1
00:00:00,710 --> 00:00:07,220
Now in this lecture I want to show you how to use Wireshark to discover data sent through forms whenever

2
00:00:07,220 --> 00:00:08,990
someone fills up a form.

3
00:00:09,050 --> 00:00:16,310
And obviously this will allow us to get usernames and passwords if people log in to their accounts.

4
00:00:16,310 --> 00:00:20,510
So I'm already running bettercap, so I'm already the man in the middle.

5
00:00:20,750 --> 00:00:22,170
And in Wireshark here,

6
00:00:22,190 --> 00:00:27,680
I'm just going to start a new capture, so I'm going to continue without saving this one.

7
00:00:27,770 --> 00:00:34,050
The filter is already set to HTTP, so it's only going to show me HTTP packets in here, and I'm going

8
00:00:34,050 --> 00:00:38,810
to go to a target website in here, so let's go to vulnweb.com.

9
00:00:40,500 --> 00:00:46,080
Now keep in mind, like I said, you have to be logging into an HTTP page, but that's fine because we

10
00:00:46,080 --> 00:00:50,870
already learned how to bypass HTTPS and even partially bypass

11
00:00:51,170 --> 00:00:52,320
HSTS.

12
00:00:52,470 --> 00:00:58,570
So I'm gonna be logging into a website that just uses HTTP here because it's just simpler.

13
00:00:58,740 --> 00:01:02,460
And we've already learned how to bypass HTTPS and HSTS.

14
00:01:02,520 --> 00:01:08,520
So there is no point in repeating that. We're logging in with the username that is set to admin.

15
00:01:08,610 --> 00:01:11,750
I'm gonna set the password to 123abc.

16
00:01:12,270 --> 00:01:18,780
I'm gonna click on log in, and this should have been captured by Wireshark.

17
00:01:18,900 --> 00:01:23,440
Now let's go ahead and actually try this with a website that uses HTTPS.

18
00:01:23,600 --> 00:01:25,870
So let's go to stackoverflow

19
00:01:25,870 --> 00:01:26,630
.com.

20
00:01:29,220 --> 00:01:35,220
Again, as you can see, as long as the website gets downgraded to normal HTTP, then we'll be able to

21
00:01:35,220 --> 00:01:39,560
capture the data sent to and from this website.

22
00:01:39,600 --> 00:01:51,540
So we're just going to log in, put the username, or put it to zaid@zsecurity.org, and then

23
00:01:51,540 --> 00:01:52,950
we'll get to put the password.

24
00:01:52,950 --> 00:01:56,070
So we'll just do one two three one two three

25
00:01:56,070 --> 00:02:03,450
ABC, and let's go back to Wireshark and see how we can discover the username and the password.

26
00:02:04,500 --> 00:02:11,450
So first of all, I'm going to stop the capture, and what we want to look for is POST requests.

27
00:02:11,450 --> 00:02:16,850
So you see in here, this request right here was POST, for example, and here this one was

28
00:02:16,840 --> 00:02:22,040
GET. Now forms are usually sent over POST, especially login forms.

29
00:02:22,100 --> 00:02:26,600
So if you're looking for login information, you want to look for POST in here.

30
00:02:27,650 --> 00:02:31,600
So going down, we can see we have a POST request in here.

31
00:02:31,670 --> 00:02:37,310
Now I'm going to click here to actually show less information so it's easier for us to see, so we can

32
00:02:37,310 --> 00:02:39,380
see this POST was sent to Google.

33
00:02:39,380 --> 00:02:40,660
We're not interested in that.

34
00:02:40,660 --> 00:02:43,780
We're looking for stuff that was sent to vulnweb.

35
00:02:43,780 --> 00:02:46,100
I'm going to keep going.

36
00:02:46,400 --> 00:02:50,180
We can see we have a POST request here to a login page.

37
00:02:50,240 --> 00:02:52,790
So this is definitely interesting.

38
00:02:52,790 --> 00:03:01,010
Now if we look down, let me just make this smaller, so if we look down here and look at the HTML

39
00:03:01,030 --> 00:03:08,450
form data, you can see that we have a username here submitted to testhtml5.vulnweb.com.

40
00:03:08,700 --> 00:03:12,420
The username is admin and the password is 123

41
00:03:12,460 --> 00:03:13,210
abc.

42
00:03:15,790 --> 00:03:23,450
Now if we scroll down again looking for POST requests, you can see we have a POST request for a page

43
00:03:23,450 --> 00:03:25:290
called users/login.

44
00:03:25,310 --> 00:03:33,020
So again, very very interesting. If we click on this, you'll see, if we scroll down, you'll see we have the

45
00:03:33,020 --> 00:03:39,710
email zaid@zsecurity.org and the password 123123abc.

46
00:03:39,920 --> 00:03:46,540
Again, this just goes to show you that with Wireshark you'll be able to capture everything.

47
00:03:46,550 --> 00:03:53,360
Now this can actually be very very useful, because I noticed that bettercap is great at sniffing passwords

48
00:03:53,780 --> 00:03:57,020
and it pretty much gets the passwords all the time.

49
00:03:57,020 --> 00:04:04,050
But in the odd cases, sometimes it was failing to filter the username and password for me.

50
00:04:04,100 --> 00:04:11,260
So with Wireshark you'll actually be able to get everything that passes through your interface.

51
00:04:11,780 --> 00:04:18,890
So what you could actually do is you can just go to your caplet that we always use, the spoof caplet,

52
00:04:19,130 --> 00:04:26,600
this one right here, open it with a text editor, and as you know, in this caplet we turn on our sniffer

53
00:04:26,650 --> 00:04:29,590
in here, so we set net.sniff.local to true.

54
00:04:29,600 --> 00:04:39,200
And then we turn it on, but before turning it on, you can actually set the net.sniff.output

55
00:04:39,620 --> 00:04:47,060
to a location for a file that'll contain everything that bettercap captures, so you won't actually have

56
00:04:47,060 --> 00:04:50,350
to start Wireshark while bettercap is working.

57
00:04:50,480 --> 00:04:53,190
You can just, in here, specify a place.

58
00:04:53,190 --> 00:05:02,980
So for example, let's say /root/capture-file.cap, and then when you run your spoof caplet, it'll turn

59
00:05:02,980 --> 00:05:08,980
on the probe, turn on the recon, run your spoofing attack putting you in the middle of the connection,

60
00:05:09,370 --> 00:05:17,710
it'll run the sniffer as well, and it will store everything that bettercap captures in a capture file.

61
00:05:18,610 --> 00:05:27,490
Then all you'll have to do is come here, go to File, Open, and open the file that you captured, and analyze

62
00:05:27,490 --> 00:05:33,110
it as I'm doing right now, so this can be very very useful.

63
00:05:33,110 --> 00:05:39,350
Also, if you don't have a lot of resources on your computer, or if you had a small laptop or even a phone

64
00:05:39,590 --> 00:05:46,100
and you capture data with it, store everything in a capture file and then just open it in here in Wireshark

65
00:05:46,100 --> 00:05:53,390
and analyze it. Now finally, before I finish this lecture, because all we're talking about right

66
00:05:53,420 --> 00:06:02,350
now is filtering data, a really really useful feature when filtering data is the Ctrl+F find feature,

67
00:06:02,960 --> 00:06:06,520
so you can just press Ctrl+F from your keyboard.

68
00:06:06,590 --> 00:06:13,850
This will open this bar right here, the search bar, which you can use to find anything within the captured

69
00:06:13,850 --> 00:06:15,500
packets.

70
00:06:15,780 --> 00:06:21,570
So first of all, I'm going to set the search to search within the packet details.

71
00:06:21,570 --> 00:06:27,540
I'm going to keep this to Narrow & Wide. In here I'm going to set this to String so that it looks

72
00:06:27,540 --> 00:06:35,290
for normal text, and for example let's say I'm looking for logins that a person named Zaid has attempted.

73
00:06:35,340 --> 00:06:43,090
All I have to do is just type Zaid, and if I hit Enter, as you can see it's taking us to the login attempt

74
00:06:43,110 --> 00:06:49,410
when I logged in to Stack Overflow. Or let's say you're looking for login attempts by a person named

75
00:06:49,470 --> 00:06:52,150
admin, or for a user named admin.

76
00:06:52,150 --> 00:06:58,320
Again, if I hit Enter it's going to take me to the first occurrence of the word admin,

77
00:06:58,380 --> 00:06:59,360
which is in here.

78
00:06:59,430 --> 00:07:05,400
It doesn't really contain any useful information, but I can just click on Find to find the next packet

79
00:07:05,430 --> 00:07:07,620
that contained the word admin.

80
00:07:07,620 --> 00:07:10,790
Again, this packet doesn't really contain anything useful.

81
00:07:10,830 --> 00:07:18,270
We can go next. We'll actually have to go to the end of the file and go up, because that was the first

82
00:07:18,270 --> 00:07:19,320
thing that we logged in with.

83
00:07:19,320 --> 00:07:27,060
So I'm just going to keep clicking on Next, and right here we have the POST request for the admin.

84
00:07:27,220 --> 00:07:33,340
And if we go down again, as you can see, we have the username as admin and the password as 123

85
00:07:33,400 --> 00:07:35,050
abc.

86
00:07:35,110 --> 00:07:40,510
So this feature can be very very useful to help you find what you're looking for, whether you're looking

87
00:07:40,510 --> 00:07:47,590
for a specific login name, whether you're looking for a specific tag, a specific file, and so on.