WEBVTT 1 00:00:00.080 --> 00:00:03.359 Welcome to the deep dive. Today, we're plunging into a 2 00:00:03.439 --> 00:00:07.320 really critical area of cybersecurity penetration testing. Now you might 3 00:00:07.360 --> 00:00:11.000 hear that term penetration testing and think, you know, Hollywood 4 00:00:11.039 --> 00:00:14.679 hackers in hoodies, but it's while it's way more strategic 5 00:00:14.720 --> 00:00:18.839 than that and honestly essential. So our mission here is 6 00:00:18.839 --> 00:00:21.719 to sort of demystify this world of ethical hacking. We 7 00:00:21.760 --> 00:00:25.000 want to explore how security pros, the good guys, find 8 00:00:25.039 --> 00:00:27.239 weaknesses before the bad actors do. And we've got this 9 00:00:27.320 --> 00:00:30.559 great stack of practice exam questions. They're not just for CERTs. 10 00:00:30.800 --> 00:00:33.759 They actually they lay out the core knowledge and the 11 00:00:33.799 --> 00:00:36.560 real practical skills a pen tester needs. This is about 12 00:00:36.560 --> 00:00:38.240 the nuts and bowls exactly. 13 00:00:38.479 --> 00:00:40.840 And what's really key here, I think, is understanding the 14 00:00:40.880 --> 00:00:44.079 hacker's mindset. It's not about doing harm obviously, it's about 15 00:00:44.079 --> 00:00:46.840 thinking like an adversary so you can build much stronger defenses. 16 00:00:47.200 --> 00:00:53.240 And this ties directly into the fundamentals of infosec confidentiality, integrity, availability. 17 00:00:53.640 --> 00:00:57.719 The CIA triad a good pen test well, it actually 18 00:00:57.759 --> 00:01:01.840 demonstrates how an attacker could break those prints, leading to disclosure, 19 00:01:01.920 --> 00:01:05.480 alteration or denial. Some people call that the Dad, try it. 20 00:01:05.560 --> 00:01:08.840 It's like proactively stress testing your security. 21 00:01:08.920 --> 00:01:12.200 Okay, so let's dive into this because before any actual 22 00:01:12.319 --> 00:01:14.719 hacking happens, there's a whole lot of groundwork. You can't 23 00:01:14.760 --> 00:01:17.599 just jump straight in, can you. There are big legal things, 24 00:01:17.640 --> 00:01:18.480 ethical lines. 25 00:01:18.560 --> 00:01:21.719 Oh absolutely. The absolute first step, the one that makes 26 00:01:21.719 --> 00:01:24.439 you an ethical hacker and not well criminal, is getting 27 00:01:24.480 --> 00:01:28.319 explicit written authorization. That's not just like a suggestion. It's 28 00:01:28.319 --> 00:01:30.359 the legal foundation for everything that follows. 29 00:01:30.719 --> 00:01:33.200 Right, And I'm guessing the authorization isn't just a quick 30 00:01:33.239 --> 00:01:36.239 email saying go ahead. We're talking detailed documents like the 31 00:01:36.319 --> 00:01:39.879 Rules of Engagement ROE and a statement of work. Soow, 32 00:01:41.480 --> 00:01:44.200 what kind of things get hammered out there? 33 00:01:44.280 --> 00:01:46.680 Yeah? They have to be incredibly detailed and for good reason. 34 00:01:47.000 --> 00:01:49.879 So the ROE, for instance, it sets the exact timeline. 35 00:01:49.959 --> 00:01:53.400 It clearly lists what systems are in scope and just 36 00:01:53.719 --> 00:01:56.799 as vital, what's out of scope. You can't just wander off. 37 00:01:57.239 --> 00:02:00.840 It also dictates, you know, allowed behaviors like the target 38 00:02:00.920 --> 00:02:04.640 shouldn't blacklist the tester's IP addresses during the test unless 39 00:02:04.640 --> 00:02:06.719 that's part of the test itself. And it sets up 40 00:02:06.719 --> 00:02:09.879 communication channels how to escalate if there's a problem. You know, 41 00:02:09.919 --> 00:02:13.840 if an act accidentally causes disruption. Plus, there's usually disclaimer 42 00:02:14.039 --> 00:02:16.560 something saying the results are only valid for that specific 43 00:02:16.599 --> 00:02:20.240 moment the test happened, right, because security, well, it changes constantly. 44 00:02:20.439 --> 00:02:23.199 And crucially, this permission, this sign off, it needs to 45 00:02:23.240 --> 00:02:26.159 come from the right level senior management, maybe legal, not 46 00:02:26.280 --> 00:02:28.639 just your buddy and it okay. And if your testing 47 00:02:28.680 --> 00:02:32.000 systems hosted by say a cloud provider or a sauce. 48 00:02:31.759 --> 00:02:34.240 Company, oh right, you need their permission to you. 49 00:02:34.240 --> 00:02:37.120 Absolutely do. Their written consent is a must. 50 00:02:37.719 --> 00:02:41.080 That sounds like maybe a bit bureaucratic at first glance, 51 00:02:41.159 --> 00:02:43.960 but does it actually help things run smoother in the 52 00:02:44.080 --> 00:02:46.120 end or does it just slow things down. 53 00:02:46.319 --> 00:02:49.520 It might feel like a hurdle initially, yeah, but honestly 54 00:02:49.599 --> 00:02:54.840 it streamlines everything, having clear boundaries, stops misunderstandings. It prevents 55 00:02:54.840 --> 00:02:58.240 scope creep, you know where the test starts wandering into areas. 56 00:02:57.879 --> 00:03:00.560 It shouldn't, right, scope creep, I've heard of that causing 57 00:03:00.639 --> 00:03:02.159 major headaches exactly. 58 00:03:02.319 --> 00:03:05.159 It avoids legal problems, keeps everyone on the same page 59 00:03:05.159 --> 00:03:07.599 about what you're trying to achieve or what the limits are, 60 00:03:08.000 --> 00:03:10.400 saves time, saves money, ultimately. 61 00:03:10.159 --> 00:03:13.240 Makes perfect sense. Okay. So once the lawyers are happy, 62 00:03:13.400 --> 00:03:17.719 the scope is set, how much does the tester actually 63 00:03:17.800 --> 00:03:20.120 know about the target system before they start? Are they 64 00:03:20.120 --> 00:03:22.639 flying blind or do they get some inside info? 65 00:03:22.840 --> 00:03:25.400 Ah? Well, that really depends on the assessment type. We 66 00:03:25.520 --> 00:03:28.800 usually talk about three main flavors based on knowledge. First 67 00:03:28.919 --> 00:03:32.599 is black box. That's zero prior knowledge. You're basically simulating 68 00:03:32.639 --> 00:03:35.960 an external attacker who knows nothing about the internal workings. 69 00:03:36.240 --> 00:03:39.439 Okay, so that's the most realistic attacker view often. 70 00:03:39.199 --> 00:03:41.479 Yes, but it also tends to be the most time 71 00:03:41.520 --> 00:03:47.919 consuming and potentially expensive. Then you've got gray box. Here 72 00:03:48.000 --> 00:03:50.719 the tester has some limited info, maybe a network map, 73 00:03:50.759 --> 00:03:53.479 maybe log in details for a standard user account. 74 00:03:53.520 --> 00:03:56.159 So that's like simulating an insider threat maybe, or someone 75 00:03:56.159 --> 00:03:57.800 who's already got a foothold exactly. 76 00:03:57.879 --> 00:04:00.599 That strikes a balance, you know, it's efficient, but still 77 00:04:00.879 --> 00:04:04.599 models common real world threads pretty well. And finally, white box, 78 00:04:04.960 --> 00:04:08.680 this is full knowledge source code, network diagrams, admin passwords, 79 00:04:08.719 --> 00:04:09.199 the works. 80 00:04:09.599 --> 00:04:12.199 Wow. Okay, so that allows for the deepest dive. 81 00:04:12.360 --> 00:04:14.400 Definitely. It's the most thorough way to check every nook 82 00:04:14.439 --> 00:04:17.000 and cranny, and surprisingly it can be the fastest because 83 00:04:17.000 --> 00:04:19.279 you're not spending time discovering basic infrastructure. 84 00:04:19.480 --> 00:04:22.160 It seems like understanding this planning phase isn't just about 85 00:04:22.160 --> 00:04:25.959 ticking boxes. It defines the whole test its value without 86 00:04:26.000 --> 00:04:28.399 it you're discussing, right, it sets the stage for getting 87 00:04:28.480 --> 00:04:33.439 real useful security insights for your organization. Okay, moving on 88 00:04:33.519 --> 00:04:37.560 from that crucial planning. This is where for me, anyway, 89 00:04:37.600 --> 00:04:40.160 it starts to get really fascinating. How do you actually 90 00:04:40.199 --> 00:04:43.920 start finding weaknesses, especially in say a black box test 91 00:04:43.920 --> 00:04:47.000 where you know almost nothing feels like finding a needle 92 00:04:47.040 --> 00:04:48.160 in a digital haystack. 93 00:04:48.639 --> 00:04:51.399 Right, This is where reconnaissance and enumeration come in. It's 94 00:04:51.439 --> 00:04:54.560 all about intelligence gathering. Usually split it into two phases. 95 00:04:54.879 --> 00:04:58.879 Reconnaissance is passive, you're gathering info without directly poking the target. 96 00:04:58.959 --> 00:05:01.680 I think public record, website analysis, that sort of thing. 97 00:05:01.959 --> 00:05:06.240 Active enumeration is when you start interacting directly, sending packets, 98 00:05:06.279 --> 00:05:07.959 scanning ports, seem what responds. 99 00:05:08.480 --> 00:05:11.720 Let's talk about the passing side first, Open source intelligence OCENT. 100 00:05:12.160 --> 00:05:14.560 What are some of the key tools testers use here 101 00:05:14.759 --> 00:05:17.879 and what kind of maybe surprising things can they dig up? 102 00:05:18.120 --> 00:05:22.680 OCENT is well, it's incredibly powerful, sometimes disturbingly. So you 103 00:05:22.720 --> 00:05:25.600 start with basics like who's to find out who owns 104 00:05:25.600 --> 00:05:28.600 a domain name and slick up or dig to get 105 00:05:28.600 --> 00:05:32.319 IP addresses for those domains. Simple stuff. But then you 106 00:05:32.439 --> 00:05:35.800 use tools like the Harvester. It scrapes search engines LinkedIn 107 00:05:36.240 --> 00:05:40.079 other public sources to find employee names, email addresses. 108 00:05:39.879 --> 00:05:42.639 Gold dust for phishing attacks later, I imagine precisely. 109 00:05:43.040 --> 00:05:45.560 And then there are tools like showdan and senses. They 110 00:05:45.600 --> 00:05:48.920 constantly scan the entire Internet. You can search for devices 111 00:05:48.959 --> 00:05:51.959 or services linked to your target's IP ranges. You might 112 00:05:52.000 --> 00:05:57.800 find forgotten webcams, industrial control systems, misconfigured databases, all exposed online. 113 00:05:57.839 --> 00:05:58.279 Wow. 114 00:05:58.439 --> 00:06:01.079 We also use things like multago visualize all this data 115 00:06:01.160 --> 00:06:05.680 see connections or FOCA to extract metadata from documents found online, PDFs, 116 00:06:05.879 --> 00:06:10.000 office files. Sometimes you find usernames, software versions, hidden comments. 117 00:06:10.079 --> 00:06:12.560 It's not just tools though, right I heard searching job 118 00:06:12.560 --> 00:06:14.560 postings can reveal text. 119 00:06:14.480 --> 00:06:18.279 X oh definitely. Job ads often list required skills like 120 00:06:18.439 --> 00:06:22.560 experienced with Cisco iOS or managing pal Alto firewalls or 121 00:06:22.600 --> 00:06:25.319 developing in Python three point nine. That tells you exactly 122 00:06:25.399 --> 00:06:28.600 what tech they're using internally. Same with employee residents on LinkedIn. 123 00:06:29.000 --> 00:06:32.399 It's all about piecing together the puzzle from public crumbs sounds. 124 00:06:32.120 --> 00:06:35.000 Like an amazing amount of info is just out there 125 00:06:35.199 --> 00:06:38.600 is the challenge then filtering it all, making sense of it, that's. 126 00:06:38.480 --> 00:06:40.240 A huge part of it. Yeah, you get a lot 127 00:06:40.279 --> 00:06:44.439 of noise. The skill is connecting the relevant dots and 128 00:06:44.480 --> 00:06:47.360 that often leads us into active enumeration. Once we have 129 00:06:47.399 --> 00:06:50.839 a better picture, we start probing directly, and the workhorse 130 00:06:50.879 --> 00:06:52.560 for that is usually ENDMP. 131 00:06:52.279 --> 00:06:54.959 Right endmap, the network mapper. What are the key scan 132 00:06:55.160 --> 00:06:57.759 types people should be aware of? How do they differ? So? 133 00:06:57.920 --> 00:07:00.439 Endmap has tons of options or really common one is 134 00:07:00.480 --> 00:07:03.800 the syn scan or SIS. It's called a half open scan. 135 00:07:03.920 --> 00:07:05.000 Half open Yeah. 136 00:07:05.079 --> 00:07:07.560 It sends the initial syn packet to start a connection, 137 00:07:08.040 --> 00:07:11.160 waits for the synack response from the server, but then 138 00:07:11.240 --> 00:07:13.839 doesn't send the final ack to complete the connection. This 139 00:07:13.920 --> 00:07:16.560 makes it stealthier, less likely to show up in basic 140 00:07:16.600 --> 00:07:21.800 firewall logs. Okay, well there's a DCP conn x scan st. 141 00:07:21.879 --> 00:07:24.279 This one does complete the full three way handshake. It's 142 00:07:24.319 --> 00:07:27.399 less stealthy, might get logged, but sometimes it's more reliable. 143 00:07:27.399 --> 00:07:30.360 If firewalls are blocking s yn scans, then you've get 144 00:07:30.399 --> 00:07:33.519 UDP scans aid su because lots of important services run 145 00:07:33.560 --> 00:07:37.399 over UDP, like DNS. Sometimes and crucially you use flags 146 00:07:37.480 --> 00:07:40.920 like AHA, which tries to detect the operating system services versions. 147 00:07:41.199 --> 00:07:45.639 It's quite aggressive, or SSV specifically for service version detection. 148 00:07:45.879 --> 00:07:47.399 Why is it the version so important? 149 00:07:47.600 --> 00:07:50.920 Because knowing the exact version of say apatche web server 150 00:07:51.199 --> 00:07:54.399 or open ssh tells you if there are non published 151 00:07:54.439 --> 00:07:56.759 vulnerabilities for that specific version, that's often your. 152 00:07:56.680 --> 00:07:58.920 Way in got it and those open ports and map 153 00:07:58.959 --> 00:08:02.360 finds obviously web twenty two for SSH. What are some 154 00:08:02.439 --> 00:08:04.800 other interesting ones you look for? Maybe ones that signal 155 00:08:04.879 --> 00:08:06.120 higher risk definitely? 156 00:08:06.319 --> 00:08:09.240 Port twenty three telnet is a huge red flag. It's 157 00:08:09.360 --> 00:08:13.079 unencrypted remote access bad news. Port's one thirty nine and 158 00:08:13.120 --> 00:08:16.639 four to forty five on Windows signal SMBCIFS. File sharing, 159 00:08:17.079 --> 00:08:20.720 often misconfigured, can lead to information disclosure or even remote 160 00:08:20.720 --> 00:08:24.040 code execution. Port fifty three for DNS, three eighty nine 161 00:08:24.120 --> 00:08:26.959 for lded app or six thirty six for LDPS Directory 162 00:08:27.000 --> 00:08:30.519 services three three eighty nine for RDP remote desktop. These 163 00:08:30.560 --> 00:08:33.559 all point to critical infrastructure. Even seeing web servers on 164 00:08:33.600 --> 00:08:35.840 non standard ports like eighty eighty or eighty four to 165 00:08:35.879 --> 00:08:39.120 forty three can be interesting, might be less monitor development servers. 166 00:08:39.159 --> 00:08:41.360 Each open port is a potential door or clue. 167 00:08:41.440 --> 00:08:43.720 It really is like detective work, isn't it, Gathering all 168 00:08:43.720 --> 00:08:46.120 these clues, building a profile of the targets, weak spots. 169 00:08:46.440 --> 00:08:49.120 Understanding this helps you, the listeners see how security isn't 170 00:08:49.159 --> 00:08:51.440 just one big wall, but lots and potential little cracks. 171 00:08:51.440 --> 00:08:54.480 So we've gathered technical intel, but often the easiest path 172 00:08:54.519 --> 00:08:57.279 isn't through a firewall, it's through a person social engineering. 173 00:08:57.480 --> 00:08:59.799 Our sources say this is incredibly common. Often the first 174 00:08:59.840 --> 00:09:00.759 thing testers try. 175 00:09:01.000 --> 00:09:04.320 It absolutely is why spend days trying to crack a 176 00:09:04.399 --> 00:09:07.440 complex system when you can trick someone into giving you 177 00:09:07.480 --> 00:09:11.799 the keys. Humans, well, we're often wired to trust, or 178 00:09:11.840 --> 00:09:16.159 help or respond to urgency, and attackers exploit that. It's 179 00:09:16.200 --> 00:09:17.639 often the path of least resistance. 180 00:09:17.759 --> 00:09:20.519 Let's run through some common techniques, because honestly, these aren't 181 00:09:20.519 --> 00:09:24.000 just theoretical threats. You listening are probably targeted by some 182 00:09:24.039 --> 00:09:25.639 of these daily you really are. 183 00:09:26.360 --> 00:09:29.080 We start with phishing. Those generic emails trying to get 184 00:09:29.120 --> 00:09:31.399 you to click a bad link or give up credentials 185 00:09:31.879 --> 00:09:35.240 very common. Then it gets more targeted. Spear phishing aims 186 00:09:35.240 --> 00:09:38.000 at specific people or roles within a company. The email 187 00:09:38.080 --> 00:09:42.080 might mention colleagues current projects much more convincing. 188 00:09:42.200 --> 00:09:44.039 And whaling that's even more specific. 189 00:09:44.159 --> 00:09:48.279 Yeah, whaling goes after the big fish CEOs, CFOs, senior execs. 190 00:09:48.600 --> 00:09:51.120 The potential payoff is huge, so attackers put a lot 191 00:09:51.120 --> 00:09:53.759 of effort into making these look legitimate. And it's not 192 00:09:53.799 --> 00:09:57.879 just email. Smishing is fishing via SMS, text messages. Fishing 193 00:09:57.960 --> 00:10:00.440 is voice fishing over the phone. They might pretend to 194 00:10:00.480 --> 00:10:02.159 be tech support or the bank. 195 00:10:02.279 --> 00:10:05.159 It really plays on that immediate reaction. Doesn't a text 196 00:10:05.279 --> 00:10:07.639 or a call feels more urgent exactly? 197 00:10:07.759 --> 00:10:10.600 And then there are the physical or more direct interaction. 198 00:10:10.240 --> 00:10:13.000 Techniques too, right, not just digital Nope. 199 00:10:13.480 --> 00:10:16.960 Impersonation is a big one, pretending to be a repair person, 200 00:10:17.240 --> 00:10:20.240 a new employee, a delivery driver to get physical access 201 00:10:20.279 --> 00:10:24.320 or information. Elicitation is more subtle, just chatting with someone, 202 00:10:24.480 --> 00:10:27.799 building rapport, guiding the conversation to get them to reveal 203 00:10:27.840 --> 00:10:30.440 sensitive bits of information without realizing it. 204 00:10:30.480 --> 00:10:33.720 Like casually asking about network problems and getting details about 205 00:10:33.720 --> 00:10:34.879 their setup precisely. 206 00:10:35.519 --> 00:10:38.600 Then you have shoulder surfing, just looking over someone's shoulder 207 00:10:38.720 --> 00:10:42.559 as the type of password or poan low tech still works. 208 00:10:43.200 --> 00:10:47.120 The USB key drop or baiting is leading infected USB 209 00:10:47.279 --> 00:10:50.120 drives lying around hoping someone plugs one into a company 210 00:10:50.159 --> 00:10:51.440 machine out of curiosity. 211 00:10:51.519 --> 00:10:54.919 Does that still work? People plugging in random USB's. 212 00:10:54.600 --> 00:10:59.120 Surprising them often? Yes, curiosity is powerful. Then there's dumpster diving, 213 00:10:59.440 --> 00:11:02.440 looking through trash for discarded hard drives, print ounce sticky 214 00:11:02.440 --> 00:11:03.440 notes with passwords. 215 00:11:03.639 --> 00:11:05.879 Seriously, people still find useful stuff in. 216 00:11:05.879 --> 00:11:09.879 The trash, you'd be amazed. And for physical access, tailgating 217 00:11:09.960 --> 00:11:14.360 or piggybacking, just following someone authorized through a secure door 218 00:11:14.399 --> 00:11:17.919 before it closes. People often hold the door out of politeness. 219 00:11:18.240 --> 00:11:22.799 More advanced physical stuff includes bypassing door sensors, lock picking, cloning, 220 00:11:22.840 --> 00:11:25.840 access badges, even fence jumping if the perimeter is weak. 221 00:11:25.960 --> 00:11:28.799 Wow, it sounds like spycraft, But I guess it works 222 00:11:28.840 --> 00:11:31.559 because people generally want to be helpful, or they're just 223 00:11:31.600 --> 00:11:34.840 not expecting it. I've heard stories of testers just walking 224 00:11:34.879 --> 00:11:36.399 in confidently with a clipboard. 225 00:11:36.559 --> 00:11:39.960 Exactly, Confidence and a plausible story go a long way. 226 00:11:40.240 --> 00:11:45.120 Attackers leverage psychological triggers, urgency. You need to do this now, scarcity. 227 00:11:45.360 --> 00:11:47.879 This offer is only available for an hour. Authority. I'm 228 00:11:47.919 --> 00:11:51.480 calling from headquarters. Also social proof. Everyone else on your 229 00:11:51.480 --> 00:11:55.360 team has already done this. Likeness building, rapport finding common ground, 230 00:11:55.639 --> 00:11:58.240 and of course fear your account will be suspended if 231 00:11:58.279 --> 00:11:58.879 you don't act. 232 00:11:59.159 --> 00:12:02.600 It's a supering reminder that security awareness isn't just an 233 00:12:02.720 --> 00:12:06.879 IT department issue, It's for everyone. You are a crucial 234 00:12:06.960 --> 00:12:08.000 part of the defense. 235 00:12:08.679 --> 00:12:12.720 Okay, let's unpack the next stage. The intel's gathered technical 236 00:12:12.879 --> 00:12:17.519 human whatever. Now what how do testers actually, you know, 237 00:12:17.720 --> 00:12:21.840 break things or rather demonstrate how things could be broken. 238 00:12:21.960 --> 00:12:23.639 This is the exploitation phase, right. 239 00:12:23.519 --> 00:12:25.960 That's right. This is where you take those vulnerabilities you found, 240 00:12:26.120 --> 00:12:29.360 the open ports, the unpatched software, the weak passwords, the 241 00:12:29.360 --> 00:12:32.840 information leak through osent or social engineering, and you actively 242 00:12:32.879 --> 00:12:36.320 try to leverage them. You're demonstrating the potential impact. 243 00:12:36.399 --> 00:12:39.440 Okay, let's start with network based exploits. What kind of 244 00:12:39.480 --> 00:12:41.320 attacks do we commonly see there? 245 00:12:41.480 --> 00:12:44.360 Well, in wireless networks, setting up an evil twin is classic. 246 00:12:44.519 --> 00:12:46.799 It's a fake Wi Fi hotspot that looks like the 247 00:12:46.840 --> 00:12:49.720 real one people connect to capture their traffic or credentials. 248 00:12:50.080 --> 00:12:54.000 Yeah, de authentication attacks can kick legitimate users off the 249 00:12:54.039 --> 00:12:57.120 real network, maybe forcing them to connect to your evil twin. 250 00:12:57.919 --> 00:13:01.879 Cracking week Wi Fi passwords, especially using WPS vulnerabilities, is 251 00:13:01.919 --> 00:13:05.600 still common for Bluetooth blue snarfing lets use steal data 252 00:13:05.600 --> 00:13:09.159 from a device. Bluejacking just sends spam messages, but can 253 00:13:09.200 --> 00:13:11.720 be annoying and on the wired side, man in the 254 00:13:11.720 --> 00:13:16.120 middle MITM attacks are a huge category. AIRP spoofing is 255 00:13:16.120 --> 00:13:17.840 a common way to do this on a local network, 256 00:13:18.000 --> 00:13:20.559 basically telling computers that your machine is the router so 257 00:13:20.600 --> 00:13:24.000 all their traffic goes through you. DNS poisoning or spoofing 258 00:13:24.120 --> 00:13:26.440 redirects users to fake websites when they type in a 259 00:13:26.480 --> 00:13:30.200 real address. SSL stripping forces a connection down from secure 260 00:13:30.240 --> 00:13:35.200 ATTPS to insecure HTTP, letting you eavesdrop Downgrade attacks do 261 00:13:35.279 --> 00:13:37.799 similar things, forcing older, weaker encryption. 262 00:13:37.639 --> 00:13:39.559 So intercepting traffic basically a. 263 00:13:39.519 --> 00:13:43.000 Lot of it is yeah or disrupting it. More advanced 264 00:13:43.000 --> 00:13:47.320 things include VLAN hopping. If a network uses VLANs for segmentation, 265 00:13:47.759 --> 00:13:50.799 attackers might use tricks like switch spoofing or double tacking 266 00:13:50.840 --> 00:13:53.600 packets to jump from one restricted vland to another they 267 00:13:53.600 --> 00:13:56.840 shouldn't have access to, and of course, denial the service 268 00:13:57.240 --> 00:14:01.639 do s attacks Things like s floods overwhelm a server 269 00:14:01.720 --> 00:14:05.320 with connection requests so legitimate users can't get through. There 270 00:14:05.320 --> 00:14:08.240 are older ones too, like land attacks, which can crash 271 00:14:08.360 --> 00:14:09.399 vulnerable systems. 272 00:14:09.639 --> 00:14:11.879 Okay, that's a lot on the network. What about attacking 273 00:14:11.919 --> 00:14:14.240 the actual systems or applications running on them? 274 00:14:14.360 --> 00:14:17.159 Right? This is where it often gets really impactful. A 275 00:14:17.240 --> 00:14:22.440 huge area is authentication. Finding systems using default administrative credentials 276 00:14:22.519 --> 00:14:26.480 like admin and password is surprisingly common, especially on routers, printers, 277 00:14:26.559 --> 00:14:27.399 IoT devices. 278 00:14:27.440 --> 00:14:29.320 Still after all these years. 279 00:14:29.080 --> 00:14:33.759 Still or just generally weak, easily guessable passwords. We use 280 00:14:33.840 --> 00:14:36.440 tools like John the Ripper or hashcat to perform password 281 00:14:36.480 --> 00:14:38.840 cracking on password hashes we might steal from a database. 282 00:14:38.919 --> 00:14:42.120 Dump techniques like using rainbow tables speed this up. Those 283 00:14:42.159 --> 00:14:44.080 salting hashes helps defend against. 284 00:14:43.799 --> 00:14:45.799 That salting adds randomness exactly. 285 00:14:46.399 --> 00:14:49.639 Another big one is past the hash on Windows networks. 286 00:14:49.679 --> 00:14:52.440 If you can steal the user's password hash, you often 287 00:14:52.440 --> 00:14:54.000 don't even need to crack it to get the plain 288 00:14:54.080 --> 00:14:56.519 text password. You can just reuse the hash itself to 289 00:14:56.559 --> 00:14:59.720 authenticate to other systems as that user. Very powerful for 290 00:14:59.759 --> 00:15:00.960 move laterally. 291 00:15:00.799 --> 00:15:04.639 And web applications. They seem like a constant battleground. 292 00:15:04.679 --> 00:15:08.960 Oh absolutely, They're complex, often custom built and Internet facing 293 00:15:09.360 --> 00:15:13.000 prime targets. SEQL injection is still a king. If a 294 00:15:13.000 --> 00:15:15.840 website doesn't properly clean user input before putting it into 295 00:15:15.879 --> 00:15:18.879 a database query. You can inject your own SQL commands, 296 00:15:19.279 --> 00:15:22.759 steal data, modified data, sometimes even take over the database server. 297 00:15:23.200 --> 00:15:26.840 Look for errors mentioning SQL or unexpected behavior with characters 298 00:15:26.879 --> 00:15:28.320 like single quotes or semi. 299 00:15:28.039 --> 00:15:31.159 Colon right the classic or one that sort of thing. Yeah. 300 00:15:31.320 --> 00:15:34.919 Cross site scripting EXSS is another huge one, injecting malicious 301 00:15:34.960 --> 00:15:37.320 JavaScript into a web page that then runs another users. 302 00:15:37.360 --> 00:15:40.120 Browsers can steal their session cookies, redirect them to face 303 00:15:40.120 --> 00:15:44.279 the site. There's scored XSS, reflected EXSS, DOM based EXSS 304 00:15:44.279 --> 00:15:48.600 different flavors. Then cross site request forgery CSRF tricks are 305 00:15:48.639 --> 00:15:51.440 logged in user's browser into sending a request to a 306 00:15:51.440 --> 00:15:54.840 web application they didn't intend, like changing their password. 307 00:15:54.519 --> 00:15:55.320 Or making a purchase. 308 00:15:55.399 --> 00:15:59.799 Tricky very We also look for file inclusion bugs. Local 309 00:15:59.799 --> 00:16:03.879 file inclusion LFI to read server files, Remote file inclusion 310 00:16:04.000 --> 00:16:07.600 RFI execute code from another server directory. Traversal lets you 311 00:16:07.679 --> 00:16:10.840 navigate outside the webroot directory using things like dot dot 312 00:16:10.879 --> 00:16:12.320 to access sensitive system. 313 00:16:12.039 --> 00:16:14.000 Files to trying to read et ceter a passway or 314 00:16:14.000 --> 00:16:15.440 something exactly. 315 00:16:15.159 --> 00:16:18.480 Or configuration files with passwords. Other web flaws include parameter 316 00:16:18.519 --> 00:16:22.759 pollution insecure direct object references I do war like changing 317 00:16:22.799 --> 00:16:24.919 dot user one two three to dot user one to 318 00:16:24.960 --> 00:16:28.480 four in the URL to see someone else's data and 319 00:16:28.559 --> 00:16:31.360 finding hard coded credentials and source code, hidden form fields, 320 00:16:31.440 --> 00:16:34.840 or overly verbose error messages that leak internal paths or 321 00:16:34.840 --> 00:16:37.000 software versions. It all helps an attacker. 322 00:16:37.159 --> 00:16:40.840 Okay, switching gears slightly. What about the underlying operating system 323 00:16:40.919 --> 00:16:41.879 or other software. 324 00:16:42.159 --> 00:16:46.240 Yeah, vulnerabilities there are critical too. On Windows, things like 325 00:16:46.320 --> 00:16:49.799 unquoted service paths can sometimes allow an attacker to replace 326 00:16:49.840 --> 00:16:53.840 a legitimate service executable with malware, gaining higher privileges when 327 00:16:53.879 --> 00:16:58.279 the service starts. Dlll hijacking exploits the way Windows searches 328 00:16:58.320 --> 00:17:01.440 for libraries. Tricking an app iplication into loading a malicious 329 00:17:01.480 --> 00:17:05.680 DLL using scheduled tasks is a common way for malware 330 00:17:05.720 --> 00:17:08.920 to achieve persistence, running automatically after a reboot. 331 00:17:09.079 --> 00:17:12.759 Persistence is key for attackers staying in the system absolutely. 332 00:17:13.200 --> 00:17:16.079 More advanced stuff includes cold boot attacks where you quickly 333 00:17:16.079 --> 00:17:18.839 reboot a machine and dump the memory contents before they fade, 334 00:17:19.079 --> 00:17:22.400 hoping to find encryption keys, or breaking out of virtual 335 00:17:22.440 --> 00:17:25.680 machines VM escape or container escape to attack the underlying 336 00:17:25.680 --> 00:17:28.440 host system. Those are rarer but very serious. 337 00:17:28.680 --> 00:17:31.160 And what tools help orchestrate these kinds of attacks? 338 00:17:31.400 --> 00:17:34.279 The big one is the Metasploid framework. It's like a 339 00:17:34.319 --> 00:17:38.519 giant database and toolkit of known exploits, payloads, and auxiliary modules, 340 00:17:38.759 --> 00:17:42.319 makes launching complex attacks much easier for setting up listeners 341 00:17:42.359 --> 00:17:47.559 or remote shells. NCAT, the modern version of netcat, is indispensable. 342 00:17:48.079 --> 00:17:50.839 Tools like Responder are great for capturing password hashes on 343 00:17:50.880 --> 00:17:54.799 internal networks by spoofing name resolution services, and the Impact 344 00:17:54.799 --> 00:17:58.119 Suite provides amazing tools for interacting with Windows network protocols 345 00:17:58.160 --> 00:18:01.880 like SMB, cerberos etc. At a low level, very powerful 346 00:18:01.880 --> 00:18:02.920 for domain exploitation. 347 00:18:03.119 --> 00:18:07.039 It's clear that understanding these specific attack methods isn't just academic. 348 00:18:07.319 --> 00:18:09.759 It helps you see the real ways systems get compromised, 349 00:18:09.799 --> 00:18:13.359 going beyond vague terms like hacked to the actual techniques involved. 350 00:18:13.640 --> 00:18:16.680 It shows why specific defenses are needed. So, Okay, the 351 00:18:16.720 --> 00:18:20.240 tester has done their work, found vulnerabilities, maybe even gained access. 352 00:18:20.480 --> 00:18:22.880 What happens next? The job isn't done until the client 353 00:18:22.960 --> 00:18:25.319 understands the findings and knows what to do, right, It's 354 00:18:25.319 --> 00:18:27.200 all about the report and the recommendations. 355 00:18:27.559 --> 00:18:31.640 Absolutely, finding the holes is only half the battle. Communicating 356 00:18:31.680 --> 00:18:35.480 them clearly and effectively and providing actionable advice is just 357 00:18:35.519 --> 00:18:38.839 as important. If the client doesn't understand or can't act 358 00:18:38.839 --> 00:18:42.400 on the findings, the test was well kind of pointless, 359 00:18:43.039 --> 00:18:48.440 and communication happens throughout the test too, things like deconflection, deconfliction. Yeah, 360 00:18:49.039 --> 00:18:52.680 imagine the client security team sees some suspicious activity. They 361 00:18:52.680 --> 00:18:55.400 need a way to quickly check with the pen test team. Hey, 362 00:18:55.480 --> 00:18:58.200 are you guys doing something involving server X right now? 363 00:18:58.359 --> 00:19:01.720 This confirms it's the author test and not a real attacker. 364 00:19:02.000 --> 00:19:06.880 Preventing unnecessary panic or incident response and sometimes de escalation 365 00:19:07.039 --> 00:19:10.240 is needed. Maybe a test is accidentally causing more disruption 366 00:19:10.319 --> 00:19:12.920 than intended. You need agreed upon procedures to dial it 367 00:19:12.960 --> 00:19:13.480 that quickly. 368 00:19:13.559 --> 00:19:16.319 Okay, that makes sense. So after the testing phase, all 369 00:19:16.319 --> 00:19:19.640 this raw data from different tools needs organizing. You mentioned 370 00:19:19.640 --> 00:19:21.279 normalization of data, right. 371 00:19:21.480 --> 00:19:25.160 You might have output from endmap logs, from metasploit screenshots, 372 00:19:25.240 --> 00:19:28.519 notes from social engineering attempts. It's all over the place. 373 00:19:29.000 --> 00:19:32.319 Normalization is the process of bringing all that data together, 374 00:19:32.799 --> 00:19:37.200 correlating it, removing duplicates, and formatting it consistently. It makes 375 00:19:37.200 --> 00:19:40.039 the evidence much clear and helps build a coherent narrative 376 00:19:40.039 --> 00:19:43.920 for the final report. It's a crucial, sometimes tedious step and. 377 00:19:43.799 --> 00:19:47.720 That final report that's the key deliverable. What absolutely needs 378 00:19:47.759 --> 00:19:49.200 to be in there for it to be useful? 379 00:19:49.240 --> 00:19:52.279 Well, you always need a clear executive summary, high level 380 00:19:52.279 --> 00:19:55.359 overview for management. What are the biggest risks, the key takeaways, 381 00:19:55.359 --> 00:19:59.440 the most urgent recommendations, no jargon. Then the detailed findings 382 00:19:59.440 --> 00:20:03.440 in remediation section. This is the technical need for each vulnerability. 383 00:20:03.960 --> 00:20:07.720 What it is, how it was found, the evidence, screenshots, logs, 384 00:20:07.720 --> 00:20:10.920 the potential impact, and specific actionable steps to fix it. 385 00:20:11.119 --> 00:20:14.079 And critically, metrics and measures you need to prioritize. The 386 00:20:14.119 --> 00:20:17.759 Common Vulnerability Scoring System CBSS is widely used here. It 387 00:20:17.759 --> 00:20:21.440 assigns a score low, medium, high, critical, based on factors 388 00:20:21.480 --> 00:20:22.519 like complexity, impact, etc. 389 00:20:23.000 --> 00:20:25.519 So the client knows where to focus their efforts first, 390 00:20:25.960 --> 00:20:28.000 fix the criticals and highs before the lows. 391 00:20:28.119 --> 00:20:31.400 Exactly, it helps them allocate resources effectively. You can't fix 392 00:20:31.440 --> 00:20:32.400 everything at once. 393 00:20:32.519 --> 00:20:35.720 Based on the sources. What are some common concrete fixes 394 00:20:35.759 --> 00:20:38.480 that often show up in these reports? Things organizations should 395 00:20:38.480 --> 00:20:39.440 probably be doing anyway. 396 00:20:39.599 --> 00:20:42.640 A lot of them are cybersecurity basics. Honestly, things like 397 00:20:42.720 --> 00:20:46.359 using secure Protocol CP instead of RCP for file transfers, 398 00:20:46.599 --> 00:20:51.240 SSH instead of telnet huge one change default administrative user 399 00:20:51.279 --> 00:20:55.599 names and passwords on everything, routers, switches, printers, applications. Still 400 00:20:55.599 --> 00:20:58.680 a problem, Still a massive problem. On the network level, 401 00:20:58.759 --> 00:21:04.519