Wednesday, December 18, 2013

Open vSwitch

Just reading this post: http://openvswitch.org/slides/OpenStack-131107.pdf and slide 13 caught my eye.
(edit: figured out how to link directly to a page in a pdf, should work in chrome and adobe reader: http://openvswitch.org/slides/OpenStack-131107.pdf#page=13)

I'm interested in whether this kernel caching could be hijacked at all from a security standpoint: could further packets be sent that appear to be part of that flow, continuing to ride on the cached entry and bypassing the userland Open vSwitch logic checks?

Should look into the logic that decides if a flow is the same as the previous one. I don't expect that it could be used to route packets improperly, but it should be fun to dig into and is a good reason to learn more about Open vSwitch. Will update this at that point.

Made it to page 17: http://openvswitch.org/slides/OpenStack-131107.pdf#page=17 this has a bit more info on how the user-logic vs cached logic is applied:
"Header fields are hashed and used as an index into a set of large hash tables"
"if entry found, actions applied to packet and counters are updated."
If not: packet is sent to userspace for processing

This seems like a smart way of doing things; still need to dig into the even nittier gritty.
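To make the hit/miss logic from slides 13 and 17 concrete, here is a toy model I put together (not Open vSwitch code): a simplified exact-match cache keyed on a constructed subset of header fields, with a stand-in "userspace" policy that is only consulted on a miss. The policy, packet fields and port numbers are all assumptions for the demo.

```python
# Toy model of the OVS kernel flow cache: hash header fields -> entry;
# hit = apply cached actions + bump counters, miss = upcall to userspace.
from dataclasses import dataclass
from typing import Dict, Tuple, List, Callable

# Constructed flow key: a subset of the header fields the datapath matches on.
FlowKey = Tuple[int, str, str, int, int]  # (in_port, src, dst, proto, dport)


@dataclass
class CacheEntry:
    actions: List[str]
    packets: int = 0
    bytes: int = 0


class KernelFlowCache:
    def __init__(self, userspace_policy: Callable[[dict], List[str]]):
        self.table: Dict[FlowKey, CacheEntry] = {}
        self.upcalls = 0
        self.policy = userspace_policy  # slow path: full rule evaluation

    @staticmethod
    def extract_key(pkt: dict) -> FlowKey:
        # Every matched header field is part of the key, so a packet that
        # differs in any field hashes to a different entry and misses.
        return (pkt["in_port"], pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])

    def process(self, pkt: dict) -> List[str]:
        key = self.extract_key(pkt)
        entry = self.table.get(key)
        if entry is None:
            # Miss: send to userspace, which decides and installs an exact-match entry.
            self.upcalls += 1
            entry = CacheEntry(actions=self.policy(pkt))
            self.table[key] = entry
        entry.packets += 1          # counters updated on every hit
        entry.bytes += pkt["len"]
        return entry.actions


def policy(pkt: dict) -> List[str]:
    # Assumed userspace rule set: allow UDP/53 from the tenant port, drop the rest.
    return ["output:2"] if pkt["proto"] == 17 and pkt["dport"] == 53 else ["drop"]


def demo():
    cache = KernelFlowCache(policy)
    allowed = {"in_port": 1, "src": "10.0.0.5", "dst": "10.0.0.53",
               "proto": 17, "dport": 53, "len": 80}       # constructed packet
    lookalike = dict(allowed, dport=4444)  # same src/dst, different port -> new key
    r1 = cache.process(allowed)     # miss -> upcall -> cached as output:2
    r2 = cache.process(allowed)     # hit, no upcall, counters bump
    r3 = cache.process(lookalike)   # miss -> userspace drops it
    return r1, r2, r3, cache.upcalls, cache.table[cache.extract_key(allowed)].packets
```

The point for the question above: with an exact-match key, a packet only "rides" a cached entry if every keyed header field matches, so anything that differs takes the slow path and gets the full userspace checks.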

Thursday, November 28, 2013

BacNET - I watched a ShmooCon video and here are my notes

Brad Bowers [BradBowers@digitalintercept.com]

  • Also has a good youtube channel for Arduino and Zigbee security stuff: https://www.youtube.com/user/warezjoe5


BacNET Attack Framework

  • About BacNET networks and how to attack them
  • ShmooCon Video: http://www.youtube.com/watch?v=c4LMrKEO_t0
  • Code should be hosted here, but isn't: http://www.digitalintercept.com/bacnet
    • quips about someone helping him set up a github in his talk (what issues could he be having?)
    • also couldn't find code on google or github
    • sent him an email at BradBowers@digitalintercept.com asking whether the code is public, but it bounced; I'll find a working email.

BacNET

  • All over UDP (47808)
  • No MAC address for BacNET, just IP + port
    • so holy crap spoofable (in addition to it being UDP)
  • no authentication
  • more universal than many of the proprietary SCADA devices that sit behind BacNET devices
  • Used in building temperature networks, elevators, SCADA systems, HVAC, others

What's the attack surface?

  • He found at least 62 internet-exposed devices
  • this number is growing
  • Let's adapt his stuff for ZMAP or another one of the "whole internet scanning" tools.
  • Maybe search the Internet Census 2012 to see if that port was scanned (unlikely - wasn't it just the top X ports?)

BacNET Attack Framework:

  • all in python
  • lots of scapy involved
  • BacNET_arpsweep.py
    • id all devices on a network (not just BacNET)
  • BacNET_scanner.py
    • id listeners listening on UDP/47808
    • this is the BacNET port
  • BacNET_Sniff.py - will only pull in BacNET IP packets
    • throws it in scapy which lets you pick it apart
    • lots of different settings possible with that
  • BacNET_Search.py - id BacNET based on a popular search engine
  • BacNET_IAMRouter.py
    • sends a BVLL packet - "send me everything you have, I'm the current primary BacNET gateway device"
    • can act as same router
    • can act as different router
  • BacNET_Confirmed_alarm.py
    • highpriority packet
    • ignores all other traffic and does whatever this packet wants
    • sometimes causes device to crap out
  • BacNET_Spoof.py
    • allows a form of fuzzing
    • lots of stuff falls over or has unintended consequences
  • BacNET_Flood.py
    • DoS a unique device (gateway, or sensor)
    • (My addition) Attack scenario: "This temperature sensor is gone, I'm that device, you only see my traffic because I'm flooding you with my data" It's 'cool'
  • BacNET devices can be CRUSHED by the packet production capabilities of a normal laptop; gotta scale it down sometimes or you get an accidental DoS.