1
00:00:00,990 --> 00:00:07,470
Any attacker that can position themselves in the middle between the source and destination traffic, source
2
00:00:07,470 --> 00:00:14,880
being here, destination being here, can perform man-in-the-middle attacks. One such attack that requires
3
00:00:14,880 --> 00:00:19,740
pretty minimal skill and resources is called SSL stripping.
4
00:00:19,890 --> 00:00:30,270
The attacker acts as a proxy here and changes encrypted HTTPS connections to HTTP connections, and
5
00:00:30,270 --> 00:00:38,830
there is a free tool available to do this called SSL strip, which works with HTTP using SSL, and that's
6
00:00:38,840 --> 00:00:45,250
here, and this is by a guy called Moxie Marlinspike, who's a fairly well renowned security researcher.
7
00:00:45,580 --> 00:00:50,390
So was thinking about how we actually end up getting to HTTPS Web sites.
8
00:00:50,720 --> 00:00:52,350
Click here.
9
00:00:52,390 --> 00:00:58,790
There's really a couple of main ways that we end up getting to HTTPS Web sites, and the first is this
10
00:00:58,790 --> 00:00:59,400
way.
11
00:00:59,600 --> 00:01:04,750
So we type in maybe the site that we're going for.
12
00:01:06,440 --> 00:01:09,190
And we press return.
13
00:01:09,430 --> 00:01:15,810
Now most often we do not type in HTTPS colon slash slash.
14
00:01:15,880 --> 00:01:22,680
What happens is we go to the HTTP Web site and then the server gives us what's known as a 302
15
00:01:22,780 --> 00:01:26,040
redirect and then sends us to the
16
00:01:26,070 --> 00:01:35,380
HTTPS version of the Web site. Another way that we get to HTTPS Web sites is if you go via a link, so
17
00:01:35,650 --> 00:01:38,290
a search here on Google.
18
00:01:38,440 --> 00:01:45,290
And then there we have a link and we can see it is an HTTPS link, and then that takes us directly
19
00:01:45,290 --> 00:01:47,850
to the HTTPS version of Facebook.
20
00:01:47,960 --> 00:01:55,420
So the way SSL strip works is it acts as a proxy working for those two types of events.
21
00:01:55,440 --> 00:02:02,650
So 302 redirects and links that are HTTPS; it proxies those connections.
22
00:02:02,790 --> 00:02:10,140
So you send the original HTTP connection, it reaches the server, the server says, actually no, this
23
00:02:10,140 --> 00:02:12,480
should be an HTTPS connection.
24
00:02:12,480 --> 00:02:20,970
So it sends it back. This proxy is pretending to be your browser and sends back an HTTP version
25
00:02:20,970 --> 00:02:21,910
to you.
26
00:02:21,910 --> 00:02:27,270
The server never knows any difference; it thinks it's talking to you.
27
00:02:27,300 --> 00:02:33,960
It believes this to be the browser and what you would see would be virtually identical to the actual
28
00:02:33,960 --> 00:02:34,640
site.
29
00:02:34,860 --> 00:02:38,120
So let me show you what the Facebook Web site should look like.
30
00:02:38,160 --> 00:02:47,740
So that's the legitimate Facebook Web site. Now I've done HTTPS stripping using Kali, and this is what
31
00:02:47,740 --> 00:02:49,550
the stripped version looks like.
32
00:02:52,490 --> 00:03:00,760
Legitimate version, stripped version. Legitimate version, stripped version.
33
00:03:01,250 --> 00:03:08,960
So as you can see, the difference is you don't have the HTTPS, and most people will not notice that
34
00:03:08,960 --> 00:03:09,890
difference.
35
00:03:09,930 --> 00:03:16,850
And as I said the server never sees anything is wrong because he's talking to a proxy that acts just
36
00:03:16,850 --> 00:03:20,060
like you would act. In order to perform this attack,
37
00:03:20,060 --> 00:03:26,450
you need to be in the middle. You need to be able to see the traffic so that you can strip it out, and
38
00:03:26,450 --> 00:03:31,040
it's not always that easy to be in the middle of someone else's traffic.
39
00:03:31,040 --> 00:03:33,050
It really depends on where you are.
40
00:03:33,290 --> 00:03:40,760
So if you're on someone else's network, like for example you were in an Internet cafe, Internet
41
00:03:40,760 --> 00:03:42,330
service provider.
42
00:03:42,380 --> 00:03:43,520
All those people.
43
00:03:43,520 --> 00:03:45,510
They control that network.
44
00:03:45,530 --> 00:03:47,600
So they are in the middle.
45
00:03:47,600 --> 00:03:50,210
So therefore they can perform this type of attack.
46
00:03:50,420 --> 00:03:56,600
Obviously governments nation states they control network devices across the Internet.
47
00:03:56,780 --> 00:04:00,230
So they are in the middle they can perform this sort of attack.
48
00:04:00,410 --> 00:04:05,880
But this is not a very subtle attack, as you can notice the missing HTTPS.
49
00:04:06,080 --> 00:04:12,590
But it's not beyond the government in a targeted attack that they may consider doing this, but it's reasonably
50
00:04:12,590 --> 00:04:19,010
unlikely, and it would very very unlikely be done in any sort of mass surveillance type way unless it
51
00:04:19,010 --> 00:04:26,450
was some sort of tin pot government that was doing it because it's a pretty basic form of attack effective
52
00:04:26,690 --> 00:04:34,970
for low-resource, low-skilled attackers but not really a nation state level attack. A random cyber criminal
53
00:04:34,970 --> 00:04:40,650
sat somewhere at a distance from you is going to really struggle to get in the middle of your traffic.
54
00:04:40,730 --> 00:04:44,010
There are not really many mechanisms to do that.
55
00:04:44,330 --> 00:04:51,650
And it's therefore more likely that this distant attacker would attack your client instead because that's
56
00:04:51,650 --> 00:04:53,050
just simply easier.
57
00:04:53,150 --> 00:04:57,110
And people always go for what is easy as opposed to what is more difficult.
58
00:04:57,260 --> 00:05:00,870
And if they attack your client and they're on your client they own your client.
59
00:05:00,980 --> 00:05:06,290
They don't need to strip out SSL because they're able to see your data anyway because they're on your
60
00:05:06,290 --> 00:05:07,550
client.
61
00:05:07,550 --> 00:05:13,730
Another interesting way to do this attack is if the attacker's sat on your local network, so that's either
62
00:05:13,730 --> 00:05:18,920
physically through the ethernet cables or wirelessly through Wi-Fi.
63
00:05:19,010 --> 00:05:23,790
They can trick your machine into sending traffic through them.
64
00:05:23,900 --> 00:05:32,390
And this is known as spoofing or poisoning. The attacker sends out ARP packets pretending to be the victim's
65
00:05:32,510 --> 00:05:34,180
default gateway.
66
00:05:34,280 --> 00:05:40,620
This works because Ethernet has no mechanism for authentication functionality.
67
00:05:40,730 --> 00:05:46,760
So any machine can essentially send out what's known as this ARP packet and say that they are any other
68
00:05:46,760 --> 00:05:53,300
machine that's on the network including the gateway or router which means you end up sending your traffic
69
00:05:53,660 --> 00:05:59,840
through a fake router, and it then forwards on the traffic and strips out the SSL and then forwards the traffic
70
00:05:59,840 --> 00:06:07,710
back to you, like we've shown. Now if you want to learn more about ARP spoofing I would recommend this
71
00:06:07,710 --> 00:06:09,470
Web site here which is quite good.
72
00:06:09,720 --> 00:06:16,680
And here's a little diagram here where you can see the attacker here is saying look I'm the router and
73
00:06:16,680 --> 00:06:19,440
the traffic is getting sent by them instead.
74
00:06:19,440 --> 00:06:27,270
There are tools in Kali called Ettercap and arpspoof and obviously SSL strip which can enable you to
75
00:06:27,270 --> 00:06:28,640
do this sort of attack.
76
00:06:28,800 --> 00:06:36,010
And there's a tool called Cain and Abel which is here which you can use on Windows and this is the Web
77
00:06:36,010 --> 00:06:45,530
site for SSL strip too, and actually gives you the commands here for how to do this, and everything
78
00:06:45,530 --> 00:06:53,150
you need to do SSL stripping and the ARP spoofing, if you're local, is available within Kali. And actually
79
00:06:53,150 --> 00:06:55,260
here it shows you the commands that you need to run.
80
00:06:55,310 --> 00:06:57,510
And it's fairly simple.
81
00:06:57,580 --> 00:07:04,730
You're enabling IP forwarding here, making some changes to the IP tables so it redirects the HTTP
82
00:07:04,730 --> 00:07:09,250
traffic to SSL strip running SSL strip here.
83
00:07:09,620 --> 00:07:15,290
You need to put in the port here and then you are enabling the ARP spoofing where you're telling the
84
00:07:15,530 --> 00:07:19,180
target machine to send this traffic to you instead.
85
00:07:19,190 --> 00:07:22,760
So if you'd like to have a play around with that in Kali you can do that.
86
00:07:22,760 --> 00:07:30,560
Another interesting way of stripping out your SSL is if you set up a rogue access point and then that
87
00:07:30,560 --> 00:07:33,800
can be set to automatically strip down SSL.
88
00:07:33,800 --> 00:07:41,300
So a rogue access point is when you connect to a Wi-Fi network and the owner of that Wi-Fi
89
00:07:41,300 --> 00:07:50,840
network is trying to attack us, a rogue or fake access point, and you can set that access point to strip out
90
00:07:50,870 --> 00:07:55,820
SSL just as we spoke about because again they are obviously in the middle because that's what you're
91
00:07:55,820 --> 00:08:03,200
connecting to and you can actually buy a piece of hardware that will do this for you.
92
00:08:03,210 --> 00:08:05,540
And this is the Wi-Fi pineapple.
93
00:08:05,570 --> 00:08:07,410
There's other versions.
94
00:08:07,600 --> 00:08:14,560
But this is one that I would recommend. You take this to an airport or somewhere a busy switch you don't
95
00:08:15,110 --> 00:08:20,620
switch on an open network saying you know free Wi-Fi or something like that and you'll be amazed at
96
00:08:20,620 --> 00:08:27,650
the number of passwords you'll get for Facebook and Google and all the rest of the Web sites by stripping
97
00:08:27,650 --> 00:08:28,560
out the SSL.
98
00:08:28,560 --> 00:08:31,170
People just do not notice.
99
00:08:31,340 --> 00:08:37,310
It's probably worth pointing out actually that when you do strip SSL it means the connection is no longer
100
00:08:37,310 --> 00:08:43,310
encrypted and therefore you can see all of the content and therefore you'll be able to steal usernames
101
00:08:43,310 --> 00:08:47,960
and passwords and just see everything that the person is actually doing.
102
00:08:48,110 --> 00:08:51,350
Now what can we do to help prevent this.
103
00:08:51,350 --> 00:09:01,010
Well, client side, I mean you can attempt to notice that you don't have HTTPS, but you know if you're
104
00:09:01,010 --> 00:09:06,100
busy that's not necessarily something that you might spot but you do need to keep your eye out for it.
105
00:09:06,110 --> 00:09:13,870
A more solid method is to use a tunnel or encrypted tunnel so that it's not possible for them to strip
106
00:09:13,880 --> 00:09:19,960
out the SSL because the traffic that you are sending is encrypted by a different mechanism.
107
00:09:20,090 --> 00:09:27,350
So you can use SSH for tunneling, for example; you can use VPN technology like IPsec. But really what
108
00:09:27,350 --> 00:09:31,890
you're after is end-to-end encryption, and we'll talk more on end-to-end encryption.
109
00:09:31,910 --> 00:09:39,380
And also you don't want to connect really to untrusted networks without using tunneling or VPN or encryption
110
00:09:39,410 --> 00:09:44,490
because this is exactly what can happen if you don't have a VPN or tunneling.
111
00:09:44,520 --> 00:09:48,020
Your SSL can be stripped out and all your traffic can be seen.
112
00:09:48,040 --> 00:09:54,620
We're going to cover more on VPNs as well. On your local network it is possible to detect to some degree
113
00:09:54,710 --> 00:09:57,510
if ARP spoofing and sniffing is happening.
114
00:09:57,590 --> 00:10:01,230
And there's a couple of examples of tools here that you can use.
115
00:10:01,250 --> 00:10:07,720
This is arpwatch; it monitors your Ethernet to see whether ARP spoofing or poisoning is happening.
116
00:10:08,920 --> 00:10:14,040
And there's another tool here which is a sniffer detection so it's seeing if anyone is watching the
117
00:10:14,040 --> 00:10:15,240
network traffic.
118
00:10:15,270 --> 00:10:21,870
Also server side, bring a screen, and you may not have control of the server side, but I guess in some instances
119
00:10:21,870 --> 00:10:26,480
you might, you can enable, they can enable something called
120
00:10:26,490 --> 00:10:34,110
HSTS, or Strict Transport Security, which uses a special response header to tell the browser to only accept
121
00:10:34,480 --> 00:10:36,140
HTTPS traffic.
122
00:10:36,150 --> 00:10:42,960
This only works if you visited the site before and then your client essentially remembers that they
123
00:10:42,960 --> 00:10:51,360
only accept HTTPS traffic, and this is an example of where I've stripped out the SSL on an error message
124
00:10:51,600 --> 00:10:59,570
because they've enabled HTTP Strict Transport Security. Another way to prevent SSL stripping
125
00:10:59,600 --> 00:11:07,370
and also ARP spoofing and poisoning is to use virtual LANs and other forms of network isolation. A virtual
126
00:11:07,370 --> 00:11:13,040
LAN prevents traffic going from one end of the network to another area of the network using a switch
127
00:11:13,130 --> 00:11:14,600
and special tags.
128
00:11:14,600 --> 00:11:20,080
If you're interested in that sort of thing then Google around VLANs. You can also have general network
129
00:11:20,080 --> 00:11:21,000
isolation.
130
00:11:21,020 --> 00:11:27,230
If an attacker is not on the same physical network as you and the traffic is literally not going past
131
00:11:27,230 --> 00:11:32,030
that attacker because we're on a different switch or going through a different router then obviously
132
00:11:32,030 --> 00:11:34,190
they cannot get access to your traffic.
133
00:11:34,190 --> 00:11:40,340
You can also use firewalls which prevent traffic going in certain directions and you can configure Wi-Fi
134
00:11:40,340 --> 00:11:46,900
so that isolation using the configuration on your access point and you can set up separate Wi-Fi network.
135
00:11:46,900 --> 00:11:49,870
So a guest network or network on a network.
136
00:11:49,910 --> 00:11:52,610
And then those two networks cannot see the traffic of the other.
137
00:11:52,610 --> 00:11:55,350
So there's lots of things you can do at the network.
138
00:11:55,520 --> 00:12:00,540
And when we talk about your local network and Wi-Fi we'll go into more detail on that.
139
00:12:00,620 --> 00:12:02,130
So that's SSL stripping.