SlideShare a Scribd company logo

Hacking routers as a Web Hacker

Download as PPTX, PDF
HeadLightSecurity
HeadLightSecurity

DEFCON MOSCOW 0X0A

Education
1 of 41
Hacking routers as Web Hacker
WHOAMI • Researcher @ hlsec.ru • @cyberpunkych • Attacking MongoDB @ ZN2012 • Database honeypot by design @ Defcon Russia • Meme Master
Routers everywhere. • Home • Work • Hospitals • Banks • In your bag • etc
But I’m web hacker, what can I do? • Router’s web control panel == web site • Connect managers with web interface, such as Yota Access  • ISP (statistics, billing, management, etc)
Routerzzz
OWASP TOP 10 for routers • Default credentials • Auth bypass • XSS • CSRF • Command Injection • Sensitive info leak • Bugs in third party libraries • RCE, XXE, etc
Default credentials Should I say anything?
Authentication Bypass/No Auth • Hello, Yota Many • Hello, D-Link’s backdoor • Hello, MTS 4G Router • Hello, others (DIR-100, DI-524, DI-604, etc)
CSRF/XSS everywhere Srlsy, it’s everywhere. But why? Because **** you, that’s why. (Zyxel Keenetic v1)
Command injection Always check network tools  (ASUS RT-N10P)
Sensitive info leak • /error_page.htm • /DevInfo.php • /rom-0 (ASUS RT-N12D1)
Bugs in third party libraries • Heartbleed • ShellShock • RomPager • etc
Hacking algorithm
WARNINNG! ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ!
1. Get the firmware • Сheck vendor web site/ftp • Get firmware source code (GPL profits) • No firmware at all? Dump it via UART/SPI/JTAG (HW mode on)
2. Unpack it • Binwalk -> search for signature and try to unpack • Firmware-mod-kit pack/unpack • If NO_SUCCESS -> analyze firmware entropy • Sasquatch for fs
3. CHECK AUTH • Black Box => White Box • for i in *; do curl http://router_ip/$i; done • You know what to do ;)
4. СHECK CMD INJECTION • PING -> ya.ru;ls • CONFIG backup to FTP/TFTP • Any place where command execution is used • Check all shell symbols • Error-based command injection for output # ping ya.ru || ls # ping $(uname) # ping `uname` # ping ya.ru && ls # ping ya.ru; ls # ping $USER.ya.ru ...
5. Check for XSS • <script>alert(1)</script> for every param! • Check hostname, sometimes it can help you  • Even 1 XSS => PROFIT!!1 • Stored XSS => Compromised web interface
5. Check for XSS • <script>alert(1)</script> for every param! • Check hostname, sometimes it can help you  • Even 1 XSS => PROFIT!!1 • Stored XSS => Compromised web interface Typical attack scheme: Link/Page with XSS => AJAX => getElementsByTagName(‘input’)[*].value => log data
HINT: Hide myself from web! Hello, 1'}]"); ! Hide’n’seek from browser via xss in Zyxel Keenetic.
6. Check for CSRF • Inspect for anti-csrf tokens • Check X-Requested-With • Referer check
6. Check for CSRF • Inspect for anti-csrf tokens • Check X-Requested-With • Referer check Referer checking:
6. Check for CSRF • Inspect for anti-csrf tokens • Check X-Requested-With • Referer check Any other == bad referer:
6. Check for CSRF • Inspect for anti-csrf tokens • Check X-Requested-With • Referer check Open Redirect trick to bypass regexp:
CSRF => MITM All you need is love CSRF via updating DNS settings! ( <img src=“csrf”>, habrahabr, you know. )
XSS + Smart CSRF 1. Get the internal IP address using a nice WebRTC hack 2. Get router IP (no so many requests 8) ) 3. Make CSRF Request via XSS payload (better for stored XSS) 4. Get all data (sometimes passwords stored in input.value’s) 5. Redirect to page with XSS 6. ??? 7. All your data are belong to us!
Support Software
Support Software • MTS Connect, Yota Access, etc • Sometimes they also use web! • Binary bugs (BOF, etc) • Bugs with bad privileges
Support Software • MTS Connect, Yota Access, etc • Sometimes they also use web! • Binary bugs (BOF, etc) • Bugs with bad privileges • Sniff requests to ISP => new bugs
Support Software From CSRF to RCE! video_here
ISP
ISP – Just another target • Google/Yandex dork • Cabinet/Balance/etc on provider’s site • Subdomains • Popular services
Why it is important? • Update server control • Client-side tricks (crossdomain.xml) • Remote device administration • New default credentials • Attack firmware developers
Google it!
Just google.
WARNINNG! WARNINNG! WARNINNG!
Example from real life
Conclusion • Router == web site • Black Box => White Box • XSS/CSRF everywhere • Vuln1+vuln2->vuln3 • The RCE is out there • R.E.S.H.E.T.O.
Any questions? INFO: @cyberpunkych Links: http://www.routerpwn.com http://routersecurity.org http://seclists.org http://dsec.ru/upload/medialibrary/589/589327eb24 133e5c615fa11950340e05.pdf Thnx: @090h

Recommended

Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsHeadLightSecurity
 
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaУязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaHeadLightSecurity
 
Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...
Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...
Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...Mail.ru Group
 
Oleg Kupreev - 802.11 tricks and threats
Oleg Kupreev - 802.11 tricks and threatsOleg Kupreev - 802.11 tricks and threats
Oleg Kupreev - 802.11 tricks and threatsDefcon Moscow
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Bus Pirate Workshop Ruxcon Hardware Hacking 2017
Bus Pirate Workshop Ruxcon Hardware Hacking 2017Bus Pirate Workshop Ruxcon Hardware Hacking 2017
Bus Pirate Workshop Ruxcon Hardware Hacking 2017Tim N
 
Device inspection to remote root
Device inspection to remote rootDevice inspection to remote root
Device inspection to remote rootTim N
 
Git Money
Git MoneyGit Money
Git MoneyTim N
 

Recommended

Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsHeadLightSecurity
 
Уязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaУязвимости программного обеспечения телекоммуникационного оборудования Yota
Уязвимости программного обеспечения телекоммуникационного оборудования YotaHeadLightSecurity
 
Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...
Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...
Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...Mail.ru Group
 
Oleg Kupreev - 802.11 tricks and threats
Oleg Kupreev - 802.11 tricks and threatsOleg Kupreev - 802.11 tricks and threats
Oleg Kupreev - 802.11 tricks and threatsDefcon Moscow
 
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"Defcon Moscow
 
Bus Pirate Workshop Ruxcon Hardware Hacking 2017
Bus Pirate Workshop Ruxcon Hardware Hacking 2017Bus Pirate Workshop Ruxcon Hardware Hacking 2017
Bus Pirate Workshop Ruxcon Hardware Hacking 2017Tim N
 
Device inspection to remote root
Device inspection to remote rootDevice inspection to remote root
Device inspection to remote rootTim N
 
Git Money
Git MoneyGit Money
Git MoneyTim N
 
ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)Tim N
 
How *NOT* to firmware
How *NOT* to firmwareHow *NOT* to firmware
How *NOT* to firmwareAmit Serper
 
Passwords Found on a Wireless Network
Passwords Found on a Wireless NetworkPasswords Found on a Wireless Network
Passwords Found on a Wireless NetworkDug Song
 
MIPS-X
MIPS-XMIPS-X
MIPS-XZoltan Balazs
 
Practically DROWNing
Practically DROWNingPractically DROWNing
Practically DROWNingTim N
 
Hacking the Gateways
Hacking the GatewaysHacking the Gateways
Hacking the GatewaysOnur Alanbel
 
R0boCamp2016 Гліб Вінніков Home automation by ESP8266
R0boCamp2016 Гліб Вінніков Home automation by ESP8266R0boCamp2016 Гліб Вінніков Home automation by ESP8266
R0boCamp2016 Гліб Вінніков Home automation by ESP8266Lviv Startup Club
 
Home Automation
Home AutomationHome Automation
Home AutomationCássio Landim
 
The Postmodern Binary Analysis
The Postmodern Binary AnalysisThe Postmodern Binary Analysis
The Postmodern Binary AnalysisOnur Alanbel
 
Speck & Tech: Attacking iOS (A brief overview)
Speck & Tech: Attacking iOS (A brief overview)Speck & Tech: Attacking iOS (A brief overview)
Speck & Tech: Attacking iOS (A brief overview)Filippo Bigarella
 
Volatility101
Volatility101Volatility101
Volatility101April Mardock CISSP
 
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsZero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsDane Schneider
 
Exploring the abc's of raspberry pi and python(day 2)
Exploring the abc's of raspberry pi and python(day 2)Exploring the abc's of raspberry pi and python(day 2)
Exploring the abc's of raspberry pi and python(day 2)Shahed Mehbub
 
ぼくとわたしのVim
ぼくとわたしのVimぼくとわたしのVim
ぼくとわたしのVimShota Fukumori
 
Up and running with Raspberry Pi
Up and running with Raspberry PiUp and running with Raspberry Pi
Up and running with Raspberry PiShahed Mehbub
 
Exploring the ABC's of Raspberry Pi with Python
Exploring the ABC's of Raspberry Pi with PythonExploring the ABC's of Raspberry Pi with Python
Exploring the ABC's of Raspberry Pi with PythonShahed Mehbub
 
Fedora 12 Introduction
Fedora 12 IntroductionFedora 12 Introduction
Fedora 12 IntroductionRatnadeep Debnath
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
I pv6 better than IPv4 but why ?
I pv6 better than IPv4 but why ?I pv6 better than IPv4 but why ?
I pv6 better than IPv4 but why ?Fred Bovy
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web HackerМихаил Фирстов
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 

More Related Content

What's hot

ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)Tim N
 
How *NOT* to firmware
How *NOT* to firmwareHow *NOT* to firmware
How *NOT* to firmwareAmit Serper
 
Passwords Found on a Wireless Network
Passwords Found on a Wireless NetworkPasswords Found on a Wireless Network
Passwords Found on a Wireless NetworkDug Song
 
Practically DROWNing
Practically DROWNingPractically DROWNing
Practically DROWNingTim N
 
Hacking the Gateways
Hacking the GatewaysHacking the Gateways
Hacking the GatewaysOnur Alanbel
 
R0boCamp2016 Гліб Вінніков Home automation by ESP8266
R0boCamp2016 Гліб Вінніков Home automation by ESP8266R0boCamp2016 Гліб Вінніков Home automation by ESP8266
R0boCamp2016 Гліб Вінніков Home automation by ESP8266Lviv Startup Club
 
The Postmodern Binary Analysis
The Postmodern Binary AnalysisThe Postmodern Binary Analysis
The Postmodern Binary AnalysisOnur Alanbel
 
Speck & Tech: Attacking iOS (A brief overview)
Speck & Tech: Attacking iOS (A brief overview)Speck & Tech: Attacking iOS (A brief overview)
Speck & Tech: Attacking iOS (A brief overview)Filippo Bigarella
 
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsZero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsDane Schneider
 
Exploring the abc's of raspberry pi and python(day 2)
Exploring the abc's of raspberry pi and python(day 2)Exploring the abc's of raspberry pi and python(day 2)
Exploring the abc's of raspberry pi and python(day 2)Shahed Mehbub
 
ぼくとわたしのVim
ぼくとわたしのVimぼくとわたしのVim
ぼくとわたしのVimShota Fukumori
 
Up and running with Raspberry Pi
Up and running with Raspberry PiUp and running with Raspberry Pi
Up and running with Raspberry PiShahed Mehbub
 
Exploring the ABC's of Raspberry Pi with Python
Exploring the ABC's of Raspberry Pi with PythonExploring the ABC's of Raspberry Pi with Python
Exploring the ABC's of Raspberry Pi with PythonShahed Mehbub
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 
I pv6 better than IPv4 but why ?
I pv6 better than IPv4 but why ?I pv6 better than IPv4 but why ?
I pv6 better than IPv4 but why ?Fred Bovy
 

What's hot (20)

ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)
 
How *NOT* to firmware
How *NOT* to firmwareHow *NOT* to firmware
How *NOT* to firmware
 
Passwords Found on a Wireless Network
Passwords Found on a Wireless NetworkPasswords Found on a Wireless Network
Passwords Found on a Wireless Network
 
MIPS-X
MIPS-XMIPS-X
MIPS-X
 
Practically DROWNing
Practically DROWNingPractically DROWNing
Practically DROWNing
 
Hacking the Gateways
Hacking the GatewaysHacking the Gateways
Hacking the Gateways
 
R0boCamp2016 Гліб Вінніков Home automation by ESP8266
R0boCamp2016 Гліб Вінніков Home automation by ESP8266R0boCamp2016 Гліб Вінніков Home automation by ESP8266
R0boCamp2016 Гліб Вінніков Home automation by ESP8266
 
Home Automation
Home AutomationHome Automation
Home Automation
 
The Postmodern Binary Analysis
The Postmodern Binary AnalysisThe Postmodern Binary Analysis
The Postmodern Binary Analysis
 
Speck & Tech: Attacking iOS (A brief overview)
Speck & Tech: Attacking iOS (A brief overview)Speck & Tech: Attacking iOS (A brief overview)
Speck & Tech: Attacking iOS (A brief overview)
 
Volatility101
Volatility101Volatility101
Volatility101
 
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.jsZero Knowledge - End-to-end encryption in the browser with OpenPGP.js
Zero Knowledge - End-to-end encryption in the browser with OpenPGP.js
 
Exploring the abc's of raspberry pi and python(day 2)
Exploring the abc's of raspberry pi and python(day 2)Exploring the abc's of raspberry pi and python(day 2)
Exploring the abc's of raspberry pi and python(day 2)
 
ぼくとわたしのVim
ぼくとわたしのVimぼくとわたしのVim
ぼくとわたしのVim
 
Up and running with Raspberry Pi
Up and running with Raspberry PiUp and running with Raspberry Pi
Up and running with Raspberry Pi
 
Exploring the ABC's of Raspberry Pi with Python
Exploring the ABC's of Raspberry Pi with PythonExploring the ABC's of Raspberry Pi with Python
Exploring the ABC's of Raspberry Pi with Python
 
Fedora 12 Introduction
Fedora 12 IntroductionFedora 12 Introduction
Fedora 12 Introduction
 
44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?44CON London 2015 - Is there an EFI monster inside your apple?
44CON London 2015 - Is there an EFI monster inside your apple?
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
I pv6 better than IPv4 but why ?
I pv6 better than IPv4 but why ?I pv6 better than IPv4 but why ?
I pv6 better than IPv4 but why ?
 

Similar to Hacking routers as a Web Hacker

Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Orange@php conf
Orange@php confOrange@php conf
Orange@php confHash Lin
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Orange Tsai
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profitDavid Stockton
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server SecurityBrian Pontarelli
 
Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSSDefconRussia
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesDefconRussia
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usagedjenoalbania
 

Similar to Hacking routers as a Web Hacker (20)

Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
 
Orange@php conf
Orange@php confOrange@php conf
Orange@php conf
 
Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧Security in PHP - 那些在滲透測試的小技巧
Security in PHP - 那些在滲透測試的小技巧
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)
 
Hacking sites for fun and profit
Hacking sites for fun and profitHacking sites for fun and profit
Hacking sites for fun and profit
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
Owning the bad guys
Owning the bad guys Owning the bad guys
Owning the bad guys
 
Denis Baranov - Root via XSS
Denis Baranov - Root via XSSDenis Baranov - Root via XSS
Denis Baranov - Root via XSS
 
Top ten-list
Top ten-listTop ten-list
Top ten-list
 
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilitiesVorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
Vorontsov, golovko ssrf attacks and sockets. smorgasbord of vulnerabilities
 
Bz backtrack.usage
Bz backtrack.usageBz backtrack.usage
Bz backtrack.usage
 

Recently uploaded

ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Celine George
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxsocialsciencegdgrohi
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupJonathanParaisoCruz
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerunnathinaik
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentInMediaRes1
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfSumit Tiwari
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsanshu789521
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaVirag Sontakke
 

Recently uploaded (20)

ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
Incoming and Outgoing Shipments in 1 STEP Using Odoo 17
 
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptxHistory Class XII Ch. 3 Kinship, Caste and Class (1).pptx
History Class XII Ch. 3 Kinship, Caste and Class (1).pptx
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
MARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized GroupMARGINALIZATION (Different learners in Marginalized Group
MARGINALIZATION (Different learners in Marginalized Group
 
internship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developerinternship ppt on smartinternz platform as salesforce developer
internship ppt on smartinternz platform as salesforce developer
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Meghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media ComponentMeghan Sutherland In Media Res Media Component
Meghan Sutherland In Media Res Media Component
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Presiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha electionsPresiding Officer Training module 2024 lok sabha elections
Presiding Officer Training module 2024 lok sabha elections
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
Painted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of IndiaPainted Grey Ware.pptx, PGW Culture of India
Painted Grey Ware.pptx, PGW Culture of India
 

Hacking routers as a Web Hacker

  • 1.
  • 3. WHOAMI • Researcher @ hlsec.ru • @cyberpunkych • Attacking MongoDB @ ZN2012 • Database honeypot by design @ Defcon Russia • Meme Master
  • 4. Routers everywhere. • Home • Work • Hospitals • Banks • In your bag • etc
  • 5. But I’m web hacker, what can I do? • Router’s web control panel == web site • Connect managers with web interface, such as Yota Access  • ISP (statistics, billing, management, etc)
  • 7. OWASP TOP 10 for routers • Default credentials • Auth bypass • XSS • CSRF • Command Injection • Sensitive info leak • Bugs in third party libraries • RCE, XXE, etc
  • 9. Authentication Bypass/No Auth • Hello, Yota Many • Hello, D-Link’s backdoor • Hello, MTS 4G Router • Hello, others (DIR-100, DI-524, DI-604, etc)
  • 10. CSRF/XSS everywhere Srlsy, it’s everywhere. But why? Because **** you, that’s why. (Zyxel Keenetic v1)
  • 11. Command injection Always check network tools  (ASUS RT-N10P)
  • 12. Sensitive info leak • /error_page.htm • /DevInfo.php • /rom-0 (ASUS RT-N12D1)
  • 13. Bugs in third party libraries • Heartbleed • ShellShock • RomPager • etc
  • 15. WARNINNG! ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ!
  • 16. 1. Get the firmware • Сheck vendor web site/ftp • Get firmware source code (GPL profits) • No firmware at all? Dump it via UART/SPI/JTAG (HW mode on)
  • 17. 2. Unpack it • Binwalk -> search for signature and try to unpack • Firmware-mod-kit pack/unpack • If NO_SUCCESS -> analyze firmware entropy • Sasquatch for fs
  • 18. 3. CHECK AUTH • Black Box => White Box • for i in *; do curl http://router_ip/$i; done • You know what to do ;)
  • 19. 4. СHECK CMD INJECTION • PING -> ya.ru;ls • CONFIG backup to FTP/TFTP • Any place where command execution is used • Check all shell symbols • Error-based command injection for output # ping ya.ru || ls # ping $(uname) # ping `uname` # ping ya.ru && ls # ping ya.ru; ls # ping $USER.ya.ru ...
  • 20. 5. Check for XSS • <script>alert(1)</script> for every param! • Check hostname, sometimes it can help you  • Even 1 XSS => PROFIT!!1 • Stored XSS => Compromised web interface
  • 21. 5. Check for XSS • <script>alert(1)</script> for every param! • Check hostname, sometimes it can help you  • Even 1 XSS => PROFIT!!1 • Stored XSS => Compromised web interface Typical attack scheme: Link/Page with XSS => AJAX => getElementsByTagName(‘input’)[*].value => log data
  • 22. HINT: Hide myself from web! Hello, 1'}]"); ! Hide’n’seek from browser via xss in Zyxel Keenetic.
  • 23. 6. Check for CSRF • Inspect for anti-csrf tokens • Check X-Requested-With • Referer check
  • 24. 6. Check for CSRF • Inspect for anti-csrf tokens • Check X-Requested-With • Referer check Referer checking:
  • 25. 6. Check for CSRF • Inspect for anti-csrf tokens • Check X-Requested-With • Referer check Any other == bad referer:
  • 26. 6. Check for CSRF • Inspect for anti-csrf tokens • Check X-Requested-With • Referer check Open Redirect trick to bypass regexp:
  • 27. CSRF => MITM All you need is love CSRF via updating DNS settings! ( <img src=“csrf”>, habrahabr, you know. )
  • 28. XSS + Smart CSRF 1. Get the internal IP address using a nice WebRTC hack 2. Get router IP (no so many requests 8) ) 3. Make CSRF Request via XSS payload (better for stored XSS) 4. Get all data (sometimes passwords stored in input.value’s) 5. Redirect to page with XSS 6. ??? 7. All your data are belong to us!
  • 30. Support Software • MTS Connect, Yota Access, etc • Sometimes they also use web! • Binary bugs (BOF, etc) • Bugs with bad privileges
  • 31. Support Software • MTS Connect, Yota Access, etc • Sometimes they also use web! • Binary bugs (BOF, etc) • Bugs with bad privileges • Sniff requests to ISP => new bugs
  • 32. Support Software From CSRF to RCE! video_here
  • 33. ISP
  • 34. ISP – Just another target • Google/Yandex dork • Cabinet/Balance/etc on provider’s site • Subdomains • Popular services
  • 35. Why it is important? • Update server control • Client-side tricks (crossdomain.xml) • Remote device administration • New default credentials • Attack firmware developers
  • 40. Conclusion • Router == web site • Black Box => White Box • XSS/CSRF everywhere • Vuln1+vuln2->vuln3 • The RCE is out there • R.E.S.H.E.T.O.