WEBVTT 1 00:00:00.120 --> 00:00:02.839 You hear the word hacker, and what comes to mind 2 00:00:03.000 --> 00:00:06.320 probably that image, right, the person in the hoodie green 3 00:00:06.400 --> 00:00:09.759 text scrolling madly like something out of a movie. Yeah, 4 00:00:09.759 --> 00:00:13.160 the Hollywood version exactly, But the real world of ethical 5 00:00:13.199 --> 00:00:17.399 hacking it's much more complex. It's this constant back and forth, 6 00:00:17.480 --> 00:00:19.679 this kind of cat and mouse game between the people 7 00:00:19.879 --> 00:00:24.120 building defenses and those trying to find a way around them. 8 00:00:25.359 --> 00:00:29.679 Welcome to the deep dive today. We're really getting into 9 00:00:29.679 --> 00:00:32.799 the nuts and bolts of ethical hacking. Our goal to 10 00:00:32.920 --> 00:00:36.119 understand how these folks actually think, you know, think like 11 00:00:36.159 --> 00:00:39.880 hackers and explore how Python surprisingly plays this huge role 12 00:00:40.159 --> 00:00:43.200 in building their tools, both for attacking and defending. We're 13 00:00:43.240 --> 00:00:45.719 drawing a lot from Python ethical hacking from scratch today. 14 00:00:45.759 --> 00:00:47.640 So we want to give you the listener a really 15 00:00:47.679 --> 00:00:49.359 solid perspective on cybersecurity. 16 00:00:49.399 --> 00:00:51.759 And it's crucial to understand this isn't just about, you know, 17 00:00:51.840 --> 00:00:54.320 the thrill of breaking in for you listening, this is 18 00:00:54.359 --> 00:00:57.079 kind of a shortcut to getting some critical cyber concepts. 19 00:00:57.359 --> 00:01:00.880 It's about seeing how attacks work you can understand how 20 00:01:00.880 --> 00:01:03.560 to protect against them. We want to show you how 21 00:01:03.600 --> 00:01:06.680 these different methods actually play out, what skills are needed, 22 00:01:06.719 --> 00:01:10.760 to guard our digital stuff. We're aiming for those aha moments. 23 00:01:10.920 --> 00:01:12.319 So not just the what, but the why. 24 00:01:12.359 --> 00:01:15.079 It matters precisely why it matters to all of us. 25 00:01:15.120 --> 00:01:18.319 Really, and Python, it really is a bit of a 26 00:01:18.359 --> 00:01:19.400 superstar here, isn't it. 27 00:01:19.439 --> 00:01:19.560 Oh? 28 00:01:19.560 --> 00:01:22.920 Absolutely, it's so popular with ethical hackers. It's simple, relatively 29 00:01:22.959 --> 00:01:26.760 easy to pick up, and the libraries. Wow, you can 30 00:01:26.799 --> 00:01:29.799 build some really powerful tools from scratch quite quickly. 31 00:01:29.920 --> 00:01:32.519 It makes complicated things feel more manageable, you know, a 32 00:01:32.599 --> 00:01:33.680 very versatile toolkit. 33 00:01:33.879 --> 00:01:36.640 Okay, so before we dive too deep, let's clarify something. 34 00:01:36.719 --> 00:01:39.799 When we say hacking today, we're mostly talking about penetration 35 00:01:40.000 --> 00:01:41.920 testing or ethical hacking. 36 00:01:42.040 --> 00:01:43.040 Right, there's a big difference. 37 00:01:43.120 --> 00:01:45.799 Yeah, it's not about being a digital outlaw. Think of 38 00:01:45.840 --> 00:01:48.760 it more like like a fire drill for your network, 39 00:01:49.000 --> 00:01:52.879 but way more advanced. It's an authorized attack simulation. You're 40 00:01:52.959 --> 00:01:55.159 hired to find the weak spots before the bad guys do. 41 00:01:55.439 --> 00:01:58.319 Exactly, you need to understand the offense to build a 42 00:01:58.359 --> 00:02:02.120 good defense. The core of what you're defending and what 43 00:02:02.200 --> 00:02:05.640 attackers target boils down to the CIA triad. 44 00:02:06.480 --> 00:02:09.680 Not that CIA though, huh No, not the agency. 45 00:02:09.719 --> 00:02:13.479 This is confidentiality, integrity, and availability. These are like the 46 00:02:13.560 --> 00:02:16.800 three pillars of information security. If any one of them 47 00:02:16.800 --> 00:02:18.719 gets breached, you've got a security incident. 48 00:02:18.800 --> 00:02:20.599 Okay, break those down for us. Let's start with C. 49 00:02:21.039 --> 00:02:26.400 Confidentiality, simple idea, keep private data private. Only authorized people 50 00:02:26.439 --> 00:02:30.080 should see it. Imagine someone, let's call him mister X again, 51 00:02:30.159 --> 00:02:32.039 just listening in on network traffic. 52 00:02:32.240 --> 00:02:32.759 Just listening. 53 00:02:32.919 --> 00:02:35.080 Yeah, even if he doesn't change anything, if he reads 54 00:02:35.080 --> 00:02:38.840 messages he shouldn't. Confidentiality is gone. The data was exposed, 55 00:02:39.039 --> 00:02:39.560 got it. 56 00:02:39.479 --> 00:02:41.879 So just seeing it as a breach. What about changing it? 57 00:02:42.360 --> 00:02:45.639 That hits the second pillar, integrity. This means the data 58 00:02:45.800 --> 00:02:49.520 is accurate, reliable, hasn't been messed with. Say message goes 59 00:02:49.560 --> 00:02:52.639 out meter four pm, mister X intercepts it, changes it 60 00:02:52.639 --> 00:02:53.560 to six pm. 61 00:02:53.719 --> 00:02:55.599 Okay, that could cause problems. 62 00:02:55.199 --> 00:03:00.479 Big problems. Now confidentiality and integrity are breached, the receiver 63 00:03:00.599 --> 00:03:03.680 gets bad info. That's why things like checksums or digital 64 00:03:03.719 --> 00:03:06.439 signatures are used. They can tell you if even one 65 00:03:06.560 --> 00:03:08.240 tiny bit of data was altered. 66 00:03:08.039 --> 00:03:12.280 Right, like a digital seal and the last one. Availability. 67 00:03:12.560 --> 00:03:16.919 Availability means authorized users can get to the data or 68 00:03:17.000 --> 00:03:20.199 system when they need it. I think denial of service dots. 69 00:03:20.000 --> 00:03:22.479 Attacks where they just flood a server exactly. 70 00:03:22.479 --> 00:03:25.479 They overwhelmed with requests, so legitimate users can't get through 71 00:03:25.759 --> 00:03:28.039 or back to mister X. Maybe he just delays an 72 00:03:28.120 --> 00:03:31.759 urgent message until it's useless. That's an availability breach. Which 73 00:03:31.759 --> 00:03:33.759 one do you think is the toughest challenge these days? 74 00:03:34.120 --> 00:03:37.000 Oh, that's a good question. I mean they're all critical, 75 00:03:37.080 --> 00:03:41.240 but maybe availability, especially with those huge distributed denial of 76 00:03:41.319 --> 00:03:45.120 service DDoS attacks. They come from everywhere at once, hard 77 00:03:45.120 --> 00:03:46.000 to block entirely. 78 00:03:46.080 --> 00:03:48.000 Yeah, the scale is immense, a constant back. 79 00:03:48.039 --> 00:03:52.560 Okay, So CIA tryad confidentiality, integrity, availability, got it. Now 80 00:03:52.599 --> 00:03:55.080 let's talk about the hackers themselves. It's not just one type, 81 00:03:55.159 --> 00:03:57.520 is it. It's more like different hats they wear. 82 00:03:57.800 --> 00:04:00.120 That's a common way to think about it. Yeah, on 83 00:04:00.159 --> 00:04:00.919 their motivations. 84 00:04:01.159 --> 00:04:04.199 So first up, the white hat hackers, the good. 85 00:04:03.960 --> 00:04:07.800 Guys, cyber sick pros pen testers. Their job is defense, 86 00:04:07.879 --> 00:04:09.080 finding holes to fix them. 87 00:04:09.120 --> 00:04:11.759 Then the opposite, black hat hackers. 88 00:04:11.560 --> 00:04:15.360 The criminals. Yeah, usually after money or trying to cause damage. 89 00:04:15.400 --> 00:04:16.720 They cover their tracks carefully. 90 00:04:16.759 --> 00:04:17.879 And then there's a middle ground. 91 00:04:18.000 --> 00:04:20.639 Yeah, the gray hat hackers. It's a murky territory. They 92 00:04:20.720 --> 00:04:22.879 might hack for the challenge. Maybe tell the owner about 93 00:04:22.879 --> 00:04:27.959 a flaw, sometimes ask for money, legally questionable, often. 94 00:04:27.920 --> 00:04:29.720 Right, And then things get more serious. 95 00:04:30.360 --> 00:04:34.600 Nation states nation state hackers, state sponsored groups targeting other 96 00:04:34.600 --> 00:04:39.360 countries cyber infrastructure. The classic chilling example is stucksnet. 97 00:04:39.040 --> 00:04:41.160 The one that hit the Iranian nuclear program. 98 00:04:41.240 --> 00:04:44.639 That's the one. It didn't just steal data, It manipulated 99 00:04:44.680 --> 00:04:48.439 their SCATUS systems, those industrial controls. It subtly messed with 100 00:04:48.480 --> 00:04:52.079 centrifuge speeds while making the system report everything was normal. 101 00:04:52.199 --> 00:04:56.160 Wow. So it caused actual physical damage through code precisely. 102 00:04:56.279 --> 00:04:58.720 It showed how attacks could cross from digital to physical. 103 00:04:58.959 --> 00:05:01.560 Really changed the game. It wasn't just about it, It 104 00:05:01.639 --> 00:05:05.439 was about understanding the industrial process itself. A huge lesson. 105 00:05:05.439 --> 00:05:08.319 There truly chilling. Okay, who else is out there? 106 00:05:08.439 --> 00:05:14.439 Corporate spies YEP, corporate skies, hacking competitors, stealing trade secrets, 107 00:05:14.680 --> 00:05:18.399 customer lists, business plans trying to get an edge. 108 00:05:18.279 --> 00:05:21.439 And activists like anonymous. 109 00:05:20.879 --> 00:05:23.600 Right part activists, part hacker. They use hacking skills to 110 00:05:23.600 --> 00:05:27.240 make political or social statements. Usually want maximum publicity, but 111 00:05:27.519 --> 00:05:28.160 stay hidden. 112 00:05:28.439 --> 00:05:31.759 Okay, one more group script kitties ah. 113 00:05:31.519 --> 00:05:36.040 Yes, often beginners. They use tools others have built. Maybe 114 00:05:36.079 --> 00:05:40.160 don't fully grasp the mechanics, but don't underestimate them. 115 00:05:40.199 --> 00:05:42.639 Even simple tools can cause chaos. 116 00:05:42.680 --> 00:05:45.560 Absolutely accessible tools in the wrong hands can still do 117 00:05:45.680 --> 00:05:46.759 significant damage. 118 00:05:46.839 --> 00:05:48.720 Okay, so we have all these different players, But how 119 00:05:48.720 --> 00:05:52.279 does an attack actually happen? Is it just random clicking? 120 00:05:52.560 --> 00:05:56.360 Rarely? Even complex attacks usually follow up pretty set methodology. 121 00:05:56.439 --> 00:05:59.639 It's structured like the sources. One lapse could potentially expose 122 00:05:59.680 --> 00:06:01.360 your idea. Very careful work. 123 00:06:01.519 --> 00:06:02.519 So phase one. 124 00:06:02.480 --> 00:06:05.920 Planning, defining the mission, what systems are fair game, what 125 00:06:05.959 --> 00:06:09.480 are the goals? Timelines? In ethical hacking, this is super important, 126 00:06:09.519 --> 00:06:10.480 often legally. 127 00:06:10.160 --> 00:06:11.839 Defined gotcha plan first. 128 00:06:12.240 --> 00:06:16.360 Then reconnaissance or recon basically getting to know the target. 129 00:06:16.560 --> 00:06:21.480 Two types here, passive recon gathering public info without directly 130 00:06:21.480 --> 00:06:25.399 poking the target. I think social media, news, company websites, 131 00:06:25.439 --> 00:06:30.519 search engines. You find out the CEO loves dogs. Seems harmless, right, 132 00:06:31.240 --> 00:06:33.560 but maybe you use that to craft a very convincing 133 00:06:33.560 --> 00:06:36.439 phishing email with a link about a local dog show 134 00:06:36.800 --> 00:06:40.839 that's weaponizing passive info clever. And the other type active 135 00:06:41.000 --> 00:06:44.879 active reconnaissance. Now you're interacting with the target, trying to 136 00:06:44.879 --> 00:06:48.800 find ike addresses, open ports with services or software they're running. 137 00:06:49.000 --> 00:06:51.879 Maybe even the operating system higher risk, though you might 138 00:06:51.920 --> 00:06:52.959 get detected. 139 00:06:52.639 --> 00:06:56.199 Like rattling the doorknobs. So passive is watching from afar, 140 00:06:56.399 --> 00:06:58.399 Active is getting closer. What's next? 141 00:06:58.399 --> 00:07:01.720 After recon, then you move into scanning, getting more technical, 142 00:07:01.839 --> 00:07:04.120 using tools like nmap to map the network, see what 143 00:07:04.160 --> 00:07:08.399 devices are actually online, find firewalls, routers, building a clearer. 144 00:07:08.079 --> 00:07:10.000 Picture, okay, mapping the digital territory. 145 00:07:10.079 --> 00:07:13.399 Step four, identifying weaknesses. You take all that info from 146 00:07:13.399 --> 00:07:17.360 recon and scanning and analyze it. Look for known software bugs, misconfigurations, 147 00:07:17.439 --> 00:07:18.319 potential entry. 148 00:07:18.120 --> 00:07:22.480 Points, finding the cracks, and then the main event, attacking 149 00:07:22.560 --> 00:07:25.839 and gaining access exploiting those weaknesses you found. How do 150 00:07:25.959 --> 00:07:26.680 they get control? 151 00:07:26.839 --> 00:07:30.519 Often via a shell. Two main ways forward shell where 152 00:07:30.519 --> 00:07:34.000 the attacker connects to the victim, but firewalls often block that, 153 00:07:34.680 --> 00:07:38.279 so more common, especially for malware, is the reverse shell, 154 00:07:39.040 --> 00:07:42.399 the victim's machine connects back to the attacker. Much harder 155 00:07:42.399 --> 00:07:46.319 for defenses to spot. Looks like normal outgoing traffic. Tools 156 00:07:46.360 --> 00:07:48.319 like minisploit help create these payloads. 157 00:07:48.519 --> 00:07:51.560 Sneaky Okay, they're in now what maintaining access? 158 00:07:52.000 --> 00:07:54.079 They want to stay in, maybe for a long time 159 00:07:54.319 --> 00:07:57.439 set of persistence, and often they'll pivot use the first 160 00:07:57.439 --> 00:08:00.680 compromise machine to attack other machines on the same internal. 161 00:08:00.399 --> 00:08:02.319 Networks, spreading out exactly. 162 00:08:02.680 --> 00:08:06.319 Phase seven is post exploitation. This is about getting more power, 163 00:08:06.839 --> 00:08:10.160 elevating privileges, say from a standard user to an administrator, 164 00:08:10.519 --> 00:08:11.920 that gives much more control. 165 00:08:12.040 --> 00:08:14.680 Admin rights are the keys to the kingdom pretty much. 166 00:08:15.079 --> 00:08:19.600 Then very importantly, covering tracks, removing logs, the leading files, 167 00:08:19.680 --> 00:08:22.160 clearing command histories, anything that shows they were there. They 168 00:08:22.240 --> 00:08:25.240 might use common ports like port eighty for web traffic 169 00:08:25.560 --> 00:08:29.040 to hide their command and control communication makes forensics tougher. 170 00:08:29.399 --> 00:08:32.320 Maybe use export his size zero to clear the command history. 171 00:08:32.320 --> 00:08:34.639 Things like that, like wiping fingerprints exactly. 172 00:08:34.960 --> 00:08:39.000 And finally, for ethical hackers, the last crucial step reporting. 173 00:08:39.440 --> 00:08:43.960 Documenting everything found, the vulnerabilities, how they were exploited, and 174 00:08:44.080 --> 00:08:47.960 recommendations for fixing them, turns the attack into a lesson learned. 175 00:08:48.039 --> 00:08:51.720 That whole process sounds incredibly methodical, it has to be. Okay, 176 00:08:51.799 --> 00:08:55.320 let's talk Python in action. How do ethical hackers actually 177 00:08:55.360 --> 00:08:56.720 practice this stuff safely? 178 00:08:56.960 --> 00:08:59.759 The use of virtual lab usually set up something like 179 00:09:00.000 --> 00:09:02.960 ALI Linux is the attacking machine and maybe a Windows 180 00:09:03.039 --> 00:09:06.639 ten machine is the victim. All running inside software like virtual. 181 00:09:06.320 --> 00:09:09.600 Box, so it's all contained, no real world damage. Right, 182 00:09:09.759 --> 00:09:13.519 safe simulation and before attacking. Even in the lab, Identity 183 00:09:13.559 --> 00:09:17.080 protection is key, right like changing the mass address absolutely. 184 00:09:17.240 --> 00:09:21.240 The MSS address is your network card's physical ID. You 185 00:09:21.320 --> 00:09:23.919 typically use command line tools to change it, but Python 186 00:09:24.000 --> 00:09:27.600 subprocess library lets you automate that run those system commands 187 00:09:27.679 --> 00:09:28.600 right from your script. 188 00:09:29.039 --> 00:09:31.120 Nice. Okay, let's get into the network stuff. How does 189 00:09:31.159 --> 00:09:34.039 Python help with things like scanning and intercepting traffic. 190 00:09:34.679 --> 00:09:36.679 Well, first you need to understand a bit about how 191 00:09:36.799 --> 00:09:41.000 data travels. The TCPIP model packets flying around, and Python 192 00:09:41.039 --> 00:09:44.639 has libraries like skapy that are amazing for this scapey Yeah, 193 00:09:44.759 --> 00:09:50.039 lets you craft send, sniff dissect network packets. Really powerful 194 00:09:50.080 --> 00:09:52.159 for low level network interaction. You can use it to 195 00:09:52.360 --> 00:09:55.720 play things like the Address resolution Protocol or ARPARP. 196 00:09:55.919 --> 00:09:58.159 That's how devices find each other on a local network 197 00:09:58.200 --> 00:09:59.799 IP to m MED address exactly. 198 00:10:00.240 --> 00:10:03.360 ARP has this fundamental weakness. Device is just trust updates. 199 00:10:03.519 --> 00:10:06.080 They don't really verify who sent the ARP reply. 200 00:10:06.279 --> 00:10:08.039 Uh oh sounds exploitable. 201 00:10:08.279 --> 00:10:10.960 It is leads to ARP poisoning or man in the 202 00:10:10.960 --> 00:10:15.919 middle MITM attacks. The attacker sends fake ARP replies basically 203 00:10:15.919 --> 00:10:18.600 telling the victim machine I'm the router and telling the 204 00:10:18.639 --> 00:10:19.919 router I'm the victim machine. 205 00:10:20.000 --> 00:10:21.759 So all the traffic goes through the attacker. 206 00:10:22.000 --> 00:10:25.679 Yep. Both the victim and router update their ARP tables 207 00:10:25.720 --> 00:10:29.519 with the attacker's MSc address. Then the attacker just needs 208 00:10:29.559 --> 00:10:32.080 to enable IP forwarding on their own machine, so the 209 00:10:32.080 --> 00:10:35.679 traffic still flows through them to the actual destination. The 210 00:10:35.759 --> 00:10:38.519 victim can still browse the web none the wiser. 211 00:10:38.480 --> 00:10:41.360 While the attacker sees everything. Tools like wire shark would 212 00:10:41.360 --> 00:10:43.200 show that intercepted traffic exactly. 213 00:10:43.360 --> 00:10:45.720 Wire shark lets you capture and view all that data 214 00:10:45.759 --> 00:10:46.360 passing through. 215 00:10:47.000 --> 00:10:51.559 Okay, MITM makes sense for unencrypted traffic, but everything's HTTPS 216 00:10:51.600 --> 00:10:52.799 now right? Secure? 217 00:10:53.039 --> 00:10:56.720 Mostly? Yes, but there are techniques. SSL stripping is a 218 00:10:56.759 --> 00:10:58.320 classic MITM enhancement. 219 00:10:58.600 --> 00:10:59.320 How does that work? 220 00:10:59.480 --> 00:11:01.840 The attacker sits in the middle. When the victim tries 221 00:11:01.879 --> 00:11:05.000 to connect to a website, say http dot bank dot com, 222 00:11:05.120 --> 00:11:07.679 the attacker intercepts it. The attacker, I think, connects to 223 00:11:07.720 --> 00:11:11.399 the real bank server over secure HGTPS. Okay, the bank 224 00:11:11.440 --> 00:11:14.639 sends back its encrypted page. The attacker decrypts it and 225 00:11:14.679 --> 00:11:17.440 sends it back to the victim overplane unsecure HTTP. 226 00:11:17.639 --> 00:11:20.480 WHOA so the victim thinks they're just on HTTP, and 227 00:11:20.519 --> 00:11:23.200 the server thinks it has a secure connection sort of. 228 00:11:23.440 --> 00:11:26.720 The victim sees HGTP, maybe he doesn't notice the missing padlock. 229 00:11:27.039 --> 00:11:29.600 The server does have a secure connection with the attacker, 230 00:11:29.960 --> 00:11:33.679 and the attacker sees everything in plaintext. Tools like better 231 00:11:33.679 --> 00:11:36.720 cap can automate this, but it's a moving target. Big 232 00:11:36.759 --> 00:11:38.279 sites are always improving defenses. 233 00:11:38.399 --> 00:11:43.399 That's incredibly sneaky. Okay, let's shift gears from intercepting data 234 00:11:43.440 --> 00:11:46.320 to actually controlling a machine malware. 235 00:11:45.919 --> 00:11:50.039 Development right, building a remote access tool or rat. The 236 00:11:50.120 --> 00:11:53.840 foundation here is socket programming in Python. Sockets are basically 237 00:11:53.840 --> 00:11:56.519 the endpoints for network communication. If you one on the 238 00:11:56.519 --> 00:11:59.679 server listening and one on the client connecting client server 239 00:11:59.799 --> 00:12:03.399 mall yep. And for malware you usually want that reverse 240 00:12:03.440 --> 00:12:04.559 shell we mentioned earlier. 241 00:12:04.720 --> 00:12:05.960 Why reverse again. 242 00:12:05.879 --> 00:12:09.240 Because the victim's machine initiates the connection out to the 243 00:12:09.279 --> 00:12:12.840 attacker's listening server. Firewalls are much less likely to block 244 00:12:12.879 --> 00:12:17.360 outgoing connections than incoming ones. Looks more normal. Python makes 245 00:12:17.360 --> 00:12:20.080 setting up that client on the victim and server for 246 00:12:20.159 --> 00:12:21.840 the attacker pretty straightforward. 247 00:12:22.000 --> 00:12:24.360 Okay, connection established, what can the attacker do? 248 00:12:24.480 --> 00:12:28.639 Then? A lot basic remote command execution is first, send 249 00:12:28.639 --> 00:12:32.080 a command like ipconfig or system info from the attacker machine, 250 00:12:32.320 --> 00:12:35.480 rent it on the victim using pythons subprocess maybe calling 251 00:12:35.480 --> 00:12:39.399 PowerShell dot ex on Windows, capture the output and set 252 00:12:39.399 --> 00:12:43.080 it back. You need ways to handle potentially large output, 253 00:12:43.200 --> 00:12:45.120 maybe using special identifiers to mark. 254 00:12:45.000 --> 00:12:47.240 The end so you can run commands as if you 255 00:12:47.240 --> 00:12:50.559 were sitting at the victims computer. Can you browse files absolutely? 256 00:12:50.960 --> 00:12:54.679 Using Python's os module, you can implement directory navigation, send 257 00:12:54.679 --> 00:12:57.600 commands like CD dot or CD desktop and see the 258 00:12:57.600 --> 00:12:58.200 file listing. 259 00:12:58.360 --> 00:13:00.960 Wow. What else can you build into a rt. 260 00:13:00.960 --> 00:13:04.120 Oh plenty File transfer is common. Downloading files from the 261 00:13:04.200 --> 00:13:07.440 victim or uploading files to the victim needs careful handling 262 00:13:07.480 --> 00:13:09.720 of binary data and knowing when the transfer. 263 00:13:09.360 --> 00:13:12.240 Is complete, like grabbing a password file or uploading more 264 00:13:12.279 --> 00:13:13.080 malware exactly. 265 00:13:13.159 --> 00:13:16.360 You could implement screenshot capability using a library like pot guy. 266 00:13:16.399 --> 00:13:19.240 On the victim side, save the image and transfer it back. 267 00:13:20.039 --> 00:13:23.240 Or build a key logger using pinput to record keystrokes, 268 00:13:23.679 --> 00:13:27.600 log everything they type, handle, spend keys like enter or backspace, 269 00:13:27.919 --> 00:13:29.159 sends it all back to the attacker. 270 00:13:29.399 --> 00:13:32.240 You can basically see everything they do and steal anything 271 00:13:32.240 --> 00:13:36.159 on their machine that's scary stuff. How do you actually 272 00:13:36.159 --> 00:13:39.120 deploy this Python script? A victim isn't going to run 273 00:13:39.159 --> 00:13:40.120 a dot pi file. 274 00:13:40.559 --> 00:13:43.919 Good point. That's where packaging comes in. A tool called 275 00:13:43.960 --> 00:13:46.960 pinestaller is key. It takes your Python script and all 276 00:13:47.039 --> 00:13:50.759 its dependencies and bundles them into a single dot exx 277 00:13:51.120 --> 00:13:53.039 file for Windows ahunexecutable. 278 00:13:53.200 --> 00:13:53.759 That makes sense. 279 00:13:53.960 --> 00:13:56.399 Yeah, and you usually want to use virtual environments when 280 00:13:56.440 --> 00:14:00.480 building it to keep dependencies clean. Critically, pinestore has an 281 00:14:00.480 --> 00:14:04.399 option no console to make the dot ex run silently. 282 00:14:04.320 --> 00:14:08.120 So when the victim clicks it, nothing appears to happen exactly. 283 00:14:08.200 --> 00:14:10.360 No black command window pops up. It just runs in 284 00:14:10.399 --> 00:14:12.320 the background. You'd only see it if you knew to 285 00:14:12.360 --> 00:14:15.360 look in the task manager. Very stealthy, and how do. 286 00:14:15.320 --> 00:14:17.279 You trick someone into running it? Trojans? 287 00:14:17.759 --> 00:14:21.039 Trojans are a classic method hide the malware inside something 288 00:14:21.080 --> 00:14:23.919 that looks legitimate. You can use bindstaller to add an icon, 289 00:14:24.200 --> 00:14:26.360 maybe make it look like a dot JPG image file 290 00:14:26.600 --> 00:14:29.600 or a PDF document icon. Make it look harmless right, 291 00:14:30.159 --> 00:14:34.200 or even better, create a self extracting archive SFX using 292 00:14:34.240 --> 00:14:38.320 something like winrr. You bundle your malware dot ex a 293 00:14:38.399 --> 00:14:41.720 real image file like wallpaper dot jpg and maybe the 294 00:14:42.000 --> 00:14:44.440 icon file together into a single file that still looks 295 00:14:44.480 --> 00:14:47.960 like wallpaper dot GPG. Then you can figure the SFX options, 296 00:14:48.159 --> 00:14:51.039 set it to hide all so no extraction window shows, 297 00:14:51.559 --> 00:14:54.679 and crucially tell it to run two things after extraction. First, 298 00:14:54.759 --> 00:14:58.720 the actual image viewer to open wallpaper dot jpg and second, 299 00:14:58.919 --> 00:14:59.879 you're hidden malware. 300 00:15:00.919 --> 00:15:03.879 So the victim clicks the image, the image actually opens and. 301 00:15:03.840 --> 00:15:07.679 They see the wallpaper they expected. Meanwhile, silently, in the background, 302 00:15:07.799 --> 00:15:10.799 your reverse shell connects back to you. They're completely unaware. 303 00:15:10.919 --> 00:15:13.240 That is devious. Okay, this works on a local network. 304 00:15:13.240 --> 00:15:15.039 What about attacking someone across the Internet. 305 00:15:15.120 --> 00:15:18.200 Now you're attacking over a public IP. The core idea 306 00:15:18.279 --> 00:15:20.759 is the same, but the attacker needs to be reachable 307 00:15:20.759 --> 00:15:23.519 from the public Internet. The malware needs the attacker's public 308 00:15:23.519 --> 00:15:24.960 IP address to connect. 309 00:15:24.639 --> 00:15:26.919 Back to, and the attacker needs to let that connection 310 00:15:27.039 --> 00:15:28.480 in through their router. 311 00:15:28.759 --> 00:15:32.360 Exactly. That's port forwarding. The attacker configures their home router 312 00:15:32.480 --> 00:15:36.039 to forward any incoming traffic on a specific port, the 313 00:15:36.080 --> 00:15:39.240 one their listener is on directly to their callie machine's 314 00:15:39.320 --> 00:15:42.320 internal IP address, opens a path through the router. 315 00:15:42.519 --> 00:15:46.159 Got it? What about passwords? Always a prime target. 316 00:15:45.919 --> 00:15:51.600 Always A common technique is the dictionary attack, basically trying 317 00:15:51.600 --> 00:15:54.799 a huge list of potential passwords against something like maybe 318 00:15:54.799 --> 00:15:58.799 you got a password protected ZP file off the victim machine. 319 00:15:58.840 --> 00:15:59.600 How to get the list? 320 00:16:00.080 --> 00:16:02.519 There are massive word lists out there. The seakless collection 321 00:16:02.559 --> 00:16:04.679 on GitHub is famous for having tons of them. You 322 00:16:04.679 --> 00:16:07.360 can write a Python script using the zip file library 323 00:16:07.399 --> 00:16:09.799 to try every password in the list against the ZP 324 00:16:09.919 --> 00:16:12.879 file until it opens. Brute force, but with a dictionary 325 00:16:13.120 --> 00:16:16.919 kinda yeah, more targeted than just random characters. Yeah. Another thing, 326 00:16:16.960 --> 00:16:19.639 if you have command execution on a Windows machine, yes, 327 00:16:19.799 --> 00:16:22.840 you can often steal saved Wi Fi passwords. There's a 328 00:16:22.840 --> 00:16:25.879 command using netch that, if run with enough privileges, will 329 00:16:25.879 --> 00:16:29.480 show saved Wi Fi network names and their passwords in plaintext. 330 00:16:29.799 --> 00:16:32.799 Wow. So compromising one laptop could give you access to 331 00:16:32.840 --> 00:16:34.080 their whole Wi Fi. 332 00:16:33.879 --> 00:16:37.159 Network potentially, Yes, big security implications. 333 00:16:37.200 --> 00:16:40.840 And finally, this idea of botnets that sounds really advanced. 334 00:16:41.200 --> 00:16:44.240 It's basically taking the rat concept and scaling it up. 335 00:16:44.840 --> 00:16:47.679 Instead of controlling one machine, you have a central command 336 00:16:47.679 --> 00:16:51.480 and control C and C server managing many compromise machines 337 00:16:51.919 --> 00:16:52.480 or bots. 338 00:16:52.799 --> 00:16:54.080 What are botanets used for? 339 00:16:54.600 --> 00:16:58.720 Nasty stuff, usually launching those massive DDAs attacks. We talk 340 00:16:58.759 --> 00:17:02.320 about using the combined of all the bots or using 341 00:17:02.320 --> 00:17:05.960 their processing power for cryptocurrency mining without the owner's knowledge. 342 00:17:06.319 --> 00:17:09.079 Python socket and threading libraries can be used to build 343 00:17:09.119 --> 00:17:11.799 a basic C and C server that handles connections from 344 00:17:11.880 --> 00:17:14.119 multiple bots simultaneously. 345 00:17:13.640 --> 00:17:16.400 Controlling an army of zombie computers. Okay, we've covered a 346 00:17:16.400 --> 00:17:19.240 lot of offense. Let's flip to defense. How do systems 347 00:17:19.240 --> 00:17:23.039 try to stop this stuff? Intrusion detection systems IDCs exactly. 348 00:17:23.119 --> 00:17:26.240 IDCs are crucial. They watch for suspicious activity. There are 349 00:17:26.240 --> 00:17:30.279 different types. Host based hids run on one computer, watching 350 00:17:30.279 --> 00:17:34.079 its files and traffic. Network based and IDs watch traffic 351 00:17:34.079 --> 00:17:37.319 for a whole network segment. Hybrid systems combine both and. 352 00:17:37.240 --> 00:17:41.400 How do they actually detect intrusions? Two main ways. Signature 353 00:17:41.440 --> 00:17:45.160 based detection is like antivirus. It has a database of 354 00:17:45.240 --> 00:17:48.920 known malware signatures, unique patterns. If it sees a file 355 00:17:49.000 --> 00:17:51.920 or traffic matching a known signature, it flags it. 356 00:17:52.000 --> 00:17:54.279 Good for known threats. What about new stuff? 357 00:17:54.359 --> 00:17:57.640 That's the weakness. It can't catch brand new zero day 358 00:17:57.640 --> 00:18:00.640 malware it hasn't seen before. That's where a nominally based 359 00:18:00.680 --> 00:18:03.880 detection comes in it learns what normal activity looks like 360 00:18:03.920 --> 00:18:06.960 on the system or network. Then it flags anything that 361 00:18:07.000 --> 00:18:09.759 deviates significantly from that baseline. 362 00:18:09.200 --> 00:18:12.559 Like if my calculator app suddenly tries to access the Internet. 363 00:18:12.319 --> 00:18:15.480 Exactly, or a game tries to disable the antivirus. It 364 00:18:15.519 --> 00:18:18.759 looks for unusual behavior acts like a behavioral guard dog. 365 00:18:19.319 --> 00:18:21.920 So defenses exist, but attackers are always trying to get 366 00:18:21.960 --> 00:18:24.680 around them, right, how do they bypass an IDs? 367 00:18:24.839 --> 00:18:28.440 Often it comes down to privileged escalation. Many defensive actions 368 00:18:28.480 --> 00:18:31.440 like disabling the antivirus or adding an exception for your 369 00:18:31.440 --> 00:18:33.839 malware folder require administrator rights. 370 00:18:33.920 --> 00:18:36.200 Ah, back to eating admin access right. 371 00:18:36.319 --> 00:18:39.240 There are Python modules like elevate that can try to 372 00:18:39.240 --> 00:18:42.400 get admin privileges on Windows, but there's a big catch. 373 00:18:43.200 --> 00:18:45.799 The UAC User Account Control. 374 00:18:45.519 --> 00:18:48.079 Pop up, that annoying Windows prompt, that's. 375 00:18:47.920 --> 00:18:50.839 The one for the script to actually get elevated privileges. Yeah, 376 00:18:50.880 --> 00:18:54.200 the real human user has to physically click yes on 377 00:18:54.279 --> 00:18:57.720 that pop up. It's a major hurdle for malware often 378 00:18:57.759 --> 00:19:00.200 requires tricking the user's social engineering. 379 00:18:59.839 --> 00:19:02.200 So it's not purely technical. There's a human element too. 380 00:19:02.319 --> 00:19:06.279 Always that interaction between attack techniques and defenses, including the 381 00:19:06.359 --> 00:19:10.759 human factor. Yeah, that's the heart of cybersecurity's constant evolution. 382 00:19:11.000 --> 00:19:16.039 Wow, we've covered so much ground, from the very basics 383 00:19:16.079 --> 00:19:18.799 of ethical hacking, who the players are, all the way 384 00:19:18.799 --> 00:19:22.480 through that detailed attack methodology, and then seeing how Python 385 00:19:22.559 --> 00:19:26.279 is used to build these tools, rats, botnets, password crackers. 386 00:19:25.960 --> 00:19:28.559 And also the defense is the IDCs. 387 00:19:28.119 --> 00:19:33.079 Right, masking your identity, ARP, poisoning, SSL stripping, packaging malware. 388 00:19:33.440 --> 00:19:35.559 It really highlights Python's. 389 00:19:35.119 --> 00:19:37.599 Role in all this and hopefully for you listening, this 390 00:19:37.720 --> 00:19:40.960 gives you a much deeper feel for how dynamic cybersecurity is. 391 00:19:41.200 --> 00:19:43.079 It's not just about knowing tools, it's a way of 392 00:19:43.119 --> 00:19:47.200 thinking the mindset. Yeah, analyzing systems, understanding how they can break. 393 00:19:47.480 --> 00:19:51.400 Thinking creatively. That's how you build stronger defenses. Seeing the 394 00:19:51.400 --> 00:19:52.880 offense helps you protect better. 395 00:19:53.200 --> 00:19:55.640 So here's a final thought to leave you with. We 396 00:19:55.680 --> 00:19:59.720 know cybersecurity change is incredibly fast. We talked about zero 397 00:19:59.799 --> 00:20:04.240 day exploits, those brand new vulnerabilities hackers find. First they 398 00:20:04.279 --> 00:20:07.839 create these tiny windows where attackers have the upper hand. 399 00:20:08.480 --> 00:20:12.039 What does this relentless race, this constant chase between the 400 00:20:12.079 --> 00:20:14.359 people building things and the people trying to break them, 401 00:20:14.960 --> 00:20:17.440