I See You

Andrew Beard, Lead Software Architect at Atomic Mole
I See You
What not to do when someone is monitoring your network traffic
Andrew Beard
Brian Wohlwinder
In honor of Brian
• Lift with your legs, not your back
• Engage your core, keep your abs pulled in
• Avoid twisting your trunk
DEFCON 22
Our Setup
• COTS network visibility appliance for capture and analysis
• Common data tap from Packet Hacking Village
• General purpose rules and some written specifically for Wall of Sheep to generate alerts and capture content for specific sessions
• Metadata capture for the duration of the event
• About 500M of compressed metadata between August 8 and 10, 2014
• A little over 6M transactions
Rules of Engagement
• Completely passive listener
• Ignore SSL/TLS content (metadata only)
• All credentials partially redacted
Overall Protocol Mix
(pie chart; only its labels survive extraction: HTTP, TLS/SSL, FTP, Other, XMPP, WebSocket, BitTorrent, IRC)
Where’s the VPN traffic?
• Good question…
• Very few encrypted tunnels from what we could tell. A few sessions, but nowhere near what we expected.
• More Teredo IPv6 tunnels than real VPN traffic
• Best guess, most aren’t using the WiFi
It’s all about the passwords
Plain Text Credentials
• POP3, IMAP, SMTP
• FTP
• IRC
• Telnet
• Occasional HTTP (mostly via URL or POST content)
POP3
+OK <21066.1407692429@************************>
CAPA
-ERR authorization first
USER lodgetreasurer@***************
+OK
PASS 2Q********
+OK
STAT
+OK 8 107321
IMAP
* OK IMAP4 Service Ready
1 LOGIN yihui.xu@******** N*****
1 OK LOGIN completed
FTP
220------- Welcome to Pure-FTPd [privsep] [TLS] -------
220-You are user number 129 of 200 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 3 minutes of inactivity.
USER dpi03@******
331 User dpi03@****** OK. Password required
PASS **********
230 OK. Current restricted directory is /
HTTP – In URL
/login?username=jacky&password=******
/login.php?username=revelation&password=******
/perfils/autenticar/5512899033.json?passwordKey=******&telefono=**********&dispositivo=IPH&password=******&SO=iOS 7.1.2&deviceId=iPhone
When it comes to plaintext fail, mail is king
(chart of plaintext credentials by protocol; only its labels survive extraction: POP3, IMAP, SMTP, FTP, TELNET, IRC, HTTP)
A problem of their own making
• For mail protocols, the vast majority were iPhones, based on outgoing MIME headers and IMAP ID responses
• From what we can tell, most providers supported SSL
• If your provider doesn’t support SSL, find a provider that isn’t crap
• None of the major email service providers were represented
• Built-in profiles, SSL automatically enabled
HTTP Basic Access Authentication
GET / HTTP/1.1
Host: ******************************
Connection: keep-alive
Authorization: Basic bmF0YXMwOm5hdHRhczA=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=176859643.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.1407700117; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP Basic Access Authentication
That looks a lot like base64…
localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo
natas0:nattas0
Base64 only encodes the username and password; that is fine when the transport layer is providing confidentiality, but not for straight HTTP.
curl http://natas0:nattas0@*************
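A small detector in the spirit of the capture rules described under Our Setup, written as an added example for this page (it is not the appliance's rule set or the authors' code): it scans reassembled stream text for the kinds of plaintext login shown above (POP3 and FTP USER/PASS, IMAP LOGIN, HTTP Basic, passwords in URL query strings) and reports them partially redacted, as the rules of engagement require. The sample sessions are constructed; only the Basic token from the request above is taken from the page.

```python
"""Plaintext credential detector, added for this page (not the talk's
appliance rules).  Given the text of a reassembled TCP stream, it finds
logins sent in the clear over POP3, FTP, IMAP and HTTP and reports them
partially redacted, following the talk's rules of engagement."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# USER/PASS is shared by POP3 and FTP; the two are told apart by the
# server's reply style (+OK/-ERR versus three-digit codes).
USER_CMD = re.compile(r"^USER (\S+)\s*$", re.M | re.I)
PASS_CMD = re.compile(r"^PASS (\S+)\s*$", re.M | re.I)
# IMAP: "<tag> LOGIN <user> <password>" (quoted and literal forms not handled)
IMAP_LOGIN = re.compile(r"^\S+ LOGIN (\S+) (\S+)\s*$", re.M | re.I)
HTTP_REQ = re.compile(r"^(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/1\.[01]\s*$", re.M)
BASIC_HDR = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)
FTP_REPLY = re.compile(r"^\d{3}[ -]", re.M)
PASSWORD_PARAMS = ("password", "passwd", "pass", "pwd", "passwordkey")
USER_PARAMS = ("username", "user", "login", "email")


def classify(stream: str):
    """Guess the application protocol from the text of a stream."""
    if HTTP_REQ.search(stream):
        return "HTTP"
    if stream.startswith("* OK") or IMAP_LOGIN.search(stream):
        return "IMAP"
    if "+OK" in stream or "-ERR" in stream:
        return "POP3"
    if FTP_REPLY.search(stream):
        return "FTP"
    return None


def decode_basic(token: str):
    """Decode a Basic token to (user, password); None if it is not base64 'user:pass'."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def scan_stream(stream: str):
    """Return [(protocol, user, password)] for every plaintext login in the stream."""
    proto = classify(stream)
    found = []
    if proto in ("POP3", "FTP"):
        for user, pw in zip(USER_CMD.findall(stream), PASS_CMD.findall(stream)):
            found.append((proto, user, pw))
    elif proto == "IMAP":
        for user, pw in IMAP_LOGIN.findall(stream):
            found.append((proto, user, pw))
    elif proto == "HTTP":
        for m in BASIC_HDR.finditer(stream):
            creds = decode_basic(m.group(1))
            if creds:
                found.append(("HTTP-Basic", creds[0], creds[1]))
        for m in HTTP_REQ.finditer(stream):
            # Login forms that put the password in the URL (slide "HTTP - In URL")
            params = {k.lower(): v for k, v in parse_qsl(urlsplit(m.group(1)).query)}
            pw = next((params[k] for k in PASSWORD_PARAMS if k in params), None)
            if pw is not None:
                user = next((params[k] for k in USER_PARAMS if k in params), None)
                found.append(("HTTP-URL", user, pw))
    return found


def redact(secret: str, keep: int = 2) -> str:
    """Keep the first `keep` characters and mask the rest, e.g. '2Q********'."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def redact_user(user):
    """Mask the domain part of an address-style user name, as on the slides."""
    if user and "@" in user:
        local, _, domain = user.partition("@")
        return f"{local}@{'*' * len(domain)}"
    return user


def report(stream: str):
    """Redacted findings, suitable for a Wall of Sheep style display."""
    return [(p, redact_user(u), redact(pw)) for p, u, pw in scan_stream(stream)]


# Constructed sample streams modelled on the captures shown on the slides.
POP3_SAMPLE = ("+OK <21066.1407692429@mail.example.net>\r\nCAPA\r\n"
               "-ERR authorization first\r\nUSER treasurer@example.net\r\n+OK\r\n"
               "PASS hunter22\r\n+OK\r\nSTAT\r\n+OK 8 107321\r\n")
IMAP_SAMPLE = ("* OK IMAP4 Service Ready\r\n1 LOGIN alice@example.org Sup3rSecret\r\n"
               "1 OK LOGIN completed\r\n")
FTP_SAMPLE = ("220 Welcome to Pure-FTPd [privsep] [TLS]\r\nUSER dpi03@example.com\r\n"
              "331 User dpi03@example.com OK. Password required\r\nPASS ftp-pass-1\r\n"
              "230 OK. Current restricted directory is /\r\n")
HTTP_BASIC_SAMPLE = ("GET / HTTP/1.1\r\nHost: www.example.com\r\n"
                     "Authorization: Basic bmF0YXMwOm5hdHRhczA=\r\n"  # token from the slide
                     "Connection: keep-alive\r\n\r\n")
HTTP_URL_SAMPLE = ("GET /login?username=jacky&password=letmein HTTP/1.1\r\n"
                   "Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for sample in (POP3_SAMPLE, IMAP_SAMPLE, FTP_SAMPLE, HTTP_BASIC_SAMPLE, HTTP_URL_SAMPLE):
        for proto, user, pw in report(sample):
            print(f"{proto:10} {user} / {pw}")
```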
Basic Auth and API Keys
GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2Fcategorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1 HTTP/1.1
Host: *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Authorization: Basic YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0
Referer: http://**************************/Las-Vegas Nevada-printer-ink-toner-cartridge-leader/
Origin: http://**************************
Connection: keep-alive
Basic Auth and API Keys
localhost$ echo "YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" | base64 -D; echo
api:41665abccbeb09b1cd650077b9ebdec4
Session key for the current user. Anyone interested in buying a couple tons of toner on their account?
Then we started getting bored…
A bunch of bored guys looking at your network traffic probably isn’t a good thing
Fun With Mobile Apps
GET /gw/mtop.taobao.wireless.homepage.ac.loadPageContent/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=originaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4JgNi4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%22%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%22%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D HTTP/1.1
Host: api.m.taobao.com
User’s Default Location
{
  "utdid": "U0gUZGIZnIwDAFX4JgNi4RRk",
  "userId": "*********",
  "ua": "iPhone",
  "cityCode": "330100",
  "nick": "******",
  "longitude": "120.050453",
  "cityName": "杭州",
  "latitude": "30.286152",
  "isPosition": false,
  "platformVersion": "7.1"
}
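To show what the request above actually carries, here is an added example (not code from the talk) that pulls the URL-encoded JSON out of the `data` query parameter and lists the location-bearing fields; the URL is reconstructed from the slide with the user id and nickname replaced by placeholders, and the percent-encoded city name decodes to 杭州.

```python
"""Decode JSON carried in a URL query parameter, as in the mobile-app request
above.  Added example; the URL is reconstructed from the slide with the user
id and nickname replaced by placeholders."""
import json
from urllib.parse import parse_qs, urlsplit

SAMPLE_URL = (
    "/gw/mtop.taobao.wireless.homepage.ac.loadPageContent/3.0/"
    "?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=originaljson"
    "&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4JgNi4RRk%22%2C"
    "%22userId%22%3A%22USERID-PLACEHOLDER%22%2C%22ua%22%3A%22iPhone%22%2C"
    "%22cityCode%22%3A%22330100%22%2C%22nick%22%3A%22NICK-PLACEHOLDER%22%2C"
    "%22longitude%22%3A%22120.050453%22%2C"
    "%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%22%2C"
    "%22latitude%22%3A%2230.286152%22%2C%22isPosition%22%3Afalse%2C"
    "%22platformVersion%22%3A%227.1%22%7D"
)

# Field names that reveal where the user is; extend to suit the app under review.
LOCATION_FIELDS = ("latitude", "longitude", "cityName", "cityCode")


def json_query_params(url: str) -> dict:
    """Return {name: object} for every query parameter whose value is a JSON object."""
    found = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        for value in values:  # parse_qs has already percent-decoded the value
            if value.startswith("{"):
                try:
                    found[name] = json.loads(value)
                except json.JSONDecodeError:
                    continue
    return found


def location_fields(url: str) -> dict:
    """Collect location-bearing fields from any JSON query parameter in the URL."""
    leaked = {}
    for obj in json_query_params(url).values():
        leaked.update({k: obj[k] for k in LOCATION_FIELDS if k in obj})
    return leaked


def coordinates(url: str):
    """(lat, lon) as floats, or None when the URL carries no usable pair."""
    fields = location_fields(url)
    try:
        return float(fields["latitude"]), float(fields["longitude"])
    except (KeyError, ValueError):
        return None


if __name__ == "__main__":
    print(json.dumps(json_query_params(SAMPLE_URL), ensure_ascii=False, indent=2))
    print("location fields:", location_fields(SAMPLE_URL))
    print("coordinates:", coordinates(SAMPLE_URL))
```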
What’s the worst that could happen?
It can’t be that bad…
“Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4
One attachment, “2014 W4.pdf”
Nothing to worry about here
Dear God WHY!?
• Data confidentiality in transit vs at rest
• PGP
• S/MIME certificates cheap/free. Supported by most major mail clients (including mobile devices)
• Encrypted zip files or document-based encryption better than nothing
DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB
You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and
pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday
morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious
and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape
known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's
Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.
More fun with misconfigured mail clients
To: *****@theorb.com
From: Bill Quinn
Subject: ***** pick up amount Rio 8/9
Hey *****,
Please pick up the balance of $6,500 for tonight's performance in Vegas.
Let me know if you have any questions.
Thanks,
Bill Quinn
Madison House, Inc.
Imagine for a moment…
• You know someone is going to be picking up a check for $6500
• You have detailed knowledge of the transaction
• You have unrestricted access to the intended recipient’s email account
Quick Recap
• Through misconfiguration or a lack of controls it’s pretty easy for potentially sensitive or harmful info to make its way over a network
• Consider defense in depth. Use multiple layers of encryption in transit, just in case.
• Don’t trust your email password as the only thing keeping you from financial or other loss.
• Treat every network as untrusted (especially the ones that warn you ahead of time)
1 of 37

Recommended

Detecting Malicious SSL Certificates Using Bro by
Detecting Malicious SSL Certificates Using BroDetecting Malicious SSL Certificates Using Bro
Detecting Malicious SSL Certificates Using BroAndrew Beard
4.1K views•32 slides
How to discover 1352 Wordpress plugin 0days in one hour (not really) by
How to discover 1352 Wordpress plugin 0days in one hour (not really)How to discover 1352 Wordpress plugin 0days in one hour (not really)
How to discover 1352 Wordpress plugin 0days in one hour (not really)Larry Cashdollar
2.2K views•37 slides
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 by
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
45.5K views•120 slides
Analyzing RDP traffc with Bro by
Analyzing RDP traffc with BroAnalyzing RDP traffc with Bro
Analyzing RDP traffc with BroJosh Liburdi
6.7K views•20 slides
Internal Pentest: from z3r0 to h3r0 by
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
2.6K views•33 slides
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2 by
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
7.6K views•121 slides

More Related Content

What's hot

[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To... by
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
1.7K views•156 slides
Jwt == insecurity? by
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?snyff
18.6K views•55 slides
Invoke-Obfuscation DerbyCon 2016 by
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
7.1K views•236 slides
Offensive Python for Pentesting by
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for PentestingMike Felch
1.1K views•44 slides
[OPD 2019] Attacking JWT tokens by
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokensOWASP
2.4K views•34 slides
Red Team Tactics for Cracking the GSuite Perimeter by
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
10.7K views•52 slides

What's hot(20)

[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To... by CODE BLUE
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
CODE BLUE•1.7K views
Jwt == insecurity? by snyff
Jwt == insecurity?Jwt == insecurity?
Jwt == insecurity?
snyff•18.6K views
Invoke-Obfuscation DerbyCon 2016 by Daniel Bohannon
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016
Daniel Bohannon•7.1K views
Offensive Python for Pentesting by Mike Felch
Offensive Python for PentestingOffensive Python for Pentesting
Offensive Python for Pentesting
Mike Felch•1.1K views
[OPD 2019] Attacking JWT tokens by OWASP
[OPD 2019] Attacking JWT tokens[OPD 2019] Attacking JWT tokens
[OPD 2019] Attacking JWT tokens
OWASP•2.4K views
Red Team Tactics for Cracking the GSuite Perimeter by Mike Felch
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
Mike Felch•10.7K views
NotaCon 2011 - Networking for Pentesters by Rob Fuller
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
Rob Fuller•5.4K views
A Forgotten HTTP Invisibility Cloak by Soroush Dalili
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
Soroush Dalili•17.6K views
BSides Philly Finding a Company's BreakPoint by Andrew McNicol
BSides Philly Finding a Company's BreakPointBSides Philly Finding a Company's BreakPoint
BSides Philly Finding a Company's BreakPoint
Andrew McNicol•346 views
Big problems with big data – Hadoop interfaces security by SecuRing
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
SecuRing•6.9K views
BSides_Charm2015_Info sec hunters_gathers by Andrew McNicol
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
Andrew McNicol•2.2K views
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu... by Daniel Bohannon
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon•3.4K views
SANS DFIR Prague: PowerShell & WMI by Joe Slowik
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik•1.5K views
TeelTech - Advancing Mobile Device Forensics (online version) by Mike Felch
TeelTech - Advancing Mobile Device Forensics (online version)TeelTech - Advancing Mobile Device Forensics (online version)
TeelTech - Advancing Mobile Device Forensics (online version)
Mike Felch•614 views
DevOops & How I hacked you DevopsDays DC June 2015 by Chris Gates
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates•3.2K views
Invoke-Obfuscation nullcon 2017 by Daniel Bohannon
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon•6.8K views
Hacking Wordpress Plugins by Larry Cashdollar
Hacking Wordpress PluginsHacking Wordpress Plugins
Hacking Wordpress Plugins
Larry Cashdollar•2.3K views
The Travelling Pentester: Diaries of the Shortest Path to Compromise by Will Schroeder
The Travelling Pentester: Diaries of the Shortest Path to CompromiseThe Travelling Pentester: Diaries of the Shortest Path to Compromise
The Travelling Pentester: Diaries of the Shortest Path to Compromise
Will Schroeder•9.1K views
Hunting for the secrets in a cloud forest by SecuRing
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
SecuRing•259 views

Similar to I See You

State of Authenticating RESTful APIs by
State of Authenticating RESTful APIsState of Authenticating RESTful APIs
State of Authenticating RESTful APIsrobwinch
580 views•40 slides
Fun With SHA2 Certificates by
Fun With SHA2 CertificatesFun With SHA2 Certificates
Fun With SHA2 CertificatesGabriella Davis
3.1K views•54 slides
Presentation To Vo Ip Round Table V2 by
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Warren Bent
460 views•24 slides
Authenticated Identites in VoIP Call Control by
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlWarren Bent
397 views•24 slides
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 by
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
2.7K views•120 slides
Wireless Hotspot: The Hackers Playground by
Wireless Hotspot: The Hackers PlaygroundWireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers PlaygroundJim Geovedi
20.3K views•44 slides

Similar to I See You(20)

State of Authenticating RESTful APIs by robwinch
State of Authenticating RESTful APIsState of Authenticating RESTful APIs
State of Authenticating RESTful APIs
robwinch•580 views
Fun With SHA2 Certificates by Gabriella Davis
Fun With SHA2 CertificatesFun With SHA2 Certificates
Fun With SHA2 Certificates
Gabriella Davis•3.1K views
Presentation To Vo Ip Round Table V2 by Warren Bent
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
Warren Bent•460 views
Authenticated Identites in VoIP Call Control by Warren Bent
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
Warren Bent•397 views
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 by Chris Gates
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Chris Gates•2.7K views
Wireless Hotspot: The Hackers Playground by Jim Geovedi
Wireless Hotspot: The Hackers PlaygroundWireless Hotspot: The Hackers Playground
Wireless Hotspot: The Hackers Playground
Jim Geovedi•20.3K views
Microsoft Bluehat 2017: Mobile SSL Interception by Himanshu Dwivedi
Microsoft Bluehat 2017: Mobile SSL InterceptionMicrosoft Bluehat 2017: Mobile SSL Interception
Microsoft Bluehat 2017: Mobile SSL Interception
Himanshu Dwivedi•82 views
Malware Analysis For The Enterprise by Jason Ross
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
Jason Ross•339 views
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like... by Felipe Prado
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
Felipe Prado•106 views
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf by Lior Rotkovitch
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdfBrute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf
Lior Rotkovitch•102 views
The Boring Security Talk by kieranjacobsen
The Boring Security TalkThe Boring Security Talk
The Boring Security Talk
kieranjacobsen•480 views
What you wanted to know about MySQL, but could not find using inernal instrum... by Sveta Smirnova
What you wanted to know about MySQL, but could not find using inernal instrum...What you wanted to know about MySQL, but could not find using inernal instrum...
What you wanted to know about MySQL, but could not find using inernal instrum...
Sveta Smirnova•2.2K views
Go passwordless with fido2 by Rob Dudley
Go passwordless with fido2Go passwordless with fido2
Go passwordless with fido2
Rob Dudley•1.3K views
2023-May.pptx by mnaeemuetcs
2023-May.pptx2023-May.pptx
2023-May.pptx
mnaeemuetcs•23 views
Aditya - Hacking Client Side Insecurities - ClubHack2008 by ClubHack
Aditya - Hacking Client Side Insecurities - ClubHack2008Aditya - Hacking Client Side Insecurities - ClubHack2008
Aditya - Hacking Client Side Insecurities - ClubHack2008
ClubHack•183 views
CrikeyCon VI - The Boring Security Talk by kieranjacobsen
CrikeyCon VI - The Boring Security TalkCrikeyCon VI - The Boring Security Talk
CrikeyCon VI - The Boring Security Talk
kieranjacobsen•673 views
VoIP Security 101 what you need to know by Eric Klein
VoIP Security 101   what you need to knowVoIP Security 101   what you need to know
VoIP Security 101 what you need to know
Eric Klein•758 views
Fundamentals of network hacking by Pranshu Pareek
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek•91 views
Shameful secrets of proprietary network protocols by Slawomir Jasek
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek•432 views

Recently uploaded

IETF 118: Starlink Protocol Performance by
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol PerformanceAPNIC
124 views•22 slides
WEB 2.O TOOLS: Empowering education.pptx by
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptxnarmadhamanohar21
15 views•16 slides
UiPath Document Understanding_Day 3.pptx by
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptxUiPathCommunity
95 views•25 slides
We see everywhere that many people are talking about technology.docx by
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docxssuserc5935b
6 views•2 slides
š’šØš„ššš«š–š¢š§šš¬ š‚ššš¬šž š’š­š®šš² by
š’šØš„ššš«š–š¢š§šš¬ š‚ššš¬šž š’š­š®šš²š’šØš„ššš«š–š¢š§šš¬ š‚ššš¬šž š’š­š®šš²
š’šØš„ššš«š–š¢š§šš¬ š‚ššš¬šž š’š­š®šš²Infosec train
7 views•6 slides
Building trust in our information ecosystem: who do we trust in an emergency by
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergencyTina Purnat
85 views•18 slides

Recently uploaded(20)

IETF 118: Starlink Protocol Performance by APNIC
IETF 118: Starlink Protocol PerformanceIETF 118: Starlink Protocol Performance
IETF 118: Starlink Protocol Performance
APNIC•124 views
WEB 2.O TOOLS: Empowering education.pptx by narmadhamanohar21
WEB 2.O TOOLS: Empowering education.pptxWEB 2.O TOOLS: Empowering education.pptx
WEB 2.O TOOLS: Empowering education.pptx
narmadhamanohar21•15 views
UiPath Document Understanding_Day 3.pptx by UiPathCommunity
UiPath Document Understanding_Day 3.pptxUiPath Document Understanding_Day 3.pptx
UiPath Document Understanding_Day 3.pptx
UiPathCommunity•95 views
We see everywhere that many people are talking about technology.docx by ssuserc5935b
We see everywhere that many people are talking about technology.docxWe see everywhere that many people are talking about technology.docx
We see everywhere that many people are talking about technology.docx
ssuserc5935b•6 views
š’šØš„ššš«š–š¢š§šš¬ š‚ššš¬šž š’š­š®šš² by Infosec train
š’šØš„ššš«š–š¢š§šš¬ š‚ššš¬šž š’š­š®šš²š’šØš„ššš«š–š¢š§šš¬ š‚ššš¬šž š’š­š®šš²
š’šØš„ššš«š–š¢š§šš¬ š‚ššš¬šž š’š­š®šš²
Infosec train•7 views
Building trust in our information ecosystem: who do we trust in an emergency by Tina Purnat
Building trust in our information ecosystem: who do we trust in an emergencyBuilding trust in our information ecosystem: who do we trust in an emergency
Building trust in our information ecosystem: who do we trust in an emergency
Tina Purnat•85 views
AI Powered event-driven translation bot by Jimmy Dahlqvist
AI Powered event-driven translation botAI Powered event-driven translation bot
AI Powered event-driven translation bot
Jimmy Dahlqvist•16 views
Audience profile.pptx by MollyBrown86
Audience profile.pptxAudience profile.pptx
Audience profile.pptx
MollyBrown86•12 views
Existing documentaries (1).docx by MollyBrown86
Existing documentaries (1).docxExisting documentaries (1).docx
Existing documentaries (1).docx
MollyBrown86•13 views
PORTFOLIO 1 (Bret Michael Pepito).pdf by brejess0410
PORTFOLIO 1 (Bret Michael Pepito).pdfPORTFOLIO 1 (Bret Michael Pepito).pdf
PORTFOLIO 1 (Bret Michael Pepito).pdf
brejess0410•7 views
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf by RIPE NCC
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdfOpportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
Opportunities for Youth in IG - Alena Muravska RIPE NCC.pdf
RIPE NCC•9 views
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf by RIPE NCC
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdfIGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
IGF UA - Dialog with I_ organisations - Alena Muavska RIPE NCC.pdf
RIPE NCC•15 views
google forms survey (1).pptx by MollyBrown86
google forms survey (1).pptxgoogle forms survey (1).pptx
google forms survey (1).pptx
MollyBrown86•14 views
informing ideas.docx by MollyBrown86
informing ideas.docxinforming ideas.docx
informing ideas.docx
MollyBrown86•12 views
Serverless cloud architecture patterns by Jimmy Dahlqvist
Serverless cloud architecture patternsServerless cloud architecture patterns
Serverless cloud architecture patterns
Jimmy Dahlqvist•17 views

I See You

  • 1. I See You What not to do when someone is monitoring your network traffic Andrew Beard Brian Wohlwinder
  • 2. In honor of Brian • Lift with your legs, not your back • Engage your core, keep your abs pulled in • Avoid twisting your trunk
  • 4. Our Setup • COTS network visibility appliance for capture and analysis • Common data tap from Packet Hacking Village • General purpose rules and some written specifically for Wall of Sheep to generate alerts and capture content for specific sessions • Metadata capture for the duration of the event • About 500M of compressed metadata between August 8 and 10, 2014 • A little over 6M transactions
  • 5. Rules of Engagement • Completely passive listener • Ignore SSL/TLS content (metadata only) • All credentials partially redacted
  • 7. Where’s the VPN traffic? • Good question… • Very few encrypted tunnels from what we could tell. A few sessions, but nowhere near what we expected. • More Teredo IPv6 tunnels than real VPN traffic • Best guess, most aren’t using the WiFi
  • 8. It’s all about the passwords
  • 9. Plain Text Credentials • POP3, IMAP, SMTP • FTP • IRC • Telnet • Occasional HTTP (mostly via URL or POST content)
  • 10. POP3 +OK <21066.1407692429@************************> CAPA -ERR authorization first USER lodgetreasurer@*************** +OK PASS 2Q******** +OK STAT +OK 8 107321
  • 11. IMAP * OK IMAP4 Service Ready 1 LOGIN yihui.xu@******** N***** 1 OK LOGIN completed
  • 12. FTP 220------- Welcome to Pure-FTPd [privsep] [TLS] ------- 220-You are user number 129 of 200 allowed. 220-Local time is now 14:45. Server port: 21. 220-This is a private system - No anonymous login 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 3 minutes of inactivity. USER dpi03@****** 331 User dpi03@****** OK. Password required PASS ********** 230 OK. Current restricted directory is /
  • 13. HTTP – In URL /login?username=jacky&password=****** /login.php?username=revelation&password=****** /perfils/autenticar/5512899033.json?passwordKey=******&telefono= **********&dispositivo=IPH&password=******&SO=iOS 7.1.2&deviceId=iPhone
  • 14. When it comes to plaintext fail, mail is king POP3 IMAP SMTP FTP TELNET IRC HTTP
  • 15. A problem of their own making • For mail protocols, vast majority iPhones based on outgoing MIME headers and IMAP ID responses • From what we can tell, most providers supported SSL • If your provider doesn’t support SSL, find a provider that isn’t crap
  • 16. • None of the major email service providers represented • Built-in profiles, SSL automatically enabled
  • 17. HTTP Basic Access Authentication GET / HTTP/1.1 Host: ****************************** Connection: keep-alive Authorization: Basic bmF0YXMwOm5hdHRhczA= Accept: text/html,application/xhtml+xml,application/xml;q=0.9, image/webp,*/*;q= 0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=1768596 43.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.140770011 7; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(dir ect)|utmcmd=(none)
  • 18. HTTP Basic Access Authentication GET / HTTP/1.1 Host: ****************************** Connection: keep-alive Authorization: Basic bmF0YXMwOm5hdHRhczA= Accept: text/html,application/xhtml+xml,application/xml;q=0.9, image/webp,*/*;q= 0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=1768596 43.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.140770011 7; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(dir ect)|utmcmd=(none)
  • 19. HTTP Basic Access Authentication That looks a lot like base64… localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo natas0:nattas0 Username and password encoding. OK if the transport layer is providing confidentiality, but not for straight HTTP. curl http://natas0:nattas0@*************
  • 20. Basic Auth and API Keys GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2F categorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1 HTTP/1.1 Host: ********************* Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/json Authorization: Basic YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0 Referer: http://**************************/Las-Vegas Nevada-printer-ink-toner-cartridge-leader/ Origin: http://************************** Connection: keep-alive
  • 21. Basic Auth and API Keys GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2F categorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1 HTTP/1.1 Host: ********************* Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Content-Type: application/json Authorization: Basic YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0 Referer: http://**************************/Las-Vegas Nevada-printer-ink-toner-cartridge-leader/ Origin: http://************************** Connection: keep-alive
  • 22. Basic Auth and API Keys
    localhost$ echo "YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" | base64 -D; echo
    api:41665abccbeb09b1cd650077b9ebdec4
    Session key for the current user. Anyone interested in buying a couple tons of toner on their account?
  • 23. Then we started getting bored… A bunch of bored guys looking at your network traffic probably isn’t a good thing
  • 24. Fun With Mobile Apps
    GET /gw/mtop.taobao.wireless.homepage.ac.loadPageContent/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=originaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4JgNi4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%22%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%22%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D HTTP/1.1
    Host: api.m.taobao.com
  • 26. User’s Default Location
    {
      "utdid": "U0gUZGIZnIwDAFX4JgNi4RRk",
      "userId": "*********",
      "ua": "iPhone",
      "cityCode": "330100",
      "nick": "******",
      "longitude": "120.050453",
      "cityName": "杭州",
      "latitude": "30.286152",
      "isPosition": false,
      "platformVersion": "7.1"
    }
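    The cleartext findings on slides 18-22 (Basic auth is only base64) and 24-26 (a URL-encoded JSON blob carrying the user's identity and location) are exactly what a passive monitor like the Wall of Sheep setup alerts on. The detector below is an added example, not code from the talk or its appliance: it inspects one captured HTTP request and reports findings with the secret partially starred out. The key lists and the sample requests are constructed for the example; hosts are replaced with .invalid names.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Hypothetical lists: query keys treated as credentials, JSON fields that locate or identify a user.
SENSITIVE_QUERY_KEYS = {"password", "passwd", "pass", "pwd", "api_key", "token"}
PII_JSON_KEYS = {"userId", "latitude", "longitude", "nick", "cityName"}

def redact(secret, keep=2):
    """Show the first `keep` characters and star the rest, as the slides do."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)

def inspect_request(raw):
    """Findings for one raw HTTP request (request line plus headers), secrets redacted."""
    findings, lines = [], raw.strip().splitlines()
    parts = lines[0].split()
    target = parts[1] if len(parts) > 1 else "/"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Basic auth: base64("user:pass") rides along unencrypted on every request.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            findings.append(f"basic-auth user={user} pass={redact(pw)}")
        except (ValueError, UnicodeDecodeError):
            findings.append("basic-auth header present but undecodable")
    # Query string: passwords in the URL, and JSON blobs carrying location or identity.
    for key, values in parse_qs(urlsplit(target).query).items():
        if key.lower() in SENSITIVE_QUERY_KEYS:
            findings.append(f"query-credential {key}={redact(values[0])}")
        for value in values:
            try:
                blob = json.loads(value) if value.startswith("{") else None
            except ValueError:
                continue
            if isinstance(blob, dict):
                leaked = sorted(k for k in blob if k in PII_JSON_KEYS)
                if leaked:
                    findings.append("query-json pii=" + ",".join(leaked))
    return findings

# Constructed sample requests modelled on the slides, with hosts replaced.
BASIC_AUTH_REQUEST = ("GET / HTTP/1.1\r\nHost: site.invalid\r\n"
                      "Authorization: Basic bmF0YXMwOm5hdHRhczA=\r\n")
MOBILE_APP_REQUEST = ("GET /gw/loadPageContent/3.0/?type=originaljson&data=%7B%22userId"
                      "%22%3A%2212345%22%2C%22latitude%22%3A%2230.286152%22%7D HTTP/1.1\r\nHost: api.invalid\r\n")
```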
  • 27. What’s the worst that could happen? It can’t be that bad…
  • 28-30. “Is this important?”
    From: Deborah Simon <dms@************>
    To: Mitchell IPad Simon <md.simon@************>
    Subject: Megan’s W-4
    One attachment, “2014 W4.pdf”
  • 31. Nothing to worry about here
  • 32. Dear God WHY!?
    • Data confidentiality in transit vs at rest
    • PGP
    • S/MIME certificates cheap/free. Supported by most major mail clients (including mobile devices)
    • Encrypted zip files or document-based encryption better than nothing
  • 33. DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.
  • 34. More fun with misconfigured mail clients
    To: *****@theorb.com
    From: Bill Quinn
    Subject: ***** pick up amount Rio 8/9
    Hey *****,
    Please pick up the balance of $6,500 for tonight's performance in Vegas. Let me know if you have any questions.
    Thanks,
    Bill Quinn
    Madison House, Inc.
  • 35. Imagine for a moment…
    • You know someone is going to be picking up a check for $6500
    • You have detailed knowledge of the transaction
    • You have unrestricted access to the intended recipient’s email account
  • 37. Quick Recap
    • Through misconfiguration or a lack of controls it’s pretty easy for potentially sensitive or harmful info to make its way over a network
    • Consider defense in depth. Use multiple layers of encryption in transit, just in case.
    • Don’t trust your email password as the only thing keeping you from financial or other loss.
    • Treat every network as untrusted (especially the ones that warn you ahead of time)

Editor's Notes

  1. Brian couldn't be here today; recovering from severe back issues.
  2. In honor of Brian, wanted to say a few words about protecting your back. Picking something up or just bending over. Avoid long and painful recovery, and bailing on your co-presenter.
  3. Setup last year. Couple very basic (and very stupid) ways to pass credentials in the clear. Weird things we found. Wall of Sheep at DEFCON 22, August 2014, Fidelis sponsor. Fun to park a couple guys on a network tap and see what we could find.
  4. Mostly OpenVPN. Keep it on cellular: paranoid enough to use VPN, paranoid enough not to use a shared network.
  5. So that’s where we started
  6. Fish in a barrel
  7. Metadata collection. Plug Bro, Critical Stack, Liam Randall. Other: HTTP, HTTP POST + keyword.
  8. Very different from the protocol mix above: in the "other" category less than 10%, 75% here. Why? Beaconing. Almost all other protocols are active and transactional; you have to do something. Mail, especially on mobile devices, is a given. Repeated logins. Easy to misconfigure something in the background.
  9. One class of credentials on the wire, straight plaintext. Another class, encoded. Don't like "obfuscated", because it's a poor job.
  10. HTTP client header
  11. Content aware: Bro. Liam Randall, Critical Stack, awesome Bro training.
  12. Rule looking for any interesting documents. Found a lot, mostly from the defcon file share. Large percentage of FTP traffic. So a woman walks over, sits down at our setup, and says “teach me something”. Show her the setup, how things work, she starts playing around. About 5 minutes later she says “Is this important?”
  13. All data in transit. Consider the implication though. Even if they hadn’t been actively looking at the file, anyone could have logged it.
  14. Part of a larger email exchange