
Attack tab proposal

Open andresriancho opened this issue 10 years ago • 2 comments

User story

As a user I want to be able to exploit timing vulnerabilities using time-trial

Limitations

  • The algorithm I'll implement requires the attacker to have a valid token/password.
  • The algorithm I'll implement performs a timing attack for the first N chars and then performs a brute-force attack for the last M bytes (N, M are TBD)
  • The algorithm will find only one extra valid token, not all the existing ones

Conditions of satisfaction

  • [ ] User can easily configure the attack
  • [ ] The attack is automated

User input

The user needs to be able to configure the following settings (which are duplicates from the creation of a new trial):

  • [ ] Trial type
  • [ ] Name
  • [ ] Repetitions
  • [ ] Description
  • [ ] Request URL
  • [ ] HTTP request
  • [ ] Racer
  • [ ] CPU core
  • [ ] Real-time scheduling

These extra settings are required:

  • [ ] Bruteforce charset, for example "abcdef..." or "0123456789"
  • [ ] Valid token/password
  • [ ] First token characters to keep unmodified during bruteforce phase (>0)
  • [ ] Analysis lower quantile (for box test during attack)
  • [ ] Analysis upper quantile (for box test during attack)

When specifying the HTTP request the user needs to use $TIME_TRIAL$ in the part of the request where time trial will perform the brute force.

Algorithm

  • User inputs valid token ab123, valid charset 0123456789abcdef and token chars to keep untouched
  • Algorithm asserts that token length is at least 5 characters
  • Algorithm asserts that token chars to keep untouched is >0
  • Time trial gathers timing information for ab100 and ab200. These tokens are created using the valid token + number of characters to keep untouched; and finally padding with the first valid charset char to the right.
  • Time trial asserts that it is able to differentiate between these two data sets. If this is True then time trial knows it is able to bruteforce the token byte per byte
  • Time attack process is performed for all bytes after the "untouched" ones
  • Time trial sends the following tests abc100 (a), ab110 (b)
  • Compares A and B using the box test. If A takes less time than B it means that 0 is a valid character after abc1.
  • Test continues with abc10 as the beginning of the valid token and time-attacks the next character (unless brute-force takes less HTTP requests)
  • In the case where the algorithm detects no time difference between all the tested characters in the defined charset the algorithm stops with an error

Last M characters brute-force

The algorithm will brute-force the last M characters. M is calculated using:

  • Attack repetitions
  • User defined charset

The goal is to brute-force only when the number of HTTP requests used for the brute-force is less than the number used for the timing attack.

Ideas and potential improvements

  • The algorithm has no backtracking, so if it makes a mistake

andresriancho, Oct 30 '15 18:10
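The following is an added simulation of the algorithm proposed above (my own example, not time_trial's code and not the implementation in the linked branch): the ab100/ab200 pre-flight check, the box test on two data sets with user-chosen lower/upper quantiles, the character-by-character timing phase, the choice of M for the final brute-force phase, and the constant-time comparison that makes the timing phase fail. All response times are simulated in-process, nothing is sent over HTTP. Assumptions that are mine and not the issue's: the target compares the submitted token to the secret one character at a time and returns at the first mismatch, so a longer correct prefix means a slower response (the issue's example treats the faster candidate as the hit, which depends on the target); network jitter is modelled as seeded Gaussian noise; the secret "ab123def" and the cost constants are constructed sample values.

```python
"""Simulation of the proposed attack-tab algorithm (added example, not
time_trial's own code).  Assumption (mine): the target uses an early-exit
comparison, so the correct candidate is the *slowest* one."""
import itertools
import random
import hmac

SECRET = "ab123def"            # constructed sample token (issue uses ab123)
CHARSET = "0123456789abcdef"   # charset from the issue
PER_CHAR_COST = 1.0            # simulated cost per compared character
NOISE_SD = 0.2                 # simulated jitter, same arbitrary units


def leaky_compare(secret, token):
    """Early-exit comparison: returns how many characters were examined."""
    examined = 0
    for s, t in zip(secret, token):
        examined += 1
        if s != t:
            break
    return examined


def constant_time_compare(secret, token):
    """Mitigation: compare_digest examines every byte whatever the input,
    so the simulated cost no longer depends on the submitted token."""
    hmac.compare_digest(secret.encode(), token.encode())
    return len(secret)


def sample_times(compare, token, repetitions, rng):
    """One trial: `repetitions` simulated response times for one token."""
    base = compare(SECRET, token) * PER_CHAR_COST
    return [base + rng.gauss(0.0, NOISE_SD) for _ in range(repetitions)]


def quantile(samples, q):
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


def box_test(a, b, lower_q, upper_q):
    """'a' if A's upper quantile lies below B's lower quantile (A faster),
    'b' for the mirror case, None if the two data sets are not separable."""
    if quantile(a, upper_q) < quantile(b, lower_q):
        return "a"
    if quantile(b, upper_q) < quantile(a, lower_q):
        return "b"
    return None


def candidate_token(prefix, char, length):
    """prefix + char, padded to the right with the first charset character."""
    return (prefix + char).ljust(length, CHARSET[0])


def sanity_check(compare, keep, repetitions, lower_q, upper_q, rng):
    """Pre-flight test from the issue: is ab100 distinguishable from ab200?"""
    length = len(SECRET)
    good = candidate_token(SECRET[:keep], SECRET[keep], length)
    wrong = next(c for c in CHARSET if c != SECRET[keep])
    bad = candidate_token(SECRET[:keep], wrong, length)
    return box_test(sample_times(compare, good, repetitions, rng),
                    sample_times(compare, bad, repetitions, rng),
                    lower_q, upper_q) is not None


def bruteforce_suffix_length(remaining, charset_len, repetitions):
    """Largest M <= remaining for which exhausting the last M characters
    (charset_len**M requests) costs fewer requests than timing them one at a
    time (M * charset_len * repetitions requests)."""
    best = 0
    for m in range(1, remaining + 1):
        if charset_len ** m < m * charset_len * repetitions:
            best = m
    return best


def recover_char(compare, prefix, repetitions, lower_q, upper_q, rng):
    """Time every charset character in the next position; the hit must be
    slower than all other candidates under the box test, else stop (the
    issue's 'no time difference between all tested characters' error)."""
    length = len(SECRET)
    data = {c: sample_times(compare, candidate_token(prefix, c, length),
                            repetitions, rng) for c in CHARSET}
    slowest = max(CHARSET, key=lambda c: quantile(data[c], 0.5))
    for other in CHARSET:
        if other != slowest and box_test(data[other], data[slowest],
                                         lower_q, upper_q) != "a":
            return None
    return slowest


def run_attack(compare, keep=2, repetitions=40, lower_q=0.05, upper_q=0.25, seed=1):
    """Returns (recovered token or None, number of simulated requests)."""
    assert keep > 0 and len(SECRET) >= 5          # the issue's two assertions
    rng = random.Random(seed)
    requests = 2 * repetitions
    if not sanity_check(compare, keep, repetitions, lower_q, upper_q, rng):
        return None, requests
    m = bruteforce_suffix_length(len(SECRET) - keep, len(CHARSET), repetitions)
    prefix = SECRET[:keep]
    while len(prefix) < len(SECRET) - m:          # timing phase
        requests += len(CHARSET) * repetitions
        ch = recover_char(compare, prefix, repetitions, lower_q, upper_q, rng)
        if ch is None:
            return None, requests
        prefix += ch
    for suffix in itertools.product(CHARSET, repeat=m):   # brute-force phase
        requests += 1
        token = prefix + "".join(suffix)
        if token == SECRET:                       # simulated 'accepted' reply
            return token, requests
    return None, requests
```

With the defaults (16-character charset, 40 repetitions, 6 unknown characters) bruteforce_suffix_length returns M=2, so the timing phase recovers four characters at 640 simulated requests each and the last two are exhausted in at most 256; against constant_time_compare the pre-flight check or the first timed position already fails and run_attack returns None, which is exactly the outcome the "no time difference" error is meant to report.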

Initial implementation and unittests at https://github.com/andresriancho/time_trial/tree/develop/time_trial_gui/lib/attack

andresriancho, Oct 31 '15 15:10

Still need to work on the GUI, but the tests do PASS :+1:

andresriancho, Oct 31 '15 15:10