Hacking the Gateways
Onur ALANBEL, TaintAll

whoami
Onur ALANBEL
• Computer Engineer (IZTECH)
• MSc student (EU)
• Application Security Researcher @TaintAll
• onuralanbel.pro
• @onuralanbel
• https://packetstormsecurity.com/search/?q=onur+alanbel

Purpose
• Gathering a variety of valuable information in an effective way.

Purpose
The motivation of an APT is obtaining highly valuable information from one target. In contrast, the motivation of a mass attack is obtaining valuable information from multiple targets.

The Plan
• Deciding targets
• Finding a vulnerability
• Writing (weaponising) the exploit
• Writing mass exploitation scripts
• Running the attack
• Analysing results

Attractive Target: Routers
• Directly accessible from the internet.
• Once you own a SOHO router, you can control the whole traffic.
• No log, stealth: it's really hard for an investigator to find out what is going on.
• They have a long (long, long) update interval.
Easy Target
• Does It have known vulnerabilities?
![Page 18: Hacking the Gateways](https://reader030.vdocument.in/reader030/viewer/2022021422/58ed00881a28abf2798b45e9/html5/thumbnails/18.jpg)
Easy Target
• Does It have known vulnerabilities?
• Does the Vendor have published any security advisory?
![Page 19: Hacking the Gateways](https://reader030.vdocument.in/reader030/viewer/2022021422/58ed00881a28abf2798b45e9/html5/thumbnails/19.jpg)
Easy Target
• Does It have known vulnerabilities?
• Does the Vendor have published any security advisory?
• Are there any third party product/device to mitigate exploitation.
![Page 20: Hacking the Gateways](https://reader030.vdocument.in/reader030/viewer/2022021422/58ed00881a28abf2798b45e9/html5/thumbnails/20.jpg)
AirTies
• Web interface?
![Page 21: Hacking the Gateways](https://reader030.vdocument.in/reader030/viewer/2022021422/58ed00881a28abf2798b45e9/html5/thumbnails/21.jpg)
AirTies
• Web interface?
• TR-069
![Page 22: Hacking the Gateways](https://reader030.vdocument.in/reader030/viewer/2022021422/58ed00881a28abf2798b45e9/html5/thumbnails/22.jpg)
AirTies
• Web interface?
• TR-069
• MiniUPNP (CVE-2013-0230
![Page 23: Hacking the Gateways](https://reader030.vdocument.in/reader030/viewer/2022021422/58ed00881a28abf2798b45e9/html5/thumbnails/23.jpg)

Targets From Turkey

PreScan
• masscan / zmap
• +
• python multiprocessing
• =

The Vulnerability
• Stack overflow, may lead to RCE.
• MiniUPnPd runs on the WAN interface.

Writing the Exploit
• MIPS assembly
• The CPU has separate data and instruction caches, so you can't jump to the stack directly.
• You can't jump into the middle of an instruction, which reduces the number of alternative gadgets when building a ROP chain.
• The MiniUPnPd process restarts if it crashes or hangs.

Writing the Exploit
• MIPS is far easier than x86
• The sleep function may be called to flush the caches.
• No ASLR, so ROP chains can be used.
• ?

Writing the Exploit
• miniupnpd … -P /var/run/miniupnpd.pid

Writing the Exploit
• rm /var/run/miniupnpd.pid
• kill mngr
• fork and execve
• Details: Developing MIPS Exploits to Hack Routers
• Exploit: AirTies RT Series (MIPS)

Bonus Trick
• Chain remote-mgmt-input (1 references)
  target     prot opt source               destination
  DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
  DROP

Bonus Trick
• iptables -A remote-mgmt-input -p tcp -m multiport --dports 23,
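A defender-side check for the firewall change these two slides show, added here as an example and not part of the talk or its exploit: it parses the output of `iptables -L remote-mgmt-input -n` and flags any rule in that chain that lets a management port through instead of dropping it. The sample listing is constructed, and the set of management ports and the default chain name are assumptions.

```python
import re

# Constructed sample of `iptables -L remote-mgmt-input -n` output (not from a real
# device): the original telnet DROP plus an appended permissive multiport rule.
SAMPLE_LISTING = """\
Chain remote-mgmt-input (1 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 23,80
"""

# Assumption: the ports that count as remote management on this device.
MANAGEMENT_PORTS = {22, 23, 80, 443}

# iptables -n prints single ports as "dpt:23", ranges as "dpts:20:25" and
# multiport sets as "dports 23,80" (members may themselves be ranges "20:25").
PORT_RE = re.compile(r"\bdpts?:(\S+)|\bdports (\S+)")


def rule_ports(match_opts):
    """Expand the destination ports named in a rule's match options into a set."""
    ports = set()
    for m in PORT_RE.finditer(match_opts):
        spec = m.group(1) or m.group(2)
        for member in spec.split(","):
            lo, _, hi = member.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def find_exposed_rules(listing, chain="remote-mgmt-input"):
    """Return the rules in `chain` that do not DROP/REJECT a management port."""
    # The chain exists to keep WAN-side management closed, so any permissive rule
    # in it means the firewall state was changed, by an exploit or by misconfiguration.
    exposed = []
    in_chain = False
    for line in listing.splitlines():
        if line.startswith("Chain "):
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or line.startswith("target"):
            continue
        fields = line.split(None, 5)  # target prot opt source destination [match options]
        target = fields[0]
        match_opts = fields[5] if len(fields) > 5 else ""
        if target not in ("DROP", "REJECT") and rule_ports(match_opts) & MANAGEMENT_PORTS:
            exposed.append(line.strip())
    return exposed
```

Run it against the live listing from a cron job or a config-audit script on the device, and treat any returned rule as a sign that the WAN management filter has been altered.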

Bonus Trick
• cat /etc/passwd
• crypt function
• john rootpass.txt

What Have We
• Free Wifi :)
• Botnet army?
• Internet traffic (DNS, GW)
• A big chance to infect connected clients (MITMf)

Next Step
• 0day
• +
• Persistency

Questions