
LT - Cookie Reuse - Sam Bowne

BSides Las Vegas · 17:39 · Published 2017-03
About this talk
LT - Cookie Reuse - Sam Bowne Lighting Talks BSidesLV 2013 - Tuscany Hotel - August 01, 2013

All right, great. So I'm Sam Bowne, and what I'm going to show you, I'm going to start with the demo because it's time sensitive and I'm barely going to make it, I think. But this is good fun. So here I am, I have an American Express credit card and I have logged into my online bank. Oh, this is Chase, all right, I got American Express in another tab, but I'll show whichever one's still working. So I've logged in, my credit card number is here and my balance and all that jazz, and I want to come back in, but I don't want to bother with my password. I'm just going to use the cookie. This Chrome extension lets me copy cookies, it puts it in the clipboard. So now I can log off, and when I log off, if I try to go back to that page, which is down here, and view my account, it ought to not let me do that. And the network here is kind of slow, but presumably it will eventually get around to telling me that I'm not allowed to see that because I'm not logged in. This looks like progress.

There we are, good. So now I can't see my account because I have to log in. Now that's what should happen. What should not happen is this: if I just put the cookies back in without putting in my password, it shouldn't fall for that, but it does. I go back to that shortcut, I'm back, logged in as me again. This is bad, this is really bad, and this is not the only site that has this problem. Now I found out about this because Microsoft had this problem for a long time. Last year an article came out here in The Hacker News in November saying they told Microsoft that they had this problem on outlook.com and Hotmail, and they told them, and Microsoft said, ah, we don't care, we're not having any plans to fix it anytime soon and it doesn't matter anyway. I said, boy, it matters. I got a Microsoft account from my college, an Office 365 account. I logged in, saved the cookie, logged out, I could get back in. Then I changed my password and I could still get in with the old cookie. This is really bad. I always thought a password is like the worst thing a hacker can steal from you, but I guess a cookie is even worse, because there's nothing you can do but cancel your account to get rid of them. And hopefully some of you web designers out there might know more than me exactly what's going on here. People tell me they have to destroy a key on the server for cryptography that has to do with the cookie, but anyway, it's not impossible to fix. I went online looking for other people, and I found I could get into my American Express account without a password, and my Chase account, but I saw a message that said you're automatically logged out after 10 minutes of inactivity, and I found out that works for cookies too: cookies stopped working 10 minutes later. So thank God for defense in depth. They have multiple controls, so even if one control fails, something else picks up some of the slack, so it's not quite that bad.

Yeah?

[Audience] So hey Sam, can you change the time on your cookie?

[Sam] I have not tried. It's certainly not obvious how; the cookie just contains what looks like random numbers to me, so hopefully it's something like a cryptographic hash or something. But that's another fun game. I always take a look at the cookies to see what's in there, and the only thing I ever found is the New York Times cookies have the readable article headlines of all the articles I read, which is kind of rude. But anyway, yes. So I tried looking for others. So these guys found out Microsoft doesn't care, so I went and started checking other services, and like the big ones are American Express and Chase. Discover card is not only not vulnerable, but they contacted me when I tweeted about this and said, what are you doing, and are we okay? And I said, boy, you guys really want to fall. I told American Express and Chase and I gave them a week to fix it in secret before I went public, and they responded immediately to a message saying get back to me in 24 hours, which they never did at all. Now it's been like two weeks, so they're just asleep at the switch up there. Amazon surprised me, although to be fair the Amazon cookie that I tested is just the one that identifies you to put your name up there. Now when you actually make a purchase it often asks you to log on again. There are levels of authentication at Amazon and I didn't dig into that.

[Audience] So on the 10 minute expiry of cookies, with the cookie sear...

[Sam] It's a good question, I did not try that. The question is, if you can log in, take the cookie, and then keep doing things to keep it active? I would think, see, I think it would keep it alive. So I think all that means is, if you write some kind of script to harvest cookies, you're also going to have to keep them alive. But you know, normally you get cookies off cross-site scripting and you don't bother harvesting them until later, but there's lots of ways to get cookies. And so what else was mentioned here? Adobe: I thought you were bad, but they were actually good. I couldn't reproduce it; they contacted me right away and said why are we on the bad list, what exact site? And I couldn't reproduce it, so I think they're good. And Gmail is good, so I quit exploring Google services, but when I put this out a couple weeks ago and some people started helping me, they tried other Google services, and even though Gmail is good, many other Google services are not good. And this is something I heard about before: Google is now sort of a patchwork amalgamation of many services they've bought and sort of imperfectly integrated into their ecosystem. So you can't get in Gmail with an old cookie, but you can get in the Chrome App Store with an old cookie, and you can totally get in iCloud with an old cookie, which is kind of disturbing. Your Apple account, let me just do that. That was working pretty well. Here I'm signed into my iCloud, so if I export the cookie from that and then I sign out...

Yeah, okay, looks like some motion has happened. Ah, there we go. So now I am unauthenticated in iCloud, and if I go back to my shortcut to see my personal stuff I can't get in. But I put that cookie back in, and it's the same story: now I'm me again. And this is just bloody unhealthy. Now what is the point of this log off button? I mean, I thought the point of that was, I wish to terminate this session and I don't want to get back in here without putting my password in again. But apparently not in the eyes of these developers. Well, I think they just haven't thought it through. They just delete the cookie in my browser. They think my only concern is that I'm handing the computer to another person to use, and I don't want them getting in my account. And it does address that issue, but it doesn't do what a log off button should do. By the way, I tried some security companies. It occurred to me, how bad would it be if the online password managers have this problem? And they don't. All the online password managers I could test have quite serious security measures, like they have a frame and you have to do everything in that frame, and if you do any kind of navigation, anything else, they terminate your session. They're not messing around, so that's somewhat comforting. Cloud play was bad, and I told them and they fixed it, and then they pulled back the fix because they said it made more trouble, and then they worked on it another couple days and then they fixed it, and now it stayed fixed. So it is possible to fix it, but I'm trying to get them into writing a blog on exactly what they did so I can send it to all these other clowns, because I assume they're just using some kind of pre-made standard code which has this problem and they don't really understand how to fix it, and they could probably benefit from some advice on how to fix it. Although nobody cares. Although I'm kind of hoping showing the Chase Manhattan and, you know, American Express, that seems to get people's attention perhaps, so maybe we'll eventually pressure them. By the way, of course, this is nothing new. Cookie reuse has been around forever; that's what the old, what was it, Firesheep thing was years ago. It's just ridiculous that it never goes away, like SQL injection, on and on and on, generation after generation of stuff comes up with the same stupid mistake, and all we can do is make theatrical, embarrassing dramas like this. This is my latest contribution to this pressure on them, but it's not like this is a new discovery, far from it. Anyway, that's what I wanted to show you, and by the way, if anybody didn't know who I am, I'm all backwards here, but I didn't want my... that's who I am, I'm Sam Bowne. Any questions about anything?

[Audience] Any more? Could you show some of your IP stuff too, later?

[Sam] Well, I could. Maybe I will, if there's more space on that. That's a thought, I could do... let me think about it. You're the last speaker? I am? Really? Holy cow. I'll go outside real quick and sign the list again. No? Well, I'm going to show some of this stuff at Defcon too, but here you are, why not, let me show you. Yeah, let me show you that. You've already seen this one, you saw this in a thread, I think? No, I didn't. Oh, you didn't, okay.

[Audience] I started to write the stuff you put up on your website for your students.

[Sam] Well, all right, let me see if I can bring it up. This is actually kind of a fun story. So I have a lot of criminals that talk to me on Twitter, and so I gave a talk about two years ago at Defcon about denial of service attacks and I had a bunch of them, and this guy said, I was looking at that talk, and in the first place, why do you teach BackTrack, all that stuff is lame, that stuff is for losers, you must be dumb, and in the second place, why didn't you talk about sockstress?

How many people have heard of sockstress? Yeah. I mean, sockstress was the raging heat in 2008. In 2008 there's this scary rumor that came out, because of a podcast, that there was this new attack that would kill everything that used TCP, and oh my God, it's the end of the world and everybody panicked, and then it just never happened. And I hunted like everybody else, I just Googled online to find some source code, I found some stuff that didn't work, and I said, well, that was just vaporware I guess, that never really happened. And it did happen, but what happened is the guy that designed it died, and he didn't get to go to the hacker cons and demonstrate with the dog and pony show and show us all this cool stuff. And actually the attack is pretty hard to do. So I tried doing it on BackTrack, I found the old code, the guy said you got the wrong code, you got the wrong operating system, what an idiot you are, and he kept bothering me. So I finally went and got Slackware, and you have to get old Slackware, and even then it's pretty much of a pain, half the stuff you need doesn't work. But this guy kept taunting me and saying if you weren't such an idiot it would work, and he's right. Ultimately it does work, it's just not easy to set up. But I think it's pretty cool because it works; he takes down real web servers with it right and left.

Let me see what state of life this horrible machine is in. All right, I got many machines, but any machine will do for a target as long as it hasn't already been killed or something. Let's try shift control escape. All right, all good, so this machine has 1 gig of RAM, of which half a gig is used. That's a Windows 7 machine, that'll do. Let me put it on host-only networking and check the IP address. You caught me a little off balance here. Let me see if I've got a good IP address on this thing. Oh good, 1726, and I think I need a different machine. Hold on, I might not be able to do this so fast; I'm going to practice it more and have it ready on Friday at Defcon. Let me try the server. I think the server is ready to go. Oh yes sir, it's good. I see from the huge memory usage this server has already suffered this attack, so all I have to do is restart. Okay, but this I think is the most important attack, and it's not necessarily TI die6, it's a layer four attack. Okay, it's local, because this is 2012, so it's like Windows 8. All right, yeah, there's another guy after me?

Now, okay, I don't know how that works. Yeah, I don't know how that works here. That's why he told me to keep going; I already finished my first. By all means. Okay, fair enough. But anyway, I'll demonstrate this, because this is fun. All right, let me get my attacker running and explain what it's doing, because it is a little complicated. Okay, to make this work you have to have a lot of ports listening on the target, and you have to attack from a whole botnet, but it doesn't have to be a real botnet, it can be a simulated botnet, because you have to make a lot of connections. And so let me get my target going here. You have to have a lot of...

[Audience] Destination addresses? You have to have a lot of what? When you said a lot of connections, could it be one machine, or do you have to have a spread of routes that you're hitting from?

[Sam] It can be one machine, but you have to come from many IP addresses, and that's what I'm going to do. Okay, yeah. Did I lose the screen? Oh, I lost my screen. Oh, thank you for telling the table. Okay, good. So let me see if I can get my attacker going, which is that Linux machine. There we are. Okay, so this is Slackware, so there are two things I have to run here. This one is the ARP poisoning part, and what this does is, it's a simple script I wrote in Scapy, and all it does is listen for ARP requests, and whatever the target asks for, it gives it my MAC address, so I can run many IP addresses from one MAC address and the target thinks they're all different machines. That's how I simulate a botnet, a botnet of 127 machines. Then the attack runs here, and I think I just have to do that, that'll probably do. And let me go to here and get my desktop, let's see, there it is, good, and then shift control escape, there we are, glorious Task Manager.

So this is my Windows 2012 server. It's got a gig of RAM and half of it isn't currently in use. The rest... the CPU is doing nothing, CPU is 1% because there's nothing happening on here. That is the target. And the point of this is, TCP has flow control. If the server is sending out too much data and the receiver is not ready, the receiver can slow it down. Now the simplest process is acknowledgements: you can send one window size full of data and then you have to wait for an acknowledgement, and if I'm not done it'll take time to give you an acknowledgement. But you can also... the client can also complain, my buffer is full, I don't want any more data at all. It sends an acknowledgement with a window size of zero. Now a window size of zero is like putting a call on hold; it says wait and send me that data later. In fact every TCP implementation tested by a lot of people has the flaw that that stuff waits in RAM, and as far as we can tell it never times out, at least not in any reasonable amount of time. So all you have to do is make a lot of connections, send SYN, SYN-ACK, ACK, and when you send the ACK set the window size to zero, and that will back up the RAM on the server and just chew it up.

But so, if... when it works right. It was working pretty recently, let me see if everything's just set to go here. I should see some connections. Oh good. I should be able to get like three or four thousand connections per second out of this thing. Ah, there we are, that's what I wanted to show you. So there's the attacker and there's the target. You have to get a powerful machine; the black hat that told me about this takes over servers, he said some website was up yesterday. And the point of this thing is, this can use up all the RAM, and then the thing starts struggling. You see RAM go up and down, CPU goes up and down, the screen goes black, it starts squirming like a worm on a hook, and often the result is it crashes this machine so bad that you can't even shut it down, you just have to pull the plug. And the black hats describe this by saying you can take websites down and they are gone forever, they just never come back, which I believe is true for low-grade amateur websites like porn sites and stuff. They probably don't have any backups, they're probably on some sleazy shared hosting, and after it crashes they can't really put it back. I mean, clearly even a nuclear bomb couldn't take down Google, they just have more servers and backups somewhere. But you could certainly take down an amateur website this way, and it doesn't matter how much RAM you have, it will just chew through it. And I got it to work on BackTrack, but it only works at about one third of the speed. Anyway, on Kali, not BackTrack. Anyway, that's probably the most important thing. This thing has been around since 2008 and nobody's patched it, which I think is because it hasn't been easy to set up. So I've got the Kali version of it and I've got...

[Audience] What repo did you go to to get it?

[Sam] It's not a repo. You just need a bunch of irritating crypto libraries, but they're in Kali by default, so in Kali all you have to do is download the source code. And so if you want to do this, which I highly recommend, at least see the BackTrack version. It's not as fun for a demo, but I think it's good enough that you could make a defense, for example make a firewall rule that stops these things, and you can test to see if it's working. So if you want to do that, go to my page, samsclass.info, and I got a page about sockstress here. So I explain, I have various demos and then I explain how I did it. But here's various tests of it in various conditions. There are a bunch of variations of the attack, but they all work about the same, and someplace on here I do have the link where you can get the source code and put it on BackTrack. Yeah, here's the exact instructions, you get it from there. I guess I put it on my website because the official Outpost website was down. This stuff was all done by Outpost24, a security company, might have representatives around here. Anyway, so I don't know if I ought to quit there. Yeah, the other one I really can't do without another computer I didn't bring; there's one that kills Windows 8 with blue screen of death, but you need another machine for that. So I think that's all I got to show you. Yeah, all right, any other questions? Right, all right.

So, somebody else, come here.
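As an added example of the server-side fix the talk asks for (my own illustration in Python, not code from the speaker or from any of the sites he names), this session store shows why a logout that only deletes the browser's cookie leaves a copied cookie valid, and how destroying the record on the server at logout, killing all of a user's sessions on a password change, and the bank's 10-minute idle timeout each defeat a replayed cookie. The class and function names, the fake clock and the user name are assumptions made for the demo.

```python
import secrets
import time

IDLE_TIMEOUT = 600  # seconds: the 10-minute inactivity limit the talk credits as a second control

class SessionStore:
    """Server-side session table; the cookie value is only an opaque lookup key."""
    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> {"user": str, "last_seen": float}
        self._clock = clock

    def login(self, user):
        token = secrets.token_urlsafe(32)  # unguessable, carries no data to tamper with
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def logout(self, token):
        # The fix: destroy the server-side record, so any saved copy of the cookie is worthless.
        self._sessions.pop(token, None)

    def change_password(self, user):
        # Kill every live session for this user, wherever the cookie may have been copied.
        for tok in [t for t, s in self._sessions.items() if s["user"] == user]:
            del self._sessions[tok]

    def user_for(self, token):
        # Resolve a cookie to a user, enforcing the idle timeout on every request.
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]  # expired by inactivity
            return None
        s["last_seen"] = now
        return s["user"]

def replay_outcomes():
    """Replay a copied cookie after four events; True means the server still honoured it."""
    clock = [1000.0]  # fake clock (assumption) so the idle timeout can be exercised offline
    store = SessionStore(clock=lambda: clock[0])
    results = {}
    saved = store.login("sam")  # the attacker copies the cookie while the user is logged in
    # Broken logout as in the talk: the browser deletes its cookie, the server forgets nothing.
    results["browser_only_logout"] = store.user_for(saved) is not None
    saved = store.login("sam")
    store.logout(saved)
    results["server_logout"] = store.user_for(saved) is not None
    saved = store.login("sam")
    store.change_password("sam")
    results["password_change"] = store.user_for(saved) is not None
    saved = store.login("sam")
    clock[0] += IDLE_TIMEOUT + 1  # ten minutes of inactivity pass
    results["idle_timeout"] = store.user_for(saved) is not None
    return results
```

Only the first entry comes back True: the browser-only logout is the pattern the demo exposes, and each of the three server-side controls makes the saved cookie useless.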

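As an added defensive example for the sockstress part of the talk (my own Python, not the speaker's scripts or Outpost24's code), this checker reads a constructed connection table and flags the two things the demo produces on the target's side: many established peers stuck at a zero receive window, and many source IPs all answering from one MAC address, which is how the talk simulates a botnet of 127 machines. The line format, the thresholds and the sample addresses are assumptions.

```python
from collections import defaultdict

# Thresholds are illustrative assumptions, not figures from the talk.
ZERO_WINDOW_LIMIT = 100  # established peers sitting at window 0 before we alarm
IPS_PER_MAC_LIMIT = 8    # distinct source IPs claiming one MAC on the local segment


def parse_line(line):
    """Parse one constructed table line of the form 'src_ip src_mac state window'."""
    ip, mac, state, window = line.split()
    return {"ip": ip, "mac": mac.lower(), "state": state, "window": int(window)}


def analyse(lines):
    """Return counts and alarms for zero-window stalls and one MAC fronting many IPs."""
    rows = [parse_line(l) for l in lines if l.strip()]
    # Signature 1: peers that completed the handshake and then advertised window 0.
    zero_window_peers = {r["ip"] for r in rows
                         if r["state"] == "ESTABLISHED" and r["window"] == 0}
    # Signature 2: the ARP trick in the talk, one MAC address answering for many IPs.
    ips_by_mac = defaultdict(set)
    for r in rows:
        ips_by_mac[r["mac"]].add(r["ip"])
    spoofed_macs = {mac: sorted(ips) for mac, ips in ips_by_mac.items()
                    if len(ips) > IPS_PER_MAC_LIMIT}
    return {
        "zero_window_peers": len(zero_window_peers),
        "zero_window_alarm": len(zero_window_peers) > ZERO_WINDOW_LIMIT,
        "spoofed_macs": spoofed_macs,
    }


def constructed_table(n_attack=127):
    """Constructed sample: three normal peers plus n_attack hosts behind one MAC at window 0."""
    lines = [f"10.0.0.{200 + i} 00:11:22:33:44:55 ESTABLISHED 65535" for i in range(3)]
    lines += [f"192.168.1.{i} AA:BB:CC:DD:EE:FF ESTABLISHED 0" for i in range(1, n_attack + 1)]
    return lines
```

The same two signatures are what a firewall or host rule built from the talk's suggestion would key on; a handful of zero-window peers is normal backpressure, hundreds from one MAC is not.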