Defense by numbers: Making problems for script kiddies

On the surface most common browsers (user agents) all look the same, function the same, and deliver web content to the user in a relatively uniformed fashion. Under the surface however, the way specific user agents handle traffic varies in a number of interesting ways. This variation allows for intelligent and skilled defenders to play with attackers and scripted attacks in a way that most normal users will never even see.
This talk will attempt to show that differences in how user agents handle web server responses can be used to improve the defensive posture of a website. Further examples will be given that show specially crafted responses can disrupt common automated attack methods and cause issues for casual attackers and wide scale scanning of websites.


  1. Defense by Numb3r5: Making problems for script k1dd13s and scanner monkeys. @ChrisJohnRiley
  2. “THE WISEST MAN, IS HE WHO KNOWS, THAT HE KNOWS NOTHING”. SOCRATES: APOLOGY, 21D
  3. I LIKE EDGE CASES
  4. Goals for this talk: Describe the defensive uses of HTTP status codes
  5. 1) What 2) Why 3) How 4) Goals 5) Bringing it together 6) Review
  6. WHAT?
  7. HTTP STATUS CODES
  8. Seems like such a small detail
  9. … small detail, big impact
  10. This talk contains:
     - Numbers
     - Bad Jokes
     - Traces of peanuts
     - Did I mention numbers?
  11. HTTP Status Codes
     - Majority part of RFC 2616 (HTTP/1.1)
     - 5 main classes of response
       - 1XX informational
       - 2XX success
       - 3XX redirection
       - 4XX client error
       - 5XX server error
  12. BASICS (AKA: THE BORING THEORY BIT)
  13. 1XX Informational
     - Indicates response received
     - Processing is not yet completed
       - 100 Continue
       - 101 Switching Protocols
       - 102 Processing (WebDAV RFC 2518)
  14. 2XX Success
     - Indicates response received
     - Processed and understood
       - 200 OK
       - 201 Created
       - 202 Accepted
       - 203 Non-Authoritative Information
       - 204 No Content
  15. 2XX Success (cont.)
     - 205 Reset Content
     - 206 Partial Content
     - 207 Multi-Status (WebDAV RFC 4918)
     - Codes not supported by Apache
       - 208 Already Reported
       - 226 IM Used
       - 250 Low on Storage Space
  16. 3XX Redirection
     - Action required to complete request
       - 300 Multiple Choices
       - 301 Moved Permanently
       - 302 Found / Moved Temporarily
       - 303 See Other
       - 304 Not Modified
  17. 3XX Redirection (cont.)
     - 305 Use Proxy
     - 306 Switch Proxy
     - 307 Temporary Redirect
     - Codes not supported by Apache
       - 308 Permanent Redirect
  18. 4XX Client Error
     - Client caused an error
       - 400 Bad Request
       - 401 Unauthorized
       - 402 Payment Required
       - 403 Forbidden
       - 404 Not Found
       - 405 Method Not Allowed
  19. 4XX Client Error (cont.)
     - 406 Not Accessible
     - 407 Proxy Authentication Required
     - 408 Request Timeout
     - 409 Conflict
     - 410 Gone
     - 411 Length Required
  20. 4XX Client Error (cont.)
     - 412 Precondition Failed
     - 413 Request Entity Too Large
     - 414 Request-URI Too Long
     - 415 Unsupported Media Type
     - 416 Request Range Not Satisfiable
     - 417 Expectation Failed
     - 418 I’m a Teapot (WebDAV RFC 2324)
  21. 4XX Client Error (cont.)
     - 419 / 420 / 421 Unused
     - 422 Unprocessable Entity (RFC 4918)
     - 423 Locked (RFC 4918)
     - 424 Failed Dependency (RFC 4918)
     - 425 No Code / Unordered Collection
     - 426 Upgrade Required (RFC 2817)
  22. 4XX Client Error (cont.)
     - Codes not supported by Apache
       - 428 Precondition Required
       - 429 Too Many Requests
       - 431 Request Header Fields Too Large
       - 444 No Response (NGINX)
       - 449 Retry With (Microsoft)
       - 450 Blocked by Win. Parental Controls
       - 451 Unavailable For Legal Reasons
  23. 4XX Client Error (cont.)
     - Codes not supported by Apache
       - 494 Request Header Too Large (NGINX)
       - 495 Cert Error (NGINX)
       - 496 No Cert (NGINX)
       - 497 HTTP to HTTPS (NGINX)
       - 499 Client Closed Request (NGINX)
  24. 5XX Server Error
     - Server error occurred
       - 500 Internal Server Error
       - 501 Not Implemented
       - 502 Bad Gateway
       - 503 Service Unavailable
       - 504 Gateway Timeout
       - 505 Method Not Allowed
  25. 5XX Server Error (cont.)
     - 506 Variant Also Negotiates (RFC 2295)
     - 507 Insufficient Storage (WebDAV RFC 4918)
     - 508 Loop Detected (WebDAV RFC 5842)
     - 509 Bandwidth Limit Exceeded (apache ext.)
     - 510 Not Extended (RFC 2274)
  26. 5XX Server Error (cont.)
     - Codes not supported by Apache
       - 511 Network Authentication Required (RFC 6585)
       - 550 Permission Denied
       - 598 Network Read Timeout Error (Microsoft Proxy)
       - 599 Network Connect Timeout Error (Microsoft Proxy)
  27. OMG, enough with the numbers already!!!!
  28. WHY?
  29. It started as a simple idea…
  30. … and I started to think
  31. SCREW WITH SCANNERS
  32. … AND SCRIPT K1DD13S
  33. THAT SOUNDS LIKE FUN!
  34. @thegrugq 26 Feb 2013
  35. @thegrugq 26 Feb 2013
  36. Prior Art
     - When the tables turn (2004). Roelof Temmingh, Haroon Meer, Charl van der Walt. http://slideshare.net/sensepost/strikeback
     - Stopping Automated Attack Tools (2006). Gunter Ollmann. http://www.technicalinfo.net/papers/StoppingAutomatedAttackTools.html
  37. HOW?
  38. BROWSERS HAVE TO BE FLEXIBLE
  39. THIS LEADS TO INTERPRETATION
  40. RFCS… THEY’RE MORE OF A GUIDELINE REALLY
  41. WHAT COULD POSSIBLY GO
  42. TESTING: THE HOW OF THE THING!
  43. Restricted research to the big 3
     - Internet Explorer
     - Chrome / Chromium
     - Firefox
  44. NO… SAFARI ISN’T IN THE TOP 3
  45. OPERA JUMPED… OR WAS IT PUSHED!
  46. LYNX: THE UNREALISTIC OPTION
  47. MITMproxy
     - Python-based
     - Simple to set up as proxy / reverse proxy
     - Script-based actions
  48. PHP
     - Ability to set response code
     - Must be at the top of the PHP code
     - Can be added to php.ini (auto_prepend_file=)
     - Limited by web-server (apache)
  49. Testing browsers automatically
     - Created PHP file to set status code: http://c22.cc/POC/respcode.php?code=XXX
  50. BROWSERS… AND THEIR STATUS CODE HABITS
  51. Status code habits, 1XX-3XX. Columns per browser: Firefox (HTML, iFrame, JS), Chrome (HTML, iFrame, JS), Internet Explorer (HTML, iFrame, JS). X = response not handled as content; d/load = response offered as a file download. Column positions were lost in extraction, so each row lists its marked cells in order:
       100: X X X X d/load X X X X
       101: X X X X d/load X X X X
       102: X X X X d/load X X X X
       200, 201, 202, 203: no marks
       204: X X X X X X X X X
       205: X X X X X X
       206, 207: no marks
       300: X
       301: X X X X
       302: X X X X
       303: X X X X
       304: X X X X X X X X X
       305: X
       306: X
       307: X X X X
  52. Status code habits, 4XX (same columns and legend; "Proxy" = proxy authentication prompt shown):
       400: X X X X
       401: X X X
       402: X X X
       403: X X X X
       404: X X X X
       405: X X X X
       406: X X X X
       407: X Proxy Proxy Proxy X
       408: X X X X X X
       409: X X X X
       410: X X X X
       411: X X X
       412: X X X
       413: X X X
       424: X X X
       425: X X X
       426: X X X
  53. Status code habits, 5XX (same columns and legend):
       500: X X X X
       501: X X X X
       502: X X X
       503: X X X
       504: X X X
       505: X X X X
       506: X X X
       507: X X X
       508: X X X
       509: X X X
       510: X X X
  54. Browsers handle most things just like they handle a 200 OK?
  55. YEP… MOSTLY
  56. HTML Responses
     - Almost all response codes are rendered by the browser correctly
     iFrames
     - Some special cases for IE, but other browsers handle this the same as HTML
  57. JavaScript/CSS
     - Limited accepted status codes
     - Limited 3XX support
       - Chrome is the exception here
     - No support for 4XX/5XX codes
  58. So we know what browsers interpret differently
  59. What do all browsers have in common?
  60. 10X code handling
     - Retries
     - Confusion
       - Chrome / IE6 try to download the page!
       - Fun on Android…
     - Timeouts
       - Eventually
  61. 204 No Content
     - Um, no content!
     304 Not Modified
     - Again, no content
  62. WHAT ABOUT HEADERS?
  63. Just because the RFC says a specific status code must have an associated header doesn’t mean it HAS to…
  64. Redirection codes (301-304, 307)
     - No Location header, no redirect
     401 Unauthorized
     - No WWW-Authenticate header, no authentication prompt
     407 Proxy Authentication Required
     - No Proxy-Authenticate header, no prompt
  65. Just because the RFC says a specific status code shouldn’t have an associated header doesn’t mean it can’t…
  66. 300 Multiple Choices w/ Location header
     - Firefox/IE6 follow the redirect
     - Chrome doesn’t
     - More research needed in this direction
  67. EACH BROWSER HANDLES THINGS A LITTLE DIFFERENTLY
  68. I WONDER WHAT WE CAN DO WITH THAT!
  69. GOALS
  70. Each browser handles things differently
     - Use known conditions
       - Handled codes
       - Unhandled codes
       - Browser weirdness
  71. BROWSER FINGERPRINTING
  72. Firefox
     - Doesn’t load JavaScript returned with a 300 ‘Multiple Choices’ status code
       - Other browsers tested DO (IE/Chrome)
     - Request JS from server
     - Respond using 300 ‘Multiple Choices’
     - If JS doesn’t run in the browser, it’s FF
  73. Chrome
     - Loads JavaScript returned with a 307 ‘Temporary Redirect’ status code
       - Other browsers tested DON’T (IE/FF)
     - Request JS from server
     - Respond with 307 ‘Temporary Redirect’
     - If JS runs in the browser, it’s Chrome
  74. Internet Explorer
     - Loads JavaScript returned with a 205 ‘Reset Content’ status code
       - Other browsers tested DON’T (FF/Chrome)
     - Request JS from server
     - Respond using 205 ‘Reset Content’
     - If JS runs in the browser, it’s IE
  75. Other options to fingerprint browsers
     - 300 Redirect (Chrome)
     - 305/306 JavaScript (Firefox)
     - 400 iFrame (Internet Explorer)
     - …
     - There are probably more
  76. BROWSER FINGERPRINTING DEMO
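The three probes from slides 72-74 as one small server, written as an added example (not the talk's PHP or mitmproxy scripts): the same script URL is answered with 300, 307 or 205 and no Location header, and classify() applies the talk's rules to whichever copies executed. The paths, markup, port and report mechanism are assumptions.

```python
"""Status-code browser probe: added example, not the talk's own scripts.
Serves a page that loads /probe.js three times, each answered with a different
status code and no Location header; which copies execute reveals the engine
regardless of the User-Agent string. Paths, markup and port are assumptions."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Slides 72-74: 300 -> Firefox won't run it; 307 -> only Chrome runs it;
# 205 -> only Internet Explorer runs it.
PROBE_CODES = (300, 307, 205)

PAGE = (b"<!doctype html><title>probe</title><script>window.__ran=[];</script>"
        + b"".join(b'<script src="/probe.js?code=%d"></script>' % c for c in PROBE_CODES)
        + b'<script>new Image().src="/report?ran="+window.__ran.join(",");</script>')


def classify(ran):
    """Apply the three rules to the set of codes whose script actually executed."""
    ran = set(ran)
    if 300 not in ran:
        return "Firefox"
    if 307 in ran:
        return "Chrome"
    if 205 in ran:
        return "Internet Explorer"
    return "unknown"


class Probe(BaseHTTPRequestHandler):
    def _send(self, code, ctype, body):
        self.send_response(code)  # deliberately no Location header on 300/307
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        url = urlparse(self.path)
        qs = parse_qs(url.query)
        if url.path == "/probe.js":
            code = int(qs.get("code", ["200"])[0])
            self._send(code, "application/javascript", b"window.__ran.push(%d);" % code)
        elif url.path == "/report":
            ran = [int(c) for c in qs.get("ran", [""])[0].split(",") if c]
            self.log_message("%s ran %s -> %s", self.client_address[0], ran, classify(ran))
            self._send(204, "text/plain", b"")
        else:
            self._send(200, "text/html", PAGE)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Probe).serve_forever()
```

Comparing the logged guess with the request's User-Agent header is what turns this into a spoofed-UA check.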
  77. USER-AGENTS CAN BE SPOOFED
  78. BROWSER TRAITS CAN’T
  79. PROXY DETECTION
  80. Chrome
     - Chrome handles proxy configuration differently to other browsers
       - 407 status code isn’t rendered
       - Unless an HTTP proxy is set!
     - Allows us to detect if an HTTP proxy is in use
       - Just not which proxy
     - Can only detect HTTP proxies ;(
  81. Chrome Proxy Detection
     - Request page from server
     - Respond using 407 ‘Proxy Authentication Required’
       - w/o Proxy-Authenticate header
     - If Chrome responds, it’s configured to use an HTTP proxy
  82. Side-Effect: Owning Proxies
     - Privoxy 3.0.20 (CVE-2013-2503)
       - 407 Proxy Authentication Required
       - w/ Proxy-Authenticate header
       - User prompted for username/password
       - Prompt appears to be from Privoxy
       - Privoxy passes username/password to remote site
       - Profit???
  83. BRINGING IT TOGETHER
  84. What we have
     - Status codes all browsers treat as content
     - Status codes all browsers can’t handle
       - 10X, etc.
     - Lots of browser quirks
  85. What can we do
     - F*ck with things
     - Screw with scanner monkeys
     - Make RFC lovers cry into their beer
     - Break things in general
  86. Let’s try to…
     - Use what we’ve discovered to…
       - Break spidering tools
       - Cause false positives / negatives
       - Slow down attackers
         - The fun way!
       - Block successful exploitation
  87. BREAKING SPIDERS
  88. Simplistic view of spiders
  89. Spider loop
     - Access target URL
     - Read links / functions
     - Test them out
     - If true: repeat
       - What is TRUE?
  90. What happens if:
     - Every response is a 200
     - Every response is a 404 / 500
  91. 200 OK
     - IF 200 == True:
       - Problems!
       - Never-ending spider
  92. 404 Not Found
     - IF 404 == False:
       - More problems!
       - What website?
  93. 500 Internal Server Error
     - Skipfish != happy fish
  94. False Positives/Negatives
  95. Most scanners use status codes
     - At least to some extent
     - Initial match (prior to more costly regex)
     - Speed up detection
  96. What happens if:
     - Every response is a 200
     - Every response is a 404 / 500
     - Every response is random*
     * Using codes that are accepted by all browsers as content
  97. Vulnerability Baseline
     - w3af
       - Information: 79 points
       - Vulnerabilities: 65
       - Shells: 0 shells
       - Scan time: 1h37m23s
  98. Every response 200 OK
     - No change
       - All points discovered, per baseline
       - 79/65/0
     - Scan time: 9h56m55s
       - Lots more to check ;)
  99. Every response 404 Not Found
     - Less to scan == Less to find
       - False negatives
       - 44 Information points (-35)
       - 37 Vulnerabilities (-28)
     - Scan time: 7m13s
       - Much quicker scan
       - Fewer paths traversed
  100. Every response 500
     - Server error == OMG VULN!
       - False positives+++
       - 9540 Information points (+9461)
       - 9526 Vulnerabilities (+9461)
  101. Random Status Codes
     - Multiple runs
       - All tests produced False positives++
       - avg. 619 Information points (+540)
       - avg. 550 Vulnerabilities (+485)
     - Avg. scan time: 11m37s
       - Much quicker scan
  102. Random Status Codes
     - Skipfish + $rand = chaos
       - False Positives and False Negatives
       - Scan jobs killed due to lack of resources
     - Scan times
       - 1st scan time: 10h3m35s
       - 2nd scan time: 0h0m4s
       - 3rd scan time: 16h47m41s
  103. Slowing attackers down!
  104. What does your WAF really do?
  105. Typical WAF flow
     - OMG Attack
     - Return error (401?)
     - Profit???
  106. Why?
  107. Remember that list of status codes browsers don’t handle well?
  108. Yeah well, scanners don’t usually handle them well either!
  109. Especially the 1XX codes
  110. Remember LaBrea tarpit?
     - Tim Liston 2001 (labrea.sourceforge.net)
     - Designed to slow spread of Code Red
     - Slows down scans / attackers
  111. How about an HTTP Tarpit!
  112. HTTP Tarpit Scenario
     - WAF detects scan / attack
     - Adds source IP to “naughty” list
     - All responses from the server are rewritten
       - 100|101|102 status codes only (random)
       - 204|304 might also be useful (no content)
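The tarpit scenario on slide 112 as a WSGI middleware, written as an added example (not the talk's mitmproxy scripts). The talk's WAF detection is replaced by a simple stand-in assumption: a client that racks up `threshold` 404s goes on the naughty list, after which every one of its responses is rewritten to a random 1XX with no body; the same rewrite also starves status-code checks of the kind shown later on slide 127. `demo_app` and `drive` are constructed helpers for exercising it offline.

```python
"""HTTP tarpit as WSGI middleware: added example, not the talk's scripts.
Detection stand-in: `threshold` 404s from one IP puts it on the naughty list;
from then on it gets only random bodiless 1XX responses (or, with the
alternative pool, 204/304), which browsers never render and scanners wait on."""
import random
from collections import Counter

TARPIT_CODES = {100: "Continue", 101: "Switching Protocols", 102: "Processing"}
NO_CONTENT_CODES = {204: "No Content", 304: "Not Modified"}  # slide 112's alternative


class Tarpit:
    def __init__(self, app, threshold=20, codes=TARPIT_CODES, rng=random):
        self.app, self.threshold, self.codes, self.rng = app, threshold, codes, rng
        self.misses = Counter()  # 404s seen per client IP
        self.naughty = set()     # IPs whose responses are rewritten

    def pick(self):
        code = self.rng.choice(sorted(self.codes))
        return "%d %s" % (code, self.codes[code])

    def __call__(self, environ, start_response):
        ip = environ.get("REMOTE_ADDR", "?")
        if ip in self.naughty:  # never reach the real app again
            start_response(self.pick(), [])
            return [b""]
        seen = {}

        def watch(status, headers, exc_info=None):
            seen["status"] = status
            return start_response(status, headers, exc_info)

        body = self.app(environ, watch)
        if seen.get("status", "").startswith("404"):
            self.misses[ip] += 1
            if self.misses[ip] >= self.threshold:
                self.naughty.add(ip)
        return body


def demo_app(environ, start_response):
    """Constructed stand-in site: only / exists, everything else is a 404."""
    if environ.get("PATH_INFO") == "/":
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"hello"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"nope"]


def drive(app, ip, path):
    """Push one constructed request through a WSGI app; return its status line."""
    seen = []
    list(app({"REMOTE_ADDR": ip, "PATH_INFO": path}, lambda s, h, e=None: seen.append(s)))
    return seen[0]
```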
  113. Let’s do some science!*
     * Science not included
  114. Nikto vs. HTTP Tarpit
  115. Nikto results
       Baseline: scan time 2m 18s, findings 18
       HTTP Tarpit: scan time 14h 33m 2s, findings 10
  116. W3AF vs. HTTP Tarpit
  117. W3AF results
       Baseline: scan time 1h 37m 23s, findings 65
       HTTP Tarpit: scan time 18m 10s, findings 0
  118. Skipfish vs. HTTP Tarpit
  119. Skipfish results
       Baseline: scan time 18m 10s, findings Low: 2519 / Med: 2522 / High: 12
       HTTP Tarpit: scan time 05s, findings Low: 0 / Med: 0 / High: 3
  120. HTTP Tarpit
     - HTTP Tarpit Results*
       - Slow scans (nikto)
         - 340x as long
       - Unreliable / aborted scans (w3af / skipfish)
         - 100% less findings
     * Not scientifically sound ;)
  121. Blocking successful exploitation
  122. We’ve made it hard to find the vulnerabilities
  123. We’ve made it time consuming for attackers
  124. Now let’s stop the sk1dd13s using Metasploit to pop $hells
  125. How often does Metasploit reference status codes?
       rgrep -E res[p|ponse]?.code
       Result: 846 matches*
     * Not scientifically sound ;)
  126. Lots of dependency on status codes*
     * yep, even the stuff I wrote
  127. Typical Metasploit module check (quotes around the header names were lost in extraction):

         if (res.code < 200 or res.code >= 300)
           case res.code
           when 401
             print_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
           end
           fail_with(Exploit::Failure::Unknown, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]")
         end

  128. No match, No shell*
     * exploit dependent
  129. REVIEW
  130. Review
     - Using status codes to our benefit is fun
       - … and useful!
     - Browsers can be quirky
     - Scanners / attack toolkits are sometimes set in their ways
       - Take the easy route
       - Easy to fool
  131. WAFs need to get more offensive about their defense
     - More than just blocking a request with a snazzy message
     - Hacking back is bad
     - Slowing down known attacks is good
     - Making life harder for skiddies is pricele$$
  132. Current tools are much the same as APT
     - APT (Adequate Persistent Threat)
     - Only as advanced as they NEED to be
  133. Countering this research
  134. Countermeasures
     - Less reliance on status codes
     - More reliance on content / headers
       - Pros
         - Better matching / intelligence
       - Cons
         - Slower? (regex)
         - More resource intensive
  135. Questions?
  136. MITMPROXY SCRIPTS AVAILABLE: GITHUB.COM/CHRISJOHNRILEY/RANDOM_CODE
  137. Thanks for coming. http://c22.cc contact@c22.cc
