WEBVTT 1 00:00:00.040 --> 00:00:03.120 Welcome back everyone to the deep dive. This time we're 2 00:00:03.160 --> 00:00:05.919 going deep into the world of penetration testing. 3 00:00:06.280 --> 00:00:08.320 Sounds intense, it is. 4 00:00:08.640 --> 00:00:13.480 But fascinating too. Our guide is the Hacker Playbook. This 5 00:00:13.519 --> 00:00:16.760 book is a gold mine of practical techniques, almost like 6 00:00:16.800 --> 00:00:18.359 a blueprint for ethical. 7 00:00:18.000 --> 00:00:20.480 Hacking, like a hacker's manual exactly. 8 00:00:21.160 --> 00:00:24.399 Imagine being hired to test the security of say a 9 00:00:24.440 --> 00:00:25.879 Fortune five hundred company. 10 00:00:25.960 --> 00:00:28.640 WHOA where do you even start with something like that? 11 00:00:28.640 --> 00:00:29.640 That's what we're going to uncover. 12 00:00:29.760 --> 00:00:30.600 Okay, I'm all ears. 13 00:00:30.879 --> 00:00:33.759 So the book uses this really interesting analogy of a 14 00:00:33.759 --> 00:00:36.640 football game to break down a penetration test. 15 00:00:36.840 --> 00:00:38.320 Okay, I like where this is gone. 16 00:00:38.359 --> 00:00:43.640 It has phases like the pregame, scanning the network, exploiting vulnerabilities, 17 00:00:44.000 --> 00:00:45.920 almost like planning a series of plays. 18 00:00:46.039 --> 00:00:48.079 So it's strategic very much. 19 00:00:47.920 --> 00:00:50.520 So it helps you see the big picture. Let's start 20 00:00:50.520 --> 00:00:52.560 with the pregame, which is all about setting up your 21 00:00:52.600 --> 00:00:53.479 tools and environment. 22 00:00:53.600 --> 00:00:55.159 Gotcha, getting your gear ready. 23 00:00:55.200 --> 00:00:57.520 And the book busted a myth for me. You don't 24 00:00:57.560 --> 00:01:01.479 need some crazy supercomputer to run these penetration testing tools. 25 00:01:01.560 --> 00:01:04.560 Really, that's good news for aspiring hackers, right. 26 00:01:05.319 --> 00:01:08.040 A decent computer that can handle a few virtual machines 27 00:01:08.359 --> 00:01:12.079 will do the trick. The book recommends Cali Linux. 28 00:01:12.040 --> 00:01:15.120 Ah Kali Linux the go to for pen testing. 29 00:01:15.359 --> 00:01:18.359 It's like your specialized toolbox for probing and testing. 30 00:01:18.040 --> 00:01:20.280 Systems, and it comes with a ton of pre installed 31 00:01:20.280 --> 00:01:20.959 tools right. 32 00:01:21.079 --> 00:01:23.879 Absolutely, And the best part is the book actually walks 33 00:01:23.920 --> 00:01:24.959 you through setting it up. 34 00:01:25.079 --> 00:01:28.400 That's helpful, especially for beginners. It's like having a coach guide. 35 00:01:28.159 --> 00:01:32.120 You precisely now. In this toolbox you'll find both open 36 00:01:32.200 --> 00:01:37.000 source and commercial tools. Industry standards like nessis, which is 37 00:01:37.079 --> 00:01:41.239 amazing for vulnerability scanning, and burp suite, which is super 38 00:01:41.280 --> 00:01:43.519 powerful for web application security testing. 39 00:01:43.599 --> 00:01:46.079 Those are big names. Yeah, but what if you're on 40 00:01:46.120 --> 00:01:47.799 a budget or just starting out. 41 00:01:47.920 --> 00:01:51.719 The book mentions OSPAP two it's a free alternative to 42 00:01:51.719 --> 00:01:53.719 burp Suite, great for getting your feet wet. 43 00:01:53.799 --> 00:01:55.760 That's good to know. Options are always good. 44 00:01:55.959 --> 00:01:59.000 Okay, So let's say we've got our toolbox ready, how 45 00:01:59.000 --> 00:02:03.439 do we even approach this massive fortune five hundred company network. 46 00:02:03.439 --> 00:02:05.359 It's got to be like a digital fortress, right, It's 47 00:02:05.400 --> 00:02:07.519 definitely a challenge. So where do we even begin? 48 00:02:07.920 --> 00:02:10.719 Well, you wouldn't storm a fortress without knowing the terrain, right, 49 00:02:11.280 --> 00:02:12.960 That's where scanning the network comes in. 50 00:02:13.039 --> 00:02:16.439 Okay, so we're scouting gathering intel exactly. 51 00:02:16.800 --> 00:02:20.199 The book breaks it down into two approaches, passive and 52 00:02:20.319 --> 00:02:21.360 active discovery. 53 00:02:21.639 --> 00:02:23.520 Passive inactive tell me more about those. 54 00:02:23.639 --> 00:02:28.000 Passive discovery is all about being stealthy. You're gathering information 55 00:02:28.199 --> 00:02:30.879 without directly interacting with the target network. 56 00:02:31.039 --> 00:02:34.280 So like observing from a distance looking for weak points. 57 00:02:34.400 --> 00:02:38.360 You got it. One technique they highlight is using discover scripts. 58 00:02:38.759 --> 00:02:39.319 What are those? 59 00:02:39.479 --> 00:02:43.080 They automate searches on sites like LinkedIn and use domain 60 00:02:43.159 --> 00:02:44.719 tools to uncover information. 61 00:02:45.199 --> 00:02:48.439 So you're like a digital detective piecing together clues precisely. 62 00:02:48.639 --> 00:02:51.960 Now, get this, Even old data breaches can be valuable. 63 00:02:52.319 --> 00:02:54.639 You can use those credential dumps to see if any 64 00:02:54.680 --> 00:02:57.400 employees might have reused their compromise passwords. 65 00:02:57.439 --> 00:03:00.240 Wow, that's clever using their own mistakes against them, right. 66 00:03:00.719 --> 00:03:03.439 It really shows how human behavior plays a big role 67 00:03:03.520 --> 00:03:04.560 in cybersecurity. 68 00:03:04.840 --> 00:03:08.080 People often reuse passwords for convenience, but it can have 69 00:03:08.240 --> 00:03:10.240 serious consequences. 70 00:03:09.800 --> 00:03:13.120 No doubt. And it's not just usernames and passwords. Think 71 00:03:13.159 --> 00:03:17.120 about all the other info companies might expose employee details, 72 00:03:17.479 --> 00:03:19.919 server names, software versions. 73 00:03:19.719 --> 00:03:22.520 All valuable intel for a penetration destric exactly. 74 00:03:22.960 --> 00:03:25.800 Every bit of information is a potential lead. 75 00:03:26.199 --> 00:03:30.840 Okay, So passive discovery is all about stealth and gathering 76 00:03:30.879 --> 00:03:34.919 intel without raising any alarms. What about active discovery? Is 77 00:03:34.919 --> 00:03:37.080 that when we start knocking on those digital doors. 78 00:03:37.360 --> 00:03:40.919 Yeah, you could say that active discovery involves probing the network, 79 00:03:41.280 --> 00:03:46.400 actively searching for live systems, open ports, running services, and vulnerabilities. 80 00:03:46.599 --> 00:03:49.560 So that's where those vulnerability scanners like NESSUS come in. 81 00:03:49.800 --> 00:03:52.000 Right, They automate a lot of that process. 82 00:03:52.080 --> 00:03:53.120 I'm pretty straightforward. 83 00:03:53.520 --> 00:03:56.360 It can be, but the book warns against relying solely 84 00:03:56.400 --> 00:03:58.680 on automated scans. They have their limitations. 85 00:03:59.000 --> 00:04:01.599 Why is that they were good at finding vulnerabilities? 86 00:04:01.639 --> 00:04:05.199 They are, but they might miss some. Oh some vulnerabilities 87 00:04:05.240 --> 00:04:09.560 need specific conditions to trigger. Others are hidden behind custom code. 88 00:04:10.039 --> 00:04:12.280 So manual probing is still important. 89 00:04:12.680 --> 00:04:16.319 It's crucial, especially when combined with a good understanding of 90 00:04:16.360 --> 00:04:17.839 networking and how things work. 91 00:04:18.160 --> 00:04:21.360 So it's about blending the power of those tools with 92 00:04:21.639 --> 00:04:23.079 human intuition and skill. 93 00:04:23.279 --> 00:04:27.079 That's the key. And understanding the tools themselves is important too. 94 00:04:27.199 --> 00:04:29.439 Like the book talks about customizing en map. 95 00:04:29.680 --> 00:04:31.360 Enmap that's a popular one. 96 00:04:31.279 --> 00:04:33.360 Right, Yeah, it's a network scanning tool. They show you 97 00:04:33.360 --> 00:04:35.240 how to tweak it for faster assessments. 98 00:04:35.399 --> 00:04:37.720 Cool any other interesting tools. 99 00:04:37.839 --> 00:04:41.040 There's peeping tom. This one's pretty cool. It takes screenshots 100 00:04:41.040 --> 00:04:42.879 of web services screen shots. 101 00:04:42.959 --> 00:04:44.240 Why is that helpful. 102 00:04:44.040 --> 00:04:46.319 When you're dealing with tons of websites. It gives you 103 00:04:46.319 --> 00:04:49.600 a quick visual overview. You can see what looks promising 104 00:04:49.639 --> 00:04:50.600 for further testing. 105 00:04:50.839 --> 00:04:55.360 Ah, I see Prioritizing targets exactly helps you focus your efforts. Now, 106 00:04:55.360 --> 00:04:58.680 speaking of websites, web app security is a huge part 107 00:04:58.720 --> 00:05:01.720 of penetration testing. What kind of tools and tactics are 108 00:05:01.720 --> 00:05:02.519 we talking about there? 109 00:05:02.560 --> 00:05:05.160 Web apps are often the most exposed part of a 110 00:05:05.199 --> 00:05:09.600 company's attack surface. It's where attackers love to strike. The 111 00:05:09.600 --> 00:05:12.000 book spends a lot of time on web app scanning, 112 00:05:12.399 --> 00:05:15.600 especially with burp suite pro so. 113 00:05:15.639 --> 00:05:17.759 Burpsuite is our go to for web apps. 114 00:05:18.240 --> 00:05:20.879 It's a Swiss army knife for web app testers. You 115 00:05:20.879 --> 00:05:26.160 can intercept traffic, modify requests, test for vulnerabilities like sequel injection, 116 00:05:26.879 --> 00:05:30.040 cross site scripting. It's incredibly powerful. 117 00:05:30.079 --> 00:05:31.240 It's like a hacker's playground. 118 00:05:31.319 --> 00:05:34.720 You could say that it allows for both automated and 119 00:05:34.920 --> 00:05:35.800 manual testing. 120 00:05:36.120 --> 00:05:38.920 So we've gathered our intel scanned the network and found 121 00:05:38.959 --> 00:05:43.560 some potential weaknesses. What's next in our penetration testing playbook, Well. 122 00:05:43.399 --> 00:05:46.720 Now comes the fun part, the drive. We try to 123 00:05:46.759 --> 00:05:50.399 turn those potential vulnerabilities into actual exploits. 124 00:05:50.439 --> 00:05:52.519 So we've reached the drive time to see if we 125 00:05:52.519 --> 00:05:54.600 can actually exploit the vulnerabilities we found. 126 00:05:54.639 --> 00:05:56.600 This is where things get real, right exactly. 127 00:05:56.959 --> 00:06:00.000 This is where all that intel and scanning pays off. Yeah, 128 00:06:00.000 --> 00:06:03.240 and when it comes to exploiting vulnerabilities, metasploit is the 129 00:06:03.240 --> 00:06:04.040 star of the show. 130 00:06:04.199 --> 00:06:05.519 Metasploy. Yeah, I've heard of that. 131 00:06:05.600 --> 00:06:08.480 It's incredibly powerful, almost like a library of pre built 132 00:06:08.519 --> 00:06:11.040 exploits for all sorts of vulnerabilities. 133 00:06:11.079 --> 00:06:13.959 Looks like having a cheat sheet for breaking into systems. 134 00:06:14.279 --> 00:06:18.079 Well not quite. The book stresses that it's not about 135 00:06:18.120 --> 00:06:19.439 blindly using the tool. 136 00:06:19.560 --> 00:06:21.199 Okay, so you need to know what you're doing. You 137 00:06:21.319 --> 00:06:25.680 really have to understand why exploits work, how those vulnerabilities 138 00:06:25.720 --> 00:06:29.079 can be manipulated. The book uses a classic example to 139 00:06:29.120 --> 00:06:33.319 illustrate this, the MS zero eight zero six seven vulnerability 140 00:06:33.360 --> 00:06:33.879 in Windows. 141 00:06:34.000 --> 00:06:35.560 Oh yeah, I remember hearing about that one. It was 142 00:06:35.560 --> 00:06:36.680 a big deal back in the day. 143 00:06:36.759 --> 00:06:39.639 It was. It shows how a tiny flow can have 144 00:06:39.839 --> 00:06:44.199 massive consequences. MSR eight zero six seven allowed attackers to 145 00:06:44.279 --> 00:06:48.240 run code on a vulnerable machine remotely, no authentication needed. 146 00:06:48.480 --> 00:06:51.240 Yikes. So you're saying someone could take control of a 147 00:06:51.279 --> 00:06:53.680 computer just by sending a network packet. 148 00:06:53.759 --> 00:06:57.639 That's the power of a remote code execution vulnerability. And 149 00:06:57.759 --> 00:07:01.240 metasploit has a module just for exploit msibeto zero six. 150 00:07:01.199 --> 00:07:03.439 Seven, So it takes care of all the technical bits. 151 00:07:03.560 --> 00:07:05.560 It helps craft the exploit, but you still need to 152 00:07:05.639 --> 00:07:07.199 understand what's happening under the hood. 153 00:07:07.279 --> 00:07:08.759 I see. So you need to know how to pick 154 00:07:08.759 --> 00:07:11.839 the right module, configure the settings, and choose. 155 00:07:11.560 --> 00:07:14.240 The payload exactly. The payload is the part that actually 156 00:07:14.240 --> 00:07:15.439 does the attacker's dirty work. 157 00:07:15.439 --> 00:07:16.639 What kind of dirty work It. 158 00:07:16.600 --> 00:07:19.279 Could be opening a command shell, giving full control of 159 00:07:19.279 --> 00:07:21.360 the system, or something more. 160 00:07:21.240 --> 00:07:25.240 Sneaky like installing a backdoor or stealing data exactly. 161 00:07:25.279 --> 00:07:26.839 It all depends on the attacker's goal. 162 00:07:27.199 --> 00:07:31.480 So metasploit helps exploit those vulnerabilities we found through scanning. 163 00:07:32.000 --> 00:07:34.279 What about those specific to web applications. 164 00:07:34.600 --> 00:07:37.680 That's where things get more hands on. The throw is 165 00:07:37.800 --> 00:07:40.079 all about manual web application testing. 166 00:07:40.279 --> 00:07:42.920 Ah, so we're getting into the art of penetration testing. 167 00:07:42.959 --> 00:07:45.759 Now you could say that it's about going beyond the 168 00:07:45.800 --> 00:07:49.480 automated tools and using your skills to find those hidden vulnerability. 169 00:07:49.600 --> 00:07:53.079 I like it. So we're talking SQL injection, cross site scripting, 170 00:07:53.160 --> 00:07:54.040 those kinds of things. 171 00:07:54.199 --> 00:07:56.560 You got it. Let's start with a SEQL injection or 172 00:07:56.600 --> 00:08:00.399 seql The book talks about tools like seql map and 173 00:08:00.560 --> 00:08:01.480 school Ninja. 174 00:08:01.519 --> 00:08:03.680 I've heard as a sql map, but what's school Inja. 175 00:08:03.759 --> 00:08:07.600 They both exploit SQL injection flaws, but they have different strengths. 176 00:08:08.000 --> 00:08:11.199 SQL injection is tricking an application into spelling secrets from 177 00:08:11.199 --> 00:08:11.959 its database. 178 00:08:12.160 --> 00:08:15.199 So like if I'm filling out a form online, someone 179 00:08:15.199 --> 00:08:18.120 could inject code to mess with the database. 180 00:08:18.319 --> 00:08:20.879 That's the idea. Sql map automates a lot of this. 181 00:08:21.000 --> 00:08:23.120 It tries different variations of SQL. 182 00:08:22.879 --> 00:08:24.720 Code, brute force approach. 183 00:08:24.720 --> 00:08:27.439 Kind of Now, school Ninja is more steallly. 184 00:08:27.279 --> 00:08:31.040 So it's designed to slip past security measures exactly. 185 00:08:31.279 --> 00:08:33.759 It's all about choosing the right tool for the job. 186 00:08:34.480 --> 00:08:37.000 The book gives some pretty cool examples of how to 187 00:08:37.120 --> 00:08:41.840 use these tools. Imagine retrieving user names and passwords from 188 00:08:41.840 --> 00:08:42.960 a database. 189 00:08:42.639 --> 00:08:45.399 Or even getting full control of the database server. That's 190 00:08:45.399 --> 00:08:46.600 a gold mine, right. 191 00:08:46.480 --> 00:08:48.440 It's like getting the keys to the kingdom. 192 00:08:48.600 --> 00:08:51.759 All right, so we've talked about SQL. What about cross 193 00:08:51.759 --> 00:08:53.919 site scripting. I know that's another big one, but how 194 00:08:53.919 --> 00:08:54.879 does it actually work. 195 00:08:55.000 --> 00:08:59.360 Cross site scripting or XSS, is injecting malicious code into 196 00:08:59.399 --> 00:09:02.440 a website, which then runs in the browser of other 197 00:09:02.639 --> 00:09:04.000 users who visit the site. 198 00:09:04.039 --> 00:09:06.519 So you're not attacking the server directly, not this. 199 00:09:06.519 --> 00:09:08.879 Time, you're targeting the people who use it. Think of 200 00:09:08.919 --> 00:09:10.720 it like planting a trap on the website. 201 00:09:10.759 --> 00:09:11.120 That's right. 202 00:09:11.440 --> 00:09:15.159 The book shows how to exploit EXSS vulnerabilities using a 203 00:09:15.200 --> 00:09:19.159 framework called BEEF, the Browser Exploitation Framework. 204 00:09:19.440 --> 00:09:20.639 BEEF sounds interesting. 205 00:09:20.679 --> 00:09:23.440 It basically gives you control over a victim's browser. 206 00:09:23.559 --> 00:09:26.200 Hold on, you're saying you can control someone else's browser. 207 00:09:26.399 --> 00:09:29.879 That's the power of XSS. Imagine you find a vulnerability. 208 00:09:29.960 --> 00:09:33.000 You could inject a link that, when clicked, loads this 209 00:09:33.159 --> 00:09:35.559 BEEF thing into their browser. Men, what then you can 210 00:09:35.559 --> 00:09:37.960 do all sorts of things like steal cookies, grab their 211 00:09:37.960 --> 00:09:40.360 logging credentials, even launch more attacks. 212 00:09:40.639 --> 00:09:43.879 WHOA, that's some serious stuff. Yeah, so you can basically 213 00:09:43.879 --> 00:09:46.759 do anything they can do on that website pretty much. 214 00:09:47.159 --> 00:09:49.200 The book even shows you how to use a BEEF 215 00:09:49.279 --> 00:09:53.440 module called petty Theft. It steals user credentials, proving just 216 00:09:53.559 --> 00:09:55.240 how dangerous EXSS can be. 217 00:09:55.720 --> 00:09:58.960 That's scary. So how do developers protect against this? 218 00:09:59.360 --> 00:10:03.320 Input valid is crucial Making sure any data submitted by 219 00:10:03.399 --> 00:10:06.320 users is carefully checked and cleaned. Think of it like 220 00:10:06.360 --> 00:10:08.399 having a security guard checking IDs at the. 221 00:10:08.320 --> 00:10:11.039 Door so no sneaky code gets through. 222 00:10:11.200 --> 00:10:14.720 Right now, we've talked about SQL injection and cross site scripting, 223 00:10:15.240 --> 00:10:19.759 let's move on to crosset request forgery or CSRF. AH. 224 00:10:19.879 --> 00:10:22.720 CSRF, that one always trips me up a little. It's 225 00:10:22.720 --> 00:10:24.679 a bit more subtle than the others, right it is. 226 00:10:25.000 --> 00:10:27.559 It exploits the trust a website has and a logged 227 00:10:27.559 --> 00:10:31.120 in user. Imagine you're logged into your bank's website. A 228 00:10:31.159 --> 00:10:33.960 CSRF attack could trick you into clicking a link, you 229 00:10:34.080 --> 00:10:36.120 kind of link, one that sends a hidden request to 230 00:10:36.159 --> 00:10:38.600 the bank doing something you didn't authorize. 231 00:10:38.120 --> 00:10:41.399 So like transferring money without me even knowing it exactly. 232 00:10:41.559 --> 00:10:43.600 And you don't even have to visit a shady website 233 00:10:43.600 --> 00:10:45.440 for this to happen. The link could be in an 234 00:10:45.480 --> 00:10:48.679 email or even on a legit website that's been compromised. 235 00:10:48.840 --> 00:10:52.120 That's unsettling. So how do you stop these CSRF attacks? 236 00:10:52.320 --> 00:10:57.559 CSRF tokens are a common defense, unique unpredictable tokens that 237 00:10:57.600 --> 00:11:00.600 the server generates and includes in every form you submit. 238 00:11:00.679 --> 00:11:02.759 It's like a secret handshake. 239 00:11:02.519 --> 00:11:04.759 So the server knows the request is legit. 240 00:11:04.919 --> 00:11:07.960 Exactly. It makes it much harder for attackers to forge 241 00:11:08.000 --> 00:11:08.799 those requests. 242 00:11:08.919 --> 00:11:12.200 Makes sense. Okay? What about session hijacking? I know that's 243 00:11:12.200 --> 00:11:14.919 another way attackers can impersonate users, right. 244 00:11:15.080 --> 00:11:18.440 Session hijacking is all about stealing those session tokens. They're 245 00:11:18.440 --> 00:11:21.240 like digital keys that websites use to keep you logged in. 246 00:11:21.519 --> 00:11:23.919 So if an attacker steals my second token they can 247 00:11:23.960 --> 00:11:24.600 log in is me. 248 00:11:25.039 --> 00:11:28.960 You got it. Tools like burpsuite can analyze how websites 249 00:11:29.039 --> 00:11:31.679 make these tokens looking for weaknesses. 250 00:11:31.919 --> 00:11:34.840 So what can developers do to make those tokens more secure? 251 00:11:35.039 --> 00:11:38.679 Make sure they're generated securely using random values and set 252 00:11:38.679 --> 00:11:41.559 them to expire after a short time. Also, storing them 253 00:11:41.600 --> 00:11:43.080 on the server side is much safer. 254 00:11:43.240 --> 00:11:45.919 Keep them out of reach of those attackers exactly. 255 00:11:46.679 --> 00:11:49.039 Okay, Now, how about something a bit more under the radar. 256 00:11:49.799 --> 00:11:50.799 Have you heard of fuzzing? 257 00:11:51.440 --> 00:11:52.720 Fuzzing rings a bell. 258 00:11:53.120 --> 00:11:55.799 It's a way of finding those hidden vulnerabilities by sending 259 00:11:55.879 --> 00:11:57.799 unexpected data to an application. 260 00:11:58.200 --> 00:12:01.200 So you're basically trying to break things by throwing random 261 00:12:01.279 --> 00:12:01.919 junk at them. 262 00:12:02.279 --> 00:12:05.840 There's a method to the madness. Fuzzing tools use lists 263 00:12:05.840 --> 00:12:08.960 of common inputs or generate them based on what they're testing. 264 00:12:09.679 --> 00:12:13.559 The book uses an example of fuzzing with burpsuite. Imagine 265 00:12:13.559 --> 00:12:15.000 testing an online store. 266 00:12:15.440 --> 00:12:16.600 Okay, I'm picturing it. 267 00:12:16.919 --> 00:12:19.919 You could fuzz the parameters that control things like product 268 00:12:19.960 --> 00:12:21.440 ideas or prices, and. 269 00:12:21.360 --> 00:12:24.320 By doing that you might find a way to, say, 270 00:12:24.720 --> 00:12:27.559 buy things for ridiculously cheap exactly. 271 00:12:27.879 --> 00:12:31.799 Fuzzing can uncover those weird vulnerabilities that other tests might miss. 272 00:12:32.240 --> 00:12:35.360 Cool. So we've covered a lot of offensive techniques so far. 273 00:12:35.960 --> 00:12:38.879 But let's say an attacker gets into a network. What's next? 274 00:12:38.919 --> 00:12:40.960 How do they move around and gain more access. 275 00:12:41.399 --> 00:12:43.840 That's where lateral movement comes in. It's all about moving 276 00:12:43.840 --> 00:12:46.399 from that initial foothold to other systems within the. 277 00:12:46.360 --> 00:12:49.519 Network, So escalating privileges getting to those crown. 278 00:12:49.320 --> 00:12:53.080 Jewels you got it, domain admin access is often the 279 00:12:53.200 --> 00:12:55.879 ultimate goal. The book goes over a bunch of tools 280 00:12:55.960 --> 00:13:00.799 and techniques for this, exploiting network protocols, using stolen credentials, 281 00:13:01.200 --> 00:13:05.200 even leveraging powerful scripting languages like PowerShell. 282 00:13:04.759 --> 00:13:07.639 Okay, let's break down some of these lateral movement techniques. 283 00:13:08.120 --> 00:13:11.480 The book mentions a tool called Responder. What's that all about? 284 00:13:11.600 --> 00:13:15.240 Responder is pretty clever. It exploits flaws in those protocols 285 00:13:15.240 --> 00:13:19.039 Windows uses for things like name resolution and finding proxies. 286 00:13:19.679 --> 00:13:23.879 Think LMNR, NBTNS and WPA. 287 00:13:24.240 --> 00:13:26.679 Okay, so it's taking advantage of how Windows networks work. 288 00:13:26.840 --> 00:13:29.240 It sets up a rogue server that tricks victims into 289 00:13:29.279 --> 00:13:31.159 connecting to it instead of the real one. 290 00:13:31.200 --> 00:13:32.720 So it's like a fake signpos point in them in 291 00:13:32.720 --> 00:13:33.600 the wrong direction. 292 00:13:33.559 --> 00:13:37.120 Exactly, and once they connect, bam, the attacker can grab 293 00:13:37.159 --> 00:13:41.279 all sorts of juicy information, NTLM hashes, cookies, you name it. 294 00:13:41.360 --> 00:13:43.799 Wait, those NTLM things are used for Windows logins, right 295 00:13:43.879 --> 00:13:44.360 they are. 296 00:13:44.399 --> 00:13:46.480 And Responder can snatch them right out of the air. 297 00:13:46.840 --> 00:13:49.200 Then you can use tools to crack those hashes and 298 00:13:49.240 --> 00:13:51.600 get the actual passwords. It's like getting a copy of 299 00:13:51.600 --> 00:13:52.480 the key to the castle. 300 00:13:52.759 --> 00:13:55.360 That's insane. So just by being on the same network 301 00:13:55.440 --> 00:13:57.200 you could potentially capture all that. 302 00:13:57.360 --> 00:14:01.360 It's surprisingly effective, especially when people are automatically logging into things, 303 00:14:01.879 --> 00:14:04.759 and Responder can do even more it can inject a 304 00:14:04.759 --> 00:14:08.559 fake wpad file, forcing the victim's browser to use the 305 00:14:08.600 --> 00:14:10.279 attacker's computer as a proxy. 306 00:14:10.480 --> 00:14:12.960 Talk about a man in the middle rat. 307 00:14:12.720 --> 00:14:17.279 You're controlling the traffic now. Another technique is smb relay attacks. 308 00:14:17.320 --> 00:14:19.879 They exploit how Windows handles authentication. 309 00:14:20.320 --> 00:14:23.000 Smb relay refresh my memory on that one. 310 00:14:23.120 --> 00:14:25.879 Imagine someone trying to connect to a file share with 311 00:14:25.960 --> 00:14:29.480 an smb relay attack. Their request goes through the attacker's 312 00:14:29.600 --> 00:14:33.679 machine first. Sneaky, the attacker relays the authentication request to 313 00:14:33.720 --> 00:14:36.600 the real file server, tricking the victim into giving their 314 00:14:36.600 --> 00:14:37.799 credentials to the attacker. 315 00:14:37.919 --> 00:14:40.840 So like a middleman intercepting the conversation exactly. 316 00:14:41.240 --> 00:14:44.799 Tools like smbu relay and invey are perfect for this 317 00:14:44.919 --> 00:14:45.519 kind of attack. 318 00:14:45.600 --> 00:14:47.840 Okay, so let's say we've snagged some of those NTLM 319 00:14:47.919 --> 00:14:51.320 hashes or other log in information. What then, how do 320 00:14:51.399 --> 00:14:54.799 we actually use those to get into other systems. 321 00:14:54.879 --> 00:14:57.679 That's where the big guns come out. Tools like WCE. 322 00:14:57.840 --> 00:15:00.000 And mimicat those names sound familiar. 323 00:15:00.120 --> 00:15:03.639 They extract passwords and hashes right from a computer's. 324 00:15:03.159 --> 00:15:07.399 Memory, so you could potentially dump the passwords of everyone 325 00:15:07.480 --> 00:15:08.440 logged onto a system. 326 00:15:08.559 --> 00:15:12.120 You got it, it's powerful stuff, but there's a catch. 327 00:15:12.200 --> 00:15:15.559 You usually need admin rights to use these tools. 328 00:15:15.799 --> 00:15:18.440 Makes sense you need some level of access first. 329 00:15:18.559 --> 00:15:21.919 That's often the whole point of lateral movement, to gain 330 00:15:22.000 --> 00:15:24.679 more and more control within the network, work your way 331 00:15:24.759 --> 00:15:27.320 up the ladder, so to speak. The book mentions a 332 00:15:27.360 --> 00:15:30.240 technique for exploiting group policy preferences. 333 00:15:30.440 --> 00:15:32.240 Group policy preferences, what's that? 334 00:15:32.440 --> 00:15:35.320 It's a Windows feature that admins use to manage settings 335 00:15:35.360 --> 00:15:38.679 across a whole network. The problem is the passwords for 336 00:15:38.720 --> 00:15:42.240 these policies can be stored insecurely, so. 337 00:15:42.240 --> 00:15:45.120 An attacker could potentially get their hands on some high level. 338 00:15:44.879 --> 00:15:48.960 Passwords domain admin credentials. Even that's game over. The book 339 00:15:49.039 --> 00:15:51.320 actually shows you how to do this using a Python 340 00:15:51.360 --> 00:15:52.679 script and tools. 341 00:15:52.399 --> 00:15:54.879 Like powersploy powersplay. Is that a PowerShell thing? 342 00:15:55.039 --> 00:15:58.240 It is? PowerShell is a scripting language built into Windows, 343 00:15:58.519 --> 00:15:59.960 and it's incredibly versatile. 344 00:16:00.159 --> 00:16:03.519 I've heard it's a favorite among both admins and attackers. 345 00:16:03.159 --> 00:16:06.440 For good reason. You can use it for automating tasks 346 00:16:06.720 --> 00:16:09.200 or carrying out sophisticated attacks. 347 00:16:08.879 --> 00:16:12.799 So it's powerful but also potentially dangerous if it falls 348 00:16:12.799 --> 00:16:13.759 into the wrong hands. 349 00:16:13.840 --> 00:16:17.080 Exactly. The book has a whole section on PowerShell for 350 00:16:17.159 --> 00:16:21.519 post exploitation, covering tools like power spoit and nicheing. 351 00:16:21.840 --> 00:16:24.360 What kind of things can you do with PowerShell after 352 00:16:24.399 --> 00:16:25.720 you've compromised the system? 353 00:16:25.840 --> 00:16:28.600 Oh, all sorts of things. You can inject toad into 354 00:16:29.000 --> 00:16:33.960 running processes, connect to other systems, even log keystrokes. The 355 00:16:34.039 --> 00:16:35.600 possibilities are endless. 356 00:16:35.639 --> 00:16:38.360 It's like a hacker Swiss army knife, you could say that. 357 00:16:38.759 --> 00:16:41.360 And because it's built into Windows, it often flies under 358 00:16:41.399 --> 00:16:42.840 the radar of security software. 359 00:16:42.919 --> 00:16:46.240 That makes it even more dangerous. So we've got lateral movement, 360 00:16:46.399 --> 00:16:49.519 privileged escalation, PowerShell. What other tricks do we need to 361 00:16:49.519 --> 00:16:49.960 be aware of? 362 00:16:50.240 --> 00:16:53.240 Well, no discussion of hacking would be complete without mentioning 363 00:16:53.480 --> 00:16:54.600 man in the middle attacks. 364 00:16:54.639 --> 00:16:56.840 Yep, manim attacks, Yeah, I've heard of those. 365 00:16:57.039 --> 00:17:00.159 This is where an attacker gets between two parties, intercept 366 00:17:00.399 --> 00:17:03.440 and potentially manipulating their communication so. 367 00:17:03.360 --> 00:17:07.920 They're easdropping and maybe even tampering with the messages exactly. 368 00:17:08.359 --> 00:17:10.839 And one of the classic tools for this is Ettercap. 369 00:17:10.920 --> 00:17:12.400 Ettercap that name sounds familiar. 370 00:17:12.440 --> 00:17:16.119 It lets you do ARP spoofing. It tricks devices on 371 00:17:16.160 --> 00:17:19.759 the network into sending their traffic through the attacker's computer. 372 00:17:19.759 --> 00:17:21.799 So the attacker becomes the middleman. 373 00:17:21.599 --> 00:17:24.480 Precisely, and they can do all sorts of nasty things. 374 00:17:24.599 --> 00:17:26.480 The book shows you how to use etter cap for 375 00:17:26.599 --> 00:17:27.559 DNS spoofing. 376 00:17:27.839 --> 00:17:29.200 DNS spoofing, what's that. 377 00:17:29.599 --> 00:17:33.359 Imagine you're trying to visit your bank's website with DNAs spoofing. 378 00:17:33.440 --> 00:17:36.599 The attacker redirects you to a fake website that looks 379 00:17:36.759 --> 00:17:37.839 just like the real deal. 380 00:17:38.039 --> 00:17:41.519 That's terrifying. You could easily enter your login info without 381 00:17:41.519 --> 00:17:42.599 realizing it's a trap. 382 00:17:42.680 --> 00:17:45.079 That's the danger. And it's not just websites. They could 383 00:17:45.119 --> 00:17:49.160 redirect you to fake update servers, download malware, you name it. 384 00:17:49.359 --> 00:17:52.160 Yikes. So edercap is a pretty powerful tool, it. 385 00:17:52.079 --> 00:17:54.720 Is, and there are even more advanced tools out there. 386 00:17:55.000 --> 00:17:59.319 The book mentions evil Foka, which targets IPv six networks at. 387 00:17:59.160 --> 00:18:01.839 Pv six that's the newer version of the Internet Protocol, 388 00:18:01.920 --> 00:18:02.799 right exactly. 389 00:18:02.920 --> 00:18:05.079 It just shows that attackers are always coming up with 390 00:18:05.160 --> 00:18:07.319 new ways to exploit new technologies. 391 00:18:07.480 --> 00:18:11.039 It's like an arms race. Speaking of new ways, what 392 00:18:11.119 --> 00:18:13.880 about attacks that target cookies? Those are used to track 393 00:18:13.960 --> 00:18:15.960 user sessions on websites right right. 394 00:18:16.039 --> 00:18:19.599 Cookies are little text files that websites store on your computer. 395 00:18:20.000 --> 00:18:23.680 They remember things like your login status or preferences. 396 00:18:23.759 --> 00:18:26.680 So if an attacker steals my cookies, they can basically 397 00:18:26.720 --> 00:18:28.279 become me on that website. 398 00:18:28.359 --> 00:18:31.799 You got it, And that's where attacks like sidejacking and 399 00:18:31.839 --> 00:18:32.960 cookie stealing come in. 400 00:18:33.160 --> 00:18:34.200 Tell me more about those. 401 00:18:34.400 --> 00:18:38.960