New School Man-In-The-Middle
Tom Eston

Security Justice
www.securityjustice.com
Man-In-The-Middle

• What is this MITM you speak of?
• Old school classics
• New school tools
• Why use it for pentests?
• How to defend?
What is a MITM?

• Redirect all traffic to YOU while allowing
  normal Internet access for the victim(s)
• Modify, intercept and capture network
  traffic
• Create DoS
Setting up your Monkey

• Traditional ARP Cache Poisoning
  The MITM becomes the “router”
• KARMA on the Fon (WiFi Attack)
  Karma brings you the victim
ARP Refresher

• ARP (Address Resolution Protocol)
• How devices associate a MAC address with an IP address
  ARP Request
  Computer A asks “Who has this IP?”
  ARP Reply
  Computer B tells A “That’s me! I have this MAC!”
  Reverse ARP Request
  Same as an ARP request, but Computer A asks “Who has this MAC?”
  Reverse ARP Reply
  Computer B tells A “I have that MAC, here is my IP!”
ARP Cache Poisoning

• Send fake ARP Replies to your victim(s)
• Allows sniffing on switched networks
• Hijacking of IP traffic between hosts
KARMA on the Fon

• The “evil twin”
  KARMA listens and responds to all!
• KARMA on the Fon
  Route wireless traffic to YOU!

Attacking wireless clients with Karma on the Fon
http://dimitar.me/?p=277
Old School MITM Tools
Wireshark

• Popular network sniffer
• Easy to use
• Easy capture of data
• Robust filtering
• Multi-platform (you probably have it)
Ettercap

• Used for filtering, hijacking, ARP cache poisoning
  and sniffing
• GUI, cmd, ncurses! Multi-platform
• Cool filters and plugins...
  • Inject HTML into existing web pages!
    Meterpreter payload anyone?
  • DNS Spoofing (phantom plugin)
  • Many more...
Cain

• Able is a separate program used to conduct
  remote activities (NT hash dump, console)
• Multi-functional “password recovery” tool
• Password cracking, scanning, sniffing, ARP
  poisoning and many related attacks (DNS,
  HTTPS, POP3S, RDP, etc...)
• Much, much more!
• Windows only
New School Tools
Network Miner

• Passive network sniffer/packet capture tool
• Detect OS, sessions, hostnames, open ports,
  etc...
• Easy view of usernames and passwords
• Parse PCAP files, search via keywords
• Can reassemble files and certs from PCAP files
• Windows only
The Middler

• Created by Jay Beale and Justin Searle (Inguardians)
• Alpha version released at ShmooCon 2009
• Ability to inject JavaScript into cleartext traffic
• Clone sessions for the attacker (CSRF)
• Intercept logout requests
• Plugin Architecture
• Highlights problem of sites using mixed HTTP/
  HTTPS
SSLStrip

• Created by Moxie Marlinspike, released at BlackHat DC
  2009
• Transparently hijack HTTP traffic on a network
• Switches all HTTPS links to HTTP and swaps the user to
  an insecure look-alike page
• Server thinks everything is “a-ok!” and no SSL cert
  “warning”
• Supports modes for:
  • supplying a favicon which looks like a lock
  • selective logging and session denial
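Both The Middler and SSLStrip lean on the same weakness: a site served over HTTPS that still carries plain http:// links, forms or resources, so a downgraded page looks normal to the user. The checker below is an added example written for this page (it is not code from the slides, from The Middler or from the sslstrip project); it scans an HTML document for exactly those http:// references so a site owner can find them before anyone else does. The page URL, hostnames and HTML are constructed sample data.

```python
"""Mixed-content checker: find plain-http references inside an HTTPS page."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose URL attribute matters for a downgrade: navigation,
# form submission, and embedded resources.
URL_ATTRS = {"a": "href", "form": "action", "script": "src",
             "img": "src", "link": "href", "iframe": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute_url) pairs whose scheme resolves to http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # Relative and scheme-relative references inherit https from the
        # page URL, so only explicit http:// references are reported.
        target = urljoin(self.page_url, value)
        if urlsplit(target).scheme == "http":
            self.findings.append((tag, target))


def find_mixed_content(page_url, html):
    """Return every http:// link/form/resource found in an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("checker expects a page served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a login page over HTTPS whose form posts to plain HTTP.
SAMPLE_PAGE_URL = "https://shop.example/login"
SAMPLE_HTML = """
<html><body>
<form action="http://shop.example/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="/account">My account</a>
<a href="http://shop.example/help">Help</a>
<script src="//cdn.example/app.js"></script>
<img src="http://static.example/logo.png">
</body></html>
"""


def run_sample():
    """Scan the constructed page; the form and two other references are flagged."""
    return find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)


if __name__ == "__main__":
    for tag, url in run_sample():
        print(f"{tag:6s} -> {url}")
```

A form whose action is http:// is the finding to fix first, since credentials submitted through it leave the browser in cleartext regardless of how the page itself was loaded; the `/account` link and the scheme-relative script are not reported because they resolve to https.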
SSLStrip Demo
Why use MITM in a Pentest?
• Allows more focus on the USERS
• Are they aware of HTTP vs. HTTPS?
• Highlight insecure protocols
  (Telnet, Basic HTTP Auth)
• Hint: Save PCAP files and run them
  through multiple tools! (thanks Mubix)
ARP Poisoning Defense
• Monitoring Tools
  ArpON
  Arpwatch
• Static IPs/Static ARP Tables (not sustainable!)
• Turn on “port security” in your switches!
• Check out Dynamic ARP Inspection
  (Cisco DAI)
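What ArpON and Arpwatch actually do is keep a table of the IP-to-MAC bindings seen in ARP replies and complain when a binding changes. The monitor below is an added example written for this page (not code from the slides or from either tool): it decodes raw Ethernet+ARP frames with the fields from the ARP refresher above, records each reply's binding, and raises a "flip-flop" alert when an IP that was bound to one MAC is suddenly claimed by another, which is what a poisoned reply looks like on the wire. The frames, addresses and MACs are constructed sample data, built with a small helper so the example runs offline.

```python
"""Arpwatch-style monitor: parse ARP frames and flag IP->MAC binding changes."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Decode a 14-byte Ethernet header plus a 28-byte IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "eth_src": mac_str(src),
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def build_arp(op, sha, spa, tha, tpa):
    """Encode a frame; used here only to construct the sample input below."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    return (struct.pack("!6s6sH", eth_dst, sha, ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + spa + tha + tpa)


class ArpMonitor:
    """Tracks IP -> MAC bindings learned from ARP replies and reports changes."""

    def __init__(self):
        self.table = {}    # ip -> mac as last seen
        self.alerts = []   # human-readable findings

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt["op"] != ARP_REPLY:
            return None  # requests carry no binding worth recording
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        # The Ethernet source and the ARP sender hardware address should agree.
        if pkt["eth_src"] != mac:
            self.alerts.append(f"header mismatch for {ip}: eth {pkt['eth_src']} vs arp {mac}")
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
            return "new"
        if known != mac:
            self.alerts.append(f"flip-flop: {ip} moved from {known} to {mac}")
            self.table[ip] = mac
            return "changed"
        return "unchanged"


# Constructed sample: a host resolves its gateway, gets the real answer,
# then sees a second reply claiming the gateway IP from a different MAC.
GW_IP, HOST_IP = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 20])
GW_MAC = bytes.fromhex("0a1b2c3d4e01")
HOST_MAC = bytes.fromhex("0a1b2c3d4e20")
OTHER_MAC = bytes.fromhex("0a1b2c3d4e99")

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, HOST_MAC, HOST_IP, b"\x00" * 6, GW_IP),
    build_arp(ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP),
    build_arp(ARP_REPLY, OTHER_MAC, GW_IP, HOST_MAC, HOST_IP),
]


def run_sample():
    """Feed the constructed frames through the monitor; returns (results, alerts)."""
    mon = ArpMonitor()
    results = [mon.observe(f) for f in SAMPLE_FRAMES]
    return results, mon.alerts


if __name__ == "__main__":
    for line in run_sample()[1]:
        print(line)
```

On a real segment the same logic would be fed from a packet capture; the flip-flop alert is the signal to check the switch (port security, DAI) rather than something to act on blindly, since a gateway failover or a replaced NIC produces the same event.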
MITM Defense

• User education (hard)
• Use a VPN, SSH Tunnel on insecure
  networks (coffee shops, DEFCON)
• Encourage employees to use the VPN when
  using public wifi!
Linkage:
spylogic.net

Questions?
Twitter: agent0x0
Web: spylogic.net
Email: tom@spylogic.net

 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

New School Man-in-the-Middle

  • 1. New School Man-IN-THe-Middle Tom Eston SECURITY JUSTICE www.securityjustice.com
  • 2. Man-In-The-Middle • What is this MITM you speak of? • Old school classics • New school tools • Why use it for pentests? • How to defend?
  • 3. What is a MITM? • Redirect all traffic to YOU while allowing normal Internet access for the victim(s) • Modify, intercept and capture network traffic • Create DoS
  • 5. Setting up your Monkey • Traditional ARP Cache Poisoning The MITM becomes the “router” • KARMA on the Fon (WiFi Attack) Karma brings you the victim
  • 6. ARP Refresher • ARP (Address Resolution Protocol) • How devices associate MAC to IP ARP Request: Computer A asks “Who has this IP?” ARP Reply: Computer B tells A “That’s me! I have this MAC!” Reverse ARP Request: same idea, but Computer A asks “Who has this MAC?” Reverse ARP Reply: Computer B tells A “I have that MAC, here is my IP!”
  • 7. ARP Cache Poisoning • Send fake ARP Replies to your victim(s) • Allows sniffing on switched networks • Hijacking of IP traffic between hosts
  • 9. KARMA on the Fon • The “evil twin” KARMA listens and responds to all! • KARMA on the Fon Route wireless traffic to YOU!
  • 10. Attacking wireless clients with Karma on the Fon http://dimitar.me/?p=277
  • 12. Wireshark • Popular network sniffer • Easy to use • Easy capture of data • Robust filtering • Multi-platform (you probably have it)
  • 14. Ettercap • Used for filtering, hijacking, ARP cache poisoning and sniffing • GUI, cmd, ncurses! Multi-platform • Cool filters and plugins.... • Inject HTML into existing web pages! Meterpreter payload anyone? • DNS Spoofing (phantom plugin) • Many more...
  • 16. Cain • Able is a separate program used to conduct remote activities (NT hash dump, console) • Multi-functional “password recovery” tool • Password cracking, scanning, sniffing, ARP poisoning and many related attacks (DNS, HTTPS, POP3S, RDP, etc...) • Much, much more! • Windows only
  • 19. Network Miner • Passive network sniffer/packet capture tool • Detect OS, sessions, hostnames, open ports, etc... • Easy view of usernames and passwords • Parse PCAP files, search via keywords • Can reassemble files and certs from PCAP files • Windows only
  • 21. The Middler • Created by Jay Beale and Justin Searle (Inguardians) • Alpha version released at ShmooCon 2009 • Ability to inject Javascript into cleartext traffic • Clone sessions for the attacker (CSRF) • Intercept logout requests • Plugin Architecture • Highlights problem of sites using mixed HTTP/HTTPS
  • 22. SSLStrip • Created by Moxie Marlinspike, released at BlackHat DC 2009 • Transparently hijack HTTP traffic on a network • Switches all HTTPS links to HTTP and swaps the user to an insecure look-alike page • Server thinks everything is “a-ok!” and no SSL cert “warning” • Supports modes for: • supplying a favicon which looks like a lock • selective logging and session denial
  • 24. Why use MITM in a Pentest? • Allows more focus on the USERS • Are they aware of HTTP vs. HTTPS? • Highlight insecure protocols (Telnet, Basic HTTP Auth) • Hint: Save PCAP files and run them through multiple tools! (thanks Mubix)
  • 25. ARP Poisoning Defense • Monitoring Tools: ArpON, Arpwatch • Static IPs/Static ARP Tables (not sustainable!) • Turn on “port security” in your switches! • Check out Dynamic ARP Inspection (Cisco DAI)
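As an added example (not from Tom Eston's deck), here is an Arpwatch-style detector in Python for the fake ARP replies described in the ARP refresher and ARP Cache Poisoning slides above: it learns each IP's MAC from the first reply it sees and alerts when a later reply claims a different one. All IP and MAC values are constructed sample data.

```python
# Added example, not from Tom Eston's deck: an Arpwatch-style monitor that
# learns the IP -> MAC binding from the first ARP reply seen for each IP and
# alerts when a later reply claims a different MAC, which is the footprint a
# forged "That's me! I have this MAC!" reply leaves. Addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class ArpReply:
    sender_ip: str   # IP the sender claims to own
    sender_mac: str  # MAC it asks the receiver to cache for that IP
    ts: int          # capture time in seconds (constructed)

@dataclass
class ArpMonitor:
    gateway_ip: str                            # a flip here is the worst case
    table: dict = field(default_factory=dict)  # ip -> last seen mac
    alerts: list = field(default_factory=list)

    def observe(self, reply):
        """Record one reply; return an alert string if the binding flipped."""
        mac = reply.sender_mac.lower()
        known = self.table.get(reply.sender_ip)
        self.table[reply.sender_ip] = mac      # keep tracking so a revert shows too
        if known is None or known == mac:
            return None
        sev = "HIGH" if reply.sender_ip == self.gateway_ip else "MEDIUM"
        alert = f"{sev} t={reply.ts}: {reply.sender_ip} moved {known} -> {mac}"
        self.alerts.append(alert)
        return alert

    def macs_owning_multiple_ips(self):
        # One MAC answering for several IPs is the other classic poisoning sign.
        owners = {}
        for ip, mac in self.table.items():
            owners.setdefault(mac, []).append(ip)
        return {m: ips for m, ips in owners.items() if len(ips) > 1}

def analyze(replies, gateway_ip="192.168.1.1"):
    mon = ArpMonitor(gateway_ip)
    for r in replies:
        mon.observe(r)
    return mon.alerts, mon.macs_owning_multiple_ips()

# Constructed capture: legitimate replies, then one rogue station
# (de:ad:be:ef:00:99) answering for both the gateway and the victim host.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01", 0),
    ArpReply("192.168.1.10", "00:11:22:33:44:10", 1),
    ArpReply("192.168.1.1", "DE:AD:BE:EF:00:99", 30),
    ArpReply("192.168.1.10", "de:ad:be:ef:00:99", 31),
]
```

`analyze(SAMPLE_REPLIES)` returns two alerts (the gateway flip ranked HIGH) plus the rogue MAC now answering for both IPs; a real deployment would feed it replies from a capture rather than the constructed list, and would expect a second alert when the victim's cache reverts after the attack stops.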
  • 26. MITM Defense • User education (hard) • Use a VPN, SSH Tunnel on insecure networks (coffee shops, DEFCON) • Encourage employees to use the VPN when using public wifi!
  • 28. Questions? Twitter: agent0x0 Web: spylogic.net Email: tom@spylogic.net

Editor's notes