WEBVTT 1 00:00:00.080 --> 00:00:02.839 Welcome to the Deep Dive. We're the show where we 2 00:00:02.879 --> 00:00:06.440 take a whole stack of sources, you know, articles, books, research, 3 00:00:06.480 --> 00:00:08.400 our own notes, and we really try to pull out 4 00:00:08.439 --> 00:00:10.720 those key bits of knowledge, those insights. 5 00:00:10.839 --> 00:00:14.080 That's right, And today we're diving into a world that 6 00:00:14.160 --> 00:00:17.160 I think fascinates a lot of people how things work, 7 00:00:17.280 --> 00:00:18.920 especially digital things. 8 00:00:19.719 --> 00:00:23.120 And it's a space where curiosity well can sometimes rope 9 00:00:23.160 --> 00:00:24.600 right up against security boundaries. 10 00:00:24.719 --> 00:00:27.679 Yeah, that line is thin, isn't it. The interplay between 11 00:00:27.760 --> 00:00:31.399 wanting to know and the risks involved. That's really our 12 00:00:31.440 --> 00:00:33.359 focus today. We're exploring the world. 13 00:00:33.200 --> 00:00:36.320 Of hacking, but specifically ethical hacking right its role which 14 00:00:36.399 --> 00:00:40.240 maybe isn't always understood in finding vulnerabilities and actually making 15 00:00:40.320 --> 00:00:42.000 our digital world safer. 16 00:00:41.880 --> 00:00:45.880 Exactly making it stronger. So for this deep dive, our 17 00:00:45.960 --> 00:00:49.600 main guide is a book called Hacking the Unlocking of Transparency. 18 00:00:49.679 --> 00:00:52.520 Security is a myth, it's a title, it is. It's 19 00:00:52.520 --> 00:00:55.600 by our Shutosh pertop Singh, who's also known as Joker 20 00:00:55.640 --> 00:00:56.600 of Technical Sepien. 21 00:00:56.920 --> 00:01:00.439 Okay, so our mission here is to really unpack the 22 00:01:00.560 --> 00:01:03.240 key insights from his work, give you a kind of 23 00:01:03.280 --> 00:01:07.400 shortcut to getting up to speed on ethical hacking. We're 24 00:01:07.400 --> 00:01:10.799 hoping for some surprising facts, maybe some explanations that really 25 00:01:10.840 --> 00:01:12.359 click absolutely. 26 00:01:11.959 --> 00:01:13.519 And to really get it, you kind of have to 27 00:01:13.599 --> 00:01:17.840 start with the author himself, a shutash pratopsing his journey 28 00:01:17.840 --> 00:01:19.959 into this whole thing. It started with, believe it or not, 29 00:01:20.120 --> 00:01:22.879 a YouTube video, oh yeah, yeah, one that claimed to 30 00:01:22.920 --> 00:01:25.359 show how you could remotely shut down someone else's computer. 31 00:01:25.840 --> 00:01:28.680 Turned out the video was fake, okay, but the curiosity 32 00:01:28.719 --> 00:01:30.840 it ignited in him that was one hundred percent real. 33 00:01:31.159 --> 00:01:34.959 That's fascinating. So from that that kind of false start. 34 00:01:35.000 --> 00:01:37.959 He just dove in totally headfirst into hacking during a 35 00:01:37.959 --> 00:01:40.480 summer break, and the book is pretty open about it. 36 00:01:40.519 --> 00:01:44.079 He initially went down the black hat path. 37 00:01:43.920 --> 00:01:47.200 Right the illegal side, things like cracking software. 38 00:01:46.879 --> 00:01:49.879 Card carding, spamming, that kind of thing, but he says 39 00:01:49.879 --> 00:01:54.200 he pretty quickly realized, you know, how risky that was unsustainable, 40 00:01:54.319 --> 00:01:57.079 and it really opened his eyes to just how bad 41 00:01:57.120 --> 00:01:58.920 cybersecurity often is out there. 42 00:01:59.159 --> 00:02:01.640 So that was the turning point, seeing the risks and 43 00:02:01.680 --> 00:02:03.959 the well the need for better security. 44 00:02:04.120 --> 00:02:08.719 It seems so that realization was pivotal. By late twenty seventeen, 45 00:02:08.840 --> 00:02:11.599 he made a conscious shift. He decided to focus on 46 00:02:11.639 --> 00:02:14.759 ethical hacking wanting to use those skills. He was developing 47 00:02:14.800 --> 00:02:17.280 for something constructive, something useful. 48 00:02:17.000 --> 00:02:19.199 And that led to technical sapien, that's right. 49 00:02:19.759 --> 00:02:23.560 In January twenty eighteen, he started an Instagram page. The 50 00:02:23.639 --> 00:02:26.919 initial goal was simple, find other people who were interested 51 00:02:26.919 --> 00:02:28.000 in the same things. 52 00:02:27.800 --> 00:02:29.560 A community, building, exercise base. 53 00:02:29.520 --> 00:02:32.800 Exactly, And like any big project, it wasn't smooth sailing 54 00:02:32.840 --> 00:02:35.159 at first. He tried what zapp groups had about five 55 00:02:35.199 --> 00:02:38.879 active ones. Oh wow, yeah, but apparently getting smart people 56 00:02:38.879 --> 00:02:42.840 to cooperate smoothly in that format it was tough. Then 57 00:02:42.879 --> 00:02:45.879 he moved to Telegram, built up this huge community over 58 00:02:45.960 --> 00:02:50.479 eleven thousand members, but faced issues there too, scams, people 59 00:02:50.479 --> 00:02:53.520 you couldn't trust. So ultimately he decided, okay, let's just 60 00:02:53.560 --> 00:02:57.439 focus everything on Instagram, build a more dedicated, reliable community. 61 00:02:57.000 --> 00:02:58.800 There, and that focused approach worked. 62 00:02:59.080 --> 00:03:02.599 It seems to have thought the Instagram community now they 63 00:03:02.599 --> 00:03:05.759 share info daily, help each other with technical problems, even 64 00:03:05.800 --> 00:03:10.800 self development stuff. They make informative posts, stories, guide people 65 00:03:10.840 --> 00:03:11.560 on careers. 66 00:03:11.759 --> 00:03:15.400 Sounds pretty comprehensive. And they actively ask for feedback too, you. 67 00:03:15.360 --> 00:03:20.840 Said, very interactive. They've even run five ethical hacking classes, 68 00:03:21.240 --> 00:03:24.560 trained over five hundred people. Wow, And apparently the demand 69 00:03:24.599 --> 00:03:27.240 for those classes was huge, way more than they had 70 00:03:27.240 --> 00:03:28.840 seats for it. That was actually a big reason he 71 00:03:28.840 --> 00:03:30.439 wrote the book. To get this knowledge out. 72 00:03:30.280 --> 00:03:33.960 To more people makes sense. And the name technical Sapien 73 00:03:34.719 --> 00:03:35.960 it's not just random, is it. 74 00:03:36.120 --> 00:03:38.080 No, there's a philosophy behind it. It plays on a 75 00:03:38.120 --> 00:03:41.479 homo sapien right. The mission, as he puts it, is 76 00:03:41.520 --> 00:03:44.360 to make people really aware of technology, to sort of 77 00:03:44.840 --> 00:03:46.800 convert them into technical humans. 78 00:03:46.919 --> 00:03:48.159 Technical humans. I like that. 79 00:03:48.280 --> 00:03:51.000 Yeah, the idea is helping people learn tech in easier, 80 00:03:51.080 --> 00:03:54.439 faster ways, keeping them current for this digital age. We're 81 00:03:54.479 --> 00:03:58.319 all in. And interestingly, their focus isn't just ethical hacking anymore. 82 00:03:58.319 --> 00:04:00.879 It's broadened out to other tech felss. 83 00:04:00.360 --> 00:04:04.199 Too, so a wider mission for digital literacy overall. Okay, 84 00:04:04.240 --> 00:04:06.520 as a great background, Now let's peel back the layers, 85 00:04:06.560 --> 00:04:10.680 the foundations. What actually is hacking because often we think 86 00:04:10.719 --> 00:04:14.439 of it as purely modern right digital, But the book 87 00:04:14.439 --> 00:04:16.199 says its roots go way back. 88 00:04:16.360 --> 00:04:19.959 They really do. The core idea manipulating systems has been 89 00:04:20.000 --> 00:04:22.480 around for over fifty years. You can even argue the 90 00:04:22.519 --> 00:04:26.800 spirit goes back to like eighteen seventy eight Bell telephone 91 00:04:27.279 --> 00:04:32.759 teenage switchboard operators messing with calls, disconnecting them, misdirecting them, 92 00:04:33.120 --> 00:04:34.519 kind of mischievous hacks. 93 00:04:34.600 --> 00:04:36.160 Huh, never thought of it like that. 94 00:04:36.480 --> 00:04:39.360 But the first sort of authentic computer hackers they showed 95 00:04:39.439 --> 00:04:42.759 up in the nineteen sixties at MIT, students finding clever 96 00:04:42.879 --> 00:04:46.839 programming shortcuts, hacks to make computers do tasks faster, sometimes 97 00:04:46.920 --> 00:04:48.560 even better than the original design. 98 00:04:48.720 --> 00:04:51.680 And that creative shortcut approach led to big things. 99 00:04:51.680 --> 00:04:55.279 Like Unix exactly. The book credits Dennis Ritchie and Ken 100 00:04:55.319 --> 00:04:58.040 Thompson at Bell Labs in nineteen sixty nine they created 101 00:04:58.079 --> 00:05:00.759 you Andix as this open set of rules for running machines, 102 00:05:00.839 --> 00:05:03.560 essentially a really sophisticated creative hack at the time. 103 00:05:03.639 --> 00:05:06.480 Okay, so how do we get from creative shortcuts to 104 00:05:06.519 --> 00:05:08.120 the definition we mostly use today? 105 00:05:08.319 --> 00:05:12.040 Well, that's the crucial evolution. Today. Hacking in the common 106 00:05:12.120 --> 00:05:15.759 sense is mostly about finding those entry points, those vulnerabilities 107 00:05:16.240 --> 00:05:20.199 in a system or network, usually to gain unauthorized access, 108 00:05:20.240 --> 00:05:22.120 maybe steal info, cause harm. 109 00:05:22.279 --> 00:05:24.839 Right, But ethical hacking flips that completely. 110 00:05:24.920 --> 00:05:28.199 Ethical hacking is deliberately doing the same things, but with permission. 111 00:05:28.560 --> 00:05:33.920 You're exploring the weaknesses, testing the defenses, specifically to improve security. 112 00:05:34.360 --> 00:05:40.040 It's also called penetration testing, intrusion testing, red teaming, different 113 00:05:40.120 --> 00:05:41.240 names for the same goal. 114 00:05:41.360 --> 00:05:43.759 Got it. So what motivates people to hack in the 115 00:05:43.759 --> 00:05:46.439 first place? The book covers a pretty wide range, doesn't it. 116 00:05:46.439 --> 00:05:48.560 It really does. It goes from just you know, for 117 00:05:48.639 --> 00:05:52.000 fun or showing off skills all the way to malicious 118 00:05:52.000 --> 00:05:56.759 stuff like stealing information, damaging systems, invading privacy, even extortion. 119 00:05:56.959 --> 00:06:00.519 But it also includes the positive side, like testing security. 120 00:06:00.120 --> 00:06:04.920 Absolutely system security testing, maybe even breaking policy compliance in 121 00:06:04.959 --> 00:06:08.240 a way that highlights a flaw constructively. It's a mixed 122 00:06:08.240 --> 00:06:09.519 bag of motivations, which. 123 00:06:09.439 --> 00:06:12.399 Leads us nicely into different types of hackers. The book 124 00:06:12.439 --> 00:06:13.480 breaks them down by intent. 125 00:06:13.839 --> 00:06:16.399 Yeah, pretty clearly, you've got your white hat hackers. Those 126 00:06:16.399 --> 00:06:20.399 are the ethical security experts, the good guys doing the 127 00:06:20.399 --> 00:06:22.199 penetration testing to protect us. 128 00:06:22.480 --> 00:06:25.600 Then the black hat hackers sometimes called crackers. They're the 129 00:06:25.639 --> 00:06:30.879 ones operating illegally with malicious intent, stealing data, wrecking systems. 130 00:06:31.399 --> 00:06:34.639 And then there's that interesting gray area, the gray hat hackers. 131 00:06:34.800 --> 00:06:38.399 Right, they might bend or break rules, maybe even laws, 132 00:06:39.000 --> 00:06:40.759 but not necessarily with bad intentions. 133 00:06:40.920 --> 00:06:43.279 Often, yeah, their goal might be just to find a 134 00:06:43.319 --> 00:06:46.800 weakness and tell the owner. Maybe hoping for some recognition 135 00:06:46.959 --> 00:06:49.480 or even a bug bounty payment. They operate in that 136 00:06:49.519 --> 00:06:50.480 ambiguous zone. 137 00:06:50.639 --> 00:06:53.560 The book also mentions red hat hackers that's distinct from 138 00:06:53.560 --> 00:06:54.879 the software company right. 139 00:06:54.839 --> 00:06:55.399 Very distinct. 140 00:06:55.480 --> 00:06:55.759 Yeah. 141 00:06:56.079 --> 00:06:59.079 In this context, red hat hackers are described as focusing 142 00:06:59.120 --> 00:07:03.720 specifically on targeting government agencies, top secret data hubs, high 143 00:07:03.800 --> 00:07:04.800 level target Okay. 144 00:07:04.839 --> 00:07:07.519 And then you have the less sophisticated. 145 00:07:06.839 --> 00:07:10.839 Actors right script kitties, people who use hacking tools made 146 00:07:10.879 --> 00:07:15.120 by others without really understanding the underlying principles. And activists 147 00:07:15.199 --> 00:07:19.600 who use hacking techniques like defacing websites or launching denial 148 00:07:19.600 --> 00:07:23.639 of service attacks to promote a social, political, or religious message. 149 00:07:23.720 --> 00:07:26.439 It's a whole ecosystem. Now. Trying to understand all this 150 00:07:26.879 --> 00:07:30.480 requires learning a new language. Almost The book includes a 151 00:07:30.519 --> 00:07:32.560 glossary which seems super. 152 00:07:32.319 --> 00:07:36.199 Helpful, absolutely essential. Understanding these terms is key to unlocking 153 00:07:36.279 --> 00:07:38.959 what the book and the field is all about. And 154 00:07:39.000 --> 00:07:41.639 you'll notice as we go through some how many revolve 155 00:07:41.639 --> 00:07:45.199 around deception. Unauthorized access tells you a lot. 156 00:07:45.319 --> 00:07:48.720 Good point, it's as much about psychology as technology sometimes, 157 00:07:48.959 --> 00:07:51.680 So let's run through a few key ones. Adwere software 158 00:07:51.720 --> 00:07:55.439 that just forces ads on you annoying, sometimes malicious. 159 00:07:55.879 --> 00:07:58.040 An attack is pretty straightforward. The action to get in 160 00:07:58.120 --> 00:08:00.079 or get data a backdoor. 161 00:08:00.040 --> 00:08:03.240 Secret entrance, a hidden way in that bypasses the normal 162 00:08:03.279 --> 00:08:04.120 security checks. 163 00:08:04.199 --> 00:08:08.560 Okay, Bots and botnets. A bot is just an automated program. 164 00:08:08.800 --> 00:08:12.199 A botnet is when an attacker controls a whole network 165 00:08:12.199 --> 00:08:15.120 of infected computers. Those zombie drones we mentioned to do 166 00:08:15.160 --> 00:08:18.959 their bidding, like sending spam or launching massive attacks. 167 00:08:19.120 --> 00:08:21.079 Brute force attack that's. 168 00:08:20.879 --> 00:08:25.360 Just trying every single password combination possible, usually automated until 169 00:08:25.360 --> 00:08:29.959 one works simple, but can be effective against weak passwords. 170 00:08:30.040 --> 00:08:32.879 But for overflow, you described it like pouring too much 171 00:08:32.919 --> 00:08:34.279 water into a glass earlier. 172 00:08:34.480 --> 00:08:38.600 Exactly, you overwhelm a specific memory area, causing data to 173 00:08:38.639 --> 00:08:42.480 spill over, potentially crashing the system or worse, allowing the 174 00:08:42.480 --> 00:08:44.080 attacker to inject their own code. 175 00:08:44.240 --> 00:08:45.559 Clone fishing sounds sneaky. 176 00:08:45.679 --> 00:08:49.159 It is taking a legitimate email, copying it, but changing 177 00:08:49.200 --> 00:08:51.480 the links to point somewhere malicious to trick you. 178 00:08:51.639 --> 00:08:53.279 A cracker versus a hacker. 179 00:08:53.080 --> 00:08:56.000 Often use for someone who modifies software, especially to break 180 00:08:56.039 --> 00:08:58.919 copy protection. Sometimes overlaps with black. 181 00:08:58.639 --> 00:09:01.399 Hat denial of service sandidas. 182 00:09:01.080 --> 00:09:04.240 Making a website or service unusable by flooding it with traffic. 183 00:09:04.600 --> 00:09:08.120 Didas is the distributed version using a botnet to amplify 184 00:09:08.159 --> 00:09:09.120 the attack massively. 185 00:09:09.279 --> 00:09:10.519 Exploit and exploit kit. 186 00:09:10.840 --> 00:09:13.840 An exploit is the specific piece of code or technique 187 00:09:13.840 --> 00:09:17.279 that takes advantage of a vulnerability. An exploit kit is 188 00:09:17.320 --> 00:09:20.360 like a prepackaged toolkit that helps automate finding and using 189 00:09:20.360 --> 00:09:21.120 those exploits. 190 00:09:21.240 --> 00:09:23.120 Firewall the digital bouncer. 191 00:09:23.039 --> 00:09:26.080 YEP filtering traffic trying to keep intruders out. 192 00:09:26.159 --> 00:09:28.679 Dampto quogging malicious. 193 00:09:28.039 --> 00:09:32.399 Software that secretly records everything you type, very dangerous for 194 00:09:32.519 --> 00:09:37.360 capturing passwords, credit card numbers. A logic bomb a piece 195 00:09:37.399 --> 00:09:41.200 of malicious code designed to trigger only under certain conditions, 196 00:09:41.279 --> 00:09:44.440 like on a specific date or if an employee gets fired. 197 00:09:44.440 --> 00:09:47.120 That kind of thing. Malware is the big umbrella. 198 00:09:46.759 --> 00:09:52.720 Term right covers, viruses, worms, trojans, ransomware, any software designed 199 00:09:52.759 --> 00:09:53.320 to be hostile. 200 00:09:53.399 --> 00:09:56.320 Phishing. We all know that one sadly, the fake emails 201 00:09:56.360 --> 00:09:57.519 trying to get personal info. 202 00:09:58.360 --> 00:10:01.720 Freaker is an older term, most for breaking into phone networks. 203 00:10:01.879 --> 00:10:06.639 Rootkit super stealthy malware. It hides itself and other malicious processes, 204 00:10:06.639 --> 00:10:09.720 often giving the attacker the highest level root privileges. On 205 00:10:09.759 --> 00:10:12.080 a system very hard to detect. 206 00:10:12.120 --> 00:10:13.840 Shrink wrap code exploit. 207 00:10:13.679 --> 00:10:16.879 Taking advantage of vulnerabilities in software that hasn't been patched 208 00:10:17.159 --> 00:10:21.679 or is using default insecure configurations, basically exploiting the out 209 00:10:21.679 --> 00:10:22.759 of the box weaknesses. 210 00:10:22.840 --> 00:10:26.120 Social engineering. This one feels different, less technical. 211 00:10:26.320 --> 00:10:29.720 Absolutely, it's the art of manipulation. Tricking people into giving 212 00:10:29.799 --> 00:10:33.799 up information or performing actions they shouldn't. Often involves impersonation. 213 00:10:34.159 --> 00:10:36.840 Pre Texting relies on human psychology. 214 00:10:37.039 --> 00:10:39.679 Spam unwanted email spoofing. 215 00:10:39.279 --> 00:10:42.639 Faking your identity could be your IP address, email address, 216 00:10:42.720 --> 00:10:46.120 caller ID to gain unauthorized access or trick someone. 217 00:10:46.279 --> 00:10:48.960 Spyware gathers info without you knowing. 218 00:10:49.320 --> 00:10:53.919 SQL injection a huge one for web security. Injecting malicious 219 00:10:54.000 --> 00:10:57.039 database commands or into input fields on a website can 220 00:10:57.120 --> 00:10:59.960 let attackers read, chained or delete database comes. 221 00:11:00.559 --> 00:11:01.919 Threat versus vulnerability. 222 00:11:01.960 --> 00:11:05.480 A vulnerability is the weakness itself, the unlocked window. A 223 00:11:05.519 --> 00:11:08.559 threat is the potential danger that could exploit that weakness, 224 00:11:08.879 --> 00:11:10.799 the burglar who might climb through the window. 225 00:11:10.960 --> 00:11:13.440 Trojan horse malware disguises something legitimate. 226 00:11:13.639 --> 00:11:15.840 Yep, you willingly let it in because you think it's 227 00:11:15.879 --> 00:11:16.879 harmless or useful. 228 00:11:17.000 --> 00:11:18.480 Virus versus worm a. 229 00:11:18.519 --> 00:11:21.600 Virus needs to attach itself to another program to spread, 230 00:11:21.919 --> 00:11:26.320 often requiring human action like opening a file. A worm 231 00:11:26.559 --> 00:11:29.559 is self replicating, it can spread across networks on its 232 00:11:29.600 --> 00:11:31.600 own without needing to attach to anything. 233 00:11:31.840 --> 00:11:34.559 Cross sight scripting EXSS. 234 00:11:33.960 --> 00:11:38.519 Injecting malicious scripts usually JavaScript, into a legitimate website so 235 00:11:38.559 --> 00:11:41.879 it runs in the browsers of other visitors. Can steal cookies, 236 00:11:41.960 --> 00:11:44.279 redirect users, deface sites. 237 00:11:44.200 --> 00:11:46.759 And zombie drawn that hijacked computer and a bot. 238 00:11:46.720 --> 00:11:49.759 At exactly doing the attackers dirty work. 239 00:11:49.840 --> 00:11:52.399 Okay, that's a ton of terminology, but really crucial for 240 00:11:52.480 --> 00:11:56.759 understanding the landscape. So once you grasp the language, what 241 00:11:56.840 --> 00:12:00.320 tools does an ethical hacker actually use? The book talks 242 00:12:00.320 --> 00:12:03.480 about starting with physical tools. What does that really mean? Here? 243 00:12:03.639 --> 00:12:05.759 It's more about starting with tools where you can kind 244 00:12:05.759 --> 00:12:08.279 of see the cause and effect more directly. The idea 245 00:12:08.279 --> 00:12:11.759 is to understand the underlying protocols and concepts without getting 246 00:12:11.799 --> 00:12:14.559 lost in complex code right away see the results of 247 00:12:14.600 --> 00:12:15.240 your actions. 248 00:12:15.279 --> 00:12:18.399 Clearly makes sense, and the book highlights some big ones 249 00:12:18.720 --> 00:12:20.320 Metasploid framework. Yeah. 250 00:12:20.480 --> 00:12:25.840 Cornerstone open source penetration testing tool makes exploiting known vulnerabilities 251 00:12:25.919 --> 00:12:29.279 much easier with its library of pre built modules and payloads. 252 00:12:29.279 --> 00:12:33.519 It's incredibly powerful end map network mapper, fantastic tool for 253 00:12:33.600 --> 00:12:37.200 network discovery and security auditing. It finds hosts, scans for 254 00:12:37.240 --> 00:12:41.399 open ports, identifies services running, can even help fingerprint operating 255 00:12:41.440 --> 00:12:45.039 systems and bypass firewalls really versatile. 256 00:12:45.080 --> 00:12:47.360 Wireshark is another famous one packet sniffing. 257 00:12:47.720 --> 00:12:51.240 The go to packet analyzer. It captures network traffic in 258 00:12:51.360 --> 00:12:55.080 real time and lets you inspect individual packets. Essential for 259 00:12:55.120 --> 00:12:59.399 troubleshooting network problems, analyzing protocols, and yes, finding things like 260 00:12:59.519 --> 00:13:02.960 unencrypted passwords if they're flying across the network. Nesis a 261 00:13:03.000 --> 00:13:07.080 popular vulnerability scanner. It checks systems against a huge database 262 00:13:07.120 --> 00:13:11.519 of known vulnerabilities cvees and reports potential weaknesses. Uses its 263 00:13:11.519 --> 00:13:14.840 own scripting language NASL for tests, air. 264 00:13:14.720 --> 00:13:17.159 Cracking sounds Wi Fi specific it is. 265 00:13:17.200 --> 00:13:20.120 It's a whole suite of tools for auditing wireless network security, 266 00:13:20.519 --> 00:13:23.759 monitoring traffic, attacking networks like trying to crack WP and 267 00:13:23.919 --> 00:13:27.360 wpopat two keys, testing Wi Fi cards, the standard for 268 00:13:27.399 --> 00:13:28.399 Wi Fi pen testing. 269 00:13:28.639 --> 00:13:30.360 John the Ripper for passwords. 270 00:13:29.960 --> 00:13:34.200 YEP a fast password cracker primarily known for cracking various 271 00:13:34.240 --> 00:13:37.759 password hash formats, especially good at finding weak Unix passwords, 272 00:13:37.799 --> 00:13:39.279 but supports many others too. 273 00:13:39.559 --> 00:13:42.240 And surprisingly, Google itself is listed as a tool. 274 00:13:42.360 --> 00:13:46.039 Oh yeah, definitely. The book calls it a near real 275 00:13:46.120 --> 00:13:50.759 time vulnerability database. Using specific search queries what's often called 276 00:13:50.759 --> 00:13:54.360 Google dorking, you can find an astonishing amount of sensitive 277 00:13:54.360 --> 00:13:59.120 information that's been accidentally exposed online, misconfigured servers, internal documents, 278 00:13:59.159 --> 00:14:02.080 open network share. It's all about knowing how to search. 279 00:14:02.480 --> 00:14:05.480 That's wild. So you have the tools, but you need 280 00:14:05.519 --> 00:14:08.559 a place to use them safely and effectively. That brings 281 00:14:08.639 --> 00:14:12.440 us to the workplace. Setup Kali Linux Why is Collie? 282 00:14:12.440 --> 00:14:13.000 The standard? 283 00:14:13.200 --> 00:14:17.159 KLLI is basically Debian Linux, specifically rebuilt and pre configured 284 00:14:17.159 --> 00:14:21.600 for penetration testing and digital forensics. It's maintained by Offensive Security, 285 00:14:21.639 --> 00:14:24.960 the folks behind the OSCP certification. It comes bundled with 286 00:14:25.120 --> 00:14:29.440 hundreds of specialized tools metasploid, end map, wire Shark, aircrack, 287 00:14:29.559 --> 00:14:32.159 John the Ripper. They're all usually there. It saves a 288 00:14:32.200 --> 00:14:36.480 ton of setup time and provides a standardized, reliable environment. 289 00:14:36.279 --> 00:14:38.799 And the book recommends setting it up in a virtual 290 00:14:38.840 --> 00:14:40.360 machine like virtual box. 291 00:14:40.519 --> 00:14:44.399 Exactly. Running Collie in a VM creates an isolated sandbox 292 00:14:44.759 --> 00:14:47.759 you can experiment even break things without affecting your main 293 00:14:47.840 --> 00:14:51.320 operating system. It's much safer, especially when you're learning or 294 00:14:51.360 --> 00:14:55.080 dealing with potentially risky tools or exploits. The book gives 295 00:14:55.120 --> 00:14:57.399 step by step instructions for that virtual. 296 00:14:57.080 --> 00:15:00.919 Box setup, covering things like memory allocation, virtual hard disk, 297 00:15:01.000 --> 00:15:02.600 set up, all. 298 00:15:02.399 --> 00:15:05.639 The details right, getting the foundation right, and beyond just 299 00:15:05.679 --> 00:15:10.039 installing Collie. The book covers configuring essential network services within it, 300 00:15:10.240 --> 00:15:12.960 making sure you can connect properly, maybe setting up network 301 00:15:13.000 --> 00:15:14.320 proxies if needed, and. 302 00:15:14.279 --> 00:15:18.360 Enabling SSH secure shell for remote access but. 303 00:15:18.360 --> 00:15:23.360 Securely, crucially securely, Collie disables the default SSH service for safety. 304 00:15:23.720 --> 00:15:26.159 The book explains how to generate unique keys and start 305 00:15:26.200 --> 00:15:27.799 the service properly if you need it. 306 00:15:27.840 --> 00:15:31.559 And keeping Collie updated is paramount, just like ANYOS. 307 00:15:31.519 --> 00:15:36.120 Absolutely critical. The threat landscape changes constantly. The book explains 308 00:15:36.159 --> 00:15:40.480 debian's package management system APT and the commands like appt 309 00:15:40.480 --> 00:15:43.039 get update and app get upgrade or disted upgrade. To 310 00:15:43.120 --> 00:15:45.840 keep Collie and all its tools patched and current. An 311 00:15:45.919 --> 00:15:49.440 outdated hacking toolkit is not very effective or safe. 312 00:15:49.559 --> 00:15:54.240 Okay, environment set tools ready. Now the actual process begins. 313 00:15:54.240 --> 00:15:58.120 The book Hammer's home that reconnaissance or information gathering is 314 00:15:58.480 --> 00:16:00.960 the first and maybe most critical step. It says it 315 00:16:00.960 --> 00:16:03.279 can take up to seventy five percent of the effort. 316 00:16:03.559 --> 00:16:06.519 Why so much because you can't effectively attack what you 317 00:16:06.559 --> 00:16:10.639 don't understand. Recon is about meticulously mapping out your target's 318 00:16:10.679 --> 00:16:13.360 digital footprint. What systems do they have, what software are 319 00:16:13.360 --> 00:16:15.840 they running, who works there, what's their network structure like. 320 00:16:16.559 --> 00:16:18.960 The more info you gather up front, the higher your 321 00:16:19.039 --> 00:16:22.360 chances of finding a viable enter point. Rushing this phase 322 00:16:22.440 --> 00:16:24.960 is a recipe for failure or getting caught, and. 323 00:16:24.919 --> 00:16:28.000 There are two main types of recon, active and passive. 324 00:16:28.320 --> 00:16:32.480 That's right. Passive recon is gathering information without directly interacting 325 00:16:32.519 --> 00:16:37.120 with the target systems. Think public records, social media, news articles, DNS, 326 00:16:37.159 --> 00:16:41.399 lookups from public servers, Google dorking. It's stealthier, lower risk 327 00:16:41.440 --> 00:16:41.960 of detection. 328 00:16:42.279 --> 00:16:46.159 Active recon, then, is when you start probing the target directly. 329 00:16:45.919 --> 00:16:49.559 Exactly things like ports, standing their servers, trying to identify 330 00:16:49.600 --> 00:16:52.360 web server versions, interacting with their systems in ways that 331 00:16:52.399 --> 00:16:55.840 could be logged or detected by intrusion detection systems IDs 332 00:16:56.279 --> 00:17:00.399 or intrusion prevention systems IPS. It yields more detailed info 333 00:17:00.559 --> 00:17:01.720 but carries more risk. 334 00:17:02.200 --> 00:17:05.400 You mentioned DNS lookups. DNS reconnaissance seems like a key 335 00:17:05.440 --> 00:17:05.799 part of this. 336 00:17:06.119 --> 00:17:10.359 It's incredibly valuable DNS. The Internet's phone book holds info 337 00:17:10.400 --> 00:17:15.000 about domain names, mail servers, IP addresses. Analyzing and organization's 338 00:17:15.079 --> 00:17:18.279 DNS records can reveal a surprising amount about their internal 339 00:17:18.319 --> 00:17:21.960 network structure, often without setting off alarms. Because while DNAs 340 00:17:22.000 --> 00:17:23.599 traffic is usually considered normal. 341 00:17:23.720 --> 00:17:26.279 So what are some specific methods the book mentions for 342 00:17:26.359 --> 00:17:28.279 gathering target info footprinting? 343 00:17:28.519 --> 00:17:34.000 Footprinting is that broad initial information gathering, collecting domain names, 344 00:17:34.119 --> 00:17:38.480 IP ranges, network blocks, employee names, and contact details, maybe 345 00:17:38.480 --> 00:17:42.480 even physical locations using tools like who is and slick 346 00:17:42.559 --> 00:17:45.680 up trace route, even just searching online databases. 347 00:17:46.039 --> 00:17:47.519 Fingerprinting sounds more specific. 348 00:17:47.599 --> 00:17:51.880 It is fingerprinting aims to identify the exact operating system, services, 349 00:17:51.880 --> 00:17:56.160 and software versions running on a target system. Active fingerprinting 350 00:17:56.240 --> 00:18:00.799 involves sending specific, sometimes malformed packets and analyze the response 351 00:18:01.200 --> 00:18:06.480 different ozs response slightly differently. Passive fingerprinting involves analyzing network 352 00:18:06.480 --> 00:18:08.400 traffic characteristics without sending. 353 00:18:08.160 --> 00:18:10.119 Anything directly DNS enumeration. 354 00:18:10.319 --> 00:18:13.279 This is actively querying DNS servers to try and discover 355 00:18:13.400 --> 00:18:17.000 all DNS records associated with a domain, host names, subdomains, 356 00:18:17.039 --> 00:18:19.599 server roles. It's like trying to get a complete map 357 00:18:19.599 --> 00:18:21.039 of their digital territory, and. 358 00:18:21.000 --> 00:18:23.960 Tools like the Harvester can automate finding user names and emails. 359 00:18:24.200 --> 00:18:27.000 Yeah, the Harvester is great for passive recon. It's screen 360 00:18:27.119 --> 00:18:31.160 search engines, pgpkey servers, social networks like LinkedIn to gather 361 00:18:31.240 --> 00:18:35.400 email addresses, employee names, subdomains associated with the target domain 362 00:18:35.680 --> 00:18:38.680 very useful for building a picture of the organization. 363 00:18:38.519 --> 00:18:42.920 And finding domain registration details via whis is standard. 364 00:18:42.480 --> 00:18:46.000 Practice absolutely whoiz, dot com or command line whose tools 365 00:18:46.039 --> 00:18:50.160 give you the owner registrar, registration expiry dates, name servers, 366 00:18:50.160 --> 00:18:52.799 contact info sometimes reveals more than. 367 00:18:52.680 --> 00:18:55.640 Intended pingsweep sounds simple. 368 00:18:55.640 --> 00:18:59.480 It is, but effective for basic network mapping sending ICMP 369 00:18:59.640 --> 00:19:02.920 echo requests things to a range of IP addresses to 370 00:19:02.920 --> 00:19:06.400 see which ones respond, indicating live hosts. Tools like flepping 371 00:19:06.559 --> 00:19:08.119 or nmap do this efficiently. 372 00:19:08.319 --> 00:19:10.240 Import scanning checking for open doors. 373 00:19:10.000 --> 00:19:13.319 Precisely systematically probing the ports on a target host to 374 00:19:13.319 --> 00:19:16.240 see which ones are open and listening for connections. Open 375 00:19:16.279 --> 00:19:19.799 ports indicate running services which might be vulnerable. N map 376 00:19:19.839 --> 00:19:22.440 is the king of port Standing all this together builds 377 00:19:22.440 --> 00:19:24.920 that crucial foundation before you even think about. 378 00:19:24.640 --> 00:19:29.519 Exploits, which brings us to actually executing exploits. The book 379 00:19:29.599 --> 00:19:32.519 dives deep into metasploid. Here we doudged on it, but 380 00:19:32.680 --> 00:19:34.839 let's revisit its core components. Right. 381 00:19:35.119 --> 00:19:39.079 Metasploid is modular. You have exploits, which are the code 382 00:19:39.079 --> 00:19:43.400 that takes advantage of a specific vulnerability. You have payloads, 383 00:19:43.440 --> 00:19:45.359 which is the code that runs on the victim machine 384 00:19:45.480 --> 00:19:49.319 after the exploit succeeds, giving you control like a reverse shell. 385 00:19:49.319 --> 00:19:50.160 A shell code. 386 00:19:50.319 --> 00:19:53.039 Often the payload itself is referred to as shell code, 387 00:19:53.279 --> 00:19:55.640 especially if its goal is to give you a command 388 00:19:55.680 --> 00:19:59.039 shell like a command prompt terminal on the victim system. 389 00:19:59.119 --> 00:20:01.279 And modules are the interchangeable parts yep. 390 00:20:01.599 --> 00:20:06.359 Metascloid organizes everything into modules. Exploit modules, payload modules, auxiliary 391 00:20:06.440 --> 00:20:10.599 modules for scanning, fuzzing, et cetera. Post exploitation modules. You 392 00:20:10.640 --> 00:20:13.000 mix and match them. A listener is needed on the 393 00:20:13.039 --> 00:20:16.200 attackers machine to handle the incoming connection from the payload 394 00:20:16.279 --> 00:20:17.240 running on the victim. 395 00:20:17.559 --> 00:20:20.079 The show command helps navigate all this invaluable. 396 00:20:20.279 --> 00:20:23.319 Show exploits, show payloads, show options. It tells you what's 397 00:20:23.319 --> 00:20:25.799 available and what parameters you need. To set for a 398 00:20:25.880 --> 00:20:26.640 chosen module. 399 00:20:26.960 --> 00:20:29.640 You mentioned. Payloads could be staged or single. Can you 400 00:20:29.720 --> 00:20:30.519 unpack that a bit? 401 00:20:30.720 --> 00:20:33.839