Hello everybody and welcome back. In this tutorial we will cover brute forcing of the username and password. Now this is very common, since this will work on any website that basically has a username and password input. So in order to do that, let us first open up our OWASP machine. Make sure it is turned on. Make sure that your Burp Suite is turned on, and make sure that your Burp Suite is used as the proxy in Firefox.

Once you turn all of that on, just go to the IP address of your virtual machine, and where we want to go right now is OWASP Bricks. So click on OWASP Bricks and right here you will see this page, and where we want to go is here: Bricks and then login pages. It will lead you to basically these six different login pages. We want to click on login page three, and you will see it will prompt us with the username and password, which is probably very familiar to you, since we see these kinds of user IDs on every website. So basically Facebook, Twitter, all of them use this kind of form input.

In order for us to brute force this, first of all we will need to make a user list and a password list. I already made mine. So let me just open a new terminal, and as we can see right here, if I type here ls, I have users.txt and passwords.txt.
So let me just nano the users.txt, so you can see that it basically has a few usernames. You can just copy all these usernames from me and create your users.txt file. How we do that: we basically just nano the users.txt file, type these usernames, Ctrl+O, then Enter, and then Ctrl+X to exit. Do that also with these passwords, the passwords.txt file. Excuse me. So here is my passwords list file; as we can see: 123456, password, password1, admin, webcode, then capital Webcode, qwerty, 123123, and so on and so on. So these are just really small lists. We use small lists right now so it doesn't take a lot of time to brute force this.

What we want to do right here is turn our intercept on. Once we do that, go to your login page, which is login page three, and type here anything. Dee dee dee dee dee dee dee dee dee dee. Doesn't even matter. Just click here submit, and we can see right here the packet that we're sending. So of course we're sending a POST request to this page, which is the same as this one, and we're sending a username of this and a password of this.
So once we see the packet, you can turn the intercept off, and right here it will say "Wrong user name or password.", which we really didn't expect to work. So let's just find the packet right now. Let me just find it. It is under OWASP Bricks, login three. It's not this, since this is a GET request; you basically try to find the POST request. OWASP Bricks, login three, and here is my POST request for the login three page.

What we want to do right here is create an attack where we will send a bunch of usernames and passwords and wait for a different server response for some of them, which will tell us that that username and password is correct. Now it is similar to the previous attack which we used on the username, but right here what we want to do is check the server response for every attack, for every username and every password, and we want to see if the server responds, in its HTML code, with this string right here. As you can see, "Wrong user name or password.", and this is this string. So this is the same as this. This is just in the HTML code of the page. The username and password which doesn't have the string right here is the valid username and valid password. So the concept of this attack is brute forcing until we find a response which doesn't contain this string.
So let us do that. What we want to do is basically the same as in the previous video: we want to send this packet to the Intruder. And once this packet is in the Intruder, go into Positions and you will see, once again, that all these positions are selected. You want to clear all of them, and right now, instead of selecting one position, we want to select both username and password. So click here on Add and select also the password. Click here on Add. For the type of the attack, you do not want to use Sniper, since it is used to only brute force one input. We want to use Cluster bomb; Cluster bomb is basically used to brute force two different inputs.

So once you select here the attack type Cluster bomb, and once you select here the username and password, go to Payloads, and here, as payload set 1, we want to leave this, go down here and click on Load, and we want to basically load our username and password lists that we created. So the username and password lists that I created are in the root folder. Let me just find where root is. Here it is. And as we can see, here are our two lists that we created, so for the first list we pick users.txt and click here Open, and this is our list right here.
And then after you select that list, which is the user list, you want to go to the payload set, and here you just click on 2, which is basically referring to the second input of our packet, which is the password. So once you select that, click here on Load and select passwords.txt, which is our list for passwords.

Now after you do that, you want to select one more thing, which is we want to add to Burp Suite the string that it should search for in the packets, which is this string, since this string will only be prompted once the username or password is wrong. So let me just find where that option is. It is just here on the Options, and once you go to the Options, scroll right here down, and in the Grep Match... what you want to do: basically Grep Match is the option that people use in order to find the string in our packet. So just remove all of these strings right here; we do not need them. Let me just click right here on Remove. Once again, since it doesn't work, or Clear, it could be Clear. Yeah, just click here on Clear, and it will ask you if you want to clear the list. We want to, and then in the Add section what you want to type is "Wrong user name or password." Now make sure that it is the same.
Exactly the same as this. So the "user space name" must also be "user space name" right here. This dot must also be right here. So if you, for example, type "username" as one word, it will not work. So make sure you have a space right there. And once you do that, click here on Add, and we have selected the string that we want to search for in our response from the server.

So once you select all of that, what you want to go to is here on Start attack. You will get the same prompt window as before, so just click here on OK. And as you can see right now, it is trying out different combinations of our usernames and passwords, and here, as we can see, where this is checked, it is basically showing us the responses that have this string in them. So all of them have this string, which is "Wrong user name or password." And what we want to do is find the one that doesn't have that. As we can see, we found it right here. So this response doesn't have "Wrong user name or password" in the output of the server. For example, if you were to use this one, which is user and admin, so let's just try it right here, user and admin, you will get "Wrong user name or password." And that's why it's checked. But this one isn't.
So it must be a valid account. If we type here admin and admin below and submit, you will see that you have successfully logged in. Once you do that, you have basically brute forced a login and you can log in as a different user. Now of course most people won't really have the username and password set to admin admin, but for real-life attacks you want to use much bigger lists and you want to use more probable usernames and passwords.

Now, in order to perform this same attack faster, what I will show you in the next video is another tool that Kali Linux comes with, which is Hydra. It is a brute forcer for the login pages, for the website login pages, but it works much faster than the Burp Suite brute forcer, as you can see right here. Let me just find it, where is our page. It has finished, but it took some time to run these 60 different combinations in order to find the one which was the valid username and password. Now you will see that Hydra, which is a tool that we will use in the next video, will do that much faster. So I hope I see you in the next video, and take care, bye.