

  • Number of slides: 39

SSLstrip, Slowloris & Scary SSL Attacks
Sam Bowne

Contact Sam Bowne
• Computer Networking and Information Technology
• City College San Francisco
• Email: [email protected] edu
• Web: samsclass.info

Topics
• sslstrip – Steals passwords from mixed-mode Web login pages
• Slowloris – Denial of Service – Stops Apache Web servers
• Scary SSL Attacks -- ways to completely fool browsers

sslstrip

The 15 Most Popular Web 2.0 Sites
1. YouTube
2. Wikipedia
3. Craigslist
4. Photobucket
5. Flickr
6. WordPress
7. Twitter
8. IMDB
(Login-page labels shown on the slide: HTTPS, HTTPS, MIXED, HTTPS)

The 15 Most Popular Web 2.0 Sites
9. Digg
10. eHow
11. TypePad
12. topix
13. LiveJournal
14. deviantART
15. Technorati
(Login-page labels shown on the slide: HTTPS, HTTP, Obfuscated HTTP, MIXED, HTTPS)
From http://www.ebizmba.com/articles/user-generated-content

Password Stealing
• Easy: Wall of Sheep (HTTP logins, 5 of the 15 sites)
• Medium: sslstrip (MIXED logins, 3 of the 15 sites)
• Hard: Spoofing Certificates (HTTPS logins, 7 of the 15 sites)

Mixed Mode
• HTTP Page with an HTTPS Logon Button

sslstrip Proxy in the Middle
  Target Using Facebook  --HTTP-->  Attacker: sslstrip Proxy (Changes HTTPS to HTTP)  --HTTPS-->  To Internet
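The HTTPS / MIXED / HTTP labels on the site list above can be reproduced by looking at how a page was loaded and where its password form posts. This is an added example, not code from the slides or from sslstrip; the HTML sample and the `NO-LOGIN` label for pages without a password form are constructed for the demo.

```python
# Added example (not from Sam Bowne's slides): label a login page HTTPS,
# MIXED or HTTP the way the slides do, from how the page was loaded and
# where its password form posts. The sample HTML is constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collect (action URL, has_password_field) for every <form>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # finished forms
        self._current = None     # [action, has_password] of the open form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action posts back to the page's own URL.
            self._current = [urljoin(self.page_url, a.get("action") or ""), False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def classify_login_page(page_url, html):
    """Return 'HTTPS', 'MIXED', 'HTTP' or 'NO-LOGIN'. MIXED is the sslstrip
    sweet spot: the page came over plain HTTP, so a proxy in the middle can
    rewrite its https:// form action to http:// before the user clicks."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    login_actions = [action for action, has_pw in scanner.forms if has_pw]
    if not login_actions:
        return "NO-LOGIN"
    forms_https = all(urlsplit(a).scheme == "https" for a in login_actions)
    if forms_https and urlsplit(page_url).scheme == "https":
        return "HTTPS"
    return "MIXED" if forms_https else "HTTP"

# Constructed sample: a plain-HTTP front page whose logon form posts to HTTPS.
SAMPLE_MIXED = ('<form action="https://www.example.com/login" method="post">'
                '<input name="u"><input type="password" name="p"></form>')
```

Run it against the same HTML fetched over `https://` and the label changes to HTTPS, which is exactly why the slides treat the page's own scheme, not just the form's, as what matters.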

Ways to Get in the Middle

Physical Insertion in a Wired Network
  Target  -->  Attacker  -->  To Internet

Configuring Proxy Server in the Browser

ARP Poisoning Redirects Traffic at Layer 2
• Sends a lot of false ARP packets on the LAN
• Can be easily detected
• DecaffeinatID by IronGeek
• http://k78.sl.pt

ARP Request and Reply
• Client wants to find Gateway
• ARP Request: Who has 192.168.2.1?
• ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1
  Client  --ARP Request-->  Gateway  -->  Facebook.com
  Client  <--ARP Reply--    Gateway

ARP Poisoning
• Attacker ARP Replies: "I am the Gateway"
• Forwarded & Altered Traffic to Facebook
  Client  -->  Attacker  -->  Gateway  -->  Facebook.com

Demonstration

slowloris

HTTP GET

Send Incomplete HTTP Requests
• Apache has a queue of approx. 256 requests
• Each one waits approx. 400 seconds by default for the request to complete
• So less than one packet per second is enough to occupy them all
• Low-bandwidth DoS -- no collateral damage!
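From the defender's side, the tell is not bandwidth but many connections from one address that never finish their request headers. The following is an added example, not from the slides or from Slowloris itself; the connection snapshot format (client IP, seconds open, headers complete or not) and the sample records are constructed, and the 256-slot / 400-second figures are the ones quoted on the slide.

```python
# Added example (not from the slides): spot a Slowloris-style client in a
# snapshot of open server connections. The snapshot format is assumed: one
# record per connection with client IP, seconds since it opened, and whether
# the request headers have been fully received.
from collections import defaultdict

# Constructed sample: 10 connections from 10.0.0.5 open for minutes without
# ever finishing their headers, plus ordinary traffic and one slow client.
SAMPLE_SNAPSHOT = (
    [{"ip": "10.0.0.5", "age_s": 120 + i, "headers_done": False} for i in range(10)]
    + [{"ip": "192.0.2.10", "age_s": 2, "headers_done": True},
       {"ip": "192.0.2.11", "age_s": 95, "headers_done": False},
       {"ip": "192.0.2.12", "age_s": 1, "headers_done": True}]
)

def slow_clients(snapshot, min_age_s=30, min_conns=5):
    """Return {ip: count} for clients holding >= min_conns connections that
    have sat >= min_age_s seconds without completing their request headers.

    One long-lived incomplete request is normal (a slow link); many of them
    from a single address is the signature of the attack on the slide."""
    stuck = defaultdict(int)
    for c in snapshot:
        if not c["headers_done"] and c["age_s"] >= min_age_s:
            stuck[c["ip"]] += 1
    return {ip: n for ip, n in stuck.items() if n >= min_conns}

def slots_fraction_held(snapshot, total_slots=256):
    """Share of a worker pool of the size the slide quotes that is tied up
    by connections still waiting for request headers."""
    waiting = sum(1 for c in snapshot if not c["headers_done"])
    return waiting / total_slots

def min_refresh_rate_per_s(total_slots=256, timeout_s=400):
    """Packets per second needed to keep every slot occupied when each
    incomplete request is dropped after timeout_s: the slide's figures give
    well under one packet per second."""
    return total_slots / timeout_s
```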

OSI Model / DoS Attack
7 Application   Slowloris – Incomplete HTTP Requests
6 Presentation
5 Session
4 Transport     SYN Flood – Incomplete TCP Handshakes
3 Network
2 Data Link
1 Physical      Cut a cable

Demonstration

iClicker Questions

Power failures brought down servers at 365 Main last year. What OSI Model layer was that attack in?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
E. Layer 5 or higher

Which type of website is the most dangerous?
A. HTTP
B. Mixed: HTTP with HTTPS elements
C. HTTPS

What precaution protects you best when using a public Wi-Fi hotspot?
A. Open Access
B. WEP
C. WPA
D. VPN
E. 802.1x

What precaution seems best against Slowloris?
A. Do nothing and ignore it
B. Adjust Apache timeouts
C. Use a load-balancer
D. Add a module to Apache
E. Something else

What sort of logins do users of your Website use?
A. Plaintext
B. Mixed-mode
C. HTTPS with a CA
D. Self-signed SSL
E. Something else

What plans do you have to use IPv6?
A. I don't care about IPv6 at all
B. I'll implement IPv6, but not for years
C. Planning to implement it within a year
D. Planning to implement it sooner than a year
E. I am already using IPv6

Scary SSL Attacks

Man in the Middle
  Target Using https://gmail.com  -->  Attacker: Cain: Fake SSL Certificate  --HTTPS-->  To Internet

Warning Message

Certificate Errors
• The message indicates that the Certificate Authority did not validate the certificate
• BUT a lot of innocent problems cause those messages
• Incorrect date settings
• Name changes as companies are acquired

Most Users Ignore Certificate Errors
• Link SSL-1 on my CNIT 125 page

Fake SSL With No Warning
• Impersonate a real Certificate Authority
• Use a Certificate Authority in an untrustworthy nation
• Trick browser maker into adding a fraudulent CA to the trusted list
• Use a zero byte to change the effective domain name
• Wildcard certificate

Impersonating Verisign
• Researchers created a rogue Certificate Authority certificate by finding MD5 collisions
• Using more than 200 PlayStation 3 game consoles
• Link SSL-2

Countermeasures
• Verisign announced its intent to replace MD5 hashes (presumably with SHA hashes) in certificates issued after January 2009
• Earlier, vulnerable certificates would be replaced only if the customer requested it
• Link SSL-4
• FIPS 140-1 (from 2001) did not recognize MD5 as suitable for government work
• Links SSL-5, SSL-6, SSL-7

CA in an Untrustworthy Nation
• Link SSL-8

Unknown Trusted CAs
• An unknown entity was apparently trusted for more than a decade by Mozilla
• Link SSL-9

Zero Byte Terminates Domain Name
• Just buy a certificate for paypal.com\0.evil.com
• Browser will see that as matching paypal.com
• Link SSL-10
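The zero-byte and wildcard bullets on the last two slides both come down to how the browser compares the certificate's name with the host it connected to. This added example (not code from the slides or from any browser) puts a C-string-style comparison that stops at the first NUL next to a length-aware one that also confines `*` to the leftmost label; the names are constructed, with `paypal.com\0.evil.com` taken from the slide.

```python
# Added example (not from the slides): compare a certificate's subject name
# with the connected hostname, once the way the slide describes (the name is
# cut at the first zero byte) and once safely. Names here are constructed.

def cn_matches_vulnerable(cert_name, hostname):
    """Emulate a C-string comparison: the name is cut at the first NUL byte,
    so 'paypal.com\\0.evil.com' is compared as plain 'paypal.com'."""
    truncated = cert_name.split("\0", 1)[0]
    return truncated.lower() == hostname.lower()

def cn_matches_safe(cert_name, hostname):
    """Length-aware match: reject any NUL in either name, then compare label
    by label, allowing a single '*' only as the whole leftmost label."""
    if "\0" in cert_name or "\0" in hostname:
        return False
    cert_labels = cert_name.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    # A wildcard needs at least two fixed labels after it, so '*.com'
    # (which would cover every .com host) is refused.
    if cert_labels[0] == "*" and len(cert_labels) < 3:
        return False
    first_ok = cert_labels[0] == "*" or cert_labels[0] == host_labels[0]
    return first_ok and cert_labels[1:] == host_labels[1:]

# Constructed sample: the name from the slide. A CA that validated ownership
# of evil.com could issue it, and the zero byte hides the real suffix from
# any check that stops at NUL.
NULL_BYTE_NAME = "paypal.com\0.evil.com"
```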