From: Javier Fernández-Sanguino (jfernandez@germinus.com)
Date: Thu Jan 25 2007 - 04:14:30 EST
Alcides dijo:
> Hi List,
> I'm presently working with a semi-government ISP as a security consultant.
> The ISP has provided Internet access to the customers via phone lines,
> it's DSL.
The ISP managers seem to be clueless. The issues you described were
fixed by DSL ISPs in most locations a long time. Basicly it reduces to this:
a) If you put computers in the same VLAN then they can talk between
themselves.
b) If some of those computers gets compromised, the compromise can
spread to the other computers.
Some ISPs will put all their customers in a single VLAN with public
addresses but will have switching fabric that will prevent customer A to
talking to customer B, they can only send traffic to their gateway and
not to anyone else. Of course, this works fine if we are talking about
residential customers (they don't need to speak between themselves) but
no so much for corporate customers (which need to).
> The customer is given q DSL router as a CPE. ISP people configure it
> with 2 IP addresses; one local and one global, and implement NAT for
> security. And the router is configured using both ie Global/Private IP
> address in a browser.
Routers should never be configured to be remotely managed using global
(I guess you mean "public") IP addresses. Never. Period.
> I recently have been asked to find out loopholes in the mentioned system
> where the customer's privacy is not taken care or can be compromised.
I don't understand this line. Is customer's privacy important or not?
> Now when I started my activities impersonating a normal customer, I
> found that:
> 1]I can nmap and discover open ports on my and neighboring IP addresses.
That's because they have an unrestricted VLAN. They shouldn't do that.
They should setup private VLANs.
> 2] This included HTTP, HTTPS, FTP, SMB, NB-SSN etc services listening
> for incoming connections.
Why are those ports even available through the router? They should be
firewalled out. Is there any need for users to, for example, share
folders across that network?
> 3]When I try to connect to some customer's HTTP port, I'm taken to
> his/her DSL-router(CPE) config. page, Configuration password is asked
> but is blank.
Two issues here:
- DSL-routers should not allow management from external ports
- DSL-routers should not be installed with factory defaults (blank
passwords)
> Now my questions:
> 1]What kind of tests can be carried out in order to find out what level
> of access can other customers gain and
There's lots of things you can do. You can
a) configure a DSL-router of another customer to send *you* its traffic
(setting your public address as its gateway). Then configure your router
to act as a bridge (some allow this) and handle the traffic by a system
sitting behind the router that would capture all the traffic and forward
it to the legitimate gateway. Acting as MITM you can modify network
flows in order to substitute legitimate files downloaded from the
Internet with trojans to compromise the system.
b) try to access remotely the shares of users running Windows can be
accessed (if they allow null IPC$ mapping, have insecure passwords,
etc.). If you can do this and you can write to disk you can probably
plant trojans that will eventually compromise the system.
c) configure the DSL-router of other customers to map public ports to
internal hosts in order to access (from a public host) additional
servers that could be (remotely) compromised. Depending on the systems
and software behind the DSL router you might get acess to VNC services,
Terminal Services, etc.
> 2]What degree of impact can it have as far as the privacy of the
> customers is considered.
I'd say you have all the elements needed to compromise *any* of the
customer computers. It might take some (fun) work but, on the paper, it
certainly looks doable.
Regards
Javier
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:33 EDT