
Active Man in the Middle Attacks

Active Man in the Middle Attacks. Adi Sharabani, Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire), adish. OWASP, 27/02/2009. The OWASP Foundation, http://www.owasp.org.


Presentation Transcript


  1. Active Man in the Middle Attacks. Adi Sharabani, Security Research Group Manager, IBM Rational Application Security (a.k.a. Watchfire), adish. OWASP, 27/02/2009. The OWASP Foundation, http://www.owasp.org

  2. Agenda • Background • Man in the Middle • Network level – heavily researched • Web application level – sporadic research • Outline • Passive MitM attacks • Active MitM attacks • Penetrating an internal network • Remediation

  3. Man in the Middle Scenario (diagram: laptops connecting to the Internet through a public network) • All laptop users connect to a public network • Wireless connection can easily be compromised or impersonated • Wired connections might also be compromised

  4. Rules of Thumb – Don’ts … • Someone might be listening to the requests • Don’t browse sensitive sites • Don’t supply sensitive information • Someone might be altering the responses • Don’t trust any information given on web sites • Don’t execute downloaded code

  5. Rules of Thumb – What Can You Do? • This leaves us with: • Browse your favorite news site • Browse your favorite weather site (diagram: non-sensitive sites are “boring”, sensitive sites are “interesting”)

  6. You are still vulnerable

  7. Mitigating a Fallacy • Fallacy • Executing JavaScript on victim == executing an attack • Reality • Same origin policy • Executing an attack • JavaScript + browser implementation bug • JavaScript + execution on a specific domain • Can be done through XSS

  8. Passive Man in the Middle Attacks (diagram sequence) • Victim browses to a website • Attacker views the request, manipulates it and forwards it to the server • Server returns a response • Attacker views the response, manipulates it and forwards it to the victim • Other servers are not affected

  9. Active Man in the Middle Attack (diagram: My Weather Channel, My Bank Site) • Victim browses to a “boring” site • Server returns a response • Attacker adds an IFRAME referencing an “interesting” site • Automatic request sent to the interesting server • Attacker transfers the request to the server • The attacker actively directs the victim to an “interesting” site • The IFrame could be invisible • Other servers are not affected

  10. Stealing Cookies* • Obvious result • Stealing cookies associated with any domain the attacker desires • Will also work for HTTP ONLY cookies (as opposed to XSS attacks) • Automatic request contains victim’s cookies * A similar attack was presented by Mike Perry – SideJacking
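The slide's point is that the forced request is an ordinary browser request, so every cookie scoped to the target host rides along, HttpOnly or not. The following is an added example (not from the slides) that models which cookies a browser would attach to that automatic plain-HTTP request; the hostnames and Set-Cookie values are constructed.

```python
"""Which cookies a browser attaches to the automatic plain-HTTP request that
an injected IFRAME triggers.  HttpOnly only hides a cookie from script, so it
still travels; the Secure attribute is what keeps a cookie off a plaintext
request.  Hostnames and Set-Cookie values are constructed samples."""
from typing import Dict, List, Optional


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into name, value and the attributes we need."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "secure": False, "httponly": False, "domain": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
    return cookie


def domain_matches(host: str, cookie_domain: Optional[str], origin: str) -> bool:
    """RFC 6265 matching: host-only cookies need the exact host, Domain= a suffix."""
    if cookie_domain is None:
        return host == origin
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_sent_over_http(set_cookie: List[str], origin: str, target: str) -> List[str]:
    """Names of cookies the browser would send with a request to http://target/."""
    sent = []
    for header in set_cookie:
        c = parse_set_cookie(header)
        if c["secure"]:
            continue  # Secure: never sent on a plaintext connection
        if domain_matches(target, c["domain"], origin):
            sent.append(c["name"])  # HttpOnly makes no difference here
    return sent


# Constructed sample: cookies bank.example set during an earlier HTTPS session.
SAMPLE_HEADERS = [
    "SESSION=abc123; Path=/; HttpOnly",        # HttpOnly alone: still sent
    "AUTH=tok; Path=/; Secure; HttpOnly",       # Secure: withheld
    "PREF=en; Domain=.bank.example; Path=/",    # domain cookie: sent to subdomains too
]
```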

  11. Demo

  12. Overcoming Same Origin Policy • Result • Attacker can execute scripts on any domain she desires • Scripts can fully interact with any “interesting” website • Limitations • Will only work for non-SSL web sites (diagram sequence) • Victim surfs to a “boring” site • Attacker injects an IFRAME directing to an “interesting” site • Automatic request sent to the interesting server • Attacker forwards the automatic request to the “interesting” server • “Interesting” server returns a response • Attacker adds a malicious script to the response • Script executes with the “interesting” server’s restrictions

  13. Secure Connections Login Mechanism

  14. Secure Connections (diagram sequence) • Victim browses to site http://www.webmail.site • Site returns a response with login form (“Please Login”, Username, Password, SUBMIT) • Victim fills login details (jsmith, ********) and submits the form • Login request is sent through a secure channel • Login successful (“Hello John Smith”) • Pre-login action sent in clear text • Attacker could alter the pre-login response to make the login request be sent unencrypted

  15. Stealing Auto Completion Information • Result • Attacker can steal any auto-completion information she desires • Limitations • Will only work for pre-login pages that are not encrypted • Will not work seamlessly in IE (diagram sequence) • Attacker redirects victim to a request to a pre-login page • Attacker returns the original login form together with a malicious script • Script accesses the auto-completion information using the DOM * A passive version of this attack was described by RSnake in his blog

  16. Demo

  17. Broadening the Attack (Time Dimension)

  18. (diagram: time line) • Active MitM Attacks – Past (“interesting” sites) • Passive MitM Attacks – Present (“boring” sites) • Active MitM Attacks – Future (“interesting” sites)

  19. Session Fixation • Result • Attacker can set persistent cookies on victim • Limitations • The vulnerability also lies within the server (diagram sequence) • Attacker redirects victim to the site of interest • Attacker returns a page with a cookie generated by the server • Cookie is saved on victim’s computer • A while later, victim connects to the site (with the pre-provided cookie) • Attacker uses the same cookie to connect to the server • Server authenticates attacker as victim

  20. Cache Poisoning • Result • Attacker can poison any page she desires • Poisoned pages will be persistent • Limitations • Attacker can poison non-SSL resources (diagram sequence) • Attacker redirects victim to the site of interest • Attacker returns a malicious page with cache setting enabled • Page is cached on victim’s computer • A while later, victim visits the site
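Persistence here comes entirely from the cache headers the attacker chooses to put on the poisoned response. As an added example (not from the slides), the helper below computes how long a browser cache may reuse a response without revalidating it, so a site owner can audit which of its plain-HTTP resources are long-lived cache entries; the header values are constructed samples.

```python
"""How long a browser cache may serve a response without going back to the
server.  Long freshness on a plain-HTTP resource is exactly what lets a
poisoned page persist; 'no-store' gives a poisoned copy no life at all.
Header values below are constructed samples."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=3600' -> {'public': None, 'max-age': '3600'}."""
    directives: Dict[str, Optional[str]] = {}
    for token in value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def freshness_seconds(headers: Dict[str, str], now: datetime) -> int:
    """Seconds the cached copy may be reused without revalidation (0 = never)."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0  # no-cache still stores, but every use must revalidate
    if cc.get("max-age") is not None:
        return max(0, int(cc["max-age"]))
    if "expires" in h:
        expires = parsedate_to_datetime(h["expires"])
        return max(0, int((expires - now).total_seconds()))
    if "last-modified" in h:
        # Heuristic freshness (RFC 7234 4.2.2): commonly 10% of the document age.
        age = (now - parsedate_to_datetime(h["last-modified"])).total_seconds()
        return max(0, int(age / 10))
    return 0  # nothing says it is fresh: reused only after revalidation


NOW = datetime(2009, 2, 27, 12, 0, tzinfo=timezone.utc)  # constructed clock
POISONED = {"Cache-Control": "public, max-age=31536000"}   # kept for a year
HEURISTIC = {"Last-Modified": "Sat, 27 Feb 1999 12:00:00 GMT"}  # ~1 year by heuristic
SAFE = {"Cache-Control": "no-store"}
```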

  21. Demo

  22. Complex Hacking Virtual Private Networks

  23. Virtual Private Networks (VPN) • VPN client initialization • Create a secure network interface • Set user’s routing table • VPN client finalization (upon exit or when connection is lost) • Revert routing table Do not confuse VPN and HTTPS architectures!

  24. VPN Mixed Content • Internal Web Site: <html><script src=http://external/sc.js>...</html> • Result • VPN web sites are compromised • User is not alerted to the security risk • As opposed to SSL mixed content issues • Limitations • Such mixed content is not widely used (diagram sequence) • Victim surfs to a page in the VPN network • Attacker alters the non-encrypted script • Malicious script executes within the secure environment

  25. Hacking Non-Available Sites • Result • Attacker can view and change any HTTP cache object • Even for non available sites

  26. VPN Cache Injection • Result • VPN is great for the network level • VPN is not enough for the application level • This attack could be applied to other application protocols! (diagram sequence) • Attacker disconnects connection to VPN server • After routing table is updated, attacker poisons the cache of an internal site • Attacker recovers connection • Attacker redirects victim to cached resource • Cached resource loads and malicious cached script executes

  27. Complex Hacking Intranet Networks

  28. Penetrating Internal Network – Simple Cache Poison • Result • Attack will be launched every time victim accesses the resource • The attack would be executed within the local intranet • Characteristics • Firewall protections are helpless • Affected servers will never know • The attack is persistent

  29. Setting Up a Future MitM Scenario (diagram: router settings page – Outbound Proxy IP Address 216.187.118.221, Primary DNS Server Address 216.187.118.221) • Result • Facilitates future MitM scenarios • Does not require router’s credentials • Fake settings could be displayed to the user • Limitations • Requires victim to access router in the future • Need to guess router’s address (10.0.1.1) (diagram sequence) • Using Active MitM techniques, attacker poisons victim’s cache related to his router’s web access • Victim’s router-related cache poisoned with a malicious script • Malicious script executed when victim tries to access router • Script configures router to tunnel future communication through attacker • Script hides the configuration changes

  30. Increasing the Exposure (diagram: .JS) • Poison common home pages • Script will execute every time victim opens his browser • Poison common scripts • Script will execute on every page using the common script • Example: http://www.google-analytics.com/ga.js • The “double active” attack • Common poisoned page redirects to another poisoned resource

  31. The Double Active Cache Poisoning Attack (diagram: router) • Result • Internal network has been compromised • Limitation • Need to guess router IP and credentials (diagram sequence) • Using Active MitM techniques, attacker poisons common router’s address (i.e. 10.0.1.1) • Attacker also poisons common home pages • At a later time, victim opens browser • Cached home page is loaded and redirects victim’s browser to router’s web interface • Cached router’s web interface is loaded and malicious script changes router’s settings • Router is compromised by malicious script

  32. Active Attack Characteristics • Not noticeable in user’s experience • Not noticeable by any of the web sites • IPS/IDS will not block it • Can be persistent • Can be used to hack into local organization • Bypasses any firewall or VPN • Can be used with DNS Pinning Techniques • A problem with the current design • Requires only one plain HTTP request to be transmitted

  33. Remediation • Users • Do not use auto-completion • “Clean Slate Policy” • Trust level separation • Two different browsers • Two different users • Two different OS • Virtualization products • Tunnel communication through a secure proxy • Might not be allowed in many hot-spots

  34. Web owners • Consider risks of partial SSL sites • Do not consider secure VPN connection as an SSL replacement • Use random tokens for common scripts • While considering performance issues • Avoid referring external scripts from internal sites
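Two of these items can be checked mechanically on the site's own pages: a login form that is delivered or submitted over plain HTTP (the partial-SSL issue of slide 14) and an internal page that pulls a script from an external host (the VPN mixed-content issue of slide 24). The audit below is an added example, not the presentation's code; the page URL, internal host list and HTML sample are constructed.

```python
"""Audit a page for two design issues from the remediation slides: a login
form delivered or submitted over plain HTTP, and an internal page loading a
script from an external host.  URL, internal host list and HTML sample are
constructed; findings are strings so they can be logged as-is."""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlparse


class PageAudit(HTMLParser):
    """Collect form actions (flagging password fields) and script sources."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.forms: List[dict] = []
        self.scripts: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            self.forms.append({"action": action, "has_password": False})
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.forms:
            self.forms[-1]["has_password"] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))


def audit(page_url: str, html: str, internal_hosts: List[str]) -> List[str]:
    """Return one finding per issue; an empty list means the page is clean."""
    p = PageAudit(page_url)
    p.feed(html)
    findings = []
    logins = [f for f in p.forms if f["has_password"]]
    if logins and urlparse(page_url).scheme != "https":
        # The pre-login page itself is plaintext: a MitM can rewrite the form.
        findings.append("login form delivered over HTTP: " + page_url)
    for f in logins:
        if urlparse(f["action"]).scheme != "https":
            findings.append("credentials submitted over HTTP: " + f["action"])
    for s in p.scripts:
        if urlparse(s).hostname not in internal_hosts:
            # External script on an internal page runs inside the trusted zone.
            findings.append("external script on internal page: " + s)
    return findings


SAMPLE_HTML = """<form action="https://www.webmail.site/login" method="post">
<input name="user"><input type="password" name="pass"></form>
<script src="http://external/sc.js"></script><script src="/js/app.js"></script>"""
```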

  35. Industry • Build integrity mechanism for HTTP • Secure WiFi networks

  36. Summary • Active MitM attacks – broaden the scope of the passive attacks • Design issues • Dimension of time • Past (steal cookies, auto-completion information, cache) • Future (set up cookies, poison cache, poison form filler) • Penetrating internal networks • Persistent • Bypass any current protection mechanisms • More information: • Paper and presentation will be uploaded to our blog: http://blog.watchfire.com

  37. References • Watchfire’s Blog: • http://blog.watchfire.com • Wireless Man in the Middle Attacks: • http://www.informit.com/articles/article.aspx?p=353735&seqNum=7 • SideJacking: • http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html • More on SideJacking: • http://erratasec.blogspot.com/2008/01/more-sidejacking.html • Active SideJacking: • http://seclists.org/bugtraq/2007/Aug/0070.html • Surf Jacking • http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf • Stealing User Information: • http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/

  38. Thank you!
