defcon moscow #0x0a - oleg kupreev "uncommon mitm in uncommon conditions"
TRANSCRIPT
Uncommon MiTM in uncommon conditions
00 WHOAMI
• @090h, [email protected], keybase.io/090h
• ZN HW Village organizer [email protected]
• 802.11 pwner, SDR/RF enthusiast
• embedded reverser (for PWN/DIY)
• JBFC/DC7499 member
• researcher at hlsec.ru
• pwning telecommunications since 2002
• …was doing MITM 20 years ago 8)
01 INTRO
• XXI century is the communications century
• When I was a boy we counted in Pentiums 8) 1993 Pentium 66 MHz – 2000 Pentium 4 1400 MHz
• Nowadays we count in G and still use Pentium, but 4G is used and 5G in progress
• DialUp 9600 FIDO – FTTH 100 Mb Internet
• Nearest future: 5G + IPv6 + IoE
• Security of communications is evolving slooooooooooowly.
SS7 invented in 1975, kicking ass nowadays
02 MAN MITM
• MITM = Man In The Middle
• It is a type of fundamental communication attack
• Subtypes: active, passive
• IRL: passive MITM = sniff, active MITM = MITM
• Also has a name…
Alice, Bob and Eve…
.. and sometimes Charlie
.. and Mallory aka Trudy
Implementation
• Fundamental => data channel independent
• Data channels:
• Ethernet
• USB
• UART
• SPI
• RFID
• NFC
• WiFi
• GSM
ETHERNET EVE
MY FIRST SNIFFER EVE
ALICE LOOKED AWESOME THESE DAYS
NFC EVE
Short summary
• Technology changes – MiTM changes. Hackers should be adaptive.
• Security of telecommunications is like in the 90’s
• MiTM world is much bigger than most hackers think
• Study fundamental sciences, to be able to hack at the FUNdaMENTAL layer!
I LIKE TO MITM IT MITM IT
MITM I HAVE KNOWN AND LOVED
• LAN based MITM
• WAN based MITM
• Rogue AP MITM (KAMA/MANA/HostapdWPE)
• MITM over VPN (L2TP, PPTP)
• Hybrid MITM
MITM anatomy
• ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY
• PLAiN_TEXT_PROTO => SNIFF FOR LOOT + INJECT EViL
• HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER
• HTTP + BDFProxy => SHELLZ
• SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO
• SSL + PROTO => (HEARTBLEED || POODLE) => PWN
• LOOT => cookies, credentials, photos, locations
• Custom sniffers/injectors/sploits for protocols/apps/vulns
• Example: SMB/NTLM relays
THAT’S WHY PRACTICE RULES!
Cooking MITM by ARP cache poison attack
Practice with Scapy
ARP attacks
send( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 )  # half duplex
send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 )  # ARP spoofing in VLANs
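The defender-side counterpart to the two Scapy lines above, added here as an example and not code from the talk or the 0x90 repos: a small ARP watcher that parses raw Ethernet frames, strips any stack of 802.1Q tags (so the double-tagged VLAN variant is still inspected) and alerts when a protected IP such as the gateway is claimed by a MAC other than the trusted one. All MACs, IPs and frames are constructed for the demo; `ArpWatch`, `parse_arp_frame` and `build_arp` are names chosen for this example.

```python
"""ARP spoofing detector over constructed Ethernet / 802.1Q / ARP frames.

Added example, not code from the talk or the 0x90 repos. Only Ethernet/IPv4
ARP is handled; addresses below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETH_P_8021Q = 0x8100    # 802.1Q VLAN tag
ETH_P_8021AD = 0x88A8   # 802.1ad (QinQ) outer tag
ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpInfo:
    vlans: List[int]     # VLAN IDs outer-to-inner, [] if untagged
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpInfo]:
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 14:
        return None
    offset = 12                      # skip dst + src MAC
    vlans: List[int] = []
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    while ethertype in (ETH_P_8021Q, ETH_P_8021AD):   # walk every VLAN tag
        if len(frame) < offset + 6:
            return None
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        vlans.append(tci & 0x0FFF)   # low 12 bits of the TCI are the VID
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    if ethertype != ETH_P_ARP:
        return None
    arp = frame[offset + 2:]
    if len(arp) < 28:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpInfo(vlans, op, _mac(arp[8:14]), _ip(arp[14:18]), _ip(arp[24:28]))


class ArpWatch:
    """Tracks IP->MAC bindings; a protected IP may only be claimed by its trusted MAC."""

    def __init__(self, trusted: Dict[str, str]):
        self.trusted = {ip: mac.lower() for ip, mac in trusted.items()}
        self.seen: Dict[str, str] = {}   # first MAC seen for every other IP

    def inspect(self, frame: bytes) -> Optional[str]:
        info = parse_arp_frame(frame)
        if info is None:
            return None
        expected = self.trusted.get(info.sender_ip)
        if expected and info.sender_mac != expected:
            return (f"ALERT: {info.sender_ip} claimed by {info.sender_mac}, trusted MAC "
                    f"is {expected} (op={info.op}, vlans={info.vlans})")
        previous = self.seen.setdefault(info.sender_ip, info.sender_mac)
        if previous != info.sender_mac:
            return f"WARN: {info.sender_ip} moved from {previous} to {info.sender_mac}"
        return None


def build_arp(dst, src, op, sender_mac, sender_ip, target_mac, target_ip, vlans=()) -> bytes:
    """Assemble a frame for the sample data below (test helper only, nothing is sent)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid)
    hdr += struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sender_mac + sender_ip + target_mac + target_ip
    return hdr + arp


# Constructed addresses for the demo (locally administered MACs, RFC 1918 IPs).
GW_MAC = bytes.fromhex("02aa00000001")
CLIENT_MAC = bytes.fromhex("02aa00000014")
EVIL_MAC = bytes.fromhex("02ee0000dead")
ZERO_MAC = bytes(6)
GW_IP, CLIENT_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])


def run_demo() -> List[str]:
    """Feed one legitimate reply and two spoofed 'who-has' frames (plain and double-tagged)."""
    watch = ArpWatch({"192.168.1.1": "02:aa:00:00:00:01"})
    frames = [
        build_arp(CLIENT_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, CLIENT_MAC, CLIENT_IP),
        build_arp(CLIENT_MAC, EVIL_MAC, ARP_REQUEST, EVIL_MAC, GW_IP, ZERO_MAC, CLIENT_IP),
        build_arp(CLIENT_MAC, EVIL_MAC, ARP_REQUEST, EVIL_MAC, GW_IP, ZERO_MAC, CLIENT_IP, vlans=(1, 2)),
    ]
    return [a for a in map(watch.inspect, frames) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The spoofed "who-has" with psrc set to the gateway carries the sender's own MAC in the ARP payload, which is exactly the field the watcher compares against the trusted binding; tagging the frame does not hide it, because the parser keeps walking tags until it reaches the real ethertype.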
Meanwhile in real world
Common MITM after ARP poison
IRL: WTF IS GOING ON?
SOME ATTACK? MAYBE PWN THE ROUTER?
PixieWPS + admin:admin @ web interface
Shodan + device-pharmer.py pwnage
We’ve got root! What to do next?
• Backup configuration
• Get shell
• Research firmware availability
• Have fun
Backup configuration
Enable telnet access
Enable DynDNS if white IP
Enable syslog to rsyslogd @ VPS
Use Guest WiFi as tiny KARMA
Separate SSID, IP mask = comfort
Install plugins
Enable PPTP VPN
Install and use tcpdump in firmware
BPF 4 YOU
Set DNS to your EvilDNS with dnschef
Passive MITM aka EVE at router
• tcpdump
• NFS mount and/or netcat
• Write pcap file to share/pipe with tcpdump
Eve on router
Mallory on router
• Set DNS to VPS
• Install tcpdump, sslsplit, sslstrip
• NFS mount/netcat
• Write pcap file to share/pipe with tcpdump
Mallory on router
Pros and cons
Pros:
• Not so hard to do
Cons:
• Router is rebooted by watchdog or users
• MITM is sloooooooooow because of high CPU temperature
• Not so many routers have such rich features
• VPS IP disclosure during MITM
WAN MITM TO VPS
WAN MITM ALGO
• Telnet to router
• Run mitmproxy in transparent mode on VPS
• DNAT port 80 to VPS_IP:8080
Router requirements
• telnet/ssh/rce/cmd inj
• iptables
WAN based MITM
Pros and cons
Pros:
• Not so hard to do
Cons:
• Only works for HTTP traffic
• Can’t distinguish clients by IP
• VPS IP disclosure during MITM
HARDCORE MODE ON
PPTP based MITM
PPTP MITM ideas
• MiTM consists of 2 parts: for router and VPS
• All active attacks are working on VPS
• Router is used for forwarding and routing
• pwner is pwning
Router requirements
• PPTP VPN server in firmware
• iptables
• telnet/ssh/rce/cmd inj
VPS requirements
• Linux
• pptp
• iptables
• sslstrip, sslsplit, tcpdump, mitmproxy
PPTP MITM ALGO
• Connect from VPS to PPTP VPN
• Get ppp0 interface IP
• Launch MITM kit on ppp0 (sslsplit, sslstrip, iptables forwarding)
• Telnet to router
• Add ISP gateway to route map
• Set VPS ppp0 IP as default gateway
• PWN’em all
PPTP Server on router + Mallory on VPS
Pros and cons
Pros:
• FULL MITM
• No IP disclosure
Cons:
• Router loses connection to Internet if PPTP connection is down
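The three router-side changes described in the router, WAN and PPTP sections (resolver pointed at a dnschef host, DNAT of port 80 to VPS_IP:8080, default gateway moved to the VPS's ppp0 peer) each leave a footprint in the router's own configuration, which is what an operator can audit. The script below is an added example, not code from the talk or its repos: it compares constructed snapshots shaped like `ip route`, `/etc/resolv.conf` and `iptables -t nat -S` output against a known-good baseline and reports the three deviations. `BASELINE`, every address in it and in the snapshots, and the function names are assumptions of this example.

```python
"""Router configuration audit against a known-good baseline.

Added example, not from the talk or its repos. Reads text shaped like the
output of `ip route`, /etc/resolv.conf and `iptables -t nat -S` (constructed
below) and reports: a default route off the expected ISP gateway/interface,
resolvers outside the allowlist, and DNAT targets outside the LAN.
"""
import ipaddress
import re
import shlex
from typing import List

# Constructed baseline; an operator would fill this from a trusted snapshot.
BASELINE = {
    "default_gw": "203.0.113.1",           # ISP gateway the router should use
    "wan_dev": "eth0",                     # interface the default route must use
    "dns_allow": {"203.0.113.53", "203.0.113.54"},
    "lan": ipaddress.ip_network("192.168.1.0/24"),
}


def check_routes(ip_route_text: str, base=BASELINE) -> List[str]:
    """Flag a default route that does not match the baseline gateway and device."""
    findings = []
    for line in ip_route_text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "default":
            continue
        gw = parts[parts.index("via") + 1] if "via" in parts else None
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        if gw != base["default_gw"] or dev != base["wan_dev"]:
            findings.append(f"default route via {gw} dev {dev}, expected "
                            f"{base['default_gw']} dev {base['wan_dev']}")
    return findings


def check_resolvers(resolv_text: str, base=BASELINE) -> List[str]:
    """Flag nameserver entries outside the allowlist."""
    findings = []
    for line in resolv_text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m and m.group(1) not in base["dns_allow"]:
            findings.append(f"resolver {m.group(1)} not in allowlist")
    return findings


def check_nat(iptables_text: str, base=BASELINE) -> List[str]:
    """Flag DNAT rules whose target is outside the LAN (IPv4 rules only).

    Port forwards to an internal host are normal; a DNAT that sends client
    traffic to a public address is the pattern to catch.
    """
    findings = []
    for line in iptables_text.splitlines():
        args = shlex.split(line)
        if "DNAT" not in args or "--to-destination" not in args:
            continue
        dest = args[args.index("--to-destination") + 1]
        host = dest.rsplit(":", 1)[0]          # strip optional :port
        dport = args[args.index("--dport") + 1] if "--dport" in args else "any"
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"unparseable DNAT target {dest!r}")
            continue
        if addr not in base["lan"]:
            findings.append(f"DNAT dport {dport} -> {dest} leaves the LAN")
    return findings


def audit(ip_route_text: str, resolv_text: str, iptables_text: str, base=BASELINE) -> List[str]:
    return (check_routes(ip_route_text, base) + check_resolvers(resolv_text, base)
            + check_nat(iptables_text, base))


# Constructed snapshots of a router after the changes described on the slides.
SAMPLE_ROUTES = """\
default via 10.255.0.2 dev ppp0
10.255.0.2 dev ppp0 proto kernel scope link src 10.255.0.1
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.77
"""
SAMPLE_RESOLV = """\
nameserver 203.0.113.53
nameserver 198.51.100.10
"""
SAMPLE_NAT = """\
-P PREROUTING ACCEPT
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 198.51.100.10:8080
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.50:22
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROUTES, SAMPLE_RESOLV, SAMPLE_NAT):
        print("FINDING:", finding)
```

Run on the constructed snapshots it reports exactly the three changes: the default route through the PPP peer, the second resolver, and the port-80 DNAT to a public address, while the ordinary SSH port forward to an internal host passes. In practice the snapshots would come from the router's shell (or its syslog, as the "Enable syslog to rsyslogd @ VPS" slide suggests), taken on a schedule and diffed against the baseline.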
REPOS/TOOLS
REPOS
• https://github.com/0x90/lan-warz
• https://github.com/0x90/mitm-arsenal
• https://github.com/0x90/scapy-arsenal
MiTM EXAMPLES
https://github.com/dc7499/uncommon-mitm