addition by subtraction
Post on 06-Jul-2018
-
8/17/2019 Addition by Subtraction
1/47
Addition by Subtraction: How Networked Devices Affect your Security
Chris Campbell
BSidesPR
-
TL;DR
Network security can be improved by removing security appliances and other devices which introduce unnecessary risk.
-
Who am I?
●Chris Campbell (@obscuresec)
●Former Army Signal Officer
●Security Researcher/Penetration Tester
●Spoken at Derbycon, BlackHat, Shmoocon Firetalks, BsidesLV
●PowerShell fan and contributor to PowerSploit
-
Who do I speak for?
●I do not speak for anyone but myself
●This research was individually conducted and should be considered “free-search”
-
Who are you?
●Managers
●Administrators
●Auditors
●Penetration Testers
●Vendors
●Students
-
Story Time
●You never forget your first…
-
Attack Diagram
-
Still Out There
●ShodanHQ shows that they are exposed
-
What I Learned
●Just because a product solves a security problem doesn’t mean it is secure.
●Anyone can find vulnerabilities.
●These types of devices are a perfect place to hide from incident handlers.
-
Started Collecting…
●Remote Access Appliances
  ●MRV LX Series Console Server
  ●Avaya ASG Guard Secure Access Server
●Network and Monitoring Appliances
  ●Infoblox Trinzic Network Services
  ●Riverbed Steelhead
  ●ManageEngine Opmanager
  ●Alert-on-Failure (AOF) Enterprise
  ●Mutiny Technology Mutiny Appliance
●Security and Firewall Appliances
  ●Cososys Endpoint Protector
  ●McAfee Email and Web Gateway
  ●EdgeWave Iprism Web Proxy
  ●ForeScout Counteract
  ●Barracuda Spam & Virus Firewall
  ●Servgate Edgeforce M30
  ●Celestix Scorpio RAS3000
  ●Qualys Qualysguard Scanner
  ●Bluelane Patchpoint
●Other Appliances
  ●Google Search Appliance
  ●Symantec Opscenter
  ●InfoBlox IPAM
  ●EMC Clariion
  ●F5 Big-IP Appliance
-
Procurement
●Craigslist, eBay and borrowed from friends
●Fully-functional demos from vendors' websites
●Virtual appliance marketplace
-
Aren’t appliances expensive?
-
Storage Issues
-
Testing a New Device
●Image (backup) HDDs and RTFM
●Put in lab network (isolated)
●Testing
  ●Port scan with Nmap/NSE scripts
  ●Look for known vulnerabilities with services
  ●Log in with default credentials
  ●Look for ways to gain root OS privileges
  ●Identify features that could be used by an attacker
-
Before we move on, let's get real!
●Your enterprise goes from this…
-
To this…
-
With 1 of these…
-
Reasons to Attack Appliances/Devices
Powerful Linux OS
Ability to leverage Python, Lua, Ruby and Bash
Tools like Netcat, Nmap, TCPDump and others
Privileged network segment
Difficult IR environment
Admins probably don’t even have root access
Best place to persist in an enterprise
-
What is an appliance?
●Could be virtualized, but typically:
  ●Outdated server hardware (cheap)
  ●Open-Source Operating System (Linux)
  ●A few security tools
  ●Web Application to manage and audit
-
Why your boss buys them…
●“…blocks both known and unknown attacks with 100% accuracy.”
●“…provides complete security protection against all attacks.”
●“…protected against compromise by any potential attackers.”
●“…operates without human intervention or manual updates.”
-
Example 1: Network Monitoring
-
Examine Open Ports
●SSH is open, but we don’t know the root password
●HTTP has default passwords
-
Where to find the default password?
-
What if I change the password?
●Backdoor accounts with default passwords
●Many appliances limit length and complexity
●Lots of tools to brute-force (e.g. Fireforce)
●Custom dictionaries are effective
-
Now What?
●Easiest vuln to find is command injection
  ●Commonly in troubleshooting utilities
●Great for persistence on read-only file systems
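Added example (Python, not code from the talk or from any of the appliances it names): the troubleshooting-utility pattern this slide refers to, shown first as the injectable form that concatenates a "host to ping" form field into a shell string, and then as the hardened form that allow-lists the value and passes it as a single argv element with no shell. The function names, the regex and the two sample host values are assumptions constructed for the example; the detection helper only lists the characters a reviewer of web-app logs would want flagged in such a field.

```python
import re
import subprocess

# Constructed sample inputs (not from the talk): a normal value for a
# "host to ping" form field, and the same field with a second command appended.
LEGIT_HOST = "10.0.0.5"
TAMPERED_HOST = "10.0.0.5; id"


def build_ping_command_vulnerable(host):
    """The injectable pattern: the form field is concatenated into one shell
    string. With shell=True the ';' ends the ping command and whatever follows
    runs with the web application's privileges (often root on an appliance).
    Returned as a string so it can be inspected without executing anything."""
    return "ping -c 1 " + host


# Allow-list: DNS hostname labels or dotted IPv4, nothing a shell can interpret.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def is_valid_host(host):
    """True only for values that match the allow-list. Such values cannot start
    with '-', so ping cannot read them as an option either."""
    return len(host) <= 253 and _HOST_RE.match(host) is not None


def build_ping_command_hardened(host):
    """The hardened pattern: reject anything outside the allow-list, then pass
    the value as one argv element. No shell is involved, so ';', '|', '$(...)'
    and friends are just characters that fail validation."""
    if not is_valid_host(host):
        raise ValueError("host must be a hostname or IPv4 address")
    return ["ping", "-c", "1", host]


def run_ping_hardened(host, timeout=5):
    """Execute the hardened command without a shell; returns (rc, stdout)."""
    proc = subprocess.run(
        build_ping_command_hardened(host),
        capture_output=True,
        text=True,
        timeout=timeout,
    )
    return proc.returncode, proc.stdout


def detect_shell_metacharacters(value):
    """Detection-side helper: shell metacharacters present in a submitted
    value, the thing to alert on in web-app logs for such utilities."""
    return sorted(set(value) & set(";|&`$()<>\n"))


if __name__ == "__main__":
    print("vulnerable:", build_ping_command_vulnerable(TAMPERED_HOST))
    print("hardened:  ", build_ping_command_hardened(LEGIT_HOST))
    print("flagged:   ", detect_shell_metacharacters(TAMPERED_HOST))
```

The point of the hardened version is that it never tries to "clean" the input: anything outside the allow-list is rejected outright, and because the value goes into an argument vector rather than a shell string, there is no interpreter left to abuse even if the allow-list were imperfect. Dropping the web application's privileges separately limits what any remaining bug can do.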
-
But how do you get Root?
●Use curl to pull down payload and execute
●Since webapp is running as root we can…
-
Thanks Juan!
-
Example 2: Security Appliance
-
Scan and Enumerate
●Vulnerable FTP service running
●Web interface for management
●SSH is enabled but no credentials provided
-
Different Approach: Ask
-
Support Procedures
Documentation revealed that remote access was possible for remote support
Is the password static or derived?
-
What does it mean?
Script calculates the sum of the digits of the 10-digit serial number
91 possible outcomes
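Added example (Python, not code from the talk or from the vendor's support script): the keyspace arithmetic behind the "91 possible outcomes" figure. Summing ten decimal digits gives every value from 0 (all zeros) to 90 (all nines), so a support password derived that way has 91 possible values, about 6.5 bits, compared with roughly 33 bits for the serial number itself and 128 bits for a random per-device secret. The function names, the serial-construction helper and the sample serial are assumptions made for the example; the final function shows the alternative a vendor should use instead of deriving a password from a label printed on the chassis.

```python
import math
import secrets


def digit_sum(serial, length=10):
    """The derivation the slide describes: add up the decimal digits of the
    serial number. Constructed check: the serial must be exactly `length` digits."""
    if len(serial) != length or not serial.isdigit():
        raise ValueError("serial must be exactly %d decimal digits" % length)
    return sum(int(ch) for ch in serial)


def derived_password_space(length=10):
    """Size of the space of possible support passwords: every sum from
    0 (all zeros) to 9*length (all nines) is reachable, so 9*length + 1 values.
    For length=10 that is 91."""
    return 9 * length + 1


def serial_with_sum(target, length=10):
    """Build one serial whose digits sum to `target`, to show each value in
    0..9*length really occurs: as many 9s as fit, the remainder, then 0-padding."""
    if not 0 <= target <= 9 * length:
        raise ValueError("unreachable digit sum")
    nines, rest = divmod(target, 9)
    digits = "9" * nines + (str(rest) if rest else "")
    return digits.ljust(length, "0")


def all_reachable_sums(length=10):
    """Enumerate the whole space by construction; the result has exactly
    derived_password_space(length) distinct members."""
    return {digit_sum(serial_with_sum(s, length), length)
            for s in range(9 * length + 1)}


def entropy_bits(n_outcomes):
    """Guessing entropy, in bits, of a value chosen uniformly from n outcomes."""
    return math.log2(n_outcomes)


def per_device_support_secret(nbytes=16):
    """What a derived password should be replaced with: a random per-device
    secret generated at provisioning time and stored by the vendor, not
    something recomputable from a visible serial number."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    serial = "1234567890"  # constructed sample serial
    print("digit sum of %s = %d" % (serial, digit_sum(serial)))
    print("derived passwords: %d values (%.1f bits)"
          % (derived_password_space(), entropy_bits(derived_password_space())))
    print("serial itself:     %.1f bits" % entropy_bits(10 ** 10))
    print("random secret:     %.1f bits" % entropy_bits(2 ** 128))
```

Run as a script it prints the three entropy figures side by side; the comparison is the check to apply whenever a vendor describes a support credential as "derived from the serial": ask how many distinct values the derivation can produce, and whether the input is something anyone with physical or web access to the box can read.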
-
SSH in and sudo to root!
-
Example 3: The Other Security
-
Isolate and Scan
-
Remote Access?
-
Backdoor?
-
Monitor the Device
-
Where are my passwords going?
-
Free Features!
-
I’m sure my passwords are safe.
-
What to do from here?
●Privileged Network Location
  ●Server segment or VLAN could be trusted
  ●Attack enterprise with PTH-Suite
●Attacks against Administrators
  ●Full access to servers is way worse than a normal XSS
  ●Think malicious iframes or Java applets on every page
  ●Admins aren’t browsing with elevated privileges, are they?
  ●Keylog/capture credentials
●Domain Authentication
  ●Password reuse to other networked devices
-
What is better than a XSS vuln?
XSS Features!
-
Recommendations
●Don't immediately trust the vendor
  ●Especially those that claim to stop “unknown attacks with 100% accuracy”
  ●Look at their security track record on security sites
    ●Securityfocus, exploit-db and osvdb are a good start
  ●No vulnerabilities disclosed != good sign
●Assess your current appliances and evaluate demos of all networked devices before purchasing
  ●Ask to see previous security test results from the vendor
  ●Use a systematic approach but think like an attacker
  ●Look for vulnerabilities like those documented by OWASP
  ●Document potential vulnerabilities and share your findings
  ●Think about how you will sanitize and dispose of the device
-
Recommendations (2)
●Segment them from your enterprise
  ●Many organizations drown in data from continuous monitoring
  ●Eliminating unfamiliar and untested architectures could improve your overall posture: If you don’t need them, get rid of them
●Train yourself and your team
  ●Do internal training (e.g. brown-bag lunches)
  ●Attend and participate in security conferences like Blackhat and Bsides
  ●Read security blogs
●Demand control
  ●Ask if the vendor gives you root control before purchasing
  ●Ask how the appliance stores passwords
  ●If they don't, don't buy it
  ●Until we make real security a financial priority, vendors won’t fix
-
What did you do with that hardware?
-
Questions?
@obscuresec
www.obscuresec.com
Thanks to Matt, Josh, Juan, Carlos, Skip & the whole BsidesPR crew!