telling the time
play

Telling The Time chris.anley@nccgroup.trust The Bug Server - PowerPoint PPT Presentation

Feb 21, 2023 •229 likes •371 views

Telling The Time chris.anley@nccgroup.trust The Bug Server generates a time-based: -Password reset token -Session id -Random password -REST API Key ... For example: PHP uniqid() Gets a prefixed unique identifier based on the current

  1. Telling The Time chris.anley@nccgroup.trust

  2. The Bug Server generates a time-based: -Password reset token -Session id -Random password -REST API Key ...

  3. For example: PHP uniqid() “Gets a prefixed unique identifier based on the current time in microseconds.” CAUTION NOT SECURE WARNING NOT UNIQUE (?!) blah blah SECURE blah UNIQUE blah ...

  4. Check Github $token = uniqid(); // 57eb8c5bbf47b; time $token = md5(uniqid()); // 41eced92fef729c756... time $pwd = substr(md5(uniqid()),0,8);// 41eced92; time srand((double) microtime() * 1000000); $token = md5(uniqid(rand())); // time,time $password = md5(uniqid($session, true));//time,known,time $password = md5(uniqid(time(), true));// time,time,time

  5. Let’s Take a Moment A microsecond is a *really* short period of time “Lightning fast” - a lightning flash takes ~200,000 microseconds. “In the blink of an eye” ~100,000 microseconds “In a flash” ~1000 microseconds British Army L115A3 rifle muzzle velocity: 938 m/s = ~1mm per 1 µ s

  6. The Target - Reset <?php // resetPwd.php date_default_timezone_set("GMT"); ... $pwd = uniqid(); file_put_contents('/tmp/pwd', $pwd ); ...

  7. The Target - Login <?php // login.php $pwd = $_GET['password']; $target = file_get_contents('/tmp/pwd'); if( strcmp( $pwd, $target ) == 0 ) { print("Access Granted<br>"); print("target: $target\\n<BR>"); print(phpinfo()); }

  8. Methodology Could use - ntp, icmp timestamp, snmp, web app... RFC 2616: Origin servers MUST include a Date header field in all responses except: 100,101,500,503 or no clock. If no clock, MUST NOT use expires or last-modified (ie. uncacheable). But date has a resolution of 1,000,000 µ s... (!)

  9. Known Unknowns Find a script with similar timing to the password reset script. Request this many times to find the clock di ff . Date resolution is 1,000,000 µ s, but there's an edge. Correct for distance from the edge. Apply this di ff erence. Brute force (0, 1, -1, 2, -2, 3, -3...)

  10. Req Duration - Metropolitan Frequency 180 150 120 90 60 30 0 17900 20100 22300 24500 26700 28900 31100 33300 35500 Microsecond Req Duration - Leatherhead to Telecity (SOV), Docklands (~30km) 200 µ sec resolution.

  11. Results - Metropolitan Frequency 18 15 12 9 6 3 0 -13200 -11000 -8800 -6600 -4400 -2200 0 2200 Microsecond Error in Brute Force - Leatherhead to Telecity (SOV), Docklands (~30km) 200 µ sec resolution.

  12. Results - Antipodes Frequency 12 10 8 6 4 2 0 -157000 -141000 -125000 -109000 -93000 -77000 -61000 -45000 -29000 -13000 3000 Microsecond Error in Brute Force - Leatherhead to Sydney (ec2), ~17000km, 2000 µ sec resolution.

  13. But what does it mean? We can brute force the µ s time at which a web script will generate a token in: LAN: ~500 requests Metropolitan Area: ~1000 requests (~30 seconds) Antipodes, tiny server: ~40,000 requests (~1 hour) ...without trying very hard...

  14. Questions? Improvements: - Frequency buckets. - Faster client environment. - Reliability testing; use a better network. We haven’t talked about: - Local brute force. - Millisecond brute force. - Remote timing attacks in the literature. - All the many situations in which this is useful...

Recommend

Maths Measurement Maths | Year 4 | Measurement | Telling the Time 12-Hour and 24-Hour | Lesson 1

Maths Measurement Maths | Year 4 | Measurement | Telling the Time 12-Hour and 24-Hour | Lesson 1

Maths Measurement Maths | Year 4 | Measurement | Telling the Time 12-Hour and 24-Hour | Lesson 1 of 4: Telling the Time Minute Intervals Aim I can tell the time to minute intervals. Success Criteria I can count single minutes in a

643 views • 30 slides
Telling Time by the Sun Martha P. Haynes Goldwin Smith Professor of Astronomy Cornell

Telling Time by the Sun Martha P. Haynes Goldwin Smith Professor of Astronomy Cornell

Telling Time by the Sun Martha P. Haynes Goldwin Smith Professor of Astronomy Cornell University CAU Study Tour June 2014 The Arecibo Legacy Fast ALFA (ALFALFA) Survey http://stefanoderosa.com ALFA is not a car It is a radio camera

690 views • 40 slides
TELLING STORIES TECHNOLOGY &amp; MEDIA DREW DAVIDSON A LITTLE BIT ABOUT ME STORIES

TELLING STORIES TECHNOLOGY &amp; MEDIA DREW DAVIDSON A LITTLE BIT ABOUT ME STORIES

TELLING STORIES TECHNOLOGY &amp; MEDIA DREW DAVIDSON A LITTLE BIT ABOUT ME STORIES Fairytales, Folktales, Myths, Legends, Fables Narratives, Fictions, Tales, Dramas Once upon a time Everyday But one day Because of this

986 views • 76 slides
11-823: Conlanging Numbers and Time Numbers and Time Counting Speech and Orthography

11-823: Conlanging Numbers and Time Numbers and Time Counting Speech and Orthography

11-823: Conlanging Numbers and Time Numbers and Time Counting Speech and Orthography Clocks Representing time (and Calendars) Building prompts for telling the time Numbers Counting (English) One, two, three

932 views • 28 slides
PRESENTATION + REPRESENTATION Narrative (Telling a Story) Composition Color

PRESENTATION + REPRESENTATION Narrative (Telling a Story) Composition Color

PRESENTATION + REPRESENTATION Narrative (Telling a Story) Composition Color Palette Font Choices Balancing Text and Graphics Telling a Story... 1. Use narrative to describe your project with pictures and in writing.

859 views • 32 slides
Pat Bode Presentation Telling the Next Generation Let us begin with prayer. Dear Lord God,

Pat Bode Presentation Telling the Next Generation Let us begin with prayer. Dear Lord God,

Pat Bode Presentation Telling the Next Generation Let us begin with prayer. Dear Lord God, Father of us all, we thank you for bringing us here today to hear about the importance of Telling the Next Generation of your great love for

523 views • 6 slides
Its going to happen... Oh s#%t, the network is down!!!! What are you telling me? It's a

Its going to happen... Oh s#%t, the network is down!!!! What are you telling me? It's a

Its going to happen... Oh s#%t, the network is down!!!! What are you telling me? It's a conversation. If you are taking in all the stuff on this page and reading all of the text you are: - Not listening to what I am saying as you

287 views • 6 slides
Aberdeen &amp; Aberdeenshire: Telling the story Lorna Easton Adam Bates Telling the Story of

Aberdeen &amp; Aberdeenshire: Telling the story Lorna Easton Adam Bates Telling the Story of

Telling the Story of Aberdeen &amp; Aberdeenshire Aberdeen &amp; Aberdeenshire: Telling the story Lorna Easton Adam Bates Telling the Story of Aberdeen &amp; Aberdeenshire Telling the Story of Aberdeen &amp; Aberdeenshire For this project we

750 views • 42 slides
IN-THEATER AGENT J DISPLAY The neuralyzer light blinks from time to time and you can here

IN-THEATER AGENT J DISPLAY The neuralyzer light blinks from time to time and you can here

IN-THEATER AGENT J DISPLAY The neuralyzer light blinks from time to time and you can here the voice of agent J telling you a story to cover up the truth, such as the golden fish story from the trailer. IN-THEATER Men in Black at the

188 views • 15 slides
LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of

LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of

TIF FINANCING: Allan-Charles Chipman LONGITUDINAL DATA AND FISCAL IMPACT TRANSPARENCY Transparency is telling all of the people all of the truth Transparency can be violated in two ways: 1. Telling some of the people all of the truth 2.

518 views • 35 slides
The First Impression What You Are Telling Clients Without Saying A Word! An effective

The First Impression What You Are Telling Clients Without Saying A Word! An effective

First Impressions Presentation and Headshot Coaching Demo Chris Joyce 502-639-9557 The First Impression What You Are Telling Clients Without Saying A Word! An effective Social Media presence can really give you a positive head start when

239 views • 7 slides
Hour and Half Hour Return to Table of Contents Slide 5 / 87 Telling Time What do you know

Hour and Half Hour Return to Table of Contents Slide 5 / 87 Telling Time What do you know

Slide 1 / 87 Slide 2 / 87 3rd Grade Time, Volume &amp; Mass 2015-10-22 www.njctl.org Slide 3 / 87 Table of Contents click on the topic to go to that section Hour and Half Hour Quarter Hour, 5 Minute and 1 Minute Elapsed Time AM

546 views • 29 slides
Hour and Half Hour Return to Table of Contents Slide 5 / 87 Telling Time What do you know

Hour and Half Hour Return to Table of Contents Slide 5 / 87 Telling Time What do you know

Slide 1 / 87 Slide 2 / 87 3rd Grade Time, Volume &amp; Mass 2015-10-22 www.njctl.org Slide 3 / 87 Table of Contents click on the topic to go to that section Hour and Half Hour Quarter Hour, 5 Minute and 1 Minute Elapsed Time AM

577 views • 44 slides
TELLING YOUR STORY When it comes to a Marketing Strategy you already have what you need. Your

TELLING YOUR STORY When it comes to a Marketing Strategy you already have what you need. Your

TELLING YOUR STORY When it comes to a Marketing Strategy you already have what you need. Your Story Make sure you tell it! Powerful Meaningful Sincere ANSWER THE PUBLIC What does your audience want to know about you?

631 views • 29 slides
your sTory Telling Effective church newsletters By Rick Frennea editor of The Edgewood

your sTory Telling Effective church newsletters By Rick Frennea editor of The Edgewood

your sTory Telling Effective church newsletters By Rick Frennea editor of The Edgewood Epistle Edgewood Presbyterian Church Your identitY Telling your story Who are we? What do we have to say (share)? What is the life of our

417 views • 38 slides
Is the B/C slope in AMS-02 data actually telling us something about the diffusion coefficient

Is the B/C slope in AMS-02 data actually telling us something about the diffusion coefficient

Is the B/C slope in AMS-02 data actually telling us something about the diffusion coefficient slope ? P.I. Batista, M. Vecchi, D. Maurin, ++ List of authors to be updated Scientific motivations and goals There is a common misconception about

542 views • 19 slides
Physical Education Telling Stories Through Gymnastics Speakers:

Physical Education Telling Stories Through Gymnastics Speakers:

Physical Education Telling Stories Through Gymnastics Speakers: Heidi Bohler, Robert Rausch, and Kate Stanne Westfield State University.

136 views • 10 slides
Welcome! Helping You QUIT! At TCPT we are ready to help you quit! By taking the time to

Welcome! Helping You QUIT! At TCPT we are ready to help you quit! By taking the time to

Welcome! Helping You QUIT! At TCPT we are ready to help you quit! By taking the time to review this information you are telling us You are interested in quitting smoking And you want to know how we can support your goal Why

378 views • 16 slides
received in the past. It s nice to have a brief chat as we are going around the wards, telling

received in the past. It s nice to have a brief chat as we are going around the wards, telling

I love being a volunteer. I am glad I can give something back for the service my husband and I have received in the past. It s nice to have a brief chat as we are going around the wards, telling patients that their hair looks nice etc, as it

517 views • 48 slides
Theres Dataand Then Theres Data : Telling Your Institution's Story Sherry Yennello,

Theres Dataand Then Theres Data : Telling Your Institution's Story Sherry Yennello,

Theres Dataand Then Theres Data : Telling Your Institution's Story Sherry Yennello, ADVANCE PI Texas A&amp;M University This material is based upon work supported by the National Science Foundation under NSF Cooperative Agreement No.

267 views • 13 slides
Mathemusicking with children: Doing music and math without telling them apart Srikumar Karaikudi

Mathemusicking with children: Doing music and math without telling them apart Srikumar Karaikudi

Mathemusicking with children: Doing music and math without telling them apart Srikumar Karaikudi Subramanian http://sriku.org srikumarks@gmail.com Ph.D., Dept. of Communications and New Media, NUS Principal Architect, Pramati

1.11k views • 46 slides
Telling the Story of How We Got Here: Part I Presented by: Lucas Smiraldo Organizations only

Telling the Story of How We Got Here: Part I Presented by: Lucas Smiraldo Organizations only

` Telling the Story of How We Got Here: Part I Presented by: Lucas Smiraldo Organizations only improve where the truth is told and the brutal facts confronted. -Jim Collins 2 Human progress is neither automatic nor inevitable... Every

1.16k views • 20 slides
1 Corinthians 16:9 Telling People About the Need Isnt Enough Chris+anityworks Fundraising

1 Corinthians 16:9 Telling People About the Need Isnt Enough Chris+anityworks Fundraising

17/9/17 1 Corinthians 16:9 Telling People About the Need Isnt Enough Chris+anityworks Fundraising Presenta+on 1 17/9/17 The Universal Revenue Model Average Donors x Dona+ons x = Income $1 mil 1000 6 $167 x x = 25% Downturn

299 views • 19 slides
Welcome. Telling the Co-op Story so People Actually Listen The Co-op Dilemma I asked my wife.

Welcome. Telling the Co-op Story so People Actually Listen The Co-op Dilemma I asked my wife.

Welcome. Telling the Co-op Story so People Actually Listen The Co-op Dilemma I asked my wife. Quaint Innocuous Well-meaning folks Leftie Wooly Flakey Seduction Help people believe. Respect brains.

1.33k views • 91 slides

More recommend