workshop on network security

Upload: narendran-thangarajan

Post on 28-Nov-2014


DESCRIPTION

@skeptic_fx (Ahamed Nafeez) and I conducted a National Level Workshop on Network and Web Security on August 11th, 2010 during our third year BE CSE.

TRANSCRIPT

Page 1: Workshop on Network Security
Page 2: Workshop on Network Security

Are We Secure ?

Page 3: Workshop on Network Security

What should you know about hacking?

• The impact of hacking is much worse than we could possibly imagine.

• A single compromised ID can lead to the devastation of your reputation and even your money.

Page 4: Workshop on Network Security

What if your Gmail account is hacked!!

Page 5: Workshop on Network Security

What if FaceBook??!!

Page 6: Workshop on Network Security

Agenda

• Social Engineering

• ARP Poisoning – MITM

• Injection attacks

• Cross Site Scripting

• Wireless Security

• Cross Site Request Forgery

• Google Hacking

• Linux vs. Microsoft

• The Servers FaceOff

Page 7: Workshop on Network Security

To catch a hacker, we should think like one

• What does a hacker want?

• Why does he want it?

• How does he get it?

Aaha!! Got it

Page 8: Workshop on Network Security

• Use at least eight characters, the more characters the better. (safe from Brute Force attacks)

• Don't use a word found in a dictionary. (Safe from Dictionary attacks)

• Never use the same password twice. (safe for obvious reasons)

• Use a random mixture of characters, upper and lower case, numbers, punctuation, spaces and symbols.

Page 9: Workshop on Network Security

Social Engineering is the first attack of the session

Page 10: Workshop on Network Security

• Psychologically manipulating people into performing some action or giving up confidential information, instead of breaking in or using technical cracking skills.

Page 11: Workshop on Network Security

1. Security Question

• You have 500 Facebook friends who could answer all these questions!!

Page 12: Workshop on Network Security

2. Social Networking

• Vulnerability : Human tendency to share intimate details of human life.

• Though a few sites allow us to set privacy controls on visibility, most of our details are still shared with the applications.

• So any hacker could exploit this to find information about us.

Page 13: Workshop on Network Security

• Cyber attack on Google in December 2009.

• Chinese rebels’ accounts were accessed.

• Led to Google pulling out from China.

• A combination of Social Engineering and Zero-day vulnerabilities in IE6

Page 14: Workshop on Network Security

Protecting yourself

• Be aware that such attacks exist.

Page 15: Workshop on Network Security
Page 16: Workshop on Network Security

DISCLAIMER

• Hacking is Illegal

• This workshop is for Educational Purposes Only

• Only use this stuff on your own websites and your own networks.

Page 17: Workshop on Network Security
Page 18: Workshop on Network Security

ARP Poison Routing (APR)

MAC Address

IP Address

Address Resolution Protocol

Page 19: Workshop on Network Security

ARP Poisoning

• Usually: Victim ↔ Server

• In MITM: Victim ↔ Attacker ↔ Server

• Thus the Attacker becomes the “Man in the Middle” (MITM)

• This is done using ARP poisoning.

Page 20: Workshop on Network Security

Technique - MITM

Page 21: Workshop on Network Security

Counter Measures

• All Your ARP Are Belong To Us!!

• Encryption

• SSL

• Always look out for the SSL lock if you are transferring confidential data.

• Public Key Cryptography

• MD5
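Encryption protects the data in transit, but the poisoning itself can also be spotted on the LAN. The detector below is an added example, not code from the workshop: it walks a constructed list of ARP replies and flags an IP whose MAC binding changes and a single MAC that answers for more than one IP, which is what a man-in-the-middle host does when it impersonates both the gateway and the victim.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on one LAN segment (not captured data):
# (seconds, sender IP, sender MAC). The first MAC seen for an IP is taken as
# its legitimate binding; a later reply binding the same IP to a different MAC
# is the classic poisoning symptom described on the slides.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # gateway
    (0.5, "192.168.1.10", "00:11:22:33:44:0a"),   # victim PC
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),
    (2.0, "192.168.1.1", "de:ad:be:ef:00:01"),    # gateway IP now claims a new MAC
    (2.1, "192.168.1.10", "de:ad:be:ef:00:01"),   # same MAC also claims the victim
]

def detect_arp_poisoning(replies, gateway_ip):
    """Return alert strings for suspicious IP-to-MAC bindings.

    Two checks:
      1. an IP whose MAC binding changes after it was first learned;
      2. one MAC answering for more than one IP, which is what a MITM host
         does when it impersonates the gateway to the victim and vice versa.
    A genuine NIC replacement or DHCP reassignment also trips check 1, so
    alerts are leads for a human, not proof on their own.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"t={ts}: {tag}{ip} moved from {known} to {mac}")
            ip_to_mac[ip] = mac          # track the new binding so flapping shows up too
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"t={ts}: {mac} answers for {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_ARP_REPLIES, "192.168.1.1"):
        print(line)
```

A static ARP entry for the gateway on the client, or dynamic ARP inspection on the switch, is the usual mitigation once such an alert is confirmed.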

Page 22: Workshop on Network Security
Page 23: Workshop on Network Security

PHP - Review

• HTML can only display static content. PHP is used for processing.

• PHP is a server side scripting language.

Page 24: Workshop on Network Security
Page 25: Workshop on Network Security

• Exploiting the weakness present in the code used for validation.

• Technology review:

– PHP

Page 26: Workshop on Network Security

Injection attack

• THUS A SIMPLE TEXTBOX BECOMES A PORTAL TO THE WEBSERVER.

• VULNERABILITY : Input from the user is processed as such by the PHP script in the server.

Page 27: Workshop on Network Security
Page 28: Workshop on Network Security

1. DIRECTORY TRAVERSAL

Directory

File

Page 29: Workshop on Network Security

Traversing Directories in Windows and Linux

– cd .. – takes us to the parent directory

– cd pages – takes us into the directory “pages” in the current directory

– cd ../etc/files – goes back to the parent directory, then enters the “etc” directory and then the “files” directory.

Page 30: Workshop on Network Security

[Diagram: the demo website's directory tree – Index.html, Choose.php, the “Pages” directory, Stunner.html, Pulsar.html, Jive.html and password.txt]

Page 31: Workshop on Network Security

• Apache Tomcat was vulnerable to a directory traversal attack up to version 6.0.18 (fixed July 30, 2010).

• The RAD platform ColdFusion was found vulnerable to the DT technique (fixed August 13th, 2010).

Page 32: Workshop on Network Security

Protection mechanisms

• Allow only the expected inputs.

• For the chosen scenario, make a list of Bike names.
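The bike-list defence above, worked through for the Choose.php scenario. This is an added example rather than the workshop's own code; the document root is hypothetical and the file names are the ones on the directory-tree slide. It shows the naive path construction that lets `../password.txt` escape, the fixed list of bike names the slide recommends, and a containment check for cases where a fixed list is impractical.

```python
import posixpath

# Assumed layout of the workshop's demo site (hypothetical document root; the
# file names are the ones shown on the directory-tree slide).
SITE_ROOT = "/var/www/site"
PAGES_DIR = posixpath.join(SITE_ROOT, "pages")
BIKE_PAGES = {"stunner": "Stunner.html", "pulsar": "Pulsar.html", "jive": "Jive.html"}

def resolve_naive(bike):
    """Vulnerable pattern: the request parameter is appended to the path as-is,
    so '../password.txt' walks up out of the pages directory."""
    return posixpath.normpath(posixpath.join(PAGES_DIR, bike))

def resolve_allowlisted(bike):
    """Defence from the slide: accept only names from the fixed list of bikes.
    Anything else, including every traversal string, maps to None."""
    filename = BIKE_PAGES.get(bike.strip().lower())
    if filename is None:
        return None
    return posixpath.join(PAGES_DIR, filename)

def resolve_contained(bike):
    """Fallback (added here) when a fixed list is impractical: normalise the
    path and refuse anything that does not stay strictly below PAGES_DIR.
    An absolute path such as '/etc/passwd' replaces the prefix in join() and
    is rejected by the same test. Decode URL encoding before calling this,
    and on a real filesystem use os.path.realpath so symlinks cannot point
    outside the directory."""
    candidate = posixpath.normpath(posixpath.join(PAGES_DIR, bike))
    if not candidate.startswith(PAGES_DIR + "/"):
        return None
    return candidate
```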

Page 33: Workshop on Network Security
Page 34: Workshop on Network Security

SQL Injection

Page 35: Workshop on Network Security

A little bit of SQL queries

• With SQL, we can query a database and have a result set returned

SELECT last_name FROM users WHERE user_id = 10;

• Gives a result set like this:

last_name

rahul

Page 36: Workshop on Network Security

What is SQL Injection?

The ability to inject SQL commands into the database engine through an existing application.

Page 37: Workshop on Network Security

How does SQL Injection work?

Comments: # , --

username: ' or 1=1 #

Password: anything

Final query would look like this:

SELECT * FROM users WHERE username = '' or 1=1 #AND password = 'anything'

Page 38: Workshop on Network Security

SQL Injection Defense

• Input Validation

– Reject "select", "insert", "update", "shutdown", "delete", "drop", "--", "#"

• Implement stringent "allow only good" filters

• If the input is supposed to be numeric, use a numeric variable in your script to store it.

• Magic quotes gpc is an awesome inbuilt input filter for PHP .
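The login query from the "How does SQL Injection work?" slide and the keyword filter from the defence slide, both run against a constructed in-memory users table. This is an added example, not the workshop's demo application: it shows the concatenated query accepting the `' or 1=1` payload, the parameterised query treating the same string as a plain username, and the keyword blocklist rejecting a harmless name, which is why binding parameters is the defence to rely on.

```python
import sqlite3

# Constructed stand-in for the workshop's users table (not the original demo app).
def build_users_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, "
                 "password TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(10, "rahul", "s3cret", "rahul"),
                      (11, "admin", "hunter2", "admin")])
    return conn

def login_concatenated(conn, username, password):
    """Vulnerable pattern from the slide: input is pasted into the SQL text.
    SQLite uses '--' for comments where the slide's MySQL example uses '#',
    so the test payload ends in '--' to get the same effect."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]

def login_parameterized(conn, username, password):
    """Fix: bind the values as parameters so the engine never parses them as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password))
    return [row[0] for row in rows]

SLIDE_BLOCKLIST = ("select", "insert", "update", "shutdown", "delete", "drop", "--", "#")

def slide_blocklist_rejects(value):
    """The keyword filter from the defence slide, as a substring match.
    Useful as a tripwire in logs, but it also rejects harmless input."""
    lowered = value.lower()
    return any(word in lowered for word in SLIDE_BLOCKLIST)
```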

Page 39: Workshop on Network Security

Cookies and Sessions

• A cookie (client-side) can keep information in the user's browser until deleted. Used for authentication, site preferences and targeting ads.

• Sessions (server-side) assign each user a unique number, called a session id.

• This session id is stored in a cookie and passed in the URL between pages while the user browses.

Page 40: Workshop on Network Security
Page 41: Workshop on Network Security

XSS

Page 42: Workshop on Network Security

Cross-Site Scripting (XSS)

• What is it?:

The Web Application is used to store, transport, and deliver malicious active content to an unsuspecting user.

• XSS typically results from a web application that takes input from one user and displays it to another user (or set of users).

Page 43: Workshop on Network Security

Ways of Launching Cross-Site Scripting Attacks

Attacker's script must be sent to the victim

o Inter-user communication within the target site (i.e., message board, etc.)

o URL provided on a third-party web site (either clicked on by victim user or automatically loaded when visiting a malicious web site)

o URL embedded in an email or newsgroup posting

Page 44: Workshop on Network Security
Page 45: Workshop on Network Security

Defending XSS

• Remove from user input all characters that are meaningful in scripting languages:

– = < > " ' ( ) ;

– You must do this filtering on the server side

– You cannot do this filtering using Javascript on the client, because the attacker can get around such filtering

• More generally, on the server-side, your application must filter user input to remove:

– Quotes of all kinds (', ", and `)

– Semicolons (;), Asterisks (*), Percents (%), Underscores (_)

• Your best bet – define the characters that are good and needed for the particular input (alphanumeric) and filter everything else out.
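The three approaches on this slide side by side, as an added example (not the workshop's code) run over a constructed message-board post: the character-removal filter, an alphanumeric allow-list for a username field, and, added here as the alternative a practitioner would usually reach for, HTML-escaping at output time, which keeps legitimate text such as an apostrophe intact while the browser still renders it as text rather than markup.

```python
import html
import re

# Constructed message-board post of the kind the slides describe as the XSS
# delivery path (sample input, not real data).
STORED_POST = "Nice bike! <script>alert('xss')</script>"

DANGEROUS = set("=<>\"'();*%_`")

def strip_dangerous_chars(text):
    """The character-removal filter from the slide, applied server side."""
    return "".join(ch for ch in text if ch not in DANGEROUS)

def escape_for_html(text):
    """Alternative (added here): keep the characters but encode them so the
    browser renders them as text instead of markup."""
    return html.escape(text, quote=True)

USERNAME_RE = re.compile(r"[A-Za-z0-9]{1,20}")

def valid_username(name):
    """Allow-list from the last bullet: only alphanumerics for this field."""
    return USERNAME_RE.fullmatch(name) is not None

def render_post(author, body):
    """Build the HTML shown to other users; the username is validated against
    the allow-list and the free-text body is escaped at output time, the point
    where the browser would otherwise execute it."""
    if not valid_username(author):
        raise ValueError("bad username")
    return f"<p><b>{author}</b>: {escape_for_html(body)}</p>"
```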

Page 46: Workshop on Network Security
Page 47: Workshop on Network Security
Page 48: Workshop on Network Security

• The ever changing network scenario..

Page 49: Workshop on Network Security
Page 50: Workshop on Network Security

What’s so special about Wireless networks?

• Use internet anywhere, anytime.

• Save a lot of money.

• No need to carry cables.

• IT IS ALWAYS THERE

Page 51: Workshop on Network Security

The major problem in wireless networks – Plain text packets

• Wireless devices broadcast information.

• Access Anywhere, at the same time ACCESS TO ANYONE!!

Page 52: Workshop on Network Security

Need for Wireless Security

Page 53: Workshop on Network Security

Evolution of Wireless Security

1. Open SSID

2. Hidden SSID

3. WEP

4. WPA

5. WPA2

Page 54: Workshop on Network Security

1. Open SSID

• The SSID (Service Set Identifier) is a name for the wireless network.

• Open SSID – the SSID is broadcast by the access point.

• So it is visible to everyone.

• And so anyone can connect to our network.


Page 55: Workshop on Network Security

2. Hidden SSID

• First layer of security.

• The user should know the name of the SSID to connect to the internet.

• Problem: hidden SSIDs can still be found using packet sniffers.

Page 56: Workshop on Network Security
Page 57: Workshop on Network Security

3. WEP – Wired Equivalent Privacy

• Both the client PC and the Access point share a common key (Shared Key).

• The shared key generates a key-stream using the RC4 algorithm.

• Then the key-stream is XORed with the plain text to create the cipher text.

• The cipher text is sent to the receiver.


Page 58: Workshop on Network Security

Key unchanged → same key-stream every time

• If the shared key used is not changed for every frame transmitted, then the data will be XORed with the same key every time!!

• So we use an Initialization Vector (IV) which changes for every frame sent, making the RC4 key-stream unique for every frame.

Page 59: Workshop on Network Security

WEP Simplified

Page 60: Workshop on Network Security

WEP Vulnerability

• IV changes for each frame transmitted.

• But IV is made up of 24 bits – Therefore only 16 million combinations are possible. So surely the key-stream has to repeat after a while.

• If two cipher text frames using same key-stream are captured, then using statistical analysis the plain text can be found.
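The WEP construction from the last three slides, as an added example (not the workshop's demo): RC4 keyed with the 3-byte IV followed by the shared key, the plaintext XORed with the resulting key-stream, and what two frames under the same IV give away. The key and IV are constructed values; it also adds the birthday estimate of how soon a random 24-bit IV repeats, which is far sooner than the 16 million frames the raw count suggests.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS          # 16,777,216 possible IVs, as the slide says

def rc4_keystream(key, length):
    """Plain RC4 (key scheduling + output generation); enough to reproduce
    the WEP construction on the slides."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(shared_key, iv, plaintext):
    """Per-frame WEP key-stream: RC4 keyed with the 3-byte IV followed by the
    shared key; ciphertext = plaintext XOR key-stream (ICV omitted here).
    Decryption is the same operation, since XOR is its own inverse."""
    assert len(iv) == IV_BITS // 8
    return xor_bytes(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))

def keystream_reuse_leak(shared_key, iv, p1, p2):
    """Two frames under the same IV share a key-stream, so C1 XOR C2 equals
    P1 XOR P2 without knowing the key: this is the starting point for the
    statistical recovery mentioned on the slide."""
    c1 = wep_encrypt(shared_key, iv, p1)
    c2 = wep_encrypt(shared_key, iv, p2)
    return xor_bytes(c1, c2)

def expected_frames_until_iv_repeat():
    """Birthday bound for randomly chosen IVs: about sqrt(pi/2 * N) frames
    before the first repeat, a few thousand rather than 16 million."""
    return math.sqrt(math.pi / 2 * IV_SPACE)
```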

Page 61: Workshop on Network Security

• Searching for Wifi Networks in a moving vehicle.

• Once a Wifi network is found, the place is marked with necessary details to connect to that network. (WAR-CHALKING)

Page 62: Workshop on Network Security
Page 63: Workshop on Network Security

Picture showing availability of an Open SSID network with bandwidth 1.5 Mbps.

Page 64: Workshop on Network Security

Is it not CRUEL?

Page 65: Workshop on Network Security

Cracking the WEP Key

• Interested in knowing how your home wireless network is getting poached?

• Now on to a Live Demo!

Page 66: Workshop on Network Security

So came WPA – Wifi Protected Alliance

• WPA

– TKIP (Temporal Key Integrity Protocol) – Personal

– EAP – Enterprise

• WPA2

– CCMP (Counter mode with Cipher Block Chaining Message Authentication Protocol) – Personal

– EAP – Enterprise

Page 67: Workshop on Network Security
Page 68: Workshop on Network Security

CSRF

Page 69: Workshop on Network Security

CSRF (Cross Site Request Forgery)

• A malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

• XSS exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

Page 70: Workshop on Network Security

Bank Forgery

Page 71: Workshop on Network Security

Social Networks

[Diagram: the victim is logged in at socialnetwork.com; the attacker's post (CSRF code) at blog.net makes the victim's browser send requests such as:]

– Delete certain friends: https://social.com/deletefriends.php?id=66

– Add a person as friend: https://social.com/addfriend.php?id=44

– Change the password: https://social.com/changepass?new_pass=hacked

Page 72: Workshop on Network Security

CSRF Defenses

• Secret Validation Token

• Referer Validation

<input type=hidden value=23a3af01b>

Referer: http://www.facebook.com/home.php
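Both defences from this slide together, as an added example (not the workshop's code): the hidden field is filled with a per-session secret instead of a fixed value, a state-changing request such as changepass is accepted only if the submitted token matches the session's token, and the Referer must carry the site's own origin. The site origin and session store are hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://social.example"   # hypothetical, standing in for social.com

class SessionStore:
    """Minimal server-side session table: session id -> per-session CSRF token."""
    def __init__(self):
        self._tokens = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self._tokens[sid] = secrets.token_hex(16)
        return sid

    def token_for(self, sid):
        return self._tokens.get(sid)

def render_form(store, sid):
    """The hidden field from the slide, filled from the session rather than a constant."""
    return f'<input type="hidden" name="csrf_token" value="{store.token_for(sid)}">'

def referer_ok(headers):
    """Referer validation: the request must originate from our own origin.
    A missing header is treated as a failure here, the strict choice; some
    sites relax this because privacy tools strip the header."""
    ref = headers.get("Referer")
    if not ref:
        return False
    u = urlparse(ref)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN

def accept_state_change(store, sid, form, headers):
    """Accept a state-changing request (e.g. changepass) only if the secret
    token matches the session and the Referer check passes. A forged request
    from blog.net carries the victim's cookie but neither the token nor our
    Referer, so it is refused."""
    expected = store.token_for(sid)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return referer_ok(headers)
```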

Page 73: Workshop on Network Security
Page 74: Workshop on Network Security
Page 75: Workshop on Network Security

• The best search engine.

• Google hacking is not an exact hack. It just makes hacking easy.

• VULNERABILITY: We can Google ANYTHING!!

Page 76: Workshop on Network Security

• Version of the server our website uses.

• Error messages which contain too much information.

• Logon Portals

• Files containing passwords.

Page 77: Workshop on Network Security

1. Google Caches

• Google caches pages whenever its crawler finds a new page on the internet.

• When cached pages are viewed, the IP address of the hacker is not logged by the target system.

Page 78: Workshop on Network Security

2. Download anything from internet

• “parent directory” akon mp3 -xxx -html -htm -php -shtml -opendir -md5 -md5sum

• The above query returns directory listings of all files under ‘Akon MP3’. The rest is “Right click” → “Save Link As”.

Page 79: Workshop on Network Security

3. Get server information

• Google provides information about the server which runs a website, sometimes even passwords.

• Moreover, some error logs on a website can be exploited to find the actual internal implementation of the website.

Page 80: Workshop on Network Security

Secure against Google hacks

• The password file should be saved under a name other than “password.txt”, “Pass.db” or any other obviously guessable name.

• Exceptions should be handled properly.

Page 81: Workshop on Network Security
Page 82: Workshop on Network Security
Page 83: Workshop on Network Security
Page 84: Workshop on Network Security

LINUX vs. MICROSOFT

• Linux has NO open ports by default. But Windows has open ports for Windows File Sharing even if no files are shared.

• Windows is susceptible to NULL session attack on port 139.

• Windows gives the root user the COMPLETE power to rule the PC!!

Page 85: Workshop on Network Security

And that includes me too :P

Page 86: Workshop on Network Security

Are We Secure ?