1 00:00:00,060 --> 00:00:05,080 So this is exactly how hackers create what we call a phishing website or fake website.
2 00:00:05,190 --> 00:00:10,320 And once you clicked on it because you tend to go to the website, you log into the website, it will
3 00:00:10,320 --> 00:00:12,150 make your account do funny stuff.
4 00:00:23,470 --> 00:00:28,420 So over here on the left side I have Kali Linux running and what I can do now is to go ahead and open up,
5 00:00:28,420 --> 00:00:31,830 say, any browsers. In this case we open up Firefox.
6 00:00:32,260 --> 00:00:38,290 So once I've opened up Firefox, enter the IP address or the domain name that we were targeting as a
7 00:00:38,290 --> 00:00:38,670 website.
8 00:00:38,680 --> 00:00:43,630 So in this case, we have one or two one six eight zero one five six.
9 00:00:43,840 --> 00:00:49,780 And of course we have port eight zero eight zero, WebGoat slash login.
10 00:00:49,790 --> 00:00:51,820 So let's go ahead and log into the website.
11 00:00:51,820 --> 00:00:54,430 So you have not yet registered into this website.
12 00:00:54,430 --> 00:00:56,110 Go ahead and register that.
13 00:00:56,110 --> 00:01:00,430 So we have already done the registration so we can enter the user name and of course we can enter the
14 00:01:00,430 --> 00:01:03,640 password and we can go and log in right into WebGoat.
15 00:01:03,640 --> 00:01:09,760 So WebGoat is a vulnerable web application system for us to run all our ethical hacking techniques.
16 00:01:09,790 --> 00:01:11,830 And remember, hacking is illegal.
17 00:01:11,830 --> 00:01:18,040 If you want to hack, run it inside your own lab environment and on the bottom left so we can look at
18 00:01:18,040 --> 00:01:19,110 request forgeries.
19 00:01:19,120 --> 00:01:21,370 So let's go ahead and click on cross-site
20 00:01:21,400 --> 00:01:22,360 request forgery.
21 00:01:22,840 --> 00:01:26,060 So cross-site request forgery is actually very easy to understand.
22 00:01:26,380 --> 00:01:29,200 So as you can see here, we have a link.
23 00:01:29,410 --> 00:01:35,980 So this is a hyperlink, a href, bank dot com slash transfer, account number.
24 00:01:36,340 --> 00:01:36,670 All right.
25 00:01:36,670 --> 00:01:41,950 And of course, we can see over here account number from, account number to, and an amount.
26 00:01:42,100 --> 00:01:42,370 All right.
27 00:01:42,410 --> 00:01:45,400 So this is what you typically see under the URL
28 00:01:45,400 --> 00:01:50,170 as you input different actions into, say, an e-commerce site to add a product.
29 00:01:50,380 --> 00:01:50,730 All right.
30 00:01:50,740 --> 00:01:55,120 If you want to do a look up of your account profile, you'll be able to see, for example, your
31 00:01:55,120 --> 00:01:59,410 account ID and all those different information, integral and of course, do.
32 00:01:59,410 --> 00:02:02,310 What's the and you see the following, View my Pictures.
33 00:02:02,440 --> 00:02:07,510 So what are the hackers trying to do here is to trick you into clicking the link.
34 00:02:07,510 --> 00:02:11,830 And because you already logged in to the website and because you already logged into the website, it will
35 00:02:11,830 --> 00:02:12,630 make your account
36 00:02:12,910 --> 00:02:19,300 do those actions that a hacker wanted to do. In this case, for example, it is account number from, account
37 00:02:19,300 --> 00:02:23,090 number to, and of course, an amount out of your bank account.
38 00:02:23,770 --> 00:02:27,310 So in lesson number four, post a review on someone else's behalf.
39 00:02:27,310 --> 00:02:32,320 As you can see right here at the bottom, we have John Doe is selling this particular poster, read
40 00:02:32,320 --> 00:02:33,100 reviews below.
41 00:02:33,520 --> 00:02:36,640 And we can see here Lilling, five stars, hacked by Loi.
42 00:02:37,180 --> 00:02:38,590 This is an awesome tutorial.
43 00:02:38,590 --> 00:02:39,370 And so on, so forth.
44 00:02:39,370 --> 00:02:43,150 So we can see the username and we can see as well as the review.
45 00:02:43,150 --> 00:02:44,900 And of course you can input a star.
46 00:02:45,340 --> 00:02:50,690 So what we can do now is to do a right click, inspect element, to look at the form.
47 00:02:51,130 --> 00:02:57,610 So this is the part what we'll be learning about how we can send information on behalf of the user so
48 00:02:57,610 --> 00:02:58,180 we can do a right
49 00:02:58,180 --> 00:03:00,120 click and edit as HTML.
50 00:03:00,250 --> 00:03:00,550 Right.
51 00:03:00,670 --> 00:03:03,010 And you can select everything and I can do a right
52 00:03:03,010 --> 00:03:03,990 click and copy it.
53 00:03:04,330 --> 00:03:07,030 So now we will open up a text editor.
54 00:03:07,270 --> 00:03:13,090 So in this case we can use Mousepad and go ahead and open it up and we can paste the form that we have
55 00:03:13,090 --> 00:03:15,760 just copied over here and I can save it into home.
56 00:03:15,790 --> 00:03:21,460 Or in this case, I'll call it csrf hijacked dot html.
57 00:03:21,460 --> 00:03:23,260 Of course I can go in and click save.
58 00:03:23,560 --> 00:03:23,950 All right.
59 00:03:24,830 --> 00:03:27,770 And we replace the file that I was testing earlier.
60 00:03:28,090 --> 00:03:29,290 So now we have the form.
61 00:03:29,290 --> 00:03:29,510 All right.
62 00:03:29,530 --> 00:03:34,090 And we can see over here with input, form-control and so on and so forth, so we can go ahead and get
63 00:03:34,090 --> 00:03:34,740 rid of a class.
64 00:03:34,750 --> 00:03:39,340 So in case they're using certain controls and a JavaScript and so on and so forth, so we can go in and
65 00:03:39,340 --> 00:03:40,150 remove all those.
66 00:03:40,630 --> 00:03:41,710 And here we have the ID.
67 00:03:41,710 --> 00:03:46,240 So we'll leave the ID as it is because this information will be sent over into the application server
68 00:03:46,240 --> 00:03:47,050 for processing.
69 00:03:47,620 --> 00:03:48,640 Next, we have a name.
70 00:03:48,760 --> 00:03:49,000 All right.
71 00:03:49,040 --> 00:03:54,250 So likewise, it could be used, or in this case, we also have placeholder, Add a Review, so we can easily
72 00:03:54,250 --> 00:03:55,430 change up the placeholder.
73 00:03:55,830 --> 00:04:00,280 And we can enter, say, for example, hacked by Loi, OK, and we have the type equal text.
74 00:04:00,910 --> 00:04:05,350 And of course, all you're going to do right now is go ahead and open up this file that we have just created
75 00:04:06,010 --> 00:04:06,910 so I can enter.
76 00:04:07,500 --> 00:04:07,650 Right.
77 00:04:07,860 --> 00:04:14,080 In this case we can just go ahead, enter firefox followed by csrf hijacked dot html, hit enter on that
78 00:04:14,110 --> 00:04:15,130 and it opens up a new tab.
79 00:04:15,130 --> 00:04:20,830 And we can see right here we have a new form, a newly created form by us, hosted in our local computer.
80 00:04:20,980 --> 00:04:21,280 All right.
81 00:04:21,280 --> 00:04:27,850 And whoever submits it from here will be able to send all those details, all the information, the commands
82 00:04:27,850 --> 00:04:33,160 to start the rating and all these different details from our local computer all the way into web application
83 00:04:33,160 --> 00:04:33,570 system.
84 00:04:34,150 --> 00:04:36,850 So how can we bring this to the next level?
85 00:04:37,180 --> 00:04:40,990 What we can do now is to go ahead and change the information here.
86 00:04:41,440 --> 00:04:46,930 So instead of using a text which will be shown to the user, we can change the type to hidden and next
87 00:04:46,930 --> 00:04:47,050 up.
88 00:04:47,050 --> 00:04:49,210 We can enter the value on behalf of the user.
89 00:04:49,210 --> 00:04:56,020 In this case, we can enter, say, the review text. The review text, we can say Hacker Loi is awesome.
90 00:04:56,650 --> 00:05:00,610 I will want to subscribe to the channel.
91 00:05:00,610 --> 00:05:01,900 Subscribe to the channel.
92 00:05:02,710 --> 00:05:06,200 And turn on notification right now.
93 00:05:06,250 --> 00:05:10,510 OK, so again, this is a really, really good, fantastic review.
94 00:05:10,570 --> 00:05:12,880 Of course, we have here review stars, in this case likewise.
95 00:05:12,880 --> 00:05:16,870 So we can change this to hidden and we can enter value on behalf of the user.
96 00:05:16,990 --> 00:05:18,830 So I can enter five.
97 00:05:18,970 --> 00:05:20,230 This is five star rating.
98 00:05:20,240 --> 00:05:22,220 OK, Fantastic Four Stars.
99 00:05:22,240 --> 00:05:22,540 All right.
100 00:05:22,900 --> 00:05:24,100 This is a perfect review.
101 00:05:24,340 --> 00:05:26,830 And what we can do now is right before an input.
102 00:05:26,830 --> 00:05:29,560 I can enter the following, OK, right before the submit button.
103 00:05:29,560 --> 00:05:30,490 I can enter the following.
104 00:05:30,730 --> 00:05:33,520 I can enter click this submit button.
105 00:05:33,850 --> 00:05:37,180 You get your hundred dollar voucher now.
106 00:05:37,210 --> 00:05:43,720 OK, so once we save it I go back to the page, refresh it and we can see right here click this submit
107 00:05:43,720 --> 00:05:45,640 button to get your one hundred dollars voucher right now.
108 00:05:45,940 --> 00:05:48,790 So one last thing that we need to confirm is the action.
109 00:05:49,000 --> 00:05:55,060 So this is where we'll be posting into so I can enter HTTP, followed by IP address one or two one six eight
110 00:05:55,180 --> 00:05:56,200 zero two one five six.
111 00:05:56,200 --> 00:06:00,890 Followed by port eight zero eight zero slash WebGoat csrf review.
112 00:06:00,940 --> 00:06:01,190 All right.
113 00:06:01,270 --> 00:06:03,970 So this submit button to get your one hundred dollar voucher now.
114 00:06:04,420 --> 00:06:07,720 So once we have said this for it, I can go in and refresh this, OK?
115 00:06:07,720 --> 00:06:13,720 And once I click on the review, if you see carefully, in three, two, one, I clicked on it.
116 00:06:14,530 --> 00:06:15,070 That's it.
117 00:06:15,070 --> 00:06:16,060 Lesson completed.
118 00:06:16,060 --> 00:06:16,420 True.
119 00:06:16,600 --> 00:06:18,520 It appears you submitted correctly from another site.
120 00:06:18,520 --> 00:06:20,410 Go reload and see if your post is there.
121 00:06:20,950 --> 00:06:24,190 So what do we just do before a review?
122 00:06:24,190 --> 00:06:27,190 And now if I do a refresh, I close the web developer.
123 00:06:27,190 --> 00:06:28,210 I do a refresh.
124 00:06:28,390 --> 00:06:28,720 All right.
125 00:06:28,750 --> 00:06:31,420 I go to request forgeries, cross-site request forgery.
126 00:06:31,480 --> 00:06:32,590 Click on lesson four.
127 00:06:33,010 --> 00:06:36,340 I scroll down and you can see right here, Hacker Loi is awesome.
128 00:06:36,340 --> 00:06:40,180 I will want to subscribe to the channel and turn on notification right now.
129 00:06:40,360 --> 00:06:46,720 OK, so very quickly, we're able to create a fake HTML page and we can send it to anybody and once
130 00:06:46,720 --> 00:06:52,570 they click on it, that's it, we'll be able to trick them into clicking this button and it'll be one
131 00:06:52,570 --> 00:06:53,320 hundred dollars value.
132 00:06:53,320 --> 00:06:58,380 But once they click done, it will be able to do all sorts of instruction and commands into your account.
133 00:06:58,510 --> 00:06:58,870 All right.
134 00:06:59,350 --> 00:07:01,210 So how can we bring this to the next level?
135 00:07:01,450 --> 00:07:05,260 What we can do now is to go ahead and start up our application server.
136 00:07:05,260 --> 00:07:05,490 All right.
137 00:07:05,530 --> 00:07:10,980 So we can enter a web application server, can enter sudo systemctl start apache
138 00:07:11,260 --> 00:07:11,730 All right.
139 00:07:12,160 --> 00:07:15,180 2 dot service and enter on that, enter your password.
140 00:07:15,940 --> 00:07:17,710 So now it started the Apache server.
141 00:07:17,920 --> 00:07:22,330 So what we can do is to go in and transfer the file over into overwrote doped up.
142 00:07:22,330 --> 00:07:22,570 All right.
143 00:07:22,570 --> 00:07:27,670 So as you can see here, we have a lot of pages that we've created for you to learn all about ethical
144 00:07:27,670 --> 00:07:28,120 hacking.
145 00:07:28,270 --> 00:07:32,110 And of course, here we have the csrf hijacked dot html.
146 00:07:32,110 --> 00:07:33,580 So we go ahead and transfer that file.
147 00:07:33,580 --> 00:07:36,700 So copy the file or you can copy, you can do a move.
148 00:07:36,700 --> 00:07:40,480 Whichever is your favorite choice by XHTML hit enter on that.
149 00:07:40,720 --> 00:07:41,000 All right.
150 00:07:41,030 --> 00:07:41,650 Permission denied.
151 00:07:41,660 --> 00:07:42,190 No worries.
152 00:07:42,190 --> 00:07:45,220 Use super super user do, hit enter on that.
153 00:07:45,310 --> 00:07:52,000 So we have transferred the file, csrf hijacked dot html, copying it over into via HTML.
154 00:07:52,450 --> 00:07:56,440 So right here we have the file and we also have our IP address of our Kali Linux machine.
155 00:07:56,560 --> 00:08:02,230 So all I'm going to do now is to go ahead and open up the site and we can enter IP address so we can all
156 00:08:02,260 --> 00:08:06,910 call the IP address of one or two one six eight nine zero one zero six.
157 00:08:06,910 --> 00:08:08,620 I go back to the browser.
158 00:08:08,620 --> 00:08:15,190 I entered a website link one two one six zero zero one zero six four by slash and we can paste in
159 00:08:15,190 --> 00:08:18,970 right here csrf hijacked dot html and that's it.
160 00:08:19,000 --> 00:08:24,610 We hosted our phishing website and all you're going to do if you want to put it onto the Internet is to
161 00:08:24,610 --> 00:08:26,470 actually enable port forwarding.
162 00:08:26,470 --> 00:08:30,820 And what hackers would do is to people upload all this different kind of fake documents into different
163 00:08:30,820 --> 00:08:31,870 kind of cloud providers.
164 00:08:31,870 --> 00:08:34,390 So a lot of cloud providers give free trial, and hackers,
165 00:08:34,390 --> 00:08:38,260 what they would do is they would take advantage of those free trials, create all these phishing sites.
166 00:08:38,260 --> 00:08:40,990 Once you click on it, you'll do up a Bitly link.
167 00:08:41,170 --> 00:08:43,030 It's a shortened link, a shortened form.
168 00:08:43,030 --> 00:08:43,690 You clicked on it.
169 00:08:43,690 --> 00:08:44,110 That's it.
170 00:08:44,110 --> 00:08:44,860 Game over.
171 00:08:44,860 --> 00:08:47,380 But you have to verify who are sending you all those links.
172 00:08:47,710 --> 00:08:50,340 And if they are malicious intent, you've no idea who they are.
173 00:08:50,380 --> 00:08:51,880 Delete away those messages.
174 00:08:52,180 --> 00:08:54,520 So once again I hope you learned something valuable in today's tutorial.
175 00:08:54,700 --> 00:08:58,360 If you have any questions, feel free to leave a comment below, I'll try my best to answer any of your questions.
176 00:08:58,720 --> 00:09:02,820 Like, share, subscribe to the channel so that you can be kept abreast of the latest cybersecurity tutorial.
177 00:09:02,920 --> 00:09:04,300 Thanks so much once again for watching.