Time
25 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:00
Hey, everyone. It's Ken Underhill, Master Instructor at Cybrary. In this video, we're gonna talk about attacks and persistence. In this video, we're gonna go ahead into our session hijacking lab, so we'll be using the Cybrary lab environment for this particular lab. However, I just want to make mention that we do have a session hijacking course on the site. It's a mini course; it just kind of walks you through,
00:19
um,
00:20
doing session hijacking and talks about some of the fundamentals behind it.
00:25
So, as always, I've got a step-by-step lab guide for you to use, so make sure you download that and use it; it's in the resources section of the course. So, as I mentioned, we're gonna use the Cybrary lab environment for this lab. We're just gonna go back and search for the Certified Ethical Hacker, or CEH, labs again, that lab bundle that we normally do.
00:40
So just type in CEH and press Enter there. It should be the third option down like it normally is,
00:46
and we're just gonna go ahead and click on that and select the Launch button.
00:49
We also need to select the Launch Item button at the next screen here, and that's gonna actually launch the lab environment for us.
00:56
Once that pulls up, we're gonna be looking for the Implementing Network Level Session Hijacking lab.
01:03
So let's go ahead and scroll down here. It's gonna be down the page just a little bit here.
01:08
Do you see right here? It's this lab right here, the Implementing Network Level Session Hijacking. Just go ahead and click on that and you'll see a Start button. Just go ahead and hit the Start button there. Now, what we want to do, as we normally do, is just go ahead and start up our virtual machines there. So we're gonna go ahead and hover over top, select Power On, and do that for all of them.
01:26
It just takes a minute or so here. I'm gonna go ahead and pause the video and let my machines boot up,
01:30
and you can go ahead and pause the video and let yours boot up as well.
01:34
All right. As you see, my virtual machines are booted up. Again, if yours are still booting up, go ahead and pause the video and just wait for them all to turn on. Like I said, it shouldn't take too long, usually about 30 seconds to a minute in this particular lab. But sometimes it might take a little longer.
01:49
What's our next step? We're gonna go ahead and enable Apache web services. So the way we do that is we're gonna select this PLABSA01 machine.
01:57
And while that's, ah, finishing booting up fully, we're gonna see a Server Manager window pop up in the background there. But we're down here at step number four on our step-by-step guide. We've gone ahead and selected PLABSA01. We're gonna go ahead and close the Server Manager window. We're gonna launch the XAMPP icon from the bottom here of our browser tab.
02:17
And then we're also going to select that to enable the Apache web services,
02:22
and then we're gonna move over to our Windows 10 machine. So let's go and do all those steps there.
02:27
So let's close our Server Manager window.
02:30
Select the XAMPP icon down here at the bottom. That's gonna launch. It's just gonna take a couple of seconds here, and that's gonna enable Apache web services. As I mentioned, it's like this: just click these Start buttons here to go ahead and enable those as well. And now we can click over on our Windows 10 machine.
02:46
That's gonna go ahead and bring that one up for us as well.
02:50
Now we're gonna be doing similar to what we did in the last module's lab. We're gonna connect through our Windows 10 machine to our Kali Linux box, and that's where we'll go ahead and do this lab at.
03:01
So we see we're kind of still booting in the background there. We'll get that little script running, and that should go away in just a second or so here. Now, we're gonna go ahead and select the VNC Viewer icon from our desktop screen here. That's gonna pop up; it's gonna display the IP address of the Kali machine, and then we're just gonna type in this password right here.
03:21
So we see it's gonna display the Kali Linux IP address. We'll say Connect. And then we're gonna type in the password with a capital P, lowercase A S S W, and then the number zero, so that's not a capital O, the number zero, lowercase R D. And then we can just go ahead and say OK there.
03:37
That's gonna boot up our Kali machine for us. We're gonna get this error message like we normally see; we'll select OK to that. And then we're gonna double-click on the Root Terminal icon right here.
03:47
So while that's booting up there, we're just gonna go back to our step-by-step guide. We've gone through several steps in there, and now we're down here on step number 14. We're gonna go ahead and launch Ettercap. We're just gonna type in ettercap, space, dash capital G.
04:02
So ettercap, space, dash capital G.
04:05
And that should launch the Ettercap tool for us. You see, it doesn't take too long to launch that for us. So let's go back to our lab guide here.
04:12
Next thing we're gonna do is select Sniff at the top and then Unified sniffing. So let's go and do that.
04:17
So here we're gonna select Sniff,
04:20
then Unified sniffing,
04:24
and we just want to make sure that it's eth0. So Ethernet zero.
04:29
So step 18 here, just making sure that it's eth0, and it should be in most cases. We're just gonna go and say OK there.
04:38
All right, so let's go back to our lab guide here.
04:41
Now we're gonna go ahead and scan for hosts. We're just gonna select Hosts and then Scan for hosts at the very top there. So at the top menu here, Hosts and then Scan for hosts,
04:51
and it's gonna go ahead and perform the scan. You'll see it kind of moving in the background there. It's gonna add the identified hosts to the host list. And so we're next going to click Hosts at the top and then select Hosts list so we can take a look at those.
05:05
So you'll see here down at the bottom, it shows three hosts added to the host list. So we're just gonna go to Hosts
05:13
and then look at Hosts list,
05:16
so you'll see here that we've got our different hosts listed there.
05:20
So next we're going to select our target hosts.
05:25
So just a notation there: the Windows 10 machine, that's the IP address for that. And then we already actually know that from the Nmap lab, that server IP address there. It looks like they're using the same one, the 192.168.0.1.
05:39
All right. So what we're going to do is we're gonna select this IP address first, the 192.168.0.4, and then we're going to select the Add to Target 1 button at the bottom of the window. So let's go and do that now. So we're just gonna click on that,
05:55
and then we're gonna select this Add to Target 1 button right here.
05:59
Let's go ahead and do that.
06:00
And then we're going to click our next IP address, which is the 192.168.0.1. So we're gonna click on that
06:05
and then we're gonna select the Add to Target 2 button right there.
06:10
All right, that was easy enough, right? So let's go back to our lab guide.
06:15
So what we're going to do is select Man-in-the-middle at the top menu there, and then we're gonna select ARP poisoning as the option. So go ahead and select Man-in-the-middle and then ARP poisoning.
06:28
All right. It gives us a pop-up box right here.
06:30
We're gonna go ahead and select Sniff remote connections.
06:34
So just check that box right there, and then we're just gonna select OK.
06:40
So what that's gonna do is just basically poison the ARP cache for us, and you see down here, it shows ARP poisoning victims, and it will show us which IP addresses it's poisoning right now, which victim machines it's poisoning.
06:50
Okay, so now let's go ahead and start sniffing. So we're gonna go ahead and go to the Start option here at the top and select the Start sniffing option right there.
07:00
So while that's doing that, let's go back to our lab guide here. So we're here at the start sniffing, in step 33.
07:06
Unified sniffing will begin. We may get a message at the bottom there that unified sniffing is already running. So we see unified sniffing has already started; it's showing that right there. That's perfectly fine, perfectly expected.
07:18
All right. So now what we're going to do is we're going to click back on the Windows 10 desktop here, so we're gonna essentially
07:29
minimize our Kali Linux here.
07:31
Let's go and do that.
07:34
And what we're going to do is we're gonna type in Internet Explorer. We'll go ahead and launch that, and we're gonna type in the address bar this,
07:42
uh, web URL right here: the http, colon, forward slash, forward slash, that IP address, and then forward slash dvwa, which stands for Damn Vulnerable Web Application, which is a deliberately vulnerable web application. And then from there, we're gonna go to the login page, do our admin and password,
07:59
and then we'll go back to Ettercap and see if we captured any type of information.
08:03
So let's go ahead and do that.
08:05
We're just going to select Internet Explorer at the bottom here.
08:09
We're gonna type in that URL.
08:11
So I'm a little lazy. I'm just gonna go ahead and delete out everything but the http, colon, forward slash, forward slash. And now I'm just gonna type in the 192.168.0.1, forward slash,
08:24
dvwa,
08:26
and then just press Enter. And that should take us to the login page for DVWA. And then, like I said, from there, we're gonna go ahead and enter in basically a default username and password. It's gonna be a username of admin, and then the password is the password of password, all lowercase. Sometimes it takes a moment to connect to that.
08:45
Ah, so we'll just give that a second or so to do so,
08:48
and then what we're going to do, once we've done that, is we're gonna select the Login option. And then again, we're really just trying to see if we captured any of that information in the Ettercap tool.
09:01
So it's taking a moment. So here, I'm gonna pause the video briefly and let it catch up on my end. Like I said, it may take some time to go ahead and pull up the site.
09:07
All right. So I actually noticed what the issue was on my end. It was taking forever. I fat-fingered the IP address again. So, um, one thing I recommend is don't, don't talk through, or don't talk a lot and kind of go off on tangents, as you're trying to type in IP addresses to go to the correct spot.
09:24
Um, I was typing in the 192.168.0.0. So that's why I wasn't getting anywhere.
09:28
But it's the 192.168.0.1. I mentioned what the correct one was, but I wasn't typing it in on my end. So sometimes you just have to troubleshoot, uh, the user error aspect of things. So here we are at the login page. This is where we wanted to be. Let's go ahead now and type in our username of admin, all lowercase, and our password of password,
09:50
all lowercase. And then just go ahead and log in, and we don't care, you know, it's just gonna log us in, and we don't care what it's saying once it logs us in there. But the whole goal here is to try to capture that username and password. So now that we've gone ahead and done that, let's click back on our VNC Viewer to go back to our Kali machine,
10:07
and what we want to see is, did we capture any information from those login credentials in our Ettercap tool? So if we go here, question number one here: were there any login credentials captured, and if so, just jot them down there. Whether you're gonna jot them on a piece of paper or just scream them at the computer, that's perfectly fine as well.
10:24
So we see here, if we look down here, we do see admin
10:28
as the username, and we do see that the password is password. Now, in real life, it is not normally that easy. But for our purposes, it was. So we see that, yes, we do have the credentials of admin and password.
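The walkthrough above drives Ettercap by hand and ends with the credentials showing up in its bottom pane. As an added example (it is not the instructor's code and not part of the Cybrary lab), the Python below writes out the two things that happen underneath: what an attacker recovers from the plaintext DVWA login once the victim's traffic is flowing through the Kali box, and the check a defender can run on ARP traffic to notice the ARP poisoning step. The HTTP bytes and MAC addresses are constructed for this example; the IP addresses are the lab's (192.168.0.1 for the DVWA host, 192.168.0.4 for the Windows 10 victim).

```python
"""Added example; not the instructor's code and not part of the Cybrary lab.

  1. extract_form_credentials: what an attacker sees in a plaintext DVWA
     login once the victim's traffic passes through the Kali box.
  2. detect_arp_spoof: the check a defender runs on ARP replies to notice
     the lab's ARP poisoning step.

Packet bytes and MAC addresses are constructed for this example. The IP
addresses are the lab's (192.168.0.1 DVWA host, 192.168.0.4 victim).
"""
from urllib.parse import parse_qs

# Constructed copy of the POST the Windows 10 browser sends when the user
# submits the DVWA login form over plain HTTP. Nothing is encrypted, so
# anyone in the traffic path sees these bytes verbatim.
CAPTURED_POST = (
    b"POST /dvwa/login.php HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 44\r\n"
    b"\r\n"
    b"username=admin&password=password&Login=Login"
)


def extract_form_credentials(raw: bytes, fields=("username", "password")) -> dict:
    """Pull the named form fields out of a captured HTTP request.

    Returns {} unless the request is a urlencoded form POST. This is the
    same job Ettercap's HTTP dissector does before it reports the user
    and password in its bottom pane.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {}  # no header/body boundary, so not a complete request
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "POST":
        return {}
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return {}
    length = int(headers.get("content-length", len(body)))
    form = parse_qs(body[:length].decode("latin-1"))
    return {f: form[f][0] for f in fields if f in form}


def detect_arp_spoof(arp_replies):
    """Flag every IP whose advertised MAC changes.

    `arp_replies` is an iterable of (sender_ip, sender_mac) pairs as seen in
    ARP replies on the wire. ARP poisoning is exactly an IP re-announced
    with a different MAC (the attacker's), so each change is returned as
    (ip, old_mac, new_mac). Static ARP entries on the hosts or Dynamic ARP
    Inspection on the switch would stop the poisoning; this only detects it.
    """
    table = {}
    alerts = []
    for ip, mac in arp_replies:
        mac = mac.lower()
        if ip in table and table[ip] != mac:
            alerts.append((ip, table[ip], mac))
        table[ip] = mac
    return alerts


# Constructed ARP traffic: the legitimate mappings first, then the Kali
# box (MAC ending cc:cc:cc) claiming both target IPs, which is what the
# lab's ARP poisoning with both targets selected produces.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1", "00:50:56:aa:aa:aa"),  # real DVWA host
    ("192.168.0.4", "00:50:56:bb:bb:bb"),  # real Windows 10 victim
    ("192.168.0.1", "00:50:56:cc:cc:cc"),  # Kali to victim: "I am .0.1"
    ("192.168.0.4", "00:50:56:cc:cc:cc"),  # Kali to host:   "I am .0.4"
]

if __name__ == "__main__":
    print("captured:", extract_form_credentials(CAPTURED_POST))
    for ip, old, new in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(f"ARP change for {ip}: {old} -> {new}")
```

Two caveats worth keeping in mind when you run the lab for real: the credentials are readable only because DVWA is served over plain HTTP, so the same capture against an HTTPS site yields a TLS handshake and nothing else; and a MAC change on its own is not proof of an attack (a replaced NIC or a failover gateway also triggers it), so in production you would pin the gateway's known MAC and alert when anything else claims its IP.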

Attacks and Persistence for Incident Handlers

Attacks and Persistence for Incident Handlers covers several different types of attacks, with a focus on DNS attacks and USB attacks. Ken Underhill also walks you through a session hijacking lab to simulate an attacker exploiting an established session to harvest user login credentials.

Instructed By

Ken Underhill
Master Instructor at Cybrary