1
00:00:00,380 --> 00:00:08,160
In this lecture I'd like to show you another way of bypassing captive portals. Since the captive portal is
2
00:00:08,160 --> 00:00:09,330
an open network.
3
00:00:09,390 --> 00:00:16,050
We can just connect to it normally, and once we connect we'll get an IP address and everything.
4
00:00:16,150 --> 00:00:21,310
And what we'll do in that case is run a normal ARP spoofing attack.
5
00:00:21,810 --> 00:00:27,180
Now, as we know, this attack will place us in the middle of the connection between the client and the
6
00:00:27,180 --> 00:00:28,050
router.
7
00:00:28,230 --> 00:00:34,320
And this way all the data will flow through our computer, including usernames, passwords, URLs and
8
00:00:34,320 --> 00:00:36,120
everything.
9
00:00:36,120 --> 00:00:41,820
The advantage of this method is that the data will flow through our computer, so we're going to become
10
00:00:41,820 --> 00:00:43,010
the man in the middle.
11
00:00:43,170 --> 00:00:49,590
And because we don't have Internet access through this network, when we do this attack the clients
12
00:00:49,590 --> 00:00:55,950
that we are targeting will automatically lose their connection and will automatically be asked to enter
13
00:00:55,950 --> 00:01:02,190
the username and password, without us having to run the deauthentication attack.
14
00:01:02,250 --> 00:01:09,270
The reason for this, like I said, is because every request they send will be redirected to our computer; our
15
00:01:09,270 --> 00:01:11,580
computer will send the request to the router.
16
00:01:11,760 --> 00:01:14,440
The response will be that we don't have a connection.
17
00:01:14,460 --> 00:01:19,680
The router will ask us to log in, so that response will be forwarded to the client, and the client
18
00:01:19,680 --> 00:01:23,630
will automatically be asked to log in again.
19
00:01:23,630 --> 00:01:29,300
So let me show you. I have my Windows machine here, and this Windows machine is connected, so we can search
20
00:01:29,300 --> 00:01:33,050
for anything; we can search for "test" for example, and that will work.
21
00:01:33,050 --> 00:01:37,940
So this machine has an Internet connection, already authenticated with the network, and they're happy; they're
22
00:01:37,940 --> 00:01:40,310
using their internet connection.
23
00:01:40,310 --> 00:01:42,740
Now what we're going to do is we're going to go back to Kali.
24
00:01:42,830 --> 00:01:45,040
We'll first connect to the network.
25
00:01:45,080 --> 00:01:51,350
So I'm going to go up. My wireless adapter is already connected to Kali and it's in managed mode.
26
00:01:51,350 --> 00:01:55,860
It's not in monitor mode, because you can't connect to networks when you're in monitor mode.
27
00:01:56,180 --> 00:01:58,990
So I'm going to go on the Wi-Fi.
28
00:01:59,270 --> 00:02:07,730
I'm going to select a network, and I'm going to select my target network, which is Airport hotspot.
29
00:02:07,950 --> 00:02:13,980
I'm going to connect and wait for it until it gets connected.
30
00:02:14,850 --> 00:02:20,160
And now that I'm connected, I'm just going to go on Firefox just to show you that I actually don't have
31
00:02:20,160 --> 00:02:24,350
a connection now; so I'm just connected to the network, but I don't have an Internet connection.
32
00:02:24,420 --> 00:02:27,810
I have to log in, put my username and password, to access the Internet.
33
00:02:29,050 --> 00:02:32,830
So let's try to go to bing.com.
34
00:02:33,100 --> 00:02:37,120
And as you can see I get asked to enter a password.
35
00:02:37,120 --> 00:02:38,780
So we're coming here.
36
00:02:38,920 --> 00:02:42,190
We're going to do a normal ARP spoofing attack.
37
00:02:42,550 --> 00:02:44,860
So there are a number of ways to do this.
38
00:02:44,890 --> 00:02:50,580
You can use arpspoof like I showed you before and then sniff the data using Wireshark.
39
00:02:51,100 --> 00:02:58,420
Alternatively you can use MITMf and just do mitmf --arp --spoof
40
00:02:58,550 --> 00:03:06,490
with the interface, which is wlan0, and set the gateway, which in our case we can just split the screen
41
00:03:06,490 --> 00:03:14,420
here and do route -n, and we can see it's 192.168.2.1.
42
00:03:14,680 --> 00:03:20,660
So we just do 192.168.2.1, hit enter.
43
00:03:20,680 --> 00:03:25,690
It'll put you in the middle of the connection and then when the target enters the password you'll capture
44
00:03:25,690 --> 00:03:27,150
it.
45
00:03:27,210 --> 00:03:31,740
Now I've already showed you how to use MITMf before, and I know some people actually
46
00:03:31,740 --> 00:03:34,900
face issues with running it against real networks.
47
00:03:34,920 --> 00:03:38,880
Now I've suggested a lot of solutions for it, and the solutions usually work.
48
00:03:39,150 --> 00:03:43,260
But what I want to show you in this lecture, since you already know how to use MITMf, I'm
49
00:03:43,260 --> 00:03:48,540
going to show you another tool that I really, really like and I used to use even before MITMf
50
00:03:48,570 --> 00:03:50,040
even existed.
51
00:03:50,040 --> 00:03:55,020
The thing is this tool went out of date for a while, and now it's actually being developed again and
52
00:03:55,020 --> 00:03:56,620
people are updating it again.
53
00:03:56,730 --> 00:04:00,200
So it works just as well as it used to.
54
00:04:00,210 --> 00:04:04,970
Now I'm going to clear this, and the name of this tool is ettercap.
55
00:04:04,980 --> 00:04:11,150
Now you've probably heard of it; we can use ettercap to do a large number of things, including becoming
56
00:04:11,180 --> 00:04:14,360
the man in the middle using ARP spoofing.
57
00:04:14,360 --> 00:04:15,970
So this is what we're interested in.
58
00:04:15,970 --> 00:04:21,420
We're going to do ettercap, we're going to do -T
59
00:04:21,420 --> 00:04:28,230
Q to tell it I want to run in text mode and I want this text mode to be quiet, so that's what the T and
60
00:04:28,230 --> 00:04:30,260
Q stands for.
61
00:04:30,270 --> 00:04:34,610
We're going to tell it -M to give it the mode that we want to run in.
62
00:04:34,710 --> 00:04:36,810
And we want to do ARP spoofing.
63
00:04:36,900 --> 00:04:40,830
So we're going to do arp:remote.
64
00:04:40,960 --> 00:04:43,780
We're going to give it the interface.
65
00:04:44,180 --> 00:04:50,570
And finally we want to target all the computers; we don't have one specific target, and any password we
66
00:04:50,570 --> 00:04:53,240
get will allow us to log into the target network.
67
00:04:53,240 --> 00:04:55,580
So we're happy with anything that we get.
68
00:04:55,580 --> 00:05:02,810
So we're just going to do three forward slashes to say that I want you to target all the clients in
69
00:05:02,810 --> 00:05:05,280
the current network.
70
00:05:05,330 --> 00:05:10,340
So like I said, you can use MITMf if you're comfortable with it, using this command,
71
00:05:10,370 --> 00:05:11,380
and that will work.
72
00:05:11,540 --> 00:05:16,820
I'm just showing this example to show you another tool that I really, really like, and it actually works
73
00:05:16,820 --> 00:05:18,610
very very well.
74
00:05:18,700 --> 00:05:21,030
So the name of the tool is ettercap.
75
00:05:21,500 --> 00:05:27,270
We're telling it that we want it to run in text mode, and I want this text mode to be quiet.
76
00:05:27,360 --> 00:05:30,360
We're giving it the mode or the attacks that we want to run.
77
00:05:30,470 --> 00:05:32,580
And that attack is ARP spoofing.
78
00:05:32,660 --> 00:05:36,510
So for ettercap you have to type it as arp:remote.
79
00:05:36,700 --> 00:05:38,690
We're giving it the interface.
80
00:05:38,930 --> 00:05:46,280
And then at the end you have to specify the targets with ettercap; because we don't have a specific target,
81
00:05:46,280 --> 00:05:51,500
we're putting three forward slashes to say that I want you to target all the clients in the current
82
00:05:51,500 --> 00:05:52,710
network.
83
00:05:53,390 --> 00:05:54,740
Now I'm going to hit enter
84
00:05:58,400 --> 00:06:03,560
and now as you can see ettercap is scanning, and it's telling me that it's targeting all the hosts
85
00:06:03,650 --> 00:06:07,130
in the list which means all the clients in the network.
86
00:06:07,250 --> 00:06:09,920
Now if you want to confirm that this attack is working,
87
00:06:10,070 --> 00:06:16,010
you can go on the Windows machine and check the ARP table to make sure that the router's MAC address changed
88
00:06:16,010 --> 00:06:18,090
to the Kali machine's MAC address.
89
00:06:18,230 --> 00:06:19,190
You don't have to do that.
90
00:06:19,190 --> 00:06:21,650
You can just do that to confirm that it's working.
91
00:06:21,980 --> 00:06:28,010
But now if I come to the Windows machine here you can see that it's automatically shown me the bar on
92
00:06:28,010 --> 00:06:31,910
top saying that I need to log in, even though I had logged into this network.
93
00:06:31,910 --> 00:06:34,920
I could use the Internet and do anything I want.
94
00:06:35,090 --> 00:06:37,550
Now if I try to go to any different web page
95
00:06:40,780 --> 00:06:47,320
you'll see that it automatically redirects me to the login page and it's literally preventing me from
96
00:06:47,320 --> 00:06:47,990
going anywhere.
97
00:06:48,010 --> 00:06:54,970
Even though this client has already signed into this network, it should already have access to the Internet.
98
00:06:55,000 --> 00:06:58,040
The reason for this is because any request
99
00:06:58,060 --> 00:07:04,360
this client sends is being sent to the Kali machine, and the Kali machine does not have access to the
100
00:07:04,360 --> 00:07:05,040
Internet.
101
00:07:05,080 --> 00:07:13,540
So the response that Kali gets is this page; therefore Kali forwards this response to this computer,
102
00:07:13,600 --> 00:07:15,550
which is being poisoned.
103
00:07:15,640 --> 00:07:17,680
And that's why we're seeing this login page.
104
00:07:17,680 --> 00:07:23,860
So again you don't have to do the deauthentication attack; in this case the user will automatically be
105
00:07:23,860 --> 00:07:25,250
asked to log in.
106
00:07:25,730 --> 00:07:29,400
So now the user has nothing to do but to enter their password again.
107
00:07:29,620 --> 00:07:35,820
So let's put the password and hit enter.
108
00:07:36,050 --> 00:07:40,610
Now it's trying to take me to Google and complaining about the secure connection, because there's a person in
109
00:07:40,610 --> 00:07:41,950
the middle of the connection.
110
00:07:42,170 --> 00:07:47,760
But now the user has an Internet connection, so they go to bing.com.
111
00:07:48,000 --> 00:07:49,470
They have their internet connection.
112
00:07:49,470 --> 00:07:50,850
Everything is back to normal.
113
00:07:50,850 --> 00:07:52,930
They're happy they can browse again.
114
00:07:53,250 --> 00:07:59,910
If we go to Kali again, we won't have to go to Wireshark this time, because ettercap automatically
115
00:07:59,910 --> 00:08:02,980
analyzes the data for us, just like MITMf.
116
00:08:03,330 --> 00:08:10,980
So as you can see it captured that there was a request, with a username, and the password was
117
00:08:11,060 --> 00:08:15,720
123456, and the login was submitted through this page.
118
00:08:15,720 --> 00:08:20,530
Now we can quit ettercap by typing q on the keyboard, and that's it.
119
00:08:20,530 --> 00:08:27,070
Now we can just go try to browse any page and type the password 123456, and that's it.
120
00:08:27,070 --> 00:08:30,740
We have access to the captive portal.
121
00:08:30,810 --> 00:08:35,670
Now again, the really cool thing about this method is you don't have to do the deauthentication attack.
122
00:08:35,790 --> 00:08:40,860
And even if the user has already logged in and authenticated with the network, they'll automatically
123
00:08:40,860 --> 00:08:46,650
be asked to enter their login credentials again, and you'll automatically be able to see the password
124
00:08:46,860 --> 00:08:51,720
without having to go to Wireshark and analyze the data, because again ettercap or MITMf
125
00:08:51,730 --> 00:08:54,000
will do the hard work for you.