Stargate: Pivoting Through VNC to own internal networks

Formal Metadata

Title: Stargate: Pivoting Through VNC to own internal networks
Number of Parts: 93
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
VNC is a great tool to use if you need to get to a box you're not physically near. The trouble with VNC is that it was invented 15+ years ago and hasn't been improved upon in any significant way. Besides the internet of things being sprinkled with VNC endpoints, there are companies which use VNC to such a large degree that they need a VNC proxy on their perimeter to get to all the internal VNC hosts, some of which are ICS/SCADA devices. Stargate is the result of discovering a vulnerability in these VNC proxies that allows you to proxy basically anything. This allows you to do anything from using them as anonymous proxies, conducting reflective scanning, pivoting into the internal network behind them, and more. In this presentation we will show you exactly what Stargate is, how we encountered it, the 'fun' things you can do with the Stargates all around the globe, and we will release the Stargate tool which anyone can use to talk to/through these devices.

Bios: Yonathan Klijnsma is a senior threat intelligence analyst working for Fox-IT, a Dutch IT security company. Yonathan specializes in the analysis and tracking of attack campaigns, working out attacker profiles and investigating the techniques and tools used by attackers. Yonathan's area of focus lies in espionage-related cases. Outside of work Yonathan likes taking things apart and figuring out how they work, be it physical devices or digital ones like malware or ransomware. Occasionally a write-up of one of these projects ends up on his personal blog.

Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. Previously a co-founder of Carbon Dynamics, and a security freelancer under the Aten Labs moniker, Dan has found himself in a wide array of different environments, ranging from blue team, to red team, to purple team, to 'evil hacker for a camera crew'. When not obtaining shells or explaining how to protect against getting shelled, Dan enjoys FPV racing, homebrewing, and internet troublemaking.
Transcript: English (auto-generated)
Hi, welcome to track two. Yay! So I'm Viss, this is Yonathan. We're gonna abuse VNC really, really badly. You have anything? No? Yeah? Right, so this is us. Yeah, fun times. We both do terrible, terrible things on the internet. Usually on Twitter it's very, very public and usually it's very, very amusing. So, internet stuff, it seems like it's getting nicer but it's proliferating lots and lots of horribly broken vulnerable devices, right? So the internet's getting pretty bad, it's not really getting better, they keep adding more problems and more vulnerabilities and nobody gives a crap about security, and then you have this sort of thing happen and then this sort of thing happen, and then basically this is just us saying like, hey dude, you could totally see the faint outline of some cyber, cyber something legislation in there and you can smell the totally 'you're not allowed to hack all the routers' proposals. You can, yeah, that's right, that was the, what was it, FCC?

Yeah, so, cameras. So I was doing a talk back in March this year and the screen you're seeing on the left was a house that was actually close to where I was doing the talk, and I was also talking about VNC stuff and I just popped open the window, like, hey, this is a house, if you look to the left you can probably see it. And there's just a bunch of stuff, so you can go from cameras to people putting SCADA stuff on cameras, and over time, sometimes stuff gets fixed. So this company had this on VNC, you could basically go into the settings and people could mess things up, and what they did when I reported it is they removed it, and then on the same IP address something else came back and it was a camera and it was looking at the same screen we had on VNC before, just so people couldn't screw with the settings. But, you know, it's okay because now you cannot mess with anything and they just want to remotely see what's going on in the factory.

This is another interesting one. So there's a company in my country, and when you ship something back because you don't want it, they unpack it and they check to see if you didn't mess with it, if you didn't unpack it. This is the camera which shows the guy who's unpacking all the stuff, because they want to have it registered in case something's up. So I could send back my own package and then see it pass by, basically. Now, something else I've been doing which is kind of sketchy sometimes is look at the Middle East. They have a ton of interesting stuff. I only put this one in there because I don't want to, I don't know, put people off or get the wrong people looking at me, basically, but there's like a bunch of cameras and a bunch of interesting devices online in the Middle East as well. What could possibly go wrong?

It's 'burn your house down' as a conference. So let's introduce some fifth-dimensional thinking. It appears as though the world at large is now, in 1999, realizing that there's more on the internet than just Facebook and Candy Crush, and this realization has terrified people enough to believe that they need to have support groups to cope with that idea. So we see something like this, and for two guys that spend their time trolling the internet and finding ridiculous, ridiculous stuff that shouldn't be on the internet, we're just like, what the, really? So this. Yep. You can browse the internet from your fridge. What could go wrong?

Yeah, so sometimes you find the most sketchy devices. So this one wasn't connected online. This is basically, it doses the drugs you get in the hospitals. But these used to be hooked up on the hospital networks locally and you could telnet to them and they could do statistics and, you know, change values. But somebody thought, you know, we need to upgrade this. We need to rebrand this. We need to sell more of this, basically. So, you know, it's running Linux as well. So let's just add Wi-Fi, because that's good. They have Telnet. But nobody added authentication. So that's kind of good. But then somebody actually got a CVE for the thing not having authentication. So apparently you can now get CVEs for features you want to have. Which is kind of neat. So we don't really know what's up with that.

I don't even. I'm not sure. I think this is one of these 'there are no words' slides, so we're just going to show you a picture. Like, that's the greatest expression. What could possibly go wrong? So apparently there's, I won't read the slide to you because I'm sure most of you in the room can read. Apparently there are toasters that will complain at you if you don't feed them whole wheat bread. Like, you're not allowed to eat this kind of bread. You have to eat that kind of bread. And fridges are shutting down when certain types of inconsistencies are detected. So now you have your fridge telling you, like, you can or can't eat your food. Or you can't refrigerate your food. Because, you know, that's fine.

And then cut to more internet fiduciary and you have this. Which, when we found it on VNC, what on earth is that? And at the time, the little red arrow was moving over this grid. So, have you ever played that game in the 80s, like Spectre or something? It looked like that. It was like this little arrow and it was moving over this grid and we're like, that's really weird. It's alive. So we looked it up and it's this tool that's used by farmers to, oh, is it water? No, it's not water. Maybe it's something involving traveling over crops. And I can't remember whether it's to give them nutrients or to water them or to collect things. But there's a video that we're trying to get, there we go. So, I wonder if it'll let us, yeah, it won't let us skip it. So, sorry to make you wait for 30 seconds, but this is their demo video. This is their reel. And you can see it at about the 45-second mark. You can see it behind the dude's head. This guy's in a tractor and this thing is kind of like if Tesla was wearing overalls and had a hayseed. Like, it drives the tractor and it keeps track of where has been dealt with. And in a minute he pans up and, like, dude moves his head and he points at the thing. The audio was crap so he cut the audio. But this thing, this device, is on the internet with no authentication and you can, like, you wanna take control of a tractor over the internet? Because you can do that, because somebody thought it was a good idea. And now we have this. Fun, fun times.

Yeah, so it's also interesting, like, all these devices are on 3G, 4G uplinks. So if you just scan certain Verizon and AT&T networks, you'll get different stuff pop up every time. So this one, you couldn't find it back if you scanned the next day. It would be somewhere else, whenever they turned it on and whatever IP they got. So, yeah, we got this ancient industrial stuff we've been probably tweeting about mostly, like any dam or water irrigation system, you'll find it. But there's a lot of new toys, basically, just like the infusion thing at the hospital. There's also this, which is an exercise bike. This was in Hawaii. And we could get the exercise bike and remotely see, like, the screen where you had to press start and then pick whatever you wanted. And then we actually found one that was live, so you could see, like, the guy, or you couldn't see the guy cycling, but at least you could see him, you know, progressing. How to embarrass yourself over the internet live. There's also this kind of stuff. So this is like a solar cell power thing you can have at home. These were all open in Germany. So the manufacturer didn't do anything. And again, they were on, like, 3G sections of the network. And it was reported. And then they said they fixed it. So what they did is they added a new GUI and then they said it's fixed. They're still there, basically.

Yeah, and you found your boat. Why is there a yacht on the internet? Who thought this was a good idea? It lets you control the engine. There isn't enough booze in this conference. Anyway, yeah, so there's a lot of that, but it happens on Twitter. Why, I don't even, like, you find, what do you do? You find a yacht on the internet and then what? You just go, you make a meme. That's, or you download Instagiffer and you make some gifs. But it gets worse. It gets much worse. Fun times.

Yeah, so sometimes you find really weird sketchy stuff. So this is a guy who was cashing out PayPal accounts. And he was on VNC. So we could basically see him, like, pull out accounts. So, like, the right side, first column is all the email addresses. Then it says if it has any balance, if it's connected to a Mastercard or Visa. And then if he pulled anything off, like, if it had a positive balance. And this guy was just cashing out PayPal and we could just watch him do this on VNC. Just kind of interesting.

Yeah, and then you found your aquarium. Yeah. I thought this was an aquarium and I was really excited, like, wow, somebody spent a lot of money on their saltwater aquarium. It was the ocean. It was in a place that I didn't know existed at the time, the Maldives, which is apparently a really, really fancy island chain. This is a camera in a hotel that's shaped like an octagon that's below the ocean. It's, like, submerged. And one side of the restaurant, it's a restaurant, yeah, the restaurant is submerged. And one side of it, like, the whole thing is this big octagon of plexiglass. So you go and you have dinner under the ocean and one side of it has coral reef. And the camera that's on their website that sort of advertises the hotel is pointing out the window. So when you see it, I mean, this is what you see. You're like, whoa, that's kind of interesting. And it's RTSP and it's live, and if you know the address and you know how to plug it into VLC, you can just hit play and just full-screen it on one of your displays and you have this huge, like, fish tank, right? So it's really neat. Like, this is the view from dinner, if you can afford the $16,000-a-night hotel room. But you can also do what I did, which was leave it full screen and be like, oh, this is really neat, I'll just leave this up while I'm working, whatever. And then you go out for dinner or whatever and you come back and you see this and you go, what the? What? Why are there people? There were divers on the other side that had gone in and were cleaning the glass. But, yeah, when you think you found everything, you find this and you go, no, there's still more. But yeah, and yet there is still much more. It doesn't end. It never ends.

Yeah, and it goes from funny to really bad. So this is a cardiac imaging device, which was online. You could just reach it, VNC, open, nothing. Same kind of stuff, 3G network, so one day you would find it, other day you won't. Just depends if it's actually turned on. So you have this thing, which is in some kind of company and it's like to scan badges or to register badges, they put up their finger for the fingerprint screen and it pops up all their information. So, would you wanna, I don't know, steal identities? You just sit there, you have a fingerprint, you have all their information, you just wait, you just go, print screen, print screen, print screen. It's, yeah.

And then we found this, which is kind of interesting. So, let's say you wanna swat somebody, you usually do a call and then at the end you'll just end up in jail or fined. You can now do it over VNC. So this is some station somewhere and this is the software used to manage which patrols are out where. And we could just call one out, basically. So, let's say you wanna swat somebody, just enter the address, you send, like, I don't know, 10 squads there and you hit go and they all get an update and they go there. So, yeah. Little bit less traceable.

And then there's this. So originally I thought this was a device that was controlling, like, an x-ray machine. Turns out you actually need to press a button on the hardware to make an x-ray image. And this is stored on a data store and then you have a machine that interacts with the data store. So what I was looking at was actually some doctor, I guess, who was working with the data on the data store and he was just making notes and annotations in the documents, basically. So, yeah, my guess was first that he was actually controlling it, but he wasn't, but close enough, right?

So yeah, we do a lot of scans. As in, literally, we are probably one of the five people that constantly bash VNC on the globe. Is Errata Rob in the room? No? Okay. Is John Matherly in the room? No. Okay. There's basically six of us that scan the whole world routinely for VNC and, like, four or five of us are at con. So, just fun times. Yeah, so we do scans and we get back results. Basically, I usually scan for the RFB header. So, connect on anything, unknown ports, expect RFB headers back and just store them, store the IP addresses, and you get about 335,000 that will respond to you. 8,000 of those will not have authentication. You can connect and do whatever you want.

Now what's interesting is if you look at, like, the versioning. So you get back all these banners and they have, like, a major and minor version and you can graph these. But if you look at the official versioning, or the official documents that were brought out saying, okay, this is version 3 point something, there's 3.3, 3.7 and 3.8. Those are the official versions, basically. Now, if you look in this graph, these should not exist, right? These are numbers that make no sense. There's a bunch more that should probably not exist. But if you actually look at them, you can sort of figure out what it is. So you got Apple Remote Desktop, which, basically what they did is they changed authentication to use Apple ID kind of stuff. So the rest of the VNC part is pretty normal. It's standard VNC, just different authentication. You got RealVNC Personal. So the guys who originally built the RFB protocol, they actually made a company and now they're also selling products. So you got RealVNC Personal, which is on 4.0. Oh. Alright, so then you got RealVNC Enterprise, which is 5.0.1. You got something unknown and you have a guy who's been messing with us. He's basically running a honeypot, gives back whatever number depending on the port you connect to. But there was something else, with no version, saying zero, zero, zero, zero. 3,500, actually.

So, yeah, we found a bug. I'll just kind of skip through this because we're sort of slowly running out of time. Basically, we got a discussion on Twitter and we ended up finding a really nasty bug in this thing. So, eh, too much talk. Let's see. So what it ended up with is this. So we can use these VNC devices to reflect back onto the internet or reflect back into the internal network. So these are 3,500 devices which allow us to use them as anonymous proxies, or it can go back into their network. Which are just open. No authentication, nothing. Full port control through some bugs we had. We actually got a CVE for this, because he fixed, we did port wrapping and they fixed it. Yay! But it actually gets worse. So he did a fix. There was a CVE. He made an update. And like 4 days ago, just when I was making these slides or sort of finishing them, he got back to me and he said, hey, why are you using this bug? There's also, like, a feature that can do this. You don't need to abuse this bug to do port wrapping and connect anywhere. You really don't. You can just do it anyway. So this means you can connect to any host on any port on any protocol inside or outside the network through these devices. And even more interesting, these devices have blacklisting, whitelisting. This is locally hosted, so if you connect to one and you connect to a local host through these things, you can get on the interface and you can just turn off filtering. So, literally, if you do a curl through these things, you set the allow connection and refuse connection to nothing, all the filtering is gone. You can go anywhere you like. That's kind of neat. Yeah, the fix was whitelisting, but you just proxy to localhost and turn off the whitelisting. Okay, good job. Haha.

Yeah, so we call this Stargate because, you know, people get the reference, you go in somewhere, you don't know where you end up. Sometimes you end up from the same IP address, sometimes you go through somebody's network out to the internet on the other side. We don't know where. So, basically, it's an open proxy and you can pivot into it and go through anything inside. We made Python scripts, so if anybody wants to look at this and use it, it's up there. If somebody actually manages to use this in, like, some kind of red teaming or pentest, please tell us. Because we haven't found anything interesting on the inside yet. It's pretty difficult. You go into a network and then you sort of have to guess what's always going to be there, except the web interface.

So, we have some demos, so let's see if we can actually do this. In time. Okay, yeah, we'll do the most interesting one, actually. Let's see. I already have the, yeah, so what I did, I'm running a Stargate proxy locally on my host and I have a VM which is proxying towards my host through the Stargate proxy, through the Stargate, back on the internet. So we can, let's do the most interesting one then, if we don't have enough time. So there's a bunch of them online, but this is one we found which is kind of interesting. So let's see, we can probably go to Google, if it works. So, just to show, you can go into Google and it will, if it works, proxy through the Stargate back onto Google. Depending how fast it is. Here you go. So, what language is that? Is it just? Oh, well, there you go. So this thing is apparently in France. So let's see what happens if we actually go to the server it's hosted on. Oh, there's one thing, this thing does not support concurrent connections. So this, you're doing localhost, you get back Google 404s, it's because it's badly caching. So, yeah. So now, alright, so now we get something internal in this network. We get an Apache server which is inside the network, which we cannot reach from the outside. And then we can actually, with this one, go to server-status. Alright, so, internal server status page from an internal service, through a proxy, through the Stargate. So this should only be available to localhost, but because we're proxying through the box that's hosting the thing, we are localhost, so fun times. Yeah. Are we done?
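The talk's scan methodology rests on two RFB details: the 12-byte "RFB xxx.yyy" version banner (official versions 3.3, 3.7 and 3.8, vendor banners such as RealVNC 4.0/5.0, and the all-zero banner the speakers found on about 3,500 proxy devices) and the security-type negotiation that follows it, where a server offering type 1 ("None") accepts clients without authentication. The following Python is an added example for inventorying your own exposure, not the speakers' Stargate scripts. It works entirely offline over constructed byte captures; the mapping of 4.0/5.0 banners to RealVNC products is an assumption taken from the talk, and the sample banners are made up for the example.

```python
"""RFB (VNC) banner and security-type triage over captured bytes.

Added example, not the speakers' Stargate scripts. It classifies the
"RFB xxx.yyy" banner the talk describes (official 3.3/3.7/3.8 vs vendor
extensions vs the all-zero banner) and checks whether a server offers the
"None" security type, i.e. no authentication. All inputs are constructed.
"""
from __future__ import annotations

import re
from typing import Optional

# RFB ProtocolVersion message: exactly "RFB xxx.yyy\n" (12 bytes).
BANNER_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")

# Versions published in the RFB specification.
OFFICIAL_VERSIONS = {(3, 3), (3, 7), (3, 8)}
# Vendor banners named in the talk; mapping to product is an assumption.
VENDOR_VERSIONS = {(4, 0): "RealVNC 4.x", (5, 0): "RealVNC 5.x"}

# Security types from the RFB spec; 1 means no authentication at all.
SECURITY_TYPE_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}


def parse_banner(data: bytes) -> Optional[tuple[int, int]]:
    """Return (major, minor) from a ProtocolVersion banner, or None."""
    m = BANNER_RE.match(data)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def classify_banner(data: bytes) -> str:
    """Bucket a banner the way the talk's version graph does."""
    version = parse_banner(data)
    if version is None:
        return "not-rfb"
    if version in OFFICIAL_VERSIONS:
        return "official"
    if version in VENDOR_VERSIONS:
        return "vendor:" + VENDOR_VERSIONS[version]
    if version == (0, 0):
        # The 000.000 banner the talk associates with the proxy devices.
        return "anomalous:zero-version"
    return "anomalous:unknown"


def offered_security_types(version: tuple[int, int], data: bytes) -> list[int]:
    """Parse the server's security message that follows the banner.

    RFB 3.3: one 4-byte big-endian security type chosen by the server.
    RFB 3.7 and later: 1-byte count, then that many 1-byte security types.
    """
    if version == (3, 3):
        if len(data) < 4:
            raise ValueError("truncated 3.3 security message")
        return [int.from_bytes(data[:4], "big")]
    if not data:
        raise ValueError("empty security-types message")
    count = data[0]
    if len(data) < 1 + count:
        raise ValueError("truncated security-types list")
    return list(data[1:1 + count])


def assess(banner: bytes, security_msg: bytes) -> dict:
    """Combine banner class and security types into one finding."""
    version = parse_banner(banner)
    finding = {
        "version": version,
        "class": classify_banner(banner),
        "security_types": [],
        "no_auth": False,
    }
    if version is None:
        return finding
    types = offered_security_types(version, security_msg)
    finding["security_types"] = [SECURITY_TYPE_NAMES.get(t, f"type-{t}") for t in types]
    finding["no_auth"] = 1 in types  # "None" offered: anyone can connect
    return finding


# Constructed sample captures (banner, first server message); no real hosts.
SAMPLES = {
    "lab-a": (b"RFB 003.008\n", b"\x01\x02"),            # 3.8, VNC auth only
    "lab-b": (b"RFB 003.008\n", b"\x02\x01\x02"),        # 3.8, offers None
    "lab-c": (b"RFB 003.003\n", b"\x00\x00\x00\x01"),    # 3.3, None
    "lab-d": (b"RFB 000.000\n", b"\x01\x01"),            # all-zero banner
    "lab-e": (b"SSH-2.0-OpenSSH_7.4\r\n", b""),          # not RFB at all
}


def triage(samples: dict) -> dict:
    """Assess every capture; returns {name: finding}."""
    return {name: assess(banner, msg) for name, (banner, msg) in samples.items()}


if __name__ == "__main__":
    for name, finding in triage(SAMPLES).items():
        flag = "NO-AUTH " if finding["no_auth"] else ""
        print(f"{name}: {flag}{finding['class']} {finding['security_types']}")
```

Feeding this the banner and first server message from your own perimeter scan gives two lists worth acting on: hosts that advertise the "None" security type (the 8,000-of-335,000 case from the talk) and hosts whose banner is not one of the published versions, which includes the zero-version devices the speakers identified as the vulnerable proxies. Both are cheap to gate on in an asset inventory before any firewall or whitelist review.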