MITMf BHASIA 2015
by byt3bl33d3r byt3m3
on 1 September 2015

Transcript of MITMf BHASIA 2015

MITMf:
The swiss-army knife
for Man-In-The-Middle Attacks

whoami
@byt3bl33d3r
https://github.com/byt3bl33d3r
http://sign0f4.blogspot.it/
Contributed to the Veil-Framework, Kali-Nethunter and more..
Student
So why do we need another MITM tool?
Stuck in dependency hell
Not really designed to be an attack platform

Good for MITM
Unreliable when modifying traffic
Not easily extendible
Out of date
Too low level
Never got this to work properly
GUI seems broken
Do we even need a GUI?
How did this get started?
I JUST WANT SOMETHING TO RELIABLY INJECT IFRAMES!!!!!
OMG!!
So I Google'd like there was no tomorrow until I came across this:
I feel your pain bro...
Sergio wut??
Created by Ben Schmidt (@_supernothing)
http://spareclockcycles.org/

Buy him a drink!

For those wondering, it stands for: Super Effective Recorder of Gathered Inputs and Outputs

A modified version of Moxie Marlinspike's SSLstrip tool

Hooks core functions in SSLstrip to modify traffic

Extremely easy to extend and build upon
So problem solved right?
Well not really...
A lot of the plugins relied on external tools (e.g. Ettercap, Metasploit etc..)

Some plugins were very limited in their functionality and were a bit outdated

Lots of bugs to squash
Weird name but sounds promising!
What I wanted out of it
No reliance on external tools

Verbosity and logging

Minimize dependencies as much as possible (I truly tried..)

BeEF and Metasploit integration via their respective API and RPC interfaces

Learn from other projects' mistakes!
MITMf v0.9.5
AppCachePoison
JSkeylogger
Inject
Spoof
Filepwn
CacheKill
BeEFAutorun
JavaPwn
Replace
Responder
Upsidedownternet
BrowserProfiler
SMBAuth
SSLstrip+
SessionHijacker
Sniffer
Spoof
Originally used Ettercap

Completely re-written, now uses Scapy

Added support for ICMP, ARP req, ARP rep, DHCP

Supports DNS tampering (DNS spoofing on steroids)

When DHCP spoofing, it can exploit the ShellShock vuln!
Inject
DEMO!
Replace
Written by @rubenthijssen (Thanks man!)
Replaces strings in HTML content
BrowserProfiler
Injects a JS script to enumerate all browser plugins

Uses PluginDetect to precisely get the installed Java plugin version
http://www.pinlady.net/PluginDetect
JavaPwn
Uses the BrowserProfiler plugin to enumerate the Java Plugin version

Connects to Metasploit using its MSGRPC interface

Uses SpiderLabs' msfrpc to communicate with Metasploit; the original code had a bug, which I fixed. You can find it here:
https://github.com/byt3bl33d3r/msfrpc

Automatically sets up correct exploits, and injects iframes to trigger them
DEMO!
BeEFAutorun
Born out of frustration from using the beef_injection_framework

Automatically injects BeEF hooks

Uses BeEFAPI
https://github.com/byt3bl33d3r/beefapi
for interfacing with BeEF's RESTfulAPI

Fingerprints OS, Browser and runs modules specified in the config file
FilePwn
Let's pause for a moment to understand how cool this is

Huge shout-out to @midnite_runr

Uses BDFactory to transparently "patch" executables going over HTTP

You can check out BDFactory at:
https://github.com/secretsquirrel/the-backdoor-factory

The plugin uses code from BDFproxy:
https://github.com/secretsquirrel/BDFProxy
JSKeylogger
Injects the JS keylogger found in the http_javascript_keylogger Metasploit module
Modified to work somewhat on mobile devices
Responder
Responder integration into MITMf brings the framework to a whole new level

NBTNS/LLMNR spoofing, acting as a rogue WPAD server and more!

Shout out to Laurent Gaffie for letting me do this!
SSLstrip+
Uses Leonardo Nve's technique for partially bypassing HSTS as demonstrated last year at BHAsia
(buy him a drink!)
App Cache Poison
Implements Krzysztof Kotowicz's (@kkotowicz) response tampering attacks

Places web pages in the browser's long-lasting HTML5 AppCache so that the browser will continue to receive the modified page even when no longer MITM'd
Upsidedownternet
For the lulz
Flips images 180 degrees
Gahhh! Voodoo?? No...
Browser requests http://www.google.com
Returns redirect to http://wwww.google.com

DNS request gets intercepted and www.google.com is mirrored to wwww.google.com

We then re-write all links to the alternate domain

Client continues in plain-text since browser has no HSTS setting for wwww.google.com
Hallelujah!
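As an added illustration (not code from MITMf or the talk), the following models a browser's HSTS store the way RFC 6797 matches hosts, which shows why the alternate hostname in the slide above falls outside the policy the browser learned for www.google.com, and why a policy on the parent domain with includeSubDomains (what the HSTS preload list gives sites) closes that gap. It goes beyond the slide's single case by handling superdomain matching, expiry and max-age=0 in general.

```python
# Added illustration (not MITMf code): a minimal browser HSTS store, matched the
# way RFC 6797 describes (exact host, or a superdomain with includeSubDomains).
import re
import time
_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.I)

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if max-age is missing."""
    max_age, include_sub = None, False
    for d in (p.strip() for p in header.split(";") if p.strip()):
        m = _MAX_AGE.fullmatch(d)
        if m:
            max_age = int(m.group(1))
        elif d.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else {"max_age": max_age, "include_subdomains": include_sub}

class HstsStore:
    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry is testable
        self._policies = {}             # host -> (expiry, include_subdomains)

    def learn(self, host, header, over_tls=True):
        """Record a policy. Headers seen over plain HTTP are ignored, as browsers do."""
        policy = parse_hsts(header)
        if not over_tls or policy is None:
            return
        if policy["max_age"] == 0:      # max-age=0 tells the browser to forget the host
            self._policies.pop(host.lower(), None)
            return
        self._policies[host.lower()] = (self._now() + policy["max_age"], policy["include_subdomains"])

    def is_https_only(self, host):
        """True if the browser would upgrade http://host to https:// before connecting."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry is None or entry[0] < self._now():
                continue                # unknown or expired
            if i == 0 or entry[1]:      # exact host, or superdomain with includeSubDomains
                return True
        return False

def sslstrip_plus_scenario():
    """The slide's case: the browser only ever learned HSTS for www.google.com."""
    store = HstsStore()
    store.learn("www.google.com", "max-age=31536000; includeSubDomains")
    alternate = store.is_https_only("wwww.google.com")      # False: wwww is not under www
    store.learn("google.com", "max-age=31536000; includeSubDomains")  # preload-style parent policy
    return {"alternate_host_covered": alternate, "after_parent_policy": store.is_https_only("wwww.google.com")}
```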
Sniffer
A port of Dan McInerney's (@DanHMcInerney) Net-Creds script
https://github.com/DanMcInerney/net-creds

Sniffs passwords, hashes and search engine queries

TCP Re-Assembly aware

Doesn't rely on ports for service identification

Currently supports: FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc..) and Kerberos
But Dude! I want some shells! <3
I got you covered!
Injects anything you want into HTML!
Looking into the crystal ball...
Evilgrade and Snarf integration

Actual SSL/TLS support

SSLsplit like functionality

MITM RDP connections (almost done)

More protocol level attacks (Yersinia)

More HSTS bypasses
Session Hijacker
Automatically stores captured cookies in a Firefox profile; uses code from Firelamb:
https://github.com/sensepost/mana/tree/master/firelamb
Alternatively can send the cookies to the "Mallory cookie injector" Browser Extension
SMBAuth
Injects iframes with UNC paths to trigger SMB challenge-response attempts