Country domination - Causing chaos and wrecking havoc

How to own a country

Published in: Technology
Slide notes:
  • http://www.youtube.com/watch?v=WUhOnX8qt3I
  • http://www.shodanhq.com/?q=Xerver (REF: http://www.exploit-db.com/exploits/9718)
  • http://www.shodanhq.com/?q=Golden+FTP+Server (REF: http://www.exploit-db.com/exploits/10258)
  • https://community.rapid7.com/community/metasploit/blog/2012/06/11/scanning-for-vulnerable-f5-bigips-with-metasploit
  • https://community.rapid7.com/community/metasploit/blog/2012/06/25/press-f5-for-root-shell
  • SAP applications provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel, plants, and archived documents.
  • SNMP (source: http://opasylum.net/WikiTreason/pentest/scanners/snmp/snmpenum/windows.txt)
  • UPNP
  • Explain FIREWALL THINGIE
  • Source: http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html

    1. Country d0m1nat10n – balgan@ptcoresec.eu
    2. Who Am I? Team Leader of these guise • Tiago Henriques • @balgan • 24 • BSc • MSc • CEH • CHFI • CISSP • MCSA • CISA • CISM • CPT • CCNA. Currently employed by these guise.
    3. What will we talk about today?
    4. I AM NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS THAT YOU PRACTICE OR ANYONE THAT LEARNS SOMETHING FROM TODAY'S PRESENTATION.
    5. Causing Chaos. If you guys were an attacker that was out to cause real damage or get profit, how would you go about it? This is what I would do: control as many machines in that country, penetrate critical systems and get as much info as possible. And that's what I am gonna talk about today.
    6. Business. When a client asks for a pentest we present them with these:
    7. Business
    8. Business
    9. Business
    10. Business. And that's all really neat and pretty, however there are 2 problems with that! These guys don't give a f***: Management, Blackhats.
    11. Management. Cares about: • Money • Money • Money. Does: • Will lie for PCI DSS • Approves every single thing even if it doesn't match security department goals but gets them moneys. This shit gives us, security peeps, headaches!
    12. Blackhats. I managed to acquire video footage that shows these guys in action and their vision of the world, let's have a sneak peek!
    13. Video - Blackhats
    14. Tonight only, I ask one thing of you: leave your whitehats and CISSPs at home, and embark on a journey with me to make the world…
    15. SHODAN. SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Another way of putting it would be:
    16. Is the … Of these
    17. Now combine this: … With these: …
    18. And you get a lot of these
    19. Also if you do anything illegal and get caught, you'll get one of these:
    20. SHODAN. Now it's when you ask:
    21. Shodan: http://www.shodanhq.com/
    22. SHODAN. Accessing that website will give you a bar, where you can type queries and obtain results. Your queries can ask for ports, countries, strings contained in the banners, and all sorts of other things. Following is a sample set of queries that can lead to some interesting results:
    23. SHODAN QUERIES
        • http://www.shodanhq.com/?q=cisco-IOS
        • http://www.shodanhq.com/?q=IIS+4.0
        • http://www.shodanhq.com/?q=Xerver
        • http://www.shodanhq.com/?q=Fuji+xerox
        • http://www.shodanhq.com/?q=JetDirect
        • http://www.shodanhq.com/?q=Netgear
        • http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22
        • http://www.shodanhq.com/?q=Golden+FTP+Server
    24. SHODAN QUERIES + combined country? Awesome! Saturday, 9th of June 2012
    25. SHODAN QUERIES + combined country: Port: 3306 country:PT
    26. SHODAN QUERIES + combined country? Awesome! Wednesday, 6th of June 2012
    27. SHODAN QUERIES + combined country: BigIP country:PT
    28. SHODAN QUERIES + combined country? Awesome! Tuesday, March 13, 2012
    29. SHODAN QUERIES + combined country: port:3389 -allowed country:PT
    30. SHODAN QUERIES + combined country? Awesome!
    31. SHODAN QUERIES OF AWESOMENESS: SAP Web Application Server (ICM) – Worldwide / Portugal
    32. SHODAN QUERIES OF AWESOMENESS: SAP NetWeaver Application Server – Worldwide / Portugal
    33. SHODAN QUERIES OF AWESOMENESS: SAP Web Application Server – Worldwide / Portugal
    34. SHODAN QUERIES OF AWESOMENESS: SAP J2EE Engine – Worldwide / Portugal
    35. SHODAN QUERIES OF AWESOMENESS
    36. SHODAN QUERIES OF AWESOMENESS: port:23 country:PT – Worldwide / Portugal
    37. SHODAN QUERIES OF AWESOMENESS: port:23 country:PT – Username:admin Password:smcadmin
    38. SHODAN QUERIES OF AWESOMENESS: port:23 list of built-in commands – Worldwide. Not a big number, however just telnet in and you get shell…
    39. SHODAN QUERIES OF AWESOMENESS: port:161 country:PT – Worldwide / Portugal
    40. SHODAN QUERIES OF AWESOMENESS. What sort of info do I get with SNMP? Windows:
        • RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
        • INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
        • SYSTEM INFO 1.3.6.1.2.1.1.1
        • HOSTNAME 1.3.6.1.2.1.1.5
        • DOMAIN 1.3.6.1.4.1.77.1.4.1
        • UPTIME 1.3.6.1.2.1.1.3
        • USERS 1.3.6.1.4.1.77.1.2.25
        • SHARES 1.3.6.1.4.1.77.1.2.27
        • DISKS 1.3.6.1.2.1.25.2.3.1.3
        • SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
        • LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
        • LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
    41. SHODAN QUERIES OF AWESOMENESS. What sort of info do I get with SNMP? Linux:
        • RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
        • SYSTEM INFO 1.3.6.1.2.1.1.1
        • HOSTNAME 1.3.6.1.2.1.1.5
        • UPTIME 1.3.6.1.2.1.1.3
        • MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
        • RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
        • LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
        • LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
    42. SHODAN QUERIES OF AWESOMENESS. What sort of info do I get with SNMP? Cisco:
        • LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
        • INTERFACES 1.3.6.1.2.1.2.2.1.2
        • SYSTEM INFO 1.3.6.1.2.1.1.1
        • HOSTNAME 1.3.6.1.2.1.1.5
        • SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
        • UPTIME 1.3.6.1.2.1.1.3
        • IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
        • INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
        • HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
        • TACACS SERVER 1.3.6.1.4.1.9.2.1.5
        • LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
        • PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
        • SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
    43. SHODAN QUERIES OF AWESOMENESS
    44. SHODAN QUERIES OF AWESOMENESS: cisco country:PT – Worldwide / Portugal
    45. SHODAN QUERIES OF AWESOMENESS: cisco country:PT
    46. Cisco
    47. Cisco – GRE TUNNELING
    48. SHODAN QUERIES OF AWESOMENESS: port:1900 country:PT – Worldwide / Portugal
    49. SHODAN QUERIES OF AWESOMENESS. So, what is UPNP?
    50. SHODAN QUERIES OF AWESOMENESS. So, what uses UPNP?
    51. SHODAN QUERIES OF AWESOMENESS. Hackz
    52. SHODAN QUERIES OF AWESOMENESS. Hackz
    53. SHODAN QUERIES OF AWESOMENESS. UPNP zomg time
    54. SHODAN QUERIES OF AWESOMENESS. UPNP remote command execution
    55. SHODAN QUERIES OF AWESOMENESS. Oh and by the way…
    56. SHODAN QUERIES OF AWESOMENESS. Another funny thing about UPNP is that you can get the MAC ADDR and SSID it's using. And then…
    57. SHODAN (MORE INTERESTING) QUERIES: SCADA
        • http://www.shodanhq.com/?q=PLC
        • http://www.shodanhq.com/?q=allen+bradley
        • http://www.shodanhq.com/?q=fanuc
        • http://www.shodanhq.com/?q=Rockwell
        • http://www.shodanhq.com/?q=Cimplicity
        • http://www.shodanhq.com/?q=Omron
        • http://www.shodanhq.com/?q=Novatech
        • http://www.shodanhq.com/?q=Citect
        • http://www.shodanhq.com/?q=RTU
        • http://www.shodanhq.com/?q=Modbus+Bridge
        • http://www.shodanhq.com/?q=modicon
        • http://www.shodanhq.com/?q=bacnet
        • http://www.shodanhq.com/?q=telemetry+gateway
        • http://www.shodanhq.com/?q=SIMATIC
        • http://www.shodanhq.com/?q=hmi
        • http://www.shodanhq.com/?q=siemens+-...er+-Subscriber
        • http://www.shodanhq.com/?q=scada+RTS
        • http://www.shodanhq.com/?q=SCHNEIDER
    58. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal?
    59. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal
    60. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal
    61. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal
    62. SHODAN (MORE INTERESTING) QUERIES: SCADA Portugal
    63. A little tip… If you want to quickly check for stuff (web related) that has no authentication, use NMAP!
    64. A little tip… First, let's get wkhtmltoimage:
          wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
          tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
          cp wkhtmltoimage-i386 /usr/local/bin/
        Next, let's get and install the Nmap module:
          git clone git://github.com/SpiderLabs/Nmap-Tools.git
          cd Nmap-Tools/NSE/
          cp http-screenshot.nse /usr/local/share/nmap/scripts/
          nmap --script-updatedb
    65. A little tip… Then, do your shodan search and use: This automatically exports a list of IPs you can import into nmap.
    66. A little tip… Then…
    67. A little tip… And nmap will automatically take screenshots of the first pages that appear and store them, then you just need to look at those!
    68. To end…
    69. SCARY SHIT! DEFACE 1. SCARY? NO!
    70. SCARY SHIT! DEFACE 2. SCARY? Well… disturbing, scary? Not so much!
    71. SCARY SHIT!
    72. SCARY SHIT!
    73. SCARY SHIT!
    74. Shodan – the bad part. • Imports nmap scans from their servers, so it's not always 100% updated! Confirmed this by correlating some of the shodan results with our personal results! • For example on mysql servers, Shodan would find 785, where our results showed 3000+.
    75. Shodan – the good part. • Good querying system. • If port scanning is illegal in your country, you're out of trouble if you use shodan, because you're just querying data acquired by them.
    76. Kudos: GF, Aaron @f1nux, Luis Grangeia
    77. Resources
        • http://secanalysis.com/interesting-shodan-searches/
        • blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
        • http://www.youtube.com/watch?v=LPgZU7ZNIjQ - Defcon 18 2010 SHODAN for Penetration Testers, Michael Schearer
    78. 50% discount for students and AP2SI peeps
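The SNMP OID table on slides 40–42 is most useful to a defender as a checklist of what a read-only community string gives away. The following is an added example, not code from the talk or from PTCoreSec: it takes a saved `snmpwalk -On` dump of one of your own hosts (a constructed sample is embedded) and reports which of the slides' information classes the agent actually exposes, using longest-prefix matching so that the `0.0.0.0` rows only flag wildcard listeners.

```python
# Added example, not from the talk: OID -> information class, merged from the
# Windows, Linux and Cisco slides (shared MIB-2 rows listed once).
SENSITIVE_OIDS = {
    "1.3.6.1.2.1.1.1": "system info", "1.3.6.1.2.1.1.3": "uptime",
    "1.3.6.1.2.1.1.5": "hostname", "1.3.6.1.2.1.2.2.1.2": "interfaces",
    "1.3.6.1.2.1.4.20.1.1": "ip addresses", "1.3.6.1.2.1.47.1.1.1.1.2": "hardware",
    "1.3.6.1.2.1.6.13.1.3.0.0.0.0": "listening tcp ports",
    "1.3.6.1.2.1.7.5.1.2.0.0.0.0": "listening udp ports",
    "1.3.6.1.2.1.25.2.3.1.3": "disks / mountpoints",
    "1.3.6.1.2.1.25.4.2.1.2": "running processes",
    "1.3.6.1.2.1.25.4.2.1.4": "running software paths",
    "1.3.6.1.2.1.25.6.3.1.2": "installed software",
    "1.3.6.1.2.1.31.1.1.1.18": "interface descriptions",
    "1.3.6.1.4.1.77.1.2.3.1.1": "services", "1.3.6.1.4.1.77.1.2.25": "users",
    "1.3.6.1.4.1.77.1.2.27": "shares", "1.3.6.1.4.1.77.1.4.1": "domain",
    "1.3.6.1.4.1.9.2.1.5": "tacacs server",
    "1.3.6.1.4.1.9.9.41.1.2.3.1.5": "log messages",
    "1.3.6.1.4.1.9.9.43.1.1.6.1.8": "last terminal users",
    "1.3.6.1.4.1.9.9.109.1.2.1.1.2": "cisco processes",
    "1.3.6.1.6.3.12.1.2.1.7": "snmp trap server",
    "1.3.6.1.6.3.12.1.3.1.4": "snmp communities",
}

def classify_oid(oid):
    """Longest-prefix match against the table; None if the OID is not listed.
    The 0.0.0.0 in the TCP/UDP rows means only wildcard listeners match."""
    parts = oid.strip(".").split(".")
    for n in range(len(parts), 0, -1):
        hit = SENSITIVE_OIDS.get(".".join(parts[:n]))
        if hit:
            return hit
    return None

def exposed_categories(walk_output):
    """Parse 'snmpwalk -On' lines ('.oid = TYPE: value') into class -> values."""
    found = {}
    for line in walk_output.splitlines():
        oid, sep, value = line.strip().partition(" = ")
        if sep and (cat := classify_oid(oid)):
            found.setdefault(cat, []).append(value)
    return found

# Constructed sample walk (not from a real host), in snmpwalk -On format.
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.5.0 = STRING: "fileserver01"
.1.3.6.1.2.1.25.4.2.1.2.1337 = STRING: "sshd"
.1.3.6.1.2.1.6.13.1.3.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
.1.3.6.1.2.1.6.13.1.3.10.0.0.5.445.10.0.0.9.51000 = INTEGER: 445
.1.3.6.1.2.1.7.5.1.2.0.0.0.0.161 = INTEGER: 161
"""
```

Run `exposed_categories(open("walk.txt").read())` on a real dump: the established TCP row (local address 10.0.0.5) is correctly ignored, while the wildcard listeners, hostname and process name are reported.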
