LuizEduardo. Introduction to Mobile Snitch

Page 1
Mobile Snitch, CONFidence 2012
© 2012
Presented by: Luiz Eduardo, @effffn, le(at)trustwave.com

Page 2: Agenda
• Intro
• Motivations
• Current “issue”
• Profiling
• Mitigation Tips
• Future

Page 3: $ whois Luiz Eduardo
• Head of SpiderLabs LAC
• Knows a thing or two about WiFi
• Conference organizer (YSTS & SilverBullet)
• Amateur photographer
• le/at/ trustwave /dot/ com
• @effffn

Page 4: $ whois Rodrigo Montoro
• Security Researcher at Trustwave/SpiderLabs
• Intrusion Detection System rules
• New ways to detect malicious activities
• Patent-pending author of a methodology to discover malicious digital files
• Speaker: Toorcon, SecTor, FISL, Conisli, CNASI, OWASP AppSec Brazil, H2HC (São Paulo and México)
• Founder of the Malwares-BR Group / Webcast Localthreats
• Founder and coordinator of the Snort Brazilian Community
• Snort rules library for Brazilian malware

Page 5: Trustwave SpiderLabs®
Trustwave SpiderLabs uses real-world and innovative security research to improve Trustwave products, and provides unmatched expertise and intelligence to customers.
Diagram labels: Response and Investigation (R&I); Analysis and Testing (A&T); Research and Development (R&D); Threats: real-world, discovered, learned; Protections: products, partners, customers.

Page 6: Goals of this Talk
• Information about the data your mobile devices broadcast
• Possible implications of that
• Raise awareness of the general public regarding mobile privacy

Page 7: Motivations
• Previous WiFi research
• Tons of travel
• Client-side / targeted attacks and malware trending
• Very initial thoughts of this talk presented at BayThreat 2011
• (very, very initial WiFi-based device location at ToorCon Seattle 2008)
Page 8: Disclaimer

Page 9: Definitive Goal
• Ability to fingerprint a PERSON based on the information given by their mobile device(s)
Passive information gathering of:
• Automatic “LAN/Internal” protocols
• Non-encrypted traffic analysis (security flaws / features / non-confidential info)

Page 10: Current “issue”
• Massive adoption of mobile devices
• Usability vs. Security
• Networking protocols
• Broadcast / Multicast (and basic WiFi operation)
• And…

Page 11: BYOD

Page 12: BYO(B)D
WiFi security as we know it:
• protect the infrastructure
• protect the user, once it’s in the protected network
And the newER buzzword: BYOD Security. Still, it doesn’t solve the privacy issue.

Page 13: Privacy Matters?

Page 14: I can haz ZeroConfig
• Used by most mobile devices
• Discovery, announcement & integration with (mostly) home devices: multimedia products, IP cameras, printers
• Yet, always on and automatic
“Zero configuration networking allows devices such as computers and printers to connect to a network automatically. Without zeroconf, a network administrator must set up services…”

Page 15: ZeroConfig Protocols
• mDNS
• UPnP SSDP (Simple Service Discovery Protocol)
• SLP (Service Location Protocol)

Page 16: (IPv6) Lack of
• Monitoring
• Protection
• Knowledge
• Etc…

Page 17: mDNS is evil then?

Page 18: So, how does it work?
• Data acquisition (passive)
• Filters
• Compare with existing info
• First search: Internet search; applications (NetBIOS / services)
• Third party: ARP poisoning; extra pcaps; info correlation; additional Internet search
Profile creation:
• Domain request info
• IP / geolocation
• Locations (collection)
• Contacts
• Company info
• Personal network
• Software
• etc.

Page 19: Data Acquisition (mDNS - multicast)

Page 20: mDNS query

Page 21: mDNS “passive port scan”

Page 22: Data Acquisition (NetBIOS - broadcast)

Page 23: NetBIOS query

Page 24: Key Information

Page 25: In mdns we trust … insecure
$ perl snitch.pl rodrigo-montoro-ipad-iphone.pcap
##### Mobile Snitch #####
##### Analyzing File: rodrigo-montoro-ipad-iphone.pcap #####
Tool by @effffn and @spookerlabs
Packet Number: 596
Mac Address: 5c:59:48:45:db:fb
Name Info: Rodrigo-Montoro.local,Rodrigo-Montoro.local
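The slide above shows snitch.pl pulling a hostname out of a captured mDNS response. As an added example (not the snitch.pl code and not part of the original deck), this Python script parses a constructed mDNS response, follows DNS name compression pointers, and applies the deck's later mitigation tip (no personal names in the device name) as a heuristic audit of what each announced hostname gives away. DEVICE_WORDS, the hostnames and the packet bytes are assumptions constructed here.

```python
import re
import struct

# Generic device words carry no personal information; anything alphabetic left over is suspect.
DEVICE_WORDS = {"iphone", "ipad", "ipod", "macbook", "imac", "android", "galaxy",
                "pixel", "printer", "laptop", "pc", "phone", "air", "pro", "mini", "s"}

def read_name(pkt, off):
    """Decode a DNS name at pkt[off], following RFC 1035 compression pointers; returns (name, end)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # 2-byte pointer: top two bits set
            if not jumped: end = off + 2               # the record continues after the pointer
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:                                # root label terminates the name
            return ".".join(labels), (end if jumped else off)
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length

def mdns_owner_names(pkt):
    """Return (owner name, record type) for every record in an mDNS response packet."""
    _, _flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, names = 12, []
    for _ in range(qd):                                # questions: name + type + class
        _, off = read_name(pkt, off); off += 4
    for _ in range(an + ns + ar):                      # resource records: name + 10 fixed bytes + rdata
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        names.append((name, rtype))
    return names

def identifying_tokens(hostname):
    """Heuristic: parts of the first label that are not generic device words, i.e. likely a person's name."""
    tokens = re.split(r"[-_\s']+", hostname.split(".")[0])
    return [t for t in tokens if t.isalpha() and t.lower() not in DEVICE_WORDS]

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

# Constructed sample response: two A records; the second owner name uses a compression
# pointer (0xC01C) to the "local" label at offset 28 inside the first owner name.
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 2, 0, 0)
          + encode_name("Jane-Doe-iPhone.local")
          + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([192, 168, 0, 10])
          + b"\x07printer\xc0\x1c"
          + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([192, 168, 0, 11]))
```

Running `identifying_tokens` over `mdns_owner_names(SAMPLE)` flags "Jane-Doe-iPhone.local" and passes "printer.local".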
Page 26: First Search
Name Info: Rodrigo-Montoro.local,Rodrigo-Montoro.local
Translating to Google (or any other search tool):
Rodrigo Montoro inurl:facebook.com
Rodrigo Montoro inurl:linkedin.com
Rodrigo Montoro inurl:twitter.com
Google images: Rodrigo+Montoro
Montoro Rodrigo
Montoro
Or any other Google search for that matter.

Page 28: But ….

Page 29: Rodrigo is not that famous (yet)…

Page 30: So we could use third-party info
• ARP spoofing
• New pcaps
• In-depth request analysis:
• HTTP objects rebuild (oh yeah)
• Plain-text requests
• Who wants a cookie?
• Usernames (we don’t want passwords... at least, not now)
• GeoIP / domains
• SSID databases
• Image EXIF info

Page 31: ARP Spoofing
Difficulty level: -10
# arpspoof -i eth0 192.168.0.1
* Don’t forget to enable ip_forward =)

Page 32: New pcaps
• Cloudshark
• Pcapr
• Sniffing random locations
• Create an online repository?

Page 33: HTTP objects rebuilt - the secrets
{"authToken":"name:hpVy","distance":0,"firstName":"Rodrigo","formattedName":"Rodrigo Montoro","headline":"Nerds at Spiderlabs","id":"1337","lastName":"Montoro","picture":"http://media.linkedin.com/mpr/mpr/shrink_80_80/p/4/000/13/lalal.jpg","hasPicture":true,"twitter":"spookerlabs"}

Page 34: User-Agents (-e http.user_agent http.request.method == GET)
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1
lwp-trivial/5.810
Mozilla/5.0 (iPad; CPU OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405
TwitterForBlackBerry/2.1.0.28 (BlackBerry; U; BlackBerry 9300; es) Version/5.0.0.846
Mozilla/5.0 (Linux; U; Android 2.1-update1; es-ar; U20a Build/2.1.1.A.0.6) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 [FBAN/FB4A;FBAV/1.8.4;FBDM/{density=0.75,width=320,height=240};FBLC/es_AR;FB_FW/1;FBCR/CLARO;FBPN/com.facebook.katana;FBDV/U20a;FBSV/2.1-update1;]
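The User-Agent slide lists headers captured in plain-text HTTP. As an added example, not part of the original deck, this Python script shows how much a single header contributes to the "Software" and "Locations" columns of a profile: platform, OS version, language/locale, the app in use and even the mobile carrier. The field names, the PLATFORMS table and the regexes are assumptions made here; the sample strings are copies of the ones on the slide.

```python
import re

# Copies of the User-Agent strings shown on the slide, used as constructed sample input.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11",
    "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1",
    "lwp-trivial/5.810",
    "Mozilla/5.0 (iPad; CPU OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9A405",
    "TwitterForBlackBerry/2.1.0.28 (BlackBerry; U; BlackBerry 9300; es) Version/5.0.0.846",
    "Mozilla/5.0 (Linux; U; Android 2.1-update1; es-ar; U20a Build/2.1.1.A.0.6) AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17 [FBAN/FB4A;FBAV/1.8.4;FBDM/{density=0.75,width=320,height=240};FBLC/es_AR;FB_FW/1;FBCR/CLARO;FBPN/com.facebook.katana;FBDV/U20a;FBSV/2.1-update1;]",
]

# Ordered so that "iPad ... like Mac OS X" is classified as iPad rather than macOS.
PLATFORMS = [("iPad", "iPad"), ("iPhone", "iPhone"), ("Android", "Android"),
             ("BlackBerry", "BlackBerry"), ("Windows NT", "Windows"), ("Mac OS X", "macOS")]
OS_VERSION_RE = re.compile(r"(?:Android|CPU OS|Windows NT|Mac OS X) ([\d_.]+(?:-\w+)?)")
LOCALE_RE = re.compile(r"[a-z]{2}(-[a-z]{2})?")        # e.g. "es", "es-ar", "en-us"

def profile_user_agent(ua):
    """Pull out what one User-Agent header reveals about the device and its owner."""
    info = {"platform": "other", "os_version": None, "locale": None, "app": None, "carrier": None}
    for needle, label in PLATFORMS:
        if needle in ua:
            info["platform"] = label
            break
    m = OS_VERSION_RE.search(ua)
    if m:
        info["os_version"] = m.group(1).replace("_", ".")
    paren = re.search(r"\(([^)]*)\)", ua)               # first parenthesised group holds OS details
    for field in (paren.group(1).split(";") if paren else []):
        if LOCALE_RE.fullmatch(field.strip()):
            info["locale"] = field.strip()
    fb = re.search(r"FBAN/([^;\]]+)", ua)                # Facebook app appends its own bracketed block
    lead = re.match(r"([A-Za-z-]+)/[\d.]+", ua)          # non-browser clients name themselves first
    if fb:
        info["app"] = "Facebook " + fb.group(1)
    elif lead and lead.group(1) != "Mozilla":
        info["app"] = lead.group(1)
    carrier = re.search(r"FBCR/([^;\]]+)", ua)           # FBCR = carrier as reported by the Facebook app
    if carrier:
        info["carrier"] = carrier.group(1)
    return info

def leak_report(uas):
    """Map each User-Agent to only the facts it actually discloses."""
    return [{k: v for k, v in profile_user_agent(ua).items() if v} for ua in uas]
```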
Page 35: We are the good guys …
$ cat /var/log/snort/alert | grep "\[\*\*" | sort | uniq -c | sort -nr
25 [**] [1:100000236:2] GPL CHAT Jabber/Google Talk Incoming Message [**]
13 [**] [1:100000233:2] GPL CHAT Jabber/Google Talk Outgoing Message [**]
5 [**] [1:2010785:4] ET CHAT Facebook Chat (buddy list) [**]
2 [**] [1:2100538:17] GPL NETBIOS SMB IPC$ unicode share access [**]
1 [**] [1:2014473:2] ET INFO JAVA - Java Archive Download By Vulnerable Client [**]
1 [**] [1:2012648:3] ET POLICY Dropbox Client Broadcasting [**]
1 [**] [1:2011582:19] ET POLICY Vulnerable Java Version 1.6.x Detected [**]
1 [**] [1:2006380:12] ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted [**]
1 [**] [1:2002878:6] ET POLICY iTunes User Agent [**]
1 [**] [1:100000230:2] GPL CHAT MISC Jabber/Google Talk Outgoing Traffic [**]

Page 36: Person “MACnification”
MAC address, username, pictures, Facebook, LinkedIn, Twitter, locations, company, software, extras, infected?

Page 37: Next time we meet…

Page 38: “Mitigation” Tips
- Name the device: never use your name / last name in your device
- Careful where you use your mobile
- Turn off WiFi (Bluetooth, etc.) when not using it
- (Bonus!) Consider removing some SSID entries from your device… but why?

Page 39: Bonus! Aka: Bring Your Own Probe Request
And Bluetooth

Page 40: Disconnected Devices & SSIDs
• Company
• People
• SSN #s
• Hotel
• School
• Event
• Airport
• Lounges
• … and
• Free Public WiFi

Page 41: Careful with the new features that might affect (even more) your privacy….

Page 42: Future …
• Website for profile feed collaboration? Macprofiling.com, Whoisthismac.com, Followthemac.com, ISawYouSomehereAlready.com
• Social engineering: SET (Social Engineer Toolkit) integration, Maltego
• Others

Page 43: Additional Resources
Download the Global Security Report: http://www.trustwave.com/GSR
Read our Blog: http://blog.spiderlabs.com
Follow us on Twitter: @SpiderLabs / @efffffn / @spookerlabs