SSLstrip, Slowloris & IPv6
Sam Bowne

Contact Sam Bowne
- Computer Networking and Information Technology
- City College San Francisco
- Email: sbowne@ccsf.edu
- Web: samsclass.info

Topics
- sslstrip: steals passwords from mixed-mode Web login pages
- Slowloris: denial of service; stops Apache Web servers
- IPv6: the end of the world
sslstrip
The 15 Most Popular Web 2.0 Sites
1. YouTube
2. Wikipedia
3. Craigslist
4. Photobucket
5. Flickr
6. WordPress
7. Twitter
8. IMDB
9. Digg
10. eHow
11. TypePad
12. topix
13. LiveJournal
14. deviantART
15. Technorati
Login-page types marked on the slides: HTTPS, HTTPS, MIXED, HTTPS (sites 1-8); HTTPS, HTTP, Obfuscated HTTP, MIXED, HTTPS (sites 9-15)
From http://www.ebizmba.com/articles/user-generated-content

Password Stealing
- Easy: Wall of Sheep (HTTP: 5 sites)
- Medium: sslstrip (MIXED: 3 sites)
- Hard: Spoofing certificates (HTTPS: 7 sites)
Mixed Mode
- HTTP page with an HTTPS logon button

sslstrip Proxy Changes HTTPS to HTTP
- Target (using Facebook) <-- HTTP --> Attacker: sslstrip proxy in the middle <-- HTTPS --> Internet
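The three categories used in the site survey above (HTTP, MIXED, HTTPS) can be checked mechanically for any login page: fetch the page, look at the scheme of its URL and at where each form posts. The classifier below is an added example, not code from the talk or from sslstrip; the page URLs and HTML snippets are constructed samples, and the sites named in them do not exist.

```python
"""Classify a login page as HTTP, MIXED or HTTPS.

Added example (not from the talk): it applies the three categories on the
slide to a page's URL and the action URLs of the forms it contains.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collects the absolute action URL of every <form> in a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        action = dict(attrs).get("action") or ""
        # An empty or relative action posts back to the page's own URL.
        self.actions.append(urljoin(self.page_url, action))


def classify_login_page(page_url, html):
    """Return 'HTTPS', 'HTTP' or 'MIXED'.

    HTTPS: the page and all of its forms are delivered over TLS.
    HTTP:  the page and its forms are plaintext (readable by anyone on the LAN).
    MIXED: a plaintext page whose form posts to an https:// URL. This is the
           sslstrip case: a proxy in the middle can rewrite that action to
           http:// before the browser ever shows a padlock.
    """
    collector = FormCollector(page_url)
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    form_schemes = {urlsplit(a).scheme.lower() for a in collector.actions}
    if page_scheme == "https" and form_schemes <= {"https"}:
        return "HTTPS"
    if page_scheme == "http" and form_schemes <= {"http"}:
        return "HTTP"
    # Any other combination mixes plaintext and TLS somewhere in the login path.
    return "MIXED"


# Constructed sample pages (not captured from any real site).
SAMPLE_PAGES = {
    "https://login.example/": '<form action="/session" method="post"><input name="pw"></form>',
    "http://news.example/": '<form action="https://news.example/login" method="post"></form>',
    "http://forum.example/": '<form action="login.php" method="post"></form>',
}


def classify_samples():
    """Classify every constructed sample page."""
    return {url: classify_login_page(url, html) for url, html in SAMPLE_PAGES.items()}


if __name__ == "__main__":
    for url, verdict in classify_samples().items():
        print(f"{verdict:6} {url}")
```

The MIXED verdict is the one to act on: the fix is to serve the page that carries the login form over HTTPS itself, so the user can verify the padlock before typing anything, rather than relying on the button's target.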
Ways to Get in the Middle
Physical Insertion in a Wired Network
- Target <-> Attacker <-> Internet

Configuring Proxy Server in the Browser
ARP Poisoning
- Redirects traffic at Layer 2
- Sends a lot of false ARP packets on the LAN
- Can be easily detected
- DecaffeinatID by Irongeek: http://k78.sl.pt

ARP Request and Reply
- Client wants to find the Gateway
- ARP Request: Who has 192.168.2.1?
- ARP Reply: MAC 00-30-bd-02-ed-7b has 192.168.2.1
- Diagram: Client -- ARP Request / ARP Reply -- Gateway -- Facebook.com

ARP Poisoning
- Attacker ARP replies: "I am the Gateway"
- Diagram: Client -- Attacker (forwarded & altered traffic) -- Gateway -- Facebook.com
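"Can be easily detected" is the defender's side of the ARP slides: the attack only works if a second MAC starts answering for 192.168.2.1, and that change of binding is visible to any host on the LAN. The detector below is an added example, not code from the talk or from DecaffeinatID; the log line format and the sample lines are constructed, though the gateway IP and MAC are the ones used in the ARP example above.

```python
"""Flag ARP replies that change a known IP-to-MAC binding.

Added example (not from the talk). The log format and the sample lines are
constructed; the gateway MAC is the one used in the slide's ARP example.
"""
import re

ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed sample: the real gateway answers, then a second host starts
# claiming the gateway's address, as in the ARP poisoning diagram.
SAMPLE_LOG = """\
12:00:01 reply 192.168.2.1 is-at 00:30:bd:02:ed:7b
12:00:02 reply 192.168.2.25 is-at 00:1a:2b:3c:4d:5e
12:00:03 reply 192.168.2.1 is-at 00:30:bd:02:ed:7b
12:00:04 reply 192.168.2.1 is-at 00:0c:29:aa:bb:cc
12:00:05 reply 192.168.2.1 is-at 00:0c:29:aa:bb:cc
"""


def detect_arp_poisoning(log_text, baseline=None):
    """Return alerts for replies whose MAC differs from the first one seen.

    `baseline` is an optional {ip: mac} table (for example the gateway's MAC
    as learned from DHCP or a static inventory); it prevents an early spoofed
    reply from being accepted as the truth. Learned bindings are never
    overwritten, so every later conflicting reply is reported.
    """
    table = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue  # not an ARP reply line
        ip, mac = m["ip"], m["mac"].lower()
        known = table.setdefault(ip, mac)
        if known != mac:
            alerts.append({"time": m["ts"], "ip": ip, "expected": known, "seen": mac})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_poisoning(SAMPLE_LOG, {"192.168.2.1": "00:30:bd:02:ed:7b"}):
        print(f"{a['time']} {a['ip']} expected {a['expected']} but saw {a['seen']}")
```

Seeding the baseline with the gateway's real MAC matters: without it, a host that boots on an already-poisoned network learns the attacker's MAC as "normal" and alerts on the genuine gateway instead.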
Demonstration
slowloris
HTTP GET
Send Incomplete HTTP Requests
- Apache has a queue of approx. 256 requests
- Each one waits approx. 400 seconds by default for the request to complete
- So less than one packet per second is enough to occupy them all
- Low-bandwidth DoS: no collateral damage!

OSI Model: DoS Attack by Layer
7 Application  - Slowloris: incomplete HTTP requests
6 Presentation
5 Session
4 Transport    - SYN flood: incomplete TCP handshakes
3 Network
2 Data Link
1 Physical     - Cut a cable
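Because Slowloris uses so little bandwidth, volume-based monitoring misses it; what stands out is the connection table, where a single client holds many request slots in the "still reading the request" state for far longer than any real browser would. The snapshot analysis below is an added example, not code from the talk or from Slowloris itself: the snapshot format (client IP, state, seconds since the last byte) is constructed, and the 256-slot pool is the approximate figure from the slide.

```python
"""Spot Slowloris-style connection hoarding from a connection snapshot.

Added example (not from the talk). The snapshot format is constructed: each
entry is (client_ip, state, seconds_since_last_byte), where state "R" means
the server is still reading an incomplete request and "W" means it is
writing a response. The 256-slot pool is the approximate figure on the slide.
"""
from collections import Counter

SLOT_POOL = 256  # approximate Apache request queue size from the slide


def make_sample_snapshot():
    """Constructed snapshot: one client holding 200 half-open requests
    alongside a couple of ordinary clients."""
    snapshot = [("203.0.113.7", "R", 90 + i % 30) for i in range(200)]
    snapshot += [("198.51.100.4", "W", 1), ("198.51.100.9", "R", 2), ("198.51.100.9", "W", 0)]
    return snapshot


def stalled_connections(snapshot, min_idle=30):
    """Connections still reading a request with no bytes for min_idle seconds."""
    return [c for c in snapshot if c[1] == "R" and c[2] >= min_idle]


def find_slow_clients(snapshot, min_idle=30, min_conns=10):
    """Return {client_ip: stalled_count} for clients hoarding request slots."""
    counts = Counter(ip for ip, _, _ in stalled_connections(snapshot, min_idle))
    return {ip: n for ip, n in counts.items() if n >= min_conns}


def pool_fraction_stalled(snapshot, min_idle=30, pool=SLOT_POOL):
    """Fraction of the request pool tied up by stalled requests."""
    return len(stalled_connections(snapshot, min_idle)) / pool


if __name__ == "__main__":
    snap = make_sample_snapshot()
    print(f"{pool_fraction_stalled(snap):.0%} of the pool is stalled")
    for ip, n in find_slow_clients(snap).items():
        print(f"{ip} holds {n} half-open requests")
```

The two thresholds map onto the quiz options below: lowering the per-request idle timeout shrinks the window each slot can be held (the "adjust Apache timeouts" answer), and Apache's mod_reqtimeout module enforces a minimum data rate for request headers so a connection that trickles one byte at a time is closed early (the "add a module" answer).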
Demonstration
iClicker Questions

Power failures brought down servers at 365 Main last year. What OSI Model layer was that attack in?
A. Layer 1
B. Layer 2
C. Layer 3
D. Layer 4
E. Layer 5 or higher

Which type of website is the most dangerous?
A. HTTP
B. Mixed: HTTP with HTTPS elements
C. HTTPS

What precaution protects you best when using a public Wi-Fi hotspot?
A. Open Access
B. WEP
C. WPA
D. VPN
E. 802.1x

What precaution seems best against Slowloris?
A. Do nothing and ignore it
B. Adjust Apache timeouts
C. Use a load-balancer
D. Add a module to Apache
E. Something else

What sort of logins do users of your Website use?
A. Plaintext
B. Mixed-mode
C. HTTPS with a CA
D. Self-signed SSL
E. Something else

What plans do you have to use IPv6?
A. I don't care about IPv6 at all
B. I'll implement IPv6, but not for years
C. Planning to implement it within a year
D. Planning to implement it sooner than a year
E. I am already using IPv6
IPv4 Exhaustion
- Available pool is 18 "/8 address ranges"
- Each /8 has 16.8 million addresses
- 203 already allocated
- 35 reserved for special uses
- Data from 5-13-2010, CNIT 202E, link IPv6 3

The End is Near

The End of the World
- No reprieve
- IANA will not re-purpose class D or E addresses for general use
- People who ask for IPv4 addresses after exhaustion will not get them
- Hoarding, scalping, and simple direct sale of IPv4 addresses will begin soon
- CNIT 202E, link IPv6 2 (from 2003)

Federal IPv6 Transition Timeline
- Cisco, Sept 2009 (CNIT 202E, link IPv6 9)

IPv6 Tunnels
- Tunnelbroker.com: free IPv4-to-IPv6 tunnels
- BUT your router needs to allow protocol 41
- I had to move to the DMZ to get it through

IPv6 Certification
- Get it now!
n : : can be used once to represent a string of zeroes
n From Zytrax: link IPv 6 10
IPv 6 - IPv 4 Addresses n A hybrid format may be used when dealing with IPv 6 - IPv 4 addresses where the normal IPv 4 dotted decimal notation may be used after the first 6, 16 bit address elements:
Examples
Multiple Addresses
- Note: interfaces normally have two addresses, or even more
- Link-local: FE80::w.x.y.z
- Global unicast

- Used by Ethernet

Example
- Interface MAC: 00-40-63-ca-9a-20
- IPv6 Interface ID (EUI-64): ::0040:63FF:FECA:9A20 or ::40:63FF:FECA:9A20
- Link local: FE80::40:63FF:FECA:9A20
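The address rules on these slides (the single "::" shorthand, the hybrid IPv6/IPv4 tail, and the EUI-64 interface ID derived from the MAC) are small enough to implement and check end to end. The code below is an added example, not from the talk or from Zytrax: it parses and compresses IPv6 text addresses and builds the link-local address for the slide's MAC, 00-40-63-ca-9a-20. One caveat it makes explicit: RFC 4291's modified EUI-64 also flips the universal/local bit (0x02 in the first octet) after inserting FF:FE, which turns the slide's 0040 group into 0240; flip_ul=False reproduces the unflipped form shown on the slide.

```python
"""Parse and compress IPv6 text addresses, including the '::' shorthand and
the hybrid IPv6/IPv4 tail, and build EUI-64 link-local addresses.

Added example (not from the talk). The MAC is the one on the slide; the
universal/local bit flip follows RFC 4291.
"""
import re


def expand(addr):
    """Return the eight 16-bit groups of an IPv6 text address.

    Accepts '::' at most once and an optional dotted-quad IPv4 tail, which
    occupies the last two 16-bit groups.
    """
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "." in addr:
        head, _, quad = addr.rpartition(":")
        octets = [int(x) for x in quad.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad IPv4 tail")
        addr = f"{head}:{octets[0] << 8 | octets[1]:x}:{octets[2] << 8 | octets[3]:x}"
    if "::" in addr:
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        missing = 8 - len(lg) - len(rg)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lg + ["0"] * missing + rg
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError("address must have eight 16-bit groups")
    return [int(g, 16) for g in groups]


def compress(groups):
    """Text form with the longest run (>= 2) of zero groups replaced by '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:  # leftmost run wins on a tie
            best_start, best_len = i, j - i
        i = j
    text = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])


def eui64_groups(mac, flip_ul=True):
    """Interface identifier (four 16-bit groups) from a 48-bit MAC.

    FF:FE is inserted between the OUI and the device part; RFC 4291 also
    flips the universal/local bit (0x02 of the first octet). The slide shows
    the identifier without that flip, which flip_ul=False reproduces.
    """
    octets = [int(x, 16) for x in re.split(r"[-:]", mac)]
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    if flip_ul:
        octets[0] ^= 0x02
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return [eui[k] << 8 | eui[k + 1] for k in range(0, 8, 2)]


def interface_id_text(mac, flip_ul=True):
    """The interface ID written as the slide does, with '::' for the prefix."""
    return compress([0, 0, 0, 0] + eui64_groups(mac, flip_ul))


def link_local(mac, flip_ul=True):
    """Link-local address FE80::/64 plus the EUI-64 interface ID."""
    return compress([0xFE80, 0, 0, 0] + eui64_groups(mac, flip_ul))


if __name__ == "__main__":
    mac = "00-40-63-ca-9a-20"  # MAC from the slide
    print("slide form :", interface_id_text(mac, flip_ul=False), link_local(mac, flip_ul=False))
    print("RFC 4291   :", interface_id_text(mac), link_local(mac))
    print("hybrid tail:", compress(expand("::ffff:192.168.2.1")))
```

The EUI-64 derivation is also why the "multiple addresses" slide matters for privacy: an interface ID built from the MAC is the same on every network the machine joins, so the link-local and global unicast addresses share a stable, trackable suffix.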
AAAA Records in DNS
- iana.org and ipv6.net work too

Primary Source
- I got a lot of this talk here
- Slides: 60