Okay, good morning, everyone. It is now 10:59 in beautiful Las Vegas, Nevada. Thank you so much for spending your Saturday morning with us here at the Packet Hacking Village. There are many opportunities around here. We've got Capture the Packet going on right now. We have the Wall of Sheep. We have Packet Detective in the back corner. We have emerging technology, food in the back, and right next to it is a DJ booth. And it is now the top of the hour, 11 a.m. here, and we have the second speaker workshop. And this speaker workshop, I know a lot of people are looking forward to. Boy, at any rate, please feel free to make yourself at home. Are there any empty seats? I can't see, due to the lights. Okay, please make yourself at home for now. It is absolutely my pleasure to introduce to you our next speaker, who will be talking about Monkeys in the Middle. Okay. Ladies and gentlemen, Bob Simpson, everyone.

All right, maybe we're good to go. Excellent. So yeah, I'm glad that was said, monkeys in the middle, because man-in-the-middle is a sexist term. It was created a long time ago. We should never, ever use it again, until my next slide. So I apologize for that in advance. I'll make the next presentation better. So it starts with who am I, and basically I'm just a security researcher on the side. My day job, I'm a CIO for an accounting firm, and we actually use man-in-the-middle techniques to create a captive portal for a small segment of our audience and market a product to them. So man-in-the-middle can actually be used for profit other than the type of profit we generally talk about on this stage, right? So what is man-in-the-middle? Monkey in the middle, sorry. There's a number of different acronyms that are used to describe it, but more or less what you need to know is it's not just sniffing, right? You've got to sniff some packets, but that's not what it's all about. If I were talking to, you know... I'm gonna jump down to the illustration here. Alice and Bob are speaking, right?
I'm speaking with Alice here. I'm Bob, obviously. I'm speaking with Alice here. Nice beard, by the way. I love it. So anything I say to Alice, you potentially could hear, as long as you've got good ears, right? So I'm saying, hey Alice, let's go out tonight. All right. Fine, now you know I'm going out tonight. Let's go to that place we went last night, right? Cool. All right, we're on. Now what do you know? You don't know nothing. You know, you don't know where we're going, because you don't know where we went last night, right? So sniffing helps, but it doesn't always give you what you need to really get where you're going. There's a slide here somewhere that shows the Wall of Sheep. We'll get to it, and, you know, ultimately that's your goal, right? Pwnage, you know, another name on the Wall of Sheep. That's what we're trying for whenever we talk man-in-the-middle. Sometimes you can sniff it, sometimes you can't, so you've got to be smart about it.

So we're actually gonna do a demo right now. This is a non-technical demo. This is one you might do in the SE class, except we're going to be talking pseudo-packets. So back to the same conversation. I'm Bob, you're Alice. I say to Alice, hey, you want to go to that place we went last night? You said it was fun, right? Now here's the part you've probably already thought of. Y'all are gonna be Mallory, right? Mallory is the person in the middle, the monkey in the middle, the man in the middle. In this case, you're all gonna participate and answer for Alice, right? You've got one or two responses. One is, that's what he said. The other one is, that's what she said. I'll let you pick. I mean, it's up to you, right? So let's try this out. We're gonna try it again with: want to go to that fun place again tonight? And you say... It's unclear, right? So okay, we'll try the next one. Because they answered for you, I didn't hear what you said, so I'm like, I've got to clarify here, right? I really do want to go somewhere.
So I say, hey, remember you said it was so much fun, you wanted to go every night, even though it was kind of dark and hard to get into? Yeah, now you're getting where I'm going, and you all have dirty minds. So the next step is, obviously, I still didn't hear you, and this is something Tony actually mentioned to me before I entered the stage. You know, sometimes the first authentication is fine, the second one's fine, the third one might be fine, but at some point you can break these things down, right, if you jack with it. Next one is: come on, it's the place he said would be really awesome if they had better service and lots of hot dogs. Right, it's pretty obvious. At this point I'm completely confused. I'm like, Alice, you have lost your mind, right? I don't know what's going on. Let's go to that new place called Pinkies Hot Dogs down on Las Vegas Boulevard, right? Real place, by the way. I've heard it's really awesome. At this point you can disengage, right? Mallory can disengage. You've got what you need in this conversation, and we'll do a technical demonstration in a minute. But the point is, you didn't let me get away with just doing a simple handshake. You didn't even let me get away with reminding him of our previous session. You made me state explicitly what was going on here, right? So that you could listen in on that and then take that to the next step.

So what do we get out of man-in-the-middle? Obviously you can get reconnaissance, like we just did. You can get fingerprinting of a client that wouldn't normally show you their OS, their application, their personality. But by jacking with the connection, with man-in-the-middle, you could certainly get that. NTLM capture, relay, escalation, redirection. At this point I'm gonna remind you that this is a 101 course, right? This is man-in-the-middle 101. I absolutely do not mean here to say that I'm going to cover all of this, and in fact, I'm not. What we want is pwnage, right?
And I will demonstrate a little bit of that. If you Google it, you know, so you're all going, okay, this is great, I'm gonna go home and do it, because I actually do want to figure this stuff out. If you Google it, you're gonna find Ettercap, Cain & Abel, awesome tool, ARP spoofing, Man-in-the-Middle Framework, or is it Factory? I don't know. I saw a demo of it actually in the Arsenal, very cool stuff. I love it. Web exploit, Burp Suite. By the way, MITMf is built in Python, so a lot of these are built in Python. So when you go through some of the techniques I'm gonna show you, then it'll be a natural fit for you. mitmproxy or Fiddler, Subterfuge. Yes, you get it. And there's also a plethora of methods you can use: ICMP, you can do Spanning Tree Protocol manipulation, right? We've probably all read all about all these things. But actually doing it, if you're looking at, okay, tomorrow I want to actually start learning these things, doing these things, demonstrating to myself that I can get to the next level, then you need to go do ARP or DNS or spanning tree, and all of those require semi-advanced tools. So if those aren't your specialties, you might be stuck right out of the gate. This is why easy is good, and why I'm gonna demonstrate a simple technique that might not be practical in the real world, but probably is. This is actually from the DEF CON r00tz Asylum area. It's up on, I want to say, the second floor of the South Tower.
I don't get your map, and it's a really cool area set up just for kids. Last year it was called DEF CON Kids, or two years ago. Anyway, it's just for kids, all kinds of demonstrations. One of the posters they had up when I visited that area was: any sufficiently advanced technology is indistinguishable from magic. We all love that, right? And this is a classic quote, and one we use to our benefit every day. And that's why I'm gonna give you a really easy way to do a man-in-the-middle: understand it, start manipulating it, playing with it, and you can go from there, because then you can build on all the other techniques you want, use your particular flavor to add to it.

So all we need is Scapy, NFQ, and we're gonna bridge. So you've got to kind of understand what's going on there, although I'm gonna show you a script. Ubuntu 14.04 is awesome because it comes right out of the box with about everything you need. In fact, what you're gonna do, if you wanted to do the demo I'm gonna show you here in a minute, and by the way, I'm praying to the demo gods, we'll see what happens, everyone says that but it's so true when you're standing here: apt-get install bridge-utils, scapy, I think. Actually, there wouldn't be any commas there, but you get where I'm going. Scapy and Python NFQ, those are the three packages you need. There's no config. You just go. At that point you're ready to man-in-the-middle on a bridge. So what we're gonna do in the following demo is create a bridge, redirect some packets, and start mangling, the goal being mangling. I don't know what's gonna happen here when I switch away from this show, so bear with me. We shall see. Yep, that's what I thought. So the demo machine you're looking at right here is actually exactly what I said. It's an out-of-the-box Ubuntu machine with 32 packages and these three scripts, absolutely nothing else. Installed it last night, so if it breaks, you'll know why. Oh, sorry, my bad. You're not looking at anything, are you? That's what I was afraid of.
Oh, nice. You can see that part. See if I can get back to my other one. It's on the opposite side from what I expected. Here, there's my bridge. I'm using virtual, so I basically just created the virtual interfaces on both sides of the bridge and stuck it up there. And then this is my Windows machine where I'm going to... So there's my bridge commands. I don't know if you all can see that or not. It's basically you bring your Ethernet interfaces up, you create a bridge, called man-in-the-middle in this case, add Ethernet 1 and Ethernet 2 to it, and you bring it up. Easy peasy.

Now we're going to do redirection. This is really, really, really cool, and I say that from the depths of my heart, because about, I have, probably seven years ago, I don't know when I started doing this, this involved compiling a crapload of stuff for the kernel, loading modules, or recompiling, and however you did it, it was just a pain and it broke everything else you wanted to work. So insane. So these are great days when out of the box you're gonna just load a module and you're good. In fact, this one loads automatically. So what we're gonna do is do iptables. If you haven't learned iptables, learn it. It's cool stuff. You'll use it every day of your life. iptables, the key part being that very last section there, which is NFQUEUE. So instead of blocking a packet, instead of allowing a packet, instead of doing anything else with it, we're actually gonna queue it. The default queue is zero, and you'll see why that matters here in a second. Let's go ahead and run both of those, because then we'll just kick this off and you'll see what's going on. So we're gonna bridge it. It's gonna fail, because part of it's already done. The two redirects. So now packets are redirected. If we go over to our... sorry, I'm not sure which side my mouse is on. There we go. If we go over here, we're gonna find that, in theory, things should start right up. Webpage is not available? That is awesome. Bear with me. Hey, what do you know?
So we've got Google's page, right? That's because we're not actually doing anything yet. If we actually... and we defaulted to secure, so that's one thing to understand here immediately: this demo has nothing to do with SSL. I say that, and you're gonna see that it does here in a second, but nothing to do with direct SSL manipulation. So what I'm wondering is why my Python isn't catching that. That is... what do you know? Here, let's try something else. Actually, let's just kill the browser. There we go. So what happened was we got over here and gladly forwarded. Ah, I missed it. So what we got was a redirect. So http://www.google.com, Google's like, whoa, no way, I want to go secure, redirects. It's a 302 Found, moved kind of message. We'll try it one more time. I think you'll see it. Let's break out of this. There you go. Let's stop my code. So we've got HTTP/1.1 302 Found, and it gives the Location that we ought to be going to, right? So the browser, a compliant browser, is gonna go, gladly, I'm on it. I've got secure, I've got SSL, I'm redirecting. We are good to go. That was just standard, no mangling.

Now, live here, we're gonna see what we can do about editing this script, and this is how easy it is. Actually, I'm gonna run through the script real quick, and then if you have any questions later, you want to run back through it or whatever. But I think you'll find that this is exactly that. In fact, this is all the code on this page. It may be missing one line, but it's really close to all the code, and this is a standard script you're gonna find anywhere if you Google this stuff. I'll give you at the end... In fact, you can Google Python and NFQ, Scapy, and you're there. You will get this script, because there's only one way to write it. So basically, right there at the beginning, we're saying we're gonna manage some packets. Give me a callback.
I'm gonna manage some packets, and then right down towards the end, basically we set up a queue, and I don't know if it specifies queue zero or not, but essentially there's a way here. Oh, there it is, queue zero, right, which is the default. You can actually have, I don't know, I think thousands, managing different types of packets. And then essentially it's going to take that payload, dump it back into the packet, and tell the queue that we're basically modifying the packet. Now in this case, or what you saw already, we didn't modify it at all. We just said, you take this payload, put it in this, let it go. All right, we're good. But you see I've got prepped here some little edits that we can do, and this is the only real way we're gonna jack with HTTPS. If they go secure, I can't see it right now. There are methods for that. There are modules. You can do a one-on-one course. Guys, gals, people, humans. Is it better to be human or a goon? That's what I want to know. Let's run this. Holy moly, where'd our lock go? You all know that the lock means you're secure, anyway. So we're still at http://www.google.com, although we still have our redirect. No, I don't know why Google lets you do that. Honestly, if you're saying to them, hey, I reached here through a redirect and you're on port 80, they ought to go, ah, I don't think so, something happened, right? This is an obvious clue. But everybody likes to pick on Google, and honestly, so do I. That's all we did, though. So what we did effectively right this second is now we can sniff in real time. So we say, I want to sniff for... to make sure that Mallory is not listening to my conversation, I'm going to sniff all about Mallory, right? I'm not going to be able to stop it in time, but if I did stop it in time, you would see that Google was actually showing us the step-by-step search that I was doing. So M, M-A, M-A-L, M-A-L-L, right? It's all in plain text. I tried to filter out just plain text.
Theoretically, this is all printable code, so I didn't spend much time with it, but you get where I'm going with that. If we grabbed that for Mallory, you would find it in plain text, and not only that, every permutation of what I was typing up to that. So you could tell it's a live, live thing. We'll get there in a minute. At any rate, you are seeing plain text when, in all reality, the end user of that machine should have been able to expect that they were using secure, because they were the day before. They didn't get an error. So again, 101 techniques, but pretty useful. I mean, you could actually use that, right?

So beyond that, what we're going to do is see if we can't basically change good to evil. That's always a goal, right? That's never bad. That was my goal with getting you guys in on that joke, but it didn't work out very well. You're very well protected on the good side. Let's see here, what happens? I'm dumping stuff. I'm going to try again, because it's like, oh, I don't know if that last one was good or not. Yeah, no, we're still good. Okay, good. So at this point, okay, the end user has no idea. He's going to go, I'm just going to search for something good. I love good stuff. Ooh, goog, actually, wait, no, that's the term. I'm going to search for good stuff, right? Wow, it broke it. That's nice. There you go. There you go. Maybe I'm cached. Maybe I'm not even doing it. That's all right. You get where I'm going. Let's give it one more shot and then we'll go back and we'll go on. Remember, if I go to www.good.com, never tried this before, it should be fun. Oh crap, it actually worked. We are manipulating live what's going on in somebody's browser. They don't know what's going on. Actually, I mean, obviously that's the best way to get caught if you're trying to, like, see somebody, is like, you just jacked with what they thought they were going to see. The best way would be to send them to evil or, you know, googl.com, right?
That kind of looks like where I was supposed to go. It looks just like Google, and I type in what I've got. I'm good. Easy peasy. Actually, with a little bit of edits, you could actually have this thing searching for just HTML. It just so happens that you've got an HTML blob right there at the end. What it's doing right now is dumping all of it. So, including... none of the packets you're seeing there are encrypted. It's all port 80, although you could do crypto on port 80, but it's not. What it is, it's compressed. So some of this stuff is compressed. Some of it's just binary garbage that's going on, sending icons and crap. Let's see. Next step. We can mangle some more. Let's see what else we can mangle. Got another part of this here, where I'm basically redirecting somebody. This is the same thing. So basically, I said before, if you really wanted to mess with somebody, then you go... One thing, one annoying thing when trying to hack somebody is that the browser tends to remember what the last connection was, and many of them now try to go SSL if at all possible, right? Not all of them do this. Some of them do. I just read it. You're like, Google to Giggle, which is kind of an interesting exercise. I have no association with Giggle. It looks like a baby registry. So you can get all kinds of stuff on Giggle. It's probably not going to load up. I figured this would be safe content just in case some of the r00tz ended up down here, right? What I was going to do, though, is show you. So if you happen to want to say google.com, how do I do a search? Somebody told me, oh, I got there. I'm searching for good. What does that look like? Okay, good. Let's change this to that. It's not even worth looking at. The funny thing was, last night when I was messing around with this, I just happened to notice that whenever I went to giggle.com on accident, because, wow, I don't know what happened, I was going to Google and ended up at Giggle.
Then it actually hit the search page, and I was searching for something good. The word good, it was like something for good gifts or whatever, and it came up with a 404 saying we have no evil gifts at this location, or something. That was awesome. I was trying to replicate that. Obviously that's not going to work out for me. Let's close this browser and go back. Let's see. One more edit here I've got, and I think it kind of gets where we're going, and then we can talk about... not even really going to talk through this one, because I think it's going to be self-evident. My bad. We're back there again. This is another thing you've got to watch when you're doing pen testing slash hacking people: you want to undo the stuff you did so it doesn't trip you up in the future. If you're done with it, clean it up. It's really better for everybody. It doesn't leave any evidence behind. But that being said, even if you're doing this on your own company, I mean, on a serious note, if you're doing this even on your own company, get-out-of-jail-free card. You need to not jack with people without complete permission from everybody involved. And if you are intercepting stuff that's going over state lines or international lines, make sure you understand the law. That's my... I have permission from everybody here. Let's see here. Sorry. I just actually need to write that down. I was cleaning up my own mess. I do not need to go to Giggle. I need now to go to the grand finale, which is I open up my Google page and I end up on Google. That's unfortunate. Try one more time. And I'll just tell you what I was trying here. DEF CON, good, evil. I'm going to run back through this in just a second, so you'll understand why I put DEF CON in here. I'll post a version of the script somewhere. You can contact me at bobby_simpson on Twitter. But okay, I do need that one, actually. So what I'm trying to do is redirect HTTP to HTTPS. Never mind. My bad.
That is exactly what I shouldn't do right there. This last one stands alone by itself. Didn't follow my own advice and did not clean up after myself. So let's try that. That should be fun. Now what we're going to do is launch our browser and find that, instead of going to Google, which is where I meant to go, sort of, it's going to Let Me Google That For You. Have you ever used that site? It's an awesome site. Man, do it. I love it. I love it. My wife, almost everything she asks me, I send her one of these links. Yeah, it's always good. I usually come home late on those nights. Eat on my own. So Let Me Google That For You, it's essentially something that creates a link that you can send somebody when they ask a completely, you know, obvious question. In this case, I'm not trying to do that to you all exactly. I'm just saying, really seriously, if you Google Scapy and NFQ, you're going to find some demos, some tutorials, some things that are going to help you. Now that you've seen a live demo and you understand, out of the box, 14.04, three packages, go to work, you know, go to town. It's awesome stuff. And in the process you're learning the structure of Scapy, which is awesome, and you're learning a little bit about Python if you've never done it before, which is also awesome. Everything in this script that doesn't have DEF CON before it is basically the only way you could possibly write it. All the stuff that has DEF CON is basically just a, you know, make up your own name. So I mean, in a lot of code, it's like my data, my whatever. That's boring. DEF CON is a lot more cool. And so what we're doing is DEF CON packet, DEF CON packet, DEF CON queue. All of these things, you give it your own name, you do what you want. There's nothing special about those things. That's sometimes hard to figure out when you get some code, you download some code off the internet, it's just exactly what I want.
And then you can't figure out which are the functions, which are variables, what's required, what's not required. This one kind of lays it out for you. So, but after seeing this, please just go, go, go. You're going to find some awesome stuff and be able to quickly set up a bridged man-in-the-middle setup so that you can jack with people. Let's see what's next. Oh, nothing. Now the trick is going to be getting back to... I already did the summary. We're doing a four-up: get a bridge utility, create a bridge, redirect packets, and that is cool. And man-in-the-middle told you to do that, so always trust man-in-the-middle. He's smart.

Any questions, anything I can help with, anything you want to know about this setup or concepts in general? I haven't, in Scapy, actually looked at, theoretically, what happened. The question was, what's necessary to actually do an SSL? Some of the tools I mentioned actually will do that for you. I would love to do a presentation in the future on, you know, doing that. I haven't had the commercial necessity to intercept SSL yet. But, you know, again, sslstrip probably does a lot. I actually don't know. I actually don't know. Theoretically, though, what happens is you send them your own cert, right? You send them a self-signed cert. They say, oh, I'm good. So, you know, Alice sends Bob a packet that relies on Alice's cert. Mallory gets in the middle, sends Bob Mallory's cert pretending to be Alice. As long as Bob is stupid enough to click okay, this is an insecure connection. Or, now here's a big or, if that SSL cert has already been installed on that PC, right? So then it's like, we're good. Somebody already vindicated this stuff. We're good. I have now an SSL connection. Two of them. One between Mallory and Alice, one between Mallory and Bob. And the data gets, you know, shuffled along and modified in the middle so that good becomes evil. Python-wise, I don't know what the tools are, but I'll be back. Oh, this is all three.
Python 3. I think it's what comes with Ubuntu 14.04. Another reason to love it. Very cool. Love y'all. Love the venue. Thanks a lot, Ming. Thanks, Tony, for setting me up. You guys have a great show.
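The downgrade in the demo, a port-80 302 to https rewritten to http that a compliant browser then follows, and the client-side control that closes it (HSTS, RFC 6797), as an added example that is not part of the talk or the speaker's script: a minimal HSTS policy store in stdlib Python, driven by constructed response bytes. The www.google.com host and the max-age value are assumptions, not anything the talk states.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the redirect the talk shows Google sending over port 80.
RAW_302 = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://www.google.com/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample: the same response after an on-path rewrite of https to http,
# i.e. what the mangled redirect in the demo looks like on the wire.
RAW_302_DOWNGRADED = RAW_302.replace(b"https://", b"http://")
# Constructed sample: a 200 carrying an HSTS header (assumed max-age of one year).
RAW_200_HSTS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from raw HTTP/1.x response bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


class HstsCache:
    """Minimal HSTS store: host -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[float, bool]] = {}

    def learn(self, host: str, headers: Dict[str, str], now: float, over_tls: bool) -> None:
        # RFC 6797: the header is only honoured when received over a TLS connection,
        # otherwise an on-path attacker could plant or clear policies.
        sts = headers.get("strict-transport-security")
        if not over_tls or sts is None:
            return
        m = re.search(r"max-age=(\d+)", sts)
        if not m:
            return
        include_sub = "includesubdomains" in sts.lower()
        self.entries[host.lower()] = (now + int(m.group(1)), include_sub)

    def must_upgrade(self, host: str, now: float) -> bool:
        """True if an unexpired policy covers host, directly or via includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False


def host_of(url: str) -> str:
    return url.split("://", 1)[1].split("/", 1)[0]


def next_url(current_url: str, raw_response: bytes, cache: HstsCache, now: float) -> str:
    """Where a client goes after this response: follow redirects, then apply HSTS."""
    status, headers = parse_response(raw_response)
    cache.learn(host_of(current_url), headers, now, over_tls=current_url.startswith("https://"))
    location = headers.get("location")
    target = location if status in (301, 302, 303, 307, 308) and location else current_url
    # With no policy the client follows the downgraded Location as-is, exactly as in the demo;
    # with a policy the URL is rewritten to https before any request leaves the host.
    if target.startswith("http://") and cache.must_upgrade(host_of(target), now):
        return "https://" + target[len("http://"):]
    return target
```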