DON’T DO STUPID SHIT WITHOUT PERMISSION
- YOU’LL BE BREAKING THE LAW (there’s a law lecture, it’s enthralling)
whoami
3rd year
@calagaraa/@cagaarr
I like infrastructure
Reverse engineering is cool
I climb and stuff
American football is lyf - GO PATS
I love politics
Tech Glossary
● WiFi Pineapple -- cool wireless hacking thing
● SSLStrip -- removes encryption from HTTPS traffic
● Ettercap -- used to perform man in the middle attacks
● Kali -- super useful hacker OS
● Wireshark -- packet sniffer, watch what you send over a network (can be scary)
IT’S ALL FREEEEEEEEEE
References on hacksoc.co.uk
What’s the point?
I want to see what you are doing
You could have valuable information
I could just be a dickhead wanting your logins
[stock images rule]
When can I do it?
EVER USE PUBLIC WIFI? (DON'T - UNLESS YOU VPN)
Open WiFi networks are treasure troves for this
Could do it at home I guess??
I miss waitrose :( :( :(
The principles
Bob is connected to Starbucks wifi - he is a meanie and wants Jimmy’s facebook log on - for blackmail or something idk
Bob uses ARP poisoning to convince the network that the traffic should go to him before the internet - becoming the default gateway
Bob then uses sslstrip to read the https data from Jimmy’s facebook by rerouting it through a local port on his machine
Oh hello log on details - Sésame, ouvre-toi
[diagram: jimmy and bob]
ARP - Address Resolution Protocol
How IPv4 knows who’s who
Allows IP addresses to be mapped to MAC addresses
- MAC is a unique code for each NIC (it’s also spoofable)
- IPs are usually dynamic on a local network
The principles
Bob is connected to Starbucks wifi - he is a meanie and wants Jimmy’s facebook log on - for blackmail or something idk
Bob uses ARP poisoning to convince the network that the traffic should go to him before the internet - he effectively plays the router
Bob then uses sslstrip to read the https data from Jimmy’s facebook by rerouting it through a local port on his machine
Oh hello log on details - Sésame, ouvre-toi
[diagram: jimmy and bob]
Nitty Gritty
What am I actually trying to do? How can I do it?
Consolidate knowledge: what do I already know? What can I learn?
View everything as a learning opportunity
Nitty Gritty
What am I actually trying to do? How can I do it?
Consolidate knowledge: what do I already know? What can I learn?
How to utilise your knowledge - Tools? Hardware?
Plan it out - what is your direction of attack
Execute - go for it!!
What’s happening? 1. Set up
Becoming the gateway - ARP Poisoning
Manipulate ARP tables - duplicate IP of default gateway as your own
Use ettercap, bettercap, arpspoof etc etc
ettercap -T -i eth2 -w ~/Desktop/log.log -M ARP /192.168.234.129// /192.168.234.2//
Or: ettercap -G
But what can I actually see?
HTTP requests - see where they are going
HTTP traffic - unencrypted, and an increasingly small share of what is sent
HTTP requests - images transferred between client and server
HTTPS requests - encrypted traffic
Getting rid of Encryption?
SSLStrip by Moxie Marlinspike
First demonstrated at Black Hat 2009 - Slides: https://goo.gl/7zDEmx Presentation: https://goo.gl/UGQf8z
Changes links from https to http
Allows traffic to be seen in the clear in Wireshark & other sniffers
Literally changes link from https://www.foo.bar to http://www.foo.bar
Acts in between the client and server - literally an SSL middle man
Moxie Marlinspike
Genius
Founded Open Whisper Systems
Wrote the Signal Protocol
Used by Signal - Encrypted messaging app
Protocol used for Whatsapp and Facebook Secret Messages
Ask Mikey about crypto - I don’t know much
2009? Out of date?
Yes, yes it is
Heavily mitigated in 2015/2016 with browser enforcement of HSTS
HSTS - HTTP Strict Transport Security
Enforcement of the HTTPS protocol.
Uses preloaded DNS and certs in the browser to ensure SSL
Not everyone has fixed it...
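To make the mitigation concrete, here is an added example (not code from the talk or from any browser) of the client-side HSTS logic that undoes SSLStrip's link rewrite: parse the Strict-Transport-Security header, remember the policy only when it arrived over HTTPS, and upgrade http:// links for hosts with a live policy. The `preload` set stands in for the list of hostnames compiled into the browser; the hostnames, header values and clock are constructed, and `example-bank.test` is a placeholder.

```python
"""Browser-side HSTS (RFC 6797) policy handling, reduced to the parts that
defeat an sslstrip-style https->http link rewrite.

Added example for the HSTS slide; not code from the talk or from any
browser. Host names, header values and the clock are constructed.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value.
    Returns (max_age_seconds, include_subdomains), or None when the header
    is malformed (RFC 6797 requires a max-age directive)."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """Known-HSTS hosts. `preload` models the list compiled into the browser:
    those hosts are upgraded even on the very first visit."""

    def __init__(self, preload=(), now=time.time):
        self._now = now
        # host -> (expiry timestamp, include_subdomains); preloaded entries never expire
        self._policies = {h.lower(): (float("inf"), True) for h in preload}

    def remember(self, host, header_value, over_https):
        """Store the policy a site sent. A browser ignores the header unless it
        arrived over HTTPS, so a stripped (plain-HTTP) connection cannot set one."""
        if not over_https:
            return False
        parsed = parse_hsts(header_value)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self._policies.pop(host, None)  # max-age=0 clears a stored policy
        else:
            self._policies[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry <= now:
                continue  # expired policy
            if i == 0 or include_subdomains:
                return True
        return False

    def upgrade(self, url):
        """Rewrite http:// to https:// for a known host: this is the step that
        undoes sslstrip's https://www.foo.bar -> http://www.foo.bar rewrite."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or ""):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):
            netloc = f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """A site seen once over HTTPS; afterwards an attacker-rewritten link is upgraded."""
    store = HstsStore(preload=["example-bank.test"])  # placeholder preload host
    store.remember("www.foo.bar", "max-age=31536000; includeSubDomains", over_https=True)
    return store.upgrade("http://www.foo.bar/login")


if __name__ == "__main__":
    print(demo())  # https://www.foo.bar/login
```

The trust-on-first-use gap is visible in `remember` and `is_known`: a site that never sends the header, or a first visit before any policy is stored, is not upgraded, which is why the preload list exists and why the next slide's point stands.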
(not) Invisible
Chrome and Firefox both display warnings of insecure posts
(Reddit also posts error 304: unauthenticated)
Mitigations - network
Static ARP tables - no way to configure MAC or clone the gateway
Dynamic ARP Inspection - validation on a network of IP/MAC pairs
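As an added example for the ARP slide above and for these network mitigations (not code from the talk, from ettercap or from arpwatch), the following Python script parses a constructed tcpdump-style capture of ARP replies and flags the three signs that a static ARP table or Dynamic ARP Inspection would catch: a trusted IP/MAC binding being contradicted, a learned binding changing mid-capture, and one MAC answering for several IPs. The IPs are the two from the ettercap command earlier in the slides; the MACs, timestamps and the `STATIC_BINDINGS` table are made up.

```python
"""ARP-poisoning detector over a captured stream of ARP replies.

Added example for the ARP slide and the network-mitigations slide; it is
not code from the talk or from ettercap/arpwatch. The capture below is
constructed in a tcpdump-like format; the IPs are the ones from the
ettercap command in the slides, the MACs are made up.
"""
import re
from collections import defaultdict

# Constructed sample: the gateway (192.168.234.2) first answers from its
# real NIC, then a second host starts answering for both the gateway and
# the victim (192.168.234.129), which is what bidirectional ARP poisoning
# looks like on the wire.
SAMPLE_CAPTURE = """\
12:00:01.000 ARP, Reply 192.168.234.2 is-at 00:50:56:aa:aa:01, length 46
12:00:02.000 ARP, Reply 192.168.234.129 is-at 00:0c:29:bb:bb:02, length 46
12:00:03.000 ARP, Reply 192.168.234.2 is-at 00:0c:29:cc:cc:03, length 46
12:00:03.100 ARP, Reply 192.168.234.129 is-at 00:0c:29:cc:cc:03, length 46
12:00:04.000 ARP, Request who-has 192.168.234.2 tell 192.168.234.129, length 46
"""

# What a static ARP table (or a switch's DAI binding table) would hold; constructed.
STATIC_BINDINGS = {"192.168.234.2": "00:50:56:aa:aa:01"}

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_arp_replies(capture):
    """Return (timestamp, ip, mac) for every ARP reply line; requests and
    unrelated lines are skipped."""
    replies = []
    for line in capture.splitlines():
        match = ARP_REPLY.match(line.strip())
        if match:
            replies.append((match["ts"], match["ip"], match["mac"].lower()))
    return replies


def detect_arp_poisoning(replies, trusted=None):
    """Flag suspicious replies. Three checks, roughly what DAI, a static
    table and arpwatch give you:
      STATIC_MISMATCH         - an IP with a trusted binding was claimed by another MAC
      BINDING_CHANGED         - an IP learned earlier in the capture moved to a new MAC
      MAC_CLAIMS_MULTIPLE_IPS - one MAC is answering for more than one IP
    Returns a list of (timestamp, kind, ip, mac)."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned = {}                 # first MAC seen for each IP
    ips_by_mac = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        if ip in trusted:
            if trusted[ip] != mac:
                alerts.append((ts, "STATIC_MISMATCH", ip, mac))
        elif ip in learned and learned[ip] != mac:
            alerts.append((ts, "BINDING_CHANGED", ip, mac))
        learned.setdefault(ip, mac)
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, "MAC_CLAIMS_MULTIPLE_IPS", ip, mac))
    return alerts


def analyse_sample():
    """Run the detector over the constructed capture with the static table."""
    return detect_arp_poisoning(parse_arp_replies(SAMPLE_CAPTURE), STATIC_BINDINGS)


if __name__ == "__main__":
    for ts, kind, ip, mac in analyse_sample():
        print(f"{ts} {kind}: {ip} answered by {mac}")
```

Without a static table the first check never fires and the gateway takeover only shows up as BINDING_CHANGED, which is the difference between the two mitigations on this slide. In a real deployment the multiple-IPs rule needs an allowlist (a router with secondary addresses or VRRP legitimately answers for several IPs), and the detector only sees replies on the segment the capture was taken from.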
References
1. Pineapple - https://hakshop.com/products/wifi-pineapple
2. Kali - https://www.kali.org/
3. Sslstrip - https://moxie.org/software/sslstrip/
4. Ettercap - https://ettercap.github.io/ettercap/
5. Moxie - https://moxie.org
6. Wireshark - https://www.wireshark.org/
7. Moxie Blackhat talk - https://ia800701.us.archive.org/7/items/blackhat2009dcvideo/BlackHat_DC_2009_Moxie_Marlinespike_Defeating_SSL_in_Practice.mp4
8. Moxie Blackhat slides - https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
9. Pineapple Modules - https://www.wifipineapple.com/modules
10. Chrome HTTPS non-secure - https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
11. Firefox HTTPS non-secure - https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
12. Chrome next steps - https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html
13. ARP mitigations - Colin
14. Signal - https://signal.org/
15. Whatsapp - https://signal.org/blog/whatsapp-complete/
16. Facebook secure - https://signal.org/blog/facebook-messenger/
17. SSLStrip (plus) - https://github.com/LeonardoNve/sslstrip2
18. Leonardo Nve - https://twitter.com/leonardonve?lang=en (it’s really in Spanish)