[00:00:00] All right, welcome back. Folks, this session is about the demo, the demo of bypassing the login. With Burp Suite, we have done it the manual way. But this is about automation, where we will be using a wonderful toolbox. Let's get started with this. Let's log in to our Kali machine. Usually, as a practice, you can actually do it from your host machine, from your Windows or whatever it is. You don't need to be in a secure environment like Kali or other stuff. You don't need that. But just to make sure we have everything in one place, I'll be using Kali. OK, so it started. And now on the other side, we need the target. The target is still the same one we used before. OK, so as far as we know, we can launch the browser from here. So there we go. Let's keep the intercept off. Let's go to the target application. As a first step, what we need is a sample: let's sign in, and now we can put "test" and "test". OK, and now let's turn on the intercept. And the moment we click on the login, we should see the POST. Right.
[00:02:04] You could see this is the request. A POST request comes here. Now we are going to send it to... OK, so this is OK. We can send it to Intruder, and let's turn off the intercept. OK, now we can simply go to Intruder. We are in Intruder now, and you can see these are the positions. Initially, before you can start your exploitation, you have to specify your markers. So where exactly are our markers supposed to be? If you remember, in the manual explanation, we just need the username and password. So that's where the magic happens, right? So the tool is a bit smarter, so it can, you know, select all the stuff by itself, so we can clear all of them and select only "test". Sorry. Yeah. "test" as our marker, and another one would be the password as a marker. Earlier it had selected a couple more fields as markers. So now this is done. Let's select the attack type. So in Intruder we have got four options. Because we have two positions, we can either go for pitchfork or cluster bomb. Let's go for pitchfork, if you're OK. We can even go for a cluster bomb.
[00:03:31] It might take a bit more than that, because it would be taking all the permutations for the two, and pitchfork will be taking a one-to-one mapping. Let's select the payload. Well, in this case, we just know only very few, limited options. But still, just to show you where you can get the details when you have a GitHub repository, I'll take an example of swisskyrepo's PayloadsAllTheThings, so you can simply even type it into Google. It's pretty popular. You can type it in; the first result is PayloadsAllTheThings. You can go to the repository and from there select the attack. That's the first repository, the attacks. And in the attacks, select the SQL Injection folder. Yeah. Oh yeah. Here. And in the SQL Injection folder you have to select Intruder, because that's what we are building, and in here we have to select Bypass. OK, yeah. So it's SQL injection login bypass. This is what we are looking for. Oh, we have this too, this one. So quite many as well. So for one, we have to balance it, right, because we have two markers. So we have to first define the payload for the first marker, so we can insert values for the first one, and so we can have...
[00:05:03] This value added. We can have our own, the one we have tried earlier as well, and... Sorry, this has not been... yeah, this one works as well. This is the first option. This doesn't have "1=1", right? Let's have this. We already know this is going to work. We can even have some more random values. Let's say we try to capture some more options, so we can go for that one. But there are some UNION operators as well. So you can possibly select some more styles of making it possible. But for now, let's keep it as it is. You can have many more options. You can go to the repository as well to get more detail about it, and get to see if this really works. We can even try some of those styles as well. So maybe "or 1=1 --" (dash, dash) and "or 1=1 /*" (slash, star). These are options. We can try them out, but just to keep it simple, let's keep it as it is and let's select the second payload. And here we can have anything random, but let's say you type "test", maybe. And the second one can be "admin". Right. Enter.
[00:06:38] And once it has been selected, you can actually go ahead and start the attack. OK, everything has been selected. The positions are set, the payload has been selected for both the markers. And let's start the attack. This is the Community Edition, so it probably takes time if you have a larger payload set and multiple markers, maybe two markers in that case. OK. So you could see the payload length itself can give you a better idea. If you see the payload changes, you know, if you see all the lengths are exactly the same, but if you see a different payload somewhere, discrepancies in the length, that will give you an idea of whether this is a different response or the same response. What you see on the first ones: length 145, 145, 145, 145, 144; this comes to be the incorrect prediction, because of course it is. And even the response tells you the same. But if you see this one, this gives you the successful authentication into the system. The reason is, you get to see the login page, you get to see what you have in the responses, the content and details about the pages, different account details. So this gives you more information. That's why the length of this payload's response is higher. The length of the response is basically higher as well. Right.
[00:08:16] So this is how you can make it successful. So if you see the rest of the requests, number one and number three, these are actually similar, aren't they? But payload two is different. But if you remember, payload two, or the password, can be anything, irrespective of what password you put. It doesn't matter at all, whatever payload you have for the username. As you remember, there's a double dash, which means anything after that will be removed, as you know, as a part of the comment. All right. So that's why request number one and request number three have been successful. And this lets you access the system. That's why you get the information about the account as well. Right. So this is a successful exploitation with Burp. So I hope you got the idea that there are many more ways of getting access into the system. This might not work in many situations. This might work in some situations where there's no proper sanitization against SQL injection, or in the way the request goes into the system and comes out. In those situations which are vulnerable to SQL injection, that's where this attack is pretty popular. All right. So I hope you got the idea. We'll see you in the next one.
[00:09:48] Thank you.