
Getting Sneaky: Using DVWA to identify MiTM attacks

This video explains how to use DVWA to monitor network traffic to identify MiTM attacks.
And for our wireless website manual attack demonstration, our individual wants to go out to the internet. They want to log into a website. So we have our malicious hacker sitting in the middle, and they’re going to be running Wireshark. Now Wireshark, if you’re not familiar, is packet capturing software. It’s really fantastic software used for network troubleshooting. However, we’re going to use it in this example for capturing the username and password. So, I have my machine here - we’re going to start this up. This is DVWA. This is a vulnerable website or program that we run that launches a website, and we’re going to launch Wireshark.
Now I do want to say that you shouldn’t do this on any network that you don’t own. In this particular case, this is a virtual machine. It’s my own virtual machine running the software, so I’m essentially attacking myself. Now DVWA is designed to be vulnerable, so that’s why we’re using this. And we’re going to be using Wireshark, and, again, it’s packet capturing software. A lot of great legitimate uses for it - Windows, Linux, OS X. So, once we launch Wireshark here, we need to select the wireless traffic that we’re going to be capturing - ethernet, wireless; in this case, it’s going to be the virtual machine adapter.
And then we’re going to click the little shark fin here to start it, and then we’re going to start capturing traffic. And this is going to fill up here as soon as it starts detecting traffic being sent. So, going back to the DVWA site here, we’re going to enter in a username and password. This is our user logging into the site. So, we type in admin, and we’re going to type in our super secret password. And we’re going to go ahead and log in. And we’re in the website. Fantastic. Let’s see what Wireshark has. So we’re going to close Wireshark, and we’re also going to bump this up a little bit so you don’t go blind trying to view this.
OK. And under the display filter, I’m going to type in HTTP because it was HTTP traffic, not HTTPS. OK, and if we scroll down in here, we should see some really interesting information. This is all information that was transmitted back and forth. And we can see the SYN and ACK request here, and this is the really interesting stuff. So, password is password, login is login. So, it was able to capture the login and password information because, again, it was an HTTP connection, not HTTPS, which is secure. So that’s why it’s really important to always go to sites using a secure connection.
If an attacker - again, in this case, I’m using Wireshark as a man-in-the-middle attack - they could potentially get all your login information. So, wrapping up: in man-in-the-middle attacks, these types of attacks, the attacker sits between you and your destination. These attacks can be hardware- or software-based. Man-in-the-middle attacks can redirect you to websites that you’re going to, they can collect your login credentials, your passwords, keystrokes, and a lot more.
Now, by monitoring your workstation - by, say, locking it up if it’s a laptop when you’re not there, keeping an eye on if anything strange is plugged into your workstation, just doing a quick scan - you could potentially catch hardware devices trying to snoop on your computer. Connecting to SSIDs: you want to make sure you always connect to SSIDs that you know and trust. So, if you see Starbucks with a dollar sign instead of an S, that’s a pretty bad sign that it’s probably not a legitimate Starbucks SSID. And joining any open Wi-Fi - open Wi-Fi is potentially hazardous, too. Also, you want to be sure of the websites you’re connecting to.
So in these - a lot of the spoof websites, it’s going to be an IP address, or the URL is going to look funny, like PayPal might be ZXDF 12, 13 blah, blah, blah dot pay money now dot com, for example. It’s not going to be because someone’s trying to spoof that website. It might look like a legitimate website, but looking at the URL, it might be an IP address or some crazy URL. That’s another bad sign. And finally, when you’re connecting over to the internet to any site, always make sure you’re using HTTPS, a secure connection. Remember, using HTTP, you’re transmitting in plain text. So that’s always a bad thing.
So this was about man in the middle attacks, and in the next video, we’re going to be talking about the Exploit Database, or ExploitDB. Thanks for watching. I’ll see you in the next video.
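As an added example (not code from the video, DVWA or Wireshark), the script below does in Python what the instructor did by eye with the "http" display filter: it scans captured HTTP requests for login fields and reports those sent without TLS, which is exactly what a man in the middle could read. The per-request scheme, the host dvwa.local and the sample requests are constructed assumptions.

```python
# Added example (not from the video, DVWA or Wireshark): it does in code what the
# Wireshark "http" display filter let the instructor spot by eye.
from urllib.parse import parse_qs, urlparse

# Field names commonly used by login forms (DVWA's form uses username/password).
CREDENTIAL_FIELDS = {"username", "user", "password", "passwd", "pass"}

# Constructed sample captures as (scheme, raw request); not real traffic.
# "Login=Login" is DVWA's submit button, so "login" is not treated as a credential.
CAPTURES = [
    ("http", "POST /login.php HTTP/1.1\r\nHost: dvwa.local\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "username=admin&password=password&Login=Login"),
    ("https", "POST /login.php HTTP/1.1\r\nHost: dvwa.local\r\n"
              "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
              "username=admin&password=password&Login=Login"),
    ("http", "GET /index.php HTTP/1.1\r\nHost: dvwa.local\r\n\r\n"),
]

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def credential_fields(raw):
    """Names of credential-looking fields in the query string or form body."""
    _, path, headers, body = parse_request(raw)
    params = parse_qs(urlparse(path).query)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        params.update(parse_qs(body))
    return sorted(k for k in params if k.lower() in CREDENTIAL_FIELDS)

def exposed_logins(captures):
    """(host, path, fields) for each request that sent credentials without TLS,
    i.e. readable by anyone positioned in the middle, as in the demo."""
    findings = []
    for scheme, raw in captures:
        fields = credential_fields(raw)
        if fields and scheme != "https":
            _, path, headers, _ = parse_request(raw)
            findings.append((headers.get("host", "?"), path, fields))
    return findings

if __name__ == "__main__":
    for host, path, fields in exposed_logins(CAPTURES):
        print(f"plaintext credentials sent to {host}{path}: {', '.join(fields)}")
```

Only the first capture is reported: the same form over HTTPS carries the same fields but is not readable on the wire, and the plain GET carries no credentials at all.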


DVWA is a web application that is vulnerable to attacks and is therefore useful for demonstrating how MiTM attacks can successfully occur.

Reflect and share: Have you tried using traffic monitoring software before? What are the red flags you would look for when monitoring network traffic?

This article is from the free online course Advanced Cyber Security Training: Network Security, created by FutureLearn.
