New School Man-in-the-Middle

New School Man-IN-THe-Middle Tom Eston SECURITY JUSTICE www.securityjustice.com

Man-In-The-Middle • What is this MITM you speak of? • Old school classics • New school tools • Why use it for pentests? • How to defend?

What is a MITM? • Redirect all trafﬁc to YOU while allowing normal Internet access for the victim(s) • Modify, intercept and capture network trafﬁc • Create DoS

Setting up your Monkey • Traditional ARP Cache Poisoning The MITM becomes the “router” • KARMA on the Fon (WiFi Attack) Karma brings you the victim

ARP Refresher • ARP (Address Resolution Protocol) • How devices associate MAC to IP ARP Request Computer A asks “Who has this IP?” ARP Reply Computer B tells A “That’s me! I have this MAC!” Reverse ARP Request Same as ARP request by Computer A asks “Who has this MAC?” Reverse ARP Reply Computer B tells A “I have that MAC, here is my IP!”

ARP Cache Poisoning • Send fake ARP Reply’s to your victim(s) • Allows snifﬁng on switched networks • Hijacking of IP trafﬁc between hosts

KARMA on the Fon • The “evil twin” KARMA listens and responds to all! • KARMA on the Fon Route wireless trafﬁc to YOU!

Attacking wireless clients with Karma on the Fon http://dimitar.me/?p=277

Old School MITM Tools

Wireshark • Popular network sniffer • Easy to use • Easy capture of data • Robust ﬁltering • Multi-platform (you probably have it)

Ettercap • Used for filtering, hijacking, ARP cache poisoning and sniffing • GUI, cmd, ncurses! Multi-platform • Cool filters and plugins.... • Inject HTML into existing web pages! Meterpreter payload anyone? • DNS Spoofing (phantom plugin) • Many more...

Cain • Able is a separate program used to conduct remote activities (NT hash dump, console) • Multi-functional “password recovery” tool • Password cracking, scanning, snifﬁng, ARP poisoning and many related attacks (DNS, HTTPS, POP3S, RDP, etc...) • Much, much more! • Windows only

New School Tools

Network Miner • Passive network sniffer/packet capture tool • Detect OS, sessions, hostnames, open ports, etc... • Easy view of usernames and passwords • Parse PCAP files, search via keywords • Can reassemble files and certs from PCAP files • Windows only

The Middler • Created by Jay Beale and Justin Searle (Inguardians) • Alpha version released at ShmooCon 2009 • Ability to inject Javascript into cleartext trafﬁc • Clone sessions for the attacker (CSRF) • Intercept logout requests • Plugin Architecture • Highlights problem of sites using mixed HTTP/ HTTPS

SSLStrip • Created by Moxie Marlinspike, released at BlackHat DC 2009 • Transparently hijack HTTP trafﬁc on a network • Switches all HTTPS links to HTTP and swaps the user to an insecure look-alike page • Server thinks everything is “a-ok!’ and no SSL cert “warning” • Supports modes for: • supplying a favicon which looks like a lock • selective logging and session denial

SSLStrip Demo

Why use MITM in a Pentest? • Allows more focus on the USERS • Are they aware of HTTP vs. HTTPS? • Highlight insecure protocols (Telnet, Basic HTTP Auth) • Hint: Save PCAP ﬁles and run them through multiple tools! (thanks Mubix)

ARP Poisoning Defense • Monitoring Tools ArpON Arpwatch • Static IP’s/Static ARP Tables (not sustainable!) • Turn on “port security” in your switches! • Check out Dynamic ARP Inspection (Cisco DAI)

MITM Defense • User education (hard) • Use a VPN, SSH Tunnel on insecure networks (coffee shops, DEFCON) • Encourage employees to use the VPN when using public wiﬁ!

Linkage: spylogic.net

Questions? Twitter: agent0x0 Web: spylogic.net Email: tom@spylogic.net

http://www.neoisf.org	186
http://www.slideshare.net	25
http://iktfag.wordpress.com	6
http://www.neoisf.com	5
http://static.slidesharecdn.com	4

New School Man-in-the-Middle

by Tom Eston on May 21, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

5 Embeds 226

Statistics

New School Man-in-the-Middle — Presentation Transcript