So, speaking right now is Jay Beale. So, let's give him a really big DEF CON welcome. Mike? Oh, there we go. Okay, great. So, hello everybody. You're having a fun DEF CON. Not been owned quite too many times yet, I hope. Who's been owned at DEF CON? Oh, come on. Yeah, yeah, yeah. No one's going to admit it. Oh, sorry. Yeah, that's a better question. The suggestion was, I got to rephrase that question. Okay, so, being at DEF CON, who here has owned someone? Okay, that's so much better. So, the people who haven't been owned, clearly, yeah, I don't know. I'm maybe a little bit of fooling ourselves. So, I'm here to talk about, oh, I'm here to talk about how you should make sure that both displays are working. And, yeah, it's a Mac. You know, this actually somehow is better when I did it with Linux, which is really wrong, or really right. Okay, the, you know what, maybe we'll just start, maybe we'll just do, try and do this the old-fashioned way, if there is one. View slideshow, and we're mirrored, and somehow, okay, that works. Yeah, we're flipping. Okay, cool. So, here we are. What I want to do, what I want to talk to you about today is, basically, man-in-the-middle attacks. I want to talk to you about a tool that we've been working on, but I want to also just try to, there's a reason that we created the tool, and that was that we felt, and we still feel, that man-in-the-middle attacks aren't really taken, that we don't really take man-in-the-middle attacks very seriously. And I'm hoping that over time we're going to change some of that, or that we'll be proven wrong, that maybe we do take man-in-the-middle attacks more seriously. So, the, I want to, so basically, there's a, to give you a bit of history, one of the things that I've, every now and then, like all of us, I, you know, get off on a rant, right? 
You know, you start getting really upset about something and you say, okay, I've got to, I'm clearly, clearly in the minority here, I've got to, I've got to find a way to show everybody that this, that this particular security kind of thing is dangerous. And I think we've all, I think we've all found ourselves in that spot. For me, the rants actually come out in a variety of ways. One of the ways they come out, as in, as with many, many, many open source people, is with code. Because you start saying, this is really annoying, I want to fix it, or you start saying, this is really, really annoying, I want to do this. And so I started getting, I started getting a whole lot of ideas. I started getting a whole lot of ideas and saying, why hasn't someone, why do I only see these kinds of, why do I only see man in the middle attacks really actually demonstrating the main dangerous in malware? Why don't I see them in, you know, why don't I see them in any of these, in any tools that security people use? And most of all, security people use to, well, convince our peers and convince ourselves that a given kind of attack is dangerous. So, as I started thinking about that, I started saying, okay, what I've got to do is I've got to build a tool. I've got to build a tool that makes this stuff really, really brain dead easy. If I can make it brain dead easy, it'll be really, really obvious what the danger is. We've all seen that time and time again. You go and you say, we've got a patch. And someone says, yeah, patching seems important. And you say, no, no, no, we really have to patch. Yeah, but we have all these other things we've got to do at this company or this university or whatever. We'll get to patching, but right now what we've got to do is take inventory. I had that conversation way too long ago, 10 years ago, where I was a system administrator at the time and I was trying to convince my boss that what we needed to do was actually take security really seriously. 
We had to lock down systems and stuff. And we had to patch systems and we had to go and take these Sun boxes we were running that had 60, 80 ports open and weren't using almost all of them. And, you know, I shut some of that down. And he disagreed and said we should take inventory. And we should get better and better asset control or something like that. And that seems really lame. And I switched jobs and wrote an open source tool. But so this is, in this case, I've had those, you know, we've all had those kind of conversations. This kind of, this for me came out in, okay, I got to make the last time around. I had to make locking down a system brain-dead easy. Now I've got to switch around and make figuring out, figuring out how to do man in the middle attacks that would normally take some expertise a whole lot easier. So this is what I set out to design and build with the Middler. And the focus was I want to make a man in the middle tool. I want to make one that's easy. I want to make one that takes, that makes it so that only one person, only one person, only a small number of people actually have to understand the application really well or have to understand the protocol really well. And the rest of us can just click the button, right? How many of us, how many in here, how many of the people in here have kind of had that patching conversation and made it, and finally actually won the argument and made it click for somebody by saying, oh, yeah, fine. I'm going to download Metasploit right now on your computer and I'm going to own that system over there. And if you want to own all of those over there. And it's, I'm going to show you how brain-dead easy it is and how any kid on the Internet, you know, any kid, anybody can do it. How I can teach my grandmother to own systems. Okay, I've got some friends who have. 
So the, anyway, so this is, so this is, this is, I think there's a tremendous amount of, there's a tremendous amount of worth in building tools that make things easy that were doable before so that you can actually demonstrate the ease. So you could demonstrate that the attack is real. There are, and we've all had that, we've all had that conversation. We've had that conversation with other very security-aware people where you're having an argument about which attack is more likely about, you know, it's like, okay, well, yes, we could do this or we could protect against this, protect against this. We can only do one of them right now. Which one do we go after first? And the conversations, the conversation, the conversation is very often, it's kind of, in the end you know you don't really have an agreement and sometimes you have an agreement and very often that way is by saying, okay, boom, see, oh, okay, wow, I really should put a lock on that door or whatever. So the, so anyway, so the focus in building the Middler, Middler is, the focus is to make a man in the middle tool that makes things easier. The very first thing that I started looking at was HTTP as I'll explain a little bit, because it turns out I got Little Snitch on my Mac and it's, Little Snitch is this little program that shows you every single outgoing connection. We all saw this on Windows like 10 years ago, but the Mac's got to do everything new, making the old new again. And so I'm watching Little Snitch pop up and say, hey, this program's doing this, this program's doing this, and you're sitting there like, that's all over HTTP? Are you kidding me? And none of it encrypted. Okay, and so I started really getting a bee in my bonnet and saying, listen, HTTP is enough to target. That's more than enough. I mean, outside of web apps, there's, you can go after so much. So, but web apps have been, web apps have been really, really interesting. 
And for me, I think that there's still, part of what I think, my first thought about man in the middle attacks was that we don't talk about them a lot, we don't consider them, we don't consider them, or I believe that we didn't consider them all that dangerous, because it's all news. We've had the simplest man in the middle tool, man in the middle tools for 10, 15 years, it's really, it's like, okay, well, that's old. But the stuff that's old, if it's not fixed, it's still dangerous. We kind of stopped thinking about it, because there's something new and shiny and more dangerous now. So what I started thinking about here was, what can I do with man in the middle that we don't think about? And the biggest thing for me was integrity, was attacks on integrity. I can change what the user sees. I'm not just going to write every single time somebody says clear text protocol to you. Every time I hear anybody talk about the danger of a clear text protocol, everyone says, oh my God, they'd be able to see such and such. And we say, oh gosh, but we're always talking about confidentiality. And I think that there's actually more to it. I think that there's, I think there's integrity. I think integrity attacks are a lot, a lot more dangerous. So I'll try to show you a little bit. So anyway, one of the biggest focuses for the Middler outside of ease of use was trying to make it so that eventually we could build plug-ins. We could build attacks on web applications that were specific to the web application so that we could put the intelligence in the tool and not force the user to have it. Wow, not force the user to have intelligence. That's really mean. Not force the user to have very, very domain specific knowledge to the application. And part of the value to that is that we stop saying, hey, look, I can read your email too. Part of it, part of the value is we say, okay, I can do a lot. 
And if you automate it, you can make it really fast and you can do a lot more damage a lot more quickly. But then what else can you do if you could, and it'd be hard as hell to keep up with this in real time as a human, but if you could do it with, if you could do it with a tool, you can start saying, wait, why don't I take any man in the middle, any clear text protocol that I'm man in the middling and start modifying it. And modifying it in specific ways. Why don't I make those modifications so in essence, I'm trying to change the, I'm trying to change the victim's reality. I'm trying to change their perception of reality. I want to, to use an extremely old movie, and I apologize for that. I want to stick them in the matrix and I want them not to know that they're in the matrix. I want them to walk around and say, hey, you know, that everything's, why is there, why do they just see the same cat? Oh, that's deja vu, no worries. I want them to have that deja vu experience. I want them to say, I saw something weird, but whatever. I trust what I see in front of my eyes. So as an example, one of the things I, one of the things I thought of immediately was if I've got a whole bunch of web-based email that only encrypts the password, but all the, everyone using this web-based email is seeing, is reading their email and writing their email and it's, and that whole thing's clear text. Why don't I start pulling emails out? They don't exist. You don't see them. They're still there maybe. Maybe they're not. But let's pull them out. You never see them. You never saw that they were there. Let's put some in. One of the easiest examples is, let's make sure my victim never sees any emails from his girlfriend. And maybe we can make that right after we send him a fake email from his girlfriend that says that she never wants to see him again, she's getting restraining order and all that. We can start changing what he thinks is going on with his girlfriend. And here's the next step. 
So what does he do then? Well, he picks up his phone and he calls her. Right? But that's where I'm trying to go with VoIP. Well, maybe she's not going to get his call. So we'll talk about it. Okay. So again, confidentiality. Everyone, I swear, I've been a, what do we call it, a consultant. I've been a consultant for many years, which means that on the positive side, it means you get to see lots and lots and lots of different environments. You get to go into all kinds of communities and organizations and see how different they are and how the same they are. And there's actually, they're actually a lot more different, I think, than anybody thinks they are. But it's, you start to see, like everyone thinks that everyone else is doing it better or doing it, maybe they think it's doing it worse, but usually I think everyone else is doing it better. It's like, no, no, it doesn't matter. The companies that are 10 times, 100 times your size, or you know, that have a whole lot more people helping them and so on are still basically doing things badly often. So the, but the thing that I've had in so many conversations with the client, one of the things I started doing early on was saying, well, what do you think the risks are? What are you afraid of? You know, what are you, you're telling us that you want us to evaluate this application or this thing or this, or what you're doing. Tell me what the biggest, you know, before I go and tell you I can own that box over there, tell me what is it that actually would have you have to go to your boss and your boss go to your boss's boss and so on? What would be the thing that would say, oh my God, and I'll try to, seems like most of all, if I'm trying to figure out where your risks are and how real they are and what vulnerabilities exist, I should be framing it in terms of what the, which ones could do the most damage to you and you know what damage is, because me pwning that one box over there, not so dangerous. 
Me being able to modify that database over there, but not being able to own the box far, far more dangerous if the right stuff's in the database. Okay, so the big thing for me is every time I talk to them, they say, they keep saying confidentiality. They don't say confidentiality. They say, well, if somebody could get that information and they could do this, they could get that information and for me it's like screw, get that information, change that information and more to the point change it without you knowing it was changed. That's the, if I think of the dangers, those are the fun ones. As an example of the confidentiality integrity thing, okay, Twitter, right? You know, we're all many, many, who's tweeting clear text? Who's tweeting with encryption? Who's not tweeting? Oh my God! I thought I was the only one not tweeting most days and it turns out that, okay, so this room does not use Twitter. I've got a sniffer up, so if anybody with a laptop wants to, okay, so the, so anyway, okay, well I won't tell you what Twitter is. I'm gonna hope that you've got that part already, despite your complete lack of experience with it. But people are tweeting. What a dumb word. I love, I think Twitter's awesome, but what's that? Oh, I'm not saying that. You're supposed to always repeat the question or the comment, I'm not repeating that one. Yep, yep, yep, yep. So yeah, I think we should totally, I think we should be tweeting maybe. That's about as close as it should be. Maybe we should be Twittering, but not tweeting. Okay, so anyway, we've got Twitter, we've got tweeting. If I were to throw up a message through Twitter, I believe, in almost all cases, it's almost always public. It's almost always public. There's a little bit of direct messaging, but it's basically public. So if I tell somebody, hey, oh my God, you're going clear text to Twitter, they say, what do I care? I'm putting something public out there. What do I care if somebody sees it? 
And my thought is, well what if you could change it? I don't know if anybody got any of my tweets in the last couple days that I didn't think were going to everybody, but they were. But it was really kind of embarrassing and all that. Well what if they said things even more embarrassing than whatever I managed to say, right? What if they, you know, it's, that's the, I think it would be really, really, really interesting if they said all kinds of things, if my tweets said all kinds of things that I didn't know they said. And heck, if you could man in the middle of me for long enough, in enough places, I would never know. It would fall off my radar of things that I'd said. It was just, every time I pull up my iPhone, no I don't have an iPhone, don't SMS me. Every time I pull up my iPhone, and I look at, you know, and I look at Twitter, I see it says 100 more messages, and you're like, it's only been five minutes man, what the heck? So the stuff's off the screen. What if I can, what if people can send e-mails of me? Everything, think about everything you can do with every clear text protocol you can think of, not just the two I'm talking about today, that would totally, that would start screwing your victims, start screwing your victims' entire perception of what's been going on in their life. And I know that sounds really strange, but the internet's basically a communications medium. The sites, the apps that we're most excited about, the last one with MobileMe, the apps we're most excited about are things that are serving as communications. If somebody can alter your communications, it starts changing, at least for a little while, the nature of your relationships. So, let me go slightly further. I'll speak to this point just really, really briefly, and then I'll come back to it at the end. One of the first things that, one of the first things, I had a conversation with one of my friends, and I said, you know, clear text, it's awful. 
And he said, yeah, but don't we know this already? I mean, I know clear text is bad. And I said, okay, you do, fine. But you told me you use Vonage. And he said, yeah, I said, well then, you're signaling your voice, it's all clear text, I can change all your calls. It was like, yeah, but it's like 10 bucks cheaper a month than the normal phone company, and I really like it. And I said, that's okay, but you're also using, you're also using, you know, pick your social networking site and so on. And he says, well, but I like those. They're really nice. It's like, okay, but you're a security person. And I think that's my challenge to us. If we're the security people and we know clear text is bad, we know that we have these risks in clear text, why are we still using it all? I mean, we're not, we can't, I guess what I'm saying is if we think it's dangerous, then why can't we convince ourselves? Much less each other. Okay, so the, that's a good, so let me ask, how many people are using Vonage or another VoIP provider? Everyone thinks they're going to be targeted so they don't raise their hand. We got like 10. Okay, who's using a social networking site of any kind? Okay, see, that's more like it. Okay, cool. So that gets us, anyway, we're security people. I will, some of this has finally started to hit the mainstream press, but I think that it's, I think that what's great, I think that what's great if you're an attacker right now in terms of man in the middle attacks is that while it's, while we all think it's obvious, our non-geek friends, at least our non-security friends and probably our non, you know, and absolutely our non-geek friends, our family members have no idea, my grandmother just knows that, you know, that her new, that her new Vonage thing is like, it's a weird little box and her phone's cheaper now. She can call all kinds of people for like next to nothing and it's great, but she definitely doesn't know that, you know, we can do anything to it. 
She doesn't, she doesn't know, the mainstream public knows virtually nothing about this. I mean, this was, this is a news story from a couple weeks ago and it's new. It's, this is new. This is not a, this is not a, yeah, it's old news. No, no, no, this is, the news is getting really, really excited. Oh my God, you could be on vacation or people could be getting your credit card numbers and what else? The what else is what I keep thinking about. I hate hearing about credit card numbers because I'm not really that worried about my credit card numbers, you know. I'm at DEF CON or else I would say, dude, I'll go post my credit card number on a wall. Have fun, I think I have to pay 50 bucks. No, wait, that's waived. So I have virtually no risk except that my credit card turns useless for a little while until the people are done investigating the fraud or what have you, but I'm not as worried about my credit card number. Could be, but I'm a lot more worried about, well, I'm a lot more worried about my email now. I'm a lot more worried about a lot of these things. So, okay, so what are we doing with the Middler? With the Middler, we're working on a bunch of great new features. There are, I'm gonna walk through some of them, I'll walk through some of them right now. There are, so the first one, the big one, the one that's been driving us nuts a little bit, has been basically to say, let's pick on voice over IP because there's more and more voice over IP and, oh my gosh, it's the phone. I love the idea of being able to screw with the phone. I never could screw with the phone before. I was never a phreaker. How many of you were phreakers? Dude, statute of limitations is over by now. Come on, raise your hand, you were phreakers back in the day. Okay, you're all too young. I'm old. I could have been a phreaker, but I didn't. Okay, so anyway, but I never had those cool phone hacking skills and now I can have them and that's really cool. 
The, so voice over IP is really, really fun and I'll show you why I took an interest in it. We've also been working on a bunch of other things and so you can, I'll show you some of these and you can see the state of the rest of them in our Google Code Subversion. One of them is we've been working on basically on a GUI which means I've had to find out how many people don't, how many people are in security or know protocols and have never done any GUI coding before. It is really hard in an open source project to find somebody else to help you with your GUI so I've been doing that part myself. We decided to actually start making some of the Middler's HTTP functionality more interactive. The original design on the Middler was actually to make it totally non-interactive and that wasn't a lack of a feature for us, that was to make this kind of thing really dangerous. To make it really dangerous to be a man in the middle of your web, all of your web, then the really, really fun thing would be if you could hopefully know law enforcement's hanging out in the room. There's nobody in here that's a fed or anything, right? No? Okay, good. Perfect. So, you know, I mean if you were to take, if you were to take a tool like this and go and put it on, you know, there's WRT54Gs and all the other little things that are like, you know, 30 bucks now and you can pick them up for 30 bucks and you can put Linux on them if they don't have it on already and then you've got a little computer you can deploy anywhere and you can basically throw away. Well, you know, 30 bucks, some of you can throw away and if you bought them in bulk you might start getting close to 20. Now, suppose that you take the, suppose you say, okay, well, you got a few friends, you're going to go in on this together and you're going to spend, I don't know, $2,000. You're going to spend $2,000. 
You're going to buy 100 of these and you're going to buy 100 of them and that's probably more than you need but go around New York City and go to the public parks and public parks all have wireless and well, it's definitely not encrypted so you could have some fun there already but how nice would it be if you could put your own access points or heck, don't even make an access point, just use them as clients, use them as things that have wireless access. You're going to throw them away, they're not going to store any data on them and all they're going to do is they're all going to basically man in the middle, they're all going to, not only capture but modify traffic, they're going to take things, they're going to take all the data they see and they're not going to go grab packet captures because who wants packet captures? Pass through it, get all the juicy bits, get all the data that's really, really interesting, take all of that and correlate it. What do you care if you've got one of Jay's sessions? Get all of Jay's sessions, everywhere he goes in New York City. I mean, as long as I'm going to go walking around on a wireless and using my iPhone, being like, oh cool access points and now I'm not draining my batteries much and everything's running, everything's running so much faster, I'm just on a big shared network using protocols that are basically designed for us all to stay on wired networks that were carefully protected physically, right? Well, so you start to really have some chances to put me in the matrix, you also have some chances to get a tremendous amount of access to, well, everything I send out over the radio and keep forgetting as a radio as I walk around the public park. So that's my, how do you make this more fun and dangerous and bigger? You have all these things logging to a database and you make that really, really fun and then you start saying, what did I get? I didn't just get. 
Each time we see one of our own compromised and their stuff publicly posted, it's a snapshot in time. It's one point, usually it's one box. What if you could get more? With that said, I think it's really mean to own people and you shouldn't do it and you really, really shouldn't do some of the stuff that's been done to our friends lately. So have I compiled for MIPS? That's a good question. The short version is we're in Python so all I gotta do, all I have to do to compile for MIPS is to have Python on MIPS and a bunch of dependency modules also on MIPS but basically, I guess the short answer would be no and the long answer would be, anybody seen Python running on a WRT54G? Anybody? Okay. Yes, in the back. Okay, so I'll take that. I'll call Guido after this and ask him if anybody's got Python on that platform because it should be pretty simple. He might just take it as a challenge. So anyway, let me go a little bit further. So what else are we trying to add? We've been trying to add both more application-specific plugins and then also more generic plugins because that was when we started making our release, we said, wait, there's a whole bunch of stuff you could do to just every site or you could do to every site and then target it specifically which is part of where the GUI idea came from. We also made some serious performance improvements because, well, my code was slow and the nice thing about an open source project is people come along and start fixing your bugs and they even start going and optimizing your code for you and it's really nice. So the other thing is we've got a, we're getting some collaboration going although this is all open source, free stuff, not a commercial software so actually locking it all together and having everybody have their stuff together at the same time and all that's a little bit hard but we're working with SoftSec who's been working on something called LibPoison and I'll tell you more about that. 
So anyway, let me start with, let me start just, I know I've kind of talked right through some of my slides at this point and I'll try not to do that quite so much but I get excited. I think this stuff is fun, I think talking to you guys is fun so this is, okay, so anyway, adding protocols. Honestly, we only wanted to go after HTTP in the first place. HTTP seemed like enough. It seemed like actually more than enough and if anybody, if any of you have watched the history of the code and more to the point of the releases that came later and so on, you'll know that we bit off a little bit more than we could chew from the start, and HTTP is really quite a bit, you can find quite a bit of stuff that's fun there. There's a whole lot of software update that's still done very, very badly and done without any kind of encryption or hashing that you can get in the way of that and we didn't get to touch that problem. There's, but there's some other, there's some neat tricks. I told you that we started out with saying we're just gonna go after specific applications then we started saying we've got some nice tricks we can just put in everything. 
So there's something I'm gonna show you that's just some neat JavaScript but when we came to DEF CON last year and we went to our Q&A afterwards we had a whole bunch of people saying well have you thought about doing this on and they started naming the different kinds of clear text protocols and some of them were scary, some of them were like you can do this for pop and eye map and I'm like yeah I thought of that I just figured no one's really using unencrypted pop and eye map and they said dude go over to the wall of sheep go talk to those guys and so I talked to those guys and I said can you like show me everything besides just these passwords and they're like yeah and they said it just like oh my god this is at a security conference we got a whole bunch of clear text stuff we don't know is clear text but there are a lot of protocols and the ones that scared me weren't pop and eye map they were when people started talking about SCADA and I said but I like my house having power and water and the dam's not flooding and all of that I don't want everybody's seen the latest die hard movie from you know years ago what do they call it a fire sale which was just basically everything all at once every single thing you might start attacking and changing that movie was great that movie was great for integrity tax because there's a point in the movie where someone's trying to where this guy is really trying to get Bruce Willis dead because Bruce Willis is causing him kind of quite a bit of trouble as he has in way too many die hard movies that I've never seen actually I've only seen one die hard movie and Bruce Willis is such a pain in the butt yippee-ki-yay and so on and he's chasing down an attacker and waving a movie paycheck at him and all that I think and the guy you know goes and gets on his radio and instructs a fighter jet that's in the area to target Bruce Willis' truck and the fighter jet proceeds to absolutely demolish not just the truck I mean this guy takes his 
job very seriously but to basically destroy like bridges and overpasses and everything and it's beautiful it's awesome and it's like you're like dude it's one truck what the hell are you doing but this I don't know anyway I wanted to fly a fighter jet so badly right then and only then so anyway so and I said that's really really neat if you could go and start I mean it's also evil right but if you could go and start saying gee this fighter pilot thinks that he's just been given that he's just been given an actual valid instruction and you'd all be like yeah but it wouldn't work like that how the hell do you know how the hell do any of us know I mean every single little proprietary secret protocol the more the more insulated it is the more specific it is to a given industry the more specific it is to just one specific application where some other company decided to write their own protocol from scratch which is almost as bad as writing your own writing your own crypto from scratch anybody designed a crypto system in here that doesn't have a degree in cryptography okay anybody in here have a degree in cryptography and did design a crypto system has had it broken by your peers no one okay well fine but most of us have tried at some point I know I did when I was 12 and that thing was a piece of oh my god so but and we all have we've all been like ooh XOR is really really neat no just don't do it I'll teach you how no don't so anyway the so people said people said you should really look at other protocols out of HTTP because there are ones that are dangerous and I said well I don't want to touch that SCADA stuff I really really don't ever want to build somebody the capability to really really screw my whole city but on the other hand you know VoIP seems like fun so here's one of the other things anybody want a password hash or two because this is mine so I'm going to have to change my password right after this presentation I'm going to be in a race now to see whether 
you guys can break, whether you guys can crack passwords when you crack HTTP digest authentication as fast as I can finish a talk. I'm not betting on me now. So anyway, the interesting thing, one of the things that made it really, really, really, really obvious to target VoIP was: look at this first line. Look at any of these lines, but, you know, all these lines are kind of like a header name and a colon and a value. Well, that kind of reminds me a little bit of HTTP. But the first line, the first line is a method. It's something that the one thing is asking the other thing to do. The next line has a URI, you know, something like an HTTP blah blah blah, except it's not. If you've looked at many, many, many, many, many "GET /foo HTTP/1.1" things, you're seeing the same thing in SIP. There's the request, okay, and here's a response. Oh wait, doesn't that look really, really similar? If I change the word SIP there to HTTP and, you know, if I change the version number, you start saying, oh look, it's an HTTP... no wait, that's still not right, because that's not the response I should see. So anyway, yeah, so I saw this and I said, oh, this is nice, I found another little helpless unencrypted protocol to pick on. And I'm surprised at how much, so before you think, Jay, why are you thinking about the obvious here, look at the tools we have for VoIP right now, the big ones, the VoIP tools that exist. And I'm not at all claiming to do anything new. Actually, I don't believe that anything here is positively new. The point is to basically start thinking about it more solidly. We have tools that will go and grab all of the unencrypted RTP audio traffic and will play it for you. What's that? That's a confidentiality attack. Screw confidentiality. I like confidentiality, but, you know, go for integrity. Change it. We do
have tools that will change the voice stream. So this is, yeah, I spoke to this, I guess I've spoken to this earlier, but I hadn't realized you'd just seen the HTTP digest. If you captured a copy of that slide and you've started cracking the digest already, I'd love it if you'd just tell me my password. I'd say whoever gets into my Vonage password first at the end of this session definitely gets at least one beer on me. So anyway, it's just fine if you have your friends do it for you, or it's probably just fine if it's a Beowulf cluster. But okay, so my point, though, is that you can crack my password, but that's not really the danger. I said I was going to have a little race with you, that I was going to hope that I could finish talking and go and change my Vonage password before you could finish cracking it. I wonder if I'm somehow violating my Vonage terms of service by saying that. But really, the point is, if you can man-in-the-middle my Vonage session, then you can do anything you want to it. You don't need my password. Screw having my password. Just basically forward my authentication along and modify the request, reuse it. You know, the nice thing is, it gets even worse than that. There are tons of things: once my VoIP phone authenticates, most of what happens after that isn't authenticated, okay? Even the things that authenticate outbound calls, "you'd better authenticate, here's a whole fresh new nonce so you can't replay", well, even those things, they don't actually make you authenticate to receive a call. So if the call is coming in and it gets modified, or the call is coming in and it was never actually sent by the server, then, you know, fun. So I hope this text is readable. These are the kinds of VoIP attacks we've been building into the Middler as plugins. At the very least, you start saying, okay, let's take all of the inbound calls that are coming to you, or heck, if we can get in the right place, all the
inbound calls that are going to a given company, for everyone who's basically said, and we deal with a number of businesses, including my accountant, that have replaced, for a 20% or 40% office, they've replaced their normal POTS phone lines with their own little Asterisk-style system or what have you. They're using a VoIP system, tons of them. So take all the calls that are going inbound and send them somewhere else. You could send them to my phone, you could send them to some other company's phone, you could just take them and swap all the extensions, you know, do whatever you want. You could, in essence, redirect all of the inbound calls to one or several devices. You can alter, this is the easiest thing in the world, you can alter the incoming caller ID. It's really, really simple. I don't know if you can read that back there, but there's my phone number, okay, "From:" colon, in quotes, caller ID string. Change anything you want, change it to whatever you want, and that's what I'm going to see on my phone. So you get to change the caller ID. You could add, this is one of the things I like a lot, you, as the attacker, add your VoIP phone to the simul-ring list for my phone number and just race me and get on my phone calls first. I'm not going to know. Somebody started calling me and they hung up, they didn't get me, okay, I didn't reach the phone fast enough. Well, you know, they'll call back if it's important. Maybe I'll look at the caller ID and I'll call them back. But, you know, cool. So, the hard trick is doing things like actually modifying the RTP, but I'll talk more about that in another slide. And then finally, you could go in and, just today, I'm going to remove the phone's registration. This is one that's really nice. Your phone registers to say, hey, I just want to let you know that phone number 301-591-blah, that's, I'm
reporting for duty, I'm here, if you've got any calls, send them to me. Well, you could take that, you could just simply not forward it along. You can also, but what if there have been three or four registrations that have gone out already, or three hundred, it seems? Then you could just go and send a nice little message that says, hey, drop that registration. If you drop my registration, I still think I can make outbound calls. The thing is that my inbound calls aren't getting to me, and I don't even know that that's happening. I just know my phone's not ringing. Well, there's plenty of time my phone's not ringing. It's not ringing right now. So this stuff's kind of nice and fun. One of the focuses for us was to basically, again, start thinking: how do we do it non-interactively, how do we do it interactively? So the non-interactive version was going to go and say, okay, let's only get that call, or only get that person's calls. Alternatively, you could say, hey, I'm gonna man-in-the-middle another whole network, but I only want calls for Jay, because everyone else is fine, but I want Jay. So if I look at altering the caller ID, that is really fun to me. I told you it was the easiest out of all of those. It is amazingly simple, it is amazingly easy, and you really could basically do it with a couple of netcat listeners. This is the one that is really, really fun, because we all trust caller ID. I see a call that's coming in, my phone says it's coming in from Bob, and I say I don't want to talk to Bob right now, and I just missed that call from my girlfriend to tell me that, you know, she didn't send any emails like that, or what have you, right? So part of what we did was we basically made it so you could say "change the caller ID to something else" and tell it what to switch it to. We can set up, we've talked about eavesdropping, but the really fun thing to me is if you
can start modifying the call. Again, I keep thinking about integrity attacks. Who cares if you can hear the conversation? I agree that's really bad, but what if you can actually change it? What if you can change it so I don't know what's going on? Heck, what you think happened on this phone call is not what the person I was talking to thinks happened on the phone call. We've all had that happen a little bit. What if it happened a lot, or what if it happened in a more destructive way? I talked about unregistering the phone. We've got some other fun features that we're working on. So basically, that's what I got really excited about, and I ran into some serious bug hunting on the SIP, on the VoIP, and said, okay, I'm gonna put GUI down for now. So I put GUI down for now, but it's gonna come back. And the cool thing for me with GUI is that, if we are gonna go interactive, you can start targeting based on what's going on on the network. Black hats, who has gone and just, you know, man-in-the-middled the whole network, every single packet on the network is gonna route through you? Okay, I know these two. Yeah, yeah, okay. Well, a lot more of you just won't admit to it, and I understand. And I've said that if you're going to do it, I'd appreciate it if you would fully route my packets. Keep the network working. You can see all that you want, just get them there. And I'm even giving you permission now, because the worst thing in the world is really when you can't get to the internet. I mean, it's one thing to have the internet be this clear-text, dangerous Wild West place; we're all used to that. But damn it, if you can't get to it, well, that's really painful. And all of a sudden, okay, well, anyway. So, but how would you target me, if you're going to pop up on the DEF CON network and you're seeing the
same kind of view the Wall of Sheep guys see? What do you start doing? You go, I'm going to look at all of this, and I'll figure out what all of it was, but I don't have time, so right now I'm just going to grab old passwords. And that's kind of lame, right? Wouldn't you rather be able to keep up with it all? So that's one of, so what we want to do with the Middler's GUI is basically make it so that we're giving you the vital info from each site. This is why application-specific, this is why protocol-specific gets more interesting, because instead of showing you a whole freaking..., the more plugins we can write, the more different things that we can do, the more protocols we can add, the more you can say, hey, look at this, this IP address, I know this IP address is this Gmail address, I know this IP address has this phone number, I know this IP address is this. That's the one I'm going to go after. So basically, let you target based on what's actually there, let you find who's interesting, or let you pick your friend out of a crowd. I don't know if you're interested in the importance of eavesdropping on the local network. One of the painful things at first is figuring out basically who's who. You see a whole bunch of IP addresses, you see a whole bunch of this, but you don't know who's surfing that specific porn, right, and you want to embarrass that person, but you can't, because you don't even know who they are yet, and you just need a little more data. And it takes you a little while and you get there, but wouldn't it be nice if you could get there a lot faster? Wouldn't it be nice for people? But, like, really?
So okay, so anyway, our idea so far has been, go after, at the very least we want to show you, we want to say, this is the webmail identity, this is their social networking identity, this is what they're going to for POP and IMAP, this is what their phone number is. If you think about it, increasingly you're going to go after more. You're going to say, hey, this is a list of sites, or you could give it a whitelist of things you're not interested in, show me everything else people are surfing, and now let me pick, let me basically hone in and target more finely, and say, that's the guy, that's the one I'm going after, that's the one I want to man-in-the-middle, and now I want to man-in-the-middle that specific session. So, as I said, the point, most of all, has been to let you impersonate the user, not just actually change what the user is up to, maybe not in a way that he knows, maybe not in a way that ever makes it to him, or makes it to him anytime soon. The embarrassing thing for me is basically seeing the tweet that says "I am whatever", I don't, I just, yeah. But, you know, the embarrassing thing is when we start making it so that, if it's public, when we're going embarrassing, we're changing your emails, we're changing your phone calls. But I think that's the fun. So these are sites that we've been targeting with plugins. I basically wanted to give you a picture of what kinds of things you do to each of these. This is what we've set out to automate. With every one of the web-based email portals, we want to basically be able to add emails to your view of the inbox, but not actually put them in your inbox. The server doesn't
even know that you're being tampered with. You don't know that you're being tampered with, but you are seeing emails that don't exist. Later on, after you've deleted them, hopefully they're not there, okay, great. We'd like to, as long as we're going to, as long as it's true with you, like, screw just reading your emails, let's harvest your address book. Let's use your address book to find more targets. Then maybe we say, stick these things up all over the city. Take all of these, you know, if I'm man-in-the-middle in your webmail, then I'd like to go through your address book. I take your address book, I say this person's connected to these people, and out of those people, who's connected to these people, and now I start to really, really get the kind of stuff that we read scary articles about, people mining data about people and companies. And this isn't even public, but it could be, because it's broadcast by radio, so it basically is public even though it wasn't intended to be, which is the really, really fun way of, I guess, taking advantage of, yeah. So I talked about sending people's emails. Profiling, for me, the other fun thing is basically take the email addresses that they turn out to have, take those email addresses and look for them in everything else. This was one of the other things that was really important for SIP. One of the things we did is we said, okay, the very, very simple argument was: do we make the thing that can parse the SIP URIs only available to the SIP proxy where they'd be used, and the SIP plugins? No, screw that. If I see a SIP URI in an email, don't you want to be able to do something with it? So, in essence, part of the goal is you start to be able to correlate information. I think there's going to be a lot of fun with databases here, and probably too much evil too. The other big one, that's kind of the obvious thing that I think
people don't think of enough, is, we talk about session cloning now and then, and when we talk about session cloning, what we don't really think of is, if you're actually man-in-the-middling a session, dude, the user clicks log out, show him the log out page. I don't mean just show him the page, I mean send him the same response the application normally sends. This is why it's nice to get specific to the application. Send him the "okay, set your session cookie back to an empty string", or set your cookie to some nonsense value, or whatever it does. Make him totally logged out. If he hits back on his browser, he gets a login prompt. Meanwhile, you continue with the application. That's where I go with it. Now, all that means is you've got to make sure that his log out request doesn't get there, and that you give him the right response to it. Social networking sites. I've been surprised how many people in here use LiveJournal. Really? Okay, so I'm in Seattle. Seattle's a very odd kind of town. We've got lots of free Wi-Fi everywhere. We also have a tremendous number of LiveJournal users. It's a nice little app where you can kind of talk to your friends about your day, kind of the big version of Twitter. You write, you know, four paragraphs about he said, she said, and I can't believe so-and-so, and kind of journal it to your friends. And so most posts you put into it, only your friends can see, and actually you can go and say these posts are only available to some friends. These posts about my sex life, they're only for, in my case, my wife, but maybe, you know, in other people's cases, this whole set of 20 people, and these posts, you know, I like filters for each of those. Well, you know, screw it, I like the filters. If you're seeing all the traffic, you can go and do things like, you can go and read
their private entries. You can read the stuff that's only for their friends. You can take the stuff that was only for their friends and change it to make it public, because that might be really upsetting, or make it just visible to... If you want to be more subtle, you start doing things like this, some of the obvious things that really only the JavaScript worms have done. You go and say, hey, let's add my user to your friends list. You know, why should Samy get to have all the fun? Okay, so another feature we've been working on that I've talked about is cloning arbitrary sessions. We've been trying to build up a bigger library of things. The focus is to make it so that to do these kinds of attacks, you don't have to know the protocol already, or you don't have to know JavaScript. You don't have to be a domain expert in the given area. I want to kind of take us away from the browser for a second. I've talked before about banks. One of the nice tricks we did, I love this: if you have a friend who does his online banking and goes to a clear-text page, and that clear-text page has the submit form, make him stop right now. Make him stop. Absolutely. Show him, I will send you some, if we don't, no, we have code, yeah, we have code in the Middler that does this right now. Show him this. Take him to US Bank, if you like, and go and type into the password form, and watch. What we've done is we just say, it's a clear-text page, insert some JavaScript into the page, change the onkeypress handler, and every single keypress is a separate request, all Ajax-style and everything, off to our server. And then when he hits submit, that's encrypted, I can't see it, but what do I care? I already have it. I'm done. The big lesson with HTTP, the big, big lesson with HTTP is basically, if it was ever clear text at all, fail. That's just it. You've got too many opportunities. So I'm going to go right past US Bank. And yes, if you
can see, if you're a man in the middle of my browser, if you can execute JavaScript in my browser, you can basically check and see what sites I visited. So, you know, take your set of your favorite scary porn sites and find out who's actually going to them. Maybe, if you see a spam that comes in, see if anybody's actually buying. So the thing is, we wrote the Middler in Python, we're writing the Middler in Python, and our team has been growing, because I remembered that I was an open-sourcer a little while ago. Open-sourcer, it's kind of like sorcerer, I like that. But I remembered I was an open-sourcer, a sourced person, a while ago, and realized, wait a second, there are a lot of people who want to help there, and it's been really nice. I've been able to get a lot of help. But what I'd like to do is, if you're finding this stuff interesting at all, consider writing a plugin. We'll teach you how. Because, honestly, the big deal is that every single plugin requires some amount of knowledge of the application, and there are only so many applications we can go after, in the case of the web applications, in the case of VoIP attacks. We're only so creative. Please, the biggest thing is, you know, come help us develop, because I think that we'll get some, we've already gotten really, really cool stuff out of people that have been joining on lately, and I think there's a lot of opportunity to have a whole lot of fun with this. So let's see. In particular, there was something I wanted to do here. It turns out I've got a bug in my code. It turns out I've got a really, really, really, really annoying bug in my code, and if I can actually flip it over, I could show you. I've got a really, really annoying bug in my code. And who in here codes Python? Come on. Okay, about 10, 20 people. Okay, fine. I want to see you all outside this room right
afterwards. I have homework for you. So, where did it go? It seems to be missing a file. Well, I have a problem, and my problem is this, and I've had a whole bunch of friends in the last 24 hours try to figure it out, but they've been doing that through tremendous amounts of sleep loss and alcohol, because they said they were at a hacker conference or something. I'm not sure what they're talking about. But basically, I'll just tell you what I've got, because we're running short on time. Getting to the specific spot, what we've got right now is, a proxy should basically be bi-directional. That's kind of one of the things you'd like a lot. What we've got right now is, you pick up your phone and you dial, or you get an incoming call, and here's what happens for us. There are kind of six steps, as it were. Step one is, you know, the packet goes out of the phone and it hits the proxy. The proxy gets it. The proxy then takes it, it parses it out, it gives you all the good information, and it can change it. That part happens. It then looks at the packet and says, okay, now where should this really head, and it sends it off to where it should really head, which is usually some upstream SIP proxy server. So it gets up to the proxy server, the proxy server looks at it and says, oh cool, this is something I'm used to, this is valid, fine, and it sends a response. And the response comes back and it hits our system, and it gets sniffed by the sniffer, and I look at it and it's good. It doesn't go through. It doesn't go in. I don't know why it doesn't go in. We're doing a stateless proxy, we're doing a pretty stateless proxy, which means that basically handling... and, oh, SIP is peer-to-peer, so there really aren't, it's not like there are really actually clients
and servers. So in any given request/response, the phone might be the client, or the server might be the client. But anyway, let's go both ways. And because we can't go both ways, I didn't bring happy shiny demos here, and I'm really, really upset with it. What I brought instead was code and packet captures. So what I'll say is this: I have been trying extremely hard to figure out how to make that one tiny problem go away for about 48 hours, maybe 72, maybe, okay, I don't know how many days, really. It's driving me nuts. And I'm going to say this: if you are feeling industrious and want to look at the code and fix it, or say, what were you thinking, feel free. I would love it, and you can even corner me. Because if I can fix this before tomorrow, I am absolutely, positively going to tweet it. But I'm doing more than tweet it. I'll basically make a video where I show you a nice little application. In essence, it's not screenshots, it's video of your screen, and I'll post it, and you can all look at it, because I really wish I had a demo for you. And if you're the person who fixes it, obviously you just became a co-author, even if you never write another line of code, which is some nice credit. You get to write a nice big tool. So if you want to fix it, please, we'd love the help. If you don't want to fix it, well, come along after you see the demo and help us write some more, help us write some stuff that we haven't set out to do because we haven't even thought of it. But I'll tell you, it's pretty simple. This is Python. It's a wonderful language for this. I wish there were, you know, kind of better debuggers, but, you know, it's a wonderful language for it. We'd very much love the help. If you want to corner me and look at my bug, I'll be happy to show you in Q&A. But I'm hoping that some time today or tomorrow I'll be posting up a video that shows it working, and