defense by numbers: making problems for script kiddies
DESCRIPTION
On the surface most common browsers (user agents) look the same, function the same, and deliver web content to the user in a relatively uniform fashion. Under the surface, however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see. This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will show that specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide-scale scanning of websites.
TRANSCRIPT
Defense by Numb3r5: Making problems for script k1dd13s and scanner monkeys
@ChrisJohnRiley
“THE WISEST MAN IS HE WHO KNOWS THAT HE KNOWS NOTHING”
Socrates, Apology 21d
I LIKE EDGE CASES
GLOBAL INFRASTRUCTURE ISSUES
OS-SPECIFIC ISSUES
APPLICATION ISSUES
TL;DR
Goals for this talk
Describe the defensive uses of HTTP status codes
1) What
2) Why
3) How
4) Goals
5) Bringing it together
6) Review
1. WHAT?
HTTP STATUS CODES
Seems like such a small detail…
… small detail, big impact
This talk contains:
- Numbers
- Bad jokes
- Traces of peanuts
- Did I mention numbers?
HTTP Status Codes
o Majority defined in RFC 2616 (HTTP/1.1)
o 5 main classes of response
o 1XX informational
o 2XX success
o 3XX redirection
o 4XX client error
o 5XX server error
BASICS (AKA: THE BORING THEORY BIT)
1XX Informational
o Indicates the request was received
o Processing is not yet completed
o 100 Continue
o 101 Switching Protocols
o 102 Processing (WebDAV, RFC 2518)
2XX Success
o Indicates the request was received, processed and understood
o 200 OK
o 201 Created
o 202 Accepted
o 203 Non-Authoritative Information
o 204 No Content
2XX Success (cont.)
o 205 Reset Content
o 206 Partial Content
o 207 Multi-Status (WebDAV, RFC 4918)
o Codes not supported by Apache
o 208 Already Reported (WebDAV, RFC 5842)
o 226 IM Used (RFC 3229)
o 250 Low on Storage Space (RTSP, not HTTP)
3XX Redirection
o Further action required to complete the request
o 300 Multiple Choices
o 301 Moved Permanently
o 302 Found / Moved Temporarily
o 303 See Other
o 304 Not Modified
3XX Redirection (cont.)
o 305 Use Proxy
o 306 Switch Proxy (reserved, no longer used)
o 307 Temporary Redirect
o Codes not supported by Apache
o 308 Permanent Redirect
4XX Client Error
o Client caused an error
o 400 Bad Request
o 401 Unauthorized
o 402 Payment Required
o 403 Forbidden
o 404 Not Found
o 405 Method Not Allowed
4XX Client Error (cont.)
o 406 Not Acceptable
o 407 Proxy Authentication Required
o 408 Request Timeout
o 409 Conflict
o 410 Gone
o 411 Length Required
4XX Client Error (cont.)
o 412 Precondition Failed
o 413 Request Entity Too Large
o 414 Request-URI Too Long
o 415 Unsupported Media Type
o 416 Requested Range Not Satisfiable
o 417 Expectation Failed
o 418 I’m a Teapot (HTCPCP, RFC 2324; an April 1st RFC, not WebDAV)
4XX Client Error (cont.)
o 419 / 420 / 421 Unused
o 422 Unprocessable Entity (WebDAV, RFC 4918)
o 423 Locked (WebDAV, RFC 4918)
o 424 Failed Dependency (WebDAV, RFC 4918)
o 425 No Code / Unordered Collection (WebDAV draft)
o 426 Upgrade Required (RFC 2817)
4XX Client Error (cont.)
o Codes not supported by Apache
o 428 Precondition Required (RFC 6585)
o 429 Too Many Requests (RFC 6585)
o 431 Request Header Fields Too Large (RFC 6585)
o 444 No Response (NGINX)
o 449 Retry With (Microsoft)
o 450 Blocked by Windows Parental Controls (Microsoft)
o 451 Unavailable For Legal Reasons (IETF draft at the time of the talk)
4XX Client Error (cont.)
o Codes not supported by Apache
o 494 Request Header Too Large (NGINX)
o 495 Cert Error (NGINX)
o 496 No Cert (NGINX)
o 497 HTTP to HTTPS (NGINX)
o 499 Client Closed Request (NGINX)
5XX Server Error
o Server error occurred
o 500 Internal Server Error
o 501 Not Implemented
o 502 Bad Gateway
o 503 Service Unavailable
o 504 Gateway Timeout
o 505 HTTP Version Not Supported
5XX Server Error (cont.)
o 506 Variant Also Negotiates (RFC 2295)
o 507 Insufficient Storage (WebDAV, RFC 4918)
o 508 Loop Detected (WebDAV, RFC 5842)
o 509 Bandwidth Limit Exceeded (Apache extension)
o 510 Not Extended (RFC 2774)
5XX Server Error (cont.)
o Codes not supported by Apache
o 511 Network Authentication Required (RFC 6585)
o 550 Permission Denied
o 598 Network Read Timeout Error (Microsoft proxy)
o 599 Network Connect Timeout Error (Microsoft proxy)
OMG Enough with the numbers already!!!!
2. WHY?
It started as a simple idea…
… and I started to think
SCREW WITH SCANNERS
… AND SCRIPT K1DD13S
THAT SOUNDS LIKE FUN!
@thegrugq 26 Feb 2013
Prior Art
- When the Tables Turn (2004), Roelof Temmingh, Haroon Meer, Charl van der Walt: http://slideshare.net/sensepost/strikeback
- Stopping Automated Attack Tools (2006), Gunter Ollmann: http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
3. HOW?
BROWSERS HAVE TO BE FLEXIBLE
THIS LEADS TO INTERPRETATION
RFCS… THEY’RE MORE OF A GUIDELINE, REALLY
WHAT COULD POSSIBLY GO WRONG!
TESTING: THE HOW OF THE THING!
o Restricted research to the big 3
o Internet Explorer
o Chrome / Chromium
o Firefox
NO… SAFARI ISN’T IN THE TOP 3
OPERA JUMPED…OR WAS IT PUSHED!
LYNX: THE UNREALISTIC OPTION
o mitmproxy
o Python-based
o Simple to set up as a proxy / reverse proxy
o Script-based actions
o PHP
o Ability to set the response code
o Must be at the top of the PHP code (before any output is sent)
o Can be added via php.ini
o auto_prepend_file=
o Limited by the web server (Apache)
o Testing browsers automatically
o Created a PHP file to set the status code
- http://c22.cc/POC/respcode.php?code=XXX
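The respcode.php harness itself is not reproduced on this page. As an added example (not the talk's code), here is an equivalent in Python that serves whatever status code is requested in three ways, as a top-level HTML page, inside an iframe and as a script, so the matrix below can be re-measured against current browsers. The /respcode route, the probe page markup, the fetch() helper and port 8080 are this example's own choices. Note that the kind parameter is whitelisted rather than reflected, so the harness cannot be turned into a reflected XSS sink.

```python
"""Status-code test harness: serves any status code as HTML, iframe content or script.

Run it, then open http://127.0.0.1:8080/?code=205 in each browser and watch which of the
three embeddings actually renders or executes.
"""
import http.client
import re
import sys
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlparse

CODE_RE = re.compile(r"^[1-5]\d\d$")  # any syntactically valid status, assigned or not


def parse_code(query: str, default: int = 200) -> int:
    """Return ?code= as an int if it is a three-digit status (100-599), else default."""
    value = parse_qs(query).get("code", [""])[0]
    return int(value) if CODE_RE.match(value) else default


def probe_page(code: int) -> str:
    """One page that fetches the same status code three ways, matching the table columns."""
    return (
        f"<!doctype html><title>probe {code}</title>"
        f"<p>Status under test: {code}</p>"
        f"<p><a href='/respcode?code={code}&kind=html'>open as top-level HTML</a></p>"
        f"<iframe src='/respcode?code={code}&kind=iframe' width='320' height='60'></iframe>"
        f"<p id='js'>script with status {code}: NOT executed</p>"
        f"<script src='/respcode?code={code}&kind=js'></script>"
    )


class ProbeHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        url = urlparse(self.path)
        params = parse_qs(url.query)
        code = parse_code(url.query)
        kind = params.get("kind", ["html"])[0]
        if kind not in ("html", "iframe", "js"):   # never reflect untrusted input into the body
            kind = "html"
        if url.path != "/respcode":
            self.reply(200, probe_page(code), "text/html")
        elif kind == "js":
            body = f"document.getElementById('js').textContent = 'script with status {code}: EXECUTED';"
            self.reply(code, body, "application/javascript")
        else:
            self.reply(code, f"<!doctype html><body>rendered as {kind} with status {code}</body>", "text/html")

    def reply(self, code: int, body: str, ctype: str):
        data = body.encode()
        # send_response accepts any int; codes missing from http.server's table get an empty
        # reason phrase, which is one more thing to watch the browsers react to.
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start(port: int = 8080) -> ThreadingHTTPServer:
    """Serve in a background thread; returns the server so callers can read the bound port."""
    server = ThreadingHTTPServer(("127.0.0.1", port), ProbeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch(port: int, path: str):
    """Client-side check: (status, body) the harness returned. Do not use it with 1XX codes:
    http.client treats them as interim and waits for a final status line, which is exactly
    the stall the tarpit section later relies on."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    status, body = resp.status, resp.read()
    conn.close()
    return status, body


if __name__ == "__main__":
    srv = start(int(sys.argv[1]) if len(sys.argv) > 1 else 8080)
    print(f"listening on http://127.0.0.1:{srv.server_address[1]}/?code=205")
    threading.Event().wait()
```

The server never validates that a code makes protocol sense (a 204 with a body, a 304 with content, a 1XX with Content-Length), because that mismatch is the experiment.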
BROWSERS… AND THEIR STATUS CODE HABITS
Browser status-code matrix (X = miss: not rendered / executed as content; d/load = browser offered the response as a download; blank = handled like 200 OK)
Firefox | Chrome | Internet Explorer
Response Code | HTML iFrame JS | HTML iFrame JS | HTML iFrame JS
100 X X X X d/load X X X X
101 X X X X d/load X X X X
102 X X X X d/load X X X X
200
201
202
203
204 X X X X X X X X X
205 X X X X X X
206
207
300 X
301 X X X X
302 X X X X
303 X X X X
304 X X X X X X X X X
305 X
306 X
307 X X X X
Firefox | Chrome | Internet Explorer
Response Code | HTML iFrame JS | HTML iFrame JS | HTML iFrame JS
400 X X X X
401 X X X
402 X X X
403 X X X X
404 X X X X
405 X X X X
406 X X X X
407 X Proxy Proxy Proxy X
408 X X X X X X
409 X X X X
410 X X X X
411 X X X
412 X X X
413 X X X
424 X X X
425 X X X
426 X X X
Firefox | Chrome | Internet Explorer
Response Code | HTML iFrame JS | HTML iFrame JS | HTML iFrame JS
500 X X X X
501 X X X X
502 X X X
503 X X X
504 X X X
505 X X X X
506 X X X
507 X X X
508 X X X
509 X X X
510 X X X
Browsers handle most things just like they handle a 200 OK?
YEP… MOSTLY
o HTML responses
o Almost all response codes are rendered by the browser correctly
o iFrames
o Some special cases for IE, but other browsers handle this the same as HTML
o JavaScript / CSS
o Limited accepted status codes
o Limited 3XX support
o Chrome is the exception here
o No support for 4XX / 5XX codes
So we know what browsers interpret differently.
What do all browsers have in common?
o 10X code handling
o Retries
o Confusion
o Chrome / IE6 try to download the page!
o Fun on Android…
o Timeouts
o Eventually
o 204 No Content
o Um, no content!
o 304 Not Modified
o Again, no content
WHAT ABOUT HEADERS?
Just because the RFC says a specific status code must have an associated header doesn’t mean it HAS to…
o Redirection codes (301, 302, 303, 307)
o No Location header, no redirect
o 401 Unauthorized
o No WWW-Authenticate header, no authentication prompt
o 407 Proxy Authentication Required
o No Proxy-Authenticate header, no prompt
Just because the RFC says a specific status code shouldn’t have an associated header doesn’t mean it can’t…
o 300 Multiple Choices w/ Location header
o Firefox / IE6 follow the redirect
o Chrome doesn’t
o More research needed in this direction
EACH BROWSER HANDLES THINGS A LITTLE DIFFERENTLY
I WONDER WHAT WE CAN DO WITH THAT!
4. GOALS
o Each browser handles things differently
o Use known conditions
o Handled codes
o Unhandled codes
o Browser weirdness
BROWSER FINGERPRINTING
Firefox
o Doesn’t load JavaScript returned with a 300 ‘Multiple Choices’ status code
o Other browsers tested DO (IE / Chrome)
o Request JS from the server
o Respond using 300 ‘Multiple Choices’
o If the JS doesn’t run in the browser, it’s Firefox
Chrome
o Loads JavaScript returned with a 307 ‘Temporary Redirect’ status code
o Other browsers tested DON’T (IE / Firefox)
o Request JS from the server
o Respond with 307 ‘Temporary Redirect’
o If the JS runs in the browser, it’s Chrome
Internet Explorer
o Loads JavaScript returned with a 205 ‘Reset Content’ status code
o Other browsers tested DON’T (Firefox / Chrome)
o Request JS from the server
o Respond using 205 ‘Reset Content’
o If the JS runs in the browser, it’s IE
o Other options to fingerprint browsers
o 300 Redirect (Chrome)
o 305 / 306 JavaScript (Firefox)
o 400 iFrame (Internet Explorer)
o …
o There are probably more
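The three probes above, combined into one server-side fingerprint, as an added example written for this page (it is not the talk's mitmproxy script). It is a small WSGI app: the page loads four scripts, each served with a different status code, every script that actually executes fires an image beacon, and the set of beacons that arrive is matched against an exact signature table. The 200 control probe, the per-visit token, the route names and the "unknown" / "no JavaScript" labels are this example's assumptions; the signature table encodes the talk's 2013 observations for IE, Chrome and Firefox and must be re-measured before it is trusted for current browser versions.

```python
"""Browser fingerprinting from how <script> treats unusual status codes (WSGI app)."""
import re
import secrets
import threading
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# 200 is a control probe: if it never fires, JavaScript is off or the beacons are blocked.
PROBES = {200: "OK", 300: "Multiple Choices", 307: "Temporary Redirect", 205: "Reset Content"}

# Exact per-browser signatures from the talk (2013): Firefox alone refuses JS served as 300,
# only Chrome runs JS served as 307, only IE runs JS served as 205. Re-measure before use.
SIGNATURES = {
    frozenset({200, 300, 307}): "Chrome",
    frozenset({200, 300, 205}): "Internet Explorer",
    frozenset({200}): "Firefox",
}
TOKEN_RE = re.compile(r"[0-9a-f]{16}")  # per-visit token; only well-formed tokens are echoed

_fired = {}            # token -> set of probe codes whose script actually executed
_lock = threading.Lock()


def infer_browser(fired) -> str:
    """Map the set of probes that executed to a browser name, or say why we cannot."""
    fired = frozenset(fired)
    if 200 not in fired:
        return "no JavaScript (or beacons blocked)"
    return SIGNATURES.get(fired, "unknown")


def page(token: str) -> bytes:
    tags = "".join(f"<script src='/probe.js?code={c}&t={token}'></script>" for c in PROBES)
    return (f"<!doctype html><title>fingerprint</title>{tags}"
            f"<p>Result: <a href='/result?t={token}'>/result?t={token}</a></p>").encode()


def app(environ, start_response):
    q = parse_qs(environ.get("QUERY_STRING", ""))
    token = q.get("t", [""])[0]
    token = token if TOKEN_RE.fullmatch(token) else ""
    raw = q.get("code", [""])[0]
    code = int(raw) if raw.isdigit() else 0
    path = environ.get("PATH_INFO", "/")

    if path == "/probe.js" and code in PROBES and token:
        # Identical script body for every probe; only the status line differs.
        body = f"new Image().src='/beacon?code={code}&t={token}';".encode()
        start_response(f"{code} {PROBES[code]}",
                       [("Content-Type", "application/javascript"), ("Cache-Control", "no-store")])
        return [body]
    if path == "/beacon" and code in PROBES and token:
        with _lock:
            _fired.setdefault(token, set()).add(code)
        start_response("204 No Content", [("Cache-Control", "no-store")])
        return [b""]
    if path == "/result" and token:
        with _lock:
            fired = set(_fired.get(token, ()))
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"fired={sorted(fired)} -> {infer_browser(fired)}\n".encode()]
    # Anything else: a fresh page with a fresh server-generated token.
    start_response("200 OK", [("Content-Type", "text/html"), ("Cache-Control", "no-store")])
    return [page(secrets.token_hex(8))]


def simulate(path: str, query: str = ""):
    """Drive the app without a socket; returns (status line, body bytes)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status
        return lambda data: None

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query},
                        start_response))
    return seen["status"], body


if __name__ == "__main__":
    make_server("127.0.0.1", 8080, app).serve_forever()
```

No Location header is sent with the 300 or 307 script responses, so the header quirks listed earlier (a redirect status without Location does not redirect) cannot interfere with the probe; Cache-Control: no-store keeps a cached copy of a probe from answering on the next visit.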
BROWSER FINGERPRINTING DEMO
USER-AGENTS CAN BE SPOOFED
BROWSER TRAITS CAN’T
PROXY DETECTION
Chrome
o Chrome handles proxy configuration differently to other browsers
o 407 status code isn’t rendered
o Unless an HTTP proxy is set!
o Allows us to detect if an HTTP proxy is in use
o Just not which proxy
o Can only detect HTTP proxies ;(
Chrome Proxy Detection
o Request page from the server
o Respond using 407 ‘Proxy Authentication Required’ w/o a Proxy-Authenticate header
o If Chrome renders the response, it’s configured to use an HTTP proxy
Side-Effect: Owning Proxies
o Privoxy 3.0.20 (CVE-2013-2503)
o 407 Proxy Authentication Required w/ Proxy-Authenticate header
o User prompted for username / password
o Prompt appears to be from Privoxy
o Privoxy passes the username / password to the remote site
o Profit???
5. BRINGING IT TOGETHER
What we have
o Status codes all browsers treat as content
o Status codes all browsers can’t handle
o 10X, etc.
o Lots of browser quirks
What can we do
o F*ck with things
o Screw with scanner monkeys
o Make RFC lovers cry into their beer
o Break things in general
Let’s try to…
o Use what we’ve discovered to…
o Break spidering tools
o Cause false positives / negatives
o Slow down attackers
o The fun way!
o Block successful exploitation
BREAKING SPIDERS
Simplistic view of spiders
o Access target URL
o Read links / functions
o Test them out
o If true: repeat
o What is TRUE?
o What happens if:
o Every response is a 200
o Every response is a 404 / 500
200 OK
o IF 200 == True:
o Problems!
o Never-ending spider
404 Not Found
o IF 404 == False:
o More problems!
o What website?
500 Internal Server Error
o Skipfish != happy fish
False Positives / Negatives
o Most scanners use status codes
o At least to some extent
o Initial match (prior to more costly regex)
o Speeds up detection
o What happens if:
o Every response is a 200
o Every response is a 404 / 500
o Every response is random*
* Using codes that are accepted by all browsers as content
Vulnerability Baseline
o w3af
o Information: 79 points
o Vulnerabilities: 65
o Shells: 0
o Scan time: 1h37m23s
Every response 200 OK
o No change
o All points discovered, per baseline
o 79 / 65 / 0
o Scan time: 9h56m55s
o Lots more to check ;)
Every response 404 Not Found
o Less to scan == less to find
o False negatives
o 44 information points (-35)
o 37 vulnerabilities (-28)
o Scan time: 7m13s
o Much quicker scan
o Fewer paths traversed
Every response 500
o Server error == OMG VULN!
o False positives+++
o 9540 information points (+9461)
o 9526 vulnerabilities (+9461)
Random Status Codes
o Multiple runs
o All tests produced false positives++
o avg. 619 information points (+540)
o avg. 550 vulnerabilities (+485)
o Avg. scan time: 11m37s
o Much quicker scan
Random Status Codes
o Skipfish + $rand = chaos
o False positives and false negatives
o Scan jobs killed due to lack of resources
o Scan times
o 1st scan: 10h3m35s
o 2nd scan: 0h0m4s
o 3rd scan: 16h47m41s
Slowing attackers down!
What does your WAF really do?
o OMG Attack
o Return error (401?)
o Profit???
Why?
Remember that list of status codes browsers don’t handle well?
Yeah well, scanners don’t usually handle them well either!
Especially the 1XX codes
o Remember the LaBrea tarpit?
o Tom Liston, 2001 (labrea.sourceforge.net)
o Designed to slow the spread of Code Red
o Slows down scans / attackers
How about an HTTP Tarpit!
HTTP Tarpit Scenario
o WAF detects scan / attack
o Adds source IP to a “naughty” list
o All responses from the server are rewritten
o 100 | 101 | 102 status codes only (random)
o 204 | 304 might also be useful (no content)
Let’s do some science!*
* Science not included
Nikto vs. HTTP Tarpit
              Baseline   HTTP Tarpit
Scan time     2m 18s     14h 33m 2s
Findings      18         10
W3AF vs. HTTP Tarpit
              Baseline     HTTP Tarpit
Scan time     1h 37m 23s   18m 10s
Findings      65           0
Skipfish vs. HTTP Tarpit
              Baseline                            HTTP Tarpit
Scan time     18m 10s                             5s
Findings      Low: 2519 / Med: 2522 / High: 12    Low: 0 / Med: 0 / High: 3
HTTP Tarpit
o HTTP Tarpit results*
o Slow scans (nikto)
o 340x as long
o Unreliable / aborted scans (w3af / skipfish)
o 100% fewer findings
* Not scientifically sound ;)
Blocking successful exploitation
We’ve made it hard to find the vulnerabilities
We’ve made it time consuming for attackers
Now let’s stop the sk1dd13s using Metasploit to pop $hells
o How often does Metasploit reference status codes?
rgrep -E 'res[p|ponse]?\.code' *
846*
* Not scientifically sound ;)
Lots of dependency on status codes*
* yep, even the stuff I wrote
if (res.code < 200 or res.code >= 300)
  case res.code
  when 401
    print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
  end
  fail_with(Exploit::Failure::Unknown, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]")
end
No match, No shell*
* exploit dependent
6. REVIEW
o Using status codes to our benefit is fun
o … and useful!
o Browsers can be quirky
o Scanners / attack toolkits are sometimes set in their ways
o Take the easy route
o Easy to fool
o WAFs need to get more offensive about their defense
o More than just blocking a request with a snazzy message
o Hacking back is bad
o Slowing down known attacks is good
o Making life harder for skiddies is pricele$$
o Current tools are much the same as APT
o APT (Adequate Persistent Threat)
o Only as advanced as they NEED to be
Countering this research
o Less reliance on status codes
o More reliance on content / headers
o Pros
o Better matching / intelligence
o Cons
o Slower? (regex)
o More resource intensive
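The countermeasure above, and the "No match, No shell" dependency visible in the Metasploit excerpt, as one added example in Python (it is not Metasploit code and not part of the talk): the same two decisions a scanner or exploit makes, "does this path exist" and "did that input trigger a SQL error", written once against the status code alone and once against the content, then run over constructed responses for each server behaviour tested in the talk (everything 200, everything 404, everything 500, random codes). The page bodies, the error regex, the 0.9 similarity threshold and the upload-marker check are constructed for the example.

```python
"""Scanner-side matching: status-only vs content-aware checks, run over constructed responses."""
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher


@dataclass
class Response:
    code: int
    body: str
    headers: dict = field(default_factory=dict)


# Constructed bodies for the demo (not captured from any real site).
NOT_FOUND_PAGE = ("<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1>"
                  "<p>The requested URL was not found on this server.</p></body></html>")
ADMIN_PAGE = ("<html><head><title>Admin console</title></head><body><form action='/admin/login' "
              "method='post'><input name='user'><input name='pass' type='password'></form></body></html>")
SQL_ERROR_PAGE = ("<html><body>You have an error in your SQL syntax; check the manual that "
                  "corresponds to your MySQL server version</body></html>")

# What the scanner sees under each server behaviour described in the talk.
SAMPLES = {
    "honest_admin": Response(200, ADMIN_PAGE),
    "honest_missing": Response(404, NOT_FOUND_PAGE),
    "honest_sqli": Response(500, SQL_ERROR_PAGE),
    "all_200_missing": Response(200, NOT_FOUND_PAGE),  # every response rewritten to 200
    "all_404_admin": Response(404, ADMIN_PAGE),        # every response rewritten to 404
    "all_500_admin": Response(500, ADMIN_PAGE),        # every response rewritten to 500
    "random_code_admin": Response(409, ADMIN_PAGE),    # random content-safe code
}

SQL_ERROR_RE = re.compile(r"SQL syntax|ORA-\d{5}|pg_query\(|unterminated quoted string|SQLSTATE\[", re.I)


# --- status-only checks: the pattern the Metasploit grep above turns up 846 times -----------
def status_says_exists(resp: Response) -> bool:
    return 200 <= resp.code < 300


def status_says_sqli(resp: Response) -> bool:
    return resp.code == 500


# --- content-aware checks: cost a regex or a diff, survive a lying status line --------------
def similarity(a: str, b: str) -> float:
    return SequenceMatcher(None, a, b).ratio()


def content_says_exists(resp: Response, baseline_missing: Response, threshold: float = 0.9) -> bool:
    """A path exists if its body differs from what the server sends for a path that cannot
    exist (the scanner fetches a random name first to learn that baseline). The status code
    of either response is deliberately ignored."""
    return similarity(resp.body, baseline_missing.body) < threshold


def content_says_sqli(resp: Response) -> bool:
    return SQL_ERROR_RE.search(resp.body) is not None


def upload_confirmed(fetch, path: str, marker: str) -> bool:
    """Exploit-side equivalent: ignore the status of the upload request and fetch the file
    back, accepting success only if our own marker is in the body."""
    return marker in fetch(path).body


def compare(samples: dict, baseline_missing: Response) -> dict:
    """Both verdicts side by side, so the false positives / negatives are visible per sample."""
    return {
        name: {
            "status_exists": status_says_exists(r),
            "content_exists": content_says_exists(r, baseline_missing),
            "status_sqli": status_says_sqli(r),
            "content_sqli": content_says_sqli(r),
        }
        for name, r in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare(SAMPLES, SAMPLES["honest_missing"]).items():
        print(f"{name:20s} {verdict}")
```

The cost the slide mentions is real: the status-only checks are integer comparisons, the content checks run a regex and a sequence diff per response, and the baseline fetch is one extra request per target. That is the trade the tarpit and decoy tricks force on the scanner author.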
Questions?
MITMPROXY SCRIPTS AVAILABLE
GITHUB.COM/CHRISJOHNRILEY/RANDOM_CODE
What doesn’t kill you, makes you smaller!
Thanks for coming
http://c22.cc