
Hacking the Gateways


Slides of my Hacktrick Conf Presentation "Hacking The Gateways"


  1. HACKING THE GATEWAYS. Onur ALANBEL, TaintAll
  2. whoami: Onur ALANBEL • Computer Engineer (IZTECH) • MSc student (EU) • Application Security Researcher @TaintAll • onuralanbel.pro • @onuralanbel • https://packetstormsecurity.com/search/?q=onur+alanbel
  3. Purpose • Gathering a variety of valuable information in an effective way.
  4. Purpose • The motivation of an APT is obtaining highly valuable information from one target. In contrast, the motivation of a mass attack is obtaining valuable information from multiple targets.
  5. Purpose
  6. Purpose
  7. The Plan • Deciding targets
  8. The Plan • Deciding targets • Finding a vulnerability
  9. The Plan • Deciding targets • Finding a vulnerability • Writing (weaponising) the exploit
  10. The Plan • Deciding targets • Finding a vulnerability • Writing (weaponising) the exploit • Writing mass exploitation scripts
  11. The Plan • Deciding targets • Finding a vulnerability • Writing (weaponising) the exploit • Writing mass exploitation scripts • Running the attack
  12. The Plan • Deciding targets • Finding a vulnerability • Writing (weaponising) the exploit • Writing mass exploitation scripts • Running the attack • Analysing results
  13. Attractive Target: Routers • Directly accessible from the internet.
  14. Attractive Target: Routers • Directly accessible from the internet. • Once you own a SOHO router, you can control the whole traffic.
  15. Attractive Target: Routers • Directly accessible from the internet. • Once you own a SOHO router, you can control the whole traffic. • No logs, stealthy (it’s really hard for an investigator to find out what is going on).
  16. Attractive Target: Routers • Directly accessible from the internet. • Once you own a SOHO router, you can control the whole traffic. • No logs: it’s really hard to find out what is going on (very hard). • Very long (long long) update intervals.
  17. Easy Target • Does it have known vulnerabilities?
  18. Easy Target • Does it have known vulnerabilities? • Has the vendor published any security advisory?
  19. Easy Target • Does it have known vulnerabilities? • Has the vendor published any security advisory? • Are there any third-party products/devices to mitigate exploitation?
  20. AirTies • Web interface?
  21. AirTies • Web interface? • TR-069
  22. AirTies • Web interface? • TR-069 • MiniUPnP (CVE-2013-0230)
  23. Targets From Turkey
  24. Targets From Turkey • http://ip:5555/rootDesc.xml
  25. PreScan • masscan / zmap • +
  26. PreScan • masscan • + • python multiprocessing • =
  27. The Vulnerability • Stack overflow, may lead to RCE. • MiniUPnPd runs on the WAN interface.
  28. Writing the Exploit • MIPS assembly • The CPU has separate data and instruction caches, so you can’t jump to the stack directly. • You can’t jump into the middle of an instruction, which reduces the number of alternative gadgets when building a ROP chain. • The MiniUPnPd process restarts if it crashes or hangs.
  29. Writing the Exploit • MIPS is far easier than x86
  30. Writing the Exploit • MIPS is far easier than x86 • The sleep function may be called to flush the caches.
  31. Writing the Exploit • MIPS is far easier than x86 • The sleep function may be called to flush the caches. • No ASLR, so ROP chains can be used.
  32. Writing the Exploit • MIPS is far easier than x86 • The sleep function may be called to flush the caches. • No ASLR, so ROP chains can be used. • ?
  33. Writing the Exploit • miniupnpd … -P /var/run/miniupnpd.pid
  34. Writing the Exploit • rm /var/run/miniupnpd.pid
  35. Writing the Exploit • rm /var/run/miniupnpd.pid • kill mngr
  36. Writing the Exploit • rm /var/run/miniupnpd.pid • kill mngr • fork and execve
  37. Writing the Exploit • rm /var/run/miniupnpd.pid • kill mngr • fork and execve • Details: Developing MIPS Exploits to Hack Routers • Exploit: AirTies RT Series (MIPS)
  38. Bonus Trick • (iptables chain listing) Chain remote-mgmt-input (1 references) / target prot opt source destination / DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 / DROP
  39. Bonus Trick • iptables -A remote-mgmt-input -p tcp -m multiport --dports 23,
  40. Bonus Trick • cat /etc/passwd • crypt function • john rootpass.txt
  41. What Have We • Free Wi-Fi :)
  42. What Have We • Free Wi-Fi :) • Botnet army?
  43. What Have We • Free Wi-Fi :) • Botnet army? • Internet traffic (DNS, GW)
  44. What Have We • Free Wi-Fi :) • Botnet army? • Internet traffic (DNS, GW) • A big chance to infect connected clients (MITMf)
  45. Next Step • 0day
  46. Next Step • 0day • + • Persistence
  47. Questions
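Slide 24 probes gateways for /rootDesc.xml on port 5555 and slide 27 notes that MiniUPnPd answers on the WAN interface. As an added example (not from the presentation), this Python check does that single lookup against your own gateway's WAN address to confirm whether its UPnP HTTP service is internet-reachable, parses the device description it returns, and reads the MiniUPnPd version out of the Server header; the port, the field names and the sample XML are assumptions and constructed data, not values from the slides.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

UPNP_NS = "{urn:schemas-upnp-org:device-1-0}"   # default namespace of a UPnP device description
ID_FIELDS = ("friendlyName", "manufacturer", "modelName", "serialNumber")

def parse_root_desc(xml_text):
    """Pull the identifying fields a rootDesc.xml hands to anyone who can fetch it."""
    root = ET.fromstring(xml_text)   # stdlib parser; prefer defusedxml for an untrusted device
    dev = root.find(UPNP_NS + "device")
    info = {}
    for name in ID_FIELDS:
        el = dev.find(UPNP_NS + name) if dev is not None else None
        info[name] = el.text.strip() if el is not None and el.text else None
    return info

def miniupnpd_version(server_header):
    """Return the MiniUPnPd version tuple advertised in an HTTP Server header, or None."""
    m = re.search(r"MiniUPnPd/(\d+(?:\.\d+)*)", server_header or "", re.IGNORECASE)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def check_gateway(host, port=5555, timeout=5):
    """Fetch rootDesc.xml from host:port; a success against your WAN address means UPnP is exposed."""
    url = f"http://{host}:{port}/rootDesc.xml"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            server = resp.headers.get("Server")
            body = resp.read().decode("utf-8", "replace")
    except (OSError, ValueError):   # refused, timed out or unroutable: not reachable from here
        return {"exposed": False, "url": url}
    try:
        info = parse_root_desc(body)
    except ET.ParseError:           # something answered on the port, but not a device description
        info = {}
    return {"exposed": True, "url": url, "server": server,
            "miniupnpd": miniupnpd_version(server), **info}

# Constructed sample in the shape of an IGD device description (not captured from a real device).
SAMPLE_ROOT_DESC = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device>
  <friendlyName>Example Gateway</friendlyName>
  <manufacturer>ExampleVendor</manufacturer>
  <modelName>RT-EXAMPLE</modelName>
  <serialNumber>000000000000</serialNumber>
 </device>
</root>"""
```

Run `check_gateway("<your WAN IP>")` from outside your network; an `exposed: True` result with a MiniUPnPd version in the Server header is exactly the situation the slides rely on, and the fix is to keep the UPnP service on the LAN side only.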
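Slide 40 recovers the root password from /etc/passwd with the crypt function and john. As an added example (not from the presentation), this Python audit flags the condition that makes that possible: password hashes stored in passwd itself rather than in a shadow file, and in particular the traditional DES crypt format that cracks quickly; the sample passwd lines are constructed, not taken from a device.

```python
import re

# Traditional DES crypt: 2-char salt + 11-char hash from the ./0-9A-Za-z alphabet, no '$' prefix.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
PREFIXES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}

def classify_hash(field):
    """Name the scheme used in a passwd password field."""
    if field == "":
        return "empty"                      # no password at all
    if field in ("x", "*") or field.startswith("!"):
        return "shadowed-or-locked"         # hash lives in /etc/shadow, or login is disabled
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_CRYPT.match(field):
        return "des-crypt"
    return "unknown"

def audit_passwd(text):
    """Report accounts whose credential is readable in /etc/passwd itself."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or line.startswith("#"):
            continue
        user, pw, uid = parts[0], parts[1], parts[2]
        scheme = classify_hash(pw)
        if scheme == "shadowed-or-locked":
            continue
        # DES crypt truncates to 8 chars and cracks fast; an empty field needs no cracking; uid 0 is root.
        severity = "high" if scheme in ("des-crypt", "empty") or uid == "0" else "medium"
        findings.append({"user": user, "uid": uid, "scheme": scheme, "severity": severity})
    return findings

# Constructed sample lines (not from a real device).
SAMPLE_PASSWD = """root:ab01aBcdEfghi:0:0:root:/root:/bin/sh
admin:$1$saltsalt$abcdefghijklmnopqrstuv:0:0:admin:/:/bin/sh
user:$6$saltsalt$abcdefghijklmnopqrstuv:1000:1000:user:/home/user:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```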
