Unit 8: Man-In-The-Middle Attacks and Mitigations 8.1 Man-In-The-Middle Attacks and Mitigations WiFi...

mac2022-06-30  20

>> One of the absolute worst things you can ever do, from a cybersecurity perspective, is connect to a public Wi-Fi network. The aircrack-ng network software suite includes a tool called airmon-ng which is used to put a NIC, network interface card, into monitor mode, which allows your NIC to sniff packets in the air without associating to an access point. That would be like walking around the public area listening to other people's conversations. Let's say you connect to a public Wi-Fi network, perhaps in a coffee shop, and there's someone there sniffing packets in monitor mode. When you go to your bank's website, is your information safe, if the site is using SSL/TLS? Even if there is no encryption on the Wi-Fi network itself, the only option today is WPA2, WiFi Protected Access 2. The modern remote sniffer will not be able to decrypt the SSL/TLS segments. However, hackers know users reuse passwords, so your username and password for a random forum or a website that doesn't use SSL/TLS will be seen by the monitor-mode sniffer. The attacker will now have your username and password to test on banking sites, corporate sites, and much more. Furthermore, what happens if a man in the middle performs the aforementioned ARP spoofing attack on a public Wi-Fi network, and then you go to a site that uses SSL/TLS? You'll see the certificate error message again, but granting exceptions and clicking through all the warnings will once again make you a victim of a man-in-the-middle ARP spoofing attack.

There used to be another type of attack called SSL strip. It was usually preceded by an attacker using a device, like a Wi-Fi Pineapple, to get the coffee-shop customer traffic. These devices are small, little boxes with antennas that search for Wi-Fi networks to masquerade as. After de-authenticating clients from their legitimate access points, these devices send out stronger signals, which makes your laptop or phone want to select it as a new wireless access point. Known as an evil twin, or a rogue access point, these devices will advertise either the same SSID, service set identifier, name of a network, as an actual one, or a slight variation of the legitimate SSID. Imagine you're nowhere near a Starbucks, and you search for available networks, and you see a Starbucks network. That could be a red flag. But, what if you're in Starbucks, and you see two networks, Starbucks Wi-Fi, and Free Starbucks Wi-Fi? Don't pick the wrong one, or else you'll be sending all of your traffic directly to the attacker. Evil twins can even use the same SSID as a legitimate one. The attackers would de-authenticate you from your current SSID, possibly with aireplay-ng, and because the rogue access point is now sending out stronger signals than the legitimate one, because it's programmed to do so, or because it's physically closer than the legitimate one, your device will automatically connect to the evil twin. Now that you're sending and receiving packets to and from the hacker's access point, the hackers want to see your traffic. If SSL/TLS is being used, that would pose a problem.

Back to SSL strip. If Bob wants to log into his bank website and types www.bobsbank.com in the browser's URL bar, when the request for the website goes to the attacker, the attacker will resend it to the actual webserver and get a reply back with a login page at https://www.bobsbank.com. SSL strip running on the attacker's machine will change the HTTPS reply to plain old HTTP and send it back to the client, who will see http://www.bobsbank.com. The victim machine sends plain-text credentials to the man in the middle who, after logging them, encrypts them and sends them off to the webserver. There is no certificate error warning with this attack, and it would take a pretty sharp eye to notice the HTTP in the address bar, as opposed to what it should be, HTTPS. The web server thinks it's communicating with the victim in this HTTP downgrading attack. HSTS, HTTP Strict Transport Security, was designed to put SSL strip out of business by allowing webservers to specify to browsers to only use secure HTTPS connections on their sites, and never HTTP. Furthermore, the addresses of many major sites now are preloaded into the major browsers to use HSTS, so that the initial message to only use HTTPS can't be hijacked by an attacker. While SSL strip has been foiled by HSTS, ARP cache poisoning still exists. Furthermore, evil twins can still redirect victims to malware sites and phishing sites for further penetration.
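The lecture describes the browser-side mechanism that stops SSL strip only in outline. The following is an added example, not code from the course or from any browser, that models the HSTS behaviour specified in RFC 6797: the browser learns a policy from a Strict-Transport-Security header received over HTTPS only, remembers it until max-age expires (or forever for a preloaded entry), honours includeSubDomains, and rewrites any http:// URL for a known host to https:// before the request ever leaves the machine, which is exactly the step that leaves a downgrading man in the middle nothing to strip. It also shows why the header must be ignored over plain HTTP: otherwise a man in the middle could inject max-age=0 and make the browser forget the policy. The domain www.bobsbank.com is the lecture's own example; the preload entry, the header values and the demo scenario are constructed for this example.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns (max_age_seconds, include_subdomains), or None when the header is
    malformed (missing or non-numeric max-age, or a repeated directive), in
    which case a browser ignores the whole header.
    """
    max_age, include_sub, seen = None, False, set()
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name in seen:
            return None                     # directives must not repeat
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        # other directives (e.g. "preload") are ignored, as the RFC requires
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Minimal model of a browser's HSTS store and its URL upgrade step."""

    def __init__(self, preloaded=None, now=time.time):
        self.now = now
        # host -> (expiry timestamp, include_subdomains); preloaded entries never expire
        self.policies = {h: (float("inf"), sub) for h, sub in (preloaded or {}).items()}

    def record_response(self, url, headers):
        """Learn a policy from a response. Only HTTPS responses count: a header
        seen over plain HTTP could have been written by a man in the middle and
        is discarded. Returns True when a policy was stored or removed."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        policy = parse_hsts(value) if value is not None else None
        if policy is None:
            return False
        max_age, include_sub = policy
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 asks the browser to forget the host
        else:
            self.policies[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if host, or a parent domain whose policy has includeSubDomains, is live."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires >= self.now() and (i == 0 or include_sub):
                return True
        return False

    def enforce(self, url):
        """The step that defeats SSL strip: rewrite http:// to https:// for a known
        host before any request is sent, so no plaintext request exists to tamper with."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Replay the lecture's bobsbank scenario (constructed headers and preload entry)."""
    typed = "http://www.bobsbank.com/login"   # Bob typed the bare name, so the browser starts with HTTP
    browser = HstsCache()
    naive = browser.enforce(typed)            # first ever visit: plain HTTP leaves the machine
    browser.record_response("https://www.bobsbank.com/",
                            {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    learned = browser.enforce(typed)          # after one genuine HTTPS visit: upgraded locally
    # an injected max-age=0 over plain HTTP must not erase the policy
    forged_accepted = browser.record_response("http://www.bobsbank.com/",
                                              {"Strict-Transport-Security": "max-age=0"})
    preloaded = HstsCache(preloaded={"bobsbank.com": True})   # assumed preload entry
    first_time_safe = preloaded.enforce(typed)                 # closes the window the naive case left open
    return {"naive": naive, "learned": learned, "forged_accepted": forged_accepted,
            "preloaded": first_time_safe}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive case in demo() is the window the lecture describes: the very first request to a site the browser has never seen still goes out as plain HTTP, and only a preloaded entry closes it, which is why the preload list matters as much as the header itself.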

Reposted from: https://www.cnblogs.com/sec875/articles/10049557.html
