1 00:00:00,150 --> 00:00:05,300 Hello everybody and welcome to the next tutorial in the man in the middle attack.
2 00:00:05,310 --> 00:00:12,870 So now let us run some of the more advanced attacks with the man in the middle framework.
3 00:00:12,930 --> 00:00:17,070 So in order to do that let's see our available options first.
4 00:00:17,100 --> 00:00:24,700 So just type here ./mitmf.py --help.
5 00:00:25,080 --> 00:00:31,340 Sorry for that, and let us see some of our available options that we can use right here.
6 00:00:31,380 --> 00:00:36,510 So if you scroll up you can see a bunch of these options.
7 00:00:36,510 --> 00:00:40,560 Now we will mostly be using the --arp spoofing.
8 00:00:40,620 --> 00:00:46,760 We will use later on the DNS spoofing, or possibly in this video as well.
9 00:00:47,010 --> 00:00:52,800 What we want to do, I just want to show you that you can also specify targets with this.
10 00:00:52,830 --> 00:01:00,230 So not everyone on the local network will be exposed to the ARP spoofing attack.
11 00:01:00,240 --> 00:01:08,910 So if you just specify both the gateway and both the targets or our single target it can be used to
12 00:01:08,940 --> 00:01:11,740 only attack one single machine.
13 00:01:11,730 --> 00:01:19,800 Everyone else will be functioning normally, but be aware that sometimes when you close this program everyone
14 00:01:19,800 --> 00:01:28,260 will be unable to connect to the internet because you were messing around with the ARP table in
15 00:01:28,260 --> 00:01:32,100 both gateway and both your machines that you were spoofing.
16 00:01:32,100 --> 00:01:38,600 So it might take a few seconds, possibly a minute or two, in order for everything to get back to normal.
17 00:01:38,610 --> 00:01:42,240 And in order for everyone to be able to access the internet once again.
18 00:01:42,420 --> 00:01:45,960 So let's actually specify a single target right here.
19 00:01:45,960 --> 00:01:54,990 We can do that with mitmf, minus minus, or -i for the interface. We specify the eth0 as one
20 00:01:54,990 --> 00:02:03,210 for the interface and we specify the same as before, so --spoof, then --arp.
21 00:02:03,240 --> 00:02:12,270 So for ARP spoofing, and then --target. We can use our command prompt to check out the IP address
22 00:02:12,330 --> 00:02:14,760 of our Windows 10 machine.
23 00:02:14,760 --> 00:02:21,780 So it is 192.168.1.2, and then we specify that IP address right here
24 00:02:21,990 --> 00:02:25,440 and then we specify the gateway IP address right after it.
25 00:02:25,440 --> 00:02:31,410 So 1.1, and I will not be running this command at the moment as it is the same as in the previous
26 00:02:31,410 --> 00:02:31,930 video.
27 00:02:31,950 --> 00:02:37,740 I just want to show you that you can specify a single target or, I believe, if you for example do something
28 00:02:37,740 --> 00:02:40,900 like this, 2-20.
29 00:02:41,100 --> 00:02:46,950 It will ARP spoof all of the targets that have the IP range between .1.2 and between
30 00:02:46,950 --> 00:02:51,810 .1.20, so it's good to know that you can do that as well.
31 00:02:51,800 --> 00:02:58,880 And right now before we continue I want to show you the config file that comes with the MITMf.
32 00:02:59,480 --> 00:03:07,030 So what we want to do right now is I want to show you how you can perform the same attack on the
33 00:03:07,070 --> 00:03:10,460 HTTPS servers or websites as well.
34 00:03:10,520 --> 00:03:18,300 So we saw in the previous video that this website right here, which is HTTPS, wasn't vulnerable to our
35 00:03:18,310 --> 00:03:24,920 ARP spoofing attack and we weren't able to see the username and password that were typed in on this
36 00:03:24,920 --> 00:03:25,370 website.
37 00:03:25,970 --> 00:03:27,890 But let's see if we can change that.
38 00:03:27,890 --> 00:03:30,380 So we want to run this command.
39 00:03:30,380 --> 00:03:33,050 Let me just play this and what you want to do.
40 00:03:33,290 --> 00:03:35,100 Let me just first clear the screen.
41 00:03:35,180 --> 00:03:40,790 Just type ls in the MITMf folder and you will see a directory called config.
42 00:03:40,850 --> 00:03:41,540 It is right here.
43 00:03:42,020 --> 00:03:48,980 So let's change our current directory into the config directory and what we want to do is type here
44 00:03:49,040 --> 00:03:54,520 ls and you will see that there is a file called mitmf.conf.
45 00:03:54,620 --> 00:04:01,250 Now you will be using that file extensively while performing some of the advanced attacks right here
46 00:04:01,820 --> 00:04:02,570 in this tool.
47 00:04:02,600 --> 00:04:06,140 Since all the configuration is in that file.
48 00:04:06,740 --> 00:04:13,670 So right now what we want to do is basically we want to open that file, so let us nano
49 00:04:13,670 --> 00:04:18,350 mitmf.conf and you will see some of the available options right here.
50 00:04:18,380 --> 00:04:24,950 So this is the configuration file. As it says right here, everything that is after the hash is referred to
51 00:04:25,040 --> 00:04:29,570 as a comment and it won't be run by our man in the middle or proxy.
52 00:04:29,570 --> 00:04:32,630 So this is for Metasploit.
53 00:04:32,870 --> 00:04:37,730 MITMf API users, so we can see some specified host, port.
54 00:04:37,730 --> 00:04:45,830 Now this is the default port, that would be for Metasploit framework, which we will also be covering in the
55 00:04:45,830 --> 00:04:52,580 next videos briefly while performing the man in the middle attack. The Metasploit we will be covering in the next
56 00:04:52,580 --> 00:04:53,140 section.
57 00:04:53,150 --> 00:04:57,410 But what we are interested in right now is the DNS part right here.
58 00:04:57,920 --> 00:05:06,320 So you have a plugin called DNS in our man in the middle framework too, which can allow us to basically specify
59 00:05:06,440 --> 00:05:12,000 the IP address for a certain domain as we can see right here.
60 00:05:12,380 --> 00:05:17,600 twitter.com equals 192.168.1.15.
61 00:05:17,600 --> 00:05:26,390 Now we both know that this isn't the real Twitter's IP address and it basically will redirect the
62 00:05:26,390 --> 00:05:33,820 twitter.com to the 192.168.1.15, which is my laptop's IP address.
63 00:05:33,820 --> 00:05:41,110 So for example I could be hosting a fake login page on my laptop and I could be redirecting everyone
64 00:05:41,110 --> 00:05:45,080 to the laptop and the people wouldn't even notice.
65 00:05:45,260 --> 00:05:51,100 Since if I host a fake Twitter login page everyone will think it's legit, since they typed in the Google
66 00:05:51,100 --> 00:05:51,830 search bar
67 00:05:51,970 --> 00:05:54,510 twitter.com and they were redirected to
68 00:05:54,510 --> 00:05:57,790 twitter.com login page, but it is a fake one.
69 00:05:58,120 --> 00:06:06,250 So let us actually try to use this, but not on Twitter, since I don't believe it will work since Twitter
70 00:06:06,280 --> 00:06:15,130 is HTTPS or TLS. Now sometimes I was able to get Twitter to display a fake login page, but not
71 00:06:15,130 --> 00:06:22,900 with this attack, with the HSTS attack, which is basically stripping the SSL and performing the DNS
72 00:06:22,900 --> 00:06:31,000 resolving on Twitter, which basically just enabled us to be able to capture usernames and passwords
73 00:06:31,030 --> 00:06:34,330 on Twitter as well, but this doesn't work anymore I believe.
74 00:06:34,330 --> 00:06:40,870 So we will specify a simple website like this one which is HTTPS, so we can see that its domain is
75 00:06:40,960 --> 00:06:46,210 this one. We will specify it right here.
76 00:06:47,560 --> 00:06:56,020 So let me just type here star, then dot, then this right here, and we can specify the IP address of my
77 00:06:56,140 --> 00:06:59,410 laptop since right there I am running Apache2.
78 00:06:59,680 --> 00:07:06,640 Now if you are running Apache2 on Linux what you want to do is basically open a new window, let
79 00:07:06,640 --> 00:07:15,060 me enlarge this right here. Now your Apache2 web page folder is stored in, cd, so change directory,
80 00:07:15,060 --> 00:07:17,880 /var/www/html.
81 00:07:18,190 --> 00:07:24,400 So if you type here ls you will have probably this index.html file, which is the file that
82 00:07:24,400 --> 00:07:28,900 you will display once someone types your IP address on the Google search bar.
83 00:07:28,900 --> 00:07:36,220 So let me just delete this file right here and let me get the index.html, so let me just
84 00:07:36,220 --> 00:07:38,440 show you what I mean by that.
85 00:07:38,440 --> 00:07:40,210 So let me just check my IP address.
86 00:07:40,240 --> 00:07:42,870 My IP address is .1.7.
87 00:07:42,870 --> 00:07:52,300 Now if you open up your Firefox and type the IP address of your Kali Linux machine it will lead you to
88 00:07:52,300 --> 00:07:56,040 your Apache2 web page if it is running currently.
89 00:07:56,050 --> 00:08:00,980 If it is not I will show you how you can run it. .1.7.
90 00:08:00,980 --> 00:08:03,740 Not really sure why is it displaying.
91 00:08:03,920 --> 00:08:04,620 Oh ASP
92 00:08:07,940 --> 00:08:11,320 as we can see is .1.7.
93 00:08:11,320 --> 00:08:18,200 Even my IP address so let's call up.
94 00:08:18,380 --> 00:08:22,600 It is my IP address but it doesn't seem to be loading the correct page.
95 00:08:24,200 --> 00:08:30,290 So let's remove the, or let's rename the index.html into 1.html.
96 00:08:30,740 --> 00:08:39,850 So this will display the page a little bit different since Apache2 only recognizes the... Unable
97 00:08:39,860 --> 00:08:42,310 to connect. Firefox can't establish a connection.
98 00:08:42,310 --> 00:08:44,490 The site could be temporarily... OK.
99 00:08:44,510 --> 00:08:50,600 It doesn't even matter, but what you want to do is basically take a fake page or any other page and put it
100 00:08:50,690 --> 00:08:55,680 in this folder and name the main HTML file index.html.
101 00:08:55,790 --> 00:09:03,660 So in order for the Apache2 to display your fake page properly you will need to name the file
102 00:09:03,670 --> 00:09:05,900 index.html. If you name it,
103 00:09:05,900 --> 00:09:07,750 for example, 1.html,
104 00:09:07,760 --> 00:09:09,030 this won't work.
105 00:09:09,110 --> 00:09:12,400 So keep that in mind.
106 00:09:12,590 --> 00:09:17,630 I will show you once we create a fake captive portal, I will show you how you can clone pages and how
107 00:09:17,630 --> 00:09:23,050 you can put them in the Apache2 and run them, for example.
108 00:09:23,060 --> 00:09:28,220 You can see that my Apache2 is running on my laptop.
109 00:09:28,250 --> 00:09:34,100 If I type the IP address of my laptop you will see it will lead me to this Index of and then some files
110 00:09:34,100 --> 00:09:34,580 right here.
111 00:09:34,970 --> 00:09:41,360 So these are basically some of the files that I have in the /var/www/html
112 00:09:41,360 --> 00:09:44,990 folder and they will be displayed on the page
113 00:09:44,990 --> 00:09:46,960 once you type the IP address.
114 00:09:46,980 --> 00:09:53,750 Now the point of this is that you can have a fake login page displayed right here and you can redirect
115 00:09:53,810 --> 00:10:01,250 this website to that fake login page, so every time someone types this in their search bar they will
116 00:10:01,250 --> 00:10:03,360 be redirected here.
117 00:10:03,500 --> 00:10:06,860 Now let us see how that works right now.
118 00:10:06,860 --> 00:10:12,890 So let us close this. First of all what you want to do is Ctrl+O to save, Enter, and then Ctrl+X
119 00:10:12,890 --> 00:10:13,460 to exit.
120 00:10:14,720 --> 00:10:19,990 And let me just turn on the Apache2 on my laptop.
121 00:10:20,350 --> 00:10:25,160 OK so it's already turned on and what we want to do right now is run this command.
122 00:10:25,160 --> 00:10:31,000 So mitmf --help in order for us to.
123 00:10:31,700 --> 00:10:33,610 Oh, it's in the MITMf config.
124 00:10:33,670 --> 00:10:34,600 We do not want that.
125 00:10:34,600 --> 00:10:41,050 We want to go one directory back and right here run mitmf --help and let's see what we
126 00:10:41,050 --> 00:10:44,810 can do in order to use DNS for the redirection.
127 00:10:44,830 --> 00:10:52,420 So if we can see right here, let me just find this perfect part, since I believe it is right there.
128 00:10:53,420 --> 00:10:54,350 Did I pass it?
129 00:10:58,100 --> 00:10:59,030 Where is it?
130 00:10:59,040 --> 00:10:59,640 Where is.
131 00:10:59,700 --> 00:11:02,410 Okay, here it is, --dns.
132 00:11:02,420 --> 00:11:05,090 So proxy/modify DNS queries.
133 00:11:05,120 --> 00:11:06,280 That's what I was talking about.
134 00:11:06,280 --> 00:11:12,110 So we will use this one for anyone that specifies the certain name of a website that we specify in the
135 00:11:12,110 --> 00:11:12,560 config file.
136 00:11:12,560 --> 00:11:18,980 They will get redirected to my laptop which is running Apache2 on the IP address
137 00:11:18,980 --> 00:11:21,250 192.168.1.15.
138 00:11:21,260 --> 00:11:30,100 Now what you also want to do, if you want to perform the SSLstrip, is you can run this command right
139 00:11:30,100 --> 00:11:33,090 here which is --hsts.
140 00:11:33,100 --> 00:11:34,260 Let me just find it.
141 00:11:34,270 --> 00:11:34,680 Where is it.
142 00:11:34,680 --> 00:11:35,750 Right here.
143 00:11:37,160 --> 00:11:38,450 It's not here.
144 00:11:40,250 --> 00:11:43,030 It's not there. Let me just find it.
145 00:11:43,030 --> 00:11:45,230 There are just a bunch of options right here.
146 00:11:45,230 --> 00:11:48,400 It is not so easy to keep track of all of them.
147 00:11:50,440 --> 00:11:51,790 It should be somewhere right here.
148 00:11:54,770 --> 00:11:55,370 Here it is.
149 00:11:55,370 --> 00:12:04,820 So SSLstrip, HSTS: loads plugin SSLstrip, enables SSLstrip for partial HSTS bypass.
150 00:12:04,820 --> 00:12:09,800 So let us perform that and we will run the full command which looks something like this.
151 00:12:09,800 --> 00:12:15,760 So ./mitmf.py -i.
152 00:12:15,830 --> 00:12:21,340 And then we specify our interface which is eth0, --spoof.
153 00:12:21,590 --> 00:12:28,610 And then what we want to specify right here is we want to specify both the ARP and DNS spoofing.
154 00:12:28,610 --> 00:12:36,200 So we specify DNS so we can use the thing we specified in the config file and we use the
155 00:12:36,200 --> 00:12:39,510 --arp in order to perform the ARP spoofing as well.
156 00:12:39,650 --> 00:12:43,210 Right now what we want to type after this is the gateway.
157 00:12:43,400 --> 00:12:45,550 So let's say the gateway.
158 00:12:45,710 --> 00:12:54,140 We will not specify these targets since we want to actually ARP spoof everyone on the local network.
159 00:12:54,500 --> 00:13:01,670 And after that the only thing we specify again, or not again, for the first time, is HSTS,
160 00:13:01,880 --> 00:13:08,570 --hsts, which will load the plugin for SSLstrip which will enable us to capture the information from
161 00:13:08,570 --> 00:13:10,880 some HTTPS websites.
162 00:13:10,910 --> 00:13:18,030 So once you type this command right here and just press here Enter it will once again load the banner
163 00:13:18,090 --> 00:13:25,800 and it will start our ARP spoofing attack. As we can see the SSLstrip is loaded and both our DNS spoofing
164 00:13:25,860 --> 00:13:28,350 and ARP spoofing is enabled.
165 00:13:28,350 --> 00:13:34,250 So let's see now what happens when we go, so let's just close.
166 00:13:34,350 --> 00:13:38,850 So let's see what happens when we try to visit the domain
167 00:13:41,760 --> 00:13:47,070 that we specified in the config file.
168 00:13:47,070 --> 00:13:54,170 So if I press here Enter you will see that it doesn't even lead us to that web page.
169 00:13:54,170 --> 00:13:56,900 It actually does to my laptop web page.
170 00:13:56,900 --> 00:14:03,980 See, I typed here this domain and I was redirected to the same IP address on my laptop, as we can see
171 00:14:03,980 --> 00:14:05,780 these two pages are basically the same.
172 00:14:05,780 --> 00:14:11,180 So this is my IP address, or laptop, and this is the domain that we visited before with the login page.
173 00:14:11,180 --> 00:14:14,230 As we can see the redirection worked perfectly.
174 00:14:14,570 --> 00:14:21,050 And now if I had a fake web page right here which looked the same as the real domain I would get redirected
175 00:14:21,200 --> 00:14:28,010 and nobody would notice that they are currently on the fake page since it says the same domain name
176 00:14:28,010 --> 00:14:28,560 right here.
177 00:14:28,580 --> 00:14:37,370 And the page would look identical. If we check it right here we can see that the DNS cooking the response
178 00:14:37,370 --> 00:14:38,150 of type A.
179 00:14:38,150 --> 00:14:46,340 Now this single A basically means for IP, for MAC address, IP address for this website which we specified
180 00:14:46,340 --> 00:14:49,210 in the config file to this IP address.
181 00:14:49,280 --> 00:14:54,340 So it performed the redirection using DNS spoofing.
182 00:14:54,350 --> 00:15:03,140 Now if you wanted to go for example to the login page that we went to before, check it right here.
183 00:15:03,140 --> 00:15:05,780 So this is the web page right here.
184 00:15:05,960 --> 00:15:10,310 You can see that it is still HTTPS for some reason.
185 00:15:10,310 --> 00:15:12,520 Now I'm not really sure why is that.
186 00:15:12,560 --> 00:15:18,440 So let us try to run this once again without the redirection.
187 00:15:18,720 --> 00:15:22,170 So let's close this for a second.
188 00:15:22,740 --> 00:15:29,880 So we successfully managed to redirect the person but now we want to capture the user name and password
189 00:15:29,880 --> 00:15:31,530 from that HTTPS website.
190 00:15:31,530 --> 00:15:37,820 So let us remove first the redirection that we just find.
191 00:15:37,820 --> 00:15:38,270 Where is it.
192 00:15:38,300 --> 00:15:38,620 OK.
193 00:15:38,630 --> 00:15:41,010 So here it is.
194 00:15:41,480 --> 00:15:43,100 We do not want this.
195 00:15:43,100 --> 00:15:45,440 So I will just leave it on Twitter.
196 00:15:45,440 --> 00:15:52,370 Dot com. It doesn't even matter, it won't redirect the Twitter, and if you go down here you will find the
197 00:15:52,490 --> 00:15:57,290 SSLstrip plugin or the configuration for the SSLstrip.
198 00:15:57,320 --> 00:16:04,040 Now what we want to do right here is basically, if you have a website that you want to perform
199 00:16:04,040 --> 00:16:11,210 SSLstrip on, here, as it says here, you can configure your domains to bypass HSTS on, the format
200 00:16:11,230 --> 00:16:14,040 is real.domain.com equals fake.domain.com.
201 00:16:14,150 --> 00:16:19,940 Now basically for anyone typing for example facebook.com they will get redirected to
202 00:16:19,940 --> 00:16:27,110 login.facebook.com, which will be a login page that you would be able to sniff the user name and password
203 00:16:27,110 --> 00:16:28,050 from.
204 00:16:28,190 --> 00:16:30,560 Now what we want to do right here.
205 00:16:30,560 --> 00:16:38,990 Let me just close this for a second and let me see if I can ping my router since sometimes I get disconnected
206 00:16:38,990 --> 00:16:40,670 from the Internet while performing the attack.
207 00:16:40,700 --> 00:16:45,220 OK so everything is good and let's perform the same attack.
208 00:16:45,650 --> 00:16:56,450 So -i for interface, eth0, --spoof and --dns, minus minus.
209 00:16:56,870 --> 00:16:59,190 We want to specify the gateway as well.
210 00:16:59,260 --> 00:17:01,460 192.168.1.1.
211 00:17:01,820 --> 00:17:03,310 And we specify
212 00:17:03,320 --> 00:17:04,040 HSTS.
213 00:17:04,130 --> 00:17:06,100 And let us run this once again.
214 00:17:07,190 --> 00:17:07,520 OK.
215 00:17:07,520 --> 00:17:14,210 So you can specify the --interface, let us use it with -i.
216 00:17:15,230 --> 00:17:21,630 And let's run this attack. Couldn't listen on port, address already in use.
217 00:17:21,630 --> 00:17:21,880 OK.
218 00:17:21,930 --> 00:17:25,440 So this means basically that we need to restart this terminal.
219 00:17:25,560 --> 00:17:31,120 Since the address is already in use we can actually use this one.
220 00:17:31,320 --> 00:17:36,550 We need to just go to the vault and then MITMf. And now we want to run the same command.
221 00:17:36,560 --> 00:17:39,050 So -i eth0.
222 00:17:39,200 --> 00:17:44,360 Now when you get that address already in use, just restart your terminal and it should be good to go.
223 00:17:44,370 --> 00:17:50,990 So I just used the different terminal since I already had it open, so let's specify the same command
224 00:17:54,180 --> 00:17:56,190 and let's run the attack once again.
225 00:17:56,700 --> 00:18:03,430 So gateway 192.168.1.1 and then HSTS for the SSLstrip bypass.
226 00:18:03,480 --> 00:18:05,080 Now I think that's it.
227 00:18:05,220 --> 00:18:07,980 And let's let this run. Everything is good.
228 00:18:07,980 --> 00:18:15,470 If we go right here and with that we visit this, for example, we can see a simple HTTP website.
229 00:18:16,020 --> 00:18:19,740 Could not proxy request, timed out.
230 00:18:19,780 --> 00:18:22,290 Okay so my internet seems to be down.
231 00:18:22,980 --> 00:18:27,280 I will have to restart it, and give me just one second, I will be back.
232 00:18:27,330 --> 00:18:34,000 Okay so I'm back on the internet and let me just restart the terminal and then continue.
233 00:18:34,120 --> 00:18:40,260 But in light of this we just want to see if the SSLstrip attack will work.
234 00:18:40,680 --> 00:18:45,690 Let's first change our directory to the man in the middle framework and let's run this attack the same
235 00:18:45,690 --> 00:18:46,910 as before.
236 00:18:46,920 --> 00:18:50,610 So right now we can see everything is in order, the SSLstrip.
237 00:18:50,610 --> 00:18:56,180 And if we visit this page which we couldn't predict before, we get it specified right here.
238 00:18:56,190 --> 00:18:56,540 OK.
239 00:18:56,550 --> 00:18:58,750 So we can see that we are visiting the page.
240 00:18:58,860 --> 00:19:08,060 But what happens when we visit that page that we visited before which was HTTPS.
241 00:19:08,670 --> 00:19:09,450 Let me just change.
242 00:19:09,450 --> 00:19:10,300 No I did not.
243 00:19:10,330 --> 00:19:11,160 On that page.
244 00:19:11,160 --> 00:19:21,480 So we want right here and we specified that right here. We are still getting redirected for some reason,
245 00:19:23,600 --> 00:19:26,990 can't really seem to figure out why is that.
246 00:19:31,170 --> 00:19:32,270 DNS cooking
247 00:19:32,340 --> 00:19:35,330 the response of type A for the website.
248 00:19:35,820 --> 00:19:42,290 So we are still getting redirected.
249 00:19:42,730 --> 00:19:44,440 Why are we getting redirected?
250 00:19:44,440 --> 00:19:45,960 I have no idea.
251 00:19:48,470 --> 00:19:52,500 But let's try some other page which is Sam's Club.
252 00:19:52,700 --> 00:20:00,490 Now this page is usually the HTTP page and we can see that the SSLstrip worked for this page.
253 00:20:00,590 --> 00:20:06,960 Now I'm not really sure why it didn't work for that, uh, for that, uh, HTTPS page.
254 00:20:06,980 --> 00:20:09,800 I believe it has something to do with the previous attacks that we ran.
255 00:20:10,250 --> 00:20:15,950 But if you notice, for example if you visit the samsclub.com page on your own you will see that
256 00:20:15,950 --> 00:20:17,620 it is HTTPS.
257 00:20:17,630 --> 00:20:22,340 But right now we are able to capture all of the packets going through this page.
258 00:20:22,610 --> 00:20:30,410 And if you notice, if you really notice, you will see something fishy about this page right here as it
259 00:20:30,410 --> 00:20:33,410 has four W's instead of three.
260 00:20:33,410 --> 00:20:41,480 Now we know the World Wide Web has three W's and here in the link we can see four. Now that
261 00:20:41,480 --> 00:20:48,020 is the only thing that this person can actually notice if they are running this page on the ARP spoof
262 00:20:48,020 --> 00:20:55,880 attack, since it can be literally the same domain as in the real page, it has to be some spoofed domain
263 00:20:56,210 --> 00:20:58,650 and they spoofed it with four W's.
264 00:20:58,670 --> 00:21:04,330 Now it is hard to notice but if you know where to look you will notice it easily.
265 00:21:04,340 --> 00:21:08,700 So now basically anywhere you go you will be able to.
266 00:21:08,960 --> 00:21:14,030 For example let's see if there is a login right here. Not a member, join now.
267 00:21:14,030 --> 00:21:17,930 So you can go to the sign in right here.
268 00:21:17,930 --> 00:21:19,500 I believe this will lead us to.
269 00:21:19,520 --> 00:21:19,920 Yeah okay.
270 00:21:19,940 --> 00:21:22,580 So this will lead us to the login page.
271 00:21:22,580 --> 00:21:33,980 And if you specify anything right here and just specify password and click sign in you can see, or you
272 00:21:33,980 --> 00:21:42,020 should see, that we received something. There is just too much stuff going on right here.
273 00:21:42,140 --> 00:21:52,620 Post data, let me just see if I can find it, it should be somewhere around here.
274 00:21:54,170 --> 00:21:56,970 There is just too much data for us to find.
275 00:22:02,370 --> 00:22:03,910 Let us try once again.
276 00:22:03,910 --> 00:22:04,330 So
277 00:22:07,440 --> 00:22:11,640 if we post it once again. Please enter a valid address.
278 00:22:11,670 --> 00:22:18,500 So I just typed windows@gmail.com.
279 00:22:18,750 --> 00:22:26,310 So we can just type any mail address or any address we have right here and let me just see if it captured
280 00:22:26,310 --> 00:22:26,850 anything.
281 00:22:30,030 --> 00:22:31,680 Resolving, resolving.
282 00:22:37,660 --> 00:22:38,380 Here it is.
283 00:22:38,400 --> 00:22:48,910 So the user name windows@gmail.com and let me see where is the password.
284 00:22:48,910 --> 00:22:57,020 I'm not even sure what I typed as the password so that could be a problem in this huge, uh.
285 00:22:57,940 --> 00:22:59,460 So password.
286 00:22:59,470 --> 00:23:01,580 There is something password.
287 00:23:02,200 --> 00:23:02,810 Password.
288 00:23:02,830 --> 00:23:03,340 Here it is.
289 00:23:03,370 --> 00:23:05,860 So value for the password is this one.
290 00:23:05,860 --> 00:23:10,990 Now it could be really, really hard to find sometimes but we managed to find it.
291 00:23:10,990 --> 00:23:16,570 So this is a password that I typed in. I just typed a bunch of random letters and we were able to successfully
292 00:23:16,570 --> 00:23:24,850 get the login username and password for the HTTPS page while performing the HTTPS or SSLstrip
293 00:23:24,850 --> 00:23:25,360 attack.
294 00:23:25,930 --> 00:23:32,590 So that's how you can actually gather the user name and password from some websites that are not HTTP.
295 00:23:33,300 --> 00:23:35,220 Uh, while performing the SSLstrip.
296 00:23:35,230 --> 00:23:37,500 Now this won't work on all the websites.
297 00:23:37,570 --> 00:23:38,200 Uh.
298 00:23:38,380 --> 00:23:45,510 As I said, on the TLS websites it shouldn't work, SSLstrip shouldn't work on TLS website, but as
299 00:23:45,510 --> 00:23:51,150 I said before I sometimes was able to get it working on twitter.com and I could capture
300 00:23:51,150 --> 00:23:56,180 twitter.com credentials, so that would be about it for this tutorial.
301 00:23:56,180 --> 00:24:03,140 It was rather a long tutorial. In the next one we will cover some of the plugins, or we will combine
302 00:24:03,140 --> 00:24:06,600 two tools, which is this tool and the tool called BeEF.
303 00:24:06,650 --> 00:24:12,350 I will show you how you can hook other browsers and try to exploit the victim machines on local network
304 00:24:12,380 --> 00:24:13,820 using man in the middle attack.
305 00:24:14,390 --> 00:24:16,480 So that would be about it for this tutorial.
306 00:24:16,500 --> 00:24:18,410 Hope to see you in the next one, bye.