1
00:00:00,430 --> 00:00:01,120
Welcome back.

2
00:00:01,780 --> 00:00:07,660
Let's start with our first tool that we're going to use to perform our ARP spoofing and man in the middle

3
00:00:07,660 --> 00:00:10,330
attack. Now, for this type of attack,

4
00:00:10,360 --> 00:00:14,490
there are many tools out there that you can use to initiate this attack.

5
00:00:14,830 --> 00:00:16,270
Some of them are outdated.

6
00:00:16,280 --> 00:00:18,940
Some of them are already preinstalled in Kali Linux.

7
00:00:19,100 --> 00:00:24,210
However, we are going to cover one of the most known tools, which is called Bettercap.

8
00:00:24,640 --> 00:00:27,250
It is a little bit harder to use.

9
00:00:27,250 --> 00:00:30,010
However, we're just going to cover the basics of it.

10
00:00:30,520 --> 00:00:32,710
So let's open up our terminal.

11
00:00:32,710 --> 00:00:37,570
And since this tool is not already installed in Kali Linux, we must install it first.

12
00:00:37,900 --> 00:00:44,620
And my advice would be, for this entire section, to run all the tools as the root account. You might be asking

13
00:00:44,620 --> 00:00:44,970
why.

14
00:00:45,190 --> 00:00:50,860
Well, we're going to perform a few different networking things, and some of the networking things could

15
00:00:50,860 --> 00:00:52,390
require root privileges.

16
00:00:52,700 --> 00:00:54,350
So some of the tools might not run.

17
00:00:54,400 --> 00:00:59,520
Some of the settings might not work if we run it as a regular user inside of our Kali Linux.

18
00:01:00,010 --> 00:01:03,460
So let's real quick enter the root terminal.
19
00:01:04,900 --> 00:01:11,980
And to install our Bettercap, we can simply type the command apt-get install and then bettercap,

20
00:01:12,640 --> 00:01:18,430
press enter, press Y once it asks you "do you want to continue?", and now we're going to wait for

21
00:01:18,430 --> 00:01:24,370
the Bettercap installation to finish, and then we're going to enter its framework and perform a MITM

22
00:01:24,490 --> 00:01:24,810
attack.

23
00:01:26,250 --> 00:01:28,290
OK, it is finished now.

24
00:01:28,560 --> 00:01:34,770
There are two ways that we can run this attack: we can run it as a command by specifying a file that

25
00:01:34,770 --> 00:01:41,000
contains all of the Bettercap commands that we want to run, or we can run it inside of the framework.

26
00:01:41,430 --> 00:01:46,860
Now, for the first time, we are going to just type bettercap to open the framework, and we're going

27
00:01:46,860 --> 00:01:50,120
to experiment with different commands in order to run this attack.

28
00:01:50,430 --> 00:01:56,820
And then after this, we're going to see how we can run it just from a terminal in a one-line command.

29
00:01:57,640 --> 00:02:02,970
OK, so once you type bettercap and hit enter in your terminal, it will open the Bettercap program.

30
00:02:02,970 --> 00:02:04,680
It will tell you which version it is.

31
00:02:04,980 --> 00:02:08,640
And it will also tell us to type help for a list of the commands.

32
00:02:09,420 --> 00:02:12,930
So let's type help to see what options we have.

33
00:02:13,140 --> 00:02:17,760
And right here we're going to see a bunch of available services that we can run.

34
00:02:17,790 --> 00:02:23,250
With Bettercap, most of these services are not going to run, as it says right here, "not running".

35
00:02:23,400 --> 00:02:27,150
And the only one that you will see running is events.stream.
36
00:02:27,540 --> 00:02:32,280
Now, you might already start to notice something interesting for us, such as, for example, this

37
00:02:32,280 --> 00:02:33,390
arp.spoof.

38
00:02:33,480 --> 00:02:39,120
We talked about ARP spoofing in the previous video, and we know that this is the base of our man in

39
00:02:39,120 --> 00:02:40,010
the middle attack.

40
00:02:40,710 --> 00:02:46,130
However, before we get to it, let's go a little bit up and check out the help menu.

41
00:02:46,800 --> 00:02:49,830
So these are the commands that we can use with Bettercap.

42
00:02:49,830 --> 00:02:53,100
We can type help and then some module name

43
00:02:53,100 --> 00:02:59,760
in order to print out more information about that specific module. We can also use active, quit, or sleep

44
00:02:59,760 --> 00:03:01,770
for a certain amount of seconds.

45
00:03:01,770 --> 00:03:06,150
We can set values the same way that we do inside of our msfconsole.

46
00:03:06,150 --> 00:03:12,090
If you remember, once we set values for certain payloads, we do that using this command, so we can

47
00:03:12,090 --> 00:03:18,350
assume that this is something similar to msfconsole, or at least it has similar options and commands.

48
00:03:19,140 --> 00:03:21,240
Now, let's go down to these modules.

49
00:03:21,810 --> 00:03:27,950
And before we actually get to this ARP module, let us take a look at this net.probe module.

50
00:03:28,110 --> 00:03:32,610
If I simply just type help and then net.probe,

51
00:03:33,840 --> 00:03:37,500
this will give me the help menu and the description of this module.

52
00:03:37,740 --> 00:03:44,070
So as it says, it will keep probing for new hosts on the network by sending the packets to every possible

53
00:03:44,070 --> 00:03:45,360
IP on the subnet.

54
00:03:45,900 --> 00:03:51,390
In other words, what this module will do is it will discover all of the online hosts inside of our

55
00:03:51,390 --> 00:03:52,620
local area network.
56
00:03:53,250 --> 00:03:58,860
So what we can do is we can turn that on to start network host probing in the background.

57
00:03:59,400 --> 00:04:02,280
Let's run this command, as it tells us right here.

58
00:04:03,110 --> 00:04:03,890
Copy this.

59
00:04:04,770 --> 00:04:07,740
Paste it right here and let's press enter.

60
00:04:08,630 --> 00:04:14,160
And we can already see that it managed to discover some of the hosts inside of my network.

61
00:04:14,930 --> 00:04:17,450
These are the active IP addresses right here.

62
00:04:17,870 --> 00:04:24,200
The next thing that we want to do is we want to type the help menu for the arp.spoof module.

63
00:04:24,710 --> 00:04:27,830
So just type help arp.spoof and press enter.

64
00:04:28,920 --> 00:04:36,360
And we also get the option as to how we can run this module, but down here we can see some additional

65
00:04:36,360 --> 00:04:40,670
options or, as it says right here, parameters for this module.

66
00:04:41,130 --> 00:04:43,830
We got our arp.spoof.fullduplex.

67
00:04:44,070 --> 00:04:52,740
We got our arp.spoof.internal, our arp.spoof.targets and our arp.spoof.whitelist. In this specific scenario,

68
00:04:52,740 --> 00:04:54,450
we're interested in these two.

69
00:04:54,540 --> 00:05:01,500
So the fullduplex and the targets. The fullduplex, if we read the description: if this is set to

70
00:05:01,500 --> 00:05:05,340
true, both the targets and the gateway will be attacked.

71
00:05:05,370 --> 00:05:06,990
Otherwise only the target.

72
00:05:07,590 --> 00:05:13,470
And as it says right here, if the router has ARP spoofing protections in place, this will make the

73
00:05:13,470 --> 00:05:14,270
attack fail.

74
00:05:14,610 --> 00:05:22,140
So in some networks and on some routers, this attack will not work, because more and more routers nowadays

75
00:05:22,140 --> 00:05:25,350
are starting to implement ARP spoofing protection.
76
00:05:26,370 --> 00:05:32,290
However, if it is not enabled, if the protection is not enabled, then we can perform this attack.

77
00:05:32,910 --> 00:05:41,460
So what we must do is we can type set arp.spoof.fullduplex to be equal to true, or just

78
00:05:41,460 --> 00:05:43,260
set it to true, press

79
00:05:43,260 --> 00:05:44,090
enter right here.

80
00:05:44,850 --> 00:05:47,530
And we also want to set the targets.

81
00:05:48,060 --> 00:05:54,090
Now, you can specify the entire subnet or the entire network, or you can do it like I'm going to do.

82
00:05:54,090 --> 00:05:56,250
I'm just going to select one target.

83
00:05:56,550 --> 00:06:01,710
And the reason why I'm selecting one target is because once you've done this on the entire network,

84
00:06:01,710 --> 00:06:08,060
there is a lot of information going inside your terminal and it is going really fast.

85
00:06:08,070 --> 00:06:09,630
You don't even get to read it.

86
00:06:10,110 --> 00:06:15,480
Therefore, what I'm going to do for the purposes of this tutorial is I'm going to select the IP address

87
00:06:15,500 --> 00:06:21,720
of my Windows 10 machine that we are going to perform the MITM attack on, and then I'm going to

88
00:06:21,720 --> 00:06:30,180
set arp.spoof.targets to be equal to that IP address, just like this.

89
00:06:31,330 --> 00:06:37,930
Once I do this, I want to start sniffing for network connections, and we can do that if I go up

90
00:06:37,930 --> 00:06:45,160
here. We can see that there is a module called net.sniff. If I type help net.sniff,

91
00:06:45,820 --> 00:06:51,150
it will just say that this will sniff packets from the network, and the command for you to start

92
00:06:51,160 --> 00:06:52,810
it is net.sniff on.

93
00:06:53,590 --> 00:06:57,760
But before we actually start it, let's go and check out the parameters right here.
94
00:06:58,270 --> 00:07:03,400
The parameter that we want to use for this attack is net.sniff.local. As it says,

95
00:07:03,400 --> 00:07:09,680
if this is true, it will consider packets from/to this computer, otherwise it will skip them.

96
00:07:10,060 --> 00:07:15,480
Now, once we start the attack, all of the packets from our target machine will go to this computer.

97
00:07:15,880 --> 00:07:17,950
Therefore, this will be able to sniff them.

98
00:07:18,310 --> 00:07:19,360
Let's go with this.

99
00:07:20,380 --> 00:07:26,410
And paste it right here, and what we want to do is we want to set this to true.

100
00:07:29,270 --> 00:07:38,630
After we get all of these settings ready, we can type arp.spoof and we can set this on, and we can

101
00:07:38,630 --> 00:07:43,070
also type net.sniff on, press enter.

102
00:07:43,340 --> 00:07:48,070
And this will start sniffing packets on our Windows 10 machine.

103
00:07:48,740 --> 00:07:52,430
We can also see some of the queries that our Windows machine is making.

104
00:07:53,000 --> 00:07:55,700
And if I go and try to visit some web page,

105
00:07:56,690 --> 00:08:00,380
we can see that our target machine is querying Facebook.

106
00:08:01,710 --> 00:08:09,060
As we can see, the desktop machine initiated the request for www.facebook.com, and this

107
00:08:09,060 --> 00:08:10,740
will work for any other website.

108
00:08:13,450 --> 00:08:20,110
We can see the requests for twitter.com, and if they were to input a password to an unencrypted

109
00:08:20,110 --> 00:08:26,140
website, such as, for example, let's say that they want to connect to a router and go right here and they

110
00:08:26,140 --> 00:08:30,190
type, for example, test and test and click on login.

111
00:08:31,420 --> 00:08:36,670
If I scroll a little bit up, we should manage to find the request where they send the password.
112
00:08:37,760 --> 00:08:43,310
And here it is. Here is the request where they send the password. We get the username test and the

113
00:08:43,310 --> 00:08:47,920
password is a hash value; however, we managed to get it.

114
00:08:47,930 --> 00:08:55,400
Nonetheless, it will work for any website that sends unencrypted data, for example on this website

115
00:08:55,400 --> 00:08:56,590
called vulnweb.com.

116
00:08:56,600 --> 00:09:00,320
If you go to the first link, which is this one, and I click on login,

117
00:09:01,760 --> 00:09:05,090
type username admin and password test, I click on login.

118
00:09:06,260 --> 00:09:12,260
And for some reason, it seems that it didn't manage to get it. Let's scroll a little bit up to see whether

119
00:09:12,260 --> 00:09:14,040
we can find it, and here it is.

120
00:09:14,420 --> 00:09:18,590
Here is the packet that we sent, including the username and password.

121
00:09:18,590 --> 00:09:21,330
We managed to sniff it from our Windows 10 machine.

122
00:09:22,160 --> 00:09:25,250
Here is the username admin and the password test.

123
00:09:26,270 --> 00:09:26,690
Great.

124
00:09:26,870 --> 00:09:31,280
This is one way that you can use Bettercap. Another way that you can use Bettercap

125
00:09:31,280 --> 00:09:37,280
is, if I exit out of this program, it will automatically start the arp.spoof and it will restore

126
00:09:37,430 --> 00:09:39,320
the ARP cache for our targets.

127
00:09:39,740 --> 00:09:45,500
And the way that we can run it with the command is we can just create a file called sniff.cap.

128
00:09:45,920 --> 00:09:51,740
And inside of this file we can type the commands that we typed previously, which is net.probe on.

129
00:09:52,280 --> 00:10:00,590
We also want to set arp.spoof.fullduplex to true in order to also spoof the target and

130
00:10:00,590 --> 00:10:01,120
the router.
131
00:10:01,550 --> 00:10:08,840
And we also want to set arp.spoof.targets to the IP address of our target machine.

132
00:10:09,680 --> 00:10:15,950
After that we set net.sniff.local to true, which means only the packets that are

133
00:10:15,950 --> 00:10:23,770
coming from and to this machine, and then we type arp.spoof on and net.sniff on.

134
00:10:24,410 --> 00:10:26,490
These are all of the commands that we must run.

135
00:10:26,510 --> 00:10:32,810
So all we need to do is save this in a file called sniff.cap, and then we can run the command

136
00:10:32,810 --> 00:10:33,200
bettercap

137
00:10:33,200 --> 00:10:40,460
-iface, and iface stands for interface, where we need to specify the interface of our machine.

138
00:10:40,850 --> 00:10:45,680
Since on Kali Linux, the only active interface that I have is eth0.

139
00:10:46,370 --> 00:10:52,100
Once I've specified that, all I need to specify is another option, which is -caplet, and then the

140
00:10:52,100 --> 00:10:54,110
name of the file containing our commands.

141
00:10:54,800 --> 00:10:58,070
And this will do everything that we just did automatically.

142
00:10:58,490 --> 00:11:04,700
So if I press enter, it will set all of the settings that we did and it will start sniffing for different

143
00:11:04,700 --> 00:11:05,380
connections.

144
00:11:05,510 --> 00:11:09,470
For example, if I go right here and try to refresh Facebook,

145
00:11:11,030 --> 00:11:17,660
it will sniff that request to Facebook, and this is one way that we can perform a man in the middle attack.

146
00:11:18,410 --> 00:11:22,700
In the next video, we're going to check out another tool that will allow us to perform this attack

147
00:11:22,940 --> 00:11:25,820
that you might actually find a little bit easier to use.

148
00:11:26,840 --> 00:11:27,620
Thank you for watching.

149
00:11:27,620 --> 00:11:29,060
And we'll see you in the next video.