Everyone, I'm just not going to waste a lot of time on theory, but I want to explain what you should expect from this course. Now, basically, we will be covering: how do you do phishing attacks? Or how do you manage phishing campaigns for a corporate penetration test in real life? Okay. And how do you do that with one of the most advanced phishing frameworks in the world, which is known as Gophish. Now you need to understand one thing about penetration testing assessments that contain social engineering. When you go and see even the NIST Special Publication, that is 800-115, one of my favorite publications. This has been outdated a little bit, but you can see it has almost 80 pages, and it gives you a lot of guidance on how you should perform a penetration test, a real-life penetration test. So here you will see they have social engineering should be in this one quite boring. Three social engineering. So when you go ahead and open these social engineering aspects, which is right here, you will understand that social engineering simply attempts to trick someone to reveal the information. That's what it is. Okay, that's what it is. Generally, we are trying to get some of the information, which comes in the active reconnaissance phase, through social engineering. Otherwise, we're trying to gain access, which comes in the gaining access phase, right? Sometimes it can get extended to the maintaining access phase, where we're trying to expand our reach through social engineering. We are already in the system and we want to attack other systems. So we've made life social engineering. The most common way social engineering is utilized, you can see over here: one form of digital social engineering is known as phishing. So that's what we generally do. Phishing is your first line of attack, right? You always start social engineering by, uh, the phishing, because you can focus on a mass audience. Right? And that's why you need a dashboard.
You need a software application to manage your phishing attack, your phishing campaign. Now, social engineering may also be used to target high-value individuals. Generally, you know, different names are given, as whaling, spear phishing, et cetera, those kind of stuff. But the basic idea is, when you are doing corporate-level phishing, you cannot just use those little tools like Social Engineering Toolkit except Rexach. We're going to use those tools and perform a corporate level social engineering attack, right? You can't use those in professional penetration testing. You need something bigger. And that is why I am going to show you how Gophish can help you with that. Gophish is an open source phishing framework. And it's one of the best frameworks I have ever used in all of my penetration tests that got a little physical security or social engineering assessments. And the main thing is, we are not going to do it on a localhost, which most of the other people are teaching. That's very impractical. We set up a live server that runs a website that has the spring murdered. This dashboard as well as that has SSL, so you never get caught with the HTTP connections. You will be spoofing your email to send the phishing campaigns, and it's very, very practical. But you see, in the real life, right, so I hope you're very interested with this. Let's go ahead and cover the course on Gophish, and let's get started. We'll grab the Gophish framework, which will allow us to do phishing attacks really simply and will give us a lot of power as compared to other possible ways. So Gophish is a really great framework written in Golang, so you can just Porto like you can directly go to getgophish.com. Or you can search for that. Just search for Gophish here. You will get getgophish.com, which is for the download, and here's the GitHub repository if you want to check that out. But let's just go ahead and grab the Gophish framework.
Oh, here you can just click on download, and depending upon the system which you are using, you can download the one here. We have the 64-bit, but for Darwin. Okay, there is the Linux 64-bit, in my case. Give me download depending upon what you are using here. So let me download it. Okay, let's save this file. Now, until it is downloading, let's go back, and you're going to see here launching a campaign in three steps, so you can see how clear the interface is. All right, here in this image, how clear and a good Anna like structure it will give you. So it's a really good panel. I have used it a lot. And let's go ahead and see if the download has completed. So it's about 10 seconds. Last testing. Oh, so it has been downloaded? Yeah. Yeah. And let's open this up and you will find the more fish, though. Let's drag this thing onto the desktop. Depending upon where you want, you can just have it anywhere. It has been extracted T lead and we don't need the browser anymore. Here, I would like to rename it to gophish. I don't like long names. You hear this? Now here I have got the Gophish framework, and let's see what are the files in this. So here is the README file, if you want. Here is the configuration file. In the configuration file, if you just open it up, you can set up the ports. Let me show you guys dancing. Here is the Gophish listening port; here it will listen. And here are the Gophish Cannell server panel means of support. So if you want, you can change these ports, 80 and 3333, if you want. It was all about on you that this argo fish is and turned office. You just need to run this file here from the terminal. And it's also and seeing the next lecture, we will. We will just go ahead and explore Gophish Miller in this ever and then see what you can do with Gophish, how it looks. So thank you so much for watching. Welcome back, everyone. In this lecture, we will go ahead and start the Gophish server.
So in the last lecture we just downloaded this whole folder, and it's simple to launch Gophish. You just open it in a terminal, and it's just running the gophish script here. So it's the full stop and then a forward slash, gophish, and just press Enter. It'll start the Gophish server. You can see: starting Gophish server at this, and Gophish, the admin server at this. Let's go ahead and check that out. Open Firefox here and let's go ahead and check that: 127.0.0.1, port number 3333, and press Enter. Now, if you get this kind of error, nothing here, and here the error is like the TLS handshake error, so the first record does not look like a TLS handshake. Now what you want to do is make sure you're not running it on HTTP. You need to run it on HTTPS. So https, then colon, forward slash, forward slash, and just press Enter. And here it should load. If it gives you a security warning, no matter, it's your local port. Just add a security exception right out there. Now, here is the login, and it's really simple. The username is admin, and the password is gophish, so g-o-p-h-i-s-h. Just press Enter. And here you are in the Gophish admin dashboard. So I will start covering this Gophish admin dashboard in the next lecture. But before that, let's go ahead, where is it, and change the password. So you just need to click on the username. And here you can change the admin username and all, and the password. And here is the API key. You can just go ahead and reset it if you want. So here we have, well, gophish was the old password, and the new password right here. So just click on Save; you can see it updated successfully, and let's just go ahead and log out. That is how you log in and log out, and in the next lectures we'll start exploring the Gophish framework dashboard. Now, I'll just cancel, terminate this process by Ctrl+C here. That is how you just kill the server.
And that's all for this lecture. See you in the next one. Welcome back, everyone. In this lecture, I would like you all to move your Gophish framework onto a VPS so that you can connect a domain name with it. Now, you can do this thing on your Kali Linux machine or basically any Ubuntu server, anything, whichever you're using. You can do this on that thing, but it will not be really convenient until you have a static IP address, because your domain name, the domain name which you will be using, actually, we'll need to have a domain name as well. But we can take that for free from a lot of services like Freenom. So that domain will not point to your machine, and you will need a dynamic DNS. And there are a lot of troubles with that. So I would recommend to set up a VPS where this is going to work. Now I am here in my DigitalOcean dashboard. And if you don't know about DigitalOcean, you can just google it and get yourself an account. DigitalOcean provides you $10 for free by using the coupon code d over on zero. Currently, it is the coupon code. Maybe they will change it. So you might want to check that, and you can even use, if you have already an account, you can use every gun; if you don't have one, you can even use my reference link, that will additionally give you $10 so that you can proceed with this lecture. Now I will create a droplet here. A droplet is a VPS. You don't know what happened wrong. So I'll just go ahead and create a droplet here, and it is still loading. This connection is not working fine. Okay, so here you need to choose an operating system. Now you can basically choose any operating system; I'll go with Ubuntu. It doesn't really matter. Here you can choose the size. Now, this is just a phishing server; it doesn't need a lot of RAM. So maybe five, probably perfect. I'll take the band leverages most near to me and yeah, that's all. You can add a message if you want, but I won't add any here. That's great.
And it'll just get created soon. So until then, let me open my email. You get the password because we're not using SSH keys here. It's not going to take more than two minutes for the whole setup to come. Okay, the password has come. Maybe this will also, uh, work in some seconds, but the mail on my phone. It's not working here as well. My Internet connection is working, right? It is working. And why are not these both of these services working? Okay, DigitalOcean. Yeah. So they're giving me the IP, and it is now here. But my mail service is working again, and the password will be very long. So I'll open a new tab. Maybe that'll work. Here is the password. Oh, I want to copy this password, basically. And actually, the IP as well. I'll just copy everything. I really don't need this DigitalOcean panel anymore; we just created the droplet, that's all. And there is no role of this panel, and minimize everything. It was this. We'll email. You've been super. Yeah. So let's create a text file here. Where did I create that file? Created on desktop. Created on desktop. Here we have got the text file. It's edited with the information you have got: the IP address, username and the password. So let's go ahead and log in to the server. I'll be using the terminal for this. Let me open a new tab. Okay. Is this my Gophish server running here? I don't get it. One thing, if this is running or not, yeah, the recording is being done. Okay, let's clear the screen. Now let's move to the desktop, or root directory, and let's go ahead and log in. So it will just use ssh, and then we have root at the rate this IP address. The username is root, at the rate, the IP address. Ctrl+Shift+V for paste. It asks me for the password. Firstly, it's asking me, do you want to connect with this? So yes, it is already right. Yes, yes. Here it is asking me for the password. Now I'll grab the password, paste that and press Enter. Yes. So it is asking me to change the password.
So first of all, I am adding the current password. Okay. I don't know what I typed here. Uh, let me go back. So just enter your password here. Okay, password changed. Clear the screen. Now we need the Gophish framework. So I really don't need ID. And let's open Firefox and get the Gophish framework. You are also you have getgophish.com and, ah, I believe I am using a It is honest. All 274 it's not. I believe I'm using 64-bit.