The goal of this talk is to provide the results of passive and active fingerprinting for SD-WAN systems using a common threat intelligence approach. We explore Internet-based and cloud-based publicly available SD-WAN systems using the well-known «Shodan» and «Censys» search engines and custom developed automation tools and show that most of the SD-WAN systems have known vulnerabilities related to outdated software and insecure configuration. Anton Nikolaev, Denis Kolegov, Oleg Broslavsky

1. or
How to Find SD-WANs and not to Lose
Yourself
Denis Kolegov
Oleg Broslavsky
Anton Nikolaev

3. Not (really) so long time ago,
we decide to start a big SD-WAN
journey
SD-WAN
NewHope

5. “SD-WAN is perfectly safe for implementing wide-
area networks affordably, efficiently and securely.”

6. Perfectly safe?
Not exactly...

7. XSS

8. Client-side Authentication
?
! // TODO: fix in prod ?

9. OS Command Injection

10. OS Command Injection

11. Unfortunately, this talk is not about sophisticated hacking
techniques (cause you do not need them to hack SD-WAN)
This talk about how to find those
low-hanging fruits on the Internet?

12. The Main Questions
• How many SD-WAN nodes on the Internet?
• Do we need new techniques to scan
and fingerprint them?
• How to find vulnerable SD-WAN nodes?

13. Approach
Best EffortWhen you have to underline the best effort approach but
you don’t know exactly how to

14. But nevertheless,
let’s start!

15. SD-WAN Essence
or
That Boring Part of Slides Again

17. F*ck that shit! We are hackers!

18. Just kidding.
We need it for understanding.

19. Traditional WAN vs
Software-defined WAN

21. Search Engines

22. Straightforward
Examples

23. More Sophisticated
Examples

24. Query Correction
html:Sonus
+ title:
"SBC Management
Application"

25. More Query Correction!
We can use
corrections to
build full
product map!
https://github.com/sdnewhop/sdwannewhope/issues/7

26. Query Confidence
Firm CertainTentative

28. Version Leakage

29. Version Leakage Patterns

30. How to Find Them All?
Let’s help Dora!

31. We have a
leakage!

32. We have a
NMAP!

33. Pen Pineapple Apple
SD-WAN
Infiltrator!

34. SD-WAN Infiltrator

36. What About Really Hard
Cases?
Easy Peasy Lemon Squeezy?
Difficult Difficult Lemon Difficult!

37. SSH Fingerprinting
SD-WAN version in
/etc/issue message
masscan
our
banner
zgrab
/sdnewhop/zgrab2
/nmap/nmap/issues/1389

38. Websocket
• Nmap can’t scan Websocket
• No standard NSE Websocket
libraries
• Weird behavior in custom
NSE Websocket libraries

39. Indirect Version Leakage

40. Stop! What about Internet
scanning?

42. You should scan
all Internet using
masscan

43. -Johny, Johny?
-Yes, papa
-Scanning Internet?
-No, papa
-Telling lies?
-No, papa

44. > well you kinda killed the entire Tomtech network..
> literally everything is down.
> so looks like I can’t help you with servers anymore, sorry.

46. SD-WAN Harvester

47. SD-WAN Harvester
Workflow
Find
SD-WANs
Grab
versions
Run NSE Frontend
Get
results

48. Results

49. SD-WAN Map

50. Top of founded SD-WAN
Vendors

51. Top of founded SD-WAN
Solutions

52. Top SD-WAN
Vulnerabilities

53. Harvester Charts
But seriously, harvester can
build next pie charts by:
• vulnerabilities
• vendors
• products
• countries
• continents
https://github.com/sdnewhop/sdwan-
harvester/tree/master/samples

55. Conclusions
• Many different vendors
and related products
have been found
• Most products are
susceptible to version
leakage
• More often products are
leaky and vulnerable

56. SD-WAN New Hope
https://github.com/sdnewhop/
• Sergey Gordeychik
• Denis Kolegov
• Oleg Broslavsky
• Max Gorbunov
• Nikita Oleksov
• Nikolay Tkachenko
• Anton Nikolaev
• SD-WAN Internet Census
• SD-WAN Harvester
• SD-WAN Infiltrator
• SD-WAN Threat Landscape

57. THANKS FOR ATTENTION
@dnkolegov
@yalegko
@manmoleculo