How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam Bowne.
No Need to Take Notes
This PowerPoint and other materials are at
Feel free to use all this material for your own classes, talks, etc.

Contact
Sam Bowne, Computer Networking and Information Technology, City College San Francisco
Web: samsclass.info

Topics
sslstrip: steals passwords from mixed-mode Web login pages
LNK Attack: takes over any Windows machine (0-day)
Cross-Site Request Forgery: replays cookies to break into Gmail
Scary SSL Attacks: ways to completely fool browsers

HTTP and HTTPS

HTTPS is More Secure than HTTP
Diagram: a user logging in to Facebook.
HTTP: unencrypted data, no server authentication.
HTTPS: encrypted, server authenticated.

sslstrip

The 15 Most Popular Web 2.0 Sites (how each one handles the login page)
1. YouTube: HTTPS
2. Wikipedia: HTTP
3. Craigslist: HTTPS
4. Photobucket: HTTP
5. Flickr: HTTPS
6. WordPress: MIXED
7. Twitter: MIXED
8. IMDB: HTTPS
9. Digg: HTTP
10. eHow: HTTPS
11. TypePad: HTTPS
12. topix: HTTP
13. LiveJournal: obfuscated HTTP
14. deviantART: MIXED
15. Technorati: HTTPS
From generated-content

Password Stealing
Easy: Wall of Sheep
Medium: sslstrip
Hard: spoofing certificates

Mixed Mode
An HTTP page with an HTTPS logon button.

sslstrip Proxy Changes HTTPS to HTTP
Diagram: target using Facebook; attacker running the sslstrip proxy in the middle; to Internet. The target-to-attacker leg is HTTP, the attacker-to-Internet leg is HTTPS.
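The condition sslstrip relies on is a login form served over HTTP that submits to HTTPS, so the browser never opens the encrypted connection before the proxy can rewrite the links. The check below is an added example, not code from the slides: it audits a page for that mixed-mode pattern and checks whether the server sends a Strict-Transport-Security header, the modern countermeasure that makes the browser refuse the downgrade. The page URL, HTML and header names are constructed sample input.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: an HTTP page whose login form posts to HTTPS (mixed mode).
SAMPLE_PAGE_URL = "http://www.example.com/"
SAMPLE_HTML = """
<html><body>
<form id="login" action="https://login.example.com/auth" method="post">
  <input name="email"><input name="pass" type="password">
</form>
<form id="search" action="/search" method="get"><input name="q"></form>
</body></html>
"""

FORM_RE = re.compile(r"<form\b([^>]*)>(.*?)</form>", re.I | re.S)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def find_mixed_mode_forms(page_url, html):
    """Return ids of password forms that are served over HTTP but submit over HTTPS.

    Such a page is what a stripping proxy rewrites: it changes the https:// action to
    http:// and the user, who never saw a lock icon to begin with, notices nothing.
    """
    if urlsplit(page_url).scheme != "http":
        return []  # the page itself is HTTPS, so the proxy never sees its links in clear
    flagged = []
    for attrs, body in FORM_RE.findall(html):
        a = dict(ATTR_RE.findall(attrs))
        posts_to_https = urlsplit(a.get("action", "")).scheme == "https"
        if posts_to_https and "password" in body.lower():
            flagged.append(a.get("id", "?"))
    return flagged


def has_hsts(response_headers):
    """True if the server asks browsers to use HTTPS only (Strict-Transport-Security).

    With HSTS remembered from an earlier visit, the browser upgrades http:// requests
    itself, so there is no plaintext leg for the proxy to rewrite.
    """
    return any(k.lower() == "strict-transport-security" for k in response_headers)


if __name__ == "__main__":
    print("mixed-mode forms:", find_mixed_mode_forms(SAMPLE_PAGE_URL, SAMPLE_HTML))
    print("HSTS present:", has_hsts({"Content-Type": "text/html"}))
```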

Ways to Get in the Middle

Physical Insertion in a Wired Network
Diagram: target, attacker placed inline on the wire, to Internet.

Configuring Proxy Server in the Browser

ARP Poisoning
Redirects traffic at Layer 2.
Sends a lot of false ARP packets on the LAN.
Can be easily detected: DecaffeinatID by IronGeek.

ARP Request and Reply
Client wants to find the gateway.
ARP Request: Who has the gateway's IP?
ARP Reply: MAC bd-02-ed-7b has it.
Diagram: Client, Gateway, Facebook.com; the ARP request goes out, the ARP reply comes back.

ARP Poisoning
Diagram: Client, Gateway, Facebook.com, Attacker.
The attacker sends ARP replies claiming "I am the Gateway".
Traffic to Facebook now passes through the attacker, who forwards it and can alter it.
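The slide notes that poisoning is easy to detect because the attacker must keep flooding false replies. The detector below is an added example in the spirit of DecaffeinatID, not code from the slides or from that tool: it flags an IP that is answered for by more than one MAC, and a MAC that repeats its reply for the same IP too often within a short window. The reply records are constructed sample data.

```python
from collections import defaultdict

# Constructed sample ARP replies as (ip, mac, seconds) a sniffer might log them.
# The host 00:aa:bb:cc:dd:ee (attacker) repeatedly claims the gateway's IP.
SAMPLE_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55", 0.0),  # the real gateway answers once
    ("192.168.1.1", "00:aa:bb:cc:dd:ee", 1.0),  # poisoned reply
    ("192.168.1.1", "00:aa:bb:cc:dd:ee", 1.5),  # repeated to keep caches poisoned
    ("192.168.1.1", "00:aa:bb:cc:dd:ee", 2.0),
    ("192.168.1.7", "00:aa:bb:cc:dd:ee", 2.1),  # attacker's own address, legitimate
]


def detect_arp_poisoning(replies, flood_threshold=3, window=5.0):
    """Return {'conflicts': {ip: set(macs)}, 'floods': {(ip, mac)}}.

    conflicts: an IP seen with more than one MAC (two hosts claim the same address).
    floods: one MAC answering for one IP at least flood_threshold times within
    'window' seconds, the repetition a poisoner needs to win the race.
    """
    macs_for_ip = defaultdict(set)
    reply_times = defaultdict(list)
    for ip, mac, t in replies:
        macs_for_ip[ip].add(mac)
        reply_times[(ip, mac)].append(t)

    conflicts = {ip: macs for ip, macs in macs_for_ip.items() if len(macs) > 1}

    floods = set()
    for key, ts in reply_times.items():
        ts.sort()
        for i in range(len(ts)):
            j = i
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1  # slide a window forward from reply i
            if j - i >= flood_threshold:
                floods.add(key)
                break
    return {"conflicts": conflicts, "floods": floods}


if __name__ == "__main__":
    print(detect_arp_poisoning(SAMPLE_REPLIES))
```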

Demonstration

LNK File Attack

SCADA Attacks
In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants.
See

LNK File Attack
The SCADA attack used a vulnerability in all versions of Windows.
Merely viewing a malicious shortcut (LNK file) gives the attacker control of your computer.
See

Demo

LNK Attack Countermeasure
Sophos provided a free tool on July 26, 2010 to protect your system.
See

It Works

Cross-Site Request Forgery (XSRF)

Cookies
Thousands of people are using Gmail all the time.
How can the server know who you are?
It puts a cookie on your machine that identifies you.

Gmail's Cookies
Gmail identifies you with these cookies.
In Firefox: Tools, Options, Privacy, Show Cookies.

Web-based Router
Diagram: target using the site, attacker sniffing traffic, to Internet.

Cross-Site Request Forgery (XSRF)
Gmail sends the password through a secure HTTPS connection.
That cannot be captured by the attacker.
But the cookie identifying the user is sent in the clear, with HTTP.
That can easily be captured by the attacker.
The attacker gets into your account without learning your password.

Demonstration

CSRF Countermeasure
Adjust Gmail settings to "Always use https".
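The attack above works because the session cookie is sent on plain HTTP requests, and "Always use https" only helps if the server also marks the cookie so the browser never sends it in clear. The audit below is an added example, not code from the slides: it parses Set-Cookie headers, lists which cookies a browser would attach to an http:// request, and flags session cookies missing the Secure attribute. The header lines and cookie names are constructed samples, not Gmail's real cookies.

```python
# Constructed sample Set-Cookie headers, as a server might return them after login.
SAMPLE_HEADERS = [
    "SESSION=abc123; Domain=.example.com; Path=/; HttpOnly",            # no Secure flag
    "SECURE_SESSION=def456; Domain=.example.com; Path=/; Secure; HttpOnly",
    "PREF=lang=en; Domain=.example.com; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True  # bare flags such as Secure
    return name.strip(), value, attrs


def cookies_sent_in_clear(headers, request_scheme="http"):
    """Names of cookies a browser would attach to a request over request_scheme.

    Over plain HTTP only cookies without the Secure attribute are sent; those are
    exactly the ones a sniffer on the LAN can capture and replay.
    """
    sent = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if request_scheme == "https" or "secure" not in attrs:
            sent.append(name)
    return sent


def audit_session_cookies(headers, session_names):
    """Session cookies that would leak over HTTP: the server-side fix is to add
    Secure to each of these, complementing the user's 'Always use https' setting."""
    return [n for n in cookies_sent_in_clear(headers) if n in session_names]


if __name__ == "__main__":
    print("sent over http:", cookies_sent_in_clear(SAMPLE_HEADERS))
    print("leaky session cookies:",
          audit_session_cookies(SAMPLE_HEADERS, ("SESSION", "SECURE_SESSION")))
```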

Scary SSL Attacks

Man in the Middle
Diagram: target, attacker running Cain with a fake SSL certificate, to Internet over HTTPS.

Warning Message

Certificate Errors
The message indicates that the Certificate Authority did not validate the certificate.
BUT a lot of innocent problems cause those messages:
Incorrect date settings.
Name changes as companies are acquired.

Most Users Ignore Certificate Errors
Link SSL-1 on my CNIT 125 page.

Fake SSL With No Warning
Impersonate a real Certificate Authority.
Use a Certificate Authority in an untrustworthy nation.
Trick a browser maker into adding a fraudulent CA to the trusted list.
Use a zero byte to change the effective domain name.
Wildcard certificate.

Impersonating Verisign
Researchers created a rogue Certificate Authority certificate by finding MD5 collisions, using more than 200 PlayStation 3 game consoles.
Link SSL-2.

Countermeasures
Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes) in certificates issued after January 2009.
Earlier, vulnerable certificates would be replaced only if the customer requested it.
Link SSL-4.
FIPS (from 2001) did not recognize MD5 as suitable for government work.
Links SSL-5, SSL-6, SSL-7.

CA in an Untrustworthy Nation
Link SSL-8.

Unknown Trusted CAs
An unknown entity was apparently trusted for more than a decade by Mozilla.
Link SSL-9.

Zero Byte Terminates Domain Name
Just buy a certificate for Paypal.com\0.evil.com.
The browser will see that as matching paypal.com.
Link SSL-10.
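The bug behind this slide is a name check that treats the certificate's Common Name as a C string, so everything after the first NUL byte is ignored. The comparison pair below is an added example, not code from the slides or from any browser: the first function reproduces the truncating behaviour, the second is the length-aware check a validator should use, which also keeps a wildcard (the last item on the earlier "Fake SSL With No Warning" list) to a single label. The rogue CN is taken from the slide's own example.

```python
def cn_matches_truncating(cert_cn, hostname):
    """Vulnerable comparison: like a C strcmp, it stops at the first NUL byte,
    so "paypal.com\\0.evil.com" is compared as plain "paypal.com"."""
    effective = cert_cn.split("\x00", 1)[0]
    return effective.lower() == hostname.lower()


def cn_matches_strict(cert_cn, hostname):
    """Hardened comparison: reject any embedded NUL outright, then compare the whole
    string. A leading "*." may stand in for exactly one label and never for the
    registrable domain itself (so "*.com" matches nothing)."""
    if "\x00" in cert_cn or "\x00" in hostname:
        return False  # a DNS name can never legitimately contain a NUL byte
    cn, host = cert_cn.lower().rstrip("."), hostname.lower().rstrip(".")
    if cn.startswith("*."):
        cn_labels, host_labels = cn.split("."), host.split(".")
        return (
            len(cn_labels) == len(host_labels)
            and len(host_labels) >= 3
            and cn_labels[1:] == host_labels[1:]
        )
    return cn == host


# Constructed from the slide's example: the CA saw "...evil.com" and issued the cert,
# while a truncating browser sees only "paypal.com".
ROGUE_CN = "paypal.com\x00.evil.com"

if __name__ == "__main__":
    print("truncating check accepts rogue CN:", cn_matches_truncating(ROGUE_CN, "paypal.com"))
    print("strict check accepts rogue CN:    ", cn_matches_strict(ROGUE_CN, "paypal.com"))
```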