Presentation is loading. Please wait.

Presentation is loading. Please wait.

Active Man in the Middle Attacks

Published byBelgin Çağlar Modified over 5 years ago

Similar presentations

Presentation on theme: "Active Man in the Middle Attacks"— Presentation transcript:

1 Active Man in the Middle Attacks
Adi Sharabani Security Research Group Manager IBM Rational Application Security (a.k.a. Watchfire) adish OWASP 27/02/2009 The OWASP Foundation

2 Agenda Background Outline Man in the Middle
Network level – heavily researched Web application level – sporadic research Outline Passive MitM attacks Active MitM attacks Penetrating an internal network Remediation

3 Man in the Middle Scenario
All laptop users connect to a public network Wireless connection can easily be compromised or impersonated Wired connections might also be compromised Internet

4 Rules of Thumb – Don’ts …
Someone might be listening to the requests Don’t browse sensitive sites Don’t supply sensitive information Someone might be altering the responses Don’t trust any information given on web sites Don’t execute downloaded code

5 Rules of Thumb – What Can You Do?
This leaves us with: Browse your favorite news site Browse your favorite weather site Internet Non-sensitive sites Boring Sensitive sites Interesting

6 You are still vulnerable

7 Mitigating a Fallacy Fallacy Reality
Executing JavaScript on victim == executing an attack Reality Same origin policy Executing an attack JavaScript + browser implementation bug JavaScript + execution on a specific domain Can be done through XSS

8 Passive Man in the Middle Attacks
Victim browses to a website Attacker views the response manipulates it and forwards to victim Attacker views the request manipulates it and forwards to server Server returns a response Other servers are not affected

9 Active Man in the Middle Attack
Victim browses to a “boring” site Attacker adds an IFRAME referencing an “interesting” site Attack transfers the request to the server Server returns a response The attacker actively directs the victim to an “interesting” site The IFrame could be invisible My Weather Channel Other servers are not affected My Bank Site My Bank Site Automatic request sent to the interesting server

10

11 Automatic request contains victim’s cookies
Stealing Cookies* Obvious result Stealing cookies associated with any domain attacker desires Will also work for HTTP ONLY cookies (as opposed to XSS attacks) Automatic request contains victim’s cookies * A similar attack was presented by Mike Perry – SideJacking

12 Demo

13 Overcoming Same Origin Policy
Result Attacker can execute scripts on any domain she desires Scripts can fully interact with any “interesting” website Limitations Will only work for non SSL web sites Victim surfs to a “boring” site Attacker injects an IFRAME directing to an “interesting” site Attacker forwards the automatic request to the “interesting” server Script executes with the “interesting” server’s restrictions Attacker adds a malicious script to the response Automatic request sent to the interesting server “Interesting” server returns a response

14 Secure Connections Login Mechanism

15 Secure Connections Hello John Smith, Username Password SUBMIT jsmith
Login Successful Hello John Smith, Please Login Username Password SUBMIT Victim fills login details, and submits the form Pre-login action sent in clear text Attacker could alter the pre-login response to make the login request sent unencrypted jsmith ******** Victim browses to site SUBMIT Login request is sent through a secure channel Site returns a response with login form

16 Stealing Auto Completion Information
Result Attacker can steal any auto-completion information she desires Limitations Will only work for pre-login pages not encrypted Will not work seamlessly in IE Attacker returns the original login form together with a malicious script Attacker redirect victim to a request to a pre-login page Script accesses the auto-completion information using the DOM * A passive version of this attack was described by RSnake in his blog

17 Demo

18 Broadening the Attack (Time Dimension)

19 Past Present Future Active MitM Attacks Passive MitM Attacks
(“interesting” sites) Present (“boring” sites) Future (“interesting” sites)

20 Session Fixation Result Limitations
Attacker can set persistent cookies on victim Limitations The vulnerability also lies within the server Server authenticates attacker as victim A while later, victim connects to the site (with the pre-provided cookie) Attacker returns a page with a cookie generated by server Attacker redirects victim to the site of interest Cookie is being saved on victim’s computer Attacker uses the same cookie to connect to the server

21 Cache Poisoning Result Limitations
Attacker can poison any page she desires Poisoned pages will be persistent Limitations Attacker can poison non SSL resources A while later, victim visits the site Attacker redirects victim to the site of interest Attacker returns a malicious page with cache setting enabled Page is being cached on victim’s computer

22 Complex Hacking Intranet Networks

23 Penetrating Internal Network – Simple Cache Poison
Result Attack will be launched every time victim accesses the resource The attack would executed within the local intranet Characteristics Firewall protections are helpless Affected servers will never know The attack is persistent

24 Setting Up a Future MitM Scenario
Result Facilitates future MitM scenarios Does not require router’s credentials Fake settings could be displayed to the user Limitations Requires victim to access router in the future Need to guess router’s address ( ) Script hides the configuration changes Using Active MitM Techniques, attacker poisons victim’s cache related to his router’s web access Malicious script executed when victim tries to access router Script configures router to tunnel future communication through attacker Router Victim’s router related cache poisoned with a malicious script Outbound Proxy IP Address 216 187 118 221 . Primary DNS Server Address 216 187 118 221 .

25 Increasing the Exposure
Poison common home pages Script will execute every time victim opens his browser Poison common scripts Script will execute on every page using the common script Example: The “double active” attack Common poisoned page redirects to another poisoned resource .JS

26 The Double Active Cache Poisoning Attack
Result Internal network has been compromised Limitation Need to guess router IP and credentials At a later time, Victim opens browser Cached router’s web interface is loaded and malicious script changes router’s settings Cached home page is loaded and redirects victim’s browser to router’s web interface Using Active MitM techniques, attacker poisons common router’s address (i.e ) Router Victim browses “boring” site Using active techniques, attacker poisons two resources: Poison local router address (such as ): The poisoned page will contain script that will reconfigure victim’s local router Poison common pages (such as The poisoned pages will redirect the victim to the local router’s poisoned page Victim goes back home Opens a common page Redirects to local router Running script on router Script configures routers to tunnel all further communication through attacker Attacker also poisons common home pages Router is compromised by malicious script

27 Active Attack Characteristics
Not noticeable in user’s experience Not noticeable by any of the web sites IPS/IDS will not block it Can be persistent Can be used to hack into local organization Bypasses any firewall or VPN Can be used with DNS Pinning Techniques A problem with the current design Requires only one plain HTTP request to be transmitted

28 Remediation Users Do not use auto-completion “Clean Slate Policy”
Trust level separation Two different browsers Two different users Two different OS Virtualization products Tunnel communication through a secure proxy Might not be allowed in many hot-spots

29 Web owners Consider risks of partial SSL sites
Do not consider secure VPN connection as an SSL replacement Use random tokens for common scripts While considering performance issues Avoid referring external scripts from internal sites

30 Industry Build integrity mechanism for HTTP Secure WiFi networks

31 Summary Active MitM attacks– broaden the scope of the passive attacks
Design issues Dimension of time Past (steal cookies, auto-completion information, cache) Future (set up cookies, poison cache, poison form filler) Penetrating internal networks Persistent Bypass any current protection mechanisms More information: Paper and presentation will be uploaded to our blog:

32 References Watchfire’s Blog: http://blog.watchfire.com
Wireless Man in the Middle Attacks: SideJacking: More on SideJacking: Active SideJacking: Surf Jacking Stealing User Information:

33 Thank you!

Download ppt "Active Man in the Middle Attacks"

Similar presentations

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.

Transfer Content to a Website What is FTP? File Transfer Protocol FTP is a protocol – a set of rules Designed to allow files to be transferred across.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
DSL-2870B How to Change ADSL Username and Password in your modem router How to Change Wireless Channel in your modem router How to Open Ports in your modem.

DSL-2870B How to Change ADSL Username and Password in your modem router How to Change Wireless Channel in your modem router How to Open Ports in your modem.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.

11 SUPPORTING INTERNET EXPLORER IN WINDOWS XP Chapter 11.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google