WEBVTT

0
00:01.150 --> 00:02.290
Welcome back!

1
00:02.290 --> 00:08.860
In the last lecture we took a look at Bettercap, one of the most complete and advanced Man-in-

2
00:08.860 --> 00:17.370
the-Middle attack frameworks. Bettercap brings MITM attacks to the next level. Let's start a MITM

3
00:17.370 --> 00:25.590
attack of type ARP Poisoning using Bettercap! We’ll intercept all the traffic between Windows,

4
00:26.330 --> 00:28.200
the recording machine,

5
00:28.200 --> 00:35.600
it will be the victim and the default gateway! We will see all Internet data sent and received by

6
00:35.600 --> 00:36.410
the victim.

7
00:36.410 --> 00:43.890
The attacker who runs Kali is connected to the same WiFi network as the victim and the default gateway.

8
00:44.010 --> 00:49.690
Kali runs in a VM and the network is set to bridge mode. Let's start

9
00:49.700 --> 00:57.260
Bettercap! bettercap -iface and the name of the interface.

10
00:57.340 --> 01:02.650
eth0. To insert ourselves in the middle of the connection

11
01:02.730 --> 01:05.490
we'll use a module called arp.spoof.

12
01:05.910 --> 01:17.030
Let's see the help of the module and what the available options are: help arp.spoof. We see that the module

13
01:17.030 --> 01:18.130
is not running.

14
01:18.170 --> 01:26.940
We start it by executing arp.spoof on and we stop it by executing arp.spoof off. There

15
01:26.940 --> 01:31.430
is also the possibility to launch a denial of service attack,

16
01:31.500 --> 01:40.690
not a Man-in-the-Middle, using arp.ban on. In this case bettercap will intercept the traffic

17
01:40.930 --> 01:42.330
and then drop it.

18
01:42.370 --> 01:44.350
We'll see shortly how to do that.

19
01:46.160 --> 01:53.870
We also see the available parameters of the module, a short description of each parameter and its default

20
01:53.870 --> 01:55.400
value.

21
01:55.410 --> 02:01.310
There are two parameters or options that are of interest to us at this moment.

22
02:01.420 --> 02:06.220
arp.spoof.fullduplex and arp.spoof.targets.

23
02:06.970 --> 02:08.910
Let's take them one by one!

24
02:09.420 --> 02:17.000
arp.spoof.fullduplex will make bettercap spoof both the victim and the default gateway

25
02:17.070 --> 02:24.150
if it's set to true. If it's set to false, which is the default value, it will spoof only the victim, not

26
02:24.210 --> 02:26.510
the default gateway as well.

27
02:26.610 --> 02:33.660
In this case we cannot inject packets and data into the connection between the victim and the default

28
02:33.660 --> 02:38.160
gateway; we will talk more about injection in the next lectures.

29
02:39.300 --> 02:47.640
Note that the default gateway could have some anti-spoofing features like Dynamic ARP Inspection activated.

30
02:48.300 --> 02:56.460
If that's the case, we cannot spoof the router and we have to set this option to false. To change the value

31
02:56.520 --> 02:57.920
of an option,

32
02:57.990 --> 03:09.360
any option of any module, we execute set, the name of the option and the value; for example set the option

33
03:10.520 --> 03:18.430
and the value true. When you change an option you can use Tab to autocomplete that option.

34
03:18.430 --> 03:29.090
It's the Linux style of running commands! For example, ar, and I am hitting Tab and it has autocompleted

35
03:29.270 --> 03:37.460
the option; f, u and Tab. OK, you've got it. And I want to start

36
03:37.460 --> 03:45.540
also the net.probe module, for it to be able to discover the targets: so net.probe.

37
03:51.540 --> 03:57.310
The second important option of the arp.spoof module is arp.

38
03:57.360 --> 04:05.040
spoof.targets; it's used to specify the target hosts as a list of comma-separated values

39
04:05.370 --> 04:13.050
of IP or MAC addresses. Let's set the target as being the Windows machine.

40
04:13.130 --> 04:18.800
Let's see what its address is: ipconfig, and this is

41
04:18.830 --> 04:31.700
its address, 192.168.0.113, so set arp.spoof.targets and the

42
04:31.700 --> 04:33.440
IP address of Windows.

43
04:37.870 --> 04:40.630
Now that we've set all the required options

44
04:40.630 --> 04:44.170
we can start the module: arp.spoof on.

45
04:47.430 --> 04:55.190
arp.spoofer started and there is one target; there is no error. I'll check that the module

46
04:55.190 --> 05:05.280
is running by executing help, and we notice that besides the modules that were running, arp.spoof

47
05:05.490 --> 05:14.030
is also running. Take notice that net.probe and net.recon must be running as well.

48
05:14.750 --> 05:19.160
Let's check that the attack has been executed successfully.

49
05:19.230 --> 05:24.560
Let's see the MAC address of the attacker. In another terminal

50
05:24.580 --> 05:32.110
I am executing ifconfig and this is the MAC address of the attacker.

51
05:32.180 --> 05:42.830
It ends in 76, and on the victim machine let's display its ARP table: arp -a

52
05:46.540 --> 05:54.400
And we notice that both the default gateway and the attacker have the same MAC address in the ARP table.

53
05:55.250 --> 06:02.740
Now when it wants to send a packet to the default gateway or to another address on the Internet, it

54
06:02.740 --> 06:09.540
will search for the MAC address of the default gateway in the ARP table and use that address.

55
06:09.700 --> 06:14.860
This is the default gateway and this is the entry for the attacker.

56
06:14.860 --> 06:22.660
The attack is running! Information like emails, credentials like usernames and passwords, or other

57
06:22.660 --> 06:29.020
sensitive data will be intercepted by the hacker who is in the middle of the connection between the

58
06:29.020 --> 06:36.460
victim and the default gateway, which is also the access point of this network. To save and see the

59
06:36.460 --> 06:37.670
captured packets

60
06:37.750 --> 06:45.610
we should use a program like Wireshark or we can start a bettercap module that does the job; and the

61
06:45.610 --> 06:53.930
bettercap module that sniffs and then displays sensitive data is net.sniff, and we must start

62
06:53.940 --> 06:58.250
it as well: net.sniff on.

63
06:58.330 --> 07:03.000
Okay, let's test the attack! From the victim's machine

64
07:03.010 --> 07:13.820
I'm going to visit a website and then log in; the site is demo.testfire.net. I'm clicking

65
07:13.820 --> 07:14.090
on

66
07:14.120 --> 07:19.940
online banking login, username Andrei and the password

67
07:20.010 --> 07:28.760
test 1234 and log in. The authentication was not successful, but that's not important.

68
07:30.380 --> 07:32.260
Back to the attacker's machine

69
07:32.360 --> 07:40.080
we notice in the bettercap window the communication between the victim and that website.

70
07:40.100 --> 07:50.630
This is the communication, the website I have visited, and here we notice the credentials: the username

71
07:50.900 --> 07:54.810
and the password.

72
07:54.950 --> 07:58.530
Of course, that connection was not encrypted.

73
07:58.580 --> 08:03.810
It used HTTP instead of HTTPS. We'll see in the next lectures

74
08:03.860 --> 08:05.270
what possibilities

75
08:05.270 --> 08:10.070
a hacker has to bypass the encryption and sniff encrypted traffic.

76
08:11.360 --> 08:18.830
If we want to be more verbose, that is, to display all of the information that was captured, we set an option

77
08:19.040 --> 08:20.950
to net.sniff: net.

78
08:20.960 --> 08:23.990
sniff.verbose true

79
08:26.680 --> 08:32.070
and we see each packet. At the end of this lecture

80
08:32.140 --> 08:39.130
I want to tell you a troubleshooting tip: if you don't see the credentials, the username and the password,

81
08:39.220 --> 08:40.840
in the bettercap window,

82
08:40.840 --> 08:49.330
it doesn't mean that it didn't capture them. Bettercap does not display all captured data but only a

83
08:49.330 --> 08:50.430
part of it.

84
08:50.560 --> 08:58.210
Normally the net.sniff module should capture and then display the credentials for well-known protocols

85
08:58.420 --> 08:59.530
like HTTP,

86
08:59.740 --> 09:04.700
but from my experience, I can tell you that's not always the case.

87
09:04.780 --> 09:12.730
First, I'll set this option to false. What you can do is to set an option of the net.sniff module

88
09:12.910 --> 09:21.580
to save all captured data to a pcap zip file that can be later opened in Wireshark. Let's

89
09:21.580 --> 09:27.750
see the options of the net.sniff module: help net.sniff

90
09:31.620 --> 09:40.250
and this is the option, so set net.sniff.output and a file,

91
09:40.510 --> 09:50.240
for example /root/win.pcap.
Bettercap will save all the captured traffic to that file

92
09:50.450 --> 09:58.910
and you can later open it using Wireshark and search for traffic of interest, like credentials. And

93
09:58.970 --> 10:06.680
to stop the spoofing attack, arp.spoof off. It's restoring the ARP cache!