Post on 14-Mar-2021


Page 1

In this presentation we’ll cover the basics of Fiber Channel security.

Page 2

Page 3

So what’s wrong with this picture? First of all, the storage network is almost never included in the network diagram. After all, it’s not a network, it’s a storage thing, right? Which means that storage infrastructure is almost always ignored by PCI auditors, NERC and FERC assessments, and most security assessments, audits and pentests. But what do you call a system with 2 NICs? The proverbial wisdom is that you call a system like that a ROUTER. Me, I call that a TARGET.

Page 4

After all, in large part, all of the network and other security controls we work so hard to implement are there to protect the data. Implementing an unsecured data network just seems wrong, but here we are!

Page 5

Page 6

Vendor OUI prefixes:

QLOGIC:     CISCO:
00-1B-32    00-00-0C
00-24-FF    00-01-42
00-C0-DD    00-01-43
00-E0-8B    00-01-63
EMULEX:     00-01-64
00-00-C9    00-01-96
00-0A-33    00-01-97
00-0E-03    00-01-C7
00-10-9B    00-01-C9
00-90-FA    00-02-16
00-E0-D5    00-02-17
BROCADE:    00-02-4A
00-00-88    00-02-4B
00-01-0F    00-02-7D
00-05-1E    00-02-7E
00-05-33    00-02-B9
00-14-C9    00-02-BA
00-60-69    00-02-FC
00-60-DF    00-02-FD
08-00-88    .. and many more

Page 7

The WWPN and WWNN values can be used interchangeably in zoning. If WWNNs are used, the same zones can be used in two redundant fabrics (sets of Fiber Channel switches). However, mis-cabling will then still result in working connections, and redundancy can suffer, so WWPNs are normally the recommended approach. As switch ports are configured or different device types are connected, the port mode will change. The E-Port (switch-side) / N-Port (host-side) combination is normally by far the most common.

Page 8

To change the WWPN and WWNN of an Emulex HBA:

hbacmd ChangeWWN <Current WWPN> <New WWPN> <New WWNN>

Brocade and QLogic also support WWNN and WWPN changes, but not in the default driver CLI commands.

Page 9

Think of zones in Fiber Channel as analogous to MAC-address-based VLANs in Ethernet, or maybe more specifically, Private VLANs based on MAC address. The goal is that each node has access to the resources that it needs access to, and only those resources. However, since the target resources are normally SAN Storage Processor HBAs (SPs), these targets generally appear in all zones.

Page 10

The default zone ACL on Brocade switches is essentially a “default allow”. Brocade switches have a command, “zoneconfig --noaccess” or “defzone --noaccess”, which essentially says “unless you are in a zone that has access, you have no access” – in other words, a default deny mode. Without enabling this, the default allow stance remains even after all zoning occurs.

Page 11

Page 12

Page 13

As always, Cisco’s documentation has great examples:
http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/vsan.html

Page 14

From the diagram on our second slide, it’s pretty obvious that just segregating the Ethernet admin port of the Fiber Channel switch to a Management VLAN doesn’t isolate or protect the Fiber Channel ports themselves. So “Air Gap” might apply to the management port – in fact, many FC switches never get attached to a network or configured. Cisco MDS switches come with a PAA unit (Protocol Analyzer), which converts FC to FCIP (on Ethernet), which Wireshark will decode. Sniffing on Brocades is more the traditional source / destination port (though it’s tied to the 6-digit FC login ID). The Cisco PAA unit can be used with Brocade SPAN functions for decoding.

Page 15

Fiber Channel might have been cheap “back in the day”, but no more. A fully licensed 16 port 4Gbps switch can be had for under $1,000; a 2Gbps switch is in the $200-300 range. Name-brand 4Gbps HBAs can be had for $30-$100, depending on manufacturer, model number and the day. Openfiler makes a dandy SAN for experimenting – I’m still wrestling with how much production data I want to trust it with though, but that’s just me.

Page 16

Sniffing is fully supported on most Fiber Channel switches. Cisco MDS Fiber Channel switches come with a PAA unit (Port Analyzer Adapter), which encapsulates Fiber Channel frames within FCIP (on Ethernet), shown in Wireshark as “Boardwalk” encapsulation. Wireshark fully decodes the encapsulated Fiber Channel frames – a session login (FLOGI) is shown. “SPAN” (Switch Port Analyzer) is configured per port on Cisco switches:

interface fc1/1
  switchport mode SD
span session 1
  destination interface fc1/1
  source interface fc1/2 rx
  source interface fc1/2 tx

Sniffing on Brocades is more the traditional source / destination port (though it’s tied to the 6-digit FC login ID rather than the physical port). The Cisco PAA unit can be used with Brocade SPAN functions for decoding, exactly as on the Cisco switch. Of course, traditional FC taps and FC protocol analyzers can be used, but that’s a lot more expensive than a Cisco PAA on eBay!

Page 17

Page 18

Brocade switches have several default credentials. Fabric OS (FOS) has two default administrator credentials: admin / password and root / fibranne. The first is documented; the second one is well known but is NOT documented. In the older Silkworm OS, admin / brocade1 is also seen. BladeCenter chassis often use USERID / PASSWORD or PASSW0RD (with a zero) for everything, including the integrated Fiber Channel switch.

These passwords can be used against the default (unencrypted) administrative interfaces, offered up on telnet, ssh or http. HTTPS is not on by default. The SNMP community strings ‘public’ and ‘private’ are also enabled by default, with no access restrictions.

Cisco is not blameless in this either – the default ftp credentials ftpuser / nbv123 can be used to attain shell access in older NX-OS versions, and can be used as recovery credentials in a pinch.

Page 19

Page 20

Default services are listed below. Note the familiar Unix-like syntax. Of more importance though is the list of services – tcp/23 and tcp/80 are two prime targets. Note that UDP ports (SNMP in particular) are not in the list.

dcx01:admin> netstat -an | grep LISTEN
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN
tcp 0 0 10.246.200.10:897 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:809 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27246 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27247 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 :::6788 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::23 :::* LISTEN

Page 21

Running daemons as root is a huge no-no, something that’s been common knowledge for years (and years and years). In this case, if CDP runs as root, all you need to do is compromise CDP and you have root. Cisco helpfully documents a few CDP compromises in their bugtraq; googling for the CVE will find you working code. Cisco has a hidden GDB command, giving you debug access to any running process (and yes, “ps” works also). vsh is a documented command that gives you a virtual shell, meant for EEM scripting. More on EEM scripting for good and evil at:

http://www.sans.org/reading-room/whitepapers/tools/ioscat-port-netcats-tcp-functions-cisco-ios-33109
http://www.sans.org/reading-room/whitepapers/tools/iosmap-tcp-udp-port-scanning-cisco-ios-platforms-32964
http://www.sans.org/reading-room/whitepapers/malicious/iostrojan-owns-router-33324

Some of these issues are fixed in newer NX-OS, but many are part of the design. Reference Cisco bugs: CSCti03724, CSCti04026, CSCtf08873, CSCti85295

Page 22

dcx01:admin> snmpConfig --show snmpv1
SNMPv1 community and trap recipient configuration:
Community 1: SomeSecretC0de (rw)
Trap recipient: 10.246.72.12
Trap port: 162
Trap recipient Severity level: 4
Community 2: OrigEquipMfr (rw)
No trap recipient configured yet
Community 3: private (rw)
No trap recipient configured yet
Community 4: public (ro)
No trap recipient configured yet
Community 5: common (ro)
No trap recipient configured yet
Community 6: FibreChannel (ro)
No trap recipient configured yet

dcx01:admin> snmpConfig --show snmpv3
SNMP Informs = 0 (OFF)
SNMPv3 USM configuration:
User 1 (rw): snmpadmin1
Auth Protocol: noAuth
Priv Protocol: noPriv
User 2 (rw): snmpadmin2
Auth Protocol: noAuth
Priv Protocol: noPriv
User 3 (rw): snmpadmin3
Auth Protocol: noAuth
Priv Protocol: noPriv
User 4 (ro): snmpuser1
Auth Protocol: noAuth
Priv Protocol: noPriv
User 5 (ro): snmpuser2
Auth Protocol: noAuth
Priv Protocol: noPriv
User 6 (ro): snmpuser3
Auth Protocol: noAuth
Priv Protocol: noPriv
SNMPv3 Trap configuration:
Trap Entry 1: No trap recipient configured yet
Trap Entry 2: No trap recipient configured yet
Trap Entry 3: No trap recipient configured yet
Trap Entry 4: No trap recipient configured yet
Trap Entry 5: No trap recipient configured yet
Trap Entry 6: No trap recipient configured yet
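The dump above is the kind of thing worth checking on every switch in a fabric. This is an added audit script for this page (not Brocade tooling, not the presenter's code) that parses the snmpv1 and snmpv3 sections in the layout shown and flags read-write or factory-default communities and v3 users with no authentication or privacy; the three extra default names beyond public/private are an assumption about FOS factory configs.

```python
"""Audit a Brocade 'snmpConfig --show' dump for weak SNMP settings.

Added example for this page, not Brocade tooling.  It parses the snmpv1 and
snmpv3 sections in the layout shown above and reports v1 communities that are
read-write or carry factory-default names, and v3 users set to noAuth/noPriv
(which protects the agent no better than v1 does).
"""
import re

# 'public' and 'private' are the defaults the slides name; the other three
# are an assumption (names seen in FOS factory configs, and in the dump above).
DEFAULT_COMMUNITIES = {"public", "private", "OrigEquipMfr", "common", "FibreChannel"}

COMMUNITY_RE = re.compile(r"^Community\s+\d+:\s+(?P<name>.+?)\s+\((?P<mode>r[wo])\)$")
USER_RE = re.compile(r"^User\s+\d+\s+\((?P<mode>r[wo])\):\s+(?P<name>\S+)$")
AUTH_RE = re.compile(r"^Auth Protocol:\s+(?P<proto>\S+)")
PRIV_RE = re.compile(r"^Priv Protocol:\s+(?P<proto>\S+)")

def parse_snmpv1(text):
    """Return [(community, 'rw'|'ro'), ...] in the order listed."""
    out = []
    for line in text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if m:
            out.append((m["name"], m["mode"]))
    return out

def parse_snmpv3(text):
    """Return [{'user', 'mode', 'auth', 'priv'}, ...] from the USM section."""
    users, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = USER_RE.match(line)
        if m:
            cur = {"user": m["name"], "mode": m["mode"], "auth": None, "priv": None}
            users.append(cur)
        elif cur is not None:
            m = AUTH_RE.match(line) or PRIV_RE.match(line)
            if m:
                cur["auth" if line.startswith("Auth") else "priv"] = m["proto"]
    return users

def audit(text):
    """Return a list of human-readable findings for the dump."""
    findings = []
    for name, mode in parse_snmpv1(text):
        if mode == "rw":
            findings.append(f"v1 community '{name}' is read-write")
        if name in DEFAULT_COMMUNITIES:
            findings.append(f"v1 community '{name}' is a factory-default name")
    for u in parse_snmpv3(text):
        if u["auth"] == "noAuth" or u["priv"] == "noPriv":
            findings.append(f"v3 user '{u['user']}' ({u['mode']}) is {u['auth']}/{u['priv']}")
    return findings

def summary(text):
    """Counts used for a quick pass/fail across a fabric's switches."""
    v1, v3 = parse_snmpv1(text), parse_snmpv3(text)
    return {
        "rw_communities": sum(1 for _, mode in v1 if mode == "rw"),
        "default_communities": sum(1 for name, _ in v1 if name in DEFAULT_COMMUNITIES),
        "v3_unprotected": sum(1 for u in v3 if u["auth"] == "noAuth" or u["priv"] == "noPriv"),
    }

# Abridged copy of the dump above (constructed for this example).
SAMPLE_DUMP = """\
dcx01:admin> snmpConfig --show snmpv1
SNMPv1 community and trap recipient configuration:
Community 1: SomeSecretC0de (rw)
Community 2: OrigEquipMfr (rw)
No trap recipient configured yet
Community 3: private (rw)
No trap recipient configured yet
Community 4: public (ro)
No trap recipient configured yet
Community 5: common (ro)
No trap recipient configured yet
Community 6: FibreChannel (ro)
No trap recipient configured yet
dcx01:admin> snmpConfig --show snmpv3
SNMPv3 USM configuration:
User 1 (rw): snmpadmin1
Auth Protocol: noAuth
Priv Protocol: noPriv
User 2 (rw): snmpadmin2
Auth Protocol: noAuth
Priv Protocol: noPriv
User 4 (ro): snmpuser1
Auth Protocol: noAuth
Priv Protocol: noPriv
"""
```

Feed it the text of `snmpConfig --show snmpv1` followed by `snmpConfig --show snmpv3`; on the sample it reports three read-write communities, five default names and three unprotected v3 users.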

Page 23

Documentation script to block telnet:

FCLAB:root> ipfilter --clone BlockTelnet -from default_ipv4
FCLAB:root> ipfilter --save BlockTelnet
FCLAB:root> ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto tcp -act deny
FCLAB:root> ipfilter --save
FCLAB:root> ipfilter --activate BlockTelnet
FCLAB:root> ipfilter --show

What's wrong with this picture? IPv6!! You also need:

FCLAB:root> ipfilter --clone BlockTelnet6 -from default_ipv6
FCLAB:root> ipfilter --save BlockTelnet6
FCLAB:root> ipfilter --addrule BlockTelnet6 -rule 1 -sip any -dp 23 -proto tcp -act deny
FCLAB:root> ipfilter --save
FCLAB:root> ipfilter --activate BlockTelnet6
FCLAB:root> ipfilter --show

Name: default_ipv4, Type: ipv4, State: defined
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       897         permit
4     any        tcp       898         permit
5     any        tcp       111         permit
6     any        tcp       80          permit
7     any        tcp       443         permit
8     any        udp       161         permit
9     any        udp       111         permit
10    any        udp       123         permit
11    any        tcp       600 - 1023  permit
12    any        udp       600 - 1023  permit

Name: default_ipv6, Type: ipv6, State: defined
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       22          permit
2     any        tcp       23          permit
3     any        tcp       897         permit
4     any        tcp       898         permit
5     any        tcp       111         permit
6     any        tcp       80          permit
7     any        tcp       443         permit
8     any        udp       161         permit
9     any        udp       111         permit
10    any        udp       123         permit
11    any        tcp       600 - 1023  permit
12    any        udp       600 - 1023  permit

Name: BlockTelnet, Type: ipv4, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       23          deny
2     any        tcp       22          permit
3     any        tcp       897         permit
4     any        tcp       898         permit
5     any        tcp       111         permit
6     any        tcp       80          permit
7     any        tcp       443         permit
8     any        udp       161         permit
9     any        udp       111         permit
10    any        udp       123         permit
11    any        tcp       600 - 1023  permit
12    any        udp       600 - 1023  permit

Name: BlockTelnet6, Type: ipv6, State: active
Rule  Source IP  Protocol  Dest Port   Action
1     any        tcp       23          deny
2     any        tcp       22          permit
3     any        tcp       897         permit
4     any        tcp       898         permit
5     any        tcp       111         permit
6     any        tcp       80          permit
7     any        tcp       443         permit
8     any        udp       161         permit
9     any        udp       111         permit
10    any        udp       123         permit
11    any        tcp       600 - 1023  permit
12    any        udp       600 - 1023  permit
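To make the IPv6 gap concrete, here is an added model of ipfilter evaluation for this page (not Brocade code): it parses the `ipfilter --show` layout above, keeps one active policy per address family, evaluates a connection first-match against the active policy, and replays the clone / addrule / activate steps for one or both families. Assumptions: both factory policies start active, and a connection matching no rule is denied.

```python
"""Model Brocade 'ipfilter' evaluation to show the IPv6 gap on this slide.

Added example for this page, not Brocade code.  It parses the 'ipfilter --show'
layout above, keeps one active policy per address family, evaluates a
connection against that policy's rules in order (first match wins), and replays
the slide's clone / addrule / activate steps.  Assumption: a connection that
matches no rule is denied.
"""
import re
from dataclasses import dataclass

@dataclass
class Rule:
    proto: str
    lo: int
    hi: int
    action: str

    def matches(self, proto, dport):
        return proto == self.proto and self.lo <= dport <= self.hi

HEADER_RE = re.compile(r"^Name:\s*(\S+),\s*Type:\s*(ipv[46]),\s*State:\s*(\w+)")
RULE_RE = re.compile(r"^\d+\s+\S+\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)$")

def parse_policies(text):
    """Return {name: {'type': 'ipv4'|'ipv6', 'state': ..., 'rules': [Rule]}}."""
    policies, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            cur = {"type": m[2], "state": m[3], "rules": []}
            policies[m[1]] = cur
            continue
        m = RULE_RE.match(line)
        if m and cur is not None:
            lo = int(m[2])
            cur["rules"].append(Rule(m[1], lo, int(m[3]) if m[3] else lo, m[4]))
    return policies

def evaluate(policies, family, proto, dport):
    """Verdict for a connection under the active policy of `family`."""
    for p in policies.values():
        if p["type"] == family and p["state"] == "active":
            for r in p["rules"]:
                if r.matches(proto, dport):
                    return r.action
            return "deny"  # assumption: implicit deny at the end of a policy
    return "no-active-policy"

def clone(policies, new, src):  # ipfilter --clone <new> -from <src>
    s = policies[src]
    policies[new] = {"type": s["type"], "state": "defined", "rules": list(s["rules"])}

def addrule(policies, name, pos, proto, dport, action):  # ipfilter --addrule -rule <pos>
    policies[name]["rules"].insert(pos - 1, Rule(proto, dport, dport, action))

def activate(policies, name):  # ipfilter --activate: one active policy per family
    fam = policies[name]["type"]
    for p in policies.values():
        if p["type"] == fam:
            p["state"] = "defined"
    policies[name]["state"] = "active"

# Constructed starting state: both factory policies active, rules as listed above.
DEFAULT_RULES = """\
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 897 permit
4 any tcp 898 permit
5 any tcp 111 permit
6 any tcp 80 permit
7 any tcp 443 permit
8 any udp 161 permit
9 any udp 111 permit
10 any udp 123 permit
11 any tcp 600 - 1023 permit
12 any udp 600 - 1023 permit
"""
SAMPLE_SHOW = (
    "Name: default_ipv4, Type: ipv4, State: active\n" + DEFAULT_RULES
    + "Name: default_ipv6, Type: ipv6, State: active\n" + DEFAULT_RULES
)

def block_telnet(families):
    """Replay the slide's commands for the given families; return (v4, v6) telnet verdicts."""
    p = parse_policies(SAMPLE_SHOW)
    for fam in families:
        new = "BlockTelnet" if fam == "ipv4" else "BlockTelnet6"
        clone(p, new, "default_" + fam)
        addrule(p, new, 1, "tcp", 23, "deny")
        activate(p, new)
    return evaluate(p, "ipv4", "tcp", 23), evaluate(p, "ipv6", "tcp", 23)
```

`block_telnet(["ipv4"])` returns `("deny", "permit")`: after only the first command set, telnet over IPv6 is still allowed, and only `block_telnet(["ipv4", "ipv6"])` denies both.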

Page 24

Page 25

Page 26

Page 27

Page 28

Page 29

This example is taken from a real security engagement. The administrator listed his qualifications on LinkedIn (along with the exact model numbers of the gear deployed). Using that info, we were able to google through the vendor support forums (community forums in this case), and found their full configuration posted. The Fiber Channel switch admin password was cracked manually, using likely words off the admin’s Facebook page (child’s name with a “!” appended to make it secure). A common approach is to dump Facebook and LinkedIn pages, as well as the corporate website, then use that list for a dictionary attack on the admin account.

Page 30

Page 31

Google, Bing and Shodan are all good places to do recon – gathering information without sending a single packet to your target. However, with ZMap (https://zmap.io/) recently made public, anyone can mount their own internet census with very few resources. While teams like Rapid7’s do targeted investigations and write up their results, look for lots of sites publishing raw census data in the coming months and years. This is still much tougher for IPv6, both because of the size of the address space and because of the ease of address mobility.

Page 32

Page 33

Page 34

Normally trying to intercept and decrypt SSH or HTTPS is more work than is required for an internal pentest – often getting permission for any MITM attack that is not very targeted can be difficult.

Page 35

Page 36

The full Brocade MIB is documented here (note that the MIB varies slightly from FOS version to version):
http://www.brocade.com/downloads/documents/product_manuals/B_SAN/FOS_MIB_v700.pdf

OIDs of interest:
.1.3.6.1.4.1.1588.2.1.1.1.6.1 = total port count
.1.3.6.1.4.1.1588.2.1.1.1.6.2.1.3.X = port state (insync / nolight)
.1.3.6.1.4.1.1588.2.1.1.1.6.2.1.4.X = port status (online / offline)
.1.3.6.1.4.1.1588.2.1.1.1.6.2.1.36.X = port name / comment
.1.3.6.1.4.1.1588.2.1.1.1.6.2.1.39.X = port type (f-port, g-port etc.)

And here’s the money OIDs, baby!
.1.3.6.1.4.1.1588.2.1.1.1.7.2.1.4.X = WWPN of device attached to port “X”
.1.3.6.1.4.1.1588.2.1.1.1.7.2.1.6.X = WWNN of device attached to port “X”
.1.3.6.1.4.1.1588.2.1.1.1.7.2.1.7.X = driver information for node attached to port X

In many environments, listing these OIDs gives you the information you need for the attack.

Page 37

snmpwalk -v 1 -c public 192.168.123.90 .1.3.6.1.4.1.1588.2.1.1.1.6.2.1.36
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.1 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.2 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.3 = STRING: "ESX01"
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.4 = STRING: "ESX02"
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.5 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.9 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.10 = STRING: "SNIFFER PORT"
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.11 = ""
..

snmpwalk -v 1 -c public 192.168.123.90 .1.3.6.1.4.1.1588.2.1.1.1.7.2.1.4
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.1 = Hex-STRING: 21 00 00 1B 32 18 86 4C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.2 = Hex-STRING: 50 01 43 80 02 9C 92 5E
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.3 = Hex-STRING: 50 01 43 80 00 C5 81 0C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.4 = Hex-STRING: 21 00 00 1B 32 0B C3 E2
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.5 = Hex-STRING: 10 00 00 00 C9 86 DE 61
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.6 = Hex-STRING: 21 00 00 1B 32 00 F6 78
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.7 = Hex-STRING: 50 01 43 80 03 AD 72 20
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.8 = Hex-STRING: 10 00 00 00 C9 86 DE 5B

snmpwalk -v 1 -c public 192.168.123.90 .1.3.6.1.4.1.1588.2.1.1.1.7.2.1.5
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.1 = STRING: "SCST_FIOSAN_LUN0 200"
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.2 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.3 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.4 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.5 = STRING: "Emulex PPN-10:00:00:00:C9:86:DE:61"
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.6 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.7 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.8 = STRING: "Emulex PPN-10:00:00:00:c9:86:de:5b"

snmpwalk -v 1 -c public 192.168.123.90 .1.3.6.1.4.1.1588.2.1.1.1.7.2.1.6
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.1 = Hex-STRING: 20 00 00 1B 32 18 86 4C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.2 = Hex-STRING: 50 01 43 80 02 9C 92 5F
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.3 = Hex-STRING: 50 01 43 80 00 C5 81 0D
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.4 = Hex-STRING: 20 00 00 1B 32 0B C3 E2
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.5 = Hex-STRING: 20 00 00 00 C9 86 DE 61
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.6 = Hex-STRING: 20 00 00 1B 32 00 F6 78
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.7 = Hex-STRING: 50 01 43 80 03 AD 72 21
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.8 = Hex-STRING: 20 00 00 00 C9 86 DE 5B
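The Hex-STRINGs above are raw 8-byte WWNs, and the OUI table on slide 6 is what turns them into vendor names. This added example (not the presenter's fcmap tooling) parses the snmpwalk lines for the port-name, WWPN and WWNN OIDs, decodes each WWN's NAA format to extract the OUI, and attributes the vendor from the slide 6 table; an OUI not on that slide is reported as "unknown". The intent is a per-port inventory that can serve as the baseline for spotting a new or changed WWN on a switch port.

```python
"""Decode the WWPN/WWNN Hex-STRINGs in the snmpwalk output above.

Added example for this page, not the presenter's fcmap tooling.  It parses
snmpwalk lines for the port-name, WWPN and WWNN OIDs, decodes each 8-byte
WWN's NAA format to extract the vendor OUI, and attributes the vendor from the
OUI table on slide 6 (an OUI not on that slide is reported as 'unknown').
"""
import re

# OUI prefixes copied from slide 6 (the Cisco column there is longer).
OUI_VENDOR = {
    "00-1B-32": "QLogic", "00-24-FF": "QLogic", "00-C0-DD": "QLogic", "00-E0-8B": "QLogic",
    "00-00-C9": "Emulex", "00-0A-33": "Emulex", "00-0E-03": "Emulex", "00-10-9B": "Emulex",
    "00-90-FA": "Emulex", "00-E0-D5": "Emulex",
    "00-00-88": "Brocade", "00-01-0F": "Brocade", "00-05-1E": "Brocade", "00-05-33": "Brocade",
    "00-14-C9": "Brocade", "00-60-69": "Brocade", "00-60-DF": "Brocade", "08-00-88": "Brocade",
    "00-00-0C": "Cisco", "00-01-42": "Cisco", "00-01-43": "Cisco", "00-01-63": "Cisco",
}

PORT_NAME_OID = ".1.3.6.1.4.1.1588.2.1.1.1.6.2.1.36"
WWPN_OID = ".1.3.6.1.4.1.1588.2.1.1.1.7.2.1.4"
WWNN_OID = ".1.3.6.1.4.1.1588.2.1.1.1.7.2.1.6"

LINE_RE = re.compile(
    r"^SNMPv2-SMI::enterprises\.(?P<oid>[\d.]+)\.(?P<idx>\d+) = "
    r"(?:(?P<kind>Hex-STRING|STRING): )?(?P<val>.*)$"
)

# Abridged copy of the walk output above (ports 1, 2, 4 and 5 only), constructed here.
WALK_SAMPLE = """\
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.1 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.2 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.4 = STRING: "ESX02"
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.5 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.1 = Hex-STRING: 21 00 00 1B 32 18 86 4C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.2 = Hex-STRING: 50 01 43 80 02 9C 92 5E
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.4 = Hex-STRING: 21 00 00 1B 32 0B C3 E2
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.5 = Hex-STRING: 10 00 00 00 C9 86 DE 61
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.1 = Hex-STRING: 20 00 00 1B 32 18 86 4C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.2 = Hex-STRING: 50 01 43 80 02 9C 92 5F
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.4 = Hex-STRING: 20 00 00 1B 32 0B C3 E2
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.5 = Hex-STRING: 20 00 00 00 C9 86 DE 61
"""

def parse_walk(text):
    """Return {(oid, index): value}; Hex-STRINGs become bytes, STRINGs lose their quotes."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = ".1.3.6.1.4.1." + m["oid"]
        val = m["val"].strip()
        if m["kind"] == "Hex-STRING":
            val = bytes.fromhex(val.replace(" ", ""))
        else:
            val = val.strip('"')
        out[(oid, int(m["idx"]))] = val
    return out

def wwn_str(b):
    return ":".join(f"{x:02X}" for x in b)

def wwn_oui(b):
    """Return (naa, 'XX-XX-XX') for an 8-byte WWN, or (naa, None) for an unhandled format.

    NAA 1 and 2 carry the OUI in bytes 2..4; NAA 5 packs it into the 24 bits
    directly after the leading NAA nibble."""
    naa = b[0] >> 4
    if naa in (1, 2):
        oui = b[2:5]
    elif naa == 5:
        oui = ((int.from_bytes(b[:4], "big") >> 4) & 0xFFFFFF).to_bytes(3, "big")
    else:
        return naa, None
    return naa, "-".join(f"{x:02X}" for x in oui)

def inventory(text):
    """One record per switch port that has a WWPN: name, WWPN, WWNN, NAA, OUI, vendor."""
    walk = parse_walk(text)
    rows = []
    for i in sorted(idx for (oid, idx) in walk if oid == WWPN_OID):
        wwpn = walk[(WWPN_OID, i)]
        wwnn = walk.get((WWNN_OID, i))
        naa, oui = wwn_oui(wwpn)
        rows.append({
            "port": i, "name": walk.get((PORT_NAME_OID, i), ""),
            "wwpn": wwn_str(wwpn), "wwnn": wwn_str(wwnn) if wwnn else "",
            "naa": naa, "oui": oui, "vendor": OUI_VENDOR.get(oui, "unknown"),
        })
    return rows
```

`inventory(WALK_SAMPLE)` attributes ports 1 and 4 to QLogic and port 5 to Emulex; port 2 is an NAA 5 WWN whose OUI (00-14-38) is not on slide 6, so it is reported as unknown.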

Page 38

Page 39

Page 40

Page 41

FCMAP echoes a dot (.) for each failed echo; this is sent to STDERR. Successful echoes are shown as above, with the manufacturer’s OUI information; this is sent to STDOUT. So redirecting the entire thing to a file will result in just the successes being recorded; using the “tee” command will give you the screen output shown, with successes recorded to the file – for instance:

fcmap.py -s 10:00:00:00:c9:00:00:00 -d 21:00:00:1b:32:00:00:00 -c 0xffffff | tee QLOGIC-FULLOUI.txt

Note that the behaviour of “tee” will vary between operating systems.

Page 42

WMI (Windows Management Instrumentation) and PowerShell both have interfaces to enumerate the Fibre Channel ports. Using this method, you can map a large part of your FC network from the Ethernet side of the network, using Windows APIs. Microsoft has built Fiber Channel support into PowerShell for quite some time now (I've used it on Server 2003) – you can review what's available by simply listing the file hbaapi.mof (found in %windir%\system32\wbem) – it makes for an interesting read. Or you can browse to Microsoft's Dev Center page on HBA WMI Classes (which as of today is located at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff557239%28v=vs.85%29.aspx ).

Page 43

Dumping the entire class gives us:

PS C:\> Get-WmiObject -class MSFC_FCAdapterHBAAttributes -computername localhost -namespace "root\WMI" | ForEach-Object { $_ }

__GENUS : 2
__CLASS : MSFC_FCAdapterHBAAttributes
__SUPERCLASS :
__DYNASTY : MSFC_FCAdapterHBAAttributes
__RELPATH : MSFC_FCAdapterHBAAttributes.InstanceName="PCI\\VEN_1077&DEV_5432&SUBSYS_013F1077&REV_02\\4&320db83&0&0020_0"
__PROPERTY_COUNT : 18
__DERIVATION : {}
__SERVER : WIN-QR5PCQK3K3S
__NAMESPACE : root\WMI
__PATH : \\WIN-QR5PCQK3K3S\root\WMI:MSFC_FCAdapterHBAAttributes.InstanceName="PCI\\VEN_1077&DEV_5432&SUBSYS_013F1077&REV_02\\4&320db83&0&0020_0"
Active : True
DriverName : ql2300.sys
DriverVersion : 9.1.10.28
FirmwareVersion : 5.07.02
HardwareVersion :
HBAStatus : 0
InstanceName : PCI\VEN_1077&DEV_5432&SUBSYS_013F1077&REV_02\4&320db83&0&0020_0
Manufacturer : QLogic Corporation
MfgDomain : com.qlogic
Model : QLE220
ModelDescription : QLogic QLE220 Fibre Channel Adapter
NodeSymbolicName : QLE220 FW:v5.07.02 DVR:v9.1.10.28
NodeWWN : {32, 0, 0, 27...}
NumberOfPorts : 1
OptionROMVersion : 1.02
SerialNumber : MXK72641JV
UniqueAdapterId : 0
VendorSpecificID : 1412567159

Page 44

nodeinfo.ps1 code snip below:

$nodewwns = Get-WmiObject -class MSFC_FCAdapterHBAAttributes -Namespace "root\wmi" -ComputerName "localhost"
Foreach ($node in $nodewwns) {
    # NodeWWN is a byte array; render it as colon-separated hex
    $NodeWWN = (($node.NodeWWN) | ForEach-Object {"{0:X2}" -f $_}) -join ":"
    $node.Model
    $node.ModelDescription
    $node.Active
    $NodeWWN
}

Which for a QLogic node will output something similar to:

QLE220
QLogic QLE220 Fibre Channel Adapter
True
20:00:00:1B:32:00:F6:78

Or on a system with an Emulex card, you might see something like:

LP9002
Emulex LightPulse LP9002 2 Gigabit PCI Fibre Channel Adapter
True
20:00:00:00:C9:86:DE:61

Page 45

See next page for notes.

Page 46

Brocade 300E: nmap -O --open -sV --version-all 192.168.123.90

Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-26 19:29 Eastern Daylight Time
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 (protocol 2.0)
23/tcp open telnet Linux telnetd
80/tcp open http?
111/tcp open rpcbind 2 (RPC #100000)
897/tcp open rpcbind
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :


Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.12 - 2.6.14 (embedded)
Network Distance: 2 hops
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 269.66 seconds

Page 47: In this presentation well cover the basics of Fiber ... · The WWPN and WWNN values can be used interchangeably in zoning. If WWNNs are used, the same zones can be used in two redundant

Cisco MDS:

NMAP reveals (again) that the NX-OS CLI runs on top of Linux (Montavista embedded Linux)

nmap –sV –version-all -O --open 192.168.123.91

Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-26 19:39 Eastern Daylight Time

Nmap scan report for 192.168.123.91

Host is up (0.023s latency).

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 3.9p1 (protocol 2.0; Imperva SecureSphere firewall)

23/tcp open telnet Linux telnetd

80/tcp open http?

161/tcp open snmp?

900/tcp open mountd 1-2 (RPC #100005)

2002/tcp open xfce-session XFCE Session Manager

32779/tcp open flexlm FlexLM license manager

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :


Service Info: OS: Linux; Device: firewall; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 246.46 seconds

47


48


By now we have gathered enough information to know which WWNs are tied to hosts that likely have access to data useful for proving a point in a penetration test. Any host that’s a hypervisor, for instance, will usually have a pair of WWNs with access to dozens or hundreds of hosts. Other hosts have much more targeted access; for instance, it’s still very common to see physical hosts for database services (SQL) or mail servers.

49


Just as in Ethernet, where you can easily change your MAC address, Fiber Channel adapter WWNs can be changed. Emulex offers this as an option in a command-line utility (hbacmd). However, it requires an adapter reset. In some cases (usually the first attempt), a soft reset will do the job; after the first WWN change, subsequent changes tend to require a host reboot.

50


51


52


53


Using Vports instead of simply changing the WWPN of an adapter is a much better way to add a WWN to a host. However, it is still not a good candidate for iteration: we are better off collecting intelligence ahead of time so that we already know which WWN we want to impersonate, and then adding only a small number of Vports.

54


Adding a LUN using a Vport can take significantly longer than adding a LUN by changing the WWPN of the physical adapter. In many cases, a production host will have dozens of Vports; an attacking host may have hundreds. As the Vport count goes up, the mount time increases linearly.

55


56


57


58


As always, security is a tradeoff. If you zone to the port (using D,P notation), you will lose the ability to use some features such as NPIV and FCR (Fiber Channel Routing), both of which need access controls based on WWNs to operate.
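A defender-side check of the tradeoff described on this slide, added here as an example that is not part of the presentation: it parses a constructed Brocade zoneshow-style listing (the layout and all WWN and domain,port values are assumed) and flags zones whose membership is WWN-based, since those are the zones a changed WWN or an added Vport can claim, while port-based (D,P) zones are tied to the physical switch port.

```python
import re

# Constructed sample in the style of a Brocade "zoneshow" effective configuration.
# Zone names, WWNs and domain,port pairs are made up for this example.
SAMPLE_ZONESHOW = """\
Effective configuration:
 cfg:   prod_cfg
 zone:  esx01_to_array
                10:00:00:00:c9:12:34:56; 50:06:01:60:3b:a0:11:22
 zone:  sql01_to_array
                1,5; 50:06:01:60:3b:a0:11:22
 zone:  mail01_to_array
                2,17; 2,18
"""

WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$", re.I)  # 8-byte WWN
DP_RE = re.compile(r"^\d{1,3},\d{1,3}$")                       # domain,port


def parse_zoneshow(text):
    """Return {zone_name: [member, ...]} from zoneshow-style text."""
    zones, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("zone:"):
            current = s.split(":", 1)[1].strip()
            zones[current] = []
        elif current and s and not s.startswith("cfg:"):
            zones[current].extend(m.strip() for m in s.split(";") if m.strip())
    return zones


def classify_member(member):
    """Label a zone member as a WWN, a D,P port reference, or unknown."""
    if WWN_RE.match(member):
        return "wwn"
    if DP_RE.match(member):
        return "port"
    return "unknown"


def audit_zones(zones):
    """Flag every zone with at least one WWN member: any initiator presenting that
    WWN (a changed adapter WWPN or a Vport) on any port gets the zone's access.
    Port-based zones resist that, at the cost of NPIV and FCR support."""
    report = {}
    for name, members in zones.items():
        kinds = {classify_member(m) for m in members}
        if "wwn" in kinds:
            report[name] = "WWN-based: spoofable, but required for NPIV/FCR"
        else:
            report[name] = "port-based (D,P): resists WWN spoofing"
    return report
```

Run `audit_zones(parse_zoneshow(SAMPLE_ZONESHOW))` to see which zones would need to be converted to D,P membership before you can rely on zoning as a control against WWN changes.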

59


60


61


62