Are Invisible Barbarians At Your Gates?

Published 2013-02-12 (last modified 2013-02-21) at https://www.webadminblog.com/index.php/2013/02/12/are-invisible-barbarians-at-your-gates/
Categories: NetFlow/Networking, Security

A couple of weeks back, HD Moore posted a blog entry entitled "Security Flaws in Universal Plug and Play: Unplug, Don't Play" (https://community.rapid7.com/community/infosec/blog/2013/01/29/security-flaws-in-universal-plug-and-play-unplug-dont-play) supporting a Rapid7 whitepaper (https://community.rapid7.com/docs/DOC-2150) in which he discusses the 81 million unique IP addresses that respond to UPnP discovery requests on the Internet and the 23 million fingerprints that match a version of libupnp that exposes those systems to remote code execution. His research on the subject is fascinating and I highly recommend reading it, but that's not the reason I'm writing this. The first question this research had me asking myself was whether my organization uses UPnP for anything. As far as I can tell, the answer is, thankfully, no. Next, out of curiosity, I began to wonder how many people were out there actively trying to find these exploits. A perfect opportunity to fire up our new LYNXeon tool (http://www.21ct.com/products-services/lynxeon/).

Our LYNXeon tool is configured to consume NetFlow data provided by literally hundreds of routers and switches in our global environment. One of the most interesting things about it is that it can be used to see the traffic that comes in from our edge routers before it gets squashed by our firewall. Used this way, it lets us visualize the so-called "Barbarians" at our gates: the attackers out there probing for weak spots in our security in order to get in. And since I know that UPnP is not a service we offer to the Internet at large, it makes finding the people who are looking to exploit it that much easier.

I fire up LYNXeon and my first step is to write a pattern in what is known as "PQL", or "Pattern Query Language". While their Cyber Analytics Catalog offers a ton of templates for finding potential threats, PQL is the basis of all those queries, and writing your own lets you define your own catalog of things to look for. The language is pretty easy to understand. First you define the characteristics of the connections you are looking for. After doing some research, I found that HD was looking for openings in UPnP's Simple Service Discovery Protocol (SSDP) service, which typically runs on UDP/1900. So my query is for connections from external source IPs to internal destination IPs using the UDP protocol on port 1900. Once the connections have been defined, all that is left is to define the data you want to see in the results. In total, my PQL pattern is 15 lines of code:

[Image: ssdp (https://www.webadminblog.com/wp-content/uploads/2013/02/ssdp.png)]

Now it's officially time to make these invisible Barbarians visible. I tell LYNXeon to show me only results from the last day (to reduce the time the search takes) and then tell it to "Execute Pattern Search" using the pattern file I just created. Search times will vary with the timeframe searched, the number of forwarding devices, and how complicated your search criteria are. For me, this search returned 539 results in one minute and 38 seconds.

[Image: complete (https://www.webadminblog.com/wp-content/uploads/2013/02/complete.png)]

Now that I have results, I just need to select how to view them. My personal favorite is viewing the results in the Link Explorer, which shows the data as nodes on a pictorial graph. I make one quick adjustment using an organizational feature called "Force Directed Layout" to make the picture look pretty, and voila!

[Image: zoomedout (https://www.webadminblog.com/wp-content/uploads/2013/02/zoomedout.png)]

OK, so zoomed out it looks like a bunch of spider webs. Now the fun begins as we zoom in on each cluster to see what is going on.

[Image: zoomedin (https://www.webadminblog.com/wp-content/uploads/2013/02/zoomedin.png)]

I've blacked out the IP address of the system these guys are connecting to, as it is irrelevant for the purposes of this post, but you can clearly see that in the past day this one system has had eight unique IP addresses attempt to connect to it on UDP port 1900. I've got dozens more just like these on that big graph above, with varying degrees of complexity. From here, LYNXeon allows me to resolve DNS and/or ARIN names for the associated IP addresses. I can also expand on those sources to see what else of mine they've been talking to. Is that cool or what? It's taken me minutes to find these potential threats, with little more than a few clicks of the mouse. The Barbarians are most definitely at my gates, silently pounding away, and chances are pretty good that they are doing the same to you. The question is: can you find them?