SlideShare a Scribd company logo

Dmk bo2 k7_web

Dan Kaminsky
Dan Kaminsky
Dan KaminskyChief Scientist at White Ops

Dmk bo2 k7_web

1 of 67
Download to read offline
copyright IOActive, Inc. 2006, all rights
reserved.
Black Ops 2007:
Design Reviewing The Web
AKA:
“Packets Will Be Involved”
Dan Kaminsky
Director of Penetration Testing
IOActive, Inc.
Introduction
• This is my seventh talk here at Black Hat, where
previous subjects have included:
– Everything over SSH
– Massive Speed Network Scanning
– Everything over DNS
– Pattern Analysis
– Neutrality Verification
• New Target: The World Wide Web
– Why?
That’s Not A Moon, That’s A Web
Browser
© LucasFilm
Mobile Too!
© LucasFilm
Where The Wild Things Are
• Rampant and persistent XSS/XSRF announcements
• Superbowl .WMF 0-day
– Two days before Superbowl, malicious image placed on
web page
– 1+M desktops compromised overnight
• DNS Rebinding Test By Dan Boneh’s Team at Stanford
– Test flash applet placed on an Ad network, distributed
across many web sites
– Applet acquired partial network connectivity to client LAN
– +100K networks exposed
These Are A Few Of My Favorite
Things
• DNS…? Tunneling…? Behind Firewalls…?
– “I try to get out, but they pull me back in!”
• DNS Rebinding is an old bug
– Dates back to 1996
– So old, people forgot about it, and started building
systems that didn’t defend against it
• Dan Boneh of Stanford University’s been driving the
most thorough research
– Attack dates back to 1996 (“Princeton Attack”)
– Martin Johns revived the attack in August 2006
– RSnake’s been pushing a lot of attention its way
• Effect: DNS Rebinding partially breaks the security
policy of the web.
Ad

Recommended

Phreebird Suite 1.0: Introducing the Domain Key Infrastructure
Phreebird Suite 1.0:  Introducing the Domain Key InfrastructurePhreebird Suite 1.0:  Introducing the Domain Key Infrastructure
Phreebird Suite 1.0: Introducing the Domain Key InfrastructureDan Kaminsky
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminskyDan Kaminsky
 
Black ops of tcp2005 japan
Black ops of tcp2005 japanBlack ops of tcp2005 japan
Black ops of tcp2005 japanDan Kaminsky
 

More Related Content

What's hot

Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Dan Kaminsky
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsDan Kaminsky
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Dan Kaminsky
 
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Dan Kaminsky
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slidesDan Kaminsky
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 cccDan Kaminsky
 
Bugs Aren't Random
Bugs Aren't RandomBugs Aren't Random
Bugs Aren't RandomDan Kaminsky
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Alec Muffett
 
Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017Dan Kaminsky
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHAndrew Morris
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorMike Felch
 

What's hot (20)

Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)Yet Another Dan Kaminsky Talk (Black Ops 2014)
Yet Another Dan Kaminsky Talk (Black Ops 2014)
 
Dmk bo2 k8
Dmk bo2 k8Dmk bo2 k8
Dmk bo2 k8
 
Dmk shmoo2007
Dmk shmoo2007Dmk shmoo2007
Dmk shmoo2007
 
Interpolique
InterpoliqueInterpolique
Interpolique
 
Black ops 2012
Black ops 2012Black ops 2012
Black ops 2012
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackops
 
Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)Domain Key Infrastructure (From Black Hat USA)
Domain Key Infrastructure (From Black Hat USA)
 
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
232 md5-considered-harmful-slides
232 md5-considered-harmful-slides232 md5-considered-harmful-slides
232 md5-considered-harmful-slides
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 ccc
 
Bugs Aren't Random
Bugs Aren't RandomBugs Aren't Random
Bugs Aren't Random
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
 
Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5Setting Up .Onion Addresses for your Enterprise, v3.5
Setting Up .Onion Addresses for your Enterprise, v3.5
 
Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017Wo defensive trickery_13mar2017
Wo defensive trickery_13mar2017
 
Shmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSHShmoocon Epilogue 2013 - Ruining security models with SSH
Shmoocon Epilogue 2013 - Ruining security models with SSH
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
 
Socially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front DoorSocially Acceptable Methods to Walk in the Front Door
Socially Acceptable Methods to Walk in the Front Door
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 

Similar to Dmk bo2 k7_web

Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Webamiable_indian
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Webroyans
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
Dmk sb2010 web_defense
Dmk sb2010 web_defenseDmk sb2010 web_defense
Dmk sb2010 web_defenseDan Kaminsky
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsYury Chemerkin
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Brandon Arvanaghi
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Chirp 2010: Scaling Twitter
Chirp 2010: Scaling TwitterChirp 2010: Scaling Twitter
Chirp 2010: Scaling TwitterJohn Adams
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...CODE BLUE
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploitTiago Henriques
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 

Similar to Dmk bo2 k7_web (20)

Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Web
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Web
 
Dmk bo2 k8_ccc
Dmk bo2 k8_cccDmk bo2 k8_ccc
Dmk bo2 k8_ccc
 
Realtime web2012
Realtime web2012Realtime web2012
Realtime web2012
 
Web identity part1
Web identity part1Web identity part1
Web identity part1
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
nanog
nanognanog
nanog
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
Dmk sb2010 web_defense
Dmk sb2010 web_defenseDmk sb2010 web_defense
Dmk sb2010 web_defense
 
Dmk neut toor
Dmk neut toorDmk neut toor
Dmk neut toor
 
TriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingToolsTriplePlay-WebAppPenTestingTools
TriplePlay-WebAppPenTestingTools
 
Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17Breadcrumbs to Loaves: BSides Austin '17
Breadcrumbs to Loaves: BSides Austin '17
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
Chirp 2010: Scaling Twitter
Chirp 2010: Scaling TwitterChirp 2010: Scaling Twitter
Chirp 2010: Scaling Twitter
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
[CB19] I KNOW WHAT YOU DID LAST NIGHT : Pwning The State-Of-The-Art the IoT H...
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Computer Network Part 1
Computer Network Part 1Computer Network Part 1
Computer Network Part 1
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 

More from Dan Kaminsky

Move Fast and Fix Things
Move Fast and Fix ThingsMove Fast and Fix Things
Move Fast and Fix ThingsDan Kaminsky
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryDan Kaminsky
 
I Want These * Bugs Off My * Internet
I Want These * Bugs Off My * InternetI Want These * Bugs Off My * Internet
I Want These * Bugs Off My * InternetDan Kaminsky
 
Chicken Chicken Chicken Chicken
Chicken Chicken Chicken ChickenChicken Chicken Chicken Chicken
Chicken Chicken Chicken ChickenDan Kaminsky
 
Some Thoughts On Bitcoin
Some Thoughts On BitcoinSome Thoughts On Bitcoin
Some Thoughts On BitcoinDan Kaminsky
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingDan Kaminsky
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsDan Kaminsky
 

More from Dan Kaminsky (14)

Move Fast and Fix Things
Move Fast and Fix ThingsMove Fast and Fix Things
Move Fast and Fix Things
 
A Technical Dive into Defensive Trickery
A Technical Dive into Defensive TrickeryA Technical Dive into Defensive Trickery
A Technical Dive into Defensive Trickery
 
Chicken
ChickenChicken
Chicken
 
I Want These * Bugs Off My * Internet
I Want These * Bugs Off My * InternetI Want These * Bugs Off My * Internet
I Want These * Bugs Off My * Internet
 
Chicken Chicken Chicken Chicken
Chicken Chicken Chicken ChickenChicken Chicken Chicken Chicken
Chicken Chicken Chicken Chicken
 
Some Thoughts On Bitcoin
Some Thoughts On BitcoinSome Thoughts On Bitcoin
Some Thoughts On Bitcoin
 
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of TryingShowing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
Showing How Security Has (And Hasn't) Improved, After Ten Years Of Trying
 
Interpolique
InterpoliqueInterpolique
Interpolique
 
Bh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackopsBh us-02-kaminsky-blackops
Bh us-02-kaminsky-blackops
 
Bh eu 05-kaminsky
Bh eu 05-kaminskyBh eu 05-kaminsky
Bh eu 05-kaminsky
 
Dmk audioviz
Dmk audiovizDmk audioviz
Dmk audioviz
 
Bo2004
Bo2004Bo2004
Bo2004
 
Gwc3
Gwc3Gwc3
Gwc3
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open ssh
 

Dmk bo2 k7_web

  • 1. copyright IOActive, Inc. 2006, all rights reserved. Black Ops 2007: Design Reviewing The Web AKA: “Packets Will Be Involved” Dan Kaminsky Director of Penetration Testing IOActive, Inc.
  • 2. Introduction • This is my seventh talk here at Black Hat, where previous subjects have included: – Everything over SSH – Massive Speed Network Scanning – Everything over DNS – Pattern Analysis – Neutrality Verification • New Target: The World Wide Web – Why?
  • 3. That’s Not A Moon, That’s A Web Browser © LucasFilm
  • 5. Where The Wild Things Are • Rampant and persistent XSS/XSRF announcements • Superbowl .WMF 0-day – Two days before Superbowl, malicious image placed on web page – 1+M desktops compromised overnight • DNS Rebinding Test By Dan Boneh’s Team at Stanford – Test flash applet placed on an Ad network, distributed across many web sites – Applet acquired partial network connectivity to client LAN – +100K networks exposed
  • 6. These Are A Few Of My Favorite Things • DNS…? Tunneling…? Behind Firewalls…? – “I try to get out, but they pull me back in!” • DNS Rebinding is an old bug – Dates back to 1996 – So old, people forgot about it, and started building systems that didn’t defend against it • Dan Boneh of Stanford University’s been driving the most thorough research – Attack dates back to 1996 (“Princeton Attack”) – Martin Johns revived the attack in August 2006 – RSnake’s been pushing a lot of attention its way • Effect: DNS Rebinding partially breaks the security policy of the web.
  • 7. How Does The Web Work? • Web pages are pulled together in the browser, from pieces that can come from all over the place – You can even embed one web page inside another one! • This is an “IFrame” – But what if someone embedded Hotmail, and you were logged in? Would they be able to read your mail?
  • 8. The Same Origin Policy • “Look but don’t touch” – A web page can embed Hotmail, but it can’t “look inside” to see what’s happening – Access to “look inside” controlled by Same Origin Policy – If foo.com has an iframe to foo.com, it can look inside. – If foo.com has an iframe to bar.com, it can display bar.com to the user, but it can’t peek inside and see what the user sees. • “If two things come from the same place, they must be trusted the same” – Same place = Same name, right?
  • 9. The Bug • Names don’t host anything. • Everything comes from IP addresses • We use DNS to translate between a name we trust and an IP address we communicate with – Foo.com -> 1.2.3.4 – Bar.com -> 3.4.5.6 • Assumption: The translations don’t change – Reality: Both foo.com and bar.com can return any IP address, at any time, whether they control that IP or not • Bar.com can return an IP address of Foo.Com’s
  • 10. Now What? • One moment, bar.com could point to a server in Europe • The next moment, bar.com could point to the printer down the hall • Suppose your browser loaded a page from each address – The content from the European server would be from bar.com – The content from the printer down the hall would also be from bar.com – According to the Same Origin Policy, the server in Europe can do whatever it wants to your printer! • The server can’t get past your corporate firewall… • …but it doesn’t need to. It’ll tell your browser what to do, and your browser will report back with whatever your printer is up to.
  • 11. Why The Attack Works • Browser doesn’t know bar.com from the external IP is any different from bar.com from the internal IP – This is by design – Major web sites have IP addresses spread across the world, and resources acquired from them need to be able to script against one another • Detecting that there’s a cross-IP scripting action happening is only the beginning – what to do after that is what people are trying to figure out.
  • 12. What is the canonical attack here? • Firewall Bypass – Most corporate networks draw a significant distinction between the external network and the internal network • Things inside can route out • Things outside cannot route in • By bouncing off a lured browser, an attacker on the outside can access resources on the inside
  • 13. Levels of Exploitation • Level 1: Browser-Only – One IFrame is from Europe, the other is down the hall. Same name, so they can script against eachother. – The Win: Arbitrary HTTP Sites • Level 2: Web Plugins – MSXML* / XmlHTTPRequest / Silverlight – The Win: HTTP + Web Services + Semi-Arbitrary Headers • Level 3: Socket Plugins – Flash / Java, though different resources available through each – The Win: Everything from L1+L2, plus various degrees of TCP or UDP access
  • 14. Java • Original Target of 1996 Princeton Attack – From Applet interface, can only get high-port UDP and TCP to the actual calling app • More widely deployed than I thought • LiveConnect – Ability for Javascript to call Sockets directly, without going through Applet interface – Totally rebindable – effect is high-port UDP and TCP to anyone – FireFox and Safari only though
  • 15. Flash • Has worked hardest to make arbitrary socket connections work when they’re supposed to – Most mature security model in the industry – They don’t handle rebinding well though • Breaks what is otherwise a lot of really good work  • Effect: Arbitrary TCP, though you have to pull some tricks to get TCP ports below 1024
  • 16. Mechanisms for rebinding an address • Lots of ways to use a rebind, but how do you achieve it in the first place? – How do you cause the DNS infrastructure to accept your change of address? – The entire architecture is designed to cache across hours to days, not to be swappable in seconds • Three mechanisms – Temporal – Spatial – Ridiculous
  • 17. Traditional Rebinding: Temporal Modulation • DNS records have a TTL field – lets you declare how long a record should live in the infrastructure before a second query causes a new request to the original server – Declare a 0 TTL and records will supposedly not cache – Now every time the browser has a slightly different DNS request, you get an opportunity to provide a different location • Problem: Some networks won’t respect your low TTL. Some networks brag about that ;) – You could wait until the network-enforced minimum TTL expires, but that takes time
  • 18. Another Rebinding Mechanism: Spatial Modulation • DNS responses can contain multiple addresses • When bar.com is asked for its IP address, it returns both its address and the address of the printer – This can have a infinite TTL • Problem: Which record will the browser choose? – Totally random.  • Solution: Try again – Seriously.
  • 19. Spatial Error Resolution • Case 1: Browser wants external, gets internal – Fix 1: External resource is hosted on an unusual port, so the internal connection will fail and thus retry to external. This has problems with outbound firewalls, though. – Fix 2: Immediately after connecting, look for evidence in the connected session that we’ve actually reached the correct server. If not, destroy the object that did the incorrect retrieve and keep trying until success. • The trick: Retrieve the content with XMLHttpRequest so that you can actually destroy the object that guessed incorrectly. • Case 2: Flash/Java wants internal, gets external – Fix: Look for magic token on incoming session. If magic token is returned, destroy the object and try again. If no token, retry the applet a couple times just in case there’s a extrusion firewall in the way.
  • 20. Ridiculous? • People are trying to use DNS TTLs as a security technology • DNS TTL’s are not a security technology – Finally, something less a security technology than Virtual Machines  • Overriding a TTL, if you control the record, turns out to be very easy, and this is by design – When something wasn’t designed to be a security technology, don’t be surprised when it isn’t one
  • 21. CNiping • CNAME Records: DNS Aliases – Instead of returning an address, return what the “Canonical”, or Official Name was, and then the address of that Canonical Name – If you are allowed to be the resolver for that canonical name, your additional record overrides whatever’s already in the cache, even if the TTL hasn’t expired yet • It’s not a bug. • Works against most, but not actually all name servers
  • 22. CNiping Demo[0] • dig 1.foo.notmallory.com ;; ANSWER SECTION: 1.foo.notmallory.com. 120 IN CNAME bar.foo.notmallory.com bar.foo.notmallory.com. 120 IN A 10.0.0.0 • dig bar.foo.notmallory.com bar.foo.notmallory.com. 111 IN A 10.0.0.0
  • 23. CNiping Demo[1] • dig 2.foo.notmallory.com 2.foo.notmallory.com. 120 IN CNAME bar.foo.notmallory.com. bar.foo.notmallory.com. 120 IN A 10.0.0.1 • dig bar.foo.notmallory.com bar.foo.notmallory.com. 118 IN A 10.0.0.1
  • 24. Review • By swapping addresses out from underneath a web browser, we can get arbitrary TCP (and sometimes UDP) access to hosts reachable by the client. What can we do with this? – Can we VPN into corporate networks with nothing but a lured web browser? • Sure! It’s easy!* * Actually a pain in the ass, but heh 
  • 25. Concentration • Three actors in this little dance – The Browser, which has access to internal resources – The Attacker, which wants access to those internal resources – The Proxy, which sends code to the Browser to copy messages from the Attacker • We will start with the Proxy, running software of my design. This software is called Slirpie.
  • 26. Slirpie, The Proxy • Multiprotocol Server, Built using POE – Accepts TCP streams for Browser delivery, containing routing data – Accepts HTTP requests for those routable streams – Accepts DNS requests to direct routing – Accepts XMLSocket requests to determine routing policy • For Flash • The basic theme is – Attacker connects to Proxy, which manages the appropriate resources in Browser to service the Attacker’s connections.
  • 27. A Bucket of Suckets • Browser connects, establishes an IFrame called a “Bucket” – A bucket is a collection of connection managers – The bucket polls for new connections to establish • Attacker connects to Proxy and requests a socket to 10.0.0.1, port 80. • Browser Bucket retrieves list of new connections, compares against the previous list, notices one new demand for 10.0.0.1:80. – Bucket opens up a 2nd level IFrame for this new IP address. • The IFRAME SRC attribute for the 2nd level IFrame is set to 10.0.0.1.foo.proxydomain.com. For now, it still resolves to the Proxy’s address. – This 2nd level IFrame is called a “Sucket”.
  • 28. Demo JSON • { • "10.0.0.1" : { • "3" : { • "from_browser_seq" : -1, • "server_state" : "CONNECTED", • "from_browser_ack" : -1, • "to_browser" : { • "1" : "YQo=", • "0" : "Zm9vCg==", • "3" : "Ywo=", • "2" : "Ygo=" • }, • "dport" : 80, • "dproto" : 6, • "browser_state" : "CONNECTING", • "to_browser_seq" : 3, • "to_browser_ack" : -1, • "from_browser" : { • • } • } • } • }
  • 29. How many DNS requests does it take to get to the center of your corporate network? • Javascript alone will not open this Socket. Flash is necessary. – HaXe, a metalanguage, is used to compile both a Flash object and a Javascript interface to it. – The Flash object is loaded, and directed to create a connection to 10.0.0.1:80 • QUERY ONE: Load the movie from 10.0.0.1.foo.proxyhost.com (actually Proxy’s IP) • QUERY TWO: Load the security policy controlling <1024 port access from 10.0.0.1.foo.proxyhost.com (still Proxy’s IP) • ARM THE REBIND: Tell the Proxy to return a different address with the next query, using a special HTTP query. • QUERY THREE: Connect to 10.0.0.1.foo.proxyhost.com:80 (now finally returning 10.0.0.1). – Connection is in the applet loaded by the proxy, using the
  • 30. Managing Dataflows • 1) Data is received by Flash – sent down into the Sucket’s DOM for eventual collection. • 2) Bucket prepares to send an update to the Proxy. It visits each Sucket, and retrieves the latest list of updates. • 3) Proxy received the update, acknowledges reception, and sends any replies in the update response. • 4) Bucket receives the response, and tells each Sucket to parse their replies and send() them up through Flash.
  • 31. But What Of Domains? • Each of those IFrames inside the bucket is in a different domain than the bucket itself. – Why can they push stuff up, or pull stuff down? • Same Origin Policy allows two subdomains from the same domain to explicitly claim support for one another – So we do that. – Thanks Same Origin Policy! 
  • 32. And that’s it! • OK, a little bit of housekeeping for opening and closing sockets, and eventually entire suckets. – Yeah, it’s a reimplementation of TCP in Javascript. Who else was going to write it?  • …but what about the attacker? How does he open sockets?
  • 33. Does anyone remember this? •
  • 34. Back In The Day, When I Was Young I’m Not Runnin’ 95 Anymore • SLiRP – 1995 era tool that turned shell connections (text only) into PPP connections (pretty pretty pictures) – Was old school when I used it in my talk back in 2001 – What SLiRP actually does: Given a stream of packets, create sockets and send the data in the packets into the sockets • SLiRP was Userspace NAT – Where to find SLiRP: Recent versions … uh … disappeared. • Found in my “ancient cool stuff” archive 
  • 35. SLIRP and PPTP • PoPToP: Linux PPTP Daemon – PPTP: Horrifyingly hideous VPN protocol, ultimately uses a PPP encapsulated stream of packets – PoPToP can hand this PPP stream to SLiRP for termination • Makes setting up a VPN link much easier • Makes VPN’ing into a web browser possible. • Normally, SLiRP would now handle sockets directly – What if, instead, it gave the socket requests to Slirpie?
  • 36. The General Idea • The Attacker runs applications that use sockets. • The sockets get their traffic sent over PPTP to SLIRP. • SLIRP provides a set of streams to the Proxy. • The Proxy tells the Browser’s bucket to open appropriate suckets. • The Browser opens suckets, which themselves provide sockets. • The Proxy mediates traffic between the Attacker’s sockets and the Browser’s sockets. • And it all just works. – Nessus over IE: Nessie! – WoW over IE: Wowie! – Any TCP-based protocol should work.
  • 37. What else can we use this for? • Things other people have mentioned – Click Fraud – go to random web sites, do bad things – SPAM – er, you get Port 25 access too • What else can we do? – “Stealth Tor” – go to a website, be involuntarily added to a worldwide proxy network – Protect Network Neutrality – P2P Networking? • Java provides UDP support. Even through NATs, bidirectional UDP = ability to generate a cloud entirely in the browser – That one thing…
  • 38. IP OVER SPAM • Defcon 14, TCP/IP Drinking Game – “How would you get around the great firewall of China?” • “Correct Answer”: Drop all RST packets, ignore the firewall trying to shut you down • My Answer: Encapsulate data in SPAM. • We have IP (or at least TCP) inbound • We have SPAM outbound • Uh… – You know, I was originally joking…
  • 39. Oh, People Are Interested In This Whole Network Neutrality Thing? • I…was unaware this was such a hot button subject when I started developing tools to detect problems with it – First of all, we need to start using the correct language: We wish to detect Provider Hostility • If you’re sniffing my traffic, you’re hostile. • If you’re altering my traffic, you’re hostile. • If you’re censoring my traffic, you’re hostile. • If you’re selling my traffic, you’re very very hostile. • Would the military bomb you for doing it to them? You’re hostile. Deal.
  • 40. What Do We Need To Detect Provider Hostility? • Downloading data from two separate sites, at two separate speeds, unfortunately doesn’t tell us much – Too many factors are conflated to determine what one thing is causing the problem • What we want: “Given identical network paths for two web sites, is the last mile provider hostile to content from one site vs. another?” – Detect differential speeds – Correct content injection
  • 41. SOMEBODY is buying this stuff • Everyone who knows anyone who makes routers knows that carriers are desperately trying to buy routers that support hostility. • There are repeated news articles about ISPs replacing ads and companies setting themselves up as ad replacers • Can we monitor the spread of this problem? – Can we defend Online Advertising against the Times Square effect?
  • 42. The Times Square Effect • Movies that show Times Square replace all the ads. – No contractual obligation not to – No real expectation from the viewer that this is reality – it’s a movie • Carriers are under no contractual obligation to host the web sites they say they are – “Provider In The Middle” attacks might very well be profitable! • Web sites and ads – Users tolerate them – Businesses would pay dearly to be top ranked on Google – Google Times Squared would not be…good.
  • 43. A Modest Proposal For Correcting Corruption • WARNING: This is hideous • Why the web can’t go 100% SSL/TLS yet – Ignoring perf, most web sites are aggregated on one IP, with Host: multiplexing – SSL/TLS didn’t get an equivalent to the Host: header to determine which certificate to present until very recently, and most downlevel clients don’t support • One idea: We use SSL/TLS only to acquire loaders, which acquire content from existing CDN mechanism but refuse to inject into the DOM unless a HMAC or Tiger Tree check is passed – Can definitely do from Flash or Silverlight, possibly from simple AJAX as well – Building a system to do this, codenamed “NDK” • “Not DOMokun”
  • 44. A Reminder • The commercial people are why we have strong crypto in the browser in the first place. Thanks credit card craving commerce people! • Feds: If you like sniffing traffic, require the providers to need a warrant before going hostile. – Ad replacement will spread web crypto like nothing else ever has. • Now: Is it possible to get better data regarding the inevitability of all of this?
  • 45. The Transparent Proxy Gem • Some consumer networks have transparent proxies – These take all traffic outbound on Port 80 and coalesce onto a single proxy instance that uses the Host: header to route requests to the correct destination – Arbitrary TCP = Arbitrary Headers – So an attacker can go back to the IP address that provided the applet, and ask for Host: www.fark.com – it’ll get routed to Fark instead of to the original host • What this means – Since the same infrastructure ultimately hosts all web content, all sites (once they’re cached in proxy) come from the same host – A speed test against this “transparent” (easily detectable) proxy for various sites will directly yield information about hostility
  • 46. The Silent Censor Detector • Even if there’s no transparent proxy, a filter box can still limit traffic for web requests with non- preferred Host: headers. • Using Flash, we can impersonate being a Host: for any site on the Internet when we provide a speed check. – The thinking is that the attacker/provider won’t monitor the IP address used to contact Host: www.whatever.com, and will thus equally rate limit traffic with that Host: no matter what provider.
  • 47. The Detectability Problem • In every major networking company, I assume there is a protocol guy as ornery as I am – “Oh yeah, well I’ll just detect him doing that…this way!” • Is it possible to build a hostility detection system that uses traffic indistinguishable from real world traffic?
  • 48. Well… • We want to spoof sites on the Internet. • We want to know what these sites would see. • We want to be able to respond as if we were these sites. • We don’t want the real sites to interfere with our interference. • Good luck! That would require…sequence numbers. – We’d have to know where in the TCP stream an attacker was, and that’s clearly not possible…
  • 50. PACKET CLAUS IS COMING TO TOWN
  • 51. Introducing: INSPECTOR PAKKET • What normally stops Mallory from pretending to be a random site on the Internet? – Mallory doesn’t know sequence numbers client will accept – Mallory has to compete with real server for the sending of data • What do we have? – A sniffer that will leak sequence numbers to Mallory • What can Mallory now do? – Send data to the client that it’ll accept – Send a RST to the server so it’ll shut down the session it has with the client
  • 52. Go Pakket Go! • About that RST… – RST is a TCP Reset message – it shuts down a socket rather unceremoniously • Requires correct SEQ#, but don’t worry, we have that • When Mallory spoofs Bob to Alice, Alice is going to ACK to Bob – Normally, Bob will send RSTs back to Alice, since there’s no associated session – Thankfully, Bob is usually running a firewall that long since shut down its connection for Alice…and so drops all of Alice’s ACKs that have been stimulated by Mallory’s traffic! • And just to be clear, how is Mallory getting those ACKs? – AJAcks: TCP Acks over AJAX
  • 53. Go Go Pakket Pwn • ‘The goal is to identify the applications being used on the network, but some of these devices can go much further; those from a company like Narus, for instance, can look inside all traffic from a specific IP address, pick out the HTTP traffic, then drill even further down to capture only traffic headed to and from Gmail, and can even reassemble emails as they are typed out by the user.‘ • Given a colluding client, I can: • Impersonate anyone who doesn’t ACK my traffic • Generate arbitrary traffic that is completely indistinguishable from theirs • Provide deep packet inspectors with a whole new realm of content to inspect. • I recommend inspecting this information. Deeply.
  • 54. Conclusions • DNS Rebinding threatens the boundaries of your network – There are multiple rebinding mechanisms and many major use cases for each of them; this will not be an easy problem to fix. – The web could use some real work on its underlying security models • We may need to consider applying integrity, and perhaps encryption to all web traffic due to provider hostility • There are mechanisms for detecting such hostility that should be deployable shortly.
  • 56. My Process • Sit down • Relax • Put some music on • Start writing code • Get totally distracted – Write something completely different than intended – Find out later why
  • 57. A Fun Little Distraction • “Dotplots??? WTF!” – Best feedback I’ve ever gotten  • Dotplots are a mechanism for visually analyzing similarity across a dataset – See last year’s talk for details • So I decided to port last year’s talk to WinAMP. – I’m listening to music – I like pretty pictures – I should like listening to music that generates pretty pictures! • Be nice to code something that I’d never show at Black Hat!
  • 59. +30% vs. -30% tempo
  • 60. LudiVu: Realtime Audio Visualizer • Images are based directly on spectral similarity – “How similar is what I’m hearing now, to what I’ve heard for the last n seconds?” • Bass = Red • Midrange = Green • Treble = Blue – Our auditory system almost certainly does this too • Always good to match what the ear is up to – Our auditory system almost certain does this better  • Amazingly apocalyptically naïve similarity metric!
  • 61. What We See • “Visual Hash” of auditory segments, based on mutual similarity/dissimilarity across frequencies – Reflects overall timbre of what we’re hearing • Vertical lines representing repeated structures in the music – Lines close = Fast Tempo – Lines far away = Slow Tempo • Tradeoff between visual hash and structure detection – Blur less, get better visual hashing – Blur more, get better structure detection
  • 62. So Why Is This At Black Hat? • I’m doing web research! • One of my friends, Zane Lackey, knows AJAX quite well and is in town – We go out for beers. – Me: “So I’m working on this really cool thing, it makes pictures from sound!” – Zane: “What, for Audio CAPTCHAs?” – Me: “…”
  • 63. Whatsa CAPTCHA? • CAPTCHA: “Completely Automated Public Turing test to tell Computers and Humans Apart” • Used to bind access to a resource to the presence of a human – Web sites use them to suppress bots • So I get this email, in response to me breaking CAPTCHAs... – “CAPTCHA is quite annoying. I use a few programs to send "auto-messages" and to "steal friends" from others' pages. They had a way around the CAPTCHA system for a while, but not anymore. Check out www.xxx.com and www.yyy.com. I dunno, I have 5 different accounts, and I add 300 people a day on each one, so imagine - I'm typing 250+ CAPTCHA codes a day on this damn thing. ;)”
  • 64. AmIHumanOrNot • The general idea is to use a human’s superior ability at figure/ground separation to differentiate human/machine • Image Captchas: Text, distorted and overlaid with lines and other non-text shapes – Problem: Blind people can’t get in • Audio Captchas: Speech, distorted and overlaid with quieter speech – Humans get a 10db boost in perception simply by paying conscious attention – Problem: Audio is actually easier to hack.
  • 67. Tips For Building Better Audio CAPTCHAs • Don’t actually make your speech much louder than your noise – Easy to sync on regions of high volume • Expand your vocabulary – Use a sentence, rather than words in isolation, as we’re much better at parsing them • Ask a question, perhaps? – “My name is Bob. How many letters are in my name?”