Hacking The Network Inside Out - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Hacking The Network Inside Out
  • Craig Heffner, Derek Yap
  • SourceSec Security Research

2
Who Are We?
  • Co-founders of SourceSec Security Research Group
  • Publish research papers, tutorials, exploits, etc
  • Columnist at EthicalHacker.net

3
Presentation Purpose
  • Discuss SOHO router attacks
  • Performing router reconnaissance
  • Identifying router vulnerabilities
  • Exploiting vulnerabilities with client-side
    attacks
  • Building hardware back doors
  • Release some new tools
  • Everybody likes new toys, right?

4
Reconnaissance
5
Router Reconnaissance
  • You can't attack what you don't know
  • Well, you can, but it's not recommended
  • We need to be able to fingerprint routers
  • Both externally and via WiFi
  • What tools do we have to do this?
  • Unfortunately, not many

6
External Router Fingerprinting
  • Nmap
  • Great scanner, lots of TCP/IP signatures
  • But only works if the router has an open WAN port

7
Client-Side Fingerprinting
  • Lan Scan
  • JavaScript / CSS based LAN scanner
  • IDs router make/model and IP address
  • http://www.businessinfo.co.uk/

8
JavaScript LAN Scan In Action
9
WiFi Fingerprinting
  • There isn't much currently available
  • What is available mostly focuses on
  • Fingerprinting client drivers
  • Fingerprinting individual 802.11 devices
  • Typically rely on RF signaling, time skews, etc
  • Not so easy to use / update / maintain

10
802.11 Information Elements
11
Tool Time WiFinger
  • Passively identifies APs based on beacon packets
  • Examines 802.11 Information Elements
  • Existence, order, contents, etc
  • Only works on APs that it has signatures for
  • Send us pcap files!

12
WiFinger In Action
13
Tool Time WPScan
  • Actively probes AP for device information
  • Takes advantage of WPS probe response IE
  • Can contain lots of juicy info about the device
  • Some routers give up more information than others

14
WPScan In Action
15
Tool Time WPSpy
  • Monitors WPS state changes
  • Tells you if WPS is configured
  • Tells you when a router is listening for WPS
    clients
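
The three tools on slides 11 to 15 all read the same structure: the Information Elements that follow the fixed fields of a beacon or probe response. The Python below is an added illustration, not WiFinger, WPScan or WPSpy and not SourceSec code. It splits a frame body into IEs, builds an order-sensitive IE signature of the kind a defender can record for a known-good AP (a rogue AP copying the SSID will usually show a different signature), and decodes the WPS vendor-specific IE to report the device fields that WPS probing exposes and the WPS state / Selected Registrar flags that WPSpy watches. The beacon body, the vendor and model strings and the "known-good" signature are constructed for the example; the WPS attribute IDs are taken from the WPS specification's attribute list.

```python
import struct

# Beacon / Probe Response body: 8-byte timestamp, 2-byte interval, 2-byte
# capability field, then Information Elements: ID(1) LEN(1) VALUE(LEN).
FIXED_PARAMS_LEN = 12
IE_VENDOR_SPECIFIC = 221
WPS_OUI_TYPE = b"\x00\x50\xf2\x04"  # OUI 00:50:F2, type 4 = WPS

# WPS attribute IDs (WPS specification attribute list) worth reporting
WPS_ATTR_NAMES = {
    0x104A: "version", 0x1044: "wps_state", 0x1041: "selected_registrar",
    0x1021: "manufacturer", 0x1023: "model_name", 0x1024: "model_number",
    0x1042: "serial_number", 0x1011: "device_name",
}
WPS_STATE = {1: "not configured", 2: "configured"}


def parse_ies(body):
    """Split a frame body into (ie_id, value) tuples in on-air order."""
    ies, pos = [], FIXED_PARAMS_LEN
    while pos + 2 <= len(body):
        ie_id, ie_len = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + ie_len]
        if len(value) < ie_len:  # truncated frame: stop, do not misparse
            break
        ies.append((ie_id, value))
        pos += 2 + ie_len
    return ies


def ie_fingerprint(ies):
    """Order-sensitive signature: IE IDs, plus OUI+type for vendor IEs."""
    parts = []
    for ie_id, value in ies:
        if ie_id == IE_VENDOR_SPECIFIC and len(value) >= 4:
            parts.append("221:" + value[:4].hex())
        else:
            parts.append(str(ie_id))
    return ",".join(parts)


def parse_wps_ie(ies):
    """Decode WPS TLVs (type u16, length u16, value) from the WPS IE, if any."""
    for ie_id, value in ies:
        if ie_id != IE_VENDOR_SPECIFIC or not value.startswith(WPS_OUI_TYPE):
            continue
        attrs, pos = {}, len(WPS_OUI_TYPE)
        while pos + 4 <= len(value):
            attr_type, attr_len = struct.unpack(">HH", value[pos:pos + 4])
            attr_val = value[pos + 4:pos + 4 + attr_len]
            pos += 4 + attr_len
            name = WPS_ATTR_NAMES.get(attr_type)
            if name in ("wps_state", "selected_registrar"):
                attrs[name] = attr_val[0] if attr_val else None
            elif name == "version":
                attrs[name] = attr_val.hex()
            elif name is not None:
                attrs[name] = attr_val.decode("utf-8", "replace")
        return attrs
    return None


def summarize(body, known_fingerprint=None):
    """Fingerprint the sender and report its WPS status in one dict."""
    ies = parse_ies(body)
    report = {"fingerprint": ie_fingerprint(ies), "wps": parse_wps_ie(ies)}
    if report["wps"] is not None:
        report["wps_state"] = WPS_STATE.get(report["wps"].get("wps_state"), "unknown")
        # Selected Registrar = 1: the AP is currently accepting WPS enrollees
        report["pbc_active"] = report["wps"].get("selected_registrar") == 1
    if known_fingerprint is not None:
        report["fingerprint_matches"] = report["fingerprint"] == known_fingerprint
    return report


def _ie(ie_id, value):
    return bytes([ie_id, len(value)]) + value


def _wps_attr(attr_type, value):
    return struct.pack(">HH", attr_type, len(value)) + value


# Constructed beacon body (not a capture): SSID, rates, channel, WPS IE.
SAMPLE_BODY = (
    struct.pack("<QHH", 0, 100, 0x0411)        # timestamp, interval, capabilities
    + _ie(0, b"HomeRouter")                    # SSID
    + _ie(1, bytes([0x82, 0x84, 0x8B, 0x96]))  # supported rates
    + _ie(3, bytes([6]))                       # DS parameter set: channel 6
    + _ie(IE_VENDOR_SPECIFIC, WPS_OUI_TYPE
          + _wps_attr(0x104A, b"\x10") + _wps_attr(0x1044, b"\x02")
          + _wps_attr(0x1041, b"\x01") + _wps_attr(0x1021, b"ExampleVendor")
          + _wps_attr(0x1023, b"ExampleModel") + _wps_attr(0x1024, b"XM-1"))
)
KNOWN_FINGERPRINT = "0,1,3,221:0050f204"  # constructed "known-good" signature

if __name__ == "__main__":
    print(summarize(SAMPLE_BODY, KNOWN_FINGERPRINT))
```

The signature string is what a defender would store per legitimate AP and compare against every beacon seen for that SSID; the WPS fields are what to watch if WPS should be disabled on a device.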

16
WPSpy In Action
17
Why Do We Want To Know?
  • Google for vulnerabilities
  • Anything specific for that model router?
  • Anything for similar models from the same vendor?
  • Get user guide and manufacturer description
  • What features does it support?
  • Default settings?
  • Go get the same router and test it
  • Zero days are fun!

18
What Are We Looking For?
  • Type of HTTP authentication
  • Basic Authentication? HTML form authentication?
  • Router host name / default IP address
  • Supported features
  • WiFi Protected Setup support is a plus

19
WiFi Protected Setup
  • Used for WPA key distribution
  • Push a button on the router
  • Push a button on the client
  • Router encrypts WPA key and sends it to client
  • Not well supported by clients yet
  • wpa_supplicant now supports WPS
  • Most new routers have WPS enabled by default

20
WiFi Protected Setup
  • WPS push button authentication
  • Push a button on the router
  • Router advertises that it's looking for a client
  • Client has two minutes to respond
  • Push a button on the client device
  • Client checks if the access point is looking for
    a client
  • Client initiates 802.11 EAP exchange
  • Router gives the client the encryption key
  • Key exchange is encrypted

21
Client-Side Attacks
22
Why Use Client-Side Attacks?
  • Most router vulnerabilities exist only on the LAN
  • Usually in the Web-based administrative interface
  • Routers usually must be managed from the LAN
  • Remote management is rarely enabled
  • Before we can consider router vulnerabilities
  • How do we attack the LAN without direct LAN
    access?

23
Client-Side Attack Overview
  • Use an inside client to help us attack the router
  • Typically via the client's Web browser
  • We'll cover two primary attack methods
  • Cross-Site Request Forgery
  • Anti-DNS pinning
  • Most other methods aren't as useful in this case

24
CSRF Problems
  • For CSRF to work, the router must trust the
    browser
  • No one ever logs into their router
  • We can try to force a login, but...
  • No auto-login for basic authentication
  • http://user:password@192.168.1.1/
  • Blocked by IE and FF
  • Changes in the IP address range
  • If IP of the router is not known, it can't be
    targeted

25
CSRF Solutions
  • Most new routers make CSRF much easier
  • Use HTML forms for submitting authentication
  • Assign themselves host names
  • Don't distinguish between POST and GET requests
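
The three conditions listed above are the ones a router's admin interface has to close. As an added example (not from any router vendor or from the presenters), here is a Python check that a state-changing admin handler could run before acting on a request: require POST, require the Host and Origin/Referer headers to name the router itself, and require a per-login synchronizer token that a cross-site page cannot read. The request dicts, the parameter name wps_pbc and the allowed host names are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Host names under which the router's own admin pages are served (assumption)
ALLOWED_HOSTS = {"192.168.1.1", "router.local"}


def csrf_check(method, headers, form, session_token):
    """Decide whether a state-changing admin request may be acted on.

    headers and form are plain dicts; session_token is the per-login token the
    router embedded in the form it served (synchronizer token pattern).
    Returns (allowed, reason).
    """
    # 1. State changes only via POST: a hidden <img src=...> can only issue GET,
    #    so a router that treats GET like POST is open to image-tag CSRF.
    if method != "POST":
        return False, "state change via %s; POST required" % method
    # 2. Host must name the router itself, and Origin/Referer must show the
    #    request was made from the router's own pages, not another site.
    host = headers.get("Host", "").split(":")[0]
    if host not in ALLOWED_HOSTS:
        return False, "unexpected Host header %r" % host
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "no Origin/Referer header"
    source_host = urlsplit(source).hostname
    if source_host not in ALLOWED_HOSTS:
        return False, "cross-site request from %r" % source_host
    # 3. Per-login token: the attacker's page cannot read it (same-origin
    #    policy), so it cannot forge it even while the admin is logged in.
    if not hmac.compare_digest(form.get("csrf_token", ""), session_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


SESSION_TOKEN = secrets.token_hex(16)  # hypothetical: issued at form login

# Constructed requests; wps_pbc is a hypothetical "start WPS push-button" field
IMG_TAG_REQUEST = ("GET", {"Host": "192.168.1.1", "Referer": "http://evil.example/"},
                   {"wps_pbc": "1"})
FORGED_POST = ("POST", {"Host": "192.168.1.1", "Origin": "http://evil.example"},
               {"wps_pbc": "1", "csrf_token": "guess"})
LEGIT_POST = ("POST", {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"},
              {"wps_pbc": "1", "csrf_token": SESSION_TOKEN})

if __name__ == "__main__":
    for req in (IMG_TAG_REQUEST, FORGED_POST, LEGIT_POST):
        print(req[0], csrf_check(*req, SESSION_TOKEN))
```

The Host check also rejects the wrong host header that the anti-DNS pinning technique later in the deck sends, and the token check holds even against a router that auto-accepts default credentials, because the token is tied to the served form rather than to the login.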

26
Sample CSRF Attack Code
27
Bypassing Authentication
  • Some routers don't check if you've logged in
  • Don't have to guess any logins
  • Makes CSRF attacks much more reliable
  • Typically just a direct request to a CGI script
  • More common than you might think
  • Linksys WRT54G v1.00.9
  • 3Com OfficeConnect Wireless Cable/DSL Router
  • DD-WRT v24-sp1
  • Most Belkin routers

28
CSRF Auth Bypass Attack Code
29
CSRF Pros
  • Login to the router with default credentials
  • Or bypass login altogether
  • Issue updates to router configuration
  • Typically can be done without any JavaScript

30
CSRF Cons
  • Not all routers vulnerable to CSRF
  • We have to guess the login, or use default login
  • Because of this, it doesn't work against basic
    auth
  • This is mitigated if auth bypass vulnerability
    exists
  • We can only change settings, not view settings
  • Due to browser's same-domain policy

31
Anti-DNS Pinning
  • Using anti-DNS pinning, we can
  • Circumvent same-domain policy
  • Load and control the router admin page
  • Unlike CSRF, we can use basic authentication
  • No router vulnerabilities required!
  • This allows us to change and view router settings
  • WEP / WPA keys, DNS settings, firewall rules, etc

32
What Is The Same-Domain Policy?
  • Prevents site X from accessing contents of site Y
  • Example
  • Page on site X creates an iframe that points to
    site Y
  • Iframe is successfully created
  • But site X code can't access the iframe contents

33
What Is DNS Pinning?
  • Browser caches results from first DNS lookup
  • Cache cleared when browser is closed
  • Prevents evil.com from changing their IP
  • New IP points to another server
  • Allows attacker to bypass same-domain policy

34
Anti-DNS Pinning Prerequisites
  • We have to know the router IP address
  • This is rarely changed from the default
  • We have to be able to login
  • Use default credentials
  • Or circumvent the login process altogether
  • We have to own a domain
  • DNS server
  • Web server

35
Browser Queries DNS Server
  [Diagram on slides 35-43: client browsing to cc.sourcesec.com, the client's router at 192.168.1.1, the DNS server ns1.sourcesec.com, and the Web server cc.sourcesec.com at 1.2.3.4]
  Where is cc.sourcesec.com?
36
DNS Responds With Two IPs
  IN A 1.2.3.4
  IN A 192.168.1.1
37
Browser Connects To First IP
  GET /evil.html HTTP/1.1
38
Server Responds With Evil Page
  <html> <script> ...Evil Script... </script> </html>
39
Web Service Shuts Down
40
JS Initiates New Connection
  GET /index.html HTTP/1.1
  Host: cc.sourcesec.com
41
Browser Sees A Failed Connection
  TCP RST Packet
42
Browser Tries The Second IP
  GET /index.html HTTP/1.1
  Host: cc.sourcesec.com
43
JS Has Full Access To Router Page
  <html> <title>Home Router</title> ...
44
Anti-DNS Pinning Pros
  • Doesn't rely on any vulnerabilities in the router
  • Works with basic authentication
  • Allows JS to access the router's Web content

45
Anti-DNS Pinning Cons
  • Still have to know / guess the router credentials
  • Use default login
  • Sends wrong host header
  • But the router doesn't mind
  • Doesn't send cookie credentials
  • But routers don't use cookies anyway
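
The rebinding step (slide 36) is visible in the DNS reply itself: a public name answering with an RFC 1918 address. The Python below is an added example, not code from the presentation, that parses a DNS response in wire format and drops A records mapping a non-local name to a private, loopback or link-local address, the same policy a resolver applies with dnsmasq's --stop-dns-rebind option. The reply is constructed to match the slide (cc.sourcesec.com answering 1.2.3.4 and 192.168.1.1); the local-zone suffix list is an assumption.

```python
import ipaddress
import struct

# Name suffixes that may legitimately resolve to internal addresses (assumption)
LOCAL_SUFFIXES = (".local", ".lan")


def _is_internal(ip):
    return ip.is_private or ip.is_loopback or ip.is_link_local


def _encode_name(name):
    """Encode a dotted name as DNS labels (used to build the sample reply)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def _read_name(msg, pos):
    """Read a possibly-compressed name; return (name, position after it)."""
    labels, after = [], None
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if after is None:
                after = pos + 2
            pos = struct.unpack(">H", msg[pos:pos + 2])[0] & 0x3FFF
            continue
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode())
        pos += length
    return ".".join(labels), (after if after is not None else pos)


def filter_rebinding(msg, local_suffixes=LOCAL_SUFFIXES):
    """Split the A records of a DNS reply into (kept, dropped) lists of (name, ip).

    An A record for a name outside the local zones that points at a private,
    loopback or link-local address is dropped as a rebinding attempt.
    """
    qdcount, ancount = struct.unpack(">HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        _, pos = _read_name(msg, pos)
        pos += 4  # QTYPE + QCLASS
    kept, dropped = [], []
    for _ in range(ancount):
        name, pos = _read_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype != 1 or rdlen != 4:
            continue  # only A records are judged here
        ip = ipaddress.IPv4Address(rdata)
        if _is_internal(ip) and not name.endswith(local_suffixes):
            dropped.append((name, str(ip)))
        else:
            kept.append((name, str(ip)))
    return kept, dropped


def _a_record(name_offset, ip, ttl=1):
    """A record whose name is a pointer to the question name (for the sample)."""
    return (struct.pack(">H", 0xC000 | name_offset)
            + struct.pack(">HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed)


# Constructed reply matching slide 36: cc.sourcesec.com -> 1.2.3.4 and 192.168.1.1
SAMPLE_REPLY = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)  # id, flags, qd/an/ns/ar
    + _encode_name("cc.sourcesec.com") + struct.pack(">HH", 1, 1)  # question: A IN
    + _a_record(12, "1.2.3.4") + _a_record(12, "192.168.1.1")
)

if __name__ == "__main__":
    print(filter_rebinding(SAMPLE_REPLY))
```

Run on the constructed reply, the 1.2.3.4 answer is kept and the 192.168.1.1 answer is dropped, so the browser never learns a second IP to fall back to when the first connection is reset.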

46
Client-Side WiFi Attacks
47
Why WiFi?
  • Often, simply changing settings is not desirable
  • Router behind corporate firewall
  • More likely to be noticed
  • Against pen-test ROE
  • WiFi provides direct access to internal network
  • Most other attack methods require a multi-step
    process

48
Router WiFi Attacks
  • Encryption is typically the only real WiFi
    security
  • Traditional WiFi attacks
  • Use kismet / aircrack to crack WEP key
  • WPA / WPA2 are tougher
  • Client-side WiFi attacks
  • Get the router to give us the encryption key

49
Cracking WPA With HTML Images
  • Recall that WPS hands out WPA keys?
  • WPS-capable routers have virtual WPS push buttons
  • Located in the Web interface
  • We can activate WPS via CSRF attacks
  • CSRF + WPS = WPA Key

50
Belkin F5D8233-4v3 CSRF Attack
51
Network Reconnaissance
  • Device identification
  • WiFinger reports Belkin F5D8233-4v3
  • WPScan reports Belkin
  • Reconnaissance shows
  • Web based login on LAN port 80
  • Vulnerable to CSRF and authentication bypass
  • WPS enabled by default
  • Default IP address 192.168.2.1

52
F5D8233-4v3 Attack
  • Use CSRF to activate WPS
  • Done with a single hidden image tag
  • Listen for activation
  • Use wpspy
  • Perform WPS key exchange
  • Use WPS-capable WiFi card

53
HTML Exploit Code
54
Client Visiting Site
55
WPS Push Button Activated
56
Success!
57
CSRF WPS Attack Pros
  • Crack WPA key of any strength in seconds
  • Simple attack to implement

58
CSRF WPS Attack Cons
  • Requires proximity to WiFi network
  • Requires CSRF vulnerability
  • Requires WPS

59
Cracking WiFi With A DNS Server
  • Using an anti-DNS pinning attack, we can
  • Retrieve SSID, encryption type and key remotely
  • Foil anti-CSRF implementations
  • Do so without the aid of WPS
  • We will need to know
  • Router login
  • Router IP

60
DIR-628 Anti-Pinning Attack
61
Network Reconnaissance
  • Device identification
  • WiFinger reports D-Link DIR-628
  • WPScan reports D-Link DIR-628
  • Reconnaissance shows
  • JavaScript-based anti-CSRF in login page
  • User account with read-only access and blank
    password
  • Default IP address of 192.168.0.1

62
DIR-628 Attack
  • Can't use CSRF, we'll have to use anti-pinning
  • Attack the user account
  • Likely to be ignored / forgotten about
  • All D-Links have both admin and user accounts
  • Retrieve the WPA key, send it back to our server

63
DNS Configuration
64
Initial Browser Request
65
Browser Window
66
Success!
67
Physical Attacks
68
Probability of Physical Attacks
  • If an attacker can obtain access to the router
  • Before it enters an organization
  • After it is installed inside an organization
  • Then there is the threat of physical tampering
  • Has happened to many other devices in the past...

69
Hewlett Packard
70
Creative
71
Amazon
72
Best Buy
73
WalMart
74
Physical Router Attacks
  • But what can we do with routers?
  • Not much without a lot of time and resources
  • They run custom firmware
  • Firmware will vary between vendors / models /
    versions
  • Any malware will be customized to the vendor /
    model
  • It's really hard to do, so it's not a threat

75
WPS Physical Attacks Made Easy
  • Push the router's WPS button
  • This is as easy as it gets!
  • Backdoor the WiFi encryption
  • We are only really concerned with WPA
  • WEP / open networks are backdoors in and of
    themselves
  • This can be done very easily thanks to WPS...

76
Hacking With Gum
77
Gum Hack Description
  • Short out the WPS button
  • The router thinks the button is always pushed
  • WPS will always be actively looking for clients!
  • Cover up the WPS light
  • It blinks when WPS is activated

78
Linksys WRT160N Physical Attack
79
Linksys WRT160N Reconnaissance
  • Device identification
  • WiFinger reports Linksys WRT160N
  • WPScan reports Linksys WRT160N
  • Reconnaissance shows
  • Uses basic authentication
  • No CSRF or authentication bypass vulnerabilities
  • XSS vulnerability, but requires LAN access
  • WPS enabled by default

80
WPS Button Placement
81
Linksys Board Top View
82
Linksys Board Bottom View
83
Tear Foil
84
Fold Foil
85
Foil Placement
86
Board Placement
87
Foil Fold 2
88
Lights Out
89
Finished
90
Success!
91
Gum Hack Pitfalls
  • Noticeable on Linksys' wireless admin page
  • Makes it not-so-stealthy
  • Some routers require push, hold, release
  • Simply shorting the switch doesn't work

92
Improving The Gum Hack
  • Shortcomings can be overcome with NE555 timer
  • Small, cheap timer IC
  • Easy project, even for hardware beginners
  • Works with nearly every WPS-capable router

93
NE555 Circuit Description
  • NE555 configured as an astable timer
  • Shorts the button pins for 1.5 seconds, every 5
    minutes
  • Simple circuit, low parts count
  • 1 NE555 chip
  • 1 Capacitor
  • 1 Diode
  • 3 Resistors
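
Both the shorted button (slide 77) and the timer (slide 93) leave a signature in the AP's own beacons: the Selected Registrar flag that WPSpy watches either never clears, or sets again on a fixed period. This added Python example (not from the presentation or its tools) takes a timeline of (timestamp, selected_registrar) readings for one AP and reports both patterns, using the two-minute walk time from slide 20 as the threshold. The three observation series are constructed for the example, not captured.

```python
from statistics import pstdev

WALK_TIME = 120  # WPS push-button "walk time": PBC should stop after two minutes


def pbc_spans(observations):
    """Turn (timestamp, selected_registrar) readings into (start, end, closed) spans."""
    spans, start = [], None
    readings = sorted(observations)
    for ts, active in readings:
        if active and start is None:
            start = ts
        elif not active and start is not None:
            spans.append((start, ts, True))
            start = None
    if start is not None:  # still active when the capture ended
        spans.append((start, readings[-1][0], False))
    return spans


def wps_activation_alerts(observations, walk_time=WALK_TIME, min_repeats=3):
    """Report PBC that never clears (held button) or recurs on a fixed period (timer)."""
    alerts = []
    spans = pbc_spans(observations)
    for start, end, closed in spans:
        if not closed:
            alerts.append("PBC still active at end of capture")
        if end - start > walk_time:
            alerts.append("PBC active for %ds, longer than the %ds walk time"
                          % (end - start, walk_time))
    if len(spans) >= min_repeats:
        gaps = [spans[i + 1][0] - spans[i][0] for i in range(len(spans) - 1)]
        mean_gap = sum(gaps) / len(gaps)
        if pstdev(gaps) <= 0.05 * mean_gap:  # near-constant period
            alerts.append("PBC re-activates every ~%ds (%d times)"
                          % (round(mean_gap), len(spans)))
    return alerts


# Constructed readings, one per 10 s, for three cases (not real captures)
NORMAL = [(t, t < 120) for t in range(0, 600, 10)]         # one button press
SHORTED = [(t, True) for t in range(0, 600, 10)]           # button held permanently
TIMER = [(t, (t % 300) < 120) for t in range(0, 900, 10)]  # pressed every 5 minutes

if __name__ == "__main__":
    for name, obs in (("normal", NORMAL), ("shorted", SHORTED), ("timer", TIMER)):
        print(name, wps_activation_alerts(obs))
```

A single legitimate press produces no alert; an AP whose flag stays set beyond the walk time, or that re-arms on a regular schedule, is worth a physical inspection of the device.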

94
NE555 Circuit Schematic
95
NE555 Linksys
96
NE555 D-Link
97
NE555 Belkin
98
Conclusion
  • SOHO router security has a long way to go
  • This is just a portion of vulnerabilities and
    attacks
  • WPS is hazardous if underlying system is
    vulnerable
  • Default logins / authentication bypassing, CSRF
    attacks
  • Physical attacks
  • Client side attacks don't just affect the clients
  • Can be used to attack internal infrastructure
  • Routers are prime targets

99
Q & A
100
Resources
  • Visit http://www.sourcesec.com for
  • Tools
  • Slides
  • Papers
  • Schematics
  • Email us
  • dev@sourcesec.com

101
References
  • Intranet Invasion Through Anti-DNS Pinning
  • David Byrne, BlackHat 2007
  • DNS: problems with new DNS cache, Bugzilla
  • https://bugzilla.mozilla.org/show_bug.cgi?id=162871
  • WiFi Protected Setup Knowledge Center
  • http://www.wi-fi.org/wifi-protected-setup