31
iOS MITM Attack Technology and effects sieg.in 1

Troshichev i os mitm attack

Tags:

Embed Size (px)

Citation preview

Page 1: Troshichev i os mitm attack

iOS MITM Attack Technology and effects

sieg.in 1

Page 2: Troshichev i os mitm attack

sieg.in 2

Page 3: Troshichev i os mitm attack

Boot validation

• CA – Apple Certificate Authority

• SIGN – Signature

sieg.in 3

Page 4: Troshichev i os mitm attack

Files Protection

sieg.in 4

Page 5: Troshichev i os mitm attack

Classic provisioning

sieg.in 5

Page 6: Troshichev i os mitm attack

Actual provisioning

sieg.in 6

Page 7: Troshichev i os mitm attack

Because “Apple Root CA” fingerprint hardcoded into iOS and have to be 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60

Why we can’t create fake signature?

sieg.in 7

Page 8: Troshichev i os mitm attack

SSL

sieg.in 8

Page 9: Troshichev i os mitm attack

Certificate Authority Storage

Few from 186 are quite interesting :

– C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA

– C=JP, O=Japanese Government, OU=ApplicationCA

– C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root

sieg.in 9

Page 10: Troshichev i os mitm attack

Certificate authentication

sieg.in 10

Page 11: Troshichev i os mitm attack

I want my CA in your iOS

sieg.in 11

Page 12: Troshichev i os mitm attack

Ways to install CA in iOS

o Safari

o Email attachment

o MDM

With configuration profile

Can be installed with Safari

sieg.in 12

Page 13: Troshichev i os mitm attack

Attack

sieg.in 13

Page 14: Troshichev i os mitm attack

Mobileconfig contains

WiFi settings (pass, SSID) for “Gate”

CA

Proxy Settings, if we want victim’s traffic even it has left attack range. (Only for iOS6)

iCloud backup (enable it, if not)

sieg.in 14

Page 15: Troshichev i os mitm attack

Mobileconfig installation

sieg.in 15

Page 16: Troshichev i os mitm attack

Looks bad =(

sieg.in 16

Page 17: Troshichev i os mitm attack

Let’s take a look on default CA list...

sieg.in 17

Page 18: Troshichev i os mitm attack

COMODO trial certificate

• You only need valid [email protected] mail for confirmation

• Can be used for signing

sieg.in 18

mailto:[email protected]
Page 19: Troshichev i os mitm attack

How to sign

sieg.in 19

Page 20: Troshichev i os mitm attack

Looks much better

sieg.in 20

Page 21: Troshichev i os mitm attack

SSL Defeated But we want more

sieg.in 21

Page 22: Troshichev i os mitm attack

How to get files from device

sieg.in 22

Page 23: Troshichev i os mitm attack

Elcomsoft Phone Password Breaker

sieg.in 23

Page 24: Troshichev i os mitm attack

Once again

sieg.in 24

Page 25: Troshichev i os mitm attack

What’s in backup?

• SMS • Private photo • Emails • Application data • And more …

sieg.in 25

Page 26: Troshichev i os mitm attack

Files done But we want more

sieg.in 26

Page 27: Troshichev i os mitm attack

Apple Push Notification Service

sieg.in 27

Page 28: Troshichev i os mitm attack

Fake! Fake! Fake!

sieg.in 28

Page 29: Troshichev i os mitm attack

Wipe Tragedy (act 1/1)

sieg.in 29

Page 30: Troshichev i os mitm attack

Summary

User only have to tap ‘Install’ two times to make us able to :

– Sniff all his SSL traffic (cookies,passwords, etc)

– Steal his backup (call log, sms log, photos and application data)

– Send him funny push messages or just wipe device

sieg.in 30

Page 31: Troshichev i os mitm attack

sieg.in 31

sieg.in [email protected]

@siegin


MitM Attack Detection in BLE Networks using Reconstruction

MitM Attack Detection in BLE Networks using Reconstruction

Documents
Simulation of MITM in PEAP with hostap - … · Introduction Cryptobinding PEAP with MSCHAPv2 oTols analysis MitM attack and its code Simulation of MITM in PEAP with hostap Siarhei

Simulation of MITM in PEAP with hostap - … · Introduction Cryptobinding PEAP with MSCHAPv2 oTols analysis MitM attack and its code Simulation of MITM in PEAP with hostap Siarhei

Documents
20170629 pses mitm - confs.imirhil.fr

20170629 pses mitm - confs.imirhil.fr

Documents
MITM Cisco

MITM Cisco

Documents
Man-in-middle-attack (MITM) - Portal

Man-in-middle-attack (MITM) - Portal

Documents
A COUNTERMEASURE FOR FLOODING ATTACK IN MOBILE … · Man-In-The-Middle (MITM) MITM attacks occur when an adversary deceives a MSS to appear as a legitimate BS while simultaneously

A COUNTERMEASURE FOR FLOODING ATTACK IN MOBILE … · Man-In-The-Middle (MITM) MITM attacks occur when an adversary deceives a MSS to appear as a legitimate BS while simultaneously

Documents
Offensive MitM

Offensive MitM

Technology
Recent Meet-in-the-Middle Attacks on Block Ciphersweb.spms.ntu.edu.sg/~ask/2012/slides_03_Takanori_Isobe.pdf · Background Meet-in-the-Middle(MitM)attack was proposed by Diffie

Recent Meet-in-the-Middle Attacks on Block Ciphersweb.spms.ntu.edu.sg/~ask/2012/slides_03_Takanori_Isobe.pdf · Background Meet-in-the-Middle(MitM)attack was proposed by Diffie

Documents
SELF STUDY REPORT - MITM

SELF STUDY REPORT - MITM

Documents
SECURING OIL AND GAS PRODUCTION SYSTEMS FROM CYBER-ATTACK · GAS PRODUCTION SYSTEMS FROM CYBER-ATTACK ... PLC is Vulnerable to the Man in the Middle Attack ... (MiTM) attack MiTM

SECURING OIL AND GAS PRODUCTION SYSTEMS FROM CYBER-ATTACK · GAS PRODUCTION SYSTEMS FROM CYBER-ATTACK ... PLC is Vulnerable to the Man in the Middle Attack ... (MiTM) attack MiTM

Documents
MITM ARP Poison Attack - simms-teach.com · CIS 76 MITM via ARP Poisoning MITM ARP Poison Attack 1 DRAFT Last updated 9/4/2017

MITM ARP Poison Attack - simms-teach.com · CIS 76 MITM via ARP Poisoning MITM ARP Poison Attack 1 DRAFT Last updated 9/4/2017

Documents
All Subkeys Recovery Attack on Block Ciphers: Extending ...ark/mitm_preprint.pdf · All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle ... (MITM) attacks on

All Subkeys Recovery Attack on Block Ciphers: Extending ...ark/mitm_preprint.pdf · All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle ... (MITM) attacks on

Documents
Implementation of MITM Attack on HDCP-Secured Links …bunniestudios.com/blog/images/28c3_bunnie_hdcp_mitm_final.pdf · Implementation of MITM Attack on HDCP-Secured Links bunnie

Implementation of MITM Attack on HDCP-Secured Links …bunniestudios.com/blog/images/28c3_bunnie_hdcp_mitm_final.pdf · Implementation of MITM Attack on HDCP-Secured Links bunnie

Documents
CHPTE - KERNELiOS...MITM Advance Attacks 5 Exam Testing MITM Advance Attacks 5 Infrastructure Penetration Testing - Wi-Fi Networks 1. WEP Protocol – Attack types, Using Aircrack-NG,

CHPTE - KERNELiOS...MITM Advance Attacks 5 Exam Testing MITM Advance Attacks 5 Infrastructure Penetration Testing - Wi-Fi Networks 1. WEP Protocol – Attack types, Using Aircrack-NG,

Documents
IP Security - Computer Action Teamweb.cecs.pdx.edu/~jrb/netsec/lectures/pdfs/ipsec.pdf · firewalls/routers great MITM attack ... Stallings - Cryptography and ... Jim Binkley 39 naming

IP Security - Computer Action Teamweb.cecs.pdx.edu/~jrb/netsec/lectures/pdfs/ipsec.pdf · firewalls/routers great MITM attack ... Stallings - Cryptography and ... Jim Binkley 39 naming

Documents
Network Security INTERNET · PDF fileNetwork Security indigoo.com ... TCP connection hijacking (MITM - Man In The Middle attack): ... Often servers disclose their version at startup

Network Security INTERNET · PDF fileNetwork Security indigoo.com ... TCP connection hijacking (MITM - Man In The Middle attack): ... Often servers disclose their version at startup

Documents
Sieve-in-the-Middle: Improved MITM Attacks · Sieve-in-the-Middle: Improved MITM Attacks Anne Canteaut 1, Mar a Naya-Plasencia , and Bastien Vayssi ere2 ... that it provides an attack

Sieve-in-the-Middle: Improved MITM Attacks · Sieve-in-the-Middle: Improved MITM Attacks Anne Canteaut 1, Mar a Naya-Plasencia , and Bastien Vayssi ere2 ... that it provides an attack

Documents
MITM : man in the middle attack

MITM : man in the middle attack

Education
MitM attacks on multi-platform banking applications · MitM attacks on multi-platform banking applications ... This attack was not successfully ... MitM attack provide an own DNS

MitM attacks on multi-platform banking applications · MitM attacks on multi-platform banking applications ... This attack was not successfully ... MitM attack provide an own DNS

Documents
BeEF Injection MITM

BeEF Injection MITM

Documents
Security for 5G Mobile Wireless Networks · •Active attack (man-in-the-middle(MITM) attack, replay attack, Dos, DDos) Cryptographic techniques •Cryptography (Symmetric-key, public-key)

Security for 5G Mobile Wireless Networks · •Active attack (man-in-the-middle(MITM) attack, replay attack, Dos, DDos) Cryptographic techniques •Cryptography (Symmetric-key, public-key)

Documents
MitM Attack by Name Collision: Cause Analysis and ...alfchen/alfred_sp16.pdfMitM Attack by Name Collision: Cause Analysis and Vulnerability Assessment in the New gTLD Era Qi Alfred

MitM Attack by Name Collision: Cause Analysis and ...alfchen/alfred_sp16.pdfMitM Attack by Name Collision: Cause Analysis and Vulnerability Assessment in the New gTLD Era Qi Alfred

Documents
MITM Attack with Patching Binaries on the Fly by Adding Shellcodes

MITM Attack with Patching Binaries on the Fly by Adding Shellcodes

Internet
Mitm Presentation

Mitm Presentation

Documents
Sieve-in-the-Middle: Improved MITM Attacks (Full Version )y · Sieve-in-the-Middle: Improved MITM Attacks (Full Version ... attacks in the sense that it provides an attack on a higher

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )y · Sieve-in-the-Middle: Improved MITM Attacks (Full Version ... attacks in the sense that it provides an attack on a higher

Documents
Converting MITM Preimage Attack into Pseudo Collision ...fse2012.inria.fr/SLIDES/67.pdf · MITM preimage attack with the matching point at the end is considered as partial target

Converting MITM Preimage Attack into Pseudo Collision ...fse2012.inria.fr/SLIDES/67.pdf · MITM preimage attack with the matching point at the end is considered as partial target

Documents
Legacy of Heartbleed: MITM and Revoked - Zeronights 2017 · Legacy of Heartbleed: MITM and Revoked Certificates Alexey Busygin busygin@neobit.ru NeoBIT . ... Man-in-the-Middle Attack

Legacy of Heartbleed: MITM and Revoked - Zeronights 2017 · Legacy of Heartbleed: MITM and Revoked Certificates Alexey Busygin [email protected] NeoBIT . ... Man-in-the-Middle Attack

Documents
Ev Ssl Mitm Slides

Ev Ssl Mitm Slides

Documents
Collaborative Approach to Mitigating ARP Poisoning-based ...yu.ac.kr/~synam/papers/arp_spoofing_mitigation_general_submit.pdf · ARP poisoning on Node A and the MITM attack be-tween

Collaborative Approach to Mitigating ARP Poisoning-based ...yu.ac.kr/~synam/papers/arp_spoofing_mitigation_general_submit.pdf · ARP poisoning on Node A and the MITM attack be-tween

Documents
MITM using SSLStrip & Mitigation Methods - … · MITM using SSLStrip & Mitigation Methods Page 4 The Attack ARP Spoofing and SSL Stripping Considered an active eavesdropping attack,

MITM using SSLStrip & Mitigation Methods - … · MITM using SSLStrip & Mitigation Methods Page 4 The Attack ARP Spoofing and SSL Stripping Considered an active eavesdropping attack,

Documents