Numerous D-Link Routers have Backdoor in Firmware

Security researchers have found that some D-Link Routers have a completely open backdoor that will allow an attacker full administrator access to the router without ever logging in.

On Saturday Craig from the /dev/ttyS0 website posted an in-depth overview of the backdoor that was found when specific router firmware was reverse engineered and analyzed.

The firmware analyzed was v1.13 for the DIR-100 revA. The same firmware seems to be used in several different routers. A Shodan search shows that several thousand routers could be affected, but only those that have remote administration enabled expose the web interface to the Internet, so those are the critical cases.

The following routers could have the vulnerable firmware:

  • DIR-100
  • DIR-120
  • DIR-615
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

And some Planex routers could also be vulnerable:

  • BRL-04UR
  • BRL-04CW

Not all of the firmware versions are susceptible. But on those that are, all an attacker needs to do is change one setting in their browser and it will take them right to the router admin page without logging in!

Setting the browser user agent to “xmlset_roodkcableoj28840ybtide” and then browsing to a vulnerable D-Link router will give you full admin rights to the device.
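A defender-side check, added here as an example and not part of the original post or the /dev/ttyS0 write-up: a small Python script that scans HTTP access logs for the backdoor User-Agent string quoted above, so that attempts to use it against a device behind a logging proxy, or requests recorded by an IDS, can be spotted. The log lines and addresses are constructed for the demonstration; the combined log format and the case-insensitive match are assumptions of this example, not something the write-up states.

```python
import re
from collections import Counter

# The User-Agent string reported for the backdoor (taken from the write-up above).
BACKDOOR_USER_AGENT = "xmlset_roodkcableoj28840ybtide"

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2013:14:02:11 +0000] "GET /index.htm HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
198.51.100.7 - - [12/Oct/2013:14:02:15 +0000] "GET / HTTP/1.1" 200 987 "-" "xmlset_roodkcableoj28840ybtide"
192.0.2.10 - - [12/Oct/2013:14:03:40 +0000] "GET /status.htm HTTP/1.1" 200 2211 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
198.51.100.7 - - [12/Oct/2013:14:03:52 +0000] "POST /setup.htm HTTP/1.1" 200 640 "-" "Xmlset_roodkcableoj28840ybtide"
this line is not in combined log format and should be skipped
"""


def parse_line(line):
    """Parse one combined-format access log line; return a dict or None if it does not match."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_backdoor_requests(log_text, case_insensitive=True):
    """Return the parsed entries whose User-Agent carries the backdoor string.

    How the device itself compares the string is not stated on this page, so the
    detection side matches case-insensitively by default rather than risk missing
    a casing variant (an assumption of this example).
    """
    needle = BACKDOOR_USER_AGENT.lower() if case_insensitive else BACKDOOR_USER_AGENT
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the whole scan
        ua = entry["ua"].lower() if case_insensitive else entry["ua"]
        if needle in ua:
            hits.append(entry)
    return hits


def sources_by_hit_count(hits):
    """Count offending requests per source address so the noisiest clients surface first."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    hits = find_backdoor_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["src"]} {h["request"]!r} UA={h["ua"]!r}')
    print("per-source counts:", dict(sources_by_hit_count(hits)))
```

Any hit is worth treating as an attempted (or successful) administrative login and correlating with configuration changes on the device; the source counts give a quick list of addresses to block at the perimeter.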

The best way to stop this attack until D-Link releases a patch (later this month) seems to be to turn off remote management.

According to The Register, D-Link has promised to fix the problem by Halloween. Advice from D-Link and any updates can be found on D-Link’s support page.

But for now, turning OFF remote management is probably the safest (and smartest) option. Just go to your router setup and uncheck the remote management box. Check your user manual for directions.

One would have to wonder, why would a company put a backdoor into their product? Especially a product that is designed to keep intruders out.

Veil AV Bypass on Kali

One of the common hurdles for security and penetration testers is bypassing anti-virus on target systems. Veil uses a Metasploit-like interface to create a remote shell program that will bypass most anti-virus programs.

A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

Veil wasn’t originally included in Kali, but has recently been added to the repositories. In this article we will discuss how to install and run Veil on Kali Linux.

Installing Veil

Veil was recently added to Kali; if typing “veil” at a terminal prompt does not start it, it may not be installed yet.

  • To install, just type “apt-get update && apt-get install veil”.
  • Then to run the program, open a terminal and just type “veil”.

And this will bring you to the main menu:

Using Veil

The first thing to do is to list the available payloads using the “list” command:

The payloads are rated by their success rate, so let’s try one of the PowerShell ones.

So just type the “use” command and the number of the payload. We will use the “powershell/VirtualAlloc” payload.

  • Type, “use 9”.

This will select the payload and present us with the following screen:

  • We will just use the default values, so just type, “generate”.

Then you can choose to use Metasploit’s standard msfvenom shellcode or supply your own. We will just choose the default, msfvenom.

  • Type “1” and enter:

Next choose the type of shell; we will just use the default which is reverse_TCP. This means that their computer will connect back to us.

  • Just press “enter” to accept default shell payload:

  • Next Veil will ask for the IP address of the host machine that you are using. Enter the IP address of your Kali machine and press enter.

  • Then enter the Local port that you will be using. I chose to use port 4000:

  • You will then be asked to enter any msfvenom options that you want to use. We won’t be using any, so just press enter to skip them.

And that is it! Veil will then generate our shellcode with the options that we chose.

  • Now we need to give our created file a name. I chose “CutePuppy”.

Okay, “Cutepuppy” sounds a little odd, but remember, you want the target to open the file that you are sending them, so a bit of Social Engineering is required.

If you know they like cute puppies, then our chosen file name is perfect. But you could also name it “2013 Business Report”, or “New Job Requirements”. Whatever you think would be the best.

Veil now has all that it needs and creates our booby-trapped file.

Our file will be stored in the “/usr/share/veil/output/source/” directory.

Just take the created .bat file and send it to our target. When it is run, it will try to connect out to our machine.

We will now need to start a handler listener to accept the connection.

Getting a Remote Shell

To create the remote handler, we will be using Metasploit.

  • Start the Metasploit Framework from the menu or terminal (msfconsole).
  • Now set up the multi/handler using the following screen:

Be sure to put in the IP address for your machine and the port that you entered into Veil. They must match exactly.

Metasploit will then start the handler and wait for a connection:

Now we just need the victim to run the file that we sent them.

On the Windows 7 machine, if the file is executed, we will see this on our Kali system:

A reverse shell session!

Then if we type “shell”, we see that we do in fact have a complete remote shell:

Conclusion

This should help prove that you cannot trust your firewall and anti-virus alone to protect you from online threats. Unfortunately, your network security often depends on your users and what they allow to run.

Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.
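An added example (not from the original article) of the file-type blocking advice above: a Python filter that parses an e-mail and flags attachments whose extension Windows would execute directly when double-clicked, such as the .bat file this walkthrough produces. The message, addresses and block list are constructed for the demonstration; a real mail gateway would additionally inspect archives and file content, which this check does not do.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows executes directly on double-click. .bat is the type produced
# above; the rest of the list is an assumption for this example and can be extended.
RISKY_EXTENSIONS = {
    ".bat", ".cmd", ".com", ".exe", ".scr", ".pif", ".msi",
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
}


def build_sample_message():
    """Construct a sample e-mail with one harmless .bat and one PDF attachment (constructed data)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Cute puppies!"
    msg.set_content("You have to see these puppies :)")
    # Harmless placeholder content; only the declared file name matters for this check.
    msg.add_attachment(b"@echo off\r\necho constructed sample\r\n",
                       maintype="application", subtype="octet-stream",
                       filename="CutePuppy.bat")
    msg.add_attachment(b"%PDF-1.4 constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="2013 Business Report.pdf")
    return msg.as_bytes()


def attachment_extension(filename):
    """Normalise a declared attachment name to its final extension.

    Lower-cases it and strips trailing spaces and dots, so a double extension such as
    'Report.pdf.bat ' still resolves to '.bat' rather than slipping past the check.
    """
    name = (filename or "").strip().rstrip(".")
    return os.path.splitext(name)[1].lower()


def risky_attachments(raw_message):
    """Return a description of each attachment whose extension is on the block list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = attachment_extension(name)
        if ext in RISKY_EXTENSIONS:
            findings.append({
                "filename": name,
                "extension": ext,
                "content_type": part.get_content_type(),
                "size": len(part.get_payload(decode=True) or b""),
            })
    return findings


if __name__ == "__main__":
    for finding in risky_attachments(build_sample_message()):
        print(f"BLOCK: {finding['filename']} ({finding['content_type']}, {finding['size']} bytes)")
```

The filter keys on the declared file name because that is what the user sees and double-clicks; the declared Content-Type is recorded only for the log entry, since a sender controls it and it cannot be trusted to describe the attachment.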

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.

Syrian Hacker Group (SEA) claims to be able to Hack any Website

A video has surfaced this week showing an alleged interview with the commander of the Syrian based hacker group “Syrian Electronic Army” (SEA). In the video the speaker claims that the SEA hacker group can hack any website that posts false information about Syria within just a few hours.

The SEA has gained notoriety by hacking several western news company websites and social media outlets. One of their favorite tactics to gain access seems to be via social engineering. From reports, the group sends very believable e-mails containing booby trapped links.

Though most of the attacks seem to be more nuisance-type attacks, the SEA did successfully deface a US Marine Corps recruiting site last month. I doubt they are on the top list of targets for retaliation by US Cyber Command, as our forces are more concerned with attacking military and infrastructure type targets. But messing with the Marines probably isn’t the wisest thing to do.

What I am curious about, though, is whether the US would ever escalate to kinetic attacks on hacker group leaders. Earlier this month one of Iran’s cyber commanders was executed, presumably by Israeli forces.

Time will tell I guess…

Did Israeli Mossad Assassinate an Iranian Cyber Commander?

Mossad Logo, Translated Text says, "Where no wise direction is, a people falleth; but in the multitude of counsellors there is safety." Pr 11:14

Mojtaba Ahmadi, a commander of Iranian cyber forces, has apparently been assassinated at close range by two people on a motorcycle. With similar assassinations having taken place in Iran, one has to ask, “Was this an Israeli operation?”

According to reports, Ahmadi was shot two times in the heart at close range by two unknown assailants.

“I could see two bullet wounds on his body and the extent of his injuries indicated that he had been assassinated from a close range with a pistol,” an eyewitness told a Revolutionary Guard backed website.

The attack involving assailants on motorbikes sounds like a tactic used several times against Iranian nuclear and missile scientists. Six key Iranians have been assassinated since 2007, and for years Iran and other nations have accused the Mossad of the strikes.

We may never know who was actually responsible, but with cyber attacks coming from Iran and with Iran’s nuclear threat against Israel, it would seem that they might have taken things into their own hands.

And that may now include physically targeting Iran’s cyber warriors.