This repository was archived by the owner on May 20, 2024. It is now read-only.

Hackathon Security Track

jazvw edited this page Apr 18, 2015 · 5 revisions

Intro

This page describes the security track at the Hackathon and should give you a starting point to get hacking during this day.

Goal

The goal of today is to find as many security problems and capture them such that they can be patched (by you, Prpl, OpenWRT, OpenWireless, Jack Bauer, etc.) If you find something, please write it down in your team page (see below). If you don't, it's been a fun day, we enjoyed having you around, but your contribution to the project is in /dev/null.

Organizational stuff

Team forming

In the morning there will be a team forming session. This will allow us to get some productive teams together. Our suggested team formation is 1-3 people, with at least 1 experienced person. If you missed the session, either walk around to find someone or give Slack a try.

Communication

Slack has a #securitytrack channel where we encourage all security teams to hang out.

Setting up

Software and hardware setup should just be a default OpenWireless setup. Go to the (physical) helpdesk or Github page for further details.

Team page template

To capture all teams and information they gathered, we are hosting Wiki pages on Github. Now, we don't want to explicitly authorize all of you, so we'll give you Owner access such that you can add your private Github account as collaborator. You can use this login:

Username: openwirelesshackathon
Password: will be written on the whiteboard in the lounge

In detail:

  1. Login as owner with details above
  2. Add your private GitHub account as a collaborator (push rights)
  3. Log out as owner, then log in with your private GitHub account
  4. Go to https://github.com/openwirelesshackathon/SecurityTrack/wiki to 'register' your team and create a link to your team page.

With great power comes great responsibility. We are very aware you can fsck up the wiki with that admin account and give everyone a bad day.

Hacking away and asking for help

Again, have a look at Slack, but also the getting started section below. There are seasoned devs and security analysts around, and core OpenWRT/prpl folks.

Presenting your results

You can use the team wiki page to keep notes; just wrap a nice bow around it by the end of the day so that others may pick up where you left off. At the end of the day, we'll have 2 minute pitches. This is where you can brag on what you did and what you found.

Additional challenge with prize!

There is an ongoing contest for root. The subgoal here is to show that root cannot be easily achieved on the router. The first team to show Robert van Spyk (Riscure) a working root exploit can pull a BTC wallet and will win $50 in BTC!

Gettin' hackin'

The main security objective of the router is to protect the confidentiality, availability and integrity of the different network segments (LAN, WAN, Private and Public WiFi) from various attackers. The two sections below describe the different attack vectors and what an attacker shouldn't be able to do, and interesting targets to look at.

Attack vectors

This section describes the different vectors an attacker could pick, and what he/she shouldn't be able to do from each of them.

There are a few classes of initial attack vectors:

  1. Remote : Only way to interact with the router is the WAN link
    1. Should not be able to access the admin login page
    2. Should not be able to access any daemons running on the router
    3. Should not be able to initiate contact with any of the devices connected to the router (on LAN, Private WiFi or [[http://Openwireless.org][Openwireless.org]])
  2. Proximate: Can interact with WiFi or has the ability to plug into the LAN, in addition to (1)
    1. All remote attacks
    2. Should not be able to get onto the PrivateWiFi or LAN (with or without getting on [[http://openwireless.org][openwireless.org]])
    3. Proximate attackers on [[http://openwireless.org][openwireless.org]] shouldn't reach devices on PrivateWiFi or the LAN
  3. LAN/PrivateWifi connected; e.g. a legitimate user's computer has been owned, or through a reflection attack. Assume router password hasn't been sniffed.
    1. All remote and proximate attacks, but from a more privileged machine
    2. E.g. an attacker running a malicious website on the public Internet, trying to use XSS, CSRF, or similar attacks that use the router admin's logged-in session to change settings in the admin UI.
  4. Physical: Has physical access to the router in addition to (2)
    1. All remote, proximate attacks, LAN/PrivateWifi attacks
    2. Use switches or buttons or the USB on the router to read any data on the router or gain root
    3. OpenWireless does not currently run on secure hardware, so this class of attackers is not protected against.
  5. Stepping stone vuln: an attacker has been able to get unprivileged code execution on the router, but wants to become root.

Interesting targets

The following have been identified as interesting starting points for your security analysis. Each point will give you some hints as to what you may be looking for.

Admin interface

  • Implemented on lighttpd with Python
  • Using JSON-RPC for communication
  • Analysis possibilities:
    • Poke around in a shell
    • Source code analysis
    • grep 'sudo' or other interesting commands
    • Check dataflow, e.g. with the Firefox TamperData plugin
    • Any of https://www.owasp.org/index.php/Category:Attack
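A small helper for the "grep 'sudo'" and "check dataflow" steps above, added here as an example and not part of the hackathon project: it walks a Python source file with the standard `ast` module and reports calls into shell/process sinks that either pass `shell=True` or build the command at runtime. The handler in `SAMPLE` is constructed for the demonstration, not the real admin backend.

```python
import ast

# Calls whose first argument becomes a shell command line or a process to spawn.
SHELL_SINKS = {"os.system", "os.popen", "subprocess.call", "subprocess.check_call",
               "subprocess.check_output", "subprocess.run", "subprocess.Popen"}

def _dotted_name(node):
    """Turn the func part of a Call (e.g. subprocess.run) into 'subprocess.run'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_shell_sinks(source):
    """Return sorted (line, sink, reason) tuples for every sink call that either
    passes shell=True or builds its command at runtime instead of from a literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name not in SHELL_SINKS:
            continue
        if any(k.arg == "shell" and isinstance(k.value, ast.Constant)
               and k.value.value is True for k in node.keywords):
            findings.append((node.lineno, name, "shell=True"))
        elif node.args and not isinstance(node.args[0], (ast.Constant, ast.List, ast.Tuple)):
            findings.append((node.lineno, name, "command built at runtime"))
    return sorted(findings)

# Constructed handler in the style of a Python admin backend; not the project's code.
SAMPLE = '''import os, subprocess

def set_ssid(params):
    ssid = params["ssid"]
    os.system("uci set wireless.@wifi-iface[0].ssid=" + ssid)
    subprocess.call(["uci", "commit", "wireless"])
    subprocess.check_output("sudo wifi reload", shell=True)
'''
```

Every hit still needs a manual look at where the argument comes from (a JSON-RPC parameter is the interesting case); the list-form `subprocess.call` on the second line is the pattern to aim for when patching.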

Any OpenWRT packages

  • Find out what packages are installed:
    • Check out the source code
    • OR SSH into the router and ask it (using "opkg list_installed")
  • Start browsing vulnerability databases to see if a package version is vulnerable:
    • https://web.nvd.nist.gov/view/vuln/search

Unprivileged Linux shell

Any daemons running on the target that have open ports (HTTP, DHCP, DNS, SSH, etc)

  • Same as above, look for vulnerable version for all running daemons

Any daemons running on the target that connect to the outside world (HostAPD, ...)

  • Hostapd handles all the 802.11 stuff, so it is an important proximity attack surface:
    • Check for flaws in message parsing
    • Check the WPS pin/button mechanism
  • Find out if there's a way to trick Hostapd into crossing over in to the private network from the public side
  • Hostapd is huge, find newly added code that's not commonly used or tested but still enabled in the build
  • Look for flaws in the openwrt patches on hostapd
  • Identify any other daemons that go outwards, and hack them :)

Network (Firewall rules (ipv4, ipv5, ipv6), routing table, mesh networking)

  • SSH into the router and read "/etc/config/network" and "/etc/firewall.user" (also try "ip -6 rule"):
    • Are there holes in the firewall, for any protocols?
    • How can it be improved (e.g. bogon or DoS blocking, defense in depth)?
    • The firewall is stateful, so perhaps it can be confused
    • Check out the kernel configuration in the source code to see which firewall modules are used
  • Set up VirtualBox with Kali Linux to use IPv6 pentesting tools such as the THC IPv6 toolkit
  • Mesh networks - abuse trust (find slides from security conference)
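To make the "are there holes in the firewall" question repeatable, here is an added example (not the project's code) that parses UCI-style firewall config and flags anything letting an untrusted zone reach the router or a trusted segment. The zone names `wan`/`public` and `lan`/`private` are assumptions, and `SAMPLE` is a constructed config in the syntax of /etc/config/firewall, not the real one from the device.

```python
import shlex

def parse_uci(text):
    """Parse UCI 'config'/'option' lines into [{'type': ..., 'opts': {...}}].
    Hand-written parser for this example, not OpenWRT's libuci."""
    sections, cur = [], None
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if parts and parts[0] == "config":
            cur = {"type": parts[1], "opts": {}}
            sections.append(cur)
        elif parts and parts[0] == "option" and cur is not None:
            cur["opts"][parts[1]] = parts[2]
    return sections

def audit_firewall(text, untrusted=("wan", "public"), trusted=("lan", "private")):
    """Flag config that lets untrusted segments reach the router or a trusted
    segment. The zone names are assumptions; adjust them to the real config."""
    findings = []
    for sec in parse_uci(text):
        o, t = sec["opts"], sec["type"]
        if t == "zone" and o.get("name") in untrusted and o.get("input") == "ACCEPT":
            findings.append(f"zone {o['name']} accepts all inbound traffic to the router")
        elif t == "forwarding" and o.get("src") in untrusted and o.get("dest") in trusted:
            findings.append(f"forwarding {o['src']} -> {o['dest']} bridges network segments")
        elif t == "rule" and o.get("src") in untrusted and o.get("target") == "ACCEPT":
            findings.append(f"rule {o.get('name', '?')} opens {o.get('proto', 'any')}/"
                            f"{o.get('dest_port', 'any')} from {o['src']} to {o.get('dest', 'router')}")
    return findings

# Constructed sample in /etc/config/firewall syntax; not the project's real config.
SAMPLE = """
config zone
    option name 'wan'
    option input 'REJECT'
config zone
    option name 'public'
    option input 'ACCEPT'
config forwarding
    option src 'public'
    option dest 'lan'
config rule
    option name 'Allow-SSH-WAN'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'
"""
```

Every line it prints is a review item, not automatically a bug (a DHCP rule from the public zone is expected), but a forwarding from the public WiFi into the LAN is exactly the segment crossing the attack-vector list says must not exist.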

Self-signed SSL certificate and entropy collection / key generation

  • Analyze the certificate from the router admin interface.
  • Is there any way to fake the certificate?
  • Aside from man-in-the-middle, does this allow any other attacks?
  • How does the router use random data, and if randomness were poor, are there vulnerabilities?

(Automatic) firmware updating

  • Some update metadata is polled over Tor
  • Check the parsing of that metadata
  • Check that the Tor connection is secure
  • Analysis possibilities:
    • Source code review
    • Spoofing a fake Tor entry point

Common targets for attack

This data comes from a field survey of common router vulns.

  • Cross-site request forgery (and stealing browser cache and cookies)
  • [[http://www.cnet.com/news/top-wi-fi-routers-easy-to-hack-says-study/][Default passwords]]
  • No requirement for an active management session
  • SOAP services
  • [[http://readwrite.com/2013/04/16/beware-the-wireless-router-security-threat][Logical vulnerability]] in exposed service