CONFidence 2015: MIMOSAWRITERROUTER - Abusing EPC on Cisco Router to collect critical data - Joaquim Espinhara, Rafael Silva
•
0 likes•434 views
Speakers: Joaquim Espinhara, Rafael Silva Language: English The goal of this talk is present a way to abuse a default feature of Cisco routers. The feature mentioned is the Embedded Packet Capture (EPC), described by the Cisco: "... a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data packets flowing through, to, and from, a Cisco router." We were able to abuse this feature and build a system to collecting massive data and store them for analysis purpose. The PoC developed uses multiple Cisco routers configured with default accounts to send their data traffic (input, output or both) to our repository and finally we are able to starting the processes to transform these raw data packet files in useful information. Such as user credentials, pre-shared key keys, URLs and many other potential sensitive data can be extracted, but additional "features", like cyber attacks, are planned for the future. The subject presented by the researchers would help a simple penetration tester during a usual engagement , additionally it's possible configure a larger set of routers to collect data and build a huge database, hack the planet style. The content of this presentation results from independent research conducted by me on my own time and of my own accord. This research was not approved, sanctioned or funded by my employer and is not in any way associated with my employer. CONFidence: http://confidence.org.pl/pl/
Recommended
More Related Content
Similar to CONFidence 2015: MIMOSAWRITERROUTER - Abusing EPC on Cisco Router to collect critical data - Joaquim Espinhara, Rafael Silva
Similar to CONFidence 2015: MIMOSAWRITERROUTER - Abusing EPC on Cisco Router to collect critical data - Joaquim Espinhara, Rafael Silva (20)
Recently uploaded
Recently uploaded (20)
CONFidence 2015: MIMOSAWRITERROUTER - Abusing EPC on Cisco Router to collect critical data - Joaquim Espinhara, Rafael Silva
- 2. µMIMOSAWRITERROUTER Abusing EPC on Cisco Routers to Collect Data. Joaquim Espinhara Rafael Silva @jespinhara @rfdslabs µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 3. µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! www.nsanamegenerator.com Why this name?
- 4. Agenda 1 / About Us 2 / Introduction & Motivation 3 / EPC / Evil / How EPC works / Abusing EPC 4 / Mimosa / Our approach / Demo / Potential 5 / Threat Intelligence 6 / Future 7 / Conclusion! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 5. About us µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 6. 1 / About us Rafael Silva aka @rfdslabs CTO at @EstuárioTI Twitter @rfdslabs µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 7. 1 / About us Joaquim Espinhara aka @Jespinhara Senior Security Consultant at @securusglobal µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 8. Introduction & motivation µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 9. µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! 2 / Introduction & motivation • We are NOT exploiting a 0day on Cisco devices.! • We are aware of other methods, like GRE tunnels, port mirroring, lawful interception, etc.! • This is an automated tool to help pentesters / Threat intelligence to collect interesting data in a controlled environment.! • This is really useful tool for threat intelligence data gathering.! • You have to get ENABLE privilege on the router to use Mimosa.! !
- 10. 2 / Introduction & motivation 2009 / @jespinhara @h2hc about GRE-TUNNELS. 2009 / @rfdslabs tell about EPC to @jespinhara. 2010 / Hacking the Planet… 2011 / Hacking the Planet… 2012 / Hacking the Planet… 2013 / Hacking the Planet… 2014 -2015 / Mimosa released. ! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 11. EPC Embedded Packet Capture µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 12. 3 / EPC The ability to capture IPv4 and IPv6 packets. A flexible method for specifying the capture buffer size and type. EXEC-level commands to start and stop the capture. Show commands to display packet contents on the device. Facility to export the packet capture in PCAP format. Extensible infrastructure for enabling packet capture points.! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 13. 3 / EPC / Abuse! The ability to capture IPv4 and IPv6 packets. A flexible method for specifying the capture buffer size and type. EXEC-level commands to start and stop the capture. Show commands to display packet contents on the device. Facility to export the packet capture in PCAP format. Extensible infrastructure for enabling packet capture points.! • Sniffing • Choose the sniffer buffer size. More than one buffer and capture point. • Need some hacking to Enable, cisco/cisco. • Sniffing on the fly. • Make your pcap-farm-server. • All Your Network Are Belong to Us. µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 14. 3 / EPC / How EPC Works! Define a Capture Buffer and Size and Type (Linear OR Circular): Define a Capture point (interfaces and directions): Associate the capture point to our buffer: µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 15. 3 / EPC / How EPC Works! Start / stop the capture point: Linear / When the buffer is full, the capture will stop. Circular / The buffer will be overwritten with new packets.! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 16. 3 / EPC / How EPC Works! Sniffing on the fly: µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 17. 3 / EPC / How EPC Works! Export the capture in PCAP format to a remote location: µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 18. µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! 3 / EPC / How EPC Works! The main problem is export the capture to a REMOTE location. No way to disable the EPC OR block the export to a remote location L This is a feature, is not a BUG J!
- 19. Mimosa Framework µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 20. 4 / Mimosa / Our approach! µMimosa C&C Routers Collectors µMimosa Parser µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 21. 4 / Mimosa Framework! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 22. 4 / Mimosa / Detect Threats! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! Tshark and Bro! tshark -Y 'http contains "User-Agent:"' -T fields -e http.user_agent -nlr pcapfile! User Agents
- 23. 4 / Mimosa / Detect Threats! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! Tshark and Bro! tshark -T fields -e http.host -e http.request.uri -Y 'http.request.method == "GET"' -nlr pcapfile! HTTP Requests
- 24. 4 / Mimosa / Detect Threats! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! Tshark and Bro! • tshark -T fields -e http.host -e http.request.uri -Y 'http.request.method == "GET"' -nlr pcapfile! HTTP Requests • tshark -r pcapfile -o "ip.use_geoip:TRUE" -o column.format:""IP_Flags", "%Cus:ip.flags". "IP_src", "%Cus:ip.src". "IP_dst", "%Cus:ip.dst", "CITY", "%Cus:ip.geoip.city", "Latitude”, "%Cus:ip.geoip.lat""! Geo IP • tshark -T fields -e http.host -e http.request.uri -Y 'http.request.method == "GET"' -nlr pcapfile! HTTP Requests ! User Agents (Client Side Attacks)! • tshark -Y 'http contains "User-Agent:"' -T fields -e http.user_agent –r pcapfile! DNS Requests (Virus Total) • tshark -nn -e ip.src -e dns.qry.name -T fields -Y "dns" –r pcaptile! !
- 25. 4 / Mimosa / Detect Threats! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! Tshark and Bro! FTP Creds! • tshark -Y "(ftp.response.code == 230 || ftp.request.command == "PASS") || (ftp.request.command == "USER")" -nlr pcapfile! ! POP Creds! • tshark -Y "(pop.request.command == "PASS") || (pop.request.command == "USER")" –nlr pcapfile! Cookies! • tshark -r pcapfile -Y 'http.cookie' -z "proto,colinfo,http.content_type,http.content_type" -z "proto,colinfo,http.content_length,http.content_length" -z "proto,colinfo,http.cookie,http.cookie”!
- 26. 4 / Mimosa / Detect Threats! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! Tshark and Bro! • Extract Files With Bro!
- 27. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 28. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 29. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 30. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 31. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 32. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 33. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 34. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 35. 4 / Mimosa / Results! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 36. 4 / Mimosa / Potential! Some numbers: • 300 Routers • 1MB per hour • 24hr per day • 365 days per year • 1hr = 300 MB • 24hr = 7200 = 7.2 GB • 365 = 2628000 = 2566,40625 GB = 2,506256104 TB! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 37. Future µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 38. 6 / Future Add support to another devices, such as mikrotik and Juniper. A dashboard for better visualization of the sensitive data. Other attack options like bruteforce, CVE-XXXX.! µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow!
- 39. Mimosa https://github.com/rfdslabs/Mimosa-Framework µMIMOSAWRITERROUTER / Confidence 2015 @ Krakow! Download and coding with us.! Python Based.!
- 40. Trank you! Rafael Silva rafa.silva@gmail.com @rfdslabs! Joaquim Espinhara espinhara.net@gmail.com @jespinhara! Ulisses Albuquerque @urma Julio Auto @julioauto Luiz Eduardo @effffn! Mateusz Sitkowski Julio Cesar Fort @juliocesarfort NSA for the insight!