During our last tool talk at NEOISF, Matt Neely talked about using a Fon (a wireless access point) with Karmetasploit to attack wireless clients for penetration testing. In this talk we will take this concept a step further and show you what the latest techniques are for conducting man-in-the-middle attacks (MITM). First, we will define what man-in-the-middle attacks are and why we should be doing these in our penetration tests. The technical discussion will include talk about our old favorites like Wireshark, Ettercap and Cain. Next, we will show some new techniques introduced with tools like SSLStrip, The Middler, and Network Miner. Finally, we will end with an open discussion on how to defend against man-in-the-middle attacks.
2. Man-In-The-Middle
• What is this MITM you speak of?
• Old school classics
• New school tools
• Why use it for pentests?
• How to defend?
3. What is a MITM?
• Redirect all traffic to YOU while allowing
normal Internet access for the victim(s)
• Modify, intercept and capture network
traffic
• Create DoS
4.
5. Setting up your Monkey
• Traditional ARP Cache Poisoning
The MITM becomes the “router”
• KARMA on the Fon (WiFi Attack)
Karma brings you the victim
6. ARP Refresher
• ARP (Address Resolution Protocol)
• How devices associate MAC to IP
ARP Request
Computer A asks “Who has this IP?”
ARP Reply
Computer B tells A “That’s me! I have this MAC!”
Reverse ARP Request
Same as ARP request by Computer A asks “Who has this MAC?”
Reverse ARP Reply
Computer B tells A “I have that MAC, here is my IP!”
7. ARP Cache Poisoning
• Send fake ARP Reply’s to your victim(s)
• Allows sniffing on switched networks
• Hijacking of IP traffic between hosts
8.
9. KARMA on the Fon
• The “evil twin”
KARMA listens and
responds to all!
• KARMA on the Fon
Route wireless traffic to
YOU!
12. Wireshark
• Popular network sniffer
• Easy to use
• Easy capture of data
• Robust filtering
• Multi-platform (you probably have it)
13.
14. Ettercap
• Used for filtering, hijacking, ARP cache poisoning
and sniffing
• GUI, cmd, ncurses! Multi-platform
• Cool filters and plugins....
• Inject HTML into existing web pages!
Meterpreter payload anyone?
• DNS Spoofing (phantom plugin)
• Many more...
15.
16. Cain
• Able is a separate program used to conduct
remote activities (NT hash dump, console)
• Multi-functional “password recovery” tool
• Password cracking, scanning, sniffing, ARP
poisoning and many related attacks (DNS,
HTTPS, POP3S, RDP, etc...)
• Much, much more!
• Windows only
19. Network Miner
• Passive network sniffer/packet capture tool
• Detect OS, sessions, hostnames, open ports,
etc...
• Easy view of usernames and passwords
• Parse PCAP files, search via keywords
• Can reassemble files and certs from PCAP files
• Windows only
20.
21. The Middler
• Created by Jay Beale and Justin Searle (Inguardians)
• Alpha version released at ShmooCon 2009
• Ability to inject Javascript into cleartext traffic
• Clone sessions for the attacker (CSRF)
• Intercept logout requests
• Plugin Architecture
• Highlights problem of sites using mixed HTTP/
HTTPS
22. SSLStrip
• Created by Moxie Marlinspike, released at BlackHat DC
2009
• Transparently hijack HTTP traffic on a network
• Switches all HTTPS links to HTTP and swaps the user to
an insecure look-alike page
• Server thinks everything is “a-ok!’ and no SSL cert
“warning”
• Supports modes for:
• supplying a favicon which looks like a lock
• selective logging and session denial
24. Why use MITM in a
Pentest?
• Allows more focus on the USERS
• Are they aware of HTTP vs. HTTPS?
• Highlight insecure protocols
(Telnet, Basic HTTP Auth)
• Hint: Save PCAP files and run them
through multiple tools! (thanks Mubix)
25. ARP Poisoning Defense
• Monitoring Tools
ArpON
Arpwatch
• Static IP’s/Static ARP Tables (not sustainable!)
• Turn on “port security” in your switches!
• Check out Dynamic ARP Inspection
(Cisco DAI)
26. MITM Defense
• User education (hard)
• Use a VPN, SSH Tunnel on insecure
networks (coffee shops, DEFCON)
• Encourage employees to use the VPN when
using public wifi!