Date post: 05-Apr-2018
Upload: luca-barba
7/31/2019 Active Man in the Middle Demo
1/39
IBM Rational Application Security Group (aka Watchfire)
Active Man in the Middle Attacks
Web Based Man In the Middle Attack © 2009 IBM Corporation
The OWASP Foundation
OWASP
http://www.owasp.org
Security Research Group Manager
IBM Rational Application Security (a.k.a. Watchfire)
adish
2/39
Agenda
Background
  Man in the Middle
    Network level: heavily researched
    Web application level: sporadic research
Outline
  Passive MitM attacks
  Active MitM attacks
  Penetrating an internal network
  Remediation
3/39
Man in the Middle Scenario
All laptop users connect to a public network
  Wireless connection can easily be compromised or impersonated
  Wired connections might also be compromised
[Figure: laptop users reaching the Internet through a public network]
4/39
Rules of Thumb: Don'ts
Someone might be listening to the requests
  Don't browse sensitive sites
  Don't supply sensitive information
Someone might be altering the responses
  Don't trust any information given on web sites
  Don't execute downloaded code
5/39
Rules of Thumb: What Can You Do?
This leaves us with:
  Browse your favorite news site
  Browse your favorite weather site
[Figure: non-sensitive sites ("Boring") and sensitive sites ("Interesting") reached over the Internet]
7/39
Mitigating a Fallacy
Fallacy: Executing JavaScript on victim == executing an attack
  Same origin policy
Executing an attack
  JavaScript + browser implementation bug
  JavaScript + execution on a specific domain
    Can be done through XSS
8/39
Passive Man in the Middle Attacks
[Diagram sequence:]
Victim browses to a website
Attacker views the request, manipulates it and forwards it to the server
Server returns a response
Attacker views the response, manipulates it and forwards it to the victim
Other servers are not affected
9/39
Active Man in the Middle Attack
The attacker actively directs the victim to an interesting site
  The IFrame could be invisible
[Diagram sequence: My Weather Channel (boring site), My Bank Site (interesting site)]
Victim browses to a boring site
Attacker transfers the request to the server
Server returns a response
Attacker adds an IFRAME referencing an interesting site
Automatic request sent to the interesting server
Other servers are not affected
11/39
Stealing Cookies*
Obvious result: stealing cookies associated with any domain the attacker desires
  Will also work for HTTP ONLY cookies (as opposed to XSS attacks)
[Diagram: the automatic request contains the victim's cookies]
* A similar attack was presented by Sandro Gauci: Surf Jacking
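As an added example (not part of the original slides), the following Python script audits a server's Set-Cookie headers for the one attribute that decides whether the automatic IFRAME request above carries a cookie: Secure. The browser attaches every non-Secure cookie for the domain to a plain-HTTP request, which is why HttpOnly, an XSS defence, changes nothing here. The sample headers are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool
    verdict: str


def parse_set_cookie(header: str) -> CookieFinding:
    """Parse one Set-Cookie header value and judge its exposure to an
    automatic plain-HTTP request (the IFRAME-triggered request in the slides)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; their values (Path=, Expires=) do not matter here.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    secure = "secure" in attrs
    httponly = "httponly" in attrs
    if secure:
        verdict = "ok: never attached to a plain-HTTP request"
    elif httponly:
        verdict = "exposed: HttpOnly stops script access, not network transmission"
    else:
        verdict = "exposed: sent in clear on any plain-HTTP request for the domain"
    return CookieFinding(name, secure, httponly, verdict)


def exposed_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Names of the cookies a MitM would receive via one injected http:// request."""
    return [f.name for f in map(parse_set_cookie, set_cookie_headers) if not f.secure]


# Constructed sample: Set-Cookie headers as a bank site might send them after login.
SAMPLE_SET_COOKIE = [
    "SESSIONID=7f3a9c; Path=/; HttpOnly",                            # exposed despite HttpOnly
    "remember_me=1; Path=/; Expires=Thu, 01 Jan 2015 00:00:00 GMT",  # exposed
    "csrftoken=d41d8c; Path=/; Secure; HttpOnly",                    # safe
]


if __name__ == "__main__":
    for header in SAMPLE_SET_COOKIE:
        f = parse_set_cookie(header)
        print(f"{f.name:12} Secure={str(f.secure):5} HttpOnly={str(f.httponly):5} {f.verdict}")
    print("cookies a plain-HTTP request would leak:", exposed_cookies(SAMPLE_SET_COOKIE))
```

The Secure attribute is the cookie-side fix for this slide; the deck's later point that the whole attack needs only one plain HTTP request is what HTTP Strict Transport Security (RFC 6797, published after this talk) addresses, by letting a site tell the browser to refuse plain HTTP for the domain altogether.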
13/39
Overcoming Same Origin Policy
[Diagram sequence:]
Victim surfs to a
Attacker injects an IFRAME
Automatic request sent to the interesting server
Attacker forwards the automatic request to the interesting server
Interesting server returns a response
Attacker adds a malicious script to the response
Script executes with the interesting server's restrictions
Result
  Attacker can execute scripts on any domain she desires
  Scripts can fully interact with any interesting website
Limitations
  Will only work for non SSL web sites
14/39
Secure Connections
Login Mechanism
15/39
Secure Connections
[Diagram: "Please Login" form with Username (jsmith), Password (********) and SUBMIT; after submission, "Login Successful: Hello John Smith,"]
Victim browses to site http://www.webmail.site
Site returns a response with login form
Victim fills login details, and submits the form
Login request is sent through a secure channel
Pre-login action sent in clear text
  Attacker could alter the pre-login response to make the login request sent unencrypted
16/39
Stealing Auto Completion Information*
[Diagram sequence:]
Attacker redirects the victim to a pre-login page
Attacker returns the original login form together with a malicious script
Script accesses the auto-completion information using the DOM
Result
  Attacker can steal any auto-completion information she desires
Limitations
  Will only work for pre-login pages not encrypted
  Will not work seamlessly in IE
* A passive version of this attack was described by RSnake in his blog
18/39
(Time Dimension)
19/39
[Figure: timeline. Passive MitM covers the Present (boring sites); Active MitM covers the Past (interesting sites) and the Future (interesting sites)]
20/39
Session Fixation
[Diagram sequence:]
Attacker redirects victim to the site of interest
Attacker returns a page with a cookie generated by server
Cookie is being saved on victim's computer
A while later, victim connects to the site (with the pre-provided cookie)
Attacker uses the same cookie to connect to the server
Server authenticates attacker as victim
Result
  Attacker can set persistent cookies on victim
Limitations
  The vulnerability also lies within the server
21/39
Cache Poisoning
[Diagram sequence:]
Attacker redirects victim to the site of interest
Attacker returns a malicious page
Page is being cached on victim's computer
A while later, victim visits the site
Result
  Attacker can poison any page she desires
  Poisoned pages will be persistent
Limitations
  Attacker can poison non SSL resources
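An added example, not from the original slides: the attack above depends on the browser storing the attacker's copy of a plain-HTTP resource and reusing it without asking the server again. The Python below parses a response's Cache-Control and Expires headers (the RFC 7234 basics: no-store, no-cache, max-age and Expires, simplified) and reports, per resource, how long a poisoned copy would keep being served from cache. The sample responses and the fixed clock are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed fixed clock so that Expires arithmetic is reproducible.
NOW = datetime(2009, 2, 1, 0, 0, 0, tzinfo=timezone.utc)


def parse_cache_control(value: str) -> Dict[str, str]:
    """'public, max-age=600' -> {'public': '', 'max-age': '600'} (names lower-cased)."""
    directives: Dict[str, str] = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def classify(url: str, headers: Dict[str, str], now: datetime = NOW) -> str:
    """Verdict for one stored response: how long a poisoned copy would persist."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    plain = urlsplit(url).scheme == "http"
    if "no-store" in cc:
        return "not stored"
    if "no-cache" in cc:
        return "revalidated on every use"
    if "max-age" in cc and cc["max-age"].isdigit():
        ttl = int(cc["max-age"])          # max-age takes precedence over Expires
    elif "expires" in h:
        try:
            ttl = int((parsedate_to_datetime(h["expires"]) - now).total_seconds())
        except (TypeError, ValueError):
            ttl = 0                       # an unparsable Expires counts as already stale
    else:
        return "no explicit freshness (heuristic caching possible)" + (", plain HTTP" if plain else "")
    if ttl <= 0:
        return "stale on arrival, revalidated before reuse"
    verdict = f"reused from cache for {ttl}s without revalidation"
    if plain:
        verdict = "PLAIN HTTP: " + verdict + "; a poisoned copy persists that long"
    return verdict


def audit(responses: List[Tuple[str, Dict[str, str]]], now: datetime = NOW) -> List[Tuple[str, str]]:
    """Run classify() over (url, response headers) pairs captured from a site."""
    return [(url, classify(url, headers, now)) for url, headers in responses]


# Constructed sample: the kind of responses an internal site and a common script host return.
SAMPLE_RESPONSES = [
    ("http://intranet.example/js/common.js", {"Cache-Control": "public, max-age=31536000"}),
    ("http://www.google-analytics.com/ga.js", {"Expires": "Sun, 01 Feb 2009 02:00:00 GMT"}),
    ("http://intranet.example/login", {"Cache-Control": "no-store"}),
    ("http://intranet.example/news", {"Content-Type": "text/html"}),
    ("https://bank.example/js/app.js", {"Cache-Control": "max-age=600"}),
]


if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_RESPONSES):
        print(f"{url:45} {verdict}")
```

Run over a real capture, the long-lived plain-HTTP scripts are the entries worth fixing first: they are the ones the deck's "common scripts" and VPN cache injection slides rely on, and a no-store or a short max-age on them, or serving them over SSL, shrinks the window a poisoned copy survives.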
22/39
Demo
23/39
Virtual Private Networks
24/39
Virtual Private Networks (VPN)
VPN client initialization
  Create a secure network interface
  Set user's routing table
VPN client finalization (upon exit or when connection is lost)
  Revert routing table
Do not confuse VPN and HTTPS architectures!
25/39
VPN Mixed Content
[Diagram: Internal Web Site inside the VPN referencing a non-encrypted script from outside it]
Victim surfs to a page in the VPN network
Attacker alters the non-encrypted script
Malicious script executes within the secure environment
Result
  VPN web sites are compromised
  User is not alerted to the security risk
    As opposed to SSL mixed content issues
Limitations
  Such mixed content is not widely used
26/39
Hacking Non-Available Sites
Result
  Attacker can view and change any HTTP cache object
  Even for non available sites
27/39
VPN Cache Injection
[Diagram sequence:]
Attacker disconnects connection to VPN server
After routing table is updated, attacker poisons the cache of an internal site
Attacker recovers connection
Attacker redirects victim to cached resource
Cached resource loads and malicious cached script executes
Result
  VPN is great for the network level
  VPN is not enough for the application level
  This attack could be applied to other application protocols!
28/39
Intranet Networks
29/39
Penetrating Internal Network: Simple Cache Poison
Result
  Attack will be launched every time victim accesses the resource
  The attack would be executed within the local intranet
Characteristics
  Firewall protections are helpless
  Affected servers will never know
  The attack is persistent
30/39
Setting Up a Future MitM Scenario
[Diagram sequence:]
Using Active MitM techniques, victim's router-related cache is poisoned with a malicious script
Malicious script executed when victim tries to access router
Script configures router to tunnel future communication through attacker
Script hides the configuration changes related to his router's web access
[Diagram: router settings page showing "Outbound Proxy IP Address 216.187.118.221" and "Primary DNS Server Address 216.187.118.221"]
Result
  Facilitates future MitM scenarios
  Does not require router's credentials
  Fake settings could be displayed to the user
Limitations
  Requires victim to access router in the future
  Need to guess router's address (10.0.1.1)
31/39
Increasing the Exposure
Poison common home pages
  Script will execute every time victim opens his browser
Poison common scripts
  Script will execute on every page using the common script
  Example: http://www.google-analytics.com/ga.js
The double active attack
  Common poisoned page redirects to another poisoned resource
32/39
The Double Active Cache Poisoning Attack
[Diagram sequence:]
Using Active MitM techniques, attacker poisons common router's address (i.e. 10.0.1.1)
Attacker also poisons common home pages
At a later time, victim opens browser
Cached home page is loaded and redirects victim's browser to router's web interface
Cached router's web interface is loaded and malicious script changes router's settings
Router is compromised by malicious script
Result
  Internal network has been compromised
Limitation
  Need to guess router IP and credentials
33/39
Active Attack Characteristics
Not noticeable in user's experience
Not noticeable by any of the web sites
  IPS/IDS will not block it
Can be persistent
Can be used to hack into local organization
  Bypasses any firewall or VPN
  Can be used to access non-HTTP servers
Can be used with DNS Pinning Techniques
A problem with the current design
  Requires only one plain HTTP request to be transmitted
34/39
Remediation
Users
  Do not use auto-completion
  Clean Slate Policy
  Trust level separation
    Two different browsers
    Two different users
    Two different OS
    Virtualization products
  Tunnel communication through a secure proxy
    Might not be allowed in many hot-spots
35/39
Web owners
  Consider risks of partial SSL sites
  Do not consider secure VPN connection as an SSL replacement
  Use random tokens for common scripts
    While considering performance issues
  Avoid referring external scripts from internal sites
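An added example, not part of the original slides, that turns two of the web-owner items above into a check a site owner can run: it flags a login form delivered over plain HTTP (the partial-SSL case from the webmail slide, where the pre-login response can be altered before any credential is encrypted) and scripts pulled over plain HTTP or from external hosts into a page (the VPN mixed-content and common-script cases). It uses only the standard library; the page URL and HTML are constructed.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


class PageAuditor(HTMLParser):
    """Collect forms (with whether they contain a password field) and script sources."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.page_host = urlsplit(page_url).hostname
        self.forms: List[Tuple[str, bool]] = []   # (absolute action URL, has password input)
        self.scripts: List[str] = []              # absolute script URLs
        self._current_form: Optional[list] = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                            # HTMLParser lower-cases tag and attribute names
        if tag == "form":
            self._current_form = [urljoin(self.page_url, a.get("action") or ""), False]
        elif tag == "input" and self._current_form and (a.get("type") or "").lower() == "password":
            self._current_form[1] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._current_form:
            self.forms.append(tuple(self._current_form))
            self._current_form = None


def audit(page_url: str, html: str) -> List[str]:
    """Findings for one page: partial-SSL login forms and plain-HTTP or external scripts."""
    p = PageAuditor(page_url)
    p.feed(html)
    p.close()
    findings = []
    for action, has_password in p.forms:
        if has_password and p.page_scheme != "https":
            # The form itself travels in clear, so its action URL can be rewritten on the way.
            findings.append(f"login form on plain-HTTP page (posts to {action}): pre-login response can be altered")
    for src in p.scripts:
        u = urlsplit(src)
        if u.scheme == "http":
            findings.append(f"script over plain HTTP: {src}")
        elif u.hostname != p.page_host:
            findings.append(f"external script: {src}")
    return findings


# Constructed sample page: a webmail login served over HTTP that posts to HTTPS.
SAMPLE_URL = "http://www.webmail.site/"
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<form action="https://www.webmail.site/login" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form>
</body></html>
"""


if __name__ == "__main__":
    for finding in audit(SAMPLE_URL, SAMPLE_HTML):
        print(finding)
```

For an internal site reached through a VPN, run it with the site's https URL: a relative script then passes, while an http:// or third-party script is exactly the mixed content the VPN slide describes. The "external script" finding also covers the deck's industry item about an integrity mechanism for HTTP, for which browsers later gained Subresource Integrity hashes on script tags.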
36/39
Industry
  Build integrity mechanism for HTTP
  Secure WiFi networks
37/39
Summary
Active MitM attacks broaden the scope of the passive attacks
Design issues
  Dimension of time
    Past (steal cookies, auto-completion information, cache)
    Future (set up cookies, poison cache, poison form filler)
  Penetrating internal networks
  Persistent
  Bypass any current protection mechanisms
More information:
  Paper and presentation will be uploaded to our blog:
  http://blog.watchfire.com
38/39
References
Additional information at Watchfire's Blog:
  http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html
Wireless Man in the Middle Attacks:
  http://www.informit.com/articles/article.aspx?p=353735&seqNum=7
Side Jacking:
More on SideJacking:
  http://erratasec.blogspot.com/2008/01/more-sidejacking.html
Surf Jacking:
  http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
Stealing User Information:
  http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/
39/39
Thank you