1 / 33

Active Man in the Middle Attacks

Active Man in the Middle Attacks. Adi Sharabani Security Research Group Manager IBM Rational Application Security (a.k.a. Watchfire) adish. OWASP. 27/02/2009. The OWASP Foundation. http://www.owasp.org. Agenda. Background Man in the Middle Network level – heavily researched

ashanti
Download Presentation

Active Man in the Middle Attacks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Active Man in the Middle Attacks Adi Sharabani Security Research Group Manager IBM Rational Application Security (a.k.a. Watchfire) adish OWASP 27/02/2009 The OWASP Foundation http://www.owasp.org

  2. Agenda • Background • Man in the Middle • Network level – heavily researched • Web application level – sporadic research • Outline • Passive MitM attacks • Active MitM attacks • Penetrating an internal network • Remediation

  3. Internet Man in the Middle Scenario • All laptop users connect to a public network • Wireless connection can easily be compromised or impersonated • Wired connections might also be compromised

  4. Rules of Thumb – Don’ts … • Someone might be listening to the requests • Don’t browse sensitive sites • Don’t supply sensitive information • Someone might be altering the responses • Don’t trust any information given on web sites • Don’t execute downloaded code

  5. Internet Rules of Thumb – What Can You Do? • This leaves us with: • Browse your favorite news site • Browse your favorite weather site Non-sensitive sites Boring Sensitive sites Interesting

  6. You are still vulnerable

  7. Mitigating a Fallacy • Fallacy • Executing JavaScript on victim == executing an attack • Reality • Same origin policy • Executing an attack • JavaScript + browser implementation bug • JavaScript + execution on a specific domain • Can be done through XSS

  8. Passive Man in the Middle Attacks Server returns a response Victim browses to a website Attacker views the responsemanipulates itand forwards to victim Attacker views the requestmanipulates itand forwards to server Other servers are not affected

  9. My Weather Channel My Bank Site My Bank Site Active Man in the Middle Attack Server returns a response Victim browses to a “boring” site Attacker adds an IFRAME referencing an “interesting” site Attack transfers the request to the server • The attacker actively directs the victim to an “interesting” site • The IFrame could be invisible Other servers are not affected Automatic request sent to the interesting server

  10. Stealing Cookies* • Obvious result • Stealing cookies associated with any domain attacker desires • Will also work for HTTP ONLY cookies(as opposed to XSS attacks) Automatic request contains victim’s cookies * A similar attack was presented by Mike Perry – SideJacking

  11. Demo

  12. Overcoming Same Origin Policy • Result • Attacker can execute scripts on any domain she desires • Scripts can fully interact with any “interesting” website • Limitations • Will only work for non SSL web sites Attacker injects an IFRAME directing to an “interesting” site Victim surfs to a “boring” site Attacker forwards the automatic request to the “interesting” server Script executes with the “interesting” server’s restrictions Automatic request sent to the interesting server Attacker adds a malicious script to the response “Interesting” server returns a response

  13. Secure Connections Login Mechanism

  14. Login Successful Username Password Hello John Smith, SUBMIT Please Login Secure Connections Victim fills login details,and submits the form • Pre-login action sent in clear text • Attacker could alter the pre-login response to make the login request sent unencrypted jsmith ******** Victim browses to site http://www.webmail.site SUBMIT Login request is sent through a secure channel Site returns a response with login form

  15. Stealing Auto Completion Information • Result • Attacker can steal any auto-completion information she desires • Limitations • Will only work for pre-login pages not encrypted • Will not work seamlessly in IE Attacker returns the original login form together with a malicious script Attacker redirect victim to a request to a pre-login page Script accesses the auto-completion information using the DOM * A passive version of this attack was described by RSnake in his blog

  16. Demo

  17. Broadening the Attack (Time Dimension)

  18. Active MitMAttacks Passive MitM Attacks Active MitMAttacks Past (“interesting” sites) Present (“boring” sites) Future (“interesting” sites)

  19. Session Fixation • Result • Attacker can set persistent cookies on victim • Limitations • The vulnerability also lies within the server Server authenticates attacker as victim A while later, victim connects to the site (with the pre-provided cookie) Attacker returns a page with a cookie generated by server Attacker redirects victim to the site of interest Cookie is being saved on victim’s computer Attacker uses the same cookie to connect to the server

  20. Cache Poisoning • Result • Attacker can poison any page she desires • Poisoned pages will be persistent • Limitations • Attacker can poison non SSL resources A while later, victim visits the site Attacker redirects victim to the site of interest Attacker returns a malicious page with cache setting enabled Page is being cached onvictim’s computer

  21. Complex Hacking Intranet Networks

  22. Penetrating Internal Network – Simple Cache Poison • Result • Attack will be launched every time victimaccesses the resource • The attack would executed within the local intranet • Characteristics • Firewall protections are helpless • Affected servers will never know • The attack is persistent

  23. Router Outbound Proxy IP Address . . . Primary DNS Server Address . . . 221 216 187 118 187 118 221 216 Setting Up a Future MitM Scenario • Result • Facilitates future MitM scenarios • Does not require router’s credentials • Fake settings could be displayed to the user • Limitations • Requires victim to access router in the future • Need to guess router’s address (10.0.1.1) Script hides the configuration changes Using Active MitM Techniques, attacker poisons victim’s cache related to his router’s web access Malicious script executedwhen victim tries to access router Script configures router to tunnel future communication through attacker Victim’s router related cache poisoned with a malicious script

  24. .JS Increasing the Exposure • Poison common home pages • Script will execute every time victim opens his browser • Poison common scripts • Script will execute on every page using the common script • Example: http://www.google-analytics.com/ga.js • The “double active” attack • Common poisoned page redirects to another poisoned resource

  25. Router The Double Active Cache Poisoning Attack • Result • Internal network has been compromised • Limitation • Need to guess router IP and credentials At a later time, Victim opens browser Cached router’s web interface is loaded and malicious script changes router’s settings Cached home page is loaded and redirects victim’s browser to router’s web interface Using Active MitM techniques, attacker poisons common router’s address (i.e. 10.0.1.1) Attacker also poisons common home pages Router is compromised by malicious script

  26. Active Attack Characteristics • Not noticeable in user’s experience • Not noticeable by any of the web sites • IPS/IDS will not block it • Can be persistent • Can be used to hack into local organization • Bypasses any firewall or VPN • Can be used with DNS Pinning Techniques • A problem with the current design • Requires only one plain HTTP request to be transmitted

  27. Remediation • Users • Do not use auto-completion • “Clean Slate Policy” • Trust level separation • Two different browsers • Two different users • Two different OS • Virtualization products • Tunnel communication through a secure proxy • Might not be allowed in many hot-spots

  28. Web owners • Consider risks of partial SSL sites • Do not consider secure VPN connection as an SSL replacement • Use random tokens for common scripts • While considering performance issues • Avoid referring external scripts from internal sites

  29. Industry • Build integrity mechanism for HTTP • Secure WiFi networks

  30. Summary • Active MitM attacks– broaden the scope of the passive attacks • Design issues • Dimension of time • Past (steal cookies, auto-completion information, cache) • Future (set up cookies, poison cache, poison form filler) • Penetrating internal networks • Persistent • Bypass any current protection mechanisms • More information: • Paper and presentation will be uploaded to our blog: http://blog.watchfire.com

  31. References • Watchfire’s Blog: • http://blog.watchfire.com • Wireless Man in the Middle Attacks: • http://www.informit.com/articles/article.aspx?p=353735&seqNum=7 • SideJacking: • http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html • More on SideJacking: • http://erratasec.blogspot.com/2008/01/more-sidejacking.html • Active SideJacking: • http://seclists.org/bugtraq/2007/Aug/0070.html • Surf Jacking • http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf • Stealing User Information: • http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/

  32. Thank you!

More Related