David López Paz - Global Warfare [RootedCON 2011]
TRANSCRIPT
![Page 1: David López Paz - Global Warfare [RootedCON 2011]](https://reader033.vdocuments.net/reader033/viewer/2022051610/54953810b47959962d8b5b19/html5/thumbnails/1.jpg)
Global Warfare
David López Paz
OH HAI!

(De)Motivation
- The importance of the Internet in real conflicts
- How to analyse the world's web
- Our approach: Hookle
- 0-days, a.k.a. botnets

The Internet as a medium of war
(NOT this kind of war)

Origins
- 1982: the Soviets need a SCADA system for their gas pipelines.
- Canada develops a SCADA system that the KGB is interested in.
- The CIA inserts a logic bomb into the Canadians' software.
- The communists steal the software from the Canadians.

Chinese Tales

Chinese Tales
- GhostNet
- Titan Rain
- Night Dragon
- Adobe
- 40 more...
SQLi
IE 0-day
Stuxnet

Stuxnet
- Initially attacks Windows systems via USB and the network.
- Contains... 4 0-days!
- Code-signed with certificate material stolen from Realtek
- Target: Iran's nuclear facilities

Wikileaks
- Not exactly cyberwar, although information is still the target.
- Cyber component, on the defensive side: DDoS

Conclusion: cyberwar exists
More info in Iftach Ian Amit's DEF CON 18 talk

Mass web attacks

Why?
- Because variety is the spice of life:
  - Server software: Apache, IIS...
  - Database software: MySQL, DB2...
  - User software: WordPress, TWiki...
- Out of convenience, the web is often a frontend to a critical service

What for?
- Botnets
- Intelligence extraction from databases
- Collateral damage
- Defacing / propaganda
- Phishing

Conclusion: we want lots of machines (resources), without caring who they belong to (information)

How do we start? By scanning the whole Internet looking for servers!

Host information
- Server software
- Accepted headers
- Operating system
- Server-side language
Probe: HEAD / HTTP/1.0

Host information
- User software
- Content type
Probe: GET / HTTP/1.0

Host information
- Public domain name
- TLD (e.g. ".gov")
- Company
Probe: DNS PTR request

Host information
- Country
- City
- Coordinates
Source: GeoIP database
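The four probes above (HEAD, GET, reverse DNS, GeoIP) each contribute a few fields of one host record. The Python below is an added example of that fingerprinting step, not Hookle's own code (the crawler in the talk was ANSI C with libcurl): it parses a constructed HEAD response, a constructed GET response and a constructed PTR name into the record the slides describe. The GeoIP lookup runs against a constructed in-memory table standing in for a real GeoIP database, the OS/language detection is a small regex over the Server and X-Powered-By headers, and the "domain" field uses a naive last-two-labels rule, which is wrong for co.uk-style registries.

```python
import ipaddress
import re

# Constructed sample data standing in for what the crawler receives from one
# host after "HEAD / HTTP/1.0" and "GET / HTTP/1.0"; none of it is from a real server.
HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 07 Mar 2011 10:00:00 GMT\r\n"
    b"Server: Apache/2.2.3 (CentOS) PHP/5.1.6\r\n"
    b"X-Powered-By: PHP/5.1.6\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
)
GET_RESPONSE = HEAD_RESPONSE + (
    b"<html><head><title>Blog</title>\n"
    b'<meta name="generator" content="WordPress 3.0.5" />\n'
    b"</head><body>hello</body></html>"
)
PTR_NAME = "www.example.gov."          # constructed reverse-DNS answer
GEOIP = {                              # constructed stand-in for a GeoIP database
    ipaddress.ip_network("192.0.2.0/24"): ("ES", "Madrid", (40.42, -3.70)),
}

OS_HINT = re.compile(r"\((Win32|Win64|Unix|Ubuntu|Debian|CentOS|Red Hat|Fedora|FreeBSD)\)", re.I)
LANG_HINT = re.compile(r"\b(PHP|ASP\.NET|mod_perl|mod_python|JSP)(?:/[\w.]+)?", re.I)
GENERATOR = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", "replace")


def from_head(headers):
    """The HEAD probe: server software, accepted methods, OS and language hints."""
    server = headers.get("server", "")
    os_hit = OS_HINT.search(server)
    lang_hit = LANG_HINT.search(headers.get("x-powered-by", "") + " " + server)
    return {
        "server": server,
        "allow": [m.strip() for m in headers.get("allow", "").split(",") if m.strip()],
        "os": os_hit.group(1) if os_hit else None,
        "language": lang_hit.group(0) if lang_hit else None,
    }


def from_get(headers, body):
    """The GET probe: user-facing software (generator meta tag) and content type."""
    gen = GENERATOR.search(body)
    return {
        "content_type": headers.get("content-type", "").split(";")[0].strip(),
        "user_software": gen.group(1) if gen else None,
    }


def from_ptr(name):
    """The PTR probe: public name and TLD. Naive last-two-labels rule for the domain."""
    labels = name.rstrip(".").lower().split(".")
    return {"ptr": name.rstrip("."), "tld": labels[-1], "domain": ".".join(labels[-2:])}


def from_geoip(ip):
    """The GeoIP lookup, against the constructed table above."""
    addr = ipaddress.ip_address(ip)
    for net, (country, city, coords) in GEOIP.items():
        if addr in net:
            return {"country": country, "city": city, "coords": coords}
    return {"country": None, "city": None, "coords": None}


def fingerprint(ip, head_raw, get_raw, ptr_name):
    """Combine the four probes into the single host record the crawler stores."""
    _, head_headers, _ = parse_response(head_raw)
    _, get_headers, body = parse_response(get_raw)
    record = {"ip": ip}
    for part in (from_head(head_headers), from_get(get_headers, body),
                 from_ptr(ptr_name), from_geoip(ip)):
        record.update(part)
    return record


if __name__ == "__main__":
    for key, value in fingerprint("192.0.2.10", HEAD_RESPONSE, GET_RESPONSE, PTR_NAME).items():
        print(f"{key:14} {value}")
```

Everything the record contains is volunteered by the host: the Server banner, the Allow list and the generator tag are exactly the fields a later banner search keys on, which is why turning them off (ServerTokens Prod, removing X-Powered-By and generator tags) shrinks what a crawler like this can learn without changing what the server is.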

Vulnerability information
- Regular expression over the affected headers.
- [Regular expression over the affected index pages.]
- [CVE URL]
- [PoC URL]
- [Exploit]
(bracketed fields are optional)

Component I: Crawler
- Many machines, one database
- Speed! POSIX threads, ANSI C
- HEAD is easy, GET is not: libcurl

Component II: Data
- MySQL
- Sphinx

Component III: Frontend
- PHP
- jQuery
- Google Maps API v3

14,000,000

14,000,000
- 250,000 hosts per day
- ~91 million per year
- 800 threads
- 2 machines
- 2 months at full capacity

14,000,000: this year
14,000,000: this month
14,000,000: by country
DEMO!

Features
- Search by IP, country, city, header, {index}, vulnerability, severity. >> Shodan!
- Wiki-like vulnerability management
- Wiki-like manager for exploits, PoCs...
- Live view

Vulnerability discovery with Hookle

Vulnerability discovery with Hookle
- Thousands of banners shouting: I'm vulnerable!
- They are easy to find in the Live View
- Hacking one banner = hacking 1k servers
- Resource-oriented hacking (this talk) != information-oriented hacking

First test: fun with printers
Server: Chai%
20113 units in Hookle

... or with webcams
Server: %AvTech%, %Av-Tech%
8096 + 9674 units

IIS 4/5 Unicode bug
Server: Microsoft-IIS [4,5].0
4098 + 131620 = 135718 units in Hookle
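The vulnerability entry format from earlier in the deck (a regex over the affected Server header, an optional regex over the index page, plus CVE and PoC links) and the banner searches in the last three slides are two views of the same lookup, so one added example covers both. The Python below is not Hookle's code: the host records and banners are constructed, the signatures are illustrative ones written for this example (the CVE link for the IIS Unicode bug is supplied here, not taken from the slides), and the LIKE-to-regex translation assumes the `%` in the slides' search strings is a MySQL LIKE wildcard, which the MySQL backend makes likely but the slides do not state.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed host records (Server banner + index snippet), not real scan data.
HOSTS = [
    {"ip": "192.0.2.1", "server": "Microsoft-IIS/5.0", "index": "<html>Under construction</html>"},
    {"ip": "192.0.2.2", "server": "Microsoft-IIS/6.0", "index": ""},
    {"ip": "192.0.2.3", "server": "AvTech", "index": "<title>Video Web Server</title>"},
    {"ip": "192.0.2.4", "server": "Av-Tech AV787", "index": ""},
    {"ip": "192.0.2.5", "server": "GoAhead-Webs/2.5", "index": "<title>Integrated Dell Remote Access Controller 6</title>"},
    {"ip": "192.0.2.6", "server": "Apache/2.2.3 (CentOS)", "index": '<meta name="generator" content="WordPress 3.0.5">'},
    {"ip": "192.0.2.7", "server": "RomPager/4.07 UPnP/1.0", "index": ""},
]


@dataclass
class Signature:
    """One Hookle-style vulnerability entry: a required regex over the Server
    header, an optional regex over the index page, and reference fields."""
    name: str
    header_re: str
    index_re: Optional[str] = None
    severity: str = "medium"
    cve_url: Optional[str] = None
    poc_url: Optional[str] = None

    def matches(self, host: Dict[str, str]) -> bool:
        if not re.search(self.header_re, host.get("server", ""), re.I):
            return False
        if self.index_re and not re.search(self.index_re, host.get("index", ""), re.I):
            return False
        return True


SIGNATURES = [
    # The slide writes the IIS banner as "Microsoft-IIS [4,5].0"; as a real regex the
    # class must be [45], since [4,5] would also match a literal comma.
    Signature("IIS 4/5 Unicode directory traversal", r"^Microsoft-IIS/[45]\.0", severity="high",
              cve_url="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0884"),
    Signature("RomPager 4.07 denial of service", r"RomPager/4\.07", severity="low"),
    Signature("Dell iDRAC web interface exposed", r"^GoAhead-Webs",
              index_re=r"Remote Access Controller|iDRAC", severity="high"),
    Signature("AvTech DVR/webcam exposed", r"Av-?Tech", severity="medium"),
]


def like_to_regex(pattern: str) -> "re.Pattern":
    """Translate a SQL LIKE pattern as typed into the banner search in the slides
    ('%AvTech%', 'GoAhead-Webs%idrac') into an anchored, case-insensitive regex:
    '%' matches any run, '_' exactly one character, everything else is literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.I | re.S)


def search_banner(hosts, like_pattern: str) -> List[str]:
    """The Live View search: IPs whose Server header matches a LIKE pattern."""
    rx = like_to_regex(like_pattern)
    return [h["ip"] for h in hosts if rx.match(h["server"])]


def find_vulnerable(hosts, signatures) -> Dict[str, List[str]]:
    """'Hacking one banner = hacking 1k servers': IPs grouped by matching signature."""
    return {sig.name: [h["ip"] for h in hosts if sig.matches(h)] for sig in signatures}


if __name__ == "__main__":
    for name, ips in find_vulnerable(HOSTS, SIGNATURES).items():
        print(f"{len(ips):4d}  {name}")
    print(search_banner(HOSTS, "%Av-Tech%"))
```

The index regex is what keeps a signature honest: a bare `^GoAhead-Webs` would flag every embedded device built on that web server, so the second regex narrows it to the product the entry is actually about. The same two-stage match is how a defender can run their own banner inventory against the same patterns before someone else does.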
“Trimble, now including Spectra Precision, is the government's largest manufacturer and supplier of surveying, leveling and grade control
systems. The U.S. Army, Marines, and Air Force choose Trimble products to ensure all construction missions are completed on time.”

Trimble GPS
254 units in Hookle!
DEMO!
ONE-ASP

Sun-ONE-ASP
5002 units in Hookle!

Default privileges: ROOT
DEMO!

Endless examples
Dell DRAC
Server: GoAhead-Webs%idrac
487 units
"Root execution"
Sun iLOM
Server: Sun-ILOM
627 units
"Root execution"

Endless examples
JBoss
Server: JBoss
15492 vulnerable units
Command execution

RomPager 4.07 denial of service
1,287,943

- Database optimisation
- Bringing up more machines ($)
- Public access to the tool?
- Collaboration on vulnerabilities/PoCs
This is just the beginning...