
Okay, so I am basically an electronics student, so I have limited knowledge on the subject. So please help me out here.

The thing is that one day, as I was browsing, I opened up Google and instead of the Google logo, a "You have been hacked" image came up. I share a flat with 5 people and one of my flatmates came up and told me that he had performed an "Image replacement" attack or something. He didn't tell me how he did it. I did some research and stumbled upon MITMf's GitHub page. I was quite impressed with the capabilities of the tool. However, the question here is, how do I protect my computer against the attack? My flatmate and I are on the same network (using our home router). We have a broadband connection. How do I protect myself from this tool?

Also, please inform me whether it is possible to install viruses on my machine via this tool. I also saw that this tool (MITMf) has screenshot and keylogger capabilities. In that case, will my antivirus detect these? And will the screenshot and keylogging work once the attacker's machine is turned off (meaning, can he still receive my screenshots and keystrokes even after he disconnects from the network)?

NB: I know that he won't use this tool to cause any harm to me, but one can never be too cautious. Please help me out here.

EDIT: I am looking to prevent all kinds of attacks that this tool can do, not just the keylogging and screenshot attacks in particular.

2 Answers


The type of attacks you can suffer from depends on what your flatmate has access to.

Understanding the attack

There are a couple of ways that your flatmate could have pulled off this attack, and understanding them will help you to understand how to protect yourself.

Google usually uses https for its pages. This usually means that your flatmate can't do a MitM attack on your communication with Google, and if they do, your browser will give you a big scary warning that your communication was tampered with.

The first way to counter the https protection is to remove the https by redirecting to http. We call this attack ssl stripping. By doing that, he can now modify anything on the page and your browser will not give you any warning, except that the address will be in http instead of https.

The second way to counter https is to install a CA certificate on your computer. Your browser is able to warn you when someone tampers with a secure connection because of the CA certificates. If your flatmate is able to access your computer and install CA certificates, he can tamper with any and every one of your connections and your browser won't give you any warning. The address will even be in https. You can sometimes detect this type of attack by looking at the certificate that is encrypting the current connection. Right click on the padlock in the address bar and look for the certificate information. If you are on google.com but the certificate is issued by "flatmate", then you have a problem.

Also, with physical access his possibilities are limitless. For example, the easiest way for me to do this attack would be to install a custom made browser extension on your computer.

Restrict his physical access

You need to restrict the physical access of your flatmate to your computer. If you can lock your door, do it. Then you need to make sure your computer is protected with a good password. It's the first step.

In the previous section, I talked about how your flatmate could install a CA certificate if he had access to your computer, but this is just the tip of the iceberg. If he has physical access, he can install any type of malicious software.

Your system might already be compromised

There is a good chance that he installed something on your computer. In this case, you need to do a fresh install. Antivirus won't help you here.

The router / modem is compromised

You can probably assume that he has complete control over the router/modem. This means that anything that you access from the internet needs to be encrypted or he can tamper with it. Using an extension like HTTPS Everywhere can help, or you could also use a secure VPN.

Gudradain
  • Thank you for the info. Physical access is impossible for him as my laptop is always kept locked in my cupboard. My main concern is the MITMf tool. I mean, since he has access to the router, he can probably monitor my activity on the web. While that is not much of a concern, the problem arises when my passwords are compromised. According to you, the HTTPS extension tool can prevent this tool, right? – Swastik Mohapatra Jan 24 '17 at 16:36
  • @SwastikMohapatra The HTTPS Everywhere extension will only help for websites that already have an https version (for example Google). If the site doesn't have an https version then HTTPS Everywhere won't help you. The good news is that most websites that contain critical information will have https. If you need to also encrypt websites that don't have an https version, a VPN can help to protect against your flatmate as he will only see the encrypted connection with the VPN. Still, the link between the VPN and the http website can be attacked by other attackers, but this is always true, VPN or not. – Gudradain Jan 24 '17 at 16:42
  • I understand. Thanks for the help. My main concern was my blogs on WordPress, but since WP is encrypted anyway, I guess I should be out of trouble with the extension. One more query: as SilverlightFox has said, the keylogger and screenshot are browser only functions. This means that they cease to exist as soon as I close my browser (or disconnect from the network). In that case, a password manager would be a good choice, right? This is of course assuming that I am enforcing an HTTPS connection to the website. – Swastik Mohapatra Jan 24 '17 at 16:53
  • @SwastikMohapatra Using the tool you mentioned, the key logger can only be there when the page is tampered with. It's not installed browser wide. It's just a script injected on the page, as the fake image was injected on the Google page. Any page you access with https can't have anything injected, hence no key logger. – Gudradain Jan 24 '17 at 17:06

I'm surprised that the Google image could be replaced.

This would only be possible if you weren't using the HTTPS version of the site. This is the mitigation for Man-In-The-Middle - ensure the sites you visit are accessed over HTTPS. The HTTPS Everywhere browser extension can help with this.

HTTPS employs SSL/TLS to encrypt your connection to the server so it can't be Man-In-The-Middle'd with such a tool.

The keyloggers and screenshot capabilities are within the browser only, and are accomplished by injecting a <script> tag into the page. If using HTTPS then this is also not possible.

Anti-Virus won't detect it because it is an attack on the wire, not on your machine.

(Note all the above assumes your flatmates haven't installed their trusted root certificate on your browser - that would make it possible to intercept HTTPS sites if so. Check this with the GRC tool.)

SilverlightFox
  • What about SSL Strip that the tool has? Also, if my browser is compromised, will a clean install of the browser do the trick? – Swastik Mohapatra Jan 24 '17 at 15:39
  • When you say the keylogger capability is within the browser only, does it mean I can be safe by using tools like KeePass (I have been using it for a while)? – Swastik Mohapatra Jan 24 '17 at 15:42
  • SSLstrip needs a plain HTTP connection. If you access sites over HTTPS only then it won't work. Yes for Firefox, no for Chrome and IE. Firefox uses its own certificate store, whereas the others use the OS's. – SilverlightFox Jan 24 '17 at 15:42
  • Okay, then my best bet is: 1) Use Firefox 2) Install HTTPS Everywhere. If I do the above then the tool won't work, right? I am worried mainly because I share the home network with them. – Swastik Mohapatra Jan 24 '17 at 15:44
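The SSL-stripping downgrade that both answers warn about is defeated on the client by remembering which hosts are HTTPS-only and rewriting any http:// link for them before a request is sent, which is what HTTPS Everywhere's rulesets and the browser's own HSTS cache (RFC 6797) do. The following is an added example, not code from the thread or from MITMf: a minimal model of that upgrade rule, including the expiry and max-age=0 cases the answers do not mention; all host names and timestamps are constructed.

```python
"""Client-side model of the defence against SSL stripping (added example).

Not code from the thread or from MITMf. It models the HSTS upgrade rule
(RFC 6797): once a host has declared itself HTTPS-only, any http:// URL
for that host is rewritten to https:// before the request leaves the
machine, so an attacker on the home router never sees a plaintext
request to downgrade. Host names and timestamps are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


class HstsCache:
    def __init__(self):
        self._entries = {}  # host -> (expiry time, includeSubDomains flag)

    def record_header(self, host, header_value, now):
        # Only call this for a header received over HTTPS: one seen over
        # plain HTTP could have been forged by the MitM and must be ignored.
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return  # malformed header: ignore it, as browsers do
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 revokes policy
        else:
            self._entries[host.lower()] = (now + max_age, include_sub)

    def is_known_host(self, host, now):
        """True if an unexpired policy covers host, directly or via a parent."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url, now):
        """Return the URL the client actually requests (port mapping omitted)."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname, now):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url
```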