I See You

Andrew Beard
Andrew BeardLead Software Architect at Atomic Mole
I See You
What not to do when someone is monitoring your network traffic
Andrew Beard
Brian Wohlwinder
In honor of Brian
• Lift with your legs, not your
back
• Engage your core, keep your
abs pulled in
• Avoid twisting your trunk
DEFCON 22
Our Setup
• COTS network visibility appliance for capture and analysis
• Common data tap from Packet Hacking Village
• General purpose rules and some written specifically for Wall of Sheep
to generate alerts and capture content for specific sessions
• Metadata capture for the duration of the event
• About 500M of compressed metadata between August 8 and 10,
2014
• A little over 6M transactions
Rules of Engagement
• Completely passive listener
• Ignore SSL/TLS content (metadata only)
• All credentials partially redacted
Overall Protocol Mix
HTTP
TLS/SSL
FTP
Other
XMPP
WebSocket
BitTorrent
IRC
Where’s the VPN traffic?
• Good question…
• Very few encrypted tunnels from what
we could tell. A few sessions, but
nowhere near what we expected.
• More Teredo IPv6 tunnels than real VPN
traffic
• Best guess, most aren’t using the WiFi
It’s all about the passwords
Plain Text Credentials
• POP3, IMAP, SMTP
• FTP
• IRC
• Telnet
• Occasional HTTP (mostly via URL or POST content)
POP3
+OK <21066.1407692429@************************>
CAPA
-ERR authorization first
USER lodgetreasurer@***************
+OK
PASS 2Q********
+OK
STAT
+OK 8 107321
IMAP
* OK IMAP4 Service Ready
1 LOGIN yihui.xu@******** N*****
1 OK LOGIN completed
FTP
220------- Welcome to Pure-FTPd [privsep] [TLS] -------
220-You are user number 129 of 200 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 3 minutes of inactivity.
USER dpi03@******
331 User dpi03@****** OK. Password required
PASS **********
230 OK. Current restricted directory is /
HTTP – In URL
/login?username=jacky&password=******
/login.php?username=revelation&password=******
/perfils/autenticar/5512899033.json?passwordKey=******&telefono=
**********&dispositivo=IPH&password=******&SO=iOS
7.1.2&deviceId=iPhone
When it comes to plaintext fail, mail is king
POP3
IMAP
SMTP
FTP
TELNET
IRC
HTTP
A problem of their own making
• For mail protocols, vast majority iPhones
based on outgoing MIME headers and IMAP ID
responses
• From what we can tell, most providers
supported SSL
• If your provider doesn’t support SSL, find a
provider that isn’t crap
• None of the major email service
providers represented
• Built-in profiles, SSL automatically
enabled
HTTP Basic Access Authentication
GET / HTTP/1.1
Host: ******************************
Connection: keep-alive
Authorization: Basic bmF0YXMwOm5hdHRhczA=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
image/webp,*/*;q= 0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125
Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750;
__utma=1768596 43.984037758.1407700117.1407700117.1407700117.1;
__utmb=176859643.3.10.140770011 7; __utmc=176859643;
__utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(dir
ect)|utmcmd=(none)
HTTP Basic Access Authentication
GET / HTTP/1.1
Host: ******************************
Connection: keep-alive
Authorization: Basic bmF0YXMwOm5hdHRhczA=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,
image/webp,*/*;q= 0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125
Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750;
__utma=1768596 43.984037758.1407700117.1407700117.1407700117.1;
__utmb=176859643.3.10.140770011 7; __utmc=176859643;
__utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(dir
ect)|utmcmd=(none)
HTTP Basic Access Authentication
That looks a lot like base64…
localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo
natas0:nattas0
Username and password encoding. OK if the transport layer is
providing confidentiality, but not for straight HTTP.
curl http://natas0:nattas0@*************
Basic Auth and API Keys
GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2F
categorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1
HTTP/1.1
Host: *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Authorization: Basic
YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0
Referer: http://**************************/Las-Vegas
Nevada-printer-ink-toner-cartridge-leader/
Origin: http://**************************
Connection: keep-alive
Basic Auth and API Keys
GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2F
categorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1
HTTP/1.1
Host: *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Authorization: Basic
YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0
Referer: http://**************************/Las-Vegas
Nevada-printer-ink-toner-cartridge-leader/
Origin: http://**************************
Connection: keep-alive
Basic Auth and API Keys
localhost$ echo 
"YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" | 
base64 -D; echo
api:41665abccbeb09b1cd650077b9ebdec4
Session key for the current user. Anyone interested in buying a couple
tons of toner on their account?
Then we started getting bored…
A bunch of bored guys looking at your network traffic probably isn’t a good thing
Fun With Mobile Apps
GET
/gw/mtop.taobao.wireless.homepage.ac.loadPageContent
/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=orig
inaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4Jg
Ni4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%2
2%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%
22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.
050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%2
2%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition
%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D
HTTP/1.1
Host: api.m.taobao.com
Fun With Mobile Apps
GET
/gw/mtop.taobao.wireless.homepage.ac.loadPageContent
/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=orig
inaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4Jg
Ni4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%2
2%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%
22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.
050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%2
2%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition
%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D
HTTP/1.1
Host: api.m.taobao.com
User’s Default Location
{
"utdid": "U0gUZGIZnIwDAFX4JgNi4RRk”,
"userId": ”*********",
"ua": "iPhone",
"cityCode": "330100",
"nick": ”******",
"longitude": "120.050453",
"cityName": "杭州",
"latitude": "30.286152",
"isPosition": false,
"platformVersion": "7.1”
}
What’s the worst that could
happen?
It can’t be that bad…
“Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
“Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4
“Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4
One attachment, “2014 W4.pdf”
Nothing to worry about here
Dear God WHY!?
• Data confidentiality in transit vs at rest
• PGP
• S/MIME certificates cheap/free. Supported by most major mail client
(including mobile devices)
• Encrypted zip files or document-based encryption better than nothing
DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB
You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and
pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday
morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious
and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape
known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's
Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.
More fun with misconfigured mail clients
To: *****@theorb.com
From: Bill Quinn
Subject: ***** pick up amount Rio 8/9
Hey *****,
Please pick up the balance of $6,500 for tonights performance in
Vegas.
Let me know if you have any questions.
Thanks,
Bill Quinn
Madison House, Inc.
Imagine for a moment…
• You know someone is going to
be picking up a check for $6500
• You have detailed knowledge of
the transaction
• You have unrestricted access to
the intended recipient’s email
account
Imagine for a moment…
• You know someone is going to
be picking up a check for $6500
• You have detailed knowledge of
the transaction
• You have unrestricted access to
the intended recipient’s email
account
Quick Recap
• Through misconfiguration or a lack of controls it’s pretty easy for
potentially sensitive or harmful info to make it’s way over a network
• Consider defense in depth. Use multiple layers of encryption in
transit, just in case.
• Don’t trust your email password as the only thing keeping you from
financial or other loss.
• Treat every network as untrusted (especially the ones that warn you
ahead of time)
1 of 37

Recommended

Detecting Malicious SSL Certificates Using Bro by
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroAndrew Beard
4.1K views32 slides
How to discover 1352 Wordpress plugin 0days in one hour (not really) by
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
2.2K views37 slides
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 by
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
45.5K views120 slides
Analyzing RDP traffc with Bro by
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with BroJosh Liburdi
6.7K views20 slides
Internal Pentest: from z3r0 to h3r0 by
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
2.6K views33 slides
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2 by
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
7.6K views121 slides

More Related Content

What's hot

[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To... by
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
1.7K views156 slides
Jwt == insecurity? by
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
18.6K views55 slides
Invoke-Obfuscation DerbyCon 2016 by
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
7.1K views236 slides
Offensive Python for Pentesting by
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
1.1K views44 slides
[OPD 2019] Attacking JWT tokens by
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
2.4K views34 slides
Red Team Tactics for Cracking the GSuite Perimeter by
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
10.7K views52 slides

What's hot(20)

[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To... by CODE BLUE
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE1.7K views
Jwt == insecurity? by snyff
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
snyff18.6K views
Invoke-Obfuscation DerbyCon 2016 by Daniel Bohannon
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon7.1K views
Offensive Python for Pentesting by Mike Felch
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch1.1K views
[OPD 2019] Attacking JWT tokens by OWASP
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
OWASP2.4K views
Red Team Tactics for Cracking the GSuite Perimeter by Mike Felch
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
Mike Felch10.7K views
NotaCon 2011 - Networking for Pentesters by Rob Fuller
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
Rob Fuller5.4K views
A Forgotten HTTP Invisibility Cloak by Soroush Dalili
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili17.6K views
BSides Philly Finding a Company's BreakPoint by Andrew McNicol
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
Andrew McNicol346 views
Big problems with big data – Hadoop interfaces security by SecuRing
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
SecuRing6.9K views
BSides_Charm2015_Info sec hunters_gathers by Andrew McNicol
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol2.2K views
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu... by Daniel Bohannon
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon3.4K views
SANS DFIR Prague: PowerShell & WMI by Joe Slowik
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik1.5K views
TeelTech - Advancing Mobile Device Forensics (online version) by Mike Felch
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)
Mike Felch614 views
DevOops & How I hacked you DevopsDays DC June 2015 by Chris Gates
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates3.2K views
Invoke-Obfuscation nullcon 2017 by Daniel Bohannon
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon6.8K views
The Travelling Pentester: Diaries of the Shortest Path to Compromise by Will Schroeder
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder9.1K views
Hunting for the secrets in a cloud forest by SecuRing
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing259 views

Similar to I See You

State of Authenticating RESTful APIs by
State of Authenticating RESTful APIsState of Authenticating RESTful APIs
State of Authenticating RESTful APIsrobwinch
580 views40 slides
Fun With SHA2 Certificates by
Fun With SHA2 CertificatesFun With SHA2 Certificates
Fun With SHA2 CertificatesGabriella Davis
3.1K views54 slides
Presentation To Vo Ip Round Table V2 by
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Warren Bent
460 views24 slides
Authenticated Identites in VoIP Call Control by
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlWarren Bent
397 views24 slides
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 by
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
2.7K views120 slides
Wireless Hotspot: The Hackers Playground by
Wireless Hotspot: The Hackers PlaygroundWireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundJim Geovedi
20.3K views44 slides

Similar to I See You(20)

State of Authenticating RESTful APIs by robwinch
State of Authenticating RESTful APIsState of Authenticating RESTful APIs
State of Authenticating RESTful APIs
robwinch580 views
Presentation To Vo Ip Round Table V2 by Warren Bent
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
Warren Bent460 views
Authenticated Identites in VoIP Call Control by Warren Bent
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
Warren Bent397 views
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 by Chris Gates
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Chris Gates2.7K views
Wireless Hotspot: The Hackers Playground by Jim Geovedi
Wireless Hotspot: The Hackers PlaygroundWireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers Playground
Jim Geovedi20.3K views
Microsoft Bluehat 2017: Mobile SSL Interception by Himanshu Dwivedi
Microsoft Bluehat 2017: Mobile SSL InterceptionMicrosoft Bluehat 2017: Mobile SSL Interception
Microsoft Bluehat 2017: Mobile SSL Interception
Himanshu Dwivedi82 views
Malware Analysis For The Enterprise by Jason Ross
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
Jason Ross339 views
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like... by Felipe Prado
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
Felipe Prado106 views
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf by Lior Rotkovitch
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Lior Rotkovitch102 views
What you wanted to know about MySQL, but could not find using inernal instrum... by Sveta Smirnova
What you wanted to know about MySQL, but could not find using inernal instrum...What you wanted to know about MySQL, but could not find using inernal instrum...
What you wanted to know about MySQL, but could not find using inernal instrum...
Sveta Smirnova2.2K views
Go passwordless with fido2 by Rob Dudley
Go passwordless with fido2Go passwordless with fido2
Go passwordless with fido2
Rob Dudley1.3K views
Aditya - Hacking Client Side Insecurities - ClubHack2008 by ClubHack
Aditya - Hacking Client Side Insecurities - ClubHack2008Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008
ClubHack183 views
CrikeyCon VI - The Boring Security Talk by kieranjacobsen
CrikeyCon VI - The Boring Security TalkCrikeyCon VI - The Boring Security Talk
CrikeyCon VI - The Boring Security Talk
kieranjacobsen673 views
VoIP Security 101 what you need to know by Eric Klein
VoIP Security 101   what you need to knowVoIP Security 101   what you need to know
VoIP Security 101 what you need to know
Eric Klein758 views
Fundamentals of network hacking by Pranshu Pareek
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek91 views
Shameful secrets of proprietary network protocols by Slawomir Jasek
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek432 views

Recently uploaded

IETF 118: Starlink Protocol Performance by
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
124 views22 slides
WEB 2.O TOOLS: Empowering education.pptx by
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptxnarmadhamanohar21
15 views16 slides
UiPath Document Understanding_Day 3.pptx by
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptxUiPathCommunity
95 views25 slides
We see everywhere that many people are talking about technology.docx by
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docxssuserc5935b
6 views2 slides
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 by
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲Infosec train
7 views6 slides
Building trust in our information ecosystem: who do we trust in an emergency by
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergencyTina Purnat
85 views18 slides

Recently uploaded(20)

IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC124 views
UiPath Document Understanding_Day 3.pptx by UiPathCommunity
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity95 views
We see everywhere that many people are talking about technology.docx by ssuserc5935b
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docx
ssuserc5935b6 views
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲 by Infosec train
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
𝐒𝐨𝐥𝐚𝐫𝐖𝐢𝐧𝐝𝐬 𝐂𝐚𝐬𝐞 𝐒𝐭𝐮𝐝𝐲
Infosec train7 views
Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat85 views
AI Powered event-driven translation bot by Jimmy Dahlqvist
AI Powered event-driven translation botAI Powered event-driven translation bot
AI Powered event-driven translation bot
Jimmy Dahlqvist16 views
Existing documentaries (1).docx by MollyBrown86
Existing documentaries (1).docxExisting documentaries (1).docx
Existing documentaries (1).docx
MollyBrown8613 views
PORTFOLIO 1 (Bret Michael Pepito).pdf by brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess04107 views
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf by RIPE NCC
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC9 views
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf by RIPE NCC
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC15 views
google forms survey (1).pptx by MollyBrown86
google forms survey (1).pptxgoogle forms survey (1).pptx
google forms survey (1).pptx
MollyBrown8614 views
Serverless cloud architecture patterns by Jimmy Dahlqvist
Serverless cloud architecture patternsServerless cloud architecture patterns
Serverless cloud architecture patterns
Jimmy Dahlqvist17 views

I See You

  • 1. I See You What not to do when someone is monitoring your network traffic Andrew Beard Brian Wohlwinder
  • 2. In honor of Brian • Lift with your legs, not your back • Engage your core, keep your abs pulled in • Avoid twisting your trunk
  • 4. Our Setup • COTS network visibility appliance for capture and analysis • Common data tap from Packet Hacking Village • General purpose rules and some written specifically for Wall of Sheep to generate alerts and capture content for specific sessions • Metadata capture for the duration of the event • About 500M of compressed metadata between August 8 and 10, 2014 • A little over 6M transactions
  • 5. Rules of Engagement • Completely passive listener • Ignore SSL/TLS content (metadata only) • All credentials partially redacted
  • 7. Where’s the VPN traffic? • Good question… • Very few encrypted tunnels from what we could tell. A few sessions, but nowhere near what we expected. • More Teredo IPv6 tunnels than real VPN traffic • Best guess, most aren’t using the WiFi
  • 8. It’s all about the passwords
  • 9. Plain Text Credentials • POP3, IMAP, SMTP • FTP • IRC • Telnet • Occasional HTTP (mostly via URL or POST content)
  • 10. POP3 +OK <21066.1407692429@************************> CAPA -ERR authorization first USER lodgetreasurer@*************** +OK PASS 2Q******** +OK STAT +OK 8 107321
  • 11. IMAP * OK IMAP4 Service Ready 1 LOGIN yihui.xu@******** N***** 1 OK LOGIN completed
  • 12. FTP 220------- Welcome to Pure-FTPd [privsep] [TLS] ------- 220-You are user number 129 of 200 allowed. 220-Local time is now 14:45. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 3 minutes of inactivity. USER dpi03@****** 331 User dpi03@****** OK. Password required PASS ********** 230 OK. Current restricted directory is /
  • 13. HTTP – In URL /login?username=jacky&password=****** /login.php?username=revelation&password=****** /perfils/autenticar/5512899033.json?passwordKey=******&telefono= **********&dispositivo=IPH&password=******&SO=iOS 7.1.2&deviceId=iPhone
  • 14. When it comes to plaintext fail, mail is king POP3 IMAP SMTP FTP TELNET IRC HTTP
  • 15. A problem of their own making • For mail protocols, vast majority iPhones based on outgoing MIME headers and IMAP ID responses • From what we can tell, most providers supported SSL • If your provider doesn’t support SSL, find a provider that isn’t crap
  • 16. • None of the major email service providers represented • Built-in profiles, SSL automatically enabled
  • 17. HTTP Basic Access Authentication GET / HTTP/1.1 Host: ****************************** Connection: keep-alive Authorization: Basic bmF0YXMwOm5hdHRhczA= Accept: text/html,application/xhtml+xml,application/xml;q=0.9, image/webp,*/*;q= 0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=1768596 43.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.140770011 7; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(dir ect)|utmcmd=(none)
  • 18. HTTP Basic Access Authentication GET / HTTP/1.1 Host: ****************************** Connection: keep-alive Authorization: Basic bmF0YXMwOm5hdHRhczA= Accept: text/html,application/xhtml+xml,application/xml;q=0.9, image/webp,*/*;q= 0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=1768596 43.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.140770011 7; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(dir ect)|utmcmd=(none)
  • 19. HTTP Basic Access Authentication That looks a lot like base64… localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo natas0:nattas0 Username and password encoding. OK if the transport layer is providing confidentiality, but not for straight HTTP. curl http://natas0:nattas0@*************
  • 20. Basic Auth and API Keys GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2F categorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1 HTTP/1.1 Host: ********************* Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/json Authorization: Basic YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0 Referer: http://**************************/Las-Vegas Nevada-printer-ink-toner-cartridge-leader/ Origin: http://************************** Connection: keep-alive
  • 21. Basic Auth and API Keys GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2F categorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1 HTTP/1.1 Host: ********************* Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/json Authorization: Basic YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0 Referer: http://**************************/Las-Vegas Nevada-printer-ink-toner-cartridge-leader/ Origin: http://************************** Connection: keep-alive
  • 22. Basic Auth and API Keys localhost$ echo "YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" | base64 -D; echo api:41665abccbeb09b1cd650077b9ebdec4 Session key for the current user. Anyone interested in buying a couple tons of toner on their account?
  • 23. Then we started getting bored… A bunch of bored guys looking at your network traffic probably isn’t a good thing
  • 24. Fun With Mobile Apps GET /gw/mtop.taobao.wireless.homepage.ac.loadPageContent /3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=orig inaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4Jg Ni4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%2 2%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C% 22nick%22%3A%22******%22%2C%22longitude%22%3A%22120. 050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%2 2%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition %22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D HTTP/1.1 Host: api.m.taobao.com
  • 25. Fun With Mobile Apps GET /gw/mtop.taobao.wireless.homepage.ac.loadPageContent /3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=orig inaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4Jg Ni4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%2 2%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C% 22nick%22%3A%22******%22%2C%22longitude%22%3A%22120. 050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%2 2%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition %22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D HTTP/1.1 Host: api.m.taobao.com
  • 26. User’s Default Location { "utdid": "U0gUZGIZnIwDAFX4JgNi4RRk”, "userId": ”*********", "ua": "iPhone", "cityCode": "330100", "nick": ”******", "longitude": "120.050453", "cityName": "杭州", "latitude": "30.286152", "isPosition": false, "platformVersion": "7.1” }
  • 27. What’s the worst that could happen? It can’t be that bad…
  • 28. “Is this important?” From: Deborah Simon <dms@************> To: Mitchell IPad Simon <md.simon@************>
  • 29. “Is this important?” From: Deborah Simon <dms@************> To: Mitchell IPad Simon <md.simon@************> Subject: Megan’s W-4
  • 30. “Is this important?” From: Deborah Simon <dms@************> To: Mitchell IPad Simon <md.simon@************> Subject: Megan’s W-4 One attachment, “2014 W4.pdf”
  • 31. Nothing to worry about here
  • 32. Dear God WHY!? • Data confidentiality in transit vs at rest • PGP • S/MIME certificates cheap/free. Supported by most major mail client (including mobile devices) • Encrypted zip files or document-based encryption better than nothing
  • 33. DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.
  • 34. More fun with misconfigured mail clients To: *****@theorb.com From: Bill Quinn Subject: ***** pick up amount Rio 8/9 Hey *****, Please pick up the balance of $6,500 for tonights performance in Vegas. Let me know if you have any questions. Thanks, Bill Quinn Madison House, Inc.
  • 35. Imagine for a moment… • You know someone is going to be picking up a check for $6500 • You have detailed knowledge of the transaction • You have unrestricted access to the intended recipient’s email account
  • 36. Imagine for a moment… • You know someone is going to be picking up a check for $6500 • You have detailed knowledge of the transaction • You have unrestricted access to the intended recipient’s email account
  • 37. Quick Recap • Through misconfiguration or a lack of controls it’s pretty easy for potentially sensitive or harmful info to make it’s way over a network • Consider defense in depth. Use multiple layers of encryption in transit, just in case. • Don’t trust your email password as the only thing keeping you from financial or other loss. • Treat every network as untrusted (especially the ones that warn you ahead of time)

Editor's Notes

  1. Brian couldn't be here today Recovering from severe back issues
  2. In honor of Brian, wanted to say a few words about protecting your back Picking something up or just bending over Avoid long and painful recovery, and bailing on your co presenter
  3. Setup last year Couple very basic (and very stupid) was to pass credentials in the clear Weird things we found Wall of Sheep at DEFCON 22, August 2014 Fidelis sponsor Fun to park a couple guys on a network tap and see what we could find
  4. Mostly OpenVPN Keep it on cellular Paranoid enough to use VPN, paranoid enough not to use shared network
  5. So that’s where we started
  6. Fish in a barrel
  7. Metadata collection. Plug Bro, Critical Stack, Liam Randall Other HTTP, HTTP POST + keyword
  8. Very different from the protocol mix above, in other category less than 10% 75% here Why? Beaconing. Almost all other protocols are active, and transactional. You have to do something. Mail, especially on mobile devices, a given. Repeated logins. Easy to misconfigure something in the background.
  9. One class of credentials on the wire, straight plaintext. Another class, encoded Don't like obfuscated, because it's a poor job
  10. HTTP client header
  11. Content aware, Bro Liam Randall, Critical Stack awesome Bro training
  12. Rule looking for any interesting documents. Found a lot, mostly from defcon file share. Large percentage of FTP traffic. So a woman walks over, sits down at our setup, and says “teach me something”. Show her setup, how things work, starts playing around. About 5 minutes later she says “Is this important?”
  13. All data in transit. Consider implication though. Even if they hadn’t been actively looking at the file anyone could have logged.
  14. Part of a larger email exchange