1. How to dominate a country
An analysis of the Portuguese internet's exposure to cyber-attacks
2. WHAT are you?
We are:
• Security researchers
• Security enthusiasts
• Students, corporate sheep (read: auditors), programmers, pentesters
We are not:
• Lulzsec
• Anonymous
• A hacking group
• And no, we won't help you hack your girlfriend's Facebook!
3. Who are you?
• Tiago Henriques
– Team founder @ PTCoreSec
– Pentester/Researcher @ 7Elements
– @Balgan
• Tiago Martins
– Team vice-founder @ PTCoreSec
– Researcher
– @Gank_101
• Filipe Reis
– Programmer @ PTCoreSec
– Intern @ Layer8
– @fjdreis
• Jean Figueiredo
– Network security researcher @ PTCoreSec
– Netsec admin @ Tecnocom
– @klinzter
4. Who are you? @balgan
• Tiago Henriques
• 24
• BSc Software Engineering – University of Brighton
• MSc by Research Computer Security and Forensics – University of Bedfordshire
• Started a PhD but decided to drop out and go work in the industry...
• CEH
• CHFI
• Team founder @ PTCoreSec
• Currently a Pentester/Researcher @ 7Elements
• @Balgan
7. We are NOT RESPONSIBLE FOR ANY ILLEGAL ACTS OR ACTIONS PRACTICED BY YOU OR ANYONE THAT LEARNS SOMETHING FROM TODAY'S PRESENTATION.
8. Causing Chaos.
Q: If you guys were an attacker that was out to cause real damage or make a profit, how would you go about it?
A: This is what we would do: control as many machines in that country as possible, penetrate critical systems and get as much intel/info as possible.
10. How it all got started
We're hackers! We love knowing how to break things and how others would go about breaking things!
The difference between us and others is simple:
• We want to break things legally and find a way to fix them.
• We want to learn about new things and help people.
12. How it all got started
We saw some talks that really inspired us, given by two great people: HD Moore and Fyodor.
13. However…
We also ran into a bit of a problem…
Port scanning might or might not be illegal in Portugal!
No one is actually sure, and we talked with multiple people:
• Police
• Sysadmins
• Researchers
• Security professionals
14. What to do?
• So, if you can't port scan, how do you find out what your enemy's attack surface is?
• How do you find out if the entire infrastructure you rely on every day is vulnerable or safe?
• Security by obscurity? Right, that works well….
15. What to do?
• We went and did the port scans, in passive mode; no system was penetrated in any way whatsoever.
• We did it slowly, and with plenty of time between scans, so as not to cause any DoS issues.
16. Port scanning
• Tools of the trade:
– Nmap
– wkhtmltoimage
– Python
– Scapy
– Linux
– NodeJS
– MongoDB
– C
– Red Bull + lots of nights awake + frustration
17. Port scanning - Process
1. Get Portugal's CIDRs
2. Decide on a set of services you consider important
3. Check which IPs have those ports open
4. Check which versions of those services are running
(Steps 3 and 4 are the actual scanning.)
18. Port scanning - Process
1. Get Portugal’s CIDRs
There are two places where you can get these:
• http://software77.net/geo-ip/
• ftp://ftp.ripe.net/pub/stats/ripencc/delegated-ripencc-latest
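As an added example (not code from the original deck), here is how the second source above, the RIPE NCC delegated file, can be turned into a per-country CIDR list in Python. The column layout is the real one, but DELEGATED_SAMPLE is constructed sample data, not actual allocations; it includes a record whose host count is not a power of two, which is the case that needs more than one CIDR.

```python
import ipaddress

# Constructed sample in the RIPE NCC "delegated-ripencc-latest" layout
# (registry|cc|type|start|value|date|status). The numbers are made up
# for this example; they are not real allocations.
DELEGATED_SAMPLE = """\
2|ripencc|20130220|4|19830705|20130219|+0100
ripencc|*|ipv4|*|4|summary
ripencc|PT|ipv4|2.80.0.0|262144|20110603|allocated
ripencc|PT|ipv4|5.43.0.0|16384|20120417|allocated
ripencc|PT|ipv4|192.0.2.0|768|20100101|assigned
ripencc|ES|ipv4|5.44.0.0|4096|20120417|allocated
ripencc|PT|ipv6|2001:db8::|32|20110101|allocated
ripencc|PT|asn|64496|1|20000101|allocated
"""


def delegated_to_cidrs(text, country):
    """Return the IPv4 CIDR blocks delegated to `country` (ISO 3166 code).

    Each IPv4 record is a start address plus a host count. Counts are not
    always powers of two, so one record may need several CIDR blocks;
    summarize_address_range() yields the minimal set of aligned blocks.
    """
    cidrs = []
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7:
            continue  # blank lines and the 6-field summary lines
        _registry, cc, kind, start, value, _date, status = fields[:7]
        if cc != country or kind != "ipv4":
            continue  # the version header has cc "ripencc" and is skipped here
        if status not in ("allocated", "assigned"):
            continue  # skip reserved/available space
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        cidrs.extend(str(n) for n in ipaddress.summarize_address_range(first, last))
    return cidrs


def total_addresses(cidrs):
    """Number of IPv4 addresses covered by the CIDR list (compare with the
    'allocated IPs' figure a country-wide inventory reports)."""
    return sum(ipaddress.IPv4Network(c).num_addresses for c in cidrs)
```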
19. Port scanning - Process
2. Decide on a set of services you consider important

ID  Port   TCP/UDP  Service
1   80     TCP      HTTP
2   443    TCP      HTTPS
3   8080   TCP      HTTP alternative
4   21     TCP      FTP
5   22     TCP      SSH
6   23     TCP      Telnet
7   53     UDP      DNS
8   445    TCP      Samba
9   139    TCP      Samba
10  161    UDP      SNMP
11  1900   UDP      UPnP
12  2869   TCP      UPnP
13  5353   UDP      mDNS
14  137    TCP      NetBIOS
15  25     TCP      SMTP
16  110    TCP      POP3
17  143    TCP      IMAP
18  3306   TCP      MySQL
19  5900   TCP      VNC Server
20  17185  UDP      VoIP
21  3389   TCP      Rdesktop
22  8082   TCP      TR-069
20. Port scanning - Process
3. Check which IPs have those ports open
4. Check which versions of those services are running
This is where it gets tricky!
21. Port scanning - Process
• Portugal on the internet….
– 5,822,240 allocated IPs
– Dynamic IPs
– GPRS
22. Port scanning - Process
• So as we mentioned, we divided the actual scanning into two parts! And you might be wondering why…
Common nmap scan for TCP:
nmap -iL ipswithftp -oA port21-FTP-with-Services -sS -sV -p21 -T5 -PN
The problem with this is that DNS resolution and -sV (service detection) are very slow.
So how do we solve this problem? We obviously want the domains the IPs are associated with, and the versions of the services running.
23. Port scanning - Process
• Do the fast things on the 6 million IPs and then do the slow stuff only on the IPs that are running the service we want to analyse.
• nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10 -n
• Then we will have the list of IPs that have FTP running on port 21 in 3 files:
– port21-FTP.xml
– port21-FTP.gnmap
– port21-FTP.nmap
• Extract the IPs from the gnmap:
grep -w "21/open" port21-FTP.gnmap | awk '{print $2}' > IPSWITHFTP.txt
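As an added example, not code from the original deck, here is a small Python parser for the greppable (.gnmap) output that does the same job as the grep/awk one-liner above, and also handles the UDP "open|filtered" ambiguity the later slides describe. GNMAP_SAMPLE is a constructed input using RFC 5737 documentation addresses; the field layout of the Ports: column is nmap's real one.

```python
import ipaddress

# Constructed sample of nmap greppable output (the .gnmap file written by -oA).
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
GNMAP_SAMPLE = """\
# Nmap 6.25 scan initiated as: nmap -iL CIDRSPT.txt -oA port21-FTP -sS -p21 -T5 -PN -n
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (0)
Host: 192.0.2.11 ()\tPorts: 21/closed/tcp//ftp///
Host: 192.0.2.12 (ftp.example.org)\tPorts: 21/filtered/tcp//ftp///
Host: 192.0.2.13 ()\tPorts: 21/open/tcp//ftp///, 80/open/tcp//http///
Host: 198.51.100.7 ()\tPorts: 161/open|filtered/udp//snmp///
# Nmap done -- 5 IP addresses (5 hosts up) scanned in 12.34 seconds
"""


def parse_gnmap(text):
    """Yield (ip, port, state, proto) for every port entry in a gnmap file.

    Each entry in the Ports: column is port/state/protocol/owner/service/rpc/version/.
    """
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines
        fields = line.split("\t")
        ip = fields[0].split()[1]  # "Host: <ip> (<hostname>)"
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # "Status:" and "Ignored State:" columns
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3:
                    yield ip, int(parts[0]), parts[1], parts[2]


def hosts_with_port(text, port, proto="tcp", states=("open",)):
    """Sorted, de-duplicated IPs whose port/proto is in one of `states`.

    For UDP pass states=("open", "open|filtered"): an unanswered probe is
    reported as open|filtered, so "not open" is not proof the port is closed.
    """
    hits = {ip for ip, p, state, pr in parse_gnmap(text)
            if p == port and pr == proto and state in states}
    return sorted(hits, key=ipaddress.ip_address)
```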
24. Port scanning - Process
• Do the slow things only on the IPs that have our service running.
• nmap -iL IPSWITHFTP.txt -oA port21-FTP-FINAL -sV -p21 -T5 -PN --host-timeout 1501 --min-hostgroup 400 --min-parallelism 10
• Then we will have the list of IPs that have FTP running on port 21 AND the version of those services in 3 files:
– port21-FTP-FINAL.xml
– port21-FTP-FINAL.gnmap
– port21-FTP-FINAL.nmap
25. Port scanning - Process
• However… we still have UDP… and let me tell you….
26. Port scanning - Process
Nmap also has a UDP mode (-sU); however, it doesn't work very well without -sV (read: it's shit!). When testing it in our lab we noticed that most of the time nmap wasn't able to detect whether there was a service running or not.
The reason for this is: "UDP scanning is slow, as open/filtered ports typically don't respond, so nmap has to time out and then retransmit, whilst closed ports will send an ICMP port unreachable error, which systems typically rate limit."
When we started, it took us around 4 weeks to scan UDP on the entire country on 1 port….
27. Port scanning - Process
Solution? SCAPY!
[Diagram: lab setup, a client probing a server with a service running on port 11111]
28. Port scanning - Process
Result of that script ?
On lab testing….
29. Port scanning - Process
Result of that script ?
On internet testing….
30. Port scanning - Process
When we started, it took us around 4+ weeks to scan UDP on the entire country on 1 port using Nmap…. We took this as a baseline first run to improve on…
Our second run, we used python+scapy and it went down!!
1 week – well, not bad for a second run, but 1 week for a port?
Our third run, we used python + multithreading fu + scapy + blackmamba – 3 days – and this was the best we brought it down to without bringing in the big guns (read: "asking HD Moore for help").
Fourth run – C.
Yup, the entire .pt (1 port) scanned in 4 minutes and 45 seconds.
31. Port scanning - Process
So... At this point we can do UDP in 5 minutes. As you can guess... we now love UDP scanning again...
Our next objective became to speed up our TCP scanning. For you to understand what we did, you need first to understand how nmap works:
[Chart: packets per second (0 to 25,000) over time (1 to 21) for Nmap]
32. Port scanning - Process
What we did is write our own TCP scanner. And the result is the following:
[Chart: packets per second (0 to 25,000) over time (1 to 21) for PTCoreSecTCP]
33. Port scanning - End
So we had our kick-ass friends send us our kick-ass raw results… now what do we do with them?
34. Port scanning - End
Terminals are fun, BUT we want an easier way to look at our data…
So…. we wrote a tool:
PTCoreSec Command Center!
47. Port scanning – How does it work?
Step 1 – PTCoreSec admins request a job (scan) on the backend.
Step 2 – The server side checks the current number of live raspi minions.
Step 3 – The server divides the CIDRs among the different clients and sends them over.
Step 4 – The clients (minions) do the scans and send them back to the server over XML-RPC.
Step 5 – The server imports these scans into the MongoDB backend.
53. Business
And that's all really neat and pretty, however there are 2 problems with that! These guys don't give a f***:
• Management
• Blackhats
54. Management
Cares about:
• Money
• Money
• Money
Does:
• Will lie for PCI DSS/ISO27001/{Compliance}
• Approves every single thing, even if it doesn't match the security department's goals, but gets them moneys.
This gives us, security peeps, headaches!
55. I ask ONLY ONE thing of you
Leave your whitehats at home, and
56. SHODAN
SHODAN is a search engine that lets you find specific computers
(routers, servers, etc.) using a variety of filters. Some have also described it as
a public port scan directory or a search engine of banners.
Another way of putting it would be:
63. SHODAN
Accessing that website will give you a bar where you can type queries and obtain results.
Your queries can ask for ports, countries, strings contained in the banners, and all sorts of other things.
Following is a sample set of queries that can lead to some interesting results:
78. SHODAN QUERIES OF AWESOMENESS
port:23 country:PT
Username:admin
Password:smcadmin
79. SHODAN QUERIES OF AWESOMENESS
port:23 list of built-in commands
[Screenshot: worldwide result count]
Not a big number, however just telnet in and you get shell…
80. SHODAN QUERIES OF AWESOMENESS
port:161 country:PT
[Screenshots: result counts worldwide and for Portugal]
81. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP?
• Windows RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
• Windows INSTALLED SOFTWARE 1.3.6.1.2.1.25.6.3.1.2
• Windows SYSTEM INFO 1.3.6.1.2.1.1.1
• Windows HOSTNAME 1.3.6.1.2.1.1.5
• Windows DOMAIN 1.3.6.1.4.1.77.1.4.1
• Windows UPTIME 1.3.6.1.2.1.1.3
• Windows USERS 1.3.6.1.4.1.77.1.2.25
• Windows SHARES 1.3.6.1.4.1.77.1.2.27
• Windows DISKS 1.3.6.1.2.1.25.2.3.1.3
• Windows SERVICES 1.3.6.1.4.1.77.1.2.3.1.1
• Windows LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
• Windows LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
82. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP?
• Linux RUNNING PROCESSES 1.3.6.1.2.1.25.4.2.1.2
• Linux SYSTEM INFO 1.3.6.1.2.1.1.1
• Linux HOSTNAME 1.3.6.1.2.1.1.5
• Linux UPTIME 1.3.6.1.2.1.1.3
• Linux MOUNTPOINTS 1.3.6.1.2.1.25.2.3.1.3
• Linux RUNNING SOFTWARE PATHS 1.3.6.1.2.1.25.4.2.1.4
• Linux LISTENING UDP PORTS 1.3.6.1.2.1.7.5.1.2.0.0.0.0
• Linux LISTENING TCP PORTS 1.3.6.1.2.1.6.13.1.3.0.0.0.0
83. SHODAN QUERIES OF AWESOMENESS
What sort of info do I get with SNMP?
• Cisco LAST TERMINAL USERS 1.3.6.1.4.1.9.9.43.1.1.6.1.8
• Cisco INTERFACES 1.3.6.1.2.1.2.2.1.2
• Cisco SYSTEM INFO 1.3.6.1.2.1.1.1
• Cisco HOSTNAME 1.3.6.1.2.1.1.5
• Cisco SNMP COMMUNITIES 1.3.6.1.6.3.12.1.3.1.4
• Cisco UPTIME 1.3.6.1.2.1.1.3
• Cisco IP ADDRESSES 1.3.6.1.2.1.4.20.1.1
• Cisco INTERFACE DESCRIPTIONS 1.3.6.1.2.1.31.1.1.1.18
• Cisco HARDWARE 1.3.6.1.2.1.47.1.1.1.1.2
• Cisco TACACS SERVER 1.3.6.1.4.1.9.2.1.5
• Cisco LOG MESSAGES 1.3.6.1.4.1.9.9.41.1.2.3.1.5
• Cisco PROCESSES 1.3.6.1.4.1.9.9.109.1.2.1.1.2
• Cisco SNMP TRAP SERVER 1.3.6.1.6.3.12.1.2.1.7
95. Projecto Portugal Seguro - PTCoreSec
• 29 January 2013 – released a study which showed new flaws in UPnP and numbers on the devices replying to UPnP.
• PTCoreSec, under the scope of project Portugal Seguro, proceeded to help ISPs with this problem.
• We sent an email to all ISPs that resulted in the following:
97. Projecto Portugal Seguro
• Result
– For some ISPs we noticed changes in the order of 80% in the number of IPs that stopped responding to UPnP in less than 1 week.
– Quicker and faster response contacts, so that we can improve even further on this in case of a next event.
110. A little tip…
If you want to quickly check for
stuff (web related) that has no
authentication, use NMAP!
111. A little tip…
First, let's get wkhtmltoimage:
wget http://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-i386.tar.bz2
cp wkhtmltoimage-i386 /usr/local/bin/
Next, let's get and install the Nmap module:
git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap --script-updatedb
112. A little tip…
Then, do your Shodan search and use:
This automatically exports a list of IPs you can import into nmap.
122. Shodan – the bad part
• Imports nmap scans from their servers on a rotational basis, so it's not always 100% updated! We confirmed this by correlating some of the Shodan results with our own results!
• For example, on MySQL servers, Shodan would find 785, where our results showed 3000+.
123. Shodan – the good part
• Good querying system
• If port scanning is illegal in your country, you're out of trouble if you use Shodan, because you're just querying data acquired by them.
124. Resources
http://secanalysis.com/interesting-shodan-searches/
blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html
http://www.youtube.com/watch?v=LPgZU7ZNIjQ – Defcon 18 (2010): SHODAN for Penetration Testers, Michael Schearer
http://www.youtube.com/watch?v=Tg9ZAvynjdk – HD Moore – Empirical Exploitation
http://www.youtube.com/watch?v=b-uPh99whw4 – HD Moore – Wild West
(Speaker notes on the nmap options used in the scans:)
--host-timeout 1501 – wait the minimum time on a host
-n – don't do DNS resolution
--min-parallelism 10 – probes (instances)
--min-hostgroup 400 – each probe does 400 hosts at a time
SAP applications, provide the capability to manage financial, asset, and cost accounting, production operations and materials, personnel, plants, and archived documents.