1 / 43

No Need to Take Notes

How to Steal Passwords: SSLstrip , LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam Bowne. No Need to Take Notes. This Powerpoint and other materials are at http://samsclass.info/HI-TEC Feel free to use all this material for your own classes, talks, etc. Contact. Sam Bowne

saeran
Download Presentation

No Need to Take Notes

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Steal Passwords:SSLstrip,LNK Attack,Cross-Site Request Forgery& Scary SSL AttacksSam Bowne

  2. No Need to Take Notes • This Powerpoint and other materials are at • http://samsclass.info/HI-TEC • Feel free to use all this material for your own classes, talks, etc.

  3. Contact • Sam Bowne • Computer Networking and Information Technology • City College San Francisco • Email: sbowne@ccsf.edu • Web: samsclass.info

  4. Topics sslstrip – Steals passwords from mixed-mode Web login pages LNK Attack: takes over any Windows machine (0day) Cross-Site Request Forgery: Replays cookies to break into Gmai Scary SSL Attacks--ways to completely fool browsers

  5. HTTP and HTTPS

  6. HTTPS is More Secure than HTTP Facebook HTTPS Encrypted Server authenticated HTTP Unencrypted data No server authentication User Logging In

  7. sslstrip

  8. The 15 Most Popular Web 2.0 Sites 1. YouTube HTTPS 2. Wikipedia HTTP 3. Craigslist HTTPS 4. Photobucket HTTP 5. Flickr HTTPS 6. WordPress MIXED 7. Twitter MIXED 8. IMDB HTTPS

  9. The 15 Most Popular Web 2.0 Sites • 9. Digg HTTP • 10. eHow HTTPS • 11. TypePad HTTPS • 12. topix HTTP • 13. LiveJournal Obfuscated HTTP • 14. deviantART MIXED • 15. Technorati HTTPS • From http://www.ebizmba.com/articles/user-generated-content

  10. Password Stealing Mediumssltrip EasyWall of Sheep Hard Spoofing Certificates

  11. Mixed Mode HTTP Page with an HTTPS Logon Button

  12. sslstrip Proxy Changes HTTPS to HTTP To Internet HTTPS Attacker: sslstrip Proxyin the Middle HTTP TargetUsingFacebook

  13. Ways to Get in the Middle

  14. Physical Insertion in a Wired Network To Internet Attacker Target

  15. Configuring Proxy Server in the Browser

  16. ARP Poisoning • Redirects Traffic at Layer 2 • Sends a lot of false ARP packets on the LAN • Can be easily detected • DeCaffienateID by IronGeek • http://k78.sl.pt

  17. ARP Request and Reply • Client wants to find Gateway • ARP Request: Who has 192.168.2.1? • ARP Reply: • MAC: 00-30-bd-02-ed-7b has 192.168.2.1 ARP Request ARP Reply Client Gateway Facebook.com

  18. ARP Poisoning Attacker ARP Replies: I am the Gateway Forwarded & Altered Traffic Traffic to Facebook Client Gateway Facebook.com

  19. Demonstration

  20. LNK File Attack

  21. SCADA Attacks • In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants • See https://www.cert.be/pro/attacks-scada-systems

  22. LNK File Attack • The SCADA attack used a vulnerability in all versions of Windows • Merely viewing amalicious Shortcut(LNK file) gives theattacker control of your computer • See http://samsclass.info/123/proj10/LNK-exploit.htm

  23. Demo

  24. LNK Attack Countermeasure • Sophos provided a free tool on July 26, 2010 to protect your system • See http://tinyurl.com/2f2nvy8

  25. It Works

  26. Cross-Site Request Forgery (XSRF)

  27. Cookies • Thousands of people are using Gmail all the time • How can the server know who you are? • It puts a cookie on your machine that identifies you

  28. Gmail's Cookies • Gmail identifies you with these cookies • In Firefox, Tools, Options, Privacy, Show Cookies

  29. Web-based Email To Internet Router AttackerSniffingTraffic TargetUsingEmail

  30. Cross-Site Request Forgery (XSRF) • Gmail sends the password through a secure HTTPS connection • That cannot be captured by the attacker • But the cookie identifying the user is sent in the clear—with HTTP • That can easily be captured by the attacker • The attacker gets into your account without learning your password

  31. Demonstration

  32. CSRF Countermeasure • Adust Gmail settings to "Always use https"

  33. Scary SSL Attacks

  34. Man in the Middle To Internet HTTPS Attacker: Cain: Fake SSL Certificate HTTPS TargetUsinghttps://gmail.com

  35. Warning Message

  36. Certificate Errors • The message indicates that the Certificate Authority did not validate the certificate • BUT a lot of innocent problems cause those messages • Incorrect date settings • Name changes as companies are acquired

  37. Most Users Ignore Certificate Errors Link SSL-1 on my CNIT 125 page

  38. Fake SSL With No Warning Impersonate a real Certificate Authority Use a Certificate Authority in an untrustworthy nation Trick browser maker into adding a fraudulent CA to the trusted list Use a zero byte to change the effective domain name Wildcard certificate

  39. Impersonating Verisign • Researchers created a rogue Certificate Authority certificate, by finding MD5 collisions • Using more than 200 PlayStation 3 game consoles • Link SSL-2

  40. Countermeasures • Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes), in certificates issued after January, 2009 • Earlier, vulnerable certificates would be replaced only if the customer requested it • Link SSL-4 • FIPS 140-1 (from 2001) did not recognize MD5 as suitable for government work • Links SSL-5, SSL-6, SSL-7

  41. CA in an Untrustworthy Nation Link SSL-8

  42. Unknown Trusted CAs An unknown entity was apparently trusted for more than a decade by Mozilla Link SSL-9

  43. Zero Byte Terminates Domain Name • Just buy a certificate for Paypal.com\0.evil.com • Browser will see that as matching paypal.com • Link SSL-10

More Related