Embed Size (px)
Citation preview
Corporation in the Middle
Lee Brotherston!@synackpse
#BSidesTO
Edition
MITM vs Everything Else
Detection
o_O
How, what, why, when?
Capture all the Packets
PCAP Toolstcpdump wireshark
tshark !
mergecap tcpsplice tcptrace captcp
pcapdiff tcpflow snort
SYN
ServerClient
SYN/ACK
ACK
HTTP Request
HTTP Response (Header & Data)
More Data……
SYN
ServerClient
SYN/ACK
ACK
RST/PSH/ACK
HTTP Response
HTTP Request
?
??
HTTP/1.1 200 OK!Content-Type: text/html; charset=ISO-8859-1!Content-Script-Type: text/javascript!Connection: close!Cache-Control: no-store, no-cache, must-revalidate, max-age=0!Expires: -1!Pragma: no-cache!!
<html><head><noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></noscript><title></title><script type="text/javascript">var version=2; var webServer="http://64.71.251.10";</script><script type="text/javascript" src="http://64.71.251.10/ByteCap-075-EO-English/index.js"></script></head><noscript><frameset><frame src="http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></frameset></noscript><body style="margin:0;"><script type="text/javascript">Bulletin("policy=72&category=ByteCap-075&");</script></body></html>
Packet Headers
TCPDUMPip[6] = 0 and tcp[14:2] = 1
Wire/TSharktcp.window_size_value eq 1
and ip.flags.df == 0
Snortalert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION
suspected TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337)
But wait, there’s more….
SYN
ServerClient
SYN/ACK
ACK
RST/PSH/ACK
HTTP Response
HTTP Request
SYN
ServerClient
SYN/ACK
ACK
HTTP Request
HTTP Response (Header & Data)
Data
HTTP/1.1 200 OK!Content-Type: text/html; charset=ISO-8859-1!Content-Script-Type: text/HTML!Connection: close
Profiling Target Acquisition
Retention Timerewrite ^(.*)$ /index.php;!
!
!
!
OoB Indexingrewrite ^(.*)$ /index.php;!
+!/etc/hosts!
+!.htaccess
Document Format!
<html>!<head>!<title>Oh Hai</title>!</head>
Document Format<!doctype html>!<html>!<head>!<title>Oh Hai</title>!</head>
– PIPEDA, 4.9 Principle 9 — Individual Access !
“Upon request, an individual shall be informed of the existence, use,
and disclosure of his or her personal information and shall be given access to that information.”
Mapping the Network
Traceroute (8 bits of goodness)
ttl=1
ttl expiry
ttl=2
ttl expiry
ttl=1
reply
ttl=2 ttl=1ttl=3
2 7.40.72.1! 3 209.148.241.61! 4 66.185.81.221! 5 69.63.251.242! 6 69.63.249.26! 7 *!!
2 7.40.72.1! 3 209.148.241.61! 4 *! 5 *! 6 69.63.249.26! 7 *!
tcptraceroute
Intercept Portscanningfor i in `jot 65535 1`!do !tcptraceroute -f4 -m5 host $i!done >> $i.log
2 7.11.164.41! 3 66.185.90.37! 4 209.148.224.205! 5 209.148.224.242!!
!
!
6 4.31.208.129
2 7.11.164.41! 3 66.185.90.37! 4 209.148.224.214! 5 209.148.224.209! 6 209.148.228.218! 7 209.148.228.217! 8 209.148.224.254! 9 4.31.208.129
tcptraceroute redux
Intercept Portscanning Reduxnmap -sS —-ttl 64 host
Which Interface?
My Server
DestinationMe
Scapysendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")/IP(src="11.11.11.11", dst="55.55.55.55",ttl=(1,30), options=IPOption('\x07'))/TCP(sport=3125, dport=80, flags="S"), iface="en1")
So, that network…
Internal Management LAN
extWebServer = "http://64.71.255.194";!intWebServer = “http://172.19.11.72";
SYN
ServerClient
SYN/ACK
ACK
RST/PSH/ACK
TTL = 1
TTL = 2
TTL = 3
What?
HTTP/1.1 200 OK!Date: Thu, 22 May 2014 14:29:09 GMT!Server: PerfTech!Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT!Accept-Ranges: bytes!Content-Length: 2387!Connection: close!Cache-Control: no-store, no-cache, must-revalidate, max-age=0!Expires: -1!Pragma: no-cache!Content-Type: application/x-javascript
Hints in Scripts// Copyright 2005-2011 PerfTech, Inc., All Rights Reserved.!!
!
!
displayUrl = "http://www.perftech.com/console/original.html";!
Why So Bothered?
Why Metadata Matters• They know you rang a phone sex service at 2:24 am and spoke
for 18 minutes. But they don't know what you talked about.!!
• They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.!!
• They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
GET / HTTP/1.1!Host: squarelemon.com!User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0!Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8!Accept-Language: en-US,en;q=0.5!Accept-Encoding: gzip, deflate!Cookie: _pk_ses.4.9b83=*!Connection: keep-alive!If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT!Cache-Control: max-age=0
What could possibly go
wrong?Photo Attribution: Tom - @tdawks
I learnt Stuff!
–Johnny Appleseed
“Type a quote here.”
Internet provider subscriber communications system US 8793386 B2
Internet advertising method and system using Web page US 8005717 B2
– Hanlon’s Brotherston’s Razor
“Never attribute to malice that which is adequately explained by stupidity Enhancing Shareholder
Value.”
Thank you!Lee Brotherston!
@synackpse!
