
Active Man in the Middle Attacks.ppt - SecurityByte (securitybyte.org/2009/schedule/Day1_Orchid/Active Man in the Middle...)

Page 1

IBM Rational Application Security Group (aka Watchfire)

Active Man in the Middle Attacks

Adi Sharabani

Web Based Man In the Middle Attack © 2009 IBM Corporation

The OWASP Foundation

OWASP

http://www.owasp.org

Adi Sharabani

Security Research Group Manager

IBM Rational Application Security (a.k.a. Watchfire)

adish

Page 2

Agenda

• Background

– Man in the Middle

– Network level – heavily researched

– Web application level – sporadic research

• Outline

– Passive MitM attacks

– Active MitM attacks

– Penetrating an internal network

– Remediation

Page 3

Man in the Middle Scenario

• All laptop users connect to a public network

• Wireless connection can easily be compromised or impersonated

• Wired connections might also be compromised

Page 4

Rules of Thumb – Don’ts …

• Someone might be listening to the requests

– Don’t browse sensitive sites

– Don’t supply sensitive information

• Someone might be altering the responses

– Don’t trust any information given on web sites

– Don’t execute downloaded code

Page 5

Rules of Thumb – What Can You Do?

• This leaves us with:

– Browse your favorite news site

– Browse your favorite weather site

(Diagram: non-sensitive sites are labelled “boring”, sensitive sites “interesting”)

Page 6

You are still vulnerable


Page 7

Mitigating a Fallacy

• Fallacy

– Executing JavaScript on victim == executing an attack

• Reality

– Same origin policy

– Executing an attack

– JavaScript + browser implementation bug

– JavaScript + execution on a specific domain

– Can be done through XSS

Page 8

Passive Man in the Middle Attacks

Victim browses to a website

Attacker views the request, manipulates it and forwards it to the server

Server returns a response

Attacker views the response, manipulates it and forwards it to the victim

Other servers are not affected

Page 9

Active Man in the Middle Attack

• The attacker actively directs the victim to an “interesting” site

• The IFrame could be invisible

(Diagram: the “boring” site is My Weather Channel, the “interesting” site is My Bank Site)

Victim browses to a “boring” site

Attacker transfers the request to the server

Server returns a response

Attacker adds an IFRAME referencing an “interesting” site

Automatic request sent to the interesting server

Other servers are not affected

Page 10

Page 11

Stealing Cookies*

• Obvious result

– Stealing cookies associated with any domain attacker desires

• Will also work for HTTP ONLY cookies (as opposed to XSS attacks)

Automatic request contains victim’s cookies

* A similar attack was presented by Sandro Gauci – Surf Jacking
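As an added example (not part of the deck), a small defender-side audit of Set-Cookie headers that models what this slide describes: the forced plain-HTTP request carries every cookie scoped to the domain that lacks the Secure attribute, HttpOnly included, because the browser itself attaches it rather than a script reading it. The header values are constructed samples.

```python
# Added example, not from the slide deck: model which cookies a browser would
# attach to a forced http:// request and report the ones a site should fix.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name/value plus the two flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name.strip(), value.strip(), "secure" in attrs, "httponly" in attrs)


def cookies_sent_over_http(cookies):
    """Browser behaviour: a cookie without Secure rides on any http:// request
    to its domain, including the one an injected IFRAME triggers."""
    return [c.name for c in cookies if not c.secure]


def audit(set_cookie_headers):
    """Return (name, note) for every cookie a forced plain-HTTP request leaks."""
    findings = []
    for c in (parse_set_cookie(h) for h in set_cookie_headers):
        if c.secure:
            continue  # never sent over http://, so the forced request gets nothing
        if c.httponly:
            note = "HttpOnly set but Secure missing: still sent over plain HTTP"
        else:
            note = "neither Secure nor HttpOnly: sent over plain HTTP and readable by script"
        findings.append((c.name, note))
    return findings


# Constructed sample: three cookies a bank-style site might set.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",      # leaks despite HttpOnly
    "PREF=en; Path=/",                         # leaks
    "AUTH=tok456; Path=/; Secure; HttpOnly",   # not sent over http://
]

if __name__ == "__main__":
    for name, note in audit(SAMPLE_HEADERS):
        print(f"{name}: {note}")
```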

Page 12

Demo


Page 13

Overcoming Same Origin Policy

Victim surfs to a “boring” site

Attacker injects an IFRAME directing to an “interesting” site

Automatic request sent to the interesting server

Attacker forwards the automatic request to the “interesting” server

“Interesting” server returns a response

Attacker adds a malicious script to the response

Script executes with the “interesting” server’s restrictions

• Result

– Attacker can execute scripts on any domain she desires

– Scripts can fully interact with any “interesting” website

• Limitations

– Will only work for non SSL web sites

Page 14

Secure Connections


Login Mechanism

Page 15

Secure Connections

(Diagram: “Please Login” form with Username “jsmith”, Password “********” and a SUBMIT button; afterwards “Login Successful – Hello John Smith”)

Victim browses to site http://www.webmail.site

Site returns a response with login form

Victim fills login details, and submits the form

Login request is sent through a secure channel

• Pre-login action sent in clear text

• Attacker could alter the pre-login response to make the login request sent unencrypted

Page 16

Stealing Auto Completion Information

Attacker redirects the victim to a request for a pre-login page

Attacker returns the original login form together with a malicious script

Script accesses the auto-completion information using the DOM

• Result

– Attacker can steal any auto-completion information she desires

• Limitations

– Will only work for pre-login pages not encrypted

– Will not work seamlessly in IE

* A passive version of this attack was described by RSnake in his blog

Page 17

Demo


Page 18

Broadening the Attack

(Time Dimension)

Page 19

(Diagram: the time dimension of MitM attacks)

Passive MitM Attacks – Present (“boring” sites)

Active MitM Attacks – Past (“interesting” sites)

Active MitM Attacks – Future (“interesting” sites)

Page 20

Session Fixation

Attacker redirects victim to the site of interest

Attacker returns a page with a cookie generated by server

Cookie is being saved on victim’s computer

A while later, victim connects to the site (with the pre-provided cookie)

Attacker uses the same cookie to connect to the server

Server authenticates attacker as victim

• Result

– Attacker can set persistent cookies on victim

• Limitations

– The vulnerability also lies within the server

Page 21

Cache Poisoning

Attacker redirects victim to the site of interest

Attacker returns a malicious page with cache setting enabled

Page is being cached on victim’s computer

A while later, victim visits the site

• Result

– Attacker can poison any page she desires

– Poisoned pages will be persistent

• Limitations

– Attacker can poison non SSL resources

Page 22


Demo

Page 23

Complex Hacking

Virtual Private Networks

Page 24

Virtual Private Networks (VPN)

• VPN client initialization

– Create a secure network interface

– Set user’s routing table

• VPN client finalization (upon exit or when connection is lost)

– Revert routing table

Do not confuse VPN and HTTPS architectures!

Page 25

VPN Mixed content

(Diagram: an Internal Web Site page that includes a script from an external host)

<html>
<script
src=http://external/sc.js>
...

Victim surfs to a page in the VPN network

Attacker alters the non-encrypted script

Malicious script executes within the secure environment

• Result

– VPN web sites are compromised

– User is not alerted to the security risk

– As opposed to SSL mixed content issues

• Limitations

– Such mixed content is not widely used

Page 26

Hacking Non-Available Sites

• Result

– Attacker can view and change any HTTP cache object

– Even for non available sites

Page 27

VPN Cache Injection

Attacker disconnects connection to VPN Server

After routing table is updated, Attacker poisons the cache of an internal site

Attacker recovers connection

Attacker redirects victim to cached resource

Cached resource loads and malicious cached script executes

• Result

– VPN is great for the network level

– VPN is not enough for the application level

– This attack could be applied to other application protocols!

Page 28

Complex Hacking

Intranet Networks

Page 29

Penetrating Internal Network – Simple Cache Poison

• Result

– Attack will be launched every time victim accesses the resource

– The attack would be executed within the local intranet

• Characteristics

– Firewall protections are helpless

– Affected servers will never know

– The attack is persistent

Page 30

Setting Up a Future MitM Scenario

Using Active MitM Techniques, attacker poisons victim’s cache related to his router’s web access

Victim’s router related cache poisoned with a malicious script

Malicious script executed when victim tries to access router

Script configures router to tunnel future communication through attacker

Script hides the configuration changes

(Diagram: router configuration page with Outbound Proxy IP Address and Primary DNS Server Address both set to 216 187 118 221)

• Result

– Facilitates future MitM scenarios

– Does not require router’s credentials

– Fake settings could be displayed to the user

• Limitations

– Requires victim to access router in the future

– Need to guess router’s address (10.0.1.1)

Page 31

Increasing the Exposure

• Poison common home pages

– Script will execute every time victim opens his browser

• Poison common scripts

– Script will execute on every page using the common script

– Example: http://www.google-analytics.com/ga.js

• The “double active” attack

– Common poisoned page redirects to another poisoned resource

Page 32

The Double Active Cache Poisoning Attack

Using Active MitM techniques, attacker poisons common router’s address (i.e. 10.0.1.1)

Attacker also poisons common home pages

At a later time, victim opens browser

Cached home page is loaded and redirects victim’s browser to router’s web interface

Cached router’s web interface is loaded and malicious script changes router’s settings

Router is compromised by malicious script

• Result

– Internal network has been compromised

• Limitation

– Need to guess router IP and credentials

Page 33

Active Attack Characteristics

– Not noticeable in user’s experience

– Not noticeable by any of the web sites

– IPS/IDS will not block it

– Can be persistent

– Can be used to hack into local organization


– Bypasses any firewall or VPN

– Can be used to access non-HTTP servers

– Can be used with DNS Pinning Techniques

– A problem with the current design

– Requires only one plain HTTP request to be transmitted

Page 34

Remediation

• Users

– Do not use auto-completion

– “Clean Slate Policy”

– Trust level separation

– Two different browsers

– Two different users

– Two different OS

– Virtualization products

– Tunnel communication through a secure proxy

– Might not be allowed in many hot-spots

Page 35

• Web owners

– Consider risks of partial SSL sites

– Do not consider a secure VPN connection as an SSL replacement

– Use random tokens for common scripts

– While considering performance issues

– Avoid referencing external scripts from internal sites
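As an added example (not from the deck), a response audit that checks the three web-owner points above: a password form delivered over plain HTTP (partial SSL), an internal page loading an external script over HTTP (VPN mixed content), and a shared script served over HTTP from a fixed, token-less URL with cacheable headers (cache poisoning persistence). The sample responses, and the .corp.example suffix used to decide which hosts are internal, are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption of this example: hosts under this suffix are VPN-only ("internal").
INTERNAL_SUFFIXES = (".corp.example",)

class _Collector(HTMLParser):
    """Collect script sources and whether a form carries a password field."""
    def __init__(self):
        super().__init__()
        self.script_srcs, self.password_form, self._in_form = [], False, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._in_form = True
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "input" and self._in_form and (a.get("type") or "").lower() == "password":
            self.password_form = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

def _is_internal(host):
    return bool(host) and host.endswith(INTERNAL_SUFFIXES)

def audit_response(url, headers, body):
    """Return (rule, detail) findings for one captured HTTP response."""
    u = urlparse(url)
    ctype = headers.get("Content-Type", "").lower()
    findings = []
    if "html" in ctype:
        c = _Collector()
        c.feed(body)
        # Partial SSL: a login form delivered over HTTP can be rewritten in
        # transit, so an HTTPS form action on its own protects nothing.
        if u.scheme == "http" and c.password_form:
            findings.append(("partial-ssl", "password form delivered over plain HTTP"))
        # VPN mixed content: an internal page loading an external script over
        # HTTP lets whoever controls the public path run script inside the VPN.
        if _is_internal(u.hostname):
            for src in c.script_srcs:
                s = urlparse(src)
                if s.scheme == "http" and not _is_internal(s.hostname):
                    findings.append(("external-script", src))
    elif "javascript" in ctype:
        # Cache poisoning persistence: a shared script fetched over HTTP from a
        # fixed URL and allowed into the cache stays poisoned until it expires.
        cache = headers.get("Cache-Control", "").lower()
        if u.scheme == "http" and not u.query and "no-store" not in cache:
            findings.append(("cacheable-common-script", cache or "no Cache-Control"))
    return findings

# Constructed sample responses; the URLs echo the deck's own examples.
SAMPLES = [
    ("http://www.webmail.site/", {"Content-Type": "text/html"},
     '<html><form action="https://www.webmail.site/login" method="post">'
     '<input name="user"><input type="password" name="pass"></form></html>'),
    ("http://portal.corp.example/home", {"Content-Type": "text/html"},
     '<html><script src="http://external/sc.js"></script>'
     '<script src="http://static.corp.example/app.js"></script></html>'),
    ("http://www.google-analytics.com/ga.js",
     {"Content-Type": "text/javascript", "Cache-Control": "max-age=604800"},
     "var _gaq = [];"),
]
```

Running audit_response over each SAMPLES entry yields one finding per sample; the same HTML served from an https:// URL produces none, which is the point of the first remediation item.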

Page 36

• Industry

– Build integrity mechanism for HTTP

– Secure WiFi networks

Page 37

Summary

• Active MitM attacks

– Broaden the scope of the passive attacks

– Design issues

– Dimension of time

– Past (steal cookies, auto-completion information, cache)

– Future (set up cookies, poison cache, poison form filler)

– Penetrating internal networks

– Persistent

– Bypass any current protection mechanisms

• More information:

– Paper and presentation will be uploaded to our blog:

http://blog.watchfire.com

Page 38

References

• Additional information at Watchfire’s blog:

– http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html

• Wireless Man in the Middle Attacks:

– http://www.informit.com/articles/article.aspx?p=353735&seqNum=7

• Side Jacking:

– http://erratasec.blogspot.com/2007/08/sidejacking-with-hamster_05.html

• More on SideJacking:

– http://erratasec.blogspot.com/2008/01/more-sidejacking.html

• Surf Jacking:

– http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf

• Stealing User Information:

– http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/

Page 39

Thank you!
