This article consists of two parts. The first part demonstrates, through examples, how vulnerabilities in network devices are exploited. The second part describes security reinforcement (hardening) techniques for network devices and, based on an example, introduces some important aspects of security reinforcement.
Network Device vulnerability exploitation instance
A router is the egress point of a network. All inbound and outbound traffic must pass through the router. Once the router is fully controlled by attackers, they can control the entire network. The following uses TP-Link and D-Link as examples to demonstrate how the vulnerabilities are used to successfully control the target router.
Use the vulnerability to completely control the TP-Link Router
Vulnerability name: TP-Link Wireless Router backdoor Vulnerability
Affected Versions:
TP-LINK TL-WDR4300 v1
TP-LINK TL-WR743ND
TP-LINK TL-WR743ND v1.2
TP-LINK TL-WR941N
TP-LINK TL-WR2041
TP-LINK TL-WDR4310
TP-LINK TL-WDR4320
TP-LINK TL-WR743N
Cause of the vulnerability: some versions of the TP-Link Wireless Router have a backdoor for debugging. Hackers can execute arbitrary system commands using this backdoor.
Test process:
Detect vulnerabilities
Access http://ip/userRpmNatDebugRpm26525557/linux_cmdline.html. If the target host serves the linux_cmdline.html page, the vulnerability exists; otherwise it does not.
Figure 1
Execute Command
On the page returned above, enter the user name (osteam) and password (5up), type the command to be executed in the command field, and then click Send to execute it.
Figure 2
Figure 3
Completely control the D-Link router through Vulnerabilities
Vulnerability name: D-Link Wireless Router Remote Command Execution Vulnerability
Affected Versions: D-Link DIR-300 v2.12 and 2.13, D-Link DIR-600 v2.12b02, 2.13b01, 2.14b01, etc.
Hazards: attackers can remotely execute arbitrary system commands, resulting in full control of the router.
Vulnerability cause: Because the device does not restrict access to command.php, attackers can construct specific HTTP requests and execute arbitrary system commands.
Manual testing process:
Check whether the target router has the command.php page
First, request the command.php page on the target router. If 200 is returned, the vulnerability exists. Otherwise, the vulnerability does not exist.
Figure 4
Construct an HTTP request and execute the command
Construct a POST request, send it to the target router with a packet-sending tool, and watch for the returned data packets. Figure 5 shows an example of obtaining the Web management account and password of the target router:
Figure 5
Now that we have successfully obtained the Web administrator account and password of the target router, we can log on to the Web management interface of the device to view and modify its configuration.
Figure 6
Vulnerability Testing using tools:
The process above shows that manual vulnerability testing is cumbersome and inefficient. Next we will use tools to automate the vulnerability testing process.
Vulnerability Detection
Figure 7
Execute Command
Figure 8
Figure 9
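Both flaws above are reached through a fixed request path, so a defender can search HTTP logs for them. The following is an added example, not part of the original article: it scans log lines from a network sensor or proxy for the two paths and ranks each hit by the response code. The log layout, function names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Request paths named in the article (compared lower-cased).
INDICATORS = {
    "/userrpmnatdebugrpm26525557/linux_cmdline.html": "TP-Link debug page",
    "/command.php": "D-Link command.php",
}

# Assumed sensor layout (constructed): device client [time] "METHOD path HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<dev>\S+) (?P<src>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

def verdict(method, status):
    """A 200 means the page exists; a POST answered with 200 is a command attempt."""
    if status != 200:
        return "probe-miss"
    return "command-attempt" if method == "POST" else "exposed-page"

def scan(lines):
    """Map each device to its (time, client, indicator, verdict) hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # line is not in the assumed layout
        # Normalise before matching: drop the query, decode %xx, fold case and '//'.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        path = re.sub(r"/+", "/", path)
        label = INDICATORS.get(path)
        if label:
            hits[m["dev"]].append(
                (m["ts"], m["src"], label, verdict(m["method"], int(m["status"]))))
    return dict(hits)

def exposed_devices(hits):
    """Devices that answered 200 at least once and need patching or isolation."""
    return sorted(d for d, hs in hits.items() if any(h[3] != "probe-miss" for h in hs))

# Constructed sample lines using documentation address ranges.
SAMPLE = [
    '192.0.2.1 203.0.113.50 [12/Mar/2024:10:01:02 +0000] "GET /userRpmNatDebugRpm26525557/linux_cmdline.html HTTP/1.1" 200',
    '192.0.2.1 203.0.113.50 [12/Mar/2024:10:01:09 +0000] "GET /index.html HTTP/1.1" 200',
    '192.0.2.7 198.51.100.9 [12/Mar/2024:10:02:30 +0000] "GET /command.php HTTP/1.1" 404',
    '192.0.2.8 198.51.100.9 [12/Mar/2024:10:02:31 +0000] "POST //command.php?x=1 HTTP/1.1" 200',
]
```

A device listed by exposed_devices() answered one of these paths with 200 and should be upgraded or have its management interface taken off reachable networks.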
Network Device Security reinforcement instance
From a technical point of view, the security reinforcement of network equipment mainly needs to start from the following aspects:
The security of the device itself, including whether the system version of the device has vulnerabilities and whether the hardware has backdoors.
Account password settings and user permission allocation, such as whether the account password meets the complexity requirements, whether there is a weak password, and whether the user permission allocation is appropriate. In principle, only necessary permissions are assigned to the corresponding user.
Whether the device is properly configured, including management configuration and policy configuration.
Different network devices can refer to the above three aspects for security reinforcement, and carry out security reinforcement operations based on the characteristics of the equipment.
Security reinforcement instance
The following walks through a security reinforcement example for rising-star InterScan. Rising-star InterScan security reinforcement focuses on the following aspects:
Promptly upgrade the device system version, virus feature library, and URL feature Library
Figure 10
Figure 11
Account password settings and user permission assignment
Modify the default Administrator account and password. Create a user account based on your actual needs, assign necessary permissions to the account, set a complex password, and modify the password on a regular basis; modify the default logon parameters to improve security.
Figure 12
Device Access Control
Use a dedicated management port to manage devices. Configure the device so that only specific IP addresses are allowed to access its IP address. Do not open device access to the Internet.
Figure 13
The device provides five management methods: "Serial Port", "HTTP", "HTTPS", "SSH", and "Telnet". We recommend that you do not use the "HTTP" and "Telnet" methods to manage the device, because both transmit the user name and password in plain text, which can be easily sniffed by malicious users. Finally, modify the default management port.
Figure 14
Figure 15
Send device logs to the SysLog server
After the device is restarted, some device logs are cleared. We recommend that you send the logs to a dedicated SysLog server for better log storage. In this way, you can analyze the cause through logs after a problem or security event occurs.
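The access-control, account and logging recommendations above can be checked mechanically. The following is an added example, not part of the original article and not the device's own tooling: it audits a settings export and compares a weak configuration with a reinforced one. The settings layout, key names, default-name list and the assumption that the device defaults are the well-known ports are all hypothetical.

```python
import ipaddress

# Hypothetical settings layout; key names are assumptions, not the device's format.
PLAINTEXT = {"http", "telnet"}               # the article: credentials sent in plain text
STANDARD_PORT = {"https": 443, "ssh": 22}    # assumed to be the device defaults
DEFAULT_ADMINS = {"admin", "administrator", "root"}  # assumed common default names

def audit(cfg):
    """Return sorted (severity, message) findings for one device's management settings."""
    out = []
    for name, svc in cfg["management"].items():
        if not svc["enabled"]:
            continue
        if name in PLAINTEXT:
            out.append(("high", f"{name} management is enabled"))
        elif name in STANDARD_PORT and STANDARD_PORT[name] == svc.get("port"):
            out.append(("low", f"{name} listens on default port {svc['port']}"))
    sources = cfg["allowed_sources"]
    if not sources:
        out.append(("high", "no management source allow-list"))
    for entry in sources:
        # A /0 entry matches every address, which defeats the allow-list.
        if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
            out.append(("high", f"allow-list entry {entry} admits any address"))
    if cfg["admin_user"].lower() in DEFAULT_ADMINS:
        out.append(("medium", "default administrator name still in use"))
    if not cfg.get("syslog_server"):
        out.append(("medium", "logs are not forwarded to a syslog server"))
    return sorted(out)

# Constructed sample configurations (documentation address range).
WEAK = {
    "management": {"serial": {"enabled": True}, "http": {"enabled": True, "port": 80},
                   "https": {"enabled": True, "port": 443},
                   "ssh": {"enabled": False, "port": 22},
                   "telnet": {"enabled": True, "port": 23}},
    "allowed_sources": ["0.0.0.0/0"], "admin_user": "admin", "syslog_server": "",
}
HARDENED = {
    "management": {"serial": {"enabled": True}, "http": {"enabled": False, "port": 80},
                   "https": {"enabled": True, "port": 8443},
                   "ssh": {"enabled": True, "port": 2222},
                   "telnet": {"enabled": False, "port": 23}},
    "allowed_sources": ["192.0.2.10/32", "192.0.2.11"],
    "admin_user": "netops-7f", "syslog_server": "192.0.2.20",
}

if __name__ == "__main__":
    for sev, msg in audit(WEAK):
        print(sev, msg)
```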