1
00:00:00,910 --> 00:00:07,810
Now in this lecture I want to show you how to run an ARP spoofing attack using bettercap.

2
00:00:07,840 --> 00:00:15,030
This will allow us to place our computer in the middle of the connection and intercept data.

3
00:00:15,160 --> 00:00:22,180
Not only that but we're also going to see how we can read this data so we can see all of the URLs and

4
00:00:22,240 --> 00:00:27,670
all the websites that the target visits and we'll see everything that they post.

5
00:00:27,670 --> 00:00:32,670
So anything, any usernames and passwords they send to any websites.

6
00:00:32,770 --> 00:00:35,320
We're gonna be able to capture them and see them.

7
00:00:36,950 --> 00:00:43,630
So first we need to become the man in the middle and we're going to do this using a module called arp.

8
00:00:43,670 --> 00:00:44,170
spoof.

9
00:00:44,540 --> 00:00:55,480
So if I scroll up to the help menu you can see we have a module here called arp.spoof so as usual if

10
00:00:55,480 --> 00:00:58,850
we don't know how to use this module we're going to do help

11
00:00:59,290 --> 00:01:06,640
arp.spoof because we want to see how to use this module and see all the options that we

12
00:01:06,640 --> 00:01:08,690
can set for it.

13
00:01:08,710 --> 00:01:14,670
So as you can see as usual we can do arp.spoof on to turn this module on.

14
00:01:14,860 --> 00:01:21,150
We can do arp.ban on and this will literally just cut the connection off the target.

15
00:01:21,160 --> 00:01:22,310
This is very simple.

16
00:01:22,330 --> 00:01:24,120
You can try it on your own time.

17
00:01:24,130 --> 00:01:26,090
I'm not going to do it here.

18
00:01:26,170 --> 00:01:34,480
You can do arp.spoof off to turn it off and arp.ban off to turn the ban off. Now

19
00:01:34,560 --> 00:01:41,340
in the previous lecture I also said anything you see under the parameters are the options that we can

20
00:01:41,340 --> 00:01:43,910
set for this specific module.

21
00:01:44,010 --> 00:01:46,930
But I didn't show you how to modify that.

22
00:01:47,130 --> 00:01:53,490
So in this lecture we're actually going to be modifying some of these options. Now as you can see the

23
00:01:53,490 --> 00:01:59,630
tool is actually very helpful because first of all it's giving us the option name in yellow here.

24
00:01:59,640 --> 00:02:06,420
So these are the options that we can set that we can change and then it's also telling us a description

25
00:02:06,540 --> 00:02:14,360
of what this option does and the default value. So for example we can see we have an option called arp.

26
00:02:14,390 --> 00:02:17,120
spoof.fullduplex.

27
00:02:17,120 --> 00:02:20,090
You can see the description for this option.

28
00:02:20,090 --> 00:02:28,140
And basically what this option will do if you set it to true it will spoof both the router and the target.

29
00:02:28,160 --> 00:02:34,640
So it's similar to what we did with arpspoof when we executed the command twice to spoof both

30
00:02:34,640 --> 00:02:36,480
the router and the target.

31
00:02:36,500 --> 00:02:42,590
So if you set this to true both the router and the target will be spoofed and you will be in the middle

32
00:02:42,590 --> 00:02:47,180
of the connection. If you leave it to the default which is false

33
00:02:47,330 --> 00:02:50,420
you will only spoof the target machine.

34
00:02:50,420 --> 00:02:57,620
Now this can be useful if the router has some sort of protection against ARP spoofing attacks because

35
00:02:57,620 --> 00:03:00,380
you won't be interacting with the router at all.

36
00:03:01,010 --> 00:03:07,400
But it's also limiting because we won't be able to do what I'm going to do in the next lectures because

37
00:03:07,430 --> 00:03:11,820
the router will communicate with the target device directly.

38
00:03:11,840 --> 00:03:19,670
So we want to be able to inject stuff in the responses that the router sends to the target device.

39
00:03:19,670 --> 00:03:26,090
Now I actually want to change this to true and the method I'm going to do this can be used to change

40
00:03:26,210 --> 00:03:29,710
any option in any module in bettercap.

41
00:03:29,870 --> 00:03:36,680
So not only in arp.spoof, if you're using any module you can do help followed by the module

42
00:03:36,680 --> 00:03:39,200
name to get help about that module name.

43
00:03:39,200 --> 00:03:42,530
You can see all of the options that you can set in here.

44
00:03:42,530 --> 00:03:50,390
And then if you want to modify the value of any of these options all we have to do is copy the option

45
00:03:50,390 --> 00:03:58,750
name which is what I have right here and type set followed by the option that you want to modify.

46
00:03:58,880 --> 00:04:03,240
And in my case it's called arp.spoof.fullduplex.

47
00:04:03,440 --> 00:04:09,420
And I want to set this to true so very very simple.

48
00:04:09,490 --> 00:04:15,990
And like I said you can use this command to change any option in any module in bettercap.

49
00:04:16,240 --> 00:04:23,430
All you have to do is type set followed by the option name followed by the value that you want to set.

50
00:04:23,440 --> 00:04:25,890
So I'm going to hit enter and that's done.

51
00:04:26,050 --> 00:04:30,350
If you don't see errors that means it got executed properly.

52
00:04:30,550 --> 00:04:33,850
The next option that I want to change is the targets.

53
00:04:34,510 --> 00:04:40,510
So again in the description it's telling us that these are the targets that I want to run the attack

54
00:04:40,570 --> 00:04:41,360
against.

55
00:04:41,500 --> 00:04:48,130
And I can use a comma if I wanted to target more than one IP at the same time.

56
00:04:48,190 --> 00:04:55,210
So again just like what I did before I'm going to do set followed by the option name which is arp.

57
00:04:55,450 --> 00:05:02,740
spoof.targets and you can actually use the tab to auto complete.

58
00:05:02,770 --> 00:05:08,580
So if I just type t a tab it'll auto complete the targets for me.

59
00:05:09,280 --> 00:05:12,620
And after this I'm going to put the value that I want to set this

60
00:05:12,630 --> 00:05:20,800
option to, which is the IP of my target and we can get this using netdiscover, using z map or using

61
00:05:20,800 --> 00:05:28,120
the result that I got in here after I ran the recon module. I did net.show and we got all of this which

62
00:05:28,120 --> 00:05:32,160
is the list of all of the computers connected to the same network.

63
00:05:32,230 --> 00:05:37,590
And my target right now is this particular device, the 10.0.2.7.

64
00:05:37,990 --> 00:05:48,490
This is my Windows virtual machine right here so I'm going to put the IP 10.0.2.7.

65
00:05:48,490 --> 00:05:55,690
And again we don't see any errors which means that everything got executed as expected.

66
00:05:55,690 --> 00:06:02,350
Now we're ready to run the tool and again based on the help menu that we got we can do arp.spoof

67
00:06:02,470 --> 00:06:05,730
on to turn this module on.

68
00:06:05,950 --> 00:06:14,720
So we're gonna do arp.spoof on and perfect as you can see we see no errors.

69
00:06:14,720 --> 00:06:22,700
It's telling us that the module is running and if I do help again we're going to get a list of all of

70
00:06:22,700 --> 00:06:25,150
the modules that are running right now.

71
00:06:25,160 --> 00:06:30,740
And as you can see we can see that ARP spoofing is on.

72
00:06:30,740 --> 00:06:38,220
Also it is very important that you make sure that the net.probe and the net.recon are running.

73
00:06:38,570 --> 00:06:40,360
We did this in the previous lecture.

74
00:06:40,370 --> 00:06:41,560
That's why I didn't do it

75
00:06:41,560 --> 00:06:49,780
now. So right now bettercap should be doing what arpspoof was doing, fooling both the router and

76
00:06:49,780 --> 00:06:56,270
the target device and putting me in the middle of the connection as shown here.

77
00:06:56,290 --> 00:07:05,380
So let's go to the Windows machine right here and I'm gonna do arp -a and as you can see the router's

78
00:07:05,380 --> 00:07:14,430
MAC address right here is the same as the MAC address for this device which is the 10.0.2.15.

79
00:07:14,440 --> 00:07:23,740
And if I go back here to the Kali machine and do ifconfig you'll see this is the same MAC address as

80
00:07:23,740 --> 00:07:30,190
the MAC address of the Kali eth0 interface.

81
00:07:30,190 --> 00:07:36,820
So basically what this means is this Windows machine every time it wants to send something to the router

82
00:07:37,090 --> 00:07:40,000
it will send it to the Kali machine.

83
00:07:40,180 --> 00:07:48,070
And because we set the full duplex option on in bettercap the router also thinks that this Kali machine

84
00:07:48,130 --> 00:07:50,090
is the target machine.

85
00:07:50,260 --> 00:07:57,240
Therefore anytime it needs to send a response to the Windows machine it will actually send it to bettercap

86
00:07:57,460 --> 00:08:04,840
right here and like I said before this means every username, password, URL, anything

87
00:08:04,840 --> 00:08:10,510
the target computer sends or receives will have to go through the Kali machine where we're going to

88
00:08:10,510 --> 00:08:17,080
be able to read it, modify it or drop it and I'm going to walk you through that in the next lectures.