Mirai botnet: Intro to discussion
Slawomir.Jasek@securing.pl @slawekja, OWASP Kraków, 15.11.2016
We have all heard about it...
Mirai intro to discussion, OWASP Kraków 2016.11.15 @slawekja
The most often pointed-at manufacturer
"No, it's not us, it's the users!"
http://www.xiongmaitech.com/index.php/news/info/12/76
(only in Chinese, I used Google Translate)
My story...
The best-priced IP camera with PoE and the ONVIF management standard (was supposed to) assure painless integration of the video in my installation.
Malware embedded...
http://artfulhacker.com/post/142519805054/beware-even-things-on-amazon-come
https://ipcamtalk.com/threads/brenz-pl-malware-in-ip-cameras-what-now.12851/
http://forums.whirlpool.net.au/forum-replies.cfm?t=2362073&p=11r211
Path traversal
Auth bypass...
The cloud service
# tcpdump host camera.local
18:48:41.290938 IP camera.local.49030 > ec2-54-72-86-70.eu-west-1.compute.amazonaws.com.8000: UDP, length 25
Device login: no password, static captcha, id = MAC ;)
FAQ
Telnet
Nmap
root@kali:~# nmap 10.5.5.20
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-06 10:59 EST
Nmap scan report for 10.5.5.20
Host is up (0.019s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
554/tcp  open  rtsp
8899/tcp open  ospf-lite
Mirai credentials for brute-force
https://github.com/securing/mirai_credentials
Now go and brute the telnet
root@kali:~# hydra -C mirai_creds.txt telnet://10.5.5.20
A few seconds later...
The telnet password
I did not have the credentials a few years ago...
But the password was already known then.
No need to hack, search password and the name of device in Russian
Wait...
But we have changed the default password, didn't we?
https://www.us-cert.gov/ncas/alerts/TA16-288A
So, where is the password?
# cat /etc/passwd
root:$1$RYIwEiRA$d5iRRVQ5ZeRTrJwGjRy.B0:0:0:root:/:/bin/sh
# mount
/dev/root on / type cramfs (ro,relatime)
Can we change it?
# passwd
-sh: passwd: not found
# echo "better etc passwd" > /etc/passwd
-sh: can't create /etc/passwd: Read-only file system
# mount -o remount,rw /
# mount
/dev/root on / type cramfs (ro,relatime)
So, it looks like we have to reflash...
The DVR (10.5.5.30) has telnet disabled (firmware versions starting mid-2015).
But for many models the upgrade is not available ;)
... and the DVR still has telnet on 9527 ;) not to mention other vulns
How to upgrade firmware?
Let's imagine you are a regular camera user...
You have bought a camera in the nearest shop with cameras.
You know your camera is vulnerable and should be upgraded.
Try to find out how to do it, and where to find the firmware.
What do you think a regular user will do?
Device Supply chain
Various vendors, same device
Supply chain
Board Support Package - drivers, bootloader, kernel-level SDK: Broadcom, Texas Instruments, HiSilicon, WindRiver...
Original Device Manufacturer - web interface, SDK, cloud...: usually unknown, from China, Taiwan etc.
Original Equipment Manufacturer - composing, branding ODMs + support, license, warranty...
Value Added Reseller / Distributor
End user
Fabless manufacturing
At every stage of the chain: Features, Price!
Security? ? ? ?
Mirai
Back in 2012
Internet Census Project
http://internetcensus2012.bitbucket.org/paper.html
2012 vs 2016
https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html
http://internetcensus2012.bitbucket.org/paper.html
Mirai source
https://github.com/jgamblin/Mirai-Source-Code/
Warning: The zip file for this repo is being identified by some AV programs as malware.
Worth reading
The original post with source code: Mirai-Source-Code-master/ForumPost.txt
How does it spread?
mirai/bot/scanner.c
Scans for random IPs with several exclusions ;)
Next, it tries to hit telnet, and once in ten attempts port 2323 instead
Password list
Resolve C&C IP with DNS
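Added example, not code from the talk or from the Mirai sources: a small detector for the scanning behaviour just described, run over constructed connection-log records. It flags any source whose SYNs to 23/2323 reach many distinct hosts and reports the share sent to 2323; the log format, sample addresses and threshold are assumptions.

```python
# Added example (not from the talk): flag Mirai-style telnet scanning in connection
# logs. Log format, sample data and thresholds are constructed assumptions.
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # ports probed by mirai/bot/scanner.c, per the slides
MIN_DISTINCT_TARGETS = 8    # assumed threshold: distinct destinations per source

# Constructed sample log, one "timestamp src dst dport tcp_flags" record per line.
# 10.5.5.1 is an admin reaching the camera; 10.5.5.20 is an infected camera
# sweeping random addresses, nine on 23 and one on 2323 (the 1-in-10 behaviour).
SAMPLE_LOG = [
    "1478430000 10.5.5.1 10.5.5.20 23 S",
    "1478430001 10.5.5.1 10.5.5.20 80 S",
    "1478430002 10.5.5.1 10.5.5.20 23 S",
] + [f"{1478430010 + i} 10.5.5.20 198.51.100.{i + 1} 23 S" for i in range(9)] + [
    "1478430019 10.5.5.20 203.0.113.7 2323 S",
]


def parse_record(line):
    """Split one log record into (timestamp, src, dst, dport, flags)."""
    ts, src, dst, dport, flags = line.split()
    return int(ts), src, dst, int(dport), flags


def find_telnet_scanners(lines, min_targets=MIN_DISTINCT_TARGETS):
    """Return {src: (distinct_targets, share_on_2323)} for every source whose
    SYNs to 23/2323 reached at least min_targets distinct destinations.
    One host fanning out telnet SYNs to many addresses is the signature of the
    scanner loop, whether or not any login attempt succeeded."""
    targets = defaultdict(set)
    port_hits = defaultdict(lambda: [0, 0])   # per source: [to port 23, to port 2323]
    for line in lines:
        if not line.strip():
            continue
        _ts, src, dst, dport, flags = parse_record(line)
        if flags != "S" or dport not in TELNET_PORTS:
            continue                          # only outbound connection attempts count
        targets[src].add(dst)
        port_hits[src][dport == 2323] += 1    # bool indexes 0 (port 23) or 1 (port 2323)
    flagged = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            to_23, to_2323 = port_hits[src]
            flagged[src] = (len(dsts), to_2323 / (to_23 + to_2323))
    return flagged


if __name__ == "__main__":
    for src, (n, share) in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct telnet targets, {share:.0%} on 2323 -> Mirai-like")
```

On a real capture the same records can be produced from the pcap with tshark or from router flow logs; the threshold should be tuned so that a single admin session never trips it.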
Catching Mirai
https://twitter.com/MiraiAttacks/
Live feed of commands sent to 500 infected machines
How about dynamic analysis?
We will expose the camera's telnet service directly to the Internet... and see what happens.
https://asciinema.org/a/1tynlhzfs0lmw6t3bn5k40cu7
Our setup
Devices: 2 cameras + 1 DVR
Router VPNs to a public IP, exposes the devices' telnet
Dump all traffic to/from devices for analysis
Wireshark analysis
http://10.5.5.5/mirai.pcap
Right click -> Follow -> TCP Stream
Telnet session
Hello, my name is ...
Check processor version
Download payload into upnp
C&C connection establishment: DNS query
C&C DNS
Thanks: Josh Pyorre, OpenDNS
DNS domain taken by FBI
Thanks: Josh Pyorre, OpenDNS
whois hightechcrime.club
Registrant ID: C4853993-CLUB
Registrant Name: Zee Gate
Registrant Street: 666 antichrist lane
Registrant City: San Diego
Registrant State/Province: CA
Registrant Postal Code: 92050
Registrant Country: US
Registrant Phone: +1.7603014069
Registrant Fax: +1.7603014069
Registrant Email: abuse@fbi.gov
Admin ID: C4853996-CLUB
Admin Name: Zee Gate
Admin Street: 666 antichrist lane
CNC
Scanning for new targets
Other variants: DONGS?
https://asciinema.org/a/eqayq785gwz5qqnbhnfrmwdkg (about 13:00)
What can we do?
Set your DNS to 127.0.0.1?
Not everyone can afford that ;)
Protocols?
P2P? We have seen it already...
Proprietary management protocol? It can reset the camera remotely to defaults if you forgot the password. Seriously ;)
And there was also an auth bypass in a similar (same?) one:
https://depthsecurity.com/blog/dahua-dvr-authentication-bypass-cve-2013-6117
OUR LAB
3 devices:
Black one: 10.5.5.20
White one: 10.5.5.25
DVR: 10.5.5.30
admin/WIFI: owasp/ApplicationSecurity
Bot wars?
Will the black market regulate itself? ;)
Write a better bot, vigilante hack? Remember Linux.wifatch?
Find a vuln in the botnet?
https://www.invincealabs.com/blog/2016/10/killing-mirai
What can we do about it?
ISP? Block telnet, inform users?
Device callout? User awareness?
Regulatory?
Open source?
DD-WRT / OpenWRT is a great success.
Maybe we should write similar software for cameras?
Features at low cost, compromising on security, is just obscene ;) Let's do it better!
Many other vulns...
9527 debug Telnet
telnet 10.5.5.30 9527
Console log of the device (including user passwords for RTSP)
Remote control of the device (if you know the user password)
nmap -sS -sV -p 1-65535 10.5.5.20
PORT      STATE SERVICE    VERSION
23/tcp    open  telnet     Busybox telnetd
80/tcp    open  tcpwrapped
554/tcp   open  rtsp?
8899/tcp  open  soap       gSOAP soap 2.7
9527/tcp  open  unknown
34561/tcp open  unknown
34567/tcp open  unknown
34599/tcp open  unknown
Proprietary proto; debug/telnet (9527)