1 00:00:00,180 --> 00:00:04,070 Hello everybody and welcome back to the man in the middle attack section.
2 00:00:04,200 --> 00:00:09,420 Now before we begin using the tool that we installed in the previous tutorial I just want to show you
3 00:00:09,420 --> 00:00:15,930 how you can do this manually using some already pre-installed tools that come in Kali Linux.
4 00:00:15,930 --> 00:00:22,590 So what we want to do first of all, if you didn't watch the theory video behind this you might want to
5 00:00:22,590 --> 00:00:26,180 watch it since I won't explain why we are doing certain things right here.
6 00:00:26,700 --> 00:00:28,590 But let us get right into this.
7 00:00:28,590 --> 00:00:32,510 So what you need to do is first of all open up your terminal.
8 00:00:32,580 --> 00:00:39,420 And since we will be running multiple commands at the same time we want to use a tool or a program that
9 00:00:39,420 --> 00:00:43,140 we installed in the previous videos or I showed you how to install it.
10 00:00:43,140 --> 00:00:45,060 It's called Tilix.
11 00:00:45,060 --> 00:00:51,480 Now what Tilix is, it's basically a terminal that allows you to open multiple windows and run the same command
12 00:00:51,600 --> 00:00:54,100 or run different commands at the same time.
13 00:00:54,150 --> 00:01:01,080 So let us open Tilix and let us close these terminals since we don't need it so but don't call it an act you
14 00:01:01,080 --> 00:01:05,020 basically close it on this dash right here since it will close Tilix as well.
15 00:01:05,670 --> 00:01:12,510 And now what we want to do is we want to split this Tilix into three different windows so we can run
16 00:01:12,510 --> 00:01:14,060 three commands.
17 00:01:14,070 --> 00:01:20,410 Now what we want to do is we basically want to run the ARP spoofing attack against our Windows 10 machine.
18 00:01:20,410 --> 00:01:27,480 Now I want to show you the command of how to change your, or how to check your cache table or your ARP
19 00:01:27,520 --> 00:01:31,800 cache table and see which devices you have in your ARP cache.
20 00:01:31,800 --> 00:01:37,110 So just type here arp -a and you will see all of the devices that you have currently in your
21 00:01:37,230 --> 00:01:43,140 ARP table and we can see the gateway which is 192.168.1.1 at this MAC
22 00:01:43,140 --> 00:01:48,720 address and we can also see my Windows 10 machine which is 192.168.1.6
23 00:01:48,720 --> 00:01:54,570 which we will be targeting at this MAC address right here.
24 00:01:54,590 --> 00:02:01,590 Now if we open up my command prompt on my Windows 10 machine and we type the same command which is arp
25 00:02:01,610 --> 00:02:08,780 -a we will see that it also has some machines in the ARP table and we can see that one of them
26 00:02:08,840 --> 00:02:12,860 is our router at the same MAC address as we can see right here.
27 00:02:13,010 --> 00:02:18,770 And this one right here which is 192.168.1.8 is my Kali Linux machine which
28 00:02:18,770 --> 00:02:20,390 has this MAC address.
29 00:02:20,390 --> 00:02:26,360 Now you will see after we perform the ARP spoofing attack that these two IP addresses
30 00:02:26,360 --> 00:02:31,590 will both have the same MAC address which will be the MAC address of our Kali Linux machine.
31 00:02:32,030 --> 00:02:38,720 That's how you will know that someone, or basically us in this case, is running the ARP spoofing since
32 00:02:38,720 --> 00:02:43,580 both of these machines will have the same MAC address which will be the MAC address of our Kali Linux
33 00:02:43,580 --> 00:02:43,960 machine.
34 00:02:44,450 --> 00:02:48,200 So now that I explained this let's run the commands.
35 00:02:48,230 --> 00:02:52,880 So the tool that we will be using which is already in Kali Linux is arpspoof.
36 00:02:52,880 --> 00:02:55,790 So just type here arpspoof and you will see the usage.
37 00:02:55,790 --> 00:02:57,050 It is simple.
38 00:02:57,050 --> 00:03:00,470 We basically select our interface and our target.
39 00:03:00,470 --> 00:03:07,370 Now since we are only targeting one host and not all the hosts in our local network we will basically
40 00:03:07,490 --> 00:03:09,260 run the same command twice.
41 00:03:09,260 --> 00:03:12,050 But with the reverse IP addresses.
42 00:03:12,140 --> 00:03:14,090 Now let me show you what I mean.
43 00:03:14,120 --> 00:03:14,680 First of all.
44 00:03:14,710 --> 00:03:22,460 So type here arpspoof then -i and then select your network interface.
45 00:03:22,490 --> 00:03:28,710 In my case that is eth0 since if I type here ifconfig you will see that my only interface that's
46 00:03:28,730 --> 00:03:31,890 connected currently to the network is the eth0.
47 00:03:31,990 --> 00:03:37,160 Now if you have a wireless adapter that is connected for example you can use that one as well but just
48 00:03:37,160 --> 00:03:38,150 name it differently.
49 00:03:38,210 --> 00:03:41,290 Or just check out the name with the ifconfig command.
50 00:03:41,410 --> 00:03:48,390 So type here arpspoof -i then eth0 then -t.
51 00:03:48,560 --> 00:03:54,290 And after the -t we select two IP addresses, one of which will be the router's IP address and
52 00:03:54,290 --> 00:03:57,050 one of them will be the Windows 10 IP address.
53 00:03:57,050 --> 00:04:02,990 So just type here 192.168.1.1 which is our router's IP address which we want to
54 00:04:02,990 --> 00:04:04,750 spoof and type here
55 00:04:04,880 --> 00:04:09,070 192.168.1.6 which is the IP address,
56 00:04:09,110 --> 00:04:15,860 if I check here correctly with ipconfig, which is the IP address of our Windows 10 machine which we are targeting
57 00:04:16,400 --> 00:04:16,900 now.
58 00:04:16,970 --> 00:04:23,510 This basically means, as I talked about in the theory video, that this will spoof both the target, the router's
59 00:04:23,510 --> 00:04:28,190 IP address and the Windows 10 IP address, and that will make the packets go through us since the router
60 00:04:28,190 --> 00:04:32,450 will think that we are the Windows 10 machine and the Windows 10 machine will think that we are the
61 00:04:32,450 --> 00:04:39,230 router so they will both be sending the packets to us which we will be forwarding to the router which
62 00:04:39,230 --> 00:04:40,980 will be forwarding them to the other websites.
63 00:04:41,450 --> 00:04:46,610 So we can't only run this command since this will only ask for one target.
64 00:04:46,640 --> 00:04:49,460 We need to put them both in for this to work.
65 00:04:49,460 --> 00:04:56,470 So just type here arpspoof -i then eth0 then -t.
66 00:04:56,510 --> 00:05:01,550 And now just basically these two IP addresses that we specified in this order, which is first the router's
67 00:05:01,550 --> 00:05:05,650 IP address and then the Windows 10 IP address, you need to reverse.
68 00:05:05,660 --> 00:05:10,090 So just type here 192, oops, 192.168.
69 00:05:10,090 --> 00:05:16,980 1.6 which is the Windows 10 IP address and here type 192.168.1.1.
70 00:05:17,010 --> 00:05:22,040 Now once you do this basically just click here Enter on both of these commands
71 00:05:24,900 --> 00:05:28,380 and it will start ARP spoofing as we can see right here.
72 00:05:28,380 --> 00:05:31,310 And this will continue as long as you run it.
73 00:05:31,350 --> 00:05:36,330 Now what you want to check right now is, for example, let's open up now
74 00:05:36,360 --> 00:05:44,290 our command prompt on our Windows 10 machine and if we type here again arp -a you will notice
75 00:05:44,290 --> 00:05:49,210 that now both of these IP addresses have the same MAC address which is the MAC address of our Kali Linux
76 00:05:49,210 --> 00:05:52,240 machine which means that our Windows 10 machine
77 00:05:52,240 --> 00:05:59,380 now thinks that the router is at this MAC address and it sends all of its packets to the, to the,
78 00:05:59,380 --> 00:06:01,510 now, our Kali Linux machine.
79 00:06:01,510 --> 00:06:05,000 And this will continue as long as we run this.
80 00:06:05,020 --> 00:06:11,680 Now if you go on to the Internet on our Windows 10 machine and you try to visit a website you won't
81 00:06:11,680 --> 00:06:12,790 be able to do it.
82 00:06:12,820 --> 00:06:18,160 Now I am able to do it because I ran a simple command before I started this which I will show you right
83 00:06:18,160 --> 00:06:18,550 now.
84 00:06:19,090 --> 00:06:21,500 So let us just close this for a second.
85 00:06:21,520 --> 00:06:27,160 If I Ctrl+C both of those windows you will see that it will be cleaning up and re-arping targets which
86 00:06:27,160 --> 00:06:33,520 basically means that it will start sending ARP requests and replies which consist of the true IP address
87 00:06:33,520 --> 00:06:34,860 with its true MAC address.
88 00:06:34,870 --> 00:06:37,420 So everything will be back to normal.
89 00:06:37,510 --> 00:06:44,560 Now you probably wouldn't be able to collect tolls go to the ARP spoofed target machine if you
90 00:06:44,560 --> 00:06:57,760 didn't run this command which is echo 1 and then /proc/sys/net/ipv4 and then /ip
91 00:06:58,270 --> 00:07:00,000 _forward.
92 00:07:00,010 --> 00:07:07,000 This basically means that for a while by default you will have zero in this file which means that you
93 00:07:07,000 --> 00:07:11,920 will not be able to forward the packets. In order for us to be able to forward the packets you need to
94 00:07:11,920 --> 00:07:15,860 run this command first before you start the ARP spoofing.
95 00:07:15,860 --> 00:07:20,950 Now I was able to connect to the internet since I already ran this command before but you won't be able
96 00:07:20,950 --> 00:07:23,500 to so you need to run this command.
97 00:07:23,500 --> 00:07:31,630 It will basically print, or it will input one into the ip_forward file and it will be able to forward
98 00:07:31,630 --> 00:07:32,560 packets from now on.
99 00:07:32,590 --> 00:07:36,390 So just press here Enter and if we cat the same file.
100 00:07:36,520 --> 00:07:38,400 So let me just copy this right here.
101 00:07:39,740 --> 00:07:44,340 So copy and then paste right here and if we cat that you will see that
102 00:07:44,340 --> 00:07:48,050 now there is one in this file so now you should be good to go.
103 00:07:48,080 --> 00:07:53,820 And if you run this once again you will be able to access the Internet on the ARP spoofed machine.
104 00:07:53,850 --> 00:07:56,270 So let us do that once again.
105 00:07:56,400 --> 00:08:02,960 But right now let us try to capture some packets with driftnet. Now driftnet, if I type it
106 00:08:03,000 --> 00:08:08,820 right here you will see it will open up a window, a black window which basically I believe it will pop
107 00:08:08,820 --> 00:08:12,960 up some of the thousand pictures that the target machine will visit
108 00:08:13,230 --> 00:08:19,260 while we are spoofing. Now in some cases this does not work since
109 00:08:19,530 --> 00:08:25,320 basically as I talked about not all websites can be targeted with the ARP spoofing and the man in the
110 00:08:25,320 --> 00:08:32,670 middle attack since some of them are HTTPS over TLS encryption which is not vulnerable to the decrypted
111 00:08:32,750 --> 00:08:33,950 man in the middle attacks.
112 00:08:33,960 --> 00:08:36,050 So you will not be able to read.
113 00:08:36,900 --> 00:08:41,390 Basically you will not be able to read packets from the TLS encrypted website.
114 00:08:41,550 --> 00:08:47,370 You will only be able to read the packets from the HTTP website or the HTTPS website while performing
115 00:08:47,370 --> 00:08:49,470 the SSL strip on it.
116 00:08:49,470 --> 00:08:55,000 So let me just see if there are any options for the help for this command.
117 00:08:55,770 --> 00:09:03,370 If I enlarge this we can see that we need, or basically we need the interface.
118 00:09:03,390 --> 00:09:05,920 So we need to select the interface for this command.
119 00:09:05,940 --> 00:09:10,830 Now the interface will be the same interface that you're running arpspoof on.
120 00:09:11,070 --> 00:09:13,530 Let's see do we need anything else.
121 00:09:13,530 --> 00:09:14,520 I don't think so.
122 00:09:14,520 --> 00:09:17,880 So we only need to run driftnet -i
123 00:09:17,940 --> 00:09:19,620 and then the interface.
124 00:09:19,620 --> 00:09:22,080 So let's first run that.
125 00:09:22,290 --> 00:09:30,080 So driftnet -i and then eth0 and we can see that it opened up right here.
126 00:09:30,300 --> 00:09:37,330 And while that is running, well let's first, since it goes to the background let me just close this and
127 00:09:37,330 --> 00:09:39,090 let's run the ARP spoofing first.
128 00:09:39,100 --> 00:09:45,010 So I will just go and run the same two commands that we ran before so let me just clear the screen so
129 00:09:45,010 --> 00:09:49,700 it looks a little bit prettier and let's run the same two commands that we ran.
130 00:09:50,060 --> 00:09:53,090 So this one arpspoof and then started.
131 00:09:53,190 --> 00:09:55,420 First the router and then the Windows 10 machine.
132 00:09:55,460 --> 00:10:00,500 We run that one and then go in the next terminal and we run the reverse IP addresses.
133 00:10:00,560 --> 00:10:07,400 So we run these two and now the target machine will be able to connect to the Internet even while
134 00:10:07,400 --> 00:10:08,580 being ARP spoofed.
135 00:10:08,870 --> 00:10:14,630 And basically the victim won't know that it is being spoofed unless they run this command in their
136 00:10:14,750 --> 00:10:20,840 terminal or command prompt and notice that there are two same MAC addresses which can be a little
137 00:10:20,840 --> 00:10:23,870 suspicious and does point out to the man in the middle attack.
138 00:10:24,380 --> 00:10:27,470 But most of the people don't even know what command contains.
139 00:10:27,470 --> 00:10:31,070 So you shouldn't be worried about someone actually opening this.
140 00:10:31,250 --> 00:10:36,320 And you also shouldn't be running this on any network you do not own or do not have permission to do
141 00:10:36,320 --> 00:10:37,240 this.
142 00:10:37,250 --> 00:10:46,600 So while we run the arpspoof let us now run driftnet once again, -i eth0, and now let's see
143 00:10:46,630 --> 00:10:48,280 if this will work on this website.
144 00:10:48,280 --> 00:10:50,350 It might work and it might not.
145 00:10:50,350 --> 00:10:55,480 If we reload it we might be able to see for example some of the pictures that it will load from the
146 00:10:55,480 --> 00:10:56,570 target's machine.
147 00:10:57,100 --> 00:11:03,430 So if we reload this once again you will see that it works and it does load something, not all of the
148 00:11:03,430 --> 00:11:07,230 pictures. We can try to load it again, maybe it will work.
149 00:11:07,300 --> 00:11:10,400 So you just click on the website.
150 00:11:10,490 --> 00:11:12,650 Well it managed to capture something I believe.
151 00:11:12,650 --> 00:11:16,930 This is the picture from the website, or let me just check, see here it is.
152 00:11:16,940 --> 00:11:20,030 It managed to load this picture right here.
153 00:11:20,030 --> 00:11:24,010 As I said sometimes this will work and sometimes it just won't work.
154 00:11:24,080 --> 00:11:30,500 But this is just the most simple case of running the ARP spoofing attack and performing the packet capturing
155 00:11:30,560 --> 00:11:32,660 in our driftnet tool.
156 00:11:32,940 --> 00:11:38,540 We will be covering some of the more, basically more advanced things that you can do with man in the
157 00:11:38,540 --> 00:11:38,870 middle.
158 00:11:38,870 --> 00:11:41,480 This is just the most simple form.
159 00:11:41,480 --> 00:11:45,200 We didn't even use the tool that we installed in the previous video with a little bit in the next few
160 00:11:45,200 --> 00:11:46,690 videos.
161 00:11:46,940 --> 00:11:52,220 And basically it will automate this entire process and we won't really be needing to run three commands
162 00:11:52,220 --> 00:11:58,720 at the same time, we will only need to run one command and we will be able to do all of this.
163 00:11:58,920 --> 00:12:04,350 Now once again if your target machine isn't able to connect to the Internet make sure
164 00:12:04,350 --> 00:12:10,890 that there is one echoed in that ip_forward file which I showed you how to do.
165 00:12:10,920 --> 00:12:12,750 So let us close this.
166 00:12:12,960 --> 00:12:15,570 That would be about it for this lecture.
167 00:12:15,600 --> 00:12:20,760 Now if you want to restore the ARP spoofing or basically restore any MAC addresses with their IP addresses
168 00:12:20,760 --> 00:12:27,270 just Ctrl+C both of these and your target machine might be disconnected from the internet
169 00:12:27,270 --> 00:12:34,050 for a brief second but nobody will notice that since it will go back to normal in just one second and
170 00:12:34,290 --> 00:12:37,840 nobody will notice that you ran the ARP spoofing attack.
171 00:12:37,980 --> 00:12:40,610 So that would be about it for this tutorial.
172 00:12:40,680 --> 00:12:46,620 We will continue with the man in the middle attack in the next one and I hope I see you there.
173 00:12:46,630 --> 00:12:46,890 Bye.