WEBVTT 1 00:00:00.080 --> 00:00:03.160 Have you ever wondered what truly goes on behind the 2 00:00:03.200 --> 00:00:06.559 digital curtain? How the very best defenders learn to think 3 00:00:06.639 --> 00:00:11.480 like whoa malicious actors all to keep our online world safer. Today, 4 00:00:11.800 --> 00:00:14.119 we're taking a deep dive into the fascinating realm of 5 00:00:14.160 --> 00:00:18.320 ethical hacking and penetration testing. Our mission to unpack the 6 00:00:18.399 --> 00:00:22.719 core concepts, the practical techniques, and the essential tools that 7 00:00:22.760 --> 00:00:26.879 empower individuals to understand and secure digital systems from the 8 00:00:26.879 --> 00:00:27.559 inside out. 9 00:00:27.640 --> 00:00:30.000 Really yeah, and our guide for this journey is the 10 00:00:30.039 --> 00:00:33.960 comprehensive book Learn Ethical Hacking from Scratch by Zaid Sabi. 11 00:00:34.320 --> 00:00:37.439 What's great is that this resource assumes no prior knowledge. 12 00:00:37.679 --> 00:00:40.119 It offers a truly ground up approach, which makes it 13 00:00:40.119 --> 00:00:41.640 perfect for our exploration today. 14 00:00:41.759 --> 00:00:45.719 Absolutely so, whether you're simply curious about cybersecurity, maybe looking 15 00:00:45.799 --> 00:00:48.799 to fortify your own digital defenses, or just love to 16 00:00:48.920 --> 00:00:51.880 understand how things work at the deepest level, this deep 17 00:00:51.920 --> 00:00:54.079 dive will give you a shortcut to being well informed 18 00:00:54.359 --> 00:00:58.000 and honestly with some truly surprising facts along the way. 19 00:00:58.240 --> 00:01:01.159 Get ready for some illuminating in sites, because we're about 20 00:01:01.159 --> 00:01:05.040 to unpack how ethical hackers learn to protect systems by 21 00:01:05.120 --> 00:01:08.000 understanding how to test their security just like well, real 22 00:01:08.040 --> 00:01:11.799 attackers do. Okay, So the term ethical hacking it almost 23 00:01:11.799 --> 00:01:14.120 sounds like an oxymoron to some people. Could you really 24 00:01:14.159 --> 00:01:16.920 break down for us how hacking can truly be ethical 25 00:01:17.280 --> 00:01:19.799 and what that critical distinction means, especially when we talk 26 00:01:19.799 --> 00:01:21.959 about black hat versus white hat hackers. 27 00:01:22.200 --> 00:01:25.879 Absolutely, it's a good question. At its core, ethical hacking 28 00:01:25.920 --> 00:01:29.040 is about learning to test the security of systems exactly 29 00:01:29.079 --> 00:01:32.519 as real attackers would. But and this is key, with 30 00:01:32.640 --> 00:01:36.959 explicit permission. Always it's all in the service of strengthening 31 00:01:37.000 --> 00:01:39.400 those systems, finding the holes before the bad guys do. 32 00:01:39.840 --> 00:01:43.439 To critical distinction, so we differentiate between black hat hackers 33 00:01:43.439 --> 00:01:46.599 who operate maliciously, you know, for criminal gain or disruption. 34 00:01:47.159 --> 00:01:49.000 Then there are gray hat hackers who kind of blur 35 00:01:49.079 --> 00:01:52.120 the lines, sometimes maybe finding a flaw and disclosing it, 36 00:01:52.159 --> 00:01:54.920 but maybe not always with permission first. And then white 37 00:01:54.959 --> 00:01:57.680 hat hackers, the ethical professionals we're focusing on today. Their 38 00:01:57.719 --> 00:01:59.519 intent is always to secure. 39 00:01:59.439 --> 00:02:02.480 Right, good guys using the same skills exactly. 40 00:02:02.680 --> 00:02:05.560 Yeah, and this raises an important question. Yeah, why should 41 00:02:05.560 --> 00:02:08.960 you listening right now learn about hacking even if you 42 00:02:09.039 --> 00:02:12.680 never intend to be a penetration tester. The fundamental reason 43 00:02:12.800 --> 00:02:16.039 is to truly understand vulnerabilities, you need to know how 44 00:02:16.080 --> 00:02:20.919 things break to build stronger, more resilient defenses. The book 45 00:02:21.120 --> 00:02:24.479 highlights a crucial point here. Any electronic device you interact with, 46 00:02:24.520 --> 00:02:27.680 your phone, your smart TV, your laptop, even web servers 47 00:02:27.680 --> 00:02:31.840 and routers, Yeah, they're all at their heart computers running 48 00:02:31.840 --> 00:02:35.360 operating systems and programs h as. The concepts we're discussing 49 00:02:35.360 --> 00:02:38.479 today are broadly applicable to pretty much anything in your 50 00:02:38.479 --> 00:02:39.199 digital life. 51 00:02:39.280 --> 00:02:41.639 One aspect that really opened my eyes when exploring this 52 00:02:41.879 --> 00:02:45.479 was the absolute necessity of a dedicated lab environment. You 53 00:02:45.479 --> 00:02:48.599 can't just go testing these techniques out on like your 54 00:02:48.639 --> 00:02:49.759 neighbor's WiFi. 55 00:02:49.479 --> 00:02:52.120 Right, Definitely not. That's illegal and unethical. This is where 56 00:02:52.159 --> 00:02:54.639 virtual box comes in. It's a program, it's free, and 57 00:02:54.719 --> 00:02:57.639 allows you to install virtual machines. Think of them as 58 00:02:57.680 --> 00:03:01.639 completely separate, isolated computers inside your main machine. This is 59 00:03:01.680 --> 00:03:05.960 incredibly important for penetration testing because well, first it avoids 60 00:03:06.000 --> 00:03:10.000 needing multiple physical computers, save space and money. And second, 61 00:03:10.439 --> 00:03:14.319 it completely isolates your hacking activities from your main system, 62 00:03:14.560 --> 00:03:18.400 so you can experiment break things, really push the limits. 63 00:03:18.080 --> 00:03:19.960 Without damaging your actual computer. 64 00:03:20.159 --> 00:03:22.759 Exactly, and then you can easily revert back if something 65 00:03:22.759 --> 00:03:25.439 goes wrong, no harm done to your primary setup. 66 00:03:25.599 --> 00:03:28.199 So what does this typical lab look like? What machines 67 00:03:28.240 --> 00:03:29.080 are we talking about? 68 00:03:29.199 --> 00:03:31.199 Yeah? In a typical setup, we work with three main 69 00:03:31.319 --> 00:03:35.439 virtual machines. First, our tacker machine. This usually runs Collie. 70 00:03:35.159 --> 00:03:37.120 Linux Collie, right, I've heard of that. 71 00:03:37.240 --> 00:03:40.879 Yeah. Collie is a specialized distribution of Linux based on Debian. 72 00:03:41.120 --> 00:03:43.759 It comes pre installed with i mean pretty much all 73 00:03:43.759 --> 00:03:47.039 the necessary penetration testing tools you'd need. Running it as 74 00:03:47.039 --> 00:03:49.919 a virtual machine is ideal for isolation, like we said, 75 00:03:50.240 --> 00:03:53.240 and makes it super easy to recover if things go sideways. 76 00:03:53.360 --> 00:03:55.680 Okay, attacker machine Collie. What else? 77 00:03:56.039 --> 00:03:59.919 Then we need victims. Our first victim is usually metasploid. 78 00:04:00.439 --> 00:04:03.639 It's another Linux machine. But here's the crucial detail. It's 79 00:04:03.680 --> 00:04:04.879 designed to be highly. 80 00:04:04.680 --> 00:04:06.879 Vulnerable, ah intentionally weak. 81 00:04:07.120 --> 00:04:12.080 Precisely, it's built specifically for learning penetration testing. It has 82 00:04:12.159 --> 00:04:15.240 numerous known weaknesses built right in for you to practice 83 00:04:15.280 --> 00:04:16.560 finding and exploiting. 84 00:04:16.720 --> 00:04:18.439 Got it, and the second victim. 85 00:04:18.600 --> 00:04:22.199 The second victim is usually a standard Windows machine, maybe 86 00:04:22.199 --> 00:04:25.360 Windows ten or something similar. This is used for scenarios 87 00:04:25.360 --> 00:04:29.240 that mimic a normal user browsing the internet, clicking links, 88 00:04:29.279 --> 00:04:30.319 opening files. 89 00:04:30.079 --> 00:04:33.439 Makes sense simulating a realistic target exactly. 90 00:04:33.680 --> 00:04:38.000 And Microsoft actually offers free virtual machine versions for developers 91 00:04:38.000 --> 00:04:40.639 and testers, which is really convenient for setting up these 92 00:04:40.680 --> 00:04:42.120 realistic attack simulations. 93 00:04:42.160 --> 00:04:45.600 Okay, attacker two victims. What about that recovery feature you 94 00:04:45.639 --> 00:04:46.319 mentioned right. 95 00:04:46.160 --> 00:04:49.639 That's snapshots a core feature of Virtual Box. It becomes 96 00:04:49.680 --> 00:04:53.279 absolutely invaluable. Think of snapshots like instant bookmarks for your 97 00:04:53.319 --> 00:04:54.319 virtual machine. 98 00:04:54.040 --> 00:04:56.439 State, like a safe point in a game, kind of 99 00:04:56.439 --> 00:04:56.639 like that. 100 00:04:56.720 --> 00:04:59.120 Yeah, they allow you to save the exact state of 101 00:04:59.120 --> 00:05:02.040 a virtual machine at any point in time. So let's 102 00:05:02.040 --> 00:05:04.680 say you're trying to exploit and you completely mess up 103 00:05:04.680 --> 00:05:07.519 the victim machine, maybe crash the operating system or something. 104 00:05:07.839 --> 00:05:11.240 If you took a snapshot beforehand, you can instantly revert 105 00:05:11.360 --> 00:05:14.000 right back to that previous working state. 106 00:05:14.560 --> 00:05:17.800 Wow, Okay, that sounds essential for learning It really is. 107 00:05:18.040 --> 00:05:21.079 A common practice is to take a fresh install snapshot 108 00:05:21.439 --> 00:05:24.360 right after setting everything up. Then if an update breaks 109 00:05:24.360 --> 00:05:28.120 something or an experiment goes totally wrong, boom, You're back 110 00:05:28.160 --> 00:05:30.800 to that clean slate in seconds, ready to try again, 111 00:05:31.199 --> 00:05:32.399 no reinstalling needed. 112 00:05:32.480 --> 00:05:35.600 Okay, that makes setting up a lab feel much less daunting. Now, 113 00:05:35.680 --> 00:05:38.680 Collie Linux, I know it has a graphical interface, but 114 00:05:38.720 --> 00:05:40.199 I hear you quickly move past that. 115 00:05:40.399 --> 00:05:43.959 Yeah, Collie has a nice graphical interface. GUI looks familiar 116 00:05:43.959 --> 00:05:46.600 like Windows or macOS. But you're right, you quickly pitt 117 00:05:46.720 --> 00:05:48.399 to the terminal the command line. 118 00:05:48.519 --> 00:05:50.560 Why is that? Why is the terminal so central? 119 00:05:50.720 --> 00:05:53.600 Well, the Linux terminal is just incredibly powerful. It lets 120 00:05:53.720 --> 00:05:56.160 users do far more than the GUI in many cases, 121 00:05:56.480 --> 00:06:00.000 and often it's much easier and quicker for specific tasks 122 00:06:00.079 --> 00:06:00.439 once you. 123 00:06:00.399 --> 00:06:02.839 Get the hang of it, faster than clicking around definitely 124 00:06:02.879 --> 00:06:03.600 for many things. 125 00:06:03.720 --> 00:06:07.920 But more importantly, in many real world penetration tests, you 126 00:06:08.040 --> 00:06:10.879 might only gain access via command prompt on the target, 127 00:06:11.360 --> 00:06:14.360 may through SSH or some other remote shell. If you 128 00:06:14.360 --> 00:06:17.240 don't know the commands, you can't do anything. So mastering 129 00:06:17.240 --> 00:06:21.120 the terminal is absolutely essential for controlling compromise systems effectively. 130 00:06:21.279 --> 00:06:24.199 Makes sense. So what are some basic commands people should know? 131 00:06:24.800 --> 00:06:27.600 Let's touch on a few foundational ones. The al's command, 132 00:06:27.680 --> 00:06:29.879 for instance, it lists files and. 133 00:06:29.839 --> 00:06:32.160 Directories like Dirt and Windows. 134 00:06:32.000 --> 00:06:35.079 Exactly like Dirt and Windows, and you can add options 135 00:06:35.240 --> 00:06:40.439 like ls L gives you a long listing with more detail, permissions, dates, file, sizes, etc. 136 00:06:41.000 --> 00:06:44.160 If you're ever unsure about any command, man which stands 137 00:06:44.160 --> 00:06:46.879 for manual, or just adding help or ad H after 138 00:06:46.920 --> 00:06:48.720 the command, those are your best friends. 139 00:06:48.879 --> 00:06:51.000 Ah built in help yep, they'll. 140 00:06:50.759 --> 00:06:53.240 Give you comprehensive information on how to use almost any command. 141 00:06:53.279 --> 00:06:56.680 It's a critical earning tool and a huge time saver. 142 00:06:56.759 --> 00:06:59.759 Almost a reflex for experienced users is the tab button 143 00:07:00.720 --> 00:07:04.279 for what for autocompletion? Start typing a command or a 144 00:07:04.279 --> 00:07:06.839 file name, Hit tab and the system will try to 145 00:07:06.879 --> 00:07:08.959 complete it for you or show you the possibilities if 146 00:07:09.000 --> 00:07:09.680 there's more than one. 147 00:07:09.800 --> 00:07:12.399 Oh. Nice safe typing and avoids typos. 148 00:07:12.839 --> 00:07:16.480 Huge time saver. Yeah, makes complex commands feel much more intuitive. 149 00:07:16.759 --> 00:07:20.240 Then there's CD for changing directories navigating around the filesystem, 150 00:07:20.399 --> 00:07:23.439 and PUD prints your current working directory so you know 151 00:07:23.480 --> 00:07:26.519 where you are. We also use app to get or 152 00:07:26.600 --> 00:07:29.839 just appt now. Usually that's for managing software, updating the 153 00:07:29.879 --> 00:07:33.279 list of available software, installing new programs, upgrading existing ones. 154 00:07:33.519 --> 00:07:34.399 Keeps your COLLY set. 155 00:07:34.279 --> 00:07:37.920 Up fresh, got it basics covered? Lab set up understood? 156 00:07:38.079 --> 00:07:39.000 Where do we go first? 157 00:07:39.240 --> 00:07:42.199 Okay, with our virtual lab ready, The first frontier and 158 00:07:42.279 --> 00:07:45.639 ethical hacker typically explores is the network itself. You know, 159 00:07:45.680 --> 00:07:49.759 the invisible pathways connecting all our devices. Network penetration testing 160 00:07:49.800 --> 00:07:53.279 could be broadly divided into let's say four main sections. 161 00:07:53.519 --> 00:07:56.360 There's pre connection stuff you do before even connecting, then 162 00:07:56.560 --> 00:07:59.920 gaining access, then post connection what you do once you 163 00:08:00.040 --> 00:08:03.000 are in, and finally detection and security aspects. 164 00:08:03.160 --> 00:08:05.240 Okay, logical steps, and we're starting with wireless. 165 00:08:05.360 --> 00:08:08.959 Yeah, let's focus on wireless networks initially. To start cracking 166 00:08:09.000 --> 00:08:11.839 Wi Fi, you'll first need to get your wireless adapter 167 00:08:11.959 --> 00:08:15.560 properly connected and configured inside your Colli Virtual Machine. 168 00:08:15.560 --> 00:08:18.120 How does that work? The VM is software, the adapter 169 00:08:18.240 --> 00:08:18.800 is hardware. 170 00:08:18.920 --> 00:08:22.759 Good point. This often requires installing the Virtual Box Extension 171 00:08:22.759 --> 00:08:27.360 pack first that enables better USB device support. Then you 172 00:08:27.360 --> 00:08:31.279 can essentially pass through your physical USB Wi Fi adapter 173 00:08:31.680 --> 00:08:34.360 to the COLLIVM so Collie can see it and control 174 00:08:34.399 --> 00:08:37.559 it directly. Not all adapters work well for this, mind you, 175 00:08:37.600 --> 00:08:39.000 some are better than others for hacking. 176 00:08:39.080 --> 00:08:41.639 Okay, so you need the right hardware and setup. Now. 177 00:08:41.679 --> 00:08:45.480 Something fundamental about networks is MSS addresses. You mentioned them earlier. 178 00:08:45.840 --> 00:08:49.600 Every network card has this unique physical static media access 179 00:08:49.600 --> 00:08:52.879 control address right assigned by the manufacturer. Why is the 180 00:08:52.960 --> 00:08:54.320 static identify or important? 181 00:08:54.360 --> 00:08:57.960 Here it's fundamental because MIC addresses are used for device 182 00:08:58.000 --> 00:09:01.240 identification and packet transfer at the very lowest level of 183 00:09:01.240 --> 00:09:04.120 the local network layer two for the technical folks. But 184 00:09:04.200 --> 00:09:07.440 here's the kicker, the surprising part for many. You can 185 00:09:07.480 --> 00:09:08.399 change your MSSEA. 186 00:09:08.519 --> 00:09:09.919 You can change a physical address. 187 00:09:10.159 --> 00:09:13.120 Well, you change what your operating system reports as your 188 00:09:13.240 --> 00:09:16.960 Mac address. It's called spoofing. This allows you to do 189 00:09:17.000 --> 00:09:20.159 a couple of things. You can avoid being easily traced 190 00:09:20.399 --> 00:09:24.279 while performing tests, making your activity less obvious. Or you 191 00:09:24.279 --> 00:09:28.480 could potentially impersonate a legitimate white listed device on a network, 192 00:09:28.799 --> 00:09:33.000 maybe a printer or an authorized laptop to bypass MAAC 193 00:09:33.039 --> 00:09:35.080 filtering security and gain access. 194 00:09:35.360 --> 00:09:40.159 Wow. Okay, so even fundamental identifiers aren't always fixed. That's insightful. 195 00:09:40.320 --> 00:09:42.639 It highlights that many things we assume are fixed in 196 00:09:42.679 --> 00:09:44.360 networking can actually be manipulated. 197 00:09:44.440 --> 00:09:47.639 Okay, so we understand how devices identify themselves and that 198 00:09:47.679 --> 00:09:50.840 we can even spoof that. What's the next step? Listening 199 00:09:50.879 --> 00:09:51.639 in exactly? 200 00:09:51.759 --> 00:09:54.559 The next logical step is to actually listen in on 201 00:09:54.600 --> 00:09:57.759 the digital conversations happening on the airwaves around you, even 202 00:09:57.799 --> 00:09:59.960 if you're not part of the chat. This is packets new. 203 00:10:00.399 --> 00:10:02.399 How do you do that with Wi Fi, you need 204 00:10:02.440 --> 00:10:02.840 to put. 205 00:10:02.720 --> 00:10:06.440 Your Wi Fi card into what's called monitor mode. Normal 206 00:10:06.440 --> 00:10:08.879 Wi Fi mode only pays attention to trafficman for your 207 00:10:08.879 --> 00:10:12.159 device or the network you're connected to. Monitor mode is different. 208 00:10:12.440 --> 00:10:15.360 It allows you to capture any compatible Wi Fi packet 209 00:10:15.360 --> 00:10:18.919 within your physical range, regardless of who it's for, even 210 00:10:18.919 --> 00:10:21.080 if you're not connected to any network at all, like. 211 00:10:21.039 --> 00:10:23.000 A radio scanner for Wi Fi signals. 212 00:10:23.080 --> 00:10:25.639 That's a great analogy. Yeah, And a powerful tool for 213 00:10:25.679 --> 00:10:28.360 this is aero dumping. It's part of the popular air 214 00:10:28.399 --> 00:10:31.600 cracking suite. You're run aero dumping and it starts capturing 215 00:10:31.639 --> 00:10:33.639 all the packets at seas, showing you all the Wi 216 00:10:33.639 --> 00:10:39.279 Fi networks around you, their names, esds, their hardware addresses, bssids, 217 00:10:39.559 --> 00:10:43.120 the channel thereon, the type of encryption they're using, lots 218 00:10:43.120 --> 00:10:43.840 of useful info. 219 00:10:44.000 --> 00:10:46.080 And what do you do with all those captured packets. 220 00:10:46.120 --> 00:10:48.879 Well, aero dumping captures them, often saving them to a file. 221 00:10:49.360 --> 00:10:51.840 Then you can use another tool like the incredibly powerful 222 00:10:51.879 --> 00:10:54.840 wire shark to open that file and analyze the packets 223 00:10:54.840 --> 00:10:55.360 in detail. 224 00:10:55.559 --> 00:10:57.480 Wire Shark that sounds familiar. 225 00:10:57.639 --> 00:11:00.279 It's a standard tool for a network analysis used by 226 00:11:00.320 --> 00:11:03.240 network admins. And security pros alike. It gives you a 227 00:11:03.240 --> 00:11:06.480 graphical view of every single packet, lets you filter, search, 228 00:11:06.559 --> 00:11:10.320 and dissect the traffic, even if the data payload is encrypted. 229 00:11:10.679 --> 00:11:14.399 Just seeing the patterns of communication can sometimes be revealing. 230 00:11:14.120 --> 00:11:18.080 So we can listen. Can we also actively disrupt things? 231 00:11:18.120 --> 00:11:20.320 I read about diuthentication attacks? What are those? 232 00:11:20.480 --> 00:11:24.000 Yes? Absolutely? De Authentication attacks are interesting. They allow you 233 00:11:24.080 --> 00:11:29.799 to selectively disconnect specific devices, or even all devices from 234 00:11:29.799 --> 00:11:32.399 a Wi Fi network. You do this by sending specially 235 00:11:32.399 --> 00:11:35.320 crafted authentication packets that look like they came from the 236 00:11:35.360 --> 00:11:38.759 access point. The router telling the target device you're no 237 00:11:38.799 --> 00:11:40.200 longer authorized, please. 238 00:11:39.919 --> 00:11:42.320 Disconnect, and the device just disconnects. 239 00:11:42.519 --> 00:11:44.919 Usually yes, it obeys the command. Now, this isn't about 240 00:11:44.919 --> 00:11:48.000 gaining access to the network's data yourself. It's purely about disruption. 241 00:11:48.559 --> 00:11:51.080 Or sometimes it's used tactically, as we'll see later. 242 00:11:51.159 --> 00:11:53.799 Okay, disruption. What about tricking people fake networks? 243 00:11:54.159 --> 00:11:57.720 Ah? Yes? Building on that, we learn about setting up 244 00:11:57.759 --> 00:12:01.600 fake access points, often called evil to wins. This involves 245 00:12:01.639 --> 00:12:04.840 creating a rogue Wi Fi network, maybe with the same 246 00:12:04.919 --> 00:12:08.440 name as a legitimate nearby network like airport free Wi 247 00:12:08.559 --> 00:12:10.559 Fi or coffee shop Guests. 248 00:12:10.360 --> 00:12:13.039 To lure people into connecting to your network instead of 249 00:12:13.039 --> 00:12:13.679 the real one. 250 00:12:13.720 --> 00:12:16.960 Precisely, you trick users into connecting, and when they do, 251 00:12:17.080 --> 00:12:20.240 all their Internet traffic flows directly through your Collie machine. 252 00:12:20.559 --> 00:12:24.759 You effectively become their router. Tools like the Manna toolkit 253 00:12:25.120 --> 00:12:27.679 used to be popular for automating this, making it easier 254 00:12:27.720 --> 00:12:29.559 to set up sophisticated fake aps. 255 00:12:29.679 --> 00:12:31.159 And once you're their router. 256 00:12:31.080 --> 00:12:33.200 Once you're the man in the metal, you can capture 257 00:12:33.200 --> 00:12:36.639 and analyze all their unencrypted traffic. Using wire Shark, you 258 00:12:36.639 --> 00:12:39.559 can see websites they visit, maybe capture credentials entered on 259 00:12:39.600 --> 00:12:42.399 insecure sites. It gives you a lot of visibility into 260 00:12:42.399 --> 00:12:43.000 their activity. 261 00:12:43.200 --> 00:12:47.080 That sounds incredibly powerful and quite scary from a user perspective. 262 00:12:47.240 --> 00:12:50.200 It is. It highlights the danger of connecting to unknown 263 00:12:50.240 --> 00:12:51.919 or unsecured Wi Fi networks. 264 00:12:52.159 --> 00:12:57.320 Okay, so disruption observation. Let's talk about actually gaining access 265 00:12:57.360 --> 00:13:01.679 to encrypted networks. Most networks today use WPA two, maybe 266 00:13:01.720 --> 00:13:04.200 WPA three. Now, how do you get the password right? 267 00:13:04.240 --> 00:13:07.320 Getting the key is the main goal for accessing recruited networks. 268 00:13:07.519 --> 00:13:10.000 The strategy depends on the encryption type. For the really 269 00:13:10.039 --> 00:13:14.000 old WBP encryption well, it's fundamental broken. There are attacks 270 00:13:14.039 --> 00:13:16.879 that can recover the wpke relatively quickly, sometimes even if 271 00:13:16.879 --> 00:13:18.840 no one is actively using the network. It's just not 272 00:13:18.879 --> 00:13:19.919 secure at all anymore. 273 00:13:20.279 --> 00:13:22.600 So avoid WEP at all costs. 274 00:13:22.639 --> 00:13:27.039 Absolutely. WPA and especially WPA TOWPA three are much stronger. 275 00:13:27.879 --> 00:13:31.320 The evolution from wp wasn't just about better encryption algorithms. 276 00:13:31.360 --> 00:13:34.679 It was about fixing fundamental flaws in the connection process. 277 00:13:35.080 --> 00:13:38.840 But even WPA two isn't impenetrable yet. These techniques expose 278 00:13:38.960 --> 00:13:41.799 is that even robust encryption can sometimes be bypassed by 279 00:13:41.799 --> 00:13:46.320 exploiting the connection process itself, not necessarily the encryption algorithm directly. 280 00:13:46.440 --> 00:13:49.600 How So, for WPPA two, the main attack focuses on 281 00:13:49.639 --> 00:13:52.759 capturing the handshake. This is a crucial four way exchange 282 00:13:52.759 --> 00:13:55.559 of cryptographic messages that happens only when a device connects 283 00:13:55.639 --> 00:13:56.919 or reconnects to the network. 284 00:13:57.159 --> 00:14:00.679 The handshake contains information related to the passwords exactly. 285 00:14:00.840 --> 00:14:04.039 It doesn't contain the password directly, but it contains information 286 00:14:04.120 --> 00:14:06.759 derived from the password that can be used to verify 287 00:14:06.840 --> 00:14:10.159 if a guest password is correct. So the goal is 288 00:14:10.200 --> 00:14:13.200 to capture that handshake. You just wait for someone to 289 00:14:13.200 --> 00:14:17.559 connect naturally or you can use those do authentication attacks. 290 00:14:17.240 --> 00:14:20.559 We talked about, AH force someone to disconnect. 291 00:14:19.960 --> 00:14:24.840 So they automatically try to reconnect moments later, allowing you 292 00:14:24.919 --> 00:14:28.519 to reliably capture that handshake as they do. It's a 293 00:14:28.559 --> 00:14:30.080 tactical use of the death attack. 294 00:14:30.159 --> 00:14:33.120 Okay, clever, So you've captured the handshake file. Now what 295 00:14:33.440 --> 00:14:35.000 how do you get the actual password? 296 00:14:35.200 --> 00:14:38.240 Now comes the cracking part. The handshake itself doesn't give 297 00:14:38.279 --> 00:14:41.600 you the password. You need to perform an offline brute 298 00:14:41.639 --> 00:14:45.799 force or dictionary attack against the captured handshake data. This 299 00:14:45.879 --> 00:14:48.720 is where tools that generate password possibilities come in, like 300 00:14:48.879 --> 00:14:49.759 crunch Crunch. 301 00:14:49.799 --> 00:14:50.320 What does it do? 302 00:14:50.720 --> 00:14:53.679 Crunch is a flexible tool for creating custom word lists. 303 00:14:54.240 --> 00:14:56.399 You don't just have to use pre made dictionaries of 304 00:14:56.399 --> 00:15:00.240 common passwords. You can tell Crunch, for instance, generate all 305 00:15:00.279 --> 00:15:03.759 possible passwords between eight and ten characters long using only 306 00:15:03.799 --> 00:15:07.120 lowercase letters and the numbers one, two, three, or define 307 00:15:07.159 --> 00:15:08.200 more complex patterns. 308 00:15:08.240 --> 00:15:11.399 So you create massive lists of potential. 309 00:15:10.960 --> 00:15:14.279 Password potentially massive yes. Then you take the captured handshake 310 00:15:14.320 --> 00:15:16.879 file and you feed it, along with your generated word 311 00:15:16.879 --> 00:15:20.039 list or a banner dictionary file into a cracking tool 312 00:15:20.159 --> 00:15:23.679 like air cracking. Air cracking down then tries each password 313 00:15:23.679 --> 00:15:26.840 from the list against the handshake data. If it finds 314 00:15:26.840 --> 00:15:30.320 a password that successfully validates the handshake, you found. 315 00:15:30.159 --> 00:15:32.679 The network key, which really just highlights the importance of 316 00:15:32.720 --> 00:15:36.360 having a strong, complex Wi Fi password absolutely. 317 00:15:36.799 --> 00:15:39.440 The difficulty of cracking depends entirely on the strength and 318 00:15:39.519 --> 00:15:42.279 length of the password. A shirt simple password might be 319 00:15:42.279 --> 00:15:45.600 cracked in minutes or hours, A long, complex, random one 320 00:15:45.600 --> 00:15:49.799 could take years, decades, or even centuries with current technology. 321 00:15:50.080 --> 00:15:53.759 Okay, so that covers gaining access. Now let's talk about 322 00:15:53.759 --> 00:15:56.639 what happens after you're connected to a network. Man in 323 00:15:56.679 --> 00:16:00.320 the middle attacks. You mentioned them with fake aps, but 324 00:16:00.360 --> 00:16:03.279 they apply once you're on a legitimate network too, right. 325 00:16:03.559 --> 00:16:07.279 Yes, Man in the middle or mitm IT attacks are 326 00:16:07.360 --> 00:16:10.480 incredibly powerful. Once you're on the same local network as 327 00:16:10.480 --> 00:16:13.240 your target, maybe you crack the Wi Fi or you 328 00:16:13.279 --> 00:16:16.399 plugged into the same wired network, you can potentially redirect 329 00:16:16.440 --> 00:16:18.559 their traffic through your machine. 330 00:16:18.159 --> 00:16:20.919 So you sit between the target user and the router. 331 00:16:21.440 --> 00:16:25.039 Essentially, yes, you become the invisible intermediary. This allows you 332 00:16:25.080 --> 00:16:28.440 to read, modify, or even drop their network packets, and crucially, 333 00:16:28.440 --> 00:16:31.919 it often allows you to capture sensitive information like usernames 334 00:16:31.919 --> 00:16:33.799 and passwords entered on websites. 335 00:16:33.960 --> 00:16:36.840 How does that redirection actually work? Technically? How do you 336 00:16:36.879 --> 00:16:39.679 trick their computer into sending traffic to you instead of 337 00:16:39.679 --> 00:16:40.399 the real router. 338 00:16:40.720 --> 00:16:43.600 What's fascinating and maybe a bit alarming, is how this 339 00:16:43.759 --> 00:16:47.440 often works due to the inherent simplicity and trust built 340 00:16:47.440 --> 00:16:51.159 into a fundamental network protocol called ARP, the Address Resolution 341 00:16:51.279 --> 00:16:52.279 Protocol ARP. 342 00:16:52.559 --> 00:16:53.279 What's its job? 343 00:16:53.480 --> 00:16:57.039 Think of ARP as the network's local address book. On 344 00:16:57.159 --> 00:17:00.919 local network devices use IP addresses ninety two point one 345 00:17:01.000 --> 00:17:03.360 sixty eight point one one zero zero to talk to 346 00:17:03.399 --> 00:17:05.720 each other, but the actual data transfer at the lowest 347 00:17:05.799 --> 00:17:09.720 level uses those physical MQ addresses we discussed. AARP's job 348 00:17:09.759 --> 00:17:11.559 is simply to ask, hey, who has IP address one 349 00:17:11.599 --> 00:17:13.759 ninety two point one sixty eight point one one zero zero, 350 00:17:13.920 --> 00:17:16.119 Tell me your AMC address, and the device with that 351 00:17:16.200 --> 00:17:20.119 IP responds with its MK. It's designed for efficiency. 352 00:17:19.559 --> 00:17:21.440 But that simplicity makes it vulnerable. 353 00:17:21.480 --> 00:17:24.640 Exactly, It's largely based on trust. There's no built in verification, 354 00:17:25.119 --> 00:17:28.559 so using a technique called ARP spoofing or AIRP poisoning, 355 00:17:28.759 --> 00:17:32.200 your attacking machine can send out unsolicited ARP replies. You 356 00:17:32.279 --> 00:17:34.920 basically tell the target computer, hey, the router's IP address 357 00:17:34.960 --> 00:17:36.640 like one hint two point one six eight point one 358 00:17:36.640 --> 00:17:39.279 point one, that's my MSA address now, and simultaneously you 359 00:17:39.279 --> 00:17:41.359 tell the router, hey, the target's IP address one ninety 360 00:17:41.359 --> 00:17:43.279 two point one six eight point one one zero zero, 361 00:17:43.400 --> 00:17:44.480 that's my MAAC address. 362 00:17:44.519 --> 00:17:46.680 So you trick both of them into sending traffic meant 363 00:17:46.680 --> 00:17:48.680 for each other to you instead. 364 00:17:48.960 --> 00:17:52.720 Precisely you insert yourself into the conversation. Tools like the 365 00:17:52.920 --> 00:17:55.839 MTMF the Man in the Middle framework automate this whole 366 00:17:55.839 --> 00:17:59.960 process beautifully. MITMS performs the AARP poisoning to redirect trap, 367 00:18:00.440 --> 00:18:03.720 and automatically starts various sniffing and attack plugins for you. 368 00:18:04.200 --> 00:18:07.599 The book provides a compelling example using MITMF to capture 369 00:18:07.640 --> 00:18:11.119 usernames and passwords submitted to plane HTTP websites like a 370 00:18:11.160 --> 00:18:14.000 test site called hack dot me. Just by being the 371 00:18:14.119 --> 00:18:16.640 MITM the credentials pop right up on your screen as 372 00:18:16.640 --> 00:18:17.720 the victim logs. 373 00:18:17.400 --> 00:18:20.519 In plan HTTP. That's the key there, right. What about 374 00:18:20.559 --> 00:18:22.000 secure sites HTTPS? 375 00:18:22.200 --> 00:18:25.480 Ah? Yes, that's the big hurdle HTTPS. When you try 376 00:18:25.480 --> 00:18:28.599 an MITM attack on a site using HTTPS, the encryption 377 00:18:28.720 --> 00:18:31.880 kicks in the browser. Expect the valid digital certificate from 378 00:18:31.880 --> 00:18:35.160 the website signed by a trusted authority. Your MITM tool 379 00:18:35.160 --> 00:18:37.240 can't provide that genuine certificate. 380 00:18:36.799 --> 00:18:38.319 So the browser throws up a warning. 381 00:18:38.440 --> 00:18:41.200 Exactly, the user gets a big, scary warning message saying 382 00:18:41.240 --> 00:18:44.240 that connection is in private, the certificate is invalid. Most 383 00:18:44.319 --> 00:18:45.880 users hopefully would back away. 384 00:18:45.720 --> 00:18:48.559 At that point, so HTTTS works. But is there a 385 00:18:48.559 --> 00:18:49.559 way around that warning? 386 00:18:49.799 --> 00:18:51.960 Well, this is where a clever tool called SSL strip 387 00:18:52.000 --> 00:18:55.480 comes in and understanding this is a truly illuminating insight 388 00:18:55.799 --> 00:18:58.799 into how some attacks work. SSL strip works during the 389 00:18:58.839 --> 00:19:02.880 initial connection attempt. If a user types, say example, dot 390 00:19:02.920 --> 00:19:05.400 Com into their browser, the browser might first try to 391 00:19:05.400 --> 00:19:10.319 connect via HTTP before being redirected to the HTTPS. SSL strip, 392 00:19:10.480 --> 00:19:14.160 running on the MITM machine, intercepts that initial HTDP request. 393 00:19:14.480 --> 00:19:17.119 It then connects to the real server over eahttps itself, 394 00:19:17.400 --> 00:19:20.400 but it presents the website back to the victim over PLANEAHTTP. 395 00:19:20.640 --> 00:19:23.200 It strips away the SSLTLS layer. 396 00:19:23.119 --> 00:19:26.000 Effectively yes for the connection between the victim and the attacker. 397 00:19:26.400 --> 00:19:29.079 The victims browser thinks it's talcking HGTP, so it doesn't 398 00:19:29.079 --> 00:19:32.200 expect a certificate and therefore no warning appears, but the 399 00:19:32.240 --> 00:19:34.400 attacker is still getting the data securely from the real 400 00:19:34.440 --> 00:19:36.799 server and decrypting it or passing it along. 401 00:19:36.839 --> 00:19:38.759