In the previous lecture we saw how to downgrade HTTPS websites to HTTP. This allowed us to basically see anything a user does on these websites, because data in HTTP is sent in plain text. Therefore we were able to see the usernames, the passwords, the URLs and anything they do on each HTTPS website.

At the end of the lecture I also showed you that the method will not work against Facebook, Twitter and other websites that use HSTS. The reason why it won't work against these websites is because modern web browsers come with a list of websites that they should only load over HTTPS. See, what we were doing in the previous lecture: whenever the browser requests a website, we load that website even if it uses HTTPS, and we always give it back the HTTP version. With HSTS, the browser knows that this website, for example facebook.com, should always be loaded over HTTPS, so even before sending this request to us it will always send it in HTTPS, and it will only accept it if it comes back as HTTPS. So there is nothing we can do really once we become the man in the middle, because the browser is doing this check locally; it's checking this against a list that is stored on the computer itself. Therefore the only practical solution at the moment to bypass HSTS is to make the browser think that it is loading another website.

To do this, we're going to replace all HSTS links in loaded pages with similar links, but they're not the same links. For example, we can replace facebook.com with facebook.corn. Now I know this seems very suspicious, but trust me, when it goes into the URL bar the r and the n here in the middle will seem very similar to the letter m. Another way of doing this: you can replace twitter.com with twiter.com, with a single t here instead of a double t. I know this sounds a little bit confusing right now, but let me go and do it practically and you will see how this is going to work.

So right here I have my Kali machine, and we're actually going to use the hstshijack caplet that we used in the previous lecture. I've already showed you where to download it and where to place it. Please make sure you use the caplet that I gave you in the resources of this lecture, not the one that comes with bettercap, because the one that I gave you in the resources of this lecture is modified and it contains code that will actually replace the domain names as shown in here. The original one does not contain that code, so it won't work as I'm going to show you right now.

So as shown in the previous lecture, I already have my caplet in here, in /usr/share/bettercap/caplets, and this is the name of the caplet. If we go inside it we have a file called hstshijack.cap. This is the configuration file of the caplet, so I'm going to right-click it, open it with another application, click on "View all applications", and you want to pick any text editor that you have. So I'm going to pick this one; you might have to scroll down to find it, but I have it here. I'm going to select it, and as you can see we have a normal text file with all the configurations that we can set. And I've already reconfigured this for you.

The main things that you want to understand, and maybe change, are the targets and the replacements. So the targets are the domains that use HSTS that you want to replace. For example I have twitter.com in here, and I also have *.twitter.com. Basically when you use a star this is a wildcard, and it basically means any subdomain of twitter.com is a target as well. And in the replacements you want to tell the program what to replace this target with; for example, whenever we see twitter.com we're going to replace it with twitter.corn. The same goes for Facebook and Apple and a few other domains that I set. You can also play around with the obfuscate and encode options. I've set both of these to false, because basically what these will do is obfuscate the code and encode it. But I noticed some browsers like Firefox will block obfuscated or encoded code; that's why I set both of these to false so that the code is left as is. Here in the payload you can set any other JavaScript code that you want to inject. I'll leave this the same; we'll talk about JavaScript injection in a future lecture. Finally, you want to make sure that the DNS spoof domains are set exactly the same as the replacements in here. So I literally copied this line and pasted it here.

Now I'm actually going to keep all of this the same; I don't need to modify any of it. But like I said, if you're targeting different websites or if you want to use different replacements, for example if you wanted to use Twitter with a single t and keep the .com, you can do that here; if you wanted to use Facebook with a single o and keep the .com, again instead of the .corn, you can do it here. Once done, make sure you save and quit this file, and we're ready to run the attack.

So running this attack is actually going to be identical to what we did in the previous lecture. You just want to make sure you modify this file properly. So going back to bettercap, I'm going to clear the screen and run bettercap with the same command, loading the spoof caplet so we can do all of the ARP spoofing commands and run the sniffer all automatically. And perfect, as you can see everything is running as expected with no errors. If you run this and you get an error, just do exit and run bettercap again. Next we want to run the caplet, the hstshijack caplet, exactly as shown in the previous lecture. All we have to do is type hsts, hit Tab, it'll autocomplete for us, and hit Enter to run it. Again, as you can see, no errors, so everything is working as expected.

Let's go to the target's machine and see how this is going to work. So I have my Windows machine right here. This is Chrome, the latest version as of April 2019, and before I do anything, like I said, it's a good idea to always just remove the browsing data. And before I actually load any websites it is very important to understand that even with everything that we're doing right now, if you try to go to Facebook and type .com at the end here, it will not work. What we're doing right now will not work because Chrome right here has a list that is stored on this computer that says do not load facebook.com unless it is loaded over HTTPS. So if you type Facebook right here like this, it will not work.

The only way we can do this is if the user first goes to a search engine, for example google.ie for Ireland, and then in Google, as you can see, Google doesn't use HSTS. So we bypass this using the normal HTTPS bypass, and then if the user in here searches for their target website, for example Facebook, then our script is going to run in the background and it's going to replace all links in this page for facebook.com with facebook.corn. So if I actually hover over this you'll see in the status bar the website that will be loaded is facebook.corn, not facebook.com. This is fine here; it still says facebook.com, but only in the code of the HTML page facebook.com got replaced with facebook.corn. So if I click on this link, again as you can see we get a normal Facebook page, but if you look here on top you'll see there is no HTTPS, and if you look at the domain name you'll see it says .corn, not .com. Again, like I said, you can actually keep the .com and use Facebook with one o, or you can add an extra o; you can be as creative as you want with this. This is just an example that I'm giving you now.

Once we're here we can log in normally with my username, zaid@zsecurity.org, and put my password, 1234567890, hit Enter, and if we go back and scroll up, perfect, as you can see we have the username zaid@zsecurity.org and the password all the way up to 90. Now, like I said, the only way for this to work is if the user gets to Facebook through another website that does not use HSTS. If they go on the URL bar and type facebook.com themselves, we will not be able to do this. That's why this is considered a partial solution and not a full solution.
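The lecture's bypass depends on the browser (and the user) accepting look-alike hostnames such as facebook.corn, twiter.com or facebok.com in place of an HSTS-protected domain. As an added example, not code from the lecture or from the bettercap caplet, the following defender-side check folds exactly those confusions (rn/m, doubled letters, a dropped or extra letter) into a canonical form and flags links in a captured page whose host is a look-alike of, or a plain-HTTP downgrade of, a watchlisted domain. The watchlist and the sample HTML are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: constructed watchlist of domains that should only be reached over HTTPS.
PROTECTED = {"facebook.com", "twitter.com", "apple.com"}

# Constructed sample of a search-results page after the links were rewritten.
SAMPLE_HTML = """
<a href="http://www.facebook.corn/login">Facebook</a>
<a href="http://twiter.com/">Twitter</a>
<a href="http://www.apple.com/">Apple</a>
<a href="https://www.google.ie/">Google</a>
"""
HREF_RE = re.compile(r'href="([^"]+)"')

def normalise(host):
    """Fold rn->m, vv->w, 0->o and collapse doubled letters (twitter -> twiter)."""
    host = host.lower().strip(".")
    host = host.replace("rn", "m").replace("vv", "w").replace("0", "o")
    return re.sub(r"(.)\1+", r"\1", host)

def levenshtein(a, b):
    """Edit distance; a distance of 1 catches one dropped or added letter (facebok)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Two-label heuristic: www.facebook.corn -> facebook.corn (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])

def classify_link(url):
    """Return a finding string for a downgraded or look-alike link, or None if clean."""
    parts = urlsplit(url)
    host = registrable(parts.hostname or "")
    if host in PROTECTED:  # the real domain: only a problem if served over plain HTTP
        return f"downgraded: {url}" if parts.scheme == "http" else None
    for real in sorted(PROTECTED):  # sorted so findings are deterministic
        if levenshtein(normalise(host), normalise(real)) <= 1:
            return f"lookalike of {real}: {url}"
    return None

def scan_page(html):
    """Run classify_link over every href in a page and collect the findings."""
    return [f for f in map(classify_link, HREF_RE.findall(html)) if f]
```

The distance-1 rule will also flag short names that happen to be one edit away from a watchlisted domain, so treat findings as alerts to review rather than as proof of tampering.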