Oleg Kupreev - Telecommunication Hardware Vulnerabilities

0c988f4618b436b14ce6ddcecd52d11d?s=47 DC7499
July 03, 2015
Research
0
28

Oleg Kupreev - Telecommunication Hardware Vulnerabilities

DEFCON Moscow 9

0c988f4618b436b14ce6ddcecd52d11d?s=128

DC7499

July 03, 2015
Tweet

Want more?

0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
150
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
100
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
200
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
3
770
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
14
900
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
6
490
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
0
310
61857dafbd287b3027c4dcea9008ad3c?s=48 carmenhchung
8
640
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
9
330
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
3
370
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
5
920
6bb82b13cda86d3b821fa44100335ddf?s=48 thoeni
1
240

Transcript

  1. 1.
    None
  2. 2.

    Telecommunication Hardware Vulnerabilities

  3. 3.

    WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h, root@0x90.ru •

    ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM
  4. 4.

    TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS

    • HYBRiD
  5. 5.

    VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS

    (/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*
  6. 6.

    VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •

    D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13
  7. 7.

    MODEMZ

  8. 8.

    3G/4G modems. Made in China by Huawei.

  9. 9.

    Zero CD

  10. 10.

    Zero CD-RW

  11. 11.

    EViL C0NF

  12. 12.

    OUC.EXE = OUCH LPE

  13. 13.

    3G/4G MODEM -> CYBERWEAPON

  14. 14.

    CR0SSPLATF0RM 3G/4G M0D3M R00TKiT

  15. 15.

    ROUTERZ

  16. 16.

    SDLC BUBEN DANCiNG

  17. 17.
    None
  18. 18.

    BACKUP=FCUKUP

  19. 19.

    GET HTTP REQUEST

  20. 20.

    20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •

    Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…
  21. 21.

    21 habrahabr.ru CSRF Evil FTP server Config CSRF

  22. 22.

    • Network configuration • PPPOE account • SIP account CONFiGURATiON

  23. 23.

    OLD DAYS…

  24. 24.

    24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century

  25. 25.

    AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t

    rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!
  26. 26.

    Huawei HG8245 Jtagulator Huawei 8245 hacking

  27. 27.

    PLACE 4 FUTURE ViRUSES

  28. 28.

    PASSWORDS….

  29. 29.

    How to rob the train in XXI century? Easy!

  30. 30.

    WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY

    • ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274
  31. 31.

    STAGE 0x00 • Search for train with WiFi • Buy

    train ticket • Don’t miss the train
  32. 32.

    STAGE 0x01 admin

  33. 33.

    STAGE 0x02

  34. 34.

    STAGE 0x03

  35. 35.

    STAGE 0x04

  36. 36.

    SIP hacking? • Port 5060 + SHODAN • Auth needed?

    • Web interface?
  37. 37.

    CALL TO UID 0

  38. 38.

    but check! Trust,

  39. 39.

    Any questions? INFO: @090h root@0x90.ru Links https://github.com/0x90/routerz https://github.com/0x90/modemz