WEBVTT 1 00:00:00.040 --> 00:00:02.879 Hey there, and welcome back to the deep dive. Hey, 2 00:00:03.399 --> 00:00:06.960 get ready, because today we're tackling something well maybe a 3 00:00:07.000 --> 00:00:08.519 bit cloak and dagger sidding. 4 00:00:08.279 --> 00:00:08.560 Uh huh. 5 00:00:08.880 --> 00:00:14.439 We're diving into the actual how behind ethical hacking techniques. Right, 6 00:00:14.560 --> 00:00:16.960 this comes straight from the source material you shared with us. Yeah, 7 00:00:17.000 --> 00:00:19.280 you're asking about the practical side, you know, the tools, 8 00:00:19.280 --> 00:00:22.359 the steps. Yeah, and that's exactly what we're here to unpack. 9 00:00:22.480 --> 00:00:26.199 That's right. We've got this guide here and it lays 10 00:00:26.239 --> 00:00:30.160 out various practical methods and tools. Okay, what's really interesting 11 00:00:30.199 --> 00:00:33.039 about it is the focus. It's very hands on. It's 12 00:00:33.079 --> 00:00:36.439 really designed to show how things are done, rather than 13 00:00:36.479 --> 00:00:39.240 getting you know, bogged down in abstract theory. 14 00:00:39.359 --> 00:00:42.240 So our mission for this deep dive then is to 15 00:00:42.320 --> 00:00:45.719 pull out those key techniques, the tools, the concepts from 16 00:00:45.799 --> 00:00:48.960 this guide. I want to understand the steps involved, see 17 00:00:49.000 --> 00:00:52.079 what insights they offer about how these methods actually work 18 00:00:52.119 --> 00:00:52.719 in practice. 19 00:00:52.960 --> 00:00:55.560 And look, it's absolutely essential we highlight something the source 20 00:00:55.600 --> 00:00:58.479 makes really clear right at the start. Okay, what's that 21 00:00:58.799 --> 00:01:02.520 It states very iplicitly that whenever it uses the word hacking, 22 00:01:03.039 --> 00:01:04.959 it's referring to ethical hacking. 23 00:01:05.239 --> 00:01:06.439 Right, important distinction. 24 00:01:06.599 --> 00:01:09.680 Absolutely, it gives a strong warning against using any of 25 00:01:09.719 --> 00:01:12.920 this for illegal stuff and clearly says it's not responsible 26 00:01:12.959 --> 00:01:14.519 for any illegal actions. 27 00:01:15.079 --> 00:01:17.959 So, just to be crystal clear, we're exploring the information 28 00:01:18.120 --> 00:01:22.519 in the source purely for education to understand the techniques 29 00:01:22.519 --> 00:01:23.719 described precisely. 30 00:01:23.920 --> 00:01:27.239 That's the goal here, understanding, not instruction for misuse. 31 00:01:27.359 --> 00:01:30.359 Got it, and the material itself, you said, it's quite direct. 32 00:01:30.480 --> 00:01:33.120 Yeah, it gets straight to the point, almost like field notes, 33 00:01:33.159 --> 00:01:35.760 you know, focuses on the practical steps. It acknowledges there 34 00:01:35.840 --> 00:01:39.719 might be like language imperfections, but the focus is action, okay, 35 00:01:39.719 --> 00:01:42.040 And it sets the stage early on saying, look, this 36 00:01:42.079 --> 00:01:42.879 isn't movie. 37 00:01:42.640 --> 00:01:45.840 Magic, right, no glowing green text rolling super fast. 38 00:01:45.640 --> 00:01:50.280 Uh huh, probably not. It emphasizes groundwork, especially information gathering 39 00:01:50.599 --> 00:01:54.319 and a solid grasp of both theory and practice. And 40 00:01:54.439 --> 00:01:59.239 it really highlights knowing Linux specifically calls out Kala Linux 41 00:01:59.280 --> 00:02:00.719 as like found. 42 00:02:00.799 --> 00:02:04.159 Okay, calie linox good to know. All right, right, let's 43 00:02:04.200 --> 00:02:07.000 unpack this. Then the guide seemed to jump right into 44 00:02:07.239 --> 00:02:12.199 gaining initial access first method up SSH brute force. 45 00:02:12.479 --> 00:02:15.560 Yeah. It points out that getting SSH access is like 46 00:02:16.360 --> 00:02:18.960 a top priority because if you get. 47 00:02:18.759 --> 00:02:22.039 That, basically in control of the whole system pretty much. 48 00:02:22.080 --> 00:02:24.159 So it shows how to use tools like n maps, 49 00:02:24.199 --> 00:02:27.680 specifically an n MAP script called swish brute and another 50 00:02:27.759 --> 00:02:31.840 tool MEDUSA right to just hammer away trying tons of 51 00:02:31.919 --> 00:02:34.000 username and password combinations. 52 00:02:33.520 --> 00:02:36.919 Until one works. And it mentioned something kind of surprising 53 00:02:37.240 --> 00:02:39.479 trying a blank password for SSH. 54 00:02:39.520 --> 00:02:42.039 It does a small detail, but yeah, it's just giving 55 00:02:42.039 --> 00:02:44.280 that a try. Sometimes NMP even does it automatically as 56 00:02:44.280 --> 00:02:44.879 a first check. 57 00:02:45.039 --> 00:02:47.360 Huh, a simple potential weak point. 58 00:02:47.439 --> 00:02:50.400 Maybe less common now, but yeah, it's mentioned so before. 59 00:02:50.159 --> 00:02:53.680 The main brute force. It's about recon finding weak spots. Yeah, 60 00:02:53.680 --> 00:02:55.400 what other reconnaissance tools does it mention? 61 00:02:55.479 --> 00:02:57.560 Early on it lists a few others to sort of 62 00:02:57.800 --> 00:03:00.960 give try once as it puts it, okay, like dirbuster 63 00:03:01.360 --> 00:03:05.159 or dirb They search for hidden web pages or directories. 64 00:03:04.520 --> 00:03:07.759 Ah, finding stuff that's not obviously linked exactly. 65 00:03:08.319 --> 00:03:11.439 Then there's an n MAP script FTP dash and non 66 00:03:11.560 --> 00:03:13.800 dot NSS just to quickly check if a site allows 67 00:03:13.800 --> 00:03:15.240 anonymous FTP logins. 68 00:03:15.360 --> 00:03:17.319 Another potential way in YEP. 69 00:03:17.800 --> 00:03:21.879 And nikto for vulnerability standing though it notes nikto can 70 00:03:21.919 --> 00:03:23.680 be slow but often. 71 00:03:23.400 --> 00:03:25.400 Accurate slow bit steady, and. 72 00:03:25.400 --> 00:03:29.919 Search sploit, which lets you search databases of known exploits. 73 00:03:29.360 --> 00:03:31.800 Offline, right, So you don't need to be connected while 74 00:03:31.800 --> 00:03:33.360 searching for attack methods. 75 00:03:33.360 --> 00:03:36.400 Correct, So it's all about building that initial picture. 76 00:03:36.520 --> 00:03:39.199 Reconnaissance sounds like a whole toolkit, not just one thing. 77 00:03:39.280 --> 00:03:43.280 Oh. Absolutely, the guide really hammers home that information gathering 78 00:03:43.319 --> 00:03:44.960 is maybe the most critical. 79 00:03:44.560 --> 00:03:47.039 Phase, more important than the attack itself arguably. 80 00:03:47.159 --> 00:03:51.919 Yeah. It lists tools like Maltago, the Osen framework, reconninging 81 00:03:52.120 --> 00:03:54.599 and map again dymmetry, a lot of tools, and the 82 00:03:54.639 --> 00:03:57.759 stresses that any info can be useful user names, emails, 83 00:03:57.879 --> 00:04:01.520 even things like hobbies or company structure, anything. The more 84 00:04:01.560 --> 00:04:02.960 you know, the better your chance is. 85 00:04:03.000 --> 00:04:05.520 Basically, Okay, here's something that caught my eye in the notes. 86 00:04:05.560 --> 00:04:09.639 Banner grabbing Chapter eight sounds a bit retro. 87 00:04:10.000 --> 00:04:11.919 It does sound a bit old school, right, But what's 88 00:04:11.960 --> 00:04:14.599 fascinating is how simple the source makes it seem. 89 00:04:14.759 --> 00:04:15.360 How simple. 90 00:04:15.759 --> 00:04:18.560 Banner grabbing is just described as, you know, connecting to 91 00:04:18.639 --> 00:04:21.720 an open port on a system to see what service responds. 92 00:04:21.879 --> 00:04:24.240 And how do you do that, according to the guide. 93 00:04:23.959 --> 00:04:27.920 Using really basic often built in tools like netcat and 94 00:04:28.000 --> 00:04:32.519 c or tilnet. So nothing fancy needed, Nope, just connect 95 00:04:32.519 --> 00:04:35.199 to the port like port eighty for web or twenty 96 00:04:35.199 --> 00:04:38.480 two for SSH. Maybe send some garbage input and the 97 00:04:38.680 --> 00:04:41.800 server often sends back a banner basically a greeting. 98 00:04:41.480 --> 00:04:42.959 Message, and that banner tells you. 99 00:04:43.600 --> 00:04:47.040 Often the service name and crucially it's version number. 100 00:04:47.199 --> 00:04:49.399 Ah. And knowing the version is key because. 101 00:04:49.160 --> 00:04:51.839 Because you can immediately look up if that specific version 102 00:04:51.920 --> 00:04:56.920 has known vulnerabilities. You know, cvees common vulnerabilities and exposures. 103 00:04:56.959 --> 00:04:58.800 So it's a low tech way to find a known 104 00:04:58.839 --> 00:05:01.160 weakness before you even try anything complicated. 105 00:05:01.240 --> 00:05:03.240 Exactly straight from the sources description. 106 00:05:03.360 --> 00:05:07.560 Okay, Moving on from reconnaissance, the guide gets into common 107 00:05:07.639 --> 00:05:11.920 attack types. Wi Fi hacking comes up, apparently a popular 108 00:05:11.959 --> 00:05:12.720 search query. 109 00:05:13.079 --> 00:05:16.680 Yeah, it mentions that, and it contrasts the older method 110 00:05:16.800 --> 00:05:20.000 capturing that Wi Fi handshake and trying to crack the 111 00:05:20.040 --> 00:05:21.759 password hash offline. 112 00:05:21.360 --> 00:05:22.879 Which takes a lot of computing power. 113 00:05:22.920 --> 00:05:26.319 Now right right, the guide calls it a headache. Now instead, 114 00:05:26.319 --> 00:05:28.720 it focuses on what it presents as a more modern approach, 115 00:05:29.199 --> 00:05:30.639 the evil twin attack. 116 00:05:30.839 --> 00:05:35.079 Evil twin sounds ominous. How does that work? According to 117 00:05:35.120 --> 00:05:35.560 this guide? 118 00:05:35.600 --> 00:05:38.199 Okay, so it involves setting up a fake Wi Fi 119 00:05:38.240 --> 00:05:41.959 access point, one that looks exactly like a legitimate one 120 00:05:42.079 --> 00:05:44.839 nearby same name the SSID. 121 00:05:44.560 --> 00:05:46.639 Like mimiking the coffee shop's s WiFi precisely. 122 00:05:47.040 --> 00:05:49.160 The material shows using a tool called. 123 00:05:49.000 --> 00:05:51.160 Flection for this election. Got it. 124 00:05:51.360 --> 00:05:55.319 Then the attack actively kicks legitimate users off the real network, 125 00:05:55.399 --> 00:05:59.399 forces them off, yeah, deauthenticates them. So their devices automatically 126 00:05:59.439 --> 00:06:02.279 look for the work again and find your fake one. 127 00:06:02.120 --> 00:06:04.480 Ah, and connect to the fake one because it looks 128 00:06:04.600 --> 00:06:06.480 right and might even be open often. 129 00:06:06.600 --> 00:06:09.160 Yeah. And once they're connected to your fake network, then 130 00:06:09.199 --> 00:06:11.720 what then comes the trap? They get presented with a 131 00:06:11.759 --> 00:06:15.040 fake login page looks like one of those captive portals, 132 00:06:15.079 --> 00:06:17.720 you know, enter the password to access the Internet. 133 00:06:17.959 --> 00:06:20.000 So it is like phishing, but for the Wi Fi 134 00:06:20.040 --> 00:06:21.480 password itself exactly. 135 00:06:22.040 --> 00:06:24.800 But and this is a crucial difference, the source highlights 136 00:06:24.839 --> 00:06:27.160 m M unlike a lot of web fishing where you 137 00:06:27.240 --> 00:06:29.800 might enter fake details and it still looks like it 138 00:06:29.879 --> 00:06:33.639 works right here, for the evil twin portal to seem 139 00:06:33.680 --> 00:06:37.560 to grant Internet access, the user actually has to enter 140 00:06:37.800 --> 00:06:41.199 the correct real password for the network they thought they 141 00:06:41.199 --> 00:06:41.720 were joining. 142 00:06:41.959 --> 00:06:46.519 WHOA, So the attack relies on them needing to input 143 00:06:46.560 --> 00:06:49.720 the actual password to proceed. That's how it captures it. 144 00:06:49.759 --> 00:06:52.480 That's the mechanism described Yeah, the requirement for the real 145 00:06:52.519 --> 00:06:54.920 password is the core of it. The guide walks through 146 00:06:54.959 --> 00:06:56.600 the flection steps pretty thoroughly. 147 00:06:56.720 --> 00:07:00.680 That's clever deceptive. Oh okay, speaking of fishing, the guide 148 00:07:00.680 --> 00:07:04.920 cover standard webfishing too fake login pages, but it notes 149 00:07:04.959 --> 00:07:07.680 people are getting better at spotting fake URLs, so it 150 00:07:07.759 --> 00:07:08.680 suggests twists. 151 00:07:08.839 --> 00:07:11.399 Yeah, a couple of interesting vectors described. First, instead of 152 00:07:11.439 --> 00:07:13.920 just sending a link, generate the fishing link using a 153 00:07:13.959 --> 00:07:18.360 tool like next fisher, but then embed that link inside 154 00:07:18.399 --> 00:07:21.000 a mobile app file. It shows using an online tool 155 00:07:21.120 --> 00:07:22.600 like appskyzer dot com for. 156 00:07:22.600 --> 00:07:25.240 This, Wait, turn the fishing page into an app. 157 00:07:25.480 --> 00:07:29.560 Basically, yeah, so you're tricking someone into installing a seemingly 158 00:07:29.639 --> 00:07:32.279 harmless app, which then presents the login page. 159 00:07:32.759 --> 00:07:35.759 That's wow, that's a different level. What was the other method? 160 00:07:35.800 --> 00:07:36.600 Masking the link? 161 00:07:36.839 --> 00:07:40.720 Right? Using a tool shown called mask phish, it takes 162 00:07:40.759 --> 00:07:43.959 your nasty fishing url uh huh and creates a new 163 00:07:44.000 --> 00:07:46.639 link that looks incredibly real. It can make it look 164 00:07:46.680 --> 00:07:50.920 like www dot Facebook dot com, but maybe with extra 165 00:07:50.959 --> 00:07:54.279 words tacked on that seem legit while completely hiding the 166 00:07:54.399 --> 00:07:56.079 actual malicious destination. 167 00:07:56.399 --> 00:08:01.360 The sources. These look so real sounds really effective, especially 168 00:08:01.360 --> 00:08:02.399 on mobile, it does. 169 00:08:02.480 --> 00:08:05.639 The guide notes desktop browsers might sometimes throw a warning, 170 00:08:05.680 --> 00:08:07.600 but on mobile often works smoothly. 171 00:08:07.800 --> 00:08:09.959 Scary. It even gives a tip about making a fake 172 00:08:10.000 --> 00:08:12.000 Facebook app and asking a friend to log in. 173 00:08:12.319 --> 00:08:15.720 Yeah, highlighting that social engineering element again is often not 174 00:08:15.800 --> 00:08:17.720 just about the tech, right, Okay. 175 00:08:17.759 --> 00:08:20.279 So, let's say an attacker gets some kind of foothold 176 00:08:20.639 --> 00:08:23.720 or they're probing deeper. The guide talks about defenses they 177 00:08:23.800 --> 00:08:25.279 might hit, like cloud Flare. 178 00:08:26.120 --> 00:08:28.920 Cloud Flair's common the source explains its main job is 179 00:08:29.000 --> 00:08:31.439 protecting sites from things like denial of service. 180 00:08:31.160 --> 00:08:34.360 Attacks and hiding the site's real IP address right acting 181 00:08:34.399 --> 00:08:35.600 as a proxy exactly. 182 00:08:35.600 --> 00:08:37.840 So. The guide shows how to try and bypass that 183 00:08:37.879 --> 00:08:40.440 protection using a tool called cloud. 184 00:08:40.080 --> 00:08:42.559 Fail cloud fail, and its goal. 185 00:08:42.360 --> 00:08:45.440 Is to find the actual original IP address of the 186 00:08:45.440 --> 00:08:47.480 web server behind cloud Flair's network. 187 00:08:47.639 --> 00:08:50.600 Ah okay, yeah, And why is finding that real IP 188 00:08:51.200 --> 00:08:52.559 so important for an attacker? 189 00:08:52.840 --> 00:08:55.320 Because, as the guide shows, if you know the real IP, 190 00:08:55.879 --> 00:08:58.799 you might be able to attack the server directly, maybe 191 00:08:58.840 --> 00:09:02.080 launch that DOS attack cloud Flair was supposed to stop. 192 00:09:01.840 --> 00:09:04.639 Or access things cloud flaw might be hiding, like an 193 00:09:04.639 --> 00:09:05.759 admin login. 194 00:09:05.519 --> 00:09:09.200 Page, precisely like the cPanel login. The source demonstrates it's 195 00:09:09.200 --> 00:09:11.039 about peeling back that protective layer. 196 00:09:11.320 --> 00:09:14.799 Got it, so stripping away defenses. Now what happens after 197 00:09:15.000 --> 00:09:18.759 getting basic access to the SSH access we talked about earlier? 198 00:09:18.960 --> 00:09:20.600 The guide implies that's just step one. 199 00:09:20.720 --> 00:09:23.840 Oh definitely, it moves onto something critical, privilege. 200 00:09:23.480 --> 00:09:25.840 Escalation, raising your permission level. 201 00:09:25.799 --> 00:09:29.200 Exactly, especially on Linux systems, which the source notes are 202 00:09:29.200 --> 00:09:31.440 common for websites. You might get in as a regular 203 00:09:31.519 --> 00:09:32.639 user with limited powers. 204 00:09:32.759 --> 00:09:34.840 Right, can't do much damage, not really. 205 00:09:35.200 --> 00:09:39.759 To make significant changes, install things, read sensitive files. 206 00:09:39.919 --> 00:09:43.879 You need root access the super rouser the administrator keys 207 00:09:43.919 --> 00:09:46.799 basically yep, and the guide calls this the point where 208 00:09:47.039 --> 00:09:49.759 real skills come to play, not just running simple scripts. 209 00:09:50.039 --> 00:09:53.720 So how does it suggest getting root without having the 210 00:09:53.799 --> 00:09:56.159 root password? This seems like the hard part. 211 00:09:56.320 --> 00:09:59.799 It demonstrates a technique focused on exploiting the pseudo command. 212 00:09:59.519 --> 00:10:02.720 To pseudo that lets users run some commands. Is root 213 00:10:02.879 --> 00:10:03.679 right correct? 214 00:10:03.840 --> 00:10:07.360 The method shown is first check exactly which commands your 215 00:10:07.440 --> 00:10:10.879 specific user account is allowed to run using Pseudo without 216 00:10:10.919 --> 00:10:13.679 needing the root password. You use pseudo dsh L for that. 217 00:10:13.879 --> 00:10:15.639 Okay, so you see your allowed list? 218 00:10:15.919 --> 00:10:19.240 Then what then you cross reference that list with external resources? 219 00:10:19.519 --> 00:10:23.519 The guide specifically mentions gtfobins gtf obins. Yeah, it's a 220 00:10:23.600 --> 00:10:26.600 curated list of Unix Linux binaries that can be abused 221 00:10:26.639 --> 00:10:30.679 to bypass local security restrictions, including getting a rootshell if 222 00:10:30.679 --> 00:10:32.360 they're configured incorrectly with pseudo. 223 00:10:32.679 --> 00:10:35.039 Huh. So you find a command you are allowed to 224 00:10:35.120 --> 00:10:38.000 run with pseudo, check gtf obins and see there's a 225 00:10:38.039 --> 00:10:39.080 known exploit for it. 226 00:10:39.200 --> 00:10:42.840 Exactly. The guide shows an example using the tar command. 227 00:10:43.399 --> 00:10:46.600 Running tar in a very specific way with pseudo based 228 00:10:46.639 --> 00:10:49.960 on the gtf opins entry directly gives you a root command. 229 00:10:50.039 --> 00:10:54.240 Prompt Wow, turning a file archiving tool into a root exploit. 230 00:10:54.559 --> 00:10:55.639 That's subtle. 231 00:10:55.759 --> 00:10:58.799 It's presented as a classic example of, as the source 232 00:10:58.840 --> 00:11:02.759 puts it, the game of Linux privileged esigalation. This configurations 233 00:11:02.799 --> 00:11:03.440 are key. 234 00:11:03.399 --> 00:11:06.639 Okay, so that's getting deeper access. What about communication? If 235 00:11:06.639 --> 00:11:09.120 you're doing this, you probably want to share files or 236 00:11:09.159 --> 00:11:10.960 info securely, right, good point. 237 00:11:11.039 --> 00:11:13.759 The guide addresses that too. It points out that normal 238 00:11:13.799 --> 00:11:17.879 methods email cloud storage aren't secure for sensitive stuff mentions. 239 00:11:17.919 --> 00:11:19.840 Even big platforms. 240 00:11:19.200 --> 00:11:21.639 Get breached, like Twitter, it said, right. 241 00:11:21.480 --> 00:11:23.720 So it introduces a tool called Onion Share. 242 00:11:23.840 --> 00:11:26.320 Onion Share uses tour I assume from. 243 00:11:26.200 --> 00:11:29.519 The name YEP designed for secure and anonymous file sharing 244 00:11:29.600 --> 00:11:30.720 over the Tour network. 245 00:11:30.879 --> 00:11:32.519 How does it work? Does it use servers? 246 00:11:32.799 --> 00:11:35.080 No, that's the clever part. According to the guide, it 247 00:11:35.159 --> 00:11:38.120 starts a temporary web server directly on your own computer 248 00:11:38.559 --> 00:11:42.720 and makes whatever you're sharing accessible only via a unique, 249 00:11:43.039 --> 00:11:45.799 unguessable Tour Onion address. 250 00:11:45.559 --> 00:11:47.559 So the recipient needs the Tour browser. 251 00:11:47.200 --> 00:11:49.759 To get it exactly, and the connection is described as 252 00:11:49.960 --> 00:11:53.639 end to end encrypted using tours strong v three Onion services, 253 00:11:53.879 --> 00:11:56.000 no third parties, no accounts needed. 254 00:11:56.240 --> 00:11:58.480 Meat What can you do with it? Just send files? 255 00:11:58.600 --> 00:12:02.320 The source shows options for send files securely, receiving files 256 00:12:02.360 --> 00:12:06.559 from someone, and even publishing a simple static website anonymously. 257 00:12:07.200 --> 00:12:09.440 Pretty versatile for a secure peer to peer sharing. 258 00:12:10.039 --> 00:12:12.799 Seems like it okay, But the guide doesn't just focus 259 00:12:12.879 --> 00:12:15.480 on attacking. It flips the script a bit, so it 260 00:12:15.519 --> 00:12:19.679 talks about catching attackers. Chapter seven introduces honeypots. 261 00:12:19.879 --> 00:12:22.480 Honey pots like setting a trap? What does the guide 262 00:12:22.480 --> 00:12:22.960 say they are? 263 00:12:23.120 --> 00:12:25.440 Describes them as a way to catch the hacker, or 264 00:12:25.480 --> 00:12:27.360 even quote hack the hacker. 265 00:12:27.519 --> 00:12:30.240 Okay, sounds interesting? Are they hard to set up? 266 00:12:30.360 --> 00:12:32.960 Present? It is pretty easy. Actually. The demo uses a 267 00:12:33.000 --> 00:12:35.039 tool called pent box vent box. 268 00:12:35.200 --> 00:12:35.440 Yeah. 269 00:12:35.519 --> 00:12:38.519 It shows configuring it to listen on a specific port. 270 00:12:38.960 --> 00:12:41.279 Maybe make it look like an interesting service, and you 271 00:12:41.279 --> 00:12:43.840 can even set a custom fake message if someone connects. 272 00:12:44.159 --> 00:12:46.679 So you set up this fake service, how does it 273 00:12:46.720 --> 00:12:47.399 catch anyone? 274 00:12:47.639 --> 00:12:50.559 The practical example shows running an NMP scan against the 275 00:12:50.600 --> 00:12:52.480 machine with the honeypot running. 276 00:12:52.480 --> 00:12:54.000 Just a standard port scan. 277 00:12:53.919 --> 00:12:57.440 Yep, and the pent Box honeypot immediately detects the connection 278 00:12:57.519 --> 00:13:00.600 attempt from the scanner and lugs. It logs the attackers 279 00:13:00.600 --> 00:13:03.399 IP address and the port they tried to connect to. 280 00:13:03.559 --> 00:13:06.879 So even this simple setup acts as an early warning system. 281 00:13:06.960 --> 00:13:09.799 Ah, so you see someone poking around your network where 282 00:13:09.799 --> 00:13:10.360 they shouldn't be. 283 00:13:10.559 --> 00:13:14.240 Exactly turns the tables a bit using their scanning against them. 284 00:13:14.559 --> 00:13:19.759 Clever. Okay, so we've gone through access attacks, escalations, secure comms, 285 00:13:20.159 --> 00:13:22.879 even detection. What's the final stage? 286 00:13:23.000 --> 00:13:27.799 According to this guide Cleaning Tracks chapter thirteen, absolutely vital. 287 00:13:27.840 --> 00:13:31.159 It stresses to avoid getting caught obviously and maybe maintain 288 00:13:31.200 --> 00:13:32.279 access both. 289 00:13:32.320 --> 00:13:36.840 Avoid detection maintain persistence. The guide shows a few methods 290 00:13:37.120 --> 00:13:40.360 creating hidden directories to store tools or data. 291 00:13:40.279 --> 00:13:43.120 Like putting a dot before the directory name and Linux Yeah. 292 00:13:42.919 --> 00:13:46.279 Like secret inside devshim was the example. Clearing your command 293 00:13:46.440 --> 00:13:48.840 history history dash you see so no one sees what 294 00:13:48.840 --> 00:13:49.360 you type. 295 00:13:49.240 --> 00:13:49.639 Makes sense? 296 00:13:49.840 --> 00:13:52.519 And critically clearing system log. 297 00:13:52.320 --> 00:13:55.840 Files that seems like the big one which logs does 298 00:13:55.840 --> 00:13:57.039 it mention key. 299 00:13:56.840 --> 00:14:01.399 Ones like varlogoth dot log that tracks logins, authentication attempts right, 300 00:14:01.639 --> 00:14:05.320 also varlocron dot log for scheduled tasks, barlog, mail log, 301 00:14:05.799 --> 00:14:10.480 web server logs like varla tpd basically anywhere your activity 302 00:14:10.559 --> 00:14:11.320 might be recorded. 303 00:14:11.399 --> 00:14:14.080 And how does this show clearing them just delete the file? 304 00:14:14.200 --> 00:14:18.039 It shows two ways, either armin to remove the file completely, which. 305 00:14:17.879 --> 00:14:20.480 Might be suspicious if the file is suddenly missing. 306 00:14:20.279 --> 00:14:25.000 Right, or perhaps more subtly, using echo varlogoth dot log 307 00:14:25.360 --> 00:14:27.879 to just erase the contents of the file, leaving an 308 00:14:27.879 --> 00:14:31.600 empty log file behind. Ah less obvious maybe possibly. And 309 00:14:31.679 --> 00:14:34.399 it also points out an automated tool called cover my ass. 310 00:14:34.399 --> 00:14:36.840 Seriously, cover my ass that's. 311 00:14:36.679 --> 00:14:39.200 The name shown for those who are as the source 312 00:14:39.240 --> 00:14:42.399 puts it lazy to clear your own tracks. It apparently 313 00:14:42.440 --> 00:14:44.480 clears logs and bash history automatically. 314 00:14:44.639 --> 00:14:47.759 Okay, automation for the file steps seems so now to 315 00:14:47.759 --> 00:14:50.000 put some of this together, the guide includes a CTF 316 00:14:50.039 --> 00:14:51.600 walkthrough capture the flag. 317 00:14:51.799 --> 00:14:54.600 Yeah, a simple one from tri Hackney chapter twelve. It's 318 00:14:54.639 --> 00:14:56.600 a nice way to show how these techniques link up 319 00:14:56.639 --> 00:14:57.840 in a practical scenario. 320 00:14:58.559 --> 00:15:00.919 Okay, walk us through how the guy presents it. How 321 00:15:00.919 --> 00:15:01.919 does it connect the dots? 322 00:15:02.200 --> 00:15:05.600 It starts naturally with reconnaissance an n. 323 00:15:05.559 --> 00:15:07.559 MAP scan finding open ports. 324 00:15:07.720 --> 00:15:11.679 Right, it finds FTP, SSH and HTTP open on the. 325 00:15:11.639 --> 00:15:13.519 Target machine standard services. 326 00:15:13.720 --> 00:15:17.600 Then it runs a specific n map script that ftpdashanon 327 00:15:17.679 --> 00:15:21.200 dot essa we mentioned earlier to check for vulnerabilities. Finds 328 00:15:21.279 --> 00:15:24.759 an anonymous FTP log in vulnerability. Anyone can log in. 329 00:15:24.840 --> 00:15:26.360 Okay, so that's the first way in well. 330 00:15:26.279 --> 00:15:29.799 A way to get information logging into FTP as anonymous. 331 00:15:29.879 --> 00:15:32.440 The walkthrough finds a couple of files. One has a 332 00:15:32.519 --> 00:15:35.679 username and another file contains a list of passwords. 333 00:15:36.240 --> 00:15:38.960 So the recon led to a vulnerability, which led to 334 00:15:39.200 --> 00:15:42.879 finding potential credentials. Clever exactly. So now they have a 335 00:15:42.960 --> 00:15:45.960 username l I N and the example and a password 336 00:15:46.000 --> 00:15:47.320 list locks dot txt. 337 00:15:47.519 --> 00:15:48.919 What next try those passwords? 338 00:15:49.039 --> 00:15:51.679 Yep. The guide shows using a brute force tool MEDUSA 339 00:15:51.679 --> 00:15:53.960 again targeting the SSA service, this time. 340 00:15:53.840 --> 00:15:56.399 Using the username l I N and the password list 341 00:15:56.440 --> 00:16:01.480 found via FTP correct and MEDUSA successfully the SSH. 342 00:16:01.039 --> 00:16:04.600 Password, giving them command line access as the user. 343 00:16:04.440 --> 00:16:08.200 Lai in precisely. Once logged in via SSH, they find 344 00:16:08.240 --> 00:16:11.919 the first flag user dot txt. Goal one achieved. 345 00:16:12.120 --> 00:16:14.799 But there's usually a root flag too, right, the ultimate goal. 346 00:16:14.679 --> 00:16:17.840 There is and to get the second flag root dot txt. 347 00:16:18.080 --> 00:16:22.039 The guide explicitly states you need to perform privileged escalation. 348 00:16:21.879 --> 00:16:25.960 Referencing the techniques from chapter six we discussed pseudo SLGTF 349 00:16:26.000 --> 00:16:27.080 opens exactly. 350 00:16:27.240 --> 00:16:30.000 It doesn't show the full steps again in the CTF walkthrough, 351 00:16:30.200 --> 00:16:32.679 but it points back to that chapter saying that's what's 352 00:16:32.759 --> 00:16:35.480 needed to get root access and the final flag. 353 00:16:35.840 --> 00:16:39.600 So the CTF example really ties it together. Reconvulnerability and 354 00:16:39.639 --> 00:16:43.360 on FTP info gathering, user name, password list, brute force, 355 00:16:43.399 --> 00:16:48.840 initial access, SSH post exploitation, privileged escalation, final goal root flag. 356 00:16:48.919 --> 00:16:51.039 Yeah, it's in a neat little package showing several of 357 00:16:51.080 --> 00:16:54.120 the key steps described individually in the source, all used 358 00:16:54.120 --> 00:16:54.679 in sequence. 359 00:16:54.799 --> 00:16:58.000 Wow. Okay, that was quite a journey through the practical 360 00:16:58.000 --> 00:17:00.639 techniques this guide laid out. We went from scanning and 361 00:17:00.759 --> 00:17:03.879 initial access as the states brute force banner grabbing, to 362 00:17:03.960 --> 00:17:07.160 common attacks like the evil twin WiFi hack that appmbitted 363 00:17:07.200 --> 00:17:10.799 fishing yep, the creative ones bypassing defenses like cloud flare, 364 00:17:11.119 --> 00:17:14.000 getting deeper with privileged escalation. 365 00:17:13.759 --> 00:17:16.119 Using tools like onion share for secure. 366 00:17:15.839 --> 00:17:20.240 Comms, setting traps with honeypots, and then that final crucial 367 00:17:20.279 --> 00:17:22.440 step cleaning tracks. 368 00:17:22.839 --> 00:17:27.119 We really unpack the how to details, the specific tools 369 00:17:27.160 --> 00:17:30.720 mentioned in the source material, seeing the steps according to 370 00:17:30.759 --> 00:17:33.200 the author, and how they might chain together. In that 371 00:17:33.359 --> 00:17:34.839 CTF example. 372 00:17:34.559 --> 00:17:36.599 It definitely gives you a different picture than the movies, 373 00:17:36.640 --> 00:17:37.079 doesn't it. 374 00:17:37.119 --> 00:17:37.279 Oh? 375 00:17:37.319 --> 00:17:42.039 Completely, It's much more about like systematic information gathering, understanding 376 00:17:42.039 --> 00:17:44.920 the target system, finding those specific weak points. 377 00:17:44.799 --> 00:17:46.920 And knowing the right tools and techniques for the job. 378 00:17:47.039 --> 00:17:51.519 Like the source kept emphasizing that practical knowledge, and you know, 379 00:17:51.559 --> 00:17:55.119 going back to the start, that strong disclaimer the source 380 00:17:55.119 --> 00:17:59.000 included about ethical use, only it really underscores the power 381 00:17:59.160 --> 00:18:02.240 I mean understanding stuff. It's potent knowledge. 382 00:18:01.880 --> 00:18:02.480 It really is. 383 00:18:02.680 --> 00:18:03.160 Yeah. 384 00:18:03.240 --> 00:18:06.680 So thinking about everything we've just gone through, all these 385 00:18:06.680 --> 00:18:10.720 detailed steps, the tools many readily available, Yeah, it does 386 00:18:10.759 --> 00:18:11.960 make you think, doesn't it. 387 00:18:11.960 --> 00:18:14.759 It absolutely raises a pre significant question, I think, which 388 00:18:14.799 --> 00:18:17.839 is well in a world where this kind of technical knowledge, 389 00:18:17.880 --> 00:18:21.480 these methods, even if learned for defense, are becoming more 390 00:18:21.519 --> 00:18:24.000 widely documented and accessible. 391 00:18:23.559 --> 00:18:24.960 Right like in guys like this one. 392 00:18:25.079 --> 00:18:30.640 Exactly, how do we as individuals, as organizations, as a society, 393 00:18:31.200 --> 00:18:34.400 how do we ensure that this powerful information is pursued, 394 00:18:34.680 --> 00:18:37.000 used and applied responsibly ethically. 395 00:18:38.640 --> 00:18:41.880 That's a heavy question, definitely something that you want. Thank 396 00:18:41.960 --> 00:18:44.000 you for taking as though as deep dive into these 397 00:18:44.079 --> 00:18:46.119 techniques as presented in the source. 398 00:18:46.000 --> 00:18:49.200 You're welcome, Thank you and honestly just understanding these methods 399 00:18:49.240 --> 00:18:51.720 even at a high level like this, Yeah, it really 400 00:18:51.759 --> 00:18:57.480 can highlight why basic security hygiene, strong passwords, updates, being cautious, 401 00:18:57.599 --> 00:19:00.000 and having multiple layers of defense are just so important. 402 00:19:00.319 --> 00:19:03.839 Absolutely a good reminder. Yeah, Well, until next time, keep learning, 403 00:19:03.920 --> 00:19:05.599 keep exploring, and stay curious.