$30 off During Our Annual Pro Sale. View Details »

Oleg Kupreev - Uncommon MiTM in uncommon conditions

DC7499
October 03, 2015
Research
0
170

Oleg Kupreev - Uncommon MiTM in uncommon conditions

DEFCON Moscow 10

DC7499

October 03, 2015
Tweet

More Decks by DC7499

See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
defcon
0
320
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
defcon
0
190
Anton Lopanitsyn - Initial reconnaissance of web applications.
defcon
0
230
Dmitry Volkov - Private messengers: without pain??
defcon
1
200
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
defcon
1
170
Sergey Belov - Another side of Bug Bounty programs
defcon
0
200
Dmitry Sklyarov - Intel ME: Flash file system explained
defcon
0
320
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
defcon
0
370
Sergey Golovanov - Indecent Response 2018
defcon
0
320

Other Decks in Research

See All in Research
『組織として』顧客を理解するインタビュー習慣の作り方 #pmconf2022 / Continuous user interview habit
tktktks10
4
4.1k
Meta x2 理解するExplainable AI
kionawalker
0
380
論文紹介:Learning to Express in Knowledge- Grounded Conversation
ryu1104
0
130
Making oRAT, Go
patrickwardle
0
620
OLM R&D祭 2022 10/19 タップ穴補正・作画トレースツール紹介 +”作画ツール”共同開発中!
olmdrd
PRO
0
690
Score-Based Generative Modeling through Stochastic Differential Equation
masakat0
0
140
第16回チャンピオンズミーティング・レオ杯ラウンド2集計 / Umamusume Leo 2022 Round2
kitachan_black
0
560
Revisiting Over-smoothing in BERT from the Perspective of Graph
eumesy
PRO
0
250
Learning To Retrieve Prompts for In-Context Learning
ayaniwa
0
200
論文解説 Latent Diffusion Model
koharite
0
140
RecSys2022 論文読み会 | 【紹介】Tutorial: Psychology-informed Recommender Systems
zerebom
0
380
研究のやり方,論文の書き方
kanojikajino
4
3.6k

Featured

See All Featured
Docker and Python
trallard
28
1.8k
10 Git Anti Patterns You Should be Aware of
lemiorhan
643
54k
Into the Great Unknown - MozCon
thekraken
0
190
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
8
1.2k
Build your cross-platform service in a week with App Engine
jlugia
221
17k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
20
6.7k
Product Roadmaps are Hard
iamctodd
35
7.5k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
196
9.7k
How GitHub Uses GitHub to Build GitHub
holman
465
280k
A Modern Web Designer's Workflow
chriscoyier
690
180k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
270
12k
Unsuck your backbone
ammeep
658
55k

Transcript

  1. None

  2. Uncommon MiTM in uncommon conditions

  3. 00 WHOAMI • @090h, root@0x90.ru, keybase.io/090h • ZN HW Village

    organizer hardware@zeronights.ru • 802.11 pwner, SDR/RF enthusiast • embedded reverser (for PWN/DIY) • JBFC/DC7499 member • researcher at hlsec.ru • pwning telecommunications since 2002 • …was doing MITM 20 years ago 8)

  4. 01 INTRO • XXI century is communications century • When

    I was a boy we counted in Pentiums 8) 1993 Pentium 66Mhz – 2000 Pentium 4 1400MHz • Nowadays we count in G and still use Pentium, but 4G is used and 5G in progress • DialUp 9600 FIDO – FTTH 100Mb Internet • Nearest future: 5G + IPv6 + IoE • Security of communications evolving slooooooooooowly. SS7 invented in 1975, kicking ass nowadays

  5. 02 MAN MITM • MITM = Man In The Middle

    • It is a type fundamental communication attacks • Subtypes: active, passive • IRL: passive MITM = sniff, active MITM = MITM • Also has a name….
  6. None
  7. None

  8. Alice, Bob and Eve…

  9. .. and sometimes Charlie

  10. .. and Mallory aka Trudy

  11. Implementation • Fundamental => data channel independent • Data channels:

    • Ethernet • USB • UART • SPI • RFID • NFC • WiFi • GSM

  12. ETHERNET EVE

  13. MY FIRST SNIFFER EVE

  14. ALICE LOOKED AWSOME THEESE DAYS

  15. NFC EVE

  16. Short summary • Technology changes – MiTM changes. Hackers should

    be adaptive. • Security of telecommunications is like in 90’s • MiTM world is much more bigger than most hacker think • Study fundamental sciences, to be able to hack at FUNdaMENTAL layer!

  17. I LIKE TO MITM IT MITM IT

  18. MITM I HAVE KNOWN AND LOVED • LAN based MITM

    • WAN based MITM • Rogue AP MITM (KAMA/MANA/HostapdWPE) • MITM over VPN (L2TP, PPTP) • Hybrid MITM

  19. MITM anatomy • ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY • PLAiN_TEXT_PROTO =>

    SNIFF FOR LOOT + INJECT EViL • HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER • HTTP + BDFProxy => SHELLZ • SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO • SSL + PROTO => (HEARTBLEED || POODLE) => PWN • LOOT => cookies, credentials, photos, locations • Custom sniffers/injectors/sploits for protocols/apps/vulns • Example: SMB/NTLM relays

  20. THAT’S WHY PRACTICS RULE!

  21. Cooking MITM by ARP cache poison attack

  22. Practice with Scapy

  23. ARP attacks send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) #

    half duplex send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2) /ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) # ARP spoofing in VLANS

  24. Meanwhile in real world

  25. Common MITM after ARP poison

  26. IRL: WTF IS GOING ON?

  27. SOME ATTACK? MAYBE PWN THE ROUTER?

  28. PixieWPS + admin:admin @ web interface

  29. Shodan + device-pharmer.py pwnage

  30. We’ve got root! What to do next? • Backup configuration

    • Get shell • Research firmware availabilities • Have fun

  31. Backup configuration

  32. Enable telnet access

  33. Enable DynDNS if white IP

  34. Enable syslog to rsyslogd @ VPS

  35. Use Guest WiFi as tiny KARMA

  36. Separate SSID, IP mask = comfort

  37. Install plugins

  38. Enable PPTP VPN

  39. Install and use tcpdump in firmware

  40. BPF 4 YOU

  41. Set DNS to your EvilDNS with dnschef

  42. Passive MITM aka EVE at router • tcpdump • NFS

    mount and/or netcat • Write pcap file to share/pipe with tcpdump

  43. Eve on router

  44. Mallory on router • Set DNS to VPS • Install

    tcpdump, sslsplit, sslstrip • NFS mount/netcat • Write pcap file to share/pipe with tcpdump

  45. Mallory on router

  46. Pros and cons Pros: • Not so hard to do

    Cons • Router is rebooted by watchdog or users • MITM is sloooooooooow cause of high temp of CPU • Not so many routers have such reach features • VPS IP disclosure during MITM

  47. WAN MITM TO VPS

  48. WAN MITM ALGO • Telnet to router • Run mitmproxy

    in transparent mode on VPS • DNAT port 80 to VPS_IP:8080

  49. Router requirements • telnet/ssh/rce/cmd inj • iptables

  50. WAN based MITM

  51. Pros and cons Pros: • Not so hard to do

    Cons • Oworks for HTTP traffic • Can’t distinguish clients by ip • VPS IP disclosure during MITM

  52. HARDCORE MODE ON PPTP based MITM

  53. PPTP MITM ideas • MiTM contains of 2 parts for

    router and VPS • All active attacks are working on VPS • Router is used for forwarding and routing • pwner is pwning

  54. Router requirements • PPTP VPN server in firmware • iptables

    • telnet/ssh/rce/cmd inj

  55. VPS requirements • Linux, • pptp • iptables • sslstrip,sslsplit,

    tcpdump, mitmproxy

  56. PPTP MITM ALGO • Connect from VPS to PPTP VPN

    • Get ppp0 interface IP • Launch MITM kit on ppp0 (sslsplit, sslstrip, iptavleforwarding) • Telnet to router • Add ISP gateway to route map • Set VPS ppp0 IP as default gateway • PWN’em all

  57. PPTP Server on router + Mallory on VPS

  58. Pros and cons Pros: • FULL MITM • No IP

    disclosure Cons • Router looses connection to Internet if PPTP connection is down

  59. REPOS/TOOLS REPOS • https://github.com/0x90/lan-warz • https://github.com/0x90/mitm-arsenal • https://github.com/0x90/scapy-arsenal MiTM EXAMPLES

    https://github.com/dc7499/uncommon-mitm