MITMf: Bringing Man-In-The-Middle attacks to the 21st century

44CON
by byt3bl33d3r byt3m3
on 11 September 2015

Transcript

MITMf:
Bringing Man-In-The-Middle attacks to the 21st century

whoami
@byt3bl33d3r
https://github.com/byt3bl33d3r
https://byt3bl33d3r.github.io
Contributed to the Veil-Framework, Kali-Nethunter, Responder, Impacket and more...
How did this get started?
I feel your pain bro...
Sergio wut??
Created by Ben Schmidt (@_supernothing)
http://spareclockcycles.org/

Buy him a drink!

For those wondering, it stands for: Super Effective Recorder of Gathered Inputs and Outputs
So problem solved right?
Well not really...
Who the hell is Sergio??
What I wanted out of it
No reliance on external tools

Verbosity and logging

Minimize dependencies as much as possible (FAIL!)

BeEF and Metasploit integration via their respective API and RPC

Learn from other projects' mistakes!
MITMf v0.9.8
AppCachePoison
JSkeylogger
Inject
Spoof
Filepwn
SMBTrap
BeEFHelper
BrowserSniper
Replace
Responder
Upsidedownternet
BrowserProfiler
SMBAuth
SSLstrip+
Ferret-NG
HTA Drive by
Screenshotter
Spoof
Inject
Replace
Written by @rubenthijssen
Replaces strings in HTML content
BrowserProfiler
http://www.pinlady.net/PluginDetect
BrowserSniper

BeEFAutorun
FilePwn
Let's pause for a moment to understand how cool this is

Huge shout-out to @midnite_runr

Uses BDFactory to transparently backdoor executables going over HTTP

You can check out BDFactory at:
https://github.com/secretsquirrel/the-backdoor-factory

The plugin uses code from BDFproxy:
https://github.com/secretsquirrel/BDFProxy
JSKeylogger
Responder
SSLstrip+
Uses Leonardo Nve's technique for partially bypassing HSTS
(buy him a drink!)
App Cache Poison
Implements Krzysztof Kotowicz's (@kkotowicz) response tampering attacks
Upsidedownternet
Gahhh! Voodoo?? No...
Browser requests http://www.google.com
Returns redirect to http://wwww.google.com

DNS request gets intercepted and www.google.com is mirrored to wwww.google.com

We then re-write all links to the alternate domain

Client continues in plain-text since browser has no HSTS setting for wwww.google.com
Hallelujah!
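To make the condition on the last slide concrete from the defender's side, here is a minimal browser-style HSTS store in Python (an added example, not MITMf's or sslstrip2's code): the lookalike host stays in plaintext only when no stored rule covers it, and an `includeSubDomains` rule on the parent domain closes that gap. The hostnames and header values are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class HstsEntry:
    include_subdomains: bool


class HstsStore:
    """Minimal model of a browser's HSTS host store (RFC 6797 matching rules)."""

    def __init__(self):
        self.entries = {}  # host -> HstsEntry

    def learn(self, host, header):
        """Record a Strict-Transport-Security header received over HTTPS for host."""
        directives = [d.strip().lower() for d in header.split(";")]
        max_age = 0
        for d in directives:
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d)
            if m:
                max_age = int(m.group(1))
        if max_age == 0:
            self.entries.pop(host.lower(), None)  # max-age=0 clears the rule
            return
        self.entries[host.lower()] = HstsEntry("includesubdomains" in directives)

    def must_upgrade(self, host):
        """True if an exact rule, or a superdomain rule with includeSubDomains, covers host."""
        labels = host.lower().split(".")
        if host.lower() in self.entries:
            return True
        for i in range(1, len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry.include_subdomains:
                return True
        return False


def redirect_stays_plaintext(store, redirected_host):
    """The SSLstrip+ condition: a plaintext redirect to a lookalike host is
    followed over HTTP only when the browser has no HSTS rule covering it."""
    return not store.must_upgrade(redirected_host)


if __name__ == "__main__":
    weak = HstsStore()
    weak.learn("www.google.com", "max-age=31536000")  # constructed: exact host only
    print(redirect_stays_plaintext(weak, "wwww.google.com"))  # True: bypass works
    strong = HstsStore()
    strong.learn("google.com", "max-age=31536000; includeSubDomains")  # constructed
    print(redirect_stays_plaintext(strong, "wwww.google.com"))  # False: lookalike is covered
```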
Dan McInerney's (@DanHMcInerney)

Buy him a drink!

https://github.com/DanMcInerney/net-creds
But dude! I want some shells <3
I got you covered!
Looking into the crystal ball...
Port everything over to mitmproxy

SMB Proxy

Make everything less 'hacky'

Improve modularity

Evilgrade and Snarf integration

Actual SSL/TLS support

SSLsplit-like functionality

MITM RDP connections (almost done)

More protocol level attacks (Yersinia)

More HSTS bypasses
Ferret-NG
SMBAuth
Soooo.. How does this thing work?
Net-Creds
Here we go... May the demo gods be with me...
The configuration file
Questions?
If you're more of a Ruby person
Check bettercap out
https://github.com/evilsocket/bettercap
Really awesome project by @evilsocket
SMBTrap
HTA Drive-By
Screenshotter
Takes screenshots of clients' browsers using HTML5 canvas
Hallelujah!
What it turned out to be...
A combination of the best features of 7+ tools all hacked to work together:

Sergio-Proxy
SSLStrip+
AppCache Poison SSLstrip Mod
Subterfuge Framework
Net-Creds
Responder
DNSChef
Some JS from Metasploit
Overview
Why?
How?
LIVE DEMOS!