How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam Bowne.

2 No Need to Take Notes
- This PowerPoint and other materials are at http://samsclass.info/HI-TEC
- Feel free to use all this material for your own classes, talks, etc.

3 Contact
- Sam Bowne
- Computer Networking and Information Technology
- City College San Francisco
- Email: sbowne@ccsf.edu
- Web: samsclass.info

4 Topics
- sslstrip: steals passwords from mixed-mode Web login pages
- LNK Attack: takes over any Windows machine (0day)
- Cross-Site Request Forgery: replays cookies to break into Gmail
- Scary SSL Attacks: ways to completely fool browsers

5 HTTP and HTTPS

6 HTTPS is More Secure than HTTP
(Diagram: a user logging in to Facebook)
- HTTP: unencrypted data, no server authentication
- HTTPS: encrypted, server authenticated

7 sslstrip

8 The 15 Most Popular Web 2.0 Sites (1-8)
1. YouTube: HTTPS
2. Wikipedia: HTTP
3. Craigslist: HTTPS
4. Photobucket: HTTP
5. Flickr: HTTPS
6. WordPress: MIXED
7. Twitter: MIXED
8. IMDB: HTTPS

9 The 15 Most Popular Web 2.0 Sites (9-15)
9. Digg: HTTP
10. eHow: HTTPS
11. TypePad: HTTPS
12. topix: HTTP
13. LiveJournal: Obfuscated HTTP
14. deviantART: MIXED
15. Technorati: HTTPS
From http://www.ebizmba.com/articles/user-generated-content

10 Password Stealing
- Easy: Wall of Sheep
- Medium: sslstrip
- Hard: spoofing certificates

11 Mixed Mode
- HTTP page with an HTTPS logon button

12 sslstrip Proxy Changes HTTPS to HTTP
(Diagram: Target using Facebook <- HTTP -> Attacker: sslstrip proxy in the middle <- HTTPS -> To Internet)

13 Ways to Get in the Middle

14 Physical Insertion in a Wired Network
(Diagram: Target -> Attacker -> To Internet)

15 Configuring Proxy Server in the Browser

16 ARP Poisoning
- Redirects traffic at Layer 2
- Sends a lot of false ARP packets on the LAN
- Can be easily detected
- DecaffeinatID by IronGeek: http://k78.sl.pt

17 ARP Request and Reply
- Client wants to find the Gateway
- ARP Request: Who has 192.168.2.1?
- ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1
(Diagram: Client, Gateway, Facebook.com; the ARP Request goes from the Client, the ARP Reply comes back from the Gateway)

18 ARP Poisoning
(Diagram: Client, Gateway, Facebook.com, Attacker. The Attacker sends ARP Replies saying "I am the Gateway"; the Client's traffic to Facebook now goes to the Attacker, who forwards the altered traffic on to the Gateway)
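The slides note that ARP poisoning is easy to detect because it floods the LAN with false replies for an address that already has a known MAC. The following monitor is an added example, not part of the talk or of DecaffeinatID; it flags both symptoms on a constructed list of observed ARP replies, using the gateway IP and MAC from the slide above.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: (time_seconds, sender_ip, sender_mac).
# The first two are the real gateway from the slide; the rest are a second
# host claiming the same IP from its own MAC, in a burst.
SAMPLE_REPLIES = [
    (0.0, "192.168.2.1", "00-30-bd-02-ed-7b"),
    (5.0, "192.168.2.1", "00-30-bd-02-ed-7b"),
    (9.0, "192.168.2.1", "00-11-22-33-44-55"),
    (9.1, "192.168.2.1", "00-11-22-33-44-55"),
    (9.2, "192.168.2.1", "00-11-22-33-44-55"),
    (9.3, "192.168.2.1", "00-11-22-33-44-55"),
    (9.4, "192.168.2.1", "00-11-22-33-44-55"),
    (9.5, "192.168.2.1", "00-11-22-33-44-55"),
]


def detect_arp_poisoning(replies, burst_threshold=5, window=1.0):
    """Return alert strings for suspicious ARP replies.

    Two symptoms are flagged: an IP whose advertised MAC differs from the one
    first learned for it (reported once per new MAC), and burst_threshold or
    more replies for one IP inside `window` seconds (reported when the
    threshold is first reached).
    """
    learned = {}                 # ip -> MAC first seen answering for it
    reported = set()             # (ip, mac) pairs already alerted on
    recent = defaultdict(list)   # ip -> timestamps of replies in the window
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip not in learned:
            learned[ip] = mac
        elif learned[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append(f"MAC change for {ip}: {learned[ip]} -> {mac}")
        # Keep only timestamps inside the sliding window, then add this one.
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) == burst_threshold:
            alerts.append(f"ARP reply burst for {ip}: {burst_threshold} replies "
                          f"within {window}s")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES):
        print(line)
```

A real deployment would feed this from a packet capture and seed `learned` from a trusted ARP table rather than from the first reply seen.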

19 Demonstration

20 LNK File Attack

21 SCADA Attacks
- In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants
- See https://www.cert.be/pro/attacks-scada-systems

22 LNK File Attack
- The SCADA attack used a vulnerability in all versions of Windows
- Merely viewing a malicious Shortcut (LNK file) gives the attacker control of your computer
- See http://samsclass.info/123/proj10/LNK-exploit.htm

23 Demo

24 LNK Attack Countermeasure
- Sophos provided a free tool on July 26, 2010 to protect your system
- See http://tinyurl.com/2f2nvy8

25 It Works

26 Cross-Site Request Forgery (XSRF)

27 Cookies
- Thousands of people are using Gmail all the time
- How can the server know who you are?
- It puts a cookie on your machine that identifies you

28 Gmail's Cookies
- Gmail identifies you with these cookies
- In Firefox: Tools, Options, Privacy, Show Cookies

29 Web-based Email
(Diagram: Target using Email -> Router -> To Internet, with the Attacker sniffing traffic along the way)

30 Cross-Site Request Forgery (XSRF)
- Gmail sends the password through a secure HTTPS connection
- That cannot be captured by the attacker
- But the cookie identifying the user is sent in the clear, with HTTP
- That can easily be captured by the attacker
- The attacker gets into your account without learning your password

31 Demonstration

32 CSRF Countermeasure
- Adjust Gmail settings to "Always use https"
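The cookie-replay attack above works only when the identifying cookie travels over plain HTTP, and the sslstrip attack earlier works only when a login form reached over HTTP posts to HTTPS (the "mixed mode" layout). Both conditions can be checked from the server's own responses. The checker below is an added example written for this page, not code from the talk or from Gmail; the cookie name, domain and login page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def cookie_issues(set_cookie_value):
    """Return the protections missing from one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    issues = []
    if "secure" not in attrs:
        issues.append(f"{name}: no Secure flag, so it is sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append(f"{name}: no HttpOnly flag, so page scripts can read it")
    return issues


class _FormScanner(HTMLParser):
    """Collect each form's action and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def login_forms_over_http(page_url, html):
    """Return resolved action URLs of password forms that do not post over https."""
    scanner = _FormScanner()
    scanner.feed(html)
    targets = [urljoin(page_url, f["action"]) for f in scanner.forms if f["password"]]
    return [t for t in targets if urlsplit(t).scheme != "https"]


# Constructed samples: a session cookie set with no flags, plus a mixed-mode
# login page and the same page after an sslstrip-style https -> http rewrite.
SAMPLE_COOKIE = "session=constructed-session-id; Path=/; Domain=.example.com"
MIXED_MODE_PAGE = ('<form action="https://login.example.com/auth" method="post">'
                   '<input type="text" name="user"><input type="password" name="pw">'
                   '</form>')
STRIPPED_PAGE = MIXED_MODE_PAGE.replace("https://", "http://")
```

Running `login_forms_over_http` on the page as the browser actually received it is what distinguishes the genuine mixed-mode page (no findings) from the stripped one (the login form now posts over http).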

33 Scary SSL Attacks

34 Man in the Middle
(Diagram: Target using https://gmail.com <- HTTPS -> Attacker: Cain with a fake SSL certificate -> To Internet)

35 Warning Message

36 Certificate Errors
- The message indicates that the Certificate Authority did not validate the certificate
- BUT a lot of innocent problems cause those messages:
- Incorrect date settings
- Name changes as companies are acquired

37 Most Users Ignore Certificate Errors
- Link SSL-1 on my CNIT 125 page

38 Fake SSL With No Warning
- Impersonate a real Certificate Authority
- Use a Certificate Authority in an untrustworthy nation
- Trick a browser maker into adding a fraudulent CA to the trusted list
- Use a zero byte to change the effective domain name
- Wildcard certificate

39 Impersonating Verisign
- Researchers created a rogue Certificate Authority certificate by finding MD5 collisions
- Using more than 200 PlayStation 3 game consoles
- Link SSL-2

40 Countermeasures
- Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes) in certificates issued after January, 2009
- Earlier, vulnerable certificates would be replaced only if the customer requested it
- Link SSL-4
- FIPS 140-1 (from 2001) did not recognize MD5 as suitable for government work
- Links SSL-5, SSL-6, SSL-7

41 CA in an Untrustworthy Nation
- Link SSL-8

42 Unknown Trusted CAs
- An unknown entity was apparently trusted for more than a decade by Mozilla
- Link SSL-9

43 Zero Byte Terminates Domain Name
- Just buy a certificate for Paypal.com\0.evil.com
- Browser will see that as matching paypal.com
- Link SSL-10
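The zero-byte trick works because a C-style string comparison stops at the first NUL, so the browser compares only the part before it. The matcher below is an added example for this page, not code from any browser: `c_style_match` imitates that truncating comparison, and `safe_match` shows the corrected behaviour, comparing the full name, refusing embedded NULs, and allowing a wildcard only in the leftmost label (the wildcard rule is this example's own, covering the "wildcard certificate" item from the earlier slide). All certificate names are constructed test data.

```python
def c_style_match(cert_name: str, hostname: str) -> bool:
    """Vulnerable: treats the first NUL byte as the end of the certificate name,
    so "paypal.com\\0.evil.com" compares equal to "paypal.com"."""
    effective = cert_name.split("\x00", 1)[0]
    return effective.lower() == hostname.lower()


def safe_match(cert_name: str, hostname: str) -> bool:
    """Length-aware match over whole labels, with a single leftmost wildcard.

    Rules applied here: any embedded NUL fails; label counts must be equal;
    a wildcard may only be the entire leftmost label; a wildcard name needs
    at least three labels so that something like *.com can never match.
    """
    if "\x00" in cert_name or "\x00" in hostname:
        return False
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        if len(cert_labels) < 3 or any("*" in lab for lab in cert_labels[1:]):
            return False
        return cert_labels[1:] == host_labels[1:]
    if any("*" in lab for lab in cert_labels):
        return False            # partial wildcards such as pay*.com are rejected
    return cert_labels == host_labels


# Constructed examples mirroring the slide's Paypal.com\0.evil.com certificate.
CASES = [
    ("Paypal.com\x00.evil.com", "paypal.com"),
    ("paypal.com", "PayPal.com"),
    ("*.paypal.com", "www.paypal.com"),
    ("*.com", "paypal.com"),
]

if __name__ == "__main__":
    for cert, host in CASES:
        print(f"{cert!r:32} vs {host:16} "
              f"c_style={c_style_match(cert, host)!s:5} safe={safe_match(cert, host)}")
```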

