Category: Networking

Hackers.mu VideoStream #2 : Modem Insecurity in Mauritius

Some days back, the hackers.mu team made our first video stream on Youtube about Modem Insecurity in Mauritius. We received several feedbacks from the public, friends and local medias about the issue raised. Upon further research I noticed that there are several countries including Vietnam, China amongst others are in the same problematic situation as they are using the same Huawei modem. More and more vulnerabilities are now being faced by the end users. Users aware of the issue can mitigate it from their side whilst others are still in the dark.

On Friday, the 20th of October 2017, another video stream was carried out by the hackers.mu team alongside other friends and professionals. We started with a short introduction from everybody in the videostream.

We had Billal, Codarren, Edriss, Irshaad, Logan, Kifah, Selven, Rahul, Yash and myself (Nitin) participating in the video stream. You can view the VideoStream here:

Our agenda was as follows:

  • An introduction from participants
  • Huawei’s acceptance of upgrading Dnsmasq
  • Other discoveries in the Huawei modem
  • Implication of Krack attack
  • Understanding of the mitigation techniques on Krack attack
  • Everyone’s perspective about the vulnerabilities on the Huawei modem

Other sources talking about hackers.mu‘s insecurity detection on the Huawei modem


Hackers.mu VideoStream #1 : Modem Insecurity in Mauritius

On Tuesday the 17th of October 2017, the hackers.mu team had a public podcast on Modem Insecurity in Mauritius. Fifteen minutes after the start of the broadcast, there were already about 30 views from the public. We had over Keshav Purdassea, a student in cybersecurity as guest to ask questions. We also had people asking questions on the Facebook hackers.mu public group.

Logan from hackers.mu made a smart introduction during the podcast about its goal which is informing the public about the vulnerabilities found in Huawei Modem. You can view the video which has been uploaded on youtube here :

Codarren from hackers.mu laid emphasis on several interesting points such as the state of Dnsmasq. He also gave some interesting hints to launch commands on the router which is not similar like a usual Linux Box. He explained how all processes are running as root including Dnsmasq. Codarren recently had a conversation with engineers from Huawei and it’s quite obvious that Dnsmasq is also doing DNS. It was recommended to run Dnsmasq as a non-root user which is one of the best practice in any Linux Box. Someone can craft a DNS packet and run this on the modem with the intention to control it remotely. This security risk needs to be reviewed again.

 

In addition, I made a brief introduction on the preliminary precaution that can be taken to minimise impact such as deactivating Telnet or even SSH on the router. We also noticed how it’s possible to download the configuration file and decrypt it. All passwords can be seen clearly on the configuration files. The binary aescrypt2_huawei can be downloaded from the hackers.mu Facebook group. Here are the steps to be followed to decrypt it :

1.Use the following command to decrypt it :

[[email protected] ~]# ./aescrypt2_huawei 1 hw_ctree.xml decode.xml

2. To re-encode use the following command:

[[email protected] ~]# ./aescrypt2_huawei 0 decode.xml hw_ctree.xml

3. At line 1022, You can find the web interface password

1022 <X_HW_WebUserInfoInstance InstanceID="2" UserName="telecomadmin" Password="402931e04c03e24d360477a9f90b9eb15777e154360f06228be15c37679016ef" UserLevel="0" Enable="1" ModifyPass wordFlag="0" PassMode="2"/>

We also had Yash Paupiah, President of the UOM Computer Club who made a sensitive point regarding as to whether the patch was supposed to come from Mauritius Telecom or Huawei. After some research, we noticed that there was no patch from Huawei itself.

The whole team of hackers.mu and myself invite you to join our Facebook group and Twitter to keep in touch for our oncoming Live podcasts, Hackathons, Public events etc..

Other bloggers on the Podcast:


Tunnelix.com is now IPv6 ready! Are you?

Validated by IPV6-test.com, Tunnelix.com is now IPV6 ready. Woohoo.. I now have the IPv6 validation button 🙂 Can you spot it?

So, what is exactly IPV6-test.comIPv6-test.com is a free service that checks your IPv6 and IPv4 connectivity and speed. Diagnose connection problems, discover which address(es) you are currently using to browse the Internet, and what is your browser’s protocol of choice when both v6 and v4 are available. 

How i got an IPv6 address ?

If you are running a low-cost budget blog, i would recommend you to try out Cloudflare to have make maximum use of the free IPV6 address that you can activate on the network tab. The IPv6 compatibility option is not activated by default.

Screenshot from 2016-07-17 10-55-06

Cloudflare provide both free and paid service for CDN service, security, DDOS protection etc… However, the IPv6 address is a free one. 

Why you might need to start moving towards IPv6 ?

Loganaden Velvindron of hackers.mu recently shed some light in his Medium blog after attending the National Innovation Framework in Mauritius “The other issue that I think is strongly lacking are the remaining IPv4 resources left in our region to be able to make Internet of things a reality. There are currently 26.4 million of IPv4 addresses left, and it keeps shrinking at a frightening rate.” The world is running out of IPv4 addresses. I think we need to move on quickly on the IPv6 world because of Internet of Things (IoT) will depend on IPv6.

What is an IPv6? What are the parts of an IPv6 ?

Lets now get on the technical parts. As you should know already IPv4 use 32 bits infrastructure whilst an IPv6 use 128-bits which makes an IPv6 a lot more longer. Here is an idea of a representation of an IPv6 adress.

Photo credits: zeusdb.com
Photo credits: zeusdb.com

As you can see IPv6 address is composed of 8 segments of 4 hexadecimal strings. A simple math is by multiplying 8×4=32 then 32×4= 128 bits. When representing IPv6 addresses, zeroes are compressed and leading zeroes are further compressed by representing it with “: :” . See picture above.

The internet might run out of room

Since 2012, Vint Cerf, Chief Internet Evangelist at Google, and a founding father of the Internet, discussed the next version of the Internet, IPv6, and why we need it. Just as phones use a system of phone numbers in order to place calls, every Internet-connected device gets a unique number known as an “IP address” that connects it to the global online network. Watch out the video

 

 


Dare to do a brute force attack again!

Dare to do a SSH Bruteforce attack again and you are banned!! I have noticed that there are several DDOS SSH botnets attack these days on my server. Despite that i would prefer SSH to listen on port 22, i can imagine how many attempts can be made to breakthrough it. Though these attacks are very common, it can increase CPU consumption on your server and consequently the server can die. However, if you did not protect the server from malicious SSH remote connection, things can get pretty dangerous and the attacker can take over the machine.

fail2ban
Photo credits – fail2ban.org

Fail2Ban is one of the tools which you can installed on your machine to ban IPs that show malicious signs. However, today with the help of Kheshav, we have decided to find a solution to reveal all the IPs to the public. From the fail2Ban log we can find all IPs that that are being banned. The solution was an easy one.

1.Install Nodejs, npm package

yum install nodejs npm

2. Install frontail with the npm utility

npm install frontail -g

3. Now you can launch frontail on any port as a demon with the following command

frontail -p {port number here} -h {IP or Hostname here} {location of your log} -d

Afterwards, you have to include the IP, the port number and the location where you want the log to be streamed live.

Here are the banned IPs – US time attempting some brute force on tunnelix.com. You can also view the IPs on the right side widget of the blog. It might take some few seconds before loading.

There are several websites where you can report IPs for abuse as well as verification of precedent attacks. We are still brewing up some ideas to produce a better and well defined output of the log.


Debug your Internet bugs and vulnerabilities with ICSI Netalyzr

Can your Network be easily compromised? Is your Internet vulnerable? You might want to perform some tests on the Quality of Service your Internet Service Provider – ISP is providing you. It can also be more dangerous if your ISP is also your router vendor! One of the fast and reliable tool which i would proposed is the ICSI Netalyzr tool which test your internet connections for signs of trouble and provide you detailed report vulnerabilities, latency and several tests. The test can be performed by almost anyone with just a simple click.

“ICSI Netalyzr is a service maintained by the Networking Group at the International Computer Science Institute, an affiliate with the University of California, Berkeley  and funded by the National Science Foundation. The service got some publicity and found importance after late 2007 when Comcast was sued for throttling Internet traffic which Comcast later admitted to be true.” – freewareGenius

The report consist of:

  • A summary of the Noteworthy Events
  • Addresses-based Tests
  • Reachability Tests
  • Network Access Link Properties
  • HTTP and DNS tests
  • IPV6 tests and Network Security Protocols
  • Host Properties

I made several tests myself and notice that many routers are vulnerable to attacks. One of the test i made from a Netgear router DG series intentionally downgraded with an old firmware from the official website of Netgear was found to be vulnerable. Click here on this link to access to the Netalyzr tool.I would however recommend you to use DDWRT or OpenWRT for best QOS.

Example - A Netgear router vulnerable to CVE-2012-5958 and CVE-2012-5959
Example – A Netgear router vulnerable to CVE-2012-5958 and CVE-2012-5959

You could also check for DNS resolution, Latency issues and Measurement of your Network buffering capacity. You would need to authorize your browser to access a JAVA plugin to be able to perform the test.

You can also perform your test using the Android App as well as on the Netalyzer command line client.