SlideShare a Scribd company logo
Pwnie Express
Practical Man in the Middle
1Saturday, June 22, 13
whoami
• Jonathan Cran
• Advisor, SOURCE Conference
• CTO Pwnie Express
• QA Director Metasploit
• Penetration Tester Rapid7
2Saturday, June 22, 13
Agenda
• MitM is a huge topic
• Why ShouldYou Care in 2013?
• Practical Attacks
• Practical Attack Automation
• Drop Boxes!
• Takeaways + Future Work
3Saturday, June 22, 13
Let’s not re-invent the
wheel
4Saturday, June 22, 13
Our Focus
• Local & Wireless Network
• Getting in the Middle
• Viewing and Manipulating Traffic
• Automating Easy Wins
5Saturday, June 22, 13
Not our focus
• Attacking SSL through certificate
manipulation
• Attacking BGP
• More complex attacks (STP, HSRP)
• Proxy trojans (MitB, BitB)
6Saturday, June 22, 13
Focus:
Highly targeted, local
network attacks
7Saturday, June 22, 13
8Saturday, June 22, 13
9Saturday, June 22, 13
10Saturday, June 22, 13
Why ShouldYou Care
in 2013?
11Saturday, June 22, 13
12Saturday, June 22, 13
13Saturday, June 22, 13
A couple reasons
• Wireless everywhere
• Smartphones / AT&T auto-connect
• Retail / POS Networks
• Android apps
• Sometimes it’s hard to take control of a particular
system. Network is the easier target.
14Saturday, June 22, 13
And...
• Local Network - ARP Cache Poisoning is STILL
a valid attack - defense is impractical in many cases
• Local Network -SLAAC looks to be the best
replacement if ARP Cache Poisoning won’t work -
Windows 7+ has a default IPv6-enabled stack -
Recommendation? Disable IPv6
• Internet - SSL - Would your users really notice
lack of http or an invalid cert?
• Wireless - Wireless “Evil Twin” flaws still pervasive
15Saturday, June 22, 13
Android
• It means your personal information is being
transmitted to advertising agencies in mass
quantities.
• Mallodroid - Leibniz University of Hannover
• 13,500 android apps reversed, 1074 vulnerable
(8%)
• SSL/TLS code that is potentially vulnerable to
MITM attacks
16Saturday, June 22, 13
And...
• ARM Devices continue to get smaller / more
portable
• Pwn Plug
• Gumstix
• ODroid
• MK - SS808
17Saturday, June 22, 13
And...
18Saturday, June 22, 13
And...
19Saturday, June 22, 13
And...
20Saturday, June 22, 13
And...
21Saturday, June 22, 13
And...
22Saturday, June 22, 13
And...
23Saturday, June 22, 13
And...
24Saturday, June 22, 13
And...
25Saturday, June 22, 13
And...
• 4G / LTE Speeds will get faster
• Freedom Stick
26Saturday, June 22, 13
That said...
• Securing Layer 2 is hard
• You’re probably not getting owned by folks with
physical access (or are you?)
• TJX (WEP + Arp Spoofing)
• Subway (Backdoored devices)
• Barnes and Noble (Verifone / Linux Pinpads)
• Realistically, dumping hashes on a windows box is an
easier vector during most enterprise penetration
tests
• Financial Crime? Man-in-Browser
• Go where the data is, silly.
27Saturday, June 22, 13
I thought you said
practical
28Saturday, June 22, 13
Super Practical Attacks
• Hardware Taps & Bridges
• ARP Cache Poisoning
• DNS Cache Poisoning
• IPv6 Abuse / SLAAC Attack
• DHCP Exhaustion
• Wireless Evil Twin
• Forced HTTP / SSLStrip
29Saturday, June 22, 13
A Note on Attack
Prevention
• Use a strongVPN Connection
• Do not use PPTP, MSCHAPv2 broken
• L2TP/IPSec, IPSec with IKEv2 and
OpenVPN
30Saturday, June 22, 13
Hardware Taps
• DualComm DCSW-1005 (Active Copy)
• Throwing Star LAN Tap (Passive)
vs
31Saturday, June 22, 13
Hardware Bridges
• Simply place a device in-line and act as a
bridge
• brctl (bridge-utils)
• EBTables to route traffic
32Saturday, June 22, 13
Hardware Bridges
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# ifconfig br0 netmask 255.255.255.0 10.1.1.1 up
33Saturday, June 22, 13
Preventing Hardware
Attacks
• Good physical security
• Good loss prevention
• 802.1x / NAC
34Saturday, June 22, 13
ARP Cache Poisoning
• Observe broadcast request, send malicious
ARP reply, victim stores attacker’s MAC for
the IP
• “Poison” a single comm channel, or both
• Automated:
• zomg so many ways to do it - just use
arpspoof
35Saturday, June 22, 13
ARP Cache Poisoning
• echo 1 > /proc/sys/net/ipv4/ip_forward
• arpspoof -t <poisoned_host> <gateway>
36Saturday, June 22, 13
Preventing ARP Cache
Poisoning
• Broadcast Traffic Filtering
• Disable Gratuitous ARP
• Enable DHCP Snooping
• Static ARP Tables
• Monitoring
• ArpWatch,Tons of others
• HUAWEI Patented techniques
• MACSEC / 802.1AE
37Saturday, June 22, 13
A note on MACSec
• MACsec, defined in 802.1AE, provides
MAC-layer encryption over wired
networks
• MKA and MACsec are implemented after
successful authentication using the 802.1x
Extensible Authentication Protocol (EAP)
framework.
38Saturday, June 22, 13
DNS Cache Poisoning,
previously
• Cache poisoning without response forgery
• bailiwick rule fixed this in ~1993
• Blind response forgery using birthday attack
• “Birthday attack” - guess TXID, known since
2002
• “Kaminsky attack” - required guessing TXID, but
added hijacking the authority records
• Automating: http://www.metasploit.com/
modules/auxiliary/spoof/dns/
bailiwicked_domain
39Saturday, June 22, 13
DNS Cache Poisoning
Source: http://www.cs.utexas.edu/~shmatshmat_securecomm10.pdf
40Saturday, June 22, 13
DNS Cache Poisoning,
now
• Response forgery using eavesdropping
• Requires “being in the middle”
• Automating: Ettercap
41Saturday, June 22, 13
DNS Cache Poisoning,
now
Source: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf
42Saturday, June 22, 13
Preventing DNS
Spoofing
• DNSSEC
43Saturday, June 22, 13
DNS Cache Poisoning,
now
• Response forgery using eavesdropping
• Requires “being in the middle”
• Automating: Ettercap
44Saturday, June 22, 13
SLAAC Attack
• Instructions provided by the Infosec
Institute article
• Uses RADVD + DHCPv6 + NAT-PT + IPv6
DNS server
• NAT-PT allows our IPv6-addressed victims
to access the Internet through IPv4
45Saturday, June 22, 13
SLAAC Attack
Source: http://resources.infosecinstitute.com/slaac-attack/
46Saturday, June 22, 13
SLAAC Attack
Source: http://resources.infosecinstitute.com/slaac-attack/
47Saturday, June 22, 13
SLAAC Attack
• The address of the victim’s DNS server matches the
NAT-PT prefix on evil-rtr, denoting that the last 32 bits
contain the DNS server’s IPv4 address.
• NAT-PT translates the source and destination IPv6/IPv4
addresses in both directions.
• The DNS ALG translates the victim’s AAAA query for
an IPv6 address into an A query for an IPv4 address and
vice versa on the way back.
• The DNS ALG also translates the IPv4 address in the
reply to an IPv6 address that matches the NAT-PT
prefix.
48Saturday, June 22, 13
SLAAC Attack
Source: http://resources.infosecinstitute.com/slaac-attack/
49Saturday, June 22, 13
SLAAC Attack
• We have not compromised or altered the operation of
the victim’s IPv4 network, as we would have needed to
do in order to MITM IPv4 traffic.We’ve not even
needed to get an IPv4 address from their DHCP server.
• We have not compromised an existing IPv6 network,
because there wasn’t one before we arrived.
• We have not compromised any given victim host (yet!).
Each machine is behaving as designed and is choosing
IPv6 over IPv4 of its own volition.
• We have managed to totally alter the flow of traffic on
the victim’s network by awakening the hosts’ latent
desire to use IPv6 over IPv4.
50Saturday, June 22, 13
SLAAC Attack
• We’re introducing a new path to the Internet.Any
defences or monitoring employed at the network’s IPv4
boundary are therefore ineffective and will raise no
indicators of compromise.
• There’s a chance that the victim’s security systems
(e.g., host firewalls, HIPS, SIEM boxes, etc.) won’t be
able to handle IPv6 traffic. IPv6 support on such
systems is rarely as mature as its IPv4 equivalent.
• Since the victims “aren’t using IPv6″ they won’t be
expecting an attack that makes use of it.
• If the above is true, there’s a chance their Incident
Response teams won’t have the necessary training and
experience with IPv6 to deal with an incident.
51Saturday, June 22, 13
SLAAC Attack
52Saturday, June 22, 13
SLAAC Attack
53Saturday, June 22, 13
Preventing SLAAC
54Saturday, June 22, 13
DHCP Exhaustion
• Request leases until the server runs out
• Provide a lease to new clients
• Set up your own DNS server for the client
• Automated:
• http://www.digininja.org/metasploit/
dns_dhcp.php
• yersinia
55Saturday, June 22, 13
DHCP Exhaustion
56Saturday, June 22, 13
Preventing DHCP
Exhaustion
57Saturday, June 22, 13
Preventing DHCP
Exhaustion
58Saturday, June 22, 13
Wireless Evil Twin
• Automating:
• airbase-ng
• Wifi-Pineapple
• Pwnie Gear
59Saturday, June 22, 13
• 802.11 and Bluetooth Wireless Surveys
•802.11 Wireless MitM Testing
• Wireless Traffic Capture
• Remote Network Access
• Zigbee Sniffing with Kisbee
• RFID Sniffing with the Proxmark |||
• Bluetooth Sniffing with the Ubertooth
Pwn Pad
60Saturday, June 22, 13
61Saturday, June 22, 13
DEMO: Getting In The
Middle of a Wireless
Network
62Saturday, June 22, 13
Preventing Evil Twin Attacks
• Educate users
• Don’t use AT&T phones
• Use RADIUS - Avoid LEAP
• EAP-TLS, EAP-TTLS, or PEAP
• MS-CHAPv2 + TLS Tunnel
63Saturday, June 22, 13
MDM?
64Saturday, June 22, 13
MDM?
65Saturday, June 22, 13
Forced HTTP
• Take advantage of servers that server over
both HTTP and HTTPS
• Rewrite links as HTTP
• Abuse the user’s ignorance of “secure”
• Automated: SSLStrip + IPTables
66Saturday, June 22, 13
Forced HTTP with
SSLStrip
• echo 1 > /proc/sys/net/ipv4/ip_forward
• iptables -t nat -A PREROUTING -p tcp --
dport 80 -j REDIRECT --to-ports 10000
• sslstrip -a -k -f -p 10000
67Saturday, June 22, 13
DEMO: Forced HTTP
with SSLStrip
68Saturday, June 22, 13
Preventing SSLStrip
• Server-side HSTS Header
• Automatically turns any insecure links to
the website into secure links.
• http://example.com/some/page/ ->
https://example.com/some/page/
• If the security of the connection cannot
be ensured (ie, self-signed cert), show an
error message and do not allow the user
to access the site.
69Saturday, June 22, 13
HSTS
• HSTS tells the browser: never use HTTP
with this site.
• The first time the browser sees the HSTS
header from the server, it remembers it.
• This will work as long as the attacker
doesn't strip the header on the first visit to
the site.
70Saturday, June 22, 13
Other Attacks
• CAM Overflow /
Flooding
• Certificate Abuse
• BGP Attacks
• Port-Stealing
• HSRP
Manipulation
• IRDP Spoofing
• Traffic Tunneling
• STP Mangling
• VLAN Attacks
71Saturday, June 22, 13
CAM Overflow
• Flood the local network with random MAC
addresses
• Causes some switches to fail open in
repeating mode
• Automated: sudo macof -i eth0
72Saturday, June 22, 13
Preventing CAM
Overflow
• Similar to ARP Spoofing
• MAC Address monitoring
• DHCP Snooping
• Dynamic ARP Inspection
73Saturday, June 22, 13
Certificate Abuse
• “MD5 considered harmful today”
• Stolen CA Certificates
• Comodo (March 2011)
• Diginotar (July 2011)
• Trustwave CA-signed certificate
• SSLSniff + Null Byte Attack
74Saturday, June 22, 13
BGP Attacks
• "Stealing the Internet - A Routed,Wide-area, Man in
the Middle Attack"
• Renesys - “Defending Against BGP Man-In-The-
Middle Attacks”
• Every organization owes its Internet connectivity to
one protocol: BGP4.There are no alternatives.
• Everyone who connects to the Internet is currently
exposed to various routing risks: downtime,
hijacking and now even wholesale traffic
interception.
75Saturday, June 22, 13
Port Stealing
Source: http://www.packetwatch.net/documents/papers/layer2sniffing.pdf
76Saturday, June 22, 13
HSRP Manipulation
Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
77Saturday, June 22, 13
HSRP Manipulation
Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
78Saturday, June 22, 13
HSRP Manipulation
• Linux# scapy
• Welcome to Scapy (2.0.0.10 beta)
• >>> ip = IP(src='172.16.40.128', dst='224.0.0.2')
• >>> udp = UDP()
• >>> hsrp = HSRP(group=1, priority=255,
virtualIP='172.16.40.1')
• >>> send(ip/udp/hsrp, iface='eth1', inter=3, loop=1)
Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
79Saturday, June 22, 13
HSRP Manipulation
Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/
80Saturday, June 22, 13
Preventing HSRP
Manipulation
• Prevent L2 Access to any connected switch
• Note: HSRP,VRRP, and GLBP all vulnerable
81Saturday, June 22, 13
IRDP Spoofing
• ICMP Internet Router Discovery Protocol (IRDP) uses Internet
Control Message Protocol (ICMP) router advertisements and
router solicitation messages to allow a host to discover the
addresses of operational routers on the subnet.
• The attacker can forge some advertisement packet pretending to
be the router for the LAN.
• He/she can set the “preference level” and the “lifetime” at high
values to be sure the hosts will choose it as the preferred router.
• The attack can be improved by sending some spoofed ICMP Host
Unreachable pretending to be the real router
• Automated: IRPAS (http://www.phenoelit.de/irpas)
82Saturday, June 22, 13
Traffic Tunneling
83Saturday, June 22, 13
STP Mangling
• STP (Spanning-Tree Protocol) mangling refers to the
technique used for the attacker host to be elected as the
new root bridge of the spanning tree.
• The attacker may start either by forging BPDUs (Bridge
Protocol Data Units) with high priority assuming to be the
new root, or by broadcasting STP Configuration/Topology
Change Acknowledgement BPDUs to get his host elected as
the new root bridge.
• Automated: yersinia
84Saturday, June 22, 13
Others
• Dsniff
• Ettercap (http://ettercap.github.io/ettercap/)
• Beef + Shank (http://media.blackhat.com/bh-us-12/Briefings/Ocepek/BH_US_12_Ocepek_Linn_BeEF_MITM_WP.pdf)
• EvilGrade (http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt)
• EasyCreds (https://github.com/brav0hax/easy-creds)
• Subterfuge (https://code.google.com/p/subterfuge/)
85Saturday, June 22, 13
Takeaways
86Saturday, June 22, 13
Takeaways
• “MitM is a underrated attack vector”
• Phones are trivial to MitM because of Evil Twin issues
• Dropboxes present a credible threat
• POS networks / systems are available / trending wireless
• Many powerful MitM attacks can be automated, old school
techniques still work
87Saturday, June 22, 13
Prior Work and
Resources
• http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-
convery-switches.pdf
• http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-
ornaghi-valleri.pdf
• http://www.blackhat.com/presentations/bh-europe-03/bh-
europe-03-valleri.pdf
• http://www.packetwatch.net/documents/papers/
layer2sniffing.pdf
• http://packetlife.net
• http://my.safaribooksonline.com/book/networking/security/
9781587052569
88Saturday, June 22, 13
Questions?
89Saturday, June 22, 13
THANKS! (and don’t forget feedback forms)
90Saturday, June 22, 13

More Related Content

What's hot

FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみた
Yutaka Ishizaki
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Pavel Odintsov
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
Pavel Odintsov
 
DDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environmentDDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environment
Pavel Odintsov
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
Pavel Odintsov
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
Babak Farrokhi
 
Jon Nield FastNetMon
Jon Nield FastNetMonJon Nield FastNetMon
Jon Nield FastNetMon
Pavel Odintsov
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
 
HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!
Daniel Stenberg
 
9534715
95347159534715
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
Redge Technologies
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP address
Bangladesh Network Operators Group
 
What can possibly go wrong? Why eSport needs an AntiDDoS Protection
What can possibly go wrong? Why eSport needs an AntiDDoS ProtectionWhat can possibly go wrong? Why eSport needs an AntiDDoS Protection
What can possibly go wrong? Why eSport needs an AntiDDoS Protection
Jakub Słociński
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Bangladesh Network Operators Group
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
Pavel Odintsov
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
Pavel Odintsov
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
Pavel Odintsov
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
Pavel Odintsov
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)
Andrew Denner
 

What's hot (19)

FastNetMonを試してみた
FastNetMonを試してみたFastNetMonを試してみた
FastNetMonを試してみた
 
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De LucaDetecting and mitigating DDoS ZenDesk by Vicente De Luca
Detecting and mitigating DDoS ZenDesk by Vicente De Luca
 
Distributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And MitigationDistributed Denial of Service Attack - Detection And Mitigation
Distributed Denial of Service Attack - Detection And Mitigation
 
DDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environmentDDoS Challenges in IPv6 environment
DDoS Challenges in IPv6 environment
 
DeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPSDeiC DDoS Prevention System - DDPS
DeiC DDoS Prevention System - DDPS
 
DDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and TechniquesDDoS Mitigation Tools and Techniques
DDoS Mitigation Tools and Techniques
 
Jon Nield FastNetMon
Jon Nield FastNetMonJon Nield FastNetMon
Jon Nield FastNetMon
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
 
HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!HTTP/3 over QUIC. All is new but still the same!
HTTP/3 over QUIC. All is new but still the same!
 
9534715
95347159534715
9534715
 
redGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solutionredGuardian DP100 large scale DDoS mitigation solution
redGuardian DP100 large scale DDoS mitigation solution
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP address
 
What can possibly go wrong? Why eSport needs an AntiDDoS Protection
What can possibly go wrong? Why eSport needs an AntiDDoS ProtectionWhat can possibly go wrong? Why eSport needs an AntiDDoS Protection
What can possibly go wrong? Why eSport needs an AntiDDoS Protection
 
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane ElectricLet's talk about routing security, Anurag Bhatia, Hurricane Electric
Let's talk about routing security, Anurag Bhatia, Hurricane Electric
 
Implementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit networkImplementing BGP Flowspec at IP transit network
Implementing BGP Flowspec at IP transit network
 
Nanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmonNanog66 vicente de luca fast netmon
Nanog66 vicente de luca fast netmon
 
Keeping your rack cool
Keeping your rack cool Keeping your rack cool
Keeping your rack cool
 
Protect your edge BGP security made simple
Protect your edge BGP security made simpleProtect your edge BGP security made simple
Protect your edge BGP security made simple
 
St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)St Louis Linux Users Group Wireguard (for Fun and Networking)
St Louis Linux Users Group Wireguard (for Fun and Networking)
 

Viewers also liked

Arp spoofing slides
Arp spoofing slidesArp spoofing slides
Arp spoofing slides
Luthfi Widyanto
 
Raspbery pi Arm
Raspbery pi ArmRaspbery pi Arm
Raspbery pi Arm
Mohammad Dehghan
 
Minimalist Operating Systems for Containers
Minimalist Operating Systems for ContainersMinimalist Operating Systems for Containers
Minimalist Operating Systems for Containers
Enderson Tadeu Maia
 
IoT - Innovating without compromising security
IoT - Innovating without compromising securityIoT - Innovating without compromising security
IoT - Innovating without compromising security
Victor Tuson Palau
 
BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards!
BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards!BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards!
BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards!
Linaro
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
DefconRussia
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
Chris Gates
 
FC00::1 (Algunos) Ataques en IPv6
FC00::1 (Algunos) Ataques en IPv6FC00::1 (Algunos) Ataques en IPv6
FC00::1 (Algunos) Ataques en IPv6
Chema Alonso
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
Luthfi Widyanto
 
Arp and rarp
Arp and rarpArp and rarp
Spoofing Techniques
Spoofing TechniquesSpoofing Techniques
Spoofing Techniques
Raza_Abidi
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofing
arpit.arp
 
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
Techsylvania
 
Pwn phone2014 jrs
Pwn phone2014 jrsPwn phone2014 jrs
Pwn phone2014 jrs
Security Weekly
 
Spoofing
SpoofingSpoofing
Spoofing
Sanjeev
 

Viewers also liked (15)

Arp spoofing slides
Arp spoofing slidesArp spoofing slides
Arp spoofing slides
 
Raspbery pi Arm
Raspbery pi ArmRaspbery pi Arm
Raspbery pi Arm
 
Minimalist Operating Systems for Containers
Minimalist Operating Systems for ContainersMinimalist Operating Systems for Containers
Minimalist Operating Systems for Containers
 
IoT - Innovating without compromising security
IoT - Innovating without compromising securityIoT - Innovating without compromising security
IoT - Innovating without compromising security
 
BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards!
BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards!BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards!
BKK16-406 Ubuntu Core - a snappy platform for Embedded, IoT and 96boards!
 
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
Олег Купреев - Обзор и демонстрация нюансов и трюков из области беспроводных ...
 
Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)Home Arcade setup (NoVA Hackers)
Home Arcade setup (NoVA Hackers)
 
FC00::1 (Algunos) Ataques en IPv6
FC00::1 (Algunos) Ataques en IPv6FC00::1 (Algunos) Ataques en IPv6
FC00::1 (Algunos) Ataques en IPv6
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
 
Arp and rarp
Arp and rarpArp and rarp
Arp and rarp
 
Spoofing Techniques
Spoofing TechniquesSpoofing Techniques
Spoofing Techniques
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofing
 
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
Mark Shuttleworth (Ubuntu) - Faster, Easier and More Secure: The Next Generat...
 
Pwn phone2014 jrs
Pwn phone2014 jrsPwn phone2014 jrs
Pwn phone2014 jrs
 
Spoofing
SpoofingSpoofing
Spoofing
 

Similar to Practical mitm for_pentesters

MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
Shumon Huque
 
Don Bailey - A Million Little Tracking Devices
Don Bailey  - A Million Little Tracking DevicesDon Bailey  - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking Devices
Source Conference
 
PLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New AgainPLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New Again
PROIDEA
 
How we lose etu hadoop competition
How we lose etu hadoop competitionHow we lose etu hadoop competition
How we lose etu hadoop competition
Evans Ye
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you can
Hackito Ergo Sum
 
Hackito Ergo Sum 2011: Capture me if you can!
Hackito Ergo Sum 2011: Capture me if you can!Hackito Ergo Sum 2011: Capture me if you can!
Hackito Ergo Sum 2011: Capture me if you can!
stricaud
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
Wilson Rogerio Lopes
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
Santhosh Kumar
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
Chong-Kuan Chen
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?
Stephen Kho
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
johnmcclure00
 
SignalR
SignalRSignalR
SignalR
Troy Miles
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Bailey
idsecconf
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
Omer Coskun
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?
RIPE NCC
 
Outsourced database
Outsourced databaseOutsourced database
Outsourced database
faraz Safarpour
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
P1Security
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdf
FernandoGont
 
501 ch 3 network technologies tools
501 ch 3 network technologies tools501 ch 3 network technologies tools
501 ch 3 network technologies tools
gocybersec
 

Similar to Practical mitm for_pentesters (20)

MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSECMAGPI: Advanced Services: IPv6, Multicast, DNSSEC
MAGPI: Advanced Services: IPv6, Multicast, DNSSEC
 
Don Bailey - A Million Little Tracking Devices
Don Bailey  - A Million Little Tracking DevicesDon Bailey  - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking Devices
 
PLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New AgainPLNOG 5: Merike Kaeo - Something Old Is New Again
PLNOG 5: Merike Kaeo - Something Old Is New Again
 
How we lose etu hadoop competition
How we lose etu hadoop competitionHow we lose etu hadoop competition
How we lose etu hadoop competition
 
HES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you canHES2011 - Sebastien Tricaud - Capture me if you can
HES2011 - Sebastien Tricaud - Capture me if you can
 
Hackito Ergo Sum 2011: Capture me if you can!
Hackito Ergo Sum 2011: Capture me if you can!Hackito Ergo Sum 2011: Capture me if you can!
Hackito Ergo Sum 2011: Capture me if you can!
 
DDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and MitigationDDoS Attacks - Scenery, Evolution and Mitigation
DDoS Attacks - Scenery, Evolution and Mitigation
 
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" Santhosh Kumar
 
Security events in 2014
Security events in 2014Security events in 2014
Security events in 2014
 
4G LTE Security - What hackers know?
4G LTE Security - What hackers know?4G LTE Security - What hackers know?
4G LTE Security - What hackers know?
 
IPv6 Threat Presentation
IPv6 Threat PresentationIPv6 Threat Presentation
IPv6 Threat Presentation
 
SignalR
SignalRSignalR
SignalR
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
A million little tracking devices - Don Bailey
A million little tracking devices - Don BaileyA million little tracking devices - Don Bailey
A million little tracking devices - Don Bailey
 
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco NetworksInfiltrateCon 2016 - Why Nation-State Hack Telco Networks
InfiltrateCon 2016 - Why Nation-State Hack Telco Networks
 
IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?IPv6 Security - Where is the Challenge?
IPv6 Security - Where is the Challenge?
 
Outsourced database
Outsourced databaseOutsourced database
Outsourced database
 
Attacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchangeAttacking GRX - GPRS Roaming eXchange
Attacking GRX - GPRS Roaming eXchange
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdf
 
501 ch 3 network technologies tools
501 ch 3 network technologies tools501 ch 3 network technologies tools
501 ch 3 network technologies tools
 

More from Jonathan Cran

Intrigue Core: Scaling Assessment Automation
Intrigue Core: Scaling Assessment AutomationIntrigue Core: Scaling Assessment Automation
Intrigue Core: Scaling Assessment Automation
Jonathan Cran
 
2019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 20202019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 2020
Jonathan Cran
 
Top 10 exploited vulnerabilities 2019 (thus far...)
Top 10 exploited vulnerabilities 2019 (thus far...) Top 10 exploited vulnerabilities 2019 (thus far...)
Top 10 exploited vulnerabilities 2019 (thus far...)
Jonathan Cran
 
Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction
Jonathan Cran
 
Vulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionVulnerability Prioritization and Prediction
Vulnerability Prioritization and Prediction
Jonathan Cran
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)
Jonathan Cran
 
Attack Surface Discovery with Intrigue
Attack Surface Discovery with IntrigueAttack Surface Discovery with Intrigue
Attack Surface Discovery with Intrigue
Jonathan Cran
 
Ear
EarEar

More from Jonathan Cran (8)

Intrigue Core: Scaling Assessment Automation
Intrigue Core: Scaling Assessment AutomationIntrigue Core: Scaling Assessment Automation
Intrigue Core: Scaling Assessment Automation
 
2019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 20202019 Cybersecurity Retrospective and a look forward to 2020
2019 Cybersecurity Retrospective and a look forward to 2020
 
Top 10 exploited vulnerabilities 2019 (thus far...)
Top 10 exploited vulnerabilities 2019 (thus far...) Top 10 exploited vulnerabilities 2019 (thus far...)
Top 10 exploited vulnerabilities 2019 (thus far...)
 
Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction
 
Vulnerability Prioritization and Prediction
Vulnerability Prioritization and PredictionVulnerability Prioritization and Prediction
Vulnerability Prioritization and Prediction
 
RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)RSA 2018: Recon For the Defender - You know nothing (about your assets)
RSA 2018: Recon For the Defender - You know nothing (about your assets)
 
Attack Surface Discovery with Intrigue
Attack Surface Discovery with IntrigueAttack Surface Discovery with Intrigue
Attack Surface Discovery with Intrigue
 
Ear
EarEar
Ear
 

Recently uploaded

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
ScyllaDB
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
Shinana2
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
Intelisync
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
Postman
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Hiike
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
Tatiana Kojar
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 

Recently uploaded (20)

Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyFreshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-Efficiency
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
dbms calicut university B. sc Cs 4th sem.pdf
dbms  calicut university B. sc Cs 4th sem.pdfdbms  calicut university B. sc Cs 4th sem.pdf
dbms calicut university B. sc Cs 4th sem.pdf
 
A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024A Comprehensive Guide to DeFi Development Services in 2024
A Comprehensive Guide to DeFi Development Services in 2024
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
WeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation TechniquesWeTestAthens: Postman's AI & Automation Techniques
WeTestAthens: Postman's AI & Automation Techniques
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
Skybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoptionSkybuffer SAM4U tool for SAP license adoption
Skybuffer SAM4U tool for SAP license adoption
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 

Practical mitm for_pentesters

  • 1. Pwnie Express Practical Man in the Middle 1Saturday, June 22, 13
  • 2. whoami • Jonathan Cran • Advisor, SOURCE Conference • CTO Pwnie Express • QA Director Metasploit • Penetration Tester Rapid7 2Saturday, June 22, 13
  • 3. Agenda • MitM is a huge topic • Why ShouldYou Care in 2013? • Practical Attacks • Practical Attack Automation • Drop Boxes! • Takeaways + Future Work 3Saturday, June 22, 13
  • 4. Let’s not re-invent the wheel 4Saturday, June 22, 13
  • 5. Our Focus • Local & Wireless Network • Getting in the Middle • Viewing and Manipulating Traffic • Automating Easy Wins 5Saturday, June 22, 13
  • 6. Not our focus • Attacking SSL through certificate manipulation • Attacking BGP • More complex attacks (STP, HSRP) • Proxy trojans (MitB, BitB) 6Saturday, June 22, 13
  • 7. Focus: Highly targeted, local network attacks 7Saturday, June 22, 13
  • 11. Why ShouldYou Care in 2013? 11Saturday, June 22, 13
  • 14. A couple reasons • Wireless everywhere • Smartphones / AT&T auto-connect • Retail / POS Networks • Android apps • Sometimes it’s hard to take control of a particular system. Network is the easier target. 14Saturday, June 22, 13
  • 15. And... • Local Network - ARP Cache Poisoning is STILL a valid attack - defense is impractical in many cases • Local Network -SLAAC looks to be the best replacement if ARP Cache Poisoning won’t work - Windows 7+ has a default IPv6-enabled stack - Recommendation? Disable IPv6 • Internet - SSL - Would your users really notice lack of http or an invalid cert? • Wireless - Wireless “Evil Twin” flaws still pervasive 15Saturday, June 22, 13
  • 16. Android • It means your personal information is being transmitted to advertising agencies in mass quantities. • Mallodroid - Leibniz University of Hannover • 13,500 android apps reversed, 1074 vulnerable (8%) • SSL/TLS code that is potentially vulnerable to MITM attacks 16Saturday, June 22, 13
  • 17. And... • ARM Devices continue to get smaller / more portable • Pwn Plug • Gumstix • ODroid • MK - SS808 17Saturday, June 22, 13
  • 26. And... • 4G / LTE Speeds will get faster • Freedom Stick 26Saturday, June 22, 13
  • 27. That said... • Securing Layer 2 is hard • You’re probably not getting owned by folks with physical access (or are you?) • TJX (WEP + Arp Spoofing) • Subway (Backdoored devices) • Barnes and Noble (Verifone / Linux Pinpads) • Realistically, dumping hashes on a windows box is an easier vector during most enterprise penetration tests • Financial Crime? Man-in-Browser • Go where the data is, silly. 27Saturday, June 22, 13
  • 28. I thought you said practical 28Saturday, June 22, 13
  • 29. Super Practical Attacks • Hardware Taps & Bridges • ARP Cache Poisoning • DNS Cache Poisoning • IPv6 Abuse / SLAAC Attack • DHCP Exhaustion • Wireless Evil Twin • Forced HTTP / SSLStrip 29Saturday, June 22, 13
  • 30. A Note on Attack Prevention • Use a strongVPN Connection • Do not use PPTP, MSCHAPv2 broken • L2TP/IPSec, IPSec with IKEv2 and OpenVPN 30Saturday, June 22, 13
  • 31. Hardware Taps • DualComm DCSW-1005 (Active Copy) • Throwing Star LAN Tap (Passive) vs 31Saturday, June 22, 13
  • 32. Hardware Bridges • Simply place a device in-line and act as a bridge • brctl (bridge-utils) • EBTables to route traffic 32Saturday, June 22, 13
  • 33. Hardware Bridges # brctl addbr br0 # brctl addif br0 eth0 # brctl addif br0 eth1 # ifconfig br0 netmask 255.255.255.0 10.1.1.1 up 33Saturday, June 22, 13
  • 34. Preventing Hardware Attacks • Good physical security • Good loss prevention • 802.1x / NAC 34Saturday, June 22, 13
  • 35. ARP Cache Poisoning • Observe broadcast request, send malicious ARP reply, victim stores attacker’s MAC for the IP • “Poison” a single comm channel, or both • Automated: • zomg so many ways to do it - just use arpspoof 35Saturday, June 22, 13
  • 36. ARP Cache Poisoning • echo 1 > /proc/sys/net/ipv4/ip_forward • arpspoof -t <poisoned_host> <gateway> 36Saturday, June 22, 13
  • 37. Preventing ARP Cache Poisoning • Broadcast Traffic Filtering • Disable Gratuitous ARP • Enable DHCP Snooping • Static ARP Tables • Monitoring • ArpWatch,Tons of others • HUAWEI Patented techniques • MACSEC / 802.1AE 37Saturday, June 22, 13
  • 38. A note on MACSec • MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks • MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework. 38Saturday, June 22, 13
  • 39. DNS Cache Poisoning, previously • Cache poisoning without response forgery • bailiwick rule fixed this in ~1993 • Blind response forgery using birthday attack • “Birthday attack” - guess TXID, known since 2002 • “Kaminsky attack” - required guessing TXID, but added hijacking the authority records • Automating: http://www.metasploit.com/ modules/auxiliary/spoof/dns/ bailiwicked_domain 39Saturday, June 22, 13
  • 40. DNS Cache Poisoning Source: http://www.cs.utexas.edu/~shmatshmat_securecomm10.pdf 40Saturday, June 22, 13
  • 41. DNS Cache Poisoning, now • Response forgery using eavesdropping • Requires “being in the middle” • Automating: Ettercap 41Saturday, June 22, 13
  • 42. DNS Cache Poisoning, now Source: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf 42Saturday, June 22, 13
  • 44. DNS Cache Poisoning, now • Response forgery using eavesdropping • Requires “being in the middle” • Automating: Ettercap 44Saturday, June 22, 13
  • 45. SLAAC Attack • Instructions provided by the Infosec Institute article • Uses RADVD + DHCPv6 + NAT-PT + IPv6 DNS server • NAT-PT allows our IPv6-addressed victims to access the Internet through IPv4 45Saturday, June 22, 13
  • 48. SLAAC Attack • The address of the victim’s DNS server matches the NAT-PT prefix on evil-rtr, denoting that the last 32 bits contain the DNS server’s IPv4 address. • NAT-PT translates the source and destination IPv6/IPv4 addresses in both directions. • The DNS ALG translates the victim’s AAAA query for an IPv6 address into an A query for an IPv4 address and vice versa on the way back. • The DNS ALG also translates the IPv4 address in the reply to an IPv6 address that matches the NAT-PT prefix. 48Saturday, June 22, 13
  • 50. SLAAC Attack • We have not compromised or altered the operation of the victim’s IPv4 network, as we would have needed to do in order to MITM IPv4 traffic.We’ve not even needed to get an IPv4 address from their DHCP server. • We have not compromised an existing IPv6 network, because there wasn’t one before we arrived. • We have not compromised any given victim host (yet!). Each machine is behaving as designed and is choosing IPv6 over IPv4 of its own volition. • We have managed to totally alter the flow of traffic on the victim’s network by awakening the hosts’ latent desire to use IPv6 over IPv4. 50Saturday, June 22, 13
  • 51. SLAAC Attack • We’re introducing a new path to the Internet.Any defences or monitoring employed at the network’s IPv4 boundary are therefore ineffective and will raise no indicators of compromise. • There’s a chance that the victim’s security systems (e.g., host firewalls, HIPS, SIEM boxes, etc.) won’t be able to handle IPv6 traffic. IPv6 support on such systems is rarely as mature as its IPv4 equivalent. • Since the victims “aren’t using IPv6″ they won’t be expecting an attack that makes use of it. • If the above is true, there’s a chance their Incident Response teams won’t have the necessary training and experience with IPv6 to deal with an incident. 51Saturday, June 22, 13
  • 55. DHCP Exhaustion • Request leases until the server runs out • Provide a lease to new clients • Set up your own DNS server for the client • Automated: • http://www.digininja.org/metasploit/ dns_dhcp.php • yersinia 55Saturday, June 22, 13
  • 59. Wireless Evil Twin • Automating: • airbase-ng • Wifi-Pineapple • Pwnie Gear 59Saturday, June 22, 13
  • 60. • 802.11 and Bluetooth Wireless Surveys •802.11 Wireless MitM Testing • Wireless Traffic Capture • Remote Network Access • Zigbee Sniffing with Kisbee • RFID Sniffing with the Proxmark ||| • Bluetooth Sniffing with the Ubertooth Pwn Pad 60Saturday, June 22, 13
  • 62. DEMO: Getting In The Middle of a Wireless Network 62Saturday, June 22, 13
  • 63. Preventing Evil Twin Attacks • Educate users • Don’t use AT&T phones • Use RADIUS - Avoid LEAP • EAP-TLS, EAP-TTLS, or PEAP • MS-CHAPv2 + TLS Tunnel 63Saturday, June 22, 13
  • 66. Forced HTTP • Take advantage of servers that server over both HTTP and HTTPS • Rewrite links as HTTP • Abuse the user’s ignorance of “secure” • Automated: SSLStrip + IPTables 66Saturday, June 22, 13
  • 67. Forced HTTP with SSLStrip • echo 1 > /proc/sys/net/ipv4/ip_forward • iptables -t nat -A PREROUTING -p tcp -- dport 80 -j REDIRECT --to-ports 10000 • sslstrip -a -k -f -p 10000 67Saturday, June 22, 13
  • 68. DEMO: Forced HTTP with SSLStrip 68Saturday, June 22, 13
  • 69. Preventing SSLStrip • Server-side HSTS Header • Automatically turns any insecure links to the website into secure links. • http://example.com/some/page/ -> https://example.com/some/page/ • If the security of the connection cannot be ensured (ie, self-signed cert), show an error message and do not allow the user to access the site. 69Saturday, June 22, 13
  • 70. HSTS • HSTS tells the browser: never use HTTP with this site. • The first time the browser sees the HSTS header from the server, it remembers it. • This will work as long as the attacker doesn't strip the header on the first visit to the site. 70Saturday, June 22, 13
  • 71. Other Attacks • CAM Overflow / Flooding • Certificate Abuse • BGP Attacks • Port-Stealing • HSRP Manipulation • IRDP Spoofing • Traffic Tunneling • STP Mangling • VLAN Attacks 71Saturday, June 22, 13
  • 72. CAM Overflow • Flood the local network with random MAC addresses • Causes some switches to fail open in repeating mode • Automated: sudo macof -i eth0 72Saturday, June 22, 13
  • 73. Preventing CAM Overflow • Similar to ARP Spoofing • MAC Address monitoring • DHCP Snooping • Dynamic ARP Inspection 73Saturday, June 22, 13
  • 74. Certificate Abuse • “MD5 considered harmful today” • Stolen CA Certificates • Comodo (March 2011) • Diginotar (July 2011) • Trustwave CA-signed certificate • SSLSniff + Null Byte Attack 74Saturday, June 22, 13
  • 75. BGP Attacks • "Stealing the Internet - A Routed,Wide-area, Man in the Middle Attack" • Renesys - “Defending Against BGP Man-In-The- Middle Attacks” • Every organization owes its Internet connectivity to one protocol: BGP4.There are no alternatives. • Everyone who connects to the Internet is currently exposed to various routing risks: downtime, hijacking and now even wholesale traffic interception. 75Saturday, June 22, 13
  • 79. HSRP Manipulation • Linux# scapy • Welcome to Scapy (2.0.0.10 beta) • >>> ip = IP(src='172.16.40.128', dst='224.0.0.2') • >>> udp = UDP() • >>> hsrp = HSRP(group=1, priority=255, virtualIP='172.16.40.1') • >>> send(ip/udp/hsrp, iface='eth1', inter=3, loop=1) Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/ 79Saturday, June 22, 13
  • 81. Preventing HSRP Manipulation • Prevent L2 Access to any connected switch • Note: HSRP,VRRP, and GLBP all vulnerable 81Saturday, June 22, 13
  • 82. IRDP Spoofing • ICMP Internet Router Discovery Protocol (IRDP) uses Internet Control Message Protocol (ICMP) router advertisements and router solicitation messages to allow a host to discover the addresses of operational routers on the subnet. • The attacker can forge some advertisement packet pretending to be the router for the LAN. • He/she can set the “preference level” and the “lifetime” at high values to be sure the hosts will choose it as the preferred router. • The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router • Automated: IRPAS (http://www.phenoelit.de/irpas) 82Saturday, June 22, 13
  • 84. STP Mangling • STP (Spanning-Tree Protocol) mangling refers to the technique used for the attacker host to be elected as the new root bridge of the spanning tree. • The attacker may start either by forging BPDUs (Bridge Protocol Data Units) with high priority assuming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge. • Automated: yersinia 84Saturday, June 22, 13
  • 85. Others • Dsniff • Ettercap (http://ettercap.github.io/ettercap/) • Beef + Shank (http://media.blackhat.com/bh-us-12/Briefings/Ocepek/BH_US_12_Ocepek_Linn_BeEF_MITM_WP.pdf) • EvilGrade (http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt) • EasyCreds (https://github.com/brav0hax/easy-creds) • Subterfuge (https://code.google.com/p/subterfuge/) 85Saturday, June 22, 13
  • 87. Takeaways • “MitM is a underrated attack vector” • Phones are trivial to MitM because of Evil Twin issues • Dropboxes present a credible threat • POS networks / systems are available / trending wireless • Many powerful MitM attacks can be automated, old school techniques still work 87Saturday, June 22, 13
  • 88. Prior Work and Resources • http://www.blackhat.com/presentations/bh-usa-02/bh-us-02- convery-switches.pdf • http://www.blackhat.com/presentations/bh-usa-03/bh-us-03- ornaghi-valleri.pdf • http://www.blackhat.com/presentations/bh-europe-03/bh- europe-03-valleri.pdf • http://www.packetwatch.net/documents/papers/ layer2sniffing.pdf • http://packetlife.net • http://my.safaribooksonline.com/book/networking/security/ 9781587052569 88Saturday, June 22, 13
  • 90. THANKS! (and don’t forget feedback forms) 90Saturday, June 22, 13