Alice and Bob are Eff'd

alice and bob are f**ked

jason ross

narcissism

i work here

i play here

i malware

if you need notes for this slide, you suck.

intro to mitm

there's alice and bob. they want to talk to each other, because they're friends. mallory hates them both. she's got a plan. if she can jump into one of their conversations, she can cause all kinds of problems.

traditional mitm techniques

arp spoof/poisoning: dsniff / ettercap / cain

dns poisoning: dns-mre

802.11 tricks: karma/airbase

dhcp exhaustion: scapy / metasploit (digininja's mods)

there are a number of techniques for accomplishing man-in-the-middle attacks. here's a list of the more common ones, and some of the tools that can be used to perform them.

* arp spoofing tricks other machines on the network into thinking you're the gateway host. this results in the attacking host acting as the router for the network. because it is the router, all packets can be intercepted.

* dns poisoning can be used to inject an attacker's ip address into the answer section of a dns query. this results in a victim host believing the attacker's IP is the correct address for, say, paypal.com.

* 802.11 tricks typically involve setting up a rogue AP. wireless clients connect to the AP, resulting in the attacker again acting as a gateway device and router, able to intercept all traffic from the victim machine.

* dhcp exhaustion is generally performed by sending a flood of dhcp request packets, and accepting all resulting dhcp offers until the dhcp server pool has been entirely consumed by the attacking machine. more complicated versions attempt to send dhcp release packets for existing hosts, in an attempt to knock them off the network. once all dhcp addresses are owned by the attacker, it can send out dhcp replies to new requests and assign addresses from the pool it now owns. the result once again is that the attacker becomes the gateway device for the victim machines.
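the dhcp exhaustion flood described above has a visible footprint on the wire: a burst of lease requests from far more distinct client MACs than a segment normally produces. this is an added detection example written for this transcript, not code from the talk or from mallory; the log it runs over is constructed, and the pool size and window are assumptions.

```python
from collections import deque

# Constructed DHCP DISCOVER log as (seconds, client hardware address) tuples.
# Not a real capture: four clients renewing normally, then 200 distinct
# spoofed client MACs arriving 50 ms apart, the footprint of a pool-exhaustion flood.
NORMAL = [(i * 7.0, f"00:11:22:33:44:{i:02x}") for i in range(4)]
FLOOD = [(60.0 + i * 0.05, f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}") for i in range(200)]
DISCOVERS = NORMAL + FLOOD


def exhaustion_alerts(discovers, pool_size, window_s=30.0, fraction=0.5):
    """Sliding-window detector for DHCP pool exhaustion.

    Counts distinct client MACs seen in the last `window_s` seconds. A small
    segment rarely has more than a handful of new clients per window; a flood
    that claims a large share of the pool is reported once per burst as
    (window_start, alert_time, distinct_macs). Thresholds are assumptions.
    """
    threshold = pool_size * fraction
    window = deque()          # (ts, mac) in arrival order
    live = {}                 # mac -> occurrences still inside the window
    alerts, alerting = [], False
    for ts, mac in sorted(discovers):
        window.append((ts, mac))
        live[mac] = live.get(mac, 0) + 1
        # Expire entries that have fallen out of the window.
        while ts - window[0][0] > window_s:
            _, old_mac = window.popleft()
            live[old_mac] -= 1
            if live[old_mac] == 0:
                del live[old_mac]
        distinct = len(live)
        if distinct > threshold and not alerting:
            alerts.append((window[0][0], ts, distinct))
            alerting = True          # report each burst once, not once per packet
        elif distinct <= threshold:
            alerting = False
    return alerts


if __name__ == "__main__":
    for start, when, n in exhaustion_alerts(DISCOVERS, pool_size=254):
        print(f"pool exhaustion suspected: {n} distinct clients between "
              f"t={start:.1f}s and t={when:.1f}s")
```

on the constructed log the four normal clients never trip the detector; the flood is reported once, at the packet where 128 distinct MACs (more than half of a /24 pool) have asked for leases inside one window.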

problems with mitm

can be painful to maintain

arp poisoning is problematic

encryption!

passive capture is fun, but may not be enough

details in the next few slides

painful maintenance

iptables works well

but managing long lists of rules is a pain

and you still have to do something useful with the traffic you intercept

maintenance window!

you've just become the router on a network with somewhere between 50 and 150 hosts. you need to intercept specific traffic, monitor it, and potentially manipulate the data being sent between the client and server. how do you do that effectively?

*hint*: manually adding iptables rules for everything you want + managing a crapton of netsed regex statements is not effective.

arp poisoning isn't ideal

busy networks will kill the poisoning host

its likely to get noticed

even when it works, its fickle

odds are in favor of the network

when you arp poison a network, it's essentially you vs. every machine on the segment.

because each machine is trying to respond to arp requests with valid information as you're trying to respond with bogus information, there's a dramatic increase in the total amount of traffic.

additionally, any success is limited, as the valid arp data is constantly being sent by the legit hosts.
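the race just described (legit host and poisoning host both answering for the same address) is also what makes arp poisoning detectable: the same ip is seen flip-flopping between two MACs within seconds. this added example, for the arp spoofing bullet earlier and for these notes, is not code from the talk or from mallory; the reply log is constructed, and the window and flip threshold are assumptions.

```python
from collections import defaultdict

# Constructed ARP reply log as (seconds, sender IP, sender MAC). Not a real capture:
# 10.0.0.1 is the gateway; a second MAC keeps answering for it, interleaved with the
# real gateway's own replies, which is the race described in the notes above.
# 10.0.0.5 changes MAC once (e.g. a NIC swap) and must not be reported as poisoning.
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"), (0.5, "10.0.0.1", "de:ad:be:ef:00:01"),
    (1.0, "10.0.0.1", "00:11:22:33:44:01"), (1.5, "10.0.0.1", "de:ad:be:ef:00:01"),
    (2.0, "10.0.0.1", "00:11:22:33:44:01"), (2.5, "10.0.0.1", "de:ad:be:ef:00:01"),
    (3.0, "10.0.0.1", "00:11:22:33:44:01"),
    (0.7, "10.0.0.23", "00:11:22:33:44:23"), (40.0, "10.0.0.23", "00:11:22:33:44:23"),
    (5.0, "10.0.0.5", "00:11:22:33:44:05"), (9.0, "10.0.0.5", "00:11:22:33:44:09"),
]


def arp_conflicts(replies, window_s=10.0, min_flips=3):
    """Report IPs whose advertised MAC changes between consecutive replies.

    Returns {ip: {"macs": [...], "flips": n, "flapping": bool}}. One change is
    normal churn; `min_flips` or more changes, each within `window_s` of the
    previous reply, means two hosts are fighting over the address, which is the
    signature of an ARP poisoning race. Thresholds are assumptions.
    """
    by_ip = defaultdict(list)
    for ts, ip, mac in sorted(replies):
        by_ip[ip].append((ts, mac))
    report = {}
    for ip, events in by_ip.items():
        macs = sorted({mac for _, mac in events})
        if len(macs) < 2:
            continue                      # one consistent MAC: nothing to report
        flips = sum(1 for (t0, m0), (t1, m1) in zip(events, events[1:])
                    if m0 != m1 and t1 - t0 <= window_s)
        report[ip] = {"macs": macs, "flips": flips, "flapping": flips >= min_flips}
    return report


if __name__ == "__main__":
    for ip, info in arp_conflicts(ARP_REPLIES).items():
        tag = "POISONING RACE" if info["flapping"] else "single change"
        print(f"{ip}: {tag}, {info['flips']} flips between {info['macs']}")
```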

crypto ftw sucks

few tools dynamically handle certs

ones that do are generally passive listeners (sslsniff)

those that do manipulate traffic & dynamically handle certs don't do well if the traffic is not HTTP (burp)


pics or it didn't suck

using cain, i arp poisoned my whole network (a /24, with 6 live hosts). i then checked email using imaps, and both twitter and gmail over https. the end result was that, while cain captured the certs, the connections weren't successfully intercepted. worse, in the case of the twitter connection, cain was able to snarf the twitter information, but it was completely wrong.


data capture is fun

remember tjx and heartland, from back before anti-nony-lulzsec made everyone forget about actual hacking by releasing a tsunami of dox? they are examples of what can happen when someone just passively captures data (crypted or plain).

then there's the obligatory hipsters sitting in starbucks credentials theft scenario. whatever.

mucking with packets is better

mobile app testing requires more than passive capture.

why just watch wifi traffic, when you could be injecting client side exploits into the streams?

could using mitm help social engineering?

enter mallory

mallory is

a tcp mitm proxy

that supports fuzzing

and tcp stream editing

mallory is notburp

terribly well supported

necessarily stable

how to get mallory

bitbucket.org/IntrepidusGroup/mallory

install ubuntu

run the mallory install script

done.

download the minimal vm image, and run the update script for that (deprecated)

licensing

python foundation software license v2

except the gui. that's gpl3

some familiar challenges

have to get traffic to the mallory host

pptp

gateway box (virtual or otherwise)

traditional mitm techniques already covered

but now you can do stuff easily

pause the streams (tcp/udp)

manipulate packets (manually, or via rulesets)

create modules to deal with unknown protocols

then muck with that data

recent changes to mallory

gui vastly improved

configuration moved to gui

rules / mucking syntax made much better

many rules / mucking bugs fixed

stuff i've done

created the install / update scripts

for the vm image

for standard ubuntu iso installs (10.10 & 11.04)

completely redesigned the directory structure

made it *nix-ish

for great justice!

added random shell scripts / minor code tweaks

code tweaks: updated a lot of files to work with the new directory structure; changed the codebase to use native set() instead of python Sets module

common problems

rules gui is confusing

protocols configuration is confusing

traffic doesn't show up in the stream

solutions

think backwards

need to have a rule before you can edit it

uncommented protocols get handled by the protocol handler, not the tcp debugger

yeah, that sucks

demo!

endgame

mallory pwns!

mallory support

bitbucket issue tickets

google group

twitter

intrepidusgroup.com/insight/mallory

@rossja