How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks
Sam Bowne
No Need to Take Notes
This PowerPoint and other materials are at http://samsclass.info/HI-TEC
Feel free to use all this material for your own classes, talks, etc.

Contact
Sam Bowne
Computer Networking and Information Technology
City College San Francisco
Email: [email protected]
Web: samsclass.info
Topics
sslstrip: steals passwords from mixed-mode Web login pages
LNK Attack: takes over any Windows machine (an unpatched 0day when this talk was given)
Cross-Site Request Forgery: replays cookies to break into Gmail
Scary SSL Attacks: ways to completely fool browsers
HTTP and HTTPS

HTTPS is More Secure than HTTP
User logging in over HTTP: unencrypted data, no server authentication
User logging in over HTTPS: encrypted, server authenticated
sslstrip
The 15 Most Popular Web 2.0 Sites (how each site's logon was served at the time)
1. YouTube: HTTPS
2. Wikipedia: HTTP
3. Craigslist: HTTPS
4. Photobucket: HTTP
5. Flickr: HTTPS
6. WordPress: MIXED
7. Twitter: MIXED
8. IMDB: HTTPS
9. Digg: HTTP
10. eHow: HTTPS
11. TypePad: HTTPS
12. topix: HTTP
13. LiveJournal: Obfuscated HTTP
14. deviantART: MIXED
15. Technorati: HTTPS
From http://www.ebizmba.com/articles/user-generated-content
Password Stealing
Easy: Wall of Sheep (passwords sent in the clear; just sniff them)
Medium: sslstrip
Hard: Spoofing certificates
Mixed Mode
HTTP page with an HTTPS logon button
sslstrip Proxy Changes HTTPS to HTTP
[Diagram: Target <- HTTP -> Attacker running the sslstrip proxy in the middle <- HTTPS -> Internet]
The target's browser only ever talks plain HTTP to the proxy; the proxy talks HTTPS to the real site, so the page still works and the password passes through the attacker in the clear.
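The rewrite the proxy performs on each page, and the browser-side check that defeats it, as an added example in Python. This is not sslstrip's own code (the real tool also handles redirects, favicons and cookies more thoroughly); the page and hostnames are constructed. HSTS (RFC 6797) postdates this talk, but it is the reason the downgrade fails today on sites the browser has already visited over HTTPS.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: an HTTP page carrying an HTTPS logon form (mixed mode).
SAMPLE_PAGE = (
    '<html><body>'
    '<form action="https://login.example.com/auth" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<a href="https://www.example.com/account">Account</a>'
    '<a href="http://www.example.com/news">News</a>'
    '</body></html>'
)

HTTPS_URL = re.compile(r'https://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s"\'<>]*)?')


class StripProxy:
    """Model of what sslstrip does to page bodies and redirects.

    Every https:// link in a response is handed to the victim as http://, and
    the proxy remembers which URLs it downgraded so that when the victim asks
    for one of them in the clear, the proxy fetches the real resource over TLS.
    The victim's browser never starts a TLS handshake, so no certificate warning
    ever appears; the only cue is the missing padlock.
    """

    def __init__(self):
        self.stripped = set()  # http:// URLs that stand in for https:// ones

    def rewrite_body(self, text):
        def downgrade(match):
            http_url = 'http://' + match.group(0)[len('https://'):]
            self.stripped.add(http_url)
            return http_url
        return HTTPS_URL.sub(downgrade, text)

    def rewrite_headers(self, headers):
        # A redirect to https:// is downgraded the same way as a link in the body.
        out = dict(headers)
        if out.get('Location', '').startswith('https://'):
            out['Location'] = self.rewrite_body(out['Location'])
        return out

    def upstream_url(self, victim_url):
        # Requests for URLs we stripped go upstream over HTTPS; others pass through.
        if victim_url in self.stripped:
            return 'https://' + victim_url[len('http://'):]
        return victim_url


def parse_hsts(value):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains).

    Returns None for a header without a valid max-age, which browsers ignore.
    """
    max_age, include_sub = None, False
    for directive in value.split(';'):
        name, _, arg = directive.strip().partition('=')
        name = name.strip().lower()
        if name == 'max-age':
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == 'includesubdomains':
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


def browser_will_downgrade(url, hsts_cache):
    """True if a browser holding hsts_cache would send this http:// request as-is.

    hsts_cache maps host -> (max_age, include_subdomains) learned on earlier HTTPS
    visits.  A host with a live entry is rewritten to https:// before the request
    leaves the browser, so sslstrip never sees a plaintext request for it.
    """
    parts = urlsplit(url)
    if parts.scheme != 'http':
        return False
    host = (parts.hostname or '').lower()
    for known, (max_age, include_sub) in hsts_cache.items():
        if max_age > 0 and (host == known or (include_sub and host.endswith('.' + known))):
            return False
    return True
```

Run `StripProxy().rewrite_body(SAMPLE_PAGE)` and every `https://` in the page comes back as `http://`; feed the same host into `browser_will_downgrade` with a cached HSTS entry and the answer flips to `False`, which is why the first visit to a site (before any HSTS header has been seen) is the one sslstrip needs.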
Ways to Get in the Middle

Physical Insertion in a Wired Network
[Diagram: Target -> Attacker -> Internet]
Configuring Proxy Server in the Browser
The attacker's machine is entered as the proxy in the victim browser's settings, so every request passes through it
ARP Poisoning
Redirects traffic at Layer 2
Sends a lot of false ARP packets on the LAN
Can be easily detected: DecaffeinatID by Irongeek, http://k78.sl.pt
ARP Request and Reply
Client wants to find the gateway
ARP Request: Who has 192.168.2.1?
ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1
[Diagram: Client broadcasts the ARP Request; the Gateway answers with the ARP Reply; traffic then flows Client -> Gateway -> Facebook.com]
ARP Poisoning
[Diagram: Attacker sends unsolicited ARP Replies "I am the Gateway" to the Client; the Client's traffic to Facebook goes to the Attacker, who forwards it (altered as needed) to the real Gateway and on to Facebook.com]
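What the false ARP packets look like on the wire, and the detection logic that catches them, as an added example in Python (not the talk's own code and not DecaffeinatID). It encodes and decodes ARP frames by hand so it runs offline; nothing is transmitted. The gateway IP and MAC are the ones on the slide; the client and attacker addresses are made up.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = 'ff-ff-ff-ff-ff-ff'


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split('-'))


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split('.'))


def mac_str(b):
    return '-'.join('%02x' % x for x in b)


def ip_str(b):
    return '.'.join(str(x) for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Encode an Ethernet II frame carrying an ARP packet (RFC 826); nothing is sent."""
    eth_dst = BROADCAST if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack('!H', ETH_P_ARP)
    # hardware type Ethernet, protocol IPv4, hlen 6, plen 4, opcode
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    if the frame is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack('!H', frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (op, mac_str(body[0:6]), ip_str(body[6:10]),
            mac_str(body[10:16]), ip_str(body[16:20]))


def detect_arp_poisoning(frames, watch_ips):
    """Report watched IPs (typically the gateway) claimed by more than one MAC.

    Returns {ip: [mac, ...]} for IPs with conflicting claims.  Remembering who
    answered for the gateway and alerting when that changes is the idea behind
    ARP watchers such as DecaffeinatID.
    """
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REPLY and parsed[2] in watch_ips:
            claims[parsed[2]].add(parsed[1])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed traffic: the real gateway answers once, then the attacker floods
# replies claiming the gateway's IP from its own MAC.
GATEWAY_IP, GATEWAY_MAC = '192.168.2.1', '00-30-bd-02-ed-7b'
CLIENT_IP, CLIENT_MAC = '192.168.2.50', '00-aa-bb-cc-dd-ee'
ATTACKER_MAC = '00-11-22-33-44-55'

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, '00-00-00-00-00-00', GATEWAY_IP),
    build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
] + [build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP)
     for _ in range(5)]
```

`detect_arp_poisoning(SAMPLE_FRAMES, {GATEWAY_IP})` returns the two MACs that claimed 192.168.2.1; on a real LAN you would feed it frames from a raw socket or a pcap, and add a rate check, since a burst of unsolicited replies for the gateway is the other tell.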
Demonstration

LNK File Attack
SCADA Attacks
In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants
See https://www.cert.be/pro/attacks-scada-systems
LNK File Attack
The SCADA attack used a vulnerability in all versions of Windows (CVE-2010-2568: the shell loads the module named by a Control Panel shortcut just to draw its icon)
Merely viewing a malicious Shortcut (LNK file) gives the attacker control of your computer
See http://samsclass.info/123/proj10/LNK-exploit.htm
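A parser for the shortcut format and a detection heuristic for the shape of shortcut described above, as an added example in Python; it is my own code, not Sophos's tool or anything from the talk. The format details (header, CLSIDs, ItemID list) follow the MS-SHLLINK specification; the heuristic in `looks_like_cpl_loader` is an assumption of mine about what such shortcuts look like, not a complete signature. The two sample files are constructed inline and are inert.

```python
import struct
import uuid

SHELL_LINK_CLSID = uuid.UUID('00021401-0000-0000-c000-000000000046')
CONTROL_PANEL_CLSID = uuid.UUID('21ec2020-3aea-1069-a2dd-08002b30309d')
HAS_LINK_TARGET_ID_LIST = 0x01
HEADER_SIZE = 76


def parse_shell_link(data):
    """Parse the ShellLinkHeader and LinkTargetIDList of a .lnk file (MS-SHLLINK).

    Returns {'flags': int, 'item_ids': [bytes, ...]} with the raw data of each
    ItemID; raises ValueError when the bytes are not a shell link.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError('too short for a ShellLinkHeader')
    header_size = struct.unpack_from('<I', data, 0)[0]
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != SHELL_LINK_CLSID:
        raise ValueError('not a shell link')
    flags = struct.unpack_from('<I', data, 20)[0]
    item_ids = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from('<H', data, HEADER_SIZE)[0]
        pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
        if end > len(data):
            raise ValueError('truncated LinkTargetIDList')
        while pos + 2 <= end:
            item_size = struct.unpack_from('<H', data, pos)[0]
            if item_size == 0:            # TerminalID closes the list
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError('bad ItemID size')
            item_ids.append(data[pos + 2:pos + item_size])
            pos += item_size
    return {'flags': flags, 'item_ids': item_ids}


def utf16_strings(blob, min_len=4):
    """Printable ASCII runs stored as UTF-16LE inside an ItemID's opaque data."""
    found, run = [], []
    for i in range(0, len(blob) - 1, 2):
        ch = blob[i] | (blob[i + 1] << 8)
        if 0x20 <= ch < 0x7f:
            run.append(chr(ch))
            continue
        if len(run) >= min_len:
            found.append(''.join(run))
        run = []
    if len(run) >= min_len:
        found.append(''.join(run))
    return found


def looks_like_cpl_loader(data):
    """Heuristic (mine, not a vendor signature): flag a shortcut whose target list
    passes through the Control Panel folder and names a module file by path.

    Returns (flagged, module_paths).
    """
    link = parse_shell_link(data)
    cp = CONTROL_PANEL_CLSID.bytes_le
    via_control_panel = any(cp in item for item in link['item_ids'])
    module_paths = [s for item in link['item_ids'] for s in utf16_strings(item)
                    if '\\' in s and s.lower().endswith(('.dll', '.cpl', '.tmp'))]
    return via_control_panel and bool(module_paths), module_paths


def build_lnk(item_ids):
    """Constructed test input: a header plus the given ItemID payloads, nothing else.

    No LinkInfo or string data is present; it only exercises the parser above.
    """
    header = struct.pack('<I', HEADER_SIZE) + SHELL_LINK_CLSID.bytes_le
    header += struct.pack('<I', HAS_LINK_TARGET_ID_LIST)
    header += b'\x00' * (HEADER_SIZE - len(header))
    idlist = b''.join(struct.pack('<H', len(d) + 2) + d for d in item_ids) + b'\x00\x00'
    return header + struct.pack('<H', len(idlist)) + idlist


SUSPICIOUS = build_lnk([
    b'\x1f' + CONTROL_PANEL_CLSID.bytes_le,
    'C:\\Temp\\loader.dll'.encode('utf-16-le') + b'\x00\x00',
])
ORDINARY = build_lnk([
    b'\x1f' + uuid.UUID('20d04fe0-3aea-1069-a2d8-08002b30309d').bytes_le,   # My Computer
    'C:\\Windows\\notepad.exe'.encode('utf-16-le') + b'\x00\x00',
])
```

`looks_like_cpl_loader(SUSPICIOUS)` returns `(True, ['C:\\Temp\\loader.dll'])` and `ORDINARY` is not flagged. Pointed at a mounted USB stick or a mail quarantine, the same function is a cheap triage filter; it says nothing about whether the named module is malicious, only that the shortcut has the shape that makes the shell load it.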
Demo

LNK Attack Countermeasure
Sophos provided a free tool on July 26, 2010 to protect your system
See http://tinyurl.com/2f2nvy8
Microsoft's own fix followed on August 2, 2010 in bulletin MS10-046; the Sophos tool was a stopgap until that patch was applied

It Works
Cross-Site Request Forgery (XSRF)

Cookies
Thousands of people are using Gmail all the time
How can the server know who you are?
It puts a cookie on your machine that identifies you
Gmail's Cookies
Gmail identifies you with these cookies
In Firefox: Tools, Options, Privacy, Show Cookies
Web-based Email
[Diagram: Target using email -> Router -> Internet, with the Attacker sniffing traffic on the same LAN]
Cross-Site Request Forgery (XSRF)
Gmail sends the password through a secure HTTPS connection
That cannot be captured by the attacker
But the cookie identifying the user is sent in the clear, with HTTP
That can easily be captured by the attacker
The attacker gets into your account without learning your password
Strictly speaking this is session hijacking by cookie replay ("sidejacking") rather than cross-site request forgery: CSRF tricks the victim's own browser into sending a forged request, whereas here the attacker copies the captured session cookie into a browser of their own
Demonstration

CSRF Countermeasure
Adjust Gmail settings to "Always use https"
With every request on HTTPS the cookie is never on the wire in the clear; the server-side equivalent is to set the Secure attribute on the session cookie, so the browser refuses to send it over plain HTTP at all
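The cookie leak and the fix, as an added example in Python. It models the part of RFC 6265 that decides which cookies leave the browser on a given request; it is not Gmail's code, and the hostname, cookie name and value are constructed. The same jar is used twice: once with the session cookie as issued without the Secure attribute, once with it set, and a "sniffer" records only what travels over plain HTTP.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class CookieJar:
    """Just enough of RFC 6265 to show which cookies leave the browser in the clear."""

    def __init__(self):
        self.cookies = []   # (name, value, domain, secure, httponly)

    def store(self, response_host, set_cookie_header):
        """Record cookies from one Set-Cookie header sent by response_host."""
        sc = SimpleCookie()
        sc.load(set_cookie_header)
        for name, morsel in sc.items():
            domain = (morsel['domain'] or response_host).lstrip('.').lower()
            self.cookies.append((name, morsel.value, domain,
                                 bool(morsel['secure']), bool(morsel['httponly'])))

    def cookie_header_for(self, url):
        """Cookie header the browser attaches to url; Secure cookies only go over https."""
        parts = urlsplit(url)
        host = (parts.hostname or '').lower()
        sent = []
        for name, value, domain, secure, _ in self.cookies:
            if host != domain and not host.endswith('.' + domain):
                continue
            if secure and parts.scheme != 'https':
                continue
            sent.append('%s=%s' % (name, value))
        return '; '.join(sent)


def sniffed_cookies(jar, urls):
    """What a sniffer on the LAN sees: the Cookie headers of plain-HTTP requests only."""
    seen = {}
    for url in urls:
        if urlsplit(url).scheme == 'http':
            header = jar.cookie_header_for(url)
            if header:
                seen[url] = header
    return seen


def replay_headers(captured_cookie_header):
    """Headers the attacker's browser sends to reuse the captured session; no password needed."""
    return {'Cookie': captured_cookie_header}


LOGIN_HOST = 'mail.example.com'   # constructed
VISITS = [
    'https://mail.example.com/login',            # password goes over TLS
    'http://mail.example.com/mail/?ui=html',     # later page load in the clear
]


def demo():
    """Return (cookies leaked as issued, cookies leaked once the Secure flag is set)."""
    as_issued = CookieJar()
    as_issued.store(LOGIN_HOST, 'SID=7f3a9c; Domain=mail.example.com; Path=/')
    hardened = CookieJar()
    hardened.store(LOGIN_HOST, 'SID=7f3a9c; Domain=mail.example.com; Path=/; Secure; HttpOnly')
    return sniffed_cookies(as_issued, VISITS), sniffed_cookies(hardened, VISITS)
```

`demo()` returns `({'http://mail.example.com/mail/?ui=html': 'SID=7f3a9c'}, {})`: the first jar hands the session cookie to the sniffer on the plain-HTTP page load, and `replay_headers` is all the attacker needs to become that user; the hardened jar never puts the cookie on an http:// request, which is what "Always use https" achieves from the user's side and the Secure attribute enforces from the server's side.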
Scary SSL Attacks

Man in the Middle
[Diagram: Target using https://gmail.com <- HTTPS -> Attacker running Cain with a fake SSL certificate <- HTTPS -> Internet]
Warning Message

Certificate Errors
The message means the browser could not validate the certificate against a trusted Certificate Authority
BUT a lot of innocent problems cause those messages
Incorrect date settings
Name changes as companies are acquired
Most Users Ignore Certificate Errors
Link SSL-1 on my CNIT 125 page
Fake SSL With No Warning
Impersonate a real Certificate Authority
Use a Certificate Authority in an untrustworthy nation
Trick a browser maker into adding a fraudulent CA to the trusted list
Use a zero byte to change the effective domain name
Wildcard certificate
Impersonating Verisign
Researchers (Sotirov, Stevens and colleagues, December 2008) created a rogue Certificate Authority certificate by finding MD5 collisions, using more than 200 PlayStation 3 game consoles
Link SSL-2
Countermeasures
Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes) in certificates issued after January 2009
Earlier, vulnerable certificates would be replaced only if the customer requested it
Link SSL-4
FIPS 140-2 (from 2001) did not recognize MD5 as suitable for government work; MD5 has never been a FIPS-approved hash
Links SSL-5, SSL-6, SSL-7
CA in an Untrustworthy Nation
Link SSL-8

Unknown Trusted CAs
An unknown entity was apparently trusted for more than a decade by Mozilla
Link SSL-9
Zero Byte Terminates Domain Name
Just buy a certificate for paypal.com\0.evil.com
The CA checks that you own evil.com and issues it; a browser that handles the name as a C string stops at the zero byte and sees it as matching paypal.com
Link SSL-10
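The zero-byte trick and the wildcard trick from the list above come down to how the browser compares the name in the certificate with the hostname it asked for. Here, as an added example in Python that is neither the talk's code nor any browser's, are a matcher with the flaw and one that follows the RFC 6125 rules; the certificate names are constructed, and the vulnerable matcher models the C-string handling that Moxie Marlinspike demonstrated in 2009.

```python
def as_c_string(name):
    """What a C-string based comparison saw: everything after the first NUL vanishes."""
    return name.split('\x00', 1)[0]


def naive_match(cert_name, hostname):
    """Vulnerable matcher: C-string truncation plus loose suffix wildcards."""
    name, host = as_c_string(cert_name).lower(), hostname.lower()
    if name.startswith('*'):
        return host.endswith(name[1:])      # a bare '*' matches every host
    return name == host


def strict_match(cert_name, hostname):
    """Matcher in the spirit of RFC 6125: no embedded NUL anywhere; a wildcard only as
    the whole left-most label of a name with at least three labels, matching exactly
    one label and never the bare parent domain."""
    if '\x00' in cert_name or '\x00' in hostname:
        return False
    name = cert_name.lower().rstrip('.')
    host = hostname.lower().rstrip('.')
    if not name or not host or '*' in host:
        return False
    name_labels, host_labels = name.split('.'), host.split('.')
    if '*' not in name:
        return name_labels == host_labels
    if (name_labels[0] != '*' or len(name_labels) < 3
            or any('*' in label for label in name_labels[1:])):
        return False
    return len(host_labels) == len(name_labels) and host_labels[1:] == name_labels[1:]


# Constructed certificate names of the kinds the slides describe.  In both cases
# the CA validated ownership of evil.com before issuing.
NULL_PREFIX_CN = 'paypal.com\x00.evil.com'     # browser with the flaw saw paypal.com
UNIVERSAL_WILDCARD_CN = '*\x00.evil.com'       # browser with the flaw saw a bare '*'


def audit(cert_name, hostnames):
    """Compare both matchers over a list of hostnames; returns {host: (naive, strict)}."""
    return {h: (naive_match(cert_name, h), strict_match(cert_name, h)) for h in hostnames}
```

`audit(NULL_PREFIX_CN, ['paypal.com'])` gives `(True, False)`: the vulnerable matcher accepts the certificate for paypal.com, the strict one rejects it outright because a NUL has no business in a DNS name. The `*\0.evil.com` variant is the same bug applied to wildcards, yielding a certificate the flawed matcher accepts for every site; the strict matcher also rejects `*.evil.com` for `evil.com` itself and for `a.b.evil.com`, the two loosenings that make wildcard certificates more dangerous than they need to be.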