Enei

1. How to dominate a country An analysis to the Portuguese internet exposition to cyber-attacks

2. WHAT are you ? We are: • Security Researchers • Security enthusiasts • Students, corporate sheep (read: auditors), programmers, pentesters We are not : • Lulzsec • Anonymous • Hacking group • And no we wont help you hack you girlfriends facebook!

3. Who are you ? • Tiago Henriques • Tiago Martins • Team founder @ PTCoreSec • Team vice-founder @ PTCoreSec • Pentester/Researcher @ 7Elements • Researcher • @Balgan • @Gank_101 • Jean Figueiredo • Filipe Reis • Network security researcher @ • Programmer @ PTCoreSec PTCoreSec • Intern @ Layer8 • Netsec admin @ Tecnocom • @fjdreis • @klinzter

4. Who are you ? @balgan • Tiago Henriques • 24 • BSc Software Engineering – University of Brighton • MSc by Research Computer Security and Forensics – University of Bedfordshire • Started a PhD but decided to drop out and go work in the industry... • CEH • CHFI • Team founder @ PTCoreSec • Currently a Pentester/Researcher @ 7Elements • @Balgan

5. Who are you ?

6. Topics

7. We are NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS PRACTICED BY YOU OR ANYONE THAT LEARNS SOMETHING FROM TODAY’S PRESENTATION.

8. Causing Chaos. Q:If you guys were an attacker that was out to cause real damage or get profit, how would you go on about it ? A:This is what we would do, control as many machines in that country, penetrate critical systems and get as much intel/info as possible.

9. Causing Chaos. And that’s what we are gonna talk about today!

10. How it all got started We’re hackers! We love knowing how to break things and how others would go on about breaking things! The difference between us and others is simple: • We want to break things legally and find a way to fix things. • We want to learn about new things and help people.

11. PORT SCANNING….

12. How it all got started We saw some talks that really inspired us given by two great people HD Moore Fyodor

13. However… We also ran into a bit of a problem… Portscanning might or might not be illegal in Portugal! No one is actually sure, and we talked with multiple people: • Police • Sysadmins • Researchers • Security professionals

14. What to do ? • So, if you can’t port scan, how do u find out what ur enemies attack surface is ? • How do u know out if the entire infrastructure u rely on everyday is vulnerable or safe? • Security by obscurity? Right that works well….

15. What to do ? • We went and did the portscans, on passive mode, no system was penetrated in any way what so ever. • We did it slowly, and with plenty of time between scans as to not cause any DoS issues.

16. Port scanning • Tools of the trade: • Nmap • Wkhtmltoimage • Python • Scapy • Linux • NodeJS • MongoDB • C • Redbull + Lots of nights awake + Frustration

17. Port scanning - Process 1. Get Portugal CIDRs 2. Decide on a set of services you consider important 3. Check which ips have those ports open Actual scanning. 4. Check versions running of those services

18. Port scanning - Process 1. Get Portugal’s CIDRs There are two places where you can get these: • http://software77.net/geo-ip/ • ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest 2.80.0.0/14 62.48.192.0/18 81.90.48.0/20 5.43.0.0/18 62.169.64.0/18 81.92.192.0/20 5.44.192.0/20 62.249.0.0/19 81.92.208.0/20 5.158.0.0/18 77.54.0.0/16 81.193.0.0/16 5.159.216.0/21 77.91.200.0/21 82.102.0.0/18 5.172.144.0/21 78.29.128.0/18 82.154.0.0/15 31.22.128.0/17 78.130.0.0/17 83.132.0.0/16 37.28.192.0/18 78.137.192.0/18 83.144.128.0/18 37.189.0.0/16 79.168.0.0/15 83.174.0.0/18 46.50.0.0/17 80.172.0.0/16 83.223.160.0/19 46.182.32.0/21 80.243.80.0/20 83.240.128.0/17 46.189.128.0/17 81.20.240.0/20 84.18.224.0/19 62.28.0.0/16 81.84.0.0/16 84.23.192.0/19 62.48.128.0/18 81.90.48.0/20 84.90.0.0/15

19. Port scanning - Process 2. Decide on a set of services you consider important Port 11 1900UDP UPNP ID Number TCP/UDP Service 12 2869TCP UPNP 1 80TCP http 13 5353UDP MDNS 2 443TCP https 14 137TCP Netbios 3 8080TCP http alternative 15 25TCP SMTP 4 21TCP FTP 16 110TCP POP3 5 22TCP SSH 17 143TCP IMAP 6 23TCP Telnet 18 3306TCP Mysql 7 53UDP DNS 19 5900TCP VNC Server 8 445TCP Samba 20 17185UDP VoIP 9 139TCP Samba 21 3389TCP Rdesktop 10 161UDP SNMP 22 8082TCP TR 069

20. Port scanning - Process 3. Check which ip’s have those port’s open 4. Check versions running of those services This is where it get’s tricky!

21. Port scanning - Process • Portugal on the internet…. 5,822,240 allocated ip’s Dynamic ips GPRS

22. Port scanning - Process • So as we mentioned, we devided the actual scanning into two parts! And you might be wondering why… Common nmap scan for TCP nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21-T5 -PN The problem of this, is that DNS resolution and –sV (Service detection) are very slow. So how do we solve this problem? We obviously want the domains the ips are associated with, and the versions of the services running.

23. Port scanning - Process • Do the fast things on the 6 mil ips and then do the slow stuff merely on the ips that are running the service we want to analyse. • nmap -iL CIDRSPT.txt -oA port21-FTP - sS -p21 -T5 -PN --host-timeout 1501 – min-hostgroup 400 --min-parallelism 10 -n • Then we will have the list of ips that have FTP running on port 21 on 3 files: • Port21-FTP.xml • Port21-FTP.gnmap • Port21-FTP.nmap • Extract ips from gnmap: cat port21-FTP.gnmap | grep -w "21/open" | awk '{print $2}' > IPSWITHFTP.TXT

24. Port scanning - Process • Do the show things only the ips that have our service running. • nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 –min-hostgroup 400 --min- parallelism 10 • Then we will have the list of ips that have FTP running on port 21 AND the version of those services on 3 files: • Port21-FTP-FINAL.xml • Port21-FTP-FINAL.gnmap • Port21-FTP-FINAL.nmap

25. Port scanning - Process • However…we still have UDP… and let me tell u….

26. Port scanning - Process Nmap also has a UDP mode… -sU however it doesn’t work very well without -sV (read: its shit!), when testing it on our lab we noticed that most of the times nmap wasn’t able to detect if there was a service running or not. The reason for this is: “UDP scanning is slow as open/filtered ports typically don't respond so nmap has to time out and then retransmit whilst closed ports will send a ICMP port unreachable error, which systems typically rate limit.” When we started, it took us around 4 Weeks to scan UDP on the entire country on 1 port….

27. Port scanning - Process Solution ? SCAPY! Server Client Service running on port:11111

28. Port scanning - Process Result of that script ? On lab testing….

29. Port scanning - Process Result of that script ? On internet testing….

30. Port scanning - Process When we started, it took us around +4 Weeks to scan UDP on the entire country on 1 port using NMap…. -We took this as a baseline first run to improve… Our second run, we used python+scapy and it went down!! 1 week – well not bad for a second run, but 1 week for a port ? Our third run, we used python+multithreading fu + scapy + blackmamba – 3 days – and this was the best we brought it down to without bringing in the big guns (read: “asking HD Moore for help”) Forth run – C Yup entire .pt (1 port ) scanned in 4 minutes and 45 seconds.

31. Port scanning - Process So... At this point we can do UDP in 5 minutes. As you can guess... We now love UDP scanning again... Our next objective became to speed up our TCP scanning. For you to understand what we did you need first to understand how nmap works: 25000 20000 15000 Time 10000 Packets per second Nmap 5000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

32. Port scanning - Process What we did, is write our own TCP scanner. And the result is the following: 25000 20000 15000 Time Packets per second 10000 PTCoreSecTCP 5000 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

33. Port scanning - End So we had our kick ass friends, send us our kick ass raw results… now what do we do with them ?

34. Port scanning - End Terminals are fun, BUT we want an easier way to look at our data… So…. We wrote a tool: PTCoreSec Command Center!

35. First version

36. Second version

37. Third version

38. Fourth version – Current Stable

39. Fifth version – Currently Under development

40. Port scanning - Demo DEMO TIME!

41. Port scanning – The project While we were preparing for codebits… We received something in the mail….

42. Port scanning – The project Raspi

43. Port scanning – The project And it got us thinking… Port scanning, doesn’t require a great CPU, nor a huge amount of ram…

44. Port scanning – The project So we decided to create a distributed port scanning project…

45. Port scanning – The project We grabbed the And added a custom set of scripts to it…

46. Port scanning – The project

47. Port scanning – How does it work? Step 1 – PTCoreSec admins request a job (scan) on the backend. Step 2 – Server side checks current number of live raspi minions. Step 3 – Server divides de CIDRS by the different clients and sends them over. Step 4 – Clients (minions) do the scans and XMLRPC send them back to the server. Step 5 – Server imports these scans into the MongoDB backend.

48. Part 2

49. Business When a client asks for a pentest We present them with these

50. Business

51. Business

52. Business

53. Business And that’s all really neat and pretty, however there are 2 problems with that! These guys don’t give a f***. Management Blackhats

54. Management Cares about: • Money • Money • Money Does: • Will lie for PCI DSS/ISO27001/{Compliance} This gives us, security • Approves every single thing even if it peeps, headaches! doesn’t match security department goals but gets them moneys.

55. I ask onLY ONE thing of u Leave your whitehats at home, and

56. SHODAN SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners. Another way of putting it would be:

57. Is the Of these

58. Now combine this: With these:

59. And you get a lot of these

60. Also if you do anything ilegal and get caught, you’ll get one of these:

61. SHODAN Now its when u ask

62. Shodan http://www.shodanhq.com/

63. SHODAN Accessing that website will give u a bar, where you can type queries and obtain results. Your queries, can ask for PORTS, Countries, strings contained in the banners, and all sorts of other things Following is a sample set of queries that can lead to some interesting results:

64. SHODAN QUERIES • http://www.shodanhq.com/?q=cisco-IOS • http://www.shodanhq.com/?q=IIS+4.0 • http://www.shodanhq.com/?q=Xerver • http://www.shodanhq.com/?q=Fuji+xerox • http://www.shodanhq.com/?q=JetDirect • http://www.shodanhq.com/?q=Netgear • http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22 • http://www.shodanhq.com/?q=Golden+FTP+Server

65. SHODAN QUERIES + combined country? Awesome! Saturday, 9th of June 2012

66. SHODAN QUERIES + combined country Port: 3306 country:PT

67. SHODAN QUERIES + combined country? Awesome! Wednesday, 6 th of June 2012

68. SHODAN QUERIES + combined country BigIP country:PT

69. SHODAN QUERIES + combined country? Awesome! Tuesday, Marc h 13, 2012

70. SHODAN QUERIES + combined country port:3389 -allowed country:PT

71. SHODAN QUERIES + combined country? Awesome!

72. SHODAN QUERIES OF AWESOMENESS SAP Web Application Server (ICM) Worldwide Portugal

73. SHODAN QUERIES OF AWESOMENESS SAP NetWeaver Application Server Worldwide Portugal

74. SHODAN QUERIES OF AWESOMENESS SAP Web Application Server Worldwide Portugal

75. SHODAN QUERIES OF AWESOMENESS SAP J2EE Engine Worldwide Portugal

76. SHODAN QUERIES OF AWESOMENESS

77. SHODAN QUERIES OF AWESOMENESS port:23 country:PT Worldwide Portugal

78. SHODAN QUERIES OF AWESOMENESS port:23 country:PT Username:admin Password:smcadmin

79. SHODAN QUERIES OF AWESOMENESS port:23 list of built-in commands Worldwide Not a big number, however just telnet in and you get shell…

81. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP ? • Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2 • Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2 • Windows SYSTEM INFO 1.3.6.1.2.1.1.1 • Windows HOSTNAME 1.3.6.1.2.1.1.5 • Windows DOMAIN 1.3.6.1.4.1.77.1.4.1 • Windows UPTIME 1.3.6.1.2.1.1.3 • Windows USERS 1.3.6.1.4.1.77.1.2.25 • Windows SHARES 1.3.6.1.4.1.77.1.2.27 • Windows DISKS 1.3.6.1.2.1.25.2.3.1.3 • Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1 • Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0 • Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0

82. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP ? • Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2 • Linux SYSTEM INFO 1.3.6.1.2.1.1.1 • Linux HOSTNAME 1.3.6.1.2.1.1.5 • Linux UPTIME 1.3.6.1.2.1.1.3 • Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3 • Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4 • Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0 • Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0

83. SHODAN QUERIES OF AWESOMENESS What sort of info do I get with SNMP ? • Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8 • Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2 • Cisco SYSTEM INFO 1.3.6.1.2.1.1.1 • Cisco HOSTNAME 1.3.6.1.2.1.1.5 • Cisco SNMPcommunities 1.3.6.1.6.3.12.1.3.1.4 • Cisco UPTIME 1.3.6.1.2.1.1.3 • Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1 • Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18 • Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2 • Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5 • Cisco LOGMESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5 • Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2 • Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7

84. SHODAN QUERIES OF AWESOMENESS

85. SHODAN QUERIES OF AWESOMENESS cisco country:PT Worldwide Portugal

86. SHODAN QUERIES OF AWESOMENESS cisco country:PT

87. Cisco

88. Cisco – GRE TUNNELING

90. SHODAN QUERIES OF AWESOMENESS So, What is UPNP?

91. SHODAN QUERIES OF AWESOMENESS So, What uses UPNP?

92. SHODAN QUERIES OF AWESOMENESS Hackz

93. UPNP January 29th 2013!!!!

94. UPNP 2013 15.000+ devices replied to UPNP in January 2013 in Portugal

95. Projecto Portugal Seguro - PTCoresec • 29 Janeiro 2013 – released a study which showed new flaws on UPNP and numbers on the devices replying to UPNP. • PTCoreSec under the scope of project Portugal Seguro proceeded to help ISP’s with this problem • We sent an email to all isp’s that resulted in the following

96. Projecto Portugal Seguro

97. Projecto Portugal Seguro • Resultado – Some ISP’s we noticed changes in order of 80% in the number of ips that stopped responding to UPNP in less then 1 week. – Quicker and faster response contacts so that we can improve even further on this in case of next event.

98. SHODAN QUERIES OF AWESOMENESS Hackz

99. SHODAN QUERIES OF AWESOMENESS UPNP zomg time

100. SHODAN QUERIES OF AWESOMENESS UPNP Remote command execution

101. SHODAN QUERIES OF AWESOMENESS Oh and by the way…

102. SHODAN QUERIES OF AWESOMENESS Another funny thing about UPNP, is that you can get the MAC ADDR and SSID its using And then….

103. SHODAN (MORE INTERESTING) QUERIES SCADA • http://www.shodanhq.com/?q=PLC • http://www.shodanhq.com/?q=allen+bradley • http://www.shodanhq.com/?q=fanuc • http://www.shodanhq.com/?q=Rockwell • http://www.shodanhq.com/?q=Cimplicity • http://www.shodanhq.com/?q=Omron • http://www.shodanhq.com/?q=Novatech • http://www.shodanhq.com/?q=Citect • http://www.shodanhq.com/?q=RTU • http://www.shodanhq.com/?q=Modbus+Bridge • http://www.shodanhq.com/?q=modicon • http://www.shodanhq.com/?q=bacnet • http://www.shodanhq.com/?q=telemetry+gateway • http://www.shodanhq.com/?q=SIMATIC • http://www.shodanhq.com/?q=hmi • http://www.shodanhq.com/?q=siemens+-...er+-Subscriber • http://www.shodanhq.com/?q=scada+RTS • http://www.shodanhq.com/?q=SCHNEIDER

104. SHODAN (MORE INTERESTING) QUERIES PORTUGAL? SCADA

105. SHODAN (MORE INTERESTING) QUERIES SCADA Portugal

109. SHODAN (MORE INTERESTING) QUERIES Cameras…. Simply connected online and without authentication…

110. A little tip… If you want to quickly check for stuff (web related) that has no authentication, use NMAP!

111. A little tip… First, let’s get wkhtmltoimage: wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static- i386.tar.bz2 tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2 cp wkhtmltoimage-i386 /usr/local/bin/ Next, let’s get and install the Nmap module: git clone git://github.com/SpiderLabs/Nmap-Tools.git cd Nmap-Tools/NSE/ cp http-screenshot.nse /usr/local/share/nmap/scripts/ nmap --script-updatedb

112. A little tip… Then, do your shodan search and use: This automatically exports a list of ips u can import into nmap

113. A little tip… Then…

114. A little tip… And nmap, will automatically take screen shots of the first pages that appear and store them, then u just need to look at those!

115. To end…

116. Open ports!

117. SCARY SHIT! DEFACE 1 SCARY? NO!

118. SCARY SHIT! DEFACE 2 SCARY? Well… disturbing, scary? Not so much!

119. SCARY SHIT!

120. SCARY SHIT!

121. SCARY SHIT!

122. Shodan – the bad part • Imports nmap scans from their servers on a rotational basis, so its not always 100% updated! Confirmed this by correlating some of the shodan results with our personal results! • For example on mysql servers, Shodan would find 785, where our results showed 3000+

123. Shodan – the good part • Good querying system • If port scanning is illegal in your country, you’re out of trouble if u use shodan, because ur just querying data acquired by them.

124. Resources http://secanalysis.com/interesting-shodan-searches/ blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web- services.html http://www.youtube.com/watch?v=LPgZU7ZNIjQ - Defcon 18 2010 SHODAN for Penetration Testers Michael Schearer http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West

125. Requests https://www.facebook.com/ptcoresec

126. Invite http://www.securitybsides.com/w/page/61778144/BSidesLisbon

127. Challenge

Enei

Enei

Recomendados

Más contenido relacionado

Was ist angesagt?

Was ist angesagt?(20)

Destacado

Destacado(11)

Similar a Enei

Similar a Enei(20)

Más de Tiago Henriques

Más de Tiago Henriques(9)

Enei

Hinweis der Redaktion