Uncommon MiTM in uncommon conditions

00 WHOAMI• @090h, root@0x90.ru, keybase.io/090h • ZN HW Village organizer hardware@zeronights.ru • 802.11 pwner, SDR/RF enthusiast • embedded reverser (for PWN/DIY)• JBFC/DC7499 member• researcher at hlsec.ru • pwning telecommunications since 2002• …was doing MITM 20 years ago 8)

01 INTRO• XXI century is communications century• When I was a boy we counted in Pentiums 8)1993 Pentium 66Mhz – 2000 Pentium 4 1400MHz• Nowadays we count in G and still use Pentium, but 4G is

used and 5G in progress• DialUp 9600 FIDO – FTTH 100Mb Internet• Nearest future: 5G + IPv6 + IoE• Security of communications evolving slooooooooooowly.

SS7 invented in 1975, kicking ass nowadays

02 MAN MITM • MITM = Man In The Middle• It is a type fundamental communication attacks• Subtypes: active, passive• IRL: passive MITM = sniff, active MITM = MITM• Also has a name….

Alice, Bob and Eve…

.. and sometimes Charlie

.. and Mallory aka Trudy

Implementation• Fundamental => data channel independent • Data channels:• Ethernet• USB• UART• SPI• RFID• NFC• WiFi• GSM

ETHERNET EVE

MY FIRST SNIFFER EVE

ALICE LOOKED AWSOME THEESE DAYS

NFC EVE

Short summary• Technology changes – MiTM changes. Hackers should be adaptive.• Security of telecommunications is like in 90’s• MiTM world is much more bigger than most hacker think• Study fundamental sciences, to be able to hack at FUNdaMENTAL

layer!

I LIKE TO MITM IT MITM IT

MITM I HAVE KNOWN AND LOVED• LAN based MITM• WAN based MITM• Rogue AP MITM (KAMA/MANA/HostapdWPE)• MITM over VPN (L2TP, PPTP)• Hybrid MITM

MITM anatomy• ARP/DHCP/IPv6/RogueAP/SOME_ATTACK to become MALLORY • PLAiN_TEXT_PROTO => SNIFF FOR LOOT + INJECT EViL• HTTP + BEEF hook.js => MITB = MAN_IN_THE_BROWSER• HTTP + BDFProxy => SHELLZ• SSL + PROTO => (SSLSPLIT || SSLSTRiP) => PROTO• SSL + PROTO => (HEARTBLEED || POODLE) => PWN• LOOT => cookies, credentials, photos, locations• Custom sniffers/injectors/sploits for protocols/apps/vulns• Example: SMB/NTLM relays

THAT’S WHY PRACTICS RULE!

Cooking MITM by ARP cache poison attack

Practice with Scapy

ARP attackssend( Ether(dst=clientMAC)/ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) # half duplex

send( Ether(dst=clientMAC)/Dot1Q(vlan=1)/Dot1Q(vlan=2) /ARP(op="who-has", psrc=gateway, pdst=client), inter=RandNum(10,40), loop=1 ) # ARP spoofing in VLANS

Meanwhile in real world

Common MITM after ARP poison

SOME ATTACK?MAYBE PWN THE

ROUTER?

PixieWPS + admin:admin @ web interface

Shodan + device-pharmer.py pwnage

We’ve got root! What to do next?• Backup configuration• Get shell• Research firmware availabilities• Have fun

Backup configuration

Enable telnet access

Enable DynDNS if white IP

Enable syslog to rsyslogd @ VPS

Use Guest WiFi as tiny KARMA

Separate SSID, IP mask = comfort

Install plugins

Enable PPTP VPN

Install and use tcpdump in firmware

BPF 4 YOU

Set DNS to your EvilDNS with dnschef

Passive MITM aka EVE at router• tcpdump • NFS mount and/or netcat • Write pcap file to share/pipe with tcpdump

Eve on router

Mallory on router• Set DNS to VPS• Install tcpdump, sslsplit, sslstrip• NFS mount/netcat• Write pcap file to share/pip with tcpdump

Mallory on router

Pros and consPros:• Not so hard to doCons• Router is rebooted by watchdog or users• MITM is sloooooooooow cause of high temp of CPU• Not so many routers have such reach features• VPS IP disclosure during MITM

HARDCORE MODE ONPPTP based MITM

PPTP MITM ideas• MiTM contains of 2 parts for router and VPS• All active attacks are working on VPS• Router is used for forwarding and routing• pwner is pwning

Router requirements • PPTP VPN server in firmware• iptables• telnet/ssh/rce/cmd inj

VPS requirements • Linux,• pptp• iptables• sslstrip,sslsplit, tcpdump, mitmproxy

PPTP MITM WEB ALGO• Connect from VPS to PPTP Server on router• Get ppp0 interface ip• Telnet to router• Run mitmproxy in transparent mode on VPS• DNAT port 80 to ip(ppp0):8080

PPTP Server on router + Mallory on VPS

PPTP MITM WEB ALGO• Connect from VPS to PPTP VPN• Get ppp0 interface ip• Telnet to router

PPTP Server on router + Mallory on VPS

IRL: WTF IS GOING ON?

REPOS/TOOLS

• https://github.com/0x90/lan-warz • https://github.com/0x90/mitm-arsenal• https://github.com/0x90/scapy-arsenal