HACK FACEBOOK BY BREAKING THE SSL

By -

HACK FACEBOOK BY BREAKING THE SSL
By Parth Makadiya

In my previous post I've discussed how user's session is hijacked and how SSL/TLS is incorporated for secure communication. But still the hackers can sniff the user credentials by breaking the SSL/TLS. This technique is referred to SSLstrip which was released by Moxie Marlinspike to demonstrate the vulnerabilities he spoke about at Black Hat Technical Security Conference: USA 2009.




In this scope I'll be using BackTrack, a Penetration Testing Distribution integrated with the below tools to scan the Network, set up Firewall rules, MIMA, monitor client-server HTTP connection and sniff packets.

  1. NMAP
  2. IPTABLES
  3. ARPSPOOF
  4. SSLSTRIP
  5. ETTERCAP

SSLstrip strips out HTTPS links from unencrypted webpages, replaces them with HTTP links and sends the altered pages to the client. The client never sees an HTTPS link to click on, only the unencrypred HTTP version.



  • Techniques:   

1. First Scan your network and find the target using NMAP, a Network Scanner. In this case i got 192.168.1.5 as the Target.



  2. Next I need to start the IP Forwarding which enables my machine to forward any network traffic it receives from the target to the router.



3. Next Set up port redirection using IPtables.



4. Next Man-In-The-Middle-Attack (MIMA) is begun by exploiting ARP Cache Poisoning to intercept network traffic between the target and the router.  



5. Start the SSLstrip tool and make it listen to default port 10000.

 


6. Start Ettercap to sniff the packets to fetch user credentials.



Once this setup is up and running perfectly, let the victim login the Facebook. In particular, the victim's HTTP traffic will be redirected to our port 10000, where SSLstrip is listening. After this we will be able to eavesdrop and steal all of the victim's passwords sent supposedly over SSL/TLS.



  • Protection:
1. Force-TLS add-on allows web sites to tell Firefox that they should be served via HTTPS in the future; this helps secure you from accidentally negotiating an insecure session with certain sites. 
 

2. HTTP Strict Transport Security (HSTS) is a web security policy mechanism whereby a web server declares that complying user agents (such as a web browser) are to interact with it using only secure HTTPS connections (i.e. HTTP layered over TLS/SSL) 




Be extra careful

Happy Hacking...Enjoy... 

For educational purpose only...Do not misuse it...

Comments

Post a Comment

Popular posts from this blog

A Ten Year Journey: How SEO PowerSuite Has Kept Its SEO Tools Current

By -
Image
By Parth Makadiya I reviewed  PowerSuite set of tools in a previous post and am adding further information about their evolution through the years as part of a sponsored post series. We’ve all heard the old saying “The only thing that stays the same is that everything changes”. And in the online marketing industry, change has always been the name of the game. From staying on top of the zoo Google keeps throwing at us, to dodging curve balls from Facebook Ads, to figuring out each new social platform that pops up – if you aren’t flexible, then online marketing may not be for you. As our industry continuously shifts, the tools we use must change and adapt just as fast. Through out all the changes, one tool set has continued to help SEO experts attain higher rankings, increase traffic, and spy on their competition. We know them now as  SEO PowerSuite . Yet, this tool set has evolved over the last ten years. It’s fun to look back on where you’ve come through the waves of Goog
Read more

Create Separate Contact Page in Blogger

By -
Image
By Parth Patel Share On Google+ Add This To Delicious Tweet/ReTweet This Share on Facebook StumbleUpon This Digg This Blogger launched it’s official version of the Contact Form Widget but, it works only on the Blogger Sidebar. If you don’t want to add the contact form to your Blog’s sidebar but want it to appear on a specific page, then this tutorial will help you out. I didn’t want the contact form to appear every where on my blog. So I have moved it to a separate Contact Me Page How to move the Blogger Contact Form to a separate Page Follow the below steps to move the Contact Form to a separate page. If you would like to see a demo, you can check out my Contact page. First, add the Blogger Contact Form Widget to your sidebar. (We will hide the contact form later in this tutorial, but you have to add it) .  Now create a new page in your blog Copy the below contact form code block <form name='contact-form'> <div>Your Name : </div> &
Read more

4 Ways to Crack a Facebook Password and How to Protect Yourself from Them

By -
Image
     We share our lives on Facebook. We share our birthdays and our anniversaries. We share our vacation plans and locations. We share the births of our sons and the deaths of our fathers. We share our most cherished moments and our most painful thoughts. We divulge every aspect of our lives. We even clamor to see the  latest versions even before they're ready  for primetime. But we sometimes forget who's watching. We use Facebook as a tool to connect, but there are those people who use that connectivity for malicious purposes. We reveal what others can use against us. They know when we're not home and for how long we're gone. They know the answers to our security questions. People can practically steal our identities—and that's just with the visible information we purposely give away through our public Facebook profile. The scariest part is that as we get more comfortable with advances in technology, we actually become more susceptible to hacking. A
Read more