Corporation In The Middle - SecTor

Transcript

1. Corporation in the Middle Lee Brotherston! @synackpse

2. MITM vs Everything Else

3. Detection

4. None
5. None
6. None

7. o_O

8. How, what, why, when?

9. Capture all the Packets

10. PCAP Tools tcpdump wireshark tshark ! mergecap tcpsplice tcptrace captcp

    ntop pcapdiff tcpflow snort

11. SYN Server Client SYN/ACK ACK HTTP Request HTTP Response (Header

    & Data) More Data……

12. SYN Server Client SYN/ACK ACK RST/PSH/ACK HTTP Response HTTP Request

    ? ? ?

13. HTTP/1.1 200 OK! Content-Type: text/html; charset=ISO-8859-1! Content-Script-Type: text/javascript! Connection: close!

    Cache-Control: no-store, no-cache, must-revalidate, max-age=0! Expires: -1! Pragma: no-cache! ! <html><head><noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl? policy=72&category=ByteCap-075&"></noscript><title></title><script type="text/javascript">var version=2; var webServer="http:// 64.71.251.10";</script><script type="text/javascript" src="http:// 64.71.251.10/ByteCap-075-EO-English/index.js"></script></ head><noscript><frameset><frame src="http://64.71.251.10/ noscript.pl?policy=72&category=ByteCap-075&"></frameset></ noscript><body style="margin:0;"><script type="text/ javascript">Bulletin("policy=72&category=ByteCap-075&");</script></ body></html>

14. –Telecommunications Act (S.C. 1993, c. 38) Content of messages !

    36. Except where the Commission approves otherwise, a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public.

15. Packet Headers

16. TCPDUMP ip[6] = 0 and tcp[14:2] = 1

17. Wire/TShark tcp.window_size_value eq 1 and ip.flags.df == 0

18. Snort alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION suspected

    TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337)

19. Fun with Firewalls

20. But wait, there’s more….

21. SYN Server Client SYN/ACK ACK RST/PSH/ACK HTTP Response HTTP Request

22. SYN Server Client SYN/ACK ACK HTTP Request HTTP Response (Header

    & Data) Data

23. HTTP/1.1 200 OK! Content-Type: text/html; charset=ISO-8859-1! Content-Script-Type: text/HTML! Connection: close

24. Tests

25. Retention Time rewrite ^(.*)$ /index.php;! ! ! !

26. OoB Indexing rewrite ^(.*)$ /index.php;! +! /etc/hosts! +! .htaccess

27. Document Format ! <html>! <head>! <title>Oh Hai</title>! </head>

28. Document Format <!doctype html>! <html>! <head>! <title>Oh Hai</title>! </head>

29. Mapping the Network

30. Traceroute … ish

31. ttl=1 ttl expiry ttl=2 ttl expiry ttl=1 reply ttl=2 ttl=1

    ttl=3

32. 2 7.40.72.1! 3 209.148.241.61! 4 66.185.81.221! 5 69.63.251.242! 6 69.63.249.26!

    7 *! ! 2 7.40.72.1! 3 209.148.241.61! 4 *! 5 *! 6 69.63.249.26! 7 *! tcptraceroute

33. Intercept Portscanning for i in `jot 65535 1`! do !

    tcptraceroute -f4 -m5 host $i! done >> $i.log

34. 2 7.11.164.41! 3 66.185.90.37! 4 209.148.224.205! 5 209.148.224.242! ! !

    ! 6 4.31.208.129
 2 7.11.164.41! 3 66.185.90.37! 4 209.148.224.214! 5 209.148.224.209! 6 209.148.228.218! 7 209.148.228.217! 8 209.148.224.254! 9 4.31.208.129 tcptraceroute redux

35. Intercept Portscanning Redux nmap -sS —-ttl 64 host

36. Which Interface? My Server Target Me

37. Scapy sendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")/ IP(src="11.11.11.11", dst="55.55.55.55",ttl=(1,30), options=IPOption('\x07'))/ TCP(sport=3125, dport=80, flags="S"), iface="en1")

38. So, that network… Internal Management LAN

39. SYN Server Client SYN/ACK ACK RST/PSH/ACK TTL = 1 TTL

    = 2 TTL = 3

40. 6 31.55.164.187! 7 31.55.164.107! 8 109.159.248.69! 9 109.159.248.10! 10 62.172.103.187!

    ! ! ! 6 31.55.164.187! 7 31.55.164.107! 8 109.159.248.104! 9 109.159.248.142! 10 194.71.107.15 Great Firewall of Cameron

41. 4 98.0.3.14! 5 98.0.3.3! 6 107.14.19.106! 7 107.14.17.194! 8 64.86.79.97!

    9 64.86.79.2! ! ! 4 98.0.3.14! 5 98.0.3.3! 6 66.109.6.72! 7 107.14.17.192! 8 64.86.79.97! 9 64.86.79.2 RoadRunner

42. What?

43. HTTP/1.1 200 OK! Date: Thu, 22 May 2014 14:29:09 GMT!

    Server: PerfTech! Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT! Accept-Ranges: bytes! Content-Length: 2387! Connection: close! Cache-Control: no-store, no-cache, must- revalidate, max-age=0! Expires: -1! Pragma: no-cache! Content-Type: application/x-javascript

44. HTTP/1.0 404 Not Found! Date: Fri, 23 May 2014 14:00:05

    GMT! Server: PerfTech! Content-Length: 25! Connection: close! Cache-Control: no-store, no-cache, must- revalidate, max-age=0! Expires: -1! Pragma: no-cache! Content-Type: text/html; charset=iso-8859-1

45. Hints in Scripts // Copyright 2005-2011 PerfTech, Inc., All Rights

    Reserved.! ! ! extWebServer = "http://64.71.255.194";! intWebServer = “http://172.19.11.72";! ! ! displayUrl = "http://www.perftech.com/console/original.html";! !
46. None
47. None

48. Attribution: cat NULL planet - @skalnik

49. None

50. Why So Bothered?

51. Why Metadata Matters They know you rang a phone sex

    service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.! ! They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.! ! They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed. Attribution: EFF 30C3 -Through Prism Darkly

52. GET / HTTP/1.1! Host: squarelemon.com! User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux

    i686; rv:25.0) Gecko/20100101 Firefox/25.0! Accept: text/html,application/xhtml +xml,application/xml;q=0.9,*/*;q=0.8! Accept-Language: en-US,en;q=0.5! Accept-Encoding: gzip, deflate! Cookie: _pk_ses.4.9b83=*! Connection: keep-alive! If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT! Cache-Control: max-age=0

53. What could possibly go wrong? Photo Attribution: Tom - @tdawks

54. None
55. None

56. I learnt Stuff!

57. –Johnny Appleseed “Type a quote here.”

58. None

59. Internet provider subscriber communications system US 8793386 B2

60. Internet advertising method and system using Web page US 8005717

    B2

61. – Hanlon’s Brotherston’s Razor “Never attribute to malice that which

    is adequately explained by stupidity Enhancing Shareholder Value.”

62. Thank you! Lee Brotherston! @synackpse