IIT Kanpur Hackers Workshop 2004 23, 24 Feb 2004 1 A current analysis of man in the middle (mitm)...
-
Upload
kenya-happy -
Category
Documents
-
view
223 -
download
5
Transcript of IIT Kanpur Hackers Workshop 2004 23, 24 Feb 2004 1 A current analysis of man in the middle (mitm)...
11IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
A current analysis of A current analysis of man in the middle (mitm) man in the middle (mitm)
attacksattacksSachin Deodhar <[email protected]>
22IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
The scenarioThe scenario
Server
Client
Attacker
33IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
MITM attack scenarios TOCMITM attack scenarios TOC
Different attacks in different scenarios:Different attacks in different scenarios:
LOCAL AREA NETWORK:LOCAL AREA NETWORK:- - ARP poisoningARP poisoning - - DNS spoofingDNS spoofing - - STP STP manglingmangling- - PortPort stealingstealing
FROM LOCAL TO REMOTEFROM LOCAL TO REMOTE (through a gateway): (through a gateway):- - ARP poisoningARP poisoning - - DNS spoofingDNS spoofing - - DHCP spoofing DHCP spoofing - - ICMP redirectionICMP redirection - - IRDP spoofingIRDP spoofing - - route manglingroute mangling
REMOTE: REMOTE: - - DNS poisoningDNS poisoning - - traffictraffic tunnelingtunneling - - route route manglingmangling
44IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
MITM attack techniquesMITM attack techniquesThe local scenarioThe local scenario
55IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (1)Local attacks (1)ARP poisoningARP poisoning
ARP is stateless (we all knows how it works and ARP is stateless (we all knows how it works and what the problems are)what the problems are)
Some operating systems do not update an entry if it Some operating systems do not update an entry if it is not already in the cache, others accept only the is not already in the cache, others accept only the first received reply (e.g. Solaris)first received reply (e.g. Solaris)
The attacker can forge spoofed ICMP packets to The attacker can forge spoofed ICMP packets to force the host to make an ARP request. Immediately force the host to make an ARP request. Immediately after the ICMP it sends the fake ARP reply after the ICMP it sends the fake ARP reply
66IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
The scenarioThe scenario
Server
Client Attacker
Gratuitous ARP (forged)
Gratuitous ARP (forged)
77IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (1)Local attacks (1)ARP poisoning ARP poisoning - Tools- Tools
ettercapettercap ((http://ettercap.sf.nethttp://ettercap.sf.net)) PoisoningPoisoning SniffingSniffing HijackingHijacking FilteringFiltering SSH v.1 sniffing (transparent attack)SSH v.1 sniffing (transparent attack)
dsniffdsniff ((http://www.monkey.org/~dugsong/dsniffhttp://www.monkey.org/~dugsong/dsniff)) PoisoningPoisoning SniffingSniffing SSH v.1 sniffing (proxy attack)SSH v.1 sniffing (proxy attack)
88IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (1)Local attacks (1)ARP poisoning ARP poisoning - countermeasures- countermeasures
YESYES - passive monitoring (arpwatch) - passive monitoring (arpwatch)YESYES - active monitoring (ettercap) - active monitoring (ettercap)YESYES - IDS (detect but not avoid) - IDS (detect but not avoid)
YESYES - Static ARP entries (avoid it) - Static ARP entries (avoid it) YESYES - Secure-ARP (public key authentication) - Secure-ARP (public key authentication)
99IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (2)Local attacks (2)DNS spoofingDNS spoofing
HOST DNSserverX.localdomain.in
10.1.1.50
MITM
10.1.1.1
If the attacker is able to sniff the ID of the DNS request,he/she can reply before the real DNS server
1010IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (2)Local attacks (2)DNS spoofing DNS spoofing - tools- tools
ettercapettercap ((http://ettercap.sf.nethttp://ettercap.sf.net)) Phantom pluginPhantom plugin
dsniffdsniff ((http://www.monkey.org/~dugsong/dsniffhttp://www.monkey.org/~dugsong/dsniff)) DnsspoofDnsspoof
zodiac zodiac ((http://www.packetfactory.com/http://www.packetfactory.com/ProjectsProjects//zodiaczodiac))
1111IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (2)Local attacks (2)DNS spoofing DNS spoofing - countermeasures- countermeasures
YESYES - detect multiple replies (IDS) - detect multiple replies (IDS)
YESYES - use lmhost or host file for static - use lmhost or host file for static resolution of critical hostsresolution of critical hosts
YESYES - DNSSEC - DNSSEC
1212IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (3)Local attacks (3)STP manglingSTP mangling
It is not a real MITM attack since the It is not a real MITM attack since the attacker is able to receive only attacker is able to receive only “unmanaged” traffic“unmanaged” traffic
The attacker can forge BPDU with high The attacker can forge BPDU with high priority pretending to be the new root of priority pretending to be the new root of the spanning treethe spanning tree
1313IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (3)Local attacks (3)STP mangling STP mangling - tools- tools
EttercapEttercap ((http://ettercap.sf.nethttp://ettercap.sf.net))
With the Lamia pluginWith the Lamia plugin
1414IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (3)Local attacks (3)STP mangling STP mangling - countermeasures- countermeasures
YESYES - Disable STP on VLAN without loops - Disable STP on VLAN without loops
YESYES - Root Guard, BPDU Guard. - Root Guard, BPDU Guard.
1515IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (4)Local attacks (4)Port stealing Port stealing
Attacker floods the switch with forged gratuitous ARP packets with the Attacker floods the switch with forged gratuitous ARP packets with the source MAC address being that of the target host and the destination MAC source MAC address being that of the target host and the destination MAC address being that of the attacker.address being that of the attacker.Since the destination MAC address of each flooding packet is the attackers Since the destination MAC address of each flooding packet is the attackers MAC address, the switch will not forward these packets to other ports, MAC address, the switch will not forward these packets to other ports, meaning they will not be seen by other hosts on the networkmeaning they will not be seen by other hosts on the networkA race condition: because the target host will send packets too. The switch A race condition: because the target host will send packets too. The switch will see packets with the same source MAC address on two different ports will see packets with the same source MAC address on two different ports and will constantly change the binding of the MAC address to the port. and will constantly change the binding of the MAC address to the port. Remember that the switch binds a MAC address to a single port. If the Remember that the switch binds a MAC address to a single port. If the attacker is fast enough, packets intended for the target host will be sent to attacker is fast enough, packets intended for the target host will be sent to the attacker’s switch port and not the target host.the attacker’s switch port and not the target host.When a packet arrives, the attacker performs an ARP request asking for the When a packet arrives, the attacker performs an ARP request asking for the target hosts’ IP address. Next, the attacker stops the flooding and waits for target hosts’ IP address. Next, the attacker stops the flooding and waits for the ARP reply. When the attacker receives the reply, it means that the the ARP reply. When the attacker receives the reply, it means that the target hosts’ switch port has been restored to its original binding.target hosts’ switch port has been restored to its original binding.The attacker now sniffs the packet and forwards it to the target host and The attacker now sniffs the packet and forwards it to the target host and restarts the attack ad naseum …restarts the attack ad naseum …
1616IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (5)Local attacks (5)Port stealing how toPort stealing how to
1 2 3
A Attacker B
Layer 2 switch
Gratuitous ARP (forged)
1717IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local attacks (4)Local attacks (4)Port stealing Port stealing - tools- tools
ettercapettercap ( (http://ettercap.sf.nethttp://ettercap.sf.net)) With the Confusion pluginWith the Confusion plugin
1818IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local Attacks (4)Local Attacks (4)Port stealing Port stealing - countermeasures- countermeasures
YESYES - port security on the switch - port security on the switch
1919IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Attack techniquesAttack techniquesFrom local to remoteFrom local to remote
2020IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks (1)Local to remote attacks (1)DHCP spoofingDHCP spoofing
The DHCP requests are made in broadcast The DHCP requests are made in broadcast mode. mode.
If the attacker replies before the real DHCP If the attacker replies before the real DHCP server it can manipulate:server it can manipulate:
IP address of the victimIP address of the victim GW address assigned to the victimGW address assigned to the victim DNS addressDNS address
2121IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks (1)Local to remote attacks (1)DHCP spoofing DHCP spoofing - countermeasures- countermeasures
YESYES - detection of multiple DHCP replies - detection of multiple DHCP replies
2222IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks Local to remote attacks (2)(2)ICMP redirectICMP redirect
G1
AT
H
T
LAN
The attacker can forge ICMP redirect packet in order to redirect traffic to himself
ICMP redirect to AT
2323IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks Local to remote attacks (2)(2)ICMP redirect ICMP redirect - tools- tools
IRPAS icmp_redirectIRPAS icmp_redirect (Phenoelit) (Phenoelit)((http://www.phenoelit.de/http://www.phenoelit.de/irpasirpas//))
icmp_rediricmp_redir (Yuri Volobuev) (Yuri Volobuev)
2424IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks (2)Local to remote attacks (2)ICMP redirect ICMP redirect - countermeasures- countermeasures
YESYES - Disable the ICMP REDIRECT - Disable the ICMP REDIRECT
NONO - Linux has the “secure redirect” options but - Linux has the “secure redirect” options but it seems to be ineffective against this attackit seems to be ineffective against this attack
2525IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks Local to remote attacks (3)(3)IRDP spoofingIRDP spoofing
The attacker can forge some advertisement The attacker can forge some advertisement packet pretending to be the router for the LAN. packet pretending to be the router for the LAN. He/she can set the “preference level” and the He/she can set the “preference level” and the “lifetime” at high values to be sure the hosts will “lifetime” at high values to be sure the hosts will choose it as the preferred router.choose it as the preferred router.
The attack can be improved by sending some The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to spoofed ICMP Host Unreachable pretending to be the real routerbe the real router
2626IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks Local to remote attacks (3)(3)IRDP spoofing IRDP spoofing - tools- tools
IRPAS IRPAS by Phenoelitby Phenoelit(http://www.phenoelit.de/irpas/)(http://www.phenoelit.de/irpas/)
2727IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks (3)Local to remote attacks (3)IRDP spoofing IRDP spoofing - countermeasures- countermeasures
YESYES - Disable IRDP on hosts if the - Disable IRDP on hosts if the operating system permit it.operating system permit it.
2828IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks Local to remote attacks (4)(4)ROUTE manglingROUTE mangling
The attacker can forge packets for the gateway (GW) pretending to be a router with a good metric for a specified host on the internet
INTERNET GW AT
H
2929IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks Local to remote attacks (4)(4)ROUTE manglingROUTE mangling
Now the problem for the attacker is to send packets to Now the problem for the attacker is to send packets to the real destination. He/she cannot send it through GW the real destination. He/she cannot send it through GW since it is convinced that the best route is AT.since it is convinced that the best route is AT.
INTERNET GW AT
H
D
AT2Tunnel
3030IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks Local to remote attacks (4)(4)ROUTE mangling ROUTE mangling - tools- tools
IRPASIRPAS (Phenoelit) (Phenoelit)(http://www.phenoelit.de/irpas/)(http://www.phenoelit.de/irpas/)
Nemesis Nemesis (http://www.packetfactory.net/Projects/nemesis/)(http://www.packetfactory.net/Projects/nemesis/)
3131IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Local to remote attacks Local to remote attacks (4)(4)ROUTE mangling ROUTE mangling - countermeasures- countermeasures
YESYES - Disable dynamic routing protocols in - Disable dynamic routing protocols in this type of scenario this type of scenario
YES YES - Enable ACLs to block unexpected - Enable ACLs to block unexpected updateupdate
YESYES - Enable authentication on the - Enable authentication on the protocols that support authenticationprotocols that support authentication
3232IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Attacks techniquesAttacks techniquesRemote scenariosRemote scenarios
3333IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks (1)Remote attacks (1)DNS poisoningDNS poisoning
Type 1 attackType 1 attack The attacker sends a request to the victim DNS The attacker sends a request to the victim DNS
asking for one hostasking for one host
The attacker spoofs the reply which is expected to The attacker spoofs the reply which is expected to come from the real DNScome from the real DNS
The spoofed reply must contain the correct ID (brute The spoofed reply must contain the correct ID (brute force or semi-blind guessing)force or semi-blind guessing)
3434IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks (1)Remote attacks (1)DNS poisoningDNS poisoning
Type 2 attackType 2 attack The attacker can send a “dynamic update” to The attacker can send a “dynamic update” to
the victim DNSthe victim DNS
If the DNS processes it, it is even worst If the DNS processes it, it is even worst because it will be authoritative for those because it will be authoritative for those entriesentries
3535IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (1)(1)DNS poisoning DNS poisoning - tools- tools
ADMIdPackADMIdPack
Zodiac Zodiac (http://www.packetfactory.com/Projects/zodiac)(http://www.packetfactory.com/Projects/zodiac)
3636IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (1)(1)DNS poisoning DNS poisoning - countermeasures- countermeasures
YESYES - Use DNS with random transaction - Use DNS with random transaction ID (Bind v9)ID (Bind v9)
YESYES - DNSSec (Bind v9) allows the digital - DNSSec (Bind v9) allows the digital signature of the replies. signature of the replies.
NONO - restrict the dynamic update to a - restrict the dynamic update to a range of IPs (they can be spoofed)range of IPs (they can be spoofed)
3737IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (2)(2)Traffic tunnelingTraffic tunneling
Router 1
Gateway
INTERNET
Server
Client
Fake host
Attacker
Tunnel GRE
3838IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (2)(2)Traffic tunneling Traffic tunneling - tools- tools
ettercapettercap (http://ettercap.sf.net)(http://ettercap.sf.net) Zaratan pluginZaratan plugin
tunnelXtunnelX (http://www.phrack.com)(http://www.phrack.com)
3939IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (2)(2)Traffic tunneling Traffic tunneling - countermeasure- countermeasure
YESYES - Strong passwords and community on - Strong passwords and community on routersrouters
4040IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (3)(3)ROUTE mangling revisitedROUTE mangling revisited
The attacker aims to hijack the traffic between The attacker aims to hijack the traffic between the two victims A and Bthe two victims A and B
The attack will collect sensitive information The attack will collect sensitive information through:through: TracerouteTraceroute port scanning port scanning protoscanningprotoscanning
Quite impossible against link state protocolsQuite impossible against link state protocols
4141IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (3)(3)ROUTE mangling revisitedROUTE mangling revisited
Scenario 1 aScenario 1 a(IGRP inside the AS)(IGRP inside the AS)
A B
The attacker pretends to be the GW
R1
R2
4242IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (3)(3)ROUTE mangling revisitedROUTE mangling revisited
Scenario 1 b Scenario 1 b (IGRP inside the AS)(IGRP inside the AS)
A BR1
R2
R3
4343IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (3)(3)ROUTE mangling revisitedROUTE mangling revisited
Scenario 2 aScenario 2 a((the traffic does not pass thru thethe traffic does not pass thru the AS) AS)
AS 1 AS 2
BG 1 BG 2
BG 3
AS 3
BGP
RIP
4444IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (3)(3)ROUTE mangling revisited - toolsROUTE mangling revisited - tools
IRPASIRPAS di Phenoelit di Phenoelit((http://www.phenoelit.de/irpas/)http://www.phenoelit.de/irpas/)
Nemesis Nemesis ((http://www.packetfactory.net/Projects/nemesis/)http://www.packetfactory.net/Projects/nemesis/)
4545IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Remote attacks Remote attacks (3)(3)ROUTE mangling revisited ROUTE mangling revisited - -
countermeasurecountermeasure
YESYES - Use routing protocol authentication - Use routing protocol authentication
4646IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
ConclusionsConclusions
The security of a connection relies on:The security of a connection relies on: Proper configuration of the client (avoiding ICMP Redirect, Proper configuration of the client (avoiding ICMP Redirect,
ARP Poisoning etc.) ARP Poisoning etc.) the other endpoint infrastructure (e.g.. DNS dynamic the other endpoint infrastructure (e.g.. DNS dynamic
update),update), the strength of a third party appliances on which we don’t the strength of a third party appliances on which we don’t
have access (e.g.. Tunneling and Route Mangling).have access (e.g.. Tunneling and Route Mangling).
The best way to ensure secure communication is the correct The best way to ensure secure communication is the correct and conscious use of cryptographic systemsand conscious use of cryptographic systems both client and server sideboth client and server side at the network layer (i.e.. IPSec)at the network layer (i.e.. IPSec) at transport layer (i.e.. SSLv3) at transport layer (i.e.. SSLv3) at application layer (i.e.. PGP).at application layer (i.e.. PGP).
4747IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Once in the middle…Once in the middle…
Injection attacksInjection attacks
Key Manipulation attacksKey Manipulation attacks
Downgrade attacksDowngrade attacks
Filtering attacksFiltering attacks
4848IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Injection attacksInjection attacks
Add packets to an already established connection (only Add packets to an already established connection (only possible in full-duplex mitm)possible in full-duplex mitm)
The attacker can modify the sequence numbers and The attacker can modify the sequence numbers and keep the connection synchronized while injecting keep the connection synchronized while injecting packets. packets.
If the mitm attack is a “proxy attack” it is even easier to If the mitm attack is a “proxy attack” it is even easier to inject (there are two distinct connections)inject (there are two distinct connections)
4949IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Injection attack examples Injection attack examples Command injectionCommand injection
Useful in scenarios where a one time Useful in scenarios where a one time authentication is used (e.g. RSA token).authentication is used (e.g. RSA token).In such scenarios sniffing the password is In such scenarios sniffing the password is useless, but hijacking an already authenticated useless, but hijacking an already authenticated session is criticalsession is critical
Injection of commands to the serverInjection of commands to the server
Emulation of fake replies to the clientEmulation of fake replies to the client
5050IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Key Manipulation in the case of Key Manipulation in the case of popular VPN/crypto systemspopular VPN/crypto systems
SSH v1SSH v1
IPSECIPSEC
HTTPSHTTPS
5151IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Key Manipulation attack Key Manipulation attack example example
SSH v1SSH v1
Modification of the public key exchanged by Modification of the public key exchanged by server and clientserver and client. .
Server Client
MITM
start
KEY(rsa) KEY(rsa)
Ekey[S-Key]Ekey[S-Key]S-KEY S-KEY S-KEY
MEskey(M)
D(E(M))
D(E(M))
5252IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Key manipulation attack Key manipulation attack exampleexample
IPSECIPSEC If two or more clients share the same “secret”, each If two or more clients share the same “secret”, each
of them can impersonate the server with another of them can impersonate the server with another client.client.
Client mitm
Server
Diffie-Hellman exchange 1 – Authenticated by pre-shared secret
Diffie-Hellman exchange 2 – Authenticated by pre-shared secret
De-Crypt Packet
Re-Crypt Packet
5353IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Key manipulation attack Key manipulation attack exampleexample
HTTPSHTTPS We can create a fake certificate (eg: We can create a fake certificate (eg:
issued by Verissued by VeryySign) relying on Sign) relying on browser misconfiguration or user browser misconfiguration or user dumbness.dumbness.
Client MiM Server
Fake cert.
Real Connection to the server
5454IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Filtering attacksFiltering attacks
The attacker can modify the payload of the The attacker can modify the payload of the packets by recalculating the checksumpackets by recalculating the checksum
He/she can create filters on the flyHe/she can create filters on the fly
The length of the payload can also be changed The length of the payload can also be changed but only in full-duplex (in this case the seq has to but only in full-duplex (in this case the seq has to be adjusted)be adjusted)
5555IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Filtering attacks exampleFiltering attacks exampleCode Filtering / InjectionCode Filtering / Injection
Insertion of malicious code into web pages Insertion of malicious code into web pages or mail (javascript, trojans, virus, etc)or mail (javascript, trojans, virus, etc)
Modification on the fly of binary files during Modification on the fly of binary files during the download phase (virus, backdoor, etc)the download phase (virus, backdoor, etc)
5656IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Filtering attacks exampleFiltering attacks exampleHTTPS redirectionHTTPS redirection
Let’s see an exampleLet’s see an example
Http main page with https login form
Change form destination to http://attacker
Http post (login\password)
Auto-submitting hidden form with right authentication data
Real https authentication post
Authenticated connection
Client
Server
MiMlogin
password
5757IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Downgrade attacks for typical Downgrade attacks for typical VPN/crypto systemsVPN/crypto systems
SSH v2SSH v2
IPSECIPSEC
PPTPPPTP
5858IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Downgrade attack examples Downgrade attack examples SSH v2 SSH v2 v1 v1
Parameters exchanged by server and client can be Parameters exchanged by server and client can be substituted in the beginning of a connection. substituted in the beginning of a connection. (algorithms to be used later)(algorithms to be used later)
The attacker can force the client to initialize a SSH1 The attacker can force the client to initialize a SSH1 connection instead of SSH2.connection instead of SSH2.
The server replies in this way:The server replies in this way:SSH-1.99 -- the server supports ssh1 and ssh2 SSH-1.99 -- the server supports ssh1 and ssh2 SSH-1.51 -- the server supports ONLY ssh1 SSH-1.51 -- the server supports ONLY ssh1
The attacker makes a filter to replace “1.99” with “1.51”The attacker makes a filter to replace “1.99” with “1.51”
Possibility to circumvent known_hostsPossibility to circumvent known_hosts
5959IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Downgrade attack examples Downgrade attack examples IPSEC FailureIPSEC Failure
Block the key material exchanged on the Block the key material exchanged on the port 500 UDPport 500 UDP
End points think that the other cannot start End points think that the other cannot start an IPSEC connectionan IPSEC connection
If the client is configured in rollback mode, If the client is configured in rollback mode, there is a good chance that the user will not there is a good chance that the user will not notice that the connection is in clear textnotice that the connection is in clear text
6060IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Downgrade attack examples Downgrade attack examples PPTP attack (1)PPTP attack (1)
During negotiation phaseDuring negotiation phase Force PAP authentication (almost fails)Force PAP authentication (almost fails) Force MS-CHAPv1 from MS-CHAPv2 (easier to crack)Force MS-CHAPv1 from MS-CHAPv2 (easier to crack) Force no encryptionForce no encryption
Force re-negotiation (clear text terminate-ack)Force re-negotiation (clear text terminate-ack) Retrieve passwords from existing tunnelsRetrieve passwords from existing tunnels Perform previous attacksPerform previous attacks
Force “password change” to obtain password hashesForce “password change” to obtain password hashes Hashes can be used directly by a modified SMB or PPTP Hashes can be used directly by a modified SMB or PPTP
clientclient MS-CHAPv2 hashes are not useful (you can force v1)MS-CHAPv2 hashes are not useful (you can force v1)
6161IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Downgrade attack examples Downgrade attack examples PPTP attack (2)PPTP attack (2)
Server ClientMITM
start
req | auth | chapnak | auth | papreq | auth | papack | auth | pap
req | auth | fakenak| auth | chapreq | auth | papack | auth | pap
Force PAP from CHAP
We don’t have to mess with GRE sequences...
6262IIT Kanpur Hacker’s Workshop 2004
23, 24 Feb 2004
Downgrade attack examples Downgrade attack examples L2TP rollbackL2TP rollback
L2TP can use IPSec ESP as transport layer (stronger L2TP can use IPSec ESP as transport layer (stronger than PPTP)than PPTP)
By default L2TP is tried before PPTPBy default L2TP is tried before PPTP
Blocking ISAKMP packets results in an IPSec failureBlocking ISAKMP packets results in an IPSec failure
Client starts a request for a PPTP tunnel (rollback)Client starts a request for a PPTP tunnel (rollback)
Now you can perform PPTP previous attacksNow you can perform PPTP previous attacks