31
iOS MITM Attack Technology and effects sieg.in 1

iOS MITM Attack

  • Upload
    siegin

  • View
    3.499

  • Download
    3

Embed Size (px)

DESCRIPTION

 

Citation preview

Page 1: iOS MITM Attack

iOS MITM Attack Technology and effects

sieg.in 1

Page 2: iOS MITM Attack

sieg.in 2

Page 3: iOS MITM Attack

Boot validation

• CA – Apple Certificate Authority

• SIGN – Signature

sieg.in 3

Page 4: iOS MITM Attack

Files Protection

sieg.in 4

Page 5: iOS MITM Attack

Classic provisioning

sieg.in 5

Page 6: iOS MITM Attack

Actual provisioning

sieg.in 6

Page 7: iOS MITM Attack

Because “Apple Root CA” fingerprint hardcoded into iOS and have to be 61:1E:5B:66:2C:59:3A:08:FF:58:D1:4A:E2:24:52:D1:98:DF:6C:60

Why we can’t create fake signature?

sieg.in 7

Page 8: iOS MITM Attack

SSL

sieg.in 8

Page 9: iOS MITM Attack

Certificate Authority Storage

Few from 186 are quite interesting :

– C=US, O=U.S. Government, OU=DoD, OU=PKI, CN=DoD CLASS 3 Root CA

– C=JP, O=Japanese Government, OU=ApplicationCA

– C=CN, O=China Internet Network Information Center, CN=China Internet Network Information Center EV Certificates Root

sieg.in 9

Page 10: iOS MITM Attack

Certificate authentication

sieg.in 10

Page 11: iOS MITM Attack

I want my CA in your iOS

sieg.in 11

Page 12: iOS MITM Attack

Ways to install CA in iOS

o Safari

o Email attachment

o MDM

With configuration profile

Can be installed with Safari

sieg.in 12

Page 13: iOS MITM Attack

Attack

sieg.in 13

Page 14: iOS MITM Attack

Mobileconfig contains

WiFi settings (pass, SSID) for “Gate”

CA

Proxy Settings, if we want victim’s traffic even it has left attack range. (Only for iOS6)

iCloud backup (enable it, if not)

sieg.in 14

Page 15: iOS MITM Attack

Mobileconfig installation

sieg.in 15

Page 16: iOS MITM Attack

Looks bad =(

sieg.in 16

Page 17: iOS MITM Attack

Let’s take a look on default CA list...

sieg.in 17

Page 18: iOS MITM Attack

COMODO trial certificate

• You only need valid [email protected] mail for confirmation

• Can be used for signing

sieg.in 18

mailto:[email protected]
Page 19: iOS MITM Attack

How to sign

sieg.in 19

Page 20: iOS MITM Attack

Looks much better

sieg.in 20

Page 21: iOS MITM Attack

SSL Defeated But we want more

sieg.in 21

Page 22: iOS MITM Attack

How to get files from device

sieg.in 22

Page 23: iOS MITM Attack

Elcomsoft Phone Password Breaker

sieg.in 23

Page 24: iOS MITM Attack

Once again

sieg.in 24

Page 25: iOS MITM Attack

What’s in backup?

• SMS • Private photo • Emails • Application data • And more …

sieg.in 25

Page 26: iOS MITM Attack

Files done But we want more

sieg.in 26

Page 27: iOS MITM Attack

Apple Push Notification Service

sieg.in 27

Page 28: iOS MITM Attack

Fake! Fake! Fake!

sieg.in 28

Page 29: iOS MITM Attack

Wipe Tragedy (act 1/1)

sieg.in 29

Page 30: iOS MITM Attack

Summary

User only have to tap ‘Install’ two times to make us able to :

– Sniff all his SSL traffic (cookies,passwords, etc)

– Steal his backup (call log, sms log, photos and application data)

– Send him funny push messages or just wipe device

sieg.in 30

Page 31: iOS MITM Attack

sieg.in 31

sieg.in [email protected]

@siegin

Alexey Troshichev


Offensive MitM

Offensive MitM

Technology
iOS backdoors attack points and surveillance mechanisms

iOS backdoors attack points and surveillance mechanisms

Documents
Detection of Man-in-the-middle Attacks Using Physical ... · Using Physical Layer Wireless Security Techniques by Le Wang ... In the MITM attack, ... 3.18 The model of jamming attack

Detection of Man-in-the-middle Attacks Using Physical ... · Using Physical Layer Wireless Security Techniques by Le Wang ... In the MITM attack, ... 3.18 The model of jamming attack

Documents
Practical mitm for_pentesters

Practical mitm for_pentesters

Technology
Review and Exploit Neglected Attack Surface in iOS 8

Review and Exploit Neglected Attack Surface in iOS 8

Documents
MitM attacks on multi-platform banking applications · MitM attacks on multi-platform banking applications ... This attack was not successfully ... MitM attack provide an own DNS

MitM attacks on multi-platform banking applications · MitM attacks on multi-platform banking applications ... This attack was not successfully ... MitM attack provide an own DNS

Documents
CHPTE - KERNELiOS...MITM Advance Attacks 5 Exam Testing MITM Advance Attacks 5 Infrastructure Penetration Testing - Wi-Fi Networks 1. WEP Protocol – Attack types, Using Aircrack-NG,

CHPTE - KERNELiOS...MITM Advance Attacks 5 Exam Testing MITM Advance Attacks 5 Infrastructure Penetration Testing - Wi-Fi Networks 1. WEP Protocol – Attack types, Using Aircrack-NG,

Documents
iOS Masque Attack

iOS Masque Attack

Software
Man-in-middle-attack (MITM) - home.inf.unibe.chhome.inf.unibe.ch/~rvs/teaching/cn applets/Man_in_the_Middle_Attack... · Ethernet / TCP ISMI-Catcher in GSM Networks Tools to perform

Man-in-middle-attack (MITM) - home.inf.unibe.chhome.inf.unibe.ch/~rvs/teaching/cn applets/Man_in_the_Middle_Attack... · Ethernet / TCP ISMI-Catcher in GSM Networks Tools to perform

Documents
BeEF Injection MITM

BeEF Injection MITM

Documents
IP Security - Computer Action Teamweb.cecs.pdx.edu/~jrb/netsec/lectures/pdfs/ipsec.pdf · firewalls/routers great MITM attack ... Stallings - Cryptography and ... Jim Binkley 39 naming

IP Security - Computer Action Teamweb.cecs.pdx.edu/~jrb/netsec/lectures/pdfs/ipsec.pdf · firewalls/routers great MITM attack ... Stallings - Cryptography and ... Jim Binkley 39 naming

Documents
MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring

MitM attacks on HTTPS sessionsMitM (Man-in-the-Middle) attacks • MitM attack: attacker gets between the browser and the web server, eg by – setting up a wifi access point – luring

Documents
Power of MITM

Power of MITM

Documents
MITM : man in the middle attack

MITM : man in the middle attack

Education
A Billion Open Interfaces for Eve and Mallory: MitM, …...A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct

A Billion Open Interfaces for Eve and Mallory: MitM, …...A Billion Open Interfaces for Eve and Mallory: MitM, DoS, and Tracking Attacks on iOS and macOS Through Apple Wireless Direct

Documents
All Subkeys Recovery Attack on Block Ciphers: Extending ...ark/mitm_preprint.pdf · All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle ... (MITM) attacks on

All Subkeys Recovery Attack on Block Ciphers: Extending ...ark/mitm_preprint.pdf · All Subkeys Recovery Attack on Block Ciphers: Extending Meet-in-the-Middle ... (MITM) attacks on

Documents
Sieve-in-the-Middle: Improved MITM Attacks · Sieve-in-the-Middle: Improved MITM Attacks Anne Canteaut 1, Mar a Naya-Plasencia , and Bastien Vayssi ere2 ... that it provides an attack

Sieve-in-the-Middle: Improved MITM Attacks · Sieve-in-the-Middle: Improved MITM Attacks Anne Canteaut 1, Mar a Naya-Plasencia , and Bastien Vayssi ere2 ... that it provides an attack

Documents
MITM using SSLStrip & Mitigation Methods - … · MITM using SSLStrip & Mitigation Methods Page 4 The Attack ARP Spoofing and SSL Stripping Considered an active eavesdropping attack,

MITM using SSLStrip & Mitigation Methods - … · MITM using SSLStrip & Mitigation Methods Page 4 The Attack ARP Spoofing and SSL Stripping Considered an active eavesdropping attack,

Documents
Sieve-in-the-Middle: Improved MITM Attacks (Full Version )y · Sieve-in-the-Middle: Improved MITM Attacks (Full Version ... attacks in the sense that it provides an attack on a higher

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )y · Sieve-in-the-Middle: Improved MITM Attacks (Full Version ... attacks in the sense that it provides an attack on a higher

Documents
Legacy of Heartbleed: MITM and Revoked - Zeronights 2017 · Legacy of Heartbleed: MITM and Revoked Certificates Alexey Busygin busygin@neobit.ru NeoBIT . ... Man-in-the-Middle Attack

Legacy of Heartbleed: MITM and Revoked - Zeronights 2017 · Legacy of Heartbleed: MITM and Revoked Certificates Alexey Busygin [email protected] NeoBIT . ... Man-in-the-Middle Attack

Documents
MITM ARP Poison Attack - simms-teach.com · CIS 76 MITM via ARP Poisoning MITM ARP Poison Attack 1 DRAFT Last updated 9/4/2017

MITM ARP Poison Attack - simms-teach.com · CIS 76 MITM via ARP Poisoning MITM ARP Poison Attack 1 DRAFT Last updated 9/4/2017

Documents
MitM Attack by Name Collision: Cause Analysis and Vulnerability

MitM Attack by Name Collision: Cause Analysis and Vulnerability

Documents
IOS Backdoors Attack Points Surveillance Mechanisms

IOS Backdoors Attack Points Surveillance Mechanisms

Documents
Converting MITM Preimage Attack into Pseudo Collision ...fse2012.inria.fr/SLIDES/67.pdf · MITM preimage attack with the matching point at the end is considered as partial target

Converting MITM Preimage Attack into Pseudo Collision ...fse2012.inria.fr/SLIDES/67.pdf · MITM preimage attack with the matching point at the end is considered as partial target

Documents
Network Security INTERNET · PDF fileNetwork Security indigoo.com ... TCP connection hijacking (MITM - Man In The Middle attack): ... Often servers disclose their version at startup

Network Security INTERNET · PDF fileNetwork Security indigoo.com ... TCP connection hijacking (MITM - Man In The Middle attack): ... Often servers disclose their version at startup

Documents
MITM Attack with Patching Binaries on the Fly by Adding Shellcodes

MITM Attack with Patching Binaries on the Fly by Adding Shellcodes

Internet
MITM Attacks on HTTPS: Another Perspective · - A. stops the MitM attack 4. JS can interact with HostA in a usual way Browser knows nothing about MitM! ... MITM Attacks on HTTPS:

MITM Attacks on HTTPS: Another Perspective · - A. stops the MitM attack 4. JS can interact with HostA in a usual way Browser knows nothing about MitM! ... MITM Attacks on HTTPS:

Documents
Collaborative Approach to Mitigating ARP Poisoning-based ...yu.ac.kr/~synam/papers/arp_spoofing_mitigation_general_submit.pdf · ARP poisoning on Node A and the MITM attack be-tween

Collaborative Approach to Mitigating ARP Poisoning-based ...yu.ac.kr/~synam/papers/arp_spoofing_mitigation_general_submit.pdf · ARP poisoning on Node A and the MITM attack be-tween

Documents
A COUNTERMEASURE FOR FLOODING ATTACK IN MOBILE … · Man-In-The-Middle (MITM) MITM attacks occur when an adversary deceives a MSS to appear as a legitimate BS while simultaneously

A COUNTERMEASURE FOR FLOODING ATTACK IN MOBILE … · Man-In-The-Middle (MITM) MITM attacks occur when an adversary deceives a MSS to appear as a legitimate BS while simultaneously

Documents
Mitm Presentation

Mitm Presentation

Documents