OWASP AppSec USA 2014 Talk: "Pwning the Pawns with WiHawk" - Santhosh Kumar



Uploaded by: santhosh-kumar

Posted on 09-Jun-2015





DESCRIPTION

Automated solution to the pesky router problem

TRANSCRIPT

1. AppSec USA 2014, Denver, Colorado. Pwning the Pawns with WiHawk: Automated Solution to Pesky Router Problem. Santhosh Kumar, Anamika Singh

2. Introduction: Santhosh Kumar
   - Free infosec supporter | nearsecurity
   - Santhosh Kumar, India. An independent security researcher working on various domains.
   - Acknowledged by IBM, Intel, Microsoft, Cisco, Yahoo & more.
   - Contributor to the WiHawk Router Vulnerability Scanner. Still writes hello world | Eng student.
   - Current work on embedded devices. I run a DEFCON group @ Chennai (DC 602028).
   - @security_b0x, in.linkedin.com/pub/santhosh-kumar/6a/974/8b9
3. Introduction: Anamika Singh
   - Product Security Analyst @ IronWASP Information Security Service Pvt. Ltd.
   - Author of the WiHawk Router Vulnerability Scanner.
   - Speaker @ HITB/Haxpo Amsterdam, Selenium International Conf 14, Ground Zero Sri Lanka, NULLCON Goa & DC Group @ Kerala.
   - @_Anamikas_, in.linkedin.com/pub/anamika-singh/80/4a5/5b5/
4. Red Team vs Blue Team
5. Red Team vs Blue Team
   - How many of you take routers into real penetration testing?
   - Regular firmware upgrade? Alternative firmware? Does your internet work? Remote management enabled?
   - Support from these companies on security issues is pathetic.
   - End of Life is another issue!! I mean, who buys a router every 1.5 years :P seriously?
6. Agenda
   - Introduction
   - Sample Router Analysis
   - Open Source Tools
   - Automation Using WiHawk
   - Alternative Options
   - Post Consequences - Amplification Attacks
7. Just Some Router Problems :P
8. Just Some Router Problems :P
9. Support Contact
10. Only Response You Get..!!!
11. Introduction
12. Post Sales :P
13. Tools for Code Analysis
   - Linux strings / hexdump
   - Interactive Disassembler
   - objdump (GNU toolchain)
   - Radare2
   - FRAK
   - Retargetable Decompiler
14. Best for Analysis
   - Binwalk, firmware analysis tool, binwalk.org
   - Least false positives and magic file headers.
15. Let's Analyze
16. (image only)
17. Analysis
18. Analysis
19. Analysis
20. Analysis
21. Owned..!!!!
22. Vendor Response
   - End of Life for the product?
   - Couldn't identify the issue.
   - North America got 1.0.44 firmware, but it was taken down soon.
   - Change router? Is the Internet working?
   - Netgear WNR1000 is also affected.
23. Next in Line: D-Link DSL 2750u
24. Entropy Analysis
25. Not good
26. Oh Great
27. Outcome of Analysis
   - The following firmware are affected: Billion, TP-Link, Sitecom, Michelangelo, Edimax, Trust, Airline, Topcom (RomPager 4.7 exploit).
   - No patch for certain devices (EOL).
   - Some didn't even bother to respond.
   - Around 25 million routers still vulnerable.
   - Did the Internet work?
28. (image only)
29. Services Are Dangerous Too
   - ASUS suffered a series of FTP-based service flaws.
   - It has disk-enabled space within the router.
   - After the update the service was patched only for active FTP mode. Passive mode continues to work till date.
   - Able to access the entire mounted hard drive.
30. (image only)
31. Owned Again
32. Vendor Response
   - "But we just patched that." "That's the feature."
   - The following models are affected: ASUS RT-N10U, ASUS RT-N56U, ASUS DSL-N55U, ASUS RT-AC66U, ASUS RT-N15U, ASUS RT-N53
   - Is the Internet working?
33. I don't want to go through all of this
34. Router Vulnerability Scanner
35. WiHawk - Router Vulnerability Scanner
   - Make sure your life is easy.
   - https://github.com/santhoshkumar22/Wihawk-SOHO
   - https://ironwasp.org/download.html
   - Functionality: Single IP (example: 192.168.1.1); Range of IP (example: 192.168.1.1-25 or 192.168.1.1/25); Shodan API (Geo Location, City, Country)
36. WiHawk scans routers for:
   - Default Configuration
   - Bypass Authentication
   - TCP32768 / TCP-32767 Backdoor
   - Edit by Joel (Joel's Backdoor)
   - CSRF (VIP)
   - XSS (VIP)
   - Buffer and Stack Overflow (Beta)
   - ROM-0
37. DEFAULT passwords
38. Friendly Neighbourhood Bruteforce :P
39. Spread the Power of Force
40. Default Passwords
   - Maintains a file of unique usernames and passwords.
   - Covers a variety of models from different routers like Linksys, Netgear, Cisco, CNET, Beetel
41. WiHawk Default (flow): WiHawk -> Request -> Target IP; Response 401 -> back to WiHawk; Response 200 -> BINGO! Username: User, Password: pass
42. WiHawk Bypass Authentication
   - WiHawk scans routers for the Bypass Authentication vulnerability.
   - Appends the bypass string to the IP. If the vulnerability is found, prints the IP with the bypass string.
43. WiHawk Bypass Authentication: multiple routers, authBypass
44. WiHawk Backdoor Detection
   - Allows free access to many hosts on the Internet.
   - Allows various remote commands like: remote access to the root shell of routers; file copy.
   - WiHawk checks for backdoors like: TCP backdoor 32764; Edit By Joel backdoor
45. TCP 32764 Backdoor (flow): Port 32764 open? NO -> Port 32764 is not vulnerable. YES -> Create socket -> Write socket -> Check whether the response data starts with "MMcS" or "ScMM" -> Data found? NO -> Port 32764 is not vulnerable. YES -> Port 32764 is vulnerable.
46. WiHawk Rom-0 Attack
   - Rom-0 is a router configuration file.
   - Located at IP/rom-0, and the directory isn't password protected.
   - Configuration file which contains the admin password.
   - WiHawk: checks whether the router is vulnerable to the rom-0 attack; downloads the rom-0 file.
47. Joel's Backdoor
48. Netis/Netcore Backdoor
   - This one was detected back in August 2014.
   - It has this mysterious service running at port 53413.
   - We check if the service is running, then try to connect to it using udpconnect. Seems the reference is A*8+netcorea00
   - Observe the connection using netcat.
   - Another 2 million devices affected by this.
   - Able to reach Netis systems after a long call.
49. WiHawk Interface: Single IP
50. WiHawk Interface: Range of IP (192.168.1.1-25) or (192.168.1.1/25)
51. WiHawk Interface: Shodan API
52. WiHawk is built as an integral part of IronWASP. IronWASP is an open source web security scanner.
53. IronWASP
   - IronWASP is an open source web security scanner. It's one among the best scanners.
   - Checks for more than 25 vulnerabilities.
   - It stands better than commercial scanners in some parameters.
   - Some of the other existing modules are: Drupsnipe, a black box Drupal vulnerability scanner; Skanda, a port scan on a server vulnerable to SSRF.
54. IronWASP Team
55. (image only)
56. Yeah, so?
57. Bigger Threat
   - Routers not only cause data loss but also contribute to a bigger attack.
   - The threat comes as amplification attacks from these unpatched routers.
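The flow on slide 45 reduces to three outcomes: port closed, port open but no signature, port open and the reply starts with one of the two magic strings. The following is an added example written for this page (not WiHawk's code) that walks that flow as a function you can run against routers you administer, so an audit can record which devices still expose the service. The probe payload is a placeholder assumption (the slide does not give the bytes WiHawk sends), and the `FakeRouter` class is a constructed stand-in so the logic can be exercised offline.

```python
import socket
from typing import Callable, Optional

# Reply prefixes named on the slide as the backdoor signature.
BACKDOOR_MAGIC = (b"MMcS", b"ScMM")
BACKDOOR_PORT = 32764


def has_backdoor_signature(data: bytes) -> bool:
    """Decision box from the flowchart: does the reply start with MMcS or ScMM?"""
    return any(data.startswith(magic) for magic in BACKDOOR_MAGIC)


def check_backdoor(host: str, port: int = BACKDOOR_PORT, timeout: float = 3.0,
                   probe: bytes = b"\x00" * 8,  # placeholder payload (assumption)
                   connect: Callable = socket.create_connection) -> str:
    """Walk the slide-45 flow. Returns 'closed', 'not-vulnerable' or 'vulnerable'."""
    try:
        sock = connect((host, port), timeout)      # "Port 32764 open?"
    except OSError:
        return "closed"
    try:
        sock.settimeout(timeout)
        sock.sendall(probe)                        # "Write socket"
        data = sock.recv(16)                       # read the start of the reply
    except OSError:
        data = b""
    finally:
        sock.close()
    if not data:                                   # "Data found?" -> NO
        return "not-vulnerable"
    return "vulnerable" if has_backdoor_signature(data) else "not-vulnerable"


class FakeRouter:
    """Constructed socket stand-in: replies with a canned byte string."""

    def __init__(self, reply: bytes):
        self.reply = reply

    def settimeout(self, t):
        pass

    def sendall(self, data):
        pass

    def recv(self, n):
        return self.reply[:n]

    def close(self):
        pass


def fake_connect(reply: Optional[bytes]) -> Callable:
    """Build a connect() replacement; reply=None simulates a closed port."""
    def _connect(addr, timeout):
        if reply is None:
            raise ConnectionRefusedError("closed")
        return FakeRouter(reply)
    return _connect


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address; the replies are constructed samples.
    samples = [("closed port", None), ("silent service", b""),
               ("backdoor magic", b"MMcS\x00\x00\x00\x00"), ("web server", b"HTTP/1.1 400")]
    for label, reply in samples:
        print(f"{label:15} -> {check_backdoor('192.0.2.1', connect=fake_connect(reply))}")
```

Keeping the signature check in its own function means the same logic can also be applied to captured traffic, for example replies seen by a packet capture on the LAN, without opening any sockets.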
   - Almost 25 million are still open to amplification on various protocols as we speak: DNS, NTP, SMTP etc.
   - Observation was made for 2 months.
58. Observation over a week
59. Over the month
60. Observe
   - We found that most of the traffic from our honey DNS server was directed towards a gaming network owned by a specific corp.
   - Amplification varied from 50 Gbps to 110 Gbps.
   - Looks like someone wants to establish their flag on their networks. | USIS of URAG and ZIRIA
   - 80% of the traffic we got was from routers?
61. Solution:
62. Solution:
   - Firmware updates. Vendors should do extensive testing.
   - If no firmware is available, use open aftermarket firmware like Tomato, DD-WRT, OpenWrt.
   - Defend against purpose domains.
   - ISPs should implement BCP 38 (network ingress filtering), RFC 2827.
   - Network admins: force the use of TCP instead of UDP.
63. It's all about the size
64. Size matters:
65. Factor increase with size
66. Questions?
67. References
   - IronWASP: www.ironwasp.org
   - Links: www.ripe.net, cve.mitre.com, www.BCP38.info, https://github.com/elvanderb/TCP-32764, https://github.com/devttys0/binwalk, 1337day.com, www.exploit-db.com
68. @security_b0x | WWW.NEARSECURITY.NET | @_Anamikas_ - Connect to us
69. Thank you for inviting us
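Slides 57-65 make two linked points: a honey DNS server sees the same spoofed victim address over and over with replies many times larger than the queries (the "factor increase with size"), and BCP 38 / RFC 2827 ingress filtering at the access network would have dropped those queries before they reached any open resolver. The example below is added for this page and is not code from the talk; it parses a handful of constructed honeypot log lines (the field layout is an assumption), reports the per-client amplification factor, and then shows which of those queries an RFC 2827 filter would forward or drop given an assumed customer prefix of 198.51.100.0/24.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed honeypot DNS log (not real data). "client" is the source address on
# the query; in a reflection attack it is the spoofed address of the victim.
LOG_LINES = """\
2014-09-01T10:00:01Z client=203.0.113.7 qname=example.net qtype=ANY req_bytes=60 resp_bytes=3100
2014-09-01T10:00:01Z client=203.0.113.7 qname=example.net qtype=ANY req_bytes=60 resp_bytes=3100
2014-09-01T10:00:02Z client=203.0.113.7 qname=example.net qtype=ANY req_bytes=60 resp_bytes=3100
2014-09-01T10:00:02Z client=198.51.100.20 qname=www.example.org qtype=A req_bytes=45 resp_bytes=61
2014-09-01T10:00:03Z client=203.0.113.7 qname=example.net qtype=ANY req_bytes=60 resp_bytes=3100
2014-09-01T10:00:04Z client=198.51.100.21 qname=mail.example.org qtype=MX req_bytes=47 resp_bytes=120
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+) "
    r"req_bytes=(?P<req>\d+) resp_bytes=(?P<resp>\d+)")


def parse_log(text: str) -> list:
    """Turn the assumed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({"client": m["client"], "qname": m["qname"], "qtype": m["qtype"],
                            "req": int(m["req"]), "resp": int(m["resp"])})
    return records


def amplification_report(records: list, min_factor: float = 10.0, min_queries: int = 3) -> dict:
    """Per client: query count, bytes in/out and amplification factor (resp / req).
    A client is flagged when it repeats queries and the factor is high, which is the
    reflection pattern: the victim never sent those queries, someone spoofed its address."""
    agg = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0})
    for r in records:
        a = agg[r["client"]]
        a["queries"] += 1
        a["req"] += r["req"]
        a["resp"] += r["resp"]
    report = {}
    for client, a in agg.items():
        factor = a["resp"] / a["req"]
        report[client] = {**a, "factor": round(factor, 1),
                          "suspect": factor >= min_factor and a["queries"] >= min_queries}
    return report


def bcp38_verdicts(records: list, assigned_prefixes: list) -> dict:
    """RFC 2827 ingress filtering: an access interface forwards a packet only if its
    source address lies inside the prefixes assigned to that interface."""
    nets = [ip_network(p) for p in assigned_prefixes]
    verdicts = {}
    for r in records:
        src = ip_address(r["client"])
        verdicts.setdefault(r["client"], "forward" if any(src in n for n in nets) else "drop")
    return verdicts


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    for client, row in amplification_report(recs).items():
        print(f"{client:15} queries={row['queries']} factor={row['factor']} suspect={row['suspect']}")
    # Assumed topology: these queries entered via a customer link assigned 198.51.100.0/24.
    for client, verdict in bcp38_verdicts(recs, ["198.51.100.0/24"]).items():
        print(f"BCP38 {client:15} -> {verdict}")
```

The ANY queries for a large zone give a factor above 50, which is the size effect the closing slides refer to; the same records run through the ingress filter show that only the spoofed 203.0.113.7 source is dropped, while the two legitimate customer addresses pass.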