Oleg Kupreev - Uncommon MiTM in uncommon conditions

DC7499
October 03, 2015

DEFCON Moscow 10

Transcript

00 WHOAMI
• @090h, root@0x90.ru, keybase.io/090h
• ZN HW Village organizer, hardware@zeronights.ru
• 802.11 pwner, SDR/RF enthusiast
• embedded reverser (for PWN/DIY)
• JBFC/DC7499 member
• researcher at hlsec.ru
• pwning telecommunications since 2002
• …was doing MITM 20 years ago 8)

01 INTRO
• XXI century is the communications century
• When I was a boy we counted in Pentiums 8): 1993 Pentium 66MHz – 2000 Pentium 4 1400MHz
• Nowadays we count in G and still use Pentium, but 4G is in use and 5G is in progress
• DialUp 9600 FIDO – FTTH 100Mb Internet
• Nearest future: 5G + IPv6 + IoE
• Security of communications is evolving slooooooooooowly. SS7 was invented in 1975 and is still kicking ass nowadays

02 MAN MITM
• MITM = Man In The Middle
• It is a fundamental type of communication attack
• Subtypes: active, passive
• IRL: passive MITM = sniff, active MITM = MITM
• Also has a name….

Implementation
• Fundamental => data channel independent
• Data channels: Ethernet, USB, UART, SPI, RFID, NFC, WiFi, GSM

Short summary
• Technology changes – MiTM changes. Hackers should be adaptive.
• Security of telecommunications is like in the 90’s
• The MiTM world is much bigger than most hackers think
• Study fundamental sciences, to be able to hack at the FUNdaMENTAL layer!

MITM I HAVE KNOWN AND LOVED
• LAN based MITM
• WAN based MITM
• Rogue AP MITM (KAMA/MANA/HostapdWPE)
• MITM over VPN (L2TP, PPTP)
• Hybrid MITM

MITM anatomy
• ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY
• PLAiN_TEXT_PROTO => SNIFF FOR LOOT + INJECT EViL
• HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER
• HTTP + BDFProxy => SHELLZ
• SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO
• SSL + PROTO => (HEARTBLEED || POODLE) => PWN
• LOOT => cookies, credentials, photos, locations
• Custom sniffers/injectors/sploits for protocols/apps/vulns
• Example: SMB/NTLM relays

ARP attacks

    # half duplex
    send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client),
          inter=RandNum(10,40), loop=1 )

    # ARP spoofing in VLANs
    send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2)/ARP(op="who-has", psrc=gateway, pdst=client),
          inter=RandNum(10,40), loop=1 )
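As an added example (not part of the talk), a detector for the ARP-spoofing pattern on the slide above: it parses raw Ethernet/802.1Q/ARP frames with the Python standard library and flags any ARP whose sender claims the gateway IP from a MAC other than the known gateway MAC, including frames carrying one or two 802.1Q tags as in the VLAN variant. All MACs, IPs and frames below are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ETH_P_8021Q, ETH_P_ARP = 0x8100, 0x0806

def parse_arp(frame):
    """Return (vlan_tags, op, sender_mac, sender_ip, target_ip), or None if not IPv4 ARP over Ethernet."""
    if len(frame) < 14:
        return None
    ethertype, off, vlans = struct.unpack("!H", frame[12:14])[0], 14, []
    while ethertype == ETH_P_8021Q and len(frame) >= off + 4:  # strip stacked 802.1Q tags (the slide uses two)
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4
    if ethertype != ETH_P_ARP or len(frame) < off + 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha = frame[off + 8:off + 14].hex(":")
    spa, tpa = (str(IPv4Address(frame[i:i + 4])) for i in (off + 14, off + 24))
    return tuple(vlans), op, sha, spa, tpa

def find_gateway_spoofs(frames, gateway_ip, gateway_mac):
    """List (vlan_tags, sender_mac) for every ARP frame claiming gateway_ip from a foreign MAC."""
    hits = []
    for frame in frames:
        parsed = parse_arp(frame)
        # who-has requests count too: a forged sender poisons the cache like a forged reply (what the slide relies on)
        if parsed and parsed[3] == gateway_ip and parsed[2] != gateway_mac.lower():
            hits.append((parsed[0], parsed[2]))
    return hits

def build_arp(dst_mac, src_mac, op, spa, tpa, vlans=()):
    """Constructed test frame mirroring the slide's Ether/[Dot1Q...]/ARP layering (not a capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    eth = mac(dst_mac) + mac(src_mac)
    for vid in vlans:
        eth += struct.pack("!HH", ETH_P_8021Q, vid)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(src_mac) + IPv4Address(spa).packed
    return eth + struct.pack("!H", ETH_P_ARP) + arp + b"\x00" * 6 + IPv4Address(tpa).packed

# Constructed sample: a legitimate gateway ARP, a plain spoof, and a double-tagged spoof.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
CLIENT_MAC, ROGUE_MAC = "aa:bb:cc:00:00:02", "de:ad:be:ef:00:01"
SAMPLE_FRAMES = [
    build_arp(CLIENT_MAC, GATEWAY_MAC, 1, GATEWAY_IP, "192.168.1.20"),
    build_arp(CLIENT_MAC, ROGUE_MAC, 1, GATEWAY_IP, "192.168.1.20"),
    build_arp(CLIENT_MAC, ROGUE_MAC, 1, GATEWAY_IP, "192.168.1.20", vlans=(1, 2)),
]
```

On a real network the same check is fed from a capture on the client segment, with the gateway MAC taken from a trusted baseline rather than from the live ARP table.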

We’ve got root! What to do next?
• Backup configuration
• Get shell
• Research firmware availabilities
• Have fun

Passive MITM aka EVE at router
• tcpdump
• NFS mount and/or netcat
• Write pcap file to share/pipe with tcpdump

Mallory on router
• Set DNS to VPS
• Install tcpdump, sslsplit, sslstrip
• NFS mount/netcat
• Write pcap file to share/pipe with tcpdump

Pros and cons
Pros:
• Not so hard to do
Cons:
• Router is rebooted by watchdog or users
• MITM is sloooooooooow because of high CPU temperature
• Not so many routers have such rich features
• VPS IP disclosure during MITM

WAN MITM ALGO
• Telnet to router
• Run mitmproxy in transparent mode on VPS
• DNAT port 80 to VPS_IP:8080

Pros and cons
Pros:
• Not so hard to do
Cons:
• Only works for HTTP traffic
• Can’t distinguish clients by IP
• VPS IP disclosure during MITM

PPTP MITM ideas
• MiTM consists of 2 parts: one for the router and one for the VPS
• All active attacks are working on VPS
• Router is used for forwarding and routing
• pwner is pwning

PPTP MITM ALGO
• Connect from VPS to PPTP VPN
• Get ppp0 interface IP
• Launch MITM kit on ppp0 (sslsplit, sslstrip, iptables forwarding)
• Telnet to router
• Add ISP gateway to route map
• Set VPS ppp0 IP as default gateway
• PWN’em all

Pros and cons
Pros:
• FULL MITM
• No IP disclosure
Cons:
• Router loses connection to Internet if PPTP connection is down