Defense by Numb3r5Making problems for script k1dd13s

and scanner monkeys@ChrisJohnRiley

“THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS

NOTHING”SOCRATES: APOLOGY, 21D

I LIKE EDGE CASES

GLOBAL

INFRASTRUCTURE ISSUES

OS SPECIFICISSUES

APPLICATIONISSUES

TL;DR

Goals for this talk

Describe the defensive uses of HTTP status codes

1) What2) Why3) How4) Goals5) Bringing it together6) Review

1WHAT?

HTTP STATUS CODES

Seems like such a Small detail

… small detail,big impact

This talk contains:- Numbers

- Bad Jokes

- Traces of peanuts

- Did I mention numbers?

HTTP Status Codes

o Majority part of RFC 2616 (HTTP/1.1)o 5 main classes of responseo 1XX informationalo 2XX successo 3XX redirectiono 4XX client erroro 5XX server error

BASICSAKA: THE BORING THEORY BIT

1XX Informational

o Indicates response receivedo Processing is not yet completedo 100 Continueo 101 Switching Protocolso 102 Processing (WebDAV RFC 2518)

2XX Success

o Indicates response receivedo Processed and understoodo 200 OKo 201 Createdo 202 Acceptedo 203 Non-Authoritative Informationo 204 No Content

2XX Success (cont.)

o 205 Reset Contento 206 Partial Contento 207 Multi-Status (WebDAV RFC 4918)

o Codes not supported by Apacheo 208 Already Reportedo 226 IM Usedo 250 Low on Storage Space

3XX Redirection

o Action required to complete requesto 300 Multiple Choiceso 301 Moved Permanentlyo 302 Found / Moved Temporarilyo 303 See Othero 304 Not Modified

3XX Redirection (cont.)

o 305 Use Proxyo 306 Switch Proxyo 307 Temporary Redirect

o Codes not supported by Apacheo 308 Permanent Redirect

4XX Client Error

o Client caused an erroro 400 Bad Requesto 401 Unauthorizedo 402 Payment Requiredo 403 Forbiddeno 404 Not Foundo 405 Method Not Allowed

4XX Client Error (cont.)

o 406 Not Accessibleo 407 Proxy Authentication Requiredo 408 Request Timeouto 409 Conflicto 410 Goneo 411 Length Required

4XX Client Error (cont.)

o 412 Precondition Failedo 413 Request Entity Too Largeo 414 Request-URI Too Longo 415 Unsupported Media Typeo 416 Request Range Not Satisfiableo 417 Expectation Failedo 418 I’m a Teapot (WebDAV RFC 2324)

4XX Client Error (cont.)

o 419 / 420 / 421 Unusedo 422 Unprocessable Entity (RFC 4918)

o 423 Locked (RFC 4918)

o 424 Failed Dependency (RFC 4918)

o 425 No Code / Unordered Collectiono 426 Upgrade Required (RFC 2817)

4XX Client Error (cont.)

o Codes not supported by Apacheo 428 Precondition Requiredo 429 Too Many Requestso 431 Request Header Fields Too Largeo 444 No Response (NGINX)

o 449 Retry With (Microsoft)

o 450 Blocked by Win. Parental Controlso 451 Unavailable For Legal Reasons

4XX Client Error (cont.)

o Codes not supported by Apacheo 494 Request Header Too Large (NGINX)

o 495 Cert Error(NGINX)

o 496 No Cert (NGINX)

o 497 HTTP to HTTPS (NGINX)

o 499 Client Closed Request (NGINX)

5XX Server Error

o Server error occurredo 500 Internal Server Erroro 501 Not Implementedo 502 Bad Gatewayo 503 Service Unavailableo 504 Gateway Timeouto 505 Method Not Allowed

5XX Server Error (cont.)

o 506 Variant Also Negotiates (RFC 2295)

o 507 Insufficient Storage (WebDAV RFC 4918)

o 508 Loop Detected (WebDAV RFC 5842)

o 509 Bandwidth Limit Exceeded (apache ext.) o 510 Not Extended (RFC 2274)

5XX Server Error (cont.)

o Codes not supported by Apacheo 511 Network Authentication Required (RFC

6585)

o 550 Permission Deniedo 598 Network Read Timeout Error (Microsoft

Proxy)

o 599 Network Connect Timeout Error (Microsoft Proxy)

OMG Enough with the numbers already!!!!

2WHY?

It started as a simple idea…

… and I started to think

SCREW WITH

SCANNERS

… AND SCRIPT

K1DD13S

THAT SOUNDS LIKE FUN!

@thegrugq 26 Feb 2013

@thegrugq 26 Feb 2013

- When the tables turn (2004) - Roelof Temmingh, Haroon Meer, Charl van der Walt- http://slideshare.net/sensepost/strikeback

- Stopping Automated Attack Tools (2006)- Gunter Ollmann- http://www.technicalinfo.net/papers/

StoppingAutomatedAttackTools.html

Prior Art

3HOW?

BROWSERS HAVE TO BE

FLEXIBLE

THIS LEADS TO INTERPRETATIO

N

RFCS…THEY’RE MORE OF A GUIDELINE

REALLY

WHAT COULD POSSIBLY GO WRONG!

TESTINGTHE HOW OF THE THING!

o Restricted research to the big 3o Internet Explorero Chrome / Chromiumo Firefox

NO… SAFARI ISN’T IN THE

TOP 10 3

OPERA JUMPED…OR WAS IT PUSHED!

LYNXTHE UNREALISTIC OPTION

o MITMproxyo Python-basedo Simple to setup proxy / reverse proxyo Script-based actions

o PHPo Ability to set response code

o Must be at the top of the PHP codeo Can be added to php.ini

o auto-prepend-file=o Limited by web-server (apache)

o Testing browsers automaticallyo Created PHP file to set status code

- http://c22.cc/POC/respcode.php?code=XXX

BROWSERS… AND THEIR STATUS CODE HABITS

Miss

Firefox Chrome Internet Explorer

Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS

100 X X X X d/load X X X X

101 X X X X d/load X X X X

102 X X X X d/load X X X X

200

201

202

203

204 X X X X X X X X X

205 X X X X X X

206

207

300 X

301 X X X X

302 X X X X

303 X X X X

304 X X X X X X X X X

305 X

306 X

307 X X X X

Firefox Chrome Internet ExplorerResponse Code HTML iFrame JS HTML iFrame JS HTML iFrame JS

400 X X X X

401 X X X

402 X X X

403 X X X X

404 X X X X

405 X X X X

406 X X X X

407 X Proxy Proxy Proxy X

408 X X X X X X

409 X X X X

410 X X X X

411 X X X

412 X X X

413 X X X

424 X X X

425 X X X

426 X X X

Firefox Chrome Internet Explorer

Response Code HTML iFrame JS HTML iFrame JS HTML iFrame JS

500 X X X X

501 X X X X

502 X X X

503 X X X

504 X X X

505 X X X X

506 X X X

507 X X X

508 X X X

509 X X X

510 X X X

Browsers handle most things just like

they handle a200 OK?

YEP…MOSTLY

o HTML Responseso Almost all response codes are rendered by

the browser correctlyo iFrameso Some special cases for IE, but other

browsers handle this the same as HTML

o JavaScript/CSSo Limited accepted status codeso Limited 3XX support

o Chrome is the exception hereo No support for 4XX/5XX codes

So we know what browsers

interpret differently

What do all browsers have in common?

o 10X code handlingo Retrieso Confusion

o Chrome / IE6 try to download the page!o Fun on Android…

o Timeoutso Eventually

o 204 No Contento Um, no content!

o 304 Not Modifiedo Again, no content

WHAT ABOUT

HEADERS?

Just because the RFC says a specific status code

must have an associated header doesn’t mean it

HAS to…

o Redirection codes (301-304, 307)o No Location header, no redirect

o 401 Unauthorizedo No WWW-Authenticate header, no

authentication prompto 407 Proxy Authentication Requiredo No Proxy-Authenticate header, no prompt

Just because the RFC says a specific status code

shouldn’t have an associated header

doesn’t mean it can’t…

o 300 Multiple Choices w/ Location Headero Firefox/IE6 follows the redirecto Chrome doesn’t

o More research needed in this direction

EACH BROWSER HANDLES

THINGS A LITTLE DIFFERENTLY

I WONDER WHAT WE

CAN DO WITH THAT!

4GOALS

o Each browser handles things differentlyo Use known conditionso Handled codeso Unhandled codes

o Browser weirdness

BROWSER FINGERPRINTI

NG

o Doesn’t load JavaScript returned with a 300 ‘Multiple Choices’ status codeo Other browsers tested DO (IE/Chrome)

o Request JS from servero Respond using 300 ‘Multiple Choices’o If JS doesn’t run in the browser - it’s FF

Firefox

o Loads JavaScript returned with a 307 ‘Temporary Redirect’ status codeo Other browsers tested DON’T (IE/FF)

o Request JS from servero Respond with 307 ‘Temporary Redirect’o If JS runs in the browser - it’s Chrome

Chrome

o Loads JavaScript returned with a 205 ‘Reset Content’ status codeo Other browsers tested DON’T (FF/Chrome)

o Request JS from servero Respond using 205 ‘Reset Content’o If JS runs in the browser - it’s IE

Internet Explorer

o Other options to fingerprint browserso 300 Redirect (Chrome)o 305/306 JavaScript (Firefox)o 400 iFrame (Internet Explorer)o …

o There are probably more

BROWSER FINGERPRINTI

NGDEMO

USER-AGENTS CAN BE SPOOFED

BROWSER TRAITS CAN’T

PROXY DETECTIO

N

o Chrome handles proxy configuration differently to other browserso 407 status code isn’t rendered o Unless an HTTP proxy is set!

o Allows us to detect if an HTTP proxy is in useo Just not which proxy

o Can only detect HTTP proxies ;(

Chrome

o Request page from servero Respond using 407 ‘Proxy Authentication

Required’o - w/o Proxy-Authenticate header

o If Chrome responds, it’s configured to use an HTTP proxy

Chrome Proxy Detection

o Privoxy 3.0.20 (CVE-2013-2503)o 407 Proxy Authentication Required

o w/ Proxy-Authenticate headero User prompted for username/password

o Prompt appears to be from Privoxyo Privoxy passes username/password to

remote siteo Profit???

Side-Effect: Owning Proxies

5BRINGING IT TOGETHER

What we have

o Status codes all browsers treat as contento Status codes all browsers can’t handle

o 10X, etc..o Lots of browser quirks

What can we do

o F*ck with thingso Screw with scanner monkeyso Make RFC lovers cry into their beero Break things in general

Let’s try to…

o Use what we’ve discovered to…o Break spidering toolso Cause false positives / negativeso Slow down attackers

o The fun way!o Blocking successful exploitation

BREAKING SPIDERS

Simplistic view of spiders

o Access target URLo Read links / functionso Test them outo If true: repeato What is TRUE?

o What happens if:o Every response is a 200o Every response is a 404 / 500

200 OK

o IF 200 == True:o Problems!o Never-ending spider

404 Not Found

o IF 404 == False:o More problems!o What website?

500 Internal Server Error

o Skipfish != happy fish

False Positives

/Negatives

o Most scanners use status codeso At least to some extent

o Initial match (prior to more costly regex)o Speed up detection

o What happens if:o Every response is a 200o Every response is a 404 / 500o Every response is random*

* Using codes that are accepted by all browsers as content

Vulnerability Baseline

o w3afo Information 79 pointso Vulnerabilities 65o Shells 0 shells o Scan time 1h37m23s

Every response 200 OK

o No changeo All points discovered - per baseline

o 79/65/0o Scan time 9h56m55s

o Lots more to check ;)

Every response 404 Not Found

o Less to scan == Less to findo False negativeso 44 Information points (-35)o 37 Vulnerabilities (-28)

o Scan time 7m13so Much quicker scano Less paths traversed

Every response 500

o Server error == OMG VULN!o False positives+++o 9540 Information points (+9461)o 9526 Vulnerabilities (+9461)

Random Status Codes

o Multiple runso All tests produced False positives++o avg. 619 Information points (+540)o avg. 550 Vulnerabilities (+485)

o Avg. scan time 11m37so Much quicker scan

Random Status Codes

o Skipfish + $rand = chaoso False Positives and False Negativeso Scan jobs killed due to lack of resources

o Scan timeso 1st scan time 10h3m35so 2nd scan time 0h0m4so 3rd scan time 16h47m41s

Slowing attackers

down!

What does your WAF really do?

o OMG Attacko Return error (401?)o Profit???

Why?

Remember that list of status codes browsers don’t

handle well?

Yeah well, scanners don’t usually handle

them well either!

Especially the 1XX codes

o Remember LaBrea tarpit?o Tim Liston 2001 (labrea.sourceforge.net)o Designed to slow spread of Code Redo Slows down scans / attackers

How about an HTTP Tarpit!

HTTP Tarpit Scenario

o WAF detects scan / attacko Adds source IP to “naughty” listo All responses from the server are

rewritteno 100|101|102 status codes only (random)o 204|304 might also be useful (no content)

Let’s do some science!*

* Science not included

Nikto vs. HTTP Tarpit

Baseline HTTP Tarpit

Scan time

2m 18s

Findings

18

14h 33m 2s

10

W3AF vs. HTTP Tarpit

Baseline HTTP Tarpit

Scan time

1h 37m 23s

Findings

65

18m 10s

0

Skipfish vs. HTTP Tarpit

Baseline HTTP Tarpit

Scan time

18m 10s

Findings

Low: 2519Med: 2522

High: 12

Low:Med: High:

05s

003

HTTP Tarpit

o HTTP Tarpit Results*o Slow scans (nikto)

o 340x as longo Unreliable / aborted scans (w3af / skipfish)

o 100% less findings

* Not scientifically sound ;)

Blocking successful

exploitation

We’ve made it hard to find the vulnerabilities

We’ve made it time consuming

for attackers

Now let’s stop the sk1dd13s using

Metasploit to pop $hells

o How often does Metasploit reference status codes?

rgrep -E 'res[p|ponse]?\.code' *

846*

* Not scientifically sound ;)

rgrep -E 'res[p|ponse]?\.code' *

Lots of dependency on status codes*

* yep, even the stuff I wrote

if (res.code < 200 or res.code >= 300)

case res.codewhen 401

print_warning("Warning: The web site

asked for authentication: #{res.headers

['WWW-Authenticate'] || res.headers

['Authentication']}")end

fail_with(Exploit::Failure::Unknown,"Upload failed on #{path_tmp}[#{res.code} #{res.message}]")

end

No match, No shell*

* exploit dependent

6REVIEW

o Using status codes to our benefit is funo … and useful!

o Browsers can be quirkyo Scanners / attack toolkits are sometimes

set in their wayso Take the easy routeo Easy to fool

o WAFs need to get more offensive about their defenseo More than just blocking a request with a

snazzy messageo Hacking back is bado Slowing down known attacks is goodo Make life harder for skiddies is pricele$$

o Current tools are much the same as APTo APT (Adequate Persistent Threat)o Only as advanced as they NEED to be

Countering this research

o Less reliance on status codeso More reliance on content / headerso Proso Better matching / intelligence

o Conso Slower? (regex)o More resource intensive

Questions?

MITMPROXY SCRIPTS AVAILABLE

GITHUB.COM/CHRISJOHNRILEY/RANDOM_CODE

What doesn’t kill you,makes you

smaller!

Thanks for cominghttp://c22.cc

contact@c22.cc