New School Man-in-the-Middle

5,860 views
5,693 views

Published on

During our last tool talk at NEOISF, Matt Neely talked about using a Fon (a wireless access point) with Karmetasploit to attack wireless clients for penetration testing. In this talk we will take this concept a step further and show you what the latest techniques are for conducting man-in-the-middle attacks (MITM). First, we will define what man-in-the-middle attacks are and why we should be doing these in our penetration tests. The technical discussion will include talk about our old favorites like Wireshark, Ettercap and Cain. Next, we will show some new techniques introduced with tools like SSLStrip, The Middler, and Network Miner. Finally, we will end with an open discussion on how to defend against man-in-the-middle attacks.

Published in: Technology
1 Comment
6 Likes
Statistics
Notes
  • Dear One
    How are you today, I hope all is well with you .I am sorry to worry you with my Proposal for a relationship with you, but I know that you will grant my request in good sense and understanding, My name is miss Jessica, i am a single girl never marry before no kid, i like your profile
    but i will like you contact me through this Email (jesicadumbe@yahoo.com)
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total views
5,860
On SlideShare
0
From Embeds
0
Number of Embeds
459
Actions
Shares
0
Downloads
0
Comments
1
Likes
6
Embeds 0
No embeds

No notes for slide




























  • New School Man-in-the-Middle

    1. 1. New School Man-IN-THe-Middle Tom Eston SECURITY JUSTICE www.securityjustice.com
    2. 2. Man-In-The-Middle • What is this MITM you speak of? • Old school classics • New school tools • Why use it for pentests? • How to defend?
    3. 3. What is a MITM? • Redirect all traffic to YOU while allowing normal Internet access for the victim(s) • Modify, intercept and capture network traffic • Create DoS
    4. 4. Setting up your Monkey • Traditional ARP Cache Poisoning The MITM becomes the “router” • KARMA on the Fon (WiFi Attack) Karma brings you the victim
    5. 5. ARP Refresher • ARP (Address Resolution Protocol) • How devices associate MAC to IP ARP Request Computer A asks “Who has this IP?” ARP Reply Computer B tells A “That’s me! I have this MAC!” Reverse ARP Request Same as ARP request by Computer A asks “Who has this MAC?” Reverse ARP Reply Computer B tells A “I have that MAC, here is my IP!”
    6. 6. ARP Cache Poisoning • Send fake ARP Reply’s to your victim(s) • Allows sniffing on switched networks • Hijacking of IP traffic between hosts
    7. 7. KARMA on the Fon • The “evil twin” KARMA listens and responds to all! • KARMA on the Fon Route wireless traffic to YOU!
    8. 8. Attacking wireless clients with Karma on the Fon http://dimitar.me/?p=277
    9. 9. Old School MITM Tools
    10. 10. Wireshark • Popular network sniffer • Easy to use • Easy capture of data • Robust filtering • Multi-platform (you probably have it)
    11. 11. Ettercap • Used for filtering, hijacking, ARP cache poisoning and sniffing • GUI, cmd, ncurses! Multi-platform • Cool filters and plugins.... • Inject HTML into existing web pages! Meterpreter payload anyone? • DNS Spoofing (phantom plugin) • Many more...
    12. 12. Cain • Able is a separate program used to conduct remote activities (NT hash dump, console) • Multi-functional “password recovery” tool • Password cracking, scanning, sniffing, ARP poisoning and many related attacks (DNS, HTTPS, POP3S, RDP, etc...) • Much, much more! • Windows only
    13. 13. New School Tools
    14. 14. Network Miner • Passive network sniffer/packet capture tool • Detect OS, sessions, hostnames, open ports, etc... • Easy view of usernames and passwords • Parse PCAP files, search via keywords • Can reassemble files and certs from PCAP files • Windows only
    15. 15. The Middler • Created by Jay Beale and Justin Searle (Inguardians) • Alpha version released at ShmooCon 2009 • Ability to inject Javascript into cleartext traffic • Clone sessions for the attacker (CSRF) • Intercept logout requests • Plugin Architecture • Highlights problem of sites using mixed HTTP/ HTTPS
    16. 16. SSLStrip • Created by Moxie Marlinspike, released at BlackHat DC 2009 • Transparently hijack HTTP traffic on a network • Switches all HTTPS links to HTTP and swaps the user to an insecure look-alike page • Server thinks everything is “a-ok!’ and no SSL cert “warning” • Supports modes for: • supplying a favicon which looks like a lock • selective logging and session denial
    17. 17. SSLStrip Demo
    18. 18. Why use MITM in a Pentest? • Allows more focus on the USERS • Are they aware of HTTP vs. HTTPS? • Highlight insecure protocols (Telnet, Basic HTTP Auth) • Hint: Save PCAP files and run them through multiple tools! (thanks Mubix)
    19. 19. ARP Poisoning Defense • Monitoring Tools ArpON Arpwatch • Static IP’s/Static ARP Tables (not sustainable!) • Turn on “port security” in your switches! • Check out Dynamic ARP Inspection (Cisco DAI)
    20. 20. MITM Defense • User education (hard) • Use a VPN, SSH Tunnel on insecure networks (coffee shops, DEFCON) • Encourage employees to use the VPN when using public wifi!
    21. 21. Linkage: spylogic.net
    22. 22. Questions? Twitter: agent0x0 Web: spylogic.net Email: tom@spylogic.net

    ×