1
00:00:00,420 --> 00:00:01,120
Welcome back.

2
00:00:01,530 --> 00:00:07,650
Let's cover another tool that we can use for a man in the middle attack, and this tool is named similarly

3
00:00:07,650 --> 00:00:09,570
to the previous tool from the last video.

4
00:00:09,810 --> 00:00:14,040
This tool is called ettercap, just without the B.

5
00:00:14,610 --> 00:00:19,890
Now, unlike the previous tool, we already have this preinstalled inside the Linux machine.

6
00:00:20,130 --> 00:00:22,850
And this is a graphical interface tool.

7
00:00:23,310 --> 00:00:26,100
So it might be a little bit easier for us to run it.

8
00:00:26,100 --> 00:00:27,370
And let's give it a try.

9
00:00:27,660 --> 00:00:30,480
What we must do first is we must open the terminal.

10
00:00:30,780 --> 00:00:36,300
And as I already mentioned in the previous video, let's run all of this with the root account.

11
00:00:37,660 --> 00:00:44,200
Now, before we actually start running this tool, I want to talk about another thing which is called

12
00:00:44,320 --> 00:00:46,050
manual packet forwarding.

13
00:00:46,690 --> 00:00:51,130
So sometimes some of the tools will not perform the packet forwarding for you.

14
00:00:51,430 --> 00:00:56,560
And if you don't do it yourself, sometimes even after performing the ARP spoofing and the man in the

15
00:00:56,560 --> 00:01:02,320
middle attack, your targets will not be able to visit pages because you didn't allow packet forwarding.

16
00:01:02,770 --> 00:01:06,090
To always make sure that your packet forwarding is allowed,

17
00:01:06,400 --> 00:01:11,290
you can cat out the file at location /proc/sys

18
00:01:12,260 --> 00:01:22,370
/net/ipv4/ip_forward. Once you cat this file, you will either

19
00:01:22,370 --> 00:01:26,860
have a value of zero or one right here. If you have a value of zero,

20
00:01:26,930 --> 00:01:29,960
that means the packet forwarding is not enabled.
21
00:01:30,140 --> 00:01:33,650
And in that case, you must enable it first.

22
00:01:34,100 --> 00:01:41,370
To do that, you can type echo 1 and you echo it into this location.

23
00:01:41,390 --> 00:01:49,250
So /proc/sys/net/ipv4/ip_forward, and then you double check to see whether the value of

24
00:01:49,250 --> 00:01:51,110
one has been added to this file.

25
00:01:51,350 --> 00:01:52,940
And it indeed has.

26
00:01:53,270 --> 00:01:56,030
Now the packets are allowed to be forwarded.

27
00:01:56,810 --> 00:01:59,580
Once you do that, then you can start your tools.

28
00:02:00,050 --> 00:02:04,640
So to start the ettercap tool, all we need to do is to type Ettercap.

29
00:02:06,780 --> 00:02:07,260
That's.

30
00:02:09,890 --> 00:02:12,960
It says Ettercap not found, let's give it a try.

31
00:02:12,980 --> 00:02:15,230
Maybe it is not installed by default.

32
00:02:17,000 --> 00:02:17,930
Let me see.

33
00:02:18,910 --> 00:02:25,720
Hmmm, unable to load Ettercap, maybe it is lowercase, so if I type it like this.

34
00:02:26,020 --> 00:02:27,570
OK, so now it works.

35
00:02:27,580 --> 00:02:33,730
Just make sure that you specify it with lowercase at the beginning, then you type ettercap and then

36
00:02:33,730 --> 00:02:36,880
dash capital G for graphical interface.

37
00:02:37,450 --> 00:02:43,180
Once you do that, it will open this new window, which is the new version of ettercap that is a little

38
00:02:43,180 --> 00:02:46,350
bit different than in the previous Kali Linux versions.

39
00:02:46,870 --> 00:02:53,080
You can enlarge the window and the first thing that we must do right here is to set up the interface

40
00:02:53,080 --> 00:02:56,350
and sniffing at startup, so you can turn this on.

41
00:02:56,500 --> 00:02:59,860
You can select your primary interface. In case you're on Kali Linux,

42
00:02:59,860 --> 00:03:03,820
it will usually be eth0 unless you're running over wireless.
43
00:03:03,850 --> 00:03:05,620
Then you want to choose a different interface.

44
00:03:05,620 --> 00:03:10,210
And once you do all of that, you can click on this check button right here,

45
00:03:11,230 --> 00:03:18,340
which says accept, and it will tell you down here "started unified sniffing". Now, what I usually like

46
00:03:18,340 --> 00:03:23,830
to do is enlarge this lower window a little bit more to see everything better.

47
00:03:23,830 --> 00:03:27,910
And then we can experiment with different ettercap options.

48
00:03:28,570 --> 00:03:34,750
The first thing that we must do when performing this attack is to discover all of the hosts on the network.

49
00:03:35,530 --> 00:03:38,980
To do that, you can click on this button right here.

50
00:03:39,820 --> 00:03:43,180
It will even tell you that this button is used to scan for hosts.

51
00:03:43,180 --> 00:03:48,850
And once you click on this, it will automatically scan all two hundred and fifty five hosts on my

52
00:03:48,850 --> 00:03:53,950
network and it will tell me four hosts added to the host list.

53
00:03:54,670 --> 00:03:57,280
But right here we cannot really see the hosts.

54
00:03:57,280 --> 00:04:00,320
So how can we see which hosts are discovered?

55
00:04:00,700 --> 00:04:06,550
Well, we can go onto this button right here, click on it and it will tell us the IP addresses of the

56
00:04:06,550 --> 00:04:10,720
hosts and their MAC addresses down here.

57
00:04:10,930 --> 00:04:17,290
Also, these buttons will allow us to add hosts to target one or add to target two.

58
00:04:17,980 --> 00:04:23,680
And as in the previous video, we're going to perform this attack on our Windows 10 target machine,

59
00:04:23,680 --> 00:04:27,160
or in my case, I'm going to perform it on my Windows 10 target machine.

60
00:04:27,400 --> 00:04:29,500
You can choose whatever machine that you want.
61
00:04:30,340 --> 00:04:34,930
Since the IP address of my Windows machine is 192.168.1.7,

62
00:04:34,930 --> 00:04:38,280
I'm going to right click on this and add to target one.

63
00:04:38,470 --> 00:04:44,950
To check out whether I successfully added it, I can take a look down here and it does say host and

64
00:04:44,950 --> 00:04:47,050
then this IP address added to target one.

65
00:04:47,290 --> 00:04:54,670
But I can also go to these three dots, click on targets and click on current targets and it will tell

66
00:04:54,670 --> 00:04:57,910
me that I have the current target of 192.168.

67
00:04:57,910 --> 00:04:58,780
1.7.

68
00:05:00,010 --> 00:05:07,060
Once I select my targets, I can start ARP poisoning and to do that, I click on this right here,

69
00:05:07,090 --> 00:05:12,910
which says MITM menu, and we've got different types of poisoning, but we're interested in this

70
00:05:12,910 --> 00:05:13,860
ARP poisoning.

71
00:05:14,020 --> 00:05:18,970
Click on that and click on OK to start sniffing remote connections.

72
00:05:20,840 --> 00:05:26,540
It will tell us down here ARP poisoning victims: group one, which is the only target that we specified,

73
00:05:26,540 --> 00:05:32,210
with its MAC address, and group two will be all of the hosts in the list, but we don't have

74
00:05:32,210 --> 00:05:32,510
any.

75
00:05:32,520 --> 00:05:35,540
So currently we're attacking just the Windows 10 machine.

76
00:05:36,790 --> 00:05:42,580
There is one thing about this tool: it will not print nearly as much information as the previous bettercap

77
00:05:42,580 --> 00:05:43,330
tool.

78
00:05:43,630 --> 00:05:50,200
However, once our target visits a page that sends unencrypted usernames and passwords, it will print

79
00:05:50,200 --> 00:05:51,400
that right here.
80
00:05:51,400 --> 00:05:58,060
And we can take a look at that by going to our router, as in the previous video, and typing in, for

81
00:05:58,060 --> 00:06:01,840
example, admin and then password. If I click on login,

82
00:06:03,480 --> 00:06:09,330
down here we will manage to sniff that. As we can see, the HTTP, it will tell us from where the

83
00:06:09,330 --> 00:06:10,320
connection came from.

84
00:06:10,530 --> 00:06:13,950
The username is admin and the password is this.

85
00:06:14,070 --> 00:06:19,470
Now, this is once again the hash value of the password, because that is how it is implemented inside

86
00:06:19,470 --> 00:06:20,280
of our router.

87
00:06:20,520 --> 00:06:25,710
If it was some page that was sending the passwords in plain text, we would be able to see it right

88
00:06:25,710 --> 00:06:27,810
here in plain text.

89
00:06:28,680 --> 00:06:33,540
OK, so now that we did the same thing from the previous video, I also want to show you a cool trick

90
00:06:33,570 --> 00:06:38,180
that you can check out to see if the target machine is being spoofed.

91
00:06:38,520 --> 00:06:43,940
So let's say that we are on our target machine and this is the machine that is currently being attacked.

92
00:06:44,430 --> 00:06:47,890
How can we check out whether our connection is being sniffed?

93
00:06:48,510 --> 00:06:50,550
Well, we can open the command prompt.

94
00:06:51,930 --> 00:06:55,320
And we can type the command arp -a.

95
00:06:57,020 --> 00:07:04,340
And this will give us our ARP cache, or in other words, this will give us the IP addresses of the machines

96
00:07:04,340 --> 00:07:07,900
in the local area network and their corresponding MAC addresses.

97
00:07:08,660 --> 00:07:15,440
And if we take a look right here, we can see that all of these IP addresses right here appear to

98
00:07:15,440 --> 00:07:17,540
have the same MAC address.

99
00:07:18,050 --> 00:07:20,560
And that is not a good sign.
100
00:07:21,140 --> 00:07:27,170
Once you see something like this, or if you even see two different IP addresses having the same MAC address,

101
00:07:27,440 --> 00:07:29,050
that is also not a good sign.

102
00:07:29,060 --> 00:07:34,040
And that would most likely mean that a man in the middle attack is being performed, especially if you

103
00:07:34,040 --> 00:07:40,540
have an IP address of a router having the same address as a different machine on the network.

104
00:07:41,240 --> 00:07:46,010
And this is how you can check this out, for example, if I stop this.

105
00:07:47,490 --> 00:07:53,640
Let's go right here and quit this program, stopping the MITM attack.

106
00:07:55,300 --> 00:07:57,130
And closing this.

107
00:07:59,580 --> 00:08:06,410
And if I go and run the same command now, you can see different IP addresses have different MAC addresses,

108
00:08:06,420 --> 00:08:09,380
and this is how it should be because the MAC addresses are unique.

109
00:08:09,600 --> 00:08:15,870
So one IP address should have one different MAC address and not like this, where we had all of the

110
00:08:15,870 --> 00:08:18,150
IP addresses having the same MAC address.

111
00:08:18,930 --> 00:08:24,330
Now, in the next video, we're going to take a look at how we can perform this manually using Python

112
00:08:24,330 --> 00:08:24,610
3.

113
00:08:25,020 --> 00:08:26,870
We're not going to be sniffing for data.

114
00:08:27,030 --> 00:08:33,840
We're just going to see how we can change the MAC address of the router from our Linux machine to appear

115
00:08:33,870 --> 00:08:37,860
as the same MAC address from the Linux machine to our Windows 10 machine.

116
00:08:38,160 --> 00:08:43,470
Or in other words, if you didn't understand, we're going to spoof the Windows 10 machine with one

117
00:08:43,470 --> 00:08:46,290
packet just to change its ARP tables.

118
00:08:46,290 --> 00:08:48,920
And we're going to do that using Python 3.
119
00:08:49,620 --> 00:08:51,740
So that would be about it for the tool.

120
00:08:51,750 --> 00:08:54,800
You can experiment with other options as well if you want to.

121
00:08:55,050 --> 00:08:57,440
And I will see you in the next video.