大学时无聊弄的东西,写的很傻逼,哈哈哈哈哈哈,实在不愿意改了
披露状态:
2015-10-04: 细节已通知厂商并且等待厂商处理中
2015-10-12: 厂商已经确认,细节仅向厂商公开
2015-10-22: 细节向核心白帽子及相关领域专家公开
2015-11-01: 细节向普通白帽子公开
2015-11-11: 细节向实习白帽子公开
2015-11-26: 细节向公众公开
简要描述:
很简单啊,把我市铁通的路由器+交换机扫了一个遍,能成功的登陆上了,还有一个是bgp的路由器。
详细说明:
放假时候在家无聊,想想测一下我家的铁通网络安全性怎么样。于是百度了一下pppoe接口的ip,没想到竟然百度到了这个
http://.../view/8b0f0d718e9951e79b892786.html?from=search。。
1.png
这个就是我市铁通某一个骨干路由器的配置文档。。。真是猪一样的队友。虽然这份配置文件用户名密码等重要信息都已经变更了。但是泄露了很多接口的网段。我们可以利用这个信息,使用NMAP去扫描之。而且最重要的是,SNMP密码没有变,很有可能全内蒙的铁通都是这个SNMP密码。。。但是通辽那边的SNMP设置做ACL限制了,外人无法随便访问。可是赤峰铁通的snmp就没有做限制,可以随便访问。下载一个SNMPWALK的小工具,就可以读取路由器的各种信息了。
首先,把他所有的接口的IP读出来,用NMAP扫描一下。
只要是开放telnet 23端口的,八成都是路由器。看型号,基本上都是华为的路由器。而华为路由器之前有一个漏洞,可以通过SNMP来获取到用户名密码。根据提示,获取到了几个路由器的密码,成功登陆上去。
路由器这种基础网络设备一般没人敢随便升级去,好好的不出问题升级他干嘛啊。所以呢,当有了安全漏洞,也没有及时去修复。现在的互联网安全这么重要,你还敢吧BGP的路由器也这么干。虽然这个BGP是IBGP,但是那也挺重要的呀。而且你们做好了工程呢,不要随便吧配置文件传网上,虽然你说什么密码是都加密了。可是你知道吗,华为,华三,HP的路由器,有了那种加密的密码,是可以还原密码的。不信你去GITHUB上去搜一下就有。就算你都改了,但是你SNMP密码没改啊,间接的把内蒙铁通的路由器SNMP密码暴露了。我也就看了一下赤峰的,估计其他地方的,这个问题更加严重。。。。
不过呢,也应该感谢你们,毕竟让我学到了好多运营商架构的网络
漏洞证明:
这个是四道湾镇的路由器配置
<SiDaoWan_3300>dis current-configuration
#
sysname SiDaoWan_3300
#
router id **.**.**.**
#
vlan batch 1 10 to 12 20 30 to 31 35 50 to 61 99 257 321 411
vlan batch 1000 to 1015 2000 to 2105 3004 3500 to 3501 3556 to 3558 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813
vlan batch 3900 to 3902 3910 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981 4000
#
cluster enable
ntdp enable
ntdp hop 16
ndp enable
#
voice-vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Simens phone
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000 description Cisco phone
voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
voice-vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips/NEC phone
voice-vlan mac-address 00d0-1e00-0000 mask ffff-ff00-0000 description Pingtel phone
voice-vlan mac-address 00e0-7500-0000 mask ffff-ff00-0000 description Polycom phone
voice-vlan mac-address 00e0-bb00-0000 mask ffff-ff00-0000 description 3com phone
#
undo http server enable
interface Vlanif1
#
interface Vlanif10
description To ZhongXinJu9306_B
ip address **.**.**.** **.**.**.**
#
interface Vlanif11
description dianyuanjiankong
ip address **.**.**.** **.**.**.**
#
interface Vlanif30
mtu 1560
description To XinHuiS3300
ip address **.**.**.** **.**.**.**
#
interface Vlanif3556
description me60-1-1-guanli
ip address **.**.**.** **.**.**.**
#
interface Vlanif3558
#
interface Ethernet0/0/1
description dongwanzi-xinmin-damuchang5615
port trunk allow-pass vlan 3004 3901 3965 3971 3980
port hybrid untagged vlan 50
bpdu enable
qinq vlan-translation enable
port vlan-stacking vlan 1 to 400 push vlan 50 priority-inherit
port vlan-stacking vlan 500 to 600 push vlan 50 priority-inherit
port vlan-mapping external-vlan 3965 map-external-vlan 3965 priority-inherit
port vlan-mapping external-vlan 3971 map-external-vlan 3971 priority-inherit
port vlan-mapping external-vlan 3980 map-external-vlan 3980 priority-inherit
port vlan-mapping external-vlan 3901 map-external-vlan 3901 priority-inherit
port vlan-mapping external-vlan 3004 map-external-vlan 3004 priority-inherit
ntdp enable
ndp enable
#
interface Ethernet0/0/2
description bajia_baijiadian_qujiawan_shanzui
port trunk allow-pass vlan 3501 3900 3967 to 3968 3970 3974 3981
port hybrid untagged vlan 51
bpdu enable
qinq vlan-translation enable
port vlan-stacking vlan 1 to 500 push vlan 51 priority-inherit
port vlan-stacking vlan 501 to 600 push vlan 51 priority-inherit
port vlan-stacking vlan 601 to 1000 push vlan 51 priority-inherit
port vlan-mapping external-vlan 3900 map-external-vlan 3900 priority-inherit
port vlan-mapping external-vlan 3968 map-external-vlan 3968 priority-inherit
port vlan-mapping external-vlan 3970 map-external-vlan 3970 priority-inherit
port vlan-mapping external-vlan 3974 map-external-vlan 3974 priority-inherit
port vlan-mapping external-vlan 3501 map-external-vlan 3501 priority-inherit
port vlan-mapping external-vlan 3981 map-external-vlan 3981 priority-inherit
port vlan-mapping external-vlan 3967 map-external-vlan 3967 priority-inherit
ntdp enable
ndp enable
#
interface Ethernet0/0/3
description xiaoheyan-dongwanzi5615
port trunk allow-pass vlan 3004 3901 to 3902 3950 3971 3980
port hybrid untagged vlan 52
bpdu enable
qinq vlan-translation enable
port vlan-stacking vlan 1 to 300 push vlan 52 priority-inherit
port vlan-stacking vlan 301 to 1000 push vlan 52 priority-inherit
port vlan-mapping external-vlan 3901 map-external-vlan 3901 priority-inherit
port vlan-mapping external-vlan 3950 map-external-vlan 3950 priority-inherit
port vlan-mapping external-vlan 3971 map-external-vlan 3971 priority-inherit
port vlan-mapping external-vlan 3980 map-external-vlan 3980 priority-inherit
port vlan-mapping external-vlan 3004 map-external-vlan 3004 priority-inherit
ntdp enable
ndp enable
#
interface Ethernet0/0/4
description sidanwanjiliansidaowan
port trunk allow-pass vlan 2000 3965
port hybrid untagged vlan 59
undo negotiation auto
bpdu enable
qinq vlan-translation enable
port vlan-stacking vlan 100 to 500 push vlan 59 priority-inherit
port vlan-mapping external-vlan 2000 map-external-vlan 2000 priority-inherit
port vlan-mapping external-vlan 3965 map-external-vlan 3965 priority-inherit
ntdp enable
ndp enable
#
interface Ethernet0/0/5
port default vlan 11
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/6
description bajia3300
port trunk allow-pass vlan 51 3501 3900 3955 3967 to 3968 3970 3974 3981
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/7
description shipinjiankong
port link-type access
port default vlan 3801
undo negotiation auto
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/8
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/9
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/10
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/11
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/12
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/13
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/14
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/15
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/16
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/17
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/18
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/19
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/20
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/21
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/22
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/23
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface Ethernet0/0/24
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/1
description to BAS1-1 GE2/0/8
port trunk allow-pass vlan 10 to 12 20 30 to 31 35 50 to 61 99 257 321 411 1000 to 1015
port trunk allow-pass vlan 2000 to 2015 3004 3500 to 3501 3556 to 3557 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813
port trunk allow-pass vlan 3910 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981 4000
jumboframe enable 13296
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/2
port default vlan 1
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/3
description beiyong to xinhui3300 ge0/0/3
port trunk allow-pass vlan 11 30 50 to 52 59 99 257 1000 to 1015 2000 to 2015 3004 3501
port trunk allow-pass vlan 3801 3900 to 3902 3950 3955 3965 3967 to 3968 3970 to 3971 3974 3980 to 3981
combo-port copper
undo negotiation auto
speed 1000
combo-port media type
combo-port auto
jumboframe enable 13296
bpdu enable
ntdp enable
ndp enable
#
interface GigabitEthernet0/0/4
description To XinHuiS3300
port trunk allow-pass vlan 12 20 30 to 31 35 53 to 61 257 411 1000 to 1015 2001 to 2015 3500
port trunk allow-pass vlan 3557 3600 to 3601 3666 3700 3800 to 3801 3812 to 3813 3902 3910 3955 3967
port trunk allow-pass vlan 3981 4000
combo-port media type
combo-port auto
jumboframe enable 13296
bpdu enable
ntdp enable
ndp enable
#
interface NULL0
#
interface LoopBack0
ip address **.**.**.** **.**.**.**
#
林东火车站的
<lindonghuochezhan3300>dis current-configuration
#
sysname lindonghuochezhan3300
#
vlan batch 1 3 31 to 32 100 to 101 200 300 to 301 1000 to 1020 3008 to 3050 3563 3902 to 3903
vlan batch 4002 to 4003 4010
#
observing-port 4 interface Ethernet0/0/9
#
cluster enable
ntdp enable
ntdp hop 16
ndp enable
#
voice-vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Simens phone
voice-vlan mac-address 0003-6b00-0000 mask ffff-ff00-0000 description Cisco phone
voice-vlan mac-address 0004-0d00-0000 mask ffff-ff00-0000 description Avaya phone
voice-vlan mac-address 0060-b900-0000 mask ffff-ff00-0000 description Philips/NEC phone
voice-vlan mac-address 00d0-1e00-0000 mask ffff-ff00-0000 description Pingtel phone
voice-vlan mac-address 00e0-7500-0000 mask ffff-ff00-0000 description Polycom phone
voice-vlan mac-address 00e0-bb00-0000 mask ffff-ff00-0000 description 3com phone
#
undo http server enable
#
vlan 3
description TO DaBan-MA5200G
#
acl number 3001
rule 5 permit icmp source **.**.**.** 0 destination **.**.**.** 0
rule 10 permit icmp source **.**.**.** 0 destination **.**.**.** 0
rule 15 permit icmp source **.**.**.** 0 destination **.**.**.** 0
rule 20 permit icmp source **.**.**.** 0 destination **.**.**.** 0
#
traffic classifier test
traffic classifier tongji
if-match acl 3001
#
traffic behavior test
traffic behavior tongji
count
#
traffic policy test
classifier test behavior test
traffic policy tongji
classifier tongji behavior tongji
#
interface Vlanif200
ip address **.**.**.** **.**.**.**
#
interface Vlanif3563
description daban5200g-guanli
ip address **.**.**.** **.**.**.**
#
interface Vlanif4002
ip address **.**.**.** **.**.**.**
#
interface Vlanif4003
ip address **.**.**.** **.**.**.**
#
interface Vlanif4010
ip address **.**.**.** **.**.**.**
#
interface Ethernet0/0/1
description lindong8220
port link-type dot1q-tunnel
port default vlan 300
undo negotiation auto
#
大阪的路由器,注意,这个可是个BGP
interface NULL0
#
interface LoopBack1
ip address **.**.**.** **.**.**.**
isis enable 1
isis circuit-level level-2
#
bgp 64611
group IBGP-Group internal
peer IBGP-Group description To-CF-RR1-Server-IBGP-Group
peer IBGP-Group connect-interface LoopBack1
peer **.**.**.** as-number 64611
peer **.**.**.** group IBGP-Group
peer **.**.**.** as-number 64611
peer **.**.**.** group IBGP-Group
#
ipv4-family unicast
undo synchronization
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
network **.**.**.**
network **.**.**.**
network **.**.**.**
network **.**.**.**
peer IBGP-Group enable
peer IBGP-Group next-hop-local
peer **.**.**.** enable
peer **.**.**.** group IBGP-Group
peer **.**.**.** enable
peer **.**.**.** group IBGP-Group
#
ipv4-family vpnv4
reflector cluster-id **.**.**.**
policy vpn-target
peer **.**.**.** enable
peer **.**.**.** enable
#
ipv4-family vpn-instance VPN_IP_MGMT
network **.**.**.** **.**.**.**
network **.**.**.** **.**.**.**
#
对了,还有一个通辽华为放火墙,哈哈哈,你们这帮猪一样的队友,吧人家通辽那边的都连累了
sysname TL-FIREWALL-EUDEMON1000E
#
ftp server enable
#
web-manager enable
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
#
firewall statistic system enable
firewall log stream enable
#
还有一部分拓扑,就不给你们啦,画得太差,自己上学慢慢研究去啦
修复方案:
你们肯定比我专业,我才是一个学生
版权声明:转载请注明来源 烤土豆@乌云
漏洞回应
厂商回应:
危害等级:高
漏洞Rank:11
确认时间:2015-10-12 09:31
厂商回复:
CNVD确认并复现所述情况,已经转由CNCERT向中国移动集团公司通报,由其后续协调网站管理部门处置.
最新状态:
暂无
漏洞评价:
对本漏洞信息进行评价,以更好的反馈信息的价值,包括信息客观性,内容是否完整以及是否具备学习价值
网友评论