Zoklet.net

#1, posted 02-25-2009, 01:50 AM by NamelessNom4d (Procrastination Expert; joined Jan 2009; Pennsylvania)
Hacking the SonicWall

Okay... I know what many of you probably thought when you read that title, but no, this isn't going to be your generic kidiot post about "how i hack thru firewall at school lol?"

I'm a high school senior, and I know some of the basic mechanics of hacking, and I know how to do some light programming. I know C++, Java, have used Visual Basic Script a few times and am keen to learn JavaScript. Anyway, today I was at school, dicking around on the computer as usual.

Eventually I got bored and thought, hmmm... what mischief can I get into? So I started typing IP addresses into the address bar. The IP address for the school network storage is 10.0.0.19 (I think that's what it was anyway), so I got curious... Everyone knows how you type 192.168.1.1 into your browser at home and it takes you to your router login. So I thought, hmmm... I should be able to get to the SonicWall login using the same principle. So I typed some shit in and found that the login is at 10.0.0.2. I saved the webpage to my flash drive, and I checked out the contents.

I analyzed the source and found that the login page handles login requests through a few JavaScript files, and I believe it authenticates or some shit through MD5 encryption (forgive me, I'm a noob). Anyway, I was thinking... would I be able to trick the SonicWall into logging me in through a series of JavaScript injections?

I think it would be an interesting senior prank to hack into the SonicWall and unblock every web page but block the school's website and Google.com. And of course change the password to make it more difficult for the tech people to remedy the error... *mischievous laugh*

Anyway, I'm a noob, so firstly I want to know if this is possible. Secondly I obviously want help or advice on how to do this from the more experienced people here. I learn pretty quickly. I don't exactly know JavaScript... but it's nothing I can't figure out by playing around with it a bit.

**Disclaimer** I also don't want to do this for any "destructive" purpose... I mostly just want to learn. Of course, if I get in, senior lulz will be had.

http://rapidshare.de/files/45605808/SonicWall.rar.html That's the saved SonicWall login.

tl;dr - I'm a noob and want to learn how to hack shit through JavaScript injection.

Last edited by NamelessNom4d; 02-26-2009 at 03:57 AM.
#2, posted 02-25-2009, 03:19 AM by Jo Nathen (Peasant; joined Feb 2009; NJ, center of it.)
Re: Hacking the SonicWall

Good post. That's why I take electronics apart... to see what I can modify.

Sonicwall daze. haha.
#3, posted 02-25-2009, 04:39 AM by zeusy|Nemsis (Member; joined Jan 2009)
Re: Hacking the SonicWall

Using XSS you could potentially get a session-id cookie of some sort using JavaScript.

Then you could simply change the username/password and you're set.
#4, posted 02-26-2009, 03:50 AM by NamelessNom4d (Procrastination Expert; joined Jan 2009; Pennsylvania)
Re: Hacking the SonicWall

Quote:
Originally Posted by zeusy|Nemsis
Using XSS you could potentially get a session-id cookie of some sort using JavaScript.

Then you could simply change the username/password and you're set.
Can you elaborate on this a bit?
#5, posted 02-26-2009, 08:19 PM by NamelessNom4d (Procrastination Expert; joined Jan 2009; Pennsylvania)
Re: Hacking the SonicWall

Hmmm. This looks like it could have some potential value: http://www.securityfocus.com/bid/4755/discuss

I'm really still trying to figure this out. Can anyone help me? I'm completely lost.
#6, posted 02-28-2009, 11:10 PM by Syphilis (Marquis; joined Feb 2009; Deep inside your girlfriend)
Re: Hacking the SonicWall

The password which is typed on the login screen gets hashed by the MD5 algorithm. If the hash matches the hash that the SonicWall server has stored, you are logged in.

The password on the login screen is either hashed on the local computer and sent to the server to be checked against the stored hash, or is hashed on the local computer, and then the stored hash is sent over from the server to the local computer and the two hashes are compared on the local computer.

If the latter system is used (doubtful), you could use a packet sniffer like Wireshark to analyse the traffic to look for the proper hash, and then crack it with John The Ripper.

Might take a look at the saved page a little later. Do you know if it uses HTTPS or SSL, or if there is no encryption over the LAN connection?
#7, posted 03-01-2009, 03:53 PM by NamelessNom4d (Procrastination Expert; joined Jan 2009; Pennsylvania)
Re: Hacking the SonicWall

Quote:
Originally Posted by Syphilis
The password which is typed on the login screen gets hashed by the MD5 algorithm. If the hash matches the hash that the SonicWall server has stored, you are logged in.

The password on the login screen is either hashed on the local computer and sent to the server to be checked against the stored hash, or is hashed on the local computer, and then the stored hash is sent over from the server to the local computer and the two hashes are compared on the local computer.

If the latter system is used (doubtful), you could use a packet sniffer like Wireshark to analyse the traffic to look for the proper hash, and then crack it with John The Ripper.

Might take a look at the saved page a little later. Do you know if it uses HTTPS or SSL, or if there is no encryption over the LAN connection?
Ok, good, someone knows something. That makes sense as to how it works... a bit more complicated than I thought though. How would I use Wireshark to sniff the packets? I have it but I've never really used it before. Do I just generate traffic by making login attempts?

As for the encryption... I just typed 10.0.0.2 into the address bar, and I discovered the login page. I would assume it is encrypted somehow... maybe through SSL?
#8, posted 03-02-2009, 12:26 AM by Jo Nathen (Peasant; joined Feb 2009; NJ, center of it.)
Re: Hacking the SonicWall

Quote:
Originally Posted by Slice_760
Ok, good, someone knows something. That makes sense as to how it works... a bit more complicated than I thought though. How would I use Wireshark to sniff the packets? I have it but I've never really used it before. Do I just generate traffic by making login attempts?

As for the encryption... I just typed 10.0.0.2 into the address bar, and I discovered the login page. I would assume it is encrypted somehow... maybe through SSL?
That's too easy... try the usual:
User - Admin
Password - Password

I have used username 1 and password 1... and got onto a network from high school before, haha.
#9, posted 03-02-2009, 04:26 AM by Syphilis (Marquis; joined Feb 2009; Deep inside your girlfriend)
Re: Hacking the SonicWall

Quote:
Originally Posted by Slice_760
Ok, good, someone knows something. That makes sense as to how it works... a bit more complicated than I thought though. How would I use Wireshark to sniff the packets? I have it but I've never really used it before. Do I just generate traffic by making login attempts?

As for the encryption... I just typed 10.0.0.2 into the address bar, and I discovered the login page. I would assume it is encrypted somehow... maybe through SSL?
Yes, login attempts should generate the traffic you need. One should be enough, but do two or three to make sure you get everything.

The page itself won't be encrypted, but the connection might be, which would make things very difficult. Since it's on a LAN, it may not be.

If it's not encrypted, and the stored hash is sent to your computer to be matched against the hash of the password you entered (not likely, unfortunately), you should be able to capture the real hash and use John The Ripper to crack it.
#10, posted 04-15-2009, 10:29 PM by incudie (New Arrival; joined Apr 2009)
Re: Hacking the SonicWall
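The two client-side hashing designs Syphilis describes in posts #6 and #9, simulated as an added Python example (not from the thread and not SonicWall's code; the password, the seed scheme and all names are constructed). The first design makes MD5(password) a replayable password equivalent; the second needs no code, since the stored hash itself is on the wire. The mitigation shown is a one-time server-issued challenge, which is what makes a captured login useless on replay.

```python
import hashlib
import secrets

def md5_hex(*parts: str) -> str:
    """MD5 of the concatenated parts as lowercase hex (MD5 only because the thread discusses it)."""
    return hashlib.md5("".join(parts).encode()).hexdigest()

# Constructed credential for the simulation, not a value from any real device.
PASSWORD = "correct horse battery"
STORED_HASH = md5_hex(PASSWORD)

# Design 1 (first option in the post): client sends MD5(password), server compares it.
# Whoever captures that request holds a password equivalent and can simply replay it.
def design1_server_check(client_hash: str) -> bool:
    return client_hash == STORED_HASH

# Mitigation: challenge-response. The server issues a one-time random seed and expects
# MD5(seed + MD5(password)); a replayed capture carries a seed it no longer accepts.
class ChallengeServer:
    def __init__(self) -> None:
        self._outstanding = set()

    def issue_seed(self) -> str:
        seed = secrets.token_hex(16)
        self._outstanding.add(seed)
        return seed

    def check(self, seed: str, digest: str) -> bool:
        if seed not in self._outstanding:
            return False                  # unknown or already-used seed: replay rejected
        self._outstanding.discard(seed)   # each seed is valid exactly once
        return secrets.compare_digest(digest, md5_hex(seed, STORED_HASH))

def challenge_client_respond(seed: str, password: str) -> str:
    return md5_hex(seed, md5_hex(password))

def demo() -> dict:
    """Plays each design once, then replays the captured message; returns the server's verdicts."""
    sniffed_hash = md5_hex(PASSWORD)            # what a sniffer sees on the wire under design 1
    srv = ChallengeServer()
    seed = srv.issue_seed()
    sniffed_digest = challenge_client_respond(seed, PASSWORD)
    return {
        "design1_replay_accepted": design1_server_check(sniffed_hash),
        "challenge_first_use": srv.check(seed, sniffed_digest),
        "challenge_replay": srv.check(seed, sniffed_digest),
    }
```

The challenge defeats replay but not offline guessing of a captured (seed, digest) pair against a weak password, so the exchange still belongs under TLS; incudie notes further down that HTTPS management is enabled on the LAN by default.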

Interesting stuff. I can tell you that by default, on the LAN, HTTP and HTTPS are enabled for management (if it's running 3.2+ then SSH also).

The SSH is based on OpenSSH (so do a scan and find out what version it's running). You might be able to find an exploit. The webserver is running Tomcat (I believe). The OS is VXWorks (screwed up distro of Linux). It may help also to find out what kind of SonicWall you are running. Check your arp cache, does the MAC start with 0006B1? If so it is a previous generation (Pro series most likely). If it starts with 0017 then it's a TZ190 or newer.

Sonicwall is insane about licensing (in fact they accidentally took down every Sonicwall because they b0rked their license server). You might want to try and figure out what host the Sonicwall tries to connect to for license syncs and maybe do a DNS poison to redirect it to kitten war (after so long the licensed services fail, such as the content filter).

If it's a *somewhat* current version you might want to try and append "popup" to the end of the URL at the login screen. It might just let you upload a different settings file (oops did I say that?)

I'll check the wireshark bit in a few min and let you know if I see a hash.

Good luck!

*Just tried a capture*

Here's a helping hand for ya, this is a capture of logging in over the LAN via HTTP (from a Linux box to the SonicWall 2040 running 3.2+)

Quote:
POST /auth.cgi HTTP/1.1
Host: 10.1.1.1
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko/2009033100 Ubuntu/9.04 (jaunty) Firefox/3.0.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://10.1.1.1/auth1.html
Cookie: temp=temp; SessId=-2005221440; PageSeed=0f719e0c8318ee5f4174d6a751a82325; Bar=0; lastFolderClicked=IMG03; 555=systemAdministrationView.html; 777=0; 1001=1; 1000=1; 1003=1; 1002=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 165

param1=6C7191B122B9C727D3C9C10B3EA595A7&param2=DFAA9E783E1E65E8737D91EB67FE1B65&sessId=-2005221440&id=02&uName=admin&pass=&digest=d9f3cf9aab31f4d4c520c3ce4b6ad42f

HTTP/1.0 200 OK
Server: SonicWALL
Content-type: text/html; charset=UTF-8

<HTML>
<HEAD><TITLE>Document Moved</TITLE>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD>
<BODY onLoad="top.location.href = 'management.html';">
This document has moved <A HREF="management.html">here</A>
</BODY>
</HEAD>

Hmm, this might be good for you:

http://forums.remote-exploit.org/showthread.php?t=2891

Last edited by incudie; 04-15-2009 at 10:45 PM.
#11, posted 04-16-2009, 02:35 AM by eSparq (Member; joined Feb 2009)
Re: Hacking the SonicWall

Quote:
Originally Posted by incudie
Interesting stuff. I can tell you that by default, on the LAN, HTTP and HTTPS are enabled for management (if it's running 3.2+ then SSH also).
Well, you can try looking up the specific versions of the HTTP server and see if there are any known exploits -- it's as easy as "webserver version exploit", where you substitute the server name and version of course.

Quote:
Originally Posted by incudie
The SSH is based on OpenSSH (so do a scan and find out what version it's running). You might be able to find an exploit. The webserver is running Tomcat (I believe). The OS is VXWorks (screwed up distro of Linux). It may help also to find out what kind of SonicWall you are running. Check your arp cache, does the MAC start with 0006B1? If so it is a previous generation (Pro series most likely). If it starts with 0017 then it's a TZ190 or newer.
First, VXWorks is NOT LINUX. It's VXWorks, a Unix-like operating system developed by Wind River for embedded systems use. (http://www.windriver.com/products/vxworks/) You can look for exploits for it the same way as you look for exploits for other software. (There are more effective searches than the one I gave above, but it's usually enough.)

Wind River does have a Linux distro though.

You're right, it's likely that the services have vulnerabilities. That's a decent place to start.

Quote:
Originally Posted by incudie
Sonicwall is insane about licensing (in fact they accidentally took down every Sonicwall because they b0rked their license server). You might want to try and figure out what host the Sonicwall tries to connect to for license syncs and maybe do a DNS poison to redirect it to kitten war (after so long the licensed services fail, such as the content filter).
I wouldn't be surprised if the whole device failed shut -- that is, if it stopped all traffic passing over it. That's how I'd code it, only allowing the packets out to attempt to contact the license server.

Quote:
Originally Posted by incudie
If it's a *somewhat* current version you might want to try and append "popup" to the end of the URL at the login screen. It might just let you upload a different settings file (oops did I say that?)
Interesting... Might also be useful for an XSS attack.

I don't really have anything to say about the rest of your post, so I'll save a little space by not quoting it.
#12, posted 04-19-2009, 09:40 PM by Zip (Mud Farmer; joined Jan 2009; Pittsburgh, PA)
Re: Hacking the SonicWall

I have a SonicWall TZ-150 and SSL VPN 200. One thing SonicWall does very well is monitoring, so if the administrator has configured it at all properly, any failed login attempts or any number of other attempted breaches in security will immediately be reported by email. All of the other advice is very good if you're looking for vulnerabilities, but this is something you should keep in mind. SonicWall is also very good at addressing security disclosures quickly.
#13, posted 06-22-2009, 01:03 PM by Raziel (Count; joined Apr 2009)
Re: Hacking the SonicWall

Quote:
Originally Posted by Zip
I have a SonicWall TZ-150 and SSL VPN 200. One thing SonicWall does very well is monitoring, so if the administrator has configured it at all properly, any failed login attempts or any number of other attempted breaches in security will immediately be reported by email. All of the other advice is very good if you're looking for vulnerabilities, but this is something you should keep in mind. SonicWall is also very good at addressing security disclosures quickly.
This, so use a live cd/usb.

Quote:
Originally Posted by Zip
SonicWall is also very good at addressing security disclosures quickly.
And I think we all know that if the administrator knew jack shit about good security practices, he wouldn't be working at a school.