Ethical Hacking: Hacking GMail. Teaching Hacking.

Post on 14-Jan-2016

Ethical Hacking: Hacking GMail

Teaching Hacking

What do Hackers Do?

Get into computer systems without valid accounts and passwords

Open encrypted files without the key

Take over Web servers

Collect passwords from Internet traffic

Take over computers with remote access trojans

And much, much more

Ethical Hackers

Ethical Hackers do the same thing criminal hackers do, with one difference

Ethical Hackers have permission from the owner of the machines to hack in

These "Penetration Tests" reveal security problems so they can be fixed

Two Hacking Classes

CNIT 123: Ethical Hacking and Network Defense

Has been taught since Spring 2007 (four times)

Face-to-face and Online sections available Fall 2008

CNIT 124: Advanced Ethical Hacking

Taught for the first time in Spring 2008

Certificate in Network Security

Associate of Science Degree

Student Agreement

Required for every student in CNIT 123: Ethical Hacking and Network Defense or CNIT 124: Advanced Ethical Hacking

Sniffing Plaintext Passwords

Insecure Login Pages

HTTP does not encrypt data

Always look for HTTPS on login pages

Tool: Cain

Click NIC icon to start sniffer

Click Sniffer tab, Password tab on bottom

From http://www.oxid.it/cain.html

Authentication Cookies

GMail Uses HTTPS

Sniffing for passwords won't work

Most Web mail services now use HTTPS too

Cookies

Thousands of people are using Gmail all the time

How can the server know who you are?

It puts a cookie on your machine that identifies you

Gmail's Cookies

Gmail identifies you with these cookies

In Firefox, Tools, Options, Privacy, Show Cookies

Cross-Site Request Forgery (XSRF)

Web-based Email

[Diagram labels: Router; Target Using Email; Attacker Sniffing Traffic; To Internet]

Cross-Site Request Forgery (XSRF)

Gmail sends the password through a secure HTTPS connection

That cannot be captured by the attacker

But the cookie identifying the user is sent in the clear—with HTTP

That can easily be captured by the attacker

The attacker gets into your account without learning your password

Demonstration

XSRF Countermeasure

Use https://mail.google.com instead of http://gmail.com

No other mail service has this option at all, as far as I know
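
Added example, not from the original slides: a small Python model of a browser's decision to attach cookies to a request, showing why an identifying cookie set without the Secure attribute travels on a plaintext http:// request while one set with Secure does not. The cookie names, values and the mail.example host are constructed for illustration, and path matching is simplified to a prefix test.

```python
from urllib.parse import urlsplit

# Constructed Set-Cookie header values (not captured from any real service).
SAMPLE_SET_COOKIE = [
    "SESSION_A=constructed-value-1; Domain=.mail.example; Path=/",
    "SESSION_B=constructed-value-2; Domain=.mail.example; Path=/; Secure; HttpOnly",
]

def parse_set_cookie(header):
    """Return the cookie's name, domain, path and Secure flag as a dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    cookie = {"name": name, "domain": "", "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie

def domain_matches(host, domain):
    # Simplified: the sample cookies all carry a Domain attribute.
    return host == domain or host.endswith("." + domain)

def cookies_sent(url, jar):
    """Names of the cookies this simplified model attaches to a request."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    path = u.path or "/"
    return [c["name"] for c in jar
            if domain_matches(host, c["domain"])
            and path.startswith(c["path"])
            and (u.scheme == "https" or not c["secure"])]

def exposed_on_wire(url, jar):
    """Cookies readable by a sniffer: those attached to a plaintext request."""
    return cookies_sent(url, jar) if urlsplit(url).scheme == "http" else []

JAR = [parse_set_cookie(h) for h in SAMPLE_SET_COOKIE]

if __name__ == "__main__":
    for url in ("http://mail.example/", "https://mail.example/"):
        print(url, "exposes", exposed_on_wire(url, JAR))
```

Browsing over https:// protects both cookies on that request; the Secure attribute protects the cookie even when the user later visits an http:// address on the same domain.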

References

Cain http://www.oxid.it/cain.html

Hamster http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html

Contact

Sam Bowne

Computer Networking and Information Technology

City College San Francisco

Email: sbowne@ccsf.edu

Web: samsclass.info

Last modified 6-26-08