The document discusses the challenges and techniques of man-in-the-middle (MITM) attacks, highlighting tools like ARP spoofing, DNS poisoning, and the limitations of current methods due to encryption. It introduces 'Mallory,' a TCP MITM proxy that allows for packet manipulation and stream editing, with notes on installation and recent improvements to its GUI and functionality. However, it also addresses common problems users face, such as confusion in the rules and protocol configurations.

1. alice and
bob are
f**ked
jasonross

2. narcissism
• i work here 
• i play here 
• i malware

3. intro to mitm

4. traditional mitm techniques
• arp spoof/poisoning
– dsniff / ettercap / cain
• dns poisoning
– dns-mre
• 802.11 tricks
– karma/airbase
• dhcp exhaustion
– scapy / metasploit (digininja’s mods)

5. problems with mitm
• can be painful to maintain
• arp poisoning is problematic
• encryption!
• passive capture is fun, but may not be enough

6. painful
maintenance
• iptables works well
• but managing long lists of rules is a pain
• and you still have to do something useful with
the traffic you intercept
maintenancewindow!

7. arp poisoning isn’t ideal
• busy networks will kill the poisoning host
• it’s likely to get noticed
• even when it works, it’s fickle
• odds are in favor of the network

8. crypto ftw sucks
• few tools dynamically handle certs
• ones that do are generally passive listeners
(sslsniff)
• those that do manipulate traffic & dynamically
handle certs don’t do well if the traffic is not
HTTP (burp)

9. pics or it didn’t suck…

10. data capture is fun

11. mucking with packets is better
• mobile app testing requires more than passive
capture.
• why just watch wifi traffic, when you could be
injecting client side exploits into the streams?
• could using mitm help social engineering?

12. enter mallory

13. mallory is
• a tcp mitm proxy
• that supports fuzzing
• and tcp stream editing

14. mallory is not
• burp
• terribly well supported
• necessarily stable

15. how to get mallory
• bitbucket.org/IntrepidusGroup/mallory
– install ubuntu
– run the mallory install script
– done.
• download the minimal vm image, and run the
update script for that (deprecated)

16. licensing
• python foundation software license v2
• except the gui. that’s gpl3

17. some familiar challenges
• have to get traffic to the mallory host
– pptp
– gateway box (virtual or otherwise)
– traditional mitm techniques already covered

18. but now you can do stuff easily
• pause the streams (tcp/udp)
• manipulate packets (manually, or via rulesets)
• create modules to deal with unknown
protocols…
• then muck with that data

19. recent changes to mallory
• gui vastly improved
• configuration moved to gui
• rules / mucking syntax made much better
• many rules / mucking bugs fixed

20. stuff i’ve done
• created the install / update scripts
– for the vm image
– for standard ubuntu iso installs (10.10 & 11.04)
• completely redesigned the directory structure
– made it *nix-ish
– for great justice!
• added random shell scripts / minor code tweaks

21. common problems
• rules gui is confusing
• protocols configuration is confusing
• traffic doesn’t show up in the stream

22. solutions
• think backwards
– need to have a rule before you can edit it
• uncommented protocols get handled by the
protocol handler, not the tcp debugger
• yeah, that sucks

23. demo!

24. endgame
mallory
pwns!

25. mallory support
• bitbucket issues tickets
• google group
• twitter
• intrepidusgroup.com/insight/mallory

26. [stop]
• @rossja
• algorythm@gmail.com