
Hacking Intranets

If anyone is interested in the Hacking Intranets presentation I gave this week, the video (which has very poor audio quality, unfortunately), slides, and demo code are available online. I'm not super-pleased with the results, as I think I tried to cram too much information into too short a time-frame (especially when 15 minutes were subtracted from the length I had to present in!), but the take-away, how easy it is to use web browsers to hack intranets, is worth reiterating.
To recap, I used the AttackAPI library from pdp along with a slightly modified version of his backframe project to set up a local webserver that allowed me to interactively control visiting web browsers. Unfortunately, no one from the audience was willing to join the wireless network I had set up (no trust in the security industry these days!) to demo the network, so I used a spare laptop of my own with a volunteer from the audience to steer it.

I had him verify that he was on the "inside" of the Linksys router I was using (originally a WRT54GC until we were somehow locked out of it and I had to switch to my backup WRT54Gv2), log in, and change the password. As he was doing that, I set up the AttackAPI libraries to force his browser to not only change the password to an entirely new one, but also enable remote management of the device. The fun part about this is that the Linux-based WRT54G is susceptible to this attack even if JavaScript is disabled. That's worth repeating: JavaScript disabled, password changed, still possible to hack the router. Changing the password would have been a defense only if he had then closed his browser, causing it to lose the session authentication information; as it stands, it's still a great example of using CSRF (cross-site request forgery) to hack internal devices. Had the password been left at the default, it would have been just as easy to hack.

The WRT54GC did require the data to be submitted via a form, which is done most easily with JavaScript enabled, but is also possible if you can convince the visitor to click anywhere on the page (a transparent full-screen image submit button, with the form targeted at a hidden iframe so the user never sees the response and just thinks the link is broken).

The short of it is that it's trivial to exploit the network from the inside out using no browser vulnerabilities at all, just the functions built into the browser as they were designed. There's a lot of work left to be done to secure the way the web works (as if anybody needed convincing of that!).