1
00:00:00,570 --> 00:00:08,820
In this lesson I'm going to be talking about password attacks.

2
00:00:02,430 --> 00:00:18,420
So similarly to just normal password attacks against systems,
what you're usually doing is some form of brute force.

3
00:00:10,950 --> 00:00:33,120
And I'm going to do a quick search here for a user, and I'm going to find
web pages that have come from my scans that have a user associated with them, or a UID.

4
00:00:26,029 --> 00:00:38,250
And here's a good one: here's a login form, and it looks like
there's a user ID and a password that's associated with it.

5
00:00:35,039 --> 00:00:46,890
So I can actually send that one to the Intruder, and I'm going to go to the Intruder.

6
00:00:41,160 --> 00:00:51,809
I'm going to take a look at my positions.
So I've got a number of attack types that I can use,

7
00:00:46,890 --> 00:01:04,589
and I'm going to use a cluster bomb approach, because that gives me the ability
to manipulate the user ID and the password with two different types of payloads.

8
00:00:56,640 --> 00:01:14,670
So in the first payload set I am going to put in usernames,
and Burp Suite has a number of usernames that are built in,

9
00:01:07,920 --> 00:01:21,570
and in the second payload set I am going to put in passwords.

10
00:01:14,670 --> 00:01:27,510
And I'm not going to do any options here; I'm actually just going to start my attack,

11
00:01:24,330 --> 00:01:36,900
except that it requires me to plug this in, and so I'm going to do a simple list,

12
00:01:32,400 --> 00:01:45,600
and I'm going to go back and actually add the value back in,
so I'm not actually playing with the value at all.

13
00:01:41,940 --> 00:01:54,690
I'm just going to use one payload to use what it was,
and then I am going to go run my attack.

14
00:01:49,080 --> 00:02:09,000
And what this is doing is it's brute-forcing, so what it's going to do is
check all of the usernames with the first password, and then it's going to go
check all of the usernames with the second password.

15
00:02:02,280 --> 00:02:20,130
And you can see there are like 30 million requests that we're going to be
going through here just to do this brute force password attack.

16
00:02:14,040 --> 00:02:25,680
Now one of the interesting things here is that the different payloads
have these special characters in them,

17
00:02:23,400 --> 00:02:37,800
and usually you wouldn't have special characters, because that may open
the door to things like SQL injection or cross-site scripting.

18
00:02:31,680 --> 00:02:44,400
So normally you would do some sort of input validation on any data that you get,

19
00:02:41,070 --> 00:02:53,340
and it's useful to do the input validation at the border
between different layers in your application architecture.

20
00:02:47,130 --> 00:03:06,450
You wouldn't do the validation strictly at the browser, for example,
because that's going to be done in JavaScript, and I can always run a proxy
behind your JavaScript and undo any validation that you may have done there.

21
00:03:03,120 --> 00:03:16,560
So while validation is useful to do in JavaScript, and you can certainly
do it in the browser, there are ways of getting around that,

22
00:03:12,510 --> 00:03:22,080
and you also can't guarantee that there may not be something happening at different layers.

23
00:03:19,260 --> 00:03:33,780
And so it's useful to do some level of input validation at the different layers
between your application architecture, so that's always helpful to do.

24
00:03:29,489 --> 00:03:44,120
Now this is going to take quite a while to run, and I'm not going to
actually run it to completion; I'm going to pause the back here,

25
00:03:37,950 --> 00:03:53,519
because the goal was simply to show you a different way of doing
a password attack, and just the ways that password attacks work.

26
00:03:47,940 --> 00:03:59,489
So it actually showed me some different things here with regards to the password.

27
00:03:53,519 --> 00:04:07,950
Another way of doing a password attack against a web application
is in cases where there is a clear-text submission of a password.

28
00:04:05,970 --> 00:04:20,070
So you can see here there was actually no encryption involved in this
particular submission of this password; it was all done in the clear,

29
00:04:14,190 --> 00:04:25,400
and because of that I could actually run a sniffer on the network
and be able to capture the username and password.

30
00:04:25,930 --> 00:04:39,789
So that's another type of password attack that you can use,
and it's not commonly one you could use against systems,

31
00:04:33,460 --> 00:04:44,740
but often web applications are done without SSL or TLS involved,
and so there's no encryption.

32
00:04:39,789 --> 00:04:57,520
And sometimes I guess people believe that, because we're primarily in switched
architectures these days, that they are sort of invulnerable to grabbing
passwords like that. The reality is they're just not,

33
00:04:54,880 --> 00:05:10,780
and so encryption, particularly since it's pretty easy to do, encryption is just
really something that you should be doing any time you're transmitting data
between a client and a server.

34
00:05:04,930 --> 00:05:22,389
So input validation is a really good thing to protect against
cross-site scripting and SQL injection and other types of attacks,

35
00:05:16,030 --> 00:05:26,580
and also you want to be doing encryption on your communication
between your web server and your browser.