1
00:00:00,970 --> 00:00:09,090
In the previous lecture we've seen how to create a web page that exploits a CSRF vulnerability to

2
00:00:09,120 --> 00:00:15,610
automatically submit a form, and we've seen how we can exploit it to get the target person to change their

3
00:00:15,610 --> 00:00:17,470
password without them even knowing.

4
00:00:17,470 --> 00:00:22,140
So as soon as they double-click the file, this form will be automatically submitted,

5
00:00:22,150 --> 00:00:25,570
changing the password to the password that we want.

6
00:00:25,590 --> 00:00:31,350
One problem with that is it's usually a bit difficult to get people to run files, even though it's just an HTML

7
00:00:31,360 --> 00:00:32,190
file.

8
00:00:32,370 --> 00:00:36,460
And you can use smart social engineering skills to get them to run it.

9
00:00:36,480 --> 00:00:43,170
It's still a bit difficult, and it will be much easier if we can just send them a link which will change

10
00:00:43,170 --> 00:00:45,930
their password as soon as they click on that link.

11
00:00:46,350 --> 00:00:51,000
And this is actually really easy, because the file we created is an HTML file.

12
00:00:51,000 --> 00:00:55,830
So all we have to do is just upload that file to a web hosting company. You know, there is a lot of

13
00:00:55,830 --> 00:00:57,600
free web hosting online.

14
00:00:57,600 --> 00:00:59,390
You can just upload that file there.

15
00:00:59,460 --> 00:01:04,190
You can use a URL shortening service as well to make the URL shorter and less suspicious.

16
00:01:04,380 --> 00:01:07,170
And then you can send it to the target person.

17
00:01:07,170 --> 00:01:10,890
So I'm going to show you how to do that, but I'm actually going to do it on my local machine because

18
00:01:10,890 --> 00:01:15,780
everything for me here is local, but it works on external websites exactly the same.

19
00:01:15,810 --> 00:01:19,820
You'll just have to upload the demo page to your web hosting.
20
00:01:19,820 --> 00:01:21,880
Doesn't matter if it's free or paid.

21
00:01:21,930 --> 00:01:23,530
But there are a lot of free ones.

22
00:01:23,760 --> 00:01:26,460
So I'm going to use my local Apache server right here.

23
00:01:26,730 --> 00:01:31,800
And then we're going to browse it from our target Windows machine, and we'll see how that is going to

24
00:01:31,800 --> 00:01:35,190
be executed and how the password is going to be changed.

25
00:01:35,190 --> 00:01:39,810
So before I do anything, I'm actually just going to reopen the file and I'm going to set the password

26
00:01:39,810 --> 00:01:43,330
to 777777 instead of 666,

27
00:01:43,350 --> 00:01:49,580
so we just know that the password has been changed to the new one, and I'll change it in here as well.

28
00:01:50,540 --> 00:01:56,610
And now I'm going to copy this to my local web server in Kali.

29
00:01:56,740 --> 00:02:02,680
First of all I'm going to copy the file to my document root. So the file is stored in Desktop now, so

30
00:02:02,680 --> 00:02:11,350
I'm going to do cp Desktop/csrf.html /var/www/html.

31
00:02:11,510 --> 00:02:16,410
And now I'm going to start my Apache, so I'm going to do service apache2 start.

32
00:02:19,670 --> 00:02:21,030
Now everything's working.

33
00:02:21,050 --> 00:02:22,850
So I'm just going to get my IP address,

34
00:02:25,820 --> 00:02:29,470
and my IP address is 10.20.14.213.

35
00:02:29,510 --> 00:02:31,910
So I'm just going to go to a Windows machine.

36
00:02:33,790 --> 00:02:37,710
Now in this machine I'm actually pretending to be a target user.

37
00:02:37,720 --> 00:02:41,090
So first of all I have to be logged in to my account.
38
00:02:41,200 --> 00:02:47,950
So I'm just going to go to DVWA, so I'm going to log in with my username, which is admin, and I'm

39
00:02:47,950 --> 00:02:53,770
going to log in with my old password, or my current password, the one that we set previously,

40
00:02:53,950 --> 00:02:57,020
which is 666.

41
00:02:57,270 --> 00:02:59,450
Now as you can see I can log in normally.

42
00:03:00,540 --> 00:03:04,940
Now I'm going to close this.

43
00:03:05,000 --> 00:03:11,070
Now we're going to browse to the page that contains the forged CSRF exploit.

44
00:03:11,090 --> 00:03:17,300
So we're going to pretend that I was social engineered and someone gave me a URL to click.

45
00:03:17,330 --> 00:03:20,070
So at the moment we're actually not going to download any file.

46
00:03:20,090 --> 00:03:21,860
We're not going to double-click any file.

47
00:03:21,890 --> 00:03:27,740
All we're going to do is literally just browse a URL, and once we do that our password is going to

48
00:03:27,740 --> 00:03:33,680
be changed. So the page, as I said, you can host it on free hosting; there's a lot of free hosting online

49
00:03:33,980 --> 00:03:34,580
at the moment.

50
00:03:34,610 --> 00:03:43,410
I have it hosted on my Kali machine, and its IP is 10.20.14.213.

51
00:03:43,580 --> 00:03:50,670
And then I'm going to put the name of the page, which was set to csrf.html.

52
00:03:50,800 --> 00:03:54,120
I'm going to hit enter.

53
00:03:54,230 --> 00:03:59,120
As you can see, it's telling me that the password has been changed, and all I did again,

54
00:03:59,150 --> 00:04:00,910
all I did is just run a URL.

55
00:04:00,910 --> 00:04:06,960
And so it's all down to you how you're going to convince your target to execute that URL.
56
00:04:06,980 --> 00:04:14,250
So if I just log out now and log in again, you'll see that my password... now I have to log in with admin,

57
00:04:14,950 --> 00:04:21,970
and I'm actually going to type the password here, so it's 777777, and I'm going to copy all of this

58
00:04:22,810 --> 00:04:29,340
and paste it down there, just so that you actually know that the password has been changed to 7777.

59
00:04:29,740 --> 00:04:36,070
So the vulnerable URL was 10.20.14.213/csrf.html.

60
00:04:36,190 --> 00:04:43,180
Anybody who would run this URL and is logged into their target website, they'll be forced to change

61
00:04:43,180 --> 00:04:46,600
their password to 777777.

62
00:04:46,630 --> 00:04:47,780
Now you can use this method,

63
00:04:47,830 --> 00:04:55,180
as I said, with any website that is vulnerable to CSRF, and it'll force the user to do any action

64
00:04:55,180 --> 00:04:55,590
you want.

65
00:04:55,600 --> 00:04:58,750
All you have to do is just adapt the same method to the form.

66
00:04:58,750 --> 00:05:04,420
So whether it's a payment form, whether it's a sign-up form, whether it's a submit-article form, whether

67
00:05:04,420 --> 00:05:10,360
it's a form that sends a message to a friend, you can just go to the website, right-click, inspect the

68
00:05:10,360 --> 00:05:17,290
form element, copy the form code, hide everything, add the JavaScript code that submits the website, or that

69
00:05:17,380 --> 00:05:19,420
submits the form automatically.

70
00:05:19,420 --> 00:05:25,150
Then you can send the HTML website as it is to the target person, or you can upload it

71
00:05:25,390 --> 00:05:30,730
to an online hosting and then just send the hosting URL to the target person.

72
00:05:30,730 --> 00:05:34,960
Once they browse that URL, the web page will be automatically executed,

73
00:05:35,040 --> 00:05:39,790
forcing them to change their password or to do the action that you want them to do.