WEBVTT 1 00:00:00.200 --> 00:00:03.240 Right now, as you are listening to this, you are 2 00:00:03.279 --> 00:00:07.400 completely surrounded, like invisible signals are just bouncing off the 3 00:00:07.400 --> 00:00:11.039 walls of your home, ricocheting around your local coffee shop, 4 00:00:11.240 --> 00:00:13.720 passing right through the glass of your office windows. 5 00:00:13.839 --> 00:00:14.599 Yeah, everywhere. 6 00:00:14.720 --> 00:00:18.239 We rely on these Wi Fi networks for absolutely everything. 7 00:00:18.399 --> 00:00:21.920 You know, our banking, private conversations are jobs, and yet 8 00:00:21.960 --> 00:00:24.800 we treat them like I don't know magic. 9 00:00:24.679 --> 00:00:27.399 Right, Like it just works and we don't question it exactly. 10 00:00:27.519 --> 00:00:30.359 But to a hacker who's say, sitting in a parking 11 00:00:30.399 --> 00:00:34.119 lot a block away, yeah, those signals aren't magic at all. 12 00:00:34.520 --> 00:00:38.200 They are a potentially unlocked door directly into your entire 13 00:00:38.280 --> 00:00:39.320 digital life, a. 14 00:00:39.359 --> 00:00:41.000 Very wide open door in a lot of cases. 15 00:00:41.119 --> 00:00:44.560 Yeah, so today we're learning how to lock that door. 16 00:00:45.320 --> 00:00:48.240 Welcome to today's deep dive. Our mission here is simple, really, 17 00:00:48.320 --> 00:00:50.320 you have to learn how to think exactly like an 18 00:00:50.359 --> 00:00:52.719 attacker if you want to build a defense that actually, 19 00:00:53.000 --> 00:00:57.000 you know, works. We're using this comprehensive guide Hacking Wireless 20 00:00:57.039 --> 00:01:00.320 Networks for Dummies to explore ethical hacking, which this is. 21 00:01:01.320 --> 00:01:04.239 That is the fundamental philosophy of security. Really, you just 22 00:01:04.359 --> 00:01:07.599 cannot defend a perimeter you don't fully understand, right, and 23 00:01:07.680 --> 00:01:09.719 to understand what we're dealing with, we have to look 24 00:01:09.799 --> 00:01:13.760 at how wireless networks, what engineers call the I E 25 00:01:14.599 --> 00:01:17.200 eight too two Dot eleven standards or you know what 26 00:01:17.239 --> 00:01:20.400 you just call Wi fi, how they've completely reshaped. 27 00:01:19.920 --> 00:01:21.920 Our world because it's a massive industry. 28 00:01:21.640 --> 00:01:25.519 Now right, Well absolutely, they created a multi billion dollar 29 00:01:25.560 --> 00:01:31.640 infrastructure based almost entirely on mobility and convenience. But with 30 00:01:31.760 --> 00:01:36.120 that incredible convenience came this massive, unprecedented security gap. 31 00:01:35.920 --> 00:01:37.239 Which is a huge blind spot. 32 00:01:37.359 --> 00:01:41.319 Yeah, because what's fascinating here is that unlike traditional wired networks, 33 00:01:41.359 --> 00:01:44.439 where your data travels through a physical like copper or 34 00:01:44.480 --> 00:01:50.319 fiber optic cable inside a locked building, wireless introduces a 35 00:01:50.359 --> 00:01:54.200 third dimension radio waves exactly, radio waves and radio waves, well, 36 00:01:54.200 --> 00:01:57.400 they do not respect physical boundaries. They completely remove traditional 37 00:01:57.439 --> 00:01:58.879 physical security barriers. 38 00:01:58.920 --> 00:02:02.319 It really is. It's like building a massive state of 39 00:02:02.319 --> 00:02:05.239 the art bank fault with these foot thick steel walls, 40 00:02:05.400 --> 00:02:07.359 but then you just leave the roof completely open to 41 00:02:07.400 --> 00:02:07.719 the sky. 42 00:02:07.920 --> 00:02:09.879 That's a great way to picture it, right. 43 00:02:09.759 --> 00:02:11.560 Because someone doesn't need a break through the front door, 44 00:02:11.599 --> 00:02:14.560 they can just drop in from above. So to defend 45 00:02:14.560 --> 00:02:17.000 the network like that, you really have to dive right 46 00:02:17.039 --> 00:02:19.240 into the mindset of the person trying to drop through the. 47 00:02:19.280 --> 00:02:24.199 Roof precisely, and in the security field, framing that mindset 48 00:02:24.240 --> 00:02:27.879 requires separating three terms that people I mean, they constantly 49 00:02:27.919 --> 00:02:32.560 mix them up, threat, vulnerability, and risk. Understanding how those 50 00:02:32.560 --> 00:02:36.199 three interact. That's the absolute foundation of thinking like a hacker. 51 00:02:36.240 --> 00:02:39.039 Okay, let's unpack this because I hear those used interchangeably 52 00:02:39.120 --> 00:02:41.599 all the time. But it's really a chain reaction, right 53 00:02:41.639 --> 00:02:44.319 it is. Yeah, So you have a vulnerability, which is 54 00:02:46.000 --> 00:02:49.080 it's just a weakness in your system. For example, let's 55 00:02:49.080 --> 00:02:50.919 say you buy a new router, you plug it in, 56 00:02:51.319 --> 00:02:54.400 and you just leave the password as the factory default 57 00:02:54.439 --> 00:02:56.639 like admin. That's your vulnerability exactly. 58 00:02:56.680 --> 00:03:00.400 A vulnerability is static, it's a static flaw just there 59 00:03:00.439 --> 00:03:03.280 doing nothing. A threat, on the other hand, well, that 60 00:03:03.319 --> 00:03:05.159 requires intent like a person. 61 00:03:05.400 --> 00:03:05.599 Right. 62 00:03:05.719 --> 00:03:08.680 A threat is the agent actively trying to cause disruption 63 00:03:08.840 --> 00:03:11.919 or steal data. So that could be a malicious human 64 00:03:11.960 --> 00:03:14.400 sitting in a car with a laptop, or even an 65 00:03:14.439 --> 00:03:18.120 automated piece of malware just scanning the Internet for open connections. 66 00:03:18.639 --> 00:03:21.319 The threat looks for the vulnerability, and. 67 00:03:21.280 --> 00:03:25.680 When the threat successfully finds and exploits that vulnerability. That 68 00:03:25.840 --> 00:03:28.159 is when you get the risk bingo. The risk is 69 00:03:28.199 --> 00:03:32.639 the actual damage, the stolen passwords, the intercepted corporate emails, 70 00:03:32.639 --> 00:03:35.960 a compromise database. So the vulnerability is the unlocked door 71 00:03:36.000 --> 00:03:38.960 to your house. The threat is the burglar walking down 72 00:03:39.000 --> 00:03:42.680 the street checking handles, and the risk is well, your 73 00:03:42.719 --> 00:03:43.800 television getting stolen. 74 00:03:43.919 --> 00:03:47.840 That is a perfect analogy really now, keeping that burglar 75 00:03:47.840 --> 00:03:51.080 analogy in mind, people often wonder why small networks, like 76 00:03:51.120 --> 00:03:54.879 small businesses, local dental offices, or even just your personal 77 00:03:54.919 --> 00:03:57.639 home network, why they are such prime targets. 78 00:03:57.439 --> 00:04:00.520 Right, because the assumption is that highly skilled hackers only 79 00:04:00.599 --> 00:04:04.719 care about hacking massive banks or multinational corporations, you. 80 00:04:04.680 --> 00:04:05.919 Know, which just isn't true. 81 00:04:06.199 --> 00:04:08.879 Yeah, Like, if I'm a cyber criminal, why would I 82 00:04:08.919 --> 00:04:11.439 waste my time sitting outside a local bakery trying to 83 00:04:11.479 --> 00:04:14.240 hack their Wi Fi. There's no massive payoff there. 84 00:04:14.319 --> 00:04:17.680 Well, it's all about the path of least resistance. Hackers 85 00:04:18.000 --> 00:04:21.279 they love low hanging fruit. Oh sure, a massive bank 86 00:04:21.319 --> 00:04:24.879 has a team of full time network administrators constantly monitoring 87 00:04:24.879 --> 00:04:29.160 traffic for anomalies, Right, A local bakery or your home 88 00:04:29.199 --> 00:04:30.360 network does not. 89 00:04:30.720 --> 00:04:31.240 Definitely not. 90 00:04:31.560 --> 00:04:35.439 Default settings are almost always left unchanged and there is 91 00:04:35.639 --> 00:04:40.040 zero intrusion detection. But the real secret here is that 92 00:04:40.079 --> 00:04:43.600 the wireless access point, the router itself, is rarely the 93 00:04:43.639 --> 00:04:44.600 actual target. 94 00:04:44.759 --> 00:04:46.279 It's just a gateway exactly. 95 00:04:46.560 --> 00:04:49.079 The real treasure usually isn't flating in the air. The 96 00:04:49.160 --> 00:04:51.120 Wi Fi is just a bridge to the wired network 97 00:04:51.160 --> 00:04:54.079 behind it. Once an attacker compromises the Wi Fi, they're 98 00:04:54.079 --> 00:04:57.279 inside the perimeter. Wow, they suddenly have full access to 99 00:04:57.319 --> 00:04:59.959 the file servers, the point of sale systems, the databasis 100 00:05:00.040 --> 00:05:02.560 sitting on that supposedly secure wired side. 101 00:05:02.879 --> 00:05:05.560 But even then, aren't a lot of these hackers just 102 00:05:05.680 --> 00:05:10.560 opportunistic kids, kind of like board teenagers wandering through a 103 00:05:10.600 --> 00:05:13.319 parking lot at night, just pulling on car door handles 104 00:05:13.360 --> 00:05:14.759 to see what happens to be unlocked. 105 00:05:14.879 --> 00:05:16.319 Yeah, a lot of them are. 106 00:05:16.319 --> 00:05:19.120 Because they aren't necessarily looking for a specific target. They 107 00:05:19.160 --> 00:05:20.680 just want to see what they can get into for 108 00:05:20.720 --> 00:05:21.480 bragging rights. 109 00:05:21.959 --> 00:05:25.360 A large portion of them certainly are doing exactly that. 110 00:05:26.000 --> 00:05:28.639 But that open car door analogy, it scales up to 111 00:05:28.680 --> 00:05:32.040 the most dangerous actors as well. Really, Oh yeah, the 112 00:05:32.120 --> 00:05:35.439 high end intruders. Sometimes the sources refer to them as 113 00:05:35.720 --> 00:05:40.399 uber hackers. They're pulling those handles for much more sophisticated reason. 114 00:05:40.759 --> 00:05:43.160 They aren't trying to steal the bakeries recipes. They want 115 00:05:43.199 --> 00:05:46.199 to use the bakery's network to mask their true location. 116 00:05:46.680 --> 00:05:49.519 Oh, I see, they're laundering their digital footprints precisely. 117 00:05:49.560 --> 00:05:51.800 If a top tier hacker is preparing to launch a 118 00:05:51.839 --> 00:05:56.399 major attack against say a highly secure e commerce database, 119 00:05:56.959 --> 00:05:59.160 they do not want the digital trail leading back to 120 00:05:59.160 --> 00:06:03.439 their own laptop. Obviously not, So they compromise a vulnerable 121 00:06:03.480 --> 00:06:07.360 small business router or your home network, and they route 122 00:06:07.399 --> 00:06:11.120 their attack right through your connection. When the authorities track 123 00:06:11.160 --> 00:06:14.040 the digital footprints of the attack, it leads straight back 124 00:06:14.079 --> 00:06:17.360 to your IP address. You become their disguise. 125 00:06:17.680 --> 00:06:21.480 That is terrifying. You could literally have federal investigators knocking 126 00:06:21.480 --> 00:06:24.800 on your door because someone parked outside your house used 127 00:06:24.800 --> 00:06:28.639 your Wi Fi to commit a felony yep, and without 128 00:06:28.680 --> 00:06:31.439 proper monitoring, you would have absolutely no idea it even happened, 129 00:06:31.519 --> 00:06:34.279 none at all, Which brings us to the core question, right, yeah, 130 00:06:34.319 --> 00:06:36.959 how do you prevent that? How do you test your 131 00:06:37.000 --> 00:06:41.079 own systems and find these vulnerabilities before the bad guys 132 00:06:41.120 --> 00:06:44.120 do without accidentally crossing a legal line or I don't know, 133 00:06:44.439 --> 00:06:45.720 bringing down your own network. 134 00:06:45.759 --> 00:06:48.439 Well, you need a highly structured methodology. This is the 135 00:06:48.480 --> 00:06:51.800 main difference between a hacker and an ethical hacker. Ethical 136 00:06:51.800 --> 00:06:54.879 hacking isn't just randomly firing off digital tools and seeing 137 00:06:54.920 --> 00:06:59.560 what breaks. It is a highly disciplined practice. The industry 138 00:06:59.560 --> 00:07:02.920 standard the term is penetration testing, so it's basically. 139 00:07:02.600 --> 00:07:05.360 A highly regulated game of capture the flag. When you 140 00:07:05.399 --> 00:07:08.720 conduct a penetration test, you have a specific goal. You're 141 00:07:08.720 --> 00:07:13.079 trying to answer three fundamental questions. Right First, what can 142 00:07:13.120 --> 00:07:17.720 an unauthorized intruder actually see on this network? Second? What 143 00:07:17.720 --> 00:07:21.360 can they do with that information? And third, and maybe 144 00:07:21.399 --> 00:07:25.240 most importantly, does anyone at the target location even notice 145 00:07:25.399 --> 00:07:26.879 that the intruder is poking around? 146 00:07:27.040 --> 00:07:30.560 Yes, and you have to answer those questions within very 147 00:07:30.600 --> 00:07:34.160 strict boundaries. There's a framework of rules often referred to 148 00:07:34.240 --> 00:07:36.160 as the Ten Commandments of ethical hacking. 149 00:07:36.240 --> 00:07:38.519 The ten Commandments I love that if. 150 00:07:38.519 --> 00:07:41.480 You violate these you transition immediately from a security professional 151 00:07:41.480 --> 00:07:45.040 to a cyber criminal. And the absolute most critical commandment 152 00:07:45.160 --> 00:07:47.199 is thou shalt obtain permission. 153 00:07:47.480 --> 00:07:49.720 You literally need to get out of jail free card 154 00:07:49.800 --> 00:07:51.399 in your pocket written permission. 155 00:07:51.639 --> 00:07:56.000 You must have explicit authorization outlining exactly what you're allowed 156 00:07:56.040 --> 00:07:58.319 to test, when you're allowed to test it, and what 157 00:07:58.399 --> 00:07:59.600 methods you can use. 158 00:07:59.600 --> 00:08:02.560 Because the legal system does not mess around with us anymore. 159 00:08:02.680 --> 00:08:05.360 There is actually this famous case out of Michigan that 160 00:08:05.480 --> 00:08:08.079 perfectly illustrates why permission is so vital. 161 00:08:08.399 --> 00:08:09.759 Oh, the war driving case. 162 00:08:10.160 --> 00:08:13.519 Yes, so this guy was out doing something called war driving, 163 00:08:14.160 --> 00:08:16.120 which is where you just drive around town with a 164 00:08:16.160 --> 00:08:19.879 laptop and an antenna, just scanning the airways to log 165 00:08:19.959 --> 00:08:21.800 the locations of different wireless networks. 166 00:08:22.079 --> 00:08:25.079 Right, and war driving itself exists in a bit of 167 00:08:25.120 --> 00:08:27.240 a legal gray area, depending on what you do with 168 00:08:27.279 --> 00:08:27.680 the data. 169 00:08:27.839 --> 00:08:32.320 Yeah, but this guy and his friends crossed a massive line. 170 00:08:32.360 --> 00:08:35.759 They parked outside a local hardware chain store, found the 171 00:08:35.799 --> 00:08:39.879 store's unsecured Wi Fi network, and connected to it. They missedake, 172 00:08:40.320 --> 00:08:43.440 and from there they access the store's central computer system 173 00:08:43.840 --> 00:08:47.279 and installed a program designed to capture customer credit card information. 174 00:08:48.000 --> 00:08:50.519 He was caught, and he became the first person in 175 00:08:50.559 --> 00:08:54.759 the United States convicted of that specific type of wireless crime. Wow, 176 00:08:54.799 --> 00:08:57.440 you do not want to be that guy. Without written permission. 177 00:08:57.679 --> 00:08:59.519 A judge isn't going to care if you claim you 178 00:08:59.519 --> 00:09:02.000 were just like testing their security for fun. 179 00:09:01.960 --> 00:09:05.080 Exactly, which ties directly into the second vital commandment, thou 180 00:09:05.159 --> 00:09:09.240 shalt do no harm. This is the prime directive when 181 00:09:09.240 --> 00:09:12.159 you are deep into a penetration test. It is very 182 00:09:12.200 --> 00:09:14.799 easy to get caught up in the intellectual thrill of 183 00:09:15.000 --> 00:09:18.840 cracking a system. But you cannot cause unplanned outages. You 184 00:09:18.879 --> 00:09:22.320 cannot crash the servers, and you absolutely cannot trample on 185 00:09:22.360 --> 00:09:24.679 employee privacy by reading personal emails. 186 00:09:24.919 --> 00:09:27.240 You're there to identify the hole in the fence, not 187 00:09:27.360 --> 00:09:28.519 to burn the building. 188 00:09:28.279 --> 00:09:32.960 Down, beautifully said. And finally, you must report all your findings. 189 00:09:33.440 --> 00:09:36.919 If you uncover fifty vulnerabilities, you report all fifty. You 190 00:09:36.960 --> 00:09:39.519 don't just highlight the easy fixes to make the client 191 00:09:39.600 --> 00:09:40.480 feel good. 192 00:09:40.679 --> 00:09:43.399 This all sounds incredibly rigorous. It's not just some guy 193 00:09:43.399 --> 00:09:45.559 in a hoodie typing furiously on a keyboard like you 194 00:09:45.600 --> 00:09:46.240 see in the movies. 195 00:09:46.399 --> 00:09:49.039 No, no, it's a scientific process. It has to be 196 00:09:49.080 --> 00:09:53.799 an empirical, repeatable method. The industry relies heavily on standardized 197 00:09:53.799 --> 00:09:58.200 frameworks like what One of the most comprehensive is the OSSTMM, 198 00:09:58.440 --> 00:10:01.360 the Open Source Security Test Methodology Manual. 199 00:10:01.600 --> 00:10:03.519 That is quite the acronym it is. 200 00:10:03.519 --> 00:10:08.000 Yeah, but it's pure reviewed and outlines incredibly specific steps 201 00:10:08.000 --> 00:10:11.200 for testing everything, and it goes far beyond just your 202 00:10:11.240 --> 00:10:15.440 standard WiFi router. It includes protocols for testing Bluetooth networks, 203 00:10:15.639 --> 00:10:20.120 cellular signals, and even get this, wireless input devices. 204 00:10:20.200 --> 00:10:25.600 Wait, wireless input devices like a wireless mouse or keyboard 205 00:10:25.679 --> 00:10:26.440 sitting on a desk. 206 00:10:26.879 --> 00:10:30.840 Yes, think about how a wireless keyboard works. Every time 207 00:10:30.919 --> 00:10:33.200 you press a key, that keyboard has to send an 208 00:10:33.279 --> 00:10:36.759 unencrypted burst of radio frequency to the little USB dongle 209 00:10:36.759 --> 00:10:39.919 plugged into your computer. Oh wow, Right, So if an 210 00:10:39.919 --> 00:10:42.440 attacker has the right equipment, they can simply pluck those 211 00:10:42.519 --> 00:10:44.720 radio pulses right out of the air. They don't need 212 00:10:44.720 --> 00:10:47.120 to hack your WiFi router to get your company password. 213 00:10:47.320 --> 00:10:49.440 They just sit in the parking lot and record the 214 00:10:49.559 --> 00:10:52.039 radio signals your keyboard emits as you type the password 215 00:10:52.039 --> 00:10:52.639 into your screen. 216 00:10:52.799 --> 00:10:54.840 That is mind blowing and it makes you realize how 217 00:10:54.840 --> 00:10:58.960 expansive this invisible battlefield really is. But I mean, a 218 00:10:59.039 --> 00:11:01.960 hacker can't explo any of these vulnerabilities if they can't 219 00:11:02.039 --> 00:11:03.360 physically capture the signal. 220 00:11:03.480 --> 00:11:04.639 Right, that's the bottleneck. 221 00:11:04.840 --> 00:11:07.159 So how do they stretch their reach? How do they 222 00:11:07.200 --> 00:11:10.720 physically execute this? That brings us to the hardware. The 223 00:11:10.759 --> 00:11:14.279 actual gear required to pull this off is fascinating, mostly 224 00:11:14.320 --> 00:11:17.120 because of what it isn't You would think in the 225 00:11:17.159 --> 00:11:20.519 modern era a hacker would just use a high powered smartphone. 226 00:11:20.600 --> 00:11:23.240 Well, it comes down to a trade off between portability 227 00:11:23.279 --> 00:11:28.000 and sheer processing power. Smartphones and small handheld devices which 228 00:11:28.080 --> 00:11:32.000 used to be PDAs like the classic HPIPAQ back in 229 00:11:32.039 --> 00:11:35.519 the day. They're fantastic for the war driving we discussed earlier. 230 00:11:35.600 --> 00:11:36.240 As they're small. 231 00:11:36.320 --> 00:11:39.919 They're small, battery efficient, and great for simply driving around 232 00:11:39.960 --> 00:11:43.320 and logging the public names of networks, which are called SSIDs. 233 00:11:43.799 --> 00:11:46.919 But logging a network is very different from breaking into. 234 00:11:46.720 --> 00:11:50.320 One, right because breaking into a network, especially cracking modern 235 00:11:50.399 --> 00:11:54.159 encryption locks like WPA two, is essentially just pure brute 236 00:11:54.159 --> 00:11:54.799 force math. 237 00:11:55.120 --> 00:11:58.679 Exactly, when you're analyzing millions of packets of data or 238 00:11:58.720 --> 00:12:02.440 running intensive cryptographic algorithms to crack a password, you need 239 00:12:02.600 --> 00:12:06.360 massive CPU power. A smartphone will simply overheat and fail 240 00:12:06.600 --> 00:12:07.320 trying to do that. 241 00:12:07.360 --> 00:12:08.039 Math makes sense. 242 00:12:08.039 --> 00:12:10.399 An ethical hacker relies on a laptop because they need 243 00:12:10.440 --> 00:12:14.279 the processing capabilities, the larger hard drives to store captured data, 244 00:12:14.679 --> 00:12:18.000 and the ability to run specialized operating systems. 245 00:12:17.759 --> 00:12:21.639 And that operating system requirement is a huge hurdle. Most 246 00:12:21.639 --> 00:12:24.960 consumer laptops run Windows or macOS, but a lot of 247 00:12:25.000 --> 00:12:28.240 the most powerful security tools are built natively for Linux. 248 00:12:29.200 --> 00:12:32.200 But you can't just pause a penetration test, shut down 249 00:12:32.200 --> 00:12:34.919 your computer, and reboot into a different operating system just 250 00:12:34.960 --> 00:12:36.360 to run one specific tool. 251 00:12:36.639 --> 00:12:39.559 No, you need agility, and you also need a very 252 00:12:39.600 --> 00:12:44.360 specific capability that standard operating systems restrict. Windows, for example, 253 00:12:44.399 --> 00:12:47.399 is designed to be user friendly and safe. It actively 254 00:12:47.440 --> 00:12:50.440 prevents the user from directly manipulating the network card to 255 00:12:50.519 --> 00:12:53.600 inject raw forged packets of data into the air. 256 00:12:53.879 --> 00:12:55.720 To keep you from breaking your own stuff, right. 257 00:12:55.559 --> 00:12:58.080 It protects the user from breaking their own machine. But 258 00:12:58.360 --> 00:13:01.080 a hacker needs to break those rules. They need what 259 00:13:01.240 --> 00:13:05.000 is called raw socket access. Linux specifically, when paired with 260 00:13:05.080 --> 00:13:08.360 certain customized drivers, takes the training wheels off. It allows 261 00:13:08.360 --> 00:13:10.440 the hacker to directly control the radio waves. 262 00:13:10.720 --> 00:13:13.000 So how do you get that Linux capability? If you're 263 00:13:13.039 --> 00:13:16.600 working on a Windows laptop, you use an emulator. It's 264 00:13:16.600 --> 00:13:18.960 like a Russian nesting doll of operating systems. 265 00:13:19.000 --> 00:13:23.159 Precisely, you use software to run an entirely separate operating 266 00:13:23.159 --> 00:13:26.559 system inside a window on your current desktop. Tools like 267 00:13:26.639 --> 00:13:30.919 sigwin can create a Unix like environment directly inside Windows, 268 00:13:31.080 --> 00:13:32.559 translating the commands on the fly. 269 00:13:32.799 --> 00:13:33.480 Oh that's clever. 270 00:13:33.799 --> 00:13:36.960 Or you use software like VMware, which creates a complete 271 00:13:37.120 --> 00:13:40.519 virtual machine. You could be running Windows as your base, 272 00:13:40.960 --> 00:13:43.879 but have a fully functional red hat Linux machine running 273 00:13:43.879 --> 00:13:48.080 inside it, utilizing all those specialized hacking tools simultaneously. 274 00:13:48.480 --> 00:13:50.480 There's also a really elegant solution if you don't want 275 00:13:50.480 --> 00:13:52.840 to install anything at all. Live CDs. 276 00:13:53.039 --> 00:13:54.519 Oh I love live CDs. Right. 277 00:13:54.559 --> 00:13:56.679 You take a disc with a specialized operating system like 278 00:13:56.759 --> 00:13:59.960 Knoppix or war Linux, pop it into the drive, and reboot. 279 00:14:00.399 --> 00:14:03.200 The entire operating system runs directly off the CD into 280 00:14:03.240 --> 00:14:04.240 the computer's. 281 00:14:03.840 --> 00:14:05.480 Ram, never touches the hard drive. 282 00:14:05.559 --> 00:14:08.799 Exactly when you are done, you inject the disc, reboot, 283 00:14:08.919 --> 00:14:11.480 and it's like you were never there. It's a ghost 284 00:14:11.559 --> 00:14:15.519 operating system. Here's where it gets really interesting. Though. As 285 00:14:15.600 --> 00:14:19.519 cool as the software is, the physical gear is where 286 00:14:19.519 --> 00:14:22.960 the real ingenuity shines. Specifically the antennas. 287 00:14:23.200 --> 00:14:25.679 Yeah, the antenna is the hacker's ear to the ground. 288 00:14:26.000 --> 00:14:29.960 The internal wireless card in the laptop, specifically cards using 289 00:14:30.000 --> 00:14:33.559 the hernies or prism to chipsets are highly prized because 290 00:14:33.559 --> 00:14:35.120 they support monitor mode. 291 00:14:35.200 --> 00:14:36.000 Monitor mode. 292 00:14:36.039 --> 00:14:39.240 Monitor mode allows the wireless card to stop ignoring traffic 293 00:14:39.279 --> 00:14:42.159 that isn't addressed to it and instead listen to every 294 00:14:42.200 --> 00:14:45.000 single piece of data flying through the air, regardless of 295 00:14:45.000 --> 00:14:47.919 where it is going. But the internal antenna of a 296 00:14:48.000 --> 00:14:50.679 laptop is weak. To capture data from a distance, you 297 00:14:50.759 --> 00:14:53.559 need specialized external antennas. 298 00:14:53.200 --> 00:14:57.039 And there are two main categories here. First is omnidirectional OMNI, 299 00:14:57.080 --> 00:14:59.399 meaning all directions. These are like the little plastic sticks 300 00:14:59.440 --> 00:15:01.360 you see on the back of your home rider. Think 301 00:15:01.399 --> 00:15:04.000 of an omnidirectional antenna like a bare light bulb hanging 302 00:15:04.000 --> 00:15:06.000 in the middle of a room. It pushes energy out 303 00:15:06.000 --> 00:15:08.559 in a complete three hundred and sixty degree sphere. It 304 00:15:08.600 --> 00:15:11.480 covers everywhere, but because the energy is spread out so thin, 305 00:15:11.600 --> 00:15:12.679 it doesn't reach very far. 306 00:15:12.960 --> 00:15:16.840 Omnidirectional antennas are perfect for war driving, though. A hacker 307 00:15:16.840 --> 00:15:19.240 will mount a large omni antenna to the roof of 308 00:15:19.279 --> 00:15:21.759 their car so they can pick up signals from houses 309 00:15:21.799 --> 00:15:23.600 on both sides of the street as they drive through 310 00:15:23.600 --> 00:15:26.879 a neighborhood, and they pair that antenna directly with a 311 00:15:26.919 --> 00:15:28.919 GPS device plugged into the laptop. 312 00:15:29.399 --> 00:15:31.360 This is the part that feels like a spy movie 313 00:15:31.440 --> 00:15:35.159 to me. The laptop is constantly pulling in the network 314 00:15:35.240 --> 00:15:41.480 names the SSIDs from the antenna. Simultaneously, it is pulling 315 00:15:41.519 --> 00:15:46.399 the exact latitude and longitude from the GPS. The software 316 00:15:46.679 --> 00:15:49.960 marries those two pieces of data together in real time YEP. 317 00:15:50.240 --> 00:15:54.240 As you drive, the computer is literally drawing a map, 318 00:15:54.639 --> 00:15:58.039 dropping a pin on the exact coordinates of every vulnerable 319 00:15:58.080 --> 00:16:00.600 network you pass. You end up with a lit treasure 320 00:16:00.639 --> 00:16:03.120 map of an entire city's digital weak points. 321 00:16:03.320 --> 00:16:05.840 But what if the target isn't a neighborhood. What if 322 00:16:05.840 --> 00:16:08.840 the target is a specific corporate building sitting a quarter 323 00:16:08.879 --> 00:16:12.799 mile away across a busy highway. The omni directional antenna 324 00:16:12.799 --> 00:16:14.960 won't reach it. The light bulb isn't bright enough. 325 00:16:15.039 --> 00:16:17.399 That is when you build a cantenna. This is mcgiver 326 00:16:17.519 --> 00:16:21.559 level engineering and it is brilliant. Yeah, a cantenna is 327 00:16:21.559 --> 00:16:24.240 a directional antenna. You can literally build one out of 328 00:16:24.240 --> 00:16:26.279 an empty SOUPCN or prinkle. 329 00:16:25.879 --> 00:16:28.600 Scan after you eat the chips, of course, obviously. 330 00:16:28.240 --> 00:16:30.600 You drill a hole in the side solder a small 331 00:16:30.639 --> 00:16:33.480 piece of copper wire to a connector and bolt it in. 332 00:16:34.080 --> 00:16:36.960 If an omni antenna is a bare light bulb. A 333 00:16:36.960 --> 00:16:40.799 cantenna is a flashlight. The metal walls of the cantenna 334 00:16:41.240 --> 00:16:44.240 can focus all that scattered radio energy and shoot it 335 00:16:44.279 --> 00:16:46.480 out in one blindingly concentrated beam. 336 00:16:46.720 --> 00:16:47.399 It's amazing. 337 00:16:47.639 --> 00:16:50.279 Suddenly, instead of listening to a fifty foot radius, you 338 00:16:50.320 --> 00:16:53.120 can pinpoint a specific window on the tenth floor of 339 00:16:53.159 --> 00:16:54.879 a building halfway across the city. 340 00:16:55.080 --> 00:16:58.639 It is a remarkable piece of improvised physics. So armed 341 00:16:58.639 --> 00:17:01.279 with this map, the soft where the processing power in 342 00:17:01.320 --> 00:17:05.440 the directional antennas, what is the hacker's actual first move. 343 00:17:05.680 --> 00:17:08.680 Well, you would assume they immediately launch some incredibly complex 344 00:17:08.720 --> 00:17:11.839 cryptographic attack to smash the passwords. But they don't. No, 345 00:17:11.920 --> 00:17:15.920 they don't. The first step is entirely passive. It's called footprinting. 346 00:17:16.680 --> 00:17:18.680 You don't try to break the locks until you check 347 00:17:18.680 --> 00:17:21.160 if someone just left the keys under the mat, And 348 00:17:21.279 --> 00:17:23.559 nine times out of ten the keys are left out 349 00:17:23.680 --> 00:17:27.160 due to simple human error, which brings us to arguably 350 00:17:27.200 --> 00:17:30.160 the most dangerous reconnaissance tool in the world. Google. 351 00:17:30.519 --> 00:17:34.759 It sounds overly simplistic, but it is devastatingly effective. This 352 00:17:34.839 --> 00:17:37.759 doesn't involve the dark web or special software. It is 353 00:17:37.880 --> 00:17:43.160 literally just using Google dot Com, hackers use advanced search queries, 354 00:17:43.200 --> 00:17:45.079 which is often called Google dorking. 355 00:17:45.599 --> 00:17:49.039 Right, you type in very specific search operators. For instance, 356 00:17:49.079 --> 00:17:51.759 you could tell Google to only search a specific company's 357 00:17:51.759 --> 00:17:55.039 public website and then use the operator file type colon 358 00:17:55.200 --> 00:17:57.000 XLS mixed with the word password. 359 00:17:57.079 --> 00:17:58.079 Oh, that's a classic. 360 00:17:58.200 --> 00:18:00.720 Google will instantly scour that public SA server and hand 361 00:18:00.720 --> 00:18:04.519 you any Excel spreadsheets that an employee accidentally uploaded containing 362 00:18:04.519 --> 00:18:08.480 system passwords. Or you can search for Visio network diagrams, 363 00:18:08.680 --> 00:18:12.720 which literally provide a blueprint of the company's entire digital infrastructure. 364 00:18:12.920 --> 00:18:14.559 You don't have to hack the network to figure out 365 00:18:14.559 --> 00:18:16.559 how it's built. You just ask Google to find the 366 00:18:16.599 --> 00:18:18.400 map an engineer accidentally made. 367 00:18:18.200 --> 00:18:22.359 Public the sources detail. An even more direct method using Google, 368 00:18:22.599 --> 00:18:25.400 an attacker can search for specific strings of texts that 369 00:18:25.440 --> 00:18:28.920 appear on the default logging pages of commercial routers like 370 00:18:29.160 --> 00:18:32.720 Cisco or d Link hardware. You can click a link 371 00:18:32.759 --> 00:18:35.480 on a Google Search results page and find yourself staring 372 00:18:35.559 --> 00:18:39.559 directly at the live, unprotected administrative control panel for a 373 00:18:39.640 --> 00:18:42.599 router in a warehouse on the other side of the country, all. 374 00:18:42.480 --> 00:18:44.920 Because someone plugged it in, connected to the Internet and 375 00:18:44.960 --> 00:18:47.519 forgot to put a password on it. Yeah, this perfectly 376 00:18:47.519 --> 00:18:49.720 illustrates a concept called candy security. 377 00:18:49.960 --> 00:18:52.960 It's an excellent metaphor. A network might have a hard, 378 00:18:53.079 --> 00:18:57.039 crunchy exterior. The IT department spends a fortune on state 379 00:18:57.079 --> 00:19:01.440 of the art firewalls, complex WPA two encryption and intrusion 380 00:19:01.480 --> 00:19:05.519 detection software. It looks impenetrable from the outside. 381 00:19:05.359 --> 00:19:08.680 But once you bypass that thin, crunchy outer shell, the 382 00:19:08.680 --> 00:19:11.920 inside is incredibly soft and chewy. The inside of the 383 00:19:11.960 --> 00:19:16.359 network is full of unencrypted internal traffic, sensitive documents, sitting 384 00:19:16.359 --> 00:19:20.240 on open chair drives, and most importantly, gullible people. 385 00:19:20.519 --> 00:19:21.480 That's the real issue. 386 00:19:21.559 --> 00:19:24.160 If an attacker can find just one tiny crack in 387 00:19:24.200 --> 00:19:27.279 that crunchy shell, they have free rain in the chewy center. 388 00:19:27.440 --> 00:19:30.200 And the most common way hackers get past that crunchy 389 00:19:30.200 --> 00:19:34.480 shell is through the employees themselves. There is a highly 390 00:19:34.519 --> 00:19:37.559 relatable scenario from the source material that plays out in 391 00:19:37.599 --> 00:19:41.759 offices every single day. Imagine an employee will call him Lars. 392 00:19:42.079 --> 00:19:44.880 We all know Lars. Lars works in a cubicle near 393 00:19:44.920 --> 00:19:47.319 the center of the office, but his desk is right 394 00:19:47.359 --> 00:19:49.880 next to a noisy printer. He wants to work for 395 00:19:49.920 --> 00:19:52.759 the breakroom couch down the hall where it's quiet, but 396 00:19:52.799 --> 00:19:55.160 there's no etnet jack in the wall there to plug 397 00:19:55.200 --> 00:19:55.960 his laptop into. 398 00:19:56.000 --> 00:19:59.880 It is a completely innocent workplace desire. Lars isn't trying 399 00:19:59.920 --> 00:20:02.079 to sabotage the company. He just wants to get his 400 00:20:02.119 --> 00:20:02.960 work done in peace. 401 00:20:03.200 --> 00:20:06.720 Exactly so, on his lunch break, Lars runs down to 402 00:20:06.759 --> 00:20:09.920 the local electronic store and buys a cheap sixty dollars 403 00:20:09.960 --> 00:20:12.640 consumer Wi Fi router. He brings it back to his desk, 404 00:20:12.880 --> 00:20:15.000 plugs it into the corporate network jack on his wall, 405 00:20:15.119 --> 00:20:18.440 and turns it on. His laptop connects wirelessly. He moves 406 00:20:18.480 --> 00:20:21.440 to the break room, and he is thrilled. He solved 407 00:20:21.440 --> 00:20:24.559 his problem, Oh Lars. But Lars isn't an IT professional. 408 00:20:25.039 --> 00:20:28.039 He didn't set up WPA too encryption, he didn't create 409 00:20:28.079 --> 00:20:31.480 a strong password Without realizing it. Lars just took his 410 00:20:31.480 --> 00:20:35.640 company's million dollar rock solid firewall and completely bypassed it. 411 00:20:36.240 --> 00:20:38.960 He is now broadcasting the soft chewy center of the 412 00:20:38.960 --> 00:20:42.440 corporate network out into the public parking lot for anyone 413 00:20:42.519 --> 00:20:43.759 with a cantenna to connect to. 414 00:20:44.119 --> 00:20:49.440 Lars's actions highlight the eternal ongoing battle in technology security 415 00:20:49.559 --> 00:20:54.400 versus convenience users. Fundamentally want technology to just work. They 416 00:20:54.440 --> 00:20:58.599 want anywhere, all the time. Access and consumer operating systems 417 00:20:58.640 --> 00:21:01.960 are built to provide exactly that. Features like a smartphone 418 00:21:02.000 --> 00:21:05.799 automatically connecting to the nearest open Wi Fi network, prioritize 419 00:21:05.799 --> 00:21:07.920 instant connectivity over safety. 420 00:21:07.599 --> 00:21:10.119 Because if a device is hard to connect, customers get 421 00:21:10.160 --> 00:21:11.279 frustrated and return it. 422 00:21:11.440 --> 00:21:14.759 Exactly when you make a system highly secure, you inevitably 423 00:21:14.799 --> 00:21:17.839 make it less convenient. You have to remember long passwords, 424 00:21:17.920 --> 00:21:21.200 use multi factor authentication, use VPNs. When you make a 425 00:21:21.200 --> 00:21:24.160 system perfectly convenient, you almost always make it insecure. 426 00:21:24.359 --> 00:21:27.279 So if the technology is constantly trying to be convenient 427 00:21:27.480 --> 00:21:29.480 and the users just want to get their work done, 428 00:21:29.920 --> 00:21:32.440 hackers often realize they don't need to hack the technology 429 00:21:32.480 --> 00:21:34.640 at all. They just hack the human being. 430 00:21:34.920 --> 00:21:39.960 We call this social engineering. You bypass the complex cryptography entirely. 431 00:21:40.359 --> 00:21:45.240 Hackers will pose as outside it consultants or elevator repair technicians, 432 00:21:45.680 --> 00:21:48.759 or even a new employee from the accounting department. They 433 00:21:48.759 --> 00:21:51.599 will confidently walk into a building with a clipboard, find 434 00:21:51.599 --> 00:21:54.480 a receptionist and simply ask for the Wi Fi password. 435 00:21:54.799 --> 00:21:56.759 They will ask for the SSID. 436 00:21:56.440 --> 00:21:59.160 Network name, and people just hand it over. They do 437 00:21:59.279 --> 00:22:03.920 because human being are naturally helpful and trusting. If someone 438 00:22:03.960 --> 00:22:06.319 looks the part and acts like they belong there, we 439 00:22:06.440 --> 00:22:08.960 hold the door open for them. It really puts things 440 00:22:08.960 --> 00:22:12.720 into perspective. We build these incredibly complex invisible radio networks 441 00:22:12.799 --> 00:22:16.319 using advanced mathematics and military grade encryption. But the absolute 442 00:22:16.359 --> 00:22:19.519 biggest threat to wireless security is human fallibility. 443 00:22:19.599 --> 00:22:20.319 Always has been. 444 00:22:20.400 --> 00:22:24.079 It's leaving the router password as admin. It's Lars plugging 445 00:22:24.079 --> 00:22:26.000 in a cheap router so he can sit on a couch. 446 00:22:26.480 --> 00:22:28.559 It's an employee handing the Wi Fi key to a 447 00:22:28.599 --> 00:22:29.680 stranger with a clipboard. 448 00:22:29.839 --> 00:22:33.279 It is the ultimate vulnerability. You can deploy the most 449 00:22:33.319 --> 00:22:37.720 expensive sophisticated technical defenses money can buy, but if your 450 00:22:37.759 --> 00:22:41.359 personnel are not actively trained to recognize a social engineering attack, 451 00:22:41.880 --> 00:22:44.200 or if they don't understand the risks of shadow it 452 00:22:44.680 --> 00:22:48.240 like Lars's rogue router, your network is wide open. 453 00:22:48.319 --> 00:22:51.519 It is incredibly humbling. Securing a wireless network is absolutely 454 00:22:51.559 --> 00:22:54.200 not a set it and forget it task. You cannot 455 00:22:54.200 --> 00:22:57.160 just buy a security appliance, plug it in and assume 456 00:22:57.200 --> 00:22:58.160 you are safe forever. 457 00:22:58.599 --> 00:23:02.000 It is an ongoing arms rate. The methodologies and tools 458 00:23:02.000 --> 00:23:05.799 hackers use are constantly evolving, which means your defensive posture 459 00:23:05.839 --> 00:23:10.920 must continuously adapt. It requires constant vigilance, regular penetration testing 460 00:23:11.000 --> 00:23:14.359 using the ethical hacking frameworks we discussed, and most importantly, 461 00:23:14.519 --> 00:23:17.559 continuous education for the humans who actually interact with the 462 00:23:17.599 --> 00:23:20.640 network every day. You have to patch the software, yes, 463 00:23:20.680 --> 00:23:22.680 but you also have to patch the human behavior. 464 00:23:22.759 --> 00:23:24.839 Patch the human behavior. That is the perfect way to 465 00:23:24.839 --> 00:23:27.039 phrase it. As we wrap up this deep dive, I 466 00:23:27.079 --> 00:23:28.880 want to bring it back to that physical imagery we 467 00:23:28.920 --> 00:23:32.400 started with because it fundamentally changes how you perceive your environment. 468 00:23:32.680 --> 00:23:34.799 I want you to think about the physical dimensions of 469 00:23:34.839 --> 00:23:36.920 your own home or the office you are sitting in 470 00:23:37.000 --> 00:23:41.000 right now. As humans, our brains naturally assume that our 471 00:23:41.039 --> 00:23:44.680 privacy stops at the physical barrier. It stops at the 472 00:23:44.680 --> 00:23:47.039 front door or at the glass of the window. We 473 00:23:47.160 --> 00:23:49.039 lock the dead bolt, we draw the blinds, and we 474 00:23:49.079 --> 00:23:50.519 feel perfectly. 475 00:23:50.000 --> 00:23:51.759 Secure because no one can see in it. 476 00:23:52.039 --> 00:23:55.599 But your wireless routers radio waves do not care about 477 00:23:55.640 --> 00:23:57.960 your drywall. They do not care about your locked doors 478 00:23:58.039 --> 00:24:01.839 or your drawn blinds. Right now, at this exact second, 479 00:24:02.000 --> 00:24:05.640 the signals carrying your private emails, your financial records, and 480 00:24:05.680 --> 00:24:08.759 your personal conversations are bleeding through the walls, they are 481 00:24:08.759 --> 00:24:11.640 expanding out into the street. So if your most sensitive 482 00:24:11.680 --> 00:24:14.359 digital life is physically floating in the air, sitting in 483 00:24:14.359 --> 00:24:18.079 the passenger seat of a stranger's car parked outside your building, wait, no, 484 00:24:18.240 --> 00:24:21.119 sitting right there where anyone can grab it, how safe 485 00:24:21.119 --> 00:24:22.000 do you really feel? 486 00:24:22.240 --> 00:24:25.200 That is an incredibly haunting thought to leave on The 487 00:24:25.279 --> 00:24:27.519 walls around you are not as solid as you think. 488 00:24:28.000 --> 00:24:31.319 Lock your digital doors, keep learning, stay curious, and we 489 00:24:31.359 --> 00:24:32.880 will catch you on the next deep dive.