[00:00:00 --> 00:01:21]
Right now, it's time to start the demo. Now, the first thing: make sure that your machines are active and running, and don't forget that they must be bridged. So from here, make sure it is bridged and make sure you choose the exact interface that you have. All right. So this is the Tor, and this is for the Kali, which is Elliot's machine, the hacking machine. It is bridged as well right now. Open it now. Here is the machine. Now, I actually make sure that the Tor is running and active, through sudo su actually, to go as a root user: Tor, one, two, three, one, two, three. Yeah. Here it is. Right. Yeah. Cool. Now systemctl status, actually. Let's... I actually, yeah, I want to increase the font size. systemctl status tor. Yeah, it is running, but it's better to restart it actually, to make sure everything is working as expected. The same thing for nginx. Right now, let's run this tool, which is netstat -nltp. Yeah, you can see it is not here, so let's install it. Now, we have this: sudo netstat -nltp, so you can see that, yeah, it is running on port 80, which is the nginx.
[00:01:21 --> 00:02:36]
And here on this port, we have the Tor. By the way, sorry about this, because actually this is better, I think. So you can see that here it is, the Tor. Where is it? Yeah. Here it is. The user of this port is here. All right, what is running on this port? All right, cool. So we are running now, actually. Let's go to that /etc/tor, or actually /etc/tor. It is /var/lib/tor/hidden_service. And inside it, we have the hostname. So let's go to hostname. This could be it. And let's open it in our browser. And actually I downloaded it here in the Downloads. Here it is. So I will go to it and I'll open the terminal here and start the Tor Browser, which is a script, by the way. So here it is, opening. In a moment, yeah, here it is, you can see that it is now running. Now let's paste that to see if it is working or not. Right now you can see that, yeah, it is running successfully. Now you can see the Tor website. Here is some disgusting content, or whatever that child -- website that Elliot captured. All right.
[00:02:36 --> 00:04:03]
Now, here it is. OK. All right. Cool. Now, let's clear the screen and let's go to another machine, which is the next machine. Now here, if you open the terminal, then, like this. So actually, let's increase the font size. So actually, if I type ifconfig, you can see that here is the IP address, which is, as you can see, 192.168.8.113. But here, actually, if I type ifconfig like this, you can see that here it is, 192.168.8.114, which is at the same subnet, or the same network. OK, cool. Which means that we are having the Tor website on the same network, as in the show, where the Tor website is on Ron's Coffee network or bandwidth. All right. So we are ready to go. So from here, actually, the first thing we want is to make the man-in-the-middle attack. So for that we will use the technique ARP poisoning, OK. And for that, the tool we will use... actually, go through sudo su, which is Elliot, one, two, three, one, two, three, or actually just Elliot, or not. Now we will use the tool called ettercap. OK, so you can see that ettercap, like this.
[00:04:03 --> 00:05:22]
And if I type man, it will open the manual. This is a multipurpose sniffer/content filter for man-in-the-middle attacks. Right now there are a lot of tools for man-in-the-middle attacks, by the way: there are arpspoof, MITMf (man-in-the-middle framework), a lot of things actually. You can read more, but this one is good. So for it, we would use the -T option, which is the text-only interface, as you can see. Also, we will use the -M capital, and the M here actually is the man-in-the-middle attack, as you can see: -M or --mitm, which is man-in-the-middle attack. And for that we will use arp, OK, which is this one. Right. And we will use the remote. So by the way, you can read more about this tool, what is remote, what is oneway; but briefly: remote, which is two-way, and oneway, which is one way. All right. So from this IP to this IP, as one direction, or multidirectional. OK, don't worry, we will handle it. Now, the first thing, it's ettercap and then -T, which means text or verbose, and -i, the Ethernet or the interface, actually. And how to do that? Just type ifconfig and you can see that here, the Ethernet or the interface I'm using is eth0.
[00:05:22 --> 00:06:46]
So it's eth0. And by the way, this is inside the VirtualBox. OK, so I will use it. And here we will use -M capital, as we learned previously, like this, and we will choose the remote. OK, now remote here: we would provide the first IP address, as you can see here, and then the second IP address. OK. All right. Now the first IP address, which is the IP address of the network or of the router; actually, how to know about it? Now, remember, Elliot actually connected to that Ron's Coffee, so Ron's Coffee access point or the switch will have the DHCP protocol enabled. So it would give him an IP, and from that we would understand that this is the network and here is the subnet for it. So we understand that this is the network part and these are the hosts. So most likely it will be 192.168.8.1. All right, cool. And to know the IP address of the network, we will use the route command, and you can see that the gateway we are going to watch is this one. If you notice here, this one is the same as this one, as this is the first part, which is the network. So actually let's increase the font size.
[00:06:46 --> 00:08:03]
So here, 192.168.8. Here it is, 192.168.8.1, which is the gateway, or the IP of the router. So from here I would put it, OK. And what? Slash, slash, then slash, that IP of the victim. OK, which is the IP of that Tor machine. Cool, which is this one? OK. Tor, one, two, three, one, two, three. Now, you may ask me, but I don't have access to this Tor machine. How should I know it? All right. It's OK. I got you. So if I type ifconfig, this is the IP, I believe. All right. But how should I know this is the IP for this specific machine? All right. For that we would use a tool called netdiscover. OK, so actually let's go sudo su - to go as a root user, Elliot user. So here we will have a command called netdiscover, OK, like this, and if I type Enter it will start scanning all the IPs inside the network. So give it some time until we get the IPs, OK. Now after a time, I got these IPs. So this is the IP of that router.
[00:08:03 --> 00:09:13]
You can see Huawei or whatever. Here is one of the clients: Intel Corporate, whatever. Here is another client, which is PCS Systemtechnik, whatever. How does Elliot know that this is the IP for this machine? Actually he, he, he will try getting it, OK. And actually it took him a lot of time to detect, if there are a lot of clients, which are the clients. He came to the cafe a lot of times, actually, and he started scanning until he reached the conclusion that this is the IP of this Tor server. OK, so I can stop it right now and I can take this IP. So let's make sure that it's .114. Actually, if I go here, yeah, it is .114, which is the same one right now, actually. Remember, this virtual machine, this one, this one, the Kali machine, is completely separate from the example, by the way, because we are using a virtual machine. So how did I know that? Because they are in the same network and, using the netdiscover tool, we discovered that this is the IP of the machine. All right. Now we need to copy it. And it's here. And again, the same syntax, which is ettercap.
[00:09:13 --> 00:10:31]
So the syntax would be like this: ettercap again, a quick recap here. We use the command, which is ettercap, -T capital, which means text or verbose, -i the interface, which is eth0 that I'm using on Linux, on my hacking machine, -M capital, which means man-in-the-middle attack, and the technique would be arp with the remote, and the difference between remote and oneway: remote means that we would send traffic and intercept the traffic between this IP and this IP, and we would send the traffic between them not as one way but as bidirectional, right. Which means from this to this and from this to this. All right. And this is the IP of that gateway, or the router, or the switch in our topology, and this is the IP of the Tor machine. How did we know about this? We used that netdiscover tool and we found it here. Now, it is not as simple as that, because imagine we have 10 or 15 clients that are connected to the network. So actually it took him a lot of time, maybe one month, maybe two or three months, I don't know, actually, until he discovered that this is the IP, or this is the static IP.
[00:10:32 --> 00:11:56]
So the first day he found that there are 10 or 20 IPs, and the other day there are other IPs, and he made a list, OK, of the IPs he found, and he found out that this IP keeps going over and over, and it's the same. So he assumed that this is the IP of the machine. So he would start doing it. So actually, before that, he will start intercepting the traffic. Right now, by doing that, I will start intercepting the traffic and doing man-in-the-middle. Again, I want you to do that to help others; please do it to defend yourself or your business, cafe or whatever, OK, from such attacks. All right, press Enter. Now you can see that it will start showing. So we are actually, we are starting intercepting the traffic and so on. So this is the first step right now. If I go here, actually, if I open the browser, which is the Tor website, if I refresh it, it is open. So if I go ahead, actually it got that and intercepted here through our network, through our network card. So it's time to start sniffing that traffic now. Here, to intercept the traffic. Now it's time to start sniffing that traffic. How to do that? Actually we will use sudo wireshark, OK, or open it from here. OK, it's OK.
[00:11:56 --> 00:13:16]
But I prefer to run it as root, actually, like this one. Now we will choose the eth0 interface, or the network interface, which is eth0, and it actually is the network interface that we are running the attack on, or that we are intercepting the traffic on, man in the middle. All right. So we will choose it. And from here, we will start intercepting everything. So actually there is a lot of information, a lot of data and so on. Now actually, how do you detect a Tor website? OK, now the first thing: there are a lot of methods or ways to detect a Tor website. The first thing: using the Tor port number. By default, the Tor port number is TCP 9001. So I'm using the filter here: tcp.port == 9001. OK, yeah, we got it. OK, from our first try we got that there is a Tor website running on this server. OK, now how actually did I know this is the default port number for a Tor website? Now actually it's not from me. I just read about it. This is the default port number, like port 80 is the default for HTTP. This is the default port, simple. Now this is one of the ways to detect a Tor website.
[00:13:17 --> 00:14:32]
Now some people change this default because they want to make it very hard to capture the traffic, or to capture that there is a Tor website running, so they change this default port to something else. So we cannot use this method. We need another method. And what is the method? Actually, by typing the IPs. Right now, remember, from the topology, from the theory side, from Tor or how Tor works, that we mentioned that there are exit nodes or entry guards. Right. And we have public IPs available. All right. Now, if we have a list of the known public IPs for the entry guards or the exit nodes and compare here, then we can find it, and you can see that this is the IP, you can see that. So if I remove this... so let's remove this filter, so you can see that there is a lot of traffic right now. I am intercepting that the source is coming from this and going to this arbitrary destination, a public IP address. OK. And the protocol is DNS, whatever. OK, so for the source IP, I know that this is the IP of that Tor machine. We saw that, 8.114. We saw that. Now the destination. What is this IP address? All right.
[00:14:32 --> 00:15:52]
So I want to make sure that this IP is not one of the entry or exit nodes. OK, so if it is one of these, then we make sure that this is a Tor website, so we are communicating... or this Tor... I mean, this one is communicating with a Tor website, and he got the connection from an exit node or whatever. OK, now by the way, I used the Tor Browser or Tor client from the same machine, so if I have it from another machine it is OK. It would be the same, actually, OK, because we got a connection through our network from some IP address through this. So either it is coming from the same network, for instance, could be, or it is coming from a network from outside the cafe, through the Internet, as we saw previously. OK, it's OK. It is the same, either running or seeing if it is TCP on port 9001. Or we can see that there are some public IPs, as you can see that there are some public IP addresses, and you need to start checking these public IP addresses for that. Actually, I provided you with these links. Actually, I got this from the official documentation, the Relay Search. We already know that the relays, or the Tor network, are running as volunteers around the world. Right.
[00:15:53 --> 00:17:22]
So some of these bad people are using these relays or these nodes as entry guards or as exit nodes. OK, so we would assume that in the show, the Tor website was using one of these nodes, OK, from these, and in it he captured this. So actually, let's take this IP, for example. So actually, if we have this IP address, which is this one. OK, so let's search about it. OK, now you can see that it is not here. OK, now let's find here in the entry guards. So this is for the entry guard, by the way; as you can see, the search is also for the exit: go for the exit node, the flag is Exit here; for the entry guard, or the guards. So if I found it here, if I search about it here... Oh, you can see, we found it. So which means that this IP address is used as a guard. Where is it? Here it is. Here it is as a guard, which means that, yeah, this traffic, where is it? Here, here it is. This means that this IP address, which is the IP address of Tor, is contacting an entry guard or exit node with this public IP address. We assume now that 90 percent or more, actually let's say it is 97 percent, we are seeing Tor traffic. OK, by the way, we already assumed that by seeing the TCP port, which is 9001; we already saw that.
[00:17:22 --> 00:18:56]
But imagine if that default had been changed. OK, so this is the other way, which is by looking, or by searching, for the public IP we are talking to. So the public IP of the entry guard or the exit node, we found it here. We searched about it here. And I provided you, by the way, with these things. And actually you can search it here from the official documentation or the official website. And we noticed, or we know, that this is a Tor website that is running on this specific port? OK, no, not specific here, on this specific IP, because this IP is the IP of the Tor server itself. Right, because we are running that Tor client or Tor Browser from the same server, or Tor server. Now we noticed that this is the IP of the server that is coming or going to this one. So we came to the conclusion: this IP is the IP of the server, that we are contacting an exit node or entry guard, whatever, which is used in the Tor network. So we would assume that this IP address is the IP, actually subnet. So we would assume that this IP address is the IP address of that Tor server, or maybe client. I don't know. Actually we don't know. So how to make sure? We will start scanning this IP address. So actually let's stop that by typing Ctrl+C. All right, we don't need to intercept anymore.
[00:18:56 --> 00:20:31]
OK, let's get out from this, from the Kali, from that Wireshark. Quit, and we don't need it anymore. Now we assume that this is the IP address, which is this one, 192.168.8.114. This is the IP address of this suspicious Tor server, maybe a Tor server or maybe not. How to make sure? We will start using the Nmap utility or tool. So nmap to start scanning, so nmap this IP address, and you can see that it will show us only the port 80, because by default this is the first one thousand. So let's type this time -p- to scan all the ports and just give it some time, because the port 9001 is not within the first 1000. By the way, you can see "Not shown: 999 closed". Right now, you can see that even though we scan everything, as you can see, all ports, so you can see that all the ports are closed. Now why is the port 9001 not opened here? Because if you noticed here in the torrc... Yeah, I know we don't have access yet on the server, but we already know the technology. So from here, actually, if you go to that /etc/tor/torrc, or torrc. You can see that if I go to that. Now, something, where is it? Yeah, the HiddenServicePort, you can see that it is 80 on the localhost, 80, right. So here it is.
[00:20:31 --> 00:21:54]
So you can see that it is running locally. So you can see that. Here it is. So the port that is running, 9001, you can change it, by the way. OK. So we didn't know by that; actually, we made sure that here it is running on port 80. So this is the HTTP service, nginx. And why we use it, why we use that on port 9001. OK, so you can see that it is on this IP address and on this 9001 port. Which means that, yeah, it is a Tor website, 100 percent, on this IP. All right. Now, here's the part of how to hack the machine. Now, actually hacking a Tor website or a Tor exit node is very hard. So how has he managed to hack this specific server? No, they didn't give much details about how he hacked it, but maybe he found some vulnerability on this machine. OK, so maybe he was able to access it through the network. As you can see, because it is, what, 80, so you can find there is a bug or vulnerability running in this server and he compromised the system by that. But from the day he said that he is the one in control of the exit node, which makes him the one in control.
[00:21:54 --> 00:23:17]
So from this day on, we understand that he compromised not the Tor server, but he compromised the exit node, which is actually harder than compromising the server itself. So if he said that, yeah, we noticed that the server is on the same network and I scanned it, I found there is some vulnerability and started hacking it, then this is better. But he said that, no, he compromised the exit node, referring to this machine. Now, how to compromise Tor exit nodes or entry guards? Actually it's very hard. You need to compromise almost 90 percent of the Tor relay networks around the world. And then you will start capturing the traffic on each one, and then you can detect that it is going to Tor on Ron's Coffee, and this is what makes it hard. So this is just for the show. This is not a real one, to be honest. So theoretically, it is possible. But actually it takes a lot of dedication, effort, time. And on top of that, you need a lot of luck, actually; actually 90 percent, you need that, to be honest, because from the theory I showed you, that using the relay or choosing the circuit for this Tor network, it requires randomisation. And to know exactly that there's traffic going from this place to this server is very hard. So how he managed to do that, I don't know, actually.
[00:23:17 --> 00:24:01]
But I think this is for the sake of the show. After all, they need some drama, right. By the way, I provided you the method of how to hack a Tor website, the ways to hack a website, a Tor website, when it sounds insane or impossible, let's say hard, but just as a theory. But OK, so we will assume that actually, to be real life, that in the show, in Ron's Coffee, the Tor server exists and here it is, the IP address of it. And he managed to find a vulnerability here inside this server and he started hacking it, and he managed to hack it by exploiting that vulnerability, which clearly they didn't show us, and they didn't give much details about it. All right. Thanks for watching.