This is going to be a slightly different style of post than we usually do on Question-Defense. I have been completely amazed lately at the number of unsecured web interfaces on the Internet, and I figure another post can't hurt. I am assuming everyone knows that when you buy a new piece of hardware you need to change the default user name and password. “Well, of course I know that,” most people would say. How about we do a little recon and see if that is really true.
Before we begin I would like to mention that logging into and damaging or changing any systems you find is highly illegal and can result in all kinds of nasty police involvement. Please use this information to check everything on your own network to make sure it is secure. As a network security tester I have often compromised whole networks via a network printer's default login page. More on that later.
To conduct our searches we can use a new web search tool called Shodan. Shodan indexes the banners that services on Internet-facing hosts return when you connect to them, so instead of scanning yourself you search the banners it has already collected. It is my opinion that the legality of this tool will at some point come into question, but for right now it is fair game. I can think of several valid uses for this tool; however, the malicious uses are also pretty large.
The main reason I want to use it, though, is to really drive home the point about having hardware login pages facing the Internet. Having default passwords on your LAN is bad enough, but having them out on the Internet is just plain stupidity.
There is already a Firefox plugin for Shodan which makes it a breeze to search from Firefox. Let's try a few searches from the newly added plugin.
On the left you can see the sidebar which comes with the Shodan Firefox plugin. The search query I used was port:23 and “list of built-in commands”. That phrase comes from the BusyBox shell's own greeting (“Enter 'help' for a list of built-in commands.”), so matching it on port 23 finds telnet services that drop you straight into a BusyBox shell. We are basically banner grabbing servers across the Internet. This is perfectly legal and anyone can do it. It is shocking to see how much information your servers actually give out when queried. In case anyone doesn't know what BusyBox is, it is a small utility on Linux-based machines that bundles common administration commands into a single binary and is very common on routers and other embedded devices; you can read up on it here. So why is this bad? You basically have an unsecured Linux shell facing the Internet, which gives any hacker worth his salt a platform from which to further attack and infiltrate your network. Shodan also accepts regular expressions inside “ ”. Just to be clear, if you try this search please do not try to connect to any of the servers. All the admins have been notified via email and have had ample time to secure their boxes.
So that's pretty cool, but who the *heck* uses Telnet anymore, you are saying to yourself. You think you turned off Telnet years ago. Well, let's try something a little more risqué.
Huawei is a large provider of DSL routers in Italy. I have chosen this search because a friend let me log on to his router so I could show you some of the options that can be changed if you allow logon via the Internet. In reality I cannot see any reason whatsoever to have the web interface for one of these facing the Internet, but as this search will show you, many people do. We will go over changing that later. So the search I am going to run is this:
If you run that query you will see that the results are pretty massive.
Results 1 – 20 of about 98101 for Www-authenticate: “SmartAX”
That is a lot of routers! The query matches the WWW-Authenticate header of the HTTP 401 response Shodan recorded, so the router identifies itself by its Basic auth realm before anyone even logs in. So let's see what a malicious attacker can do with this freely obtained information. A quick Google search for “SmartAX router default user name password” tells us that the default user name and password are admin / admin. Once again this information is not hard to get and anyone can find it. There are literally hundreds of tutorials on the Internet covering breaking into networks with default user names and passwords that any bored kid can follow and cause havoc on a production network. These are the people you really have to watch out for, because they have no idea of the gravity of their actions.
So I select one of the IPs on the list and try to log on.
HOLY CRAP! I could hardly believe it myself. This is a perfect example of the point we are making here. This router is the gateway to somebody's entire network, maybe even a business. This is really bad! So now you are asking yourself, “What's the big deal? It's only a router.” Well, I will show you what the big deal is. Just to be clear, this is a friend's router page I used for the pictures, but I did find many of these routers with default logins, although I did not go any further for obvious legal reasons. So if I click on the Advanced tab I see an option for a firewall. Hmmm… that looks interesting. As most of us are aware, sometimes a firewall is the only line of defense between our computers and the big bad Internet, so it is a pretty crucial piece of software or hardware.
Talk about really bad! Now I have the option of turning off this network's firewall completely. I am going to stop there, but you can clearly see how this situation quickly escalates into something very dangerous for network admins and home users alike. To really drive this point home one more time we will run one more search with Shodan. This time we will try the query “default password”. Remember at the beginning of the article I said that many networks had a weak link on print servers? Well, here is a perfect example:
This is just an excerpt from page one of the search: a whole bunch of print servers that actually broadcast the default password in the banner. Honestly this is the vendor's fault and should be illegal in my opinion. So a quick login to one of these turns up just what I thought it would.
Yep, it's true. People really do have print servers facing the Internet. Most of today's printers are fairly sophisticated, and many have complete shell environments where an attacker can execute code to further compromise the network.
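To make the banner-grabbing point concrete, here is an added example (not code from the original post, and not part of Shodan or its plugin) that classifies a handful of constructed banners of the kinds discussed above: the BusyBox telnet greeting found by the port:23 search, the SmartAX HTTP 401 realm, and a print server that states its default password in its banner. The sample banners, the “PS-9000” name and the “sysadm” password are made up for illustration; the admin/admin SmartAX pair is the one quoted above. This is the sort of triage you would run over banners collected from your own address space.

```python
import re
from dataclasses import dataclass

# Constructed sample responses, modelled on the kinds of banners the post
# describes. Addresses are from the RFC 5737 documentation range; none of
# these are real hosts and the print server product name is invented.
SAMPLE_BANNERS = {
    "198.51.100.10:23": (
        "BusyBox v1.01 (2008.03.24-13:12+0000) Built-in shell (ash)\r\n"
        "Enter 'help' for a list of built-in commands.\r\n\r\n# "
    ),
    "198.51.100.20:80": (
        "HTTP/1.1 401 Unauthorized\r\n"
        'WWW-Authenticate: Basic realm="SmartAX"\r\n'
        "Content-Length: 0\r\n\r\n"
    ),
    "198.51.100.30:23": (
        "Print Server PS-9000 telnet management\r\n"
        "Login with the default password: sysadm\r\n"
        "Password: "
    ),
    "198.51.100.40:22": "SSH-2.0-OpenSSH_7.4\r\n",  # nothing interesting
}

# Known default credentials keyed by HTTP Basic realm. SmartAX admin/admin is
# the pair the post found with a web search; extend the table for your vendors.
DEFAULT_CREDS = {"SmartAX": ("admin", "admin")}

REALM_RE = re.compile(r'WWW-Authenticate:\s*Basic\s+realm="([^"]*)"', re.I)
# "default password: xyz" / "default password is 'xyz'" inside a banner
DEFAULT_PW_RE = re.compile(
    r"default\s+password(?:\s+is)?[:\s]+['\"]?([^\s'\"]+)", re.I)
# a bare shell prompt at the very end of the banner: no login happened
SHELL_PROMPT_RE = re.compile(r"(?:^|\n)[#$] ?$")


@dataclass
class Finding:
    target: str
    kind: str
    detail: str
    severity: str


def classify_banner(target, banner):
    """Return a Finding for one banner, or None if nothing stands out."""
    if "list of built-in commands" in banner and SHELL_PROMPT_RE.search(banner):
        return Finding(target, "unauthenticated_shell",
                       "BusyBox shell prompt with no login", "critical")
    m = DEFAULT_PW_RE.search(banner)
    if m:
        return Finding(target, "password_in_banner",
                       f"banner discloses default password {m.group(1)!r}",
                       "critical")
    m = REALM_RE.search(banner)
    if m:
        realm = m.group(1)
        if realm in DEFAULT_CREDS:
            user, pw = DEFAULT_CREDS[realm]
            return Finding(target, "known_default_credentials",
                           f"realm {realm!r} ships with {user}/{pw}", "high")
        return Finding(target, "basic_auth_exposed",
                       f"HTTP Basic auth realm {realm!r} reachable", "medium")
    return None


def audit(banners):
    """Classify every banner and return findings, worst first."""
    findings = [f for f in (classify_banner(t, b) for t, b in banners.items()) if f]
    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.target))


if __name__ == "__main__":
    for f in audit(SAMPLE_BANNERS):
        print(f"{f.severity:8} {f.target:18} {f.kind}: {f.detail}")
```

The shell check deliberately requires both the BusyBox phrase and a trailing `#`/`$` prompt: a telnet service that shows a login prompt after the BusyBox version string is a different (smaller) problem than one that hands out a root shell. The password regex is only as good as the banners you have seen; treat a miss as “unknown”, not “safe”.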
So at this point hopefully you are sufficiently horrified at the amount of information an attacker can gain on the Internet and are thinking to yourself, “What can I do about this?” Fortunately a little googling and a Sunday afternoon can go a long way toward securing your network. The first thing to do is secure your gateway. By gateway I mean the device that sits between you and the Internet; this is most likely the modem or the router you use to access the Internet. Since Alex has written many articles on DD-WRT routers, I will show how to turn off remote management on mine at home.
See the area that says remote access? Almost all routers, switches and modems have an administration page with a selection that resembles this in some way. I have selected Disable on everything because I can't think of any reason whatsoever to have access to these from the Internet. If for some reason you have to be able to access them from a remote location, there are a few things you can do to make it more secure.
1. Change the default user name and password. Avoid common user names like root, admin, webmaster, administrator and the like, and of course use a complex password that is not found in a dictionary. The default pair is the first thing an attacker tries; the SmartAX example above took one web search to find.
2. Change the web logon to HTTPS. This prevents your user name and password from being transmitted across the Internet in plain text. Most devices ship with a self-signed certificate, so expect a browser warning the first time; that is still far better than sending the password in the clear. As a general rule I always use HTTPS for any sort of web-page-based login, even inside my LAN on my home network.
3. Notice the selection that says Allow any remote IP. You can use this to allow only specific IP addresses to access the web GUI. For instance, if you needed to access the router from work you could add your work's public IP address to the allowed list. This only helps if that address is static, and it limits who can reach the login page rather than replacing a strong password.
Although these suggestions will greatly improve security on your network, I would once again like to drive home the point that if you do not need to access these services via the Internet, it is in your best interest to turn off web access from the outside world.
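The three hardening steps above, as an added example (not the post's own code and not DD-WRT's settings format): a small audit of a gateway's remote-management settings that flags a default-style user name, a weak password, plain-HTTP login and an allow-everything IP list, and a helper that decides whether a given source address would be let through. The settings dictionaries, their field names, the 203.0.113.x “office” addresses, the 12-character password minimum and the word lists are assumptions of this example; map your own device's settings onto them before running it.

```python
import ipaddress

# Hypothetical export of a gateway's remote-management settings. The field
# names are this example's own, not any vendor's. Everything below is
# constructed for illustration.
WEAK_SETTINGS = {
    "remote_management": True,
    "https_only": False,
    "allowed_sources": ["any"],          # the "Allow any remote IP" choice
    "username": "admin",
    "password": "admin",
}

HARDENED_SETTINGS = {
    "remote_management": True,           # only because we really need it
    "https_only": True,
    "allowed_sources": ["203.0.113.25", "203.0.113.64/27"],  # office, say
    "username": "gw-ops-k3",
    "password": "correct-orbit-tulip-47!",
}

# User names the post says to avoid, plus a tiny guessable-password list.
# Both are deliberately short here; use a real dictionary in practice.
DEFAULT_USERNAMES = {"root", "admin", "administrator", "webmaster", "user", "guest"}
WEAK_PASSWORDS = {"", "admin", "password", "root", "1234", "12345", "123456"}
MIN_PASSWORD_LEN = 12   # this example's policy, not a vendor requirement


def parse_allowed_sources(entries):
    """Turn allow-list entries into networks; 'any', '*' or blank mean no restriction."""
    nets = []
    for e in entries:
        e = e.strip()
        if e.lower() in ("any", "*", ""):
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            nets.append(ipaddress.ip_network(e, strict=False))
    return nets


def source_allowed(src, entries):
    """Would a connection from src reach the management page under this allow-list?"""
    addr = ipaddress.ip_address(src)
    return any(addr in n for n in parse_allowed_sources(entries))


def audit_remote_management(s):
    """Return the list of problems with a remote-management configuration."""
    findings = []
    if not s["remote_management"]:
        return findings          # nothing is reachable from the WAN: best case
    if s["username"].lower() in DEFAULT_USERNAMES:
        findings.append("default-style username")
    pw = s["password"]
    if pw.lower() in WEAK_PASSWORDS or len(pw) < MIN_PASSWORD_LEN:
        findings.append("weak or default password")
    if not s["https_only"]:
        findings.append("plain HTTP login")
    # a 0-length prefix (0.0.0.0/0 or ::/0) means every address is allowed
    if any(n.prefixlen == 0 for n in parse_allowed_sources(s["allowed_sources"])):
        findings.append("any remote IP allowed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_remote_management(cfg) or ["ok"])
    print("office host allowed:", source_allowed("203.0.113.70",
                                                  HARDENED_SETTINGS["allowed_sources"]))
    print("random host allowed:", source_allowed("198.51.100.7",
                                                  HARDENED_SETTINGS["allowed_sources"]))
```

An empty findings list for a configuration with remote management disabled is the point of the post: turning the feature off beats hardening it. When it must stay on, the allow-list check is only meaningful with static source addresses, and note that `ipaddress` treats an IPv4 address as outside every IPv6 network (and vice versa), so a dual-stack gateway needs entries for both families.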
A few other interesting Shodan searches to show the amount of insecure hardware on the Internet:
I sincerely hope this article will prompt users and network admins to spend some time securing their networks.