WEBVTT 1 00:00:00.200 --> 00:00:06.480 So have you ever really stopped to think about how 2 00:00:06.799 --> 00:00:11.400 ethical hackers, yeah, you know, the good guy, the penetration testers, 3 00:00:11.759 --> 00:00:14.279 how they actually think not just the tools, but their 4 00:00:14.320 --> 00:00:15.800 whole strategy. 5 00:00:15.439 --> 00:00:17.920 Or maybe how much info about a company and maybe 6 00:00:17.920 --> 00:00:21.079 even your company is just well out there, yeah. 7 00:00:20.920 --> 00:00:22.920 Just floating around the digital ether kind of waiting for 8 00:00:22.960 --> 00:00:25.120 someone to piece it together into a strategic map. 9 00:00:25.199 --> 00:00:28.120 It's often a surprising amount, really often lying in plain sight. 10 00:00:28.359 --> 00:00:31.600 And yeah, most people don't realize how easily it connects exactly. 11 00:00:31.640 --> 00:00:33.880 So today we're taking a real deep dive into that 12 00:00:33.920 --> 00:00:39.039 strategic world penetration testing. Our mission basically is to give 13 00:00:39.079 --> 00:00:43.719 you a solid but you know, digestible overview the key phases, 14 00:00:43.759 --> 00:00:46.479 the clever techniques these ethical hackers use. We're going to 15 00:00:46.520 --> 00:00:49.600 explore that mindset, the core methods they use to find vulnerabilities, 16 00:00:49.960 --> 00:00:52.200 get that initial foothold, stay hidden. 17 00:00:52.359 --> 00:00:54.159 Move through networks, move through networks, and. 18 00:00:54.119 --> 00:00:56.719 Yeah, ultimately pull out valuable information. And the whole point, 19 00:00:56.759 --> 00:00:58.960 of course is to make systems more secure for everyone. 20 00:00:59.159 --> 00:01:01.600 And we'll show you how they turn these like disparate 21 00:01:01.840 --> 00:01:05.200 bits of public data into a really precise blueprint for 22 00:01:05.239 --> 00:01:08.599 an attack. Okay, and even how they use these well 23 00:01:08.799 --> 00:01:12.120 ingenious tricks to live off the land once they're inside, 24 00:01:12.519 --> 00:01:14.640 living off the land. Yeah, think of it as maybe 25 00:01:14.799 --> 00:01:19.560 a shortcut to understanding the real tactics behind digital defense. 26 00:01:19.799 --> 00:01:22.120 And where are we getting this from? Well, our insights 27 00:01:22.159 --> 00:01:24.480 today they come straight from a detailed guide for the 28 00:01:24.640 --> 00:01:29.120 GIA Certified Penetration Tester exam, the GPM. 29 00:01:29.239 --> 00:01:30.519 Oh yeah, that solid stuff. 30 00:01:30.560 --> 00:01:36.519 Methodologies, tools, potential methodologies, practical tools, even real world lab exercises. 31 00:01:37.200 --> 00:01:39.280 This is the good stuff, really pulled right from the 32 00:01:39.359 --> 00:01:42.519 experts to give you that kind of insider view. Definitely. Okay, 33 00:01:42.599 --> 00:01:46.480 so let's unpack this. Let's imagine our target is a 34 00:01:46.560 --> 00:01:48.920 hypothetical company. We'll call it Acmecorp. 35 00:01:49.000 --> 00:01:50.640 Okay, Acmecorp Classic. 36 00:01:50.719 --> 00:01:53.840 So before anyone tries to break in, there's this really 37 00:01:53.879 --> 00:01:57.359 crucial first step reconnaissance pricon. Yeah, it's like being a 38 00:01:57.359 --> 00:02:02.040 digital detective, right, gathering clues, particulously building this detailed profile 39 00:02:02.079 --> 00:02:05.879 of ACME core M, but without firing a single shot, 40 00:02:05.959 --> 00:02:06.599 so to speak. 41 00:02:06.799 --> 00:02:09.240 And what's really fascinating here isn't just that you can 42 00:02:09.280 --> 00:02:13.080 find info, but how easily these separate pieces can be 43 00:02:13.120 --> 00:02:18.840 woven together into a well potentially devastatingly precise attack plan. Right, 44 00:02:19.039 --> 00:02:23.680 we're talking open source intelligence ocent ocent. Yeah, there are 45 00:02:23.680 --> 00:02:27.240 two main flavors, passive and active information. 46 00:02:26.840 --> 00:02:30.879 Gathering passive and active. How big a deal is that difference? 47 00:02:30.919 --> 00:02:33.719 In practice? Does one like lead to the other or 48 00:02:33.960 --> 00:02:35.199 for they for totally different things. 49 00:02:35.280 --> 00:02:38.520 Oh, that's a crucial difference, mainly because of the risk involved. 50 00:02:38.560 --> 00:02:39.360 You know, Okay. 51 00:02:39.360 --> 00:02:44.159 Passive recon is all about discovery through observation. You stay anonymous, 52 00:02:44.400 --> 00:02:46.759 hard to detect. Think of it like watching a building 53 00:02:46.759 --> 00:02:48.240 from across the street, just. 54 00:02:48.360 --> 00:02:50.520 Looking, looking, not touching exactly. 55 00:02:50.560 --> 00:02:53.479 Active recon, though, that's when you start interacting directly with 56 00:02:53.520 --> 00:02:57.400 ACME systems, which is much more likely to create logs 57 00:02:57.439 --> 00:02:59.840 potentially get you notice, It's like knocking on the buildings 58 00:03:00.159 --> 00:03:00.919 or gotcha. 59 00:03:01.039 --> 00:03:03.840 So more risk, maybe more reward. 60 00:03:03.840 --> 00:03:06.840 Potentially both are valuable, but yeah, the risks are different. 61 00:03:06.879 --> 00:03:08.360 You usually start passive. 62 00:03:08.680 --> 00:03:10.919 So what does all this mean for our ACMECORB You're 63 00:03:10.960 --> 00:03:12.960 saying you can learn a ton about their tech stack, 64 00:03:13.039 --> 00:03:15.560 their people, maybe even their culture just from. 65 00:03:15.439 --> 00:03:19.000 Public stuff, a tremendous amount. The key thing is every 66 00:03:19.039 --> 00:03:22.120 digital interaction leaves some kind of trace. Yeah, and when 67 00:03:22.159 --> 00:03:25.400 you add up all these seemingly harmless little traces. 68 00:03:25.639 --> 00:03:26.479 You get a blueprint. 69 00:03:26.560 --> 00:03:30.120 You get a blueprint for an attacker precisely like what 70 00:03:30.759 --> 00:03:35.319 give me example? Okay, Well, ethical hackers they analyze organizational cultures, 71 00:03:35.360 --> 00:03:36.759 sometimes through job posting. 72 00:03:36.960 --> 00:03:38.879 Job postings really yeah, if. 73 00:03:38.840 --> 00:03:44.360 ACNCRE is hiring for say a Solaris ten system administrator, boom, 74 00:03:44.520 --> 00:03:47.960 that tells you immediately they're using Solaris ten. Some more important, 75 00:03:48.080 --> 00:03:52.159 probably data centers. That kind of detail helps define their 76 00:03:52.159 --> 00:03:56.360 attack surface, what specific systems might be vulnerable. It's often 77 00:03:56.400 --> 00:03:59.919 just unintended data leakage. Nobody thinks twice about posting it. 78 00:04:00.120 --> 00:04:03.960 That's a really interesting angle using job ads. Is there 79 00:04:04.000 --> 00:04:06.639 a downside? Like can companies hide that stuff? 80 00:04:06.719 --> 00:04:09.319 Well, it's about corroboration, right, You never rely on just 81 00:04:09.479 --> 00:04:12.360 one thing. And yeah, companies might try to be vague, 82 00:04:12.400 --> 00:04:14.879 but they usually need specific skills, so they have to 83 00:04:14.919 --> 00:04:18.800 reveal something makes sense and it goes further social media 84 00:04:18.839 --> 00:04:22.639 behavior think LinkedIn profiles for IT staff. Oh yeah, they 85 00:04:22.720 --> 00:04:26.360 might detail their experience CERTs, maybe even tech conferences they 86 00:04:26.360 --> 00:04:31.199 go to. That's gold for tailoring attacks, especially social engineering. Howso, well, 87 00:04:31.319 --> 00:04:34.759 you can craft much more convincing phishing emails if you 88 00:04:34.839 --> 00:04:38.720 know someone's specific tech interests or who they know, what 89 00:04:38.759 --> 00:04:42.000 events they attended. It makes it personal believable. 90 00:04:42.160 --> 00:04:44.879 So we've got the human side, the company culture clues. 91 00:04:45.360 --> 00:04:49.079 What about the pure tech data, the digital fingerprints from the. 92 00:04:49.000 --> 00:04:52.319 Machines right exactly? Now we're digging into things like the 93 00:04:52.480 --> 00:04:55.199 whois Database woaas. 94 00:04:55.600 --> 00:04:58.319 Think of it as the public phone book for domain names. 95 00:04:58.439 --> 00:05:01.480 It listens on TCP port forty three, gives you registration 96 00:05:01.560 --> 00:05:05.519 info for acmecore's domain, contact details, their name servers. 97 00:05:05.560 --> 00:05:08.600 Okay, basic contact info, basic but essential. 98 00:05:08.879 --> 00:05:12.680 Did you move on to querying DNS records? The Internet's 99 00:05:12.839 --> 00:05:14.480 address books actually. 100 00:05:14.319 --> 00:05:19.120 DNS records like soa SRV cnamey. They reveal specific domain 101 00:05:19.160 --> 00:05:24.279 assets like server names, fully qualified domain names, FQDNS, IP addresses. 102 00:05:24.439 --> 00:05:27.079 Okay, can you quickly break down those record types? Soa 103 00:05:27.199 --> 00:05:28.160 SRV sure? Sure? 104 00:05:28.480 --> 00:05:31.879 The SOA startup authority tells you who's officially in charge 105 00:05:31.920 --> 00:05:34.680 of the domains records, set some rules, scott it. SRV 106 00:05:34.800 --> 00:05:38.839 records point to specific services like where's acme's email server 107 00:05:39.319 --> 00:05:43.040 or their internal chat SRV might tell you. And cnames 108 00:05:43.079 --> 00:05:46.160 are like nicknames, mapping one name to another. But here's 109 00:05:46.160 --> 00:05:50.959 the kicker. If Acmecorp has a misconfigured DNS server, oh, 110 00:05:51.319 --> 00:05:54.279 it might allow something called a DNS zone. 111 00:05:53.920 --> 00:05:55.560 Transfer zone transfer. What's that? 112 00:05:56.000 --> 00:05:58.639 Normally DNA servers keep their full list of internal names 113 00:05:58.639 --> 00:06:01.759 and addresses pretty secret. But a misconfigured one you can 114 00:06:01.800 --> 00:06:04.639 trick it into dumping its entire internal aggress book the 115 00:06:04.680 --> 00:06:06.800 whole network map to you, the attacker. 116 00:06:06.959 --> 00:06:10.519 WHOA that sounds bad, like finding the entire internal phone 117 00:06:10.519 --> 00:06:11.160 directory for. 118 00:06:11.120 --> 00:06:14.680 A company HQ Exactly like that, a potentially colossal leak 119 00:06:14.920 --> 00:06:17.920 gives you a map of their whole internal network structure. 120 00:06:18.120 --> 00:06:21.240 Okay, And I've heard people mention Google dorking. Is that 121 00:06:21.279 --> 00:06:22.879 part of this tech recon Oh? 122 00:06:22.920 --> 00:06:27.199 Absolutely? Google dorking is basically using advanced search operators in 123 00:06:27.279 --> 00:06:30.000 Google to find things that aren't supposed to be public. 124 00:06:30.319 --> 00:06:35.120 Like what like using say cite dot axmecorp, dot com 125 00:06:35.600 --> 00:06:39.639 entitled dot index dot f that might find web directories 126 00:06:39.639 --> 00:06:42.759 and admin forgot to secure okay, or maybe entitled dot 127 00:06:42.759 --> 00:06:45.560 index dot of uploads that could find directories where users 128 00:06:45.600 --> 00:06:49.199 upload files, potentially a place an attacker could drop malicious 129 00:06:49.199 --> 00:06:52.439 code or find sensitive stuff someone uploaded by mistake. 130 00:06:52.639 --> 00:06:55.560 Wow, I've bet pentesters find some embarrassing. 131 00:06:55.120 --> 00:06:57.319 Stuff that way you can only imagine. So, yeah, Google 132 00:06:57.319 --> 00:06:59.920 can be an unwitting helper here, No Google helps. 133 00:07:00.079 --> 00:07:03.680 What about tools built specifically for mapping devices online, more 134 00:07:03.720 --> 00:07:04.680 specialized stuff. 135 00:07:04.800 --> 00:07:07.319 Yeah, now you're talking about search engines like showd in and. 136 00:07:07.319 --> 00:07:09.279 Senses Showdan heard of that one. 137 00:07:09.319 --> 00:07:12.959 Showdan's often called the search engine for Internet connected devices, 138 00:07:13.000 --> 00:07:14.560 not websites, but devices. 139 00:07:14.720 --> 00:07:15.560 What's the difference really? 140 00:07:15.680 --> 00:07:18.800 It reviews stuff like open ports, the services running on 141 00:07:18.800 --> 00:07:23.839 those ports, device locations, banner data for specific ips or keywords. 142 00:07:24.000 --> 00:07:24.560 Banner dat. 143 00:07:24.720 --> 00:07:27.800 Yeah, like the welcome message a service gives out often 144 00:07:27.839 --> 00:07:31.759 includes the exact software name and version. Super useful for 145 00:07:31.800 --> 00:07:33.279 finding known vulnerabilities. 146 00:07:33.480 --> 00:07:37.600 So searching showdan for like FTP could show all of 147 00:07:37.639 --> 00:07:40.399 acme's exposed FTP servers. 148 00:07:40.040 --> 00:07:42.920 Exactly and maybe tell you they're running an old vulnerable version. 149 00:07:43.199 --> 00:07:47.160 Showdan excels at mapping that Internet facing attack surface. It 150 00:07:47.240 --> 00:07:50.879 shows what services are listening, what software they're running. Okay, 151 00:07:50.959 --> 00:07:54.279 and sen Census is similar from the folks behind zMap. 152 00:07:54.720 --> 00:07:59.480 It maintains huge data sets on IPv four addresses, websites, certificates. 153 00:07:59.720 --> 00:08:03.639 These tools let pen testers and importantly defenders too see 154 00:08:03.680 --> 00:08:06.639 their own footprint from an attacker's view, what's actually exposed? 155 00:08:06.759 --> 00:08:10.720 Fascinating the search engine for devices, and it's not just 156 00:08:10.759 --> 00:08:13.680 about what's obviously visible, is it? What about hidden data 157 00:08:13.800 --> 00:08:14.800 like inside files? 158 00:08:14.839 --> 00:08:18.160 Ah? Good point, you're hitting on metadata analysis metadata. Even 159 00:08:18.199 --> 00:08:21.920 seemingly harmless files, you know, PDFs, jpg images, word docs. 160 00:08:22.199 --> 00:08:25.120 They can contain hidden info metadata like what kind of info, 161 00:08:25.439 --> 00:08:28.240 things like the version of Photoshop used to make an image, 162 00:08:28.279 --> 00:08:30.839 the operating system it was created on, maybe the author's name, 163 00:08:30.839 --> 00:08:31.839 creation dates. 164 00:08:31.879 --> 00:08:33.879 Seriously, Yeah, in a picture file? 165 00:08:33.960 --> 00:08:37.480 Oh yeah. Analyzing this with tools like x off tool 166 00:08:37.679 --> 00:08:40.120 or even just the basic strings command can give clues, 167 00:08:40.639 --> 00:08:44.759 maybe hints about client side software they use, which could 168 00:08:44.759 --> 00:08:48.120 have vulnerabilities, or it could help make a phishing email 169 00:08:48.159 --> 00:08:51.240 more convincing. Wow, it really makes you think, doesn't it. 170 00:08:51.440 --> 00:08:54.480 How often do we share files without realizing what hidden 171 00:08:54.519 --> 00:08:55.879 info is tagging along? 172 00:08:56.039 --> 00:08:56.279 Yeah? 173 00:08:56.360 --> 00:09:00.799 Really, imagine a competitor or worse, building this detail profile 174 00:09:00.840 --> 00:09:04.720 of acme's whole tech setup, even down to software versions 175 00:09:04.759 --> 00:09:08.840 their designers use, just from public files. That's the power 176 00:09:08.879 --> 00:09:09.639 of good recon. 177 00:09:09.799 --> 00:09:12.279 Okay, so you've done your recon. You've built this detailed 178 00:09:12.279 --> 00:09:15.879 map of Acmecorp. The next logical step for a pintester 179 00:09:15.960 --> 00:09:17.600 that's getting initial access. 180 00:09:17.320 --> 00:09:20.399 Right right, finding a weak spot, and actually getting inside 181 00:09:20.440 --> 00:09:21.360 the network perimeter. 182 00:09:21.679 --> 00:09:22.720 How does that usually happen? 183 00:09:22.919 --> 00:09:26.159 Well, exploitation, gaining access. It can take different forms. You 184 00:09:26.200 --> 00:09:29.320 can attack servers directly, but honestly, servers are getting much 185 00:09:29.320 --> 00:09:30.360 better defended. 186 00:09:30.000 --> 00:09:32.360 These days, so attackers look elsewhere. 187 00:09:32.000 --> 00:09:35.360 They often do. The big shift isn't just what they target, 188 00:09:35.360 --> 00:09:39.360 but who. With servers hardened, the human element, the user 189 00:09:39.720 --> 00:09:43.720 often becomes the weakest link ah the user, So client 190 00:09:43.799 --> 00:09:47.440 side exploits targeting the users themselves through things like phishing 191 00:09:47.559 --> 00:09:49.840 or malicious websites are really common. 192 00:09:49.919 --> 00:09:52.320 Makes sense. And once you're in what then? 193 00:09:52.559 --> 00:09:55.240 While usually you have basic access first, so the next 194 00:09:55.240 --> 00:09:57.039 step is often privilege. 195 00:09:56.720 --> 00:09:58.919 Escalation, escalation going higher up. 196 00:09:59.000 --> 00:10:03.240 Exactly, move from that basic, low level user access to 197 00:10:03.320 --> 00:10:07.279 something more powerful, like becoming an administrator or gaining system 198 00:10:07.399 --> 00:10:11.679 level control that lets you access more data, control more systems. 199 00:10:11.799 --> 00:10:14.919 Okay, got it. And I've heard this phrase for after 200 00:10:14.960 --> 00:10:17.480 you get in, or maybe to help stay in living 201 00:10:17.480 --> 00:10:19.720 off the land. It sounds like something from a survival show. 202 00:10:19.879 --> 00:10:22.600 Huh, yeah, it doesn't, bit, but it's a really critical 203 00:10:22.639 --> 00:10:26.039 skill in modern pen testing. Especially inside Windows networks. 204 00:10:26.279 --> 00:10:28.759 So what is it really in the cyber context? 205 00:10:28.799 --> 00:10:31.200 Living off the land means using tools and programs that 206 00:10:31.240 --> 00:10:34.559 are already on the system, trusted built in applications and binaries, 207 00:10:34.759 --> 00:10:37.039 but you use them to do things they weren't necessarily 208 00:10:37.039 --> 00:10:38.559 designed for malicious things. 209 00:10:38.639 --> 00:10:41.120 Usually, why do that? Why not just bring in your 210 00:10:41.120 --> 00:10:42.039 own hacking tools? 211 00:10:42.200 --> 00:10:46.360 Ah? Because the whole point is evasion, blending in, blending 212 00:10:46.440 --> 00:10:51.080 in defensive tools like Windows Defender, AppLocker, other endpoint security. 213 00:10:51.720 --> 00:10:56.679 They're looking for known bad files, known malicious executables. If 214 00:10:56.679 --> 00:10:59.720 you bring in custom malware, it might get flagged immediately, right, 215 00:11:00.080 --> 00:11:02.679 But if you use the system's own tools, tools that 216 00:11:02.720 --> 00:11:05.879 are supposed to be there, often signed by Microsoft, they're 217 00:11:05.960 --> 00:11:09.080 much less likely to raise alarms. You're using the system 218 00:11:09.120 --> 00:11:10.279 against itself, So. 219 00:11:10.240 --> 00:11:14.639 You're turning trusted tools into weapons. Basically, m could you preconxample? 220 00:11:14.840 --> 00:11:18.639 Sure? Take searchitil dot ex in Windows search it til 221 00:11:19.200 --> 00:11:23.639 for certificates exactly. Its legitimate job is managing digital certificates. 222 00:11:23.639 --> 00:11:26.320 But guess what it can also be used to download 223 00:11:26.320 --> 00:11:27.200 files from the Internet. 224 00:11:27.360 --> 00:11:27.759 No way? 225 00:11:27.879 --> 00:11:31.720 Yeah? And because searchitol dot etc. Is a standard Microsoft 226 00:11:31.759 --> 00:11:35.240 signed program, security software often trusts it it might let 227 00:11:35.279 --> 00:11:37.320 it download a malicious file without blinking an. 228 00:11:37.200 --> 00:11:39.559 Eye, whereas if you try to use something obvious like 229 00:11:39.639 --> 00:11:42.080 reigate or a PowerShell download. 230 00:11:41.679 --> 00:11:45.759 Command exactly, those might get blocked instantly, especially by things 231 00:11:45.799 --> 00:11:50.200 like Powershells constrained language mode, which really limits what scripts 232 00:11:50.279 --> 00:11:54.559 can do. If it's enabled. Curtitil often flies under the radar. 233 00:11:54.759 --> 00:11:58.399 So a harmless certificate tool becomes a stealthy downloader. That's clever. 234 00:11:59.039 --> 00:12:02.120 But how to defend even spot that if you're using 235 00:12:02.200 --> 00:12:03.200 legitimate tools. 236 00:12:03.799 --> 00:12:06.559 That is the million dollar question for defenders, and it's 237 00:12:06.559 --> 00:12:09.840 why this technique is so powerful. This blending in is 238 00:12:09.879 --> 00:12:12.759 the whole goal. It's a key part of what miter 239 00:12:12.960 --> 00:12:16.840 ATD and CK calls the defense evasion tactic tie zero 240 00:12:16.919 --> 00:12:19.120 zero zero five. I think, Okay, the better you are 241 00:12:19.159 --> 00:12:21.320 at living off the land, the quieter you are, the 242 00:12:21.399 --> 00:12:23.639 less likely you get caught. You make your malicious actions 243 00:12:23.639 --> 00:12:27.240 look like normal system activity, even against advanced defenses, even 244 00:12:27.279 --> 00:12:31.200 against things like Windows Defenders AMSI, the Anti Malware Scan 245 00:12:31.279 --> 00:12:34.600 Interface AMSI. Yeah, it's pretty clever. It hooks into scripting 246 00:12:34.600 --> 00:12:38.480 engines like PowerShell and tries to inspect commands before they run, 247 00:12:38.600 --> 00:12:40.240 looking for a malicious patterns, but. 248 00:12:40.200 --> 00:12:41.120 It can be bypassed. 249 00:12:41.440 --> 00:12:45.559 It can, especially once an attacker has local access. They 250 00:12:45.600 --> 00:12:49.480 can use techniques like obfuscation, deliberately scrambling or hiding parts 251 00:12:49.480 --> 00:12:53.360 of their malicious scripts to confuse AMSI make it harder 252 00:12:53.360 --> 00:12:54.879 for it to see the malicious intent. 253 00:12:55.200 --> 00:12:58.320 So even AMSI isn't fool proof if someone's already inside 254 00:12:58.320 --> 00:12:59.240 and knows what they're doing. 255 00:12:59.639 --> 00:13:03.440 Nothing ever completely fool proof, but yeah, obfuscation can be 256 00:13:03.559 --> 00:13:04.559 effective against it. 257 00:13:04.840 --> 00:13:08.320 This really highlights that the threat isn't always some exotic 258 00:13:08.440 --> 00:13:11.919 new malware. Sometimes it's just the clever misuse of everyday 259 00:13:11.960 --> 00:13:13.399 tools already on your machine. 260 00:13:13.440 --> 00:13:16.759 Precisely, it's like being a digital chameleon, using what's there 261 00:13:16.799 --> 00:13:18.919 to achieve your goals without standing out. 262 00:13:19.200 --> 00:13:22.519 For defenders, then it's not just about what tools are running, 263 00:13:22.559 --> 00:13:26.120 but how and why they're being run, looking for abnormal 264 00:13:26.240 --> 00:13:27.799 use of normal tools exactly. 265 00:13:27.879 --> 00:13:28.879 Context is everything. 266 00:13:28.960 --> 00:13:32.240 Okay, So let's say our pentester is inside acbecores network. 267 00:13:32.240 --> 00:13:35.519 They got initial access, maybe using searchole to download something, 268 00:13:35.799 --> 00:13:38.240 and they're living off the land blending in. 269 00:13:38.519 --> 00:13:41.639 What's next Now they want to expand their reach, move around, 270 00:13:41.840 --> 00:13:44.600 find more valuable targets. That's lateral movement. 271 00:13:44.360 --> 00:13:46.480 Going sideways through the network right. 272 00:13:46.799 --> 00:13:50.440 And to do that effectively, you need really good situational 273 00:13:50.440 --> 00:13:53.200 awareness inside the network, well kind of awareness. You need 274 00:13:53.240 --> 00:13:56.840 to gather tons of local info. What processes are running 275 00:13:56.840 --> 00:13:59.480 on this machine, what software is installed, what are the 276 00:13:59.519 --> 00:14:03.279 detailed network settings? Who else is logged in? What groups 277 00:14:03.360 --> 00:14:06.320 does this user belong to? System configuration details? 278 00:14:06.399 --> 00:14:09.120 Okay, mapping the immediate surrounding exactly. 279 00:14:09.159 --> 00:14:13.200 You're looking for opportunities, maybe cached credentials left behind by 280 00:14:13.240 --> 00:14:16.679 an admin, misconfigurations that let you jump to another server, 281 00:14:17.240 --> 00:14:18.679 shared folders. 282 00:14:18.639 --> 00:14:22.080 And you mentioned not relying on a single tool crucial. 283 00:14:22.120 --> 00:14:24.879 Because you never know what tools will be available or 284 00:14:24.919 --> 00:14:27.679 allowed on the specific machine you land on. You need 285 00:14:27.720 --> 00:14:30.360 to be adaptable, no different ways to get the same information, 286 00:14:30.799 --> 00:14:34.320 using built in commands or whatever tools are present. Resourcefulness 287 00:14:34.360 --> 00:14:35.200 is key, got it? 288 00:14:35.720 --> 00:14:38.080 And are there tools that help map out the whole 289 00:14:38.279 --> 00:14:41.799 internal network, especially complex ones? I heard you mentioned something 290 00:14:41.840 --> 00:14:44.840 that visualizes attack paths. That sounds like a superpower. 291 00:14:45.080 --> 00:14:49.639 Ah? Yeah, absolutely for mapping complex active directory environments, which 292 00:14:49.679 --> 00:14:53.320 you find in most large organizations like our acmecorp. A 293 00:14:53.399 --> 00:14:57.120 standout tool is sharpound. Sharpound, which is actually the data 294 00:14:57.200 --> 00:15:00.000 collector component of the larger Bloodhound project. 295 00:15:00.039 --> 00:15:03.679 Sharpound and Bloodhound the sound like a cybersecurity detective agency. 296 00:15:03.720 --> 00:15:04.679 How do they work together? 297 00:15:04.879 --> 00:15:07.759 Huh yeah, you can think of it like that. Shartpound 298 00:15:07.840 --> 00:15:11.080 is the field agent, the data gatherer. It used to 299 00:15:11.080 --> 00:15:15.399 be a mainly PowerShell, but now it's often a sea shard, executable, faster, 300 00:15:15.559 --> 00:15:19.600 sometimes stealthier. It goes out and queries active directory and 301 00:15:19.639 --> 00:15:20.840 the computers in the domain. 302 00:15:20.960 --> 00:15:22.080 What data does it collect? 303 00:15:22.159 --> 00:15:25.720 Things like user accounts, group memberships, who's logged in, where, 304 00:15:25.960 --> 00:15:31.159 active sessions, computer configurations, access control lists acls, who has 305 00:15:31.200 --> 00:15:35.440 permission to what? Group? Policy objects? GPO's tons of relationship data. 306 00:15:35.480 --> 00:15:38.240 Okay, so Chartpound gathers all that raw relationship data. 307 00:15:38.919 --> 00:15:42.120 Then what then that data is fed into Bloodhound. Bloodhound 308 00:15:42.159 --> 00:15:44.960 uses a graph database in neofour j usually to store 309 00:15:45.000 --> 00:15:48.679 all those relationships, and crucially, it provides a graphical interface 310 00:15:48.720 --> 00:15:49.840 to visualize it all. 311 00:15:50.240 --> 00:15:51.720 Visualize it like a map. 312 00:15:51.799 --> 00:15:54.559 Ex exactly like a map, but a map of relationships 313 00:15:54.600 --> 00:15:57.080 and permissions within the active directory for us. 314 00:15:57.120 --> 00:15:58.320 And why is that so powerful? 315 00:15:58.720 --> 00:16:03.240 Because it lets pentest and defenders see attack paths they'd 316 00:16:03.320 --> 00:16:07.639 likely never find otherwise. Bloodhound is famous for identifying the 317 00:16:07.720 --> 00:16:09.600 shortest paths to domain. 318 00:16:09.279 --> 00:16:12.519 Admit, shortest path to domain admin. That's like keys to 319 00:16:12.559 --> 00:16:13.639 the kingdom, right pretty much? 320 00:16:13.679 --> 00:16:17.639 Yeah, full control over the entire Windows domain. Bloodhound shows 321 00:16:17.639 --> 00:16:20.879 you how seemingly minor connections or permissions can be chained 322 00:16:20.879 --> 00:16:24.799 together together. Like it might show you that this random 323 00:16:24.919 --> 00:16:28.120 low privileged user account you compromised happens to have an 324 00:16:28.159 --> 00:16:31.159 active login session on a server. Okay, and maybe a 325 00:16:31.200 --> 00:16:34.440 domain admin logged into that same server recently, maybe leaving 326 00:16:34.440 --> 00:16:37.879 credentials cased in memory, or maybe that server has a 327 00:16:37.879 --> 00:16:41.559 certain vulnerability. Bloodhound connects those dots. It shows you that 328 00:16:41.639 --> 00:16:45.919 path user as server x, domain admin credential nash game over. 329 00:16:46.080 --> 00:16:49.519 Wow, that visual connection makes all the difference. It's not 330 00:16:49.600 --> 00:16:53.080 just lists of users and groups, it's the pathways between them. 331 00:16:53.200 --> 00:16:57.279 Precisely. It turns abstract permissions into concrete attack roots. 332 00:16:57.559 --> 00:17:01.360 So from a defender's viewpoint, seeing those ads must completely 333 00:17:01.440 --> 00:17:03.559 change how they prioritize security efforts. 334 00:17:03.720 --> 00:17:07.400 Right absolutely. It's a game changer for defenders too. Instead 335 00:17:07.440 --> 00:17:12.200 of just patching random vulnerabilities, Bloodhound shows you the relationship vulnerabilities. 336 00:17:12.240 --> 00:17:13.559 Relationship vulnerabilities. 337 00:17:13.599 --> 00:17:17.279 I like that it highlights the critical choke points, which users, 338 00:17:17.359 --> 00:17:21.960 if compromised, give attackers easy routes, Which systems are stepping 339 00:17:21.960 --> 00:17:26.240 stones to sensitive areas. It lets defenders focus hardening efforts 340 00:17:26.279 --> 00:17:29.799 on breaking those specific paths, maybe tightening permissions on a 341 00:17:29.880 --> 00:17:33.640 key group, removing local admin rights, segmenting networks better. 342 00:17:33.880 --> 00:17:36.960 So it guides defensive strategy based on actual attack paths, 343 00:17:37.000 --> 00:17:38.559 not just generic best practices. 344 00:17:38.720 --> 00:17:42.640 Exactly. It helps you prioritize based on real risk revealed 345 00:17:42.680 --> 00:17:46.920 by those connections, group membership sessions, acls, GPOs, all the 346 00:17:47.000 --> 00:17:48.240 data Sharpound collects. 347 00:17:48.319 --> 00:17:51.119 That's incredible. It really is like having a dynamic GPS 348 00:17:51.119 --> 00:17:54.119 for the entire corporate network, showing all the hidden roads 349 00:17:54.119 --> 00:17:55.960 and shortcuts right to the crown jewels. 350 00:17:56.160 --> 00:17:59.400 It's a fantastic example of how critical thinking, data collection, 351 00:17:59.559 --> 00:18:04.599 and visualization come together in cybersecurity. It makes complex relationships 352 00:18:04.799 --> 00:18:08.920 tangible and actionable in a way that scrolling through logs 353 00:18:09.000 --> 00:18:10.200 just can't. 354 00:18:10.559 --> 00:18:13.440 Okay, wow, we've covered a lot today. We journeyed through 355 00:18:13.480 --> 00:18:16.440 these crucial phases of a pen test, starting with that 356 00:18:16.559 --> 00:18:21.519 detailed reconnaissance, turning those scattered digital breadcrumbs bat Ecnicorp into. 357 00:18:21.400 --> 00:18:23.759 A full blueprint, right building the map. 358 00:18:23.599 --> 00:18:27.799 Then gaining initial access, maybe using those clever evasion tactics 359 00:18:27.839 --> 00:18:30.119 like living off the land to stay hidden. 360 00:18:29.960 --> 00:18:32.759 Blending in using their own tools against them. 361 00:18:32.599 --> 00:18:37.240 And finally charting the internal network, finding those critical attack paths, 362 00:18:37.519 --> 00:18:40.599 maybe using powerful tools like Sharpound and bloodhound and see 363 00:18:40.599 --> 00:18:41.519 the hidden connections. 364 00:18:41.599 --> 00:18:46.119 Yeah, we've really seen how these ethical hackers meticulously transform 365 00:18:46.240 --> 00:18:49.480 all these disparate bits of information into a strategic map, 366 00:18:49.880 --> 00:18:52.440 not just to break in, but ultimately to help secure 367 00:18:52.519 --> 00:18:54.839 these digital environments, make them stronger. 368 00:18:55.119 --> 00:18:57.400 Yeah, that's the key point, isn't it. The ultimate goal 369 00:18:57.440 --> 00:19:00.680 of a penetration test isn't just finding flaws. It's about 370 00:19:00.960 --> 00:19:05.759 providing that critical intelligence needed to build tougher, more resilient defenses. 371 00:19:05.880 --> 00:19:08.000 Exactly. It's proactive security. 372 00:19:08.799 --> 00:19:12.880 So maybe final thought for everyone listening, what hidden connections, 373 00:19:12.920 --> 00:19:16.400 what overlooked details might be lurking in your digital environment 374 00:19:16.480 --> 00:19:18.759 right now, just waiting to be discovered. 375 00:19:18.920 --> 00:19:20.200 Mm hmm. Makes you think? 376 00:19:20.720 --> 00:19:23.960 It's a powerful reminder. I think that real security isn't 377 00:19:23.960 --> 00:19:26.720 just about building higher walls around the perimeter. It's also 378 00:19:26.759 --> 00:19:30.880 about understanding all the pathways, the obvious ones and especially 379 00:19:30.920 --> 00:19:33.759 the hidden ones that could potentially lead an adversary right 380 00:19:33.799 --> 00:19:36.160 to your front door, or maybe even inside already