Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Oleg Kupreev - Telecommunication Hardware Vulne...

Avatar for DC7499 DC7499
July 03, 2015
Research
0
54

Oleg Kupreev - Telecommunication Hardware Vulnerabilities

DEFCON Moscow 9

Avatar for DC7499

DC7499

July 03, 2015
Tweet

More Decks by DC7499

See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
Avatar for DC7499 defcon
0
540
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
Avatar for DC7499 defcon
0
270
Anton Lopanitsyn - Initial reconnaissance of web applications.
Avatar for DC7499 defcon
0
290
Dmitry Volkov - Private messengers: without pain??
Avatar for DC7499 defcon
1
240
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
Avatar for DC7499 defcon
2
210
Sergey Belov - Another side of Bug Bounty programs
Avatar for DC7499 defcon
0
300
Dmitry Sklyarov - Intel ME: Flash file system explained
Avatar for DC7499 defcon
0
520
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
Avatar for DC7499 defcon
0
610
Sergey Golovanov - Indecent Response 2018
Avatar for DC7499 defcon
0
530

Other Decks in Research

See All in Research
Creation and environmental applications of 15-year daily inundation and vegetation maps for Siberia by integrating satellite and meteorological datasets
Avatar for SatAI.challenge satai
3
280
Type Theory as a Formal Basis of Natural Language Semantics
Avatar for Daiki Matsuoka daikimatsuoka
1
290
数理最適化に基づく制御
Avatar for MIKIO KUBO mickey_kubo
6
730
Galileo: Learning Global & Local Features of Many Remote Sensing Modalities
Avatar for SatAI.challenge satai
3
240
AIによる画像認識技術の進化 -25年の技術変遷を振り返る-
Avatar for Hironobu Fujiyoshi hf149
7
4k
Time to Cash: The Full Stack Breakdown of Modern ATM Attacks
Avatar for D ratatata
0
130
電力システム最適化入門
Avatar for MIKIO KUBO mickey_kubo
1
920
「どう育てるか」より「どう働きたいか」〜スクラムマスターの最初の一歩〜
Avatar for hirakawa hirakawa51
0
860
能動適応的実験計画
Avatar for MasaKat0 masakat0
2
810
利用シーンを意識した推薦システム 〜SpotifyとAmazonの事例から〜
Avatar for kuri8ive kuri8ive
1
250
国際論文を出そう!ICRA / IROS / RA-L への論文投稿の心構えとノウハウ / RSJ2025 Luncheon Seminar
Avatar for koide3 koide3
6
4.7k
論文読み会 SNLP2025 Learning Dynamics of LLM Finetuning. In: ICLR 2025
Avatar for S s_mizuki_nlp
0
210

Featured

See All Featured
Faster Mobile Websites
Avatar for Dean Hume deanohume
309
31k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
48
9.7k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1032
460k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
43
7.6k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
36
2.5k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
127
53k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
236
140k
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
62k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
52
5.6k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3k
Navigating Team Friction
Avatar for Lara Hogan lara
189
15k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
6k

Transcript

  1. None

  2. Telecommunication Hardware Vulnerabilities

  3. WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h, [email protected]

    ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM

  4. TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS

    • HYBRiD

  5. VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS

    (/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*

  6. VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •

    D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13

  7. MODEMZ

  8. 3G/4G modems. Made in China by Huawei.

  9. Zero CD

  10. Zero CD-RW

  11. EViL C0NF

  12. OUC.EXE = OUCH LPE

  13. 3G/4G MODEM -> CYBERWEAPON

  14. CR0SSPLATF0RM 3G/4G M0D3M R00TKiT

  15. ROUTERZ

  16. SDLC BUBEN DANCiNG

  17. None

  18. BACKUP=FCUKUP

  19. GET HTTP REQUEST

  20. 20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •

    Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…

  21. 21 habrahabr.ru CSRF Evil FTP server Config CSRF

  22. • Network configuration • PPPOE account • SIP account CONFiGURATiON

  23. OLD DAYS…

  24. 24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century

  25. AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t

    rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!

  26. Huawei HG8245 Jtagulator Huawei 8245 hacking

  27. PLACE 4 FUTURE ViRUSES

  28. PASSWORDS….

  29. How to rob the train in XXI century? Easy!

  30. WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY

    • ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274

  31. STAGE 0x00 • Search for train with WiFi • Buy

    train ticket • Don’t miss the train

  32. STAGE 0x01 admin

  33. STAGE 0x02

  34. STAGE 0x03

  35. STAGE 0x04

  36. SIP hacking? • Port 5060 + SHODAN • Auth needed?

    • Web interface?

  37. CALL TO UID 0

  38. but check! Trust,

  39. Any questions? INFO: @090h [email protected] Links https://github.com/0x90/routerz https://github.com/0x90/modemz