LOUISVILLE - DerbyCon – During his talk on Friday, Rapid7’s HD Moore presented findings to attendees of DerbyCon, which are the result of his research and efforts to map the Internet. He focused on what he calls the “funky little ghost towns” that emerge and the trends that are reviled when one does large-scale mapping on the Internet.
Some of Moore’s findings offer a look into the state of security for systems that are exceedingly common, as well as those that may not be given a second look during a security assessment – but are critical nevertheless.
“We’re in an unprecedented time in out lives, were we have an abundant amounts of data, and not enough attention (and time) to spend on it,” he said.
“It’s not a matter of getting the data any more; it’s a matter of what to do with it.”
Fingerprinting has long been a tool used by security professionals on a network, and criminal hackers are no strangers to the process either. It isn’t like the data discovered is private. Networking protocols are standardized, and the services running on a given port are designed to respond one way or another. Again though, collecting the data and using or analyzing the data from a large-scale mapping project are two different things.
“You can have the same types of devices, the same types of switches, and the same type of organization, and entirely different represented exposure of vulnerabilities and exposed datasets,” Moore said.
As an example of one of the patterns within the dataset that came from his scanning initiative, Moore highlighted the 43 million servers that had Simple Network Management Protocol (SNMP) enabled. “SNMP is a pretty scary freaking protocol to expose to the world,” Moore explained.
SNMP can release a ton of information about a network, including all the different routes used, any running processes and services on Linux and Windows, installed software patches on the same versions. Moreover, SNMP arguments that are displayed can also contain passwords to services such as RDP or SSH, which are exposed in the clear. Data leaks aside, SNMP can also be used to launch amplification DDoS attacks.
UPNP, something that most administrators don’t feel is a risk by itself if exposed, is another interesting finding. Moore disagrees with the low risk assessment, as there are only about a dozen unique implementations of the UPNP software in the world being used. Almost all of them are based on the Intel SDK, which has several bugs. Moreover, most of the bugs in the SDK were forked by vendors without addressing the issues and sold to clients.
“So you’ve got this massively potentially exploitable vulnerability, in a protocol that no one’s really looked at, that exposes more devices other than HTTP, and no one knows about it. So have fun,” Moore said.
When it comes to Cisco, there was little surprise that Moore was able to locate a massive amount of them during his scanning. Risk wise, Cisco puts out about 40 iOS updates a year, but most organizations won’t flash their routers more than once every five years. In fact, most will use the router until it breaks.
Based on the data reported by SNMP, taken from the 360,000 that were exposed, the average router had about 60 flaws. The most exploitable version of iOS on the planet is 12.2, because Cisco “added a whole slew of features that all had vulnerabilities at once, and no one ever updated past it.”
The mapping project is expected to last for another six months or so, Moore noted towards the end of his talk. Hopefully that additional work will mean stronger and more robust data sets, which in turn can be used to help administrators understand what they’re exposing to the world and why it matters.
You can view HD's full DerbyCon talk in the video below: