Sergey Gordeychik - How to hack a telecom and stay alive
Published at: International Security Conference "ZeroNights 2011" - http://www.zeronights.org/
  1. How to Hack a Telecommunication Company and Stay Alive. Sergey Gordeychik, Positive Technologies, CTO
  2. Ic Beo. Sergey Gordeychik, Positive Technologies, CTO. A "script writer" and a "director" of the Positive Hack Days forum. Science editor of the SecurityLab.Ru portal. Author of the Web Application Security course, and of a book titled Wireless Network Security and a namesake course. A participant of WASC, RISSPA. http://sgordey.blogspot.com
  3. What Is It All About? What is so peculiar about telecoms? Attacks against subscribers / attacks by subscribers. Perimeter... just a perimeter. Partners and contractors. Technology networks.
  4. What's So Peculiar?
  5. Specific Features of Telecommunication Companies
     • Large, large networks
     • Unification of various services (broadband access, Wi-Fi, hosting, mobile communication)
     • Great number of applications and systems on the perimeter
     • Exotics inside and outside
     • Lots of perimeters
     • Most networks belong to third parties
     • Forensics nightmare
  6. How many perimeters do telecoms have? Internet, subscribers, partners, office, technology network.
  7. ...and a bit more... (diagram labels: mobile communications, broadband access network, technological network, wired broadband access, wireless broadband access, VoIP, hosting, Internet TV, ...)
  8. ...and a bit more... (map: Vladivostok, Moscow, Roma, Phnom Penh)
  9. Attack AGAINST Subscribers
  10. Why Subscribers?
     • Subscribers' $ = telecoms' $
     • DoS = - $$ - reputation - $$
     • PWN (100,000 PCs) = botnet
     • Personal data!
  11. Broadband Access
     • Huge non-segmented networks
     • Great number of end devices: various SOHO devices; installed and unattended; standard buggy configurations
     • A manual on the insecurity of network appliances: SNMP/Telnet/HTTP/UPnP control protocols exposed to the Internet; insecure/empty passwords; web attacks on the client side (pinning, CSRF)
     • Huge number of users: 1 out of 1,000, for 10,000,000 = 10,000; trivial passwords
  12. Broadband Access. Attack
     • Collecting information: network scanning; access layer error (BRAS); collecting information from internal forums and other resources; self-service platform errors ("Invalid login or password" vs "Invalid username")
     • Preparing scenarios: capturing devices; guessing passwords
     • $profit$
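The "Invalid login or password" vs "Invalid username" item on slide 12 is username enumeration through differing error messages: the portal confirms which accounts exist before a single password is tried. The following Python is an added example, not code from the deck; it shows the leaky handler beside a uniform one, with a constructed user store and a hypothetical `enumerates_users` check so the difference can be measured.

```python
import hashlib
import hmac
import os

def _pbkdf2(password, salt):
    """Slow salted hash; the iteration count is kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store for the demo (username -> (salt, hash)); not from the deck.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
# Dummy record so that an unknown username still costs one hash computation,
# which keeps the timing of the two failure cases alike.
_DUMMY = (_SALT, _pbkdf2("dummy-not-a-real-password", _SALT))

def login_leaky(username, password):
    """The pattern slide 12 points at: two different messages reveal whether
    the username exists, so valid accounts can be enumerated before any
    password guessing starts."""
    if username not in USERS:
        return "Invalid username"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), stored):
        return "Invalid login or password"
    return "OK"

def login_uniform(username, password):
    """Hardened form: one message and the same amount of work whether the
    username is unknown or the password is wrong."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_pbkdf2(password, salt), stored)
    if ok and username in USERS:
        return "OK"
    return "Invalid login or password"

def enumerates_users(login):
    """True if a login function's response distinguishes unknown users
    from known users with a wrong password (hypothetical helper for the demo)."""
    return login("nobody", "x") != login("alice", "x")
```

The same uniform treatment belongs on password-reset and registration forms, which leak the same bit through "email already registered" style messages.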
  13. Well... yes, it happens
  14. Pick a Task...
  15. Examples of Risks
     • Gaining access to a self-service portal
       - Cashout: guessing the password or stealing the router cfg files (VPN/PPPoE); transferring money from broadband access to a cell phone (integration!); cashing out via PRS
       - "It drives me NUTS!!!": guessing the password or stealing the router cfg files (VPN/PPPoE); purchasing whatever is available; balance = 0
     • Performing mass hacking of routers/PCs
     • Performing mass changing of configurations
  16. Attacks against Clients of Mobile Networks
     • Faking Caller ID: self-service portal/USSD; voice mailbox; cash-out via PRS; direct money withdrawal
     (Diagram labels: Internet, SS7, Target, GSM, SIP-GW, Tech systems, FAKE ID, unauthorized access)
  17. Attacks against Clients of Mobile Networks
     • Malware for mobile devices
     • Intercepting GSM: not ROCKET SCIENCE! Attacking A5/1; MITM, switch to A5/0; downgrading UMTS -> GSM
     • Traffic, SMS, one-time passwords...: self-service portals/USSD; cash-out via PRS; voice mailbox
  18. Hosting
     • Local network for collocated/dedicated servers: attacks at the network/data link layer, attacks against network infrastructure; ARP spoofing, IP spoofing... old school; intrasegment IPv6 attacks
     • Attack against infrastructure (DNS...)
     • Shared hosting (once you have intruded into one of the sites...)
  19. Pentester Tips & Tricks
  20. Pentester Tips & Tricks
     • We are only searching for vulnerabilities
     • We use only our own resources for demonstration
     • We avoid information protected by the law
     • A fickle client... C: Prove it! Enter the portal! P: No, thank you. Here is the password, enter it yourself...
  21. Attacks BY Subscribers
  22. Why Subscribers? AGAIN?
     • Subscribers are WITHIN one of the perimeters
     • Many attacks are easier if performed from the subscriber's side
     • The number of subscribers of modern telecoms is quite large
  23. General Problems
     • Network access control weakness
     • Intrasegment attacks
     • Protection of the end equipment
     • Web applications for subscribers
  24. Network Access Control Errors. A direct way does not always mean the most interesting one :)
        C:\>tracert -d www.ru
        Tracing route to www.ru [194.87.0.50]
        over a maximum of 30 hops:
          1   *       *       *      Request timed out.
          3   10 ms   13 ms   5 ms   192.168.5.4
          4   7 ms    6 ms    5 ms   192.168.4.6
  25. Per Aspera Ad... level 15
        #sh run
        Using 10994 out of 155640 bytes
        !
        version 12.3
        ...
        !
        username test1 password 7 <removed>
        username antipov password 7 <removed>
        username gordey password 7 <removed>
        username anisimov password 7 <removed>
        username petkov password 7 <removed>
        username mitnik password 7 <removed>
        username jeremiah password 7 <removed>
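What makes the slide 25 excerpt painful for the operator is the `password 7` on every line: IOS type 7 is a reversible obfuscation, not a hash, so anyone who can read the running config can recover every credential in it. The following audit is an added example, not code from the deck: it walks a constructed `show run` sample (hashes replaced by `<removed>`, as on the slide), flags type 0 and type 7 credentials and a disabled `service password-encryption`, and leaves `secret` lines (types 5/8/9, which are one-way hashes) alone.

```python
import re

# Constructed sample modelled on the deck's `show run` excerpt. The real hashes were
# already removed on the slide; <removed> stands in for them here as well.
SAMPLE_RUN = """\
!
version 12.3
no service password-encryption
!
username test1 password 7 <removed>
username gordey password 7 <removed>
username ops secret 5 <removed>
username legacy password 0 <removed>
enable password 7 <removed>
line vty 0 4
 password 7 <removed>
"""

# Matches "username X password 7 ...", "enable password 7 ...", "enable secret 5 ..."
# and the bare " password ..." under line/console stanzas. The type digit is optional:
# "password hunter2" without a digit is stored as type 0 (plaintext).
CRED_RE = re.compile(
    r"^\s*(?:username\s+\S+\s+|enable\s+)?(?P<kw>password|secret)\s+"
    r"(?:(?P<type>[0-9])\s+)?(?P<val>\S+)"
)

def audit_ios_config(text):
    """Return [(line_no, reason)] for each credential that is not a one-way hash.

    IOS encodings: type 0 = plaintext, type 7 = reversible obfuscation,
    type 5/8/9 = MD5/PBKDF2/scrypt hashes, which are what the 'secret' keyword produces.
    """
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() == "no service password-encryption":
            findings.append((no, "service password-encryption disabled: "
                                 "'password' lines are stored as plaintext"))
            continue
        m = CRED_RE.match(line)
        if not m or m.group("kw") == "secret":
            continue  # no credential on this line, or a hashed one
        ptype = m.group("type") or "0"
        if ptype == "7":
            findings.append((no, "type 7 password (reversible): replace with 'secret'"))
        elif ptype == "0":
            findings.append((no, "type 0 password (plaintext): replace with 'secret'"))
    return findings

if __name__ == "__main__":
    for no, reason in audit_ios_config(SAMPLE_RUN):
        print(f"line {no}: {reason}")
```

Enabling `service password-encryption` only turns type 0 into type 7; the fix the audit asks for is `username ... secret ...` and `enable secret`, plus rotating every credential that was ever stored as type 7.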
  26. Network Access Control Errors
     • GPRS/EDGE/3G traditionally stick to NAT; other clients are "invisible"
     • This is not always true... GPRS: payment kiosks, ATMs, etc., which can have: a missing firewall; missing updates; misconfigurations
  27. A Joke. SNMP 'private' on a GGSN
  28. A Joke. Captive portal "Your balance is low": Linux, Apache, MySQL, PHP
  29. Intrasegment Attacks. Subscribers of broadband access and hosting
  30. Web Portals and Services for Subscribers
     • A good few resources: forums, dating sites, video converters, online games, statistics, online shopping, photo hosting, file hosting, online radio...
     • A good few loopholes: old versions of applications and CMS, SQLi, LFI and so on...
     • Single sign-on or the same passwords...
     • Often placed into the DMZ together with "ordinary" servers
  31. Web Portals and Servers for Subscribers
     • Games server*: Proxima CMS, path traversal + SQLi + configuration error = root
     • About 20 more sites on the host: online broadcasting; branded desktop applications; ...
  32. Pentester Tips & Tricks
     • Resources on the subscriber networks are often the SUBSCRIBER's resources
     • Get approvals for every step of your work
     • Many systems operate on a wing and a prayer: they collapse all the time, but if you are online anyway...
     • Avoid (!) information protected by the law
     • A fickle client...
  33. Perimeter... Just a Perimeter
  34. Perimeter?
     • Large, large networks! Use clouds
     • Great number of "third-party" resources
     • Get ready for rarities
     • Corporate web applications
     • The Lord of the Net
  35. Great Number of Third-Party Resources
     • Quite a large number of perimeter hosts belong to partners/subscribers
     • Quite often these hosts are "mixed" with those of the client
     • Yet, they should not be disregarded: imagine that you are already level 15/root/admin on the host and you have just entered the segment
  36. Great Number of Third-Party Resources
     • SQLi on the mobile content portal (Oracle, sys)
     • 'private' at the VoIP gateway
     • Maintained by partners: no hacking
     • Actually located in a flat DMZ together with the client's servers
     • Enabling the billing front end
  37. Rarities
     • So many different things can be found on the perimeter: technology "hardware"; VoIP; old-school firewalls; web cameras; unusual control systems: ELOM, air conditioners (!), UPS (!), etc.
     • Keep in mind the momentous attacks (X-mas scan, UNIX RPC, Finger, etc.)
     • Don't underrate the rarities
  38. Rarities
        nc -P 20 xxx.xxx.xxx.xxx 8080
     • Wireless access point: insecure password for web; enabling Telnet; compiling tcpdump/nc and others for the platform; using them for traffic/tunnel interception
     • Web camera: LFI via the web interface; obtaining configuration files; gaining an access password for the control system; gaining access to the control system
  39. Journey to Gattaca
  40. Watching the Video
  41. Cobweb. Lots of web. For real.
     • Enterprise web applications are often accessible: terminal services (Citrix); email systems; helpdesk systems
     • Ill-equipped for operating on the "wild web"
  42. Support system
     • We found and applied path traversal in ManageEngine ServiceDesk Plus
     • Gained the "encrypted" password for integration with AD
     • The password fitted for VPN; the password fitted for AD (Enterprise Admin); the password fitted for Cisco ACS
     • So we finally got lucky!
  43. VPN. Lots of VPN, good and not so good. Passwords, IPsec Aggressive Mode...
  44. The Lords of the Net
     • Administrator, the Lord of the Net
     • A large network means many administrators
     • Feudalism: rules are for wimps; enterprise IT infrastructure VS "my infrastructure"; remote access systems; amusing web servers and trial apps
  45. "All animals are equal but..."
  46. The Lords of the Rings
     • TCP:1337 (SSL): a web server of the system administration department
     • Radio broadcasting (SHOUTcast server with a default password)
     • Location: an administrator workstation. With all the consequences...
  47. Pentester Tips & Tricks
     • Try not to miss a thing on the perimeter
     • Keep in mind third-party hosts
     • Get approvals for every step of your work
     • Don't disregard network rarities. Sometimes a web camera can pave the way to the network core!
     • Pay special attention to web
     • Remember admins
  48. Partners and Contractors
  49. Contractors?
     • Requirements for system access (VPN)
     • Standard accounts (easy to remember)
     • No update management
     • Employees
  50. Contractors...
     • Contractor in the technology network: wireless interface on a laptop; a shared folder for everyone; the folder contains an installer of a control system for xDSL modems/end routers, with a built-in SA password for the DBMS; who else has the same system?
     • Applications for agents, sale and activation of communication service packages: fat-client application; built-in access password for the DBMS... as SYSDBA
  51. There Are Different Contractors... OMG?! HAVE I PWND THAT?
  52. Pentester Tips & Tricks
     • Contractors are never to be hacked
     • Get approvals for every step of your work
     • Many scenarios can be efficiently demonstrated by a "white box" method: "Suppose I were a contractor." "But you are not a contractor." ...A fickle client...
  53. Technology Networks
  54. Something special?
     • Changes are highly dynamic in the network: new gadgets keep emerging; contractors keep working; configuration keeps changing
     • Implemented components and protocols are standard: threats typical for IP; configuration errors; platform vulnerabilities
     • Some errors can cause failures and facilitate fraud
  55. Technology Networks Are Networks First of All!
     • Equipment vulnerabilities
     • Test systems, contractors' systems
     • FORGOTTEN (!) systems
     • Network management systems
  56. Forgotten Systems. Non-configured switch. Uptime: 2 years!
  57. Network Management Systems
     • Such treasure: network topology; device configuration; passwords and keys for VPN/Wi-Fi/SNMP/RADIUS/VPN...
     • "They are behind the firewall" + web password - OS, DBMS, web updates + standard passwords for DBMS + file (!) shares
  58. That's Tough! The WPA-PSK for an AP is found. Where are the access points located?!!
  59. Backup Is Quite a Useful Thing! Especially on the Net!
  60. VoIP Is a Honey Pie (diagram labels: call management; identity theft (fraud); access to the enterprise network; VoIP attack against... gateways, protocols, i[P]Phone; fraud or fraudulent infrastructure misrepresentation; wiretapping; and more...)
  61. VoIP
     1. VoIP Wi-Fi access (no WPA, so "slow")
     2. The nearest Cisco Call Manager
        a) SQLi, CVE-2008-0026
           https://www.example.org/ccmuser/personaladdressbookEdit.do?key=+UNION+ALL+SELECT+,,,user,,password+from+applicationuser;--
        b) Collecting hashes: runsql select user,password from applicationuser
        c) Restoring passwords from the hashes
     3. Level 15 for the whole network
     (Diagram labels: attacker's computer; 1 WEP, ТОП; 2 corporate LAN, outside the office of Company "A", PSTN, IP PBX, Company "A"; 3 SQL injection CVE-2008-0026)
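For the Call Manager SQLi on slide 61, the defender's first question is whether that request has already shown up in the web server's access log. The scanner below is an added example, not code from the deck: it runs over constructed combined-format log lines, decodes the query string of every `/ccmuser/` request, and reports the client, path, parameter and HTTP status whenever a parameter carries SQL keywords (a 200 on such a request is the case to escalate first, since the application did not reject the input).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access-log lines for a CUCM user web front end.
# Line 2 carries the CVE-2008-0026 query quoted on the slide; line 4 a URL-encoded probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2011:10:00:01 +0300] "GET /ccmuser/personaladdressbookEdit.do?key=42 HTTP/1.1" 200 812',
    '10.0.0.9 - - [01/Nov/2011:10:00:07 +0300] "GET /ccmuser/personaladdressbookEdit.do?key=+UNION+ALL+SELECT+,,,user,,password+from+applicationuser;-- HTTP/1.1" 200 4410',
    '10.0.0.9 - - [01/Nov/2011:10:00:09 +0300] "GET /ccmuser/logon.do HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Nov/2011:10:00:12 +0300] "GET /ccmuser/personaladdressbookEdit.do?key=1%20UNION%20SELECT%20NULL HTTP/1.1" 500 0',
]

REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
# SQL fragments that have no business in a personal address book key.
SQLI_RE = re.compile(r"\b(union\s+(all\s+)?select|from\s+applicationuser)\b|;--", re.IGNORECASE)

def scan_cucm_log(lines):
    """Return (client_ip, path, parameter, status) for each /ccmuser/ request whose
    decoded query parameters contain SQL keywords."""
    hits = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        if not url.path.startswith("/ccmuser/"):
            continue
        # parse_qs decodes both %XX escapes and '+' to space before we inspect values
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if any(SQLI_RE.search(v) for v in values):
                hits.append((m.group("ip"), url.path, name, m.group("status")))
    return hits

if __name__ == "__main__":
    for hit in scan_cucm_log(SAMPLE_LOG):
        print(hit)
```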
  62. Mobile Networks: It's So Banal
     • Only the perimeter is secure
     • Some weird hardware? 3G SoftSwitch: Solaris 10 with CVE-2007-0882 (telnet -f); ...
  63. Self-Service Platform
     • WEB/USSD/WAP
     • Interface with payment systems; a possibility of money withdrawal
     • No authentication (Caller ID); weak authentication (PIN code?)
     • Vulnerable applications (web, SQL injection, XSS)
  64. VAS platforms
     • Someone's application on the operator's network
     • Malicious content, WAP provisioning
     • Rich access via mobile stations (WAP/HTTP): web application vulnerabilities; platform vulnerabilities
     • Platforms for service development
  65. Instead of a Conclusion
  66. Forensic Nightmare
     • Large networks make it extremely difficult to investigate incidents
     • Lots of vectors, tons of hardware, a great deal of administrators
     • A couple of hops on the internal network, and no one will make head or tail of it
  67. Who is there?
  68. Trying To Make Head or Tail...
  69. Some Are Concerned...
  70. Others Are Happy
  71. Thank you for your attention! Sergey Gordeychik, gordey@ptsecurity.com, http://sgordey.blogspot.com, http://ptresearch.blogspot.com, http://phdays.com