Stu t17 a
Transcript of Stu t17 a
MOBILE AND THE CONNECTED WORLD
Kevin Mahaffey, CTO, Lookout
Session ID: STU-T17A
Session Classification: Intermediate
getButterfly http://www.flickr.com/photos/59770877@N05/6317955134/
Nmap scan report for 192.168.XXX.XXX
Host is up (0.014s latency).
Not shown: 65510 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2000/tcp  open  cisco-sccp
5060/tcp  open  sip
7504/tcp  open  unknown
7533/tcp  open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49163/tcp open  unknown

Nmap scan report for 192.168.XXX.XXXX
Host is up (0.0019s latency).
PORT     STATE SERVICE
80/tcp   open  http
5060/tcp open  sip

Nmap scan report for 192.168.XXX.XXX
Host is up (0.017s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
515/tcp  open  printer
5358/tcp open  unknown
9090/tcp open  zeus-admin
9100/tcp open  jetdirect
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Nmap scan report for 192.168.XXX.XXX
Host is up (0.024s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
515/tcp  open  printer
5358/tcp open  unknown
9090/tcp open  zeus-admin
9091/tcp open  xmltec-xmlmail
9100/tcp open  jetdirect
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Nmap scan report for 192.168.XXX.XXX
Host is up (0.019s latency).
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
4352/tcp  open  unknown
5120/tcp  open  unknown
5357/tcp  open  wsdapi
7142/tcp  open  unknown
7145/tcp  open  unknown
7146/tcp  open  unknown
7200/tcp  open  fodms
7201/tcp  open  dlip
41794/tcp open  crestron-cip

Nmap scan report for 192.168.1.XXX
Host is up (0.0057s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
80/tcp    open  http        Linksys E4200 WAP http config
139/tcp   open  netbios-ssn Samba smbd 3.X
445/tcp   open  netbios-ssn Samba smbd 3.X
51000/tcp open  unknown
MAC Address: C0:C1:C0:XX:XX:XX (Cisco-Linksys)

Nmap scan report for 192.168.1.XXX
Host is up (0.0028s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh        OpenSSH 5.8p1-hpn13v11 (protocol 2.0)
80/tcp   open  http       Apache httpd 2.2.22 ((Unix))
161/tcp  open  snmp?
515/tcp  open  printer?
548/tcp  open  afp?
631/tcp  open  ipp        CUPS 1.4
5000/tcp open  http       Apache httpd 2.2.22 ((Unix))
5432/tcp open  postgresql PostgreSQL DB 8.3.9 - 8.3.11
MAC Address: 00:11:32:XX:XX:XX (Synology Incorporated)

Nmap scan report for 192.168.1.XX
Host is up (0.13s latency).
All 65535 scanned ports on 192.168.1.XX are closed
MAC Address: 18:B4:30:XX:XX:XX (Nest Labs)
SSL Certificate
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Nest Labs, Inc., CN=Nest Private Server Certificate Authority
Validity
    Not Before: Aug 14 00:46:40 2012 GMT
    Not After : Aug 14 00:46:40 2013 GMT
Subject: C=US, O=Nest Labs, Inc., CN=devices.nest.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)

SSL Certificate
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CA, ST=Ontario, L=Toronto, O=Ecobee Inc, OU=Development, CN=ecobee.com
Validity
    Not Before: Dec 5 22:06:37 2007 GMT
    Not After : Dec 2 22:06:37 2017 GMT
Subject: C=CA, ST=Ontario, L=Toronto, O=Ecobee Inc, OU=Development, CN=ecobee.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)

Nmap scan report for 192.168.1.XXX
Host is up (0.027s latency).
All 65535 scanned ports on 192.168.1.XXX are closed
MAC Address: 00:1C:BE:XX:XX:XX (Nintendo Co.)

SSL Certificate
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Washington, O=Nintendo of America Inc, OU=NOA, CN=Nintendo CA/[email protected]
Validity
    Not Before: Mar 28 19:07:13 2008 GMT
    Not After : Mar 26 19:07:13 2018 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Nintendo, CN=*.shop.wii.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)

Nmap scan report for 192.168.1.XXX
Host is up (0.0065s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE
3689/tcp  open  daap       Apple iTunes DAAP 11.0.1d1
5000/tcp  open  rtsp       Apple AirTunes rtspd 160.10
7000/tcp  open  http       Apple AirPlay httpd
7100/tcp  open  http       Apple AirPlay httpd
62078/tcp open  tcpwrapped
MAC Address: 70:56:81:XX:XX:XX (Unknown)

SSL Certificate
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL SGC CA
Validity
    Not Before: Oct 2 00:00:00 2012 GMT
    Not After : Oct 2 23:59:59 2013 GMT
Subject: 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/businessCategory=Private Organization/serialNumber=C0806592, C=US/postalCode=95014, ST=California, L=Cupertino/street=1 Infinite Loop, O=Apple Inc., OU=iTMS Engineering, CN=p2-buy.itunes.apple.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)

Nmap scan report for 192.168.1.XXX
Host is up (0.0031s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE
23/tcp    open  telnet?
80/tcp    open  http           GoAhead-Webs embedded httpd
443/tcp   open  ssl/http       GoAhead-Webs httpd
1024/tcp  open  rtsp           Apple AirTunes rtspd 103.2
5000/tcp  open  upnp?
5001/tcp  open  commplex-link?
6666/tcp  open  tcpwrapped
8080/tcp  open  http-proxy?
10100/tcp open  unknown
15555/tcp open  unknown
MAC Address: 00:05:CD:XX:XX:XX (Denon)

SSL Certificate
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, ST=Kanagawa, L=Kawasaki-ku,Kawasaki-shi, O=D&M Holding Inc., OU=Denon Brand Company, CN=firmware.denon.jp/[email protected]
Validity
    Not Before: Jan 14 07:37:43 2009 GMT
    Not After : Jan 9 07:37:43 2029 GMT
Subject: C=JP, ST=Kanagawa, L=Kawasaki-ku,Kawasaki-shi, O=D&M Holding Inc., OU=Denon Brand Company, CN=firmware.denon.jp/[email protected]
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
POST /firminfo.php HTTP/1.1
Host: firmware.denon.jp:443
Content-Type: multipart/form-data; boundary=---------------------------16068598951
Authorization: Basic XXXXXXXXXXXXXXXXX

-----------------------------16068598951
Content-Disposition: form-data; name="FILE"; filename="RequestFirmInfo.xml"
Content-Type: text/xml

<firminfo_request>
  <req_option>1</req_option>
  <device_id>0005CD25XXXX</device_id>
  <id>0</id>
  <divisionnum>0</divisionnum>
  <req_pkgver></req_pkgver>
  <req_item></req_item>
</firminfo_request>
-----------------------------16068598951
Nmap scan report for 192.168.1.XXX
Host is up (0.0024s latency).
All 65535 scanned ports on 192.168.1.XXX are closed
MAC Address: 00:1D:BA:XX:XX:XX (Sony)

GET /support/blu-ray/BDP-S300_USA/BDP-S300_USA.frf HTTP/1.1
User-Agent: ORION_FRF_UA_START(00:1d:ba:XX:XX:XX BDP-S300_USA 07.0.010 M)END_ORION_FRF_UA
Host: blu-ray.update.sony.net
Accept: */*
Connection: Close

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 21 Jun 2012 06:43:16 GMT
Accept-Ranges: bytes
Content-Length: 368
Content-Type: text/plain
Date: Mon, 25 Feb 2013 00:03:00 GMT
Connection: close

<BINARY DATA>
http://xtra.simplexnet.com/a_e/FA/4100-0055.pdf
http://w3.usa.siemens.com/buildingtechnologies/us/en/integrated-solutions/command-and-control/Pages/command-and-control.aspx
BIG PROBLEMS WITH CONNECTED DEVICES
Lots of exposed services
Pwnable firmware update mechanisms
Low end-user visibility that something is fishy
  How will you know if a device gets hacked?
Manufacturer abandonment
  How long will manufacturer keep device current?
ADMINISTRATORS
Apply patches to all connected devices
  Some devices need a manual <click>
Segment your network
  SIP phones don’t need to talk to your source code management server
Monitor internal netflows
Perimeter defenses are helpful
Make sure you trust your Internet connection
DEVELOPERS
Use SSL
Validate certificate chaining to a trusted root
Use modern crypto
Digitally sign firmware
Penetration-test your devices
Harden your update servers
Apache/2.2.3 (Red Hat) DAV/2 mod_auth_pgsql/2.0.3 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 SVN/1.6.11 mod_perl/2.0.4 Perl/v5.8.8
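An added example, not part of the original slides: a Python check that applies the DEVELOPERS advice above to the Ecobee and Nest certificate summaries shown earlier, flagging weak signature hashes, short RSA keys, self-signed certificates and long validity periods. The thresholds and the audit_certificate name are assumptions of this example.

```python
import re
from datetime import datetime

# Thresholds are assumptions of this example, not values from the slides.
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048
MAX_VALIDITY_DAYS = 825
DATE_FORMAT = "%b %d %H:%M:%S %Y"
FIELDS = {
    "sig": r"Signature Algorithm:\s*(\S+)",
    "issuer": r"Issuer:\s*(.+)",
    "subject": r"Subject:\s*(.+)",
    "not_before": r"Not Before:\s*(.+?)\s*GMT",
    "not_after": r"Not After\s*:\s*(.+?)\s*GMT",
    "bits": r"Public Key:\s*\((\d+) bit\)",
}
# Summaries taken from this page, reflowed to one field per line.
ECOBEE = """Signature Algorithm: md5WithRSAEncryption
Issuer: C=CA, ST=Ontario, L=Toronto, O=Ecobee Inc, OU=Development, CN=ecobee.com
Not Before: Dec 5 22:06:37 2007 GMT
Not After : Dec 2 22:06:37 2017 GMT
Subject: C=CA, ST=Ontario, L=Toronto, O=Ecobee Inc, OU=Development, CN=ecobee.com
RSA Public Key: (512 bit)"""
NEST = """Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Nest Labs, Inc., CN=Nest Private Server Certificate Authority
Not Before: Aug 14 00:46:40 2012 GMT
Not After : Aug 14 00:46:40 2013 GMT
Subject: C=US, O=Nest Labs, Inc., CN=devices.nest.com
RSA Public Key: (2048 bit)"""

def audit_certificate(text):
    """Return a list of findings for one openssl-style certificate summary."""
    cert = {}
    for name, pattern in FIELDS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"missing field: {name}")
        cert[name] = match.group(1).strip()
    findings = []
    if cert["sig"] in WEAK_SIGNATURES:
        findings.append(f"weak signature algorithm {cert['sig']}")
    if int(cert["bits"]) < MIN_RSA_BITS:
        findings.append(f"RSA key of {cert['bits']} bits")
    if cert["issuer"] == cert["subject"]:
        findings.append("self-signed (issuer equals subject)")
    days = (datetime.strptime(cert["not_after"], DATE_FORMAT)
            - datetime.strptime(cert["not_before"], DATE_FORMAT)).days
    if days > MAX_VALIDITY_DAYS:
        findings.append(f"validity of {days} days")
    return findings
```

A summary like this only describes what the server presents; the device still has to verify the chain to a trusted root, as the slide says.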