How to Hack Millions of Routers - Craig Heffner


  1. How to Hack Millions of Routers Craig Heffner

  2. Administrivia
     - My overarching objective with this talk is to increase security awareness and serve as a catalyst for positive change
     - I developed this paper and the conclusions reached and the information presented, on my own time, not on behalf of Seismic or using any resources of Seismic and in fact prior to working for Seismic
     - My information was derived from well-known public vulnerabilities and other public sources
     - I joined Seismic (now an Applied Signal Technology company) to develop solutions to these types of problems and to increase the integrity of our networks

  3. SOHO Router…Security?

  4. Common Attack Techniques
     - Cross Site Request Forgery
       - No trust relationship between browser and router
       - Can't forge Basic Authentication credentials
       - Anti-CSRF
       - Limited by the same origin policy
     - DNS Rebinding
       - Rebinding prevention by OpenDNS / NoScript / DNSWall
       - Most rebinding attacks no longer work
       - Most …

  5. Multiple A Record Attack
     - Better known as DNS load balancing / redundancy
     - Return multiple IP addresses in DNS response
     - Browser attempts to connect to each IP address in order
     - If one IP goes down, browser switches to the next IP in the list
     - Limited attack
       - Can rebind to any public IP address
       - Can't rebind to an RFC1918 IP address
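Slide 4 credits OpenDNS / NoScript / DNSWall with stopping most rebinding, and slide 5 explains why the multiple-A-record variant survives: such a filter refuses RFC1918 answers, and an answer set made only of public addresses is clean by that test. The check below is an added example, not code from the talk or from the Rebind tool; the two answer sets are constructed from the slide diagrams (1.4.1.4 with 192.168.1.1, and 1.4.1.4 with 2.3.5.8), and the private-range list is the usual RFC1918 set plus loopback, my choice rather than any product's policy.

```python
# Added example, not from the talk: a DNSWall-style answer filter applied to
# the two answer sets drawn in the slide diagrams.
import ipaddress

# Ranges a rebinding filter refuses to hand to a browser for a public name
# (RFC1918 plus loopback; chosen here, not copied from any product).
PRIVATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def is_private(addr: str) -> bool:
    """True if addr falls in one of the refused ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def filter_answers(answers):
    """Split one A-record answer set into (allowed, dropped).

    Any private address in a public name's answer is stripped before the
    browser sees it; public addresses pass untouched.
    """
    allowed = [a for a in answers if not is_private(a)]
    dropped = [a for a in answers if is_private(a)]
    return allowed, dropped


# Constructed answer sets, taken from the slide diagrams.
PRIVATE_REBIND = ["1.4.1.4", "192.168.1.1"]   # slide 17: attacker + router LAN address
PUBLIC_REBIND = ["1.4.1.4", "2.3.5.8"]        # slide 8: attacker + router WAN address


def demo():
    """Run both answer sets through the filter and report whether the browser
    is still left with two addresses to fail over between."""
    results = {}
    for name, answers in (("private", PRIVATE_REBIND), ("public", PUBLIC_REBIND)):
        allowed, dropped = filter_answers(answers)
        results[name] = {
            "allowed": allowed,
            "dropped": dropped,
            # failover needs at least two surviving addresses
            "rebind_possible": len(allowed) > 1,
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r)
```

The private-IP answer loses 192.168.1.1 and the browser is left with a single address, so no failover can happen; the public-IP answer passes unchanged, which is the gap the rest of the talk builds on.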

  6. Rebinding to a Public IP (diagram) - Target IP: 2.3.5.8; Attacker IP: 1.4.1.4; Attacker Domain: attacker.com

  7. Rebinding to a Public IP (diagram) - browser asks DNS: What is the IP address for attacker.com?

  8. Rebinding to a Public IP (diagram) - DNS answer carries two A records: 1.4.1.4, 2.3.5.8

  9. Rebinding to a Public IP (diagram) - browser to 1.4.1.4: GET / HTTP/1.1, Host: attacker.com

  10. Rebinding to a Public IP (diagram) - 1.4.1.4 replies with <script>…</script>

  11. Rebinding to a Public IP (diagram) - browser to 1.4.1.4: GET / HTTP/1.1, Host: attacker.com

  12. Rebinding to a Public IP (diagram) - 1.4.1.4 answers with TCP RST

  13. Rebinding to a Public IP (diagram) - browser fails over to 2.3.5.8: GET / HTTP/1.1, Host: attacker.com

  14. Rebinding to a Public IP (diagram) - 2.3.5.8 replies with <html>…</html>

  15. Rebinding to a Private IP (diagram) - Target IP: 192.168.1.1; Attacker IP: 1.4.1.4; Attacker Domain: attacker.com

  16. Rebinding to a Private IP (diagram) - browser asks DNS: What is the IP address for attacker.com?

  17. Rebinding to a Private IP (diagram) - DNS answer carries two A records: 1.4.1.4, 192.168.1.1

  18. Rebinding to a Private IP (diagram) - request: GET / HTTP/1.1, Host: attacker.com

  19. Rebinding to a Private IP (diagram) - response: <html>…</html>

  20. Services Bound to All Interfaces
      # netstat -l
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address    Foreign Address    State
      tcp        0      0 *:80             *:*                LISTEN
      tcp        0      0 *:53             *:*                LISTEN
      tcp        0      0 *:22             *:*                LISTEN
      tcp        0      0 *:23             *:*                LISTEN

  21. Firewall Rules Based on Interface Names
      -A INPUT -i eth0 -j DROP
      -A INPUT -j ACCEPT

  22. IP Stack Implementations
      - RFC 1122 defines two IP models:
        - Strong End System Model
        - Weak End System Model

  23. The Weak End System Model
      - RFC 1122, Weak End System Model:
        - A host MAY silently discard an incoming datagram whose destination address does not correspond to the physical interface through which it is received.
        - A host MAY restrict itself to sending (non-source-routed) IP datagrams only through the physical interface that corresponds to the IP source address of the datagrams.

  24. Weak End System Model (diagram) - router with eth1 at 192.168.1.1 and eth0 at 2.3.5.8

  25. Weak End System Model (diagram) - TCP SYN packet from the LAN side: Source IP 192.168.1.100, Destination IP 2.3.5.8, Destination Port 80

  26. Weak End System Model (diagram) - TCP SYN/ACK packet: Source IP 2.3.5.8, Destination IP 192.168.1.100, Source Port 80

  27. Weak End System Model (diagram) - TCP ACK packet: Source IP 192.168.1.100, Destination IP 2.3.5.8, Destination Port 80
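The handshake on slides 25-27 completes only because the router follows the weak end system model: the SYN arrives on the LAN interface but is addressed to the WAN interface's address. The following added example (mine, not the talk's) encodes the RFC 1122 decision quoted on slide 23 for both models and applies it to that SYN; interface names and addresses are taken from slide 24, and the source host 192.168.1.100 from slide 25.

```python
# Added example, not from the talk: RFC 1122 strong vs weak end system model
# applied to the SYN of slide 25.
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    ingress_iface: str   # physical interface the packet arrived on
    src_ip: str
    dst_ip: str
    dst_port: int


# Router from slide 24: LAN side eth1 at 192.168.1.1, WAN side eth0 at 2.3.5.8.
ROUTER_ADDRS = {"eth1": "192.168.1.1", "eth0": "2.3.5.8"}


def accept_datagram(model: str, pkt: Datagram, iface_addrs: dict) -> bool:
    """Does the IP stack hand pkt to a local socket?

    strong: the destination must be the address of the interface the
            packet came in on.
    weak:   any local address is accepted regardless of ingress interface;
            RFC 1122's "MAY silently discard" option is not exercised.
    """
    if pkt.dst_ip not in iface_addrs.values():
        return False          # not addressed to this host: routed or dropped elsewhere
    if model == "strong":
        return iface_addrs.get(pkt.ingress_iface) == pkt.dst_ip
    if model == "weak":
        return True
    raise ValueError(f"unknown model {model!r}")


# Slide 25: a LAN host (192.168.1.100) sends a SYN to the router's WAN address.
# Coming from the LAN it necessarily enters through eth1.
LAN_SYN_TO_WAN = Datagram("eth1", "192.168.1.100", "2.3.5.8", 80)


def compare_models(pkt: Datagram = LAN_SYN_TO_WAN) -> dict:
    """Verdict of each host model for one packet."""
    return {m: accept_datagram(m, pkt, ROUTER_ADDRS) for m in ("weak", "strong")}


if __name__ == "__main__":
    # weak model completes the handshake, strong model never answers the SYN
    print(compare_models())
```

A packet to 192.168.1.1 arriving on eth1 is accepted under both models, which is why ordinary LAN administration keeps working; only the LAN-to-WAN-address case separates them, and that is exactly the case the rebinding sequence relies on.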

  28. Traffic Capture

  29. End Result

  30. Public IP Rebinding Attack (diagram) - Target IP: 2.3.5.8; Attacker IP: 1.4.1.4; Attacker Domain: attacker.com

  31. Public IP Rebinding Attack (diagram) - browser asks DNS: What is the IP address for attacker.com?

  32. Public IP Rebinding Attack (diagram) - DNS answer carries two A records: 1.4.1.4, 2.3.5.8

  33. Public IP Rebinding Attack (diagram) - browser to 1.4.1.4: GET / HTTP/1.1, Host: attacker.com

  34. Public IP Rebinding Attack (diagram) - 1.4.1.4 replies with <script>...</script>

  35. Public IP Rebinding Attack (diagram) - browser to 1.4.1.4: GET / HTTP/1.1, Host: attacker.com

  36. Public IP Rebinding Attack (diagram) - 1.4.1.4 answers with TCP RST

  37. Public IP Rebinding Attack (diagram) - browser fails over to 2.3.5.8: GET / HTTP/1.1, Host: attacker.com

  38. Public IP Rebinding Attack (diagram) - 2.3.5.8 (the router's WAN address) replies with <html>…</html>

  39. Public IP Rebinding Attack
      - Pros:
        - Nearly instant rebind, no delay or waiting period
        - Don't need to know router's internal IP
        - Works in all major browsers: IE, FF, Opera, Safari, Chrome
      - Cons:
        - Router must meet very specific conditions
          - Must bind Web server to the WAN interface
          - Firewall rules must be based on interface names, not IP addresses
          - Must implement the weak end system model
        - Not all routers are vulnerable

  40. Affected Routers

  41. Asus

  42. Belkin

  43. Dell

  44. Thompson

  45. Linksys

  46. Third Party Firmware

  47. ActionTec

  48. Making the Attack Practical
      - To make the attack practical:
        - Must obtain target's public IP address automatically
        - Must coordinate services (DNS, Web, Firewall)
        - Must do something useful

  49. Tool Release: Rebind
      - Provides all necessary services
        - DNS, Web, Firewall
      - Serves up JavaScript code
        - Limits foreground activity
        - Makes use of cross-domain XHR, if supported
        - Supports all major Web browsers
      - Attacker can browse target routers in real-time
        - Via a standard HTTP proxy

  50. Rebind (diagram) - Target IP: 2.3.5.8; Rebind IP: 1.4.1.4; Attacker Domain: attacker.com

  51. Rebind (diagram only)

  52. Rebind (diagram only)

  53. Rebind (diagram) - browser asks DNS: What is the IP address for attacker.com?

  54. Rebind (diagram) - DNS answer: 1.4.1.4 only

  55. Rebind (diagram) - browser to 1.4.1.4: GET /init HTTP/1.1, Host: attacker.com

  56. Rebind (diagram) - 1.4.1.4 redirects: Location: http://wacme.attacker.com/exec

  57. Rebind (diagram) - browser asks DNS: What is the IP address for wacme.attacker.com?

  58. Rebind (diagram) - DNS answer carries two A records: 1.4.1.4, 2.3.5.8

  59. Rebind (diagram) - browser to 1.4.1.4: GET /exec HTTP/1.1, Host: wacme.attacker.com

  60. Rebind (diagram) - 1.4.1.4 replies with <script>…</script>

  61. Rebind (diagram) - browser to 1.4.1.4: GET / HTTP/1.1, Host: wacme.attacker.com

  62. Rebind (diagram) - 1.4.1.4 answers with TCP RST

  63. Rebind (diagram) - browser fails over to 2.3.5.8: GET / HTTP/1.1, Host: wacme.attacker.com

  64. Rebind (diagram) - 2.3.5.8 (the router) replies with <html>…</html>

  65. Rebind (diagram) - script polls the Rebind server: GET /poll HTTP/1.1, Host: attacker.com:81

  66. Rebind (diagram only)

  67. Rebind (diagram only)

  68. Rebind (diagram) - attacker's browser, via the HTTP proxy: GET http://2.3.5.8/ HTTP/1.1

  69. Rebind (diagram) - script polls again: GET /poll HTTP/1.1, Host: attacker.com:81

  70. Rebind (diagram) - poll response carries the queued request: GET / HTTP/1.1

  71. Rebind (diagram) - script issues it to 2.3.5.8: GET / HTTP/1.1, Host: wacme.attacker.com

  72. Rebind (diagram) - 2.3.5.8 replies with <html>…</html>

  73. Rebind (diagram) - script returns the result: POST /exec HTTP/1.1, Host: attacker.com:81, body <html>…</html>

  74. Rebind (diagram) - <html>…</html> is handed back to the attacker's browser

  75. Rebind (diagram only)

  75. Rebind

  76. Demo

  77. More Fun With Rebind
      - Attacking SOAP services
        - UPnP
        - HNAP
      - We can rebind to any public IP
        - Proxy attacks to other Web sites via your browser
        - As long as the site doesn't check the host header
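The Host-header condition on slide 77 cuts both ways: a site, or a router's administrative interface, that compares Host against its own names refuses a rebound request, because the victim's browser still sends the attacker's name (wacme.attacker.com in the diagrams) while connecting to the router's address. The check below is an added example, not the talk's code or any vendor's firmware; the allow-list is constructed from the slides' router addresses plus a hypothetical router.local name.

```python
# Added example, not from the talk: a strict Host-header allow-list for a
# device's administrative interface.
import re

# Names and addresses this device legitimately answers to (constructed; a real
# device would derive them from its configured addresses and hostname).
ALLOWED_HOSTS = {"192.168.1.1", "2.3.5.8", "router.local"}

# hostname, optionally followed by :port; anything else is rejected outright
HOST_RE = re.compile(r"^([a-z0-9.-]+)(?::(\d{1,5}))?$")


def host_header_ok(host_header, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the Host header names this device.

    A rebound request arrives with the attacker's domain in Host while the
    TCP connection is to the router's own IP, so an exact allow-list match
    on the hostname part is enough to refuse it.
    """
    if not host_header:
        return False
    m = HOST_RE.match(host_header.strip().lower())
    if m is None:
        return False
    return m.group(1) in allowed


def handle_request(host_header, path):
    """Minimal dispatcher for an admin interface: returns (status, body)."""
    if not host_header_ok(host_header):
        return 400, "Bad Request: Host header does not name this device"
    return 200, f"admin page {path}"


if __name__ == "__main__":
    for host in ("192.168.1.1", "2.3.5.8:80", "wacme.attacker.com", None):
        print(host, handle_request(host, "/"))
```

The same comparison protects SOAP endpoints such as UPnP and HNAP, which the slide lists as targets; a 400 on a foreign Host is also a cheap signal worth logging, since a legitimate client on the LAN has no reason to send one.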

  78. DNS Rebinding Countermeasures

  79. Am I Vulnerable?

  80. End-User Mitigations
      - Break any of the attack's conditions
        - Interface binding
        - Firewall rules
        - Routing rules
      - Disable the HTTP administrative interface
      - Reduce the impact of the attack
        - Basic security precautions

  81. Blocking Attacks at the Router
      - Don't bind services to the external interface
        - May not have sufficient access to the router to change this
        - Some services don't give you a choice
      - Re-configure firewall rules
        - -A INPUT -i eth1 -d 172.69.0.0/16 -j DROP

  82. HTTP Administrative Interface
      - Disable the HTTP interface
        - Use HTTPS / SSH
        - Disable UPnP while you're at it
      - But be warned…
        - Enabling HTTPS won't disable HTTP
        - In some routers you can't disable HTTP
        - Some routers have HTTP listening on alternate ports
        - In some routers you can't disable HNAP

  83. Blocking Attacks at the Host
      - Re-configure firewall rules
        - -A INPUT -d 172.69.0.0/16 -j DROP
      - Configure dummy routes
        - route add -net 172.69.0.0/16 gw 127.0.0.1
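Slides 21, 81 and 83 give the rules as iptables command lines. To see why the interface-only rules of slide 21 pass the slide-25 packet while the destination-matching rule of slide 81 stops it, here is an added first-match evaluator for just that rule subset; it is my code, not the talk's, and the router's public address 172.69.0.8 is constructed to fall inside the 172.69.0.0/16 placeholder range the slides use (the diagrams use 2.3.5.8 instead).

```python
# Added example, not from the talk: first-match evaluation of the INPUT rules
# quoted on slides 21 and 81 against a LAN-side packet addressed to the WAN IP.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str


def parse_rule(text: str) -> dict:
    """Parse the iptables subset used on the slides: -A CHAIN [-i IFACE] [-d NET] -j TARGET."""
    toks = text.split()
    rule = {"chain": None, "iface": None, "dst": None, "target": None}
    i = 0
    while i < len(toks):
        flag, arg = toks[i], toks[i + 1]
        if flag == "-A":
            rule["chain"] = arg
        elif flag == "-i":
            rule["iface"] = arg
        elif flag == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        elif flag == "-j":
            rule["target"] = arg
        else:
            raise ValueError(f"unsupported option {flag!r}")
        i += 2
    return rule


def matches(rule: dict, pkt: Packet) -> bool:
    """Every specified match must hold; unspecified matches are wildcards."""
    if rule["iface"] is not None and rule["iface"] != pkt.in_iface:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    return True


def verdict(rules, pkt: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for text in rules:
        rule = parse_rule(text)
        if matches(rule, pkt):
            return rule["target"]
    return policy


# Slide 21: rules keyed on interface name only; eth0 is the WAN side.
INTERFACE_ONLY = ["-A INPUT -i eth0 -j DROP", "-A INPUT -j ACCEPT"]
# Slide 81: additionally refuse LAN-side packets addressed to the router's public range.
WITH_DST_MATCH = ["-A INPUT -i eth1 -d 172.69.0.0/16 -j DROP"] + INTERFACE_ONLY

# Constructed packet: LAN host -> router's WAN address inside the slides'
# 172.69.0.0/16 placeholder range.
LAN_SYN_TO_WAN_IP = Packet("eth1", "192.168.1.100", "172.69.0.8")


if __name__ == "__main__":
    print("interface-only rules:", verdict(INTERFACE_ONLY, LAN_SYN_TO_WAN_IP))   # ACCEPT
    print("with -d match:      ", verdict(WITH_DST_MATCH, LAN_SYN_TO_WAN_IP))   # DROP
```

The added rule has to come first, because the interface-only ruleset already accepts everything that is not on eth0; ordinary administration to 192.168.1.1 on eth1 still matches only the final ACCEPT. The slide-83 host rule uses the same syntax and parses the same way, with no interface match at all.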
