Mirai botnet Intro to discussion [email protected] @slawekja OWASP Kraków, 15.11.2016


We have all heard about it...

Mirai intro to discussion, OWASP Kraków 2016.11.15 @slawekja

The most often pointed-at manufacturer


No, it's not us, it's the users!

http://www.xiongmaitech.com/index.php/news/info/12/76 (only in Chinese; I used Google Translate)


My story...
The best-priced IP camera with PoE and the ONVIF management standard (was supposed to) assure painless integration of the video into my installation.


Malware embedded...

http://artfulhacker.com/post/142519805054/beware-even-things-on-amazon-come
https://ipcamtalk.com/threads/brenz-pl-malware-in-ip-cameras-what-now.12851/
http://forums.whirlpool.net.au/forum-replies.cfm?t=2362073&p=11r211


Path traversal


Auth bypass...


Cloud service


The cloud service
# tcpdump host camera.local
18:48:41.290938 IP camera.local.49030 > ec2-54-72-86-70.eu-west-1.compute.amazonaws.com.8000: UDP, length 25


Device login: no password, static captcha, id = MAC ;)


FAQ


Telnet


Nmap
root@kali:~# nmap 10.5.5.20
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-06 10:59 EST
Nmap scan report for 10.5.5.20
Host is up (0.019s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
554/tcp  open  rtsp
8899/tcp open  ospf-lite


Mirai credentials for brute-force
https://github.com/securing/mirai_credentials


Now go and brute the telnet
root@kali:~# hydra -C mirai_creds.txt telnet://10.5.5.20


A few seconds later...


The telnet password
I did not have the credentials a few years ago... But the password was already known then.

No need to hack: search for the password and the name of the device in Russian.


Wait... But we have changed the default password, didn't we?


https://www.us-cert.gov/ncas/alerts/TA16-288A


So, where is the password?
# cat /etc/passwd
root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh
# mount
/dev/root on / type cramfs (ro,relatime)


Can we change it?
# passwd
-sh: passwd: not found
# echo "better etc passwd" > /etc/passwd
-sh: can't create /etc/passwd: Read-only file system
# mount -o remount,rw /
# mount
/dev/root on / type cramfs (ro,relatime)


So, it looks like we have to reflash...
The DVR (10.5.5.30) has telnet disabled in firmware versions starting mid-2015.
But for many models the upgrade is not available ;)
... and the DVR still has telnet on 9527 ;) not to mention other vulns.


How to upgrade firmware?


Let's imagine you are a regular camera user...
You have bought a camera in the nearest shop that sells cameras.
You know your camera is vulnerable and should be upgraded.
Try to find out how to do it, and where to find the firmware.


What do you think a regular user will do?


Device supply chain


Various vendors, same device


Supply chain
- Board Support Package (drivers, bootloader, kernel-level SDK): Broadcom, Texas Instruments, HiSilicon, WindRiver...
- Original Device Manufacturer (web interface, SDK, cloud...): usually unknown, from China, Taiwan etc.
- Original Equipment Manufacturer: composing and branding ODMs + support, license, warranty...
- Value Added Reseller / Distributor
- End user

Fabless manufacturing


Features, Price! (at every layer)


Security? (at every layer: ?)


Mirai


Back in 2012: Internet Census Project
http://internetcensus2012.bitbucket.org/paper.html


2012 vs 2016

https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html
http://internetcensus2012.bitbucket.org/paper.html


Mirai source
https://github.com/jgamblin/Mirai-Source-Code/

Warning: the zip file for this repo is being identified by some AV programs as malware.


Worth reading: the original post that came with the source code: Mirai-Source-Code-master/ForumPost.txt


How does it spread?
mirai/bot/scanner.c


Scans random IPs, with several exclusions ;)


Next, it tries to hit telnet, and once per ten attempts also port 2323.


Password list


Resolve C&C IP with DNS
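A defender-side check for the scanning step just described, as an added example that is not code from the talk or from the Mirai repository; the log format, the thresholds and the sample records are assumptions:

```python
"""Flag Mirai-style telnet scanners in a connection log.

Added example, not code from the slides or from the Mirai source. It keys on
what the slides describe for mirai/bot/scanner.c: SYNs to random IPs on
tcp/23, with about one attempt in ten aimed at tcp/2323. The log format and
the sample records below are constructed."""

from collections import defaultdict

SCAN_PORTS = {23, 2323}

# Constructed sample, one record per line: "epoch src dst dport tcp_flags"
SAMPLE_LOG = """\
1479226800 198.51.100.7 203.0.113.10 23 S
1479226800 198.51.100.7 203.0.113.11 23 S
1479226801 198.51.100.7 203.0.113.12 2323 S
1479226801 198.51.100.7 203.0.113.13 23 S
1479226802 198.51.100.7 203.0.113.14 23 S
1479226802 198.51.100.7 203.0.113.15 23 S
1479226803 192.0.2.44 203.0.113.10 23 S
1479226803 192.0.2.44 203.0.113.10 23 S
1479226804 192.0.2.99 203.0.113.10 80 S
"""

def parse_record(line):
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags

def find_telnet_scanners(log_text, min_targets=5, window=60):
    """Sources that SYN to >= min_targets distinct hosts on 23/2323 within
    `window` seconds of their first such SYN -> {src: {targets, by_port}}."""
    first_seen = {}
    targets = defaultdict(set)
    by_port = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ts, src, dst, dport, flags = parse_record(line)
        if dport not in SCAN_PORTS or "S" not in flags:
            continue  # only SYNs to the two ports the scanner uses
        first_seen.setdefault(src, ts)
        if ts - first_seen[src] > window:
            continue  # outside this source's observation window
        targets[src].add(dst)  # distinct hosts: retries do not inflate the count
        by_port[src][dport] += 1
    return {src: {"targets": len(dsts), "by_port": dict(by_port[src])}
            for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, info in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} telnet targets, SYNs by port {info['by_port']}")
```

A real deployment would feed this from flow export or firewall logs and tune `min_targets` to the size of the monitored range; a single user never fans out like this.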


Catching Mirai


https://twitter.com/MiraiAttacks/
Live feed of commands sent to 500 infected machines


How about dynamic analysis?
We will expose the camera's telnet service directly to the Internet... and see what happens.

https://asciinema.org/a/1tynlhzfs0lmw6t3bn5k40cu7


Our setup
Devices: 2 cameras + 1 DVR
Router VPNs to a public IP and exposes the devices' telnet
Dump all traffic to/from the devices for analysis


Wireshark analysis
http://10.5.5.5/mirai.pcap
Right click -> Follow -> TCP Stream


Telnet session

Hello, my name is ...


Check processor version


Download payload into upnp


C&C connection establishment: DNS query


C&C DNS

Thanks: Josh Pyorre, OpenDNS


DNS domain taken by FBI

Thanks: Josh Pyorre, OpenDNS


whois hightechcrime.club
Registrant ID: C4853993-CLUB
Registrant Name: Zee Gate
Registrant Street: 666 antichrist lane
Registrant City: San Diego
Registrant State/Province: CA
Registrant Postal Code: 92050
Registrant Country: US
Registrant Phone: +1.7603014069
Registrant Fax: +1.7603014069
Registrant Email: [email protected]
Admin ID: C4853996-CLUB
Admin Name: Zee Gate
Admin Street: 666 antichrist lane


C&C


Scanning for new targets


Other variants: DONGS?


https://asciinema.org/a/eqayq785gwz5qqnbhnfrmwdkg (about 13:00)


What can we do?


Set your DNS to 127.0.0.1?


Not everyone can afford that ;)


Protocols?
P2P? We have seen it already...
Proprietary management protocol? It can reset the camera remotely to defaults if you forgot the password. Seriously ;)
And there was also an auth bypass in a similar (same?) one:
https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117


OUR LAB


3 devices:
Black one: 10.5.5.20
White one: 10.5.5.25
DVR: 10.5.5.30
admin/WIFI: owasp/ApplicationSecurity


Bot wars?
Will the black market regulate itself? ;)
Write a better bot, a vigilante hack? Remember Linux.Wifatch?
Find a vuln in the botnet?
https://www.invincealabs.com/blog/2016/10/killing-mirai


What can we do about it?
ISP? Block telnet, inform users?
Device callout? User awareness?
Regulatory?


Open source?
DD-WRT / OpenWrt is a great success.
Maybe we should write similar software for cameras?


Features at low cost, compromising on security, is just obscene ;) Let's do it better!


Many other vulns...


9527 debug telnet

telnet 10.5.5.30 9527
Console log of the device (including user passwords for RTSP)
Remote control of the device (if you know the user's password)


nmap -sS -sV -p 1-65535 10.5.5.20
PORT      STATE SERVICE    VERSION
23/tcp    open  telnet     Busybox telnetd
80/tcp    open  tcpwrapped
554/tcp   open  rtsp?
8899/tcp  open  soap       gSOAP soap 2.7
9527/tcp  open  unknown
34561/tcp open  unknown
34567/tcp open  unknown
34599/tcp open  unknown

Slide callouts: debug/telnet (9527), proprietary proto (the remaining unknown ports)
