How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks
Sam Bowne

Page 1

How to Steal Passwords:
SSLstrip, LNK Attack,
Cross-Site Request Forgery & Scary SSL Attacks

Sam Bowne

Page 2

No Need to Take Notes

This PowerPoint and other materials are at http://samsclass.info/HI-TEC
Feel free to use all this material for your own classes, talks, etc.

Page 3

Contact

Sam Bowne
Computer Networking and Information Technology
City College San Francisco
Email: [email protected]
Web: samsclass.info

Page 4

Topics

sslstrip: steals passwords from mixed-mode Web login pages
LNK Attack: takes over any Windows machine (0day)
Cross-Site Request Forgery: replays cookies to break into Gmail
Scary SSL Attacks: ways to completely fool browsers

Page 5

HTTP and HTTPS

Page 6

HTTPS is More Secure than HTTP

[Diagram: a user logging in to Facebook over HTTP and over HTTPS]
HTTP: unencrypted data, no server authentication
HTTPS: encrypted, server authenticated

Page 7

sslstrip

Page 8

The 15 Most Popular Web 2.0 Sites

1. YouTube - HTTPS
2. Wikipedia - HTTP
3. Craigslist - HTTPS
4. Photobucket - HTTP
5. Flickr - HTTPS
6. WordPress - MIXED
7. Twitter - MIXED
8. IMDB - HTTPS

Page 9

The 15 Most Popular Web 2.0 Sites

9. Digg - HTTP
10. eHow - HTTPS
11. TypePad - HTTPS
12. topix - HTTP
13. LiveJournal - Obfuscated HTTP
14. deviantART - MIXED
15. Technorati - HTTPS

From http://www.ebizmba.com/articles/user-generated-content

Page 10

Password Stealing

Easy: Wall of Sheep
Medium: sslstrip
Hard: Spoofing Certificates

Page 11

Mixed Mode

HTTP Page with an HTTPS Logon Button

Page 12

sslstrip Proxy Changes HTTPS to HTTP

[Diagram: Target using Facebook <-- HTTP --> Attacker: sslstrip proxy in the middle <-- HTTPS --> To Internet]
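The "mixed mode" condition on the two slides above (an HTTP page whose login form posts to HTTPS) is what sslstrip needs: the proxy can rewrite the https:// form action before the user ever sees the lock. The following is an added example, not code from the slides or from sslstrip, that audits a login page for that condition by parsing its HTML and resolving the form action against the page URL the way a browser would. The HTML snippets and hostnames (login.example, www.example) are constructed for the demo.

```python
"""Classify a login page as HTTPS, HTTP or MIXED from its HTML.

Added example (not from the slides).  MIXED is the sslstrip-friendly case:
the page itself arrives over HTTP, so a man in the middle can rewrite the
https:// action of the login form to http:// and read the password.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collects the action URL of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self._current = None        # action of the <form> currently open
        self._has_password = False
        self.login_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = attrs.get("action") or ""   # "" = post back to self
            self._has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._has_password:
                self.login_actions.append(self._current)
            self._current = None


def classify_login_page(page_url, html):
    """Return 'HTTPS', 'MIXED', 'HTTP' or 'NO-LOGIN-FORM'.

    HTTPS  : page and form action both HTTPS (sslstrip has nothing to strip)
    MIXED  : page over HTTP, form posts to HTTPS (the slides' mixed mode)
    HTTP   : the password travels in the clear somewhere regardless
    """
    finder = LoginFormFinder()
    finder.feed(html)
    if not finder.login_actions:
        return "NO-LOGIN-FORM"
    page_scheme = urlsplit(page_url).scheme.lower()
    # Resolve relative actions ("/session", "login.php") against the page URL.
    action_schemes = {urlsplit(urljoin(page_url, a)).scheme.lower()
                      for a in finder.login_actions}
    if page_scheme == "https" and action_schemes == {"https"}:
        return "HTTPS"
    if page_scheme == "http" and action_schemes == {"https"}:
        return "MIXED"
    return "HTTP"


# Constructed sample pages, one per category used on the slides.
HTTPS_PAGE = ("https://login.example/",
              '<form action="/session" method="post">'
              '<input name="u"><input type="password" name="p"></form>')
MIXED_PAGE = ("http://www.example/",
              '<form action="https://login.example/session" method="post">'
              '<input name="u"><input type="password" name="p"></form>')
HTTP_PAGE = ("http://www.example/",
             '<form action="login.php" method="post">'
             '<input name="u"><input type="password" name="p"></form>')

if __name__ == "__main__":
    for url, html in (HTTPS_PAGE, MIXED_PAGE, HTTP_PAGE):
        print(url, "->", classify_login_page(url, html))
```

Run it against your own login pages (fetch the HTML with any client and pass the URL you fetched it from); anything that comes back MIXED or HTTP is a page sslstrip can work on, and the fix is to serve the whole login flow over HTTPS.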

Page 13

Ways to Get in the Middle

Page 14

Physical Insertion in a Wired Network

[Diagram: Target -- Attacker -- To Internet]

Page 15

Configuring Proxy Server in the Browser

Page 16

ARP Poisoning

Redirects traffic at Layer 2
Sends a lot of false ARP packets on the LAN
Can be easily detected
DecaffeinatID by Irongeek
http://k78.sl.pt

Page 17

ARP Request and Reply

Client wants to find Gateway
ARP Request: Who has 192.168.2.1?
ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1

[Diagram: Client -- Gateway -- Facebook.com; ARP Request from the Client, ARP Reply from the Gateway]

Page 18

ARP Poisoning

[Diagram: Client -- Gateway -- Facebook.com, with the Attacker on the same LAN. The Attacker sends ARP Replies saying "I am the Gateway"; the Client's traffic to Facebook goes to the Attacker, who forwards it, altered, to the real Gateway]
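The slides say ARP poisoning "can be easily detected" and point at Irongeek's DecaffeinatID. The following is an added example, not code from the slides or from DecaffeinatID, that implements the same idea in a few lines: remember which MAC address answers for each IP and alert when a different MAC starts claiming an IP you already know, with a second alert for the stream of repeated replies an attacker must keep sending to hold the victim's cache. The log lines are constructed in tcpdump's "is-at" style; the gateway IP and MAC are the ones from the ARP Request and Reply slide (MAC in colon notation, as tcpdump prints it), and 00:11:22:33:44:55 is a made-up attacker address.

```python
"""Detect ARP poisoning of the gateway from ARP reply records.

Added example, not part of the slides or of DecaffeinatID.  Feed it the
output of `tcpdump -n arp` (or any log in that shape); it returns alerts.
"""
import re
from collections import Counter

# tcpdump -n arp prints replies as "<time> ARP, Reply <ip> is-at <mac>, length 28"
REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP,\s+Reply\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_replies(lines):
    """Yield (timestamp, ip, mac) for every ARP reply line; requests are ignored."""
    for line in lines:
        m = REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_poisoning(lines, gateway_ip, flood_threshold=5):
    """Return a list of alert strings.

    Two signals, both visible in the attack diagram on the slide:
      1. an IP you have already seen (especially the gateway) is suddenly
         claimed by a second MAC address;
      2. a flood of replies for the gateway IP from that impostor MAC, since
         the attacker has to keep re-sending them to keep the cache poisoned.
    """
    known = {}                       # ip -> first MAC seen answering for it
    reported = set()                 # (ip, mac) pairs already alerted on
    replies_for_gateway = Counter()  # mac -> number of replies for the gateway
    alerts = []
    for ts, ip, mac in parse_replies(lines):
        first = known.setdefault(ip, mac)
        if mac != first and (ip, mac) not in reported:
            reported.add((ip, mac))
            tag = " (GATEWAY)" if ip == gateway_ip else ""
            alerts.append(f"{ts} {ip} now claimed by {mac}, was {first}{tag}")
        if ip == gateway_ip:
            replies_for_gateway[mac] += 1
    for mac, n in replies_for_gateway.items():
        if mac != known.get(gateway_ip) and n >= flood_threshold:
            alerts.append(f"{n} replies for {gateway_ip} from impostor {mac}")
    return alerts


# Constructed capture: one honest reply from the real gateway, one unrelated
# host, then an attacker repeatedly claiming the gateway address.
SAMPLE_LOG = """\
10:00:01.000 ARP, Request who-has 192.168.2.1 tell 192.168.2.50, length 28
10:00:01.001 ARP, Reply 192.168.2.1 is-at 00:30:bd:02:ed:7b, length 28
10:00:05.200 ARP, Reply 192.168.2.77 is-at 00:11:22:33:44:55, length 28
10:00:09.000 ARP, Reply 192.168.2.1 is-at 00:11:22:33:44:55, length 28
10:00:10.000 ARP, Reply 192.168.2.1 is-at 00:11:22:33:44:55, length 28
10:00:11.000 ARP, Reply 192.168.2.1 is-at 00:11:22:33:44:55, length 28
10:00:12.000 ARP, Reply 192.168.2.1 is-at 00:11:22:33:44:55, length 28
10:00:13.000 ARP, Reply 192.168.2.1 is-at 00:11:22:33:44:55, length 28
""".splitlines()

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_LOG, "192.168.2.1"):
        print("ALERT:", alert)
```

The first-seen MAC is trusted here only because the capture starts before the attack; on a real network seed `known` from a static list of gateway and server addresses, which is also how you stop an attacker who was already poisoning when monitoring began.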

Page 19

Demonstration

Page 20

LNK File Attack

Page 21

SCADA Attacks

In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants
See https://www.cert.be/pro/attacks-scada-systems

Page 22

LNK File Attack

The SCADA attack used a vulnerability in all versions of Windows
Merely viewing a malicious Shortcut (LNK file) gives the attacker control of your computer
See http://samsclass.info/123/proj10/LNK-exploit.htm

Page 23

Demo

Page 24

LNK Attack Countermeasure

Sophos provided a free tool on July 26, 2010 to protect your system
See http://tinyurl.com/2f2nvy8

Page 25

It Works

Page 26

Cross-Site Request Forgery (XSRF)

Page 27

Cookies

Thousands of people are using Gmail all the time
How can the server know who you are?
It puts a cookie on your machine that identifies you

Page 28

Gmail's Cookies

Gmail identifies you with these cookies
In Firefox: Tools, Options, Privacy, Show Cookies

Page 29

Web-based Email

[Diagram: Target using email -- Router -- To Internet, with the Attacker sniffing traffic on the LAN]

Page 30

Cross-Site Request Forgery (XSRF)

Gmail sends the password through a secure HTTPS connection
That cannot be captured by the attacker
But the cookie identifying the user is sent in the clear, with HTTP
That can easily be captured by the attacker
The attacker gets into your account without learning your password

Page 31

Demonstration

Page 32

CSRF Countermeasure

Adjust Gmail settings to "Always use https"
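The exposure on the XSRF slide (the identifying cookie travels over plain HTTP even though the password went over HTTPS) and the countermeasure above ("Always use https") come down to one browser rule: a cookie is attached to every request whose host and path match, unless it carries the Secure attribute, in which case it only ever leaves over HTTPS. The following is an added example, not code from the slides, that parses Set-Cookie headers and applies that rule so you can see which cookies a sniffer on the LAN would get to replay. Cookie names and values are constructed, not Gmail's real ones; the Secure attribute is the server-side half of "always use https" and is not mentioned on the slides. Host-only cookies (no Domain attribute) are treated as if Domain were the issuing host, a simplification.

```python
"""Which cookies leave the browser in the clear?

Added example, not from the slides.  Parses Set-Cookie headers and applies
the browser's sending rules (scheme, domain, path) to a request URL.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(headers, origin_host):
    """Turn a list of Set-Cookie header values into {name: Morsel}."""
    jar = SimpleCookie()
    for h in headers:
        jar.load(h)
    cookies = dict(jar)
    for m in cookies.values():
        if not m["domain"]:
            m["domain"] = origin_host   # host-only cookie (simplified, see lead-in)
    return cookies


def _domain_matches(host, cookie_domain):
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)


def cookies_sent_to(cookies, url):
    """Names of the cookies a browser would attach to a request for `url`."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    sent = []
    for name, m in cookies.items():
        if m["secure"] and parts.scheme.lower() != "https":
            continue                    # Secure: never sent over plain HTTP
        if not _domain_matches(host, m["domain"]):
            continue
        if not path.startswith(m["path"] or "/"):
            continue
        sent.append(name)
    return sent


def audit_session_cookies(cookies):
    """Cookies lacking Secure: these are what a LAN sniffer can capture and replay."""
    return [name for name, m in cookies.items() if not m["secure"]]


# Constructed Set-Cookie headers, as a login response might send them.
LOGIN_RESPONSE_COOKIES = [
    "GX=abc123; Domain=.google.com; Path=/",                     # no Secure
    "SID=def456; Domain=.google.com; Path=/; Secure; HttpOnly",  # Secure
]
COOKIES = parse_set_cookie(LOGIN_RESPONSE_COOKIES, "www.google.com")

if __name__ == "__main__":
    for url in ("http://mail.google.com/mail/", "https://mail.google.com/mail/"):
        print(url, "gets", cookies_sent_to(COOKIES, url))
    print("replayable over HTTP:", audit_session_cookies(COOKIES))
```

With the cookies as constructed, the first request (plain HTTP) carries GX and a sniffer can replay it; SID, marked Secure, only appears on the HTTPS request. Switching the user to "Always use https" removes the HTTP requests; marking the session cookie Secure on the server removes the leak even if a user never changes that setting.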

Page 33

Scary SSL Attacks

Page 34

Man in the Middle

[Diagram: Target using https://gmail.com <-- HTTPS --> Attacker: Cain, fake SSL certificate <-- HTTPS --> To Internet]

Page 35

Warning Message

Page 36

Certificate Errors

The message indicates that the Certificate Authority did not validate the certificate
BUT a lot of innocent problems cause those messages
Incorrect date settings
Name changes as companies are acquired

Page 37

Most Users Ignore Certificate Errors

Link SSL-1 on my CNIT 125 page

Page 38

Fake SSL With No Warning

Impersonate a real Certificate Authority
Use a Certificate Authority in an untrustworthy nation
Trick browser maker into adding a fraudulent CA to the trusted list
Use a zero byte to change the effective domain name
Wildcard certificate

Page 39

Impersonating Verisign

Researchers created a rogue Certificate Authority certificate by finding MD5 collisions, using more than 200 PlayStation 3 game consoles
Link SSL-2

Page 40

Countermeasures

Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes) in certificates issued after January, 2009
Earlier, vulnerable certificates would be replaced only if the customer requested it
Link SSL-4
FIPS 140-1 (from 2001) did not recognize MD5 as suitable for government work
Links SSL-5, SSL-6, SSL-7

Page 41

CA in an Untrustworthy Nation

Link SSL-8

Page 42

Unknown Trusted CAs

An unknown entity was apparently trusted for more than a decade by Mozilla
Link SSL-9

Page 43

Zero Byte Terminates Domain Name

Just buy a certificate for Paypal.com\0.evil.com
Browser will see that as matching paypal.com
Link SSL-10
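The zero-byte slide and the "Wildcard certificate" bullet on the Fake SSL With No Warning slide both come down to how a browser compares the name in a certificate with the host it connected to. The following is an added example, not code from the slides or from any browser: `vulnerable_match` reproduces the effect of handing the certificate name to C-string code, which stops at the first NUL byte, and `safe_match` shows the check that closes the hole (length-aware comparison, embedded NULs rejected outright) together with a conservative single-label wildcard rule so that "*.evil.com" never matches anything outside evil.com. The two-label minimum after the wildcard is a simplification of what browsers and CAs actually enforce; the names used are constructed.

```python
"""The zero-byte trick, and the hostname check that stops it.

Added example, not from the slides.  Both functions answer "does this
certificate name cover this host?", one the broken way, one the safe way.
"""


def vulnerable_match(cert_name, host):
    """What a NUL-truncating (C strcmp-style) comparison effectively does."""
    truncated = cert_name.split("\x00", 1)[0]     # everything after NUL is lost
    return truncated.lower() == host.lower()


def safe_match(cert_name, host):
    """Length-aware comparison plus a conservative wildcard rule."""
    if "\x00" in cert_name or "\x00" in host:
        return False                              # NUL never belongs in a DNS name
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not host or any(not label for label in host.split(".")):
        return False
    if cert_name.startswith("*."):
        suffix = cert_name[2:]
        # The wildcard covers exactly one label and must leave at least two
        # labels after it, so "*.com" cannot match every .com site.
        if suffix.count(".") < 1 or "*" in suffix:
            return False
        head, _, tail = host.partition(".")
        return bool(head) and tail == suffix
    return "*" not in cert_name and cert_name == host


def compare_checkers(cert_names, host):
    """(name, vulnerable result, safe result) for each name a certificate carries."""
    return [(n, vulnerable_match(n, host), safe_match(n, host)) for n in cert_names]


if __name__ == "__main__":
    # Constructed certificate names; the first is the slide's zero-byte name.
    for name, bad, good in compare_checkers(
            ["paypal.com\x00.evil.com", "*.evil.com", "www.paypal.com"], "paypal.com"):
        print(repr(name), "vulnerable:", bad, "safe:", good)
```

The vulnerable checker accepts the slide's "paypal.com\0.evil.com" name for paypal.com; the safe one refuses it, and also refuses a wildcard that would need to span more than one label or sit directly under a top-level domain.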