New School Man-in-the-Middle
During our last tool talk at NEOISF, Matt Neely talked about using a Fon (a wireless access point) with Karmetasploit to attack wireless clients for penetration testing. In this talk we will take this concept a step further and show you the latest techniques for conducting man-in-the-middle (MITM) attacks. First, we will define what man-in-the-middle attacks are and why we should be doing them in our penetration tests. The technical discussion will cover our old favorites like Wireshark, Ettercap and Cain. Next, we will show some new techniques introduced with tools like SSLStrip, The Middler, and Network Miner. Finally, we will end with an open discussion on how to defend against man-in-the-middle attacks.

Presentation Transcript

New School Man-in-the-Middle
Tom Eston, Security Justice, www.securityjustice.com

Man-In-The-Middle
  • What is this MITM you speak of?
  • Old school classics
  • New school tools
  • Why use it for pentests?
  • How to defend?

What is a MITM?
  • Redirect all traffic to YOU while allowing normal Internet access for the victim(s)
  • Modify, intercept and capture network traffic
  • Create DoS

Setting up your Monkey
  • Traditional ARP cache poisoning: the MITM becomes the “router”
  • KARMA on the Fon (WiFi attack): KARMA brings you the victim

ARP Refresher
  • ARP (Address Resolution Protocol)
  • How devices associate MAC to IP
  • ARP Request: Computer A asks “Who has this IP?”
  • ARP Reply: Computer B tells A “That’s me! I have this MAC!”
  • Reverse ARP Request: same as an ARP request, but Computer A asks “Who has this MAC?”
  • Reverse ARP Reply: Computer B tells A “I have that MAC, here is my IP!”

ARP Cache Poisoning
  • Send fake ARP Replies to your victim(s)
  • Allows sniffing on switched networks
  • Hijacking of IP traffic between hosts

KARMA on the Fon
  • The “evil twin”: KARMA listens and responds to all!
  • KARMA on the Fon routes wireless traffic to YOU!

Attacking wireless clients with KARMA on the Fon: http://dimitar.me/?p=277

Old School MITM Tools

Wireshark
  • Popular network sniffer
  • Easy to use
  • Easy capture of data
  • Robust filtering
  • Multi-platform (you probably have it)

Ettercap
  • Used for filtering, hijacking, ARP cache poisoning and sniffing
  • GUI, command-line and ncurses interfaces; multi-platform
  • Cool filters and plugins...
  • Inject HTML into existing web pages! Meterpreter payload, anyone?
  • DNS spoofing (phantom plugin)
  • Many more...

Cain
  • Able is a separate program used to conduct remote activities (NT hash dump, console)
  • Multi-functional “password recovery” tool
  • Password cracking, scanning, sniffing, ARP poisoning and many related attacks (DNS, HTTPS, POP3S, RDP, etc.)
  • Much, much more!
  • Windows only

New School Tools

Network Miner
  • Passive network sniffer/packet capture tool
  • Detects OS, sessions, hostnames, open ports, etc.
  • Easy view of usernames and passwords
  • Parses PCAP files, search via keywords
  • Can reassemble files and certificates from PCAP files
  • Windows only

The Middler
  • Created by Jay Beale and Justin Searle (InGuardians)
  • Alpha version released at ShmooCon 2009
  • Ability to inject JavaScript into cleartext traffic
  • Clone sessions for the attacker (CSRF)
  • Intercept logout requests
  • Plugin architecture
  • Highlights the problem of sites using mixed HTTP/HTTPS

SSLStrip
  • Created by Moxie Marlinspike, released at Black Hat DC 2009
  • Transparently hijacks HTTP traffic on a network
  • Switches all HTTPS links to HTTP and swaps the user to an insecure look-alike page
  • Server thinks everything is “a-ok!” and there is no SSL certificate “warning”
  • Supports modes for:
    • supplying a favicon which looks like a lock
    • selective logging and session denial

SSLStrip Demo
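The Middler and SSLStrip slides above both depend on the same server-side conditions: links, forms or scripts on an HTTPS page that point back to plain http://, and no Strict-Transport-Security (HSTS) header telling the browser to refuse plain HTTP for the site. The auditor below is an added example for this page, not code from the talk or from either tool; it takes the URL, headers and body of an HTTPS response and reports those conditions. The hostnames bank.example and cdn.example, the headers and the page body are constructed sample data, and the one-year max-age floor is a chosen threshold (the value HSTS preload submission requires), not something the slides state.

```python
"""Audit an HTTPS response for what SSLStrip and The Middler rely on.

Added example for this page, not from the talk or the tools it names. Given the
URL, headers and body of a page served over HTTPS, it reports: a missing or
short-lived Strict-Transport-Security (HSTS) header, which lets a browser that
first arrives over plain http:// be kept there; and links, forms or scripts on
the HTTPS page that point back to http://, the mixed HTTP/HTTPS problem the
Middler slide highlights. The URL, headers and body below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# One year, the max-age HSTS preload submission requires; used here as the floor (chosen threshold).
MIN_HSTS_MAX_AGE = 31536000


class LinkCollector(HTMLParser):
    """Collect the URL-bearing attribute of tags that cause a request or a submission."""
    ATTRS = {"a": "href", "form": "action", "script": "src", "iframe": "src",
             "link": "href", "img": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []   # (tag, url)

    def handle_starttag(self, tag, attrs):
        want = self.ATTRS.get(tag)
        if want is None:
            return
        for name, value in attrs:
            if name == want and value:
                self.refs.append((tag, value))


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}; {} if absent."""
    directives = {}
    for part in (value or "").split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def audit_https_page(page_url, headers, body, min_max_age=MIN_HSTS_MAX_AGE):
    """Return a list of findings (empty when the page gives a downgrade nothing to work with)."""
    findings = []
    host = urlsplit(page_url).hostname
    lower = {k.lower(): v for k, v in headers.items()}
    hsts = parse_hsts(lower.get("strict-transport-security"))
    if not hsts:
        findings.append("no Strict-Transport-Security header: a browser arriving over http:// is not forced to https://")
    else:
        try:
            max_age = int(hsts.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < min_max_age:
            findings.append(f"HSTS max-age {max_age} is below {min_max_age}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains: subdomains stay reachable over http://")
    collector = LinkCollector()
    collector.feed(body)
    for tag, url in collector.refs:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue   # https://, relative and protocol-relative references inherit the page's scheme
        where = "same host" if parts.hostname == host else f"host {parts.hostname}"
        action = "form submits over" if tag == "form" else f"<{tag}> references"
        findings.append(f"{action} plain http ({where}): {url}")
    return findings


# Constructed sample response: a login page that sets a weak HSTS policy and mixes schemes.
SAMPLE_URL = "https://bank.example/login"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=3600"}
SAMPLE_BODY = """<html><body>
<a href="https://bank.example/accounts">Accounts</a>
<a href="http://bank.example/help">Help</a>
<form action="http://bank.example/login" method="post"><input name="user"></form>
<script src="http://cdn.example/lib.js"></script>
<img src="/static/logo.png">
</body></html>"""


def run_demo():
    """Audit the constructed sample; returns five findings for it."""
    return audit_https_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The check reports what the site operator can fix. It does not close the first hop on its own: a browser that has never seen the site over HTTPS (and is not on a preload list) still starts with a plain http:// request, which is the moment SSLStrip works in, so the HSTS finding matters most when the policy is long-lived and preloaded. The per-host detail separates same-host http:// links, which HTTPS redirects and HSTS can fix, from third-party ones, which need the third party to change.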
Why use MITM in a Pentest?
  • Allows more focus on the USERS
  • Are they aware of HTTP vs. HTTPS?
  • Highlight insecure protocols (Telnet, Basic HTTP Auth)
  • Hint: save PCAP files and run them through multiple tools! (thanks Mubix)

ARP Poisoning Defense
  • Monitoring tools: ArpON, Arpwatch
  • Static IPs/static ARP tables (not sustainable!)
  • Turn on “port security” in your switches!
  • Check out Dynamic ARP Inspection (Cisco DAI)
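The ARP refresher and the ARP cache poisoning slide describe the binding an attacker overwrites; the defense slide names Arpwatch as the monitoring answer. The script below is an added example for this page in the spirit of Arpwatch, not code from the talk or from Arpwatch itself: it parses raw Ethernet/ARP frames, learns which MAC announces each IP, and alerts on the two signs poisoning leaves on the wire (an IP whose MAC changes and later flips back, and one MAC announcing several IPs). All MAC and IP addresses and every frame it processes are constructed sample data; on a real segment the frames would come from a packet capture.

```python
"""Passive ARP monitor in the spirit of Arpwatch.

Added example for this page, not a tool from the talk: it parses raw
Ethernet/ARP frames, learns which MAC announces each IP, and alerts on the
two things ARP cache poisoning leaves on the wire: an IP whose MAC changes
(and later flips back), and one MAC announcing several IPs. The frames fed
to it below are constructed sample data, not captured traffic.
"""
import struct
from collections import defaultdict

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack a constructed Ethernet/ARP frame; used only to make sample input."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(sender_mac), ip_bytes(sender_ip),
                   mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa)


class ArpMonitor:
    """Learn sender bindings from every ARP frame seen and record alerts."""

    def __init__(self):
        self.table = {}                  # ip -> mac most recently announced
        self.claims = defaultdict(set)   # mac -> set of ips it has announced
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip = parsed
        known = self.table.get(ip)
        if known is not None and known != mac:
            # Arpwatch reports this as "changed ethernet address"; a later
            # change back to the original MAC is its "flip flop" pattern.
            self.alerts.append(f"changed ethernet address: {ip} was {known}, now {mac} (arp op {op})")
        self.table[ip] = mac
        ips = self.claims[mac]
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                self.alerts.append(f"one mac claims several ips: {mac} -> {sorted(ips)}")
        return parsed


def run_demo():
    """Replay a constructed sequence: normal traffic, then a third station
    announcing the gateway's IP, then the real gateway answering again."""
    gw_mac, gw_ip = "aa:aa:aa:aa:aa:01", "192.168.1.1"
    pc_mac, pc_ip = "aa:aa:aa:aa:aa:0a", "192.168.1.10"
    rogue_mac = "cc:cc:cc:cc:cc:cc"
    frames = [
        build_arp_frame(ARP_REQUEST, pc_mac, pc_ip, "ff:ff:ff:ff:ff:ff", gw_ip),  # PC asks who has the gateway
        build_arp_frame(ARP_REPLY, gw_mac, gw_ip, pc_mac, pc_ip),                # legitimate answer
        build_arp_frame(ARP_REPLY, rogue_mac, gw_ip, pc_mac, pc_ip),             # gateway IP now has a new MAC
        build_arp_frame(ARP_REPLY, rogue_mac, pc_ip, gw_mac, gw_ip),             # same MAC also claims the PC
        b"\x00" * 20,                                                            # not ARP, ignored
        build_arp_frame(ARP_REPLY, gw_mac, gw_ip, pc_mac, pc_ip),                # real gateway answers again
    ]
    mon = ArpMonitor()
    for frame in frames:
        mon.observe(frame)
    return mon


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```

Two caveats for using this on a real segment. A router that holds several IP aliases, or a host with a NIC swap, will trip the same alerts, so both signals need an allowlist or a baseline rather than blocking on their own; that is why the slide pairs monitoring with switch features such as port security and Dynamic ARP Inspection, which tie each port to the binding it is allowed to announce. And the monitor only sees frames that reach its port, so it belongs on a mirror port or on the hosts whose gateway binding you care about.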
MITM Defense
  • User education (hard)
  • Use a VPN or SSH tunnel on insecure networks (coffee shops, DEFCON)
  • Encourage employees to use the VPN when using public wifi!

Linkage: spylogic.net

Questions?
Twitter: agent0x0
Web: spylogic.net
Email: tom@spylogic.net