SlideShare una empresa de Scribd logo

SSL Checklist for Pentesters (BSides MCR 2014)

J
Jerome Smith

This document provides a summary of checks that a pentester should perform when evaluating the security of SSL/TLS implementations. It discusses checking for support of outdated and insecure protocols like SSLv2 and SSLv3. It also recommends validating support for newer, more secure versions like TLSv1.1 and TLSv1.2. The document outlines steps to check for vulnerabilities like Heartbleed, BEAST, and CRIME. It also provides guidance on evaluating certificate validity, cipher suites, and renegotiation support. Web application considerations like mixed content and HTTP Strict Transport Security are also covered at a high level. The presenter provides these checks and recommendations from the perspective of a pentester to identify potential issues to consider reporting

TecnologíaEducación
1 de 31
SSL Checklist for Pentesters Jerome Smith BSides MCR, 27th June 2014
whoami • Pentester • Author/trainer – Hands-on technical – Web application, infrastructure, wireless security • Security projects – Log correlation – Dirty data – Incident response exercises • Sysadmin • MSc Computing Science (Dist) • www.exploresecurity.com | @exploresecurity # whoami jerome
Introduction • Broad review of SSL/TLS checks – Viewpoint of pentester – Pitfalls – Manually replicating what tools do (unless you told the client that SSL Labs would be testing them ) – Issues to consider reporting (but views are my own) • While SSL issues are generally low in priority, it’s nice to get them right! • I’m not a cryptographer: this is all best efforts
SSLv2 • Flawed, e.g. no handshake protection → MITM downgrade • Modern browsers do not support SSLv2 anyway – Except for IE but it’s disabled by default from IE7 – That mitigates the risk these days – http://en.wikipedia.org/wiki/Transport_Layer_Security#W eb_browsers • OpenSSL 1.0.0+ doesn’t support it – Which means SSLscan won’t find it – General point: tools that dynamically link to an underlying SSL library in the OS can be limited by what that library supports
SSLv2 • Same scan on different OpenSSL versions:
SSLv2 • testssl.sh warns you – It can work with any installed OpenSSL version • OpenSSL <1.0.0 s_client -ssl2 switch – More on this later • Recompile OpenSSL – http://blog.opensecurityresearch.com/2013/05/fixing-sslv2-support- in-kali-linux.html • SSLyze 0.7+ is statically linked – Watch out for bug https://github.com/iSECPartners/sslyze/issues/73
SSLv3 • SSLv3 RFC is in fact “historical” – TLS began in 1999 as the standardised version of SSL – The SSL protocol hasn’t been updated since 1996 • We really shouldn’t be running it – Everything supports TLSv1.0 by default – Oh, except IE6 – Should we take the lead and begin to flag it in pentests as obsolete?
TLSv1.1 & v1.2 • We really should be running it – They’ve been around since 2006 and 2008 respectively • Latest versions of browsers support them (platform dependent) – http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_br owsers – http://en.wikipedia.org/wiki/Comparison_of_TLS_implementati ons • Check support – and report their absence? – Missing out on more robust design and better ciphers – Again, trying to push in the right direction • SSLscan isn’t designed to check for these versions – openssl s_client -tls1_1 or -tls1_2 switch (from v1.0.1)
TLSv1.1 & v1.2 • Not immune • While the protocol handshake is protected, browsers have fall-back mechanisms or performance tricks (e.g. False Start) that could be abused – To be fair, Google later abandoned False Start – http://blog.cryptographyengineering.com/2012/04/so-long- false-start-we-hardly-knew-ya.html • A MITM attacker could trigger a protocol downgrade – Possibly all the way down to SSLv3 – https://www.imperialviolet.org/2013/10/07/chacha20.html – http://www.carbonwind.net/blog/post/Random-SSLTLS- 101%E2%80%93SSLTLS-version-rollbacks-and-browsers.aspx • But benefits far outweigh this annoyance
Renegotiation Checks • Insecure renegotiation flaw CVE-2009-3555 • Both insecure and secure renegotiation may be supported – Especially if multiple servers are behind the hostname • Manual check openssl s_client –connect site:port HEAD / HTTP/1.0 R – If no error, renegotiation is supported: whether it’s insecure or secure will depend on the OpenSSL version – Add a final CRLF to prove the request completes • OpenSSL 0.9.8m+ won’t renegotiate insecurely – Conversely v0.9.8k and older won’t renegotiate securely – So how can BT5R3’s OpenSSL 0.9.8k state this?: »
OpenSSL • It’s useful to have an older OpenSSL around – But you don’t want it to clash with your main version • Download e.g. https://www.openssl.org/source/openssl- 0.9.8k.tar.gz to /tools • Run cd /tools tar -xzf openssl-0.9.8k.tar.gz cd openssl-0.9.8k ./config --prefix=/tools/openssl-0.9.8k -- openssldir=/tools/openssl-0.9.8k make
Renegotiation Checks • Client-initiated renegotiation – Wholly different issue to secure vs insecure – Potential DoS attack • http://www.thc.org/thc-ssl-dos/ • Although renegotiation isn’t a prerequisite, it helps – If client-initiated renegotiation is disabled, insecure renegotiation is not exploitable • So clients may do this to “fix” CVE-2009-3555 – Only really needed for client certificate authentication • So what does it mean if renegotiation works? – <= 0.9.8k >= 0.9.8m Insecure Yes No Client-initiated Yes Yes
Certificate Checks Public key size • <1,024-bit – vulnerable (ish) – RSA-768 was factored • http://www.emc.com/emc-plus/rsa-labs/historical/the-rsa-challenge- numbers.htm – 512-bit Google key cracked to spoof email • “72 hours using Amazon Web Services for £47” • http://www.wired.co.uk/news/archive/2012-10/25/google-email • 1,024-bit – upgrade to 2,048-bit – Any larger increases overhead with no real security benefit (yet) Valid certificate chain • Note that different browsers hold different sets of root CAs • Tip: don’t report “the certificate was signed by an untrusted root CA PortSwigger” 
Certificate Checks Expiry date • Warn of imminent expiry Signature • Hashed using MD5 (certificate spoofing 2008) Revocation • Does the certificate hold CRL/OCSP (AIA) fields? –
Certificate Checks Revocation (cont) • Are those fields valid? – Is your browser checking them? – Chrome doesn’t by default → – Does it fail open? – Revocation check for a pentest requires hard fail – Firefox Tools | Options | Advanced | Certificates – Ah, but what about the full certificate chain?
Certificate Checks Certificate Subject • Valid for all resource requests? – Users often miss off www – is the certificate still valid? • Wildcard certificate – *.domain.com not valid for https://domain.com – Encourages more widespread use of powerful certificate – Provides SSL confidence to links exploiting other flaws (especially if wildcard DNS enabled) • Subject Alternative Names – Can be used for other domains, not just the host’s – Some tools may not check this field correctly → false positive “certificate name does not match hostname”
Cipher Suites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA protocol asymmetric (public key) crypto symmetric cipher with key size hash algorithm for message authentication key agreement authentication NB: OpenSSL cipher suite names differ from RFCs – e.g. “RC4-MD5” vs “TLS_RSA_WITH_RC4_128_MD5”
Cipher Suites • <128-bit keys can be brute-forced (ish) – Not trivial: decent hardware < 1 day for DES • e.g. RIVYERA S3-5000 • http://www.voltage.com/blog/crypto/rivyera-from-sciengines/ – 3DES provides an effective key strength of 112 bits • http://csrc.nist.gov/publications/nistpubs/800-57/sp800- 57_part1_rev3_general.pdf • And it’s relatively slow • Less likely to see: – Anonymous Diffie-Hellman (lacks authentication) – NULL cipher suites (lacks encryption) – “Export” ciphers (unlike with beer, this label is bad) – Unlikely to be supported by browser anyway
Cipher Suites • Server preference – Client sends list of cipher suites in order of preference – Server will choose the first one it supports unless it has a preference • openssl s_client -cipher switch – Pick specific cipher suites (sent in order) or groups – man ciphers or https://testssl.sh/openssl-rfc.mappping.html – Replicate server preference check by switching order of ciphers • (Perfect) Forward secrecy – Without it, private key compromise means previous traffic can be read – Look for “ephemeral” in the key agreement part, e.g. DHE, ECDHE – Adds a cost (ECDHE is faster than DHE) • Latest cipher suites – require TLSv1.2 – AES-GCM (slow), ChaCha20/Poly1305 (new) – https://www.imperialviolet.org/2013/10/07/chacha20.html
RC4 • First bytes of ciphertext are cryptographically weak • http://www.isg.rhul.ac.uk/tls/RC4biases.pdf – To attack cookies, it would take 2,000 hours (short of 3 months) – “It would be incorrect to describe the attacks as being a practical threat to TLS…today” (my emphasis) • “Attacks always get better, they never get worse” – Sensible to phase out RC4 ciphers – Even Microsoft has done it with KB2868725 • IETF draft advisory – http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02 – “TLS clients MUST NOT include RC4 cipher suites” – “TLS servers MUST NOT select an RC4 cipher suite”
Revealing SSL/TLS • Most of the handshake is in clear text • To decrypt traffic in Wireshark, run with OpenSSL: – Create text file: RSA Session-ID:<Session-ID> Master-Key:<Master-Key> – The NSS SSL/TLS stack (Chrome & Firefox) can auto-create this file: set the environment variable SSLKEYLOGFILE to the path of a text file • Wireshark – Edit | Preferences | Protocols | SSL – Set “(Pre-)Master-Secret log filename” to file above
• Wireshark SSL preferences – Everything you (n)ever wished to know – “Records” are a sub-layer – and if you see a starting record of data that’s empty or has one byte, that’s because of... Revealing SSL/TLS
BEAST • A client-side attack but it’s nice to help your users – TLS 1.0 or less with block ciphers in CBC mode = vulnerable server • All recent major browsers have a patch – Apple finally woke up in Nov 2013 – But not every user will be running the latest version • TLSv1.1 and v1.2 aren’t vulnerable to BEAST – But recall browser downgrade attack • Alternative is to prefer RC4 – But we’ve said not to use it! – RC4 flaws are systemic: BEAST attack surface will diminish • So should we let it go now? – Confusing for client to have both RC4 and BEAST reported? – https://community.qualys.com/blogs/securitylabs/2013/09/10/is- beast-still-a-threat
CRIME • Targets SSL compression (again, client-side attack) – Only Chrome really supported it, it’s now disabled – So it’s unlikely to be exploitable • Check for compression on server with OpenSSL – Don’t rely on “Compression: NONE” message until you’ve checked your OpenSSL version supports compression – Look at Client Hello: – To enable, build with ./config zlib zlib-dynamic
CRIME • SPDY uses compression to “make the web faster” – It sits between HTTP and TLS: it’s similarly vulnerable – BREACH: HTTP has native compression – same issue • openssl s_client -nextprotoneg NULL – Connection will fail but look at Server Hello: – Future TLS extension “Application Layer Protocol Negotiation”
Heartbleed • OpenSSL 1.0.1 - 1.0.1f (and 1.0.2-beta1) • PoC and first-gen tools raced out – Testing could lead to compromise of sensitive data and/or potentially crash the service – https://blog.mozilla.org/security/2014/04/12/testing-for-heartbleed- vulnerability-without-exploiting-the-server/ • Vulnerability analysis vs pentesting – More prone to false negatives • Easy to check if Heartbeat enabled – Connect using OpenSSL 1.0.1+ with s_client –tlsextdebug –
Heartbleed • Obviously openssl s_client can’t be used to test • Tools – heartbleeder from Titanous – MDSec’s heartbleed -s <target> -p 443 -f out -t 0 – Metasploit • Core openssl_heartbleed module is greedy even using “check” • Try the module from the previous Mozilla article – HP iLO/iLO2 products locked up (not vulnerable anyway!) • Nice GUI tool from CrowdStrike (aggressive)
Change Cipher Spec (CCS) • CVE-2014-0224 MITM attack to force weak keys • Only exploitable if: – Server uses OpenSSL <1.0.1h – Client uses OpenSSL <1.0.1h, <1.0.0m, <0.9.8za • So that’s only Android as far as browsers are concerned • Tools – Metasploit openssl_ccs module – ./testssl.sh --ccs –
Web Applications • Mixed secure and non-secure content – Read session cookies, data etc. – Edit non-secure resources, e.g. JavaScript – Browser errors reduce confidence – or may refuse to load content • Cacheable HTTPS – Non-sensitive content marked as “public” improves performance – Check for pages with sensitive data Pragma: no-cache Cache-Control: no-store, no-cache – http://palizine.plynt.com/issues/2008Jul/cache-control-attributes/
Web Applications • Sensitive cookies secure (but site must expect this…) • Redirect back to HTTP following HTTPS • Login over HTTPS but HTTP pre-auth session cookie re-used • HTTP Strict Transport Security (HSTS) – a safety net – Convert all insecure links to secure ones (blocks SSLstrip) – Ensures SSL cert warnings cannot be ignored and access blocked – Set by a response header Strict-Transport-Security – Supported by recent browser versions (oh, except IE) – If a site is fully HTTPS (and is likely to remain so), why not use it? – https://www.leviathansecurity.com/blog/the-double-edged- sword-of-hsts-persistence-and-privacy/ – a fun privacy/tracking issue abusing HSTS
20: Finished Questions? www.exploresecurity.com | @exploresecurity

Recomendados

CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Tarea 4 lamas_sanchez_ariana_413_6to_ciclo_unmsm_2020-2
Tarea 4 lamas_sanchez_ariana_413_6to_ciclo_unmsm_2020-2Tarea 4 lamas_sanchez_ariana_413_6to_ciclo_unmsm_2020-2
Tarea 4 lamas_sanchez_ariana_413_6to_ciclo_unmsm_2020-2NICOLLEELIZABETHGAMA
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
Password hacking
Password hackingPassword hacking
Password hackingAbhay pal
 

Recomendados

CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationA8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Tarea 4 lamas_sanchez_ariana_413_6to_ciclo_unmsm_2020-2
Tarea 4 lamas_sanchez_ariana_413_6to_ciclo_unmsm_2020-2Tarea 4 lamas_sanchez_ariana_413_6to_ciclo_unmsm_2020-2
Tarea 4 lamas_sanchez_ariana_413_6to_ciclo_unmsm_2020-2NICOLLEELIZABETHGAMA
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssln|u - The Open Security Community
 
Password hacking
Password hackingPassword hacking
Password hackingAbhay pal
 
Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTshiriskumar
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicSam Bowne
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basicsn|u - The Open Security Community
 
Nia
NiaNia
Niambarbosao2012
 
Single Sign-On Best Practices
Single Sign-On Best PracticesSingle Sign-On Best Practices
Single Sign-On Best PracticesSalesforce Developers
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLSSirish Kumar
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Auditoria con base en riesgos
Auditoria con base en riesgosAuditoria con base en riesgos
Auditoria con base en riesgosMynor Parada
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
 
Sql injection
Sql injectionSql injection
Sql injectionNuruzzaman Milon
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacksn|u - The Open Security Community
 

Más contenido relacionado

La actualidad más candente

Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmapHerman Duarte
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTshiriskumar
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedWill Schroeder
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicSam Bowne
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionSina Manavi
 
Auditoria con base en riesgos
Auditoria con base en riesgosAuditoria con base en riesgos
Auditoria con base en riesgosMynor Parada
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 

La actualidad más candente (20)

Sql injection with sqlmap
Sql injection with sqlmapSql injection with sqlmap
Sql injection with sqlmap
 
OTG - Practical Hands on VAPT
OTG - Practical Hands on VAPTOTG - Practical Hands on VAPT
OTG - Practical Hands on VAPT
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)PSConfEU - Offensive Active Directory (With PowerShell!)
PSConfEU - Offensive Active Directory (With PowerShell!)
 
Sql injection
Sql injectionSql injection
Sql injection
 
CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application Logic
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Nia
NiaNia
Nia
 
Single Sign-On Best Practices
Single Sign-On Best PracticesSingle Sign-On Best Practices
Single Sign-On Best Practices
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
A Brief Introduction in SQL Injection
A Brief Introduction in SQL InjectionA Brief Introduction in SQL Injection
A Brief Introduction in SQL Injection
 
Auditoria con base en riesgos
Auditoria con base en riesgosAuditoria con base en riesgos
Auditoria con base en riesgos
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
 
Sql injection
Sql injectionSql injection
Sql injection
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 

Destacado

BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case studyOktawian Powazka
 
SSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfSSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfYurii Bilyk
 
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...Amazon Web Services
 
CamSec Sept 2016 - Tricks to improve web app excel export attacks
CamSec Sept 2016 - Tricks to improve web app excel export attacksCamSec Sept 2016 - Tricks to improve web app excel export attacks
CamSec Sept 2016 - Tricks to improve web app excel export attacksJerome Smith
 
Attack of the BEAST
Attack of the BEASTAttack of the BEAST
Attack of the BEASTStefan Fodor
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheLeslie Samuel
 

Destacado (12)

BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacks
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
 
Poodle
PoodlePoodle
Poodle
 
SSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfSSL/POODLE: History repeats itself
SSL/POODLE: History repeats itself
 
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
 
Internet cookies
Internet cookiesInternet cookies
Internet cookies
 
CamSec Sept 2016 - Tricks to improve web app excel export attacks
CamSec Sept 2016 - Tricks to improve web app excel export attacksCamSec Sept 2016 - Tricks to improve web app excel export attacks
CamSec Sept 2016 - Tricks to improve web app excel export attacks
 
SSLv3 and POODLE
SSLv3 and POODLESSLv3 and POODLE
SSLv3 and POODLE
 
Poodle
PoodlePoodle
Poodle
 
Attack of the BEAST
Attack of the BEASTAttack of the BEAST
Attack of the BEAST
 
How to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your NicheHow to Become a Thought Leader in Your Niche
How to Become a Thought Leader in Your Niche
 

Similar a SSL Checklist for Pentesters (BSides MCR 2014)

1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityssuserec53e73
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverhannob
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL EnglishSSL247®
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
Grid middleware is easy to install, configure, secure, debug and manage acros...
Grid middleware is easy to install, configure, secure, debug and manage acros...Grid middleware is easy to install, configure, secure, debug and manage acros...
Grid middleware is easy to install, configure, secure, debug and manage acros...Paul Brebner
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingNetSPI
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingNetSPI
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Scott Sutherland
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Amazon Web Services
 
Random musings on SSL/TLS configuration
Random musings on SSL/TLS configurationRandom musings on SSL/TLS configuration
Random musings on SSL/TLS configurationextremeunix
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 

Similar a SSL Checklist for Pentesters (BSides MCR 2014) (20)

FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
OpenSecure socket layerin cyber security
OpenSecure socket layerin cyber securityOpenSecure socket layerin cyber security
OpenSecure socket layerin cyber security
 
SSL overview
SSL overviewSSL overview
SSL overview
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
SSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS serverSSL, X.509, HTTPS - How to configure your HTTPS server
SSL, X.509, HTTPS - How to configure your HTTPS server
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
Rootconf2019
Rootconf2019Rootconf2019
Rootconf2019
 
Sqlviking
SqlvikingSqlviking
Sqlviking
 
Grid middleware is easy to install, configure, secure, debug and manage acros...
Grid middleware is easy to install, configure, secure, debug and manage acros...Grid middleware is easy to install, configure, secure, debug and manage acros...
Grid middleware is easy to install, configure, secure, debug and manage acros...
 
Unsafe SSL webinar
Unsafe SSL webinarUnsafe SSL webinar
Unsafe SSL webinar
 
Attack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration TestingAttack All the Layers - What's Working in Penetration Testing
Attack All the Layers - What's Working in Penetration Testing
 
Attack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration TestingAttack All The Layers - What's Working in Penetration Testing
Attack All The Layers - What's Working in Penetration Testing
 
Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)Attack All the Layers: What's Working during Pentests (OWASP NYC)
Attack All the Layers: What's Working during Pentests (OWASP NYC)
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
 
Random musings on SSL/TLS configuration
Random musings on SSL/TLS configurationRandom musings on SSL/TLS configuration
Random musings on SSL/TLS configuration
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 

Último

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 

Último (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 

SSL Checklist for Pentesters (BSides MCR 2014)

  • 1. SSL Checklist for Pentesters Jerome Smith BSides MCR, 27th June 2014
  • 2. whoami • Pentester • Author/trainer – Hands-on technical – Web application, infrastructure, wireless security • Security projects – Log correlation – Dirty data – Incident response exercises • Sysadmin • MSc Computing Science (Dist) • www.exploresecurity.com | @exploresecurity # whoami jerome
  • 3. Introduction • Broad review of SSL/TLS checks – Viewpoint of pentester – Pitfalls – Manually replicating what tools do (unless you told the client that SSL Labs would be testing them ) – Issues to consider reporting (but views are my own) • While SSL issues are generally low in priority, it’s nice to get them right! • I’m not a cryptographer: this is all best efforts
  • 4. SSLv2 • Flawed, e.g. no handshake protection → MITM downgrade • Modern browsers do not support SSLv2 anyway – Except for IE but it’s disabled by default from IE7 – That mitigates the risk these days – http://en.wikipedia.org/wiki/Transport_Layer_Security#W eb_browsers • OpenSSL 1.0.0+ doesn’t support it – Which means SSLscan won’t find it – General point: tools that dynamically link to an underlying SSL library in the OS can be limited by what that library supports
  • 5. SSLv2 • Same scan on different OpenSSL versions:
  • 6. SSLv2 • testssl.sh warns you – It can work with any installed OpenSSL version • OpenSSL <1.0.0 s_client -ssl2 switch – More on this later • Recompile OpenSSL – http://blog.opensecurityresearch.com/2013/05/fixing-sslv2-support- in-kali-linux.html • SSLyze 0.7+ is statically linked – Watch out for bug https://github.com/iSECPartners/sslyze/issues/73
  • 7. SSLv3 • SSLv3 RFC is in fact “historical” – TLS began in 1999 as the standardised version of SSL – The SSL protocol hasn’t been updated since 1996 • We really shouldn’t be running it – Everything supports TLSv1.0 by default – Oh, except IE6 – Should we take the lead and begin to flag it in pentests as obsolete?
  • 8. TLSv1.1 & v1.2 • We really should be running it – They’ve been around since 2006 and 2008 respectively • Latest versions of browsers support them (platform dependent) – http://en.wikipedia.org/wiki/Transport_Layer_Security#Web_br owsers – http://en.wikipedia.org/wiki/Comparison_of_TLS_implementati ons • Check support – and report their absence? – Missing out on more robust design and better ciphers – Again, trying to push in the right direction • SSLscan isn’t designed to check for these versions – openssl s_client -tls1_1 or -tls1_2 switch (from v1.0.1)
  • 9. TLSv1.1 & v1.2 • Not immune • While the protocol handshake is protected, browsers have fall-back mechanisms or performance tricks (e.g. False Start) that could be abused – To be fair, Google later abandoned False Start – http://blog.cryptographyengineering.com/2012/04/so-long- false-start-we-hardly-knew-ya.html • A MITM attacker could trigger a protocol downgrade – Possibly all the way down to SSLv3 – https://www.imperialviolet.org/2013/10/07/chacha20.html – http://www.carbonwind.net/blog/post/Random-SSLTLS- 101%E2%80%93SSLTLS-version-rollbacks-and-browsers.aspx • But benefits far outweigh this annoyance
  • 10. Renegotiation Checks • Insecure renegotiation flaw CVE-2009-3555 • Both insecure and secure renegotiation may be supported – Especially if multiple servers are behind the hostname • Manual check openssl s_client –connect site:port HEAD / HTTP/1.0 R – If no error, renegotiation is supported: whether it’s insecure or secure will depend on the OpenSSL version – Add a final CRLF to prove the request completes • OpenSSL 0.9.8m+ won’t renegotiate insecurely – Conversely v0.9.8k and older won’t renegotiate securely – So how can BT5R3’s OpenSSL 0.9.8k state this?: »
  • 11. OpenSSL • It’s useful to have an older OpenSSL around – But you don’t want it to clash with your main version • Download e.g. https://www.openssl.org/source/openssl- 0.9.8k.tar.gz to /tools • Run cd /tools tar -xzf openssl-0.9.8k.tar.gz cd openssl-0.9.8k ./config --prefix=/tools/openssl-0.9.8k -- openssldir=/tools/openssl-0.9.8k make
  • 12. Renegotiation Checks • Client-initiated renegotiation – Wholly different issue to secure vs insecure – Potential DoS attack • http://www.thc.org/thc-ssl-dos/ • Although renegotiation isn’t a prerequisite, it helps – If client-initiated renegotiation is disabled, insecure renegotiation is not exploitable • So clients may do this to “fix” CVE-2009-3555 – Only really needed for client certificate authentication • So what does it mean if renegotiation works? – <= 0.9.8k >= 0.9.8m Insecure Yes No Client-initiated Yes Yes
  • 13. Certificate Checks Public key size • <1,024-bit – vulnerable (ish) – RSA-768 was factored • http://www.emc.com/emc-plus/rsa-labs/historical/the-rsa-challenge- numbers.htm – 512-bit Google key cracked to spoof email • “72 hours using Amazon Web Services for £47” • http://www.wired.co.uk/news/archive/2012-10/25/google-email • 1,024-bit – upgrade to 2,048-bit – Any larger increases overhead with no real security benefit (yet) Valid certificate chain • Note that different browsers hold different sets of root CAs • Tip: don’t report “the certificate was signed by an untrusted root CA PortSwigger” 
  • 14. Certificate Checks Expiry date • Warn of imminent expiry Signature • Hashed using MD5 (certificate spoofing 2008) Revocation • Does the certificate hold CRL/OCSP (AIA) fields? –
  • 15. Certificate Checks Revocation (cont) • Are those fields valid? – Is your browser checking them? – Chrome doesn’t by default → – Does it fail open? – Revocation check for a pentest requires hard fail – Firefox Tools | Options | Advanced | Certificates – Ah, but what about the full certificate chain?
  • 16. Certificate Checks Certificate Subject • Valid for all resource requests? – Users often miss off www – is the certificate still valid? • Wildcard certificate – *.domain.com not valid for https://domain.com – Encourages more widespread use of powerful certificate – Provides SSL confidence to links exploiting other flaws (especially if wildcard DNS enabled) • Subject Alternative Names – Can be used for other domains, not just the host’s – Some tools may not check this field correctly → false positive “certificate name does not match hostname”
  • 17. Cipher Suites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA protocol asymmetric (public key) crypto symmetric cipher with key size hash algorithm for message authentication key agreement authentication NB: OpenSSL cipher suite names differ from RFCs – e.g. “RC4-MD5” vs “TLS_RSA_WITH_RC4_128_MD5”
  • 18. Cipher Suites • <128-bit keys can be brute-forced (ish) – Not trivial: decent hardware < 1 day for DES • e.g. RIVYERA S3-5000 • http://www.voltage.com/blog/crypto/rivyera-from-sciengines/ – 3DES provides an effective key strength of 112 bits • http://csrc.nist.gov/publications/nistpubs/800-57/sp800- 57_part1_rev3_general.pdf • And it’s relatively slow • Less likely to see: – Anonymous Diffie-Hellman (lacks authentication) – NULL cipher suites (lacks encryption) – “Export” ciphers (unlike with beer, this label is bad) – Unlikely to be supported by browser anyway
  • 19. Cipher Suites • Server preference – Client sends list of cipher suites in order of preference – Server will choose the first one it supports unless it has a preference • openssl s_client -cipher switch – Pick specific cipher suites (sent in order) or groups – man ciphers or https://testssl.sh/openssl-rfc.mappping.html – Replicate server preference check by switching order of ciphers • (Perfect) Forward secrecy – Without it, private key compromise means previous traffic can be read – Look for “ephemeral” in the key agreement part, e.g. DHE, ECDHE – Adds a cost (ECDHE is faster than DHE) • Latest cipher suites – require TLSv1.2 – AES-GCM (slow), ChaCha20/Poly1305 (new) – https://www.imperialviolet.org/2013/10/07/chacha20.html
  • 20. RC4 • First bytes of ciphertext are cryptographically weak • http://www.isg.rhul.ac.uk/tls/RC4biases.pdf – To attack cookies, it would take 2,000 hours (short of 3 months) – “It would be incorrect to describe the attacks as being a practical threat to TLS…today” (my emphasis) • “Attacks always get better, they never get worse” – Sensible to phase out RC4 ciphers – Even Microsoft has done it with KB2868725 • IETF draft advisory – http://tools.ietf.org/html/draft-popov-tls-prohibiting-rc4-02 – “TLS clients MUST NOT include RC4 cipher suites” – “TLS servers MUST NOT select an RC4 cipher suite”
  • 21. Revealing SSL/TLS • Most of the handshake is in clear text • To decrypt traffic in Wireshark, run with OpenSSL: – Create text file: RSA Session-ID:<Session-ID> Master-Key:<Master-Key> – The NSS SSL/TLS stack (Chrome & Firefox) can auto-create this file: set the environment variable SSLKEYLOGFILE to the path of a text file • Wireshark – Edit | Preferences | Protocols | SSL – Set “(Pre-)Master-Secret log filename” to file above
  • 22. • Wireshark SSL preferences – Everything you (n)ever wished to know – “Records” are a sub-layer – and if you see a starting record of data that’s empty or has one byte, that’s because of... Revealing SSL/TLS
  • 23. BEAST • A client-side attack but it’s nice to help your users – TLS 1.0 or less with block ciphers in CBC mode = vulnerable server • All recent major browsers have a patch – Apple finally woke up in Nov 2013 – But not every user will be running the latest version • TLSv1.1 and v1.2 aren’t vulnerable to BEAST – But recall browser downgrade attack • Alternative is to prefer RC4 – But we’ve said not to use it! – RC4 flaws are systemic: BEAST attack surface will diminish • So should we let it go now? – Confusing for client to have both RC4 and BEAST reported? – https://community.qualys.com/blogs/securitylabs/2013/09/10/is- beast-still-a-threat
  • 24. CRIME • Targets SSL compression (again, client-side attack) – Only Chrome really supported it, it’s now disabled – So it’s unlikely to be exploitable • Check for compression on server with OpenSSL – Don’t rely on “Compression: NONE” message until you’ve checked your OpenSSL version supports compression – Look at Client Hello: – To enable, build with ./config zlib zlib-dynamic
  • 25. CRIME • SPDY uses compression to “make the web faster” – It sits between HTTP and TLS: it’s similarly vulnerable – BREACH: HTTP has native compression – same issue • openssl s_client -nextprotoneg NULL – Connection will fail but look at Server Hello: – Future TLS extension “Application Layer Protocol Negotiation”
  • 26. Heartbleed • OpenSSL 1.0.1 - 1.0.1f (and 1.0.2-beta1) • PoC and first-gen tools raced out – Testing could lead to compromise of sensitive data and/or potentially crash the service – https://blog.mozilla.org/security/2014/04/12/testing-for-heartbleed- vulnerability-without-exploiting-the-server/ • Vulnerability analysis vs pentesting – More prone to false negatives • Easy to check if Heartbeat enabled – Connect using OpenSSL 1.0.1+ with s_client –tlsextdebug –
  • 27. Heartbleed • Obviously openssl s_client can’t be used to test • Tools – heartbleeder from Titanous – MDSec’s heartbleed -s <target> -p 443 -f out -t 0 – Metasploit • Core openssl_heartbleed module is greedy even using “check” • Try the module from the previous Mozilla article – HP iLO/iLO2 products locked up (not vulnerable anyway!) • Nice GUI tool from CrowdStrike (aggressive)
  • 28. Change Cipher Spec (CCS) • CVE-2014-0224 MITM attack to force weak keys • Only exploitable if: – Server uses OpenSSL <1.0.1h – Client uses OpenSSL <1.0.1h, <1.0.0m, <0.9.8za • So that’s only Android as far as browsers are concerned • Tools – Metasploit openssl_ccs module – ./testssl.sh --ccs –
  • 29. Web Applications • Mixed secure and non-secure content – Read session cookies, data etc. – Edit non-secure resources, e.g. JavaScript – Browser errors reduce confidence – or may refuse to load content • Cacheable HTTPS – Non-sensitive content marked as “public” improves performance – Check for pages with sensitive data Pragma: no-cache Cache-Control: no-store, no-cache – http://palizine.plynt.com/issues/2008Jul/cache-control-attributes/
  • 30. Web Applications • Sensitive cookies secure (but site must expect this…) • Redirect back to HTTP following HTTPS • Login over HTTPS but HTTP pre-auth session cookie re-used • HTTP Strict Transport Security (HSTS) – a safety net – Convert all insecure links to secure ones (blocks SSLstrip) – Ensures SSL cert warnings cannot be ignored and access blocked – Set by a response header Strict-Transport-Security – Supported by recent browser versions (oh, except IE) – If a site is fully HTTPS (and is likely to remain so), why not use it? – https://www.leviathansecurity.com/blog/the-double-edged- sword-of-hsts-persistence-and-privacy/ – a fun privacy/tracking issue abusing HSTS

Notas del editor

  1. Slides from BSides with a couple of modifications for clarity, as slides alone are missing some context I already have updated material (including SNI and OCSP Stapling) for the next version Look out for future content @exploresecurity and @NCCGroupInfosec