Save 37% off PRO during our
Black Friday Sale! »
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Oleg Kupreev - Telecommunication Hardware Vulnerabilities
DC7499
July 03, 2015
Research
0
33
Oleg Kupreev - Telecommunication Hardware Vulnerabilities
DEFCON Moscow 9
DC7499
July 03, 2015
Tweet
Share
More Decks by DC7499
See All by DC7499
defcon
0
240
defcon
0
170
defcon
0
220
defcon
1
190
defcon
1
160
defcon
0
190
defcon
0
280
defcon
0
340
defcon
0
310
Other Decks in Research
See All in Research
dropout009
0
640
100_tools
0
150
kei18
0
270
joolsa
1
110
stakaya
1
1.1k
kitachan_black
0
4k
meshidenn
0
110
roger_s
0
290
allenyummy
0
150
shuntaros
1
610
tkym1220
0
160
shutakahama
2
450
Featured
See All Featured
3n
169
23k
lauravandoore
19
2.5k
marcelosomers
225
15k
reverentgeek
172
7.8k
eitanlees
120
11k
caitiem20
314
18k
holman
464
280k
trallard
27
1.3k
paigeccino
7
430
cromwellryan
108
6.6k
holman
295
140k
paulrobertlloyd
73
3.9k
Transcript
None
Telecommunication Hardware Vulnerabilities
WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h, root@0x90.ru •
ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM
TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS
• HYBRiD
VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS
(/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*
VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •
D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13
MODEMZ
3G/4G modems. Made in China by Huawei.
Zero CD
Zero CD-RW
EViL C0NF
OUC.EXE = OUCH LPE
3G/4G MODEM -> CYBERWEAPON
CR0SSPLATF0RM 3G/4G M0D3M R00TKiT
ROUTERZ
SDLC BUBEN DANCiNG
None
BACKUP=FCUKUP
GET HTTP REQUEST
20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •
Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…
21 habrahabr.ru CSRF Evil FTP server Config CSRF
• Network configuration • PPPOE account • SIP account CONFiGURATiON
OLD DAYS…
24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century
AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t
rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!
Huawei HG8245 Jtagulator Huawei 8245 hacking
PLACE 4 FUTURE ViRUSES
PASSWORDS….
How to rob the train in XXI century? Easy!
WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY
• ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274
STAGE 0x00 • Search for train with WiFi • Buy
train ticket • Don’t miss the train
STAGE 0x01 admin
STAGE 0x02
STAGE 0x03
STAGE 0x04
SIP hacking? • Port 5060 + SHODAN • Auth needed?
• Web interface?
CALL TO UID 0
but check! Trust,
Any questions? INFO: @090h root@0x90.ru Links https://github.com/0x90/routerz https://github.com/0x90/modemz
defcon
dropout009
100_tools
kei18
joolsa
stakaya
kitachan_black
meshidenn
roger_s
allenyummy
shuntaros
tkym1220
shutakahama
3n
lauravandoore
marcelosomers
reverentgeek
eitanlees
caitiem20
holman
trallard
paigeccino
cromwellryan
paulrobertlloyd
