During our last tool talk at NEOISF, Matt Neely talked about using a Fon (a wireless access point) with Karmetasploit to attack wireless clients for penetration testing. In this talk we take that concept a step further and show what the latest techniques are for conducting man-in-the-middle (MITM) attacks. First, we define what man-in-the-middle attacks are and why we should be doing them in our penetration tests. The technical discussion covers our old favorites like Wireshark, Ettercap and Cain. Next, we show some new techniques introduced with tools like SSLStrip, The Middler, and Network Miner. Finally, we end with an open discussion on how to defend against man-in-the-middle attacks.
2. Man-In-The-Middle
• What is this MITM you speak of?
• Old school classics
• New school tools
• Why use it for pentests?
• How to defend?
3. What is a MITM?
• Redirect all traffic to YOU while allowing normal Internet access for the victim(s)
• Modify, intercept and capture network traffic
• Create DoS
5. Setting up your Monkey
• Traditional ARP Cache Poisoning
  The MITM becomes the "router"
• KARMA on the Fon (WiFi Attack)
  Karma brings you the victim
6. ARP Refresher
• ARP (Address Resolution Protocol)
• How devices associate MAC to IP
  ARP Request
  Computer A asks "Who has this IP?"
  ARP Reply
  Computer B tells A "That's me! I have this MAC!"
  Reverse ARP Request
  Like an ARP request, but Computer A asks "Who has this MAC?"
  Reverse ARP Reply
  Computer B tells A "I have that MAC, here is my IP!"
7. ARP Cache Poisoning
• Send fake ARP Replies to your victim(s)
• Allows sniffing on switched networks
• Hijacking of IP traffic between hosts
9. KARMA on the Fon
• The "evil twin"
  KARMA listens and responds to all!
• KARMA on the Fon
  Route wireless traffic to YOU!
12. Wireshark
• Popular network sniffer
• Easy to use
• Easy capture of data
• Robust filtering
• Multi-platform (you probably have it)
14. Ettercap
• Used for filtering, hijacking, ARP cache poisoning and sniffing
• GUI, cmd, ncurses! Multi-platform
• Cool filters and plugins...
• Inject HTML into existing web pages!
  Meterpreter payload anyone?
• DNS Spoofing (phantom plugin)
• Many more...
16. Cain
• Able is a separate program used to conduct remote activities (NT hash dump, console)
• Multi-functional "password recovery" tool
• Password cracking, scanning, sniffing, ARP poisoning and many related attacks (DNS, HTTPS, POP3S, RDP, etc...)
• Much, much more!
• Windows only
19. Network Miner
• Passive network sniffer/packet capture tool
• Detect OS, sessions, hostnames, open ports, etc...
• Easy view of usernames and passwords
• Parse PCAP files, search via keywords
• Can reassemble files and certs from PCAP files
• Windows only
21. The Middler
• Created by Jay Beale and Justin Searle (InGuardians)
• Alpha version released at ShmooCon 2009
• Ability to inject JavaScript into cleartext traffic
• Clone sessions for the attacker (CSRF)
• Intercept logout requests
• Plugin architecture
• Highlights problem of sites using mixed HTTP/HTTPS
22. SSLStrip
• Created by Moxie Marlinspike, released at BlackHat DC 2009
• Transparently hijack HTTP traffic on a network
• Switches all HTTPS links to HTTP and swaps the user to an insecure look-alike page
• Server thinks everything is "a-ok!" and no SSL cert "warning"
• Supports modes for:
  • supplying a favicon which looks like a lock
  • selective logging and session denial
24. Why use MITM in a Pentest?
• Allows more focus on the USERS
• Are they aware of HTTP vs. HTTPS?
• Highlight insecure protocols (Telnet, Basic HTTP Auth)
• Hint: Save PCAP files and run them through multiple tools! (thanks Mubix)
25. ARP Poisoning Defense
• Monitoring Tools
  ArpON
  Arpwatch
• Static IPs/Static ARP Tables (not sustainable!)
• Turn on "port security" in your switches!
• Check out Dynamic ARP Inspection (Cisco DAI)
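To show what the monitoring tools on this slide actually look for, here is an added example (not from the talk, not Arpwatch's own code) modeled on Arpwatch's "changed ethernet address" and "flip flop" reports: it walks a constructed list of ARP replies in which a second host claims the gateway's IP, and flags every change of the IP-to-MAC binding. The IPs, MACs and record layout are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample of ARP replies as a monitor on the segment would see them:
# (timestamp, sender IP, sender MAC). The gateway 192.168.1.1 legitimately lives
# at aa:bb:cc:00:00:01; records 3 and 5 are a second host claiming its IP, and
# record 4 is the real gateway re-asserting itself (the classic poisoning race).
SAMPLE_REPLIES: List[Tuple[float, str, str]] = [
    (1.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (2.0, "192.168.1.10", "aa:bb:cc:00:00:10"),
    (3.0, "192.168.1.1",  "aa:bb:cc:00:00:66"),   # binding changes
    (4.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # bounces back
    (5.0, "192.168.1.1",  "aa:bb:cc:00:00:66"),   # bounces again
    (6.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
]

@dataclass
class Alert:
    kind: str      # "changed ethernet address" or "flip flop"
    ip: str
    old_mac: str
    new_mac: str
    when: float

def watch_arp(replies, known: Dict[str, str] = None):
    """Arpwatch-style monitor. Learns the first MAC seen for each IP (or takes
    a static table of known bindings) and alerts whenever a later reply binds
    the IP to a different MAC. A change back to a MAC previously bound to that
    IP is reported as a "flip flop", which is what a poisoning race looks like."""
    table: Dict[str, str] = {ip: mac.lower() for ip, mac in (known or {}).items()}
    history: Dict[str, Set[str]] = {ip: {mac} for ip, mac in table.items()}
    alerts: List[Alert] = []
    for when, ip, mac in replies:
        mac = mac.lower()
        prev = table.get(ip)
        if prev is None:                      # first time we see this IP
            table[ip] = mac
            history[ip] = {mac}
        elif prev != mac:                     # binding changed: raise an alert
            kind = "flip flop" if mac in history[ip] else "changed ethernet address"
            alerts.append(Alert(kind, ip, prev, mac, when))
            table[ip] = mac
            history[ip].add(mac)
    return table, alerts

if __name__ == "__main__":
    _, found = watch_arp(SAMPLE_REPLIES)
    for a in found:
        print(f"[{a.when:4.1f}] {a.kind}: {a.ip} {a.old_mac} -> {a.new_mac}")
```

A real deployment would feed the loop from a packet capture and page on the first alert; seeding `known` with the gateway's binding means the very first spoofed reply is caught even if the monitor started after the attacker.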
26. MITM Defense
• User education (hard)
• Use a VPN or SSH tunnel on insecure networks (coffee shops, DEFCON)
• Encourage employees to use the VPN when using public WiFi!