Presentation at OpenCamps NYC on IoT Crusher Open Source, a basic default malware credential scanner. (links in the presentation).
On almost every pen-test I manually found default credentials, often with admin access, within the environment.
Industry standard vulnerability scanners and pen-test tools did not detect these basic default credential issues.
That was the inspiration for IoT Crusher.
2. OpCode41.com - @OpCode41
IoT Crusher (OSS) - @IoTcrusher
Kenneth F. Belva - @infosecmaverick
Find us online & on Twitter
4. Table of Contents
● “The Default Credential White Paper”: A New Solution to a Well Known Difficult Problem
● One Root Cause: Default, Hard-coded, & Weak Credentials (OWASP)
● Default Creds in Ransomware (OWASP)
● Two IoT Malware Worms
● IoT Malware Worms: One Root Cause (Documented!)
● The Case of Pastebin: IoT Device & Creds Posted
● A “Titanic” Problem: Beware of the Iceberg! Default Credentials: All Systems Vulnerable, Not Just IoT!
● Target (2013) & Equifax (2017) [plus more]: Default Credential Hacks!
● Open Source Solution Overview & Why the Name IoT Crusher
● Completely Different App Architectures & Code Bases for Different Versions
● IoT Crusher Open Source: More Than Just Malware Credentials
● Point of Interest - Code Review: cmd Options / Credential Optimization
● Point of Interest - Code Review: Networks & Single Hosts
● Point of Interest - Code Review: Variations of telnet Logins
● Point of Interest - Code Review: Coding a Python 3 telnetlib Client
● Q&A
● Links (GitHub / Email / Twitter) and Points of Contact
5. “The Default Credential White Paper”: A New Solution to a Well Known Difficult Problem
The Problem
● Credential problems – in particular default credentials in the wild – are much more common than the data suggests
– Organizations and testers rely on vulnerability scanners, and those apps don’t really scan for default credentials, with the exception of very few things (like the sa account for MSSQL, etc.)
– Brute forcing during testing has proven to be time consuming, yields little fruit, and frequently locks out accounts. Pen-testers use huge lists (Rockyou, Ashley Madison, etc.), usually from past hacks, if done at all.
– Professional pen-testing experience validates the scope of the problem. It’s an iceberg: more is out there than is “visible”…
● User names and passwords have plagued cyber security basically forever… since the beginning of time… no exaggeration! Ask any professional with 10+ years in the field…
– Default, weak, and hard-coded user names and passwords!
– Lack of centralized device management contributes significantly to the issue, including 3rd-party servicing of one’s devices
● To summarize: it’s actually a major problem and it doesn’t get the attention it deserves, due to its age, testing time, being hard to find & test, etc.
A New Solution
● Intelligently scan and test systems for default credentials
– Identify the device / service / system and test only the relevant credentials
– Ideally we want to try just a single login attempt per system that may have them
● Fast & accurate with little account lockout
● If not a single check, then we need to optimize the combinations and trials
– The solution must work for all devices, including legacy and embedded devices (such as Point of Sale devices, medical devices, ATMs, etc.), not just IoT
11. The Case of Pastebin: IoT Device & Creds Posted
12. A “Titanic” Problem: Beware of the iceberg!
Default Credentials: All Systems Vulnerable, Not Just IoT!
● The IoT worms were 2016
● Let’s go back to 2014 & 2015
● Professionally pen-testing recognizable brands or large numbers of assets
● I’d follow up & review the nmap and vulnerability scans manually
● Reviewing PCI and Point of Sale systems (in one case):
– Vulnerability scans picked up nothing
– I saw telnet was available from the nmap scans
– I tried the default creds on the credit card reader (embedded device / IoT) at the checkout line
– Access…
● From my experience, I found default credentials elsewhere and often (almost every pen-test).
● I knew from experience that, because we rely on the vulnerability scanners and they really aren’t looking for default credentials, this was the “tip of the iceberg”
14. Open Source Solution Overview & Why the Name IoT Crusher
● After the large IoT worms and (specifically) the pastebin dump, I felt compelled to release something to the community so people could check their systems, since there is no good solution
● Checks if your networks and devices are vulnerable to credential malware issues, without risk of infection
● Scans for vulnerable devices running telnet on the default port
– Just put in the network range or IP address and test
● The telnet client tries to authenticate with known malware credentials
● User names & passwords are optimized: credential sets can be combined
● Vulnerable devices are then reported, including printing a “screen shot” after authentication
● Why the name IoT Crusher?
– IoT and embedded devices are almost synonymous. So….
● I was testing a lot of Point of Sale systems, which are by definition embedded devices
● I decided to name the app appropriately! ;)
15. IoT Crusher Application Architectures
Completely Different App Architectures & Code Bases for Different Versions
Open Source
– Small app – like a script – with a robust telnet brute-forcer plus credential optimizations
– Single protocol supported
– Single threaded
Professional (Basic & Advanced)
– Solutions to brute-forcing issues such as account lockout, testing speed & device/service identification for 9000+ devices
– Multiple protocols supported (and we are adding more!)
– Multi-threaded
Enterprise
– Uses a plug-in architecture for more flexibility per device
– Focus is on device management after authentication
– Multi-threaded
All three versions check any networked embedded device, extending the scope beyond just IoT.
Bonus point: checking for default creds is hard: brute-forcing, account lockout, device identification, etc.
These testing issues are addressed in the pro & enterprise versions, which are beyond the scope of this presentation, so contact me! :)
16. IoT Crusher Open Source: More Than Just Malware Credentials
● Checks all legacy devices & IoT devices (telnet protocol)
● Authenticates with a limited set of additional embedded device credentials beyond just the IoT malware credentials
– Used to find vulnerabilities on additional device types
– In other words, more than just malware
● Since it’s Open Source, more credential sets can be added very easily
18. Point of Interest - Code Review: cmd Options & Credential Optimization
19. Point of Interest - Code Review: Networks & Single Hosts
192.168.1.1/32 – the /32 suffix scans a single host
192.168.1.0/24 – scans a 254-host subnet
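The two code-review points above (network vs. single-host targets, and combining credential sets) as an added Python example; this is not IoT Crusher's own code. It expands a CIDR spec exactly as slide 19 describes and merges several credential sets into one de-duplicated list grouped per user name, with a per-user cap to limit lockouts; the sample credential sets and the max_per_user parameter are constructed assumptions.

```python
import ipaddress
from collections import OrderedDict


def expand_targets(spec):
    """Turn a CIDR spec into the hosts to scan: /32 yields the single host,
    /24 yields the 254 usable hosts (network and broadcast addresses skipped)."""
    net = ipaddress.ip_network(spec, strict=False)
    if net.prefixlen >= 31:          # /31 and /32 have no separate network/broadcast
        return [str(addr) for addr in net]
    return [str(addr) for addr in net.hosts()]


def optimize_credentials(*cred_sets, max_per_user=None):
    """Merge several (user, password) sets into one list: exact duplicates are
    dropped (first occurrence wins), attempts are grouped by user name so each
    account is exercised in one run, and max_per_user caps the attempts per
    account to keep lockout risk low."""
    unique = OrderedDict()
    for cred_set in cred_sets:
        for user, password in cred_set:
            unique.setdefault((user, password), None)
    by_user = OrderedDict()
    for user, password in unique:
        by_user.setdefault(user, []).append(password)
    merged = []
    for user, passwords in by_user.items():
        if max_per_user is not None:
            passwords = passwords[:max_per_user]
        merged.extend((user, password) for password in passwords)
    return merged


# Constructed sample credential sets (placeholder values, not real device defaults).
MALWARE_SET = [("root", "pwA"), ("admin", "pwB"), ("root", "pwC")]
EMBEDDED_SET = [("root", "pwA"), ("service", "pwD"), ("admin", "pwE")]

if __name__ == "__main__":
    for host in expand_targets("192.168.1.1/32"):
        print("single host:", host)
    print("hosts in /24:", len(expand_targets("192.168.1.0/24")))
    for user, password in optimize_credentials(MALWARE_SET, EMBEDDED_SET, max_per_user=2):
        print("try", user, password)
```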
20. Point of Interest - Code Review: Variations of telnet Logins
Found a really weird telnet case or two!
Must enter a valid username first: the device will error if the username is invalid
21. Point of Interest - Code Review: Coding a Python 3 telnetlib Client
● A solid Python telnetlib client is really hard to code
● Can’t guarantee when the data gets back
● Can’t guarantee in what form the data gets back, including EOF markers
● The solution: create an “infinite loop” with “exit” criteria
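The “infinite loop with exit criteria” from slide 21 as an added Python example, not IoT Crusher's code. The reader is abstracted as a read_some() callable so the loop works with telnetlib.Telnet.read_some (telnetlib was removed from the standard library in Python 3.13) or any socket-style read; the fake reader, prompt patterns and failure strings are constructed assumptions, and the failure state covers the slide-20 case where a device errors on an invalid username.

```python
import re
import time

# Exit criteria (constructed assumptions): a login/password/shell prompt,
# or a login-failure banner such as the "invalid username" case.
PROMPT_RE = re.compile(rb"(login|username|password)\s*:\s*$|[#$>]\s*$", re.IGNORECASE)
FAIL_RE = re.compile(rb"login incorrect|authentication failed|invalid", re.IGNORECASE)


def read_until_state(read_some, timeout=5.0, max_bytes=64 * 1024):
    """Keep reading until one exit criterion fires. read_some() returns a bytes
    fragment of any size, b"" (or raises EOFError) at EOF, or None if nothing
    has arrived yet. Returns (state, buffer) with state one of
    prompt / failed / eof / timeout / overflow."""
    buf = b""
    deadline = time.monotonic() + timeout
    while True:                                   # the "infinite loop"
        if time.monotonic() > deadline:
            return "timeout", buf
        try:
            chunk = read_some()
        except EOFError:                          # telnetlib raises on closed link
            return "eof", buf
        if chunk is None:                         # no data yet: wait, then retry
            time.sleep(0.01)
            continue
        if chunk == b"":                          # empty read as EOF marker
            return "eof", buf
        buf += chunk
        if len(buf) > max_bytes:
            return "overflow", buf
        text = buf.replace(b"\r", b"")            # devices differ on CRLF vs LF
        if FAIL_RE.search(text):                  # check failure before prompt
            return "failed", buf
        if PROMPT_RE.search(text):                # prompt may arrive split across reads
            return "prompt", buf


def make_fake_reader(chunks):
    """Constructed stand-in for a telnet read: hands out fragments one per call,
    then None forever. End the list with b"" to simulate EOF."""
    it = iter(chunks)
    return lambda: next(it, None)


if __name__ == "__main__":
    print(read_until_state(make_fake_reader([b"Lo", b"gin: "])))
    print(read_until_state(make_fake_reader([b"Login incorrect\r\n", b"login: "])))
    print(read_until_state(make_fake_reader([b"bye\r\n", b""])))
    print(read_until_state(make_fake_reader([b"banner\r\n"]), timeout=0.05))
```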