1
00:00:01,030 --> 00:00:01,810
All right.

2
00:00:02,350 --> 00:00:07,330
Let us take a look at another option that Burp Suite gives us, which is Intruder.

3
00:00:08,140 --> 00:00:14,200
Now, you can consider Intruder as something made for brute force attacks.

4
00:00:14,860 --> 00:00:22,030
The definition behind it is that it allows us to change anything in the request and forward it, but

5
00:00:22,030 --> 00:00:27,940
it also allows us to change certain parts of the requests by reading stuff from our list.

6
00:00:28,780 --> 00:00:35,320
Now, it might sound confusing, but let me show you what I mean. Make sure that intercept is turned

7
00:00:35,320 --> 00:00:35,710
off.

8
00:00:35,900 --> 00:00:42,640
Make sure that you have the virtual machine started and let's visit our DVWA login page.

9
00:00:43,150 --> 00:00:49,820
It will lead us to this page and we should be able to find it under the Target tab, right here.

10
00:00:50,410 --> 00:00:51,520
So here it is.

11
00:00:51,820 --> 00:01:00,430
As we can see, this is the GET request that searched for login.php, which is the exact link

12
00:01:00,430 --> 00:01:01,040
right here.

13
00:01:01,630 --> 00:01:10,060
Now, we can send this request straight from here to Intruder by clicking on it and clicking Send

14
00:01:10,060 --> 00:01:10,810
to Intruder.

15
00:01:11,930 --> 00:01:16,800
And as usual, you will see this Intruder tab light up; it will become orange.

16
00:01:17,360 --> 00:01:18,080
Go to it.

17
00:01:18,500 --> 00:01:20,850
And this is pretty much all we get.

18
00:01:21,380 --> 00:01:27,880
Now, it might seem like nothing at the beginning, but we do have four different tabs for this request.

19
00:01:28,610 --> 00:01:33,560
So once we switch to the Positions tab here, we can see our request.

20
00:01:34,350 --> 00:01:38,270
Now, you will see some of the things here already light up.

21
00:01:38,270 --> 00:01:43,700
And these are the things that we do want to change because they might be important for us, which in

22
00:01:43,730 --> 00:01:49,640
this case is correct, since these are cookie values and in some attacks, we might want to change the

23
00:01:49,640 --> 00:01:50,330
cookie value.

24
00:01:51,110 --> 00:01:54,120
But let's go with a different HTTP request.

25
00:01:54,140 --> 00:01:57,710
Let's go with the next request where we try to log in.

26
00:01:57,720 --> 00:02:01,250
So let's go test and test, which is an incorrect login.

27
00:02:01,550 --> 00:02:06,410
We will get the login failed error and now let's try to find that request right here.

28
00:02:07,450 --> 00:02:08,900
It will be a POST request.

29
00:02:08,919 --> 00:02:15,130
You can already filter it out since all of these other requests are GET requests and here is the only

30
00:02:15,130 --> 00:02:15,970
POST request.

31
00:02:16,160 --> 00:02:20,830
And down here, we can see that it does contain our username and password.

32
00:02:21,430 --> 00:02:26,440
So we can either go here on Actions and send it to Intruder, or we can just

33
00:02:26,440 --> 00:02:26,830
right

34
00:02:26,830 --> 00:02:29,320
click here and send it to Intruder.

35
00:02:29,620 --> 00:02:33,310
And once we visit Intruder, we will have another tab opened up.

36
00:02:33,310 --> 00:02:38,110
And if we go to Positions, here is our HTTP login request.

37
00:02:38,950 --> 00:02:46,600
Now, you will see that these options as well are now printed in green because, as I mentioned, it recognizes

38
00:02:46,600 --> 00:02:49,100
them as something that could be important for us.

39
00:02:50,020 --> 00:02:56,680
Now, what I usually like to do is I like to clear out all of these other options and this will remove

40
00:02:56,680 --> 00:02:59,920
any green print that Burp Suite gives by default.

41
00:03:01,060 --> 00:03:07,510
Now we have something called payload positions, and as you can see, there is this attack type option

42
00:03:07,510 --> 00:03:08,500
that we can choose from.

43
00:03:08,920 --> 00:03:13,360
If we click on this arrow, we will get four different attack types.

44
00:03:14,900 --> 00:03:20,570
Now, to read more about these attack types, what I advise you to do is click on this question mark

45
00:03:21,200 --> 00:03:28,400
and this question mark will open up a page that gives you all the detailed information about these attack

46
00:03:28,400 --> 00:03:31,940
types, as well as what you can do with Intruder.

47
00:03:32,890 --> 00:03:39,730
If we scroll all the way down, it also gives you the explanation for the Add, Clear and Auto buttons, which

48
00:03:39,730 --> 00:03:42,610
are the buttons right here on the right side.

49
00:03:43,180 --> 00:03:48,760
And under the attack type, we can read about each and every attack type that we want.

50
00:03:49,180 --> 00:03:53,560
For example, the sniper attack type uses only a single set of payloads.

51
00:03:53,860 --> 00:03:59,020
It targets each payload position in turn and places each payload into that position in turn.

52
00:03:59,800 --> 00:04:06,100
Now, in other words, this simply means that with the sniper attack type, we can only select one word

53
00:04:06,100 --> 00:04:07,700
right here that we want to change.

54
00:04:08,170 --> 00:04:13,570
For example, let's say that we want to brute force this account, but we do know the username and we don't

55
00:04:13,570 --> 00:04:14,370
know the password.

56
00:04:14,470 --> 00:04:20,470
We would select the password field and we would use the sniper attack in order to brute force the password

57
00:04:20,470 --> 00:04:20,800
field.

58
00:04:21,959 --> 00:04:27,560
You have some other options that you can use: battering ram, this uses a single set of payloads.

59
00:04:27,720 --> 00:04:29,970
Now you can read about all of these if you like.

60
00:04:29,970 --> 00:04:35,910
For example, cluster bomb is an option that you would use if you want to brute force both username

61
00:04:35,910 --> 00:04:42,090
and password since, as it says right here, this uses multiple payload sets, which means you can select,

62
00:04:42,600 --> 00:04:45,030
for example, password and username.

63
00:04:46,080 --> 00:04:48,870
And then you can brute force both of them at the same time.

64
00:04:49,620 --> 00:04:51,050
Now let me show you what I mean.

65
00:04:51,420 --> 00:04:58,710
For example, let's say that we do know the username, which is admin, but we don't know the password

66
00:04:58,710 --> 00:05:00,300
and we just set it to test.

67
00:05:00,900 --> 00:05:08,010
What we would want to do in order to get into this account is we would want to select this test and

68
00:05:08,010 --> 00:05:12,300
click on that, and you will see that it will become green.

69
00:05:12,900 --> 00:05:13,860
Once we do that,

70
00:05:13,980 --> 00:05:18,930
we told Burp Suite that we're going to try to brute force this word right here.

71
00:05:19,530 --> 00:05:25,710
Then we can go to Payloads, and under Payloads, in this window right here,

72
00:05:25,740 --> 00:05:27,750
we want to load our list. Now,

73
00:05:27,750 --> 00:05:33,570
you can either add the list by clicking on this Load button and then navigating through your file system

74
00:05:33,570 --> 00:05:39,180
and trying to find the text list that you want to use, or you can add some random words right here.

75
00:05:39,180 --> 00:05:42,750
For example, test123, test1234,

76
00:05:43,080 --> 00:05:44,630
12345,

77
00:05:44,790 --> 00:05:46,530
let's see, root.

78
00:05:47,130 --> 00:05:51,570
And let's also add the correct password just so we can show that it does work.

79
00:05:51,990 --> 00:05:55,020
And let's go password and password

80
00:05:55,290 --> 00:05:56,020
123.

81
00:05:56,910 --> 00:05:59,490
Now, let's say that this is our list that we want to use.

82
00:06:00,510 --> 00:06:04,930
Once we select it right here, we can click on this Start attack.

83
00:06:05,310 --> 00:06:08,120
It will give us this error, which we want to click OK on.

84
00:06:08,550 --> 00:06:10,760
And it will start our attack.

85
00:06:10,770 --> 00:06:19,710
And what Intruder will do is it will send an HTTP request with a changed password, and it will change the password

86
00:06:19,710 --> 00:06:22,530
with these items that we specified in our list.

87
00:06:23,740 --> 00:06:29,590
It will go for each password and it will perform the request, and we can see that we got status

88
00:06:29,590 --> 00:06:34,330
302, which, if you remember, does redirect us after we send this request.

89
00:06:34,660 --> 00:06:38,160
But what you can do is you can, for example, select the correct password.

90
00:06:38,560 --> 00:06:42,160
Now, in this case, we do know which is incorrect and which is the correct password.

91
00:06:42,160 --> 00:06:46,420
So we can just select the incorrect one and we can

92
00:06:46,420 --> 00:06:46,900
right

93
00:06:46,900 --> 00:06:53,740
click on it and click on Request in browser, or we can also choose Show response in browser.

94
00:06:53,920 --> 00:06:57,850
If we click on that, it will give us a link that we want to copy.

95
00:06:58,030 --> 00:06:59,320
We can copy that link,

96
00:07:00,160 --> 00:07:02,590
go right here and paste it.

97
00:07:05,200 --> 00:07:11,290
We get the login failed printed a couple of times and we do get a correct login right here.

98
00:07:11,400 --> 00:07:17,490
Now, this is a bug because we only requested one password, but it does give us that one of these eight

99
00:07:17,490 --> 00:07:23,670
passwords from our list did work, and we did manage to log in since we already know which one it is.

100
00:07:24,690 --> 00:07:26,280
Let's go to

101
00:07:27,420 --> 00:07:34,410
this option, select the correct password, which is admin, and Show response in browser, copy the link.

102
00:07:34,740 --> 00:07:39,060
We can close this for now and we can go to that link.

103
00:07:40,660 --> 00:07:47,650
And here it is, once we selected the request where the password was admin, now it logs us in because

104
00:07:47,650 --> 00:07:49,240
that was the correct password.

105
00:07:49,900 --> 00:07:50,890
How awesome is that?

106
00:07:50,900 --> 00:07:54,280
So we performed a small brute force attack right here.

107
00:07:55,230 --> 00:08:00,630
Now, this is not that practical and we're going to talk about that more once we get to the brute forcing

108
00:08:00,630 --> 00:08:07,360
part of the course. For now, we just took a look at a very simple brute force attack.

109
00:08:08,010 --> 00:08:14,370
Now we're going to take a look at how we can deal with the problem once it redirects, because we don't

110
00:08:14,370 --> 00:08:19,230
really want to go and visit every single request for every single password just to see whether we managed

111
00:08:19,230 --> 00:08:20,180
to log in or not.

112
00:08:20,730 --> 00:08:25,900
We want another way that we can check which password is correct much faster, right?

113
00:08:26,760 --> 00:08:30,020
Well, we will talk about that in the brute force part of the course. For now,

114
00:08:30,180 --> 00:08:35,940
we checked out the option called Intruder, and there are many other options that Burp Suite allows

115
00:08:35,940 --> 00:08:36,539
us to use.

116
00:08:36,549 --> 00:08:40,400
However, we're going to check most of them out throughout the course.

117
00:08:40,409 --> 00:08:44,310
We just covered the basics of it right now so we can get familiar with it.

118
00:08:44,580 --> 00:08:50,040
And if there is something that you didn't quite get or didn't quite understand, don't worry.

119
00:08:50,040 --> 00:08:53,400
We will practice it a lot throughout the course. For now,

120
00:08:53,400 --> 00:08:57,110
it's just important that you do know how to navigate through it.

121
00:08:57,120 --> 00:08:58,680
You do know what the Target is.

122
00:08:58,950 --> 00:09:00,450
You do know what the Proxy tab is.

123
00:09:00,450 --> 00:09:04,830
You do know how to intercept certain requests and how to remove the intercept.

124
00:09:04,840 --> 00:09:06,150
All of that is important.

125
00:09:06,180 --> 00:09:10,560
However, more advanced stuff we are going to cover throughout the course.

126
00:09:11,100 --> 00:09:12,360
Now we are fully ready.

127
00:09:12,360 --> 00:09:18,030
And in the next lecture, we're going to start off with our first vulnerability, which will be HTML

128
00:09:18,030 --> 00:09:19,890
injection. See you there.