WEBVTT 1 00:00:00.080 --> 00:00:02.720 Imagine for a moment, you're at your computer doing something 2 00:00:03.200 --> 00:00:08.080 completely normal, checking emails or maybe browsing a website. Now, 3 00:00:08.240 --> 00:00:12.199 what if someone somewhere could actually see every single key 4 00:00:12.199 --> 00:00:15.519 stroke you type, or even worse, turn on your webcam 5 00:00:15.720 --> 00:00:18.960 that you ever knowing it was happening. It sounds like 6 00:00:18.960 --> 00:00:20.559 something pulled straight from a spy movie. 7 00:00:20.640 --> 00:00:21.480 It really does. 8 00:00:22.160 --> 00:00:25.920 But for ethical hackers, understanding these incredibly powerful capabilities isn't 9 00:00:25.960 --> 00:00:29.839 really about invasion. It's the very first step in building 10 00:00:29.920 --> 00:00:31.440 robust defense and protection. 11 00:00:31.760 --> 00:00:32.359 Exactly. 12 00:00:32.759 --> 00:00:35.479 Welcome to the deep dive, where we impact complex topics 13 00:00:35.520 --> 00:00:38.840 and help you quickly become truly well informed. Today we're 14 00:00:38.880 --> 00:00:42.520 plunging into the fascinating world of ethical hacking, exploring what's 15 00:00:42.520 --> 00:00:46.600 often described as well the playbook of a genius. Our 16 00:00:46.600 --> 00:00:48.520 mission for you, our listener, is to extract the most 17 00:00:48.520 --> 00:00:51.759 important nuggets of knowledge from this material, helping you understand 18 00:00:51.799 --> 00:00:54.679 not just what these powerful systems and tools do, but 19 00:00:54.759 --> 00:00:57.520 crucially how they actually work and why they matter. 20 00:00:57.840 --> 00:01:01.640 And it's vital to remember this isn't about teaching you 21 00:01:01.679 --> 00:01:04.959 to be malicious. It's fundamentally about learning how to defend 22 00:01:05.000 --> 00:01:08.200 against those who are Did you know that many major 23 00:01:08.239 --> 00:01:12.159 companies like Facebook actually run what are called bug bounty. 24 00:01:11.760 --> 00:01:13.719 Programs, right, I've heard of those. 25 00:01:13.879 --> 00:01:17.000 Yeah, they offer substantial rewards sometimes, you know, tens of 26 00:01:17.040 --> 00:01:21.239 thousands of dollars for individuals who responsibly discover and disclose 27 00:01:21.319 --> 00:01:25.439 vulnerabilities they find. It really highlights the immense value placed 28 00:01:25.480 --> 00:01:29.359 on this kind of expertise, demonstrating that understanding these techniques 29 00:01:29.480 --> 00:01:32.879 is a highly sought after skill for building stronger digital defenses. 30 00:01:33.120 --> 00:01:36.599 Okay, so to start cracking, open this playbook. Let's talk 31 00:01:36.599 --> 00:01:40.480 about building your secure sandbox. This sounds like the absolute 32 00:01:40.560 --> 00:01:43.239 foundation for any ethical hacking exploration. 33 00:01:43.760 --> 00:01:46.719 It absolutely is. Before you even think about engaging with 34 00:01:46.760 --> 00:01:49.760 a real network or system, an ethical hacker creates a 35 00:01:49.799 --> 00:01:54.439 completely safe, isolated environment. Think of it as a virtual lab. Okay, 36 00:01:54.480 --> 00:01:58.200 we're talking about creating computers within your computer using virtualization 37 00:01:58.319 --> 00:02:02.079 software like virtual box. This setup ensures that you can 38 00:02:02.159 --> 00:02:05.920 experiment to your heart's content, break things, fix them, and 39 00:02:06.040 --> 00:02:09.840 learn fearlessly, all without any risk to your own operating 40 00:02:09.879 --> 00:02:14.400 system or critically anyone else's. It's a completely contained space. 41 00:02:14.800 --> 00:02:18.039 And within this virtual lab, you typically set up what 42 00:02:18.199 --> 00:02:20.879 three main machines, that's the common setup. Yeah, first you 43 00:02:20.919 --> 00:02:24.159 have Kully Linux, which acts as your primary attacking machine. 44 00:02:24.479 --> 00:02:27.439 It's a specialized operating system that comes preloaded with just 45 00:02:27.520 --> 00:02:31.919 an incredible array of penetration testing tools packed full. Then 46 00:02:32.039 --> 00:02:35.360 you'd add Metasploitable another Linux machine, but this one is 47 00:02:35.560 --> 00:02:38.000 like deliberately designed to be vulnerable exactly. 48 00:02:38.039 --> 00:02:40.680 It's literally built to be the perfect practice target, makes 49 00:02:40.759 --> 00:02:41.520 learning safe. 50 00:02:41.639 --> 00:02:44.719 And finally, you'd include a standard Windows machine just to 51 00:02:44.759 --> 00:02:48.240 simulate real world user scenarios, giving you a realistic target 52 00:02:48.280 --> 00:02:50.719 for say, client side attacks. 53 00:02:50.840 --> 00:02:53.879 Right, and one of the most brilliant features for learning 54 00:02:53.919 --> 00:02:57.360 in a virtual lab is the power of snapshots. Oh yeah, 55 00:02:57.560 --> 00:03:00.800 imagine being able to hit save game or your entire 56 00:03:00.840 --> 00:03:04.719 computer system. If you're experimenting and you break something or 57 00:03:05.199 --> 00:03:08.719 mess up a configuration, no problem, you can instantly revert 58 00:03:08.759 --> 00:03:12.719 to a previous working state. This makes the learning process 59 00:03:12.840 --> 00:03:16.240 incredibly practical, and it sort of removes the fear of 60 00:03:16.280 --> 00:03:19.159 irreversible mistakes because you always know you can go back 61 00:03:19.199 --> 00:03:20.080 to a clean slate. 62 00:03:20.240 --> 00:03:22.599 That's like having an infinite undo button for your entire 63 00:03:22.680 --> 00:03:25.520 operating system. That's amazing pretty much. Yeah, So, once your 64 00:03:25.599 --> 00:03:27.840 lab is up and running, you'll spend a lot of 65 00:03:27.879 --> 00:03:30.759 time within klie Linux. Now, while it does have a 66 00:03:30.759 --> 00:03:36.039 familiar graphical interface for aspiring ethical hackers, interacting with the 67 00:03:36.080 --> 00:03:39.840 command line is absolutely central, Oh absolutely Essentially, you'll become 68 00:03:39.960 --> 00:03:43.919 very familiar with fundamental commands like LS to list files, 69 00:03:44.319 --> 00:03:47.919 CD to change directories, and PWD to show your current location. 70 00:03:48.319 --> 00:03:49.120 The basics. 71 00:03:49.360 --> 00:03:52.080 And there's a secret weapon, the man command to get 72 00:03:52.080 --> 00:03:55.080 help for any command, and the tab button for autocomplete, 73 00:03:55.199 --> 00:03:57.319 which seriously saves a ton of typing. 74 00:03:57.360 --> 00:04:00.520 Tab complete is your best friend. A's finitely And one 75 00:04:00.599 --> 00:04:03.800 crucial detail often overlooked when first setting up is how 76 00:04:03.840 --> 00:04:08.319 you connect to wireless networks for hacking purposes. Your laptop's 77 00:04:08.319 --> 00:04:11.280 built in Wi Fi isn't typically enough for the advanced attacks. 78 00:04:11.319 --> 00:04:15.000 Why is that, Well, you need external USB wireless adapters 79 00:04:15.039 --> 00:04:19.160 that specifically support monitor mode and packet injection. These aren't 80 00:04:19.199 --> 00:04:22.120 just technical terms. They describe the ability to listen to 81 00:04:22.199 --> 00:04:25.360 all wireless traffic, not just what's intended for your computer, 82 00:04:26.000 --> 00:04:28.959 and to send custom wireless packets, which is essential for 83 00:04:29.079 --> 00:04:33.879 more sophisticated network attacks like cracking Wi Fi passwords. Standard 84 00:04:33.879 --> 00:04:35.680 cards simply aren't designed to do that. 85 00:04:36.319 --> 00:04:40.079 Got it? So, with our secure Virtual Labs set up 86 00:04:40.120 --> 00:04:42.720 and ready to go. The next crucial step in this 87 00:04:42.759 --> 00:04:46.160 ethical hackers playbook is reconnaissance. Before you can even think 88 00:04:46.199 --> 00:04:50.240 about defense, you need to understand your target, truly unmasking. 89 00:04:49.720 --> 00:04:54.199 The network, and that understanding begins with network identities, specifically 90 00:04:54.399 --> 00:04:55.279 MAC addresses. 91 00:04:55.360 --> 00:04:57.000 Right, it's a physical address exactly. 92 00:04:57.199 --> 00:04:59.959 Every network card, whether it's in your phone, laptop, or route, 93 00:05:00.560 --> 00:05:04.680 has a unique physical media access control address assigned by 94 00:05:04.680 --> 00:05:08.480 its manufacturer. Think of it like a permanent physical serial 95 00:05:08.560 --> 00:05:11.519 number etched directly onto the device's network hardware. 96 00:05:11.800 --> 00:05:16.839 But here's an interesting twist For anonymity. During penetration testing, 97 00:05:17.199 --> 00:05:20.480 a crucial step is being able to change your MSS address. 98 00:05:21.040 --> 00:05:23.600 While it's a physical address, you can actually alter this 99 00:05:23.759 --> 00:05:26.040 on the fly using software you can. 100 00:05:26.240 --> 00:05:29.879 It's a basic but essential technique to avoid being easily 101 00:05:29.959 --> 00:05:33.800 traced back during your testing. Okay, so once we understand 102 00:05:33.839 --> 00:05:37.800 basic network identities, we move into active intelligence gathering the 103 00:05:37.839 --> 00:05:41.319 eyes of the ethical hacker, so to speak. We can 104 00:05:41.319 --> 00:05:44.319 start with simple tools like net discover, which quickly sweep 105 00:05:44.360 --> 00:05:47.879 a network, revealing connected devices along with their IP and 106 00:05:48.000 --> 00:05:51.160 m MAT addresses. Pretty straightforward, but if you want to 107 00:05:51.240 --> 00:05:53.920 really dig deep, the go to tool is n MAP. 108 00:05:54.199 --> 00:05:57.160 Often called the Swiss Army Knife for network scanning, and 109 00:05:57.240 --> 00:05:57.959 for good reason. 110 00:05:58.240 --> 00:05:59.680 So once we have a list of who's on the 111 00:05:59.720 --> 00:06:02.560 network work with their m mass addresses, how do we 112 00:06:02.600 --> 00:06:06.040 start to understand what these devices actually are, what services 113 00:06:06.040 --> 00:06:08.480 are running, and maybe what might be open to attack. 114 00:06:08.800 --> 00:06:12.319 That's exactly where n MAP shines. It uses different scam profiles, 115 00:06:12.360 --> 00:06:14.720 like a ping scan just to find active devices, or 116 00:06:14.759 --> 00:06:18.079 maybe a quick scam plus to go much deeper. What's 117 00:06:18.079 --> 00:06:21.319 truly powerful about NMP is its ability to uncover not 118 00:06:21.399 --> 00:06:25.399 just active devices, but they're open ports, the specific services 119 00:06:25.439 --> 00:06:27.839 running on those ports, like a web server or a 120 00:06:27.879 --> 00:06:31.600 file sharing service, and even the versions of the software. 121 00:06:31.639 --> 00:06:32.680 Ah, the versions are key. 122 00:06:32.720 --> 00:06:36.360 You absolutely key that granular detail is crucial for finding 123 00:06:36.399 --> 00:06:40.480 specific vulnerabilities. For example, a quick scan plus might tell 124 00:06:40.480 --> 00:06:44.720 you a device is running Apache http Server version two 125 00:06:44.800 --> 00:06:47.319 point two point eight on Linux, right, and that instantly 126 00:06:47.399 --> 00:06:50.199 narrows down potential exploits you could look for and try. 127 00:06:50.319 --> 00:06:54.560 Okay, So, once you've unmasked the network, the next significant 128 00:06:54.560 --> 00:06:56.879 move in the playbook often involves man in the middle 129 00:06:57.319 --> 00:07:01.800 or MITM attacks. This is all about intercepting network traffic. 130 00:07:01.839 --> 00:07:02.639 Hey get in the middle. 131 00:07:02.720 --> 00:07:06.920 The core concept is deceptively simple. You redirect all network 132 00:07:06.959 --> 00:07:09.639 traffic between a client like a user's laptop and a 133 00:07:09.680 --> 00:07:12.399 gateway like their router through your own device. 134 00:07:12.560 --> 00:07:12.800 Right. 135 00:07:12.879 --> 00:07:15.279 This effectively puts you right in the middle of their conversation, 136 00:07:15.399 --> 00:07:18.680 allowing you to read, modify, or even just drop packets entirely. 137 00:07:18.399 --> 00:07:22.160 And tools like ARPSPOOF and MITMF are used to facilitate this. 138 00:07:22.240 --> 00:07:24.519 They perform something called ARP poisoning. 139 00:07:25.079 --> 00:07:27.000 ARP poisoning, Okay, what's the fout? 140 00:07:27.439 --> 00:07:31.120 To put it simply, ARP, or Address resolution protocol, is 141 00:07:31.160 --> 00:07:34.360 like a directory service that tells devices on a local 142 00:07:34.399 --> 00:07:37.439 network which m querre belongs to which IP address. 143 00:07:37.480 --> 00:07:37.759 Okay. 144 00:07:38.199 --> 00:07:42.240 ARP poisoning essentially tricks devices into thinking your computer is 145 00:07:42.279 --> 00:07:45.160 the router, and also tricks the router into thinking your 146 00:07:45.160 --> 00:07:46.759 computer is the target device. 147 00:07:47.000 --> 00:07:47.480 Huh. 148 00:07:47.519 --> 00:07:50.199 It's like putting up a false road sign that diverts 149 00:07:50.240 --> 00:07:53.199 all traffic through your own property. You can even see 150 00:07:53.199 --> 00:07:56.199 this visually when the MIA address entries on the target's 151 00:07:56.199 --> 00:07:57.879 network table actually changed to yours. 152 00:07:57.879 --> 00:08:00.519 Wow. Okay, So, with literally in the middle of the 153 00:08:00.560 --> 00:08:05.600 network conversation, sniffing credentials become shockingly straightforward for unencrypted or 154 00:08:05.800 --> 00:08:07.199 HTTP websites. 155 00:08:07.279 --> 00:08:08.040 Yeah, very easy. 156 00:08:08.040 --> 00:08:11.040 Then attackers can easily capture user names and passwords as 157 00:08:11.079 --> 00:08:14.680 they are transmitted. But what about secure sites HTTPS? 158 00:08:14.759 --> 00:08:19.040 That's where bypassing HTTPS becomes the challenge. Tools like SSL 159 00:08:19.120 --> 00:08:23.759 strip attempt to downgrade these secure HTTPS connections to unencrypted 160 00:08:23.879 --> 00:08:25.720 HTTP for interception. 161 00:08:25.319 --> 00:08:27.560 Right force it back to HDTP exactly. 162 00:08:27.920 --> 00:08:30.959 However, it's critical to note that modern security features like 163 00:08:31.160 --> 00:08:35.000 HTTP Strict Transport Security or HSTS are far more robust. 164 00:08:35.840 --> 00:08:36.000 Yeah. 165 00:08:36.120 --> 00:08:39.679 HSTS essentially tells a browser, hey, for this website only 166 00:08:39.720 --> 00:08:44.159 ever connect using HTTPS. Major sites like Facebook and Google 167 00:08:44.200 --> 00:08:48.519 have HSTS pre hard coded in browsers, okay, making these 168 00:08:48.559 --> 00:08:51.799 downgrade attacks much much more difficult for newer browsers to 169 00:08:51.840 --> 00:08:54.000 fall for. It's a great example of how defenses are 170 00:08:54.000 --> 00:08:55.000 constantly evolving. 171 00:08:55.200 --> 00:08:59.559 That makes sense. So beyond passwords, there's another powerful session 172 00:08:59.720 --> 00:09:03.399 high Why bother trying to guess or steal credentials if 173 00:09:03.399 --> 00:09:06.000 you can just steal the key to an already. 174 00:09:05.639 --> 00:09:07.440 Active session right steal the token. 175 00:09:07.639 --> 00:09:11.039 Yeah. By stealing authentication cookies using tools like Ferret and Hamster, 176 00:09:11.600 --> 00:09:14.240 an attacker can log into accounts, say on a site 177 00:09:14.279 --> 00:09:16.799 like you to Me, without ever needing the user's password. 178 00:09:17.159 --> 00:09:21.039 It's a very effective way to bypass traditional authentication, very effective. 179 00:09:21.080 --> 00:09:23.559 And then there's DNS spoofing. This is where you take 180 00:09:23.559 --> 00:09:26.320 control of how domain names resolve to IP addresses. 181 00:09:26.360 --> 00:09:29.080 Okay, so you control where the name points exactly. 182 00:09:29.600 --> 00:09:33.759 Imagine being able to redirect www dot Google dot com 183 00:09:33.799 --> 00:09:35.879 to a fake website running on your own server. 184 00:09:36.120 --> 00:09:37.360 Oh boy, you could use. 185 00:09:37.240 --> 00:09:40.559 This to serve malicious files, push fake updates, or even 186 00:09:40.679 --> 00:09:44.080 trick users into revealing credentials on a convincing but fake 187 00:09:44.200 --> 00:09:48.039 login page. The possibilities for deception really are extensive. 188 00:09:47.600 --> 00:09:51.120 And MITMF, that powerful man in the middle framework we 189 00:09:51.200 --> 00:09:54.559 mentioned earlier, also offers some rather nasty plugins I gather 190 00:09:54.840 --> 00:09:55.399 it does. 191 00:09:55.919 --> 00:09:59.320 There are things like screenshot keyloggers, which capture images of 192 00:09:59.360 --> 00:10:02.279 the target's screen every few seconds, giving you a visual 193 00:10:02.320 --> 00:10:06.200 log of their activity. And there's a JS key lagger, 194 00:10:06.440 --> 00:10:10.080 which injects a JavaScript keylogger to record keystrokes directly in 195 00:10:10.120 --> 00:10:13.840 the browser. These tools give an attacker and frankly alarming 196 00:10:13.879 --> 00:10:15.799 amount of insight into what the user is doing. 197 00:10:15.879 --> 00:10:17.759 Yeah, that's that's quite invasive. 198 00:10:18.799 --> 00:10:21.679 Finally, in this segment, we need to talk about wire shark. 199 00:10:21.600 --> 00:10:22.720 Right, the packet analyzer. 200 00:10:22.879 --> 00:10:26.480 Yes, but It's important to understand this clearly. Wireshark itself 201 00:10:26.519 --> 00:10:30.080 is not a hacking tool. It's a powerful network protocol 202 00:10:30.159 --> 00:10:35.080 analyzer designed for network administrators and ethical hackers to analyze 203 00:10:35.120 --> 00:10:37.799 traffic flowing through their own network interface. 204 00:10:38.200 --> 00:10:39.759 So it's for analysis, not attack. 205 00:10:40.000 --> 00:10:44.159 Precisely, its true power in penetration testing really comes after 206 00:10:44.200 --> 00:10:46.080 an MITM attack is established. 207 00:10:46.159 --> 00:10:48.879 Ah, because then the traffic is flowing through your machine. 208 00:10:48.919 --> 00:10:52.360 Exactly, Since all the victims traffic is now flowing through 209 00:10:52.399 --> 00:10:56.000 your machine, wireshark can capture and analyze all of it. 210 00:10:56.000 --> 00:10:58.320 It's like having X ray vision for network packets. 211 00:10:58.519 --> 00:11:01.159 So if we connect this to the bigger picture, wire 212 00:11:01.200 --> 00:11:05.240 shark allows for incredible practical use. You can filter packets, 213 00:11:05.240 --> 00:11:11.720 say for just HTTP traffic, examine individual packet details like source, destination, protocol, 214 00:11:11.759 --> 00:11:15.120 and content, and even identify suspicious patterns like a pre 215 00:11:15.240 --> 00:11:18.879 packet storms or duplicate IP address warnings, which are strong 216 00:11:18.919 --> 00:11:20.919 indicators that a hack might be in progress. 217 00:11:21.000 --> 00:11:24.600 Absolutely, it's an invaluable diagnostic tool for both attackers trying 218 00:11:24.600 --> 00:11:27.360 to understand the network and defenders looking for anomalies. 219 00:11:27.639 --> 00:11:31.440 Okay, now that we've unmasked the network, let's shift gears. 220 00:11:31.440 --> 00:11:35.159 And explore the next chapter in this playbook, gaining deeper 221 00:11:35.200 --> 00:11:39.039 control and establishing a persistent presence. This is where things 222 00:11:39.039 --> 00:11:42.399 get really impactful, moving beyond just observation. 223 00:11:42.759 --> 00:11:45.159 We begin with server side attacks, which are all about 224 00:11:45.200 --> 00:11:49.360 gaining control of computer systems by exploiting misconfigurations or built 225 00:11:49.399 --> 00:11:52.720 in vulnerabilities and programs and services running on target machines. 226 00:11:52.879 --> 00:11:54.919 And that could be anything right, a laptop, a. 227 00:11:54.919 --> 00:11:58.240 Server, anything from a personal laptop to a complex web server. 228 00:11:58.639 --> 00:12:01.600 We've seen classic examples of gaining full control over a 229 00:12:01.639 --> 00:12:08.039 metasploitable machine through surprisingly simple misconfigurations like allowing anonymous. 230 00:12:07.480 --> 00:12:09.879 FTP log in just leaving it open. 231 00:12:09.759 --> 00:12:12.480 Yeah, or leaving default or log in credentials where the 232 00:12:12.559 --> 00:12:15.600 username is root and the password is tour. It's surprisingly 233 00:12:15.639 --> 00:12:18.639 common to find systems left with such easy entry points. 234 00:12:18.720 --> 00:12:22.039 Wow. And when it comes to exploiting these vulnerabilities, the 235 00:12:22.080 --> 00:12:25.000 metaplate framework is often an ethical hackers powerhouse. 236 00:12:25.039 --> 00:12:25.720 Oh definitely. 237 00:12:25.840 --> 00:12:28.320 This open source framework isn't just a collection of tools. 238 00:12:28.399 --> 00:12:33.440 It represents a fundamental shift in how vulnerabilities are cataloged 239 00:12:33.480 --> 00:12:38.120 and exploited, essentially democratizing advanced penetration testing. What does it 240 00:12:38.159 --> 00:12:38.799 allow you to do? 241 00:12:39.000 --> 00:12:41.799 Well. It provides a console MSFF console where you can 242 00:12:41.879 --> 00:12:45.480 quickly select and launch exploits. You use basic commands like 243 00:12:45.759 --> 00:12:49.679 used to select and exploit, set rhos to define your target. 244 00:12:49.559 --> 00:12:51.879 Ra meaning remote host remote host. 245 00:12:51.679 --> 00:12:55.399 Exactly, and then exploit or run to initiate the attack. 246 00:12:55.639 --> 00:12:58.120 For example. The sources cover how it's used to exploit 247 00:12:58.200 --> 00:13:02.480 vulnerabilities like a backdoor found INFTPD and FTP service okay, 248 00:13:02.879 --> 00:13:06.159 or a remote code execution flaw in Samba like the 249 00:13:06.240 --> 00:13:10.200 user map script vulnerability. These techniques can ultimately grant full 250 00:13:10.240 --> 00:13:12.080 command line access to the target. 251 00:13:11.840 --> 00:13:15.919 System, full control. Beyond manually launching exploits, there are also 252 00:13:16.000 --> 00:13:20.519 automated vulnerability scanning tools you mentioned Metasploit Community or MSFC right. 253 00:13:21.000 --> 00:13:25.919 MSFC provides a web based graphical interface for metasploit. It 254 00:13:26.039 --> 00:13:30.600 streamlines the process of finding open ports, identifying services, and 255 00:13:30.720 --> 00:13:34.799 mapping them to known exploits. You can even launch exploits 256 00:13:34.879 --> 00:13:37.159 directly from its dashboard. Makes it a bit. 257 00:13:37.039 --> 00:13:38.559 Easier, a bit more user friendly. 258 00:13:38.679 --> 00:13:43.080 Yeah, and then there's Nexpose, another comprehensive vulnerability management tool 259 00:13:43.120 --> 00:13:47.440 from Rapid seven, Metasploit's creator. Okay, what's truly compelling about 260 00:13:47.519 --> 00:13:50.679 expos is that it's designed more from a defender's perspective. 261 00:13:51.120 --> 00:13:54.519 It detects a much broader range of vulnerabilities, discovering hundreds 262 00:13:54.559 --> 00:13:56.639 where MSFC might find only tens. 263 00:13:56.840 --> 00:13:58.600 Wow, big difference. Yeah. 264 00:13:58.600 --> 00:14:03.200 More importantly, it provides d tailed risk assessments, categorizes vulnerabilities 265 00:14:03.240 --> 00:14:06.200 by the skill level required to exploit them, and offers 266 00:14:06.240 --> 00:14:10.399 concrete remediation advice. It's truly a tool for organizations to 267 00:14:10.480 --> 00:14:13.960 understand exactly what an attacker might see and crucially, how 268 00:14:14.000 --> 00:14:14.480 to fix it. 269 00:14:14.679 --> 00:14:17.840 So it helps you prioritize your defenses exactly. Okay, moving 270 00:14:17.879 --> 00:14:20.399 from serv let's talk about client side attacks. This is 271 00:14:20.399 --> 00:14:22.279 really the art of deception aim to the user. 272 00:14:22.080 --> 00:14:24.679 Isn't it very much? So social engineering often plays a 273 00:14:24.679 --> 00:14:25.120 big part. 274 00:14:25.519 --> 00:14:29.440 Veil evasion is a tool used for generating undetectable back doors. 275 00:14:29.639 --> 00:14:30.399 How does that work? 276 00:14:30.519 --> 00:14:33.960 It works by creating payloads that's the malicious code that 277 00:14:34.120 --> 00:14:37.679 establish reverse connections. Verse connections, Yeah, where the target computer 278 00:14:37.759 --> 00:14:40.759 connects back to the attackers machine. This is a smart 279 00:14:40.840 --> 00:14:44.399 technique because it often helps bypass firewalls and anti virus 280 00:14:44.440 --> 00:14:47.600 software as the connection is outbound from the victim's perspective, 281 00:14:47.840 --> 00:14:51.799 which often looks less suspicious. Ah clever and veil even 282 00:14:51.879 --> 00:14:55.559 lets you tweak parameters like processors and sleep time within 283 00:14:55.600 --> 00:14:59.000 the payload itself. These adjustments can make the back door 284 00:14:59.039 --> 00:15:03.039 appear less suspicion to antivirus software, increasing its chances of 285 00:15:03.080 --> 00:15:04.600 going undetected. 286 00:15:04.200 --> 00:15:06.320 So you can tune it to be stealthier exactly. 287 00:15:06.960 --> 00:15:09.919 You can then test these generated backdoors using tools like 288 00:15:10.120 --> 00:15:13.879 no distribute, which checks them against common antivirus programs to 289 00:15:13.879 --> 00:15:14.879 see if they get flagged. 290 00:15:14.960 --> 00:15:19.360 Okay, now here's a brilliant, almost sneaky play in the 291 00:15:19.399 --> 00:15:22.320 realm of deception. Deceptive file extensions. 292 00:15:22.360 --> 00:15:24.679 Tell me about this, right, This is a clever social 293 00:15:24.720 --> 00:15:28.639 engineering technique. It uses a special Unicode character called the 294 00:15:28.720 --> 00:15:30.600 right to left override character in. 295 00:15:30.600 --> 00:15:33.039 A file name right to leftoveride. Yeah. 296 00:15:33.440 --> 00:15:36.679 This character can make an executable file. For example, invoice 297 00:15:36.720 --> 00:15:41.320 dot ex appear as a harmless image like invoicer alogpj 298 00:15:41.480 --> 00:15:45.559 dot ex might display as invoiceeq dot jpg. 299 00:15:45.840 --> 00:15:48.039 WHOA, so it looks like a JPEG, but it's actually 300 00:15:48.080 --> 00:15:49.879 an ex Exactly. 301 00:15:50.240 --> 00:15:53.360 It visually hides the true nature of the file while 302 00:15:53.440 --> 00:15:56.559 still allowing it to run when clicked. It's a subtle 303 00:15:56.600 --> 00:15:59.159 but highly effective trick that can fool many users into 304 00:15:59.240 --> 00:16:00.480 running something they sh shouldn't. 305 00:16:00.679 --> 00:16:04.320 That is sneaky. Okay. So, once initial access is gained, 306 00:16:04.399 --> 00:16:07.720 you typically landed a interpreter session, which is a powerful 307 00:16:07.759 --> 00:16:11.399 interactive shell within metasploit. This is your initial foothold, correct, 308 00:16:11.480 --> 00:16:14.320 How do you ensure that fur hoold isn't lost if, say, 309 00:16:14.600 --> 00:16:17.080 the user closes the program you initially exploited. 310 00:16:17.159 --> 00:16:19.440 That's where the migrate command comes in. You can use 311 00:16:19.480 --> 00:16:21.919 it to move your active interpreter session from the initial 312 00:16:21.960 --> 00:16:24.799 exploited program, which might be unstable or temporary, to a 313 00:16:24.840 --> 00:16:28.440 more stable, always running process on the target like explore 314 00:16:28.480 --> 00:16:31.240 dot exe, the Windows Graphical interface. 315 00:16:31.240 --> 00:16:32.759 Jump into a core process. 316 00:16:32.919 --> 00:16:35.639 Right. This prevents you from losing access if the original 317 00:16:35.639 --> 00:16:36.519 program closes. 318 00:16:36.679 --> 00:16:36.879 Right. 319 00:16:37.039 --> 00:16:40.519 Even more robust is the persistence module first. Yeah, this 320 00:16:40.559 --> 00:16:43.679 installs a back door that automatically reconnects to your calling 321 00:16:43.799 --> 00:16:47.360 machine every few seconds, even if the target computer restarts. 322 00:16:48.159 --> 00:16:51.360 This ensures continuous access. It's much harder to get rid of. 323 00:16:51.600 --> 00:16:54.480 Okay, that's serious. So from this interpreter session you have 324 00:16:54.559 --> 00:16:56.919 extensive control over the target's filesystem. Right. 325 00:16:57.200 --> 00:17:03.720 Oh, yes, there are commands to navigate directories, PWDLSTS, read files, cat, 326 00:17:03.919 --> 00:17:07.440 download sensitive data, upload your own tools, and execute programs 327 00:17:07.480 --> 00:17:12.000 on the victim's machine. It's essentially full remote control of their. 328 00:17:11.839 --> 00:17:13.839 System, and I assume you can also see what they're 329 00:17:13.839 --> 00:17:14.720 doing absolutely. 330 00:17:15.079 --> 00:17:18.880 Interpreter plugins also enable key logging and screenshots. You can 331 00:17:18.920 --> 00:17:22.240 log every keystroke the target makes, every single one, every 332 00:17:22.240 --> 00:17:24.880 single one, and capture screenshots of their desktop, giving you 333 00:17:24.920 --> 00:17:28.039 a full picture of their activity and often revealing sensitive 334 00:17:28.039 --> 00:17:31.079 information like passwords or private communications. 335 00:17:31.359 --> 00:17:33.960 That's powerful and quite scary. So if you're on one 336 00:17:34.039 --> 00:17:38.039 compromised machine, what's the next logical step? If you want 337 00:17:38.039 --> 00:17:40.640 to expand your reach within a larger network, maybe get 338 00:17:40.680 --> 00:17:41.440 to other servers. 339 00:17:41.519 --> 00:17:44.839 That brings us to a really important technique called pivoting. Pivoting, Okay, 340 00:17:45.079 --> 00:17:48.240 you use a compromised machine as a pivot point to 341 00:17:48.359 --> 00:17:51.640 attack other machines on its internal network that you couldn't 342 00:17:51.640 --> 00:17:53.200 reach directly from your own. 343 00:17:53.000 --> 00:17:56.000 Network, So you hop from one machine to the next exactly. 344 00:17:56.039 --> 00:17:59.000 Think of it like gaining access to one room in 345 00:17:59.039 --> 00:18:01.720 a building and then you using that room to unlock 346 00:18:01.839 --> 00:18:04.720 doors to other rooms you couldn't reach from the outside. 347 00:18:04.799 --> 00:18:08.400 The material shows how this is simulated using multiple neat 348 00:18:08.400 --> 00:18:12.400 networks in virtual box to create those isolated segments, mirroring 349 00:18:12.480 --> 00:18:14.720 real world network segmentation. 350 00:18:14.359 --> 00:18:18.119 Right, simulating a corporate network or something precisely Okay. On 351 00:18:18.200 --> 00:18:23.240 the flip side, For defenders, it's about detecting trojans and 352 00:18:23.319 --> 00:18:26.480 other malicious software. How would someone identify if they've been 353 00:18:26.519 --> 00:18:28.519 compromised with these kinds of techniques. 354 00:18:28.720 --> 00:18:31.519 Well, you can perform manual detection by using tools like 355 00:18:31.559 --> 00:18:35.160 Windows Resource Monitor to look for suspicious outbound network connections 356 00:18:35.200 --> 00:18:38.039 to unknown or unusual IP addresses. 357 00:18:37.680 --> 00:18:40.200 Okay, looking for strange connections going out exactly. 358 00:18:40.519 --> 00:18:43.000 You can then use a reverse DNS lookup to see 359 00:18:43.039 --> 00:18:46.319 if a suspicious IP resolves to a legitimate website like 360 00:18:46.359 --> 00:18:50.559 say Facebook server, or something completely unidentifiable and likely malicious. 361 00:18:50.839 --> 00:18:55.440 For more advanced detection, there's sandbox analysis. You upload suspicious 362 00:18:55.440 --> 00:18:59.759 files to online sandboxes like Cuckoo sandbox for automated behavioral 363 00:18:59.759 --> 00:19:02.640 and of those do they run the file in a safe, 364 00:19:02.839 --> 00:19:05.960 isolated environment and watch what it does. These reports can 365 00:19:06.000 --> 00:19:10.319 show if a file suppresses aeroboxes, modifies the registry, tries 366 00:19:10.359 --> 00:19:14.480 to create network connections, all strong indicators of malicious intent. 367 00:19:14.880 --> 00:19:17.519 Very useful. Okay, Now let's dive into our final chapter 368 00:19:17.559 --> 00:19:22.200 in this playbook exploiting the Web from websites to databases. 369 00:19:22.880 --> 00:19:25.480 This is where a huge amount of modern hacking really 370 00:19:25.559 --> 00:19:28.440 takes place, right since so much of our interaction is online. 371 00:19:28.519 --> 00:19:33.200 Absolutely. A crucial distinction here is understanding web application architecture, 372 00:19:33.319 --> 00:19:37.799 particularly client side versus server side languages. Client side languages 373 00:19:37.880 --> 00:19:41.200 like JavaScript execute in your web browser. Server side languages 374 00:19:41.279 --> 00:19:44.519 like PHP, your Python execute on the web server itself. 375 00:19:44.640 --> 00:19:45.839 Good. That distance is key. 376 00:19:46.079 --> 00:19:49.200 It's fundamental because it determines where your attacks will land 377 00:19:49.240 --> 00:19:52.200 and what kind of impact they'll have. If you inject JavaScript, 378 00:19:52.279 --> 00:19:55.200 it affects the user's browser. If you inject Php, it 379 00:19:55.200 --> 00:19:56.640 can affect the server itself. 380 00:19:56.839 --> 00:20:01.240 Makes sense. Then comes web information gathering or digital footprinting. 381 00:20:01.559 --> 00:20:02.559 You start with a who is. 382 00:20:02.559 --> 00:20:06.319 Look up YEP, basic stuff. Discover details about a domains, owner, 383 00:20:06.440 --> 00:20:10.880 creation date, and associated IP addresses and name servers. It's 384 00:20:10.920 --> 00:20:13.359 like looking up public records for a website. 385 00:20:12.920 --> 00:20:14.799 And netcraft that sounds interesting. 386 00:20:15.000 --> 00:20:19.039 Netcraft is an invaluable resource for uncovering the specific technologies 387 00:20:19.079 --> 00:20:22.359 a website uses. Everything from the web server like apatchee 388 00:20:22.359 --> 00:20:26.119 and the operating system like Linux okay, to the programming 389 00:20:26.200 --> 00:20:30.720 languages like Php or JavaScript and even specific web applications 390 00:20:30.839 --> 00:20:36.839 like WordPress. This information is pure gold for identifying known vulnerabilities. 391 00:20:36.000 --> 00:20:38.160 Because if you know a site uses an old version 392 00:20:38.200 --> 00:20:39.480 of WordPress. 393 00:20:38.960 --> 00:20:41.079 You can look up known exploits for that version. 394 00:20:41.000 --> 00:20:46.480 Exactly got it. Tools like robtechs provide comprehensive DNS information, 395 00:20:47.000 --> 00:20:50.400 helping to identify other websites hosted on the same physical server. 396 00:20:50.880 --> 00:20:51.839 Why is that useful? 397 00:20:52.200 --> 00:20:54.599 Well, if one site on a shared server is vulnerable, 398 00:20:54.640 --> 00:20:56.960 there's a good chance others might be too, offering a 399 00:20:57.000 --> 00:21:01.279 broader attack surface. For the ethical hacker, one weekly can expose. 400 00:21:00.920 --> 00:21:03.000 Others right shared hosting risks. 401 00:21:03.279 --> 00:21:06.160