1 of 13

Who is my phone talking to?

Setting up a man-in-the-middle attack

2 of 13

$ whoami

Domen is the name. Dom or Dominic works

System level programmer / security person

C, assembly, microcontrollers, Linux, Linux Kernel, Android, vulnerability discovery ...

3 of 13

Goals

There are plenty of guides, also plenty of pitfalls.

Learn about networks

Learn about devices

Fun?

4 of 13

Network layers

Source: https://en.wikipedia.org/wiki/Internet_protocol_suite#/media/File:UDP_encapsulation.svg

HTTP, DNS, SSH ...

UDP, TCP

IPv4, IPv6

Ethernet/WiFi

5 of 13

What is man-in-the-middle?

MITM can be anywhere between Alice and Bob.

Common example:

Free WiFi

Source: https://fr.wikipedia.org/wiki/Fichier:Attaque_Man_In_The_Middle.jpg

6 of 13

Our scenario

Alice (victim)

Bob (connection peer)

“Friendly” WiFi provider

7 of 13

Setup 1/x

Disconnect from current WiFi connection

Connect ethernet

With your package manager, install wireshark and mitmproxy

Does internet through ethernet work for everyone?

8 of 13

Setup 2/x (WiFi AP)

NetworkManager (nm-applet, nmtui): Edit Connections..., Add

Mode: Hotspot

Wi-Fi Security

Connect with phone to confirm it works

9 of 13

Setup 2/x (WiFi AP)

Internet on phone works! :)

Run wireshark, select your wireless interface (wlan0 maybe)

It does not work! :(

# iw list | grep -A 10 modes: # is there “AP”?

No AP mode? See https://cba.si/mitm/ and search for “Plan B”

AP mode supported, but no NetworkManager?

See the “Manual” option at https://cba.si/mitm/

10 of 13

Setup 3/x (mitmproxy)

$ mitmproxy -T --host                        # older version
$ mitmproxy --mode transparent --showhost    # newer version

# iptables -t nat -A PREROUTING -i $ap -p tcp --dport 80 -j REDIRECT --to-port 8080

(Remove the rule by replacing “-A” with “-D”)

HTTPS

Go to http://mitm.it/, install CA cert

# iptables -t nat -A PREROUTING -i $ap -p tcp --dport 443 -j REDIRECT --to-port 8080

11 of 13

Mitmproxy tricks

Scripts (oS)

  • /usr/share/doc/mitmproxy/examples/upsidedownternet.py
    Very useful for apps (quickly *visible* where content is downloaded with plain HTTP)!
  • /usr/share/doc/mitmproxy/examples/sslstrip.py

HTML replacements (oR):

Filter      | Regex   | Replacement
~b </head>  | </head> | <style>body {transform: scaleY(-1);}</style></head>
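The two tricks above (a script that makes plain-HTTP content visible, and an HTML replacement that injects a style before </head>) can be combined into one mitmproxy addon. The following is an added example written for these slides, not code from the slides or from the mitmproxy project. It records which hosts the phone talks to over plain HTTP and injects the same <style> marker as the replacement rule, so unencrypted pages are visibly flagged on the phone. The file name plaintext_audit.py is an assumption, and the addon uses Python's standard logging module, which recent mitmproxy versions route into their event log. The decision logic is kept in plain functions so it runs without mitmproxy installed.

```python
"""Added example (not from the slides or from mitmproxy): a plaintext-HTTP audit addon.

Run with the transparent setup from the previous slide (file name is an assumption):
    mitmproxy --mode transparent --showhost -s plaintext_audit.py
"""
import logging
import re
from collections import Counter

# Same CSS as the slide's oR replacement rule; injected before </head>.
MARKER = b"<style>body {transform: scaleY(-1);}</style></head>"
_HEAD_END = re.compile(rb"</head>", re.IGNORECASE)


def is_plaintext(scheme: str) -> bool:
    """True for http://; https:// traffic is left untouched."""
    return scheme.lower() == "http"


def is_html(content_type: str) -> bool:
    """Match text/html regardless of charset parameter or case."""
    return content_type.split(";", 1)[0].strip().lower() == "text/html"


def inject_marker(body: bytes, content_type: str) -> bytes:
    """Insert MARKER before the first </head> of an HTML body; other bodies pass through unchanged."""
    if not is_html(content_type):
        return body
    return _HEAD_END.sub(MARKER, body, count=1)


class PlaintextAudit:
    def __init__(self):
        self.seen = Counter()  # host -> number of plain-HTTP requests seen

    def record(self, scheme: str, host: str, path: str):
        """Count a plaintext request and return a log line, or None for encrypted traffic."""
        if not is_plaintext(scheme):
            return None
        self.seen[host] += 1
        return f"PLAINTEXT {host}{path}"

    # ---- mitmproxy hooks (called by mitmproxy when loaded with -s) ----
    def request(self, flow):
        line = self.record(flow.request.scheme, flow.request.pretty_host, flow.request.path)
        if line:
            logging.warning(line)

    def response(self, flow):
        # Only mark plaintext HTML; HTTPS responses and non-HTML bodies are passed through.
        if flow.response is None or not is_plaintext(flow.request.scheme):
            return
        ctype = flow.response.headers.get("content-type", "")
        flow.response.content = inject_marker(flow.response.content, ctype)

    def done(self):
        # On exit, summarise which hosts the phone talked to in the clear.
        for host, n in self.seen.most_common():
            logging.warning("summary: %d plaintext requests to %s", n, host)


addons = [PlaintextAudit()]
```

The summary printed on exit is the useful output for an app developer: any host listed there is content the app fetched without TLS, which is exactly what the "Use HTTPS" advice on the next slide is about.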

12 of 13

What can I do?

As a Free WiFi user

  • VPN?
  • Don’t do sensitive stuff

As an app / internet connected device developer

  • Use HTTPS, don’t invent your own schemes
  • iOS 9 - app developer has to opt-in to plain HTTP
  • Android N (7) - developer has to opt-in to user certificates
  • Android P (9) - developer has to opt-in to allow app to do plain HTTP

13 of 13

Thank you

Slides and instructions available on

https://cba.si/mitm/