1 00:00:01,010 --> 00:00:02,660 Oh, yes, there's plenty more to do.
2 00:00:03,580 --> 00:00:09,610 There are several tools to perform an ARP spoof attack, such as arpspoof, the command line tool,
3 00:00:09,610 --> 00:00:17,200 which is embedded in Kali, but we're going to use Ettercap for the demonstration of the ARP spoof attack.
4 00:00:18,280 --> 00:00:27,460 Ettercap is a free and open source network security tool for man in the middle attacks on LAN.
5 00:00:28,530 --> 00:00:35,700 It works by putting the network interface into promiscuous mode and by ARP poisoning the target machines,
6 00:00:36,570 --> 00:00:41,910 thereby it can act as a man in the middle and unleash various attacks on the victims.
7 00:00:42,880 --> 00:00:48,310 Ettercap has both a command line interface version and a graphical user interface version.
8 00:00:49,210 --> 00:00:50,320 Let's see them both in action.
9 00:00:52,860 --> 00:00:55,440 First, let me show you the command line version of Ettercap.
10 00:00:56,440 --> 00:00:59,380 So this is my network created in GNS3.
11 00:01:00,650 --> 00:01:05,450 I have a Kali, an OWASP and a Metasploitable VM in the network.
12 00:01:06,590 --> 00:01:14,180 I use ifconfig inside the VMs to check the IP addresses and the other interface configurations as
13 00:01:14,180 --> 00:01:14,570 well.
14 00:01:15,970 --> 00:01:18,500 So ping each other to be sure that they can communicate.
15 00:01:19,210 --> 00:01:19,600 OK.
16 00:01:21,410 --> 00:01:25,910 Now I go to Kali, open a terminal screen and do the same here.
17 00:01:26,780 --> 00:01:30,560 Check the interface configuration and ping the other VMs.
18 00:01:36,500 --> 00:01:37,790 Yep, everything's OK.
19 00:01:39,000 --> 00:01:46,140 So let's look at the ARP table of Metasploitable. Type arp -n and press enter.
20 00:01:47,280 --> 00:01:53,130 So currently, there are two records in the ARP table of Metasploitable, one for Kali and one for
21 00:01:53,130 --> 00:01:54,390 OWASP BWA.
22 00:01:55,960 --> 00:01:57,100 Now, let me show you something.
23 00:01:57,970 --> 00:02:04,930 If you want to perform an ARP spoof attack, you should enable IP forwarding in your attacker system
24 00:02:04,930 --> 00:02:11,110 so that the packets will not end on your attacker system and be forwarded to the destination system.
25 00:02:11,470 --> 00:02:15,340 Otherwise, you'll block the traffic between the victim and the spoofed system.
26 00:02:16,320 --> 00:02:17,160 Check that out.
27 00:02:18,310 --> 00:02:23,230 So IP forwarding is managed by a variable, ip_forward, in Kali.
28 00:02:24,540 --> 00:02:27,240 And to look at the file content, type
29 00:02:28,620 --> 00:02:38,910 cat /proc/sys/net/ipv4/ip_forward and press enter.
30 00:02:40,400 --> 00:02:43,700 Its value is zero, so to enable it, it has to be one.
31 00:02:44,510 --> 00:02:45,080 So I'll change it.
32 00:02:46,200 --> 00:02:49,560 You can open the file with a text editor and change the value.
33 00:02:50,190 --> 00:02:53,490 But here I'll just simply use the echo command for this purpose.
34 00:02:54,850 --> 00:02:55,620 echo 1,
35 00:02:56,670 --> 00:02:59,790 greater-than sign, the entire file name.
36 00:03:02,950 --> 00:03:04,420 So check the file again.
37 00:03:05,600 --> 00:03:07,790 And yes, its value is now one.
38 00:03:09,570 --> 00:03:16,620 Now, please note that Ettercap enables IP forwarding automatically, even though you don't enable it
39 00:03:16,620 --> 00:03:17,250 manually.
40 00:03:17,670 --> 00:03:17,950 All right.
41 00:03:17,970 --> 00:03:21,840 I want you to know what's happening behind the scenes, so to speak.
42 00:03:23,500 --> 00:03:27,550 All right, so now it's time for the attack. Before creating the command,
43 00:03:28,000 --> 00:03:30,100 let's see the manual of Ettercap.
44 00:03:30,970 --> 00:03:34,420 So type man ettercap and press enter.
45 00:03:35,610 --> 00:03:40,740 So here's the short definition and the long description, targets,
46 00:03:43,870 --> 00:03:44,650 options.
47 00:03:47,960 --> 00:03:49,520 M for man in the middle,
48 00:03:49,820 --> 00:03:51,290 MITM attack.
49 00:03:52,190 --> 00:03:55,100 So these are the MITM attack types.
50 00:03:55,400 --> 00:04:00,770 ARP is the first line, and the others ICMP, DHCP, et cetera.
51 00:04:04,450 --> 00:04:10,090 And here are the user interface options, T for the text only interface.
52 00:04:10,690 --> 00:04:12,520 Anyway, let's just create the command.
53 00:04:13,240 --> 00:04:22,840 So first, the command itself, ettercap, -i, the interface is eth0, -T for the text only interface type,
54 00:04:24,160 --> 00:04:31,600 -M, to make it a MITM attack, and select the MITM attack type arp:remote.
55 00:04:33,150 --> 00:04:39,660 So the first IP specifies the IP address which will be spoofed, and the second IP address is the
56 00:04:39,660 --> 00:04:40,470 victim's system.
57 00:04:40,980 --> 00:04:48,930 So that means there will be a row in Metasploitable's ARP table with Kali's MAC address and OWASP BWA's
58 00:04:48,930 --> 00:04:49,740 IP address.
59 00:04:50,790 --> 00:04:57,570 And that means when Metasploitable wants to send a packet to OWASP BWA, it will be sent to Kali
60 00:04:57,570 --> 00:04:58,080 instead.
61 00:04:58,590 --> 00:04:58,920 Right?
62 00:04:59,790 --> 00:05:06,630 And with the help of IP forwarding, the packet will arrive at OWASP BWA finally.
63 00:05:08,780 --> 00:05:14,750 Now, please don't forget to use these slashes at the beginning and end of each IP address.
64 00:05:15,920 --> 00:05:17,180 The command is ready to run.
65 00:05:17,750 --> 00:05:19,250 So let's see what it does.
66 00:05:19,370 --> 00:05:19,910 Hit enter.
67 00:05:21,920 --> 00:05:23,660 And here is a summary of the attack.
68 00:05:24,470 --> 00:05:25,220 The victims,
69 00:05:26,700 --> 00:05:34,200 interface type, etc. Now we'll go to Metasploitable, run arp -n to see the ARP table again.
70 00:05:35,130 --> 00:05:38,010 And as you can see here, the first record is for Kali.
71 00:05:39,720 --> 00:05:45,700 So please look at the MAC address, and the second record is for OWASP BWA,
72 00:05:46,350 --> 00:05:54,120 but with the attacker's MAC address. Any packet sent from Metasploitable to OWASP BWA will visit Kali
73 00:05:54,120 --> 00:05:54,420 now.
74 00:05:55,710 --> 00:06:01,020 So let's create a Telnet connection to port 80 of OWASP BWA.
75 00:06:02,870 --> 00:06:17,570 Type telnet, OWASP BWA's IP and the port 80. Now hit enter, type GET / HTTP/1.0 and press
76 00:06:17,570 --> 00:06:18,650 enter twice.
77 00:06:19,880 --> 00:06:22,400 And here is the HTTP response,
78 00:06:22,700 --> 00:06:25,250 the main page of OWASP BWA.
79 00:06:27,300 --> 00:06:29,490 Now, let's go back to Kali and see what happens.
80 00:06:30,790 --> 00:06:38,830 So these are all the TCP packets sent from Metasploitable to OWASP BWA, ACK packet, FIN packet, and scroll
81 00:06:38,830 --> 00:06:44,140 up a bit, and here's the Telnet connection's result, the HTTP response.
82 00:06:44,530 --> 00:06:45,400 Keep going up.
83 00:06:46,060 --> 00:06:48,310 We can find some other critical data here too.
84 00:06:51,150 --> 00:06:53,640 And here are some credentials, for example.
85 00:06:55,340 --> 00:07:01,070 In the terminal screen where Ettercap is running, you can use Ctrl+C to end the attack.
86 00:07:01,580 --> 00:07:02,710 So there it is.
87 00:07:02,720 --> 00:07:03,260 It's stopped.
88 00:07:04,920 --> 00:07:08,160 Now, go back to Metasploitable and look at the ARP table again.
89 00:07:09,450 --> 00:07:14,790 Now, the IP address of OWASP BWA is matched with the correct MAC address.
90 00:07:17,660 --> 00:07:20,630 Now, you might remember what I told you before that.
91 00:07:20,660 --> 00:07:23,600 Well, I hope you remember everything that I told you before.
92 00:07:24,020 --> 00:07:29,330 But in particular, Ettercap has a graphical user interface as well.
93 00:07:29,840 --> 00:07:32,300 So let's have a look at Ettercap's GUI right now.
94 00:07:33,730 --> 00:07:39,610 Again, we're in Kali. Click the Show Applications menu item and type ettercap.
95 00:07:40,180 --> 00:07:42,550 And here you go, you'll find the Ettercap GUI app.
96 00:07:43,470 --> 00:07:45,360 So these are both Ettercap GUI.
97 00:07:45,930 --> 00:07:47,970 You can just simply click one of them.
98 00:07:49,130 --> 00:07:53,900 I want to show you, though, another way to start the app from the upper left corner.
99 00:07:54,560 --> 00:08:01,520 Applications, go to Sniffing and Spoofing tools and select Ettercap GUI.
100 00:08:02,850 --> 00:08:07,230 OK, so here we are at the main panel of the Ettercap GUI.
101 00:08:08,550 --> 00:08:13,600 We'd better check the network, so I'll open up a terminal screen and ping the other VMs, Metasploitable
102 00:08:13,620 --> 00:08:15,420 and OWASP BWA.
103 00:08:22,520 --> 00:08:23,960 Yeah, everything looks OK.
104 00:08:24,830 --> 00:08:29,960 So go to the Sniff menu in Ettercap and select Unified sniffing.
105 00:08:31,190 --> 00:08:33,770 Asking for input interface, eth0 is good.
106 00:08:34,370 --> 00:08:35,150 Click OK.
107 00:08:36,140 --> 00:08:39,290 If you look at the Ettercap menu, it's totally different now.
108 00:08:40,550 --> 00:08:43,790 So go to Hosts and select Scan for hosts.
109 00:08:44,870 --> 00:08:51,110 It's a kind of a ping scan to find out the devices of the network. Found five devices and added them
110 00:08:51,110 --> 00:08:52,070 to the hosts list.
111 00:08:53,400 --> 00:08:57,690 So go back to Hosts again and now select Hosts list.
112 00:08:58,410 --> 00:08:59,940 And here's a list. Very nice.
113 00:09:00,570 --> 00:09:01,650 Works well.
114 00:09:03,020 --> 00:09:10,430 One nine two one six eight one zero one one is OWASP BWA, yeah, so this is the system that we'll spoof.
115 00:09:11,090 --> 00:09:14,570 So select it and click Add to Target 2.
116 00:09:16,240 --> 00:09:20,470 So one nine two two one six eight one zero one two is Metasploitable.
117 00:09:20,920 --> 00:09:21,760 That's our victim.
118 00:09:22,360 --> 00:09:24,130 So we'll change its ARP table.
119 00:09:24,970 --> 00:09:27,690 Select it and click Add to Target 1.
120 00:09:30,190 --> 00:09:32,530 I think now we're ready to attack, what do you think?
121 00:09:33,070 --> 00:09:37,810 All right, so let's go to MITM and click ARP poisoning.
122 00:09:39,600 --> 00:09:43,740 OK, check the Sniff remote connections option and click OK.
123 00:09:44,740 --> 00:09:49,870 And the final step, go to Start and select Start sniffing.
124 00:09:50,980 --> 00:09:52,210 So the attack has begun.
125 00:09:53,260 --> 00:10:00,580 Well, let's go to Metasploitable and see the attack result. To see the ARP table, type arp -n and
126 00:10:00,580 --> 00:10:01,180 press enter.
127 00:10:02,430 --> 00:10:08,250 The first row is for OWASP BWA, but the MAC address is Kali's MAC. To show it,
128 00:10:08,760 --> 00:10:11,460 now I'll ping Kali to create the ARP record.
129 00:10:13,590 --> 00:10:14,910 Run the arp command again.
130 00:10:15,330 --> 00:10:22,530 And now I have another row for Kali, and both Kali and OWASP BWA have the same MAC address.
131 00:10:23,540 --> 00:10:23,890 OK.
132 00:10:24,140 --> 00:10:30,020 You know the rest, the packets will be sent to Kali instead of OWASP BWA, so if you like, you
133 00:10:30,020 --> 00:10:33,950 can open Wireshark and collect the fruits of your labor.
134 00:10:34,190 --> 00:10:34,790 Enjoy it.