Practical Advanced MITM attacks

Leonardo Nve from Portcullis Computer Security Ltd. | July 30-August 2


Course Syllabus:

What's a MITM attack?
  • MITM classifications
  • Common MITM scenarios review
  • Exercise: ICMP Redirect attack to hijack internet

  • TCP/IP Model review
  • TCP protocol review
  • UDP protocol review
  • IPv6
  • Lab: IPv6 MITM

MITM with routing protocols
  • RIP
  • OSPF
  • BGP
  • Coding: Scapy + Python
  • Lab: Stealing with RIP
  • Lab: Stealing with BGP

Man on the Side (MOTS)
  • Scenarios
  • Router hacking
  • 1-way MITM
  • TCP/UDP hijacking
  • Coding: Impacket + Python
  • Lab: TCP hijacking
  • Lab: Redirect through GRE tunnels/VPN

Exploiting MITM
  • Application level vulnerabilities
  • Tools
  • Unencrypted protocols
  • Encrypted protocols
  • Lab: Ocean's 11
  • Lab: PPP weak authentication protocols
  • Lab: Pass the hash
  • Lab: SSHv2 downgrade
  • Lab: 1-way FTP exploitation

Advanced HTTP MITM
  • Tools
  • SSL Attacks
  • Advanced SSLStripping (SSLStrip2 & Delorean)
  • Abusing Mixed-Content in HTTPS
  • Coding: Twisted + Python
  • Lab: Browser information gathering
  • Lab: Advanced SSLStripping
  • Lab: Advanced Client-Side attacks with Metasploit

Infecting files on-the-fly
  • Public tools review
  • Private tools review
  • Normal drawbacks
  • Infecting PE files review
  • Advanced infections on-the-fly
  • Infecting other file types
  • Lab: Infecting files on-the-fly
  • Lab: Evilgrade attacks

'Rogue' attacks
  • Rogue AP
  • Rogue BTS
  • Rogue TOR node
  • Rogue DNS server
  • Rogue SMB server
  • Bad USB
  • Lab: MITM in 802.1X and EAP (Wi-Fi)
  • Lab: Trojanize (fake configuration) a real DNS server (BIND)
  • Demo: MITM mobile voice calls / data

Who Should Take this Course

Hackers, network administrators, security engineers, law enforcement agencies, and companies that develop hacking and/or defensive tools.

Student Requirements

  • Networking knowledge.
  • Linux.
  • Basic Python programming.
  • A little experience with simple MITM attacks using ARP poisoning, for example with ettercap or Cain.

What Students Should Bring

Any OS with VMware, capable of running two VMs and of putting a network interface in bridge mode.

What Students Will Be Provided With

  • 2 VMs that emulate a host and a router.
  • Workbooks.


Leonardo Nve is a penetration tester at Portcullis. He has been involved in computer security since 1996, has worked as a consultant and auditor since 2000, and from 2002 managed several research projects on security technologies such as DOCSIS and wireless, with papers published in several specialized Spanish publications. He also managed UnderCON, the first Spanish underground security congress, where he presented the first full-ASCII shellcode in 2000. Other talks were about Wi-Fi and phone companies' security. Previously, he presented attacks in a satellite environment and on exploiting DNS changes at Black Hat and other conferences. He also published tools like dns2proxy and SSLStrip2 to avoid HTTP Strict Transport Security protection.