WEBVTT

0
00:00.910 --> 00:06.770
In the last lecture I've shown you how to launch an SSL Sniffing attack on HTTPS
1
00:06.770 --> 00:14.500
protocol. We'll move on and see the second attack on HTTP called SSL Stripping.


2
00:14.620 --> 00:18.520
I've already explained to you in detail what it does

3
00:18.700 --> 00:22.010
so let's go straight on to the attack.

4
00:22.060 --> 00:26.390
I’m gonna use bettercap on Kali! First
5
00:26.390 --> 00:35.770
I'm becoming root, because there are many parameters that need to be set and modules that need to be

6
00:35.770 --> 00:36.730
started

7
00:36.760 --> 00:45.300
I'll create a caplet and then start bettercap giving that caplet. I'm moving to /root

8
00:45.310 --> 00:53.080
directory, and here, using Vim, I'm creating the caplet, let's say ssl_stripping.cap

9
00:56.040 --> 00:56.700
First

10
00:56.740 --> 01:00.840
I'm starting net.probe module which is required.

11
01:00.910 --> 01:07.990
net.probe on
Then I'll set the options for ARP spoofing.

12
01:07.990 --> 01:13.990
This attack is of type MITM and arp.spoofing is also required.

13
01:14.260 --> 01:17.320
So set arp.spoof
14
01:17.320 --> 01:18.580
.fullduplex true

15
01:21.550 --> 01:22.570
now the target

16
01:25.180 --> 01:37.080
the IP address of the Windows machine, and I'm starting the module: arp.spoof on. The next step is

17
01:37.080 --> 01:41.990
to set parameters and start net.sniff module.

18
01:42.300 --> 01:51.620
set net.sniff.local true
This option is required and set net.sniff.
19
01:52.050 --> 02:00.110
verbose false and I am starting the module: net.sniff on
20
02:00.880 --> 02:11.130
And finally I'll start the http.proxy module!
Let's set some options for this module and then start

21
02:11.130 --> 02:14.820
it! set http.proxy

22
02:14.820 --> 02:19.170
.script and the path to a JavaScript file.

23
02:19.410 --> 02:22.530
This file is already in the bettercap directory.

24
02:28.060 --> 02:31.530
And the option for SSL stripping!

25
02:31.690 --> 02:35.890
set http.proxy.sslstrip true
26
02:41.800 --> 02:49.170
and I'm starting the module http.proxy on!
Okay, one mistake here!

27
02:49.420 --> 02:54.460
There is also a directory in the path called an HSTS hijack.

28
02:57.370 --> 02:59.780
I'm saving the file and then starting

29
02:59.780 --> 03:09.400
bettercap: bettercap -iface the name of the interface eth0 -caplet and the name of the caplet

30
03:09.470 --> 03:11.810
ssl_stripping.cap

31
03:14.790 --> 03:17.030
OK, it has started!

32
03:17.470 --> 03:19.460
The attack is running! Let's

33
03:19.530 --> 03:21.630
check the ARP table of the victim:

34
03:21.650 --> 03:23.920
arp -a

35
03:24.080 --> 03:27.410
This is the default gateway and this is the hacker.

36
03:27.410 --> 03:30.050
Both have the same MAC address!

37
03:30.150 --> 03:37.100
Let's go to the victim machine and visit a website that normally uses an encrypted connection like

38
03:37.190 --> 03:37.860
ing.com

39
03:37.880 --> 03:39.920
ing.com

40
03:46.770 --> 03:55.660
and we notice that the connection is not secure; bettercap has downgraded the connection to HTTP. It's

41
03:55.680 --> 03:57.180
not a secure connection.

42
03:57.270 --> 04:06.600
Normally this connection would use HTTPS; before visiting the site I'd recommend you to clear all

43
04:06.600 --> 04:09.700
browser data by pressing Control

44
04:09.780 --> 04:11.370
+ Shift + Del

45
04:14.320 --> 04:22.300
This attack involves cookies, sessions and so on, and they should not already be on the client's machine,

46
04:22.630 --> 04:27.550
so it would be great for the victim to visit the website for the first time.

47
04:28.360 --> 04:30.400
I won't clear browsing data now.

48
04:32.260 --> 04:36.670
Let's try another domain: shops.audi.com

49
04:42.140 --> 04:50.850
and it's an HTTP connection; without this SSL Stripping running it would have used an encrypted one.

50
04:51.580 --> 04:54.780
HTTPS was downgraded to HTTP.

51
04:57.750 --> 05:03.510
And finally let's try to visit an HSTS domain like YouTube.com

52
05:08.170 --> 05:09.540
and it's not working.

53
05:09.580 --> 05:17.280
The connection is encrypted; we see this lock here and that the connection is secure.

54
05:18.470 --> 05:25.170
SSL Stripping is not working on HSTS domains; they are immune to this attack.

55
05:25.530 --> 05:30.030
OK, that's all about SSL Stripping! In the next lecture

56
05:30.140 --> 05:35.860
I'll give you some advice on how to keep yourself safe while visiting the Web.