IBM Rational Application Security Group (aka Watchfire)

Active Man in the Middle Attacks

Adi Sharabani
Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire)

OWASP
The OWASP Foundation
http://www.owasp.org

Web Based Man In the Middle Attack
2009 IBM Corporation

Agenda

Background
- Man in the Middle
  - Network level: heavily researched
  - Web application level: sporadic research

Outline
- Passive MitM attacks
- Active MitM attacks
- Penetrating an internal network
- Remediation

Man in the Middle Scenario

- All laptop users connect to a public network (the Internet)
- Wireless connection can easily be compromised or impersonated
- Wired connections might also be compromised

Rules of Thumb - Don'ts

Someone might be listening to the requests
- Don't browse sensitive sites
- Don't supply sensitive information

Someone might be altering the responses
- Don't trust any information given on web sites
- Don't execute downloaded code

Rules of Thumb - What Can You Do?

This leaves us with:
- Browse your favorite news site
- Browse your favorite weather site

Diagram: the Internet split into non-sensitive sites ("boring") and sensitive sites ("interesting")

You are still vulnerable

Mitigating a Fallacy

Fallacy
- Executing JavaScript on victim == executing an attack

Reality
- Same origin policy
- Executing an attack requires either:
  - JavaScript + browser implementation bug, or
  - JavaScript + execution on a specific domain (can be done through XSS)

Passive Man in the Middle Attacks

Diagram (step by step):
1. Victim browses to a website
2. Attacker views the request, manipulates it and forwards it to the server
3. Server returns a response
4. Attacker views the response, manipulates it and forwards it to the victim

Other servers are not affected

Active Man in the Middle Attack

The attacker actively directs (transfers) the victim to an interesting site.

Diagram (step by step):
1. Victim browses to a boring site ("My Weather Channel")
2. Attacker forwards the request to the server
3. Server returns a response
4. Attacker adds an IFRAME referencing an interesting site ("My Bank Site"); the IFrame could be invisible
5. Automatic request sent to the interesting server

Other servers are not affected


Stealing Cookies*

Obvious result
- Stealing cookies associated with any domain the attacker desires
- Will also work for HTTP ONLY cookies (as opposed to XSS attacks)

Diagram: the automatic request contains the victim's cookies

* A similar attack was presented by Sandro Gauci - Surf Jacking

Demo

Overcoming Same Origin Policy

Result
- Attacker can execute scripts on any domain she desires
- Scripts can fully interact with any interesting website

Limitations
- Will only work for non-SSL web sites

Diagram (step by step):
1. Victim surfs to a boring site
2. Attacker injects an IFRAME directing to an interesting site
3. Automatic request sent to the interesting server
4. Attacker forwards the automatic request to the interesting server
5. Interesting server returns a response
6. Attacker adds a malicious script to the response
7. Script executes with the interesting server's restrictions

Secure Connections
Login Mechanism

Secure Connections - Login Mechanism

Diagram (step by step):
1. Victim browses to site http://www.webmail.site
2. Site returns a response with login form ("Please Login": Username jsmith, Password ********, SUBMIT)
3. Victim fills in the details and submits the form
4. Login request is sent through a secure channel
5. Login successful ("Hello John Smith,")

Pre-login action sent in clear text
- Attacker could alter the pre-login response to make the login request be sent unencrypted

Stealing Auto Completion Information*

Result
- Attacker can steal any auto-completion information she desires

Limitations
- Will only work for pre-login pages that are not encrypted
- Will not work seamlessly in IE

Diagram (step by step):
1. Attacker redirects victim to a pre-login page
2. Attacker returns the original login form together with a malicious script
3. Script accesses the auto-completion information using the DOM

* A passive version of this attack was described by RSnake in his blog

Demo

Broadening the Attack (Time Dimension)

Broadening the Attack - Timeline

Diagram (timeline):
- Past (interesting sites): Active MitM attacks
- Present (boring sites): Passive MitM attacks
- Future (interesting sites): Active MitM attacks

Session Fixation

Result
- Attacker can set persistent cookies on victim

Limitations
- The vulnerability also lies within the server

Diagram (step by step):
1. Attacker redirects victim to the site of interest
2. Attacker returns a page with a cookie generated by the server
3. Cookie is being saved on the victim's computer
4. A while later, victim connects to the site (with the pre-provided cookie)
5. Server authenticates the victim
6. Attacker uses the same cookie to connect to the server; server authenticates the attacker as the victim
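The slide notes that the vulnerability also lies within the server. The following is an added example (not code from the presentation) of the server-side countermeasure: a session store that never adopts a cookie value it did not issue and rotates the session id on login, so a pre-provided cookie can never become the victim's authenticated session.

```python
import secrets


class SessionStore:
    """Server-side sessions hardened against fixation (added example):
    - ids are minted only by the server, so a cookie planted in the victim's
      browser by an active MitM is never adopted as a session;
    - the id is rotated on login, so an id the attacker obtained beforehand
      never becomes an authenticated session."""

    def __init__(self):
        self._sessions = {}  # sid -> {"user": None | str}

    def _mint(self, user=None):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user}
        return sid

    def resolve(self, cookie_sid):
        """Map the incoming cookie to a session id.
        Unknown ids are ignored and a fresh one is issued; the caller must
        send the returned id back in Set-Cookie."""
        if cookie_sid in self._sessions:
            return cookie_sid
        return self._mint()

    def login(self, cookie_sid, user):
        """Authenticate and rotate: the pre-login id is discarded, so anyone
        who knew it cannot reuse it as the victim."""
        old = self.resolve(cookie_sid)
        self._sessions.pop(old, None)
        return self._mint(user)

    def user_for(self, cookie_sid):
        """User bound to this cookie, or None (unknown or unauthenticated)."""
        session = self._sessions.get(cookie_sid)
        return session["user"] if session else None
```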

Cache Poisoning

Result
- Attacker can poison any page she desires
- Poisoned pages will be persistent

Limitations
- Attacker can poison non-SSL resources

Diagram (step by step):
1. Attacker redirects victim to the site of interest
2. Attacker returns a malicious page with cache setting enabled
3. Page is being cached on the victim's computer
4. A while later, victim visits the site
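What "cache setting enabled" means for persistence is decided by the response's freshness headers. The following added example (not code from the presentation) computes how long a response fetched over plain HTTP would be reused from the browser cache without revalidation, using the RFC 7234 precedence rules, and flags resources whose lifetime makes a poisoned copy long-lived.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split 'public, max-age=3600' into {'public': '', 'max-age': '3600'}."""
    directives = {}
    for part in value.split(","):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def freshness_lifetime(headers):
    """Seconds a private cache may reuse the response without revalidation,
    with RFC 7234 precedence: no-store > no-cache > max-age > Expires.
    Returns None when the response must not be stored at all."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return None
    if "no-cache" in cc:
        return 0  # may be stored, but every use must be revalidated
    if cc.get("max-age", "").isdigit():
        return int(cc["max-age"])
    if "expires" in h:
        try:
            expires = parsedate_to_datetime(h["expires"])
            # RFC 7234: lifetime is Expires minus the Date header, not local time
            date = parsedate_to_datetime(h["date"]) if "date" in h else datetime.now(timezone.utc)
            return max(0, int((expires - date).total_seconds()))
        except (TypeError, ValueError):
            return 0  # malformed Expires is treated as already expired
    return 0  # no explicit freshness: treat as needing revalidation


def persistent_poison_risk(url, headers, threshold_days=1):
    """True when a resource fetched over plain HTTP (so an active MitM could have
    substituted it) would be served from cache for more than threshold_days."""
    if url.lower().startswith("https://"):
        return False  # TLS-protected resources are outside this attack's scope
    lifetime = freshness_lifetime(headers)
    return lifetime is not None and lifetime > threshold_days * 86400
```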

Demo

Complex Hacking
Virtual Private Networks

Virtual Private Networks (VPN)

VPN client initialization
- Create a secure network interface
- Set user's routing table

VPN client finalization (upon exit or when connection is lost)
- Revert routing table

Do not confuse VPN and HTTPS architectures!

VPN Mixed Content

Result
- VPN web sites are compromised
- User is not alerted to the security risk (as opposed to SSL mixed content issues)

Limitations
- Such mixed content is not widely used

Diagram (step by step):
1. Victim surfs to a page in the VPN network (Internal Web Site)
2. The page references a non-encrypted external script:
   <html> <script src=http://external/sc.js> ...
3. Attacker alters the non-encrypted script
4. Malicious script executes within the secure environment
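Both the login-mechanism slide (a pre-login page served in clear text) and the VPN mixed-content slide above come down to references a site owner can audit in the HTML: a password form that can be redirected to a non-HTTPS action, and a script pulled over plain HTTP from outside the tunnel. The following is an added example (not code from the presentation) that checks a page for both. The `internal_hosts` parameter and the sample pages are assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Collect form actions (with whether the form has a password field)
    and script sources from a page."""

    def __init__(self):
        super().__init__()
        self.forms, self.scripts, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = [a.get("action") or "", False]
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form[1] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(tuple(self._form))
            self._form = None


def audit_page(page_url, html, internal_hosts=()):
    """Findings for a page served at page_url. internal_hosts are hosts reachable
    only through the VPN, whose plain HTTP the tunnel itself protects."""
    findings = []
    page = urlsplit(page_url)
    collector = _RefCollector()
    collector.feed(html)
    if page.scheme != "https" and page.hostname not in internal_hosts:
        findings.append("pre-login page served over plain HTTP: an active MitM can rewrite it")
    for action, has_password in collector.forms:
        if has_password and urlsplit(urljoin(page_url, action)).scheme != "https":
            findings.append(f"password form posts to a non-HTTPS action: {action!r}")
    for src in collector.scripts:
        ref = urlsplit(urljoin(page_url, src))
        if ref.scheme != "https" and ref.hostname not in internal_hosts:
            findings.append(f"script loaded over plain HTTP (alterable by an active MitM): {src!r}")
    return findings


# Constructed sample pages (not from the presentation).
PRELOGIN_HTML = '<form action="/login"><input name="u"><input type="password" name="p"></form>'
INTRANET_HTML = '<html> <script src="http://external/sc.js"></script> ...'
```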

Hacking Non-Available Sites

Result
- Attacker can view and change any HTTP cache object
- Even for non-available sites

VPN Cache Injection

Diagram (step by step):
1. Attacker disconnects the victim's connection to the VPN server
2. Attacker poisons the cache of an internal site
3. Attacker recovers the connection
4. After the routing table is updated, attacker redirects victim to the cached resource
5. Cached resource loads and the malicious cached script executes

Result
- VPN is great for the network level; it is not enough for the application level
- This attack could be applied to other application protocols!

Complex Hacking
Intranet Networks

Penetrating Internal Network - Simple Cache Poison

Result
- Attack will be launched every time victim accesses the resource
- The attack would be executed within the local intranet

Characteristics
- Firewall protections are helpless
- Affected servers will never know
- The attack is persistent

Setting Up a Future MitM Scenario

Result
- Facilitates future MitM scenarios
- Does not require router's credentials
- Fake settings could be displayed to the user (script hides the configuration changes)

Limitations
- Requires victim to access router in the future
- Need to guess router's address (10.0.1.1)

Diagram (step by step):
1. Using Active MitM techniques, attacker poisons victim's cache related to his router's web access
2. Victim's router-related cache is poisoned with a malicious script
3. Malicious script executes when victim tries to access the router
4. Script configures the router to tunnel future communication through the attacker
   (router settings shown: Outbound Proxy IP Address 216.187.118.221, Primary DNS Server Address 216.187.118.221)

Increasing the Exposure

Poison common home pages
- Script will execute every time victim opens his browser

Poison common scripts (.JS)
- Script will execute on every page using the common script
- Example: http://www.google-analytics.com/ga.js

The double active attack
- Common poisoned page redirects to another poisoned resource

The Double Active Cache Poisoning Attack

Result
- Internal network has been compromised

Limitation
- Need to guess router IP and credentials

Diagram (step by step):
1. Using Active MitM techniques, attacker poisons common routers' address (i.e. 10.0.1.1)
2. Attacker also poisons common home pages
3. At a later time, victim opens browser; cached home page is loaded and redirects victim's browser to the router's web interface
4. Cached router's web interface is loaded and malicious script changes the router's settings
5. Router is compromised by the malicious script

Active Attack Characteristics

- Not noticeable in user's experience
- Not noticeable by any of the web sites
- IPS/IDS will not block it
- Can be persistent
- Can be used to hack into local organization
- Bypasses any firewall or VPN
- Can be used to access non-HTTP servers
- Can be used with DNS Pinning techniques
- A problem with the current design
- Requires only one plain HTTP request to be transmitted

Remediation - Users

- Do not use auto-completion
- Clean Slate Policy
- Trust level separation
  - Two different browsers
  - Two different users
  - Two different OS
  - Virtualization products
- Tunnel communication through a secure proxy
  - Might not be allowed in many hot-spots

Remediation - Web owners

- Consider risks of partial SSL sites
- Do not consider a secure VPN connection as an SSL replacement
- Use random tokens for common scripts
  - While considering performance issues
- Avoid referring to external scripts from internal sites

Remediation - Industry

- Build integrity mechanism for HTTP
- Secure WiFi networks
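Subresource Integrity (SRI), standardised by the W3C several years after this talk, is one realisation of the integrity mechanism the slide calls for: the page pins a script such as the shared ga.js to a digest of the bytes the owner deployed, and the browser refuses an altered copy. The following is an added example (not code from the presentation) of the hash computation and the browser-side check; the sample script bytes are constructed.

```python
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests SRI allows


def sri_hash(content, algo="sha384"):
    """Return the SRI integrity token for content, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, content):
    """Script element pinning src to the deployed bytes. crossorigin is required
    for a cross-origin script such as a shared analytics file."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(integrity, fetched):
    """Browser-side rule (simplified: the spec additionally keeps only the
    strongest algorithm listed): run the fetched bytes only if they match one
    of the usable tokens; metadata with no usable token counts as absent."""
    tokens = integrity.split()
    usable = [t for t in tokens if t.partition("-")[0] in SRI_ALGORITHMS]
    if not usable:
        return True
    return any(sri_hash(fetched, t.partition("-")[0]) == t for t in usable)


# Constructed sample: a shared script and a copy altered in transit.
ORIGINAL_JS = b"function ga(){ /* analytics */ }"
ALTERED_JS = ORIGINAL_JS + b"/* injected */"
```

SRI only protects the subresource: the page carrying the integrity attribute must itself arrive intact (over HTTPS), otherwise an active MitM simply strips the attribute along with everything else on the page.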

Summary

- Active MitM attacks broaden the scope of the passive attacks
- Design issues
- Dimension of time
  - Past (steal cookies, auto-completion information, cache)
  - Future (set up cookies, poison cache, poison form filler)
- Penetrating internal networks
- Persistent
- Bypass any current protection mechanisms

More information:
Paper and presentation will be uploaded to our blog: http://blog.watchfire.com

References

Additional information at the Watchfire Blog:
http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html

Wireless Man in the Middle Attacks:
http://www.informit.com/articles/article.aspx?p=353735&seqNum=7

Side Jacking:
http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html

More on SideJacking:
http://erratasec.blogspot.com/2008/01/more-sidejacking.html

Surf Jacking:
http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf

Stealing User Information:
http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-formfilling/

Thank you!