Nullcon 7, Goa 2016

Nullcon 7, Goa 2016. Abusing Software Defined Networks (Part 2). Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com. Hellfire Security. Overview. Our Progress Using SDN-Toolkit Assessing Controllers Extending SDN-Toolkit Wrapping Up.


Presentation Transcript


  1. Nullcon 7, Goa 2016 Abusing Software Defined Networks (Part 2)

  2. Gregory Pickett, CISSP, GCIA, GPEN Chicago, Illinois gregory.pickett@hellfiresecurity.com Hellfire Security

  3. Overview • Our Progress • Using SDN-Toolkit • Assessing Controllers • Extending SDN-Toolkit • Wrapping Up

  4. First Presentation • What We Covered • Southbound APIs • Northbound APIs • What’s Changed • Floodlight Improved • OpenDaylight Improved • More Controllers

  5. The Problem • More Controllers • Each With Different API • No Easy Way To Test • Need More In-Depth Testing

  6. The Solution • Make It Easy To Add Controllers • Move Away From Hard Coded • Use Templates Instead • Partner With Burp

  7. The SDN-Toolkit MMMM HMMM

  8. What Is It? • Discover, identify, and manipulate SDN-Based networks • Through Northbound and southbound APIs • Tools • of-switch, and of-flood • of-check, and of-enum • of-map, of-access, and of-scan

  9. What Does It Do? • Identifies OpenFlow Services, Reports on their Versions, and Determines Endpoint Type • Simulates OpenFlow Switches, and Floods Controllers • Maps The Network, Identifies Targets, Builds ACLs, and Locates Sensors • Adds and Removes Access • Fingerprints And Scans Controllers

  10. Problems It Solves? • SDN Fingerprinting • SDN Visibility • SDN Accessibility • SDN Testing • Authentication • Authorization • Validation

  11. What’s Changed • Previously • Northbound APIs Hard Coded • Floodlight and OpenDaylight Only • Now • Can Be Used With Any Controller • Just Extend for New Controller • Add Controller To “config.ini” • Add Operations To “config.ini” • Add Templates For Each Operation

  12. of-scan • First To Be Programmable • “of-map” and “of-access” still only speak to Floodlight and OpenDaylight • They Will Be Ready Soon

  13. Scanning • Setup Proxy • Run of-scan • Pass proxy address • of-scan iterates through all operations • Replaces fields with Default Values • Sends them to controller through proxy • Utilize Burp Active Scan, Repeater, and Intruder

  14. Some Background • Types of APIs • Interface • Datapoints • Testing Methods

  15. Interfaces • Exchange • RESTful • RESTCONF • Paths • Operation • Operation and Target

  16. Interfaces • Formats • JSON • XML

  17. Data Points • Identifiers • Forwarding Elements (Datapaths) and Flows • Domains, Virtual Networks, and Policies • Tenants, Networks, and Contracts • IDs

  18. Types of APIs (OpenDaylight) • Using DatapathIDs (As Target) • Using Flows • Using Operations • Using IDs (As Target)

  19. Time For The Bug Hunt

  20. Testing Methods (Black Box) • Fingerprinting Controller • Encryption Strength • Authentication Checks • Password Guessing • Session Management • Authorization Scheme • Validation

  21. Fingerprinting Controller • of-scan • Autodetection Identifies Controller • Flat-file database of ports, paths, and authentication mechanisms • Is able to authenticate to controller! • nmap • Differentiate between similar controllers • Based on open ports

  22. Demonstration

  23. Encryption Strength • sslyze AND testssl.sh • Usual • Exists? • Type (SSL or TLS) and Version • Heartbleed, POODLE, Log Jam, Bar Mitzvah, Etc. • Cipher Suites (Zero? Algorithms? Key Lengths?)

  24. Authentication Checks • of-scan (HTTP, and Login) • Basic Checks • Am I being required to use password? • Default Password?

  25. Demonstration

  26. Password Guessing • Guessing • HTTP (Basic and NTLM) (thc-hydra) • Login (of-scan and Intruder) • Lockout?

  27. Demonstration

  28. Authentication Checks • openssl and sslyze (Certificate-Based) • Expanded Checks • Client and Server (Usual) • It’s Required? Checks Expiration? • Subject Valid? Impersonate Existing?

  29. Session Management • Use of-scan • Proxy Through Burp • Analyze with Sequencer

  30. Demonstration

  31. Authorization Scheme • of-scan • Basic Check • Adding and Removing Flows • of-access • Expanded Checks • For information gathering, use of-map or MiTM • Try To Modify Different Datapaths, Domains, and Tenants

  32. Validation • Use of-scan • Proxy Through Burp • Test With … • Active Scan • Repeater (Manual Testing) • Intruder

  33. Demonstration

  34. Testing Considerations • Exchanging Messages • Check Out Reply From Controller • Adjust For Feedback • Unique And Revealing Error Messages • Data Being Returned Unfiltered

  35. Manual Approaches • Inappropriate Data Types • Different Character Sets (or symbols) • Data Sizes (Out of Index, String Lengths) • Injected Single and Double Quotes • Anything App-Sec!!

  36. Currently Configured • Big Switch Fabric Controller (AKA. Floodlight) • OpenDaylight • Brocade SDN Controller • HP VAN SDN Controller • OpenContrail • Open Network Operating System • Cisco Application Policy Infrastructure Controller

  37. Adding New Controllers • Config Sections • Controllers • Operations • Section Syntax • Minimum Requirements

  38. Config Sections

  39. Section Syntax (Controllers) Format Path Identifier Identifier Name Port Port Method Method

  40. Section Syntax (Controllers) Headers Token Name Login Template

  41. Section Syntax (Operations) Identifier Name Method Path Template Name

  42. Minimum Requirements • Controller Entry • Operation Entries (Used By of-map and of-access) • ListFlows • AddFlow • AllowTraffic • DropTraffic

  43. Templates • Text File of Expected Message • Gotten From API Documentation • Used Both By AutoDetection and For Operations • Sample Values Replace With Fields • Toolkit Replaces Fields (With Your Values) • Sent To The Controller

  44. Template (HP)

  45. Template (OpenDayLight – Lithium)

  46. Available Fields • Switch • Flowname • Priority • Network Source • Network Destination • Destination Port • Actions • #

  47. Final Thoughts • Standard Attack Tools Still Work Under An SDN • Controller Presents An Additional Attack Surface • Visibility, Accessibility, and Testing Is Difficult Without Extensive Prior Knowledge • Share That Knowledge With The Toolkit • Attack The Controller Same Way You Would An Application • Keep The Vendors Accountable • Keep Your “NextGen” Network Safe

  48. Toolkit • SHA1 hash is 570d5e3994ab04bd39ee00fb784f7904db6350d0 • Updates can be found at http://sdn-toolkit.sourceforge.net/

  49. Links • http://www.slideshare.net/SOURCEConference/security-testing-for-rest-applications-ofer-shezaf-source-barcelona-nov-2011 • https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet • https://wiki.onosproject.org/pages/viewpage.action?pageId=1048699 • https://wiki.opendaylight.org/view/Editing_OpenDaylight_OpenFlow_Plugin:End_to_End_Flows:Example_Flows#Output_to_NORMAL • http://www.juniper.net/techpubs/en_US/release-independent/contrail/information-products/pathway-pages/api-server/index.html • https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:End_to_End_Flows • https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin::End_to_End_Inventory#How_to_push_a_flow_using_RESTCONF • https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:Main • http://networkgeekstuff.com/networking/tutorial-for-creating-first-external-sdn-application-for-hp-sdn-van-controller-part-13-lab-creation-and-rest-api-introduction//
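
An added example, not code from SDN-Toolkit or the presentation, of the mechanism slides 11, 13 and 37-46 describe: operations listed in a config file are rendered from templates with default field values before being replayed through a proxy. The section and key names, the `$field` syntax, the controller name `examplectl`, the paths and all values are assumptions; the requests are built but not sent.

```python
import configparser
import json
from string import Template

# Constructed config; key names follow the slide labels, not the toolkit's real syntax.
CONFIG_INI = """
[controller:examplectl]
format = json
port = 8080
[operation:examplectl:ListFlows]
method = GET
path = /api/flows/$switch
[operation:examplectl:AddFlow]
method = POST
path = /api/flows
template = addflow
"""

# Constructed template: a sample message with its values replaced by fields.
TEMPLATES = {
    "addflow": '{"switch": "$switch", "name": "$flowname", "priority": $priority,'
               ' "src": "$network_source", "dst": "$network_destination",'
               ' "dst_port": $destination_port, "actions": "$actions"}',
}

# Default values for the fields listed on slide 46 (values are constructed).
DEFAULTS = {
    "switch": "00:00:00:00:00:00:00:01", "flowname": "test-flow", "priority": "100",
    "network_source": "10.0.0.1", "network_destination": "10.0.0.2",
    "destination_port": "80", "actions": "output=normal",
}

def build_requests(controller, host, values=DEFAULTS):
    """Render each configured operation to (name, method, url, body); nothing is sent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(CONFIG_INI)
    ctl = cfg[f"controller:{controller}"]
    prefix = f"operation:{controller}:"
    rendered = []
    for section in (s for s in cfg.sections() if s.startswith(prefix)):
        op = cfg[section]
        # substitute() raises KeyError on an unknown field instead of half-filling.
        url = f"http://{host}:{ctl['port']}" + Template(op["path"]).substitute(values)
        body = None
        if "template" in op:
            body = Template(TEMPLATES[op["template"]]).substitute(values)
            if ctl["format"] == "json":
                json.loads(body)  # the rendered message must still parse
        rendered.append((section[len(prefix):], op["method"], url, body))
    return rendered
```

Supporting another controller in this layout means adding one controller section, its operation sections and their templates, with no change to `build_requests`.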
