1
00:00:01,040 --> 00:00:02,690
Oh, yes, there's plenty more to do.

2
00:00:03,610 --> 00:00:09,670
There are several tools to perform an ARP spoof attack, such as arpspoof, the command line tool,

3
00:00:09,670 --> 00:00:17,260
which is embedded in Kali, but we're going to use Ettercap for the demonstration of the ARP spoof attack.

4
00:00:18,280 --> 00:00:27,520
Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN.

5
00:00:28,520 --> 00:00:35,750
It works by putting the network interface into promiscuous mode and by ARP poisoning the target machines,

6
00:00:36,560 --> 00:00:41,960
thereby it can act as a man in the middle and unleash various attacks on the victims.

7
00:00:42,870 --> 00:00:49,710
Ettercap has both a command line interface version and a graphical user interface version, let's see them

8
00:00:49,710 --> 00:00:50,360
both in action.

9
00:00:52,890 --> 00:00:55,530
First, let me show you the command line version of Ettercap.

10
00:00:56,460 --> 00:00:59,400
So this is my network created in three.

11
00:01:00,650 --> 00:01:05,510
I have a Kali, an OWASP BWA and a Metasploitable VM in the network.

12
00:01:06,620 --> 00:01:14,240
So use ifconfig inside the VMs to check the IP addresses and the other interface configurations as

13
00:01:14,240 --> 00:01:14,620
well.

14
00:01:15,960 --> 00:01:18,600
So ping each other to be sure that they can communicate.

15
00:01:19,220 --> 00:01:19,640
OK.

16
00:01:21,440 --> 00:01:29,510
Now I go to Kali, open a terminal screen and do the same here, check the interface configuration and

17
00:01:29,510 --> 00:01:30,590
ping other VMs.

18
00:01:36,530 --> 00:01:37,810
Yep, everything's OK.

19
00:01:39,020 --> 00:01:46,190
So let's look at the ARP table of Metasploitable, type arp -n and press enter.

20
00:01:47,280 --> 00:01:54,630
So currently, there are two records in the ARP table of Metasploitable, one for Kali and one for OWASP BWA.

21
00:01:55,990 --> 00:02:02,860
Now, let me show you something, if you want to perform an ARP spoof attack, you should enable IP

22
00:02:02,860 --> 00:02:09,910
forwarding in your attacker system so that the packets will not end on your attacker system and be forwarded

23
00:02:09,910 --> 00:02:11,170
to the destination system.

24
00:02:11,530 --> 00:02:15,370
Otherwise, you'll block the traffic between the victim and the spoofed system.

25
00:02:16,370 --> 00:02:17,200
Check that out.

26
00:02:18,310 --> 00:02:23,260
So the IP address is managed by a variable, ip_forward, like in Kali.

27
00:02:24,590 --> 00:02:27,320
And to look at the file content, type

28
00:02:28,680 --> 00:02:38,970
cat /proc/sys/net/ipv4/ip_forward and press enter.

29
00:02:40,400 --> 00:02:45,130
Its value is zero, so to enable it, it has to be one, so I'll change it.

30
00:02:46,230 --> 00:02:52,380
You can open the file with a text editor and change the value, but here I'll just simply use the echo

31
00:02:52,380 --> 00:02:53,550
command for this purpose.

32
00:02:54,850 --> 00:02:55,660
echo 1,

33
00:02:56,700 --> 00:02:59,820
greater-than sign, the entire file name.

34
00:03:02,980 --> 00:03:04,470
So check the file again.

35
00:03:05,610 --> 00:03:07,830
And yes, its value is now one.

36
00:03:09,580 --> 00:03:17,320
Now, please note that Ettercap enables IP forwarding automatically, even though you don't enable it manually.

37
00:03:17,650 --> 00:03:18,010
All right.

38
00:03:18,010 --> 00:03:21,840
I want you to know what's happening behind the scenes, so to speak.

39
00:03:23,530 --> 00:03:30,160
All right, so now is the time of the attack. Before creating the command, let's see the manual of Ettercap.

40
00:03:30,970 --> 00:03:34,450
So type man ettercap and press enter.

41
00:03:35,640 --> 00:03:40,800
So here's the short definition and the long description, targets.

42
00:03:47,970 --> 00:03:51,280
-M for man in the middle, MITM attack.

43
00:03:52,200 --> 00:04:00,830
So these are the MITM attack types, ARP is at the first line, and the others, ICMP, DHCP, et cetera.

44
00:04:04,460 --> 00:04:10,130
And here are the user interface options, -T for the text only interface.

45
00:04:10,680 --> 00:04:12,580
Anyway, let's just create the command.

46
00:04:13,220 --> 00:04:22,910
So first, the command itself, ettercap, -i the interface, eth0, -T for the text only interface type.

47
00:04:24,190 --> 00:04:31,660
-M to make it a MITM attack and select the MITM attack type, arp:remote.

48
00:04:33,140 --> 00:04:40,040
So the first IP specifies the IP address, which will be spoofed and the second IP address is the victim

49
00:04:40,050 --> 00:04:46,700
system, so that means there will be a row in the Metasploitable's ARP table with Kali's MAC address

50
00:04:46,700 --> 00:04:49,790
and OWASP BWA's IP address.

51
00:04:50,750 --> 00:04:57,050
And that means when Metasploitable wants to send a packet to OWASP BWA, it will be sent

52
00:04:57,050 --> 00:04:58,140
to Kali instead.

53
00:04:58,610 --> 00:04:58,990
Right.

54
00:04:59,780 --> 00:05:06,680
And with the help of IP forwarding, the packet will arrive at OWASP BWA finally.

55
00:05:08,800 --> 00:05:16,480
Now, please don't forget to use these slashes at the beginning and end of each IP address. The command

56
00:05:16,480 --> 00:05:17,250
is ready to run.

57
00:05:17,770 --> 00:05:19,380
So let's see what it does.

58
00:05:19,420 --> 00:05:19,960
Hit enter.

59
00:05:21,920 --> 00:05:25,280
And here's a summary of the attack, the victims,

60
00:05:26,720 --> 00:05:34,250
interface type, et cetera. Now go to Metasploitable, arp -n to see the table again.

61
00:05:35,150 --> 00:05:42,380
And as you can see here, the first record is for Kali, so please look at the MAC address, and the

62
00:05:42,380 --> 00:05:45,740
second record is for OWASP BWA.

63
00:05:46,370 --> 00:05:53,720
But with the attacker's MAC address. Any packet sent from Metasploitable to OWASP BWA will visit

64
00:05:53,720 --> 00:05:54,500
Kali now.

65
00:05:55,710 --> 00:06:01,080
So let's create a telnet connection to port 80 of OWASP BWA.

66
00:06:02,930 --> 00:06:17,930
Type telnet, OWASP BWA IP and the port 80, now hit enter. Type GET / HTTP/1.0 and press enter

67
00:06:18,020 --> 00:06:18,700
twice.

68
00:06:19,910 --> 00:06:25,310
And here is the HTTP response, the main page of OWASP BWA.

69
00:06:27,300 --> 00:06:29,540
Now, let's go back to Kali and see what happens.

70
00:06:30,790 --> 00:06:38,410
So these are all the TCP packets sent from Metasploitable to OWASP BWA, ACK packet, FIN packet and

71
00:06:38,410 --> 00:06:41,470
scroll up a bit and here's a telnet connection

72
00:06:41,470 --> 00:06:44,190
result, HTTP response.

73
00:06:44,560 --> 00:06:45,460
Keep going up.

74
00:06:46,120 --> 00:06:48,340
We can find some other critical data here too.

75
00:06:51,140 --> 00:06:53,660
And here are some credentials, for example.

76
00:06:55,370 --> 00:07:01,090
In the terminal screen where Ettercap is running, you can use Ctrl+C to end the attack.

77
00:07:01,580 --> 00:07:02,770
So there it is.

78
00:07:02,780 --> 00:07:03,290
It's not.

79
00:07:04,910 --> 00:07:08,210
Now go back to Metasploitable and look at the ARP table again.

80
00:07:09,450 --> 00:07:14,820
Now, the IP address of OWASP BWA is matched with a correct MAC address.

81
00:07:17,630 --> 00:07:22,820
Now, you might remember what I told you before that, well, I hope you remember everything that I

82
00:07:22,820 --> 00:07:29,370
told you before, but in particular, Ettercap has a graphical user interface as well.

83
00:07:29,840 --> 00:07:32,330
So let's have a look at Ettercap's GUI right now.

84
00:07:33,730 --> 00:07:39,670
Again, we're in Kali. Click Show Applications menu item and type ettercap.

85
00:07:40,210 --> 00:07:40,990
And here you go.

86
00:07:40,990 --> 00:07:42,610
You'll find the Ettercap GUI.

87
00:07:43,470 --> 00:07:48,000
So these are both Ettercap GUI apps, you can just simply click one of them.

88
00:07:49,130 --> 00:07:56,420
I want to show you, though, another way to start the app. From the upper left corner, Applications, go

89
00:07:56,420 --> 00:08:01,580
to sniffing, spoofing tools and select Ettercap GUI.

90
00:08:02,850 --> 00:08:07,260
OK, so here we are at the main panel of the Ettercap GUI.

91
00:08:08,580 --> 00:08:13,590
We'd better check the network, so I'll open up a terminal screen and ping the other VMs, Metasploitable

92
00:08:13,590 --> 00:08:15,450
and OWASP BWA.

93
00:08:22,510 --> 00:08:30,010
Yeah, everything looks OK, so go to the Sniff menu of Ettercap and select Unified Sniffing.

94
00:08:31,200 --> 00:08:39,040
Asking for input interface is good, click OK. If you look at the Ettercap menu, it's totally different

95
00:08:39,040 --> 00:08:39,340
now.

96
00:08:40,580 --> 00:08:48,200
So go to Hosts and select Scan for hosts, it's a kind of a ping scan to find out the devices of the

97
00:08:48,200 --> 00:08:52,130
network. Found five devices and added them to the hosts list.

98
00:08:53,400 --> 00:09:00,000
So go back to Hosts again and now select Hosts list and here's a list, very nice.

99
00:09:00,630 --> 00:09:01,740
Works well.

100
00:09:03,080 --> 00:09:08,200
One nine two one six eight one zero one one is OWASP BWA.

101
00:09:08,840 --> 00:09:14,630
So this is the system that we'll spoof, so select it and click Add to Target 2.

102
00:09:16,270 --> 00:09:21,820
So one nine two one six eight one zero one two is Metasploitable, that's our victim.

103
00:09:22,370 --> 00:09:27,760
So we'll change its ARP table, select it and click Add to Target 1.

104
00:09:30,210 --> 00:09:31,980
I think now we're ready to attack.

105
00:09:32,010 --> 00:09:32,550
What do you think?

106
00:09:33,060 --> 00:09:37,860
All right, so let's go to Mitm and click ARP poisoning.

107
00:09:39,600 --> 00:09:43,770
OK, check the Sniff remote connections option and click OK.

108
00:09:44,760 --> 00:09:49,920
And the final step, go to Start and select Start sniffing.

109
00:09:51,010 --> 00:09:52,270
So the attack has begun.

110
00:09:53,460 --> 00:10:01,210
Let's go to Metasploitable and see the attack result. To see the ARP table, type arp -n and press enter.

111
00:10:02,450 --> 00:10:10,190
The first row is for OWASP BWA, but the MAC address is Kali's MAC. To show it, now I'll ping Kali

112
00:10:10,190 --> 00:10:11,510
to create the ARP record.

113
00:10:13,620 --> 00:10:21,480
Run the command again, and now I have another row for Kali and both Kali and OWASP BWA have the same

114
00:10:21,750 --> 00:10:22,590
MAC address.

115
00:10:23,480 --> 00:10:30,080
OK, you know the rest, the packets will be sent to Kali instead of OWASP BWA, so if you like, you

116
00:10:30,080 --> 00:10:33,990
can open Wireshark and collect the fruits of your labor.

117
00:10:34,190 --> 00:10:34,820
Enjoy it.

