A look into Man in the Middle attacks Two way mirrors and traffic, How Do They Correlate?




A look into Man in the Middle attacks

Two way mirrors and traffic, How Do They Correlate?

DON’T DO STUPID SHIT WITHOUT PERMISSION - YOU’LL BE BREAKING THE LAW (there’s a law lecture, it’s enthralling)

whoami

3rd year

@calagaraa/@cagaarr

I like infrastructure

Reverse engineering is cool

I climb and stuff

American football is lyf - GO PATS

I love politics

Tech Glossary
● WiFi Pineapple -- cool wireless hacking thing (a pocket access point built for man in the middle work)
● SSLStrip -- downgrades a victim’s HTTPS links to HTTP so their traffic is sent in the clear
● Ettercap -- used to perform man in the middle attacks (ARP poisoning and sniffing)
● Kali -- super useful hacker OS
● Wireshark -- packet sniffer, watch what you send over a network (can be scary)

IT’S ALL FREEEEEEEEEE

References on hacksoc.co.uk

What’s the point?

I want to see what you are doing

You could have valuable information

I could just be a dickhead wanting your logins

[stock images rule]

When can I do it?

EVER USE PUBLIC WIFI? (DON'T - UNLESS YOU VPN)

Open WiFi networks are treasure troves for this

Could do it at home I guess??

I miss waitrose :( :( :(

The principles

Bob is connected to Starbucks wifi - he is a meanie and wants Jimmy’s Facebook log on - for blackmail or something idk

Bob uses ARP poisoning to convince Jimmy’s machine that the default gateway’s IP address belongs to Bob’s MAC address - traffic bound for the internet goes to Bob first, and he effectively plays the router

Bob then runs sslstrip, redirecting Jimmy’s web traffic through a local port on his machine - the https links Facebook serves are rewritten to http, so Jimmy’s browser submits the log on form in the clear while Bob talks HTTPS to Facebook on his behalf

Oh hello log on details - Sésame, ouvre-toi (open sesame)

[diagram: jimmy - bob]

ARP - Address Resolution Protocol

How IPv4 knows who’s who on a local network

Allows IP addresses to be mapped to MAC addresses

- MAC is a unique code for each NIC (it’s also spoofable)

- IPs are usually dynamic on a local network

- ARP has no authentication - any host can answer "who has 192.168.x.1?", and hosts cache whichever reply they heard last. That is the whole basis of poisoning.


Nitty Gritty

What am I actually trying to do? How can I do it?

Consolidate knowledge: what do I already know? What can I learn?

View everything as a learning opportunity

- You will never know nothing

- You will never know everything

How to utilise your knowledge - Tools? Hardware?

Plan it out - what is your direction of attack?

Execute - go for it!!

Part One - The Gentlemen’s Lounge

What’s happening?

1. Set up - becoming the gateway - ARP Poisoning

Manipulate ARP tables - answer ARP for the default gateway’s IP with your own MAC, so the victim’s ARP cache points the gateway’s IP at you

Use ettercap, bettercap, arpspoof etc etc

ettercap -T -i eth2 -w ~/Desktop/log.log -M ARP /192.168.234.129// /192.168.234.2//

(-T text interface, -i the interface to attack on, -w write the sniffed packets to a pcap file, -M ARP the man in the middle method; the two targets are the victim /192.168.234.129// and the gateway /192.168.234.2//, written MAC/IP/PORT with the unused fields left empty)

Or ettercap -G for the GTK GUI

Dirty

Who listens to a network anyway...

A savvy user will spot it straight away - as well as anyone doing live or post auditing: the gateway’s IP suddenly answers from a new MAC, the poisoned replies are re-sent continuously to keep caches poisoned, and Wireshark flags the duplicate IP address

But what can I actually see?

HTTP requests - see where they are going

HTTP traffic - increasingly less of it is unencrypted (HTTP is being displaced by HTTPS)

HTTP - pages and images transferred between client and server, in the clear

HTTPS - encrypted traffic: you still see which host is being talked to (DNS lookups, the TLS SNI hostname) and how much, but not the content

Getting rid of Encryption?

SSLStrip by Moxie Marlinspike

First demonstrated at Black Hat DC 2009 - Slides: https://goo.gl/7zDEmx Presentation: https://goo.gl/UGQf8z

Sits between the client and server as a transparent proxy - literally an SSL middle man. The victim’s plain HTTP goes through it, and it fetches the real site over HTTPS on their behalf

Rewrites https links and redirects in the pages it relays to http - literally changes https://www.foo.bar to http://www.foo.bar - so the browser never makes a TLS connection and never shows a certificate warning

Allows the traffic to be seen in Wireshark & other sniffers

Only works if the first request is plain http (typing a hostname without https://, or clicking an http link) - the encryption is never broken, it is just never started

Moxie Marlinspike

Genius

Founded Open Whisper Systems

Co-wrote the Signal Protocol (with Trevor Perrin)

Used by Signal - Encrypted messaging app

Protocol used for WhatsApp and Facebook Messenger’s Secret Conversations

Ask Mikey about crypto - I don’t know much

2009? Out of date?

Yes, yes it is

Heavily mitigated as browsers and sites adopted HSTS - widespread by 2015/2016

HSTS - HTTP Strict Transport Security (RFC 6797)

Enforcement of HTTPS: the site sends a Strict-Transport-Security header over HTTPS, and for max-age seconds the browser refuses to send plain HTTP to that host - it upgrades http:// links itself, and certificate errors become unskippable

Browsers also ship a preload list of domains that get this treatment from the very first visit. That closes the "first request is http" gap sslstrip depends on - the header alone cannot, because an attacker already in the middle of a plain http request simply strips it

Not everyone has fixed it...

Let’s pray

What just happened? - hopefully

(not) Invisible

Chrome and Firefox both display warnings of insecure posts

(Reddit also posts error 304: unauthenticated)

Mitigations - application

Chrome (56) and Firefox (51) - both January 2017 - mark HTTP pages that ask for a password as not secure

Chrome - Front runner (IMO)

Stated goal: DISPLAY ALL HTTP AS INSECURE

Mitigations - network

Static ARP entries - the host pins the gateway’s IP/MAC pair, so poisoned replies are ignored (fine for a server, unmanageable for a café)

Dynamic ARP Inspection - the switch validates every ARP reply against the IP/MAC bindings it learned (normally via DHCP snooping) and drops the ones that don’t match
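As an added example (not code from the talk or from ettercap, Wireshark or any switch vendor), here is what the "savvy user" above and Dynamic ARP Inspection are actually checking, in Python. It replays a constructed list of ARP replies using the victim and gateway IPs from the ettercap command; the three MAC addresses are invented for the example. `detect_mac_changes` is the passive, host-side check, `dai_filter` is the switch-style check against a trusted binding table; both names are mine.

```python
"""Two ways to catch ARP poisoning, run over a constructed ARP reply capture.

detect_mac_changes(): passive, host-side. Remembers the MAC each IP claimed
and flags the moment a known IP shows up with a different MAC. This is the
same signal Wireshark surfaces as a duplicate-IP-address expert warning.

dai_filter(): Dynamic ARP Inspection, switch-side. Every reply is checked
against a trusted IP->MAC table (on a real switch learned via DHCP snooping)
and contradicting replies are dropped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    t: float          # seconds since capture start
    sender_ip: str    # "I am sender_ip ..."
    sender_mac: str   # "... and my MAC is sender_mac"
    target_ip: str    # the host being told this


GATEWAY_IP = "192.168.234.2"        # from the ettercap command in the slides
VICTIM_IP = "192.168.234.129"       # from the ettercap command in the slides
GATEWAY_MAC = "00:50:56:e6:9a:01"   # assumed real gateway MAC (made up)
VICTIM_MAC = "00:0c:29:4f:8b:1c"    # assumed victim MAC (made up)
ATTACKER_MAC = "00:0c:29:aa:bb:cc"  # assumed attacker (Bob) MAC (made up)

# Constructed capture: normal resolution, then ettercap-style poisoning of
# both ends, which is re-sent to keep the caches poisoned.
CAPTURE = [
    ArpReply(0.0, GATEWAY_IP, GATEWAY_MAC, VICTIM_IP),   # legitimate
    ArpReply(0.1, VICTIM_IP, VICTIM_MAC, GATEWAY_IP),    # legitimate
    ArpReply(5.0, GATEWAY_IP, ATTACKER_MAC, VICTIM_IP),  # poison the victim
    ArpReply(5.0, VICTIM_IP, ATTACKER_MAC, GATEWAY_IP),  # poison the gateway
    ArpReply(6.0, GATEWAY_IP, ATTACKER_MAC, VICTIM_IP),  # repeat
]

# What a switch's DHCP snooping table would hold for this network.
TRUSTED_BINDINGS = {GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC}


def detect_mac_changes(replies):
    """Return (time, ip, old_mac, new_mac) for every IP that changes MAC."""
    seen = {}
    alerts = []
    for r in replies:
        prev = seen.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            alerts.append((r.t, r.sender_ip, prev, r.sender_mac))
        seen[r.sender_ip] = r.sender_mac
    return alerts


def dai_filter(replies, bindings):
    """Dynamic ARP Inspection: split replies into (forwarded, dropped).

    A reply is dropped when its sender IP has a trusted binding and the MAC
    does not match it. IPs with no binding are forwarded (a real switch would
    also rate-limit ARP on untrusted ports).
    """
    forwarded, dropped = [], []
    for r in replies:
        expected = bindings.get(r.sender_ip)
        if expected is not None and expected != r.sender_mac:
            dropped.append(r)
        else:
            forwarded.append(r)
    return forwarded, dropped


if __name__ == "__main__":
    for t, ip, old, new in detect_mac_changes(CAPTURE):
        print(f"t={t:5.1f}s  {ip} moved from {old} to {new}  <-- ARP poisoning?")
    fwd, drop = dai_filter(CAPTURE, TRUSTED_BINDINGS)
    print(f"DAI: forwarded {len(fwd)} replies, dropped {len(drop)} spoofed ones")
```

The host-side check only fires on the change, so it misses an attacker who poisons before the victim ever learns the real MAC; the switch-side check does not, which is why the fix belongs in the network rather than on the laptop.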

Carrying it on...

Look into HSTS bypassing

SSLStrip+ / sslstrip2 (not made by Moxie) by Leonardo Nve - paired with dns2proxy, it rewrites the hostnames in links (e.g. www.example.com to wwww.example.com) so the browser’s HSTS entry for the real host no longer matches; preloaded domains with includeSubDomains still resist it
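The three pieces above (sslstrip’s rewriting, the HSTS check that stops it, and the hostname trick sslstrip2 uses around HSTS) fit in one worked model. This is an added example in Python, not code from the talk, from sslstrip or from sslstrip2: `strip_response` does the downgrade an attacker in the middle performs on a relayed response, and `HstsStore.should_upgrade` is the decision a browser makes before sending any http:// request. The hostnames, headers and HTML body are constructed; all function and class names are mine.

```python
"""sslstrip's downgrade and the browser-side HSTS check that defeats it.

strip_response(): what sslstrip does to a server response it relays - rewrite
https:// links and Location headers to http://, remember them so the victim's
next request can be re-upgraded towards the real server, and drop any
Strict-Transport-Security header (an attacker already in the middle of a
plaintext connection can do that, so the header only protects later visits).

HstsStore: a minimal browser HSTS store - a preload list plus entries learned
from headers on earlier HTTPS visits, with max-age expiry and includeSubDomains.
"""
import re
import time
from urllib.parse import urlsplit, urlunsplit

HTTPS_LINK = re.compile(rb"https://[^\s\"'<>]+")


def strip_response(headers, body, stripped):
    """Downgrade one relayed response. headers: dict (str->str), body: bytes.
    `stripped` is the attacker's memory of URLs that were https before.
    Returns (new_headers, new_body)."""
    new_headers = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            continue                      # simply dropped by the middle man
        if lname == "location" and value.startswith("https://"):
            stripped.add(value)
            value = "http://" + value[len("https://"):]
        new_headers[name] = value
    for m in HTTPS_LINK.finditer(body):
        stripped.add(m.group(0).decode("ascii", "replace"))
    return new_headers, body.replace(b"https://", b"http://")


def parse_sts(value):
    """Parse a Strict-Transport-Security value -> (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(val.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age is required")
    return max_age, include_sub


class HstsStore:
    def __init__(self, preload=(), now=time.time):
        self.now = now
        # host -> (expiry, include_subdomains); preload entries never expire
        self.entries = {h.lower(): (None, True) for h in preload}

    def learn(self, host, sts_value):
        """Record a header received over HTTPS. max-age=0 forgets the host."""
        max_age, include_sub = parse_sts(sts_value)
        if max_age == 0:
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (self.now() + max_age, include_sub)

    def is_known(self, host):
        labels = host.lower().split(".")
        for i in range(len(labels)):          # exact host, then each parent
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry is not None and expiry <= self.now():
                continue                      # expired entry
            if i == 0 or include_sub:
                return True
        return False

    def should_upgrade(self, url):
        """Return the URL the browser will actually request."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    seen = set()
    hdrs, page = strip_response(
        {"Location": "https://login.example.com/", "Strict-Transport-Security": "max-age=31536000"},
        b'<a href="https://www.example.com/login">Log in</a>', seen)
    print(hdrs, page, seen)
    store = HstsStore(preload=["example.com"])
    print(store.should_upgrade("http://wwww.example.com/login"))   # upgraded anyway
```

The last line is the sslstrip2 case: with only a learned entry for www.example.com the sibling host wwww.example.com would be fetched over http, but a preloaded example.com with includeSubDomains covers it, which is why the bypass only works against sites that are not preloaded.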

Part Two - Pina Coladas

The WiFi Pineapple (WiFi Pineapple Nano)

Becoming the router? Unnecessary... You are the router!

Pine(ap)ple

What does it actually do?

Get in the middle... - the Pineapple is the access point the victim joins, so there is nothing to poison: every packet already passes through it, and the same sniffing and stripping steps apply

QUESTIONS?? (pub)

BONUS

References

1. Pineapple - https://hakshop.com/products/wifi-pineapple
2. Kali - https://www.kali.org/
3. Sslstrip - https://moxie.org/software/sslstrip/
4. Ettercap - https://ettercap.github.io/ettercap/
5. Moxie - https://moxie.org
6. Wireshark - https://www.wireshark.org/
7. Moxie Blackhat talk - https://ia800701.us.archive.org/7/items/blackhat2009dcvideo/BlackHat_DC_2009_Moxie_Marlinespike_Defeating_SSL_in_Practice.mp4
8. Moxie Blackhat slides - https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
9. Pineapple Modules - https://www.wifipineapple.com/modules
10. Chrome HTTPS non-secure - https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
11. Firefox HTTPS non-secure - https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/
12. Chrome next steps - https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html
13. ARP mitigations - Colin
14. Signal - https://signal.org/
15. Whatsapp - https://signal.org/blog/whatsapp-complete/
16. Facebook secure - https://signal.org/blog/facebook-messenger/
17. SSLStrip (plus) - https://github.com/LeonardoNve/sslstrip2
18. Leonardo Nve - https://twitter.com/leonardonve?lang=en (it’s really in Spanish)