Country domination - Causing chaos and wreaking havoc

How to own a country

Country d0m1nat10n

balgan@ptcoresec.eu

Who Am I ?

• Tiago Henriques
• @balgan
• 24
• BSc
• MSc
• CEH
• CHFI
• CISSP
• MCSA
• CISA
• CISM
• CPT
• CCNA


Team Leader of these guise

Currently employed by these guise

What will we talk about today?

I AM NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS THAT YOU PRACTICE OR ANYONE THAT LEARNS SOMETHING FROM TODAY’S PRESENTATION.

Causing Chaos.

If you guys were an attacker out to cause real damage or get profit, how would you go about it?

This is what I would do: control as many machines in that country as possible, penetrate critical systems and get as much info as possible.

And that’s what I’m gonna talk about today.

Business

When a client asks for a pentest, we present them with these

And that’s all really neat and pretty, however there are 2 problems with that! These guys don’t give a f***.

Management / Blackhats

FOCUS

Management

Cares about:

• Money
• Money
• Money

Does:
• Will lie for PCI DSS
• Approves every single thing even if it doesn’t match security department goals but gets them moneys.

This shit gives us, security peeps, headaches!

Blackhats

I managed to acquire video footage that shows these guys in action and their vision of the world, let’s have a sneak peek!

Video - Blackhats

Tonight only, I ask one thing of you

Leave your whitehats and CISSPs at home, and embark on a journey with me to make the world…

SHODAN

SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners.

Another way of putting it would be:

Is the

Of these

Now combine this:

With these:

And you get a lot of these

Also if you do anything illegal and get caught, you’ll get one of these:

SHODAN

Now is when you ask

Shodan

http://www.shodanhq.com/

SHODAN

Accessing that website gives you a search bar, where you can type queries and obtain results.

Your queries can filter on ports, countries, strings contained in the banners, and all sorts of other things.

Following is a sample set of queries that can lead to some interesting results:

SHODAN QUERIES

• http://www.shodanhq.com/?q=cisco-IOS
• http://www.shodanhq.com/?q=IIS+4.0
• http://www.shodanhq.com/?q=Xerver
• http://www.shodanhq.com/?q=Fuji+xerox
• http://www.shodanhq.com/?q=JetDirect
• http://www.shodanhq.com/?q=Netgear
• http://www.shodanhq.com/?q=%22Anonymous+access+allowed%22
• http://www.shodanhq.com/?q=Golden+FTP+Server

SHODAN QUERIES + combined country? Awesome!

Saturday, 9th of June 2012

SHODAN QUERIES + combined country

Port: 3306 country:PT

SHODAN QUERIES + combined country? Awesome!

Wednesday, 6th of June 2012

SHODAN QUERIES + combined country

BigIP country:PT

SHODAN QUERIES + combined country? Awesome!

Tuesday, March 13, 2012

SHODAN QUERIES + combined country

port:3389 -allowed country:PT

SHODAN QUERIES + combined country? Awesome!
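The three queries above combine free text, a port: filter, a country: filter and a leading "-" to exclude a term. The following is an added example (not Shodan's code and not from the talk) that models just that syntax and replays the slide queries against a constructed banner inventory of the kind a defender keeps for their own address space, so you can see which of your own hosts such a query would surface. The inventory rows, banner strings and the simplified matching rules are assumptions; real Shodan has many more filters and tokenises banners differently.

```python
"""Replay slide-style Shodan queries against a local banner inventory.

Added example, not Shodan's code and not the author's. Supports only the
syntax seen on the slides: free-text terms matched against the banner,
port:<n> and country:<CC> filters, and a leading '-' to exclude a term.
"""

# Constructed inventory: the sort of (ip, port, country, banner) rows a
# defender keeps for their own address space. Every value here is made up.
INVENTORY = [
    {"ip": "203.0.113.10", "port": 3306, "country": "PT",
     "banner": "5.5.20-log mysql_native_password"},
    {"ip": "203.0.113.11", "port": 3389, "country": "PT",
     "banner": "Remote Desktop Protocol\r\nNLA: not required"},
    {"ip": "203.0.113.12", "port": 3389, "country": "PT",
     "banner": "Remote Desktop Protocol\r\nonly NLA allowed"},
    {"ip": "203.0.113.13", "port": 443, "country": "PT",
     "banner": "HTTP/1.1 200 OK\r\nServer: BigIP"},
    {"ip": "198.51.100.7", "port": 3306, "country": "DE",
     "banner": "5.1.73 mysql_native_password"},
    {"ip": "198.51.100.8", "port": 23, "country": "PT",
     "banner": "login: Password: list of built-in commands"},
]


def parse_query(query):
    """Split a query into filters {name: (value, negated)}, required terms
    and excluded terms. Terms are lower-cased; matching is case-insensitive."""
    filters, must, must_not = {}, [], []
    for token in query.split():
        negated = token.startswith("-")
        if negated:
            token = token[1:]
        if ":" in token:
            name, value = token.split(":", 1)
            filters[name.lower()] = (value, negated)
        elif negated:
            must_not.append(token.lower())
        else:
            must.append(token.lower())
    return filters, must, must_not


def matches(record, query):
    """True if one inventory record satisfies every part of the query."""
    filters, must, must_not = parse_query(query)
    banner = record["banner"].lower()
    for name, (value, negated) in filters.items():
        if name == "port":
            hit = record["port"] == int(value)
        elif name == "country":
            hit = record["country"].upper() == value.upper()
        else:
            raise ValueError("unsupported filter: " + name)
        if hit == negated:          # filter failed, or a negated filter matched
            return False
    if any(term not in banner for term in must):
        return False
    if any(term in banner for term in must_not):
        return False
    return True


def search(query, inventory=INVENTORY):
    """IPs of inventory records matching the query, in inventory order."""
    return [r["ip"] for r in inventory if matches(r, query)]


def exposure_by_port(query, inventory=INVENTORY):
    """Count matching records per port: a quick view of which services a
    query would surface within your own address space."""
    counts = {}
    for r in inventory:
        if matches(r, query):
            counts[r["port"]] = counts.get(r["port"], 0) + 1
    return counts


if __name__ == "__main__":
    for q in ("port:3306 country:PT", "BigIP country:PT",
              "port:3389 -allowed country:PT", "port:23 country:PT"):
        print(f"{q:32} -> {search(q)}")
    print(exposure_by_port("country:PT"))
```

Pointing this at an export of your own banner grabs, rather than at Shodan, gives the same answer the queries on these slides would give an outsider, minus the lag Shodan's imported scans introduce.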

SHODAN QUERIES OF AWESOMENESS

SAP Web Application Server (ICM)

Worldwide

Portugal

SHODAN QUERIES OF AWESOMENESS

SAP NetWeaver Application Server

Worldwide

Portugal

SHODAN QUERIES OF AWESOMENESS

SAP Web Application Server

Worldwide

Portugal

SHODAN QUERIES OF AWESOMENESS

SAP J2EE Engine

Worldwide

Portugal

SHODAN QUERIES OF AWESOMENESS

SHODAN QUERIES OF AWESOMENESS

port:23 country:PT

Worldwide

Portugal

SHODAN QUERIES OF AWESOMENESS

port:23 country:PT

Username: admin
Password: smcadmin

SHODAN QUERIES OF AWESOMENESS

port:23 list of built-in commands

Worldwide

Not a big number, however just telnet in and you get shell…

SHODAN QUERIES OF AWESOMENESS

port:161 country:PT

Worldwide

Portugal

SHODAN QUERIES OF AWESOMENESS

What sort of info do I get with SNMP?

• Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
• Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
• Windows SYSTEM INFO 1.3.6.1.2.1.1.1
• Windows HOSTNAME 1.3.6.1.2.1.1.5
• Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
• Windows UPTIME 1.3.6.1.2.1.1.3
• Windows USERS 1.3.6.1.4.1.77.1.2.25
• Windows SHARES 1.3.6.1.4.1.77.1.2.27
• Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
• Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
• Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
• Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0

SHODAN QUERIES OF AWESOMENESS

What sort of info do I get with SNMP?

• Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
• Linux SYSTEM INFO 1.3.6.1.2.1.1.1
• Linux HOSTNAME 1.3.6.1.2.1.1.5
• Linux UPTIME 1.3.6.1.2.1.1.3
• Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
• Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
• Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
• Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0

SHODAN QUERIES OF AWESOMENESS

What sort of info do I get with SNMP?

• Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
• Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
• Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
• Cisco HOSTNAME 1.3.6.1.2.1.1.5
• Cisco SNMP communities 1.3.6.1.6.3.12.1.3.1.4
• Cisco UPTIME 1.3.6.1.2.1.1.3
• Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
• Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
• Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
• Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
• Cisco LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
• Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
• Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
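The three OID lists above are the inventory a read-only community string hands out. To turn them into something actionable on the defending side, here is an added example (not the talk's tooling) that annotates an snmpwalk-style dump of one of your own devices with those OID families, so an audit shows at a glance what an open port 161 would leak. The OID prefixes are the ones from the slides (Windows, Linux and Cisco lists merged, with the category names shortened); the dump lines and the hostnames in them are constructed.

```python
"""Annotate an snmpwalk-style dump with the OID families from the slides.

Added example, not the author's tooling. Run it over a walk of your OWN
device to see what a read-only community string exposes. The dump below is
constructed; the OID prefixes are the ones listed on the slides.
"""
import re

# OID prefix -> what it exposes (Windows, Linux and Cisco lists merged).
# The slides' TCP/UDP entries end in .0.0.0.0, i.e. sockets bound to
# 0.0.0.0 (listening on all interfaces); loopback-only sockets will not match.
OID_TABLE = {
    "1.3.6.1.2.1.1.1": "SYSTEM INFO",
    "1.3.6.1.2.1.1.3": "UPTIME",
    "1.3.6.1.2.1.1.5": "HOSTNAME",
    "1.3.6.1.2.1.2.2.1.2": "INTERFACES",
    "1.3.6.1.2.1.4.20.1.1": "IP ADDRESSES",
    "1.3.6.1.2.1.6.13.1.3.0.0.0.0": "LISTENING TCP PORTS",
    "1.3.6.1.2.1.7.5.1.2.0.0.0.0": "LISTENING UDP PORTS",
    "1.3.6.1.2.1.25.2.3.1.3": "DISKS / MOUNTPOINTS",
    "1.3.6.1.2.1.25.4.2.1.2": "RUNNING PROCESSES",
    "1.3.6.1.2.1.25.4.2.1.4": "RUNNING SOFTWARE PATHS",
    "1.3.6.1.2.1.25.6.3.1.2": "INSTALLED SOFTWARE",
    "1.3.6.1.4.1.77.1.2.3.1.1": "SERVICES",
    "1.3.6.1.4.1.77.1.2.25": "USERS",
    "1.3.6.1.4.1.77.1.2.27": "SHARES",
    "1.3.6.1.4.1.77.1.4.1": "DOMAIN",
    "1.3.6.1.4.1.9.2.1.5": "TACACS SERVER",
    "1.3.6.1.6.3.12.1.3.1.4": "SNMP COMMUNITIES",
}

# Constructed snmpwalk output (net-snmp style "iso." prefix, Linux host).
SAMPLE_WALK = """
iso.3.6.1.2.1.1.1.0 = STRING: "Linux fileserver 3.2.0 #1 SMP x86_64"
iso.3.6.1.2.1.1.3.0 = Timeticks: (123456) 0:20:34.56
iso.3.6.1.2.1.1.5.0 = STRING: "fileserver.example.internal"
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (99) 0:00:00.99
iso.3.6.1.2.1.25.4.2.1.2.1 = STRING: "init"
iso.3.6.1.2.1.25.4.2.1.2.812 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.4.812 = STRING: "/usr/sbin/sshd"
iso.3.6.1.2.1.6.13.1.3.0.0.0.0.22.0.0.0.0.0 = INTEGER: 22
iso.3.6.1.2.1.6.13.1.3.127.0.0.1.3306.0.0.0.0.0 = INTEGER: 3306
""".strip().splitlines()

LINE_RE = re.compile(r"^([\d.]+)\s*=\s*(?:([A-Za-z][\w-]*):\s*)?(.*)$")


def parse_walk(lines):
    """Yield (oid, type, value) from snmpwalk lines; tolerates the 'iso.'
    and leading-dot OID styles and strips the quotes around STRING values."""
    for line in lines:
        line = line.strip()
        if line.startswith("iso."):
            line = "1." + line[4:]
        m = LINE_RE.match(line.lstrip("."))
        if not m:
            continue
        oid, typ, value = m.groups()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        yield oid, typ, value


def classify(oid):
    """Label of the longest OID_TABLE prefix that covers oid, or None."""
    parts = oid.split(".")
    best_len, best_label = 0, None
    for prefix, label in OID_TABLE.items():
        p = prefix.split(".")
        if parts[: len(p)] == p and len(p) > best_len:
            best_len, best_label = len(p), label
    return best_label


def audit(lines):
    """Group the values a walk returned under the slide categories."""
    report = {}
    for oid, _typ, value in parse_walk(lines):
        label = classify(oid)
        if label is not None:
            report.setdefault(label, []).append(value)
    return report


if __name__ == "__main__":
    for label, values in audit(SAMPLE_WALK).items():
        print(f"{label:24} {values}")
```

Note that the loopback-bound 3306 socket in the sample is deliberately left out of the report: the slide OIDs for listening ports are scoped to 0.0.0.0, which is exactly the set reachable from outside.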

SHODAN QUERIES OF AWESOMENESS

SHODAN QUERIES OF AWESOMENESS

cisco country:PT

Worldwide

Portugal

SHODAN QUERIES OF AWESOMENESS

cisco country:PT

Cisco

Cisco – GRE TUNNELING

SHODAN QUERIES OF AWESOMENESS

port:1900 country:PT

Worldwide

Portugal

SHODAN QUERIES OF AWESOMENESS

So, What is UPNP?

SHODAN QUERIES OF AWESOMENESS

So, what uses UPNP?

SHODAN QUERIES OF AWESOMENESS

Hackz

SHODAN QUERIES OF AWESOMENESS

Hackz

SHODAN QUERIES OF AWESOMENESS

UPNP zomg time

SHODAN QUERIES OF AWESOMENESS

UPNP Remote command execution

SHODAN QUERIES OF AWESOMENESS

Oh and by the way…

SHODAN QUERIES OF AWESOMENESS

Another funny thing about UPNP is that you can get the MAC ADDR and SSID it’s using

And then….

SHODAN (MORE INTERESTING) QUERIES

• http://www.shodanhq.com/?q=PLC
• http://www.shodanhq.com/?q=allen+bradley
• http://www.shodanhq.com/?q=fanuc
• http://www.shodanhq.com/?q=Rockwell
• http://www.shodanhq.com/?q=Cimplicity
• http://www.shodanhq.com/?q=Omron
• http://www.shodanhq.com/?q=Novatech
• http://www.shodanhq.com/?q=Citect
• http://www.shodanhq.com/?q=RTU
• http://www.shodanhq.com/?q=Modbus+Bridge
• http://www.shodanhq.com/?q=modicon
• http://www.shodanhq.com/?q=bacnet
• http://www.shodanhq.com/?q=telemetry+gateway
• http://www.shodanhq.com/?q=SIMATIC
• http://www.shodanhq.com/?q=hmi
• http://www.shodanhq.com/?q=siemens+-...er+-Subscriber
• http://www.shodanhq.com/?q=scada+RTS
• http://www.shodanhq.com/?q=SCHNEIDER

SCADA

SHODAN (MORE INTERESTING) QUERIES

SCADA

PORTUGAL?

SHODAN (MORE INTERESTING) QUERIES

SCADA Portugal

If you want to quickly check for stuff (web related) that has no authentication, use NMAP!

A little tip…

First, let’s get wkhtmltoimage:

wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/

Next, let’s get and install the Nmap module:

git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb

A little tip…

Then, do your shodan search and use:

A little tip…

This automatically exports a list of IPs you can import into nmap

Then…

A little tip…

And nmap will automatically take screenshots of the first pages that appear and store them; then you just need to look at those!

A little tip…
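One check worth inserting between the Shodan export and nmap is a scope filter: a flat IP list pulled from search results will contain hosts you have no authorisation to touch, and nmap -iL will happily scan all of them. The following is an added example (not from the talk) that keeps only the exported addresses inside the ranges you own and sets the rest aside for review, then builds the nmap invocation from the tip as an argv list. The exported list, the in-scope ranges and the port selection are constructed assumptions; http-screenshot is the NSE script installed above.

```python
"""Scope-check a Shodan IP export before handing it to nmap -iL.

Added example, not the talk's tooling. Shodan's export gives you a flat IP
list; this keeps only addresses inside the ranges you are authorised to scan
and collects the rest for review. Inputs below are constructed.
"""
import ipaddress

# Constructed: what an exported IP list might look like (one address per line,
# with a blank line, a comment, a duplicate and junk to show they are handled).
EXPORTED_IPS = """
203.0.113.5
203.0.113.77
# note: copied from search results
198.51.100.9
2001:db8::10
not-an-ip
203.0.113.5
""".strip().splitlines()

# Constructed: the address ranges you own / have written authorisation for.
IN_SCOPE = ["203.0.113.0/24", "2001:db8::/32"]


def partition_targets(lines, scope_cidrs):
    """Return (in_scope, out_of_scope, rejected): in-scope addresses in input
    order without duplicates, addresses outside every scope network, and
    tokens that are not IP addresses at all."""
    networks = [ipaddress.ip_network(c, strict=False) for c in scope_cidrs]
    in_scope, out_of_scope, rejected, seen = [], [], [], set()
    for raw in lines:
        token = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not token or token in seen:
            continue
        seen.add(token)
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            rejected.append(token)
            continue
        if any(addr in net for net in networks):
            in_scope.append(str(addr))
        else:
            out_of_scope.append(str(addr))
    return in_scope, out_of_scope, rejected


def nmap_command(target_file, ports=(80, 443, 8080)):
    """The screenshot scan from the tip as an argv list (ports are an
    assumption), so it can go straight to subprocess.run without shell quoting."""
    return ["nmap", "-p", ",".join(str(p) for p in ports),
            "--script=http-screenshot", "-iL", target_file]


if __name__ == "__main__":
    ok, outside, junk = partition_targets(EXPORTED_IPS, IN_SCOPE)
    with open("targets.txt", "w") as fh:
        fh.write("\n".join(ok) + "\n")
    print("in scope:", ok)
    print("outside scope (not written):", outside)
    print("rejected tokens:", junk)
    print(" ".join(nmap_command("targets.txt")))
```

Only targets.txt reaches nmap; the out-of-scope and rejected lists are printed so the person running the scan sees what was dropped instead of silently scanning it.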

To end…

SCARY SHIT!

DEFACE 1 SCARY?

NO!

SCARY SHIT!

DEFACE 2 SCARY?

Well… disturbing, scary? Not so much!

SCARY SHIT!

SCARY SHIT!

SCARY SHIT!

Shodan – the bad part

• Imports nmap scans from their servers, so it’s not always 100% updated! Confirmed this by correlating some of the Shodan results with our own results!

• For example, on MySQL servers Shodan would find 785, where our results showed 3000+

Shodan – the good part

• Good querying system

• If port scanning is illegal in your country, you’re out of trouble if you use Shodan, because you’re just querying data acquired by them.

Kudos

Aaron @f1nux

GF

Luis Grangeia

Resources

http://secanalysis.com/interesting-shodan-searches/

blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html

http://www.youtube.com/watch?v=LPgZU7ZNIjQ - Defcon 18 2010 SHODAN for Penetration Testers Michael Schearer

50% discount for students and AP2SI peeps