WEBVTT

0
00:00:00.000 --> 00:00:02.190
So now we know the user name is administrator.

1
00:00:02.200 --> 00:00:04.910
We know the password length is 20 characters.

2
00:00:04.920 --> 00:00:08.090
The next target is to actually get that password.

3
00:00:08.220 --> 00:00:10.860
The problem with that is it's a 20 character

4
00:00:10.860 --> 00:00:14.080
password and we can't actually get it displayed anywhere.

5
00:00:14.090 --> 00:00:16.835
Therefore we're going to have to follow a very similar approach

6
00:00:16.835 --> 00:00:20.595
to what we did in the previous blind SQL injection example.

7
00:00:20.715 --> 00:00:23.585
Again we're simply just manipulating the condition in here.

8
00:00:23.595 --> 00:00:25.925
We're asking if the user name is administrator

9
00:00:26.125 --> 00:00:26.755
and

10
00:00:26.945 --> 00:00:30.170
the first character of the password is A.

11
00:00:30.500 --> 00:00:33.370
And the way we're doing this, we're using the substring function.

12
00:00:33.380 --> 00:00:37.130
So again you can look this function up; basically what this function does,

13
00:00:37.140 --> 00:00:39.720
it can divide the string, and what we're saying is the

14
00:00:39.720 --> 00:00:42.960
string that we want to divide is the value of the password

15
00:00:43.070 --> 00:00:47.155
and we want to get the first character. That's why we're saying one and one.

16
00:00:47.165 --> 00:00:51.125
So this specifies where to start the division from and

17
00:00:51.125 --> 00:00:53.845
this specifies how many characters you want to get.

18
00:00:53.905 --> 00:00:57.325
So we're saying we want to start our division at the first character.

19
00:00:57.335 --> 00:01:00.985
We only want to get one character starting from there.

20
00:01:01.185 --> 00:01:04.215
And therefore we're checking if the first letter or the

21
00:01:04.215 --> 00:01:06.945
first character in the password is equal to a.

22
00:01:06.955 --> 00:01:10.225
If it is, sleep for 10 seconds, otherwise move on.

23
00:01:10.470 --> 00:01:13.910
And then we do that for the next character by changing this value to two.

24
00:01:13.920 --> 00:01:17.310
So we're going to say is the second character equal to A.

25
00:01:17.320 --> 00:01:19.920
And then we say if the second character is equal to B.

26
00:01:19.930 --> 00:01:21.270
And go ahead,

27
00:01:21.270 --> 00:01:26.310
go through all of the possible characters to actually get every single character

28
00:01:26.310 --> 00:01:29.730
in the password, very similar to what we did in the previous example.

29
00:01:29.740 --> 00:01:33.770
That's why I'm kind of going through it quicker than I did in the previous example.

30
00:01:33.770 --> 00:01:37.680
So if you don't remember how this works please go back and revise that example.

31
00:01:38.380 --> 00:01:41.990
So let's go ahead and let's edit this.

32
00:01:42.000 --> 00:01:46.710
So instead of saying the length we're actually now doing substring

33
00:01:48.020 --> 00:01:50.400
And we're doing it for the password and we're getting

34
00:01:50.400 --> 00:01:54.980
the first character starting from one and then we're checking if

35
00:01:54.980 --> 00:01:57.460
that is equal to a, then I want you to

36
00:01:57.460 --> 00:02:00.810
sleep for 10 seconds, otherwise don't do any of that.

37
00:02:00.810 --> 00:02:04.300
Don't sleep for anything. Let's hit enter.

38
00:02:05.760 --> 00:02:08.669
And as you can see we didn't sleep for any seconds at all, which

39
00:02:08.669 --> 00:02:12.450
means that the first character of the password is not the letter A.

40
00:02:12.460 --> 00:02:14.870
So now you have to go ahead and try the letter B

41
00:02:14.880 --> 00:02:17.780
and the letter C and move on to all possible characters.

42
00:02:18.130 --> 00:02:22.160
And as mentioned in the previous examples, that could take a lot of time.

43
00:02:22.170 --> 00:02:26.160
Therefore what we usually do is send it to the Intruder.

44
00:02:26.200 --> 00:02:28.930
But bear with me, I'm not repeating myself,

45
00:02:28.940 --> 00:02:32.610
there is a slight difference with this example, that's why I'm covering it

46
00:02:32.610 --> 00:02:35.970
in here, because I know we used the Intruder in the previous example,

47
00:02:36.170 --> 00:02:38.450
you should know by now what the Intruder does.

48
00:02:38.460 --> 00:02:41.770
It basically allows us to specify certain locations within the

49
00:02:41.770 --> 00:02:46.760
request where we can automatically change and send to the

50
00:02:46.760 --> 00:02:50.830
target web application and then get our results straight away

51
00:02:50.840 --> 00:02:54.480
instead of having to manually guess every single character.

52
00:02:54.600 --> 00:02:57.170
And we actually relied on the sniper first and then

53
00:02:57.170 --> 00:03:00.110
I showed you how to do the cluster bomb, but

54
00:03:00.120 --> 00:03:02.240
with this example, because I showed you the sniper and

55
00:03:02.240 --> 00:03:05.230
it's actually the simpler and longer way of doing it,

56
00:03:05.260 --> 00:03:08.100
I'm going to go ahead and do it with the cluster bomb straight away.

57
00:03:08.750 --> 00:03:12.640
So the first thing we wanna do is clear out all the signs that we have

58
00:03:12.920 --> 00:03:18.940
and we need to specify the locations in our request that we actually want to modify.

59
00:03:18.950 --> 00:03:24.030
So as we know the first thing that we want to modify in our request is

60
00:03:24.040 --> 00:03:29.810
this part of it where we actually change the character that we want to guess.

61
00:03:30.300 --> 00:03:33.230
And the second thing that we want to modify is the letters.

62
00:03:33.240 --> 00:03:36.520
So again you want to replace this with every single

63
00:03:36.520 --> 00:03:39.410
possible character that could be used in a password.

64
00:03:39.500 --> 00:03:41.780
Therefore we're going to go to the request.

65
00:03:41.820 --> 00:03:44.990
And the first thing that we want to modify is in here, it's this number

66
00:03:44.990 --> 00:03:49.280
one, so we're gonna highlight it like this and click on add the characters.

67
00:03:49.280 --> 00:03:50.630
So as you can see it's gonna add

68
00:03:50.630 --> 00:03:53.700
these characters surrounded by these characters, which means that

69
00:03:53.700 --> 00:03:56.740
this part of the request will be changed

70
00:03:56.750 --> 00:03:59.540
based on whatever configuration I'm gonna set later on,

71
00:03:59.810 --> 00:04:03.310
and the next part that we want to change is this letter a.

72
00:04:03.320 --> 00:04:06.110
Again we're gonna click on add to add it in here.

73
00:04:06.120 --> 00:04:11.140
So now we're basically gonna be modifying this part and this part of the request

74
00:04:11.860 --> 00:04:14.060
and we need to change the attack type to

75
00:04:14.060 --> 00:04:16.329
the cluster bomb because we're actually going to be

76
00:04:16.339 --> 00:04:19.820
changing two parts or manipulating two parts in the

77
00:04:19.820 --> 00:04:22.460
request, and then we're gonna go to the payloads.

78
00:04:22.470 --> 00:04:25.190
Now this part is similar to what we did before.

79
00:04:25.200 --> 00:04:28.270
So the first set is actually gonna be numbers

80
00:04:28.380 --> 00:04:31.690
and we're just gonna go from 1 to 20

81
00:04:32.380 --> 00:04:35.230
And we're gonna go one number at a time.

82
00:04:35.240 --> 00:04:39.990
So what this will do, it will basically increase this number from 1 to 20.

83
00:04:40.660 --> 00:04:43.950
The next set. So we're going to specify the next set from here

84
00:04:44.050 --> 00:04:46.950
and in this one we're gonna do a brute force

85
00:04:47.680 --> 00:04:51.350
and we want to guess one character at a time

86
00:04:51.470 --> 00:04:54.280
and this is the character set that we'll be using.

87
00:04:54.280 --> 00:04:56.610
So we're using alphabetical characters and

88
00:04:56.610 --> 00:04:59.790
numbers without special characters, but that's fine

89
00:04:59.790 --> 00:05:02.950
for this example; it really depends on your example and your target.

90
00:05:02.960 --> 00:05:05.590
But basically what we're doing here with the second

91
00:05:05.590 --> 00:05:09.080
set, we're modifying the second part of our request in

92
00:05:09.080 --> 00:05:12.600
here and we're replacing this a with all of the

93
00:05:12.600 --> 00:05:16.600
characters that we're specifying in here in every request.

94
00:05:17.160 --> 00:05:20.770
So as you can see the configuration that we set between set

95
00:05:20.770 --> 00:05:25.030
one and set two is going to result in 720 requests,

96
00:05:25.040 --> 00:05:27.920
which you would have had to do manually, but now they will

97
00:05:27.930 --> 00:05:32.270
all be done automatically for you by Burp Suite, by the Intruder

98
00:05:32.370 --> 00:05:34.130
plugin of Burp Suite.

99
00:05:34.450 --> 00:05:38.200
Now so far it's been very similar to what we did previously.

100
00:05:38.210 --> 00:05:43.690
But the main thing that we want to change is, if you go here to the resource pool,

101
00:05:43.700 --> 00:05:46.760
it's usually set to the default, which will basically

102
00:05:46.760 --> 00:05:50.210
send 10 concurrent requests at the same time.

103
00:05:50.220 --> 00:05:53.140
That's good in most scenarios.

104
00:05:53.150 --> 00:05:58.520
But because in our scenario we actually want to monitor the amount of time taken for

105
00:05:58.520 --> 00:06:00.420
the response to get back to us, because

106
00:06:00.420 --> 00:06:03.700
remember this is a time-based blind SQL injection.

107
00:06:04.150 --> 00:06:04.920
Therefore

108
00:06:05.130 --> 00:06:07.330
the results would be much more accurate.

109
00:06:07.340 --> 00:06:09.900
If we send only one request at a time,

110
00:06:09.910 --> 00:06:13.680
obviously it'll be slower, but your results would be more accurate.

111
00:06:13.880 --> 00:06:17.690
By default you would not have this option in here. That's an option that I created.

112
00:06:17.900 --> 00:06:20.950
So therefore instead of keeping it at the default,

113
00:06:20.960 --> 00:06:23.580
you would need to create a new resource pool.

114
00:06:23.590 --> 00:06:26.700
You can call it whatever you want. So let's, this time, just call it

115
00:06:26.930 --> 00:06:30.490
one request, and we're gonna take the maximum concurrent

116
00:06:30.490 --> 00:06:32.980
requests and we're gonna set it to one.

117
00:06:32.990 --> 00:06:37.550
So we actually only send one request at a time, wait for the response,

118
00:06:37.560 --> 00:06:40.320
log the amount of time taken for that response.

119
00:06:40.320 --> 00:06:43.270
So that later on when we come back and analyze the results,

120
00:06:43.270 --> 00:06:46.150
we know which ones were the correct characters.

121
00:06:46.610 --> 00:06:50.180
So these little things, in a real life scenario it

122
00:06:50.180 --> 00:06:53.120
might make you even doubt yourself, because if you set it to

123
00:06:53.120 --> 00:06:56.760
10 concurrent requests at the same time you're gonna be sending

124
00:06:56.760 --> 00:06:59.680
10 requests and waiting for delays for 10 of these requests.

125
00:06:59.690 --> 00:07:01.400
Whatever else you get back,

126
00:07:01.410 --> 00:07:03.160
the time is not going to be very accurate and

127
00:07:03.160 --> 00:07:05.640
you'll think there's something wrong with your payload, and then

128
00:07:05.640 --> 00:07:07.700
you're gonna have to go back and start playing with

129
00:07:07.700 --> 00:07:10.070
it and thinking, why is the normal test working?

130
00:07:10.080 --> 00:07:12.380
But when I'm trying to guess characters it's breaking.

131
00:07:12.690 --> 00:07:16.650
It's simply because you're sending too many requests at the same time.

132
00:07:17.230 --> 00:07:18.690
So once you're happy with all of this,

133
00:07:18.690 --> 00:07:22.630
similar to what we did previously, we're gonna click on start attack.

134
00:07:23.610 --> 00:07:27.780
Burp Suite is gonna go ahead and execute the configuration that you set.

135
00:07:27.790 --> 00:07:32.060
So it's going to start guessing the password for you by increasing

136
00:07:32.060 --> 00:07:35.770
this number to get every single character of the 20 characters that

137
00:07:35.770 --> 00:07:39.320
make up the password and then guess the value of that character

138
00:07:39.330 --> 00:07:42.900
based on the brute force option that we set in set two.

139
00:07:43.800 --> 00:07:48.530
Now how are you going to determine the correct guesses based on the information

140
00:07:48.530 --> 00:07:53.050
that is displayed here? In the previous example we went by the length because,

141
00:07:53.050 --> 00:07:56.730
as I said before and as you remember, the page that was

142
00:07:56.730 --> 00:08:01.945
loading changed based on the injection or the payload that we were sending it.

143
00:08:01.955 --> 00:08:05.015
So we looked at the length of the page and if it was

144
00:08:05.015 --> 00:08:08.385
of a certain length we knew that that is the correct character.

145
00:08:08.555 --> 00:08:13.405
But so far we rely on the time taken for the response to come

146
00:08:13.405 --> 00:08:17.885
back to us to decide whether a certain guess is correct or not.

147
00:08:17.965 --> 00:08:21.655
And therefore we're going to have to go to the columns in here

148
00:08:21.865 --> 00:08:26.450
and we're gonna have to enable the response received.

149
00:08:27.340 --> 00:08:29.230
And now we have a new column in here that

150
00:08:29.230 --> 00:08:31.940
shows us the amount of time taken for the response

151
00:08:31.940 --> 00:08:35.020
to come back in milliseconds. Keep in mind, so I

152
00:08:35.020 --> 00:08:38.190
know you're seeing 65 and 89, that's not in seconds,

153
00:08:38.190 --> 00:08:39.309
that's in milliseconds.

154
00:08:40.370 --> 00:08:45.120
So now what we're looking for is 1000 or something that is over 1000.

155
00:08:45.130 --> 00:08:48.870
So so far we don't really have anything that took over 1000,

156
00:08:48.880 --> 00:08:52.820
which means that so far we haven't really guessed any correct characters.

157
00:08:52.830 --> 00:08:56.690
But if you let this run for long enough you should start getting the

158
00:08:56.690 --> 00:09:00.860
characters one by one, similar to what we did in the previous lecture.

159
00:09:00.870 --> 00:09:04.390
So there you go. As you can see now we got a correct guess already.

160
00:09:04.400 --> 00:09:10.320
So we know the 19th character is the letter D, because that took over 12th to load.

161
00:09:10.390 --> 00:09:13.370
So that is the first character that we guessed, and simply

162
00:09:13.370 --> 00:09:15.510
all you have to do is just let it run right now.

163
00:09:15.650 --> 00:09:18.800
Once it's done, as I showed in the previous lecture again,

164
00:09:18.810 --> 00:09:21.430
you're just gonna have to open up a text file and

165
00:09:21.430 --> 00:09:24.500
literally match every character to its position in the password.

166
00:09:24.510 --> 00:09:29.790
And then you would be able to extract the full password for the administrator simply

167
00:09:29.800 --> 00:09:33.850
by monitoring the amount of time taken for the response to come back to us.