Network Stream Debugging with Mallory

Black Hat USA 2010

Presented by: Jeremy Allen, Raj Umadas
Date: Wednesday July 28, 2010
Time: 13:45 - 15:00
Location: Neopolitan 1+2+3+4
Track: Bug Collecting

Using the same techniques that governments use to surreptitiously read private email and SSL encrypted traffic, you can easily find more bugs in all types of client and server apps! Sometimes the easiest way to quickly understand a client, a server, or just the protocol they use to communicate is to become the "man in the middle." Many client-side proxies - such as Burp, Paros, and WebScarab - already exist to let you tamper with HTTP and proxy-aware clients. But sometimes your client might not be proxy-aware, nor your protocol as simple as HTTP or HTTPS. What to do? You can start with Wireshark, but you will be limited to viewing traffic on the wire and not tampering with it. You can debug the client or server, which can be effective, but also time-consuming. Or you can try becoming the "man in the middle" with tools like Ettercap, or the Middler, which might work - but might also fail.

Or you can use our new tool, named Mallory. Mallory is a MITM capable of intercepting any TCP or UDP based network stream. Why is Mallory different? Well, first of all, you don't need to configure it. Just turn her on, and she starts intercepting traffic. Mallory is designed to be an undetectable, transparent proxy, capable of intercepting any known or unknown application protocol, just like those super-duper SSL MITM devices documented in the "Certified Lies" paper. The same techniques that allow overbearing governments to snoop on private email, we've been using to easily own up tons of mobile applications running on arbitrary platforms. And did we mention how much fun it is to MITM SSH?

Raj Umadas

Intrepidus Group

Raj Umadas is a Consultant with the Intrepidus Group. Mr. Umadas graduated Summa Cum Laude from The Polytechnic Institute of NYU with a BS in Computer Engineering. At NYU:Poly, Mr. Umadas pursued a highly expansive computer security curriculum. He is just as comfortable sniffing out a memory corruption bug as he is assessing the risk management decisions of large projects. Coupled with Mr. Umadas' fresh academic outlook on security, he obtained a no-nonsense business sense of security while working in an Information Risk Management arm of a large investment bank. Corporate governance, segregation of duties, and SOX compliance were all daily concerns for Mr. Umadas. Mr. Umadas is eager to establish his own niche in the security world where he will be the catalyst of some very major innovation. With his strong academics, proven real world experience, and never-say-no attitude, it is only a matter of time.

Jeremy Allen

