How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend. Samy Kamkar samy@samy.pl http://samy.pl Twitter: @SamyKamkar
Slide 2: Who is samy? "Narcissistic Vulnerability Pimp" (aka Security Researcher for no particular reason); Author of The Samy Worm on MySpace; Co-Founder of Fonality, IP PBX company; Chick Magnet [citation needed]; Lady Gaga fan
Slide 3: Cyber Warrior. Raided; Computer usage lost; Tweens everywhere disappointed
Slide 4: Why the web? It's new, it's cool, it's exploitable! Gopher isn't used as much anymore; The web is a code distribution channel; Browsers can communicate in ways they don't know; And much more!
Slide 5: My Homepage
Slide 6: Attack Indirectly. Certified Information Security Specialist Professional; Chief Executive Officer of SecTheory; Co-Author of "XSS Exploits: Cross Site Scripting Attacks and Defense"; Author of "Detecting Malice"; Co-developer of Clickjacking with Jeremiah Grossman; Runs ha.ckers.org and sla.ckers.org; Certified ASS (Application Security Specialist)
Slide 7: Attack Indirectly. Robert "RSnake" Hansen. How do we attack someone who secures himself well? Don't.
Slide 8: Attack Indirectly. XSS? Probably won't get hit by it. CSRF? Same.
Slide 9: PHP: Overview. PHP: extremely common web language; PHP sessions: extremely common default session management; PHP sessions: used by default in most PHP frameworks (e.g., CakePHP); PHP sessions: either passed in the URL or…
Slide 11: PHP Sessions: Overview. session_start() - initialize a PHP session
Slide 12: PHP Sessions: Entropy. session_start()'s pseudo-random data: IP address: 32 bits; Epoch: 32 bits; Microseconds: 32 bits; Random lcg_value() (PRNG): 64 bits; TOTAL: 160 bits; SHA1'd: 160 bits. 160 bits = a lot = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976
Slide 13: How big is a bit? A few tricks: For every 10 bits, add ~3 zeros. 10 bits = 1,024 (thousand); 20 bits = 1,048,576 (million); 30 bits = 1,073,741,824; 25 bits = ~32,000,000
Slide 14: It's Just Math! 160 bits = 2^160 = ~10^48. 160 bits = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976. At 100 trillion values per second, 160 bits would take… (2^160) / (10^14) / (3600 * 24 * 365 * 500000000) = 926,878,258,073,885,666 = 900 quadrillion eons (1 eon = 500 million years)
Slide 15: PHP Sessions: Entropy. session_start()'s pseudo-random data: IP address: 32 bits; Epoch: 32 bits; Microseconds: 32 bits; Random lcg_value() (PRNG): 64 bits; TOTAL: 160 bits; SHA1'd: 160 bits. 160 bits = a lot = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976
Slide 16: PHP Sessions: Entropy Redux. Not so pseudo-random data: IP address: 32 bits; Epoch: 32 bits; Microseconds: 32 bits, but only 0 - 999,999 … and 20 bits = 1,048,576, so < 20 bits! (REDUCED) -12 bits; Random lcg_value() (PRNG): 64 bits; TOTAL: 148 bits (reduced by 12 bits); SHA1'd: 160 bits
Slide 17: An Example: Facebook
Slide 18: PHP Sessions: Entropy Redux. Not so pseudo-random data: IP address: 32 bits; Epoch: 32 bits (ACQUIRED) -32 bits; Microseconds: 32 bits, but only 0 - 999,999 … and 20 bits = 1,048,576, so < 20 bits! (REDUCED) -12 bits; Random lcg_value() (PRNG): 64 bits; TOTAL: 116 bits (reduced by 44 bits); SHA1'd: 160 bits
Slide 19: An Example: Facebook
Slide 20: PHP Sessions: Entropy Redux. Not so pseudo-random data: IP address: 32 bits (ACQUIRED) -32 bits; Epoch: 32 bits (ACQUIRED) -32 bits; Microseconds: 32 bits, but only 0 - 999,999 … and 20 bits = 1,048,576, so < 20 bits! (REDUCED) -12 bits; Random lcg_value() (PRNG): 64 bits; TOTAL: 84 bits (reduced by 76 bits); SHA1'd: 160 bits
Slide 21: PHP LCG (PRNG): Randomness. php_combined_lcg() / PHP function lcg_value()
Slide 22: PHP LCG (PRNG): Randomness. S1 WAS 32 bits, NOW 20 bits. SEED (s1+s2): 64 bits - 12 bits = 52 bits
Slide 23: PHP LCG (PRNG): Randomness. LCG(s2) = (long) getpid(); S2 = 32 bits. Linux only uses 15 bits for PIDs, so S2 = 32 bits - 17 bits = 15 bits. SEED (s1+s2) = 15 bits + 20 bits = 35 bits. PHP function: getmypid(); Linux command: ps. Learn the PID, remove the other 15 bits! SEED (s1+s2) = 0 bits + 20 bits = 20 bits
Slide 24: PHP Sessions: Entropy Redux. Not so pseudo-random data: IP address: 32 bits (ACQUIRED) -32 bits; Epoch: 32 bits (ACQUIRED) -32 bits; Microseconds: 32 bits, but only 0 - 999,999 … and 20 bits = 1,048,576, so < 20 bits! (REDUCED) -12 bits; Random lcg_value (REDUCED) -44 bits; TOTAL: 40 bits (reduced by 120 bits); SHA1'd: 160 bits
Slide 26: PHP Sessions: Entropy Redux. Microseconds: 32 bits down to 20 bits; Random lcg_value down to 20 bits. 40 bits? No! We can calculate lcg_value() first! With a time-memory trade-off (4 MB), we can learn the lcg_value original seed in almost no time, REDUCING to 20 bits! 40 bits - 20 bits = 20 bits. 20 bits = 1,048,576 cookies
Slide 27: GREAT SUCCESS! 500,000 requests on average! Will be done in a day
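The entropy accounting on slides 12 through 27, written out as an added Python illustration (this is not code from the talk; the names Component, remaining_bits, reduction_bits, expected_guesses, brute_force_eons and csprng_session_id are mine, while the bit widths, the 10^14 guesses-per-second rate and the 500-million-year eon are the slides' own). The point it makes is the defender's one: the SHA1 output is 160 bits regardless, but only the bits an observer cannot learn or bound count, and a session ID drawn from the OS CSPRNG keeps its full width no matter what the client's IP, clock or PID reveal.

```python
"""Entropy budget of the pre-5.3.2 PHP session ID as the slides account for it.

Added illustration, not Samy Kamkar's code. Field widths and the reductions
follow slides 12-27; function and class names are assumptions of this example.
"""
import math
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    nominal_bits: int    # width of the field as fed into SHA1
    effective_bits: int  # bits an observer still has to guess


def microsecond_bits():
    # gettimeofday() microseconds only range 0..999,999, so the 32-bit
    # field carries ceil(log2(1,000,000)) = 20 unpredictable bits
    return math.ceil(math.log2(1_000_000))


def remaining_bits(components):
    return sum(c.effective_bits for c in components)


def reduction_bits(components):
    return sum(c.nominal_bits - c.effective_bits for c in components)


def expected_guesses(bits):
    # on average half of the space is searched before the hit
    return 2 ** (bits - 1)


def brute_force_eons(bits, guesses_per_second=10**14, eon_years=500_000_000):
    # slide 14: (2^bits) / rate / seconds-per-eon
    seconds = 2 ** bits / guesses_per_second
    return seconds / (3600 * 24 * 365 * eon_years)


# Slide 12: the advertised budget, every field taken at face value
ADVERTISED = (
    Component("ip", 32, 32),
    Component("epoch", 32, 32),
    Component("microseconds", 32, 32),
    Component("lcg_value", 64, 64),
)

# Slides 16-24: the same fields after the reductions the talk walks through:
# IP and epoch observable (ACQUIRED), microseconds bounded to 20 bits, and the
# LCG seed built from a 20-bit time component plus an observable 15-bit PID
REDUCED = (
    Component("ip", 32, 0),
    Component("epoch", 32, 0),
    Component("microseconds", 32, microsecond_bits()),
    Component("lcg_value", 64, 20),
)

# Slide 26: the LCG output is recovered first via a time-memory trade-off,
# so only the microsecond field is left to guess
FINAL = (
    Component("ip", 32, 0),
    Component("epoch", 32, 0),
    Component("microseconds", 32, microsecond_bits()),
    Component("lcg_value", 64, 0),
)


def csprng_session_id(nbytes=16):
    # Mitigation in the spirit of slide 28 ("create your own session values"):
    # 16 bytes from the OS CSPRNG give 128 bits that do not shrink when an
    # observer learns the client's IP, the server's clock or its PID.
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for label, comps in (("advertised", ADVERTISED), ("reduced", REDUCED), ("final", FINAL)):
        bits = remaining_bits(comps)
        print(f"{label:>10}: {bits:3d} bits left, {reduction_bits(comps):3d} removed, "
              f"~{expected_guesses(bits):,} guesses on average")
    print(f"160 bits at 1e14/s: ~{brute_force_eons(160):.3g} eons")
    print("CSPRNG session id:", csprng_session_id())
```

Running it reproduces the slides' totals (160, 40 and 20 bits; roughly 9.27e17 eons for the full 160 bits; about 524,288 guesses on average for 20 bits, the "500,000 requests" of slide 27).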
Slide 28: You down with entropy? Yeah, you know me! PHP 5.3.2: more entropy; Create your own session values!; Attack is hard to execute!; PS, Facebook is NOT vulnerable! <3 Facebook. Please help my farmville. * Thanks to Arshan Dabirsiaghi and Amit Klein for pointing me in the right direction
Slide 29: GREAT SUCCESS! Using the victim's cookie, message our new victim with a malicious link!
Slide 30: This is your network.
Slide 31: This is your network on drugs.
Slide 32: A NAT
Slide 33: Cross-Protocol Scripting (XPS). HTTP servers can run on any port; A hidden form can auto-submit data to any port via JS form.submit(); HTTP is a newline-based protocol; So are other protocols….hmmmm
Slide 34: Cross-Protocol Scripting: Examples in the real world. Let's write an IRC client… in HTTP! This uses the CLIENT's computer to connect, thus using their IP address!
Slide 35: XPS IRC Example
Slide 36: NAT Pinning: cont.
Slide 37: HTTP POST w/ IRC data
Slide 38: NAT Pinning: XPS times OVER 9,000. Sweet! So what is NAT Pinning? NAT Pinning confuses not only the browser but also the ROUTER at the application layer. E.g., when communicating with port 6667, the browser thinks HTTP, the router thinks IRC. We can exploit this and use the router's conveniences to attack the client
Slide 39: Cross-Protocol Scripting (XPS) and NAT Pinning: Introduction
Slide 40: NAT Pinning: IRC DCC. linux/net/netfilter/nf_conntrack_irc.c. DCC chats/file sends happen on a different port than chat. Client sends: PRIVMSG samy :DCC CHAT samy IP port. Router sees IP (determined from HTTP_REMOTE_ADDR) and port, then FORWARDS the port to the client! ANY PORT!
Slide 41: NAT Pinning: cont.
Slide 42: NAT Pinning: blocked ports. What if the browser doesn't allow outbound connections on specific ports? TCP/UDP ports = 16 bits = 65536. So overflow the port! 65536 + 6667
Slide 43: NAT Pinning: blocked ports. 6667 + 65536 = 72203. 6667 = 0 0001101000001011; 72203 = 1 0001101000001011. Some browsers check: if port == 6667 … but 72203 != 6667. Correct check: port % 2^16. * WebKit integer overflow found by Goatse Security
Slide 45: NAT Pinning: prevention. Strict firewall - don't allow unknown outbound connections; Client side - run an up-to-date browser; Client side - use NoScript if using Firefox; Client side - run a local firewall or a tool like LittleSnitch to know whether an application is accessing unknown ports
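The port check on slide 43, as an added Python illustration (not code from the talk, and not WebKit's code; the function names and the one-entry BLOCKED_PORTS set are constructed for this example). It places the flawed equality check beside the slide's "port % 2^16" normalization and beside the stricter form a defender would actually ship, which rejects any value outside 1..65535 before it is ever compared.

```python
"""Blocked-port checks around the 16-bit overflow on slide 43.

Added illustration, not code from the talk or from WebKit. BLOCKED_PORTS is a
constructed sample; IRC's 6667 is the only port the slide uses.
"""
PORT_SPACE = 2 ** 16          # TCP/UDP port field is 16 bits
BLOCKED_PORTS = {6667}        # constructed sample blocklist


def bit_pattern(port, width=17):
    # 17-bit rendering so the overflow bit above the port field is visible
    return format(port, f"0{width}b")


def effective_port(port):
    # the kernel only keeps the low 16 bits, so this is the port that is
    # really connected to when an oversized number slips through
    return port % PORT_SPACE


def naive_is_blocked(port):
    # the flawed pattern: compare the raw number the page supplied
    return port in BLOCKED_PORTS


def normalized_is_blocked(port):
    # the slide's correction: compare what the port field will hold
    return effective_port(port) in BLOCKED_PORTS


def strict_is_allowed(port):
    # hardened form: a port outside the valid range is not a port at all,
    # so refuse it outright instead of silently wrapping it
    if not isinstance(port, int) or not 1 <= port <= PORT_SPACE - 1:
        return False
    return port not in BLOCKED_PORTS


if __name__ == "__main__":
    for p in (6667, 6667 + PORT_SPACE):
        print(f"{p:6d} = {bit_pattern(p)}  wraps to {effective_port(p):5d}  "
              f"naive blocked={naive_is_blocked(p)}  "
              f"normalized blocked={normalized_is_blocked(p)}  "
              f"strict allowed={strict_is_allowed(p)}")
```

The naive check lets 72203 through while the connection lands on 6667; the normalized check catches it, and the strict check refuses it for the better reason that 72203 is not a valid port in the first place.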
Slide 46: Penetration 2.0
Slide 47: TRIPLE X
Slide 48: TRIPLE X SS
Slide 49: Geolocation via XXXSS
Slide 50: Geolocation via XXXSS. Anna visits a malicious site
Slide 51: Geolocation via XXXSS. Anna visits a malicious site; XXXSS scans your local network for the router type
Slide 52: Geolocation via XXXSS. Anna visits a malicious site; XXXSS scans your local network for the router type
Slide 53: Geolocation via XXXSS. Anna visits a malicious site; XXXSS scans your local network for the router type; If necessary, log in with default credentials!
Slide 55: Geolocation via XXXSS. Anna visits a malicious site; XXXSS scans for the router type; Logs in with default credentials (if necessary); XSS the router to load remote malicious JS
Slide 56: Geolocation via XXXSS. Remote JS uses AJAX to acquire the MAC
Slide 57: Why MAC Address?
Slide 58: Why MAC Address? Just Bing it!
Slide 59: Why MAC Address? Just Bing it! Type www.bing.com in your URL bar
Slide 60: Why MAC Address? Just Bing it! Type www.bing.com in your URL bar; Type "Google" in the search box
Slide 61: Why MAC Address? Just Bing it! Type www.bing.com in your URL bar; Type "Google" in the search box; Hit enter!
Slide 62: Why MAC Address?
Slide 63: Geolocation via XXXSS. Upon MAC acquisition, ask the Google; See FF source for Location Services
Slide 64: Geolocation via XXXSS. latitude: 36.0920029 longitude: -123.3461946
Slide 65: Geolocation via XXXSS
Slide 66: NAT Pinning: prevention. Strict firewall - don't allow unknown outbound connections; Client