SD-WAN a New Hop

Formal metadata

Title
SD-WAN a New Hop
Subtitle
How to hack software defined network and keep your sanity?
Series title
Number of parts
165
Author
License
CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
Identifiers
Publisher
Year of publication
Language

Content metadata

Subject area
Genre
Abstract
The software-defined wide-area network is a technology based on the SDN approach applied to branch office connections in enterprises. According to Gartner's predictions, more than 50% of routers will be replaced with SD-WAN solutions by 2020. SD-WAN can have firewalls and other perimeter security features on board, which makes them attractive targets for attackers. Vendors promise "on-the-fly agility, security" and many other benefits. But what does "security" really mean from a hands-on perspective? Most SD-WAN solutions are distributed as Linux-based virtual appliances or as a cloud-centric service, which can make them low-hanging fruit even for a script kiddie. The complexity of SDN creates additional security issues, and cybersecurity professionals should address them before an attack occurs. This presentation will introduce a practical analysis of different SD-WAN solutions from the attacker's perspective. Attack surface, threat model and real-world vulnerabilities in SD-WAN solutions will be presented.
Transcript: English (automatically generated)
Our next speaker is Sergei Gordychik. Sergei has been doing security research, products
and services for the past 15 years, more than 15 years. Since 2011, he's director and scriptwriter at Positive Hack Days Forum, the largest cyber security event in Eastern Europe. Sergei has, for instance, been working at Kaspersky Lab and Positive
Technologies. He's also a visiting professor at Harbor Space University in Barcelona and leader of the SCADA Strangela industrial cyber security research team. Today, Sergei will talk about how to hack software-defined networks and keeping your sanity while doing it.
Let's give a warm round of applause for Sergei Gordychik. Hello, hello, good night. Let's start to refresh on memories. This is a big honor for me to speak on
the 35 C3 because my first talk here was on 29 C3 with SCADA Strangela team and I think I can skip this introduction. Thanks for our host because everything is here and what I want to say about me, still I am very Russian, living in Abu Dhabi
and do all this stuff because I saw his album in the airplane when I fly here. So, except Bitcoin only. So, let's start to talk about software-defined networks.
What is software-defined networks in general and is the one in particular case? It's magic. So, according to Gartner, it will kill MPLS, it will replace all your Cisco and Juniper devices or Huawei if you prefer Chinese, but it's bad, you know, according to the last news.
And it will solve all your network problems because it has AI inside and it will magically optimize network operations and do everything including security. So, because it's perfectly
safe to implement acquired area networks efficiently and securely. So, okay, sounds good. What is actually software-defined networks? It's so simple. If you are familiar with the
software-defined networks, it's quite different. And when we tried with our team to understand how it works, our first impression was like this. We are hackers, we don't want to deal with
this shit, but the only challenge we met before you hack something, you need to actually activate it and make it work. That is why we start to understand how software-defined networks and SD-WAN works. So, what's the main difference between traditional LAN and SD-WAN?
In traditional LAN, you have different device which solve very specific purpose, for instance, switches or routing or firewalling or network load balancing. In case of SD-WAN, you have just a server which runs operation systems, in most cases like Linux. And on the top of this
operation system, you have very specific models like CP which do specific network functions. It can be firewalling, it can be routing, it can be switching, it can be network load balancing.
So, you replace specific devices with one big server which magically do everything with AI, and in the cloud, sure. So, in the SD-WAN, we have several layers. So, all is data plan,
when actually you process packets and decide how to go it, in which way, how to firewall or drop it. We have control plan which manage different routers, different devices. We have
management plan which can help to apply policies and orchestration plan, because it's serious things that should have something which called orchestration. On the technical plan, again, we have hardware with operation system and the layer which called
network function virtualization. What's network function virtualization? The way to apply different network functions to the specific device. It's very useful, for instance, to the
network operators who will provide you with the specific box, and if you want to activate any functions, this can be a web application firewall or the sandboxes, we just upload very specific virtual machine, it can be a docker, it can be a kvm image to your hardware and you
can start to use it. Because inside of this box, you already have all the system infrastructure which process packets and passes from one virtual network function to the other. This helps to organize things like the service chaining, so you can distribute
different network function on the branch level, in the cloud level or on the HQ level. For instance, things like content filtering which can be very heavy from performance perspective
can be distributed. As example, on the branch level you can use simple things like the antivirus to process content. On the HQ level, you can use more heavy things like sandboxing and if antivirus or specific rules see that this content is suspicious, it will forward it to
HQ through the MPLS or other VPN and the next process is in the HQ. Or you can also analyze it in the cloud for the simple things like the cloud threat intelligence, where actually
your SD1 box will send MD5 hash to the cloud and check is it good contact on that, or send all files to the cloud to double check it. Not bad and I think that is why SD1 becomes more
popular and you can see that even military guys in the US decide to switch to SD1 because of security, cost saving and all these benefits. Okay, security sounds very familiar for us
and we decided to obviously hack it. I think most of you have experience in hacking of different network appliances and you know that sometimes you need to have complex things like an RNS soldering kit or a debugger, JIT, et cetera, but not in this case because SD1
actually is not appliance, is a virtual appliance and to start hack it all you need is to go to the AWS or Azure and just activate this virtual appliance for, I don't know, 10 bucks per month
and next step is get root on it. It's a very good talk presented on different conferences including zero nights, how to hack virtual appliance and we use this like a
checklist for our research because if you hack virtual appliance you already have access to this system. You can mount file system to the other virtual appliance, you can grab ETC shadow, you can find a lot of different backdoors just through the static analysis.
But all the good things start from the Google. For instance to find admin password for one of the SD1 appliance we just Google for GitHub and found that most of the scripts which use it to automate with appliance use username administrator and password
Versa 123 and actually we found that this username and password is hardcoded there because there is no way to change it. Next step to root it is just to Google for
old vulnerabilities. For instance in Silver Peak we found that guys had reported vulnerability in September 2015 and it's still working in March 2018. So Google works because Google is fully strong with this one.
Next thing is graphics always work as a strings you know and using graph and code password you can find a lot of interesting things like hardcoded password in different location in the configuration files in the database connection string in the system logs
because again it's virtual appliance and someone had deployed before you start to use it. So in the logs there are a lot of life interesting information. In the shadow file like in the
one of Cisco appliance etc shadow file which use this encryption in 2018. You can do some forensics because again if you get virtual appliance someone had deployed and sometimes we're trying to hide with this and you can see that the
cut in bash history you can find that someone ram scrub AWS shell script which actually set up a different password etc. So if you somehow can recover with skip you find a lot of interesting information this kind of password of admin users and you can see that
from this password you can find the hash and next try to boot the force it's just was my guess but maybe because there's I have password there's a one two three maybe other network
appliance like silver peak have similar password silver peak one two three and this guess was successful and it's good because you cannot stop the progress if you have experience with red teaming in the enterprise network you know that Cisco Cisco or Huawei
with the administrator and Huawei one two three it's quite common password in this case it's more complex things sometimes very lit like we stutter in network stuff you know but still if you did not get the route with these simple steps again it's virtual appliance and you can always
patch it so you can change for instance hashes in the etc shadow you can change boot script you can change remote management configuration the password and next boot in this configuration and
get root password to do next step security assessment so security assessment at the beginning we did in very you know not scientific way we just hack all the things but after all we did some let's say scientific research and we have an article i will give you
a link like as the one threat landscape with the step-by-step assessment what you should hack to get maximum results but let's like mix this thing with funny hacks and the
scientific approach so from the system engineer point of view as the one have hardware which of the share hardware operation system in most cases again of the shelf Linux and different virtual services let's start from the operation system because
again again everything's you saw in the recent talk about bmc and remote management interfaces related to hardware it still works here unless it's disabled by the vendor but it's
highly unlike it on operation system we did very simple research we just check the patch of the all components installed on this box and you can see that patch level
ridiculously old for instance the oldest things we found it was an open SSL library which was released in may 2006 it's for network devices with security functions but our guess was that they choose this library because this library too old to be vulnerable to heartbleed attack
and as the one wins because oldest library open necessarily library we found in commercial product was in the same before was in the cement semantic win cc which was released in 2007
so as the one is like old school really next thing related to operation system configuration is sudo and it's actually everywhere and actually everywhere for management interfaces including web
services shell etc and it's implemented in terrible way as you can see uh triple w data have all ability to execute all command and some scripts just execute
execute any command through the sudo that is why if you have any small vulnerabilities in the web interfaces like in this case it's a command injection you can execute command with sudo so it's again 1990s next point it's a software not system but software design point of view
it's from software design there are a lot of open source components which implement ipsec routing but from management perspective we use mostly http and things around it so
let's analyze http and web management interfaces so in this case it's not so old school like a system aside everything and base it on node gs and javascript it's like very cool but under
the hood you can find hardcore mix from the pearl java php whatever which like i don't know looks like the guys developed with the last 10 years with all this modern node gs stuff developers
confuse the client and the server because you know javascript's on both sides and it's hard to understand where is the server with client side i will show you examples and there are a lot of simple things like a slow http dose attacks which should be fixed for a long
time ago but still you can stop web interface with few http requests so few examples about client side json csrf is everywhere so almost no web interface implement
protection from cross-site requests forgery in proper way xss is everywhere and this is not a problem so as a response from the product manager of one vendor they told me that xss from cross-site scripting for where application is not the issue because chrome blocks it
it's just an example of using xss on such appliances um in this appliance we can use a combination of the xss and cross-site requires forgery
to download and upload a certificate which use it to authenticate with the server which like control plant with management server it's just one http request and obviously there is no response from the vendor we just silently fix it so we decide to publish it
for the full disclosure one example of the perfect authentication so in this case you can see that this client side javascript which just send request to the server to the login status
function and if user is gorgeous is go to the request page in our case go to the username and password page so this 100 client side no other checks on the server side just
if you can change it second example is just perfect so guy i think he tried to port the uh authentication from the server side to client side understand what this javascript which still javascript but it doesn't work in browser and he just like commented and say if username
is uh with and password is this then go home so authentication is passed so this thing so highlighted box so with authentication on this box
next funny things which are related to sd1 is about different privilege escalation if you're already able to get access to any of virtual appliances inside you can try to
establish connection from this appliance to other appliance through the and the local host function so why it can be interesting because there are a lot of open source components for the remote management for instance like shell in the box which provide you
like shell through the web interface or mooning or solar which like system management boxes we just uh bind it to local host so you cannot establish connection from outside because it's listening to the local host but if you're already on this box
and you can connect from this box to local host when this establish this connection works and this works because on each virtual on which appliance you have a lot of virtual appliance which still listen to one ip addresses if you have experience with the docker for instance
so all docker's container have own ip address but from the all for all computer is actually connection from local host so if you own any of the virtual appliance you can own
next all virtual machines installed here this give us different interesting ways to escalate privilege inside the box for instance if you able to let me switch to the
laser pointer you can see it okay if you can get access to traffic processor for instance for the some tcp stack vulnerabilities next you can get access to management application and this management application in most cases have no any traffic filtering and trust to
management application of all virtual network functions which run on this appliance so you can uh do horizontal privilege escalation or next jump down to operation system level and and next go to the management plan upstairs to the management applies but it's
it's really boring to find web application vulnerabilities in such a big amount of code, which is why we just downloaded the code from the different network appliances and dropped it into an interactive code analysis system. In this case we used Positive Technologies Application Inspector, and this helped us find a lot of vulnerabilities, including such funny things as, for instance, a poorly patched vulnerability in Citrix SD-WAN which was patched in 2017 but still works if you use not a GET HTTP request but a POST HTTP request. So they patched it once again, in this case better. Also there is a Yoda-style, Yoda-lesson-style vulnerability. So it's obviously path traversal, but it just reminded me that "attachment leads to jealousy, the shadow of greed that is". So if you send the attachment "shadow", you can get the shadow file. So this is a full list of, sorry, a full list of vulnerabilities we found during just source code analysis, without, you know, brain interaction.
The next step is crypto, because a security appliance should implement cryptography, and there are two things: SSL/TLS and IPsec. In most cases SSL/TLS is used to protect management interfaces between the different appliances, and because it's automatic, if you use a different kind of automatic setup, we found that there are a lot of things related to insecure configuration. For instance, we can use SSL/TLS without forward secrecy, so if you have access to the certificate you can sniff the traffic and do a full man-in-the-middle. Different things related to old cipher suites like triple DES or RC4. For IPsec we found that in most cases a very strange way is used to select the certificate or the pre-shared keys, which in most cases are just hard-coded.

So one example from real life, our example, which we will publish soon, from again Citrix NetScaler. These appliances use the Master Control Node protocol to communicate between the orchestration plane, the control plane and the data plane. It runs on TCP 2156 and uses TLS without perfect forward secrecy, and what's interesting, the certificate is located in a user's home directory under certificates, and the account www-data has full access to this certificate, for some reason, I don't know. Okay, it should maybe read it, but why write? And what's interesting, all SD-WAN appliances we were able to find during our security assessment use the same key pair, which is located in the appliance. So all SD-WAN appliances in the world use the same key pair to protect communication with the management engine. So if you know this key pair, and obviously you can just cut it from the file system, you can passively or actively sniff traffic, do man-in-the-middle, spoof the management appliance, and if this device has any web application vulnerability, you can override it. I don't know why, but maybe if next time they change this certificate, you can download the old one and do man-in-the-middle again.
Interesting stuff we found: we ran some tests for DoS attacks and found that Suricata, which is used in SD-WAN appliances as IDS, is vulnerable to ReDoS. So it's an old story: some regular expressions can spend a lot of CPU time if you send specific queries. It was fixed in the default Suricata kit, but still works in some modern SD-WAN solutions. And for sure, if you do some fuzzing, it always works and gives you some fun. Unfortunately we cannot present the reverse engineering part, because for most of such SD-WAN solutions we have a restriction on reverse engineering in the license agreement. But just for fun, I think some engineers also love Star Wars and hate Marvel, that is why the initialization function is called marvel_sucks.

So just an overview of detected vulnerabilities. Green is good or bad: good for the vendor, but for us it means we were unable to detect it. But you can see that most classes of vulnerabilities, like hard-coded secrets, broken access control, old products or Linux components or third-party components, were in most of such systems; you can find them in most of such systems. So just select any SD-WAN and make a shot.
An interesting thing is zero-touch deployment. It's a very cool feature. For instance, let's imagine that you have a branch office and you need to deploy that branch office with SD-WAN. It's absolutely not necessary to go there or establish a Telnet or SSH connection and try to upload the configuration. All you need is just to take this device, note its unique ID, set it up through the cloud console and ship this device to the remote location. This device will automatically connect to any internet it sees around, connect to the cloud server, download the configuration and start operation. So for example, how it works in the Citrix system: we have this appliance which is shipped to the office. It first tries to establish a connection with the surrounding appliances; if not, it tries to go to the zero-touch deployment service, presents its own ID, and next this service will provide all the configuration which you uploaded through your SD-WAN Center.

So from a security perspective this scheme looks terrible. Why? Because this SD-WAN cloud deployment server should be friendly, but to any attacker as well, no? If you know the ID, if you can brute-force the ID, you can pretend to be this device. If you have any weaknesses in the implementation of these management servers, you can own all devices which are deployed from this service. And as you can see, even Cisco, which is like the best device from a security perspective we found on this product line, let's say has enough vulnerabilities, and here you can see the zero-touch provisioning command injection vulnerability, so
it's the cloud server to which all network devices should connect sometimes. But also we found very funny things related to the distribution of these devices, because as I told you in the beginning, most of such devices can be activated as a cloud appliance through AWS or other cloud services, and we found that most default images use old versions with known vulnerabilities. So you go to AWS, you trust the vendor, you activate the system and you receive an attack, because there is a known vulnerability. It reminds me of that old story, I'm really an old man, sorry, you know Code Red, Nimda, this kind of war of worms. And it was a real disaster when you just installed fresh Windows 2000, which had Internet Information Server by default, and just connected it to the internet to download patches: you received a new infection and needed to reinstall it from the beginning. So these things look similar to me, but it's much worse, because in this case it's a security network device installed on the perimeter of your network. This is an overview of up-to-date statistics. You can see that
very few vendors, actually none of the vendors, have an up-to-date version deployed on AWS or the internet. So I think it's an abuse of the Force.

But it's also a very interesting part of the story. As security researchers we always work in a responsible disclosure way, and as you can see, according to this article, some vendors also understand that responsible disclosure is very important, to communicate with the community to fix issues, and they even have a Product Security Incident Response Team in place. Great. But when we tried to submit a vulnerability report to this vendor, we were unable to find the email of this Product Security Incident Response Team. So there is no pool; we tried to Google for it in different ways, no luck. But we found that the guys who did similar research before, when they found a great way, sent an email to the CEO of this company. Unfortunately my Google-fu is not good enough and I was unable to find the email, but I found this guy on LinkedIn, and he answered in a few minutes actually and put me in contact. So if you try to deal with SD-WAN vulnerability reporting, just do it this way.

So we prepared this table about different vendors, how they communicate with researchers, and you can see that actually Cisco, Citrix and Lockout, they were not bad, but all the rest, it's just the beginning. This is my favorite mail from one vendor: when we sent the notification, they started to ask me why we sent this email from Gmail, do we have an official ID? What do they mean, I need to present my passport or whatever to submit vulnerabilities? But the funniest thing here: this vendor wrote that their device is not a generic web service which has full internet exposure. So after reading this email I went to sleep, and during the night someone told me...
So to understand the threat landscape of SD-WAN we built a bunch of scripts which work on top of different search engines like Censys, Shodan and Google, and also use the Nmap scripting platform to fingerprint different SD-WAN solutions. We have an article published, "SD-WAN Internet Census", and also some tools which can draw beautiful maps, if you want to present at the Chaos Communication Congress, because in our case it's useless. And what we found is that there are not so many SD-WAN devices on the internet yet: about 3000 management interfaces, which contain known vulnerabilities, and you can own them in a few minutes. And also we built some kind of vulnerability assessment tool which helps you find known vulnerabilities in these SD-WAN devices. This is an example for the OpenSSH patch level; as you can see, with some CVEs from 2010, 2014, etc. This is open source, you can find it on GitHub. We have two versions: one, SD-WAN Harvester, which uses Google, Shodan and Censys to collect information across the whole internet, and also SD-WAN Infiltrator, sorry, which is a bunch of Nmap Scripting Engine scripts, and you can use it during penetration testing, so it's not necessary to be connected to the internet; you can just use it inside the network.

When we did this research we also found an interesting article from Silence about a dark web market where guys sell usernames and passwords for different network appliances, let's say enterprise-level network appliances, and what worried us, some IP addresses which we found during our internet harvesting assessment are in this list. And in our experience there is no such thing as... we tried to find out why such appliances can be so easily hacked, and obviously the default password, which is hard-coded, sometimes never changed, was used on these appliances. We tried to reach the vendors and say, guys, maybe it's a bad idea to use, for instance, a hard-coded SNMP, not hard-coded, a by-default community like "public", and again "public" for read-write. But they told us that SNMP is off by default. But still, a simple Shodan search shows that more than 200 users of this SD-WAN have enabled this SNMP service and still use the default password.

So we have a lot of tools which are published in our GitHub, and please contribute, there are a lot of things to do: new fingerprints for SD-WAN Harvester and Infiltrator, SD-WAN threat landscape descriptions, new vulnerabilities. And also, as a special CCC release, we are starting to publish Metasploit modules for SD-WAN, so
we have public vulnerability descriptions and you can create your own modules for them.

And conclusions. So from my perspective, this is how the SD-WAN development lifecycle works: someone comes with a brilliant idea, okay, let's build SD-WAN, because Gartner told us that it's brilliant, with AI in the cloud. So what do we have to do? We can download a bunch of open source, put it all together, set up default routing and after all use it as SD-WAN. So SD-WAN is a bunch of open source, which is not bad, but still you need to care about it, and you need to install patches, configure it in the proper way and maintain this complex product. They have problems with patch management, have a lot of management interfaces, machine-to-machine and also human-to-machine interfaces, have a lot of bad defaults like passwords, hard-coded certificates, PSK keys for IPsec, and many vendors unfortunately have issues with patching and responsible disclosure, and this is in the cloud. So if you decide to switch your network to SD-WAN, hack it before you buy, or you will fail.

So thank you for your attention. I want to ask you to give a big hand to the SD-WAN New Hope team: Denis, Maxim, Nikita, Alec and Anthony, who did most of the things here; I'm just like the frontman of this group. Thank you so much, guys.

We now have about 15 minutes for questions, and you know the rules, please
move to the microphones over there. Any questions? Yep.

Aside from the kind of generic things that any random Linux server can have, on the web interface, on SSH, have you looked at any specific SD-WAN security problems, like with the encapsulation of tunnels or some stuff like that?

So, SD-WAN, you know, there is no technology like SD-WAN. For SDN there is a kind of protocol which is more or less reused by different vendors in different solutions, but in SD-WAN every vendor implements things in their own way; as an example, it's like the Citrix management protocol, etc. One thing we did here, but we didn't publish it, is for the virtualization, because again this VNF story is very interesting, because if you have a vulnerability in any virtual function, next you can get access to other virtual machines. But again, the problem here is that there is no standard and different vendors call it VNF, so they implement VNF in different ways; it can be QEMU, it can be just a script which they upload to their appliance.

So you're saying because everyone's writing their own code there are a lot of bugs to find for people who put the work in?

Yeah. Okay.

Okay. And you can just, like, it's not necessary to try to buy things, to buy it to hack it; you can go to AWS and activate it for free.

Okay, mic one please.

My question is simple: there were a lot of vendors that you all were looking at; what about Juniper SD-WAN?
I did not look yet. Looking forward to the Contrail investigation. Thank you.

Good, and yes please.

Okay, so thanks for the talk. You mentioned a lot of these virtual machines were running on Linux or something, and how do you, what are they running, like what patch levels are they usually on, these kernels, is this like always 2.6 or something?

Not always 2.6; it was like the worst example. Some of them, you know, are newer, so it's not necessary. Again, for network function virtualization some vendors call VNF just a bunch of scripts they download and change the configuration of the default sensor, and in this case we can use a very old kernel, or, way more, use a more recent version.

Sorry, yeah, that's okay. I mean, the hardening, how is it, tell me really, the hardening of the Linux kernel, is it like...

In most cases no way. So no AppArmor or things like this, no SELinux, nothing.

All right, your question.

Have you looked into Cisco Meraki?

No. For Cisco we, sorry, it's night, let me find the list, ding ding ding, for Cisco we did our exercise with Viptela.

All right, last question over there please.

Just advice: maybe you should drop a slide in with "the 90s called, they want the password back", sorry, because there were so many hard-coded passwords everywhere, maybe you should just drop a slide in: "the 90s called, they want the hard-coded passwords or logins back". I don't know.

So it's public things. So was that a question? Just a recommendation.

All right, we have a few minutes left, but if there are no questions left then I would call it a day. So another warm round of applause.
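Added worked example (an editor's addition, not code from the talk or from the SD-WAN New Hope tools): the crypto findings in the talk come down to which TLS cipher suite the management channel negotiates, for instance TLS without forward secrecy on TCP 2156 and legacy suites such as triple DES or RC4. The script below parses a TLS 1.2 ServerHello record and classifies the negotiated suite. The cipher-suite table is an assumed small subset of the IANA registry, the `build_server_hello` helper constructs a synthetic record for offline testing rather than a real capture, and a real assessment would feed `assess_record` the ServerHello captured from the appliance's port instead.

```python
import struct

# Assumed small subset of the IANA TLS cipher-suite registry (code point -> name).
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def build_server_hello(cipher_suite, version=b"\x03\x03"):
    """Construct a minimal TLS record carrying a ServerHello (synthetic test input).

    Layout: record header (type, version, length) + handshake header (type, 3-byte
    length) + version + 32-byte random + empty session id + cipher suite + null compression.
    """
    body = version + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + version + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record):
    """Return the negotiated version and cipher suite from a ServerHello record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < 35:  # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ServerHello")
    sid_len = body[34]
    off = 35 + sid_len
    if len(body) < off + 3:  # cipher suite(2) + compression method(1)
        raise ValueError("truncated ServerHello")
    suite = struct.unpack(">H", body[off:off + 2])[0]
    return {
        "version": bytes(body[0:2]),
        "cipher_suite": suite,
        "name": CIPHER_SUITES.get(suite, "unknown"),
    }


def assess(cipher_suite):
    """Flag the weaknesses the talk describes for a negotiated suite."""
    name = CIPHER_SUITES.get(cipher_suite)
    if name is None:
        return ["unknown cipher suite 0x%04x" % cipher_suite]
    findings = []
    # TLS_RSA_* suites encrypt the premaster secret to the server's RSA key, so
    # whoever holds that key (here: a key pair shared by every appliance and
    # readable by www-data) can decrypt recorded sessions after the fact.
    if name.startswith("TLS_RSA_"):
        findings.append("no forward secrecy (static RSA key exchange)")
    for legacy in ("3DES", "RC4"):
        if legacy in name:
            findings.append("legacy cipher (%s)" % legacy)
    return findings


def assess_record(record):
    """Parse a ServerHello record and return (suite name, findings)."""
    hello = parse_server_hello(record)
    return hello["name"], assess(hello["cipher_suite"])


if __name__ == "__main__":
    # Constructed samples: a server picking RSA key exchange with 3DES, and one picking ECDHE.
    for suite in (0x000A, 0xC02F):
        name, findings = assess_record(build_server_hello(suite))
        print(name, "->", findings or ["ok"])
```

Only the negotiated suite is inspected here; a fuller check of a management port would also walk the certificate chain and the ClientHello offer list, and would treat static ECDH (TLS_ECDH_*) suites the same way as static RSA.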