Black Hat OSPF Vulnerabilities

August 31st, 2011

This year at Black Hat, some researchers presented some new ways to inject routes into an OSPF network. I will not go into much technical detail on how they were able to do so but at the very beginning of the talk they made it clear that these methods assumed that the attacker already had the md5 authentication key. After the talk was over, I talked to multiple people about it and was completely surprised at how all of them were brushing it off or playing it down. From just the arguments against the talk, I can conclude that

  • If administrators are not using an authentication key then there are other serious problems
  • A simple authentication password is sufficient to stop attackers
  • We haven’t seen it used in the wild so we don’t need to worry

I think that is total and utter bullshit and here is why.

If administrators are not using an authentication key then there are other serious problems:
I am not going to disagree with that at all. It is super easy to turn on the authentication key and there should be no excuse for any semi-competent network administrator not to have done so, but we cannot assume that, because not everyone has. I can say specifically from my experience in the Network Technical Support realm that 9.8 times out of 10, when walking someone through setting up OSPF on their device, they specifically tell me not to set up an authentication key and to enable OSPF on all interfaces. This could be anything from wanting to see it working with the path of least resistance all the way to not thinking authentication was necessary. Also, every time I went to troubleshoot an OSPF network, I never once saw it enabled. Please keep in mind that I have worked with some very LARGE companies with big teams dedicated to administrating their network and securing it.

A simple authentication password is sufficient to stop attackers:
I spoke with one friend who specifically stated, “I got up and left once they said they assumed you already had the key.” With all the preaching about how easy it is to abuse passwords and how we need a better system because passwords suck, I would have expected to hear a different response, because that’s all the authentication key is: a password. We have been cracking passwords for a long, long time now, and there has even been a very successful contest at Defcon the past few years aimed at cracking as many passwords as you can in 3 days. You will be amazed to see how many passwords they crack every year. In essence, it isn’t hard to crack a password these days. If you throw a team of Nvidia GPUs at the problem, it can be solved in no time. Also, don’t forget about the speed of using rainbow tables. Oh, and there are also web-based services revolving around cracking passwords. If there were not already a plethora of options for cracking passwords, here is a shot of me brute-forcing an OSPF authentication key with loki.

And since I am doing this just to prove a point and don’t want to wait for the brute force to complete, here is a shot of me successfully getting the authentication key via a wordlist.
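To make the two points above concrete, here is an added example (my own code, not from the post or from loki) that builds constructed OSPF Hello packets and classifies what authentication each one carries. The MD5 digest construction follows RFC 2328 Appendix D; the router ID, area, key ID and key are sample values.

```python
import hashlib
import struct
from typing import Optional, Tuple

# OSPFv2 AuType values from the packet header (RFC 2328, Appendix D)
AU_NULL, AU_SIMPLE, AU_CRYPTO = 0, 1, 2


def ospf_md5_digest(packet: bytes, key: str) -> bytes:
    """Keyed MD5 as OSPF uses it: MD5(packet || key zero-padded to 16 bytes).
    No secret beyond the key enters the hash, so one captured packet lets
    anyone test candidate keys offline: the key is only as strong as a
    password (RFC 2328, D.4.3)."""
    padded = key.encode()[:16].ljust(16, b"\x00")
    return hashlib.md5(packet + padded).digest()


def build_hello(router_id: bytes, area_id: bytes, key: Optional[str] = None,
                key_id: int = 1, seq: int = 1) -> bytes:
    """Constructed Hello for a /24 broadcast segment (sample data, not a
    capture). With a key: AuType=2, key id, digest length and sequence number
    in the auth field, and the 16-byte digest trailing the packet."""
    body = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", 10, 0x02, 1, 40,
                       bytes(4), bytes(4))
    length = 24 + len(body)
    if key is None:
        autype, auth = AU_NULL, bytes(8)          # auth field unused
    else:
        autype, auth = AU_CRYPTO, struct.pack("!HBBI", 0, key_id, 16, seq)
    # checksum left 0: not computed for AuType 2, not needed to classify
    header = struct.pack("!BBH4s4sHH8s", 2, 1, length, router_id, area_id,
                         0, autype, auth)
    packet = header + body
    if key is not None:
        packet += ospf_md5_digest(packet, key)
    return packet


def classify_auth(wire: bytes, key: Optional[str] = None) -> Tuple[str, bool]:
    """Return (auth mode, digest verified) for one OSPF packet off the wire.
    'null' and 'simple' (8-byte cleartext password) are the settings the post
    says admins leave in place; 'md5' verifies only when a key is supplied."""
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    if autype == AU_NULL:
        return "null", False
    if autype == AU_SIMPLE:
        return "simple", False
    if autype == AU_CRYPTO:
        if key is None:
            return "md5", False
        digest = wire[length:length + 16]
        return "md5", ospf_md5_digest(wire[:length], key) == digest
    return "unknown", False
```

Run over real captures, anything classified as "null" or "simple" is an adjacency that accepts routes from whoever can reach the segment, and "md5" is exactly as strong as the wordlist resistance of the key behind it.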

We haven’t seen it used in the wild so we don’t need to worry:
Out of any of the responses I have heard, this is the most absurd. I don’t feel I should have to say this to anyone involved in the Security Community but here it goes anyway.

Just because you haven’t seen it does not mean it is not currently or will never be exploited.

If I have to explain this then please give up reading anything else I have to say for the rest of time.

I think this is a very viable attack method that everyone else has been discrediting and playing down when they shouldn’t be.

Black Hat Briefings Day 2

July 30th, 2010

I unfortunately was not able to do very much at Black Hat day 2 due to having a ton of work to do to actually make sure the con didn’t fall apart. Mainly I got stuck helping distribute Defcon badges. It was the first time they have actually given out Defcon badges at Black Hat. I did get to see the keynote though. Day 2’s keynote was (in my opinion) 100x better than Day 1.

Again, this speaker was obsessed with the word “cyber,” but he actually used it where appropriate and where it made sense. As he was from a military background, he was talking about how the military has four domains (land, air, water, space) and they are all made by God (or exist naturally if that is what you prefer), but there is a new domain that they have to take into account that is made by man. This is the “Cyber” domain. The key difference between these domains is not only natural vs. unnatural: you can generally apply the same techniques across the 4 natural domains, but that is not true in the Cyber domain.

I am not going to go into a full detailed analysis of his talk, but there was nothing that I disagreed with and I thought he was absolutely spot on. Again, I am not sure if I will return next year for the briefings or if I will just go ahead and hit up B-Sides. We will just have to see what happens as it is another full year away.

Black Hat Briefings Day 1

July 28th, 2010

For anyone interested, here is the schedule of the talks I attended today at Black Hat and the ones I plan on going to tomorrow. I will go ahead and post my thoughts and opinions on the various talks.

Started out the day like most conference attendees at the Keynote. The keynote was given by some chick from the DHS. Overall opinion: it was pretty lame. She started right off the bat by saying she wasn’t a part of the security community, and it became very apparent, along with her lack of any technical knowledge. I don’t expect her to be “super uber 1337 h@x0R” but to have some knowledge of what she was talking about. She kept relating everything to the Army and had a fetish for the word “cyber-space”; I would not be surprised to see the word “cyber-space” in the transcript more than 30 times. After the disappointment of the Keynote, I made my way down to go see “WPA Migration Mode: WEP is back to haunt you…”

I was hoping “WPA Migration Mode: WEP is back to haunt you…” would be some new tech for cracking WPA but didn’t really know what to expect due to the lack of media coverage. As it turns out, Cisco has this migration mode for when you are moving from WEP to WPA that allows both to be used simultaneously and then just bridges the two together. The entire premise of the talk was that people forget to turn this mode off after fully migrating and thus are still accepting WEP connections. Although it was not a bad talk, it did not deserve a slot at Black Hat as it only applies to people who

A) Use Cisco wireless gear
B) Try to migrate between WEP and WPA softly
C) Are dumb enough to forget to change it.

Now, I do not have any personal look into the market and what organizations are doing with their wireless infrastructure but I would imagine that it would be fairly small. In any case, once you find out that they are still accepting WEP connections, it is just business as usual by cracking WEP. I do have to give them a little more credit though. They wrote a patch for aircrack that allowed it to crack this way as it wouldn’t crack it due to a limitation it has for TKIP.

After the WPA stuff I headed down to “Balancing the Pwn Trade Deficit” by the guys at Attack Research. This talk was all about the Chinese hacker scene. It was a really unique talk as they did not take the position of China bashing like it seems the rest of the industry does, and I must say I loved it. They talked about the cultural differences, as you can very clearly see it in their source code where they name things such as variables and functions with J-Pop lyrics. They spent the majority of the time talking about Chinese malware and exploit generators. Going into the talk, I had some small idea about how sophisticated some pieces of malware are, such as the zeus-bot, but I was almost dumbfounded by things such as 24/7 support over phone and QQ (Chinese equivalent to ICQ) as well as having to have active accounts with the creators in order to generate an exploit. In the end, it came down to the fact that the Chinese scene is just like the one here in the States, where they have the white/black hat classification as well as similar targets and motivations.

Next up was the talk of the year: Mr. Barnaby Jack with his talk on Jackpotting Automated Teller Machines. Got a nice cozy seat up front due to the Blackhat jersey. He began by saying that it is not all about the payoff; it is about the journey to the payoff. He went through with us some of his first attempts at getting access into the ATMs using JTAG interfaces and having to get explorer.exe to execute on it (as they all run Windows CE). Once this was demonstrated, he showed us the tool he created for exploiting the ATMs, called Dillinger, where you simply connect to the ATM on its management port. Once you can connect to it, you have the choice of testing the exploit, uploading his rootkit, resetting to defaults, retrieving credit card track data, or jackpotting it (photo here). It was incredibly entertaining to see the money fall out of the ATM while it was playing a shitty MIDI song. It was absolutely fantastic and left me with my opinion confirmed that he is just a bad-ass.

Now, I decided to go to one of the most brutal talks I have ever seen. I went and saw “Harder, Better, Faster, Stronger: Semi-Auto Vulnerability Research” by the SourceFire VRT guys. As I am not really good at any type of coding or vulnerability development, a lot of it went way over my head, but they did introduce a tool that looks like it could almost revolutionize that space.

Last talk of the day was the other one that got a lot of hype: “Getting In Bed With Robin Sage”. The basic premise was that he got this hot chick’s picture and posed as a chick in the security industry. Apparently in the end he was able to get job offers from the likes of Google and Lockheed. This was hands down the worst talk I have ever seen in my entire life. The speaker was so incredibly disorganized that he could not stick to his own slides and spent most of the time getting into it with Chris Nickerson and browsing his file system, taunting people with pictures of incriminating emails but never actually opening them to show people. It was so bad that about half of the people got up and left halfway through, and one guy had to ask him what exactly he did, as he never explained exactly what happened and what he did. At that point, I had to get up and walk out as well.

All in all, it was a little above average. There were some awesome talks but some real downer talks as well. We will see what happens tomorrow, but I am thinking I may have to just do the whole BSides thing next year.

Another year of Black Hat/Defcon

July 21st, 2010

Black Hat and Defcon are upon us again this year. This means nothing more than covering miles of ground during setup and tear down of training classes and briefing rooms, followed by epic parties with free booze supplied by several top names in the industry. Just to set the record straight, I don’t go for the parties or the free room in Caesars for a week and a half; I go because I always learn so many new things and come away inspired. I am super excited and can’t wait to get there.