1 00:00:08,030 --> 00:00:15,590 Let's see how to make use of this new information, how to modify a URL or a web address by
2 00:00:15,590 --> 00:00:22,160 using the @ symbol to put something before the URL that allows us to trick the user into thinking they're
3 00:00:22,160 --> 00:00:28,710 going to use that facebook.com, for example, and really send them to our Kali Linux computer.
4 00:00:29,060 --> 00:00:35,810 Then we're going to make use of that integer version of a URL instead of the 10.0.9 address
5 00:00:35,990 --> 00:00:38,300 or, one more time, the Kali Linux box.
6 00:00:38,840 --> 00:00:41,570 Let's get that IP address of the Kali Linux box.
7 00:00:41,580 --> 00:00:48,500 ifconfig, make sure we're still on a 10.0.9.4 address, and let's copy that, or 10
8 00:00:48,500 --> 00:00:50,830 dot dot, whatever your address is, is fine.
9 00:00:51,560 --> 00:00:52,820 Come back into Chrome.
10 00:00:52,820 --> 00:00:56,840 Make sure that we can still pull up our web page, make sure that you're still running the social engineering
11 00:00:56,840 --> 00:00:57,340 toolkit.
12 00:00:57,620 --> 00:01:04,310 If not, you can rerun the credential harvester just by using the social engineering toolkit on the
13 00:01:04,310 --> 00:01:06,830 left-hand menu there or other applications.
14 00:01:06,830 --> 00:01:10,040 Number 13, social engineering techniques.
15 00:01:10,550 --> 00:01:16,070 And remember, that credential harvester is under the menu entries: one for social engineering toolkit,
16 00:01:16,490 --> 00:01:19,610 two for web attacks, three for the credential harvester.
17 00:01:20,300 --> 00:01:24,410 And what we have done is set that up and got it running.
18 00:01:24,980 --> 00:01:30,440 And if we go to 10.0.9.4, you notice it takes us to something that looks exactly like
19 00:01:30,440 --> 00:01:31,550 the Facebook login.
20 00:01:31,940 --> 00:01:36,050 Well, let's convert that 10.0.9.4 address first into an integer.
21 00:01:36,650 --> 00:01:38,900 So I'll do IP address
22 00:01:39,990 --> 00:01:48,560 converter to decimal, and I'll use the same tool, IP address guide. I'll use the 10.0.9.4
23 00:01:48,570 --> 00:01:51,450 address now, or whatever the address of your Kali Linux box is.
24 00:01:52,600 --> 00:01:57,460 Convert that to an integer. Notice that gave me one hundred sixty seven million seven hundred seventy
25 00:01:57,460 --> 00:01:59,470 four thousand four hundred sixty eight.
26 00:02:00,040 --> 00:02:02,290 Copy that integer, come up here.
27 00:02:02,800 --> 00:02:05,590 Just give it an http colon slash slash.
28 00:02:07,120 --> 00:02:13,480 And then paste that integer, one six seven seven seven four four six eight.
29 00:02:15,450 --> 00:02:21,260 And notice that takes us to 10.0.9.4. Now, let's obfuscate that even more.
30 00:02:21,300 --> 00:02:32,190 Let's make it http colon, don't forget the colon slash slash, w w w dot Facebook dot com at, and then
31 00:02:32,190 --> 00:02:36,960 paste that number, and let's go ahead and copy this whole address, because that's what we're going to
32 00:02:36,960 --> 00:02:44,520 use in our new version of the spear phishing email: www.facebook.com at one six seven seven seven four
33 00:02:44,520 --> 00:02:45,420 six eight.
34 00:02:45,660 --> 00:02:51,270 If you copied that address from the IP address converter correctly, now we should be able to copy that
35 00:02:51,510 --> 00:02:52,950 and let's hit Enter.
36 00:02:53,220 --> 00:03:00,090 And remember, this www.facebook.com at is going to treat it like there's a username, www.facebook.com,
37 00:03:00,090 --> 00:03:06,330 at this web server address, and that http colon slash slash before it means that it'll force us
38 00:03:06,330 --> 00:03:09,720 to go to this address that's represented by this integer.
39 00:03:09,720 --> 00:03:10,920 So let's see what happens.
40 00:03:11,990 --> 00:03:21,590 I just hit a link called http colon slash slash www.facebook.com at a long integer, and it gave me my
41 00:03:21,590 --> 00:03:23,420 Kali Linux box.
42 00:03:25,940 --> 00:03:31,380 Let's go back to our Gmail email, and we're going to change out all of those links, not with 10.0.9.4,
43 00:03:31,400 --> 00:03:40,460 that looks obviously like a phishing email, but with www.facebook.com with that http colon slash slash before
44 00:03:40,480 --> 00:03:43,900 and some number that's going to look like a web address.
45 00:03:43,910 --> 00:03:48,980 In fact, the facebook.com web address with just some other information, like a username or something
46 00:03:48,980 --> 00:03:49,760 else after it.
47 00:03:49,970 --> 00:03:52,270 Most people won't spot this type of attack.
48 00:03:52,460 --> 00:03:59,690 So copy this address, www.facebook.com, make sure your http comes before it, at, and your Kali
49 00:03:59,690 --> 00:04:04,610 Linux box's address, and we'll come back over into Gmail on any of our other computers and we'll be able
50 00:04:04,610 --> 00:04:05,480 to craft the email.
51 00:04:06,020 --> 00:04:09,740 So I have pulled open that email that I sent earlier.
52 00:04:09,740 --> 00:04:11,720 I'm going to forward it one more time.
53 00:04:12,230 --> 00:04:14,330 I'll send this to one of my addresses.
54 00:04:15,680 --> 00:04:22,670 I will clean up any extra in email, and now I'm going to click on each of those links. I happen to be
55 00:04:22,670 --> 00:04:29,000 using Gmail, but you can right click in Microsoft Outlook or whatever other email program you're using.
56 00:04:29,000 --> 00:04:31,010 Just select the text.
57 00:04:31,010 --> 00:04:33,020 Sometimes it'll ask you to do that.
58 00:04:33,290 --> 00:04:38,360 And we're not going to give it that obvious phishing email address, 10.0.9.4; we're going
59 00:04:38,360 --> 00:04:54,350 to give it this new, much more difficult to spot http colon slash slash www.facebook.com at one six seven
60 00:04:54,350 --> 00:04:57,590 seven seven four four six eight.
61 00:05:00,280 --> 00:05:10,180 This URL is very difficult, even for experienced people, to understand as a phishing email address
62 00:05:10,180 --> 00:05:10,900 or phishing
63 00:05:12,130 --> 00:05:17,200 website address: www.facebook.com at this address.
64 00:05:18,550 --> 00:05:22,330 That's going to be a really tough one for even your most experienced users to spot.
65 00:05:23,460 --> 00:05:28,800 In fact, that @ symbol is one of the most important things to educate your users on. If they ever see
66 00:05:28,800 --> 00:05:36,630 this, or facebook.com and anything else after it, they need to be suspicious of that email and
67 00:05:36,630 --> 00:05:39,810 go out to the real facebook.com web address.
68 00:05:40,080 --> 00:05:46,440 Don't enter in the... don't just click through an address in an email. But I'm going to change all.
69 00:05:46,590 --> 00:05:47,930 I'm going to copy that one more time.
70 00:05:47,940 --> 00:05:48,390 Copy it.
71 00:05:50,160 --> 00:05:57,270 And I'm going to change all of these addresses to that address just by clicking, going to change and
72 00:05:57,270 --> 00:06:06,780 pasting that, make sure that http colon slash slash comes before it, or work at www.facebook.com at the
73 00:06:06,780 --> 00:06:13,020 integer version of our 10.0.9.4 address, in this case for our Kali Linux computer. Change
74 00:06:13,020 --> 00:06:21,540 all of the URLs in the email, go all the way to the bottom of your email, so that every single address,
75 00:06:21,810 --> 00:06:29,340 including the Facebook icon, will now go to your fake facebook.com at address.
76 00:06:30,770 --> 00:06:34,730 When I send this now and then open it on my other computer,
77 00:06:36,220 --> 00:06:44,410 I'll be able to see the effect that this facebook.com at address has. Now, if I switch over to my
78 00:06:45,250 --> 00:06:51,970 work email account from Firefox and hover over one of those links from the Facebook email, it looks
79 00:06:51,970 --> 00:06:58,270 like it came from www.facebook.com at some address. In this case, Firefox will convert it
80 00:06:58,270 --> 00:06:59,590 for you. In Chrome,
81 00:06:59,590 --> 00:07:02,140 it may convert it all the way down to the 10.0.9.4.
82 00:07:02,140 --> 00:07:08,830 But that www.facebook.com is realistic enough that someone might click through. Firefox,
83 00:07:08,830 --> 00:07:13,900 it's going to give me a warning that this is using the username facebook.com.
84 00:07:14,560 --> 00:07:22,360 But if I click through it anyway, I'll see Facebook, and in Chrome it just takes me directly to
85 00:07:22,360 --> 00:07:25,720 the 10.0.9.4 address without any warning.
86 00:07:26,050 --> 00:07:28,720 And if I enter my username and password,
87 00:07:29,560 --> 00:07:34,150 Wilma at Flintstone dot com,
88 00:07:35,370 --> 00:07:42,450 and Fred as my password, press Log In, it will just reload the facebook.com web page and I'll
89 00:07:42,450 --> 00:07:47,010 have no idea that it just sent my information to the other server.
90 00:07:47,670 --> 00:07:52,140 We'll see how to capture all of those usernames and passwords that might have fallen for this phishing
91 00:07:52,140 --> 00:07:53,970 attempt in the next lesson.