Full Transcript

SSL/TLS Strip

When you type a URL like www.shop.com without http or https, your browser often redirects you to the secure version, https://www.shop.com. An attacker sits in the middle (MITM, Man In The Middle). When you connect via http, the attacker intercepts this request. Instead of letting the site redirect you to https, the attacker sends back the http version of the site. Your connection to the attacker remains http, while the attacker's connection to the actual site is HTTPS. You think you're securely connected (since you're seeing the real website), but your data is actually going through the attacker unencrypted. The attacker relays the real site this way to avoid raising suspicion: the (captured) queries from the client are forwarded to the server through the TLS channel between the attacker and the server (on that leg the queries are encrypted), and the attacker decrypts the encrypted responses from the server and relays the decrypted results (answers) to the client.

Prevention: type the full https link. HSTS (HTTP Strict Transport Security) instructs the browser that shop.com should always be HTTPS.

What is the benefit to the attacker of maintaining the http connection? The attacker can capture all data from the client, since it is not encrypted.

The first time someone visits a website (http://site), the browser might not yet know to redirect to the secure version (https://site). This makes the first visit vulnerable to an SSL strip attack. Solution: some browsers have a built-in list of websites that should always use https, even on the first visit, to prevent this issue.

DNS: How DNS works

DNS is used for translating hostnames into IP addresses and vice versa. DNS uses a hierarchical naming scheme: queries work in a top-down manner, beginning at the top of the DNS tree and working their way down (Root -> TLD -> Authoritative).
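Before the DNS material continues, an added Python example (not from the original notes) modelling the browser-side HSTS behaviour described above: a host that is neither in the built-in list nor remembered from an earlier HTTPS response is requested over plain http on the first visit, which is the window SSL strip needs. Hosts, header values and the built-in list are constructed; the real preload list ships with the browser.

```python
"""Toy model of browser-side HSTS state, for the SSL strip / HSTS notes above.
Decides whether a host typed without a scheme goes out as http or https.
Added example, not from the original notes; hosts and the list are constructed."""
import re

# Constructed stand-in for the browser's built-in HSTS preload list. Real preload
# entries require includeSubDomains, so a preloaded host covers its subdomains here too.
PRELOAD = {"preloaded-bank.example"}

# host -> (expiry time, include_subdomains), learned from HTTPS responses only
hsts_store = {}

def parse_hsts(value):
    """Return (max_age, include_subdomains) from a Strict-Transport-Security value."""
    directives = [d.strip().lower() for d in value.split(";")]
    max_age = None
    for d in directives:
        m = re.fullmatch(r'max-age="?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    return max_age, "includesubdomains" in directives

def record_response(host, headers, now, over_https):
    """Update HSTS state from one response. RFC 6797 has the browser ignore the header
    on plain http, so an SSL-stripping attacker cannot plant or clear HSTS state."""
    value = headers.get("Strict-Transport-Security")
    if not over_https or value is None:
        return
    max_age, include_subs = parse_hsts(value)
    if max_age is None:
        return                        # malformed header: state unchanged
    if max_age == 0:
        hsts_store.pop(host, None)    # max-age=0 tells the browser to forget the host
    else:
        hsts_store[host] = (now + max_age, include_subs)

def scheme_for(typed_host, now):
    """Scheme the browser uses when the user types `typed_host` with no scheme."""
    labels = typed_host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PRELOAD:
            return "https"            # known on the very first visit
        entry = hsts_store.get(candidate)
        if entry and entry[0] > now and (i == 0 or entry[1]):
            return "https"            # remembered from an earlier HTTPS response
    # Unknown host: the first request is plain http, the window SSL strip relies on.
    return "http"
```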
Normally, if a DNS server does not know a requested translation, it asks another DNS server, and the process continues recursively. To increase performance, a DNS server typically remembers these translations for a certain amount of time in its cached DNS records. This means that if it receives another request for the same translation, it can reply without asking any other server until that record expires.

A record: stores the IP address of the server directly.
store.example.com -> 68.50.147.198

CNAME record: an alias (nickname) points to the canonical name (official name). This is useful when a domain has other subdomains for different services, like ftp, running on the same IP address.
store.example.com -> example.com
example.com -> 68.50.147.198

An A record lookup returns the IP address in one go, but a CNAME lookup first resolves the alias, then follows the A record of the canonical name to get the IP.

DNS cache poisoning / DNS poisoning (DNS spoofing)

The attacker breaks into a local DNS server and modifies a DNS record so that it returns an incorrect IP address, diverting traffic to another computer. Here we say the DNS record is poisoned. The modified record gives the victim a false translation of the hostname.

DNS poisoning with MITM

A MITM attacker captures a DNS response from the DNS server and replaces it with a modified one, so that the response forces the victim to visit the attacker's server.
1) User request: you type www.mybank.com into your browser.
2) DNS query: your computer sends a DNS query to find the IP address of www.mybank.com.
3) MITM interception: an attacker intercepts this DNS query using a MITM attack.
4) Fake DNS response: the attacker sends back a spoofed DNS response with a fake IP address pointing to their malicious server instead of the real IP address of www.mybank.com.
5) User redirected: your browser receives the fake DNS response and unknowingly directs you to the attacker's server.
6) Phishing site: the attacker's server hosts a website that looks exactly like www.mybank.com.
7) Credential theft: you enter your login credentials on the fake site, and the attacker captures this information.

Subdomain takeover

The process of registering a non-existing domain name to gain control over another domain.
1) Assume that the attacker targets ethicalhacking.com.
2) The attacker finds that code.ethicalhacking.com uses a CNAME record to refer to a third-party service domain, e.g., ethicalhacking.github.io: code.ethicalhacking.com -> ethicalhacking.github.io.
3) The ethicalhacking.com admin decides to delete the GitHub account associated with ethicalhacking.github.io.
4) The problem: if the CNAME record is not deleted from ethicalhacking.com's DNS server, an attacker who creates a new GitHub account with ethicalhacking.github.io will have full control over code.ethicalhacking.com.

DNS Tunnelling

An attacker's malware on the victim's machine wants to transfer data from it to the attacker's server. If the attacker used FTP, for example, the transfer would be detected by the victim's firewall. Instead, the attacker acquires a domain such as attacker.com and runs a DNS server for it. The malware on the victim's machine makes DNS queries of the form <data>.attacker.com, where <data> is the data the attacker wants to exfiltrate. If the query reaches the attacker's DNS server, a DNS response is sent back to the victim's machine. If you want to send the data "hello" via DNS, you might encode it as hello.attacker.com. The attacker's DNS server for attacker.com receives this query and logs the request, capturing the encoded data.

DNS flood attack

A DNS flood attack is a type of Distributed Denial of Service (DDoS) attack that targets DNS servers by overwhelming them with a large volume of DNS queries. The attacker typically uses a network of compromised devices (bots) to generate the large number of DNS requests.
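As an added example (not part of the original notes), defender-side Python that scores a resolver query log for the tunnelling pattern described above: many distinct, long, high-entropy labels under one domain. The log lines, the domain attacker.example and the thresholds are constructed for illustration; grouping by the last two labels stands in for a public-suffix-list lookup.

```python
"""Heuristic detection of the DNS tunnelling pattern in the notes above: many distinct,
long, high-entropy labels under one domain. Added example, not from the original notes;
the resolver log is constructed and the thresholds are illustrative starting points."""
import base64, math
from collections import defaultdict

def b32_label(data):
    """Encode a chunk as a DNS label (used only to build the constructed sample log)."""
    return base64.b32encode(data).decode().rstrip("=").lower()

# Constructed resolver log lines: "<client-ip> <qtype> <qname>"
SAMPLE_LOG = [
    "10.0.0.5 A www.example.com",
    "10.0.0.5 A mail.example.com",
    "10.0.0.7 A www.example.com",
    "10.0.0.7 A cdn.example.com",
    "10.0.0.7 A api.example.com",
] + [f"10.0.0.9 A {b32_label(chunk)}.attacker.example"
     for chunk in (b"hello world", b"report-q3.pdf", b"row 42: alice", b"row 43: bob")]

def shannon_entropy(s):
    """Bits per character of a label; encoded data scores far above www/mail/cdn."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def analyse(log_lines, min_distinct=4, min_len=16, min_entropy=3.0):
    """Group queries by their last two labels (a stand-in for the registrable domain;
    production code should use the public suffix list) and score each group."""
    groups = defaultdict(list)
    for line in log_lines:
        labels = line.split()[2].lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue                      # nothing in front of the domain to carry data
        groups[".".join(labels[-2:])].append(labels[0])
    report = {}
    for domain, first_labels in groups.items():
        distinct = set(first_labels)
        mean_len = sum(map(len, distinct)) / len(distinct)
        mean_ent = sum(map(shannon_entropy, distinct)) / len(distinct)
        report[domain] = {
            "distinct_labels": len(distinct),
            "mean_label_len": round(mean_len, 2),
            "mean_entropy": round(mean_ent, 2),
            "flagged": len(distinct) >= min_distinct and mean_len >= min_len and mean_ent >= min_entropy,
        }
    return report

def flagged_domains(log_lines):
    return sorted(d for d, r in analyse(log_lines).items() if r["flagged"])
```

A real deployment would add per-client query rates and TXT/NULL record usage to the score; the point here is that the label statistics alone already separate the constructed tunnel from ordinary traffic.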
-----

End-to-end encryption

End-to-end encryption can be an effective solution against eavesdropping using MITM attacks. Even if all the data transmitted between the server and the target is captured, the attacker still cannot decrypt it. In end-to-end encryption, the secret parameters are not delivered in the traffic in plaintext. In (EC)DH(E), the attacker can read g^a and g^b. Note that it is very hard to compute a or b from g^a and g^b due to the discrete logarithm problem. However, insecure settings enable the attacker to compromise the privacy of the target.

MITM

1) User request: you try to visit www.bank.com by typing it into your browser.
2) DNS lookup: normally, your computer asks a DNS server to translate www.bank.com into its IP address.
3) Attacker intercepts: an attacker has compromised the DNS server or is performing a Man-In-The-Middle attack.
4) Fake response: instead of the real IP address of www.bank.com, the attacker sends the IP address of a malicious site that looks exactly like www.bank.com.
5) User redirected: your browser goes to the fake site, thinking it's the real www.bank.com.
6) Data theft: you enter your login credentials on the fake site, and the attacker captures this sensitive information.

DNS amplification attack

1) The attacker gets the victim's IP address.
2) The attacker finds a DNS server with lots of data.
3) The attacker sends fake DNS requests to this server, pretending to be the victim.
4) The DNS server sends huge responses back to the victim's IP.
5) The victim's system is overwhelmed by the flood of data and crashes.

Network Address Translation (NAT)

NAT is designed for IP address conservation. It enables private IP networks that use unregistered IP addresses to connect to the Internet. NAT operates on a router, usually connecting two networks together, and translates the private (not globally unique) addresses in the internal network into legal addresses before packets are forwarded to another network.

The VM (Kali) cannot access other VMs through a NAT interface. The VM (Kali) can access other VMs that use the same NAT Network interface.
