Oleg Kupreev - Uncommon MiTM in uncommon conditions

Transcript

1. None

2. Uncommon MiTM in uncommon conditions

3. 00 WHOAMI • @090h, root@0x90.ru, keybase.io/090h • ZN HW Village

   organizer hardware@zeronights.ru • 802.11 pwner, SDR/RF enthusiast • embedded reverser (for PWN/DIY) • JBFC/DC7499 member • researcher at hlsec.ru • pwning telecommunications since 2002 • …was doing MITM 20 years ago 8)

4. 01 INTRO • XXI century is communications century • When

   I was a boy we counted in Pentiums 8) 1993 Pentium 66Mhz – 2000 Pentium 4 1400MHz • Nowadays we count in G and still use Pentium, but 4G is used and 5G in progress • DialUp 9600 FIDO – FTTH 100Mb Internet • Nearest future: 5G + IPv6 + IoE • Security of communications evolving slooooooooooowly. SS7 invented in 1975, kicking ass nowadays

5. 02 MAN MITM • MITM = Man In The Middle

   • It is a type fundamental communication attacks • Subtypes: active, passive • IRL: passive MITM = sniff, active MITM = MITM • Also has a name….
6. None
7. None

8. Alice, Bob and Eve…

9. .. and sometimes Charlie

10. .. and Mallory aka Trudy

11. Implementation • Fundamental => data channel independent • Data channels:

    • Ethernet • USB • UART • SPI • RFID • NFC • WiFi • GSM

12. ETHERNET EVE

13. MY FIRST SNIFFER EVE

14. ALICE LOOKED AWSOME THEESE DAYS

15. NFC EVE

16. Short summary • Technology changes – MiTM changes. Hackers should

    be adaptive. • Security of telecommunications is like in 90’s • MiTM world is much more bigger than most hacker think • Study fundamental sciences, to be able to hack at FUNdaMENTAL layer!

17. I LIKE TO MITM IT MITM IT

18. MITM I HAVE KNOWN AND LOVED • LAN based MITM

    • WAN based MITM • Rogue AP MITM (KAMA/MANA/HostapdWPE) • MITM over VPN (L2TP, PPTP) • Hybrid MITM

19. MITM anatomy • ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY • PLAiN_TEXT_PROTO =>

    SNIFF FOR LOOT + INJECT EViL • HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER • HTTP + BDFProxy => SHELLZ • SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO • SSL + PROTO => (HEARTBLEED || POODLE) => PWN • LOOT => cookies, credentials, photos, locations • Custom sniffers/injectors/sploits for protocols/apps/vulns • Example: SMB/NTLM relays

20. THAT’S WHY PRACTICS RULE!

21. Cooking MITM by ARP cache poison attack

22. Practice with Scapy

23. ARP attacks send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) #

    half duplex send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2) /ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) # ARP spoofing in VLANS

24. Meanwhile in real world

25. Common MITM after ARP poison

26. IRL: WTF IS GOING ON?

27. SOME ATTACK? MAYBE PWN THE ROUTER?

28. PixieWPS + admin:admin @ web interface

29. Shodan + device-pharmer.py pwnage

30. We’ve got root! What to do next? • Backup configuration

    • Get shell • Research firmware availabilities • Have fun

31. Backup configuration

32. Enable telnet access

33. Enable DynDNS if white IP

34. Enable syslog to rsyslogd @ VPS

35. Use Guest WiFi as tiny KARMA

36. Separate SSID, IP mask = comfort

37. Install plugins

38. Enable PPTP VPN

39. Install and use tcpdump in firmware

40. BPF 4 YOU

41. Set DNS to your EvilDNS with dnschef

42. Passive MITM aka EVE at router • tcpdump • NFS

    mount and/or netcat • Write pcap file to share/pipe with tcpdump

43. Eve on router

44. Mallory on router • Set DNS to VPS • Install

    tcpdump, sslsplit, sslstrip • NFS mount/netcat • Write pcap file to share/pipe with tcpdump

45. Mallory on router

46. Pros and cons Pros: • Not so hard to do

    Cons • Router is rebooted by watchdog or users • MITM is sloooooooooow cause of high temp of CPU • Not so many routers have such reach features • VPS IP disclosure during MITM

47. WAN MITM TO VPS

48. WAN MITM ALGO • Telnet to router • Run mitmproxy

    in transparent mode on VPS • DNAT port 80 to VPS_IP:8080

49. Router requirements • telnet/ssh/rce/cmd inj • iptables

50. WAN based MITM

51. Pros and cons Pros: • Not so hard to do

    Cons • Oworks for HTTP traffic • Can’t distinguish clients by ip • VPS IP disclosure during MITM

52. HARDCORE MODE ON PPTP based MITM

53. PPTP MITM ideas • MiTM contains of 2 parts for

    router and VPS • All active attacks are working on VPS • Router is used for forwarding and routing • pwner is pwning

54. Router requirements • PPTP VPN server in firmware • iptables

    • telnet/ssh/rce/cmd inj

55. VPS requirements • Linux, • pptp • iptables • sslstrip,sslsplit,

    tcpdump, mitmproxy

56. PPTP MITM ALGO • Connect from VPS to PPTP VPN

    • Get ppp0 interface IP • Launch MITM kit on ppp0 (sslsplit, sslstrip, iptavleforwarding) • Telnet to router • Add ISP gateway to route map • Set VPS ppp0 IP as default gateway • PWN’em all

57. PPTP Server on router + Mallory on VPS

58. Pros and cons Pros: • FULL MITM • No IP

    disclosure Cons • Router looses connection to Internet if PPTP connection is down

59. REPOS/TOOLS REPOS • https://github.com/0x90/lan-warz • https://github.com/0x90/mitm-arsenal • https://github.com/0x90/scapy-arsenal MiTM EXAMPLES

    https://github.com/dc7499/uncommon-mitm