1
00:00:00,270 --> 00:00:07,950
In this video, we will learn an important technique in dynamic malware analysis called SSL decryption

2
00:00:08,010 --> 00:00:09,690
or SSL interception.

3
00:00:10,110 --> 00:00:17,040
Suppose that we have a malicious mobile application running on your smartphone that is connecting over

4
00:00:17,040 --> 00:00:20,790
an encrypted tunnel to a command and control server over the cloud.

5
00:00:21,120 --> 00:00:27,450
Now, one of the things that we need to do is to jump into that tunnel and see if there is some sort of malicious

6
00:00:27,450 --> 00:00:28,840
activity taking place.

7
00:00:29,190 --> 00:00:30,210
So how to do that?

8
00:00:30,240 --> 00:00:31,110
Everything is encrypted.

9
00:00:31,410 --> 00:00:37,560
Now, one of the things that we need to do is to install a proxy server in the middle here and route

10
00:00:37,620 --> 00:00:43,020
our traffic from the mobile phone through this proxy server. On that proxy server,

11
00:00:43,080 --> 00:00:45,120
we will install a fake certificate.

12
00:00:45,630 --> 00:00:51,330
So the public certificate, the public and the private key will be exchanged between the mobile phone

13
00:00:51,360 --> 00:00:52,500
and the proxy server.

14
00:00:52,830 --> 00:00:57,480
And now we have the keys, so we can decrypt the traffic.

15
00:00:57,750 --> 00:01:00,480
Now the rest of the connection will remain the same.

16
00:01:00,810 --> 00:01:07,770
The proxy server will continue, or will forward, that traffic to the command and control, or C and C,

17
00:01:08,000 --> 00:01:09,270
server over the cloud.

18
00:01:09,540 --> 00:01:13,260
So from the proxy server to the cloud, it is still encrypted.

19
00:01:13,560 --> 00:01:19,440
But between our smartphone and the proxy server, it is decrypted and we can see everything that is

20
00:01:19,440 --> 00:01:20,400
taking place there.

21
00:01:20,550 --> 00:01:23,700
Let's go to the demo directly for that purpose.
22
00:01:23,760 --> 00:01:29,130
I'll be using my mobile phone, and you have to install two applications.

23
00:01:29,130 --> 00:01:34,070
Actually, if you're trying to do that on a malicious app, make sure you're doing that in a lab and

24
00:01:34,080 --> 00:01:35,580
not on a real phone.

25
00:01:35,820 --> 00:01:37,440
But now I have a safe application.

26
00:01:37,450 --> 00:01:39,060
That's why I'll be doing that on my phone.

27
00:01:39,180 --> 00:01:42,900
So the first thing that I have here is my mobile application.

28
00:01:42,930 --> 00:01:48,000
This is actually a legitimate mobile application I developed for one of my clients.

29
00:01:48,450 --> 00:01:50,510
And it's just a CRM, right?

30
00:01:50,820 --> 00:01:58,940
So you need to know if that application is connecting to a malicious server or performing some activities

31
00:01:58,950 --> 00:01:59,570
in question.

32
00:02:00,090 --> 00:02:02,400
To do that, you need to sniff the traffic.

33
00:02:02,850 --> 00:02:06,930
And as we said, install this proxy server for this purpose.

34
00:02:07,080 --> 00:02:12,150
You need to install an application that will do this for you automatically.

35
00:02:12,150 --> 00:02:13,060
It's called SSL

36
00:02:13,120 --> 00:02:13,870
Packet Capture.

37
00:02:14,400 --> 00:02:16,520
So that application is very simple.

38
00:02:16,580 --> 00:02:22,410
Just open it and you choose the application which you want to sniff.

39
00:02:23,130 --> 00:02:26,340
So that's the name of the application that I have.

40
00:02:27,780 --> 00:02:30,570
Just click that and it will start sniffing.

41
00:02:31,140 --> 00:02:41,100
Now, when I go use my application, it will record all the activities that are taking place within

42
00:02:41,100 --> 00:02:42,210
this application.

43
00:02:42,690 --> 00:02:46,500
Now, I'll go again to the packet capture and stop it.

44
00:02:46,900 --> 00:02:47,090
Okay.
45
00:02:47,790 --> 00:02:52,170
As you can see here, the date, the time and the number of captures; it is three.

46
00:02:52,830 --> 00:02:57,570
You go down, you drill down and you'll see all the captures, which are TCP captures.

47
00:02:57,930 --> 00:03:01,450
You can open one of those and you'll see the HTTP.

48
00:03:01,530 --> 00:03:03,960
The request is in blue and the response is in red.

49
00:03:04,140 --> 00:03:06,720
So one of the things to look for is the host.

50
00:03:07,170 --> 00:03:13,180
This is the IP where the application is communicating to. You can actually take this IP.

51
00:03:13,250 --> 00:03:16,130
Here you can go to this website here.

52
00:03:16,140 --> 00:03:17,810
It's AbuseIPDB.

53
00:03:18,240 --> 00:03:25,200
You can paste that IP, or any other IP you suspect, and it will give you some information about it.

54
00:03:25,230 --> 00:03:31,680
If it's blacklisted, it will tell you that this IP has been blacklisted, and this will give you enough

55
00:03:31,680 --> 00:03:36,960
information on the activities that are taking place within this app.

56
00:03:37,410 --> 00:03:40,110
The capture has a lot of information.

57
00:03:40,200 --> 00:03:45,330
You can take the files from here and you can import them into Wireshark.

58
00:03:45,540 --> 00:03:49,960
You can do further analysis if you want to know more about that.

59
00:03:49,980 --> 00:03:52,970
You can subscribe to my course, Master Wireshark

60
00:03:53,160 --> 00:03:58,500
3 in five days, where you will be equipped with enough knowledge to troubleshoot not only the

61
00:03:58,500 --> 00:04:03,270
traffic from mobile applications, but traffic from corporate networks and personal networks.

62
00:04:03,660 --> 00:04:09,780
Investigate further to spot any out-of-the-ordinary behavior or malicious behavior.