Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
•Download as PPTX, PDF•
2 likes•3,735 views
DC7499
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (8)
Similar to Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Similar to Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions" (20)
More from Defcon Moscow
More from Defcon Moscow (8)
Recently uploaded
Recently uploaded (20)
Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
- 2. Uncommon MiTM in uncommon conditions
- 3. 00 WHOAMI • @090h, root@0x90.ru, keybase.io/090h • ZN HW Village organizer hardware@zeronights.ru • 802.11 pwner, SDR/RF enthusiast • embedded reverser (for PWN/DIY) • JBFC/DC7499 member • researcher at hlsec.ru • pwning telecommunications since 2002 • …was doing MITM 20 years ago 8)
- 4. 01 INTRO • XXI century is communications century • When I was a boy we counted in Pentiums 8) 1993 Pentium 66Mhz – 2000 Pentium 4 1400MHz • Nowadays we count in G and still use Pentium, but 4G is used and 5G in progress • DialUp 9600 FIDO – FTTH 100Mb Internet • Nearest future: 5G + IPv6 + IoE • Security of communications evolving slooooooooooowly. SS7 invented in 1975, kicking ass nowadays
- 5. 02 MAN MITM • MITM = Man In The Middle • It is a type fundamental communication attacks • Subtypes: active, passive • IRL: passive MITM = sniff, active MITM = MITM • Also has a name….
- 8. Alice, Bob and Eve…
- 9. .. and sometimes Charlie
- 10. .. and Mallory aka Trudy
- 11. Implementation • Fundamental => data channel independent • Data channels: • Ethernet • USB • UART • SPI • RFID • NFC • WiFi • GSM
- 12. ETHERNET EVE
- 13. MY FIRST SNIFFER EVE
- 14. ALICE LOOKED AWSOME THEESE DAYS
- 15. NFC EVE
- 16. Short summary • Technology changes – MiTM changes. Hackers should be adaptive. • Security of telecommunications is like in 90’s • MiTM world is much more bigger than most hacker think • Study fundamental sciences, to be able to hack at FUNdaMENTAL layer!
- 17. I LIKE TO MITM IT MITM IT
- 18. MITM I HAVE KNOWN AND LOVED • LAN based MITM • WAN based MITM • Rogue AP MITM (KAMA/MANA/HostapdWPE) • MITM over VPN (L2TP, PPTP) • Hybrid MITM
- 19. MITM anatomy • ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY • PLAiN_TEXT_PROTO => SNIFF FOR LOOT + INJECT EViL • HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER • HTTP + BDFProxy => SHELLZ • SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO • SSL + PROTO => (HEARTBLEED || POODLE) => PWN • LOOT => cookies, credentials, photos, locations • Custom sniffers/injectors/sploits for protocols/apps/vulns • Example: SMB/NTLM relays
- 20. THAT’S WHY PRACTICS RULE!
- 21. Cooking MITM by ARP cache poison attack
- 23. ARP attacks send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) # half duplex send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2) /ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) # ARP spoofing in VLANS
- 24. Meanwhile in real world
- 25. Common MITM after ARP poison
- 26. IRL: WTF IS GOING ON?
- 27. SOME ATTACK? MAYBE PWN THE ROUTER?
- 28. PixieWPS + admin:admin @ web interface
- 29. Shodan + device-pharmer.py pwnage
- 30. We’ve got root! What to do next? • Backup configuration • Get shell • Research firmware availabilities • Have fun
- 33. Enable DynDNS if white IP
- 34. Enable syslog to rsyslogd @ VPS
- 35. Use Guest WiFi as tiny KARMA
- 36. Separate SSID, IP mask = comfort
- 37. Install plugins
- 38. Enable PPTP VPN
- 39. Install and use tcpdump in firmware
- 40. BPF 4 YOU
- 41. Set DNS to your EvilDNS with dnschef
- 42. Passive MITM aka EVE at router • tcpdump • NFS mount and/or netcat • Write pcap file to share/pipe with tcpdump
- 43. Eve on router
- 44. Mallory on router • Set DNS to VPS • Install tcpdump, sslsplit, sslstrip • NFS mount/netcat • Write pcap file to share/pipe with tcpdump
- 46. Pros and cons Pros: • Not so hard to do Cons • Router is rebooted by watchdog or users • MITM is sloooooooooow cause of high temp of CPU • Not so many routers have such reach features • VPS IP disclosure during MITM
- 47. WAN MITM TO VPS
- 48. WAN MITM ALGO • Telnet to router • Run mitmproxy in transparent mode on VPS • DNAT port 80 to VPS_IP:8080
- 49. Router requirements • telnet/ssh/rce/cmd inj • iptables
- 50. WAN based MITM
- 51. Pros and cons Pros: • Not so hard to do Cons • Oworks for HTTP traffic • Can’t distinguish clients by ip • VPS IP disclosure during MITM
- 52. HARDCORE MODE ON PPTP based MITM
- 53. PPTP MITM ideas • MiTM contains of 2 parts for router and VPS • All active attacks are working on VPS • Router is used for forwarding and routing • pwner is pwning
- 54. Router requirements • PPTP VPN server in firmware • iptables • telnet/ssh/rce/cmd inj
- 55. VPS requirements • Linux, • pptp • iptables • sslstrip,sslsplit, tcpdump, mitmproxy
- 56. PPTP MITM ALGO • Connect from VPS to PPTP VPN • Get ppp0 interface IP • Launch MITM kit on ppp0 (sslsplit, sslstrip, iptavleforwarding) • Telnet to router • Add ISP gateway to route map • Set VPS ppp0 IP as default gateway • PWN’em all
- 57. PPTP Server on router + Mallory on VPS
- 58. Pros and cons Pros: • FULL MITM • No IP disclosure Cons • Router looses connection to Internet if PPTP connection is down
- 59. REPOS/TOOLS REPOS • https://github.com/0x90/lan-warz • https://github.com/0x90/mitm-arsenal • https://github.com/0x90/scapy-arsenal MiTM EXAMPLES https://github.com/dc7499/uncommon-mitm