SlideShare a Scribd company logo

Alice and Bob are Eff'd

Download as PPTX, PDF
Jason Ross
Jason Ross

A talk discussing the Mallory TCP/IP proxy tool written by folks at Intrepidus Group. The talk discusses how to use the tool effectively, as well as outlining some known problems with the tool and how to get around them. Presented at DEF CON Skytalks 2011.

Law
1 of 26
alice and bob are f**ked jasonross
narcissism • i work here  • i play here  • i malware
intro to mitm
traditional mitm techniques • arp spoof/poisoning – dsniff / ettercap / cain • dns poisoning – dns-mre • 802.11 tricks – karma/airbase • dhcp exhaustion – scapy / metasploit (digininja’s mods)
problems with mitm • can be painful to maintain • arp poisoning is problematic • encryption! • passive capture is fun, but may not be enough
painful maintenance • iptables works well • but managing long lists of rules is a pain • and you still have to do something useful with the traffic you intercept maintenancewindow!
arp poisoning isn’t ideal • busy networks will kill the poisoning host • it’s likely to get noticed • even when it works, it’s fickle • odds are in favor of the network
crypto ftw sucks • few tools dynamically handle certs • ones that do are generally passive listeners (sslsniff) • those that do manipulate traffic & dynamically handle certs don’t do well if the traffic is not HTTP (burp)
pics or it didn’t suck…
data capture is fun
mucking with packets is better • mobile app testing requires more than passive capture. • why just watch wifi traffic, when you could be injecting client side exploits into the streams? • could using mitm help social engineering?
enter mallory
mallory is • a tcp mitm proxy • that supports fuzzing • and tcp stream editing
mallory is not • burp • terribly well supported • necessarily stable
how to get mallory • bitbucket.org/IntrepidusGroup/mallory – install ubuntu – run the mallory install script – done. • download the minimal vm image, and run the update script for that (deprecated)
licensing • python foundation software license v2 • except the gui. that’s gpl3
some familiar challenges • have to get traffic to the mallory host – pptp – gateway box (virtual or otherwise) – traditional mitm techniques already covered
but now you can do stuff easily • pause the streams (tcp/udp) • manipulate packets (manually, or via rulesets) • create modules to deal with unknown protocols… • then muck with that data
recent changes to mallory • gui vastly improved • configuration moved to gui • rules / mucking syntax made much better • many rules / mucking bugs fixed
stuff i’ve done • created the install / update scripts – for the vm image – for standard ubuntu iso installs (10.10 & 11.04) • completely redesigned the directory structure – made it *nix-ish – for great justice! • added random shell scripts / minor code tweaks
common problems • rules gui is confusing • protocols configuration is confusing • traffic doesn’t show up in the stream
solutions • think backwards – need to have a rule before you can edit it • uncommented protocols get handled by the protocol handler, not the tcp debugger • yeah, that sucks
demo!
endgame mallory pwns!
mallory support • bitbucket issues tickets • google group • twitter • intrepidusgroup.com/insight/mallory
[stop] • @rossja • algorythm@gmail.com

Recommended

Linux – routing and firewall for beginners v 1.0
Linux – routing and firewall for beginners v 1.0Linux – routing and firewall for beginners v 1.0
Linux – routing and firewall for beginners v 1.0Sriram Narayanan
 
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...The Hacker News
 
Keeping MongoDB Data Safe
Keeping MongoDB Data SafeKeeping MongoDB Data Safe
Keeping MongoDB Data SafeTony Tam
 
How to Keep Your Data Safe in MongoDB
How to Keep Your Data Safe in MongoDBHow to Keep Your Data Safe in MongoDB
How to Keep Your Data Safe in MongoDBMongoDB
 
FFMUC jitsi-report after first two weeks
FFMUC jitsi-report after first two weeks FFMUC jitsi-report after first two weeks
FFMUC jitsi-report after first two weeks Annika Wickert
 
Indicadores de desempeño de tecnología y emprendimiento
Indicadores de desempeño de tecnología y emprendimientoIndicadores de desempeño de tecnología y emprendimiento
Indicadores de desempeño de tecnología y emprendimientoSantiago Bedoya Palacio
 
Golden medias - a strategic BRAND management Firm
Golden medias - a strategic BRAND management FirmGolden medias - a strategic BRAND management Firm
Golden medias - a strategic BRAND management FirmGolden Medias
 
25. cuestionario de las letras rojas. lamento por jerusalén 2a. parte.
25. cuestionario de las letras rojas. lamento por jerusalén 2a. parte.25. cuestionario de las letras rojas. lamento por jerusalén 2a. parte.
25. cuestionario de las letras rojas. lamento por jerusalén 2a. parte.Comparte la Biblia
 

Recommended

Linux – routing and firewall for beginners v 1.0
Linux – routing and firewall for beginners v 1.0Linux – routing and firewall for beginners v 1.0
Linux – routing and firewall for beginners v 1.0Sriram Narayanan
 
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...
The Hacker News: Hacking Wireless DSL routers via Admin Panel Password Reset ...The Hacker News
 
Keeping MongoDB Data Safe
Keeping MongoDB Data SafeKeeping MongoDB Data Safe
Keeping MongoDB Data SafeTony Tam
 
How to Keep Your Data Safe in MongoDB
How to Keep Your Data Safe in MongoDBHow to Keep Your Data Safe in MongoDB
How to Keep Your Data Safe in MongoDBMongoDB
 
FFMUC jitsi-report after first two weeks
FFMUC jitsi-report after first two weeks FFMUC jitsi-report after first two weeks
FFMUC jitsi-report after first two weeks Annika Wickert
 
Indicadores de desempeño de tecnología y emprendimiento
Indicadores de desempeño de tecnología y emprendimientoIndicadores de desempeño de tecnología y emprendimiento
Indicadores de desempeño de tecnología y emprendimientoSantiago Bedoya Palacio
 
Golden medias - a strategic BRAND management Firm
Golden medias - a strategic BRAND management FirmGolden medias - a strategic BRAND management Firm
Golden medias - a strategic BRAND management FirmGolden Medias
 
25. cuestionario de las letras rojas. lamento por jerusalén 2a. parte.
25. cuestionario de las letras rojas. lamento por jerusalén 2a. parte.25. cuestionario de las letras rojas. lamento por jerusalén 2a. parte.
25. cuestionario de las letras rojas. lamento por jerusalén 2a. parte.Comparte la Biblia
 
The Nuts And Bolts: Getting Started in Social Media
The Nuts And Bolts: Getting Started in Social MediaThe Nuts And Bolts: Getting Started in Social Media
The Nuts And Bolts: Getting Started in Social MediaStacey Harmon
 
The Warmst Photigraphy
The Warmst PhotigraphyThe Warmst Photigraphy
The Warmst Photigraphyzsoltslideshare
 
Reforming the Industrial Disputes Act
Reforming the Industrial Disputes ActReforming the Industrial Disputes Act
Reforming the Industrial Disputes ActSamarth Chaddha
 
Cocoapods and Most common used library in Swift
Cocoapods and Most common used library in SwiftCocoapods and Most common used library in Swift
Cocoapods and Most common used library in SwiftWan Muzaffar Wan Hashim
 
Todo musica
Todo musicaTodo musica
Todo musicaMariaCarinaRosas
 
Athlete NCAA Recruiting Registration (Section 3 of 11)
Athlete NCAA Recruiting Registration (Section 3 of 11)Athlete NCAA Recruiting Registration (Section 3 of 11)
Athlete NCAA Recruiting Registration (Section 3 of 11)athletebuilder
 
Allanamiento demanda
Allanamiento demandaAllanamiento demanda
Allanamiento demandaJòse Rangel
 
Radio Journalism & Production - RADIO FORMATS
Radio Journalism & Production - RADIO FORMATS Radio Journalism & Production - RADIO FORMATS
Radio Journalism & Production - RADIO FORMATS Trinity Dwarka
 
Linux routing and firewall for beginners
Linux routing and firewall for beginnersLinux routing and firewall for beginners
Linux routing and firewall for beginnersn|u - The Open Security Community
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsHeadLightSecurity
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunterAndrew McNicol
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 cccDan Kaminsky
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshootingSkillspire LLC
 
Compression talk
Compression talkCompression talk
Compression talkIlya Ganelin
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_monTomas Doran
 
Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still funpyschedelicsupernova
 
110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-hunting110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-huntingbob dobbs
 
Scratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieScratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieESUG
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
IPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsIPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsCarlos Martinez Cagnazzo
 
Zero mq logs
Zero mq logsZero mq logs
Zero mq logsTomas Doran
 
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Chris Tankersley
 

More Related Content

Viewers also liked

The Nuts And Bolts: Getting Started in Social Media
The Nuts And Bolts: Getting Started in Social MediaThe Nuts And Bolts: Getting Started in Social Media
The Nuts And Bolts: Getting Started in Social MediaStacey Harmon
 
Reforming the Industrial Disputes Act
Reforming the Industrial Disputes ActReforming the Industrial Disputes Act
Reforming the Industrial Disputes ActSamarth Chaddha
 
Cocoapods and Most common used library in Swift
Cocoapods and Most common used library in SwiftCocoapods and Most common used library in Swift
Cocoapods and Most common used library in SwiftWan Muzaffar Wan Hashim
 
Athlete NCAA Recruiting Registration (Section 3 of 11)
Athlete NCAA Recruiting Registration (Section 3 of 11)Athlete NCAA Recruiting Registration (Section 3 of 11)
Athlete NCAA Recruiting Registration (Section 3 of 11)athletebuilder
 
Allanamiento demanda
Allanamiento demandaAllanamiento demanda
Allanamiento demandaJòse Rangel
 
Radio Journalism & Production - RADIO FORMATS
Radio Journalism & Production - RADIO FORMATS Radio Journalism & Production - RADIO FORMATS
Radio Journalism & Production - RADIO FORMATS Trinity Dwarka
 

Viewers also liked (8)

The Nuts And Bolts: Getting Started in Social Media
The Nuts And Bolts: Getting Started in Social MediaThe Nuts And Bolts: Getting Started in Social Media
The Nuts And Bolts: Getting Started in Social Media
 
The Warmst Photigraphy
The Warmst PhotigraphyThe Warmst Photigraphy
The Warmst Photigraphy
 
Reforming the Industrial Disputes Act
Reforming the Industrial Disputes ActReforming the Industrial Disputes Act
Reforming the Industrial Disputes Act
 
Cocoapods and Most common used library in Swift
Cocoapods and Most common used library in SwiftCocoapods and Most common used library in Swift
Cocoapods and Most common used library in Swift
 
Todo musica
Todo musicaTodo musica
Todo musica
 
Athlete NCAA Recruiting Registration (Section 3 of 11)
Athlete NCAA Recruiting Registration (Section 3 of 11)Athlete NCAA Recruiting Registration (Section 3 of 11)
Athlete NCAA Recruiting Registration (Section 3 of 11)
 
Allanamiento demanda
Allanamiento demandaAllanamiento demanda
Allanamiento demanda
 
Radio Journalism & Production - RADIO FORMATS
Radio Journalism & Production - RADIO FORMATS Radio Journalism & Production - RADIO FORMATS
Radio Journalism & Production - RADIO FORMATS
 

Similar to Alice and Bob are Eff'd

Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsHeadLightSecurity
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 cccDan Kaminsky
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshootingSkillspire LLC
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_monTomas Doran
 
Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still funpyschedelicsupernova
 
110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-hunting110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-huntingbob dobbs
 
Scratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieScratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieESUG
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashinfodox
 
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Chris Tankersley
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automationSensePost
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheelsinfodox
 
Cooking a rabbit pie
Cooking a rabbit pieCooking a rabbit pie
Cooking a rabbit pieTomas Doran
 

Similar to Alice and Bob are Eff'd (20)

Linux routing and firewall for beginners
Linux routing and firewall for beginnersLinux routing and firewall for beginners
Linux routing and firewall for beginners
 
Uncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditionsUncommon MiTM in uncommon conditions
Uncommon MiTM in uncommon conditions
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 ccc
 
Network troubleshooting
Network troubleshootingNetwork troubleshooting
Network troubleshooting
 
Compression talk
Compression talkCompression talk
Compression talk
 
Real time system_performance_mon
Real time system_performance_monReal time system_performance_mon
Real time system_performance_mon
 
Why internal pen tests are still fun
Why internal pen tests are still funWhy internal pen tests are still fun
Why internal pen tests are still fun
 
110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-hunting110864103 adventures-in-bug-hunting
110864103 adventures-in-bug-hunting
 
Scratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry PieScratching the itch, making Scratch for the Raspberry Pie
Scratching the itch, making Scratch for the Raspberry Pie
 
Steelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trashSteelcon 2015 - 0wning the internet of trash
Steelcon 2015 - 0wning the internet of trash
 
IPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPsIPv6 Transition Considerations for ISPs
IPv6 Transition Considerations for ISPs
 
Zero mq logs
Zero mq logsZero mq logs
Zero mq logs
 
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
Your Inner Sysadmin - Tutorial (SunshinePHP 2015)
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
 
Nodeconf npm 2011
Nodeconf npm 2011Nodeconf npm 2011
Nodeconf npm 2011
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
BSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Cooking a rabbit pie
Cooking a rabbit pieCooking a rabbit pie
Cooking a rabbit pie
 

More from Jason Ross

Nodejs Security
Nodejs SecurityNodejs Security
Nodejs SecurityJason Ross
 
Tizen Security
Tizen SecurityTizen Security
Tizen SecurityJason Ross
 
AC2DM For Security
AC2DM For SecurityAC2DM For Security
AC2DM For SecurityJason Ross
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
WHOIS the Master
WHOIS the MasterWHOIS the Master
WHOIS the MasterJason Ross
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The EnterpriseJason Ross
 
Dev opsec killing-the_buzz
Dev opsec killing-the_buzzDev opsec killing-the_buzz
Dev opsec killing-the_buzzJason Ross
 

More from Jason Ross (7)

Nodejs Security
Nodejs SecurityNodejs Security
Nodejs Security
 
Tizen Security
Tizen SecurityTizen Security
Tizen Security
 
AC2DM For Security
AC2DM For SecurityAC2DM For Security
AC2DM For Security
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
WHOIS the Master
WHOIS the MasterWHOIS the Master
WHOIS the Master
 
Malware Analysis For The Enterprise
Malware Analysis For The EnterpriseMalware Analysis For The Enterprise
Malware Analysis For The Enterprise
 
Dev opsec killing-the_buzz
Dev opsec killing-the_buzzDev opsec killing-the_buzz
Dev opsec killing-the_buzz
 

Recently uploaded

Introduction to Corruption, definition, types, impact and conclusion
Introduction to Corruption, definition, types, impact and conclusionIntroduction to Corruption, definition, types, impact and conclusion
Introduction to Corruption, definition, types, impact and conclusionAnuragMishra811030
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdflaysamaeguardiano
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书Fs Las
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourBhavikaGholap1
 
INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxnyabatejosphat1
 
Essentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmmEssentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmm2020000445musaib
 
Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx2020000445musaib
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxRRR Chambers
 
如何办理(Michigan文凭证书)密歇根大学毕业证学位证书
如何办理(Michigan文凭证书)密歇根大学毕业证学位证书 如何办理(Michigan文凭证书)密歇根大学毕业证学位证书
如何办理(Michigan文凭证书)密歇根大学毕业证学位证书Sir Lt
 
Cleades Robinson's Commitment to Service
Cleades Robinson's Commitment to ServiceCleades Robinson's Commitment to Service
Cleades Robinson's Commitment to ServiceCleades Robinson
 
如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书Fir L
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxRRR Chambers
 
Legal Risks and Compliance Considerations for Cryptocurrency Exchanges in India
Legal Risks and Compliance Considerations for Cryptocurrency Exchanges in IndiaLegal Risks and Compliance Considerations for Cryptocurrency Exchanges in India
Legal Risks and Compliance Considerations for Cryptocurrency Exchanges in IndiaFinlaw Consultancy Pvt Ltd
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书E LSS
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书SS A
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书E LSS
 
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书Fs Las
 

Recently uploaded (20)

Introduction to Corruption, definition, types, impact and conclusion
Introduction to Corruption, definition, types, impact and conclusionIntroduction to Corruption, definition, types, impact and conclusion
Introduction to Corruption, definition, types, impact and conclusion
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
 
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
如何办理(SFSta文凭证书)美国旧金山州立大学毕业证学位证书
 
THE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labourTHE FACTORIES ACT,1948 (2).pptx labour
THE FACTORIES ACT,1948 (2).pptx labour
 
INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptx
 
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Greater Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Essentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmmEssentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmm
 
Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
 
如何办理(Michigan文凭证书)密歇根大学毕业证学位证书
如何办理(Michigan文凭证书)密歇根大学毕业证学位证书 如何办理(Michigan文凭证书)密歇根大学毕业证学位证书
如何办理(Michigan文凭证书)密歇根大学毕业证学位证书
 
Cleades Robinson's Commitment to Service
Cleades Robinson's Commitment to ServiceCleades Robinson's Commitment to Service
Cleades Robinson's Commitment to Service
 
如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书如何办理澳洲南澳大学(UniSA)毕业证学位证书
如何办理澳洲南澳大学(UniSA)毕业证学位证书
 
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
Russian Call Girls Service Gomti Nagar \ 9548273370 Indian Call Girls Service...
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptx
 
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
Russian Call Girls Rohini Sector 6 💓 Delhi 9999965857 @Sabina Modi VVIP MODEL...
 
Legal Risks and Compliance Considerations for Cryptocurrency Exchanges in India
Legal Risks and Compliance Considerations for Cryptocurrency Exchanges in IndiaLegal Risks and Compliance Considerations for Cryptocurrency Exchanges in India
Legal Risks and Compliance Considerations for Cryptocurrency Exchanges in India
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
 
一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书一比一原版利兹大学毕业证学位证书
一比一原版利兹大学毕业证学位证书
 
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
如何办理(USF文凭证书)美国旧金山大学毕业证学位证书
 

Alice and Bob are Eff'd

  • 2. narcissism • i work here  • i play here  • i malware
  • 4. traditional mitm techniques • arp spoof/poisoning – dsniff / ettercap / cain • dns poisoning – dns-mre • 802.11 tricks – karma/airbase • dhcp exhaustion – scapy / metasploit (digininja’s mods)
  • 5. problems with mitm • can be painful to maintain • arp poisoning is problematic • encryption! • passive capture is fun, but may not be enough
  • 6. painful maintenance • iptables works well • but managing long lists of rules is a pain • and you still have to do something useful with the traffic you intercept maintenancewindow!
  • 7. arp poisoning isn’t ideal • busy networks will kill the poisoning host • it’s likely to get noticed • even when it works, it’s fickle • odds are in favor of the network
  • 8. crypto ftw sucks • few tools dynamically handle certs • ones that do are generally passive listeners (sslsniff) • those that do manipulate traffic & dynamically handle certs don’t do well if the traffic is not HTTP (burp)
  • 9. pics or it didn’t suck…
  • 11. mucking with packets is better • mobile app testing requires more than passive capture. • why just watch wifi traffic, when you could be injecting client side exploits into the streams? • could using mitm help social engineering?
  • 13. mallory is • a tcp mitm proxy • that supports fuzzing • and tcp stream editing
  • 14. mallory is not • burp • terribly well supported • necessarily stable
  • 15. how to get mallory • bitbucket.org/IntrepidusGroup/mallory – install ubuntu – run the mallory install script – done. • download the minimal vm image, and run the update script for that (deprecated)
  • 16. licensing • python foundation software license v2 • except the gui. that’s gpl3
  • 17. some familiar challenges • have to get traffic to the mallory host – pptp – gateway box (virtual or otherwise) – traditional mitm techniques already covered
  • 18. but now you can do stuff easily • pause the streams (tcp/udp) • manipulate packets (manually, or via rulesets) • create modules to deal with unknown protocols… • then muck with that data
  • 19. recent changes to mallory • gui vastly improved • configuration moved to gui • rules / mucking syntax made much better • many rules / mucking bugs fixed
  • 20. stuff i’ve done • created the install / update scripts – for the vm image – for standard ubuntu iso installs (10.10 & 11.04) • completely redesigned the directory structure – made it *nix-ish – for great justice! • added random shell scripts / minor code tweaks
  • 21. common problems • rules gui is confusing • protocols configuration is confusing • traffic doesn’t show up in the stream
  • 22. solutions • think backwards – need to have a rule before you can edit it • uncommented protocols get handled by the protocol handler, not the tcp debugger • yeah, that sucks
  • 23. demo!
  • 25. mallory support • bitbucket issues tickets • google group • twitter • intrepidusgroup.com/insight/mallory

Editor's Notes

  1. if you need notes for this slide, you suck.
  2. there’s alice and bob they want to talk to each other. because they’re friends. mallory hates them both. she’s got a plan. if she can jump into one of their conversations, she can cause all kinds of problems.
  3. there’s a number of techniques for accomplishing man-in-the-middle attacks. here’s a list of the more common ones, and some of the tools that can be used to perform them. * arp spoofing tricks other machines on the network into thinking you’re the gateway host. this results in the attacking host acting as the router for the network. because it is the router, all packets can be intercepted. * dns poisoning can be used to inject an attackers ip address into the answer section of a dns query. this results in a victim host believing the attacker’s IP is the correct address for, say, paypal.com * 802.11 tricks typically involve setting up a rogue AP. wireless clients connect to the AP, resulting in the attacker again acting as a gateway device and router, able to intercept all traffic from the victim machine. * dhcp exhaustion is generally performed by sending a flood of dhcp request packets, and accepting all resulting dhcp offers until the dhcp server pool has been entirely consumed by the attacking machine. more complicated versions attempt to send dhcp release packets for existing hosts, in an attempt to knock them off the network. once all dhcp addresses are owned by the attacker, it can send out dhcp replies to new requests and assign addresses from the pool it now owns. the result once again is that the attacker becomes the gateway device for the victim machines.
  4. details in the next few slides
  5. you’ve just become the router on a network with somewhere between 50 and 150 hosts. you need to intercept specific traffic, monitor it, and potentially manipulate the data being sent between the client and server. how do you do that effectively? *hint*: manually adding iptables for everything you want + managing a crapton of netsed regex statements is not effective.
  6. when you arp poison a network, it’s essentially you vs. every machine on the segment. because each machine is trying to respond to arp requests with valid information as you’re trying to respond with bogus information, there’s a dramatic increase in the total amount of traffic. additionally, any success is limited, as the valid arp data is constantly being sent by the legit hosts.
  7. using cain, i arp poisoned my whole network (a /24, with 6 live hosts) i then checked email using imaps, and both twitter and gmail over https. the end result was that, while cain captured the certs, the connections weren’t successfully intercepted. worse, in the case of the twitter connection, cain was able to snarf the twitter information, but it was completely wrong.
  8. remember tjx and heartland, from back before anti-nony-lulzsec made everyone forget about actual hacking by releasing a tsunami of dox? they are examples of what can happen when someone just passively captures data (crypted or plain). then there’s the obligatory “hipsters sitting in starbucks” credentials theft scenario. whatever.
  9. code tweaks: updated a lot of files to work with the new directory structured changed the codebase to use native set() instead of python Sets module