
View Full Version : Hacking the SonicWall


NamelessNom4d
02-25-2009, 01:50 AM
Okay... I know what many of you probably thought when you read that title, but no, this isn't going to be your generic kidiot post about "how i hack thru firewall at school lol?"

I'm a highschool senior, and I know some of the basic mechanics of hacking, and I know how to do some light programming. I know C++, Java, have used Visual Basic Script a few times and am keen to learn Javascript. Anyway, today I was at school, dicking around on the computer as usual.

Eventually I got bored and thought, hmmm... what mischief can I get into? So I started typing in IP addresses into the address bar. The IP address for the school network storage is 10.0.0.19 (I think that's what it was anyway), so I got curious... Everyone knows how you type 192.168.1.1 into your browser at home and it takes you your router login. So I thought, hmmm... I should be able to get to the SonicWall login using the same principle. So I typed some shit in and found that the login is at 10.0.0.2. I saved the webpage to my flash drive, and I checked out the contents.

I analyzed the source and found that the login page handles login requests through a few Javascript files, and I believe it authenticates or some shit through MD5 encryption (forgive me, I'm a noob). Anyway, I was thinking... would I be able to trick the SonicWall into logging me in through a series of Javascript injections?

I think it would be an interesting senior prank to hack into the SonicWall and unblock every web page but block the school's website and Google.com. And of course change the password to make it more difficult for the tech people to remedy the error... *mischievous laugh*

Anyway, I'm a noob, so firstly I want to know if this is possible. Secondly I obviously want help or advice on how to do this from the more experienced people here. I learn pretty quickly. I don't exactly know Javascript... but it's nothing I can't figure out by playing around with it a bit.

**Disclaimer** I also don't want to do this for any "destructive" purpose... I mostly just want to learn. Of course, if I get in, senior lulz will be had. :D

http://rapidshare.de/files/45605808/SonicWall.rar.html That's the saved SonicWall login.

tl;dr - I'm a noob and want to learn how to hack shit through Javascript injection.

Jo Nathen
02-25-2009, 03:19 AM
Good post. That's why I take electronics apart... to see what I can modify.

Sonicwall daze. haha.

zeusy|Nemsis
02-25-2009, 04:39 AM
Using the XSS (http://search.securityfocus.com/swsearch?query=sonicwall&sbm=bid&submit=Search%21&metaname=alldoc&sort=swishrank) you could potentially get a session-id cookie of some sort using javascript.

Then you could simply change the username/password and you're set.

NamelessNom4d
02-26-2009, 03:50 AM
Using the XSS (http://search.securityfocus.com/swsearch?query=sonicwall&sbm=bid&submit=Search%21&metaname=alldoc&sort=swishrank) you could potentially get a session-id cookie of some sort using javascript.

Then you could simply change the username/password and you're set.

Can you elaborate on this a bit?

NamelessNom4d
02-26-2009, 08:19 PM
Hmmm. This looks like it could have some potential value: http://www.securityfocus.com/bid/4755/discuss

I'm really still trying to figure this out. Can anyone help me? I'm completely lost.

Syphilis
02-28-2009, 11:10 PM
The password which is typed on the login screen gets hashed by the MD5 algorithm. If the hash matches the hash that the sonicwall server has stored, you are logged in.

The password on the login screen is either hashed on the local computer and sent to the server to be checked against the stored hash, or is hashed on the local computer, and then the stored hash is sent over from the server to the local computer and the two hashes are compared on the local computer.

If the latter system is used (doubtful), you could use a packet sniffer like Wireshark to analyse the traffic to look for the proper hash, and then crack it with John The Ripper.

Might take a look at the saved page a little later. Do you know if it uses HTTPS or SSL, or if there is no encryption over the LAN connection?

NamelessNom4d
03-01-2009, 03:53 PM
The password which is typed on the login screen gets hashed by the MD5 algorithm. If the hash matches the hash that the sonicwall server has stored, you are logged in.

The password on the login screen is either hashed on the local computer and sent to the server to be checked against the stored hash, or is hashed on the local computer, and then the stored hash is sent over from the server to the local computer and the two hashes are compared on the local computer.

If the latter system is used (doubtful), you could use a packet sniffer like Wireshark to analyse the traffic to look for the proper hash, and then crack it with John The Ripper.

Might take a look at the saved page a little later. Do you know if it uses HTTPS or SSL, or if there is no encryption over the LAN connection?

Ok good someone knows something ;). That makes sense as to how it works... a bit more complicated than I thought though. How would I use Wireshark to sniff the packets? I have it but I've never really used it before. Do I just generate traffic by making login attempts?

As for the encryption... I just typed 10.0.0.2 into the address bar, and I discovered the login page. I would assume it is encrypted somehow... maybe through SSL?

Jo Nathen
03-02-2009, 12:26 AM
Ok good someone knows something ;). That makes sense as to how it works... a bit more complicated than I thought though. How would I use Wireshark to sniff the packets? I have it but I've never really used it before. Do I just generate traffic by making login attempts?

As for the encryption... I just typed 10.0.0.2 into the address bar, and I discovered the login page. I would assume it is encrypted somehow... maybe through SSL?

That's too easy... try the usual:
User - Admin
Password - Password

I have used user name: 1 and password: 1... and got onto a network from high school before haha.

Syphilis
03-02-2009, 04:26 AM
Ok good someone knows something ;). That makes sense as to how it works... a bit more complicated than I thought though. How would I use Wireshark to sniff the packets? I have it but I've never really used it before. Do I just generate traffic by making login attempts?

As for the encryption... I just typed 10.0.0.2 into the address bar, and I discovered the login page. I would assume it is encrypted somehow... maybe through SSL?

Yes, login attempts should generate the traffic you need. One should be enough, but do two or three to make sure you get everything.

The page itself won't be encrypted, but the connection might, which would make things very difficult. Since it's on a LAN, it may not be.

If it's not encrypted, and the stored hash is sent to your computer to be matched against the hash of the password you entered (not likely, unfortunately), you should be able to capture the real hash and use John The Ripper to crack it.

incudie
04-15-2009, 10:29 PM
Interesting stuff. I can tell you that by default, on the LAN, http and https are enabled for management (if it's running 3.2+ then SSH also).

The SSH is based on OpenSSH (so do a scan and find out what version it's running). You might be able to find an exploit. The webserver is running Tomcat (I believe). The OS is VXWorks (screwed up distro of Linux). It may help also to find out what kind of Sonicwall you are running. Check your arp cache, does the mac start with 0006B1? If so it is a previous generation (Pro series most likely). If it starts with 0017 then it's a TZ190 or newer.

Sonicwall is insane about licensing (in fact they accidentally took down every Sonicwall because they b0rked their license server). You might want to try and figure out what host the Sonicwall tries to connect to for license syncs and maybe do a DNS poison to redirect it to kitten war (after so long the licensed services fail, such as the content filter).

If it's a *somewhat* current version you might want to try and append "popup" to the end of the url at the login screen. It might just let you upload a different settings file (oops did I say that?)

I'll check the wireshark bit in a few min and let you know if I see a hash.

Good luck!

*Just tried a capture*

Here's a helping hand for ya, this is a capture of logging on the LAN via HTTP (from a linux box to the Sonicwall 2040 running 3.2+)

POST /auth.cgi HTTP/1.1
Host: 10.1.1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009033100 Ubuntu/9.04 (jaunty) Firefox/3.0.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://10.1.1.1/auth1.html
Cookie: temp=temp; SessId=-2005221440; PageSeed=0f719e0c8318ee5f4174d6a751a82325; Bar=0; lastFolderClicked=IMG03; 555=systemAdministrationView.html; 777=0; 1001=1; 1000=1; 1003=1; 1002=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 165

param1=6C7191B122B9C727D3C9C10B3EA595A7&param2=DFAA9E783E1E65E8737D91EB67FE1B65&sessId=-2005221440&id=02&uName=admin&pass=&digest=d9f3cf9aab31f4d4c520c3ce4b6ad42f

HTTP/1.0 200 OK
Server: SonicWALL
Content-type: text/html; charset=UTF-8

<HTML>
<HEAD><TITLE>Document Moved</TITLE>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD>
<BODY onLoad="top.location.href = 'management.html';">
This document has moved <A HREF="management.html">here</A>
</BODY>
</HEAD>



Hmm this might be good for you =;)

http://forums.remote-exploit.org/showthread.php?t=2891
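Added example, not code from the thread or from SonicWALL: it ties Syphilis's explanation of client-side MD5 hashing to incudie's capture above. The capture's form body is parsed to show what actually crosses the wire (pass= is empty; param1/param2 look like device-issued challenge values and digest is a 32-hex MD5), and a challenge/response login is then simulated and attacked the way a sniffer-plus-cracker attack would work. The digest construction MD5(challenge + username + password) is an assumption made for illustration; the real formula is in the login page's JavaScript files and is not reproduced on this page. The wordlist and the simulated password are constructed.

```python
import hashlib
from urllib.parse import parse_qs

# The POST body from incudie's capture above, minus the response line that
# the extraction fused onto its end ("HTTP/1.0 200 OK").
CAPTURED_BODY = (
    "param1=6C7191B122B9C727D3C9C10B3EA595A7"
    "&param2=DFAA9E783E1E65E8737D91EB67FE1B65"
    "&sessId=-2005221440&id=02&uName=admin&pass="
    "&digest=d9f3cf9aab31f4d4c520c3ce4b6ad42f"
)


def parse_login_post(body):
    """Split an application/x-www-form-urlencoded body into single-valued fields.

    keep_blank_values matters: the empty pass= field is the evidence that the
    cleartext password never left the browser, only a digest did.
    """
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def response_digest(challenge, username, password):
    """ASSUMED digest construction: MD5(challenge + username + password).

    The real SonicOS formula lives in the login page's JavaScript and is not
    on this page; whatever it is, the cracking loop below only needs to be
    told the same formula.
    """
    return hashlib.md5((challenge + username + password).encode()).hexdigest()


def crack_digest(challenge, username, digest, wordlist):
    """Offline dictionary attack on a sniffed digest: recompute per candidate.

    The digest is not reversible, so each guess costs one MD5, and the
    challenge has to have been captured along with the digest.
    """
    digest = digest.lower()
    for candidate in wordlist:
        if response_digest(challenge, username, candidate) == digest:
            return candidate
    return None


def simulate_and_crack(password, wordlist):
    """Play both sides of the exchange with a known (constructed) password,
    then attack it using only what an on-path sniffer would see."""
    challenge = "6C7191B122B9C727D3C9C10B3EA595A7"  # nonce issued by the device
    # Browser side: hash locally, send the digest, leave pass= empty (as captured).
    sent = {
        "uName": "admin",
        "pass": "",
        "digest": response_digest(challenge, "admin", password),
    }
    # Sniffer side: sees the challenge (param1) and the form fields, never the password.
    return crack_digest(challenge, sent["uName"], sent["digest"], wordlist)


if __name__ == "__main__":
    fields = parse_login_post(CAPTURED_BODY)
    print("password field on the wire:", repr(fields["pass"]))
    print("digest on the wire:", fields["digest"])
    # Constructed wordlist; "s0nicwall" is the simulated admin password.
    print("cracked (simulated):", simulate_and_crack("s0nicwall", ["admin", "password", "s0nicwall"]))
```

The practical consequence for the thread's plan: with a challenge in the exchange, replaying a sniffed digest does not log you in and the stored hash never appears on the wire, so Wireshark gives you a cracking job whose cost depends entirely on the admin's password, and John the Ripper has to be pointed at the exact digest formula taken from the JavaScript.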

eSparq
04-16-2009, 02:35 AM
Interesting stuff. I can tell you that by default, on the LAN, http and https are enabled for management (if it's running 3.2+ then SSH also).

Well, you can try looking up the specific versions of the HTTP server and see if there are any known exploits -- it's as easy as "webserver version exploit", where you substitute the server name and version of course.


The SSH is based on OpenSSH (so do a scan and find out what version it's running). You might be able to find an exploit. The webserver is running Tomcat (I believe). The OS is VXWorks (screwed up distro of Linux). It may help also to find out what kind of Sonicwall you are running. Check your arp cache, does the mac start with 0006B1? If so it is a previous generation (Pro series most likely). If it starts with 0017 then it's a TZ190 or newer.


First, VXWorks is NOT LINUX. It's VXWorks, a Unix-like operating system developed by Wind River for embedded systems use. (http://www.windriver.com/products/vxworks/) You can look for exploits for it the same way as you look for exploits for other software. (There are more effective searches than the one I gave above, but it's usually enough.)

Wind River does have a Linux distro though.

You're right, it's likely that the services have vulnerabilities. That's a decent place to start.


Sonicwall is insane about licensing (in fact they accidentally took down every Sonicwall because they b0rked their license server). You might want to try and figure out what host the Sonicwall tries to connect to for license syncs and maybe do a DNS poison to redirect it to kitten war (after so long the licensed services fail, such as the content filter).


I wouldn't be surprised if the whole device failed shut -- that is, if it stopped all traffic passing over it. That's how I'd code it, only allowing the packets out to attempt to contact the license server.


If it's a *somewhat* current version you might want to try and append "popup" to the end of the url at the login screen. It might just let you upload a different settings file (oops did I say that?)


Interesting... Might also be useful for an XSS attack.

I don't really have anything to say about the rest of your post, so I'll save a little space by not quoting it.

Zip
04-19-2009, 09:40 PM
I have a SonicWall TZ-150 and SSL VPN 200. One thing SonicWall does very well is monitoring, so if the administrator has configured it at all properly, any failed login attempts or any number of other attempted breaches in security will immediately be reported by email. All of the other advice is very good if you're looking for vulnerabilities, but this is something you should keep in mind. SonicWall is also very good at addressing security disclosures quickly.
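Added example, not from the thread or from SonicWALL, showing the defender's side of Zip's point: the kind of detection an administrator who forwards the device's syslog would run to catch the login attempts discussed above. SonicWALL syslog lines are space-separated key=value pairs with quoted values; the sample lines below are constructed, and the message ID (m=30) and message text used to identify a failed administrator login are assumptions for this example, not values taken from this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the key=value syslog style. The m=30 ID and the
# "login denied" text are ASSUMED; check the log reference for your own unit.
SAMPLE_SYSLOG = """\
id=firewall sn=0017C5AABBCC time="2009-04-19 21:30:01" fw=10.0.0.2 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" usr="admin" src=10.0.0.57:2211:X0 dst=10.0.0.2:80:X0
id=firewall sn=0017C5AABBCC time="2009-04-19 21:30:04" fw=10.0.0.2 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" usr="admin" src=10.0.0.57:2212:X0 dst=10.0.0.2:80:X0
id=firewall sn=0017C5AABBCC time="2009-04-19 21:30:09" fw=10.0.0.2 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" usr="admin" src=10.0.0.57:2213:X0 dst=10.0.0.2:80:X0
id=firewall sn=0017C5AABBCC time="2009-04-19 21:31:40" fw=10.0.0.2 pri=6 c=16 m=98 msg="Connection Opened" src=10.0.0.88:50123:X0 dst=74.125.19.99:80:X1
id=firewall sn=0017C5AABBCC time="2009-04-19 21:45:00" fw=10.0.0.2 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" usr="admin" src=10.0.0.12:3100:X0 dst=10.0.0.2:80:X0
"""

# key=value where value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
FAILED_LOGIN_MSG_ID = "30"  # ASSUMED message ID for "login denied"


def parse_syslog_line(line):
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def src_ip(fields):
    """src looks like 10.0.0.57:2211:X0 (ip:port:interface); keep only the ip."""
    return fields.get("src", "").split(":")[0]


def failed_admin_logins(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: count} for every source with at least `threshold`
    failed administrator logins inside some sliding window of length `window`.

    Sliding rather than fixed buckets, so a burst straddling a bucket
    boundary is still counted as one burst.
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        f = parse_syslog_line(line)
        if f.get("m") != FAILED_LOGIN_MSG_ID:
            continue
        ts = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
        by_src[src_ip(f)].append(ts)

    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        best = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, count in failed_admin_logins(SAMPLE_SYSLOG).items():
        print(f"ALERT: {count} failed admin logins from {src} within 5 minutes")
```

Three attempts from 10.0.0.57 in eight seconds trip the default threshold; the single attempt from 10.0.0.12 does not. That is the same signal Zip describes the device emailing on its own, which is why the "live cd/usb" advice in the next reply changes the hostname and MAC the logs show but not the fact that the attempts are logged.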

Raziel
06-22-2009, 01:03 PM
I have a SonicWall TZ-150 and SSL VPN 200. One thing SonicWall does very well is monitoring, so if the administrator has configured it at all properly, any failed login attempts or any number of other attempted breaches in security will immediately be reported by email. All of the other advice is very good if you're looking for vulnerabilities, but this is something you should keep in mind. SonicWall is also very good at addressing security disclosures quickly.
This, so use a live cd/usb.

SonicWall is also very good at addressing security disclosures quickly.
And I think we all know that if the administrator knew jack shit about good security practises, he wouldn't be working at a school.