
I See You


In this talk, we will dive into the data captured during last year's Wall of Sheep: the applications and protocols that are giving away your credentials. This is something that anyone with the right level of knowledge and inclination could certainly do with a few basic ingredients, and we will enumerate them. The dataset we will focus on was gathered as part of the Wall of Sheep contest during DEF CON 22. While this data was gathered using an off-the-shelf technology, that platform will not be the topic we discuss. Rather, we will focus on the types and scope of data sent totally in the clear for all to see. Additionally, we will discuss the ramifications this might have in a less "friendly" environment, where loss of one's anonymity might really, really suck. Finally, we will discuss and recommend ways you can hamper this type of collection.


  1. I See You: What not to do when someone is monitoring your network traffic
      Andrew Beard, Brian Wohlwinder
  2. In honor of Brian
      • Lift with your legs, not your back
      • Engage your core, keep your abs pulled in
      • Avoid twisting your trunk
  3. DEFCON 22
  4. Our Setup
      • COTS network visibility appliance for capture and analysis
      • Common data tap from Packet Hacking Village
      • General purpose rules and some written specifically for Wall of Sheep to generate alerts and capture content for specific sessions
      • Metadata capture for the duration of the event
      • About 500M of compressed metadata between August 8 and 10, 2014
      • A little over 6M transactions
  5. Rules of Engagement
      • Completely passive listener
      • Ignore SSL/TLS content (metadata only)
      • All credentials partially redacted
  6. Overall Protocol Mix (chart: HTTP, TLS/SSL, FTP, Other, XMPP, WebSocket, BitTorrent, IRC)
  7. Where’s the VPN traffic?
      • Good question…
      • Very few encrypted tunnels from what we could tell. A few sessions, but nowhere near what we expected.
      • More Teredo IPv6 tunnels than real VPN traffic
      • Best guess, most aren’t using the WiFi
  8. It’s all about the passwords
  9. Plain Text Credentials
      • POP3, IMAP, SMTP
      • FTP
      • IRC
      • Telnet
      • Occasional HTTP (mostly via URL or POST content)
  10. POP3
      +OK <21066.1407692429@************************>
      CAPA
      -ERR authorization first
      USER lodgetreasurer@***************
      +OK
      PASS 2Q********
      +OK
      STAT
      +OK 8 107321
  11. IMAP
      * OK IMAP4 Service Ready
      1 LOGIN yihui.xu@******** N*****
      1 OK LOGIN completed
  12. FTP
      220------- Welcome to Pure-FTPd [privsep] [TLS] -------
      220-You are user number 129 of 200 allowed.
      220-Local time is now 14:45. Server port: 21.
      220-This is a private system - No anonymous login
      220-IPv6 connections are also welcome on this server.
      220 You will be disconnected after 3 minutes of inactivity.
      USER dpi03@******
      331 User dpi03@****** OK. Password required
      PASS **********
      230 OK. Current restricted directory is /
  13. HTTP – In URL
      /login?username=jacky&password=******
      /login.php?username=revelation&password=******
      /perfils/autenticar/5512899033.json?passwordKey=******&telefono=**********&dispositivo=IPH&password=******&SO=iOS 7.1.2&deviceId=iPhone
  14. When it comes to plaintext fail, mail is king (chart: POP3, IMAP, SMTP, FTP, TELNET, IRC, HTTP)
  15. A problem of their own making
      • For mail protocols, vast majority iPhones based on outgoing MIME headers and IMAP ID responses
      • From what we can tell, most providers supported SSL
      • If your provider doesn’t support SSL, find a provider that isn’t crap
  16. • None of the major email service providers represented
      • Built-in profiles, SSL automatically enabled
  17. HTTP Basic Access Authentication
      GET / HTTP/1.1
      Host: ******************************
      Connection: keep-alive
      Authorization: Basic bmF0YXMwOm5hdHRhczA=
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
      Accept-Encoding: gzip,deflate,sdch
      Accept-Language: en-US,en;q=0.8
      Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=176859643.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.1407700117; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
  19. HTTP Basic Access Authentication
      That looks a lot like base64…
      localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo
      natas0:nattas0
      Username and password encoding. OK if the transport layer is providing confidentiality, but not for straight HTTP.
      curl http://natas0:nattas0@*************
  20. Basic Auth and API Keys
      GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2Fcategorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1 HTTP/1.1
      Host: *********************
      Accept: application/json, text/javascript, */*; q=0.01
      Accept-Language: en-US,en;q=0.5
      Content-Type: application/json
      Authorization: Basic YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0
      Referer: http://**************************/Las-Vegas Nevada-printer-ink-toner-cartridge-leader/
      Origin: http://**************************
      Connection: keep-alive
  22. Basic Auth and API Keys
      localhost$ echo "YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" | base64 -D; echo
      api:41665abccbeb09b1cd650077b9ebdec4
      Session key for the current user. Anyone interested in buying a couple tons of toner on their account?
  23. Then we started getting bored…
      A bunch of bored guys looking at your network traffic probably isn’t a good thing
  24. Fun With Mobile Apps
      GET /gw/mtop.taobao.wireless.homepage.ac.loadPageContent/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=originaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4JgNi4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%22%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%22%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D HTTP/1.1
      Host: api.m.taobao.com
  26. User’s Default Location
      {
        "utdid": "U0gUZGIZnIwDAFX4JgNi4RRk",
        "userId": "*********",
        "ua": "iPhone",
        "cityCode": "330100",
        "nick": "******",
        "longitude": "120.050453",
        "cityName": "杭州",
        "latitude": "30.286152",
        "isPosition": false,
        "platformVersion": "7.1"
      }
  27. What’s the worst that could happen?
      It can’t be that bad…
  28. “Is this important?” (built up over slides 28–30)
      From: Deborah Simon <dms@************>
      To: Mitchell IPad Simon <md.simon@************>
      Subject: Megan’s W-4
      One attachment, “2014 W4.pdf”
  31. Nothing to worry about here
  32. Dear God WHY!?
      • Data confidentiality in transit vs at rest
      • PGP
      • S/MIME certificates cheap/free. Supported by most major mail clients (including mobile devices)
      • Encrypted zip files or document-based encryption better than nothing
  33. DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB
      You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.
  34. More fun with misconfigured mail clients
      To: *****@theorb.com
      From: Bill Quinn
      Subject: ***** pick up amount Rio 8/9
      Hey *****,
      Please pick up the balance of $6,500 for tonights performance in Vegas. Let me know if you have any questions.
      Thanks,
      Bill Quinn
      Madison House, Inc.
  35. Imagine for a moment…
      • You know someone is going to be picking up a check for $6500
      • You have detailed knowledge of the transaction
      • You have unrestricted access to the intended recipient’s email account
  37. Quick Recap
      • Through misconfiguration or a lack of controls it’s pretty easy for potentially sensitive or harmful info to make its way over a network
      • Consider defense in depth. Use multiple layers of encryption in transit, just in case.
      • Don’t trust your email password as the only thing keeping you from financial or other loss.
      • Treat every network as untrusted (especially the ones that warn you ahead of time)
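The slides on plain-text credentials (POP3, IMAP, FTP, passwords in URLs, HTTP Basic) describe the kind of rule a passive monitor runs to light up the Wall of Sheep. The script below is an added example of such a detector written for this page; it is not the speakers' tooling (a commercial appliance) nor any Wall of Sheep project code. It takes one reconstructed session at a time as text, recognises POP3 and FTP USER/PASS, IMAP LOGIN, password parameters in an HTTP request target and Basic Authorization headers, and partially redacts every password before it is stored or displayed, following the rules of engagement on slide 5. A malformed Basic token produces no alert instead of a crash, and any non-inspected protocol (TLS) yields nothing. All session samples are constructed for the example (only the Basic token is the one shown on slide 17), and the protocol labels, key lists and function names are this example's own choices.

```python
# Passive cleartext-credential detector (added example, not the deck's tooling).
# Input: one reconstructed TCP session at a time, as (protocol label, session text).
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qsl, urlsplit


@dataclass
class Alert:
    protocol: str  # this example's own labels: POP3, IMAP, FTP, HTTP-URL, HTTP-Basic
    username: str  # kept intact, as on the slides
    password: str  # partially redacted before it is stored or shown (slide 5 rule)


def redact(secret: str, keep: int = 1) -> str:
    """Keep the first `keep` characters and mask the rest ('2Q********' style)."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


# Query-string keys that commonly carry credentials (an assumed list for this example).
USER_KEYS = {"username", "user", "login", "email"}
PASSWORD_KEYS = {"password", "passwd", "pass", "pwd", "passwordkey"}


def _http(lines: List[str]) -> List[Alert]:
    alerts: List[Alert] = []
    # Credentials in the request target, e.g. /login?username=jacky&password=...
    parts = lines[0].split(" ") if lines else []
    if len(parts) >= 2:
        query = dict(parse_qsl(urlsplit(parts[1]).query))
        user = next((v for k, v in query.items() if k.lower() in USER_KEYS), "")
        for key, value in query.items():
            if key.lower() in PASSWORD_KEYS and value:
                alerts.append(Alert("HTTP-URL", user, redact(value)))
    # Basic access authentication: base64(user:password), an encoding, not encryption.
    for ln in lines[1:]:
        m = re.match(r"(?i)^Authorization:\s*Basic\s+(\S+)", ln)
        if not m:
            continue
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue  # malformed token: nothing readable, so no alert
        user, sep, password = raw.decode("utf-8", errors="replace").partition(":")
        if sep:
            alerts.append(Alert("HTTP-Basic", user, redact(password)))
    return alerts


def detect(protocol: str, session: str) -> List[Alert]:
    """Return one Alert per cleartext credential found in a reconstructed session."""
    if protocol in ("pop3", "ftp"):
        # Both protocols authenticate with 'USER <name>' followed by 'PASS <secret>'.
        user = re.search(r"(?im)^USER\s+(\S+)", session)
        password = re.search(r"(?im)^PASS\s+(\S+)", session)
        if user and password:
            return [Alert(protocol.upper(), user.group(1), redact(password.group(1)))]
    elif protocol == "imap":
        # '<tag> LOGIN <user> <secret>'; either argument may be quoted.
        m = re.search(r'(?im)^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', session)
        if m:
            return [Alert("IMAP", m.group(1), redact(m.group(2)))]
    elif protocol == "http":
        return _http(session.splitlines())
    return []  # TLS and everything else: metadata only, content is never inspected


# Constructed sessions for this example (no real captures). Only the Basic token is
# the one shown on slide 17; every other value is made up.
SAMPLE_SESSIONS = [
    ("pop3", "+OK POP3 ready\r\nCAPA\r\n-ERR authorization first\r\nUSER treasurer@example.org\r\n"
             "+OK\r\nPASS hunter22\r\n+OK\r\nSTAT\r\n+OK 8 107321\r\n"),
    ("imap", "* OK IMAP4 Service Ready\r\n1 LOGIN alice@example.org Nopass123\r\n1 OK LOGIN completed\r\n"),
    ("ftp", "220 Welcome\r\nUSER dpi@example.net\r\n331 Password required\r\nPASS ftpsecret\r\n230 OK.\r\n"),
    ("http", "GET /login?username=jacky&password=s3cret HTTP/1.1\r\nHost: www.example.test\r\n"
             "Authorization: Basic bmF0YXMwOm5hdHRhczA=\r\n\r\n"),
    ("tls", "<opaque TLS record bytes>"),
]


def run_samples() -> List[Alert]:
    """Run the detector over every constructed session and collect the alerts."""
    return [alert for protocol, text in SAMPLE_SESSIONS for alert in detect(protocol, text)]


if __name__ == "__main__":
    for a in run_samples():
        print(f"{a.protocol:<10} {a.username:<24} {a.password}")
```

The redaction happens inside `detect`, so nothing downstream (a log, a display, a tally like the chart on slide 14) ever sees a full password; a real deployment would also need TCP stream reassembly in front of this, which the example leaves to the capture tool.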
