How I Met Your Sweetheart:.

How I Met Your Girlfriend: The revelation and execution of altogether new classes of Web assaults to meet your better half. Samy Kamkar samy@samy.pl http://samy.pl Twitter: @SamyKamkar

Who is samy? "Narcissistic Vulnerability Pimp" (aka Security Researcher for no particular reason) Author of The Samy Worm on MySpace Co-Founder of Fonality, IP PBX organization Chick Magnet [ reference required ] Lady Gaga enthusiast

Cyber Warrior Raided Computer utilization lost Tweens all over the place frustrated

Why the web? It’s new, it’s cool, it’s exploitable! Gopher isn’t utilized as much any longer The web is a code appropriation direct Browsers can convey in ways they don’t know And a great deal more!

My Homepage It’s new, it’s cool, it’s exploitable! Gopher isn’t utilized as much any longer The web is a code dispersion direct Browsers can convey in ways they don’t know And a great deal more!

Attack Indirectly Certified Information Security Specialist Professional Chief Executive Officer of SecTheory Co-Author of « XSS Exploits: Cross Site Scripting Attacks and Defenseâ â» Author of « Detecting Malaceâ â» Co-engineer of Clickjacking with Jeremiah Grossman Runs ha.ckers.org and sla.ckers.org Certified ASS (Application Security Specialist)

Attack Indirectly Robert « Rsnake » Hansen How would we assault somebody who secures himself well? Don’t.

Attack Indirectly XSS? Presumably won’t get bulldozed by it. CSRF? Same.

PHP: Overview PHP: to a great degree normal web dialect PHP sessions: to a great degree basic default session administration PHP sessions: utilized as a matter of course as a part of most PHP structures (e.g., CakePHP) PHP sessions: either went in URL or…

PHP Sessions: Overview session_start() – instate PHP session

PHP Sessions: Entropy session_start()’s pseudo-arbitrary information: IP address: 32 bits Epoch: 32 bits Microseconds: 32 bits Random lcg_value() (PRNG): 64 bits TOTAL: 160 bits SHA1’d: 160 bits 160 bits = a parcel = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

How enormous is a bit? A few traps For each 10 bits, include ~3 zeros 1 0 bits = 1 , 024 (thousand) 2 0 bits = 1 , 048,576 (mil) 3 0 bits = 1 , 073,741,824 2 5 bits = ~ 32 , 000,000

It’s Just Math! 160 bits = 2 ^ 160 = ~10 ^ 48 160 bits = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976 At 100 trillion qualities for each second, 160 bits would take… (2 ^ 160)/(10 ^ 14)/(3600 * 24 * 365 * 500000000) = 926,878,258,073,885,666 = 900 quadrillion ages 1 age = 500 million years

PHP Sessions: Entropy session_start()’s pseudo-irregular information: IP address: 32 bits Epoch: 32 bits Microseconds: 32 bits Random lcg_value() (PRNG): 64 bits TOTAL: 160 bits SHA1’d: 160 bits 160 bits = a part = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

PHP Sessions: Entropy Redux Not so pseudo-arbitrary information: IP address: 32 bits Epoch: 32 bits Microseconds: 32 bits just 0 – 999,999 … 20 bits = 1,048,576 < 20 bits! (REDUCED) - 12 bits Random lcg_value() (PRNG): 64 bits TOTAL: 148 bits (lessened by 12 bits) SHA1’d: 160 bits

An Example: Facebook

PHP Sessions: Entropy Redux Not so pseudo-irregular information: IP address: 32 bits Epoch: 32 bits (ACQUIRED) - 32 bits Microseconds: 32 bits just 0 – 999,999 … 20 bits = 1,048,576 < 20 bits! (REDUCED) - 12 bits Random lcg_value() (PRNG): 64 bits TOTAL: 116 bits (decreased by 44 bits) SHA1’d: 160 bits

An Example: Facebook

PHP Sessions: Entropy Redux Not so pseudo-arbitrary information: IP address: 32 bits (ACQUIRED) - 32 bits Epoch: 32 bits (ACQUIRED) - 32 bits Microseconds: 32 bits just 0 – 999,999 … 20 bits = 1,048,576 < 20 bits! (REDUCED) - 12 bits Random lcg_value() (PRNG): 64 bits TOTAL: 84 bits (diminished by 76 bits) SHA1’d: 160 bits

PHP LCG (PRNG): Randomness php_combined_lcg()/PHP func lcg_value()

PHP LCG (PRNG): Randomness S1 WAS 32 bits, NOW 20 bits SEED (s1+s2): 64 bits – 12 bits = 52 bits

PHP LCG (PRNG): Randomness LCG(s2) = (long) getpid(); S2 = 32 bits Linux just uses 15 bits for PIDs S2 = 32 bits – 17 bits = 15 bits SEED (s1+s2) = 15 bits + 20 bits = 35 bits PHP capacity: getmypid() Linux summon: ps Learn PID, lessen the other 15 bits! SEED (s1+s2) = 0 bits + 20 bits = 20 bits

PHP Sessions: Entropy Redux Not so pseudo-arbitrary information: IP address: 32 bits (ACQUIRED) - 32 bits Epoch: 32 bits (ACQUIRED) - 32 bits Microseconds: 32 bits just 0 – 999,999 … 20 bits = 1,048,576 < 20 bits! (Decreased) - 12 bits Random lcg_value (REDUCED) - 44 bits TOTAL: 40 bits (diminished by 120 bits) SHA1’d: 160 bits

PHP Sessions: Entropy Redux Microseconds: 32 bits down to 20 bits Random lcg_value down to 20 bits 40 bits? No! We can calc lcg_value() first ! With a period memory exchange off (4 MB), we can take in the lcg_value unique seed in almost no time , REDUCING to 20 bits ! 40 bits – 20 bits = 20 bits 20 bits = 1,048,576 treats

GREAT SUCCESS! 500,000 solicitations overall! Will be finished in a day

You down with entropy? No doubt you know me! PHP 5.3.2: more entropy Create your own particular session values! Assault is hard to execute! PS, Facebook is NOT helpless! <3 Facebook Please help my farmville * Thanks to Arshan Dabirsiaghi and Amit Klein for guiding me in the right bearing

GREAT SUCCESS! Utilizing victim’s treat, message our new casualty with a pernicious connection!

This is your system.

This is your system on medications.

A NAT

Cross-Protocol Scripting (XPS) HTTP servers can keep running on any port A concealed structure can auto-submit information to any port by means of JS form.submit() HTTP is a newline-based convention So are other protocols….hmmmm

Cross-Protocol Scripting: Examples in this present reality Let’s compose an IRC clientâ  in HTTP! This uses the CLIENT’s PC to unite, accordingly utilizing their IP address!

XPS IRC Example

NAT Pinning: cont.

HTTP POST w/IRC content

NAT Pinning: XPS times OVER 9,000 Sweet! So what is NAT Pinning? NAT Pinning befuddles the program, as well as the ROUTER on the application layer E.g., when corresponding with port 6667, program thinks HTTP, switch thinks IRC We can abuse this and utilization switch accommodations to assault customer

Cross-Protocol Scripting (XPS) and NAT Pinning: Introduction

NAT Pinning: IRC DCC linux/net/netfilter/nf_conntrack_irc.c DCC talks/document sends happen on a different port than visit Client sends: PRIVMSG samy :DCC CHAT samy IP port Router sees IP (decided from HTTP_REMOTE_ADDR) and port, then FORWARDS port to customer! ANY PORT!

NAT Pinning: cont.

NAT Pinning: blocked ports If program doesn’t permit outbound associations on particular ports? TCP/UDP ports = 16 bits = 65536 So flood the port! 65536 + 6667

NAT Pinning: blocked ports 6667 + 65536 = 72203 6667 = 0 0001101000001011 72203 = 1 0001101000001011 Some programs check: if port == 6667 … yet 72203 != 6667 Correct check: port % 2^16 * Webkit whole number flood found by Goatse Security

NAT Pinning: counteractive action Strict firewall – don’t permit obscure outbound associations Client side – keep running breakthrough program Client side – use NoScript if utilizing Firefox Client side – run neighborhood firewall or apparatus like LittleSnitch to know whether an application is getting to obscure ports

Penetration 2.0

TRIPLE X

TRIPLE X SS

Geolocation by means of XXXSS

Geolocation through XXXSS Anna visits malignant webpage

Geolocation by means of XXXSS Anna visits noxious website XXXSS filters your nearby system for switch sort

Geolocation by means of XXXSS Anna visits vindictive webpage XXXSS examines your neighborhood system for switch sort

Geolocation by means of XXXSS Anna visits malevolent webpage XXXSS checks your neighborhood system for switch sort If fundamental, sign in with default accreditations!

Geolocation by means of XXXSS Anna visits malignant site XXXSS filters for switch sort Logs in with default accreditations (if vital) XSS switch to load remote noxious JS

Geolocation through XXXSS Remote JS utilizes AJAX to secure MAC

Why MAC Address?

Why MAC Address? Simply Bing it!

Why MAC Address? Simply Bing it! Sort www.bing.com in your URL bar

Why MAC Address? Simply Bing it! Sort www.bing.com in your URL bar Type in “ Google ” in the hunt box

Why MAC Address? Simply Bing it! Sort www.bing.com in your URL bar Type in “ Google ” in the inquiry box Hit enter!

Why MAC Address?

Geolocation through XXXSS Upon MAC securing, approach the Google See FF hotspot for Location Services

Geolocation by means of XXXSS scope: 36.0920029 longitude: - 123.3461946

Geolocation by means of XXXSS

NAT Pinning: anticipation Strict firewall – don’t permit obscure outbound associations Client