During our last tool talk at NEOISF, Matt Neely talked about using a Fon (a wireless access point) with Karmetasploit to attack wireless clients for penetration testing. In this talk we will take this concept a step further and show you what the latest techniques are for conducting man-in-the-middle attacks (MITM). First, we will define what man-in-the-middle attacks are and why we should be doing these in our penetration tests. The technical discussion will include talk about our old favorites like Wireshark, Ettercap and Cain. Next, we will show some new techniques introduced with tools like SSLStrip, The Middler, and Network Miner. Finally, we will end with an open discussion on how to defend against man-in-the-middle attacks.
• What is this MITM you speak of?
• Old school classics
• New school tools
• Why use it for pentests?
• How to defend?
What is a MITM?
• Redirect all traffic to YOU while allowing
normal Internet access for the victim(s)
• Modify, intercept and capture network
• Create DoS
Setting up your Monkey
• Traditional ARP Cache Poisoning
The MITM becomes the “router”
• KARMA on the Fon (WiFi Attack)
Karma brings you the victim
• ARP (Address Resolution Protocol)
• How devices associate MAC to IP
Computer A asks “Who has this IP?”
Computer B tells A “That’s me! I have this MAC!”
Reverse ARP Request
Same as an ARP request, except Computer A asks “Who has this MAC?”
Reverse ARP Reply
Computer B tells A “I have that MAC, here is my IP!”
ARP Cache Poisoning
• Send fake ARP Replies to your victim(s)
• Allows sniffing on switched networks
• Hijacking of IP traffic between hosts
KARMA on the Fon
• The “evil twin”
KARMA listens and
responds to all!
• KARMA on the Fon
Route wireless traffic to
Attacking wireless clients with Karma on the Fon
• Popular network sniffer
• Easy to use
• Easy capture of data
• Robust filtering
• Multi-platform (you probably have it)
• Used for filtering, hijacking, ARP cache poisoning
• GUI, cmd, ncurses! Multi-platform
• Cool filters and plugins....
• Inject HTML into existing web pages!
Meterpreter payload anyone?
• DNS Spoofing (phantom plugin)
• Many more...
• Able is a separate program used to conduct
remote activities (NT hash dump, console)
• Multi-functional “password recovery” tool
• Password cracking, scanning, sniffing, ARP
poisoning and many related attacks (DNS,
HTTPS, POP3S, RDP, etc...)
• Much, much more!
• Windows only
• Passive network sniffer/packet capture tool
• Detect OS, sessions, hostnames, open ports,
• Easy view of usernames and passwords
• Parse PCAP files, search via keywords
• Can reassemble files and certs from PCAP files
• Windows only
• Created by Jay Beale and Justin Searle (Inguardians)
• Alpha version released at ShmooCon 2009
• Clone sessions for the attacker (CSRF)
• Intercept logout requests
• Plugin Architecture
• Highlights problem of sites using mixed HTTP/
• Created by Moxie Marlinspike, released at BlackHat DC
• Transparently hijack HTTP traffic on a network
• Switches all HTTPS links to HTTP and swaps the user to
an insecure look-alike page
• Server thinks everything is “a-ok!” and no SSL cert
• Supports modes for:
• supplying a favicon which looks like a lock
• selective logging and session denial
Why use MITM in a
• Allows more focus on the USERS
• Are they aware of HTTP vs. HTTPS?
• Highlight insecure protocols
(Telnet, Basic HTTP Auth)
• Hint: Save PCAP files and run them
through multiple tools! (thanks Mubix)
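The "save PCAP files and run them through multiple tools" hint above is easy to turn into an audit step for your own captures: find which hosts are still sending credentials over insecure protocols (Telnet, Basic HTTP Auth) so those services can be moved to an encrypted transport. The script below is an added example, not code from the talk or from any of the tools it names. It reads a classic little-endian libpcap file with only the standard library, extracts IPv4/TCP payloads, flags connections to cleartext service ports and decodes HTTP Basic Authorization headers. The username is reported so the affected account can be notified; the password is never decoded into the report. The packets it runs on are constructed inline (no checksums, made-up addresses) purely so the example runs offline.

```python
import base64
import struct
from typing import Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
# Ports whose protocols carry credentials in the clear (hypothetical audit list)
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}


def iter_pcap_packets(data: bytes) -> Iterator[bytes]:
    """Yield the captured bytes of each record in a classic libpcap file."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("only little-endian classic pcap is handled here")
    linktype, = struct.unpack("<I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture")
    off = 24                               # global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[str, str, int, bytes]]:
    """Return (src_ip, dst_ip, dst_port, payload) for Ethernet/IPv4/TCP frames."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[23] != 6:                     # IP protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4          # TCP header length in bytes
    return src, dst, dst_port, tcp[data_off:]


def audit_capture(pcap: bytes) -> List[Dict[str, str]]:
    """Report cleartext-credential exposures found in a capture."""
    findings: List[Dict[str, str]] = []
    for frame in iter_pcap_packets(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, dst, port, payload = parsed
        if port in CLEARTEXT_PORTS:
            findings.append({"kind": CLEARTEXT_PORTS[port], "src": src, "dst": dst,
                             "detail": f"tcp/{port}"})
        if payload[:4] not in (b"GET ", b"POST", b"PUT ", b"HEAD"):
            continue
        head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        path = parts[1] if len(parts) > 1 else "?"
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (line.partition(":") for line in lines[1:])}
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            try:
                # Only the username is kept; the password is dropped, not logged.
                user = base64.b64decode(auth[6:], validate=True).decode("latin-1").split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            findings.append({"kind": "http-basic-auth", "src": src, "dst": dst,
                             "detail": f"{headers.get('host', '?')}{path} user={user} password=<redacted>"})
    return findings


# --- constructed sample capture (not real traffic; checksums left at zero) ---
def _build_frame(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, ip(src_ip), ip(dst_ip))
    return eth + ipv4 + tcp


def _build_pcap(frames: List[bytes]) -> bytes:
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


SAMPLE_PCAP = _build_pcap([
    _build_frame("10.0.0.2", "10.0.0.10", 80,
                 b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                 + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    _build_frame("10.0.0.3", "10.0.0.20", 23, b""),   # telnet connection attempt
])


def audit_sample() -> List[Dict[str, str]]:
    return audit_capture(SAMPLE_PCAP)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['kind']:16} {f['src']} -> {f['dst']}  {f['detail']}")
```

Point `audit_capture` at the bytes of any Ethernet pcap saved from Wireshark; the findings list is the inventory of hosts and accounts that need a TLS-protected replacement. The redaction is deliberate: a capture full of passwords is itself a liability, and the audit only needs to know who is affected.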
ARP Poisoning Defense
• Monitoring Tools
• Static IPs/Static ARP Tables (not sustainable!)
• Turn on “port security” in your switches!
• Check out Dynamic ARP Inspection
• User education (hard)
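The ARP exchange described earlier (A asks "Who has this IP?", B answers "That's me, here is my MAC") is also what makes poisoning detectable: a poisoned cache is built from replies nobody asked for, and the victim's IP-to-MAC mapping for the router suddenly changes. The monitor below is an added example of the "Monitoring Tools" bullet, not code from the talk or from any named tool. It decodes raw Ethernet/ARP frames with only the standard library, tracks outstanding requests, and raises an alert on an unsolicited reply or on a changed mapping. The frames it runs on are constructed inline with made-up addresses so the example runs offline.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise.

    Returning None for everything else lets the monitor be fed every frame
    seen on the segment without pre-filtering.
    """
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]          # SHA(6) SPA(4) THA(6) TPA(4)
    return ArpFrame(opcode,
                    mac_str(body[0:6]), ip_str(body[6:10]),
                    mac_str(body[10:16]), ip_str(body[16:20]))


class ArpMonitor:
    """Flag the two signatures of ARP cache poisoning on a segment."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}              # ip -> mac as first learned
        self.pending: Set[Tuple[str, str]] = set()   # (asker_ip, asked_ip)

    def observe(self, frame: bytes) -> List[str]:
        """Feed one captured frame; return any alerts it triggered."""
        arp = parse_arp(frame)
        if arp is None:
            return []
        if arp.opcode == ARP_REQUEST:
            self.pending.add((arp.sender_ip, arp.target_ip))
            return []
        if arp.opcode != ARP_REPLY:
            return []
        alerts: List[str] = []
        key = (arp.target_ip, arp.sender_ip)
        if key in self.pending:
            self.pending.discard(key)
        else:
            alerts.append(f"unsolicited reply: {arp.sender_ip} is-at {arp.sender_mac} "
                          f"sent to {arp.target_ip}")
        known = self.table.get(arp.sender_ip)
        if known is None:
            self.table[arp.sender_ip] = arp.sender_mac
        elif known != arp.sender_mac:
            alerts.append(f"mapping change: {arp.sender_ip} was {known}, now {arp.sender_mac}")
            # Record the new value so a legitimate change (NIC swap, DHCP reuse)
            # alerts once instead of on every frame.
            self.table[arp.sender_ip] = arp.sender_mac
        return alerts


def build_arp(opcode: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Assemble a test frame (constructed sample data, not captured traffic)."""
    def mac(s: str) -> bytes:
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s: str) -> bytes:
        return bytes(int(x) for x in s.split("."))
    dst = mac(target_mac) if opcode == ARP_REPLY else b"\xff" * 6
    eth = dst + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth + hdr + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)


def demo() -> List[str]:
    """Host 10.0.0.2 asks for the router; the real router answers; then a second
    machine claims the router's IP without being asked (hypothetical addresses)."""
    host, router, rogue = "aa:aa:aa:00:00:02", "aa:aa:aa:00:00:01", "cc:cc:cc:00:00:99"
    frames = [
        build_arp(ARP_REQUEST, host, "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
        build_arp(ARP_REPLY, router, "10.0.0.1", host, "10.0.0.2"),
        build_arp(ARP_REPLY, rogue, "10.0.0.1", host, "10.0.0.2"),
    ]
    monitor = ArpMonitor()
    alerts: List[str] = []
    for frame in frames:
        alerts.extend(monitor.observe(frame))
    return alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real network the frames come from a raw socket or a pcap reader and the alert list goes to your SIEM; the third constructed frame produces both alerts. The caveats are the usual ones for this class of tool: gratuitous ARP from DHCP clients and HA failover pairs will trip the mapping-change rule, so tune the table against a known-good inventory before paging anyone.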
• Use a VPN, SSH Tunnel on insecure
networks (coffee shops, DEFCON)
• Encourage employees to use the VPN when
using public wifi!