1
00:00:00,070 --> 00:00:03,520
And we're going to learn about this broken authentication.

2
00:00:03,810 --> 00:00:10,120
I will tell you straight to the point, there is a weak authentication mechanism at the server.

3
00:00:10,410 --> 00:00:15,650
So what you can do is you can brute force the user and the password using the word list.

4
00:00:16,440 --> 00:00:18,320
And we have seen this using the intruder.

5
00:00:18,330 --> 00:00:19,830
But you can use any tool you want.

6
00:00:20,070 --> 00:00:27,510
So the purpose is you need to go for these attacks first to bypass this or find the user name, the password

7
00:00:27,600 --> 00:00:29,710
and use all the credentials.

8
00:00:30,360 --> 00:00:35,910
So if there are weaknesses, you can, uh, brute force these credentials also.

9
00:00:36,240 --> 00:00:42,310
And, uh, you can successfully log in as the user, and weak session cookies.

10
00:00:42,480 --> 00:00:43,550
So it does.

11
00:00:44,520 --> 00:00:51,420
So if the server keeps the, are generating the session cookies within a week or so, if you are able

12
00:00:51,420 --> 00:00:58,440
to guess or predict the algorithm, then you can get these cookies, are going to use the algorithm to

13
00:00:58,440 --> 00:01:04,500
put all the cookies, uh, within one cookie, you will get the session and the response will be different.

14
00:01:04,710 --> 00:01:09,260
So these are the common attacks against this broken authentication.

15
00:01:10,590 --> 00:01:15,600
So to avoid those broken authentication, you need to password getting a text, though.

16
00:01:15,690 --> 00:01:21,120
You need to put a very complex password like eight or 10 characters with the special characters in it.

17
00:01:21,480 --> 00:01:27,780
And you can also use the filter, the XML, to factor out any ODP or some other like that.

18
00:01:28,020 --> 00:01:30,040
So this is about DTT.

19
00:01:30,120 --> 00:01:32,030
You can read in this website.
20
00:01:32,400 --> 00:01:38,280
This room is called, as we have already seen, the commanding the action, uh, which you have seen

21
00:01:38,280 --> 00:01:42,860
in the previous video that is in the action group, which is the same deal applied here.

22
00:01:43,140 --> 00:01:44,640
There is nothing different from this.

23
00:01:45,420 --> 00:01:49,890
So I'm hitting the computer button, not actually practical.

24
00:01:50,550 --> 00:01:54,760
So what they're doing is, uh, let's understand this with the, for example.

25
00:01:54,780 --> 00:01:55,240
OK.

26
00:01:55,470 --> 00:01:57,780
So there is an existing user with the name.

27
00:01:58,140 --> 00:02:04,350
So there is a user in the Web server and now we want to get to access to the account so that we can

28
00:02:05,460 --> 00:02:08,900
be used to reregister that user site modification.

29
00:02:08,940 --> 00:02:12,600
So what we're going to do is to register again with admin.

30
00:02:12,840 --> 00:02:14,660
So we need to modify something.

31
00:02:14,670 --> 00:02:18,000
So what we're going to do is we are going to enter space.

32
00:02:19,080 --> 00:02:22,860
So we need to restart the user with the space.

33
00:02:23,610 --> 00:02:31,770
So if you register with the space admin, then this Web server allows me directly to, uh, into the

34
00:02:31,770 --> 00:02:32,490
admin user.

35
00:02:32,520 --> 00:02:35,490
I mean, that means I get the privileges of this admin user.

36
00:02:35,790 --> 00:02:42,600
So what this Jindalee, this Web server is doing is this is generating a session ID with the privileges

37
00:02:42,600 --> 00:02:43,800
of that name.

38
00:02:44,200 --> 00:02:49,970
So it's not considering whether this is the, there is a space or the president or any other symbol.

39
00:02:50,250 --> 00:02:57,060
It's just checking that if there is a built in the name, etc. to approve this access according to the

40
00:02:57,060 --> 00:02:57,400
name.
41
00:02:57,420 --> 00:03:03,540
So it is not checking the backspace or a normal space or any other special character.

42
00:03:03,540 --> 00:03:06,070
It's just taking the admin in the same way.

43
00:03:06,090 --> 00:03:12,660
What we can do is we can create the user space admin and then we can log in to this admin account and

44
00:03:12,660 --> 00:03:15,210
I get the privileges of this, uh, actually.

45
00:03:16,380 --> 00:03:19,500
So to see this in action, we need to go to this IP address.

46
00:03:19,510 --> 00:03:25,270
So this is the IP address I have already on this machine and the port is for it.

47
00:03:25,770 --> 00:03:28,170
So I have already opened this one to save some time.

48
00:03:28,620 --> 00:03:31,680
Now let me go and try to login it at.

49
00:03:34,310 --> 00:03:42,200
So let me try this, this invalidism Malpaso, let me try to register this one, so before registering,

50
00:03:42,380 --> 00:03:57,900
I will set them down in my bar mitzvah username, username Neki, uh, male or am at their tempora.

51
00:04:01,200 --> 00:04:11,010
And the pastor said, Nikil, 16, like, so click on this register note, we get the request.

52
00:04:11,490 --> 00:04:17,970
Now what we can do is we need to modify some changes and that's what they're going to ask is what is

53
00:04:17,970 --> 00:04:19,830
the fact that you found in the data intercom?

54
00:04:19,980 --> 00:04:23,440
So what is this data to try to register user name data?

55
00:04:23,440 --> 00:04:29,760
And you'll see that you're already so determined to put up space at the starting of this data so that

56
00:04:29,760 --> 00:04:32,370
we put Chindi Sneaky to their.

57
00:04:35,820 --> 00:04:38,000
Let me put this piece and Dara.

58
00:04:41,680 --> 00:04:46,920
Now, I think everything is fine, and this is my e-mail address and this is my password, Nicholas,

59
00:04:48,570 --> 00:04:49,990
so far this.

60
00:04:51,470 --> 00:04:52,730
And for this one.
61
00:04:54,950 --> 00:04:58,420
So I think we have successfully created the user there.

62
00:04:59,000 --> 00:05:00,870
Now, let me log into this.

63
00:05:02,210 --> 00:05:07,250
I don't know whether I need to put this on private normal, Darren.

64
00:05:08,570 --> 00:05:13,760
No, I'm going to say Nicole Sixty-nine.

65
00:05:15,350 --> 00:05:19,580
I think they would deposit Gartree.

66
00:05:20,890 --> 00:05:22,600
I'm sorry.

67
00:05:27,180 --> 00:05:27,640
Communicate.

68
00:05:27,950 --> 00:05:33,530
Well, you know, I don't, I don't think so, but this value so I had, I would only go sixty nine.

69
00:05:35,640 --> 00:05:37,680
So let me sign, signing this.

70
00:05:40,100 --> 00:05:40,880
So Invalides.

71
00:05:41,330 --> 00:05:52,070
So we need to see a space there and then a night and night, six night in the No.

72
00:05:54,730 --> 00:06:01,150
So we need to disperse after this started in the U.S. also, so we got some hash value.

73
00:06:03,210 --> 00:06:10,540
So we need to raise the flag, we need to submit to the, uh, pragma upset question, uh, we're waiting

74
00:06:10,560 --> 00:06:11,730
for this other.

75
00:06:14,960 --> 00:06:16,460
So you can see the similarity to the.

76
00:06:19,650 --> 00:06:23,520
So we can tell you this one on record with this one.

77
00:06:25,160 --> 00:06:28,750
Copy and paste it in here.

78
00:06:31,470 --> 00:06:38,420
So we got the, that for that here, the concert piece is the back end of this.

79
00:06:38,470 --> 00:06:41,800
Absaroka is just checking the name on it.

80
00:06:41,800 --> 00:06:44,740
They're not taking any values, are spacious enough.

81
00:06:44,940 --> 00:06:50,220
So it's very featuring the name and just given the privileges based on this name.

82
00:06:51,630 --> 00:06:53,820
So what is the flag that you found in the order?

83
00:06:54,210 --> 00:06:56,150
So we need to do the order also.

84
00:06:56,790 --> 00:06:58,200
Let me look at this one.
85
00:07:13,380 --> 00:07:19,740
So I about, let's register again on Perceptron, let's

86
00:07:22,230 --> 00:07:24,580
order not after Morgan.

87
00:07:24,600 --> 00:07:27,450
OK, that's a high.

88
00:07:29,140 --> 00:07:30,520
A great hideout come.

89
00:07:32,510 --> 00:07:43,090
And it's a password, password, sixty-nine, sort of MACUGEN is to know I got the, I request I can I

90
00:07:43,150 --> 00:07:49,820
only to please put the space in front of Father and let me follow this and follow this.

91
00:07:51,460 --> 00:07:59,890
Now, why the user order has been successfully registered, now it can be used against space after and

92
00:08:00,160 --> 00:08:08,280
password to nine, if I say so, I short-sightedness normal after user.

93
00:08:10,060 --> 00:08:12,100
So we have rockiness order user.

94
00:08:12,670 --> 00:08:14,470
We need to copy this also.

95
00:08:16,210 --> 00:08:25,120
And pasted in here to make sure that we answered the question, so we have successfully impersonated

96
00:08:25,180 --> 00:08:27,910
as done harder and better.

97
00:08:30,140 --> 00:08:36,440
No, let me try to create another account that is for had been so.

98
00:08:39,340 --> 00:08:43,030
To kill.

99
00:08:48,380 --> 00:08:51,080
So now I'm giving the same answer 469.

100
00:08:54,510 --> 00:09:00,480
So now click on this register of Nicole, I'm going to create the userspace.

101
00:09:01,820 --> 00:09:10,700
Space is sort of turn this into something, it will automatically for, you know, the space that has

102
00:09:10,700 --> 00:09:11,450
been created.

103
00:09:11,480 --> 00:09:20,330
Let me try to ruggie space a minute and zip password sixty-nine.

104
00:09:22,630 --> 00:09:31,790
So let me go to this and show you the actual and drink so I can turn this into sort of, sorry, just

105
00:09:31,820 --> 00:09:32,900
click the forward.

106
00:09:35,230 --> 00:09:36,490
And no luck.
107
00:09:39,130 --> 00:09:46,980
So this admin user does not have the flags, just you need to log on to find out so you can also impersonate

108
00:09:47,020 --> 00:09:48,100
that as well.

109
00:09:49,480 --> 00:09:55,320
So I hope you understood that, Saarbrucken, broken authentication, so this small flaw can lead to the

110
00:09:55,330 --> 00:09:56,550
account impersonation.

111
00:09:56,560 --> 00:10:00,460
And you can also steal those sessions like this.

112
00:10:00,460 --> 00:10:01,760
We, we have.

113
00:10:02,740 --> 00:10:05,350
So that's all you need to know about this broken authentication.