
Hacking the Big Railway Company

It all started with a hypothesis

There are a lot of free proxy servers on the Internet. But who in their right mind would open Internet access to everyone through their router? Basically, there are two options: either these are jailbroken devices, or the owner forgot to disable this feature.

So I got the idea to test the hypothesis: “Is there life behind a proxy?”

I ran nmap against a range of addresses on port 8080. Then I ran the results through a proxy checker in search of a public proxy without authorization, and from the positive results I chose the one closest to me by ping.

I launched the scanner through it against the addresses 172.16.0.0/12 on port 8291 (MikroTik Winbox). And I found one! No password!

That is, behind the router with a proxy there is another one – Mikrotik without a password. The hypothesis is confirmed: there can be whole unprotected networks behind the proxy.
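Seen from the proxy owner's side, this pivot leaves a clear trace: clients outside the private ranges asking the proxy for private destinations. The following is an added example, not code from the original post; the log format (`<client_ip> <method> <target>`), the sample lines and the function names are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# RFC 1918 ranges; the scan in the post went to 172.16.0.0/12.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample. Assumed log format: "<client_ip> <method> <target>".
# Outside clients use documentation address ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 CONNECT 172.16.4.20:8291
203.0.113.7 CONNECT 172.16.4.21:8291
10.1.1.5 CONNECT 172.16.4.20:8291
198.51.100.9 GET http://192.168.88.1/
198.51.100.9 CONNECT example.org:443
not a log line at all
"""

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def parse_line(line):
    """Return (client_ip, dest_ip, port), or None if the line is unusable."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, method, target = parts
    try:
        if method == "CONNECT":
            host, _, port = target.rpartition(":")
        else:
            url = urlsplit(target)
            host, port = url.hostname or "", url.port or 80
        return (ipaddress.ip_address(client),
                ipaddress.ip_address(host), int(port))
    except ValueError:
        return None  # malformed line, or hostname target (needs DNS; skipped)

def find_pivots(log_text):
    """Requests where an outside client asks the proxy for an internal IP."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, dest, port = parsed
        if not is_internal(client) and is_internal(dest):
            hits.append((str(client), str(dest), port))
    return hits
```

Any hit from `find_pivots` means the proxy is relaying outside traffic into the internal network; the same condition, outside client plus private destination, is what a proxy access rule should deny.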

But at that moment I underestimated the scale of the “insecurity” that I had accidentally found.

Finding System Owner

Without thinking twice, I brought up an outgoing VPN to myself. It is still more comfortable to study the network through a normal tunnel and look for signs of the owner of the system. HTTP CONNECT is not really a comfortable way.

I did not find anything interesting behind the ether1 and bridge interfaces. The cameras I found were not informative at all.

But the VPN scan, marked in red in the screenshot above, turned up more than 20,000 devices …
Moreover, more than 1000 of them are MikroTiks. A huge number of devices have factory passwords.

Here are some of the services found with default passwords:

1. Surveillance cameras.

No fewer than 10,000 units. Different manufacturers: Beward, Axis, Panasonic, etc.

2. IP phones and FreePBX servers, also in large numbers.

3. IPMI servers.

4. Ethernet-to-‘whatever’ converters (Moxa, UniPing, etc.).

5. UPS management systems.

6. Network equipment.

Of course, there are many different routers. As mentioned above, the MikroTiks are more interesting to me. The vast majority have the latest firmware and non-empty passwords. But there are also some without passwords and with outdated firmware.

Outgoing tunnels come up easily. That is, there is practically no filtering of outgoing connections.
Moreover, there is a huge number of MikroTiks with the proxy enabled, similar to the one through which I got into this network. By the way, tunnels through them also come up remarkably well.

How did it happen?

I have always believed that vulnerabilities in corporate networks appear due to mistakes or special actions of illiterate employees. The first thing that came to my mind was that some security officer had brought up a VPN from his home to a work MikroTik-powered network in his home network. But in this case, this hypothesis of mine fell apart as soon as I saw the reverse resolution of the address through which I got to this MikroTik.

What needs to be changed to reduce the likelihood of potential consequences?

What follows is purely my view on how to resolve this situation. It has nothing to do with world best practices.

I will also note up front that the problem concerns only the video surveillance network that I discovered. In other segments of the Russian Railways network, I very much hope, everything is much better.

1. Hire network auditors to help find and close the most gaping holes.

2. Hire cool system architects who have extensive experience building large networks. And they will not necessarily be Russian specialists. Set the following tasks for them:

2.1. Bring the current infrastructure to a safe state at minimal cost (why invest a lot of money in a project that will soon be dismantled?).

2.2. Develop a new full-fledged infrastructure that meets all security requirements, along with a phased migration plan.

3. Hire a contractor who will implement these projects and hand them over to Russian Railways network engineers for operation.

4. After delivery of projects, conduct an audit of infrastructure security.

5. At the end of pentests, announce a Bug Bounty.

In the future, the internal information security audit service should be kept permanent, and bonuses should be based on the bugs detected and their elimination.

Written by Black Bunny
