All language subtitles for 017 DNS Poising using Ettercap-subtitle-en

1
00:00:00,960 --> 00:00:04,790
Now let's do a full attack using Ettercap.

2
00:00:05,190 --> 00:00:10,650
This attack will depend on intercepting traffic and changing the.

3
00:00:11,250 --> 00:00:13,020
And before showing you the attack.

4
00:00:13,020 --> 00:00:15,210
Let me show you a scenario.

5
00:00:15,630 --> 00:00:17,370
So this is my victim machine.

6
00:00:17,370 --> 00:00:20,960
It has a Windows 8 could be a mobile it could be anything it has Windows 8.

7
00:00:21,420 --> 00:00:30,370
And notice that when I tried to go to a specific Web site and this actually work on any platform.

8
00:00:30,390 --> 00:00:31,190
So.

9
00:00:31,440 --> 00:00:38,760
So let's if I try to go to a Microsoft Web site Canute's type in Microsoft

10
00:00:44,120 --> 00:00:48,570
com.

11
00:00:48,710 --> 00:01:01,080
Oh sorry Microsoft dot com so we have internet connectivity.

12
00:01:01,080 --> 00:01:05,750
And when you type any website he's going to this Web site.

13
00:01:05,790 --> 00:01:09,660
And if we try to ping on Microsoft dot com let me show you.

14
00:01:09,660 --> 00:01:11,390
Microsoft IP.

15
00:01:12,420 --> 00:01:19,410
So if I try to ping on this Web site to see if we have a connectivity with it or not.

16
00:01:20,400 --> 00:01:31,840
My rule of thumb is pinging and so we have internet connectivity and this is the IP of Microsoft start

17
00:01:31,840 --> 00:01:33,010
two one zero.

18
00:01:33,420 --> 00:01:34,440
OK.

19
00:01:34,510 --> 00:01:42,810
Now getting back to our Kali Linux machine now we can intercept the traffic but we need to intercept

20
00:01:42,810 --> 00:01:46,110
the traffic and whatever traffic will be intercepted it need to be modified.

21
00:01:46,440 --> 00:01:48,370
And I'm going to focus on DNS traffic.

22
00:01:48,390 --> 00:01:50,320
Now what is DNS exactly.

23
00:01:50,550 --> 00:01:54,840
DNS is a service that change from name to IP.

24
00:01:54,840 --> 00:02:02,040
I mean when you type Microsoft the router cannot understand that you have to translate that to Microsoft

25
00:02:02,040 --> 00:02:03,950
IP to be able to reach it.

26
00:02:03,960 --> 00:02:08,470
So what will happen if we poison this IP if we change that right.

27
00:02:08,510 --> 00:02:12,160
Or is the correct Microsoft IP put a fake Microsoft Web site.

28
00:02:12,570 --> 00:02:22,320
Once the victim type Microsoft dot com it will be translated to fake IP from Microsoft fake page and

29
00:02:22,320 --> 00:02:25,360
the user will be taken to this fake page.

30
00:02:26,100 --> 00:02:27,180
Let me show you how to do that.

31
00:02:27,180 --> 00:02:31,410
But before doing that the only things that need some effort is a cap set.

32
00:02:31,410 --> 00:02:35,790
If you need to apply those plug you need to do some modification.

33
00:02:35,880 --> 00:02:37,110
So let's take DNS.

34
00:02:37,110 --> 00:02:42,210
We're going to make a modification in DNS any DNS traffic it will be modified according to some rules

35
00:02:42,210 --> 00:02:43,990
that we can implement right now.

36
00:02:44,370 --> 00:02:54,300
So we need to go here into the it is so we go to other location and go to computer and go to etc and

37
00:02:54,370 --> 00:03:00,090
it says it is a folder called Ettercap where this folder has all the configuration files.

38
00:03:00,420 --> 00:03:05,740
So when you plan to implement some plug in some modification it'll be done according to the plan.

39
00:03:05,940 --> 00:03:11,740
And as you can see you have like four or five our files that we can change is called etter.dns.

40
00:03:11,760 --> 00:03:15,480
This is the file that we need to do some modification inside.

41
00:03:15,490 --> 00:03:21,270
Now you can change from here but actually it's confusing me because the font is too big and I don't

42
00:03:21,300 --> 00:03:23,060
spend time changing and so on.

43
00:03:23,220 --> 00:03:25,920
So I'm going to repeat the step from the command line.

44
00:03:26,230 --> 00:03:32,150
So I'm gonna open a terminal and you need to locate the file.

45
00:03:32,610 --> 00:03:37,040
So the file name is easier not the.

46
00:03:37,090 --> 00:03:42,220
And as and as you can see this is the location of the file.

47
00:03:42,270 --> 00:03:47,910
So I need to modify from the command line you can do from the UI I I'm just showing you different option

48
00:03:48,390 --> 00:03:49,220
now.

49
00:03:49,530 --> 00:03:51,590
And you put the full path.

50
00:03:51,860 --> 00:03:52,260
Sorry

51
00:03:59,360 --> 00:04:03,500
copy and paste.

52
00:04:03,830 --> 00:04:05,130
And he opens a file.

53
00:04:05,210 --> 00:04:09,040
Now it's not it's and it's readable file.

54
00:04:09,040 --> 00:04:13,920
I mean you can read exactly what you need to change but let me brief you instead of let you search and

55
00:04:14,450 --> 00:04:18,310
you need to go to a place that doesn't have those hash specially.

56
00:04:18,350 --> 00:04:25,460
Or is it just one Microsoft that can or go through the record.

57
00:04:25,820 --> 00:04:31,970
So here is thank you whenever someone inside the network is going to Microsoft I usually translate that.

58
00:04:32,120 --> 00:04:36,250
Translate that to Microsoft IP and this is right.

59
00:04:36,250 --> 00:04:41,350
Microsoft IP or the start of Microsoft to come I mean it could be Microsoft.

60
00:04:41,360 --> 00:04:47,720
It could be portal of Microsoft the com or local or anything related to Microsoft syndicate to this

61
00:04:47,720 --> 00:04:49,250
IP or that.

62
00:04:49,250 --> 00:04:55,610
So what he's trying to say is that anyone is going to any Microsoft website or something related to

63
00:04:55,640 --> 00:04:59,120
Microsoft's website it's redirected to the regular Microsoft website.

64
00:04:59,120 --> 00:05:05,810
Now what will happen if I change those IP and put another IP whoever to go to Microsoft to go to this

65
00:05:05,810 --> 00:05:06,420
IP.

66
00:05:06,770 --> 00:05:11,930
What if I change that and it put Facebook and I put fake Facebook page it will do the same.

67
00:05:12,230 --> 00:05:14,160
Or Twitter or so on.

68
00:05:14,210 --> 00:05:18,140
So it's not about Microsoft website it's about the concept.

69
00:05:18,170 --> 00:05:23,780
So if this work you can change just Microsoft dot com and put a fake Microsoft to page and the user

70
00:05:23,780 --> 00:05:25,990
will never feel that he went to a fake page.

71
00:05:26,300 --> 00:05:29,340
So let's see what I'm going to do right now as a proof of concept.

72
00:05:29,360 --> 00:05:34,330
I'm going to whoever go to Microsoft would be directed to google for it.

73
00:05:34,580 --> 00:05:39,960
So I need to open another terminal because I need to get Google IP.

74
00:05:40,100 --> 00:05:43,760
So let's type ping.

75
00:05:45,670 --> 00:05:56,360
W w w Google dot com and you'll see that the.

76
00:05:56,450 --> 00:05:57,120
OK.

77
00:05:57,260 --> 00:06:08,070
Control-C This is the Google IP 0 8 1 1 7 2 3 1 1 8 7 excellence so I'm going to copy that.

78
00:06:10,640 --> 00:06:11,220
Copy.

79
00:06:11,510 --> 00:06:18,440
And I'm going to go here and we're going to change the IP and put the Google IP

80
00:06:25,800 --> 00:06:27,700
is and then

81
00:06:34,310 --> 00:06:35,860
paste and then

82
00:06:39,390 --> 00:06:44,430
last one and paste.

83
00:06:45,040 --> 00:06:46,210
And we are set to go.

84
00:06:46,270 --> 00:06:48,040
So I need to save this file.

85
00:06:48,160 --> 00:06:53,080
So I'm going to click on control X and click on yes.

86
00:06:53,110 --> 00:07:07,950
And now let's run Ettercap minus get algae and let's do the sense that the user care minus the G.

87
00:07:09,310 --> 00:07:15,460
And let's follow the previous the step from the previous lecture with where I need to go to sniff and

88
00:07:15,460 --> 00:07:20,710
choose the first one to identify which network I'm going to sniff the wire and wireless.

89
00:07:20,710 --> 00:07:25,630
Then go to host and scan for host scan for host.

90
00:07:25,810 --> 00:07:31,060
And sometimes you may need to do scan more than one time because you know he's not detecting all the

91
00:07:31,060 --> 00:07:32,460
machine from the first time.

92
00:07:32,770 --> 00:07:33,930
So it's better to do it twice.

93
00:07:33,940 --> 00:07:37,260
But anyway I'm going to do it right one more time.

94
00:07:37,270 --> 00:07:38,900
Scan for host.

95
00:07:39,280 --> 00:07:41,940
And it seems that he finds five hosts.

96
00:07:41,950 --> 00:07:44,760
I know that there are five or six here.

97
00:07:44,920 --> 00:07:50,200
And second step Z by doing more than one scan you get more machines so you have to repeat a couple of

98
00:07:50,200 --> 00:07:55,390
times then go to host and go to a host list.

99
00:07:56,230 --> 00:07:58,690
And as I told you need to identify it that way.

100
00:07:58,690 --> 00:08:01,400
This is my gateway as target one.

101
00:08:01,600 --> 00:08:09,780
And then I can identify is when the computer started to or I can keep all the machine to be DNS poisoning.

102
00:08:09,850 --> 00:08:17,250
So I'm going to keep the remaining of the machine and then we'll go to MITM.

103
00:08:17,380 --> 00:08:23,940
Now before going to MITM or before going to start sniffing we need to go to plug ins and manage plug

104
00:08:23,940 --> 00:08:31,510
ins and activate the DNS spoof which is the files that we did the modification in a few seconds ago.

105
00:08:31,690 --> 00:08:37,210
So by clicking here and make sure you have a sign besides this plug in Jesmyn any traffic that will

106
00:08:37,210 --> 00:08:43,580
be intercepted by this Kali Linux machine it will apply is the content of this file on it.

107
00:08:43,600 --> 00:08:50,260
So I need to make sure that this one is active then going back to MITM, ARP poisoning and choose

108
00:08:50,260 --> 00:08:58,460
the first one sniff remote connection and click on OK and then start and start sniffing.

109
00:08:58,780 --> 00:09:00,650
And let's see if it going to work or not.

110
00:09:01,060 --> 00:09:09,460
So going to my Windows 8 machine you remember a few seconds ago you were pinging on Microsoft and we

111
00:09:09,460 --> 00:09:14,080
are getting a reply from Microsoft server and those are the Microsoft server IP right.

112
00:09:14,110 --> 00:09:24,370
Let's ping one more time on Microsoft see we are getting a reply from the IPs that we added to the

113
00:09:24,710 --> 00:09:32,100
file or not is or that is fine let's say to go to Microsoft dot com refresh the page

114
00:09:36,810 --> 00:09:40,410
sketch so we get too close and open it one more time.

115
00:09:48,210 --> 00:09:52,290
My crew so the

116
00:09:56,560 --> 00:10:00,090
And as you can see it has been redirected to Google.

117
00:10:00,100 --> 00:10:05,960
But the amazing part that the URL still has Microsoft.

118
00:10:06,910 --> 00:10:13,510
So according to that if it's not about Microsoft and Google if you change the website from Microsoft

119
00:10:13,630 --> 00:10:21,920
to Twitter or Facebook or any other Web sites that need credential and then redirect those request to

120
00:10:22,060 --> 00:10:32,590
Facebook pages that look like exactly like those pages user will never or a victim will never feel that

121
00:10:32,770 --> 00:10:37,800
it has been redirected besides creating a fake Web site.

122
00:10:37,810 --> 00:10:43,330
It's quite easy in the hacking Android section we're going to take a tool called social engineering

123
00:10:43,390 --> 00:10:48,800
toolkit that is used for doing that in a few steps.

124
00:10:48,850 --> 00:10:55,390
So it's not that hard to create a fake Web site and to activate a web server on your Kali Linux and to

125
00:10:55,390 --> 00:10:56,500
redirect the traffic.

126
00:10:56,710 --> 00:11:01,970
So keep in mind this attack and then later on you're going to see how to as you said this attack with

127
00:11:01,990 --> 00:11:08,260
another attack that we'll be taking in social engineering toolkit in Android section.
