WEBVTT

0
00:01.310 --> 00:08.990
In the last lecture we've seen theoretically how a black hat hacker can attack the HTTPS protocol.

1
00:09.020 --> 00:18.620
In this video I'll show you a live example of SSL Sniffing. The attack can be executed from any Linux machine

2
00:18.860 --> 00:22.720
using tools like ettercap or bettercap.

3
00:22.820 --> 00:30.470
I'm going to use Linux Mint ettercap because in the latest version of Kali these tools are a little

4
00:30.470 --> 00:33.100
bit buggy when executing the attack.

5
00:33.380 --> 00:40.950
If you want to run it on Kali you execute all commands and follow all steps exactly like this.

6
00:40.970 --> 00:41.990
There is no difference

7
00:41.990 --> 00:45.940
in fact. Let's get started! By default

8
00:45.990 --> 00:50.410
ettercap is not performing the SSL sniffing attack.

9
00:50.450 --> 00:58.310
This means intercepting the server certificate, generating a new fake one on the fly and sending it to

10
00:58.310 --> 00:59.340
the victim.

11
00:59.410 --> 01:04.990
Let's change the ettercap config file to activate SSL sniffing!

12
01:05.040 --> 01:16.310
I'm opening the configuration file of ettercap. It's in /etc/ettercap and then etter.conf.

13
01:16.360 --> 01:26.110
This is the configuration file of ettercap; and almost at the end of the file I'll uncomment 2

14
01:26.110 --> 01:31.780
lines related to iptables. These 2 lines!

15
01:32.060 --> 01:39.360
If you see here another 2 iptables rules related to IPv6, please uncomment

16
01:39.390 --> 01:41.370
those 2 lines as well

17
01:41.450 --> 01:48.520
in order for the attack to work! And I am saving the file and then quit.

18
01:48.570 --> 01:52.270
Let's start the ARP spoofing attack.

19
01:52.390 --> 01:55.500
The victims will be the Windows machine,

20
01:55.590 --> 01:59.280
this one, and the default gateway.

21
01:59.850 --> 02:11.370
So ettercap -T -M ARP the first victim the default gateway // and

22
02:11.490 --> 02:12.600
the Windows machine,

23
02:12.600 --> 02:13.440
the second victim.

24
02:17.190 --> 02:24.890
We had an entire lecture on ettercap and you can recap from there if you feel the need. I'm launching

25
02:24.980 --> 02:33.150
the attack! Let's check that the attack was successful on the victim: arp -a

26
02:36.250 --> 02:44.050
and we notice that both the default gateway and the hacker have the same MAC address in the arp

27
02:44.050 --> 02:45.780
table.

28
02:45.830 --> 02:49.350
This is the hacker and this is his MAC address.

29
02:49.370 --> 02:59.380
Let's check it just to be sure! Ok, the IP address ends in 151 and the MAC address ends

30
02:59.470 --> 03:00.130
in 91.

31
03:03.600 --> 03:04.090
Now

32
03:04.110 --> 03:08.630
let's visit a website using HTTPS!

33
03:08.740 --> 03:14.080
This is the victim machine, let's say bbc.co.uk

34
03:17.150 --> 03:23.480
Wow, we notice the certificate error: your connection is not private.

35
03:23.480 --> 03:31.940
This certificate is not the authentic certificate sent by the server but it's the fake certificate generated

36
03:32.000 --> 03:42.550
by the hacker. The connection to the site is not secure! If the user accepts the certificate and clicks

37
03:42.550 --> 03:46.220
on proceed to bbc.co.uk

38
03:46.360 --> 03:51.460
the hacker will capture all data in clear text and the user will be hacked!

39
03:56.190 --> 03:58.210
In the ettercap window

40
03:58.230 --> 04:01.170
we already notice unencrypted traffic.

41
04:01.170 --> 04:08.520
Remember that in the last lecture I said that this attack cannot be performed on HSTS domains.

42
04:10.310 --> 04:15.890
If we check this domain bbc.co.uk on hstspreload.org

43
04:15.920 --> 04:22.210
we'll see that it's not in the list. Let's try another domain,

44
04:22.310 --> 04:24.810
this time a domain that's in the list,

45
04:24.830 --> 04:29.600
for example Facebook.com! Okay!

46
04:29.690 --> 04:37.370
We see the same security warning "your connection is not private" but there is no way to continue.

47
04:37.540 --> 04:45.190
It says that you cannot visit Facebook.com right now because the website uses HSTS.

48
04:45.190 --> 04:53.410
So HSTS does not allow us to visit some particular websites in an insecure manner.

49
04:53.410 --> 05:01.870
It protects the user against this attack and many others; and I'm stopping the attack by pressing on q

50
05:02.080 --> 05:07.720
in the ettercap window. It's re-ARPing the victim. That's all.

51
05:07.790 --> 05:08.300
Thank you!