1 00:00:00,830 --> 00:00:08,030 Previously we learned what ARP spoofing is and how to use it to intercept connections in our network
2 00:00:08,150 --> 00:00:11,840 using a tool called arpspoof.
3 00:00:11,840 --> 00:00:19,370 I covered this tool because it is simple, reliable and available for a number of operating systems.
4 00:00:19,400 --> 00:00:24,650 Therefore learning how to use this tool can be useful in so many scenarios.
5 00:00:25,520 --> 00:00:31,940 However, in this lecture and in the next lectures we're going to be using a tool called bettercap.
6 00:00:32,660 --> 00:00:42,470 Bettercap can be used to do exactly what we did with arpspoof, so we can use it to run an ARP spoofing
7 00:00:42,470 --> 00:00:50,150 attack to intercept connections, and it can be used to do so much more, so we can use it to capture data
8 00:00:50,180 --> 00:00:57,320 and analyze it and see usernames and passwords, we can use it to bypass HTTPS and potentially bypass
9 00:00:57,410 --> 00:01:06,140 HSTS, we can use it to do DNS spoofing, inject code into loaded pages and so much more.
10 00:01:06,200 --> 00:01:12,230 For now though I'm gonna show you how to install the tool and give you a quick overview on how to use
11 00:01:12,230 --> 00:01:20,550 it, and we'll go over all of that in the next lectures. So I'm gonna go to my Kali machine here.
12 00:01:20,780 --> 00:01:27,100 As usual when we want to install something, first we need to make sure that our sources are up to date.
13 00:01:27,320 --> 00:01:32,820 So we're gonna do apt-get update. This ran with no errors.
14 00:01:32,820 --> 00:01:33,770 Perfect.
15 00:01:33,780 --> 00:01:37,560 The next thing that we need to do is install bettercap.
16 00:01:37,650 --> 00:01:46,780 So we're going to do apt-get install a package called bettercap. So we've used this command before;
17 00:01:46,790 --> 00:01:53,140 apt-get is the package manager that we use to download and install packages. We're saying we want to install
18 00:01:53,380 --> 00:01:59,020 a package called bettercap, so I'm going to hit enter.
19 00:01:59,020 --> 00:02:04,450 This will ask you if you want to download it and you will have to press Y from your keyboard. For
20 00:02:04,450 --> 00:02:04,760 me,
21 00:02:04,760 --> 00:02:08,500 I've already installed it so that's why it didn't ask me.
22 00:02:08,700 --> 00:02:15,930 And as you can see now it is downloaded and installed, so I'm going to clear my screen, and to run bettercap
23 00:02:15,940 --> 00:02:21,320 all I have to do now is just type its name, bettercap. Now as usual,
24 00:02:21,330 --> 00:02:27,670 if you want to get more information on this command and how to use it you can do --help.
25 00:02:27,670 --> 00:02:33,960 And this will give you a complete help menu, but you don't really need to worry about this now because
26 00:02:34,140 --> 00:02:39,900 we will be using the tool a lot throughout the course and you will learn a lot as you use it.
27 00:02:40,800 --> 00:02:46,940 So I'm going to clear the screen again and to run the tool now I'm going to type bettercap,
28 00:02:46,970 --> 00:02:55,340 the name of the tool, followed by -iface to specify the interface that is connected to the network
29 00:02:55,580 --> 00:02:58,790 that I want to run the attacks against.
30 00:02:58,850 --> 00:03:02,210 And as you know, to get my interface we can just do
31 00:03:02,240 --> 00:03:11,230 ifconfig, and I'm gonna be running this against my NAT network, which eth0 is connected to, so I'm
32 00:03:11,230 --> 00:03:14,890 gonna set my interface to eth0.
33 00:03:15,160 --> 00:03:22,700 I'm going to close this and I'm going to hit enter to run the tool, and as you can see now we're inside
34 00:03:22,730 --> 00:03:23,480 the tool.
35 00:03:23,600 --> 00:03:30,980 We have a different prompt now in which we can use the commands of bettercap. Now
36 00:03:31,020 --> 00:03:36,840 as you can see here it's telling us that we can type help to get a list of all of the commands that we
37 00:03:36,840 --> 00:03:44,330 can use with bettercap, and since we don't know how to use it I'm actually gonna type help, and perfect,
38 00:03:44,390 --> 00:03:45,140 as you can see,
39 00:03:45,170 --> 00:03:49,370 we get a full list of all of the commands that we can use.
40 00:03:49,420 --> 00:03:54,230 Again, we're going to use it with you now as we go through the course, so you can have a quick look at
41 00:03:54,230 --> 00:03:54,550 them.
42 00:03:54,560 --> 00:03:57,350 But don't worry too much about them.
43 00:03:57,560 --> 00:04:02,400 What's really important and you need to pay attention to right now is the modules.
44 00:04:03,260 --> 00:04:09,980 So these are all of the modules that we can use, or all of the things that we can get bettercap to do.
45 00:04:09,980 --> 00:04:15,890 And as you can see right now none of them is working except for the events.stream, which is basically
46 00:04:15,890 --> 00:04:21,470 the module that runs in the background to handle all the events.
47 00:04:21,470 --> 00:04:28,610 Now you can type help followed by the name of any module you want.
48 00:04:28,610 --> 00:04:34,800 And this will show you a help menu that shows you how to use this specific module.
49 00:04:34,970 --> 00:04:42,230 For example, I want to show you in this lecture the net.probe and the net.recon modules.
50 00:04:42,230 --> 00:04:45,550 So since I don't know how to use them I've typed help
51 00:04:45,800 --> 00:04:52,600 and I'm going to follow it by the name of the module, which is net.probe. I'm going to hit enter.
52 00:04:52,600 --> 00:04:57,400 And as you can see you'll get a description of what this module does.
53 00:04:57,430 --> 00:05:05,110 So basically it keeps sending UDP packets to discover devices on the same network, and we can do
54 00:05:05,170 --> 00:05:12,400 net.probe on to turn on the module and net.probe off to turn it off.
55 00:05:12,400 --> 00:05:17,110 You can also see all the options that you can modify for this module.
56 00:05:17,110 --> 00:05:21,970 And I'm going to talk about options and how to modify them in the next lecture.
57 00:05:21,970 --> 00:05:29,170 So for now I'm going to keep all these to the default option and I'm just going to do net.probe
58 00:05:29,710 --> 00:05:33,020 on to turn it on.
59 00:05:33,130 --> 00:05:39,370 And as you can see this will automatically start discovering clients connected to the same network.
60 00:05:40,120 --> 00:05:46,760 So the 10.0.2.7 right here is actually my Windows target machine.
61 00:05:46,870 --> 00:05:54,160 So if I go to the target Windows machine right here and do ipconfig you'll see its IP address is
62 00:05:54,160 --> 00:05:56,250 10.0.2.7.
63 00:05:56,320 --> 00:06:01,720 So this is just another way of discovering connected clients quickly using bettercap.
64 00:06:02,110 --> 00:06:10,270 And what you didn't notice right now is when we started the net.probe it automatically started the
65 00:06:10,270 --> 00:06:13,300 net.recon. To confirm this,
66 00:06:13,300 --> 00:06:19,350 if we go up right here you can see the only module that was running is the events.stream.
67 00:06:19,870 --> 00:06:28,730 And now if I do help you'll see I actually have two modules running: the net.probe, which we just
68 00:06:28,730 --> 00:06:37,990 saw and we turned on manually, and the net.recon, which got turned on automatically by bettercap.
69 00:06:38,150 --> 00:06:45,220 The reason for this is because the net.probe sends probe requests to all possible IPs.
70 00:06:45,440 --> 00:06:53,270 And then if we get a response the net.recon will be the one detecting this response by monitoring
71 00:06:53,270 --> 00:07:03,240 my ARP cache and then adding all of these IPs in a nice list so we can target them. So now because
72 00:07:03,240 --> 00:07:11,070 the net.recon is actually running we can do net.show to see all of the connected clients.
73 00:07:11,070 --> 00:07:17,280 And as you can see we get a nice list of all of the connected clients, we can see their IPs, we can
74 00:07:17,280 --> 00:07:24,360 see the corresponding MAC addresses for these clients and it can also show you information right here
75 00:07:24,630 --> 00:07:26,860 about each one of these IPs.
76 00:07:27,180 --> 00:07:32,280 For example it's telling us that this IP right here is the IP for eth0.
77 00:07:32,310 --> 00:07:39,250 So this is the IP of this computer. It's also telling us that this IP right here is the gateway.
78 00:07:39,260 --> 00:07:47,660 This is the IP of the router, and you can also see the vendor in here; it's attempting to discover
79 00:07:47,870 --> 00:07:52,210 the manufacturer of the hardware used in each of these clients.
80 00:07:52,220 --> 00:07:58,700 So as you can see for the gateway it thinks that it uses a Realtek chipset.
81 00:07:58,810 --> 00:08:03,360 Now you can also see here the 10.0.2.7 device.
82 00:08:03,460 --> 00:08:05,110 Like I said this is my target
83 00:08:05,110 --> 00:08:11,000 Windows device right here. So that's it for this lecture.
84 00:08:11,020 --> 00:08:17,470 I just wanted to give you a quick overview on how to get help about a specific module, how to run a specific
85 00:08:17,470 --> 00:08:20,890 module and analyze the results that it returns.
86 00:08:21,100 --> 00:08:27,510 And in the next lecture I'm going to show you how we can run an ARP spoofing attack using bettercap
87 00:08:27,610 --> 00:08:34,900 to intercept the data and read usernames and passwords that flow through the network once we become
88 00:08:34,930 --> 00:08:35,980 the man in the middle,
89 00:08:35,980 --> 00:08:37,690 once we intercept the connection.