Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Oleg Kupreev - Telecommunication Hardware Vulnerabilities
Search
DC7499
July 03, 2015
Research
0
39
Oleg Kupreev - Telecommunication Hardware Vulnerabilities
DEFCON Moscow 9
DC7499
July 03, 2015
Tweet
Share
More Decks by DC7499
See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
defcon
0
430
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
defcon
0
220
Anton Lopanitsyn - Initial reconnaissance of web applications.
defcon
0
260
Dmitry Volkov - Private messengers: without pain??
defcon
1
210
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
defcon
1
190
Sergey Belov - Another side of Bug Bounty programs
defcon
0
240
Dmitry Sklyarov - Intel ME: Flash file system explained
defcon
0
400
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
defcon
0
460
Sergey Golovanov - Indecent Response 2018
defcon
0
370
Other Decks in Research
See All in Research
脳卒中患者・家族からみた循環器病対策推進基本計画の進捗に関する調査
japanstrokeassociation
0
530
メタ動画データセットによる動作認識の現状と可能性
yuyay
0
180
方策の長期性能に対する効率的なオフライン評価・学習 (Long-term Off-Policy Evaluation and Learning)
usaito
PRO
2
180
Equivalence of Geodesics and Importance Weighting from the Perspective of Information Geometry
mkimura
0
140
生成AIを用いたText to SQLの最前線
masatoto
1
2.3k
Deep State Space Models 101 / Mamba
kurita
9
3.5k
Discovering Universal Geometry in Embeddings with ICA
momoseoyama
1
340
説明可能AI:代表的手法と最近の動向
yuyay
1
590
ゼロからわかるリザバーコンピューティング
kurotaky
1
290
訓練データ作成のためのCloudCompareを利用した点群の手動ラベリング
kentaitakura
0
540
Alternative Photographic Processes Reimagined: The Role of Digital Technology in Revitalizing Classic Printing Techniques【SIGGRAPH Asia 2023】
toremolo72
0
430
Experiments on ROP Attack with Various Instruction Set Architectures
yumulab
0
320
Featured
See All Featured
We Have a Design System, Now What?
morganepeng
43
6.7k
GraphQLの誤解/rethinking-graphql
sonatard
50
9.2k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
Side Projects
sachag
451
41k
The Language of Interfaces
destraynor
151
23k
Building Applications with DynamoDB
mza
88
5.6k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
125
32k
[RailsConf 2023] Rails as a piece of cake
palkan
23
3.9k
Ruby is Unlike a Banana
tanoku
96
10k
Bash Introduction
62gerente
604
210k
Documentation Writing (for coders)
carmenintech
60
3.9k
Transcript
None
Telecommunication Hardware Vulnerabilities
WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h,
[email protected]
•
ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM
TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS
• HYBRiD
VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS
(/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*
VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •
D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13
MODEMZ
3G/4G modems. Made in China by Huawei.
Zero CD
Zero CD-RW
EViL C0NF
OUC.EXE = OUCH LPE
3G/4G MODEM -> CYBERWEAPON
CR0SSPLATF0RM 3G/4G M0D3M R00TKiT
ROUTERZ
SDLC BUBEN DANCiNG
None
BACKUP=FCUKUP
GET HTTP REQUEST
20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •
Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…
21 habrahabr.ru CSRF Evil FTP server Config CSRF
• Network configuration • PPPOE account • SIP account CONFiGURATiON
OLD DAYS…
24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century
AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t
rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!
Huawei HG8245 Jtagulator Huawei 8245 hacking
PLACE 4 FUTURE ViRUSES
PASSWORDS….
How to rob the train in XXI century? Easy!
WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY
• ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274
STAGE 0x00 • Search for train with WiFi • Buy
train ticket • Don’t miss the train
STAGE 0x01 admin
STAGE 0x02
STAGE 0x03
STAGE 0x04
SIP hacking? • Port 5060 + SHODAN • Auth needed?
• Web interface?
CALL TO UID 0
but check! Trust,
Any questions? INFO: @090h
[email protected]
Links https://github.com/0x90/routerz https://github.com/0x90/modemz