Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Unmasking You


Published on

"Unmasking You!" Presented by Joshua "Jabra" Abraham and Robert "RSnake" Hansen at BlackHat 09 and DefCon 17.

Published in: Business, Technology
  • If you need your papers to be written and if you are not that kind of person who likes to do researches and analyze something - you should definitely contact these guys! They are awesome ⇒⇒⇒ ⇐⇐⇐
    Are you sure you want to  Yes  No
    Your message goes here
  • Hello! I do no use writing service very often, only when I really have problems. But this one, I like best of all. The team of writers operates very quickly. It's called ⇒ ⇐ Hope this helps!
    Are you sure you want to  Yes  No
    Your message goes here
  • Dating direct: ❤❤❤ ❤❤❤
    Are you sure you want to  Yes  No
    Your message goes here
  • Sex in your area is here: ♥♥♥ ♥♥♥
    Are you sure you want to  Yes  No
    Your message goes here

Unmasking You

  1. 1. 1<br />Your logo here…<br />
  2. 2. About Us<br /><ul><li>Robert “RSnake” Hansen
  3. 3. SecTheory LLC - CEO
  4. 4.
  5. 5. – the lab
  6. 6. – the forum
  7. 7. Joshua “Jabra”Abraham
  8. 8. Rapid7 LLC - Security Researcher
  9. 9.
  10. 10.</li></ul>2<br />
  11. 11. De-Anonymizing You!<br />3<br />Why does this matter?<br />Privacy advocacy<br />People think they’re safe<br />Privacy is not a guarantee. It can be taken from you.<br />True anonymity is actually extremely difficult to achieve!!<br />So we decided to attack users instead of websites for once.<br />
  12. 12. Why is Privacy Good?<br />4<br />Safety from trolls who want to drop docs<br />Safer for political dissidents<br />Safer for potential victims of violent crimes (women, children)…<br />Allows people to be themselves (for good or bad)<br />Safer for whistle blowers<br />Increases freedoms<br />
  13. 13. Why is Privacy Bad?<br />5<br />Haven for “evildoers”<br />Allows them to attack easily<br />Allows them to retreat easily<br />Allows them to exfiltrate data easily<br />Hurts law enforcement<br />Prevents “social compact” rules of order from working in online contexts.<br />
  14. 14. Either Way, Privacy is Broken<br />6<br />The ecosystem is too complex<br />IP is the “gold standard” for tracking people down on the Internet, but what if we could do better?<br />Let’s start with the basics of how people anonymize themselves.<br />
  15. 15. How2<br />7<br />Basic anonymization guide<br />Proxies:<br />CGI proxies<br />SOCKS Proxies<br />Tor<br />Hacked machines<br />Freemail<br />Hotmail<br />Gmail<br />Hushmail<br />
  16. 16. Client Side Certificates<br />8<br />Good/Normal Use<br />Improving the trust model<br />Client: has the cert in the browser<br />Servers: requires all clients have valid certs<br />What if the client goes to another website with SSL?<br />Browser defaults to send the public key<br />
  17. 17. Client Side Certificates<br />Well, could this be malicious?<br />Sniff the public key<br />Name of the system<br />System/OS<br />Username/Email of the client<br />Location of the server<br />Cert Issued / Expires<br />9<br /><br />
  18. 18. Funny thing about usernames they often look like this:<br />Common usernames:<br />Administrator<br />root<br />[first].[last]<br />[first]_[last]<br />[first]-[last]<br />handle<br />… full name of the victim<br />Interesting more on this later….<br />
  19. 19. Breaking Tor<br />11<br />Kazakhstan Embassy in Egypt kazaembpiramid<br />Mongolian Embassy in USA temp<br />UK Visa Application Centre in Nepal Password<br />Defense Research & Development Organization Govt. Of India, Ministry of Defense password+1<br />Indian Embassy in USA 1234<br />Iran Embassy in Ghana accra<br />Iran Embassy in Kenya kenya<br />Hong Kong Liberal Party miriamlau 123456<br />100 embassy passwords<br />Breach proxy honeypots<br />Open Proxies you trust?<br />HackedTor.exe<br />Setup the Client<br />Tor node just logs everything<br />We can play MiTM like Jay<br />&lt;imgsrc=&quot;http://dige6xxwpt2knqbv.onion/wink.gif&quot; onload=&quot;alert(&apos;You are using Tor&apos;)&quot; onerror=&quot;alert(&apos;You are not using tor&apos;)&quot;&gt; <br />
  20. 20. Browser Detection<br />12<br />Mr T<br />Plugins<br />History<br />Screen Resolution<br />BeEF<br />VMware detection (IE only)<br />Plugin detection<br /> (Java, Flash and Quicktime)<br />Setup script in Backtrack4<br />But…. The Cloud is the new Hotness!<br />
  21. 21. Virtualization/Cloud Detection<br />13<br />VM Detection<br />VMware<br />QEMU<br />VirtualBox<br />Amazon EC2 Detection<br />Identify each region<br />Works on:<br />Firefox and IE 6, 7 and 8<br />Works on Linux and Windows <br />Mac doesn’t work - 64 bit issue<br />New BeEF Module!<br />Leverage this knowledge in our attacks<br />
  22. 22. Pwn Dem v0hns<br />14<br />Java on the client<br />Malicious Java Applet<br />Client running old/vulnerable software:<br />Plugin and/or Browser <br />Metasploit exploit<br />
  23. 23. BeEF to the MAX!<br />New BeEF Modules<br />TOR detection<br />VM detection (Vmware, QEMU, VirtualBox and EC2)<br />AJAX “Ping” Sweep<br />Java Metasploit Payload Applet<br />BeEFMetasploit Integration<br />Autopwn / New Browser 0day<br />Updated BeEF Modules<br />Visited URLs (Alexa top 500)<br />New version of BeEF coming…<br /><br />15<br />
  24. 24. Real IP<br />16<br />Java<br />Java internal IP<br />Flash<br />scp:// (winSCP)<br />Word/pdf bugs<br />itms:<br />Already part of<br />
  25. 25. File System Enumeration<br />17<br />res:// timing<br />res:// timing without JavaScript<br />smbenum<br />- “Wtf?”<br />
  26. 26. Usernames and Computer Names!<br />18<br />But seriously – that’s just terrible, let’s just get the username and computer name directly!<br />Cut and paste<br /><br />SMB<br />&lt;iframesrc=&quot;file:///.2.2.2&quot;&gt; &lt;/iframe&gt;<br />
  27. 27. SMBenum<br />19<br />SMB enum only finds certain types of files and only if known prior to testing<br />SMB enum could also gather usernames through brute force<br />Usernames + res:// timing could gather programs that smbenum alone couldn’t<br />
  28. 28. Google<br />
  29. 29. Google<br />
  30. 30. Google<br />
  31. 31. Google<br />
  32. 32. Google 0wns Us!<br />
  33. 33. Questions/Comments?<br />Robert “RSnake” Hansen<br /><ul><li>
  34. 34. – the lab
  35. 35. – the forum
  36. 36. h_aT_ckers_d0t_org</li></ul>Joshua “Jabra” Abraham<br /><ul><li>
  37. 37.
  38. 38.
  39. 39. Final version of Slides and Demos
  40. 40. Jabra_aT_spl0it_d0t_org</li>