Practical mitm for_pentesters
5 likes3,681 views
The document discusses practical man-in-the-middle attacks that can be carried out on local networks. It covers several types of attacks including ARP cache poisoning, DNS cache poisoning, DHCP exhaustion, wireless evil twin attacks, forced HTTP redirection using SSLStrip, and SLAAC attacks on IPv6 networks. The document provides steps to automate many of these attacks and demonstrates them in practical scenarios. Prevention techniques are also discussed for each attack vector.
Practical mitm for_pentesters
- 1. Pwnie Express Practical Man in the Middle 1Saturday, June 22, 13
- 2. whoami ā¢ Jonathan Cran ā¢ Advisor, SOURCE Conference ā¢ CTO Pwnie Express ā¢ QA Director Metasploit ā¢ Penetration Tester Rapid7 2Saturday, June 22, 13
- 3. Agenda ā¢ MitM is a huge topic ā¢ Why ShouldYou Care in 2013? ā¢ Practical Attacks ā¢ Practical Attack Automation ā¢ Drop Boxes! ā¢ Takeaways + Future Work 3Saturday, June 22, 13
- 4. Letās not re-invent the wheel 4Saturday, June 22, 13
- 5. Our Focus ā¢ Local & Wireless Network ā¢ Getting in the Middle ā¢ Viewing and Manipulating Trafļ¬c ā¢ Automating Easy Wins 5Saturday, June 22, 13
- 6. Not our focus ā¢ Attacking SSL through certiļ¬cate manipulation ā¢ Attacking BGP ā¢ More complex attacks (STP, HSRP) ā¢ Proxy trojans (MitB, BitB) 6Saturday, June 22, 13
- 7. Focus: Highly targeted, local network attacks 7Saturday, June 22, 13
- 8. 8Saturday, June 22, 13
- 9. 9Saturday, June 22, 13
- 10. 10Saturday, June 22, 13
- 11. Why ShouldYou Care in 2013? 11Saturday, June 22, 13
- 12. 12Saturday, June 22, 13
- 13. 13Saturday, June 22, 13
- 14. A couple reasons ā¢ Wireless everywhere ā¢ Smartphones / AT&T auto-connect ā¢ Retail / POS Networks ā¢ Android apps ā¢ Sometimes itās hard to take control of a particular system. Network is the easier target. 14Saturday, June 22, 13
- 15. And... ā¢ Local Network - ARP Cache Poisoning is STILL a valid attack - defense is impractical in many cases ā¢ Local Network -SLAAC looks to be the best replacement if ARP Cache Poisoning wonāt work - Windows 7+ has a default IPv6-enabled stack - Recommendation? Disable IPv6 ā¢ Internet - SSL - Would your users really notice lack of http or an invalid cert? ā¢ Wireless - Wireless āEvil Twinā ļ¬aws still pervasive 15Saturday, June 22, 13
- 16. Android ā¢ It means your personal information is being transmitted to advertising agencies in mass quantities. ā¢ Mallodroid - Leibniz University of Hannover ā¢ 13,500 android apps reversed, 1074 vulnerable (8%) ā¢ SSL/TLS code that is potentially vulnerable to MITM attacks 16Saturday, June 22, 13
- 17. And... ā¢ ARM Devices continue to get smaller / more portable ā¢ Pwn Plug ā¢ Gumstix ā¢ ODroid ā¢ MK - SS808 17Saturday, June 22, 13
- 18. And... 18Saturday, June 22, 13
- 19. And... 19Saturday, June 22, 13
- 20. And... 20Saturday, June 22, 13
- 21. And... 21Saturday, June 22, 13
- 22. And... 22Saturday, June 22, 13
- 23. And... 23Saturday, June 22, 13
- 24. And... 24Saturday, June 22, 13
- 25. And... 25Saturday, June 22, 13
- 26. And... ā¢ 4G / LTE Speeds will get faster ā¢ Freedom Stick 26Saturday, June 22, 13
- 27. That said... ā¢ Securing Layer 2 is hard ā¢ Youāre probably not getting owned by folks with physical access (or are you?) ā¢ TJX (WEP + Arp Spooļ¬ng) ā¢ Subway (Backdoored devices) ā¢ Barnes and Noble (Verifone / Linux Pinpads) ā¢ Realistically, dumping hashes on a windows box is an easier vector during most enterprise penetration tests ā¢ Financial Crime? Man-in-Browser ā¢ Go where the data is, silly. 27Saturday, June 22, 13
- 28. I thought you said practical 28Saturday, June 22, 13
- 29. Super Practical Attacks ā¢ Hardware Taps & Bridges ā¢ ARP Cache Poisoning ā¢ DNS Cache Poisoning ā¢ IPv6 Abuse / SLAAC Attack ā¢ DHCP Exhaustion ā¢ Wireless Evil Twin ā¢ Forced HTTP / SSLStrip 29Saturday, June 22, 13
- 30. A Note on Attack Prevention ā¢ Use a strongVPN Connection ā¢ Do not use PPTP, MSCHAPv2 broken ā¢ L2TP/IPSec, IPSec with IKEv2 and OpenVPN 30Saturday, June 22, 13
- 31. Hardware Taps ā¢ DualComm DCSW-1005 (Active Copy) ā¢ Throwing Star LAN Tap (Passive) vs 31Saturday, June 22, 13
- 32. Hardware Bridges ā¢ Simply place a device in-line and act as a bridge ā¢ brctl (bridge-utils) ā¢ EBTables to route trafļ¬c 32Saturday, June 22, 13
- 33. Hardware Bridges # brctl addbr br0 # brctl addif br0 eth0 # brctl addif br0 eth1 # ifconļ¬g br0 netmask 255.255.255.0 10.1.1.1 up 33Saturday, June 22, 13
- 34. Preventing Hardware Attacks ā¢ Good physical security ā¢ Good loss prevention ā¢ 802.1x / NAC 34Saturday, June 22, 13
- 35. ARP Cache Poisoning ā¢ Observe broadcast request, send malicious ARP reply, victim stores attackerās MAC for the IP ā¢ āPoisonā a single comm channel, or both ā¢ Automated: ā¢ zomg so many ways to do it - just use arpspoof 35Saturday, June 22, 13
- 36. ARP Cache Poisoning ā¢ echo 1 > /proc/sys/net/ipv4/ip_forward ā¢ arpspoof -t <poisoned_host> <gateway> 36Saturday, June 22, 13
- 37. Preventing ARP Cache Poisoning ā¢ Broadcast Trafļ¬c Filtering ā¢ Disable Gratuitous ARP ā¢ Enable DHCP Snooping ā¢ Static ARP Tables ā¢ Monitoring ā¢ ArpWatch,Tons of others ā¢ HUAWEI Patented techniques ā¢ MACSEC / 802.1AE 37Saturday, June 22, 13
- 38. A note on MACSec ā¢ MACsec, deļ¬ned in 802.1AE, provides MAC-layer encryption over wired networks ā¢ MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework. 38Saturday, June 22, 13
- 39. DNS Cache Poisoning, previously ā¢ Cache poisoning without response forgery ā¢ bailiwick rule ļ¬xed this in ~1993 ā¢ Blind response forgery using birthday attack ā¢ āBirthday attackā - guess TXID, known since 2002 ā¢ āKaminsky attackā - required guessing TXID, but added hijacking the authority records ā¢ Automating: http://www.metasploit.com/ modules/auxiliary/spoof/dns/ bailiwicked_domain 39Saturday, June 22, 13
- 40. DNS Cache Poisoning Source: http://www.cs.utexas.edu/~shmatshmat_securecomm10.pdf 40Saturday, June 22, 13
- 41. DNS Cache Poisoning, now ā¢ Response forgery using eavesdropping ā¢ Requires ābeing in the middleā ā¢ Automating: Ettercap 41Saturday, June 22, 13
- 42. DNS Cache Poisoning, now Source: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf 42Saturday, June 22, 13
- 43. Preventing DNS Spooļ¬ng ā¢ DNSSEC 43Saturday, June 22, 13
- 44. DNS Cache Poisoning, now ā¢ Response forgery using eavesdropping ā¢ Requires ābeing in the middleā ā¢ Automating: Ettercap 44Saturday, June 22, 13
- 45. SLAAC Attack ā¢ Instructions provided by the Infosec Institute article ā¢ Uses RADVD + DHCPv6 + NAT-PT + IPv6 DNS server ā¢ NAT-PT allows our IPv6-addressed victims to access the Internet through IPv4 45Saturday, June 22, 13
- 46. SLAAC Attack Source: http://resources.infosecinstitute.com/slaac-attack/ 46Saturday, June 22, 13
- 47. SLAAC Attack Source: http://resources.infosecinstitute.com/slaac-attack/ 47Saturday, June 22, 13
- 48. SLAAC Attack ā¢ The address of the victimās DNS server matches the NAT-PT preļ¬x on evil-rtr, denoting that the last 32 bits contain the DNS serverās IPv4 address. ā¢ NAT-PT translates the source and destination IPv6/IPv4 addresses in both directions. ā¢ The DNS ALG translates the victimās AAAA query for an IPv6 address into an A query for an IPv4 address and vice versa on the way back. ā¢ The DNS ALG also translates the IPv4 address in the reply to an IPv6 address that matches the NAT-PT preļ¬x. 48Saturday, June 22, 13
- 49. SLAAC Attack Source: http://resources.infosecinstitute.com/slaac-attack/ 49Saturday, June 22, 13
- 50. SLAAC Attack ā¢ We have not compromised or altered the operation of the victimās IPv4 network, as we would have needed to do in order to MITM IPv4 trafļ¬c.Weāve not even needed to get an IPv4 address from their DHCP server. ā¢ We have not compromised an existing IPv6 network, because there wasnāt one before we arrived. ā¢ We have not compromised any given victim host (yet!). Each machine is behaving as designed and is choosing IPv6 over IPv4 of its own volition. ā¢ We have managed to totally alter the ļ¬ow of trafļ¬c on the victimās network by awakening the hostsā latent desire to use IPv6 over IPv4. 50Saturday, June 22, 13
- 51. SLAAC Attack ā¢ Weāre introducing a new path to the Internet.Any defences or monitoring employed at the networkās IPv4 boundary are therefore ineffective and will raise no indicators of compromise. ā¢ Thereās a chance that the victimās security systems (e.g., host ļ¬rewalls, HIPS, SIEM boxes, etc.) wonāt be able to handle IPv6 trafļ¬c. IPv6 support on such systems is rarely as mature as its IPv4 equivalent. ā¢ Since the victims āarenāt using IPv6ā³ they wonāt be expecting an attack that makes use of it. ā¢ If the above is true, thereās a chance their Incident Response teams wonāt have the necessary training and experience with IPv6 to deal with an incident. 51Saturday, June 22, 13
- 52. SLAAC Attack 52Saturday, June 22, 13
- 53. SLAAC Attack 53Saturday, June 22, 13
- 54. Preventing SLAAC 54Saturday, June 22, 13
- 55. DHCP Exhaustion ā¢ Request leases until the server runs out ā¢ Provide a lease to new clients ā¢ Set up your own DNS server for the client ā¢ Automated: ā¢ http://www.digininja.org/metasploit/ dns_dhcp.php ā¢ yersinia 55Saturday, June 22, 13
- 56. DHCP Exhaustion 56Saturday, June 22, 13
- 57. Preventing DHCP Exhaustion 57Saturday, June 22, 13
- 58. Preventing DHCP Exhaustion 58Saturday, June 22, 13
- 59. Wireless Evil Twin ā¢ Automating: ā¢ airbase-ng ā¢ Wiļ¬-Pineapple ā¢ Pwnie Gear 59Saturday, June 22, 13
- 60. ā¢ 802.11 and Bluetooth Wireless Surveys ā¢802.11 Wireless MitM Testing ā¢ Wireless Trafļ¬c Capture ā¢ Remote Network Access ā¢ Zigbee Snifļ¬ng with Kisbee ā¢ RFID Snifļ¬ng with the Proxmark ||| ā¢ Bluetooth Snifļ¬ng with the Ubertooth Pwn Pad 60Saturday, June 22, 13
- 61. 61Saturday, June 22, 13
- 62. DEMO: Getting In The Middle of a Wireless Network 62Saturday, June 22, 13
- 63. Preventing Evil Twin Attacks ā¢ Educate users ā¢ Donāt use AT&T phones ā¢ Use RADIUS - Avoid LEAP ā¢ EAP-TLS, EAP-TTLS, or PEAP ā¢ MS-CHAPv2 + TLS Tunnel 63Saturday, June 22, 13
- 64. MDM? 64Saturday, June 22, 13
- 65. MDM? 65Saturday, June 22, 13
- 66. Forced HTTP ā¢ Take advantage of servers that server over both HTTP and HTTPS ā¢ Rewrite links as HTTP ā¢ Abuse the userās ignorance of āsecureā ā¢ Automated: SSLStrip + IPTables 66Saturday, June 22, 13
- 67. Forced HTTP with SSLStrip ā¢ echo 1 > /proc/sys/net/ipv4/ip_forward ā¢ iptables -t nat -A PREROUTING -p tcp -- dport 80 -j REDIRECT --to-ports 10000 ā¢ sslstrip -a -k -f -p 10000 67Saturday, June 22, 13
- 68. DEMO: Forced HTTP with SSLStrip 68Saturday, June 22, 13
- 69. Preventing SSLStrip ā¢ Server-side HSTS Header ā¢ Automatically turns any insecure links to the website into secure links. ā¢ http://example.com/some/page/ -> https://example.com/some/page/ ā¢ If the security of the connection cannot be ensured (ie, self-signed cert), show an error message and do not allow the user to access the site. 69Saturday, June 22, 13
- 70. HSTS ā¢ HSTS tells the browser: never use HTTP with this site. ā¢ The ļ¬rst time the browser sees the HSTS header from the server, it remembers it. ā¢ This will work as long as the attacker doesn't strip the header on the ļ¬rst visit to the site. 70Saturday, June 22, 13
- 71. Other Attacks ā¢ CAM Overļ¬ow / Flooding ā¢ Certiļ¬cate Abuse ā¢ BGP Attacks ā¢ Port-Stealing ā¢ HSRP Manipulation ā¢ IRDP Spooļ¬ng ā¢ Trafļ¬c Tunneling ā¢ STP Mangling ā¢ VLAN Attacks 71Saturday, June 22, 13
- 72. CAM Overļ¬ow ā¢ Flood the local network with random MAC addresses ā¢ Causes some switches to fail open in repeating mode ā¢ Automated: sudo macof -i eth0 72Saturday, June 22, 13
- 73. Preventing CAM Overļ¬ow ā¢ Similar to ARP Spooļ¬ng ā¢ MAC Address monitoring ā¢ DHCP Snooping ā¢ Dynamic ARP Inspection 73Saturday, June 22, 13
- 74. Certiļ¬cate Abuse ā¢ āMD5 considered harmful todayā ā¢ Stolen CA Certiļ¬cates ā¢ Comodo (March 2011) ā¢ Diginotar (July 2011) ā¢ Trustwave CA-signed certiļ¬cate ā¢ SSLSniff + Null Byte Attack 74Saturday, June 22, 13
- 75. BGP Attacks ā¢ "Stealing the Internet - A Routed,Wide-area, Man in the Middle Attack" ā¢ Renesys - āDefending Against BGP Man-In-The- Middle Attacksā ā¢ Every organization owes its Internet connectivity to one protocol: BGP4.There are no alternatives. ā¢ Everyone who connects to the Internet is currently exposed to various routing risks: downtime, hijacking and now even wholesale trafļ¬c interception. 75Saturday, June 22, 13
- 76. Port Stealing Source: http://www.packetwatch.net/documents/papers/layer2snifļ¬ng.pdf 76Saturday, June 22, 13
- 77. HSRP Manipulation Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/ 77Saturday, June 22, 13
- 78. HSRP Manipulation Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/ 78Saturday, June 22, 13
- 79. HSRP Manipulation ā¢ Linux# scapy ā¢ Welcome to Scapy (2.0.0.10 beta) ā¢ >>> ip = IP(src='172.16.40.128', dst='224.0.0.2') ā¢ >>> udp = UDP() ā¢ >>> hsrp = HSRP(group=1, priority=255, virtualIP='172.16.40.1') ā¢ >>> send(ip/udp/hsrp, iface='eth1', inter=3, loop=1) Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/ 79Saturday, June 22, 13
- 80. HSRP Manipulation Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/ 80Saturday, June 22, 13
- 81. Preventing HSRP Manipulation ā¢ Prevent L2 Access to any connected switch ā¢ Note: HSRP,VRRP, and GLBP all vulnerable 81Saturday, June 22, 13
- 82. IRDP Spooļ¬ng ā¢ ICMP Internet Router Discovery Protocol (IRDP) uses Internet Control Message Protocol (ICMP) router advertisements and router solicitation messages to allow a host to discover the addresses of operational routers on the subnet. ā¢ The attacker can forge some advertisement packet pretending to be the router for the LAN. ā¢ He/she can set the āpreference levelā and the ālifetimeā at high values to be sure the hosts will choose it as the preferred router. ā¢ The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router ā¢ Automated: IRPAS (http://www.phenoelit.de/irpas) 82Saturday, June 22, 13
- 83. Trafļ¬c Tunneling 83Saturday, June 22, 13
- 84. STP Mangling ā¢ STP (Spanning-Tree Protocol) mangling refers to the technique used for the attacker host to be elected as the new root bridge of the spanning tree. ā¢ The attacker may start either by forging BPDUs (Bridge Protocol Data Units) with high priority assuming to be the new root, or by broadcasting STP Conļ¬guration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge. ā¢ Automated: yersinia 84Saturday, June 22, 13
- 85. Others ā¢ Dsniff ā¢ Ettercap (http://ettercap.github.io/ettercap/) ā¢ Beef + Shank (http://media.blackhat.com/bh-us-12/Brieļ¬ngs/Ocepek/BH_US_12_Ocepek_Linn_BeEF_MITM_WP.pdf) ā¢ EvilGrade (http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt) ā¢ EasyCreds (https://github.com/brav0hax/easy-creds) ā¢ Subterfuge (https://code.google.com/p/subterfuge/) 85Saturday, June 22, 13
- 87. Takeaways ā¢ āMitM is a underrated attack vectorā ā¢ Phones are trivial to MitM because of Evil Twin issues ā¢ Dropboxes present a credible threat ā¢ POS networks / systems are available / trending wireless ā¢ Many powerful MitM attacks can be automated, old school techniques still work 87Saturday, June 22, 13
- 88. Prior Work and Resources ā¢ http://www.blackhat.com/presentations/bh-usa-02/bh-us-02- convery-switches.pdf ā¢ http://www.blackhat.com/presentations/bh-usa-03/bh-us-03- ornaghi-valleri.pdf ā¢ http://www.blackhat.com/presentations/bh-europe-03/bh- europe-03-valleri.pdf ā¢ http://www.packetwatch.net/documents/papers/ layer2sniffing.pdf ā¢ http://packetlife.net ā¢ http://my.safaribooksonline.com/book/networking/security/ 9781587052569 88Saturday, June 22, 13
- 90. THANKS! (and donāt forget feedback forms) 90Saturday, June 22, 13