The second session is getting underway. I am nursing a dodgy Internet connection and munching a sammich Elzje made for me. Single geeks, eat your heart out. (Thanks, Love)
I have a feeling this session will be really cool. Can't believe two hours are gone already.
Ivan Burke – Who Needs Botnets if you have Google?
What are the basic goals of a botnet?
Make money, disrupt services, grow the botnet, hide in the masses.
A basic botnet needs a stealth component. A botnet also needs a way to communicate, and then a way of relaying information back to your bots.
Google Gadgets Complaints
Google Gadgets does not follow standard web protocol: it does not honour the robots.txt policy.
There is no validation of page existence – it can be used to probe a website for known webpages.
Multiple IPs and locations. Every request might come from a different server.
Because Google fetches the content, it has a cache server holding the content, and the user can set how frequently the cache is updated.
What they did with the info
Created a PoC man-in-the-middle attack.
Harvested browser info.
Established crude C2 capabilities between server and gadgets.
Attempted a DDoS, settled for messing with AdSense stats and a website traffic generator.
Created a basic anonymous website browsing gadget.
How this was done
Man-in-the-middle PoC – fetch a site and replace the URL of the site.
Gadgets and iframes have no address bar.
Harvested the browser info (I lost a chunk here – typing slower than this guy speaks…)
They had a basic command and control structure. Used the Google servers as a carrier to hide the IP of origin and destination.
DDoS Attempt
Option 1: Set the refresh interval to zero.
Option 2: Make hundreds of fictitious requests to a server.
Why did this not work:
Google AdSense causes the gadget user's PC to crash before the DDoS is triggered.
Anonymous browser gadget
Allows you to browse the Internet making it look like you are the Google agent string.
Does Google Gadgets meet the requirements of a botnet?
- Needs to be viral. The gadgets are designed to be easy to share.
- Access to valuable data or services. Browser history data contained on other gadgets.
- They require C2 to communicate. Basic communication achieved via GET and POST.
- Stealth. All actions are performed by the Google gadget server; the target server's logs only contain the gadget server IP.
The Fix
- Google's Side
Follow common web protocol, listen to robots.txt.
Prevent/notify users of gadget redirects.
- Consumer Side
Block the Google Feedfetcher agent.
Clean browser history regularly.
Better education about the risks.
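As an added example (not code from the talk or from Google), here is how a site owner could act on the consumer-side fixes above: review an access log for fetches by the gadget fetcher that probe for pages that do not exist, or that hammer one path because a gadget's refresh interval was set to zero, and apply a block policy that only lets the fetcher reach feed URLs. It assumes the fetcher's User-Agent contains "Feedfetcher-Google", Apache combined log format, and the thresholds and log lines shown, all of which are my own constructions.

```python
"""Added example (not from the talk or from Google): review a web server access
log for gadget-driven fetches that look like probing or refresh abuse.

Assumptions (mine, not the page's): the fetcher's User-Agent contains
"Feedfetcher-Google", the log is in Apache combined format, and a site owner
treats any 404 from that agent, or more than MAX_PER_MINUTE fetches of a single
path in one minute, as worth an alert.  The log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
FETCHER_UA = "Feedfetcher-Google"
MAX_PER_MINUTE = 5              # assumed tolerance for one path per minute
FEED_PATHS = {"/feed.xml"}      # assumed: the only resources a feed reader needs

# Constructed sample log: one legitimate feed fetch, two fetcher requests for
# pages that do not exist (probing), one ordinary browser 404, and six fetches
# of the feed inside a single minute (refresh interval abuse).
_UA = '"Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"'
_BROWSER = '"Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.5"'
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - [10/Oct/2009:11:00:01 +0200] "GET /feed.xml HTTP/1.1" 200 512 "-" {_UA}',
    f'10.0.0.6 - - [10/Oct/2009:11:00:02 +0200] "GET /admin/ HTTP/1.1" 404 210 "-" {_UA}',
    f'10.0.0.7 - - [10/Oct/2009:11:00:03 +0200] "GET /old-page.html HTTP/1.1" 404 210 "-" {_UA}',
    f'192.0.2.9 - - [10/Oct/2009:11:00:04 +0200] "GET /missing HTTP/1.1" 404 210 "-" {_BROWSER}',
] + [
    f'10.0.0.{n} - - [10/Oct/2009:11:01:{n:02d} +0200] "GET /feed.xml HTTP/1.1" 200 512 "-" {_UA}'
    for n in range(10, 16)
])


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_fetcher(rec):
    return FETCHER_UA in rec["ua"]


def should_block(rec):
    """Policy for the 'block the fetcher agent' fix: allow it feed URLs only."""
    return is_fetcher(rec) and rec["path"] not in FEED_PATHS


def analyze(log_text):
    """Report fetcher probes (404s), how many requests the policy would block,
    and paths fetched more than MAX_PER_MINUTE times in one minute."""
    probes, blocked = [], 0
    per_minute = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_fetcher(rec):
            continue
        if rec["status"] == 404:
            probes.append((rec["ip"], rec["path"]))
        if should_block(rec):
            blocked += 1
        bucket = rec["ts"].replace(second=0, microsecond=0)
        per_minute[(rec["path"], bucket)] += 1
    storms = [(path, n) for (path, _), n in sorted(per_minute.items())
              if n > MAX_PER_MINUTE]
    return {"probes": probes, "blocked": blocked, "refresh_storms": storms}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Because every fetch arrives from the gadget server rather than the gadget user, the source IP in the log is of little use for blocking; the policy above keys on the agent string and the requested path instead, which is the only signal the target server actually has.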
Summary
This is very cool. I was missing a lot of this talk to type because I often sat back and listened to how this works. In short, with some clever coding you can build yourself a botnet with nasty capabilities with Google Gadgets.
Nice talk.
——————————————
Simeon Miteff – Detecting Backdoors With Network Trickery: War dialing in the age of 3G
Back in the day you would war dial looking for people who had pcAnywhere running, and try to get access to their systems.
How would you find the open backdoors on your company network (3G, ADSL etc.)?
The assumption is that workstations are not locked down.
Firewalls versus ADSL lines in an individual's office.
The assumption was that you don't want an ADSL line into a person's office that effectively bypasses your network firewall. Lines were installed to a central location rather than to individual offices, to make sure they did not end up in the offices. Some people simply ignored this policy.
How do you detect them?
- You can do a physical audit.
- Write a script.
Thoughts on the threat model – would you hack the ADSL box, or would you walk into an office? The assumption is that a network behind a big perimeter firewall has poor internal security.
Where is the default route of the box pointing? What DNS resolver is it using?
You can ask the host to forward a packet to the Internet and detect where this packet goes: through your network, or maybe through another network node?
Passive approach – is the host chatty on the local subnet? (lots of false positives)
Active approach – test reachability from the subnet vs elsewhere on the LAN.
Firewalls break passive approaches.
Solution
Trick the host into doing a DNS lookup. Put a URI in the UPnP header.
Encode the host's LAN address into a DNS label.
Set up a custom PowerDNS server on the backend.
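The detection side of the solution above, as an added example that is not the speaker's code: the host's LAN address is encoded into a DNS label under a zone you are authoritative for, and the backend compares the address the query arrives from with the egress addresses of the corporate resolvers. A query for a probe name that shows up from any other address means that host resolved it over a path that bypasses your network. The zone name, resolver addresses and query log are all my own assumptions; how the host is made to perform the lookup is left out, and the example works from whatever (qname, source address) records the authoritative server has logged.

```python
"""Added example (not the talk's code): encode a host's LAN address into a DNS
label and, on the authoritative side, decide which hosts resolved the name via
a path other than the corporate resolver.

Assumptions (mine): probe names have the shape <hexip>.<PROBE_ZONE>, the
corporate resolvers' egress addresses are known, and the authoritative server
logs (qname, source address) pairs like the constructed QUERY_LOG below.
"""
import ipaddress

PROBE_ZONE = "probe.example.internal"                     # assumed zone we serve
CORPORATE_RESOLVERS = {"198.51.100.10", "198.51.100.11"}  # assumed egress IPs


def encode_host(lan_ip: str) -> str:
    """10.0.1.5 -> 0a000105.probe.example.internal (hex keeps the label valid)."""
    packed = ipaddress.IPv4Address(lan_ip).packed
    return f"{packed.hex()}.{PROBE_ZONE}"


def decode_host(qname: str):
    """Reverse of encode_host; None for names that are not well-formed probes."""
    qname = qname.rstrip(".").lower()
    suffix = "." + PROBE_ZONE
    if not qname.endswith(suffix):
        return None
    label = qname[: -len(suffix)]
    if len(label) != 8 or "." in label:
        return None
    try:
        return str(ipaddress.IPv4Address(bytes.fromhex(label)))
    except ValueError:
        return None


def classify(qname: str, src_ip: str):
    """Return (lan_host, verdict, src_ip) for a probe query, else None.
    verdict is 'ok' when the query came in via a corporate resolver and
    'alternate-path' when it arrived from anywhere else."""
    host = decode_host(qname)
    if host is None:
        return None
    verdict = "ok" if src_ip in CORPORATE_RESOLVERS else "alternate-path"
    return host, verdict, src_ip


# Constructed query log: (qname, source address seen by the authoritative server)
QUERY_LOG = [
    ("0a000105.probe.example.internal", "198.51.100.10"),  # via corporate resolver
    ("0a000107.probe.example.internal", "203.0.113.77"),   # via some outside resolver
    ("0a000105.probe.example.internal", "198.51.100.11"),  # via corporate resolver
    ("www.example.com", "203.0.113.1"),                    # unrelated query, ignored
    ("zz000105.probe.example.internal", "198.51.100.10"),  # malformed label, ignored
]


def find_backdoors(query_log):
    """Map each LAN host that resolved a probe over an alternate path to the
    set of resolver addresses its queries arrived from."""
    suspects = {}
    for qname, src in query_log:
        result = classify(qname, src)
        if result and result[1] == "alternate-path":
            suspects.setdefault(result[0], set()).add(src)
    return suspects


if __name__ == "__main__":
    print(find_backdoors(QUERY_LOG))
```

Running the same comparison continuously is what the summary hints at: a host whose probe queries start arriving from a new resolver address has, in effect, switched default gateways.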
Summary
The application is very specific. Data mining would be a good place to apply this. You could use this to find out when a host is switching default gateways on the network.
——————————————
Georg-Christian Pranschke: SNMP – Simple Network Mediated (Cisco) Pwnage
SNMP is the Simple Network Management Protocol. It is active on every network and runs on port 161, with some traffic on port 162.
SNMP community strings function like passwords.
SNMP is a plaintext protocol. Because it runs over UDP, spoofing is possible. Get/Set requests contain the community string, and because community strings are like passwords they suffer from the same problems that passwords do.
What does SNMP give you?
Information disclosure like
- IP Addresses
- Routing Information
- Running Processes
- Running Services
- Installed Software
- Usernames
- Passwords
Specifically Cisco
You can brute force a Cisco appliance via:
- TELNET: Often only password required
- SSH: Needs username and password
- HTTPS: Needs authentication
- SNMP: You can brute force a device as fast as you can send out packets. Only the community string is needed.
SNMP On Cisco Appliances
- Remote configuration through SNMP:
Setting OIDs
Configuration uploads and downloads via TFTP
Running config on the device
Exploiting Cisco Misconfiguration
FRISK-O is a rogue management interface. It brute forces community strings, downloads running and startup configurations, and extracts and decrypts all Cisco passwords and hashes. It has spoofing capabilities.
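Two points from this talk, that SNMP community strings are guessed as fast as packets can be sent and that the transport is spoofable UDP, shape what a defender can detect. As an added example (not the speaker's code and not part of FRISK-O), the following watches a syslog feed from a Cisco device for bursts of SNMP authentication failures from one source. The sample lines are constructed and modelled on the IOS "%SNMP-3-AUTHFAIL" message; the device name, addresses, thresholds and the assumed log year are mine.

```python
"""Added example (not from the talk or the FRISK-O tool): detect community-string
guessing against a Cisco device from its syslog output.

Assumptions (mine): the device forwards %SNMP-3-AUTHFAIL messages to a
collector, lines look like the constructed SAMPLE_SYSLOG below, and THRESHOLD
or more failures from one source within WINDOW_SECONDS is worth an alert.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

AUTHFAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<device>\S+) .*"
    r"%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)"
)
THRESHOLD = 10        # assumed: failures per window that trigger an alert
WINDOW_SECONDS = 5
LOG_YEAR = 2009       # syslog timestamps carry no year; assumed for parsing

# Constructed sample: twelve failures from one source within three seconds,
# two isolated failures from another source a minute apart (a mistyped
# community string, say), and one unrelated message.
_FAIL = "%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host"
SAMPLE_SYSLOG = "\n".join(
    [f"Oct 10 11:05:{s:02d} core-rtr-1 {100 + i}: {_FAIL} 192.0.2.25"
     for i, s in enumerate([1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3])]
    + [f"Oct 10 11:05:10 core-rtr-1 200: {_FAIL} 192.0.2.30",
       f"Oct 10 11:06:05 core-rtr-1 201: {_FAIL} 192.0.2.30",
       "Oct 10 11:06:06 core-rtr-1 202: %SYS-5-CONFIG_I: Configured from console by admin on vty0"]
)


def parse_authfail(line):
    """Return (timestamp, device, source_ip) for an AUTHFAIL line, else None."""
    m = AUTHFAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["device"], m["src"]


def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of failures per (device, source); one alert per burst.
    Returns a list of (device, source_ip, failures_in_window)."""
    windows = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_authfail(line)
        if rec is None:
            continue
        ts, device, src = rec
        q = windows[(device, src)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((device, src, len(q)))
            q.clear()                                 # do not re-alert on the same burst
    return alerts


if __name__ == "__main__":
    for device, src, n in detect_bruteforce(SAMPLE_SYSLOG):
        print(f"{device}: {n} SNMP auth failures from {src} within {WINDOW_SECONDS}s")
```

One caveat that follows directly from the talk: because the requests travel over UDP, the source address in the AUTHFAIL message can be forged, so the alert reliably identifies the device under attack, not necessarily the attacker.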
Summary
Wow, I had to type my heart out to keep up with this talk. Gerhard basically discovered a vulnerability in SNMP, and realized that Cisco devices are managed via SNMP. Using the vulnerability he found you can brute force a Cisco device in a matter of seconds, and with a tool he wrote (FRISK-O) you can extract important information out of a Cisco device. He demonstrated hacking a Cisco device within a few seconds, extracting the password needed to access the device and logging into it.
That's it for the pre-lunch session.
Wow, I will need to learn to type faster.
If you did not make it today you are missing out. I am just managing to touch on the most important points. Lunchtime!