Automation Solution to the pesky Router problem

1. AppSec USA 2014
Denver, Colorado
Pwning the Pawns with WiHawk
Automated Solution to Pesky Router Problem
Santhosh Kumar
Anamika Singh

2. 2
Free infosec
Supporter |
nearsecurity
Introduction
Santhosh Kumar, India
 A Independent Security Research Working on
various domains.
 Acknowledged from IBM, INTEL, Microsoft, Cisco,
yahoo & more.
 Contributor to the WiHawk Router Vulnerability
Scanner.
Scanner | still write “hello world” |Eng Student
CurrentWork Devices
 Current Work on Embedded Devices.
 I Run a DEFCON Group @chennai (DC 602028)
@ security_b0x
in.linkedin.com/pub/santhosh-kumar/6a/974/8b9

3. 3
Introduction
Anamika Singh
 Product Security Analyst @ IronWASP Information
Security Service Pvt. Ltd.
 Author Of the WiHawk Router Vulnerability
Scanner.
 Speaker @ HITB/Haxpo Amsterdam, Selenium
International Conf 14, Ground Zero Srilnaka,
NULLCON Goa & DC Group @kerala
@ _Anamikas_
in.linkedin.com/pub/anamika-singh/80/4a5/5b5/

4. 4
Red Team Vs Blue Team

5. 5
Red Team Vs Blue Team
 How Many Of you take routers into the real penetration
testing?
 Regular Firmware upgrade? Alternative firmware?
 Does your internet work?
 Remote Management Enabled?
 Support from These companies on the security issue is
pathetic.
 End of Life is a another issue!! I mean who buys router every
1.5 years :P seriously ?

6. 6
Agenda
 Introduction
 Sample Router Analysis
 Open Source Tools.
 Automation Using WiHawk.
 Alternative Options.
 Post Consequences- Amplification Attacks

7. 7
Just Some Router Problems :P

8. 8
Just Some Router Problems :P

9. 9
Support Contact

10. 10
Only Response you Get..!!!

11. 11
Introduction

12. 12
Post Sales :P

13. 13
Tools for Code Analysis
• Linux – Strings / HexDump
• Interactive Disassembler
• ObjDump (GNU toolchain)
• Radare2
• FRAK
• Retargetable Decompiler

14. 14
Best For Analysis
• Binwalk Firmware Analysis tool
• Binwalk.org
• Least False Positives and Magic File Headers.

15. 15
Let’s Analyze

16. 16

17. 17
Analysis

18. 18
Analysis

19. 19
Analysis

20. 20
Analysis

21. 21
Owned..!!!!

22. 22
Vendor Response
• End of Life for the Product?
• Couldn’t Identify the issue.
• North America Got 1.0.44 firmware
but was taken down soon.
• Change Router?
• Is the Internet working?
• Netgear WNR1000 is also affected

23. 23
Next in Line: D-Link DSL 2750u

24. 24
Entropy Analysis

25. 25
Not good 

26. 26
Oh Great 

27. 27
Outcome of Analysis
 Following Firmware are affected Billion, Tplink, Sitecom,
Michelangelo, Edimax, Trust, Airline, Topcom (rompager 4.7
exploit).
 No patch for certain devices ( EOL)
 Some didn’t even bother to respond
 Around 25 Million router still vulnerable
 Did the Internet work ?

28. 28

29. 29
Services are Dangerous too
• ASUS suffered a serious of FTP based service flaws
• It has Disk Enabled Space within the router.
• After the update the Service was patched only for active FTP
mode.
• Passive Mode Continue to work till Date.
• Able to Access the entire Mounted Hard Drive.

30. 30

31. 31
Owned Again

32. 32
Vendor Response
• But We Just Patched That.
• That’s the Feature.
• Following Models are Affected.
 ASUS RT-N10U
 ASUS RT-N56U
 ASUS DSL-N55U
 ASUS RT-AC66U
 ASUS RT-N15U
 ASUS RT-N53
• Does the Internet working?

33. 33
I don’t want go through all of this

34. 34
Router Vulnerability Scanner

35. 35
WiHawk - Router Vulnerability Scanner
 Make sure your life is easy.
 https://github.com/santhoshkumar22/Wihawk-SOHO
 https://ironwasp.org/download.html
 Functionality:
 Single IP
 Example: 192.168.1.1
 Range of IP
 Example: 192.168.1.1-25 or 192.168.1.1/25
 Shodan API
Geo Location
City
Country

36. 36
WiHawk
 WiHawk Scans Router for
 Default Configuration
 Bypass Authentication
 TCP–32768 / TCP-32767 Backdoor
 Edit by Joel (Joel’s Backdoor)
 CSRF (VIP)
 XSS (VIP)
 Buffer and Stack Overflow (Beta)
 ROM-0

37. 37
DEFAULT passwords 

38. 38
Friendly Neighbourhood Bruteforce :P

39. 39
Spread the Power of Force

40. 40
Default Passwords
 Maintains a file of unique usernames and passwords.
 Covers variety of models from different routers like
 Linksys
Netgear
 Cisco
 CNET
 Beetel

41. 41
WiHawk Default Response
WiHawk Target IP
Response 401
Request
Response 200
BINGO!
Username : User
Password : pass

42. 42
WiHawk – ByPass Authentication
 WiHawk scans Routers for ByPass Authentication
Vulnerability.
 Appends IP with bypass String
 If vulnerability found prints IP with bypass string

43. 43
WiHawk – ByPass Authentication
• Multiple Routers auth
Bypass

44. 44
WiHawk – Backdoor Detection
 Allows a free access to many hosts on the Internet.
 Allows various remote commands like:
Remote access to root shell of routers
File copy
 WiHawk checks for Backdoors like:
TCP backdoor 32764
Edit By Joel Backdoor

45. 45
TCP 32764 Backdoor
Port
32764
open.?
Create Socket
NO
Port 32764 is not
Vulnerable
NO
Data
found .?
Port 32764 is
vulnerable
Write Socket
Check for response data starts
with “MMcS” or "ScMM"
YES
YES

46. 46
WiHawk – Rom-0 attack
 Rom-0 is a router Configuration file.
 Located in “IP/rom-0″ & directory isn’t password protected.
 Configuration file which contains the “admin” password.
 WiHawk:
Checks whether router is vulnerable to rom-0 attack
Downloads rom-0 file

47. 47
Joel’s Backdoor

48. 48
Netis/Netcore Backdoor
• This one was detected back in August 2014.
• It has this mysterious service running at port 53413.
• We check if the service is running then try to connect it to
using udpconnect.
• Seems the reference is A*8+netcorea00’
• Observe the connection using netcat.
• Another 2 million devices affected with this.
• Able to reach netis systems after a long call.

49. 49
WiHawk Interface
• Single IP

50. 50
WiHawk Interface
• Range of
IP(192.168.
1.1-25)
or
(192.168.1.1/
25)

51. 51
WiHawk Interface
• Shodan
API

52. 52
WiHawk
• WiHawk is built as an integral part of IronWASP .
• IronWASP is an Open Source Web Security Scanner.

53. 53
Ironwasp
• IronWASP is an open source Web
Security Scanner.
• Its one among best Scanners.
• Checks for more than 25
Vulnerabilities.
• It stands better than commercial
scanner in some parameters.
• Some of the other existing modules
are:
– Drupsnipe: Black box Drupal
vulnerability scanner.
– Skanda : Port scan on Server vulnerable
to SSRF.

54. 54
Ironwasp Team

55. 55

56. 56
Yeah so ?

57. 57
Bigger Threat
• Router not only causes data loss but also contribute to a
bigger attack.
• Threat Comes as a Amplification attacks from these
unpatched routers.
• Almost 25 million is still open to Amplification on various
protocols as we speak.
• DNS,NTP, SMTP etc.
• Observance was made for 2 months.

58. 58
Observance over week

59. 59
Over the month

60. 60
Observe
• We found that most of the traffic from our honeydns server
was directed towards a “gamming network” owned by a
specific corp.
• Amplification varied from 50 gbps to 110 gbps.
• Looks like someone want to establish their “flag” on their
networks. | USIS of URAG and ZIRIA
• 80 % traffic we got from was routers?

61. 61
Solution:

62. 62
Solution:
• Firmware Updates. Vendor should do extensive testing.
• If no firmware available, use Open After market firmware like
tomato, dd-wrt, open-wrt.
• Defend against “Purpose domains”.
• ISP’s should implement BCP 38(network ingress filtering) RFC
2827.
• Network admins force out to use TCP instead of UDP.

63. 63
Its all about the size

64. 64
Size matters:

65. 65
Factor increase with size

66. 66
Questions?

67. 67
References:
• IronWasp
– www.ironwasp.org
• Links:
– www.ripe.net
– Cve.mitre.com
– www.BCP38.info
– https://github.com/elvanderb/TCP-32764
– https://github.com/devttys0/binwalk
– 1337day.com
– www.exploit-db.com

68. 68
@security_b0x
WWW.NEARSECURITY.NET
@_Anamikas_
Connect to us

69. 69
Thank you for the inviting us