Corporation In The Middle - BSidesTO Edition

The BSidesTO version of my Corporation In The Middle talk.

  1. Corporation in the Middle
     Lee Brotherston
     @synackpse
     #BSidesTO Edition
  2. MITM vs Everything Else
  3. Detection
  4. o_O
  5. How, what, why, when?
  6. Capture all the Packets
  7. PCAP Tools
     tcpdump, wireshark, tshark, mergecap, tcpsplice, tcptrace, captcp, pcapdiff, tcpflow, snort
  8. (Diagram: Client / Server) SYN, SYN/ACK, ACK, HTTP Request, HTTP Response (Header & Data), More Data...
  9. (Diagram: Client / Server / "?") SYN, SYN/ACK, ACK, HTTP Request, RST/PSH/ACK, HTTP Response. The "?" marks the unidentified third party that sends the RST/PSH/ACK.
 10. HTTP/1.1 200 OK
     Content-Type: text/html; charset=ISO-8859-1
     Content-Script-Type: text/javascript
     Connection: close
     Cache-Control: no-store, no-cache, must-revalidate, max-age=0
     Expires: -1
     Pragma: no-cache

     <html><head>
     <noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></noscript>
     <title></title>
     <script type="text/javascript">var version=2; var webServer="http://64.71.251.10";</script>
     <script type="text/javascript" src="http://64.71.251.10/ByteCap-075-EO-English/index.js"></script>
     </head>
     <noscript><frameset><frame src="http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></frameset></noscript>
     <body style="margin:0;"><script type="text/javascript">Bulletin("policy=72&category=ByteCap-075&");</script></body>
     </html>
 11. Packet Headers
 12. TCPDUMP
     ip[6] = 0 and tcp[14:2] = 1
 13. Wire/TShark
     tcp.window_size_value eq 1 and ip.flags.df == 0
 14. Snort
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION suspected TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337;)
 15. But wait, there's more...
 16. (Diagram: Client / Server) SYN, SYN/ACK, ACK, RST/PSH/ACK, HTTP Request, HTTP Response
 17. (Diagram: Client / Server) SYN, SYN/ACK, ACK, HTTP Request, HTTP Response (Header & Data), Data
 18. HTTP/1.1 200 OK
     Content-Type: text/html; charset=ISO-8859-1
     Content-Script-Type: text/HTML
     Connection: close
 19. Profiling: Target Acquisition
 20. Retention Time
     rewrite ^(.*)$ /index.php;
 21. OoB Indexing
     rewrite ^(.*)$ /index.php;
     + /etc/hosts
     + .htaccess
 22. Document Format
     <html>
     <head>
     <title>Oh Hai</title>
     </head>
 23. Document Format
     <!doctype html>
     <html>
     <head>
     <title>Oh Hai</title>
     </head>
 24. "Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information." – PIPEDA, 4.9 Principle 9 — Individual Access
 25. Mapping the Network
 26. Traceroute (8 bits of goodness)
 27. (Diagram) Probes sent with ttl=1, ttl=2, ttl=3; each hop returns a ttl expiry until the final hop replies.
 28. tcptraceroute (two runs)
      2 7.40.72.1            2 7.40.72.1
      3 209.148.241.61       3 209.148.241.61
      4 66.185.81.221        4 *
      5 69.63.251.242        5 *
      6 69.63.249.26         6 69.63.249.26
      7 *                    7 *
 29. Intercept Portscanning
     for i in `jot 65535 1`
     do
       tcptraceroute -f4 -m5 host $i
     done >> $i.log
 30. tcptraceroute redux (two runs)
      2 7.11.164.41          2 7.11.164.41
      3 66.185.90.37         3 66.185.90.37
      4 209.148.224.205      4 209.148.224.214
      5 209.148.224.242      5 209.148.224.209
      6 4.31.208.129         6 209.148.228.218
                             7 209.148.228.217
                             8 209.148.224.254
                             9 4.31.208.129
 31. Intercept Portscanning Redux
     nmap -sS --ttl 64 host
 32. Which Interface? (Diagram: Destination / My Server / Me)
 33. Scapy
     sendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")/
           IP(src="11.11.11.11", dst="55.55.55.55", ttl=(1,30), options=IPOption('\x07'))/
           TCP(sport=3125, dport=80, flags="S"), iface="en1")
 34. So, that network...
     extWebServer = "http://64.71.255.194";
     intWebServer = "http://172.19.11.72";
     Internal Management LAN
 35. (Diagram: Client / Server) SYN, SYN/ACK, ACK, RST/PSH/ACK arriving with TTL = 1, TTL = 2, TTL = 3
 36. What?
 37. HTTP/1.1 200 OK
     Date: Thu, 22 May 2014 14:29:09 GMT
     Server: PerfTech
     Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT
     Accept-Ranges: bytes
     Content-Length: 2387
     Connection: close
     Cache-Control: no-store, no-cache, must-revalidate, max-age=0
     Expires: -1
     Pragma: no-cache
     Content-Type: application/x-javascript
 38. Hints in Scripts
     // Copyright 2005-2011 PerfTech, Inc., All Rights Reserved.

     displayUrl = "http://www.perftech.com/console/original.html";
 39. Why So Bothered?
 40. Why Metadata Matters
     • They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
     • They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
     • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
 41. GET / HTTP/1.1
     Host: squarelemon.com
     User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Cookie: _pk_ses.4.9b83=*
     Connection: keep-alive
     If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT
     Cache-Control: max-age=0
 42. What could possibly go wrong?
     Photo Attribution: Tom - @tdawks
 43. I learnt Stuff!
 44. "Type a quote here." – Johnny Appleseed
 45. Internet provider subscriber communications system, US 8793386 B2
 46. Internet advertising method and system using Web page, US 8005717 B2
 47. "Never attribute to malice that which is adequately explained by stupidity Enhancing Shareholder Value." – Hanlon's Brotherston's Razor
 48. Thank you!
     Lee Brotherston
     @synackpse
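The detection filters on slides 12 to 14 and the TTL clue on slide 35, applied to raw packet bytes as an added example that is not part of the deck: the Python below parses the IPv4 and TCP headers directly, implements the same test as tcpdump's `ip[6] = 0 and tcp[14:2] = 1`, and additionally flags a packet whose IP TTL differs from the TTL already seen for its flow, which is how an injected RST/PSH/ACK from a box a few hops away stands out from the real server's replies. The sample packets, addresses and TTLs are constructed here, not taken from the talk.

```python
import struct

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Pull the fields the slide's filters use out of a raw IPv4+TCP packet (no Ethernet)."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    tcp = pkt[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport, "dport": dport, "ttl": pkt[8],
        "ip_byte6": pkt[6],                  # the byte tcpdump's ip[6] reads
        "df": bool(flags_frag & 0x4000),     # Wireshark ip.flags.df / Snort fragbits:D
        "tcp_flags": tcp[13],
        "window": struct.unpack("!H", tcp[14:16])[0],  # tcpdump's tcp[14:2]
    }

def looks_injected(h: dict) -> bool:
    """tcpdump 'ip[6] = 0 and tcp[14:2] = 1'. ip[6] = 0 also needs MF clear and the
    high fragment-offset bits zero, so it is a little stricter than 'ip.flags.df == 0'."""
    return h["ip_byte6"] == 0 and h["window"] == 1

def scan(pkts: list) -> list:
    """Return (packet index, reason) alerts: the window/DF heuristic plus a mid-flow TTL change."""
    alerts, seen_ttl = [], {}
    for i, raw in enumerate(pkts):
        h = parse_ipv4_tcp(raw)
        if looks_injected(h):
            alerts.append((i, "window=1 with DF clear"))
        flow = (h["src"], h["dst"], h["sport"], h["dport"])
        if seen_ttl.setdefault(flow, h["ttl"]) != h["ttl"]:
            alerts.append((i, f"ttl {h['ttl']} differs from flow ttl {seen_ttl[flow]}"))
    return alerts

def build(src, dst, sport, dport, ttl, df, tcp_flags, window) -> bytes:
    """Constructed test packet: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000 if df else 0, ttl, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, tcp_flags, window, 0, 0)
    return ip + tcp

# Constructed flow (placeholder addresses): two genuine server replies (DF set, TTL 52),
# then a spoofed RST/PSH/ACK (0x04|0x08|0x10) arriving with window 1, DF clear, TTL 63.
SAMPLE = [
    build("192.0.2.80", "10.0.0.2", 80, 3125, 52, True, 0x12, 14600),   # SYN/ACK
    build("192.0.2.80", "10.0.0.2", 80, 3125, 52, True, 0x18, 14600),   # PSH/ACK, real response
    build("192.0.2.80", "10.0.0.2", 80, 3125, 63, False, 0x1C, 1),      # RST/PSH/ACK, injected
]
```

`scan(SAMPLE)` reports the third packet twice, once for each heuristic; on a real capture the TTL check needs the flow's first packets to be genuine, so seed it from the handshake.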