Ethical Hacking: New Web 2.0 Attacks and Defenses, HI-TEC 2011
TRANSCRIPT
Page 1
Ethical Hacking: New Web 2.0 Attacks and Defenses
HI-TEC 2011
Page 2
Bio
Page 3
To Get These Materials
• samsclass.info
• All PowerPoints, projects, etc. available for anyone to use
Page 4
Join Twitter
Page 5
Ethical Hacking
Page 6
Security Training at CCSF
• Security+
• CEH (Certified Ethical Hacker)
• CISSP (Certified Information Systems Security Professional)
• Computer Forensics
• Firewalls
Page 7
The Security Circus
Page 8
Denial of Service
Part 1
Page 9
Summary
• The DoS Circus
• Layer 4 DDoS: Thousands of attackers bring down one site
• Layer 7 DoS: One attacker brings down one site
• Link-Local DoS: IPv6 RA Attack: One attacker brings down a whole network
Page 10
The Security Circus
Characters
Page 11
Wikileaks
• Published <1000 US Gov't diplomatic cables from a leak of 250,000
• Distributed an encrypted "Insurance" file by BitTorrent
• Widely assumed to contain the complete, uncensored leaked data
• Encrypted with AES-256--no one is ever getting in there without the key
• Key to be released if Assange is jailed or killed, but he is in UK now resisting extradition to Sweden and the key has not been released
Page 12
Anonymous
Page 13
Operation Payback
• 4chan's Anonymous group
• Attacked Scientology websites in 2008
• Attacked the RIAA and other copyright defenders
• Using the Low Orbit Ion Cannon with HiveMind (DDoS)
• "Opt-in Botnet"
Page 14
HB Gary Federal
• Aaron Barr
• Developed a questionable way to track people down online
• By correlating Twitter, Facebook, and other postings
• Announced in Financial Times that he had located the "leaders" of Anonymous and would reveal them in a few days
Page 15
Page 16
Social Engineering & SQLi
• http://tinyurl.com/4gesrcj
Page 17
Leaked HB Gary Emails
• For Bank of America
– Discredit Wikileaks
– Intimidate Journalist Glenn Greenwald
• For the Chamber of Commerce
– Discredit the watchdog group US Chamber Watch
– Using fake social media accounts
• For the US Air Force
– Spread propaganda with fake accounts
• http://tinyurl.com/4anofw8
Page 18
Drupal Exploit
Page 19
Th3j35t3r
• "Hacktivist for Good"
• Claims to be ex-military
• Originally performed DoS attacks on Jihadist sites
• Bringing them down for brief periods, such as 30 minutes
• Announces his attacks on Twitter, discusses them on a blog and live on irc.2600.net
Page 20
Jester's Tweets from Dec 2010
Page 21
Th3j35t3r v. Wikileaks
• He brought down Wikileaks single-handed for more than a day
– I was chatting with him in IRC while he did it, and he proved it was him by briefly pausing the attack
Page 22
Wikileaks Outage
• One attacker, no botnet
Page 23
Th3j35t3r
• After his Wikileaks attack
• He battled Anonymous
• He claims to have trojaned a tool the Anons downloaded
• He claims to pwn Anon insiders now
Page 24
Jester's Tweets
Page 25
Westboro Baptist Outage
• 4 sites held down for 8 weeks
• From a single 3G cell phone
– http://tinyurl.com/4vggluu
Page 26
LulzSec
• The skilled group of Anons who hacked HB Gary Federal
• Hacked
– US Senate
– Pron.com
– Sony
– FBI
– PBS
– Fox News
Page 27
Page 28
Page 29
LulzSec Attacks on Government Sites
• FBI, CIA, US Senate, NATO
• UK's National Health Service
• SOCA, the UK's Serious Organised Crime Agency, taken down 6-20-2011
Page 30
Page 31
Booz Allen Hamilton
• 150,000 US Military emails & hashed passwords
• Half the passwords cracked within 24 hours
Page 32
Page 33
T-Flow of LulzSec Arrested
Page 34
Topiary of LulzSec Arrested
Page 35
Layer 4 DDoS
Many Attackers – One Target
Page 36
Companies that Refused Service to Wikileaks
• Amazon
• Paypal
• Mastercard
• Visa
• Many others
Page 37
Low Orbit Ion Cannon
• Primitive DDoS Attack, controlled via IRC
• Sends thousands of packets per second from the attacker directly to the target
• Like throwing a brick through a window
• Takes thousands of participants to bring down a large site
• They tried but failed to bring down Amazon
Page 38
Low Orbit Ion Cannon
Page 39
Operation Payback v. Mastercard
• Brought down Visa, Mastercard, and many other sites
– Easily tracked, and easily blocked
– High bandwidth, cannot be run through anonymizer
– Dutch police have already arrested two participants
Page 40
Mastercard Outage
3,000 to 30,000 attackers working together
Page 41
Page 42
Layer 7 DoS
One Attacker – One Target
Exhausts Server Resources
Page 43
Layer 7 DoS
• Subtle, concealable attack
• Can be routed through proxies
• Low bandwidth
• Can be very difficult to distinguish from normal traffic
Page 44
HTTP GET
Page 45
SlowLoris
• Send incomplete GET requests
• Freezes Apache with one packet per second
Page 46
R-U-Dead-Yet
• Incomplete HTTP POSTs
• Stops IIS, but requires thousands of packets per second
Page 47
Keep-Alive DoS
• HTTP Keep-Alive allows 100 requests in a single connection
• HEAD method saves resources on the attacker
• Target a page that is expensive for the server to create, like a search
– http://www.esrun.co.uk/blog/keep-alive-dos-script/
• A php script
– php keep-dead.php
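The SlowLoris, R-U-Dead-Yet and Keep-Alive slides each describe a connection pattern a server can see. As an added example (not code from the talk or from any of the tools named), this monitor classifies a snapshot of open connections into those three patterns and alerts on a client only once several of its connections match, because one Slowloris socket is indistinguishable from one slow mobile user. The record fields, the 30 s / 50 B/s / 50-request thresholds and the /search path are assumptions.

```python
"""Classify open HTTP connections for Layer 7 slow-request patterns.
Constructed example: each Conn is one server-side connection as a
hypothetical monitor would see it at a single instant (not real traffic)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Conn:
    client: str
    age_s: float          # seconds since the TCP connection was accepted
    method: str           # request method, "" if the request line is not in yet
    path: str
    headers_done: bool    # has the blank line ending the headers arrived?
    content_length: int   # declared body size (POST), 0 otherwise
    body_bytes: int       # body bytes received so far
    requests: int         # requests already served on this keep-alive connection

EXPENSIVE = ("/search",)  # assumed: paths that are costly for the server to render

def classify(c: Conn) -> Optional[str]:
    # SlowLoris: headers still incomplete long after the connection opened
    if not c.headers_done and c.age_s > 30:
        return "slow-headers"
    # R-U-Dead-Yet: POST with a declared body that trickles in well under 50 B/s
    if (c.method == "POST" and c.content_length > 0 and c.age_s > 30
            and c.body_bytes / c.age_s < 50):
        return "slow-body"
    # Keep-alive abuse: one connection issuing dozens of HEADs for an expensive page
    if c.method == "HEAD" and c.path.startswith(EXPENSIVE) and c.requests >= 50:
        return "keepalive-head"
    return None

def suspicious_clients(conns, min_flagged=3):
    """Map client -> {pattern: count}, keeping only clients with >= min_flagged hits.
    One lagging connection is normal; several at once from one address is not."""
    flagged = defaultdict(Counter)
    for c in conns:
        kind = classify(c)
        if kind:
            flagged[c.client][kind] += 1
    return {ip: dict(k) for ip, k in flagged.items() if sum(k.values()) >= min_flagged}

# Constructed snapshot: three attack patterns, one slow but honest client, one normal
SAMPLE = (
    [Conn("198.51.100.7", 120, "GET", "/", False, 0, 0, 0) for _ in range(4)]
    + [Conn("203.0.113.9", 90, "POST", "/login", True, 100_000, 900, 0) for _ in range(3)]
    + [Conn("192.0.2.5", 8, "HEAD", f"/search?q={q}", True, 0, 0, 100) for q in "abc"]
    + [Conn("192.0.2.77", 45, "GET", "/", False, 0, 0, 0),   # one slow mobile user
       Conn("192.0.2.10", 2, "GET", "/index.html", True, 0, 0, 3)]
)

if __name__ == "__main__":
    for ip, kinds in suspicious_clients(SAMPLE).items():
        print(ip, kinds)
```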
Page 48
keep-dead
Page 49
XerXes
• Th3j35t3r's DoS Tool
• Routed through proxies like Tor to hide the attacker's origin
• No one knows exactly what it does
• Layer 7 DoS?
Page 50
XerXes
Page 51
Link-Local DoS
IPv6 Router Advertisements
Page 52
IPv4: DHCP
PULL process
Client requests an IP
Router provides one
Host → Router: I need an IP
Router → Host: Use this IP
Page 53
IPv6: Router Advertisements
PUSH process
Router announces its presence
Every client on the LAN creates an address and joins the network
Router → Host: JOIN MY NETWORK
Host → Router: Yes, SIR
Page 54
Router Advertisement Packet
Page 55
RA Flood
Page 56
Windows Vulnerability
• It takes a LOT of CPU for Windows to process those Router Advertisements
• 5 packets per second drives the CPU to 100%
• And they are sent to every machine in the LAN (ff02::1 is Link-Local All Nodes Multicast)
• One attacker kills all the Windows machines on a LAN
Page 57
Responsible Disclosure
• Microsoft was alerted by Marc Heuse on July 10, 2010
• Microsoft does not plan to patch this
• Juniper and Cisco devices are also vulnerable
• Cisco has released a patch, Juniper has not
Page 58
Defenses from RA Floods
• Disable IPv6
• Turn off Router Discovery
• Block rogue RAs with a firewall
• Get a switch with RA Guard
Page 59
RA Guard Evasion
• Add "Fragmentation Headers" to the RA Packets
– http://samsclass.info/ipv6/proj/RA-evasion.html
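The RA Flood and RA Guard Evasion slides together make a detection point: a filter that stops at the first extension header misses an RA placed behind a Fragment header. As an added example (not the talk's or samsclass.info's code), this parser walks the whole IPv6 header chain, Fragment headers included, before deciding whether a frame is a Router Advertisement, and then counts RAs per source per second against the slide's 5 packets per second figure. The frames are constructed by build_ra() rather than captured, and the PadN/Fragment layout is the minimal case, not a reproduction of the project's evasion packet.

```python
"""Find ICMPv6 Router Advertisements in raw IPv6 frames (walking any extension
headers, Fragment headers included) and flag senders exceeding a rate.
Constructed example: frames come from build_ra(), not from a capture."""
import ipaddress
import struct
from collections import defaultdict

ICMPV6, FRAGMENT, RA_TYPE, ALL_NODES = 58, 44, 134, ipaddress.IPv6Address("ff02::1")
EXT_WITH_LEN = {0, 43, 60}   # Hop-by-Hop, Routing, Destination Options

def find_ra(pkt: bytes):
    """Return (src, dst) as strings if pkt carries an RA, else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    nxt, off = pkt[6], 40
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    while nxt != ICMPV6:
        if nxt == FRAGMENT:                       # 8 bytes: nxt, res, offset/M, id
            if len(pkt) < off + 8 or struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                return None                       # truncated, or not the first fragment
            nxt, off = pkt[off], off + 8
        elif nxt in EXT_WITH_LEN:                 # length field counts 8-octet units
            if len(pkt) < off + 2:
                return None
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        else:
            return None                           # TCP, UDP, or unknown
    if len(pkt) >= off + 16 and pkt[off] == RA_TYPE and pkt[off + 1] == 0:
        return str(src), str(dst)
    return None

def ra_flood_sources(frames, threshold_per_s=5):
    """frames: iterable of (timestamp_s, bytes). Return {src: peak RAs per second}
    for senders exceeding the threshold to ff02::1 in any one-second bucket."""
    per_sec = defaultdict(int)
    for ts, pkt in frames:
        hit = find_ra(pkt)
        if hit and hit[1] == str(ALL_NODES):
            per_sec[(hit[0], int(ts))] += 1
    peaks = defaultdict(int)
    for (src, _), n in per_sec.items():
        peaks[src] = max(peaks[src], n)
    return {s: n for s, n in peaks.items() if n > threshold_per_s}

def build_ra(src, frag=False, dst_opts=False):
    """Construct a minimal RA to ff02::1, optionally behind extension headers."""
    payload, nxt = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, 1800, 0, 0), ICMPV6
    if frag:       # Fragment header with offset 0, M=0, in front of the ICMPv6 header
        payload, nxt = struct.pack("!BBHI", nxt, 0, 0, 0xBEEF) + payload, FRAGMENT
    if dst_opts:   # Destination Options header holding one 4-byte PadN option
        payload, nxt = bytes([nxt, 0, 1, 4, 0, 0, 0, 0]) + payload, 60
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nxt, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ALL_NODES.packed + payload
```

A legitimate router at one RA per second stays below the threshold; the same parser also ignores later fragments, which carry no ICMPv6 header to inspect.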
Page 60
Fragmentation Headers
Page 61
Defending Websites
Page 62
Attack > Defense
• Right now, your website is only up because
– Not even one person hates you, or
– All the people that hate you are ignorant about network security
Page 63
Defense
• ModSecurity--free open-source defense tool
– Latest version has some protections against Layer 7 DoS
• Akamai has good defense solutions
– Caching
– DNS Redirection
– Javascript second-request trick
Page 64
Load Balancer
Page 65
Counterattacks
• Reflecting attacks back to the command & control server
• Effective against dumb attackers like Anonymous' LOIC
– Will lose effect if they ever learn about Layer 7 DoS, which is happening now
Page 66
CloudFlare