%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %% THE MIDGARD MAGICPOINT TEMPLATE %% %% Copyright(c) 1999 Henri Bergius %% %% A template for making MagicPoint presentations for %% Midgard. Originally written for MagicPoint 1.06a %% and the Midgard Workshop in October 1999. %% %% See the Midgard CVS repository for usage examples. %% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% %deffont "standard" tfont "arial.ttf", xfont "helvetica-medium-r" %deffont "thick" tfont "arialbd.ttf", xfont "helvetica-bold-r" %deffont "typewriter" tfont "courbd.ttf", xfont "courier-medium-r" %deffont "code" tfont "courdb.ttf", size 3, fore "green", prefix " " %% %% Default settings per each line numbers. %% %% The page settings: %%default 1 leftfill, size 2, fore "white", back "black", font "thick", bimage "midgard-black-bg.jpg" 1024x768 %default 1 leftfill, size 2, fore "white", back "black", font "thick" %% %% Format the header: %default 2 size 7, vgap 10, prefix " " %% %% Have a bar: %default 3 size 2, bar "brown" 5, vgap 30 %% %% The standard text settings: %default 4 size 5, fore "white", vgap 40, prefix " ", font "standard" %% %% Default settings that are applied to TAB-indented lines. %% %tab 1 size 4, vgap 30, prefix " ", icon box "brown" 30 %tab 2 size 4, vgap 20, prefix " ", icon arc "yellow" 30 %tab 3 size 3, vgap 20, prefix " ", icon delta3 "white" 40 %tab 4 size 3, vgap 20, prefix " ", icon delta3 "white" 40 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page %size 7 The monkey in the middle attacks %center, size 3 against %cont, size 7 SSH %cont, size 3 and %cont, size 7 HTTPS %size 4 %size 6 Monkey In The Middle %cont, size 3 (tm) %cont, size 4 Dug Song %right, size 4 by Denis Ducamp Denis.Ducamp@hsc.fr Denis.Ducamp@groar.org http://www.groar.org/~ducamp/ %left %%image "linux-logo.png" %%xsystem "display -geometry %327x360 linux-logo.png" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Introduction %rcutin dsniff, the tool box %pause Dug Song webmitm sshmitm dsniff Other tools Libraries %rcutin, pause Why does this work ? %pause SSH / HTTPS %rcutin, pause Signs of an attack ? %pause SSH / HTTPS %rcutin, pause How to protect himself ? %pause SSH / HTTPS What doesn't work against sshmitm / webmitm %rcutin, pause Conclusion %pause References / Thanks %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page dsniff, the tool box a collection of tools permitting: to audit a network, to perform penetration testing. two categories of tools: to passively monitoring the network to catch interesting data, to facilitate the interception of network traffic normally non-available to an attacker. great tools to: %cont, font "thick", fore "green" educate users and administrators %cont, fore "white", font "standard" , %cont, font "thick", fore "green" obtain security budgets %cont, fore "white", font "standard" : show his password and his e-mail to your boss %cont, fore "yellow" ;-) %fore "white" But especially %cont, font "thick", fore "red" do not abuse these tools! %fore "white", font "standard" even if they are portable: *BSD, Linux, Solaris, Win32. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Dug Song University of Michigan: Center for Information Technology Integration http://www.citi.umich.edu/ Hacker Personal coordinates: dugsong@monkey.org http://naughty.monkey.org/~dugsong/ Other projects: Check Point FireWall-1 vulnerabilities Patches: popa3d: APOP / Kerberos v4 John the Ripper: S/Key / Kerberos v4 TGT SSH: AFS / Kerberos v4 OpenBSD ports and audits OpenSSH fragrouter The Honeynet Project %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page sshmitm relays and saves SSH traffic redirected by dnsspoof catches SSH access passwords hijacks interactive sessions only version 1 of the protocol is supported and this will ever be the only one to be supported, this program is far too evil already. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page webmitm transparently relays and saves: the HTTP/HTTPS traffic redirected by dnsspoof, catches: webmail accesses: hotmail, etc. form submissions: credit card numbers, etc. even the more "secured" by a SSL encryption! require that the client is HTTP/1.1 compatible: emission of the Host: command in the HTTP header. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page dsniff allows to catch passwords traveling in clear text, or just obfuscated !!! supports more than 30 standardized / proprietary protocols: %font "code" FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase et Microsoft SQL. %font "standard", fore "white" strong items: full TCP/IP reassembly, support of asymmetrical routes, auto-magic protocol detection, storage in a Berkeley DB, HTTP: QUERY_STRING and x-www-form-urlencoded parsing. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Other tools arpspoof, dnsspoof, macof: permit interception of network traffic. filesnarf, mailsnarf, msgsnarf, urlsnarf, webspy: catch interesting informations: files transfered by NFS v2/v3 with UDP/TCP be careful about your private keys, messages transfered by POP/SMTP, IRC/ICQ/AOL/MSN/Yahoo, visited URL: in a CLF log file, live in Netscape. tcpkill, tcpnice: facilitate data catching. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Libraries Many libraries are needed: libpcap - ftp://ftp.ee.lbl.gov/ capture and filter packets on the network libnet - http://www.packetfactory.net/libnet/ generate packets on the network libnids - http://www.packetfactory.net/libnids/ reassemble packets and sessions libdb - http://www.sleepycat.com/ (for non-BSD/Linux systems) saves unique authentications in a database which permits to limit abuses :) but a RPM package is available :( %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Why does this work ? Cryptography in HTTPS and SSH is based on public keys cryptography HTTPS adds trust of public keys certificates Use of these methods is strongly constraining: to be more acceptable, degraded modes are available the client may "blindly" accept the server's key the client may accept that server may have changed his key sshmitm and webmitm use those vulnerabilities thus introduced %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SSHv1 the session key is generated by the client then sent it ciphered with the server's public key he just received attacker just have to use any public / private key pair and wait the client accept to use that public key. password client authentication: sent in "clear text" in the ciphered tunnel RSA client authentication: server sends to client a ciphered challenge with an authorized public key client proves he knows the private key by unciphered the challenge sshmitm imposes authentication by password in sshv1. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SSHv2 the session key is generated by the Diffie-Hellman protocol: the server authenticates by signing a fingerprint of exchanged messages client authentication uses same methods as sshv1 the attack is always possible by a mitm attack against the DH protocol sshmitm doesn't implement sshv2 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page HTTPS The server's key is accompanied by a certificate: this certificate has been signed by a "known" authority, the browser accept the certificate only if intended to the visited site, but the user may accept it. this certificate may be signed by an "unknown" authority, the browser doesn't accept the authority, but the user may accept it. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Signs of an attack ? Signs of the attack are perfectly visible in all the cases: SSH the public key has changed HTTPS the certificate is destined to another server the certificate is signed by an unknown authority %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SSH %font "code" $ ssh -p 2222 groar @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. Please contact your system administrator. Add correct host key in /home/ducamp/.ssh/known_hosts to get rid of this message. %font "standard", fore "white" With an OpenSSH client: %font "code" Password authentication is disabled to avoid trojan horses. Permission denied. %font "standard", fore "white" With a SSH client: %font "code" Agent forwarding is disabled to avoid attacks by corrupted servers. X11 forwarding is disabled to avoid attacks by corrupted servers. Are you sure you want to continue connecting (yes/no)? yes ducamp@groar's password: %font "standard", fore "white" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page HTTPS Bad certificate the certificate doesn't match to the requested domain name, this certificate may have been signed by a known authority. Unknown authority the certificate have been signed by an unknown authority, this certificate may correspond to the asked domain name. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page HTTPS (bad certificate 1/2) This certificate has been get accessing to www.groar.org ... %center %image "https1.jpg" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page HTTPS (bad certificate 2/2) ... whereas it has been generated for sos.groar.org %center %image "https2.jpg" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page HTTPS (unknown authority 1/2) The certificate is signed by an unknown authority... %center %image "https3.jpg" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page HTTPS (unknown authority 2/2) ...and risks of fraud are indicated by Netscape. %center %image "https4.jpg" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page How to protect himself ? Do not use degraded modes always know the key of its interlocutor as a preliminary systematically check the key of the other party immediately stop the connection in the event of anomaly Caution: numerous recommendations %cont, fore "red" aren't serious %cont, fore "white" !!! except for slashdot readers, a quotation of Dug Song: %font "code" argh! it's amazing how silly some people are. Slashdot readers are especially numb-skulled, if their insistence that SSH2 would prevent such attacks is any indication. i'll add compression support when i get a free second. %font "standard", fore "white" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page SSH Before the first connection the client must: recover the server's public key eventually make deposit its public key on the server At each connection the client always must: force a strict check of the server's key mandatory condition for a password authentication %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page What doesn't work against sshmitm hoax #1 : use sshv2 today %cont, fore "green" only the v1 protocol have been implemented %fore "white" in the case of a %cont, fore "yellow" password authentication %cont, fore "white" : sshv2 is %cont, fore "red" as vulnerable as %cont, fore "white" sshv1 private versions have / will be implemented hoax #2 : use compression in ssh today %cont, fore "green" compression haven't been implemented yet %fore "white" which may prevent the attacker to monitor the session and to hijack it but not to catch the password private versions have / will be implemented %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page HTTPS An authority is known only at this single condition: the authority's public key must be entered in the browser. Do not accept keys signed by a known authority, if the key isn't intended to the visited site. Do not accept keys signed by an unknown authority, even if the key is intended to the visited site. even if the authority's name corresponds to a known authority. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page What doesn't work against webmitm hoax #3 : use old browser without the Host: command today %cont, fore "green" needed functionalities haven't been implemented yet %fore "white" this ask for specific code to each platform private versions have / will be implemented %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Conclusion The main problem is user's education: signs of the attack are visible, but their consequences are ignored. Must follow the set up of an organization permitting: distribution of public keys servers' keys to users a web server with signatures of public keys users' keys on accessed servers a mailing-list permitting deposit of keys Thanks to Dug Song for the work he achieved and for the conscientiousness those tools permit. Thanks to Ghislaine Labouret for review %cont, fore "yellow" :) %fore "white" %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page References Original site: http://naughty.monkey.org/~dugsong/dsniff/ FAQ (Frequently Asked Questions): http://naughty.monkey.org/~dugsong/dsniff/faq.html Mailing list: echo subscribe | mail dsniff-request@monkey.org French translation of manuals and FAQ (Frequently Asked Questions): http://www.groar.org/~ducamp/#sec-trad %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %page Thanks for your attention %rcutin, size 7, pause You may ask your questions... %size 4 %rcutin, size 6 and make know your remarks... %size 4 %rcutin, size 3, pause then discretely wake up those sleeping ;-) %size 4 %rcutin, size 5 Bye, bye... %size 4 %right (c) 02/2001 Denis de service %cont, fore "yellow" :) %cont, fore "white" [tm]