WEBVTT

1
00:00:00.120 --> 00:00:02.480
<v Speaker 1>So welcome to today's deep dive. I'm really glad you're

2
00:00:02.520 --> 00:00:04.480
<v Speaker 1>joining us for this one because we are getting into

3
00:00:04.480 --> 00:00:06.320
<v Speaker 1>something incredibly cool today.

4
00:00:06.400 --> 00:00:08.839
<v Speaker 2>Yeah, we're basically looking at how to safely play with

5
00:00:08.919 --> 00:00:09.919
<v Speaker 2>fire exactly.

6
00:00:10.359 --> 00:00:11.759
<v Speaker 1>I mean, if you want to learn how to fuse

7
00:00:11.759 --> 00:00:14.560
<v Speaker 1>a bomb, you practice on a dummy, right, Yeah, you

8
00:00:14.560 --> 00:00:17.239
<v Speaker 1>build this controlled environment where you know, clipping the wrong

9
00:00:17.280 --> 00:00:20.839
<v Speaker 1>wire just triggers a loud buzzer instead of leveling a city.

10
00:00:20.559 --> 00:00:24.160
<v Speaker 2>block, right, which makes sense. But in the realm of

11
00:00:24.239 --> 00:00:28.000
<v Speaker 2>professional cybersecurity and ethical hacking, people constantly try to learn

12
00:00:28.039 --> 00:00:31.879
<v Speaker 2>their trade by just poking around on live critical networks,

13
00:00:31.920 --> 00:00:35.759
<v Speaker 2>which is terrifying. It's completely terrifying. So today we're digging

14
00:00:35.840 --> 00:00:40.880
<v Speaker 2>into this customized, exclusive exploration of Kevin Cardwell's comprehensive guide.

15
00:00:41.240 --> 00:00:45.920
<v Speaker 2>It's called building Virtual pen Testing Labs for advanced penetration testing.

16
00:00:46.119 --> 00:00:48.159
<v Speaker 1>And the mission for this deep dive isn't just learning

17
00:00:48.200 --> 00:00:51.119
<v Speaker 1>how to hack. It's about how to actually think like

18
00:00:51.159 --> 00:00:56.280
<v Speaker 1>a professional security tester, understand their exact systematic methodology, and

19
00:00:56.320 --> 00:01:00.479
<v Speaker 1>discover how to build a safe virtual playground to practice

20
00:01:00.520 --> 00:01:01.320
<v Speaker 1>these dark arts.

21
00:01:01.719 --> 00:01:04.719
<v Speaker 2>Yeah, without going to jail or you know, accidentally taking

22
00:01:04.719 --> 00:01:05.920
<v Speaker 2>down a hospital's database.

23
00:01:06.000 --> 00:01:08.560
<v Speaker 1>Right, But before we can build that sandbox, we have

24
00:01:08.599 --> 00:01:11.959
<v Speaker 1>to fundamentally understand what a professional tester is actually trying

25
00:01:12.000 --> 00:01:13.480
<v Speaker 1>to achieve in the first place.

26
00:01:13.280 --> 00:01:18.439
<v Speaker 2>And more importantly, what they're trying to break. Because the

27
00:01:18.560 --> 00:01:22.000
<v Speaker 2>industry throws the term penetration testing around quite loosely.

28
00:01:21.760 --> 00:01:24.640
<v Speaker 1>Oh totally. They treat security like it's a product you

29
00:01:24.680 --> 00:01:26.359
<v Speaker 1>can just buy and install exactly.

30
00:01:26.920 --> 00:01:30.799
<v Speaker 2>But Cardwell's entire thesis rests on the fact that security

31
00:01:30.879 --> 00:01:33.519
<v Speaker 2>is a process. It's a methodology, not a product.

32
00:01:33.799 --> 00:01:41.920
<v Speaker 1>Okay, let's unpack this because we all know the standard basics, right, authentication, authorization, confidentiality, integrity, availability,

33
00:01:42.120 --> 00:01:43.879
<v Speaker 1>and non repudiation, right, the.

34
00:01:43.799 --> 00:01:45.640
<v Speaker 2>Core components of security testing.

35
00:01:45.680 --> 00:01:49.599
<v Speaker 1>But the source material makes this fascinating point about confidentiality.

36
00:01:49.640 --> 00:01:52.879
<v Speaker 1>It's incredibly hard to protect because of the Internet's Bedrock

37
00:01:52.959 --> 00:01:55.959
<v Speaker 1>protocol, TCP/IP.

38
00:01:55.519 --> 00:01:59.200
<v Speaker 2>Yeah, the Transmission Control Protocol and Internet Protocol Suite, which.

39
00:01:59.000 --> 00:02:01.400
<v Speaker 1>Was built back in the early nineteen seventies, right.

40
00:02:01.560 --> 00:02:05.719
<v Speaker 2>For ARPANET, which was essentially just this tiny network connecting

41
00:02:05.799 --> 00:02:09.319
<v Speaker 2>a few academic institutions and military researchers.

42
00:02:08.919 --> 00:02:11.360
<v Speaker 1>Where everyone inherently trusted each other exactly.

43
00:02:11.639 --> 00:02:15.800
<v Speaker 2>The foundational assumption baked into the actual mathematics of TCP/IP

44
00:02:16.479 --> 00:02:17.520
<v Speaker 2>was inherent trust.

45
00:02:17.719 --> 00:02:18.120
<v Speaker 1>Wow.

46
00:02:18.280 --> 00:02:21.199
<v Speaker 2>It was assumed that if you received a packet of data,

47
00:02:21.520 --> 00:02:25.159
<v Speaker 2>it came from a reliable, friendly source. It wasn't designed

48
00:02:25.159 --> 00:02:25.879
<v Speaker 2>for secrecy.

49
00:02:26.159 --> 00:02:30.039
<v Speaker 1>So we basically took a protocol designed for a friendly

50
00:02:30.240 --> 00:02:34.479
<v Speaker 1>neighborhood block party and used it to build a highly

51
00:02:34.560 --> 00:02:36.599
<v Speaker 1>hostile global metropolis.

52
00:02:36.800 --> 00:02:39.080
<v Speaker 2>That's a great way to put it. What's fascinating here

53
00:02:39.159 --> 00:02:43.400
<v Speaker 2>is how that inherent trust issue completely undermines non repudiation, right.

54
00:02:43.319 --> 00:02:46.319
<v Speaker 1>The idea that you can mathematically prove a specific person

55
00:02:46.439 --> 00:02:47.800
<v Speaker 1>sent a specific.

56
00:02:47.319 --> 00:02:50.759
<v Speaker 2>Message exactly, because all it takes is one compromised machine

57
00:02:50.840 --> 00:02:53.080
<v Speaker 2>to throw that whole concept out the window. If a

58
00:02:53.120 --> 00:02:55.639
<v Speaker 2>machine has a remote access trojan on it, you can't

59
00:02:55.680 --> 00:02:57.319
<v Speaker 2>guarantee its state because.

60
00:02:57.080 --> 00:02:59.919
<v Speaker 1>You can't prove the human sitting at the keyboard actually

61
00:03:00.159 --> 00:03:03.520
<v Speaker 1>hit send rather than, like, a malicious script running in

62
00:03:03.520 --> 00:03:04.120
<v Speaker 1>the background.

63
00:03:04.360 --> 00:03:08.960
<v Speaker 2>Precisely, and that shaky foundation brings up this massive corporate

64
00:03:09.159 --> 00:03:11.159
<v Speaker 2>myth that Cardwell talks about.

65
00:03:11.240 --> 00:03:14.240
<v Speaker 1>Oh, the vulnerability assessment versus pen testing thing.

66
00:03:14.400 --> 00:03:17.479
<v Speaker 2>Yeah, most clients do not know what a penetration test

67
00:03:17.560 --> 00:03:20.319
<v Speaker 2>actually is. They sign a contract for one, but they

68
00:03:20.360 --> 00:03:22.680
<v Speaker 2>really just want a vulnerability assessment.

69
00:03:22.919 --> 00:03:25.639
<v Speaker 1>I mean, a vulnerability assessment is basically like walking around

70
00:03:25.680 --> 00:03:27.639
<v Speaker 1>a house checking if the windows are unlocked.

71
00:03:27.759 --> 00:03:29.400
<v Speaker 2>Right, it's just a mapping exercise.

72
00:03:29.520 --> 00:03:32.599
<v Speaker 1>But a true penetration test is actually climbing through the window,

73
00:03:33.000 --> 00:03:34.800
<v Speaker 1>walking into the living room and seeing if you can

74
00:03:34.840 --> 00:03:35.599
<v Speaker 1>carry out the TV.

75
00:03:35.879 --> 00:03:41.639
<v Speaker 2>Yes. True penetration testing involves actual exploitation to validate the vulnerability,

76
00:03:42.000 --> 00:03:44.560
<v Speaker 2>and clients usually panic when they realize you intend to

77
00:03:44.599 --> 00:03:45.479
<v Speaker 2>climb through the window.

78
00:03:45.639 --> 00:03:47.879
<v Speaker 1>Wait, there was that amazing anecdote in the book.

79
00:03:47.639 --> 00:03:51.080
<v Speaker 2>About this, right, Oh, the foreign stock market IT director. Yeah,

80
00:03:51.120 --> 00:03:55.560
<v Speaker 2>so Cardwell recalls meeting with this director outlining the methodology.

81
00:03:54.960 --> 00:03:56.719
<v Speaker 1>And he gets to the validation phase.

82
00:03:56.560 --> 00:03:59.360
<v Speaker 2>Right, he explains they'll run real exploit code, and the

83
00:03:59.360 --> 00:04:02.599
<v Speaker 2>director just balks and says, that is my stockbroker records,

84
00:04:02.759 --> 00:04:05.120
<v Speaker 2>and if we lose them, we lose a lot of money.

85
00:04:05.439 --> 00:04:08.639
<v Speaker 1>Oh, man, I bet they skipped the validation step.

86
00:04:08.680 --> 00:04:11.199
<v Speaker 2>They absolutely skipped the validation.

87
00:04:10.800 --> 00:04:13.560
<v Speaker 1>Because proving the windows unlocked isn't worth the risk of

88
00:04:13.599 --> 00:04:17.439
<v Speaker 1>accidentally burning the house down exactly. But okay, armed with

89
00:04:17.480 --> 00:04:21.959
<v Speaker 1>this knowledge that true pen testing requires exploitation, how does

90
00:04:21.959 --> 00:04:24.680
<v Speaker 1>a professional systematically get to that point?

91
00:04:24.879 --> 00:04:27.439
<v Speaker 2>Well, we have to look at the hackers blueprint, and

92
00:04:27.560 --> 00:04:30.720
<v Speaker 2>Cardwell notes the crucial difference in the planning phase

93
00:04:30.759 --> 00:04:33.319
<v Speaker 2>between a pro and a malicious hacker.

94
00:04:33.199 --> 00:04:36.959
<v Speaker 1>Right time and legality. A malicious hacker has what six

95
00:04:37.040 --> 00:04:38.800
<v Speaker 1>to nine months to plan, yeah.

96
00:04:38.639 --> 00:04:41.639
<v Speaker 2>Six to nine months to passively stalk a target, and

97
00:04:41.680 --> 00:04:44.279
<v Speaker 2>they can break the law. A professional tester bound by

98
00:04:44.319 --> 00:04:47.439
<v Speaker 2>ethics has a two week contract and strict legal lines.

99
00:04:47.439 --> 00:04:50.399
<v Speaker 1>Which means the pro has to rely heavily on OSINT,

100
00:04:50.639 --> 00:04:53.879
<v Speaker 1>right open source intelligence that non intrusive target.

101
00:04:53.560 --> 00:04:57.600
<v Speaker 2>Search exactly, gathering public info without sending a single packet

102
00:04:57.639 --> 00:05:01.279
<v Speaker 2>directly to the target's internal network, using tools like

103
00:05:01.279 --> 00:05:03.439
<v Speaker 2>nslookup or Serversniff.

104
00:05:03.600 --> 00:05:07.120
<v Speaker 1>Oh. Serversniff is so clever because Microsoft servers often

105
00:05:07.160 --> 00:05:10.319
<v Speaker 1>block standard ICMP ping requests by default.

106
00:05:10.120 --> 00:05:12.759
<v Speaker 2>Right, so a normal traceroute just dies at the firewall.

107
00:05:13.000 --> 00:05:16.360
<v Speaker 1>But Serversniff gets around that by doing a TCP traceroute.

108
00:05:16.439 --> 00:05:19.959
<v Speaker 2>Yes, it sends a TCP SYN packet, usually to port

109
00:05:20.040 --> 00:05:22.680
<v Speaker 2>80 or 443, and if they're hosting

110
00:05:22.720 --> 00:05:25.680
<v Speaker 2>a public web server, the firewall has to let.

111
00:05:25.480 --> 00:05:27.839
<v Speaker 1>That packet through or their website wouldn't work.

112
00:05:27.720 --> 00:05:31.120
<v Speaker 2>Exactly, so you bypass the block by exploiting the ports

113
00:05:31.120 --> 00:05:32.720
<v Speaker 2>that the business requires to be open.

114
00:05:32.959 --> 00:05:36.360
<v Speaker 1>That's brilliant. And then there's the whole Wayback Machine strategy.

115
00:05:36.399 --> 00:05:38.120
<v Speaker 2>Oh yeah, finding deleted tools.

116
00:05:38.319 --> 00:05:41.240
<v Speaker 1>The specific example he gave was wild. He was looking

117
00:05:41.240 --> 00:05:44.920
<v Speaker 1>for this steganography tool called Info Stego, right.

118
00:05:44.839 --> 00:05:49.040
<v Speaker 2>From Antiy Labs. They had pivoted to antivirus software and

119
00:05:49.160 --> 00:05:51.759
<v Speaker 2>completely scrubbed Info Stego from their site.

120
00:05:51.800 --> 00:05:54.199
<v Speaker 1>But Cardwell just used the two thousand and eight archives

121
00:05:54.240 --> 00:05:56.120
<v Speaker 1>on the Wayback Machine to find the old site

122
00:05:56.160 --> 00:05:58.040
<v Speaker 1>and download the executable.

123
00:05:57.439 --> 00:05:59.959
<v Speaker 2>Anyway, because the Internet never really forgets see.

124
00:06:00.120 --> 00:06:02.519
<v Speaker 1>That is amazing. But then we get to Shodan and

125
00:06:02.560 --> 00:06:03.920
<v Speaker 1>this is where I have to push back a little bit.

126
00:06:03.920 --> 00:06:04.600
<v Speaker 2>Okay, lay it on me.

127
00:06:04.759 --> 00:06:09.240
<v Speaker 1>Shodan is basically this massive cloud scanner. Right, Cardwell searches

128
00:06:09.279 --> 00:06:12.759
<v Speaker 1>for like iPhone RU and instantly gets a list of

129
00:06:12.839 --> 00:06:14.800
<v Speaker 1>specific vulnerable servers in Russia.

130
00:06:14.920 --> 00:06:17.160
<v Speaker 2>Yeah, with IP addresses and open ports.

131
00:06:17.439 --> 00:06:22.279
<v Speaker 1>Right. So, if tools like Shodan are publicly indexing vulnerable

132
00:06:22.360 --> 00:06:27.560
<v Speaker 1>servers globally, isn't that blurring the line between passive research

133
00:06:27.920 --> 00:06:29.920
<v Speaker 1>and handing a loaded gun to the bad guys.

134
00:06:30.000 --> 00:06:32.879
<v Speaker 2>Well, that's exactly why the methodology is so rigid. Shodan

135
00:06:33.000 --> 00:06:36.199
<v Speaker 2>is doing the active scanning. As a user, you're just reading

136
00:06:36.240 --> 00:06:41.279
<v Speaker 2>a public database. The progression from passive observation to active probing.

137
00:06:41.639 --> 00:06:43.680
<v Speaker 2>That's where the legal and ethical lines are drawn.

138
00:06:43.920 --> 00:06:46.399
<v Speaker 1>Ah okay, so looking at Shodan is just reading the

139
00:06:46.399 --> 00:06:47.399
<v Speaker 1>phone book exactly.

140
00:06:47.720 --> 00:06:50.279
<v Speaker 2>But the moment you direct your own machine to interact

141
00:06:50.279 --> 00:06:53.199
<v Speaker 2>with those IPs, you enter the intrusive target search phase.

142
00:06:53.279 --> 00:06:54.639
<v Speaker 2>You're dialing the numbers.

143
00:06:54.319 --> 00:06:56.240
<v Speaker 1>And that requires authorization.

144
00:06:55.879 --> 00:06:59.639
<v Speaker 2>Explicit written authorization. Once you have that, you start finding

145
00:06:59.680 --> 00:07:03.199
<v Speaker 2>live systems with Nmap ping sweeps, checking open ports, and.

146
00:07:03.160 --> 00:07:05.920
<v Speaker 1>The OS enumeration is wild. Using the Nmap

147
00:07:05.920 --> 00:07:09.439
<v Speaker 2>-A command, yeah, it analyzes the microscopic quirks in

148
00:07:09.519 --> 00:07:13.040
<v Speaker 2>how the server's TCP/IP stack responds to guess the OS version.

149
00:07:13.480 --> 00:07:16.439
<v Speaker 2>Then you bring in a vulnerability scanner like Nexpose.

150
00:07:15.959 --> 00:07:17.120
<v Speaker 1>And finally exploitation.

151
00:07:17.639 --> 00:07:21.480
<v Speaker 2>Right, Cardwell uses Metasploit, exploiting the MS08-067

152
00:07:21.519 --> 00:07:24.519
<v Speaker 2>vulnerability as his example to get a command shell.

153
00:07:24.720 --> 00:07:28.439
<v Speaker 1>But getting there means analyzing the data correctly, like reading

154
00:07:28.480 --> 00:07:29.720
<v Speaker 1>a Wireshark packet capture.

155
00:07:29.879 --> 00:07:35.240
<v Speaker 2>Oh, the ICMP type three code thirteen example, that's a classic, Yeah.

156
00:07:34.759 --> 00:07:36.879
<v Speaker 1>Walk us through that because to an untrained eye it

157
00:07:37.040 --> 00:07:38.439
<v Speaker 1>just looks like a connection error.

158
00:07:38.600 --> 00:07:43.519
<v Speaker 2>Right, So type three means destination unreachable, but the specific

159
00:07:43.560 --> 00:07:47.879
<v Speaker 2>code thirteen means the communication is administratively.

160
00:07:46.959 --> 00:07:49.720
<v Speaker 1>Filtered, meaning it's not a broken network exactly.

161
00:07:49.959 --> 00:07:53.360
<v Speaker 2>It alerts the tester that a router explicitly blocked it

162
00:07:53.399 --> 00:07:56.680
<v Speaker 2>because there is an access control list, an ACL, in place.

163
00:07:56.800 --> 00:07:59.519
<v Speaker 1>It's like navigating a maze by tapping a cane against

164
00:07:59.560 --> 00:08:01.040
<v Speaker 1>the wall and listening to the echo.

165
00:08:01.160 --> 00:08:02.279
<v Speaker 2>That's a perfect analogy.

166
00:08:02.360 --> 00:08:05.720
<v Speaker 1>But executing a buffer overflow or probing an ACL on

167
00:08:05.759 --> 00:08:09.680
<v Speaker 1>a live corporate network is exactly what caused that stock

168
00:08:09.720 --> 00:08:10.800
<v Speaker 1>market director.

169
00:08:10.439 --> 00:08:13.040
<v Speaker 2>To panic, which is why you have to build the matrix.

170
00:08:12.800 --> 00:08:13.839
<v Speaker 1>The virtual sandbox.

171
00:08:14.000 --> 00:08:17.560
<v Speaker 2>Yes, choosing your virtual environment is critical, and Cardwell breaks

172
00:08:17.560 --> 00:08:20.399
<v Speaker 2>it down into type one versus type two virtualization.

173
00:08:20.519 --> 00:08:23.319
<v Speaker 1>Okay, here's where it gets really interesting because using a

174
00:08:23.399 --> 00:08:28.680
<v Speaker 1>type one hypervisor like vSphere Hypervisor or ESXi, it rides

175
00:08:28.879 --> 00:08:32.639
<v Speaker 1>directly on the hardware. Right, it's incredibly powerful, but it's

176
00:08:32.720 --> 00:08:36.159
<v Speaker 1>basically like demolishing a house to the foundation just to

177
00:08:36.200 --> 00:08:39.440
<v Speaker 1>build a custom recording studio. It dictates the OS directly,

178
00:08:39.600 --> 00:08:40.600
<v Speaker 1>which is terrible for a.

179
00:08:40.639 --> 00:08:44.639
<v Speaker 2>Laptop because you still need to write reports and check emails.

180
00:08:44.399 --> 00:08:47.960
<v Speaker 1>Exactly, So use a type two hypervisor like VirtualBox,

181
00:08:48.200 --> 00:08:51.000
<v Speaker 1>Hyper-V or VMware Workstation, which.

182
00:08:50.840 --> 00:08:53.159
<v Speaker 2>Rides on top of your existing operating system.

183
00:08:53.240 --> 00:08:55.919
<v Speaker 1>It's like putting up soundproof partition walls in your existing

184
00:08:55.960 --> 00:08:58.440
<v Speaker 1>spare bedroom. You still get the studio, but you don't

185
00:08:58.440 --> 00:08:59.399
<v Speaker 1>have to wreck the house.

186
00:08:59.600 --> 00:09:02.840
<v Speaker 2>I love that, but the tool nuances matter here.

187
00:09:02.879 --> 00:09:05.639
<v Speaker 2>VirtualBox is great and it's free, but Cardwell notes it

188
00:09:05.639 --> 00:09:07.600
<v Speaker 2>suffers from keyboard input.

189
00:09:07.279 --> 00:09:11.159
<v Speaker 1>Glitches, yeah, requiring special extensions to fix. And then Microsoft's

190
00:09:11.279 --> 00:09:11.759
<v Speaker 1>Hyper-V.

191
00:09:11.960 --> 00:09:15.000
<v Speaker 2>Hyper-V is tricky. It requires a sixty four bit

192
00:09:15.080 --> 00:09:17.559
<v Speaker 2>OS and a CPU that supports.

193
00:09:17.360 --> 00:09:19.399
<v Speaker 1>SLAT, second level address translation.

194
00:09:19.600 --> 00:09:22.480
<v Speaker 2>Right, And even if you have that, it historically struggles

195
00:09:22.480 --> 00:09:25.320
<v Speaker 2>with Linux networking, which is a huge problem since so

196
00:09:25.320 --> 00:09:27.240
<v Speaker 2>many pen testing tools are Linux based.

197
00:09:27.399 --> 00:09:29.480
<v Speaker 1>So the winner is VMware Workstation.

198
00:09:29.679 --> 00:09:32.519
<v Speaker 2>Yes, it costs money, but it is the winner, and.

199
00:09:32.480 --> 00:09:34.799
<v Speaker 1>It's the winner because of the virtual switches. Right. It

200
00:09:34.840 --> 00:09:38.679
<v Speaker 1>allows for up to ten virtual switches on Windows.

201
00:09:38.200 --> 00:09:41.360
<v Speaker 2>And up to two hundred and fifty five on Linux hosts.

202
00:09:42.360 --> 00:09:45.120
<v Speaker 2>If we connect this to the bigger picture, the reason

203
00:09:45.159 --> 00:09:48.799
<v Speaker 2>those ten virtual switches matter so much is because real

204
00:09:48.840 --> 00:09:51.159
<v Speaker 2>world corporate networks are never flat.

205
00:09:51.320 --> 00:09:54.080
<v Speaker 1>They aren't just one router with everything plugged in exactly.

206
00:09:54.279 --> 00:09:59.600
<v Speaker 2>They are segmented. You have firewalls, DMZs, internal routing rules.

207
00:10:00.120 --> 00:10:04.720
<v Speaker 2>If you can't simulate those complex, multi layered architectures, your

208
00:10:04.799 --> 00:10:07.360
<v Speaker 2>practice lab is useless. For advanced testing.

209
00:10:07.679 --> 00:10:09.879
<v Speaker 1>You can't practice pivoting from a web server to an

210
00:10:09.879 --> 00:10:12.639
<v Speaker 1>internal database if everything's on a single flat network.

211
00:10:12.679 --> 00:10:16.000
<v Speaker 2>Precisely, VMware Workstation gives you the infrastructure to build the

212
00:10:16.039 --> 00:10:16.919
<v Speaker 2>actual maze.

213
00:10:17.000 --> 00:10:19.720
<v Speaker 1>The room is useless if it's empty, right, how do

214
00:10:19.759 --> 00:10:21.519
<v Speaker 1>we put realistic targets inside it?

215
00:10:21.600 --> 00:10:24.480
<v Speaker 2>Well, you can populate it using pre built vulnerable ISOs.

216
00:10:24.720 --> 00:10:27.440
<v Speaker 2>The security community has great options.

217
00:10:26.919 --> 00:10:30.480
<v Speaker 1>Like the Samurai Web Testing Framework Samurai WTF.

218
00:10:29.960 --> 00:10:32.919
<v Speaker 2>Yeah, or the OWASP Broken Web Applications Project, which is

219
00:10:32.960 --> 00:10:34.480
<v Speaker 2>actually sponsored by Mandiant and.

220
00:10:34.440 --> 00:10:36.600
<v Speaker 1>That includes tools like WebGoat and Mutillidae.

221
00:10:36.759 --> 00:10:39.200
<v Speaker 2>Exactly, you just mount the ISO, boot it up, and

222
00:10:39.240 --> 00:10:40.639
<v Speaker 2>you have a target rich environment.

223
00:10:40.960 --> 00:10:43.480
<v Speaker 1>But what about the format problem? Like what if a

224
00:10:43.480 --> 00:10:47.559
<v Speaker 1>client gives you a VMware image, a VMDK format, but

225
00:10:47.639 --> 00:10:50.759
<v Speaker 1>you only have Microsoft Hyper-V, which uses VHD.

226
00:10:51.120 --> 00:10:53.360
<v Speaker 2>That happens a lot. You can use conversion tools like

227
00:10:53.360 --> 00:10:55.120
<v Speaker 2>the StarWind V2V Converter.

228
00:10:55.279 --> 00:10:57.360
<v Speaker 1>Although the author notes a funny quirk about that.

229
00:10:57.480 --> 00:11:00.840
<v Speaker 2>Oh yeah, he mentions that FreeBSD systems, old version nine

230
00:11:00.840 --> 00:11:03.080
<v Speaker 2>point x usually just break during the.

231
00:11:03.039 --> 00:11:04.600
<v Speaker 1>Conversion, just completely bricked.

232
00:11:04.679 --> 00:11:07.799
<v Speaker 2>Yeah, totally unusable. But for modern Windows and Linux it

233
00:11:07.879 --> 00:11:08.519
<v Speaker 2>works great.

234
00:11:08.679 --> 00:11:10.720
<v Speaker 1>But the coolest thing in this whole section has to

235
00:11:10.720 --> 00:11:13.279
<v Speaker 1>be P two V Physical to virtual.

236
00:11:13.399 --> 00:11:16.679
<v Speaker 2>Oh absolutely, using tools like vCenter Converter or even

237
00:11:16.720 --> 00:11:19.120
<v Speaker 2>a feature built right into VMware Workstation.

238
00:11:19.799 --> 00:11:21.840
<v Speaker 1>So what does this all mean for the listener? I mean,

239
00:11:21.879 --> 00:11:25.559
<v Speaker 1>imagine the power of this. You can literally take a chaotic,

240
00:11:26.080 --> 00:11:29.879
<v Speaker 1>terrifyingly fragile server from a client's physical.

241
00:11:29.399 --> 00:11:31.080
<v Speaker 2>Office like that stock market server.

242
00:11:31.279 --> 00:11:34.679
<v Speaker 1>Yes, you digitally clone it, trap it in your VMware matrix,

243
00:11:34.720 --> 00:11:37.480
<v Speaker 1>and hit it with exploits all day long without ever

244
00:11:37.600 --> 00:11:39.120
<v Speaker 1>risking their actual business.

245
00:11:39.399 --> 00:11:43.039
<v Speaker 2>It is incredible. P2V is basically the ultimate bridge

246
00:11:43.080 --> 00:11:48.159
<v Speaker 2>between theoretical lab practice and high stakes real world consulting.

247
00:11:49.039 --> 00:11:51.639
<v Speaker 2>You are hacking an exact digital replica.

248
00:11:52.159 --> 00:11:55.279
<v Speaker 1>It's just brilliant. So to recap our journey today, we

249
00:11:55.320 --> 00:11:57.919
<v Speaker 1>went from understanding the true nature of the CIA triad

250
00:11:58.159 --> 00:12:01.080
<v Speaker 1>and why confidentiality is so hard on the Internet, to

251
00:12:01.200 --> 00:12:04.440
<v Speaker 1>breaking down the hacker's OSINT methodology.

252
00:12:03.799 --> 00:12:07.000
<v Speaker 2>From passive reconnaissance to active exploitation.

253
00:12:07.240 --> 00:12:09.279
<v Speaker 1>Right, and then we learned how to construct a multi

254
00:12:09.279 --> 00:12:13.399
<v Speaker 1>switched virtual battleground and populate it with cloned physical servers.

255
00:12:13.399 --> 00:12:15.879
<v Speaker 2>It's an entire ecosystem for ethical hacking.

256
00:12:16.039 --> 00:12:18.320
<v Speaker 1>It really is. But before we sign off, I want

257
00:12:18.320 --> 00:12:20.240
<v Speaker 1>to leave you with a final thought. We talked early

258
00:12:20.279 --> 00:12:23.440
<v Speaker 1>on about how Cardwell mentioned TCP/IP being incredibly hard to

259
00:12:23.480 --> 00:12:26.000
<v Speaker 1>secure because it was built in the nineteen seventies on

260
00:12:26.120 --> 00:12:29.600
<v Speaker 1>inherent trust, right, ARPANET. Think about this. Yeah, all

261
00:12:29.639 --> 00:12:32.720
<v Speaker 1>of this pen testing, all these complex virtual labs, this

262
00:12:33.000 --> 00:12:36.919
<v Speaker 1>entire multi billion dollar cybersecurity industry, it all exists simply

263
00:12:36.960 --> 00:12:39.679
<v Speaker 1>because we are trying to bolt security onto a foundation

264
00:12:39.879 --> 00:12:41.120
<v Speaker 1>that was never meant to be secure.

265
00:12:41.240 --> 00:12:43.799
<v Speaker 2>We're constantly patching a leaky ship exactly.

266
00:12:44.080 --> 00:12:48.159
<v Speaker 1>So if the Internet eventually undergoes a foundational rewrite to

267
00:12:48.279 --> 00:12:52.639
<v Speaker 1>replace TCP/IP with a protocol built on zero trust by default,

268
00:12:52.759 --> 00:12:55.519
<v Speaker 1>oh wow. Well, would penetration testing as we know it simply

269
00:12:55.519 --> 00:12:59.240
<v Speaker 1>cease to exist. Or will human error just find a

270
00:12:59.279 --> 00:13:01.679
<v Speaker 1>brand new way to leave the virtual window open?

271
00:13:01.879 --> 00:13:04.039
<v Speaker 2>That is a fascinating question, Tom.

272
00:13:03.799 --> 00:13:05.600
<v Speaker 1>All Over, I think we all know the answer is

273
00:13:05.679 --> 00:13:08.039
<v Speaker 1>usually human error. But anyway, thank you so much for

274
00:13:08.080 --> 00:13:09.519
<v Speaker 1>taking this deep dive with us. We'll catch you on

275
00:13:09.519 --> 00:13:09.960
<v Speaker 1>the next one.
