Over a year ago I presented at LaCon'09 a custom PCI NIC which allows to perform Man in the middle of the whole network traffic flowing through the device.
The idea behind this PCI Card is once it is plugged into a computer the whole traffic can be inspected, analyzed and, of course, modified when required in a transparent way to the user.
All the above should be achieved producing a network pci card so that a regular IT guy wouldn't be able to notice a diference between M-ETH and other NICs.
Another required feature for M-ETH is it must be platform-independant, I don't want it to be tied to any Operating System.
After some days of research and advice from hardware guys, the final design of M-ETH came up and featured the following main components:
- National's DP83816
- Microchip's ENC28J60
- An RJ-45 port
Some with some basic hardware skills will notice that building such a card would require several Magnetics and that could easly spot something "wrong" in the card. To avoid this, "Transformerless connection" between ethernet chips was included.
A simplified architectural view of the schematics for M-ETH can be found below.
The firmware running on the AVR32 reads packets coming out from victim's computer via the SPI Driver controlling the ENC28J60, so for the victims' Operating system the whole networking stack ends in the PCI Ethernet Chip, so they are not able to detect anything going wrong outside it.
The PoC presented at LaCon'09 showed how a TCP Stream originated in the victim's computer is succesfully modified without the victim being able to notice it.
And finally this is one of the prototypes developed as a PoC, this card does not have the AVR32 soldered as it was easier to develop the whole firmware running it dettached with an wired SPI connection going to the ENC28J60.
The next video (Spanish, but subtitles coming soon) shows the first version of M-ETH, it just reads packets from the "Victim's computer", an Mini-ITX in the video, and send them to the outside LAN. As soon as I have enough free time I want to record a new one showing a TCP stream modification, for now watch this video
You may also want to have a look at the slides I used at LaCon'09, I have translated them to English
If you have any further question or interested in a sample do not hesitate to drop an email, gabriel at wintercore dot com