Wi-Fi hacking explained: How to protect yourself from password theft

September 4, 2019 posted by

Hi, I’m Natalie, and I’m about to get
my email account hacked. Ethically! Yes, ethically hacked. For science! So, what I’m going to show you today is
a type of man-in-the-middle attack called “SSL stripping.” SSL is a layer of encryption used between
the client and major websites. That’s the “S” in HTTPS, right? Correct. But actually I’m going to trick your computer
into using HTTP instead, which is unencrypted, so when you log into your email, you’re
actually sending the password in clear text, and I’m picking it up with this. But won’t the website know that there’s
something wrong if I’m sending my password in plain text instead of encrypted? Well that’s the fun part, you’re actually
sending it to me in plain text, and I’m sending it to the website encrypted. Neither of you will know there’s a man in
the middle. So, show me how it works then. Sure. Is your VPN off? Yup, VPN is off. Because this attack only works when VPN is
off. So firstly, I’m going to search for your
computer on the wireless network, which you are connected to. And as you see, this is your computer right
here. Wow. Now I run the attack. So now please log in to your email account. Okay. So as you can see, when you typed in your
credentials and pressed enter, you can see that the device picked up the credentials
and here is your password. Oh my! Not a great password I guess. Well it doesn’t matter how it good it was
because I have it now. And if you’re the kind of person who tends
to reuse their passwords… Oh boy. I’m definitely going to have to change my
password. So does this same attack work on other sites? Yeah. Shopping websites, cloud storage, online banking,
you name it! Wow. Was this equipment expensive? Was it hard to figure out how to use it? Well that’s the scary part. This bit caught maybe twenty bucks, and the
software is free and open source. Even a smart kid can do it. Yikes! Okay, can you unhack it now? Now earlier you said the VPN had to be turned
off. What would happen if my VPN was turned on? Great question! Just turn it on and let’s find out. OK. So I can still see your computer here. As you can see, this is your computer right
here. But when I run the attack, I’m just stuck
at the listening screen. So you can’t see any traffic at all, even
when I try to log in. None. Because your online activity is being sent
through the secure VPN servers instead of to me, so there’s just nothing for me to
read here. Amazing! So, Samet, would you say that it’s always
a good idea to have your VPN turned on? Pretty much, especially when you’re on public
Wi-Fi, you’d be crazy not to protect yourself. Alright, well thank you so much, Samet. Thank you, thanks for having me.


31 Replies to “Wi-Fi hacking explained: How to protect yourself from password theft”

  1. Ronas Celik says:


  2. SneakyJoe's Salad RUS says:

    Guys, can I please upload this to my youtube channel as well with voice over?

  3. truesonic33 says:

    ilike express vpn its cheap and it works
    but the only problem it has some issues on my phone. i have sprint and it keeps kicking the connection off.

  4. Raphael Alexander says:

    I'll try using a free VPN.

  5. JP Dollar says:

    Thanks a lot. I'll never use free wifi without VPN again.

  6. Best Online Reviews says:

    Check out our NEW Express VPN Review: https://youtu.be/6ZnmGYEe_Qo

  7. truesonic33 says:

    the android app needs more work
    i am using the apk that works well for me on android. just to give you feed back

  8. MHF says:

    She's an awesome actor

  9. Xavier MARQUES says:

    il faut bien insister sur le fait que la connexion sur le "webmail" doit être possible en HTTP. Ce qui n'est plus très vrai de nos jours… mais un VPN reste un bon moyen de se prémunir de l'attaque MITM.

  10. HFN_YTB says:

    thank you for letting us know. Will turn my VPN on more often, specialy in Hotel Wifi network

  11. Ultramajik says:

    Nice simple, informative explanation. Thanks!

  12. Kasitoa mau says:

    Happy. Happy u

  13. Joe Webster says:

    2:23 …..she shot us the 🐦, very slick 🙂

  14. Joshua says:

    feels a little staged lol

  15. Naveed Shah says:


  16. Mr.Robot says:

    What type of device and software did he use?

  17. Adison Eubanks says:

    These are fun to watch

  18. Adison Eubanks says:

    Such a noob hacker

  19. Eric Potter says:

    ummmm…. if she is connected to his laptop pretending to be an wireless access point… she would be connected and with a sniffer, he would have at least seen the public key go out for a request right, before the client connects to the VPN using a secure tunnel. If he wanted to he could even redirect traffic to his own vpn keys to hand out. So… I'm not sure how smart you need to be to figure that out. I think any smart kid could do that and still see all the passwords once decrypted. It's just an extra step. Probably automated at this point.

  20. David Nicholas says:

    Thanks for the advert (which was too long). I'm interested as to why you're "VPN" is more secure than anyone else's is? I've nothing to hide and don't use one, but I appreciate why some might. Scare tactics aside? At the end of the day all cloud stuff is someone else's shitty computer

  21. Repryma says:

    Is it the latest wifi version? Webrtc no leak, disable cookie and strong firewall is enough right

  22. Anna Banana says:

    Lol im using express vpn now ahahaha

  23. Rebel says:

    SSL stripping doesn't work now 🙂

  24. [DAN THE GREAT] says:

    Hashcat Be Like:😒

  25. David Suggitt says:

    you should also use two-factor authentication with a security key you carry with you

  26. Mr Doge says:

    staged to show how good their shitty vpn is

  27. CM says:

    Is that the only vpn app that can protect your phone from man in the middle attack ?

  28. CM says:

    Are only password is protected how about when you enter some websites and search in YouTube Netflix etc????

  29. CM says:

    More details please 😭😭😢

  30. Thunderbuns says:

    Excellent demonstration. However, some of the stated facts are now incorrect. After the invention of HSTS, passwords and logins cannot be sent in plain text. HSTS also negates the effects of an SSL stripper.

  31. 40KoopasWereHere says:

    How hard are you trying to sound like a hapless computer user who thinks its insides are made from unicorn rainbow farts and other such magic things? Good info, but my gosh!

Leave a Comment

Your email address will not be published. Required fields are marked *