1 00:00:00,300 --> 00:00:02,550 Instructor: Hi. Now within this lecture
2 00:00:02,550 --> 00:00:04,290 we are going to test our attack.
3 00:00:04,290 --> 00:00:06,090 It's working actually right now
4 00:00:06,090 --> 00:00:11,090 so I can get the data from my phone, my computer,
5 00:00:11,670 --> 00:00:14,880 my Kali Linux is actually the man in the middle right now.
6 00:00:14,880 --> 00:00:17,010 So net.sniff is working.
7 00:00:17,010 --> 00:00:17,910 So let's try this.
8 00:00:17,910 --> 00:00:20,010 Let's go to the browser.
9 00:00:20,010 --> 00:00:24,450 Okay, so I'm inside a website over here.
10 00:00:24,450 --> 00:00:26,700 So let me go to some other website,
11 00:00:26,700 --> 00:00:29,220 like an HTTP website maybe.
12 00:00:29,220 --> 00:00:34,220 So this is hurriyet.com and it's a local Turkish newspaper,
13 00:00:34,500 --> 00:00:37,200 so you don't have to go into that, okay?
14 00:00:37,200 --> 00:00:39,840 You can just try any website.
15 00:00:39,840 --> 00:00:41,160 I'm just trying to see
16 00:00:41,160 --> 00:00:45,000 if I can get this information on the left hand side.
17 00:00:45,000 --> 00:00:47,580 So as you can see, I'm getting the information.
18 00:00:47,580 --> 00:00:49,410 Okay, once I got that,
19 00:00:49,410 --> 00:00:53,490 so you can try this website for example, unicornitems.com,
20 00:00:53,490 --> 00:00:56,610 but as you can see on the left hand side on my terminal
21 00:00:56,610 --> 00:00:58,983 I can get the information, right?
22 00:00:59,910 --> 00:01:02,310 So if you go to unicornitems.com
23 00:01:02,310 --> 00:01:03,990 and if you go to my account,
24 00:01:03,990 --> 00:01:07,590 you can see a login page with username and password.
25 00:01:07,590 --> 00:01:09,150 So this is my own website.
26 00:01:09,150 --> 00:01:12,750 I just made it available for the tests.
27 00:01:12,750 --> 00:01:16,140 So I'm going to say "testtesttest" for username
28 00:01:16,140 --> 00:01:18,723 and I'm going to say "123456123456"
29 00:01:21,891 --> 00:01:22,860 for password.
30 00:01:22,860 --> 00:01:25,110 And I'm going to try and log in.
31 00:01:25,110 --> 00:01:26,940 Of course it will give me an error
32 00:01:26,940 --> 00:01:29,910 because that user doesn't exist,
33 00:01:29,910 --> 00:01:33,420 but the reason that I'm doing that is to see
34 00:01:33,420 --> 00:01:38,400 if I can get this information on my terminal.
35 00:01:38,400 --> 00:01:42,630 So since I'm man in the middle, okay, and
36 00:01:42,630 --> 00:01:46,260 since I'm doing an ARP sniffing over here,
37 00:01:46,260 --> 00:01:48,660 I should get this information,
38 00:01:48,660 --> 00:01:51,720 and if you search for the account name
39 00:01:51,720 --> 00:01:55,410 and password that you have given, you will see it like this.
40 00:01:55,410 --> 00:01:59,250 As you can see, we managed to get the username and password,
41 00:01:59,250 --> 00:02:02,850 so it will take a little bit of time to find this
42 00:02:02,850 --> 00:02:07,850 in all of these logs, but we managed to get it, right?
43 00:02:08,100 --> 00:02:12,960 So it was an HTTP website rather than an HTTPS one.
44 00:02:12,960 --> 00:02:16,080 And I'm going to explain the difference in a minute.
45 00:02:16,080 --> 00:02:20,700 However, we managed to get the username and password,
46 00:02:20,700 --> 00:02:25,700 so it works much better on computers, as I said before.
47 00:02:25,710 --> 00:02:29,370 So there is a lot more to learn in man in the middle attacks,
48 00:02:29,370 --> 00:02:33,870 like DNS spoofing, maybe JavaScript injection,
49 00:02:33,870 --> 00:02:38,870 and HTTPS downgrades, and HSTS cracking attempts
50 00:02:40,830 --> 00:02:41,820 and everything.
51 00:02:41,820 --> 00:02:44,700 And we do all of those things in the complete ethical
52 00:02:44,700 --> 00:02:48,750 hacking course because we generally target the
53 00:02:48,750 --> 00:02:51,420 actual computers in that course.
54 00:02:51,420 --> 00:02:55,050 It works on mobile devices as well, but
55 00:02:55,050 --> 00:02:59,100 it has a limit. It doesn't work in apps
56 00:02:59,100 --> 00:03:02,670 generally, it works in the browsers, okay?
57 00:03:02,670 --> 00:03:06,030 So fewer people use browsers right now, rather
58 00:03:06,030 --> 00:03:09,990 they always go for the apps,
59 00:03:09,990 --> 00:03:14,190 and it doesn't make sense to allocate too much time
60 00:03:14,190 --> 00:03:19,140 on these sections kind of over here, just so that you know
61 00:03:19,140 --> 00:03:22,410 there is something called man in the middle attacks, okay?
62 00:03:22,410 --> 00:03:25,050 You don't have to spend too much time on it.
63 00:03:25,050 --> 00:03:28,050 So if you come to my webpage for example,
64 00:03:28,050 --> 00:03:32,940 like atilsam.com, you will see it uses HTTPS, and if you go
65 00:03:32,940 --> 00:03:37,080 to unicornitems.com on your computer it says not secure,
66 00:03:37,080 --> 00:03:40,140 it doesn't use HTTPS, okay?
67 00:03:40,140 --> 00:03:42,300 It starts with HTTP.
68 00:03:42,300 --> 00:03:45,938 So of course it's different in HTTPS
69 00:03:45,938 --> 00:03:50,938 and HTTP because HTTPS is secure HTTP and
70 00:03:51,120 --> 00:03:55,920 it encrypts the information that is being sent or retrieved.
71 00:03:55,920 --> 00:03:59,790 Okay? So that was the thing that I was talking about.
72 00:03:59,790 --> 00:04:03,540 Even though we can get the packets that are being sent
73 00:04:03,540 --> 00:04:08,340 to HTTPS websites, we cannot see the content of them.
74 00:04:08,340 --> 00:04:12,030 So it doesn't make sense to capture the HTTPS packets
75 00:04:12,030 --> 00:04:15,180 because we cannot see what's inside.
76 00:04:15,180 --> 00:04:19,530 So we could have seen the HTTP websites like we
77 00:04:19,530 --> 00:04:23,010 did see in the unicornitems.com example, right?
78 00:04:23,010 --> 00:04:27,720 But if it was an HTTPS website, we couldn't have seen it.
79 00:04:27,720 --> 00:04:32,550 So there are some certain ways to downgrade
80 00:04:32,550 --> 00:04:36,210 HTTPS to HTTP as well.
81 00:04:36,210 --> 00:04:39,630 We use something called SSL strip.
82 00:04:39,630 --> 00:04:43,560 We use some caplets in bettercap in order to
83 00:04:43,560 --> 00:04:45,660 achieve this result.
84 00:04:45,660 --> 00:04:49,800 However, it doesn't make sense to learn all of these
85 00:04:49,800 --> 00:04:53,280 things because it doesn't work very well on mobile devices.
86 00:04:53,280 --> 00:04:57,780 Rather, in this section I believe we should focus
87 00:04:57,780 --> 00:05:02,310 on how to protect ourselves against these attacks.
88 00:05:02,310 --> 00:05:06,840 For example, if you are a developer now you should understand
89 00:05:06,840 --> 00:05:11,670 why you shouldn't use HTTP connections in your app.
90 00:05:11,670 --> 00:05:14,610 Believe it or not, up until three years ago,
91 00:05:14,610 --> 00:05:19,610 I believe Instagram wasn't using HTTPS connections,
92 00:05:20,070 --> 00:05:22,740 they were using HTTP connections.
93 00:05:22,740 --> 00:05:24,450 So let me show you an example.
94 00:05:24,450 --> 00:05:28,530 I'm inside one of the apps that I have written
95 00:05:28,530 --> 00:05:31,980 for my iOS course, so you don't have to do that,
96 00:05:31,980 --> 00:05:34,470 of course. I'm going to open this
97 00:05:34,470 --> 00:05:37,050 and this is a currency converter app.
98 00:05:37,050 --> 00:05:42,050 So all it does is get the currency data from some API
99 00:05:42,750 --> 00:05:46,290 and display them to the user like this, okay?
100 00:05:46,290 --> 00:05:51,240 So you can see what your currency is here at this point.
101 00:05:51,240 --> 00:05:54,840 Like it's, I believe the base is euro over here
102 00:05:54,840 --> 00:05:59,280 and one euro equals $1.10 right now.
103 00:05:59,280 --> 00:06:02,580 So if I come over here, if I see the strength,
104 00:06:02,580 --> 00:06:06,390 it uses an HTTP connection, okay?
105 00:06:06,390 --> 00:06:09,270 So if an app uses an HTTP connection
106 00:06:09,270 --> 00:06:13,590 we can see the data of this app as well
107 00:06:13,590 --> 00:06:15,960 if we attack a mobile device,
108 00:06:15,960 --> 00:06:19,380 and if I come over here to info.plist
109 00:06:19,380 --> 00:06:24,380 I can see that for the Allow Arbitrary Loads option
110 00:06:25,200 --> 00:06:30,120 I changed it to yes because I need to change it to yes
111 00:06:30,120 --> 00:06:33,750 in order to use an HTTP connection in my app.
112 00:06:33,750 --> 00:06:36,660 So Apple basically said that, yeah,
113 00:06:36,660 --> 00:06:40,380 you cannot use an HTTP connection anymore,
114 00:06:40,380 --> 00:06:43,950 but since there are millions of people using,
115 00:06:43,950 --> 00:06:47,820 millions of developers using HTTP connections every day,
116 00:06:47,820 --> 00:06:50,340 they couldn't go for it 100%.
117 00:06:50,340 --> 00:06:51,540 So they said that, yeah,
118 00:06:51,540 --> 00:06:55,860 we suggest you go to HTTPS connections right now,
119 00:06:55,860 --> 00:06:58,650 but if you want to use an HTTP connection
120 00:06:58,650 --> 00:07:00,690 you have to come over here and say
121 00:07:00,690 --> 00:07:05,280 Allow Arbitrary Loads is yes in your info.plist.
122 00:07:05,280 --> 00:07:07,710 So if you are doing reverse engineering for
123 00:07:07,710 --> 00:07:12,540 any kind of app, if you see Allow Arbitrary Loads is yes,
124 00:07:12,540 --> 00:07:17,430 then you should know that this is using an HTTP
125 00:07:17,430 --> 00:07:20,970 connection and it's not very secure to do so.
126 00:07:20,970 --> 00:07:23,430 It's the same thing in Android as well.
127 00:07:23,430 --> 00:07:27,570 Okay? You can use HTTP connections in Android
128 00:07:27,570 --> 00:07:32,010 development, and let me come over here to my
129 00:07:32,010 --> 00:07:35,610 currency and let me show you the link.
130 00:07:35,610 --> 00:07:38,460 As you can see, the link of this app is over
131 00:07:38,460 --> 00:07:41,970 here and I have an Android version of this as well.
132 00:07:41,970 --> 00:07:45,960 So you're more than welcome to download it and try it
133 00:07:45,960 --> 00:07:46,950 if you want.
134 00:07:46,950 --> 00:07:50,910 I'm just going to show you something on the Android as well
135 00:07:50,910 --> 00:07:54,120 so we can understand it in a better way.
136 00:07:54,120 --> 00:07:57,930 So the thing that you should understand from the section:
137 00:07:57,930 --> 00:08:02,043 if you're a developer, you shouldn't use HTTP websites.
138 00:08:02,043 --> 00:08:07,043 HTTP APIs, if they're not very vital, just switch to HTTPS.
139 00:08:07,800 --> 00:08:12,060 And if you are a user, just don't connect
140 00:08:12,060 --> 00:08:16,770 to the wireless networks that you are not familiar with.
141 00:08:16,770 --> 00:08:19,740 For example, if you are at a restaurant, just don't connect
142 00:08:19,740 --> 00:08:23,490 to them, just don't connect to their wireless networks.
143 00:08:23,490 --> 00:08:24,450 It's not very safe.
144 00:08:24,450 --> 00:08:28,590 You can be ARP spoofed, they can see the things
145 00:08:28,590 --> 00:08:30,600 that you're doing on the internet.
146 00:08:30,600 --> 00:08:33,720 They can get your information, just don't do it.
147 00:08:33,720 --> 00:08:38,720 As you can see in the Android as well, I have this HTTP site
148 00:08:38,730 --> 00:08:39,810 over here.
149 00:08:39,810 --> 00:08:44,810 So in the Android manifest, I have this network
150 00:08:45,870 --> 00:08:49,710 security config and usesCleartextTraffic true.
151 00:08:49,710 --> 00:08:51,420 So this is the same thing:
152 00:08:51,420 --> 00:08:54,960 like we changed the info.plist in iOS,
153 00:08:54,960 --> 00:08:57,270 we change this in Android.
154 00:08:57,270 --> 00:09:00,630 So if you're doing reverse engineering on an Android app
155 00:09:00,630 --> 00:09:03,450 and if you see this usesCleartextTraffic
156 00:09:03,450 --> 00:09:07,710 as true and the network security configuration has been changed,
157 00:09:07,710 --> 00:09:12,710 then you should understand that it's using an HTTP connection.
158 00:09:12,900 --> 00:09:17,130 It's one of the vulnerabilities that this app should have.
159 00:09:17,130 --> 00:09:19,740 Okay, so again, if you come
160 00:09:19,740 --> 00:09:22,830 over to network security config over here
161 00:09:22,830 --> 00:09:26,130 you can see it says that clear text traffic permitted
162 00:09:26,130 --> 00:09:29,670 true and it includes some kind of domains over here
163 00:09:29,670 --> 00:09:33,870 and it even includes some subdomains as well.
164 00:09:33,870 --> 00:09:37,260 So as you can see, both Android and iOS
165 00:09:37,260 --> 00:09:40,350 don't suggest using HTTP connections
166 00:09:40,350 --> 00:09:45,090 because of these reasons, and it's still available
167 00:09:45,090 --> 00:09:49,440 for developers to use, so don't do that.
168 00:09:49,440 --> 00:09:52,590 If you can just switch it to HTTPS,
169 00:09:52,590 --> 00:09:54,150 just make sure you do it.
170 00:09:54,150 --> 00:09:57,600 So I hope you enjoyed this section as well.
171 00:09:57,600 --> 00:09:59,373 Meet you in the next one.
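The two platform settings the lecture points at (Allow Arbitrary Loads in an iOS Info.plist, usesCleartextTraffic and cleartextTrafficPermitted in an Android manifest and network security config) can be audited mechanically. This is an added example, not code from the lecture or its apps; the plist and XML inputs are constructed, and the key names are the real platform keys (NSAppTransportSecurity / NSAllowsArbitraryLoads, android:usesCleartextTraffic, network-security-config).

```python
import plistlib
import xml.etree.ElementTree as ET
from typing import List, Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def ios_allows_cleartext(plist_bytes: bytes) -> bool:
    """True when App Transport Security is globally relaxed (the 'Allow Arbitrary Loads' = YES case)."""
    ats = plistlib.loads(plist_bytes).get("NSAppTransportSecurity", {})
    return bool(ats.get("NSAllowsArbitraryLoads", False))


def android_cleartext_scope(manifest_xml: str, nsc_xml: Optional[str] = None) -> List[str]:
    """Where an Android app explicitly permits plain HTTP: '*' means everywhere,
    'host' or '*.host' (includeSubdomains) names a domain-config entry.
    On API 24+ a network security config overrides android:usesCleartextTraffic,
    so the manifest flag is only consulted when no config is supplied."""
    app = ET.fromstring(manifest_xml).find("application")
    scope = set()
    if nsc_xml is None:
        if app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true":
            scope.add("*")
        return sorted(scope)
    root = ET.fromstring(nsc_xml)
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") == "true":
        scope.add("*")
    for cfg in root.findall("domain-config"):
        if cfg.get("cleartextTrafficPermitted") != "true":
            continue  # only explicit cleartext grants are reported
        for dom in cfg.findall("domain"):
            prefix = "*." if dom.get("includeSubdomains") == "true" else ""
            scope.add(prefix + (dom.text or "").strip())
    return sorted(scope)


# Constructed sample inputs mirroring what the instructor shows in his apps.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>NSAppTransportSecurity</key>
<dict><key>NSAllowsArbitraryLoads</key><true/></dict></dict></plist>"""
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<application android:usesCleartextTraffic="true"
  android:networkSecurityConfig="@xml/network_security_config"/></manifest>"""
SAMPLE_NSC = """<network-security-config><domain-config cleartextTrafficPermitted="true">
<domain includeSubdomains="true">api.example.com</domain></domain-config></network-security-config>"""

if __name__ == "__main__":
    print("iOS allows arbitrary loads:", ios_allows_cleartext(SAMPLE_PLIST))
    print("Android cleartext scope:", android_cleartext_scope(SAMPLE_MANIFEST, SAMPLE_NSC))
```

A hardened app yields False from the plist check and an empty list from the Android check; anything else is the "not secure" condition the lecture describes.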