Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:00
Hello, everybody. Welcome to episode number nine of the RCP course.
00:07
My name is Alejandro Guinea, and I'll be your instructor for today's session.
00:11
So the learning objectives for this session are to understand the most common Burp Suite functionalities and options,
00:18
and also to use Burp Suite to implement hacking and information gathering techniques.
00:22
So let's get down to business.
00:25
Well, first of all, let me just tell you I downloaded a virtual machine from the bWAPP website.
00:33
You know, bWAPP is just, not... it's an application, uh, a web server that is really, really vulnerable. It actually has several vulnerabilities, so you can practice on your own, but, you know, we'll be using that later in the course. But for now, you just need to know that we'll be using the virtual machine dedicated for that,
00:52
which is called bee-box. You just need to download it. And that's it.
00:57
So I have it right here. This is,
01:00
you know,
01:02
uh, bWAPP, and, you know, the login. And actually, you know, the credentials
01:07
are right there in the clear, and, you know, it's really simple, but just let me log in,
01:15
and as you can see, it has a lot of vulnerabilities we can play with,
01:21
you know, nothing. Nothing really, to be,
01:23
you know,
01:25
but for now, you just need to know that, ah, we'll be using that machine.
01:32
Um
01:34
Well, Burp Suite is a proxy. I know you guys already know what a proxy is. But, you know, to put it in simple words, a proxy is like a middleman that sits between your machine, or the client, and the web server. Or, you know, the server itself. But
01:51
why would you do that? I mean, why bother to add another step in your connection? Well, first of all, it anonymizes your traffic.
01:59
Sometimes that's really important. That's a really important feature when you're trying to hide your traffic. Maybe you're trying to perform a pen test against a server, but you don't really want to show your real IP, or show where the traffic is coming from. Uh, you know,
02:19
you can also use it for other purposes, but, you know, as for a penetration testing process,
02:23
that's, I guess, the most common use for that. You can use it combined with other tools like proxychains and the Tor network. You know, we'll discuss that later in the course.
02:37
All of this, of course, is for, well, for legal purposes. I mean, don't use it to hide your traffic from your corporate network, or maybe, you know, to, ah,
02:50
avoid being filtered by your company policy and maybe surf social media, something like that. You know, just legal stuff. That's the point.
03:00
Now, why Burp Suite? Well, Burp will intercept the connection to your web server and you can do, you know, several tasks over that connection. You know, analyze traffic, change cookies, test different responses and packages,
03:15
um, spider the web server, and so on. But first, let me, you know,
03:22
tell Burp where to listen. We're in the proxy, we're in the, or, web browser, and we have to tell it to listen in, in, in,
03:37
I mean, to go to Burp Suite first. So let me just start Burp Suite first.
03:43
Now, I don't have it up to date as for now,
03:46
you know, later, maybe a temporary project, just to show you guys.
03:51
Start Burp. And first we need to know where it will be listening, so
03:55
you can go to the Proxy tab and then to Options.
04:00
And then you see that it will be listening on the local interface on port 8080. So now you can go to your browser.
04:10
I mean, whatever browser you're using, and just go, in this case, you go to settings, you know? I mean, I don't
04:18
specifically follow this with the browser. Uh, you might be using a different browser or different stuff. So, you know, the point is that you have to actually tell the proxy that there's a proxy, I'm sorry, to tell the web server, the
04:33
browser that there's a proxy in the middle and where it will be listening. As you can see,
04:39
I'm telling it that. Well, you have to go to my local interface on port 8080 first, before any connection happens. And as you can see in Burp Suite, it will be listening here. So we're good to go.
04:54
So we set that, and from now on, any connection to any web page will be, they will go to the
05:02
proxy, uh,
05:05
to the Burp Suite proxy.
05:09
But you know,
05:11
again, what's the use of that? What's the purpose of that?
05:15
Well, let me just go here to log in to bWAPP again. Well, well, you have to, of course, tell it, I mean, intercept is on. You can turn it off if you don't want to intercept the traffic. But, you know, intercept is on, that's for now. So let me just go ahead
05:32
and log in again. Here again,
05:35
bee, bug.
05:39
Nothing to see here.
05:41
And as you can see, something changed color here, which is telling me that, you know, bee will be here and bug will be here, so you can see we can change a lot of stuff. For example, if we don't have, maybe we're not sure about the password, or, you know,
05:59
maybe we're not sure about the cookie or something, we can change it right here. There, you know, you can tell me, what? Yeah, hey, there are other web browser
06:11
plugins that you can actually use to do that. For example, HackBar. This is an amazing plugin. Yeah, I agree with that. But the point is that you can do a lot of stuff, for instance, spidering and this kind of thing. By the way, I'm using the free version of Burp Suite. If you can pay, you can actually use the paid version of it.
06:31
And if you actually are really invested in testing
06:34
web applications and, you know, are building or have to live with web applications, I highly recommend you to go with the paid version. It has a lot more stuff you can actually do than the free version. But as for now, the free version will do the work
06:48
again. You can use Intruder, the Repeater, the Sequencer, Decoder. I mean, we'll see all of them one at a time. As for now, we just first need to, uh,
07:02
make a site map. This will prevent us from, let me just go here. This will prevent us from actually going to something. Let me just
07:13
forward this, forward this,
07:15
forward this, and I'm logged in. That's the point. As you can see, so, ah, you can see, ah,
07:24
we already logged in and we saw all the information sitting in the middle here. But, you know, we need to define our target. Why's that? Because if we're going to use the spider capability, or actually any other capabilities, we don't want this to run out of control. We don't, you know, as you can see there,
07:42
several other pages are involved here. And why do you think that is? I mean, we were just running for this web page, but why do you think this is actually happening? We see Twitter here, Facebook. I mean, we don't want to scan Facebook or Twitter, we'll get into trouble. So
08:00
this happens because
08:03
these web pages, or these links, are located somewhere in this web app, maybe in the source code, or maybe there's a reference, a URL, pointing to that link or something like that. So what Burp does is gather, gathers all that information, putting it in the Target
08:22
tab. So, uh, we're, again, we don't want to, actually, uh,
08:30
scan those web pages or links. So we can add, add the site we really care about in the scope. I mean, you see the scope here because, you know, we just
08:43
once you actually, you can just go here and add here the scope, and go to this web page
08:52
and add it here.
08:54
Simple as that,
08:58
and add it right here. Okay,
09:03
"You have added an item to scope. Do you want Burp Suite to stop sending out-of-scope items to the history?" Yeah, we want that. Ah, but you can see that we actually
09:15
have a scope defined. And the point here, we can just click here and show only in-scope items.
09:22
This will prevent the scans from going nuts on other web pages,
09:26
and that will prevent us from doing malicious stuff on other servers we don't care about.
09:33
But that's the point. Simple as that. You can actually see that there's some information here already. Ah, login, you know, it saved the password, or the phrase
09:46
that we're using to log in, you know, other stuff right here.
09:50
But this is the magic of Burp Suite. It doesn't just intercept connections. It gathers all the information, all that intel, so we can play around later.
10:01
But, you know, what's the point of Spider then? I mean, isn't the spider supposed to do that? And we never clicked Spider. But, well, it could get more data and go further in the scan. Remember, we have to limit our scope again. If we don't do that, the spider will go through all the things we saw
10:20
before, and we may get into trouble.
10:22
So let's start a test. Just, you know,
10:26
Proxy here, I'm sorry, Spider, Options. And we have a lot of options here.
10:35
You know, you can stop the spider at any time, and you can just go, you know, in any page.
10:41
That's okay.
10:43
The point here is that you can limit here what to gather, what to go for, from the guidance, don't submit login forms, for example. We don't want to log in to the pages and just ignore the pages that we are actually, um, scanning for, you know. It's some stuff for here.
11:01
And we can, you know, start Spider.
11:05
You know, the spider is running, it's gathering information, you know,
11:11
use the scope defined in the Target tab. Yeah.
11:15
We actually want to do that, and, you know, stop Spider and we go to Target. You can see that there's a lot of information here. We saw, we see a page, an evil, which, no, be at me, and SQLite, way more information: portal, reset, security level, set,
11:31
a lot of information you can actually go and use here
11:35
to do some other stuff.
11:39
But, you know, let me again
11:41
go to Proxy, see? Intercept is on, and let me just log off
11:48
so I can show you the page. Okay? I have to forward here. Forward, forward, forward. See, logged off.
11:54
And what's the magic again of Burp Suite? We can, we can use several other
12:01
capabilities that, you know, for example, other plugins don't have. For example,
12:07
let me just try to log in here,
12:09
bee,
12:11
bug.
12:13
And log in. And okay, first of all,
12:16
let's go to Burp Suite again. An action, for example, Send to Intruder.
12:22
And what it uses is, actually, you know, payloads.
12:28
It actually, you know, you can define one or more payloads here. It actually performs payload list processing. You can actually, let me just go here. And, for example, we don't want to change this. I mean, this can stay the same.
12:41
This can stay the same. This can all stay the same,
12:46
and these other two things can stay the same. But actually, we want to change, what? Ah, the login and password. Um,
12:56
Payloads. For example, maybe we're not sure about what's the username or what's the password. We can, we can do this and, you know, in payload options, you can actually, you know, add, remove.
13:11
Ah, in the paid version, the pro version, you have way more capabilities than the options that I'm showing you here. Yes, you know,
13:22
and you can actually add a payload. And, you know, add from list, you know, pro version only. There's a list here you can actually load. Ah, for example, here, um,
13:37
wordlists that come with Kali Linux, for example, rockyou, rockyou.txt, a wordlist that most of the time is used to crack passwords. So you can do that. I mean, you can actually go ahead and do that.
13:50
We're not going to do that, because, well, right now we know the password, but that's the point. If you maybe don't know the password,
13:56
or maybe, for some reason, you have the password but you don't have the username, you can also do that. I mean, you can change again the positions and say, hey, you know what? I don't actually want to change the username because I got it through social engineering or whatever,
14:13
but I actually don't know the password, so I will, you know, change the password and it will try all these options. You know, that's the point of Intruder. Let me just go here and send to Repeater again.
14:26
The Repeater is willing to change, to take, you know, the parameters you may have, and we'll see what's the response. For example, what will happen if we actually change here and we put something like "secret" or something like that
14:41
and we say Go.
14:43
It will tell us what's the response. And, you know, the magic of this is you can see the response in several
14:52
formats. For example, headers, hex, XML, HTML, you know, raw. And you can render the response.
15:01
That's some good stuff right here, guys. For example, uh, actually, bWAPP. Yeah, we know that,
15:09
invalid credentials
15:11
or user not activated. Okay, I know that. So let me see what happens if I put the correct password,
15:18
bug, and I go again
15:22
and go, you know? Go, Go, go, go.
15:26
Oh,
15:28
I didn't get to do that. Okay, so, uh, that's the point. You can actually go here and, you know, as many times, follow the redirection to the right direction and, you know, again,
15:41
and the security level, low. And it doesn't say anything about me putting something that's not actually there. And if you go to bWAPP, we're still trying to log in, and remember, this is still loading, I mean, this hasn't gone to the web server, or the original response is still here in the proxy. I haven't forwarded that.
16:00
So that's another thing that you can, you know, actually do
16:03
using Burp Suite, and kind of a big deal to me, ah, Sequencer, for example. You can go to Sequencer and manually load, load any sequence you may have, you may want, I'm sorry, and maybe change the cookie or change, for example, you know that the password policy for that business is to
16:23
have a number
16:26
in the first 3 digits, I mean, maybe 1, 2, 3, to try them and create a wordlist based on that policy. For example, I know that it has to start with a capital, I don't know, capital letter or an uppercase letter, but it has to end with a number or it has to end with a symbol.
16:45
So maybe you can create
16:45
patterns and, you know, try to do that, and you have a lot of stuff. Maybe you are getting an answer or a reply from the server but it's encoded, so you can go ahead and decode it as well and compare. And, you know, a lot of options you can actually use in Burp Suite.
17:03
And it is not only that, and I always say, okay, forward that,
17:07
and I actually logged into the application. So again, Burp Suite has that capability and way more other capabilities that you can use in the pro version.
17:22
Ah, what is a proxy and how can we use it in our penetration testing process? Well, actually, you can, uh,
17:30
use it to hide your traffic or, you know, to tell the server you're actually coming from a different IP or a different, maybe, country or whatever, you can do that. And you can also use it to intercept connections so you can change them, maybe change the cookie or change information.
17:49
What does it mean when someone says they're spidering a web page? Well, it's actually trying all the possibilities to see what pages exist and maybe find some other information, login forms, cookies and files and whatever. They're actually trying to map
18:07
the Web page itself so you can have an idea of
18:11
what information is contained in that web server.
18:15
What can be achieved by the Repeater? Well, actually, you can change information and send it several times to the web server to see what's the reply or the response from the web server, and you're trying to guess a password, to maybe change the password several times and see what the response is, so you can
18:33
actually get an idea
18:36
if the password you're trying to use is correct.
18:38
In this video we saw the most common Burp Suite options to perform various Burp Suite-based hacking techniques. We executed some options over a web page to see the functionalities and the results.
18:52
Supplemental materials: I would highly recommend you to go through the Bugcrowd University course. They have a really specialized
19:03
course for Burp Suite. Looking forward, in the next video we'll cover some basic knowledge of Metasploit. Well, that's it for today, folks. I hope you enjoyed the video, and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor