Two Scary DoS Attacks AND Hacking American Express and Chase Manhattan Accounts HI-TEC July 24,...
Two Scary DoS Attacks AND
Hacking American Express and Chase Manhattan Accounts
HI-TEC July 24, 2013

Bio

Cookie Re-Use

SockStress

From 2008
• Still not patched
• Attacks TCP by sending a small WINDOW size
• Causes sessions to hang up, consuming RAM
• Does not work on BackTrack/Kali
• Requires Slackware, works best on v. 10
• Can render servers unbootable

SockStress Demo

IPv4 Exhaustion

IPv4 Exhaustion

One Year Left

IPv6 Exhaustion

Link-Local DoS
IPv6 Router Advertisements

Old Attack (from 2011)
Image from forumlane.org

IPv4: DHCP
• PULL process
• Client requests an IP
• Router provides one

Host: I need an IP
Router: Use this IP

IPv6: Router Advertisements
• PUSH process
• Router announces its presence
• Every client on the LAN creates an address and joins the network

Router: JOIN MY NETWORK
Host: Yes, SIR

Router Advertisement Packet

RA Flood (from 2011)
flood_router6

Effects of flood_router6
• Drives Windows to 100% CPU
• Also affects FreeBSD
• No effect on Mac OS X or Ubuntu Linux

The New RA Flood
Image from guntech.com/

MORE IS BETTER
• Each RA now contains
  – 17 Route Information sections
  – 18 Prefix Information sections

Flood Does Not Work Alone
• Before the flood, you must send some normal RA packets
• This puts Windows into a vulnerable state

How to Perform this Attack
• For best results, use a gigabit Ethernet NIC on attacker and a gigabit switch
• Use thc-ipv6 2.1 on Linux
• Three Terminal windows:
  1. ./fake_router6 eth1 a::/64
  2. ./fake_router6 eth1 b::/64
  3. ./flood_router26 eth1
• Windows dies within 30 seconds

Effects of New RA Flood
• Win 8 & Server 2012 die (BSOD)
• Microsoft Surface RT dies (BSOD)
• Mac OS X dies
• Win 7 & Server 2008 R2, with the "IPv6 Readiness Update" freeze during attack
• iPad 3 slows and sometimes crashes
• Android phone slows and sometimes crashes
• Ubuntu Linux suffers no harm

Videos and Details

Mitigation
• Disable IPv6
• Turn off Router Discovery with netsh
• Use a firewall to block rogue RAs
• Get a switch with RA Guard
• Microsoft's "IPv6 Readiness Update" provides some protection for Win 7 & Server 2008 R2
  – Released Nov. 13, 2012
  – KB 2750841
  – But NOT for Win 8 or Server 2012!!
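
Added example (not from the slides and not part of thc-ipv6): a monitoring check that parses one ICMPv6 Router Advertisement and flags the oversized RAs described under "MORE IS BETTER" (17 Route Information and 18 Prefix Information options). The function names and the MAX_PREFIX / MAX_ROUTE thresholds are assumptions, and the sample packets are constructed test input.

```python
import struct
from collections import Counter

RA_TYPE = 134        # ICMPv6 Router Advertisement (RFC 4861)
OPT_PREFIX = 3       # Prefix Information option (RFC 4861)
OPT_ROUTE = 24       # Route Information option (RFC 4191)
RA_HEADER_LEN = 16   # fixed RA fields that precede the options
# Assumed site policy, not values from the slides.
MAX_PREFIX, MAX_ROUTE = 4, 4

def count_ra_options(icmp6: bytes) -> Counter:
    """Count options by type in one ICMPv6 RA message (no IPv6 header)."""
    if len(icmp6) < RA_HEADER_LEN or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    counts, off = Counter(), RA_HEADER_LEN
    while off < len(icmp6):
        if off + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, units = icmp6[off], icmp6[off + 1]   # length is in 8-byte units
        if units == 0 or off + units * 8 > len(icmp6):
            raise ValueError("bad option length")
        counts[opt_type] += 1
        off += units * 8
    return counts

def classify_ra(icmp6: bytes) -> str:
    """Return 'ok', 'oversized' or 'malformed' for one RA message."""
    try:
        counts = count_ra_options(icmp6)
    except ValueError:
        return "malformed"
    if counts[OPT_PREFIX] > MAX_PREFIX or counts[OPT_ROUTE] > MAX_ROUTE:
        return "oversized"
    return "ok"

def sample_ra(n_prefix: int, n_route: int) -> bytes:
    """Constructed test input: RA header plus repeated options, checksum 0."""
    net = bytes.fromhex("20010db8") + bytes(12)          # 2001:db8::/64
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0)
    pfx = struct.pack("!BBBBIII16s", OPT_PREFIX, 4, 64, 0xC0, 86400, 14400, 0, net)
    rte = struct.pack("!BBBBI16s", OPT_ROUTE, 3, 64, 0, 1800, net)
    return hdr + pfx * n_prefix + rte * n_route

if __name__ == "__main__":
    print(classify_ra(sample_ra(1, 0)))     # ordinary RA
    print(classify_ra(sample_ra(18, 17)))   # option counts from the slide
```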

DEMO

More Info
• Slides, instructions for the attacks, and more at Samsclass.info