Want to know how to hack travelers and hotel networks in a matter of minutes? On a recent trip, Nabil Ouchn (@toolswatch) decided to do some some security analysis with a piece of hardware called the PwnPad – a penetration testing tablet – and a few other tools to see what kind of mischief he could get into.

Ouchn is the founder of ToolsWatch.org and the organizer of the Arsenal Tools exhibit at the BlackHat Conferences in both the US and Europe since 2011. ToolsWatch is a free interactive service designed to help auditors, penetration testers, and other security professionals keep their ethical hacking toolbox up to date with the latest and greatest resources.

Ouchn has over 15 years of experience in vulnerability management, compliance assessment and penetration testing, and Co-Founder of an innovative SaaS Multi-Engines Threats Scanning Solution. His adventure began one day at an undisclosed European airport where he had a layover while heading to another country through a connecting flight.

“I had an hour to kill before catching my flight, and I thought I’d do a little fooling around with one of my favorite weapons on the PwnPad: EvilAP,” Ouchn said.

EvilAP can be configured with the option to force clients to connect based on their device’s probe requests, which means it will accept any probe request frames originating from a client.

“No authentication is required, so the connection is completed without the target noticing anything unusual. All they think is they got access to a unlimited 3G internet connection,” Ouchn said.

“To make things seem even more legit, I chose a very catchy and suggestive name for my WiFi connection it was something like “Free_wifi_[popular_store_name] when in fact I was just sitting at a nearby a chocolate store waiting for the first fly to hit my web.”

Along with EvilAP, Ouchn fired up a couple of other tools including SSLstrip – which will transparently hijack HTTP traffic on a network – and Ettercap, which can be used to perform Man-in-the-Middle (MitM) attacks by reprocessing a target’s requests from the fake EvilAP connection to a legit 3G connection, and then pushing it to SSLstrip to perform the HTTPS stripping attack described by Moxie Marlinspike years ago.

It was not very long before Ouchn got his first targets:

Got an auth request from 00:26:37:B5:0D:5D (open system)
Client 00:26:37:B5:0D:5D associated (unencrypted) to ESSID: “free_wifi_xxxx”
.

.

Got an auth request from 30:85:A9:65:F2:73 (open system)
Client 00:26:37:B5:0D:5D associated (unencrypted) to ESSID: “free_wifi_xxxx”

Shortly thereafter, SSLstrip started to hijack all the HTTP and HTTPS traffic:

209:12:25,862 SECURE POST Data (auth.mail.ru):
post=&mhost=m.mail.ru&login_from=&Login=XXXX&Domain=mail.ru&Password=XXXXXX
09:12:30,791 POST Data (events20staging.adtilt.com):
{“guid”:”4DC9F75E-11AB-4B15-84D9-D02BA59E799F”,”guid_key”:”e46a3e5ee6bc1541bf0511a1e4815cf89270c332″}
09:12:30,817 POST Data (events20staging.adtilt.com):
{“guid_key”:”fe283167c6a93973dfadd195526a788385895ea6″,”guid”:”27840061-C877-4112-A4A7-3EC9853FA9E3″,”session_length

09:12:35,610 POST Data (data.flurry.com):

“For security reasons, I masked the password and login in the example above,” Ouchn said. “A  quick look at the target’s email (for curiosity only, and not for doing bad things) revealed the identity of the target who was a businessman from Russia. His email was full of credentials to many of his accounts like banking, other emails accounts, Skype, Facebook, and more. So I stopped there.”

Ouchn said he was able to enumerate six other logins and passwords in just a half hour.

“This attack is one of the easiest because it targeted users and not the airport IT infrastructure. Why would an attacker spend a lot of time digging into the airport systems when users are such easy prey?” Ouchn said rhetorically. “I then closed my computer to catch my flight to the next hub.”

Several hours later, after having missed his next connection, Ouchn said the airline put him up in a wonderful hotel to rest his flight departed the next morning.

“Of course curiosity would not let me sleep once I found out that the room was equipped with an Alcatel VoIP phone and I saw the system options were not protected,” Ouchn recalled. “When system administrators make such a big mistake then you can assume that the whole network is wide open.”

Armed with the Wifi code the hotel staff provided, Ouchn connected to the network with his Android smartphone and then leveraged a very cool application called “Fing,” which performed a network and services discovery listing in a matter of seconds, providing him with a list of connected devices.

Being the middle of the night, he found no guests were connected, so targeting users was not an option. Unwilling to relent, Ouchn tried for a little serendipity.

“I wanted to figure out if any of those hotel IT administrators has ever attended a security convention before, or had even read a book on hacking,” he said. “I fired up Fing on my computer and started scanning – here’s what I found:”

$ sudo fing -s 192.168.13.1/24 -r 1 -d 1

05:22:56 > Service scan on a local network

05:22:56 > Preemptive discovery on: 192.168.13.0/24

05:23:00 > Preemptive discovery completed.

05:23:00 > Service scan on: 192.168.13.1

05:23:00 > Service scan starting.

05:23:00 > Detected MAC address: 00:00:5E:00:01:1E

05:23:07 > Service scan completed in 6.664 seconds.

05:23:07 > Service scan on: 192.168.13.2

05:23:07 > Service scan starting.

05:23:07 > Detected MAC address: 00:E0:B1:E1:2E:03

05:23:07 > Detected service:    21 (ftp)

05:23:07 > Detected service:    23 (telnet)

05:23:07 > Detected service:    22 (ssh)

05:23:07 > Detected service:    80 (http)

05:23:07 > Detected service:   443 (https)

05:23:13 > Detected firewall

05:23:13 > Service scan completed in 6.233 seconds.

05:23:13 > Service scan on: 192.168.13.3

etc etc …

“The device at 192.168.13.2 seemed a to be good place to start,” Ouchn said. “When connecting to TCP/80, it revealed a Webviewfor  Alcatel-Lucent. One of the first things any security pentester will do is trydefault credentials. So my own project DPE came in handy, and I pulled up all the default credentials for Alcatel.”

And guess what?  the admin/switch combination worked:

pic.jpg

He then captured telnet session using the same credentials:

telnet 192.168.13.2

Trying 192.168.13.2…

Connected to 192.168.13.2.

Escape character is ‘^]’.

login : admin

password :

Welcome to the Alcatel-Lucent OmniSwitch 9000

Software Version 6.4.3.520.R01 GA, April 08, 2010

Copyright(c), 1994-2010 Alcatel-Lucent. All Rights reserved.

OmniSwitch(TM) is a trademark of Alcatel-Lucent registered

in the United States Patent and Trademark Office.

XXXX # ?

^

WHOAMI WHO VIEW VI VERBOSE USER USB UPGRADE UPDATE UMOUNT TTY

TFTP TELNET6 TELNET SYSTEM SWLOG SSH6 SSH SHOW SFTP6 SFTP

SESSION SCP-SFTP SCP RZ RMDIR RM RENAME PWD PROMPT NTP NSLOOKUP

NO NEWFS MV MOVE MOUNT MORE MODIFY MKDIR LS KILL IPV6 IP INSTALL

HISTORY FTP6 FTP FSCK FREESPACE EXIT DSHELL DIR DELETE DE

“In fact, I was in front of the Alcatel-Lucent OmniSwitch 9000,” Ouchn said. “If this switch was hit by a malicious attacker or even just a joker, he could modify configurations, change administrator passwords, and even go further since the OmniSwitch 9000 was the core network device of this five star hotel:”

pic.jpg

Ouchn found other administrators which are listed below (login’s are obfuscated for security reasons), and note that a password policy is not being applied:

pic.jpg

“I was on my way to closing my computer down as the clock was ticking on the time-out before when I decided to try one last thing,” Ouchn said. “Getting a connection to the switch FTP service, and I was rewarded:”

Listing Directory /flash/working:

-rw   3303906 Jun  8  2018 Jdiag.img

-rw      9645 Sep 12  2012 boot.cfg 

-rw       744 Jun  5  2018 software.lsm

-rw    581967 Jun  5  2018 Jsecu.img

-rw   3258135 Jun  8  2018 Jdni.img

-rw   2859888 Jun  5  2018 Jadvrout.img

-rw  21798508 Jun  5  2018 Jbase.img

-rw   6497127 Jun  5  2018 Jeni.img

-rw   2151785 Jun  5  2018 Jos.img

“I focused my attention on the boot.cfg file which revealed the whole internal network of IP addresses:”

ip interface “Users” address 192.168.110.2 mask 255.255.255.0 vlan 110 ifindex 1

ip interface “Guest” address Xxxxxxxxx mask 255.255.255.0 vlan 150 ifindex 2

ip interface “Wifi-Guest” address Xxxxxxxxx mask 255.255.255.0 vlan 160 ifindex 3

ip interface “CCTV” address Xxxxxxxxx mask 255.255.255.0 vlan 170 ifindex 4

ip interface “Mgmt” address Xxxxxxxxx mask 255.255.255.0 vlan 200 ifindex 5

ip interface “AP” address Xxxxxxxxx mask 255.255.255.0 vlan 240 ifindex 6

ip interface “Voice” address Xxxxxxxxx mask 255.255.254.0 vlan 120 ifindex 7

ip interface “Internet” address Xxxxxxxxx mask 255.255.255.0 vlan 999 ifindex 8

ip interface “Test” address Xxxxxxxxx mask 255.255.255.252 vlan 99 ifindex 9

ip interface “Guest1″ address Xxxxxxxxx mask 255.255.255.0 vlan 12 ifindex 10

ip interface “Guest2″ address 192.168.13.2 mask 255.255.255.0 vlan 13 ifindex 11

ip interface “Guest3″ address Xxxxxxxxx mask 255.255.255.0 vlan 14 ifindex 12

“Fabulous, I thought. I wish I had one more hour since now I knew exactly which networks belongs to which categories of service ranging from guests (folks like me) to users (hotel employees), CCTV, AP, Voice (VoIP phones), etc…” Ouchn said. “This line in the configuration file caught my attention:”

snmp station 192.168.110.25 162 “xxxxxx” v1 enable

“This reminded me of a login I found previously in the OmniSwitch Local users – there was actually an administrator located in the ‘Users’ VLAN, so it all made sense,” Ouchn continued. “The next logical step was to scan this computer. Normally, if the switch is well configured i could not do such action. I looked at the configuration boot.cfg I’ve downloaded and hopefully the ‘policy rules’ for denying inter-VLAN communications were not enabled. The switch was configured with no security hardening in mind. The scan for the admin computer revealed the following:

05:58:43 > Service scan on: 192.168.110.25

05:58:43 > Service scan starting.

05:58:43 > Detected service:   135 (msrpc)

05:58:43 > Detected service:   139 (netbios-ssn)

05:58:43 > Detected service:   389 (ldap)

05:58:43 > Detected service:   445 (microsoft-ds)

05:58:43 > Detected service:   636 (ldapssl)

05:58:43 > Detected service:  3389 (ms-term-serv)

05:58:43 > Detected service:  3999 (remoteanything)

05:58:46 > Detected firewall

05:58:46 > Service scan completed in 2.984 seconds

Ouchn said he had the choice to do it in a complicated manner using Metasploit and scanning for the appropriate exploits, or he could just focus on a remote service.

“The remote desktop (RDP) was enabled, and II also remember that password policy was not their strength. So, fingers crossed, I launched my RDP client and tried to get access with the password as the login,: Ouchn said. “To my very big surprise, it worked.”

“I immediately disconnect from host without even taking a snapshot. I then quickly tried connections to more than five switches belongings to the other services (VoiP, CCTV…)  and they all accepted default passwords,” Ouchen said.

“I was in for less than one hour and gained access to six of the most important switches for the network and also accessed the computer of the IT Security Administrator at a major five star hotel, but I had to leave to catch my cab to the airport,” he said.

Conclusion

Ouchn emphasizes that the techniques he used are some of the simplest to employ, and he did not have to use SQL injections, cross-site scripting (XSS), CSRF or any of the relatively more sophisticated attacks he might undertake during a challenging pentest.

“Putting together theses basic techniques for a security breach may lead in turn to a major compromise.” Ouchn said of the experiment. “It took me less than one hour to access part of a hotel network, and I didn;t even have time to play with tools like Armitage to get at more.”

“And while major airports may have a decent IT infrastructure, they ignore traveler’s security. I mean, have you never seen an awareness message in an airports about being cautious when using the WiFi? I haven’t,” he said, noting that using a VPN to access accounts is the only legitimate way to protect yourself.

“Do the airports have a responsibility towards protecting their customers? The same applies the hotels where the basic principles of security are not being applied,” Ouchn said.

“What does it cost to deploy a decent compliance and vulnerability management solution? There are plenty of choices ranging from open source and free software like SecureCheq and OVAL for compliance, CIS guides for hardening, etc… as well as commercial solutions,” Ouchn said.

“Anyone who reads this post should be advised that neither airports nor hotels are doing what should be done to improve IT security, so be smart.”

 

Related Articles:

 

P.S. Have you met John Powers, supernatural CISO?

 

Title image courtesy of ShutterStock

Categories: ,

Tags: , , , , , , , , , , , , , ,


14 Comments

Leave a Reply

Anthony M Freed

Anthony M Freed has contributed 483 posts to The State of Security.

View all posts by Anthony M Freed >