Practical mitm for_pentesters

  1. Pwnie Express: Practical Man in the Middle (Saturday, June 22, 13)
  2. whoami
     • Jonathan Cran
     • Advisor, SOURCE Conference
     • CTO, Pwnie Express
     • QA Director, Metasploit
     • Penetration Tester, Rapid7
  3. Agenda
     • MitM is a huge topic
     • Why Should You Care in 2013?
     • Practical Attacks
     • Practical Attack Automation
     • Drop Boxes!
     • Takeaways + Future Work
  4. Let’s not re-invent the wheel
  5. Our Focus
     • Local & Wireless Network
     • Getting in the Middle
     • Viewing and Manipulating Traffic
     • Automating Easy Wins
  6. Not our focus
     • Attacking SSL through certificate manipulation
     • Attacking BGP
     • More complex attacks (STP, HSRP)
     • Proxy trojans (MitB, BitB)
  7. Focus: Highly targeted, local network attacks
  8. (no slide text)
  9. (no slide text)
  10. (no slide text)
  11. Why Should You Care in 2013?
  12. (no slide text)
  13. (no slide text)
  14. A couple reasons
     • Wireless everywhere
     • Smartphones / AT&T auto-connect
     • Retail / POS Networks
     • Android apps
     • Sometimes it’s hard to take control of a particular system. The network is the easier target.
  15. And...
     • Local Network - ARP Cache Poisoning is STILL a valid attack; defense is impractical in many cases
     • Local Network - SLAAC looks to be the best replacement if ARP Cache Poisoning won’t work; Windows 7+ has a default IPv6-enabled stack. Recommendation? Disable IPv6
     • Internet - SSL - Would your users really notice the lack of HTTPS or an invalid cert?
     • Wireless - Wireless “Evil Twin” flaws still pervasive
  16. Android
     • It means your personal information is being transmitted to advertising agencies in mass quantities.
     • Mallodroid - Leibniz University of Hannover
     • 13,500 Android apps reversed, 1074 vulnerable (8%)
     • SSL/TLS code that is potentially vulnerable to MITM attacks
  17. And...
     • ARM devices continue to get smaller / more portable
     • Pwn Plug
     • Gumstix
     • ODroid
     • MK - SS808
  18. And...
  19. And...
  20. And...
  21. And...
  22. And...
  23. And...
  24. And...
  25. And...
  26. And...
     • 4G / LTE speeds will get faster
     • Freedom Stick
  27. That said...
     • Securing Layer 2 is hard
     • You’re probably not getting owned by folks with physical access (or are you?)
     • TJX (WEP + ARP Spoofing)
     • Subway (Backdoored devices)
     • Barnes and Noble (Verifone / Linux pinpads)
     • Realistically, dumping hashes on a Windows box is an easier vector during most enterprise penetration tests
     • Financial Crime? Man-in-Browser
     • Go where the data is, silly.
  28. I thought you said practical
  29. Super Practical Attacks
     • Hardware Taps & Bridges
     • ARP Cache Poisoning
     • DNS Cache Poisoning
     • IPv6 Abuse / SLAAC Attack
     • DHCP Exhaustion
     • Wireless Evil Twin
     • Forced HTTP / SSLStrip
  30. A Note on Attack Prevention
     • Use a strong VPN connection
     • Do not use PPTP; MSCHAPv2 is broken
     • L2TP/IPSec, IPSec with IKEv2, and OpenVPN
  31. Hardware Taps
     • DualComm DCSW-1005 (Active Copy)
       vs
     • Throwing Star LAN Tap (Passive)
  32. Hardware Bridges
     • Simply place a device in-line and act as a bridge
     • brctl (bridge-utils)
     • EBTables to route traffic
  33. Hardware Bridges
       # brctl addbr br0
       # brctl addif br0 eth0
       # brctl addif br0 eth1
       # ifconfig br0 10.1.1.1 netmask 255.255.255.0 up
  34. Preventing Hardware Attacks
     • Good physical security
     • Good loss prevention
     • 802.1x / NAC
  35. ARP Cache Poisoning
     • Observe broadcast request, send malicious ARP reply; victim stores attacker’s MAC for the IP
     • “Poison” a single comm channel, or both
     • Automated: zomg so many ways to do it - just use arpspoof
  36. ARP Cache Poisoning
       echo 1 > /proc/sys/net/ipv4/ip_forward
       arpspoof -t <poisoned_host> <gateway>
  37. Preventing ARP Cache Poisoning
     • Broadcast Traffic Filtering
     • Disable Gratuitous ARP
     • Enable DHCP Snooping
     • Static ARP Tables
     • Monitoring: ArpWatch, tons of others
     • HUAWEI patented techniques
     • MACSEC / 802.1AE
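The "Monitoring" and "Static ARP Tables" bullets above are what ArpWatch and its relatives do in practice: remember which MAC answered for each IP and alert when that binding changes. The following is an added example, not code from the talk or from Pwnie Express. It works on a constructed log (one ARP reply per line, `<epoch_ts> <ip> is-at <mac>`) and an assumed pinned gateway binding; both the format and the addresses are made up for the example.

```python
"""ArpWatch-style ARP monitor (added example; assumed log format and addresses)."""

# Assumed static binding for the gateway: a pinned entry is never overwritten,
# so every conflicting reply for it alerts (mirrors a static ARP table).
GATEWAY_PINNED = {"10.1.1.1": "aa:bb:cc:00:00:01"}

# Constructed sample capture: legitimate replies, then a third MAC answering
# for both the gateway and a host, i.e. both directions of one channel poisoned.
SAMPLE_ARP_LOG = [
    "1000.0 10.1.1.1 is-at AA:BB:CC:00:00:01",
    "1000.5 10.1.1.20 is-at aa:bb:cc:00:00:20",
    "1001.0 10.1.1.21 is-at aa:bb:cc:00:00:21",
    "1002.0 10.1.1.1 is-at aa:bb:cc:00:00:ee",
    "1002.1 10.1.1.20 is-at aa:bb:cc:00:00:ee",
    "1004.0 10.1.1.1 is-at aa:bb:cc:00:00:ee",  # poison repeated by the same MAC
]


def parse_arp_line(line):
    """Parse one constructed log line into (timestamp, ip, mac); MAC is lower-cased."""
    ts, ip, verb, mac = line.split()
    if verb != "is-at":
        raise ValueError("not an ARP reply line: %r" % line)
    return float(ts), ip, mac.lower()


def detect_arp_changes(lines, pinned=None):
    """Return alerts (ts, ip, old_mac, new_mac) whenever an IP's MAC changes.

    Pinned bindings are never updated, so each conflicting reply alerts again.
    Learned bindings follow the latest reply, so a flip-flop alerts on each flip
    but a repeated identical claim does not.
    """
    pinned = dict(pinned or {})
    table = dict(pinned)
    alerts = []
    for line in lines:
        ts, ip, mac = parse_arp_line(line)
        prev = table.get(ip)
        if prev is None:
            table[ip] = mac  # first sighting: learn it
        elif prev != mac:
            alerts.append((ts, ip, prev, mac))
            if ip not in pinned:
                table[ip] = mac
    return alerts


def macs_claiming_multiple_ips(lines):
    """Map MAC -> set of IPs it answered for, keeping only MACs that answered for
    more than one IP; one MAC claiming the gateway plus a host is the classic signature."""
    seen = {}
    for line in lines:
        _, ip, mac = parse_arp_line(line)
        seen.setdefault(mac, set()).add(ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_changes(SAMPLE_ARP_LOG, GATEWAY_PINNED):
        print("ALERT t=%.1f %s changed %s -> %s" % alert)
    print("multi-IP MACs:", macs_claiming_multiple_ips(SAMPLE_ARP_LOG))
```

Without the pinned gateway the monitor learns the attacker's MAC after the first change and stays quiet on the repeat; with it, every spoofed reply for the gateway alerts, which is the practical argument for pinning the few bindings that matter most.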
  38. A note on MACsec
     • MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks
     • MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework.
  39. DNS Cache Poisoning, previously
     • Cache poisoning without response forgery
       • bailiwick rule fixed this in ~1993
     • Blind response forgery using birthday attack
       • “Birthday attack” - guess TXID, known since 2002
       • “Kaminsky attack” - required guessing TXID, but added hijacking the authority records
     • Automating: http://www.metasploit.com/modules/auxiliary/spoof/dns/bailiwicked_domain
  40. DNS Cache Poisoning
     Source: http://www.cs.utexas.edu/~shmat/shmat_securecomm10.pdf
  41. DNS Cache Poisoning, now
     • Response forgery using eavesdropping
     • Requires “being in the middle”
     • Automating: Ettercap
  42. DNS Cache Poisoning, now
     Source: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf
  43. Preventing DNS Spoofing
     • DNSSEC
  44. DNS Cache Poisoning, now
     • Response forgery using eavesdropping
     • Requires “being in the middle”
     • Automating: Ettercap
  45. SLAAC Attack
     • Instructions provided by the Infosec Institute article
     • Uses RADVD + DHCPv6 + NAT-PT + IPv6 DNS server
     • NAT-PT allows our IPv6-addressed victims to access the Internet through IPv4
  46. SLAAC Attack
     Source: http://resources.infosecinstitute.com/slaac-attack/
  47. SLAAC Attack
     Source: http://resources.infosecinstitute.com/slaac-attack/
  48. SLAAC Attack
     • The address of the victim’s DNS server matches the NAT-PT prefix on evil-rtr, denoting that the last 32 bits contain the DNS server’s IPv4 address.
     • NAT-PT translates the source and destination IPv6/IPv4 addresses in both directions.
     • The DNS ALG translates the victim’s AAAA query for an IPv6 address into an A query for an IPv4 address, and vice versa on the way back.
     • The DNS ALG also translates the IPv4 address in the reply to an IPv6 address that matches the NAT-PT prefix.
  49. SLAAC Attack
     Source: http://resources.infosecinstitute.com/slaac-attack/
  50. SLAAC Attack
     • We have not compromised or altered the operation of the victim’s IPv4 network, as we would have needed to do in order to MITM IPv4 traffic. We’ve not even needed to get an IPv4 address from their DHCP server.
     • We have not compromised an existing IPv6 network, because there wasn’t one before we arrived.
     • We have not compromised any given victim host (yet!). Each machine is behaving as designed and is choosing IPv6 over IPv4 of its own volition.
     • We have managed to totally alter the flow of traffic on the victim’s network by awakening the hosts’ latent desire to use IPv6 over IPv4.
  51. SLAAC Attack
     • We’re introducing a new path to the Internet. Any defences or monitoring employed at the network’s IPv4 boundary are therefore ineffective and will raise no indicators of compromise.
     • There’s a chance that the victim’s security systems (e.g., host firewalls, HIPS, SIEM boxes, etc.) won’t be able to handle IPv6 traffic. IPv6 support on such systems is rarely as mature as its IPv4 equivalent.
     • Since the victims “aren’t using IPv6” they won’t be expecting an attack that makes use of it.
     • If the above is true, there’s a chance their Incident Response teams won’t have the necessary training and experience with IPv6 to deal with an incident.
  52. SLAAC Attack
  53. SLAAC Attack
  54. Preventing SLAAC
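The "Preventing SLAAC" slide carries no text on this page. The detection side of the answer follows directly from slides 48 to 51: on a segment that is supposed to be IPv4-only, any Router Advertisement is a finding, and on a real IPv6 segment an RA from an unknown router, with an unexpected prefix or resolver, or with a raised router preference is one. The following is an added example, not code from the talk or from the Infosec Institute article; the RA record layout, the policy allowlist and all addresses are constructed for it. (The switch-side control this complements is RA Guard, RFC 6105, which drops RAs on non-router ports.)

```python
"""Rogue Router Advertisement checker (added example; assumed record layout and policy)."""
from ipaddress import IPv6Address, IPv6Network

# Assumed policy for a segment that legitimately runs IPv6: the real router's MAC,
# the prefixes it may advertise and the resolvers it may hand out via RDNSS.
POLICY_IPV6_SEGMENT = {
    "ipv6_enabled": True,
    "routers": {"aa:bb:cc:00:00:01"},
    "prefixes": {IPv6Network("2001:db8:1::/64")},
    "dns": {IPv6Address("2001:db8:1::53")},
}

# Assumed policy for an "IPv4-only" segment, where dormant IPv6 stacks would
# otherwise accept the first RA they hear.
POLICY_IPV4_ONLY = {"ipv6_enabled": False, "routers": set(), "prefixes": set(), "dns": set()}

# Constructed RA records, as a sniffer could summarise ICMPv6 type 134 messages:
# the first is the legitimate router, the second an unexpected one.
SAMPLE_RA_LOG = [
    {"ts": 10.0, "src_mac": "aa:bb:cc:00:00:01", "prefixes": ["2001:db8:1::/64"],
     "rdnss": ["2001:db8:1::53"], "router_pref": "medium"},
    {"ts": 11.0, "src_mac": "aa:bb:cc:00:00:ee", "prefixes": ["2001:db8:bad::/64"],
     "rdnss": ["2001:db8:bad::1"], "router_pref": "high"},
]


def check_ra(ra, policy):
    """Return the list of policy violations for one RA; an empty list means acceptable."""
    if not policy["ipv6_enabled"]:
        # On a segment that should carry no IPv6 at all, every RA is suspicious.
        return ["RA seen on a segment that should carry no IPv6"]
    reasons = []
    if ra["src_mac"].lower() not in policy["routers"]:
        reasons.append("RA from unknown router MAC %s" % ra["src_mac"])
    for prefix in ra.get("prefixes", []):
        if IPv6Network(prefix) not in policy["prefixes"]:
            reasons.append("unexpected prefix %s" % prefix)
    for resolver in ra.get("rdnss", []):
        if IPv6Address(resolver) not in policy["dns"]:
            reasons.append("unexpected DNS resolver %s" % resolver)
    if ra.get("router_pref") == "high":
        # RFC 4191 preference; the legitimate router here advertises "medium".
        reasons.append("router preference set to high")
    return reasons


def rogue_ras(log, policy):
    """Return (ts, src_mac, reasons) for every RA in the log that violates the policy."""
    findings = []
    for ra in log:
        reasons = check_ra(ra, policy)
        if reasons:
            findings.append((ra["ts"], ra["src_mac"], reasons))
    return findings


if __name__ == "__main__":
    for ts, mac, reasons in rogue_ras(SAMPLE_RA_LOG, POLICY_IPV6_SEGMENT):
        print("t=%.1f %s: %s" % (ts, mac, "; ".join(reasons)))
    print("IPv4-only segment findings:", len(rogue_ras(SAMPLE_RA_LOG, POLICY_IPV4_ONLY)))
```

The IPv4-only policy is the one that matters for the scenario on slides 50 and 51: the attack works precisely because nobody is looking at IPv6, so the cheapest control is to alert on any RA at all where none is expected.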
  55. DHCP Exhaustion
     • Request leases until the server runs out
     • Provide a lease to new clients
     • Set up your own DNS server for the client
     • Automated:
       • http://www.digininja.org/metasploit/dns_dhcp.php
       • yersinia
  56. DHCP Exhaustion
  57. Preventing DHCP Exhaustion
  58. Preventing DHCP Exhaustion
  59. Wireless Evil Twin
     • Automating:
       • airbase-ng
       • Wifi-Pineapple
       • Pwnie Gear
  60. Pwn Pad
     • 802.11 and Bluetooth Wireless Surveys
     • 802.11 Wireless MitM Testing
     • Wireless Traffic Capture
     • Remote Network Access
     • Zigbee Sniffing with Kisbee
     • RFID Sniffing with the Proxmark III
     • Bluetooth Sniffing with the Ubertooth
  61. (no slide text)
  62. DEMO: Getting In The Middle of a Wireless Network
  63. Preventing Evil Twin Attacks
     • Educate users
     • Don’t use AT&T phones
     • Use RADIUS - Avoid LEAP
     • EAP-TLS, EAP-TTLS, or PEAP
     • MS-CHAPv2 + TLS Tunnel
  64. MDM?
  65. MDM?
  66. Forced HTTP
     • Take advantage of servers that serve over both HTTP and HTTPS
     • Rewrite links as HTTP
     • Abuse the user’s ignorance of “secure”
     • Automated: SSLStrip + IPTables
  67. Forced HTTP with SSLStrip
       echo 1 > /proc/sys/net/ipv4/ip_forward
       iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 10000
       sslstrip -a -k -f -p 10000
  68. DEMO: Forced HTTP with SSLStrip
  69. Preventing SSLStrip
     • Server-side HSTS header
     • Automatically turns any insecure links to the website into secure links.
     • http://example.com/some/page/ -> https://example.com/some/page/
     • If the security of the connection cannot be ensured (i.e., self-signed cert), show an error message and do not allow the user to access the site.
  70. HSTS
     • HSTS tells the browser: never use HTTP with this site.
     • The first time the browser sees the HSTS header from the server, it remembers it.
     • This will work as long as the attacker doesn’t strip the header on the first visit to the site.
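The two "Preventing DHCP Exhaustion" slides have no text on this page. Slide 55 describes the attack as a flood of lease requests, each with a fresh client hardware address, so the practical counters are the same ones switches implement under DHCP snooping: notice when one port sources many distinct client MACs in a short window, and rate-limit DHCP on access ports. The following is an added example, not code from the talk; the log format (`<ts> port=<ingress> chaddr=<mac>`), the sample traffic and the thresholds are constructed for it.

```python
"""DHCP starvation detector and per-port limiter (added example; assumed log format)."""
from collections import deque


def _build_sample_log():
    """Constructed DHCPDISCOVER log: two normal clients on port 1, and one port
    sourcing 20 DISCOVERs with 20 distinct chaddr values inside two seconds."""
    lines = ["0.0 port=Gi1/0/1 chaddr=aa:bb:cc:00:00:10",
             "4.0 port=Gi1/0/1 chaddr=aa:bb:cc:00:00:11"]
    for i in range(20):
        lines.append("%.1f port=Gi1/0/7 chaddr=de:ad:be:ef:00:%02x" % (1.0 + 0.1 * i, i))
    return sorted(lines, key=lambda l: float(l.split()[0]))


SAMPLE_DISCOVER_LOG = _build_sample_log()


def parse_discover(line):
    """Parse one constructed log line into (timestamp, ingress_port, client_mac)."""
    ts, port, chaddr = line.split()
    return float(ts), port.split("=", 1)[1], chaddr.split("=", 1)[1].lower()


def detect_starvation(lines, window=10.0, max_distinct_macs=5):
    """Alert once per port when it sources more than `max_distinct_macs` distinct
    client hardware addresses within `window` seconds. Returns (ts, port, count)."""
    recent = {}        # port -> deque of (ts, mac) inside the window
    alerted = set()
    alerts = []
    for line in lines:
        ts, port, mac = parse_discover(line)
        dq = recent.setdefault(port, deque())
        dq.append((ts, mac))
        while dq and ts - dq[0][0] > window:
            dq.popleft()
        distinct = {m for _, m in dq}
        if len(distinct) > max_distinct_macs and port not in alerted:
            alerts.append((ts, port, len(distinct)))
            alerted.add(port)
    return alerts


def rate_limit(lines, pps=2.0, burst=4):
    """DHCP-snooping-style limiter: a token bucket per ingress port (assumed
    parameters). Returns {port: (accepted, dropped)}; a real switch would
    err-disable or drop, this only counts what it would have done."""
    buckets = {}       # port -> (tokens, last_ts)
    counts = {}        # port -> [accepted, dropped]
    for line in lines:
        ts, port, _ = parse_discover(line)
        tokens, last = buckets.get(port, (float(burst), ts))
        tokens = min(float(burst), tokens + (ts - last) * pps)  # refill since last packet
        acc_drop = counts.setdefault(port, [0, 0])
        if tokens >= 1.0:
            tokens -= 1.0
            acc_drop[0] += 1
        else:
            acc_drop[1] += 1
        buckets[port] = (tokens, ts)
    return {port: tuple(v) for port, v in counts.items()}


if __name__ == "__main__":
    print("starvation alerts:", detect_starvation(SAMPLE_DISCOVER_LOG))
    print("per-port limiter:", rate_limit(SAMPLE_DISCOVER_LOG))
```

The detector keys on distinct client MACs rather than raw packet count because a single misbehaving client that retries often is noise, whereas dozens of never-seen hardware addresses behind one access port is exactly what the "request leases until the server runs out" step produces.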
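Slides 69 and 70 describe what HSTS does and where it fails: the browser only learns the policy when it sees the header over a connection that was not already stripped, and it forgets the policy once max-age expires. The following is an added example, not code from the talk, with two parts: a checker for a server's `Strict-Transport-Security` value (max-age and includeSubDomains per RFC 6797) and a minimal browser-side policy store replayed over a constructed sequence of visits, with or without an on-path SSLStrip, to show the first-visit caveat in action. The site model (serves both schemes, redirects HTTP to HTTPS) and all timings are assumptions.

```python
"""HSTS header checker and first-visit simulation (added example; assumed site model)."""

ONE_YEAR = 365 * 24 * 3600


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict, or None if missing/malformed.
    Directive names are case-insensitive and max-age is mandatory (RFC 6797)."""
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unknown directives are ignored, as the RFC requires
    return policy if policy["max_age"] is not None else None


def hsts_issues(value, min_age=ONE_YEAR):
    """Return human-readable weaknesses in a server's HSTS header (empty list = fine)."""
    policy = parse_hsts(value)
    if policy is None:
        return ["missing or malformed Strict-Transport-Security header"]
    issues = []
    if policy["max_age"] == 0:
        issues.append("max-age=0 clears the policy instead of setting it")
    elif policy["max_age"] < min_age:
        issues.append("max-age %d is below %d seconds" % (policy["max_age"], min_age))
    if not policy["include_subdomains"]:
        issues.append("includeSubDomains missing: subdomains can still be stripped to HTTP")
    return issues


class HstsStore:
    """What a browser remembers: host -> expiry time of the policy."""

    def __init__(self):
        self._known = {}

    def observe(self, host, scheme, header, now):
        # Only a header received over HTTPS is trusted (RFC 6797 section 8.1).
        policy = parse_hsts(header) if scheme == "https" else None
        if policy is None:
            return
        if policy["max_age"] == 0:
            self._known.pop(host, None)
        else:
            self._known[host] = now + policy["max_age"]

    def should_upgrade(self, host, now):
        expiry = self._known.get(host)
        return expiry is not None and now < expiry


def simulate(visits, header="max-age=31536000; includeSubDomains"):
    """Replay (time, host, typed_scheme, attacker_on_path) visits through a fresh store.
    Assumed model: the site serves both schemes and redirects HTTP to HTTPS; an
    on-path SSLStrip keeps a plaintext request on HTTP and the header never arrives.
    Returns, per visit, 'https' or 'stripped'."""
    store = HstsStore()
    outcome = []
    for now, host, scheme, attacker in visits:
        if store.should_upgrade(host, now):
            scheme = "https"            # rewritten inside the browser; nothing plaintext leaves
        if scheme == "http":
            if attacker:
                outcome.append("stripped")  # stays on HTTP, policy is never learned
                continue
            scheme = "https"            # honest redirect from the server
        store.observe(host, scheme, header, now)
        outcome.append(scheme)
    return outcome


if __name__ == "__main__":
    print(hsts_issues("max-age=300"))
    print(simulate([(0, "example.com", "http", False), (100, "example.com", "http", True)]))
    print(simulate([(0, "example.com", "http", True), (100, "example.com", "http", True)]))
```

The three runs worth comparing are a clean first visit followed by an attacked one (both end up HTTPS), an attacked first visit (every visit stays stripped, the caveat on slide 70), and a clean first visit followed by an attacked one after max-age has lapsed (stripped again). Browser preload lists exist to close the first-visit gap; a short max-age reopens it on a schedule.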
  71. Other Attacks
     • CAM Overflow / Flooding
     • Certificate Abuse
     • BGP Attacks
     • Port-Stealing
     • HSRP Manipulation
     • IRDP Spoofing
     • Traffic Tunneling
     • STP Mangling
     • VLAN Attacks
  72. CAM Overflow
     • Flood the local network with random MAC addresses
     • Causes some switches to fail open in repeating mode
     • Automated: sudo macof -i eth0
  73. Preventing CAM Overflow
     • Similar to ARP Spoofing
     • MAC Address monitoring
     • DHCP Snooping
     • Dynamic ARP Inspection
  74. Certificate Abuse
     • “MD5 considered harmful today”
     • Stolen CA Certificates
       • Comodo (March 2011)
       • Diginotar (July 2011)
     • Trustwave CA-signed certificate
     • SSLSniff + Null Byte Attack
  75. BGP Attacks
     • “Stealing the Internet - A Routed, Wide-area, Man in the Middle Attack”
     • Renesys - “Defending Against BGP Man-In-The-Middle Attacks”
     • Every organization owes its Internet connectivity to one protocol: BGP4. There are no alternatives.
     • Everyone who connects to the Internet is currently exposed to various routing risks: downtime, hijacking and now even wholesale traffic interception.
  76. Port Stealing
     Source: http://www.packetwatch.net/documents/papers/layer2sniffing.pdf
  77. HSRP Manipulation
     Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
  78. HSRP Manipulation
     Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
  79. HSRP Manipulation
       Linux# scapy
       Welcome to Scapy (2.0.0.10 beta)
       >>> ip = IP(src='172.16.40.128', dst='224.0.0.2')
       >>> udp = UDP()
       >>> hsrp = HSRP(group=1, priority=255, virtualIP='172.16.40.1')
       >>> send(ip/udp/hsrp, iface='eth1', inter=3, loop=1)
     Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
  80. HSRP Manipulation
     Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
  81. Preventing HSRP Manipulation
     • Prevent L2 access to any connected switch
     • Note: HSRP, VRRP, and GLBP are all vulnerable
  82. IRDP Spoofing
     • ICMP Internet Router Discovery Protocol (IRDP) uses Internet Control Message Protocol (ICMP) router advertisements and router solicitation messages to allow a host to discover the addresses of operational routers on the subnet.
     • The attacker can forge an advertisement packet pretending to be the router for the LAN.
     • He/she can set the “preference level” and the “lifetime” to high values to be sure the hosts will choose it as the preferred router.
     • The attack can be improved by sending spoofed ICMP Host Unreachable messages pretending to be the real router.
     • Automated: IRPAS (http://www.phenoelit.de/irpas)
  83. Traffic Tunneling
  84. STP Mangling
     • STP (Spanning-Tree Protocol) mangling refers to the technique used for the attacker host to be elected as the new root bridge of the spanning tree.
     • The attacker may start either by forging BPDUs (Bridge Protocol Data Units) with high priority, assuming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge.
     • Automated: yersinia
  85. Others
     • Dsniff
     • Ettercap (http://ettercap.github.io/ettercap/)
     • Beef + Shank (http://media.blackhat.com/bh-us-12/Briefings/Ocepek/BH_US_12_Ocepek_Linn_BeEF_MITM_WP.pdf)
     • EvilGrade (http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt)
     • EasyCreds (https://github.com/brav0hax/easy-creds)
     • Subterfuge (https://code.google.com/p/subterfuge/)
  86. Takeaways
  87. Takeaways
     • “MitM is an underrated attack vector”
     • Phones are trivial to MitM because of Evil Twin issues
     • Dropboxes present a credible threat
     • POS networks / systems are available / trending wireless
     • Many powerful MitM attacks can be automated; old school techniques still work
  88. Prior Work and Resources
     • http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
     • http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf
     • http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
     • http://www.packetwatch.net/documents/papers/layer2sniffing.pdf
     • http://packetlife.net
     • http://my.safaribooksonline.com/book/networking/security/9781587052569
  89. Questions?
  90. THANKS! (and don’t forget feedback forms)