How I Met Your Girlfriend


Description
How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks to meet your girlfriend. Samy Kamkar, samy@samy.pl, http://samy.pl, Twitter: @SamyKamkar. Who is samy? "Narcissistic Vulnerability Pimp" (aka Security Researcher for fun)
Transcripts
Slide 1

How I Met Your Girlfriend: The discovery and execution of entirely new classes of Web attacks to meet your girlfriend.
Samy Kamkar
samy@samy.pl
http://samy.pl
Twitter: @SamyKamkar

Slide 2

Who is samy?
"Narcissistic Vulnerability Pimp" (aka Security Researcher for fun)
Author of The Samy Worm on MySpace
Co-Founder of Fonality, IP PBX company
Chick Magnet [citation needed]
Lady Gaga enthusiast

Slide 3

Cyber Warrior
Raided
Computer usage lost
Tweens everywhere disappointed

Slide 4

Why the web?
It's new, it's cool, it's exploitable!
Gopher isn't used as much anymore
The web is a code distribution channel
Browsers can communicate in ways they don't know about
And much more!

Slide 5

My Homepage

Slide 6

Attack Indirectly
Certified Information Security Specialist Professional
Chief Executive Officer of SecTheory
Co-Author of "XSS Exploits: Cross Site Scripting Attacks and Defense"
Author of "Detecting Malice"
Co-developer of Clickjacking with Jeremiah Grossman
Runs ha.ckers.org and sla.ckers.org
Certified ASS (Application Security Specialist)

Slide 7

Attack Indirectly
Robert "RSnake" Hansen
How do we attack someone who secures himself well? Don't.

Slide 8

Attack Indirectly
XSS? Probably won't get owned by it.
CSRF? Same.

Slide 9

PHP: Overview
PHP: extremely common web language
PHP sessions: extremely common default session management
PHP sessions: used by default in most PHP frameworks (e.g., CakePHP)
PHP sessions: either passed in the URL or…

Slide 11

PHP Sessions: Overview
session_start() – initializes the PHP session

Slide 12

PHP Sessions: Entropy
session_start()'s pseudo-random data:
IP address: 32 bits
Epoch: 32 bits
Microseconds: 32 bits
Random lcg_value() (PRNG): 64 bits
TOTAL: 160 bits
SHA1'd: 160 bits
160 bits = a lot = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

Slide 13

How big is a bit? A few tricks
For every 10 bits, add ~3 zeros
10 bits = 1,024 (thousand)
20 bits = 1,048,576 (million)
30 bits = 1,073,741,824
25 bits = ~32,000,000

Slide 14

It's Just Math!
160 bits = 2^160 = ~10^48
160 bits = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976
At 100 trillion values per second, 160 bits would take…
(2^160) / (10^14) / (3600 * 24 * 365 * 500000000) = 926,878,258,073,885,666 = 900 quadrillion ages
1 age = 500 million years

Slide 15

PHP Sessions: Entropy
session_start()'s pseudo-random data:
IP address: 32 bits
Epoch: 32 bits
Microseconds: 32 bits
Random lcg_value() (PRNG): 64 bits
TOTAL: 160 bits
SHA1'd: 160 bits
160 bits = a lot = 1,461,501,637,330,902,918,203,684,832,716,283,019,655,932,542,976

Slide 16

PHP Sessions: Entropy Redux
Not so pseudo-random data:
IP address: 32 bits
Epoch: 32 bits
Microseconds: 32 bits, but only 0 – 999,999 … less than 20 bits (20 bits = 1,048,576)! (REDUCED) - 12 bits
Random lcg_value() (PRNG): 64 bits
TOTAL: 148 bits (reduced by 12 bits)
SHA1'd: 160 bits

Slide 17

An Example: Facebook

Slide 18

PHP Sessions: Entropy Redux
Not so pseudo-random data:
IP address: 32 bits
Epoch: 32 bits (ACQUIRED) - 32 bits
Microseconds: 32 bits, but only 0 – 999,999 … less than 20 bits (20 bits = 1,048,576)! (REDUCED) - 12 bits
Random lcg_value() (PRNG): 64 bits
TOTAL: 116 bits (reduced by 44 bits)
SHA1'd: 160 bits

Slide 19

An Example: Facebook

Slide 20

PHP Sessions: Entropy Redux
Not so pseudo-random data:
IP address: 32 bits (ACQUIRED) - 32 bits
Epoch: 32 bits (ACQUIRED) - 32 bits
Microseconds: 32 bits, but only 0 – 999,999 … less than 20 bits (20 bits = 1,048,576)! (REDUCED) - 12 bits
Random lcg_value() (PRNG): 64 bits
TOTAL: 84 bits (reduced by 76 bits)
SHA1'd: 160 bits

Slide 21

PHP LCG (PRNG): Randomness
php_combined_lcg() / PHP function lcg_value()

Slide 22

PHP LCG (PRNG): Randomness
S1 WAS 32 bits, NOW 20 bits
SEED (s1+s2): 64 bits – 12 bits = 52 bits

Slide 23

PHP LCG (PRNG): Randomness
LCG(s2) = (long) getpid();
S2 = 32 bits
Linux only uses 15 bits for PIDs
S2 = 32 bits – 17 bits = 15 bits
SEED (s1+s2) = 15 bits + 20 bits = 35 bits
PHP function: getmypid()
Linux command: ps
Learn the PID, remove the other 15 bits!
SEED (s1+s2) = 0 bits + 20 bits = 20 bits

Slide 24

PHP Sessions: Entropy Redux
Not so pseudo-random data:
IP address: 32 bits (ACQUIRED) - 32 bits
Epoch: 32 bits (ACQUIRED) - 32 bits
Microseconds: 32 bits, but only 0 – 999,999 … less than 20 bits (20 bits = 1,048,576)! (REDUCED) - 12 bits
Random lcg_value (REDUCED) - 44 bits
TOTAL: 40 bits (reduced by 120 bits)
SHA1'd: 160 bits

Slide 26

PHP Sessions: Entropy Redux
Microseconds: 32 bits down to 20 bits
Random lcg_value down to 20 bits
40 bits? No! We can calculate lcg_value() first!
With a time-memory trade-off (4 MB), we can learn the original lcg_value seed in no time, REDUCING to 20 bits!
40 bits – 20 bits = 20 bits
20 bits = 1,048,576 cookies
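The entropy bookkeeping of slides 12 through 26, carried through in code. This is an added example, not the talk's own code: the component widths, the 0–999,999 microsecond range, the 20-bit LCG seed and the 10^14 guesses/second figure are the ones the slides state, and the "age" unit is the slides' 500 million years.

```python
import math

# Nominal inputs to session_start()'s id (before SHA-1), sizes as the slides give them.
NOMINAL_BITS = {"ip": 32, "epoch": 32, "usec": 32, "lcg_value": 64}

GUESSES_PER_SECOND = 10**14                        # "100 trillion values per second"
SECONDS_PER_AGE = 3600 * 24 * 365 * 500_000_000    # 1 age = 500 million years


def usable_bits(distinct_values: int) -> int:
    """Bits needed to enumerate a field whose real range is narrower than its width."""
    return math.ceil(math.log2(distinct_values))


def effective_bits(known=(), ranges=None) -> int:
    """Entropy left once components an attacker learns (`known`) drop to 0 bits
    and components with a limited value range (`ranges`) shrink to usable_bits()."""
    ranges = ranges or {}
    total = 0
    for name, width in NOMINAL_BITS.items():
        if name in known:
            continue
        total += min(width, usable_bits(ranges[name])) if name in ranges else width
    return total


def brute_force_ages(bits: int) -> int:
    """Whole 'ages' needed to exhaust a bits-wide space at GUESSES_PER_SECOND."""
    return (2 ** bits) // GUESSES_PER_SECOND // SECONDS_PER_AGE


def expected_guesses(bits: int) -> int:
    """Average guesses to hit one uniformly chosen live value: half the space."""
    return 2 ** bits // 2


# The slides' reduction steps, in order.
USEC = {"usec": 1_000_000}                         # microseconds only span 0..999,999
STEPS = [
    ("nominal",                effective_bits()),
    ("usec range limited",     effective_bits(ranges=USEC)),
    ("+ epoch acquired",       effective_bits(known={"epoch"}, ranges=USEC)),
    ("+ ip acquired",          effective_bits(known={"epoch", "ip"}, ranges=USEC)),
    ("+ lcg seed down to 20b", effective_bits(known={"epoch", "ip"},
                                              ranges={**USEC, "lcg_value": 2**20})),
    ("+ lcg_value computed",   effective_bits(known={"epoch", "ip", "lcg_value"}, ranges=USEC)),
]

if __name__ == "__main__":
    for label, bits in STEPS:
        print(f"{label:24s} {bits:4d} bits  ages={brute_force_ages(bits)}"
              f"  avg guesses={expected_guesses(bits)}")
```

The last step reproduces the slides' 500,000-request average: half of 2^20.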

Slide 27

GREAT SUCCESS!
500,000 requests on average!
Will be done in a day

Slide 28

You down with entropy? Yeah you know me!
PHP 5.3.2: more entropy
Create your own session values!
Attack is hard to execute!
PS, Facebook is NOT vulnerable! <3 Facebook
Please help my farmville
* Thanks to Arshan Dabirsiaghi and Amit Klein for pointing me in the right direction

Slide 29

GREAT SUCCESS!
Using the victim's cookie, message our new victim with a malicious link!

Slide 30

This is your network.

Slide 31

This is your network on drugs.

Slide 32

A NAT

Slide 33

Cross-Protocol Scripting (XPS)
HTTP servers can run on any port
A hidden form can auto-submit data to any port via JS form.submit()
HTTP is a newline-based protocol
So are other protocols….hmmmm

Slide 34

Cross-Protocol Scripting: Examples in the real world
Let's write an IRC client in HTTP!
This uses the CLIENT's PC to connect, thus using their IP address!

Slide 35

XPS IRC Example

Slide 36

NAT Pinning: cont.

Slide 37

HTTP POST w/ IRC content

Slide 38

NAT Pinning: XPS times OVER 9,000
Sweet! So what is NAT Pinning?
NAT Pinning confuses not only the browser, but also the ROUTER at the application layer
E.g., when communicating with port 6667, the browser thinks HTTP, the router thinks IRC
We can abuse this and use router conveniences to attack the client

Slide 39

Cross-Protocol Scripting (XPS) and NAT Pinning: Introduction

Slide 40

NAT Pinning: IRC DCC
linux/net/netfilter/nf_conntrack_irc.c
DCC chats / file sends happen on a different port than chat
Client sends: PRIVMSG samy :DCC CHAT samy IP port
Router sees IP (determined from HTTP_REMOTE_ADDR) and port, then FORWARDS the port to the client! ANY PORT!

Slide 41

NAT Pinning: cont.

Slide 42

NAT Pinning: blocked ports
What if the browser doesn't allow outbound connections on specific ports?
TCP/UDP ports = 16 bits = 65536
So overflow the port! 65536 + 6667

Slide 43

NAT Pinning: blocked ports
6667 + 65536 = 72203
6667 = 0 0001101000001011
72203 = 1 0001101000001011
Some browsers check: if port == 6667 … but 72203 != 6667
Correct check: port % 2^16
* Webkit integer overflow found by Goatse Security
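Two defender-side checks for the NAT pinning pattern of slides 37 through 43, as an added example that is not the talk's own code: the port comparison done on the 16-bit value (so 72203 is refused like 6667), and a gateway-side inspector that flags a stream to the IRC port whose payload is framed as an HTTP request yet carries the DCC CHAT command a conntrack IRC helper acts on. The sample payload, the address 203.0.113.10 and port 8000 are constructed placeholders.

```python
import re
from typing import Optional

IRC_PORT = 6667
RESTRICTED_PORTS = {IRC_PORT}        # ports a browser must refuse for scripted form posts


def blocked_port(port: int) -> bool:
    """The check the slides say some browsers got wrong: compare the 16-bit value
    the TCP stack will actually use, not the raw number. 72203 wraps to 6667."""
    return port % 2**16 in RESTRICTED_PORTS


# Request line of an HTTP message; a real IRC client never opens a stream this way.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r?\n")
# DCC CHAT command the conntrack IRC helper parses: "... DCC CHAT <arg> <ip> <port>".
DCC_CHAT = re.compile(rb"PRIVMSG \S+ :\x01?DCC CHAT \S+ (\S+) (\d+)", re.IGNORECASE)


def looks_like_xps(dst_port: int, payload: bytes) -> Optional[dict]:
    """Flag a stream to the IRC port that is framed as HTTP yet carries DCC CHAT:
    the browser sent HTTP, the router's helper reads IRC and would open the named
    port back toward the client. Returns that port, or None for ordinary traffic."""
    if dst_port != IRC_PORT:
        return None
    if not HTTP_REQUEST_LINE.match(payload):
        return None                  # plain IRC, or not IRC at all
    m = DCC_CHAT.search(payload)
    if not m:
        return None
    return {"http_framed": True, "dcc_port": int(m.group(2))}


# Constructed sample: an HTTP POST carrying an IRC line, as on the "HTTP POST
# w/ IRC content" slide. Host, DCC address and port are placeholders.
SAMPLE_XPS = (
    b"POST / HTTP/1.1\r\n"
    b"Host: 203.0.113.10:6667\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"PRIVMSG samy :DCC CHAT samy 0 8000\r\n"
)
# Constructed sample of a legitimate IRC client's DCC request (CTCP-delimited).
SAMPLE_IRC = b"PRIVMSG samy :\x01DCC CHAT chat 0 8000\x01\r\n"

if __name__ == "__main__":
    print(blocked_port(72203))                      # True
    print(looks_like_xps(IRC_PORT, SAMPLE_XPS))     # {'http_framed': True, 'dcc_port': 8000}
    print(looks_like_xps(IRC_PORT, SAMPLE_IRC))     # None
```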

Slide 45

NAT Pinning: prevention
Strict firewall – don't allow unknown outbound connections
Client side – run an up-to-date browser
Client side – use NoScript if using Firefox
Client side – run a local firewall or a tool like LittleSnitch to know whether an application is accessing unknown ports

Slide 46

Penetration 2.0

Slide 47

TRIPLE X

Slide 48

TRIPLE X SS

Slide 49

Geolocation via XXXSS

Slide 50

Geolocation via XXXSS
Anna visits malicious website

Slide 51

Geolocation via XXXSS
Anna visits malicious website
XXXSS scans your local network for router type

Slide 52

Geolocation via XXXSS
Anna visits malicious website
XXXSS scans your local network for router type

Slide 53

Geolocation via XXXSS
Anna visits malicious website
XXXSS scans your local network for router type
If necessary, log in with default credentials!

Slide 55

Geolocation via XXXSS
Anna visits malicious website
XXXSS scans for router type
Logs in with default credentials (if necessary)
XSS the router to load remote malicious JS

Slide 56

Geolocation via XXXSS
Remote JS uses AJAX to acquire the MAC address

Slide 57

Why MAC Address?

Slide 58

Why MAC Address?
Just Bing it!

Slide 59

Why MAC Address?
Just Bing it!
Type www.bing.com in your URL bar

Slide 60

Why MAC Address?
Just Bing it!
Type www.bing.com in your URL bar
Type "Google" in the search box

Slide 61

Why MAC Address?
Just Bing it!
Type www.bing.com in your URL bar
Type "Google" in the search box
Hit enter!

Slide 62

Why MAC Address?

Slide 63

Geolocation via XXXSS
Upon acquiring the MAC address, ask Google
See the Firefox source for Location Services

Slide 64

Geolocation via XXXSS
latitude: 36.0920029
longitude: -123.3461946

Slide 65

Geolocation via XXXSS

Slide 66

NAT Pinning: prevention
Strict firewall – don't allow unknown outbound connections
Client
