This is the last installment of the multipart blog titled: How easy can it get?
*WARNING* – The contents of this post are for educational purposes only; this information is provided with the intention that it be used for securing devices and the network.
As we will be demonstrating live hacks, we first need to understand the network layout and the attack vectors before we go ahead.
The above figure represents a typical secured network. This is the basic layout, and the architecture differs only with respect to the resources available to the organization: some organizations may add VLAN devices, others may add managed switches, and others may deploy their servers in a data center, but the basic architecture never changes.
A router and a line modem will always sit before the IDS/IPS and firewall. Some organizations redirect the router logs to a different server. In the case of a CPE hack (which we will be demonstrating), an IPS/IDS or firewall would in a few cases be a mute spectator, and in the majority of cases these security devices would be totally unaware.
We all depend on logs and threshold alarms, so most administrators will remain in the dark when an attack on these devices takes place.
We will be referencing this diagram quite often in upcoming blog entries; sometimes we will just add an extension diagram to provide a granular view of the various attacks.
Let us revisit the diagram, ponder over the placement of the hub, and ask ourselves a question: what is the role of the hub in a network hosting high-end devices and systems?
Well, a hub is a device which broadcasts the network traffic, and this traffic is then analyzed by the IPS/IDS appliances or applications. Some organizations deploy the IDS/IPS and firewall on a single appliance; in such scenarios, the hub disappears from the picture.
Routers are devices which allow inter-connectivity between two or more physically different networks, e.g. a wireless router allowing connectivity between a wired network and a wireless network. An IPS/IDS can never be deployed before a router, and if someone even tries to, they will have to restructure the complete ISP network.
A router provides a variety of features for traffic management, which include traffic redirection, tunneling and access control lists.
A mis-configured router, depending on its placement in the network, can cause greater damage than ever imagined, e.g. the YouTube hijack of Feb 25, 2008.
Scenario No. 1:
If your BGP router has a default password, or some unknown entity brute-forces this router or exploits a known vulnerability, takes control of the router and changes its configuration, then you will have another YouTube being redirected to a totally different site. Does this sound easy? Well, no; it is rather difficult to do this, unless and until you have access and mess up the routing table, in which case it becomes quite easy.
Coming back to the click-and-hack topic, let us follow the steps below:
1: ShodanHQ: search for the mtnlbroadband keyword.
MTNL Broadband is an ISP providing ADSL connections. Along with their telephone line connection they also provide broadband routers manufactured by D-Link. There are a few parameters we shall utilize:
A: The username used by these routers to log on to the PPPoA network.
B: Dynamic DNS. Dynamic DNS is a service for mapping an IP address to a fully qualified domain name. Since most ADSL connections have dynamic IP addresses, the services of Dynamic DNS are used to bind this IP address to a domain name which we can remember.
C: The default usernames and passwords for D-Link DSL routers.
2: We select any device retrieved by ShodanHQ and open it in our browser at http://IP_Address.
3: In the meanwhile, we access Google and search for the default password of the device model shown in the ShodanHQ list.
* In our research, we found that 9 out of 10 devices had default passwords.
The IP address of the router, when searched using any of the IP location lookup services, was from the city of New Delhi.
The next step is to access the telephone directory of New Delhi; a simple search with the procured username gives us the actual geographical location of this CPE.
* To protect the identity, we have masked the usernames, IP addresses and the geographical address.
There are many IP-address-to-geolocation approximation services; they rely on the information provided by the ISPs for the subnets hosted, but this is the only proof of concept to ever exist which demonstrates the ease with which it is possible to pinpoint the exact location of an IP address. Investigation agencies may find this post useful.
Worst-case scenarios in which a user is able to pinpoint the location of an IP address are numerous, and we might end up writing a complete book on them.
Had the user been a little more careful, it would have been very difficult to pinpoint the exact geographical location of this IP address.
Based on the model of the router, there are many things that can be done, right from hijacking the traffic to denial of service.
In our research we have found numerous devices with default passwords, so it shouldn’t surprise you when we stress default passwords.
Someone searches for UPS devices, retrieves the default password and utilizes it to gain access. Then? Modern-day UPSs provide remote server shutdown as a feature; nothing more to say.
Someone diverts SMTP traffic to a pre-installed open-relay server out in the wild. Not possible?
Very much possible …
1: Default passwords: change them. Maintain a policy that specifically handles the peripheral devices of your network.
2: Protect your router in the same manner you would protect your database server. Hopefully, the router OS is not vulnerable to other forms of attack.
3: SNMP devices: never publish them on the Internet; use a VPN instead.
4: Apply the rule of thumb on “Information” effectively when publishing your servers on the Internet and on the LAN.
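The post notes above that the IDS/IPS sit behind the router, so administrators have only the router's own logs and threshold alarms to go on, and the list just given asks for the router to be protected like a database server. As an added example (not from the original post), here is a small Python check over constructed, syslog-style CPE log lines that flags the patterns this walkthrough relies on: an admin interface answering on the WAN side, a burst of failed logins, a success that follows failures (a guessed or default password), and a configuration change after a WAN-side session. The log message format and the LAN subnet 192.168.1.0/24 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of router syslog lines; the message format and LAN subnet are assumptions.
SAMPLE_LOGS = """\
2008-03-01T10:00:01 cpe-01 login: failed login for admin from 203.0.113.7 (http)
2008-03-01T10:00:03 cpe-01 login: failed login for admin from 203.0.113.7 (http)
2008-03-01T10:00:05 cpe-01 login: failed login for admin from 203.0.113.7 (http)
2008-03-01T10:00:07 cpe-01 login: successful login for admin from 203.0.113.7 (http)
2008-03-01T10:01:10 cpe-01 config: DNS server list changed by admin
2008-03-01T10:05:00 cpe-02 login: successful login for admin from 192.168.1.20 (http)
2008-03-01T10:40:00 cpe-03 login: failed login for admin from 198.51.100.9 (telnet)
"""
LAN_NET = ip_network("192.168.1.0/24")   # assumed LAN side of the CPE; anything else is WAN-side
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<fac>\w+): (?P<msg>.*)$")
LOGIN_RE = re.compile(r"(successful|failed) login for (\S+) from (\S+) \((\w+)\)")
BRUTE_THRESHOLD, BRUTE_WINDOW = 3, timedelta(seconds=60)


def analyse(log_text):
    """Return (host, rule, detail) findings for admin-interface activity on CPE routers."""
    findings, wan_logged_in = [], set()
    failures = defaultdict(list)            # (host, src) -> timestamps of failed logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, fac, msg = datetime.fromisoformat(m["ts"]), m["host"], m["fac"], m["msg"]
        if fac == "login" and (lm := LOGIN_RE.match(msg)):
            result, user, src, svc = lm.groups()
            wan_side = ip_address(src) not in LAN_NET
            if wan_side:
                # Rule 1: the management interface is answering to the WAN at all.
                findings.append((host, "wan_mgmt_exposed", f"{svc} login by {user} from {src}"))
            if result == "failed":
                attempts = failures[(host, src)]
                attempts.append(ts)
                if sum(ts - t <= BRUTE_WINDOW for t in attempts) == BRUTE_THRESHOLD:  # rule 2: burst
                    findings.append((host, "brute_force", f"{BRUTE_THRESHOLD} failures from {src}"))
            else:
                if failures.get((host, src)):
                    # Rule 3: success right after failures suggests a guessed (or default) password.
                    findings.append((host, "success_after_failures", f"{user} from {src}"))
                if wan_side:
                    wan_logged_in.add(host)
        elif fac == "config" and host in wan_logged_in:
            # Rule 4: configuration changed after a WAN-side admin session.
            findings.append((host, "config_change_after_wan_login", msg))
    return findings
```

Run against the sample, cpe-01 yields all four rule types, cpe-03 only the exposure finding, and the LAN-side login on cpe-02 is silent.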