1

00:00:01,720  -->  00:00:03,140
<v Instructor>Okay, now let's have a look</v>

2

00:00:03,140  -->  00:00:05,360
on a social engineering plugin

3

00:00:05,360  -->  00:00:08,550
that'll allow us to steal usernames and passwords

4

00:00:08,550  -->  00:00:10,420
for accounts.

5

00:00:10,420  -->  00:00:13,980
So basically the way this works is, it'll dim the screen

6

00:00:13,980  -->  00:00:15,493
and it'll tell the person that,

7

00:00:15,493  -->  00:00:17,600
you got logged out of your session,

8

00:00:17,600  -->  00:00:20,260
so please log in to your account again

9

00:00:20,260  -->  00:00:22,060
so you can get authenticated.

10

00:00:22,060  -->  00:00:25,528
So this will allow us to bypass HTTPS, HSTS,

11

00:00:25,528  -->  00:00:29,730
all security that's used by the target account page.

12

00:00:29,730  -->  00:00:32,360
For example, if you're trying to get username and password

13

00:00:32,360  -->  00:00:36,130
for Facebook then you'll be able to bypass all the security

14

00:00:36,130  -->  00:00:39,080
that Facebook uses. Because what you're doing is,

15

00:00:39,080  -->  00:00:42,040
you're actually just showing a fake Facebook page.

16

00:00:42,040  -->  00:00:44,730
So the user will never actually get in contact

17

00:00:44,730  -->  00:00:45,563
with Facebook.

18

00:00:46,580  -->  00:00:48,123
So let's just click on this.

19

00:00:49,430  -->  00:00:51,750
And you'll see that you can click from here,

20

00:00:51,750  -->  00:00:55,350
you can click what account that you want to hijack.

21

00:00:55,350  -->  00:00:58,070
So let's say we're going with Facebook

22

00:00:58,070  -->  00:01:01,230
and you can select what the backlight will be.

23

00:01:01,230  -->  00:01:03,320
So we're just leaving that as gray

24

00:01:03,320  -->  00:01:05,093
and we're gonna execute this.

25

00:01:06,377  -->  00:01:08,480
And when we go to our target

26

00:01:08,480  -->  00:01:10,300
you'll see that they're being told

27

00:01:10,300  -->  00:01:12,290
that they got logged out of their session

28

00:01:12,290  -->  00:01:15,010
so please log in with your username and password.

29

00:01:15,010  -->  00:01:17,073
So I'm gonna put my username as zaid.

30

00:01:18,330  -->  00:01:21,403
Then I'm gonna put my password as 123456.

31

00:01:23,120  -->  00:01:23,953
And Enter.

32

00:01:25,540  -->  00:01:27,253
And if we go back here,

33

00:01:29,880  -->  00:01:32,090
you'll see we got our username,

34

00:01:32,090  -->  00:01:35,773
was zaid and the password was 123456.

35

00:01:36,690  -->  00:01:38,960
So you can use this to hijack a number of accounts.

36

00:01:38,960  -->  00:01:41,750
For example. Let's just have another example.

37

00:01:41,750  -->  00:01:44,070
If we go with YouTube...

38

00:01:44,070  -->  00:01:47,440
Again you give it an execute, come back,

39

00:01:47,440  -->  00:01:51,060
you see the YouTube logo and you can try to log in.

40

00:01:51,060  -->  00:01:56,060
Put a username, password, sign in and that'll be captured.

41

00:01:56,810  -->  00:02:00,380
So again, this is a really good way of gaining access

42

00:02:00,380  -->  00:02:01,350
to accounts.

43

00:02:01,350  -->  00:02:04,810
Because even if the user is not planning on logging in

44

00:02:04,810  -->  00:02:06,780
to the account that you're trying to steal

45

00:02:06,780  -->  00:02:09,350
then you'll kind of force them to enter their username

46

00:02:09,350  -->  00:02:13,230
and password to be logged back into their account.

47

00:02:13,230  -->  00:02:15,330
And then you'll be able to capture the username

48

00:02:15,330  -->  00:02:16,180
and the password.
