Corporation In The Middle

Transcript

1. Corporation in the Middle Lee Brotherston! @synackpse #BSidesTO Edition

2. MITM vs Everything Else

3. Detection

4. None
5. None
6. None

7. o_O

8. How, what, why, when?

9. Capture all the Packets

10. PCAP Tools tcpdump wireshark tshark ! mergecap tcpsplice tcptrace captcp

    pcapdiff tcpflow snort

11. SYN Server Client SYN/ACK ACK HTTP Request HTTP Response (Header

    & Data) More Data……

12. SYN Server Client SYN/ACK ACK RST/PSH/ACK HTTP Response HTTP Request

    ? ? ?

13. HTTP/1.1 200 OK! Content-Type: text/html; charset=ISO-8859-1! Content-Script-Type: text/javascript! Connection: close!

    Cache-Control: no-store, no-cache, must-revalidate, max-age=0! Expires: -1! Pragma: no-cache! ! <html><head><noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl? policy=72&category=ByteCap-075&"></noscript><title></title><script type="text/javascript">var version=2; var webServer="http:// 64.71.251.10";</script><script type="text/javascript" src="http:// 64.71.251.10/ByteCap-075-EO-English/index.js"></script></ head><noscript><frameset><frame src="http://64.71.251.10/ noscript.pl?policy=72&category=ByteCap-075&"></frameset></ noscript><body style="margin:0;"><script type="text/ javascript">Bulletin("policy=72&category=ByteCap-075&");</script></ body></html>

14. Packet Headers

15. TCPDUMP ip[6] = 0 and tcp[14:2] = 1

16. Wire/TShark tcp.window_size_value eq 1 and ip.flags.df == 0

17. Snort alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION suspected

    TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337)

18. But wait, there’s more….

19. SYN Server Client SYN/ACK ACK RST/PSH/ACK HTTP Response HTTP Request

20. SYN Server Client SYN/ACK ACK HTTP Request HTTP Response (Header

    & Data) Data

21. HTTP/1.1 200 OK! Content-Type: text/html; charset=ISO-8859-1! Content-Script-Type: text/HTML! Connection: close

22. Profiling Target Acquisition

23. Retention Time rewrite ^(.*)$ /index.php;! ! ! !

24. OoB Indexing rewrite ^(.*)$ /index.php;! +! /etc/hosts! +! .htaccess

25. Document Format ! <html>! <head>! <title>Oh Hai</title>! </head>

26. Document Format <!doctype html>! <html>! <head>! <title>Oh Hai</title>! </head>

27. – PIPEDA, 4.9 Principle 9 — Individual Access ! “Upon

    request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.”
28. None

29. Mapping the Network

30. Traceroute (8 bits of goodness)

31. ttl=1 ttl expiry ttl=2 ttl expiry ttl=1 reply ttl=2 ttl=1

    ttl=3

32. 2 7.40.72.1! 3 209.148.241.61! 4 66.185.81.221! 5 69.63.251.242! 6 69.63.249.26!

    7 *! ! 2 7.40.72.1! 3 209.148.241.61! 4 *! 5 *! 6 69.63.249.26! 7 *! tcptraceroute

33. Intercept Portscanning for i in `jot 65535 1`! do !

    tcptraceroute -f4 -m5 host $i! done >> $i.log

34. 2 7.11.164.41! 3 66.185.90.37! 4 209.148.224.205! 5 209.148.224.242! ! !

    ! 6 4.31.208.129
 2 7.11.164.41! 3 66.185.90.37! 4 209.148.224.214! 5 209.148.224.209! 6 209.148.228.218! 7 209.148.228.217! 8 209.148.224.254! 9 4.31.208.129 tcptraceroute redux

35. Intercept Portscanning Redux nmap -sS —-ttl 64 host

36. Which Interface? My Server Destination Me

37. Scapy sendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")/ IP(src="11.11.11.11", dst="55.55.55.55",ttl=(1,30), options=IPOption('\x07'))/ TCP(sport=3125, dport=80, flags="S"), iface="en1")

38. So, that network… Internal Management LAN extWebServer = "http://64.71.255.194";! intWebServer

    = “http://172.19.11.72";

39. SYN Server Client SYN/ACK ACK RST/PSH/ACK TTL = 1 TTL

    = 2 TTL = 3

40. What?

41. HTTP/1.1 200 OK! Date: Thu, 22 May 2014 14:29:09 GMT!

    Server: PerfTech! Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT! Accept-Ranges: bytes! Content-Length: 2387! Connection: close! Cache-Control: no-store, no-cache, must- revalidate, max-age=0! Expires: -1! Pragma: no-cache! Content-Type: application/x-javascript

42. Hints in Scripts // Copyright 2005-2011 PerfTech, Inc., All Rights

    Reserved.! ! ! ! displayUrl = "http://www.perftech.com/console/ original.html";!
43. None
44. None

45. Why So Bothered?

46. Why Metadata Matters • They know you rang a phone

    sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.! ! • They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.! ! • They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.

47. GET / HTTP/1.1! Host: squarelemon.com! User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux

    i686; rv:25.0) Gecko/20100101 Firefox/25.0! Accept: text/html,application/xhtml +xml,application/xml;q=0.9,*/*;q=0.8! Accept-Language: en-US,en;q=0.5! Accept-Encoding: gzip, deflate! Cookie: _pk_ses.4.9b83=*! Connection: keep-alive! If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT! Cache-Control: max-age=0

48. What could possibly go wrong? Photo Attribution: Tom - @tdawks

49. None
50. None

51. I learnt Stuff!

52. –Johnny Appleseed “Type a quote here.”

53. None

54. Internet provider subscriber communications system US 8793386 B2

55. Internet advertising method and system using Web page US 8005717

    B2

56. – Hanlon’s Brotherston’s Razor “Never attribute to malice that which

    is adequately explained by stupidity Enhancing Shareholder Value.”

57. Thank you! Lee Brotherston! @synackpse!