Man-In-The-Browser Attacks. Daniel Tomescu

Similar documents
Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Mobile Security Fall 2013

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Evaluating the Security Risks of Static vs. Dynamic Websites

CS 161 Computer Security

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Web Security Computer Security Peter Reiher December 9, 2014

COPYRIGHTED MATERIAL. Contents. Part I: The Basics in Depth 1. Chapter 1: Windows Attacks 3. Chapter 2: Conventional and Unconventional Defenses 51

Quick Start Guide for Standalone EAP

RKN 2015 Application Layer Short Summary

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

GETTING THE MOST OUT OF EVIL TWIN

Worldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Security and Authentication

WEB SECURITY: XSS & CSRF

Wireless Network Security

Solutions Business Manager Web Application Security Assessment

Chapter 2. Switch Concepts and Configuration. Part II

Testing login process security of websites. Benjamin Krumnow

GWN7600/GWN7600LR Firmware Release Note

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Hackveda Training - Ethical Hacking, Networking & Security

Pass Microsoft Exam

Security Testing. - a requirement for a secure business. ISACA DAY in SOFIA. Gabriel Mihai Tanase, Director, Cyber Services KPMG in CEE

Exam : JK Title : CompTIA E2C Security+ (2008 Edition) Exam. Version : Demo

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

CTS2134 Introduction to Networking. Module 08: Network Security

McAfee MVISION Mobile Threat Detection Android App Product Guide

1 About Web Security. What is application security? So what can happen? see [?]

Web Application Security. Philippe Bogaerts

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

Release Notes. Dell SonicWALL SRA Release Notes

WDC RDS Connection for Android Users

Defeating All Man-in-the-Middle Attacks

Endpoint Security - what-if analysis 1

Grandstream Networks, Inc. Captive Portal Authentication via Twitter

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

PMS 138 C Moto Black spine width spine width 100% 100%

Web Application Security

SECURITY ON PUBLIC WI-FI New Zealand. A guide to help you stay safe online while using public Wi-Fi

HP Cloud-Managed Networking Solution Release Notes

Wireless Security and Monitoring. Training materials for wireless trainers

TECHNICAL NOTE MSM & CLEARPASS HOW TO CONFIGURE HPE MSM CONTROLLERS WITH ARUBA CLEARPASS VERSION 3, JUNE 2016

Exam Questions SY0-401

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Network Security. Thierry Sans

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

OAuth securing the insecure

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Barracuda Firewall Release Notes 6.5.x

Locking down a Hitachi ID Suite server

Web-based Attacks on Local IoT Devices. Gunes Acar Danny Huang Frank Li Arvind Narayanan Nick Feamster

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

GWN7600 Firmware Release Note IMPORTANT UPGRADING NOTE

Stop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico

Social Engineering (SE)

Wireless Network Security Spring 2016

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

Configuring Remote Access using the RDS Gateway

Vulnerabilities in online banking applications

RouterCheck Installation and Usage

Facebook API Breach. Jake Williams Rendition Infosec

Wireless Network Security Spring 2015

Wifiphisher Documentation

GWN7600/7600LR Firmware Release Notes IMPORTANT UPGRADING NOTE

The StrideLinx Remote Access Solution comprises the StrideLinx router, web-based platform, and VPN client.

pinremote Manual Version 4.0

Computer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

Post Connection Attacks

Application security : going quicker

THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS

Principles of ICT Systems and Data Security

Security and Privacy. Xin Liu Computer Science University of California, Davis. Introduction 1-1

Ethical Hacking and Prevention

vsolution Cynap Pure Network Integration

Pass-the-Hash Attacks

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Web Security II. Slides from M. Hicks, University of Maryland

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Man in the Middle Attacks and Secured Communications

10 FOCUS AREAS FOR BREACH PREVENTION

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Responder for Purple Teams

Becoming the Adversary

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

EasyCrypt passes an independent security audit

Transcription:

Man-In-The-Browser Attacks Daniel Tomescu 1

About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests: Web app security Internal network penetration tests Red / Blue Teaming Curious about mobile and embedded devices Bug bounty hunter 2

Getting the password From Facebook Not that easy From NSA / FBI / SRI They won t respond my emails From the user Social Engineering rocks! But I don t like dealing with people too much. From the user s browser Knows more about the user than the user itself But which browser? And how? 3

A few browsers 4

Browsers? Really? 5

Mobile browsers? 6

Smart TV? Console? 7

Ok, it s time to stop! HTML Help: run hh http://google.com 8

Security features Implementation of CORE security features: Same Origin Policy HTML / JS / CSS Engines Local file access Session management / local storage HTTP Request / Response headers Certificates Fancy security features Extensions / Add-Ons In-Browser Apps Developer Tools Inter-application communication 9

Security indicators The address bar, probably the only reliable security indicator We recognize that the address bar is the only reliable security indicator in modern browsers, Google, https://www.google.com/about/appsecurity/reward-program/ 10

More security indicators View source Inspect certificates Monitor network traffic Check origin Extensions? Process list? Is somebody watching you? 11

Certificates Trusted root certificates + Certificates installed by your antivirus software + Certificates installed by your Company + Certificates installed by proxy tool(s) + Certificates installed by development frameworks + Certificates installed by strange 3 rd party applications And I don t even fully trust the default certification authorities. 12

Extensions if the browser supports extensions, and if an attacker manages to control a browser extension + Every permission you can dream of (almost), the browser is yours! - Hard to install - access to the system - trick the user to install extensions by himself - Also, a bit of programming is required 13

Local Access Elevated permissions: no fun, you can control anything, therefore the OS and everything it runs (including the browser) is compromised. Limited user permissions: Elevate permissions! Install malicious browser extensions Steal / replace browser profiles => passwords! Start browser with disabled security features: >> chromium-browser --disable-web-security Intercept browser traffic and eavesdrop passwords, secrets NetRipper, Ionut Popescu, https://github.com/nytrorst/netripper 14

Man-In-The-Middle MITM scenarios: Control the DHCP server Control the DNS server Control one intermediary node (ex: a proxy server) Good old Arp Spoofing gets the job done Or maybe it doesn t Protection: Use HTTPS, with a valid certificate Cool security headers: HSTS, CSP, Secure flag for cookies A decent Antivirus solution Use trusted network connections only! 15

The Man is the Browser! Common attack in applications which used WebView controls to embed HTML content 16

The Man is the Browser! 17

The Man is the Browser! Inserting arbitrary JavaScript code in WebView control Java code for Android 18

Fantasy attack #1 Rogue AP: 1. Target a device with WiFi turned on; 19

Fantasy attack #1 Rogue AP: 1. Target a device with WiFi turned on; 2. Detect WiFi profiles already known by the target; Name (SSID) MAC Address (BSSID) Authentication protocol (None / WEP / WPA / WPA2 / WPA Enterprise / Magic) 20

Fantasy attack #1 Rogue AP: 1. Target a device with WiFi turned on; 2. Detect WiFi profiles already known by the target; 3. Replicate the discovered profiles, hoping that one of them has the automatically connect option checked; Also, continuously disconnect the target from his safe connection; 21

Fantasy attack #1 Rogue AP: 1. Target a device with WiFi turned on; 2. Detect WiFi profiles already known by the target; 3. Replicate the discovered profiles, hoping that one of them has the automatically connect option checked; 4. Capture any connection attempt (half handshake) and bruteforce it to recover the WiFi s original password. https://github.com/dxa4481/wpa2-halfhandshake-crack 22

Fantasy attack #1 Rogue AP: 1. Target a device with WiFi turned on; 2. Detect WiFi profiles already known by the target; 3. Imitate the discovered profiles, hoping that one of them has the automatically connect option checked; 4. Capture any connection attempt (half handshake) and bruteforce it to recover the WiFi s original password. 5. Again, replicate the discovered network with the correct password and wait until the user connects to your AP. CVE-2017-11120: Buffer overflow in Broadcom WiFi chipsets; Classic MITM attacks: 23

Fantasy attack #2 Visiting a malicious website: 1. Detect the victim s local IP address: Demo: http://portswigger-labs.net/hackability/ WebRTC is your friend. 24

Fantasy attack #2 Visiting a malicious website: 1. Detect the victim s local IP address; 2. Guess the router s IP address: Probably it is the gateway: 192.168.1.1 or 192.168.1.254 The web management interface is probably accessible on a common port: 80, 443, 8080, 8443, 8888 25

Fantasy attack #2 Visiting a malicious website: 1. Detect the victim s local IP address; 2. Guess the router s IP address; 3. Detect router type using a simple trick: trying to access router images (logo, backdround, icons) which can be accessed without authentication: 26

Fantasy attack #2 Visiting a malicious website: 1. Detect the victim s local IP address; 2. Guess the router s IP address; 3. Detect router type; 4. Login in the Router s web administration interface: Logon CSRF? Default credentials? admin : admin 27

Fantasy attack #2 Visiting a malicious website: 1. Detect the victim s local IP address; 2. Guess the router s IP address; 3. Detect router type; 4. Login in the Router s web administration interface; 5. Exploit other CSRF vulnerabilities in the Router s web interface: Change DHCP settings; Change DNS settings; Update firmware which will probably brick the router; Restart router for changes to take effect. 28

Fantasy attack #2 Visiting a malicious website: 1. Detect the victim s local IP address; 2. Guess the router s IP address; 3. Detect router type; 4. Login in the Router s web administration interface; 5. Exploit other CSRF vulnerabilities in the Router s web interface; 6. Configure a Captive Portal! 29

Fantasy attack #2 Visiting a malicious website: 1. Detect the victim s local IP address; 2. Guess the router s IP address; 3. Detect router type; 4. Login in the Router s web administration interface; 5. Exploit other CSRF vulnerabilities in the Router s web interface; 6. Configure a Captive Portal and ask for credentials: 30

Fantasy attack #2 Visiting a malicious website: 1. Detect the victim s local IP address; 2. Guess the router s IP address; 3. Detect router type; 4. Login in the Router s web administration interface; 5. Exploit other CSRF vulnerabilities in the Router s web interface; 6. Configure a Captive Portal and ask for Integrated Windows Authentication (NTLM-SSP) 31

Fantasy attack #2 Captive Portal with Integrated Windows Authentication (NTLM-SSP): Can be simulated with Responder, https://github.com/spiderlabs/responder NTLMv1 / NTLMv2 handshakes can be bruteforced; The obtained credentials might be used to RDP into the victim s computer or to execute commands over SMB using PsExec or similar tools (Administrative privileges required) 32

Fantasy attack #2 Visiting a malicious website Protection measures: 1. Don t visit malicious websites 2. Use a router which is not vulnerable to CSRF; 3. Do not use default credentials for admin interfaces. 4. Do not use default settings for browser security levels AND disable unused features. 33

Questions? 34

The End Thank you! Mail: mail@daniel-tomescu.com LinkedIn: https://www.linkedin.com/in/daniel-tomescu/ 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback