1
00:00:00,450 --> 00:00:01,530
Instructor: Welcome back.

2
00:00:01,530 --> 00:00:03,630
Let's cover another tool that we can use

3
00:00:03,630 --> 00:00:05,790
for a man-in-the-middle attack.

4
00:00:05,790 --> 00:00:08,640
And this tool is named similarly to the previous tool

5
00:00:08,640 --> 00:00:09,693
from the last video.

6
00:00:10,806 --> 00:00:14,640
This tool is called Ettercap, just without the B.

7
00:00:14,640 --> 00:00:16,170
Now, unlike the previous tool,

8
00:00:16,170 --> 00:00:18,300
we already have this pre-installed

9
00:00:18,300 --> 00:00:20,160
inside of our Kali Linux machine.

10
00:00:20,160 --> 00:00:23,310
And this is a graphical interface tool.

11
00:00:23,310 --> 00:00:26,070
So it might be a little bit easier for us to run it,

12
00:00:26,070 --> 00:00:27,690
and let's give it a try.

13
00:00:27,690 --> 00:00:30,840
What we must do first is we must open the terminal,

14
00:00:30,840 --> 00:00:33,090
and as I already mentioned in the previous video,

15
00:00:33,090 --> 00:00:36,423
let's run all of this with the root account.

16
00:00:37,680 --> 00:00:40,980
Now, before we actually start running this tool,

17
00:00:40,980 --> 00:00:43,380
I want to talk about another thing

18
00:00:43,380 --> 00:00:46,710
which is called manual packet forwarding.

19
00:00:46,710 --> 00:00:49,750
So sometimes some of the tools will not perform

20
00:00:50,647 --> 00:00:51,480
the packet forwarding for you.

21
00:00:51,480 --> 00:00:53,310
And if you don't do it yourself,

22
00:00:53,310 --> 00:00:56,868
sometimes even after performing the ARP spoofing

23
00:00:56,868 --> 00:00:58,501
and the man-in-the-middle attack,

24
00:00:58,501 --> 00:01:00,000
your targets will not be able to visit pages,

25
00:01:00,000 --> 00:01:02,343
because you didn't allow packet forwarding.
26
00:01:03,650 --> 00:01:06,390
To always make sure that your packet forwarding is allowed,

27
00:01:06,390 --> 00:01:08,200
you can cat out the file at

28
00:01:09,096 --> 00:01:14,096
location /proc/sys/net/ipv4/ip_forward.

29
00:01:22,132 --> 00:01:23,780
Once you cat this file, you will either have

30
00:01:23,780 --> 00:01:25,350
a value of zero or one right here.

31
00:01:25,350 --> 00:01:26,940
If you have a value of zero,

32
00:01:26,940 --> 00:01:30,180
that means the packet forwarding is not enabled.

33
00:01:30,180 --> 00:01:34,110
And, in that case, you must enable it first.

34
00:01:34,110 --> 00:01:37,623
To do that, you can type echo 1,

35
00:01:38,490 --> 00:01:42,127
and you echo it into this location.

36
00:01:42,127 --> 00:01:46,950
So proc, sys, net, ipv4, and ip underscore forward.

37
00:01:46,950 --> 00:01:49,186
And then you double-check to see

38
00:01:49,186 --> 00:01:52,140
whether the value of one has been added to this file,

39
00:01:52,140 --> 00:01:53,280
and it indeed has.

40
00:01:53,280 --> 00:01:56,820
Now the packets are allowed to be forwarded.

41
00:01:56,820 --> 00:02:00,060
Once you do that, then you can start your tools.

42
00:02:00,060 --> 00:02:03,430
So to start the Ettercap tool, all we need to do

43
00:02:04,267 --> 00:02:07,923
is to type Ettercap dash G.

44
00:02:09,539 --> 00:02:12,433
Oops, it says Ettercap not found.

45
00:02:12,433 --> 00:02:13,751
Let's give it a try.

46
00:02:13,751 --> 00:02:15,601
Maybe it is not installed by default.

47
00:02:17,830 --> 00:02:18,960
Let me see.

48
00:02:18,960 --> 00:02:23,687
Hmm, unable to load Ettercap.

49
00:02:23,687 --> 00:02:25,306
Maybe it is lowercase.

50
00:02:25,306 --> 00:02:26,139
So if I type it like this,

51
00:02:26,139 --> 00:02:28,404
okay, so now it works.

52
00:02:28,404 --> 00:02:30,253
Just make sure that you specify it

53
00:02:30,253 --> 00:02:31,680
with a lowercase e at the beginning.
54
00:02:31,680 --> 00:02:35,380
Then you type ettercap and then dash capital G

55
00:02:36,254 --> 00:02:37,440
for graphical interface.

56
00:02:37,440 --> 00:02:40,612
Once you do that, it will open this new window,

57
00:02:40,612 --> 00:02:42,360
which is the new version of Ettercap,

58
00:02:42,360 --> 00:02:44,673
that is a little bit different than

59
00:02:44,673 --> 00:02:46,503
in the previous Kali Linux versions.

60
00:02:47,670 --> 00:02:49,970
You can enlarge the window, and the first thing

61
00:02:50,843 --> 00:02:53,070
that we must do right here is to set up the interface

62
00:02:53,070 --> 00:02:55,110
and the sniffing at startup.

63
00:02:55,110 --> 00:02:56,493
So you can turn this on,

64
00:02:57,347 --> 00:02:59,717
you can select your primary interface in case

65
00:02:59,717 --> 00:03:00,908
you're on Kali Linux.

66
00:03:00,908 --> 00:03:02,040
It'll usually be eth0,

67
00:03:02,040 --> 00:03:03,903
unless you're running over wireless.

68
00:03:04,895 --> 00:03:06,528
Then you want to choose a different interface.

69
00:03:06,528 --> 00:03:07,410
And once you do all of that,

70
00:03:07,410 --> 00:03:10,323
you can click on this check button right here,

71
00:03:11,250 --> 00:03:14,250
which says accept, and it will tell you down here

72
00:03:14,250 --> 00:03:16,473
started unified sniffing.

73
00:03:18,411 --> 00:03:19,815
Now what I usually like to do

74
00:03:19,815 --> 00:03:21,715
is I like to enlarge this lower window

75
00:03:22,848 --> 00:03:24,473
a little bit more to see everything better,

76
00:03:25,472 --> 00:03:28,590
and then we can experiment with different Ettercap options.

77
00:03:28,590 --> 00:03:30,390
The first thing that we must do,

78
00:03:30,390 --> 00:03:32,940
when performing this attack, is to discover

79
00:03:32,940 --> 00:03:35,550
all of the hosts on the network.

80
00:03:35,550 --> 00:03:39,840
To do that, you can click on this button right here.
81
00:03:39,840 --> 00:03:42,060
It'll even tell you that this button is used

82
00:03:42,060 --> 00:03:44,870
to scan for hosts, and once you click on this,

83
00:03:44,870 --> 00:03:49,680
it will automatically scan all 255 hosts on my network,

84
00:03:49,680 --> 00:03:54,063
and it'll tell me four hosts added to the host list.

85
00:03:55,416 --> 00:03:58,057
But right here we cannot really see the hosts.

86
00:03:58,057 --> 00:04:00,720
So how can we see which hosts are discovered?

87
00:04:00,720 --> 00:04:04,096
Well, we can go onto this button right here,

88
00:04:04,096 --> 00:04:07,163
click on it, and it'll tell us the IP addresses

89
00:04:07,163 --> 00:04:10,080
of the hosts and their MAC addresses.

90
00:04:10,080 --> 00:04:14,190
Down here also, these buttons will add the selected host to

91
00:04:14,190 --> 00:04:18,060
Target 1 or add to Target 2.

92
00:04:18,060 --> 00:04:19,740
And as in the previous video,

93
00:04:19,740 --> 00:04:22,750
we're going to perform this attack on our Windows

94
00:04:23,723 --> 00:04:24,816
10 target machine.

95
00:04:24,816 --> 00:04:25,649
Or in my case,

96
00:04:25,649 --> 00:04:27,450
I'm going to perform it on my Windows 10 target machine.

97
00:04:27,450 --> 00:04:29,750
You can choose whichever machine that you want.

98
00:04:31,166 --> 00:04:33,777
Since the IP address of my Windows 10 machine

99
00:04:33,777 --> 00:04:34,920
is 192.168.1.7,

100
00:04:34,920 --> 00:04:37,547
I'm going to right-click on this

101
00:04:37,547 --> 00:04:39,510
and add to Target 1.

102
00:04:39,510 --> 00:04:41,730
To check out whether I successfully added it,
103
00:04:41,730 --> 00:04:44,730
I can take a look down here, and it does say Host

104
00:04:44,730 --> 00:04:47,340
and then this IP address added to Target 1,

105
00:04:47,340 --> 00:04:50,100
but I can also go to these three dots,

106
00:04:50,100 --> 00:04:53,730
click on Targets and click on Current Targets,

107
00:04:53,730 --> 00:04:56,160
and it'll tell me that I have the current target

108
00:04:56,160 --> 00:05:00,000
of 192.168.1.7.

109
00:05:00,000 --> 00:05:03,870
Once I select my targets, I can start ARP poisoning.

110
00:05:03,870 --> 00:05:07,110
And to do that, I click on this right here

111
00:05:07,110 --> 00:05:10,410
which says MITM menu, and we've got different types

112
00:05:10,410 --> 00:05:14,010
of poisoning, but we are interested in this ARP poisoning.

113
00:05:14,010 --> 00:05:17,910
Click on that and click on OK to start sniffing

114
00:05:17,910 --> 00:05:19,113
remote connections.

115
00:05:20,850 --> 00:05:23,641
It'll tell us down here our poisoning

116
00:05:23,641 --> 00:05:26,591
victims: Group 1, which is the only target that we specified,

117
00:05:27,921 --> 00:05:29,790
with its MAC address, and Group 2 will be all

118
00:05:29,790 --> 00:05:33,399
of the hosts in the list, but we don't have any.

119
00:05:33,399 --> 00:05:36,630
So currently we are attacking just the Windows 10 machine.

120
00:05:36,630 --> 00:05:38,280
Now there is one thing about this tool.

121
00:05:38,280 --> 00:05:41,130
It'll not print nearly as much information

122
00:05:41,130 --> 00:05:43,620
as the previous Bettercap tool.

123
00:05:43,620 --> 00:05:46,860
However, once our target visits a page that sends

124
00:05:46,860 --> 00:05:51,070
unencrypted usernames and passwords, it'll print that right

125
00:05:52,131 --> 00:05:53,070
here, and we can take a look at that

126
00:05:53,070 --> 00:05:55,840
by going to our router as in the previous video

127
00:05:56,910 --> 00:06:00,690
and typing in, for example, admin and then password.
128
00:06:00,690 --> 00:06:05,690
If I click on login down here, we will manage to sniff that.

129
00:06:05,970 --> 00:06:07,770
As we can see, the HTTP,

130
00:06:07,770 --> 00:06:10,530
it'll tell us where the connection came from.

131
00:06:10,530 --> 00:06:14,100
The username is admin and the password is this.

132
00:06:14,100 --> 00:06:17,525
Now, this is once again the hashed value of the password

133
00:06:17,525 --> 00:06:20,550
because that is how it is implemented inside of our router.

134
00:06:20,550 --> 00:06:22,770
If it was some page that was sending the passwords

135
00:06:22,770 --> 00:06:24,120
in plain text,

136
00:06:24,120 --> 00:06:28,273
we would be able to see it right here in plain text.

137
00:06:28,273 --> 00:06:29,430
Okay, so now

138
00:06:29,430 --> 00:06:31,590
that we did the same thing from the previous video,

139
00:06:31,590 --> 00:06:34,450
I also want to show you a cool trick that you can check

140
00:06:36,346 --> 00:06:39,499
out to see if the target machine is being ARP spoofed.

141
00:06:39,499 --> 00:06:41,460
So let's say that we are on our target machine,

142
00:06:41,460 --> 00:06:45,223
and this is the machine that is currently being ARP spoofed.

143
00:06:45,223 --> 00:06:46,056
How can we check out

144
00:06:46,056 --> 00:06:48,510
whether our connection is being sniffed?

145
00:06:48,510 --> 00:06:50,650
Well, we can open the command prompt

146
00:06:52,967 --> 00:06:54,617
and we can type the command arp -a,

147
00:06:57,060 --> 00:07:01,510
and this will give us our ARP cache, or in other words,

148
00:07:02,374 --> 00:07:04,068
this will give us the IP addresses

149
00:07:04,068 --> 00:07:05,640
of the machines in the local area network

150
00:07:05,640 --> 00:07:08,730
and their corresponding MAC addresses.
151
00:07:08,730 --> 00:07:11,370
And if we take a look right here,

152
00:07:11,370 --> 00:07:13,830
we can see that all of these IP addresses right

153
00:07:13,830 --> 00:07:18,120
here appear to have the same MAC address.

154
00:07:18,120 --> 00:07:21,180
And that is not a good sign.

155
00:07:21,180 --> 00:07:23,760
Once you see something like this, or if you even

156
00:07:23,760 --> 00:07:27,450
see two different IP addresses having the same MAC address,

157
00:07:27,450 --> 00:07:29,040
that is also not a good sign,

158
00:07:29,040 --> 00:07:30,450
and that would most likely mean

159
00:07:30,450 --> 00:07:33,270
that a man-in-the-middle attack is being performed,

160
00:07:33,270 --> 00:07:35,100
especially if you have the IP address

161
00:07:35,100 --> 00:07:38,380
of the router having the same MAC address

162
00:07:39,313 --> 00:07:41,310
as a different machine on the network.

163
00:07:41,310 --> 00:07:43,440
And this is how you can check this out.

164
00:07:43,440 --> 00:07:46,090
For example, if I stop this,

165
00:07:47,520 --> 00:07:51,600
let's go right here and quit this program,

166
00:07:51,600 --> 00:07:56,600
stopping the MITM attack and closing this.

167
00:07:59,640 --> 00:08:02,070
And if I go and run the same command,

168
00:08:02,070 --> 00:08:04,990
now you can see different IP addresses have

169
00:08:06,480 --> 00:08:08,538
different MAC addresses, and this is how it should be,

170
00:08:08,538 --> 00:08:10,365
because the MAC addresses are unique.

171
00:08:10,365 --> 00:08:13,530
So one IP address should have one different MAC address,

172
00:08:13,530 --> 00:08:15,630
and not like this where we had all

173
00:08:15,630 --> 00:08:18,960
of the IP addresses having the same MAC address.

174
00:08:18,960 --> 00:08:21,450
Now in the next video, we're going to take a look

175
00:08:21,450 --> 00:08:25,050
at how we can perform this manually using Python 3.

176
00:08:25,050 --> 00:08:27,060
We're not going to be sniffing for data.
177
00:08:27,060 --> 00:08:30,510
We're just going to see how we can change the MAC address

178
00:08:30,510 --> 00:08:33,900
of the router from our Kali Linux machine to appear

179
00:08:33,900 --> 00:08:35,159
as the same MAC address

180
00:08:35,159 --> 00:08:38,159
from the Kali Linux machine to our Windows 10 machine.

181
00:08:38,159 --> 00:08:40,419
Or in other words, if you didn't understand,

182
00:08:41,287 --> 00:08:43,320
we're going to spoof the Windows 10 machine

183
00:08:44,241 --> 00:08:46,320
with one packet just to change its ARP tables.

184
00:08:46,320 --> 00:08:49,620
And we're going to do that using Python 3.

185
00:08:49,620 --> 00:08:51,750
So that would be about it for the Ettercap tool.

186
00:08:51,750 --> 00:08:54,120
You can experiment with other options as well

187
00:08:54,120 --> 00:08:57,543
if you want to, and I will see you in the next video.