All language subtitles for 6. Password Spraying and Credential Stuffing

Let's talk again about credential stuffing. And while we're at it, we're going to talk about password spraying. Now I realize we talked about this earlier in the course with Breach-Parse and WeLeakInfo, but I do think that hammering concepts over and over, and how important they are, does help for information retention.

So again, if we look at this example here, what is credential stuffing? Well, it's just injecting breached account credentials in hopes of account takeover. So if you look at the compromised server here in the upper right-hand corner, we pull down usernames and credentials, and we get these from leaks like the LinkedIn leak or the Equifax leak or whatever those have come out recently. We get these leaked credentials and we grab these databases, we search through them like we did with Breach-Parse or like we can with WeLeakInfo, and we get these stolen credentials and we take these credentials and we try to pass them to the site login.

Now we could take a look at a real-life example of that, which I have pulled up here, and again this is just an example of the Tesla Breach-Parse. So we have some usernames and passwords. We have repeat offenders. Remember, we also have similar passwords here.

But the art of credential stuffing is taking these passwords and these usernames and throwing them at a website. That's all it is. So we're going to throw them at a website and just kind of spray and pray. Now I've just gone ahead and opened up this same tesla-master; I've only opened up the users and the passwords, just for an example of spraying. This video is going to be in theory only; I don't want you attacking Tesla's website. So just take this for example. You can follow all the way up until the point that we actually hit attack, if you want to follow along. But for this, please do not attempt an exploit against Tesla. You do not know when the criteria are going to change, and I just don't want you getting in trouble just in case they do.

So from here I'm going to go ahead and go to Firefox, and while we are in Firefox, what I want to do is take a quick pit stop and go to Google and look up something called FoxyProxy. So go ahead and do this. Look up FoxyProxy like this, not Foxy Foxy Proxy. And go ahead and click on this top one here, the Standard. And we're just gonna go ahead and install the Standard to our Firefox. This is going to be a useful tool that we'll be using throughout the course. So OK, we've got FoxyProxy installed.

Now what has happened: up on the right-hand corner we've got this here. You see FoxyProxy's here, and we can say, hey, Options, and in the options we're going to add in a proxy over here on the left, and we're just going to call it Burp Suite, and then over here we've got proxy types. We're just gonna leave this at HTTP, and then we're gonna give it an address, which is 127.0.0.1, same thing as before. And again, this is 8080. We'll hit save, and then we're going to go ahead and close out, and then all we have to do now is click this and click this. And now Burp Suite's turned on. Super simple. So let's go ahead, also, to our applications, and let's just go up here and open up Burp Suite and let's test out our proxy and make sure... ignore the errors, don't worry about those. Let's go ahead and hit next and use Burp defaults. And I will give you a second here to catch up. So I realize that I might be clicking through a little fast, so once you have everything set up like this, what we're going to do is just make sure our proxy works. We're going to refresh the page, and you can see that it worked. So easy on, easy off. That's all we're looking for here. Instead of having to go in the menu and go to preferences and, you know, go through that whole process, all we've got to do is click a little button. We can turn it on or off within a couple of clicks.

So from here I'm going to turn the intercept off and we're just gonna go ahead and go to tesla.com, and Tesla should look like this when you go to it. In the upper right-hand corner there is a sign-in button. Go ahead and click sign in, and again, this is just a watch-and-learn exercise; you can follow along up until the point that we fire the attack. There will be opportunities here, in very, very soon videos, where you actually get to do this and you can practice along. So from here let's turn on the intercept and let's go ahead and just put in a fake email. Let's do test@test.com and we'll do test as the password and hit sign in, and in that intercept here you can see the user equals, or email equals, test@test.com and password equals test. We're going to go ahead and just right-click this and say Send to Intruder, and from Intruder what we're going to do is go to Positions in here and then we're gonna clear all those. The green goes away, because it tries to auto-select positions for us. So now what we're going to do is just highlight this here and we're going to say Add, and then we're going to highlight this here and we're gonna say Add, so we're selecting two different parameters. We're selecting the email parameter and we're selecting the password parameter. And now we have different attack types up here.

The most common that we're going to use is either Sniper, but Sniper uses one parameter. So we're actually going to use what is called a Pitchfork here, and we're going to go ahead and go over to our Payloads, and what we're going to do... All right, what I'm going to do is take this list of users and I'm just going to copy this and paste it, and then on the second one I'm going to take my list of passwords and paste it. Now what this is doing, to go back to Payloads: that one has all the usernames; it's going into the first one we set here. Payload set two, all the passwords, those are all going into here, and we have 30 total accounts. Meaning what's happening with this, this Pitchfork is payload one, number one, is corresponding to payload two, number one. So they only run together. So this will run the username and password. These are just the separated users and passwords. This will run this username against this password here. So what we're going to do is just... we start the attack and it just says, hey, this is a demo version of Intruder because you're on Community. Don't worry about that, it still runs. It's just a little slower. I'm going to go ahead and hit pause on the attack. Now there are some interesting things that we can look for when we're doing this.

What we're looking for is a status code change of some sort. Maybe we see 200s here and we want like a 301, which means a redirect, or we see a significant change in length. That would be a good indicator that maybe we had a successful login. Other items too: we can click in here and look at the response and we can say, OK, what did the response say? If we scroll down, maybe it said something in here about a failed login. OK: "We could not sign you in." And we could just take "We could not sign you in" like this, copy this, and then we can come back. We'll close this attack. We'll come into Options here, and there's actually a grep feature, so we can remove... we can clear all these, and in this little box we're going to paste this and say, yes, match this here. So watch what this does. So we're going to start this attack again and then I'm going to pause it, and you can immediately look at the checkboxes. This means it's showing up in the response; it's grepping it out. It knows immediately that we didn't sign in successfully. So this is an example of a credential stuffing attack. So we're looking for these few different things: a status change, a significant length; like, we're seeing all the same kind of lengths here.

But what if it was like five thousand or two thousand or fifteen thousand? If the page length changes, there's a good chance that you signed into something and we have a yes, a login. Same thing here with this. If you can find your error code or what it says and then grep on that, then you can click up here and sort by that, and you can search for the ones that don't return that and possibly have a login as well. So this is the art of credential stuffing.

Now let's say we wanted to close this out. We want to go back and we want to do password spraying. Well, we're going to go ahead and just clear this out. And if you remember, password spraying is the art of using known usernames without a known password. So we'll just say Add here and we would gather a list of all the possible users that we can think of. We can look at hunter.io, we can look at, you know, the breached password lists, we can look at LinkedIn and gather people who work there, come up with this big list, and then actually clear... sorry. No, this is right. We'll add these and we'll have all the different users, and then for this we'll just change the request to like Fall2019, or we can set this up here like Fall2019! or whatever the time frame is, or however you want, or maybe, you know, they work at Tesla. So maybe we'll do a Tesla1 if they have a weak password policy, or 123 or @ or #. You just try a few of these.

The only downside to this is you are most likely attacking Active Directory accounts, and when you're attacking Active Directory accounts you want to be very careful, because you could lock them out without even trying. So if you're doing a pen test, the best idea is to ask before you attack. Say, hey, how many unsuccessful attempts do you have before a lockout happens? Because the worst thing you want to do is fire off ten of these in a row, lock out a bunch of users and cause a denial of service. That is very, very possible and very, very easy to do, so make sure you're not just firing these willy-nilly, that you have a good idea of the password policy, the lockout policy, etc. That will really help you when you do these attacks, but you just want to do these kind of one or two at a time, wait a few hours, fire another one or two at a time, and you should be good to go.

OK. So same deal here: we could fire this and we could just say, you know, all of these say password123, and we'll just switch this to Sniper here, and if we come to the Payloads you can see it just kept the emails. There is no payload two anymore. So what this would do if we hit Start attack is it would start firing this against this email address with a password of password123, and then this one, this email address, with the password of password123. It would just go down the list, and that's all password spraying is.

But the feature that I'm showing you here, between credential stuffing and password spraying, is by far the most common way that we get in on external assessments. Way, way more than you're ever gonna see just an exploit out in the wild. Where you're gonna see this most likely, and second, you're probably gonna see something like default credentials. So if you see a login page, always check default credentials, because you never know. You're likely not going to see an exploit out there, because the chances are, one, if you see an exploit like that out there, who knows who else is seeing that already? What kind of bad actors? Because bad actors are scanning the Internet all the time for these sorts of things, and if they're seeing it, then guess what. You know, or if you're seeing it, then guess what. They're probably already seeing it as well. So that's a bad situation too.

You've got to think of protection and clients. Just think of clients like a house. When you talk about the external of your house, your external, your doors have really good locks on them. You might have two locks on your door. You might have good lighting, all this other stuff, and like to try to keep bad guys out. But on the inside, some of your doors probably don't even lock. And that's really how you can treat an external assessment. The clients do a really good job of, you know, beefing up their external. But when it comes to the internal, it's not usually as good. So same thing with physical assessments as well. You just gotta, you gotta get inside. Once you're inside, it's kind of easy breezy for the most part, so take that lesson away.

If anything you take from the course, again, at least for the external side, take away that enumeration and information gathering are super important, because you want to get to the stage here where you are doing these credential stuffing attacks, and you can use Burp Suite for it. This is my favorite go-to. There are other methods as well, but it's so easy just to grab any different website and just, you know, intercept the proxy, send it to Intruder, make one modification and fire it off. So super, super simple. This is something that will come up in an interview as well, so make sure you're very aware of it, and make sure you watch this again if you need to understand the concepts.

So from here we're gonna go ahead and take a quick look at our notes in the next video, just kind of where I want you to be with your notes, and then we're going to get into what I call the mid-course capstone, where I'm going to show you a bunch of different hacks and just my thought process and theories and thinking when I go into a scan and look at results, just so you can kind of get into the mind of an attacker and how we think, and then we'll start moving on to exploit development. And my favorite, the Active Directory exploitation. So I look forward to seeing you in the next video.
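As an added example (not part of the course or its tooling), here is the defender-side view of the two patterns described above, run over a constructed authentication log: it flags a source that tries many usernames while keeping each account under the lockout threshold (the one-or-two-at-a-time spray or stuffing shape) separately from a source that drives a single account into lockout. The log format, IPs, usernames, window and thresholds are all my own assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the course). One event per line:
#   <ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>
# 203.0.113.7 tries five users once each and lands one login (spray/stuffing shape);
# 198.51.100.9 hammers one account up to the lockout threshold; 192.0.2.44 is benign.
SAMPLE_LOG = """\
2019-10-01T09:00:01 203.0.113.7 alice FAIL
2019-10-01T09:00:02 203.0.113.7 bob FAIL
2019-10-01T09:00:03 203.0.113.7 carol FAIL
2019-10-01T09:00:04 203.0.113.7 dave FAIL
2019-10-01T09:00:05 203.0.113.7 erin FAIL
2019-10-01T09:00:08 203.0.113.7 heidi SUCCESS
2019-10-01T09:05:00 198.51.100.9 alice FAIL
2019-10-01T09:05:01 198.51.100.9 alice FAIL
2019-10-01T09:05:02 198.51.100.9 alice FAIL
2019-10-01T09:05:03 198.51.100.9 alice FAIL
2019-10-01T09:05:04 198.51.100.9 alice FAIL
2019-10-01T10:00:00 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return sorted(events)


def detect(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=5):
    """Return {ip: finding}. 'spray': one source fails against at least min_users
    accounts inside the window while every account stays below lockout_threshold;
    'brute_force': any single account pushed to the threshold (lockout / DoS risk)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _, _) in enumerate(evs):      # sliding window per source
            fails, successes = Counter(), set()
            for ts, _, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)              # login after failed attempts
            if not fails:
                continue
            users, peak = len(fails), max(fails.values())
            if peak >= lockout_threshold:
                kind = "brute_force"
            elif users >= min_users:
                kind = "spray"
            else:
                continue
            if ip not in findings or users > findings[ip]["distinct_users"]:
                findings[ip] = {"kind": kind, "distinct_users": users,
                                "max_attempts_per_user": peak,
                                "logins_after_failures": sorted(successes)}
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

The lockout threshold is the same number the instructor tells you to ask the client for; a real detector would pull it from the domain password policy rather than a default.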
