Check out a free preview of the full Web Security course
The "Hardware" Lesson is part of the full, Web Security course featured in this preview video. Here's what you'd learn in this lesson:
Mike examines hardware gear necessary to perform Man-in-the-Middle attacks.
Transcript from the "Hardware" Lesson
[00:00:00]
>> Mike North: So here is some gear I use for this kind of stuff. Just to describe to you how easy this might be to accomplish. The WiFi Pineapple, this is a Linux box. It runs on a 5 volt USB power thing, so like it's just getting power from this port, it could get power from an iPhone charger too.
[00:00:21]
It has the double WiFi cards. It has an app store where you can download an SSL strip plugin or a malicious captive portal where it would say, enter your credit card number, $0.99, free WiFi throughout the whole city of Minneapolis. Only today, for the next 30 seconds, enter your credit card number, and capture all that stuff.
[00:00:42]
I run Kali Linux in a virtual machine which we already saw earlier today. That comes with tools pre-installed, that's the main benefit of that. And it has a bunch of WiFi drivers. In Linux, you have to install some kernel extensions to support a wide range of wireless cards.
[00:01:00]
This is set up to already be oriented towards that. And then finally, this little thing here. It is a WiFi antenna and a radio that it's about between 10 and 15 times more powerful than what you have in your laptop because you don't want to drain the battery any more than is necessary so they don't install mega WiFI radios in these laptops.
[00:01:27]
And additionally it's a little big and so you have a light antenna I have an antenna that could hit another building from here. And the idea is you can cast a huge net and effect a broad range of people. And also have a very, very strong signal because devices will have a bias for joining a super strong WiFi signal.
[00:01:53]
You wanna join the five bars, not the one bar, right? So the WiFi Pineapple's about $100 if you can get it on sale and I think it was 9.99 for this thing. You don't need a whole lot of investment to cause trouble with this, I say this because anybody could do it.
[00:02:09]
They make little wired devices, I believe this even comes with the tape on it and the handwritten IT do not remove sticker. It's just mean to sort of blend in with every little black plastic box thing that you have in an IT environment. So this is my favorite here.
[00:02:28]
For $5 extra you can get something that would set on top of this that's plug into the wall. It looks like a smoke detector, the lights actually turn on and it actually beeps when you press the button. So short of like taking a broom and whacking this off the wall to see if its insides look like a smoke detector you're not going to be able to stop this from happening.
[00:02:48]
So we have to build our applications in such a way that it helps insulate users from this thing that we really can't stop. Well let's say we even lock down WiFi. There's one step further here, and that is to use something called a Femtocell. So this is, if you have a weak cell signal in your home, right, say you live out in the country.
[00:03:10]
You can call your cellular service provider and they will be glad to rent you one of these things. It essentially is a little mini cell tower that you put in your home and it'll use your cable Internet connection or your DSL connection to essentially create a little mini-cell tower that your devices will join.
[00:03:28]
Why this is sort of interesting and potentially a little dangerous. While, number one, you're not just providing your own WiFi network with your own name and your own password. You don't log into this thing. Anyone who happens to walk by takes advantage of it. The second thing is you don't have a choice about joining this.
[00:03:51]
Your device hops on to it just as it hops on to a LTE network. So short of going into airplane mode there’s really no way to avoid jumping on these. They’re on sale, they're a couple hundred dollars on eBay and they absolutely been hacked were people can just get cellphones to join these and they can read your texts.
[00:04:10]
Listen to your voice calls, monitor traffic that's going through them. So assume that someone will man in the middle of your users, even if they're vigilant and they always use a VPN. Eventually they're gonna get onto cellular service and most people are not aware that this kind of thing exists.
Learn Straight from the Experts Who Shape the Modern Web
- In-depth Courses
- Industry Leading Experts
- Learning Paths
- Live Interactive Workshops