title=Interception [1 ed.] 1231231231231

Citation preview

CSE363

Offensive Security

2020-02-05

Network Traffic Interception

Michalis Polychronakis Stony Brook University

Active vs. Passive Attacks Passive: the attacker eavesdrops but does not modify the message stream in any way Traffic snooping, wiretapping, passive reconnaissance, listening for unsolicited/broadcast traffic, traffic analysis, … Previous lecture

Active: the attacker may transmit messages, replay old messages, modify messages in transit, or drop selected messages from the wire Spoofing, data injection/manipulation (man-in-the-middle/man-on-the-side), session replay, DoS, malicious requests/resp., … This lecture 2

Link Layer Attacks Spoofing Impersonate another machine Bypass address-based authentication Change MAC address to get 30’ more of free WiFi Hide the device’s vendor (first three bytes of MAC address)

Denial of Service (DoS) Flooding WiFi deauth

Traffic injection or interception Man on the Side (MotS) Man in the Middle (MitM)

3

Address Resolution Protocol (ARP) Allows mapping of IP addresses to physical addresses A new machine joins a LAN; How can it find the MAC addresses of a neighbor machine? ARP request (broadcast): Who has IP 192.168.0.1? ARP reply by 192.168.0.1: Hey, here I am, this is my MAC address

Each host maintains a local ARP cache Send request only if local table lookup fails

ARP announcements (gratuitous ARP) Voluntarily announce address updates (NIC change, load balancing/failover, …) Can be abused…

4

ARP Cache Poisoning ARP replies can be spoofed: IP to MAC mapping is not authenticated! Enables traffic sniffing/manipulation through MitM Normal Operation

switch

gateway

Internet

ARP Cache Poisoning

Internet

5

ARP Cache Poisoning Attack steps 1. ARP reply to victim, mapping gateway’s IP to attacker’s MAC 2. ARP reply to gateway, mapping victim’s IP to attacker’s MAC 3. Just forward packets back and forth

1

2

Internet

3

6

ARP Cache Poisoning Tools arpspoof (dsniff) Ettercap -> Bettercap nemesis

…

Various Defenses Static ARP entries: ignore ARP reply packets OS configuration: ignore unsolicited replies, … ARPwatch and other detection tools Managed switches

7

CAM Table Exhaustion Switches use Content Addressable Memory (CAM) to keep MAC address to port mappings Finite resource!

Flooding a switch with a large number of randomly generated MAC addresses can fill up the CAM table Failsafe operation: send all packets to all ports Essentially the switch turns into a hub  eavesdropping! Noisy attack, can be easily detected

Tool: macof (part of dsniff)

8

Rogue Access Points No authentication of the AP to the client Set up fake AP with an existing SSID or an enticing name (e.g., Starbucks-FREE-WiFi) “Auto-connect”/”Ask to join network” mobile phone features greatly facilitate this kind of attacks Pineapple, Power Pwn, …

Wireless backdoor Ship an iPhone/special purpose device to an office and use 4G/LTE/5G connection for C&C Hide a tiny AP in a wall plug etc.

Detection NetStumbler: show all WiFi networks RF monitoring systems Wireless IDS/IPS 9

WiFi-Pumpkin

https://github.com/P0cL4bs/WiFi-Pumpkin

10

Network Layer Attacks ICMP (Internet Control Message Protocol): Used to exchange error messages about IP datagram delivery Smurf Attack (DoS with spoofed broadcast Echo request) Reconnaissance Exfiltration using ICMP tunneling ICMP redirect MitM Organizations typically block incoming/outgoing ICMP traffic due to all the above

IP spoofing: conceal the real IP address of the sender Mostly used in DDoS attacks Ingress and egress filtering limit its applicability

IP fragmentation: confuse packet filters and intrusion detection systems Split important information across two or more packets

11

Transport Layer Attacks Sequence Number Attacks TCP connection hijacking/spoofing DoS (connection reset)

Port scanning (future lecture) OS Fingerprinting (future lecture) Intricacies of TCP/IP stack implementations

Denial of Service (DoS) Resource exhaustion Blind RST injection

Content injection/manipulation (MotS, MitM) 12

Man-on-the-Side Attack Main capabilities: packet capture + packet injection Sniff for requests, and forge responses

Requires a privileged position between the victim and the destination Attackers can observe transmitted packets and inject new ones Attackers cannot modify or drop transmitted packets

But a less privileged position than what is required for a MitM attack (!) Also much easier: no need to keep per-connection state and relay traffic

Example: unprotected (non-encrypted) WiFi network MotS: any client that joins the network can mount it right away MitM: need to compromise the access point or perform ARP poisoning 13

Man-on-the-Side Attack Race condition: the attacker’s forged response should arrive before the actual response from the server Most operating systems will accept the first packet they see as valid

No need to guess TCP seq/ack numbers (!) The rest of the original stream can follow after the injected packet

Powerful: redirect to rogue server, manipulate content, inject exploits Request

Internet Spoofed Response

Response

14

Airpwn Sniffs packets and acts on interesting HTTP requests based on rules Beating the server’s response is easy: the server is several hops away (10s-100s ms) while the attacker is local GET / HTTP/1.1 Host: www.google.com ... HTTP/1.1 OK Content-length: 1462 ...

Google

...

HTTP/1.1 OK Content-length: 1462 ...

Airpwned!

... 15

airpwn-ng

https://github.com/ICSec/airpwn-ng

16

17

TLS (Transport Layer Security) Predecessor: SSL (Secure Socket Layer)

Most widely used protocol for encrypted data transmission Same basic design, different crypto algorithms

Designed to provide secure communication over the insecure internet Authentication, confidentiality, and integrity

Used in many services and secure versions of protocols HTTP, POP, IMAP, SMTP, OpenVPN, CalDAV, CardDAV, LDAP, NNTP, FTP, IRC, SIP, … Separate port number: HTTPS: 443, FTPS: 990, IMAPS: 993, …

18

Server (and Client) Authentication After handshake completion, the client knows it can “trust” the information in the server’s certificate Assuming it trusts the issuing CA

SSL/TLS certs are based on the X.509 PKI standard How is the certificate associated with the server? Common Name (CN): server’s hostname

Same process is supported for authenticating clients Highly-secure web services, some VPN services, …

Not used often in practice Common alternative: username + password over TLS connection 19

20

21

Trust anchors: systems are pre-configured with ~200 trusted root certificates

Embedded in browser/OS

Certificate Chains Root Cert

System/public store: used by OS, browsers, … More can be added in the local/private cert store: vendor-specific certs, MitM certs for content inspection filters/AVs, …

A certificate from an intermediate CA is trusted if there is a valid chain of trust all the way back to a trusted root CA

Any certificate authority can issue and sign certificates for any subject The system is only as secure as the weakest certificate authority…

Provided by the server

Server provides a chain of certificates

Intermediate Cert

Intermediate Cert

End Entity Cert

22

23

HTTPS Most common use of TLS: more than half of web traffic is now encrypted Crypto is expensive, needs more CPU cycles Not a big deal these days (native hardware support)

Mixed content: Ad networks, mashups, … Stop using them! …easier said than done (lost revenue, increased development time) Incentives: Google rewards HTTPS sites with higher ranking

Virtual Hosting: initially incompatible Not anymore: solved as of TLS 1.1 through the Server Name Indication (SNI) extension about IE6/WinXP users?



what

Needs expertise and certificates cost $$$$ Not anymore: letsencrypt.org 24

SSL Stripping Browsing sessions often start with a plain HTTP page Web sites (used to) switch to HTTPS only for login or checkout Example: Facebook in 2010 (optional full HTTPS in 2011, on by default in 2013) Users type addresses without specifying “https://” Browser connects over HTTP  site may redirect to HTTPS

SSLstrip [Moxie Marlinspike, Black Hat DC 2009] MitM attack tool for preventing redirection to HTTPS Watch for HTTPS redirects and links, and rewrite them to HTTP links …or (even better!) homograph-similar valid HTTPS links: https://www.bank.com.attacker.com

25

SSL Stripping

HTTP

Victim

HTTPS

Attacker

Server

Location: http://…do

Location: https://…do





Missing lock icon “Not secure” warning, but who is going to notice? 26

HSTS (HTTP Strict Transport Security) Defense against SSL stripping and other issues Convert insecure links (http://) into secure links (https://) before accessing a resource Treat all errors (e.g., invalid certificate, mixed content) as fatal: do not allow users to access the web application

A server implements an HSTS policy by supplying an extra HTTP header Strict-Transport-Security: max-age=31536000 “Use only HTTPS for future requests to this domain for the next year”

An instance of trust on first use (TOFU) The initial request remains unprotected if sent over HTTP

HSTS preloading fixes the TOFU issue Most major browsers come with a list of known HSTS sites – https://hstspreload.org/ 27

HSTS Bypass HSTS rules used to be defined only for a specific hostnames https://www.example.com

Rewriting to http://www.example.com will trigger HSTS No problem! Just rewrite it to: http://wwww.example.com There is no HSTS rule for wwww.example.com (!) Attacker must also intercept DNS requests for wwww.* and serve them appropriately Easy to automate (e.g., Bettercap)

Solution: includeSubdomains directive in the HSTS header strict-transport-security: max-age=63072000; includeSubdomains; preload

28

Bettercap

https://www.bettercap.org/

29

Proper HSTS deployment for www.example.com User visits (types in the browser) example.com for the first time (assuming it’s not preloaded) Requested URL

Response Headers

http://example.com

Status Code: 301 Location: https://example.com

https://example.com

Status Code: 301 Location: https://www.example.com

preload

strict-transport-security: max-age=63072000; includeSubdomains;

https://www.example.com Status Code: 200 preload

strict-transport-security: max-age=63072000; includeSubdomains;

30

HSTS Preloading

31

HSTS Preloading

2020

32

Marking HTTP as Non-Secure Phase 1 (January 2017): page is marked “Not Secure” when The page contains a password field The user interacts with a credit card field

© Chromium - https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

33

Marking HTTP as Non-Secure Phase 2 (October 2017): page is marked “Not Secure” when The page contains a password field The user interacts with any input field The user is browsing in Chrome incognito mode

© Chromium - https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

34

Marking HTTP as Non-Secure Phase 3 (July 2018): all HTTP pages are marked “Not Secure”

© Chromium - https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

35

Marking HTTP as Non-Secure Phase 3+ (October 2018): red “Not Secure” warning if the user interacts with any input field

© Chromium - https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

36

Marking HTTP as Non-Secure In the future: all HTTP pages are marked “Not Secure”

© Chromium - https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

37

MitM is Still Possible… Rogue certificates Most governments have a trusted root CA planted in our systems Attackers may break into CAs and forge certificates

Pre-planted/generated certificates Default static keys: Lenovo, Dell, anti-malware software, … Low entropy during key generation: repeated or factorable keys

Exploitation of certificate validation flaws Programming errors while checking date, hostname, …

Self-signed certificates If desperate… will trigger browser warning 38

39

40

41

42

Self-signed certificate warning: used to be one click away…

43

Self-signed certificate warning: now two clicks away…

44

Self-signed certificate warning: now two clicks away…

45

GOTO FAIL iOS 7.0.6 signature verification error Legitimate-looking TLS certificates with a mismatched private keys were unconditionally accepted… if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0) goto fail; if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; ?!!?!?!? if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0) goto fail; ...

Check never executed

fail: SSLFreeBuffer(&signedHashes); SSLFreeBuffer(&hashCtx); return err; 46

Domain Name System DNS maps domain names to IP addresses “Phonebook” for the internet Client: I want to connect to: www.cs.stonybrook.edu DNS server: here is its IP address: 130.245.27.2

Distributed, hierarchical, reliable database Replaced the manually maintained /etc/hosts file

Domain names are assigned by registrars accredited by ICANN Not always a one-to-one mapping Virtual hosting: many names to a single IP address Load balancing/fault tolerance: single name to many addresses 47

DNS Server Hierarchy Hierarchically divided name space .edu  stonybrook.edu  cs.stonybrook.edu  www.cs.stonybrook.edu

Root name servers Responsible for top-level domains (TLDs): .com, .edu, .net, … Point to the authoritative name server of each TLD  managed by government or commercial organizations $ curl http://data.iana.org/TLD/tlds-alpha-by-domain.txt |wc -l 1517

Authoritative name servers are responsible for a set of names belonging into a zone Leaf nodes in the DNS hierarchy manage the zone of a single domain 48

DNS Resolvers Query DNS servers and resolve the requested resource

Main query types: Non-recursive: query a single server and receive a response May be a partial response

Recursive: query a single server, which may then query (as a client itself ) other DNS servers on behalf of the requester Has to reply with the requested response or “doesn’t exist” (cannot refer the client to a different DNS server)

Iterative: query a chain of one or more DNS servers Each server returns the best answer it has If the server cannot find an exact match, it returns a referral: a pointer to an authoritative server lower in the chain 49

Walking the Tree: End User Applications place resolution requests to the stub resolver of the OS The stub resolver then sends DNS queries to a recursive resolver Caches responses for future queries (TTL specified by owner) Negative responses are cached as well  save time for nonexistent sites (e.g. due to misspelling)

© Lion Kimbro - https://en.wikipedia.org/wiki/Domain_Name_System#/media/File:DNS_in_the_real_world.svg

50

Walking the Tree: Recursive Resolver Hosts know at least one local DNS recursive resolver Usually specified by the ISP or organization through DHCP – users can manually override it Uses the hierarchy of zones and delegations to respond to queries for which it is not authoritative

Root/edu DNS Server

Caches responses as well styx.cs.stonybrook.edu? IP = 10.0.0.1

styx.cs.stonybrook.edu? NS cs.stonybrook.edu

stonybrook.edu DNS Server

Local Recursive DNS Resolver cs.stonybrook.edu DNS Server 51

DNS message format

DNS header format

+---------------------+ | Header | +---------------------+ | Question | +---------------------+ | Answer | +---------------------+ | Authority | +---------------------+ | Additional | +---------------------+

the question for the name server RRs answering the question RRs pointing toward an authority RRs holding additional information

1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ID | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ |QR| Opcode |AA|TC|RD|RA| Z | RCODE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | QDCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ANCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | NSCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | ARCOUNT | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

Primarily uses UDP for queries/responses (port 53) TCP sometimes used for long responses and zone transfers

Recent developments: DNS over TLS (port 853) and DNS over HTTPS (port 443) 52

DNS resource record format

1 1 1 1 1 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | | / / / NAME / | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | TYPE | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | CLASS | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | TTL | | | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+ | RDLENGTH | +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--| / RDATA / / / +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+

NAME

Name of the node to which this record pertains

TYPE

Type of RR in numeric form (e.g., 15 for MX RRs)

CLASS

Class code

TTL

Count of seconds that the RR stays valid

RDLENGTH Length of RDATA field RDATA

Additional RR-specific data 53

Types of Resource Records Besides translating host addresses, DNS is in essence a generic “directory” for other host-related information A: host address NS: authoritative name server MX: mail server of domain CNAME: aliases for other names (not IP addresses) PTR: map IP addresses to names (reverse lookup) TXT: arbitrary data associated with the domain HINFO: host information 54

DNS Spoofing/Cache Poisoning No authentication: responses can be spoofed! Point to a different address of the attacker’s choosing Phishing, malware infection, …

Root/edu DNS Server

Part of the motivation for DoT/DoH

styx.cs.stonybrook.edu? IP = 10.0.0.1

styx.cs.stonybrook.edu? NS cs.stonybrook.edu

stonybrook.edu DNS Server

Local Recursive DNS Resolver cs.stonybrook.edu DNS Server

55

DNS Poisoning: Different Vantage Points Off-path: attackers cannot observe any DNS messages (blind) Blind packet injection: must guess the proper values in the forged response fields according to the query Race condition: forged response must arrive before the real one

On-path: attackers can passively observe the traffic (queries) and inject properly forged responses (MotS) Easy to mount in WiFi networks, by ISPs, … Race condition: forged response must arrive before the real one

In-path: attackers can block responses from reaching the victim, and inject forged ones instead (MitM) But then the attacker can do so much more… 56

DNS TXID Synchronization mechanism between clients and servers 16-bit transaction identifier Randomly chosen for each query Response accepted only if TXIDs match Response cached according to TTL (e.g., one day)

Attacker has to win a race Guess the correct TXID Response src IP and dst port should match query dst IP and src port

TXID

styx.cs.stonybrook.edu? NS cs.stonybrook.edu

TXID

It’s possible! Kaminsky attack 57

More Ways to Intercept Traffic using DNS DNS hijacking by going after registrars Social engineering, stolen credentials, …

Typosquatting/registering expired domains Phishing – www.paypa1.com Hijack scripts hosted on expired domains still in use by other web pages

Pharming Change the system’s (or the local router’s) DNS server (e.g., malware, malicious JavaScript) Add entries in /etc/hosts Example: DNSChanger: estimated 4M infected computers, US$14M profit (FBI’s “Operation Ghost Click”) 58