1 00:00:01,010 --> 00:00:02,680 Oh, yes, there's plenty more to do.
2 00:00:03,580 --> 00:00:09,640 There are several tools to perform an ARP spoof attack, such as arpspoof, the command line tool,
3 00:00:09,640 --> 00:00:17,230 which is embedded in Kali, but we're going to use Ettercap for the demonstration of the ARP spoof attack.
4 00:00:18,250 --> 00:00:27,490 Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN.
5 00:00:28,500 --> 00:00:35,730 It works by putting the network interface into promiscuous mode and by ARP poisoning the target machines,
6 00:00:36,540 --> 00:00:41,940 thereby it can act as a man in the middle and unleash various attacks on the victims.
7 00:00:42,850 --> 00:00:49,690 Ettercap has both a command line interface version and a graphical user interface version, let's see them
8 00:00:49,690 --> 00:00:50,310 both in action.
9 00:00:52,860 --> 00:00:55,500 First, let me show you the command line version of Ettercap.
10 00:00:56,440 --> 00:00:59,380 So this is my network created in three.
11 00:01:00,620 --> 00:01:05,480 I have a Kali, an OWASP BWA and a Metasploitable VM in the network.
12 00:01:06,590 --> 00:01:14,210 Let's use ifconfig inside the VMs to check the IP addresses and the other interface configurations as
13 00:01:14,210 --> 00:01:14,590 well.
14 00:01:15,940 --> 00:01:18,560 So ping each other to be sure that they can communicate.
15 00:01:19,200 --> 00:01:19,620 OK.
16 00:01:21,440 --> 00:01:29,480 Now I go to Kali, open a terminal screen and do the same here, check the interface configuration and
17 00:01:29,480 --> 00:01:30,590 ping the other VMs.
18 00:01:36,500 --> 00:01:37,780 Yep, everything's OK.
19 00:01:39,000 --> 00:01:46,170 So let's look at the ARP table of Metasploitable: type arp -n and press enter.
20 00:01:47,250 --> 00:01:54,600 So currently, there are two records in the ARP table of Metasploitable, one for Kali and one for OWASP BWA.
21 00:01:55,960 --> 00:02:02,830 Now, let me show you something: if you want to perform an ARP spoof attack, you should enable IP
22 00:02:02,830 --> 00:02:09,880 forwarding in your attacker system so that the packets will not end on your attacker system and will be forwarded
23 00:02:09,880 --> 00:02:11,140 to the destination system.
24 00:02:11,500 --> 00:02:15,340 Otherwise, you'll block the traffic between the victim and the spoofed system.
25 00:02:16,320 --> 00:02:17,160 Check that out.
26 00:02:18,280 --> 00:02:23,230 So IP forwarding is managed by a variable, ip_forward, in Kali.
27 00:02:24,540 --> 00:02:27,300 And to look at the file's content, type
28 00:02:28,650 --> 00:02:38,940 cat /proc/sys/net/ipv4/ip_forward and press enter.
29 00:02:40,400 --> 00:02:45,110 Its value is zero, so to enable it, it has to be one, so I'll change it.
30 00:02:46,200 --> 00:02:52,350 You can open the file with a text editor and change the value, but here I'll just simply use the echo
31 00:02:52,350 --> 00:02:53,520 command for this purpose.
32 00:02:54,820 --> 00:02:55,630 echo 1,
33 00:02:56,670 --> 00:02:59,790 greater-than sign, the entire file name.
34 00:03:02,950 --> 00:03:04,440 So check the file again.
35 00:03:05,570 --> 00:03:07,820 And yes, its value is now one.
36 00:03:09,540 --> 00:03:17,280 Now, please note that Ettercap enables IP forwarding automatically, even if you don't enable it manually.
37 00:03:17,610 --> 00:03:17,990 All right.
38 00:03:18,000 --> 00:03:21,830 I want you to know what's happening behind the scenes, so to speak.
39 00:03:23,500 --> 00:03:30,160 All right, so now is the time of the attack. Before creating the command, let's see the manual of Ettercap.
40 00:03:30,940 --> 00:03:34,420 So type man ettercap and press enter.
41 00:03:35,610 --> 00:03:40,770 So here's the short definition and the long description, targets.
42 00:03:47,930 --> 00:03:51,290 -M for man-in-the-middle (MITM) attack.
43 00:03:52,190 --> 00:04:00,820 So these are the MITM attack types: ARP is the first one, and the others are ICMP, DHCP, et cetera.
44 00:04:04,420 --> 00:04:10,120 And here are the user interface options: -T for the text-only interface.
45 00:04:10,660 --> 00:04:12,540 Anyway, let's just create the command.
46 00:04:13,210 --> 00:04:22,870 So first, the command itself, ettercap, -i the interface, eth0, -T for the text-only interface type,
47 00:04:24,160 --> 00:04:31,630 -M to make it a MITM attack, and select a MITM attack type: arp:remote.
48 00:04:33,120 --> 00:04:40,020 So the first IP specifies the IP address which will be spoofed, and the second IP address is the victim
49 00:04:40,030 --> 00:04:46,650 system, so that means there will be a row in Metasploitable's ARP table with Kali's MAC address
50 00:04:46,680 --> 00:04:49,770 and OWASP BWA's IP address.
51 00:04:50,730 --> 00:04:57,030 And that means when Metasploitable wants to send a packet to OWASP BWA, it will be sent
52 00:04:57,030 --> 00:04:58,100 to Kali instead.
53 00:04:58,590 --> 00:04:58,970 Right.
54 00:04:59,760 --> 00:05:06,660 And with the help of IP forwarding, the packet will arrive at OWASP BWA finally.
55 00:05:08,780 --> 00:05:16,460 Now, please don't forget to use these slashes at the beginning and end of each IP address. The command
56 00:05:16,460 --> 00:05:17,210 is ready to run.
57 00:05:17,750 --> 00:05:19,280 So let's see what it does.
58 00:05:19,370 --> 00:05:19,940 Hit enter.
59 00:05:21,890 --> 00:05:25,250 And here's a summary of the attack: the victims,
60 00:05:26,670 --> 00:05:34,220 interface, type, etc. Now go to Metasploitable and type arp -n to see the table again.
61 00:05:35,100 --> 00:05:42,360 And as you can see here, the first record is for Kali, so please look at the MAC address, and the
62 00:05:42,360 --> 00:05:45,720 second record is for OWASP BWA,
63 00:05:46,350 --> 00:05:53,700 but with the attacker's MAC address. Any packet sent from Metasploitable to OWASP BWA will visit
64 00:05:53,700 --> 00:05:54,450 Kali now.
65 00:05:55,680 --> 00:06:01,050 So let's create a telnet connection to port 80 of OWASP BWA.
66 00:06:02,900 --> 00:06:18,670 Type telnet, OWASP BWA's IP and the port 80, now hit enter, type GET / HTTP/1.0 and press enter twice.
67 00:06:19,880 --> 00:06:25,280 And here is the HTTP response, the main page of OWASP BWA.
68 00:06:27,240 --> 00:06:29,510 Now, let's go back to Kali and see what happens.
69 00:06:30,760 --> 00:06:37,780 So these are all the TCP packets sent from Metasploitable to OWASP BWA: ACK packet, FIN packet,
70 00:06:37,780 --> 00:06:41,440 and scroll up a bit and here's the telnet connection's
71 00:06:41,440 --> 00:06:44,160 result, the HTTP response.
72 00:06:44,530 --> 00:06:45,430 Keep going up.
73 00:06:46,090 --> 00:06:48,310 We can find some other critical data here too.
74 00:06:51,120 --> 00:06:53,640 And here are some credentials, for example.
75 00:06:55,340 --> 00:07:01,080 In the terminal screen where Ettercap is running, you can use Ctrl+C to end the attack.
76 00:07:01,580 --> 00:07:02,740 So there it is.
77 00:07:02,750 --> 00:07:03,260 It's stopped.
78 00:07:04,890 --> 00:07:08,190 Now go back to Metasploitable and look at the ARP table again.
79 00:07:09,450 --> 00:07:14,810 Now, the IP address of OWASP BWA is matched with the correct MAC address.
80 00:07:17,600 --> 00:07:22,790 Now, you might remember what I told you before that, well, I hope you remember everything that I
81 00:07:22,790 --> 00:07:29,340 told you before, but in particular, Ettercap has a graphical user interface as well.
82 00:07:29,840 --> 00:07:32,300 So let's have a look at the Ettercap GUI right now.
83 00:07:33,700 --> 00:07:41,140 Again, we're in Kali. Click the Show Applications menu item and type ettercap, and here you go, you'll
84 00:07:41,140 --> 00:07:42,580 find the Ettercap GUI.
85 00:07:43,440 --> 00:07:47,970 So these are both Ettercap GUI apps, you can just simply click one of them.
86 00:07:49,100 --> 00:07:56,390 I want to show you, though, another way to start the app: from the upper left corner, Applications, go
87 00:07:56,390 --> 00:08:01,550 to Sniffing & Spoofing tools and select Ettercap GUI.
88 00:08:02,820 --> 00:08:07,230 OK, so here we are at the main panel of the Ettercap GUI.
89 00:08:08,550 --> 00:08:14,040 We'd better check the network, so I'll open up a terminal screen and ping the other VMs, Metasploitable
90 00:08:14,040 --> 00:08:15,450 and OWASP BWA.
91 00:08:22,490 --> 00:08:29,990 Yeah, everything looks OK, so go to the Sniff menu of Ettercap and select Unified sniffing.
92 00:08:31,190 --> 00:08:33,830 It asks for the network interface; eth0 is good.
93 00:08:34,480 --> 00:08:39,320 Click OK. If you look at the Ettercap menu, it's totally different now.
94 00:08:40,550 --> 00:08:48,170 Go to Hosts and select Scan for hosts. It's a kind of ping scan to find out the devices of the
95 00:08:48,170 --> 00:08:52,100 network. It found five devices and added them to the hosts list.
96 00:08:53,400 --> 00:09:01,680 Go back to Hosts again and now select Hosts list, and here's the list. Very nice, works well.
97 00:09:03,050 --> 00:09:08,180 One nine two one six eight one zero one one is OWASP BWA.
98 00:09:08,810 --> 00:09:14,600 So this is the system that we'll spoof, so select it and click Add to Target 2.
99 00:09:16,240 --> 00:09:21,790 So one nine two one six eight one zero eight one two is Metasploitable, that's our victim.
100 00:09:22,360 --> 00:09:27,730 So we'll change its ARP table: select it and click Add to Target 1.
101 00:09:30,160 --> 00:09:31,940 I think now we're ready to attack.
102 00:09:31,960 --> 00:09:32,530 What do you think?
103 00:09:33,040 --> 00:09:37,840 All right, so let's go to Mitm and click ARP poisoning.
104 00:09:39,600 --> 00:09:43,740 OK, check the Sniff remote connections option and click OK.
105 00:09:44,740 --> 00:09:49,870 And the final step, go to Start and select Start sniffing.
106 00:09:50,980 --> 00:09:52,240 So the attack has begun.
107 00:09:53,420 --> 00:10:01,180 Let's go to Metasploitable and see the attack result. To see the ARP table, type arp -n and press enter.
108 00:10:02,430 --> 00:10:10,170 The first row is for OWASP BWA, but the MAC address is Kali's MAC. To show it, now I'll ping Kali
109 00:10:10,170 --> 00:10:11,490 to create the ARP record.
110 00:10:13,590 --> 00:10:21,450 Run the command again, and now I have another row for Kali, and both Kali and OWASP BWA have the same
111 00:10:21,720 --> 00:10:22,560 MAC address.
112 00:10:23,480 --> 00:10:30,050 OK, you know the rest: the packets will be sent to Kali instead of OWASP BWA, so if you like, you
113 00:10:30,050 --> 00:10:33,970 can open Wireshark and collect the fruits of your labor.
114 00:10:34,160 --> 00:10:34,790 Enjoy it.