Keynote 01: Ghost in the Shadows: Identifying Hidden Threats Lurking on Our Networks, by Deral Heiland

There we go. If folks can please start taking their seats. Good afternoon, my name's Dave Garcia, volunteer with the chapter, and I'd like to welcome you to our last event of the day before the reception. It'll be a keynote address. Before we do, a few housekeeping notes. I certainly hope that all of you can join us for the reception, and Connie has assured me that, just like last year, it's going to be a wide range of food. Be sure to walk through the area where you registered to get your two free drink tickets; then after that, I think just about any type of cuisine you're going to want, you'll find inside.

Before we get to the keynote I want to take some time to introduce, or at least point out, one of our platinum sponsors, CentraComm. If you're not familiar with CentraComm (if you actually work with them, needless to say, you probably are): CentraComm has been a sponsor throughout the years. They're headquartered in Findlay, primarily known for their managed services for their data center. They work with other vendors, but primarily they're probably a Juniper and a Palo Alto shop. Been around for years, profitable, growing, very respected, and Kevin Miller (Kevin, in the back, raising his hand) is the person who can help you.

If you've been with us through the years you've probably noticed there's a few extra folks this year. Whereas we normally have about 475 people attend, I'm very pleased to say that you're hanging out with more than 600 of your closest friends, thanks to Connie and her team, primarily Stacey Camp and Jason Luttrell. Things were so well organized and marketed so well that this is actually the first time that we've been in a position, due to space limitations, to thank interested sponsors at the end of the day and tell them we're out of room: we're very sorry, you have to keep your money this year, we hope to see you next year. So the net of that, and what it means for us throughout the year, is that the year's taken care of. And so if you've been an ISSA member you typically know what our price points are for our chapter meetings: they're free. We also feed you. We offer hands-on training sessions throughout the year on virtually any topic that someone requests (hint hint, sponsors are welcome to get involved as well), and we also have some social networking events as well. But again, having done a bit of cat herding, you know, for this organization to have that out of the way, to know that we can once again offer a robust schedule throughout the year, it's a good feeling. So if you haven't had a chance to thank Connie and her team, I certainly encourage you to do so. That being said, it's time to introduce our last speaker of the day. Deral is a senior consultant with Rapid7, and sir, the floor's yours.

Thank you, David. So how is everyone doing this afternoon? Doing good? Doing good. Conference going well? Conference going well, good, good. So my presentation is Ghost in the Shadows: Identifying Hidden Threats Lurking on Our Networks, and I imagine a number of you are going, what's he going to talk about? OK, so we're going to get into some things that are a little technical, but I'm not going to get overly technical. My ultimate goal here is to enlighten you, to get you thinking about these ghosts in the shadows, what they are, and we're going to talk about what they are here in a minute.

So quickly, just to introduce myself: I'm a senior security consultant for Rapid7. I've been in IT for over 25 years, 14 of those years in security, and I currently do pen testing and consulting work for corporations and government agencies. So, interesting with this slide, it's like it really hurts the eyes, it's horrible. But my manager, one of my managers, goes, "Hey Deral, you know, usually when you introduce yourself you ought to consider introducing something personal about yourself." So sitting here thinking about it, I really had a hard time telling him that I don't have a personal life. You know, I work for you and I break into companies and then teach the companies how to protect themselves, and when I'm at home in my own time I develop ways to break into companies, in my lab at home, doing research. So today we're going to share a lot of pieces of those research projects that I've done over the years and how we leverage some of that stuff to compromise corporations, with the goal of you learning of the serious risks that exist in your environments and starting to protect them. Because the stuff we're going to talk about today, most of the companies I go into are doing nothing about it, and I quickly can gain access, traverse through their network using some of this stuff, and escalate my rights into critical systems.

So Ghost in the Shadows: what is Ghost in the Shadows? What I'm talking about are embedded devices that exist on your business networks. These could be multifunction printers, load balancers, content management systems, application firewalls, IP cameras; the list goes on and on and on. So why are these ghosts in the shadows? Because you just plug them in, turn them on, make them work, and you forget about them. And every one of these devices I've leveraged in some way during assessments to compromise corporate assets, and we're going to get into this. We have videos, we have all kinds of cool stuff. So the goal is that you really understand the risk, and we've got a lot of stories where we get into some detail about how this stuff was actually utilized.

So we know what it is; what is it not, for this presentation? In this case Ghosts in the Shadows is not your Windows servers and desktops, your Linux servers and desktops. For these systems, right now, currently, you should have solid methodologies around securing them properly: patch management, identity management, anything associated with these systems, antivirus, anti-malware, and a number of solutions. So the reality: those should not be a risk in your environment directly.

Moving from there, some things to avoid, or some things to think about, dealing with embedded devices on your network. Currently, in my opinion, you're fixing all the Windows stuff, you're patching it, you're securing it, you're doing the right things in your Linux environments, hopefully. So anyone not? I didn't think I'd get any hands. I didn't check; there's always one smart aleck in the audience, but not tonight. And it turns out, because of that, attackers and hackers are actually starting to pay attention to the embedded devices. I have been looking at them for about three to four years now as part of my job, and like I said, I leverage these systems continually to compromise corporate assets. It's only a matter of time until the bad guys start doing the same thing, and the reality is they have. Good example: Community Health Systems was breached with the Heartbleed attack against a Juniper device, a firewall device, and they were able to pull creds out of the memory of this device, which led to a compromise of their systems: 4.5 million records. And I assure you, you probably don't want to join them, right? Does anyone want to join them? I didn't think so. Expect not.

So the goal here today, like I said before, is to kind of educate you, to get you thinking. Obviously in an hour I can't give you all the answers, you know, I can't point out all the potential risk, but I can give you some ideas to start thinking, so you can go back to your companies, your corporations, your government agencies, wherever you may work, and start brainstorming about how we as an organization can better secure these devices on our network and start paying more attention to these devices on our network.

So let's get into Introduction to Fail. This is the fun part. So I hope you don't mind me moving around; I hate standing on stage too long. I'm only doing this so they keep the camera on me; from now on I'm going to mess them up real bad. So, Introduction to Fail. What are we talking about? Like I said, we never patch them, right? So how many times do you patch printers on your network? OK, there you go. We don't patch them, we never audit them. How many times do you run any kind of security auditing and testing against these embedded devices on your network? You're paying all kinds of attention to your Windows environment, your UNIX environments, but you're not paying any attention to IP cameras that may exist on your network. How about APC UPSes that you use in the data center, those little boxes? These are all network aware, with web interfaces on them, so it's pretty critical. And then last, what was my last one? I can't see it. We just deploy and forget. Yeah, that's exactly it. So we deploy these devices on our network and forget about them, because they work, right? We only care about them if they don't work. Well, the goal here is to educate you with enough information to start thinking, so that they won't be an issue and you won't get compromised because of them. Because then you will be aware of them, and so will everyone else in the world when they find out you've been compromised and lost 3 million, 4 million records because of some embedded device on your network.

So let's start off with embedded device passwords. What's the biggest problem with embedded devices and passwords? Does anyone know the answer to that without looking? You're cheating, I see you cheating. There you go: default passwords. So you know, if you think no one's going to figure out what the default password is on your device, then you've obviously never used Google. OK, so when I do an engagement and I find a new device that I've never experienced before, I google "product name default password" and I'm able to download the manuals, which of course give me the default passwords, if they actually exist on the devices. Also, when you do firmware updates on some devices, even if you're really good at "hey, we don't deploy devices with default passwords," doing firmware upgrades on certain devices can literally set the password back to default. I know several products where that is the case. So you need to continue monitoring, testing, paying attention to these devices. And the big one with default passwords, as an example: let's say you have a device on your network and the default password out of the factory happens to be 2222. OK, you're going to say, hey, that's a bad password, I'm going to change it. What I found out historically: you're going to change it to another four-digit PIN number, and it's always going to be higher than 2222. So how long do you think it's going to take me to guess 2223 to 9999? I assure you, not long at all, and now I'm into the device. So these are things to think about when you're deploying these devices in your environment.

OK, so we get into some stories. I love stories, they're always fun. So how many people have video conferencing systems in your corporations? Now these are like totally cool. I've lost count of the number of times from the internet I've sat in on corporate meetings, OK, because these devices are deployed, they work, and no one paid attention to the default passwords, or the lack of passwords altogether, on them. And you'd be amazed at the horror in the eyes of the people I'm doing the assessment for when I show them a screen print of a video conference that I sat in on. Now, nice enough, I don't record them, but think of the security impact of that: you're having a corporate conference and you're discussing acquisitions, divestitures, things that could impact the value of your stock, and now anyone on the internet can sit in on that conference. Pretty serious. On a light note, one of the guys I worked with was doing an assessment. I can't show you my screen, but the camera on my laptop is covered with tape, and I've always done that. He didn't always do that. So he's sitting one morning, he gets up at eight o'clock in the morning (we work out of our homes), he decides he's going to do checking of the H.323 protocol, which is the protocol used for the video conferencing systems, and boom, he's in the middle of a corporate conference, where there's this big beeping noise and everyone in the room turns around, looks at the screen, and there he is sitting in his pajamas. Luckily it was not in his underwear; of course that would have been a better story, but you know how that goes.

So the second one I have up there is, say, newborn babies. Well, one of the assessments I was doing was a large hospital chain, OK, and they happened to have a video conferencing setup in the maternity ward, and it was also used for people to connect in to see their babies from a distant place, kind of a nice cool thing, and it was also used for doctor consultation with another hospital. OK, so I was able to connect into this system. It was a really high quality system with a high quality camera that I could pan around. So I was able to pan this around and zoom in onto several documents lying on tables, which turned out to be HIPAA data: I was able to pull out personal information about the parents, Social Security numbers, the baby's weight; all this information was stored in this document. The product also had a vulnerability in it. This vulnerability gave me the ability to connect into the operating system and pivot through that machine into the internal network. So not only was I able to steal HIPAA data, I was able to gain access to the internal network through this device, because they hadn't been properly patching it; the patch for this had been out for about six months. The interesting thing about this product: when I told the hospital, they go, "That's not our product, that's not our equipment, that belongs to the other hospital, it's their problem." "How is this their problem?" I asked. "I just broke into your network, stole your HIPAA data that you're responsible for, and gained a foothold in your internal network." So think about that, because we're going to talk about that some more, and this is in reference to subcontracted work, outsourced types of work: equipment may exist on your network that doesn't belong to you. Remember, you're still responsible for your network and your security. It's not someone else's fault if you get compromised, even if it is their equipment.

So this is my favorite one. I don't know how many people here know me or have been to any of my presentations. So it's not a lot; I love this, this is great, so I get a new audience. Printers. I love printers. When I'm done with this section you're going to be horrified, I promise you. So I've been doing printer research for a number of years, and this is a lot of fun. An example was, and this was probably about two years ago, a mortgage company, a simple small mom-and-pop mortgage company, had a printer and they exposed it to the internet. Does anyone see anything wrong with that? OK, OK.
So that's leading to fail right off. Well, it turned out they were also using it for faxing all the transaction stuff, so printers and faxing and all this stuff, and it happened to be a standard HP printer that had PCL, Printer Control Language, capability. So what I did, I actually connected into it over PCL, gained access to the hard drive on the thing, and captured every fax coming in, containing all the banking information for all of the mortgage transactions they were doing, because everything was going through that fax machine. So that's bad. That's definitely bad. Everyone understand that's bad? It's going to get worse, I assure you.

So I can use printers to gain full domain admin access, or full access to your, well, not necessarily domain admin access, but let's say I can gain access to your Active Directory environment with a valid account in over fifty percent of the companies of the people in here, I guarantee you. That's the running average right now: if I can gain access to any printer on your network and you've integrated that printer into your business environment, meaning you can go up and you can do faxing and scan to file and scan to email and all these nice cool things, which you should be doing. I don't want to scare you away from leveraging these printers correctly. You spend twelve thousand dollars on a printer, you don't want to use it to just print with; that's a waste of resources and money. You want to leverage it into your environment for all the business functions that you could use it for, that are good, but you need to secure it. So what we can do is we can pull those authentication and integration creds off these devices, and I will show you a quick little example of this. So, everyone see this? This is pretty good. So we have the evil guy, that's me, with the skull. So yeah, I carry sunglasses. My eleven-year-old says, "Why do you have sunglasses on your head?" That's so I can go into disguise and no one can pick me out of a crowd. Well, we know that doesn't work with me, so let's move on.

So we have an evil guy, we have a printer, and what we have here is your Active Directory environment where you've set up LDAP functionality. What you're going to do is, on the printer, you're going to walk up to the printer, you're going to go, hey, I need to authenticate myself so I can carry out some type of transaction, so it's going to do an LDAP auth back to the LDAP server, and then that's going to reply with the LDAP reply saying, yeah, he can carry out this transaction. Me, the evil guy, we're going to do something a little different. We're going to go to the printer, we're going to change the IP address of your LDAP server, then we're going to go ahead and tell it to do an LDAP lookup, and then it's going to pass me your creds in plain text, and now I can log into your Windows environment and start my evil path to destruction at that point. So in about forty to fifty percent of all the companies I engage, this attack works, on most of the printers out there. OK, pretty straightforward, but remember, the key thing is I had to log on, so change the default passwords. We're starting down the right path; you're not a hundred percent there, and I've got a couple quick things I'll point out, but if you change that password on that printer from something default, or to something I can't easily guess, you can render this somewhat incapable. The exceptions to this are if you're running a Ricoh. Ricoh printers: it turns out that you can go in there and change the admin password on the Ricoh printer. So I think the normal password is blank, so it's "admin" and blank, and you can gain access to it. If you change that password, there's a backdoor account on the machine; it's called supervisor. I come in, log in as supervisor on that box, change your admin password back to default, because that's the only thing the supervisor password can do. But you can never see the supervisor account to change the password unless you're logged in as supervisor, and most people don't know that account exists. I actually was on a message board (because I'm a member of a message board for copy technicians) and they come right out and said, hey, here's how you do this, but don't tell any of your customers; what they don't know won't hurt them. OK. So I've actually used this on an engagement at a company that had hardened everything on their network. I literally had nothing; three days into this I think I'd broken into one or two machines and had nothing. So it was like, OK, I really don't like to change passwords on equipment, but hey, I'm tired of having nothing. OK, so the last day, I logged onto this printer, changed the password back to blank, logged on, did this pass-back attack (is what we call this), and guess what the account was. It was a domain admin account. Game over. It turns out that about ten percent of the time, ten to fifteen percent of the time, when I'm able to compromise a valid account off a printer, it's a domain admin password. The reason why: people set these things up for scan to file system, so you want to scan something, save it on the file system. Oh, it's so hard to get it working using a real account; we'll just give it a domain admin account and, you know what, it will always work. OK.

So let's move on. Videos; I like videos. So I want to show this on a video; I don't want to run out of time here, so let's show a video so you can get this going. And this video here is a little more brutal, because we're going to show some other attack vectors here. Here it is: Aruba, there we go, Xerox, OK, I think this is it. Now let's make sure that's what it is. Yeah, this is it. Let's go ahead and run this. So this is a Xerox printer. This is kind of cool; watch this. So I'm going to try to log on to the Xerox. The typical default password for a Xerox WorkCentre printer is 1111, for once. OK, so you can see that it fails right here, so it's like, oh darn, man, I can't get into this printer. Well, this is going to go south really quick here in a second. I actually found a way to do firmware injection attacks against all Xerox WorkCentre printers, where I can get full root-level access to these devices, and I can also do things like pull the admin password out of a storage file from the operating system, and I wrote a Metasploit module to do that, so you can all do it now. So we're going to use, it's called gather xerox console, I believe, and I must have been typing slow. It's terrible; it's amazing, you think these things go fast until you get them in front of everybody, and it's like, come on, go a little faster. I ain't talked to these guys down here, so let's do that for a second. So instantly we see the configuration here, and it turns out I actually have a Xerox printer that was sitting in my dining room, a big 300-pound thing; my wife loved it. But this one, we have the JetDirect port, which is the printer port, the JetDirect port is what it is, and mine is set to 9696 because I had it on the internet a few times; I was just trying to slow down everyone from hacking me after I told them how to hack me. So we set this up, we set up the remote host, which is the printer, we set up the JetDirect port, and then we go ahead and run this. And what it does is it goes out, does this injection attack into the device, and it will run some code, and the code will make it go to a file and it will parse out the password. It takes, I guess, about 45 seconds. That's a timer I set on it in case you actually have print jobs on the device and it's running a little slow; I need to give it enough time, because if I run it too fast it kind of messes up the whole thing. It won't hurt the printer; it's totally harmless, because I actually stripped all the firmware down, so the only thing it does is it runs the bootstrap program that would do the firmware install, and then I just take that shell script that it runs and I put my own code in there to do what I wanted to do. So 45 seconds is like really slow; let's speed it up. OK, good. OK, so we can see there we have the password: it's "acme widget". So now I have the password of the console, and it also saves it off in Metasploit to a config file. So now we come over here and now we can log onto the device, which gives us administrative access to the device. I'm hoping everyone can see this; the lighting is a little messed up in here. So we come over to Properties, pretty straightforward, click on Properties, we come down to LDAP settings, and we can see there's an LDAP setting in here. And you may see other names on this printer, because I bought this printer, so there's some garbage still on the printer, name-wise, but it's harmless; it was purged of any personal information that belonged to that location, so nothing was compromised with them, I made a point of doing that. So we come over here and we change the IP address. The goal is to change the IP address to point to us. It's fairly simple: all we have to do is fire up a netcat. Everyone understand what netcat is? It's kind of like a little telnet-style program, and it gives you the ability to move data in and out of a network port. So we set netcat up to listen for incoming connections, to listen for the incoming LDAP connection from the printer. So now we've got it configured, we've reconfigured this printer, and Xerox is kind of cool, and a number of printers have this: they have an actual LDAP test functionality in here. So we come over here to the LDAP, under mapping, we're able to fire that up, and then we fire up netcat like I said, and we set it up to listen on that port that I set it on, 4444, then we go ahead and we should be able to click lookup. So now it's just going to do an LDAP lookup, and then we can jump over here to our netcat, and now we have the Windows domain server, our user name, and the actual password for your Active Directory. So now we're able to take your printer, log on to Active Directory, and potentially start moving on your network at that point. At a minimum, you know, we have access to whatever rights this account had. We also have access to, typically, because no one ever changes it, Everyone; so if you've granted Everyone access to it, now we have that. Second, we have access to all of your Active Directory configuration stuff, so I can dump a complete list of every user you have in your environment. I can't get their password, but I get all your users now, and I can also pull down all the groups they're in and their privilege level, so I can tell every domain name that you have a domain admin account in your system, all with a standard Active Directory account, just like any user can, but now I did it purely with what you had on your printer.

Before going to the next one, yes, we have time, let's see if this is there, because one of the stories I wanted to talk about... it doesn't want to do it, come on, let's see if we can find this. Yeah, may not have it; we'll just tell the story, because that's really, really good, it's really important. Actually, that's a good question: was the password I got back in clear text, or was it hashed? It turns out that all printers that I've ever encountered can be configured for NTLM, can be configured for some kind of hashing, Kerberos, or plain text. So one of the things you do is, if the person has set it up to use encrypted hash communication, you just tell the product to send it to me in plain text, and that's available in every printer, because there's a chance that this LDAP may not be a Windows environment; it could be who knows what, it could be some kind of appliance, it could be a Linux environment, so they give you all those options on every printer I've ever encountered.

OK, so as I mentioned, this is a firmware attack. So currently I have the ability to get root-level access to most Xerox printers, anything below the newest 58/7800 series that just came out, and I know there's a way to do it on those, I just haven't developed it yet. So one of the guys was on an engagement the other day. Like I said, I can get root-level access to this, so I can get a command-line bash shell on a printer remotely. He actually broke in through the internet through password-guessing attacks; he gained a foothold into a Citrix box. This company turned out to have really good antivirus, anti-malware solutions and a lot of restrictions in their Citrix environments, so we were never able to get code on there to launch further attacks on the internal network. So I talked him into, hey, look at the printers on the network, which is what he did, and he found a Xerox that was vulnerable to our attack, and I developed a package for him, and he used the standard LPR command-line printer command in the Windows environment to dump this package, because this is just a print job; this attack is purely a print job. The print job hit the printer, the printer called out over the internet and gave us a bash shell with root privileges on this printer. The printer also had SSH running, so we set up an SSH reverse tunnel, were able to tunnel in through their printer, which connected out to us on the internet, giving us access on the network basically undetectable, unless you're doing some kind of anomaly checking of your devices. Would you notice if your Xerox printer called out over the internet? Maybe not; maybe you would, if you have a way of doing that. I would consider taking all devices that you know shouldn't be going out to the internet and monitoring them, if possible. And all this code is available in Metasploit, and the patches for the Xerox: I want to give you the patch for it. We know what the Ricoh one is: change the password, OK, for supervisor, so you can't be backdoored. On the Xerox printers, go in, there's a setting in there for remote firmware upgrades; turn it off, and then set the password to something complex and not some number between 1112 and 9999. Set it to something complex. At that point, if you need to do a firmware upgrade, you can easily log on, turn it on, do the firmware upgrade, and turn it back off again. That will prevent the printer from being attacked, period. I would love, on one engagement I did, to actually find somebody that has done that. This is something that's been out there for close to three years now, and I've lost count of the number of times I've preached about this. So I'm hoping everyone goes back from here, gets something from this, and kind of starts reining in these embedded devices so you understand what the risks are.

OK, moving on from there, we have Simple Network Management Protocol. Do we have anyone here that runs their entire network and manages it with SNMP, Simple Network Management Protocol? OK, probably not, probably not. The interesting thing with this is that the best way to do it is just show it to you. Here we go. This happens to be a Brocade load balancer. This was an assessment I did; this is not a screenshot from the assessment I did, this was one I did further on later, when we were doing some testing. But Simple Network Management Protocol: a number of devices will commonly enable it with the community strings of public and private. So if you guys do not use SNMP in your environment, I assure you I can go into your environment and probably find dozens, if not hundreds, of devices that have SNMP enabled by default with public and private community strings. Public gives me the ability to read data off these devices, or at least the SNMP data; private would give me the ability to alter those devices, which is a bad thing. OK, in this case here, the Brocade load balancer I found on the internet during the assessment, and I dumped the SNMP OIDs off the box; I walked the entire thing, and during analysis I found a string entry that started off with dollar-one-dollar. To me that is a typical Linux shadow file DES encryption. So I said, hey, I wonder if it is. I fed it into a password cracker, I cracked the password within 24 hours, I logged into their load balancer from the internet and gained full admin access to the device. And this happens to be a module that's been written for doing that. Now this has been patched; it was patched about a year ago, I think. But as you can see, we're able to dump all these hashes. The bad thing about this, I mean, these hashes that you see here are probably going to be the same passwords that are used on all your infrastructure devices in your organization, most likely, which is seriously bad. When I did this, how many people have heard of Shodan? OK, so we have a few more numbers to share. Shodan happens to be, for no better words, kind of like a Google-type device where you can request information on devices based on the ports and services that are run. So the internet is being scanned constantly and the data is being gathered, so I can go to Shodan and I can go, give me all SNMP devices out there, port 161, and there's like, I don't know, I think it's like 60 million around the world exposed to the internet. In this case here there were about a thousand to two thousand of these devices on the internet with this problem. OK. The vendor patched quickly, which is great; that's what we expect, and then it was a number of months later, after they patched it, before we actually made any of this stuff available, so as for everyone's protection. So if you happen to have Brocade load balancers on the internet and you've never managed to patch them, I'd seriously consider doing that; that would be a bad thing.

OK, and coming back here, SNMP strings is kind of interesting. So when I'm dealing with an organization that actually uses SNMP strings, they set public and private to something else, OK, and because one is only read and the other one's read and write, which is a lot worse. With a read and write community string in a company that actually leverages SNMP, I can pull the running configs off all your Cisco routers; with a read string, OK, so it becomes a real issue if you deployed it in your entire environment but you've never properly secured the environment. An example I can use is an IP camera on an engagement. They had implemented SNMP across the gamut of devices, but they didn't bother to secure the devices properly. So, logging in through an IP camera, I was only able to get the public string, because it didn't have a private string, but it gave me public, so I could take that custom public string, play it against other devices, and then search the public output data for a private, because public was also contained in private. Now I had private. I can go and pull the running configs off all the Xerox, or, I'm sorry, running configs off all of the Cisco devices remotely, and then I can go through there and find passwords, and if you're using password 7, it's easily decrypted; if you're using the more complex ones, I feed it into a cracker. But as you can see, and I hope you've noticed on a number of these presentations, a number of things I'm talking about, this is the methodology that's used by most breaches: we gain a foothold in an organization, we move lateral, and we escalate our rights. Every breach takes that model. So if you've noticed, every story I have given you, we've used the same model: I gained access to one device because of a weak password, I pull the SNMP data for public, I use public moving lateral until I find a stored private, now with private I escalate my rights, and then I continue moving until I get to where I want to be and take over what I want to take over.
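The printer LDAP pass-back and the Xerox calling out to the internet, both described above, leave the same trace on the wire: an embedded device opening a connection it has no business opening. The script below is an added example, not code from the talk or from Rapid7, showing how a defender could flag that from firewall or flow logs. The device inventory, the allow-list of approved internal services (a directory server at 10.1.1.5, an SMTP relay, a scan-to-file share), the key=value log format and the log lines are all constructed sample data; 203.0.113.77 is a documentation-range placeholder standing in for an internet address.

```python
"""Flag embedded devices (printers, cameras, UPS units) that open connections they have no
business opening.  Added example, not from the talk or Rapid7: the inventory, the allow-list,
the log format and the log lines are constructed sample data."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed inventory: embedded devices the organisation knows about, keyed by IP address.
EMBEDDED_DEVICES: Dict[str, str] = {
    "10.1.20.50": "xerox-workcentre-floor2",
    "10.1.20.51": "ricoh-mfp-finance",
    "10.1.30.10": "ip-camera-lobby",
    "10.1.40.7": "apc-ups-rack3",
}

# Constructed allow-list: the only internal (ip, port) pairs an embedded device should initiate
# connections to.  The directory server the printers were configured with is 10.1.1.5; an LDAP
# bind toward any other host is the pass-back pattern.
ALLOWED_INTERNAL: Dict[str, Set[int]] = {
    "10.1.1.5": {389, 636},   # assumed LDAP / Active Directory server
    "10.1.1.9": {25},         # assumed SMTP relay used by scan-to-email
    "10.1.1.20": {445},       # assumed scan-to-file share
}

LDAP_PORTS = {389, 636, 3268, 3269}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed key=value log format, one connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)\s+action=(?P<action>\w+)$"
)


class Finding(NamedTuple):
    ts: str
    device: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> dict:
    """Parse one log line into a dict; raise ValueError so malformed lines are never silently skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; everything else is treated as the internet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(event: dict) -> Optional[str]:
    """Return a reason string when an inventoried embedded device reaches an unexpected peer, else None."""
    src, dst, dport = event["src"], event["dst"], event["dport"]
    if src not in EMBEDDED_DEVICES:
        return None                                  # only judge devices we inventory
    if not is_internal(dst):
        return "egress-to-internet"                  # a printer calling out, e.g. a reverse tunnel
    if dport in ALLOWED_INTERNAL.get(dst, set()):
        return None                                  # the service it was configured to use
    if dport in LDAP_PORTS:
        return "ldap-bind-to-unapproved-host"        # LDAP setting re-pointed at another host
    return "unexpected-internal-peer"                # e.g. a lookup sent to a listener on 4444


def scan(lines: List[str]) -> List[Finding]:
    """Run every non-empty line through the classifier and collect the findings in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = classify(ev)
        if reason:
            findings.append(Finding(ev["ts"], EMBEDDED_DEVICES[ev["src"]], ev["dst"], ev["dport"], reason))
    return findings


# Constructed sample log: two normal printer connections, a lookup aimed at a workstation on
# 4444, an LDAP bind to a host that is not the directory server, a camera connecting out to an
# internet address (203.0.113.77 is a documentation-range placeholder), and a workstation that
# is not in the inventory and is therefore ignored.
SAMPLE_LOG = """
2015-05-05T14:02:11 src=10.1.20.50 dst=10.1.1.5 dport=389 proto=tcp action=allow
2015-05-05T14:02:15 src=10.1.20.50 dst=10.1.1.9 dport=25 proto=tcp action=allow
2015-05-05T14:09:40 src=10.1.20.50 dst=10.1.55.23 dport=4444 proto=tcp action=allow
2015-05-05T14:11:02 src=10.1.20.51 dst=10.1.55.23 dport=389 proto=tcp action=allow
2015-05-05T14:20:33 src=10.1.30.10 dst=203.0.113.77 dport=22 proto=tcp action=allow
2015-05-05T14:21:00 src=10.1.50.8 dst=203.0.113.77 dport=443 proto=tcp action=allow
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.device} -> {f.dst}:{f.dport}  {f.reason}")
```

Run as a script it prints three findings: the lookup sent to a workstation on 4444, the LDAP bind to a host that is not the directory server, and the camera's outbound SSH connection. The allow-list is the whole idea: a printer should only ever initiate connections to the directory server, mail relay and file share it was configured with, so anything else from its address is worth a ticket, and that is exactly the anomaly checking the talk says would have caught the printer tunnelling out.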
the same method most breaches follow. If you read up on what took place in most of these breaches, you may get some write-ups that say it was advanced, these people were compromised through an advanced attack. I assure you, in most cases they are not advanced attacks; they are trivial attacks. The last one I want to mention here is dealing with cable modems. So this was kind of interesting. I did a research project last year dealing with Simple Network Management Protocol, looking for devices that leak information, and it turned out that we found a number of cable modems and DSL modems. Now these are cable modems and DSL modems that may exist in your home; these are DSL and cable modems that may exist in your satellite offices. We found out that over the internet we were able to actually enumerate these devices, when they're dual devices that also do Wi-Fi, and pull the WPA pre-shared keys in plain text off the device remotely over the internet. Once we figured out this was a reality, we went out and purchased about 10 to 15 different devices and went through to see how many we could find, and then compared the ones where we found this problem to data off Shodan, and we found out that we could compromise, using this methodology, over 500,000 devices on the internet. About 150,000 of those were in the U.S., about another 150,000 in South America, and then the country of Turkey had like 275,000, and then we gave up and quit looking. But I assure you there's probably a lot more out there.

So that makes me think about, you know, satellite offices, because I've actually found these same devices during assessments sitting at satellite offices. These are those small offices where you have two or three sales guys, or just two or three people that do work; you don't want to put up a big expense on connections, so what do you do? You go out and buy a cable modem or a DSL modem and you set up some simple VPN connectivity for them. Pretty straightforward, but it's a potential entry point for exploitation, because if someone decides they're going to do this research, and it's not me, and they find this data, they could easily go, hey, here's company ABC, let's go ahead and do some search on the internet. We find all the IP addresses that belong to ABC, we go ahead and scan those, we happen to find some cable modem, we enumerate SNMP, now we've got Wi-Fi. We figure out where that satellite location is, we drive out to their parking lot, we log onto their network, now we're on their internal network.

So this is getting interesting. I'm getting this horrid stare at me. So you guys find this valid information, usable information? I'm hoping you are, because I really want to get everyone thinking about these devices on your network, because they're critical. Let's get to this point before they get to this point, because I don't want to see anyone compromised. I'm here for security, not insecurity. Yes, sir? That varies. I'm going to remember, I only looked at a small handful, a number. The ones I've seen in the US that were most easily compromised were ones that are being phased out, okay, which is good. So we're dealing with, oh gosh, the old Netopia devices were really bad, Ubee devices, but mostly those are not being used on the internet inappropriately. They're vulnerable, but the providers are using them appropriately, which is a good thing. If you search my name and SNMP on Rapid7 you'll find all the advisories, and actually get a list of all the actual modems that we did actually test, and I'll give you, it has all the OIDs that you could actually query for the data too, and how we did it. Was there another question down here? Okay, excellent, excellent.

So moving from there, so wireless. Now this was probably one of the most fun research projects I did. So my job as a consultant pentester is to think outside the box, so let me propose this to you. Everyone, I hope everyone knows what an SSID is. You know, if you have wireless and you want to connect to wireless and you look on your device and it gives you a name, the name of the device you want to connect to, that's the SSID. That name can only be 32 bytes long. So one day I was sitting there and going, hey, now I have these thoughts once in a while, it's like, hey, I wonder if I could use an SSID to launch attacks against
somebody. It's only 32 bytes long, what could I do with SSIDs? So I started testing a few devices and found a number of vulnerabilities where I was actually
able to fire up an access point with an SSID and carry out attacks against corporate enterprise-level equipment, because I was a rogue access point, and you're monitoring for rogue access points, and you go, look, a rogue access point. I've got a video for this one, okay? So real quick on this thing here. So you see this; this happens to be an Aruba console for a wireless LAN controller. This up here happens to be the rogue access point I'm going to fire up; it's a soft AP, so I can control the SSID more readily. This happens to be a third-party FTP server located on another system. So the whole idea here is to carry out a cross-site scripting attack to inject Java code into a system's console where you may see this system actually logged in, see this system in a data center where they're monitoring on a war board: hey, we're monitoring for rogue access points 24/7. So I'm going to give them a rogue access point to monitor, and we get to see what happens here.

So I'm kind of walking through here showing some different things. I think I'm showing the configurations, and currently there's an admin account, and there's the rogue access point. Let me get that off there, and blocking it. That's not good. There we go, okay. So you can see all the rogue access points on here as they're showing up down here at the bottom, and the different numbers, and this one happens to be ours. It has to fit in 32 bytes, so that was my challenge: I had to fit the entire attack vector into 32 bytes. So we see all that, and then we come over here. I'm going to actually show that there's no file sitting there, and then what we're going to do is we're going to come up here and we're going to go fire up this access point, this rogue access point. I set it up to be obvious; I could easily have hidden the attack, but we're going to be obvious here. So when we kick this thing off, so the access point fires up, this device, the monitoring in the data center, goes blank. Now I could have hidden all that. So what actually happened, it's kind of cool what happened: that Java code just hit that box. Two things just took place. I actually dumped the running config of the device off to a third-party FTP server remotely. I think I'll play that just for a second. Let's move on, and if we look right here, as I come over here, you'll see it show up under... come on over here, wrong window, come over here to enumeration. We just created an ID called evil hacker with root-level privileges on that device. So fire up an SSID within close proximity of a company, wait for, I don't know, half an hour, a day, if we know they're monitoring this, and instantly I've created these kinds of creds. I could have done anything to this particular device. I could actually have reconfigured it, had it fire up other access point functionality for me where I can get in remote access. This is purely a proof of concept that I did to get people aware that this is a potential attack vector. Now the big thing here is this is all about patch management. So you want to patch your devices. So if you happen to have an Aruba and you haven't patched it in two years, I would advise you do so. So everyone understand what took place there? I just want to make sure everyone understood that, okay? So everyone, everyone did understand that. I want to make sure I don't take this too far off. Okay, we're running out of time.

The last story, this is kind of quick. I cannot leave out of it physical security. Physical security is cool. This was not mine; this was a friend of mine. So he wants to go into a company and break into a company through physical security. Turns out this company had a bio reader for entry into the company. So he marches up to the bio reader, opens it up, finds an RJ45 jack, attaches a wireless access point. He does this right in the middle of the day, just wearing some worker's uniform, while everyone's coming in scanning their
thumbs on this thing to get into the building. And he says the worst part is the access point he had was too big to get back inside the thing, so he left it hanging out of it and just walked out and sat down in the parking lot to see if anyone would notice. And no, they did not. He logged into the company, sat there for a while, and then basically went and disconnected his hardware, packed it up, and left. So if you have this type of connectivity, devices or anything that takes your network outside the perimeter of your building in any way, shape or form, think about that. It's sitting out there. This is hardware; this is an embedded device. From my perspective it is a risk to your organization. So does anyone have one of these devices? I expect you to look into it if you do; just make sure it's secured properly. Apparently this did not have the proper security on it, and somehow he was able to easily pop the case open without damaging it. It was probably like a clip or a screw or something; he opened it up and it just opened up, okay?

So now we've talked about the worst, talked about breaking stuff, talked about stealing stuff, showed you a bunch of horrible videos, showed you your printers are going to be your death, well, hopefully not. So let's get on to protecting your environment, because this is kind of cool. I love the protection part. So asset management, patch management, threat and vulnerability management: those are the areas we're going to kind of talk about real quick. So what are you doing for asset management? Do you know the embedded devices you have on your network? How many here know all the embedded devices on their network? Please, somebody raise your hand. Okay, okay, that's not bad, ninety-five percent is good. Ninety-five percent, but that's kind of interesting. It brings up a story. I worked at a very large Fortune 500 company and had a very bad argument with a CTO, and that was after a critical meeting with management where he basically said there's no way for us to know in a
company this large what we have on our network, so we're not even going to try. We had some words; he threw me out of his office, and I continued harassing him forever about it. I liked the guy, he was a good guy, but I disagreed with him. So you want a comprehensive method for identifying your assets. I don't know what that is; I mean, you're going to have to make that decision for yourself from a business perspective. How are you managing your current Windows and Linux assets? How can you figure out how to manage those assets? These are things I want you to think about when you get back to your company. I mean, it may be as simple as what I mentioned before, SNMP, simple network management. There's a lot of products out there that you can do global management with, and they'll automatically scan your network and identify new devices and new IPs and query for SNMP and identify what the product is. There's a lot of good products out there; I'm actually testing some right now. So if you buy them, make sure you keep them patched. So don't forget: if it's on your network or touches your network, it is a risk to you, just like I mentioned earlier. You want to pay attention to those things. It's not someone else's product; if it's on your network or can be used to gain access to your network, it's your problem, not someone else's problem. That doesn't mean you can't handle some of the stuff from a contractual standpoint, but that contractual standpoint would be you define to them how that device is going to be configured on your network, not them telling you how it's going to be configured. Most companies I've dealt with, the printers, you know, you guys go out and you contract printers. Printers are expensive; it's easier to lease them, it's less complex. But remember, those printers are a risk to you, so from a contractual standpoint you need to define some of those settings: passwords will be changed, they'll be complex, if you want them changed regularly. It's your network; if they want your business, they'll meet
those requirements. So I recommend considering those types of things: outsourced systems, and obviously anything managed outside the network. When it's on your network it's your responsibility.

So patch management, and this is a hard one. You know, I can't even imagine what it's going to take to rein this in, and it's going to be something you're going to have to decide on, how you're going to do that. Once you've identified all the embedded devices on your network, how do you go about identifying needed patches, and how do you regularly check those? You're going to have to build a process around that, and I don't know if there's any perfect one out there. There may be some third-party
products out there that make this easier to do. I have not encountered any of them, because I haven't encountered anyone actually doing it right. If I had encountered somebody doing this right, I'd share that information with you. But it's all about managing those devices, those IP cameras, and you think, how's that IP camera going to be an issue? I just spent the weekend with some friends down in Raleigh, North Carolina, locked in a hotel room at a hacker conference, where we had labbed up IP cameras and were actually carrying out attack tests against them. Did we find anything critical? No, not at this point, other than one of the high-end cameras we were looking at: we found out that we can enable SSH and possibly use it as a pivot point on the network, which is critical. And if you're monitoring these things and managing these things, the attack vectors that we may think up or research we're going to eventually share with somebody, you know, in an ethical manner, but there may be people out there that aren't ethical like us, coming up with ideas to attack you. So it's important to be able to come up with solutions to manage these devices and patch management. Does anyone in here have a patch management solution that goes beyond the Windows desktop client environment? Okay, that's good.

Threat and vulnerability management: this is a big one for me. This is something I did when I was at a large Fortune 500 company; it's something I took a lot of pride in doing. Start with: do you have a security team? I assume most people here have some security team, even if it's one person, yeah, okay. So if it's a one-person security team, you know, what can you do in those cases? There I would recommend actually looking at outsourcing solutions. They're valid solutions, and I think they're a good thing, because obviously you need to secure your environment; if you can't get the resources or the full-time FTEs to be able to do that, outsourcing is a valid solution for being able to get third parties to handle that security stuff for you. Do you conduct any proactive security monitoring? So what I'm trying to say here is, does anyone in your organization log on to Google and look to see what's going on out there from an attack-vector standpoint? Does anyone look at the latest, greatest malware that may be coming out? So we've got a hand back here, we've got one. This is cool stuff, because this is where it all works. This was something I did for a Fortune 500 company. Now obviously not everyone can afford a Deral to sit in there and have a lab to do this stuff, but I was in a Fortune 500 company in the mid-2000s, the 2003 to 2006 time frame, and I actually called, to within three to four days, every worm that hit the street. The first one was Blaster. When I told my company, I actually demoed the exploit to them before the worm ever hit, because I lived in that realm. I had my ear to the rail on attacks; I did that security intelligence work for the company. I played with the devil and was able to get code like that off various Chinese hacker groups, lab them up, test them, see if they were really possible to carry out attacks with. Now obviously that whole realm has changed; it's a different world now, that method wouldn't work. But security intelligence is still a valid part of your organization. If you know what's going to happen, you know what people are doing, you know what the attack vectors are, you have a better chance to protect it, and that's what we did back then. The first one, I had a meeting with like 40 people, and these were all managers. We had an IT department of over 700; we had like 40 managers that ran these 700 people. And I demoed this attack vector and told them it was a hundred percent perfect, it would not fail, and when it got turned into a worm we were going to get hit. They laughed at me, called me Chicken Little, the sky is falling, this ain't ever going to happen. I got pissed at them, walked out of the room, told them they were going to get hit with a worm within seven days. Five days later
they got hit with a worm. The only thing that saved them was the one manager that was, like, making fun of me actually went out and started patching his systems, and told his group to roll out patches rapidly. If he hadn't done that it would have been really bad. So after that it was kind of interesting: every time
something hit the news, I had 40 managers standing at my desk going, what do we do, Deral? What's going to happen? Is it going to happen? Is it going to be a worm? So I got credibility real quick. Of course, they had actually proposed that if we didn't get hit with a worm within seven days that I should be fired. Luckily we... and of course then there were the stories of Deral wrote the worm, which I did not, but you know how that goes. So from a security intelligence standpoint, really consider this, really think about security intelligence, and there are services out there that can provide this stuff for you, because if you know what's going on out there in your real world, in your environment, you have a better chance to actually mitigate those risks before the damage is done, and be able to define real risk for your organization if you understand what's going on.

So in conclusion, I'm hoping you got something out of this and that it was enlightening. Those are my contacts; feel free to contact me if you have any questions, because I love this. I love security, I live, eat and breathe this stuff, and my goal is to help everyone be as secure as possible. I've been living in the embedded device world pretty heavily for five or six years with the goal to understand this risk and hopefully head it off before it becomes a big issue for you. Now I know a lot of people may not like the research I do and the fact that I publish this information, but remember, when this information is published the fixes are there, the workarounds are there. This isn't blindsiding nobody. But if you don't pay attention to what's going on out there, you're not paying attention to the devices you have on your network, you don't know what you have on your network, the work I do is wasted, because now only the bad guys have access to it, or the consultants, assessment engineers, not you. And the truth is you need to have that information, and that's why I'm here, and hopefully I gave it to you and you enjoyed it. And that's my
presentation. Thank you very much. Any questions? So I forgot about questions. Does someone have any question? Yes, sir? Yeah, we have a guy at Rapid7 that's actually doing embedded device research, so feel free if you have any questions to contact Rapid7, contact me, and I can get you his information. Anyone else? Well, I'm going to be around most of the evening. Right now I've got to go do some quick work, but I'll be at the event tonight until eight, nine, ten o'clock, so feel free to engage me. Thank you.
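The rogue-SSID demonstration earlier in the talk works because a controller's web console rendered the raw SSID of an observed access point straight into its page. As an added defensive example (not from the talk, and not Aruba's or Rapid7's code), here is the fix a dashboard author would make in Python: treat the SSID as untrusted bytes, enforce the 32-byte limit the speaker mentions, drop control characters, and HTML-escape the result before rendering. The unsafe renderer is shown beside the safe one; the sample SSIDs are constructed, and the one carrying `<b>` markup is a harmless stand-in for hostile content.

```python
import html
import unicodedata

SSID_MAX_BYTES = 32  # IEEE 802.11 SSID element length limit (the "32 bytes" in the talk)

# Constructed beacon observations: (raw SSID bytes, signal in dBm). Not real captures.
# The second entry carries harmless <b> markup to stand in for hostile content;
# the third mixes valid UTF-8 with stray control bytes.
OBSERVED_APS = [
    (b"corp-guest", -41),
    (b"<b>Free WiFi</b>", -60),
    (b"caf\xc3\xa9-public\x00\x01", -72),
]


def is_valid_ssid(raw: bytes) -> bool:
    """A beacon SSID longer than 32 bytes is malformed and should not be displayed."""
    return len(raw) <= SSID_MAX_BYTES


def ssid_for_display(raw: bytes) -> str:
    """Turn untrusted SSID bytes into text that is safe to hand to a renderer.

    Rejects over-length SSIDs, decodes as UTF-8 with replacement so odd bytes
    cannot raise inside page rendering, and strips control characters
    (Unicode category C*) so they cannot confuse a terminal or log viewer.
    HTML escaping is left to the renderer, because that is where the context is known.
    """
    if not is_valid_ssid(raw):
        raise ValueError(f"SSID longer than {SSID_MAX_BYTES} bytes")
    text = raw.decode("utf-8", errors="replace")
    return "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")


def render_rogue_table_unsafe(aps) -> str:
    """The pattern that makes the talk's attack work: raw SSID concatenated into HTML."""
    rows = "".join(
        f"<tr><td>{raw.decode('utf-8', 'replace')}</td><td>{dbm}</td></tr>"
        for raw, dbm in aps
    )
    return f"<table>{rows}</table>"


def render_rogue_table_safe(aps) -> str:
    """Hardened form: validate, then HTML-escape (quote=True also escapes ' and ")."""
    rows = "".join(
        f"<tr><td>{html.escape(ssid_for_display(raw), quote=True)}</td>"
        f"<td>{int(dbm)}</td></tr>"
        for raw, dbm in aps
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    print(render_rogue_table_unsafe(OBSERVED_APS))
    print(render_rogue_table_safe(OBSERVED_APS))
```

The same two steps apply to any field an embedded device reports about its surroundings (client hostnames, neighbour names, syslog text): validate it against the protocol's own limits, then escape it for the context it is rendered into.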