addition by subtraction

Upload: rexthrottle

Post on 06-Jul-2018


TRANSCRIPT

  • 8/17/2019 Addition by Subtraction

    1/47

    Addition by Subtraction: How Networked Devices Affect your Security

    Chris Campbell

    BSidesPR

  • 2/47

    TL;DR

    Network security can be improved by removing security appliances and other devices which introduce unnecessary risk.

  • 3/47

    Who am I?

    ●Chris Campbell (@obscuresec)
    ●Former Army Signal Officer
    ●Security Researcher/Penetration Tester
    ●Spoken at Derbycon, BlackHat, Shmoocon Firetalks, BsidesLV
    ●PowerShell fan and contributor to PowerSploit

  • 4/47

    Who do I speak for?

    ●I do not speak for anyone but myself
    ●This research was individually conducted and should be considered “free-search”

  • 5/47

    Who are you?

    ●Managers
    ●Administrators
    ●Auditors
    ●Penetration Testers
    ●Vendors
    ●Students

  • 6/47

    Story Time

    ●You never forget your first…

  • 7/47

    Attack Diagram

  • 8/47

    Still Out There

    ●ShodanHQ shows that they are exposed

  • 9/47

    What I Learned

    ●Just because a product solves a security problem doesn’t mean it is secure.
    ●Anyone can find vulnerabilities.
    ●These types of devices are a perfect place to hide from incident handlers.

  • 10/47

    Started Collecting…

    ●Remote Access Appliances
      ●MRV LX Series Console Server
      ●Avaya ASG Guard Secure Access Server
    ●Network and Monitoring Appliances
      ●Infoblox Trinzic Network Services
      ●Riverbed Steelhead
      ●ManageEngine Opmanager
      ●Alert-on-Failure (AOF) Enterprise
      ●Mutiny Technology Mutiny Appliance
    ●Security and Firewall Appliances
      ●Cososys Endpoint Protector
      ●McAfee Email and Web Gateway
      ●EdgeWave Iprism Web Proxy
      ●ForeScout Counteract
      ●Barracuda Spam & Virus Firewall
      ●Servgate Edgeforce M30
      ●Celestix Scorpio RAS3000
      ●Qualys Qualysguard Scanner
      ●Bluelane Patchpoint
    ●Other Appliances
      ●Google Search Appliance
      ●Symantec Opscenter
      ●InfoBlox IPAM
      ●EMC Clariion
      ●F5 Big-IP Appliance

  • 11/47

    Procurement

    ●Craigslist, eBay and borrowed from friends
    ●Fully-functional demos from vendors' websites
    ●Virtual appliance marketplace

  • 12/47

    Aren’t appliances expensive?

  • 13/47

    Storage Issues

  • 14/47

    Testing a New Device

    ●Image (backup) HDDs and RTFM
    ●Put in lab network (isolated)
    ●Testing
      ●Port scan with NMAP/NSE scripts
      ●Look for known vulnerabilities with services
      ●Login with default credentials
      ●Looked for ways to gain root OS privileges
      ●Identify features that could be used by an attacker
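    A scripted version of the port-scan step, added here as an example and not part of the talk: it parses the XML that `nmap -sV -oX` writes for the isolated lab device and turns every open service into a review item for the default-credential and known-vulnerability checks that follow. The report below is a constructed sample, not a scan of any listed appliance, and its service names, products and versions are made up for illustration.

```python
"""Triage an nmap XML report for a lab-isolated appliance.

Added example, not from the slides. Assumes the scan was written with
`nmap -sV -oX report.xml <lab-ip>`; SAMPLE_NMAP_XML is a constructed
stand-in for that file.
"""
import xml.etree.ElementTree as ET

# Management / remote-access services that warrant a default-credential
# and version review (the "examine open ports" step of the talk).
MGMT_SERVICES = {"ssh", "telnet", "ftp", "http", "https", "snmp"}

# Constructed sample: products and versions are illustrative only.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX report.xml 10.0.0.5">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="appliance-ftpd" version="1.2"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.3"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
        <service name="https"/>
      </port>
      <port protocol="tcp" portid="8443">
        <state state="open"/>
        <service name="ssl/http" product="appliance-admin-ui"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_open_ports(xml_text):
    """Return one dict per open port found in an nmap XML report."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            get = (lambda k: svc.get(k) or "") if svc is not None else (lambda k: "")
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": get("name"),
                "product": get("product"),
                "version": get("version"),
            })
    return found


def triage(ports):
    """Attach review items: a management service needs a default/backdoor
    credential check; any fingerprinted product needs an advisory lookup."""
    items = []
    for p in ports:
        base = p["service"].split("/")[-1]  # "ssl/http" -> "http"
        if base in MGMT_SERVICES:
            items.append((p["port"], "check default/backdoor credentials"))
        if p["product"]:
            ver = f"{p['product']} {p['version']}".strip()
            items.append((p["port"], f"look up advisories for {ver}"))
    return sorted(items)


if __name__ == "__main__":
    for port, action in triage(parse_open_ports(SAMPLE_NMAP_XML)):
        print(f"{port:>5}/tcp  {action}")
```

    The closed 443 port is dropped, and the admin UI on 8443 is recognised as HTTP even though nmap labels it `ssl/http`; feeding the real `report.xml` in place of the sample gives the checklist for the next two bullets.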

     

  • 15/47

    Before we move on, let's get real!

    ●Your enterprise goes from this…

  • 16/47

    To this…

  • 17/47

    With 1 of these…

  • 18/47

    Reasons to Attack Appliances/Devices

    Powerful Linux OS
    Ability to leverage Python, Lua, Ruby and Bash
    Tools like Netcat, Nmap, TCPDump and others
    Privileged network segment
    Difficult IR environment
    Admins probably don’t even have root access
    Best place to persist in an enterprise

  • 19/47

    What is an appliance?

    ●Could be virtualized, but typically:
      ●Out-dated server hardware (cheap)
      ●Open-Source Operating System (Linux)
      ●A few security tools
      ●Web Application to manage and audit

  • 20/47

    Why your boss buys them…

    ●“…blocks both known and unknown attacks with 100% accuracy.”
    ●“…provides complete security protection against all attacks.”
    ●“…protected against compromise by any potential attackers.”
    ●“…operates without human intervention or manual updates.”

  • 21/47

    Example 1: Network Monitoring

  • 22/47

    Examine Open Ports

    ●SSH is open, but we don’t know the root password
    ●HTTP has default passwords

  • 23/47

    Where to find the default password?

  • 24/47

    What if I change the password?

    ●Backdoor accounts with default passwords
    ●Many appliances limit length and complexity
    ●Lots of tools to brute-force (e.g. Fireforce)
    ●Custom dictionaries are effective

  • 25/47

    Now What?

    ●Easiest vuln to find is Cmd Injection
      ●Commonly in troubleshooting utilities
    ●Great for persistence on RO file systems
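    An added example of the bug class this slide names, in Python (the talk shows no code; the handler names and the `ping` arguments are my assumptions, not any vendor's implementation): the troubleshooting-page pattern that concatenates a user-supplied target into a shell string, beside a hardened handler that allow-lists the input and runs the binary without a shell. `shell_command_count` shows what `/bin/sh` would make of each string, which is the difference a code reviewer should be looking for.

```python
"""Command injection in an appliance "ping" troubleshooting form, and the
hardened version. Added example, not code from the talk."""
import ipaddress
import re
import shlex
import subprocess


def ping_command_vulnerable(host):
    """The classic mistake: user input concatenated into a shell string that
    the web app then hands to os.system()/popen()."""
    return "ping -c 3 " + host


# RFC 1123 hostname: labels of letters, digits and inner hyphens, <= 253 chars.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(host):
    """Allow-list: accept an IP literal or a hostname, reject everything else."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected target: {host!r}")


def ping_command_safe(host):
    """Hardened form: validate, then build an argv list so no shell ever
    parses the input. '--' stops a leading '-' from being read as an option."""
    target = validate_target(host)
    return ["ping", "-c", "3", "--", target]


def shell_command_count(cmdline):
    """How many commands would /bin/sh run for this string? shlex with
    punctuation_chars returns ';', '|', '&', '&&', '||' as their own tokens."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def run_ping(host):
    """Execute the hardened command without a shell; the timeout keeps a
    hung probe from tying up the web worker."""
    result = subprocess.run(ping_command_safe(host), capture_output=True,
                            text=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    crafted = "10.0.0.1; id"  # constructed input a tester would submit to the form
    cmd = ping_command_vulnerable(crafted)
    print(f"vulnerable handler builds: {cmd!r} -> {shell_command_count(cmd)} commands")
    try:
        ping_command_safe(crafted)
    except ValueError as err:
        print("hardened handler:", err)
```

    Validation alone is not the fix; the argv list is. Even a target that passes the allow-list is never re-parsed by a shell, so a future regex mistake degrades to a bad ping argument rather than a second command.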

  • 26/47

    But how do you get Root?

    ●Use Curl to pull down payload and execute
    ●Since webapp is running as root we can…

  • 27/47

    Thanks Juan!

  • 28/47

    Example 2: Security Appliance

  • 29/47

    Scan and Enumerate

    ●Vulnerable FTP service running
    ●Web interface for management
    ●SSH is enabled but no credentials provided

  • 30/47

    Different Approach: Ask

  • 31/47

    Support Procedures

    Documentation revealed that remote access was possible for remote support

    Is the password static or derived?

  • 32/47

    What does it mean?

    Script calculates sum of each number in 10-digit serial number

    91 possible outcomes
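    To put a number on "static or derived", an added example (my own code, not the vendor's script): the digit sum of a 10-digit serial can only take the values 0 to 90, and a dynamic-programming count of how many serials map to each value shows the 91 outcomes are far from evenly used, so the scheme holds even less secret than 91 outcomes suggests. The random-password figure at the end is there for scale; the 8-character, 62-symbol alphabet is an assumption.

```python
"""Keyspace of a support password derived from a device serial number.

Added example for the talk's case (password = digit sum of a 10-digit serial);
the counting and the comparison are mine, not the vendor's script.
"""
import math
from collections import Counter


def digit_sum_distribution(n_digits=10):
    """Number of n-digit strings (leading zeros allowed) per digit sum,
    computed by dynamic programming instead of walking all 10**n serials."""
    counts = Counter({0: 1})
    for _ in range(n_digits):
        nxt = Counter()
        for total, c in counts.items():
            for d in range(10):
                nxt[total + d] += c
        counts = nxt
    return counts


def keyspace_report(dist):
    """Summarise how much secret the derived password actually carries."""
    total = sum(dist.values())
    outcomes = len(dist)                       # distinct passwords possible
    # Shannon entropy when only the scheme, not the serial, is known
    entropy = -sum(c / total * math.log2(c / total) for c in dist.values())
    # guesswork: how many likeliest values cover half of all devices
    covered, guesses = 0, 0
    for c in sorted(dist.values(), reverse=True):
        covered += c
        guesses += 1
        if covered * 2 >= total:
            break
    return {"outcomes": outcomes,
            "entropy_bits": round(entropy, 2),
            "guesses_for_half": guesses}


def random_password_bits(length=8, alphabet_size=62):
    """Entropy of a uniformly random password, for comparison (assumed
    8 characters over letters and digits)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    dist = digit_sum_distribution(10)
    report = keyspace_report(dist)
    print(f"distinct outcomes : {report['outcomes']}")
    print(f"entropy           : {report['entropy_bits']} bits")
    print(f"guesses for 50%   : {report['guesses_for_half']}")
    print(f"random 8-char pw  : {random_password_bits():.1f} bits")
```

    Two things follow for anyone reviewing a vendor's support-access design: a derived secret is only as strong as its input's entropy after the derivation, and a password limited to a few dozen values has to be treated as a shared static credential for risk purposes, whatever the documentation calls it.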

  • 33/47

    SSH in and sudo to root!

  • 34/47

    Example 3: The Other Security

  • 35/47

    Isolate and Scan

  • 36/47

    Remote Access?

  • 37/47

    Backdoor?

  • 38/47

    Monitor the Device

  • 39/47

    Where are my passwords going?

  • 40/47

    Free Features!

  • 41/47

    I’m sure my passwords are safe.

  • 42/47

    What to do from here?

    ●Privileged Network Location
      ●Server segment or VLAN could be trusted
      ●Attack enterprise with PTH-Suite
    ●Attacks against Administrators
      ●Full access to servers is way worse than a normal XSS
      ●Think malicious iframes or Java applets on every page
      ●Admins aren’t browsing with elevated privileges are they?
    ●Keylog / capture credentials
      ●Domain Authentication
      ●Password reuse to other networked devices

  • 43/47

    What is better than a XSS vuln?

    XSS Features!

  • 44/47

    Recommendations

    ●Don't immediately trust the vendor
      ●Especially those that claim to stop “unknown attacks with 100% accuracy”
      ●Look at their security track record on security sites
      ●Securityfocus, exploit-db and osvdb are a good start
      ●No vulnerabilities disclosed != good sign
    ●Assess your current appliances and evaluate demos of all networked devices before purchasing
      ●Ask to see previous security test results from the vendor
      ●Use a systematic approach but think like an attacker
      ●Look for vulnerabilities like those documented by OWASP
      ●Document potential vulnerabilities and share your findings
      ●Think about how you will sanitize and dispose of the device

  • 45/47

    Recommendations (2)

    ●Segment them from your enterprise
      ●Many organizations drown in data from continuous monitoring
      ●Eliminating unfamiliar and untested architectures could improve your overall posture: If you don’t need them, get rid of them
    ●Train yourself and your team
      ●Do internal training (e.g. brown-bag lunches)
      ●Attend and participate in security conferences like Blackhat and Bsides
      ●Read security blogs
    ●Demand control
      ●Ask if the vendor gives you root control before purchasing
      ●Ask how the appliance stores passwords
      ●If they don't, don't buy it
      ●Until we make real security a financial priority, vendors won’t fix

  • 46/47

    What did you do with that hardware?

  • 47/47

    Questions?

    @obscuresec
    www.obscuresec.com

    Thanks to Matt, Josh, Juan, Carlos, Skip & the whole BsidesPR crew!