Practical mitm for_pentesters

Pwnie Express Practical Man in the Middle

1Saturday, June 22, 13

whoami

• Jonathan Cran

• Advisor, SOURCE Conference

• CTO Pwnie Express

• QA Director Metasploit

• Penetration Tester Rapid7

Agenda

• MitM is a huge topic

• Why Should You Care in 2013?

• Practical Attacks

• Practical Attack Automation

• Drop Boxes!

• Takeaways + Future Work

Let’s not re-invent the wheel

Our Focus

• Local & Wireless Network

• Getting in the Middle

• Viewing and Manipulating Traffic

• Automating Easy Wins

Not our focus

• Attacking SSL through certificate manipulation

• Attacking BGP

• More complex attacks (STP, HSRP)

• Proxy trojans (MitB, BitB)

Focus:Highly targeted, local

network attacks

Why Should You Care in 2013?

A couple reasons

• Wireless everywhere

• Smartphones / AT&T auto-connect

• Retail / POS Networks

• Android apps

• Sometimes it’s hard to take control of a particular system. Network is the easier target.

And...

• Local Network - ARP Cache Poisoning is STILL a valid attack - defense is impractical in many cases

• Local Network -SLAAC looks to be the best replacement if ARP Cache Poisoning won’t work - Windows 7+ has a default IPv6-enabled stack - Recommendation? Disable IPv6

• Internet - SSL - Would your users really notice lack of http or an invalid cert?

• Wireless - Wireless “Evil Twin” flaws still pervasive

Android

• It means your personal information is being transmitted to advertising agencies in mass quantities.

• Mallodroid - Leibniz University of Hannover

• 13,500 android apps reversed, 1074 vulnerable (8%)

• SSL/TLS code that is potentially vulnerable to MITM attacks

And...

• ARM Devices continue to get smaller / more portable

• Pwn Plug

• Gumstix

• ODroid

• MK - SS808

And...

• 4G / LTE Speeds will get faster

• Freedom Stick

That said...• Securing Layer 2 is hard

• You’re probably not getting owned by folks with physical access (or are you?)

• TJX (WEP + Arp Spoofing)

• Subway (Backdoored devices)

• Barnes and Noble (Verifone / Linux Pinpads)

• Realistically, dumping hashes on a windows box is an easier vector during most enterprise penetration tests

• Financial Crime? Man-in-Browser

• Go where the data is, silly. 27Saturday, June 22, 13

I thought you said practical

Super Practical Attacks

• Hardware Taps & Bridges

• ARP Cache Poisoning

• DNS Cache Poisoning

• IPv6 Abuse / SLAAC Attack

• DHCP Exhaustion

• Wireless Evil Twin

• Forced HTTP / SSLStrip

A Note on Attack Prevention

• Use a strong VPN Connection

• Do not use PPTP, MSCHAPv2 broken

• L2TP/IPSec, IPSec with IKEv2 and OpenVPN

Hardware Taps

• DualComm DCSW-1005 (Active Copy)

• Throwing Star LAN Tap (Passive)

Hardware Bridges

• Simply place a device in-line and act as a bridge

• brctl (bridge-utils)

• EBTables to route traffic

Hardware Bridges

# brctl addbr br0# brctl addif br0 eth0# brctl addif br0 eth1# ifconfig br0 netmask 255.255.255.0 10.1.1.1 up

Preventing Hardware Attacks

• Good physical security

• Good loss prevention

• 802.1x / NAC

ARP Cache Poisoning

• Observe broadcast request, send malicious ARP reply, victim stores attacker’s MAC for the IP

• “Poison” a single comm channel, or both

• Automated:

• zomg so many ways to do it - just use arpspoof

ARP Cache Poisoning

• echo 1 > /proc/sys/net/ipv4/ip_forward

• arpspoof -t <poisoned_host> <gateway>

Preventing ARP Cache Poisoning

• Broadcast Traffic Filtering

• Disable Gratuitous ARP

• Enable DHCP Snooping

• Static ARP Tables

• Monitoring

• ArpWatch, Tons of others

• HUAWEI Patented techniques

• MACSEC / 802.1AE

A note on MACSec

• MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks

• MKA and MACsec are implemented after successful authentication using the 802.1x Extensible Authentication Protocol (EAP) framework.

DNS Cache Poisoning, previously

• Cache poisoning without response forgery

• bailiwick rule fixed this in ~1993

• Blind response forgery using birthday attack

• “Birthday attack” - guess TXID, known since 2002

• “Kaminsky attack” - required guessing TXID, but added hijacking the authority records

• Automating: http://www.metasploit.com/modules/auxiliary/spoof/dns/bailiwicked_domain

DNS Cache Poisoning

Source: http://www.cs.utexas.edu/~shmatshmat_securecomm10.pdf40Saturday, June 22, 13

DNS Cache Poisoning, now

• Response forgery using eavesdropping

• Requires “being in the middle”

• Automating: Ettercap

Source: http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf42Saturday, June 22, 13

Preventing DNS Spoofing

• DNSSEC

• Response forgery using eavesdropping

• Requires “being in the middle”

• Automating: Ettercap

SLAAC Attack

• Instructions provided by the Infosec Institute article

• Uses RADVD + DHCPv6 + NAT-PT + IPv6 DNS server

• NAT-PT allows our IPv6-addressed victims to access the Internet through IPv4

SLAAC Attack

Source: http://resources.infosecinstitute.com/slaac-attack/46Saturday, June 22, 13

SLAAC Attack

Source: http://resources.infosecinstitute.com/slaac-attack/

SLAAC Attack• The address of the victim’s DNS server matches the

NAT-PT prefix on evil-rtr, denoting that the last 32 bits contain the DNS server’s IPv4 address.

• NAT-PT translates the source and destination IPv6/IPv4 addresses in both directions.

• The DNS ALG translates the victim’s AAAA query for an IPv6 address into an A query for an IPv4 address and vice versa on the way back.

• The DNS ALG also translates the IPv4 address in the reply to an IPv6 address that matches the NAT-PT prefix.

SLAAC Attack

Source: http://resources.infosecinstitute.com/slaac-attack/49Saturday, June 22, 13

SLAAC Attack• We have not compromised or altered the operation of

the victim’s IPv4 network, as we would have needed to do in order to MITM IPv4 traffic. We’ve not even needed to get an IPv4 address from their DHCP server.

• We have not compromised an existing IPv6 network, because there wasn’t one before we arrived.

• We have not compromised any given victim host (yet!). Each machine is behaving as designed and is choosing IPv6 over IPv4 of its own volition.

• We have managed to totally alter the flow of traffic on the victim’s network by awakening the hosts’ latent desire to use IPv6 over IPv4.

SLAAC Attack• We’re introducing a new path to the Internet. Any

defences or monitoring employed at the network’s IPv4 boundary are therefore ineffective and will raise no indicators of compromise.

• There’s a chance that the victim’s security systems (e.g., host firewalls, HIPS, SIEM boxes, etc.) won’t be able to handle IPv6 traffic. IPv6 support on such systems is rarely as mature as its IPv4 equivalent.

• Since the victims “aren’t using IPv6″ they won’t be expecting an attack that makes use of it.

• If the above is true, there’s a chance their Incident Response teams won’t have the necessary training and experience with IPv6 to deal with an incident.

SLAAC Attack

Preventing SLAAC

DHCP Exhaustion

• Request leases until the server runs out

• Provide a lease to new clients

• Set up your own DNS server for the client

• Automated:

• http://www.digininja.org/metasploit/dns_dhcp.php

• yersinia

DHCP Exhaustion

Preventing DHCP Exhaustion

Wireless Evil Twin

• Automating:

• airbase-ng

• Wifi-Pineapple

• Pwnie Gear

• 802.11 and Bluetooth Wireless Surveys

• 802.11 Wireless MitM Testing

• Wireless Traffic Capture

• Remote Network Access

• Zigbee Sniffing with Kisbee

• RFID Sniffing with the Proxmark |||

• Bluetooth Sniffing with the Ubertooth

Pwn Pad

DEMO: Getting In The Middle of a Wireless

Network

Preventing Evil Twin Attacks

• Educate users

• Don’t use AT&T phones

• Use RADIUS - Avoid LEAP

• EAP-TLS, EAP-TTLS, or PEAP

• MS-CHAPv2 + TLS Tunnel

Forced HTTP

• Take advantage of servers that server over both HTTP and HTTPS

• Rewrite links as HTTP

• Abuse the user’s ignorance of “secure”

• Automated: SSLStrip + IPTables

Forced HTTP with SSLStrip

• echo 1 > /proc/sys/net/ipv4/ip_forward

• iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 10000

• sslstrip -a -k -f -p 10000

DEMO: Forced HTTP with SSLStrip

Preventing SSLStrip• Server-side HSTS Header

• Automatically turns any insecure links to the website into secure links.

• http://example.com/some/page/ -> https://example.com/some/page/

• If the security of the connection cannot be ensured (ie, self-signed cert), show an error message and do not allow the user to access the site.

• HSTS tells the browser: never use HTTP with this site.

• The first time the browser sees the HSTS header from the server, it remembers it.

• This will work as long as the attacker doesn't strip the header on the first visit to the site.

Other Attacks

• CAM Overflow / Flooding

• Certificate Abuse

• BGP Attacks

• Port-Stealing

• HSRP Manipulation

• IRDP Spoofing

• Traffic Tunneling

• STP Mangling

• VLAN Attacks

CAM Overflow

• Flood the local network with random MAC addresses

• Causes some switches to fail open in repeating mode

• Automated: sudo macof -i eth0

Preventing CAM Overflow

• Similar to ARP Spoofing

• MAC Address monitoring

• DHCP Snooping

• Dynamic ARP Inspection

Certificate Abuse

• “MD5 considered harmful today”

• Stolen CA Certificates

• Comodo (March 2011)

• Diginotar (July 2011)

• Trustwave CA-signed certificate

• SSLSniff + Null Byte Attack

BGP Attacks

• "Stealing the Internet - A Routed, Wide-area, Man in the Middle Attack"

• Renesys - “Defending Against BGP Man-In-The-Middle Attacks”

• Every organization owes its Internet connectivity to one protocol: BGP4. There are no alternatives.

• Everyone who connects to the Internet is currently exposed to various routing risks: downtime, hijacking and now even wholesale traffic interception.

Port Stealing

Source: http://www.packetwatch.net/documents/papers/layer2sniffing.pdf

HSRP Manipulation

Source: http://packetlife.net/blog/2008/oct/27/hijacking-hsrp/

HSRP Manipulation

• Linux# scapy

• Welcome to Scapy (2.0.0.10 beta)

• >>> ip = IP(src='172.16.40.128', dst='224.0.0.2')

• >>> udp = UDP()

• >>> hsrp = HSRP(group=1, priority=255, virtualIP='172.16.40.1')

• >>> send(ip/udp/hsrp, iface='eth1', inter=3, loop=1)

HSRP Manipulation

Preventing HSRP Manipulation

• Prevent L2 Access to any connected switch

• Note: HSRP, VRRP, and GLBP all vulnerable

IRDP Spoofing• ICMP Internet Router Discovery Protocol (IRDP) uses Internet

Control Message Protocol (ICMP) router advertisements and router solicitation messages to allow a host to discover the addresses of operational routers on the subnet.

• The attacker can forge some advertisement packet pretending to be the router for the LAN.

• He/she can set the “preference level” and the “lifetime” at high values to be sure the hosts will choose it as the preferred router.

• The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router

• Automated: IRPAS (http://www.phenoelit.de/irpas)

Traffic Tunneling

STP Mangling

• STP (Spanning-Tree Protocol) mangling refers to the technique used for the attacker host to be elected as the new root bridge of the spanning tree.

• The attacker may start either by forging BPDUs (Bridge Protocol Data Units) with high priority assuming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge.

• Automated: yersinia

Others

• Dsniff

• Ettercap (http://ettercap.github.io/ettercap/)

• Beef + Shank (http://media.blackhat.com/bh-us-12/Briefings/Ocepek/BH_US_12_Ocepek_Linn_BeEF_MITM_WP.pdf)

• EvilGrade (http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt)

• EasyCreds (https://github.com/brav0hax/easy-creds)

• Subterfuge (https://code.google.com/p/subterfuge/)

Takeaways

• “MitM is a underrated attack vector”

• Phones are trivial to MitM because of Evil Twin issues

• Dropboxes present a credible threat

• POS networks / systems are available / trending wireless

• Many powerful MitM attacks can be automated, old school techniques still work

Prior Work and Resources

• http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf

• http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf

• http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf

• http://www.packetwatch.net/documents/papers/layer2sniffing.pdf

• http://packetlife.net• http://my.safaribooksonline.com/book/networking/security/

9781587052569

Questions?

THANKS! (and don’t forget feedback forms)

Practical mitm for_pentesters

Technology

Ev Ssl Mitm Slides

mitm - Man in the midle

Resources Infosecinstitute Com Mitm Using Sslstrip

Domain Validation++ For MitM-Resilient PKIDomain Validation++ For MitM-Resilient PKI Markus Brandt Fraunhofer SIT TU Darmstadt Tianxiang Dai Fraunhofer SIT Amit Klein Fraunhofer SIT

iOS MITM Attack

MITM Cisco

180-7010-04 MITM HSP

SELF STUDY REPORT - MITM

MitM Attack by Name Collision: Cause Analysis and Vulnerability

Simulation of MITM in PEAP with hostap - … · Introduction Cryptobinding PEAP with MSCHAPv2 oTols analysis MitM attack and its code Simulation of MITM in PEAP with hostap Siarhei

MiTM Attacks in Android Apps - TDC 2014

Bh Us 12 Ocepek Linn Beef Mitm Wp

Mitm Presentation

Lawn Mower Minor Project report For MITM Ujjain

20170629 pses mitm - confs.imirhil.fr

Ssl Mitm Attacks

Troshichev i os mitm attack

Prying open Pandora’s box: KCI attacks against TLS · KCI attacks against TLS ... (MitM) attacks. This paper ... fraudulentcertiﬁcates for the purposeof active MitM in-terception

MITM 613 Intelligent System

Uncommon MiTM in uncommon conditions