1
00:00:06,851 --> 00:00:10,187
- So you may ask, why hack network devices?

2
00:00:10,187 --> 00:00:11,907
What is it that makes the network device so

3
00:00:11,907 --> 00:00:14,475
attractive to an attacker or maybe even to

4
00:00:14,475 --> 00:00:17,625
the defender who is defending against the attacker?

5
00:00:17,625 --> 00:00:19,741
And really, when it gets down to the base of it,

6
00:00:19,741 --> 00:00:21,408
it's the core of the network, right?

7
00:00:21,408 --> 00:00:24,534
This is where all of your packets are flowing through.

8
00:00:24,534 --> 00:00:27,045
And really, if you have a way of snooping

9
00:00:27,045 --> 00:00:29,250
or injecting packets off the network,

10
00:00:29,250 --> 00:00:31,291
you really have a way of controlling the end

11
00:00:31,291 --> 00:00:32,944
points even without having to worry

12
00:00:32,944 --> 00:00:35,261
about the endpoints themselves necessarily

13
00:00:35,261 --> 00:00:38,487
individually if you have access to the entire network.

14
00:00:38,487 --> 00:00:39,924
Another thing is it may not be

15
00:00:39,924 --> 00:00:42,190
monitored as closely as your hosts.

16
00:00:42,190 --> 00:00:43,987
We're all very familiar with how

17
00:00:43,987 --> 00:00:46,003
we monitor our hosts today.

18
00:00:46,003 --> 00:00:47,501
Really, when it comes down to it though,

19
00:00:47,501 --> 00:00:51,425
routers and switches and networking devices

20
00:00:51,425 --> 00:00:54,220
may not be monitored that closely.

21
00:00:54,220 --> 00:00:55,887
Your firewalls, you probably are

22
00:00:55,887 --> 00:00:57,389
monitoring those fairly closely,

23
00:00:57,389 --> 00:00:59,748
but routers and switches maybe not as much.

24
00:00:59,748 --> 00:01:01,695
They have a longer system life cycle.

25
00:01:01,695 --> 00:01:02,528
What does that mean?

26
00:01:02,528 --> 00:01:03,361
Well, that means that you don't

27
00:01:03,361 --> 00:01:05,789
replace them as often, right?
28
00:01:05,789 --> 00:01:06,990
A lot of times, sometimes I've

29
00:01:06,990 --> 00:01:08,651
even heard people who just load

30
00:01:08,651 --> 00:01:10,608
up the code that it came with,

31
00:01:10,608 --> 00:01:12,180
you know, that a switch or a router came with,

32
00:01:12,180 --> 00:01:14,470
and that's what it runs for the rest of its life.

33
00:01:14,470 --> 00:01:16,157
You know, they don't keep it up to date,

34
00:01:16,157 --> 00:01:18,133
they don't patch it.

35
00:01:18,133 --> 00:01:19,961
They don't have any malware detection, right?

36
00:01:19,961 --> 00:01:22,739
You don't have any antivirus that runs

37
00:01:22,739 --> 00:01:25,219
on a switch or on a router that makes sure

38
00:01:25,219 --> 00:01:29,023
that it is free of any kind of malware.

39
00:01:29,023 --> 00:01:30,641
Another issue is that it's antiquated.

40
00:01:30,641 --> 00:01:32,508
A lot of the protocols that are on a

41
00:01:32,508 --> 00:01:35,233
router or a switch, they're running protocols

42
00:01:35,233 --> 00:01:37,505
that were designed back in the '80s,

43
00:01:37,505 --> 00:01:39,838
their IGPs maybe early '90s.

44
00:01:41,617 --> 00:01:43,526
where the configuration stays static.

45
00:01:43,526 --> 00:01:44,940
I can't tell you how many devices I've

46
00:01:44,940 --> 00:01:49,175
seen where maybe they have an Excel spreadsheet, right,

47
00:01:49,175 --> 00:01:50,701
and maybe you plug in some values in it

48
00:01:50,701 --> 00:01:53,536
and it spits out a configuration and that's what you use.

49
00:01:53,536 --> 00:01:55,919
It could be that simple.

50
00:01:55,919 --> 00:01:57,390
Routers and switches, they have features

51
00:01:57,390 --> 00:01:59,461
such as port mirroring, tunneling,

52
00:01:59,461 --> 00:02:01,747
lawful intercept, where you can use

53
00:02:01,747 --> 00:02:04,183
those as an attacker to infiltrate

54
00:02:04,183 --> 00:02:05,610
and even exfiltrate data.
55
00:02:05,610 --> 00:02:07,035
So when I say infiltrate data,

56
00:02:07,035 --> 00:02:08,561
you can inject packets that look

57
00:02:08,561 --> 00:02:10,727
like they're coming from some host,

58
00:02:10,727 --> 00:02:12,135
where in reality they're coming from

59
00:02:12,135 --> 00:02:13,362
somewhere completely different.

60
00:02:13,362 --> 00:02:14,710
And an example of this is

61
00:02:14,710 --> 00:02:16,242
like using GRE tunneling.

62
00:02:16,242 --> 00:02:18,861
If you can send packets directly to a router,

63
00:02:18,861 --> 00:02:20,619
you can have that get stripped off,

64
00:02:20,619 --> 00:02:21,926
that GRE tunnel get stripped off,

65
00:02:21,926 --> 00:02:24,136
and then forwarded on to a host.

66
00:02:24,136 --> 00:02:25,541
And then finally, some devices,

67
00:02:25,541 --> 00:02:28,064
they have built-in analysis tools.

68
00:02:28,064 --> 00:02:30,491
Especially some of the newer switches and routers.

69
00:02:30,491 --> 00:02:32,738
They have Wireshark or TShark or something

70
00:02:32,738 --> 00:02:36,068
like that built into them so that you can

71
00:02:36,068 --> 00:02:38,584
analyze packets and flows directly on-box

72
00:02:38,584 --> 00:02:40,691
without having to copy them off and

73
00:02:40,691 --> 00:02:42,425
look at them somewhere else.
74
00:02:42,425 --> 00:02:44,753
So as far as the steps to owning a network,

75
00:02:44,753 --> 00:02:47,599
we'll start out with you have an exploited vulnerability,

76
00:02:47,599 --> 00:02:50,907
and this vulnerability could be a compromised credential,

77
00:02:50,907 --> 00:02:53,745
could be unpatched software,

78
00:02:53,745 --> 00:02:55,285
the vulnerability is in the software

79
00:02:55,285 --> 00:02:57,028
and there's just no patch that

80
00:02:57,028 --> 00:02:58,744
has been applied to the device,

81
00:02:58,744 --> 00:03:00,418
and then other times you'll have zero-days,

82
00:03:00,418 --> 00:03:02,208
which are genuine vulnerabilities that have

83
00:03:02,208 --> 00:03:05,961
not been discovered and they have not been reported on,

84
00:03:05,961 --> 00:03:08,417
and sometimes you find those.

85
00:03:08,417 --> 00:03:10,812
Really, what happens though, more often than not,

86
00:03:10,812 --> 00:03:12,589
are compromised credentials.

87
00:03:12,589 --> 00:03:13,966
And you're gonna see this later on,

88
00:03:13,966 --> 00:03:17,170
I'm actually going to show you how to copy

89
00:03:17,170 --> 00:03:19,775
off credentials from other protocols like

90
00:03:19,775 --> 00:03:22,944
AAA protocols like RADIUS or TACACS.

91
00:03:22,944 --> 00:03:25,484
Where you have access to a device,

92
00:03:25,484 --> 00:03:28,291
and you wait for a legitimate

93
00:03:28,291 --> 00:03:30,502
administrator to log into the device,

94
00:03:30,502 --> 00:03:32,188
and then you'll get their password,

95
00:03:32,188 --> 00:03:33,566
and then you'll be able to use that

96
00:03:33,566 --> 00:03:36,350
access to pivot to other devices.

97
00:03:36,350 --> 00:03:38,097
And then, the second step is,

98
00:03:38,097 --> 00:03:40,127
once you have access to the device

99
00:03:40,127 --> 00:03:41,714
then you can start doing things like

100
00:03:41,714 --> 00:03:43,076
configuration changes.
101
00:03:43,076 --> 00:03:45,502
You can start turning on GRE tunnels,

102
00:03:45,502 --> 00:03:47,774
you can turn on lawful intercept.

103
00:03:47,774 --> 00:03:50,538
And then, if you're a lot more capable,

104
00:03:50,538 --> 00:03:51,929
and you have more resources,

105
00:03:51,929 --> 00:03:53,400
you can do things like in-memory

106
00:03:53,400 --> 00:03:55,964
network operating system modifications.

107
00:03:55,964 --> 00:03:58,439
That's where you could patch the code

108
00:03:58,439 --> 00:04:00,595
so that, for instance, you could turn off

109
00:04:00,595 --> 00:04:02,930
all kinds of password checking so that

110
00:04:02,930 --> 00:04:04,860
if you log in you can give any password you

111
00:04:04,860 --> 00:04:07,311
want and it lets you in for a particular account.

112
00:04:07,311 --> 00:04:09,259
These are things that you can do.

113
00:04:09,259 --> 00:04:10,195
Another thing that you can do is,

114
00:04:10,195 --> 00:04:13,916
let's say you wanted to make your change persistent.

115
00:04:13,916 --> 00:04:15,573
Then you can change the code that's

116
00:04:15,573 --> 00:04:17,738
actually on the disk of the network

117
00:04:17,738 --> 00:04:19,699
operating system itself so that when it boots

118
00:04:19,699 --> 00:04:23,480
up the next time you have your change that you've made.

119
00:04:23,480 --> 00:04:26,080
Another thing you could do is change the boot loader.

120
00:04:26,080 --> 00:04:28,795
So what this applies to is not only code

121
00:04:28,795 --> 00:04:31,229
that has already been installed on the device,

122
00:04:31,229 --> 00:04:33,040
but code that could be installed

123
00:04:33,040 --> 00:04:34,730
in the future on the device.
124
00:04:34,730 --> 00:04:36,746
So you could patch the boot loader so that

125
00:04:36,746 --> 00:04:39,452
it goes through your code, and as it boots up

126
00:04:39,452 --> 00:04:42,313
it can change the code to do whatever it

127
00:04:42,313 --> 00:04:44,645
is that the attacker wants when the system

128
00:04:44,645 --> 00:04:46,284
boots up, so that it comes up and it always

129
00:04:46,284 --> 00:04:48,670
comes up in the same state.

130
00:04:48,670 --> 00:04:50,232
And then finally, the result.

131
00:04:50,232 --> 00:04:53,142
Once you have this, you can get persistence.

132
00:04:53,142 --> 00:04:55,549
So by doing some of these in-memory,

133
00:04:55,549 --> 00:04:57,525
on-disk and boot loader modifications

134
00:04:57,525 --> 00:04:58,552
you can have persistence.

135
00:04:58,552 --> 00:05:00,839
So even if the device is rebooted,

136
00:05:00,839 --> 00:05:02,971
in some cases if it's reinstalled,

137
00:05:02,971 --> 00:05:04,909
you have that access.

138
00:05:04,909 --> 00:05:06,485
Another thing that is starting to become

139
00:05:06,485 --> 00:05:08,986
a lot more serious is that now, when

140
00:05:08,986 --> 00:05:11,095
you have access to do things like boot

141
00:05:11,095 --> 00:05:14,097
loader modifications, you can brick the hardware.

142
00:05:14,097 --> 00:05:16,063
You could have a very, very expensive device

143
00:05:16,063 --> 00:05:18,667
that sometimes costs upwards of hundreds of

144
00:05:18,667 --> 00:05:20,977
thousands of dollars, and you can go through

145
00:05:20,977 --> 00:05:22,896
every line card that's in that device and

146
00:05:22,896 --> 00:05:25,596
just basically modify the boot loader so

147
00:05:25,596 --> 00:05:27,163
that it doesn't boot.
148
00:05:27,163 --> 00:05:29,813
And then later on, when it gets rebooted,

149
00:05:29,813 --> 00:05:32,245
maybe by the attacker or maybe by some

150
00:05:32,245 --> 00:05:35,153
kind of maintenance window that has been scheduled,

151
00:05:35,153 --> 00:05:38,273
the device goes down and it never comes back up.

152
00:05:38,273 --> 00:05:41,714
And then finally, you have data exfiltration, right?

153
00:05:41,714 --> 00:05:43,790
You have these features that are

154
00:05:43,790 --> 00:05:46,353
built in, such as lawful intercept,

155
00:05:46,353 --> 00:05:49,635
and then that copies the data out of the network,

156
00:05:49,635 --> 00:05:51,135
in some cases tunnels it over the

157
00:05:51,135 --> 00:05:55,218
internet to a system that the attacker controls.