WEBVTT 1 00:00:00.080 --> 00:00:03.399 Welcome back to the deep Dive. Today. We're kracking open 2 00:00:03.439 --> 00:00:06.559 a really fascinating stack of sources. It's excerpts from a 3 00:00:06.599 --> 00:00:10.279 book called The Art of Network Penetration Testing. And this 4 00:00:10.320 --> 00:00:12.720 isn't a theory, right, it's like a practical guide on 5 00:00:12.759 --> 00:00:15.960 how the pros simulate cyber attacks on company networks. 6 00:00:16.039 --> 00:00:19.039 That's exactly it. Our deep dive today is basically pulling 7 00:00:19.079 --> 00:00:22.480 back the curtain on how ethical hackers operate. We're trying 8 00:00:22.480 --> 00:00:25.079 to understand, you know, what does a network penetration test? 9 00:00:25.120 --> 00:00:28.839 Why do companies even need them? And maybe the most 10 00:00:28.879 --> 00:00:32.679 interesting part the actual steps, the phases and techniques they use. 11 00:00:33.119 --> 00:00:36.159 It's all straight from this how to guide. 12 00:00:36.280 --> 00:00:39.039 So it's like we're getting the attackers playbook, but you know, 13 00:00:39.320 --> 00:00:39.679 used for. 14 00:00:39.719 --> 00:00:44.000 Defense precisely the core idea and the source really emphasizes 15 00:00:44.039 --> 00:00:47.640 this is simulating how a real adversary thinks and acts, 16 00:00:48.479 --> 00:00:51.439 trying to find those security weaknesses before the bad guys do. 17 00:00:51.759 --> 00:00:55.079 The book uses that analogy, doesn't it hiring a professional adversary? 18 00:00:55.159 --> 00:00:57.280 It does, and it's kind of surprising how much the 19 00:00:57.280 --> 00:01:00.640 whole process can feel like like planning movie heist. 20 00:01:00.759 --> 00:01:02.560 Huh okay, I like that you. 21 00:01:02.520 --> 00:01:07.200 Know, mapping the place out, finding entry points, moving around, 22 00:01:07.840 --> 00:01:10.920 just replace laser grids with firewalls. Maybe we'll walk through 23 00:01:10.959 --> 00:01:13.439 all that, the planning, getting in, moving deeper, and then 24 00:01:13.480 --> 00:01:15.400 the reporting. Lots of interesting stuff here. 25 00:01:15.519 --> 00:01:19.040 Okay, let's definitely unpack this. So first things first, what 26 00:01:19.200 --> 00:01:22.599 exactly is a penetration test a pentist? 27 00:01:23.200 --> 00:01:26.640 Well, think of it as an authorized simulated attack. The 28 00:01:26.719 --> 00:01:31.680 goal isn't just scanning passively, it's actively trying to exploit weaknesses, 29 00:01:31.879 --> 00:01:33.840 you know, just like a real attacker. 30 00:01:33.480 --> 00:01:37.120 Would, so actively trying to break in, essentially exactly. 31 00:01:36.719 --> 00:01:38.879 And the book points out sometimes these tests are done 32 00:01:39.799 --> 00:01:43.079 almost secretly, like the client's security team might not even 33 00:01:43.120 --> 00:01:44.920 know what's happening until they get the final report. 34 00:01:45.000 --> 00:01:48.159 Wow, okay, trying to sneak past the guards, that's the idea. 35 00:01:48.239 --> 00:01:51.280 You're adopting that malicious mindset. But here's a really important 36 00:01:51.319 --> 00:01:54.480 point the book makes early on. A pentist isn't very 37 00:01:54.560 --> 00:01:58.400 useful if the company's basic security, their hygiene is just 38 00:01:59.760 --> 00:02:01.920 bad house. So well, if you've got what they call 39 00:02:02.000 --> 00:02:07.079 low hanging fruit everywhere, default passwords not changed, people sharing logins, 40 00:02:07.159 --> 00:02:12.240 everyone having admin rights, critical patches missing, ye appentis is 41 00:02:12.280 --> 00:02:14.919 just going to find all those really obvious things first. 42 00:02:15.240 --> 00:02:17.759 So like, if you haven't even locked the front door, 43 00:02:18.080 --> 00:02:21.360 don't pay someone fancy to tell you the front door's unlocked. 44 00:02:21.560 --> 00:02:24.280 That's a perfect way to put it. Fix the absolute 45 00:02:24.360 --> 00:02:28.400 basics first. Default passwords, for instance, The source says they're 46 00:02:28.400 --> 00:02:31.759 shockingly common and attackers actively look for them because they're 47 00:02:31.800 --> 00:02:32.680 such easy wins. 48 00:02:32.680 --> 00:02:35.319 It makes total sense. Fix the big holes before you 49 00:02:35.439 --> 00:02:38.639 check for tiny cracks now. The book also mentions for 50 00:02:38.680 --> 00:02:41.479 anyone wanting to learn this stuff, setting up a lab. 51 00:02:41.639 --> 00:02:45.800 Oh definitely, learning by doing is crucial. The source suggests 52 00:02:45.879 --> 00:02:48.479 using something like the Capsule Core Pentest project. It gives 53 00:02:48.520 --> 00:02:51.719 you a pre built credit environment to practice on. Okay, 54 00:02:51.879 --> 00:02:55.120 and for your own machine, the attacker machine, they strongly 55 00:02:55.159 --> 00:02:58.840 recommend starting with Linux Opuntu for example. So many of 56 00:02:58.840 --> 00:03:01.400 the standard pen testing tools are built for Linux. They 57 00:03:01.479 --> 00:03:02.759 just run better there. 58 00:03:02.759 --> 00:03:05.280 Right, Getting the tools and the environment set up kind 59 00:03:05.319 --> 00:03:06.000 of step zero. 60 00:03:06.199 --> 00:03:10.560 Absolutely, you need that stable tool rich setup Linux is 61 00:03:10.599 --> 00:03:12.199 really fundamental for this kind of work. 62 00:03:12.319 --> 00:03:14.919 Okay, So let's get into the actual process. The book 63 00:03:14.960 --> 00:03:18.360 lays out a pretty standard four phase approach for specifically 64 00:03:18.840 --> 00:03:22.400 internal network penetration tests or ionpts. 65 00:03:22.560 --> 00:03:26.159 That's right, And interestingly, they mentioned a typical IMPT can 66 00:03:26.199 --> 00:03:29.960 often wrap up within a normal forty hour work week. 67 00:03:30.080 --> 00:03:31.479 Really okay, Yeah. 68 00:03:31.280 --> 00:03:34.400 These four phases are basically the attackers playbook once they're 69 00:03:34.439 --> 00:03:37.560 inside the network perimeter. Yeah, even if that initial inside 70 00:03:37.599 --> 00:03:40.080 access is just simulated for the test itself. 71 00:03:40.240 --> 00:03:43.560 Gotcha. So phase one, if we're sticking with the heist analogy, 72 00:03:43.599 --> 00:03:46.879 this sounds like the planning, the recon phase casing the 73 00:03:46.960 --> 00:03:47.800 joint exactly. 74 00:03:47.840 --> 00:03:50.879 That Phase one is all about information gathering. The main 75 00:03:50.919 --> 00:03:53.919 goal is to map out the target's attack surface. You 76 00:03:53.960 --> 00:03:56.360 need to figure out, Okay, what systems are actually alive 77 00:03:56.400 --> 00:03:59.199 on this network, what services are they running, where the 78 00:03:59.199 --> 00:04:00.159 potential entry point? 79 00:04:00.240 --> 00:04:02.680 How you even start finding systems? Networks can be huge. 80 00:04:02.960 --> 00:04:06.680 That's the host discovery part. You're looking for live machines 81 00:04:06.680 --> 00:04:09.560 within whatever IP range you've been given, or you're trying 82 00:04:09.560 --> 00:04:13.159 to discover the source. Talks about different scopes. Here, white 83 00:04:13.199 --> 00:04:15.919 box where the client gives you a list of targets, sure, 84 00:04:16.360 --> 00:04:19.639 black box where you basically start blind, and gray box, 85 00:04:19.879 --> 00:04:22.839 which is somewhere in between. Maybe you get some IP ranges. 86 00:04:23.199 --> 00:04:25.720 But here's a really interesting point from the book. Even 87 00:04:25.759 --> 00:04:28.160 in a white box test where the client gives you 88 00:04:28.199 --> 00:04:31.839 a list. Experienced PEN testers often still scan the whole 89 00:04:31.920 --> 00:04:35.759 range anyway. Why is that because clients frequently miss systems 90 00:04:36.000 --> 00:04:38.360 on their own network inventories. 91 00:04:37.839 --> 00:04:40.240 No kidding, so their own map might be wrong. That's 92 00:04:40.639 --> 00:04:41.759 a big deal, it really is. 93 00:04:41.839 --> 00:04:43.839 It shows why this kind of independent testing is so 94 00:04:43.959 --> 00:04:48.120 valuable for techniques. You've got simple stuff like ping, but 95 00:04:48.199 --> 00:04:52.040 mostly you're using powerful tools like ENMP. The book mentions 96 00:04:52.120 --> 00:04:55.879 specific n MAP options like at PN to assume hosts 97 00:04:56.000 --> 00:04:58.519 or up or things like min rate to speed up 98 00:04:58.519 --> 00:05:02.560 the scanning significantly to cover faster exactly. They also mentioned 99 00:05:02.680 --> 00:05:06.480 maybe sniffing network traffic with wireshark, looking for hosts talking, 100 00:05:06.720 --> 00:05:09.480 or even hunting for hidden subnets if the scope allows. 101 00:05:09.800 --> 00:05:12.279 Okay, so you found the live machines. What's next in 102 00:05:12.319 --> 00:05:14.079 this info gathering phase. 103 00:05:14.199 --> 00:05:17.680 Necktub is service discovery. So now you know who's home, 104 00:05:17.879 --> 00:05:19.759 you need to figure out what doors are open on 105 00:05:19.800 --> 00:05:22.680 those houses and what's behind. 106 00:05:22.360 --> 00:05:24.319 Them doors being ports right. 107 00:05:24.360 --> 00:05:27.120 Finding which services are running on which ports across that 108 00:05:27.160 --> 00:05:30.319 whole range zero to six, five, five, three five, and 109 00:05:30.399 --> 00:05:32.800 figuring out what the service is. Is it a web server, 110 00:05:33.439 --> 00:05:35.519 a database, something. 111 00:05:35.199 --> 00:05:37.319 Else, like checking the signs on the shops and you're 112 00:05:37.319 --> 00:05:38.920 building analogy earlier. 113 00:05:38.680 --> 00:05:42.759 Exactly, and many services advertise themselves with service banners. It's 114 00:05:42.800 --> 00:05:45.040 like that sign telling you the software name and maybe 115 00:05:45.079 --> 00:05:47.879 even the version number. Tools like Curl can grab this 116 00:05:47.959 --> 00:05:51.040 from web servers, for example, and getting that version info. 117 00:05:51.720 --> 00:05:54.480 That's gold for an attacker looking for known exploits. 118 00:05:54.560 --> 00:05:56.680 And end map is key here too for finding the 119 00:05:56.720 --> 00:05:57.399 open ports. 120 00:05:57.800 --> 00:06:00.959 Oh. Absolutely, enmap is your main cool for port scanning. 121 00:06:01.120 --> 00:06:04.000 You're looking for common ones twenty two for Ssh, eighty 122 00:06:04.079 --> 00:06:06.519 and four forty three for web three three eighty nine 123 00:06:06.560 --> 00:06:09.959 for Windows Remote desktop. The source gets practical tips on 124 00:06:10.000 --> 00:06:12.759 how to parse end map's output, maybe using command line 125 00:06:12.759 --> 00:06:15.560 tools like rep or cut to filter results my filter. 126 00:06:15.680 --> 00:06:17.800 So you can create specific target lists for the next step, 127 00:06:17.839 --> 00:06:19.959 like okay, here's a list of just the web servers 128 00:06:20.120 --> 00:06:23.079 or just the systems. Running Microsoft Seql helps you focus 129 00:06:23.120 --> 00:06:24.120 your efforts. 130 00:06:23.720 --> 00:06:27.199 Which leads to vulnerability discovery. Now you know what services 131 00:06:27.199 --> 00:06:29.680 are running. Time to check if the locks on those doors. 132 00:06:29.439 --> 00:06:33.199 Are weak precisely, Now you analyze those identified services for 133 00:06:33.360 --> 00:06:38.000 known weaknesses. Is there an authentication problem, a configuration mistake? 134 00:06:38.519 --> 00:06:40.439 Is it missing critical security patches? 135 00:06:40.639 --> 00:06:40.720 Oh? 136 00:06:40.759 --> 00:06:43.160 Okay, And this is where pintesting really differs from just 137 00:06:43.279 --> 00:06:47.199 running say an SS or Qualis scan. Those tools often 138 00:06:47.240 --> 00:06:51.360 flag potential issues based on version numbers, known cvs. 139 00:06:51.000 --> 00:06:52.360 Right, theoretical problems. 140 00:06:52.480 --> 00:06:55.279 Yeah, ap Pennus focuses on finding things that are actually 141 00:06:55.319 --> 00:06:57.920 exploitable in that specific environment. Can I really use this 142 00:06:57.959 --> 00:06:58.680 weakness to get in? 143 00:06:58.879 --> 00:07:01.680 Like finding a specific old software version with a known 144 00:07:01.879 --> 00:07:03.240 working exploit. 145 00:07:03.000 --> 00:07:06.360 Exactly That and missing patches are a huge one. The 146 00:07:06.399 --> 00:07:10.639 book uses MS seventeen zero ten the eternal Blue vulnerability 147 00:07:10.720 --> 00:07:13.720 as a prime example. It's famous from twenty seventeen, but 148 00:07:13.759 --> 00:07:16.879 the source says finding system still missing this patch is 149 00:07:16.959 --> 00:07:19.160 often an easy quick win for attackers. 150 00:07:19.439 --> 00:07:21.399 Still wow, yep. 151 00:07:21.639 --> 00:07:24.519 You can even use tools within frameworks like metasploit to 152 00:07:24.600 --> 00:07:27.959 specifically check for it. Finding Eternal Blue unpatched that's a 153 00:07:28.079 --> 00:07:28.920 major red flag. 154 00:07:29.000 --> 00:07:32.600 One of the things like weak passwords authentication issues. 155 00:07:32.360 --> 00:07:35.160 Oh, absolutely critical. The source talks a lot about guessing 156 00:07:35.240 --> 00:07:39.639 or brute forcing passwords, trying default credentials, building clients. Specific 157 00:07:39.639 --> 00:07:42.079 word lists may be based on the company name They 158 00:07:42.120 --> 00:07:45.240 mentioned using metasploit modules again to hammer login prompts for 159 00:07:45.319 --> 00:07:49.560 databases like MSCL or myceycle or even VNC remote access services, 160 00:07:49.560 --> 00:07:52.879 which sometimes don't lock accounts after too many bad guesses. Yikes. 161 00:07:53.120 --> 00:07:56.399 And here's another surprising bit. The book notes that successful 162 00:07:56.399 --> 00:08:00.480 password guessing often leads logs, but companies frequently do monitor 163 00:08:00.519 --> 00:08:03.639 those logs closely enough, or they ignore the alerts. 164 00:08:03.399 --> 00:08:05.480 So the alarm is ringing but nobody's listening. 165 00:08:05.519 --> 00:08:09.879 Per pick analogy. Then you've got configuration vulnerabilities. Services just 166 00:08:09.920 --> 00:08:13.240 set up insecurely, maybe using default settings. The book suggests 167 00:08:13.279 --> 00:08:15.199 a cool tool called web shot. 168 00:08:15.519 --> 00:08:16.120 What does that do? 169 00:08:16.639 --> 00:08:19.560 It takes screenshots of lots of web servers really quickly, 170 00:08:20.000 --> 00:08:24.399 helps you visually scan and spot potentially interesting things, maybe 171 00:08:24.439 --> 00:08:28.879 an old admin interface or specific platforms like Apache, Tomcat 172 00:08:28.959 --> 00:08:32.240 or Jenkins which are known to have remote code execution 173 00:08:32.360 --> 00:08:35.120 possibilities if you can guess their admin passwords. 174 00:08:35.200 --> 00:08:38.919 So Phase one is really about building this incredibly detailed 175 00:08:38.960 --> 00:08:42.639 map of the network's weak spots, understanding the landscape exactly. 176 00:08:42.679 --> 00:08:45.600 It's deep reconnaissance lets you make an informed decision about 177 00:08:45.799 --> 00:08:49.879 the path of least resistance, which vulnerability looks most promising 178 00:08:49.879 --> 00:08:52.200 to get you that initial access, rather than just you know, 179 00:08:52.320 --> 00:08:53.440 randomly trying stuff. 180 00:08:53.519 --> 00:08:57.279 Okay, map complete weak points identified. Phase two focus penetration. 181 00:08:57.399 --> 00:09:00.000 Now the heist crew actually makes their move right getting 182 00:09:00.120 --> 00:09:00.960 inside the building. 183 00:09:01.240 --> 00:09:05.360 That's the goal, precisely gain that initial foothold. You're actively 184 00:09:05.399 --> 00:09:08.480 exploiting one or more of those vulnerabilities found in phase 185 00:09:08.519 --> 00:09:11.519 one to get remote control, usually called getting a shell. 186 00:09:11.840 --> 00:09:13.840 How does that work attacking a web server for. 187 00:09:13.840 --> 00:09:17.480 Example, Well, say you found weak admin credentials on that 188 00:09:17.519 --> 00:09:20.679 Tomcat or Jenkin server. You might be able to achieve 189 00:09:20.879 --> 00:09:25.399 remote code execution RCE, basically tricking the server into running 190 00:09:25.440 --> 00:09:29.120 your commands. Okay, for Tomcap, maybe you upload a malicious 191 00:09:29.120 --> 00:09:32.559 web application file a war file through the admin panel. 192 00:09:33.120 --> 00:09:35.360 That file then runs and gives you a command prompt 193 00:09:35.399 --> 00:09:35.679 on the. 194 00:09:35.639 --> 00:09:36.440 Server, a shell. 195 00:09:36.559 --> 00:09:40.120 A shell. Yeah. Now, the source distinguishes between interactive shells 196 00:09:40.120 --> 00:09:43.399 like a normal command prompt and non interactive ones, which 197 00:09:43.440 --> 00:09:46.039 can be more limited. They even list some safe commands 198 00:09:46.080 --> 00:09:48.480 you can usually run in those limited shells, like ipconfig 199 00:09:48.600 --> 00:09:52.159 to check network settings, task lists to see processes, or 200 00:09:52.399 --> 00:09:53.799 during kat to look at files. 201 00:09:54.200 --> 00:09:56.960 So you might not get full easy control right away. 202 00:09:57.080 --> 00:09:59.360 It depends on the exploit and the shell you get back. 203 00:10:00.080 --> 00:10:03.519 Sometimes even limited access is enough. Here's a really clever 204 00:10:03.600 --> 00:10:06.879 Windows trick. The book details the sticky keys back door. 205 00:10:06.799 --> 00:10:08.639 Sticky keys like the accessibility feature. 206 00:10:08.759 --> 00:10:12.000 Exactly, you replace the program that runs when you hit 207 00:10:12.039 --> 00:10:15.600 shift five times sets dot ex with the command prompt 208 00:10:15.720 --> 00:10:20.039 cmd dot ex. If you have remote desktop access RDB 209 00:10:20.679 --> 00:10:23.559 and the right permissions to swap the files. Uh huh, 210 00:10:23.600 --> 00:10:25.840 you can hit shift five times at the Windows login 211 00:10:25.919 --> 00:10:28.440 screen and instead of sticky keys options, you get a 212 00:10:28.480 --> 00:10:29.799 system level command prompt. 213 00:10:29.879 --> 00:10:32.679 Whoo, that's disius, there really is. 214 00:10:33.159 --> 00:10:35.960 The book mentions you might need tools like cackles dot 215 00:10:35.960 --> 00:10:39.240 ex first to mess with file permissions to allow the replacement. 216 00:10:39.320 --> 00:10:43.279 Okay, what about attacking databases like that ms sql example, if. 217 00:10:43.120 --> 00:10:45.759 You found credentials in phase one, maybe that's SAFF password 218 00:10:45.799 --> 00:10:49.320 one combo. The source uses as an example. You connect 219 00:10:49.320 --> 00:10:52.080 to the database now if a specific stored procedure called 220 00:10:52.200 --> 00:10:55.720 xpcmd shell is enabled, which shouldn't be usually. Why not 221 00:10:55.919 --> 00:10:58.440 because it lets you run operating system commands directly from 222 00:10:58.440 --> 00:11:00.960 the database. So you could type CQ commands that execute 223 00:11:01.000 --> 00:11:04.039 WAMI or if config on the underlying server. You definitely 224 00:11:04.120 --> 00:11:06.279 check what account the d B service itself is running, 225 00:11:06.279 --> 00:11:07.799 asked to see how much power you just got? 226 00:11:07.919 --> 00:11:12.159 Gotcha? And if you found that eternal blue vulnerability MS 227 00:11:12.279 --> 00:11:15.519 seventeen M zero ten zero, that's. 228 00:11:15.279 --> 00:11:17.480 Often a much more direct route. You'd use a pre 229 00:11:17.519 --> 00:11:20.879 built exploit module like MS one CO ten p XC 230 00:11:20.919 --> 00:11:23.879 and metasploit pointed at the vulnerable machine, run it and 231 00:11:24.000 --> 00:11:25.759 often boom you get a show. 232 00:11:25.879 --> 00:11:27.759 And you mentioned some shells are better than others. 233 00:11:27.919 --> 00:11:31.799 Materpreter, Yeah, Interpreter is metasploits enhanced shell. It has a 234 00:11:31.879 --> 00:11:35.320 lot more built in capabilities, specifically for the next phases 235 00:11:35.360 --> 00:11:39.159 of the attack post exploitation. Simple commands like EPs in 236 00:11:39.159 --> 00:11:42.559 Interpreter let you see running processes and crucially who's logged 237 00:11:42.600 --> 00:11:45.919 in the source gives an example of spotting a domain 238 00:11:46.039 --> 00:11:49.200 user capsule Cartian logged in via RDP this. 239 00:11:49.159 --> 00:11:51.960 Way, so you can see other users on the system exactly. 240 00:11:52.159 --> 00:11:55.440 Interpreter also lets you easily run more advanced modules, and 241 00:11:55.480 --> 00:11:58.120 you can even generate custom versions of the Materpreter payload 242 00:11:58.360 --> 00:12:01.200 using tools like m venom to try and evade antivirus. 243 00:12:01.559 --> 00:12:04.600 So summing up phase two, it's all about getting that 244 00:12:04.639 --> 00:12:08.720 first access that beachhead and maybe compromising multiple systems quickly 245 00:12:08.720 --> 00:12:09.360 if possible. 246 00:12:09.679 --> 00:12:13.679 That's the core idea. Get inside established presence. The more 247 00:12:13.679 --> 00:12:16.799 systems you initially compromise, the better your chances of finding 248 00:12:16.879 --> 00:12:20.639 useful information like credentials or finding a path that leads 249 00:12:20.639 --> 00:12:23.639 deeper into the network. For Phase three, okay. 250 00:12:23.399 --> 00:12:26.000 We're in. We have shells on one or more machines. 251 00:12:26.120 --> 00:12:30.399 Phase three post exploitation and privileged escalation. Back to the heist. 252 00:12:31.000 --> 00:12:33.840 The crews inside now they're moving around looking for the vault, 253 00:12:33.879 --> 00:12:35.639 getting keys to restricted areas. 254 00:12:35.720 --> 00:12:39.360 Perfect analogy. That's exactly what this phase is about. The 255 00:12:39.440 --> 00:12:43.440 key goals here, according to the source, are maintain reliable 256 00:12:43.480 --> 00:12:47.279 re entry, harvest credentials, maybe install more permanent back doors, 257 00:12:47.799 --> 00:12:49.960 and move laterally jump from system. 258 00:12:49.679 --> 00:12:52.679 To system maintaining re entry. That sounds important. You don't 259 00:12:52.919 --> 00:12:55.080 want your shell to just die if the user logs 260 00:12:55.120 --> 00:12:55.799 off or rebooths. 261 00:12:55.919 --> 00:12:59.200 Precisely, you need persistence. For Windows. The book talks about 262 00:12:59.279 --> 00:13:02.279 using a meterpretcript called persistence. It can set up a 263 00:13:02.279 --> 00:13:06.279 simple backdoor, maybe a VBScript that runs automatically on startup 264 00:13:06.480 --> 00:13:09.000 and connects back to your attack machine. Very and the 265 00:13:09.039 --> 00:13:11.799 Sorts mays a critical ethical point here. You must keep 266 00:13:11.799 --> 00:13:14.480 detailed notes of everything you installed or change so you 267 00:13:14.519 --> 00:13:17.960 can clean it up perfectly. Later for Linux or Uni 268 00:13:18.120 --> 00:13:21.600 X systems. They talk about using kron job scheduled tasks, 269 00:13:21.759 --> 00:13:25.840 maybe to automatically set up reverse SSH tunnels, using pre 270 00:13:25.919 --> 00:13:28.200 shared keys for passwordless access back. 271 00:13:28.000 --> 00:13:32.679 In okay, persistence covered. What about credential harvesting finding usernames 272 00:13:32.679 --> 00:13:33.480 and passwords? 273 00:13:33.600 --> 00:13:36.080 This is huge. It's like finding spare keys lying around 274 00:13:36.080 --> 00:13:39.440 the building. On Windows, the go to tool is mimicats, 275 00:13:39.759 --> 00:13:43.360 often run through metasploids KB extension. It's famous for being 276 00:13:43.399 --> 00:13:46.200 able to dump clear text passwords directly from the computer's 277 00:13:46.200 --> 00:13:49.759 memory if they're stored there. Commands like tspkg or w 278 00:13:49.960 --> 00:13:50.639 digest do this. 279 00:13:50.960 --> 00:13:53.919 Clear text passwords and memory often Yes. 280 00:13:54.279 --> 00:13:56.840 You can also try to grab cash domain credentials hashes 281 00:13:56.879 --> 00:13:59.320 of passwords for users who've logged into that box before, 282 00:13:59.639 --> 00:14:02.840 using formats like mscash two. On Linux unn the X, 283 00:14:02.919 --> 00:14:06.279 you might check the user's commandhistoryfile dot bash history. People 284 00:14:06.320 --> 00:14:08.120 sometimes type passwords on a command. 285 00:14:07.799 --> 00:14:09.879 Line Oh wow, seriously it happens. 286 00:14:10.120 --> 00:14:12.799 Or you grab the password hashes from the ETCA shadow file, 287 00:14:13.000 --> 00:14:15.000 which stores them in a hashed format. 288 00:14:14.720 --> 00:14:17.159 So you're grabbing credentials from memory history. 289 00:14:18.120 --> 00:14:22.200 What else searching the filesystem itself, looking for configuration files 290 00:14:22.200 --> 00:14:26.279 where developers might have hard coded passwords. The source list's 291 00:14:26.320 --> 00:14:29.600 common examples web dot ca fig for asp, dot net apps, 292 00:14:29.799 --> 00:14:33.559 tomcatusers dot xml for tomcat, can figure out ink dot php. 293 00:14:33.799 --> 00:14:36.679 For some PHP apps, you'd use system search commands like 294 00:14:37.000 --> 00:14:39.639 find star on Windows or grap on Linux to hunt 295 00:14:39.679 --> 00:14:43.120 for keywords like password or PWD within files. 296 00:14:43.200 --> 00:14:45.799 Okay, so now you've potentially got a collection of usernames, 297 00:14:45.799 --> 00:14:48.799 maybe some clear text passwords, and a bunch of password hashes. 298 00:14:49.080 --> 00:14:50.320 What do you do with the hashes? 299 00:14:50.399 --> 00:14:52.799 You try to crack them using tools like John the Ripper. 300 00:14:53.240 --> 00:14:56.120 The book explains the difference between brute force cracking trying 301 00:14:56.159 --> 00:14:59.759 every single combination, which is super slow for strong passwords, 302 00:14:59.799 --> 00:15:01.240 and dictionary attacks. 303 00:15:00.919 --> 00:15:03.000 Using lists of common passwords. 304 00:15:02.519 --> 00:15:06.039 Exactly like the famous Rocky dot txt list. Dictionary attacks 305 00:15:06.039 --> 00:15:09.639 are surprisingly effective against weaker common passwords. The source mentions 306 00:15:09.639 --> 00:15:11.840 cracking the hash for that user t in and finding 307 00:15:11.919 --> 00:15:15.080 the password was password eighty two to two, pretty common format. 308 00:15:15.120 --> 00:15:18.679 Okay, so cracked passwords or harvested clear text ones, Now 309 00:15:18.720 --> 00:15:20.080 you can move laterly. 310 00:15:20.000 --> 00:15:24.000 Yes, that's lateral movement. You take those credentials or even 311 00:15:24.080 --> 00:15:26.519 just to hashes and use them to log in to 312 00:15:26.639 --> 00:15:29.080 other computers on the network that you couldn't access before. 313 00:15:30.000 --> 00:15:33.440 For Windows, the source highlights a really powerful technique called 314 00:15:33.519 --> 00:15:36.919 pass the hash pa'ss the hash Yeah. Tools like crack map, 315 00:15:36.960 --> 00:15:42.600 exec CME or Metasploit's smug in module let you authenticate 316 00:15:42.639 --> 00:15:46.000 to other Windows machines using just the user's password hash. 317 00:15:46.320 --> 00:15:47.759 You don't even need to crack it to the plain 318 00:15:47.879 --> 00:15:48.799 text password first. 319 00:15:48.840 --> 00:15:51.080 That's incredible. You just need the hash fingerprint, not the 320 00:15:51.120 --> 00:15:51.759 actual key. 321 00:15:52.000 --> 00:15:56.039 Essentially, yes, it works because of how Windows authentication protocols 322 00:15:56.039 --> 00:16:00.120 can operate, so as you're moving laterally, you're also constantly 323 00:16:00.120 --> 00:16:01.879 looking for privileged escalation. 324 00:16:01.519 --> 00:16:04.519 Opportunities getting more power on the machines you land on. 325 00:16:04.720 --> 00:16:07.799 Right going from a regular user to administrator on Windows 326 00:16:07.919 --> 00:16:10.799 or to the root user on Linux. On Linux unax, 327 00:16:11.039 --> 00:16:14.919 the source mentions looking for misconfigured SUID binaries. These are 328 00:16:14.960 --> 00:16:17.799 special programs that run with the permissions of the file's owner, 329 00:16:18.080 --> 00:16:21.080 not the user running it. The password command is a 330 00:16:21.120 --> 00:16:25.279 classic example. It needs root privileges to change the password 331 00:16:25.320 --> 00:16:28.399 file even when run by a normal user. If you 332 00:16:28.440 --> 00:16:31.360 find a custom program mistakenly set with SUID and owned 333 00:16:31.360 --> 00:16:33.480 by rout, you might be able to exploit it to 334 00:16:33.519 --> 00:16:36.639 become route. The book even gives an example of potentially 335 00:16:36.679 --> 00:16:40.240 backdooring the ETSETA password file itself this way to add 336 00:16:40.279 --> 00:16:41.440 a new root level user. 337 00:16:41.600 --> 00:16:44.919 Okay, so you're moving sideways, grabbing more power. What's the 338 00:16:45.039 --> 00:16:45.639 ultimate goal? 339 00:16:45.799 --> 00:16:49.000 Usually in most corporate environments using Windows Active directory, the 340 00:16:49.080 --> 00:16:53.559 ultimate prize is domain administrator privileges. That's basically the keys 341 00:16:53.600 --> 00:16:55.720 to the entire kingdom full control. 342 00:16:55.840 --> 00:16:56.639 How do you get there? 343 00:16:57.000 --> 00:16:59.559 Well, first you need to identify who the domain admins are, 344 00:17:00.320 --> 00:17:03.240 like net group domain admins. Domain can list them. Then 345 00:17:03.360 --> 00:17:05.240 you need to figure out where they might be logged 346 00:17:05.240 --> 00:17:09.079 in currently, maybe using commands like hinsta on servers you 347 00:17:09.079 --> 00:17:10.079 already have access to. 348 00:17:10.279 --> 00:17:13.000 Okay, find the admins, fine, where they are? Then what? 349 00:17:13.480 --> 00:17:16.759 Then? You try to compromise that session or machine. Maybe 350 00:17:16.759 --> 00:17:19.680 you can impersonate their logged in session using tools like 351 00:17:19.720 --> 00:17:23.880 Metasplois incognito. Or maybe you get lucky and use mimicats 352 00:17:23.880 --> 00:17:26.119 on the machine where a domain admin is logged in 353 00:17:26.160 --> 00:17:28.640 and steal their password or hash right out of memory. 354 00:17:28.759 --> 00:17:31.799 So target the admins directly? Is there another way? 355 00:17:32.000 --> 00:17:35.480 Yes? The real holy grail, as the source calls it, 356 00:17:35.559 --> 00:17:38.480 is getting your hands on the NTDs dotd it file 357 00:17:38.559 --> 00:17:39.720 from a domain controller. 358 00:17:39.799 --> 00:17:43.480 The domain controller that's the main server for the Windows domain. 359 00:17:43.400 --> 00:17:46.799 Exactly, and that NTBs dotd it file it contains the 360 00:17:46.839 --> 00:17:49.440 password hashes for every single user and computer in the 361 00:17:49.559 --> 00:17:51.680 entire domain. It could be thousands. 362 00:17:51.759 --> 00:17:54.680 Wow, but isn't that file locked super tight by the OS. 363 00:17:54.960 --> 00:17:57.599 It is while the domain controller is running. You can't 364 00:17:57.640 --> 00:18:00.359 just copy it. So the book describes the standard TECHNIQE 365 00:18:00.680 --> 00:18:03.079 using volume shadow copies VSC. 366 00:18:02.680 --> 00:18:05.039 Shadow copies like the system backups. 367 00:18:04.720 --> 00:18:06.920 Kind of yeah. You can use a built in Windows 368 00:18:06.920 --> 00:18:09.319 command VS and flyming and create shadow to create a 369 00:18:09.359 --> 00:18:12.000 point in time snapshot of the domain controller's hard drive. 370 00:18:12.440 --> 00:18:16.079 This snapshot acts like a separate mounted volume, like plugging in. 371 00:18:16.039 --> 00:18:18.279 A USB drive that has a copy of the system 372 00:18:18.319 --> 00:18:19.720 files from a moment ago. 373 00:18:19.599 --> 00:18:22.640 Exactly like that. And crucially, the files on this shadow 374 00:18:22.640 --> 00:18:25.960 copy aren't locked by the live operating system, so you 375 00:18:26.000 --> 00:18:28.200 can just copy the NTDs dot dt file from the 376 00:18:28.200 --> 00:18:30.759 shadow copy. You also need one other file from the 377 00:18:30.759 --> 00:18:32.480 shadow copy, the System registry hive. 378 00:18:32.960 --> 00:18:33.640 Why that one? 379 00:18:33.839 --> 00:18:36.119 You need the system hive because it contains the key 380 00:18:36.240 --> 00:18:38.920 required to decrypt the hashes stored in NTDs dot d. 381 00:18:39.680 --> 00:18:43.480 Once you have both files NTDs dot D and system. 382 00:18:43.839 --> 00:18:46.759 You take them offline to your attack machine. Then you 383 00:18:46.880 --> 00:18:49.680 use tools like secret stump dot PUI from a toolkit 384 00:18:49.720 --> 00:18:52.440 called impack it. You feed it those two files and 385 00:18:52.480 --> 00:18:54.680 it extracts all the domain passwerd hashes. 386 00:18:54.440 --> 00:18:57.559 All of them thousands, potentially game over basically pretty much. 387 00:18:57.640 --> 00:18:59.559 With all those hashes, you can use past the hash 388 00:18:59.599 --> 00:19:02.640 to access almost anything or start cracking the important ones. 389 00:19:03.119 --> 00:19:06.240 So yeah, Phase three is really about leveraging that initial access, 390 00:19:06.400 --> 00:19:10.440 moving strategically, escalating privileges, and aiming for that total control 391 00:19:10.480 --> 00:19:12.200 to show maximum potential impact. 392 00:19:12.480 --> 00:19:16.119 Okay, incredible, We've planned the heist, reached the building, moved 393 00:19:16.160 --> 00:19:22.119 through it, grab the crown jewels. Phase four documentation. This 394 00:19:22.160 --> 00:19:24.079 isn't the part where the heist crew vanishes, is it. 395 00:19:24.720 --> 00:19:28.480 No? Quite the opposite. This phase is absolutely critical. The 396 00:19:28.519 --> 00:19:31.240 goal here is to deliver real value back to the client, 397 00:19:31.599 --> 00:19:33.960 and you need to clearly report exactly how you got in, 398 00:19:34.160 --> 00:19:36.960 what you found, what the risks are, and most importantly, 399 00:19:36.960 --> 00:19:39.319 how they can fix it. The book really stresses this. 400 00:19:39.839 --> 00:19:42.480 You need meticulous notes during the test. You can't write 401 00:19:42.480 --> 00:19:44.319 a good report weeks later from memory. 402 00:19:44.480 --> 00:19:47.039 Makes sense. What goes into this report. What are the 403 00:19:47.079 --> 00:19:47.799 key sections? 404 00:19:47.880 --> 00:19:51.119 The source lays out the standard components. First, the executive summary, 405 00:19:51.720 --> 00:19:55.599 high level, non technical for managers, for leadership. It answers 406 00:19:55.640 --> 00:19:58.880 the basic questions, who did the test, what was the scope, 407 00:19:59.079 --> 00:20:01.720 what were the major find When did it happen? And 408 00:20:01.759 --> 00:20:03.680 why does it matter? The how comes later? 409 00:20:03.799 --> 00:20:05.599 Got it? Big picture first exactly? 410 00:20:05.960 --> 00:20:09.799 Then the engagement methodology. This explains your approach. Was it whitebox, 411 00:20:09.839 --> 00:20:12.759 gray box, black box? It outlines the four phases you followed. 412 00:20:12.960 --> 00:20:15.160 After that comes the attack narrative, the story of the 413 00:20:15.200 --> 00:20:18.519 heist exactly. It's the step by step story of your 414 00:20:18.599 --> 00:20:21.640 specific compromise. How did you get that first shell? What 415 00:20:21.759 --> 00:20:24.000 credentials did you find? How did you move from machine 416 00:20:24.000 --> 00:20:27.000 AID to machine B? How did you eventually get domain admin? 417 00:20:27.119 --> 00:20:28.160 If you did it. 418 00:20:28.079 --> 00:20:30.559 Reads like a narrative, okay, that makes it understandable. 419 00:20:30.680 --> 00:20:34.079 Then you have the core technical details. The technical observations 420 00:20:34.079 --> 00:20:39.079 are findings. Each finding needs structure. The source suggests severity 421 00:20:39.599 --> 00:20:43.440 like high, medium, low. High usually means direct compromise or 422 00:20:43.440 --> 00:20:46.960 a clear path to it, a clear title. The observation itself. 423 00:20:47.119 --> 00:20:50.720 The example found default Tomcat admin password, The impact what 424 00:20:50.799 --> 00:20:56.079 an attacker could do gain make code execution on the server, evidence, screenshots, 425 00:20:56.319 --> 00:21:00.000 command output to prove it assets affected, which specific servers 426 00:21:00.160 --> 00:21:03.440 ips and finally a recommendation and what's. 427 00:21:03.279 --> 00:21:06.039 The philosophy behind what counts as a finding? 428 00:21:06.400 --> 00:21:09.359 This is important. The book emphasizes finding should be based 429 00:21:09.400 --> 00:21:13.160 on demonstrable compromise or a clear attack path you successfully 430 00:21:13.200 --> 00:21:16.480 executed or validated. It's not usually about just listing minor 431 00:21:16.519 --> 00:21:19.680 best practice deviations like maybe an old SSL cipher being enabled, 432 00:21:19.799 --> 00:21:22.680 unless you could actually leverage that weakness somehow during your attack. 433 00:21:22.920 --> 00:21:25.799 So focus on what an attacker could really do, not 434 00:21:26.000 --> 00:21:27.759 just theoretical stuff exactly. 435 00:21:27.839 --> 00:21:31.640 It's about proven risk and the recommendations need to be actionable. 436 00:21:32.039 --> 00:21:37.200 Update this software and force stronger password complexity, disable xpcmd shell. 437 00:21:38.200 --> 00:21:40.319 One key ethical point the source makes is not to 438 00:21:40.359 --> 00:21:44.000 recommend specific vendor products unless that was part of the agreement. 439 00:21:44.319 --> 00:21:47.559 You identify the type of control needed, not push a 440 00:21:47.599 --> 00:21:48.440 particular brand. 441 00:21:48.640 --> 00:21:50.480 And supporting infogos and appendices. 442 00:21:50.599 --> 00:21:53.359 Yeah, things like how you define severity levels, the full 443 00:21:53.440 --> 00:21:56.079 list of live hosts and open ports you found, maybe 444 00:21:56.160 --> 00:21:59.400 a list of the tools used, references all the supporting data. 445 00:21:59.440 --> 00:22:03.039 Okay, that's comprehensive. And one last really crucial step. The 446 00:22:03.039 --> 00:22:05.839 book mentions cleanup absolutely critical. 447 00:22:06.240 --> 00:22:09.599 Responsible pen testing means leaving the client's environment exactly as 448 00:22:09.599 --> 00:22:12.519 you found it or arguably slightly more secure. By removing 449 00:22:12.519 --> 00:22:14.960 any tools or changes you made, you cannot leave them 450 00:22:15.000 --> 00:22:15.640 more vulnerable. 451 00:22:15.680 --> 00:22:16.680 What does cleanup involve? 452 00:22:16.839 --> 00:22:20.720 It means killing all your active sessions and shells, Removing 453 00:22:20.720 --> 00:22:23.480 any files you uploaded, any backdoors you installed, like that 454 00:22:23.559 --> 00:22:27.680 persistent script or the sticky keys hack, Reversing any configuration 455 00:22:27.839 --> 00:22:30.880 changes you made, like if you had to enable xpcmd 456 00:22:30.960 --> 00:22:33.839 shell to prove a point you disabled it again, delete 457 00:22:33.880 --> 00:22:37.279 any temporary shares you created. It's about meticulous housekeeping. 458 00:22:37.440 --> 00:22:40.960 Got it, leave no trace except for the report exactly. 459 00:22:41.160 --> 00:22:45.440 So wow, we've really walked through that entire simulated attack 460 00:22:45.559 --> 00:22:48.799 life cycle based on this guide, from the initial planning 461 00:22:48.839 --> 00:22:51.799 and discovery, finding those weak spots, getting that foothold, moving 462 00:22:51.880 --> 00:22:55.960 laterally and escalating privileges, potentially gaining full control, and then 463 00:22:56.119 --> 00:22:59.920 crucially documenting it all so the organization can actually improve. 464 00:23:00.200 --> 00:23:03.319 It's a really powerful process when done right. And that 465 00:23:03.440 --> 00:23:06.160 core takeaway which the source hits on again and again, 466 00:23:06.480 --> 00:23:09.119 is that understanding how an attacker thinks and operates, which 467 00:23:09.119 --> 00:23:12.119 is what a good pentis simulates is probably the best 468 00:23:12.119 --> 00:23:14.599 way to figure out how to build effective defenses. And 469 00:23:14.640 --> 00:23:16.839 that low hanging fruit we talked about at the start, 470 00:23:17.359 --> 00:23:21.640 default passwords, missing patches, it's not just theory. The book 471 00:23:21.680 --> 00:23:24.279 makes it clear that's often the actual way attackers get 472 00:23:24.279 --> 00:23:28.599 their first foothold basic security hygiene, getting the fundamentals right. 473 00:23:28.880 --> 00:23:30.880 It really does go an incredibly long way. 474 00:23:31.160 --> 00:23:34.240 It is pretty striking, isn't it. How finding just one mistake, 475 00:23:34.440 --> 00:23:39.160 one oversight, that default password, that unpatched vulnerability like eternal 476 00:23:39.160 --> 00:23:43.119 Blue can potentially unravel the security of an entire network 477 00:23:43.240 --> 00:23:46.079 Using the kinds of techniques laid out here. It really 478 00:23:46.200 --> 00:23:48.880 underscores that old saying defenders have to be right every time, 479 00:23:48.920 --> 00:23:50.319 attackers only need to be right once. 480 00:23:50.440 --> 00:23:53.440 It's a sobering reality for anyone in defense. Yeah, but 481 00:23:53.720 --> 00:23:56.960 understanding the attack paths makes defense much smarter. 482 00:23:57.000 --> 00:24:00.599 Absolutely so for you listening to this, thinking about this 483 00:24:00.680 --> 00:24:04.720 whole process, the reconnaissance, the exploitation, the lateral movement, the 484 00:24:04.759 --> 00:24:08.400 sheer power of finding just one open door. What single 485 00:24:08.440 --> 00:24:11.440 security practice maybe in your own work or even personal setup, 486 00:24:11.440 --> 00:24:13.880 feels like it might be that potential weak point, that 487 00:24:14.000 --> 00:24:16.440 one thing that maybe deserves a closer look after hearing 488 00:24:16.440 --> 00:24:19.079 all this something to definitely think about after this deep 489 00:24:19.119 --> 00:24:22.759 dive into the art and science of network penetration testing.