Here is Sergey Gordeychik, who has worked in products and services for more than 15 years. Since 2011 he has been director and scriptwriter of the Positive Hack Days forum, the largest cyber security event in Eastern Europe. Sergey has, for instance, worked at Kaspersky Lab and Positive Technologies. He is also a visiting professor at Harbour Space University in Barcelona and leader of the SCADA StrangeLove industrial cyber security research team. Today, Sergey will talk about how to hack software-defined networks and keep your sanity while doing it. Let's give a warm round of applause for Sergey Gordeychik.

Good evening, Sergey Gordeychik, for this talk about software-defined networking.

Good evening, and let's start to refresh our memory. I think I can skip this introduction, thanks to our host, because everything is here and... Thank you, 35C3, for hosting us. I live in Abu Dhabi; I am really Russian.

If you still believe in Gartner, SD-WAN software is magic. It will solve all your network problems, since there is artificial intelligence inside, and it will do everything, including security. So it's perfect for implementing networks efficiently, and it's not very expensive. When we tried with our team to understand how it works, our first impression was like this. We are hackers, we don't want to deal with this shit, but the only challenge we met: before you hack something, you need to... The difficulty we met before working on something, to hack things, is that you need to understand how the... the software-defined network works.

There are several types of devices, such as routers and switches, which solve different problems. In the case of the software-defined network, you just have a server that could run under Linux. So it's a Linux system with very specific modules like CPI, CPI, CPE. So basically, you replace specific types of equipment, load balancers, network switches, routers, with a single piece of generic equipment that can do everything.
So there are several planes: the data plane; we have the management plane, which can apply rules; we have the orchestration. But at the general level, we have a layer called network function virtualization, the virtualization of network functions. So it's very practical for the administrator. It can be a KVM image on your hardware, and you can start to use it. Because inside this box, you already have all the system infrastructure which processes packets and passes them from one virtual network function to the other: network functions on the branch level, on the cloud level, or on the HQ level.

For instance, things like content filtering, which can be very heavy from a performance perspective, can be distributed. On the HQ level, you can use heavier things like sandboxing, and if an antivirus or specific rules see that this content is suspicious, it's forwarded to HQ through MPLS or another VPN. You can also analyze it in the cloud, for the simple things like cloud threat intelligence, where your SD-WAN box will send an MD5 hash to the cloud and check whether the content is good or bad, or send all files to the cloud to double-check. Not bad. I think that is why SD-WAN becomes more popular. So software-defined networking has become very popular. We can even see that military guys use it.

Security is very familiar to us. We are used to it. Some of you are used to hacking, breaking into network appliances. But in this case it doesn't work, because it's not really appliances. It's closer to virtual appliances, like virtual machines. So your main goal is to become root. That is the checklist for our research. Because if you have root, you have all the planes; you already have access to all of this. So hacking software-defined network equipment is closer to hacking virtual machines, which are not necessarily dedicated to software-defined networking, like any other server.
It means the password for one of the SD-WAN appliances we just googled for on GitHub and found, but most of the scripts... There is no need to use any particular technique. For example, we could find a password... A password for a network appliance, a software-defined network appliance, just with a search on GitHub. And then, to root the network appliance, you just need to find a file that corresponds to the exploitation of the software-defined network appliance. So of course, your talent with Google is very useful here. You can find a lot of interesting things like... Just by searching for passwords in the configuration or in the logs, we already find interesting things. Because again, it's a virtual appliance, and someone has deployed it before you start to use it. So in the logs, there is a lot of interesting live information.

As it is a virtual appliance, apart from an image, you can easily retrieve information, and the image is reused by different companies, different clients. And you can find default values that allow you to easily hack the software-defined network equipment. You can also use the AWS shell script, which actually sets up different passwords, etc. So if you somehow can recover a script, you can find a lot of interesting information with this kind of... passwords of admin users. And you can see that from this password you can find the hash and next try to brute force it. It was just my guess that maybe there's a password like one-two-three; maybe other network appliances like Silver Peak have similar passwords: Silverpeak one-two-three. You can even find some secrets that are shared between different models of software-defined equipment, different images of virtual machines. In this case, it's more complex, because it's sometimes where you live, like this pottery network stuff, you know. But still, if you did not get root with these simple steps, again, it's a virtual appliance and you...
But even if you don't find the secrets and the credentials with these steps, with these very simple tools, you can change the remote management configuration, the password, and next boot with this configuration and get the root password too. You can still use techniques that are also classic, like changing the boot script.

So the security assessment, at the beginning, we did in a very, you know, unscientific way; we just hacked all the things. But after all, we did some, let's say, scientific research, and we have an article, for which I will give you a link, the SD-WAN Threat Landscape, with a step-by-step assessment of what you should hack to get maximum results. But... Later, I will give you a list of steps to follow, a checklist that allows you to test different hacking techniques very quickly to find the credentials, to find how to access, how to become root inside a software-defined network.

This is very simple research; we just checked the patch level. Once again, a lot of hacking techniques, common functions. There are a lot of things on the system level that are of course not patched, like the version of OpenSSL. We found it was an OpenSSL library which was released in May 2006. It's for network devices with security functions. For example, for network devices with so-called security functions, we found an OpenSSL library that is still vulnerable to Heartbleed and which dates from 2006-2007.

The next thing is related to... Of course, we find it in commercial products, types of applications that we can buy on the market: web services, shell, etc. And it's implemented in a terrible way. As you can see, TripLW data have the ability to execute all commands, and some scripts just execute any command for the user. A lot of management functions of these applications, software-defined network, are very poorly implemented and don't respect the state of the art in terms of security.
Not the system but the software design: from the software design side, there are a lot of open source components which implement IPsec, routing... Beyond the system side, if we go back a little higher, in network functions, like IPsec, for example, we also find a lot of open source software. So in this case, it's not so old school, but it's the system side. It's also true for web interfaces; we find Node.js, a very common technology. I don't know, it looks like guys developed it in the last 10 years. With all this modern Node.js stuff, developers confuse the client and the server, because, you know, JavaScript is on both sides and it's hard to understand what is server and what is client side. I will show you examples. And there are a lot of simple things like slow HTTP, those attacks... Of course, all of that increases the attack surface considerably, and we'll see in the next talk that the developers are against these products.

JSON CSRF is everywhere, so almost no web interface is implemented in a proper way. XSS is everywhere, and this is not a problem. So here is a response from the product manager of one vendor. They told me that XSS, cross-site scripting for web applications... There are even some SD-WAN vendors like that with XSS. XSS is absolutely not a problem, as Chrome blocks it. While this type of attack, XSS, allows you to send the certificates that manage the authentication.

If we have an example: a request made by client-side JavaScript, a username and password page. So this is 100% client side. Now we check on the server side if you can change it. The second example is just perfect. It allows you, for example, to change something without the server participating and verifying that your operation is authorized. You can comment it out and say, if the username is whatever and the password is whatever, then go home, so authentication is passed. So... We find code that, for example, checks a username and a password, that the developer intended to keep on the server side but that actually executes client side.
So there is more about authentication. If you have a server or a system management box, we just bind it to localhost. So you cannot establish a connection from outside, because it is listening on localhost, but if you are already on this box, you can connect from this box to... There is a service, like Shell In A Box or a single one, that you cannot reach from outside. This gives us: if you have access to a shell on the plane, you can access all these services. You can even access other Docker containers. Management applications in most cases have no traffic filtering and trust the management applications of all virtual network functions which run on this appliance. You can access management applications which correspond to other virtual networks. Jump down to the operating system level and next go to the management plane upstairs, to the management appliances. Of course you can use this type of vulnerability in both senses: either to other network functions or, in our sense, to the OS which manages all these virtual network functions.

We used static analysis tools to find vulnerabilities. For example, in a product made by Citrix, we found a vulnerability in 2017. It's obviously path traversal, but it's just a reminder that attachments lead to the jealousy and the shadow of the grid, that is. If you send an attachment "shadow", you can get shadow. This is without interaction.

The next step is crypto, because a security appliance should implement cryptography. Of course the next step is to look at the crypto side, because of course these network appliance applications use crypto. Of course on this side we find problems: the configuration which is left by default in the case of many libraries, and the defaults are absolutely not secure. For example, with OpenSSL you will find a lot of ciphers which are completely broken today, in 2019.
There are also these configuration elements, such as pre-shared keys, which, instead of being unique per software appliance, are duplicated for every instance of the software appliance. It should maybe be read, but why write? And what's interesting? As all appliances in the world use, you know, this key, and it's obviously cut from that file system, you can passively or actively sniff traffic to man-in-the-middle and spoof the management appliance, and if this device has any web application vulnerability, you can overwrite it. I don't know why, but maybe if in the next turn we change the certificate, you can download it and do man-in-the-middle again. You can even change the certificate and this key for the management web interface, which you also have as a file on the web interface, so in this case you can re-activate these security flaws.

For a type of appliance called Suricata, we have a vulnerability in the regular expression engine, the regex, of the denial-of-service type. We find funny things; we deliver this engineering as a function called MarvelSuxInit. Vulnerabilities: so green is good or bad, good for them, bad for us; we are unable to detect it. But you can see that most classes of vulnerabilities, like hardcoded credentials, broken access control, old products or Linux components... So we can see that a whole range of attacks or vulnerabilities affects all the vendors, so you just choose and shoot.

For example, you have to deploy: you have a branch, they have several branches, so with a software-defined network appliance you can, for example, send your appliance and it will be automatically configured using the internet. So from a security perspective, this scheme looks terrible. Why? Because this SD-WAN cloud deployment server should be friendly, but any attacker, if you know the ID, if you can brute force this ID, you can pretend to be this device. That is to say that you can go for the server in the cloud, you can replace the server and force the network appliance to connect to you, to your device, and take
control of its configuration. Network devices should connect sometimes, but also we found very funny things related to the distribution of these devices, because, as I told you in the beginning, most of such devices can be activated as a cloud appliance for AWS or other cloud services, and we found that most of the default images use old versions with known vulnerabilities. So you go to AWS, also for the software-defined network appliances which work only in the cloud and which are available on AWS, and you can deploy them there. We noticed that this type of software-defined network appliance uses old, unpatched software, and so even if these images are configured to be able to search for updates etc., as they have this vulnerability from the start, you can once again take control of these updates and just perpetuate the infection.

Because we always work in the responsible disclosure way, and as you can see, as security researchers we always try to do responsible disclosure; we always try to be in contact with the community, the vendors, to try to fix these problems. But when we tried to submit a vulnerability to this vendor, we were unable to find the email for this product. When we tried to do that, we tried to find a contact, but the vendors don't... But we found that guys who did similar research before found a great way: send an email to the CEO of this company. Unfortunately my Google-fu is not good enough, and I am unable to find the direct email of the CEO of this company. My Google-fu is not good enough to find this information sometimes.

Here is a comparison between different vendors on how it is possible to contact them, or how they react to our reports, our bug reports, what they mean. But the funniest thing here: this vendor, where the device is not a generic web service, so of course we contacted this vendor, but they don't even understand what we are talking about; they don't even understand who we are. Someone suggested simply scanning the entire internet to try to find software-defined... so we can use
several tools for that: there is nmap, Shodan, even Google. We even found an article which makes a review of all these applications which contain known vulnerabilities, and you can know in a few minutes. And also we built some kind of vulnerability assessment tool which helps you to find known vulnerabilities in these SD-WAN devices. This example is for the OpenSSH patch level; as you can see, some series from 2010, 2014, etc. This is open source; you can find it on GitHub. We have two versions: one is SD-WAN Harvester, which we used; we wrote some software to try all the necessary machines for vulnerabilities, of course open source, you can find it on GitHub, which is a bunch of Nmap scripts, and you can use it during penetration testing, so it's not necessary to be connected to the internet; you can just use it inside the network. When we did this research... of course you can use this tool even on your own network; you don't need to connect to the internet, so you can use it to check your own products, for your network appliances, let's say enterprise network appliances.

And we found there are some IP addresses which we found during our assessment, internet harvesting, in this list, and in our experience there is no such thing as a lot. We tried to find why such appliances are so easily hacked, and obviously the default password, which is hardcoded, sometimes never changed, is what is used on these appliances. We tried to reach vendors and say, guys, maybe it's a bad idea to use, for instance, hardcoded... not hardcoded, by default, the community "public" and "public" for free. But they told us that SNMP is off by default, but still a simple Shodan search shows that more than 200 users of this SD-WAN enable this. We found the appliance with default passwords, but we were told that SNMP is deactivated by default, but when we look, when we do a search, it's not what we observe. So we are publishing Metasploit modules to facilitate the use of these flaws.

From my perspective, how SD-WAN... To conclude, my perspective on how software-defined appliances
are developed: open source. We can basically download the open source and put it together, and boom, we have a software-defined appliance. It's not necessarily my problem, but you have to be careful about what you do. These are complex products that have a lot of features, especially in management; the management of updates is problematic, a lot of vendors really have problems with updates, and they don't know how to respond to bug reports or reports on security flaws. So thank you for your attention, and I want to thank all these people who have done most of what I presented to you tonight.

We will soon answer the questions. After a quarter of questions... there are no questions for now. First question: beyond any other Linux server, are there really specific problems with the software-defined... for example their IPv6, I don't know, kind of protocol, which is more or less reused in different vendors, in different solutions, and SD-WAN: every vendor implements things in their own way. You have to make the difference between SD-WAN, software-defined wide area network, compared to SDN, software-defined network, where things are much less harmonized; each vendor with SD-WAN does things in their own way. Because again, this VNF story is very interesting, because if you have a vulnerability in any virtual function, next you can get access to our virtual machine. But again, the problem here: there is no standard, and different vendors call the function of virtualization that embarks this network equipment software-defined... are really interesting; there are a lot of bugs to find for people who put the work in. Yeah, in conclusion also that it's not necessary to try to buy things through eBay to hack it; you can just go to AWS and activate it. So the fact that there are as many different vendors... these problems, I did not understand. Question 3: so you said that some of these virtual machines are hardened, so we're talking about... there were examples showing X2.6. The speaker answered that it was one of the worst examples; X2.6
was very old, so of course there is not necessarily a vulnerability in these versions, and what people, or what the vendors, call virtual network functions are just scripts that change the configuration; there is not even any virtualization. Of course they do not use recent security features, like recent or not but specialized ones, like GRSEC; they are not dead. We ask if Cisco Meraki... if the team was watching, if there were flaws in Cisco Meraki, and the speaker answers that they did not do Cisco Meraki, but they did Viptela, another product at Cisco. We want the hard-coded passwords back. Sorry? Because there were so many hard-coded passwords everywhere, maybe you should just drop a slide in the 90s called "they want the hard-coded passwords or logins back". I don't know. So it's public things. Apparently there are no more questions. We have this, there, applause.