Nullcon 7, Goa 2016
Abusing Software Defined Networks (Part 2)
Gregory Pickett, CISSP, GCIA, GPEN
Chicago, Illinois
gregory.pickett@hellfiresecurity.com
Hellfire Security

Overview
• Our Progress
• Using SDN-Toolkit
• Assessing Controllers
• Extending SDN-Toolkit
• Wrapping Up

First Presentation
• What We Covered
  • Southbound APIs
  • Northbound APIs
• What’s Changed
  • Floodlight Improved
  • OpenDaylight Improved
  • More Controllers

The Problem
• More Controllers
• Each With Different API
• No Easy Way To Test
• Need More In-Depth Testing

The Solution
• Make It Easy To Add Controllers
• Move Away From Hard Coded
• Use Templates Instead
• Partner With Burp

The SDN-Toolkit

What Is It?
• Discover, identify, and manipulate SDN-based networks through northbound and southbound APIs
• Tools
  • of-switch and of-flood
  • of-check and of-enum
  • of-map, of-access, and of-scan

What Does It Do?
• Identifies OpenFlow Services, Reports on their Versions, and Determines Endpoint Type
• Simulates OpenFlow Switches, and Floods Controllers
• Maps The Network, Identifies Targets, Builds ACLs, and Locates Sensors
• Adds and Removes Access
• Fingerprints And Scans Controllers

Problems It Solves?
• SDN Fingerprinting
• SDN Visibility
• SDN Accessibility
• SDN Testing
  • Authentication
  • Authorization
  • Validation

What’s Changed
• Previously
  • Northbound APIs Hard Coded
  • Floodlight and OpenDaylight Only
• Now
  • Can Be Used With Any Controller
  • Just Extend for New Controller
    • Add Controller To “config.ini”
    • Add Operations To “config.ini”
    • Add Templates For Each Operation

of-scan
• First To Be Programmable
• “of-map” and “of-access” still only speak to Floodlight and OpenDaylight
• They Will Be Ready Soon

Scanning
• Setup Proxy
• Run of-scan
  • Pass proxy address
  • of-scan iterates through all operations
  • Replaces fields with default values
  • Sends them to controller through proxy
• Utilize Burp Active Scan, Repeater, and Intruder
Some Background
• Types of APIs
• Interface
• Datapoints
• Testing Methods

Interfaces
• Exchange
  • RESTful
  • RESTCONF
• Paths
  • Operation
  • Operation and Target

Interfaces
• Formats
  • JSON
  • XML

Data Points
• Identifiers
  • Forwarding Elements (Datapaths) and Flows
  • Domains, Virtual Networks, and Policies
  • Tenants, Networks, and Contracts
• IDs

Types of APIs (OpenDaylight)
• Using DatapathIDs (As Target)
• Using Flows
• Using Operations
• Using IDs (As Target)

Testing Methods (Black Box)
• Fingerprinting Controller
• Encryption Strength
• Authentication Checks
• Password Guessing
• Session Management
• Authorization Scheme
• Validation

Fingerprinting Controller
• of-scan
  • Autodetection Identifies Controller
  • Flat-file database of ports, paths, and authentication mechanisms
  • Is able to authenticate to controller!
• nmap
  • Differentiate between similar controllers
  • Based on open ports

Encryption Strength
• sslyze AND testssl.sh
• Usual
  • Exists?
  • Type (SSL or TLS) and Version
  • Heartbleed, POODLE, Logjam, Bar Mitzvah, Etc.
  • Cipher Suites (Zero? Algorithms? Key Lengths?)

Authentication Checks
• of-scan (HTTP, and Login)
• Basic Checks
  • Am I being required to use a password?
  • Default Password?

Password Guessing
• Guessing
  • HTTP (Basic and NTLM) (thc-hydra)
  • Login (of-scan and Intruder)
• Lockout?

Authentication Checks
• openssl and sslyze (Certificate-Based)
• Expanded Checks
  • Client and Server (Usual)
  • Is It Required? Checks Expiration?
  • Subject Valid? Impersonate Existing?

Session Management
• Use of-scan
• Proxy Through Burp
• Analyze with Sequencer

Authorization Scheme
• of-scan
  • Basic Check
  • Adding and Removing Flows
• of-access
  • Expanded Checks
  • For information gathering, use of-map or MiTM
  • Try To Modify Different Datapaths, Domains, and Tenants

Validation
• Use of-scan
• Proxy Through Burp
• Test With …
  • Active Scan
  • Repeater (Manual Testing)
  • Intruder

Testing Considerations
• Exchanging Messages
  • Check Out Reply From Controller
  • Adjust For Feedback
• Unique And Revealing Error Messages
• Data Being Returned Unfiltered

Manual Approaches
• Inappropriate Data Types
• Different Character Sets (or symbols)
• Data Sizes (Out of Index, String Lengths)
• Injected Single and Double Quotes
• Anything App-Sec!
Currently Configured
• Big Switch Fabric Controller (AKA Floodlight)
• OpenDaylight
• Brocade SDN Controller
• HP VAN SDN Controller
• OpenContrail
• Open Network Operating System
• Cisco Application Policy Infrastructure Controller

Adding New Controllers
• Config Sections
  • Controllers
  • Operations
• Section Syntax
• Minimum Requirements

Section Syntax (Controllers)
• Format
  • Path
  • Identifier (Identifier Name)
  • Port (Port)
  • Method (Method)

Section Syntax (Controllers)
• Headers
• Token Name
• Login Template

Section Syntax (Operations)
• Identifier Name
• Method
• Path
• Template Name

Minimum Requirements
• Controller Entry
• Operation Entries (Used By of-map and of-access)
  • ListFlows
  • AddFlow
  • AllowTraffic
  • DropTraffic

Templates
• Text File of Expected Message
• Gotten From API Documentation
• Used Both By Autodetection and For Operations
• Sample Values Replaced With Fields
• Toolkit Replaces Fields (With Your Values)
• Sent To The Controller

Available Fields
• Switch
• Flowname
• Priority
• Network Source
• Network Destination
• Destination Port
• Actions
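The config-plus-template mechanism the slides describe (the Scanning steps above, and the Controllers/Operations section syntax, Templates and Available Fields just listed), as an added example that is not SDN-Toolkit's own code: it parses a constructed config.ini, substitutes the slide's fields into an operation path and message template, and returns the requests an of-scan-style loop over all operations would hand to the proxy. The section layout, the {{Field}} marker syntax, the host, the OpenDaylight-like paths and the treatment of the controller's own Method/Path as the autodetection probe are all assumptions.

```python
import configparser, re
# Constructed config.ini (assumed layout, not the toolkit's real syntax):
# one controller section and one operation section that refers to it.
CONFIG_INI = """
[controller:ExampleODL]
Port = 8181
Method = GET
Path = /restconf/operational/network-topology:network-topology
Headers = Content-Type: application/json
Token Name = JSESSIONID
[operation:AddFlow]
Identifier = ExampleODL
Method = PUT
Path = /restconf/config/opendaylight-inventory:nodes/node/{{Switch}}/table/0/flow/{{Flowname}}
Template Name = addflow
"""
# Constructed template: sample values from API docs replaced with {{Field}} markers.
TEMPLATES = {"addflow": '{"flow":[{"id":"{{Flowname}}","priority":{{Priority}},'
             '"match":{"ipv4-source":"{{Network Source}}",'
             '"ipv4-destination":"{{Network Destination}}"},'
             '"instructions":"{{Actions}}"}]}'}
# Default values, one per field named on the slides (constructed).
DEFAULT_FIELDS = {"Switch": "openflow:1", "Flowname": "scan-test", "Priority": "100",
                  "Network Source": "10.0.0.1/32", "Network Destination": "10.0.0.2/32",
                  "Destination Port": "80", "Actions": "NORMAL"}
FIELD = re.compile(r"\{\{([^}]+)\}\}")

def fill(text, fields):
    """Replace every {{Field}}; raise on an unknown field so a half-filled
    message is never sent to the controller."""
    def sub(m):
        if m.group(1) not in fields:
            raise KeyError("no value for field %r" % m.group(1))
        return fields[m.group(1)]
    return FIELD.sub(sub, text)

def build_requests(config_text, templates, fields, host="127.0.0.1"):
    """Walk every [operation:*] section, fill path and template, return the requests."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    ctls = {s.split(":", 1)[1]: cfg[s] for s in cfg.sections() if s.startswith("controller:")}
    reqs = []
    for s in (s for s in cfg.sections() if s.startswith("operation:")):
        op, ctl = cfg[s], ctls[cfg[s]["Identifier"]]
        name, val = ctl["Headers"].split(":", 1)
        reqs.append({"operation": s.split(":", 1)[1], "method": op["Method"],
                     "url": "http://%s:%s%s" % (host, ctl["Port"], fill(op["Path"], fields)),
                     "headers": {name.strip(): val.strip()},
                     "body": fill(templates[op["Template Name"]], fields)})
    return reqs
```

Each returned dict is what would be handed to an HTTP client pointed at the Burp proxy; the unknown-field check is the one worth keeping, since a literal `{{Switch}}` reaching the controller only produces a misleading error.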
Final Thoughts
• Standard Attack Tools Still Work Under An SDN
• Controller Presents An Additional Attack Surface
• Visibility, Accessibility, and Testing Is Difficult Without Extensive Prior Knowledge
• Share That Knowledge With The Toolkit
• Attack The Controller Same Way You Would An Application
• Keep The Vendors Accountable
• Keep Your “NextGen” Network Safe

Toolkit SHA1 hash is 570d5e3994ab04bd39ee00fb784f7904db6350d0
Updates can be found at http://sdn-toolkit.sourceforge.net/

Links
• http://www.slideshare.net/SOURCEConference/security-testing-for-rest-applications-ofer-shezaf-source-barcelona-nov-2011
• https://www.owasp.org/index.php/REST_Assessment_Cheat_Sheet
• https://wiki.onosproject.org/pages/viewpage.action?pageId=1048699
• https://wiki.opendaylight.org/view/Editing_OpenDaylight_OpenFlow_Plugin:End_to_End_Flows:Example_Flows#Output_to_NORMAL
• http://www.juniper.net/techpubs/en_US/release-independent/contrail/information-products/pathway-pages/api-server/index.html
• https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:End_to_End_Flows
• https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin::End_to_End_Inventory#How_to_push_a_flow_using_RESTCONF
• https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:Main
• http://networkgeekstuff.com/networking/tutorial-for-creating-first-external-sdn-application-for-hp-sdn-van-controller-part-13-lab-creation-and-rest-api-introduction//