SD-WAN Internet Census, Zeronighst 2018
- 1. or How to Find SD-WANs and not to Lose Yourself Denis Kolegov Oleg Broslavsky Anton Nikolaev
- 3. Not (really) so long time ago, we decide to start a big SD-WAN journey SD-WAN NewHope
- 5. “SD-WAN is perfectly safe for implementing wide- area networks affordably, efficiently and securely.”
- 7. XSS
- 8. Client-side Authentication ? ! // TODO: fix in prod ?
- 11. Unfortunately, this talk is not about sophisticated hacking techniques (cause you do not need them to hack SD-WAN) This talk about how to find those low-hanging fruits on the Internet?
- 12. The Main Questions • How many SD-WAN nodes on the Internet? • Do we need new techniques to scan and fingerprint them? • How to find vulnerable SD-WAN nodes?
- 13. Approach Best EffortWhen you have to underline the best effort approach but you don’t know exactly how to
- 15. SD-WAN Essence or That Boring Part of Slides Again
- 17. F*ck that shit! We are hackers!
- 18. Just kidding. We need it for understanding.
- 21. Search Engines
- 24. Query Correction html:Sonus + title: "SBC Management Application"
- 25. More Query Correction! We can use corrections to build full product map! https://github.com/sdnewhop/sdwannewhope/issues/7
- 28. Version Leakage
- 30. How to Find Them All? Let’s help Dora!
- 32. We have a NMAP!
- 36. What About Really Hard Cases? Easy Peasy Lemon Squeezy? Difficult Difficult Lemon Difficult!
- 37. SSH Fingerprinting SD-WAN version in /etc/issue message masscan our banner zgrab /sdnewhop/zgrab2 /nmap/nmap/issues/1389
- 38. Websocket • Nmap can’t scan Websocket • No standard NSE Websocket libraries • Weird behavior in custom NSE Websocket libraries
- 40. Stop! What about Internet scanning?
- 42. You should scan all Internet using masscan
- 43. -Johny, Johny? -Yes, papa -Scanning Internet? -No, papa -Telling lies? -No, papa
- 44. > well you kinda killed the entire Tomtech network.. > literally everything is down. > so looks like I can’t help you with servers anymore, sorry.
- 46. SD-WAN Harvester
- 47. SD-WAN Harvester Workflow Find SD-WANs Grab versions Run NSE Frontend Get results
- 48. Results
- 49. SD-WAN Map
- 50. Top of founded SD-WAN Vendors
- 51. Top of founded SD-WAN Solutions
- 53. Harvester Charts But seriously, harvester can build next pie charts by: • vulnerabilities • vendors • products • countries • continents https://github.com/sdnewhop/sdwan- harvester/tree/master/samples
- 55. Conclusions • Many different vendors and related products have been found • Most products are susceptible to version leakage • More often products are leaky and vulnerable
- 56. SD-WAN New Hope https://github.com/sdnewhop/ • Sergey Gordeychik • Denis Kolegov • Oleg Broslavsky • Max Gorbunov • Nikita Oleksov • Nikolay Tkachenko • Anton Nikolaev • SD-WAN Internet Census • SD-WAN Harvester • SD-WAN Infiltrator • SD-WAN Threat Landscape