Description: Welcome to Part 13 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will learn how to conduct an SSL Man-in-the-Middle attack over wireless. You are urged to watch the following videos, also created by me on this topic, as well; they cover the basics of the attack in more detail:
http://www.securitytube.net/video/100
http://www.securitytube.net/video/101
We will use the setup we created in the previous video and run a couple of new tools, namely Dnsspoof and Burpsuite Proxy. The basic idea is to hijack the application running on the victim by first using Dnsspoof to inject spoofed DNS responses for the DNS requests made by the victim. Once the victim's DNS cache is poisoned, all further requests will be sent to the attacker's IP address. In the SSL MITM case, we will run Burpsuite to attach a proxy to ports 80 and 443. Now when the application on the victim sends any request, it goes through the attacker's proxy. At this point, the attacker can passively monitor or modify any data sent to/from the victim almost transparently. The only indication the victim gets is an alert in the browser window warning him of certificate problems. Now if the victim accepts the risk (which 95% of users do) and clicks through the warning, the rest is history :)
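The DNS poisoning step described above leaves two traces a defender can look for: the spoofed reply races the real resolver's reply, so the client sees two answers for one transaction ID that disagree, and every name collapses onto a single answer IP. The detection logic below is an added example written for this page, not a tool from the video; the capture, the 192.168.1.66 attacker address and the 203.0.113.x / 198.51.100.x addresses are constructed placeholders.

```python
"""Flag dnsspoof-style DNS hijacking in a list of DNS responses seen by a client.

Two tell-tale signs are checked:
1. One transaction ID answered with more than one IP (spoofed reply + real reply).
2. Many unrelated names resolving to the same IP (the attacker answers everything).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    txid: int   # transaction ID echoed from the client's query
    qname: str  # queried name
    ip: str     # A-record answer in the response


def conflicting_txids(answers):
    """Return {txid: set(ips)} for every txid that received disagreeing answers."""
    seen = defaultdict(set)
    for a in answers:
        seen[a.txid].add(a.ip)
    return {t: ips for t, ips in seen.items() if len(ips) > 1}


def sinkhole_ips(answers, min_names=3):
    """Return {ip: set(qnames)} for IPs answering at least min_names distinct names."""
    names = defaultdict(set)
    for a in answers:
        names[a.ip].add(a.qname)
    return {ip: n for ip, n in names.items() if len(n) >= min_names}


# Constructed sample capture (not real traffic). 192.168.1.66 stands in for the
# attacker; the 203.0.113.x / 198.51.100.x answers stand in for the real resolver.
SAMPLE = [
    DnsAnswer(0x1A2B, "mail.example.com", "192.168.1.66"),   # spoofed, arrives first
    DnsAnswer(0x1A2B, "mail.example.com", "203.0.113.10"),   # genuine, arrives later
    DnsAnswer(0x3C4D, "bank.example.net", "192.168.1.66"),
    DnsAnswer(0x3C4D, "bank.example.net", "203.0.113.20"),
    DnsAnswer(0x5E6F, "cdn.example.org", "192.168.1.66"),    # genuine reply lost
    DnsAnswer(0x7A8B, "static.example.org", "198.51.100.7"), # unpoisoned lookup
]


def report(answers=SAMPLE):
    """Run both checks and return their findings together."""
    return {"conflicts": conflicting_txids(answers), "sinkholes": sinkhole_ips(answers)}


if __name__ == "__main__":
    for kind, hits in report().items():
        print(kind, hits)
```

Only the spoofed answers sink to 192.168.1.66, so both checks single it out while the unpoisoned lookup of static.example.org stays clean.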
Tags: wireless, wlan, security, authentication, SSL, MITM, Burpsuite, airodump, airreplay, megaprimer, 802.11
WOOOOOOOOW!!! Nice Vivek, Thank You
Another fantastic video Vivek :-)
Only problem I have is Burp suite has always crashed/hung/frozen the minute it gets a connection. Looks like I'm going to need to fix it, but I hate things made with Java :-< Perhaps I should not be so lazy and look at this as you suggest:
http://www.delegate.org/delegate/
My head hurts...... :-)
I sincerely appreciate the time you take to make these great tutorials.
Bon Courage Mr. Vivek.
You're making these videos faster than I can blink and that's just amazing! Except my dried eyes.
Your expressions and explanations are wonderful and I'm surprised you don't make any mistakes in your speech. Keep up the good work!
Waiting for the next vid.
madispuk
Excellent,Mind blowing, Fantastic.....
"The only indication the victim gets is an alert in the browser window warning him of certificate problems. Now if the victim accepts the risk (which 95% of users do) and clicks through the warning, the rest is history"
Vivek, why don't you use SSLstrip in conjunction with a few other tools? :-)
Amazing hack!! Thanks for making these videos :)
Thanks again my friend for both videos! checking them right now !
I have tried MITM attacks using ARP spoofing, but I think I prefer this method.
Nice video Vivek....
Is your MacBook Pro 15" or 17", and is the RAM 4 GB?
Thanks for everything vivek!
I'm having a lot of fun with this Megaprimer series!
Greetings from Argentina!
woooooooooooow you make videos so fast :O
I can't say anything, only thank you :)
Good Work .. Thanks Vivek.
Vivek, you're the best. Thank you very much.
Vivek, this was a post you made on a nmap video I just saw
--------------------------------------
Vivek-Ramachandran on Sat 26 Feb 2011
Nice! I wish the talk was longer.
I am tempted to start making a Nmap Megaprimer series to include all the little details of Nmap.
Who knows, maybe I might make it :)
-------------------------------------------------
Please!!!!!!!!!!! Do the nmap video series!!!!!!!!!!!!!!
One question: are you planning to explain and demo the Cafe Latte? Also Karmetasploit will be a good thing to explore and demonstrate on the megaprimer!!!!
@zidane, Kamel, madispuk, vital, luizfzs, m0ei, pispuso, behrouz, b345ty, nehun Thanks for all the encouraging comments my friends! :)
@Blackmarketeer Yes, Java sucks but most of the proxies like Burp and Webscarab use it. Delegate is good for automation and I would recommend using it.
@zitstif Very valid point. I should have mentioned Sslstrip as a nice workaround. Not so long ago I made a video on it: http://www.securitytube.net/video/193 I will make a mention of this in a later video when I talk about session hijacking using wireless.
@Fitzroy MITM over ARP is cool but I have found the ARP cache to be unstable and you have to send the spoof updates more often, compared to the DNS cache. This is the reason why I used DNS for hijacking the session.
@esojzuir I have not forgotten the Nmap Megaprimer my friend. I definitely will do so, maybe in June. Yes, Caffe-Latte and some other interesting tools and attacks will also be included.
@Henrucux I have a 17" macbook pro with 4GB ram, damn beautiful and powerful machine. Makes you wanna work more :)
Hi Vivek,
The only issue (and a serious one) I'm finding with Delegate is this nasty warning:
The proxy x.x.x.x is requesting a user name and password. The site says: "!!! CAUTION !!! Man-In-The-Middle DeleGate http://www.delegate.org/mitmwarn
Kind of gives the game away a bit, that :-( Other than that, it's a beautiful proxy.
I've spent most of the morning trying to get around that warning, but no matter how I start it with STLS=mitm it's no dice. Leaving that out of the stanza results in only seeing the TLS/SSL connections, and not the data.
Back to the drawing board for me......
To quote one of your favorite phrases- Awesome :))
Great job Vivek, as always you make us enlightened, but I think if we run SSLstrip on the mitm interface we can bypass the certificate warning, am I right?
Thank you very much
@Blackmarketeer Interesting! The SSL demo with Delegate I had posted in 2008 did not have these issues. I need to check the latest version of delegate and check. If they have hardcoded this we have 3 options:
1. Use an older version (maybe the one I was using in my video)
2. Modify the source of the latest version (Delegate is open source!)
3. Find a new proxy tool
Gimme till next week and I will get back on this.
@WCNA hehe :)
@ahmadqdemat Yes, absolutely right. The only issue with SSLStrip is if the user does not see the SSL in the URL, he might get suspicious.
Quick Update: The next video will be posted on Friday morning. I was not feeling too good today, so took a break for the day. The next topic will be WEP cracking but more details than you have ever seen elsewhere :)
Get well soon Vivek. BTW the -mitm option appears not to be available at all in the source code version, only the pre-compiled binary. This is a royal PITA!
FYI, Keep hold of your old version - whatever you do, don't delete it! I think you were using 9.5.2, it's now 9.9.7 and the whole 9.5.x tree is missing from the download list:
http://www.delegate.org/delegate/
Get well soon, looking forward to WEP cracking :-)
@Blackmarketeer Thanks! I am good just a bit of fatigue. Today is one of those days when you feel a lil lazy and exhausted but really don't know why :)
The bad news is the laptop and VM I used way back in 2008 are all gone. I never checked the latest version of delegate since then. Hmmm ... let's see what we can do.
Ya, I'm also looking forward to methods in case of encryption and authentication
Great videos. Keep up the good work. I'd love to see the caffe-latte attack in action.
Vivek, great as always
Could you tell me what your Alfa card model is? I want to buy one.
thx
Well it's no wonder you're worn out....you're a freakin' securitytube-video-makin' machine!
Take some time off. We'll all be here when you get back.
elostaz3omda said "could you tell me what is your Alfa card model?"
He posted the model number in the first vid. I just ordered the Alfa AWUS036NH 2000mW from data-alliance for $32 to go with my new Asus EEE netbook w/BT4.
Vivek: Get a well deserved rest day man!!!! You have given us a lot of information to digest, so just take your time and get better!!!!! Watch a good movie and just relax!!!
Don't know how to word this, but you've done a fantastic job in producing these videos. I've watched too many tutorial videos and have to say that while some of these videos are excellent, in some cases the speaker does not show confidence in their speech; as a result the viewers are left wondering what the hell he is talking about.
Your case is exceptional and I think God has gifted you. You are very patient, calm, entertaining and above all very confident and this is very important, as it makes video more enjoyable and interesting to watch.
Keep it up, get plenty of rest, you are doing amazing.
elostaz3omda and WCNA:
Note that Vivek is using an Alfa AWUS036H, not the NH version, which is newer, but that version is having some driver problems and is not totally compatible with every software.
I recommend you try to get the one Vivek uses, the AWUS036H. I have had that one for a month and it's working great.
great job vivek. you set the video tutorial bar so high that watching the other videos is painful to do. i'll just wait for your videos to come out instead.
WCNA and pispuso :
Thank you for your consideration.
Nice video!!
Please continue http://www.security-freak.net/worms/worms.html#1 I hope each and every user on sectube wants iT!! Please~!!
I've watched all these videos in one night, and still going. I registered just for this guy!!! Awesome, keep it up. I am a future Pen Tester!!!
Thanks Vivek for your time and amazing videos, I only have one question,
I did the same setup as you did in this video. I can browse the internet when my iPhone or Windows 7 connect to the fake AP, but Windows Vista only gets local access on that network and won't connect to the internet. Any idea why? Shall I post Wireshark results on here?
After looking at the Wireshark results, it shows the Vista workstation is desperately trying to find WPAD (Web Proxy Auto Discovery) and won't connect to the internet, only the LAN.
I finally found my problem and I'm working on a solution to fix it. If anybody has faced this issue and managed to get it fixed, let me know. I will post back if I manage to get it to work... Peace and thanks again Vivek
My notes on this part are here: http://41j.com/blog/2011/10/securitytube-wireless-lan-security-megaprimer-notes-part-12-ssl-man-in-the-middle-attacks/
Great job Vivek,
I'm having a problem with my macbook pro. I've bridged at0 and eth0 but I'm unable to connect to my fake AP with airbase-ng. I've exhausted my search and tried everything I know but I cannot connect to the AP. I'm using a macbook pro 2009 model with BT4R2 through virtual box. I'm curious as to which macbook pro model you are using. Anyone have this issue or know a resolution to it?
Excellent video!! Thanks Vivek. I've a question: when I create a rogue AP and the clients connect to it, they have slow performance... what is happening?? I'm using BackTrack 5 R1 and an Alfa card :S
Hi Vivek and all. First of all, Vivek is awesome as he just explains the way you wished someone could, so cheers. Friends, I'm getting stuck at the last step when you forward the client's request by turning off intercept. I am still getting a "burp proxy error: network not reachable" when I forward or remove the intercepts. Would love to receive help from anyone please. Thanks
I remember in previous videos, vivek says you can log all the requests made and do a password search. how do you do that in burp suite?
Interesting video !!
Thank you Vivek, you have helped me learn a great deal of hacking. Keep it up!!!!
great vid vivek, keep them coming!
question, is delegate found on bt5?
Thanks Vivek !
I was looking at the 100 and 101 videos, but I didn't find the delegate tutorial there .... one explains the theory of MITM, but the other was from the perspective of the victim, and clearly said that the setup of delegate was done somewhere else ...
where can I find this ?
Thanks !!
Another great demo Vivek, awesome :D
I boot my BackTrack from USB now. Please tell me what to do, I am puzzling around; please conduct a video..... Although I did my engineering in mechanical recently, instead of that I am now loving networking because of you. KEEP IT UP
You are the coolest!
I searched for hours to find a video like this. I'll be sharing these with my friends. All of them are great. I skipped the super technical/not-as-much-hands-on videos, but I may watch them later. This has been incredibly helpful. The whole series is great so far. I actually am planning to watch every video of yours that I can find.
Thanks Vivek for the wonderful video!
For anyone that has run into this problem... I have my dnsspoof up and running and I can see where the traffic is occurring, but Burpsuite is not intercepting any traffic. Is there a common cause for this by chance?
Worked this out too.