Transcript of the slide deck “WhoamI: Network profiling based on HTML tags injection” (Dr. Alfonso Muñoz, Senior Cyber Security Researcher)
WhoamI
Network profiling based on HTML tags injection
Dr. Alfonso Muñoz, Senior Cyber Security Researcher, (Co)Editor Criptored, CISA, CEH… alfonso.munoz@11paths.com, @mindcrypt
Ricardo Martín, QA Security, [email protected], @ricardo090489
Team…
Ricardo Martín, QA Security, [email protected]
Dr. Alfonso Muñoz, Senior Cyber Security Researcher, (Co)Editor Criptored, CISA, alfonso.munoz@11paths.com
Dr. Antonio Guzmán, Head of the research, [email protected]
WhoamI: The real world…
- Attacks / information leaks vs. countermeasures
- Are you safe with your web browser?...
WhoamI: The idea…
WhoamI: Investigating…
- How do web browsers behave when they fetch “resources”?
- … but what is a “resource”?
Resource: <img src="/images/latch.jpg"/>
Resource: <a href="http://www.latch.com"/>
Resource: <embed src="gatos.avi">
…
Resource: <img src="172.0.0.4:445"/>?
WhoamI: Enumeration…
- Let's ask for “specific resources…”
<img src="http://172.192.19.70" onload="alert(1)" onerror="alert(0)">
If the resource is not available, the browser fires the event later…
- What can we do…?
- Attack vectors: HTML injection, browsers with WebRTC
- Footprinting/fingerprinting (“operating systems”, network scanning, open ports, software on the network, printers, DNS…)
- Perimeter security evasion. “Exfiltration”
- APTs – “exploits”
- SCADA
- Which web browsers does it work in, and with which tags?
WhoamI: Browsers…
- Web browsers analysed: IE (11.0.9600.17207), Chrome (35.0.1916.153 dev-m), Firefox (33.0), Safari (5.1.7 (7534.57.2)), Opera (25.0)
- Example on Windows 8.1:
<img src="http://172.192.19.70" onload="alert(1)" onerror="alert(0)">

| | Firefox | Chrome | IE | Safari/Opera |
|---|---|---|---|---|
| Version | 32.0 | 35.0.1916.153 dev-m | 11.0.9600.17207 | 5.1.7 (7534.57.2) |
| Event / TAG=IMG | onerror | onerror | onerror | onerror |
| Active hosts | < 21 s (>> 21 s, > 27 s) | < 21 s (>> 21 s, > 27 s) | < 7 s (>> 7 s, > 10 s) | < 21 s (>> 21 s, > 27 s) |
| Timeouts (non-existent hosts) | ≈ 21 s (19 s < X < 23 s) | ≈ 21 s (19 s < X < 23 s) | ≈ 7 s (6 s < X < 8 s) | ≈ 21 s (19 s < X < 23 s) |
| WebRTC | x | x | | |
WhoamI: In progress… more “OSes”
- Linux (Ubuntu: FF, Chrome, Konqueror)
- Android
- From the timeout we can “identify” which operating system the browser is running on…
Chrome on Ubuntu vs. Chrome on Windows
LINUX: RFC 1122 recommends at least 100 seconds for the timeout (Ubuntu 14.04.1)
WhoamI: Useful tags…
- Firefox 32.0.2 (onerror): <img>, <object>, <iframe>, <audio>, <video>, <frame>, <script>
- Chrome 35.0.1916.153 dev-m (onload/onerror): <img>, <object>, <iframe>, <audio>, <video>, <embed>, <frame>, <script>
- IE 11.0.9600.17207 (onload/onerror): <img>, <object>, <iframe>, <audio>, <video>, <embed>, <frame>, <script>
- Safari 5.1.7 (onerror): <img>, <object>, <iframe>, <embed>, <frame>, <script>
Tags analysed: all
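The tag list above is also the detection surface on the defending side: an injected probe is a resource-loading tag whose target is an IP literal (often on an internal range or a non-web port) carrying onload/onerror handlers. The following is an added example, not code from the slides or from the authors, of a check that a WAF, HTML sanitiser or page-integrity monitor could run over HTML before it is served. The sample document is constructed here; the extra `<source>` tag and the `WEB_PORTS` allowlist are assumptions for illustration.

```python
"""Flag HTML resource tags that look like injected network probes (added example)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags the deck reports as firing onload/onerror on a fetch attempt, with the
# attribute that names the resource. <source> is an assumption, treated like
# <audio>/<video>.
RESOURCE_ATTRS = {
    "img": "src", "object": "data", "iframe": "src", "audio": "src",
    "video": "src", "embed": "src", "frame": "src", "script": "src",
    "source": "src",
}
# Assumed allowlist: ports a legitimate page resource normally uses.
WEB_PORTS = {None, 80, 443, 8080}


def inspect_url(url):
    """Describe the host of a resource URL: is it an IP literal, is that IP
    internal (private/loopback/link-local), and which port is used.
    Scheme-less values such as '172.0.0.4:445' are read as http://."""
    candidate = url.strip()
    if candidate.startswith("//"):
        candidate = "http:" + candidate
    elif "://" not in candidate:
        candidate = "http://" + candidate
    try:
        parts = urlsplit(candidate)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port or host
        return {"host": None, "port": None, "ip_literal": False, "internal": False}
    addr = None
    if host is not None:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None  # a DNS name, not an IP literal
    internal = addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local)
    return {"host": host, "port": port, "ip_literal": addr is not None, "internal": internal}


def reasons_for(info, handlers):
    """Return the list of reasons a tag is suspicious (empty if it is not)."""
    reasons = []
    if info["host"] is None:
        return reasons  # relative URL: same origin, nothing to probe
    if info["internal"]:
        reasons.append("internal address")
    if info["port"] not in WEB_PORTS:
        reasons.append("non-web port")
    if info["ip_literal"] and {"onload", "onerror"} <= set(handlers):
        reasons.append("ip literal with load/error handlers")
    return reasons


class ResourceAuditor(HTMLParser):
    """Collect findings for resource-loading tags in an HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        target = attrs.get(attr_name)
        if not target:
            return
        handlers = sorted(a for a in ("onload", "onerror") if a in attrs)
        info = inspect_url(target)
        reasons = reasons_for(info, handlers)
        if reasons:
            self.findings.append({"tag": tag, "url": target, "host": info["host"],
                                  "port": info["port"], "handlers": handlers,
                                  "reasons": reasons})


def audit_html(html):
    """Parse html and return the list of suspicious resource tags, in document order."""
    auditor = ResourceAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: two benign resources, the deck's own probe tag,
# and two probes aimed at constructed internal addresses.
SAMPLE_HTML = """
<html><body>
<img src="/images/latch.jpg">
<script src="https://cdn.example.invalid/app.js"></script>
<img src="http://172.192.19.70" onload="alert(1)" onerror="alert(0)">
<img src="192.168.1.10:445" onerror="probe()">
<iframe src="http://127.0.0.1:8080/"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"<{f['tag']}> {f['url']}: {', '.join(f['reasons'])} handlers={f['handlers']}")
```

Run on the sample, the auditor reports three tags: the deck's own `172.192.19.70` probe (an IP literal with both handlers), the `192.168.1.10:445` image (internal address and non-web port) and the loopback iframe. A tight Content-Security-Policy `default-src`/`img-src` allowlist is the complementary control: a load the policy blocks never reaches the network, so the timing difference the deck measures disappears.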
WhoamI: Scan times… Windows network
- Persistence needed (MitM…)
- Maximum times:
- 1 IP | 1 port: IE: 0 < time < 8 s; others: 0 < time < 23 s (in general ≈ 300 ms, < 2 s)
- 1 IP | all ports: IE: 0 < time < 65535 × 8 s; others: 0 < time < 65535 × 23 s
E.g.: (10 open, 65525 closed) ≈ 3 s + 36 hours; (10 open, 1014 closed) ≈ 3 s + 33 minutes
- Network scan (X.X.X.1 – X.X.X.254, 80 active hosts): 3 ports per IP, 5 IPs at a time: 15 threads
- “Average” IE: ≈ 12 min; 12 × 60 / (254 × 3) ≈ 0.95 s/request. “Average” others: ≈ 21 min; 21 × 60 / (254 × 3) ≈ 1.65 s/request
- Forcing the timeout to 2 s from JavaScript drastically reduces the times (networks and ports)…
WhoamI: More details… (fast scan)
[Screenshot of the fast scan; only the label “Chrome” survives extraction]
WhoamI: Port banning. Restrictions on ports < 1024
- Some browsers block requests to a set of port numbers < 1024
- Internet Explorer is “freeeeeeeeeeeeeeeeeee”
FF/Chrome: YES (80, 443, 445, 543, 1433, …) NO (21, 110, 115, 135, 139, 993, …)
YES (69-tftp, 80, 115-sftp, 135, 139, 443, 445-smb, 543-Kerberos, 587-smtp, 1433-sqlserver, …) NO (21-ftp, 110-pop3, 993-imaps, …)
WhoamI: Details… (experimental) – Nmap/Wireshark
- *“Windows” hosts: it is necessary to probe “open” ports to know whether the IP is active (a reply is received)
- Linux (Ubuntu) hosts: if the IP exists, the port answers quickly (whether open or not [RST])
- “Android/iPhone” devices: if the IP exists, the port answers quickly (whether open or not [RST])
- *“Windows Phone” devices: it is necessary to probe “open” ports to know whether the IP is active
WhoamI: The best is yet to come….
WhoamI: DEMO exploitation. Port banning is not useful
[Diagram]
1. User A visits a web page
2. The page launches the exploit (repeated against several hosts on the network)
   Target: host on the network vulnerable to Shellshock
3. Metasploit – Meterpreter
WhoamI: Current / future work
- Profiling based on HTML injection eases the “exfiltration” and profiling of an internal network. Attacks with persistence? Other protocols
- The attack does not work if JavaScript is blocked (NoScript; port banning: it depends….)
- Is it possible to send the timing differences to the server without using JavaScript/AJAX?
- HTML5? CSS? …
- Why are these attacks not discussed more? “Public places with a web browser”…
WhoamI
Network profiling based on HTML tags injection
Dr. Alfonso Muñoz, Senior Cyber Security Researcher, (Co)Editor Criptored, CISA, CEH… alfonso.munoz@11paths.com, @mindcrypt
Ricardo Martín, QA Security, [email protected], @ricardo090489