TRANSCRIPT
In this presentation we’ll cover the basics of Fiber Channel security.
1
2
So what’s wrong with this picture? First of all, the storage network is almost never included in the network diagram. After all, it’s not a network, it’s a storage thing, right? Which means that storage infrastructure is almost always ignored by PCI auditors, NERC and FERC assessments, and most security assessments, audits and pentests. But what do you call a system with 2 NICs? The proverbial wisdom is that you call a system like that a ROUTER. Me, I call that a TARGET.
3
After all, in large part, all of the network and other security controls we work so hard to implement are there to protect the data. Implementing an unsecured data network just seems wrong, but here we are!
4
5
6
Vendor OUIs:
QLOGIC: 00-1B-32, 00-24-FF, 00-C0-DD, 00-E0-8B
EMULEX: 00-00-C9, 00-0A-33, 00-0E-03, 00-10-9B, 00-90-FA, 00-E0-D5
BROCADE: 00-00-88, 00-01-0F, 00-05-1E, 00-05-33, 00-14-C9, 00-60-69, 00-60-DF, 08-00-88
CISCO: 00-00-0C, 00-01-42, 00-01-43, 00-01-63, 00-01-64, 00-01-96, 00-01-97, 00-01-C7, 00-01-C9, 00-02-16, 00-02-17, 00-02-4A, 00-02-4B, 00-02-7D, 00-02-7E, 00-02-B9, 00-02-BA, 00-02-FC, 00-02-FD, and many more
The WWPN and WWNN values can be used interchangeably in zoning. If WWNNs are used, the same zones can be used in two redundant fabrics (sets of fiber channel switches). However, mis-cabling will then still result in working connections, so redundancy can suffer; WWPNs are normally the recommended approach. As switch ports are configured or different device types are connected, the port mode will change. The E-Port (switch-side) / N-Port (host-side) combination is normally by far the most common.
7
To change the WWPN and WWNN of an Emulex HBA:
hbacmd ChangeWWN <Current WWPN> <New WWPN> <New WWNN>
Brocade and QLogic also support WWNN and WWPN change, but not in the default driver CLI commands.
8
Think of zones in Fiber Channel as analogous to MAC-address-based VLANs in Ethernet, or maybe more specifically, Private VLANs based on MAC address. The goal is that each node has access to the resources that it needs access to, and only those resources. However, since the target resources are normally SAN Storage Processor HBAs (SPs), these targets generally appear in all zones.
9
The default zone ACL on Brocade switches is essentially a “default allow”. Brocade switches have a command, “zoneconfig --noaccess” or “defzone --noaccess”, which essentially says “unless you are in a zone that has access, you have no access”, in other words a default deny mode. Without enabling this, the default allow stance remains even after all zoning occurs.
10
11
12
As always, Cisco’s documentation has great examples. http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/vsan.html
13
From the diagram on our second slide, it’s pretty obvious that just segregating the ethernet admin port of the Fiber Channel switch to a Management VLAN doesn’t isolate or protect the Fiber Channel ports themselves. So “Air Gap” might apply to the management port (in fact, on many FC switches the management port never gets attached to a network or configured at all), but it does not apply to the FC ports. Cisco MDS switches come with a PAA unit (Port Analyzer Adapter), which converts FC to FCIP (on ethernet), which Wireshark will decode. Sniffing on Brocades is more the traditional source / destination port (though it’s tied to the 6 digit FC LOGIN ID). The Cisco PAA unit can be used with Brocade SPAN functions for decoding.
14
Fiber Channel might have been expensive “back in the day”, but no more. A fully licensed 16 port 4Gbps switch can be had for under $1,000, and a 2Gbps switch is in the $200-300 range. Name brand 4Gbps HBAs can be had for $30-$100, depending on manufacturer, model number and the day. Openfiler makes a dandy SAN for experimenting; I’m still wrestling with how much production data I want to trust it with though, but that’s just me.
15
Sniffing is fully supported on most Fiber Channel switches. Cisco MDS Fiber Channel switches come with a PAA unit (Port Analyzer Adapter), which encapsulates Fiber Channel frames within FCIP (on ethernet), shown in Wireshark as “Boardwalk” encapsulation. Wireshark fully decodes the encapsulated Fiber Channel frames; a session login (FCLOGI) is shown. “SPAN” (Switch Port Analyzer) is configured per port on Cisco switches:
interface fc1/1
switchport mode SD
span session 1
destination interface fc1/1
source interface fc1/2 rx
source interface fc1/2 tx
Sniffing on Brocades is more the traditional source / destination port (though it’s tied to the 6 digit FC LOGI id rather than the physical port). The Cisco PAA unit can be used with Brocade SPAN functions for decoding, exactly as on the Cisco switch. Of course, traditional FC taps and FC protocol analyzers can be used, but that’s a lot more expensive than a Cisco PAA on eBay!
16
17
Brocade switches have several default credentials. Fabric OS (FOS) has two default administrator credentials: admin / password and root / fibranne. The first is documented; the second one is well known but is NOT documented. In the older Silkworm OS, admin / brocade1 is also seen. BladeCenter chassis often use USERID / PASSWORD or PASSW0RD (with a zero) for everything, including the integrated fiber channel switch. These passwords can be used against the default (unencrypted) administrative interfaces, offered up on telnet, ssh or http; HTTPS is not on by default. The SNMP community strings ‘public’ and ‘private’ are also enabled by default, with no access restrictions. Cisco is not blameless in this either: the default ftp credentials ftpuser / nbv123 can be used to attain shell access in older NX-OS versions, and can be used as recovery credentials in a pinch.
18
19
Default services are listed below. Note the familiar unix-like syntax. Of more importance though is the list of services: tcp/23 and tcp/80 are two prime targets. Note that UDP ports (SNMP in particular) are not in the list.
dcx01:admin> netstat -an | grep LISTEN
tcp 0 0 0.0.0.0:512 0.0.0.0:* LISTEN
tcp 0 0 10.246.200.10:897 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:513 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:809 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27246 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:27247 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 :::6788 :::* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::23 :::* LISTEN
20
Running daemons as root is a huge no-no, something that’s been common knowledge for years (and years and years). In this case, if CDP runs as root, all you need to do is compromise CDP and you have root. Cisco helpfully documents a few CDP compromises in their bugtraq; googling for the CVE will find you working code. Cisco has a hidden GDB command, giving you debug access to any running process (and yes, “ps” works also). vsh is a documented command that gives you a virtual shell, meant for EEM scripting. More on EEM scripting for good and evil at:
http://www.sans.org/reading-room/whitepapers/tools/ioscat-port-netcats-tcp-functions-cisco-ios-33109
http://www.sans.org/reading-room/whitepapers/tools/iosmap-tcp-udp-port-scanning-cisco-ios-platforms-32964
http://www.sans.org/reading-room/whitepapers/malicious/iostrojan-owns-router-33324
Some of these issues are fixed in newer NX-OS, but many are part of the design. Reference Cisco bugs: CSCti03724, CSCti04026, CSCtf08873, CSCti85295
21
22
dcx01:admin> snmpConfig --show snmpv1
SNMPv1 community and trap recipient
configuration:
Community 1: SomeSecretC0de (rw)
Trap recipient: 10.246.72.12
Trap port: 162
Trap recipient Severity level: 4
Community 2: OrigEquipMfr (rw)
No trap recipient configured yet
Community 3: private (rw)
No trap recipient configured yet
Community 4: public (ro)
No trap recipient configured yet
Community 5: common (ro)
No trap recipient configured yet
Community 6: FibreChannel (ro)
No trap recipient configured yet
dcx01:admin> snmpConfig --show snmpv3
SNMP Informs = 0 (OFF)
SNMPv3 USM configuration:
User 1 (rw): snmpadmin1
Auth Protocol: noAuth
Priv Protocol: noPriv
User 2 (rw): snmpadmin2
Auth Protocol: noAuth
Priv Protocol: noPriv
User 3 (rw): snmpadmin3
Auth Protocol: noAuth
Priv Protocol: noPriv
User 4 (ro): snmpuser1
Auth Protocol: noAuth
Priv Protocol: noPriv
User 5 (ro): snmpuser2
Auth Protocol: noAuth
Priv Protocol: noPriv
User 6 (ro): snmpuser3
Auth Protocol: noAuth
Priv Protocol: noPriv
SNMPv3 Trap configuration:
Trap Entry 1: No trap recipient configured yet
Trap Entry 2: No trap recipient configured yet
Trap Entry 3: No trap recipient configured yet
Trap Entry 4: No trap recipient configured yet
Trap Entry 5: No trap recipient configured yet
Trap Entry 6: No trap recipient configured yet
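The snmpConfig output above is easy to audit mechanically, and doing so on every switch is how you find the ones still running the shipped settings. The Python below is an added example, not from the presentation: it parses the snmpv1 and snmpv3 listings, flags the communities the slide calls out as enabled by default (public and private), any community with write access, and every SNMPv3 user configured with noAuth or noPriv. The sample text is an abbreviated copy of the slide's dump, except that one v3 user was given an auth protocol (constructed) so the check has a user that passes.

```python
"""Flag weak settings in Brocade FOS 'snmpConfig --show snmpv1' / 'snmpv3' output.

Added example, not from the presentation. Sample text is an abbreviated copy of the
slide's dump, except that one v3 user was given an auth protocol (constructed) so the
check has something to pass. Findings are (kind, name) pairs, easy to diff over time."""
import re

# The slide names these two as the communities FOS ships enabled.
KNOWN_DEFAULT_COMMUNITIES = {"public", "private"}

COMMUNITY_RE = re.compile(r"^Community \d+: (\S+) \((rw|ro)\)$")
USER_RE = re.compile(r"^User \d+ \((rw|ro)\): (\S+)$")
AUTH_RE = re.compile(r"^Auth Protocol: (\S+)$")
PRIV_RE = re.compile(r"^Priv Protocol: (\S+)$")


def audit_snmpv1(text):
    """Defaults and any read-write community are findings (v1 is cleartext anyway)."""
    findings = []
    for line in text.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        name, access = m.groups()
        if name in KNOWN_DEFAULT_COMMUNITIES:
            findings.append(("default-community", name))
        if access == "rw":
            findings.append(("rw-community", name))
    return findings


def audit_snmpv3(text):
    """A v3 user with noAuth/noPriv is no better than a v1 community."""
    findings, user = [], None
    for line in text.splitlines():
        s = line.strip()
        m = USER_RE.match(s)
        if m:
            user = m.group(2)
            continue
        if user is None:
            continue
        m = AUTH_RE.match(s)
        if m and m.group(1) == "noAuth":
            findings.append(("v3-no-auth", user))
        m = PRIV_RE.match(s)
        if m and m.group(1) == "noPriv":
            findings.append(("v3-no-priv", user))
    return findings


def audit(v1_text, v3_text):
    return audit_snmpv1(v1_text) + audit_snmpv3(v3_text)


SNMPV1_SHOW = """\
SNMPv1 community and trap recipient configuration:
Community 1: SomeSecretC0de (rw)
Trap recipient: 10.246.72.12
Community 3: private (rw)
No trap recipient configured yet
Community 4: public (ro)
No trap recipient configured yet
Community 5: common (ro)
No trap recipient configured yet
"""
SNMPV3_SHOW = """\
SNMPv3 USM configuration:
User 1 (rw): snmpadmin1
Auth Protocol: noAuth
Priv Protocol: noPriv
User 4 (ro): snmpuser1
Auth Protocol: MD5
Priv Protocol: noPriv
"""

if __name__ == "__main__":
    for kind, name in audit(SNMPV1_SHOW, SNMPV3_SHOW):
        print("%-18s %s" % (kind, name))
```

Run against the full dump on the slide, every one of the six communities and all six v3 users would be reported; the write-access communities matter most, since a read-write community is a configuration change away from a zoning change.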
Documented script to block telnet:
FCLAB:root> ipfilter --clone BlockTelnet -from default_ipv4
FCLAB:root> ipfilter --save BlockTelnet
FCLAB:root> ipfilter --addrule BlockTelnet -rule 1 -sip any -dp 23 -proto tcp -act deny
FCLAB:root> ipfilter --save
FCLAB:root> ipfilter --activate BlockTelnet
FCLAB:root> ipfilter --show
What's wrong with this picture? IPv6!! You also need:
FCLAB:root> ipfilter --clone BlockTelnet6 -from default_ipv6
FCLAB:root> ipfilter --save BlockTelnet6
FCLAB:root> ipfilter --addrule BlockTelnet6 -rule 1 -sip any -dp 23 -proto tcp -act deny
FCLAB:root> ipfilter --save
FCLAB:root> ipfilter --activate BlockTelnet6
FCLAB:root> ipfilter --show
23
Name: default_ipv4, Type: ipv4, State: defined
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 897 permit
4 any tcp 898 permit
5 any tcp 111 permit
6 any tcp 80 permit
7 any tcp 443 permit
8 any udp 161 permit
9 any udp 111 permit
10 any udp 123 permit
11 any tcp 600 - 1023 permit
12 any udp 600 - 1023 permit
Name: default_ipv6, Type: ipv6, State: defined
Rule Source IP Protocol Dest Port Action
1 any tcp 22 permit
2 any tcp 23 permit
3 any tcp 897 permit
4 any tcp 898 permit
5 any tcp 111 permit
6 any tcp 80 permit
7 any tcp 443 permit
8 any udp 161 permit
9 any udp 111 permit
10 any udp 123 permit
11 any tcp 600 - 1023 permit
12 any udp 600 - 1023 permit
Name: BlockTelnet, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 23 deny
2 any tcp 22 permit
3 any tcp 897 permit
4 any tcp 898 permit
5 any tcp 111 permit
6 any tcp 80 permit
7 any tcp 443 permit
8 any udp 161 permit
9 any udp 111 permit
10 any udp 123 permit
11 any tcp 600 - 1023 permit
12 any udp 600 - 1023 permit
Name: BlockTelnet6, Type: ipv6, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 23 deny
2 any tcp 22 permit
3 any tcp 897 permit
4 any tcp 898 permit
5 any tcp 111 permit
6 any tcp 80 permit
7 any tcp 443 permit
8 any udp 161 permit
9 any udp 111 permit
10 any udp 123 permit
11 any tcp 600 - 1023 permit
12 any udp 600 - 1023 permit
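Taken together, the netstat listing earlier and the ipfilter --show output above let you check, rather than assume, what the management interface still exposes after a policy change. The Python below is an added example, not from the presentation: it parses both outputs, evaluates each listening socket against the active policy for its address family, and reports what is still reachable; telnet_blocked() checks the slide's IPv6 gotcha directly. Two assumptions are built in: ipfilter rules apply first-match with an implicit deny at the end, and a Linux ':::' wildcard listener also accepts IPv4 connections. The sample inputs are abbreviated, constructed copies of the slide's output.

```python
"""Cross-check a Brocade switch's listening sockets against its active ipfilter policy.

Added example, not from the presentation. Inputs are 'netstat -an | grep LISTEN' and
'ipfilter --show' text as the slides print it (abbreviated, constructed copies below).
Assumed: rules apply first-match with an implicit deny at the end, and a Linux ':::'
wildcard listener also accepts IPv4 (the dual-stack default)."""
import re

POLICY_RE = re.compile(r"^Name: (\S+), Type: (ipv[46]), State: (\w+)$")
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)$")

def parse_ipfilter(text):
    """{name: {"type": "ipv4"/"ipv6", "state": ..., "rules": [(proto, lo, hi, action)]}}"""
    policies, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = POLICY_RE.match(s)
        if m:
            current = {"type": m.group(2), "state": m.group(3), "rules": []}
            policies[m.group(1)] = current
            continue
        m = RULE_RE.match(s)
        if m and current is not None:
            _num, _sip, proto, lo, hi, action = m.groups()
            current["rules"].append((proto, int(lo), int(hi or lo), action))
    return policies

def active_policy(policies, family):
    """The policy of that address family that is in State: active, if any."""
    for p in policies.values():
        if p["type"] == family and p["state"] == "active":
            return p
    return None

def permitted(policy, proto, port):
    """First matching rule decides; no match means deny (assumed FOS behaviour)."""
    for rproto, lo, hi, action in policy["rules"]:
        if rproto == proto and lo <= port <= hi:
            return action == "permit"
    return False

def parse_netstat(text):
    """Set of (family, proto, port) for LISTEN sockets not bound to loopback."""
    listeners = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[-1] != "LISTEN":
            continue
        addr, port = f[3].rsplit(":", 1)
        if addr in ("127.0.0.1", "::1"):
            continue
        if addr == "::":                      # ':::port' wildcard: reachable over both
            families = ("ipv4", "ipv6")
        else:
            families = ("ipv6",) if ":" in addr else ("ipv4",)
        for family in families:
            listeners.add((family, f[0].rstrip("6"), int(port)))
    return listeners

def exposed_services(netstat_text, ipfilter_text):
    """Listening services the active policy for their family still lets through."""
    policies = parse_ipfilter(ipfilter_text)
    exposed = []
    for family, proto, port in sorted(parse_netstat(netstat_text)):
        policy = active_policy(policies, family)
        if policy is None or permitted(policy, proto, port):
            exposed.append((family, proto, port))
    return exposed

def telnet_blocked(ipfilter_text):
    """Per family: does the active policy deny tcp/23? BlockTelnet alone leaves IPv6 open."""
    policies = parse_ipfilter(ipfilter_text)
    result = {}
    for family in ("ipv4", "ipv6"):
        policy = active_policy(policies, family)
        result[family] = policy is not None and not permitted(policy, "tcp", 23)
    return result

NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:809 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:199 0.0.0.0:* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::23 :::* LISTEN
"""
IPFILTER_BOTH = """\
Name: BlockTelnet, Type: ipv4, State: active
Rule Source IP Protocol Dest Port Action
1 any tcp 23 deny
2 any tcp 22 permit
3 any tcp 80 permit
4 any tcp 600 - 1023 permit
Name: BlockTelnet6, Type: ipv6, State: active
1 any tcp 23 deny
2 any tcp 22 permit
3 any tcp 80 permit
"""
# Same ipv4 policy, but ipv6 still on the shipped default_ipv6 (telnet permitted).
IPFILTER_V4_ONLY = IPFILTER_BOTH.split("Name: BlockTelnet6")[0] + """\
Name: default_ipv6, Type: ipv6, State: active
1 any tcp 23 permit
2 any tcp 80 permit
"""
```

With only BlockTelnet active, telnet_blocked() reports ipv4 True and ipv6 False, and tcp/23 shows up in exposed_services() for ipv6, which is exactly the slide's point; with BlockTelnet6 active as well, what remains is ssh, http and the RPC port in the 600-1023 range, and that is the list to take to the next hardening step.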
24
25
26
27
28
This example is taken from a real security engagement. The administrator listed his qualifications on LinkedIn (along with the exact model numbers of the gear deployed). Using that info, we were able to google through the vendor support forums (community forums in this case), and found their full configuration posted. The Fiber Channel switch admin password was cracked manually, using likely words off the admin’s Facebook page (child’s name with a “!” appended to make it secure). A common approach is to dump Facebook and LinkedIn pages, as well as the corporate website, then use that list for a dictionary attack on the admin account.
29
30
Google, Bing and Shodan are all good places to do recon, gathering information without sending a single packet to your target. However, with ZMap (https://zmap.io/) recently made public, anyone can mount their own internet census with very few resources. While teams like Rapid7’s do targeted investigations and write up their results, look for lots of sites publishing raw census data in the coming months and years. This is still much tougher for IPv6, both because of the size of the address space and because of the ease of address mobility.
31
32
33
Normally trying to intercept and decrypt SSH or HTTPS is more work than is required for an internal pentest – often getting permission for any MITM attack that is not very targeted can be difficult.
34
35
The full Brocade MIB is documented here (note that the MIB varies slightly from FOS version to version):
http://www.brocade.com/downloads/documents/product_manuals/B_SAN/FOS_MIB_v700.pdf
OIDs of interest:
.1.3.6.1.4.1.1588.2.1.1.1.6.1 = total port count
.1.3.6.1.4.1.1588.2.1.1.1.6.2.1.3.X = port state (insync / nolight)
.1.3.6.1.4.1.1588.2.1.1.1.6.2.1.4.X = port status (online / offline)
.1.3.6.1.4.1.1588.2.1.1.1.6.2.1.36.X = port name / comment
.1.3.6.1.4.1.1588.2.1.1.1.6.2.1.39.X = port type (f-port, g-port etc)
And here’s the money OIDs, baby!
.1.3.6.1.4.1.1588.2.1.1.1.7.2.1.4.X = WWPN of device attached to port “X”
.1.3.6.1.4.1.1588.2.1.1.1.7.2.1.6.X = WWNN of device attached to port “X”
.1.3.6.1.4.1.1588.2.1.1.1.7.2.1.7.X = driver information for node attached to port X
In many environments, listing these OIDs gives you the information you need for the attack.
36
snmpwalk -v 1 -c public 192.168.123.90 .1.3.6.1.4.1.1588.2.1.1.1.6.2.1.36
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.1 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.2 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.3 = STRING: "ESX01"
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.4 = STRING: "ESX02"
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.5 = ""
…
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.9 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.10 = STRING: "SNIFFER PORT"
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.11 = ""
..
snmpwalk -v 1 -c public 192.168.123.90 .1.3.6.1.4.1.1588.2.1.1.1.7.2.1.4
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.1 = Hex-STRING: 21 00 00 1B 32 18 86 4C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.2 = Hex-STRING: 50 01 43 80 02 9C 92 5E
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.3 = Hex-STRING: 50 01 43 80 00 C5 81 0C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.4 = Hex-STRING: 21 00 00 1B 32 0B C3 E2
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.5 = Hex-STRING: 10 00 00 00 C9 86 DE 61
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.6 = Hex-STRING: 21 00 00 1B 32 00 F6 78
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.7 = Hex-STRING: 50 01 43 80 03 AD 72 20
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.8 = Hex-STRING: 10 00 00 00 C9 86 DE 5B
snmpwalk -v 1 -c public 192.168.123.90 .1.3.6.1.4.1.1588.2.1.1.1.7.2.1.5
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.1 = STRING: "SCST_FIOSAN_LUN0 200"
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.2 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.3 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.4 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.5 = STRING: "Emulex PPN-10:00:00:00:C9:86:DE:61"
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.6 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.7 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.5.8 = STRING: "Emulex PPN-10:00:00:00:c9:86:de:5b"
snmpwalk -v 1 -c public 192.168.123.90 .1.3.6.1.4.1.1588.2.1.1.1.7.2.1.6
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.1 = Hex-STRING: 20 00 00 1B 32 18 86 4C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.2 = Hex-STRING: 50 01 43 80 02 9C 92 5F
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.3 = Hex-STRING: 50 01 43 80 00 C5 81 0D
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.4 = Hex-STRING: 20 00 00 1B 32 0B C3 E2
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.5 = Hex-STRING: 20 00 00 00 C9 86 DE 61
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.6 = Hex-STRING: 20 00 00 1B 32 00 F6 78
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.7 = Hex-STRING: 50 01 43 80 03 AD 72 21
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.6.8 = Hex-STRING: 20 00 00 00 C9 86 DE 5B
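The vendor OUI table from the earlier slide and the two snmpwalk listings above are all a defender needs to turn the attached-WWPN walk into a port inventory to compare against the zoning configuration. The Python below is an added example, not from the presentation: it parses the port-name and WWPN walks, extracts the OUI from each WWPN according to its NAA format (bytes 2..4 for the 1x/2x formats, the 24 bits after the NAA nibble for 5x/6x), and looks the OUI up in the slide's vendor table; wmi_wwn() also formats the byte-array form of NodeWWN that the Windows MSFC_FCAdapterHBAAttributes class returns, as shown later in the deck. The OUI table and the abbreviated walk lines are copied from the slides; the function names and the NAA rules are this example's own.

```python
"""Per-port inventory of a Brocade switch from snmpwalk output, labelled by vendor OUI.

Added example, not from the presentation. The OUI table and the abbreviated walk lines
are the slides' own; the OUI-extraction rules follow the NAA WWN formats (1, 2, 5, 6),
and wmi_wwn() formats the NodeWWN byte array the Windows MSFC_* WMI class returns."""
import re

OUI_VENDORS = {}
for _vendor, _ouis in {
    "QLogic": "00:1B:32 00:24:FF 00:C0:DD 00:E0:8B",
    "Emulex": "00:00:C9 00:0A:33 00:0E:03 00:10:9B 00:90:FA 00:E0:D5",
    "Brocade": "00:00:88 00:01:0F 00:05:1E 00:05:33 00:14:C9 00:60:69 00:60:DF 08:00:88",
    "Cisco": "00:00:0C 00:01:42 00:01:43 00:01:63 00:01:64 00:01:96 00:01:97 00:01:C7 "
             "00:01:C9 00:02:16 00:02:17 00:02:4A 00:02:4B 00:02:7D 00:02:7E 00:02:B9 "
             "00:02:BA 00:02:FC 00:02:FD",
}.items():
    for _oui in _ouis.split():
        OUI_VENDORS[_oui] = _vendor


def wwn_oui(wwn):
    """Return the OUI carried in a WWN ('AA:BB:CC'), or None for an unhandled NAA format.

    NAA 1 / 2 (1x:.. and 2x:..): the OUI is bytes 2..4; byte 1 is vendor or port use.
    NAA 5 / 6 (5x:.. and 6x:..): the OUI is the 24 bits right after the NAA nibble."""
    raw = bytes.fromhex(wwn.replace(":", "").replace("-", ""))
    if len(raw) != 8:
        raise ValueError("a WWN is 8 bytes, got %r" % wwn)
    naa = raw[0] >> 4
    if naa in (1, 2):
        oui = raw[2:5]
    elif naa in (5, 6):
        oui = ((int.from_bytes(raw[:4], "big") >> 4) & 0xFFFFFF).to_bytes(3, "big")
    else:
        return None
    return ":".join("%02X" % b for b in oui)


def vendor_of(wwn):
    return OUI_VENDORS.get(wwn_oui(wwn), "unknown")


def wmi_wwn(byte_list):
    """NodeWWN / PortWWN as WMI returns it ({32, 0, 0, 27, ...}) -> '20:00:00:1B:...'."""
    return ":".join("%02X" % b for b in byte_list)


# One walk line: '<oid>.<idx> = Hex-STRING: 21 00 ...', '<oid>.<idx> = STRING: "ESX01"' or '= ""'
WALK_RE = re.compile(r'^\S+\.(\d+) = (?:Hex-STRING: ([0-9A-Fa-f ]+)|(?:STRING: )?"(.*)")$')


def parse_walk(text):
    """Map OID index -> value; Hex-STRING values come back in colon WWN notation."""
    out = {}
    for line in text.splitlines():
        m = WALK_RE.match(line.strip())
        if m:
            idx, hexstr, string = m.group(1), m.group(2), m.group(3)
            out[int(idx)] = ":".join(hexstr.split()) if hexstr is not None else string
    return out


def inventory(port_name_walk, wwpn_walk):
    """Join the port-name walk (...6.2.1.36) with the attached-WWPN walk (...7.2.1.4)."""
    names, wwpns = parse_walk(port_name_walk), parse_walk(wwpn_walk)
    return [{"port": p, "name": names.get(p, ""), "wwpn": wwpns[p],
             "oui": wwn_oui(wwpns[p]), "vendor": vendor_of(wwpns[p])}
            for p in sorted(wwpns)]


# Abbreviated copies of the slide's two listings.
PORT_NAME_WALK = """\
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.1 = ""
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.3 = STRING: "ESX01"
SNMPv2-SMI::enterprises.1588.2.1.1.1.6.2.1.36.10 = STRING: "SNIFFER PORT"
"""
WWPN_WALK = """\
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.1 = Hex-STRING: 21 00 00 1B 32 18 86 4C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.2 = Hex-STRING: 50 01 43 80 02 9C 92 5E
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.3 = Hex-STRING: 50 01 43 80 00 C5 81 0C
SNMPv2-SMI::enterprises.1588.2.1.1.1.7.2.1.4.5 = Hex-STRING: 10 00 00 00 C9 86 DE 61
"""

if __name__ == "__main__":
    for row in inventory(PORT_NAME_WALK, WWPN_WALK):
        print("port %(port)2d %(name)-12s %(wwpn)s  oui=%(oui)s  %(vendor)s" % row)
    print(wmi_wwn([32, 0, 0, 27, 50, 0, 246, 120]))   # the slide's QLE220 NodeWWN
```

The 50:01:43:80 WWPNs come out as "unknown" because their OUI (00:14:38) is not in the slide's HBA-and-switch table; extend OUI_VENDORS from the IEEE registry for the storage arrays in your fabric. Two things to look at first in the resulting list: ports that carry a live WWPN but no name (port 1 above), and a port named for sniffing with nothing attached to it.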
37
38
39
40
FCMAP echoes a dot (.) for each failed echo; this is sent to STDERR. Successful echoes are shown as above, with the manufacturer’s OUI information; this is sent to STDOUT. So redirecting the entire thing to a file will result in just the successes being recorded, and using the “tee” command will give you the screen output shown, with successes recorded to the file, for instance:
fcmap.py -s 10:00:00:00:c9:00:00:00 -d 21:00:00:1b:32:00:00:00 -c 0xffffff | tee QLOGIC-FULLOUI.txt
Note that the behaviour of “tee” will vary between operating systems.
41
WMI (Windows Management Instrumentation) and PowerShell both have interfaces to enumerate the Fibre Channel ports. Using this method, you can map a large part of your FC network from the Ethernet side of the network, using Windows APIs. Microsoft has built Fiber Channel support into PowerShell for quite some time now (I've used it on Server 2003); you can review what's available by simply listing the file hbaapi.mof (found in %windir%\system32\wbem), which makes for an interesting read. Or you can browse to Microsoft's Dev Center page on HBA WMI Classes (which as of today is located at: http://msdn.microsoft.com/en-us/library/windows/hardware/ff557239%28v=vs.85%29.aspx ).
42
Dumping the entire class gives us:
PS C:\> Get-WmiObject -class MSFC_FCAdapterHBAAttributes -computername localhost -namespace "root\WMI" | ForEach-Object { $_ }
__GENUS : 2
__CLASS : MSFC_FCAdapterHBAAttributes
__SUPERCLASS :
__DYNASTY : MSFC_FCAdapterHBAAttributes
__RELPATH : MSFC_FCAdapterHBAAttributes.InstanceName="PCI\\VEN_1077&DEV_5432&SUBSYS_013F1077&REV_02\\4&320db83&0&0020_0"
__PROPERTY_COUNT : 18
__DERIVATION : {}
__SERVER : WIN-QR5PCQK3K3S
__NAMESPACE : root\WMI
__PATH : \\WIN-QR5PCQK3K3S\root\WMI:MSFC_FCAdapterHBAAttributes.InstanceName="PCI\\VEN_1077&DEV_5432&SUBSYS_013F1077&REV_02\\4&320db83&0&0020_0"
Active : True
DriverName : ql2300.sys
DriverVersion : 9.1.10.28
FirmwareVersion : 5.07.02
HardwareVersion :
HBAStatus : 0
InstanceName : PCI\VEN_1077&DEV_5432&SUBSYS_013F1077&REV_02\4&320db83&0&0020_0
Manufacturer : QLogic Corporation
MfgDomain : com.qlogic
Model : QLE220
ModelDescription : QLogic QLE220 Fibre Channel Adapter
NodeSymbolicName : QLE220 FW:v5.07.02 DVR:v9.1.10.28
NodeWWN : {32, 0, 0, 27...}
NumberOfPorts : 1
OptionROMVersion : 1.02
SerialNumber : MXK72641JV
UniqueAdapterId : 0
VendorSpecificID : 1412567159
43
nodeinfo.ps1 code snip below:
$nodewwns = Get-WmiObject -class MSFC_FCAdapterHBAAttributes -Namespace "root\wmi" -ComputerName "localhost"
Foreach ($node in $nodewwns) {
    # NodeWWN comes back as a byte array; format each byte as two hex digits and join with ":"
    $NodeWWN = (($node.NodeWWN) | ForEach-Object {"{0:X2}" -f $_}) -join ":"
    $node.Model
    $node.ModelDescription
    $node.Active
    $NodeWWN
}
Which for a QLogic node will output something similar to:
QLE220
QLogic QLE220 Fibre Channel Adapter
True
20:00:00:1B:32:00:F6:78
Or on a system with an Emulex card, you might see something like:
LP9002
Emulex LightPulse LP9002 2 Gigabit PCI Fibre Channel Adapter
True
20:00:00:00:C9:86:DE:61
44
See next page for notes
45
Brocade 300E: nmap -O --open -sV --version-all 192.168.123.90
Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-26 19:29 Eastern Daylight Time
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.8.1p1 (protocol 2.0)
23/tcp open telnet Linux telnetd
80/tcp open http?
111/tcp open rpcbind 2 (RPC #100000)
897/tcp open rpcbind
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at http://www.insecure.org/cgi-bin/servi
cefp-submit.cgi :
SF-Port80-TCP:V=6.25%I=9%D=6/12%Time=51B92B56%P=i686-pc-windows-windows%r(
SF:GetRequest,1BD,"HTTP/1\.1\x20302\x20Found\r\nDate:\x20Thu,\x2013\x20Jun
SF:\x202013\x2001:40:01\x20GMT\r\nServer:\x20Apache\r\nLocation:\x20http:/
SF:/\(null\)/switchExplorer\.html\r\nConnection:\x20close\r\nContent-Type:
SF:\x20text/html\r\n\r\n<HTML>\r\n<HEAD>\r\n<META\x20HTTP-EQUIV=\"Pragma\"
SF:\x20CONTENT=\"no-cache\">\r\n<TITLE>/switchExplorer\.html</TITLE></HEAD
SF:>\r\n<BODY\x20BGCOLOR=\"#D4D0C8\">\r\n<H5>Can\x20not\x20automatically\x
SF:20load\x20page\x20/switchExplorer\.html\.<A\x20HREF\x20=\x20http://\(nu
SF:ll\)/switchExplorer\.html>Please\x20follow\x20this\x20link</A></H5></BO
SF:DY></HTML>\n")%r(HTTPOptions,143,"HTTP/1\.1\x20405\x20Method\x20not\x20
SF:allowed\r\nDate:\x20Thu,\x2013\x20Jun\x202013\x2001:40:01\x20GMT\r\nSer
SF:ver:\x20Apache\r\nConnection:\x20close\r\nContent-Type:\x20text/html\r\
SF:n\r\n<HTML><HEAD><TITLE>Status:\x20405\x20Method\x20not\x20allowed</TIT
SF:LE></HEAD><BODY\x20BGCOLOR=\"#c0c0c0\">\n<P><H1>Chassis\x20is\x20not\x2
SF:0ready\x20for\x20management\x20now\.<BR>Please\x20try\x20after\x20some\
SF:x20time\.</H1></P></BODY></HTML>\n")%r(RTSPRequest,143,"HTTP/1\.1\x2040
SF:5\x20Method\x20not\x20allowed\r\nDate:\x20Thu,\x2013\x20Jun\x202013\x20
SF:01:40:01\x20GMT\r\nServer:\x20Apache\r\nConnection:\x20close\r\nContent
SF:-Type:\x20text/html\r\n\r\n<HTML><HEAD><TITLE>Status:\x20405\x20Method\
SF:x20not\x20allowed</TITLE></HEAD><BODY\x20BGCOLOR=\"#c0c0c0\">\n<P><H1>C
SF:hassis\x20is\x20not\x20ready\x20for\x20management\x20now\.<BR>Please\x2
SF:0try\x20after\x20some\x20time\.</H1></P></BODY></HTML>\n")%r(FourOhFour
SF:Request,185,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Thu,\x2013\x2
SF:0Jun\x202013\x2001:40:06\x20GMT\r\nServer:\x20Apache\r\nContent-Length:
SF:\x20225\r\nConnection:\x20close\r\nContent-Type:\x20text/html;\x20chars
SF:et=iso-8859-1\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20H
SF:TML\x202\.0//EN\">\n<html><head>\n<title>404\x20Not\x20Found</title>\n<
SF:/head><body>\n<h1>Not\x20Found</h1>\n<p>The\x20requested\x20URL\x20/nic
SF:e\x20ports,/Trinity\.txt\.bak\x20was\x20not\x20found\x20on\x20this\x20s
SF:erver\.</p>\n</body></html>\n");
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.12 - 2.6.14 (embedded)
Network Distance: 2 hops
OS and Service detection performed. Please report any incorrect results at http:
//nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 269.66 seconds
46
Cisco MDS:
Nmap reveals (again) that the NX-OS CLI runs on top of Linux (MontaVista embedded Linux).
nmap -sV --version-all -O --open 192.168.123.91
Starting Nmap 6.25 ( http://nmap.org ) at 2013-05-26 19:39 Eastern Daylight Time
Nmap scan report for 192.168.123.91
Host is up (0.023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 2.0; Imperva SecureSphere f
irewall)
23/tcp open telnet Linux telnetd
80/tcp open http?
161/tcp open snmp?
900/tcp open mountd 1-2 (RPC #100005)
2002/tcp open xfce-session XFCE Session Manager
32779/tcp open flexlm FlexLM license manager
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at http://www.insecure.org/cgi-bin/servi
cefp-submit.cgi :
SF-Port80-TCP:V=6.25%I=9%D=5/26%Time=51A29D45%P=i686-pc-windows-windows%r(
SF:GetRequest,1C0A,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2027\x20May\x
SF:202013\x2008:18:33\x20GMT\r\nServer:\x20Apache\r\nLast-Modified:\x20Mon
SF:,\x2013\x20May\x202013\x2022:31:54\x20GMT\r\nETag:\x20\"fc9-489c-156aaa
SF:80\"\r\nAccept-Ranges:\x20bytes\r\nContent-Length:\x2018588\r\nConnecti
SF:on:\x20close\r\nContent-Type:\x20text/html\r\n\r\n<html\x20xmlns:v=\"ur
SF:n:schemas-microsoft-com:vml\"\nxmlns:o=\"urn:schemas-microsoft-com:offi
SF:ce:office\"\nxmlns:w=\"urn:schemas-microsoft-com:office:word\"\nxmlns=\
SF:"http://www\.w3\.org/TR/REC-html40\">\n\n<head>\n<meta\x20http-equiv=Co
SF:ntent-Type\x20content=\"text/html;\x20charset=us-ascii\">\n<meta\x20nam
SF:e=ProgId\x20content=Word\.Document>\n<meta\x20name=Generator\x20content
SF:=\"Microsoft\x20Word\x2011\">\n<meta\x20name=Originator\x20content=\"Mi
SF:crosoft\x20Word\x2011\">\n<link\x20rel=File-List\x20href=\"index_dm_fil
SF:es/filelist\.xml\">\n<link\x20rel=Edit-Time-Data\x20href=\"index_dm_fil
SF:es/editdata\.mso\">\n<!--\[if\x20!mso\]>\n<style>\nv\\:\*\x20{behavior:
SF:url\(#default#VML\);}\no\\:\*\x20{behavior:url\(#default#VML\);}\nw\\:\
SF:*\x20{behavior:url\(#default#VML\);}\n\.shape\x20{behavior:")%r(HTTPOpt
SF:ions,AB,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Mon,\x2027\x20May\x202013\x
SF:2008:18:33\x20GMT\r\nServer:\x20Apache\r\nAllow:\x20GET,HEAD,POST,OPTIO
SF:NS,TRACE\r\nContent-Length:\x200\r\nConnection:\x20close\r\nContent-Typ
SF:e:\x20text/html\r\n\r\n")%r(RTSPRequest,AB,"HTTP/1\.1\x20200\x20OK\r\nD
SF:ate:\x20Mon,\x2027\x20May\x202013\x2008:18:33\x20GMT\r\nServer:\x20Apac
SF:he\r\nAllow:\x20GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length:\x200\r\n
SF:Connection:\x20close\r\nContent-Type:\x20text/html\r\n\r\n")%r(FourOhFo
SF:urRequest,B5,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Mon,\x2027\x
SF:20May\x202013\x2008:18:38\x20GMT\r\nServer:\x20Apache\r\nContent-Length
SF::\x2018\r\nConnection:\x20close\r\nContent-Type:\x20text/html;\x20chars
SF:et=iso-8859-1\r\n\r\nDocument\x20not\x20found")%r(Hello,D8,"<!DOCTYPE\x
SF:20HTML\x20PUBLIC\x20\"-//IETF//DTD\x20HTML\x202\.0//EN\">\n<html><head>
SF:\n<title>501\x20Method\x20Not\x20Implemented</title>\n</head><body>\n<h
SF:1>Method\x20Not\x20Implemented</h1>\n<p>EHLO\x20to\x20/index\.html\x20n
SF:ot\x20supported\.<br\x20/>\n</p>\n</body></html>\n");
Service Info: OS: Linux; Device: firewall; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 246.46 seconds
47
48
By now we have gathered enough information that we know which WWNs are tied to hosts that likely have access to data that might be useful in proving a point in a penetration test. Any host that’s a hypervisor, for instance, will usually have a pair of WWNs that have access to dozens or hundreds of hosts. Other hosts have much more targeted access; for instance it’s still very common to see physical hosts for database services (SQL) or mail servers.
49
Just as in ethernet, where you can easily change your MAC address, Fiber Channel adapter WWN’s can be changed. Emulex gives us this as an option in a command-line utility (hbacmd). However, this requires an adapter reset. In some cases (usually the first attempt), a soft reset will do the job. After the first WWN change, subsequent changes tend to require a host reboot.
50
51
52
53
Using Vports instead of simply changing the WWPN of an adapter is a much better candidate for adding a WWN to a host. However, this is still not a great candidate for iteration; we are still better off collecting intelligence in advance so that we have the WWN we want to impersonate ahead of time, then adding only a small number of Vports.
54
Adding a LUN using a Vport can take significantly longer than adding a LUN by changing the physical adapter’s WWPN. In many cases, a production host will have dozens of Vports; an attacking host may have hundreds of Vports. As the Vport count goes up, the mount time increases in a straight-line ratio.
55
56
57
58
As always, security is a tradeoff. If you zone to the port (using D,P notation), you will lose the ability to use some features such as NPIV and FCR (Fiber Channel Routing), both of which need access controls based on WWNs to operate.
59
60
61
62