The document discusses practical man-in-the-middle attacks that can be carried out on local networks. It covers several types of attacks including ARP cache poisoning, DNS cache poisoning, DHCP exhaustion, wireless evil twin attacks, forced HTTP redirection using SSLStrip, and SLAAC attacks on IPv6 networks. The document provides steps to automate many of these attacks and demonstrates them in practical scenarios. Prevention techniques are also discussed for each attack vector.
2. whoami
• Jonathan Cran
• Advisor, SOURCE Conference
• CTO Pwnie Express
• QA Director Metasploit
• Penetration Tester Rapid7
2Saturday, June 22, 13
3. Agenda
• MitM is a huge topic
• Why Should You Care in 2013?
• Practical Attacks
• Practical Attack Automation
• Drop Boxes!
• Takeaways + Future Work
14. A couple reasons
• Wireless everywhere
• Smartphones / AT&T auto-connect
• Retail / POS Networks
• Android apps
• Sometimes it’s hard to take control of a particular system. Network is the easier target.
15. And...
• Local Network - ARP Cache Poisoning is STILL a valid attack - defense is impractical in many cases
• Local Network - SLAAC looks to be the best replacement if ARP Cache Poisoning won’t work - Windows 7+ has a default IPv6-enabled stack - Recommendation? Disable IPv6
• Internet - SSL - Would your users really notice lack of http or an invalid cert?
• Wireless - Wireless “Evil Twin” flaws still pervasive
16. Android
• It means your personal information is being transmitted to advertising agencies in mass quantities.
• Mallodroid - Leibniz University of Hannover
• 13,500 Android apps reversed, 1074 vulnerable (8%)
• SSL/TLS code that is potentially vulnerable to MITM attacks
17. And...
• ARM Devices continue to get smaller / more portable
• Pwn Plug
• Gumstix
• ODroid
• MK - SS808
26. And...
• 4G / LTE Speeds will get faster
• Freedom Stick
27. That said...
• Securing Layer 2 is hard
• You’re probably not getting owned by folks with physical access (or are you?)
• TJX (WEP + Arp Spoofing)
• Subway (Backdoored devices)
• Barnes and Noble (Verifone / Linux Pinpads)
• Realistically, dumping hashes on a Windows box is an easier vector during most enterprise penetration tests
• Financial Crime? Man-in-Browser
• Go where the data is, silly.
28. I thought you said practical
30. A Note on Attack Prevention
• Use a strong VPN Connection
• Do not use PPTP, MSCHAPv2 broken
• L2TP/IPSec, IPSec with IKEv2 and OpenVPN
31. Hardware Taps
• DualComm DCSW-1005 (Active Copy)
• Throwing Star LAN Tap (Passive)
32. Hardware Bridges
• Simply place a device in-line and act as a bridge
• brctl (bridge-utils)
• EBTables to route traffic
35. ARP Cache Poisoning
• Observe broadcast request, send malicious ARP reply, victim stores attacker’s MAC for the IP
• “Poison” a single comm channel, or both
• Automated:
• zomg so many ways to do it - just use arpspoof
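The defender's side of the ARP slide, as an added example that is not from the talk: a passive detector in the style of arpwatch that learns IP-to-MAC bindings from ARP replies and flags a rebinding of an IP or one MAC claiming several IPs (what poisoning both ends of a channel looks like). The capture data is constructed.

```python
from collections import defaultdict

class ArpMonitor:
    """Passive ARP-poisoning detector (constructed example, arpwatch-style).
    Learns the first MAC claimed for each IP and alerts when a later reply
    rebinds the IP, or when one MAC claims more IPs than expected, as it
    does when both ends of a conversation are poisoned."""

    def __init__(self, max_ips_per_mac=1):
        self.ip_to_mac = {}                      # learned bindings
        self.mac_to_ips = defaultdict(set)       # reverse index
        self.max_ips_per_mac = max_ips_per_mac   # raise for routers / VM hosts
        self.alerts = []

    def observe(self, ip, mac):
        """Feed one ARP reply (sender IP, sender MAC)."""
        mac = mac.lower()
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac
        elif known != mac:
            # Legitimate causes exist (NIC swap, VRRP failover, DHCP reuse),
            # so this is an alert to triage, not proof of an attack.
            self.alerts.append(f"changed: {ip} moved from {known} to {mac}")
            self.ip_to_mac[ip] = mac             # keep tracking; a flip back alerts again
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            ips = ",".join(sorted(self.mac_to_ips[mac]))
            self.alerts.append(f"multi-ip: {mac} claims {ips}")

def scan(replies, max_ips_per_mac=1):
    """Run the monitor over (ip, mac) pairs and return the alert list."""
    mon = ArpMonitor(max_ips_per_mac)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts

# Constructed capture: (sender IP, sender MAC) from ARP replies on one segment.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),   # gateway
    ("10.0.0.20", "00:11:22:33:44:20"),  # workstation
    ("10.0.0.1", "00:11:22:33:44:01"),   # benign repeat
    ("10.0.0.1", "de:ad:be:ef:00:01"),   # gateway rebound to another MAC
    ("10.0.0.20", "de:ad:be:ef:00:01"),  # same MAC now claims the workstation too
]
```

On a real segment the pairs come from a sniffer's ARP replies; the same logic also catches gratuitous ARP used to refresh a poisoned entry, since that is just another reply that rebinds the IP.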
38. A note on MACSec
• MACsec, defined in 802.1AE, provides MAC-layer encryption over wired networks
• MKA and MACsec are implemented after successful authentication using the 802.1X Extensible Authentication Protocol (EAP) framework.
39. DNS Cache Poisoning, previously
• Cache poisoning without response forgery
• bailiwick rule fixed this in ~1993
• Blind response forgery using birthday attack
• “Birthday attack” - guess TXID, known since 2002
• “Kaminsky attack” - required guessing TXID, but added hijacking the authority records
• Automating: http://www.metasploit.com/modules/auxiliary/spoof/dns/bailiwicked_domain
44. DNS Cache Poisoning, now
• Response forgery using eavesdropping
• Requires “being in the middle”
• Automating: Ettercap
45. SLAAC Attack
• Instructions provided by the Infosec Institute article
• Uses RADVD + DHCPv6 + NAT-PT + IPv6 DNS server
• NAT-PT allows our IPv6-addressed victims to access the Internet through IPv4
48. SLAAC Attack
• The address of the victim’s DNS server matches the NAT-PT prefix on evil-rtr, denoting that the last 32 bits contain the DNS server’s IPv4 address.
• NAT-PT translates the source and destination IPv6/IPv4 addresses in both directions.
• The DNS ALG translates the victim’s AAAA query for an IPv6 address into an A query for an IPv4 address and vice versa on the way back.
• The DNS ALG also translates the IPv4 address in the reply to an IPv6 address that matches the NAT-PT prefix.
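The "last 32 bits carry the IPv4 address" layout above is easy to check for, which makes it a useful hunting indicator on a network that is not supposed to be running IPv6. This is an added example, not code from the talk or the Infosec Institute article; the /96 prefix and addresses are constructed, and the NAT64 well-known prefix 64:ff9b::/96 uses the same layout, so the function covers it too.

```python
import ipaddress

def embedded_ipv4(addr, prefix):
    """If addr lies inside the /96 translation prefix, return the IPv4
    address carried in its low 32 bits, else None."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("translation prefix must be a /96")
    a = ipaddress.IPv6Address(addr)
    if a not in net:
        return None
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)

def find_translated(addrs, prefix):
    """Map every translator-synthesised address in addrs to its IPv4 form.
    Feed it the DNS server an RA/DHCPv6 hands out, or destinations seen in
    host logs, to spot traffic that is being steered through a translator."""
    found = {}
    for s in addrs:
        v4 = embedded_ipv4(s, prefix)
        if v4 is not None:
            found[s] = str(v4)
    return found

# Constructed sample: the /96 a rogue router advertises, the DNS server it
# hands out (192.0.2.53 behind the translator), an IPv4 LAN host, and an
# unrelated native IPv6 address that must not match.
NATPT_PREFIX = "2001:db8:1:ffff::/96"
SAMPLE = [
    "2001:db8:1:ffff::c000:235",   # 192.0.2.53 in the low 32 bits
    "2001:db8:1:ffff::c0a8:101",   # 192.168.1.1 in the low 32 bits
    "2001:db8:2::1",               # outside the prefix
]
```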
50. SLAAC Attack
• We have not compromised or altered the operation of the victim’s IPv4 network, as we would have needed to do in order to MITM IPv4 traffic. We’ve not even needed to get an IPv4 address from their DHCP server.
• We have not compromised an existing IPv6 network, because there wasn’t one before we arrived.
• We have not compromised any given victim host (yet!). Each machine is behaving as designed and is choosing IPv6 over IPv4 of its own volition.
• We have managed to totally alter the flow of traffic on the victim’s network by awakening the hosts’ latent desire to use IPv6 over IPv4.
51. SLAAC Attack
• We’re introducing a new path to the Internet. Any defences or monitoring employed at the network’s IPv4 boundary are therefore ineffective and will raise no indicators of compromise.
• There’s a chance that the victim’s security systems (e.g., host firewalls, HIPS, SIEM boxes, etc.) won’t be able to handle IPv6 traffic. IPv6 support on such systems is rarely as mature as its IPv4 equivalent.
• Since the victims “aren’t using IPv6” they won’t be expecting an attack that makes use of it.
• If the above is true, there’s a chance their Incident Response teams won’t have the necessary training and experience with IPv6 to deal with an incident.
55. DHCP Exhaustion
• Request leases until the server runs out
• Provide a lease to new clients
• Set up your own DNS server for the client
• Automated:
• http://www.digininja.org/metasploit/dns_dhcp.php
• yersinia
60. Pwn Pad
• 802.11 and Bluetooth Wireless Surveys
• 802.11 Wireless MitM Testing
• Wireless Traffic Capture
• Remote Network Access
• Zigbee Sniffing with Kisbee
• RFID Sniffing with the Proxmark III
• Bluetooth Sniffing with the Ubertooth
66. Forced HTTP
• Take advantage of servers that serve over both HTTP and HTTPS
• Rewrite links as HTTP
• Abuse the user’s ignorance of “secure”
• Automated: SSLStrip + IPTables
67. Forced HTTP with SSLStrip
• echo 1 > /proc/sys/net/ipv4/ip_forward
• iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 10000
• sslstrip -a -k -f -p 10000
69. Preventing SSLStrip
• Server-side HSTS Header
• Automatically turns any insecure links to the website into secure links.
• http://example.com/some/page/ -> https://example.com/some/page/
• If the security of the connection cannot be ensured (i.e., self-signed cert), show an error message and do not allow the user to access the site.
70. HSTS
• HSTS tells the browser: never use HTTP with this site.
• The first time the browser sees the HSTS header from the server, it remembers it.
• This will work as long as the attacker doesn’t strip the header on the first visit to the site.
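To make the two HSTS slides concrete, here is an added example (not from the talk) that models the browser side: it parses Strict-Transport-Security, remembers the policy with its expiry, rewrites http:// links for remembered hosts, and shows the first-visit gap, where no stored policy means no upgrade. Hosts, header values and the injectable clock are constructed.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    """Minimal model of a browser's HSTS policy store (constructed example)."""
    def __init__(self, now=time.time):
        self.now = now            # injectable clock so expiry can be tested
        self.policies = {}        # host -> (expires_at, include_subdomains)

    def process_header(self, host, header_value):
        """Record the Strict-Transport-Security policy from an HTTPS response.
        Returns False and changes nothing if the header is malformed."""
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                m = re.fullmatch(r'"?(\d+)"?', value.strip())
                if m:
                    max_age = int(m.group(1))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:          # RFC 6797: max-age=0 deletes the policy
            self.policies.pop(host, None)
        else:
            self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            pol = self.policies.get(".".join(labels[i:]))
            if pol and pol[0] > self.now() and (i == 0 or pol[1]):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// only when a policy applies. With no
        stored policy (first visit) the URL is left alone: that is the
        window SSLStrip relies on, and why the header alone is not enough."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```

Real browsers close the first-visit gap for sites on the built-in HSTS preload list, which ships the policy with the browser instead of waiting for the header.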
72. CAM Overflow
• Flood the local network with random MAC addresses
• Causes some switches to fail open in repeating mode
• Automated: sudo macof -i eth0
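Both the DHCP exhaustion slide and the CAM overflow slide describe a flood of never-before-seen MAC addresses, so one detector serves both. This is an added example, not the talk's code: a sliding-window counter of new MACs keyed by DHCP server or by switch port, with constructed events and thresholds that would need tuning per network.

```python
from collections import defaultdict, deque

class NewMacRateMonitor:
    """Alert when too many never-seen MAC addresses appear in a short window.
    One instance serves both detections: key the events by DHCP server
    (DISCOVERs) or by switch port (learned source MACs)."""

    def __init__(self, window_secs=10.0, threshold=20):
        self.window, self.threshold = window_secs, threshold
        self.seen = defaultdict(set)        # key -> MACs seen (cap this in production)
        self.recent = defaultdict(deque)    # key -> first-sighting timestamps in window
        self.alerted = defaultdict(bool)    # key -> currently above threshold?
        self.alerts = []

    def observe(self, key, mac, ts):
        mac = mac.lower()
        if mac in self.seen[key]:
            return None                     # a known MAC never counts toward the burst
        self.seen[key].add(mac)
        q = self.recent[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:
            q.popleft()                     # drop sightings that fell out of the window
        if len(q) < self.threshold:
            self.alerted[key] = False       # burst is over; allow a future alert
            return None
        if self.alerted[key]:
            return None                     # already reported this burst
        self.alerted[key] = True
        msg = f"{key}: {len(q)} new MACs in {self.window:g}s at t={ts:.2f}"
        self.alerts.append(msg)
        return msg

def constructed_events():
    """Constructed sample: normal DHCP churn, then a DHCP exhaustion burst,
    then a CAM overflow burst on one switch port."""
    ev = [("dhcp-discover", f"00:11:22:33:44:{i:02x}", 10.0 * i) for i in range(5)]
    ev += [("dhcp-discover", f"02:dd:00:00:00:{i:02x}", 60.0 + 0.05 * i) for i in range(30)]
    ev += [("port-gi0/3", f"02:ca:00:00:00:{i:02x}", 100.0 + 0.07 * i) for i in range(40)]
    return ev

def run(events, window_secs=10.0, threshold=20):
    """Replay (key, mac, timestamp) events and return the alerts raised."""
    mon = NewMacRateMonitor(window_secs, threshold)
    for key, mac, ts in events:
        mon.observe(key, mac, ts)
    return mon.alerts
```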
73. Preventing CAM Overflow
• Similar to ARP Spoofing
• MAC Address monitoring
• DHCP Snooping
• Dynamic ARP Inspection
75. BGP Attacks
• "Stealing the Internet - A Routed, Wide-area, Man in the Middle Attack"
• Renesys - “Defending Against BGP Man-In-The-Middle Attacks”
• Every organization owes its Internet connectivity to one protocol: BGP4. There are no alternatives.
• Everyone who connects to the Internet is currently exposed to various routing risks: downtime, hijacking and now even wholesale traffic interception.
82. IRDP Spoofing
• ICMP Internet Router Discovery Protocol (IRDP) uses Internet Control Message Protocol (ICMP) router advertisements and router solicitation messages to allow a host to discover the addresses of operational routers on the subnet.
• The attacker can forge some advertisement packet pretending to be the router for the LAN.
• He/she can set the “preference level” and the “lifetime” at high values to be sure the hosts will choose it as the preferred router.
• The attack can be improved by sending some spoofed ICMP Host Unreachable pretending to be the real router
• Automated: IRPAS (http://www.phenoelit.de/irpas)
84. STP Mangling
• STP (Spanning-Tree Protocol) mangling refers to the technique used for the attacker host to be elected as the new root bridge of the spanning tree.
• The attacker may start either by forging BPDUs (Bridge Protocol Data Units) with high priority assuming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge.
• Automated: yersinia
87. Takeaways
• “MitM is an underrated attack vector”
• Phones are trivial to MitM because of Evil Twin issues
• Dropboxes present a credible threat
• POS networks / systems are available / trending wireless
• Many powerful MitM attacks can be automated, old school techniques still work
88. Prior Work and Resources
• http://www.blackhat.com/presentations/bh-usa-02/bh-us-02-convery-switches.pdf
• http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-ornaghi-valleri.pdf
• http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
• http://www.packetwatch.net/documents/papers/layer2sniffing.pdf
• http://packetlife.net
• http://my.safaribooksonline.com/book/networking/security/9781587052569