1
00:00:01,860 --> 00:00:03,570
Hello and welcome, everyone.

2
00:00:04,440 --> 00:00:10,340
So in this video, we are going to see SSRF attacks against another back-end system.

3
00:00:11,070 --> 00:00:16,260
So in the previous video we saw how we can attack our own system.

4
00:00:16,470 --> 00:00:22,500
But now we are going to see how we can attack any other back-end system which is running in the same

5
00:00:22,500 --> 00:00:24,310
network of the organization.

6
00:00:25,740 --> 00:00:33,510
So we are going to scan the target machine, which has the admin interface on the port, and we are

7
00:00:33,510 --> 00:00:37,260
going to use it to perform more sensitive actions.

8
00:00:37,950 --> 00:00:38,420
All right.

9
00:00:38,850 --> 00:00:45,630
So to understand this principle, let's see a quick animation. So you can see here is the attacker.

10
00:00:46,500 --> 00:00:53,130
And there is a vulnerable web application, which is example.com, which is vulnerable to SSRF, and

11
00:00:53,130 --> 00:00:59,830
there is one more application in the same network of the organization, which is awesome-app.com.

12
00:01:01,230 --> 00:01:08,100
So first the attacker is going to send a request to example.com, and the request is going to be a

13
00:01:08,100 --> 00:01:16,230
GET request of, let's say, he wants to access the admin portal on the host example.com, with the

14
00:01:16,230 --> 00:01:19,320
URL in the body of example.com.

15
00:01:20,980 --> 00:01:27,370
So it is going to reply with a response which is going to be Forbidden.

16
00:01:28,540 --> 00:01:37,090
Now the attacker is going to send one more request, that is a GET request again to the /admin portal

17
00:01:37,630 --> 00:01:45,550
on the host example.com, but in the URL parameter in the body that specifies

18
00:01:45,700 --> 00:01:47,770
awesome-app.com/admin,

19
00:01:48,160 --> 00:01:51,580
where the actual admin portal is hosted.
20
00:01:52,480 --> 00:01:59,290
So this time the vulnerable application example.com is going to send a request to awesome-app.com,

21
00:01:59,290 --> 00:02:06,640
which is specified in the main request which has been sent by the attacker, and the web application,

22
00:02:06,640 --> 00:02:07,540
which is awesome-app.com,

23
00:02:07,570 --> 00:02:15,940
in return gives the response to example.com, which it sends back to the attacker's browser

24
00:02:16,030 --> 00:02:17,580
or attacker's screen.

25
00:02:18,010 --> 00:02:24,880
And this way the attacker is able to get the sensitive information from the web application, which

26
00:02:24,880 --> 00:02:29,830
is awesome-app.com, through the vulnerable example.com machine.

27
00:02:30,880 --> 00:02:34,560
So I hope you guys understood this. Now, what is the impact?

28
00:02:35,450 --> 00:02:41,060
The impact is exactly the same that we have seen in the previous video, in which the attacker is able

29
00:02:41,060 --> 00:02:46,460
to exploit this SSRF in the web application's own system.

30
00:02:48,200 --> 00:02:55,190
So what are the steps that we are going to do? So we will exploit our application to induce requests

31
00:02:55,730 --> 00:03:01,760
to the back-end server by bypassing the access control. As we saw in the animation, we're going to

32
00:03:01,760 --> 00:03:09,200
send requests to another server and perform sensitive actions. After we have performed sensitive actions

33
00:03:09,200 --> 00:03:16,540
as an unauthenticated user, not being admin, we will confirm that our attack was successful.

34
00:03:17,790 --> 00:03:19,210
So it is practical time.

35
00:03:19,230 --> 00:03:26,910
And let's quickly jump on to see how we can perform this exercise of attack against another back-end system

36
00:03:27,090 --> 00:03:28,690
in the same network. See over here.

37
00:03:28,860 --> 00:03:34,500
This is the lab that we are going to solve, which is Basic SSRF against another back-end system.
38
00:03:35,250 --> 00:03:40,890
Now, let me just click on Access Lab and we can start this lab. Before that,

39
00:03:40,890 --> 00:03:47,790
you can see the question is: to solve the lab, use the stock check functionality to scan the internal

40
00:03:47,790 --> 00:03:55,560
network, which is 192.168.0.X, which means you do not know the target system as it is

41
00:03:55,560 --> 00:03:56,880
given as X.

42
00:03:57,210 --> 00:04:07,080
So we need to find the target system from the range for the admin interface, which is running on port 8080,

43
00:04:07,080 --> 00:04:10,320
and then we are going to delete the user that is Carlos.

44
00:04:10,890 --> 00:04:16,010
So let's quickly begin with the lab, and you can see this is the web application.

45
00:04:16,020 --> 00:04:17,610
Let me click on View details.

46
00:04:17,610 --> 00:04:20,200
And here is the Check stock functionality.

47
00:04:20,940 --> 00:04:25,640
Let me quickly set up Burp Suite, and I'm going to intercept this request in my Burp.

48
00:04:26,610 --> 00:04:32,970
Now for this video, I have used my Professional edition for scanning the range.

49
00:04:32,970 --> 00:04:37,880
I'm going to use Intruder just not to make the video much longer.

50
00:04:38,040 --> 00:04:43,380
I'm going to increase the threads in my Intruder so it does the process a little bit faster.

51
00:04:44,340 --> 00:04:50,370
You are good to go with the Community Edition as well, because we can do the same thing on Community

52
00:04:50,370 --> 00:04:56,240
Edition, but just your requests are going to be a little bit slow, but it should do the job for you

53
00:04:56,250 --> 00:04:57,630
and it's exactly the same.

54
00:04:58,640 --> 00:05:05,240
You just do not get to tune your requests, which means you cannot make them faster in the Community

55
00:05:05,240 --> 00:05:05,690
Edition.

56
00:05:06,170 --> 00:05:11,030
Other than that, it is exactly the same and works perfectly fine.

57
00:05:11,870 --> 00:05:12,200
All right.
58
00:05:12,200 --> 00:05:14,360
So this is the request that we have got.

59
00:05:14,690 --> 00:05:17,000
So I'm going to send this request to Repeater.

60
00:05:18,260 --> 00:05:23,060
Now, once it is in the Repeater tab, we are going to do the inspection of this request.

61
00:05:23,510 --> 00:05:29,830
So you can see this is something that is passing in the parameter, which is stockApi equal to.

62
00:05:29,870 --> 00:05:34,370
So let us first send this to Decoder and see what exactly this is.

63
00:05:35,360 --> 00:05:41,660
And you can see this is the URL that has been passed, with this HTTP IP address, which is

64
00:05:41,660 --> 00:05:48,210
192.168.0.1 and port 8080, /product/stock/check, productId, and ready.

65
00:05:48,490 --> 00:05:48,880
All right.

66
00:05:49,460 --> 00:05:52,790
So now we know that in the question

67
00:05:52,790 --> 00:05:54,820
there was admin specified.

68
00:05:54,830 --> 00:06:03,830
So we are going to replace this with the IP address, which is 192.168.0.1:8080/admin, and let it

69
00:06:03,830 --> 00:06:07,800
go and see if we are able to access the admin portal.

70
00:06:08,510 --> 00:06:11,130
So this was just a random hit and trial.

71
00:06:11,150 --> 00:06:18,890
And you can see we got an error message, a 400 Bad Request, which is "Missing parameter", which

72
00:06:18,890 --> 00:06:23,710
means obviously this is not the correct machine or the server.

73
00:06:24,410 --> 00:06:27,340
So we need to identify which is the correct machine.

74
00:06:27,350 --> 00:06:33,730
For that, we are going to use Intruder and we are going to identify the right IP address from the range.

75
00:06:34,430 --> 00:06:36,230
So we just need to select this one.

76
00:06:36,470 --> 00:06:42,740
Click on Add, because this is our injection point, go to Payload type and use Numbers.
77
00:06:43,560 --> 00:06:50,510
So we are going to choose numbers from 0 to 254 to scan these many IP addresses with a step of

78
00:06:50,510 --> 00:06:53,420
one, and hit on Start attack.

79
00:06:55,060 --> 00:07:02,260
Now, when I hit on Start attack, it will automatically start scanning the IP addresses from the

80
00:07:02,260 --> 00:07:04,720
range, that is 0 to 254.

81
00:07:05,870 --> 00:07:11,040
And we are going to sort the results based on the status, as you can see over here.

82
00:07:12,290 --> 00:07:19,880
Let's just wait for this to complete, and then we are going to observe our results and identify which

83
00:07:19,880 --> 00:07:23,840
is the correct IP address of the back-end server which is running.

84
00:07:24,230 --> 00:07:29,780
And then we are going to get the admin status, or we are going to perform some sensitive actions.

85
00:07:30,710 --> 00:07:36,670
As you can see, this is the error that we get, "Invalid external stock check

86
00:07:36,680 --> 00:07:43,730
URL, invalid IPv4 address", when the IP is 192.168.0.0, because that is an invalid IP.

87
00:07:44,960 --> 00:07:51,050
You can see the "Missing parameter" error because this is the same IP, which is 192.168.0.1,

88
00:07:51,060 --> 00:07:54,440
with the error message that we have already received.

89
00:07:55,390 --> 00:08:01,300
Now, if you notice, over here we have finally got a status code of 200 on the payload, which is

90
00:08:01,300 --> 00:08:03,400
206. Perfect.

91
00:08:03,760 --> 00:08:11,060
So we have identified that the IP address is 192.168.0.206.

92
00:08:11,560 --> 00:08:16,030
You can also click on Status and you will be able to see the 200

93
00:08:16,030 --> 00:08:17,250
OK. Perfect.

94
00:08:17,260 --> 00:08:18,020
It is all here.

95
00:08:18,880 --> 00:08:24,370
Now, this proves that we have identified our target vulnerable system, which is running the admin

96
00:08:24,370 --> 00:08:25,030
interface.
97
00:08:25,510 --> 00:08:26,440
Let's confirm.

98
00:08:27,100 --> 00:08:28,510
Put this in Repeater, hit

99
00:08:28,510 --> 00:08:31,090
Go, and see if we are able to see.

100
00:08:31,300 --> 00:08:40,120
And you can see we have the admin portal access, and here are the three delete buttons, with administrator,

101
00:08:40,450 --> 00:08:41,600
Carlos and.

102
00:08:43,330 --> 00:08:48,370
So we need to delete Carlos to finish this lab and this exercise.

103
00:08:48,730 --> 00:08:51,270
So we are going to delete Carlos from here.

104
00:08:51,280 --> 00:08:56,740
As you can see, when I render it we're able to see the list of users, as we have successfully logged

105
00:08:56,740 --> 00:08:59,520
in to the admin panel, and these are the users.

106
00:08:59,950 --> 00:09:03,880
So let's just remove this and delete the user Carlos.

107
00:09:04,180 --> 00:09:05,410
And hit Go.

108
00:09:06,430 --> 00:09:06,940
Perfect.

109
00:09:06,970 --> 00:09:12,600
So we are able to delete the user, and let's see if we are able to complete our lab. And congratulations.

110
00:09:13,560 --> 00:09:13,940
Awesome.

111
00:09:14,000 --> 00:09:15,790
So we have successfully solved our lab.

112
00:09:16,540 --> 00:09:17,920
So I hope you guys understood

113
00:09:17,920 --> 00:09:19,340
how we did this.

114
00:09:20,230 --> 00:09:21,550
Let me give a quick recap.

115
00:09:22,030 --> 00:09:30,400
First of all, we identified that the stock parameter is vulnerable, because it was given in the hints.

116
00:09:31,250 --> 00:09:37,310
The next thing that we did was we needed to identify the correct server, which is the back-end server

117
00:09:37,340 --> 00:09:40,010
or the IP address from the range.

118
00:09:40,070 --> 00:09:43,000
So we did that using Intruder.

119
00:09:43,250 --> 00:09:51,750
So we brute-forced the IP from 0 to 254, and based on the status code we identified a 200

120
00:09:51,770 --> 00:09:53,270
OK on one IP.
121
00:09:54,160 --> 00:10:00,790
And we successfully identified that the admin interface or the admin portal was running on that IP address,

122
00:10:01,570 --> 00:10:03,980
and then we successfully deleted the user.

123
00:10:04,690 --> 00:10:06,190
So I hope you guys understood this.

124
00:10:06,400 --> 00:10:06,940
Thank you.