Free internet. How the network is hacked.

Hacker

This article was written for educational purposes only. We are not calling on anyone to do anything; it is provided for information purposes only. The author is not responsible for your actions.
It would seem that the topic of "free internet" belongs to the distant past. However, the way home subscriber networks are built still allows some irresponsible people to avoid paying for their connection today. In this article, we will look at how a provider's subscriber network is arranged and which weaknesses allow not only freeloaders to flourish, but also more serious pests.

In Russia and the former USSR, the most common way to connect subscribers to a provider is twisted pair. If you did not pay extra for an external IP, after connection the provider will give your device a "gray" (private) IP address via DHCP from the class A 10.*.*.*/24 network, and will also register its DNS servers in the connection settings. This lets you interact with the provider's resources (DNS / VPN server, personal account), as well as with other subscribers on the provider's local network, using such addresses.

For the Internet to appear, you need to configure an L2TP VPN connection using the credentials provided by the provider. When the balance on your account is not enough to cover the subscription fee, the L2TP connection works only in a mode that redirects all HTTP requests to your personal account; other requests are blocked and you are left without Internet access, but you remain connected to the local network until you are physically disconnected.

In practice, that disconnection can be a long time coming, because there is really only one good reason for physically disconnecting someone: a new subscriber needs to be connected, but all ports on the provider's terminal equipment (which usually sits somewhere in the attic among mountains of expanded clay and pigeon droppings) are busy. Then the provider's installers can audit the ports and disconnect whoever does not use their services and does not pay with hard cash. But if there is no such need, it is quite logical to keep subscribers connected: what if they come back?

ACTIVE AND PASSIVE SUBSCRIBERS
The savvy reader has already guessed what creative opportunities open up when there is a connection to the local network and no restrictions on network interaction between subscribers. You can, for example, "share" the Internet of another subscriber and not pay for access.

What is needed to pull off such a trick?
An active subscriber who pays for the Internet in good faith and will act as the distributor. Ideally the freeloader and a relative, friend, acquaintance or colleague have the same provider; otherwise a random person may become the victim. Moreover, the subscribers can be physically located in different parts of the city.

On the equipment side, you need a router or server that acts as an L2TP client towards the provider and as a VPN or proxy server for the passive subscriber. Any router powerful enough to run OpenWRT will do.

The passive subscriber is the one who does not pay but is connected to the provider's local network. A passive subscriber can get by with the cheapest ordinary home router, as long as it supports the technologies required for the connection (L2TP, IPsec, OpenVPN).

Schematically, a similar connection looks like this.

prov1.png

Connection diagram through an active subscriber.

Let's take a closer look at this diagram. The main vulnerability, in my opinion, is the lack of restrictions on traffic between subscribers. And we are not talking about a single broadcast domain: during my research, more than 160 subnets were discovered (see the Botnet section for details) with different IP ranges, and no restrictions were found between them. As the saying goes, "any to any - allow". If you know why this is done, share in the comments.

Another problem for the provider is the unmanaged switches that serve as terminal equipment. Since ports cannot be disabled automatically, programmatically or remotely, anyone with access to the network equipment can connect to the subscriber local network. And that equipment, as a rule, is poorly protected physically, or even sits in stairwell cabinets "locked" with a piece of wire.

WHAT TO DO FOR THE PROVIDER
The provider can prohibit or restrict network communication between subscribers from different subnets. Then the vulnerability will remain only for subscribers within one broadcast domain, but we will talk about this further on.

The provider's DHCP server in the local network should assign a random IP address to subscribers each time the (short) lease time expires. The passive subscriber would then be forced to change the server address in his settings every time the active subscriber's lease ends, or to use a domain name.

The provider's DNS servers should be separated according to whether they handle internal or external requests. Block third-party DNS and resolve only the whitelisted internal domains (VPN server and personal account). This reduces the likelihood that someone can connect to an active subscriber by domain name. Inside the L2TP connection, assign a DNS server that resolves external requests.

This approach also protects against DNS tunneling attacks. However, because of the low bandwidth, we do not even consider DNS tunneling here: hardly anyone wants to use such a tunnel as their main channel.
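To make the provider-side recommendations above concrete, here is an added example (not code from the original post, and not any provider's real configuration) that models the three rules as a small policy: subscribers may reach only the provider's DNS, L2TP and personal-account hosts, cross-subnet subscriber traffic is dropped, and the internal resolver answers only a whitelisted zone. All addresses, hostnames and the `evaluate`, `resolve_internal` and `render_nftables` helpers are assumptions made for the example; the rendered nftables chain is illustrative output of the same policy, not a ruleset the post provides.

```python
import ipaddress

# All addresses below are constructed for the example; they are not the
# provider's real addressing plan.
SUBSCRIBER_SPACE = ipaddress.ip_network("10.0.0.0/8")   # the "gray" DHCP pool
PROVIDER_SERVICES = {
    # (transport, port) -> hosts a subscriber may reach without a VPN session
    ("udp", 53):   {ipaddress.ip_address("10.0.0.3")},   # internal resolver
    ("udp", 1701): {ipaddress.ip_address("10.0.0.10")},  # L2TP concentrator
    ("tcp", 80):   {ipaddress.ip_address("10.0.0.20")},  # personal account (HTTP)
    ("tcp", 443):  {ipaddress.ip_address("10.0.0.20")},  # personal account (HTTPS)
}
# Names the internal resolver is allowed to answer (constructed). Everything else is
# refused, so a domain name cannot be used to locate an "active" subscriber.
INTERNAL_ZONE = {
    "vpn.provider.example": "10.0.0.10",
    "my.provider.example": "10.0.0.20",
}


def evaluate(src, dst, transport, dport):
    """Decide what the provider's router should do with one subscriber packet.

    Returns "accept", "drop", or "unfiltered". "unfiltered" marks traffic inside
    one /24: the access switch forwards it directly, so an L3 filter never sees it
    (this is the residual risk within a single broadcast domain).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in SUBSCRIBER_SPACE:
        return "drop"                      # not a subscriber source at all
    if dst in PROVIDER_SERVICES.get((transport, dport), set()):
        return "accept"                    # DNS, VPN and personal account
    if dst in SUBSCRIBER_SPACE:
        src_net = ipaddress.ip_network(f"{src}/24", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/24", strict=False)
        return "unfiltered" if src_net == dst_net else "drop"
    # Anything else (third-party DNS, direct Internet) must go through the VPN.
    return "drop"


def resolve_internal(name):
    """Whitelist resolver for the subscriber network: answers only INTERNAL_ZONE.

    Returns the address, or None where a real resolver would send REFUSED."""
    return INTERNAL_ZONE.get(name.rstrip(".").lower())


def render_nftables():
    """Render the same policy as an nftables forward chain (illustrative output)."""
    lines = ["table inet subscriber_filter {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy drop;"]
    for (transport, port), hosts in sorted(PROVIDER_SERVICES.items()):
        for host in sorted(hosts):
            lines.append(f"    ip saddr {SUBSCRIBER_SPACE} ip daddr {host} "
                         f"{transport} dport {port} accept")
    # Explicit cross-subscriber drop with a counter, so the provider can see
    # how much inter-subscriber traffic the policy actually blocks.
    lines.append(f"    ip saddr {SUBSCRIBER_SPACE} ip daddr {SUBSCRIBER_SPACE} counter drop")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for pkt in [("10.23.5.17", "10.0.0.10", "udp", 1701),
                ("10.23.5.17", "10.77.140.9", "udp", 1701),
                ("10.23.5.17", "10.23.5.200", "udp", 1701),
                ("10.23.5.17", "8.8.8.8", "udp", 53)]:
        print(pkt, "->", evaluate(*pkt))
    print(render_nftables())
```

The `unfiltered` result is the point the post makes about broadcast domains: a router-side filter like the rendered chain removes the cross-subnet path, while the short DHCP lease and the whitelisted resolver make the remaining same-segment path harder to use reliably.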

BOTNET
During the research, I got the idea of analyzing what happens to a network device that is connected to the provider's local network but not to the Internet: for example, who scans it and on which ports.

To do this, I connected the provider's patch cord to a separate switch and plugged my home router and an Orange Pi into it. On the Orange Pi I deployed PSAD. This tool appeared in 1999, can detect attacks by signature and can even act as an IPS.

INFO
You will find a description of PSAD's features in the book «Linux Firewalls: Attack Detection and Response with iptables, psad, and fwsnort» or on the program's website.

In our simplified case, it will only analyze iptables logs and build statistics: who tried to connect to us, when, and on which ports. All you need to do for this tool to work is enable logging in the iptables rules. No additional ports need to be opened. I changed the standard port number of the SSH service so that there would be no collisions in the statistics with unauthorized connections.

Over three weeks of running the Orange Pi, this tool discovered over 160 unique subnets in fully passive mode.

prov2.png

Detected passive subnets.

The first two addresses on the attackers list are my own and the ISP's DNS server. Mine is there for obvious reasons, but the provider's DNS server appeared because PSAD tries to resolve the PTR records of the attackers, and the OS also sends some requests. And since UDP keeps no session state, the replies from the DNS server are detected as attacks, as you can see in the next screenshot.

prov3.png

Reverse responses from the DNS server are detected as attacks.
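The statistics PSAD builds here come from plain iptables LOG lines, so the same counting can be reproduced with a short script. The following is an added example (not code from the post and not part of PSAD) that parses constructed iptables LOG lines, counts unique /24 source subnets and targeted ports, and handles the false positive described above by discarding UDP replies with source port 53 from the provider's resolver, together with the host's own traffic. The addresses (`OWN_HOST`, `PROVIDER_DNS`) and the sample log are assumptions made for the example; the destination ports 22, 8293 and 8728 are the ones the post mentions.

```python
import ipaddress
import re
from collections import Counter

# Constructed values for the example: the monitoring host's own address and the
# provider's resolver (not taken from the post).
OWN_HOST = ipaddress.ip_address("10.20.1.44")
PROVIDER_DNS = ipaddress.ip_address("10.0.0.3")

# The fields of a kernel iptables LOG line that matter here. ICMP lines carry
# no SPT/DPT, so that part is optional.
FIELD_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed log lines in iptables LOG format (real lines carry more fields).
SAMPLE_LOG = """\
Mar 10 12:00:01 orangepi kernel: IN=eth0 OUT= SRC=10.23.5.17 DST=10.20.1.44 LEN=44 TTL=53 ID=1 PROTO=TCP SPT=45678 DPT=8728 WINDOW=1024 SYN
Mar 10 12:00:02 orangepi kernel: IN=eth0 OUT= SRC=10.23.5.17 DST=10.20.1.44 LEN=44 TTL=53 ID=2 PROTO=TCP SPT=45679 DPT=22 WINDOW=1024 SYN
Mar 10 12:00:05 orangepi kernel: IN=eth0 OUT= SRC=10.77.140.9 DST=10.20.1.44 LEN=44 TTL=60 ID=3 PROTO=TCP SPT=51002 DPT=8293 WINDOW=1024 SYN
Mar 10 12:00:06 orangepi kernel: IN=eth0 OUT= SRC=10.0.0.3 DST=10.20.1.44 LEN=120 TTL=62 ID=4 PROTO=UDP SPT=53 DPT=40123 LEN=100
Mar 10 12:00:07 orangepi kernel: IN= OUT=eth0 SRC=10.20.1.44 DST=10.0.0.3 LEN=60 TTL=64 ID=5 PROTO=UDP SPT=40124 DPT=53 LEN=40
Mar 10 12:00:09 orangepi kernel: IN=eth0 OUT= SRC=10.77.140.200 DST=10.20.1.44 LEN=84 TTL=61 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
"""


def parse_line(line):
    """Extract source, destination, protocol and ports from one LOG line."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "spt": int(m["spt"]) if m["spt"] else None,
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def is_dns_reply(ev):
    """A UDP datagram from the provider's resolver with source port 53 is the
    answer to a query we sent (PTR lookups, OS traffic), not a scan. Without
    connection tracking, this is how the false positive is filtered out."""
    return ev["src"] == PROVIDER_DNS and ev["proto"] == "UDP" and ev["spt"] == 53


def summarize(lines):
    """Count unique /24 source subnets and (proto, port) targets, skipping noise."""
    subnets, ports, ignored = Counter(), Counter(), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["src"] == OWN_HOST or is_dns_reply(ev):
            ignored += 1
            continue
        net = ipaddress.ip_network(f"{ev['src']}/24", strict=False)
        subnets[str(net)] += 1
        if ev["dpt"] is not None:
            ports[(ev["proto"], ev["dpt"])] += 1
    return {"subnets": subnets, "ports": ports, "ignored": ignored}


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG.splitlines())
    print(f"{len(stats['subnets'])} unique /24 subnets, {stats['ignored']} lines ignored")
    for net, n in stats["subnets"].most_common():
        print(f"  {net:18} {n} packets")
    for (proto, port), n in stats["ports"].most_common():
        print(f"  {proto}/{port}: {n}")
```

On a real log the same script is fed with `grep kernel: /var/log/syslog` (or the journal), and the `ports` counter is where service ports such as the Mikrotik ones stand out once the resolver's replies have been removed from the count.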

The statistics show that Mikrotik's service ports are being actively scanned. Having run a Python web server on these ports, we can observe attempts to exploit the vulnerability in order to obtain credentials and, in general, the entire Mikrotik config. This is typical of a botnet. This is what the information about each attacker and each exploit attempt looks like.

prov4.png

image5.png


To understand whether the "attackers" are themselves victims of the botnet, I scanned the "attackers'" IP addresses back (hackback) and found 50 live hosts (nmap -sn) out of 164. When scanning ports 22, 8293 and 8728 on these addresses, only two had them open, and neither was a Mikrotik. So it can be assumed that, most likely, the infected machines are not the network devices themselves, from whose IP addresses the scanning was performed, but the computers connected to these devices on the LAN behind NAT.

CONCLUSION
So, it turns out that the chain of misconfigurations on the provider's side allows its network to be used for free in one's own interests, and it cannot be considered safe in any way. In addition, the network analysis showed that even devices that are not connected to the Internet are quite successfully attacked by their neighbors.