Oleg Kupreev - Uncommon MiTM in uncommon conditions

DC7499
October 03, 2015


DEFCON Moscow 10


Transcript

  1. None
  2. Uncommon MiTM in uncommon conditions

  3. 00 WHOAMI
    • @090h, root@0x90.ru, keybase.io/090h
    • ZN HW Village organizer hardware@zeronights.ru
    • 802.11 pwner, SDR/RF enthusiast
    • embedded reverser (for PWN/DIY)
    • JBFC/DC7499 member
    • researcher at hlsec.ru
    • pwning telecommunications since 2002
    • …was doing MITM 20 years ago 8)
  4. 01 INTRO
    • XXI century is communications century
    • When I was a boy we counted in Pentiums 8) 1993 Pentium 66MHz – 2000 Pentium 4 1400MHz
    • Nowadays we count in G and still use Pentium, but 4G is used and 5G in progress
    • DialUp 9600 FIDO – FTTH 100Mb Internet
    • Nearest future: 5G + IPv6 + IoE
    • Security of communications evolving slooooooooooowly. SS7 invented in 1975, kicking ass nowadays
  5. 02 MAN MITM
    • MITM = Man In The Middle
    • It is a fundamental type of communication attack
    • Subtypes: active, passive
    • IRL: passive MITM = sniff, active MITM = MITM
    • Also has a name….
  6. None
  7. None
  8. Alice, Bob and Eve…

  9. .. and sometimes Charlie

  10. .. and Mallory aka Trudy

  11. Implementation
    • Fundamental => data channel independent
    • Data channels: Ethernet, USB, UART, SPI, RFID, NFC, WiFi, GSM
  12. ETHERNET EVE

  13. MY FIRST SNIFFER EVE

  14. ALICE LOOKED AWESOME THESE DAYS

  15. NFC EVE

  16. Short summary
    • Technology changes – MiTM changes. Hackers should be adaptive.
    • Security of telecommunications is like in the 90’s
    • MiTM world is much bigger than most hackers think
    • Study fundamental sciences, to be able to hack at the FUNdaMENTAL layer!
  17. I LIKE TO MITM IT MITM IT

  18. MITM I HAVE KNOWN AND LOVED
    • LAN based MITM
    • WAN based MITM
    • Rogue AP MITM (KARMA/MANA/HostapdWPE)
    • MITM over VPN (L2TP, PPTP)
    • Hybrid MITM
  19. MITM anatomy
    • ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY
    • PLAiN_TEXT_PROTO => SNIFF FOR LOOT + INJECT EViL
    • HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER
    • HTTP + BDFProxy => SHELLZ
    • SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO
    • SSL + PROTO => (HEARTBLEED || POODLE) => PWN
    • LOOT => cookies, credentials, photos, locations
    • Custom sniffers/injectors/sploits for protocols/apps/vulns
    • Example: SMB/NTLM relays
  20. THAT’S WHY PRACTICE RULES!

  21. Cooking MITM by ARP cache poison attack

  22. Practice with Scapy

  23. ARP attacks
    send(Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1)  # half duplex
    send(Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1)  # ARP spoofing in VLANs
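A detection-side counterpart to the ARP slide, added here as an example and not part of the talk or its repos: a small monitor that parses raw Ethernet/ARP frames, strips stacked 802.1Q tags so the double-tagged variant is not missed, and alerts when a trusted IP-to-MAC binding (seeded with the gateway) changes. All MACs, IPs and frames are constructed; a real deployment would feed it frames from a raw socket or a pcap.

```python
import struct

ETH_ARP, ETH_8021Q = 0x0806, 0x8100


def parse_arp(frame: bytes):
    """Return ARP fields from a raw Ethernet frame, or None if it is not ARP; strips stacked 802.1Q tags."""
    if len(frame) < 14:
        return None
    ethertype, off, vlans = struct.unpack("!H", frame[12:14])[0], 14, []
    while ethertype == ETH_8021Q and len(frame) >= off + 4:  # walk every VLAN tag, double-tagged included
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4
    if ethertype != ETH_ARP or len(frame) < off + 28:
        return None
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[off:off + 28])  # skip htype/ptype/hlen/plen
    return {"op": op, "sha": sha.hex(":"), "spa": ".".join(map(str, spa)),
            "tha": tha.hex(":"), "tpa": ".".join(map(str, tpa)), "vlans": vlans}


class ArpWatch:
    """Tracks IP -> MAC bindings; alerts when a known binding (seeded with the gateway) changes."""
    def __init__(self, trusted: dict):
        self.table = dict(trusted)

    def observe(self, frame: bytes) -> list:
        arp, alerts = parse_arp(frame), []
        if arp is None:
            return alerts
        if len(arp["vlans"]) > 1:  # hosts never emit double-tagged ARP; this is the VLAN-hopping variant
            alerts.append(f"double-tagged ARP vlans={arp['vlans']} from {arp['sha']}")
        old = self.table.setdefault(arp["spa"], arp["sha"])  # requests and replies both assert a binding
        if old != arp["sha"]:
            alerts.append(f"{arp['spa']} moved from {old} to {arp['sha']} (op={arp['op']})")
        return alerts


def build_arp(dst, op, sha, spa, tha, tpa, vlans=()) -> bytes:
    """Constructed frame builder for offline testing (not captured traffic)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    a = lambda s: bytes(int(x) for x in s.split("."))
    hdr = m(dst) + m(sha) + b"".join(struct.pack("!HH", ETH_8021Q, v) for v in vlans)
    return hdr + struct.pack("!HHHBBH", ETH_ARP, 1, 0x0800, 6, 4, op) + m(sha) + a(spa) + m(tha) + a(tpa)


def demo() -> list:
    gw, client, cmac = "192.168.1.1", "192.168.1.50", "cc:cc:cc:cc:cc:50"
    watch = ArpWatch({gw: "aa:aa:aa:aa:aa:01"})  # constructed: the gateway MAC learned at a known-good time
    frames = [build_arp(cmac, 2, "aa:aa:aa:aa:aa:01", gw, cmac, client),                # genuine reply
              build_arp(cmac, 1, "ee:ee:ee:ee:ee:ee", gw, "00:00:00:00:00:00", client),  # spoofed who-has
              build_arp(cmac, 1, "ee:ee:ee:ee:ee:ee", gw, "00:00:00:00:00:00", client, vlans=(1, 2))]
    return [alert for f in frames for alert in watch.observe(f)]
```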
  24. Meanwhile in real world

  25. Common MITM after ARP poison

  26. IRL: WTF IS GOING ON?

  27. SOME ATTACK? MAYBE PWN THE ROUTER?

  28. PixieWPS + admin:admin @ web interface

  29. Shodan + device-pharmer.py pwnage

  30. We’ve got root! What to do next?
    • Backup configuration
    • Get shell
    • Research firmware availability
    • Have fun
  31. Backup configuration

  32. Enable telnet access

  33. Enable DynDNS if the router has a white (public) IP

  34. Enable syslog to rsyslogd @ VPS

  35. Use Guest WiFi as tiny KARMA

  36. Separate SSID, IP mask = comfort

  37. Install plugins

  38. Enable PPTP VPN

  39. Install and use tcpdump in firmware

  40. BPF 4 YOU

  41. Set DNS to your EvilDNS with dnschef

  42. Passive MITM aka EVE at router
    • tcpdump
    • NFS mount and/or netcat
    • Write pcap file to share/pipe with tcpdump
  43. Eve on router

  44. Mallory on router
    • Set DNS to VPS
    • Install tcpdump, sslsplit, sslstrip
    • NFS mount/netcat
    • Write pcap file to share/pipe with tcpdump
  45. Mallory on router

  46. Pros and cons
    Pros:
    • Not so hard to do
    Cons:
    • Router is rebooted by watchdog or users
    • MITM is sloooooooooow because the CPU runs hot
    • Not so many routers have such rich features
    • VPS IP disclosure during MITM
  47. WAN MITM TO VPS

  48. WAN MITM ALGO
    • Telnet to router
    • Run mitmproxy in transparent mode on VPS
    • DNAT port 80 to VPS_IP:8080
  49. Router requirements
    • telnet/ssh/rce/cmd inj
    • iptables

  50. WAN based MITM

  51. Pros and cons
    Pros:
    • Not so hard to do
    Cons:
    • Only works for HTTP traffic
    • Can’t distinguish clients by IP
    • VPS IP disclosure during MITM
  52. HARDCORE MODE ON PPTP based MITM

  53. PPTP MITM ideas
    • MiTM consists of 2 parts: one for the router and one for the VPS
    • All active attacks are working on VPS
    • Router is used for forwarding and routing
    • pwner is pwning
  54. Router requirements
    • PPTP VPN server in firmware
    • iptables
    • telnet/ssh/rce/cmd inj
  55. VPS requirements
    • Linux
    • pptp
    • iptables
    • sslstrip, sslsplit, tcpdump, mitmproxy
  56. PPTP MITM ALGO
    • Connect from VPS to PPTP VPN
    • Get ppp0 interface IP
    • Launch MITM kit on ppp0 (sslsplit, sslstrip, iptables forwarding)
    • Telnet to router
    • Add ISP gateway to route map
    • Set VPS ppp0 IP as default gateway
    • PWN’em all
  57. PPTP Server on router + Mallory on VPS

  58. Pros and cons
    Pros:
    • FULL MITM
    • No IP disclosure
    Cons:
    • Router loses connection to Internet if PPTP connection is down
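A defender-side audit for the WAN MITM (slide 48) and PPTP MITM (slide 56) setups, added here as an example and not from the talk or its repos: it reads saved `iptables -t nat -S` and `ip route show` output from a router and flags DNAT rules whose target lies outside the LAN (the port 80 to VPS_IP:8080 pattern) and any default route that does not leave via the expected WAN interface (the VPS ppp0 peer as default gateway). Both samples are constructed, and the interface names br0/eth0/ppp0 are assumptions.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -t nat -S` output from a home router (not a real capture).
SAMPLE_NAT_RULES = """\
-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 203.0.113.10:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.20:80
-A POSTROUTING -o eth0 -j MASQUERADE
"""

# Constructed sample of `ip route show` output from the same router.
SAMPLE_ROUTES = """\
default via 10.0.0.1 dev ppp0
10.0.0.1 dev ppp0 proto kernel scope link src 10.0.0.5
198.51.100.1 dev eth0 scope link
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
"""


def offlan_dnat_rules(rules: str, lan_cidr: str) -> list:
    """DNAT rules whose target is outside the LAN prefix: legitimate port-forwards land on LAN hosts,
    so a rule rewriting traffic to an Internet address is the port-80-to-VPS pattern. IPv4 only."""
    lan, hits = ipaddress.ip_network(lan_cidr), []
    for line in rules.splitlines():
        tokens = shlex.split(line)
        if "DNAT" in tokens and "--to-destination" in tokens:
            target = tokens[tokens.index("--to-destination") + 1]
            first_ip = target.split(":")[0].split("-")[0]  # strip :port and the end of an ip range
            if ipaddress.ip_address(first_ip) not in lan:
                hits.append(line)
    return hits


def unexpected_default_routes(routes: str, wan_dev: str) -> list:
    """Default routes that do not leave via the expected WAN device. A default route through a
    PPTP peer (ppp0 here) means all LAN traffic is being handed to the VPN client. On routers whose
    uplink itself is PPPoE, pass that ppp interface as wan_dev to avoid a false alarm."""
    hits = []
    for line in routes.splitlines():
        t = line.split()
        if t and t[0] == "default" and "dev" in t and t[t.index("dev") + 1] != wan_dev:
            hits.append(line)
    return hits
```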
  59. REPOS/TOOLS
    REPOS
    • https://github.com/0x90/lan-warz
    • https://github.com/0x90/mitm-arsenal
    • https://github.com/0x90/scapy-arsenal
    MiTM EXAMPLES
    • https://github.com/dc7499/uncommon-mitm