Corporation in the Middle. Lee

Size: px

Start display at page:

Download "Corporation in the Middle. Lee"

Silas George
5 years ago
Views:

1 Corporation in the Middle Lee

2 MITM vs Everything Else

3 Detection

7 o_o

8 How, what, why, when?

9 Capture all the Packets

10 PCAP Tools tcpdump mergecap ntop wireshark tcpsplice pcapdiff tshark tcptrace tcpflow! captcp

11 SYN SYN/ACK ACK Client Server HTTP Request HTTP Response (Header & Data) More Data

12 SYN SYN/ACK ACK Client HTTP Request? Server? RST/PSH/ACK HTTP Response?

13 HTTP/ OK! Content-Type: text/html; charset=iso ! Content-Script-Type: text/javascript! Connection: close! Cache-Control: no-store, no-cache, must-revalidate, max-age=0! Expires: -1! Pragma: no-cache!! <html><head><noscript><meta http-equiv="refresh" content="0;url= policy=72&category=bytecap-075&"></noscript><title></title><script type="text/javascript">var version=2; var webserver=" ";</script><script type="text/javascript" src=" /ByteCap-075-EO-English/index.js"></script></ head><noscript><frameset><frame src=" noscript.pl?policy=72&category=bytecap-075&"></frameset></ noscript><body style="margin:0;"><script type="text/ javascript">bulletin("policy=72&category=bytecap-075&");</script></ body></html>

14 Fun with Firewalls

15 Content of messages! 36. Except where the Commission approves otherwise, a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public. Telecommunications Act (S.C. 1993, c. 38)

16 ut wait, here s more.

17 SYN SYN/ACK ACK Client Server HTTP Request RST/PSH/ACK HTTP Response

18 SYN SYN/ACK ACK Client Server HTTP Request HTTP Response (Header & Data) Data

19 HTTP/ OK! Content-Type: text/html; charset=iso ! Content-Script-Type: text/html! Connection: close

20 Tests

21 Retention Time rewrite ^(.*)$ /index.php;!!!

22 OoB Indexing rewrite ^(.*)$ /index.php; + /etc/hosts +.htaccess

23 Document Format! <html> <head> <title>oh Hai</title> </head>

24 Document Format <!doctype html> <html> <head> <title>oh Hai</title> </head>

25 Mapping the Network

26 Traceroute ish

27 ttl=1 ttl expiry ttl=2 ttl=1 ttl expiry ttl=3 ttl=2 ttl=1 reply

28 tcptraceroute * * 5 * *!

29 Intercept Portscanning for i in `jot ` do tcptraceroute -f4 -m5 host $i done >> $i.log

30 tcptraceroute redux !!!

31 Intercept Portscanning nmap -ss -ttl 64 host

32 Which Interface?

33 Scapy sendp(ether(dst="02:1f:ba:20:4b:d2", src="10:2f:33:fe:b2:11")/ IP(src=" ", dst=" ",ttl=(1,30), options=ipoption('\x07'))/ TCP(sport=3125, dport=80, flags="s"), iface="en1")

34 So, that network Internal Management LAN

35 SYN SYN/ACK ACK Client Server TTL = 1 TTL = 2 TTL = 3 RST/PSH/ACK

36 What?

37 HTTP/ OK Date: Thu, 22 May :29:09 GMT Server: PerfTech Last-Modified: Thu, 17 Apr :42:01 GMT Accept-Ranges: bytes Content-Length: 2387 Connection: close Cache-Control: no-store, no-cache, mustrevalidate, max-age=0 Expires: -1 Pragma: no-cache Content-Type: application/x-javascript

41 Why So Bothered?

42 Why Metadata Matters They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.!! They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.!! They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed. Attribution: EFF 30C3 -Through Prism Darkly

43 GET / HTTP/1.1! Host: squarelemon.com! User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/ Firefox/25.0! Accept: text/html,application/xhtml +xml,application/xml;q=0.9,*/*;q=0.8! Accept-Language: en-us,en;q=0.5! Accept-Encoding: gzip, deflate! Cookie: _pk_ses.4.9b83=*! Connection: keep-alive! If-Modified-Since: Fri, 18 Oct :45:41 GMT! Cache-Control: max-age=0

44 What could possibly go wrong? Photo Attribution: Tom

46 Attribution: cat NULL planet

48 I learnt Stuff!

49 Never attribute to malice that which is adequately explained by stupidity Enhancing Shareholder Value. Hanlon s Brotherston s Razor

50 Type a quote here. Johnny Appleseed

52 Internet provider subscriber communications system US B2

53 Internet advertising method and system using Web page US B2

54 Great Firewall of Cameron !!!!

55 RoadRunner via Marriot !!!

56 Thank you! Lee

World Wide Web, etc.

World Wide Web, etc. Alex S. Raw data-packets wouldn t be much use to humans if there weren t many application level protocols, such as SMTP (for e-mail), HTTP & HTML (for www), etc. 1 The Web The following