1
00:00:00,140 --> 00:00:02,770
Let's talk again about credential stuffing.
2
00:00:02,790 --> 00:00:05,360
And while we're at it, we're going to talk about password spraying.
3
00:00:05,370 --> 00:00:10,650
Now I realize we talked about this earlier in the course with breach-parse and WeLeakInfo, but I do
4
00:00:10,650 --> 00:00:17,190
think that hammering concepts over and over, and how important they are, does help with information retention.
5
00:00:17,190 --> 00:00:22,710
So again, if we look at this example here: what is credential stuffing? Well, it's just injecting breached
6
00:00:22,710 --> 00:00:25,590
account credentials in hopes of account takeover.
7
00:00:25,620 --> 00:00:31,290
So if you look at the compromised server here in the upper right-hand corner, we pull down usernames
8
00:00:31,380 --> 00:00:39,180
and credentials, and we get these from leaks like the LinkedIn leak or the Equifax leak or whatever those
9
00:00:39,300 --> 00:00:40,530
are that have come out recently.
10
00:00:40,530 --> 00:00:45,540
We get these leaked credentials and we grab these databases, we search through them like we did with
11
00:00:45,570 --> 00:00:51,360
breach-parse or like we can with WeLeakInfo, and we get these stolen credentials and we take these credentials
12
00:00:51,390 --> 00:00:54,050
and we try to pass them to the site login.
13
00:00:54,210 --> 00:01:00,960
Now we could take a look at a real-life example of that, which I have pulled up here, and again this is
14
00:01:00,960 --> 00:01:04,710
just an example of the Tesla breach-parse.
15
00:01:05,250 --> 00:01:07,490
So we have some usernames and passwords.
16
00:01:07,500 --> 00:01:09,190
We have repeat offenders.
17
00:01:09,210 --> 00:01:13,080
Remember, we also have similar passwords here.
18
00:01:13,080 --> 00:01:19,020
But the art of credential stuffing is taking these passwords and these usernames and throwing them at
19
00:01:19,020 --> 00:01:19,940
a website.
20
00:01:20,040 --> 00:01:21,040
That's all it is.
21
00:01:21,060 --> 00:01:25,720
So we're going to throw them at a website and just kind of spray and pray.
22
00:01:25,770 --> 00:01:32,600
Now I've just gone ahead and opened up this same tesla-master. I've only opened up the users and the
23
00:01:32,600 --> 00:01:35,230
passwords just for an example of spraying.
24
00:01:35,360 --> 00:01:40,840
This video is going to be in theory only. I don't want you attacking Tesla's website.
25
00:01:41,060 --> 00:01:47,180
So just take this for example; you can follow all the way up until the point that we actually hit attack.
26
00:01:47,330 --> 00:01:48,680
If you want to follow along.
27
00:01:48,740 --> 00:01:52,700
But for this please do not attempt an exploit against Tesla.
28
00:01:52,700 --> 00:01:55,810
You do not know when the criteria are going to change.
29
00:01:55,820 --> 00:01:58,460
And I just don't want you getting in trouble just in case it does.
30
00:01:58,460 --> 00:02:05,850
So from here I'm going to go ahead and go to Firefox, and while we are in Firefox, what I want to do is
31
00:02:05,850 --> 00:02:13,450
I want to take a quick pit stop and go to Google, and I want to look up something called FoxyProxy.
32
00:02:13,530 --> 00:02:14,660
So go ahead and do this.
33
00:02:14,670 --> 00:02:19,590
Look up FoxyProxy like this, not Foxy, FoxyProxy.
34
00:02:19,590 --> 00:02:23,470
And go ahead and click on this top one here, the Standard.
35
00:02:23,820 --> 00:02:28,500
And we're just gonna go ahead and install the Standard into our Firefox.
36
00:02:28,800 --> 00:02:32,900
And this is going to be a useful tool that we'll be using throughout the course.
37
00:02:32,910 --> 00:02:36,090
So OK, we've got FoxyProxy installed.
38
00:02:36,390 --> 00:02:40,110
Now what has happened: up in the right-hand corner we've got this here.
39
00:02:40,290 --> 00:02:46,430
You see FoxyProxy is here and we can say, hey, Options, and in the options we're going to add in a proxy
40
00:02:46,430 --> 00:02:50,770
over here on the left and we're just going to call it Burp Suite
41
00:02:53,590 --> 00:02:55,730
and then over here we've got proxy types.
42
00:02:55,780 --> 00:03:03,070
We're just gonna leave this at HTTP and then we're gonna give it an address, which is 127.0.0.1,
43
00:03:03,080 --> 00:03:05,420
same thing as before.
44
00:03:05,450 --> 00:03:13,410
And again this is 8080. We'll hit save and then we're going to go ahead and close out, and then
45
00:03:13,410 --> 00:03:16,890
all we have to do now is click this and click this.
46
00:03:16,950 --> 00:03:20,940
And now Burp Suite is turned on. Super simple, so let's go ahead
47
00:03:20,940 --> 00:03:28,260
also to our applications, and let's just go up here and open up Burp Suite and let's test out our proxy
48
00:03:28,260 --> 00:03:36,790
and make sure... ignore the errors, don't worry about those. Let's go ahead and hit next and use Burp defaults.
49
00:03:36,820 --> 00:03:39,000
And I will give you a second here to catch up.
50
00:03:39,010 --> 00:03:45,910
So I realize that I might be clicking through a little fast, so once you have everything set up like
51
00:03:45,910 --> 00:03:51,070
this, what we're going to do is we're just going to make sure our proxy works. I'm going to refresh the
52
00:03:51,070 --> 00:03:55,030
page and you can see that it worked, so easy on, easy off.
53
00:03:55,030 --> 00:03:56,610
That's all we're looking for here.
54
00:03:56,740 --> 00:04:02,350
Instead of having to go in the menu and go to preferences and, you know, go through that whole process,
55
00:04:02,410 --> 00:04:03,970
all we've got to do is click a little button.
56
00:04:03,970 --> 00:04:06,340
We could turn it on or off within a couple of clicks.
57
00:04:06,730 --> 00:04:12,880
So from here I'm going to turn the intercept off and we're just gonna go ahead and go to tesla.com
58
00:04:16,290 --> 00:04:21,240
and Tesla should look like this when you go to it. In the upper right-hand corner there is a sign-in
59
00:04:21,240 --> 00:04:21,870
button.
60
00:04:21,870 --> 00:04:22,950
Go ahead and click Sign In
61
00:04:25,770 --> 00:04:31,140
and again, this is just a watch-and-learn exercise; you can follow along up until the point that we fire
62
00:04:31,140 --> 00:04:31,920
the attack.
63
00:04:31,950 --> 00:04:37,260
There will be opportunities here, and very, very soon, videos where you actually get to do this and you
64
00:04:37,260 --> 00:04:38,200
can practice along.
65
00:04:38,580 --> 00:04:44,480
So from here let's turn on the intercept and let's go ahead and just put in a fake e-mail. We'll do test
66
00:04:44,480 --> 00:04:53,770
@test.com and we'll do test as the password and hit sign in, and that intercepts here so you can
67
00:04:53,770 --> 00:04:58,600
see the user equals, or e-mail equals, test@test.com and password equals test.
68
00:04:58,600 --> 00:05:05,350
We're going to go ahead and just right-click this and say Send to Intruder, and from Intruder what we're
69
00:05:05,350 --> 00:05:13,470
going to do is we're going to go to Positions in here and then we're gonna clear, all those green go
70
00:05:13,470 --> 00:05:16,320
away, because it tries to auto-select positions for us.
71
00:05:16,950 --> 00:05:24,190
So now what we're going to do is we're just going to highlight this here and we're going to say Add, and
72
00:05:24,190 --> 00:05:29,050
then we're going to highlight this here and we're gonna say Add, so we're selecting two different parameters.
73
00:05:29,050 --> 00:05:32,560
We're selecting the e-mail parameter and we're selecting the password parameter.
74
00:05:32,800 --> 00:05:34,570
And now we have different attack types up here.
75
00:05:34,570 --> 00:05:39,530
The most common that we're going to use is Sniper, but Sniper uses one parameter.
76
00:05:39,700 --> 00:05:47,040
So we're actually going to use what is called a Pitchfork here, and we're going to go ahead and go over
77
00:05:47,040 --> 00:05:50,540
to our Payloads, and what we're going to do...
78
00:05:50,540 --> 00:05:56,550
All right, what I'm going to do is I want to take this list of users and I'm just going to copy this and I'm
79
00:05:56,550 --> 00:06:05,520
going to paste it, and then on the second one I'm going to take my list of passwords and I'm going to
80
00:06:05,520 --> 00:06:14,940
paste it. Now what this is doing, to go back to Payloads: that one has all the usernames, it's going into the
81
00:06:14,940 --> 00:06:19,960
first one we set here; payload set two, all the passwords.
82
00:06:19,960 --> 00:06:23,250
Those are all going into here and we have 30 total accounts.
83
00:06:23,260 --> 00:06:25,200
Meaning, what's happening with this?
84
00:06:25,240 --> 00:06:28,390
This Pitchfork is payload one,
85
00:06:28,480 --> 00:06:32,990
number one is corresponding to payload two, number one.
86
00:06:33,130 --> 00:06:34,380
So they only run together.
87
00:06:34,390 --> 00:06:36,550
So this will run the username and password.
88
00:06:36,550 --> 00:06:39,190
These are just the separated users and passwords.
89
00:06:39,190 --> 00:06:43,650
This will run this username against this password here.
90
00:06:43,660 --> 00:06:50,770
So what we're going to do is just... we'll start the attack, and it just says, hey, this is a demo version of Intruder
91
00:06:50,770 --> 00:06:51,840
because you're on Community.
92
00:06:51,850 --> 00:06:53,550
Don't worry about that; it still runs.
93
00:06:54,040 --> 00:06:55,050
It's just a little slower.
94
00:06:55,060 --> 00:06:57,970
I'm going to go ahead and hit pause on the attack.
95
00:06:57,970 --> 00:07:02,170
Now there are some interesting things that we can look for when we're doing this.
96
00:07:02,170 --> 00:07:05,950
What we're looking for is a status code change of some sort.
97
00:07:05,950 --> 00:07:11,740
Maybe we see 200s here and we want like a 301, which means a redirect, or we see a significant
98
00:07:11,740 --> 00:07:13,090
change in length.
99
00:07:13,150 --> 00:07:18,550
That would be a good indicator that maybe we had a successful login. Other items too: we can
100
00:07:18,550 --> 00:07:23,640
click here and look at the response, and we can say, OK, what did the response say?
101
00:07:23,780 --> 00:07:27,790
If we scroll down, maybe it said something in here about failed login.
102
00:07:27,820 --> 00:07:28,050
OK.
103
00:07:28,060 --> 00:07:33,120
"We could not sign you in," and we could just take "we could not sign you in" like this.
104
00:07:33,190 --> 00:07:37,250
Copy this and then we can come back.
105
00:07:37,360 --> 00:07:38,630
We'll close this attack.
106
00:07:38,770 --> 00:07:44,650
We'll come into Options here, and there's actually a grep feature, so we can remove... we can clear all these
107
00:07:45,690 --> 00:07:52,690
in this little box and just paste this and say, yes, match this here, so watch what this does.
108
00:07:53,110 --> 00:07:59,970
So we're going to start this attack again, and then I'm going to pause it, and you can now immediately look
109
00:07:59,970 --> 00:08:04,230
at the checkboxes. This means it's showing up in the response; it's grepping it out.
110
00:08:04,230 --> 00:08:07,090
It knows immediately that we didn't sign in successfully.
111
00:08:07,530 --> 00:08:10,920
So this is an example of a credential stuffing attack.
112
00:08:11,400 --> 00:08:16,350
So we're looking for these few different things: a status change, a significant length change. Like, we're seeing
113
00:08:16,380 --> 00:08:17,790
all the same kind of lengths here.
114
00:08:17,810 --> 00:08:24,630
But what if it was like 5,000 or 2,000 or 15,000? If the page length changes,
115
00:08:24,780 --> 00:08:29,130
there's a good chance that you signed into something and we have a, yes, a login.
116
00:08:29,130 --> 00:08:30,560
Same thing here with this.
117
00:08:30,570 --> 00:08:35,360
If you can find your error code, or what it says, and then grep on that, then you can click up here and
118
00:08:35,410 --> 00:08:40,860
sort by that, and you can search for the ones that don't return that and possibly have a login as well.
119
00:08:40,860 --> 00:08:44,250
So this is the art of credential stuffing.
120
00:08:44,280 --> 00:08:46,620
Now let's say we wanted to close this out.
121
00:08:46,650 --> 00:08:49,800
We want to go back and we want to do password spraying.
122
00:08:49,830 --> 00:08:52,250
Well, we're going to go ahead and just clear this out.
123
00:08:52,500 --> 00:08:58,410
And if you remember, password spraying is the art of using known usernames without a known password.
124
00:08:58,800 --> 00:09:04,610
So we'll just say Add here and we would gather a list of all the possible users that we can think of.
125
00:09:04,740 --> 00:09:10,620
We can look at Hunter.io, we can look at, you know, the breached password lists, we can look at LinkedIn
126
00:09:10,620 --> 00:09:17,660
and gather people who work there, come up with this big list and then actually, clear, sorry.
127
00:09:17,700 --> 00:09:19,050
No, this is right.
128
00:09:19,110 --> 00:09:23,850
We'll add these and we'll have all the different users, and then for this we'll just change the request
129
00:09:23,850 --> 00:09:34,170
to like Fall of 2019, or we can set it up... we could set this up here like Fall2019! or
130
00:09:34,170 --> 00:09:38,550
whatever the time frame is, or however you want, or maybe, you know, they work at Tesla.
131
00:09:38,550 --> 00:09:46,200
So maybe we'll do a Tesla1 if they have a weak password policy, or 123, or @, or #;
132
00:09:46,500 --> 00:09:47,970
you just try a few of these.
133
00:09:47,970 --> 00:09:54,990
The only downside to this is you are most likely attacking Active Directory accounts. When you're attacking
134
00:09:54,990 --> 00:10:00,570
Active Directory accounts, you want to be very careful, because you could lock them out without even trying.
135
00:10:00,570 --> 00:10:08,130
So if you're doing a pen test, the best idea is to ask before you attack; say, hey, how many attempts do
136
00:10:08,130 --> 00:10:13,380
you have unsuccessfully before a lockout happens, because the worst thing you want
137
00:10:13,380 --> 00:10:19,860
to do is fire off ten of these in a row, lock out a bunch of users and cause a denial of service. That is very,
138
00:10:19,860 --> 00:10:24,720
very possible and very, very easy to do, so make sure you're not just firing these willy-nilly, that you
139
00:10:24,720 --> 00:10:30,090
have a good idea of the password policy, the lockout policy, etc. That will really help you when you do
140
00:10:30,090 --> 00:10:36,840
these attacks, but you just want to do these kind of one or two at a time, wait a few hours, fire another
141
00:10:36,840 --> 00:10:40,800
one or two at a time, and you should be good to go. OK.
142
00:10:40,810 --> 00:10:47,320
So same deal here, we could fire this and we could just say, you know, all the... say password 123,
143
00:10:47,650 --> 00:10:53,840
and we'll just switch this to Sniper here, and if we come to the Payloads you can see it just kept
144
00:10:53,840 --> 00:10:54,550
the emails.
145
00:10:54,560 --> 00:10:56,450
There is no payload two anymore.
146
00:10:56,450 --> 00:11:06,300
So what this would do if we hit start attack is it would start firing this against this e-mail address
147
00:11:06,630 --> 00:11:12,240
with a password of 123, and then this on this e-mail address with the password of 123;
148
00:11:12,660 --> 00:11:18,150
it would just go down the list, and that's all password spraying is. But the feature that I'm showing you
149
00:11:18,150 --> 00:11:25,170
here, between credential stuffing and password spraying, is by far the most common way that we get in on
150
00:11:25,170 --> 00:11:26,490
external assessments.
151
00:11:26,760 --> 00:11:31,860
Way, way more than you're ever gonna see just an exploit out in the wild. You're gonna see this
152
00:11:31,860 --> 00:11:36,450
most likely, and second you're probably gonna see something like default credentials.
153
00:11:36,540 --> 00:11:42,480
So if you see a login page, always check default credentials, because you never know. You're likely not
154
00:11:42,480 --> 00:11:49,170
going to see an exploit out there, because the chances are, one is that if you see an exploit like that
155
00:11:49,170 --> 00:11:52,290
out there, who knows who else is seeing that already.
156
00:11:52,290 --> 00:11:56,310
What kind of bad actors? Because bad actors are scanning the Internet all the time for these sorts of
157
00:11:56,310 --> 00:11:59,880
things, and if they're seeing it, then guess what.
158
00:12:00,030 --> 00:12:01,680
You know, or if you're seeing it, then guess what.
159
00:12:01,680 --> 00:12:03,300
They're probably already seeing it as well.
160
00:12:03,300 --> 00:12:06,570
So that's a bad situation too.
161
00:12:06,680 --> 00:12:13,170
You've got to think of protection and clients. Just think of clients like a house: when you talk about the
162
00:12:13,290 --> 00:12:18,450
external of your house, your external, your doors have really good locks on them.
163
00:12:18,450 --> 00:12:20,370
You might have two locks on your door.
164
00:12:20,490 --> 00:12:22,810
You might have good lighting, all this other stuff.
165
00:12:22,850 --> 00:12:24,930
I'd like to try to keep bad guys out.
166
00:12:25,320 --> 00:12:28,640
But on the inside some of your doors probably don't even lock.
167
00:12:28,860 --> 00:12:31,460
And that's really how you can treat an external assessment.
168
00:12:31,560 --> 00:12:37,960
The clients do a really good job of, you know, beefing up their external.
169
00:12:38,070 --> 00:12:41,600
But when it comes to the internal it's not usually as good.
170
00:12:41,640 --> 00:12:44,330
So same thing with physical assessments as well.
171
00:12:44,340 --> 00:12:46,790
You just gotta, you gotta get inside.
172
00:12:46,890 --> 00:12:52,040
Once you're inside, it's kind of easy breezy for the most part, so take that lesson away.
173
00:12:52,200 --> 00:12:57,780
If anything you take from the course, again, at least for the external side, take away that enumeration
174
00:12:57,780 --> 00:13:02,970
and information gathering are super important, because you want to get to the stage here where you are doing
175
00:13:02,970 --> 00:13:07,110
these credential stuffing attacks, and you can use Burp Suite for it.
176
00:13:07,110 --> 00:13:11,880
This is my favorite go-to. There's other methods as well, but it's so easy just to grab any different
177
00:13:11,880 --> 00:13:18,390
website and just, you know, intercept the proxy, send it to Intruder, make one modification and fire it
178
00:13:18,390 --> 00:13:19,180
off.
179
00:13:19,320 --> 00:13:20,990
So super, super simple.
180
00:13:21,030 --> 00:13:25,800
This is something that will come up in an interview as well, so make sure you're very aware of it and
181
00:13:25,800 --> 00:13:29,120
make sure you watch this again if you need to understand the concepts.
182
00:13:29,130 --> 00:13:34,380
So from here we're gonna go ahead and take a quick look at our notes in the next video, just kind of
183
00:13:34,380 --> 00:13:39,480
where I want you to be with your notes, and then we're going to get into what I call the mid-course capstone,
184
00:13:39,480 --> 00:13:44,920
where I'm going to show you a bunch of different hacks and just my thought process and theories and
185
00:13:44,940 --> 00:13:50,760
thinking when I go into a scan and look at results, just so you can kind of get into the mind
186
00:13:50,760 --> 00:13:55,500
of an attacker and how we think, and then we'll start moving on to exploit development.
187
00:13:55,500 --> 00:13:59,100
And my favorite, the Active Directory exploitation.
188
00:13:59,100 --> 00:14:01,490
So I look forward to seeing you in the next video.