Active Man in the Middle Demo

Apr 05, 2018

  • 7/31/2019 Active Man in the Middle Demo

    1/39

    IBM Rational Application Security Group (aka Watchfire)

    Active Man in the Middle Attacks

    Web Based Man In the Middle Attack, 2009 IBM Corporation

    The OWASP Foundation
    OWASP
    http://www.owasp.org

    adish
    Security Research Group Manager
    IBM Rational Application Security (a.k.a. Watchfire)

  • Slide 2 of 39: Agenda

    Background
    - Man in the Middle
      - Network level: heavily researched
      - Web application level: sporadic research

    Outline
    - Passive MitM attacks
    - Active MitM attacks
    - Penetrating an internal network
    - Remediation

  • Slide 3 of 39: Man in the Middle Scenario

    - All laptop users connect to a public network
    - Wireless connection can easily be compromised or impersonated
    - Wired connections might also be compromised

    (Diagram: laptop users reaching the Internet through a public network)

  • Slide 4 of 39: Rules of Thumb: Don'ts

    Someone might be listening to the requests
    - Don't browse sensitive sites
    - Don't supply sensitive information

    Someone might be altering the responses
    - Don't trust any information given on web sites
    - Don't execute downloaded code

  • Slide 5 of 39: Rules of Thumb: What Can You Do?

    This leaves us with:
    - Browse your favorite news site
    - Browse your favorite weather site

    (Diagram: Internet; non-sensitive sites are "boring", sensitive sites are "interesting")


  • Slide 7 of 39: Mitigating a Fallacy

    Fallacy: executing JavaScript on the victim == executing an attack
    - Same origin policy

    Executing an attack
    - JavaScript + browser implementation bug
    - JavaScript + execution on a specific domain (can be done through XSS)

  • Slide 8 of 39: Passive Man in the Middle Attacks

    1. Victim browses to a website
    2. Attacker views the request, manipulates it and forwards it to the server
    3. Server returns a response
    4. Attacker views the response, manipulates it and forwards it to the victim

    Other servers are not affected

  • Slide 9 of 39: Active Man in the Middle Attack

    The attacker actively directs the victim to an interesting site

    1. Victim browses to a boring site (My Weather Channel)
    2. Attacker transfers the request to the server
    3. Server returns a response
    4. Attacker adds an IFRAME referencing an interesting site (My Bank Site)
    5. Automatic request sent to the interesting server (My Bank Site)

    The IFrame could be invisible
    Other servers are not affected


  • Slide 11 of 39: Stealing Cookies*

    Automatic request contains the victim's cookies

    Obvious result
    - Stealing cookies associated with any domain the attacker desires
    - Will also work for HttpOnly cookies (as opposed to XSS attacks)

    * A similar attack was presented by Sandro Gauci: Surf Jacking
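The slide makes the point that HttpOnly does not help here: the cookie is attached by the browser to the automatic request the injected IFRAME triggers, whether or not script can read it. The attribute that does keep a cookie off that plain-HTTP request is Secure. The following audit script is an added example, not code from the deck or from Watchfire; the Set-Cookie header values in it are constructed sample data.

```python
# Added example (not from the deck): audit Set-Cookie headers for the
# attribute that actually limits the cookie-theft step on this slide.
# HttpOnly hides a cookie from script, but the browser still attaches it
# to the automatic request an injected IFRAME triggers over plain HTTP;
# only the Secure attribute keeps it off non-HTTPS requests.
# The header values below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value and record the missing protections."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    report = CookieReport(name, "secure" in attrs, "httponly" in attrs)
    if not report.secure:
        report.findings.append(
            "no Secure attribute: sent on any plain-HTTP request to this host, "
            "including one forced by an injected IFRAME")
    if not report.httponly:
        report.findings.append("no HttpOnly attribute: readable by page script (XSS)")
    return report


def audit_cookies(headers):
    """Return reports only for cookies that need attention."""
    return [r for r in map(parse_set_cookie, headers) if r.findings]


# Constructed sample: what an HTTP response might set
SAMPLE_HEADERS = [
    "SESSIONID=a1b2c3; Path=/; HttpOnly",        # HttpOnly alone does not help here
    "AUTH=d4e5f6; Path=/; Secure; HttpOnly",      # the only safe one of the three
    "prefs=dark; Path=/; Max-Age=31536000",       # no protection at all
]

if __name__ == "__main__":
    for r in audit_cookies(SAMPLE_HEADERS):
        print(r.name, "->", "; ".join(r.findings))
```

Run against a real response by feeding every Set-Cookie header into audit_cookies; a session cookie that shows up without Secure is exactly the one the slide's automatic request would carry to the attacker.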


  • Slide 13 of 39: Overcoming Same Origin Policy

    1. Victim surfs to a boring site
    2. Attacker injects an IFRAME
    3. Automatic request sent to the interesting server
    4. Attacker forwards the automatic request to the interesting server
    5. Interesting server returns a response
    6. Attacker adds a malicious script to the response
    7. Script executes with the interesting server's restrictions

    Result
    - Attacker can execute scripts on any domain she desires
    - Scripts can fully interact with any interesting website

    Limitations
    - Will only work for non-SSL web sites

  • Slide 14 of 39: Secure Connections

    Login Mechanism

  • Slide 15 of 39: Secure Connections

    1. Victim browses to site http://www.webmail.site
    2. Site returns a response with login form ("Please Login": Username, Password, SUBMIT)
    3. Victim fills in login details (jsmith / ********) and submits the form
    4. Login request is sent through a secure channel
    5. "Login Successful. Hello John Smith,"

    Pre-login action sent in clear text
    - Attacker could alter the pre-login response to make the login request be sent unencrypted

  • Slide 16 of 39: Stealing Auto Completion Information*

    1. Attacker redirects the victim to a request to a pre-login page
    2. Attacker returns the original login form together with a malicious script
    3. Script accesses the auto-completion information using the DOM

    Result
    - Attacker can steal any auto-completion information she desires

    Limitations
    - Will only work for pre-login pages that are not encrypted
    - Will not work seamlessly in IE

    * A passive version of this attack was described by RSnake in his blog


  • Slide 18 of 39: (Time Dimension)

  • Slide 19 of 39: Time Dimension

    (Diagram)
    - Passive MitM: Present (boring sites)
    - Active MitM: Past (interesting sites)
    - Active MitM: Future (interesting sites)

  • Slide 20 of 39: Session Fixation

    1. Attacker redirects the victim to the site of interest
    2. Attacker returns a page with a cookie generated by the server
    3. Cookie is saved on the victim's computer
    4. A while later, the victim connects to the site (with the pre-provided cookie)
    5. Attacker uses the same cookie to connect to the server
    6. Server authenticates the attacker as the victim

    Result
    - Attacker can set persistent cookies on the victim

    Limitations
    - The vulnerability also lies within the server
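The limitation on this slide, that the vulnerability also lies within the server, is the lever a defender has: a server that only honours session ids it minted and issues a fresh id at login cannot be made to authenticate an attacker through a cookie planted on the victim. The model below is an added example, not code from the deck; it places a fixable session store beside a hardened one and runs the slide's sequence against both. Users, passwords and ids are constructed sample data.

```python
# Added example (not from the deck): the server-side half of the session
# fixation remedy.  A store that accepts any cookie value it sees and keeps
# it across login lets a pre-planted id become an authenticated one; a
# store that mints its own ids and rotates them at login does not.
# Users, passwords and ids are constructed sample data.
import hmac
import secrets

# Constructed credential table (a real server would store password hashes)
USERS = {"jsmith": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class FixableSessionStore:
    """Vulnerable: trusts whatever session id the client presents, even one
    the server never issued, and keeps that id after login."""

    def __init__(self):
        self.sessions = {}

    def resolve(self, cookie_sid):
        sid = cookie_sid or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login(self, cookie_sid, user, password):
        sid = self.resolve(cookie_sid)
        if check_password(user, password):
            self.sessions[sid]["user"] = user
        return sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None


class HardenedSessionStore(FixableSessionStore):
    """Only honours ids it minted itself, and issues a fresh id at login so
    nothing chosen before authentication survives it."""

    def resolve(self, cookie_sid):
        if cookie_sid not in self.sessions:          # unknown or None: ignore it
            cookie_sid = secrets.token_urlsafe(32)
            self.sessions[cookie_sid] = {"user": None}
        return cookie_sid

    def login(self, cookie_sid, user, password):
        old = self.resolve(cookie_sid)
        if not check_password(user, password):
            return old
        self.sessions.pop(old, None)                  # rotate: retire the pre-login id
        new = secrets.token_urlsafe(32)
        self.sessions[new] = {"user": user}
        return new


def run_fixation_scenario(store):
    """Model the slide's sequence against a store.

    Returns (user the planted id maps to, user the victim's post-login id maps to)."""
    planted = store.resolve(None)        # attacker obtains a valid id from the server
    # ... attacker returns a page that sets this id as the victim's cookie ...
    victim_sid = store.login(planted, "jsmith", USERS["jsmith"])  # victim logs in with it
    return store.user_for(planted), store.user_for(victim_sid)


if __name__ == "__main__":
    print("fixable :", run_fixation_scenario(FixableSessionStore()))   # ('jsmith', 'jsmith')
    print("hardened:", run_fixation_scenario(HardenedSessionStore()))  # (None, 'jsmith')
```

In the fixable store the planted id is the authenticated session, which is step 6 on the slide. In the hardened store the planted id is retired at login, so step 5 yields an anonymous session even though the attacker obtained a genuine server-issued id in step 2.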

  • Slide 21 of 39: Cache Poisoning

    1. Attacker redirects the victim to the site of interest
    2. Attacker returns a malicious page
    3. Page is cached on the victim's computer
    4. A while later, the victim visits the site

    Result
    - Attacker can poison any page she desires
    - Poisoned pages will be persistent

    Limitations
    - Attacker can poison non-SSL resources only

  • Slide 22 of 39: Demo

  • Slide 23 of 39: Virtual Private Networks

  • Slide 24 of 39: Virtual Private Networks (VPN)

    VPN client initialization
    - Create a secure network interface
    - Set the user's routing table

    VPN client finalization (upon exit or when the connection is lost)
    - Revert the routing table

    Do not confuse VPN and HTTPS architectures!

  • Slide 25 of 39: VPN Mixed Content

    1. Victim surfs to a page in the VPN network (Internal Web Site)
    2. Attacker alters the non-encrypted script
    3. Malicious script executes within the secure environment

    Result
    - VPN web sites are compromised
    - User is not alerted to the security risk (as opposed to SSL mixed content issues)

    Limitations
    - Such mixed content is not widely used

  • Slide 26 of 39: Hacking Non-Available Sites

    Result
    - Attacker can view and change any HTTP cache object, even for non-available sites

  • Slide 27 of 39: VPN Cache Injection

    1. Attacker disconnects the connection to the VPN server
    2. After the routing table is updated, the attacker poisons the cache of an internal site
    3. Attacker recovers the connection
    4. Attacker redirects the victim to the cached resource
    5. Cached resource loads and the malicious cached script executes

    Result
    - VPN is great for the network level
    - VPN is not enough for the application level
    - This attack could be applied to other application protocols!

  • Slide 28 of 39: Intranet Networks

  • Slide 29 of 39: Penetrating an Internal Network: Simple Cache Poison

    Result
    - Attack will be launched every time the victim accesses the resource
    - The attack would execute within the local intranet

    Characteristics
    - Firewall protections are helpless
    - Affected servers will never know
    - The attack is persistent

  • Slide 30 of 39: Setting Up a Future MitM Scenario

    1. Using Active MitM techniques, the victim's router-related cache is poisoned with a malicious script
    2. Malicious script executes when the victim tries to access the router
    3. Script configures the router to tunnel future communication through the attacker
    4. Script hides the configuration changes related to the router's web access

    (Diagram: router configuration page showing Outbound Proxy IP Address 216.187.118.221 and Primary DNS Server Address 216.187.118.221)

    Result
    - Facilitates future MitM scenarios
    - Does not require the router's credentials
    - Fake settings could be displayed to the user

    Limitations
    - Requires the victim to access the router in the future
    - Need to guess the router's address (10.0.1.1)

  • Slide 31 of 39: Increasing the Exposure

    Poison common home pages
    - Script will execute every time the victim opens the browser

    Poison common scripts
    - Script will execute on every page using the common script
    - Example: http://www.google-analytics.com/ga.js

    The double active attack
    - Common poisoned page redirects to another poisoned resource

  • Slide 32 of 39: The Double Active Cache Poisoning Attack

    1. Using Active MitM techniques, the attacker poisons the common router's address (i.e. 10.0.1.1)
    2. Attacker also poisons common home pages
    3. At a later time, the victim opens the browser
    4. Cached home page is loaded and redirects the victim's browser to the router's web interface
    5. Cached router web interface is loaded and the malicious script changes the router's settings
    6. Router is compromised by the malicious script

    Result
    - Internal network has been compromised

    Limitation
    - Need to guess router IP and credentials

  • Slide 33 of 39: Active Attack Characteristics

    - Not noticeable in the user's experience
    - Not noticeable by any of the web sites
    - IPS/IDS will not block it
    - Can be persistent
    - Can be used to hack into the local organization
    - Bypasses any firewall or VPN
    - Can be used to access non-HTTP servers
    - Can be used with DNS Pinning techniques
    - A problem with the current design: requires only one plain HTTP request to be transmitted

  • Slide 34 of 39: Remediation: Users

    - Do not use auto-completion
    - Clean Slate Policy
    - Trust level separation
      - Two different browsers
      - Two different users
      - Two different OS
      - Virtualization products
    - Tunnel communication through a secure proxy
      - Might not be allowed in many hot-spots

  • Slide 35 of 39: Remediation: Web Owners

    - Consider risks of partial SSL sites
    - Do not consider a secure VPN connection as an SSL replacement
    - Use random tokens for common scripts (while considering performance issues)
    - Avoid referring to external scripts from internal sites

  • Slide 36 of 39: Remediation: Industry

    - Build integrity mechanism for HTTP
    - Secure WiFi networks
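The "integrity mechanism for HTTP" this slide asks for is what browsers later standardised as Subresource Integrity: the integrity attribute on script and link tags binds a shared resource to a hash, which addresses the poisoned common script of slide 31 and is the standards-based counterpart of the "random tokens for common scripts" advice on slide 35. The code below is an added example, not code from the deck or from any browser; it computes and checks SRI tokens the way a page author and a user agent would. The script bodies are constructed sample data; the ga.js URL is the one named on slide 31.

```python
# Added example (not from the deck): the integrity mechanism the "Industry"
# slide asks for, in the form browsers later standardised as Subresource
# Integrity (the integrity attribute on <script> and <link>).  It ties a
# shared script to a hash, so a copy altered in transit or planted in the
# cache no longer loads.  Script bodies below are constructed sample data.
import base64
import hashlib
import hmac

SUPPORTED = ("sha256", "sha384", "sha512")   # weakest to strongest


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity token for a resource: '<algo>-<base64 digest>'."""
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Accept the resource only if one of the listed tokens matches it.

    The attribute may carry several space-separated tokens; the strongest
    algorithm present decides, as in a browser."""
    by_algo = {}
    for token in integrity.split():
        algo, _, _ = token.partition("-")
        if algo in SUPPORTED:
            by_algo.setdefault(algo, []).append(token)
    if not by_algo:
        return False                       # no usable token: treat as failure
    strongest = max(by_algo, key=SUPPORTED.index)
    actual = sri_digest(content, strongest)
    return any(hmac.compare_digest(actual, t) for t in by_algo[strongest])


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag a site owner would publish for a shared script."""
    return (f'<script src="{src}" integrity="{sri_digest(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample: the published script and a copy altered in transit
ORIGINAL = b"window.ga = function () { /* analytics */ };\n"
TAMPERED = ORIGINAL + b"/* altered in transit */\n"
SRC = "http://www.google-analytics.com/ga.js"   # URL named on slide 31

if __name__ == "__main__":
    token = sri_digest(ORIGINAL)
    print(script_tag(SRC, ORIGINAL))
    print("original loads:", verify_sri(ORIGINAL, token))   # True
    print("tampered loads:", verify_sri(TAMPERED, token))   # False
```

The caveat a practitioner will want: the check lives in the referencing page, so it only holds if that page cannot itself be rewritten, that is, if it is served over HTTPS. On a plain-HTTP page the same active attacker who swaps the script can strip the attribute, which is why the "partial SSL" item on the web owners slide is not solved by integrity alone.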

  • Slide 37 of 39: Summary

    Active MitM attacks broaden the scope of the passive attacks
    - Design issues
    - Dimension of time
      - Past (steal cookies, auto-completion information, cache)
      - Future (set up cookies, poison cache, poison form filler)
    - Penetrating internal networks
    - Persistent
    - Bypass any current protection mechanisms

    More information:
    Paper and presentation will be uploaded to our blog:
    http://blog.watchfire.com

  • Slide 38 of 39: References

    Additional information at the Watchfire Blog:
    http://blog.watchfire.com/wfblog/2009/02/active-man-in-the-middle-attacks.html

    Wireless Man in the Middle Attacks:
    http://www.informit.com/articles/article.aspx?p=353735&seqNum=7

    Side Jacking:

    More on SideJacking:
    http://erratasec.blogspot.com/2008/01/more-sidejacking.html

    Surf Jacking:
    http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf

    Stealing User Information:
    http://ha.ckers.org/blog/20060821/stealing-user-information-via-automatic-form-filling/

  • Slide 39 of 39: Thank you