WEBVTT

00:01.750 --> 00:02.270
Hello everyone.

00:02.270 --> 00:03.240
Welcome to the show.

00:03.250 --> 00:07.080
Or an interesting live hacking demo in this case.

00:07.080 --> 00:11.280
I'm just going to show you my setup, so this is quite unusual for me to record like this with a camera,

00:11.540 --> 00:15.810
but just to prove that this is sort of like live and I'm not editing or faking any of it.

00:15.900 --> 00:19.860
I've got a Kali machine here which is running on a virtual machine; the host machine is down here,

00:19.860 --> 00:21.100
which runs Windows 10.

00:21.240 --> 00:24.050
And I've also got a wireless USB adapter connected.

00:24.350 --> 00:29.010
I'll explain why later on. On the right hand screen here I've got OBS, which we'll use.

00:29.010 --> 00:30.530
I'm not going to be recording the video,

00:30.630 --> 00:32.750
the whole video anyway, like this.

00:33.360 --> 00:38.690
And on the left here we have a laptop without an internet connection, and this person is trying to browse

00:38.690 --> 00:38.940
Reddit.

00:39.150 --> 00:40.770
So let's add some context.

00:40.770 --> 00:45.980
Well first let me say that this video is for ethical and educational purposes only.

00:46.020 --> 00:49.300
I'm not responsible for any damages you cause with the information in this video.

00:49.320 --> 00:55.740
This video is very brief so I don't go into great detail; if you want to know more then please visit

00:55.740 --> 01:00.250
my playlist on my YouTube channel called LAN Ethical Hacking, where I go into greater detail.

01:01.140 --> 01:07.110
So this person, let's call her Karen, in Starbucks is trying to connect to the Wi-Fi, so we go and

01:07.110 --> 01:10.430
sit down with our laptop and plug in our wireless USB adapter.

01:10.470 --> 01:16.570
Now we've generated a fake, or we create in this case a fake access point. So down here I've got a bash script

01:16.590 --> 01:19.920
which will create our fake access point using MANA toolkit.

01:19.930 --> 01:26.270
This bash script will start the fake access point, and in the config file or configuration file

01:26.280 --> 01:30.030
I've called it Free Wi-Fi, so people are going to see this in public.

01:30.030 --> 01:32.010
Now this could work for people who are close to you.

01:32.010 --> 01:33.150
It could work in your house.

01:33.150 --> 01:34.430
It could work for a neighbor.

01:34.530 --> 01:39.810
People who are in the general vicinity of where you are, or where your wireless card is aimed.

01:39.810 --> 01:42.920
This could be called the SSID,

01:42.990 --> 01:44.440
Free Wi-Fi.

01:44.470 --> 01:47.330
The SSID is just the name of the router.

01:47.430 --> 01:52.390
So here it's created and we're starting to get directed probe requests.

01:52.500 --> 01:57.000
Now the reason I called it Free Wi-Fi makes sense, because in public people want free Wi-Fi.

01:57.000 --> 01:59.020
And in a way they are getting free Wi-Fi.

02:00.360 --> 02:04.410
So now if we go to our target machine, on this computer, it's going to be the one that we're going to

02:04.410 --> 02:05.970
hack into.

02:06.030 --> 02:09.360
So we open the Wi-Fi and as you can see now there's one called Free Wi-Fi.

02:09.360 --> 02:15.420
So this person, Karen in this case, thinks oh, free Wi-Fi, clicks connect, so it's connecting to this

02:15.420 --> 02:16.140
free Wi-Fi.

02:16.710 --> 02:20.570
And as you can see now, we know that someone's tried to connect to it.

02:20.670 --> 02:23.880
So we've got an authentication from this MAC address here.

02:23.880 --> 02:31.190
So we've got the MAC address of a device, and that MAC address corresponds to our laptop, so that's

02:31.190 --> 02:32.410
basically the set up.

02:32.410 --> 02:36.380
So I'm going to jump on the Kali machine and get everything else settled now, so I'll see you back

02:36.380 --> 02:36.860
on that.

02:37.190 --> 02:41.870
So now that we're on the Kali Linux machine, we've still got our terminal running with our fake access

02:41.870 --> 02:49.040
point. The fake access point basically logs, or creates a method of listening in to the packets, because

02:49.040 --> 02:51.200
now we're sort of like man in the middle.

02:51.230 --> 02:54.490
So every request they send, we see it first.

02:54.500 --> 02:57.970
Then it goes to our router and then back to them.

02:57.980 --> 03:03.260
So it's very useful because, with the same ways and methods of attack that we can do, we can inject things,

03:03.260 --> 03:10.280
which we're going to do in this video, but the downside is that we are offering them free Wi-Fi.

03:10.640 --> 03:17.930
And if we have loads of different connections in public then that could take a toll on performance.

03:18.190 --> 03:19.010
You could.

03:19.090 --> 03:24.070
But then again, the benefit of this is we get all this information.

03:25.240 --> 03:28.380
So the next thing to do is I'm going to open a new terminal.

03:28.420 --> 03:34.790
I'm going to use Terminator for the app and I'm going to start an ARP spoof.

03:34.790 --> 03:40.510
But the first thing we need is BeEF, so BeEF will give us a malicious JS file. This BeEF hook,

03:40.540 --> 03:48.790
once injected into a website, will allow us to basically execute basic commands on this computer, such

03:48.790 --> 03:56.360
as alert boxes and fake updates, and we can steal credentials and take screenshots. So we'll open BeEF

03:56.360 --> 03:56.660
here.

03:56.900 --> 04:03.900
So when I log into BeEF, just beef and beef for the username and password, we've got BeEF open now.

04:03.950 --> 04:07.460
And like I said at the start of this video, if you don't know everything or what I'm doing here, go and

04:07.460 --> 04:14.030
watch my LAN Ethical Hacking course that goes into much more detail. So I've got BeEF open, so I can just, I can

04:14.090 --> 04:21.060
minimize that, I don't really need it open, and we can start an ARP spoof.

04:21.260 --> 04:24.050
So I'm going to use MITMf ARP spoof.

04:24.050 --> 04:26.560
I'm going to use wlan0, which is my wireless card.

04:26.570 --> 04:30.830
Then we've got the target IP address and the gateway, which is the router's IP, then we've got a malicious

04:30.830 --> 04:31.650
JS,

04:32.000 --> 04:36.920
hook.js file, which is shown in the other terminal window I just minimized.

04:37.250 --> 04:44.540
So I'll show you again, if we open up this one you can see here that it's hook.js, and that's what

04:44.540 --> 04:49.200
we want to inject into their browser. And I didn't mean to close that before then.

04:49.550 --> 04:54.780
So we'll just have to reopen it, so give it a second while it just closes, and reopen BeEF.

04:55.100 --> 05:00.840
So when you close the terminal, you've got to remember to keep the terminal open while you keep BeEF

05:00.850 --> 05:01.180
open.

05:02.500 --> 05:06.460
So we'll wait for BeEF to open, and while that's doing it we can open a new terminal.

05:06.460 --> 05:10.870
I'll open a new window and we'll split this horizontally, because now we want to generate our payload.

05:11.440 --> 05:13.930
BeEF's about to open.

05:13.930 --> 05:14.480
There we go.

05:14.480 --> 05:18.970
It logs us in straight away anyway. Split it horizontally, and I'm going to use Hercules to generate

05:18.970 --> 05:19.730
a payload.

05:19.800 --> 05:26.590
So generate payload, and we'll use reverse_http which is number two. The LHOST is the IP address

05:26.590 --> 05:28.360
of my server.

05:28.360 --> 05:34.330
Now Kali Linux comes installed with a local server, an Apache2 server; that's 192.

05:34.330 --> 05:37.280
Now this wouldn't be the same for you.

05:37.680 --> 05:40.810
The port we'll use is 8080; you can use any common ports.

05:40.810 --> 05:46.740
The most common ones, or the ones that are less suspicious, are like 80, 81, 88,

05:46.750 --> 05:49.000
4444, et cetera.

05:49.360 --> 05:52.570
So we don't want to add any of that, and we'll call this payload 'update'.

05:52.570 --> 05:57.200
So it's more believable; you'll see why I've called it update and why it's quite clever.

05:57.520 --> 05:59.250
So we're done.

05:59.270 --> 06:00.220
So there we go.

06:00.370 --> 06:02.410
There, just to make sure everything's correct.

06:02.410 --> 06:05.620
We can have a look at these settings once we start listening for it.

06:06.430 --> 06:08.850
Let's make this terminal window a little bit larger.

06:09.010 --> 06:09.990
There we go.

06:10.450 --> 06:13.300
And if we go to our directory we will have update.exe.

06:13.330 --> 06:13.690
Yes.

06:13.720 --> 06:20.860
So I'm going to copy this now and upload it to the server directory which is right here.

06:21.130 --> 06:25.570
I'm going to paste it, so we've got a direct download link now for our payload.

06:25.570 --> 06:31.930
The main objective is to get the payload executed on the computer. So I've got BeEF open here, we can start

06:31.930 --> 06:34.280
an ARP poisoning attack.

06:34.360 --> 06:41.450
So what we'll do is I'll open a new terminal and we'll use our ARP poisoning.

06:41.500 --> 06:46.880
Click enter, so that'll just start the man in the middle attack.

06:46.950 --> 06:51.000
So while it's loading we'll wait for it. In fact,

06:51.000 --> 06:53.010
there we go, because it doesn't take too long.

06:53.010 --> 06:58.140
So the servers are online and now it's waiting for a request to a website.

06:58.170 --> 07:00.560
It's going to try and inject the hook.js.

07:00.840 --> 07:04.080
So we go to our target computer, and we offer an internet connection.

07:05.140 --> 07:12.300
If we go to, let's say, this Karen is sick of Reddit and decides to go to bbc.co.uk, and clicks enter.

07:12.720 --> 07:15.350
You can see it takes a little while longer to load.

07:15.510 --> 07:21.510
But now if you go back to our Kali machine, we've got the bbc.co.uk request and it starts to inject.

07:21.510 --> 07:28.040
So we go to our BeEF hook and wait a few seconds. As you can see it's still loading and still trying to

07:28.040 --> 07:29.030
inject.

07:29.030 --> 07:29.660
There we go.

07:29.660 --> 07:30.890
We've got an online browser.

07:31.610 --> 07:36.370
So now we can execute a few commands, so let's look at some of the commands we can execute.

07:36.530 --> 07:42.980
There's an alert box, so we type 'alert', we can create the alert dialog, and the dialog can say anything

07:43.010 --> 07:44.790
we wish.

07:44.840 --> 07:47.610
So let's say we want to say hi.

07:48.200 --> 07:51.790
It's very simple, just a simple 'hi', then down here.

07:51.890 --> 07:55.180
If you look right down here, there's a little box that says executed.

07:55.200 --> 07:55.760
It.

07:56.000 --> 08:01.730
We can look on our target machine and there's a little message that says hi from the website, and actually

08:01.730 --> 08:02.680
notice the website.

08:02.680 --> 08:08.540
The URL was a little bit different, and that's MITMf, I think it's MITMf or something like that.

08:08.570 --> 08:11.420
It's a spoof to get round HTTPS.

08:11.420 --> 08:12.690
So we get messages.

08:12.740 --> 08:14.260
So that's a simple alert box.

08:15.320 --> 08:22.250
So now what we can do is we can add a fake notification bar to make them download our payload.

08:22.400 --> 08:28.050
And that was the reason I called it update, because if we type in 'fake', sorry, if it's spelled properly,

08:28.150 --> 08:37.250
there we go, we can get a fake notification bar. So our fake notification bar, if we get that back up, and

08:37.490 --> 08:43.340
we'll use the Chrome fake notification bar. Here we can add the IP address for the server.

08:43.340 --> 08:47.770
So 192, sorry, 192.168.

08:47.770 --> 08:50.110
Make sure to do it in the correct format.

08:50.210 --> 08:53.510
Now as you can see the browser has just gone offline for a second.

08:53.540 --> 08:58.970
But if you don't do anything on the target computer and you just leave it, then BeEF does lose connection

08:58.970 --> 08:59.410
a little bit.

08:59.420 --> 09:05.470
So we just need to refresh the page, or just wait a few more seconds.

09:05.480 --> 09:08.360
There we go, it's going to just re-hook the browser.

09:08.390 --> 09:08.990
There we go.

09:08.990 --> 09:17.270
As you can see it's come back online. So for this fake notification bar we'll

09:17.280 --> 09:18.600
add the URL too.

09:18.680 --> 09:26.650
So the URL, 1 9 2 1 6 8 dot 1 10 1 2 8, and the direct download link for update.exe.

09:26.960 --> 09:32.020
So it downloads update straight away, so we'll add a custom message.

09:32.640 --> 09:44.810
Plus 'Critical update required'. There we go, and click execute, so click execute.

09:44.970 --> 09:46.300
As you can see there's a command now.

09:46.500 --> 09:51.750
And if we go back to our target machine, as you can see up here it says critical update required. If we

09:51.750 --> 09:59.950
click on install missing plugins, we'll wait for it to download, wait a few seconds for that to

09:59.950 --> 10:07.390
download, and while we're waiting we'll go back to our Kali machine and actually listen for a connection.

10:07.580 --> 10:11.700
So to listen for a connection we can type msfconsole.

10:11.780 --> 10:15.220
This will start the Metasploit framework.

10:15.500 --> 10:20.090
We need to wait for this before we actually run the payload, because we need to be listening for a connection

10:20.150 --> 10:23.020
as they run and execute our payload.

10:23.060 --> 10:28.010
So just wait a few seconds for the Metasploit framework console to run. We can monitor the other

10:28.010 --> 10:32.690
terminals to see if our servers are OK which they are.

10:32.690 --> 10:38.680
Now Metasploit has started, so we can use exploit/multi/handler.

10:39.200 --> 10:44.900
Then we'll set the payload to the corresponding one that we used for update.exe, which was

10:45.520 --> 10:51.570
windows/meterpreter/reverse_http.

10:51.830 --> 11:00.500
So we set the payload, then we'll set the LHOST to the server's, and then we'll set the LPORT to

11:00.490 --> 11:01.800
8080.

11:01.910 --> 11:04.420
Then we type exploit; we'll listen for a connection,

11:07.110 --> 11:09.450
sorry, I typed that wrong, so we'll start that again.

11:09.480 --> 11:10.710
We need to set the LHOST.

11:10.710 --> 11:17.440
I made a mistake when typing the LHOST: I put 1 6 8 1 10, not 1 2 8.

11:17.610 --> 11:18.380
Yeah that's fine.

11:18.390 --> 11:22.430
So LHOST 1 6 8 9 0 1 2 8.

11:22.680 --> 11:28.020
Then we'll show options to make sure everything's set correctly. There we go, we'll listen on the correct

11:28.500 --> 11:33.360
IP address now, on the correct port, so we can type exploit again, listen for a connection. There we go, it says

11:33.360 --> 11:41.510
reverse handler started. So now that our reverse handler has actually started, we go to our target machine,

11:41.580 --> 11:45.210
and as you can see the download has started and completed and we've got update.

11:45.230 --> 11:48.380
Now it says 1 in brackets because there's already an application called update.

11:48.410 --> 11:52.460
But if you just click on it, so we can actually prove that we're running update.

11:52.520 --> 11:55.160
Now if you noticed there's a message here.

11:55.160 --> 11:56.890
This is not an antivirus message.

11:56.890 --> 11:59.210
This is just a Windows Defender SmartScreen.

11:59.210 --> 12:01.560
This is for applications with unknown,

12:01.820 --> 12:02.630
I believe, publishers.

12:02.630 --> 12:03.450
There we go.

12:03.530 --> 12:08.570
So we'll run it anyway, because most common applications that you download will get that message.

12:08.570 --> 12:12.530
So we click on it. Have you noticed, no antivirus messages have shown up.

12:12.530 --> 12:15.760
We get 'an unknown publisher would like to make changes'.

12:15.920 --> 12:18.510
So this person, Karen in this case, clicks

12:18.530 --> 12:19.170
Yes.

12:19.250 --> 12:19.780
So we click.

12:19.790 --> 12:20.770
Yes.

12:20.840 --> 12:23.330
Then we go back to our Kali machine.

12:23.330 --> 12:27.480
And as you can see we've got a Meterpreter session.

12:27.730 --> 12:30.580
So now we can do pretty much anything we want to the computer.

12:31.840 --> 12:36.900
So now that we've got a Meterpreter session, let's type some commands.

12:36.910 --> 12:43.380
So sysinfo will get some system information, so we know the computer's name is Karen.

12:43.390 --> 12:46.550
We've got an operating system, Windows 10.

12:46.660 --> 12:51.030
We know its architecture and that's a mouthful.

12:51.510 --> 12:53.600
Just about said that right there we go anyway.

12:53.610 --> 12:54.790
It's a 64 bit.

12:54.960 --> 13:00.220
So we've got a system in here. It's not really fun, that's just basic stuff.

13:00.300 --> 13:07.320
Let's start something interesting, so we'll start keyscan_start and then we'll type.

13:07.560 --> 13:13.080
Well actually, we'll wait and we'll go over to the target machine, and what we'll do is we'll type

13:13.080 --> 13:17.230
some information in, so we'll type anything in the search bar on bbc.com.

13:17.260 --> 13:20.880
Okay so we'll just type something in.

13:20.880 --> 13:27.840
And now if we wait a few seconds and then type keyscan_dump instead of keyscan_start, then we capture the keystrokes,

13:27.840 --> 13:31.710
and as you can see, DG or DTV or whatever.

13:31.860 --> 13:32.270
There we go.

13:32.270 --> 13:35.220
We've just done some key scans and this is like a keylogger.

13:35.220 --> 13:39.420
So imagine if they logged into Facebook with their e-mail and password, you would see that. Then we

13:39.420 --> 13:42.340
just need to stop it so we don't get too many.

13:42.520 --> 13:45.460
So we can stop.

13:45.780 --> 13:47.390
What else can we do.

13:47.400 --> 13:48.580
Let's take a screenshot.

13:48.600 --> 13:54.080
So we'll take a screenshot of the desktop, so it'll save a screenshot.

13:54.090 --> 13:55.860
And as you can see there is the name of the screenshot.

13:55.860 --> 13:57.420
So if we go to our root directory

14:01.800 --> 14:07.130
so we're in our root directory and it's called Z A V M beauty.

14:07.170 --> 14:12.040
So we click on this, and as you can see we've got a full screenshot of the desktop.

14:12.070 --> 14:16.640
So they're on Reddit, they're on this dodgy bbc.co.uk website.

14:16.660 --> 14:21.730
This doesn't affect the BBC website, by the way, or other people using it, just the laptop connected, because

14:21.730 --> 14:25.040
we specifically told it to target the IP.

14:25.060 --> 14:27.160
So now we can do pretty much anything.

14:27.190 --> 14:29.790
Let's look for some secret files.

14:29.830 --> 14:34.740
So like I said, this was a dummy account created, so let's cd into Users.

14:35.110 --> 14:42.200
In fact we'll type pwd, and we'll notice that we're in Users\Karen\Downloads.

14:42.280 --> 14:49.110
So now we know the user's Karen, so we can just type cd /Users/Karen.

14:50.800 --> 14:53.830
Now we're in the Users\Karen directory.

14:53.830 --> 14:57.760
Now we can type cd Desktop to get to the desktop and see what kind of files she has on the desktop.

14:57.770 --> 14:59.680
Now I spelt that wrong, so that's going to give me an error.

15:00.400 --> 15:01.480
So it's Desktop.

15:01.510 --> 15:03.220
There we go.

15:03.550 --> 15:06.550
And we type ls to see what's on the desktop.

15:06.550 --> 15:12.540
So there we go, there's a few files, but look, there's passwords.txt, so if you type cat passwords

15:12.760 --> 15:19.200
.txt, click enter, it will dump them.

15:19.210 --> 15:19.840
So there we go.

15:19.840 --> 15:22.360
Password 1 2 3, my password, Facebook password,

15:22.360 --> 15:23.150
Mr. Robot.

15:23.530 --> 15:27.550
So we got their passwords. Now obviously most people wouldn't store their passwords in a text document,

15:27.790 --> 15:30.870
but some do, believe me, I've seen it.

15:31.480 --> 15:38.980
So the last thing is we'll take a snapshot of the webcam. Or first let me put something on my head so

15:39.040 --> 15:47.230
I can't be seen. So I've got something on my head now, might sound a little bit strange, but what I'm going

15:47.230 --> 15:54.340
to do is I'm going to start a, I've got, you'll see, and it's quite funny in a second, but first type help,

15:55.750 --> 16:01.990
click enter and we can see a few commands, so I'll show you a few: we can record the mic and we can take

16:01.990 --> 16:03.600
a webcam snap.

16:03.640 --> 16:04.700
So that's what I'm going to do.

16:04.750 --> 16:11.790
So I'm going to take webcam_snap, that first, before I put the mask on, webcam_snap.

16:12.550 --> 16:35.000
I'll put the mask on and click enter and then show you the screenshot.

16:35.100 --> 16:35.820
So there we go.

16:35.850 --> 16:37.780
We got a screenshot of the camera.

16:38.080 --> 16:44.840
There's my setup and yes, that's the horse mask, but you get the idea, we took a screenshot of the webcam.

16:44.880 --> 16:48.480
That's quite scary to be honest because it could be doing absolutely anything.

16:48.960 --> 16:55.170
But in this case Karen is a male, and for some reason I'm wearing a horse mask, but there we go.

16:55.170 --> 16:58.710
So that was just a short hacking demonstration.

16:59.070 --> 17:04.800
If this video was interesting then please leave a like, comment if you want to know anything else, subscribe

17:04.800 --> 17:08.160
for future content and I will see you in the next video.
