This is the second of the three-part blog “How easy can it get?”
Pen-testing is a skill acquired only through experience, and experience is gained through the mistakes one has made.
Many of us, administrators and IT heads included, have always stressed IT security and the hardening of infrastructure (servers, devices and so on), but rarely do we put any of it to the test. Whenever we deploy a device, we should keep the basic rule of thumb about “Information” in mind and ask ourselves: is the information this device/application/appliance provides leaking out? A misconfigured firewall rule can play havoc with any organization, especially now that services like ShodanHQ and Google hand out that information from their caches and spider bots.
In this second installment we give a small preview of two aspects:
1: Information leaks
2: Ease of information retrieval.
ShodanHQ is a search engine for routers, SNMP devices, FTP servers and telnet services. These services are identified by their banners and GET responses. A search can be narrowed by country, device or subnet, and every response received is logged into a database.
Routers, which until now were part of the network but never within the scope of the IDS/IPS or firewall, will be targeted.
These devices are the gateways to your network, protected by a password, and sometimes by a default password that the admin never changed.
SNMP devices: these are the heart of a network, providing vital statistical information.
Servers (FTP/HTTP): these are identified by their banners and GET responses; the same information is available using Nmap.
Using a search engine for the basic recon is far more viable than doing a subnet scan.
Scanning a subnet means presenting your IP address to the target's logging mechanism, and to avoid being logged users may try various evasive methods, all just to retrieve basic information about the devices and services present on a network.
With a search engine presenting the necessary information to you, the primary task shrinks considerably.
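What the “logging mechanism” sees when someone does scan the subnet, as an added example that is not part of the original post: a few firewall log lines in the iptables LOG format are constructed inline, and a sliding-window check flags any source that touches many distinct host:port targets in a short time. The window and port threshold are assumptions to tune per network.

```python
"""Flag sources that probe many ports on our network in a short window,
from iptables-style firewall log lines.
Added example, not part of the original post; the log lines are
constructed and the window/threshold values are assumptions."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the fields we need from a kernel LOG line (timestamp has no year).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: one host sweeping seven ports in three seconds,
# one ordinary client retrying HTTPS.
SAMPLE_LOG = """\
Nov 25 10:15:01 gw kernel: [1.0] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44123 DPT=21 SYN
Nov 25 10:15:01 gw kernel: [1.1] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44124 DPT=22 SYN
Nov 25 10:15:02 gw kernel: [1.2] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44125 DPT=23 SYN
Nov 25 10:15:02 gw kernel: [1.3] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=44126 DPT=80 SYN
Nov 25 10:15:03 gw kernel: [1.4] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=UDP SPT=44127 DPT=161
Nov 25 10:15:03 gw kernel: [1.5] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=44128 DPT=443 SYN
Nov 25 10:15:04 gw kernel: [1.6] IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=44129 DPT=8080 SYN
Nov 25 10:16:30 gw kernel: [2.0] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=51000 DPT=443 SYN
Nov 25 10:16:31 gw kernel: [2.1] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=51001 DPT=443 SYN
Nov 25 10:16:35 gw kernel: [2.2] IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.11 LEN=60 PROTO=TCP SPT=51002 DPT=443 SYN
"""


def detect_scans(log_text: str, window: timedelta = timedelta(seconds=30),
                 min_targets: int = 5) -> dict[str, dict]:
    """Return, per flagged source, the peak number of distinct (dst, proto, port)
    targets seen inside any `window` and the full list of targets it touched."""
    events: dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a firewall LOG line
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events[m["src"]].append((ts, (m["dst"], m["proto"], int(m["dpt"]))))

    flagged: dict[str, dict] = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            peak = max(peak, len({t for _, t in evs[start:end + 1]}))
        if peak >= min_targets:
            flagged[src] = {"peak_targets_in_window": peak,
                            "targets": sorted({t for _, t in evs})}
    return flagged


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(src, info)
```

A real deployment would read the lines from syslog and keep per-source state across batches; the point here is that a subnet scan stands out in a handful of log lines, which is exactly why an attacker prefers to let a search engine do the scanning.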
Added on 03.11.2010
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="UPS SNMP/HTTP Agent"
Description: Multiple Server Shutdown
Device: Liebert Pro II, 203.x.y.z
Added on 04.07.2010
Liebert Pro II Card v5.21 (SN 112000xxxxxxx)
Description: The OpenComms Web Card installed in a UPS may be used with MultiLink software, providing unattended graceful operating system shutdown.
Added on 25.11.2010
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="mtnlbroadband"
Server: RomPager/4.07 UPnP/1.0
Note: Based on the router model there are lots of things a user can do, including traffic sniffing. This requires expertise and excellent networking knowledge.
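Notice that two of the three results are 401 responses: the device asked for a password and still told the whole Internet what it is, because the Basic auth realm and the Server header are sent before any authentication happens. The following is an added example, not code from the original post or from Shodan, showing how little is needed to turn such banners into a device inventory. The fingerprint table is an assumption built only from the banners quoted above, and the banners and IP addresses are constructed samples.

```python
"""Classify devices from the head of an HTTP response, the way a banner
search engine does. Added example, not part of the original post; the
fingerprint table and sample banners are constructed from the banners
quoted in this post plus one ordinary web server for contrast."""
from __future__ import annotations
import re

# Constructed sample banners keyed by a (documentation-range) IP address.
SAMPLE_BANNERS = {
    "203.0.113.10": (
        "HTTP/1.0 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="UPS SNMP/HTTP Agent"\r\n'
        "Content-Type: text/html\r\n\r\n"
    ),
    "203.0.113.11": (
        "HTTP/1.0 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="mtnlbroadband"\r\n'
        "Server: RomPager/4.07 UPnP/1.0\r\n\r\n"
    ),
    "203.0.113.12": (
        "HTTP/1.0 200 OK\r\n"
        "Server: Apache/2.2.3 (CentOS)\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
}

# Assumed fingerprint table: (header name, regex on its value, device label).
FINGERPRINTS = [
    ("www-authenticate", r"UPS SNMP/HTTP Agent", "UPS management card"),
    ("server", r"RomPager/", "embedded router/modem web server (RomPager)"),
]


def parse_head(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response head into (status line, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


def realm_of(headers: dict[str, str]) -> str | None:
    """Extract the Basic auth realm, which often names the product."""
    m = re.search(r'realm="([^"]*)"', headers.get("www-authenticate", ""), re.IGNORECASE)
    return m.group(1) if m else None


def fingerprint(raw: str) -> dict:
    """Return what a banner search engine would record for one response."""
    status, headers = parse_head(raw)
    parts = status.split()
    code = parts[1] if len(parts) > 1 else ""
    labels = [label for hdr, pat, label in FINGERPRINTS
              if re.search(pat, headers.get(hdr, ""), re.IGNORECASE)]
    return {
        "status_code": code,
        "auth_required": code == "401",
        "realm": realm_of(headers),
        "server": headers.get("server"),
        "device": labels[0] if labels else "unknown",
    }


def classify_all(banners: dict[str, str] = SAMPLE_BANNERS) -> dict[str, dict]:
    return {ip: fingerprint(raw) for ip, raw in banners.items()}


if __name__ == "__main__":
    for ip, info in classify_all().items():
        print(ip, info)
```

The same function run over your own externally visible addresses is a cheap self-audit: anything that comes back with a product name in the realm or Server header is already in somebody's database.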
Botnets and malware of the Stuxnet class may use services like this to shrink their target-scanning footprint, or may build their own infrastructure to store and use such data. In the age of information warfare this is the most viable option for any entity whose primary goal is a database of information leaked by devices, and it is not a difficult task when Nmap is around.
Google Hacks or Google Dorks
Many hackers use Google to find vulnerable web pages and later exploit those vulnerabilities. But since this blog is not about web server configuration bloopers, we will stick to device discovery.
A small example on Web-Server Configuration bloopers:
This example was chosen because it is one of the oldest and most documented configuration errors a web admin can commit, yet you will still find loads of systems whose administrators are blissfully unaware of it. Look for directory listings, i.e. result entries starting with “Index of”. The FrontPage _vti_pvt directory contains an interesting file with the extension .pwd. A little playing around with Google’s advanced search options may fetch you results for .pwd files inside _vti_pvt directories.
This snooping was possible because the web administrator used the default configuration and was not bothered about security.
Now, back to device discovery, using Google.
intitle:"Live View / - AXIS" | inurl:view/view.shtml^
The search above matches on the web page title, which is set by the security camera's own application, or on the path of its live-view page.
The first result from the search belongs to an airport. Nothing more needs to be said about IT security awareness, as airports are supposed to be highly secure areas. Hopefully this airport’s network administrator rectifies this.
A simpler mitigation would be to change the title of the web page, so that even if a search engine has cached the page, a normal title search will not return a hit. Note what that does and does not buy you: it only hides the device from title-based searches, the inurl: half of the search above still matches the path, and a banner scanner of the ShodanHQ kind reads the response directly and is not fooled at all. The real fix is to keep the camera off the public Internet, or at least behind authentication that does not announce the product name.
It seems that, in order to enhance looks, readability and product identity, appliance makers contribute to device discovery and information leaks in a big way.
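To make the title advice concrete, the following is an added example (not code from the original post or from any camera vendor) that checks a device page against the two halves of the search quoted above and reports whether a cooperating crawler has even been told not to index it. The three sample pages are constructed: the factory page, the same page with only the title changed, and a page that also sets a noindex directive. The title and path patterns are taken from the search in this post; everything else is an assumption.

```python
"""Would this device page be found by the title/path search quoted in the
post, and does it at least carry a noindex directive?
Added example, not part of the original post; sample pages are constructed."""
from __future__ import annotations
import re
from html.parser import HTMLParser

# Patterns lifted from the Google search quoted in this post.
KNOWN_TITLE_PATTERNS = [r"Live View\s*/\s*-\s*AXIS"]
KNOWN_PATH_PATTERNS = [r"view/view\.shtml"]


class _Probe(HTMLParser):
    """Collects the <title> text and any <meta name="robots"> directive."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.robots_meta = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots_meta = (a.get("content") or "").lower()

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def assess(path: str, headers: dict[str, str], html: str) -> dict:
    """Report exposure of one page to a title/path search engine query."""
    probe = _Probe()
    probe.feed(html)
    hdr_robots = {k.lower(): v.lower() for k, v in headers.items()}.get("x-robots-tag", "")
    noindex = "noindex" in hdr_robots or "noindex" in probe.robots_meta
    title_hit = any(re.search(p, probe.title, re.IGNORECASE) for p in KNOWN_TITLE_PATTERNS)
    path_hit = any(re.search(p, path, re.IGNORECASE) for p in KNOWN_PATH_PATTERNS)
    return {
        "title": probe.title.strip(),
        "title_matches_dork": title_hit,
        "path_matches_dork": path_hit,
        "noindex": noindex,
        # A crawler that honours robots directives drops noindex pages; a banner
        # scanner ignores them, so this says nothing about Shodan-style discovery.
        "findable_by_search_engine": (title_hit or path_hit) and not noindex,
    }


# Constructed samples: factory page, title-only change, title change plus noindex.
DEFAULT_PAGE = ("/view/view.shtml", {"Content-Type": "text/html"},
                "<html><head><title>Live View / - AXIS 210</title></head><body>cam</body></html>")
TITLE_ONLY_PAGE = ("/view/view.shtml", {"Content-Type": "text/html"},
                   "<html><head><title>cam-01</title></head><body>cam</body></html>")
HARDENED_PAGE = ("/view/view.shtml", {"Content-Type": "text/html", "X-Robots-Tag": "noindex, nofollow"},
                 '<html><head><title>cam-01</title><meta name="robots" content="noindex"></head><body>cam</body></html>')

if __name__ == "__main__":
    for name, page in (("default", DEFAULT_PAGE), ("title only", TITLE_ONLY_PAGE), ("hardened", HARDENED_PAGE)):
        print(name, assess(*page))
```

The middle case is the one to take away: renaming the page leaves the inurl: half of the dork matching, so a title change on its own is cosmetic. Even the last case only keeps well-behaved crawlers away; a device that should not be reachable from the Internet should simply not be reachable from the Internet.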
Discovering a device is the first step; gaining access is the second. Many of these devices do not even offer password protection, and for those that do, we will rely on default (factory) passwords, which are retrieved using search engines.
What does an admin do when the password is lost and was never changed from the default? Starts the browser, goes to google.com and searches for “default password” plus the device name.
If the admin has changed the password, the hope is that the appliance has left a backdoor open, or some alternate method of gaining legitimate access to and control of the device.
Searching for “default password dlink” or “default password netgear” will provide enough links to find the right answer.
Shown below is a screenshot of a router’s login page with the default password already filled in by the appliance itself. This appliance is supplied by one of the most renowned ISPs to all its customers and is manufactured by one of the most reputed router makers.
The last entry of this multi-part blog will demonstrate a live hack and a few scenarios based on the information retrieved through these searches.