More features for your corporate network: a hacking-based approach (II)



This is the second part of the process started in the article published earlier. In the first part we presented the customer's problem, the possible solutions and the rather original approach we offered. Furthermore, we took the first steps by analyzing the router and its web manager, the protocols and even automating the code injection on the captured frames.

Figure: analyzing and automating the login panel

Analysis of the login panel and the difficulties it poses for automatic manipulation. Example of interaction with the password field: multiple overlapping and dynamic hidden fields.

The automation process has both a functional component (protocol and data exchange) and a visual one. The former was covered by the process described above, so generating the code for automatic manipulation is little more than a "mechanical" step based on the earlier tests. The visual component requires analyzing the entire frontend architecture and design. Because the application has a large amount of dynamic content, the design itself fluctuates, which complicates the analysis in the places that make heavy use of asynchronous requests and interface regeneration (internal router states and propagation of changes).

Figure: analyzing real-time update and removal of components

Analysis of the continuous (POST) requests through which memory is cleared and interface regions are updated from statistics (performance). On the right, the execution stack up to the point where the request is made.

Some of the more complicated parts of this process were the mechanisms for detecting when interface rendering has completed, preserving useful data in memory, and manipulating the login panel. One very common technique is to wait until there are no more network requests (packets) in order to conclude that a page has finished loading. Another is to wait until a certain graphical component is loaded or rendered. The problem with the frontend design of this router's panels is that they are so dynamic that requests are practically constant, memory values are cleared automatically and graphical component IDs are not static (they change frequently). Mechanisms this sophisticated complicate automation, so a few hours of analysis were required.
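The "wait for network idle" heuristic described above breaks down when a panel polls constantly. The tracker below is an added example, not code from the article's tooling: it filters out requests matching a background-poll predicate and reports quiescence only when every remaining request has completed and an idle window has elapsed. Timestamps and events are injected by the caller (in practice from a headless browser's request hooks); the host, paths and the stats endpoint pattern are hypothetical.

```javascript
// Added example (not from the article's tooling): a network-quiescence tracker
// that tolerates constant background polling. Request/response events with
// timestamps are fed in by the caller, so the logic runs without a browser.
class QuiescenceTracker {
  // isBackground(method, url): true for periodic refresh traffic that must not
  // keep the page "busy" forever. idleMs: quiet window after the last event.
  constructor(isBackground, idleMs) {
    this.isBackground = isBackground;
    this.idleMs = idleMs;
    this.inflight = new Map(); // requestId -> url of tracked pending requests
    this.lastActivity = 0;     // timestamp of the last tracked request/response
    this.ignored = 0;          // background requests filtered out
  }
  onRequest(id, method, url, t) {
    if (this.isBackground(method, url)) { this.ignored++; return false; }
    this.inflight.set(id, url);
    this.lastActivity = Math.max(this.lastActivity, t);
    return true;
  }
  onResponse(id, t) {
    if (!this.inflight.delete(id)) return false; // background or unknown id
    this.lastActivity = Math.max(this.lastActivity, t);
    return true;
  }
  // Quiescent when nothing tracked is pending and the idle window has elapsed.
  isQuiescent(now) {
    return this.inflight.size === 0 && now - this.lastActivity >= this.idleMs;
  }
}

// Constructed predicate: the panel's periodic stats refresh is POST traffic to
// a stats endpoint; the path pattern below is a hypothetical placeholder.
const isStatsPoll = (method, url) => method === 'POST' && /\/stats\b/.test(url);

// Constructed timeline (ms): a login navigation interleaved with stats polls.
// Host and paths are hypothetical. Returns the tracker's verdicts for checking.
function simulateLogin() {
  const tr = new QuiescenceTracker(isStatsPoll, 500);
  tr.onRequest(1, 'POST', 'http://router.lan/login.cgi', 0);
  tr.onRequest(2, 'POST', 'http://router.lan/cgi/stats', 100);  // poll, ignored
  tr.onResponse(1, 300);
  tr.onRequest(3, 'GET', 'http://router.lan/status.html', 320);
  tr.onRequest(4, 'POST', 'http://router.lan/cgi/stats', 600);  // poll, ignored
  tr.onResponse(3, 700);                                         // last tracked event
  const tooEarly = tr.isQuiescent(1000);                         // only 300 ms quiet
  tr.onRequest(5, 'POST', 'http://router.lan/cgi/stats', 1100); // poll, ignored
  const settled = tr.isQuiescent(1200);                          // 500 ms quiet
  return { tooEarly, settled, ignored: tr.ignored, pending: tr.inflight.size };
}
```

Without the predicate, the three unanswered polls would keep `inflight` non-empty and quiescence would never be reported.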

Figure: analyzing encryption mechanisms after login

Inside the router management panel. On the right, analysis of the storage and post-login encryption mechanisms (periodically regenerated).

Once we were able to get inside the system automatically, we completed the task by developing a crawler on top of the system we had built. The whole process had been heading in that direction, but it is at this point that we finally perform the typical steps of an HTML (plus network traces and JavaScript) processor and parser. We package the software as a service and expose a simple API for querying the router's network status with router-independent credentials. We chose to offer the service as an operating system daemon (systemd) because this makes it easier to port when we want to run it on another node or management device.

$ curl -H @headers_token "$MNGR_HOST/api/v1/router/status/clients?range=2h&join=stats"
{
  "datetime": "2021-05-18T13:29:38.512Z",
  "version": "1.0",
  "query": "/router/status/clients?range=2h&join=stats",
  "quantity": { "wlan": 2, "wired": 4 },
  "clients": [
    { "ip": "192.168.1.106", "mac": "<HIDDEN>", "name": "srv3", "conn": "wlan" },
    { "ip": "192.168.1.107", "mac": "<HIDDEN>", "name": "estebanlj", "conn": "wired" },
    { "ip": "192.168.1.116", "mac": "<HIDDEN>", "name": "srv1", "conn": "wired" },
    { "ip": "192.168.1.132", "mac": "<HIDDEN>", "name": "srv1", "conn": "wired" },
    { "ip": "192.168.1.148", "mac": "<HIDDEN>", "name": "mar13", "conn": "wlan" },
    { "ip": "192.168.2.1", "mac": "<HIDDEN>", "name": "gate1link", "conn": "wired", "net": "DMZ" }
  ],
  "statistics": {
    "max": { "quantity": 5, "datetime": "2021-05-18T12:41:21.788Z" },
    "min": { "quantity": 3, "datetime": "2021-05-18T11:29:38.512Z" },
    "bouncing": {
      "reconnection": { "quantity": 3, "route": "DMZ-link2", "datetime_last": "2021-05-18T12:18:20.284Z" }
    },
    "alerts": [
      { "type": "warn", "message": "<HIDDEN>" }
    ]
  }
}

Example of a query made to the service built and exposed on the internal network.

A key result of all this work is that other services or applications can now consume this API. Moreover, it becomes possible to compose services and solutions in which knowing or manipulating the state of the network is a substantial advantage (or even indispensable in order to offer the service at all).
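As an added example of such a consumer (not part of the article's service), the function below takes a status response with the shape shown above and turns it into operator findings: hostnames missing from an inventory, one hostname on several IPs, a route that keeps reconnecting, and the router's own alerts. The payload is constructed from the response above and the inventory of expected hosts is invented.

```javascript
// Added example (not part of the article's service): a consumer of the status
// API that turns the JSON shown above into operator findings. The payload is
// constructed from that response; the inventory of expected hosts is invented.
const STATUS = {
  datetime: '2021-05-18T13:29:38.512Z',
  clients: [
    { ip: '192.168.1.106', mac: '<HIDDEN>', name: 'srv3', conn: 'wlan' },
    { ip: '192.168.1.107', mac: '<HIDDEN>', name: 'estebanlj', conn: 'wired' },
    { ip: '192.168.1.116', mac: '<HIDDEN>', name: 'srv1', conn: 'wired' },
    { ip: '192.168.1.132', mac: '<HIDDEN>', name: 'srv1', conn: 'wired' },
    { ip: '192.168.1.148', mac: '<HIDDEN>', name: 'mar13', conn: 'wlan' },
    { ip: '192.168.2.1', mac: '<HIDDEN>', name: 'gate1link', conn: 'wired', net: 'DMZ' },
  ],
  statistics: {
    bouncing: { reconnection: { quantity: 3, route: 'DMZ-link2', datetime_last: '2021-05-18T12:18:20.284Z' } },
    alerts: [{ type: 'warn', message: '<HIDDEN>' }],
  },
};
const KNOWN_HOSTS = new Set(['srv1', 'srv3', 'gate1link', 'estebanlj']); // constructed inventory

// Returns a list of { kind, detail } findings derived from one status response.
// maxBounces: reconnections tolerated on a route before it is reported.
function analyzeStatus(status, knownHosts, maxBounces) {
  const findings = [];
  const ipsByName = new Map();
  for (const c of status.clients) {
    if (!ipsByName.has(c.name)) ipsByName.set(c.name, []);
    ipsByName.get(c.name).push(c.ip);
    // A hostname that is not in the inventory deserves a look.
    if (!knownHosts.has(c.name)) findings.push({ kind: 'unknown-client', detail: `${c.name} at ${c.ip}` });
  }
  // One hostname on several IPs: duplicated device name, stale lease or a spoofed name.
  for (const [name, ips] of ipsByName) {
    if (ips.length > 1) findings.push({ kind: 'duplicate-name', detail: `${name}: ${ips.join(', ')}` });
  }
  const stats = status.statistics || {};
  const bounce = stats.bouncing && stats.bouncing.reconnection;
  // Repeated reconnections on one route point at a flapping link.
  if (bounce && bounce.quantity > maxBounces) {
    findings.push({ kind: 'link-bouncing', detail: `${bounce.route} reconnected ${bounce.quantity} times, last ${bounce.datetime_last}` });
  }
  // Surface the router's own alerts, tagged with their level.
  for (const a of stats.alerts || []) findings.push({ kind: `router-${a.type}`, detail: a.message });
  return findings;
}
```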

Finally, a brief word about the hacking process and the experience with this router. This time the manufacturer has made a significant leap in the quality of the frontend development of the router manager handed to the user: not only has the quality improved, but so have the complexity, the obfuscation and the development practices. It has been quite interesting to carry out this exploration and provide this ad-hoc solution. The most remarkable thing is that we have refreshed our knowledge in an area that is not very common in the work we are asked to do, and at the same time we have been able to put all our experience in web development and communications to use, offering a solution that has saved the customer time and money. At the end of the day, as engineers, it is about offering an efficient, applicable and scalable solution. And what makes the difference between one company and another is the ability to offer solutions where others do not see them.

We just hope that hardware manufacturers will get their act together and become aware of consumers' needs. If the device's developers and engineers had offered an API or an automatable management interface, most of this effort would not have been necessary. This is not a very ambitious request, as we are talking about devices with a considerable price tag for the non-professional market, which many SMEs and freelancers nevertheless use for their convenience.

Offering this type of solution is not an easy task, as it requires both problem-solving creativity and a wide range of technical knowledge. Some of the techniques applied go beyond the projects and types of solutions we usually offer, but if experience tells us anything, it is that the broader the technical spectrum mastered, the better the answers that can be given. Among the courses we currently teach to companies, we would highlight Frontend Web Technologies and Web Application Architecture as the most relevant to the experience outlined in both articles.
