Thursday, July 29, 2010

Insecurities of Today's Websites and How to Abate the Risk

Online activities by individuals are growing on a daily basis from social networking, communications by e-mail, shopping, money transferring through third parties, etc.  End-users expect these activities or transactions to be secure through username/password and SSL encryption.  Unfortunately, this is not the case with most popular websites.  I will be demonstrating the insecurities of common websites by intercepting username/password in clear text and at the end of the presentation I will present a solution to prevent you from being a victim  from this type of attack.

Presently, there is a false assumption of online security.  For example, when a user visits facebook.com, the address will display http://www.facebook.com.  The user enters their username/password and clicks "login."  The action of clicking "login" takes users to the encrypted site of facebook.com.  The user can verify this by viewing the address change to https://www.facebook.com.  The added "s" at the end of http stands for "secure" by using SSL/TLS protocol to provide encryption and secure identification.

The issue with this type of design is the initial unencrypted page when the user enters their information.  An attacker can intercept this session before the information is encrypted and sent for verification to Facebook server; afterward, the attacker sends the information to Facebook server for the user to receive the information they have requested.  The user will never know the attack is happening.  The attack is called Man-in-the-Middle (MITM).  In short, the attacker is in between the user's computer and the website's server viewing/recording all communication.


Now, for the demonstration.

Cracking Tutorial

Needed Equipment:

1. A computer to run Backtrack 4 - This is a Linux distribution containing a collection of penetration testing tools.  We will be using Ettercap and SSLStrip.  These tools are included with Backtrack distribution.
  • This link provides detailed instructions on multiple ways to run Backtrack on your computer.
2. A wireless adapter that allows passive packet sniffing and packet injection.  I am using Alfa AWUS036H Wireless Adapter.  The USB connection, good antenna, and ease of use makes the adapter a good choice.

3. A test network lab with two computers - the attacker and the victim - and a router or wireless access point.  I will be using a wireless access point to demonstrate the ease of the attack and the needed security awareness and precautions when accessing open Wi-Fi areas.

Steps:

1.    Boot up Backtrack.  The login is "root" and the password is "toor."  Do not include quotes or the period at the end of toor.  Type "startx" at the next prompt.

2.    Open up a Konsole window.  It is the 3rd icon from the bottom right.

3.    Type /etc/init.d/wicd start

4.    Click the KDE menu / go to Internet / click Wicd Network Manager and connect to the particular network.  Close the window and go back to the Konsole window.

5.    Type clear and hit enter

6.    Type kate /etc/etter.conf


7.    This command will open the file etter.conf in a notepad-type program called Kate.

8.    Scroll down to the "Linux" section and delete the two pound signs under "if you use iptables:."  



9.    Once you have completed the step, save the file and close the window.  The pound signs were used for comments.  In programming, comments are put in for the programmer and not for the program.  Consequently, these two lines of codes would not have run when needed for later in the demonstration.

10.    Go back to the Konsole window and type echo 1 > /proc/sys/net/ipv4/ip_forward


 11.    The command forwards IP (Internet Protocol) communication to our computer.  This allows our Backtrack computer to act as a router and receive communication from our target/victim.  In short, our victim's computer will send all their traffic to our computer instead of the wireless router access point.

12.    Type clear to clear our window.

13.    Type arpspoof -i wlan0 -t 192.168.1.100 192.168.1.1
  • This allows us to send unsolicited ARP responses and let us become any IP address on a local network.
  • -i stands for interface that we are using; which is wlan0.
  • -t stands for target.  Following the option is the target/victim's IP address, which is 192.168.1. 100
  • Following the victim's IP address is the actual wireless router (gateway) IP address that we are becoming and fooling the victim's computer into sending us their traffic.
  • When we hit enter, we start letting the victim know that the gateway IP is our MAC address.  Now, our target is going to be sending their traffic to us instead of the real gateway.
14.    To discover your interface on Backtrack, open a Konsole window and type ifconfig.  Whatever interface has an IP address is the interface that you are utilizing.


15.    My target computer is a Windows machine.  To know the IP address, go to Start and type cmd in the run/search box.  Type ipconfig to know your Ethernet adapter IP address.


16.    You will see the target IP address; as well as, the gateway IP address.

17.    When you type the arpspoof command and hit enter, you should see the following screenshots.


18.    Now, open a new Konsole window or new shell (by going to session/shell) and type iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
  • This command reroutes communication coming from port 80 to port 10000 on our computer.  We are going to be setting up SSLstrip to be listening on port 10000 on our system.

19.    Hit enter and type clear and hit enter to clear screen.

20.    Type, sslstrip -a -k -f
  • -a means to log all SSL and HTTP traffic to and from server
  • -k means kill sessions in progress.  For example, if they were logged into Gmail, Facebook, Paypal, etc., this command would log them out of the site; therefore, they could log back in with their credentials.
  • -f means to put a fake lock on the browser to make it seem the connection is secure.

21.    Hit enter, this will create a sslstrip.log file on your desktop.  This file will log all the traffic from your victim.


22.    Now, open a new Konsole window or shell (by going to session/shell).

23.    Type ettercap -T -q -i wlan0
  • -T means to display text
  • -q means to be quiet and do not display packet contents.  
  • -i means interface that we are using.
  • On the actual Konsole window we are using, the username/passwords will display when the user logs into a website.  This happens instantaneously.  For further details in their Internet usage, you can view the sslstrip.log file on your desktop.

24.    Hit enter and the following screenshot will display


25.    When your target visits a website requiring a username/password, it will automatically be posted onto your screen in clear text.  This is due to the SSL encrypted session being stripped and a phony lock being posted on the browser to make it seem the session is still secure.  The following screen shots displays examples of a SSL session being stripped.  The first one is a secure session by examining there is a "s" at the end of "http" and there is a legit certificate at the right hand side of the address bar.  The second one is a SSL session being stripped by examining there is not a "s" at the end of "http" and by seeing the phony lock at the left hand side of the address bar.  Internet Explorer does not display the lock at the left hand side.  For Mozilla Firefox, they display a green bar or a blue bar depending on the security level at the left hand side of the address bar.


26.    Now, for the intercepting of the target's traffic.  I posted multiple screenshots of different websites that require a username/password.  The last screen shot will display the username/password in clear text.

Username: shbelay / Password: password
Username: shbelay@gmail.com / Password: password
Username: shbelay / Password: password


As you can see, the username/password is in red and the website information I intercepted is in green.  I was able to do this with multiple websites; including, Paypal, Hotmail, and Amazon.  Furthermore, the "sslstrip.log" file will log your entire browsing session.  This possibly will be able to log personal identifiable information and credit card numbers.

How to Protect Yourself

Protecting yourself online from these type of attacks is as simple as typing "https://" before the website address to ensure that you are on a secure website.  The issue presently is websites put their username/password boxes on an unsecured website.  For example when you enter the following addresses: amazon.com; facebook.com; ebay.com; paypal.com; etc., you will receive an "http" site.

Of course, no one wants to type "https" every time they logon to a website.  An easy substitution for this task is to install a Mozilla Firefox add-on called HTTPS Everywhere.  Unfortunately, Internet Explorer does not have this capability.  As a result, I recommend using Mozilla Firefox for this issue, unless you are willing to type "https://" every time in Internet Explorer.

I installed this add-on and was unable to strip the SSL connection.  I received the following screenshots when viewing the following websites:


The browser is informing me that it cannot verify the certificate of the website's server and to exit or enter at your own risk.  As always, I will mention that there is not a computer or network that is completely secure.  The intention is to become more secure than the next computer/network or make it as difficult to break into the security barriers.

No comments:

Post a Comment