- The document discusses techniques for man-in-the-middle (MiTM) attacks in various conditions and networks. - MiTM attacks are fundamental to communications and can be implemented in different data channels like Ethernet, WiFi, and mobile networks. - The author has experience with historical MiTM techniques from the 1990s as well as more modern approaches like ARP cache poisoning to intercept traffic on local networks.

2. Uncommon MiTM in
uncommon conditions

3. 00 WHOAMI
• @090h, root@0x90.ru, keybase.io/090h
• ZN HW Village organizer hardware@zeronights.ru
• 802.11 pwner, SDR/RF enthusiast
• embedded reverser (for PWN/DIY)
• JBFC/DC7499 member
• researcher at hlsec.ru
• pwning telecommunications since 2002
• …was doing MITM 20 years ago 8)

4. 01 INTRO
• XXI century is communications century
• When I was a boy we counted in Pentiums 8)
1993 Pentium 66Mhz – 2000 Pentium 4 1400MHz
• Nowadays we count in G and still use Pentium, but 4G is used
and 5G in progress
• DialUp 9600 FIDO – FTTH 100Mb Internet
• Nearest future: 5G + IPv6 + IoE
• Security of communications evolving slooooooooooowly. SS7
invented in 1975, kicking ass nowadays

5. 02 MAN MITM
• MITM = Man In The Middle
• It is a type fundamental communication attacks
• Subtypes: active, passive
• IRL: passive MITM = sniff, active MITM = MITM
• Also has a name….

8. Alice, Bob and Eve…

9. .. and sometimes Charlie

10. .. and Mallory aka Trudy

11. Implementation
• Fundamental => data channel independent
• Data channels:
• Ethernet
• USB
• UART
• SPI
• RFID
• NFC
• WiFi
• GSM

12. ETHERNET EVE

13. MY FIRST SNIFFER EVE

14. ALICE LOOKED AWSOME THEESE DAYS

15. NFC EVE

16. Short summary
• Technology changes – MiTM changes. Hackers should be adaptive.
• Security of telecommunications is like in 90’s
• MiTM world is much more bigger than most hacker think
• Study fundamental sciences, to be able to hack at FUNdaMENTAL
layer!

17. I LIKE TO MITM IT MITM IT

18. MITM I HAVE KNOWN AND LOVED
• LAN based MITM
• WAN based MITM
• Rogue AP MITM (KAMA/MANA/HostapdWPE)
• MITM over VPN (L2TP, PPTP)
• Hybrid MITM

19. MITM anatomy
• ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY
• PLAiN_TEXT_PROTO => SNIFF FOR LOOT + INJECT EViL
• HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER
• HTTP + BDFProxy => SHELLZ
• SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO
• SSL + PROTO => (HEARTBLEED || POODLE) => PWN
• LOOT => cookies, credentials, photos, locations
• Custom sniffers/injectors/sploits for protocols/apps/vulns
• Example: SMB/NTLM relays

20. THAT’S WHY PRACTICS RULE!

21. Cooking MITM by ARP cache poison attack

22. Practice with Scapy

23. ARP attacks
send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway,
pdst=client), inter=RandNum(10,40), loop=1 ) # half duplex
send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2)
/ARP(op="who-has", psrc=gateway, pdst=client),
inter=RandNum(10,40), loop=1 ) # ARP spoofing in VLANS

24. Meanwhile in real world

25. Common MITM after ARP poison

26. SOME ATTACK?
MAYBE PWN THE ROUTER?

27. PixieWPS + admin:admin @ web interface

28. Shodan + device-pharmer.py pwnage

29. We’ve got root! What to do next?
• Backup configuration
• Get shell
• Research firmware availabilities
• Have fun

30. Backup configuration

31. Enable telnet access

32. Enable DynDNS if white IP

33. Enable syslog to rsyslogd @ VPS

34. Use Guest WiFi as tiny KARMA

35. Separate SSID, IP mask = comfort

36. Install plugins

37. Enable PPTP VPN

38. Install and use tcpdump in firmware

39. BPF 4 YOU

40. Set DNS to your EvilDNS with dnschef

41. Passive MITM aka EVE at router
• tcpdump
• NFS mount and/or netcat
• Write pcap file to share/pipe with tcpdump

42. Eve on router

43. Mallory on router
• Set DNS to VPS
• Install tcpdump, sslsplit, sslstrip
• NFS mount/netcat
• Write pcap file to share/pip with tcpdump

44. Mallory on router

45. Pros and cons
Pros:
• Not so hard to do
Cons
• Router is rebooted by watchdog or users
• MITM is sloooooooooow cause of high temp of CPU
• Not so many routers have such reach features
• VPS IP disclosure during MITM

46. HARDCORE MODE ON
PPTP based MITM

47. PPTP MITM ideas
• MiTM contains of 2 parts for router and VPS
• All active attacks are working on VPS
• Router is used for forwarding and routing
• pwner is pwning

48. Router requirements
• PPTP VPN server in firmware
• iptables
• telnet/ssh/rce/cmd inj

49. VPS requirements
• Linux,
• pptp
• iptables
• sslstrip,sslsplit, tcpdump, mitmproxy

50. PPTP MITM WEB ALGO
• Connect from VPS to PPTP Server on router
• Get ppp0 interface ip
• Telnet to router
• Run mitmproxy in transparent mode on VPS
• DNAT port 80 to ip(ppp0):8080

51. PPTP Server on router + Mallory on VPS

52. PPTP MITM WEB ALGO
• Connect from VPS to PPTP VPN
• Get ppp0 interface ip
• Telnet to router

53. PPTP Server on router + Mallory on VPS

55. IRL: WTF IS GOING ON?

56. REPOS/TOOLS
• https://github.com/0x90/lan-warz
• https://github.com/0x90/mitm-arsenal
• https://github.com/0x90/scapy-arsenal