New School
Man-IN-THe-Middle
Tom Eston
SECURITY JUSTICE
www.securityjustice.com

Man-In-The-Middle
• What is this MITM you speak of?
• Old school classics
• New school tools
• Why use it for pentests?
• How to defend?

What is a MITM?
• Redirect all traffic to YOU while allowing
normal Internet access for the victim(s)
• Modify, intercept and capture network
traffic
• Create DoS

Setting up your Monkey
• Traditional ARP Cache Poisoning
The MITM becomes the “router”
• KARMA on the Fon (WiFi Attack)
Karma brings you the victim

ARP Refresher
• ARP (Address Resolution Protocol)
• How devices associate MAC to IP
ARP Request
Computer A asks “Who has this IP?”
ARP Reply
Computer B tells A “That’s me! I have this MAC!”
Reverse ARP Request
Same as ARP request by Computer A asks “Who has this MAC?”
Reverse ARP Reply
Computer B tells A “I have that MAC, here is my IP!”

ARP Cache Poisoning
• Send fake ARP Reply’s to your victim(s)
• Allows sniffing on switched networks
• Hijacking of IP traffic between hosts

KARMA on the Fon
• The “evil twin”
KARMA listens and
responds to all!
• KARMA on the Fon
Route wireless traffic to
YOU!

Attacking wireless clients with Karma on the Fon
http://dimitar.me/?p=277

Old School MITM Tools

Wireshark
• Popular network sniffer
• Easy to use
• Easy capture of data
• Robust filtering
• Multi-platform (you probably have it)

Ettercap
• Used for filtering, hijacking, ARP cache poisoning
and sniffing
• GUI, cmd, ncurses! Multi-platform
• Cool filters and plugins....
• Inject HTML into existing web pages!
Meterpreter payload anyone?
• DNS Spoofing (phantom plugin)
• Many more...

Cain
• Able is a separate program used to conduct
remote activities (NT hash dump, console)
• Multi-functional “password recovery” tool
• Password cracking, scanning, sniffing, ARP
poisoning and many related attacks (DNS,
HTTPS, POP3S, RDP, etc...)
• Much, much more!
• Windows only

New School Tools

Network Miner
• Passive network sniffer/packet capture tool
• Detect OS, sessions, hostnames, open ports,
etc...
• Easy view of usernames and passwords
• Parse PCAP files, search via keywords
• Can reassemble files and certs from PCAP files
• Windows only

The Middler
• Created by Jay Beale and Justin Searle (Inguardians)
• Alpha version released at ShmooCon 2009
• Ability to inject Javascript into cleartext traffic
• Clone sessions for the attacker (CSRF)
• Intercept logout requests
• Plugin Architecture
• Highlights problem of sites using mixed HTTP/
HTTPS

SSLStrip
• Created by Moxie Marlinspike, released at BlackHat DC
2009
• Transparently hijack HTTP traffic on a network
• Switches all HTTPS links to HTTP and swaps the user to
an insecure look-alike page
• Server thinks everything is “a-ok!’ and no SSL cert
“warning”
• Supports modes for:
• supplying a favicon which looks like a lock
• selective logging and session denial

SSLStrip Demo

Why use MITM in a
Pentest?
• Allows more focus on the USERS
• Are they aware of HTTP vs. HTTPS?
• Highlight insecure protocols
(Telnet, Basic HTTP Auth)
• Hint: Save PCAP files and run them
through multiple tools! (thanks Mubix)

ARP Poisoning Defense
• Monitoring Tools
ArpON
Arpwatch
• Static IP’s/Static ARP Tables (not sustainable!)
• Turn on “port security” in your switches!
• Check out Dynamic ARP Inspection
(Cisco DAI)

MITM Defense
• User education (hard)
• Use a VPN, SSH Tunnel on insecure
networks (coffee shops, DEFCON)
• Encourage employees to use the VPN when
using public wifi!

Linkage:
spylogic.net

Questions?
Twitter: agent0x0
Web: spylogic.net
Email: tom@spylogic.net