Forum Replies Created
- Diego Pérez (Moderator)
Hi!
As ethical hackers we need to develop researching skills, so maybe it’s a good chance to start improving such skills. Here is a link that explains brute forcing attacks, but do your own research, don’t misunderstand me but it will help you a lot sharpening your google-fu.
https://medium.com/swlh/using-hydra-to-spray-user-passwords-dcc12f016ba9
Greetings!
Diego

- Diego Pérez (Moderator)
Hi!
You are using an old version, can you try it with the latest one?
https://github.com/mitmproxy/mitmproxy/blob/v6.0.2/examples/contrib/sslstrip.py
Let me know how it goes!
Diego

- Diego Pérez (Moderator)
Hi!
Have you installed netfilterqueue? If so, which exact command did you use?
Let me know.
Diego

- Diego Pérez (Moderator)
Hi!
Which OS are you using?
I’d suggest using the custom Kali for the course, it will work just as expected.
Greetings!
Diego

February 15, 2021 at 6:17 pm in reply to: Crack WPA2 wifi network without a wordlist not working #52070
- Diego Pérez (Moderator)
Hi!
As mentioned in the lecture this method only works against some routers, it won’t work against modern routers or ones that use PBC. Zaid still covered this though, because if it works then it’s a very good method to get the password as it is guaranteed. If it didn’t work then please try the method explained in the next lectures.
See, this method only works if the target uses PIN authentication, because when PBC is enabled the router will refuse all requests and all PINs, even if we send it the right PIN, unless the WPS button is pressed. If you are the attacker you won’t know if your target is using PBC authentication or not, you have to try this method. It still works against some routers and if it is working it will give you a clear way to get a key.
So it looks like you can’t change its configuration, in this case this attack will not work.
Greetings!
Diego

- Diego Pérez (Moderator)
Hi!
Basically you can try it but Instagram implements a protection by blocking the account after some failed attempts, so you can only try it like 5 times (I think) as a maximum and you’ll need to wait 24 hours to try it again. So the attack will be very very slow as you can only test 5 passwords per day.
You can make a disposable account and try it out.
Greetings!
Diego

- Diego Pérez (Moderator)
Hi!
Yes, if you want to sniff from HTTPS sites you’ll need to downgrade the connection as well, the only difference is that you don’t have to use the arp.spoof module as you are the MITM already.
Greetings!
Diego

- Diego Pérez (Moderator)
Hi bro!
Google.com will not be downgraded as it uses HSTS but winzip.com should work fine. Did you clear the entire browser’s cache in the victim machine? Where did you get the sslstrip.py from? Can you share the link?
Thanks!
Diego

- Diego Pérez (Moderator)
Hi!
Have you run apt upgrade? Because that will undo all the custom changes made by Zaid.
Can you share a screenshot with the command used and the result please?
Thanks!
Diego

- Diego Pérez (Moderator)
Hi!
Are you sure you are using the latest custom Kali image provided by Zaid? It’s important!
Let me know.
Diego

February 12, 2021 at 6:21 pm in reply to: When I run the my arp spoof tool the connection on the windows machine goes off #52023
- Diego Pérez (Moderator)
You’re welcome!
Greetings!
Diego

- Diego Pérez (Moderator)
Hi!
There are some slides available to download, you can find them at the beginning of a section. Do you have any issue downloading them?
Let me know.
Diego

February 11, 2021 at 6:37 pm in reply to: When I run the my arp spoof tool the connection on the windows machine goes off #52002
- Diego Pérez (Moderator)
Hi!
Did you enable IP forwarding?
echo 1 > /proc/sys/net/ipv4/ip_forward
You have to do it every time you boot Kali and want to run an arp spoof attack.
Let me know.
Diego

- Diego Pérez (Moderator)
Hi!
You can upload images to an image hosting service and share the links here.
As mentioned in the lecture this method only works against some routers, it won’t work against modern routers or ones that use PBC. Zaid still covered this though, because if it works then it’s a very good method to get the password as it is guaranteed. If it didn’t work then please try the method explained in the next lectures.
See, this method only works if the target uses PIN authentication, because when PBC is enabled the router will refuse all requests and all PINs, even if we send it the right PIN, unless the WPS button is pressed. If you are the attacker you won’t know if your target is using PBC authentication or not, you have to try this method. It still works against some routers and if it is working it will give you a clear way to get a key.
Greetings!
Diego

- Diego Pérez (Moderator)
Hi!
Is it your own network? Remember we can only try any attack against our own network.
Can you share a screenshot with the results of wash where we can see your network?
Can you share a screenshot with the reaver command used and the result please?
Thanks!
Diego