SSLstrip Slowloris & IPv6 & Split Handshake Sam Bowne

Contact
  • Sam Bowne
  • Computer Networking and Information Technology
  • City College San Francisco
  • Email: sbowne@ccsf.edu
  • Web: samsclass.info
Topics
  • sslstrip – Steals passwords from mixed-mode Web login pages
  • Slowloris – Denial of Service – Stops Apache Web servers
  • IPv6 – The end of the world
  • Split Handshake – simple trick that evades all tested IPS systems

The 15 Most Popular Web 2.0 Sites
  • 1. YouTube HTTPS
  • 2. Wikipedia HTTP
  • 3. Craigslist HTTPS
  • 4. Photobucket HTTP
  • 5. Flickr HTTPS
  • 6. WordPress MIXED
  • 7. Twitter MIXED
  • 8. IMDB HTTPS
  • 9. Digg HTTP
  • 10. eHow HTTPS
  • 11. TypePad HTTPS
  • 12. topix HTTP
  • 13. LiveJournal Obfuscated HTTP
  • 14. deviantART MIXED
  • 15. Technorati HTTPS
    • From http://www.ebizmba.com/articles/user-generated-content
Password Stealing
  • Easy: Wall of Sheep
  • Medium: sslstrip
  • Hard: Spoofing certificates

Mixed Mode
  • HTTP page with an HTTPS logon button

sslstrip Proxy Changes HTTPS to HTTP
  • Diagram: Target (using Facebook) ⟷ HTTP ⟷ Attacker (sslstrip proxy in the middle) ⟷ HTTPS ⟷ To Internet

Physical Insertion in a Wired Network
  • Diagram: Target ⟷ Attacker ⟷ To Internet

ARP Poisoning
  • Redirects Traffic at Layer 2
  • Sends a lot of false ARP packets on the LAN
  • Can be easily detected
  • DecaffeinatID by Irongeek
    • http://k78.sl.pt
ARP Request and Reply
  • Client wants to find Gateway
  • ARP Request: Who has 192.168.2.1?
  • ARP Reply:
    • MAC: 00-30-bd-02-ed-7b has 192.168.2.1
  • Diagram: Client → ARP Request → Gateway; Gateway → ARP Reply → Client; Gateway → Facebook.com

ARP Poisoning
  • Diagram: Attacker → ARP Replies ("I am the Gateway") → Client; Client → Traffic to Facebook → Attacker; Attacker → Forwarded & Altered Traffic → Gateway → Facebook.com

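A detector for the ARP poisoning the two slides above describe, as an added Python example (not from the slides, and not DecaffeinatID's code): it seeds its table with the gateway mapping from the ARP Request and Reply slide and flags any reply that remaps a known IP, plus any single MAC sending a flood of replies. The reply records are constructed; the attacker MAC is a placeholder.

```python
from collections import Counter

# Known-good mapping taken from the ARP Request and Reply slide
KNOWN_GATEWAY = {"192.168.2.1": "00:30:bd:02:ed:7b"}


def norm(mac: str) -> str:
    """Normalise 00-30-bd-... and 00:30:BD:... to one spelling."""
    return mac.lower().replace("-", ":")


def detect_arp_poisoning(replies, known=KNOWN_GATEWAY, flood_threshold=5):
    """Watch ARP replies the way an ARP-watch tool does.

    replies: iterable of (sender_ip, sender_mac) taken from ARP *replies*.
    Two signals from the slides: a reply that maps a known IP (the gateway)
    to a new MAC, and one MAC emitting an unusual volume of replies.
    Returns a list of alert tuples, one per distinct finding.
    """
    table = {ip: norm(mac) for ip, mac in known.items()}
    per_mac = Counter()
    alerts, seen_conflicts = [], set()
    for ip, mac in replies:
        mac = norm(mac)
        per_mac[mac] += 1
        current = table.setdefault(ip, mac)  # first sighting of an unknown IP is trusted
        if current != mac and (ip, mac) not in seen_conflicts:
            seen_conflicts.add((ip, mac))
            alerts.append(("ip-mac-conflict", ip, current, mac))
    for mac, n in per_mac.items():
        if n >= flood_threshold:
            alerts.append(("reply-flood", mac, n))
    return alerts


# Constructed sample: two honest replies, then an attacker (placeholder MAC)
# repeating "I am the Gateway", as on the ARP Poisoning slide.
SAMPLE_REPLIES = [
    ("192.168.2.1", "00-30-bd-02-ed-7b"),
    ("192.168.2.50", "00-40-63-ca-9a-20"),
] + [("192.168.2.1", "de-ad-be-ef-00-01")] * 6

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print(*alert)
```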
Send Incomplete HTTP Requests
  • Apache has a queue of approx. 256 requests
  • Each one waits approx. 400 seconds by default for the request to complete
  • So less than one packet per second is enough to occupy them all
  • Low-bandwidth DoS – no collateral damage!

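The slot arithmetic of the slide above, plus a Slowloris symptom check over a connection snapshot, as an added Python example (not from the slides): it shows how a shorter header timeout raises the connection rate an attacker must sustain, and flags sources holding many connections that never finish their request headers. The snapshot rows are constructed.

```python
from collections import Counter

WORKER_SLOTS = 256     # request queue size the slide quotes for Apache
DEFAULT_TIMEOUT = 400  # seconds a slot waits for the request to complete (slide)


def rate_to_fill_slots(slots=WORKER_SLOTS, timeout_s=DEFAULT_TIMEOUT):
    """New connections per second needed to keep every slot occupied: the
    slide's arithmetic (256 / 400 = 0.64, under one packet a second).
    Shortening the header timeout raises this bar proportionally."""
    return slots / timeout_s


def slowloris_indicators(snapshot, slots=WORKER_SLOTS, slow_age=30.0, per_ip=10):
    """Score a snapshot of open connections for Slowloris symptoms.

    snapshot: list of (client_ip, age_seconds, headers_complete) rows, the
    kind of data the Apache scoreboard or `ss -tn` gives you.  A legitimate
    client finishes its request headers in well under a second, so a
    connection still waiting on headers after slow_age is 'stalled'.
    """
    stalled = [ip for ip, age, done in snapshot if not done and age > slow_age]
    by_ip = Counter(stalled)
    return {
        "stalled": len(stalled),
        "stalled_fraction": len(stalled) / slots,
        "suspect_ips": sorted(ip for ip, n in by_ip.items() if n >= per_ip),
    }


# Constructed snapshot: three healthy requests, one slow but lone client,
# and 200 connections from a single source that never finish their headers.
SNAPSHOT = (
    [("10.0.0.5", 0.2, True), ("10.0.0.6", 1.1, True), ("10.0.0.7", 0.4, True),
     ("10.0.0.8", 40.0, False)]
    + [("203.0.113.7", 45.0 + i, False) for i in range(200)]
)

if __name__ == "__main__":
    print(f"rate to fill all slots at 400 s: {rate_to_fill_slots():.2f} conn/s")
    print(f"rate to fill all slots at 20 s:  {rate_to_fill_slots(timeout_s=20):.1f} conn/s")
    print(slowloris_indicators(SNAPSHOT))
```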
Power failures brought down servers at 365 Main last year. What OSI Model was that attack in?
  • Layer 1
  • Layer 2
  • Layer 3
  • Layer 4
  • Layer 5 or higher
Which type of website is the most dangerous?
  • HTTP
  • Mixed: HTTP with HTTPS elements
  • HTTPS
What precaution seems best against Slowloris?
  • Do nothing and ignore it
  • Adjust Apache timeouts
  • Use a load-balancer
  • Add a module to Apache
  • Something else
What sort of logins do users of your Website use?
  • Plaintext
  • Mixed-mode
  • HTTPS with a CA
  • Self-signed SSL
  • Something else
What plans do you have to use IPv6?
  • I don't care about IPv6 at all
  • I'll implement IPv6, but not for years
  • Planning to implement it within a year
  • Planning to implement it sooner than a year
  • I am already using IPv6
IPv4 Exhaustion
  • Available pool is 18 "/8 address ranges"
    • Each /8 has 16.8 Million Addresses
  • 203 already allocated
  • 35 Reserved for special uses
    • Data from 5-13-2010, CNIT 202E, link IPv6 3
The End of the World
  • No Reprieve
    • IANA will not re-purpose class D or E addresses for general use
  • People who ask for IPv4 addresses after exhaustion will not get them
    • Hoarding, scalping, and simple direct sale of IPv4 addresses will begin soon
Federal IPv6 Transition Timeline
  • Cisco, Sept 2009 (CNIT 202E, link IPv6 9)
IPv6 Tunnels
  • Tunnelbroker.com
  • Free IPv4-to-IPv6 Tunnels
  • BUT your router needs to allow protocol 41
    • I had to move to the DMZ to get it through
IPv6 Certification
  • Get it now!
IPv6 - IPv4 Addresses
  • A hybrid format may be used for IPv6 - IPv4 addresses: the normal IPv4 dotted-decimal notation follows the first six 16-bit address elements.
Multiple Addresses
  • Note: Interfaces normally have two addresses, or even more
    • Link-local FE80::w.x.y.z
    • Global unicast
Example
  • Interface MAC: 00-40-63-ca-9a-20
  • IPv6 Interface ID (EUI-64): ::0040:63FF:FECA:9A20, or ::40:63FF:FECA:9A20
  • Link-local: FE80::40:63FF:FECA:9A20

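The EUI-64 derivation from the Example slide in Python, as an added example (not from the slides). It also applies the RFC 4291 universal/local bit inversion (bit 0x02 of the first octet), which the slide's value omits, and runs the derivation backwards, since an EUI-64 interface ID reveals the host's MAC to anyone who sees its IPv6 traffic.

```python
import ipaddress
from typing import Optional


def mac_to_eui64(mac: str, modified: bool = True) -> str:
    """Derive the 64-bit IPv6 interface identifier from a 48-bit MAC.

    FF:FE is inserted between the OUI half and the device half.  RFC 4291
    'modified EUI-64' also inverts the universal/local bit (0x02 of the
    first octet); the slide's worked value omits that inversion, so
    modified=False reproduces the slide and modified=True gives what a
    host actually configures.
    """
    octets = bytes(int(o, 16) for o in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02 if modified else octets[0]
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    # Four 16-bit groups, leading zeros dropped as in the slide's short form
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


def link_local_from_mac(mac: str, modified: bool = True) -> str:
    """The FE80::/64 address a host autoconfigures from its MAC, normalised."""
    return str(ipaddress.IPv6Address("fe80::" + mac_to_eui64(mac, modified)))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Inverse: recover the MAC from a modified-EUI-64 address, or None when
    the interface ID is not EUI-64 derived (e.g. privacy extensions)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "00-40-63-ca-9a-20"                  # the MAC from the slide
    print(mac_to_eui64(mac, modified=False))   # the slide's value
    print(link_local_from_mac(mac))            # RFC 4291 value
    print(mac_from_eui64(link_local_from_mac(mac)))
```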
AAAA Records in DNS
  • iana.org and ipv6.net work too
Primary Source
  • I got a lot of this talk here
What plans do you have to use IPv6?
  • I don't care about IPv6 at all
  • I'll implement IPv6, but not for years
  • Planning to implement it within a year
  • Planning to implement it sooner than a year
  • I am already using IPv6
TCP Handshake
  • Normally a three-way process
  • Diagram: SYN, SYN/ACK, ACK, ACK

TCP Handshake
  • Since both devices could start the session simultaneously, this four-way handshake is also allowed
  • Diagram: SYN, ACK, SYN, ACK, ACK

TCP Handshake
  • But when you send those packets to a modern OS, this is what really happens
  • Diagram: SYN, ACK, SYN, SYN/ACK, ACK, ACK

Which Side Opened That Session?
  • This five-way handshake works--it opens a session so data can flow
  • But security devices are so confused by it they no longer provide protection
  • Snort, TippingPoint 2400, and Juniper SRX 5800 all failed to detect attacks sent after that handshake
  • More info here: http://bit.ly/9tUfb9
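The three exchanges from the TCP Handshake slides as a small state tracker, an added Python example (not from the slides): it contrasts the shortcut "whoever receives the SYN/ACK is the client", which misattributes the five-way handshake, with tracking which side sent the first SYN and whether each side's SYN was acknowledged. The packet traces are constructed, C and S are assumed endpoint names, and sequence numbers are omitted.

```python
from typing import Optional

# Constructed packet traces for the three handshakes on the slides.
# Each packet is (sender, receiver, flags); C = client, S = server.
THREE_WAY = [("C", "S", {"SYN"}), ("S", "C", {"SYN", "ACK"}), ("C", "S", {"ACK"})]
FOUR_WAY = [("C", "S", {"SYN"}), ("S", "C", {"ACK"}),
            ("S", "C", {"SYN"}), ("C", "S", {"ACK"})]
FIVE_WAY = [("C", "S", {"SYN"}), ("S", "C", {"ACK"}), ("S", "C", {"SYN"}),
            ("C", "S", {"SYN", "ACK"}), ("S", "C", {"ACK"})]


def label(flags) -> str:
    """Render a flag set the way the slides do: SYN, SYN/ACK, ACK."""
    return "/".join(f for f in ("SYN", "ACK") if f in flags)


def naive_initiator(packets) -> Optional[str]:
    """The shortcut a confused inspection device takes: whoever *receives*
    the SYN/ACK must be the client.  Wrong for the five-way handshake,
    where the real client is the one sending SYN/ACK."""
    for src, dst, flags in packets:
        if {"SYN", "ACK"} <= flags:
            return dst
    return None


def track_handshake(packets):
    """State-track the exchange instead.  Returns (initiator, established,
    sequence).  The initiator is whoever sent the first SYN; the session is
    established once both sides have sent a SYN and each SYN has been
    acknowledged by the peer, whatever order the flags arrived in.
    (A real tracker also checks sequence/ack numbers; omitted here.)"""
    initiator, syn_sent, syn_acked = None, set(), set()
    for src, dst, flags in packets:
        if "SYN" in flags:
            syn_sent.add(src)
            initiator = initiator or src
        if "ACK" in flags and dst in syn_sent:
            syn_acked.add(dst)
    established = len(syn_sent) == 2 and syn_acked == syn_sent
    return initiator, established, [label(f) for _, _, f in packets]


if __name__ == "__main__":
    for name, trace in (("3-way", THREE_WAY), ("4-way", FOUR_WAY), ("5-way", FIVE_WAY)):
        print(name, "naive:", naive_initiator(trace), "tracked:", track_handshake(trace))
```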