So, you'll hear people refer to me as Anch, Unch, Inch. I pronounce it Anch. Technically it's a form of Unc, but I'm Anch, and you guys are here to listen to me ramble on about man-in-the-middle attacks, or monkey-in-the-middle attacks. And we'll, we'll play in some traffic. It will be a lot of fun.
Uh, so, just a little bit about me. This is the slide where I normally introduce my wife, because she's here, but she's not here. That's her. On my way in I was told she's going to be four minutes late. I'll introduce you guys when she gets here.
I have a lot of experience in penetration testing and hacking, and funny story -- funny story time, since I have time. A penetration tester, the job title "penetration tester," is the best, best title to have at a party.
People walk up to you, what do you do? I'm a penetration tester. And they look at you funny like, Huh?
And they're like, so, what do you do exactly?
They're expecting something like, well, I test the lighting in porn. But then I explain to them what I do, and they're like, oh, that's actually really fucking boring.
So, uh, yeah. I have got over ten years' experience doing this. I like to do this, and I like to teach people how to do it. I'll take a little bit of a survey: how many of you guys are first-year DEF CON, first time? Wow, I got a room full of noobs, that's awesome. By the way, when I say noob it's not an insult, honest to God, not an insult, it is a compliment. I'm a noob at things. I can't reverse engineer for shit; I'm teaching myself to do it. I'm a total noob at reverse engineering, but I'm really, really good at the other stuff. So, being a noob is not a problem, it's actually really awesome.
How many people in here are penetration testers right now?
Ok, how many people in here want to be penetration testers?
Good. That's awesome. That's an admirable goal. How many people -- How many people actively exploit boxes? As a penetration tester?
I got one. I got two. Charge, I didn't save those seats for you.
Actually, really, I didn't. My wife is coming down, so just save her a seat. She's got one more with her; she'll probably sit on the floor, it will be ok. Well, you know, it's important that I take care of my wife. So, yeah, so, uh, that's a little bit about me. Boneheadsanom is my Twitter; tweet me if you want me, it's all good. Did that not actually cycle? There we go.
So, why do we play in traffic?
Traffic is really, really interesting. By the way, I put funny stuff on my slides, so feel free to laugh. Don't be like -- it's quiet and stuff. You guys are the quietest audience I've ever had. When I walked down here and I asked you guys if you were in line for the talk, you were like -- anyway. Traffic is interesting stuff. Yeah, thank you.
It gives us insight on to how things work.
When you're looking for something on the network that's misbehaving, the first place I go is the traffic. Oftentimes it's something simple, like a misconfigured switch port, or I'm in the wrong VLAN, or I'm pushing things to the wrong address, but the traffic will tell me that. And if you know how to read traffic, and you know how to look at it, and you know how to capture it, you can actually do some pretty cool stuff with it.
It allows us to gather information on a target, really valuable information on a target, actually. It tells us the source and destination MAC addresses, tells us what ports the traffic is -- the target is talking on, so what ports are open. Sometimes you can't get a port scan because you've got a firewall and it's just sitting there and it's like, empty. You know, you run Nmap and it comes back, nothing.
I know that host is alive, so if I can get the traffic I can tell what ports are open on it, and maybe I can spoof the traffic in order to get into that host. There's a lot of fun stuff you can do with traffic. And it allows us to change things as they go by. I'll get into some fun stuff you can do. You can really prank your friends with some of this, especially when you're at home: your friends get on the Internet and they're like, why -- why are all the images upside down? We get -- Hi!
Everybody, this is my wife.
Yeah. I saved you seats. And uh, yeah. Have a seat. She supports me in everything that I do and I love her very, very much. And so she deserves a great big hand.
So, being able to play in traffic allows us to change things as they go by and make modifications to stuff that may or may not allow us to get into things that we're not supposed to. And that kind of -- that kind of power is great, because people aren't looking for it. IDS looks for it a little bit, but if you're smart about it you can actually bypass IDS altogether, and it'll be like, oh, yeah, that's the traffic that is supposed to be there. Good, I'm actually getting chuckles. That's good. Most importantly, it allows us to prank our friends. And honestly, allowing us to prank our friends -- we have to have fun with this job. We can't just -- we can't just do the work to do the work. If it's not interesting to you, you are in the wrong line of work. You really are. What was that?
We have to laugh. It is all about the roles, you're right. We have to laugh, we have to have fun. And you have to be interested in doing this stuff so you'll actually learn it. Otherwise you go to work for 10 or 15 hours out of the day and you come home and you get stagnant, because you're not learning new stuff. You're going to -- you're applying what you already know but not actually picking it up. And if you love it, you'll go home and you'll read about it, or you'll play with it, or, you know, you'll mess with your friends, your neighbors.
Interesting story about my neighbors. I actually -- I did something for Aruba and they were kind enough to give me an access point to play with. It was one of their new 802.11ac access points, and I set it up at home. I'd been having problems with interference on stuff, and the Aruba access point comes up and it goes, oh, I'm seeing interference, let me take care of that for you. All of a sudden all of my neighbors' access points go, oh, I'm going to get quieter and turn down, and now I'm the king of the mountain. Pretty awesome.
All right. How do we get into the traffic that we want to play with? There's a lot of different ways to do it. And I don't have my presenter notes up here, so just remember to always wear a helmet. You want to -- you don't want to really mess anything up, so you've got to be real careful. Playing with traffic, playing with network traffic in general, you're not going to permanently screw something up, but it can definitely have unintended consequences. I'll get into those here in a little bit.
When you mess with things, the systems have checksums and ways to figure out that you're actually messing with them, and they'll toss it out. You can be like, oh, I've got the transparent proxy in place, I'm trying to create the All Porn Internet, and it's replacing these images, but it's not -- the images aren't coming up, and it's probably because you're not injecting them right. We'll talk about that a little bit later.
It can be dangerous. You can get caught. It's a noisy thing. If you get caught and you're not -- well if you get caught and you don't have permission to play in traffic, by the way, get permission first.
No means no.
If you don't have permission and get caught, the consequences can be dire. You can get arrested and go to jail. That's never fun. But it can be dangerous, it can mess stuff up. It can mess your traffic up on your network; I've done that a couple of times. My wife calls me: the Internet is not working. I'm in Oklahoma, I'm like, sorry, I left that on and I didn't mean to. It does really mess with the network, especially some of the tools that we'll talk about here in a little bit. It can take entire networks down, and like, big networks, or entire segments of a network down. When you're impersonating a gateway or directing traffic to your box, and that gateway is normally handling 10 gigs of traffic and your box has a 100 gig card in it, it tends to hurt a little bit. It can really, really mess with the networks. And you can really be -- you can really put yourself in a position where you are taking something critical offline. And as a tester we never really want to do that. We tend to get smacked for it, and it makes our jobs even more difficult.
And like I just alluded to, your host might not be fast enough. You might not be able to process all the traffic that you're getting. You're going to drink from a fire hose, and when you do that it tends to fill your mouth pretty fast.
And switches will alert on things. If you have a client that is particularly intelligent and has their monitoring and alerting set up, it will throw an alert, and they will catch you, and they'll be like, ha. And you'll be like, okay, you caught me.
And IDS usually does catch it. There are ways to get around that, and we'll talk about that in a little bit, but it usually does flag on things when they start to change. Your IDS is set up to look for normal and you're creating something abnormal -- or, you know, yeah, looking for something abnormal, and you're creating something that is not kosher on the network. And so it will usually catch it.
For those of you that can't read this, it says a giant tool and he's carrying a wrench.
So we're going to have a little discussion about tools, and how to use them, and what they're for, and the best ones to use. I'm going to go through the stuff that I normally use and normally put on a network in order to get into traffic, and tell you the pitfalls and the goods and the bads. So we're going to talk a little bit about ARP spoofing and when to use it, which is almost never. And we're going to talk a little bit about DNS poisoning and spoofing and when to use it, which is a lot, because it's a whole lot of fun. We're going to talk about DHCP snooping or spoofing as well, basically telling -- answering faster than the DHCP server for an address and making yourself a gateway. We're going to talk about transparent proxies, which is where all the pranks come from. Those are the most fun. And those transparent proxies are what you use after you get the traffic to your machine.
I'm glad that got a laugh. Because I have run into so many people that are like, yeah, I use Kali Linux, I'm a hacker. No. That doesn't make you a hacker, I'm sorry. Let's talk about the most dangerous option, ARP spoofing and ARP poisoning.
The tool is arpspoof, and it's provided as part of the dsniff suite of tools. If you haven't got dsniff installed, install it. There's a lot of really fun stuff you can do with the dsniff suite. You can ARP spoof, you can DNS spoof, you can do traffic discovery, you can do a lot of stuff with it. It's really, really, really cool.
It is easily, easily, easily detected on the network. So basically what you're doing with an ARP spoof is you're answering -- everybody know what ARP is? Hold your hand up.
All right. For those of you that don't, talk to your neighbor afterwards, they will explain it to you. Just kidding. Basically, ARP is a way to tie a MAC address to an IP address, and a switch holds the table of these ties; that's the best way that it can route the traffic, the layer 2 traffic, in the switch, from port to port. So what you're doing when you ARP spoof is you're saying, no, I'm really the gateway address, it's me. You're flooding the switch with answers to ARP requests for who's got the gateway, who's got the gateway, who's got the gateway. And you're like, me. Me. You know, it's me. And basically you're injecting yourself in the middle and becoming a gateway.
Now, if you don't have your machine configured right, what is going to happen is you're going to get all the traffic, it's going to have nowhere to go, and the whole network is going to come crashing down, and you're going to be like, um, oops. When your machine finally crashes, because you're drinking from that fire hose, the network will go back to normal. But until then you just brought your client down, and that's never a good thing.
But for the most part IDS will catch this. As you're doing a gratuitous ARP, IDS will go, no, he's not really the gateway. He'd like to think he is, but he's not. And it will catch it. It's one of these things that lights IDS up like a Christmas tree.
I just alluded to, if done incorrectly it will take down the network, and it will, I've done it. I'll admit that. I've done it at home. I've done it at work. I've done it at work, at home. Starbucks.
You need a fairly powerful host to keep up with the traffic. These days we're looking at gigabit or multi-gigabit connections. Your host needs to be able to process that. So your little Wi-Fi Pineapple or your little Linksys box that you can do this with is not going to cut it. It just can't process the traffic fast enough. Laptops, Mac minis, small computers, they're going to be able to keep up with the traffic as long as you're at a gigabit or better. I carry a secondary network card, a Lightning network adapter, in my bag just for this purpose, so that I don't have to route traffic in and out the same address; I can pull it in one and route it out the other. Setting it up, basically you're setting your box up as a gateway, and you've got to be able to route the traffic through the machine without actually slowing it down. You're going to slow it down a little bit, it's just one of those things, but you want to slow it down as little as possible.
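Editor's addition, not part of the talk: the speaker describes arpspoof answering "who has the gateway" with "me" and IDS lighting up on the gratuitous replies. The example below is written for this transcript, not taken from dsniff, and builds the two unsolicited ARP reply frames arpspoof repeats (one to the victim, one to the gateway) byte for byte, then runs them through an arpwatch-style monitor that alerts when a known IP shows up with a new MAC. All MAC and IP addresses are constructed; nothing is put on the wire, and the victim's traffic only survives the poisoning if the attacker also forwards it (the "network crashed" case the speaker mentions is exactly the attacker not forwarding).

```python
"""ARP poisoning on the wire, and the check that catches it.
Editor's example for this transcript; addresses below are constructed."""
import struct

ETH_P_ARP = 0x0806


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP reply (opcode 2) that claims
    'sender_ip is at sender_mac'. Sent unsolicited, this is the poison."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype Ethernet, ptype IPv4, hlen 6, plen 4, op 2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def poison_pair(attacker_mac, victim_mac, victim_ip, gw_mac, gw_ip):
    """The two frames arpspoof keeps repeating to sit between victim and gateway:
    tell the victim the gateway lives at the attacker's MAC, and tell the gateway
    the victim lives there too. Without IP forwarding enabled on the attacker,
    the victim's traffic dead-ends here (the 'took the network down' case)."""
    to_victim = build_arp_reply(attacker_mac, gw_ip, victim_mac, victim_ip)
    to_gateway = build_arp_reply(attacker_mac, victim_ip, gw_mac, gw_ip)
    return to_victim, to_gateway


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    op = struct.unpack("!H", frame[20:22])[0]
    return {"op": op,
            "sha": mac_str(frame[22:28]), "spa": ip_str(frame[28:32]),
            "tha": mac_str(frame[32:38]), "tpa": ip_str(frame[38:42])}


class ArpWatcher:
    """Minimal arpwatch-style monitor: learns IP->MAC from replies and raises
    an alert when an IP it already knows is claimed by a different MAC."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame: bytes):
        a = parse_arp(frame)
        if a["op"] != 2:
            return None
        old = self.table.get(a["spa"])
        self.table[a["spa"]] = a["sha"]
        if old is not None and old != a["sha"]:
            msg = f"{a['spa']} changed from {old} to {a['sha']}"
            self.alerts.append(msg)
            return msg
        return None


if __name__ == "__main__":
    w = ArpWatcher()
    w.observe(build_arp_reply("00:11:22:33:44:01", "192.168.1.1",
                              "00:11:22:33:44:02", "192.168.1.20"))
    to_victim, _ = poison_pair("de:ad:be:ef:00:01", "00:11:22:33:44:02",
                               "192.168.1.20", "00:11:22:33:44:01", "192.168.1.1")
    print(parse_arp(to_victim))
    print(w.observe(to_victim))
```

The watcher is the whole reason the speaker rates this "most dangerous": one legitimate reply from the real gateway followed by the attacker's reply is enough for the binding-change alert, and arpspoof has to keep resending, so the alert repeats every couple of seconds.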
I told you they were funny. Yeah. So DNS poisoning and spoofing, a slightly less dangerous way. It is slightly less dangerous. Cain is one of the tools that is able to perform this function, amongst others. It's actually pretty damn good at doing what it's supposed to do, and it's the one that I prefer. Yeah, it's a Windows tool, and I know Windows is bad.
What's that? In a VM? Absolutely. People look funny at me because I have a Mac, and actually I see a lot of Macs now; I used to be one of those first people to actually hack on a Mac. They're like, you run a Mac? I'm like, yeah, it's a great platform. I can run Windows on it still. It may still require you to ARP spoof first. You're going to send replies to DNS requests to point traffic at yourself. So you have to become that DNS server. You may have to ARP for that one specific address and say, I'm a DNS server -- I'm the DNS server, instead of I'm the gateway.
And it is always used in conjunction with other tools. It doesn't -- it can't actually handle the traffic itself. And so what you're going to do is you're going to reply with an address, pointing that particular -- that DNS answer back at yourself or someplace else, in order to capture the traffic going -- in order to get the traffic to be redirected. And the great thing is, with DNS caching, you may only have to answer once every five minutes. Or once every two weeks. Depending on how the cache is set up in DNS. If you have to answer once every two weeks, that's pretty awesome. Because I can stand up a box, answer once, poison the cache, take the box down and go home, and I'm still getting that traffic. It's really pretty cool. Unless they figure it out and they flush the cache.
Like I said, it provides your IP address as the answer to the DNS queries. You're saying, I'm really this -- I'm really Google, it's me. I'm Google. I'm going to -- I'm going to send you my search results, which may not necessarily be kosher.
I'll let you read this. Cause it's --
I thought that was pretty funny, too. Still a little bit less dangerous; we're going from most dangerous to least dangerous in this particular category. DHCP spoofing: you're going to provide answers to DHCP requests. The ever famous Ettercap -- who in here has heard of Ettercap? It's a tool, it's an old, old tool. It works really, really well, it has for a long time. And it's really well maintained, it's awesome. Ettercap does this function perfectly.
You still need to be able to sniff the traffic, you still need to get the traffic coming to your box somehow, so you're still going to have to do something. Either have a SPAN port or, or one of these.
Last year I did a talk on my bag of dirty tricks. Zase's mom came up and said, I really like the ninja throwing star. This is what she's talking about. This is a ninja Throwing Star LAN Tap. You guys have probably seen these; I think they're available in the vendor area as kits. They're really, really cool. It allows you to get in the middle of traffic and, you know, scan it, play with it and inject into it, and -- hey, look, all my friends finally showed up. I'm going to embarrass you like I embarrassed my wife. Bill, wave hi to everybody. Everybody turn around and wave hi to Bill. You and I need to go talk to Priest later. No. But I want my T-shirt.
Now he's laughing.
Yeah, you can actually get in the middle of traffic with one of these. You have to be physically there, you have to be able to plug into a wall jack between a machine, but it will let you scan traffic, and it provides both transmit and receive, and it's pretty cool. It's a passive device, you don't need power, it's really, really, really awesome.
Wow, are they loud or what?
We're going to take a real quick break we're going to do something here to annoy the other guys. Okay?
I want everybody -- I'm not going to make you stand up again. I want everybody to scream and clap for ten seconds as loud as you possibly can. Ready, one, two, three -- do it.
[Cheering and Screaming]
They put us in these small rooms with these thin walls, and you know that's Skytalks over there, and there's no recording. We just probably really annoyed the speaker, because he's right behind that wall.
That's a lot of fun to do. I'll have to look and see who was speaking and go, Hey!
Switches can be configured to check for and deny this type of attack, especially in situations where you're relaying traffic to one DHCP server. It can be -- the switch can be configured to actually send these packets directly to the DHCP server and send the responses back. If that's the case, this isn't going to work for you. If they're really, really well configured and tight on this, this attack is going to be tough to pull off. But it is less dangerous than an ARP spoof, because you're not -- you're not going to interrupt all the traffic, just some of it. And it is also used in conjunction with other tools; we'll talk about those other tools here in a little bit.
So, we're going to talk about proxies but this image might be a little bit hard to see, hard to read. It's the whole, what my friends think I do, what my mom thinks I do. Yeah. My mom knows I'm a hacker but she does think I work for the Geek squad sometimes. And I'm not a chick even though that's a chick in what I think I do. And we all know what we actually do. The government one I thought was the funniest, cause I'm sinking the Titanic.
You need to actually be able to do something with the traffic once you get it. You need to have a way to change things, and the easiest way to change it is to set up a transparent proxy. In this case we're talking about HTTP or HTTPS type traffic, or web traffic. There are some other tools that you can use that do other traffic, like SSH. You can actually do SSH man-in-the-middle, and it is evil, and it is fun, and
>> It's so heavy. I love you softly.
>> Guys, this is Crypt. He's pranking everybody. All of his friends.
>> Hey Crypt?
>> Why don't you -- Oh.
>> You have any Defcoin on ya? Uh-huh. Oh, that's nice.
>> I only have -- I have four left.
>> You have four left? Can I have them? Of course I did. All right.
>> I am amazing. And I'm a good sport am I not?
>> You're one of the smartest guys I know.
>> Yeah, awesome. I've got 400 Defcoin here and I'm going to do some questions and answers. And the best questions that I come up -- that, uh, that you guys ask me, I'm going to give a Defcoin to. Who here has Defcoin?
I know you guys do. Of course you do. Who here wants Defcoin? Good. At least I've got something that's valuable. The paper it's printed on is worth more than the actual coin.
So, multiple tools provide this service. We'll talk about SSH man-in-the-middle here in a little while. We'll talk about HTTP and HTTPS first. Who in here has heard of Burp, the Burp Suite?
Who has actually installed the Burp Suite?
What was that? Pro?
I don't pay for it. The features that it provides, they're not valuable enough for me to pay for it. And the free version is awesome.
Who here has actually used the Burp Suite for something?
Good. Good. You know what I'm talking about. It's fun. You can actually examine, and look and change traffic, web traffic as it goes by. You would not believe the number of people that look at me funny, when I say, you know what, I've got your password. How did you do that?
You sent it in clear text. What do you mean, clear text?
Another tool I'll talk about is Mallory. This is one that fewer people have heard of. Raise your hand if you've heard of Mallory. Raise your hand if you've got Mallory to successfully run.
It's a difficult tool to actually use. But it's infinitely more powerful than Burp. You can do so much more with Mallory, and it's fast. And it's not Java based. That got you. But it's really, really hard to set up and use. The documentation isn't very good, not very well maintained. I don't think -- I didn't see anything since like 2011. It hasn't been maintained very much at all. So most people that use it, and use it effectively, maintain it themselves. I actually have a private GitHub repository with my version of Mallory in it, and it's because I've had to make so many changes to it to keep it functioning over time that I want version control. I can't just -- I'll lose the tarball if I lose the machines. And then there's Squid. People look at Squid as like a good, regular old proxy, but it can actually do scriptable changes. It's fast, it's efficient, it runs as a service, and it's really, really good at what it does. We'll talk about Squid here in a little bit.
So let's, uh -- yeah. It is. Passwords anymore are ineffective unless they have spaces. Remember that: put spaces in your passwords. People don't think about spaces. Spaces at the end of passwords, when you crack them, show up as a blank space, right? So you're like, I don't understand why this password isn't working. Well, it's because it's got a space at the end of it.
Let's talk a little bit about Burp Suite. You guys know, it's Java, it runs on almost anything. Runs really well on almost anything, and runs really slow on almost anything. Java is one of those things that we wish we didn't have to put up with, but we do have to put up with it. But it's good, readily available, and the free version is more than effective for what most people need, unless you're doing some really serious heavy, heavy, heavy application testing and want some automated stuff and some automated certificate stuff.
My arrow keys just aren't working well. It just works, most of the time. It's like an Apple computer, you know. Or an iPhone. Just works. Your 5-year-old can probably figure it out. It's pretty cool, it's got a real good GUI. It sets up requests and POSTs in such a way that you can actually change them and see what's going on. I'll be honest, if I'm looking for something quick, Burp is the first thing I grab. If I don't have time to play with Mallory and get it fiddled and set up, if I'm just looking for a quick, you know, two-day engagement, I'm doing a pentest on an application, I'll pull up Burp Suite and go through it that way. It's really, really good at what it does. It grabs cookies. It will hold GETs and POSTs for you. It will sit there and fake the server out, like, yeah, I'm trickling the data to you, just on a really slow connection, and let you change things. And it's really great to escalate privileges, because a lot of people don't think about -- developers don't think about the cookies that they're setting. You know, they set this cookie and they're like, yeah, you've got user level. It's like user level zero. Like, okay. What happens when I change that to user level one?
And all of a sudden I've got admin access it's hilarious, are like, how did you get that? Well, I just changed it on the way.
That's Pyro. Is that Pyro? No. If that was Pyro we'd really mess with him. And it's not Pyro so I'll leave him alone.
It can change cookies, variables and HTML responses on the way back to the server. This is a client-based tool. You're not going to actually change the traffic going from anything but your client -- or your group of clients that you've configured to use this proxy -- to the server. And so this is a really good way to get into things, Tomcat and stuff like that on the server side. Speaker goodness, interrupting me. I'm just giving you a hard time.
It has some very powerful SSL options. SSL is only as good as your user training. I can present you a fake certificate, and as long as you are trained to click on, yeah, give me that fake certificate, I've got all your traffic. Our social engineering efforts are vastly, vastly, vastly successful because people have gotten used to, oh, that looks odd. But, hey, I've got an okay button, I don't want to call IT, I'm just going to click okay.
You know. Google Chrome has gotten better in that it's presenting a yellow screen, a full-on yellow screen now, but it still gives you the option to be like, yeah, I understand what you're saying, I'm going to go through. It used to be red. The red screen really freaked people out; I think they changed it to yellow because they were getting too many calls.
Yeah. This is really kinda what Mallory is all about. I'm the best hacker ever, I downloaded this thing on the Internet to do it. And Mallory, it's tough to use; we'll talk a little bit about it. It's really, really, really powerful, though. More powerful than Burp and much more -- much faster. It's got very, very good SSL options. Just like Burp it will auto-generate certificates, but if you have the right type of root certificate, like a fake root certificate, it will generate these valid certificates with the valid information based on the certificate it downloads from the actual site that you're attacking. So it will actually fill everything in like it's a real certificate from Google. Like Google, HTTPS, and you'll look at it and it's Google Incorporated.
This is the date. It's just been self-signed. If you actually examine it -- if you have a user that is actually going to examine the certificate and look at it -- it looks legit. And you're like, oh, okay, Google just made a mistake and put a self-signed certificate up there, I think I can accept that. And I'll let it through. And then you've got all their traffic, and it's very, very good. Very configurable, and almost too configurable.
Linux and Mac OS are the easiest way to get Mallory working. I actually have a virtual machine that I keep just for Mallory. And it's because it takes so many different libraries, it has to be massaged in just the right spot, it takes a certain configuration of iptables in order to actually work. So I just keep it all set up on a VM that's ready to go. I boot up the snapshot, I start Mallory, I'm ready to rock and roll. I know that I can make the changes to the configurations I need to go. It has a Chrome plugin that will allow you to look at cookies and do injection of -- change or injection of cookies and things like that. It's not very effective, it actually kind of sucks, and it's really difficult to understand. It's a great tool; try it out, go download it. I've got the link somewhere on here, and it's actually in the presenter's notes, which are on the conference CD.
It can be very, very, very picky. It really doesn't like -- what the heck is going on back there? That is really, really annoying. He's going to go take care of it for me, I love you, man, thank you.
It can be really, really picky about the environment it's set up in, and it can be really, really, really tough, again, to get working. And there's not a lot of prebuilt tools for it; you're going to be building a lot yourself. If you can code in Python or C you're going to be set up and ready to rock and roll, but you're going to be writing a lot of your own plugins and a lot of your own tools to get it working. There's some real advantages to that, in the fact that you can write your own plugins and your own tools, and so as you do that you'll get your own personal suite of tools and plugins that you've got around Mallory that will do some really, really cool stuff. I don't share mine; that's probably a really, really bad thing. I should probably start doing that, but I am possessive of my Mallory stuff, because I don't want people to find out about it and be like, oh, yeah, got you.
And it's not maintained. It hasn't been maintained since 2011. There hasn't been a new release since then, and I think it's just due to lack of popularity. So if more people start using it, we can start to maintain it, we can actually make it a solid, stable and scalable tool.
Disgusted cat is questioning what he just saw. Squid. The Squid proxy is a staple of Linux proxies, UNIX proxies, really. It's used every day as a normal caching proxy. In fact, I used it as a caching proxy for years at home when my Internet connection was slow, because it sped things up so drastically, and it's really, really, really good at that. It's very good at doing the caching stuff. But it can also be turned into a very nefarious tool with iptables and PF. It can actually be completely transparent to the user. I can redirect the traffic into Squid without having set up a proxy configuration on the browser, so I can sit there in the middle of this traffic and be modifying it all day long, and you would never know it.
Man, who did this PowerPoint anyway?
It's good for fast and static replacement. If you want to replace images, or you want to put a header at the top of a certain set of web pages, captive portal type stuff, it's really good for that. And lots of modules and lots of support, and it's very, very well maintained. It's more or less a commercial product, and people use it all over the place. And so picking those products and then being able to twist them to your own uses is something that is incredibly valuable.
And it is the best thing to prank your friends with. It's readily available at home, there's lots of resources on the web to do what you want to do with it, and it's a whole lot of fun.
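Editor's addition, not part of the talk: earlier the speaker mentions replaced images that never show up because they are "not injected right", and here he describes doing replacement in a transparent proxy. The usual reason an injection breaks is that the proxy changes the body without updating Content-Length, or writes into a gzip-compressed body as if it were plain text. The example below is written for this transcript (it is not Squid or Mallory code) and is the rewrite step such a proxy would apply to one captured HTTP response: it decodes gzip if present, injects the upside-down-image CSS from the speaker's prank, re-encodes, and fixes Content-Length. The sample responses are constructed; chunked transfer encoding is deliberately rejected rather than silently mangled.

```python
"""Rewriting a captured HTTP response the way a transparent proxy must:
fix the body, then fix the framing. Editor's example for this transcript;
the sample responses are constructed."""
import gzip

# The speaker's prank: every image on the page renders upside down.
FLIP_CSS = b"<style>img{transform:rotate(180deg)}</style>"


def flip_images(html: bytes) -> bytes:
    """Insert the CSS just before </head>; prepend it if there is no head."""
    idx = html.lower().find(b"</head>")
    return FLIP_CSS + html if idx < 0 else html[:idx] + FLIP_CSS + html[idx:]


def split_response(raw: bytes):
    """Return (status line, [(name, value), ...], body) for a full response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response header")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def rewrite_response(raw: bytes, transform=flip_images) -> bytes:
    """Apply transform() to an HTML body and keep the response well-formed.
    Non-HTML and unknown encodings pass through untouched."""
    status, headers, body = split_response(raw)
    hdr = {k.lower(): v for k, v in headers}
    if b"chunked" in hdr.get(b"transfer-encoding", b"").lower():
        raise NotImplementedError("de-chunk the body before rewriting it")
    if not hdr.get(b"content-type", b"").lower().startswith(b"text/html"):
        return raw
    encoding = hdr.get(b"content-encoding", b"").lower()
    if encoding == b"gzip":
        body = gzip.decompress(body)  # edit the HTML, not the compressed bytes
    elif encoding:
        return raw  # br, deflate, ...: leave alone rather than corrupt
    new_body = transform(body)
    if encoding == b"gzip":
        new_body = gzip.compress(new_body)
    out = [status]
    for name, value in headers:
        if name.lower() == b"content-length":
            value = str(len(new_body)).encode()  # the part people forget
        out.append(name + b": " + value)
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body


def body_text(raw: bytes) -> bytes:
    """What the browser will actually parse: body with gzip removed."""
    _, headers, body = split_response(raw)
    hdr = {k.lower(): v for k, v in headers}
    return gzip.decompress(body) if hdr.get(b"content-encoding", b"").lower() == b"gzip" else body


# Constructed sample responses.
PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
         b"Content-Length: 41\r\n\r\n"
         b"<html><head></head><body>hi</body></html>")
_HTML = b'<html><head><title>t</title></head><body><img src="a.png"></body></html>'
_GZ = gzip.compress(_HTML)
GZIPPED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n"
           + b"Content-Length: " + str(len(_GZ)).encode() + b"\r\n\r\n" + _GZ)
PNG = b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 3\r\n\r\nabc"

if __name__ == "__main__":
    print(rewrite_response(PLAIN).decode())
    print(body_text(rewrite_response(GZIPPED)).decode())
```

Squid's own rewrite hooks and Mallory plugins do the same bookkeeping for you; when a replacement "doesn't come up", a stale Content-Length (browser truncates or hangs) or CSS injected into gzip bytes (browser gets a decode error) is the first thing to look for in the capture.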
So I was going to do an SSH monkey-in-the-middle here. I booted my VM this morning and I got set up to do it, and, as always, the demo gods are not in my favor today. So --
>> I would just like to say that those guys --
>> Oh, wow. It's a flying dick. We'll set that there for the next speaker and he'll wonder what the hell happened in here. It will be a lot of fun. But instead I'm going to do some time for questions and answers here at the end, because they didn't give us any Q and A time after our talks this year, and I wanted to be able to answer you guys' questions. So, I'm going to take the ten minutes I set aside for that and do that instead.
The other thing I want to talk about is the All Porn Internet. Redo. I like that image, it was so much fun. I actually have something in my bag that is -- batteries are dead -- and it's a redo of something that was done back at DEF CON 17. These guys got up and talked about what they called the All Porn Internet. And it was an access point you could attach to, and it would replace all of the images with random porn. It's a great prank, a great example of what you can do with a proxy. The battery is dead in my box, in my bag right now. But it will be up -- I'll go upstairs and charge it, and it will be up, and I'll be walking around Con, and you'll see an access point that says All P Internet. It will throw you in a captive portal and it will actually ask you about your preferences.
And so, I'm non-discriminatory, I want to make sure everybody gets -- not my brand of porn, but what they want. And so it will ask you about your preferences and it will present you your preferences of pornography, and every image will be pornography, I'm sorry. But it also gives you the option to join it or not, and I'm not going to force it on you, because I understand that that's not for everybody, too.
No demo, but it will be available. I won't force it on you. You have to ask for it. It's gender and preference neutral. With that, let's open the floor up for some questions. Let's see what kind of time I've got. I've got 20 minutes left, or 25 minutes left. So, yeah.
I haven't played with it in a long time, to be honest. It's one that I will put on my list certainly to check out. If you've got something that you've done with it that you want to talk to me about, come grab me a beer afterwards and we'll do that. Yeah.
There's actually a tool, if you Google SSH man in the middle, it's part of the DSniff suite, and it will actually present a fake public key to your client. You'll get a message, a key warning, the public key has changed. I have mine configured to where it won't connect to a changed public key, but most default installations will ask you if you want to replace it, yes or no. Then it will sit in the middle and decrypt the traffic and record the traffic for you as it's passing the traffic to the next host. Because you just changed the public key to the one I presented to you, it's decrypting that traffic. It's a whole lot of fun. There's not a whole lot you can change with it, but you definitely get passwords from it.
You'd be surprised. Presenting somebody with an "are you sure you want to do this" type message will almost always get a yes answer. I do it. You do it. Come on, admit it. Do you answer yes to that kind of stuff just because it's convenient? Yeah, I'll be the first one to admit that I do it, too. I've gotten caught by my friends, they're like, got you!
I'm like, oh, man. But, yeah, everybody does it, it's kind of human nature. You get, are you sure you want to do this, yes or no, and the answer is almost always, yeah, I'm sure I want to do this. Yeah.
The best proxy to use for SSL stripping? What I would actually do, if it's just something that you're trying to do quick: use a tool called SSL strip and Burp. And that's the fastest way to do it if you're just looking to strip the SSL and get the credentials. If you want a little bit more complicated version, Burp actually does do some certificate generation. You can set it up to generate fake certificates and send them back to the client and get the message. The other way is to use Mallory and actually generate some really, really good certificates. If you can get a fake root certificate onto the client that you're attacking, then you won't have the issue of the "certificate is bad" type stuff. It's really, really powerful and cool. But, yeah, SSL strip and Burp are the first go-to.
Out in the cloud? It's gonna be hard to do out in the cloud. If you want to prank your friends, get a little -- Yeah, okay. My wife is telling me to repeat the question for everybody because they can't hear you.
She's right. She's a teacher. She knows this kind of stuff. He wants to know what the best cloud service is to set this stuff up in to prank the cloud. Or the best way. I actually do it at my gateway, my home gateway. I run pfSense, which gives me access to BSD and PF; you can do a lot of fun stuff with that. There's a lot of plug-ins for it. If you're pranking your cloud -- your friends out here, just carry a Wi-Fi Pineapple or something in your backpack with a battery on it and connect it to the DEF CON network and away you go. That's how the thing in my bag works. It is just a Wi-Fi Pineapple configured to connect to the DEF CON network, and it funnels traffic through there but it changes everything coming back and forth to it.
No, I'm not. Yeah.
VPNs. See, I'm not going to keep the Def Coins to myself, that was a really good question. The range about VPNs, VPNs are actually pretty well protected. Although most people are switching to like an SSL or TLS version of VPN, you can still use all your SSL-based tools for that and actually get access to the traffic. The problem being is that when you've got a VPN going you're oftentimes tunneling traffic inside tunnels, at least I do. You are going to have to not only man in the middle my SSL VPN but you're also going to have to man in the middle my SSH, and if I see one warning for VPN and then another warning for SSH, at that point I'm going to be like, okay, something's up. Somebody didn't misconfigure something, or I'm not on a network that is in the middle already. I'm actually being messed with. You definitely get a Def Coin, that was a good question. Yeah.
So that's actually a very, very good question. What he's asking is, when you get that yellow screen from Chrome and it's a site that you've been to, you know, but you're still getting that yellow screen, how do you verify that it's okay. There's actually a small link on that screen, there's like, get me out of here. Or then there's advanced, or everything is okay, I know what I'm doing. Those are really the kind of three options there. Under the advanced tab, you click it, it will give you all the certificate information. So what I look for when I look at that certificate is, is it really the site that I'm going to? What's the issue? Is it the company that I'm expecting to work with? Am I sending my data to some place that I actually want to send it to? Is the URL correct -- what's that?
Yeah, you'll see the CA. The certificate authority. And the certificate authority I can put anything I want in that field, it could be kind of fun, I'm generating my own root so I can be like, oh, yeah. What's that?
You really shouldn't trust it. Just click, get me out of here. That's the best option. Then if it's Google or something, especially if it's like a big name company or your bank, and it's like, oh, it's been self-signed. Don't trust it. If it says it's expired, don't trust it. Chances are if it's a big company and their SSL certificate expires they're just getting ready to put in a new one anyway, so wait 20 minutes and go check again. Or check it on an independent network, that's a good one, too. This is for you. Yeah.
His question is have I ever tied one of these tools into like a BEAST attack or a CRIME-type attack or a renegotiation type to decrypt the SSL. Yes. It works very, very, very well. The CRIME attack, until they patched it, has been amazing. Yeah. Time to wrap it up. One more question. Yeah.
It would have. They have since fixed that. But yes it would have. It actually worked very, very well. That's all I got for you guys.