I See You
Transcript of I See You
I See You: What not to do when someone is monitoring your network traffic
Andrew Beard, Brian Wohlwinder
In honor of Brian
• Lift with your legs, not your back
• Engage your core, keep your abs pulled in
• Avoid twisting your trunk
DEFCON 22
Our Setup
• COTS network visibility appliance for capture and analysis
• Common data tap from the Packet Hacking Village
• General purpose rules and some written specifically for the Wall of Sheep to generate alerts and capture content for specific sessions
• Metadata capture for the duration of the event
• About 500M of compressed metadata between August 8 and 10, 2014
• A little over 6M transactions
Rules of Engagement
• Completely passive listener
• Ignore SSL/TLS content (metadata only)
• All credentials partially redacted
Overall Protocol Mix (chart; protocols shown: HTTP, TLS/SSL, FTP, Other, XMPP, WebSocket, BitTorrent, IRC)
Where’s the VPN traffic?
• Good question…
• Very few encrypted tunnels from what we could tell. A few sessions, but nowhere near what we expected.
• More Teredo IPv6 tunnels than real VPN traffic
• Best guess, most aren’t using the WiFi
It’s all about the passwords
Plain Text Credentials
• POP3, IMAP, SMTP
• FTP
• IRC
• Telnet
• Occasional HTTP (mostly via URL or POST content)
POP3
+OK <21066.1407692429@************************>
CAPA
-ERR authorization first
USER lodgetreasurer@***************
+OK
PASS 2Q********
+OK
STAT
+OK 8 107321
IMAP
* OK IMAP4 Service Ready
1 LOGIN yihui.xu@******** N*****
1 OK LOGIN completed
FTP
220------- Welcome to Pure-FTPd [privsep] [TLS] -------
220-You are user number 129 of 200 allowed.
220-Local time is now 14:45. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 3 minutes of inactivity.
USER dpi03@******
331 User dpi03@****** OK. Password required
PASS **********
230 OK. Current restricted directory is /
HTTP – In URL
/login?username=jacky&password=******
/login.php?username=revelation&password=******
/perfils/autenticar/5512899033.json?passwordKey=******&telefono=**********&dispositivo=IPH&password=******&SO=iOS 7.1.2&deviceId=iPhone
When it comes to plaintext fail, mail is king
(chart of plaintext credential counts by protocol: POP3, IMAP, SMTP, FTP, TELNET, IRC, HTTP)
A problem of their own making
• For the mail protocols, the vast majority of clients were iPhones, based on outgoing MIME headers and IMAP ID responses
• From what we can tell, most of the providers involved supported SSL
• If your provider doesn’t support SSL, find a provider that isn’t crap
• None of the major email service providers were represented: their built-in client profiles enable SSL automatically
HTTP Basic Access Authentication
GET / HTTP/1.1
Host: ******************************
Connection: keep-alive
Authorization: Basic bmF0YXMwOm5hdHRhczA=
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Cookie: __cfduid=d95f675fe0594829173be04822ed312a41407700114750; __utma=176859643.984037758.1407700117.1407700117.1407700117.1; __utmb=176859643.3.10.1407700117; __utmc=176859643; __utmz=176859643.1407700117.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
HTTP Basic Access Authentication
That looks a lot like base64…
localhost$ echo "bmF0YXMwOm5hdHRhczA=" | base64 -D; echo
natas0:nattas0
Base64 is username and password encoding, not encryption. OK if the transport layer is providing confidentiality (HTTPS), but not for straight HTTP.
curl http://natas0:nattas0@*************
Basic Auth and API Keys
GET /cors?uri=https%3A%2F%2F********************%2Fapi%2Fv2%2Fcategorie.json%3Fparent_id%3D0%26limit%3D250%26page%3D1 HTTP/1.1
Host: *********************
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/json
Authorization: Basic YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0
Referer: http://**************************/Las-Vegas Nevada-printer-ink-toner-cartridge-leader/
Origin: http://**************************
Connection: keep-alive
localhost$ echo "YXBpOjQxNjY1YWJjY2JlYjA5YjFjZDY1MDA3N2I5ZWJkZWM0" | base64 -D; echo
api:41665abccbeb09b1cd650077b9ebdec4
Session key for the current user. Anyone interested in buying a couple tons of toner on their account?
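The three ways credentials showed up in the clear above (USER/PASS and LOGIN commands in POP3, IMAP and FTP; HTTP Basic headers; credentials in URL query strings) can all be picked out of a passive capture with a few lines of pattern matching. The following scanner is an added example written for this transcript; it is not the appliance rules or any tooling from the talk. The session texts it scans are constructed to resemble the redacted slides (hosts under example.* and made-up passwords), the `natas0:nattas0` Basic header is the one shown on the slide, and the redaction style (keep two characters, star the rest) follows the slides' convention.

```python
"""Passive plaintext-credential scanner over captured session text (added example)."""
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Query-string parameter names treated as credentials / account identifiers (assumption).
SECRET_PARAMS = {"password", "passwordkey", "passwd", "pass", "pwd"}
USER_PARAMS = {"username", "user", "login", "email", "telefono"}

REQUEST_LINE_RE = re.compile(r"^(?:GET|POST|PUT)\s+(\S+)\s+HTTP/1\.[01]\s*$", re.M)
BASIC_AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
# POP3 and FTP both log in with USER then PASS; server replies may sit in between.
USER_PASS_RE = re.compile(r"^USER\s+(\S+)\s*\r?\n(?:[^\r\n]*\r?\n)*?PASS\s+(\S+)", re.I | re.M)
# IMAP: "<tag> LOGIN <user> <password>" sent by the client.
IMAP_LOGIN_RE = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+(\S+)\s*$", re.I | re.M)


def redact(secret: str, keep: int = 2) -> str:
    """Keep the first `keep` characters and star the rest, as the slides do."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_basic_auth(text: str) -> list:
    """HTTP Basic is base64('user:password'): encoding only, no confidentiality."""
    findings = []
    for blob in BASIC_AUTH_RE.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:          # not valid base64; leave it alone
            continue
        user, sep, password = decoded.partition(":")
        if sep:
            findings.append({"kind": "http-basic", "user": user, "secret": redact(password)})
    return findings


def scan_url_credentials(text: str) -> list:
    """Credentials in the request URL: on the wire, in proxy logs and in server logs."""
    findings = []
    for target in REQUEST_LINE_RE.findall(text):
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        user = next((v for k, v in params if k.lower() in USER_PARAMS), None)
        for key, value in params:
            if key.lower() in SECRET_PARAMS:
                findings.append({"kind": "http-url", "user": user, "secret": redact(value)})
    return findings


def scan_mail_ftp(text: str) -> list:
    """USER/PASS (POP3, FTP) and tagged LOGIN (IMAP) on a cleartext connection."""
    findings = [{"kind": "user-pass", "user": u, "secret": redact(p)}
                for u, p in USER_PASS_RE.findall(text)]
    findings += [{"kind": "imap-login", "user": u, "secret": redact(p)}
                 for u, p in IMAP_LOGIN_RE.findall(text)]
    return findings


def scan(text: str) -> list:
    """Run every detector over one captured session and return all findings."""
    return scan_mail_ftp(text) + scan_basic_auth(text) + scan_url_credentials(text)


# Constructed sample sessions (not real captures); shaped like the redacted slides.
SAMPLE_SESSIONS = {
    "pop3": ("+OK <21066.1407692429@mail.example.net>\r\nCAPA\r\n-ERR authorization first\r\n"
             "USER lodgetreasurer@example.net\r\n+OK\r\nPASS 2Qrt9hunt\r\n+OK\r\n"),
    "imap": "* OK IMAP4 Service Ready\r\n1 LOGIN yihui.xu@example.com N0tASecret\r\n1 OK LOGIN completed\r\n",
    "ftp": ("220 Welcome\r\nUSER dpi03@example.org\r\n331 User dpi03@example.org OK. Password required\r\n"
            "PASS ftp-pass-1\r\n230 OK.\r\n"),
    "http_basic": "GET / HTTP/1.1\r\nHost: www.example.com\r\nAuthorization: Basic bmF0YXMwOm5hdHRhczA=\r\n\r\n",
    "http_url": "GET /login.php?username=revelation&password=hunter2 HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "mobile_url": ("GET /perfils/autenticar/5512899033.json?passwordKey=k3yabc&telefono=5512899033"
                   "&password=pw1234&SO=iOS%207.1.2 HTTP/1.1\r\nHost: api.example.com\r\n\r\n"),
}

if __name__ == "__main__":
    for name, session in SAMPLE_SESSIONS.items():
        for f in scan(session):
            print(f"{name:11} {f['kind']:11} {f['user']!s:30} {f['secret']}")
```

The URL detector assumes spaces in query values arrive percent-encoded (as a real client would send them); the `SO=iOS 7.1.2` on the slide is how the capture was rendered, not a valid request line. The Basic detector deliberately reports a finding regardless of port, because whether it matters depends on whether the session was inside TLS, which a metadata-only listener knows from the port and handshake, not from the header itself.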
Then we started getting bored…
A bunch of bored guys looking at your network traffic probably isn’t a good thing
Fun With Mobile Apps
GET /gw/mtop.taobao.wireless.homepage.ac.loadPageContent/3.0/?rnd=4C28D4EB4622CA84826DDB0E8D95B2EC&type=originaljson&data=%7B%22utdid%22%3A%22U0gUZGIZnIwDAFX4JgNi4RRk%22%2C%22userId%22%3A%***********%22%2C%22ua%22%3A%22iPhone%22%2C%22cityCode%22%3A%22330100%22%2C%22nick%22%3A%22******%22%2C%22longitude%22%3A%22120.050453%22%2C%22cityName%22%3A%22%E6%9D%AD%E5%B7%9E%22%2C%22latitude%22%3A%2230.286152%22%2C%22isPosition%22%3Afalse%2C%22platformVersion%22%3A%227.1%22%7D HTTP/1.1
Host: api.m.taobao.com
User’s Default Location (the URL-decoded data parameter)
{ "utdid": "U0gUZGIZnIwDAFX4JgNi4RRk", "userId": "*********", "ua": "iPhone", "cityCode": "330100", "nick": "******", "longitude": "120.050453", "cityName": "杭州", "latitude": "30.286152", "isPosition": false, "platformVersion": "7.1" }
What’s the worst that could happen?
It can’t be that bad…
“Is this important?”
From: Deborah Simon <dms@************>
To: Mitchell IPad Simon <md.simon@************>
Subject: Megan’s W-4
One attachment, “2014 W4.pdf”
Nothing to worry about here
Dear God WHY!?
• Data confidentiality in transit vs at rest: TLS on the mail session protects the hop, not the document once it lands
• PGP
• S/MIME certificates are cheap/free and supported by most major mail clients (including mobile devices)
• Encrypted zip files or document-based encryption are better than nothing
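What "encrypt the document, not just the session" looks like in practice: the attachment is wrapped as an S/MIME enveloped message before it is handed to the mail client, so a cleartext SMTP or IMAP session (or a mail server's disk) only ever sees ciphertext. This is an added example, not tooling from the talk; it drives the `openssl` command-line tool (assumed to be on PATH) from Python, and generates a throw-away self-signed certificate to stand in for the recipient's real S/MIME certificate. The PDF bytes are a constructed stand-in, not the W-4 from the slide.

```python
"""S/MIME-envelope a file before attaching it (added example; wraps the openssl CLI)."""
import os
import subprocess
import tempfile


def _openssl(*args: str, data: bytes = b"") -> bytes:
    """Run one openssl command with `data` on stdin; raise if it fails."""
    return subprocess.run(["openssl", *args], input=data, check=True,
                          capture_output=True).stdout


def make_recipient_keypair(workdir: str) -> tuple:
    """Self-signed cert + key standing in for the recipient's S/MIME identity (assumption).

    In real use the sender only holds the recipient's certificate; the private key
    never leaves the recipient's mail client.
    """
    key = os.path.join(workdir, "recipient.key")
    cert = os.path.join(workdir, "recipient.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=recipient@example.net", "-keyout", key, "-out", cert)
    return key, cert


def smime_encrypt(plaintext: bytes, recipient_cert: str) -> bytes:
    """Return an S/MIME enveloped-data message: AES-256 content key, RSA-wrapped to the cert.

    -binary stops openssl from rewriting line endings, which would corrupt a PDF.
    """
    return _openssl("smime", "-encrypt", "-aes256", "-binary", recipient_cert, data=plaintext)


def smime_decrypt(envelope: bytes, recipient_key: str, recipient_cert: str) -> bytes:
    """What the recipient's client does with its private key."""
    return _openssl("smime", "-decrypt", "-inkey", recipient_key, "-recip", recipient_cert,
                    data=envelope)


# Constructed stand-in for the attachment; not a real tax form.
SAMPLE_ATTACHMENT = b"%PDF-1.4\n% constructed stand-in for 2014 W4.pdf, not a real form\n"


def demo_roundtrip(plaintext: bytes = SAMPLE_ATTACHMENT) -> dict:
    """Encrypt, then decrypt, and report what a passive listener would have seen."""
    with tempfile.TemporaryDirectory() as workdir:
        key, cert = make_recipient_keypair(workdir)
        envelope = smime_encrypt(plaintext, cert)
        recovered = smime_decrypt(envelope, key, cert)
    return {
        "envelope": envelope,                               # what travels over SMTP/IMAP
        "plaintext_visible_on_wire": plaintext in envelope,  # should be False
        "roundtrip_ok": recovered == plaintext,              # should be True
    }


if __name__ == "__main__":
    result = demo_roundtrip()
    print(result["envelope"].decode("ascii", "replace")[:200])
    print("plaintext visible on wire:", result["plaintext_visible_on_wire"])
    print("recipient recovered the file:", result["roundtrip_ok"])
```

The envelope that comes back is itself a MIME part (`Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data`), which is exactly what an S/MIME-capable client attaches and what a non-capable client shows as an opaque `smime.p7m`; either way the W-4 is not readable from the wire. Subject lines and addresses are still sent in the clear, which is why the subject on the slide was enough to know what the attachment was.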
DEF CON 22 MUSIC ANNOUNCEMENT: THE ORB
You better have just done that spit-take. That's right. Electronica/Trip-Hop/IDM/dub music classics and pioneers: The Orb. They're here. They're kicking. And on the 3rd day of DEF CON (Saturday night/Sunday morning 00:00-01:00) their divine presence shall bless the glorious attendees who... attend their glorious and divine performance. Those who do not attend will be forsaken and cast into the dystopian landscape known as "the rest of Las Vegas." And so this event shall henceforth be written into the Dark Tangent's Book of DEF CON, Volume 22 - also referred to by some as "the conference program." So say we all.
More fun with misconfigured mail clients
To: *****@theorb.com
From: Bill Quinn
Subject: ***** pick up amount Rio 8/9
Hey *****,
Please pick up the balance of $6,500 for tonights performance in Vegas. Let me know if you have any questions.
Thanks,
Bill Quinn
Madison House, Inc.
Imagine for a moment…
• You know someone is going to be picking up a check for $6500
• You have detailed knowledge of the transaction
• You have unrestricted access to the intended recipient’s email account
Quick Recap
• Through misconfiguration or a lack of controls it’s pretty easy for potentially sensitive or harmful info to make its way over a network in the clear
• Consider defense in depth. Use multiple layers of encryption in transit (a VPN under a TLS session, an encrypted document inside an encrypted mail session), just in case one of them is missing or misconfigured.
• Don’t trust your email password as the only thing keeping you from financial or other loss.
• Treat every network as untrusted (especially the ones that warn you ahead of time)