WEBVTT 1 00:00:00.040 --> 00:00:03.080 Welcome back to the deep dive. Ready to dive into 2 00:00:03.120 --> 00:00:04.639 some ethical hacking today. 3 00:00:04.759 --> 00:00:05.839 Always ready, we're. 4 00:00:05.639 --> 00:00:08.759 Going to be looking specifically at red teaming. We've got 5 00:00:08.759 --> 00:00:11.400 a great guide for this one, the Hacker Playbook three 6 00:00:11.599 --> 00:00:12.400 by Peter Kim. 7 00:00:12.480 --> 00:00:16.719 Oh yeah, great book. It's like kind of flipping this script, right, 8 00:00:16.960 --> 00:00:19.000 learning to think like the bad guys exactly. 9 00:00:19.160 --> 00:00:22.239 So how would you explain red teaming for someone who 10 00:00:22.359 --> 00:00:24.760 might not be, you know, super familiar with it. 11 00:00:24.760 --> 00:00:27.160 It's kind of like, well, it's more than just you know, 12 00:00:27.480 --> 00:00:31.280 checking for vulnerabilities. It's more about like simulating a real. 13 00:00:31.120 --> 00:00:34.520 Attack, so like more than just a vulnerability scan. 14 00:00:34.520 --> 00:00:37.280 Right, It's like, okay, traditional pen testing that's like checking 15 00:00:37.280 --> 00:00:40.159 the locks on your doors, but red teaming that's like 16 00:00:40.280 --> 00:00:42.520 hiring someone to actually try and break into your house. 17 00:00:42.679 --> 00:00:45.039 Ethically of course, well, of course ethically. Yeah, that's a 18 00:00:45.039 --> 00:00:48.079 great analogy. So, like, how would that kind of approach 19 00:00:48.200 --> 00:00:50.200 actually benefit an organization? 20 00:00:50.600 --> 00:00:53.960 I think it just gives them a much better understanding of, 21 00:00:55.039 --> 00:00:57.840 you know, where their weaknesses are, like how an attacker 22 00:00:57.840 --> 00:01:01.000 would actually exploit those vulnerability. 23 00:01:00.399 --> 00:01:03.679 So it helps them prioritize right totally instead of just 24 00:01:03.679 --> 00:01:05.159 being like, oh, we have this vulnerability. 25 00:01:05.200 --> 00:01:08.519 It's like, okay, but how could someone actually. 26 00:01:08.319 --> 00:01:12.519 Exploit that makes sense? So what kind of tools would 27 00:01:12.560 --> 00:01:14.920 a red team or actually use in one of these 28 00:01:15.680 --> 00:01:16.799 simulated attacks. 29 00:01:17.000 --> 00:01:20.959 Oh, there's a ton of specialized tools this book talks about, 30 00:01:21.159 --> 00:01:25.159 like metasploit for example. Yeah, metasploit that's a framework for 31 00:01:25.239 --> 00:01:28.120 like developing and testing exploits. And then you got things 32 00:01:28.120 --> 00:01:30.599 like cobalt strike, which is like what they'd use after 33 00:01:30.599 --> 00:01:32.799 they've already gotten in to really move around. 34 00:01:32.920 --> 00:01:35.599 So Metasploit's kind of like the battering ram, and then 35 00:01:35.640 --> 00:01:37.920 cobalt strike is what they use once they're inside. 36 00:01:38.040 --> 00:01:42.239 Yeah, kind of like that. There's also Responder. It's a 37 00:01:42.239 --> 00:01:45.120 cool one. It takes advantage of how Windows networks talk 38 00:01:45.159 --> 00:01:47.840 to each other to like capture sensitive information. 39 00:01:47.480 --> 00:01:48.959 So like usernames and passwords. 40 00:01:49.079 --> 00:01:51.680 Yeah, exactly. Basically they're eavesdropping on the network. 41 00:01:51.760 --> 00:01:54.000 So just by being on a network, someone could like 42 00:01:54.400 --> 00:01:58.239 potentially snag my log in credentials potentially. 43 00:01:58.439 --> 00:02:02.280 Yeah, there are ways to mitigate that risk though. 44 00:02:02.519 --> 00:02:04.680 Okay, that's good to know. I'm already feeling a little 45 00:02:04.760 --> 00:02:09.520 vulnerable here, and we can't forget about passwords, right, those 46 00:02:09.560 --> 00:02:11.280 are still a huge target. 47 00:02:11.000 --> 00:02:13.639 Totally This book goes into like all the different ways 48 00:02:13.639 --> 00:02:18.439 attackers can crack passwords, route force attacks, dictionary attacks. It's 49 00:02:18.479 --> 00:02:19.080 pretty crazy. 50 00:02:19.159 --> 00:02:23.560 So a strong unique password is still like the best offense. 51 00:02:23.680 --> 00:02:26.120 It's one of the most important for sure. Like having 52 00:02:26.159 --> 00:02:28.919 a really good lock on your front door makes sense. 53 00:02:29.439 --> 00:02:31.719 So let's say our red teamer they've got their tools 54 00:02:31.759 --> 00:02:34.000 ready to go. What's the first step in one of 55 00:02:34.000 --> 00:02:34.639 these attacks. 56 00:02:34.759 --> 00:02:38.919 Reconnaissance. You's got to start with recon recon Yeah, reconnaissance 57 00:02:39.080 --> 00:02:42.479 gathering information about their target, like as much as possible. 58 00:02:42.560 --> 00:02:45.919 So they're basically spying on their target, but in a 59 00:02:45.960 --> 00:02:46.680 good way. 60 00:02:46.639 --> 00:02:49.599 Right, Like it's like a detective gathering evidence before they 61 00:02:49.599 --> 00:02:50.400 go make an arrest. 62 00:02:50.599 --> 00:02:53.000 That makes sense. So what kind of techniques do they 63 00:02:53.080 --> 00:02:53.520 use for that? 64 00:02:53.599 --> 00:02:57.400 Well, the book talks about things like n map. It's 65 00:02:57.439 --> 00:03:00.560 a tool that can scan networks see what ports and 66 00:03:00.599 --> 00:03:01.400 services are open. 67 00:03:01.439 --> 00:03:02.599 Okay, en map. What else? 68 00:03:02.840 --> 00:03:06.360 Oh, there's eyewitness That one takes screenshots of websites to 69 00:03:06.439 --> 00:03:09.039 get info about you know, how they're structured. 70 00:03:09.120 --> 00:03:11.080 So end map is like locking on the doors, seeing 71 00:03:11.120 --> 00:03:14.639 who answers, and then eyewitnesses like peeking through the windows exactly, 72 00:03:14.680 --> 00:03:18.120 pretty sneaky. What about cloud environments, Like, how do they 73 00:03:18.120 --> 00:03:19.120 factor into all of this? 74 00:03:19.520 --> 00:03:22.120 Cloud scanning is a big deal these days. There are 75 00:03:22.199 --> 00:03:27.560 tools that can find misconfigurations or like exposed data in 76 00:03:27.639 --> 00:03:28.120 the cloud. 77 00:03:28.280 --> 00:03:30.639 Makes sense since everything's moving to the cloud these days. 78 00:03:30.479 --> 00:03:33.719 Yeah, for sure. And then there's you know, subdomain discovery 79 00:03:33.879 --> 00:03:36.120 trying to find all those hidden parts of a website 80 00:03:36.120 --> 00:03:37.120 that might be vulnerable. 81 00:03:37.360 --> 00:03:41.199 So they're leaving no stone unturned. They're looking for weaknesses everywhere. 82 00:03:41.280 --> 00:03:44.199 Yep. That's the whole point of red teaming, simulating a 83 00:03:44.240 --> 00:03:47.159 real attack, which means finding any weakness they can. 84 00:03:47.319 --> 00:03:50.520 So I'm curious, is it all like technical vulnerabilities they're 85 00:03:50.560 --> 00:03:53.319 looking for or do they also use you know, social engineering? 86 00:03:53.560 --> 00:03:56.159 Oh, social engineer is huge. The book even gives an 87 00:03:56.159 --> 00:04:00.479 example of how they might use a like a phishing emails. 88 00:04:00.439 --> 00:04:02.800 Right, the classic try to trick you into clicking on a. 89 00:04:02.759 --> 00:04:06.159 Bad link yep, exactly, praying on people's you know, natural 90 00:04:06.199 --> 00:04:08.120 tendency to trust to be helpful. 91 00:04:08.199 --> 00:04:11.840 So even if someone's like pretty savvy with technology, they 92 00:04:11.840 --> 00:04:15.039 can still fall victim to these social engineering attacks. 93 00:04:15.080 --> 00:04:17.680 Totally, it's all about psychology, So it's not just about 94 00:04:17.680 --> 00:04:21.040 having you know, good tech defenses. It's also about educating people. 95 00:04:20.879 --> 00:04:22.879 Making sure everyone's aware of the risks. 96 00:04:22.600 --> 00:04:25.800 Exactly because the human element that's often the weakest link. 97 00:04:26.199 --> 00:04:30.800 Makes sense. So let's say hypothetically someone does fall victim 98 00:04:30.879 --> 00:04:32.439 to one of these phishing attacks. 99 00:04:33.279 --> 00:04:36.519 What happens next, Well, the attacker would want to you know, 100 00:04:37.079 --> 00:04:40.560 gain a foothold in the network and then start moving laterally, 101 00:04:40.680 --> 00:04:43.399 moving laterally, yeah, like spreading to other systems. They might 102 00:04:43.519 --> 00:04:45.480 use a tool like you know, Responder, which we talked 103 00:04:45.480 --> 00:04:48.920 about earlier, to grab credentials and get access to other accounts. 104 00:04:49.000 --> 00:04:50.920 So it's like a domino effect kind of. 105 00:04:51.000 --> 00:04:53.560 Yeah, one compromise system leads to another, and so on 106 00:04:53.720 --> 00:04:55.680 until they reach their final objective. 107 00:04:55.319 --> 00:04:59.879 Which could be anything I guess stealing sensitive data, disrupting operations. 108 00:05:00.279 --> 00:05:02.839 It depends on the attackers goals, but yeah, it could 109 00:05:02.839 --> 00:05:06.519 be pretty scary stuff. And they might even try to 110 00:05:06.680 --> 00:05:10.759 escalate their privileges. Yeah, you know, get admin access. 111 00:05:10.439 --> 00:05:13.120 So they can have even more control. Wow, it's a 112 00:05:13.160 --> 00:05:15.839 whole like a chess match, isn't it? Trying to stay 113 00:05:15.839 --> 00:05:16.600 one step ahead? 114 00:05:16.680 --> 00:05:18.279 It really is. It's a fascinating field. 115 00:05:18.399 --> 00:05:20.720 Well, we're definitely just scratching the surface here. We haven't 116 00:05:20.720 --> 00:05:24.720 even gotten into like NTLM hashes or you know all 117 00:05:24.759 --> 00:05:26.360 those other technical details. 118 00:05:26.399 --> 00:05:27.399 We'll save those for next time. 119 00:05:27.519 --> 00:05:30.639 Sounds good, Stay tuned for part two of our deep 120 00:05:30.720 --> 00:05:34.000 dive into red teaming. We'll be getting into even more 121 00:05:34.040 --> 00:05:37.439 of the the nitty gritty details. 122 00:05:37.680 --> 00:05:40.439 Can't wait back for more red teaming fun. 123 00:05:40.639 --> 00:05:42.040 Oh yeah, I'm hooked. 124 00:05:42.240 --> 00:05:44.759 Good. Good because we left off with our attacker getting 125 00:05:44.759 --> 00:05:45.680 a foothold. 126 00:05:45.279 --> 00:05:47.639 Remember, yeah, like sneaking through a window or something. 127 00:05:47.800 --> 00:05:49.519 Right now, they need to deploy some malware. 128 00:05:50.240 --> 00:05:54.279 And the Hacker playbook it mentioned something about custom droppers. 129 00:05:54.720 --> 00:05:57.759 Oh yeah, droppers. There's sneaky little things. 130 00:05:58.040 --> 00:06:00.160 I'm guessing it's more than just dropping a five. 131 00:06:00.240 --> 00:06:03.079 Somewhere way more. It's like, think of it like a trojan. 132 00:06:02.720 --> 00:06:06.439 Horse, ah, hiding the bad stuff inside something that looks 133 00:06:06.480 --> 00:06:07.639 harmless exactly. 134 00:06:07.759 --> 00:06:11.120 The Hacker Playbook actually walks through like building one from scratch. 135 00:06:11.319 --> 00:06:14.319 Wow, that's pretty hardcore. What's the what kind of malware 136 00:06:14.399 --> 00:06:15.319 are they hiding in there? 137 00:06:15.439 --> 00:06:17.680 Well, the example of the book, it's a payload that 138 00:06:17.720 --> 00:06:22.000 can either like execute shell code or load a DLL. 139 00:06:21.879 --> 00:06:25.160 Shell code DLLs I know I've heard those terms before. 140 00:06:25.000 --> 00:06:27.720 Right, So shell code that's basically a small program, but 141 00:06:27.759 --> 00:06:29.920 it can do some serious damage, okay. And a DLL 142 00:06:30.079 --> 00:06:32.920 DL stands for Dynamic Link Library. It's like a collection 143 00:06:33.000 --> 00:06:34.959 of code that other programs. 144 00:06:34.480 --> 00:06:38.879 Can use, So the attacker could like hijack a legitimate 145 00:06:38.920 --> 00:06:41.279 program using that DLL yep, or. 146 00:06:41.199 --> 00:06:43.959 Add malicious functionality to a program that's already there. 147 00:06:44.360 --> 00:06:48.319 Sneaky. I bet this stuff can get past antivirus pretty easily. 148 00:06:48.399 --> 00:06:51.279 Oh yeah, Antivirus evasion is a whole other game, and 149 00:06:51.360 --> 00:06:53.360 this book it dives deep into that too. 150 00:06:53.519 --> 00:06:55.439 Oh man, sounds complicated. 151 00:06:55.759 --> 00:06:59.319 It can be, but think of it like a like 152 00:06:59.360 --> 00:07:02.279 a cat mouse. You know, attackers are always coming up 153 00:07:02.319 --> 00:07:04.920 with new tricks and the antivirus guys are trying to 154 00:07:04.920 --> 00:07:05.879 stay one step ahead. 155 00:07:06.199 --> 00:07:09.279 So what are some of those tricks? How do they 156 00:07:09.279 --> 00:07:11.040 actually get around antivirus? 157 00:07:11.240 --> 00:07:15.639 Well, one common technique is obfuscation, like scrambling the code 158 00:07:15.680 --> 00:07:18.399 so the anti virus can't really understand what it's looking at. 159 00:07:18.279 --> 00:07:20.920 So it's like writing a secret message that only the 160 00:07:20.959 --> 00:07:22.000 attacker can read. 161 00:07:22.120 --> 00:07:25.120 Pretty much. The book also talks about code packing, which 162 00:07:25.160 --> 00:07:27.480 is like compressing and encrypting. 163 00:07:27.040 --> 00:07:29.680 The code, making it even harder to analyze yep. 164 00:07:29.720 --> 00:07:31.959 And then there's just straight up encryption too. 165 00:07:31.920 --> 00:07:34.279 So even if the anti virus does detect it, it 166 00:07:34.319 --> 00:07:36.480 can't really do anything unless it can decrypt it. 167 00:07:36.600 --> 00:07:38.240 Exactly. It's a constant arms rice. 168 00:07:38.439 --> 00:07:42.720 What if a company has like a really strict application 169 00:07:42.879 --> 00:07:45.759 white listing policy, can attackers get around that? Oh? 170 00:07:45.800 --> 00:07:48.680 Yeah they can. The hacker playbook actually shows how to 171 00:07:48.680 --> 00:07:51.319 do it, like using built in Windows programs to execute 172 00:07:51.360 --> 00:07:52.160 malicious code. 173 00:07:52.240 --> 00:07:55.199 Whoa, so they're taking a legitimate tool and twisting it 174 00:07:55.240 --> 00:07:56.120 to do something bad. 175 00:07:56.399 --> 00:07:59.519 Exactly. There's this one example with MS build dot ex. 176 00:08:00.120 --> 00:08:02.560 It's supposed to be for building software, but they can 177 00:08:02.639 --> 00:08:05.319 use it to run malicious code disguised as a project file. 178 00:08:05.560 --> 00:08:07.600 That's crazy. Are there other examples like that? 179 00:08:07.879 --> 00:08:10.720 Oh yeah, they're a bunch like REGSVR thirty two dot 180 00:08:10.759 --> 00:08:13.720 ex run to L thirty two dot ex. These are 181 00:08:13.720 --> 00:08:15.920 all programs that are already on Windows systems, so they 182 00:08:15.920 --> 00:08:17.079 often fly under the radar. 183 00:08:17.199 --> 00:08:19.279 So it's all about finding those loopholes huh yep. 184 00:08:19.360 --> 00:08:21.399 And once an attacker is in, they'll want to make 185 00:08:21.439 --> 00:08:24.240 sure they can stay in even if their initial access 186 00:08:24.240 --> 00:08:25.040 gets shut down. 187 00:08:25.160 --> 00:08:27.879 Ah So back doors exactly. 188 00:08:27.639 --> 00:08:30.000 Back doors ways to sneak back in if the front 189 00:08:30.040 --> 00:08:31.120 door is locked and. 190 00:08:31.079 --> 00:08:33.080 The hacker playbook. I'm guessing it has some tips on 191 00:08:33.120 --> 00:08:33.960 those two Oh. 192 00:08:33.879 --> 00:08:37.840 Yeah, tons of them, modifying system files, installing rootkits. 193 00:08:38.200 --> 00:08:41.840 Rootkits those are like the ultimate back door, right, They're 194 00:08:41.879 --> 00:08:42.720 pretty nasty. 195 00:08:42.840 --> 00:08:46.679 Basically, they're designed to like completely hide themselves. 196 00:08:46.320 --> 00:08:49.279 On the system, so the anti virus wouldn't even see them. 197 00:08:49.159 --> 00:08:51.000 Right, It's like they blend in perfectly. 198 00:08:51.120 --> 00:08:52.879 This is starting to feel like a spy movie a 199 00:08:52.919 --> 00:08:53.320 little bit. 200 00:08:53.679 --> 00:08:57.720 The book also talks about hijacking legitimate processes. So the 201 00:08:57.759 --> 00:09:01.039 malicious code is running, but it's hit and inside something 202 00:09:01.080 --> 00:09:02.120 that looks totally normal. 203 00:09:02.480 --> 00:09:05.039 This crazy stuff. How do they even come up with this? 204 00:09:05.440 --> 00:09:07.600 Well, they have to be creative, right, and they're always 205 00:09:07.600 --> 00:09:11.039 looking for new ways to, you know, to stay hidden. 206 00:09:11.480 --> 00:09:15.480 Like the book even mentions backdoors that communicate over DNS traffic. 207 00:09:15.600 --> 00:09:18.559 DNS traffic isn't that like just for looking up websites? 208 00:09:18.679 --> 00:09:21.559 Yeah, but it's also a way to like send commands 209 00:09:21.559 --> 00:09:24.919 and receive data, and security tools don't always pay close 210 00:09:24.960 --> 00:09:25.679 attention to it. 211 00:09:25.759 --> 00:09:28.759 Wow, So they're using like the Internet's plumbing system to 212 00:09:28.879 --> 00:09:30.480 sneak data. 213 00:09:30.039 --> 00:09:31.039 Out something like that. 214 00:09:31.559 --> 00:09:33.200 This is making my head spin. And you know what 215 00:09:33.240 --> 00:09:35.480 else I noticed in the Hacker Playbook. They seem to 216 00:09:35.519 --> 00:09:36.759 really love PowerShell. 217 00:09:36.919 --> 00:09:40.440 Oh yeah, PowerShell is like a favorite tool for both 218 00:09:40.799 --> 00:09:44.159 sissedminds and attackers. How come, Well, it's built into Windows, 219 00:09:44.240 --> 00:09:47.360 so it's already there on most systems. Yeah, and it's 220 00:09:47.759 --> 00:09:49.519 really powerful. You can do a lot with it. 221 00:09:49.519 --> 00:09:51.440 It sounds dangerous, it can be. 222 00:09:51.879 --> 00:09:55.480 Attackers can use it for everything from like automating tasks 223 00:09:55.559 --> 00:09:57.720 to downloading and running malicious code. 224 00:09:57.799 --> 00:10:00.519 And I bet it's good at evading those security tools huh. 225 00:10:00.559 --> 00:10:02.799 Oh yeah. The book has a whole section on PowerShell 226 00:10:02.799 --> 00:10:06.399 attack and evasion techniques, like, well, there's obfuscation, just like 227 00:10:06.440 --> 00:10:09.360 we talked about with regular code, but there's also encoding, 228 00:10:09.600 --> 00:10:13.399 which uses like different character sets and encryption. 229 00:10:13.159 --> 00:10:14.840 Making it even harder to understand. 230 00:10:15.000 --> 00:10:16.679 Yep. And they're always coming up the new ways to 231 00:10:16.679 --> 00:10:17.159 do it, you. 232 00:10:17.120 --> 00:10:19.919 Know, so even if someone knows to look out for PowerShell, 233 00:10:20.360 --> 00:10:22.960 it might not be that easy to spot exactly. 234 00:10:23.200 --> 00:10:25.159 Yeah. And the book even talks about how to run 235 00:10:25.240 --> 00:10:29.600 PowerShell code without actually using like the PowerShell program. 236 00:10:30.080 --> 00:10:32.440 Wait, what, how is that even possible? 237 00:10:32.639 --> 00:10:35.240 There are a few tricks. They can embed the code 238 00:10:35.240 --> 00:10:39.120 in other files like office documents or PDFs. 239 00:10:38.759 --> 00:10:40.720 So when you open the document, it just like runs 240 00:10:40.720 --> 00:10:41.320 in the background. 241 00:10:41.399 --> 00:10:43.600 Yep. And there are ways to use other programs like 242 00:10:43.759 --> 00:10:46.639 WMI to execute the code indirectly. 243 00:10:46.360 --> 00:10:48.399 So they're basically hiding it in plain sight. 244 00:10:48.960 --> 00:10:49.440 You got it. 245 00:10:49.840 --> 00:10:52.279 Okay, I'm starting to see how this PowerShell thing can 246 00:10:52.320 --> 00:10:56.799 be so dangerous. But let's go back to that two 247 00:10:56.840 --> 00:10:59.519 minute drill scenario for a second. Remember they got in 248 00:10:59.559 --> 00:11:00.480 with the fish attack. 249 00:11:00.559 --> 00:11:02.200 Oh yeah, I'm curious what happens next. 250 00:11:02.320 --> 00:11:04.480 Me too. So they're in the network, now what. 251 00:11:04.879 --> 00:11:07.720 Well, the next step involves a tool called Bloodhound. 252 00:11:08.120 --> 00:11:10.440 Bloodhound sounds intense. 253 00:11:10.639 --> 00:11:14.399 It is. It's designed to map out active directory. 254 00:11:14.200 --> 00:11:18.480 Active directory that's how Windows networks manage users and computers. 255 00:11:18.080 --> 00:11:21.240 Right, yep. And Bloodhound basically shows the attacker like all 256 00:11:21.279 --> 00:11:24.200 the relationships and permissions. It's like a roadmap of the network. 257 00:11:24.240 --> 00:11:27.200 Whoa, So they can see exactly how everything's connected pretty much. 258 00:11:27.279 --> 00:11:29.480 Yeah, and that helps them figure out the best way 259 00:11:29.519 --> 00:11:31.559 to move around to get to their target. 260 00:11:31.679 --> 00:11:33.480 That's kind of scary, actually can be. 261 00:11:34.039 --> 00:11:37.279 So in the book The Attacker, they compromise a system 262 00:11:37.399 --> 00:11:40.399 belonging to an employee named buzz Aldron. 263 00:11:40.720 --> 00:11:43.759 Buzz Aldron, like the astronaut yep. 264 00:11:43.759 --> 00:11:45.799 I guess the author has a sense of humor. So 265 00:11:45.840 --> 00:11:49.519 what happens with Buzz, Well, they find out that Buzz's 266 00:11:49.519 --> 00:11:53.840 system has access to some sensitive data on another system 267 00:11:53.879 --> 00:11:57.000 called CSK lab, but they don't have admin rights on 268 00:11:57.039 --> 00:11:57.480 that system. 269 00:11:57.519 --> 00:11:59.279 Yet another roadblock yep. 270 00:11:59.799 --> 00:12:03.240 The is this PowerShell script called power up to find 271 00:12:03.279 --> 00:12:04.879 misconfigurations on the system. 272 00:12:05.039 --> 00:12:07.120 So they're looking for those little new poles again. 273 00:12:07.159 --> 00:12:10.200 Yep, always looking for loopholes, and in this case, they 274 00:12:10.240 --> 00:12:13.960 find a vulnerability that lets them like basically write their 275 00:12:13.960 --> 00:12:17.639 own code to a specific location and then a system 276 00:12:17.679 --> 00:12:19.120 service will execute. 277 00:12:18.639 --> 00:12:21.600 It, so they get full control over the system pretty much. 278 00:12:21.679 --> 00:12:23.279 They call it system level access. 279 00:12:23.320 --> 00:12:26.720 Wow, impressive, but what about like staying in control? What 280 00:12:26.759 --> 00:12:28.440 if they lose their initial access? 281 00:12:28.840 --> 00:12:32.879 Redundancy is key in the book. They establish a second 282 00:12:32.879 --> 00:12:34.480 connection using Cobalt Strike. 283 00:12:34.639 --> 00:12:36.679 Always got to have a backup plan always. 284 00:12:37.080 --> 00:12:41.399 Cobalt Strike can tunnel traffic through these things called named pipes, 285 00:12:41.639 --> 00:12:44.399 which are like hidden communication channels within the. 286 00:12:44.320 --> 00:12:46.720 Network, so even if one connection goes down, they still 287 00:12:46.759 --> 00:12:50.039 have another way in exactly, this attacker is pretty persistent. 288 00:12:50.120 --> 00:12:52.519 I was reading ahead a bit, and they actually find 289 00:12:52.679 --> 00:12:55.759 the eternal Blue vulnerability. The one that want to Cry use. 290 00:12:55.840 --> 00:12:58.559 Oh yeah, Eternal Blue. That was a big one, a 291 00:12:58.600 --> 00:13:00.399 really bad vulnerability window. 292 00:13:00.480 --> 00:13:02.159 I remember hearing about want to Cry. It was all 293 00:13:02.200 --> 00:13:04.240 over the news. Caused a ton of damage. 294 00:13:04.320 --> 00:13:07.559 Yep, ransomware spreading like wildfire. And in the Hacker playbook, 295 00:13:08.080 --> 00:13:11.159 the attacker uses Eternal Blue to get into a semi 296 00:13:11.240 --> 00:13:12.200 isolated network. 297 00:13:12.320 --> 00:13:15.159 So even though it was years ago, that vulnerability is 298 00:13:15.200 --> 00:13:15.960 still out there. 299 00:13:16.200 --> 00:13:20.159 Yep. Sometimes systems don't get patched and attackers can take 300 00:13:20.159 --> 00:13:20.879 advantage of that. 301 00:13:21.360 --> 00:13:24.679 Crazy So back to our two minute drill. They've got 302 00:13:24.679 --> 00:13:27.679 Eternal Blue. Now they're in deeper, getting closer to those 303 00:13:27.759 --> 00:13:30.240 rocket secrets. What happens next? 304 00:13:30.399 --> 00:13:33.200 To find a connection to a database server. It's got 305 00:13:33.240 --> 00:13:34.879 even more sensitive data, but of. 306 00:13:34.759 --> 00:13:35.840 Course it's encrypted. 307 00:13:36.159 --> 00:13:38.440 Of course, there's always another hurdle. 308 00:13:38.600 --> 00:13:41.240 And does the book tell us how they crack the encryption. 309 00:13:41.960 --> 00:13:44.320 It actually leaves that part as a challenge for the reader. 310 00:13:45.639 --> 00:13:48.320 But based on everything we've learned so. 311 00:13:48.279 --> 00:13:49.559 Far, I bet we can guess. 312 00:13:49.639 --> 00:13:51.600 Oh yeah, there are a few possibilities they could try 313 00:13:51.639 --> 00:13:55.399 to find, like a backdoor in the database software itself, 314 00:13:55.879 --> 00:13:57.320 you know, some kind of vulnerability, or. 315 00:13:57.320 --> 00:13:59.559 Maybe try to steal the encryption key could. 316 00:13:59.320 --> 00:14:02.399 Be maybe by by compromising another system that has access 317 00:14:02.440 --> 00:14:02.879 to the key. 318 00:14:03.360 --> 00:14:06.519 Lots of possibilities, and I guess there's always route forcing, 319 00:14:06.559 --> 00:14:07.559 but that could take forever. 320 00:14:07.879 --> 00:14:09.840 It could. Yeah, it all depends on how strong the 321 00:14:09.919 --> 00:14:10.519 encryption is. 322 00:14:10.799 --> 00:14:13.159 Man, this is intense. I feel like I'm right there 323 00:14:13.159 --> 00:14:15.200 with the attacker trying to figure out the next move. 324 00:14:15.519 --> 00:14:17.799 That's the whole point of this book, you know, to 325 00:14:17.919 --> 00:14:20.639 get you thinking like an attacker so you can understand 326 00:14:20.639 --> 00:14:22.720 how they operate and how to defend against them. 327 00:14:23.120 --> 00:14:26.000 It's working. I'm definitely thinking differently about security now. 328 00:14:26.039 --> 00:14:27.279 Good, that's what we want. 329 00:14:27.440 --> 00:14:31.559 Well, we've covered a lot of ground malware, back doors, PowerShell, 330 00:14:32.200 --> 00:14:34.039 eternal glue. 331 00:14:34.559 --> 00:14:36.759 My head is spinning and we're not done yet. We 332 00:14:36.799 --> 00:14:39.840 still to talk about password cracking, how attackers break those 333 00:14:39.879 --> 00:14:43.519 digital locks and get access to sensitive information. That's coming 334 00:14:43.559 --> 00:14:44.320 up in part three. 335 00:14:44.639 --> 00:14:46.480 Can't wait. This has been a wild ride so far. 336 00:14:48.399 --> 00:14:49.919 All right, back for the final. 337 00:14:49.720 --> 00:14:51.759 Round, Round three. Ready to rumble. 338 00:14:52.080 --> 00:14:53.799 So we've made it to the part I've been kind 339 00:14:53.840 --> 00:14:55.679 of dreading password cracking. 340 00:14:56.120 --> 00:14:57.519 Yeah, this is where it gets real. 341 00:14:57.879 --> 00:15:00.159 I mean, we've already talked about how attackers use those 342 00:15:00.240 --> 00:15:03.360 huge password lists and powerful cracking rigs. 343 00:15:03.200 --> 00:15:04.600 Mind boggling, right totally. 344 00:15:04.639 --> 00:15:06.440 I mean, where do those lists even come from? Are 345 00:15:06.440 --> 00:15:09.200 we talking about like every password ever used? 346 00:15:09.200 --> 00:15:11.879 Pretty much? Think about all the data breaches that happen, 347 00:15:12.200 --> 00:15:15.679 all those stolen passwords, they end up online and attackers 348 00:15:15.679 --> 00:15:16.480 collect them. 349 00:15:16.320 --> 00:15:18.519 So it's like they're learning from all our bad password 350 00:15:18.559 --> 00:15:19.480 habit exactly. 351 00:15:19.879 --> 00:15:22.919 The Hacker playbook talks about this one list. It's got 352 00:15:23.000 --> 00:15:27.639 over one point four billion username and password combinations. One 353 00:15:27.679 --> 00:15:29.120 point four billion. 354 00:15:29.440 --> 00:15:32.080 That's insane. But even with a list that big, they 355 00:15:32.120 --> 00:15:34.960 still need some serious horsepower to actually crack them, right. 356 00:15:35.039 --> 00:15:37.519 Oh yeah, we're not talking about your average laptop here. 357 00:15:37.919 --> 00:15:42.399 These are dedicated cracking rigs with multiple GPUs. 358 00:15:41.879 --> 00:15:44.679 Like the kind of stuff gamers use, similar. 359 00:15:44.559 --> 00:15:48.720 But way more powerful. They're basically building supercomputers just for this. 360 00:15:49.320 --> 00:15:51.679 Wow. So brute force is obviously a big part of it. 361 00:15:51.720 --> 00:15:52.480 But is that all they do. 362 00:15:52.679 --> 00:15:55.039 Nope, They've got other tricks up their sleeves too, like 363 00:15:55.120 --> 00:15:56.080 dictionary attacks. 364 00:15:56.240 --> 00:15:57.159 Dictionary attack. 365 00:15:57.279 --> 00:15:59.720 Yeah, they use a list of like common words and 366 00:15:59.759 --> 00:16:01.840 frey is that people use in their passwords, so. 367 00:16:01.799 --> 00:16:04.759 They're not just randomly guessing letters, they're actually trying real 368 00:16:04.799 --> 00:16:05.480 words yep. 369 00:16:05.559 --> 00:16:08.159 And then there are rule based attacks where they take 370 00:16:08.200 --> 00:16:11.440 those dictionary words and modify them, like replacing an A 371 00:16:11.759 --> 00:16:12.639 with an AD symbol. 372 00:16:12.720 --> 00:16:15.879 So it's a mix of brute force and strategy exactly. 373 00:16:15.919 --> 00:16:18.320 The more they understand about the target system and how 374 00:16:18.320 --> 00:16:21.559 it hashes passwords, the more effective their attacks can be. 375 00:16:22.200 --> 00:16:25.320 Makes sense. So let's bring it back to that two 376 00:16:25.320 --> 00:16:29.440 minute drill scenario. Our attacker is facing down that encrypted database. 377 00:16:30.080 --> 00:16:31.039 How do they crack it? 378 00:16:31.799 --> 00:16:34.360 Well, the book doesn't actually spell it out. It leaves 379 00:16:34.399 --> 00:16:35.360 it as a challenge. 380 00:16:35.600 --> 00:16:38.559 Ooh, a cliffhanger, but we can speculate. Okay, let's put 381 00:16:38.600 --> 00:16:41.399 on our hacker hats for a minute. What are some possibilities. 382 00:16:41.799 --> 00:16:44.440 One option would be to look for vulnerabilities in the 383 00:16:44.519 --> 00:16:45.639 database software. 384 00:16:45.360 --> 00:16:48.519 Itself, like a back door that lets them bypass the 385 00:16:48.639 --> 00:16:50.399 encryption altogether exactly. 386 00:16:50.879 --> 00:16:54.320 Or maybe a way to like extract the encryption key 387 00:16:54.360 --> 00:16:55.000 from somewhere. 388 00:16:55.080 --> 00:16:57.399 Ah, that would be a nice shortcut. But how would 389 00:16:57.399 --> 00:16:57.960 they do that? 390 00:16:58.159 --> 00:17:00.399 Could be a lot of ways. Maybe they compse a 391 00:17:00.440 --> 00:17:03.080 system that has access to the key, or use a 392 00:17:03.159 --> 00:17:05.279 key logger to capture it when someone types it in. 393 00:17:05.480 --> 00:17:09.599 Wow, sneaky. It's all about finding the weakest link, huh. 394 00:17:09.680 --> 00:17:12.240 Yep. And of course they can always just try brute 395 00:17:12.240 --> 00:17:14.279 forcing the encryption key itself. 396 00:17:14.200 --> 00:17:16.279 With the supercomputers the very same. 397 00:17:16.960 --> 00:17:18.799 It might take a while, though, depending on how strong 398 00:17:18.839 --> 00:17:19.559 the encryption is. 399 00:17:19.839 --> 00:17:23.079 Okay, so even encryption isn't a silver bullet, it's more 400 00:17:23.200 --> 00:17:24.759 like buying time. 401 00:17:25.160 --> 00:17:28.160