
    Document format: PDF   Updated: 2009-02-02
    Document language: Simplified Chinese
    Document author: z
    Classic server-side attack: no interaction required from victim user. Probe daemon on device directly
    New generation victim-user-to-server attack: target daemon available on LAN interface only (NOT WAN). Exploit relies on internal user as a proxy to attack device from inside the network
    Demo time: owning cameras Hollywood style!
    axis-defacer.sh demo tool
    Why "and beyond"
    OK, so you compromise an appliance. So what? i.e.: who cares about my printer being owned?
    We need to think in more than one dimension:
    How far can you go after you own a device
    Why "and beyond" : stepping stone attacks
    If Internet-visible device not properly segmented we can use compromised device as stepping stone and probe the internal network (LAN)
    Internet -> Target Device -> LAN
    Not many companies consider DMZing "miscellaneous" devices, i.e.: printers, IP cameras, VCR appliances, UPS appliances
    Why "and beyond" : stepping stone attacks (pt 2)
    Most of what we need to probe the LAN already on device. i.e.:
    Axis camera with shell scripting (mish) and PHP support
    Routers with port-forwarding functionalities
    Why "and beyond" : stepping stone attacks (pt 3)
    brute-force URLs of internal web server via Axis camera's telnet interface

    #!/bin/mish
    [snip]
    # $1 = base URL, $2 = wordlist file, $3 = delay in seconds between requests
    for i in `cat $2`
    do
        if shttpclient -p $1/$i/ | grep 404 > /dev/null
        then
            :
        else
            echo "possible resource found: $1/$i/"
        fi
        sleep $3
    done
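
Seen from the internal web server's access log, the loop above leaves a recognisable trace: one internal client collecting 404 responses on many distinct paths, however slowly it goes. The detection sketch below is an added example, not part of the original slides; the log lines, IP addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format (not from the original slides).
# 10.0.5.20 stands in for a camera; 10.0.1.7 for an ordinary workstation.
SAMPLE_LOG = """\
10.0.5.20 - - [02/Feb/2009:10:00:00 +0000] "GET /admin/ HTTP/1.0" 404 209
10.0.5.20 - - [02/Feb/2009:10:00:05 +0000] "GET /backup/ HTTP/1.0" 404 209
10.0.5.20 - - [02/Feb/2009:10:00:10 +0000] "GET /test/ HTTP/1.0" 404 209
10.0.5.20 - - [02/Feb/2009:10:00:15 +0000] "GET /intranet/ HTTP/1.0" 200 5120
10.0.5.20 - - [02/Feb/2009:10:00:20 +0000] "GET /old/ HTTP/1.0" 404 209
10.0.1.7 - - [02/Feb/2009:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043
10.0.1.7 - - [02/Feb/2009:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 209
10.0.1.7 - - [02/Feb/2009:10:00:12 +0000] "GET /intranet/ HTTP/1.1" 200 5120
"""

# client IP, request path and status code of a GET/HEAD request
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def find_path_guessers(log_text, min_misses=4, min_miss_ratio=0.5):
    """Return {client_ip: sorted distinct 404 paths} for clients whose requests
    look like wordlist-driven path guessing. Counting distinct missed paths
    instead of requests per second keeps sleep-throttled scans visible."""
    misses = defaultdict(set)   # ip -> distinct paths answered with 404
    totals = defaultdict(int)   # ip -> number of parsed requests
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.groups()
        totals[ip] += 1
        if status == "404":
            misses[ip].add(path)
    return {
        ip: sorted(paths)
        for ip, paths in misses.items()
        if len(paths) >= min_misses and len(paths) / totals[ip] >= min_miss_ratio
    }

if __name__ == "__main__":
    for ip, paths in find_path_guessers(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct 404 paths, e.g. {paths[:3]}")
```

A source address that belongs to a printer, camera or UPS appliance should rarely be a web client at all, so a hit from such an address deserves a lower threshold than one from a workstation.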
    Why "and beyond" : exploit password reuse
    Dump all passwords stored on device and try against all login interfaces on target company's netblocks
    Passwords could be found on: HTML source code (i.e.: type="password" fields), config file, SNMP OIDs
    Login interfaces include: SSH, telnet, FTP, Terminal Services, VNC, SSL VPNs (i.e.: Juniper SA), SNMP, etc.
    Why "and beyond" : exploit password reuse (pt 2)
