1 00:00:00,150 --> 00:00:05,050 OK, so now we know, you know, how to use some of these tools to gather information.
2 00:00:05,670 --> 00:00:09,410 So now let's actually go ahead and launch some web application attacks.
3 00:00:09,720 --> 00:00:13,900 So the first attack that we're going to do is brute force.
4 00:00:14,310 --> 00:00:19,740 So one way to break into web applications is pretty much through brute force.
5 00:00:20,340 --> 00:00:26,130 And typically, this involves using a list of usernames and passwords and, you know, to see if you
6 00:00:26,130 --> 00:00:29,790 can guess the combination to successfully log in.
7 00:00:30,120 --> 00:00:32,520 And we can use a variety of tools to achieve this.
8 00:00:32,520 --> 00:00:34,350 But today we're going to be using Burp.
9 00:00:34,350 --> 00:00:40,410 We'll only show you guys how to use that a little bit, extensively, to actually brute force into the Damn
10 00:00:40,410 --> 00:00:42,060 Vulnerable Web Application server.
11 00:00:42,600 --> 00:00:45,150 So let's go over to our Kali machine and try this out.
12 00:00:45,330 --> 00:00:47,460 OK, so we're back in the Kali machine.
13 00:00:47,730 --> 00:00:53,400 So what you're going to want to do is actually just type in the IP address of the VM into the
14 00:00:53,400 --> 00:00:53,970 browser.
15 00:00:54,210 --> 00:00:57,750 And then we're going to see a lot of different links here for different things that you could practice
16 00:00:57,750 --> 00:00:58,550 on and exploit.
17 00:00:58,860 --> 00:01:01,730 But for right now, we're just going to do DVWA.
18 00:01:02,070 --> 00:01:04,530 So this is the Damn Vulnerable Web Application.
19 00:01:04,740 --> 00:01:09,730 So to get into this, the default username is admin, and then, you see,
20 00:01:09,780 --> 00:01:13,440 the password is password, and you can figure that out.
21 00:01:13,440 --> 00:01:16,410 Actually, see your first, I guess, unofficial hack.
22 00:01:16,950 --> 00:01:18,510 You can view the page source.
23 00:01:18,720 --> 00:01:23,850 And hey, the developer actually, you know, left the username and password here.
24 00:01:24,030 --> 00:01:24,380 Cool.
25 00:01:24,720 --> 00:01:27,850 So now we know how to get in there.
26 00:01:28,170 --> 00:01:29,380 So it's actually right there at the bottom.
27 00:01:29,380 --> 00:01:33,370 So, admin, password.
28 00:01:33,630 --> 00:01:37,800 So now we're into the vulnerable web application.
29 00:01:38,520 --> 00:01:43,920 So you can kind of look through this and look at the disclaimer, look at some of the instructions.
30 00:01:44,700 --> 00:01:48,690 But for the most part, this is going to be a playground for you.
31 00:01:48,990 --> 00:01:54,120 These are different web application vulnerabilities that you can try to exploit, and then there's also different
32 00:01:54,120 --> 00:01:57,920 levels, like low, medium and high difficulty.
33 00:01:58,050 --> 00:02:01,980 And you can also set up, like, an intrusion detection system to make it even a little bit harder.
34 00:02:02,250 --> 00:02:06,450 So the first thing that we're going to want to do is go over here, Setup.
35 00:02:06,730 --> 00:02:12,450 We're going to want to create or reset the database, so we know the back end database is MySQL.
36 00:02:12,450 --> 00:02:13,730 So we just reset.
37 00:02:13,770 --> 00:02:18,180 And you want to do that when you, you know, when you start a new session to practice and stuff like
38 00:02:18,180 --> 00:02:20,090 that, come in here and reset.
39 00:02:20,460 --> 00:02:28,620 The next thing that you want to do is actually go over to DVWA Security, and right now it is set to
40 00:02:28,620 --> 00:02:29,510 high by default.
41 00:02:29,790 --> 00:02:34,080 So you're going to want to put this to low for now, and we're going to change it for some of the different
42 00:02:34,080 --> 00:02:40,590 attacks that we do, just to see, you know, how to bypass specific security measures, because each level
43 00:02:40,770 --> 00:02:41,850 is going to add on to it.
44 00:02:41,860 --> 00:02:44,920 So we've got to change this to low, and we're going to hit Submit.
45 00:02:45,210 --> 00:02:50,000 So let's go over to our Brute Force section.
46 00:02:50,010 --> 00:02:54,960 So right here we see a login, username, password.
47 00:02:55,740 --> 00:03:02,220 So for each one of these you can look at the source code for the page, so we can open up the source code.
48 00:03:02,220 --> 00:03:05,160 And you can understand what's happening when you submit this form.
49 00:03:05,430 --> 00:03:07,590 So on the back end it's PHP.
50 00:03:08,590 --> 00:03:14,830 It's doing a GET request, it's getting the login information, it's getting the username, it's getting the password,
51 00:03:15,040 --> 00:03:21,520 it's hashing the password, and then it's doing an SQL query, and it's looking for, you know, in the
52 00:03:21,520 --> 00:03:27,520 users table it's going to look for the user that you passed in and the password.
53 00:03:27,520 --> 00:03:32,530 And if it's right, it's going to allow you to log in, and it's going to show you "Welcome to the password
54 00:03:32,530 --> 00:03:33,540 protected area".
55 00:03:33,820 --> 00:03:38,770 So that's how we know that, you know, we actually logged in successfully.
56 00:03:38,770 --> 00:03:42,610 And if we logged in unsuccessfully, like the password or username was wrong,
57 00:03:43,140 --> 00:03:46,750 it says "Username and/or password incorrect".
58 00:03:47,320 --> 00:03:50,760 So now we kind of understand, you know, what's going on with it.
59 00:03:50,980 --> 00:03:52,740 So let's, like, test it out.
60 00:03:52,750 --> 00:03:54,330 So let's say, like, I don't know.
61 00:03:54,350 --> 00:04:01,570 I mean, it's like asdf. So, as you can see, you know, when you have a failed login,
62 00:04:02,560 --> 00:04:07,360 it gives you just an error, like we saw in the source code, and what you should also know is that in the
63 00:04:07,360 --> 00:04:16,020 URL it's passing the stuff through the URL, it's not, it's actually not taking this input and, like, sanitising
64 00:04:16,060 --> 00:04:16,510 it, as
65 00:04:16,600 --> 00:04:17,430 I'm going to say.
66 00:04:17,440 --> 00:04:18,370 It's not doing anything.
67 00:04:18,370 --> 00:04:19,740 It's just passing it through the URL.
68 00:04:19,750 --> 00:04:22,300 So it's a simple request.
69 00:04:22,360 --> 00:04:29,410 And it does not seem that there's any measures like, you know, if you, if you log in like, you
70 00:04:29,410 --> 00:04:35,380 know, if you fail a login like a few times within seconds, you know, it's going to block the account
71 00:04:35,380 --> 00:04:39,080 and not let you log in; there's no type of security measures like that.
72 00:04:39,110 --> 00:04:43,960 So what we can do, we can actually use Burp and actually brute force this.
73 00:04:44,320 --> 00:04:49,900 So before we do that, the first thing that we're going to want to do, you want to go to Google
74 00:04:50,530 --> 00:04:55,780 or just open up a new tab in Firefox and search FoxyProxy.
75 00:04:56,230 --> 00:04:58,390 And this is like a Mozilla extension.
76 00:04:58,590 --> 00:05:00,220 I've got to get on the Internet one second.
77 00:05:01,150 --> 00:05:06,400 So FoxyProxy, and then what you're going to want to do is click on this first link right here.
78 00:05:06,790 --> 00:05:11,560 And this is an extension that is going to allow us to run a proxy in our browser.
79 00:05:12,610 --> 00:05:19,990 And this is going to allow us to use Burp Suite to actually, you know, brute force into the application
80 00:05:19,990 --> 00:05:21,070 and do a lot of other stuff.
81 00:05:21,610 --> 00:05:23,020 So I need to add it in.
82 00:05:23,020 --> 00:05:25,240 I already have it, so I have to remove it and put it back.
83 00:05:25,840 --> 00:05:26,890 But once it's added in,
84 00:05:26,890 --> 00:05:27,970 you can see this right here.
85 00:05:28,360 --> 00:05:31,480 You can just click on it and then go to Options.
86 00:05:31,790 --> 00:05:40,810 It's going to open up a tab, and then what you're going to want to do is actually create a new proxy,
87 00:05:40,810 --> 00:05:41,140 pretty much.
88 00:05:41,140 --> 00:05:45,220 So you could just hit Add. I already have one on here, but I'm going to submit it.
89 00:05:45,520 --> 00:05:47,570 But you're going to keep this as HTTP.
90 00:05:47,650 --> 00:05:48,520 You can give it a name.
91 00:05:48,520 --> 00:05:53,110 I just give it Burp, because I don't know if you want to use it with Burp or Zap or whatever, because you
92 00:05:53,110 --> 00:05:54,940 can use that for the exact same thing.
93 00:05:55,270 --> 00:05:59,410 So the IP address, this is going to be your computer.
94 00:05:59,410 --> 00:06:04,930 So you're going to want the loopback address, which is an address that always goes back to the local
95 00:06:04,930 --> 00:06:09,490 machine, which is 127.0.0.1.
96 00:06:09,490 --> 00:06:11,860 And then the port, we're going to do 8080.
97 00:06:12,310 --> 00:06:17,230 That's a good port to use, and you need to save, and then you should see it pop up here.
98 00:06:17,650 --> 00:06:21,280 All you need to do is make sure this switch is flipped on.
99 00:06:21,460 --> 00:06:22,580 So it's enabled.
100 00:06:22,690 --> 00:06:29,230 So now if we want to use the proxy, we just have to turn it over to this, and it's going to send everything
101 00:06:29,230 --> 00:06:31,060 over 8080.
102 00:06:31,060 --> 00:06:36,400 And that's going to allow us to go into Burp Suite and enable, you know, the interception that's going
103 00:06:36,400 --> 00:06:41,830 to allow us to grab, you know, all the requests and modify them as we need.
104 00:06:42,010 --> 00:06:43,730 So we're going to now.
105 00:06:43,750 --> 00:06:44,990 So now we have that set up.
106 00:06:45,970 --> 00:06:48,820 So now let's go over to Burp.
107 00:06:49,150 --> 00:06:53,320 So what we can do is go up here, type in Burp.
108 00:06:53,630 --> 00:06:59,050 So Burp Suite comes up, and let's just give it a second, it takes like a minute to load.
109 00:06:59,900 --> 00:07:05,340 OK, so when you see this window pop up right here, we're just going to do Temporary project, Next, and
110 00:07:05,530 --> 00:07:06,260 Start Burp.
111 00:07:06,730 --> 00:07:09,880 So once this loads up, we're going to see the interface.
112 00:07:09,890 --> 00:07:11,010 Let's just give it a minute.
113 00:07:11,890 --> 00:07:15,030 OK, so now we have Burp running.
114 00:07:15,400 --> 00:07:21,910 So what we're going to want to do is go over to the Proxy section and hit Options.
115 00:07:22,070 --> 00:07:25,560 As you can see right now, I have mine set up.
116 00:07:25,660 --> 00:07:27,640 But it should be set as is by default.
117 00:07:27,640 --> 00:07:33,250 But if not, you can hit Add and put the interface as the same as the loopback address of 127.0.0.1
118 00:07:33,370 --> 00:07:36,640 on 8080.
119 00:07:37,270 --> 00:07:38,940 And it's running right now.
120 00:07:39,340 --> 00:07:48,730 So if I were to send any traffic over port 8080 from my computer, Burp is going to intercept
121 00:07:48,730 --> 00:07:48,870 it.
122 00:07:49,240 --> 00:07:50,770 So let's try this again.
123 00:07:50,780 --> 00:07:59,310 So let's go back over to here and let's do, like, you know, test, test.
124 00:07:59,340 --> 00:08:04,510 So before you actually hit Submit, you're going to want to go over here, turn on your proxy.
125 00:08:04,510 --> 00:08:07,240 So now you see the proxy is running.
126 00:08:07,510 --> 00:08:11,050 So now hit Login, and now Burp is intercepting.
127 00:08:11,060 --> 00:08:16,690 So now we can actually change anything that we want, so we can look at the parameters, like we can
128 00:08:16,690 --> 00:08:18,610 see, hey, this is the cookie.
129 00:08:19,960 --> 00:08:24,160 This is the username that we put in, the password that we put in, if we wanted to.
130 00:08:24,160 --> 00:08:26,830 We can change these right now if we wanted to.
131 00:08:27,460 --> 00:08:30,670 And then when we're done, we can just hit Forward.
132 00:08:30,850 --> 00:08:36,790 So that's pretty much how you would use Burp to interact with your HTTP request.
133 00:08:36,910 --> 00:08:39,400 So we know what authentication looks like now.
134 00:08:39,760 --> 00:08:42,940 So what we can do is, is actually do this one more time.
135 00:08:49,170 --> 00:08:51,000 Look, let me do something else.
136 00:08:52,680 --> 00:08:53,220 There we go.
137 00:08:53,310 --> 00:08:53,940 It's different now.
138 00:08:54,430 --> 00:09:03,600 OK, so what we can do is actually right click inside of here, or we can just do it in the Raw section
139 00:09:03,600 --> 00:09:03,840 too.
140 00:09:03,840 --> 00:09:04,080 Right
141 00:09:04,080 --> 00:09:07,710 click it inside of here and Send to Intruder.
142 00:09:09,090 --> 00:09:16,740 Intruder is a function in Burp, and also I must turn off the intercept above because we already have this.
143 00:09:16,750 --> 00:09:23,050 Intruder, Intruder allows us to kind of, like, attack this login form.
144 00:09:23,640 --> 00:09:26,040 So right now, we have it set.
145 00:09:26,040 --> 00:09:28,440 The host is the machine.
146 00:09:28,440 --> 00:09:30,060 We're doing this over port 80.
147 00:09:30,330 --> 00:09:32,090 And let's look at Positions.
148 00:09:32,100 --> 00:09:35,320 So as you can see, this is the request.
149 00:09:35,320 --> 00:09:40,580 So this is the same URL as in the browser for the most part, and you can see that it has the
150 00:09:40,590 --> 00:09:41,600 variables in here.
151 00:09:42,300 --> 00:09:47,490 These are called variables, where we would actually put our quote unquote payloads, which is going to
152 00:09:47,490 --> 00:09:48,900 be the next section that we go to.
153 00:09:48,930 --> 00:09:53,480 So first, let's clear everything, clear all the variables that it has in there.
154 00:09:53,850 --> 00:09:55,800 So let's go ahead and hit Clear.
155 00:09:55,950 --> 00:09:57,530 So now all that's clear.
156 00:09:57,900 --> 00:10:02,350 So what we can do is actually change the attack type to Cluster bomb.
157 00:10:02,400 --> 00:10:05,140 This is the one that we're going to want for our brute force attempt.
158 00:10:05,850 --> 00:10:12,660 So let's actually highlight right here where we have the username, you know, actually being passed
159 00:10:12,660 --> 00:10:13,650 into the URL.
160 00:10:14,400 --> 00:10:15,560 We're going to hit Add.
161 00:10:15,570 --> 00:10:19,050 So this is going to be, quote unquote, payload one.
162 00:10:19,770 --> 00:10:22,290 And then we're going to go over here where we have this.
163 00:10:22,470 --> 00:10:24,420 Whatever I put in here is the password.
164 00:10:25,200 --> 00:10:26,870 We're going to highlight that, we're going to hit Add.
165 00:10:27,510 --> 00:10:28,940 So now we have two variables.
166 00:10:28,950 --> 00:10:32,190 So this is payload one and this is payload two.
167 00:10:32,400 --> 00:10:38,070 So the next step, we're going to go over to our payload one, which is right here.
168 00:10:38,100 --> 00:10:42,180 The username, we're going to, we can put whatever we want.
169 00:10:42,210 --> 00:10:49,680 So right now, we're going to keep it a simple list, so you can either, you know, upload a list that
170 00:10:49,680 --> 00:10:51,150 you have, or you just add it.
171 00:10:51,180 --> 00:10:54,300 So right now, we're going to assume, hey, maybe there's a user.
172 00:10:54,660 --> 00:10:58,140 We're pretty sure that there's a user called admin, so add that to our payload
173 00:10:58,140 --> 00:10:59,280 one, and that's all.
174 00:10:59,280 --> 00:11:00,200 And then we have to have this.
175 00:11:00,200 --> 00:11:04,700 So now when we execute, this is only going to launch it against the admin username.
176 00:11:05,790 --> 00:11:08,070 So now we can change this to payload two.
177 00:11:08,640 --> 00:11:10,770 And this can be a simple list as well.
178 00:11:11,130 --> 00:11:18,660 So we can either upload a list, or like a password list like maybe rockyou.txt or something like
179 00:11:18,660 --> 00:11:20,580 that, to actually brute force.
180 00:11:20,790 --> 00:11:22,530 Or we could just make our own quick little list.
181 00:11:22,530 --> 00:11:25,220 So let's try, like, password
182 00:11:25,590 --> 00:11:31,610 one, two, three, password with an exclamation point, starting with a capital P.
183 00:11:32,970 --> 00:11:33,930 There we go.
184 00:11:34,440 --> 00:11:37,540 And then let's try just password and see what happens.
185 00:11:37,940 --> 00:11:46,070 So, so now we have all of our possible variables set for payload number two.
186 00:11:47,040 --> 00:11:50,880 So all we have to do now is actually just Start attack.
187 00:11:51,850 --> 00:11:58,510 And it's going to say OK, ignore that, so it's going to pop out a window, and it's actually
188 00:11:58,510 --> 00:12:08,110 going to try and look for, you know, try those passwords, try to, you see, try to log in, so I can
189 00:12:08,110 --> 00:12:08,890 see what's happening.
190 00:12:08,920 --> 00:12:14,810 So if you remember the source code, you remember that it says "Welcome to the password protected area".
191 00:12:15,730 --> 00:12:22,930 So what we can do is actually look at the responses from these and see, like, we can just search right
192 00:12:22,930 --> 00:12:23,290 here.
193 00:12:23,620 --> 00:12:24,790 We just have "welcome".
194 00:12:25,180 --> 00:12:30,250 And if it doesn't come up, then we know, hey, that password didn't work, and we can do the same right here,
195 00:12:30,490 --> 00:12:32,550 I'm going to enter "welcome".
196 00:12:32,550 --> 00:12:33,440 And nothing worked.
197 00:12:33,460 --> 00:12:34,260 It didn't work.
198 00:12:35,530 --> 00:12:36,670 So let's see here.
199 00:12:39,920 --> 00:12:47,650 Let's type "welcome" in there, make sure that you click on a response, of course, and then,
200 00:12:47,660 --> 00:12:49,520 hey, this one right here has a match.
201 00:12:49,530 --> 00:12:52,850 So let's actually go through and see where it says welcome.
202 00:12:56,360 --> 00:12:56,820 There we go.
203 00:12:56,850 --> 00:12:58,970 So, "Welcome to the password protected area".
204 00:12:59,180 --> 00:13:05,890 So now we know that the username is admin and the password is password.
205 00:13:06,110 --> 00:13:07,060 So that's pretty neat.
206 00:13:07,220 --> 00:13:14,720 So we can actually go back over to the web application: admin, password as the password.
207 00:13:15,050 --> 00:13:15,920 We logged in.
208 00:13:15,920 --> 00:13:19,860 We successfully brute forced into this application.
209 00:13:19,880 --> 00:13:20,660 So that's pretty neat.