bsidessp: pentesting in sdn - owning the controllers
TRANSCRIPT
![Page 1: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/1.jpg)
Pentesting in SDN Owning the controllers
@espreto
![Page 2: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/2.jpg)
Who Am I?
Roberto SoaresInformation Security ConsultantConviso Application Security@espreto
![Page 3: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/3.jpg)
• Network (traditional)• SDN Overview• Threat Vectors• Pentesting• Defense• Future
![Page 4: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/4.jpg)
Traditionally…• Specific Vendors;• Scalability;• Complexity;• Hardware Focus;• Interoperability;• etc…
https://33.media.tumblr.com/tumblr_m8gl3iiTk51qjve0go1_500.gif
![Page 5: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/5.jpg)
Classical Model
1. Package sent to the switch.2. Switch looks in their polices.3. Switch forwards the packet to the server.
![Page 6: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/6.jpg)
SDN
http://www.algoblu.com/en/image/sdn_1.jpg
(Software Defined Network)
![Page 7: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/7.jpg)
SDN: ArchitectureData Plane & Control
Plane
“SDN isn’t a technology, it’s a architecture”.
![Page 8: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/8.jpg)
SDN: Technical
1. Packet is sent to the switch.2. Packet header is extracted and sent to the controller.3. Controller (check) adds a new flow in the switch table.4. Switch forwards the packet to the server.
![Page 9: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/9.jpg)
Vendors
“SDN is just a fad…”
![Page 10: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/10.jpg)
Controllers• Commercial• HP VAN SDN• Juniper Contrail• Oracle SDN• Cisco XNC• Huawei POF
•Open-Source• Mininet• OpenDayLight• FloodLight• Juniper OpenContrail
![Page 11: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/11.jpg)
OpenFlow• Communication between the controller and the switch (logical/physical).• Routing flow based.• Secure channel for transmission.• Allows for programming "Flows" (traffic type);• Allows for switching different network layers to be combined;• Not limited by the platform or be enforced by the protocols.“SDN != OpenFlow”
![Page 12: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/12.jpg)
OpenFlow (internal)
https://www.sdncentral.com/wp-content/uploads/2013/04/figure1.png
![Page 13: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/13.jpg)
It’s time for revision!
DEMO 1SDN overview with mininet
“Why set up your network if you can program it?”
![Page 14: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/14.jpg)
Threat Vectors
map.ipviking.com
![Page 15: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/15.jpg)
Vectors!Data Plane
Control Plane
Admins
1
7
6
5 4
3
2
![Page 16: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/16.jpg)
Attacks!1. Fake/Hijacked traffic flows.2. Switch vulnerabilities.3. Vulnerabilities on Control Plane communications.4. Controller vulnerabilities.5. Untrusted apps/plugins on controller.6. Vulnerabilities on admin computer.7. Lack of resources for security analysis.
Specific to SDN
![Page 17: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/17.jpg)
Attacks!1. Fake/Hijacked traffic flows.2. Switch vulnerabilities.3. Vulnerabilities on Control Plane communications.4. Controller vulnerabilities.5. Untrusted apps/plugins on controller.6. Vulnerabilities on admin computer.7. Lack of resources for security analysis.
![Page 18: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/18.jpg)
Pentesting...1. Identify controllers.2. Enumerate configs.
![Page 19: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/19.jpg)
Default PortsControllers:
FloodLight/Mininet/Pox/POF/HP VAN port 6633.Oracle SDN port 6522.
Management Interface:FloodLight port 8080.OpenDayLight Web Interface port 8080.HP VAN SDN & IBM SDN-VE port 8443.Cisco XNC HTTP (8080) and HTTPS (8443).
![Page 20: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/20.jpg)
DEMO 2sdn_enum_controllers.rb
It’s time for revision!
https://github.com/espreto
![Page 21: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/21.jpg)
AuthenticationDefault passwords:
FloodLight = floodlight:<null>OpenDayLight = admin:adminHP VAN SDN = admin:skylineJuniper Contrail = admin:contrail123IBM SDN-VE = admin:adminCisco XNC = admin:admin
![Page 22: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/22.jpg)
REST APIs• FloodLight port 8080
• (http://localhost:8080/wm/core/controller/switchs/json)
• OpenDayLight port 80/8080• (http://localhost/rest/v1/model/controller-node)
• HP VAN SDN port 35357/8443• (https://localhost:8443/sdn/v2.0/auth)
• Juniper Contrail port 8081/8082• (http://localhost:8081/analytics/uves)
• IBM SDN-VE port 8443• (http://localhost:8443/one/nb/v2)
• Cisco XNC port 8080• (http://localhost:8080/controller/nb/v2/monitor)
![Page 23: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/23.jpg)
DEMO 3It’s time for revision!
https://github.com/espreto
sdn_enum_configs_api.rb
![Page 24: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/24.jpg)
DEMO 4It’s time for revision!
https://github.com/espreto
sdn_hp_change_pass.rb
![Page 25: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/25.jpg)
Real World...
http://cdn.business2community.com/wp-content/uploads/2014/08/real_world_dwight_meme.jpg
![Page 26: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/26.jpg)
Try Hard• VLANs?• IDS/IPS?• NAC?• Etc, etc, etc…
“Packet Analysis is your best friend”.
Look:idle_timeout, hard_timeout, rtt values, etc.
![Page 27: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/27.jpg)
Defense• Apply controls in CP and DP;• Restrict access APIs;• Audit internal malicious activity;• Plugins/Applications that add levels of security;• Hardening;• Secure Development Lifecycle (SDLC);• Specialized intrusion tests;• Others…
“Security must not be optional”.
![Page 28: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/28.jpg)
Future...• Coordination of CVEs with vendors; \o/• Advanced research with SDN;• Donations of Switches (OpenFlow supported); • Create a group to share information;• And…
“Opportunities are usually disguised as hard work, so most people don't recognize them”.Ann Landers.
…of this research:
![Page 29: BsidesSP: Pentesting in SDN - Owning the Controllers](https://reader033.vdocuments.mx/reader033/viewer/2022042605/58f2f7b61a28aba2448b45c3/html5/thumbnails/29.jpg)
Questions?
@espretorsoares[at]conviso.com.brrobertoespreto[at]gmail.co
miwantshell.com