Instructor: Welcome back. Let's start with our first tool that we're going to use to perform our spoofing and man in the middle attack. Now for this type of attack, there are many tools out there that you can use to initiate this attack. Some of them are outdated, some of them are already pre-installed in Kali Linux. However, we're going to cover one of the most known tools, which is called bettercap. It is a little bit harder to use; however, we are just going to cover the basics of it. So let's open up our terminal, and since this tool is not already installed in Kali Linux, we must install it first. And my advice would be for this entire section to run all the tools as a root account. Now, you might be asking why? Well, we're going to perform a bunch of different networking things, and some of the networking things could require root privileges. So some of the tools might not run, some of the settings might not work if we run it as a regular user inside of our Kali Linux.
So let's real quick enter the root terminal, and to install our bettercap tool, we can simply type the command apt-get install, and then bettercap. Press Enter. Press Y once it asks you, do you want to continue? And now we're going to wait for the bettercap installation to finish, and then we're going to enter its framework and perform the MITM attack. Okay, it is finished. Now, there are two ways we can run this attack. We can run it as a command by specifying a file that contains all of the bettercap commands that we want to run, or we can run it inside of the framework. Now for the first try, we are going to just type bettercap to open the framework, and we're going to experiment with different commands in order to run this attack. And then after this we're going to see how we can run it just from a terminal in a one-line command.
Okay, so once you type bettercap in your terminal, it'll open the bettercap program, it will tell you which version it is, and it'll also tell us to type help for a list of the commands. So let's type help to see what options we have. And right here we are going to see a bunch of available services that we can run with bettercap. Most of these services are not going to run, as it says right here, not running. And the only one that you will see running is events.stream. Now you might totally start to notice something interesting for us, such as for example this ARP spoof. We talked about ARP spoof in the previous video, and we know that this is the base of our man in the middle attack. However, before we get to it, let's go a little bit up and check out the help manual. So these are the commands that we can use with bettercap. We can type help and then some module name in order to print out more information about that specific module. We can also use active, quit, and sleep for a certain amount of seconds.
We can set values the same way that we do inside of our MSF console. If you remember, once we set values for certain payloads, we do that using this command. So we can assume that this is something similar to the MSF console, or at least has similar options and commands. Now let's go down to these modules, and before we actually get to this arp.spoof module, let us take a look at this net.probe module. If I simply just type help and then net.probe, this will give me the help manual and the description of this module. So as it says, it'll keep probing for new hosts on the network by sending UDP packets to every possible IP on the subnet. In other words, what this module will do is it'll discover all of the online hosts inside of our local area network. So what we can do is we can turn that on to start network host probing in the background. Let's run this command as it tells us right here, copy this, paste it right here, and let's press Enter.
And we can already see that it managed to discover some of the hosts inside of my network. These are the active IP addresses, right here. The next thing that we want to do is we want to type the help menu for the arp.spoof module. So just type help arp.spoof and press Enter. And we also get the option as to how we can run this module, but down here we can see some additional options, or as it says right here, parameters for this module. We got arp.spoof.fullduplex, we got arp.spoof.internal, arp.spoof.target, and arp.spoof.whitelist. In this specific scenario, we're interested in these two, so the full duplex and the targets. The full duplex, if we read the description: if this is set to true, both the targets and the gateway will be attacked, otherwise only the target. And as it says right here, if the router has ARP spoofing protections in place, this will make the attack fail.
So in some networks and on some routers, this attack will not work, because more and more routers nowadays are starting to implement ARP spoofing protection. However, if it is not enabled, if the protection is not enabled, then we can perform this attack. So what we must do is we can type set arp.spoof.fullduplex to be equal to true, or just set it to true. Press Enter right here. And we also want to set the targets. Now you can specify the entire subnet, or the entire network, or you can do it like I'm going to do: I'm just going to select one target. And the reason why I'm selecting one target is because once you run this on the entire network, there is a lot of information going inside your terminal, and it is going really fast, so you don't even get to read it. Therefore, what I'm going to do for the purposes of this tutorial is I'm going to select the IP address of my Windows 10 machine that we're going to perform the MITM attack on.
And then I'm going to set arp.spoof.targets to be equal to that IP address, just like this. Once I do this, I want to start sniffing for the network connections, and we can do that. If I go up here, we can see that there is a module called net.sniff. If I type help net.sniff, it'll just say that this will sniff packets from the network. And the command that we use to start it is net.sniff. But before we actually start it, let's go and check out the parameters, right here. The parameter that we want to use for this attack is net.sniff.local. As it says, if this is true, it'll consider packets from/to this computer, otherwise it'll skip them. Now, once we start the ARP spoof attack, all of the packets from our target machine will go to this computer, therefore this will be able to sniff them. Let's go with this, and paste it right here. And what we want to do is we want to set this to true.
After we get all of these settings ready, we can type arp.spoof and we can set this on, and we can also type net.sniff on, press Enter, and this will start sniffing packets on our Windows 10 machine. We can also see some of the queries that our Windows machine is making, and if I go and try to visit some webpage, we can see that our target machine is querying Facebook. As we can see, the desktop machine initiated the request for www.facebook.com, and this will work for any other website. We can see the requests for twitter.com, and if they were to input a password to an unencrypted website, such as for example, let's say that they want to connect to our router, and go right here, and they type for example test and test, and click on login. If we scroll a little bit up, we should manage to find the request where they send the password, and here it is. Here's the request where they send the password: we get the username test, and the password is a hashed value.
However, we managed to get it nonetheless. It'll work for any website that sends unencrypted data, for example on this website called vulnweb.com. If I go to the first link, which is this one, and I click on login, type username admin and password test, I click on login. And for some reason it seems that it didn't manage to get it. Let's just scroll a little bit up to see whether we can find it. And here it is. Here is the packet that we sent, including the username and password. We managed to sniff it from our Windows 10 machine. Here is the username admin, and the password test. Great. This is one way that you can use bettercap. Another way that you can use bettercap is, if I exit out of this program, it will automatically start the ARP spoof, and it'll restore the cache for our targets. And the way that we can run it with the command is we can just create a file called sniff.cap, and inside of this file we can type the commands that we typed previously, which is net.probe on.
We also want to set arp.spoof.fullduplex to true in order to also spoof the target and the router. And we also want to set arp.spoof.target to the IP address of our target machine. After that, we set net.sniff.local to true, which means only leave the packets that are coming from and to this machine. And then we type arp.spoof on, and net.spoof on. These are all the commands that we must run. So all we need to do is save this in a file called sniff.cap, and then we can run the command bettercap -iface. And -iface stands for interface, where we need to specify the interface of our machine. Since on Kali Linux the only active interface that I have is eth0, once I specify that, all I need to specify is another option, which is -caplet, and then the name of the file containing our commands. And this will do everything that we just did automatically. So if I press Enter, it'll set all of the settings that we did, and it'll start sniffing for different connections.
For example, if I go right here and try to refresh Facebook, it'll sniff that request to Facebook. And this is one way that we can perform a man in the middle attack. In the next video, we're going to check out another tool that will allow us to perform this attack, that you might actually find a little bit easier to use. So thank you for watching, and I will see you in the next video.