
Minimize, awesome. All right, I've got like 9,000 slides and I'm going to try to do them in an hour, so I won't be going slow. That probably won't be different from any other talk I do. So this is a fun talk. This is part one of two; part two is actually at 5:00, and that's all the dirty stuff I can't talk about here. This is all the stuff leading up to it, so there's still a lot of data, still a lot of kind of fun macro stuff, but it's not like the crap that'll probably get me arrested, which is the next talk, probably. I don't know, actually.

So this talk is about quantifying security research by actually looking for the stuff in the wild. You see security researchers come out and say, you know what, I found this vulnerability in, you know, Jim Bob's chat application, and it's terrible, and I deserve to get a crown for this and sit on a throne, a Nobel Peace Prize, I found Jim Bob's chat application vulnerability. In reality no one cares, because no one uses the damn thing. However, we don't really have the data to say whether or not someone uses that application today. So you have all these security researchers saying this vulnerability is gigantic and everyone should be paying attention to it, and at the same time you've got the vendor saying no, this isn't a big deal at all, you're crazy, no one really uses that configuration. How do you find the truth between those two things? That's really what this is about: how do you actually measure the truth of exposure for a particular application across the internet at a global level, and then what kind of fun things can you do with it?

So, advisories suck. They don't have much data: affected versions, maybe mitigation, things like that, not really much fun. There's no real data about the impact of the vulnerabilities. They don't tell you, hey, this vulnerability is actually going to cause the World Trade Center to melt down, it's going to cause this hospital's iron lung to stop moving. They don't have that data, they can't say that, they've got nothing to measure it against. There are some sources out there today, but there's nothing really besides, say, a Google dork you can do to find out the impact of something. There is Shodan of course, you can use that for some of it, but it's not necessarily application specific yet. So there's not really much data you can use to accurately say what the impact of a vulnerability is today.

So we don't really worry about the security of other people, we really worry about the security of ourselves, and that's really it. Your responsibility typically ends at your own firewall, or at your ISP's uplink, and that's it. You don't care about anything outside of that, it's not your business. So we're kind of this society of walled gardens when it comes to networking. We don't really care about our peers, we don't care about our clients' networks so far as they pay us, we don't care about a lot of things in terms of other people's security unless there's some direct impact on our revenue or on our business. In reality, all those other networks really do affect us. Every time you go to the doctor's office and you're signing those 15 forms basically giving them permission to share your entire medical record with anybody they want, that's a case where you really do depend on their security. You depend on their ability to use a shredder, on actually storing data securely, or someone's going to find out about that wart you have on your toe, or worse. Any time you're defending against a DoS attack, the machines that are actually attacking you, those aren't some attacker who's been out on the internet with a cluster of machines, that's a whole bunch of owned boxes they're using to attack you. And why were those boxes owned? Because no one cared about their networks; the people in charge of them couldn't secure them; no one could really solve the problem before it turned into a DoS against you. That's really the problem with malware, bots, trojans, things like that these days: they're all using innocent people's machines as weapons against other folks. Any time you get a data loss letter you start caring a whole lot about that particular provider's security. Every time there's a major breach, it's like wow, crap, I got three letters this month, this sucks, how come they can't get their crap together. That's when you really start caring about other people's security. And spam of course is the same problem as DoS: it's all usually going through compromised machines these days. You don't have a whole lot of bad hosts on the internet left; most ISPs want to stay connected, don't want their uplinks to cut them off, and so there really aren't that many spam havens these days. There really are just a whole bunch of owned boxes sending spam. So we actually are affected by the lousy security of other people. We can't do anything about that, and we don't really recognize that in terms of how we act or what we do, but in reality the more we know about everyone else, the better we can defend ourselves, the better we can secure the network as a whole.

But most of the approaches to this are pretty much reactive. They're blacklist based. They're saying things like, any time your machine is compromised and you show up on a blacklist, we'll put you on this list for a month or two until you get removed. So great, you've taken some random Joe who got his box owned and you're penalizing him for the fact that he didn't know what he was doing, for two or three months. You're not really helping anybody at this point. So most of the blacklists out there just really aren't useful, because you don't have some internet hacker sitting on his throne rubbing his hands together with a bunch of boxes at his feet; you've got someone owning a bunch of other boxes that are not being put on these blacklists. And yeah, I mean, the blacklists are really the only way to carry some responsibility back to the ISP to have their clients take care of this stuff, but at the same time the clients generally aren't the ones responsible. They build houses or they sell widgets, they do something else, it's not their business doing security. So what I want to do is kind of invert this. Instead of having a blacklist, let's create a whitelist, if you will, of machines that aren't owned, because that's usually more the case these days. The only problem is you can't figure out whether a machine is compromised just by looking at it, usually. You can scan it, you can look for things, you can look for traffic coming out of it, you can look for scan sources coming from this machine, but it's really difficult to find out whether some random box on the internet is owned today. However, you can guess based on the data you have by doing some active scanning. So what I want to do is actually say let's look at the entire internet, let's scan the bejesus out of it, and let's actually predict which boxes will get owned when, and then what the results and data loss will be, and let's use that data to actually tune our advisories, tune our research, tune exploitation to really go after what matters the most, as opposed to saying let's go exploit this PHP web app again, which is no fun.

So I'm going to fly through this because I'm short on time. The tricky part of this is how do you actually measure this stuff. You need people to measure data in a way that you can then query later on, so that when a vulnerability comes out in the future you can then go back, look at your old data and say well, the impact of this vulnerability is X, Y and Z, because I've got the data showing as much. So I've actually had a couple of case studies I'll talk about later on if there's time; MySQL, for example, is a case where when the vulnerability came out recently I was already sitting on a monster pile of data I could go back and look at to find out what the real impact was.

So the fun part: gathering data. First I'm going to talk about Shodan. Shodan is awesome, I love Shodan. Shodan's like my hero at this point. John does an awesome job of getting more information about the internet's vulnerabilities and exposure out to the rest of the world, and he hasn't gone to jail yet, so that's why I love him. He's legitimizing it through brute force at this point, so I love what he's doing. There's lots of really great data, so use Shodan, it's cool. In this case I searched for port 161 and Cisco, so every Cisco device with SNMP enabled that was in the Shodan database as of a month ago or so, and you see there's about 99,000, no, 95,000 devices with Cisco in the SNMP description. If you look at the breakdown of the ports Shodan covers, they've recently expanded a whole lot lately, but it's really not that many ports: FTP, secure shell, telnet, HTTP, HTTPS, SNMP, SIP, UPnP. Most of the work that he's been working on has been related to HTTP and HTTPS surveys, so things like doing HTTP header analysis, doing things like SSL certificate analysis. Really useful, great data, but it's really focused mostly on web. Overall, if you combine the HTTP and HTTPS data, that's really the majority of Shodan; it's 90% plus web data in Shodan. And great, web's everything, right? Web is what we care about most of the time, so that does make sense. But I want everything else. I want to have all the other fun nibbly bits of the internet that tell me things about machines that aren't part of the web services: things like FTP, SSH, telnet, yes, but more of it. I also want to query NetBIOS, I want UPnP data, I want anything that gives me lots of bits I can measure going forward. So NetBIOS is great because it gives you the name of the machine, MAC addresses, kind of hardware addresses. UPnP tells you vendor information. SNMP is awesome if you have lots of it, because it gives you really detailed information on a large variety of devices. And of course on the TCP protocol side, MySQL: getting versions of MySQL out there, because they tend to get owned a lot. What's the easiest way to have data loss? Have someone own your data source and skip all the steps in between. So that's kind of what I'm looking at versus what Shodan's looking at.

So, time to scan all the things. The fun part. Scanning the whole internet is tricky. If you want to scan TCP services it's really two steps: if you want to grab banners you have to scan it once to find whether the port's open or not, do that with a SYN packet, look for the SYN-ACK, done. That goes pretty quick, but you still have to collect the damn banners, and that's the slow part. So you can do crazy amounts of ports per second if you're Dan Kaminsky; he's got a new scanner that's awesome, he's going to talk about it later on, he's got a really neat way to do it. It's just difficult to collect banners at the same time unless you have a full userland TCP stack, which he might have, that I can't talk about. So anyway, with TCP scanning you have to find the port open, then connect to the port, grab the banner, and sometimes you poke the service a little bit, saying hey to that application, like let's negotiate some DO, DONT, WILL, WONT crap before you give me the banner. UDP is actually two steps too, because you want to send and receive the datagrams, the raw bits you send, but decoding is too damn slow to do when you're scanning; you need those CPUs for sending more packets. So you actually send and receive the data, then store it all off as a file you can then process later on the back end.

So, really quick internet math. If you know the internet is freaking tiny: there's more RAM in a 4 gig netbook than there are IPs on the internet, in terms of bytes. With a single 4 gig stick of RAM you can store 256 states about every IP on the internet without a problem and have lots of room to spare. So if you're looking at doing a big memory map of the entire internet you don't really need that much data, it's actually pretty small; 32 bits is not big anymore. In reality you only have about 3.2 billion IPs used, 3.3 billion these days, but it's really not going to get past 3.5 because of the reserved blocks. If you want to send a single packet to everything, on a really cheap-ass server that does 50,000 packets per second, 24 hours hits all 4 billion IPs. In reality you can go a lot faster for a lot cheaper, and a lot bigger boxes, and pay a lot less. The reason for that is most of those crazy cheap VPS hosting services out there, yeah, they'll give you a really crappy VPS with like a 1 GHz processor and 32 megs of RAM or something terrible like that, but it's running on a honking Xeon box that has Intel PRO/1000s in it that can actually send out 100,000 packets per second. So if you can write a scanning tool that doesn't use many CPU or memory resources, you can basically clog the entire e1000 card in that thing for five bucks a month, from anywhere, like Russia, China, wherever; these boxes are all over the place. So you look at these cheap VPS providers: they think they're limiting you by giving you no memory, no CPU; in reality for internet scanning projects like this it's really the rate limit of the network card itself, and the throughput and the buffering of the card. So you can really cram some packets through these really cheap VPS providers. These days I'm actually hitting every IP every seven hours right now for UDP services, and nine boxes in a cluster doing it, but each server is doing every /0 range in seven hours.

So for nmap, sorry, for TCP scanning, I'm really lazy and I like nmap, so I used nmap, and nmap is awesome if you tune it the right way. There's a great talk that Gordon did a couple of years ago talking about how he scanned the whole internet, it's part of the worldscan project, I recommend looking at that. Here's just some settings I use, like parallelism; setting your SYN probe list to also be your port list short-circuits the TCP discovery phase. And I had a little crappy NSE script I sort of kind of wrote and copy-pasted together that would do things like telnet negotiation and do the right kind of protocol initialization per port I talk to, so that it would get nice clean data. So if it's SSL versus non-SSL, recognize that, catch the error, resend the GET request without SSL; if it's FTP, try logging into it, get the banner, and so on; if it's telnet, do the negotiation sequence first to get the banner out of it. Unfortunately I found out I'm really bad at Lua by doing a test scan with telnet and realized it never broke out of the while loop, and so I was eating like 30 megabits per second with a Lua connection to some poor little router someplace and the router was basically offline for two days. I'm like, oh crap, let me fix that. So definitely test your tools better than I did before unleashing them upon the internet. Oh, here's the URL to the actual NSE script, if you want to see my terrible Lua; it's mostly copy-pasted out of much better Lua developers' code.

So for UDP: UDP is awesome, but there weren't really any good tools out there to do large scale UDP probes, so I wrote this little crappy C thing that spews out packets. You give it a file name of data, you give it a port number to send it to and a packets per second rate, and you feed it IPs on standard in; it spits out data on standard out, that's it. So you can run about three or four of these per server and you can get about 200,000 packets per second out of a really cheap server really easy, and it just goes. So this is how I get seven hour scans these days, and that actually turns out to be about 1.2 gigabytes of traffic per server every 24 hours with just this one little thing running on it, just choking out packets as fast as it can, and it works out pretty well. So there's the usage case; there should be a URL on the next page for where to download it. But this thing I ran on a bunch of Russian VPS nodes for a while, and they kept thinking I was being DDoSed: like no, no, I'm not being DoSed, it's all cool, don't worry about it, it's all fine, that's not a DoS, that's intentional. I don't know.

So here's an example of what happens when you run the little UDP blaster script. This is on a box that's at SingleHop. You can see I actually had to rate limit it and drop it down to about 85,000 packets per second because I was going to run through my bandwidth quota too fast; I was going to hit 20 terabytes of traffic in like five days otherwise. So I knocked it down to about 645 gigs per day for that box just so I can stay under the wire on it. But yeah, it works.

So when you scan the internet, and this is actually from yesterday, it's now 590 down here, I got lots and lots of abuse complaints. There's probably like 15 people I've talked to so far since walking in today, they're like hey, you scanned me; I'm like yep, sorry. And a lot of folks work for MSPs and they're basically having to deal with this traffic because I'm hitting them every seven hours for four months; it's probably getting old. So sorry, guys. It's good data though, you can do cool things with it. So I've gone to some ridiculous lengths to keep my support people happy at my ISP. I found out where they lived and got their home addresses and then sent them things. So I'm not sure whether they think that's good or bad, but we have an understanding: they got candy and I've got their home address, and that's how we keep it. So anyway, I've had a pretty fun experience working with all the different ISPs. It ends up being about two hours a night of work for the last three months just handling abuse complaints, building up these huge exclusion files. I've got about 2,300 exclusions right now, of different organizations that didn't want to be scanned anymore. It's like great, I've already scanned you, I don't need that anymore, done, thanks, here we go. So we've got some really fun ones. Someone demanded $10 million from me today in damages for me sending a packet to his little home router in like New Zealand. Like all right buddy, good luck with that. The ISP basically laughed him off, like yeah whatever dude, here you go, we'll give you like a sticker, here's a sticker.

So the two ISPs that are awesome with this type of stuff, that actually are willing to give you the benefit of the doubt on security research, are Linode and SingleHop.net. They are awesome, give them all your monies. SingleHop is better for long term dedicated servers, Linode is better for really short bursty stuff, but it's much more expensive; you have a lot of bandwidth. But anyway, they've been really good. The Linode folks were so awesome: they took my 50 abuse reports per couple of hours, collated them for me, sucked out all the exclusion list, provided me like a configuration file with exclusions for all of them already. I'm like sweet, I don't have to do anything, this is great, so I love those guys. And now, this is my SingleHop abuse queue, I'm at about 595 abuse complaints as of this morning now, so it just keeps on coming, and I just go through them all and reply back: yep, thanks; yep, scanning you; yep, you're getting scanned. So this is my email box if you want to know what it looks like; it's about 9,000 pages of this, so complaint, complaint, complaint, complaint.

So DShield.org has this really cool thing called the top 100 attackers list, or as I call it, my scoreboard. So the top here, this is number one at the top; I haven't quite gotten number one, I've got number one a couple of times here. But this is number one through number 100 on the top 100 list for all nine boxes I'm scanning with, so this is over the course of six days or so in July. So this one's doing most of my UDP scanning, so it's all near the top, the urchin box, then they kind of trickle way down. So this is basically every single hour for that six day period of my top 100 rankings for these machines. And here's a shiny version of it. So this is actually a clock: if you start going around, every tick on this is basically an hour mark, all the way around, and the orange one down here, that's the UDP scanner, and this is the number of complaints coming in to DShield.org and SANS incidents.org over the six day period. So you can see it's kind of like a spiral: some of the machines, like this is ping3, get a ton of traffic, get a ton of complaints, and then as people start getting their networks excluded or saying yeah whatever, we'll just ignore it, it starts actually declining all the way around. You can see the UDP scans though really aren't; they're getting a little bit thinner over here, but not by too much; this is still the number one generator of complaints. So, a fun way to visualize how much people hate me. And here's like the fancy version with all the numbers and crap, but here's like the whole clock all the way around, hour by hour. Anyway, you're welcome to look at the data later on and play with it, but it's kind of fun.

So, storing all this crap. This is where it gets painful: 260 gigs of compressed XML for nmap alone, and then another 40 gigs of compressed UDP files that are all the output for my UDP scans. The store I bring it all into is actually the only thing I could find on the planet that's fast enough to do really quick upserts, because I don't want to have duplicates for every IP; I want to basically just keep overriding the latest data for the latest service. And having 150 million plus entries, it gets really expensive to do that with most database storages, so everything else melted down. I looked at Cassandra, I looked at Postgres with crazy tuning on it, I looked at Riak, I looked at a bunch of crap, and it's the only one that really kept up. Unfortunately it likes to corrupt its BSON database every 24 hours when I use it, so I've had to do a whole lot of, like, load the data, then dump it back out to JSON files, then reload the JSON files back in so they won't be corrupted anymore, and keep cleaning the data like that over time to actually get the data to store. So I finally got it mostly stable these days; MapReduce will still corrupt the database, but again it looks like it's actually a data content issue, not a data storage issue. Let me see, I'm on time, sweet, going quick, so we can spend some time on the fun stuff later. So this basically goes into that, then gets dumped to Elasticsearch. Elasticsearch is Lucene plus kind of a NoSQL back end on top, and Elastic is great. So just so folks can start playing along if you happen to have a laptop with you, let's see, let me skip to the end slide real quick, make it easier.

Ah, wrong one. All right, let's try that again. So if you go to critical.io and use username bsides, password bsides, you can do neat little geographic maps of any query input you put in. So you can say like look for China, look for MySQL, look for whatever, and it shows you a nice little geographic map, without the raw data on it yet. So I'm still trying to find a good way to do that without exposing all the vulnerabilities in the world, but right now it just shows you pretty maps for whatever query you give it. So that server is going to melt down in like five seconds, so get a head start now before everyone else gets it. All right, let's move back up.
and so all this is done uh through you know going from raw files to to elastic search the Baston pipes and and then elastic surgery used for a lot of the uh facets and normalization as well and then finally little 3 interface top of search it that's what your guys are hitting at critical IO um so really neat stuff so when it's all said and done I scan lots of fun ports I got um when you scan Mac addresses or sorry when you scan NEP bios you also get Mac addresses back and Mac addresses are great because they give you um the uh vendor of the machine as well and there's some fun things about Mac
addresses you can use to really kind of hone in your vulnerability data when it's done um and Mac addes are supposed to be globally unique but they're really not we'll go into more of that in a second uh upm is really cool I'm actually going to talk about more of this more of the upm stuff at 5:00 clock um but upm there's only about six or seven vendors in the world that make upm stacks uh and no one's ever a like audited the damn things so like gp-r SPF and laugh uh it's really that bad for ssdp and like there's 33 million devices on the internet that have this service running um and you know you can make a
Fairly reliable explo so we'll dig into more of that later uh but that gives you the OS information the kernel version sometimes things like that uh mdns is really cool as a thing to scan because mdns being bonjour or you know aaji demon or whatever you want to call it um it actually register any Services running on a machine so instead of having to basically port scan a box you query mdns saying hey what services do you have and it just tells you and the cool thing about that is if there's a custom like proprietary service in that machine it'll register that and serve it up by name so you can be like hey what's
this really weird thing I found we'll talk about that in a second too thanks so a little bit on the Highlight side um here's where I ended up with the service data uh this big old pink slice here this is adcp which you expect to be pretty big um the little uh yellow guy down here this is SSL so I've got about 114 million host about 156 million total IPS that are just web based and I've got 880 in there too but it's fairly small um the thing that really is different about this py graph versus the showen one for example is all these other big slices that aren't web um this block down here this is actually SNP data
there's 33.5 million devices on the internet that have SNP Expos the world with public um if you've ever seen a Dos being done through SNP reflection um that should scare the crap out of you um because you can swing something like you know some number of terabits per second DS with those boxes U just by doing a reflection from the their Quest on that um this big uh Pink slice right here it's kind of weird this is actually mdns sorry this is UPnP so if you look at vulnerabilities in UPnP Stacks they're pretty significant I mean there's more of these things that I found than T than basically SSL services are pretty close to it just in terms of overall impact
number of boxes I found with random scanning um as you start going around the P graph you find less and less stuff the really really invisible Little Slice you can't see here at all that's the bottom one on this list the kind of you know clockwise and top to bottom that's actually VX Works debug services so I talked about VX works here about 2 years ago and we'll talk a little bit about what that means but there's still tons of them out there um other things notable in the kind of the sizing on this is tnut is still alive and well you've got a big slice of tet right here that's still out there about 13 million
machines or sorry 11.3 million machines um anyways lots of fun stuff so we'll start going through some of it so first thing uh basic stats there's about 156 million IPS that were found so far in the scan uh up sorry every UDP service I scanned mdns upm snnp and net bios I scan the entire internet for it every 7even hours so I know that one's solid like if you have got a Windows machine it gets online in a cafe on an external range I'll find it and if you go to a different Cafe the next day I'll find it again and correlate the Mac addresses like yep you got these two IPS for this machine so that's all fairly
well done and organized um TCP was more random mode it takes so long to scan it so I scan something like um I think I've got TP Services about 140 million 156 million hosts so but it's a different ratio of those uh sometimes they have some ports sometimes they don't have other ports depending which ones they scan when and wear it's a little bit more pecil uh when you look at all the services you still have web being majority still combined 8080 8080 8443 and showen has really good data on web so if you ever want to look into surveys about you know what's the most common web server what has the most common header uh what an SSL what's most
common SL key size uh the showen surveys are awesome go look at those um I'm not going to dig into web at all I think it's it's awesome but it's been very well covered by the folks um the scary thing was you know 35 million machines Destin top the 30 million UPnP and the 148,000 devices with VX Works debug are still enabled um which is basically rewrite memory of a device with a debugger already in metas for two years so talking about VX works ah I love this thing um basically there's every little device on the planet um as of 5 years ago ran VX works these days that ratio has been going down a little
bit uh but the you know the Mars rovers run VX Works uh we found out that it would take about 30 days the root Force the tell my password on them using the password encryption weakness just due to the round trip time of TCP connections but we' have to like hold up in NASA for 30 days with guns and then brute force it and didn't seem worth it um but we found you know these things you can read and write memor so you can basically dump the entire running image of the device find out you know hey this is how the logic of this particular control works like authentication and then knp out that check and then write the memory
back into the device. Most of these devices don't have memory protection at all, so you can overwrite the running code in memory to replace the login routines, to replace any kind of functionality you want on these devices, and just go right through it. So it's basically carte blanche access to all 140,000 machines out there, and you can scan for all of them in hours, and they're still there. Now granted, that's down from 250,000 in July. So I already killed my little dramatic pause, but yep, 149,000 still. So it's gone down by a little bit in two years, but not enough to really make much of a difference. That difference is really by the vendors who
care. These are the vendors who still don't care, still don't really... can't replace the gear that's already out there. I'm flying through this, this is great. So mDNS is great because you can find all kinds of cool stuff. This is known as mDNSResponder, Bonjour, Avahi. By default a lot of Linux distributions install the Avahi daemon on the machine just with a default configuration, Ubuntu for example, and it's really stupid because now this thing exposes all kinds of fun information about your system to anyone on the network. And you can register all kinds of cool services out of here, but there's lots of really neat stuff
that pops up in these lists. So if you look for some really strange stuff that comes up in the mDNS advertised lists, there's only a few million of these devices out there, a few million devices that respond to mDNS, like six or seven million I think. You'll see a whole bunch of TiVo boxes advertising a TiVo service as being an internal service on it. They also advertise MythTV, Snap TV, DirecTV; every set-top box basically has mDNS running on it and advertises video streaming services. So a neat way to go say, let's own all the TiVos, yay, done. Same thing with a lot of NAS devices actually, like ReadyNAS, Maxtor BlackArmor,
some of the Seagate boxes, the GLE stuff. They actually all had mDNS exposed to the world as well, which didn't make any sense, but that's how they're configured. What was kind of fun is this iPhone surveillance service that shows up all over the place. There's actually a whole lot of these things. This is actually a NAS-side service for integrating with a surveillance system tied into your iPhone, so if you have a home surveillance system set up, this is the service on your NAS device that lets your iPhone look at it with their client application. But again, now you know, okay, here's all the people that have home surveillance setups of their home, let's
just go to the web service and look at everyone's house. So it's scary data to have. One of the things I really found interesting was some of the really weird specific stuff from vendors, like Cell Bio was one that showed up as a service, like Cell Bio Instrument. It's like, this can't be anything but awesome, it's called Cell Bio Instrument, I really want to see what this thing is. We'll actually look at it in a second. Find Pump Monitor as a service name, like I probably don't want to scan Pump Monitor, I don't want to stop monitoring that pump, whatever it's doing. I don't know where that pump is or what it does,
but it's probably not good if I touch it. A company I used to work for found a couple of their devices on the internet using the mDNS exposure as well, so it really leaks some really weird things you can't find any other way. There's also some vulnerability indicators: you can see machines advertising the fact they've got distcc exposed, which is basically just a remote shell waiting for you to run commands on it. It's used for parallel compiling basically, and its default configuration isn't too bad these days, but it limits it based on RFC 1918 addresses, doesn't limit it based on passwords, so if you have
network access to it from a machine you can still do anything you want on these machines by default, andom TP etc. So with that, here's some cool stuff. Here's the floor chem laboratory that does... this is what Cell Bio maps do. The Cell Bio Instrument is a whole system for doing video capture with different light frequencies of cellular crap on slides, and this whole review and gallery and all kinds of really cool stuff. Check out the temperature though, the temperature of this thing is 22C on this camera. And it's got all kinds of cool functions like reload firmware, upload flash of firmware. I don't know what you can
do with this thing but it looks scary if you can actually start reconfiguring it. So here's an example of some biologic surveys done with this thing; it has nice little galleries and it's almost like a Facebook for cells to hang out and show off their stuff. So anyway, really cool stuff here. I'll do a little close-up here in a second too. Here's one of the little slides of some stuff growing in a plate under weird light. So anyway, the weird crap you find on the internet when you start looking for the things that don't look like the others. So lots of kind of unexpected findings from this stuff. So moving on to a couple of other
things. VNC, everyone loves VNC. There's actually lots of implementations; a lot of lights-out boxes like IPMI cards now sport VNC as well to control them. So lots of things implement VNC as a protocol and it's got some pretty weak password configuration, usually just like a static string. The encryption is DES by default, just standard DES encryption, so you can break that pretty quick. And some versions, 4.1.1 of RealVNC, had an authentication bypass flaw. It only affected certain protocol versions and only some systems, so I was like, well, let's look at every VNC server on the internet I can find and actually start seeing how many of those are probably
vulnerable to authentication bypass. Most of them. So of this set I think it's something like 132,000 devices have RFB 003.008, which is the one version that is affected by this. They could be the patched version, but most of these really are pretty old installations of RealVNC, and you see some other slices around here, but basically the majority, and I cut all the ones that are below a certain mark or ones that had some cruft at the end of it, but just from the basic protocol version breakdown you can see the most widely exposed version of VNC is the most widely exposed version of VNC. MySQL, fun too. When the whole MySQL
authentication bypass flaw came out recently, I went through the data and tried to figure out how many of these are actually exploitable. The crazy thing about the MySQL one was you actually had to find a 64-bit box of certain versions of certain builds to be vulnerable. So if you look for like 1a20 as the version name in MySQL's banner, you knew that was an Ubuntu box of the right version, but you couldn't tell whether it was 64-bit or not, so you had to go through and do a whole follow-up of scanning all those machines with M TR to figure out 32 versus 64-bit based on OS fingerprints. So about 1.8 million machines with MySQL open to the
internet just in general. Half of those had no host tle, so when you connect to them you just start brute forcing like mad, and half of those probably still have no password, I just didn't bother testing that. And all those altogether, about 50,000 at the time were vulnerable to this straight bypass. So you know, there's your data loss; there's 50,000 database servers of who knows what in them sitting off the internet that you can basically just keep trying to log into, get an authentication attempt. For folks who aren't familiar with the bug, you can give it any password you want and one out of 256 attempts would accept
your bad password. So you basically just run the login command in a loop till you get in, and it's awesome, and 50,000 machines sitting out there full of all kinds of fun data just exposed. So that's why we're all scared. NetBIOS is a lot of fun and I'll go on this a little bit. Of course you get the system name for NetBIOS, you get the domain name, which is cool if you're trying to find out where a particular machine is, what company the user works for. One unknown trick about NetBIOS: you can use it to enumerate multi-homed hosts. Basically when you ask NetBIOS for a
status request it comes back saying my name is this, my MAC address is this. If you come back and then say okay, now what IPs have this name, it'll enumerate every IP address on that system remotely without authentication, so you can use it for multi-home detection. The Metasploit NetBIOS probe module already does that, so just do use auxiliary scanner NetBIOS probe and scan to your heart's content and you'll find out all your multi-homed machines on your local network right away. So a really neat way to find multi-homed boxes. I haven't gotten that far with this data set yet, it's 13 million boxes, it takes a while. But all the MAC addresses were fun to look through because you
look at MAC addresses as being globally unique, so every vendor gets a little three-byte prefix and they've got three bytes that they can allocate to their hardware. Bluetooth, Ethernet and ZigBee I think all use the same OUI allocation for addresses, and so vendors are supposed to allocate an address and then pick things out of this address range to use with their systems, so they should be unique. So how many people screwed up unique addresses? Most of them. Qualcomm has 880,000 devices out there that have the same MAC address, just for one MAC address. So hopefully you don't get two of these things in the same network, or
one of them won't work anymore. Asus has a couple of lines here under different names, but basically they've got about, actually more than that, 40,000, yeah, something like... this is a logarithmic scale because it's hard to show otherwise, but I think around 50,000 machines that Asus has shipped have the same MAC address too. And this isn't just small vendors. VMware of course, because VMware allocates MACs randomly based on a magic seed, so those are going to eventually conflict, so it makes sense that there's lots of VMware and lots of Xen down here. It doesn't make sense that Hewlett-Packard has a bunch of duplicate MAC addresses, or Dell, or Intel, or Xerox,
or 3Com. So when you think about your MAC addresses being unique, or using one as a forensic indication, it's not really unique, and here's proof that there's no such thing as unique MAC addresses. The most common MAC address I found was 00 5655 then all zeros, and there's 1.3 million machines on the internet that use this MAC address. The reason for that is it's a tethering adapter, a software adapter on the machine by a vendor that comes up with the same MAC address no matter what for the interface, so every machine using this tethering adapter has the same MAC address. It's like, great, now we've got a list of every
person on the internet using this tethering software. So there's some neat findings. I didn't get a chance to dig up one of them, but there's a version of Windows XP called Windows XP Black that's just a hacked-up rogue version that doesn't get security patches anymore, and they all have hardcoded MAC addresses too, to bypass licensing checks. So if you find any machine out there with that MAC address you know it's a pirated version of Windows XP Black. So there's all kinds of cool inference you can do between MAC addresses and vulnerabilities and things like that. So I'll release the data later on; this is kind of just a quick
look at it. So SNMP is awesome, I'm going to dive a little bit into it. I know I've got a little bit of time left, I want to have some demos and questions. 33 million devices with SNMP public, which is awful, but SNMP does all kinds of cool stuff. SNMP will tell you what ports you're listening on on the machine, what IP address it has, what routes it knows about, the MAC addresses involved, its neighbors in the same network. If it's a Windows or Linux machine it'll tell you a list of all processes running, all software packages installed, all local user accounts. And we actually dove into some of that and have some of the fun
information from those deep scans on those Windows machines too, so I'll dive into that in the 5:00 talk as well. So lots of cool data, but if we wanted to take a very particular take on this and say, well, let's exploit some Cisco routers, how would we do that? Well, the tricky thing is Cisco routers are very fickle about how you exploit them: you have to get the hardware version right, you have to get the firmware version right, you have to know what image is running, you have to get all this very precise data to reliably exploit them. But Cisco releases about 40 vulnerabilities a year, 40 advisories a year
overall. How often do most people flash their routers? I'm guessing never. They sit out there till they go away and you replace them with something else. So if you look at the scan of every router on the internet that had SNMP open, and then map that to the vulnerability database of what advisories affect what particular version... so I basically just stole the Nexpose code and used that to scan our SNMP database, and used that to basically match against it, and found that on average most routers have at least 60 unpatched flaws across the internet in general, which is not really surprising. But the most exploitable version of IOS in production right now is IOS 12.2,
so 12.2 is the first version that had enough features, that had enough vulnerabilities, and never got patched enough that it's still the most widely exposed version of Cisco IOS out there. It's different from the most common version of IOS, but it's the one with an average of about 95 vulnerabilities per machine with Cisco IOS 12.2. So if you have a Cisco IOS 12.2 box you should probably think about patching it. So if we're trying to tune an exploit to work on Cisco IOS we really have to know lots of magic numbers: we need the hardware information, the RAM specifications, runtime configuration, IOS version, the build names. You
find some really crazy stuff with the build names because Cisco likes to do a lot of one-off compiles for different ISPs, so you see like, this was built for a custom CIA intercept project by this engineer at Dell or this engineer at Cisco, in the actual Cisco SNMP version info coming back. So grepping this database for CALEA or law enforcement was really fun, to see what came back as custom build information. So we're trying to find what was the best target to exploit: if I wanted to hack as many Cisco routers as I possibly could in the shortest amount of time, what's the version of Cisco IOS I should care about that's most widely
exposed, I can easily find, easily fingerprint. So looking through all the stuff trying to find out what the best configuration was, it ended up being version 12.4(15)T7. There's over 12,000 routers with that particular version, and the next version down is just around 6,000, and they kind of taper off pretty quick, so there's a very small number of Cisco IOS versions out there that are really popular. And these are scattered across the entire world; if you search for the string in the UI you'll see the global distribution is pretty wide for this thing. As this kind of tapers off you see there's a bunch of 12.2, so you know we talked about 12.2
being one of the worst versions out there. This particular version, 12.2(52)SE, has about 6,000 boxes sitting out with that version, and these are only Cisco devices with SNMP exposed with public. I'm actually running a scan right now that we'll talk about at 5:00, which is which of these have private, and if you're familiar with Cisco IOS and SNMP and private strings, private lets you retrieve and overwrite the configuration file of the device remotely, including all the passwords. So we'll get some good stats on that in a little bit, just waiting for the scan to finish. So if you want to play around with it while we go through this, that's
the URL for it, and then we'll do some questions, some demos, things like that. Looks like I've got plenty of time to go through it. Awesome. All right, so while I switch gears, any questions offhand?
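As an added illustration, not code from the talk or from the speaker's scan portal: the two kinds of slicing the talk does over a scan dump, counting the Cisco IOS versions seen in SNMP sysDescr banners (and rolling them up by release train) and listing MAC addresses shared across many hosts, which is the reason a MAC cannot be trusted as a unique forensic indicator. The sample records, the regex and the function names are all constructed for this example.

```python
"""Added example, not from the talk: summarise a constructed scan dump the
way the talk does, i.e. which Cisco IOS versions are most exposed over SNMP
and which MAC addresses are shared by many hosts (so cannot be unique IDs)."""
import re
from collections import Counter, defaultdict

# Constructed sample records (ip, mac, snmp_sysDescr); not real scan data.
SAMPLE_RECORDS = [
    ("198.51.100.10", "00:1a:2b:3c:4d:5e",
     "Cisco IOS Software, C2800 Software (C2800NM-ADVIPSERVICESK9-M), "
     "Version 12.4(15)T7, RELEASE SOFTWARE (fc3)"),
    ("198.51.100.11", "00:1a:2b:3c:4d:5f",
     "Cisco IOS Software, C3750 Software (C3750-IPBASEK9-M), "
     "Version 12.2(52)SE, RELEASE SOFTWARE (fc3)"),
    ("198.51.100.12", "00:00:00:00:00:00",
     "Cisco IOS Software, C2800 Software (C2800NM-ADVIPSERVICESK9-M), "
     "Version 12.4(15)T7, RELEASE SOFTWARE (fc3)"),
    ("203.0.113.5", "00:00:00:00:00:00", "Linux host 2.6.32 #1 SMP x86_64"),
    ("203.0.113.6", "00:00:00:00:00:00", "Linux host 3.2.0 #1 SMP x86_64"),
    ("203.0.113.7", "00:1a:2b:aa:bb:cc",
     "Cisco Internetwork Operating System Software IOS (tm) C2600 Software "
     "(C2600-IK9O3S3-M), Version 12.2(8)T5, RELEASE SOFTWARE (fc1)"),
]

# Matches the "Version 12.4(15)T7" token Cisco puts in sysDescr.
IOS_VERSION_RE = re.compile(r"Version (\d+\.\d+\(\d+\)[A-Za-z0-9]*)")


def ios_version(sysdescr):
    """Return the IOS version string from a sysDescr banner, or None."""
    if "IOS" not in sysdescr:
        return None
    m = IOS_VERSION_RE.search(sysdescr)
    return m.group(1) if m else None


def ios_train(version):
    """'12.4(15)T7' -> '12.4': the release train the talk groups by."""
    return version.split("(")[0]


def ios_version_counts(records):
    """Exposed IOS versions with host counts, most common first."""
    counts = Counter()
    for _ip, _mac, descr in records:
        version = ios_version(descr)
        if version:
            counts[version] += 1
    return counts.most_common()


def ios_train_counts(records):
    """Same data rolled up by release train (the talk's '12.2 is the worst' view)."""
    counts = Counter()
    for version, n in ios_version_counts(records):
        counts[ios_train(version)] += n
    return counts.most_common()


def shared_macs(records, min_hosts=2):
    """MAC addresses seen on min_hosts or more distinct IPs. Anything listed
    here is useless as a unique identifier; check a MAC against such a list
    before treating it as a forensic indicator."""
    hosts = defaultdict(set)
    for ip, mac, _descr in records:
        hosts[mac.lower()].add(ip)
    return {m: sorted(ips) for m, ips in hosts.items() if len(ips) >= min_hosts}


if __name__ == "__main__":
    for version, n in ios_version_counts(SAMPLE_RECORDS):
        print(f"{n:>3}  IOS {version}")
    for mac, ips in shared_macs(SAMPLE_RECORDS).items():
        print(f"{mac} shared by {len(ips)} hosts: {', '.join(ips)}")
```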
Great. So here's a version of the portal. Let's see, this one's got IPs in it, but if your IP shows up here, sorry, it's got everything in it, so you're not special. So here's 135 million machines in this particular dump of the database. Here's the global distribution count across the globe for which IPs were where; the US was the heaviest in terms of concentration. So if you mouse over stuff you'll see, hey look, we've got around 30 million machines in the US that were found by the scan. So lots of cool stuff you can find, and I'll do one, I'll use one of my... let's see,
here's one I like: "hacked by". So here's the distribution of machines that have the string "hacked by" in one of their banners sitting out there, and you can see there's 3,600 of them, mostly US but a pretty wide distribution across the world. And there's lots of cool things in here, like you can go through and find, let's see, "hack PC", "hack by"... let's see, so this guy named TigerMate apparently hacked everything on the planet and no one really noticed. Then you've got "you're hacked just for fun", things like that. So all kinds of fun data you can just grab out of this thing. Some other fun keywords to look for are things that are very
industry specific, so looking for SCADA for example, like who actually cares about SCADA and who's got machines named something SCADA related, and hopefully someone won't kill the server while it runs. There we go, so 1,000-ish machines that have SCADA someplace, but concentrated in the US very much so, but definitely everywhere too. If we look through, let's see, a couple of other terms I want to look at, like CALEA is a good one. Is anyone familiar with CALEA? All right, so CALEA is the law that lets law enforcement tap ISPs, and so you look for the distribution of services. This is where things get really funny: hey, how come there's this little black
dot in Europe? Who really cares about CALEA in Europe that's not the US? Like US, Canada show up of course, but what's this little dot? It's Romania. So Romania is hardcore with their CALEA gear and all the stuff they have around CALEA; they either have CALEA in the banner of a website or they have a system named CALEA-something. As we dig through it you'll see... I don't want to go too deep in this one because there's some really awful crap in this list, but we'll go into that one later on. Let's see, any other requests for things you want to look for? Look for... BSides? Probably not much of anything. Seven
hosts in the US, looks like we got a little bit in South America too, Argentina, there we go, oh, Ukraine too, looks like it. Cool. Anyway, so fun stuff. I'm really short on time, and I'm surprised, because I took way too long otherwise, but I've got lots of fun data to go through too. Ah, that's the password you want to see, there you go. That password doesn't work by the way, I actually tried it, it didn't work, I had to go get the real password later on, so it's a fake one. Sorry. Root and a hash? Talk about that a little bit? I'll do you
one better, I'll just do "shell" and then pound. See, hopefully this will show
up. We'll dig into that one more at 5 o'clock, I've got a bunch of examples for that one later. Any other questions for this particular scan? Anything else? Awesome. Well, I finished early, which I'm sorry about, and it means you can drink more in between, so I'll leave you there. Thank you very
much. You want to do a giveaway? Oh great, thanks. Hang on, we've got some giveaways. I've got a couple of questions. Francisco, and these Samsung Galaxy 3 and iPhone 4S. Awesome, great. All right, so I've got a couple of trivia questions. So can anyone tell me what the three-byte prefixes are for VMware's MAC addresses, both of them, both ESX and Workstation? What's the second one? No. What's the second one? What's the Workstation and ESX? They have two different prefixes. Anyone else? All right, you got closest, so here you go. Sorry. All right, anyone else? If you found port 17185 on the internet, what is
it? There we go. Quick one, sorry. All right, you don't want an iPhone? Okay, I think, go t-shirt. Ah, here you go. All right, if
you were trying to guess between how many machines on the internet ran Vista with SNMP exposed, or ran Windows NT 3.51 with SNMP exposed, or Windows NT 4.0, do you think there'd be more NT, more 3.51, or more Vista machines on the internet? 4.0. Who was first with 4.0? Here you go. You want a phone, or an iPhone cover, or a shirt? Shirt, okay, here you go. All right, I've got two more to go. Let's see, your mother. "Your mother", that was just common knowledge. If you can give me your mother's name and it returns more than 10 hits in the search portal you get a t-shirt. Robin? Robin, all right, well, full name and
maiden. [Laughter] Actually, let's see, trying to give me their questions offhand... Can anyone define what an inter-packet gap is? Oh, inter-packet gap as it relates to sending packets on Ethernet networks that are IP, like if you're trying to send a thousand packets per second, what does inter-packet gap tell you about your traffic and what does it mean you have to change with your rate limiting? All right, never mind, that's a... sorry, no. It's the hardware-level delay you have to account for that actually takes up phantom bandwidth on the network. If you're looking for the most common, let's say, what's the most common SNMP
service in Brazil by
vendor? Fos? No. Okay, that one's easy, it's actually UCD-SNMP version 4.1.2. Let's see, if you're trying to find, let's see, what's... to guess this thing, how many F5 Networks machines are on the internet right now, and just high, you know, over/under, how many? 35,000. Anyone else want to bet over/under on that? Over 35,000, yeah. Anyone for under? Under, under. Let's see. You realize there's people spinning up machines,
hopefully this server doesn't die on us here. It's not that hard, this box is tiny, it's got like eight gigs of RAM. There we go, so yeah, 2.1 million. So who was over? Ah crap, we have one shirt left and one iPad cover, what do you prefer? You're closer, there you go. All right, sorry. Thanks, thanks again guys, appreciate it.