Luiz eduardo. introduction to mobile snitch

  1. Mobile Snitch
     CONFidence 2012
     Presented by Luiz Eduardo, le(at)trustwave…
  2. Agenda
     Intro; Motivations; Current "issue"; Profiling; Mitigation Tips; Future
  3. whois Luiz Eduardo
     Head of SpiderLabs LAC. Knows a thing or two about WiFi. Conference organizer (YSTS & SilverBullet). Amateur photographer.
     le/at/trustwave/dot/com, @effffn
  4. whois Rodrigo Montoro
     Security Researcher at Trustwave/SpiderLabs:
       • Intrusion Detection System rules
       • New ways to detect malicious activities
       • Patent-pending author of a methodology to discover malicious digital files
     Speaker:
       • Toorcon, SecTor, FISL, Conisli, CNASI, OWASP AppSec Brazil, H2HC (São Paulo and México)
     Founder of the Malwares-BR Group / Webcast Localthreats
     Founder and coordinator of the Snort Brazilian Community:
       • Snort rules library for Brazilian malwares
  5. Trustwave SpiderLabs ®
     Trustwave SpiderLabs uses real-world and innovative security research to improve Trustwave products, and provides unmatched expertise and intelligence to customers.
     Response and Investigation (R&I); Analysis and Testing (A&T); Research and Development (R&D)
  6. Goals of this Talk
     Information about the data your mobile devices broadcast; possible implications of that; raise awareness of the public in general in regards to mobile privacy.
  7. Motivations
     Previous WiFi research; tons of travel; client-side / targeted attacks and malware trending.
     Very initial thoughts of this talk presented at BayThreat 2011 (very, very initial WiFi-based device location at ToorCon Seattle 2008).
  8. Disclaimer
  9. Definitive Goal
     Ability to fingerprint a PERSON based on the information given by their mobile device(s).
     Passive information gathering of:
       • Automatic "LAN/internal" protocols
       • Non-encrypted traffic analysis (security flaws / features / non-confidential info)
  10. Current "issue"
     Massive adoption of mobile devices. Usability vs. security:
       • Networking protocols
       • Broadcast / multicast (and basic WiFi operation)
       • And…
  11. BYOD
  12. BYO(B)D
     Security as we know it:
       • protect the infrastructure
       • protect the user, once it's in the protected network
     The newER buzzword, BYOD Security, doesn't solve the privacy issue.
  13. Privacy Matters?
  14. I can haz ZeroConfig
     Used by most mobile devices. Discovery, announcement & integration with (mostly) home devices:
       • Multimedia products
       • IP cameras
       • Printers
     Yet, always on and automatic.
     "Zero configuration networking allows devices such as computers and printers to connect to a network automatically. Without zeroconf, a network administrator must set up services…"
  15. ZeroConfig Protocols
     mDNS; UPnP; SSDP (Simple Service Discovery Protocol); SLP (Service Location Protocol)
  16. (IPv6)
     Lack of: monitoring, protection, knowledge, etc…
  17. mDNS is evil then?
  18. So, how does it work?
     Data acquisition (passive) → Filters → Profile creation → Compare with existing info
     Profile fields: domain request info; IP / geolocation; locations (collection); contacts; company info; personal network; softwares; etc.
     First search: Internet search; applications (NetBIOS / services)
     Third party: ARP poisoning; extra pcaps; info correlation; additional Internet search
  19. Data Acquisition (mDNS - multicast)
  20. mDNS query
  21. mDNS "passive port scan"
  22. Data Acquisition (NetBIOS - broadcast)
  23. NetBIOS query
  24. Key Information
  25. In mDNS we trust …
       $ perl snitch.pl rodrigo-montoro-ipad-iphone.pcap
       ### Mobile Snitch ###
       ### Analyzing File: rodrigo-montoro-ipad-iphone.pcap
       ### Tool by @effffn and @spookerlabs
       Packet Number: 596
       MAC Address: 5c:59:48:45:db:fb
       Device Info: Rodrigo-Montoro.local,Rodrigo-Montoro.local
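The passive acquisition on slides 19 to 25 works because an mDNS responder answers to the whole multicast group: anyone on the same LAN receives the hostname, the service instance names and the SRV ports without ever sending a probe, which is what the slide calls a "passive port scan". The script below is an added example, not the snitch.pl tool from the talk. It constructs one mDNS response the way a responder would emit it (the hostname Jane-Doe-iPhone.local, the address 192.168.0.23 and the service instance names are invented for the example), parses it from the wire format including compression pointers, and folds the records into the kind of profile slide 25 prints. The hop limit in read_name is a guard a practitioner needs: a hostile packet can point a compression pointer back at itself and a naive parser never returns.

```python
"""Passive mDNS profiler (added example, not the talk's snitch.pl): build one
constructed response, parse it from the wire and extract what the LAN hears."""
import struct

TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33
MAX_POINTER_HOPS = 16  # bound on compression-pointer hops; hostile packets can loop

# --- constructed sample packet (hostname, IP and service names are invented) ---
def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def rr(name, rtype, rdata, ttl=120):
    """One resource record; class 0x8001 is IN with the mDNS cache-flush bit set."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata

def mdns_response(answers):
    """Header: id 0, flags 0x8400 (response, authoritative), answer section only."""
    return struct.pack("!HHHHHH", 0, 0x8400, 0, len(answers), 0, 0) + b"".join(answers)

HOST = "Jane-Doe-iPhone.local"   # the first name in the message starts at offset 12
TO_HOST = b"\xc0\x0c"            # compression pointer to offset 12, as real responders emit
SAMPLE = mdns_response([
    rr(HOST, TYPE_A, bytes([192, 168, 0, 23])),
    rr("_afpovertcp._tcp.local", TYPE_PTR, encode_name("Jane's iPhone._afpovertcp._tcp.local")),
    rr("Jane's iPhone._afpovertcp._tcp.local", TYPE_SRV, struct.pack("!HHH", 0, 0, 548) + TO_HOST),
    rr("_ssh._tcp.local", TYPE_PTR, encode_name("Jane's iPhone._ssh._tcp.local")),
    rr("Jane's iPhone._ssh._tcp.local", TYPE_SRV, struct.pack("!HHH", 0, 0, 22) + TO_HOST),
    rr("Jane's iPhone._device-info._tcp.local", TYPE_TXT, b"\x0cmodel=iPhone"),  # one 12-byte TXT item
])

# --- parser -------------------------------------------------------------------
def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it in place)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: 2 bytes, 14-bit offset
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("utf-8", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_mdns(msg):
    """Return [(name, type, rdata)] with rdata decoded for A, PTR, SRV and TXT."""
    _, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip questions: name + type + class
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        start, off = off + 10, off + 10 + rdlen
        if rtype == TYPE_A:
            rdata = ".".join(str(b) for b in msg[start:off])
        elif rtype == TYPE_PTR:
            rdata, _ = read_name(msg, start)
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", msg[start:start + 6])
            rdata = (read_name(msg, start + 6)[0], port)
        elif rtype == TYPE_TXT:
            rdata, p = [], start
            while p < off:                        # length-prefixed key=value items
                rdata.append(msg[p + 1:p + 1 + msg[p]].decode("utf-8", "replace"))
                p += 1 + msg[p]
        else:
            rdata = msg[start:off]
        records.append((name, rtype, rdata))
    return records

def profile(records):
    """The 'key information' a passive listener gets for free from one response."""
    prof = {"hosts": {}, "services": set(), "ports": set(), "txt": []}
    for name, rtype, rdata in records:
        if rtype == TYPE_A:
            prof["hosts"][name] = rdata
        elif rtype == TYPE_PTR:
            prof["services"].add(rdata)
        elif rtype == TYPE_SRV:
            prof["ports"].add(rdata)              # (target, port): no SYN was ever sent
        elif rtype == TYPE_TXT:
            prof["txt"].extend(rdata)
    # Default hostnames are often "<First>-<Last>...local", i.e. the owner's real name.
    prof["likely_owner"] = [h.split(".local")[0].replace("-", " ") for h in prof["hosts"]]
    return prof

if __name__ == "__main__": print(profile(parse_mdns(SAMPLE)))
```

On a real capture the same parser takes the UDP payload of every packet sent to 224.0.0.251 port 5353; key each profile by the source MAC address, as snitch.pl does, and the records from many responses fold into one entry per device.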
  26. First Search
     Device Info: Rodrigo-Montoro.local,Rodrigo-Montoro.local
     Going to Google (or any other search tool):
       • Rodrigo Montoro inurl:facebook.com
       • Rodrigo Montoro inurl:linkedin.com
       • Rodrigo Montoro inurl:twitter.com
       • Google Images: Rodrigo+Montoro
       • … or any other Google search for that matter.
  27.
  28. But ….
  29. Rodrigo is not that famous (yet)…
  30. So we could use third-party info
     ARP spoofing; new pcaps; in-depth request analysis:
       • HTTP objects rebuild (oh yeah)
       • Plain-text requests
       • Who wants a cookie?
       • Usernames (we don't want passwords .. at least, not now)
       • GeoIP / domains
       • SSID databases
       • Image EXIF info
  31. ARP Spoofing
     Difficulty level: -10
       # arpspoof -i eth0 192.168.0.1
     * Don't forget to enable IP forwarding.
  32. New pcaps
     CloudShark; Pcapr; sniffing random locations; create an online repository?
  33. HTTP objects rebuilt - the secrets
       …"authToken":"name:hpVy","distance":…"firstName":"Rodrigo","formattedName":"Rodrigo Montoro","headline":"Nerds at Spiderlabs","id":"1337","lastName":"Montoro","picture":"http://media.linkedin.com/mpr/mpr/shrink_80_80/p/ 00/13/al.jpg","hasPicture":true,"twitter":"spookerlabs"}
  34. User-Agents (-e http.user_agent, http.request.method == GET)
       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Saf…
       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Vers… Safari/533.21.1
       …ivial/5.810
       Mozilla/5.0 (iPad; CPU OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405
       …rForBlackBerry/2.1.0.28 (BlackBerry; U; BlackBerry 9300; es) Version/5.0.0.846
       Mozilla/5.0 (Linux; U; Android 2.1-update1; es-ar; U20a Build/2.1.1.A.0.6) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 [FBAN/FB4A;FBAV/1.8.4;FBDM/{density=0.75,width=320,height=240};FBLC/es_AR;FB_FW/1;FBCR/CLARO;FBPN/com.facebook.katana;FBFBSV/2.1-update1;]
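Slide 34 pulls User-Agent strings out of the capture with the http.user_agent field (the -e option shown is tshark's field selector); what the slide leaves implicit is how much each string gives away and how the strings from one MAC address add up to a person. The script below is an added example, not the authors' code. The User-Agents in it are constructed to resemble the ones on the slide (the values are invented, not captured), and the reading of the FB* tokens as the Facebook app's name, version, locale, carrier and package name is an assumption about that app's format, not something the slide states.

```python
"""User-Agent profiling (added example, not the talk's code). Each GET line a
phone sends in the clear names its OS, version, hardware, locale and sometimes
its carrier; this groups many such lines into one per-person view."""
import re

# Constructed User-Agent strings modelled on the ones on the slide (invented, not captured).
SAMPLES = [
    "Mozilla/5.0 (iPad; CPU OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405",
    "Mozilla/5.0 (Linux; U; Android 2.1-update1; es-ar; U20a Build/2.1.1.A.0.6) AppleWebKit/530.17 "
    "(KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 [FBAN/FB4A;FBAV/1.8.4;"
    "FBDM/{density=0.75,width=320,height=240};FBLC/es_AR;FB_FW/1;FBCR/CLARO;"
    "FBPN/com.facebook.katana;FBFBSV/2.1-update1;]",
    "Mozilla/5.0 (BlackBerry; U; BlackBerry 9300; es) AppleWebKit/534.8+ (KHTML, like Gecko) "
    "Version/6.0.0.141 Mobile Safari/534.8+",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) "
    "Version/5.0.5 Safari/533.21.1",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11",
]

# First matching rule wins; the iOS rule comes before the Mac rule because iOS UAs say "like Mac OS X".
RULES = [
    ("iOS", r"\((iPhone|iPad|iPod);.*?CPU (?:iPhone )?OS (\d+(?:_\d+)*)", ("device", "os_version")),
    ("Android", r"Android ([^;]+); ([a-z]{2}-[A-Za-z]{2}); (.+?) Build/", ("os_version", "locale", "device")),
    ("BlackBerry", r"(BlackBerry \d{4})", ("device",)),
    ("Mac OS X", r"Intel Mac OS X (\d+(?:_\d+)*)", ("os_version",)),
    ("Windows", r"Windows NT (\d+\.\d+)", ("os_version",)),
]

# Tokens the Facebook app appends to its UA. Assumed meaning (not stated on the
# slide): app name, app version, locale, carrier, package name.
FB_TOKENS = {"FBAN": "app", "FBAV": "app_version", "FBLC": "app_locale",
             "FBCR": "carrier", "FBPN": "package"}


def profile_user_agent(ua):
    """Return the profile fields one User-Agent string gives away."""
    prof = {}
    for os_name, pattern, fields in RULES:
        m = re.search(pattern, ua)
        if m:
            prof["os"] = os_name
            prof.update(zip(fields, m.groups()))
            break
    if "os_version" in prof:
        prof["os_version"] = prof["os_version"].replace("_", ".")  # 5_0_1 -> 5.0.1
    for key, val in re.findall(r"(FBAN|FBAV|FBLC|FBCR|FBPN)/([^;\]]+)", ua):
        prof[FB_TOKENS[key]] = val
    return prof


def summarize(user_agents):
    """Roll many GET lines seen from one MAC address into the per-person view."""
    profs = [profile_user_agent(ua) for ua in user_agents]
    return {
        "platforms": sorted({p["os"] for p in profs if "os" in p}),
        "devices": sorted({p["device"] for p in profs if "device" in p}),
        "locales": sorted({p[k] for p in profs for k in ("locale", "app_locale") if k in p}),
        "carriers": sorted({p["carrier"] for p in profs if "carrier" in p}),
        "apps": sorted({p["package"] for p in profs if "package" in p}),
    }


if __name__ == "__main__":
    for ua in SAMPLES:
        print(profile_user_agent(ua))
    print(summarize(SAMPLES))
```

The carrier and locale tokens are the point: a single Facebook GET line ties the handset to an operator and a country, which narrows the "first search" on slide 26 considerably. Unknown User-Agents fall through every rule and yield an empty profile rather than a guess.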
  35. We are the good guys …
       grep -F "[**" /var/log/snort/alert | sort | uniq -c | sort -nr
       [**] [1:100000236:2] GPL CHAT Jabber/Google Talk Incoming Message [**]
       [**] [1:100000233:2] GPL CHAT Jabber/Google Talk Outgoing Message [**]
       [**] [1:2010785:4] ET CHAT Facebook Chat (buddy list) [**]
       [**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**]
       [**] [1:2014473:2] ET INFO JAVA - Java Archive Download By Vulnerable Client [**]
       [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**]
       [**] [1:2011582:19] ET POLICY Vulnerable Java Version 1.6.x Detected [**]
       [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**]
       [**] [1:2002878:6] ET POLICY iTunes User Agent [**]
       [**] [1:100000230:2] GPL CHAT MISC Jabber/Google Talk Outgoing Traffic [**]
  36. Person "MACnification"
     MAC address; username; pictures; Facebook; LinkedIn; Twitter; locations; company; softwares; extras; infected?
  37. Next time we meet…
  38. "Mitigation" Tips
     Name the device: never use your name / last name in your device.
     Careful where you use your mobile.
     Turn off WiFi (Bluetooth and etc.) when not using it.
     (Bonus!) Consider removing some SSID entries from your device… but why?
  39. Bonus!: Bring Your Own Probe Request
     Bluetooth
  40. Disconnected Devices & SSIDs
     Company; people; SSN #s; hotel; school; event; airport; lounges… and Free Public WiFi
  41. Careful with the New Features
     It might affect (even more) your privacy….
  42. Future …
     Website for profile feed collaboration?
       • Macprofiling.com
       • Whoisthismac.com
       • Followthemac.com
       • ISawYouSomehereAlready.com
     Social Engineer:
       • SET (Social Engineer Toolkit) integration
       • Maltego
     Others
  43. Additional Resources
     Download the Global Security Report: http://www.trustwave.com/GS
     Read our blog: http://blog.spiderlabs.com
     Follow us on Twitter: @SpiderLabs / @efffffn / @spookerlabs
