Hardening HTaccess
RSenic, RSenic@hackphreak.org
Hacker Jokes (low quality)
- Hackers do it through the backdoor.
- Hackers exploit all your holes.
- Hackers always want to play with your box.
- Hackers probe all your ports.
- Hackers always scan you first.
- Hackers can finger you all night.
Thesis
- Htaccess can be a robust solution
  - one time passwords
  - token based authentication
  - SSL/browser encryption
- Htaccess is insecure and can inadvertently cause DoS attacks
What is Htaccess?
- AuthType Basic password protection
- Pop-up box integrated into browsers
- Out of the box Apache directory protection
- Insecure against sniffing (dsniff)
- Insecure against brute force attacks (wwwhack/whisker)
- Can cause DoS attacks by simple brute force attacks
Configuring Htaccess
- AllowOverride All
- typical .htaccess file:

    AuthUserFile /apache/data/.htpasswd
    AuthType Basic
    AuthName "Protected"
    require valid-user
Detecting (signature overview)
- Zombied processes / spiked load
- Gracefully restarting does not help load
- Hard stop (apachectl stop) and start improves load
- Many attempts from the same IP address (range) to access the members area
- Sequential username attempts
Cracking Methodology
- Check for 200 OK return headers
- Pattern match "Welcome" or "Please log in again" embedded in the returned HTML
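As an added example (not code from the talk), the detection signatures from the previous slide applied to Apache combined-format access log lines: per-IP counting of 401 responses against the members area, plus a check for sequential usernames. The log lines are constructed; the /private/ prefix and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Apache combined log format; %u carries the supplied username even on a 401.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Oct/2000:13:55:36 -0700] "GET /private/ HTTP/1.0" 401 401
10.0.0.5 - admin1 [10/Oct/2000:13:55:36 -0700] "GET /private/ HTTP/1.0" 401 401
10.0.0.5 - admin2 [10/Oct/2000:13:55:37 -0700] "GET /private/ HTTP/1.0" 401 401
10.0.0.5 - admin3 [10/Oct/2000:13:55:37 -0700] "GET /private/ HTTP/1.0" 401 401
10.0.0.5 - admin4 [10/Oct/2000:13:55:38 -0700] "GET /private/ HTTP/1.0" 401 401
192.0.2.9 - alice [10/Oct/2000:13:56:01 -0700] "GET /private/index.cgi HTTP/1.0" 200 2326
192.0.2.9 - - [10/Oct/2000:13:56:02 -0700] "GET /images/logo.gif HTTP/1.0" 200 512
"""

def parse(log_text):
    """Yield one dict per parseable log line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def is_sequential(users):
    """True if the usernames look machine-generated: one stem, ascending trailing numbers."""
    pairs = [re.match(r'^(.*?)(\d*)$', u).groups() for u in users]
    stems = {stem for stem, _ in pairs}
    nums = [int(n) for _, n in pairs if n]
    return (len(stems) == 1 and len(nums) >= 3
            and nums == sorted(nums) and len(set(nums)) == len(nums))

def find_bruteforce(log_text, protected_prefix='/private/', threshold=5):
    """Return {ip: {'attempts': n, 'sequential': bool}} for IPs with >= threshold
    failed (401) attempts against the protected area."""
    failures = defaultdict(list)
    for rec in parse(log_text):
        if rec['status'] == '401' and rec['path'].startswith(protected_prefix):
            failures[rec['ip']].append(rec['user'])
    return {ip: {'attempts': len(users), 'sequential': is_sequential(users)}
            for ip, users in failures.items() if len(users) >= threshold}
```

Running this over the constructed lines flags 10.0.0.5 as a sequential-username brute force while the authenticated client 192.0.2.9 is left alone.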
Headers Masking
- First tried returning a 401 error
  - "Status: 401 Authorization Required\nContent-Type: text/html\n\n"
  - IE/Netscape act differently with 401 errors
- Browser detection is useless
Headers Masking 2
- Next tried 200 OK
  - "Status: 200 OK\nContent-Type: text/html\n\n"
  - Results in no pop-up window
- Only modifying the URI can pass username/passwords:
  - http://user:pass@www.site.com/private/
  - Modified approach using form submission works in coordination with a client side token that corresponds with a local database entry.
Headers Masking 3
- Now we need a program to run interference between normal .htaccess scripts and the database.
  - mod_auth_external
  - mod_perl
  - Proxy
Content Masking
- Must have a browser that can use frames
Content Masking 2
- Since the user has not been authenticated, if the user attempts to see /private/index.cgi they will be redirected to /401.cgi, but the URI will still say /private/index.cgi.
- ErrorDocument 401 /401.cgi
  - 401.cgi places a "one time try" token cookie
- mainframe.html (non-authenticated version) contains the login form submission.
Logic Flow (diagram)
Why the cookie?
- You need a token (AOL, proxies, etc.)
- Extremely difficult to guess (based on time)
- No more sending sensitive information over and over again
- The cookie will time out, unlike usernames/passwords
- Used with OTPW, even problems in SSL are a non-issue
Content Masking 3
- Using frames, our index.cgi and 401.cgi pages look identical (including cookies)
- Working towards 100% perfection to prevent recursive cracking programs is inefficient and opens another security hole.
  - ASCII hex: &20; = " ", &41 = "a" (randomize)
  - including mainframe.html in comments
  - multimedia headers mismatch problem
Worst Case
- As many as 10 connections or more opening per second, without cleanly shutting down
  - 20 different proxy servers
  - 60k hits normal traffic (heavy day)
- Can you find out who the original host is?
  - Nope, and not like that would help you; they are using a proxy server, duh!
Morris' Attack
- Robert T. Morris, 1985 attack against the ISN: "A Weakness in the 4.2BSD UNIX TCP/IP Software"
- If the return address in the initial SYN packet is spoofed, we don't see it, but we can guess it.
  - A blind (half-duplex) httpd connection can be used to break IP based authentication.
Blocking
- Two choices
  - mod_perl/Apache mod to deny access from that IP (or a "reinstate your password" page):
    - mod_perl has issues regarding IPC
    - if speed is a concern and FastCGI will not work, mod_perl will probably be equally problematic
  - Connect mod_auth_external to ipchains or a hardware firewall
    - could be used to create a DoS without human logic
Alternatives
- AuthType Digest
  - essentially based off a hash of the user/pass combination + one time pad
  - considered computationally unbreakable (2^128)
  - will not stop brute force attempts, and has the same problems, with additional overhead, that AuthType Basic has
  - No one has written such a tool
Alternatives 2
- Proxy server
  - Will work with any webserver and not just Apache (Windows/Mac/Solaris, etc.)
  - Could easily be integrated into existing IDS or firewall architecture
  - Highly theoretical: must have a cue from the webserver when/where to interfere with the connection.
Conclusion
- Without much effort htaccess can be a robust solution.
- Knowing the symptoms of the attack can only help you.
  - Aware of the risks
  - You will know your own reaction strategy
Thanks!
- RLoxley, Teeceep and Peter Shipley: idea bouncing
- Ali Nazar: proofing
- Ethan Brooks, Goose, Vacuum, Bronc Buster, John Stewart, Tattooman: technical help
- Robert Morris: taking impromptu phone calls :)
Links
www.shocking.com/~rsnake/htaccess.html (the paper in its entirety, along with links to resources and more details, can be found on this site)