alice and bob are eff'd
Post on 15-Feb-2017
28 Views
Preview:
TRANSCRIPT
alice and bob are f**ked
alice and bob are f**kedjason ross
narcissism
i work here
i play here
i malware
if you need notes for this slide, you suck.2
intro to mitm
theres aliceand bobthey want to talk to each other.because theyre friends.mallory hates them both. shes got a plan. if she can jump into one of their conversations,she can cause all kinds of problems.3
traditional mitm techniquesarp spoof/poisoningdsniff / ettercap / cain
dns poisoningdns-mre
802.11 trickskarma/airbase
dhcp exhaustionscapy / metasploit (digininjas mods)
theres a number of techniques for accomplishing man-in-the-middle attacks.heres a list of the more common ones, and some of the tools that can be used to perform them.
* arp spoofing tricks other machines on the network into thinking youre the gateway host. this results in the attacking host acting as the router for the network. because it is the router, all packets can be intercepted.
* dns poisoning can be used to inject an attackers ip address into the answer section of a dns query. this results in a victim host believing the attackers IP is the correct address for, say, paypal.com
* 802.11 tricks typically involve setting up a rogue AP. wireless clients connect to the AP, resulting in the attacker again acting as a gateway device and router, able to intercept all traffic from the victim machine.
* dhcp exhaustion is generally performed by sending a flood of dhcp request packets, and accepting all resulting dhcp offers until the dhcp server pool has been entirely consumed by the attacking machine. more complicated versions attempt to send dhcp release packets for existing hosts, in an attempt to knock them off the network. once all dhcp addresses are owned by the attacker, it can send out dhcp replies to new requests and assign addresses from the pool it now owns. the result once again is that the attacker becomes the gateway device for the victim machines.4
problems with mitmcan be painful to maintain
arp poisoning is problematic
encryption!
passive capture is fun, but may not be enough
details in the next few slides5
painfulmaintenance
iptables works well
but managing long lists of rules is a pain
and you still have to do something useful with the traffic you intercept
maintenance window!
youve just become the router on a network with somewhere between 50 and 150 hosts. you need to intercept specific traffic, monitor it, and potentially manipulate the data being sent between the client and server.how do you do that effectively?
*hint*: manually adding iptables for everything you want + managing a crapton of netsed regex statements is not effective.6
arp poisoning isnt idealbusy networks will kill the poisoning host
its likely to get noticed
even when it works, its fickle
odds are in favor of the network
when you arp poison a network, its essentially you vs. every machine on the segment.
because each machine is trying to respond to arp requests with valid information as youre trying to respond with bogus information, theres a dramatic increase in the total amount of traffic.
additionally, any success is limited, as the valid arp data is constantly being sent by the legit hosts.7
crypto ftw sucksfew tools dynamically handle certs
ones that do are generally passive listeners (sslsniff)
those that do manipulate traffic & dynamically handle certs dont do well if the traffic is not HTTP (burp)
8
pics or it didnt suck
using cain, i arp poisoned my whole network (a /24, with 6 live hosts)i then checked email using imaps, and both twitter and gmail over https.the end result was that, while cain captured the certs, the connections werent successfully intercepted.worse, in the case of the twitter connection, cain was able to snarf the twitter information, but it was completely wrong.
9
data capture is fun
remember tjx and heartland, from back before anti-nony-lulzsec made everyone forget about actual hacking by releasing a tsunami of dox?they are examples of what can happen when someone just passively captures data (crypted or plain).
then theres the obligatory hipsters sitting in starbucks credentials theft scenario. whatever.10
mucking with packets is bettermobile app testing requires more than passive capture.
why just watch wifi traffic, when you could be injecting client side exploits into the streams?
could using mitm help social engineering?
enter mallory
mallory isa tcp mitm proxy
that supports fuzzing
and tcp stream editing
mallory is notburp
terribly well supported
necessarily stable
how to get mallorybitbucket.org/IntrepidusGroup/malloryinstall ubunturun the mallory install scriptdone.
download the minimal vm image, and run the update script for that (deprecated)
licensingpython foundation software license v2
except the gui. thats gpl3
some familiar challengeshave to get traffic to the mallory hostpptpgateway box (virtual or otherwise)traditional mitm techniques already covered
but now you can do stuff easilypause the streams (tcp/udp)
manipulate packets (manually, or via rulesets)
create modules to deal with unknown protocols
then muck with that data
recent changes to mallorygui vastly improved
configuration moved to gui
rules / mucking syntax made much better
many rules / mucking bugs fixed
stuff ive donecreated the install / update scriptsfor the vm imagefor standard ubuntu iso installs (10.10 & 11.04)
completely redesigned the directory structuremade it *nix-ishfor great justice!
added random shell scripts / minor code tweaks
code tweaks: updated a lot of files to work with the new directory structuredchanged the codebase to use native set() instead of python Sets module
20
common problemsrules gui is confusing
protocols configuration is confusing
traffic doesnt show up in the stream
solutionsthink backwardsneed to have a rule before you can edit it
uncommented protocols get handled by the protocol handler, not the tcp debugger
yeah, that sucks
demo!
endgame
mallory pwns!
mallory supportbitbucket issues tickets
google group
intrepidusgroup.com/insight/mallory
[stop]@rossja
algorythm@gmail.com
top related