SSLstrip Slowloris - PowerPoint PPT Presentation

Slides: 68
Provided by: samsclass5
1
SSLstrip, Slowloris, IPv6, Split Handshake
Sam Bowne
2
Contact
  • Sam Bowne
  • Computer Networking and Information Technology
  • City College San Francisco
  • Email: sbowne@ccsf.edu
  • Web: samsclass.info

3
Topics
  • sslstrip: Steals passwords from mixed-mode Web
    login pages
  • Slowloris: Denial of Service that stops Apache Web
    servers
  • IPv6: The end of the world
  • Split Handshake: simple trick that evades all
    tested IPS systems

4
sslstrip
5
The 15 Most Popular Web 2.0 Sites
  • 1. YouTube: HTTPS
  • 2. Wikipedia: HTTP
  • 3. Craigslist: HTTPS
  • 4. Photobucket: HTTP
  • 5. Flickr: HTTPS
  • 6. WordPress: MIXED
  • 7. Twitter: MIXED
  • 8. IMDB: HTTPS

6
The 15 Most Popular Web 2.0 Sites
  • 9. Digg: HTTP
  • 10. eHow: HTTPS
  • 11. TypePad: HTTPS
  • 12. topix: HTTP
  • 13. LiveJournal: Obfuscated HTTP
  • 14. deviantART: MIXED
  • 15. Technorati: HTTPS
  • From http://www.ebizmba.com/articles/user-generated-content

7
Password Stealing
  • Easy: Wall of Sheep
  • Medium: sslstrip
  • Hard: Spoofing certificates
8
Mixed Mode
  • HTTP Page with an HTTPS Logon Button

9
sslstrip Proxy Changes HTTPS to HTTP
  (Diagram: Target using Facebook --HTTP--> Attacker running the sslstrip proxy in the middle --HTTPS--> Internet)
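An added example (not from the slides) that applies the site list's HTTP / HTTPS / MIXED labels to a login page by checking where its password forms submit; the sample page, URLs and function names are constructed for illustration, and only forms are checked, not plain logon links.

```python
"""Classify a login page as HTTPS, HTTP or MIXED (an HTTP page whose logon form
submits to HTTPS), the case sslstrip exploits: no lock is shown before typing."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordFormCollector(HTMLParser):
    """Record the resolved action URL of every form that has a password field."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.actions = []          # action URLs of password-carrying forms
        self._action = None        # action of the form currently open
        self._has_password = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An absent action means "post back to this page's own URL".
            self._action = urljoin(self.base_url, attrs.get("action") or "")
            self._has_password = False
        elif tag == "input" and self._action is not None \
                and (attrs.get("type") or "").lower() == "password":
            self._has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self._action is not None:
            if self._has_password:
                self.actions.append(self._action)
            self._action = None


def classify_login_page(page_url, html):
    """Return 'HTTPS', 'MIXED', 'HTTP' or 'NO-LOGIN' using the talk's categories.
    Fix for MIXED: serve the login page itself over HTTPS and send
    Strict-Transport-Security so the browser refuses a later downgrade."""
    collector = _PasswordFormCollector(page_url)
    collector.feed(html)
    if not collector.actions:
        return "NO-LOGIN"
    if {urlsplit(a).scheme.lower() for a in collector.actions} != {"https"}:
        return "HTTP"              # some password form posts in the clear
    return "HTTPS" if urlsplit(page_url).scheme.lower() == "https" else "MIXED"


# Constructed sample: a plain-HTTP home page carrying an HTTPS logon form.
MIXED_HTML = ('<form action="https://login.example.com/auth" method="post">'
              '<input type="text" name="user"><input type="password" name="pw">'
              '</form>')
```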
10
Ways to Get in the Middle
11
Physical Insertion in a Wired Network
  (Diagram: Target --> Attacker --> Internet)
12
Configuring Proxy Server in the Browser
13
ARP Poisoning
  • Redirects Traffic at Layer 2
  • Sends a lot of false ARP packets on the LAN
  • Can be easily detected
  • DecaffeinatID by IronGeek
  • http://k78.sl.pt

14
ARP Request and Reply
  • Client wants to find Gateway
  • ARP Request: Who has 192.168.2.1?
  • ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1

  (Diagram: ARP Request and ARP Reply exchanged between Client and Gateway; Gateway connects on to Facebook.com)
15
ARP Poisoning
  (Diagram: Attacker sends ARP Replies "I am the Gateway" to the Client; the Client's traffic to Facebook goes to the Attacker, who passes forwarded, altered traffic on to the Gateway and Facebook.com)
16
Demonstration
17
slowloris
18
HTTP GET
19
Send Incomplete HTTP Requests
  • Apache has a queue of approx. 256 requests
  • Each one waits approx. 400 seconds by default for
    the request to complete
  • So less than one packet per second is enough to
    occupy them all
  • Low-bandwidth DoS--no collateral damage!
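An added example, not part of the talk, that checks Apache's mod_status `?auto` output for the symptom Slowloris produces (workers stuck reading requests while the idle pool is drained); the two status samples are constructed, and the thresholds are assumptions to tune per server.

```python
"""Spot Slowloris-style worker exhaustion in Apache's machine-readable
/server-status?auto output: slots stuck in 'R' with no idle workers left."""
from collections import Counter

# mod_status scoreboard legend (from the Apache docs): '_' waiting for
# connection, 'S' starting, 'R' reading request, 'W' sending reply,
# 'K' keepalive, 'D' DNS lookup, 'C' closing, 'L' logging, 'G' gracefully
# finishing, 'I' idle cleanup, '.' open slot. Slowloris parks workers in 'R'
# because the request headers it sends never finish.


def make_status(scoreboard):
    """Build a constructed ?auto response around a scoreboard string."""
    busy = sum(1 for c in scoreboard if c not in "_.")
    return (f"Total Accesses: 4712\nUptime: 3600\nBusyWorkers: {busy}\n"
            f"IdleWorkers: {scoreboard.count('_')}\nScoreboard: {scoreboard}\n")


# Constructed samples: 256 slots (the talk's Apache queue) under attack,
# and the same server on a busy but healthy day.
ATTACK_STATUS = make_status("_" * 2 + "R" * 254)
HEALTHY_STATUS = make_status("_" * 200 + "W" * 30 + "R" * 6 + "." * 20)


def parse_status(text):
    """Return the 'Key: value' fields plus a Counter of scoreboard states."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    fields["states"] = Counter(fields.get("Scoreboard", ""))
    return fields


def slowloris_suspected(text, reading_fraction=0.5, max_idle=4):
    """True when most slots are stuck reading requests and the idle pool is
    exhausted. A legitimate rush shows workers in 'W' (sending), not 'R'."""
    status = parse_status(text)
    total = sum(status["states"].values()) or 1
    reading = status["states"]["R"] / total
    idle = int(status.get("IdleWorkers", "0"))
    return reading >= reading_fraction and idle <= max_idle


# Server-side mitigation is mod_reqtimeout, which drops connections whose
# headers do not arrive at a minimum rate, e.g. in httpd.conf:
#   RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
```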

20
OSI Model
  Layer            DoS Attack
  7 Application    Slowloris: incomplete HTTP requests
  6 Presentation
  5 Session
  4 Transport      SYN Flood: incomplete TCP handshakes
  3 Network
  2 Data Link
  1 Physical       Cut a cable
21
Demonstration
22
iClicker Questions
23
Power failures brought down servers at 365 Main
last year. What OSI Model layer was that attack in?
  1. Layer 1
  2. Layer 2
  3. Layer 3
  4. Layer 4
  5. Layer 5 or higher

24
Which type of website is the most dangerous?
  1. HTTP
  2. Mixed HTTP with HTTPS elements
  3. HTTPS

25
What precaution protects you best when using a
public Wi-Fi hotspot?
  1. Open Access
  2. WEP
  3. WPA
  4. VPN
  5. 802.1x

26
What precaution seems best against Slowloris?
  1. Do nothing and ignore it
  2. Adjust Apache timeouts
  3. Use a load-balancer
  4. Add a module to Apache
  5. Something else

27
What sort of logins do users of your Website use?
  1. Plaintext
  2. Mixed-mode
  3. HTTPS with a CA
  4. Self-signed SSL
  5. Something else

28
What plans do you have to use IPv6?
  1. I don't care about IPv6 at all
  2. I'll implement IPv6, but not for years
  3. Planning to implement it within a year
  4. Planning to implement it sooner than a year
  5. I am already using IPv6

29
(No Transcript)
30
IPv4 Exhaustion
  • Available pool is 18 "/8 address ranges"
  • Each /8 has 16.8 Million Addresses
  • 203 already allocated
  • 35 Reserved for special uses
  • Data from 5-13-2010, CNIT 202E, link IPv6 3

31
The End is Near
32
The End of the World
  • No Reprieve
  • IANA will not re-purpose class D or E addresses
    for general use
  • People who ask for IPv4 addresses after
    exhaustion will not get them
  • Hoarding, scalping, and simple direct sale of
    IPv4 addresses will begin soon

33
  • CNIT 202E - Link IPv6 2 (from 2003)

34
Federal IPv6 Transition Timeline
  • Cisco, Sept 2009 (CNIT 202E, link IPv6 9)

35
IPv6 Tunnels
  • Tunnelbroker.com
  • Free IPv4-to-IPv6 Tunnels
  • BUT your router needs to allow protocol 41
  • I had to move to the DMZ to get it through

36
IPv6 Certification
  • Get it now!

37
(No Transcript)
38
  • :: can be used once to represent a string of
    zeroes

39
  • From Zytrax link IPv6 10

40
IPv6 - IPv4 Addresses
  • A hybrid format may be used for IPv6 addresses
    that embed an IPv4 address: the normal IPv4
    dotted-decimal notation may be used after the
    first six 16-bit address elements

41
Examples
42
(No Transcript)
43
(No Transcript)
44
(No Transcript)
45
(No Transcript)
46
Multiple Addresses
  • Note: Interfaces normally have two addresses, or
    even more
  • Link-local: FE80::w.x.y.z
  • Global unicast

47
  • Used by Ethernet

48
Example
  • Interface MAC: 00-40-63-ca-9a-20
  • IPv6 Interface ID (EUI-64): 0040:63FF:FECA:9A20
    or 40:63FF:FECA:9A20
  • Link local: FE80::40:63FF:FECA:9A20
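An added example (not from the slides) that works the notation rules above with Python's ipaddress module: the single-use `::`, the EUI-64 interface ID from the slide's MAC, and the hybrid IPv4-in-IPv6 form. It goes beyond the slide by also applying the RFC 4291 universal/local bit flip that the slide's value omits; the `flip_ul=False` switch reproduces the slide's figure. Function names are assumptions.

```python
"""IPv6 text-notation rules from the slides, worked with the standard library:
'::' once per address, EUI-64 interface IDs from a MAC, and the hybrid
IPv4-in-IPv6 form (six 16-bit groups, then dotted decimal)."""
import ipaddress


def is_valid_ipv6_text(text):
    """'::' may stand for one run of zero groups; a second '::' is rejected."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def mac_to_eui64(mac, flip_ul=True):
    """Expand a 48-bit MAC (00-40-63-ca-9a-20 style) to an 8-byte EUI-64.

    RFC 4291 Appendix A: insert FF:FE in the middle and flip bit 0x02 of the
    first byte (the universal/local bit). flip_ul=False reproduces the slide's
    value, which leaves that bit unchanged."""
    octets = bytes(int(part, 16) for part in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    first = octets[0] ^ 0x02 if flip_ul else octets[0]
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def interface_id_text(iid):
    """Render 8 bytes as four 16-bit hex groups with leading zeros dropped."""
    return ":".join(f"{int.from_bytes(iid[i:i + 2], 'big'):x}" for i in range(0, 8, 2))


def link_local_from_mac(mac, flip_ul=True):
    """fe80::/64 prefix + EUI-64 interface ID; str() applies '::' compression."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_eui64(mac, flip_ul))


def embedded_ipv4(text):
    """For the hybrid form ::ffff:a.b.c.d return the embedded IPv4 address,
    or None when the address is not IPv4-mapped."""
    return ipaddress.IPv6Address(text).ipv4_mapped
```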

49
(No Transcript)
50
(No Transcript)
51
(No Transcript)
52
(No Transcript)
53
(No Transcript)
54
(No Transcript)
55
(No Transcript)
56
(No Transcript)
57
AAAA Records in DNS
  • iana.org and ipv6.net work too

58
(No Transcript)
59
(No Transcript)
60
Primary Source
  • I got a lot of this talk here

61
iClicker Questions
62
What plans do you have to use IPv6?
  1. I don't care about IPv6 at all
  2. I'll implement IPv6, but not for years
  3. Planning to implement it within a year
  4. Planning to implement it sooner than a year
  5. I am already using IPv6

63
Split Handshake
64
TCP Handshake
  • Normally a three-way process

  (Diagram: SYN, then SYN/ACK, then ACK)
65
TCP Handshake
  • Since both devices could start the session
    simultaneously, this four-way handshake is also
    allowed

  (Diagram: SYN, ACK, SYN, ACK)
66
TCP Handshake
  • But when you send those packets to a modern OS,
    this is what really happens

  (Diagram: SYN, ACK, SYN, SYN/ACK, ACK)
67
Which Side Opened That Session?
  • This five-way handshake works--it opens a session
    so data can flow
  • But security devices are so confused by it they
    no longer provide protection
  • Snort, TippingPoint 2400, and Juniper SRX 5800
    all failed to detect attacks sent after that
    handshake
  • More info here: http://bit.ly/9tUfb9
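An added example, not from the talk, that classifies the three packet sequences shown above and flags the split form a session tracker should alert on; packet directions are an assumption (client opens, server answers), since the slides show only the flags.

```python
"""Classify a TCP handshake from its SYN/ACK flag sequence and flag the split
handshake that made the IPS devices in the talk lose track of the session."""


def classify_handshake(packets):
    """packets: list of (sender, flag_set) in wire order, flags from {"SYN","ACK"}.

    Tracks whose SYN is still waiting for an ACK, so it also reports handshakes
    that never complete (the SYN-flood case from the OSI slide)."""
    initiator = None            # side that sent the first SYN
    pending = set()             # sides whose latest SYN is not yet acknowledged
    acked = set()               # sides whose SYN has been acknowledged
    responder_bare_syn = False  # responder sent SYN without ACK (split form)
    synack_sender = None        # first side to send SYN+ACK
    for sender, flags in packets:
        if "SYN" in flags and initiator is None:
            initiator = sender
        if "ACK" in flags:
            # An ACK acknowledges every outstanding SYN from the other side.
            for side in [s for s in pending if s != sender]:
                pending.discard(side)
                acked.add(side)
        if "SYN" in flags:
            pending.add(sender)
            if sender != initiator and "ACK" not in flags:
                responder_bare_syn = True
            if "ACK" in flags and synack_sender is None:
                synack_sender = sender
    if initiator is None:
        raise ValueError("no SYN seen")
    return {
        "kind": "split-handshake" if responder_bare_syn else "three-way",
        "packets": len(packets),
        "initiator": initiator,
        "established": len(acked) == 2 and not pending,
        # A tracker that labels the SYN/ACK sender as the server gets the
        # roles backwards when the initiator is the one sending SYN/ACK.
        "roles_inverted": synack_sender == initiator,
    }


# Constructed packet sequences matching the three slides; directions are an
# assumption (client opens, server answers), the slides only show the flags.
THREE_WAY = [("client", {"SYN"}), ("server", {"SYN", "ACK"}), ("client", {"ACK"})]
FOUR_WAY = [("client", {"SYN"}), ("server", {"ACK"}), ("server", {"SYN"}),
            ("client", {"ACK"})]
FIVE_WAY = [("client", {"SYN"}), ("server", {"ACK"}), ("server", {"SYN"}),
            ("client", {"SYN", "ACK"}), ("server", {"ACK"})]
```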