1
00:00:00,130  -->  00:00:01,600
<v Ziad>In the previous lecture,</v>

2
00:00:01,600  -->  00:00:03,910
we learned how to use BetterCAP

3
00:00:03,910  -->  00:00:06,600
to run an ARP spoofing attack

4
00:00:06,600  -->  00:00:10,110
and place ourselves in the middle of the connection

5
00:00:10,110  -->  00:00:13,530
between a computer and the access point.

6
00:00:13,530  -->  00:00:15,210
And every time I do this,

7
00:00:15,210  -->  00:00:17,810
I keep saying this means that all the requests

8
00:00:17,810  -->  00:00:21,370
and all the responses will flow through our computer,

9
00:00:21,370  -->  00:00:24,220
which means that we'll be able to see anything

10
00:00:24,220  -->  00:00:26,680
a user does on the Internet.

11
00:00:26,680  -->  00:00:29,230
So we should be able to see the URLs,

12
00:00:29,230  -->  00:00:31,240
the images, the videos,

13
00:00:31,240  -->  00:00:33,520
the passwords they log in with

14
00:00:33,520  -->  00:00:35,863
or anything they send or receive.

15
00:00:37,360  -->  00:00:41,050
So right now, we are already in the middle of the connection

16
00:00:41,050  -->  00:00:44,680
and this data is already flowing through our computer.

17
00:00:44,680  -->  00:00:47,560
So all we have to do is just use a program

18
00:00:47,560  -->  00:00:50,940
to capture this data and analyze it.

19
00:00:50,940  -->  00:00:53,010
Now we can use Wireshark to do that,

20
00:00:53,010  -->  00:00:55,850
and I will cover this later on in the course,

21
00:00:55,850  -->  00:00:58,940
but for now I'm gonna use a really nice module

22
00:00:58,940  -->  00:01:01,000
that comes with BetterCAP,

23
00:01:01,000  -->  00:01:04,520
that will automatically capture all of this data,

24
00:01:04,520  -->  00:01:08,193
analyze it and show me the interesting stuff.

25
00:01:09,760  -->  00:01:14,150
So all we have to do now is to tell BetterCAP

26
00:01:14,150  -->  00:01:15,960
to capture all of the data

27
00:01:15,960  -->  00:01:18,470
that is flowing through this computer

28
00:01:18,470  -->  00:01:20,830
and analyze it for me.

29
00:01:20,830  -->  00:01:25,200
And to do this, we can use the net.sniff module.

30
00:01:25,200  -->  00:01:28,210
So you can do help followed by net.sniff

31
00:01:28,210  -->  00:01:32,650
to see all of the options that you can set for this module.

32
00:01:32,650  -->  00:01:35,600
But I showed you how to read options and change them,

33
00:01:35,600  -->  00:01:37,780
so for now I actually wanna run it

34
00:01:37,780  -->  00:01:40,410
without modifying any of the options,

35
00:01:40,410  -->  00:01:45,410
so I'm just gonna do net.sniff on.

36
00:01:46,980  -->  00:01:50,250
So now everything that's gonna flow through this computer

37
00:01:50,250  -->  00:01:55,250
will be captured and analyzed by the net.sniff module.

38
00:01:56,400  -->  00:01:58,900
So I'm gonna close this terminal window

39
00:01:58,900  -->  00:02:02,260
and let's go to the target Windows computer.

40
00:02:02,260  -->  00:02:04,470
I'm gonna open my web browser

41
00:02:04,470  -->  00:02:06,700
and we're gonna generate some traffic

42
00:02:06,700  -->  00:02:11,020
and see if that's gonna be captured by BetterCAP.

43
00:02:11,020  -->  00:02:12,620
What we're doing right now

44
00:02:12,620  -->  00:02:15,610
will not work against HTTPS

45
00:02:15,610  -->  00:02:16,550
but don't worry,

46
00:02:16,550  -->  00:02:20,080
we'll talk about how to bypass HTTPS later on

47
00:02:20,080  -->  00:02:21,930
and why this won't work.

48
00:02:21,930  -->  00:02:23,560
But for now, for testing,

49
00:02:23,560  -->  00:02:27,080
I'm just gonna go to a website called vulnweb

50
00:02:28,520  -->  00:02:30,110
and I'm gonna include its link

51
00:02:30,110  -->  00:02:32,303
in the resources of this lecture.

52
00:02:33,330  -->  00:02:35,440
So as you can see this is a normal website

53
00:02:35,440  -->  00:02:36,590
that doesn't use HTTPS.

54
00:02:37,770  -->  00:02:39,790
It also has a number of links here,

55
00:02:39,790  -->  00:02:42,600
so if I click, for example, on this link,

56
00:02:42,600  -->  00:02:43,960
everything is loading fine

57
00:02:43,960  -->  00:02:45,550
as you can see here.

58
00:02:45,550  -->  00:02:48,350
But if we go to the Kali machine,

59
00:02:48,350  -->  00:02:51,610
you'll see that every request that we sent

60
00:02:51,610  -->  00:02:54,510
was actually captured by this computer.

61
00:02:54,510  -->  00:02:57,090
So you can do this to any computer

62
00:02:57,090  -->  00:02:59,950
that is connected to the same network as you,

63
00:02:59,950  -->  00:03:03,240
whether it's a wired or a wireless network.

64
00:03:03,240  -->  00:03:06,400
So you can see there were requests sent to Google,

65
00:03:06,400  -->  00:03:08,083
if we scroll down,

66
00:03:09,170  -->  00:03:10,580
you will see we made a request

67
00:03:10,580  -->  00:03:13,710
for this website, vulnweb.com.

68
00:03:13,710  -->  00:03:16,270
You can also see all of the other files

69
00:03:16,270  -->  00:03:18,060
that this website loaded.

70
00:03:18,060  -->  00:03:21,970
So you can see we have a logo loaded here.

71
00:03:21,970  -->  00:03:25,740
You can see we have a styles file being loaded here.

72
00:03:25,740  -->  00:03:27,330
Again, if there were more images,

73
00:03:27,330  -->  00:03:30,120
you'll actually see links to all of the images

74
00:03:30,120  -->  00:03:32,380
that are being loaded.

75
00:03:32,380  -->  00:03:35,600
You can see here this is the second link

76
00:03:35,600  -->  00:03:40,040
that we clicked on, the testphp.vulnweb.com.

77
00:03:40,040  -->  00:03:43,773
So this is what we have right here, at the top.

78
00:03:44,930  -->  00:03:47,440
Now also, let me just go back

79
00:03:47,440  -->  00:03:50,210
and maybe click on the first one.

80
00:03:50,210  -->  00:03:51,870
And as you can see,

81
00:03:51,870  -->  00:03:53,390
this is another website.

82
00:03:53,390  -->  00:03:56,610
It has the login functionality in here.

83
00:03:56,610  -->  00:03:58,430
And let's try, for example,

84
00:03:58,430  -->  00:03:59,820
logging in with a username.

85
00:03:59,820  -->  00:04:04,190
Let's set the username to my name, ziad sabih.

86
00:04:04,190  -->  00:04:06,693
And let's put the password as 1234567890.

87
00:04:10,530  -->  00:04:12,463
I'm gonna click on Login.

88
00:04:13,810  -->  00:04:15,040
Again, as you can see,

89
00:04:15,040  -->  00:04:17,980
we got logged in, no issues at all.

90
00:04:17,980  -->  00:04:22,450
But if I go back to the Kali computer

91
00:04:22,450  -->  00:04:24,053
and scroll up,

92
00:04:25,730  -->  00:04:28,630
as you can see, we captured a login

93
00:04:28,630  -->  00:04:33,330
that was sent to this website, testhtml5.vulnweb.com.

94
00:04:35,270  -->  00:04:38,980
Again, this is exactly the website that we have here

95
00:04:38,980  -->  00:04:40,450
and if you look in here,

96
00:04:40,450  -->  00:04:43,460
you can see that the username was ziad sabih

97
00:04:43,460  -->  00:04:47,203
and the password was 123 all the way up to 90.

98
00:04:48,770  -->  00:04:51,070
So basically the idea that I'm trying

99
00:04:51,070  -->  00:04:52,720
to get across right now,

100
00:04:52,720  -->  00:04:56,000
anything that the target computer sends

101
00:04:56,000  -->  00:05:00,180
or receives right now will be captured by the Kali machine.

102
00:05:00,180  -->  00:05:03,470
And like I said, we can do this to any computer

103
00:05:03,470  -->  00:05:07,790
or any phone that is connected to the same network as us,

104
00:05:07,790  -->  00:05:11,123
whether it's a WiFi or a wired network.
