Please give it up for Jay Beale. He's going to take us through the next 50 minutes. Hey everybody. I'll let you file in just a little bit while I introduce my co-presenter. This is Justin Searle. He's our newest hire at Intelguardians. Well, he's a badass guy. We'll talk a little bit more about him and his contributions to this talk, both positive and negative, because I'm going to blame things on him. Or at least, that's what he thinks. So, let's see. Here's what we're doing. I've been doing defensive programs for a long time, and somehow I've also spent about six or seven years now pen testing, and now and then we end up creating some tools. So, I'm releasing one. And you're going to be able to find this. I've got a URL at the end of the slides. You'll be able to find this up on the Intelguardians site later this weekend when I get the bugs out. But I'll tell you all about it right now. So basically, the tool is called the Middler. We tried and went through all kinds of names. What's that? Oh, hi Priest. Don't hurt me. He is a very nice man who's got a weight ratio of three to one on me. And I'm telling you it's all muscle. That's great. Fill it up. Okay. So, I'm just going to get a little bit of a slow start and let a couple more people in. But basically, here's what we're doing. We're going to talk a little bit about, in general, an attack vector: shared networks. Because we're all on a lot more shared networks than we ever were before, and we probably don't think about it quite as much. So, we'll... Come on in. Okay. For those of you watching on video, there are a lot of people in the hall, and we're finding ways to stack them around the room. Yeah, I'm not pissed. Yeah, I think the goons actually deserve quite another round of applause here. Go goons! What's that? You don't have a red cape? A red cape? Okay, great. Okay, I've been asked to reiterate, and I think it's really, really important, that if anything bad happens in this room,
I'm about one of the last people that's going to be able to get out. So, I want to reiterate that we... You can't block doors. You absolutely cannot block doors. It's not good to block doors. That is how people die. And I do not mean the people that you block from getting out. I mean you, as you get trampled. Really, really badly. Really badly. It's no, no, no fun. So, first, don't block doors. Second, keep a clear aisle, for some definition of aisle. That means goons should be able to run down it, and they may just do it as, like, a test. And, again, the goons are called goons for reasons. So, don't block the aisles either. Okay, wow. This is really a lot of fun. I'm already having fun with this, and I haven't even gotten to the table of contents. Rock. This is just cool. Okay, so let's see. So, what we're going to talk about is basically, just one of the things I like to do every now and then, I think we all do, is basically say what kinds of, what kinds of maybe bad assumptions are we making, or what kinds of issues have we kind of left behind as things that we dealt with a long time ago, or that we figure, you know, weren't much of a problem anymore. I have my own favorite set of them. You know, patching is a real fun one. I know patching is, like, one of the most boring things, but we start going and looking and saying, okay, how long does it take between when a Microsoft patch comes out and it gets reverse engineered and turned into a weaponizable exploit, and that number is, like, under a day by far. And then, you know, we look and we say our average patch time is, like, three months. I mean, you know, not all of us, because we're in this room, but, like, you know, nationwide, it's pretty bad. Anyway, patching is kind of one of those boring little things that we kind of left behind, and, well, it's actually the thing that's going to kill us one day, which, from talking to Dan, is basically what's going on with DNS too. And I think he's right.
Okay, so, but here's what we're going to do. We're going to talk about, we're going to have a little bit of fun. We're going to talk about shared networks, and not that much, but we're going to talk about what happens when you share a network with me. I mean, with a bad guy, with somebody who's up to no good and possibly has forgotten their, you know, laws and all kinds of ethics and stuff like that. And we're going to talk about how you can use these kinds of attacks to exploit a good number of sites, including Gmail and LinkedIn and LiveJournal and honestly tons and tons and tons of sites way, way, way too easily. And we'll talk about how you can do it against sites that are actually not as vulnerable, like online banks. And we'll talk about what you can do when you're sharing a network with someone. You can start trojaning software installation and update, and that was really fun to learn about, and I'll tell you how I learned about that later on. And we're going to talk about browser exploits and how it gets a heck of a lot easier when you're not trying to get somebody halfway across the country or the planet to click on a link, because you can make them go where you want, and we'll get to that. And then lastly, we're going to talk about what you can do to try to survive hostile networks. I think DEF CON has been rated by, you know, at least 14 intelligence agencies as the most hostile network in the world. Okay, that's made up, but I could see it being true. Every year I bring a laptop here, and when I get home, I burn the laptop. No, I burn the hard drive. I pull the hard drive out. It was a fresh one that went in before I got here. It didn't have any real data on it. I just installed some kind of, well, it used to be a Linux distribution, but now it's Apple, but it's good. Apple, yay.
But anyway, I get home, and I don't torch the laptop anymore because they've gotten expensive, but I torch the hard drive, and then I grind it up into little bits, and then I kind of wait for a really, really, really windy day, and I go out to one of the places where they used to test airplanes, not normal airplanes with jet engines and stuff, I mean like the Wright Brothers kind of thing, and I try to throw the hard drive bits up into the wind. Okay, well, I'm getting way, way, way off topic. But this is DEF CON, so we get to, because you gotta assume that we're going to have a whole lot of fun, and that's what we're here to do, and wow, this is a blast every single year. So let's see. The deal is basically HTTP, or let's call it non-encrypted web traffic, whatever you want to call it, non-encrypted HTTP, and shared networks. Networks you share with, well, anybody bad, or anybody who might want to be bad, or anybody who might spend a little bit of time being bad and otherwise is a perfectly reasonable DEF CON speaker. You go to these hostels, you go to all these shared networks, and we don't really think about how many times we share a network. We all got, I mean, it's really been fun in the security industry, I mean, watching our community, because, you know, we had to fight so darn hard to get companies and people to use firewalls, and we're not done yet, because I tell you, one of the most fun things to do is to actually put an outbound firewall on your machine and find out about all the things that, well, used to go out without you knowing about it.
I put this little thing called Little Snitch on my laptop for a little while, and I started watching all the stuff that was talking to everywhere, and I started realizing there were a ton of people who are still, you know, who are not behind any kind of a NAT box, they're not behind really anything of a firewall or much of a firewall, and I know this because, well, my machine's going and doing Skype to them, and it's doing all, it's just, I'm looking at it and saying, oh, my gosh. But anyway, assuming that we've all got these great firewalls and so on, we think we're pretty safe, and it's nice. We've gotten a lot safer, but then we get on these wireless networks with people, and, you know, David Maynor and Johnny Cache taught us a couple of years ago that "on" might be dangerous, and, okay, well, you know, if we don't join the network, I don't have anything like that. I wish I did, but I don't. But on the other hand, what I do have is just, if we go and start looking at actually everything that leaks out of your laptop, it's pretty amazing. I'm not going to go after everything that leaks out of your laptop. I'm pretty amazed at how much I see when I sniff a network. Of course, legally, sniffing is the only reason I'd ever sniff a network, or glue or anything. No, no. DEF CON speakers do not sniff glue. They apparently, I think, have a lot harder stuff. So, anyway, so, yeah, I mean, and if you think about it, you might be like, well, no, I never use any shared networks, and honestly, I live in Seattle now. This is, like, the place where, like, coffee houses are huge. Everyone's in the coffee houses. They're all on the Wi-Fi, and it's all free, and there's free Wi-Fi everywhere. The wireless community, it's just huge, and you find it everywhere. You're constantly going onto wireless networks in hotels, not in this one, not on my life, but, you know, you're going on wireless networks in hotels, you're going on wireless networks.
You know, if you go to a non-security conference, you might turn your laptop on. You know, you might turn the wireless card on your laptop on and, you know, join on. You might even be paying for it. Heck, you could be paying for the wireless networks, and they're still not really any safer. You're sharing it with a whole bunch of people who may or may not have had bad people install bad things on their laptop even though they're good. So, you know, we go to coffee shops, we go to bookstores, you know, actually, there's been a series of great talks, one with Simple Nomad talking about going on an airplane and starting to just, you know, find people with their wireless card on, and he would go and set up a little network with them and, you know, start seeing what he could see. I'm sure that he didn't do that. It's all fictional stories. The deal is, especially with wireless, we're all on shared networks with lots of bad people all the time, and it's really kind of nice to think about, well, maybe it's not, but I think it's nice. I think it's nice to think about what people can do and what people are doing, and you open yourselves up to a heck of a lot of attack. You also open yourself up to a whole lot of monitoring. I don't know anybody who does this, or if I did know them, I wouldn't have known their name or anything like that, but I've heard there are lots of people on wireless networks who just simply set up a sniffer of some sort and just start watching passwords go by. Well, and so, you know, a lot of the services that would have clear text passwords go by started saying, wait, we've heard of this Wall of Sheep thing, and that's not good, so we're going to start, we're going to encrypt. We're going to encrypt something.
We'll encrypt those passwords, and so now, you know, my friends who I don't know the names of who would be sniffing on these wireless networks, they don't see passwords go by anymore, but they see all kinds of conversations, and they see email going by, and they see all kinds of wonderful clear text stuff. This is what you've got to kind of understand, and this is what you've got to tell your friends, you've got to tell your family, you've got to tell your places of employ, and you've got to tell everybody on the earth: if we share a LAN, if you and I share a LAN, I can view and modify your traffic, okay? Whether or not in modifying it I break it because it doesn't work, it's useless to me and useless to you, and that's different. If it's clear text, for the most part, I get to view and modify it, and I have a lot of fun. By the way, this is one of the... I don't really have rants. I'm a pretty nice guy. I don't think anybody's ever said, wow, Jay, he's grumpy, right? But I have all these weird thoughts about things, and things that kind of bug me, because I start to think about it, and I say, you know, because you can call us consultants, we do sell our time by the hour and all that, but, you know, I go and I talk to lots and lots of companies, and we sit down, and one of the things we do is we talk about, you know, before we start hacking anything, or looking at firewalls, or whatever we're going to do, we kind of say, well, you know, what are the threats that are most, what are the biggest things that could harm the business? And when we do that, we say, okay, they start talking about the data that we're going to be able to see. They could see secret stuff, and they say, and they could take things down, they could do denial of service, and they always, always, I swear, always forget the last one. Everybody knows that first one is confidentiality, and that, well, kind of last one, but I've reordered it, is availability. Anybody know what the middle one is?
Integrity. Oh, God, wait. Who the hell cares if I can see that data? Sometimes it's really good that I can see it, and you didn't know I changed it. And what if I could do that, you know, all the time? And I think that's one of the things we're going to talk about in this talk. We're going to talk about how with good tools, or, you know, honestly with even bad tools, you can get at the integrity part just as much as the confidentiality. You can have a heck of a lot more fun with the integrity. It's a lot more fun, and we'll get into the kinds of attacks. But what you need to understand is if you're sharing a LAN with me, especially a wireless LAN, it's one broadcast domain. You know, we all had hubs, and it was, like, really crazy because you could, like, tell your network card to just tell you everything that went by on the wire instead of just the stuff that was for it. And all of a sudden, you'd be like, wow, I can see everybody's traffic, and it's really cool. And then, well, it's been kind of a decade since that was really all the way through. You know, we got switches, and these switches were really nice, and now we can only see your stuff. And, well, unless you played some games, which we'll talk about. But on a wireless network, oh, wow, the packet goes into a hub, and the hub sends it out in all of the directions. I mean, dude, I can be really, really far away. As long as you've got a really nice antenna, you can be really, really far away and watch all of your traffic, and you don't know it. And you didn't have to do anything, and I didn't have to throw any packets. You didn't even know I'm doing it. That's, well, anyway. So we'll get into that. So the thing you've got to understand is I can, if we're on a LAN together, and I'm bad, I'm looking at your traffic. This is just to stand up your own DHCP server. I mean, you know, you could go and play games with the switches, but why not just stand up your own DHCP server?
I mean, everybody just kind of expects they'll put their laptop on a network, and their laptop will go and try to get an IP address, and they figure that the box that gives it to them will probably be a nice, friendly one that was supposed to be on the network. But, honestly, DHCP is this wonderful broadcast thing, right? It's like, hey, does anybody have an IP address for me? Me, me, me. And it says, and somebody wins a race. And sometimes that's the right somebody. And sometimes it's the wrong somebody. Now, I'm going to tell you guys something, because we're at a hacker con, and I've been on a lot of good networks gone bad. If you're going to do that to me, if you're going to give me a DHCP lease instead of the real person, if you're going to do any of these network games, please route my packets. I mean, really, how many of us have gone on a network and we're like, okay, the network's down. What's going on? There's some fool trying to sniff all the traffic. He sent all the traffic to him, but he's not bothering to route it because he's clueless and stupid or lazy or whatever. Or he stopped a long time ago, but he didn't put the network back the way he found it. Which, really, you've got to think there's got to be some kind of ethics to doing bad things. I mean, you can be bad. But there's levels of badness. You know, there's, like, shoving somebody in line or cutting in line, and then there's, like, eating a kitten. Eating a kitten is really bad, okay? And I would posit that if you're going to watch my traffic, if you're going to have all my traffic go to your box and you don't bother to route it out to the internet where I was trying to get, that's eating the kitten. Just don't do that. Okay, so here we are. So the DHCP server's a nice way of doing things. Another nice way of doing things, and it's amazingly simple and easy, is you can run a little tool like arpspoof or Ettercap or whatever, and you can run a little tool that will basically say, hi, I'm the router.
Everybody who wants to go out, you come to me. And if you wanted to be really, really careful about it or really, really targeted, you could be like, no, I'm that one server. That's the really, really, highly important server. But honestly, most of us, if we were bad and we were going in, we just, you know, we just want to be a router. Maybe we want to, actually, honestly, maybe we want to be the DNS server. That's a good person to be too, because you start saying, wow, everybody who asks for livejournal.com, that's my laptop. And they're not ever going to know the difference. Anyway, so we'll get to that. But this is, I think this is kind of fun. Anyway, yeah, I added a slide. I added a slide I forgot about adding, but I added it. DNS is a beautiful, beautiful thing to an attacker, and we wouldn't be complete if we didn't talk about it. UDP protocols are so beautiful because they're so much easier to spoof, and they're just, it's just so much, it makes things worlds easier. And it's a beautiful thing for an attacker, and Dan, I read Dan's slides. I missed his talk before, but I'm going to see it. But Dan has some really good ideas here. DNS is a wonderful thing to an attacker. Absolutely. What I really like, you know, on the one hand you could spoof DNS replies to everybody on the network, and that doesn't go away as a threat. We don't really have much of anything we can do about it. Okay, if you happen to put your laptop on a network, on the same network, and I send out a DNS request and you watch it go by, you can respond to it. And quite possibly, very often, trust me, dnsspoof is a great tool, you can respond to it faster than the real DNS server. Part of that is because, well, you already know the answer. Well, the fake answer, whereas it might have to go and do work to find out where, you know, what Yahoo.com is or such.
Anyway, the other really cool thing about DNS is if you can poison it, if you can poison DNS for, like, an hour or five minutes or 10 minutes or whatever, you can get an SSL cert. Because honestly, the way they do SSL certs is kind of simple. You apply for an SSL cert, and if you can get email for the domain for a short time, then you've got the SSL cert. And revocation is really amazingly difficult because, basically, the people who own the domain for real have to wait for it to expire. So, okay, well, I'll get to some more man-in-the-middle stuff, but I think that this is good stuff to think about. We trust our networks way too much. So, if we share a LAN, did I go back a slide? Hmm. Okay, so let me get on to some of the, let me get on to some more of the meat. I've been playing, I've been man-in-the-middling, and I've been surprised at, well, how much of it goes by clear text and how much stuff is in there and how much stuff is persistent, and now I'm afraid of Google, too. But I'll get to that. So, basically, part of what I want to say is that, you know, beyond just the straight, this website is clear text, sites that are mixed between clear text and not-so-clear text, between, you know, HTTP and then whatever you want to call it, SSL, TLS, encrypted web traffic, I think it's a reasonable thing. And the problem is that anytime you're unencrypted, I get to watch. But remember, I'm into integrity. I don't just get to watch. I can clone your session. Okay, I can throw in whatever I want. If I can route your packets for you, and I try to say that that's actually pretty easy and trivial and we all knew how to do that a long time ago, if I can route your packets for you, well, then I can take any of the ones that, you know, will let me, any of the clear text ones, and, you know, I can use them if I want. I could, honestly, I could keep them for myself and not send them on to their real destination.
And I could send my own stuff on to the real destination, and then when the answers came back, I could hold on to that and I could send you something else. And if you start scripting this, if you start going programmatic, you can really do a whole lot. Part of the way I got an idea for this was basically the idea of taking a user who's signing in to webmail and saying, wait, if I can get them onto my webmail server, then I can control their whole, like, email world. I know that sounds really overblown, but really it's, I can sit there and say, okay, well, I don't want them to see this email that came in. So I'm just gonna make sure that in the view that they're getting of the data, they never see that email. Maybe they never see any email from this person. Maybe this is, you know, maybe I'm, you know, I don't know, let me think of something bad. I don't know, we're both trying to date the same girl, maybe. And, you know, this guy's never gonna get an email from her anymore. And he's saying, I don't ever want to talk to you again. Right? And she's not gonna know unless she goes out of band. But, you know, but we've got VoIP and I'm working on it, right? So anyway, we've got this, so it's really, I mean, you really, it's really freaking crazy, because you can put someone in their own little email matrix and they don't know they're in the matrix. They think that they're just going to their mail site as per normal, and it's not that hard. And I wrote a tool to do this kind of stuff. So anyway, one of the, this is actually one of the things that got me thinking about this was basically, we've been doing, we do a lot of web app hacking. I do a lot of web app hacking, and it's really, really fun, and it's great stuff. But constantly we talk to companies and we say, you know, your users are logging in and you're encrypting their password, and then after that, you're leaving the whole session unencrypted, and they say, well, we protected the password.
And I look at the password, and I say the problem is that if I share a network with them, not to be repetitious, but if I share a network with them, I can see everything they send, but more than that, I can impersonate them, and I can impersonate them for, well, about as long as I can manage to keep a cloned session. So it's really kind of, I mean, with most applications, I can be in the application. They can be in the application. We can both be in at the same time, both as the same user, and they may not know if I'm modifying data; it could be subtle. So anyway, I mean, this is one of the, I take LinkedIn as an example, but I only take LinkedIn as an example because it was just one of the ones I was thinking about. It's one of the sites that we all, you know, that I think a lot of people in this room use. But LinkedIn is this great site. You can go to, you can, like many, many people, just go to www.linkedin.com and you'll have an unencrypted session, and then when you go to do your password, you'll go unencrypted. And you could say, no, I'm not going to be like that. I'm going to make sure that I'm not going to Jay's version of LinkedIn. I'm going to make sure that I'm going to the right one. So you'll type https, colon, slash, slash, you know, www.linkedin.com, right? And that'll actually give you some assurance that you're actually getting to the real LinkedIn, not to me instead, and then I'm going to forward things on. Okay, that's good. The difficulty is that you'll go to that encrypted site, and then LinkedIn will take you back to clear text. And you may say, well, I can keep typing https, and the problem is they keep giving you pages back that have, well, clear text links all over them, so you're just stuck. And that's just how the site operates, and it's really, really no fun. So that's our red link. That's where you go. So if you change the URL, clicking on any link basically just gets you back to not-so-SSL, not-so-encrypted.
Anyway, there are people out there that have made modifications to browsers, they've gone and gotten plugins. They do like me and surf through a defensive proxy. And basically they make it so that all of their stuff, whenever the site will permit it, is going encrypted every single time. So they just keep making it encrypted, and a lot of applications will let you do that, but not all of them. But anyway, the nice thing for me as an attacker, it's really a lot nicer to be an attacker. I'm telling you, it's, like, way better to be on the attack side of this one. Okay, as an attacker all I've got to do is wait for one request to go by and I get to clone a session, and maybe I get to inject some things. I might inject some JavaScript or inject some redirects. So, you know, let's look at, let's kind of start thinking about what I can do. So one of the first things I do is basically I'm going to get your machine to go to my machine. Maybe it's going to my machine because it thinks it's the router, maybe it's going to my machine because it thinks it's the DNS server or the real web server or what have you. I might do it through ARP spoofing. I might do it through DNS spoofing, and I might do it through DHCP spoofing. And none of that's really all that hard. I mean, there are nice command line tools for everything but the DHCP spoofing, and for the DHCP spoofing, well, you can use KB or HP or whatever, or you can just stand up your own DHCP server that has the same settings as the real one, because they're kind of public. You can figure out which IPs are taken and, you know, go and assign the rest. You can be really friendly. You know, I don't know if you guys have seen this, but I've thought about this, but this is really kind of the way that DHCP thing works. If I can beat the DHCP server and give you an answer before the real one does, well, everything's going to work just fine as long as the real DHCP server doesn't give out your address.
So if I kind of watch what addresses it's giving out and say, okay, well, it's not going to get to these last 20 for a while, so I'll give out those. It's kind of like this guy, this happened to my wife, like, a week ago, it's kind of like the guy and the parking attendant in that lot, if there is an attendant, doesn't really wear a jacket or uniform, and he just goes up to people who are parking their cars and says, hey, it's $5, and writes them a receipt and then walks away from the lot, and you get a ticket and you're like, what the heck? This is, you know, yet another way you're not really quite sure who you're talking to. Somebody got friendly. They said you can have that spot, no problem. Okay. So what kinds of things can you do? I can start injecting clear... I can inject anything into your traffic. If it's clear text, I get to inject anything I want. It's fun. It's really good. I can inject anything in both directions. So I can inject JavaScript into clear text traffic. I can go and take your session keys. So, you know, like, HTTP is this really, you know, the web is this really, really crazy little protocol that kind of was invented as file transfer for the most part, right? It was kind of glorified file transfer. Pretty fast glorified file transfer, but glorified file transfer with this nice hyperlinking stuff. And then we've, like, gone and basically made everything web. I mean everything, and we'll talk about that, but we've made everything web, and so that's really nice. But the thing is, as glorified file transfer, it doesn't have any state. So we bolted on this weird thing called cookies and said, okay, as the server, I'm going to go and I'm going to tell your browser, hey, every time you talk to me, I want you to remind me that you're user number 45, because otherwise I'm not going to know that you're user number 45, that you're user Jay.
So I'm going to remember, Jay logged in, Jay gave me his password, and in exchange for his password, I gave him this session ID, I gave him this cookie, I gave him this thing, I gave him a number, I gave him 45, you know, like at a deli counter. And I said, okay, every time you talk to me, remind me that you're number 45, so I can remember that you're Jay, so I don't have to ask you for your password every single time. Okay, cool. So we've got these session cookies, but if anybody watches that number go by, very much like the deli counter, or whatever, or the pharmacy or what have you, they can kind of come up and say, oh, good, I'm so glad to see you, number 45, here's your prescription. Right, this is, anyway, it kind of works very much the same way with web apps. So if I've got session keys, if I've got your session keys, if I can see them once, well, then that means I can start up my own parallel session, and some web apps are really nice and actually say, wait, there's two of you, and I'll knock one of you off, and I'll probably win the race, but you'll probably notice me. So I guess that's better than if, like, you know, we just were both there and you never noticed me, but it's still not great. So there are other things I can do. I can intercept your logout request. So you go and say logout, and I'm like, wait, if you log out, this session hijacking thing, or this session cloning thing, doesn't work so well. So I'm not going to let you log out. You try to log out. If I'm proxying all your traffic, if all your traffic's routing through me, then I'll just say, logouts? Nah, I'm not permitting those. And if I know the application I'm dealing with ahead of time, instead of just, you know, this is one of the things with existing tools, right? If I know the application ahead of time, and I know this is the logout link, well, I could just make sure that any time you send anything that matches this given regular expression, ooh, regexps, then I'm not going to let it go by.
But I'll let everything else you do go by. Just not that one. Okay, so what else can I do? I can replace, and this is his idea. It is, I think. At least I think I had it, but then I forgot it. But that's like so many ideas we've all had, because I'm pretty sure every idea I've ever had, somebody else has had before, and not just one, like 15,000. So anyway, this, I can go through and I can replace HTTPS links with HTTP links. And this is something really, really cool. This is something that we're actually doing, that we're actually doing in the Middler. This is part of the reason the Middler is, well, not entirely working right now, because we added some functionality at the very last minute. But on the other hand, it's cool functionality. It's better. So now, well, I'll go into exactly how it works. So the Middler basically does this. The Middler has two kinds of modes. One is an interactive mode. And that interactive mode is somewhat similar to existing tools, except that it actually is there to make it kind of brain-dead easy for you to clone other people's sessions. Instead of having to be a web app hacker, instead of having to be a web app programmer, where somebody really, you know, could follow this, and it takes a while. It really does take a little while with some of these apps to go and profile them and say, what do you need, and so on. We've spent some time with different apps and said, okay, this is what's logged in. This is what's logged out. These are the session cookies I need. These are the things. And what we're doing is basically doing something non-interactive. But I've gotten ahead of myself. We've got this interactive thing. And basically what you can do is, if one person is surfing through the proxy, unbeknownst to them, and you're the bad guy who set up the proxy, you can go to the proxy and say, I'm going through the proxy and I'm coming from my IP address.
Well, then when I try to go to LinkedIn or LiveJournal, I'll go in as somebody else. And I can choose the somebody else. But I can go in as somebody else that's on the proxy right now. And maybe as many of them. So that part we're kind of all used to. I mean, we don't do that so much because the existing tools kind of make it easy to watch, but not so easy to actually, well, modify. Again, integrity, not confidentiality. Well, both. But integrity is really fun. We're more to the point attacking it. So the first part, so we can do this. This is kind of the interactive part, the part that you're really going to do. And this is human. This is at human speed. But I like machine speed better. It's faster. But at human speed, we can actually go and basically, you know, we can just clone someone's session and make that really easy. And you don't have to go and sit there and figure out which things you need to clone, which things are being changed, which things you need to hold static, screw that, let the proxy do it for you. And it's a useful thing. We can also just start saying, you know what, as long as you're going to be able to clone someone's session, as long as you're going to be able to proxy their session and, you know, look at every single bit that comes through and change whatever you want, we can actually start going through and injecting JavaScript and other links into the page. You can put in whatever links you want. But I like JavaScript because it means you can send somebody to links they didn't want to go to. You could put in pictures, as we've all seen with some really disgusting pictures. You can go through and, you know, we tend to see it here. I don't know why that is. But you can go through and put in your own, and I like this a lot because you turning off JavaScript doesn't really save you one bit, this part of HTTP. You could go and actually start putting in your own redirects.
So you can say, hey, you know what, I'm going to decide that every other user, or only these three users or whatever, are going to be redirected to the site of my choice. And that site of my choice might be, I don't know, it might be my own vanity site, but that wouldn't be nearly as fun or nearly as evil. I could make it a phishing site, but that's not all that much fun. What I'd really like to do is redirect them to, I don't know, Metasploit, yeah, client-side exploits. So that would be fun. Or I could redirect them over to, you know, anybody heard of BeEF, the Browser Exploitation Framework? I think it's really fun. This guy, Kevin Johnson, who's like taught everybody a lot, is like, got me really into this idea, and I'm blown away from some of the demos I've seen. I need to play with it more myself. But this is pretty easy. You can, you know, we can go through and do some of the normal stuff, which is the user's whole session, and the Middler's actually got some really nice stuff. Again, trying to go and basically take previous tools to a really, really different level. The Middler's actually got some stuff in there so that we can parse out the XML that's going by. We can parse out JSON. JSON is JavaScript Object Notation. It's like what Google uses to send your mail back and forth. So if you can parse it, it gets a whole lot easier to read somebody else's mail or throw some in there, or delete some, or whatever. But we're making it so that the intent is to make it really, really easy, not only for you to do this interactively, but for you to add onto it, because that's the idea. It's like I'm this kind of weird open-source guy, and well, this is open-source attack tools. So I'm going to tell you that it's going to be really easy. I'm not going to get to write documentation this weekend by far about how to do it, but it's going to be pretty easy for you to add more and more sites.
There's also, the really fun stuff to me, though, also is this kind of doing some site-specific features. And this is a little weird, because you say, wait, I can do all this with a browser, but I'm going to kind of go into some of the stuff you might do. So the first is, suppose Gmail and webmail, Gmail, Yahoo Mail, all the different webmails. Most of these webmails all basically leave almost the entire session clear text, which means, ding, ding, we can all have fun with them. So what kinds of things might you do with Gmail? Well, you might read the user's email, which is kind of the obvious. And by read the user's email, it'll just be in their email, but they're, you know, the email that they're reading, but also all their other email, you know, and go through the folders. And part of the intent of the Middler is to go and say, let's do this programmatically. Let's say, listen, if I'm watching Justin read his Gmail, you know, it's like, it's nice. I can go and click on a link and see what his message is and all that. I hit compose and send a message. Yeah, whatever. What I really want to do is just harvest all of his messages all at once. And I want to do it before I even knew about it. I want to do it while I'm off drinking or, you know, whatever it is I do, eating sushi, because I don't really drink so much, but sushi, that I do. But so the, you know, I want to make that really, really, really easy. And that's the intent. Okay, so we're automating the... That's a bad word too. Gee, I don't have any cur... How do you not curse at DEF CON? Yeah, we're automating the crap out of it. Absolutely positively. Anyway, so you can go through and you can read their email, but you can go beyond that. As long as you're logged into Google as them and you didn't need their password, you're just riding their session. Why not do a whole bunch more? Why not read all their past Google Talk conversations?
I think about that and I think, oh gosh, and why not harvest their whole address book? I mean, you know, we probably don't care about that so much, but if you were a professional spammer, a professional phisher, a professional, well, if you wanted to send client-side exploits to all of their friends or all of their coworkers or whatever, that might be really useful too. And we could send our own emails. We could do that programmatically so we can send tons of emails and they all look like they came from this guy and he can't prove that it wasn't him, right? You follow the headers and you're like, yeah, this was absolutely him. You can go and profile the user in all the other Google applications, awesome. You can profile the user in all the other Google applications and, you know, since you can prevent that, since you can prevent him from logging out, he thinks he's logged out and you're going to keep using that session for a long, long, long time. When I start thinking about all the Google applications, I really get scared. I love Google. I love all the stuff that gives me, that gives me all this wonderful functionality, most of it through my browser and even through my phone. That's really, really cool. But every so often I think, gosh, wow, you know, if I were Google, I have a lot of information on a lot of people. You know, I almost want to sell that stuff. But if I didn't sell it, maybe I'd just, like, one day, I'd be like, you know, screw this ad stuff. We're going to be an intelligence agency because we already know it all. I mean, we don't know it. But it's all in there. We just have to mine through it and find it all. Anyway, hopefully Google won't get mad at me and publish all of my stuff on the internet somewhere or, you know, whatever. But be nice. Okay, so it's kind of crazy. Imagine not so much what happens if, you know, don't think so much about what would happen if somebody could get to your Google data, right?
Because you're like, no, I'm too smart for that. I would never use Gmail for anything that wasn't absolutely public. I know you're all like that. I'm not. So why don't you think instead about what would happen if you could get to all of my Google data? What would happen if you could get to those docs and those spreadsheets and, you know, my email and my chat conversations and my bookmarks and my browsing history? I mean, Google will show you your own. As long as you're cloning somebody's session, why not look at theirs? I mean, you know, mine, I guess. So please be nice when you're looking at all of it and, you know, keep it to yourself. It'll be just between you and me and you and you and you and you. Okay. But this is bad. You shouldn't do it, so please don't go and do this stuff to me. Please. Please. Pretty please. So other sites. I think a lot of journals are really fun ones to think about, too. This is one of the reasons I targeted it as one of the first sites to do this within the tool. And LiveJournal really shows you the power of... I think LiveJournal really shows you the power of doing this programmatically. LiveJournal is a blogging site, but to call LiveJournal another blogging site is kind of really underestimating what it does. People think of LiveJournal as a private thing. I don't know. Who in here has actually got a LiveJournal? I know we're all kind of getting older, so it's, oh, more of you do than that. I read some of yours. Okay. So this LiveJournal thing can get really popular, especially among young adults. But basically, LiveJournal is this blogging site where people kind of expect that a lot of their blog posts will be private. They mark their blog posts as just for me. It's like your own little journal site, and your own little diary. But they also mark their posts as just for me and my friends. My friends can know this, but nobody else can, because this is really embarrassing. 
I don't want everyone to know about how drunk I got last weekend or whatever it was. But they can actually do something else. They know far more than I do, because I've logged into it like, I don't know, you know, once a month or something. But, you know, I've talked to people, and they have all these filters set up. They say, this is one group of friends, this is one group of friends, this is another group of friends, this is another group of friends. This group can know about my career, but this group can't, and this group can know about my sex life, but this group can't, and so on and so on and so on. I'm serious. I'm serious. I could, yeah. So anyway, but they have this expectation of privacy, and yet it's also clear text, which means you could programmatically with a proxy, if you could get them to surf through the proxy, which just means you have to be on a, you know, on a wireless network with them, which, oh, that's never going to happen with somebody who blogs. People blog from everywhere, right? So, you know, you can go through and read their private and their friends-only journal entries, but you can do more than that. You could go and make them all public if you wanted to. You could make some of them public. You could make some of them that aren't supposed to be seen by one of the groups of friends visible, you know, to that group of people who would be offended or what have you. You could go through and harvest their friends list and then go look at all of their friends' private posts. And if you did this programmatically, which is what we do in the Middler, you'd get a lot of it really fast and it would be kind of fun. Anyway, you could even start, you know, you could even give yourself more privilege. You could add your own user to the victim's list and now we've got something like Samy all over again. And there have been some really great talks about social networking at Black Hat and DEF CON this year and yes.
So LinkedIn's another good one, same kind of thing. Just imagine the same kind of thing. It's just we all kind of have this expectation of LinkedIn that, you know, Justin's my friend. He can have my phone number. He can have all my phone numbers and my home phone number. That's okay, but I'm not sure that I want everyone to have it. That's, you know, so whatever. I want to go a little bit further. What's wrong with this picture? This is actually pretty hard to see, but this is a clear-text banking site. This is clear text. This is US Bank. This is the front page of their site. Okay, it's clear text. And I've blown it up a bit. There's some locks over here where you put in your personal ID. Okay, this is where you put in your username. And there are locks and those locks are there to make you feel very safe. Okay, so why are they there to make you feel safe? Well, that, this form where you put your login ID, it's encrypted. It's okay. It's SSL. So we're all supposed to feel safe. And I remember back when I did feel safe with that and I felt really dumb then once I figured it out. I said, wait a second. Since you went to the clear-text site first, doesn't that mean that that SSL page, that SSL link doesn't have to be SSL? And you may not even ever know it wasn't SSL and most of us don't look for it. I mean, honestly, Justin, you made a good point. You made a good point about this. He said, wait, I'm a security guy. Great. He said, I'm a security guy. And I don't always notice if it's gone SSL or not. I don't always notice. I'm, okay, just so I'm not just making fun of him, I don't always notice. Okay, I found out how much was clear text by sticking an outbound, sticking this Little Snitch outbound firewall on my machine and saying, what? Okay, so anyway, this is a banking site that, you know, if you wanted to, you could fool a tremendous number of people into just, well, never going encrypted.
And this is actually, this is actually something, let's see, yeah, we have it here. This is what the Middler does and this is one of Justin's big contributions. So yeah, you should speak to it because I keep telling him. Yeah, not a problem. We have this nice, beautiful, beautiful program. Nice little thing. It came up and, oh, it's Python. It's beautiful. And he asked me to go ahead and, if I could help him out, try to finish up some of the nice functionality for the nice demo for everybody here at DEF CON. And I said, sure, why not? Good friend that I am. Get out my nice little ice pick and start reverse engineering some programs, trying to get some nice little point-and-click stuff in there for everybody. And we started this nice little conversation. You know, your concept right now is we have these secure websites and your tool only works if the first page is unsecure, if it's unencrypted. And your solution to try to gain some additional information is we're just going ahead and try to inject some JavaScript, do some other tricks that everybody's really heard. And that was kind of the backbone of the tool. And honestly, part of it was I was just going to wait. I was like, wait, they're going to go through, but Justin said we didn't have to wait. But wait a minute. We're already man in the middle on them. We have control of their connections, all their traffic's flowing through us. What if, when they go to that clear-text first page, we never let them get to HTTPS. In the middle, we go ahead and we rewrite all the hrefs inside the page so that they don't have the S. And that was where I said to Justin, wait, there's a problem. You know, you try to go clear text and it says, no, no, this part of the application is only available encrypted. So, we allow the proxy to go ahead and stay encrypted. And we basically create a proxy that strips out SSL for the client. And then it kind of keeps track.
Well, right now in a kind of stupid SYN cookie kind of way, but it kind of keeps track of all the things that it changed from SSL to not-so-SSL. All these links that used to be SSL that aren't SSL anymore, it's like, wait, the user surfs to one of those. When they come through me, I got to go and make sure that I change them around again and make them SSL again. So, we've got this kind of little kludge, but we kind of like it. It works. Which is we just take the URL that was SSL and we throw a little cookie in. We were going to do a random number and we probably will eventually, but right now it was proof of concept we did "secure for". So, the proxy says, okay, if the user is trying to surf and I see "secure for", I know that that means I'm supposed to go and pull the "secure for" out and make sure that I do that session encrypted. User never needs to do that. We're going to keep things just as they are. Hunky dory, and it works really well. And honestly, I'm going to tell you, I love my family, but they're not IT people and none of them will ever know the difference. Which is really sad, because I'm really working on it, but I'm just not that good a teacher. Okay. So, yeah, and then the only problem we really have left is most of us are actually typing in the URLs and a lot of the secure websites that we're actually going to, most of us go ahead and just type the domain and it pops right up and it redirects us over to the HTTPS. But occasionally we have bookmarks that go directly to HTTPS. Or occasionally we'll actually type in the HTTPS. So, the solution for that is we either simply wait for them to go ahead and have the application drop them back out or move over to another website. Or if you really want, you can go ahead and give them a self-signed certificate and broadcast to the world, say, hey, I'm right here, I know that how many people actually pay attention to that little thing. Absolutely.
So we have multiple different options there, but given enough time, that person will eventually drop out of SSL mode, eventually find something to click on that is back in SSL mode and we'll prevent him from ever going back in. Okay. Now, we're running low on time, so I've skipped a couple slides, but I want to get out of just the application, out of the web application space. There's something else I realized, and that was I have a whole lot of software that self-updates, a tremendous amount of software on this laptop right here that's self-updating all the time. And the first time I thought about it, I was like, wow, if anybody were to sniff the wire, they could find out what versions of software I'm running. They'd figure out which ones were vulnerable and they could even send me client-side exploits specifically targeted to the vulnerable software that I have. And since they're watching me try to update and they know that update's going to take 20 minutes to download, they can do it while I'm still downloading the update. How about a race condition there? We started watching this, we started looking more and more at this, and there have actually been, I started looking at this and I said, wait, my iPhone, my iPhone's got this, okay, so any Apple people in the crowd? Could you guys, like, plug your ears? So I might have jailbroken my iPhone and it's possible, or it might have happened to me while I wasn't looking because I went to, actually I probably surfed to a vulnerable, I've probably surfed to a website that was supposed to be all nice but it had an image file that was, you know, bad. It was bad, and so it got hacked. But one of the things I learned with this Installer.app thing that was really, really cool, I mean, the baddie who hacked my phone, he left me this Installer.app thing and, you know, a love for sushi. And I realized, wait a second, Installer.app, it's like pulling down a software catalog in clear text. That's really cool.
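The SSL-stripping mechanism Justin describes above (rewriting the https links in a page to http and keeping the proxy's own upstream leg encrypted) leaves traces a defender can check for: same-host http links on a site that should be HTTPS-only, a password form delivered on a clear-text page (the US Bank pattern, where the lock on the form does nothing for a page that arrived unauthenticated), and session cookies that lack the Secure flag and so would be sent once the session is forced onto HTTP. The following is an added example written for this page, not code from the talk or from the Middler. It uses only the Python standard library; the page, the `bank.example` hostname and the cookies are constructed sample data. `downgraded_links` compares a copy of a page fetched over a trusted path with a copy fetched through the network under suspicion and reports the links whose scheme changed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PageCollector(HTMLParser):
    """Collects absolute <a href> targets and <form> actions, noting password fields."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []   # absolute URLs of every <a href>
        self.forms = []   # dicts: {"action": absolute URL, "password": bool}
        self._form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(urljoin(self.base_url, attrs["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, attrs.get("action") or ""),
                          "password": False}
        elif tag == "input" and self._form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def audit_page(page_url, html, set_cookie_headers=()):
    """Audit one response from a site that is expected to be HTTPS-only.

    Returns a dict of findings; empty lists mean nothing was flagged.
    """
    parts = urlsplit(page_url)
    page = _PageCollector(page_url)
    page.feed(html)
    findings = {"cleartext_login_forms": [], "same_host_http_links": [],
                "cookies_without_secure": []}

    # A password form on an http:// page is the pattern shown for the bank's front
    # page: the action may be https, but the page carrying it can be rewritten in transit.
    for form in page.forms:
        if form["password"] and parts.scheme == "http":
            findings["cleartext_login_forms"].append(form["action"])

    # On an HTTPS-only site, same-host http:// links should not exist; after a
    # strip-and-rewrite proxy has touched the page they appear everywhere.
    for link in page.links:
        lp = urlsplit(link)
        if lp.scheme == "http" and lp.hostname == parts.hostname:
            findings["same_host_http_links"].append(link)

    # A session cookie without the Secure attribute will be sent on the clear-text
    # leg the proxy created, which is exactly what the session-cloning mode needs.
    for header in set_cookie_headers:
        name = header.split("=", 1)[0].strip()
        flags = {p.strip().lower() for p in header.split(";")[1:]}
        if "secure" not in flags:
            findings["cookies_without_secure"].append(name)
    return findings


def downgraded_links(reference_html, observed_html, reference_url, observed_url):
    """URLs that are https:// in the trusted copy but http:// in the observed copy."""
    ref = _PageCollector(reference_url)
    ref.feed(reference_html)
    obs = _PageCollector(observed_url)
    obs.feed(observed_html)

    def keyed(links, scheme):
        # Key on the URL minus its scheme so the two copies line up.
        return {urlsplit(u)._replace(scheme="").geturl(): u
                for u in links if urlsplit(u).scheme == scheme}

    ref_https = keyed(ref.links, "https")
    obs_http = keyed(obs.links, "http")
    return sorted(ref_https[k] for k in ref_https.keys() & obs_http.keys())


# Constructed sample data: the same page as served directly over HTTPS (reference)
# and as seen through a stripping proxy (observed). bank.example is a placeholder host.
REFERENCE_URL = "https://bank.example/"
REFERENCE_HTML = """<html><body>
<a href="/login">Log in</a>
<a href="https://bank.example/accounts">Accounts</a>
<a href="http://news.example/rates">Rates</a>
</body></html>"""

OBSERVED_URL = "http://bank.example/"
OBSERVED_HTML = """<html><body>
<a href="/login">Log in</a>
<a href="http://bank.example/accounts">Accounts</a>
<a href="http://news.example/rates">Rates</a>
<form action="https://bank.example/auth" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>"""
OBSERVED_COOKIES = ["SESSIONID=abc123; Path=/; HttpOnly", "pref=1; Path=/; Secure"]

if __name__ == "__main__":
    print(audit_page(OBSERVED_URL, OBSERVED_HTML, OBSERVED_COOKIES))
    print(downgraded_links(REFERENCE_HTML, OBSERVED_HTML, REFERENCE_URL, OBSERVED_URL))
```

The third-party `http://news.example/rates` link is deliberately not flagged by `audit_page`, since the check is scoped to the site's own host; `downgraded_links` likewise reports only links that were https in the reference copy, so a link that was always clear text is not counted as a downgrade.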
I can man-in-the-middle that. I don't want it on the iPhone. Well, I mean, I already could. But I'm a baddie, so now I can change the software that's going on. Because if you can do the catalog, if you can man-in-the-middle the catalog, then you can actually choose where all the software comes from. And there was some college student, one who was doing his dissertation on it, who basically figured out that he could do this to a whole bunch of open source distributions and what else? Yeah, we can do it. So we're doing it for software installation. We're doing it for software updates. Start watching your software updates, you'll be really, really scared. They won't explain vulnerable browsers. It's really, really nice for man-in-the-middle people because they think they're going to CNN, they think they're going to their own bank site, and wow. Did they kill them both? Oh, here you go, Jay. You won't get...