1
00:00:00,940 --> 00:00:03,530
<v Instructor>So far, we saw a number of things</v>

2
00:00:03,530 --> 00:00:07,070
that we can do once we become the man in the middle.

3
00:00:07,070 --> 00:00:10,750
So we saw how we can see anything a target computer

4
00:00:10,750 --> 00:00:12,010
does on the network.

5
00:00:12,010 --> 00:00:15,180
So we're able to see the websites, the usernames,

6
00:00:15,180 --> 00:00:17,120
the passwords, the images,

7
00:00:17,120 --> 00:00:19,920
anything they load on their browser.

8
00:00:19,920 --> 00:00:22,510
We also saw that since we're the man in the middle,

9
00:00:22,510 --> 00:00:25,730
we're able to redirect them to other websites.

10
00:00:25,730 --> 00:00:27,700
So whenever they request a domain,

11
00:00:27,700 --> 00:00:29,626
we can redirect them to somewhere else

12
00:00:29,626 --> 00:00:33,090
by doing a DNS spoofing attack.

13
00:00:33,090 --> 00:00:35,850
Another really cool thing that we can do

14
00:00:35,850 --> 00:00:40,280
is modify the HTML, modify the pages

15
00:00:40,280 --> 00:00:43,630
as they load on the target browser.

16
00:00:43,630 --> 00:00:45,520
Obviously, this is all possible

17
00:00:45,520 --> 00:00:47,410
because we are the man in the middle,

18
00:00:47,410 --> 00:00:50,350
because we're able to intercept all this data.

19
00:00:50,350 --> 00:00:52,760
So we can wait for the HTML code,

20
00:00:52,760 --> 00:00:56,540
which is the code that's responsible for loading web pages.

21
00:00:56,540 --> 00:00:58,930
And as it flows through our computer,

22
00:00:58,930 --> 00:01:02,350
we can insert any piece of code that we want,

23
00:01:02,350 --> 00:01:04,983
and the browser will execute this code.

24
00:01:05,840 --> 00:01:09,370
Now, HTML is only responsible for rendering the elements

25
00:01:09,370 --> 00:01:10,960
that you see on the web page.

26
00:01:10,960 --> 00:01:13,860
So it's responsible for the buttons,

27
00:01:13,860 --> 00:01:15,890
for the forms, for the text,

28
00:01:15,890 --> 00:01:18,720
it doesn't really allow us to do much.

29
00:01:18,720 --> 00:01:23,293
But modern browsers can execute JavaScript code.

30
00:01:24,140 --> 00:01:27,290
JavaScript is a powerful programming language

31
00:01:27,290 --> 00:01:30,420
that we can use to do so many things,

32
00:01:30,420 --> 00:01:32,620
we can actually modify the whole page,

33
00:01:32,620 --> 00:01:35,490
remove elements or add elements into the page,

34
00:01:35,490 --> 00:01:38,040
we can replace links, and this is actually

35
00:01:38,040 --> 00:01:42,780
what I did when I modified the HSTS plugin.

36
00:01:42,780 --> 00:01:47,290
So I added code that will replace the HTTPS with HTTP.

37
00:01:47,290 --> 00:01:49,570
And I also added code that will replace

38
00:01:49,570 --> 00:01:52,470
the actual link, the actual domain name,

39
00:01:52,470 --> 00:01:55,880
with this spoof domain name, with the one with the dot com

40
00:01:55,880 --> 00:01:58,820
or to whatever you set it to in the script.

41
00:01:58,820 --> 00:02:02,360
You can even use it to hook the browser

42
00:02:02,360 --> 00:02:05,040
to other browser exploitation frameworks,

43
00:02:05,040 --> 00:02:07,940
which we can use to further exploit the target

44
00:02:07,940 --> 00:02:10,850
and even gain full control over their computer.

45
00:02:10,850 --> 00:02:13,760
And we'll see that later on in the course.

46
00:02:13,760 --> 00:02:16,320
But for now, I'm gonna show you how to inject

47
00:02:16,320 --> 00:02:20,540
a very simple JavaScript code into the loaded pages.

48
00:02:20,540 --> 00:02:23,460
And then we'll build up on that in future lectures

49
00:02:23,460 --> 00:02:27,540
and see how powerful and useful this can be.

50
00:02:27,540 --> 00:02:31,050
So right here, I have my Kali machine.

51
00:02:31,050 --> 00:02:33,330
And before I run bettercap and show you

52
00:02:33,330 --> 00:02:35,200
how to inject JavaScript,

53
00:02:35,200 --> 00:02:38,260
first of all, we need to have some JavaScript code

54
00:02:38,260 --> 00:02:40,723
to inject into the target browser.

55
00:02:41,570 --> 00:02:43,653
So I'm gonna open a text editor.

56
00:02:44,640 --> 00:02:48,740
And I'm gonna write a very, very simple JavaScript code.

57
00:02:48,740 --> 00:02:51,540
Like I said, we will see how we can use this

58
00:02:51,540 --> 00:02:53,340
to run more useful code.

59
00:02:53,340 --> 00:02:55,350
But for now, we're keeping this simple

60
00:02:55,350 --> 00:02:58,860
just to see how we can actually run JavaScript code.

61
00:02:58,860 --> 00:03:03,080
So all I'm gonna do is alert, open a bracket,

62
00:03:03,080 --> 00:03:07,023
quotation mark, and I'm gonna say JavaScript test.

63
00:03:08,860 --> 00:03:10,610
I'm gonna close the quotation mark

64
00:03:10,610 --> 00:03:14,350
and close the bracket and add a semicolon.

65
00:03:14,350 --> 00:03:16,680
So right here, this code, all it's gonna do

66
00:03:16,680 --> 00:03:19,460
is it's gonna display a warning message,

67
00:03:19,460 --> 00:03:22,950
an alert message saying JavaScript code.

68
00:03:22,950 --> 00:03:27,290
So since we're gonna try to inject this code into all pages,

69
00:03:27,290 --> 00:03:29,070
every time we load a webpage,

70
00:03:29,070 --> 00:03:32,053
we should see a message saying JavaScript test.

71
00:03:33,110 --> 00:03:34,540
Now I'm gonna save this.

72
00:03:34,540 --> 00:03:36,970
So I'm gonna go to File, Save,

73
00:03:36,970 --> 00:03:40,550
and I'm gonna put this in my root directory.

74
00:03:40,550 --> 00:03:45,550
And I'm just gonna call it alert dot js.

75
00:03:45,740 --> 00:03:49,450
I'm gonna hit Enter and that is saved now in my root,

76
00:03:49,450 --> 00:03:54,450
so if I quit it, we can see we have the file right here.

77
00:03:55,000 --> 00:03:57,390
So this is the file that contains the code

78
00:03:57,390 --> 00:04:00,270
that we want to inject into any webpage

79
00:04:00,270 --> 00:04:02,683
that loads on the target computer.

80
00:04:03,560 --> 00:04:07,780
The next step is to go to our HSTS hijack plugin.

81
00:04:07,780 --> 00:04:09,741
So as I showed you before, this was in usr,

82
00:04:09,741 --> 00:04:14,670
share, bettercap, caplets, HSTS hijack,

83
00:04:14,670 --> 00:04:17,920
make sure you use the one that I included in the resources,

84
00:04:17,920 --> 00:04:21,140
not the one that comes built-in with bettercap,

85
00:04:21,140 --> 00:04:25,160
because the built-in one will not work as you wanted.

86
00:04:25,160 --> 00:04:29,570
So in here we have the HSTS hijack dot cap file.

87
00:04:29,570 --> 00:04:33,060
This is the configuration file for the whole plugin.

88
00:04:33,060 --> 00:04:35,520
So I'm gonna right click this and open

89
00:04:35,520 --> 00:04:37,900
it with my text editor.

90
00:04:37,900 --> 00:04:40,140
And in here, what we wanna modify

91
00:04:40,140 --> 00:04:42,730
is the payloads right here.

92
00:04:42,730 --> 00:04:44,040
So as you can see in here,

93
00:04:44,040 --> 00:04:46,560
it's already injecting a JavaScript file

94
00:04:46,560 --> 00:04:48,830
called keylogger dot js.

95
00:04:48,830 --> 00:04:52,440
But we also want to inject our own code.

96
00:04:52,440 --> 00:04:54,757
So I'm gonna add a comma here

97
00:04:54,757 --> 00:04:58,600
and I'm gonna add a star followed by a colon.

98
00:04:58,600 --> 00:05:02,240
We added this star right here to say that I want to inject

99
00:05:02,240 --> 00:05:06,770
my script into any page that the target loads.

100
00:05:06,770 --> 00:05:10,190
If you want to inject your code into specific domains,

101
00:05:10,190 --> 00:05:13,780
then you can remove the star and just list the domains

102
00:05:13,780 --> 00:05:17,740
that you want to inject this code in right here.

103
00:05:17,740 --> 00:05:20,920
But like I said, we wanna inject this into all pages.

104
00:05:20,920 --> 00:05:23,600
So I'm gonna put this as a star.

105
00:05:23,600 --> 00:05:27,310
And after the colon, I'm gonna put the location

106
00:05:27,310 --> 00:05:29,720
of the JavaScript file that I want

107
00:05:29,720 --> 00:05:31,713
to inject into the browser.

108
00:05:32,570 --> 00:05:34,230
So if we look back in here,

109
00:05:34,230 --> 00:05:36,320
this is the file that we just created,

110
00:05:36,320 --> 00:05:41,320
which is in root, in my home, and it's called alert dot js.

111
00:05:41,410 --> 00:05:43,420
So I'm gonna put in here,

112
00:05:43,420 --> 00:05:46,490
I'm just gonna say forward slash root,

113
00:05:46,490 --> 00:05:50,593
followed by alert dot js.

114
00:05:52,020 --> 00:05:55,270
And that's it, I'm gonna save this, Control+S,

115
00:05:55,270 --> 00:05:59,510
and quit it, Control+Q, and we are ready to go.

116
00:05:59,510 --> 00:06:01,870
So I'm gonna go to my terminal,

117
00:06:01,870 --> 00:06:04,120
I'm gonna run bettercap using the exact

118
00:06:04,120 --> 00:06:06,250
same command that we've been using.

119
00:06:06,250 --> 00:06:09,530
So we're just giving it the interface as eth0

120
00:06:09,530 --> 00:06:11,200
and we're giving it our spoof file

121
00:06:11,200 --> 00:06:14,060
to automatically run the ARP spoofing attack,

122
00:06:14,060 --> 00:06:16,210
putting us in the middle of the connection.

123
00:06:17,310 --> 00:06:19,550
And as you can see, this is working with no errors,

124
00:06:19,550 --> 00:06:21,540
so everything is perfect.

125
00:06:21,540 --> 00:06:26,410
What I also wanna do right now is run my HSTS hijack plugin.

126
00:06:26,410 --> 00:06:30,300
And as you know, all we have to do is just type HS and Tab,

127
00:06:30,300 --> 00:06:33,400
this will auto-complete, I'm gonna hit Enter,

128
00:06:33,400 --> 00:06:35,810
and everything is running with no errors at all.

129
00:06:35,810 --> 00:06:38,020
So everything is perfect.

130
00:06:38,020 --> 00:06:39,430
And as you can see in here,

131
00:06:39,430 --> 00:06:41,070
it's saying that the payloads,

132
00:06:41,070 --> 00:06:44,380
it's loading the JavaScript payloads: the keylogger.

133
00:06:44,380 --> 00:06:47,150
This is the default one that the file already

134
00:06:47,150 --> 00:06:50,650
was loading, and the one that we just specified,

135
00:06:50,650 --> 00:06:53,503
which is in root, alert dot js.

136
00:06:54,360 --> 00:06:58,170
So now anytime our target loads any web page,

137
00:06:58,170 --> 00:07:01,385
whatever code we put in the alert dot js

138
00:07:01,385 --> 00:07:04,470
should be injected in the loaded page,

139
00:07:04,470 --> 00:07:06,253
and it should get executed.

140
00:07:07,210 --> 00:07:09,000
The result of that should show us

141
00:07:09,000 --> 00:07:12,283
a simple message saying test JavaScript.

142
00:07:13,350 --> 00:07:15,570
So let's go to the target.

143
00:07:15,570 --> 00:07:17,930
And as usual, a good idea is just to remove

144
00:07:17,930 --> 00:07:22,260
the browsing data just to make sure that nothing is cached.

145
00:07:22,260 --> 00:07:26,290
And I always like to first test with the simplest case,

146
00:07:26,290 --> 00:07:29,300
and then move on to more complex scenarios.

147
00:07:29,300 --> 00:07:31,380
So first of all, I'm gonna test it against

148
00:07:31,380 --> 00:07:34,570
a normal HTTP page, so that there is nothing

149
00:07:34,570 --> 00:07:37,190
to bypass, no encryption whatsoever.

150
00:07:37,190 --> 00:07:39,853
So we're just gonna go to vulnweb.com.

151
00:07:41,588 --> 00:07:44,380
Perfect, as you can see, we have an alert message

152
00:07:44,380 --> 00:07:47,060
in here telling us JavaScript test.

153
00:07:47,060 --> 00:07:50,170
So basically, this means the JavaScript code

154
00:07:50,170 --> 00:07:54,773
in my alert dot js file got injected into this page.

155
00:07:56,180 --> 00:07:57,930
So now that we've verified

156
00:07:57,930 --> 00:08:00,920
it works against normal HTTP pages,

157
00:08:00,920 --> 00:08:04,673
let's go ahead and test it against a page that uses HTTPS,

158
00:08:05,910 --> 00:08:08,683
such as stackoverflow.com.

159
00:08:10,140 --> 00:08:13,010
Perfect, it's working as expected.

160
00:08:13,010 --> 00:08:16,323
Another example would be linkedin.com.

161
00:08:18,100 --> 00:08:21,370
Keep in mind, these websites use HTTPS.

162
00:08:21,370 --> 00:08:25,160
And as you can see, we're able to load them with no HTTPS

163
00:08:25,160 --> 00:08:27,520
in here, so over HTTP only.

164
00:08:27,520 --> 00:08:29,550
So even if you log in right here,

165
00:08:29,550 --> 00:08:31,210
you'll be able to get the username

166
00:08:31,210 --> 00:08:33,453
and the password as shown before.

167
00:08:34,740 --> 00:08:38,650
Finally, let's go and test it against the HSTS website

168
00:08:38,650 --> 00:08:42,740
using the partial HSTS bypass method that I showed you.

169
00:08:42,740 --> 00:08:46,470
So for that to work, we'll need to go to Google first of all,

170
00:08:46,470 --> 00:08:50,450
and we need to go to a Google domain that does not use HSTS.

171
00:08:50,450 --> 00:08:52,570
Similar to google.ie.

172
00:08:52,570 --> 00:08:56,030
This is actually the local Google website for Ireland.

173
00:08:56,030 --> 00:08:57,930
And as you can see, the code works.

174
00:08:57,930 --> 00:09:01,513
This is fine, Google only uses HTTPS anyway.

175
00:09:02,370 --> 00:09:04,520
But let's look for Facebook.

176
00:09:04,520 --> 00:09:07,940
Now we know Facebook uses HSTS.

177
00:09:07,940 --> 00:09:12,760
And because HSTS is used, we should not be able

178
00:09:12,760 --> 00:09:14,750
to inject anything on the website

179
00:09:14,750 --> 00:09:19,030
because the browser will only load it over HTTPS.

180
00:09:19,030 --> 00:09:21,710
But using our partial bypass method,

181
00:09:21,710 --> 00:09:24,410
if I click on Facebook from here,

182
00:09:24,410 --> 00:09:27,140
as you can see, the code gets executed,

183
00:09:27,140 --> 00:09:29,250
because what we're loading right now

184
00:09:29,250 --> 00:09:32,573
is facebook.con, not facebook.com.

185
00:09:33,980 --> 00:09:36,800
And as you can see, we get a normal Facebook page again,

186
00:09:36,800 --> 00:09:39,340
that looks identical, and if you log in,

187
00:09:39,340 --> 00:09:42,183
you'll be able to get the username and the password.

188
00:09:43,810 --> 00:09:47,140
So as you can see, this works against HTTP

189
00:09:47,140 --> 00:09:52,140
and HTTPS pages, and even HSTS if the target searches

190
00:09:52,660 --> 00:09:57,330
for that website, not if they put the domain name in here.

191
00:09:57,330 --> 00:10:00,360
So if the target comes in and literally types

192
00:10:00,360 --> 00:10:04,590
facebook.com manually and hits Enter,

193
00:10:04,590 --> 00:10:07,890
the browser will force the HTTPS connection

194
00:10:07,890 --> 00:10:10,560
as you can see in here, because like I said,

195
00:10:10,560 --> 00:10:12,800
it has a preloaded list of websites

196
00:10:12,800 --> 00:10:15,970
that it can only load over HTTPS.

197
00:10:15,970 --> 00:10:20,700
And because the browser is establishing an HTTPS connection,

198
00:10:20,700 --> 00:10:22,570
the data will be encrypted

199
00:10:22,570 --> 00:10:26,253
and therefore we won't be able to inject anything in it.