Access to thousands of personal data of users of Beeline Wired Internet was obtained
Sorry for the pretentious title, but once such a booze has gone , then we will continue. I personally always liked such posts.
So, it goes about the vulnerability of the well-known in Moscow time (and not only) provider Beeline. Many remember him by the name of Corbina. Without a doubt, this is one of the foremost Internet service providers, with a long and good history. At one time he was a rescue, thanks to high-quality and fast Internet, intranet networks, etc. Currently, the provider’s employees are aware of vulnerabilities and the most critical ones are already closed. However, I am sure that many will discover many new and interesting things. Moreover, the technique is applicable to almost any provider.
By the will of fate, I ended up in a removable hruschevka. I had a “Megaphone” whistle. Since I had to stay there for a week, I was not bothered by the lack of a fixed Internet. However, my stay there was delayed. I decided that it did not matter, since I was armed with wardriving tools. But I couldn’t pull anything off for a couple of days, except for the open network Yota (facepalm). As you could guess from the name of the post, in the hallway of the apartment I found a painfully familiar orange wire. Connect - it was "Beeline". It would seem that this is just an orange wire. Nevertheless, this is at least a 100mb channel (optimally) with access to the local network (possible). In our case, whois said that this is a 10.0.0.0/8 subnet. It is clear that not all ip will be available, but better than nothing.
')
This is where nmap comes into action. I forgot about him in the early 2000s, because like the era of open ports has passed. However, in early 2010, I remembered about him again, because all sorts of nosql and other sub-services, which were often without authorization, became widely popular. nosql saved on everything in pursuit of productivity, and heaps of sub-services, such as zabbiks, jenkins, etc. often turned out to be either open, from the category “yes, who knows that my port is 12345 open”, or full of holes. The same zabbiks had a bunch of holes, including sqli without authorization. In short, my goal was routers. 80th ports. Previously, they were often open to ekzeku, now providers block ekzeku by default, just like the routers themselves. But I was local to them.
I started scanning with nmap, but quickly changed my mind as he suggested that I wait a couple of days. Zmap was sent into battle . You can read about him, but briefly, this is a very fast and narrow alternative to nmap. zmap scanned the same subnet in 2 minutes.
The fact that the glands had default logins / passwords, I will not even consider the vulnerability. Old as the world. From the category "why should I put a complex password on my router, if it is local?" Or, more often: "Oh, everything."
However, further I was waiting for a more interesting detail. 80% of the routers that I found - dir300 with firmware from Beeline. Without a doubt, this is one of the most reliable and affordable routers, which completely copes with its task. When I ran into non-standard logins / passwords, I decided to see what went where and how. Those. opened the inspector in the browser and began to sniff requests. Amazing near! It turned out that the Beeline firmware returned to the attempt of incorrect authorization:
However, the firmware for some reason sent several requests for authorization. At the same time. And when the first just swore auth: false, the second gave something like:
Those. The firmware seemed to say that auth: false, sorry guy. But at the same time, in passing, I gave all the settings of the router, including the login / pass from the personal account of Beeline and from wifi. In some cases, it was generally ridiculous, the webmord swore at the wrong login / password, but she herself showed the login / password, but this was more likely an exception, I met a couple of such routers:
I admit, I did not even suspect that everything would come out that way. Found it all by chance. And indeed, if the firmware had not sent several requests at once (obviously by mistake of the developers), I would never have thought of checking its availability.
Even having a login / pass from a personal account, we will not do anything with it. First, as soon as the device has registered under a certain login / password in the Beeline network, no other device can register under this login / password. Secondly, it is a hard fawn.
We scan routers, collect wifi logins / passwords. We look, what networks are within reach. We connect to them and sit as partisans. Even networks with a huge password will not stand, because in the router it is stored in clear text. Well, so as not to burn at all. We take a marker and at the entrance we write the login / password from this wifi network somewhere in a remote place. Under the stairs of the first floor, for example. Those. even if they come to you, you turn on the fool and say that you have found your username and password under the stairs: “Use everything, free wifi”.
In my case, I did not have the patience to collect all the wifi accesses from all routers. The only network that I quickly found and which was in the range of visibility of my laptop, had a good speed, but pings from 30ms to 7s. With AlfaNetworks, I had a stable signal, but these external wifi cards all over the world have the reputation of being a ward driver, so sitting under them is also pale.
I continued to collect access to wifi. There were a lot of them and it bothered me. I wanted a network right now. A simple and ingenious idea came to mind. Suppose I found a router with an open 80 port at 10.82.2.20. Standard dir300. Either anything else is not important. Turn off DHCP, and write the network settings:
gateway: 10.82.2.20 (router found)
ip: 10.82.2.222 (from noodles on the same subnet)
dns: 8.8.8.8
We connect the network, and, even without intrigue, we have high-quality Internet through the wire, and not through wifi. We go to the router, we look - yes indeed, we are connected to it as if in a lan.
Once again we read, slowly and penetrating into every word: We prescribe ANY active IP network as a gateway and have a connection to it via LAN.
Fine? In my opinion completely.
It only remained for me to check several routers in my personal account for a normal tariff in order to choose “who to be today”.
To be honest, this is rather a vulnerability not so much (and not only) of “Beeline”, as there are routers. But nonetheless.
Having received moral and aesthetic pleasure, I contacted the representatives of the provider and gave them all the best practices.
At the exit, having only the Beeline wire, without knowing the logins / passwords, one could get fast internet for free. Simple as 2 bytes to send.
Some details:
1. 99% of TrendNet routers have standard login / password. For all the time, I found only 1 or 2 routers from TrendNet, to which default access did not fit.
2. 0% of Zyxel routers have standard login / password. Most likely, when setting up, they require changing this password.
3. 50% of access to LC does not change. Who is familiar with the biline knows that when concluding a contract, the installer makes the password from the LC either equal to the login, or adds 1 character to the beginning or the end of the login.
And another thing, at the level of fiction. Again, quite by chance, I came across a live router, registered it as a gateway and local 192.168.0.222 for myself. I received the Internet, used it, and then went to the settings of the router (at 192.168.0.1). I do not remember why. Maybe something to check or something else. Imagine my surprise when the login form of the ADSL router from MTS opened in front of me. I rechecked the network, looked at checkip.dyndns.com, prokhizil external IP - yes indeed, it is MTS Internet.
I stuck the wire "Beeline", and got the Internet from MTS. I puzzled for a long time what is the point and how is this possible. Connected to the process sysadmin from work and specialists from "Beeline". The only possible option that I came up with:
1. There is a dude who has both MTS and Beeline Internet, respectively, 2 routers.
2. Both routers are contiguous to each other.
3. "Beeline" router does not have an Internet and asks him from the MTS router.
4. "Beeline" router is not in the network 192.168.0.0/24
5. MTS router is in the network 192.168.0.0/24
6. Knowing the local IP of the biline, inserting it as a gateway, I connect through it to the MTS router and have the Internet from it.
Cool? It is noteworthy that on the 1st of the next month the device disappeared. Presumably, the man turned off Beeline.
Thanks to the staff of "Beeline" for the quick response. In particular, geran_utran and givtone . In fact, you often have to communicate with the administrators and developers of this or that service about security and more often come across: “Yes, we will put you, but this is a matter of jurisdiction!” And other inadequate. The guys quickly corrected critical holes and attracted the right people. I was sure that I would have another month or two freebies until the entire Beeline network was reconfigured, but no, everything was decided within 24 hours, as soon as they found the person in charge. Well done, in one word.
So, it goes about the vulnerability of the well-known in Moscow time (and not only) provider Beeline. Many remember him by the name of Corbina. Without a doubt, this is one of the foremost Internet service providers, with a long and good history. At one time he was a rescue, thanks to high-quality and fast Internet, intranet networks, etc. Currently, the provider’s employees are aware of vulnerabilities and the most critical ones are already closed. However, I am sure that many will discover many new and interesting things. Moreover, the technique is applicable to almost any provider.
By the will of fate, I ended up in a removable hruschevka. I had a “Megaphone” whistle. Since I had to stay there for a week, I was not bothered by the lack of a fixed Internet. However, my stay there was delayed. I decided that it did not matter, since I was armed with wardriving tools. But I couldn’t pull anything off for a couple of days, except for the open network Yota (facepalm). As you could guess from the name of the post, in the hallway of the apartment I found a painfully familiar orange wire. Connect - it was "Beeline". It would seem that this is just an orange wire. Nevertheless, this is at least a 100mb channel (optimally) with access to the local network (possible). In our case, whois said that this is a 10.0.0.0/8 subnet. It is clear that not all ip will be available, but better than nothing.
')
This is where nmap comes into action. I forgot about him in the early 2000s, because like the era of open ports has passed. However, in early 2010, I remembered about him again, because all sorts of nosql and other sub-services, which were often without authorization, became widely popular. nosql saved on everything in pursuit of productivity, and heaps of sub-services, such as zabbiks, jenkins, etc. often turned out to be either open, from the category “yes, who knows that my port is 12345 open”, or full of holes. The same zabbiks had a bunch of holes, including sqli without authorization. In short, my goal was routers. 80th ports. Previously, they were often open to ekzeku, now providers block ekzeku by default, just like the routers themselves. But I was local to them.
I started scanning with nmap, but quickly changed my mind as he suggested that I wait a couple of days. Zmap was sent into battle . You can read about him, but briefly, this is a very fast and narrow alternative to nmap. zmap scanned the same subnet in 2 minutes.
Vulnerability # 1
Not having a login / password from Beeline, simply by plugging a wire, I got access to all local resources and devices (routers, cameras, voip hardware, etc.)
The fact that the glands had default logins / passwords, I will not even consider the vulnerability. Old as the world. From the category "why should I put a complex password on my router, if it is local?" Or, more often: "Oh, everything."
However, further I was waiting for a more interesting detail. 80% of the routers that I found - dir300 with firmware from Beeline. Without a doubt, this is one of the most reliable and affordable routers, which completely copes with its task. When I ran into non-standard logins / passwords, I decided to see what went where and how. Those. opened the inspector in the browser and began to sniff requests. Amazing near! It turned out that the Beeline firmware returned to the attempt of incorrect authorization:
{ auth: false } However, the firmware for some reason sent several requests for authorization. At the same time. And when the first just swore auth: false, the second gave something like:
{ auth: false, … settings: { ssid: "blablabla", wpakey: "12345678", login: 089746254 password: "lovelove123" … } } Those. The firmware seemed to say that auth: false, sorry guy. But at the same time, in passing, I gave all the settings of the router, including the login / pass from the personal account of Beeline and from wifi. In some cases, it was generally ridiculous, the webmord swore at the wrong login / password, but she herself showed the login / password, but this was more likely an exception, I met a couple of such routers:
Vulnerability # 2
The Beeline firmware for routers itself gave all the settings of the router without knowing the login / password.
I admit, I did not even suspect that everything would come out that way. Found it all by chance. And indeed, if the firmware had not sent several requests at once (obviously by mistake of the developers), I would never have thought of checking its availability.
Even having a login / pass from a personal account, we will not do anything with it. First, as soon as the device has registered under a certain login / password in the Beeline network, no other device can register under this login / password. Secondly, it is a hard fawn.
We scan routers, collect wifi logins / passwords. We look, what networks are within reach. We connect to them and sit as partisans. Even networks with a huge password will not stand, because in the router it is stored in clear text. Well, so as not to burn at all. We take a marker and at the entrance we write the login / password from this wifi network somewhere in a remote place. Under the stairs of the first floor, for example. Those. even if they come to you, you turn on the fool and say that you have found your username and password under the stairs: “Use everything, free wifi”.
In my case, I did not have the patience to collect all the wifi accesses from all routers. The only network that I quickly found and which was in the range of visibility of my laptop, had a good speed, but pings from 30ms to 7s. With AlfaNetworks, I had a stable signal, but these external wifi cards all over the world have the reputation of being a ward driver, so sitting under them is also pale.
I continued to collect access to wifi. There were a lot of them and it bothered me. I wanted a network right now. A simple and ingenious idea came to mind. Suppose I found a router with an open 80 port at 10.82.2.20. Standard dir300. Either anything else is not important. Turn off DHCP, and write the network settings:
gateway: 10.82.2.20 (router found)
ip: 10.82.2.222 (from noodles on the same subnet)
dns: 8.8.8.8
We connect the network, and, even without intrigue, we have high-quality Internet through the wire, and not through wifi. We go to the router, we look - yes indeed, we are connected to it as if in a lan.
Once again we read, slowly and penetrating into every word: We prescribe ANY active IP network as a gateway and have a connection to it via LAN.
Fine? In my opinion completely.
It only remained for me to check several routers in my personal account for a normal tariff in order to choose “who to be today”.
To be honest, this is rather a vulnerability not so much (and not only) of “Beeline”, as there are routers. But nonetheless.
Vulnerability # 3
Ability to connect / register locally on any router within the network and get from it the Internet.
Having received moral and aesthetic pleasure, I contacted the representatives of the provider and gave them all the best practices.
At the exit, having only the Beeline wire, without knowing the logins / passwords, one could get fast internet for free. Simple as 2 bytes to send.
Some details:
1. 99% of TrendNet routers have standard login / password. For all the time, I found only 1 or 2 routers from TrendNet, to which default access did not fit.
2. 0% of Zyxel routers have standard login / password. Most likely, when setting up, they require changing this password.
3. 50% of access to LC does not change. Who is familiar with the biline knows that when concluding a contract, the installer makes the password from the LC either equal to the login, or adds 1 character to the beginning or the end of the login.
And another thing, at the level of fiction. Again, quite by chance, I came across a live router, registered it as a gateway and local 192.168.0.222 for myself. I received the Internet, used it, and then went to the settings of the router (at 192.168.0.1). I do not remember why. Maybe something to check or something else. Imagine my surprise when the login form of the ADSL router from MTS opened in front of me. I rechecked the network, looked at checkip.dyndns.com, prokhizil external IP - yes indeed, it is MTS Internet.
I stuck the wire "Beeline", and got the Internet from MTS. I puzzled for a long time what is the point and how is this possible. Connected to the process sysadmin from work and specialists from "Beeline". The only possible option that I came up with:
1. There is a dude who has both MTS and Beeline Internet, respectively, 2 routers.
2. Both routers are contiguous to each other.
3. "Beeline" router does not have an Internet and asks him from the MTS router.
4. "Beeline" router is not in the network 192.168.0.0/24
5. MTS router is in the network 192.168.0.0/24
6. Knowing the local IP of the biline, inserting it as a gateway, I connect through it to the MTS router and have the Internet from it.
Cool? It is noteworthy that on the 1st of the next month the device disappeared. Presumably, the man turned off Beeline.
Thanks to the staff of "Beeline" for the quick response. In particular, geran_utran and givtone . In fact, you often have to communicate with the administrators and developers of this or that service about security and more often come across: “Yes, we will put you, but this is a matter of jurisdiction!” And other inadequate. The guys quickly corrected critical holes and attracted the right people. I was sure that I would have another month or two freebies until the entire Beeline network was reconfigured, but no, everything was decided within 24 hours, as soon as they found the person in charge. Well done, in one word.
Source: https://habr.com/ru/post/243997/
All Articles