Learn how an HTTPS secure connection can be downgraded to an insecure HTTP connection to enable sensitive data to be intercepted.
- [Voiceover] One of the weaknesses…of a man in the middle attack…is that it requires the attacker to use…a fake certificate with their public key.…Some sites may detect this,…and warn that the certificate is invalid.…SSL stripping is an attack…which is used in the key exchange protocol,…and is used to downgrade security for the connection…without interfering with the certificate exchange.…This is also known as an HTTP downgrade attack.…Let's look at what happens…when an attacker downgrades the connection.…
Again, this starts with a man in the middle.…The client enters the server URL to connect to,…for example, their online banking system.…The communications path is being subverted…to send that message to the attacker.…The attacker takes this message,…and sends it on to the server.…The server thinks this comes from the real client.…The server responds to the attacker…with an internet banking log-in page…using HTTPS.…The attacker modifies that response,…changing it to HTTP,…and sends it back to the client.…
The server carries out a standard SSL exchange…
This course teaches you what session hijacking is, and how black-hat hackers use it to attack an organization. Learn how TCP, web, and wireless protocols work and how hackers exploit them. Find out how to use built-in Windows and Linux tools, as well as specialized third-party solutions such as Zed Attack Proxy (ZAP) and Cain, to detect and shore up vulnerabilities. Author and cybersecurity expert Malcolm Shore also discusses remote hijacking, which allows hackers to take control of drones or even vehicles.
Note: This course maps to the Session Hijacking domain of the Certified Ethical Hacking exam. Review the exam objectives at the EC-Council's website.
- Hijacking a network session, such as a Telnet session
- Understand web sessions
- Intercepting sessions via man-in-the-middle or man-in-the-browser attacks
- Downgrading a session by stripping SSL
- Using ARP poisoning through Subterfuge
- Hijacking an HTTP session through cookies
- Using hijacking defense tools: Zed Attack Proxy and Cain
- Service hijacking (DNS and SSH)
- Hijacking in the physical world: cars and drones