Upload
tiago-henriques
View
3.665
Download
4
Tags:
Embed Size (px)
Citation preview
Codebits 2012
T.H.,J.F.,T.M.,F.R.
@PTCoreSec
HOW TO DOMINATE A COUNTRY.
WHAT ARE YOU ?We are:• Security Researchers• Security enthusiasts• Students, corporate sheep (read: auditors),
programmers, pentesters• Beer lovers We are not:• Lulzsec• Anonymous• Hacking group• And no we wont help you hack you girlfriends facebook!
• Ok… that depends on the amount of beer involved!
WHO ARE YOU ?
• Tiago Henriques• Team founder and leader @ PTCoreSec• Pentester/Researcher @ 7Elements• @Balgan
• Tiago Martins• Team vice-founder @ PTCoreSec• Researcher • @Gank_101
• Filipe Reis• Programmer @ PTCoreSec• Intern @ Layer8• @fjdreis
• Jean Figueiredo• Network security researcher @ PTCoreSec• Netsec admin @ Tecnocom• @klinzter
WHO ARE YOU ?
TOPICS
WE ARE NOT
RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS PRACTICED BY YOU OR ANYONE THAT LEARNS SOMETHING FROM TODAY’S PRESENTATION.
CAUSING CHAOS.
Q:If you guys were an attacker that was out to cause real damage or get profit, how would you go on about it ?A:This is what we would do, control as many machines in that country, penetrate critical systems and get as much intel/info as possible.
CAUSING CHAOS.
And that’s what we are gonna talk about today!
HOW IT ALL GOT STARTED
We’re hackers! We love knowing how to break things and how others would go on about breaking things!
The difference between us and others is simple:
• We want to break things legally and find a way to fix things.• We want to learn about new things and help people.
PORT SCANNING….
HOW IT ALL GOT STARTED
We saw some talks that really inspired us given by two great people
HD Moore Fyodor
HOWEVER…We also ran into a bit of a problem…
Portscanning might or might not be illegal in Portugal!
No one is actually sure, and we talked with multiple people:• Police• Sysadmins• Researchers• Security professionals
WHAT TO DO ?• So, if you can’t port scan, how do u find out what ur enemies attack
surface is ?
• How do u know out if the entire infrastructure u rely on everyday is vulnerable or safe?
• Security by obscurity? Right that works well….
But like I said before…we’re hackers, so we hacked the law and rules and bent them to our favor!
WHAT TO DO ?
• Port scanning isn’t illegal in 2 nice places! Sweden and USA!
• So we got 2 friends of ours who knew nothing of portscanning and wanted to learn, taught them how to portscan the big internets, and then they sent the raw results to us…
PORT SCANNING
• Tools of the trade:• Nmap• Wkhtmltoimage• Python• Scapy• Linux• NodeJS• MongoDB• C• Redbull + Lots of nights awake +
Frustration
PORT SCANNING - PROCESS
1. Get Portugal’s CIDRs
2. Decide on a set of services you consider important
3. Check which ip’s have those port’s open
4. Check versions running of those services
Actual scanning.
PORT SCANNING - PROCESS
1. Get Portugal’s CIDRsThere are two places where you can get these:
• http://software77.net/geo-ip/
• ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest2.80.0.0/145.43.0.0/185.44.192.0/205.158.0.0/185.159.216.0/215.172.144.0/2131.22.128.0/1737.28.192.0/1837.189.0.0/1646.50.0.0/1746.182.32.0/2146.189.128.0/1762.28.0.0/1662.48.128.0/18
62.48.192.0/1862.169.64.0/1862.249.0.0/1977.54.0.0/1677.91.200.0/2178.29.128.0/1878.130.0.0/1778.137.192.0/1879.168.0.0/1580.172.0.0/1680.243.80.0/2081.20.240.0/2081.84.0.0/1681.90.48.0/20
81.90.48.0/2081.92.192.0/2081.92.208.0/2081.193.0.0/1682.102.0.0/1882.154.0.0/1583.132.0.0/1683.144.128.0/1883.174.0.0/1883.223.160.0/1983.240.128.0/1784.18.224.0/1984.23.192.0/1984.90.0.0/15
PORT SCANNING - PROCESS
2. Decide on a set of services you consider importantID Port Number TCP/UDP Service
1 80TCP http2 443TCP https3 8080TCP http alternative4 21TCP FTP5 22TCP SSH6 23TCP Telnet7 53UDP DNS8 445TCP Samba9 139TCP Samba
10 161UDP SNMP
11 1900UDP UPNP12 2869TCP UPNP13 5353UDP MDNS14 137TCP Netbios15 25TCP SMTP16 110TCP POP317 143TCP IMAP18 3306TCP Mysql19 5900TCP VNC Server20 17185UDP VoIP21 3389TCP Rdesktop22 8082TCP TR 069
PORT SCANNING - PROCESS
3. Check which ip’s have those port’s open
4. Check versions running of those services
This is where it get’s tricky!
PORT SCANNING - PROCESS• Portugal on the internet….
5,822,240 allocated ip’s
Dynamic ips
GPRS
PORT SCANNING - PROCESS• So as we mentioned, we devided the actual scanning into two parts!
And you might be wondering why…
Common nmap scan for TCP
nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN
The problem of this, is that DNS resolution and –sV (Service detection) are very slow.
So how do we solve this problem? We obviously want the domains the ips are associated with, and the versions of the services running.
PORT SCANNING - PROCESS• Do the fast things on the 6 mil ips and then do the slow stuff merely
on the ips that are running the service we want to analyse.• nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21
-T5 -PN --host-timeout 1501 –min-hostgroup 400 --min-parallelism 10 -n
• Then we will have the list of ips that have FTP running on port 21 on 3 files:
• Port21-FTP.xml• Port21-FTP.gnmap• Port21-FTP.nmap
• Extract ips from gnmap:
cat port21-FTP.gnmap | grep -w "21/open" | awk '{print $2}' > IPSWITHFTP.TXT
PORT SCANNING - PROCESS• Do the show things only the ips that have our service running.
• nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 –min-hostgroup 400 --min-parallelism 10
• Then we will have the list of ips that have FTP running on port 21 AND the version of those services on 3 files:
• Port21-FTP-FINAL.xml• Port21-FTP-FINAL.gnmap• Port21-FTP-FINAL.nmap
PORT SCANNING - PROCESS• However…we still have UDP… and let me tell u….
PORT SCANNING - PROCESS
Nmap also has a UDP mode… -sU however it doesn’t work very well without -sV (read: its shit!), when testing it on our lab we noticed that most of the times nmap wasn’t able to detect if there was a service running or not.
The reason for this is: “UDP scanning is slow as open/filtered ports typically don't respond so nmap has to time out and then retransmit whilst closed ports will send a ICMP port unreachable error, which systems typically rate limit.”
When we started, it took us around 4 Weeks to scan UDP on the entire country on 1 port….
PORT SCANNING - PROCESSSolution ?
SCAPY!
Service running on port:11111
Server
Client
PORT SCANNING - PROCESS
Result of that script ?On lab testing….
PORT SCANNING - PROCESS
Result of that script ?On internet testing….
PORT SCANNING - PROCESS
When we started, it took us around +4 Weeks to scan UDP on the entire country on 1 port using NMap…. -We took this as a baseline first run to improve…
Our second run, we used python+scapy and it went down!! 1 week – well not bad for a second run, but 1 week for a port ?
Our third run, we used python+multithreading fu + scapy + blackmamba – 3 days – and this was the best we brought it down to without bringing in the big guns (read: “asking HD Moore for help”)
Forth run – C
Yup entire .pt (1 port ) scanned in 4 minutes and 45 seconds.
PORT SCANNING - END
So we had our kick ass friends, send us our kick ass raw results… now what do we do with them ?
PORT SCANNING - END
Terminals are fun, BUT we want an easier way to look at our data…
So…. We wrote a tool:Presenting for the first time: Nmap Query Center!
PORT SCANNING - END
DEMO TIME!
Mongo DB NodeJS
ExpressSocket.ioNodeJS
Scan Importer
Nmap Minion
Store processed scan data
Process raw nmap data to json so we can better process the information
Show all the pretty data to the client
Nmap scans run here
PORT SCANNING - END
Well that’s it folks…Thank you for coming
PORT SCANNING – END
Just kidding! We did promise a few more things didn’t we ?
PORT SCANNING – THE PROJECT
While we were preparing for codebits…
We received something in the mail….
PORT SCANNING – THE PROJECT
Raspi
PORT SCANNING – THE PROJECT
And it got us thinking…
Port scanning, doesn’t require a great CPU, nor a huge amount of ram…
PORT SCANNING – THE PROJECT
So we decided to create a distributed port scanning project…
PORT SCANNING – THE PROJECT
We grabbed the
And added a custom set of scripts to it…
PORT SCANNING – THE PROJECT
PORT SCANNING – HOW DOES IT WORK?
Step 1 – PTCoreSec admins request a job (scan) on the backend.
Step 2 – Server side checks current number of live raspi minions.
Step 3 – Server divides de CIDRS by the different clients and sends them over.
Step 4 – Clients (minions) do the scans and XMLRPC send them back to the server.
Step 5 – Server imports these scans into the MongoDB backend.
Part 2
BUSINESS
When a client asks for a pentestWe present them with these
BUSINESS
BUSINESS
BUSINESS
BUSINESS
And that’s all really neat and pretty, however there are 2 problems with that! These guys don’t give a f***.
Management Blackhats
FOCU
S
MANAGEMENTCares about:
• Money• Money• Money
Does:• Will lie for PCI DSS/ISO27001/{Compliance}• Approves every single thing even if it doesn’t
match security department goals but gets them moneys.
This shit gives us, security peeps, headaches!
BLACKHATS
I managed to acquire video footage that shows these guys in action and their vision of the world, lets have a sneek peek!
VIDEO - BLACKHATS
I ASK ONLY ONE THING OF U
Leave your whitehats at home, and
SHODAN
SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners.
Another way of putting it would be:
Is the
Of these
Now combine this:
With these:
And you get a lot of these
Also if you do anything ilegal and get caught, you’ll get one of these:
SHODAN
Now its when u ask
SHODAN
http://www.shodanhq.com/
SHODAN
Accessing that website will give u a bar, where you can type queries and obtain results.
Your queries, can ask for PORTS, Countries, strings contained in the banners, and all sorts of other things
Following is a sample set of queries that can lead to some interesting results:
SHODAN QUERIES
• http://www.shodanhq.com/?q=cisco-IOS• http://www.shodanhq.com/?q=IIS+4.0• http://www.shodanhq.com/?q=Xerver• http://www.shodanhq.com/?q=Fuji+xerox• http://www.shodanhq.com/?q=JetDirect• http://www.shodanhq.com/?q=Netgear• http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22• http://www.shodanhq.com/?q=Golden+FTP+Server
SHODAN QUERIES + COMBINED COUNTRY?AWESOME!
Saturday, 9th of June 2012
SHODAN QUERIES + COMBINED COUNTRYPort: 3306 country:PT
SHODAN QUERIES + COMBINED COUNTRY?AWESOME!
Wednesday, 6th of June 2012
SHODAN QUERIES + COMBINED COUNTRYBigIP country:PT
SHODAN QUERIES + COMBINED COUNTRY?AWESOME!
Tuesday, March 13, 2012
SHODAN QUERIES + COMBINED COUNTRYport:3389 -allowed country:PT
SHODAN QUERIES + COMBINED COUNTRY?AWESOME!
SHODAN QUERIES OF AWESOMENESSSAP Web Application Server (ICM)
Worldwide
Portugal
SHODAN QUERIES OF AWESOMENESSSAP NetWeaver Application Server
Worldwide
Portugal
SHODAN QUERIES OF AWESOMENESSSAP Web Application Server
Worldwide
Portugal
SHODAN QUERIES OF AWESOMENESSSAP J2EE Engine
Worldwide
Portugal
SHODAN QUERIES OF AWESOMENESS
SHODAN QUERIES OF AWESOMENESSport:23 country:PT
Worldwide
Portugal
SHODAN QUERIES OF AWESOMENESSport:23 country:PT
Username:adminPassword:smcadmin
SHODAN QUERIES OF AWESOMENESSport:23 list of built-in commands
Worldwide
Not a big number, however just telnet in and you get shell…
SHODAN QUERIES OF AWESOMENESSport:161 country:PT
Worldwide
Portugal
SHODAN QUERIES OF AWESOMENESSWhat sort of info do I get with SNMP ?
• Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2 • Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2 • Windows SYSTEM INFO 1.3.6.1.2.1.1.1 • Windows HOSTNAME 1.3.6.1.2.1.1.5 • Windows DOMAIN 1.3.6.1.4.1.77.1.4.1• Windows UPTIME 1.3.6.1.2.1.1.3 • Windows USERS 1.3.6.1.4.1.77.1.2.25• Windows SHARES 1.3.6.1.4.1.77.1.2.27• Windows DISKS 1.3.6.1.2.1.25.2.3.1.3• Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1• Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0• Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
SHODAN QUERIES OF AWESOMENESSWhat sort of info do I get with SNMP ?
• Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2 • Linux SYSTEM INFO 1.3.6.1.2.1.1.1 • Linux HOSTNAME 1.3.6.1.2.1.1.5 • Linux UPTIME 1.3.6.1.2.1.1.3 • Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3 • Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4 • Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0 • Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
SHODAN QUERIES OF AWESOMENESSWhat sort of info do I get with SNMP ?
• Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8 • Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2 • Cisco SYSTEM INFO 1.3.6.1.2.1.1.1 • Cisco HOSTNAME 1.3.6.1.2.1.1.5 • Cisco SNMPcommunities 1.3.6.1.6.3.12.1.3.1.4 • Cisco UPTIME 1.3.6.1.2.1.1.3 • Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1 • Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18 • Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2 • Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5 • Cisco LOGMESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5 • Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2 • Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
SHODAN QUERIES OF AWESOMENESS
SHODAN QUERIES OF AWESOMENESScisco country:PT
Worldwide
Portugal
SHODAN QUERIES OF AWESOMENESScisco country:PT
CISCO
CISCO – GRE TUNNELING
SHODAN QUERIES OF AWESOMENESSport:1900 country:PT
Worldwide
Portugal
SHODAN QUERIES OF AWESOMENESS
So, What is UPNP?
SHODAN QUERIES OF AWESOMENESS
So, What uses UPNP?
SHODAN QUERIES OF AWESOMENESS
Hackz
SHODAN QUERIES OF AWESOMENESS
Hackz
SHODAN QUERIES OF AWESOMENESS
UPNP zomg time
SHODAN QUERIES OF AWESOMENESS
UPNP Remote command execution
SHODAN QUERIES OF AWESOMENESS
Oh and by the way…
SHODAN QUERIES OF AWESOMENESS
Another funny thing about UPNP, isthat you can get the MAC ADDR and SSID its using
And then….
SHODAN (MORE INTERESTING) QUERIES
• http://www.shodanhq.com/?q=PLC• http://www.shodanhq.com/?q=allen+bradley• http://www.shodanhq.com/?q=fanuc• http://www.shodanhq.com/?q=Rockwell• http://www.shodanhq.com/?q=Cimplicity• http://www.shodanhq.com/?q=Omron• http://www.shodanhq.com/?q=Novatech• http://www.shodanhq.com/?q=Citect• http://www.shodanhq.com/?q=RTU• http://www.shodanhq.com/?q=Modbus+Bridge• http://www.shodanhq.com/?q=modicon• http://www.shodanhq.com/?q=bacnet• http://www.shodanhq.com/?q=telemetry+gateway• http://www.shodanhq.com/?q=SIMATIC• http://www.shodanhq.com/?q=hmi• http://www.shodanhq.com/?q=siemens+-...er+-Subscriber• http://www.shodanhq.com/?q=scada+RTS• http://www.shodanhq.com/?q=SCHNEIDER
SCADA
SHODAN (MORE INTERESTING) QUERIES
SCADAPORTUGAL?
SHODAN (MORE INTERESTING) QUERIES
SCADA Portugal
SHODAN (MORE INTERESTING) QUERIESSCADA Portugal
SHODAN (MORE INTERESTING) QUERIESSCADA Portugal
SHODAN (MORE INTERESTING) QUERIESSCADA Portugal
SHODAN (MORE INTERESTING) QUERIESCameras…. Simply connected online and without authentication…
If you want to quickly check for stuff (web related) that has no authentication, use NMAP!
A LITTLE TIP…
First, let’s get wkhtmltoimage:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2cp wkhtmltoimage-i386 /usr/local/bin/
Next, let’s get and install the Nmap module:git clone git://github.com/SpiderLabs/Nmap-Tools.gitcd Nmap-Tools/NSE/cp http-screenshot.nse /usr/local/share/nmap/scripts/nmap --script-updatedb
A LITTLE TIP…
Then, do your shodan search and use:
A LITTLE TIP…
This automatically exports a list of ips u can import into nmap
Then…A LITTLE TIP…
And nmap, will automatically take screen shots of the first pages that appear and store them, then u just need to look at those!
A LITTLE TIP…
To end…
OPEN PORTS!
SCARY SHIT!
DEFACE 1 SCARY?
NO!
SCARY SHIT!
DEFACE 2 SCARY?
Well… disturbing, scary? Not so much!
SCARY SHIT!
SCARY SHIT!
SCARY SHIT!
SHODAN – THE BAD PART
• Imports nmap scans from their servers on a rotational basis, so its not always 100% updated! Confirmed this by correlating some of the shodan results with our personal results!
• For example on mysql servers, Shodan would find 785, where our results showed 3000+
SHODAN – THE GOOD PART
• Good querying system
• If port scanning is illegal in your country, you’re out of trouble if u use shodan, because ur just querying data acquired by them.
Kudos
Aaron @f1nuxHD Moore
Girlfriends / Wives
Codebits organization
Resources
http://secanalysis.com/interesting-shodan-searches/
blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
http://www.youtube.com/watch?v=LPgZU7ZNIjQ - Defcon 18 2010 SHODAN for Penetration Testers Michael Schearer
http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation
http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West
Requests
https://www.facebook.com/ptcoresec
Rate our talk @ codebits.eu
Test our toolwww.infosec.ptptcoresec0 jguw8r6msfptcoresec4 k48fg1wj7tptcoresec3 35q4lr2wxqptcoresec2 uhrptvkm28ptcoresec1 pwqc9azmwlptcoresec6 dt9onrpnb8ptcoresec9 l744jjy6g2
ptcoresec7 9on68zqfm5ptcoresec8 xfw9wqqf6f