Talk at DEF CON 23, Las Vegas (USA)

1. Breaking SSL using time synchronisation attacks
Jose Selvi, Senior Security Consultant

2. $ whois jselvi
• Jose%Selvi%
• +10%years%working%in%security%
• Senior%Security%Consultant%
• SANS%Institute%Community%Instructor%
• GIAC%Security%Expert%(GSE)%
• Twitter:%@JoseSelvi%
• Blog:%http://www.pentester.es

3. Valencia: Beach, Sun & Hacking

4. Valencia: Beach, Sun & Hacking

5. What’s the time?

6. Disclaimer

7. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations

8. HTTP Strict Transport Security
• RFCK6797:%November%2012.%
• Also%known%as%HSTS%or%STS.%
• Prevent%HTTP%connections.%
• Prevent%accepting%selfKsigned%and%
rogue%certificates.%
• Use%a%new%“StrictKTransportKSecurity”%
header.

9. How it work?
Server
HTTPS
GET / HTTP/1.1
Client
Strict-Transport-Security: max-
age=3153600

10. HSTS Timeline
HTTPS
connection
3153600
secs later

11. Preloaded HSTS
• Hardcoded%list%of%well%known%
website%names%that%should%always%
use%HTTPS.%
• Prevent%the%security%gap%before%
the%first%HTTPS%connection.%
• Google,%Twitter,%Paypal,%…

12. HTTPS
connection
3153600
secs later

13. 3153600
secs later

14. Preloaded HSTS - Google
http://www.chromium.org/sts

15. Preloaded HSTS - Mozilla
https://blog.mozilla.org/security/2012/11/01/preloading-hsts/

16. Preloaded HSTS - Others

17. Chromium Source Code

18. Safari plist
$%plutil%Kp%HSTS.plist
{
%%"com.apple.CFNetwork.defaultStorageSession"%=>%{
%%%%"ssl.googleKanalytics.com"%=>%Kinf
%%%%"webmail.mayfirst.org"%=>%Kinf
%%%%"braintreegateway.com"%=>%Kinf
%%%%"code.google.com"%=>%Kinf
%%%%"dm.mylookout.com"%=>%inf
%%%%"therapynotes.com"%=>%inf
%%%%"chrome.google.com"%=>%Kinf
%%%%"sol.io"%=>%Kinf
%%%%"www.sandbox.mydigipass.com"%=>%inf
[…]

19. HSTS weakness
• Its%security%relies%on%time.%
• It%completely%trust%the%OS’s%
current%time.%
• What%if%I%could%change%the%
computer%clock%from%the%
network?

20. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations

21. Network Time Protocol (NTP)
• Time%Synchronisation%Services.%
• RFCK1305%(v3)%/%RFCK5905%(v4)%/%RFCK4330%
(SNTPv4).%
• By%default%in%(almost)%all%operating%systems.%
• No%secured%by%default.%
• Vulnerable%to%ManKinKtheKMiddle%attacks.

22. NTP Packet: Ubuntu

23. Delorean
• NTP%MitM%Tool.%Free.%Open%Source.%Python.%
– http://github.com/PentesterES/Delorean%
• Based%on%a%kimifly’s%work:%
– http://github.com/limifly/ntpserver%
• Implements%several%attacks.%
• It%pretends%to%be%an%NTP%attack%‘suite’.

24. Delorean
$%./delorean.py%Kh%
Usage:%delorean.py%[options]%
Options:%
%%Kh,%KKhelp%%%%%%%%%%%%show%this%help%message%and%exit%
%%Ki%INTERFACE,%KKinterface=INTERFACE%
%%%%%%%%%%%%%%%%%%%%%%%%Listening%interface%
%%Kp%PORT,%KKport=PORT%%Listening%port%
%%Kn,%KKnobanner%%%%%%%%Not%show%Delorean%banner%
%%Ks%STEP,%KKforceKstep=STEP%
%%%%%%%%%%%%%%%%%%%%%%%%Force%the%time%step:%3m%(minutes),%4d%(days),%1M%
%%%%%%%%%%%%%%%%%%%%%%%%(month)%
%%Kd%DATE,%KKforceKdate=DATE%
%%%%%%%%%%%%%%%%%%%%%%%%Force%the%date:%YYYYKMMKDD%hh:mm[:ss]%
%%Kx,%KKrandomKdate%%%%%Use%random%date%each%time

25. Basic attacks
#%./delorean.py%Kn%
[19:44:42]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2018K08K31%19:44%
[19:45:18]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2018K08K31%19:45
#%./delorean.py%Kd%‘2020K08K01%23:15’%Kn%
[19:49:50]%Sent%to%127.0.0.1:48473%K%Going%to%the%future!%2020K08K01%21:15%
[19:50:10]%Sent%to%127.0.0.1:52406%K%Going%to%the%future!%2020K08K01%21:15
#%./delorean.py%Kr%Kx%
[19:51:17]%Sent%to%127.0.0.1:37680%K%Going%to%the%future!%2023K07K19%20:48%
[19:51:21]%Sent%to%127.0.0.1:37680%K%Going%to%the%future!%2019K03K12%10:11
#%./delorean.py%Ks%10d%Kn%
[19:46:09]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2015K08K10%19:46%
[19:47:19]%Sent%to%192.168.10.113:123%K%Going%to%the%future!%2015K08K10%19:47

26. DEMO

27. Replay Attack
$%./delorean.py%Kn%Kr%capture.pcap%
[06:19:13]%Replayed%to%192.168.10.105:39895%K%Going%to%the%past!%2015K06K24%21:41%
[06:19:17]%Replayed%to%192.168.10.105:39895%K%Going%to%the%past!%2015K06K24%21:41

28. Spoofing Attack
$%./delorean.py%Kn%Kf%192.168.10.10%Ko%8.8.8.8%Kr%capture.pcap%%
Flooding%to%192.168.10.10%
$%tcpdump%Knn%Kp%Ki%eth1%host%192.168.10.10%
tcpdump:%verbose%output%suppressed,%use%Kv%or%Kvv%for%full%protocol%decode%
listening%on%eth1,%linkKtype%EN10MB%(Ethernet),%capture%size%65535%bytes%
08:26:07.621412%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.682578%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.761407%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.766434%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.843923%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.905666%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48%
08:26:07.922923%IP%8.8.8.8.123%>%192.168.10.10.123:%NTPv4,%Server,%length%48

29. Anti replaying…

30. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations

31. Ubuntu Linux
• Very%simple%
• NTPv4.%
• Each%time%it%connects%to%a%network%(and%at%
boot%time,%of%course).
$%ls%/etc/network/ifKup.d/%
000resolvconf%%avahiKdaemon%%ntpdate%%wpasupplicant%
avahiKautoipd%%%ethtool%%%%%%%%%%%%%upstart

32. Fedora Linux
• The%easiest%
• NTPv3.%
• More%than%one%NTP%server%
• Requests%each%minute!
$%tcpdump%Ki%eth0%Knn%src%port%123%
12:43:50.614191%IP%192.168.1.101.123%>%89.248.106.98.123:%NTPv3,%Client,%length%48%
12:44:55.696390%IP%192.168.1.101.123%>%213.194.159.3.123:%NTPv3,%Client,%length%48%
12:45:59.034059%IP%192.168.1.101.123%>%89.248.106.98.123:%NTPv3,%Client,%length%48

33. Mac OS X - Mavericks
• New%synchronisation%service%
• NTP%daemon%exits,%but%not%synchronises.%
• Just%writes%in%/var/db/ntp.drift%
• A%new%service%called%“pacemaker”%check%
that%file%and%change%the%clock.%
• It%seems%it%doesn’t%work%as%it%should…
http://www.atmythoughts.com/livingKinKaKtechKfamilyKblog/2014/2/28/whatKtimeKisKit

34. Does NTP work?

35. /usr/libexec/ntpd-wrapper

36. Mac OS X - Mavericks

37. Windows
• NTPv3%but…%
• The%most%secure.%
• Synchronisation%each%7%days.%
• More%than%15%hours%drift%isn’t%allowed.%
• Domain%members%work%in%a%different%
way.

38. W32time service

39. Max[Pos|Neg]PhaseCorrection
W7 / W8
15 hours
W2K12 48 hours

40. What the Internet says?

41. Time Skimming Attack
3153600 secs
later
Time Sync

42. Time Skimming Attack
3153600 secs
later
Time Sync

43. Time Skimming Attack
#%./delorean.py%Kk%15h%Kt%10s%Kn%
[21:57:26]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K11%12:57%
[21:57:33]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K12%03:57%
[21:57:37]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K12%18:56%
[21:57:44]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K13%09:56%
[21:57:50]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K14%00:56%
[21:57:58]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K14%15:56%
[21:58:04]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K15%06:56%
[21:58:11]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K15%21:56%
[21:58:17]%Sent%to%192.168.10.105:123%K%Going%to%the%future!%2015K06K16%12:56

44. DEMO

45. Manual Synchronisation

46. Not a silver bullet

47. Lots of things goes wrong…

48. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations

49. Task scheduler

50. Windows automatic updates

51. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations

52. PKI, CAs & Certificates

53. Certificates from the past
Data:
Version: 3 (0x2)
Serial Number:
5d:9e:f1:65:7f:f4:0c:14:e4:19:46:87:0b:b3:7b:fc
Signature Algorithm: sha1WithRSAEncryption
Issuer:
C=US, ST=UT, L=Salt Lake City,
O=The USERTRUST Network,
OU=http://www.usertrust.com,
CN=UTN-USERFirst-Hardware
Validity
Not Before: Sep 19 00:00:00 2008 GMT
Not After : Nov 22 23:59:59 2010 GMT
Subject:
O=The SANS Institute,
OU=Network Operations Center (NOC),
OU=Comodo PremiumSSL Wildcard,
CN=*.sans.org

54. Edo Tensei no Jutsu!

55. Weak certificates
https://www.eff.org/observatory

56. Looking around Las Vegas

57. Let’s look any other…

58. cado-nfs + ec2 in action

59. DEMO

60. Leaked certificates
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56
Signature Algorithm: sha1WithRSAEncryption
Issuer:
emailAddress = info@diginotar.nl
commonName = DigiNotar Public CA 2025
organizationName = DigiNotar
countryName = NL
Validity
Not Before: Jul 10 19:06:30 2011 GMT
Not After : Jul 9 19:06:30 2013 GMT
Subject:
commonName = *.google.com
serialNumber = PK000229200002
localityName = Mountain View
organizationName = Google Inc
countryName = US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):

61. Heartbleed

62. Debian PRNG

63. Certificate Chain

64. Revocation lists
Revoked Certificates:
Serial Number: 08CA22CD4F70A626B07C7A4DB75494FA
Revocation Date: Nov 21 16:46:04 2013 GMT
Serial Number: 017D4D9DF57B784B5D7DF0B9D450D37E
Revocation Date: Nov 21 16:46:04 2013 GMT
Serial Number: 061AD6AD34F67938C0870AAF74FC041A
Revocation Date: Nov 21 17:16:03 2013 GMT
Serial Number: 0FBBD7921F710C02FD9AFF2D4DDCDF12
Revocation Date: Nov 21 17:28:02 2013 GMT
Serial Number: 0656A344CD735B2C52858A4A2AF96EE6
Revocation Date: Nov 21 18:23:02 2013 GMT
Serial Number: 0F0C3DC4EE1229E280938DF6A889B178
Revocation Date: Nov 22 07:21:03 2013 GMT
Serial Number: 0536AC86E884BE1773A78D4D232691A5
Revocation Date: Nov 22 09:52:05 2013 GMT
Serial Number: 0335D45DC4E571A37BDE1869B44C1306
Revocation Date: Nov 24 00:45:02 2013 GMT

65. A CRL over the years

66. Purged CRLs???

67. Purged CRLs???
CRL Issued%date Oldest%revoked
DigiCert%SHA2%Extended%Validation%Server%CA%
(Dropbox,%GitHub)
22/Oct/2013 13/Dec/2013%
(330%certs)
DigiCert%High%Assurance%CAK3%
(Facebook)
02/Apr/2008% 14/Jun/2012%
27/Sep/2014
GeoTrust%Global%CA%
(Google)
20/May/2002 21/May/2002%
(9%certs)
GlobalSign%Organization%Validation%CA%K%
SHA256%K%G2%(LogmeIn)
20/Feb/2014% 31/Mar/2014%
(637%certs)
VeriSign%Class%3%Extended%Validation%SSL%CA%
(Microsoft,%Paypal,%Twitter)
08/Nov/2006% 04/Dec/2012%
(1709%certs)
VeriSign%Class%3%Secure%Server%CA%K%G3%
(Yahoo)
07/Feb/2010 10/Oct/2010%
(41120%certs)

68. Online Certificate Status Protocol

69. What if I can’t connect?
https://www.grc.com/revocation/implementations.htm

70. DEMO

71. Let’s Go!
• Starting from the beginning
• HTTP Strict Transport Security
• Get in a Delorean
• Modern Time Synchronisation
• More attacks
• Windows task scheduler
• Public Key Infrastructure
• Conclusions & Recommendations

72. Conclusions & Recommendations
Facts
• Time synchronisation isn’t managed securely by most operating
system vendors.
• Many security protections relies in time. If an attacker can control the
local clock, lots of things can go wrong.
What to do
• Configure NTP synchronisation in a secure way (Microsoft does):
• Signature.
• Maximum drift.
• Block SSL certificates which expiry date is before the browser build
date or the last update (Chrome does).

73. Special thanks to…
• Pedro Candel (my leaked certs dealer).
• Juan Garrido (microsoft guru).
• Tom Ritter (my factoring mentor).
• All the NCC Group guys and resources.
/mode +nostalgic JoseSelvi
• People who created the Back to the Future saga, War
Games, and all those amazing 80’s movies and
series :’)

74. 71
Jose Selvi
http://twitter.com/JoseSelvi
jselvi@pentester.es
http://www.pentester.es
Jose.Selvi@nccgroup.trust
http://www.nccgroup.trust
Thanks! Questions?