1 00:00:00,140 --> 00:00:02,770 Let's talk again about credential stuffing.
2 00:00:02,790 --> 00:00:05,360 And while we're at it, we're going to talk about password spraying.
3 00:00:05,370 --> 00:00:10,650 Now, I realize we talked about this earlier in the course with Breach-Parse and WeLeakInfo, but I do
4 00:00:10,650 --> 00:00:17,190 think that hammering concepts over and over, and how important they are, does help with information retention.
5 00:00:17,190 --> 00:00:22,710 So again, if we look at this example here: what is credential stuffing? Well, it's just injecting breached
6 00:00:22,710 --> 00:00:25,590 account credentials in hopes of account takeover.
7 00:00:25,620 --> 00:00:31,290 So if you look at the compromised server here in the upper right-hand corner, we pull down usernames
8 00:00:31,380 --> 00:00:39,180 and credentials, and we get these from leaks like the LinkedIn leak or the Equifax leak or whatever ones
9 00:00:39,300 --> 00:00:40,530 have come out recently.
10 00:00:40,530 --> 00:00:45,540 We get these leaked credentials, we grab these databases, we search through them like we did with
11 00:00:45,570 --> 00:00:51,360 Breach-Parse or like we can with WeLeakInfo, and we get these stolen credentials, and we take these credentials
12 00:00:51,390 --> 00:00:54,050 and we try to pass them to the site login.
13 00:00:54,210 --> 00:01:00,960 Now, we can take a look at a real-life example of that, which I have pulled up here. And again, this is
14 00:01:00,960 --> 00:01:04,710 just an example of the Tesla Breach-Parse results.
15 00:01:05,250 --> 00:01:07,490 So we have some usernames and passwords.
16 00:01:07,500 --> 00:01:09,190 We have repeat offenders.
17 00:01:09,210 --> 00:01:13,080 Remember, we also have similar passwords here.
18 00:01:13,080 --> 00:01:19,020 But the art of credential stuffing is taking these passwords and these usernames and throwing them at
19 00:01:19,020 --> 00:01:19,940 a website.
20 00:01:20,040 --> 00:01:21,040 That's all it is.
21 00:01:21,060 --> 00:01:25,720 So we're going to throw them at a website and just kind of spray and pray.
22 00:01:25,770 --> 00:01:32,600 Now, I've just gone ahead and opened up this same tesla-master file. I've only opened up the users and the
23 00:01:32,600 --> 00:01:35,230 passwords, just for an example of spraying.
24 00:01:35,360 --> 00:01:40,840 This video is going to be in theory only; I don't want you attacking Tesla's website.
25 00:01:41,060 --> 00:01:47,180 So just take this as an example. You can follow along all the way up until the point that we actually hit Attack,
26 00:01:47,330 --> 00:01:48,680 if you want to follow along.
27 00:01:48,740 --> 00:01:52,700 But for this, please do not attempt an exploit against Tesla.
28 00:01:52,700 --> 00:01:55,810 You do not know when the criteria are going to change,
29 00:01:55,820 --> 00:01:58,460 and I just don't want you getting in trouble, just in case it does.
30 00:01:58,460 --> 00:02:05,850 So from here, I'm going to go ahead and go to Firefox, and while we are in Firefox, what I want to do is
31 00:02:05,850 --> 00:02:13,450 I want to take a quick pit stop and go to Google, and I want to look up something called FoxyProxy.
32 00:02:13,530 --> 00:02:14,660 So go ahead and do this.
33 00:02:14,670 --> 00:02:19,590 Look up FoxyProxy like this, not Foxy Foxy Proxy.
34 00:02:19,590 --> 00:02:23,470 And go ahead and click on this top one here, the Standard.
35 00:02:23,820 --> 00:02:28,500 And we're just going to go ahead and install the Standard to our Firefox.
36 00:02:28,800 --> 00:02:32,900 And this is going to be a useful tool that we'll be using throughout the course.
37 00:02:32,910 --> 00:02:36,090 So, OK, we've got FoxyProxy installed.
38 00:02:36,390 --> 00:02:40,110 Now what has happened: up in the right-hand corner we've got this here.
39 00:02:40,290 --> 00:02:46,430 You see FoxyProxy is here, and we can say, hey, Options, and in the Options we're going to add in a proxy
40 00:02:46,430 --> 00:02:50,770 over here on the left, and we're just going to call it Burp Suite,
41 00:02:53,590 --> 00:02:55,730 and then over here we've got proxy types.
42 00:02:55,780 --> 00:03:03,070 We're just going to leave this at HTTP, and then we're going to give it an address, which is 127.0.0.1,
43 00:03:03,080 --> 00:03:05,420 same thing as before.
44 00:03:05,450 --> 00:03:13,410 And again, this is 8080. We'll hit Save, and then we're going to go ahead and close out, and then
45 00:03:13,410 --> 00:03:16,890 all we have to do now is click this and click this.
46 00:03:16,950 --> 00:03:20,940 And now Burp Suite is turned on. Super simple. So let's go ahead
47 00:03:20,940 --> 00:03:28,260 also to our Applications, and let's just go up here and open up Burp Suite, and let's test out our proxy
48 00:03:28,260 --> 00:03:36,790 and make sure... ignore the errors, don't worry about those. Let's go ahead and hit Next and Use Burp defaults.
49 00:03:36,820 --> 00:03:39,000 And I will give you a second here to catch up.
50 00:03:39,010 --> 00:03:45,910 So I realize that I might be clicking through a little fast, so once you have everything set up like
51 00:03:45,910 --> 00:03:51,070 this, what we're going to do is we're just going to make sure our proxy works. We're going to refresh the
52 00:03:51,070 --> 00:03:55,030 page, and you can see that it worked. So, easy on, easy off.
53 00:03:55,030 --> 00:03:56,610 That's all we're looking for here.
54 00:03:56,740 --> 00:04:02,350 Instead of having to go into the menu and go to Preferences and, you know, go through that whole process,
55 00:04:02,410 --> 00:04:03,970 all we've got to do is click a little button.
56 00:04:03,970 --> 00:04:06,340 We can turn it on or off within a couple of clicks.
57 00:04:06,730 --> 00:04:12,880 So from here I'm going to turn the Intercept off, and we're just going to go ahead and go to tesla.com,
58 00:04:16,290 --> 00:04:21,240 and Tesla should look like this when you go to it. In the upper right-hand corner there is a Sign In
59 00:04:21,240 --> 00:04:21,870 button.
60 00:04:21,870 --> 00:04:22,950 Go ahead and click Sign In,
61 00:04:25,770 --> 00:04:31,140 and again, this is just a watch-and-learn exercise. You can follow along up until the point that we fire
62 00:04:31,140 --> 00:04:31,920 the attack.
63 00:04:31,950 --> 00:04:37,260 There will be opportunities here, in very, very soon videos, where you actually get to do this and you
64 00:04:37,260 --> 00:04:38,200 can practice along.
65 00:04:38,580 --> 00:04:44,480 So from here, let's turn on the Intercept, and let's go ahead and just put in a fake email. Let's do test
66 00:04:44,480 --> 00:04:53,770 at test dot com, test@test.com, and we'll do "test" as the password, and hit Sign In. And that's intercepted here, so you can
67 00:04:53,770 --> 00:04:58,600 see the user equals, or email equals, test@test.com and password equals test.
68 00:04:58,600 --> 00:05:05,350 We're going to go ahead and just right-click this and say Send to Intruder, and from Intruder, what we're
69 00:05:05,350 --> 00:05:13,470 going to do is we're going to go to Positions in here, and then we're going to Clear. All those green go
70 00:05:13,470 --> 00:05:16,320 away, because it tries to auto-select positions for us.
71 00:05:16,950 --> 00:05:24,190 So now what we're going to do is we're just going to highlight this here and we're going to say Add, and
72 00:05:24,190 --> 00:05:29,050 then we're going to highlight this here and we're going to say Add. So we're selecting two different parameters.
73 00:05:29,050 --> 00:05:32,560 We're selecting the email parameter and we're selecting the password parameter.
74 00:05:32,800 --> 00:05:34,570 And now we have different attack types up here.
75 00:05:34,570 --> 00:05:39,530 The most common that we're going to use is either Sniper... but Sniper uses one parameter.
76 00:05:39,700 --> 00:05:47,040 So we're actually going to use what is called a Pitchfork here, and we're going to go ahead and go over
77 00:05:47,040 --> 00:05:50,540 to our Payloads, and what we're going to do...
78 00:05:50,540 --> 00:05:56,550 All right, what I'm going to do is I want to take this list of users, and I'm just going to copy this and I'm
79 00:05:56,550 --> 00:06:05,520 going to paste it, and then on the second one I'm going to take my list of passwords and I'm going to
80 00:06:05,520 --> 00:06:14,940 paste it. Now, what this is doing, if we go back to Payloads: that one has all the usernames; it's going into the
81 00:06:14,940 --> 00:06:19,960 first one we set here. Payload set two, all the passwords,
82 00:06:19,960 --> 00:06:23,250 those are all going into here, and we have 30 total accounts,
83 00:06:23,260 --> 00:06:25,200 meaning what's happening with this:
84 00:06:25,240 --> 00:06:28,390 this Pitchfork is payload one,
85 00:06:28,480 --> 00:06:32,990 number one is corresponding to payload two, number one.
86 00:06:33,130 --> 00:06:34,380 So they only run together.
87 00:06:34,390 --> 00:06:36,550 So this will run the username and password.
88 00:06:36,550 --> 00:06:39,190 These are just the separated users and passwords.
89 00:06:39,190 --> 00:06:43,650 This will run this username against this password here.
90 00:06:43,660 --> 00:06:50,770 So what we're going to do is we'll just start the attack, and it just says, hey, this is a demo version of Intruder
91 00:06:50,770 --> 00:06:51,840 because you're on Community.
92 00:06:51,850 --> 00:06:53,550 Don't worry about that; it still runs.
93 00:06:54,040 --> 00:06:55,050 It's just a little slower.
94 00:06:55,060 --> 00:06:57,970 I'm going to go ahead and hit Pause on the attack.
95 00:06:57,970 --> 00:07:02,170 Now there are some interesting things that we can look for when we're doing this.
96 00:07:02,170 --> 00:07:05,950 What we're looking for is a status code change of some sort.
97 00:07:05,950 --> 00:07:11,740 Maybe we see 200s here and we want, like, a 301, which means a redirect, or we see a significant
98 00:07:11,740 --> 00:07:13,090 change in length.
99 00:07:13,150 --> 00:07:18,550 That would be a good indicator that maybe we had a successful login. Other items too: we can
100 00:07:18,550 --> 00:07:23,640 click in here and look at the response, and we can say, OK, what did the response say?
101 00:07:23,780 --> 00:07:27,790 If we scroll down, maybe it said something in here about a failed login.
102 00:07:27,820 --> 00:07:28,050 OK.
103 00:07:28,060 --> 00:07:33,120 "We could not sign you in." And we could just take "we could not sign you in," like this,
104 00:07:33,190 --> 00:07:37,250 copy this, and then we can come back.
105 00:07:37,360 --> 00:07:38,630 We'll close this attack.
106 00:07:38,770 --> 00:07:44,650 We'll come into Options here, and there's actually a Grep feature, so we can remove... we can clear all these,
107 00:07:45,690 --> 00:07:52,690 and in this little box I'm going to paste this and say, yes, match this here. So watch what this does.
108 00:07:53,110 --> 00:07:59,970 So we're going to start this attack again, and then I'm going to pause it, and you can immediately look
109 00:07:59,970 --> 00:08:04,230 at the checkboxes. This means it's showing up in the response; it's grepping it out.
110 00:08:04,230 --> 00:08:07,090 It knows immediately that we didn't sign in successfully.
111 00:08:07,530 --> 00:08:10,920 So this is an example of a credential stuffing attack.
112 00:08:11,400 --> 00:08:16,350 So we're looking for these few different things: a status change, a significant length. Like, we're seeing
113 00:08:16,380 --> 00:08:17,790 all the same kind of lengths here.
114 00:08:17,810 --> 00:08:24,630 But what if it was like five thousand or two thousand or fifteen thousand? If the page length changes,
115 00:08:24,780 --> 00:08:29,130 there's a good chance that you signed into something and we have a, yes, a login.
116 00:08:29,130 --> 00:08:30,560 Same thing here with this.
117 00:08:30,570 --> 00:08:35,360 If you can find your error code, or what it says, and then grep on that, then you can click up here and
118 00:08:35,410 --> 00:08:40,860 sort by that, and you can search for the ones that don't return that and possibly have a login as well.
119 00:08:40,860 --> 00:08:44,250 So this is the art of credential stuffing.
120 00:08:44,280 --> 00:08:46,620 Now let's say we wanted to close this out.
121 00:08:46,650 --> 00:08:49,800 We want to go back and we want to do password spraying.
122 00:08:49,830 --> 00:08:52,250 Well, we're going to go ahead and just clear this out.
123 00:08:52,500 --> 00:08:58,410 And if you remember, password spraying is the art of using known usernames without a known password.
124 00:08:58,800 --> 00:09:04,610 So we'll just say Add here, and we would gather a list of all the possible users that we can think of.
125 00:09:04,740 --> 00:09:10,620 We can look at Hunter.io, we can look at, you know, the breached password lists, we can look at LinkedIn
126 00:09:10,620 --> 00:09:17,660 and gather people who work there, come up with this big list, and then actually clear... sorry.
127 00:09:17,700 --> 00:09:19,050 No, this is right.
128 00:09:19,110 --> 00:09:23,850 We'll add these and we'll have all the different users, and then for this we'll just change the request
129 00:09:23,850 --> 00:09:34,170 to like Fall2019, or we can set it up... we could set this up here like Fall2019! or
130 00:09:34,170 --> 00:09:38,550 whatever the time frame is, or however you want, or maybe, you know, they work at Tesla.
131 00:09:38,550 --> 00:09:46,200 So maybe we'll do Tesla1 if they have a weak password policy, or 123, or an @ sign or a pound sign.
132 00:09:46,500 --> 00:09:47,970 You just try a few of these.
133 00:09:47,970 --> 00:09:54,990 The only downside to this is you are most likely attacking Active Directory accounts. When you're attacking
134 00:09:54,990 --> 00:10:00,570 Active Directory accounts, you want to be very careful, because you could lock them out without even trying.
135 00:10:00,570 --> 00:10:08,130 So if you're doing a pentest, the best idea is to ask before you attack. Say, hey, how many unsuccessful attempts do
136 00:10:08,130 --> 00:10:13,380 you have before a lockout happens? Because the worst thing you want
137 00:10:13,380 --> 00:10:19,860 to do is fire off ten of these in a row, lock out a bunch of users, and cause a denial of service. That is very,
138 00:10:19,860 --> 00:10:24,720 very possible and very, very easy to do. So make sure you're not just firing these willy-nilly, that you
139 00:10:24,720 --> 00:10:30,090 have a good idea of the password policy, the lockout policy, etc. That will really help you when you do
140 00:10:30,090 --> 00:10:36,840 these attacks, but you just want to do these kind of one or two at a time, wait a few hours, fire another
141 00:10:36,840 --> 00:10:40,800 one or two at a time, and you should be good to go. OK.
142 00:10:40,810 --> 00:10:47,320 So same deal here. We could fire this and we could just say, you know, all of these say Password123,
143 00:10:47,650 --> 00:10:53,840 and we'll just switch this to Sniper here, and if we come to the Payloads you could see it just kept
144 00:10:53,840 --> 00:10:54,550 the emails.
145 00:10:54,560 --> 00:10:56,450 There is no payload two anymore.
146 00:10:56,450 --> 00:11:06,300 So what this would do, if we hit Start attack, is it would start firing this against this email address
147 00:11:06,630 --> 00:11:12,240 with a password of 123, and then this, on this email address, with the password of 123.
148 00:11:12,660 --> 00:11:18,150 It would just go down the list, and that's all password spraying is. But the feature that I'm showing you
149 00:11:18,150 --> 00:11:25,170 here, between credential stuffing and password spraying, is by far the most common way that we get in on
150 00:11:25,170 --> 00:11:26,490 external assessments.
151 00:11:26,760 --> 00:11:31,860 Way, way more than you're ever going to see just an exploit out in the wild. Where you're going to see this
152 00:11:31,860 --> 00:11:36,450 most likely, and second, you're probably going to see something like default credentials.
153 00:11:36,540 --> 00:11:42,480 So if you see a login page, always check default credentials, because you never know. You're likely not
154 00:11:42,480 --> 00:11:49,170 going to see an exploit out there, because the chances are, one is that if you see an exploit like that
155 00:11:49,170 --> 00:11:52,290 out there, who knows who else is seeing that already,
156 00:11:52,290 --> 00:11:56,310 what kind of bad actors, because bad actors are scanning the Internet all the time for these sorts of
157 00:11:56,310 --> 00:11:59,880 things, and if they're seeing it, then guess what,
158 00:12:00,030 --> 00:12:01,680 you know, or if you're seeing it, then guess what:
159 00:12:01,680 --> 00:12:03,300 they're probably already seeing it as well.
160 00:12:03,300 --> 00:12:06,570 So that's a bad situation too.
161 00:12:06,680 --> 00:12:13,170 You've got to think of protection and clients. Just think of clients like a house. When you talk about the
162 00:12:13,290 --> 00:12:18,450 external of your house, your external, your doors have really good locks on them.
163 00:12:18,450 --> 00:12:20,370 You might have two locks on your door.
164 00:12:20,490 --> 00:12:22,810 You might have good lighting, all this other stuff.
165 00:12:22,850 --> 00:12:24,930 I'd like to try to keep bad guys out.
166 00:12:25,320 --> 00:12:28,640 But on the inside, some of your doors probably don't even lock.
167 00:12:28,860 --> 00:12:31,460 And that's really how you can treat an external assessment.
168 00:12:31,560 --> 00:12:37,960 The clients do a really good job of, you know, beefing up their external,
169 00:12:38,070 --> 00:12:41,600 but when it comes to the internal, it's not usually as good.
170 00:12:41,640 --> 00:12:44,330 So same thing with physical assessments as well.
171 00:12:44,340 --> 00:12:46,790 You just gotta... you gotta get inside.
172 00:12:46,890 --> 00:12:52,040 Once you're inside, it's kind of easy breezy for the most part. So take that lesson away.
173 00:12:52,200 --> 00:12:57,780 If anything you take from the course, again, at least for the external side, take away that enumeration
174 00:12:57,780 --> 00:13:02,970 and information gathering are super important, because you want to get to the stage here where you are doing
175 00:13:02,970 --> 00:13:07,110 these credential stuffing attacks, and you can use Burp Suite for it.
176 00:13:07,110 --> 00:13:11,880 This is my favorite go-to. There are other methods as well, but it's so easy just to grab any different
177 00:13:11,880 --> 00:13:18,390 website and just, you know, intercept the proxy, send it to Intruder, make one modification, and fire it
178 00:13:18,390 --> 00:13:19,180 off.
179 00:13:19,320 --> 00:13:20,990 So super, super simple.
180 00:13:21,030 --> 00:13:25,800 This is something that will come up in an interview as well, so make sure you're very aware of it, and
181 00:13:25,800 --> 00:13:29,120 make sure you watch this again if you need to understand the concepts.
182 00:13:29,130 --> 00:13:34,380 So from here we're going to go ahead and take a quick look at our notes in the next video, just kind of
183 00:13:34,380 --> 00:13:39,480 where I want you to be with your notes, and then we're going to get into what I call the mid-course capstone,
184 00:13:39,480 --> 00:13:44,920 where I'm going to show you a bunch of different hacks and just my thought process and theories and
185 00:13:44,940 --> 00:13:50,760 thinking when I go into a scan and looking at results, just so you can kind of get into the mind
186 00:13:50,760 --> 00:13:55,500 of an attacker and how we think, and then we'll start moving on to exploit development
187 00:13:55,500 --> 00:13:59,100 and my favorite, Active Directory exploitation.
188 00:13:59,100 --> 00:14:01,490 So I look forward to seeing you in the next video.