Inner Mongolia Tietong backbone router configuration leak allows mass scanning and login (using SNMP to obtain the pass


Author: 烤土豆啦 | Source: published 2019-02-13 16:07

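    Something I put together out of boredom in college. It's written really stupidly, hahahaha, and I really can't be bothered to fix it.

    Disclosure status:

    2015-10-04: Details reported to the vendor, awaiting vendor handling
    2015-10-12: Vendor confirmed; details disclosed to the vendor only
    2015-10-22: Details disclosed to core white hats and experts in related fields
    2015-11-01: Details disclosed to regular white hats
    2015-11-11: Details disclosed to trainee white hats
    2015-11-26: Details disclosed to the public

    Brief description:

    Pretty simple: I scanned all of my city's Tietong routers and switches and was able to log in successfully. One of them is a BGP router.

    Detailed description:

    During the holidays I was bored at home and wanted to test how secure my home Tietong network was. So I searched Baidu for the IP of the PPPoE interface, and unexpectedly Baidu turned up this:

    http://.../view/8b0f0d718e9951e79b892786.html?from=search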


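    This is the configuration document of one of my city's Tietong backbone routers... truly pig-like teammates. Although the usernames, passwords and other important information in this configuration file have since been changed, it leaks the network segments of many interfaces. We can use this information to scan them with NMAP. And most importantly, the SNMP password has not changed; quite possibly all of Inner Mongolia Tietong uses this SNMP password... However, the SNMP setup on the Tongliao side is restricted by an ACL, so outsiders cannot access it freely. But Chifeng Tietong's SNMP has no such restriction and can be accessed freely. Download a small SNMPWALK tool and you can read all kinds of information from the routers.

    First, read out the IPs of all its interfaces and scan them with NMAP.

    Anything with telnet port 23 open is most likely a router. Judging by the models, they are basically all Huawei routers. Huawei routers previously had a vulnerability that allows usernames and passwords to be obtained via SNMP. Following the hints, I obtained the passwords of several routers and logged in successfully.

    Basic network devices like routers are generally something nobody dares to upgrade casually; if it's running fine with no problems, why upgrade it? So when a security vulnerability appears, it doesn't get fixed in time. Internet security is so important nowadays, and you still dare to treat a BGP router this way. Although this BGP is IBGP, it's still pretty important. And when you've finished a project, don't casually upload the configuration files to the Internet, even if you say the passwords are all encrypted. But did you know that for Huawei, H3C and HP routers, passwords encrypted that way can be recovered? If you don't believe me, go search GitHub and you'll find it. Even if you changed everything, you didn't change the SNMP password, which indirectly exposed the SNMP password of Inner Mongolia Tietong's routers. I only looked at Chifeng; I reckon that elsewhere this problem is even more serious....

    Still, I should thank you; after all, this let me learn a lot about carrier network architecture.

    Proof of vulnerability:

    This is the router configuration for Sidaowan Town: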

    <SiDaoWan_3300>dis current-configuration
    #
     sysname SiDaoWan_3300
    #
     router id **.**.**.**
    #
     vlan batch 1 10 to 12 20 30 to 31 35 50 to 61 99 257 321 411
     vlan batch 1000 to 1015 2000 to 2105 3004 3500 to 3501 3556 to 3558 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813
     vlan batch 3900 to 3902 3910 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981 4000
    #
     cluster enable
     ntdp enable
     ntdp hop 16
     ndp enable
    #
     voice-vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Simens phone
     voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000 description Cisco phone
     voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
     voice-vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips/NEC phone
     voice-vlan mac-address 00d0-1e00-0000 mask ffff-ff00-0000 description Pingtel phone
     voice-vlan mac-address 00e0-7500-0000 mask ffff-ff00-0000 description Polycom phone
     voice-vlan mac-address 00e0-bb00-0000 mask ffff-ff00-0000 description 3com phone
    #
     undo http server enable
    
    interface Vlanif1
    #
    interface Vlanif10
     description To ZhongXinJu9306_B
     ip address **.**.**.** **.**.**.**
    #
    interface Vlanif11
     description dianyuanjiankong
     ip address **.**.**.** **.**.**.**
    #
    interface Vlanif30
     mtu 1560
     description To XinHuiS3300
     ip address **.**.**.** **.**.**.**
    #
    interface Vlanif3556
     description me60-1-1-guanli
      ip address **.**.**.** **.**.**.**
    #
    interface Vlanif3558
    #
    interface Ethernet0/0/1
     description dongwanzi-xinmin-damuchang5615
     port trunk allow-pass vlan 3004 3901 3965 3971 3980
     port hybrid untagged vlan 50
     bpdu enable
     qinq vlan-translation enable
     port vlan-stacking vlan 1 to 400 push vlan 50 priority-inherit
     port vlan-stacking vlan 500 to 600 push vlan 50 priority-inherit
     port vlan-mapping external-vlan 3965 map-external-vlan 3965 priority-inherit
     port vlan-mapping external-vlan 3971 map-external-vlan 3971 priority-inherit
     port vlan-mapping external-vlan 3980 map-external-vlan 3980 priority-inherit
     port vlan-mapping external-vlan 3901 map-external-vlan 3901 priority-inherit
     port vlan-mapping external-vlan 3004 map-external-vlan 3004 priority-inherit
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/2
     description bajia_baijiadian_qujiawan_shanzui
     port trunk allow-pass vlan 3501 3900 3967 to 3968 3970 3974 3981
     port hybrid untagged vlan 51
     bpdu enable
     qinq vlan-translation enable
     port vlan-stacking vlan 1 to 500 push vlan 51 priority-inherit
     port vlan-stacking vlan 501 to 600 push vlan 51 priority-inherit
     port vlan-stacking vlan 601 to 1000 push vlan 51 priority-inherit
     port vlan-mapping external-vlan 3900 map-external-vlan 3900 priority-inherit
     port vlan-mapping external-vlan 3968 map-external-vlan 3968 priority-inherit
     port vlan-mapping external-vlan 3970 map-external-vlan 3970 priority-inherit
     port vlan-mapping external-vlan 3974 map-external-vlan 3974 priority-inherit
     port vlan-mapping external-vlan 3501 map-external-vlan 3501 priority-inherit
     port vlan-mapping external-vlan 3981 map-external-vlan 3981 priority-inherit
     port vlan-mapping external-vlan 3967 map-external-vlan 3967 priority-inherit
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/3
     description xiaoheyan-dongwanzi5615
     port trunk allow-pass vlan 3004 3901 to 3902 3950 3971 3980
     port hybrid untagged vlan 52
     bpdu enable
     qinq vlan-translation enable
     port vlan-stacking vlan 1 to 300 push vlan 52 priority-inherit
     port vlan-stacking vlan 301 to 1000 push vlan 52 priority-inherit
     port vlan-mapping external-vlan 3901 map-external-vlan 3901 priority-inherit
     port vlan-mapping external-vlan 3950 map-external-vlan 3950 priority-inherit
     port vlan-mapping external-vlan 3971 map-external-vlan 3971 priority-inherit
     port vlan-mapping external-vlan 3980 map-external-vlan 3980 priority-inherit
     port vlan-mapping external-vlan 3004 map-external-vlan 3004 priority-inherit
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/4
     description sidanwanjiliansidaowan
     port trunk allow-pass vlan 2000 3965
     port hybrid untagged vlan 59
     undo negotiation auto
     bpdu enable
     qinq vlan-translation enable
     port vlan-stacking vlan 100 to 500 push vlan 59 priority-inherit
     port vlan-mapping external-vlan 2000 map-external-vlan 2000 priority-inherit
     port vlan-mapping external-vlan 3965 map-external-vlan 3965 priority-inherit
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/5
     port default vlan 11
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/6
     description bajia3300
     port trunk allow-pass vlan 51 3501 3900 3955 3967 to 3968 3970 3974 3981
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/7
     description shipinjiankong
     port link-type access
     port default vlan 3801
     undo negotiation auto
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/8
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/9
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/10
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/11
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/12
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/13
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/14
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/15
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/16
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/17
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/18
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/19
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/20
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/21
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/22
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/23
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface Ethernet0/0/24
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface GigabitEthernet0/0/1
     description to BAS1-1 GE2/0/8
     port trunk allow-pass vlan 10 to 12 20 30 to 31 35 50 to 61 99 257 321 411 1000 to 1015
     port trunk allow-pass vlan 2000 to 2015 3004 3500 to 3501 3556 to 3557 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813
     port trunk allow-pass vlan 3910 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981 4000
     jumboframe enable 13296
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface GigabitEthernet0/0/2
     port default vlan 1
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface GigabitEthernet0/0/3
     description beiyong to xinhui3300 ge0/0/3
     port trunk allow-pass vlan 11 30 50 to 52 59 99 257 1000 to 1015 2000 to 2015 3004 3501
     port trunk allow-pass vlan 3801 3900 to 3902 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981
     combo-port copper
       undo negotiation auto
       speed 1000
     combo-port media type
       combo-port auto
     jumboframe enable 13296
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface GigabitEthernet0/0/4
     description To XinHuiS3300
     port trunk allow-pass vlan 12 20 30 to 31 35 53 to 61 257 411 1000 to 1015 2001 to 2015 3500
     port trunk allow-pass vlan 3557 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813 3902 3910 3955 3967
     port trunk allow-pass vlan 3981 4000
     combo-port media type
       combo-port auto
     jumboframe enable 13296
     bpdu enable
     ntdp enable
     ndp enable
    #
    interface NULL0
    #
    interface LoopBack0
     ip address **.**.**.** **.**.**.**
    #
    

    The one at Lindong railway station:

    <lindonghuochezhan3300>dis current-configuration
    #
     sysname lindonghuochezhan3300
    #
     vlan batch 1 3 31 to 32 100 to 101 200 300 to 301 1000 to 1020 3008 to 3050 3563 3902 to 3903
     vlan batch 4002 to 4003 4010
    #
     observing-port 4 interface Ethernet0/0/9
    #
     cluster enable
     ntdp enable
     ntdp hop 16
     ndp enable
    #
     voice-vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Simens phone
     voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000 description Cisco phone
     voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
     voice-vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips/NEC phone
     voice-vlan mac-address 00d0-1e00-0000 mask ffff-ff00-0000 description Pingtel phone
     voice-vlan mac-address 00e0-7500-0000 mask ffff-ff00-0000 description Polycom phone
     voice-vlan mac-address 00e0-bb00-0000 mask ffff-ff00-0000 description 3com phone
    #
     undo http server enable
    #
    vlan 3
     description TO DaBan-MA5200G
    #
    acl number 3001
     rule 5 permit icmp source **.**.**.** 0 destination **.**.**.** 0
     rule 10 permit icmp source **.**.**.** 0 destination **.**.**.** 0
     rule 15 permit icmp source **.**.**.** 0 destination **.**.**.** 0
     rule 20 permit icmp source **.**.**.** 0 destination **.**.**.** 0
    #
    traffic classifier test
    traffic classifier tongji
     if-match acl 3001
    #
    traffic behavior test
    traffic behavior tongji
     count
    #
    traffic policy test
     classifier test behavior test
    traffic policy tongji
     classifier tongji behavior tongji
    #
    interface Vlanif200
     ip address **.**.**.** **.**.**.**
    #
    interface Vlanif3563
     description daban5200g-guanli
     ip address **.**.**.** **.**.**.**
    #
    interface Vlanif4002
     ip address **.**.**.** **.**.**.**
    #
    interface Vlanif4003
     ip address **.**.**.** **.**.**.**
    #
    interface Vlanif4010
     ip address **.**.**.** **.**.**.**
    #
    interface Ethernet0/0/1
     description lindong8220
     port link-type dot1q-tunnel
     port default vlan 300
     undo negotiation auto
    #
    

    The Daban router. Note that this one is a BGP router:

    interface NULL0
    #
    interface LoopBack1
     ip address **.**.**.** **.**.**.**
     isis enable 1
     isis circuit-level level-2
    #
    bgp 64611
     group IBGP-Group internal
     peer IBGP-Group description To-CF-RR1-Server-IBGP-Group
     peer IBGP-Group connect-interface LoopBack1
     peer **.**.**.** as-number 64611
     peer **.**.**.** group IBGP-Group
     peer **.**.**.** as-number 64611
     peer **.**.**.** group IBGP-Group
     #
     ipv4-family unicast
      undo synchronization
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
      network **.**.**.**
      network **.**.**.**
      network **.**.**.**
      network **.**.**.**
      peer IBGP-Group enable
      peer IBGP-Group next-hop-local
      peer **.**.**.** enable
      peer **.**.**.** group IBGP-Group
      peer **.**.**.** enable
      peer **.**.**.** group IBGP-Group
     #
     ipv4-family vpnv4
      reflector cluster-id **.**.**.**
      policy vpn-target
      peer **.**.**.** enable
      peer **.**.**.** enable
     #
     ipv4-family vpn-instance VPN_IP_MGMT
      network **.**.**.** **.**.**.**
      network **.**.**.** **.**.**.**
     #
    

    Oh, and there's also a Huawei firewall in Tongliao, hahaha. You pig-like teammates have dragged the Tongliao folks into this too.

    sysname TL-FIREWALL-EUDEMON1000E
    #
     ftp server enable
    #
     web-manager enable
    #
     firewall packet-filter default permit interzone local trust direction inbound
     firewall packet-filter default permit interzone local trust direction outbound
     firewall packet-filter default permit interzone local untrust direction inbound
     firewall packet-filter default permit interzone local untrust direction outbound
     firewall packet-filter default permit interzone trust untrust direction inbound
     firewall packet-filter default permit interzone trust untrust direction outbound
    #
     firewall statistic system enable 
     firewall log stream enable 
    #
    

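    There's also part of the topology, but I won't give it to you. It's drawn too badly; go study it yourselves at school.

    Fix:

    You're surely more professional than I am; I'm just a student.

    Copyright notice: when reposting, please credit the source 烤土豆@乌云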
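
The report contrasts an SNMP setup restricted by an ACL (Tongliao) with one that answers anyone (Chifeng), and its firewall fragment shows default-permit rules and management services left on. As an added example (not part of the original report or any vendor tooling), the sketch below audits a VRP-style configuration for those three conditions. The firewall lines in the sample are the ones shown in the report; the `snmp-agent community` lines and their community names are constructed placeholders.

```python
import re

# Constructed sample: the firewall lines are the fragment shown in the report;
# the snmp-agent lines are assumed examples with placeholder community names.
SAMPLE_CONFIG = """\
sysname TL-FIREWALL-EUDEMON1000E
#
 ftp server enable
#
 web-manager enable
#
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction inbound
#
 snmp-agent community read EXAMPLE_RO
 snmp-agent community read EXAMPLE_RO2 acl 2001
#
"""

DEFAULT_PERMIT = re.compile(
    r"^firewall packet-filter default permit interzone (\S+) (\S+) direction (\S+)$")
SNMP_COMMUNITY = re.compile(r"^snmp-agent community (read|write)\s+(.+)$")
CLEARTEXT_MGMT = {"ftp server enable", "web-manager enable"}


def audit(config: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule id, detail) for each risky line found."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        m = DEFAULT_PERMIT.match(line)
        if m and "untrust" in m.group(1, 2):
            findings.append((lineno, "default-permit-untrust",
                             f"{m.group(1)}<->{m.group(2)} {m.group(3)}"))
        elif line in CLEARTEXT_MGMT:
            findings.append((lineno, "cleartext-mgmt", line))
        else:
            m = SNMP_COMMUNITY.match(line)
            # A community with no "acl <number>" answers any source address.
            if m and not re.search(r"\bacl\s+\d+\b", m.group(2)):
                findings.append((lineno, "snmp-no-acl", m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule}: {detail}")
```

The community string itself is deliberately left out of the findings so that audit output can be shared without repeating the secret.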


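    Vulnerability response

    Vendor response:

    Severity: High

    Vulnerability Rank: 11

    Confirmed: 2015-10-12 09:31

    Vendor reply:

    CNVD confirmed and reproduced the situation described, and has passed it to CNCERT to notify China Mobile Group, which will subsequently coordinate with the website management department to handle it.

    Latest status:

    None yet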



          Article link: https://www.haomeiwen.com/subject/geedeqtx.html