Video yükleniyor...
Video Yüklenemedi
Public WiFi: Quick demo for 2 devices on the same network 1. SSLstrip + DNS change leads to user input interception for HTTPS with HSTS bypass 2. DNS spoofing redirects user to attacker controlled website More in upcoming "NetHunter Hacker XIII: Overall guide to MITM framework"
536,514 görüntüleme • 2 yıl önce •via X (Twitter)
10 Yorum

An attacker can create custom fake access point with internet connection directly from Android smartphone running within a pocket #NetHunter

✅How to prevent being spied on the public wifi Use specific native mobile apps, not browser, to access services that requires you to enter credentials or sensitive data. These apps should use SSL certificate pinning where attacker can't intercept their traffic

Which parts of the HSTS will this be able to circumvent? And in native apps where pinning is being used, can you do any kind of attack to the comms using this approach?

It changes the requested domain by prepending not registered subdomain. Since such subdomain doesn't exist, server will not request browser to use HSTS. If native apps use ssl pinning then it's not possible to use this scenario or intercept such app's traffic without patching it.

Where's the https lock? lol!

SSLStrip stripped it away

It's clearly not https

Shouldn't a HTTPS certification error occur when attempting to open the page?

sigh @UK_Daniel_Card

Cómo lo has conseguido? Los dispositivos modernos requieren de que un certificado sea instalado en el dispositivo para conseguir pasar por alto hsts y poder capturar el trafico vía mitmproxy o burpsuite 🤔. Sslstrip vence hsts?
Benzer Videolar
Sensitive content
Is your wifi network well protected? 👉 In 3 minutes, I discovered 175 access points with 79 connected devices using just a smartphone #nethunter
Mobile Hacker
227,305 görüntüleme • 1 yıl önce
