Category: Networking

Hackers.mu VideoStream #1 : Modem Insecurity in Mauritius

On Tuesday the 17th of October 2017, the hackers.mu team had a public podcast on Modem Insecurity in Mauritius. Fifteen minutes after the start of the broadcast, there were already about 30 views from the public. We had over Keshav Purdassea, a student in cybersecurity as guest to ask questions. We also had people asking questions on the Facebook hackers.mu public group.

Logan from hackers.mu made a smart introduction during the podcast about its goal which is informing the public about the vulnerabilities found in Huawei Modem. You can view the video which has been uploaded on youtube here :

Codarren from hackers.mu laid emphasis on several interesting points such as the state of Dnsmasq. He also gave some interesting hints to launch commands on the router which is not similar like a usual Linux Box. He explained how all processes are running as root including Dnsmasq. Codarren recently had a conversation with engineers from Huawei and it’s quite obvious that Dnsmasq is also doing DNS. It was recommended to run Dnsmasq as a non-root user which is one of the best practice in any Linux Box. Someone can craft a DNS packet and run this on the modem with the intention to control it remotely. This security risk needs to be reviewed again.

 

In addition, I made a brief introduction on the preliminary precaution that can be taken to minimise impact such as deactivating Telnet or even SSH on the router. We also noticed how it’s possible to download the configuration file and decrypt it. All passwords can be seen clearly on the configuration files. The binary aescrypt2_huawei can be downloaded from the hackers.mu Facebook group. Here are the steps to be followed to decrypt it :

1.Use the following command to decrypt it :

[[email protected] ~]# ./aescrypt2_huawei 1 hw_ctree.xml decode.xml

2. To re-encode use the following command:

[[email protected] ~]# ./aescrypt2_huawei 0 decode.xml hw_ctree.xml

3. At line 1022, You can find the web interface password

1022 <X_HW_WebUserInfoInstance InstanceID="2" UserName="telecomadmin" Password="402931e04c03e24d360477a9f90b9eb15777e154360f06228be15c37679016ef" UserLevel="0" Enable="1" ModifyPass wordFlag="0" PassMode="2"/>

We also had Yash Paupiah, President of the UOM Computer Club who made a sensitive point regarding as to whether the patch was supposed to come from Mauritius Telecom or Huawei. After some research, we noticed that there was no patch from Huawei itself.

The whole team of hackers.mu and myself invite you to join our Facebook group and Twitter to keep in touch for our oncoming Live podcasts, Hackathons, Public events etc..

Other bloggers on the Podcast:


Tunnelix.com is now IPv6 ready! Are you?

Validated by IPV6-test.com, Tunnelix.com is now IPV6 ready. Woohoo.. I now have the IPv6 validation button 🙂 Can you spot it?

So, what is exactly IPV6-test.comIPv6-test.com is a free service that checks your IPv6 and IPv4 connectivity and speed. Diagnose connection problems, discover which address(es) you are currently using to browse the Internet, and what is your browser’s protocol of choice when both v6 and v4 are available. 

How i got an IPv6 address ?

If you are running a low-cost budget blog, i would recommend you to try out Cloudflare to have make maximum use of the free IPV6 address that you can activate on the network tab. The IPv6 compatibility option is not activated by default.

Screenshot from 2016-07-17 10-55-06

Cloudflare provide both free and paid service for CDN service, security, DDOS protection etc… However, the IPv6 address is a free one. 

Why you might need to start moving towards IPv6 ?

Loganaden Velvindron of hackers.mu recently shed some light in his Medium blog after attending the National Innovation Framework in Mauritius “The other issue that I think is strongly lacking are the remaining IPv4 resources left in our region to be able to make Internet of things a reality. There are currently 26.4 million of IPv4 addresses left, and it keeps shrinking at a frightening rate.” The world is running out of IPv4 addresses. I think we need to move on quickly on the IPv6 world because of Internet of Things (IoT) will depend on IPv6.

What is an IPv6? What are the parts of an IPv6 ?

Lets now get on the technical parts. As you should know already IPv4 use 32 bits infrastructure whilst an IPv6 use 128-bits which makes an IPv6 a lot more longer. Here is an idea of a representation of an IPv6 adress.

Photo credits: zeusdb.com
Photo credits: zeusdb.com

As you can see IPv6 address is composed of 8 segments of 4 hexadecimal strings. A simple math is by multiplying 8×4=32 then 32×4= 128 bits. When representing IPv6 addresses, zeroes are compressed and leading zeroes are further compressed by representing it with “: :” . See picture above.

The internet might run out of room

Since 2012, Vint Cerf, Chief Internet Evangelist at Google, and a founding father of the Internet, discussed the next version of the Internet, IPv6, and why we need it. Just as phones use a system of phone numbers in order to place calls, every Internet-connected device gets a unique number known as an “IP address” that connects it to the global online network. Watch out the video

 

 


Dare to do a brute force attack again!

Dare to do a SSH Bruteforce attack again and you are banned!! I have noticed that there are several DDOS SSH botnets attack these days on my server. Despite that i would prefer SSH to listen on port 22, i can imagine how many attempts can be made to breakthrough it. Though these attacks are very common, it can increase CPU consumption on your server and consequently the server can die. However, if you did not protect the server from malicious SSH remote connection, things can get pretty dangerous and the attacker can take over the machine.

fail2ban
Photo credits – fail2ban.org

Fail2Ban is one of the tools which you can installed on your machine to ban IPs that show malicious signs. However, today with the help of Kheshav, we have decided to find a solution to reveal all the IPs to the public. From the fail2Ban log we can find all IPs that that are being banned. The solution was an easy one.

1.Install Nodejs, npm package

yum install nodejs npm

2. Install frontail with the npm utility

npm install frontail -g

3. Now you can launch frontail on any port as a demon with the following command

frontail -p {port number here} -h {IP or Hostname here} {location of your log} -d

Afterwards, you have to include the IP, the port number and the location where you want the log to be streamed live.

Here are the banned IPs – US time attempting some brute force on tunnelix.com. You can also view the IPs on the right side widget of the blog. It might take some few seconds before loading.

There are several websites where you can report IPs for abuse as well as verification of precedent attacks. We are still brewing up some ideas to produce a better and well defined output of the log.


Debug your Internet bugs and vulnerabilities with ICSI Netalyzr

Can your Network be easily compromised? Is your Internet vulnerable? You might want to perform some tests on the Quality of Service your Internet Service Provider – ISP is providing you. It can also be more dangerous if your ISP is also your router vendor! One of the fast and reliable tool which i would proposed is the ICSI Netalyzr tool which test your internet connections for signs of trouble and provide you detailed report vulnerabilities, latency and several tests. The test can be performed by almost anyone with just a simple click.

“ICSI Netalyzr is a service maintained by the Networking Group at the International Computer Science Institute, an affiliate with the University of California, Berkeley  and funded by the National Science Foundation. The service got some publicity and found importance after late 2007 when Comcast was sued for throttling Internet traffic which Comcast later admitted to be true.” – freewareGenius

The report consist of:

  • A summary of the Noteworthy Events
  • Addresses-based Tests
  • Reachability Tests
  • Network Access Link Properties
  • HTTP and DNS tests
  • IPV6 tests and Network Security Protocols
  • Host Properties

I made several tests myself and notice that many routers are vulnerable to attacks. One of the test i made from a Netgear router DG series intentionally downgraded with an old firmware from the official website of Netgear was found to be vulnerable. Click here on this link to access to the Netalyzr tool.I would however recommend you to use DDWRT or OpenWRT for best QOS.

Example - A Netgear router vulnerable to CVE-2012-5958 and CVE-2012-5959
Example – A Netgear router vulnerable to CVE-2012-5958 and CVE-2012-5959

You could also check for DNS resolution, Latency issues and Measurement of your Network buffering capacity. You would need to authorize your browser to access a JAVA plugin to be able to perform the test.

You can also perform your test using the Android App as well as on the Netalyzer command line client.


ZeNmap – The classic way of Nmap

Nmap is a free and open source utility for network exploration and security auditing whilst ZeNmap is a multi-platform graphical Nmap frontend and results viewer. It was originally derived from Umit which was created as part of the Nmap/Google Summer of Code program. ZeNmap is compatible with almost all types of Operating system. I have tested ZeNmap on Ubuntu and FreeBSD and it works pretty fine.

Some basic ‘nmapping’ funs from my Kali Linux Box

Look for visible IP in your network –  nmap -sP 192.168.1.0/24

Check number of ports opened – nmap -Ss 192.168.1.0/24

Find the operating systems being used in the same network – nmap -O 192.168.1.0/24

You can even check the ACK bit during the TCP handshake authentication – nmap -sA 192.168.1.0/24

Screenshot from 2015-10-19 19:02:35
Tested with instances of several OS running on Vbox

Of course the world of Nmap is so vast that you will need to go through the Manual to design your own way of exploring the Nmap command. There are many features and capabilities such as Hosts identification, Port scanning, Interrogation of network services, OS detection etc.. How does Nmap works? Since every hosts or deivces is connected to a network and has some network ports open and is consequently waiting for connections, the Nmap tool initiate connection to the 1000 most used ports whether it is open responding to an incoming connection, closed and has no service running but can respond to probes, filtered; i.e protected by a Firewall, unfiltered; post can be accessed but no chance to determine if its opened or not and the last one is the open / close filtered.

What is more interesting is the ZeNmap tool where you can scan network using GUI. At this level, parameters are defined like Paranoid, Sneaky, Polite, Normal, Agressive and Insane.

Screenshot from 2015-10-17 11:37:21
A paranoid scan performed here

 ZeNmap can also be used for firewall evasion techniques, source address and port spoofing, setting flag values on both IP and transport level. Results are also shown through a Map.

Screenshot from 2015-10-20 05:54:29