Let us start with the last practical of web application penetration testing. Throughout this section you have had to learn a lot of different concepts, and I hope you understand them very clearly, because we have tried to explain them in simple language. We tried our best to tell you how these concepts work. And now in the last practical, that is a brute force attack, I will show you a simple demonstration of how hackers use brute force attacks to actually hack a system. But let me tell you one thing: these brute force attacks are very time consuming. If you try to brute force the login page of a very well-known application like Flipkart or Gmail or any other website, it won't work, because at the end, in the database, the password is stored in the form of a hash. And also, let's say a user, Yash, keeps a password of, let's say, "my name is Yash". Now the brute force attack tries to get the password, but it can't guess something like "my name is Yash". So that is really very crucial. And it may be guessed if you use brute force, but it really takes a lot of time. So without wasting much time, I will just show you a simple demonstration of a brute force attack example. So for this, you will just need to log in to your Kali machine. And for this practical, since you are going to use Burp Suite, it will require Metasploitable.
Now, why do we require Metasploitable here, and why can't we just use the DVWA already present in Kali? Because if you have observed, the address of our Kali machine's DVWA, that is, the DVWA which is installed in the Kali machine, is 127.0.0.1. And the proxy that we have set in Burp Suite is also the same. So the request won't be intercepted, and that is why we need the Metasploitable machine. I will again tell you why we use Metasploitable. So make sure you turn on your Kali machine and you keep Metasploitable on as well. So let us get started. So here I am in my Kali machine, and first I will connect to my DVWA, that is, the Metasploitable machine. I have already explained to you why we are using Metasploitable: because whenever you need to capture and intercept using Burp Suite, you should use Metasploitable. In a future lecture I will tell you how you can use the DVWA in Kali Linux, because we need to change the Burp IP address there. So we just type the IP address, 10.0.2.6, and I will connect to my Metasploitable. There you go. And we log in to my DVWA. There, I have logged into my DVWA. Now, the first thing that you need to do is change the DVWA security to low, and here you can see Brute Force.
This is the page where we are going to enter the login and password, and then we are going to try brute forcing it. Now for this, we need to first turn on our Burp Suite. So go to Applications and then turn on your Burp Suite. Now let us give it some time to load. There you go, our Burp Suite has been launched, and now you can see what I was talking about: here is the proxy. You can see this address is the same as the DVWA address. So in our case, when a browser sends a request, the browser located at 10.0.2.16 will send a request to Burp, that is, this address, and then this will again get reflected here. That is why we require Burp Suite. Now, in the Burp Suite introduction, we have seen the different roles of Intruder, Repeater, Sequencer, Decoder, etc. And for this particular brute force attack, we need the Intruder to act as a man in the middle and then perform the brute force attacks. So what you have to do first, to configure the browser to send requests, we have seen that we need to go to Preferences, then we need to change the network settings and set our proxy to manual proxy, that is 127.0.0.1, and click OK. Go to Burp Suite, go to Proxy, and Intercept should be on.
Now what you have to do is just give a random username and password here, and then we will try to crack it by giving a dictionary or a list of different passwords and usernames, and Burp Suite will do the brute force thing for us. So just enter a random username and password: 12345. Now if you click Login, Burp will capture the request. There you go. And now we do not have to forward the request. What we have to do is copy the request, or you can just send it to the Intruder. And if you send it to the Intruder, it becomes orange. If you click here, the host is this, because we want to again send the request to the host, and now Positions. Now you can see all these places, our fields, are highlighted with a blue colour, because whatever we insert in the dictionary, in the payload here (OK, you can see the payload), the Intruder will try to insert those values at the marked fields. But right now we're interested in username and password. So what we'll do is select everything and click Clear. And now we just want to target two positions, that is, username and password. So we'll select the username, that is, the username which we had supplied, click Add, and then we will select the password.
Select the password and click Add. So now the attack type is Sniper. What a Sniper does is it basically targets only one position at a time. But in our case, we're interested in targeting two positions at a time. So we will use Cluster bomb, which basically tries all the combinations and then performs attacks on two different positions. Now just go to the Payloads tab. Now, since we are going to use two payloads, one for the username and the next one for the password, just go to Payloads. So you can see two options. OK, if we select Sniper here, we will have only one option. So we're going to select Cluster bomb and go to Payloads. The first payload will target the username field only. So whatever we supply here in the payload options simple list will get inserted into the username field, and then it will try the passwords. So I will show you how to insert. Now just add "admin" here. Since we are going to add the first payload for the username here, we will try to insert six or seven random usernames which are most commonly deployed. We will just add admin, then another one is admin with Caps Lock on. Another common username is root. OK.
Or Root with a capital R, or in caps, or another common name is Admin with a capital letter. Or let's say I want to give admin@123. So these are all the names. What Burp Suite will do is take admin, go to the position and replace the name here, and then it will take another admin and then try all these options with the remaining passwords. Now we have added the usernames here. Now we will add the passwords. For the password, I will enter "password". Another common one is Password with a capital P, you can see, or everything in capitals. Or let's say admin@123 is also a common password, or admin@1234. OK, so I will try these six passwords against these six usernames. So what the Intruder will do is take the first admin and try this password, this password, this password, this password, this password and password. If it successfully gets a valid username and password, how do we come to know? So you have to go down here in Options, and you can see Grep - Extract, or you can see Grep - Match. So if the result matches the valid username and password, we will have to get notified. Right.
So what is the common message that you get when you have a successful login? You get "success" or "login successful". I will just click Clear and I will enter a new item. I will just write "success", click Add and select this. So what it is saying: flag result items with responses matching these expressions. So whenever a username and password get validated by the backend application, we will get a success message in the Intruder. I will show you how it is. So I hope you must have understood why we use payloads and where we use payloads. Now you are seeing that we have manually added them. So now what if there are hundreds and thousands of usernames? Now, here you have an option; you can see Add from list. Now that option is only available in the Professional version. So what attackers do is they have common dictionaries with them, through the dark web or, you know, through collecting. They have thousands and lakhs of passwords; they just enter the dictionary there, and then Burp Suite takes over. But since we're using the Community version, here we have to enter them manually, so either you can enter hundreds and thousands of passwords manually, or you can buy the Professional version and get it done by itself.
I'm going to just show you about six usernames and passwords, and you can see the request count in the payload options: that is thirty-six; six passwords, six usernames, combinations are six into six, thirty-six. And you do not have to change anything in Options now. So I guess you might have understood: admin will come here and this password will come here. Then it will send the request to the server. From the server, it will get a "success" message. So after all this is set, click Start attack. And OK. And it will start the attack. There you go. Now, before we do that, if you can see the content length here... if you can see the content length, I guess it's not visible right now, or it will be visible. I will show you. So the length is 494, which is the highest probably, and if you can see the success column, whatever is a success will get automatically ticked. So right now it is performing attacks, different types of attacks. So let's wait till it finally completes everything. And yes, it has finished the attack. So if you check the length, you can see root, password, Root, admin, password, admin, admin, admin, password, admin, password.
So these are the values, or might be the values, of this. I will just see what the value for 494 is. And the payload is admin, and this is password. So I just turn off the intercept. We have the results here. We will go to the DVWA brute force page; I will try admin. And password. And there you go, "Welcome to the password protected area admin", which means this is correct. Now I will try this one, the admin and the password. Let's see if we have got the correct answer. There you go. "Welcome to the password protected area admin." So these two values were correct. So if you sort, if you see the content length 494, all the values with 494 must be correct. We have got three possible choices. So these are the three possible correct answers. And in this way, if you... let us check this admin and Password with a capital P; it should show it is not the correct answer. And "Username and/or password incorrect". In this way, basically, a brute force attack is carried out. Now, you might guess that, you know, you can see it is admin and it is password; you can just change it here. And we have seen how this attack is used in Kali.
Now, in this case, the request or the URL is not protected, because it is using the HTTP protocol. In case it is using the HTTPS protocol, you can see in the request, in the Target dashboard or the Intruder or Repeater request, that we can't clearly see the username and password. In that case, the username and password are encrypted. That is why cookies, then encryption, HTTPS, SSL encryption, are all used to avoid such kinds of brute force attacks. Now an attacker can also try to hack or brute force an OTP, that is, a one-time password; a four-digit one-time password can be easily brute forced. But if you carefully observe, the digits are four, and the number of combinations is, for at least two, I guess four, or for every one it is three. So it takes around a lot of time to crack a one-time password. And hence the validity of a one-time password is generally two to three minutes, because brute force cannot get the result within two to three minutes. Right now, for this video, I have actually fast-forwarded the 36 requests. It actually took five minutes for me to actually crack the whole account. And that is why brute force attacks are time-consuming attacks and hackers do not prefer them. And nowadays all the passwords are also hashed or encrypted, and therefore it becomes more difficult.
In the next lecture, we will probably see the most important step of application penetration testing, which is how to perform web application penetration testing in a very detailed manner. We will demonstrate what steps are required and how you should approach performing a web application test. If you are applying for a testing role, which steps you should perform in order to generate a report and everything. So make sure you watch the next video. And please do not skip these lectures, as these are very helpful. I will see you in the next lecture.
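The lecture shows the attacker's view of this run in Burp Intruder; from the defender's side the same 6 x 6 cluster-bomb burst is visible in the web server's access log. The following is an added example, not part of the lecture or of DVWA: it parses constructed Apache-style log lines (the /vulnerabilities/brute/ path, the 10.0.2.x addresses and the response sizes are assumptions modelled on the lab, not real data), flags a source that exceeds a login-attempt threshold inside a sliding window, and uses the lecture's content-length observation to single out the attempts that probably succeeded, since the login page answers both success and failure with HTTP 200.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined-log prefix: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) (?P<size>\d+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/vulnerabilities/brute/"    # assumed DVWA-style login page path

def parse(line):
    m = LOG_RE.match(line)              # one access-log line -> dict, or None if it does not match
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"], rec["size"] = int(rec["status"]), int(rec["size"])
    return rec

def login_attempts(lines):
    """Keep only credential submissions to the login page (a GET form, as in the lecture's DVWA)."""
    return [r for r in map(parse, lines) if r and r["path"].startswith(LOGIN_PATH) and "password=" in r["path"]]

def burst_sources(attempts, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: total attempts} for every source with >= threshold attempts in one sliding window."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a["ip"]].append(a["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:    # drop attempts that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def likely_successes(attempts):
    """Status is 200 either way, so use the lecture's clue: failures share one length, the odd one out probably authenticated."""
    mode = Counter(a["size"] for a in attempts).most_common(1)[0][0] if attempts else None
    return [a["path"] for a in attempts if a["size"] != mode]

# Constructed sample: a 6x6 cluster-bomb run from one lab address, 36 requests in 36 seconds.
USERS = ["admin", "ADMIN", "root", "Root", "Admin", "admin@123"]
PASSWORDS = ["password", "Password", "PASSWORD", "admin@123", "admin@1234", "root"]
BASE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [f'10.0.2.7 - - [{BASE.strftime(TS_FMT)}] "GET /index.php HTTP/1.1" 200 1532']  # unrelated traffic
for i, (u, p) in enumerate((u, p) for u in USERS for p in PASSWORDS):
    size = 4917 if (u, p) == ("admin", "password") else 4873   # constructed lengths; the welcome page is longer
    ts = (BASE + timedelta(seconds=i)).strftime(TS_FMT)
    SAMPLE_LOG.append(f'10.0.2.15 - - [{ts}] "GET {LOGIN_PATH}?username={u}&password={p}&Login=Login HTTP/1.1" 200 {size}')

if __name__ == "__main__":
    attempts = login_attempts(SAMPLE_LOG)
    for ip, n in burst_sources(attempts).items():
        print(f"{n} login attempts from {ip}; review:", likely_successes([a for a in attempts if a["ip"] == ip]))
```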