WEBVTT 1 00:00:00.080 --> 00:00:02.080 Welcome to the deep dive. We're here to unpack the 2 00:00:02.080 --> 00:00:05.719 most vital insights from a stack of sources. Just for you. 3 00:00:06.000 --> 00:00:08.320 Think about the digital world we live in every single day. 4 00:00:08.400 --> 00:00:12.199 It's huge, complex, It feels like a fortress sometimes right, 5 00:00:12.679 --> 00:00:15.320 but well, sometimes a door just swings open if you 6 00:00:15.320 --> 00:00:17.839 know where to look. That is, today we're stepping through 7 00:00:17.839 --> 00:00:20.839 one of those doors. We're exploring the art and maybe 8 00:00:20.839 --> 00:00:25.559 the science of ethical hacking, or the more formal term 9 00:00:25.679 --> 00:00:26.719 penetration testing. 10 00:00:26.960 --> 00:00:29.760 Yeah, and this deep dive it's really your shortcut to 11 00:00:29.960 --> 00:00:33.079 understanding this whole fascinating field. We're pulling our insights today 12 00:00:33.119 --> 00:00:36.799 from a really practical guide, Penetration Testing step by step Guide, 13 00:00:36.840 --> 00:00:39.759 the second edition by Roddy Chataub. And it's not just theory, 14 00:00:39.880 --> 00:00:42.600 you know, it's very hands on. It explores the actual 15 00:00:42.640 --> 00:00:45.960 techniques the tools that hackers use, but for good reasons 16 00:00:46.119 --> 00:00:47.479 for defense exactly. 17 00:00:47.719 --> 00:00:50.039 So our goal for you today it's pretty simple. We 18 00:00:50.079 --> 00:00:53.679 want you to walk away understanding not just what system 19 00:00:53.759 --> 00:00:57.880 vulnerabilities are or even how they get attacked, but crucially 20 00:00:58.439 --> 00:01:01.479 how to defend against them. So, whether you're maybe new 21 00:01:01.479 --> 00:01:04.799 to information security, or perhaps you're a manager who needs 22 00:01:04.840 --> 00:01:08.319 to get a handle on modern threats. This deep dive, 23 00:01:08.439 --> 00:01:12.079 it's really designed to give you those aha moments, yeah, 24 00:01:12.159 --> 00:01:14.280 you know, without just drowning you in information. 25 00:01:14.480 --> 00:01:17.120 Absolutely, and before we jump right in, there's a really 26 00:01:17.319 --> 00:01:19.799 critical point we need to make everything we talk about today, 27 00:01:20.040 --> 00:01:22.400 it's all framed within the ethics of being a white 28 00:01:22.400 --> 00:01:26.599 hat hacker, an ethical hacker. All these techniques they're meant 29 00:01:26.640 --> 00:01:30.040 for authorized testing. You need explicit permission. The goal is 30 00:01:30.079 --> 00:01:33.159 always to find vulnerabilities and report them, not for anything 31 00:01:33.200 --> 00:01:36.599 malicious or illegal. It's really about building stronger defenses because 32 00:01:36.640 --> 00:01:37.640 you understand. 33 00:01:37.239 --> 00:01:40.120 The offense right makes sense. So, okay, we've had a 34 00:01:40.159 --> 00:01:42.799 little glimpse into this digital underworld. Let's get to the 35 00:01:42.840 --> 00:01:45.359 heart of it. How do the good guys actually fight back? 36 00:01:45.640 --> 00:01:49.359 What is penetration testing really and how does this proactive 37 00:01:49.359 --> 00:01:50.760 defense work for businesses? 38 00:01:50.840 --> 00:01:55.120 Well, think of it like this penetration testing. It's like 39 00:01:55.319 --> 00:01:59.000 hiring a professional burglar to test your home security system. Seriously, 40 00:01:59.439 --> 00:02:02.000 you give them permission right to try and break into 41 00:02:02.000 --> 00:02:05.840 your networks, your systems, your applications, specifically to find those 42 00:02:05.840 --> 00:02:09.199 weak spots, the vulnerabilities that a malicious hacker, a black 43 00:02:09.199 --> 00:02:12.560 hat might use to get in and cause real damage. 44 00:02:12.639 --> 00:02:15.840 It's proactive. You're trying to find those holes and patch 45 00:02:15.879 --> 00:02:18.360 them before the bad guys do beat them to the punch. 46 00:02:18.759 --> 00:02:21.599 Okay, and why is this so critical for businesses these days? 47 00:02:21.680 --> 00:02:24.360 Is it just, you know, a good practice or is 48 00:02:24.360 --> 00:02:25.599 there something more driving it? 49 00:02:25.960 --> 00:02:28.960 Oh, it's way beyond just a good idea. Often it's 50 00:02:29.000 --> 00:02:32.439 actually a necessity or requirement. Many businesses, especially if they 51 00:02:32.479 --> 00:02:35.319 handle payments, they're requiring to do regular pen tests to 52 00:02:35.400 --> 00:02:39.919 meet security standards like the Payment Card Industry Data Security 53 00:02:39.919 --> 00:02:43.919 Standard PCIDSS that requires a yearly pen test for certification. 54 00:02:44.319 --> 00:02:46.840 And because of things like that, the demand for skilled 55 00:02:46.840 --> 00:02:50.000 pen testers is just huge, it's booming. So understanding this 56 00:02:50.000 --> 00:02:51.080 stuff is really valuable. 57 00:02:51.159 --> 00:02:53.439 Okay, So who's this deep dive really for them? Who 58 00:02:53.479 --> 00:02:56.599 benefits most from digging into this book's insights with us? 59 00:02:56.879 --> 00:02:58.919 Well, I think it's perfect for anyone who wants to 60 00:02:59.000 --> 00:03:02.360 understand the mechanic of ethical hacking. Maybe you're just starting 61 00:03:02.360 --> 00:03:05.919 out in cybersecurity, or maybe you're an IT manager an 62 00:03:05.960 --> 00:03:09.439 INFOSEC manager, and you need practical insights. You want to 63 00:03:09.520 --> 00:03:12.759 understand the threats, the tools attackers use, and importantly, the 64 00:03:12.800 --> 00:03:15.039 protective measures you need. To put in place. Is designed 65 00:03:15.039 --> 00:03:17.639 to be really practical, you know, not get bogged down 66 00:03:17.680 --> 00:03:18.919 in just academic theory. 67 00:03:19.319 --> 00:03:22.680 Gotcha, and the book we're using. It breaks the whole 68 00:03:22.680 --> 00:03:25.879 process down into five core phases for a pen test. 69 00:03:26.120 --> 00:03:27.360 Can you give us a quick roadmap? 70 00:03:27.479 --> 00:03:30.560 Yeah, it's a pretty logical flow. Think of it like steps. First, 71 00:03:30.599 --> 00:03:34.120 there's reconnaissance that's just gathering info about your target, like 72 00:03:34.159 --> 00:03:37.639 detective work, finding out everything you can. Then comes scanning. 73 00:03:37.840 --> 00:03:41.599 That's when you actively probe the target looking for actual vulnerabilities. 74 00:03:41.919 --> 00:03:46.159 After that, the goal is gaining access, the actual exploitation part, 75 00:03:46.439 --> 00:03:49.560 getting in. Once you're in, it's about maintaining access, making 76 00:03:49.560 --> 00:03:51.240 sure you can stay in or get back in later, 77 00:03:51.680 --> 00:03:55.319 and finally covering tracks, hiding the evidence that you were 78 00:03:55.400 --> 00:03:55.919 ever there. 79 00:03:56.240 --> 00:04:01.599 Okay, reconnaissance, scanning, gaining access, maining covering tracks. Got it. 80 00:04:02.599 --> 00:04:06.439 Let's dive into the first big area then, Wi Fi vulnerabilities. 81 00:04:06.840 --> 00:04:09.800 Wireless is huge, right, It's often that first digital connection 82 00:04:09.840 --> 00:04:10.919 when you walk into a place. 83 00:04:11.000 --> 00:04:14.840 Oh, absolutely critical because a compromised Wi Fi network that 84 00:04:14.960 --> 00:04:17.639 isn't just a small problem. It puts your entire internal 85 00:04:17.680 --> 00:04:21.920 network at risk. For companies, insecure Wi Fi is often Honestly, 86 00:04:22.040 --> 00:04:24.560 the path of least resistance for an attacker makes it 87 00:04:24.600 --> 00:04:25.560 a prime target. 88 00:04:25.680 --> 00:04:29.240 And thinking about vulnerabilities, I remember WEP encryption from wayback. 89 00:04:29.319 --> 00:04:31.839 Is that still a thing we need to worry about? 90 00:04:31.920 --> 00:04:32.720 It seems ancient. 91 00:04:33.000 --> 00:04:36.240 We'd be surprised WEP is old. It is weak, but yeah, 92 00:04:36.279 --> 00:04:38.519 you still find it out there. Sometimes it uses this 93 00:04:38.600 --> 00:04:42.040 algorithm RC four. And here's the problem. Each packet is 94 00:04:42.120 --> 00:04:45.480 encrypted using a key stream generated partly by something called 95 00:04:45.519 --> 00:04:48.959 an initializing factor or five E. It's only twenty four 96 00:04:49.000 --> 00:04:52.360 bits long. And the real killer is this IV is 97 00:04:52.399 --> 00:04:55.560 sent in plain text right there in the packet, plaintext. 98 00:04:55.600 --> 00:04:57.720 Okay, that sounds like a huge red flag immediately, Yeah, 99 00:04:57.720 --> 00:05:00.120 the IV is just out there. How to attackers actual 100 00:05:00.279 --> 00:05:01.959 use that flaw? How do they crack the key? 101 00:05:02.199 --> 00:05:05.240 Right? That's the fundamental flaw Because that twenty four bit 102 00:05:05.279 --> 00:05:08.199 IV is so short, and it's sent unencrypted, it has 103 00:05:08.240 --> 00:05:11.040 to repeat eventually, especially on a busy network. So a 104 00:05:11.079 --> 00:05:14.879 tool like air cracking it doesn't even need the password itself. 105 00:05:15.000 --> 00:05:18.360 It just listens. It collects enough of these packets, enough 106 00:05:18.399 --> 00:05:21.920 of these repeating ivs, and by doing statistical analysis on 107 00:05:21.959 --> 00:05:25.120 how those ivs repeat, it can literally figure out the 108 00:05:25.279 --> 00:05:29.360 entire WEP key. It's not magic, just math exploiting that weakness. 109 00:05:29.480 --> 00:05:32.600 It can crack it surprisingly quickly, and attackers can even 110 00:05:32.639 --> 00:05:35.680 speed it up using things like a fake authentication procedure 111 00:05:35.720 --> 00:05:36.560 to inject packets. 112 00:05:36.600 --> 00:05:39.600 Okay, that makes total sense. Why WEP is considered broken. Yeah, 113 00:05:39.639 --> 00:05:42.160 so then WPA and WPA two came along to fix 114 00:05:42.199 --> 00:05:44.800 all that. They sound much more secure, unique keys, this 115 00:05:44.839 --> 00:05:48.120 four way handshake. But you know in hacking there's always 116 00:05:48.160 --> 00:05:50.160 a butt, isn't There are there still ways attackers get 117 00:05:50.199 --> 00:05:51.240 around WPA two. 118 00:05:51.439 --> 00:05:53.480 You hit it right on the head. There's always a butt. 119 00:05:53.839 --> 00:05:57.800 WPA and WPA two definitely a massive improvement over WEP, 120 00:05:58.399 --> 00:06:02.839 fix that exposed IVP problem. They use unique temporary keys 121 00:06:02.879 --> 00:06:06.360 for every packet and this robust four way handshake. Think 122 00:06:06.399 --> 00:06:09.240 of the handshake like a secret conversation. Your device and 123 00:06:09.279 --> 00:06:12.000 the router securely agree on unique keys. There's the pairwise 124 00:06:12.040 --> 00:06:15.759 master key, the PMK, and the paralyzed transient KEYPTK. They're 125 00:06:15.759 --> 00:06:18.560 derived from your WiFi password, the pre shared key or PSK. 126 00:06:18.720 --> 00:06:20.519 It means the encryption is constantly changing. 127 00:06:20.720 --> 00:06:23.680 Much harder to crack, okay, much harder, but not impossible. 128 00:06:23.920 --> 00:06:26.680 So even with those upgrades, how do attackers actually bypass 129 00:06:26.879 --> 00:06:28.560 WPA two. What are the main approaches? 130 00:06:28.959 --> 00:06:32.319 Yeah, still not impossible. There are really two main ways 131 00:06:32.319 --> 00:06:36.360 attackers go after w POPA two. First, exploiting the WPS 132 00:06:36.360 --> 00:06:39.680 feature Wi Fi protected setup. Remember that button on routers 133 00:06:40.120 --> 00:06:42.560 or at the PN. It was meant for convenience, you know, 134 00:06:42.639 --> 00:06:44.800 easily connecting printers and stuff, but it turned into a 135 00:06:44.879 --> 00:06:48.360 huge security hole. That eight digit PN. A tool called 136 00:06:48.439 --> 00:06:51.639 Reaver can basically brute force it. It attacks it in two halves, 137 00:06:51.639 --> 00:06:53.839 the first four digits, then the next four. So even 138 00:06:53.879 --> 00:06:57.279 with a super complex WPA two password, Reaver can often 139 00:06:57.319 --> 00:06:59.839 crack that eight digit PN in maybe ten hours or so. 140 00:07:00.040 --> 00:07:00.720 Get your password? 141 00:07:00.759 --> 00:07:03.839 Wow? Okay, so a convenience feature became a major vulnerability. 142 00:07:03.879 --> 00:07:04.879 What's the second method? 143 00:07:04.879 --> 00:07:08.480 Then? The second way involves capturing that four way handshake directly. 144 00:07:09.000 --> 00:07:12.439 An attacker can actually force the connected device like your laptop, 145 00:07:12.720 --> 00:07:14.920 to disconnect from the Wi Fi. It's called a de 146 00:07:15.040 --> 00:07:19.279 authentication attack. Then, when your laptop automatically tries to reconnect, 147 00:07:19.639 --> 00:07:22.439 that four way handshake happens again. The attacker listens and 148 00:07:22.439 --> 00:07:25.319 captures it. Once they have that captured handshake, they use 149 00:07:25.399 --> 00:07:28.600 tools like air cracking again, but this time they need 150 00:07:28.639 --> 00:07:32.040 a huge list of possible passwords, a word list. They 151 00:07:32.120 --> 00:07:34.800 might generate one with a tool like crunch, or download 152 00:07:34.800 --> 00:07:37.959 massive lists from places like seek lists online. Then they 153 00:07:38.000 --> 00:07:40.560 just try every password in the list against the handshake. 154 00:07:40.879 --> 00:07:43.439 If your password is in that list, they've got it. 155 00:07:43.639 --> 00:07:45.079 If not, this method. 156 00:07:44.800 --> 00:07:47.759 Fails, right the dictionary attack. That makes sense. Okay, that 157 00:07:47.800 --> 00:07:50.519 brings us to another really sneaky tactic, one that plays 158 00:07:50.519 --> 00:07:54.399 on our desire for free stuff. Fake access points classic lure, 159 00:07:54.439 --> 00:07:54.800 isn't it? 160 00:07:54.920 --> 00:07:58.439 Oh? Absolutely classic and effective. Hackers set up fake Wi 161 00:07:58.519 --> 00:08:01.639 Fi hotspots often give them ten names like free coffee 162 00:08:01.639 --> 00:08:05.480 shop WiFi or airport guest, especially in public places. You 163 00:08:05.560 --> 00:08:09.199 connect thinking it's legitimate, but now all your unencrypted traffic 164 00:08:09.480 --> 00:08:12.399 it's flowing right through the attacker's computer. They can see 165 00:08:12.399 --> 00:08:15.800 websites you visit, maybe present fake logging pages to seal 166 00:08:15.879 --> 00:08:19.720 your passwords, re emails if they're not encrypted, and tools 167 00:08:19.800 --> 00:08:23.639 like WiFi Pumpkin three makes setting these up surprisingly easy 168 00:08:23.639 --> 00:08:24.360 for an attacker. 169 00:08:24.480 --> 00:08:27.120 Okay, So, hearing all this, what's the bottom line for 170 00:08:27.160 --> 00:08:30.759 securing our own wireless networks? What are the absolute must dos? 171 00:08:31.040 --> 00:08:34.440 The takeaways are pretty clear. Yeah. First, never ever use 172 00:08:34.639 --> 00:08:38.639 wp just don't. It's completely broken. Second, always use WPA 173 00:08:38.679 --> 00:08:42.919 two and use a really strong complex password, think long passphrase, 174 00:08:43.039 --> 00:08:46.039 mix of uppercase, lowercase symbols. Numbers don't make it easy 175 00:08:46.039 --> 00:08:48.559 to guess. For businesses, integrating Wi Fi access with something 176 00:08:48.639 --> 00:08:51.279 like active directory is great. Avoids shared passwords, and for 177 00:08:51.320 --> 00:08:54.039 everyone that WPS feature we talked about, if your router 178 00:08:54.120 --> 00:08:56.440 has it, disable it, turn it off. That convenience just 179 00:08:56.480 --> 00:08:57.799 isn't worth the security. 180 00:08:57.399 --> 00:09:01.519 Risk disabled WPS got it? Okay? So let's say a 181 00:09:01.559 --> 00:09:04.799 hacker has gotten onto the network, maybe through weak Wi Fi. 182 00:09:05.360 --> 00:09:08.840 What's next? Our next deep dive is into post connection attacks, 183 00:09:09.039 --> 00:09:11.480 particularly this man in the middle stuff. Once they have 184 00:09:11.559 --> 00:09:13.600 that foothold, what's the first move right? 185 00:09:13.639 --> 00:09:16.639 Once they're inside, The very next step is discovery, like 186 00:09:16.759 --> 00:09:19.000 mapping out the territory. You need to figure out what 187 00:09:19.080 --> 00:09:21.480 else is on this network, what other devices are connected, 188 00:09:21.639 --> 00:09:24.720 what are their IP addresses. Tools like net discover or 189 00:09:24.840 --> 00:09:27.679 ARP scan are good for quickly finding other machines. But 190 00:09:27.720 --> 00:09:30.960 then the real workhorse is en map or its graphical version, 191 00:09:31.080 --> 00:09:34.759 zen map. N map is incredibly powerful. It scans targets 192 00:09:34.759 --> 00:09:37.679 and gives you detailed info, open ports, operating systems, what 193 00:09:37.720 --> 00:09:40.960 services are running that detailed scan. That's really the starting 194 00:09:41.000 --> 00:09:45.440 point for finding specific exploitable vulnerabilities on those machines, and. 195 00:09:45.320 --> 00:09:47.399 That leads us right into a man in the middle attacks. 196 00:09:47.840 --> 00:09:51.159 Then TM sounds kind of spy like, how do you 197 00:09:51.159 --> 00:09:51.519 define that? 198 00:09:51.720 --> 00:09:54.720 It pretty much is like spy stuff. A man in 199 00:09:54.720 --> 00:09:58.399 the middle attack or NATM is when an attacker secretly 200 00:09:58.440 --> 00:10:02.799 positions themselves between two communicating parties. Imagine you're talking to 201 00:10:02.840 --> 00:10:05.679 your bank online. The attacker gets in the middle. They 202 00:10:05.720 --> 00:10:08.080 intercept your messages to the bank and the bank's messages 203 00:10:08.120 --> 00:10:10.840 back to you. Both sides think they're talking directly, but 204 00:10:10.879 --> 00:10:15.120 they're actually talking through the attacker. It's like sophisticated eavesdropping, 205 00:10:15.440 --> 00:10:19.559 but worse because the attacker can potentially change the messages. 206 00:10:19.639 --> 00:10:23.399 Not just listen, they control the conversation. They might capture logins, 207 00:10:23.559 --> 00:10:28.200 manipulate transactions. It's really dangerous. Modern encryption like TLS tries 208 00:10:28.240 --> 00:10:30.519 to stop this, but attackers find ways around it sometimes. 209 00:10:30.600 --> 00:10:33.039 Okay, that's pretty scary. What are some common types of 210 00:10:33.080 --> 00:10:34.120 these my TM attacks? 211 00:10:34.159 --> 00:10:37.200 Well, the book mentions several key ones, things like ARP spoofing, 212 00:10:37.279 --> 00:10:42.559 DNS poofing, STP mangling, DHGP, spuefing, ICMP redirection. They all 213 00:10:42.559 --> 00:10:45.000 work slightly differently to trick network devices. 214 00:10:45.320 --> 00:10:48.799 Let's dig into ARP spoofing. How does that one exploit 215 00:10:48.840 --> 00:10:50.879 trust on a network? Why is it so effective? 216 00:10:51.159 --> 00:10:55.799 Okay? ARP Address resolution protocol. It's fundamental for local networks. 217 00:10:56.159 --> 00:10:59.480 Basically how your computer finds the physical MC address of 218 00:10:59.480 --> 00:11:02.720 another when it only knows the IP address, like asking 219 00:11:02.799 --> 00:11:07.120 who has this IP? The massive problem ARP is built 220 00:11:07.159 --> 00:11:11.320 on trust. It's incredibly insecure by design. Any computer on 221 00:11:11.360 --> 00:11:14.320 the network can just accept an ARP reply, even if 222 00:11:14.360 --> 00:11:17.360 it's fake. So arpspoof exploits this perfectly. It sends out 223 00:11:17.360 --> 00:11:20.519 fake AIRP messages. It tells your computer, hey, I'm the router, 224 00:11:20.600 --> 00:11:23.200 and it tells the router, hey I'm your computer. Suddenly, 225 00:11:23.440 --> 00:11:26.039 all the traffic between you and the router flows through 226 00:11:26.039 --> 00:11:29.120 the attacker's machine. For this to work seamlessly, the attacker 227 00:11:29.159 --> 00:11:31.360 needs to enable IP four in on their machine, so 228 00:11:31.440 --> 00:11:34.879 the traffic just passes through. Once that's set up, tools 229 00:11:34.879 --> 00:11:38.679 like wireshark running on the attacker's machine can see everything, logins, browsing, 230 00:11:38.720 --> 00:11:42.559 you name it. If it's unencrypted. It's disturbingly simple. Wow. 231 00:11:42.639 --> 00:11:46.120 Yeah, disturbingly simple, is right, just exploiting that basic trust. 232 00:11:46.799 --> 00:11:48.720 But what if the attacker wants to do more than 233 00:11:48.799 --> 00:11:50.759 just listen? What if they want to actively mess with 234 00:11:50.799 --> 00:11:53.039 the traffic. That's where tools like better cap come in. Right, 235 00:11:53.200 --> 00:11:55.159 What makes it such a powerful network tool? 236 00:11:55.440 --> 00:11:58.000 Exactly? Better Cap is like a Swiss army knife for 237 00:11:58.080 --> 00:12:02.120 network attacks, especially my TM. It's incredibly powerful and versatile. 238 00:12:02.279 --> 00:12:06.600 It lets an attacker manipulate HTTP, HTTPS, sometimes and TCP 239 00:12:06.720 --> 00:12:10.960 traffic in real time, sniff credentials, inject code, modify pages 240 00:12:11.000 --> 00:12:13.679 on the fly, for instance, using its arc dot spoof 241 00:12:13.759 --> 00:12:15.840 module to become the man in the middle and then 242 00:12:16.200 --> 00:12:19.600 dot sniff to capture data. It can easily grab unencrypted 243 00:12:19.720 --> 00:12:22.480 HTTP log in, say from a test website, and a 244 00:12:22.519 --> 00:12:25.399 really powerful feature caplets. These are like scripts for better Cap. 245 00:12:25.440 --> 00:12:29.240 Automating sequences of commands makes complex attacks much easier to execute. 246 00:12:29.279 --> 00:12:31.519 Okay, but what about ng GTPs. We always here look 247 00:12:31.519 --> 00:12:34.320 for the lock. HTTPS is secure? How does something like 248 00:12:34.399 --> 00:12:35.840 SSL stripping try to defeat that? 249 00:12:36.159 --> 00:12:39.480 Right? HTTPS is much more secure. SSL stripping is a 250 00:12:39.519 --> 00:12:42.759 technique attackers used to try and downgrade that security. The 251 00:12:42.799 --> 00:12:46.039 attacker acts as a proxy during the initial connection When 252 00:12:46.039 --> 00:12:49.440 your browser tries to connect via HTTPS, the attacker intercepts 253 00:12:49.480 --> 00:12:53.039 it talks HGTPS to the real server, but talks plane 254 00:12:53.320 --> 00:12:56.240 unencrypted HTTP back to your browser. So you think you 255 00:12:56.360 --> 00:12:59.039 might be secure, or maybe you don't notice THES is missing, 256 00:12:59.080 --> 00:13:02.799 but your connection is actually in the clear. But there's 257 00:13:02.799 --> 00:13:08.080 a crucial defense HSTS HTTP strict transport security. It's a 258 00:13:08.120 --> 00:13:10.440 header a website sends that tells your browser, Hey, for 259 00:13:10.480 --> 00:13:14.000 this site, only ever use HTTPS, no exceptions, so that 260 00:13:14.080 --> 00:13:16.639 parameters like maxage how long the browser should remember this 261 00:13:16.720 --> 00:13:18.799 rule include subdomains and preload. 262 00:13:19.279 --> 00:13:22.120 HSTS sounds like a solid defense, but you mentioned dynamic 263 00:13:22.200 --> 00:13:24.799 versus static HSTS. Does that distinction matter much? 264 00:13:24.960 --> 00:13:29.279 Oh? It matters hugely for security. Dynamic HSTS is where 265 00:13:29.279 --> 00:13:32.440 your browser learns about HSTS after the very first time 266 00:13:32.480 --> 00:13:35.120 it visits the site it gets the header. Then that 267 00:13:35.200 --> 00:13:37.840 leaves a tiny window on that very first connection where 268 00:13:37.840 --> 00:13:41.240 an SSL stripping attack could potentially work before the browser 269 00:13:41.279 --> 00:13:45.440 knows it must use HTPS. Static HSTS closes that gap. 270 00:13:46.080 --> 00:13:48.759 Websites can submit themselves to be included in a preload 271 00:13:48.840 --> 00:13:51.879 list that's built right into browsers like Chrome, Firefox, etc. 272 00:13:52.559 --> 00:13:54.200 So if a site is on that pre load list. 273 00:13:54.240 --> 00:13:56.919 Your browser already knows it must use HTTPS, even if 274 00:13:56.960 --> 00:13:59.159 you've never visited it before. That makes us a CEL 275 00:13:59.200 --> 00:14:02.000 stripping completely and effective. Against those sites the browser just 276 00:14:02.000 --> 00:14:03.039 won't connect insecurely. 277 00:14:03.320 --> 00:14:07.360 Got it. Preloading is key and DNS spoofing is another mitmtrick, 278 00:14:07.600 --> 00:14:09.480 basically lying about website. 279 00:14:09.080 --> 00:14:13.559 Addresses exactly your computer uses DNS, the domain name system 280 00:14:13.840 --> 00:14:17.440 to turn website names like www dot Google dot com 281 00:14:17.480 --> 00:14:22.200 into IP addresses. In DNS spoofing, the ITM attacker runs 282 00:14:22.240 --> 00:14:25.200 their own fake DNS server on the local network. When 283 00:14:25.240 --> 00:14:28.759 your computer asks what's the IP for www dot my 284 00:14:28.919 --> 00:14:32.399 bank dot com, The attacker's fakeserver answers with an IP 285 00:14:32.480 --> 00:14:35.600 address they control, maybe a phishing site that looks real, 286 00:14:35.759 --> 00:14:38.679 so you get redirected to the wrong place. But again, 287 00:14:38.799 --> 00:14:41.159 like s is all stripping, this generally doesn't work against 288 00:14:41.240 --> 00:14:45.440 sites using HTTPS. With HSTS enabled and preloaded, the browser 289 00:14:45.480 --> 00:14:48.399 will refuse to connect to a fake HTTP version. You 290 00:14:48.440 --> 00:14:50.600 can demo this with tools like an apatche webserver for 291 00:14:50.639 --> 00:14:53.799 the fake site and BETTERCAPS. DNS dot spoof module. 292 00:14:53.519 --> 00:14:56.559 And BETTERCAP can even inject code like JavaScript into the 293 00:14:56.600 --> 00:14:57.519 websites you're visiting. 294 00:14:57.559 --> 00:15:00.799 That's right. If the connection is HTTP or HTT without 295 00:15:00.840 --> 00:15:04.320 strong hsts, better cap can inject custom JavaScript into the 296 00:15:04.320 --> 00:15:07.879 pages as they pass through. This is incredibly dangerous. JavaScript 297 00:15:07.960 --> 00:15:09.759 running in your browser can do a lot of malicious 298 00:15:09.759 --> 00:15:13.200 things steal cookies, lug keystrokes, redirect you, pop up fake logins, 299 00:15:13.360 --> 00:15:14.559 all controlled by the attacker. 300 00:15:14.759 --> 00:15:19.159 Okay, so, after hearing about ARP spoofing, dnspoofing, SSL stripping, 301 00:15:19.960 --> 00:15:23.600 how do we actually detect and more importantly, prevent ARP 302 00:15:23.759 --> 00:15:25.559 poisoning which seems to underpin a lot of this. 303 00:15:25.879 --> 00:15:30.039 Detecting it tools like wireshark are invaluable. It can spot 304 00:15:30.159 --> 00:15:33.559 unusual network chatter like an ARP storm tons of AIRP 305 00:15:33.679 --> 00:15:37.399 requests which might indicate a scan or attack. Wireshot can 306 00:15:37.440 --> 00:15:40.559 even directly flag potential MITM attacks if it sees duplicate 307 00:15:40.600 --> 00:15:44.440 IP addresses claiming the same ASC or vice versa. For prevention, 308 00:15:44.600 --> 00:15:48.679 things like intrusion detection systems or intrusion prevention systems idscs 309 00:15:48.720 --> 00:15:52.159 are important. Also, modern layer two switches can be configured 310 00:15:52.159 --> 00:15:55.360 with features like dynamic AARP inspection or the AMSC address 311 00:15:55.360 --> 00:15:58.519 tracking to block spoofed packets. There are also client side 312 00:15:58.559 --> 00:16:02.840 tools like ZARP that monitor for suspicious ARP activity. Interestingly, 313 00:16:02.840 --> 00:16:05.279 while we focus on the bad stuff, airpeacepoofing can be 314 00:16:05.320 --> 00:16:08.639 used for legitimate reasons, like on public Wi Fi redirecting 315 00:16:08.720 --> 00:16:10.799 users who haven't logged in yet to a sign up page. 316 00:16:10.960 --> 00:16:14.679 Right, legitimate uses too, Okay, So moving on. After all 317 00:16:14.720 --> 00:16:18.279 that scanning and maybe MYTM setup, the real goal for 318 00:16:18.320 --> 00:16:22.120 an attacker is often gaining access, getting control of devices. 319 00:16:22.320 --> 00:16:24.879 Let's talk server side attacks first. These are direct assaults, 320 00:16:24.919 --> 00:16:25.759 right exactly. 321 00:16:25.879 --> 00:16:29.559 Server side attacks target vulnerabilities directly on the server itself. 322 00:16:29.639 --> 00:16:32.360 They don't need the user to click anything or run anything. 323 00:16:32.639 --> 00:16:35.440 You just need the server's ike address and an exploitable 324 00:16:35.440 --> 00:16:39.240 service running zenmap or nmap is key here for that 325 00:16:39.320 --> 00:16:43.639 initial info gathering, finding open ports identifying services like FTP, 326 00:16:44.039 --> 00:16:48.159 RSH remote shell or Samba Windows file sharing, so you're. 327 00:16:47.960 --> 00:16:49.799 Looking for known flaws in those. 328 00:16:49.639 --> 00:16:54.480 Specific services precisely. Sometimes it's about finding older, unpatched versions 329 00:16:54.480 --> 00:16:58.039 with well known vulnerabilities. For example, there's a specific version 330 00:16:58.080 --> 00:17:02.159 of VSFTPD and FTPC version two point three point four 331 00:17:02.399 --> 00:17:05.039 that famously had a back door baked into it. If 332 00:17:05.079 --> 00:17:07.960 you find that running boom root access. Another example is 333 00:17:08.000 --> 00:17:11.000 netkit RSH. If that remote shell service is enabled and 334 00:17:11.000 --> 00:17:13.240 misconfigured on a Linux box, you might be able to 335 00:17:13.279 --> 00:17:14.480 execute commands remotely. 336 00:17:14.759 --> 00:17:18.039 And beyond those simpler known flaws, there are more complex 337 00:17:18.160 --> 00:17:21.799 code execution vulnerabilities. Tell us about those and this concept 338 00:17:21.839 --> 00:17:24.039 of a reverse connection that sounds clever. 339 00:17:24.400 --> 00:17:28.359 Yeah, code execution vulnerabilities exploit flaws maybe in web applications 340 00:17:28.440 --> 00:17:31.440 or services like Zomba that let an attacker run their 341 00:17:31.480 --> 00:17:35.640 own commands on the server. Now the reverse connection. This 342 00:17:35.680 --> 00:17:39.119 is a really smart way to bypass firewalls. See, most 343 00:17:39.200 --> 00:17:42.440 firewalls are configured to block incoming connections initiated from the 344 00:17:42.440 --> 00:17:45.440 outside like a castle wall. Or reverse connection flips that 345 00:17:45.920 --> 00:17:48.680 the attacker sets up a listener on their machine. Then 346 00:17:48.839 --> 00:17:51.880 the exploit makes the victim's server initiate an outgoing connection 347 00:17:52.039 --> 00:17:55.279 back to the attacker. Since the connection started from inside 348 00:17:55.319 --> 00:17:57.839 the network, the firewall often lets it pass right through. 349 00:17:58.240 --> 00:18:01.000 It's like the victim opens a secret door outwards. The 350 00:18:01.039 --> 00:18:03.519 metasplit framework is the go to tool for this. It 351 00:18:03.519 --> 00:18:06.759 has tons of exploits and payloads. A common payload is 352 00:18:06.759 --> 00:18:09.640 something like cmdo nix reverse netcat. You just tell it 353 00:18:09.720 --> 00:18:12.599 your attacker ipe LHST and the port you're listening on 354 00:18:12.720 --> 00:18:16.079 lpr ort, run the exploit and hope the victim connects back. 355 00:18:16.319 --> 00:18:20.400 That is clever. Okay. So besides trying these exploits manually, 356 00:18:20.680 --> 00:18:24.240 there's automated vulnerability scanning. What's the main goal. 357 00:18:24.039 --> 00:18:28.079 There, right? Automated scanning is about efficiency and coverage. Its 358 00:18:28.119 --> 00:18:32.440 purpose is to systematically check computers, servers, whole networks for 359 00:18:32.519 --> 00:18:38.559 known weaknesses. These scanners look for outdated software, misconfigurations, missing patches, 360 00:18:38.839 --> 00:18:42.759 things that match entries in huge vulnerability databases. Think of 361 00:18:42.839 --> 00:18:48.319 databases like OSVDB Open Source Vulnerability Database, the NIST, MVD 362 00:18:48.599 --> 00:18:53.880 National Vulnerability Database, or CVE Common Vulnerabilities and Exposures. The 363 00:18:53.880 --> 00:18:56.680 scanner basically compares what it finds on your systems against 364 00:18:56.720 --> 00:18:59.599 these lists of known problems. It's like an automated security audit. 365 00:19:00.119 --> 00:19:02.279 Some of the big names in scanning software, well. 366 00:19:02.160 --> 00:19:04.960 There are several well known ones. You've got nessis Qualities, 367 00:19:05.039 --> 00:19:08.160 open vas which is open source, but a really prominent 368 00:19:08.200 --> 00:19:11.680 commercial one, especially one that integrates well with exploitation tools, 369 00:19:11.680 --> 00:19:12.319 is rapid seven. 370 00:19:12.359 --> 00:19:15.559 Nextpos xsoz so it integrates with metasploit. You said, what's 371 00:19:15.599 --> 00:19:18.279 its role in the bigger picture? The whole vulnerability management 372 00:19:18.319 --> 00:19:20.839 process and any practical tips for using it. 373 00:19:21.119 --> 00:19:24.160 Yeah, nexpos integrates tightly with metasploit. You can find a 374 00:19:24.200 --> 00:19:27.440 vulnerability in expos and often directly launch and exploit for 375 00:19:27.480 --> 00:19:31.000 it in metasploit. Its role covers the entire vulnerability management 376 00:19:31.039 --> 00:19:35.039 life cycle. Discovery, finding assets on your network, detection, finding 377 00:19:35.039 --> 00:19:40.920 the weaknesses, verification, checking if they're actually exploitable, risk classification, reporting, 378 00:19:41.599 --> 00:19:46.079 and even helping prioritize fixing things the mitigation part. Practically speaking, 379 00:19:46.079 --> 00:19:50.119 it's a powerful tool, very comprehensive, but be aware it 380 00:19:50.160 --> 00:19:52.880 can be a bit of a beast resource wise, needs 381 00:19:52.920 --> 00:19:56.119 decent RAM like eight GB good disk space, especially in 382 00:19:56.119 --> 00:19:57.920 a VM, and the first time you start it up 383 00:19:57.920 --> 00:20:00.000 it might take like thirty minutes to updates data bit. 384 00:20:00.519 --> 00:20:02.359 Once it's running, it's great. You create sites for your 385 00:20:02.359 --> 00:20:05.440 scan targets at IP addresses, run the scans, and then 386 00:20:05.480 --> 00:20:09.400 you get these really detailed reports, audit reports, executive summaries, 387 00:20:09.440 --> 00:20:11.920 even just the top ten worst vulnerabilities. Very useful. 388 00:20:11.960 --> 00:20:15.039 Okay, so those are server side attacks, that's direct, But 389 00:20:15.119 --> 00:20:20.200 client side attacks they feel different, more personal, maybe because 390 00:20:20.240 --> 00:20:21.400 they involve the human element. 391 00:20:21.680 --> 00:20:25.160 Absolutely. Client side attacks nearly always need the user to 392 00:20:25.200 --> 00:20:28.640 do something click a link, open a file, install an app, 393 00:20:28.839 --> 00:20:31.920 and because of that, they rely heavily on social engineering 394 00:20:32.279 --> 00:20:35.599 tricking the user. Honestly, it's often much much easier to 395 00:20:35.640 --> 00:20:38.559 exploit human trust or curiosity than it is to find 396 00:20:38.599 --> 00:20:41.799 a purely technical flaw. In well maintained software, you can 397 00:20:41.839 --> 00:20:44.559 have the best firewall, the best anti virus, that if 398 00:20:44.599 --> 00:20:47.200 you trick someone into letting you in the door, none 399 00:20:47.200 --> 00:20:49.680 of that matters. The human is often the weakest link. 400 00:20:49.839 --> 00:20:52.079 It really is amazing how effective that can be. I 401 00:20:52.079 --> 00:20:56.000