Oleg Kupreev - Uncommon MiTM in uncommon conditions

Transcript

1. 1.

   None
2. 2.

   Uncommon MiTM in uncommon conditions

3. 3.

   00 WHOAMI • @090h, root@0x90.ru, keybase.io/090h • ZN HW Village

   organizer hardware@zeronights.ru • 802.11 pwner, SDR/RF enthusiast • embedded reverser (for PWN/DIY) • JBFC/DC7499 member • researcher at hlsec.ru • pwning telecommunications since 2002 • …was doing MITM 20 years ago 8)
4. 4.

   01 INTRO • XXI century is communications century • When

   I was a boy we counted in Pentiums 8) 1993 Pentium 66Mhz – 2000 Pentium 4 1400MHz • Nowadays we count in G and still use Pentium, but 4G is used and 5G in progress • DialUp 9600 FIDO – FTTH 100Mb Internet • Nearest future: 5G + IPv6 + IoE • Security of communications evolving slooooooooooowly. SS7 invented in 1975, kicking ass nowadays
5. 5.

   02 MAN MITM • MITM = Man In The Middle

   • It is a type fundamental communication attacks • Subtypes: active, passive • IRL: passive MITM = sniff, active MITM = MITM • Also has a name….
6. 6.

   None
7. 7.

   None
8. 8.

   Alice, Bob and Eve…

9. 9.

   .. and sometimes Charlie

10. 10.

    .. and Mallory aka Trudy

11. 11.

    Implementation • Fundamental => data channel independent • Data channels:

    • Ethernet • USB • UART • SPI • RFID • NFC • WiFi • GSM
12. 12.

    ETHERNET EVE

13. 13.

    MY FIRST SNIFFER EVE

14. 14.

    ALICE LOOKED AWSOME THEESE DAYS

15. 15.

    NFC EVE

16. 16.

    Short summary • Technology changes – MiTM changes. Hackers should

    be adaptive. • Security of telecommunications is like in 90’s • MiTM world is much more bigger than most hacker think • Study fundamental sciences, to be able to hack at FUNdaMENTAL layer!
17. 17.

    I LIKE TO MITM IT MITM IT

18. 18.

    MITM I HAVE KNOWN AND LOVED • LAN based MITM

    • WAN based MITM • Rogue AP MITM (KAMA/MANA/HostapdWPE) • MITM over VPN (L2TP, PPTP) • Hybrid MITM
19. 19.

    MITM anatomy • ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY • PLAiN_TEXT_PROTO =>

    SNIFF FOR LOOT + INJECT EViL • HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER • HTTP + BDFProxy => SHELLZ • SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO • SSL + PROTO => (HEARTBLEED || POODLE) => PWN • LOOT => cookies, credentials, photos, locations • Custom sniffers/injectors/sploits for protocols/apps/vulns • Example: SMB/NTLM relays
20. 20.

    THAT’S WHY PRACTICS RULE!

21. 21.

    Cooking MITM by ARP cache poison attack

22. 22.

    Practice with Scapy

23. 23.

    ARP attacks send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) #

    half duplex send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2) /ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) # ARP spoofing in VLANS
24. 24.

    Meanwhile in real world

25. 25.

    Common MITM after ARP poison

26. 26.

    IRL: WTF IS GOING ON?

27. 27.

    SOME ATTACK? MAYBE PWN THE ROUTER?

28. 28.

    PixieWPS + admin:admin @ web interface

29. 29.

    Shodan + device-pharmer.py pwnage

30. 30.

    We’ve got root! What to do next? • Backup configuration

    • Get shell • Research firmware availabilities • Have fun
31. 31.

    Backup configuration

32. 32.

    Enable telnet access

33. 33.

    Enable DynDNS if white IP

34. 34.

    Enable syslog to rsyslogd @ VPS

35. 35.

    Use Guest WiFi as tiny KARMA

36. 36.

    Separate SSID, IP mask = comfort

37. 37.

    Install plugins

38. 38.

    Enable PPTP VPN

39. 39.

    Install and use tcpdump in firmware

40. 40.

    BPF 4 YOU

41. 41.

    Set DNS to your EvilDNS with dnschef

42. 42.

    Passive MITM aka EVE at router • tcpdump • NFS

    mount and/or netcat • Write pcap file to share/pipe with tcpdump
43. 43.

    Eve on router

44. 44.

    Mallory on router • Set DNS to VPS • Install

    tcpdump, sslsplit, sslstrip • NFS mount/netcat • Write pcap file to share/pipe with tcpdump
45. 45.

    Mallory on router

46. 46.

    Pros and cons Pros: • Not so hard to do

    Cons • Router is rebooted by watchdog or users • MITM is sloooooooooow cause of high temp of CPU • Not so many routers have such reach features • VPS IP disclosure during MITM
47. 47.

    WAN MITM TO VPS

48. 48.

    WAN MITM ALGO • Telnet to router • Run mitmproxy

    in transparent mode on VPS • DNAT port 80 to VPS_IP:8080
49. 49.

    Router requirements • telnet/ssh/rce/cmd inj • iptables

50. 50.

    WAN based MITM

51. 51.

    Pros and cons Pros: • Not so hard to do

    Cons • Oworks for HTTP traffic • Can’t distinguish clients by ip • VPS IP disclosure during MITM
52. 52.

    HARDCORE MODE ON PPTP based MITM

53. 53.

    PPTP MITM ideas • MiTM contains of 2 parts for

    router and VPS • All active attacks are working on VPS • Router is used for forwarding and routing • pwner is pwning
54. 54.

    Router requirements • PPTP VPN server in firmware • iptables

    • telnet/ssh/rce/cmd inj
55. 55.

    VPS requirements • Linux, • pptp • iptables • sslstrip,sslsplit,

    tcpdump, mitmproxy
56. 56.

    PPTP MITM ALGO • Connect from VPS to PPTP VPN

    • Get ppp0 interface IP • Launch MITM kit on ppp0 (sslsplit, sslstrip, iptavleforwarding) • Telnet to router • Add ISP gateway to route map • Set VPS ppp0 IP as default gateway • PWN’em all
57. 57.

    PPTP Server on router + Mallory on VPS

58. 58.

    Pros and cons Pros: • FULL MITM • No IP

    disclosure Cons • Router looses connection to Internet if PPTP connection is down
59. 59.

    REPOS/TOOLS REPOS • https://github.com/0x90/lan-warz • https://github.com/0x90/mitm-arsenal • https://github.com/0x90/scapy-arsenal MiTM EXAMPLES

    https://github.com/dc7499/uncommon-mitm