How do hackers break into your router?

This article was translated by deathmonkey of 伯乐在线 from disconnected. You are welcome to join the technical translation group. For reprinting, see the requirements at the end of the article.

Some time ago a friend who works in information security asked me to do a strange thing: to hack his router. Let's call him Bill. For privacy reasons, other names and places have been changed, but vendor names have been kept.

Hacking a large company is easy (maybe). Their information assets may be spread across the globe, and although they invest in all kinds of protective technology, that only makes it hard to keep track of all of it. Day after day they must rigorously run the scan-patch-repeat cycle on every asset, without fail.

Hacking an individual, on the other hand, is hard. It is true that blackhats have the advantage in the asymmetric nature of information security: sometimes a single bug is enough (to compromise a large company). But compared with a large company, the attack surface an individual exposes is very small. Besides, most people trust large vendors with their information, and cloud vendors usually do the decent thing of protecting people from attack.

I started with basic reconnaissance. I like to use Maltego, plus sites like checkusernames.com, knowem.com and pipl search, and other tools to enumerate online presence. There are also the classics: Google+, Facebook and LinkedIn. A fake Facebook profile helps with this kind of work. The bait profile should be tailored to your target; it helps when extracting additional information via social engineering.

In terms of online presence, password reset questions are a good method (low-hanging fruit). I have seen webmail accounts ask for information that can be pulled straight from the target's Facebook profile. I'm sure most people don't even make the connection; they may have written those reset questions five years ago (and have long since forgotten). None of that was going to work here, though. My target was an infosec nerd, and he was expecting me.

Time to take the fight to him. First, I checked whether he was hosting anything on his home Internet connection. He might have been doing so without noticing. Many applications and devices use UPnP to punch holes in consumer-grade firewalls. Sometimes a NAS or media server is all it takes to open a backdoor. To find his home IP address I used a Skype resolver such as resolvme.org. It worked brilliantly. I scanned his IP address (and a few neighbouring IPs) to see whether I could find any services. No dice, though... I'm sure he figured I would do this.

All right, next up: 802.11. Wireless networks are a great attack vector. I have two Radeon 6990s in an i7 rig that chews through WPA hashes. I use a Markov predictive wordlist generator to feed guesses to oclHashcat. It achieves an 80% average crack rate within 8 hours.

So I went to Bill's address (with various Alfa wifi cards in tow). I actually know Bill's address, but I could have obtained it through recon or social engineering; it's no secret. After successfully capturing a WPA handshake, I ran the cracker for a week. Still nothing. That would probably work on most people, but Bill is an infosec guy. His WPA key is probably longer than 32 characters.

At this point you may be wondering why I didn't just spear-phish him with a Java 0-day and go enjoy my victory beer. The answer is simple: I know my target. He has mastered the scan-patch-repeat mantra. And if I really had a browser 0-day in hand, I would have used it to win last week.

After my visit to Bill's place, I came away with one useful piece of information: the MAC address (BSSID) of his wireless router, 06:A1:51:E3:15:E3. Since I have the OUI (the first 3 bytes of the MAC), I know it's a Netgear router. I also know Netgear routers have some issues, but Bill was running the latest firmware. That doesn't mean every vulnerability has been patched in that firmware, though. The only way to be sure was to buy a Netgear router and test it myself.

Determining the exact model is probably not possible (not remotely, anyway). Consumer devices may vary a lot between models, since the reference platforms come from SoC vendors such as Broadcom and Atheros. I know Bill is a bit frugal, so I chose the WNDR3400v3, the entry-level unit.

After learning about some of the device's weaknesses, I wrote two Metasploit modules. In the first module, I used a CSRF bug to POST to the UPnP interface and punch a hole to reach the router's own telnet service. This issue exists in many other devices as well and is worth emphasizing:

If you can spoof UPnP requests via CSRF, you can turn the entire network inside out.

That is the key point. I opened a single port. You could use Ajax requests from the victim's browser to configure NAT entries for every IP in the subnet, effectively disabling the firewall. There are of course hard limits on the number of UPnP NAT entries, but most devices allow enough entries to map a few key ports for a hundred hosts or so.

To lure Bill into my trap, I sent him an email with an embedded link. Cobalt Strike has a tool to copy an existing email (headers and all), so it was easy; all I needed to do was change the link. So which email does everyone click, even an infosec guy? LinkedIn invites.

EDIT: Some readers may wonder why Bill would fall for this. Even a cursory check of the sender domain or the link would have revealed a problem. A good pretext is the key to a successful campaign; for background on pretexting, see this article. In this case the invite appeared to come from someone he had met with that afternoon. Well, it was more of an informal job interview. I suppose it was confirmation bias: he wanted to believe he got the job.

Before I sent the email, I needed a follow-up payload. By default the telnet port is open on Netgear routers, but the service does not respond. You have to connect to the port and send a special unlock key. Public exploits for this flaw exist, but I wrote another MSF module anyway, because I love my Ruby (and Metasploit).

Bill clicked the link. As soon as I saw the callback, I triggered the second module and logged into the router via telnet. Once I had root access on the router, I immediately changed the DNS settings to point at a DNS server I control.

Controlling DNS is a powerful thing; it effectively gives you on-demand man-in-the-middle. There are many MITM vectors, but I like Evilgrade for its stealth. Evilgrade has been around for years and still works great (with some necessary modifications). I waited about a week before Bill decided to upgrade notepad++ to the new version. When he did, he was fed a backdoored version that gave me a Meterpreter shell on his computer. I immediately emailed him a few screenshots and a keystroke log, and a few minutes later he unplugged his computer.

In the end I was rewarded with a six-pack of Ruby ale. I love my Ruby!


=======================================================================================================


HOW I HACKED YOUR ROUTER

Some time ago a friend in infosec asked me to do a strange thing.  He asked me to hack him.  We will call him Bill, for the sake of anonymity.  Other names and places have been changed to protect the innocent.  Vendor names have been kept to incriminate the guilty.

Hacking a large corporation is easy(ish).  They have information assets that may span the globe, and despite investments in various protection technologies, it’s just hard to keep track of all that stuff.  It requires Zen-like discipline to rigorously follow the cycle of scan-patch-repeat day after day, on all assets in an organization, without fail.

Hacking a person can be tough.  It’s true that blackhats have the advantage in terms of the asymmetric nature of information security.  Sometimes it only takes one bug.  But the attack surface area of a single individual is quite small compared to a corporation.  In addition, most people trust large vendors with their information and the cloud vendors typically do a decent job of protecting people.

I started with basic recon.  I like to use Maltego, along with sites like checkusernames.com, knowem.com, pipl search, and other tools to enumerate online presence.  There are also the classics like Google+, Facebook and Linkedin.  It helps to have a fake profile on Facebook for this kind of work.  A good bait profile should be tuned to your target.  It will help when extracting additional information via social engineering.

In terms of online presence, password reset questions are good low hanging fruit.  I’ve seen webmail accounts asking for information that you can pull right out of the target’s Facebook profile.  I’m sure most people don’t even make the connection; they may have written their reset questions 5 years ago.  None of this stuff was going to work in this case though.  My target was an infosec nerd, and he was expecting me.

Time to take the fight to him.  First, I checked to see if he is hosting anything on his home Internet connection.  He may have been doing this and not even know it.  Many apps and devices use UPnP to punch holes in consumer-grade firewalls without much fanfare.  Sometimes all it takes is a NAS or media server to open up a backdoor.  To find his home IP address, I used a Skype resolver, such as resolvme.org.  It worked brilliantly, so I scanned his IP address (and a few neighboring IPs) to see if I could find any services.  No dice though… I’m sure he figured I would do this.

Next up, 802.11.  Wireless networks are a great attack vector.  I have two Radeon 6990s in an i7 rig that chews through WPA hashes.  I use a Markov predictive wordlist generator to feed guesses to oclHashcat.  It can achieve an 80% average crack rate over an 8-hour time frame.

So I set about to Bill’s address with various Alfa wifi cards in tow.  While in this case I actually know Bill’s address, I may have been able to get this information via recon or social engineering.  It’s not exactly a secret.  After successfully capturing a WPA handshake, I ran the cracker for a week.  Still no dice.  This would probably work on most people, but Bill is an infosec guy.  His WPA key is probably >32 characters long.

At this point you’re probably wondering why I didn’t just spear-phish him with a Java 0-day and go have my victory beer.  The answer is simple — I know my target.  He has mastered the mantra of scan-patch-repeat.  Java isn’t even installed.  And if I did have a browser 0-day in my back pocket, I would have used it to win the pwn2own last week.

After my visit to Bill’s place, I did come away with one useful piece of information.  The wireless MAC address (BSSID) of his router: 06:A1:51:E3:15:E3.  Since I have the OUI (the first 3 bytes of the MAC), I know that it’s a Netgear router.  I also know that Netgear routers have some issues, but Bill was running the latest firmware.  That doesn’t mean that all the vulnerabilities were patched in the latest firmware though.  The only way to be sure was to buy a Netgear router and test it myself.

Determining the exact model is probably not possible (not remotely anyway).  Consumer devices may have a lot of variation between different models as the reference platforms come from SoC vendors such as Broadcom and Atheros.  I know that Bill is a bit frugal, so I went with the WNDR3400v3 — the entry level unit.

After reading about some of the vulnerabilities this device has had in the past, I created two Metasploit modules.  In the first module, I would use a CSRF bug to POST to the UPnP interface and punch a hole to access the telnet service of the router itself.  This issue likely exists in numerous other devices and is worth emphasizing:

If you can spoof UPnP requests via CSRF, you can turn the entire network inside-out.

That’s an important point.  I was opening up a single port.  You can use Ajax requests from the victim’s browser to configure NAT entries for every IP in a subnet, effectively disabling the firewall.  There are hard limits to the number of UPnP NAT entries of course, but most devices will allow enough entries to map a few key ports for a hundred hosts or so.
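Two defender-side checks for the CSRF-to-UPnP problem described above, added here as an example (not code from the post, from Metasploit or from any vendor): a request-origin check that a router or LAN proxy could apply before honouring a SOAP control request, and an audit of the existing port-mapping table that flags the gateway-exposing hole and an "inside-out" LAN. The gateway address, the sensitive-port list and the sample headers and mappings are assumptions constructed for the example.

```ruby
# Added example (not the post's code). Gateway address, port list and the
# sample data below are assumptions / constructed.
GATEWAY_IP = '192.168.1.1'.freeze   # assumed LAN address of the router
SENSITIVE_PORTS = [22, 23, 80, 443, 8080].freeze

# UPnP SOAP control requests come from native clients (NAS, console, media
# server), never from a web page. Browsers add Origin / Referer / Sec-Fetch-*
# headers that native stacks do not, a real SOAP POST carries SOAPACTION and a
# text/xml body, and CSRF pages use text/plain or form bodies to dodge a CORS
# preflight. A router can apply exactly this check before honouring a request.
def csrf_suspect?(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  return true if %w[origin referer sec-fetch-mode].any? { |k| h.key?(k) }
  return true unless h.key?('soapaction')
  !h.fetch('content-type', '').downcase.start_with?('text/xml')
end

# Each mapping: {ext:, int_ip:, int_port:, proto:}, as a walk of
# GetGenericPortMappingEntry returns them. Flags mappings that expose the
# gateway itself (the telnet hole in the post), sensitive internal ports, and
# an "inside-out" LAN where many distinct hosts have been mapped.
def audit_mappings(mappings, gateway_ip: GATEWAY_IP, host_limit: 10)
  findings = []
  mappings.each do |m|
    target = "#{m[:proto]} #{m[:ext]} -> #{m[:int_ip]}:#{m[:int_port]}"
    if m[:int_ip] == gateway_ip
      findings << "gateway itself exposed: #{target}"
    elsif SENSITIVE_PORTS.include?(m[:int_port])
      findings << "sensitive port exposed: #{target}"
    end
  end
  hosts = mappings.map { |m| m[:int_ip] }.uniq.size
  findings << "#{hosts} distinct LAN hosts mapped (limit #{host_limit})" if hosts > host_limit
  findings
end

# Constructed samples: a browser-originated request, a native one, and the
# mapping table after the post's attack plus two ordinary entries.
CSRF_HEADERS = { 'Origin' => 'http://attacker.example', 'Content-Type' => 'text/plain',
                 'SOAPAction' => '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"' }.freeze
NATIVE_HEADERS = { 'SOAPAction' => '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"',
                   'Content-Type' => 'text/xml; charset="utf-8"' }.freeze
SAMPLE_MAPPINGS = [
  { ext: 2323, int_ip: '192.168.1.1', int_port: 23, proto: 'TCP' },      # the post's hole
  { ext: 32400, int_ip: '192.168.1.20', int_port: 32400, proto: 'TCP' }, # media server
  { ext: 2222, int_ip: '192.168.1.30', int_port: 22, proto: 'TCP' }
].freeze

audit_mappings(SAMPLE_MAPPINGS).each { |f| puts "FINDING: #{f}" }
```

The same audit can be run periodically against a real mapping table walked from the router; any mapping whose internal client is the gateway itself should be treated as an incident, not a misconfiguration.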

In order to trick Bill into connecting to my exploit, I sent him an email with an embedded link.  Cobalt Strike has a tool to copy an existing email (headers and all), which makes this basically turn-key.  All you need to do is modify the links.  So what email does everyone always click?  What would work even against an infosec guy?  Linkedin invites.

EDIT: Some readers have wondered why Bill would fall for this. Even a cursory check of the sender domain or link would have been a dead giveaway. The key to a successful SE campaign is a good pretext. For a background on pretexting, read this article. In this case the invite appeared to be from someone he had a meeting with that afternoon. Well, more of an informal job interview really. I suppose it was confirmation bias — he wanted to believe he got the job.

Now before I sent the email, I needed a follow up payload.  By default, the telnet port is enabled on Netgear routers, but the service is unresponsive.  You have to connect to the port and send a special unlock key.  Public exploits exist for this flaw, but I wrote another MSF module because I love my Ruby (and Metasploit).

Bill clicked the link.  As soon as I saw the callback, I triggered the second module and logged into the router via telnet.  Once I obtained root access to the router, I immediately changed the DNS settings to point to a DNS server that I control.

Controlling DNS is a powerful thing; it effectively provides you with on-demand man-in-the-middle.  There are plenty of MITM attack vectors, but I like Evilgrade for stealth.  Evilgrade has been out for years, and still works great (some modifications necessary).  It took about a week before Bill decided to upgrade notepad++ to the new version.  When he did, he was fed a backdoored version that gave me a Meterpreter shell on his computer.  I immediately emailed him a few screen shots and a keystroke log, and he unplugged his computer a few minutes later.

For my efforts, I was rewarded with a six-pack of Ruby ale.  I do love my Ruby.
