Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

New School Man-in-the-Middle

During our last tool talk at NEOISF, Matt Neely talked about using a Fon (a wireless access point) with Karmetasploit to attack wireless clients for penetration testing. In this talk we will take this concept a step further and show you what the latest techniques are for conducting man-in-the-middle attacks (MITM). First, we will define what man-in-the-middle attacks are and why we should be doing these in our penetration tests. The technical discussion will include talk about our old favorites like Wireshark, Ettercap and Cain. Next, we will show some new techniques introduced with tools like SSLStrip, The Middler, and Network Miner. Finally, we will end with an open discussion on how to defend against man-in-the-middle attacks.

  • Identifiez-vous pour voir les commentaires

New School Man-in-the-Middle

  1. 1. New School Man-IN-THe-Middle Tom Eston SECURITY JUSTICE www.securityjustice.com
  2. 2. Man-In-The-Middle • What is this MITM you speak of? • Old school classics • New school tools • Why use it for pentests? • How to defend?
  3. 3. What is a MITM? • Redirect all traffic to YOU while allowing normal Internet access for the victim(s) • Modify, intercept and capture network traffic • Create DoS
  4. 4. Setting up your Monkey • Traditional ARP Cache Poisoning The MITM becomes the “router” • KARMA on the Fon (WiFi Attack) Karma brings you the victim
  5. 5. ARP Refresher • ARP (Address Resolution Protocol) • How devices associate MAC to IP ARP Request Computer A asks “Who has this IP?” ARP Reply Computer B tells A “That’s me! I have this MAC!” Reverse ARP Request Same as ARP request by Computer A asks “Who has this MAC?” Reverse ARP Reply Computer B tells A “I have that MAC, here is my IP!”
  6. 6. ARP Cache Poisoning • Send fake ARP Reply’s to your victim(s) • Allows sniffing on switched networks • Hijacking of IP traffic between hosts
  7. 7. KARMA on the Fon • The “evil twin” KARMA listens and responds to all! • KARMA on the Fon Route wireless traffic to YOU!
  8. 8. Attacking wireless clients with Karma on the Fon http://dimitar.me/?p=277
  9. 9. Old School MITM Tools
  10. 10. Wireshark • Popular network sniffer • Easy to use • Easy capture of data • Robust filtering • Multi-platform (you probably have it)
  11. 11. Ettercap • Used for filtering, hijacking, ARP cache poisoning and sniffing • GUI, cmd, ncurses! Multi-platform • Cool filters and plugins.... • Inject HTML into existing web pages! Meterpreter payload anyone? • DNS Spoofing (phantom plugin) • Many more...
  12. 12. Cain • Able is a separate program used to conduct remote activities (NT hash dump, console) • Multi-functional “password recovery” tool • Password cracking, scanning, sniffing, ARP poisoning and many related attacks (DNS, HTTPS, POP3S, RDP, etc...) • Much, much more! • Windows only
  13. 13. New School Tools
  14. 14. Network Miner • Passive network sniffer/packet capture tool • Detect OS, sessions, hostnames, open ports, etc... • Easy view of usernames and passwords • Parse PCAP files, search via keywords • Can reassemble files and certs from PCAP files • Windows only
  15. 15. The Middler • Created by Jay Beale and Justin Searle (Inguardians) • Alpha version released at ShmooCon 2009 • Ability to inject Javascript into cleartext traffic • Clone sessions for the attacker (CSRF) • Intercept logout requests • Plugin Architecture • Highlights problem of sites using mixed HTTP/ HTTPS
  16. 16. SSLStrip • Created by Moxie Marlinspike, released at BlackHat DC 2009 • Transparently hijack HTTP traffic on a network • Switches all HTTPS links to HTTP and swaps the user to an insecure look-alike page • Server thinks everything is “a-ok!’ and no SSL cert “warning” • Supports modes for: • supplying a favicon which looks like a lock • selective logging and session denial
  17. 17. SSLStrip Demo
  18. 18. Why use MITM in a Pentest? • Allows more focus on the USERS • Are they aware of HTTP vs. HTTPS? • Highlight insecure protocols (Telnet, Basic HTTP Auth) • Hint: Save PCAP files and run them through multiple tools! (thanks Mubix)
  19. 19. ARP Poisoning Defense • Monitoring Tools ArpON Arpwatch • Static IP’s/Static ARP Tables (not sustainable!) • Turn on “port security” in your switches! • Check out Dynamic ARP Inspection (Cisco DAI)
  20. 20. MITM Defense • User education (hard) • Use a VPN, SSH Tunnel on insecure networks (coffee shops, DEFCON) • Encourage employees to use the VPN when using public wifi!
  21. 21. Linkage: spylogic.net
  22. 22. Questions? Twitter: agent0x0 Web: spylogic.net Email: tom@spylogic.net