All right, are you hyped? Because I'm not. Hmm, let's go. Welcome back to this episode. h0z Lee hoon comm: play now, freely reachable anarchy server. It's pure vanilla, there are no world resets, I have enough storage for big worlds and so on. Yeah, I don't know, it's just a chilled quality server; I wouldn't call it a quality server, but it's not bad. Like, I'm not like some admin who will remove the server after two weeks or if he loses interest, so the server will stick around. And yeah, there are no rules; you're allowed to use hacked clients and all the other anarchy stuff. So if there is something for you, make sure to join now. And that was it for the advertisement part for the server.

And I know this is all water, this is so bad, but why do I have the feeling that this water is like a thousand blocks long? That's unfortunate. Okay, so, well, my inventory is so empty. Yeah, okay, so let's get started with the video that we are going to play back in the background. It's a DEF CON conference talk and it's from 2014 with 30,000 views. It has to do with DEF CON 22 and 'The Monkey in the Middle: A Pen Tester's Guide to Playing in Traffic'. So if you're interested in that talk that I'm going to watch in the background, make sure to check out the original; the link to it is in the description. As always, if you're interested in playing on the server, check out LG o dot Z Lee Hong Kong, and the IP address for that is also in the description.

Is that my shulker box over there? Did I actually forget it? My inventory was kind of empty. Is it mine? Is it even mine? Why do I think it's not mine? I don't know. Okay, so, hmm, yeah, then I would say let's get started. Where's my talk mark? Yeah, well, I will do that while the video is playing back.

All right, so you'll hear people refer to me as Anch. I don't know, technically it's a form of 'unk', but I wonder how I pronounce it; I think I pronounce it kind of wrong. Oh yeah, I'm Anch, and you guys are here to listen to me ramble on
about man-in-the-middle attacks, or monkey-in-the-middle attacks, and we'll play in some traffic; there will be a lot of fun. So just a little bit about me. This is the slide where I normally introduce my wife, because she's here, but she's not here. No, that's her, on my way... I'm sure you're gonna be four minutes late; I'll introduce you guys when she gets here. I have a lot of experience in penetration testing and hacking. And funny story, funny story time, since I have time: a penetration tester with the job title 'penetration tester' is the best title to have at a party. People walk up to you: what do you do? I'm a penetration tester. And they look at you funny, like, huh, and they're like, so what do you do exactly? And they're expecting something like, well, I test the lighting in porn, but then I go, oh boy, I noticed... whatever, that's what I do, and they're like, oh, that's actually really [ __ ] boring. So yeah, I've got over ten years' experience doing this, I like to do this, and I like to teach people how to do it.

And then, take a little bit of a survey: how many of you guys, first year at DEF CON, first time? I got a roomful of noobs, that's awesome. By the way, when I say noob it's not an insult, honest to God, not an insult, it is a compliment. I'm a noob at things; I can't reverse engineer for [ __ ] and I'm teaching myself to do it. I'm a total noob at reverse engineering, but I'm really, really good at the other stuff, so being a noob is not a problem, it's actually really awesome. How many people in here are penetration testers right now? Okay. How many people here want to be penetration testers? Good, that's awesome, that's an admirable goal. How many people actively exploit boxes as a penetration tester? I have one... I had to charge. I didn't save those seats for you, actually, really, I didn't. You know what, my wife is coming down, so just save her seat; she's got one more with her, she'll probably sit on the
floor, it'll be okay. Yeah, people think, you know, it's important that I take care of my wife. So yeah, that's a little bit about me. boneheadsanon is my Twitter, so tweet me if you want me; it's all good.

So why do we play in traffic? [ __ ] traffic is really, really interesting. And by the way, I put funny stuff on my slides, so feel free to laugh; don't be like, it's quiet and stuff. You guys are the quietest audience I've ever had. When I walked down here and I asked you guys, is this the line for the talk, you were all like... anyway. Traffic is interesting stuff. Yeah, thank you. It gives us insight into how things work. You know, when you're looking for something on the network that's misbehaving, the first place I go is the traffic. Oftentimes it's something simple, like a misconfigured switch port, or I'm in the wrong VLAN, or I'm pushing things to the wrong address, but the traffic will tell me that. And if you know how to read traffic, you know how to look at it, you know how to capture it, you can actually do some pretty cool stuff with it. It allows us to gather information on a target, really valuable information on a target. It tells us the source and destination MAC addresses, it tells us what ports the target is talking on, what ports are open. Sometimes you can't get a port scan because there's a firewall and it's just sitting there, it's just empty; you know, you run nmap and it comes back with nothing. Well, I know that host is alive, so if I can get the traffic I can tell what ports are open on it, and maybe I can spoof the traffic in order to get to that host. There's a lot of fun stuff you can do with traffic. And it allows us to change things as they go by, and I'll get into some fun stuff you can do. You can really prank your friends with some of this, especially when you're at home: your friends get on the internet and they're like, why are all the images upside down? Yeah. We get... hi
everybody, this is my wife. Oh [ __ ], I pressed the button. Yeah, I saved these seats, and yeah, she supports me in everything that I do and I love her very, very much, and so she deserves a great big hand. [Applause]

So yeah, being able to play in traffic allows us to change things as they go by and make modifications to stuff that may or may not allow us to get into things that we're not supposed to, and that kind of power is great, because if people are looking for it, IDS looks for it a little bit, but if you're smart about it you can actually bypass IDS altogether. Yeah, oh yeah, that's the traffic that's supposed to be there. Yeah, I'm actually getting chuckles. Most importantly, it allows us to prank our friends, and honestly, allowing us to prank our friends... we have to have fun with this job. You can't just do the work to do the work. If it's not interesting to you, you are in the wrong line of work, you really are. Was that it? We have to laugh. It is all about the lulz, you're right. We have to laugh, we have to have fun, and you have to be interested in doing this stuff so you'll actually learn it. Otherwise you go to work for ten or fifteen hours of the day and you come home and you get stagnant because you're not learning new stuff. You're applying what you already know, but you're not actually picking it up. And if you love it, you'll go home and you'll read about it, or you'll play with it, or you'll mess with your friends, your neighbors.

Interesting story about my neighbors: I actually did something for Aruba, and they
were kind enough to give me an access point to play with, and it's one of their new 802.11ac access points, and I set it up at home. I've been having problems with interference on stuff, and the Aruba access point comes up and it goes, oh, I'm seeing interference, let me take care of that for you, and all of a sudden all of my neighbors' access points go, oh, I'm gonna get quieter, and turn down, and now I'm the king of the mountain. It's pretty awesome. [Applause]

All right, so how do we get into the traffic that we want to play with? There's a lot of different ways to do it, and I don't have my presenter notes up here, so... just remember, always wear a helmet. You don't want to really mess anything up, so you've got to be real careful playing with traffic. Playing with network traffic in general, you're not gonna permanently screw something up, but it can definitely have unintended consequences, and I'll get into those here in a little bit. When you mess with things, the systems have checksums and ways to figure out that you're actually messing with them, and they'll toss it out, and then you can be like, d'oh, you know, I got that transparent proxy in place and I'm trying to create the all-porn internet, and it's replacing these images, but the images aren't coming up, and it's probably because you're not injecting them right. We'll talk about that a little bit later.

It can be dangerous. You can get caught; it's a noisy thing. If you get caught and you don't have permission to play in traffic (by the way, get permission first; no means no), if you don't have permission and you get caught, the consequences can be dire. You can get arrested and go to jail, and that's never fun. It can be dangerous, it can mess stuff up, it can mess your traffic up on your network. I've done that a couple of times: my wife calls me, 'the internet's not working', and I'm, you know, in
Oklahoma, and like, uh, sorry, I left that running and I didn't mean to. It does really mess with the networks, especially some of the tools that we'll talk about here in a little bit; they can take entire networks down, big networks, or entire segments of a network, when you're impersonating a gateway or directing traffic to your box. You know, that gateway is normally handling 10 gigs of traffic and your box has a 100 meg card in it; that tends to hurt a little bit. So it can really, really mess with the networks, and you can really put yourself in a position where you're taking something critical offline, and as a tester we never really want to do that. We tend to get smacked for it, and it makes our jobs even more difficult. And like I just alluded to, your host might not be fast enough; you might not be able to process all the traffic that you're getting. You're gonna drink from a fire hose, and when you do that it tends to fill your mouth pretty fast. And switches will alert on things. If you have a client that is particularly intelligent and has their monitoring and alerting set up, it will throw an alert and they will catch you, and they'll be like, okay, coming. And IDS usually does catch it. There are ways to get around that, and we'll talk about that in a little bit, but it usually does flag on things when they start to change. Your IDS is set up to look for normal and you're creating something abnormal; you're creating something that is not kosher on the network, and so it'll usually catch it.

For those of you that can't read this, it says 'a giant tool', and he's carrying a wrench. So we're gonna have a little discussion about tools and how to use them and what they're for and the best ones to use. I'm going to go through the stuff that I normally use and normally put
on the network in order to get into traffic, and tell you their pitfalls, the goods and the bads. So we're gonna talk a little bit about ARP spoofing and when to use it, which is almost never. We're going to talk a little bit about DNS poisoning and spoofing and when to use it, which is a lot, because it's a whole lot of fun. We're going to talk about DHCP snooping, or spoofing, as well: basically answering faster than the DHCP server for an address and making yourself the gateway. 'Dad, guy, you'd hire that guy with this "have fun" mentality?' I would. And we're going to talk about transparent proxies, which is where all the pranks come in. Those are the most fun, and those transparent proxies are what you use after you get the traffic to your machine. I'm glad that got a laugh, because I have run into so many people that are like, yeah, I use Kali Linux, I am a hacker. No, that doesn't make you a hacker, I'm sorry.

So let's talk about the most dangerous option: ARP spoofing and ARP poisoning. The tool is arpspoof, and it's provided as part of the dsniff suite of tools, and if you haven't got dsniff installed, install it. There's a lot of really fun stuff you can do with the dsniff suite: you can ARP spoof, you can DNS spoof, you can do traffic discovery, you can do a lot of stuff with it, and it's really, really cool. It is easily, easily, easily detected on the network. So basically what you're doing with an ARP spoof is you're answering... everybody know what ARP is? All right, so for those of you who don't, talk to your neighbor afterwards, they'll explain it to you. Just kidding. Basically, ARP is a way to tie a MAC address to an IP address, and a switch holds a table of these ties, and that's the best way that it can route the layer 2 traffic in the switch from port to port. And so what you're doing when you ARP spoof is you're saying, no, I'm really the gateway address, it's me, and you're flooding the switch with answers to ARP requests for
who's got the gateway, who's got the gateway, who's got the gateway? Me, me, me. And so basically you're injecting yourself in the middle and becoming the gateway. Now, if you don't have your machine configured right, what's gonna happen is all the traffic is gonna have nowhere to go, the whole network is gonna come crashing down, and you're gonna be like, oops. And when your machine finally crashes, because you're drinking from that fire hose, the network will go back to normal, but until then you've just brought your client down, and that's never a good thing. But for the most part IDS will catch this. If you're doing a gratuitous ARP, IDS will go, oh no, he's not really the gateway; he can think he is, but he's not, and it will catch it. So it's one of these things that lights up like a Christmas tree. As I just alluded to, if done incorrectly it will take down the network. I've done it, I'll admit that. I've done it at home, I've done it at work... well, yeah, I work at home; Starbucks. You need a fairly powerful host to keep up with the traffic. These days we're looking at gigabit or multi-gigabit connections and your host needs to be able to process that, so your little WiFi Pineapple or your little Linksys box that you can do this with is not going to cut it; it just can't process the traffic fast enough. Laptops, Mac minis, small computers, they're gonna be able to keep up with the traffic as long as you're gigabit or better. I carry a secondary network card, a Thunderbolt network adapter, in my bag just for this purpose, so that I don't have to run traffic in and out the same address; I can pull it in one and route it out the other. Setting it up, basically you're setting your box up as a gateway, and you've got to be able to route the traffic through the machine without actually slowing it
down. You're gonna slow it down a little bit; it's just one of those things, but you want to slow it down as little as possible. I told you they were funny, yeah.

So, DNS poisoning and spoofing, a slightly less dangerous way. It is slightly less dangerous. Cain is one of the tools that is able to perform this function, amongst others; it's actually pretty good at doing what it's supposed to do, and it's the one that I prefer. Yeah, it's a Windows tool, and I know Windows is bad, but yeah. What's that? Absolutely. People look funny at me because I have a Mac, and actually I see a lot of Macs now; it used to be I was one of the first people to actually hack on a Mac, and people are like, you run a Mac? And I'm like, yeah, it's a great platform and I can run Windows on it. Still, it may still require you to ARP first. You're going to send replies to DNS requests to point traffic at yourself, so you have to become that DNS server, so you may have to ARP for that one specific address and say, I'm the DNS server, I'm the DNS server, to the client and the gateway. Okay? And it is always used in conjunction with other tools; it can't actually handle the traffic itself. So what you're going to do is reply with an address, pointing that particular DNS answer back at yourself or someplace else, in order to get the traffic redirected. And the great thing is, with DNS caching, you may only have to answer once every five minutes, or once every two weeks, depending on how the cache is set up in DNS. And if you have to answer once every two weeks, that's pretty awesome, because I can stand up a box, answer once, poison the cache, take the box down and go home, and I'm still getting that traffic. It's really pretty cool, unless they figure it out and flush the cache. And like I said, it provides your
IP address as the answer to DNS queries, so you're saying, I'm really this, I'm really Google, it's me, and I'm going to send you my search results, which may not necessarily... I'll let you read this, because I thought that was pretty funny too.

So, still a little bit less dangerous, when we're going from most dangerous to least dangerous in this particular category: DHCP spoofing. You're going to provide answers to DHCP requests. The ever-famous Ettercap; everybody here has heard of Ettercap. It's a tool, it's a long, old tool, and it works really, really well, and it has for a long time, and it's really well maintained, and it's just awesome. Ettercap does this function perfectly. You still need to be able to sniff the traffic, so you still need to get the traffic coming into your box somehow, so you're still going to have to do something: either have a SPAN port, or one of these. Last year I did a talk on my bag of dirty tricks, and Sauce's mom came up and said, I really like the ninja throwing star, and this is what she's talking about. So this is a Throwing Star LAN Tap, and you guys have probably seen these. I think they're available in the vendor area as kits, and they're really, really cool. It allows you to get in the middle of traffic and scan it and play with it and inject into it. And hey, look, all my friends finally showed up. I'm gonna embarrass you like I embarrass my wife; wave hi to everybody. Everybody turn around, wave hi to Bill. Yeah, okay, you and I need to go talk to Priest later, okay? No, but I want my t-shirt. Bill is laughing. So yeah, you can actually get in the middle of traffic with one of these. You have to be physically there and you have to be able to plug into a wall jack in between a machine, but it will let you scan traffic, and it provides both transmit and receive, and that's pretty cool. It's a passive device, you don't need power, it's
really, really awesome. Wow, are they loud or what? Okay, so we're gonna take a real quick break and we're gonna do something here to the other guys. Okay, I'm not gonna make you stand up again; I want everybody to scream and clap for ten seconds as loud as you possibly can. Ready? One, two, three, do it. Perfect. They put us in these small rooms with these thin walls, and you know that's Skytalks over there, and there's no recording, and we just probably really annihilated the speaker, because he's right behind that wall. [Applause] That's a lot of fun to do; I'll go look and see who was speaking and go, hand...

Switches can be configured to check for and deny this type of attack, especially in situations where you're relaying traffic to one DHCP server. The switch can be configured to actually send these packets directly to the DHCP server and send the responses back, and if that's the case this isn't going to work for you. And if they're really well configured and tight on this, this attack is gonna be tough to pull off. But it is less dangerous than an ARP spoof, because you're not going to interrupt all the traffic, just some of it. And it is also used in conjunction with other tools, and we'll talk about those other tools here in a little bit.

So we're gonna talk about proxies. This image might be a little bit hard to see or hard to read, and it's the whole 'what my friends think I do, what my mom thinks I do' thing. Yeah, my mom knows I'm a hacker, but she does think I work for the Geek Squad sometimes, and I'm not a geek, even though that's a geek... what I think I do, and we all know what we actually do. So the government one I thought was the funniest: it's seeking the Titanic. So, to be able to do something with the traffic once you get it, you need to have a way to change things, and the easiest way to change
it is to set up a transparent proxy, and in this case we're talking about HTTP or HTTPS type traffic, web traffic. There are some other tools that you can use that do other traffic, like SSH; you can actually do SSH man-in-the-middle, and it is evil and it is fun.

Why, guys, this is crimped, he's pranking everybody, all of his friends. [Applause] Hey, why don't you, uh... oh, um, me, DEF CON... oh, that's nice. Gift? Can I have them? Yeah, of course I did. All right. [Applause] Company dismissed. I am amazing and I'm a good sport. Yeah, awesome.

So I've got 400 DEFCOIN here and I'm gonna do some question and answers, and the best questions that you guys ask me, I'm gonna give DEFCOIN to. Who here has DEFCOIN? Yeah, I know you guys do, of course you do. Okay, come on, who here wants DEFCOIN? Okay, good, at least I got something that's valuable; it's the paper it's printed on, it's worth more than the actual coin. But you know.

So multiple tools provide this service, and I will talk about SSH man-in-the-middle here in a little while, but we'll talk about HTTP and HTTPS first. How many here have heard of Burp, the Burp Suite? Who has actually installed the Burp Suite? And was that Pro? I don't pay for it; the features it provides are not valuable enough for me to pay for it, and the free version is awesome. Who here has actually used the Burp Suite for something? Okay, good, so you know what I'm talking about. It's fun; you can actually examine and look at and change web traffic that goes by, and you would not believe the number of people that look at me funny when I say, you know, I've got your password. How'd you do that? Well, you sent it in clear text. What do you mean, clear text? Yeah. Another tool I'll talk about is Mallory, too. This is one you people have heard of; raise your hand if you've heard of Mallory. Yeah. Raise your hand if you've got Mallory to successfully run.
Yeah, it's a difficult tool to actually use, but it is infinitely more powerful than Burp; you can do so much more with Mallory, and it's fast, and it's not Java-based. Yeah, see, I got that. But it's really, really hard to set up and use; the documentation isn't very good; it's not very well maintained, I don't think, is it? I haven't seen anything since, like, 2011. It hasn't been maintained very much at all, and so most people that use it, and use it effectively, maintain it themselves. I actually have a private GitHub repository with my version of Mallory in it, and it's because I've had to make so many changes to it to keep it functioning over time that it's all worth keeping in private version control. I mean, I can't just... I'll lose the tarball if I lose a machine. And then there's Squid, and people look at Squid as, it's like a good regular old proxy, but it can actually do scriptable changes; it's fast, it's efficient, it runs as a service and it's really, really good at what it does. We'll talk about Squid here in a little bit.

So, yeah, passwords anymore are ineffective unless they have spaces. Remember that: put spaces in your passwords. People don't think about spaces, and spaces at the end of passwords; when you crack them they show up as a blank space, right? So you're like, I don't understand why this password isn't working, because it's got a space.

Let's talk a little bit about Burp Suite. You guys know it's Java; runs on almost anything, runs really well on almost anything, and runs really slow on almost anything. Java is one of those things that we wish we didn't have to put up with, but we do have to put up with it. But it's good, it's readily available; the free version is more than effective for what most people need, unless you're doing some really serious, heavy application testing and want some automated stuff, a lot of the certificate stuff. My arrow keys just aren't working. Well, it just works, most of
the time. It's like an Apple computer, or an iPhone: it just works; five-year-olds can probably figure it out. It's pretty cool. It's got a real good GUI; it sets up requests and POSTs in such a way that you can actually change them and see what's going on. And I'll be honest, if I'm looking for something quick, Burp is the first thing I grab, and if I don't have time to play with Mallory and get it fiddled with and set up, if I'm just looking at a quick, you know, two-day engagement where I'm doing a pen test on an application, I'll pull up Burp Suite and go through it that way. It's really, really good at what it does. It grabs cookies, it will hold GETs and POSTs for you, it'll sit there and fake the server out, like it trickles the data to you, I'm just on a really slow connection, and lets you change things. And it's really great to escalate privileges, because a lot of developers don't think about the cookies that they're setting. They set this cookie and they're like, yeah, you've got user level, and it's like user level zero; like, okay, what happens when I change that user level to one and all of a sudden I've got admin access? It's hilarious; they'll be like, how'd you get that? Well, I just changed it on the way. Is that Pyro? No, I thought that was Pyro; we'd really mess with him. It's not Pyro, so we'll leave him alone. It can change cookies, variables and HTML responses on the way back to the server. This is a client-based tool; you're not gonna actually change the traffic going from anything but your client, or your group of clients that you've configured to use this proxy, to the server. And so this is a really good way to get into things, Tomcat and stuff like that on the server side. Speaker, goodness, interrupting me; I'm just kidding, I know, I'm just giving you a hard time. And it has some very powerful SSL options. SSL is only as good as your user training. I can present you a fake certificate, and as long as you
are trained to click on 'yeah, yeah, give me that fake certificate', I've got all your traffic. Our social engineering efforts are vastly, vastly, vastly successful because people have gotten used to: oh, that looks odd, but hey, I've got an OK button, I don't want to call IT, I'm just going to click OK. Google Chrome has gotten better in that it's presenting like a yellow screen, a full-on yellow screen now, but it still gives you the option to be like, yeah, I understand what you're saying, I'm gonna go through. It used to be red; the red screen really freaked people out, and I think they changed it to yellow because they were getting too many calls. Hmm.

Yeah, this is really kind of what Mallory is all about: I'm the best hacker ever, I downloaded this thing on the internet to do it. And Mallory, it's tough to use, and we'll talk a little bit about it; it's really, really powerful though, more powerful than Burp and much, much faster. It's got very, very good SSL options; you know, just like Burp, it'll generate certificates, but if you have the right type of root certificate, like a fake root certificate, it'll generate these valid certificates with the valid information based on the certificate it downloads from the actual site that you're attacking. So it will actually fill everything in, like it's a real certificate from Google; it's like Google, HTTP, and you don't look at it, it's like Google Incorporated, this is the date, it's just been self-signed. And so when you actually examine it, if you have a user that's actually going to examine the certificate and look at it, it looks legit, and they're like, okay, well, Google just made a mistake and put a self-signed certificate up there; I think I can do that, and I'll let it through, and then you've got all the traffic. It's a very, very good, very configurable, almost too configurable... Linux and Mac OS are the easiest
way to get it working, and I actually have a virtual machine that I keep just for Mallory, and it's because it takes so many different libraries, it has to be massaged just in the right spot, and it takes a certain configuration of iptables in order to actually work. And so I just keep it all set up on a VM that's ready to go: I boot up the snapshot, I start Mallory, I'm ready to rock and roll, and I know that I can make changes to the configuration as I need to go. And it has a Chrome plugin that will allow you to look at cookies and do injection of changes and injection of cookies and things like that. It's not very effective; it actually kind of sucks, and it's really difficult to understand. It's a tool, it's a great tool; try it out, go download it. I've got the link somewhere on here, and it's actually in the presenter's notes, which are on the conference CD. It can be very, very picky; it really doesn't like... what the heck is going on back there? That's really annoying. All right, oh, he's gonna go take care of it for me. I love you, man, thank you. It can be really picky about the environment it's set up in, and really tough, again, to get working, and there's not a lot of real stuff for it; you're gonna be building a lot yourself. If you can code in Python or C, you're gonna be set up and ready to rock and roll, but you're gonna be writing a lot of your own plugins and altering your own tools to get it working. There are some real advantages to that, in the fact that you can write your own plugins and tools, and so as you do that you'll get this kind of your own personal suite of tools and plugins you've got around Mallory that will do some really cool stuff. I don't share mine, and it's probably a really, really bad thing; yeah, I should probably start doing that. Yeah, no [ __ ], I'm kind of possessive of my Mallory stuff, because I don't want people to find out about it and be like, oh yeah, gotcha. So. And it's
not maintained; it hasn't been maintained since 2011, there hasn't been a release since then, and I think it's just due to lack of popularity. So if more people start using it we can start to maintain it; we can actually make it a solid, stable and scalable tool. Yeah, disgusted cat is questioning what he just saw.

Squid. The Squid proxy is a staple of Linux proxies, UNIX proxies really. It's used in everyday use as a normal caching proxy; in fact, I used it for a caching proxy for years at home when my internet connection was slow, because it sped things up so drastically, and it's really, really good at that. It's very good at doing the caching stuff, but it can also be turned into a very nefarious tool. With iptables and pf it can actually be completely transparent to the user: I can redirect the traffic into Squid without having to set up the proxy configuration on the browser, and so I can sit there in the middle of this traffic and be modifying it all day long, and you would never know it. And who did this PowerPoint anyway? It's good for fast and static replacement, so if you want to replace images, or you want to put a header at the top of a certain set of webpages, captive portal type stuff, it's really, really good for that. And there's lots of modules and lots of support, and it's very well maintained; it's more or less a commercial product, and people use it all over the place. And so picking those products and then being able to twist them to your own uses is something that is incredibly valuable, and it is the best thing to prank your friends with; it's readily available at home, there's lots of resources on the web to do what you want to do with it, and it's a whole lot of fun.

So I was gonna do an SSH monkey-in-the-middle here, and I updated my VM this morning and I got set up to do it, and as always the demo gods are not in my favor today. So... oh wow, that's a flying dick. We'll set that there for the
next speaker he’ll wonder what the hell happened in here it’ll be a lot of fun but instead I’m going to do some time for questions some answers here at the End because they didn’t give us any Q&A time after our talks this year and I want to be able to answer your guys’s questions so I’m going to take the 10 minutes I set aside for that and do that instead the the other thing I want to Talk about is the Allport internet redo yeah I like that image it was so much fun I actually have something in my bag that his batteries are dead and it’s it’s a redo of something that was done back in DEFCON 17 and these guys got up and Talked about what they called the all part Internet and it would it was an access point you can attach to and it would replace all of the images as random porn it’s it’s a great prank it’s a great example of what you can do with The proxy battery is dead and – in my box my bag right now but I’ll be up I’ll go upstairs and charge it will be up and I’ll be walking around Conn and you’ll see an access point that says you know all the internet again and it will throw You in a captive portal and it will actually ask you about your preferences and so so you know I’m non-discriminatory and and I want to make sure everybody gets you know not my brand of porn but what they want and so so will ask you about your preferences And it will it will present you your preferences of pornography and every image will be pornography I’m sorry but it also gives you the option to join it or not and I’m not going to force it on you because I understand that that’s not for everybody to know demo but it’s it Will be available yeah I won’t force it on you you have to ask for it and it’s gender and reference neutral so with that let’s let’s open the floor up for some questions let me see what I know good I’ve got 20 minutes left or 25 minutes left so I haven’t Played with in a long time to be honest it’s it’s one that I’ll put them in less certainly to check out if you got 
something that you’ve done with it that you want to talk to me about and come come grab me a beer afterwards and we’ll Do that yeah so there’s actually a tool if you google mrs. SSH a man in the middle it’s part of the decent of suite it will it will actually present a fake public key to your client and you would get a message a key warning you know the Public he has changed I have mine configured to where it won’t even connect to a changed public key but most default implementations will just ask you if you want to replace it yes or no and then it will sit in the middle and decrypt the traffic and record the Traffic for you as it’s passing the traffic to the to the next host because you just changed the public key to the one I presented to you – and it’s decrypting that traffic it’s a whole lot of fun it’s not a lot you can change with it but you definitely get passwords From it yeah yeah you’d be surprised presenting somebody with a are you sure you want to do this type message it will almost always get a yes answer I do it you do it anyway come on admit it did you answer yes to that kind of stuff just because it’s convenient yeah I’ll Be the first one to admit I do it too and and I’ve gotten caught by my friends we like yeah gotcha you know and I’m like ah man but yeah everybody does it it’s kind of human nature you know you get a a are You sure you want to do this yes or no and the answer is almost always yeah yeah yeah I’m sure I want to do this so yeah the best the best proxy to use for SSL stripping what I would actually do if it’s just something that you’re you’re Trying to do quick use a tool called SSL strip and that’s the fastest way to do it if you’re just looking to strip the SSL and get the credentials if you want a little bit more complicated version burp actually does do some certificate generation you can set it up to to Generate fake certificates and send them back to the client and they’ll get the message the other way is to use Malory and 
actually generate some really really good certificates and if you if you can get a a fake root certificate onto the client that you’re you’re you’re Attacking then you won’t have the issue of the certificate is bad type type stuff and it’s it’s really really powerful and cool but yeah SSL strip and burp are the first go-to yeah on the cloud it’s gonna be hard to do on the cloud if you want to play prank your Friends get a little yeah okay my wife was telling me to rethink the question for everybody because they can’t hear you and then she’s right she’s right she’s a teacher so she knows this kind of stuff he wasn’t know what the best service cloud service is to set this stuff up Into prank the cloud and or the best way I actually do it at my gateway my home gateway I run pfsense which gives me access to VSD and PF and so you can do a lot of fun stuff with that and there’s a lot of plugins for it if you’re pranking Your cloud your friends out here just carry a Wi-Fi pineapple or something in your backpack with the battery on it and connect it to the DEF CON Network and a way to go you can that’s that’s how the thing in my bag works it’s it is it’s just a Wi-Fi pineapple configure to Connect to the DEF CON Network and it funnels traffic through there but it changes everything coming back and forth to it yeah no I’m not yeah VPNs see I’m not going to keep the deafblind for myself that was a really good question the rage about VPNs videos are actually pretty well protected Although most people are switching to like an SSL or TLS version of VPN right and you can still use all your SSL based tools for that and actually get access to the traffic though the problem being is that when you’ve got a VPN going you’re oftentimes tunneling traffic Inside tunnels least I do you know so you’re gonna have to not only man in the middle my SS my SSL VPN you’re also gonna have to man the middle my SSH and if I see one warning for VPN and then another warning for for SSH I’m at that 
Point I’m gonna be like okay something’s up you know somebody didn’t miss configure something or I’m not on a network that that it’s is you know in the middle already I’m actually being messed with they don’t get definitely those good questions yeah yeah Yeah almost so the that’s actually a very very good question so what he’s what he’s asking is is when you get that yellow screen from chrome and it’s a site that you’ve been to and you know but you’re still getting that yellow swing screen how do you verify that it’s okay there’s Actually a small link and on that that screen you know there’s like so it’s like get me out of here or and then there’s advance to let you or everything’s okay I know what I’m doing we’re really kind of the three options there under the Advanced tab if you Click it it will give you all the certificate information so what I look for when I when I look at that certificate is is it really the site that I’m going to you know what what’s the issue is it the company that I’m expecting to work with am i sending my Data to someplace where I actually want to send it to is the URL correct was that yeah you’ll see the CA the certificate certification with a certificate authority you’re right and the certificate authority I can put anything I want in that field it could be kind of fun if I because I’m Generating my own route right so I can be like oh yeah what’s that you really shouldn’t trust it yeah yeah you just click click get me out of here that’s that’s the best option and then if it you know if it’s Google or something especially if it’s like a big Name company or your bank and it’s like oh it’s been self signed don’t trust it if it says it’s expired don’t trust it chances are with if it’s a big company and they’re SSL certificate expired they’re just getting ready put in a new one anyway so late 20 Minutes and go check again test on an independent network that’s a good one too this is for you yeah yeah his question is have I ever tied at one 
of these tools into like a beast attack or a claim type attack our arena negotiation type it’s a decrypt to the The SSL yes and it works very very very well like the the crime attack was until until they patched it has been amazing so yeah it’s time to wrap it up all right one more question yeah right right on it would have they they have since fixed that but yes it would have And it actually worked very very well so that’s all I got for you guys [Applause] cool I most certainly saw his talk already but I can’t remember like 90% of it yeah we’re a few sentences where it peaked my may remember Asian oh my gosh my English is on point today again but Yeah you know what I mean but yeah we’re still kind of fun to watch oh my gosh and yeah we officially started the 1000 project and yeah it’s not going well I guess it’s one of those projects that we’ll never finish but you know it just Keeps you busy and I think it can still have some impact even if just one edge is covered and yeah keeps the loops inside and this one will actually be Unpassable by respawning right because the inner one the two hundred wall can be bypassed by just respawning and hoping that is born outside of the world but this time it’s it won’t it won’t happen so if you respawn and in the wrong crowd round where the project is Kind of more completed and you have struggle getting out of there for now it’s still possible to leave this but I don’t know a few episodes down the line you probably have some progress especially when other people join us and especially on the land where we can use Something to do because I see some potentials but I don’t see it actually getting fully finished but that’s fine I think that’s fine that should be the goal for this project and that shouldn’t be something that frustrates one while working on it just because it’s a unfinished shared With project doesn’t mean it’s a useless project okay so that’s it for this episode and if you’re interested in playing on the server and 
escaping the tooter mm Wow let’s not go mm as capping the 1,000 by 1,000 goal after you escape to 200 by 200 war yet then check it out Ng l dot ZD human comm is your place to go and if in the rare case that the service offline and that can happen then just make sure to try it again a few hours later a few days later or maybe even a few weeks later and because in a Long time the server will stay online Video Information
This video, titled ‘Minecraft anarchy – The Monkey in the Middle: A pentesters guide to playing in traffic.’, was uploaded by ZillyGurke on 2020-05-29 01:18:50. It has garnered 3 views and 0 likes. The duration of the video is 01:00:10 or 3610 seconds.
Lasergurkenland vanilla anarchy server
domain: lgl.zillyhuhn.com
Small vanilla server without rules.
media.ccc.de talks watched in this video: DEF CON 22 – Anch – The Monkey in the Middle: A pentesters guide to playing in traffic. https://www.youtube.com/watch?v=YImQys2Xlf0