
SD-WAN Internet Census, ZeroNights 2018



The goal of this talk is to present the results of passive and active fingerprinting of SD-WAN systems using a common threat intelligence approach. We explore Internet-based and cloud-based publicly available SD-WAN systems using the well-known «Shodan» and «Censys» search engines and custom-developed automation tools, and show that most of the SD-WAN systems have known vulnerabilities related to outdated software and insecure configuration.

Anton Nikolaev, Denis Kolegov, Oleg Broslavsky

Published in: Technology


  1. or How to Find SD-WANs and Not to Lose Yourself. Denis Kolegov, Oleg Broslavsky, Anton Nikolaev
  2. Not (really) so long ago, we decided to start a big SD-WAN journey. SD-WAN NewHope
  3. “SD-WAN is perfectly safe for implementing wide-area networks affordably, efficiently and securely.”
  4. Perfectly safe? Not exactly...
  5. XSS
  6. Client-side Authentication ? ! // TODO: fix in prod ?
  7. OS Command Injection
  8. OS Command Injection
  9. Unfortunately, this talk is not about sophisticated hacking techniques (because you do not need them to hack SD-WAN). This talk is about how to find those low-hanging fruits on the Internet.
  10. The Main Questions • How many SD-WAN nodes are on the Internet? • Do we need new techniques to scan and fingerprint them? • How to find vulnerable SD-WAN nodes?
  11. Approach: Best Effort. When you have to underline the best effort approach but you don’t know exactly how to
  12. But nevertheless, let’s start!
  13. SD-WAN Essence or That Boring Part of Slides Again
  14. F*ck that shit! We are hackers!
  15. Just kidding. We need it for understanding.
  16. Traditional WAN vs Software-defined WAN
  17. Search Engines
  18. Straightforward Examples
  19. More Sophisticated Examples
  20. Query Correction: html:Sonus + title: "SBC Management Application"
  21. More Query Correction! We can use corrections to build a full product map!
  22. Query Confidence: Firm, Certain, Tentative
  23. Version Leakage
  24. Version Leakage Patterns
  25. How to Find Them All? Let’s help Dora!
  26. We have a leakage!
  27. We have a NMAP!
  28. Pen Pineapple Apple SD-WAN Infiltrator!
  29. SD-WAN Infiltrator
  30. What About Really Hard Cases? Easy Peasy Lemon Squeezy? Difficult Difficult Lemon Difficult!
  31. SSH Fingerprinting: SD-WAN version in /etc/issue message masscan our banner zgrab /sdnewhop/zgrab2 /nmap/nmap/issues/1389
  32. Websocket • Nmap can’t scan Websocket • No standard NSE Websocket libraries • Weird behavior in custom NSE Websocket libraries
  33. Indirect Version Leakage
  34. Stop! What about Internet scanning?
  35. You should scan all Internet using masscan
  36. -Johny, Johny? -Yes, papa -Scanning Internet? -No, papa -Telling lies? -No, papa
  37. > well you kinda killed the entire Tomtech network.. > literally everything is down. > so looks like I can’t help you with servers anymore, sorry.
  38. SD-WAN Harvester
  39. SD-WAN Harvester Workflow: Find SD-WANs, Grab versions, Run NSE, Frontend, Get results
  40. Results
  41. SD-WAN Map
  42. Top SD-WAN Vendors Found
  43. Top SD-WAN Solutions Found
  44. Top SD-WAN Vulnerabilities
  45. Harvester Charts. But seriously, harvester can build the following pie charts by: • vulnerabilities • vendors • products • countries • continents harvester/tree/master/samples
  46. Conclusions • Many different vendors and related products have been found • Most products are susceptible to version leakage • More often products are leaky and vulnerable
  47. SD-WAN New Hope • Sergey Gordeychik • Denis Kolegov • Oleg Broslavsky • Max Gorbunov • Nikita Oleksov • Nikolay Tkachenko • Anton Nikolaev • SD-WAN Internet Census • SD-WAN Harvester • SD-WAN Infiltrator • SD-WAN Threat Landscape