WEBVTT 1 00:00:00.160 --> 00:00:02.839 Welcome to the Deep Dive, the show where we cut 2 00:00:02.879 --> 00:00:05.599 through the noise to get you truly well informed on 3 00:00:05.759 --> 00:00:06.759 fascinating topics. 4 00:00:06.879 --> 00:00:08.720 Great to be digging into another one. 5 00:00:08.960 --> 00:00:13.839 So, you know, in our increasingly digital world, there's this constant, 6 00:00:14.039 --> 00:00:19.719 often hidden battle being waged. It's not just against external threats, 7 00:00:20.199 --> 00:00:23.280 but right within the very systems we rely on every 8 00:00:23.399 --> 00:00:26.399 single day. Right, Think of it like well, a digital 9 00:00:26.440 --> 00:00:30.519 fortress and understanding its weaknesses, you know, the chinks in 10 00:00:30.559 --> 00:00:33.359 the armor is just as crucial as actually building the 11 00:00:33.359 --> 00:00:34.280 walls themselves. 12 00:00:34.479 --> 00:00:37.600 Absolutely, for a long long time, the security mindset was 13 00:00:37.640 --> 00:00:41.200 almost entirely focused just on network perimeters, right, the outer 14 00:00:41.280 --> 00:00:46.439 walls exactly. Companies poured money into firewalls, network defenses, which, 15 00:00:46.520 --> 00:00:48.880 honestly it kind of fostered a full sense of security 16 00:00:48.920 --> 00:00:51.799 in some ways. How so well, because then our reliance 17 00:00:51.799 --> 00:00:56.000 on web technologies just exploded, you know, public websites, internal apps, 18 00:00:56.039 --> 00:00:57.039 everything moved online. 19 00:00:57.119 --> 00:00:59.679 Ah okay, And that's where the whole game changed, isn't it. 20 00:01:00.200 --> 00:01:05.560 Precisely because suddenly web applications became just as vulnerable to attack, 21 00:01:05.719 --> 00:01:09.359 maybe even more so than those traditional networks and operating systems. 22 00:01:09.480 --> 00:01:10.920 Yeah, we've all seen the headlines. 23 00:01:11.040 --> 00:01:15.719 Unfortunately, absolutely recent years, I mean, we've seen just spectacular 24 00:01:15.799 --> 00:01:18.480 data leaks, breaches affecting millions of records. 25 00:01:18.680 --> 00:01:21.680 Yeah, everything from credit cards, health histories. 26 00:01:21.400 --> 00:01:25.519 Social security numbers, you name it. And so often these 27 00:01:25.640 --> 00:01:29.519 really devastating attacks they didn't start with breaking through the. 28 00:01:29.400 --> 00:01:31.079 Network firewall, no where. 29 00:01:31.159 --> 00:01:34.480 Then they often started with a vulnerability or maybe a 30 00:01:34.519 --> 00:01:37.840 simple design flawed directly within a web application itself. 31 00:01:37.920 --> 00:01:40.040 Okay, so the industry had to react to that. It did. 32 00:01:40.200 --> 00:01:43.120 We saw this rapid rise in defensive tech, things like 33 00:01:43.280 --> 00:01:48.400 web application firewalls wfs and run time applications self protection 34 00:01:48.599 --> 00:01:52.799 are asp plus you know, sophisticated web vulnerability scanners, source 35 00:01:52.799 --> 00:01:56.599 code scanners became standard. Companies finally started realizing the immense 36 00:01:56.680 --> 00:01:58.920 value of testing applications before they go. 37 00:01:58.879 --> 00:02:01.560 Live, which leads us perfectly in today's deep dive topic 38 00:02:01.680 --> 00:02:05.959 penetration testing exactly. Think of this as your shortcut to 39 00:02:06.280 --> 00:02:11.080 understanding how ethical hackers, well if they act like controlled adversaries, right. 40 00:02:11.000 --> 00:02:15.840 Mm hmm, meticulously identifying and exploiting vulnerabilities, especially in those 41 00:02:15.879 --> 00:02:17.520 really critical web applications. 42 00:02:17.599 --> 00:02:21.520 So today we're going to unpack the skills, the surprising facts, 43 00:02:21.960 --> 00:02:26.199 the powerful tools that help strengthen our digital defenses. And 44 00:02:26.280 --> 00:02:30.560 we're drawing insights from a really comprehensive source called improving 45 00:02:30.639 --> 00:02:33.599 your penetration testing Skills. Yeah, it's a great resource, So 46 00:02:33.680 --> 00:02:36.319 get ready to see the world of digital security from 47 00:02:36.319 --> 00:02:37.520 the attacker's perspective. 48 00:02:37.919 --> 00:02:41.400 But you know, for good, that's the key. At its core, 49 00:02:41.680 --> 00:02:45.439 penetration testing is well, it's the art of making a 50 00:02:45.479 --> 00:02:48.599 computer system or an application do things it was never 51 00:02:48.639 --> 00:02:49.280 designed to do. 52 00:02:49.520 --> 00:02:50.199 But ethically. 53 00:02:50.280 --> 00:02:53.319 But ethically, yes, the goal is always to discover flaws 54 00:02:53.360 --> 00:02:56.280 before the malicious actors do and then provide you know, 55 00:02:56.360 --> 00:02:58.240 actionable advice on how to fix them. 56 00:02:58.319 --> 00:03:01.280 So it helps everyone really, company, hospitals. 57 00:03:00.759 --> 00:03:04.439 Schools, government agencies, helping them secure their vital applications and 58 00:03:04.520 --> 00:03:05.520 of course their data. 59 00:03:05.599 --> 00:03:08.719 So it's like a controlled strategic attack to find the 60 00:03:08.759 --> 00:03:12.280 weak spots before the actual bad guys do. How do 61 00:03:12.400 --> 00:03:16.639 these engagements usually work? Does the testing team always get 62 00:03:16.680 --> 00:03:17.719 all the info upfront? 63 00:03:18.199 --> 00:03:20.599 Well, it varies quite a bit, actually depends on the 64 00:03:20.599 --> 00:03:22.719 type of engagement you've got. Black box testing. 65 00:03:22.919 --> 00:03:24.240 Okay, black box. 66 00:03:24.039 --> 00:03:28.360 This simulates an external attacker who's completely uninformed. The pen 67 00:03:28.400 --> 00:03:32.000 tester starts with well zero knowledge, just like a real 68 00:03:32.039 --> 00:03:35.199 world hacker might trying to map the network discover defenses 69 00:03:35.280 --> 00:03:38.719 all from scratch, but you know, for internal applications, this 70 00:03:38.840 --> 00:03:41.520 might sometimes be a less efficient way to go. Why 71 00:03:41.560 --> 00:03:45.319 is that because a real attacker might easily gather public info, 72 00:03:45.599 --> 00:03:48.080 or frankly, they might be a disgruntled insider who already 73 00:03:48.120 --> 00:03:50.759 knows a lot, So the black box test might miss 74 00:03:50.800 --> 00:03:52.400 things an insider threat wouldn't. 75 00:03:52.439 --> 00:03:54.199 Okay, So it's like trying to break into a house 76 00:03:54.240 --> 00:03:56.960 without knowing where the doors or windows are, versus say, 77 00:03:57.039 --> 00:03:58.080 having some basic. 78 00:03:57.759 --> 00:04:00.319 Blueprints exactly that. Then on the other end of the 79 00:04:00.319 --> 00:04:03.199 spectrum you have white box testing total opposite, I'm guessing 80 00:04:03.400 --> 00:04:09.360 complete opposite. The testing team gets full information, source code, architecture, diagrams, 81 00:04:09.400 --> 00:04:12.599 you name it. It's extremely thorough. And in the middle 82 00:04:13.080 --> 00:04:17.879 that's grey box testing, an intermediate approach. Some info is provided, 83 00:04:18.079 --> 00:04:22.000 but not everything. This often simulates, say an insider threat, 84 00:04:22.079 --> 00:04:25.079 or maybe what someone could do with a compromised user account. 85 00:04:25.160 --> 00:04:28.199 What's really interesting, though, is that even with these structured approaches, 86 00:04:28.399 --> 00:04:31.360 pen testing still has limits. Right, It's not like a 87 00:04:31.399 --> 00:04:32.319 magic wand. 88 00:04:32.120 --> 00:04:35.560 You wave, oh, absolutely not. That's a crucial point to understand. First, 89 00:04:35.800 --> 00:04:39.959 there's the limitation of skills, meaning well, it's incredibly tough 90 00:04:40.000 --> 00:04:42.879 to find one person who's equally skilled across all the 91 00:04:42.920 --> 00:04:48.600 major areas network system and web application Penetration testing expertise 92 00:04:48.680 --> 00:04:50.639 is often really specialized, right. 93 00:04:50.720 --> 00:04:53.279 Someone might be brilliant with apatche servers but know nothing 94 00:04:53.319 --> 00:04:54.160 about ISO. 95 00:04:53.959 --> 00:04:57.279 For example, exactly and figuring out how a seemingly low 96 00:04:57.399 --> 00:05:01.000 risk vulnerability could actually so is a high threat to 97 00:05:01.040 --> 00:05:04.079 a specific system that often comes only with you know, 98 00:05:04.240 --> 00:05:05.720 deep experience and I bet. 99 00:05:05.560 --> 00:05:08.319 Time is always a massive factor, especially compared to a 100 00:05:08.319 --> 00:05:08.959 real attacker. 101 00:05:09.079 --> 00:05:13.680 Always. Penetration testing is almost always a short, pre defined project. 102 00:05:14.240 --> 00:05:16.759 Testers have a limited window, maybe a week or two 103 00:05:17.120 --> 00:05:19.759 to find vulnerabilities and produce results. 104 00:05:19.600 --> 00:05:22.000 Whereas a malicious attacker. 105 00:05:21.680 --> 00:05:26.120 They have unlimited time days, weeks, months, plus. The pen 106 00:05:26.199 --> 00:05:29.879 tester has the added burden of writing these incredibly detailed, 107 00:05:29.879 --> 00:05:34.639 defensible reports with screenshots and explanations. An attacker doesn't worry 108 00:05:34.639 --> 00:05:35.040 about that. 109 00:05:35.360 --> 00:05:38.319 So they can't just throw everything they have at a target, 110 00:05:38.560 --> 00:05:40.040 even if they technically. 111 00:05:39.560 --> 00:05:43.920 Could not always know in really secure environments, standard frameworks 112 00:05:44.000 --> 00:05:46.720 or automated tools might just bounce off. They might be. 113 00:05:46.759 --> 00:05:48.399 Useless, So they have to get creative. 114 00:05:48.519 --> 00:05:52.079 Yeah, forcing the team to create custom exploits or manually 115 00:05:52.120 --> 00:05:56.279 write scripts to test specific things, and that's incredibly time consuming. 116 00:05:56.360 --> 00:06:00.399 It directly impacts the project's budget and timeline. Okay, Another 117 00:06:00.439 --> 00:06:04.600 common limitation is deliberately avoiding denial of service or DOS attacks. 118 00:06:04.839 --> 00:06:07.759 Why avoid those seems like something you'd want to test. 119 00:06:07.920 --> 00:06:10.800 Well, many testers intentionally avoid them because they don't want 120 00:06:10.839 --> 00:06:13.879 to inadvertently cause client downtime. It's a business risk. 121 00:06:14.040 --> 00:06:15.279 Ah, makes sense. 122 00:06:15.279 --> 00:06:19.439 But the downside is this inadvertently leaves systems potentially open 123 00:06:19.519 --> 00:06:24.279 to well script kitties, less sophisticated attackers who just want 124 00:06:24.319 --> 00:06:29.199 notoriety by taking systems offline. So it's really vital to 125 00:06:29.399 --> 00:06:32.600 educate clients upfront about the pros and cons of doing 126 00:06:32.600 --> 00:06:33.319 this kinds of test. 127 00:06:33.439 --> 00:06:36.079 That's a really good point. And what about the tools themselves? 128 00:06:36.120 --> 00:06:37.199 Are they always reliable? 129 00:06:37.959 --> 00:06:41.680 That's another limitation The tools used, No single tool, free 130 00:06:41.759 --> 00:06:44.720 or commercial, is perfect. They all have blind spots, so. 131 00:06:44.720 --> 00:06:47.079 The tester needs to know more than just how to 132 00:06:47.160 --> 00:06:48.399 run the tool exactly. 133 00:06:48.759 --> 00:06:51.680 The testing team needs to be knowledgeable enough to adapt, 134 00:06:51.920 --> 00:06:55.519 understand the tool's limitations, and find alternatives when you know 135 00:06:55.560 --> 00:06:58.480 its features just aren't cutting it for a specific scenario. 136 00:06:58.800 --> 00:07:00.639 All this makes me think about where a pen tester 137 00:07:00.800 --> 00:07:03.839 actually practice this stuff. You can't just go poking around 138 00:07:03.920 --> 00:07:04.800 random websites on. 139 00:07:04.720 --> 00:07:08.360 The internet, right, illegal? You're absolutely right. It is illegal 140 00:07:08.360 --> 00:07:11.959 in most countries to scan, test, or exploit vulnerabilities on 141 00:07:11.959 --> 00:07:15.439 the Internet without explicit written authorization from the owner. 142 00:07:15.839 --> 00:07:16.639 So how do they learn? 143 00:07:16.920 --> 00:07:21.000 That's why having a controlled, owned and isolated lab environment 144 00:07:21.120 --> 00:07:25.600 is just paramount, absolutely essential. It's the only place you 145 00:07:25.639 --> 00:07:29.199 can freely practice and develop your skills without any legal worries. 146 00:07:29.680 --> 00:07:32.000 And there are specific vulnerable environments for that. 147 00:07:32.240 --> 00:07:35.800 Yes, things like oh washbroken web applications or hackers on 148 00:07:35.839 --> 00:07:38.560 which we'll definitely talk more about. They're perfect for this 149 00:07:38.680 --> 00:07:39.720 kind of safe practice. 150 00:07:39.800 --> 00:07:44.959 Okay, so setting up this ethical hacking lab, what's the 151 00:07:45.720 --> 00:07:48.079 go to operating system? I always hear Klie Linux. 152 00:07:48.240 --> 00:07:51.079 Ah, Collie Linux. Yes, it really is kind of the 153 00:07:51.240 --> 00:07:53.160 ethical hackers dream toolkit. 154 00:07:53.319 --> 00:07:54.600 Why is that? What's the big deal? 155 00:07:54.879 --> 00:07:58.800 Its main value is just how much it simplifies the setup. 156 00:07:59.000 --> 00:08:01.000 It comes with pretty much whch all the major hacking 157 00:08:01.000 --> 00:08:04.040 tools pre installed along with all their dependencies. Oh nice, 158 00:08:04.040 --> 00:08:06.560 So it means you can focus immediately on learning and 159 00:08:06.639 --> 00:08:10.560 actually doing the attacks, rather than wasting hours just installing 160 00:08:10.600 --> 00:08:14.800 and configuring individual tools and offensive security. The folks behind 161 00:08:14.879 --> 00:08:17.759 Collie they keep these tools frequently updated, so you're always 162 00:08:17.759 --> 00:08:18.800 working with the latest stuff. 163 00:08:18.920 --> 00:08:22.519 So it's like a constantly updated, pre assembled workshop for 164 00:08:22.639 --> 00:08:25.360 digital security. That's incredibly useful. 165 00:08:25.120 --> 00:08:28.160 It really is, and it's remarkably versatile too. Collie runs 166 00:08:28.160 --> 00:08:32.759 on various hardware Google, Chromebooks, Raspberry. 167 00:08:32.279 --> 00:08:33.799 Pie, Raspberry Pie Wow. 168 00:08:34.320 --> 00:08:37.360 There's even net Hunter, which is a version specifically designed 169 00:08:37.360 --> 00:08:38.440 for mobile devices. 170 00:08:38.519 --> 00:08:40.720 Now, a lot of people, myself included, tend to use 171 00:08:40.799 --> 00:08:44.600 virtualization running it in a VM. What are the pros 172 00:08:44.600 --> 00:08:48.279 and cons of that versus installing Collie directly on say, 173 00:08:48.279 --> 00:08:51.159 a dedicated laptop. What's the real trade off there? 174 00:08:51.559 --> 00:08:55.360 Virtualization is definitely an attractive option. It's cost effective, flexible, 175 00:08:55.679 --> 00:08:58.879 You can easily clone virtual machines if you need multiple 176 00:08:58.919 --> 00:09:02.840 testing copies, and the revert to snapshot feature is invaluable. 177 00:09:03.000 --> 00:09:05.559 If you mess up your testing machine break something poof, 178 00:09:05.559 --> 00:09:09.360 you just restore clean slate. Instantly modifying resources like RAM 179 00:09:09.480 --> 00:09:11.120 or CPU is also super easy. 180 00:09:11.200 --> 00:09:12.519 Okay, sounds great. What's the catch? 181 00:09:12.799 --> 00:09:17.240 The major drawback comes with processor intensive tasks think password cracking. 182 00:09:17.440 --> 00:09:21.320 Those tasks are significantly slower because of the virtualization overhead, 183 00:09:21.639 --> 00:09:24.679 and you simply can't fully leverage a dedicated GPU a 184 00:09:24.720 --> 00:09:28.559 graphics card for that kind of raw processing power inside 185 00:09:28.559 --> 00:09:29.720 a standard VM setup. 186 00:09:30.039 --> 00:09:34.200 So for serious number crunching, physical hardware still wins. But 187 00:09:34.320 --> 00:09:37.879 for most day to day practice and exploration, virtualization is 188 00:09:38.120 --> 00:09:38.879 probably fine. 189 00:09:38.919 --> 00:09:41.279 Absolutely for most tasks it's the way to go. 190 00:09:41.399 --> 00:09:44.799 Okay, So what are some of the essential tools packed 191 00:09:44.799 --> 00:09:47.639 into Collie that a pentester would use regularly? 192 00:09:47.840 --> 00:09:50.279 Right, let's touch on a few key categories. For content 193 00:09:50.360 --> 00:09:53.879 management systems, you know CMSs, like WordPress or joom Law, 194 00:09:54.399 --> 00:09:59.120 there are specialized scanners like what well, wp scan is 195 00:09:59.159 --> 00:10:03.240 a really fast WordPress vulnerability scanner. It's surprising how often 196 00:10:03.360 --> 00:10:07.639 organizations just leave default plugins and themes exposed. WP scan 197 00:10:07.759 --> 00:10:09.279 finds those instantly. 198 00:10:08.919 --> 00:10:10.840 Broadcasting their weak points essentially. 199 00:10:10.519 --> 00:10:13.840 Pretty much similarly, jim scan does the same thing for gymlesites. 200 00:10:13.960 --> 00:10:16.960 Got it? What about finding hidden files and directories? That 201 00:10:16.960 --> 00:10:18.879 seems like a really critical first step for. 202 00:10:18.879 --> 00:10:23.320 An attacker, definitely for that. Dirb is a command line tool. 203 00:10:23.519 --> 00:10:27.080 It uses dictionary files to discover hidden files and directories. 204 00:10:27.559 --> 00:10:31.240 Maybe old admin panels, backup files, things that shouldn't. 205 00:10:30.840 --> 00:10:33.200 Be accessible in Nikto, I've heard that name. 206 00:10:33.360 --> 00:10:36.679 Nikto is a longtime favorite. It's a really feature rich 207 00:10:37.080 --> 00:10:41.639 web server scanner. Checks for thousands of outdated software components, 208 00:10:42.039 --> 00:10:45.600 common configuration errors. It's like giving the web server a 209 00:10:45.639 --> 00:10:47.159 thorough digital health check. 210 00:10:47.279 --> 00:10:51.120 Okay, And for broader network scanning, maybe looking beyond just 211 00:10:51.159 --> 00:10:52.759 the web applications themselves, for. 212 00:10:52.759 --> 00:10:57.000 That network wide view. OpenVAS the Open Vulnerability Assessment Scanner 213 00:10:57.120 --> 00:10:58.840 is a powerful tool in Collinge. 214 00:10:58.919 --> 00:11:01.159 Right that used to be or part of it. 215 00:11:01.279 --> 00:11:03.440 Yeah, it's a free fork of what was once nessus. 216 00:11:03.759 --> 00:11:07.360 It's excellent for identifying a wide range of network side vulnerabilities, 217 00:11:07.399 --> 00:11:10.360 giving you that bigger picture of potential entry points. And 218 00:11:10.399 --> 00:11:13.480 these are just a few examples. The Colleague toolkit is vast. 219 00:11:13.840 --> 00:11:17.759 So speaking of practice, you mentioned those vulnerable environments for 220 00:11:17.799 --> 00:11:21.759 safe learning. Which ones are commonly used for training new pendesters? Yeah? 221 00:11:21.799 --> 00:11:25.159 Absolutely. The a wasp p Broken Web Applications Project or 222 00:11:25.320 --> 00:11:30.440 BWA is really crucial. It's a collection of intentionally vulnerable 223 00:11:30.639 --> 00:11:34.799 web applications all packaged up as a single virtual machine. 224 00:11:34.919 --> 00:11:37.519 Easy to set up them super easy, and it's perfect 225 00:11:37.600 --> 00:11:40.840 for hands on learning. It includes apps like Wacko, Pico 226 00:11:40.960 --> 00:11:44.440 and the Bodget Store, which simulate real world apps but 227 00:11:44.519 --> 00:11:47.000 with less obvious flaws, so they really force you to 228 00:11:47.039 --> 00:11:48.080 think like an attacker. 229 00:11:48.320 --> 00:11:49.399 Okay, any others? 230 00:11:49.480 --> 00:11:52.360 Another excellent one is hackazon. It's from Rapid seven, the 231 00:11:52.399 --> 00:11:53.759 folks who make metasploit. 232 00:11:54.039 --> 00:11:54.399 Okay. 233 00:11:54.440 --> 00:11:58.159 It simulates a modern online store using technologies like ajax 234 00:11:58.320 --> 00:12:02.279 and web services, and it has several security problems deliberately 235 00:12:02.320 --> 00:12:04.639 built right in great practice ground. 236 00:12:04.840 --> 00:12:07.360 So you've got your lab set up, your Collie machine ready, 237 00:12:07.399 --> 00:12:10.279 a safe environment to practice in. What's the very first 238 00:12:10.320 --> 00:12:12.240 thing an ethical hacker does when they start looking at 239 00:12:12.279 --> 00:12:13.000 a target. 240 00:12:12.759 --> 00:12:15.200 That brings us squarely into the art of gathering intel. 241 00:12:15.320 --> 00:12:18.759 We often call it reconnaissance or recon Now, while a 242 00:12:18.799 --> 00:12:23.000 malicious attacker might be chaotic, maybe opportunistic, a professional penetration 243 00:12:23.080 --> 00:12:25.679 tester always follows a structured approach. 244 00:12:25.759 --> 00:12:27.200 Right, there's a method, definitely. 245 00:12:27.519 --> 00:12:32.320 The typical sequence is meticulous information gathering first, then identification 246 00:12:32.360 --> 00:12:37.200 of vulnerabilities, often through scanning, and then finally exploitation. This 247 00:12:37.320 --> 00:12:39.600 structured way helps you find as many bugs as you 248 00:12:39.639 --> 00:12:44.360 can and importantly prepares you to write those valuable, comprehensive 249 00:12:44.360 --> 00:12:45.320 reports for the client. 250 00:12:45.559 --> 00:12:48.759 So reconnaissance is the foundation. What kind of information are 251 00:12:48.759 --> 00:12:50.600 they trying to dig up in this phase? What are 252 00:12:50.600 --> 00:12:51.000 the goals? 253 00:12:51.279 --> 00:12:55.679 The aims are pretty broad, actually identifying it addresses, domains, 254 00:12:55.879 --> 00:13:01.080 subdomains using tools like whois and DNS lookups, okay, gathering 255 00:13:01.080 --> 00:13:04.080 public information from regular search engines like Google and bing, 256 00:13:04.559 --> 00:13:08.039 but also specialized ones like Showdowan or even archives like 257 00:13:08.080 --> 00:13:09.080 the Internet Archive. 258 00:13:09.240 --> 00:13:11.000 Looking for clues anywhere they can find. 259 00:13:10.799 --> 00:13:14.559 Them exactly, Identifying key personnel maybe through LinkedIn using tools 260 00:13:14.600 --> 00:13:17.960 like Maltago. Even figuring out the physical location of servers 261 00:13:18.039 --> 00:13:20.200 using GOIP databases can be part of it. 262 00:13:20.600 --> 00:13:22.559 Gay, Let's unpack some of that you mentioned who is, 263 00:13:22.960 --> 00:13:25.919 How does looking up domain records actually give an attacker 264 00:13:25.919 --> 00:13:27.639 and edge seems pretty basic? 265 00:13:27.759 --> 00:13:33.559 Who is records are public databases. They reveal domain owner details, names, addresses, 266 00:13:33.600 --> 00:13:37.919 phone numbers, emails, the DNS servers being used. An attacker 267 00:13:37.960 --> 00:13:41.440 can use this info for highly targeted social engineering attacks 268 00:13:42.120 --> 00:13:45.519 or even for war driving driving around the registered address 269 00:13:45.559 --> 00:13:47.240 looking for unsecured Wi Fi. 270 00:13:47.679 --> 00:13:48.200 Wow. 271 00:13:48.240 --> 00:13:51.080 And a really striking real world example was the New 272 00:13:51.159 --> 00:13:54.919 York Times attack back in twenty thirteen. Their DNS records 273 00:13:54.960 --> 00:13:58.879 were altered after a successful phishing attack against their domain reseller. 274 00:13:59.240 --> 00:14:02.440 It shows how powerful this seemingly mundane data can be. 275 00:14:02.919 --> 00:14:05.960 It really drives it home. Okay, what about DNS enumeration. 276 00:14:06.000 --> 00:14:07.000 How do they leverage that? 277 00:14:07.559 --> 00:14:10.480 Well? DNS servers often use something called zone transfer to 278 00:14:10.480 --> 00:14:14.039 sync their databases. Okay, if that's misconfigured, which happens, it 279 00:14:14.080 --> 00:14:16.720 can expose a complete list of IP host name pairs 280 00:14:16.720 --> 00:14:19.639 within a network, basically gives the attacker a map of 281 00:14:19.720 --> 00:14:21.080 the internal network structure. 282 00:14:21.120 --> 00:14:21.960 How do they try that? 283 00:14:22.159 --> 00:14:25.279 Tools like dig can be used to attempt a zone transfer. 284 00:14:25.679 --> 00:14:30.480 Other tools like dnascinum automate finding basic DNS records MX 285 00:14:30.519 --> 00:14:34.559 for mail, NS for name servers, A records for IPS, 286 00:14:34.639 --> 00:14:37.919 and can perform reverse lookups even brute force subdomains to 287 00:14:38.000 --> 00:14:40.080 reveal more of the target's infrastructure. 288 00:14:40.159 --> 00:14:42.200 So they're using search engines too, but not just for 289 00:14:42.279 --> 00:14:45.000 finding web pages, right, They're digging deeper exactly. 290 00:14:45.320 --> 00:14:49.120 General search engines like Google, Bing, Duck, dot coo. They 291 00:14:49.159 --> 00:14:52.120 allow these advanced search filters. People call them Google dorks. 292 00:14:52.159 --> 00:14:53.279 Google dorks. Yeah. 293 00:14:53.759 --> 00:14:56.799 They let an attacker find specific file types, maybe error 294 00:14:56.840 --> 00:15:00.679 messages containing sensitive info or specific text in URLs that 295 00:15:00.799 --> 00:15:05.600 might reveal misconfigurations. Offensive Security actually maintains a public Google 296 00:15:05.600 --> 00:15:07.559 hacking database full of these techniques. 297 00:15:07.639 --> 00:15:10.799 Okay, but then there's Showdan that sounds completely different, almost 298 00:15:10.840 --> 00:15:11.399 like sci fi. 299 00:15:11.720 --> 00:15:13.759 Showdan really is a different kind of search engine. It 300 00:15:13.759 --> 00:15:16.639 doesn't look for web content. It searches for devices connected 301 00:15:16.679 --> 00:15:20.799 to the Internet, devices like what like everything, industrial control systems, 302 00:15:20.840 --> 00:15:24.960 running power grids, CCTV cameras, baby monitors, routers, servers, you 303 00:15:25.080 --> 00:15:29.399 name it. And what's truly surprising, maybe shocking, is the 304 00:15:29.399 --> 00:15:33.399 sheer volume of unsecured devices it finds, often left with 305 00:15:33.480 --> 00:15:37.440 default passwords. It's like finding the digital blueprint of a city, 306 00:15:37.519 --> 00:15:40.840 including all its unlocked back doors, with just a search query. 307 00:15:41.240 --> 00:15:44.240 That's kind of terrifying. Are there tools that help automate 308 00:15:44.279 --> 00:15:46.840 gathering info from all these different sources? Yeah. 309 00:15:46.879 --> 00:15:49.519 The Harvester is a Collie tool that acts as a rapper. 310 00:15:49.759 --> 00:15:53.720 It queries various search engines to pull together emails, subdomains, 311 00:15:53.799 --> 00:15:57.279 virtual hosts, open ports related to a target, sort of 312 00:15:57.320 --> 00:16:01.519 aggregator exactly. And another powerful frame work is recon. It 313 00:16:01.519 --> 00:16:05.120 consolidates lots of information gathering modules like it can look 314 00:16:05.159 --> 00:16:08.919 up multiple domains hosted on a single SSL certificate or 315 00:16:09.039 --> 00:16:12.159 enumerate LinkedIn contacts associated with a target company. 316 00:16:12.320 --> 00:16:15.159 Okay, so once they'd gathered all this initial intelligence, the 317 00:16:15.200 --> 00:16:19.440 next phase is usually scanning, right actively probing the target 318 00:16:19.519 --> 00:16:22.799 to see what's actually running and where the potential doors are. Correct. 319 00:16:22.879 --> 00:16:25.799 The scanning phase is about identifying the operating system, the 320 00:16:25.840 --> 00:16:30.120 web server version, the underlying infrastructure, specific applications. 321 00:16:29.519 --> 00:16:31.159 Running, starting with open ports. 322 00:16:31.639 --> 00:16:36.000 Usually yes, finding open ports beyond the standard eighty for 323 00:16:36.159 --> 00:16:39.559 HTTP and four forty three for hdtps because other services 324 00:16:39.639 --> 00:16:40.480 might be exposed. 325 00:16:40.879 --> 00:16:44.360 And for port scanning, the most famous tool is probably 326 00:16:44.600 --> 00:16:44.919 end map. 327 00:16:45.120 --> 00:16:49.000 It's legendary enmap network map er. Yes, it's absolutely the 328 00:16:49.000 --> 00:16:52.039 most widely known port scanner and a cornerstone of reconnaissance 329 00:16:52.080 --> 00:16:55.960 and scanning. It's incredibly effective at finding open TCP and 330 00:16:56.080 --> 00:16:59.919 UDP ports, and it's constantly updated. By default, it just 331 00:17:00.120 --> 00:17:03.639 checks the top one thousand most common ports to speed 332 00:17:03.639 --> 00:17:04.079 things up. 333 00:17:04.160 --> 00:17:06.200 How does it actually figure out if a port is open? 334 00:17:06.279 --> 00:17:08.759 Are there different ways it connects? Maybe some sneakier than others. 335 00:17:08.960 --> 00:17:12.000 Yeah, there are different scan types. The most straightforward is 336 00:17:12.039 --> 00:17:15.279 the TCP connect scan. Using the NZST flag, it performs 337 00:17:15.319 --> 00:17:17.799 a full three way TCP handshake. 338 00:17:17.440 --> 00:17:19.039 Like a normal connection exactly. 339 00:17:19.160 --> 00:17:22.079 It's accurate, but it's also more likely to be logged 340 00:17:22.079 --> 00:17:23.519 at the target machine and slower. 341 00:17:23.680 --> 00:17:25.319 Okay, what's the stealthier option. 342 00:17:25.640 --> 00:17:28.720 That's the syn scan using SSS, often called a half 343 00:17:28.759 --> 00:17:31.319 open scan. It starts the handshake but does not complete 344 00:17:31.319 --> 00:17:31.759 the handshake. 345 00:17:31.839 --> 00:17:33.640 Ah, so it doesn't fully connect right. 346 00:17:33.960 --> 00:17:36.799 This makes it less likely to be logged by basic firewalls, 347 00:17:37.400 --> 00:17:41.039 but those initial syn packets can still definitely alert more 348 00:17:41.079 --> 00:17:45.240 advanced intrusion detection or prevention systems in IPS or IDs. 349 00:17:45.319 --> 00:17:48.000 And you mentioned saving results before, Why is that so 350 00:17:48.079 --> 00:17:49.279 critical for a pent tester? 351 00:17:49.720 --> 00:17:53.559 Oh, in a pentest, saving results is absolutely vital for organization, 352 00:17:53.759 --> 00:17:56.359 for building that final report and honestly as a backup 353 00:17:56.400 --> 00:17:59.240 if something goes wrong or a scan gets interrupted. And 354 00:17:59.319 --> 00:18:02.440 map lets use save results in different formats XML its 355 00:18:02.440 --> 00:18:06.039 own format, agrippable text format so you can easily parse 356 00:18:06.039 --> 00:18:07.480 and reuse that data later. 357 00:18:07.720 --> 00:18:10.640 So beyond just finding open ports, they're profiling the whole 358 00:18:10.680 --> 00:18:12.720 server setup. What kind of details that they're looking for? 359 00:18:12.759 --> 00:18:15.400 Then, yeah, exactly. Once you know the OS and the 360 00:18:15.400 --> 00:18:18.680 open ports, the next step is identifying the exact applications 361 00:18:18.759 --> 00:18:22.759 running is it apatche icojinc Serving web pages what web 362 00:18:22.799 --> 00:18:26.279 application frameworks are they using, PHP, dot Net, Java? What 363 00:18:26.400 --> 00:18:29.960 databases are behind it? Are there load balancers involved? Getting 364 00:18:30.000 --> 00:18:32.200 this level of detail is critical for picking the right 365 00:18:32.240 --> 00:18:33.480 potential exploits later on. 366 00:18:33.799 --> 00:18:36.920 How do they deal with situations where maybe multiple websites 367 00:18:36.960 --> 00:18:39.559 are sharing the same server. That seems like it could 368 00:18:39.559 --> 00:18:40.519 be confusing. 369 00:18:40.240 --> 00:18:44.359 Yeah, that's common. Many websites use name based virtual hosting, 370 00:18:44.640 --> 00:18:48.839 sharing one physical server and IP address. They're distinguished by 371 00:18:48.839 --> 00:18:51.960 the host header in the HTTP request that tells the 372 00:18:52.000 --> 00:18:54.440 server which specific site you're trying to reach. 373 00:18:54.640 --> 00:18:56.279 So how do they figure out what else is on 374 00:18:56.319 --> 00:18:56.720 that server? 375 00:18:57.079 --> 00:19:00.920 There are online tools like HTTP dot ipnables is one 376 00:19:00.960 --> 00:19:04.000 example that can help identify other websites hosted on the 377 00:19:04.039 --> 00:19:07.319 same IP. It helps reveal more of a target's overall 378 00:19:07.359 --> 00:19:08.240 digital footprint. 379 00:19:08.480 --> 00:19:11.440 And load balancers you mentioned them? Can those sometimes give 380 00:19:11.480 --> 00:19:12.799 away useful information too? 381 00:19:13.000 --> 00:19:16.359 They absolutely can. High traffic sites use load balancers to 382 00:19:16.400 --> 00:19:19.759 distribute requests and keep things available. Some cookie based load 383 00:19:19.759 --> 00:19:22.160 balancers put a cookie in your browser to keep you 384 00:19:22.200 --> 00:19:26.279 stuck to one specific back end server. Okay, Sometimes these 385 00:19:26.319 --> 00:19:30.519 cookies accidentally reveal critical server details, maybe encoded pool names 386 00:19:30.640 --> 00:19:33.319 or even internal IP addresses and ports of the back 387 00:19:33.440 --> 00:19:36.680 end servers things they really should not be doing. It's 388 00:19:36.720 --> 00:19:39.039 an often overlooked reconnaissance. 389 00:19:38.400 --> 00:19:42.680 Source fascinating little leaks of information. So what about figuring 390 00:19:42.680 --> 00:19:45.680 out the actual web application frameworks being used? Is that 391 00:19:45.720 --> 00:19:46.519 just guesswork? Oh? 392 00:19:46.519 --> 00:19:49.240 No, not at all. There are several clues pen testers 393 00:19:49.279 --> 00:19:53.000 look for. HTTP headers like the server header or maybe 394 00:19:53.000 --> 00:19:57.359 an xass net version header can directly reveal the tech stack. Okay, 395 00:19:57.440 --> 00:20:00.359 custom cookie set by frameworks like asp not netw or 396 00:20:00.480 --> 00:20:04.279 JSESSIOND for Java apps can also be giveaways. Even seemingly 397 00:20:04.319 --> 00:20:07.559 harmless comments left in the HTML source code can sometimes 398 00:20:07.599 --> 00:20:10.440 contain hints about the framework or libraries being used. 399 00:20:10.559 --> 00:20:13.519 And for automating the identification of these technologies, is there 400 00:20:13.559 --> 00:20:15.960 a quick Collie tool for that? What? 401 00:20:16.160 --> 00:20:18.880