Preso fcul
  • Image source: http://us.123rf.com/400wm/400/400/cla78/cla781008/cla78100800263/7655075-an-old-grunge-flag-of-portugal-state.jpg
  • Everyone had a different set of opinions.
  • http://en.wikipedia.org/wiki/Security_through_obscurity
  • Although not huge, it's still nearly 6 million IP addresses.
  • Nmap flags used:
    • -iL – file with IPs
    • -oA – saved output (all formats)
    • -sS – SYN stealth scan
    • -sV – service detection
    • -p21 – port 21
    • -T5 – "supa dupa ultra fast" timing
    • -PN – don't ping
  • --host-timeout 1501 – wait the minimum time on a host; -n – don't do DNS resolution; --min-parallelism 10 – probes (instances); --min-hostgroup 400 – each probe does 400 hosts at a time
  • http://stackoverflow.com/questions/10531618/how-to-retrieve-both-tcp-and-udp-ports-with-nmap
  • Server: netcat running on UDP port 11111. Client: checks for the service on port 11111.
  • Source: http://blog.stalkr.net/2010/05/udp-scan-with-icmp-port-unreachable-and.html
  • Img source: http://i.i.com.com/cnwk.1d/i/tim/2012/06/19/Raspberry_Pi_35332544_05_1.jpg
  • Img source: http://elinux.org/R-Pi_Hub
  • http://www.shodanhq.com/?q=Xerver (REF: http://www.exploit-db.com/exploits/9718)
  • http://www.shodanhq.com/?q=Golden+FTP+Server (REF: http://www.exploit-db.com/exploits/10258)
  • https://community.rapid7.com/community/metasploit/blog/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit
  • https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell
  • SAP applications provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel, plants, and archived documents.
  • SNMP
  • Source: http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt
  • UPNP
  • Explain FIREWALL THINGIE
  • Source: http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html

Presentation Transcript

  • How to dominate a country: An analysis of the Portuguese internet's exposure to cyber-attacks
  • WHAT are you?
    We are:
    • Security Researchers
    • Security enthusiasts
    • Students, corporate sheep (read: auditors), programmers, pentesters
    We are not:
    • Lulzsec
    • Anonymous
    • Hacking group
    • And no, we won't help you hack your girlfriend's facebook!
  • Who are you?
    • Tiago Henriques – Team founder @ PTCoreSec; Pentester/Researcher @ 7Elements; @Balgan
    • Tiago Martins – Team vice-founder @ PTCoreSec; Researcher; @Gank_101
    • Filipe Reis – Programmer @ PTCoreSec; Intern @ Layer8; @fjdreis
    • Jean Figueiredo – Network security researcher @ PTCoreSec; Netsec admin @ Tecnocom; @klinzter
    • Tomás Lima – Security Researcher @ PTCoreSec; Researcher @ FCCN; @synchroack
    • Paulo Figueiredo – Designer @ PTCoreSec; CEO @ ; @synchroack
  • Who are you ?
  • Topics
  • We are NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS PRACTICED BY YOU OR ANYONE THAT LEARNS SOMETHING FROM TODAY'S PRESENTATION.
  • Causing Chaos. Q: If you guys were an attacker that was out to cause real damage or get profit, how would you go about it? A: This is what we would do: control as many machines in that country, penetrate critical systems and get as much intel/info as
  • Causing Chaos. And that's what we are gonna talk about today!
  • How it all got started. We're hackers! We love knowing how to break things and how others would go about breaking things! The difference between us and others is simple:
    • We want to break things legally and find a way to fix things.
    • We want to learn about new things and help people.
  • PORT SCANNING….
  • How it all got started. We saw some talks that really inspired us, given by two great people: HD Moore and Fyodor.
  • However… We also ran into a bit of a problem… Port scanning might or might not be illegal in Portugal! No one is actually sure, and we talked with multiple people:
    • Police
    • Sysadmins
    • Researchers
    • Security professionals
  • What to do?
    • So, if you can't port scan, how do you find out what your enemies' attack surface is?
    • How do you find out if the entire infrastructure you rely on every day is vulnerable or safe?
    • Security by obscurity? Right, that works well….
  • What to do?
    • We went and did the port scans, in passive mode; no system was penetrated in any way whatsoever.
    • We did it slowly, and with plenty of time between scans so as not to cause any DoS issues.
  • Port scanning. Tools of the trade:
    • Nmap
    • Wkhtmltoimage
    • Python
    • Scapy
    • Linux
    • NodeJS
    • MongoDB
    • C
    • Redbull + lots of nights awake + frustration
  • Port scanning - Process
    1. Get Portugal's CIDRs
    2. Decide on a set of services you consider important
    3. Check which IPs have those ports open (actual scanning)
    4. Check versions running of those services
  • Port scanning - Process: 1. Get Portugal's CIDRs. There are two places where you can get these:
    • http://software77.net/geo-ip/
    • ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
    (the slide then lists a sample of the resulting Portuguese CIDRs)
  • Port scanning - Process: 2. Decide on a set of services you consider important
    ID  Port   TCP/UDP  Service
     1  80     TCP      http
     2  443    TCP      https
     3  8080   TCP      http alternative
     4  21     TCP      FTP
     5  22     TCP      SSH
     6  23     TCP      Telnet
     7  53     UDP      DNS
     8  445    TCP      Samba
     9  139    TCP      Samba
    10  161    UDP      SNMP
    11  1900   UDP      UPNP
    12  2869   TCP      UPNP
    13  5353   UDP      MDNS
    14  137    TCP      Netbios
    15  25     TCP      SMTP
    16  110    TCP      POP3
    17  143    TCP      IMAP
    18  3306   TCP      Mysql
    19  5900   TCP      VNC Server
    20  17185  UDP      VoIP
    21  3389   TCP      Rdesktop
    22  8082   TCP      TR 069
  • Port scanning - Process: 3. Check which IPs have those ports open. 4. Check versions running of those services. This is where it gets tricky!
  • Port scanning - Process: Portugal on the internet…. 5,822,240 allocated IPs (dynamic IPs, GPRS)
  • Port scanning - Process: So as we mentioned, we divided the actual scanning into two parts! And you might be wondering why… A common nmap scan for TCP:
        nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN
    The problem with this is that DNS resolution and -sV (service detection) are very slow. So how do we solve this problem? We obviously want the domains the IPs are associated with, and the versions of the services running.
  • Port scanning - Process: Do the fast things on the 6 mil IPs and then do the slow stuff only on the IPs that are running the service we want to analyse.
        nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 -n
    Then we will have the list of IPs that have FTP running on port 21 in 3 files:
    • Port21-FTP.xml
    • Port21-FTP.gnmap
    • Port21-FTP.nmap
    Extract IPs from the gnmap file (the awk program must be quoted, otherwise the shell swallows the braces):
        grep -w "21/open" port21-FTP.gnmap | awk '{print $2}' > IPSWITHFTP.TXT
  • Port scanning - Process: Do the slow things only on the IPs that have our service running.
        nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10
    Then we will have the list of IPs that have FTP running on port 21 AND the version of those services in 3 files:
    • Port21-FTP-FINAL.xml
    • Port21-FTP-FINAL.gnmap
    • Port21-FTP-FINAL.nmap
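The two-pass flow above, as an added example that is not code from the presentation: it parses the first pass's .gnmap output the way the grep/awk line does (but field by field), then builds the second-pass -sV command for the hit list. The .gnmap sample is constructed with RFC 5737 documentation addresses; the function names are my own.

```python
import re
import shlex
from typing import List

# Constructed sample of nmap greppable (.gnmap) output from the fast first
# pass (-sS -p21 -n). Addresses are RFC 5737 documentation ranges, not scan data.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated as: nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN -n
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///
Host: 192.0.2.11 ()\tPorts: 21/closed/tcp//ftp///
Host: 192.0.2.12 ()\tPorts: 21/filtered/tcp//ftp///
Host: 198.51.100.7 (ftp.example.net)\tPorts: 21/open/tcp//ftp///
Host: 198.51.100.8 ()\tPorts: 121/open/tcp//unknown///\tIgnored State: closed (1)
# Nmap done -- 5 IP addresses (5 hosts up) scanned
"""

# "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_LINE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\(.*?\)\s+Ports:\s+(?P<ports>[^\t]*)")

def hosts_with_open_port(gnmap_text: str, port: int) -> List[str]:
    """IPs whose .gnmap line reports <port> in state 'open'.

    Same job as the slide's  grep -w "21/open" | awk '{print $2}'  pipeline,
    but each port entry (port/state/proto/owner/service/rpc/version/) is
    split and compared field by field, so port and state match exactly.
    """
    hits = []
    for line in gnmap_text.splitlines():
        m = HOST_LINE.match(line)
        if not m:                      # "# Nmap ..." comments and status lines
            continue
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 2 and fields[0] == str(port) and fields[1] == "open":
                hits.append(m.group("ip"))
                break
    return hits

def second_pass_command(ip_list_file: str, port: int, prefix: str) -> str:
    """The slow -sV pass from the slide, limited to the first pass's hit list."""
    args = ["nmap", "-iL", ip_list_file, "-oA", prefix, "-sV", f"-p{port}",
            "-T5", "-PN", "--host-timeout", "1501", "--min-hostgroup", "400",
            "--min-parallelism", "10"]
    return shlex.join(args)            # safely quoted for a POSIX shell

if __name__ == "__main__":
    ips = hosts_with_open_port(SAMPLE_GNMAP, 21)
    print("\n".join(ips))              # what would land in IPSWITHFTP.txt
    print(second_pass_command("IPSWITHFTP.txt", 21, "port21-FTP-FINAL"))
```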
  • Port scanning - Process• However…we still have UDP… and let me tell u….
  • Port scanning - Process. Nmap also has a UDP mode, -sU; however it doesn't work very well without -sV (read: it's shit!). When testing it in our lab we noticed that most of the time nmap wasn't able to detect if there was a service running or not. The reason for this is: "UDP scanning is slow as open/filtered ports typically don't respond so nmap has to time out and then retransmit, whilst closed ports will send an ICMP port unreachable error, which systems typically rate limit." When we started, it took us around 4 weeks to scan UDP on the entire country on 1 port….
  • Port scanning - Process. Solution? SCAPY! (diagram: server, client, service running on a port)
  • Port scanning - Process. Result of that script? On lab testing….
  • Port scanning - Process. Result of that script? On internet testing….
  • Port scanning - Process. When we started, it took us around 4+ weeks to scan UDP on the entire country on 1 port using Nmap…. We took this as a baseline first run to improve on… Our second run, we used python+scapy and it went down!! 1 week – well, not bad for a second run, but 1 week for a port? Our third run, we used python + multithreading fu + scapy + blackmamba – 3 days – and this was the best we brought it down to without bringing in the big guns (read: "asking HD Moore for help"). Fourth run – C. Yup, the entire .pt (1 port) scanned in 4 minutes and 45 seconds.
  • Port scanning - End. So we had our kick-ass friends send us our kick-ass raw results… now what do we do with them?
  • Port scanning - End. Terminals are fun, BUT we want an easier way to look at our data… So…. We wrote a tool: PTCoreSec Command Center!
  • First version
  • Second version
  • Third version
  • Fourth version – Current Stable
  • Fifth version – Currently Under development
  • Port scanning - Demo DEMO TIME!
  • Port scanning – The project. While we were preparing for codebits… We received something in the mail….
  • Port scanning – The project: Raspi
  • Port scanning – The project. And it got us thinking… Port scanning doesn't require a great CPU, nor a huge amount of RAM…
  • Port scanning – The project. So we decided to create a distributed port scanning project…
  • Port scanning – The project. We grabbed the Raspi and added a custom set of scripts to it…
  • Port scanning – The project
  • Port scanning – How does it work?
    Step 1 – PTCoreSec admins request a job (scan) on the backend.
    Step 2 – Server side checks the current number of live raspi minions.
    Step 3 – Server divides the CIDRs among the different clients and sends them over.
    Step 4 – Clients (minions) do the scans and send them back to the server over XMLRPC.
    Step 5 – Server imports these scans into the MongoDB backend.
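Step 3 above (the server dividing the CIDRs among the live minions), as an added example that is not the PTCoreSec project's own code: it subdivides large allocations and then balances the pieces across clients by address count rather than by number of blocks. The CIDRs are taken from the slide's sample list of Portuguese allocations; the minion names, the /18 job size and the function names are assumptions for this example.

```python
import ipaddress
from typing import Dict, List

# A few of the Portuguese allocations from the "Get Portugal's CIDRs" slide;
# the minion names used below are constructed for this example.
CIDRS = ["2.80.0.0/14", "5.43.0.0/18", "31.22.128.0/17", "62.28.0.0/16",
         "77.54.0.0/16", "81.84.0.0/16", "82.154.0.0/15", "84.90.0.0/15"]

def address_count(cidrs: List[str]) -> int:
    """Total number of addresses covered by a list of CIDRs."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)

def subdivide(cidrs: List[str], max_prefix: int) -> List[str]:
    """Split any block larger than /max_prefix into /max_prefix pieces, so one
    job (a /14 alone is 262,144 hosts) cannot monopolise a single Raspberry Pi."""
    out = []
    for c in cidrs:
        net = ipaddress.ip_network(c)
        if net.prefixlen >= max_prefix:
            out.append(str(net))
        else:
            out.extend(str(s) for s in net.subnets(new_prefix=max_prefix))
    return out

def split_cidrs(cidrs: List[str], minions: List[str],
                max_prefix: int = 18) -> Dict[str, List[str]]:
    """Step 3: divide the CIDRs between the live minions reported by step 2.

    Greedy balancing by address count: largest block first, each assigned to
    the minion with the least work so far. Balancing by host count is what
    keeps the wall-clock scan time even across clients.
    """
    if not minions:
        raise ValueError("no live minions; nothing to assign")
    nets = sorted((ipaddress.ip_network(c) for c in subdivide(cidrs, max_prefix)),
                  key=lambda n: n.num_addresses, reverse=True)
    load = {m: 0 for m in minions}
    jobs: Dict[str, List[str]] = {m: [] for m in minions}
    for net in nets:
        target = min(minions, key=load.__getitem__)
        jobs[target].append(str(net))
        load[target] += net.num_addresses
    return jobs

if __name__ == "__main__":
    for minion, blocks in split_cidrs(CIDRS, ["pi-1", "pi-2", "pi-3"]).items():
        print(minion, address_count(blocks), blocks)
```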
  • Part 2
  • Business. When a client asks for a pentest, we present them with these:
  • Business
  • Business
  • Business
  • Business. And that's all really neat and pretty; however, there are 2 problems with that! These guys don't give a f***: Management, Blackhats
  • Management
    Cares about:
    • Money
    • Money
    • Money
    Does:
    • Will lie for PCI DSS/ISO27001/{Compliance}
    • Approves every single thing, even if it doesn't match security department goals, but gets them money.
    This shit gives us, security peeps, headaches!
  • I ask only ONE thing of you: leave your whitehats at home, and
  • SHODAN. SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Another way of putting it would be:
  • Is theOf these
  • Now combine this: With these:
  • And you get a lot of these
  • Also, if you do anything illegal and get caught, you'll get one of these:
  • SHODAN. Now is when you ask:
  • Shodan: http://www.shodanhq.com/
  • SHODAN. Accessing that website will give you a bar where you can type queries and obtain results. Your queries can ask for ports, countries, strings contained in the banners, and all sorts of other things. Following is a sample set of queries that can lead to some interesting results:
  • SHODAN QUERIES
    • http://www.shodanhq.com/?q=cisco-IOS
    • http://www.shodanhq.com/?q=IIS+4.0
    • http://www.shodanhq.com/?q=Xerver
    • http://www.shodanhq.com/?q=Fuji+xerox
    • http://www.shodanhq.com/?q=JetDirect
    • http://www.shodanhq.com/?q=Netgear
    • http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22
    • http://www.shodanhq.com/?q=Golden+FTP+Server
  • SHODAN QUERIES + combined country? Awesome! Saturday, 9th of June 2012
  • SHODAN QUERIES + combined country Port: 3306 country:PT
  • SHODAN QUERIES + combined country? Awesome! Wednesday, 6th of June 2012
  • SHODAN QUERIES + combined country BigIP country:PT
  • SHODAN QUERIES + combined country? Awesome! Tuesday, March 13, 2012
  • SHODAN QUERIES + combined country port:3389 -allowed country:PT
  • SHODAN QUERIES + combined country? Awesome!
  • SHODAN QUERIES OF AWESOMENESS SAP Web Application Server (ICM) Worldwide Portugal
  • SHODAN QUERIES OF AWESOMENESS SAP NetWeaver Application Server Worldwide Portugal
  • SHODAN QUERIES OF AWESOMENESS SAP Web Application Server Worldwide Portugal
  • SHODAN QUERIES OF AWESOMENESS SAP J2EE Engine Worldwide Portugal
  • SHODAN QUERIES OF AWESOMENESS
  • SHODAN QUERIES OF AWESOMENESS port:23 country:PT Worldwide Portugal
  • SHODAN QUERIES OF AWESOMENESS port:23 country:PT Username:admin Password:smcadmin
  • SHODAN QUERIES OF AWESOMENESS port:23 list of built-in commands Worldwide Not a big number, however just telnet in and you get shell…
  • SHODAN QUERIES OF AWESOMENESS port:161 country:PT Worldwide Portugal
  • SHODAN QUERIES OF AWESOMENESS. What sort of info do I get with SNMP?
    • Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
    • Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
    • Windows SYSTEM INFO 1.3.6.1.2.1.1.1
    • Windows HOSTNAME 1.3.6.1.2.1.1.5
    • Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
    • Windows UPTIME 1.3.6.1.2.1.1.3
    • Windows USERS 1.3.6.1.4.1.77.1.2.25
    • Windows SHARES 1.3.6.1.4.1.77.1.2.27
    • Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
    • Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
    • Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
    • Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
  • SHODAN QUERIES OF AWESOMENESS. What sort of info do I get with SNMP?
    • Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
    • Linux SYSTEM INFO 1.3.6.1.2.1.1.1
    • Linux HOSTNAME 1.3.6.1.2.1.1.5
    • Linux UPTIME 1.3.6.1.2.1.1.3
    • Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
    • Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
    • Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
    • Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
  • SHODAN QUERIES OF AWESOMENESS. What sort of info do I get with SNMP?
    • Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
    • Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
    • Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
    • Cisco HOSTNAME 1.3.6.1.2.1.1.5
    • Cisco SNMP communities 1.3.6.1.6.3.12.1.3.1.4
    • Cisco UPTIME 1.3.6.1.2.1.1.3
    • Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
    • Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
    • Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
    • Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
    • Cisco LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
    • Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
    • Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
  • SHODAN QUERIES OF AWESOMENESS
  • SHODAN QUERIES OF AWESOMENESS cisco country:PT Worldwide Portugal
  • SHODAN QUERIES OF AWESOMENESS cisco country:PT
  • Cisco
  • Cisco – GRE TUNNELING
  • SHODAN QUERIES OF AWESOMENESS port:1900 country:PT Worldwide Portugal
  • SHODAN QUERIES OF AWESOMENESS So, What is UPNP?
  • SHODAN QUERIES OF AWESOMENESS So, What uses UPNP?
  • SHODAN QUERIES OF AWESOMENESS Hackz
  • SHODAN QUERIES OF AWESOMENESS Hackz
  • SHODAN QUERIES OF AWESOMENESS UPNP zomg time
  • SHODAN QUERIES OF AWESOMENESSUPNP Remote command execution
  • SHODAN QUERIES OF AWESOMENESS Oh and by the way…
  • SHODAN QUERIES OF AWESOMENESS. Another funny thing about UPNP is that you can get the MAC ADDR and SSID it's using. And then….
  • SHODAN (MORE INTERESTING) QUERIES: SCADA
    • http://www.shodanhq.com/?q=PLC
    • http://www.shodanhq.com/?q=allen+bradley
    • http://www.shodanhq.com/?q=fanuc
    • http://www.shodanhq.com/?q=Rockwell
    • http://www.shodanhq.com/?q=Cimplicity
    • http://www.shodanhq.com/?q=Omron
    • http://www.shodanhq.com/?q=Novatech
    • http://www.shodanhq.com/?q=Citect
    • http://www.shodanhq.com/?q=RTU
    • http://www.shodanhq.com/?q=Modbus+Bridge
    • http://www.shodanhq.com/?q=modicon
    • http://www.shodanhq.com/?q=bacnet
    • http://www.shodanhq.com/?q=telemetry+gateway
    • http://www.shodanhq.com/?q=SIMATIC
    • http://www.shodanhq.com/?q=hmi
    • http://www.shodanhq.com/?q=siemens+-...er+-Subscriber
    • http://www.shodanhq.com/?q=scada+RTS
    • http://www.shodanhq.com/?q=SCHNEIDER
  • SHODAN (MORE INTERESTING) QUERIES PORTUGAL? SCADA
  • SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • SHODAN (MORE INTERESTING) QUERIES SCADA Portugal
  • SHODAN (MORE INTERESTING) QUERIES. Cameras…. Simply connected online and without authentication…
  • A little tip… If you want to quickly check for stuff (web related) that has no authentication, use NMAP!
  • A little tip… First, let's get wkhtmltoimage:
        wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
        tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
        cp wkhtmltoimage-i386 /usr/local/bin/
    Next, let's get and install the Nmap module:
        git clone git://github.com/SpiderLabs/Nmap-Tools.git
        cd Nmap-Tools/NSE/
        cp http-screenshot.nse /usr/local/share/nmap/scripts/
        nmap --script-updatedb
  • A little tip… Then, do your Shodan search and use: (export option) This automatically exports a list of IPs you can import into nmap.
  • A little tip… Then…
  • A little tip… And nmap will automatically take screenshots of the first pages that appear and store them; then you just need to look at those!
  • To end…
  • Openports!
  • SCARY SHIT!DEFACE 1 SCARY? NO!
  • SCARY SHIT!DEFACE 2 SCARY?Well… disturbing, scary? Not so much!
  • SCARY SHIT!
  • SCARY SHIT!
  • SCARY SHIT!
  • Shodan – the bad part
    • Imports nmap scans from their servers on a rotational basis, so it's not always 100% updated! Confirmed this by correlating some of the Shodan results with our own results!
    • For example on MySQL servers, Shodan would find 785, where our results showed 3000+
  • Shodan – the good part
    • Good querying system
    • If port scanning is illegal in your country, you're out of trouble if you use Shodan, because you're just querying data acquired by them.
  • Resources
    • http://secanalysis.com/interesting-shodan-searches/
    • blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
    • http://www.youtube.com/watch?v=LPgZU7ZNIjQ – Defcon 18 2010, SHODAN for Penetration Testers, Michael Schearer
    • http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation
    • http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West
  • Requests: https://www.facebook.com/ptcoresec
  • Invite: http://www.securitybsides.com/w/page/61778144/BSidesLisbon
  • Challenge