Bh us-03-ornaghi-valleri
Bh us-03-ornaghi-valleri Presentation Transcript

  • 1. Blackhat Conference - USA 2003. Man in the middle attacks: Demos. Alberto Ornaghi <alor@antifork.org>, Marco Valleri <naga@antifork.org>
  • 2. The scenario: Server, Client, Attacker
  • 3. Once in the middle...
    – Injection
    – Key Manipulation
    – Downgrade attack
    – Filtering
  • 4. Injecting
    – Possibility to add packets to an already established connection (only possible in full-duplex mitm).
    – The attacker can modify the sequence numbers and keep the connection synchronized while injecting packets.
    – If the mitm attack is a "proxy attack" it is even easier to inject (there are two distinct connections).
  • 5. Injecting: Command injection
    – Useful in scenarios where a one time authentication is used (e.g. RSA token).
    – In such scenarios sniffing the password is useless, but hijacking an already authenticated session is critical.
    – Injection of commands to the server.
    – Emulation of fake replies to the client.
  • 6. Command Injection: DEMO
  • 7. Key Manipulation: SSH v1, IPSEC, HTTPS
  • 8. Key Manipulation: SSH v1
    – Modification of the public key exchanged by server and client.
    – Diagram (Server, MITM, Client): start; Server sends KEY(rsa), MITM passes its own KEY(rsa) to Client; Client returns Ekey[S-Key], MITM re-encrypts it as Ekey[S-Key] for Server; Server, MITM and Client now all hold S-KEY; traffic Eskey(M) is D(E(M)) at the MITM.
  • 9. SSH v1 Attack: DEMO
  • 10. Key Manipulation: IPSEC
    – If two or more clients share the same "secret", each of them can impersonate the server with another client.
    – Diagram (Client, MiM, Server): Diffie-Hellman exchange 1 between Client and MiM, authenticated by pre-shared secret; Diffie-Hellman exchange 2 between MiM and Server, authenticated by pre-shared secret; MiM de-crypts and re-crypts each packet.
  • 11. Key Manipulation: HTTPS
    – We can create a fake certificate (eg: issued by VerySign) relying on browser misconfiguration or user dumbness.
    – Diagram (Client, MiM, Server): fake cert. between Client and MiM; real connection to the server between MiM and Server.
  • 12. HTTPS Attack: DEMO
  • 13. Filtering
    – The attacker can modify the payload of the packets by recalculating the checksum.
    – He/she can create filters on the fly.
    – The length of the payload can also be changed but only in full-duplex (in this case the seq has to be adjusted).
  • 14. Filtering: Code Filtering / Injection
    – Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc.).
    – Modification on the fly of binary files during the download phase (virus, backdoor, etc.).
  • 15. Binary Modification: DEMO
  • 16. Filtering: HTTPS redirection. Let's see an example.
    – Diagram (Client, MiM, Server): Server sends the http main page with https login form; MiM changes the form destination to http://attacker; Client sends an http post (login, password) to the MiM, which records login and password; MiM answers with an auto-submitting hidden form with the right authentication data; Client makes the real https authentication post to the Server; authenticated connection.
  • 17. HTTPS Redirection Attack: DEMO
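A client-side check for the form rewrite shown on slide 16, added here as an example that is not part of the original presentation: it parses a page with Python's html.parser and flags any form containing a password field whose resolved action is not https, or which posts to a host other than the page's own. The page URL, the hostnames bank.example and attacker.example, and the HTML are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> on a page and note whether it contains a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if a.get("type", "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url: str, html: str) -> list:
    """Return one finding per form that carries a password field.

    Each finding lists why posting credentials to the form's resolved action would be
    unsafe: plaintext HTTP, or a host different from the page's own. An empty problem
    list means the form passed both checks.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue  # search boxes and the like are not of interest here
        target = urlsplit(urljoin(page_url, form["action"]))  # resolves relative actions too
        problems = []
        if target.scheme != "https":
            problems.append("credentials posted over plaintext HTTP")
        if target.hostname != page_host:
            problems.append(f"credentials posted to foreign host {target.hostname}")
        findings.append({"action": target.geturl(), "problems": problems})
    return findings


# Constructed samples: the page as the server sent it, and as the slide's filter rewrites it.
PAGE_URL = "http://bank.example/"
GENUINE_PAGE = """<html><body>
<form action="/search" method="get"><input type="text" name="q"></form>
<form action="https://bank.example/login" method="post">
  <input type="text" name="login"><input type="password" name="password">
  <input type="submit" value="Login">
</form></body></html>"""
REWRITTEN_PAGE = GENUINE_PAGE.replace("https://bank.example/login", "http://attacker.example/login")

if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_PAGE), ("rewritten", REWRITTEN_PAGE)):
        for finding in audit_login_forms(PAGE_URL, page):
            print(label, finding["action"], finding["problems"] or "ok")
```

The same check also catches the weaker design the slide relies on: a login form served over http with a relative action is flagged even without tampering, because the credentials would travel in clear text either way.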
  • 18. Downgrade Attacks: SSH v2, IPSEC, PPTP
  • 19. Downgrade Attacks: SSH v2 → v1
    – Parameters exchanged by server and client can be substituted in the beginning of a connection (algorithms to be used later).
    – The attacker can force the client to initialize a SSH1 connection instead of SSH2.
    – The server replies in this way: SSH-1.99 -- the server supports ssh1 and ssh2; SSH-1.51 -- the server supports ONLY ssh1.
    – The attacker makes a filter to replace "1.99" with "1.51".
    – Possibility to circumvent known_hosts.
  • 20. SSH v2 Downgrade: DEMO
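The client-side policy that defeats the banner rewrite on slide 19, added here as an example (not code from the presentation or from any SSH implementation): it parses the identification string of RFC 4253, maps the protoversion field to the protocol majors the server offers (1.99 meaning both, 2.0 meaning protocol 2 only, 1.x meaning protocol 1 only), refuses protocol 1 unless explicitly allowed, and gives a monitor a check for a server that used to offer protocol 2 and suddenly does not. The banner strings are constructed samples.

```python
import re

# RFC 4253 identification string: "SSH-protoversion-softwareversion [SP comments]" CR LF.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>[0-9]+\.[0-9]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n?$"
)


def parse_banner(line: str) -> dict:
    """Split an SSH identification string into its fields; raise on anything else."""
    m = _BANNER_RE.match(line)
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return {"proto": m.group("proto"), "software": m.group("software"),
            "comments": m.group("comments") or ""}


def offered_protocols(proto: str) -> frozenset:
    """Major protocol versions a server advertises with a given protoversion field."""
    if proto == "1.99":          # legacy marker: both protocol 1 and protocol 2 supported
        return frozenset({1, 2})
    if proto == "2.0":
        return frozenset({2})
    if proto.startswith("1."):   # 1.3, 1.5, 1.51 ...: protocol 1 only
        return frozenset({1})
    raise ValueError(f"unknown SSH protoversion {proto!r}")


def choose_protocol(server_banner: str, allow_protocol1: bool = False) -> int:
    """Client policy: always take protocol 2 when offered; never fall back to 1 unless allowed."""
    offered = offered_protocols(parse_banner(server_banner)["proto"])
    if 2 in offered:
        return 2
    if allow_protocol1:
        return 1
    raise ConnectionRefusedError(
        "server offers only SSH protocol 1; refusing (possible downgrade in transit)")


def banner_downgraded(previous_banner: str, current_banner: str) -> bool:
    """Monitoring check: the same server offered protocol 2 before and no longer does."""
    before = offered_protocols(parse_banner(previous_banner)["proto"])
    now = offered_protocols(parse_banner(current_banner)["proto"])
    return 2 in before and 2 not in now


if __name__ == "__main__":
    # Constructed banners: what the server sends, and what the slide's filter turns it into.
    genuine = "SSH-1.99-OpenSSH_3.6.1p2\r\n"
    tampered = "SSH-1.51-OpenSSH_3.6.1p2\r\n"
    print(choose_protocol(genuine))              # 2
    print(banner_downgraded(genuine, tampered))  # True
    try:
        choose_protocol(tampered)
    except ConnectionRefusedError as err:
        print("refused:", err)
```

With protocol 1 refused outright, the substituted "1.51" banner ends the connection instead of producing a protocol 1 session, which is also what removes the known_hosts problem the slide mentions: no protocol 1 host key is ever accepted.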
  • 21. Downgrade Attacks: IPSEC Failure
    – Block the keymaterial exchanged on the port 500 UDP.
    – End points think that the other cannot start an IPSEC connection.
    – If the client is configured in rollback mode, there is a good chance that the user will not notice that the connection is in clear text.
  • 22. Downgrade Attacks: PPTP attack (1)
    – During negotiation phase: force PAP authentication (almost fails); force MS-CHAPv1 from MS-CHAPv2 (easier to crack); force no encryption.
    – Force re-negotiation (clear text terminate-ack): retrieve passwords from existing tunnels; perform previous attacks.
    – Force "password change" to obtain password hashes: hashes can be used directly by a modified SMB or PPTP client; MS-CHAPv2 hashes are not useful (you can force v1).
  • 23. Downgrade Attacks: PPTP attack (2)
    – Diagram (Server, MITM, Client), messages in order after start: req | auth | chap; nak | auth | pap; req | auth | pap; ack | auth | pap; req | auth | fake; nak | auth | chap; req | auth | pap; ack | auth | pap.
    – Force PAP from CHAP. We don't have to mess with GRE sequences...
  • 24. Downgrade Attacks: L2TP rollback
    – L2TP can use IPSec ESP as transport layer (stronger than PPTP).
    – By default L2TP is tried before PPTP.
    – Blocking ISAKMP packets results in an IPSec failure.
    – Client starts a request for a PPTP tunnel (rollback).
    – Now you can perform PPTP previous attacks.
  • 25. PPTP Attack: DEMO
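A policy check for the LCP Authentication-Protocol negotiation that slides 22 and 23 manipulate, added as an example that is not code from the presentation or from any PPTP implementation: it parses an LCP Configure-Request or Configure-Nak, names the proposed authentication protocol from the PPP protocol number (PAP 0xC023, CHAP 0xC223) and the CHAP algorithm byte (0x05 MD5, 0x80 MS-CHAP, 0x81 MS-CHAPv2), and rejects any proposal below a configured minimum instead of following the peer down to PAP or MS-CHAPv1. The packet bytes are constructed inside the block.

```python
import struct

# LCP packet: Code(1) Identifier(1) Length(2) Options...; each option: Type(1) Length(1) Data
LCP_CONFIGURE_REQUEST, LCP_CONFIGURE_ACK, LCP_CONFIGURE_NAK = 1, 2, 3
LCP_OPT_AUTH_PROTOCOL = 3

# PPP protocol numbers carried in the Authentication-Protocol option
PPP_PAP, PPP_CHAP = 0xC023, 0xC223
# CHAP algorithm byte that follows the CHAP protocol number
CHAP_MD5, CHAP_MSCHAP_V1, CHAP_MSCHAP_V2 = 0x05, 0x80, 0x81

# Ordering used by the policy: anything to the left is a downgrade from anything to its right.
AUTH_RANK = {"PAP": 0, "CHAP-MD5": 1, "MS-CHAPv1": 2, "MS-CHAPv2": 3}


def parse_lcp(pkt: bytes):
    """Return (code, identifier, [(option_type, option_data), ...]); raise on malformed input."""
    if len(pkt) < 4:
        raise ValueError("LCP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("LCP length field inconsistent with packet")
    options, pos = [], 4
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated LCP option header")
        otype, olen = pkt[pos], pkt[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError("bad LCP option length")
        options.append((otype, pkt[pos + 2:pos + olen]))
        pos += olen
    return code, ident, options


def auth_name(option_data: bytes) -> str:
    """Name the authentication protocol an Authentication-Protocol option proposes."""
    if len(option_data) < 2:
        raise ValueError("Authentication-Protocol option needs a 2-byte protocol field")
    proto = struct.unpack("!H", option_data[:2])[0]
    if proto == PPP_PAP:
        return "PAP"
    if proto == PPP_CHAP:
        if len(option_data) < 3:
            raise ValueError("CHAP proposal without algorithm byte")
        names = {CHAP_MD5: "CHAP-MD5", CHAP_MSCHAP_V1: "MS-CHAPv1", CHAP_MSCHAP_V2: "MS-CHAPv2"}
        return names.get(option_data[2], f"CHAP-0x{option_data[2]:02x}")
    return f"0x{proto:04x}"  # EAP or anything else: unknown to this policy, hence rejected


def evaluate(pkt: bytes, minimum: str = "MS-CHAPv2") -> dict:
    """Decide, per proposed auth protocol, whether the peer's Configure-Request/Nak may be followed."""
    code, ident, options = parse_lcp(pkt)
    if code not in (LCP_CONFIGURE_REQUEST, LCP_CONFIGURE_NAK):
        raise ValueError(f"LCP code {code} carries no proposal to evaluate")
    verdicts = {}
    for otype, data in options:
        if otype != LCP_OPT_AUTH_PROTOCOL:
            continue
        name = auth_name(data)
        verdicts[name] = "accept" if AUTH_RANK.get(name, -1) >= AUTH_RANK[minimum] else "reject"
    return {"code": code, "id": ident, "proposals": verdicts}


def build_lcp(code: int, ident: int, proto: int, chap_alg=None) -> bytes:
    """Constructed test packets: one LCP packet carrying a single Authentication-Protocol option."""
    data = struct.pack("!H", proto) + (bytes([chap_alg]) if chap_alg is not None else b"")
    option = bytes([LCP_OPT_AUTH_PROTOCOL, 2 + len(data)]) + data
    return struct.pack("!BBH", code, ident, 4 + len(option)) + option


if __name__ == "__main__":
    genuine = build_lcp(LCP_CONFIGURE_REQUEST, 1, PPP_CHAP, CHAP_MSCHAP_V2)  # what the server asked for
    forced_pap = build_lcp(LCP_CONFIGURE_NAK, 1, PPP_PAP)                   # the "nak | auth | pap" step
    forced_v1 = build_lcp(LCP_CONFIGURE_REQUEST, 2, PPP_CHAP, CHAP_MSCHAP_V1)
    for pkt in (genuine, forced_pap, forced_v1):
        print(pkt.hex(), evaluate(pkt)["proposals"])
```

A peer that applies this policy answers the slide's "nak | auth | pap" with its own Configure-Nak for MS-CHAPv2 (or tears the link down) rather than the "ack | auth | pap" the diagram relies on; the "force no encryption" item on slide 22 is negotiated separately in CCP and needs the same kind of minimum on the MPPE options.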
  • 26. MITM attacks. Different attacks in different scenarios:
    – LOCAL AREA NETWORK: ARP poisoning, DNS spoofing, STP mangling, Port stealing
    – FROM LOCAL TO REMOTE (through a gateway): ARP poisoning, DNS spoofing, DHCP spoofing, ICMP redirection, IRDP spoofing, route mangling
    – REMOTE: DNS poisoning, traffic tunneling, route mangling
    – WIRELESS: Access Point Reassociation
  • 27. MITM attacks: ARP poisoning
    – ARP is stateless (we all know how it works and what the problems are).
    – Some operating systems do not update an entry if it is not already in the cache, others accept only the first received reply (e.g. solaris).
    – The attacker can forge spoofed ICMP packets to force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply.
    – Useful on switched lan (the switch will not notice the attack).
  • 28. MITM attacks: ARP poisoning - countermeasures
    – YES - passive monitoring (arpwatch)
    – YES - active monitoring (ettercap)
    – YES - IDS (detect but not avoid)
    – YES - Static ARP entries (avoid it)
    – YES - Secure-ARP (public key auth)
    – NO - Port security on the switch
    – NO - anticap, antidote, middleware approach
  • 29. ARP Poisoning: DEMO (all we have done until now...)
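The passive monitoring that slide 28 lists as a valid countermeasure, written out as an added example rather than arpwatch's own code: it decodes raw Ethernet/IPv4 ARP payloads, keeps an IP-to-MAC table and raises the kinds of events arpwatch reports (new station, changed ethernet address), plus a flag for replies that answer no request seen on the wire. The addresses 192.0.2.x and 00:00:5e:00:53:xx are documentation ranges used for the constructed frames; a real monitor would feed it frames from a capture.

```python
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
_ARP_FMT = "!HHBBH6s4s6s4s"          # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_LEN = struct.calcsize(_ARP_FMT)  # 28 bytes for Ethernet/IPv4


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(payload: bytes) -> dict:
    """Decode an Ethernet/IPv4 ARP payload (Ethernet header already stripped)."""
    if len(payload) < ARP_LEN:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(_ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": _mac(sha), "spa": _ip(spa), "tha": _mac(tha), "tpa": _ip(tpa)}


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build constructed test frames (ARP payload only)."""
    def mac(s): return bytes.fromhex(s.replace(":", ""))
    def ip(s): return bytes(int(o) for o in s.split("."))
    return struct.pack(_ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


class ArpWatch:
    """Passive IP-to-MAC tracker in the style of arpwatch."""

    def __init__(self):
        self.table = {}       # ip -> mac, learned from the sender fields of every packet
        self.pending = set()  # (asker_ip, asked_ip) for requests seen but not yet answered
        self.alerts = []

    def observe(self, payload: bytes) -> dict:
        a = parse_arp(payload)
        ip, mac = a["spa"], a["sha"]
        if a["oper"] == ARP_REQUEST:
            self.pending.add((ip, a["tpa"]))
        elif a["oper"] == ARP_REPLY:
            # A reply from `ip` to `tpa` should answer an earlier request in which tpa asked about ip.
            key = (a["tpa"], ip)
            if key in self.pending:
                self.pending.discard(key)
            else:
                self.alerts.append(f"unsolicited reply: {ip} is-at {mac} (sent to {a['tpa']})")
        if ip != "0.0.0.0":  # 0.0.0.0 senders are address probes, not stations to learn
            known = self.table.get(ip)
            if known is None:
                self.alerts.append(f"new station: {ip} is-at {mac}")
            elif known != mac:
                self.alerts.append(f"changed ethernet address: {ip} was {known}, now {mac}")
            self.table[ip] = mac
        return a


# Constructed traffic on a documentation subnet: gateway, one host, and a third MAC address.
GW_IP, GW_MAC = "192.0.2.1", "00:00:5e:00:53:01"
HOST_IP, HOST_MAC = "192.0.2.10", "00:00:5e:00:53:0a"
OTHER_MAC = "00:00:5e:00:53:66"
FRAMES = [
    build_arp(ARP_REQUEST, GW_MAC, GW_IP, "00:00:00:00:00:00", HOST_IP),  # gateway asks for host
    build_arp(ARP_REPLY, HOST_MAC, HOST_IP, GW_MAC, GW_IP),               # host answers
    build_arp(ARP_REPLY, OTHER_MAC, GW_IP, HOST_MAC, HOST_IP),            # third MAC claims the gateway IP
]


def run(frames=FRAMES) -> list:
    """Feed frames to a fresh monitor and return the alerts it produced."""
    watch = ArpWatch()
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in run():
        print(line)
```

The unsolicited-reply check on its own does not cover the sequence on slide 27 (provoke a real request with ICMP, then answer it first), because that reply looks solicited; the changed-address event still fires, which is why the history an arpwatch-style table keeps is the signal worth alerting on.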
  • 30. ARP Poisoning: Antidote Kernel Patch
    – http://www.securityfocus.com/archive/1/299929
    – "Kernel will send ARP request to test if there is a host at old MAC address. If such response is received it lets us know that one IP pretends to have several MAC addresses at one moment, that probably caused by ARP spoof attack."
    – We can fake this protection if the ARP entry is not in the cache and the real mac address will be banned.
  • 31. Antidote Attack: DEMO
  • 32. MITM attack: Port stealing
    – The attacker sends many layer 2 packets with: source address equal to victim hosts' address; destination address equal to its own mac address.
    – The attacker now has "stolen" victim hosts' ports.
    – When the attacker receives a packet for one of the victims it generates a broadcast ARP request for the victim's IP address.
    – When the attacker receives the ARP reply from the victim, the victim's port has been restored to the original binding state.
    – The attacker can now forward the packet and restart the stealing process.
    – Possibility to circumvent static-mapped arp entries.
  • 33. MITM attack: Port stealing - countermeasures
    – YES - port security on the switch
    – NO - static ARP
  • 34. Port Stealing: DEMO
  • 35. Q & A. Alberto Ornaghi <alor@antifork.org>, Marco Valleri <naga@antifork.org>