SSL Bypass Techniques and Applications
이경문 (gilgil1973@gmail.com)

Evolution of sniffing attacks
Packet sniffing attacks have long been developed in combination with other techniques.
- Simple sniffing: promiscuous mode, TCP/IP, and so on
- Sniffing with spoofing: ARP spoofing, IP spoofing, and so on
- Sniffing with MITM: proxy, version rollback, and so on

Can I decrypt encrypted data?
Do you want to sniff? Sniffing often requires not only high-level technical skills but also original ideas. How can I analyze this encrypted data?
MITM for SSL - What is SSL?
SSL (Secure Sockets Layer) is a protocol developed by Netscape for transmitting private documents via the Internet.
http://www.webopedia.com/term/s/ssl.html
http://www.ietf.org/rfc/rfc2246.txt?number=2246

MITM for SSL - What is a secure server?
A web server that supports any of the major security protocols, like SSL, that encrypt and decrypt messages to protect them against third-party tampering.
http://www.webopedia.com/term/s/secure_server.html

MITM for SSL - What is an SSL MITM attack?
The attacker must be positioned between the victim and the server. The attacker intercepts the victim's packets and routes them to an SSL proxy. The SSL proxy substitutes its own SSL key, terminating the victim's session and opening a second one to the server, in order to obtain the decrypted information.
(Diagram: normal case, Victim <-SSL-> SSL Server with one public/private key pair; attacked case, Victim <-SSL-> Attacker's SSL Proxy <-SSL-> SSL Server, each leg with its own public/private key pair, and the attacker noting "I can see plain text!!!")
How to disable the SSL certificate warning message?
Rewrite https:// links in the HTTP response payload to http://, so the victim never opens an SSL connection and no certificate warning is shown.
http://www.thoughtcrime.org/software/sslstrip/

How to protect my web site from SSL strip?
- Automatically turn any insecure links referencing the web application into secure links. (For instance, http://example.com/some/page/ will be modified to https://example.com/some/page/ before accessing the server.)
- If the security of the connection cannot be ensured (e.g. the server's TLS certificate is self-signed), show an error message and do not allow the user to access the web application.
http://en.wikipedia.org/wiki/http_strict_transport_security
https://tools.ietf.org/html/rfc6797
Strict Transport Security HTTP Response
Preloaded HSTS sites
A selected subset of the members of the preloaded HSTS list: Google, PayPal, Twitter, Simple, Linode, Stripe, LastPass
http://dev.chromium.org/sts
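To show why the https:// to http:// rewrite above fails against an HSTS host, here is an added example (not code from these slides) of the "known HSTS host" cache a browser keeps under RFC 6797: it parses Strict-Transport-Security headers, honours includeSubDomains, expiry and max-age=0, and upgrades http:// links back to https:// for known hosts. The three preloaded hosts are the ones the slide names; everything else is constructed.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed seed for the browser-shipped preload list; the real list is far
# larger. These three hosts are the ones the slides name as preloaded.
PRELOADED = {"google.com", "paypal.com", "twitter.com"}

class HstsStore:
    """Minimal RFC 6797 'known HSTS host' cache, as a user agent keeps it."""
    def __init__(self, preload=PRELOADED):
        self.preload = set(preload)
        # host -> (expiry timestamp, includeSubDomains); None expiry = preloaded
        self.policies = {h: (None, True) for h in self.preload}

    def process_header(self, host, value, now=None):
        """Cache the policy carried by a Strict-Transport-Security header."""
        now = time.time() if now is None else now
        m = re.search(r"max-age\s*=\s*\"?(\d+)\"?", value, re.I)
        if not m:
            return  # max-age is mandatory; a malformed header is ignored
        if int(m.group(1)) == 0:
            # max-age=0 tells the client to forget a cached (non-preloaded) policy
            if host not in self.preload:
                self.policies.pop(host, None)
            return
        sub = re.search(r"(^|;)\s*includeSubDomains\s*(;|$)", value, re.I)
        self.policies[host] = (now + int(m.group(1)), sub is not None)

    def is_known(self, host, now):
        """Exact match, or an ancestor domain whose policy has includeSubDomains."""
        labels = host.split(".")
        for i in range(len(labels)):
            pol = self.policies.get(".".join(labels[i:]))
            if pol is None:
                continue
            expiry, include_sub = pol
            if expiry is not None and expiry <= now:
                continue  # expired entry
            if i == 0 or include_sub:
                return True
        return False

    def upgrade_url(self, url, now=None):
        """What the browser does with an http:// link an sslstrip-style rewrite
        produced: for a known HSTS host it is upgraded back to https:// before
        any request leaves the machine, so no plaintext request exists to intercept."""
        now = time.time() if now is None else now
        p = urlsplit(url)
        if p.scheme != "http" or not p.hostname or not self.is_known(p.hostname, now):
            return url
        # RFC 6797 section 8.3: an explicit port 80 becomes the default https port
        netloc = p.hostname if p.port == 80 else p.netloc
        return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
```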
JavaScript Strip
Certain sites protect account information with JavaScript encryption in addition to SSL encryption.
http://www.gilgil.net/783115
http://www.snoopspy.com/988

STS & JSE
Both STS (Strict Transport Security) and JSE (JavaScript Encryption) are good solutions for preventing account-information theft. (O: used, X: not used)

Site           STS             JSE
google.com     O (preloaded)   X
twitter.com    O (preloaded)   X
paypal.com     O (preloaded)   X
facebook.com   O               X
naver.com      X               O
daum.net       X               O
nate.com       X               O
11st.co.kr     X               O
Status of Korean sites
Many Korean bank sites and public-institution sites run ActiveX modules.

Where is ActiveX used?
- Anti-keylogging
- Firewall (anti-virus)
- Dedicated encrypted communication
- And so on...

Why ActiveX, of all things?
Functionality that web browsers do not provide natively had to be implemented somehow, so it ended up being implemented as ActiveX.

What is the problem?
- Damaged web accessibility. A foreigner: "Please let me buy Cheon Song-yi's coat."
- Indiscriminate, duplicate installation of modules without user consent. "But I'm already using a different AV..." (rage!!!)
- The resulting system instability. "At the very least, don't give me a blue screen..."
- And so many more that listing them one by one is hard.

Thought
Is there a way to use these sites without running ActiveX?

Concern
Let's think about it the way a developer would!!!

What did I do?
- Analyzed well-known Korean financial and public-institution sites.
- Analyzed traffic (HTTP, HTTPS) to confirm one by one when and how each ActiveX control is launched.
- Analyzing a single site took anywhere from 10 minutes to several hours or more.
Which sites were analyzed (1)?
Sites selected from the Rankey.com TOP 100.
- Kookmin Bank (KB): www.kbstar.com
- Woori Bank: www.wooribank.com
- Shinhan Bank: www.shinhan.com
- NH Nonghyup: www.nonghyup.com
- IBK Industrial Bank of Korea: www.ibk.co.kr
- IBK Open Banking: open.ibk.co.kr
- Hana Bank: www.hanabank.com
- Shinhan Card: www.shinhancard.com
- Internet Post Office (epost): www.epost.go.kr
- National Tax Service e-Tax Invoice (e-Sero): www.esero.go.kr
- Korea Exchange Bank: www.keb.co.kr
- Hyundai Card: www.hyundaicard.com
- Standard Chartered Bank Korea: www.standardchartered.co.kr
- KB Kookmin Card: www.kbcard.com

Which sites were analyzed (2)?
Other sites selected.
- BC Card: www.bccard.com
- NEIS (National Education Information System): www.neis.go.kr
- Patent-ro (특허로, online patent filing): www.patent.go.kr
- Samsung Card: www.samsungcard.com
- KFTC (Korea Financial Telecommunications and Clearings Institute): www.kftc.or.kr
- Citibank Korea: www.citibank.co.kr
There are many more besides these.
How does it work?
Break the link between the ActiveX module and the web browser by modifying the content of the JavaScript that connects them.
(Diagram: ActiveX Module <-> JavaScript or HTML <-> Web Browser)

Bypass method A (DNS sinkhole)
Certain sites fetch their ActiveX-related modules from a specific third-party domain. Pointing that domain name at 127.0.0.1 makes it possible to bypass the ActiveX control.
Example sites: KFTC, NICE, Hyundai Card, ...
Example URLs:
http://ahnlabdownload.nefficient.co.kr/aos/plugin/aosmgr_common.js
http://update.nprotect.net/netizenv55/gov/neisnew/netizen55_p.js
https://supdate.nprotect.net/netizen/card/hyundaicard/81/netizen_multios_check.js
This method is already widely described on the Internet.

Bypass method B (web proxy)
Certain sites fetch their ActiveX-related modules from their own domain, so pointing that domain name at 127.0.0.1 cannot bypass them.
Example sites: Nonghyup, Kookmin Bank, ...
Example URLs:
https://banking.nonghyup.com/service/js/so/ahnlab/aos/aosmgr_common.js
https://oimg1.kbstar.com/js/common/nprotect/op_netizen.js
Use a web proxy to remove the file in question.

Bypass method C (HTTP response)
Some sites cannot be bypassed by merely removing a simple file (html, js, etc.).
Example site: Samsung Card js file (excerpt as shown on the slide; elided parts marked with ...):

```javascript
function scardlogin(scallback, target, loginmethod, aftermaintype) {
    // Decide whether this page is a target for running AOS (AhnLab Online Security)
    getaostargetinfo('common-main.js.scardlogin');
    ...
    if (window.location.href.indexOf('menuid=nhpimcspcx') > -1) {
        if (aos_is_new()) {   // check whether AOS (AhnLab Online Security) is installed
            aoswrap_run_only();   // launch AOS (AhnLab Online Security)
            ...
        } else {
            alert('pc 방화벽프로그램이설치되지않았습니다. \n\n설치후이용해주시기바랍니다.');
        }
    } else {
        ...
    }
}
...
```

Each function has to be analyzed one by one, which is tedious.
Results
- On all 20 analyzed sites, the firewall (spelled "firewall", pronounced "meltdown") ActiveX modules were removed successfully.
- Anti-keylogging ActiveX modules were partially removed.
- ActiveX modules such as encryption modules, where neutralizing them makes the service unusable, are hard to remove.

Detailed results

Site                     Bypassed module(s)
bccard.com               nProtect Netizen v5.5, nProtect KeyCrypt V6.0
citibank.co.kr           AhnLab Online Security
epost.go.kr              EasyKeytec (keyboard security program)
esero.go.kr              nProtect KeyCrypt V6.0
hanabank.com             AhnLab Online Security
hyundaicard.com          nProtect Netizen v5.5
ibk.co.kr                nProtect Netizen v5.5
kbcard.com               nProtect Netizen v5.5, npefdswctrl
kbstar.com               nProtect Netizen v5.5
keb.co.kr                nProtect Netizen v5.5
kftc.or.kr               AhnLab Online Security
neis.go.kr               nProtect Netizen v5.5, nProtect X-Guard
nonghyup.com             AhnLab Online Security, SoftCamp Secure KeyStroke 4.0
open.ibk.co.kr           nProtect Netizen v5.5
patent.go.kr             nProtect Netizen v5.5, nProtect KeyCrypt V6.0
samsungcard.com          AhnLab Online Security
shinhan.com              AhnLab Online Security, SoftCamp Secure KeyStroke 4.0
shinhancard.com          nProtect Netizen v5.5
standardchartered.co.kr  AhnLab Online Security
wooribank.com            AhnLab Online Security

Conclusion
For ActiveX modules that must be installed unconditionally just to visit a particular site, consideration is needed so that users can choose to install them selectively, with their consent.

Thank you.
http://www.gilgil.net
http://www.snoopspy.com
http://powerofcommunity.net/pt2014