1
00:00:00,800 --> 00:00:08,180
OK, so now that we understand the theory behind bypassing HTTPS and we have the correct caplet

2
00:00:08,330 --> 00:00:10,580
placed in the correct path,

3
00:00:10,580 --> 00:00:18,020
let's go ahead and use this caplet with bettercap and see how we can downgrade HTTPS to HTTP

4
00:00:18,380 --> 00:00:26,210
and steal passwords from login pages that use HTTPS by default.

5
00:00:26,360 --> 00:00:33,750
So I'm going to go to my terminal and I'm going to use bettercap exactly as I've been using it before.

6
00:00:33,770 --> 00:00:39,890
So we're doing bettercap, the name of the program; we'll give it our interface after the -iface argument;

7
00:00:40,400 --> 00:00:47,030
we're using the -caplet argument to specify a caplet to run as soon as we run the program, and we're

8
00:00:47,030 --> 00:00:52,700
running this spoof caplet, the one that we built in the previous lecture that runs the ARP spoofing

9
00:00:52,700 --> 00:01:00,860
command and runs the sniffer for us. So I'm going to hit enter, and as you can see everything got executed

10
00:01:00,950 --> 00:01:02,390
as expected.

11
00:01:02,390 --> 00:01:10,040
If we do help we'll see all the running modules, and we have the ARP spoof and the sniffer running, with

12
00:01:10,040 --> 00:01:11,690
the recon and with the probe.

13
00:01:12,380 --> 00:01:16,380
So this is exactly what we wanted from our caplet.

14
00:01:16,460 --> 00:01:22,700
The next thing that we want to do is run the HSTS bypass caplet, the one that we just downloaded

15
00:01:22,940 --> 00:01:26,470
and placed in our bettercap directory.
16
00:01:26,720 --> 00:01:34,670
So first of all, the HSTS bypass caplet is one of many caplets that bettercap comes with. If

17
00:01:34,670 --> 00:01:43,250
you want to list all of these caplets you can do caplets.show, and as you can see you'll get a

18
00:01:43,250 --> 00:01:49,900
list of all of the caplets that you have and their location on the system.

19
00:01:50,030 --> 00:01:54,980
Now the caplet that we want to run is the HSTS hijack caplet,

20
00:01:55,070 --> 00:01:58,280
this one right here, and you can see it's stored in here.

21
00:01:58,280 --> 00:02:04,460
This is the location where we actually replaced it with the one that we downloaded, and to run any of

22
00:02:04,460 --> 00:02:11,060
these caplets all you have to do is literally just type its name, and as usual you can use tab to

23
00:02:11,060 --> 00:02:14,850
autocomplete. So to run our caplet right here,

24
00:02:14,900 --> 00:02:22,160
all I have to do is literally type hsts and press tab, and as you can see it will automatically

25
00:02:22,170 --> 00:02:26,010
autocomplete for me and type the caplet name.

26
00:02:26,060 --> 00:02:31,700
Now if I hit enter, this will load the caplet with all of its options and it will run it for me.

27
00:02:32,690 --> 00:02:39,130
So as you can see, because we don't see any errors, this means everything got executed as expected.

28
00:02:39,170 --> 00:02:46,970
So let's go to the Windows machine, browse some HTTPS pages and see if we can sniff data: usernames,

29
00:02:46,970 --> 00:02:55,200
passwords and URLs that they enter on their computer. So I have my Windows machine here; I have Chrome

30
00:02:55,260 --> 00:02:56,070
installed.

31
00:02:56,070 --> 00:02:58,180
This is the latest version of Chrome
32
00:02:58,230 --> 00:03:05,970
at the time of recording this lecture, which is in April 2019. Now, a really good idea before trying all

33
00:03:05,970 --> 00:03:11,970
of these things is to remove your browsing data, because the websites that we're going to try to access

34
00:03:12,180 --> 00:03:16,170
might be cached and they might just be loaded from your cache.

35
00:03:16,170 --> 00:03:21,780
This will only happen if you're visiting the same website over and over again, mostly when testing.

36
00:03:21,780 --> 00:03:29,510
Therefore it's a really good idea to press Ctrl+Shift+Delete and click on "Clear browsing data".

37
00:03:29,510 --> 00:03:31,290
Make sure all of this is clicked,

38
00:03:31,290 --> 00:03:38,340
make sure it's set to "All time", and click on Clear to remove all of it. And let's go ahead and

39
00:03:38,340 --> 00:03:41,570
go to a website that uses HTTPS.

40
00:03:41,640 --> 00:03:45,090
So a good example would be linkedin.com

41
00:03:48,170 --> 00:03:49,160
and perfect.

42
00:03:49,160 --> 00:03:56,440
If you look here at the top you'll see the website is loading over HTTP, not over HTTPS.

43
00:03:56,630 --> 00:04:02,900
Therefore we'll be able to see anything the user enters in these boxes.

44
00:04:02,900 --> 00:04:13,090
So let's put a username, let's set it to zaid@zsecurity.org, and I'll put a password as 123

45
00:04:13,090 --> 00:04:15,200
4567890.

46
00:04:15,200 --> 00:04:21,630
Doesn't really matter, you can use any password, and I'm going to hit enter to log in.
47
00:04:21,850 --> 00:04:27,880
This is wrong, so obviously we're getting an error message, but if we go back to Kali, as you can see

48
00:04:27,940 --> 00:04:34,300
we're capturing all of this data, because it's not being sent over HTTPS anymore, it's being sent

49
00:04:34,390 --> 00:04:43,600
over HTTP. And if you look in here you can see we captured login information; it's sent to linkedin.com,

50
00:04:43,710 --> 00:04:52,530
sent to this specific URL, a login URL, and you can see the username is zaid@zsecurity.org

51
00:04:52,530 --> 00:04:57,990
and the password is 123 all the way up to 90.

52
00:04:59,190 --> 00:05:01,040
So that's really, really good.

53
00:05:01,080 --> 00:05:04,310
Let's go ahead and test another HTTPS website.

54
00:05:04,350 --> 00:05:06,510
Let's go to

55
00:05:06,510 --> 00:05:07,200
stackoverflow.com.

56
00:05:09,620 --> 00:05:18,410
Again you can see on top it's loading over HTTP, not HTTPS. So I'm going to click on "Log in" and

57
00:05:18,440 --> 00:05:24,540
again I'm going to put my email, zaid@zsecurity.org, and we'll put a password as 123

58
00:05:24,540 --> 00:05:29,700
4567890, and hit enter.

59
00:05:29,870 --> 00:05:32,460
Let's go to the Kali machine again.

60
00:05:32,870 --> 00:05:36,890
Scroll down this time because we're stuck on top.

61
00:05:36,950 --> 00:05:37,480
Perfect.

62
00:05:37,490 --> 00:05:40,140
You can see we have a POST request in here.

63
00:05:40,340 --> 00:05:42,540
It's sent to this specific URL again.

64
00:05:42,590 --> 00:05:44,560
You can see "login" in the URL.

65
00:05:44,660 --> 00:05:46,340
You can see the website itself,

66
00:05:46,340 --> 00:05:48,110
stackoverflow.com.

67
00:05:48,580 --> 00:05:57,800
And if we scroll down a little bit more we can see that the username is zaid@zsecurity.org
68
00:05:57,890 --> 00:06:05,470
and the password again 123 all the way up to 90. So that is really, really good.

69
00:06:05,470 --> 00:06:15,060
Now we can downgrade any HTTPS connection to HTTP as long as the target website uses HTTPS

70
00:06:15,070 --> 00:06:18,260
and not HSTS.

71
00:06:18,520 --> 00:06:25,780
So this method will work against pretty much all websites that use HTTPS, except for the really

72
00:06:25,780 --> 00:06:30,780
popular websites such as Facebook, Twitter and so on.

73
00:06:30,790 --> 00:06:32,740
So let me show you a quick example.

74
00:06:32,860 --> 00:06:43,070
If I go here and try to go to facebook.com, you'll see that the website got loaded over HTTPS,

75
00:06:43,070 --> 00:06:50,350
not over HTTP, even though we configured our caplet correctly,

76
00:06:50,350 --> 00:06:57,400
and even though we're able to downgrade HTTPS connections on a lot of websites such as LinkedIn

77
00:06:57,640 --> 00:07:00,060
and Stack Overflow.

78
00:07:00,490 --> 00:07:08,760
This is happening because Facebook is using HSTS, which is a little bit trickier to bypass. In

79
00:07:08,770 --> 00:07:09,640
the next lecture

80
00:07:09,640 --> 00:07:17,650
we'll talk more about what HSTS is, why it's tricky to bypass, and how to partially bypass it and

81
00:07:17,650 --> 00:07:24,950
still get usernames and passwords from the websites that implement it, such as Facebook, Twitter and so

82
00:07:24,960 --> 00:07:25,230
on.