1. Corporation in the Middle
   Lee Brotherston
   @synackpse
2. MITM vs Everything Else
3. Detection
4. o_O
5. How, what, why, when?
6. Capture all the Packets
7. PCAP Tools
   tcpdump
   wireshark
   tshark
   mergecap
   tcpsplice
   tcptrace
   captcp
   ntop
   pcapdiff
   tcpflow
   snort
8. Client / Server exchange, undisturbed:
   SYN
   SYN/ACK
   ACK
   HTTP Request
   HTTP Response (Header & Data)
   More Data...
9. Client / Server exchange with an unknown third party (?):
   SYN
   SYN/ACK
   ACK
   HTTP Request
   RST/PSH/ACK (from ?)
   HTTP Response (?)
10. HTTP/1.1 200 OK
    Content-Type: text/html; charset=ISO-8859-1
    Content-Script-Type: text/javascript
    Connection: close
    Cache-Control: no-store, no-cache, must-revalidate, max-age=0
    Expires: -1
    Pragma: no-cache

    <html><head>
    <noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></noscript>
    <title></title>
    <script type="text/javascript">var version=2; var webServer="http://64.71.251.10";</script>
    <script type="text/javascript" src="http://64.71.251.10/ByteCap-075-EO-English/index.js"></script>
    </head>
    <noscript><frameset><frame src="http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></frameset></noscript>
    <body style="margin:0;"><script type="text/javascript">Bulletin("policy=72&category=ByteCap-075&");</script></body>
    </html>
11. Content of messages
    36. Except where the Commission approves otherwise, a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public.
    – Telecommunications Act (S.C. 1993, c. 38)
12. Packet Headers
13. TCPDUMP
    ip[6] = 0 and tcp[14:2] = 1
14. Wire/TShark
    tcp.window_size_value eq 1 and ip.flags.df == 0
15. Snort
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION suspected TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337;)
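The three filters on slides 13 to 15 key on the same two header oddities of the injected segment: a TCP window of 1 (tcp[14:2] is the 16-bit window field at offset 14 of the TCP header) and Don't Fragment clear in the IPv4 flags (ip.flags.df == 0, fragbits:!D). One caveat: tcpdump's ip[6] = 0 is a little stricter than the other two, since the whole byte also covers More Fragments and the high bits of the fragment offset; ip[6] & 0x40 = 0 tests DF alone. The Python below is an added example, not code from the talk: it decodes those fields from raw IPv4/TCP header bytes and applies the same predicate, and separately reports the RST/PSH/ACK flag combination drawn on slide 9, so the heuristic can be run over a capture without tcpdump or Snort. The two segments it checks are constructed test data with placeholder addresses and zeroed checksums.

```python
import struct

IP_DF = 0x4000                              # Don't Fragment bit in the IPv4 flags/offset word
TCP_RST, TCP_PSH, TCP_ACK = 0x04, 0x08, 0x10


def build_segment(df: bool, flags: int, window: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header followed by a 20-byte TCP header.
    Constructed test data, not a capture: addresses and ports are placeholders
    and both checksums are left at zero."""
    frag_word = IP_DF if df else 0
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, frag_word, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    data_offset_and_flags = (5 << 12) | flags   # 5 x 32-bit words, no TCP options
    tcp = struct.pack("!HHIIHHHH", 80, 40000, 1000, 2000,
                      data_offset_and_flags, window, 0, 0)
    return ip + tcp


def parse_headers(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP header fields the injection filters look at."""
    (ver_ihl, _, _, _, frag_word, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4                  # IP header length in bytes
    (sport, dport, _, _, off_flags, window,
     _, _) = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "df": bool(frag_word & IP_DF),
        "sport": sport, "dport": dport,
        "flags": off_flags & 0x01FF, "window": window,
    }


def is_suspected_injection(pkt: bytes) -> bool:
    """The predicate shared by the tcpdump, Wireshark and Snort filters:
    window == 1 and DF not set."""
    h = parse_headers(pkt)
    return h["window"] == 1 and not h["df"]


def injection_indicators(pkt: bytes) -> list:
    """List every tell from the slides that this segment exhibits."""
    h = parse_headers(pkt)
    hits = []
    if h["window"] == 1:
        hits.append("window=1")                 # tcp[14:2] = 1 / window:1
    if not h["df"]:
        hits.append("DF clear")                 # ip.flags.df == 0 / fragbits:!D
    inject_flags = TCP_RST | TCP_PSH | TCP_ACK
    if h["flags"] & inject_flags == inject_flags:
        hits.append("RST/PSH/ACK")              # data and a reset in one segment (slide 9)
    return hits


# Constructed samples: an ordinary server segment and one shaped like the injected reply.
NORMAL = build_segment(df=True, flags=TCP_PSH | TCP_ACK, window=65535)
INJECTED = build_segment(df=False, flags=TCP_RST | TCP_PSH | TCP_ACK, window=1)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL), ("injected", INJECTED)):
        print(name, is_suspected_injection(pkt), injection_indicators(pkt))
```

Feed real traffic by slicing each frame past its link-layer header (14 bytes for Ethernet) before calling parse_headers; the checks ignore the checksum fields, so truncated captures still work.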
16. Fun with Firewalls
17. But wait, there's more...
18. Client / Server exchange, injected reply:
    SYN
    SYN/ACK
    ACK
    HTTP Request
    RST/PSH/ACK
    HTTP Response
19. Client / Server exchange:
    SYN
    SYN/ACK
    ACK
    HTTP Request
    HTTP Response (Header & Data)
    Data
20. HTTP/1.1 200 OK
    Content-Type: text/html; charset=ISO-8859-1
    Content-Script-Type: text/HTML
    Connection: close
21. Tests
22. Retention Time
    rewrite ^(.*)$ /index.php;
23. OoB Indexing
    rewrite ^(.*)$ /index.php;
    + /etc/hosts
    + .htaccess
24. Document Format
    <html>
    <head>
    <title>Oh Hai</title>
    </head>
25. Document Format
    <!doctype html>
    <html>
    <head>
    <title>Oh Hai</title>
    </head>
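Slides 24 and 25 set up a canary page: the test server deliberately serves <!doctype html>, so a copy that arrives starting at <html> (as the injected response on slide 10 does) has been replaced in transit. The Python below is an added example, not the talk's own test harness: it splits a raw HTTP response, checks for the expected doctype, and adds the other tells visible on slides 10 and 20 (a Content-Script-Type that is not a script type, a meta refresh, and a script or frame fetched from a bare IP address). Both responses it checks are constructed; the bulletin server is moved to the documentation address 203.0.113.10 and the origin's Server header is made up.

```python
import re

IP_LITERAL_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}", re.I)
META_REFRESH = re.compile(r"""http-equiv\s*=\s*["']?refresh""", re.I)


def split_response(raw: bytes):
    """Split a raw HTTP response into (status line, {header: value}, body text).
    Header names are lower-cased; the body is decoded as Latin-1 so nothing is lost."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1", "replace")


def injection_indicators(raw: bytes, expected_prefix: str = "<!doctype html>") -> list:
    """Return the tells this response shows. expected_prefix is what the origin
    is known to send first (slide 25); a replaced page will not start with it."""
    status, headers, body = split_response(raw)
    hits = []
    if not body.lstrip().lower().startswith(expected_prefix.lower()):
        hits.append("doctype missing")                       # slide 24 vs 25
    cst = headers.get("content-script-type")
    if cst is not None and cst.lower() != "text/javascript":
        hits.append("odd Content-Script-Type: " + cst)       # slide 20: text/HTML
    if IP_LITERAL_URL.search(body):
        hits.append("resource loaded from IP literal")       # slide 10: script/frame src
    if META_REFRESH.search(body):
        hits.append("meta refresh")                          # slide 10: noscript redirect
    return hits


# Constructed samples (not captured traffic).
ORIGIN = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Server: nginx\r\n"                                     # assumed origin server
    b"\r\n"
    b"<!doctype html>\n<html>\n<head>\n<title>Oh Hai</title>\n</head>\n"
    b"<body></body>\n</html>\n"
)
INJECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=ISO-8859-1\r\n"
    b"Content-Script-Type: text/HTML\r\n"
    b"Connection: close\r\n"
    b"Cache-Control: no-store, no-cache, must-revalidate, max-age=0\r\n"
    b"\r\n"
    b'<html><head><noscript><meta http-equiv="refresh" '
    b'content="0;URL=http://203.0.113.10/noscript.pl?policy=72"></noscript>'
    b'<title></title>'
    b'<script type="text/javascript" src="http://203.0.113.10/index.js"></script>'
    b'</head><body style="margin:0;"></body></html>'
)

if __name__ == "__main__":
    for name, raw in (("origin", ORIGIN), ("injected", INJECTED)):
        print(name, injection_indicators(raw))
```

The doctype check is the one the slides rely on, because it is under the site owner's control: any fixed prefix the origin is known to emit works as the canary, and the other three checks only add confidence when a page has already failed it.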
26. Mapping the Network
27. Traceroute ... ish
28. ttl=1 -> ttl expiry (hop 1)
    ttl=2 -> ttl=1 -> ttl expiry (hop 2)
    ttl=3 -> ttl=2 -> ttl=1 -> reply
29. tcptraceroute
    2 7.40.72.1
    3 209.148.241.61
    4 66.185.81.221
    5 69.63.251.242
    6 69.63.249.26
    7 *

    2 7.40.72.1
    3 209.148.241.61
    4 *
    5 *
    6 69.63.249.26
    7 *
30. Intercept Portscanning
    # one tcptraceroute per destination port, probing only hops 4 and 5
    # (-f first TTL, -m max TTL); "host" is the target. jot is the BSD/macOS
    # sequence generator (use seq 1 65535 on Linux).
    for i in $(jot 65535 1); do
        tcptraceroute -f 4 -m 5 host "$i"
    done >> scan.log
31. tcptraceroute redux
    2 7.11.164.41
    3 66.185.90.37
    4 209.148.224.205
    5 209.148.224.242
    6 4.31.208.129

    2 7.11.164.41
    3 66.185.90.37
    4 209.148.224.214
    5 209.148.224.209
    6 209.148.228.218
    7 209.148.228.217
    8 209.148.224.254
    9 4.31.208.129
32. Intercept Portscanning Redux
    nmap -sS --ttl 64 host
33. Which Interface?
    Target / My Server / Me
34. Scapy
    from scapy.all import Ether, IP, IPOption, TCP, sendp

    # one SYN per TTL from 1 to 30, carrying a Record Route option (IP option
    # type 7) so each hop that honours it stamps its address into the header
    sendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa") /
          IP(src="11.11.11.11", dst="55.55.55.55", ttl=(1, 30),
             options=IPOption(b"\x07")) /
          TCP(sport=3125, dport=80, flags="S"),
          iface="en1")
35. So, that network... Internal Management LAN
36. Client / Server exchange, injected RST/PSH/ACK probed with increasing TTL:
    SYN
    SYN/ACK
    ACK
    RST/PSH/ACK
    TTL = 1
    TTL = 2
    TTL = 3
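Slides 29 and 31 compare two tcptraceroute runs to the same host and look for the hop at which the paths part company; slide 36 walks the TTL upward until the RST/PSH/ACK first appears. Both locate the interception point by hop count. The Python below is an added example, not code from the talk, covering the analysis side of both: diverging_hop finds the first hop where two traces disagree, classify_reply labels each reply to a TTL-limited probe (the kind the scapy sweep on slide 34 would draw once the answers are sniffed), and injector_distance returns the lowest TTL that drew the injected segment. The sample paths are the two traces from slide 31; the slide does not say which run was the port-80 one, so that labelling is an assumption, as is the constructed reply series built to match slide 36.

```python
# Hop lists are {hop_number: address}, with "*" for a probe that drew no reply.

# Sample data: the two tcptraceroute runs on slide 31. Which of them targeted
# port 80 is not stated on the slide, so this labelling is an assumption.
CONTROL_PATH = {2: "7.11.164.41", 3: "66.185.90.37", 4: "209.148.224.214",
                5: "209.148.224.209", 6: "209.148.228.218", 7: "209.148.228.217",
                8: "209.148.224.254", 9: "4.31.208.129"}
PORT80_PATH = {2: "7.11.164.41", 3: "66.185.90.37", 4: "209.148.224.205",
               5: "209.148.224.242", 6: "4.31.208.129"}

TCP_RST, TCP_PSH, TCP_ACK = 0x04, 0x08, 0x10
INJECT_FLAGS = TCP_RST | TCP_PSH | TCP_ACK


def diverging_hop(path_a, path_b):
    """First hop at which the two traces disagree: a different address, or one
    trace answering where the other timed out. None if they agree throughout."""
    for hop in sorted(set(path_a) | set(path_b)):
        if path_a.get(hop) != path_b.get(hop):
            return hop
    return None


def classify_reply(proto, icmp_type=None, tcp_flags=0):
    """Label one reply to a TTL-limited probe.
    proto is the IPv4 protocol number: 1 = ICMP, 6 = TCP."""
    if proto == 1 and icmp_type == 11:              # Time Exceeded from a router on the path
        return "expired"
    if proto == 6 and tcp_flags & INJECT_FLAGS == INJECT_FLAGS:
        return "injected"                           # the RST/PSH/ACK of slides 9 and 36
    if proto == 6:
        return "server"                             # any other TCP reply: the real endpoint
    return None


def injector_distance(replies):
    """replies: iterable of (ttl, label) pairs as produced by classify_reply.
    Returns the lowest TTL that drew the injected segment, i.e. the injector's
    hop distance from the client, or None when nothing was injected."""
    injected = [ttl for ttl, label in replies if label == "injected"]
    return min(injected) if injected else None


# Constructed reply series matching slide 36: expiries at TTL 1 and 2, the
# injected RST/PSH/ACK from TTL 3 onward (the injector sees every probe that
# gets that far).
SAMPLE_REPLIES = [
    (1, classify_reply(1, icmp_type=11)),
    (2, classify_reply(1, icmp_type=11)),
    (3, classify_reply(6, tcp_flags=INJECT_FLAGS)),
    (4, classify_reply(6, tcp_flags=INJECT_FLAGS)),
]

if __name__ == "__main__":
    print("traces diverge at hop", diverging_hop(CONTROL_PATH, PORT80_PATH))
    print("injector is", injector_distance(SAMPLE_REPLIES), "hops away")
```

Run both on the same network and the numbers should agree: the hop where the port-80 trace leaves the control path is where the TTL walk first draws the injected segment. A mismatch usually means the injector is a passive tap before that hop rather than an inline device at it.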
37. Great Firewall of Cameron
    6 31.55.164.187
    7 31.55.164.107
    8 109.159.248.69
    9 109.159.248.10
    10 62.172.103.187

    6 31.55.164.187
    7 31.55.164.107
    8 109.159.248.104
    9 109.159.248.142
    10 194.71.107.15
38. RoadRunner
    4 98.0.3.14
    5 98.0.3.3
    6 107.14.19.106
    7 107.14.17.194
    8 64.86.79.97
    9 64.86.79.2

    4 98.0.3.14
    5 98.0.3.3
    6 66.109.6.72
    7 107.14.17.192
    8 64.86.79.97
    9 64.86.79.2
39. What?
40. HTTP/1.1 200 OK
    Date: Thu, 22 May 2014 14:29:09 GMT
    Server: PerfTech
    Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT
    Accept-Ranges: bytes
    Content-Length: 2387
    Connection: close
    Cache-Control: no-store, no-cache, must-revalidate, max-age=0
    Expires: -1
    Pragma: no-cache
    Content-Type: application/x-javascript
41. HTTP/1.0 404 Not Found
    Date: Fri, 23 May 2014 14:00:05 GMT
    Server: PerfTech
    Content-Length: 25
    Connection: close
    Cache-Control: no-store, no-cache, must-revalidate, max-age=0
    Expires: -1
    Pragma: no-cache
    Content-Type: text/html; charset=iso-8859-1
42. Hints in Scripts
    // Copyright 2005-2011 PerfTech, Inc., All Rights Reserved.

    extWebServer = "http://64.71.255.194";
    intWebServer = "http://172.19.11.72";

    displayUrl = "http://www.perftech.com/console/original.html";
43. Attribution: cat NULL planet - @skalnik
44. Why So Bothered?
45. Why Metadata Matters
    They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
    They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
    They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
    Attribution: EFF 30C3 - Through Prism Darkly
46. GET / HTTP/1.1
    Host: squarelemon.com
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: _pk_ses.4.9b83=*
    Connection: keep-alive
    If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT
    Cache-Control: max-age=0
47. What could possibly go wrong?
    Photo Attribution: Tom - @tdawks
48. I learnt Stuff!
49. "Type a quote here."
    – Johnny Appleseed
50. Internet provider subscriber communications system
    US 8793386 B2
51. Internet advertising method and system using Web page
    US 8005717 B2
52. "Never attribute to malice that which is adequately explained by stupidity Enhancing Shareholder Value."
    – Hanlon's Brotherston's Razor
53. Thank you!
    Lee Brotherston
    @synackpse
