1 00:00:00,990 --> 00:00:07,470 Any attacker that positions themselves in the middle between the source and destination traffic, source
2 00:00:07,470 --> 00:00:14,880 being here, destination being here, can perform man-in-the-middle attacks. One such attack that requires
3 00:00:14,880 --> 00:00:19,740 pretty minimal skill and resources is called SSL stripping.
4 00:00:19,890 --> 00:00:30,270 The attacker acts as a proxy here and changes encrypted HTTPS connections to HTTP connections, and there
5 00:00:30,270 --> 00:00:38,830 is a free tool available to do this called sslstrip, which works with HTTPS using SSL, and that's
6 00:00:38,840 --> 00:00:45,250 here, and this is by a guy called Moxie Marlinspike, who's a fairly well renowned security researcher.
7 00:00:45,580 --> 00:00:50,390 So I was thinking about how we actually end up getting to HTTPS websites.
8 00:00:50,720 --> 00:00:52,350 Click here.
9 00:00:52,390 --> 00:00:58,790 There are really a couple of main ways that we end up getting into HTTPS websites, and the first is this
10 00:00:58,790 --> 00:00:59,400 way.
11 00:00:59,600 --> 00:01:04,750 So we type in maybe the site that we're going for.
12 00:01:06,440 --> 00:01:09,190 And we press return.
13 00:01:09,430 --> 00:01:15,810 Now most often we do not type in https://.
14 00:01:15,880 --> 00:01:22,680 What happens is we go to the HTTP website and then the server gives us what's known as a 302
15 00:01:22,780 --> 00:01:26,040 redirect and then sends us to this
16 00:01:26,070 --> 00:01:35,380 HTTPS version of the website. Another way that we get to HTTPS websites is if you go via a link, so
17 00:01:35,650 --> 00:01:38,290 a search here on Google.
18 00:01:38,440 --> 00:01:45,290 And then there we have a link and we can see it is an HTTPS link, and then that takes us directly
19 00:01:45,290 --> 00:01:47,850 to the HTTPS version of Facebook.
20 00:01:47,960 --> 00:01:55,420 So the way sslstrip works is it acts as a proxy, working for those two types of events.
21 00:01:55,440 --> 00:02:02,650 So 302 redirects and links that are HTTPS, it proxies those connections.
22 00:02:02,790 --> 00:02:10,140 So you send the original HTTP connection, it reaches the server, the server says actually no, this
23 00:02:10,140 --> 00:02:12,480 should be an HTTPS connection.
24 00:02:12,480 --> 00:02:20,970 So it sends it back, this proxy is pretending to be your browser and sends back an HTTP version
25 00:02:20,970 --> 00:02:21,910 to you.
26 00:02:21,910 --> 00:02:27,270 The server never knows any difference, it thinks it's talking to you.
27 00:02:27,300 --> 00:02:33,960 It believes this to be the browser, and what you would see would be virtually identical to the actual
28 00:02:33,960 --> 00:02:34,640 site.
29 00:02:34,860 --> 00:02:38,120 So let me show you what the Facebook website should look like.
30 00:02:38,160 --> 00:02:47,740 So that's the legitimate Facebook website. Now I've done HTTPS stripping using Kali and this is what
31 00:02:47,740 --> 00:02:49,550 the stripped version looks like.
32 00:02:52,490 --> 00:03:00,760 Genuine version, stripped version. Genuine version, stripped version.
33 00:03:01,250 --> 00:03:08,960 So as you can see the difference is you don't have the HTTPS, and most people will not notice that
34 00:03:08,960 --> 00:03:09,890 difference.
35 00:03:09,930 --> 00:03:16,850 And as I said the server never sees anything is wrong because it's talking to a proxy that acts just
36 00:03:16,850 --> 00:03:20,060 like you would act. In order to perform this attack,
37 00:03:20,060 --> 00:03:26,450 you need to be in the middle, you need to be able to see the traffic so that you can strip it out, and
38 00:03:26,450 --> 00:03:31,040 it's not always that easy to be in the middle of someone else's traffic.
39 00:03:31,040 --> 00:03:33,050 It really depends on where you are.
40 00:03:33,290 --> 00:03:40,760 So if you're on someone else's network, like for example you were in an internet cafe, Internet
41 00:03:40,760 --> 00:03:42,330 service provider.
42 00:03:42,380 --> 00:03:43,520 All those people.
43 00:03:43,520 --> 00:03:45,510 They control that network.
44 00:03:45,530 --> 00:03:47,600 So they are in the middle.
45 00:03:47,600 --> 00:03:50,210 So therefore they can perform this type of attack.
46 00:03:50,420 --> 00:03:56,600 Obviously governments, nation states, they control network devices across the Internet.
47 00:03:56,780 --> 00:04:00,230 So they are in the middle, they can perform this sort of attack.
48 00:04:00,410 --> 00:04:05,880 But this is not a very subtle attack, as you can notice the missing HTTPS.
49 00:04:06,080 --> 00:04:12,590 But it is not beyond a government in a targeted attack that they may consider doing this, but it's reasonably
50 00:04:12,590 --> 00:04:19,010 unlikely, and it would very, very unlikely be done in any sort of mass surveillance type way unless it
51 00:04:19,010 --> 00:04:26,450 was some sort of tin pot government that was doing it, because it's a pretty basic form of attack, effective
52 00:04:26,690 --> 00:04:34,970 for low resource, low skilled attackers but not really a nation state level attack. A random cyber criminal
53 00:04:34,970 --> 00:04:40,650 sat somewhere at a distance from you is going to really struggle to get in the middle of your traffic.
54 00:04:40,730 --> 00:04:44,010 There are not really many mechanisms to do that.
55 00:04:44,330 --> 00:04:51,650 And it's therefore more likely that this distant attacker would attack your client instead because that's
56 00:04:51,650 --> 00:04:53,050 just simply easier.
57 00:04:53,150 --> 00:04:57,110 And people always go for what is easy as opposed to what is more difficult.
58 00:04:57,260 --> 00:05:00,870 And if they attack your client and they're on your client, they own your client.
59 00:05:00,980 --> 00:05:06,290 They don't need to strip your SSL because they're able to see your data anyway because they're on your
60 00:05:06,290 --> 00:05:07,550 client.
61 00:05:07,550 --> 00:05:13,730 Another interesting way to do this attack is if the attacker sat on your local network, so that's either
62 00:05:13,730 --> 00:05:18,920 physically through the Ethernet cables or wirelessly through Wi-Fi.
63 00:05:19,010 --> 00:05:23,790 They can trick your machine into sending traffic through them.
64 00:05:23,900 --> 00:05:32,390 And this is known as ARP spoofing or poisoning. The attacker sends out ARP packets pretending to be the victim's
65 00:05:32,510 --> 00:05:34,180 default gateway.
66 00:05:34,280 --> 00:05:40,620 This works because Ethernet has no mechanism for authentication.
67 00:05:40,730 --> 00:05:46,760 So any machine can essentially send out what's known as this ARP packet and say that they are any other
68 00:05:46,760 --> 00:05:53,300 machine that's on the network, including the gateway or router, which means you end up sending your traffic
69 00:05:53,660 --> 00:05:59,840 through a fake router, which then forwards on the traffic and strips out the SSL and then forwards the traffic
70 00:05:59,840 --> 00:06:07,710 back to you like we've shown. Now if you want to learn more about ARP spoofing I would recommend this
71 00:06:07,710 --> 00:06:09,470 website here which is quite good.
72 00:06:09,720 --> 00:06:16,680 And here's a little diagram here where you can see the attacker here is saying look, I'm the router, and
73 00:06:16,680 --> 00:06:19,440 the traffic is getting sent via them instead.
74 00:06:19,440 --> 00:06:27,270 There are tools in Kali called Ettercap and arpspoof and obviously sslstrip which can enable you to
75 00:06:27,270 --> 00:06:28,640 do this sort of attack.
76 00:06:28,800 --> 00:06:36,010 And there's a tool called Cain and Abel which is here which you can use on Windows, and this is the web
77 00:06:36,010 --> 00:06:45,530 site for sslstrip, and it actually gives you the commands here for how to do this, and everything
78 00:06:45,530 --> 00:06:53,150 you need to do SSL stripping and the ARP spoofing, if you're local, is available within Kali. And actually
79 00:06:53,150 --> 00:06:55,260 here it shows you the commands that you need to run.
80 00:06:55,310 --> 00:06:57,510 And it's fairly simple.
81 00:06:57,580 --> 00:07:04,730 You're enabling IP forwarding here, making some changes to the iptables so it redirects the HTTP
82 00:07:04,730 --> 00:07:09,250 traffic to sslstrip, running sslstrip here.
83 00:07:09,620 --> 00:07:15,290 You need to put in the port here, and then you are enabling the ARP spoofing where you're telling the
84 00:07:15,530 --> 00:07:19,180 target machine to send its traffic to you instead.
85 00:07:19,190 --> 00:07:22,760 So if you'd like to have a play around with that in Kali you can do that.
86 00:07:22,760 --> 00:07:30,560 Another interesting way of stripping out your SSL is if you set up a rogue access point, and then that
87 00:07:30,560 --> 00:07:33,800 can be set to automatically strip down SSL.
88 00:07:33,800 --> 00:07:41,300 So a rogue access point is when you connect to a Wi-Fi network and the owner of that Wi-Fi net-
89 00:07:41,300 --> 00:07:50,840 work is trying to attack us, a rogue or fake access point, and you can set that access point to strip out
90 00:07:50,870 --> 00:07:55,820 SSL just as we spoke about, because again they are obviously in the middle because that's what you're
91 00:07:55,820 --> 00:08:03,200 connecting to, and you can actually buy a piece of hardware that will do this for you.
92 00:08:03,210 --> 00:08:05,540 And this is the WiFi Pineapple.
93 00:08:05,570 --> 00:08:07,410 There's other versions.
94 00:08:07,600 --> 00:08:14,560 But this is one that I would recommend. You take this to an airport or somewhere busy, you
95 00:08:15,110 --> 00:08:20,620 switch on an open network saying, you know, free Wi-Fi or something like that, and you'll be amazed at
96 00:08:20,620 --> 00:08:27,650 the number of passwords you'll get for Facebook and Google and all the rest of the websites by stripping
97 00:08:27,650 --> 00:08:28,560 out the SSL.
98 00:08:28,560 --> 00:08:31,170 People just do not notice.
99 00:08:31,340 --> 00:08:37,310 It's probably worth pointing out actually that when you do strip SSL it means the connection is no longer
100 00:08:37,310 --> 00:08:43,310 encrypted and therefore you can see all of the content, and therefore you'll be able to steal usernames
101 00:08:43,310 --> 00:08:47,960 and passwords and just see everything that the person is actually doing.
102 00:08:48,110 --> 00:08:51,350 Now what can we do to help prevent this?
103 00:08:51,350 --> 00:09:01,010 Well client side, I mean you can attempt to notice that you don't have HTTPS, but you know if you're
104 00:09:01,010 --> 00:09:06,100 busy that's not necessarily something that you might spot, but you do need to keep your eye out for it.
105 00:09:06,110 --> 00:09:13,870 A more solid method is to use a tunnel or encrypted tunnel so that it's not possible for them to strip
106 00:09:13,880 --> 00:09:19,960 out the SSL because the traffic that you are sending is encrypted by a different mechanism.
107 00:09:20,090 --> 00:09:27,350 So you can use SSH for tunneling for example, you can use VPN technology like IPsec. But really what
108 00:09:27,350 --> 00:09:31,890 you're after is end to end encryption, and we'll talk more on end to end encryption.
109 00:09:31,910 --> 00:09:39,380 And also you don't want to connect really to untrusted networks without using tunneling or VPN or encryption,
110 00:09:39,410 --> 00:09:44,490 because this is exactly what can happen if you don't have a VPN or tunneling.
111 00:09:44,520 --> 00:09:48,020 Your SSL can be stripped out and all your traffic can be seen.
112 00:09:48,040 --> 00:09:54,620 We're going to cover more on VPNs as well. On your local network it's possible to detect to some degree
113 00:09:54,710 --> 00:09:57,510 if ARP spoofing and sniffing is happening.
114 00:09:57,590 --> 00:10:01,230 And there's a couple of examples of tools here that you can use.
115 00:10:01,250 --> 00:10:07,720 This is arpwatch, it monitors your Ethernet to see whether ARP spoofing or poisoning is happening.
116 00:10:08,920 --> 00:10:14,040 And there's another tool here which is a sniffer detection, so it's seeing if anyone is watching the
117 00:10:14,040 --> 00:10:15,240 network traffic.
118 00:10:15,270 --> 00:10:21,870 Also server side, I mean, you may not have control of the server side but I guess in some instances
119 00:10:21,870 --> 00:10:26,480 you might. You can enable, they can enable something called
120 00:10:26,490 --> 00:10:34,110 HSTS, or HTTP Strict Transport Security, which uses a special response header to tell the browser to only accept
121 00:10:34,480 --> 00:10:36,140 HTTPS traffic.
122 00:10:36,150 --> 00:10:42,960 This only works if you've visited the site before, and then your client essentially remembers that they
123 00:10:42,960 --> 00:10:51,360 only accept HTTPS traffic, and this is an example of where I've stripped out the SSL and got an error message
124 00:10:51,600 --> 00:10:59,570 because they've enabled HTTP Strict Transport Security. Another way to prevent SSL stripping
125 00:10:59,600 --> 00:11:07,370 and also ARP spoofing and poisoning is to use virtual LANs and other forms of network isolation. A virtual
126 00:11:07,370 --> 00:11:13,040 LAN prevents traffic going from one end of the network to another area of the network using a switch
127 00:11:13,130 --> 00:11:14,600 and special tags.
128 00:11:14,600 --> 00:11:20,080 If you're interested in that sort of thing then Google around VLANs. You can also have a general network
129 00:11:20,080 --> 00:11:21,000 configuration.
130 00:11:21,020 --> 00:11:27,230 If an attacker is not on the same physical network as you and the traffic is literally not going past
131 00:11:27,230 --> 00:11:32,030 that attacker because you're on a different switch or going through a different router, then obviously
132 00:11:32,030 --> 00:11:34,190 they cannot get access to your traffic.
133 00:11:34,190 --> 00:11:40,340 You can also use firewalls which prevent traffic going in certain directions, and you can configure Wi-Fi
134 00:11:40,340 --> 00:11:46,900 for isolation using the configuration on your access point, and you can set up separate Wi-Fi networks.
135 00:11:46,900 --> 00:11:49,870 So a guest network or a network on a network.
136 00:11:49,910 --> 00:11:52,610 And then those two networks cannot see the traffic of the other.
137 00:11:52,610 --> 00:11:55,350 So there's lots of things you can do at the network level.
138 00:11:55,520 --> 00:12:00,540 And when we talk about your local network and Wi-Fi we'll go into more details on that.
139 00:12:00,620 --> 00:12:02,130 So that's SSL stripping.