Re: Privacy of ISP's customers

[Javier Fernández-Sanguino <jfernandez () germinus com>]

Alcides dijo:
> Hi List,
> I'm presently working with a semi-government ISP as a security consultant.
> The ISP has provided Internet access to the customers via phone lines, 
> it's DSL.

The ISP managers seem to be clueless. The issues you described were 
fixed by DSL ISPs in most locations a long time. Basicly it reduces to this:

a) If you put computers in the same VLAN then they can talk between 
themselves.
b) If some of those computers gets compromised, the compromise can 
spread to the other computers.

Some ISPs will put all their customers in a single VLAN with public 
addresses but will have switching fabric that will prevent customer A to 
talking to customer B, they can only send traffic to their gateway and 
not to anyone else. Of course, this works fine if we are talking about 
residential customers (they don't need to speak between themselves) but 
no so much for corporate customers (which need to).

> The customer is given q DSL router as a CPE. ISP people configure it 
> with 2 IP addresses; one local and one global, and implement NAT for 
> security. And the router is configured using both ie Global/Private IP 
> address in a browser.

Routers should never be configured to be remotely managed using global 
(I guess you mean "public") IP addresses. Never. Period.

> I recently have been asked to find out loopholes in the mentioned system 
> where the customer's privacy is not taken care or can be compromised. 

I don't understand this line. Is customer's privacy important or not?

> Now when I started my activities impersonating a normal customer, I 
> found that:
> 1]I can nmap and discover open ports on my and neighboring IP addresses.

That's because they have an unrestricted VLAN. They shouldn't do that. 
They should setup private VLANs.

> 2] This included HTTP, HTTPS, FTP, SMB, NB-SSN etc services listening 
> for incoming connections.

Why are those ports even available through the router? They should be 
firewalled out. Is there any need for users to, for example, share 
folders across that network?

> 3]When I try to connect to some customer's HTTP port, I'm taken to 
> his/her DSL-router(CPE) config. page, Configuration password is asked 
> but is blank.

Two issues here:
- DSL-routers should not allow management from external ports
- DSL-routers should not be installed with factory defaults (blank 
passwords)


> Now my questions:
> 1]What kind of tests can be carried out in order to find out what level 
> of access can other customers gain and

There's lots of things you can do. You can

a) configure a DSL-router of another customer to send *you* its traffic 
(setting your public address as its gateway). Then configure your router 
to act as a bridge (some allow this) and handle the traffic by a system 
sitting behind the router that would capture all the traffic and forward 
it to the legitimate gateway. Acting as MITM you can modify network 
flows in order to substitute legitimate files downloaded from the 
Internet with trojans to compromise the system.

b) try to access remotely the shares of users running Windows can be 
accessed (if they allow null IPC$ mapping, have insecure passwords, 
etc.). If you can do this and you can write to disk you can probably 
plant trojans that will eventually compromise the system.

c) configure the DSL-router of other customers to map public ports to 
internal hosts in order to access (from a public host) additional 
servers that could be (remotely) compromised. Depending on the systems 
and software behind the DSL router you might get acess to VNC services, 
Terminal Services, etc.

> 2]What degree of impact can it have as far as the privacy of the 
> customers is considered.

I'd say you have all the elements needed to compromise *any* of the 
customer computers. It might take some (fun) work but, on the paper, it 
certainly looks doable.

Regards

Javier

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------