Active Man in the Middle Attacks
Adi Sharabani (adish), Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire)
OWASP, 27/02/2009
The OWASP Foundation

Agenda
Background
  Man in the Middle
    Network level: heavily researched
    Web application level: sporadic research
Outline
  Passive MitM attacks
  Active MitM attacks
  Penetrating an internal network
  Remediation

Man in the Middle Scenario
All laptop users connect to a public network
Wireless connections can easily be compromised or impersonated
Wired connections might also be compromised
(Diagram: laptop users, public network, Internet)

Rules of Thumb – Don’ts …
Someone might be listening to the requests
  Don’t browse sensitive sites
  Don’t supply sensitive information
Someone might be altering the responses
  Don’t trust any information given on web sites
  Don’t execute downloaded code

Rules of Thumb – What Can You Do?
This leaves us with:
  Browse your favorite news site
  Browse your favorite weather site
(Diagram: Internet; non-sensitive sites are “boring”, sensitive sites are “interesting”)

You are still vulnerable

Mitigating a Fallacy
Fallacy: executing JavaScript on the victim == executing an attack
Reality: the same origin policy
  Executing an attack = JavaScript + a browser implementation bug, or
  Executing an attack = JavaScript + execution on a specific domain (can be done through XSS)

Passive Man in the Middle Attacks
Victim browses to a website
Attacker views the request, manipulates it and forwards it to the server
Server returns a response
Attacker views the response, manipulates it and forwards it to the victim
Other servers are not affected

Active Man in the Middle Attack
Victim browses to a “boring” site (My Weather Channel)
Attacker adds an IFRAME referencing an “interesting” site (My Bank Site); the IFrame could be invisible
An automatic request is sent to the interesting server
Attacker transfers the request to the server
Server returns a response
The attacker actively directs the victim to an “interesting” site
Other servers are not affected

Stealing Cookies*
Automatic request contains victim’s cookies
Obvious result: stealing cookies associated with any domain the attacker desires
Will also work for HTTP ONLY cookies (as opposed to XSS attacks)
* A similar attack was presented by Mike Perry – SideJacking

Demo

Overcoming Same Origin Policy
Victim surfs to a “boring” site
Attacker injects an IFRAME directing to an “interesting” site
An automatic request is sent to the interesting server; attacker forwards it to the “interesting” server
“Interesting” server returns a response
Attacker adds a malicious script to the response
Script executes with the “interesting” server’s restrictions
Result
  Attacker can execute scripts on any domain she desires
  Scripts can fully interact with any “interesting” website
Limitations
  Will only work for non-SSL web sites

Secure Connections – Login Mechanism

Secure Connections
Victim browses to site
Site returns a response with login form (“Please Login”, Username, Password, SUBMIT)
Pre-login action is sent in clear text
Victim fills login details (jsmith / ********) and submits the form
Login request is sent through a secure channel
Login successful: “Hello John Smith”
Attacker could alter the pre-login response to make the login request be sent unencrypted

Stealing Auto Completion Information
Attacker redirects victim to a request to a pre-login page
Attacker returns the original login form together with a malicious script
Script accesses the auto-completion information using the DOM
Result
  Attacker can steal any auto-completion information she desires
Limitations
  Will only work for pre-login pages that are not encrypted
  Will not work seamlessly in IE
* A passive version of this attack was described by RSnake in his blog

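The two weaknesses behind the login-form and auto-completion slides (a pre-login page that arrives in clear text, and password fields the browser is allowed to fill in) can be audited offline. The Python below is an added example and not part of the original presentation; the bank.example host, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAuditor(HTMLParser):
    """Collects every <form> on the page together with its password fields."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: action, autocomplete, password_fields
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # valueless attributes become ""
        if tag == "form":
            self._current = {"action": a.get("action", ""),
                             "autocomplete": a.get("autocomplete", "on").lower(),
                             "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current and a.get("type", "text").lower() == "password":
            self._current["password_fields"].append(a.get("autocomplete", "on").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_prelogin_page(page_url, html):
    """Return the weaknesses an active MitM could exploit on the pre-login page at page_url."""
    findings = []
    if urlsplit(page_url).scheme != "https":
        # The slides' core point: whatever arrives in clear text can be rewritten in transit.
        findings.append("pre-login page delivered over plain HTTP: an active MitM can rewrite the login form")
    parser = LoginFormAuditor()
    parser.feed(html)
    for form in parser.forms:
        if not form["password_fields"]:
            continue                                 # not a login form
        target = urljoin(page_url, form["action"])   # relative actions inherit the page scheme
        if urlsplit(target).scheme != "https":
            findings.append("login form posts to %s: credentials would travel in clear text" % target)
        if form["autocomplete"] != "off" and any(ac != "off" for ac in form["password_fields"]):
            findings.append("password field allows auto-completion: stored credentials are readable through the DOM")
    return findings


# Constructed sample: the slides' scenario, a clear-text pre-login page whose form posts over SSL.
SAMPLE_PAGE = ('<html><body><h1>Please Login</h1><form action="https://bank.example/login" method="post">'
               '<input name="user" type="text"><input name="pass" type="password">'
               '<input type="submit" value="SUBMIT"></form></body></html>')
```

Running `audit_prelogin_page("http://bank.example/", SAMPLE_PAGE)` reports the clear-text pre-login page and the auto-completable password field even though the form itself posts over SSL, which is exactly the gap the slides exploit.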
Demo

Broadening the Attack (Time Dimension)

(Timeline diagram)
Past (“interesting” sites) | Present (“boring” sites) | Future (“interesting” sites)
Passive MitM attacks: present
Active MitM attacks: past, present and future

Session Fixation
Attacker redirects victim to the site of interest
Attacker returns a page with a cookie generated by the server
Cookie is saved on the victim’s computer
A while later, victim connects to the site (with the pre-provided cookie)
Attacker uses the same cookie to connect to the server
Server authenticates attacker as victim
Result
  Attacker can set persistent cookies on the victim
Limitations
  The vulnerability also lies within the server

Cache Poisoning
Attacker redirects victim to the site of interest
Attacker returns a malicious page with cache setting enabled
Page is cached on the victim’s computer
A while later, victim visits the site
Result
  Attacker can poison any page she desires
  Poisoned pages will be persistent
Limitations
  Attacker can poison only non-SSL resources

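What makes the poisoned page persistent is the freshness lifetime the browser assigns to a plain-HTTP response. As an added example (not from the presentation), the Python below computes that lifetime from captured response headers and flags non-SSL resources a browser would keep; the header block, the cdn.example URL and the function names are constructed for illustration.

```python
from email.utils import parsedate_to_datetime


def parse_headers(raw):
    """Turn a raw response header block into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:        # [0] is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def cache_lifetime(headers):
    """Seconds a browser may reuse the response unasked: 0 = must not store, None = no explicit freshness."""
    directives = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, value = part.strip().lower().partition("=")
        if name:
            directives[name] = value
    if "no-store" in directives or "no-cache" in directives:
        return 0                              # stored copy is never served without revalidation
    if "max-age" in directives and directives["max-age"].isdigit():
        return int(directives["max-age"])
    if "expires" in headers and "date" in headers:
        try:
            delta = parsedate_to_datetime(headers["expires"]) - parsedate_to_datetime(headers["date"])
        except (TypeError, ValueError):      # unparsable Expires counts as already expired
            return 0
        return max(0, int(delta.total_seconds()))
    return None                               # browser heuristics apply; may still be kept for long


def poisoning_risk(url, raw_headers):
    """Describe why a MitM-injected copy of this resource would persist, or None if it would not."""
    if url.lower().startswith("https://"):
        return None                           # the slides' attack only reaches non-SSL resources
    lifetime = cache_lifetime(parse_headers(raw_headers))
    if lifetime == 0:
        return None
    how_long = "heuristically" if lifetime is None else "for %d s" % lifetime
    return "%s is served over plain HTTP and may be cached %s" % (url, how_long)


# Constructed sample: a shared script served over HTTP with a one-year freshness lifetime.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Date: Fri, 27 Feb 2009 10:00:00 GMT
Cache-Control: public, max-age=31536000
"""
```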
Complex Hacking – Intranet Networks

Penetrating Internal Network – Simple Cache Poison
Result
  Attack will be launched every time victim accesses the resource
  The attack would be executed within the local intranet
Characteristics
  Firewall protections are helpless
  Affected servers will never know
  The attack is persistent

Setting Up a Future MitM Scenario
Using Active MitM techniques, attacker poisons the victim’s cache related to his router’s web access
Victim’s router-related cache is poisoned with a malicious script
Malicious script is executed when victim tries to access the router
Script configures the router to tunnel future communication through the attacker (diagram: Outbound Proxy IP Address 216.187.118.221, Primary DNS Server Address 216.187.118.221)
Script hides the configuration changes
Result
  Facilitates future MitM scenarios
  Does not require router’s credentials
  Fake settings could be displayed to the user
Limitations
  Requires victim to access router in the future
  Need to guess router’s address ( )

Increasing the Exposure
Poison common home pages: script will execute every time victim opens his browser
Poison common scripts (.JS): script will execute on every page using the common script
Example: the “double active” attack, where a common poisoned page redirects to another poisoned resource

The Double Active Cache Poisoning Attack
Victim browses a “boring” site
Using active techniques, attacker poisons two resources:
  Local router address (such as ): the poisoned page will contain a script that will reconfigure the victim’s local router
  Common pages (such as ): the poisoned pages will redirect the victim to the local router’s poisoned page
Using Active MitM techniques, attacker poisons the common router address (i.e. ); attacker also poisons common home pages
Victim goes back home and, at a later time, opens the browser
Cached home page is loaded and redirects the victim’s browser to the router’s web interface
Cached router web interface is loaded and the malicious script changes the router’s settings
Script configures the router to tunnel all further communication through the attacker
Router is compromised by the malicious script
Result
  Internal network has been compromised
Limitation
  Need to guess router IP and credentials

Active Attack Characteristics
Not noticeable in the user’s experience
Not noticeable by any of the web sites
IPS/IDS will not block it
Can be persistent
Can be used to hack into the local organization
Bypasses any firewall or VPN
Can be used with DNS Pinning techniques
A problem with the current design
Requires only one plain HTTP request to be transmitted

Remediation
Users
  Do not use auto-completion
  “Clean Slate Policy”
  Trust level separation
    Two different browsers
    Two different users
    Two different OS
    Virtualization products
  Tunnel communication through a secure proxy
    Might not be allowed in many hot-spots

Web owners
  Consider risks of partial SSL sites
  Do not consider a secure VPN connection an SSL replacement
  Use random tokens for common scripts
    While considering performance issues
  Avoid referring to external scripts from internal sites

Industry
  Build an integrity mechanism for HTTP
  Secure WiFi networks

Summary
Active MitM attacks broaden the scope of the passive attacks
Design issues
Dimension of time
  Past (steal cookies, auto-completion information, cache)
  Future (set up cookies, poison cache, poison form filler)
Penetrating internal networks
Persistent
Bypass any current protection mechanisms
More information: paper and presentation will be uploaded to our blog:

References
Watchfire’s Blog: http://blog.watchfire.com
Wireless Man in the Middle Attacks:
SideJacking:
More on SideJacking:
Active SideJacking:
Surf Jacking:
Stealing User Information:

Thank you!