Video yükleniyor...

Video Yüklenemedi

Ana Sayfaya Dön

Public WiFi: Quick demo for 2 devices on the same network 1. SSLstrip + DNS change leads to user input interception for HTTPS with HSTS bypass 2. DNS spoofing redirects user to attacker controlled website More in upcoming "NetHunter Hacker XIII: Overall guide to MITM framework"

536,514 görüntüleme • 2 yıl önce •via X (Twitter)

10 Yorum

Mobile Hacker profil fotoğrafı
Mobile Hacker2 yıl önce

An attacker can create custom fake access point with internet connection directly from Android smartphone running within a pocket #NetHunter

Mobile Hacker profil fotoğrafı
Mobile Hacker2 yıl önce

✅How to prevent being spied on the public wifi Use specific native mobile apps, not browser, to access services that requires you to enter credentials or sensitive data. These apps should use SSL certificate pinning where attacker can't intercept their traffic

Ricardo Portela profil fotoğrafı
Ricardo Portela2 yıl önce

Which parts of the HSTS will this be able to circumvent? And in native apps where pinning is being used, can you do any kind of attack to the comms using this approach?

Mobile Hacker profil fotoğrafı
Mobile Hacker2 yıl önce

It changes the requested domain by prepending not registered subdomain. Since such subdomain doesn't exist, server will not request browser to use HSTS. If native apps use ssl pinning then it's not possible to use this scenario or intercept such app's traffic without patching it.

Arun Magesh profil fotoğrafı
Arun Magesh2 yıl önce

Where's the https lock? lol!

Mobile Hacker profil fotoğrafı
Mobile Hacker2 yıl önce

SSLStrip stripped it away

✖System✖ profil fotoğrafı
✖System✖2 yıl önce

It's clearly not https

Sarper⚡ profil fotoğrafı
Sarper⚡2 yıl önce

Shouldn't a HTTPS certification error occur when attempting to open the page?

Jason Sawyer profil fotoğrafı
Jason Sawyer1 yıl önce

sigh @UK_Daniel_Card

ghostfirmware profil fotoğrafı
ghostfirmware2 yıl önce

Cómo lo has conseguido? Los dispositivos modernos requieren de que un certificado sea instalado en el dispositivo para conseguir pasar por alto hsts y poder capturar el trafico vía mitmproxy o burpsuite 🤔. Sslstrip vence hsts?

Benzer Videolar