![Guillermo Román - Análisis de capturas de tráfico de red [rooted2018]](https://cdn.slidesharecdn.com/ss_thumbnails/guillermoroman-180312234859-thumbnail.jpg?width=600&height=600&fit=bounds)
Alfonso Muñoz - Reviving Homograph attacks using (deep learning) steroids [ro...
Die SlideShare-Präsentation wird heruntergeladen.
×
Hier ansehen
Empfohlen
Weitere Verwandte Inhalte
Diashows für Sie (20)
Ähnlich wie Sergio De Los Santos - BREAKING OUT HSTS (AND HPKP) ON FIREFOX, IE/EDGE AND (POSSIBLY) CHROME [rooted2018] (20)
Weitere von RootedCON (20)
Aktuellste (20)
Sergio De Los Santos - BREAKING OUT HSTS (AND HPKP) ON FIREFOX, IE/EDGE AND (POSSIBLY) CHROME [rooted2018]
- 1. 3.03.2018 Breaking Out HSTS (and HPKP) on Firefox, IE/Edge and (possibly) Chrome.
- 2. 22 Innovación y laboratorio
- 3. 33 We all know what TLS is all about… HTTPS / TLS CLEAR TEXT HTTPS://www.example.com/login Username:John/Password:1234 HTTP://www.example.com/login Username:John/Password:1234
- 4. 44 BEAST POODLE CRIME HEARTBLEED
- 5. 55 COMMON ATTACKS SOLUTIONS? SSLSTRIP HTTP STRICT TRANSPORT SECURITY HSTS HPKP HTTP PUBLIC KEY PINNING ROGUE CERTIFICATES
- 6. 66 HSTS - First Time Requests
- 7. 77 HSTS - HTTP Request After HSTS Header Is Set There is not a first HTTP (unsecure) request. SSLStrip has nothing to intercept, IT WON’T WORK.
- 8. 88 HPKP - Certificate Pinning pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256= "RRM1dGqnDFsCJXBTHky16vi1obOlCgFFn/yOhI/y+ho=";
- 9. 99 HPKP - Certificate Pinning
- 10. 1010 Attacking HSTS (and HPKP) Browsers Implementation
- 11. 1111
- 12. 1212 1024 Entries As Maximum The curious thing
- 13. 1313 So… What happens if we try to fill up those 1024 entries with junk entries?
- 14. 1414
- 15. 1515
- 16. 1616 Why not all the entries has been overwritten? FF’s SCORE
- 17. 1717 It is not neccesary to have a MAX score value… some with lower values may be evicted… and, even more… it is just enough to have all but one with a score higher than 0, to leave the table with one practicable slot
- 18. 1818 Junk HSTS entries injection Attack Improvement… Defeating FF’s Score System Junk HSTS entries injection SCORE=0 +1 day SCORE=1 +1 day Junk HSTS entries injection SCORE=2 …
- 19. 1919 Junk HSTS entries injection Attack Improvement… Defeating FF’s Score System Junk HSTS entries injection SCORE=0 Delorean +1 day SCORE=1 Delorean +1 day Junk HSTS entries injection SCORE=2 …
- 20. 2020
- 21. 2121 FF’s Highlights - Cons: • Attack might be a little complex to achieve: MITM + DELOREAN (not for Windows) + HSTS Injection • We need time enough inside the target’s network. (It may be some hours). • Internal Pentests, Hotel… are the best scenarios ;)
- 22. 2222 FF’s Highlights - Pros: H S T S S L O T S REAL ENTRY - SCORE=0 JUNK ENTRY - SCORE=2 JUNK ENTRY - SCORE=2 JUNK ENTRY - SCORE=2 ● With a higher score more chances to remove existent domains ● Even if not removed, table is “shrinked” NEW ENTRY - SCORE=0
- 23. 2323
- 24. 2424
- 25. 2525 No Storage limits The curious thing
- 26. 2626 So… What happens if we try to fill up the database with thousands and thousands of laaaarge junk entries?
- 27. 2727
- 28. 2828
- 29. 2929 Chrome highlights • Attack is very easy to achieve and you can try it in differents ways (WiFi Portal / MITM attack / etc). • Chrome stops working properly in a few minutes. • User is forced to clear browsing data in Chrome and therefore the TransportSecurity file starts over again: HSTS/HPKP broken ;)
- 30. 3030
- 31. 3131
- 32. 3232 The curious thing
- 33. 3333 WINNET.DLL HttpIsHostHstsEnabled CheckHsts() GetHstsEnabled() CheckHstsInternal() SetHstsEntry() IsHostHstsA() GetHstsEntry() UpdateHstsEntry() AddHstsEntry()
- 34. 3434 Landing Issues... CheckHsts() GetHstsEnabled() CheckHstsInternal() SetHstsEntry() IsHostHstsA() AddHstsEntry() IsHostHstsInternal() ConvertURLtoHTTPS() ? SaveEntryToStore() ?
- 35. 3535 CACHE I remember if you have visited the website over https or http...but not because of HSTS itself...
- 36. 3636
- 37. 3737 IE/Edge highlights • Most of websites will not be remembered as webs protected with HSTS, due to problems in the storage process. • Browser cache is the one that remembers if you have entered the website over http or https… but not HSTS itself. • Restarting the browser, the machine or most effectively) clearing the cache, leaves the user without a real HSTS protection.
- 38. 3838 Additional Staff: Mobile • How does this affect mobiles? • If you use IOS (any verson) or Android 4.0... Forget about HPKP… ● ● In Chrome… ● …and Firefox…
- 39. 3939
- 40. 4040
- 41. 4141 Additional Staff: Mobile • How does this affect mobiles? • Easy to eat up all your… ● • Space • Traffic data
- 42. 4242
- 43. 4343 Additional Staff: What about post-exploitation? • We got a new post-exploitation module in Metasploit official repo
- 44. 4444
- 45. 4545 Additional Staff: PIN calculation • Chrome does not respect PINS! • Do not know how this would be used for evil… yet
- 46. 4646
- 47. 4747 Additional Staff: What about incognito?
- 48. 4848 Additional Staff: What about links in the background?
- 49. 4949 Additional Staff: wget
- 50. 5050 Additional Staff: Bad Idea
- 51. 5151 Additional Staff: We tried hard!
- 52. 5252 • Firefox uses its own system with score that allows to: a) evict domains with low score b) practically reduce the database to 1 entry (constantly overwritten) • Chrome allows as many headers as possible, literally and it makes it crash • All attacks may be achieved via MiTM or visiting a website • Both has “minor” problems when parsing headers • IE/Edge does not even work with “not known” domains • We have created tools to a) check your local database (pinpatrol) b) test your database (cloudpinning) d) delete your database (erarser post-exploitation Metasploit module) CONCLUSIONS
- 53. 5353 We can tell there is not a strong bet yet for improving this implementations in browsers... CONCLUSIONS
- 54. 5454
- 55. ¡Síguenos en nuestras redes sociales y entérate de todo! 2016 © Telefónica Digital España, S.L.U. Todos los derechos reservados. La información contenida en el presente documento es propiedad de Telefónica Digital España, S.L.U. (“TDE”) y/o de cualquier otra entidad dentro del Grupo Telefónica o sus licenciantes. TDE y/o cualquier compañía del Grupo Telefónica o los licenciantes de TDE se reservan todos los derechos de propiedad industrial e intelectual (incluida cualquier patente o copyright) que se deriven o recaigan sobre este documento, incluidos los derechos de diseño, producción, reproducción, uso y venta del mismo, salvo en el supuesto de que dichos derechos sean expresamente conferidos a terceros por escrito. La información contenida en el presente documento podrá ser objeto de modificación en cualquier momento sin necesidad de previo aviso. La información contenida en el presente documento no podrá ser ni parcial ni totalmente copiada, distribuida, adaptada o reproducida en ningún soporte sin que medie el previo consentimiento por escrito por parte de TDE. El presente documento tiene como único objetivo servir de soporte a su lector en el uso del producto o servicio descrito en el mismo. El lector se compromete y queda obligado a usar la información contenida en el mismo para su propio uso y no para ningún otro. TDE no será responsable de ninguna pérdida o daño que se derive del uso de la información contenida en el presente documento o de cualquier error u omisión del documento o por el uso incorrecto del servicio o producto. El uso del producto o servicio descrito en el presente documento se regulará de acuerdo con lo establecido en los términos y condiciones aceptados por el usuario del mismo para su uso. TDE y sus marcas (así como cualquier marca perteneciente al Grupo Telefónica) son marcas registradas. TDE y sus filiales se reservan todo los derechos sobre las mismas. www.elevenpaths.com
