RSenic RSenic@hackphreak.org
�Hacker Jokes (low quality)
Hackers do it through the backdoor. Hackers exploit all your holes. Hackers always want to play with your box. Hackers probe all your ports. Hackers always scan you first. Hackers can finger you all night.
�Thesis
Htaccess can be a robust solution
one time passwords
token based authentication SSL/browser encryption
Htaccess is insecure and can inadvertently cause DoS attacks
�What is Htaccess?
Auth-Type Basic password protection Pop-up Box integrated into browsers Out of the box Apache directory protection
Insecure against sniffing (dsniff) Insecure against brute force attacks (wwwhack/whisker) Can cause DoS attacks by simple brute force attacks
�Configuring Htaccess
AllowOverride All
typical .htaccess file:
AuthUserFile /apache/data/.htpasswd AuthType Basic AuthName “Protected” require valid-user
�Detecting (signature overview)
Zombied Processes / Spiked load Gracefully restarting does not help load hard (apachectl stop) stop and start improves load many attempts from the same IP address (range) to access members area Sequential username attempts
�Cracking Methodology
Check for 200 OK return headers Pattern match “Welcome” or “Please log in again” embedded in returned html
�Headers Masking
First tried returning 401 Error
“Status 401 Authorization
Required\nContent-Type: text/html\n\n” IE/Netscape act differently with 401 errors
○ Browser detection is useless
�Headers Masking 2
Next tried 200 OK
“Status 200 OK\nContent-Type:
text/html\n\n” Results in no Pop-up window
○ Only modifying URI can pass
username/passwords: ○ http://user:pass@www.site.com/private/
Modified approach using form submission
works in coordination with a client side token that corresponds with a local database entry.
�Headers Masking 3
Now we need a program to run interference between normal .htaccess scripts and the database.
mod_auth_external mod_PERL Proxy
�Content Masking
�Content Masking 2
Since the user has not been authenticated if the user attempts to see /private/index.cgi they will be redirected to /401.cgi but URI will still say /private/index.cgi. ErrorDocument 401 /401.cgi
401.cgi places a “one time try” token cookie
mainframe.html (non authenticated version) contains login form submission.
�Logic Flow
�Why the cookie?
You need a token (AOL, proxies, etc…) Extremely difficult to guess (based on time) No more sending sensitive information over and over again. cookie will time out, unlike usernames/passwords. Used with OTPW, even problems in SSL are a non-issue.
�Content Masking 3
Using frames our index.cgi and 401.cgi page look identical (including cookies) Working towards 100% perfection to prevent recursive cracking programs is inefficient and opens another security hole.
Ascii hex &20; = “ “ &41 = “a” (randomize) including mainframe.html in comments multimedia headers mismatch problem
�Worst Case
As many as 10 connections or more opening per second, without cleanly shutting-down
20 different proxy servers 60k hits normal traffic (heavy day)
Can you find out who the original host is?
Nope and not like that would help you, they
are using a proxy server, duh!
�Morris’ Attack
Robert T. Morris 1985 attack against the ISN. “A Weakness in the 4.2BST UNIX TCP/IP Software” If the return address in the initial SYN packet is spoofed, we don’t see it, but we can guess it.
Blind (half-duplex) httpd connection can be
used to break IP based authentication.
�Blocking
Two choices
mod_PERL/Apache mod to deny access from
that IP (or “reinstate your password” page):
○ Mod_PERL has issues regarding IPC ○ if speed is a concern and fast-CGI will not work,
mod_PERL will probably be equally problematic.
Connect mod_auth_external to ipchains or
hardware firewall
○ could be used to create DoS without human logic
�Alternatives
Auth-Type Digest
essentially based off hash of user/pass
combination + one time pad considered computationally unbreakable 2^128 will not stop brute force attempts, and has the same problems with additional overhead that Auth-Type Basic has No one has written such a tool
�Alternatives 2
Proxy server
Will work with any webserver and not just
Apache (Windows/Mac/Solaris, etc…) Could easily be integrated into existing IDS or Firewall architecture Highly theoretical must have a que from the webserver when/where to interfere with connection.
�Conclusion
Without much effort htaccess can be a robust solution. Knowing the symptoms of the attack can only help you.
Aware of the risks
You will know your own reaction strategy
�Thanks!
RLoxley, Teeceep and Peter Shipley - idea bouncing Ali Nazar - proofing Ethan Brooks, Goose, Vacuum, Bronc Buster, John Stewart, Tattooman - technical help Robert Morris - taking impromptu phone calls :)
�Links
www.shocking.com/~rsnake/htaccess.html (the paper in entirety along with links to resources and more details can be found on this site)
�