telling the time
play

Telling The Time chris.anley@nccgroup.trust The Bug Server - PowerPoint PPT Presentation

Feb 21, 2023 •229 likes •371 views

Telling The Time chris.anley@nccgroup.trust The Bug Server generates a time-based: -Password reset token -Session id -Random password -REST API Key ... For example: PHP uniqid() Gets a prefixed unique identifier based on the current

  1. Telling The Time chris.anley@nccgroup.trust

  2. The Bug Server generates a time-based: -Password reset token -Session id -Random password -REST API Key ...

  3. For example: PHP uniqid() “Gets a prefixed unique identifier based on the current time in microseconds.” CAUTION NOT SECURE WARNING NOT UNIQUE (?!) blah blah SECURE blah UNIQUE blah ...

  4. Check Github $token = uniqid(); // 57eb8c5bbf47b; time $token = md5(uniqid()); // 41eced92fef729c756... time $pwd = substr(md5(uniqid()),0,8);// 41eced92; time srand((double) microtime() * 1000000); $token = md5(uniqid(rand())); // time,time $password = md5(uniqid($session, true));//time,known,time $password = md5(uniqid(time(), true));// time,time,time

  5. Let’s Take a Moment A microsecond is a *really* short period of time “Lightning fast” - a lightning flash takes ~200,000 microseconds. “In the blink of an eye” ~100,000 microseconds “In a flash” ~1000 microseconds British Army L115A3 rifle muzzle velocity: 938 m/s = ~1mm per 1 µ s

  6. The Target - Reset <?php // resetPwd.php date_default_timezone_set("GMT"); ... $pwd = uniqid(); file_put_contents('/tmp/pwd', $pwd ); ...

  7. The Target - Login <?php // login.php $pwd = $_GET['password']; $target = file_get_contents('/tmp/pwd'); if( strcmp( $pwd, $target ) == 0 ) { print("Access Granted<br>"); print("target: $target\\n<BR>"); print(phpinfo()); }

  8. Methodology Could use - ntp, icmp timestamp, snmp, web app... RFC 2616: Origin servers MUST include a Date header field in all responses except: 100,101,500,503 or no clock. If no clock, MUST NOT use expires or last-modified (ie. uncacheable). But date has a resolution of 1,000,000 µ s... (!)

  9. Known Unknowns Find a script with similar timing to the password reset script. Request this many times to find the clock di ff . Date resolution is 1,000,000 µ s, but there's an edge. Correct for distance from the edge. Apply this di ff erence. Brute force (0, 1, -1, 2, -2, 3, -3...)

  10. Req Duration - Metropolitan Frequency 180 150 120 90 60 30 0 17900 20100 22300 24500 26700 28900 31100 33300 35500 Microsecond Req Duration - Leatherhead to Telecity (SOV), Docklands (~30km) 200 µ sec resolution.

  11. Results - Metropolitan Frequency 18 15 12 9 6 3 0 -13200 -11000 -8800 -6600 -4400 -2200 0 2200 Microsecond Error in Brute Force - Leatherhead to Telecity (SOV), Docklands (~30km) 200 µ sec resolution.

  12. Results - Antipodes Frequency 12 10 8 6 4 2 0 -157000 -141000 -125000 -109000 -93000 -77000 -61000 -45000 -29000 -13000 3000 Microsecond Error in Brute Force - Leatherhead to Sydney (ec2), ~17000km, 2000 µ sec resolution.

  13. But what does it mean? We can brute force the µ s time at which a web script will generate a token in: LAN: ~500 requests Metropolitan Area: ~1000 requests (~30 seconds) Antipodes, tiny server: ~40,000 requests (~1 hour) ...without trying very hard...

  14. Questions? Improvements: - Frequency buckets. - Faster client environment. - Reliability testing; use a better network. We haven’t talked about: - Local brute force. - Millisecond brute force. - Remote timing attacks in the literature. - All the many situations in which this is useful...

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Maths Measurement Maths | Year 4 | Measurement | Telling the Time 12-Hour and 24-Hour | Lesson 1

Maths Measurement Maths | Year 4 | Measurement | Telling the Time 12-Hour and 24-Hour | Lesson 1

Maths Measurement Maths | Year 4 | Measurement | Telling the Time 12-Hour and 24-Hour | Lesson 1 of 4: Telling the Time Minute Intervals Aim I can tell the time to minute intervals. Success Criteria I can count single minutes in a

643 views • 30 slides
Telling Time by the Sun Martha P. Haynes Goldwin Smith Professor of Astronomy Cornell

Telling Time by the Sun Martha P. Haynes Goldwin Smith Professor of Astronomy Cornell

Telling Time by the Sun Martha P. Haynes Goldwin Smith Professor of Astronomy Cornell University CAU Study Tour June 2014 The Arecibo Legacy Fast ALFA (ALFALFA) Survey http://stefanoderosa.com ALFA is not a car It is a radio camera

690 views • 40 slides
TELLING STORIES TECHNOLOGY &amp; MEDIA DREW DAVIDSON A LITTLE BIT ABOUT ME STORIES

TELLING STORIES TECHNOLOGY &amp; MEDIA DREW DAVIDSON A LITTLE BIT ABOUT ME STORIES

TELLING STORIES TECHNOLOGY &amp; MEDIA DREW DAVIDSON A LITTLE BIT ABOUT ME STORIES Fairytales, Folktales, Myths, Legends, Fables Narratives, Fictions, Tales, Dramas Once upon a time Everyday But one day Because of this

986 views • 76 slides
11-823: Conlanging Numbers and Time Numbers and Time Counting Speech and Orthography

11-823: Conlanging Numbers and Time Numbers and Time Counting Speech and Orthography

11-823: Conlanging Numbers and Time Numbers and Time Counting Speech and Orthography Clocks Representing time (and Calendars) Building prompts for telling the time Numbers Counting (English) One, two, three

932 views • 28 slides
PRESENTATION + REPRESENTATION Narrative (Telling a Story) Composition Color

PRESENTATION + REPRESENTATION Narrative (Telling a Story) Composition Color

PRESENTATION + REPRESENTATION Narrative (Telling a Story) Composition Color Palette Font Choices Balancing Text and Graphics Telling a Story... 1. Use narrative to describe your project with pictures and in writing.

859 views • 32 slides
Pat Bode Presentation Telling the Next Generation Let us begin with prayer. Dear Lord God,

Pat Bode Presentation Telling the Next Generation Let us begin with prayer. Dear Lord God,

Pat Bode Presentation Telling the Next Generation Let us begin with prayer. Dear Lord God, Father of us all, we thank you for bringing us here today to hear about the importance of Telling the Next Generation of your great love for

523 views • 6 slides
Its going to happen... Oh s#%t, the network is down!!!! What are you telling me? It's a

Its going to happen... Oh s#%t, the network is down!!!! What are you telling me? It's a

Its going to happen... Oh s#%t, the network is down!!!! What are you telling me? It's a conversation. If you are taking in all the stuff on this page and reading all of the text you are: - Not listening to what I am saying as you

287 views • 6 slides
Aberdeen &amp; Aberdeenshire: Telling the story Lorna Easton Adam Bates Telling the Story of

Aberdeen &amp; Aberdeenshire: Telling the story Lorna Easton Adam Bates Telling the Story of

Telling the Story of Aberdeen &amp; Aberdeenshire Aberdeen &amp; Aberdeenshire: Telling the story Lorna Easton Adam Bates Telling the Story of Aberdeen &amp; Aberdeenshire Telling the Story of Aberdeen &amp; Aberdeenshire For this project we

750 views • 42 slides
IN-THEATER AGENT J DISPLAY The neuralyzer light blinks from time to time and you can here

IN-THEATER AGENT J DISPLAY The neuralyzer light blinks from time to time and you can here

IN-THEATER AGENT J DISPLAY The neuralyzer light blinks from time to time and you can here the voice of agent J telling you a story to cover up the truth, such as the golden fish story from the trailer. IN-THEATER Men in Black at the

188 views • 15 slides
LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of

LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of

TIF FINANCING: Allan-Charles Chipman LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of the truth Transparency can be violated in two ways: 1. Telling some of the people all of the truth 2.

518 views • 35 slides
The First Impression What You Are Telling Clients Without Saying A Word! An effective

The First Impression What You Are Telling Clients Without Saying A Word! An effective

First Impressions Presentation and Headshot Coaching Demo Chris Joyce 502-639-9557 The First Impression What You Are Telling Clients Without Saying A Word! An effective Social Media presence can really give you a positive head start when

239 views • 7 slides
Hour and Half Hour Return to Table of Contents Slide 5 / 87 Telling Time What do you know

Hour and Half Hour Return to Table of Contents Slide 5 / 87 Telling Time What do you know

Slide 1 / 87 Slide 2 / 87 3rd Grade Time, Volume &amp; Mass 2015-10-22 www.njctl.org Slide 3 / 87 Table of Contents click on the topic to go to that section Hour and Half Hour Quarter Hour, 5 Minute and 1 Minute Elapsed Time AM

546 views • 29 slides
Hour and Half Hour Return to Table of Contents Slide 5 / 87 Telling Time What do you know

Hour and Half Hour Return to Table of Contents Slide 5 / 87 Telling Time What do you know

Slide 1 / 87 Slide 2 / 87 3rd Grade Time, Volume &amp; Mass 2015-10-22 www.njctl.org Slide 3 / 87 Table of Contents click on the topic to go to that section Hour and Half Hour Quarter Hour, 5 Minute and 1 Minute Elapsed Time AM

577 views • 44 slides
TELLING YOUR STORY When it comes to a Marketing Strategy you already have what you need. Your

TELLING YOUR STORY When it comes to a Marketing Strategy you already have what you need. Your

TELLING YOUR STORY When it comes to a Marketing Strategy you already have what you need. Your Story Make sure you tell it! Powerful Meaningful Sincere ANSWER THE PUBLIC What does your audience want to know about you?

631 views • 29 slides
your sTory Telling Effective church newsletters By Rick Frennea editor of The Edgewood

your sTory Telling Effective church newsletters By Rick Frennea editor of The Edgewood

your sTory Telling Effective church newsletters By Rick Frennea editor of The Edgewood Epistle Edgewood Presbyterian Church Your identitY Telling your story Who are we? What do we have to say (share)? What is the life of our

417 views • 38 slides
Is the B/C slope in AMS-02 data actually telling us something about the diffusion coefficient

Is the B/C slope in AMS-02 data actually telling us something about the diffusion coefficient

Is the B/C slope in AMS-02 data actually telling us something about the diffusion coefficient slope ? P.I. Batista, M. Vecchi, D. Maurin, ++ List of authors to be updated Scientific motivations and goals There is a common misconception about

542 views • 19 slides
Opportunities for Spin Physics at NICA O.Kouznetsov and I.Savin Veksler &amp; Baldin Laboratory

Opportunities for Spin Physics at NICA O.Kouznetsov and I.Savin Veksler &amp; Baldin Laboratory

Opportunities for Spin Physics at NICA O.Kouznetsov and I.Savin Veksler &amp; Baldin Laboratory of High Energy Physics, JINR, Dubna 1 Opportunities for Polarized Physics at Fermilab, May 20-22, 2013 FNAL NICA Nuclotron-based Ion Collider

262 views • 25 slides
1 John Series Lesson #073 August 25, 2002 Dean Bible Ministries www.deanbibleministries.org

1 John Series Lesson #073 August 25, 2002 Dean Bible Ministries www.deanbibleministries.org

1 John Series Lesson #073 August 25, 2002 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. 1 John 4:19, We love Him because He first loved us. 1. There are basically three Greek New Testaments available for

633 views • 34 slides
Recent B A B AR Studies of Bottomonium States Claudia Patrignani Universit e INFN Genova for

Recent B A B AR Studies of Bottomonium States Claudia Patrignani Universit e INFN Genova for

Recent B A B AR Studies of Bottomonium States Claudia Patrignani Universit e INFN Genova for the B A B AR Collaboration HADRON 2011 XIV International Conference on Hadron Spectroscopy 13-17 June 2011 Mnchen (Germany) Inclusive

737 views • 16 slides
11-737 Multilingual NLP Lang in 10: Hindi Example of 10 minute presentation on a language Hindi

11-737 Multilingual NLP Lang in 10: Hindi Example of 10 minute presentation on a language Hindi

11-737 Multilingual NLP Lang in 10: Hindi Example of 10 minute presentation on a language Hindi Hindi spoken in Northern India 320mn native speakers 270 L2 speakers 3 rd or 4 th most spoken language in world (after

753 views • 9 slides
Classes (II) Ling-Chieh Kung Department of Information Management National Taiwan University

Classes (II) Ling-Chieh Kung Department of Information Management National Taiwan University

friend , this , and const Static members Objects and pointers Programming Design Classes (II) Ling-Chieh Kung Department of Information Management National Taiwan University Programming Design Classes (II) 1 / 38 Ling-Chieh Kung (NTU IM)

419 views • 38 slides
Exotic atoms by the DIRAC experiment Mikhail Zhabitsky for the DIRAC Collaboration (CERN PS-212)

Exotic atoms by the DIRAC experiment Mikhail Zhabitsky for the DIRAC Collaboration (CERN PS-212)

K atoms Long-lived + atoms Results and Outlook Exotic atoms by the DIRAC experiment Mikhail Zhabitsky for the DIRAC Collaboration (CERN PS-212) Joint Institute for Nuclear Research, Dubna CERN, the European Organization for

464 views • 25 slides
Orientation Data: legal and ethical issues Last few lectures: distributional semantics (technical

Orientation Data: legal and ethical issues Last few lectures: distributional semantics (technical

Orientation Data: legal and ethical issues Last few lectures: distributional semantics (technical aspects). Your next assignment (out Friday) explores some of these ideas. Sharon Goldwater Work with data extracted from Twitter (co-occurrence

387 views • 10 slides
Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior

Hunting malware using its fingerprints Piotr Biaczak About me Piotr Biaczak Senior Researcher CERT Polska/NASK/ Warsaw University of Technology piotr.bialczak@cert.pl Twitter: @bialczakp 2 Malware hunting A mouse and cat game? 3

828 views • 28 slides

More recommend