Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Privacy of ISP's customers

from [Javier Fernández-Sanguino] Network Security [Permanent Link]
Subject: Re: Privacy of ISP's customers
Date: Thu, 25 Jan 2007 10:14:30 +0100
Alcides dijo:
Hi List,
I'm presently working with a semi-government ISP as a security consultant.
The ISP has provided Internet access to the customers via phone lines, it's DSL.

The ISP managers seem to be clueless. The issues you described were fixed by DSL ISPs in most locations a long time. Basicly it reduces to this:

a) If you put computers in the same VLAN then they can talk between themselves.
b) If some of those computers gets compromised, the compromise can spread to the other computers.

Some ISPs will put all their customers in a single VLAN with public addresses but will have switching fabric that will prevent customer A to talking to customer B, they can only send traffic to their gateway and not to anyone else. Of course, this works fine if we are talking about residential customers (they don't need to speak between themselves) but no so much for corporate customers (which need to).

The customer is given q DSL router as a CPE. ISP people configure it with 2 IP addresses; one local and one global, and implement NAT for security. And the router is configured using both ie Global/Private IP address in a browser.

Routers should never be configured to be remotely managed using global (I guess you mean "public") IP addresses. Never. Period.

I recently have been asked to find out loopholes in the mentioned system where the customer's privacy is not taken care or can be compromised. 

I don't understand this line. Is customer's privacy important or not?

Now when I started my activities impersonating a normal customer, I found that:
1]I can nmap and discover open ports on my and neighboring IP addresses.

That's because they have an unrestricted VLAN. They shouldn't do that. They should setup private VLANs.

2] This included HTTP, HTTPS, FTP, SMB, NB-SSN etc services listening for incoming connections.

Why are those ports even available through the router? They should be firewalled out. Is there any need for users to, for example, share folders across that network?

3]When I try to connect to some customer's HTTP port, I'm taken to his/her DSL-router(CPE) config. page, Configuration password is asked but is blank.

Two issues here:
- DSL-routers should not allow management from external ports
- DSL-routers should not be installed with factory defaults (blank passwords)


Now my questions:
1]What kind of tests can be carried out in order to find out what level of access can other customers gain and 

There's lots of things you can do. You can

a) configure a DSL-router of another customer to send *you* its traffic (setting your public address as its gateway). Then configure your router to act as a bridge (some allow this) and handle the traffic by a system sitting behind the router that would capture all the traffic and forward it to the legitimate gateway. Acting as MITM you can modify network flows in order to substitute legitimate files downloaded from the Internet with trojans to compromise the system.

b) try to access remotely the shares of users running Windows can be accessed (if they allow null IPC$ mapping, have insecure passwords, etc.). If you can do this and you can write to disk you can probably plant trojans that will eventually compromise the system.

c) configure the DSL-router of other customers to map public ports to internal hosts in order to access (from a public host) additional servers that could be (remotely) compromised. Depending on the systems and software behind the DSL router you might get acess to VNC services, Terminal Services, etc.

2]What degree of impact can it have as far as the privacy of the customers is considered.

I'd say you have all the elements needed to compromise *any* of the customer computers. It might take some (fun) work but, on the paper, it certainly looks doable.

Regards

Javier

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  VPN Server, kapil assudani
Next by Date:  Re: Novell Password Cracking Issue, s-williams
Previous by Thread:  RE: Privacy of ISP's customers, Marc Doudiet
Next by Thread:  New article on SecurityFocus: Wishes for 2007, Erin Carroll
Indexes:  [Date] [Thread] [Top] [All Lists]