How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks in order to meet your girlfriend.
Samy Kamkar email@example.com http://samy.pl Twitter: @SamyKamkar

Who is samy?
- "Narcissistic Vulnerability Pimp" (aka Security Researcher for no particular reason)
- Author of The Samy Worm on MySpace
- Co-Founder of Fonality, IP PBX company
- Chick Magnet [citation needed]
- Lady Gaga enthusiast

Cyber Warrior
- Raided
- Computer use lost
- Tweens everywhere frustrated

Why the web?
- It's new, it's cool, it's exploitable!
- Gopher isn't used as much anymore
- The web is a code distribution channel
- Browsers can communicate in ways they don't know
- And much more!

My Homepage

Attack Indirectly
- Certified Information Security Specialist Professional
- Chief Executive Officer of SecTheory
- Co-Author of "XSS Exploits: Cross Site Scripting Attacks and Defense"
- Author of "Detecting Malice"
- Co-engineer of Clickjacking with Jeremiah Grossman
- Runs ha.ckers.org and sla.ckers.org
- Certified ASS (Application Security Specialist)

Attack Indirectly
- Robert "Rsnake" Hansen
- How do we attack someone who secures himself well?
- Don't.

Attack Indirectly
- XSS? Probably won't fall for it.
- CSRF? Same.
PHP: Overview
- PHP: extremely common web language
- PHP sessions: extremely common default session management
- PHP sessions: used by default in most PHP frameworks (e.g., CakePHP)
- PHP sessions: either passed in URL or…

PHP Sessions: Overview
- session_start() – initialize PHP session

PHP Sessions: Entropy
session_start()'s pseudo-random data:
- IP address: 32 bits
- Epoch: 32 bits
- Microseconds: 32 bits
- Random lcg_value() (PRNG): 64 bits
- TOTAL: 160 bits
- SHA1'd: 160 bits
- 160 bits = a lot = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

How big is a bit? A few tricks
- For every 10 bits, add ~3 zeros
- 10 bits = 1,024 (thousand)
- 20 bits = 1,048,576 (mil)
- 30 bits = 1,073,741,824
- 25 bits = ~32,000,000

It's Just Math!
- 160 bits = 2 ^ 160 = ~10 ^ 48
- 160 bits = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976
- At 100 trillion values per second, 160 bits would take…
- (2 ^ 160) / (10 ^ 14) / (3600 * 24 * 365 * 500000000) = 926,878,258,073,885,666 = 900 quadrillion eons
- 1 eon = 500 million years

PHP Sessions: Entropy
session_start()'s pseudo-random data:
- IP address: 32 bits
- Epoch: 32 bits
- Microseconds: 32 bits
- Random lcg_value() (PRNG): 64 bits
- TOTAL: 160 bits
- SHA1'd: 160 bits
- 160 bits = a lot = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

PHP Sessions: Entropy Redux
Not so pseudo-random data:
- IP address: 32 bits
- Epoch: 32 bits
- Microseconds: 32 bits, but only 0 – 999,999 … 20 bits = 1,048,576, so < 20 bits! (REDUCED) -12 bits
- Random lcg_value() (PRNG): 64 bits
- TOTAL: 148 bits (reduced by 12 bits)
- SHA1'd: 160 bits

An Example: Facebook

PHP Sessions: Entropy Redux
Not so pseudo-random data:
- IP address: 32 bits
- Epoch: 32 bits (ACQUIRED) -32 bits
- Microseconds: 32 bits, but only 0 – 999,999 … 20 bits = 1,048,576, so < 20 bits! (REDUCED) -12 bits
- Random lcg_value() (PRNG): 64 bits
- TOTAL: 116 bits (reduced by 44 bits)
- SHA1'd: 160 bits

An Example: Facebook

PHP Sessions: Entropy Redux
Not so pseudo-random data:
- IP address: 32 bits (ACQUIRED) -32 bits
- Epoch: 32 bits (ACQUIRED) -32 bits
- Microseconds: 32 bits, but only 0 – 999,999 … 20 bits = 1,048,576, so < 20 bits! (REDUCED) -12 bits
- Random lcg_value() (PRNG): 64 bits
- TOTAL: 84 bits (reduced by 76 bits)
- SHA1'd: 160 bits
PHP LCG (PRNG): Randomness
- php_combined_lcg() / PHP func lcg_value()

PHP LCG (PRNG): Randomness
- S1 WAS 32 bits, NOW 20 bits
- SEED (s1+s2): 64 bits – 12 bits = 52 bits

PHP LCG (PRNG): Randomness
- LCG(s2) = (long) getpid();
- S2 = 32 bits
- Linux only uses 15 bits for PIDs
- S2 = 32 bits – 17 bits = 15 bits
- SEED (s1+s2) = 15 bits + 20 bits = 35 bits
- PHP function: getmypid()
- Linux command: ps
- Learn PID, reduce the other 15 bits!
- SEED (s1+s2) = 0 bits + 20 bits = 20 bits

PHP Sessions: Entropy Redux
Not so pseudo-random data:
- IP address: 32 bits (ACQUIRED) -32 bits
- Epoch: 32 bits (ACQUIRED) -32 bits
- Microseconds: 32 bits, but only 0 – 999,999 … 20 bits = 1,048,576, so < 20 bits! (REDUCED) -12 bits
- Random lcg_value (REDUCED) -44 bits
- TOTAL: 40 bits (reduced by 120 bits)
- SHA1'd: 160 bits

PHP Sessions: Entropy Redux
- Microseconds: 32 bits down to 20 bits
- Random lcg_value down to 20 bits
- 40 bits? No! We can calc lcg_value() first!
- With a time-memory trade-off (4 MB), we can learn the lcg_value original seed in almost no time, REDUCING to 20 bits!
- 40 bits – 20 bits = 20 bits
- 20 bits = 1,048,576 cookies

GREAT SUCCESS!
- 500,000 requests on average!
- Will be finished in a day
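
Added worked check, not part of the original slides, for the figures on the last few slides. Entropy is counted from the number of possible values a field can take, not from the width of the field:

  microseconds: 0 to 999,999 = 10^6 values, log2(10^6) = 19.93 bits (< 20 bits, as the slide says)
  remaining search space: at most 2^20 = 1,048,576 candidate cookies
  expected guesses before a hit: 2^20 / 2 = 524,288, roughly the 500,000 requests quoted
  spread over one day: 524,288 / 86,400 s = about 6 requests per second
  nominal 160 bits vs. the 20 bits left: 2^160 / 2^20 = 2^140 times fewer guesses

The SHA1 step keeps the output at 160 bits but adds nothing: a hash cannot contain more entropy than its inputs.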

You down with entropy? Yeah you know me!
- PHP 5.3.2: more entropy
- Create your own session values!
- Attack is difficult to execute!
- PS, Facebook is NOT vulnerable!
- <3 Facebook
- Please help my farmville
- * Thanks to Arshan Dabirsiaghi and Amit Klein for pointing me in the right direction

GREAT SUCCESS!
- Using victim's cookie, message our new victim with a malicious link!

This is your network.

This is your network on drugs.

A NAT

Cross-Protocol Scripting (XPS)
- HTTP servers can run on any port
- A hidden form can auto-submit data to any port via JS form.submit()
- HTTP is a newline-based protocol
- So are other protocols….hmmmm

Cross-Protocol Scripting: Examples in the real world
- Let's write an IRC client in HTTP!
- This uses the CLIENT's computer to connect, thus using their IP address!

XPS IRC Example

NAT Pinning: cont.

HTTP POST w/IRC content

NAT Pinning: XPS times OVER 9,000
- Sweet! So what is NAT Pinning?
- NAT Pinning confuses not only the browser, but also the ROUTER on the application layer
- E.g., when communicating with port 6667, browser thinks HTTP, router thinks IRC
- We can exploit this and use router conveniences to attack the client

Cross-Protocol Scripting (XPS) and NAT Pinning: Introduction

NAT Pinning: IRC DCC
- linux/net/netfilter/nf_conntrack_irc.c
- DCC chats/file sends occur on a separate port than chat
- Client sends: PRIVMSG samy :DCC CHAT samy IP port
- Router sees IP (determined from HTTP_REMOTE_ADDR) and port, then FORWARDS port to client!
- ANY PORT!

NAT Pinning: cont.

NAT Pinning: blocked ports
- If browser doesn't allow outbound connections on specific ports?
- TCP/UDP ports = 16 bits = 65536
- So overflow the port! 65536 + 6667

NAT Pinning: blocked ports
- 6667 + 65536 = 72203
- 6667 = 0 0001101000001011
- 72203 = 1 0001101000001011
- Some browsers check: if port == 6667 … but 72203 != 6667
- Correct check: port % 2^16
- * Webkit integer overflow discovered by Goatse Security
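
Added example (not from the original slides): the blocked-port check from this slide written in C, showing why comparing the requested port as a wide integer misses 72203 while comparing the 16-bit value that actually reaches the wire does not. The blocklist contents and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed blocklist for this example; 6667 (IRC) is the port from the slide. */
static const long BLOCKED[] = { 25, 110, 6667 };

/* TCP ports are 16 bits wide, so only (requested mod 2^16) reaches the wire.
 * Conversion to uint16_t is defined as reduction modulo 65536. */
uint16_t wire_port(long requested) { return (uint16_t)requested; }

static int on_blocklist(long port) {
    for (size_t i = 0; i < sizeof BLOCKED / sizeof BLOCKED[0]; i++)
        if (BLOCKED[i] == port) return 1;
    return 0;
}

/* Flawed check: compares the wide value exactly as parsed from the URL. */
int naive_is_blocked(long requested) { return on_blocklist(requested); }

/* The slide's corrected check: compare port % 2^16. */
int modulo_is_blocked(long requested) { return on_blocklist(wire_port(requested)); }

/* Stricter variant (an addition here): refuse anything outside 1..65535
 * instead of silently folding it into range. */
int strict_is_allowed(long requested) {
    if (requested < 1 || requested > 65535) return 0;
    return !on_blocklist(requested);
}

int main(void) {
    const long samples[] = { 80, 6667, 72203 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long p = samples[i];
        printf("%6ld -> wire %5u  naive=%d modulo=%d strict_allowed=%d\n",
               p, (unsigned)wire_port(p), naive_is_blocked(p),
               modulo_is_blocked(p), strict_is_allowed(p));
    }
    return 0;
}
```

Rejecting out-of-range values outright, as strict_is_allowed does, also avoids depending on every later layer applying the same truncation.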

NAT Pinning: prevention
- Strict firewall – don't allow unknown outbound connections
- Client side – run an up-to-date browser
- Client side – use NoScript if using Firefox
- Client side – run a local firewall or a tool like LittleSnitch to know if an application is accessing unknown ports

Penetration 2.0

TRIPLE X

TRIPLE X SS

Geolocation via XXXSS

Geolocation via XXXSS
- Anna visits malicious website

Geolocation via XXXSS
- Anna visits malicious website
- XXXSS scans your local network for router type

Geolocation via XXXSS
- Anna visits malicious website
- XXXSS scans your local network for router type

Geolocation via XXXSS
- Anna visits malicious website
- XXXSS scans your local network for router type
- If necessary, log in with default credentials!

Geolocation via XXXSS
- Anna visits malicious site
- XXXSS scans for router type
- Logs in with default credentials (if necessary)
- XSS router to load remote malicious JS

Geolocation via XXXSS
- Remote JS uses AJAX to acquire MAC

Why MAC Address?

Why MAC Address?
- Just Bing it!

Why MAC Address?
- Just Bing it!
- Type www.bing.com in your URL bar

Why MAC Address?
- Just Bing it!
- Type www.bing.com in your URL bar
- Type in "Google" in the search box

Why MAC Address?
- Just Bing it!
- Type www.bing.com in your URL bar
- Type in "Google" in the search box
- Hit enter!

Why MAC Address?

Geolocation via XXXSS
- Upon MAC acquisition, ask the Google
- See FF hotspot for Location Services

Geolocation via XXXSS
- latitude: 36.0920029
- longitude: -123.3461946

Geolocation via XXXSS