Hacking the Gateways

•

0 likes•2,148 views

This document outlines a plan to hack routers by exploiting vulnerabilities. The plan involves deciding targets, finding vulnerabilities in routers like the AirTies RT series, writing exploits in MIPS assembly to achieve remote code execution, writing scripts for mass exploitation, running attacks on targets in Turkey, and analyzing results. Routers are attractive targets because they are directly internet accessible, can control all traffic once compromised, have limited logging capabilities, and rarely receive security updates.

Technology

HACKING THE
GATEWAYS
Onur ALANBEL
TaintAll

whoami
Onur ALANBEL
• Computer Engineer (IZTECH)
• MSc student (EU)
• Application Security Researcher @TaintAll
• onuralanbel.pro
• @onuralanbel
• https://packetstormsecurity.com/search/?q=onur+alanbel

Purpose
• Gathering a variety of valuable information in an
effective way.

Purpose
Motivation of an APT is obtaining highly valuable
information from one target. In contrast, motivation of
a mass attack is obtaining valuable information from
multiple targets.

The Plan
• Deciding targets
• Finding a vulnerability

The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit

The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit
• Writing mass exploitation scripts

The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit
• Writing mass exploitation scripts
• Running the attack

The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit
• Writing mass exploitation scripts
• Running the attack
• Analysing results

Attractive Target: Routers
• Directly accessible from the internet.

Attractive Target: Routers
• Directly accessible from the internet.
• Once you own a SOHO router, you can control the
whole trafﬁc.

Attractive Target: Routers
• Directly accessible from the internet.
• Once you own a SOHO router, you can control the
whole trafﬁc.
• No log, stealth. (it’s really hard for an investigator
to ﬁnd out what is going on.)

Attractive Target: Routers
• Directly accessible from the internet.
• Once you own a SOHO router, you can control the
whole trafﬁc.
• No log, it’s really hard to ﬁnd out what is going on
(very hard)
• Have a long (long long) update interval.

Easy Target
• Does It have known vulnerabilities?

Easy Target
• Does It have known vulnerabilities?
• Does the Vendor have published any security
advisory?

Easy Target
• Does It have known vulnerabilities?
• Does the Vendor have published any security
advisory?
• Are there any third party product/device to
mitigate exploitation.

AirTies
• Web interface?
• TR-069
• MiniUPNP (CVE-2013-0230

Targets From Turkey
• http://ip:5555/rootDesc.xml

PreScan
• masscan
• +
• python multiprocessing
• =

The Vulnerability
• Stack overﬂow, may cause to RCE.
• MiniUPNPd runs on WAN interface.

Writing the Exploit
• MIPS assembly
• CPU has different data and code caches; so, can’t
jump to stack directly.
• Can’t jump into middle of instructions, this reduces
the number of alternative gadgets while creating a
ROP chain.
• MiniUPNPd process restarts if it crashes or hangs.

Writing the Exploit
• MIPS is far easier than x86

Writing the Exploit
• MIPS is far easier than x86
• sleep function may be called to ﬂush caches.

Writing the Exploit
• MIPS is far easier than x86
• sleep function may be called to ﬂush caches.
• No ASLR, ROP chains could be used.

Writing the Exploit
• miniupnpd … -P /var/run/miniupnpd.pid

Writing the Exploit
• rm /var/run/miniupnpd.pid

Writing the Exploit
• rm /var/run/miniupnpd.pid
• kill mngr

Writing t
• rm /var/run/miniupnpd.pid
• kill mngr
• fork and execve

Writing t
• rm /var/run/miniupnpd.pid
• kill mngr
• fork and execve
• Details: Developing MIPS Exploits to Hack Routers
• Exploit:
AirTies RT Series (MIPS)

Bonus Trick
• Chain remote-mgmt-input (1 references)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
DROP

Bonus Trick
• iptables -A remote-mgmt-input -p tcp -m multiport
—dports 23,

Bonus Trick
• cat /etc/passwd
• crypt function
• john rootpass.txt

What Have We
• Free Wiﬁ :)
• Botnet army?

What Have We
• Free Wiﬁ :)
• Botnet army?
• Internet trafﬁc (DNS, GW)

What Have We
• Free Wiﬁ :)
• Botnet army?
• Internet trafﬁc (DNS, GW)
• A big chance to infect connected clients (MITMf)

This document discusses dynamic binary instrumentation and taint analysis techniques. It describes how frameworks like Intel PIN, Valgrind, and DynamoRIO can be used to inject instrumentation code into running binaries. It also explains how taint tracking can identify which parts of code are affected by tainted user input. Symbolic execution and constraint solving with Z3 are presented as methods to perform taint analysis and concolic execution on binaries. Open source tools like Triton, Angr, and BitBlaze TEMU are referenced for dynamic binary analysis.

NSC #2 - Challenge Solution

NoSuchCon

This document summarizes a three-part challenge involving cracking a MIPS binary, exploiting a Python/XXE vulnerability in a web application, and decrypting messages from a SecureDrop-like system. The MIPS binary is cracked by inverting its password checking algorithm. The web app is exploited via XXE to retrieve files containing an admin URL and view state details. Python code is modified at runtime to decrypt an AES key and access a "secret.key" file. This key reveals a tarball containing a SecureDrop implementation. A buffer overflow in SecDrop's service is used to run shellcode. Timing attacks via the CPU cache are then used to retrieve the private RSA key and decrypt messages stored by the SecureDrop-

Can We Prevent Use-after-free Attacks?

inaz2

This document discusses use-after-free attacks and ways to prevent them. It begins with an introduction to dynamic memory allocation and how freed memory can be reallocated. It then explains how dangling pointers can be used to hijack memory and execute arbitrary code through use-after-free vulnerabilities. Several real-world examples are provided. The document discusses various techniques programmers can use to prevent these attacks, such as smart pointers, immediately nullifying freed pointers, and compiler security checks. It also covers operating system defenses like Control Flow Guard on Windows and AddressSanitizer on Linux. The talk concludes with recommendations on comprehensive mitigations through secure coding practices and system hardening.

Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker"

Defcon Moscow

This document discusses hacking routers by exploiting vulnerabilities in their web interfaces. It begins by introducing the author and their background in security research. Several common vulnerabilities are then outlined, including default credentials, authentication bypass, XSS, CSRF and command injection issues. The document provides examples of exploiting these flaws in various router models. A methodology is proposed for analyzing router firmware to find and exploit vulnerabilities, potentially achieving remote code execution. It emphasizes chaining multiple issues together for increased access. Finally, the document suggests that support software, internet service providers, and router developers themselves can also be targeted.

Ricardo J. Rodríguez & Daniel Uroz - When ROP meets Turing: Automatic Generat...

RootedCON

This document describes a tool called EasyROP that can automatically generate ROP chains to bypass W⊕X protections on Windows operating systems. It does this by modeling the ROP chain construction as a Turing machine, where individual ROP gadgets (short sequences of existing code ending in a return) act as the basic operations of the machine. By chaining these gadgets together, the tool can perform Turing-complete computation and deactivate W⊕X protections, allowing arbitrary code execution on the target system. The document outlines the tool's design and evaluates its ability to generate exploit chains through a case study on a real Windows vulnerability.

Sheila Ayelen Berta - The Art of Persistence: "Mr. Windows… I don’t wanna go ...

RootedCON

The document discusses various techniques for achieving persistence on a Windows system without administrator privileges. These include hijacking shell extensions and COM objects by modifying registry keys, taking advantage of globally unique identifiers (GUIDs) and paths stored in the registry. The document recommends hijacking extension handlers and using PowerShell to bypass restrictions when writing to the registry for stealthier persistence.

Raptor web application firewall

Antonio Costa aka Cooler_

Raptor is an open source web application firewall created by Antonio Costa to intelligently block attacks. It uses C for its fast performance and ability to run on different architectures. Raptor acts as a reverse proxy and uses blacklists, a deterministic finite automaton, and input analysis to detect attacks like SQL injection and cross-site scripting. It can block requests from blacklisted IPs and will log any blocked attacks. Raptor is still in beta but provides basic protection and intrusion detection that can be improved going forward.

0d1n

Antonio Costa aka Cooler_

Antonio Costa created the 0d1n tool to automate bruteforcing and fuzzing of web applications written in C for performance. The tool takes parameters like the target host, payload files, and custom request files to identify vulnerabilities like XSS. It can save responses and uses techniques like tampering to bypass defenses. The open source tool is still in beta but can find anomalies and vulnerabilities in parameters, files, directories and forms.

This document discusses how Python can be used for both ethical and unethical hacking purposes. It provides examples of how Python allows for easy learning, is cross-platform, and has many built-in tools and libraries that enable activities like dictionary attacks, brute force cracking, analyzing Skype databases, and using APIs to interact with systems like sockets in a similar way to C. The document also lists several Python security tools and frameworks like Scapy and recommends resources like books and tutorials that provide inspiration for writing hacking tools with Python.

Hacking with Backtrack Lecture-3

Zia Ush Shamszaman

This document discusses techniques for man-in-the-middle attacks using Backtrack 5 R3. It begins with a caution that the information is for educational purposes only. It then outlines different attack scenarios like ARP poisoning and DNS spoofing that can be used locally or through a gateway. The bulk of the document provides step-by-step instructions for setting up an ARP poisoning man-in-the-middle attack on a local area network using tools like Ettercap on Backtrack 5 R3. It concludes with reminders not to use the techniques for illegal purposes and to learn more about how ports and IP addressing work.

Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...

Maksim Shudrak

Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...

Maksim Shudrak

Fuzzing remains to be the most effective technique for bugs hunting in memory-unsafe programs. Last year, hundreds of security papers and talks on fuzzing have been published and dozens of them were focused on adapting or improving American Fuzzy Lop in some way. Attracting with its simplicity and efficiency, AFL is the number one choice for the vast majority of security researchers. This high popularity means that hunting for bugs with AFL or a similar tool is becoming less and less fruitful since many projects are already covered by other researchers. It is especially hard when we talk about a project participating in Google OSS-Fuzz program which utilizes AFL to generate a half-trillion test cases per day. In practice, this means that we can not blindly rely on AFL anymore and should search for better fuzzing techniques. In order to overcome this challenge, we need to understand how AFL and similar fuzzers work and be able to use their weaknesses to find new 0days. This talk is aimed to discuss these weaknesses on real examples, explain how we can do fuzzing better and release a new open-source fuzzer called Manul. Manul is a high-scalable coverage-guided parallel fuzzer with the ability to search for bugs in open source and black box binaries on Windows and Linux. Manul was able to find 10 0-days in 4 widely-used projects that have been extensively tested by AFL. These vulnerabilities were not found by chance, but by analyzing and addressing issues exist in AFL. Authors will show several of the most critical vulnerabilities and explain why AFL overlooked them. This talk will be interested for experienced hackers, who are willing to improve their bug hunting capabilities, as well as for new researchers, who are making their first steps on the thorny trail of bug hunting.

Chromium Sandbox on Linux (BlackHoodie 2018)

Patricia Aas

Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"

Defcon Moscow

- Man-in-the-middle (MiTM) attacks are fundamental communication attacks that can be implemented in various conditions and technologies. - As communications technologies have advanced from dial-up to 4G/5G, security has evolved slowly, creating opportunities for MiTM attacks at new layers. - There are many ways to conduct MiTM attacks including via Ethernet, WiFi, VPNs, and by compromising routers to intercept traffic on the local network or WAN. Practical experience with tools is important for learning different MiTM techniques.

Linux Security APIs and the Chromium Sandbox

Patricia Aas

The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context. The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.

Kasza smashing the_jars

PacSecJP

The document discusses various Java-based remote access trojans (RATs) and their evolution over time. It begins with an overview of Java basics and how RATs are packaged in JAR files. It then analyzes the lineage of several RAT families like Frutas, Adwind, Unrecom, AlienSpy, jSocket, and others; how they emerged and were developed over time, sharing codebases and techniques. Common behaviors of Java RATs are also outlined, such as obfuscation, anti-analysis tricks, and persistence mechanisms. The document concludes with recommendations for analyzing and detecting Java threats.

Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...

Mail.ru Group

This document discusses hardware vulnerabilities in telecommunications devices. It is written by a hacker researcher who has been hacking telecom hardware since 2012. It outlines common vulnerabilities like default credentials, backdoors, and input validation issues that can be exploited in devices like modems, routers, switches, and more. Statistics on vulnerabilities in specific vendor devices are provided. Exploitation techniques for compromising 3G/4G modems and routers are described, including bypassing authentication and exploiting command injection. The document warns that with access come responsibilities and concludes with a hypothetical scenario for "robbing a train in the 21st century" by hacking its on-board WiFi network.

Introduction to Memory Exploitation (CppEurope 2021)

Patricia Aas

Масштабируемый и эффективный фаззинг Google Chrome

Positive Hack Days

Ведущий: Макс Мороз Обзор системы ClusterFuzz, позволяющей осуществить проверку браузера Chrome на наличие уязвимостей в режиме реального времени и получить воспроизводимые результаты исследования каждого конкретного сбоя. Будут продемонстрированы преимущества использования различных санитайзеров и LibFuzzer, библиотеки для направленного фаззинга. Будет приведена подробная статистика видов уязвимостей, найденных в Chrome. Слушатели узнают о подводных камнях распределенного фаззинга; о том, как можно запустить свои собственные фаззеры в инфраструктуре Google и получить вознаграждение за найденные уязвимости.

Chromium Sandbox on Linux (NDC Security 2019)

Patricia Aas

AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay

INCIDE

The internet of $h1t

Amit Serper

I was asked to talk in front of Computer science students at the Bar-Ilan university about "what happens" when you don't care about writing "secured" or "safe" code. A perfect example for that, in my opinion, was the world of embedded computing AKA the IoT. I talked about the history of consumer embedded devices and showed a live demo of an 0day I found in one of the most popular routers in the country.

Buffer Overflow Attacks

securityxploded

[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...

Andrea Draghetti

Web application security and Python security best practices

PGS Software S.A.

Un) fucking forensics

Shane Macaulay

2016 TTL Security Gap Analysis with Kali Linux

Jason Murray

Kali Linux - Falconer

Tony Godfrey

Tony Godfrey gave a presentation on Kali Linux at the Ohio HTCIA 2014 Spring Conference. Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It contains many security tools for information gathering, vulnerability analysis, password attacks, wireless attacks, exploitation tools, and more. The presentation demonstrated how to use various command line tools in Kali Linux like nmap, nmap, rlogin, and showed how to use Metasploit within msfconsole.

DefCon 2012 - Rooting SOHO Routers

Michael Smith

The document discusses vulnerabilities in Netgear SOHO routers that allow remote code execution. It describes analyzing the firmware of a Netgear WNDR3700 router to find SQL injection vulnerabilities in the MiniDLNA media server. These vulnerabilities can be chained to extract passwords from the router's filesystem and execute arbitrary code by manipulating the database and triggering a buffer overflow. The talk will include a live demonstration exploiting these issues to gain a root shell on the router.

Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...

DefconRussia

This document summarizes techniques for reverse engineering MIPS firmware. It discusses extracting firmware from devices, analyzing firmware binaries to find code, filesystems and encryption. It provides an overview of the MIPS architecture and reversing tools. It also presents a case study on analyzing routers from Draytek, including decrypting configuration files, dumping firmware and extracting the compressed filesystem. Master keys were derived from MAC addresses using a simple polynomial algorithm.

What's hot

Violent python

Xatierlike Lee

Hacking with Backtrack Lecture-3

Zia Ush Shamszaman

Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...

Maksim Shudrak

Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...

Maksim Shudrak

Chromium Sandbox on Linux (BlackHoodie 2018)

Patricia Aas

Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"

Defcon Moscow

Linux Security APIs and the Chromium Sandbox

Patricia Aas

Kasza smashing the_jars

PacSecJP

Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...

Mail.ru Group

Introduction to Memory Exploitation (CppEurope 2021)

Patricia Aas

Масштабируемый и эффективный фаззинг Google Chrome

Positive Hack Days

Chromium Sandbox on Linux (NDC Security 2019)

Patricia Aas

AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay

INCIDE

The internet of $h1t

Amit Serper

Buffer Overflow Attacks

securityxploded

[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...

Andrea Draghetti

Web application security and Python security best practices

PGS Software S.A.

Un) fucking forensics

Shane Macaulay

2016 TTL Security Gap Analysis with Kali Linux

Jason Murray

Kali Linux - Falconer

Tony Godfrey

What's hot (20)

Violent python

Hacking with Backtrack Lecture-3

Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...

Zero bugs found? Hold my beer AFL! how to improve coverage-guided fuzzing and...

Chromium Sandbox on Linux (BlackHoodie 2018)

Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"

Linux Security APIs and the Chromium Sandbox

Kasza smashing the_jars

Олег Купреев «Уязвимости программного обеспечения телекоммуникационного обору...

Introduction to Memory Exploitation (CppEurope 2021)

Масштабируемый и эффективный фаззинг Google Chrome

Chromium Sandbox on Linux (NDC Security 2019)

AntiVirus Evasion Techniques Use of Crypters 2k14 at MundoHackerDay

The internet of $h1t

Buffer Overflow Attacks

[English] BackBox Linux and Metasploit: A practical demonstration of the Shel...

Web application security and Python security best practices

Un) fucking forensics

2016 TTL Security Gap Analysis with Kali Linux

Kali Linux - Falconer

Viewers also liked

DefCon 2012 - Rooting SOHO Routers

Michael Smith

Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...

DefconRussia

Hardware Hacking and Arduinos

Howard Mao

This document provides an overview of using Arduinos for hardware hacking and includes instructions for four example projects: 1. An LED sweep circuit that uses digital output pins to light up LEDs in sequence. 2. An analog LED sweep that dims the brightness of trailing LEDs using PWM. 3. A variable speed circuit that uses a potentiometer as a voltage divider to control delay time based on input voltage. 4. A pause button circuit that uses an interrupt pin to pause and resume the LED sweeping pattern when a button is pressed. Safety tips are also provided around using appropriate voltages and ensuring components are oriented correctly.

Arduino: Open Source Hardware Hacking from the Software Nerd Perspective

Howard Lewis Ship

This document discusses Arduino open source hardware from the perspective of a software developer. It provides an overview of Arduino boards and their specifications. It then demonstrates some basic Arduino projects like blinking an LED and reading input from a button or potentiometer. It also covers scaling up projects using shift registers and discusses next steps of using more sensors and displays. The goal is to show how easy it is for software developers to get started with Arduino and physical computing.

Binary Hacking Hakkında Herşey

Onur Alanbel

Advanced SOHO Router Exploitation XCON

Lyon Yang

Lyon Yang gave a presentation about exploiting IoT and embedded devices. He discussed how he became interested in embedded systems exploitation and contributed to the field. Yang explained common vulnerabilities he finds, such as stack overflows, backdoors, and exposed credentials. He demonstrated attacks like privilege escalation, command injection, and exploiting cache coherency issues. Yang provided tips for writing exploits against various architectures and overcoming challenges like bad characters and auto-restarting services.

Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang

Lyon Yang

This is a light training/presentation talk. My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts. Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop. https://www.iotvillage.org/#schedule

Automating Analysis and Exploitation of Embedded Device Firmware

Malachi Jones

Dynamic binary analysis tools utilize a combination of techniques that include fuzzing, symbolic execution, and concolic execution to discover exploitable code in sophisticated binaries. Much work has been dedicated to developing automated analysis tools to target mainstream processor architectures (e.g. x86 and x86_64. ). An often overlooked and inadequately addressed area is the development of tools that target embedded systems processors that include PowerPC, MIPS, and SuperH. Historically, a challenge with targeting multiple embedded architectures was that it was often necessary to write an analysis tool for each architecture. In this talk, we'll discuss an approach for decoupling the architecture specifics from the analysis by utilizing intermediate representation (IR) languages. Intermediate representation languages provide a method to abstract out machine specifics in order to aid in the analysis of computer programs. In particular, the LLVM IR language provides an extensive set of analysis and optimization libraries, along with a JIT engine, that can be collectively utilized to develop architecture-independent automated analysis and exploitation tools.

IOT Exploitation

Cysinfo Cyber Security Community

This document provides an overview of exploiting insecure IoT firmware. It begins with an introduction to IoT protocols like CoAP, MQTT, XMPP, and AMQP. It then discusses the OWASP top 10 security risks for IoT, focusing on insecure software/firmware. Common debugging interfaces for firmware like UART, JTAG, SPI, and I2C are explained. Operating systems and compilers used for IoT development are listed. Finally, the document outlines a methodology for exploiting insecure firmware, including getting the firmware, performing reconnaissance, unpacking, localizing points of interest, and then decompiling, compiling, tweaking, fuzzing, or pentesting the firmware. Tools mentioned include binwalk, firmwalk

Developing MIPS Exploits to Hack Routers

BGA Cyber Security

This document discusses developing exploits for routers running MIPS binaries. It begins by setting up a Debian MIPS environment using QEMU for testing exploits. The document then analyzes a stack overflow vulnerability in MiniUPnPd version 1.0 as a target. Details are provided on obtaining the MiniUPnPd binary from router firmware, setting up remote debugging of the binary, and triggering the vulnerability with a long SOAP request. The document concludes by discussing restrictions in writing the exploit and finding an appropriate return-oriented programming chain to execute shellcode.

Open Source Cyber Weaponry

Joshua L. Davis

The document discusses the evolution of cyber weapons and offensive security tools from 1999 to today. It describes how such tools have progressed from being in their infancy to becoming highly sophisticated. A key point is that many military and government contractors now openly use open source tools like Metasploit due to their capabilities, cost effectiveness, and the ability to easily adapt them. The document highlights the features and power of the Metasploit framework, including its modular design, wide range of exploits and payloads, automation capabilities, and use by many organizations for tasks like vulnerability research and penetration testing at scale.

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware

Lastline, Inc.

Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.

C&C Botnet Factory

Nullbyte Security Conference

Palestra realizada por Toronto Garcez aka torontux durante a 3a. edição da Nullbyte Security Conference em 26 de novembro de 2016. Resumo: O objetivo da apresentação é demonstrar de forma prática, o passo-a-passo para criar uma botnet com roteadores wi-fi e/ou embarcados em geral. Será demonstrado o desenvolvimento de um comando e controle e a utilização de firmwares "backdorados" para tornar dispositivos em bots.

Viewers also liked (13)

DefCon 2012 - Rooting SOHO Routers

Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...

Hardware Hacking and Arduinos

Arduino: Open Source Hardware Hacking from the Software Nerd Perspective

Binary Hacking Hakkında Herşey

Advanced SOHO Router Exploitation XCON

Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang

Automating Analysis and Exploitation of Embedded Device Firmware

IOT Exploitation

Developing MIPS Exploits to Hack Routers

Open Source Cyber Weaponry

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware

C&C Botnet Factory

Similar to Hacking the Gateways

DC612 Day - Hands on Penetration Testing 101

dc612

Title: Hands on Penetration Testing 101 by Scott Sutherland & Karl Fosaaen Abstract: The goal of this training is to introduce attendees to standard penetration test methodologies, tools, and techniques. Hands on labs will cover the basics of asset discovery, vulnerability enumeration, system penetration, privilege escalation, and bypassing end point protection. During the labs, common vulnerabilities will be leveraged to illustrate attack techniques, using freely available tools such as Nmap and Metasploit. This training will be valuable to anyone interested in gaining a better understanding of penetration testing or to system administrators trying to understand common attack approaches.

Infosecurity.be 2019: What are relevant open source security tools you should...

B.A.

Phases of penetration testing

Abdul Rahman

A penetration test involves four main phases: reconnaissance, scanning, exploitation, and maintaining access. In the reconnaissance phase, tools are used to gather information about the target system without authorization. Scanning identifies open ports and vulnerabilities. Exploitation attempts to gain unauthorized control of systems by exploiting vulnerabilities, such as using password crackers. Maintaining access involves creating backdoors for future unauthorized access, such as using network sniffing tools or installing rootkits. Popular tools used in penetration tests include Nmap for scanning, Metasploit for exploitation, and Netcat for creating backdoors. Defending against penetration tests requires monitoring information published online, properly configuring firewalls and access controls, patching systems, and using antivirus and intrusion detection software

RIoT (Raiding Internet of Things) by Jacob Holcomb

Priyanka Aash

The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform. Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security. For more signup(it's free): www.cisoplatform.com

Ready set hack

GDSCBVCOENM

CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...

CODE BLUE

Embedded device security is an issue of global importance, and one that has grown exponentially over the last few years. Because of their slow patch cycles and the increasing difficulty of exploiting other,more traditional platforms, they have quickly become a favorite target for researchers and attackers alike. While deeply fragmented, each country has its own unique “footprint” of these devices on the Internet, based largely on the embedded devices distributed by major ISPs. We will use our survey of Japanese devices as an example of how, by fingerprinting and examining popular devices on a given country's networks, it is possible for an attacker to very quickly go from zero knowledge to widespread remote code execution. During this talk, we provide an in-depth analysis of various routers and modems provided by popular Japanese ISPs, devices which we had never heard of on networks we had never used . We discuss how we approached surveying approximate market usage, reverse engineering obfuscated and encrypted firmware images, performing vulnerability analysis on the recovered binaries, and developing of proof-of-concept exploits for discovered vulnerabilities, all from the United States. In addition, we provide recommendations as to how ISPs and countries might begin to address the serious problems introduced by these small but important pieces of the Internet. All vulnerabilities discovered were promptly and responsibly disclosed to affected parties.

Hacking Blind

NikitaAndhale

We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.

Hacking blind

NikitaAndhale

Dealing with legacy code

G Prachi

This document discusses various techniques for sandboxing untrusted code, including chroot jails, system call interposition, virtual machines, and software fault isolation. It notes that completely isolating applications is often inappropriate, as they need controlled ways to communicate. The key challenges are implementing reference monitors to enforce isolation policies and specifying the right policy for each application to define what behavior is allowed.

Python for pentesters

Rashid feroz

This document discusses using Python for penetration testing and security tasks. It notes that Python has a simple learning curve, extensive libraries, and is multiplatform, making it useful for quick prototyping and easier automation. Python can be used for exploit development, networking, debugging, encryption/decryption, reverse engineering, fuzzing, web applications, forensics, and malware analysis. Popular Python security tools include TMSET, TMCore Impact, TMW3AF, TMSqlmap, TMImmunityDebugger, TMImpacket, and TMIronWASP. The document provides examples of using Python for port scanning, creating a one-line web server, and exploit development. It also lists useful Python

Metasploitation part-1 (murtuja)

ClubHack

This document provides an overview of metasploitation and using the Metasploit framework. It discusses basics like vulnerabilities, exploits, payloads and encoders. It then covers using the msfconsole interface, exploit modules, auxiliary modules like scanners, databases integration, automation, client-side exploits, payload generation, backdooring files, Linux backdoors, Meterpreter, pivoting, and post-exploitation techniques. The document includes several screenshots and links resources for further information.

Speck & Tech: Attacking iOS (A brief overview)

Filippo Bigarella

This document summarizes techniques for attacking iOS security. It outlines getting initial code execution through vulnerabilities like JavaScriptCore use-after-frees. It then discusses escalating privileges by escaping the sandbox, leveraging stack buffer overflows, and defeating protections like ASLR, DEP, and KPP. The goal is to achieve kernel code execution and install a persistent implant by bypassing iOS security measures at each level of the software stack.

Malware analysis _ Threat Intelligence Morocco

Touhami Kasbaoui

The document discusses two cyber threats that existed in Morocco: 1. A password info stealer malware that was responsible for 90% of attacks. Intelligence tracking detected around 180GB of leaked data related to Moroccan domains and personal information, and over 320 spammers were identified from the data with connections to Morocco. 2. An ATM dispense malware that was gathered from Moroccan internet service providers. Technical details about the ATM malware were presented, but not summarized. The document ends by stating that preparations are being made for the "next war", but does not clarify the purpose of the two threats.

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Chris Gates

Workshop on Network Security

UC San Diego

Nomura UCCSC 2009

dnomura

The document provides an overview of free and open source network security tools including Kismet for wireless monitoring, OpenVAS for vulnerability scanning, Metasploit for exploitation, and Nmap for port scanning and service detection. It discusses how these tools can be used both offensively to detect issues and defensively to harden networks, and highlights advantages like cost but also challenges like potential instability. The presentation focuses on demonstrating these tools and educating administrators about network security risks and defenses.

Henrik Strøm - IPv6 from the attacker's perspective

IKT-Norge

Henrik Strøm discusses IPv6 security from an attacker's perspective. He outlines 6 points on how attackers can exploit IPv6 vulnerabilities, including using IPv6 to bypass IPv4 access controls when on a local network, spoofing router advertisements to hijack traffic, using tunneling to enable inbound and outbound connectivity, and launching denial of service attacks. He recommends network administrators decide how to implement IPv6 security, monitor for IPv6 traffic, harden clients and servers, and filter all types of IPv6 tunneling. Further reading suggests there is still significant work needed on IPv6 firewalling and many IPv4 issues have been transferred to IPv6.

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

Priyanka Aash

Writing a working exploit for a vulnerability is generally challenging, time-consuming, and labor-intensive. To address this issue, automated exploit generation techniques can be adopted. In practice, existing techniques however exhibit an insufficient ability to craft exploits, particularly for the kernel vulnerabilities. On the one hand, this is because their technical approaches explore exploitability only in the context of a crashing process whereas generating an exploit for a kernel vulnerability typically needs to vary the context of a kernel panic. On the other hand, this is due to the fact that the program analysis techniques used for exploit generation are suitable only for simple programs but not the OS kernel which has higher complexity and scalability. In this talk, we will introduce and release a new exploitation framework to fully automate the exploitation of kernel vulnerabilities. Technically speaking, our framework utilizes a kernel fuzzing technique to diversify the contexts of a kernel panic and then leverages symbolic execution to explore exploitability under different contexts. We demonstrate that this new exploitation framework facilitates exploit crafting from many aspects. First, it augments a security analyst with the ability to automate the identification of system calls that he needs to take advantages for vulnerability exploitation. Second, it provides security analysts with the ability to achieve security mitigation bypassing. Third, it allows security analysts to automatically generate exploits with different exploitation objectives (e.g., privilege escalation or data leakage). Last but not least, it equips security analysts with an ability to generate exploits even for those kernel vulnerabilities for which the exploitability has not yet been confirmed or verified. Along with this talk, we will also release many unpublished working exploits against several kernel vulnerabilities. It should be noted that, the vulnerabilities we experimented cover primarily Use-After-Free and heap overflow. Among all these test cases, more than 50% of them do not have working exploits publicly available. To illustrate this release, I have already disclosed one working exploit at my personal website (http://ww9210.cn/). The exploit released on my site pertains to CVE-2017-15649 for which there has not yet been an exploit publicly available with the demonstration of bypassing SMAP.

Metasploit Computer security testing tool

medoelkang600

The document provides an overview of using the Metasploit framework to conduct penetration testing. It discusses installing required software, updating and opening MSFConsole. It describes different Metasploit interfaces like GUI, console and Armitage. It covers topics like exploits, payloads, encoders, information gathering, vulnerability scanning, exploitation, and Meterpreter. Advanced Meterpreter commands are also summarized like capturing screenshots, migrating processes, dumping password hashes, and maintaining persistence.

Defending Enterprise IT - beating assymetricality

Claus Cramon Houmann

Similar to Hacking the Gateways (20)

DC612 Day - Hands on Penetration Testing 101

Infosecurity.be 2019: What are relevant open source security tools you should...

Phases of penetration testing

RIoT (Raiding Internet of Things) by Jacob Holcomb

Ready set hack

CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMI...

Hacking Blind

Hacking blind

Dealing with legacy code

Python for pentesters

Metasploitation part-1 (murtuja)

Speck & Tech: Attacking iOS (A brief overview)

Malware analysis _ Threat Intelligence Morocco

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

Workshop on Network Security

Nomura UCCSC 2009

Henrik Strøm - IPv6 from the attacker's perspective

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...

Metasploit Computer security testing tool

Defending Enterprise IT - beating assymetricality

More from Onur Alanbel

Başarılı Bir Siber Saldırının Perde Arkası ve Vaka Analizi

Onur Alanbel

SOC Ekiplerinin Problemlerine Güncel Yaklaşımlar

Onur Alanbel

Dünden Bugüne Exploit Dünyası

Onur Alanbel

This document discusses the history and evolution of computer exploits from early vulnerabilities like stack overflows to modern techniques like return oriented programming and kernel exploits. It provides examples of major exploits from the Morris Worm in 1988 to recent zero-days. It also outlines numerous bypass techniques for defenses such as ASLR, sandboxes, and KASLR. The document examines the sophisticated Pegasus spyware and its developer, the Israeli cybersecurity firm NSO Group.

Shellshock

Onur Alanbel

Developing MIPS Exploits to Hack Routers

Onur Alanbel

OWASPTR Uygulama Güvenliği Günü 2013Onur Alanbel

More from Onur Alanbel (6)

Başarılı Bir Siber Saldırının Perde Arkası ve Vaka Analizi

SOC Ekiplerinin Problemlerine Güncel Yaklaşımlar

Dünden Bugüne Exploit Dünyası

Shellshock

Developing MIPS Exploits to Hack Routers

OWASPTR Uygulama Güvenliği Günü 2013

Recently uploaded

GraphRAG for Life Science to increase LLM accuracy

Tomaz Bratanic

AWS Cloud Cost Optimization Presentation.pptx

HarisZaheer8

This presentation provides valuable insights into effective cost-saving techniques on AWS. Learn how to optimize your AWS resources by rightsizing, increasing elasticity, picking the right storage class, and choosing the best pricing model. Additionally, discover essential governance mechanisms to ensure continuous cost efficiency. Whether you are new to AWS or an experienced user, this presentation provides clear and practical tips to help you reduce your cloud costs and get the most out of your budget.

June Patch Tuesday

Ivanti

Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.

Best 20 SEO Techniques To Improve Website Visibility In SERP

Pixlogix Infotech

Recommendation System using RAG Architecture

fredae14

Columbus Data & Analytics Wednesdays - June 2024

Jason Packer

Introduction of Cybersecurity with OSS at Code Europe 2024

Hiroshi SHIBATA

I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems. The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS. Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application. I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.

leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...

alexjohnson7307

5th LF Energy Power Grid Model Meet-up Slides

DanBrown980551

5th Power Grid Model Meet-up It is with great pleasure that we extend to you an invitation to the 5th Power Grid Model Meet-up, scheduled for 6th June 2024. This event will adopt a hybrid format, allowing participants to join us either through an online Mircosoft Teams session or in person at TU/e located at Den Dolech 2, Eindhoven, Netherlands. The meet-up will be hosted by Eindhoven University of Technology (TU/e), a research university specializing in engineering science & technology. Power Grid Model The global energy transition is placing new and unprecedented demands on Distribution System Operators (DSOs). Alongside upgrades to grid capacity, processes such as digitization, capacity optimization, and congestion management are becoming vital for delivering reliable services. Power Grid Model is an open source project from Linux Foundation Energy and provides a calculation engine that is increasingly essential for DSOs. It offers a standards-based foundation enabling real-time power systems analysis, simulations of electrical power grids, and sophisticated what-if analysis. In addition, it enables in-depth studies and analysis of the electrical power grid’s behavior and performance. This comprehensive model incorporates essential factors such as power generation capacity, electrical losses, voltage levels, power flows, and system stability. Power Grid Model is currently being applied in a wide variety of use cases, including grid planning, expansion, reliability, and congestion studies. It can also help in analyzing the impact of renewable energy integration, assessing the effects of disturbances or faults, and developing strategies for grid control and optimization. What to expect For the upcoming meetup we are organizing, we have an exciting lineup of activities planned: -Insightful presentations covering two practical applications of the Power Grid Model. -An update on the latest advancements in Power Grid -Model technology during the first and second quarters of 2024. -An interactive brainstorming session to discuss and propose new feature requests. -An opportunity to connect with fellow Power Grid Model enthusiasts and users.

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

saastr

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

Generating privacy-protected synthetic data using Secludy and Milvus

Zilliz

During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.

Skybuffer SAM4U tool for SAP license adoption

Tatiana Kojar

Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool. SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.

Trusted Execution Environment for Decentralized Process Mining

LucaBarbaro3

Letter and Document Automation for Bonterra Impact Management (fka Social Sol...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365. Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Wask

https://www.wask.co/ebooks/digital-marketing-trends-in-2024 Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.

Serial Arm Control in Real Time Presentation

tolgahangng

WeTestAthens: Postman's AI & Automation Techniques

Postman

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...

saastr

Programming Foundation Models with DSPy - Meetup Slides

Zilliz

Recently uploaded (20)

GraphRAG for Life Science to increase LLM accuracy

AWS Cloud Cost Optimization Presentation.pptx

June Patch Tuesday

Best 20 SEO Techniques To Improve Website Visibility In SERP

Recommendation System using RAG Architecture

Columbus Data & Analytics Wednesdays - June 2024

Introduction of Cybersecurity with OSS at Code Europe 2024

leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...

5th LF Energy Power Grid Model Meet-up Slides

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...

Building Production Ready Search Pipelines with Spark and Milvus

Generating privacy-protected synthetic data using Secludy and Milvus

Skybuffer SAM4U tool for SAP license adoption

Trusted Execution Environment for Decentralized Process Mining

Letter and Document Automation for Bonterra Impact Management (fka Social Sol...

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Serial Arm Control in Real Time Presentation

WeTestAthens: Postman's AI & Automation Techniques

Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...

Programming Foundation Models with DSPy - Meetup Slides

Hacking the Gateways

1. HACKING THE GATEWAYS Onur ALANBEL TaintAll

2. whoami Onur ALANBEL • Computer Engineer (IZTECH) • MSc student (EU) • Application Security Researcher @TaintAll • onuralanbel.pro • @onuralanbel • https://packetstormsecurity.com/search/?q=onur+alanbel

3. Purpose • Gathering a variety of valuable information in an effective way.

4. Purpose Motivation of an APT is obtaining highly valuable information from one target. In contrast, motivation of a mass attack is obtaining valuable information from multiple targets.

5. Purpose

6. Purpose

7. The Plan • Deciding targets

8. The Plan • Deciding targets • Finding a vulnerability

9. The Plan • Deciding targets • Finding a vulnerability • Writing (weaponising) the exploit

10. The Plan • Deciding targets • Finding a vulnerability • Writing (weaponising) the exploit • Writing mass exploitation scripts

11. The Plan • Deciding targets • Finding a vulnerability • Writing (weaponising) the exploit • Writing mass exploitation scripts • Running the attack

12. The Plan • Deciding targets • Finding a vulnerability • Writing (weaponising) the exploit • Writing mass exploitation scripts • Running the attack • Analysing results

13. Attractive Target: Routers • Directly accessible from the internet.

14. Attractive Target: Routers • Directly accessible from the internet. • Once you own a SOHO router, you can control the whole trafﬁc.

15. Attractive Target: Routers • Directly accessible from the internet. • Once you own a SOHO router, you can control the whole trafﬁc. • No log, stealth. (it’s really hard for an investigator to ﬁnd out what is going on.)

16. Attractive Target: Routers • Directly accessible from the internet. • Once you own a SOHO router, you can control the whole trafﬁc. • No log, it’s really hard to ﬁnd out what is going on (very hard) • Have a long (long long) update interval.

17. Easy Target • Does It have known vulnerabilities?

18. Easy Target • Does It have known vulnerabilities? • Does the Vendor have published any security advisory?

19. Easy Target • Does It have known vulnerabilities? • Does the Vendor have published any security advisory? • Are there any third party product/device to mitigate exploitation.

20. AirTies • Web interface?

21. AirTies • Web interface? • TR-069

22. AirTies • Web interface? • TR-069 • MiniUPNP (CVE-2013-0230

23. Targets From Turkey

24. Targets From Turkey • http://ip:5555/rootDesc.xml

25. PreScan • masscan / zmap • +

26. PreScan • masscan • + • python multiprocessing • =

27.

28. The Vulnerability • Stack overﬂow, may cause to RCE. • MiniUPNPd runs on WAN interface.                

29. Writing the Exploit • MIPS assembly • CPU has different data and code caches; so, can’t jump to stack directly. • Can’t jump into middle of instructions, this reduces the number of alternative gadgets while creating a ROP chain. • MiniUPNPd process restarts if it crashes or hangs.

30. Writing the Exploit • MIPS is far easier than x86

31. Writing the Exploit • MIPS is far easier than x86 • sleep function may be called to ﬂush caches.

32. Writing the Exploit • MIPS is far easier than x86 • sleep function may be called to ﬂush caches. • No ASLR, ROP chains could be used.

33. Writing the Exploit • MIPS is far easier than x86 • sleep function may be called to ﬂush caches. • No ASLR, ROP chains could be used. • ?

34. Writing the Exploit • miniupnpd … -P /var/run/miniupnpd.pid

35. Writing the Exploit • rm /var/run/miniupnpd.pid

36. Writing the Exploit • rm /var/run/miniupnpd.pid • kill mngr

37. Writing t • rm /var/run/miniupnpd.pid • kill mngr • fork and execve

38. Writing t • rm /var/run/miniupnpd.pid • kill mngr • fork and execve • Details: Developing MIPS Exploits to Hack Routers • Exploit: AirTies RT Series (MIPS)

39. Bonus Trick • Chain remote-mgmt-input (1 references) target prot opt source destination DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 DROP

40. Bonus Trick • iptables -A remote-mgmt-input -p tcp -m multiport —dports 23,

41. Bonus Trick • cat /etc/passwd • crypt function • john rootpass.txt

42. What Have We • Free Wiﬁ :)

43. What Have We • Free Wiﬁ :) • Botnet army?

44. What Have We • Free Wiﬁ :) • Botnet army? • Internet trafﬁc (DNS, GW)

45. What Have We • Free Wiﬁ :) • Botnet army? • Internet trafﬁc (DNS, GW) • A big chance to infect connected clients (MITMf)

46. Next Step • 0day

47. Next Step • 0day • + • Persistency

48. Questions

Hacking the Gateways

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to Hacking the Gateways

Similar to Hacking the Gateways (20)

More from Onur Alanbel

More from Onur Alanbel (6)

Recently uploaded

Recently uploaded (20)

Hacking the Gateways