Oleg Kupreev - Telecommunication Hardware Vulnerabilities

Transcript

1. None

2. Telecommunication Hardware Vulnerabilities

3. WHOAMI • HACKER REASEARCHER @ DSEC.RU • @090h, [email protected] •

   ADMIN @ ISP IN THE PAST • HACKING TELECOMMUNICATIONS SINCE 2001 • HACKING HARDWARE SINCE 2012 • DREAM TO LEARN, LEARN TO DREAM

4. TELECOM HARDWARE • MODEM • ROUTER • SWiTCH • ATS

   • HYBRiD

5. VULNERABiLiTiES • DEFAULT CREDENTiALS (admin:admin, admin:1234, cisco:cisco) • PLAiNTEXT PASSWORDS

   (/var/passwd) • BACKDOORS/ISP ACCOUNTS • AUTH BYPASS • USER iNPUT MiSVALiDATiON (COMMAND/SQL/HTML/XML injection) • iNFORMATiON DiSCLOSURE • CSRF • XXE • BOF (stack, heap, of-by-one) • WPS*

6. VENDORS & VULNS @ EXPLOiT DB • Cisco 144 •

   D-link 81 • Linksys 49 • Netgear 36 • TP-Link 18 • Zyxel 15 • Huawei 13

7. MODEMZ

8. 3G/4G modems. Made in China by Huawei.

9. Zero CD

10. Zero CD-RW

11. EViL C0NF

12. OUC.EXE = OUCH LPE

13. 3G/4G MODEM -> CYBERWEAPON

14. CR0SSPLATF0RM 3G/4G M0D3M R00TKiT

15. ROUTERZ

16. SDLC BUBEN DANCiNG

17. None

18. BACKUP=FCUKUP

19. GET HTTP REQUEST

20. 20 AUTH BYPASS + CSRF = CONFiG UPLOAD 8) •

    Firewall/AV bypass • Botnet via Habrahabr <IMG SRC =“PWN”…

21. 21 habrahabr.ru CSRF Evil FTP server Config CSRF

22. • Network configuration • PPPOE account • SIP account CONFiGURATiON

23. OLD DAYS…

24. 24 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 2-12-85-06 XXI century

25. AUTH BYPASS + CSRF + COMMAND INJECTION = w00t w00t

    rem0t3 reb00t… Back to 90’s….. Do you remember +++ATH.jpg trick? WARNINNG!!! WARNINNG!!! WARNINNG!!!

26. Huawei HG8245 Jtagulator Huawei 8245 hacking

27. PLACE 4 FUTURE ViRUSES

28. PASSWORDS….

29. How to rob the train in XXI century? Easy!

30. WARNINNG!!! WARNINNG!!! WARNINNG!!! • WITH GREAT POWER COMES GREAT RESPONSIBILITY

    • ВАС ПРИСТРЕЛЯТ ПО УТРУ – НЕ РАБОТАЙТЕ ПО РУ • 272, 273, 274

31. STAGE 0x00 • Search for train with WiFi • Buy

    train ticket • Don’t miss the train

32. STAGE 0x01 admin

33. STAGE 0x02

34. STAGE 0x03

35. STAGE 0x04

36. SIP hacking? • Port 5060 + SHODAN • Auth needed?

    • Web interface?

37. CALL TO UID 0

38. but check! Trust,

39. Any questions? INFO: @090h [email protected] Links https://github.com/0x90/routerz https://github.com/0x90/modemz