Block HTTPS/TLS (Wo)Man in the Middle Attack

I found out that the landlord of my building is able to access all my internet URLs even though they are HTTPS. For example, they are able to see this entire URL: https://www.google.com/search?q=stackoverflow including path and query params.

I verified by clicking on the lock icon of my browser that the certificate issuer is "Google Trust Services". They are able to see all URLs, not just Google.

Therefore, I am not able to understand how they are able to access all my internet traffic (I am certain they are able to access it). I am not sure if they can see the request/response body and content as well. We are using AT&T internet (not sure if they have a Netgear Nighthawk router connected in the middle). I cannot access the router interface (192.168.0.1) because the attacker (the landlord) is able to see all my URLs.

Is there a way to thwart their attack by using some browser plugin or a similar solution? I found out that Chrome has the HTTPS Everywhere plugin, but that might not help because my browser is already showing that the connection is HTTPS. Ideally I would like to find a way to also detect (and prove) that they are looking at my web browsing history, e.g. I can create a website and use JavaScript to log visitor information (but it will be hard to pinpoint that they are the attacker), in case I decide to show it to our local authorities.

I use Firefox and Chrome for browsing the internet.

A proposal to prevent man in the middle attacks

Let us assume that there is a man in the middle who can read (not modify) all the data that’s being transferred between a client and the server. We want the client to be able to log in without sacrificing their credentials.

We will be using asymmetric encryption here.

When the client wants to log in, the client will send a signal to the server to initiate the process, generate a key pair, and send the public key to the server. The server will create a session, generate a key pair for itself, and return the public key to the client. Now both have key pairs, so any data transfer between them can be encrypted and there is no way the man in the middle will be able to read the data.

Thus, the client can send encrypted login credentials to the server, and the server can return encrypted login data.

Our assumption that the man in the middle can’t modify data is mostly wrong, and thus, if the middleman replaces the keys with the ones he generated, then he will be able to read all the data.

Is there any scope in this proposal?

Would love to hear feedback from fellow cybersecurity engineers.

Hard Wired Man in the Middle Logging

I am wanting to set up a single logging point on my home network that logs URLs and search terms to monitor teenagers… um… activity.

I was thinking of setting up a computer between the cable modem and the router, which would capture all network traffic. The upside would be no need for ARP spoofing; the downside would be that you would lose specific device information about whether the traffic was on a wireless tablet vs. a wired PC.

I have played with Kali a little, and while there are some cool things like driftnet, urlsnarf, and arpspoof, they all seem to target a single device, and it seems most tutorials are for creating wireless hotspots.

With thousands of tools available, I am not sure where to start on this, where I am wanting basically a consolidated browser history from all devices on the network.

I have a PC with a 4 port GB network card and an SSD available with Kali installed. Is my plan of putting it between the router and modem good, or should I stick with arp spoofing past the router? The router is a Linksys 1200AC.

Can you spend a bonus action in the middle of an attack?

Say you’re a Paladin, and you want to cast Searing Smite.

Can I roll my attack, see the result, and decide if I want to spend my Bonus Action on Searing Smite before the outcome is determined?

Taking this a step further, can I do it after the outcome is known (so I know I will hit)?


Relevant quotes from Jeremy Crawford, DnD 5E Development Lead:

  • (1) You make an attack roll. (2) You hit or miss. (3) You roll damage if you hit. "When you hit" happens at number 2.
  • {The quote below} was addressing bonus actions and reactions that have triggers. A bonus action that has no trigger—such as Cunning Action and the misty step spell—can take place whenever you want on your turn (PH, 189).
  • No general rule allows you to insert a bonus action between attacks in a single action. You can interrupt a multiple-attack action with a bonus action/reaction only if the trigger of the bonus action/reaction is an attack, rather than the action.

Crawford’s quotes above are about timing related to things like spending a Bonus Action between attacks, or defining how certain abilities determine when the "hit" is calculated in the damage formula. My question is, can something as general as a Bonus Action interfere with the "steps" of the Attack roll?

We know that something like the Shield spell can directly interfere with these steps (as the spell’s trigger requires an attack that "hits" you, but then the AC bonus applied can then negate that hit from occurring). However, is that specifically due to the Shield spell’s trigger and magical effect, or is it using a general rule?


Other, related questions:

  • Can you use a bonus action from Cunning Action in the middle of an Attack action?
  • Can you use a bonus action between the separate attacks of a spell?

Finding the middle point of the “most populated” area in a set of points?

I’m working on a game-related application, and I’m trying to find the middle point of the most populated area in my map.

Example:

    Positions (format [x, y]):
    [48, 49] [51, 50] [49, 50] [51, 49] [49, 48] [130, 150] [129, 148]

    Expected output: [50, 50] or something close enough like [49, 51], [51, 50]

To create this algorithm I have access to all entities' positions (X/Y). I’ve tried creating a position using the X average and Y average, but it’s not what I’m looking for (using the example values, the output would have been [75, 75] or something like this and not [50, 50] as expected).

Here is an example image:
Red dot: Entities
Green dot: Position I’m looking for

Thanks for reading and for your help!

Why Man In The Middle (MITM) is not working with my Huawei router?

Man-in-the-Middle is not working with my router (Huawei) on my Windows machine/any device.

But it works with another router on my same Windows machine/any device.

When I am doing MITM with the Huawei router:

    Linux MAC: a0:af:bd:c5:21:87
    Router's MAC: 7c-11-cb-1f-ad-85

My Windows ARP table before doing MITM on it:

    c:\Users\acer>arp -a

    Interface: 192.168.1.113 --- 0x4
      Internet Address        Physical Address      Type
      192.168.1.1             7c-11-cb-1f-ad-85     dynamic
      192.168.1.255           ff-ff-ff-ff-ff-ff     static
      224.0.0.022             01-00-5e-00-00-16     static

arpspoof script to do MITM:

1st terminal:

arpspoof -i wlan0 -t 192.168.1.113 192.168.1.1 

2nd terminal:

arpspoof -i wlan0 -t 192.168.1.1 192.168.1.113 

Then the Windows machine ARP table is:

    c:\Users\acer>arp -a

    Interface: 192.168.1.113 --- 0x4
      Internet Address        Physical Address      Type
      192.168.1.1             7c-11-cb-1f-ad-85     dynamic
      192.168.1.112           a0:af:bd:c5:21:87     dynamic
      192.168.1.255           ff-ff-ff-ff-ff-ff     static
      224.0.0.022             01-00-5e-00-00-16     static

I tried with bettercap, ettercap, and my own Python script, and I did ‘echo 1 > /proc/sys/net/ipv4/ip_forward’ in Linux. It is still not working! Not capturing anything.

The expected ARP table on Windows:

    Interface: 192.168.1.113 --- 0x4
      Internet Address        Physical Address      Type
      192.168.1.1             a0:af:bd:c5:21:87     dynamic
      192.168.1.255           ff-ff-ff-ff-ff-ff     static
      224.0.0.022             01-00-5e-00-00-16     static
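
An added example, not part of the original post: comparing `arp -a` snapshots like the ones quoted above against a known-good baseline flags a changed gateway MAC, or one learned MAC mapped to several addresses. The function names are hypothetical and the sample tables are constructed from the output in the post.

```python
import re

# Sample snapshots constructed from the `arp -a` output quoted in the post above.
BASELINE = """\
Interface: 192.168.1.113 --- 0x4
  Internet Address        Physical Address      Type
  192.168.1.1             7c-11-cb-1f-ad-85     dynamic
  192.168.1.255           ff-ff-ff-ff-ff-ff     static
"""
# The table the post reports seeing: a new neighbour entry, gateway unchanged.
OBSERVED = BASELINE + "  192.168.1.112           a0:af:bd:c5:21:87     dynamic\n"
# The table the post lists as "expected": the gateway entry carries another MAC.
POISONED = BASELINE.replace("7c-11-cb-1f-ad-85", "a0:af:bd:c5:21:87")

ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
                 r"([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s+(\w+)\s*$")

def parse_arp(text):
    """Return {ip: (normalised_mac, type)} from Windows `arp -a` output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower().replace("-", ":"), kind.lower())
    return table

def arp_findings(baseline, current, gateway):
    """Compare a trusted baseline with a later snapshot taken on the same host."""
    base, cur = parse_arp(baseline), parse_arp(current)
    findings = []
    if gateway in base and gateway in cur and base[gateway][0] != cur[gateway][0]:
        findings.append(f"gateway {gateway} changed from {base[gateway][0]} "
                        f"to {cur[gateway][0]}")
    # A single learned (dynamic) MAC answering for several IPs is a second signal.
    owners = {}
    for ip, (mac, kind) in cur.items():
        if kind == "dynamic":
            owners.setdefault(mac, []).append(ip)
    for mac, ips in sorted(owners.items()):
        if len(ips) > 1:
            findings.append(f"{mac} is mapped to {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for name, snap in (("observed", OBSERVED), ("poisoned", POISONED)):
        print(name, arp_findings(BASELINE, snap, "192.168.1.1"))
```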

Should I allow my players to change their characters in the middle of my campaign?

Two of my players are asking if they can change their characters mid-game. Their reason is that they don’t really like their characters anymore, and don’t feel any energy towards being them anymore.

I would usually allow them to do it, though it’s in the middle of the campaign, but I have been setting up a character plot twist for quite some time, and had just barely connected the characters together.

So I thought OK don’t allow them… However if they were to be playing a character that they don’t really want to play anymore, they probably wouldn’t care whether they mess up the game.

This is where my predicament is, their new characters that they made have nothing to do with anything that is going on; no relation to the other characters, zip. I don’t want to have to start from scratch, however I want the others to have fun too… and feel excited about their characters. The other players don’t really appreciate them changing character… What should I do?

How does BLE secure connection ensure man in the middle protection?

I understand BLE secure connection pairing mode is an improvement over Legacy Pairing. The issue with legacy pairing was that the initial TK value can easily be brute-forced by an attacker.

In contrast, in secure connection, both devices start by generating an ECDH key pair and exchanging public keys.

Since BLE doesn’t use a certificate for the public key, how would a device know if the public key actually belongs to the entity it wants to communicate with?

I know later in pairing there is a confirmation check, but that’s a similar idea to legacy pairing, just the sequence is changed.
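
An added example, not from either original post, covering both the key-exchange proposal earlier on this page and the BLE question above: in the Numeric Comparison association model of LE Secure Connections, each device derives six digits from both public keys and both nonces, so keys replaced in transit produce digits that no longer match when the user compares them. Assumptions: HMAC-SHA256 stands in for the AES-CMAC based f4/g2 functions, the public keys are opaque constructed byte strings rather than P-256 points, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

def _mac(key, *parts):
    # Assumption: HMAC-SHA256 stands in for the AES-CMAC used by the real f4/g2.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

def commitment(pk_own, pk_peer, nonce):
    """Role of f4: bind a nonce to both public keys before the nonce is revealed."""
    return _mac(nonce, pk_own, pk_peer, b"\x00")

def numeric_value(pk_a, pk_b, na, nb):
    """Role of g2: six digits derived from both public keys and both nonces."""
    tag = _mac(na, pk_a, pk_b, nb)
    value = int.from_bytes(tag[-4:], "big") % 10**6
    return f"{value:06d}"

def initiator_digits(pk_a, pk_peer, na, cb, n_peer):
    """Device A: check the commitment received earlier, then derive its digits."""
    if not hmac.compare_digest(cb, commitment(pk_peer, pk_a, n_peer)):
        raise ValueError("commitment mismatch: abort pairing")
    return numeric_value(pk_a, pk_peer, na, n_peer)

def session(pk_a, pk_b, swapped_key=None):
    """One pairing round; swapped_key models public keys replaced in transit."""
    na, nb = os.urandom(16), os.urandom(16)
    if swapped_key is None:
        peer_of_a, peer_of_b, nonce_to_a, nonce_to_b = pk_b, pk_a, nb, na
    else:
        # Each device now pairs with the relay, which needs nonces of its own.
        peer_of_a = peer_of_b = swapped_key
        nonce_to_a, nonce_to_b = os.urandom(16), os.urandom(16)
    # A receives the commitment before it reveals na, so the committed nonce
    # cannot be chosen afterwards to steer the six digits.
    cb = commitment(peer_of_a, pk_a, nonce_to_a)
    digits_a = initiator_digits(pk_a, peer_of_a, na, cb, nonce_to_a)
    digits_b = numeric_value(peer_of_b, pk_b, nonce_to_b, nb)
    return digits_a, digits_b

if __name__ == "__main__":
    # Constructed stand-ins for P-256 public keys (opaque 64-byte strings).
    pk_a, pk_b, pk_x = (os.urandom(64) for _ in range(3))
    print("honest :", session(pk_a, pk_b))
    print("swapped:", session(pk_a, pk_b, swapped_key=pk_x))
```

The digits only authenticate the keys because a person compares them on both devices; without that comparison step the exchange is unauthenticated, which is the gap the earlier proposal runs into.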