Lee brotherston corporation in the middle
Transcript of Lee brotherston corporation in the middle
Page 1
Corporation in the Middle
Lee Brotherston, @synackpse
Page 2
MITM vs Everything Else
Page 3
Detection
Pages 4 to 6 (images only)
Page 7
o_O
Page 8
How, what, why, when?
Page 9
Capture all the Packets
Page 10
PCAP Tools
tcpdump, wireshark, tshark, mergecap, tcpsplice, tcptrace, captcp, ntop, pcapdiff, tcpflow, snort
Page 11
Client and Server exchange (diagram):
SYN
SYN/ACK
ACK
HTTP Request
HTTP Response (Header & Data)
More Data…
Page 12
Client and Server exchange (diagram):
SYN
SYN/ACK
ACK
RST/PSH/ACK
HTTP Response
HTTP Request
?
??
Page 13
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Content-Script-Type: text/javascript
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: -1
Pragma: no-cache

<html><head><noscript><meta http-equiv="refresh" content="0;URL=http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></noscript><title></title><script type="text/javascript">var version=2; var webServer="http://64.71.251.10";</script><script type="text/javascript" src="http://64.71.251.10/ByteCap-075-EO-English/index.js"></script></head><noscript><frameset><frame src="http://64.71.251.10/noscript.pl?policy=72&category=ByteCap-075&"></frameset></noscript><body style="margin:0;"><script type="text/javascript">Bulletin("policy=72&category=ByteCap-075&");</script></body></html>
Page 14
Content of messages
36. Except where the Commission approves otherwise, a Canadian carrier shall not control the content or influence the meaning or purpose of telecommunications carried by it for the public.
– Telecommunications Act (S.C. 1993, c. 38)
Page 15
Packet Headers
Page 16
tcpdump
ip[6] = 0 and tcp[14:2] = 1
(byte 6 of the IP header, the flags/fragment byte, is zero, so DF is not set; the two-byte TCP window size at offset 14 equals 1)
Page 17
Wireshark/TShark
tcp.window_size_value eq 1 and ip.flags.df == 0
(the same test as a display filter: TCP window size 1 and the IP Don't Fragment bit clear)
Page 18
Snort
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INJECTION suspected TCP injection"; flow:stateless; window:1; fragbits:!D; sid:31337;)
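The tcpdump and Wireshark tests from the preceding slides, written out as a Python check over a raw IPv4/TCP packet; this is an added example, not code from the talk, and the sample packets are constructed inline. It also shows a caveat the slides do not spell out: the BPF byte test `ip[6] = 0` is stricter than `ip.flags.df == 0`, because it also demands that MF and the high bits of the fragment offset are zero.

```python
import struct

# Constructed IPv4 + TCP headers (no payload, no real capture) for testing the checks.
def build_packet(df: bool, window: int, tcp_flags: int, mf: bool = False) -> bytes:
    """Return a 20-byte IPv4 header followed by a 20-byte TCP header."""
    flags_frag = (0x4000 if df else 0) | (0x2000 if mf else 0)   # DF = 0x4000, MF = 0x2000
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0x1234, flags_frag, 64, 6, 0,   # ver/IHL, TOS, len, id, flags, TTL, proto=TCP, csum
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # constructed src/dst addresses
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          80, 3125, 1, 1, 5 << 4, tcp_flags, window, 0, 0)  # sport, dport, seq, ack, offset, flags, win, csum, urg
    return ip_hdr + tcp_hdr

def matches_injection_signature(pkt: bytes) -> dict:
    """Apply 'ip[6] = 0 and tcp[14:2] = 1' (tcpdump) and
    'tcp.window_size_value eq 1 and ip.flags.df == 0' (Wireshark) to one raw IPv4 packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 6:            # IPv4 carrying TCP only
        return {"bpf": False, "wireshark": False, "flags": ""}
    ihl = (pkt[0] & 0x0F) * 4                      # IP header length in bytes
    tcp = pkt[ihl:]
    window = struct.unpack("!H", tcp[14:16])[0]    # tcp[14:2] in BPF offset notation
    df_clear = (pkt[6] & 0x40) == 0                # ip.flags.df == 0
    bpf_match = pkt[6] == 0 and window == 1        # whole flags/fragment byte must be zero
    ws_match = df_clear and window == 1            # only the DF bit is examined
    flag_names = [name for bit, name in ((0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"),
                                         (0x02, "SYN"), (0x01, "FIN")) if tcp[13] & bit]
    return {"bpf": bpf_match, "wireshark": ws_match, "flags": "/".join(flag_names)}

# Constructed samples: the shape the slides describe, a normal segment, and a fragment edge case.
INJECTED = build_packet(df=False, window=1, tcp_flags=0x04 | 0x08 | 0x10)   # RST/PSH/ACK, window 1, DF clear
NORMAL = build_packet(df=True, window=65535, tcp_flags=0x08 | 0x10)         # PSH/ACK, DF set
FRAGMENT = build_packet(df=False, window=1, tcp_flags=0x10, mf=True)        # MF set: Wireshark test hits, BPF test does not

if __name__ == "__main__":
    for label, pkt in (("injected", INJECTED), ("normal", NORMAL), ("fragment", FRAGMENT)):
        print(label, matches_injection_signature(pkt))
```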
Page 19
Fun with Firewalls
Page 20
But wait, there’s more….
Page 21
Client and Server exchange (diagram):
SYN
SYN/ACK
ACK
RST/PSH/ACK
HTTP Response
HTTP Request
Page 22
Client and Server exchange (diagram):
SYN
SYN/ACK
ACK
HTTP Request
HTTP Response (Header & Data)
Data
Page 23
HTTP/1.1 200 OK
Content-Type: text/html; charset=ISO-8859-1
Content-Script-Type: text/HTML
Connection: close
Page 24
Tests
Page 25
Retention Time
rewrite ^(.*)$ /index.php;
Page 26
OoB Indexing
rewrite ^(.*)$ /index.php;
+ /etc/hosts
+ .htaccess
Page 27
Document Format
<html>
<head>
<title>Oh Hai</title>
</head>
Page 28
Document Format
<!doctype html>
<html>
<head>
<title>Oh Hai</title>
</head>
Page 29
Mapping the Network
Page 30
Traceroute … ish
Page 31
Traceroute diagram: probes are sent with ttl=1, ttl=2, ttl=3, and so on; each intermediate hop returns a ttl expiry until the final hop replies.
Page 32
tcptraceroute
 2  7.40.72.1
 3  209.148.241.61
 4  66.185.81.221
 5  69.63.251.242
 6  69.63.249.26
 7  *

 2  7.40.72.1
 3  209.148.241.61
 4  *
 5  *
 6  69.63.249.26
 7  *
Page 33
Intercept Portscanning
# jot is the BSD/macOS counterpart of seq; one log file per probed port
for i in `jot 65535 1`
do
  tcptraceroute -f4 -m5 host $i >> $i.log
done
Page 34
tcptraceroute redux
 2  7.11.164.41
 3  66.185.90.37
 4  209.148.224.205
 5  209.148.224.242
 6  4.31.208.129

 2  7.11.164.41
 3  66.185.90.37
 4  209.148.224.214
 5  209.148.224.209
 6  209.148.228.218
 7  209.148.228.217
 8  209.148.224.254
 9  4.31.208.129
Page 35
Intercept Portscanning Redux
nmap -sS --ttl 64 host
Page 36
Which Interface?
Diagram labels: My Server, Target, Me
Page 37
Scapy
from scapy.all import Ether, IP, IPOption, TCP, sendp

# One SYN per TTL value from 1 to 30 (a traceroute-style sweep) on interface en1.
# The option bytes are given as bytes so this runs under Python 3; type 7 is Record Route.
sendp(Ether(dst="be:ef:11:11:11:11", src="31:33:7a:aa:aa:aa")
      / IP(src="11.11.11.11", dst="55.55.55.55", ttl=(1, 30), options=IPOption(b"\x07"))
      / TCP(sport=3125, dport=80, flags="S"),
      iface="en1")
Page 38
So, that network…
Internal Management LAN
Page 39
Client and Server exchange (diagram):
SYN
SYN/ACK
ACK
RST/PSH/ACK
with probes at TTL = 1, TTL = 2, TTL = 3
Page 40
Great Firewall of Cameron
 6  31.55.164.187
 7  31.55.164.107
 8  109.159.248.69
 9  109.159.248.10
10  62.172.103.187

 6  31.55.164.187
 7  31.55.164.107
 8  109.159.248.104
 9  109.159.248.142
10  194.71.107.15
Page 41
RoadRunner
 4  98.0.3.14
 5  98.0.3.3
 6  107.14.19.106
 7  107.14.17.194
 8  64.86.79.97
 9  64.86.79.2

 4  98.0.3.14
 5  98.0.3.3
 6  66.109.6.72
 7  107.14.17.192
 8  64.86.79.97
 9  64.86.79.2
Page 42
What?
Page 43
HTTP/1.1 200 OK
Date: Thu, 22 May 2014 14:29:09 GMT
Server: PerfTech
Last-Modified: Thu, 17 Apr 2014 14:42:01 GMT
Accept-Ranges: bytes
Content-Length: 2387
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: -1
Pragma: no-cache
Content-Type: application/x-javascript
Page 44
HTTP/1.0 404 Not Found
Date: Fri, 23 May 2014 14:00:05 GMT
Server: PerfTech
Content-Length: 25
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Expires: -1
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
Page 45
Hints in Scripts
// Copyright 2005-2011 PerfTech, Inc., All Rights Reserved.

extWebServer = "http://64.71.255.194";
intWebServer = "http://172.19.11.72";

displayUrl = "http://www.perftech.com/console/original.html";
Pages 46 to 47 (images only)
Page 48
Attribution: cat NULL planet - @skalnik
Page 49 (image only)
Page 50
Why So Bothered?
Page 51
Why Metadata Matters
They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don't know what you talked about.
They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don't know what was discussed.
Attribution: EFF 30C3 - Through Prism Darkly
Page 52
GET / HTTP/1.1
Host: squarelemon.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _pk_ses.4.9b83=*
Connection: keep-alive
If-Modified-Since: Fri, 18 Oct 2013 14:45:41 GMT
Cache-Control: max-age=0
Page 53
What could possibly go wrong?
Photo Attribution: Tom - @tdawks
Pages 54 to 55 (images only)
Page 56
I learnt Stuff!
Page 57
“Type a quote here.”
– Johnny Appleseed
Page 58 (image only)
Page 59
Internet provider subscriber communications system US 8793386 B2
Page 60
Internet advertising method and system using Web page US 8005717 B2
Page 61
“Never attribute to malice that which is adequately explained by ~~stupidity~~ Enhancing Shareholder Value.”
– ~~Hanlon’s~~ Brotherston’s Razor
Page 62
Thank you!
Lee Brotherston
@synackpse