312-50v11: Certified Ethical Hacker v11 Exam Certification Video Training Course
The complete solution to prepare for your exam with 312-50v11: Certified Ethical Hacker v11 Exam certification video training course. The 312-50v11: Certified Ethical Hacker v11 Exam certification video training course contains a complete set of videos that will provide you with thorough knowledge to understand the key concepts. Top notch prep including ECCouncil CEH 312-50v11 exam dumps, study guide & practice test questions and answers.
312-50v11: Certified Ethical Hacker v11 Exam Certification Video Training Course Exam Curriculum
Introduction
1. What Is Hacking & Why Learn It? (3:00)

Setting Up a Hacking Lab
1. Lab Overview (6:00)
2. Initial Preparation (9:00)
3. Installing Kali Linux as a VM on Windows (9:00)
4. Installing Kali Linux as a VM on Apple Mac OS (10:00)
5. Installing Kali Linux as a VM on M1 Apple Computers (9:00)
6. Installing Kali Linux as a VM on Linux (11:00)

Linux Basics
1. Basic Overview of Kali Linux (5:00)
2. The Terminal & Linux Commands (13:00)

Network Hacking
1. Introduction to Network Penetration Testing / Hacking (2:00)
2. Networks Basics (4:00)
3. Connecting a Wireless Adapter To Kali (7:00)
4. What is MAC Address & How To Change It (8:00)
5. Wireless Modes (Managed & Monitor) (7:00)

Network Hacking - Pre Connection Attacks
1. Packet Sniffing Basics (7:00)
2. WiFi Bands - 2.4Ghz & 5Ghz Frequencies (8:00)
3. Targeted Packet Sniffing (11:00)
4. Deauthentication Attack (Disconnecting Any Device From The Network) (8:00)

Network Hacking - Gaining Access - WEP Cracking
1. Gaining Access Introduction (1:00)
2. Theory Behind Cracking WEP Encryption (6:00)
3. WEP Cracking Basics (6:00)
4. Fake Authentication Attack (7:00)
5. ARP Request Replay Attack (6:00)

Network Hacking - Gaining Access - WPA/WPA2
1. Introduction to WPA and WPA2 Cracking (4:00)
2. Hacking WPA & WPA2 Without a Wordlist (10:00)
3. Capturing The Handshake (7:00)
4. Creating a Wordlist (8:00)
5. Cracking WPA & WPA2 Using a Wordlist Attack (6:00)

Network Hacking - Gaining Access - Security
1. Configuring Wireless Settings for Maximum Security (8:00)

Network Hacking - Post Connection Attacks
1. Introduction to Post-Connection Attacks (2:00)

Network Hacking - Post-Connection Attacks - Information Gathering
1. Installing Windows As a Virtual Machine (6:00)
2. Discovering Devices Connected to the Same Network (8:00)
3. Gathering Sensitive Info About Connected Devices (Device Name, Ports....etc) (7:00)
4. Gathering More Sensitive Info (Running Services, Operating System....etc) (8:00)

Network Hacking - Post-Connection Attacks - MITM Attacks
1. What is ARP Poisoning? (9:00)
2. Intercepting Network Traffic (7:00)
3. Bettercap Basics (8:00)
4. ARP Spoofing Using Bettercap (8:00)
5. Spying on Network Devices (Capturing Passwords, Visited Websites...etc) (5:00)
6. Creating Custom Spoofing Script (10:00)
7. Bypassing HTTPS (11:00)
8. Bypassing HSTS (10:00)
9. DNS Spoofing - Controlling DNS Requests on The Network (11:00)
10. Injecting Javascript Code (10:00)
11. Doing All of The Above Using a Graphical Interface (10:00)
12. Wireshark - Basic Overview & How To Use It With MITM Attacks (8:00)
13. Wireshark - Sniffing & Analysing Data (6:00)
14. Wireshark - Using Filters, Tracing & Dissecting Packets (6:00)
15. Wireshark - Capturing Passwords & Anything Sent By Any Device In The Network (8:00)
16. Creating a Fake Access Point (Honeypot) - Theory (7:00)
17. Creating a Fake Access Point (Honeypot) - Practical (10:00)

Network Hacking - Detection & Security
1. Detecting ARP Poisoning Attacks (5:00)
2. Detecting suspicious Activities In The Network (6:00)
3. Preventing MITM Attacks - Method 1 (9:00)
4. Preventing MITM Attacks - Method 2 (11:00)

Gaining Access - Server Side Attacks
1. Installing Metasploitable As a Virtual Machine (5:00)
2. Introduction to Server-Side Attacks (3:00)
3. Basic Information Gathering & Exploitation (9:00)
4. Hacking a Remote Server Using a Basic Metasploit Exploit (8:00)
5. Exploiting a Code Execution Vulnerability to Hack into a Remote Server (10:00)
6. Nexpose - Installing Nexpose (9:00)
7. Nexpose - Scanning a Target Server For Vulnerabilities (6:00)
8. Nexpose - Analysing Scan Results & Generating Reports (8:00)
9. Server-Side Attacks Conclusion (4:00)

Gaining Access - Client Side Attacks
1. Installing Veil Framework (4:00)
2. Veil Overview & Payloads Basics (7:00)
3. Generating An Undetectable Backdoor (10:00)
4. Listening For Incoming Connections (7:00)
5. Using A Basic Delivery Method To Test The Backdoor & Hack Windows 10 (7:00)
6. Hacking Windows 10 Using Fake Update (12:00)
7. Backdooring Downloads on The Fly to Hack Windows 10 (11:00)
8. How to Protect Yourself From The Discussed Delivery Methods (4:00)

Gaining Access - Client Side Attacks - Social Engineering
1. Maltego Basics (7:00)
2. Discovering Websites, Links & Social Accounts Associated With Target (8:00)
3. Discovering Twitter Friends & Associated Accounts (5:00)
4. Discovering Emails Of The Target's Friends (4:00)
5. Analysing The Gathered Info & Building An Attack Strategy (9:00)
6. Backdooring Any File Type (images, pdf's ...etc) (5:00)
7. Compiling & Changing Trojan's Icon (6:00)
8. Spoofing .exe Extension To Any Extension (jpg, pdf ...etc) (8:00)
9. Spoofing Emails - Setting Up an SMTP Server (7:00)
10. Email Spoofing - Sending Emails as Any Email Account (12:00)
11. Email Spoofing - Method 2 (10:00)
12. BeEF Overview & Basic Hook Method (11:00)
13. BeEF - Hooking Targets Using Bettercap (7:00)
14. BeEF - Running Basic Commands On Target (4:00)
15. BeEF - Stealing Passwords Using A Fake Login Prompt (2:00)
16. BeEF - Hacking Windows 10 Using a Fake Update Prompt (4:00)
17. Detecting Trojans Manually (6:00)
18. Detecting Trojans Using a Sandbox (3:00)

Gaining Access - Using The Above Attacks Outside The Local Network
1. Ex1 - Generating a Backdoor That Works Outside The Network (5:00)
2. Configuring The Router To Forward Connections To Kali (7:00)
3. Ex2 - Using BeEF Outside The Network (6:00)

Post Exploitation
1. Meterpreter Basics (6:00)
2. File System Commands (5:00)
3. Maintaining Access - Basic Methods (5:00)
4. Maintaining Access - Using a Reliable & Undetectable Method (7:00)
5. Spying - Capturing Key Strikes & Taking Screen Shots (3:00)
6. Pivoting - Theory (What is Pivoting?) (6:00)
7. Pivoting - Using a Hacked System to Hack Into Other Systems (8:00)

Website Hacking
1. Introduction - What Is A Website? (4:00)
2. How To Hack a Website? (4:00)

Website Hacking - Information Gathering
1. Gathering Basic Information Using Whois Lookup (6:00)
2. Discovering Technologies Used On The Website (6:00)
3. Gathering Comprehensive DNS Information (10:00)
4. Discovering Websites On The Same Server (4:00)
5. Discovering Subdomains (4:00)
6. Discovering Sensitive Files (7:00)
7. Analysing Discovered Files (4:00)

Website Hacking - File Upload, Code Execution & File Inclusion Vulns
1. Discovering & Exploiting File Upload Vulnerabilities To Hack Websites (7:00)
2. Discovering & Exploiting Code Execution Vulnerabilities To Hack Websites (7:00)
3. Discovering & Exploiting Local File Inclusion Vulnerabilities (5:00)
4. Remote File Inclusion Vulnerabilities - Configuring PHP Settings (4:00)
5. Remote File Inclusion Vulnerabilities - Discovery & Exploitation (6:00)
6. Preventing The Above Vulnerabilities (7:00)

Website Hacking - SQL Injection Vulnerabilities
1. What is SQL? (6:00)
2. Dangers of SQL Injection Vulnerabilities (3:00)
3. Discovering SQL injections In POST (8:00)
4. Bypassing Logins Using SQL injection (5:00)
5. Discovering SQL injections in GET (7:00)
6. Reading Database Information (5:00)
7. Discovering Database Tables (4:00)
8. Extracting Sensitive Data From The Database (Such As Passwords, User info...etc) (4:00)
9. Reading & Writing Files On The Server Using SQL Injection Vulnerability (6:00)
10. Discovering SQL Injections & Extracting Data Using SQLmap (7:00)
11. The Right Way To Prevent SQL Injection Vulnerabilities (5:00)

Website Hacking - Cross Site Scripting Vulnerabilities
1. Introduction to Cross Site Scripting? (3:00)
2. Discovering Reflected XSS (4:00)
3. Discovering Stored XSS (3:00)
4. Exploiting XSS - Hooking Vulnerable Page Visitors To BeEF (6:00)
5. Preventing XSS Vulnerabilities (5:00)

Website Hacking - Discovering Vulnerabilities Automatically
1. Automatically Scanning Target Website For Vulnerabilities (4:00)
2. Analysing Scan Results (4:00)
3. Website Hacking / Penetration Testing Conclusion (5:00)
4. Writing a Pentest Report (14:00)

About 312-50v11: Certified Ethical Hacker v11 Exam Certification Video Training Course
312-50v11: Certified Ethical Hacker v11 Exam certification video training course by prepaway along with practice test questions and answers, study guide and exam dumps provides the ultimate training package to help you pass.
Network Hacking - Detection & Security
3. Preventing MITM Attacks - Method 1
In the previous lectures, we learned how to detect ARP spoofing attacks by manually analysing the ARP tables. We also learned how to install tools such as XArp to automatically detect ARP spoofing attacks without having to manually check the ARP tables.
And we even learned how to detect other suspicious activities using Wireshark. Now, this is really good, but it still has a few problems. First of all, we're only talking about detection. So even when we detect that someone is intercepting the connection, we can't really do much. All we could do is simply disconnect from the network and maybe change its password if we could, if we own the network. If it's something that's more difficult, or if this is a public network, such as an airport, a hotel, or a college network, then all we can do is simply disconnect and use a different network because we can't change its password.
The other problem with the previous methods is that, like I said, they are only detection methods. Therefore, they'll only work if the attacker manages to become "the man in the middle" using ARP spoofing. But what if someone is able to intercept the connection using another method? For example, someone could be running a fake access point like I showed you earlier, and you connect to this fake access point. Or you connect to a hotel, a college public WiFi network, or a cafe network, and the admin of that network is actually collecting data, or a hacker gained access to the admin's computer and again is analysing the data. By default, in fake networks and in any network, the admin is able to see the traffic because the traffic will have to go through their server or through their router. So the detection methods that I showed you earlier won't even work against this.
Therefore, in this lecture, I want to discuss two solutions to this problem. So the idea is that you use these solutions if you discover that you're being attacked or if you're connecting to a network that you don't own and manage yourself. So if you're connecting to a college network, an airport network, a cafe network, or any other network that you don't have control over, the solution to all of this is to encrypt your traffic. If you encrypt your traffic, we don't care if someone is able to intercept it because our traffic will be encrypted, which means it will be gibberish and useless to whoever is intercepting it.
So there are a number of ways to do this, and I'll explain how they work as we go through them. So let me show you this in action. Right here, I'm already running Bettercap, and as you can see, it's already getting information. And right here is my target. And we've already signed up for vulnweb. And if we just click on anything to show you, you'll see the domain is going to be detected here. And then let's just quickly log in. You'll see that this login attempt will be detected. So far, we've got the username "admin" and the password "test." Again, if we try, I'll just open a new tab and go to Stack Overflow.
As you can see, it loads over HTTP rather than HTTPS. So again, if I go ahead and log in, I'll be able to log in and detect the password. And the HSTS method that I showed you earlier will again work, and we'll be able to bypass that and steal the password. So right now, this Kali machine is able to intercept all the data that is sent to and from my Windows machine right here. So the first method to prevent these attacks is to not care if we're being attacked.
Again, I'm not running XArp, I'm not managing my ARP tables, and I don't care if someone intercepts my data. What I'm going to do is install the HTTPS Everywhere browser plug-in. So I'm going to be installing it on Firefox. I'll include its link in the resources for this lecture. But there is an equivalent of this plugin for most browsers, such as Chrome and others. All you have to do is simply click on "Add to Firefox" or "Add to Browser," whatever browser you use. We're going to click on "Add" in here, and that's it. The plugin is added here. As you can see, we're going to click OK, and we can manage it from the top right icon. As you can see, it's currently set to off.
And if I click this, I will turn on this plugin. And, in essence, what this plugin will do is add HSTS support to more websites, essentially any website that uses HTTPS. Therefore, for example, when I tried to access Stack Overflow in here, I was able to downgrade it because my browser does not know that this website should be loaded over HTTPS, and Bettercap was downgrading the HTTPS requests to HTTP, like I explained in previous lectures. What this plugin will do is, similar to HSTS, have a list of websites that support HTTPS.
As a result, if we try to downgrade this website's HTTPS connection to an HTTP connection, it will tell the browser, "No, don't do that," and it will upgrade it to an HTTPS connection again. So let me show you. I'm just going to delete the history, and I'm going to load Stack Overflow again. And perfect. As you can see, it's loading with HTTPS in here. Therefore, now if I go and log in, my information will be encrypted, and therefore the hacker won't be able to see my username and password.
So that's really, really good, but not perfect. Let me tell you why it's not perfect. First of all, if we go back to an HTTP website, again, similar to what we have here with vulnweb. So I'm just going to log out, and we'll log in again with another password.
I'll just change the password now to 123-456-7890. We log in, and if we go back here to the logs all the way down, you'll see we are still able to detect the username and password. So this plugin is really good for websites that support HTTPS. It will force us to load HTTPS on websites that support HTTPS. But if you access a website that only uses HTTP (such as vulnweb), I know there aren't a lot of websites that do that, but they still exist. So if you access any website that uses only HTTP, then that website is still open to the hacker. So the hacker can still see this information. They'll still be able to steal usernames and passwords if you send usernames and passwords to them.
Not only that, but they will also still be able to replace downloads, serve you fake updates, or inject JavaScript code like we've seen earlier and get you hooked to BeEF. HTTPS Everywhere also does not prevent the hacker from seeing the websites that you access and running DNS spoofing attacks. Let me show you.
So, for example, if I go to Bing.com and then to duckduckgo.com, keep in mind that HTTPS Everywhere is still working. And let's go to the hacker machine and just look at our logs. So as you can see, we can still see that our target went to DuckDuckGo. We can still see that the target went to Google; we can see that the target went to Bing, so we can still see the domain names, but we can't see the data that gets sent because that will be encrypted with HTTPS. So there is still some data that the hacker is able to get. If you want to take your security to the next level and completely encrypt everything you send and receive, then you should think about using a VPN. Therefore, in the next lecture, I'll explain to you what a VPN is, how it works, and how it can protect us from hackers or anybody else that intercepts.
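The upgrade behaviour described in this lecture, as an added example that is not part of the course material: a simplified model of how a browser decides whether to rewrite an http:// navigation to https://, using either an HSTS header it has already learned or a bundled host list of the kind the plugin ships. The `UpgradePolicy` class, its list format and the `.example` hostnames are assumptions made for the illustration; HTTPS Everywhere's real rulesets are richer than this.

```javascript
// Added illustration (not browser or extension source code): a simplified
// model of the HTTP-to-HTTPS upgrade decision made before a request is sent.
// Hostnames use the reserved .example TLD and are constructed for this demo.

// Parse a Strict-Transport-Security header value (RFC 6797, section 6.1).
// Returns null when unusable: no max-age, non-numeric max-age, or a duplicate.
function parseHsts(value) {
  let maxAge = null;
  let includeSubDomains = false;
  const seen = new Set();
  for (const raw of value.split(';')) {
    const part = raw.trim();
    if (part === '') continue;
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let val = eq === -1 ? '' : part.slice(eq + 1).trim();
    if (seen.has(name)) return null;
    seen.add(name);
    if (val.length >= 2 && val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    if (name === 'max-age') {
      if (!/^\d+$/.test(val)) return null;
      maxAge = Number(val);
    } else if (name === 'includesubdomains') {
      includeSubDomains = true;
    } // any other directive is ignored
  }
  return maxAge === null ? null : { maxAge, includeSubDomains };
}

class UpgradePolicy {
  // bundledHosts models a list shipped with the browser or an extension:
  // "host" matches exactly, "*.host" matches any subdomain of host.
  constructor(bundledHosts = []) {
    this.bundled = new Set(bundledHosts.map((h) => h.toLowerCase()));
    this.learned = new Map(); // host -> { expires (ms), includeSubDomains }
  }

  // Learn a policy from a response. The header only counts over HTTPS: on
  // plain HTTP anyone on the path could have added or stripped it.
  observeResponse(url, headers, now) {
    const u = new URL(url);
    const raw = headers['strict-transport-security'];
    if (u.protocol !== 'https:' || raw === undefined) return false;
    const policy = parseHsts(raw);
    if (policy === null) return false;
    const expires = now + policy.maxAge * 1000;
    if (policy.maxAge === 0) this.learned.delete(u.hostname); // max-age=0 forgets the host
    else this.learned.set(u.hostname, { expires, includeSubDomains: policy.includeSubDomains });
    return true;
  }

  // Walk from the full hostname up through its parent domains.
  matchReason(host, now) {
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const name = labels.slice(i).join('.');
      if (this.bundled.has(i === 0 ? name : '*.' + name)) return 'ruleset';
      const entry = this.learned.get(name);
      if (!entry) continue;
      if (entry.expires <= now) this.learned.delete(name); // expired: forget it
      else if (i === 0 || entry.includeSubDomains) return 'hsts';
    }
    return null;
  }

  // Decide what actually goes on the wire for a navigation to `url`.
  decide(url, now) {
    const u = new URL(url);
    if (u.protocol !== 'http:') return { url: u.href, upgraded: false, reason: 'not-http' };
    const reason = this.matchReason(u.hostname, now);
    if (reason === null) return { url: u.href, upgraded: false, reason: 'no-policy' };
    u.protocol = 'https:';
    return { url: u.href, upgraded: true, reason };
  }
}

function demo() {
  const t0 = 1700000000000; // fixed clock in ms so the run is repeatable
  const header = { 'strict-transport-security': 'max-age=31536000; includeSubDomains' };
  const noList = new UpgradePolicy(); // learns only from headers
  const withList = new UpgradePolicy(['secure.example', '*.secure.example']);
  const out = {};
  // First visit without a list: nothing tells the browser to insist on HTTPS.
  out.firstVisit = noList.decide('http://secure.example/login', t0);
  // A header seen over plain HTTP must not be trusted.
  out.forgedOverHttp = noList.observeResponse('http://secure.example/', header, t0);
  noList.observeResponse('https://secure.example/', header, t0);
  out.secondVisit = noList.decide('http://secure.example/login', t0 + 1000);
  out.subdomain = noList.decide('http://login.secure.example/', t0 + 1000);
  out.afterExpiry = noList.decide('http://secure.example/login', t0 + 31536001 * 1000);
  // With a bundled list the very first visit is already upgraded.
  out.listFirstVisit = withList.decide('http://secure.example/login', t0);
  // A host that is on no list and never sends the header stays on HTTP.
  out.httpOnly = withList.decide('http://plain.example/login', t0);
  return out;
}

console.log(demo());
```

The `httpOnly` result is the case the lecture's second login hits: no list and no header can upgrade a site that does not serve HTTPS, so its traffic stays readable on the path.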
4. Preventing MITM Attacks - Method 2
In the previous lecture, we discussed a good solution to protect us from man-in-the-middle attacks. And that solution was to use the HTTPS Everywhere plugin. With this plugin, as seen earlier, we were able to force all HTTPS websites to always load over HTTPS. Therefore, if anybody intercepts our data, it will be useless because it will be encrypted with HTTPS.
So this solution is really good. It's free. The only problem is, as you know, that it only works with websites that use HTTPS. So, as we saw earlier, if you log in or use an HTTP website, your data is still exposed. Hackers or anybody else that intercepts your data is still able to read your usernames or passwords, inject JavaScript code, serve you fake updates, and so on. Also, as seen earlier, with this plugin, the hacker or anybody else that intercepts your data will be able to see the websites that you visit. Not only that, but they'll be able to manipulate DNS requests, allowing them to launch DNS spoofing attacks. At the end of the previous lecture, I said that if you want to take your security to the next level, then you should think about using a VPN.
Let me show you what happens when we use a VPN, and then I'll explain it in more detail to help you understand what's happening. So I'm back here at my hacker machine. As you know, it's already the man in the middle. I'm going to clear the screen, and I'm actually going to turn off HTTPS Everywhere. Now, it's a good idea to use both at the same time, but I'm just going to turn it off to show you the difference. You can use any VPN provider you want.
It really doesn't matter. Most of them use more or less the same technologies. We at zSecurity provide our own VPN service called zSVPN. So I have it right here. It comes with no logs. We support all operating systems, including Linux, Windows, OS X, Android, iOS, and even Tails, which is a privacy-focused Linux distro. So, like I said, you can use anything you want. They all use more or less the same technology. What I want to highlight right now is what happens when you actually go ahead and use a VPN. So I'm going to open my client, and I'm going to connect to a server, one of these servers right here. And what this will do is establish an encrypted tunnel between my computer and the VPN server that I just connected to.
Therefore, right now, let me show you. Let's just start. I'll delete everything, and let's start by going to some websites. For example, we'll go to Google.com, then Bing.com, and then let's go to Stack Overflow and make sure it loads over HTTPS. Now keep in mind that I am not using HTTPS Everywhere, but you'll notice that it will still load over HTTPS. As you can see, we're not able to downgrade it. And let's take this even one step further. Let's go to vulnweb.com and just log in. So again, this is a website that only uses HTTP. It simply does not support HTTPS. But let's log in and see if we can still capture the data.
So I'll just type in my phone number: 098-765-4321. Log in, and let's go back to our Kali machine to see if we detected anything. Now, as you can see, we're not able to read any of the traffic sent to and from the target. So, in the case where we used HTTPS Everywhere, we were able to see at least the domains and websites visited by the target, as well as data sent over HTTP when we logged in to vulnweb.com.
But in this case, as you can see right now, we can't see the username and the password, even if they're sent over HTTP to vulnweb. And we can't see the domain names that the target visited. And the reason for this is because we are using a VPN. And like I said, a VPN creates an encrypted tunnel between our computer and a server, and all of our data will be sent through this encrypted tunnel.
Let me explain this to you with diagrams to make it simpler. So in general, let's say you try to go to Google.com. Your connection will pass through a number of hops, but at the end it's going directly to Google.com, hence the red arrow indicating that this connection could possibly not be encrypted. Therefore, your data might be at risk.
Now, when you use a VPN, you connect to a VPN server in a certain country. And when you do that, you create an encrypted tunnel between your computer and the VPN server. So let's say you want to go to Google.com. That request will first be sent to the VPN server.
Now, the VPN server will be able to read this, but the data is sent in an encrypted tunnel. Therefore, if anybody intercepts this data, they will not be able to see what you are sending to your VPN server. That's why we don't even care if someone manages to intercept our connection, because our data is simply going to be gibberish to them, as you can see here.
Then, once the VPN server receives your request, it will forward it to the destination that you're requesting, and the response will follow a similar route. Now, because of this structure and the way that the data is always encrypted between you and the VPN server, using a VPN can be useful in so many scenarios because it has an extra layer of encryption. Therefore, it improves our privacy and anonymity in general, and it allows us to bypass censorship.
Because, let's say, your Internet service provider is preventing you from accessing certain services or certain websites, they will not be able to know what these websites and these services are because, again, the connection is encrypted, and they won't even know what you're doing. All they'll see is that you're connecting to a server in some country.
And last but not least, it will also protect us from hackers or anybody else that intercepts our connection. Again, because all of our data is encrypted, we don't really care who intercepts this data; the data will be gibberish. Now, also because of this structure, you need to be careful when you pick a VPN provider because this structure introduces the VPN provider as a man in the middle. So as you can see, we send everything to the VPN server first, and then it goes to the Internet.
The VPN server is able to decrypt this data because the tunnel, the VPN encryption, is only used between our computer and the VPN server. So if the admin of the VPN server wanted to analyse your data and see what you sent and received, they would be able to do that.
Therefore, you need to make sure that you pick a reputable VPN provider, a company that you can trust. You want to stay away from free providers because providing a VPN service is very expensive. Therefore, if someone is able to give it to you for free, they must have another angle or another reason for why they are giving it to you for free.
You want to make sure that the VPN provider keeps no logs, and with all of that, you can use the HTTPS Everywhere plugin with the VPN. If you do that, you will actually fix the problem of the data leaving the VPN server.
Because your data will be encrypted between your computer and the VPN server with two layers of encryption: first, using the VPN encryption, and second, using TLS because of HTTPS Everywhere. Then data leaving the VPN server will be encrypted with one layer of encryption, which is the encryption enforced by HTTPS Everywhere. Therefore, even though the VPN provider is able to see your data and decrypt the encryption used in the VPN tunnel, they will still not be able to see your data because it will still be encrypted with TLS. So this basically solves the problem of the VPN server being able to see your data because at the VPN server, your data will still be encrypted with TLS.
So to summarise the two methods that we covered to protect our data from man-in-the-middle attacks: with HTTPS Everywhere, it's great. It's free. The only problem is that it only works with HTTPS websites. The person intercepting the data will still be able to see the websites we visit, and they will still be able to run DNS spoofing attacks.
Then we spoke about using a VPN, and with a VPN, everything gets encrypted. So that's even better. None of the attacks that we talked about and that we covered in this course will work because everything gets encrypted. The only problem is that it's not free. There are free services. But, as I previously stated, they aren't great, so you shouldn't use them. Just don't use a VPN if you don't want to pay for it.
The other problem with the VPN is that the provider can see your data. So you're introducing a man in the middle. But we can take this one step further and use HTTPS Everywhere with a VPN. And with that, we're getting all of the benefits of using a VPN, so everything gets encrypted, protecting us from all "man in the middle" attacks, but without the problem of the VPN provider being able to see our data.
Because our data will be encrypted with two layers, even the VPN provider will not be able to see what we send or receive because it'll still be encrypted with TLS. So the only downside to using HTTPS Everywhere with a VPN is that you have to pay for the VPN.
Gaining Access - Server Side Attacks
1. Installing Metasploitable As a Virtual Machine
We'll start talking about server-side attacks next week. I'm going to teach you what a server is, and we're going to talk about that in detail. But before we jump into this, we need to have a computer or a machine that acts as a server so that we can try to hack into it. So, similar to how we had a Windows machine to practise attacks we could launch against normal users, we need to have another virtual machine that behaves like a server so that we can practise server-side attacks against it and see how we can hack into servers.
So the machine that we're going to use is called Metasploitable; it's a virtual machine that's built on Linux, and it contains a number of services that are typically used by servers. It also contains a number of web applications that act exactly like normal web applications and use the same technologies used by normal servers and normal web applications. So we're going to install this machine, and then in the future we're going to use it as a target to learn how to hack into servers and how to hack into websites. You can download this from the following link: Now I've also included this link in the resources for this lecture. If you click on this link, you'll get this page, and all you have to do is simply click on "Download" to download it.
I've already done that to save time. So if I go to my downloads directory in here, you will see that I have a zip archive in here called Metasploitable 2. And we know that this is an archive, a zip archive, because we can see the icon, and you can see the file type. So in order to uncompress this, as we saw before, we have to first double-click it to access it. We're going to right-click and copy. We're going to go back one directory and paste it here. On Linux, you'll have to right-click it and click on "Extract here."
And on Mac OS, you're going to have to double-click it to uncompress it. We're going to give it some time to uncompress the contents of this file. And once this process is over, you'll see that you'll have a new directory in here with the contents of this virtual machine. To import it into VMware, we're going to double-click VMware to open it, and then we're going to click on "Open a virtual machine." We're going to navigate to the location where we downloaded this virtual machine. So it's in my downloads. It's called Metasploitable for Linux. And the only file that we can double-click is this file called Metasploitable. We're going to open it, and perfect. As you can see, VMware added it there for us.
You can click on Edit Virtual Machine Settings to edit its settings. The main thing you want to make sure of is that it's connected to the NAT network, as you can see here, the same NAT network that all of the other virtual machines are connected to. Once you're sure of that, we're going to click on "Start" to start it. We're going to say, "I copied it." This pop-up is asking us if we want to install the VMware tools for this machine.
This is not necessary at all, especially for this machine. So we're going to click on "Remind me later," and perfect. As you can see, this machine is now installed and ready to be used. Now it's asking us to log in. So the default username is msfadmin, and the default password is the same as well: msfadmin. But you'll notice when you type in the password, you will not see the characters on screen. This is normal. It's a security feature to prevent people other than you from seeing the password.
So simply type msfadmin and hit Enter, and you should be allowed to log in. And that's pretty much it. Right now we have this virtual machine installed inside our own main operating system within our hacking lab, and we're going to use it as a target to practise a number of attacks. Don't be intimidated by the way this machine looks.
We're actually not going to be using it much. We're only going to be using it as a target, and you'll know what I mean as we go through the course. So for now, our job is done. We managed to install a vulnerable server as a virtual machine so we could test server-side attacks and other attacks in the next lectures in this course.
2. Introduction to Server-Side Attacks
So the first thing we're going to look at is the server-side attacks. And again, these are the attacks that don't require user interaction. These attacks can be used against servers, such as web servers. And you can also use it against the normal computers that people use every day.
The reason why I'm going to be using it against my Metasploitable machine, which runs Unix and is more of a server than a normal personal computer, is because if your target uses a personal computer and if they're not on the same network as you, then even if you get their IP address, their IP address is going to be behind the router.
So they'll probably be connecting through a router. And therefore, if you use the IP to try and determine what operating systems run on it and what applications are installed, you will not get much useful information because you're only going to be getting information about the router and not about the person because the person is hiding behind the router. Whereas when you're targeting a web server or a server in general, then the server will have an IP address, and with that IP address, you can access it directly on the Internet.
So these ways of gathering information that we're going to look at now will work if the person is on the same network and if the person has a real IP. So, if you can ping the person, even if it's a personal computer, you can run all of the attacks and information gathering methods that we're going to describe. Now, in my example, I'm going to be targeting my Metasploitable machine here.
So if I do IP configuration, or if I do ifconfig, you'll see that my IP is 1020-14-44, and if I go to my Kali machine, I should be able to ping it. Now if I can't ping it, we won't be able to do anything. And as you can see, we're getting responses back from the machine, so we can try and test its security. So, once again, you can use these attacks and approaches against any computer that can be pinged.
So, whether it's a personal computer or a server of any kind, as long as you can ping that direction or ping that person, you can use the attacks and methods discussed in the server-side attacks. So it's going to work against websites, web servers, people, and normal computers, as long as you can ping them. And just to convey this idea, now we see the Metasploitable machine right there.
So it's just a normal machine; it's a normal virtual machine that I can use right here to do anything I want. I can list it; I can even install a graphical interface, and then I'll be able to use it just like I use my Kali machine, but at the same time, it has a web server.
So if I try to navigate to it from here, you'll see that I actually have a web server here, and it has websites that I can actually read and browse. We're actually going to have a look at these websites and see how we can pen-test them in the future. So everything is a computer. If you can ping that IP, you can use server-side attacks. It mostly works against servers because servers always have real IPs. You can also ping the person and perform all of these attacks if they are on the same network as you.
Prepaway's 312-50v11: Certified Ethical Hacker v11 Exam video training course for passing certification exams is the only solution which you need.
312-50v11 Premium Bundle
- Premium File 400 Questions & Answers. Last update: Dec 12, 2024
- Training Course 135 Video Lectures
- Study Guide 976 Pages