Pen-Testing the Backbone Raven || NMRC raven@nmrc.org - PowerPoint PPT Presentation

About This Presentation
Title:

Pen-Testing the Backbone Raven || NMRC raven@nmrc.org

Description:

Pen-Testing the Backbone Raven || NMRC raven_at_nmrc.org Cultural differences Security geeks and ISP geeks tend to model disclosure and vulnerability handling differently. – PowerPoint PPT presentation

Number of Views:62
Avg rating:3.0/5.0
Slides: 36
Provided by: attrition
Learn more at: https://attrition.org
Category:

less

Transcript and Presenter's Notes

Title: Pen-Testing the Backbone Raven || NMRC raven@nmrc.org


1
Pen-Testing the BackboneRaven
NMRCraven_at_nmrc.org
2
Cultural differences
  • Security geeks and ISP geeks tend to model
    disclosure and vulnerability handling
    differently.
  • ISP engineers tend to believe in limited, tiered
    disclosure.
  • Most people here are likely to disagree with
    that.
  • A balance must be struck for maximum efficiency
    and security.

3
White box or black box?
  • Black box testing is good for external recon and
    data gathering.
  • However, it's far more difficult and likely to be
    destructive in implementation.
  • Many backbone vulnerabilites are
    denial-of-service oriented.
  • Since people get unhappy when you break their
    ISP, white-box testing is preferred.

4
Initial Reconnaissance
  • Choose your target search the registars for
    their address blocks, allocated autonomous
    systems, and other data. (Contacts if not role
    account, etc.)
  • Look on route servers and Internet maps to try to
    determine their peering.
  • Throw everything you get into Google, recurse
    when necessary to build a profile of the network.
  • Check mailing list archives for likely config
    details and public peering points.

5
Vendor-specific details
  • Each vendor has their own advisory and
    vulnerability disclosure practices. Become
    familiar with these for each vendor on your
    target network.
  • Acquire CCO, Juniper, etc. site logins when
    necessary to supplement vulnerability
    information.
  • Don't forget the switches this should go for
    all your network gear.

6
Code train vulnerabilities
  • Check the vulnerabilities specific to each code
    train implemented in your network.
  • Also check vulnerabilities in stacks/implementatio
    ns that your current code train is derived from.
    BSD vulnerabilities are worth checking for Cisco
    and JunOS boxes, for example a BSD telnet
    vulnerability (http//www.osvdb.org/displayvuln.p
    hp?osvdb_id809) also affected Cisco CatOS
    boxes.(http//www.cisco.com/warp/public/707/catos
    -telrcv-vuln-pub.shtml)
  • Some scanners incorporate these checks, but many
    may need to be done by hand. Beware of
    unintentional DoS while scanning.

7
Failure paths and trust relationships
  • Architectural review check for redunancy,
    network robustness, and security.
  • Do your authentication means have redundancy?
    Fallback? What is the weakest form of
    authentication one can force? (Reverting to no
    auth on a RADIUS server http//www.osvdb.org/disp
    layvuln.php?osvdb_id17644)
  • Once authenticated, is trust transitive? Can one
    log in directly from one backbone router to
    another? Are source IP addresses restricted?
  • Is there a single point of transit or
    authentication failure? What happens when it
    fails?

8
Failure and Trust II
  • If there is centralized authentication, how many
    servers are there? Are they hardened?
  • Are authentication credentials sent cleartext?
  • Where can you access the authentication server
    from? Often it's whitelisted in ACLs, so once
    owned, it's a free ticket into the
    infrastructure.
  • Can one set up a MitM attack against the
    authentication server to harvest credentials? Is
    the auth server itself vulnerable? (RADIUS
    exploit goes here.)

9
ObSlide Physical Security
  • Make sure all data centers and peering points
    have good physical security.
  • Test this. Repeatedly. Often.
  • Many of these attacks are only possible with
    local injection or access. Make sure that
    doesn't happen.
  • Good physical security is half the game.

10
Data Leaks
  • Check for data leaks at the network border
    connect to the switch and fire up a sniffer.
    This is particularly valuable at an exchange
    point with a port in promiscuous mode.
  • Cisco Discovery Protocol
  • Routing protocol information
  • Leaked switching data

11
Protocol injection speak my route?
  • If you can see the data, you can spoof the data.
  • Fake a routing annoucement and inject it. See if
    it gets picked up. Fake spanning tree. Fake
    CDP.
  • For a ghetto DoS attack, tear down links with
    spoofed packets. (Almost no clients want this
    level of testing.)
  • Many routing protocol implementations are
    unauthenticated. This is obviously insecure.

12
Rogue router
  • Connecting a new router to many data centers is
    easier than you'd think.
  • Plug in to the exchanging switch.
  • Depending on what data is being advertised, try
    to speak their routing protocols with a similar
    configuration.
  • Depending on your contract with the client, you
    may even be able to replace their router with one
    of your own.

13
Pwn3d router
  • If you have been able to get authentication
    credentials, or force a login (cisco/cisco,
    admin/company name, etc.), router hijack is
    possible.
  • Traffic redirection into a tunnel of your choice
    is possible -- GRE tunnels are popular in the
    wild among blackhats.
  • You may be able to advertise additional netblocks
    in a preferred fashion without authorization,
    affecting routing for the whole network.

14
Netblock hijack
  • It is also possible to announce and route other
    peoples' netblocks without authorization, if you
    can convince your upstream to take the route.
  • This has happened attackers stole a
    legitimately owned large netblock, announced it
    through their ISP, spammed and sent malware for
    about a week, and disconnected. This left the
    original owners nullrouted for a week,
    blacklisted everywhere, and with a huge mob of
    angry people at their door.

15
Configuration Review
  • Check the configurations of your client against
  • Secure BGP Template http//www.cymru.com/Documents
    /secure-bgp-template.html
  • Secure IOS Template http//www.cymru.com/Documents
    /secure-ios-template.html
  • Secure JunOS Template http//www.cymru.com/gillsr/
    documents/junos-template.pdf
  • Secure JunOS BGP Template http//www.cymru.com/gil
    lsr/documents/junos-bgp-template.pdf

16
Peering Security
  • Check the peering configuration of your target
    network.
  • Data may be advertised from route servers.
  • Ensure that authentication is in place for
    peering changes.
  • Ensure that machines which are used for network
    policy are well secured.

17
Consider filtering best practices
  • A recent survey by the RPSec Working Group of
    operators got a very rough idea of current
    filtering practices in the wild.
  • The results indicate that many people, even
    security-aware backbone operators, are still not
    using all the tools at their disposal.
  • Change management/network engineer time too
    expensive under their current business model? Or
    do they not care?

18
RPSec Survey Results Yes Answers
  • Incoming AS path filter for each of your BGP
    customers? (60)
  • Incoming prefix filter for each of your BGP
    customers? (80)
  • Set one or more communities for (BGP) customer
    routes? (80)
  • Outgoing AS path filter towards your
    peers/upstreams? (40)
  • Outgoing prefix filter towards your
    peers/upstreams? (53)
  • Filter outgoing updates towards your
    peers/upstreams based on communities? (67)
  • Do you need to make BGP configuration changes on
    more than one router when adding a BGP customer?
    (20)
  • 15 people surveyed small sample size, but
    relevant placement(http//www1.ietf.org/mail-archi
    ve/web/rpsec/current/msg01276.html)

19
Backbone vulnerabilities
  • Where do you get your vuln info?
  • Vendors Cisco, Juniper, etc have internal bug
    databases requiring a customer login
  • Mailing lists public vulnerability
    announcements
  • Vulnerability databases OSVDB, CVE, etc.
  • Previous work in the field done by FX, Paul
    Watson, Mike Lynn
  • Ongoing work by many researchers

20
FX's Cisco research
  • Cisco EIGRP spoofed packet neighbor saturation
    bug (http//www.osvdb.org/displayvuln.php?osvdb_id
    18055)
  • Cisco IOS CDP Neighbor Announcement DoS
    (http//www.osvdb.org/displayvuln.php?osvdb_id196
    9)
  • Other vulnerabilities include GRE attacks, a
    Cisco IOS TFTP Server Advisory, Cisco VPN
    Concentrator DoS code, Cisco ICMP Advisory, and
    Cisco memory mapping and remote exploits
    (http//www.phenoelit.de/ultimaratio/index.html)
  • IRPAS tool for pen-testing (http//www.phenoelit.d
    e/irpas/)

21
Paul Watson and the TCP Window
  • TCP stacks on backbone equipment (among others)
    failed to check RST packets against the window
    size as well as the sequence number. This
    allowed unauthenticated BGP sessions to have
    source and destination port guessed, spoofed, and
    easily reset. (http//www.osvdb.org/displayvuln.ph
    p?osvdb_id4030)
  • In addition to strengthening the Cisco TCP stack
    with a patched version of IOS, MD5 checksums on
    BGP sessions (BGP password) were implemented as
    a workaround. However, many NANOG engineers
    deemed this unnecessary after the facts were
    disclosed, and rolled back to unauthenticated
    sessions.

22
Mike Lynn and the remote shell
  • Cisco box compromised, using a probable heap
    overflow in their processing of IP v6 packets.
    Cisco box shoveled a shell with full enable
    privileges to a listening console session.
  • For the first time, remote exploitation of a box
    running Cisco IOS appears demonstrably possible.
  • Definitions of local exploit vs. remote exploit
    in question how was he connected to the box?
    Looked remote to me.

23
This isn't the remote root you're looking for.
  • Suddenly, Mike Lynn's talk has gone missing from
    the Black Hat handouts.
  • Suddenly, Mike Lynn's presentation is no longer
    on the Black Hat CD.
  • Suddenly, Mike Lynn's slides are not available.
  • Lawsuits and threats abound.

24
Why we need disclosure
  • "I feel I had to do what's right for the country
    and the national infrastructure," he said. "It
    has been confirmed that bad people are working on
    this (compromising IOS). The right thing to do
    here is to make sure that everyone knows that
    it's vulnerable." -- Mike Lynn, as quoted
    Wednesday in SecurityFocus
    (http//www.securityfocus.com/news/11259)

25
Suing researchers into oblivion is not the way to
achieve security.
  • Cisco and ISS filed suit against Mike Lynn on
    Wednesday afternoon, with a temporary restraining
    order prohibiting him from speaking about this
    exploit. (http//www.securityfocus.com/news/1125
    9)
  • Thursday, an accord was reached between the
    parties, and an injunction was signed prohibiting
    Mike Lynn from ever talking about his exploit
    again. All materials had to be returned to
    Cisco. (http//www.networkworld.com/news/2005/07
    2805-cisco-settlement.html)
  • This is stupid. Pretending the problem didn't
    happen will not make it go away. The black hats
    certainly won't ignore it.

26
Dear Cisco and ISS
  • In order to take security seriously, you must
    practice responsible disclosure. Ostrich tactics
    are not responsible disclosure.
  • Hiding known vulnerabilites and trying to gag
    researchers even after a fix is available hurts
    both your reputations and the securityof the
    Internet.
  • Developing and fostering good relationships with
    security researchers will help improve your
    products, and the Internet at large.
  • Duh.

27
What he said Mike Lynn Recap
  • Heap overflows are far more common in IOS than
    straightforward stack exploitation.
  • Watch for the Cisco watchdog check_heaps process,
    which will induce a router crash if it detects
    memory corruption.
  • Cisco routers generally crash rather than
    attempting recovery, so you have one shot at your
    overflow before the router goes down.
  • However, the crash process itself is
    interruptable.

28
What he said, II
  • By interrupting the crashing process, and feeding
    the router a state where it already believes it's
    crashing, you can buy yourself some time.
  • Spreading memory corruption on the heap is still
    a problem, so you'll have to manage that yourself
    in shellcode, or have 2 to 5 minutes before
    router memory failure is complete.
  • Once you have gained execution, the router is
    yours, though you may have to disable interrupts
    from the hardware to keep the processor.

29
What he said, III
  • Through methods like these, you can induce the
    remote box to shovel an enabled shell back to
    your listener. Root. Game over.
  • Lynn indicated that about one in ten Cisco
    vulnerabilities looked promising for this sort of
    exploitation.
  • Anything talking about memory corruption inducing
    a crash is a good start.
  • http//www.cisco.com/en/US/products/hw/routers/ps3
    54/products_field_notice09186a00800946c8.shtml
  • http//www.cisco.com/en/US/products/products_secur
    ity_advisory09186a008029e189.shtml
  • http//www.cisco.com/en/US/products/products_secur
    ity_advisory09186a00803be77c.shtml
  • http//www.cisco.com/en/US/products/products_secur
    ity_advisory09186a00803be7d9.shtml

30
What Cisco said, and didn't
  • Cisco recently released an advisory warning about
    vulnerabilites in their IP v6 processing.
    (http//www.cisco.com/warp/public/707/cisco-sa-20
    050729-ipv6.shtml)
  • Cisco Internetwork Operating System (IOS)
    Software is vulnerable to a Denial of Service
    (DoS) and potentially an arbitrary code execution
    attack from a specifically crafted IPv6 packet.
    The packet must be sent from a local network
    segment. Only devices that have been explicitly
    configured to process IPv6 traffic are affected.
    Upon successful exploitation, the device may
    reload or be open to further exploitation.

31
Local vs. Remote Exploit, v2.0
  • In their advisory, Cisco claims the IP v6
    vulnerability only works if...The packet must
    be sent from a local network segment.(http//www
    .cisco.com/warp/public/707/cisco-sa-20050729-ipv6.
    shtml)
  • A packet sent from one machine on your local
    subnet to another is still a remote attack.
  • This sounds suspiciously like a remote root to me.

32
See for yourself.
  • Input validation is good. Check the sources
    validate Cisco's own advisories against their
    Full Disclosure archived postings, in case they
    change.
  • Read FX's details of Cisco memory management on
    the heap for helpful disassembly and overflow
    technical details. http//www.phenoelit.de/ultim
    aratio/index.html
  • Also, there is http//cryptome.org/lynn-cisco.zip

33
Towards a more complete methodology
  • Treat backbone devices like computers they do
    have vulnerabilities, and these can be tested and
    exploited.
  • Treat backbone devices like very important
    computers avoid DoS outside the test lab
    without your client's permission, and tread
    carefully even with it.
  • In time, these test tools will also become
    automated, and part of a pen-tester's kit. We're
    still kind of in the Dark Ages now.

34
Mirrors of this talk
  • http//www.nmrc.org/dc13/PenTestingTheBackbone.ppt
  • http//www.oneeyedcrow.net/tech/PenTestingTheBackb
    one.ppt
  • http//www.infowarrior.org/users/rforno/raven-bh05
    .pdf
  • http//www.attrition.org/misc/ee/PenTestingTheBack
    bone.ppt
  • http//www.abditum.com/cisco/PenTestingTheBackbone
    .ppt
  • More mirrors to come

35
Thank you
  • Feel free to contact me regarding this talk, or
    with feedback or additional ideas, at
    raven_at_nmrc.org
  • Thanks also to Jericho and the OSVDB team, for
    prompt attention to vulnerability disclosure
  • Thanks to my mirror sites, and to the EFF, for
    supporting security research and free speech.
Write a Comment
User Comments (0)
About PowerShow.com