How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam...

Post on 01-Apr-2015


How to Steal Passwords:
SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks

Sam Bowne

No Need to Take Notes

This PowerPoint and other materials are at http://samsclass.info/HI-TEC
Feel free to use all this material for your own classes, talks, etc.

Contact

Sam Bowne
Computer Networking and Information Technology
City College San Francisco
Email: sbowne@ccsf.edu
Web: samsclass.info

Topics

sslstrip: steals passwords from mixed-mode Web login pages
LNK Attack: takes over any Windows machine (0day)
Cross-Site Request Forgery: replays cookies to break into Gmail
Scary SSL Attacks: ways to completely fool browsers

HTTP and HTTPS

HTTPS is More Secure than HTTP

User logging in to Facebook:
HTTP: unencrypted data, no server authentication
HTTPS: encrypted, server authenticated

sslstrip

The 15 Most Popular Web 2.0 Sites

1. YouTube: HTTPS
2. Wikipedia: HTTP
3. Craigslist: HTTPS
4. Photobucket: HTTP
5. Flickr: HTTPS
6. WordPress: MIXED
7. Twitter: MIXED
8. IMDB: HTTPS
9. Digg: HTTP
10. eHow: HTTPS
11. TypePad: HTTPS
12. topix: HTTP
13. LiveJournal: Obfuscated HTTP
14. deviantART: MIXED
15. Technorati: HTTPS

From http://www.ebizmba.com/articles/user-generated-content

Password Stealing

Easy: Wall of Sheep
Medium: sslstrip
Hard: Spoofing certificates

Mixed Mode

HTTP Page with an HTTPS Logon Button

sslstrip Proxy Changes HTTPS to HTTP

Target (using Facebook) --HTTP--> Attacker (sslstrip proxy in the middle) --HTTPS--> Internet
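The mixed-mode pattern above (an HTTP page carrying an HTTPS logon button) is what sslstrip exploits: the page the user sees is under the attacker's control before the secure button is ever clicked. The following Python is an added example, not code from the slides or from sslstrip itself. It scans a page's HTML for password forms and reports the mixed-mode case, and it also checks for the Strict-Transport-Security (HSTS) header, a later countermeasure the deck does not cover that lets a browser which has seen it refuse the HTTP downgrade on later visits. The URL, headers and HTML are constructed for the example.

```python
"""Audit a web page for the mixed-mode login pattern that sslstrip exploits.

Added example, not from the slides. Given a page URL, its response headers
and its HTML, it reports:
  * password forms on an HTTP page (the "mixed mode" pattern),
  * an HTTPS page that omits Strict-Transport-Security (HSTS), the header
    that tells a returning browser to refuse an HTTP downgrade.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect the action URL of every form that contains a password field."""

    def __init__(self):
        super().__init__()
        self._current = None
        self.password_forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.password_forms.append(self._current["action"])
            self._current = None


def audit_page(page_url, headers, html):
    """Return a list of findings for one page; an empty list means nothing found."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    scanner = _FormScanner()
    scanner.feed(html)
    for action in scanner.password_forms:
        target = urljoin(page_url, action)  # an empty action means "post back to this page"
        target_scheme = urlsplit(target).scheme
        if page_scheme == "http" and target_scheme == "https":
            # The logon button is HTTPS but the page carrying it is HTTP:
            # a proxy in the middle can rewrite the form before it is used.
            findings.append(f"mixed-mode login: HTTP page posts password to {target}")
        elif target_scheme == "http":
            findings.append(f"cleartext login: password posted to {target}")
    lower = {k.lower(): v for k, v in headers.items()}
    if page_scheme == "https" and "strict-transport-security" not in lower:
        findings.append("no Strict-Transport-Security header: browser will accept an HTTP downgrade next visit")
    return findings


# Constructed sample: an HTTP page whose login form posts to HTTPS.
MIXED_MODE_PAGE = """
<html><body>
<form action="https://www.example.com/login" method="post">
  <input name="user"><input type="password" name="pass">
</form></body></html>
"""

if __name__ == "__main__":
    for finding in audit_page("http://www.example.com/", {"Content-Type": "text/html"}, MIXED_MODE_PAGE):
        print(finding)
```

Run against the constructed page the function reports the mixed-mode form; served over HTTPS with an HSTS header the same HTML produces no finding, which is the configuration that takes the sslstrip rewrite off the table for returning visitors.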

Ways to Get in the Middle

Physical Insertion in a Wired Network
Target -> Attacker -> Internet

Configuring Proxy Server in the Browser

ARP Poisoning
Redirects traffic at Layer 2
Sends a lot of false ARP packets on the LAN
Can be easily detected: DeCaffeinateID by IronGeek
http://k78.sl.pt

ARP Request and Reply

Client wants to find Gateway
ARP Request: Who has 192.168.2.1?
ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1
(Client -> Gateway -> Facebook.com)

ARP Poisoning

Client, Gateway, Facebook.com, and Attacker on the same LAN
Attacker sends ARP Replies: "I am the Gateway"
Client's traffic to Facebook goes to the Attacker
Attacker forwards (and alters) the traffic to the real Gateway
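The detection the slide credits to DeCaffeinateID comes down to watching for the two symptoms in the diagram: the gateway's IP suddenly answered by a new MAC, and one MAC answering for many addresses. The Python below is an added example, not IronGeek's tool and not from the slides. Fed a sequence of (sender IP, sender MAC) pairs taken from ARP replies, it trusts the first binding it sees for each address, the way a passive watcher has to, and alerts when the gateway address (192.168.2.1 with the MAC from the slide) is later claimed by a different MAC or when a single MAC claims several IPs. The reply list is constructed.

```python
"""Flag the ARP-poisoning pattern from the slides in a stream of ARP replies.

Added example, not from the slides and not DeCaffeinateID. The input is a
list of (sender_ip, sender_mac) pairs as they would be read from ARP reply
packets; the constructed sample below has the real gateway answer first and
an attacker's MAC then claim the gateway and two clients.
"""
from collections import defaultdict


def detect_arp_poisoning(replies, gateway_ip, max_ips_per_mac=3):
    """Return a list of alert strings; an empty list means nothing suspicious.

    The first MAC seen for each IP is trusted. A later, different MAC for the
    gateway IP is the signature of "I am the Gateway" replies; a different
    MAC for any other IP is reported at lower severity; a MAC that claims
    max_ips_per_mac addresses is reported once.
    """
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            severity = "GATEWAY SPOOFED" if ip == gateway_ip else "binding changed"
            alerts.append(f"{severity}: {ip} was {known}, now claimed by {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac:
            # one host answering for many addresses is how a poisoner gets
            # in the middle of every client at once
            alerts.append(f"{mac} claims {max_ips_per_mac} or more IPs: {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed sample replies (IP, MAC); the gateway values are the ones on the slide.
SAMPLE_REPLIES = [
    ("192.168.2.1", "00-30-bd-02-ed-7b"),   # real gateway
    ("192.168.2.10", "00-11-22-33-44-55"),  # a client
    ("192.168.2.1", "00-de-ad-be-ef-01"),   # attacker: "I am the Gateway"
    ("192.168.2.10", "00-de-ad-be-ef-01"),  # attacker also claims the client
    ("192.168.2.11", "00-de-ad-be-ef-01"),  # and a third address
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, "192.168.2.1"):
        print(alert)
```

On the sample the function raises three alerts: the gateway spoof, the changed client binding, and the attacker's MAC reaching the per-MAC threshold. A real monitor would seed the gateway binding from a static configuration rather than from the first reply, since an attacker who starts before the monitor would otherwise be trusted.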

Demonstration

LNK File Attack

SCADA Attacks

In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants
See https://www.cert.be/pro/attacks-scada-systems

LNK File Attack

The SCADA attack used a vulnerability in all versions of Windows
Merely viewing a malicious Shortcut (LNK file) gives the attacker control of your computer
See http://samsclass.info/123/proj10/LNK-exploit.htm

Demo

LNK Attack Countermeasure

Sophos provided a free tool on July 26, 2010 to protect your system
See http://tinyurl.com/2f2nvy8

It Works

Cross-Site Request Forgery (XSRF)

Cookies

Thousands of people are using Gmail all the time
How can the server know who you are?
It puts a cookie on your machine that identifies you

Gmail's Cookies

Gmail identifies you with these cookies
In Firefox: Tools, Options, Privacy, Show Cookies

Web-based Email

Target (using email) -> Router -> Internet, with the Attacker sniffing traffic on the LAN

Cross-Site Request Forgery (XSRF)

Gmail sends the password through a secure HTTPS connection
That cannot be captured by the attacker
But the cookie identifying the user is sent in the clear, with HTTP
That can easily be captured by the attacker
The attacker gets into your account without learning your password

Demonstration

CSRF Countermeasure

Adjust Gmail settings to "Always use https"
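The slides' observation that the password travels over HTTPS while the identifying cookie travels over HTTP comes down to one cookie attribute. The Python below is an added example; it is not from the slides and does not use Gmail's real cookie names. It models the browser rule the attack relies on: a cookie is attached to every request to its host, over HTTP as well as HTTPS, unless the server set it with the Secure attribute. Marking the session cookie Secure (and HttpOnly) is the server-side counterpart of the "Always use https" setting the slide recommends to the user. The Set-Cookie headers are constructed.

```python
"""Show why a session cookie without the Secure attribute leaks over HTTP.

Added example, not from the slides. Cookie names and values are made up.
"""
from http.cookies import SimpleCookie


def parse_set_cookie(headers):
    """Turn Set-Cookie header values into {name: {"secure": bool, "httponly": bool}}."""
    jar = {}
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            jar[name] = {"secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}
    return jar


def cookies_sent_over(jar, scheme):
    """Names of the cookies a browser would attach to a request using this scheme.

    This is the rule that matters for sniffing: without Secure, the cookie
    goes out with the next plain-HTTP request to the site, e.g. for an image
    or a redirect, where anyone on the LAN can read it.
    """
    return sorted(name for name, flags in jar.items() if scheme == "https" or not flags["secure"])


def audit_cookies(jar, session_cookie_names):
    """Report session cookies that lack the attributes that keep them off the wire and away from script."""
    findings = []
    for name in session_cookie_names:
        flags = jar.get(name)
        if flags is None:
            continue
        if not flags["secure"]:
            findings.append(f"{name}: no Secure flag, sent in the clear over HTTP and sniffable")
        if not flags["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable by script")
    return findings


# Constructed Set-Cookie headers: the weak form lets SESSION ride over HTTP.
WEAK_SET_COOKIE = [
    "SESSION=sess456; Domain=.example.com; Path=/",
    "PREFS=lang=en; Domain=.example.com; Path=/",
]
HARDENED_SET_COOKIE = [
    "SESSION=sess456; Domain=.example.com; Path=/; Secure; HttpOnly",
    "PREFS=lang=en; Domain=.example.com; Path=/",
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        jar = parse_set_cookie(headers)
        print(label, "over http:", cookies_sent_over(jar, "http"), audit_cookies(jar, ["SESSION"]))
```

With the weak headers the session cookie is attached to HTTP requests and both audit findings fire; with the hardened headers only the harmless PREFS cookie leaves over HTTP, and the session cookie is still sent on HTTPS, so the site keeps working.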

Scary SSL Attacks

Man in the Middle

Target (using https://gmail.com) --HTTPS--> Attacker (Cain: fake SSL certificate) --HTTPS--> Internet

Warning Message

Certificate Errors

The message indicates that the Certificate Authority did not validate the certificate
BUT a lot of innocent problems cause those messages:
Incorrect date settings
Name changes as companies are acquired

Most Users Ignore Certificate Errors

Link SSL-1 on my CNIT 125 page

Fake SSL With No Warning

Impersonate a real Certificate Authority
Use a Certificate Authority in an untrustworthy nation
Trick browser maker into adding a fraudulent CA to the trusted list
Use a zero byte to change the effective domain name
Wildcard certificate

Impersonating Verisign

Researchers created a rogue Certificate Authority certificate by finding MD5 collisions, using more than 200 PlayStation 3 game consoles
Link SSL-2

Countermeasures

Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes) in certificates issued after January, 2009
Earlier, vulnerable certificates would be replaced only if the customer requested it
Link SSL-4
FIPS 140-1 (from 2001) did not recognize MD5 as suitable for government work
Links SSL-5, SSL-6, SSL-7

CA in an Untrustworthy Nation

Link SSL-8

Unknown Trusted CAs

An unknown entity was apparently trusted for more than a decade by Mozilla
Link SSL-9

Zero Byte Terminates Domain Name

Just buy a certificate for Paypal.com\0.evil.com
Browser will see that as matching paypal.com
Link SSL-10
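The zero-byte and wildcard items on the "Fake SSL With No Warning" list are both hostname-matching defects, so the fix lives in the matcher. The Python below is an added example, not from the slides and not any browser's actual code. The vulnerable matcher imitates code that hands the certificate name to a C string routine, which stops at the first NUL, so the name the CA saw, Paypal.com\0.evil.com, compares equal to paypal.com. The hardened matcher compares the whole length-delimited name, rejects any embedded NUL, and honours a wildcard only in the leftmost label of a name with at least three labels, the behaviour modern browsers settled on.

```python
"""Certificate hostname matching with and without the null-byte defect.

Added example, not from the slides. Both functions take the name from the
certificate and the host the browser connected to and return True on match.
"""


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def truncating_match(cert_name, hostname):
    """Vulnerable: behaves like strcmp() on a buffer that contains a NUL byte.

    Everything after the first NUL is invisible to the comparison, so a
    certificate issued for "paypal.com\\0.evil.com" matches "paypal.com".
    """
    seen_by_c = cert_name.split("\0", 1)[0]
    return seen_by_c.lower() == hostname.lower()


def safe_match(cert_name, hostname):
    """Hardened: whole-name comparison, no NULs, wildcard only in the leftmost label."""
    if "\0" in cert_name or "\0" in hostname:
        return False  # a legitimate DNS name never contains a NUL byte
    cert_labels, host_labels = _labels(cert_name), _labels(hostname)
    if len(cert_labels) != len(host_labels):
        return False  # "*.example.com" must not match "a.b.example.com"
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:
            return False  # refuse "*.com": it would match every .com host
        return cert_labels[1:] == host_labels[1:]
    if "*" in cert_name:
        return False  # partial wildcards such as "w*.example.com" are not accepted here
    return cert_labels == host_labels


# Constructed names; the first is the one the slide describes.
ROGUE_NAME = "paypal.com\0.evil.com"

if __name__ == "__main__":
    for matcher in (truncating_match, safe_match):
        print(matcher.__name__, "paypal.com:", matcher(ROGUE_NAME, "paypal.com"))
```

The truncating matcher accepts the rogue name for paypal.com; the hardened one rejects it, still matches ordinary names case-insensitively, and confines wildcards to exactly one label, so neither the null-byte trick nor an over-broad wildcard certificate passes without a warning.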