DeepSec 2019 Talk: Lauschgerät – Gets in the Way of Your Victim’s Traffic and Out of Yours – Adrian Vollmer
The talk will present a new tool for pentesters called “Lauschgerät”. This Python script acts as a convenient man-in-the-middle tool to sniff traffic, terminate TLS encryption, host malicious services and bypass 802.1X – provided you have physical access to the victim machine, or at least its network cable.
There are three ways to run it: either on its own dedicated device such as a Raspberry Pi or Banana Pi, in a virtual machine with two physical USB NICs attached, or on your regular pentest system in its own network namespace. It will look like a completely transparent piece of wire to both victim systems you are getting in the middle of, even if they are using 802.1X, because it implements the ideas presented in a talk by Alva Lease ‘Skip’ Duckwall IV.
The Lauschgerät operates with three interfaces: two interfaces going to the victim client and the victim switch respectively, and one management interface which you can connect to in order to initiate the redirection of traffic, inject your own traffic, start and stop malicious services, and so forth. It comes with a few services included, such as a service that terminates TLS encryption (which will of course cause a certificate warning on the victim’s end) or a service that performs the classic “SSL strip” attack. And more to come!
An optional wireless interface can either be used as another management interface or for intercepting traffic of wireless devices. The management can be done via SSH or via a web application, making sure you can hit the ground running.
Details of the implementation challenges will be covered in the talk, focusing on the 802.1X bypass and the transparent TLS proxy, including a demo that shows how a man in the middle can modify traffic by flipping images in web pages.
We asked Adrian a few more questions about his talk.
Please tell us the top 5 facts about your talk.
- The talk covers details of the development and usage of the Lauschgerät.
- The Lauschgerät allows you to easily observe, inject and modify traffic between two network devices.
- It looks completely transparent to those devices and bypasses 802.1X by default.
- It is extensible and supports launching malicious services, for example TLS eraser, which terminates TLS and redirects the unencrypted traffic on a new interface for packet capturing.
- It’s free, open source, and written in Python and Bash.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The need for obtaining a man-in-the-middle position for encrypted connections arises regularly during penetration tests. Wanting to be able to handle differences in various network environments without having to adjust my own workflow led to the idea of creating a convenient “plug and play” solution.
Why do you think this is an important topic?
This has the potential to become a standard part of any pentester’s toolbox. When pentesters become more efficient, customers benefit by receiving higher quality reports about the security of their systems. Also, it shows you quite plainly the limits of 802.1X network access control and why it may not be the panacea you might have hoped it is.
Is there something you want everybody to know – some good advice for our readers maybe?
The source code is available at https://github.com/SySS-Research/Lauschgeraet. If you are a pentester, I invite you to take a look. It was developed with attacks on the client in mind, but attacks on the rest of the network are just as possible. I believe the talk is interesting because it covers all seven layers of the OSI model and how they are important when you want to truly man-in-the-middle a real-life connection.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
My hope is that it becomes kind of a Swiss army knife for man-in-the-middle attacks, with the help of the community which can help by creating more modules.
Formerly an astrophysicist focusing on cosmology, Adrian Vollmer has been working as an IT security consultant for the Germany-based pentest company SySS since 2015. His specialty is hacking Windows networks and performing all kinds of man-in-the-middle attacks.