Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam Bowne.

Similar presentations


Presentation on theme: "How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam Bowne."— Presentation transcript:

1 How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam Bowne

2 No Need to Take Notes This Powerpoint and other materials are at This Powerpoint and other materials are at Feel free to use all this material for your own classes, talks, etc. Feel free to use all this material for your own classes, talks, etc.

3 Contact Sam Bowne Sam Bowne Computer Networking and Information Technology Computer Networking and Information Technology City College San Francisco City College San Francisco Web: samsclass.info Web: samsclass.info

4 Topics sslstrip – Steals passwords from mixed- mode Web login pages sslstrip – Steals passwords from mixed- mode Web login pages LNK Attack: takes over any Windows machine (0day) LNK Attack: takes over any Windows machine (0day) Cross-Site Request Forgery: Replays cookies to break into Gmai Cross-Site Request Forgery: Replays cookies to break into Gmai Scary SSL Attacks--ways to completely fool browsers Scary SSL Attacks--ways to completely fool browsers

5 HTTP and HTTPS

6 HTTPS is More Secure than HTTP User Logging In Facebook HTTP Unencrypted data No server authentication HTTPS Encrypted Server authenticated

7 sslstrip

8 The 15 Most Popular Web 2.0 Sites 1. YouTubeHTTPS 1. YouTubeHTTPS 2. WikipediaHTTP 2. WikipediaHTTP 3. CraigslistHTTPS 3. CraigslistHTTPS 4. PhotobucketHTTP 4. PhotobucketHTTP 5. FlickrHTTPS 5. FlickrHTTPS 6. WordPressMIXED 6. WordPressMIXED 7. TwitterMIXED 7. TwitterMIXED 8. IMDBHTTPS 8. IMDBHTTPS

9 The 15 Most Popular Web 2.0 Sites 9. DiggHTTP 9. DiggHTTP 10. eHowHTTPS 10. eHowHTTPS 11. TypePadHTTPS 11. TypePadHTTPS 12. topixHTTP 12. topixHTTP 13. LiveJournalObfuscated HTTP 13. LiveJournalObfuscated HTTP 14. deviantARTMIXED 14. deviantARTMIXED 15. TechnoratiHTTPS 15. TechnoratiHTTPS From generated-content From generated-content

10 Password Stealing Easy Wall of Sheep Medium ssltrip Hard Spoofing Certificates

11 Mixed Mode HTTP Page with an HTTPS Logon Button HTTP Page with an HTTPS Logon Button

12 sslstrip Proxy Changes HTTPS to HTTP Target Using Facebook Attacker: sslstrip Proxy in the Middle To Internet HTTP HTTPS

13 Ways to Get in the Middle

14 Physical Insertion in a Wired Network Target Attacker To Internet

15 Configuring Proxy Server in the Browser

16 ARP Poisoning Redirects Traffic at Layer 2 Redirects Traffic at Layer 2 Sends a lot of false ARP packets on the LAN Sends a lot of false ARP packets on the LAN Can be easily detected Can be easily detected DeCaffienateID by IronGeek DeCaffienateID by IronGeek

17 ARP Request and Reply Client wants to find Gateway Client wants to find Gateway ARP Request: Who has ? ARP Request: Who has ? ARP Reply: ARP Reply: MAC: bd-02-ed-7b has Client Gateway Facebook.com ARP Request ARP Reply

18 ARP Poisoning Client Gateway Facebook.com Attacker ARP Replies: I am the Gateway Traffic to Facebook Forwarded & Altered Traffic

19 Demonstration

20 LNK File Attack

21 SCADA Attacks In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants In June 2010, an attack was discovered that used a LNK file on a USB stick to attack SCADA-controlled power plants See https://www.cert.be/pro/attacks-scada-systems See https://www.cert.be/pro/attacks-scada-systems

22 LNK File Attack The SCADA attack used a vulnerability in all versions of Windows The SCADA attack used a vulnerability in all versions of Windows Merely viewing a malicious Shortcut (LNK file) gives the attacker control of your computer Merely viewing a malicious Shortcut (LNK file) gives the attacker control of your computer See See

23 Demo

24 LNK Attack Countermeasure Sophos provided a free tool on July 26, 2010 to protect your system Sophos provided a free tool on July 26, 2010 to protect your system See See

25 It Works

26 Cross-Site Request Forgery (XSRF)

27 27 Cookies Thousands of people are using Gmail all the time Thousands of people are using Gmail all the time How can the server know who you are? How can the server know who you are? It puts a cookie on your machine that identifies you It puts a cookie on your machine that identifies you

28 28 Gmail's Cookies Gmail identifies you with these cookies Gmail identifies you with these cookies In Firefox, Tools, Options, Privacy, Show Cookies In Firefox, Tools, Options, Privacy, Show Cookies

29 29 Web-based Router Target Using Attacker Sniffing Traffic To Internet

30 30 Cross-Site Request Forgery (XSRF) Gmail sends the password through a secure HTTPS connection Gmail sends the password through a secure HTTPS connection That cannot be captured by the attacker That cannot be captured by the attacker But the cookie identifying the user is sent in the clear—with HTTP But the cookie identifying the user is sent in the clear—with HTTP That can easily be captured by the attacker That can easily be captured by the attacker The attacker gets into your account without learning your password The attacker gets into your account without learning your password

31 31 Demonstration

32 32 CSRF Countermeasure Adust Gmail settings to "Always use https" Adust Gmail settings to "Always use https"

33 Scary SSL Attacks

34 Man in the Middle Target Using https://gmail.com Attacker: Cain: Fake SSL Certificate To Internet HTTPS

35 Warning Message

36 Certificate Errors The message indicates that the Certificate Authority did not validate the certificate The message indicates that the Certificate Authority did not validate the certificate BUT a lot of innocent problems cause those messages BUT a lot of innocent problems cause those messages Incorrect date settings Incorrect date settings Name changes as companies are acquired Name changes as companies are acquired

37 Most Users Ignore Certificate Errors Link SSL-1 on my CNIT 125 page Link SSL-1 on my CNIT 125 page

38 Fake SSL With No Warning Impersonate a real Certificate Authority Impersonate a real Certificate Authority Use a Certificate Authority in an untrustworthy nation Use a Certificate Authority in an untrustworthy nation Trick browser maker into adding a fraudulent CA to the trusted list Trick browser maker into adding a fraudulent CA to the trusted list Use a zero byte to change the effective domain name Use a zero byte to change the effective domain name Wildcard certificate Wildcard certificate

39 Impersonating Verisign Researchers created a rogue Certificate Authority certificate, by finding MD5 collisions Researchers created a rogue Certificate Authority certificate, by finding MD5 collisions Using more than 200 PlayStation 3 game consoles Using more than 200 PlayStation 3 game consoles Link SSL-2 Link SSL-2

40 Countermeasures Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes), in certificates issued after January, 2009 Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes), in certificates issued after January, 2009 Earlier, vulnerable certificates would be replaced only if the customer requested it Earlier, vulnerable certificates would be replaced only if the customer requested it Link SSL-4 Link SSL-4 FIPS (from 2001) did not recognize MD5 as suitable for government work FIPS (from 2001) did not recognize MD5 as suitable for government work Links SSL-5, SSL-6, SSL-7 Links SSL-5, SSL-6, SSL-7

41 CA in an Untrustworthy Nation Link SSL-8 Link SSL-8

42 Unknown Trusted CAs An unknown entity was apparently trusted for more than a decade by Mozilla An unknown entity was apparently trusted for more than a decade by Mozilla Link SSL-9 Link SSL-9

43 Zero Byte Terminates Domain Name Just buy a certificate for Paypal.com\0.evil.com Just buy a certificate for Paypal.com\0.evil.com Browser will see that as matching paypal.com Browser will see that as matching paypal.com Link SSL-10 Link SSL-10


Download ppt "How to Steal Passwords: SSLstrip, LNK Attack, Cross-Site Request Forgery & Scary SSL Attacks Sam Bowne."

Similar presentations


Ads by Google