1 00:00:00,490 --> 00:00:00,760 All right.
2 00:00:00,990 --> 00:00:01,930 Welcome back to the
3 00:00:03,220 --> 00:00:09,160 official CertCop series for the Certified Kali Linux Pen Testing Certification.
4 00:00:10,090 --> 00:00:16,000 We're going to talk about exploiting Windows systems, Linux and even some OS X.
5 00:00:16,870 --> 00:00:21,370 So essentially you can call this category the operating system exploits.
6 00:00:23,260 --> 00:00:25,420 So this is our general outline.
7 00:00:26,680 --> 00:00:29,470 We're going to look at the different types of security controls.
8 00:00:30,850 --> 00:00:34,420 We're going to talk about technical, administrative and physical controls.
9 00:00:34,840 --> 00:00:37,210 We're going to look at owning systems with Metasploit.
10 00:00:38,200 --> 00:00:45,250 We'll look at systems, different types of exploits, how to generate payloads and things of that nature.
11 00:00:46,500 --> 00:00:53,130 We're also going to get into some ARP poisoning attacks, the Address Resolution Protocol.
12 00:00:53,970 --> 00:01:00,510 We'll look at how ARP plays a role in different types of attacks.
13 00:01:00,990 --> 00:01:03,650 We'll get into some of the different phishing attack vectors.
14 00:01:03,660 --> 00:01:08,580 We'll look at phishing, smishing, whaling, spear phishing.
15 00:01:09,420 --> 00:01:15,090 And we're going to also talk about the various countermeasures and how organizations can protect themselves
16 00:01:15,090 --> 00:01:16,830 against these different types of attacks.
17 00:01:32,500 --> 00:01:33,750 So this is our chapter flow.
18 00:01:33,760 --> 00:01:39,340 We're going to look at that Metasploit Meterpreter, which stands for Meta Interpreter, but it's
19 00:01:39,610 --> 00:01:42,550 essentially the command interpreter for Metasploit.
20 00:01:42,550 --> 00:01:44,410 We'll talk about pwning Windows machines.
21 00:01:44,710 --> 00:01:50,590 We'll look at ARP poisoning, phishing, and we'll follow up with some demos and then the different countermeasures.
22 00:01:52,150 --> 00:01:53,680 So first, we need to understand
23 00:01:55,200 --> 00:02:00,630 the different types of controls that exist with respect to information security.
24 00:02:04,830 --> 00:02:10,940 So there are physical controls, there are technical controls and procedural or administrative controls.
25 00:02:11,430 --> 00:02:14,250 So technical controls, you can think of:
26 00:02:14,250 --> 00:02:20,340 these are things that use technology, things like firewalls, encryption, passwords, anything that
27 00:02:20,370 --> 00:02:23,520 uses a technical implementation method.
28 00:02:24,300 --> 00:02:26,120 Then you have the administrative controls.
29 00:02:26,130 --> 00:02:34,530 These are usually more policy-based things like user awareness training or acceptable use policies or
30 00:02:34,830 --> 00:02:36,440 password reset policies.
31 00:02:36,450 --> 00:02:37,670 These are things that have to be
32 00:02:39,590 --> 00:02:46,970 implemented and enforced by your administrative elements like your H.R., Human Resources.
33 00:02:49,110 --> 00:02:51,210 Then lastly, you have your physical controls.
34 00:02:51,210 --> 00:02:53,340 You have controls that you can touch.
35 00:02:53,340 --> 00:03:02,010 So physical barricades, security cameras, door access systems, mantraps, anything that you can
36 00:03:02,010 --> 00:03:03,260 physically put your hands on.
37 00:03:03,270 --> 00:03:05,070 So let's talk about technical controls.
38 00:03:05,730 --> 00:03:08,790 So these are using technology to reduce vulnerabilities.
39 00:03:09,390 --> 00:03:17,430 So the goal with these controls is not to completely remove risk, because that's not a realistic idea.
40 00:03:17,760 --> 00:03:19,320 Risk is always going to be there.
41 00:03:19,980 --> 00:03:24,450 Risk is going to be something that is inherent in any type of
42 00:03:25,940 --> 00:03:26,540 system.
43 00:03:27,620 --> 00:03:31,970 No matter what you do, any kind of business, even driving down the street, if you think of something
44 00:03:31,970 --> 00:03:34,720 non-technical, that has an inherent amount of risk.
45 00:03:34,730 --> 00:03:41,150 So the goal with these controls is to try and get risk down to as close to zero as possible, or at
46 00:03:41,150 --> 00:03:44,360 least mitigating the different threats that are out there.
47 00:03:44,370 --> 00:03:51,110 So encryption: we mitigate unauthorized people being able to access our important files, so we encrypt
48 00:03:51,110 --> 00:03:54,530 them so that they cannot be easily read.
49 00:03:54,740 --> 00:03:57,080 That could be encryption on a disk.
50 00:03:57,380 --> 00:04:00,020 That could be encryption done in transit.
51 00:04:01,350 --> 00:04:02,760 Lots of different ways to do encryption.
52 00:04:02,770 --> 00:04:11,190 Then you have antivirus software, things like desktop antivirus that check for malicious signatures
53 00:04:11,190 --> 00:04:15,540 of known malware, and some of them even implement behavioral detection.
54 00:04:15,540 --> 00:04:18,230 But that's another type of technical control.
55 00:04:18,270 --> 00:04:22,800 Then we have intrusion detection systems and intrusion prevention systems.
56 00:04:23,130 --> 00:04:32,160 Many of the devices these days just combine both functions together, and they're generally thought
57 00:04:32,160 --> 00:04:34,140 of as being able to
58 00:04:36,030 --> 00:04:39,150 detect threats, but not able to actually prevent them.
59 00:04:39,150 --> 00:04:44,970 So if you have an IDS versus an IPS and you want to prevent different vulnerabilities, you would want
60 00:04:44,970 --> 00:04:49,230 to go with an IPS at a minimum. Then you have firewalls.
61 00:04:49,230 --> 00:04:50,100 So firewalls.
62 00:04:50,100 --> 00:04:57,300 For years they were the last bastion of security between the dangerous network, otherwise known as
63 00:04:57,300 --> 00:04:59,880 the Internet, and your internal corporate network.
64 00:05:00,330 --> 00:05:03,060 Although these days, firewalls can be almost anywhere.
65 00:05:03,060 --> 00:05:06,900 They can be on the host, they can be on the network, they can be in the cloud.
66 00:05:07,290 --> 00:05:09,180 They could be on your personal mobile device.
67 00:05:09,720 --> 00:05:12,270 These are all different types of technical controls that are out there.
68 00:05:13,020 --> 00:05:19,350 And then lastly, of course, least privilege kind of runs the gamut of all systems. Any system, you
69 00:05:19,350 --> 00:05:24,720 want to give the least amount of privilege possible from an access control perspective. Don't give
70 00:05:24,720 --> 00:05:30,210 somebody full administrative rights on a Windows machine when maybe they can get by with power user, or
71 00:05:30,510 --> 00:05:32,580 don't give somebody root access,
72 00:05:32,580 --> 00:05:35,280 but maybe all they need to do is sudo to root.
73 00:05:36,000 --> 00:05:37,620 So those are technical controls.
74 00:05:39,630 --> 00:05:42,270 Then let's look through administrative controls.
75 00:05:42,270 --> 00:05:46,740 So things like risk assessments, vulnerability assessments, penetration tests.
76 00:05:46,740 --> 00:05:54,150 Now, even though these are administrative or management controls, they do have potentially a technical
77 00:05:54,150 --> 00:05:55,140 component to them.
78 00:05:55,590 --> 00:05:57,960 So don't get those confused now.
79 00:05:59,010 --> 00:06:03,180 But most of these, you know, risk assessments, vulnerability assessments, like we've talked about,
80 00:06:03,450 --> 00:06:09,870 they have to be driven by some type of management policy from the top down, from your C-level executives
81 00:06:10,920 --> 00:06:12,990 all the way down to your lowest level.
82 00:06:14,010 --> 00:06:18,030 Other types of administrative controls are user awareness and training.
83 00:06:18,030 --> 00:06:23,160 So when you first get your account, you have to go through some type of training that says you're not
84 00:06:23,160 --> 00:06:26,460 going to do anything inappropriate with that account.
85 00:06:27,780 --> 00:06:31,380 And then, of course, you have your configuration and change management.
86 00:06:31,950 --> 00:06:33,780 You might hear it called CRM.
87 00:06:34,110 --> 00:06:41,640 This is essentially making sure that people aren't arbitrarily making changes to systems without actually
88 00:06:41,640 --> 00:06:42,600 documenting things.
89 00:06:42,600 --> 00:06:48,240 And then, of course, you've got your media protection, your contingency planning, continuity of
90 00:06:48,240 --> 00:06:51,510 operations or COOP, which is a very common term.
91 00:06:51,510 --> 00:06:53,640 These are all administrative controls.
92 00:06:53,640 --> 00:06:59,400 And then, of course, your physical and environmental protections, your HVAC systems, your temperature
93 00:06:59,400 --> 00:07:03,540 control systems, your thermostat, these are all managed by
94 00:07:04,990 --> 00:07:06,280 an administrative method.
95 00:07:07,060 --> 00:07:09,250 And then lastly, we have the physical controls.
96 00:07:09,250 --> 00:07:14,470 So anything you can physically put your hands on, whether that's a camera, whether that's a door system,
97 00:07:14,470 --> 00:07:18,340 an access badge system, of course, signs.
98 00:07:18,610 --> 00:07:21,160 Security guards, signs that say keep out, you know,
99 00:07:21,160 --> 00:07:26,410 by entering on this property, you consent to search or some other type of action.
100 00:07:26,410 --> 00:07:28,210 So those are security controls.
101 00:07:30,190 --> 00:07:31,510 So what is exploitation?
102 00:07:31,540 --> 00:07:36,760 So we've looked at vulnerabilities, we've looked at exploits in Metasploit, but exploiting can really
103 00:07:36,760 --> 00:07:38,080 be a lot of different things.
104 00:07:38,080 --> 00:07:39,730 It could be software or hardware.
105 00:07:40,390 --> 00:07:46,870 So exploitation means taking advantage of some vulnerability that results in a loss to a company.
106 00:07:46,870 --> 00:07:50,980 So usually that involves privilege escalation.
107 00:07:51,340 --> 00:07:56,500 You get access to a system and then you elevate privileges to root or to an administrator.
108 00:07:56,950 --> 00:07:58,540 And then you take over that system
109 00:07:59,660 --> 00:08:07,160 and use that system to perform other nefarious things like denial of service attacks or botnets or many
110 00:08:07,160 --> 00:08:08,150 other different things.
111 00:08:08,480 --> 00:08:09,830 So that's exploitation.
112 00:08:11,650 --> 00:08:14,950 So there are essentially two types of exploits.
113 00:08:14,950 --> 00:08:17,110 We have local and we have remote.
114 00:08:17,110 --> 00:08:24,190 Local generally means you have to be on the same network or have physical access, some type of local
115 00:08:24,190 --> 00:08:25,150 access to the system.
116 00:08:25,160 --> 00:08:28,360 Remote means generally it can be done over the network.
117 00:08:31,550 --> 00:08:32,270 So how do we
118 00:08:33,820 --> 00:08:37,750 get access to some of these systems and build exploit code? Well, we've looked at Metasploit.
119 00:08:38,140 --> 00:08:44,620 So Metasploit is known for its anti-forensic and evasion tools, some of which are built into the Metasploit
120 00:08:44,620 --> 00:08:45,220 framework.
121 00:08:45,850 --> 00:08:50,050 And basically the process goes something like this: you choose an exploit.
122 00:08:50,770 --> 00:08:53,080 Check and see whether the target system is vulnerable.
123 00:08:54,010 --> 00:08:55,030 Configure the payload.
124 00:08:56,120 --> 00:08:57,920 Figure out how you're going to encode
125 00:08:59,490 --> 00:09:02,430 that payload and send it to your target.
126 00:09:04,720 --> 00:09:11,270 So msfvenom, as we've talked about, is the combination of msfpayload and msfencode.
127 00:09:11,290 --> 00:09:19,270 They essentially replaced the old methods of creating payloads outside of the Metasploit framework.
128 00:09:19,270 --> 00:09:21,940 So the advantages are it's one single tool.
129 00:09:22,270 --> 00:09:27,640 It's standardized across the command line options and it's much faster.
130 00:09:29,620 --> 00:09:34,120 So this is an example of a payload generation on a Windows system.
131 00:09:34,150 --> 00:09:42,550 Let's go ahead and run one more. Boot up into our Kali Linux machine, because we've seen how to do exploits
132 00:09:43,210 --> 00:09:44,380 inside of
133 00:09:47,100 --> 00:09:47,910 Metasploit, but we've
134 00:09:47,910 --> 00:09:49,680 not necessarily
135 00:09:51,100 --> 00:09:54,790 gone through an exploit in msfvenom.
136 00:10:08,900 --> 00:10:12,380 So we'll type the msfvenom command and then a -a
137 00:10:12,890 --> 00:10:14,360 and then what platform we want.
138 00:10:16,310 --> 00:10:18,980 msfvenom. Let's look at the man page first.
139 00:10:22,370 --> 00:10:25,040 So payload generator and encoder.
140 00:10:29,570 --> 00:10:34,880 And there's some different... you can pick what architecture you want to use with the
141 00:10:34,880 --> 00:10:35,270 -a.
142 00:10:38,460 --> 00:10:45,410 You know, we're going to do a --platform
143 00:10:47,770 --> 00:10:53,440 and here I use windows, and we're going to do -p for the payload.
144 00:10:54,870 --> 00:11:00,060 And we have picked windows/shell because we want to get a shell on a Windows system.
145 00:11:00,540 --> 00:11:02,970 We want a TCP bind.
146 00:11:03,960 --> 00:11:07,830 And with that, we're going to do the -e x86
147 00:11:09,740 --> 00:11:11,330 slash shikata
148 00:11:16,400 --> 00:11:21,680 underscore ga_nai, and then -b, and then we put in our
149 00:11:23,620 --> 00:11:24,340 null byte.
150 00:11:28,740 --> 00:11:29,080 What?
151 00:11:32,970 --> 00:11:34,200 And then -i.
152 00:11:38,070 --> 00:11:40,700 As long as we made no mistakes, we should get our payload.
153 00:11:47,390 --> 00:11:50,270 And it might take a little bit since I'm doing it in a virtual machine.
154 00:12:16,920 --> 00:12:19,590 It means I probably made a mistake for the...
155 00:12:30,620 --> 00:12:34,300 So since we were having issues with that payload, I went ahead and picked a different one.
156 00:12:34,310 --> 00:12:40,910 So, msfvenom -p, I'm using the PHP Meterpreter reverse TCP shell.
157 00:12:41,330 --> 00:12:46,490 I put the host as the IP of the target and the port that I want to use.
158 00:12:46,880 --> 00:12:54,290 And I had it output the payload to example.php, and there's the payload
159 00:12:56,530 --> 00:12:59,680 that was created by msfvenom.
160 00:13:02,720 --> 00:13:04,640 30,688 bytes.
161 00:13:04,640 --> 00:13:07,550 So this is what would get run on the target system.
162 00:13:14,680 --> 00:13:20,890 So I can generate from the MSF payload as well, which we saw in the previous module.
163 00:13:27,980 --> 00:13:34,670 So if we go to the terminal and go into our
164 00:13:39,490 --> 00:13:40,360 Meterpreter
165 00:13:41,230 --> 00:13:41,800 session.
166 00:13:43,790 --> 00:13:46,070 First we have to start up Metasploit.
167 00:13:48,620 --> 00:13:53,470 use payload shell bind_tcp.
168 00:14:00,700 --> 00:14:01,600 And want to.
169 00:14:09,570 --> 00:14:13,920 And there's a lot of payloads because I didn't quite type it just right, which does tend to happen
170 00:14:13,920 --> 00:14:14,630 with the command line.
171 00:14:14,640 --> 00:14:20,970 So again, you want to make sure that you're just being mindful of the,
172 00:14:22,510 --> 00:14:24,340 the case-sensitive nature.
173 00:14:28,860 --> 00:14:29,940 So really you can pick
174 00:14:32,210 --> 00:14:36,230 any payload that you want out of this menu here, it doesn't matter which one.
175 00:14:43,070 --> 00:14:43,510 There you go.
176 00:14:43,550 --> 00:14:47,000 So we've got our payload now, and we're going to go ahead and generate.
177 00:14:48,170 --> 00:14:51,060 We can look at -h, which will tell us what to do.
178 00:14:51,080 --> 00:14:53,270 We're going to go ahead and generate without any parameters.
179 00:14:54,080 --> 00:14:54,380 Oh, yeah.
180 00:14:54,380 --> 00:14:56,630 We've got to set the host.
181 00:15:01,070 --> 00:15:03,260 So we want set LHOST to
182 00:15:07,320 --> 00:15:07,650 Unknown.
183 00:15:07,650 --> 00:15:10,110 216873.
184 00:15:11,560 --> 00:15:15,460 And now we're going to generate
185 00:15:18,790 --> 00:15:20,050 and there's our payload.
186 00:15:25,270 --> 00:15:28,870 We can do the same thing with removing the null bytes.
187 00:15:28,870 --> 00:15:29,470 We've already done that.
188 00:15:29,470 --> 00:15:30,340 We're not going to do that.
189 00:15:31,090 --> 00:15:35,210 There's other tools by which you can create these types of payloads.
190 00:15:35,230 --> 00:15:36,370 There's TheFatRat.
191 00:15:36,370 --> 00:15:39,290 There's... and Nmap has its own scripting language.
192 00:15:39,730 --> 00:15:46,780 If you remember, if we go into a new tab here and we go into the
193 00:15:50,170 --> 00:15:53,470 Nmap directory, we have some payloads.
194 00:15:58,630 --> 00:16:02,770 And these are all the different payloads that come built in to Nmap.
195 00:16:05,870 --> 00:16:12,440 So depending on what version you might want to do, of course, there's Wireshark, which is more of a tool
196 00:16:12,440 --> 00:16:13,880 for capturing packets.
197 00:16:14,240 --> 00:16:20,840 If you want to look at Wireshark, it's built into Kali Linux.
198 00:16:21,680 --> 00:16:22,790 It's under the...
199 00:16:27,040 --> 00:16:27,700 Let's see.
200 00:16:27,790 --> 00:16:28,450 Where did they put it?
201 00:16:30,670 --> 00:16:34,930 Under the sniffing section, along with some of the other sniffing tools.
202 00:16:34,930 --> 00:16:40,840 But notice it's already open here and we're going to just use the eth0.
203 00:16:41,860 --> 00:16:47,800 So I didn't run this from sudo, so that means I don't have permission to run it.
204 00:16:51,640 --> 00:16:55,690 So you want to make sure you run Wireshark as root.
205 00:16:58,720 --> 00:17:00,640 I'm going to go ahead and close that down.
206 00:17:09,780 --> 00:17:10,230 Okay.
207 00:17:12,960 --> 00:17:14,130 Let's try this again.
208 00:17:14,930 --> 00:17:17,930 With the correct permissions. Are the correct...
209 00:17:18,270 --> 00:17:18,720 Yes.
210 00:17:18,990 --> 00:17:19,440 Okay.
211 00:17:19,450 --> 00:17:20,160 Now we have it.
212 00:17:21,420 --> 00:17:25,830 So we can go ahead and start capturing, and immediately we're going to start seeing bits come across
213 00:17:25,830 --> 00:17:26,280 the wire.
214 00:17:27,180 --> 00:17:28,500 We can see frames.
215 00:17:28,890 --> 00:17:30,570 We can see information.
216 00:17:31,200 --> 00:17:33,360 We can see the IP address.
217 00:17:33,810 --> 00:17:36,480 We can see the source and destination MAC address.
218 00:17:37,110 --> 00:17:38,970 We can see what type of packet it is.
219 00:17:39,510 --> 00:17:44,760 So this is going out to an Eero router and broadcast.
220 00:17:45,090 --> 00:17:50,280 Some of these are standard SSDP traffic, Simple Service Discovery Protocol.
221 00:17:50,670 --> 00:17:52,620 Let's see what happens when we open up a web browser.
222 00:17:54,440 --> 00:17:57,530 Should start to see some ICMP connections.
223 00:17:59,910 --> 00:18:01,440 And some TCP connections as well.
224 00:18:01,470 --> 00:18:04,530 Look, there's some ARP traffic.
225 00:18:05,750 --> 00:18:08,170 Saying who has the IP address for this?
226 00:18:08,180 --> 00:18:17,450 And we've opened up our browser and let's just go to CNN.com and we'll start seeing some TCP queries
227 00:18:17,450 --> 00:18:18,230 coming across.
228 00:18:21,730 --> 00:18:23,380 We're currently on 205.
229 00:18:23,380 --> 00:18:29,530 And essentially this is how you can look at your network and look at the traffic and see what ports
230 00:18:29,530 --> 00:18:33,250 and things are open, how protocols are communicating.
231 00:18:34,090 --> 00:18:39,550 And see, it gives you a message at the bottom and has live capture in progress and it tells you how many
232 00:18:39,550 --> 00:18:40,750 packets are being captured.
233 00:18:40,750 --> 00:18:43,150 This number on the left-hand side is just arbitrary.
234 00:18:43,750 --> 00:18:52,420 So if I want to filter out just TCP traffic, I can do that by just typing in stuff in the search box
235 00:18:52,420 --> 00:18:52,690 here.
236 00:18:53,080 --> 00:18:59,080 Maybe I want tcp.port ==
237 00:18:59,080 --> 00:19:02,030 maybe just what's on port 88.
238 00:19:02,130 --> 00:19:07,060 I only want to see from particular ports, and if I want to stop capture, I hit the stop button and now
239 00:19:07,060 --> 00:19:09,550 I can actually save this as a file.
240 00:19:12,160 --> 00:19:21,370 I can even open captures from other places, use different utilities to analyze the traffic. If I right
241 00:19:21,370 --> 00:19:22,750 click on one of these streams,
242 00:19:23,910 --> 00:19:24,990 these TCP streams,
243 00:19:24,990 --> 00:19:32,220 I can actually follow the stream and I can see the data that was sent back and forth between the website
244 00:19:34,730 --> 00:19:37,100 and my virtual machine.
245 00:19:37,670 --> 00:19:41,180 I can look at the whole conversation, or I can only look at one side at a time.
246 00:19:41,750 --> 00:19:45,280 I can change the format if you want to see the raw input.
247 00:19:47,230 --> 00:19:48,310 Maybe the animal.
248 00:19:50,130 --> 00:19:56,340 You can change it to different formats, to hex traffic, which you can see the hex in the
249 00:19:56,340 --> 00:19:58,260 bottom pane here.
250 00:19:59,190 --> 00:20:02,850 If we move this up and we scroll down a little bit,
251 00:20:04,410 --> 00:20:05,850 you'll be able to see the hex over here.
252 00:20:05,850 --> 00:20:11,850 So ideally, if this traffic is in the clear, you'll be able to see anything that's in plain text on
253 00:20:11,850 --> 00:20:19,740 the right-hand side that potentially can get you things like passwords, session tokens and many other
254 00:20:19,740 --> 00:20:20,190 things.
255 00:20:21,420 --> 00:20:22,650 So that's Wireshark.
256 00:20:23,490 --> 00:20:24,720 Let's go ahead and close that.
257 00:20:28,490 --> 00:20:31,640 So before we get into ARP, we saw some ARP traffic.
258 00:20:31,640 --> 00:20:37,760 ARP is actually Address Resolution Protocol, and we can look at ARP traffic from the command
259 00:20:37,760 --> 00:20:44,000 line, and it's got an enclosed screen, and we can see these are all the IP addresses and MAC addresses
260 00:20:44,330 --> 00:20:50,390 that this network interface card knows about, that it's able to talk to, and what interface.
261 00:20:50,690 --> 00:20:57,200 You might have a few more, you might have less, but ARP can be very useful in finding out information.
262 00:20:58,280 --> 00:21:04,250 And it's a chatty protocol that essentially, if a system wants to communicate with another system over
263 00:21:04,250 --> 00:21:11,390 a network, it has to first send out an ARP broadcast to find out what IP address and MAC address
264 00:21:11,480 --> 00:21:14,810 that system is on so it can update its own cache.
265 00:21:15,260 --> 00:21:21,440 The cache is essentially a table that each device has, and it stores that information.
266 00:21:21,440 --> 00:21:23,630 That's what I just retrieved there from the command line.
267 00:21:26,440 --> 00:21:34,720 So maybe I want to -v for verbose mode so I can get a little bit more information,
268 00:21:36,640 --> 00:21:40,210 if there actually is any there, about a particular host.
269 00:21:43,560 --> 00:21:51,810 So maybe I want to delete an entry, or potentially I can also use this command to add a new entry.
270 00:21:51,810 --> 00:21:54,990 So if I was an attacker and I could change the ARP cache,
271 00:21:57,180 --> 00:22:01,950 then I could potentially redirect traffic to myself or to my website.
272 00:22:01,950 --> 00:22:05,340 So that's one of the things we're going to look at here momentarily.
273 00:22:07,130 --> 00:22:08,810 So how does ARP poisoning work?
274 00:22:09,560 --> 00:22:16,360 Well, an ARP poisoning attack is where an attacker sends messages to the local area network via ARP
275 00:22:16,370 --> 00:22:16,910 traffic.
276 00:22:17,420 --> 00:22:22,640 So in this case, we have the one computer, the 192.168.0.102,
277 00:22:22,700 --> 00:22:27,590 wants to talk to the .104, which is this computer over here.
278 00:22:28,190 --> 00:22:35,000 Now, the attacker can associate their MAC address with another host's IP address, which essentially
279 00:22:35,000 --> 00:22:37,860 means that all the traffic is going to be sent to them.
280 00:22:37,880 --> 00:22:41,660 So notice the attacker says, Hey, this is my MAC address.
281 00:22:42,260 --> 00:22:46,250 Send me all the traffic that was destined for this other host.
282 00:22:47,920 --> 00:22:48,280 So.
283 00:22:49,480 --> 00:22:53,710 ARP poisoning is essentially changing the... or ARP spoofing, as it's called.
284 00:22:53,710 --> 00:22:59,560 You can intercept, modify, then collect the traffic data across the network.
285 00:22:59,590 --> 00:23:05,590 This could be the start of other types of attacks like man-in-the-middle or session hijacking.
286 00:23:08,600 --> 00:23:09,890 So what is ARP spoofing?
287 00:23:09,920 --> 00:23:13,270 Well, ARP spoofing is essentially where you forge packets.
288 00:23:13,280 --> 00:23:19,730 If you send another a bunch of ARP requests to try and overload a switch.
289 00:23:20,930 --> 00:23:26,390 So essentially what you'll end up doing is you'll run a tool like arp-scan or...
290 00:23:29,620 --> 00:23:31,420 The top method here is in Windows.
291 00:23:31,460 --> 00:23:33,070 Let's look at Kali first.
292 00:23:33,550 --> 00:23:35,380 Let's go ahead and clear the screen.
293 00:23:36,040 --> 00:23:40,030 Let's go ahead and look at arp-scan.
294 00:23:40,540 --> 00:23:41,860 So this is the ARP scanner.
295 00:23:41,860 --> 00:23:47,110 So if you set up what options you want and what hosts you want to actually scan.
296 00:24:02,520 --> 00:24:09,480 So there are some options here for the different types of packets and different headers you
297 00:24:09,480 --> 00:24:10,350 can modify.
298 00:24:12,440 --> 00:24:13,590 And here's some examples.
299 00:24:13,600 --> 00:24:15,920 So arp-scan --interface.
300 00:24:16,340 --> 00:24:19,670 So I'm going to use the eth0 interface.
301 00:24:39,170 --> 00:24:40,620 What's that?
302 00:24:40,910 --> 00:24:43,010 --interface=eth0.
303 00:24:43,730 --> 00:24:51,560 And I'm going to send it out over the network 192.168.7.0/24, which is the network I'm on.
304 00:24:52,370 --> 00:24:57,830 So now it's going to go out and it's going to send an ARP request to all those packets.
305 00:24:57,830 --> 00:25:01,340 So all the packets came back for the eight hosts that responded.
306 00:25:07,960 --> 00:25:14,980 There is another tool called arpspoof where I can essentially...
307 00:25:18,760 --> 00:25:27,490 And sometimes it may not be installed in your Kali Linux distro, so you may have to go download it
308 00:25:27,490 --> 00:25:28,570 from the repository.
309 00:25:30,540 --> 00:25:41,760 So, as does sometimes happen, these tools get removed from the distribution.
310 00:25:50,060 --> 00:25:53,540 So let's look at one other tool for spoofing
311 00:25:53,720 --> 00:25:54,430 MAC addresses.
312 00:25:54,440 --> 00:25:59,300 There's a tool called macof, which essentially will flood a network with a bunch of MAC addresses
313 00:25:59,300 --> 00:26:02,060 to try and essentially poison the MAC table.
314 00:26:02,070 --> 00:26:06,800 So it works like this: macof -i and then the interface name.
315 00:26:07,160 --> 00:26:09,230 So in my case, it's eth0.
316 00:26:09,740 --> 00:26:19,220 So I'm going to press enter, and again, some tools get taken out of the repository.
317 00:26:22,450 --> 00:26:25,270 So as does happen sometimes, tools get removed.
318 00:26:25,270 --> 00:26:31,630 So if macof and the arpspoof tool do not come up for you, you have to do an apt-get
319 00:26:31,630 --> 00:26:37,450 install dsniff, which is the library that contains these tools.
320 00:26:37,510 --> 00:26:40,510 So once you do that, then you'll be able to run these commands.
321 00:26:40,510 --> 00:26:41,080 No problem.
322 00:26:41,560 --> 00:26:48,130 So macof -i and the interface I want to flood it with, and notice it's going to send,
323 00:26:49,000 --> 00:26:54,910 essentially, I think it's like 130,000 MAC addresses out that interface.
324 00:26:54,910 --> 00:27:03,880 So if I were connected up to a corporate switch, I could potentially flood the switch table to update
325 00:27:03,880 --> 00:27:06,190 new MAC addresses into its ARP cache.
326 00:27:06,190 --> 00:27:12,340 Now there are ways to block this with port security and other things, but this is one tool for doing
327 00:27:12,340 --> 00:27:12,670 that.
328 00:27:14,480 --> 00:27:16,090 And then we have arpspoof.
329 00:27:18,280 --> 00:27:25,570 So this tool will allow you to intercept packets on a switched LAN by essentially forging
330 00:27:25,570 --> 00:27:31,360 ARP replies. So you put the interface and you put which one you want,
331 00:27:32,810 --> 00:27:39,050 which hardware address to use when you're restoring the ARP configuration, and then you put your target.
332 00:27:46,950 --> 00:27:51,180 And then -r is if you want to poison in both directions.
333 00:27:54,420 --> 00:27:56,680 So let's say I want to arpspoof.
334 00:27:57,750 --> 00:27:59,820 -i for eth0.
335 00:28:00,210 --> 00:28:01,620 -c for both.
336 00:28:02,790 --> 00:28:11,460 I want to do -t, I'm going to have my target be 192.168.7.23, and I mistyped it.
337 00:28:13,410 --> 00:28:14,640 arpspoof.
338 00:28:25,700 --> 00:28:26,150 -r.
339 00:28:37,460 --> 00:28:41,030 So arpspoof, host 192.168.7.205.
340 00:28:43,920 --> 00:28:50,740 And so we changed the gateway to the layout of the router, and we're getting ARP replies back from
341 00:28:51,920 --> 00:28:52,880 that particular
342 00:28:54,320 --> 00:28:54,890 system.
343 00:28:56,630 --> 00:29:03,530 So essentially all we're trying to do is spoof ARP requests to our target to pretend to be
344 00:29:04,710 --> 00:29:10,340 the router and essentially get that target to send all of the traffic back to us.
345 00:29:14,180 --> 00:29:16,340 So go ahead and kill that tool.
346 00:29:26,630 --> 00:29:29,180 So we've got different information in there now.
347 00:29:39,380 --> 00:29:41,780 So that's ARP spoofing, MAC flooding.
348 00:29:42,290 --> 00:29:49,100 And next, we're going to look at some of the different tools by which you can do man-in-the-middle
349 00:29:49,100 --> 00:29:49,580 attacks.
350 00:29:49,590 --> 00:29:53,030 We have Ettercap, which is in Kali Linux.
351 00:29:53,030 --> 00:29:54,530 We also have Cain and Abel.
352 00:29:55,370 --> 00:30:03,050 We've looked at arp-scan, so let's go ahead and we're going to open up our terminal and we're going
353 00:30:03,050 --> 00:30:08,660 to look for a file called etter.dns.
354 00:30:11,720 --> 00:30:13,520 So there's the Ettercap DNS file.
355 00:30:15,600 --> 00:30:19,140 And we're going to open it with a text editor like Leafpad or something like that.
356 00:30:22,560 --> 00:30:24,180 And we have to give it the full path.
357 00:30:35,650 --> 00:30:39,930 So there's no Leafpad on this one, unless I'm going to go out and install it, because I like that text
358 00:30:39,940 --> 00:30:40,360 editor.
359 00:30:40,810 --> 00:30:43,540 It's another option.
360 00:30:43,540 --> 00:30:47,290 It just comes with some of the versions of Kali, the older versions.
361 00:30:47,290 --> 00:30:52,780 But those, again, they update with new things and yeah, you can always just install it.
362 00:30:55,220 --> 00:30:57,380 It's pretty lightweight and user friendly.
363 00:30:59,880 --> 00:31:03,540 And it's a little more visually appealing than some of the default ones.
364 00:31:03,540 --> 00:31:04,830 So let's go ahead and open up
365 00:31:05,740 --> 00:31:06,970 etter.dns.
366 00:31:12,860 --> 00:31:14,270 And so there's the file.
367 00:31:16,070 --> 00:31:17,540 Zoom out a little bit because...
368 00:31:31,940 --> 00:31:32,240 It's not.
369 00:31:32,240 --> 00:31:32,990 Let me zoom out.
370 00:31:33,020 --> 00:31:33,620 That's okay.
371 00:31:34,610 --> 00:31:35,240 It happens.
372 00:31:35,960 --> 00:31:38,570 So we're going to
373 00:31:40,960 --> 00:31:42,430 add a new entry in here. 374 00:31:45,140 --> 00:31:47,780 So we've got to go to anything that's not in the. 375 00:31:51,250 --> 00:31:53,890 Because there's lots of different things in here. 376 00:32:01,140 --> 00:32:04,260 So we're going to ping a site called Hack This Site. 377 00:32:06,110 --> 00:32:08,900 And let's open up our terminal here. 378 00:32:10,040 --> 00:32:15,920 This is keeping track of Ettercap. Hack 379 00:32:16,010 --> 00:32:24,200 This Site is a legal site to be able to practice ethical hacking, penetration testing and all that 380 00:32:24,200 --> 00:32:24,800 kind of stuff. 381 00:32:25,370 --> 00:32:33,830 So we're going to go ahead and copy this IP address and we're going to go back to our DNS file. 382 00:32:34,460 --> 00:32:36,680 I want to go down here to where it says. 383 00:32:48,340 --> 00:32:48,940 Let's see. 384 00:32:48,970 --> 00:32:49,510 Or is it that? 385 00:32:51,630 --> 00:32:53,010 No one likes Microsoft. 386 00:32:54,240 --> 00:32:55,830 We're going to say google.com. 387 00:32:56,770 --> 00:32:58,110 I'm going to make it an A record. 388 00:32:58,350 --> 00:33:05,010 I'm going to have google.com point to that IP address we just copied. 389 00:33:10,230 --> 00:33:14,340 But so evidently I did not actually copy the IP address. 390 00:33:14,340 --> 00:33:14,880 One moment. 391 00:33:20,000 --> 00:33:20,810 Or my terminal. 392 00:33:20,810 --> 00:33:21,140 Go. 393 00:33:22,310 --> 00:33:22,580 All right. 394 00:33:22,610 --> 00:33:24,470 Let's see if I can actually get that 395 00:33:26,780 --> 00:33:27,740 IP copied. 396 00:33:30,740 --> 00:33:31,370 Copy. 397 00:33:33,720 --> 00:33:34,380 Okay. 398 00:33:35,780 --> 00:33:39,920 Let's go back to the file and we're just going to put it right here. 399 00:33:40,160 --> 00:33:40,610 Paste. 400 00:33:41,240 --> 00:33:41,900 Okay, good. 401 00:33:42,320 --> 00:33:46,760 Now we're going to go ahead and hit File, Save. 
402 00:33:48,780 --> 00:33:53,820 Now what we're going to do, we're going to look for the Ettercap program 403 00:33:56,910 --> 00:34:00,030 under the Sniffing and Spoofing section. 404 00:34:00,030 --> 00:34:01,560 This is the Ettercap GUI. 405 00:34:01,860 --> 00:34:05,310 There is a command line version, but we'll look at the Ettercap 406 00:34:05,310 --> 00:34:05,880 GUI. 407 00:34:05,880 --> 00:34:10,080 And the program will require authentication. 408 00:34:13,070 --> 00:34:14,780 And I typed in the password wrong. 409 00:34:14,960 --> 00:34:16,940 I had the caps lock key on. 410 00:34:16,940 --> 00:34:19,640 So make sure you're paying attention to your 411 00:34:21,810 --> 00:34:23,130 make sure it's case sensitive. 412 00:34:23,130 --> 00:34:26,370 So we're going to go ahead and go to the host list. 413 00:34:27,180 --> 00:34:28,710 Hosts, Hosts list. 414 00:34:35,910 --> 00:34:37,440 So I say that's fine. 415 00:34:37,980 --> 00:34:38,310 Oops. 416 00:34:46,770 --> 00:34:48,060 So they've changed it a little bit. 417 00:34:49,420 --> 00:34:51,870 So in our host list, we're going to 418 00:35:00,290 --> 00:35:06,140 go to our target machine and we're going to look for that IP address. 419 00:35:10,310 --> 00:35:13,770 As we've already got some hosts that are pre-populated in there. 420 00:35:19,990 --> 00:35:21,190 So we'll just use this. 421 00:35:22,450 --> 00:35:23,320 This one here. 422 00:35:24,010 --> 00:35:25,150 Add to Target 1. 423 00:35:29,280 --> 00:35:29,460 Now. 424 00:35:29,460 --> 00:35:31,080 We got to find, we got to add the 425 00:35:33,580 --> 00:35:35,030 the default gateway as well. 426 00:35:59,110 --> 00:36:02,020 It's going to run another scan for hosts because we should be getting. 427 00:36:02,350 --> 00:36:02,950 There we go. 428 00:36:03,580 --> 00:36:05,140 I'm going to add that to Target 2. 429 00:36:05,170 --> 00:36:06,280 That's the default gateway. 430 00:36:06,970 --> 00:36:09,190 So now we're going to click on. 
431 00:36:22,670 --> 00:36:30,350 They've changed a little bit in the graphics, so we're going to go ahead and do MITM, ARP poisoning. 432 00:36:36,790 --> 00:36:40,240 Notice there are different plugins you can, you can do here as well. 433 00:36:41,320 --> 00:36:43,810 You can set it to log different ways. 434 00:36:46,230 --> 00:36:47,430 Go ahead and click play. 435 00:36:49,500 --> 00:36:51,930 And it started the unified sniffing. 436 00:36:54,100 --> 00:37:00,340 And essentially we're going to add in a DNS spoofing plugin. 437 00:37:08,560 --> 00:37:09,100 Where's it at? 438 00:37:09,140 --> 00:37:10,120 dns_spoof. 439 00:37:17,370 --> 00:37:20,180 And I say, oh, it's already okay, so it's already loaded. 440 00:37:20,360 --> 00:37:21,170 So we're good there. 441 00:37:27,220 --> 00:37:29,890 So now we're going to go to Google 442 00:37:34,280 --> 00:37:35,450 on the target machine. 443 00:37:39,150 --> 00:37:44,130 Now we're going to try and browse to that website and we should be redirected to 444 00:37:45,440 --> 00:37:48,260 the Hack This Site IP address. 445 00:37:55,080 --> 00:37:58,830 Now we can see that we've got ARP poisoning running for Group 1, 446 00:37:58,830 --> 00:37:59,400 Group 2. 447 00:37:59,430 --> 00:38:05,520 So Group 2 is the default gateway, and Group 1 is our actual target. 448 00:38:08,070 --> 00:38:12,600 So what are the countermeasures we can use to protect against ARP spoofing? Well, there is a utility 449 00:38:12,990 --> 00:38:14,640 called XArp. 450 00:38:15,540 --> 00:38:21,480 There's Comodo, there's, you can do static ARP entries on servers. 451 00:38:22,050 --> 00:38:29,070 You can set your IDS to check continuously for a large amount of ARP traffic on local subnets. 452 00:38:49,430 --> 00:38:54,340 So the XArp tool, this is the anti ARP spoofing detection. 453 00:38:54,350 --> 00:38:55,280 It's free. 454 00:38:57,320 --> 00:38:59,900 You can donate, but all you have to do to get started. 
455 00:39:00,260 --> 00:39:03,530 You can run it both on Windows and Linux. 456 00:39:04,950 --> 00:39:10,500 If you want to run it on Ubuntu, which is what Kali is based on, you'll just have to make sure you 457 00:39:10,500 --> 00:39:13,500 install a couple of different 458 00:39:14,560 --> 00:39:15,370 prerequisites. 459 00:39:19,250 --> 00:39:22,700 So let's go ahead and go back over to our terminal. 460 00:39:23,690 --> 00:39:24,010 Okay. 461 00:39:27,990 --> 00:39:29,250 We're going to go sudo. 462 00:39:30,330 --> 00:39:31,590 We're going to paste. 463 00:39:34,140 --> 00:39:35,280 I had already had XArp in there. 464 00:39:35,730 --> 00:39:38,670 So we're going to install XArp and we'll be able to see. 465 00:39:44,940 --> 00:39:49,830 So again, there may not be, this may not work for Kali because some of the repositories aren't there. 466 00:39:50,160 --> 00:39:57,030 But if you want to install it on something like Ubuntu, that would be the best recommended practice. 467 00:39:57,720 --> 00:39:59,730 And again, some of these tools get out of date. 468 00:40:00,330 --> 00:40:03,690 They do have a deb package that you could install as well. 469 00:40:06,620 --> 00:40:09,800 So if you're getting a problem, you might have to 470 00:40:11,660 --> 00:40:12,560 change your 471 00:40:15,400 --> 00:40:18,110 repository information, your sources.list. 472 00:40:19,160 --> 00:40:20,420 So just be aware of that. 473 00:40:26,660 --> 00:40:28,790 So let's talk about phishing attacks. 474 00:40:29,270 --> 00:40:32,900 Phishing attacks are very prevalent attacks in 475 00:40:35,590 --> 00:40:36,490 the world, even in 476 00:40:38,760 --> 00:40:40,560 the age of lots more security. 477 00:40:40,560 --> 00:40:45,540 So phishing attacks are one of the easiest ways to get information 478 00:40:47,360 --> 00:40:48,200 from your target. 479 00:40:48,740 --> 00:40:52,940 They are often used in conjunction with attacks like social engineering. 
480 00:40:55,490 --> 00:41:01,340 There are many different types of phishing attacks, and they happen to banks, social networking sites, 481 00:41:01,730 --> 00:41:08,330 large corporations, gaming sites, all kinds of phishing attacks exist and lots of different attack 482 00:41:08,330 --> 00:41:08,870 vectors. 483 00:41:09,200 --> 00:41:10,880 You can see on the graphic here 484 00:41:12,790 --> 00:41:14,690 the different targets for phishing. 485 00:41:15,400 --> 00:41:21,850 If you go to a website like Netcraft, you can actually look at the, 486 00:41:23,920 --> 00:41:25,510 they keep track of all the 487 00:41:28,630 --> 00:41:34,330 phishiest top level domains or the current phishing attacks. 488 00:41:34,930 --> 00:41:40,540 So you can click on individual countries and see how many phishing incidents there are per the number 489 00:41:40,540 --> 00:41:41,290 of sites. 490 00:41:43,120 --> 00:41:48,670 So if you go to somewhere like Russia or maybe China, like one out of every 12 sites is phishing. 491 00:41:49,510 --> 00:41:51,760 Greenland apparently has no phishing sites. 492 00:41:52,690 --> 00:41:58,840 You can look at the, the tracking chart to see who has the most phishing incidents. 493 00:41:58,840 --> 00:42:04,230 So Haiti is one out of two sites, but they have much fewer sites. 494 00:42:04,230 --> 00:42:10,300 So if you look at someone like China, one in 12, that's a much more impressive number. 495 00:42:11,230 --> 00:42:14,140 So phishing attacks can be done via pop-ups. 496 00:42:14,560 --> 00:42:18,700 They can be done with toolbars, all kinds of different add-ons. 497 00:42:19,090 --> 00:42:24,970 There are lots of different ways, either via email or text message. We'll get into some of the different 498 00:42:25,330 --> 00:42:25,940 methods here. 499 00:42:25,960 --> 00:42:31,990 Basically, the attacker sends an email to the victim, gets the victim to click on a link on a fake 500 00:42:31,990 --> 00:42:32,500 page. 
501 00:42:32,890 --> 00:42:35,260 It redirects them to a different page. 502 00:42:36,650 --> 00:42:41,150 And now they're able to do things like steal credentials 503 00:42:44,780 --> 00:42:46,020 and many other things. 504 00:42:46,040 --> 00:42:49,670 Sometimes there might be phishing attacks on the local network. 505 00:42:55,430 --> 00:42:57,810 So what can an attacker get from these types of attacks? 506 00:42:57,810 --> 00:43:04,430 They can get admin rights, your email username, credit card information, your Social Security number, 507 00:43:04,910 --> 00:43:13,700 anything that they could use to purchase something, to gain that knowledge, or to maybe sell your identity 508 00:43:13,700 --> 00:43:17,510 on the dark web, especially your, your health care information. 509 00:43:18,860 --> 00:43:23,480 And it's easy to set up a website to be able to deploy these types of attacks. 510 00:43:24,520 --> 00:43:30,340 So the different types of phishing attacks, and they each have their own sophisticated, sophistication 511 00:43:30,340 --> 00:43:30,760 level. 512 00:43:31,360 --> 00:43:35,350 So remember that spear phishing is different than whaling. 513 00:43:35,350 --> 00:43:43,210 Spear phishing targets specific groups of users, employees, customers, whereas whaling targets high 514 00:43:43,210 --> 00:43:44,320 level executives. 515 00:43:46,780 --> 00:43:48,280 Then you have clone phishing. 516 00:43:52,320 --> 00:43:52,920 Clone phishing 517 00:43:52,920 --> 00:43:58,020 is cloning some type of information or some identity. 518 00:43:59,660 --> 00:44:04,010 And essentially this can be done with something like the Social-Engineer Toolkit. 519 00:44:04,970 --> 00:44:12,110 The common phishing could be cloning a legitimate website in order to gain credentials or setting up 520 00:44:12,110 --> 00:44:16,330 a fake website that looks very much like, say, Twitter, for example. 521 00:44:19,030 --> 00:44:19,900 And then you have 
522 00:44:25,280 --> 00:44:28,700 whaling for your high level executives, your C-level executives. 523 00:44:29,370 --> 00:44:31,580 I want to talk about each one of the different types here. 524 00:44:32,390 --> 00:44:37,730 So spear phishing targets victims who put out personal information on the Internet, 525 00:44:38,930 --> 00:44:46,160 to be able to look at things like your profile or maybe your Facebook, your MySpace in the old days. 526 00:44:46,760 --> 00:44:53,390 So the more, the more types of attacks that attackers put out, the more chance they have of success, 527 00:44:53,390 --> 00:44:56,480 as phishing, often in conjunction with spam 528 00:44:56,480 --> 00:45:01,310 email, can be very lucrative because it doesn't put a whole lot of risk on the attacker. 529 00:45:01,880 --> 00:45:08,170 So attackers will set up messages that say, you know, you have to do this 530 00:45:08,180 --> 00:45:14,030 now, as to why they need sensitive information. There's urgency, like your bank is contacting you and 531 00:45:14,030 --> 00:45:15,560 they're going to ask you for your password. 532 00:45:15,620 --> 00:45:17,210 Otherwise, you're going to lose some data. 533 00:45:17,510 --> 00:45:19,940 They concoct some kind of a story that 534 00:45:22,260 --> 00:45:25,680 makes you believe that you must do this now, otherwise there's going to be a problem. 535 00:45:26,640 --> 00:45:31,620 So victims are often asked to click on a link, open up a malicious attachment. 536 00:45:32,610 --> 00:45:35,500 This can even be done with things like mobile apps. 537 00:45:35,550 --> 00:45:39,180 Click on a link to download the app to your phone and then it takes over your phone. 538 00:45:40,320 --> 00:45:43,620 So all they need to be successful is one click or one link. 539 00:45:44,130 --> 00:45:46,260 So spear phishing versus regular phishing. 540 00:45:46,260 --> 00:45:50,310 Phishing is broad and generally automated and is less sophisticated. 
541 00:45:50,310 --> 00:45:54,870 Spear phishing means the attacker's already done their homework and they're, 542 00:45:57,580 --> 00:45:59,920 they've researched their target thoroughly. 543 00:46:02,360 --> 00:46:07,280 So let's look and see how we can create our own phishing page using Kali Linux. 544 00:46:15,420 --> 00:46:20,790 So first, we're going to open up the Social-Engineer Toolkit. 545 00:46:29,530 --> 00:46:30,700 It sits under the 546 00:46:34,040 --> 00:46:35,660 the Social Engineering menu 547 00:46:35,660 --> 00:46:36,290 in Kali. 548 00:46:37,730 --> 00:46:38,820 So you can click on it there. 549 00:46:38,840 --> 00:46:42,860 Or you can just type in setoolkit and you'll get the same. 550 00:46:44,210 --> 00:46:45,430 And you have to run it as root. 551 00:46:45,440 --> 00:46:46,010 So that's 552 00:46:49,200 --> 00:46:50,670 one of the things to keep in mind. 553 00:46:56,030 --> 00:46:57,470 And you have, the first time you run it, 554 00:46:57,830 --> 00:47:01,580 you have to agree to the terms of service and promise 555 00:47:01,580 --> 00:47:03,050 you're not going to do bad things with it. 556 00:47:03,410 --> 00:47:04,460 Code named Maverick. 557 00:47:04,880 --> 00:47:08,840 And this is their website, TrustedSec, where you can get more information on how to use it. 558 00:47:09,410 --> 00:47:14,240 Let's just say we want to perform a social engineering attack. 559 00:47:14,660 --> 00:47:19,580 And so we want a, let's look at website attack vectors. 560 00:47:22,080 --> 00:47:27,060 So we can pick different modules that are built into the Social-Engineer Toolkit. 561 00:47:31,350 --> 00:47:35,280 So I choose the type of attack, and then I choose how I want to, 562 00:47:37,280 --> 00:47:38,420 what kind of payload. 563 00:47:39,630 --> 00:47:44,640 So let's say, let's do the Java applet. 564 00:47:47,960 --> 00:47:50,930 And I'm going to look at the website templates. 
565 00:47:53,240 --> 00:47:55,520 I could clone a site as well. 566 00:47:55,910 --> 00:47:57,670 Am I using NAT or port forwarding? 567 00:47:57,680 --> 00:47:58,640 I'll say no. 568 00:47:59,790 --> 00:48:01,290 So what listener do I want? 569 00:48:02,580 --> 00:48:03,810 This is what I wanted to do. 570 00:48:03,810 --> 00:48:08,550 And then I have to decide whether I'm going to use my own self, 571 00:48:08,580 --> 00:48:10,650 self-generated applet or the built-in one. 572 00:48:12,690 --> 00:48:13,190 I'll just, 573 00:48:13,200 --> 00:48:17,340 in this case, I'll just use the one built into the Social-Engineer Toolkit. 574 00:48:24,710 --> 00:48:30,650 So depending on the template that I want, if I want to use Google or Twitter. 575 00:48:32,220 --> 00:48:39,060 So it's going to inject the Java applet attack into that cloned website and I want to pick what type 576 00:48:39,060 --> 00:48:41,070 of session I want. 577 00:48:43,860 --> 00:48:47,220 And I'll say I want the Meterpreter 578 00:48:47,220 --> 00:48:49,100 payload. We'll just go with the default. 579 00:48:50,340 --> 00:48:52,680 Pick the port that you want it to listen back on. 580 00:48:53,280 --> 00:48:55,440 And what payload do I want to deliver? 581 00:48:55,890 --> 00:48:59,200 I'll do the, just reverse TCP. 582 00:49:01,250 --> 00:49:03,140 And so I want, so. 583 00:49:03,320 --> 00:49:11,660 So I have Apache running already, so I'm going to go ahead and have it stop the Apache service within 584 00:49:11,660 --> 00:49:12,800 the SE toolkit. 585 00:49:14,090 --> 00:49:15,140 So once that's done. 586 00:49:16,650 --> 00:49:17,700 It is now launched. 587 00:49:17,700 --> 00:49:20,970 The web server site has been moved. 588 00:49:20,970 --> 00:49:22,470 The web server is now listening. 589 00:49:26,210 --> 00:49:34,580 So the attacker would set up some type of email payload to get the user to click on it. 590 00:49:39,250 --> 00:49:41,680 And then that's going to move me back into Metasploit. 
591 00:49:53,460 --> 00:49:55,770 So it already started the reverse handler. 592 00:49:57,420 --> 00:49:58,770 And now we're ready to go. 593 00:50:01,200 --> 00:50:08,280 Now all we have to do is wait for our potential victim to visit the cloned website or click on the email. 594 00:50:09,360 --> 00:50:12,450 Ultimately, there are many different ways to do phishing attacks. 595 00:50:12,780 --> 00:50:16,770 They're evolving day by day, and scams are becoming better and better. 596 00:50:16,840 --> 00:50:20,010 The sites that are set up look like legitimate banking sites. 597 00:50:20,670 --> 00:50:22,320 There are even phishing mobile apps. 598 00:50:24,510 --> 00:50:27,120 And these sites may look exactly like the real thing. 599 00:50:27,120 --> 00:50:32,760 So users have to become even more tech savvy and they have to improve their user awareness training 600 00:50:32,790 --> 00:50:38,050 to make them less susceptible to clicking on phishing emails. 601 00:50:38,070 --> 00:50:41,650 There's no real prevention method except for education, 602 00:50:42,000 --> 00:51:44,310 because phishing is so cheap and easy to do. 603 00:50:45,580 --> 00:50:46,240 You'll want to be, 604 00:50:46,240 --> 00:50:47,020 make sure that, 605 00:50:48,430 --> 00:50:53,320 whether you're shopping online, whether you're doing banking, you know, communicating information 606 00:50:53,320 --> 00:51:00,910 only via phone or via secure websites, you want to have some type of out-of-the-normal band of communication, 607 00:51:01,360 --> 00:51:06,430 where your bank, your bank will never call you and ask you for your password. 608 00:51:07,030 --> 00:51:12,250 They may send you an authentication token or something like that, but they're not ever going to call 609 00:51:12,250 --> 00:51:12,940 you out of the blue. 
610 00:51:12,940 --> 00:51:17,860 And, you know, things like the Social Security, or not Social Security, the Secret Service scam 611 00:51:17,860 --> 00:51:19,540 that says they're going to come arrest you. 612 00:51:20,400 --> 00:51:26,860 Regular people may be very tempted to fall prey to these phishing attacks. 613 00:51:27,310 --> 00:51:33,490 So, bottom line, don't click on links, download files or open attachments from unknown senders, 614 00:51:33,490 --> 00:51:39,580 even if it's from somebody that you might know, like your boss or maybe a family member. 615 00:51:40,240 --> 00:51:44,110 Never send out personal or financial information, even if you are, 616 00:51:44,920 --> 00:51:48,010 even if you're sure that there's no threat from that person. 617 00:51:48,010 --> 00:51:49,600 Just, just to be on the safe side. 618 00:51:49,900 --> 00:51:56,740 And also beware of any links or emails or any extra downloads that come even from legitimate sites 619 00:51:56,740 --> 00:51:58,180 that you've been to many times, 620 00:52:00,940 --> 00:52:03,970 to keep yourself from falling victim to these types of attacks. 621 00:52:06,040 --> 00:52:09,250 So this is a summary of the tech, the things we went over. 622 00:52:09,520 --> 00:52:11,980 We looked at the different security control types. 623 00:52:12,340 --> 00:52:17,620 We looked at technical controls using technology, firewalls, encryption. 624 00:52:17,920 --> 00:52:22,510 We looked at administrative controls, using administrative or management methods. 625 00:52:22,930 --> 00:52:26,290 We looked at physical controls, things you can physically touch. 626 00:52:27,160 --> 00:52:34,630 We looked at msfvenom, which is Metasploit Framework's payload generator, which is outside of the msf 627 00:52:34,630 --> 00:52:35,290 console. 628 00:52:36,040 --> 00:52:41,590 We looked at exploiting, different ways to do software and hardware exploits. 629 00:52:42,100 --> 00:52:43,540 We talked about phishing. 
630 00:52:43,650 --> 00:52:48,970 We talked about spear phishing, whaling and even smishing. 631 00:52:48,970 --> 00:52:55,750 And then vishing, which is doing phishing over the phone or over a voice over IP connection. 632 00:52:57,370 --> 00:53:03,820 And then we have ARP spoofing, the address resolution protocol, where we send a bunch of forged ARP requests 633 00:53:03,820 --> 00:53:07,810 and replies to overload the switch and set it back into learning mode. 634 00:53:07,840 --> 00:53:11,230 We also looked at how to man in the middle using Ettercap. 635 00:53:13,700 --> 00:53:15,590 So now let's do some practice questions. 636 00:53:16,790 --> 00:53:22,970 What are the different types of payload connections that can be generated for Windows exploits using 637 00:53:22,970 --> 00:53:23,630 Metasploit? 638 00:53:24,440 --> 00:53:28,340 Is that A, Meterpreter, shell, reverse HTTP connection? 639 00:53:29,060 --> 00:53:31,130 B, shell TCP only. 640 00:53:32,180 --> 00:53:35,580 C, Meterpreter only, or D, 641 00:53:35,600 --> 00:53:36,290 A and B. 642 00:53:41,890 --> 00:53:43,610 The answer is A, Meterpreter, 643 00:53:43,880 --> 00:53:46,460 shell and a reverse HTTP connection. 644 00:53:49,510 --> 00:53:56,110 Number two, what is the command that's used to generate Windows payloads using msfvenom? 645 00:54:06,960 --> 00:54:13,950 The answer is A, msfvenom -p for the payload, then windows/meterpreter/reverse_tcp. 646 00:54:14,310 --> 00:54:16,500 A and C are very similar, but 647 00:54:21,560 --> 00:54:23,300 there's a slight difference there. 648 00:54:23,840 --> 00:54:26,870 It's missing the meterpreter section. 649 00:54:27,500 --> 00:54:29,240 And the other two are not correct. 650 00:54:30,920 --> 00:54:36,800 You could have ruled out D because it said Windows and you wouldn't be using a Linux payload. For 651 00:54:40,160 --> 00:54:40,970 number three. 652 00:54:42,080 --> 00:54:42,380 Oops. 
653 00:54:48,570 --> 00:54:52,260 Which command prints the ARP table on the terminal or command prompt? 654 00:54:53,340 --> 00:54:54,570 Is it A, route? 655 00:54:56,640 --> 00:54:57,840 B, chmod. 656 00:55:00,880 --> 00:55:04,240 C, arp -w, or D, 657 00:55:04,240 --> 00:55:05,500 arp -a. 658 00:55:15,160 --> 00:55:16,660 The answer is D, arp -a. 659 00:55:16,740 --> 00:55:24,640 Let's take a quick moment to briefly touch on the route command, because we've not yet touched on 660 00:55:24,640 --> 00:55:24,820 it. 661 00:55:32,930 --> 00:55:33,950 Just open up a new. 662 00:55:36,140 --> 00:55:41,570 So the route command is not in Linux, but you can look at the ARP command, that does work. 663 00:55:48,430 --> 00:55:53,620 So the route command does work, but it's a little bit different between Windows and Linux. 664 00:55:53,620 --> 00:55:56,050 In Linux it's just route, and in Windows 665 00:55:56,050 --> 00:55:57,190 it's route print. 666 00:55:58,410 --> 00:56:03,810 So the route command can get you the routing table in Linux. 667 00:56:03,810 --> 00:56:06,510 You can change things, you can add routes, delete routes. 668 00:56:07,380 --> 00:56:11,680 So essentially it functions much like a routing table on an actual router. 669 00:56:12,450 --> 00:56:13,980 Now let's look over at Windows. 670 00:56:19,840 --> 00:56:25,420 If we open up a command prompt and we do a route print, that will actually give us our routing table for 671 00:56:25,420 --> 00:56:26,140 our system. 672 00:56:28,110 --> 00:56:31,950 So it gives you both IP version 4 and IP version 6, 673 00:56:33,240 --> 00:56:35,820 as well as any active routes that are there. 674 00:56:36,090 --> 00:56:40,050 If you see it as On-link, that means it was generated by the connection. 675 00:56:40,050 --> 00:56:46,020 If you see it with a lower metric, like this top one here, 676 00:56:46,350 --> 00:56:50,610 this is always going to be the preferred route unless I put in any routes myself. 
677 00:56:51,910 --> 00:56:53,890 These are what are known as persistent routes. 678 00:56:54,620 --> 00:57:00,220 There are none on IP version 6 because routing is not enabled for IP version 6 right now, but 679 00:57:00,220 --> 00:57:08,870 that's the Linux and Windows route table. Now with chmod, that is for setting permissions on files. 680 00:57:08,950 --> 00:57:11,440 So that would not have anything to do with ARP. 681 00:57:11,980 --> 00:57:15,580 And arp -w is not the correct command to print out the ARP table. 682 00:57:16,930 --> 00:57:22,630 So let's do the next question, which is the built-in Kali Linux tool that's used in capturing network 683 00:57:22,630 --> 00:57:24,070 packets on the command line. 684 00:57:24,790 --> 00:57:29,200 Now, we did look at Wireshark, but we did not look at this particular one. 685 00:57:29,200 --> 00:57:34,810 We looked at Nmap, and we know that Inline is part of Metasploit, so that is not a packet capturing 686 00:57:34,810 --> 00:57:35,230 tool. 687 00:57:35,890 --> 00:57:37,960 So the correct answer is tcpdump. 688 00:57:37,960 --> 00:57:41,650 So let's see briefly what you can do with tcpdump. 689 00:57:42,160 --> 00:57:47,830 If you don't have Wireshark and you want to be able to sniff traffic on the network, you can use 690 00:57:47,830 --> 00:57:48,150 tcpdump. 691 00:57:48,160 --> 00:57:54,550 It's generally available on about every distribution of Linux that is out there. 692 00:57:55,120 --> 00:58:02,380 So you can set it to just start capturing packets, you can set it to verbose mode, you can even tell 693 00:58:02,380 --> 00:58:04,570 it to just write to a file. 694 00:58:04,570 --> 00:58:11,050 If you don't give it any, any information, it'll just start displaying the packets on the screen, 695 00:58:11,050 --> 00:58:12,670 much like Wireshark does, 696 00:58:13,850 --> 00:58:17,900 except tcpdump just sends it out to the terminal. 
697 00:58:18,980 --> 00:58:20,240 Now, what if we want to do 698 00:58:25,080 --> 00:58:26,820 and I want to write it to a file. 699 00:58:31,080 --> 00:58:34,500 So I want to capture only what's going over the Ethernet in that traffic. 700 00:58:37,170 --> 00:58:41,730 I'm going to go ahead and close a couple of these terminal windows because we've got too many of them open 701 00:58:41,730 --> 00:58:42,030 now. 702 00:58:45,340 --> 00:58:47,980 We're going to go to the browser here. 703 00:58:49,080 --> 00:58:50,430 Open up a few tabs, 704 00:59:00,210 --> 00:59:01,950 because we want some traffic to show up. 705 00:59:06,780 --> 00:59:08,340 This is hackthissite.org. 706 00:59:08,340 --> 00:59:09,150 So this is a 707 00:59:14,520 --> 00:59:21,240 a place where you can practice your tradecraft legally, and it's free, safe and legal. 708 00:59:21,510 --> 00:59:24,760 So they give you permission right on the front of the website. 709 00:59:24,780 --> 00:59:29,820 So if you need a safe place to be able to practice these things, this is one good example. 710 00:59:30,300 --> 00:59:34,140 There are several other ones you can actually host yourself. 711 00:59:35,010 --> 00:59:41,330 OWASP has a practice website called the Juice Shop. 712 00:59:41,340 --> 00:59:48,900 You can actually download it and load it up on your Linux box and it looks just like a fully functional 713 00:59:48,900 --> 00:59:49,470 website. 714 00:59:49,500 --> 00:59:56,580 It's written in Node.js, Express and Angular, and it has a bunch of different challenges and bugs 715 00:59:56,580 --> 00:59:57,450 to be able to find. 716 59:58.380 --> 1:00:01.230 So you can actually install this and run it. 717 1:00:01.860 --> 1:00:04.980 There is another one called the Buggy Web App. 
718 1:00:06.150 --> 1:00:12.180 So again, in an effort to make you better at ethical hacking and make you not get in trouble in the process, 719 1:00:12.630 --> 1:00:20.040 they give you a lot of different resources to be able to perform these types of tests legally on your own 720 1:00:20.040 --> 1:00:21.690 network, on your own systems. 721 1:00:22.410 --> 1:00:29.400 So this one has over 100 vulnerabilities just by itself, and it has not only PHP, but also a MySQL 722 1:00:29.400 --> 1:00:33.010 database, and it can be run on Linux and Windows. 723 1:00:33.030 --> 1:00:39.630 Also, they have a virtual machine called bee-box, which comes with the Buggy Web App pre-installed. 724 1:00:39.630 --> 1:00:42.720 So if you want to run it from your local system 725 1:00:43.710 --> 1:00:45.690 as a virtual machine, you can do that. 726 1:00:46.470 --> 1:00:49.020 So we give you a lot of different places to practice these tools. 727 1:00:49.020 --> 1:00:56.040 So keep in mind that capturing traffic may have legal repercussions depending on where you are in the 728 1:00:56.040 --> 1:00:56.430 world. 729 1:00:56.970 --> 1:01:00.990 So don't just assume that all these tools are legal based on your country. 730 1:01:01.440 --> 1:01:05.340 Check the local laws in your local area with your local government. 731 1:01:06.360 --> 1:01:11.040 So let's go ahead and look at the, the text file we created. 732 1:01:11.040 --> 1:01:12.810 There's all the packets that were dumped out. 733 1:01:12.810 --> 1:01:15.480 And you can see we can save this to a file. 734 1:01:15.480 --> 1:01:21.300 We can analyze it later, we can take it to another system and analyze it. 735 1:01:21.300 --> 1:01:31.050 So, so that's tcpdump. If you have, we looked at Wireshark, we did not look at the, the command line component 736 1:01:31.050 --> 1:01:35.670 of Wireshark, which is tshark, which works very similar to 737 1:01:38.460 --> 1:01:39.360 tcpdump. 
738 1:01:40.080 --> 1:01:45.390 So of course they don't want you to run it as root, but it's going to show the traffic in much the 739 1:01:45.390 --> 1:01:46.080 same way. 740 1:01:46.530 --> 1:01:51.540 And we can see the packets are numbered and we can see the source and destination address and we can 741 1:01:51.540 --> 1:01:54.180 see what type of protocol it is. 742 1:01:54.180 --> 1:01:57.870 We can see the TCP connections going back and forth. 743 1:01:57.870 --> 1:02:05.910 So there are a lot of useful tools for doing packet capturing on Kali Linux as well. 744 1:02:05.910 --> 1:02:10.740 So tcpdump was the correct answer to the question, but I wanted to take a moment to show you that 745 1:02:10.740 --> 1:02:16.080 because it's an important tool to add to your repertoire. 746 1:02:17.310 --> 1:02:18.090 Question number five. 747 1:02:18.120 --> 1:02:20.160 What are the different types of exploits? 748 1:02:22.810 --> 1:02:23.800 Local and remote. 749 1:02:25.000 --> 1:02:26.050 Passive and active. 750 1:02:27.190 --> 1:02:28.390 Local and passive. 751 1:02:29.710 --> 1:02:31.840 Or local only. 752 1:02:39.610 --> 1:02:40.780 The answer is A. 753 1:02:42.160 --> 1:02:45.280 Local and remote are the two types of exploits. 754 1:02:47.290 --> 1:02:49.240 These are some of the acronyms we talked about. 755 1:02:53.190 --> 1:02:56.700 And so to recap, we covered the different control types. 756 1:02:57.090 --> 1:02:58.260 We covered Metasploit. 757 1:02:58.530 --> 1:03:01.680 We looked at going after Windows systems with Metasploit. 758 1:03:01.710 --> 1:03:03.540 We looked at ARP poisoning attacks. 759 1:03:04.020 --> 1:03:07.710 We looked at phishing attacks as well as some of the countermeasures. 760 1:03:08.370 --> 1:03:09.810 I hope you enjoyed this lecture. 
761 1:03:11.300 --> 1:03:16.970 You now have a better understanding of the different types of attacks you can do with Metasploit, about 762 1:03:16.970 --> 1:03:22.730 ARP traffic, about man in the middle, as well as phishing attacks, and how you can protect yourself 763 1:03:23.180 --> 1:03:24.410 from these types of threats. 764 1:03:26.230 --> 1:03:28.450 Thank you and we'll see you in the next module.