WEBVTT 1 00:00:00.120 --> 00:00:02.720 Welcome to a deep dive that might just change how 2 00:00:02.759 --> 00:00:04.360 you look at the digital world around you. 3 00:00:04.599 --> 00:00:07.400 Yeah, today we're really pulling back the curtain on hacking. 4 00:00:07.679 --> 00:00:10.439 But and this is key, not from the criminal side. 5 00:00:10.599 --> 00:00:13.519 We're looking at the people who learn these techniques to 6 00:00:14.759 --> 00:00:15.599 well defend. 7 00:00:15.400 --> 00:00:18.600 Us all exactly. Our main source today is this book 8 00:00:18.879 --> 00:00:23.559 Ethical Hacking, A hands on Introduction to Breaking In. And 9 00:00:23.679 --> 00:00:27.280 it's really practical, not just theory then, no, not at all. 10 00:00:27.519 --> 00:00:29.920 It shows you how systems get compromised, you know, from 11 00:00:29.960 --> 00:00:34.159 the basics of networks right up to complex exploitation. It's 12 00:00:34.200 --> 00:00:36.960 solid stuff, technically reviewed by people like doctor ed Novak, 13 00:00:37.159 --> 00:00:39.119 who really knows his security and privacy. 14 00:00:39.200 --> 00:00:42.560 Okay, so what's our mission here? What do we want you, 15 00:00:42.719 --> 00:00:44.159 the listener to get out of this? 16 00:00:44.719 --> 00:00:46.840 Well, the goal is to help you start thinking like 17 00:00:46.840 --> 00:00:49.799 an ethical hacker, someone who can, you know, carefully look 18 00:00:49.799 --> 00:00:52.640 at a system, figure out its weaknesses and find ways. 19 00:00:52.399 --> 00:00:54.520 In, but purely for defensive reasons. 20 00:00:54.600 --> 00:00:56.880 Right, It's kind of a shortcut to understanding these hidden 21 00:00:56.920 --> 00:00:59.880 cyber threats and honestly how much they impact our every 22 00:01:00.079 --> 00:01:00.600 day lives. 23 00:01:00.840 --> 00:01:02.000 All right, let's dive in. 24 00:01:02.320 --> 00:01:07.040 So the influence of hacking today it's huge. It touches everything, 25 00:01:07.120 --> 00:01:11.200 doesn't it, elections, power grids, big infrastructure, even just our 26 00:01:11.239 --> 00:01:12.120 personal safety. 27 00:01:12.200 --> 00:01:15.840 Absolutely, it's not abstract. Remember the Colonial pipeline attack in 28 00:01:15.840 --> 00:01:20.319 twenty twenty one that caused real panic, flight cancelations, actual 29 00:01:20.400 --> 00:01:24.640 fuel shortages. Millions of people felt that directly. 30 00:01:24.719 --> 00:01:27.079 And that's just one example. We've seen attacks on companies, 31 00:01:27.120 --> 00:01:31.079 even countries just accelerate like crazy over the past decade. 32 00:01:31.159 --> 00:01:34.120 Yeah, twenty twenty one alone was wild hackers stealing over 33 00:01:34.159 --> 00:01:37.040 one hundred million in crypto, trying to poison a water 34 00:01:37.079 --> 00:01:37.640 supply in. 35 00:01:37.599 --> 00:01:41.719 Florida, attacking Pfizer, hitting government agencies all over the place. 36 00:01:41.840 --> 00:01:43.159 So why is this happening? Why? 37 00:01:43.280 --> 00:01:46.519 Now? Well, fundamentally, it's because we depend so much on 38 00:01:46.560 --> 00:01:49.799 technology right. Our entire society, our economy, it all runs 39 00:01:49.799 --> 00:01:52.640 on it. So attacks on that tech infrastructure have massive 40 00:01:52.680 --> 00:01:55.040 knock on effects socially and economically. 41 00:01:55.079 --> 00:01:58.760 So understanding hacking isn't really optional anymore, pretty much essential. Yeah, 42 00:01:58.799 --> 00:02:00.719 and to really get it, you need to get your 43 00:02:00.760 --> 00:02:02.719 hands dirty safely though exactly. 44 00:02:02.840 --> 00:02:04.879 That's where setting up your own virtual lab comes in 45 00:02:05.159 --> 00:02:08.400 is crucial. You need this isolated space to learn and 46 00:02:08.479 --> 00:02:13.199 practice without accidentally messing up your real computer or network. 47 00:02:13.080 --> 00:02:16.520 Keeps everything secure. So what does this lab look like? Typically? 48 00:02:16.879 --> 00:02:20.120 Usually you'd set up a few virtual machines or vms. 49 00:02:20.159 --> 00:02:22.759 You'd have something like a Kithens router firewall that's like 50 00:02:22.800 --> 00:02:27.400 your virtual networks bodyguard. Then a Kali Linux machine. Think 51 00:02:27.439 --> 00:02:29.960 of that as your ethical hacking toolkit. It's packed with 52 00:02:30.000 --> 00:02:33.560 specialized software, got it. You probably want a couple of 53 00:02:33.599 --> 00:02:39.159 say Ubuntu Linux desktops as targets just to practice attacking 54 00:02:39.199 --> 00:02:42.599 common systems. And definitely a metasploitable VM. 55 00:02:42.639 --> 00:02:46.400 Metasploitable yeah, like, that's the one designed to be vulnerable exactly. 56 00:02:46.639 --> 00:02:49.120 It's deliberately full of holes, so it's perfect for profiting 57 00:02:49.159 --> 00:02:52.080 attacks without doing any real harm. It's a safe target. 58 00:02:52.159 --> 00:02:54.840 And you run all this using virtual box. 59 00:02:55.120 --> 00:02:57.520 Yeah. Virtual box is a great option. It's free and 60 00:02:57.680 --> 00:03:00.800 lets you create these virtual computers inside your actual computer. 61 00:03:01.240 --> 00:03:04.199 You just need a reasonably decent machine yourself. You know 62 00:03:04.280 --> 00:03:07.599 of hard drive space, maybe thirty gigs free and enough 63 00:03:07.759 --> 00:03:11.599 RAM say four gigs minimum, ideally more to run several 64 00:03:11.719 --> 00:03:12.199 vms at. 65 00:03:12.159 --> 00:03:15.240 Once, right, like building a whole mini network inside your laptop, 66 00:03:15.280 --> 00:03:17.360 a safe little sandbox precisely. 67 00:03:17.680 --> 00:03:21.639 So let's talk about the digital battlefield itself. The network fundamentals. Okay, 68 00:03:21.960 --> 00:03:25.199 at the most basic level, everything on the Internet travels 69 00:03:25.199 --> 00:03:27.280 in packets. You have to think of them like a 70 00:03:27.639 --> 00:03:31.080 digital envelopes sense, Yeah, and each envelope has a from 71 00:03:31.199 --> 00:03:33.879 address and a two address. Those are the source and 72 00:03:33.919 --> 00:03:37.800 destination MSE addresses for local stuff, and IP addresses for 73 00:03:37.840 --> 00:03:39.319 getting across the wider Internet. 74 00:03:39.360 --> 00:03:41.560 And the routers they're like the post offices. 75 00:03:41.479 --> 00:03:44.240 Exactly like sorting offices. They look at the destination IP 76 00:03:44.319 --> 00:03:47.560 address and forward the packet along the way. It's all hierarchical. 77 00:03:48.039 --> 00:03:51.319 The lowest level is your local network, your land like 78 00:03:51.400 --> 00:03:55.120 your home Wi Fi, all connected through one main router. 79 00:03:55.120 --> 00:03:58.680 Which brings us to something like ARP spoofing. You mentioned 80 00:03:58.680 --> 00:03:59.919 that as an example. 81 00:03:59.719 --> 00:04:03.199 Yes, NRP spoofing. It's a classic example of exploiting a 82 00:04:03.240 --> 00:04:08.280 fund metal maybe slightly flawed protocol. Basically, if you're on 83 00:04:08.319 --> 00:04:11.879 say public Wi Fi at a coffee shop, yeah, an 84 00:04:11.879 --> 00:04:16.000 attacker on that same network could potentially use airpacepoofing to 85 00:04:16.079 --> 00:04:19.319 intercept your unencrypted web traffic. See what sites you're visiting, 86 00:04:19.360 --> 00:04:19.920 that kind of thing. 87 00:04:19.959 --> 00:04:21.480 How does that work? Sound sneaky? 88 00:04:21.720 --> 00:04:24.839 It is. The attacker basically tricks both your computer and 89 00:04:24.879 --> 00:04:28.040 the router. They convince your machine that the attacker's machine 90 00:04:28.040 --> 00:04:30.600 is the router. They convince the router that the attacker's 91 00:04:30.639 --> 00:04:31.600 machine is your computer. 92 00:04:31.759 --> 00:04:33.240 So all the traffic goes through though. 93 00:04:33.199 --> 00:04:35.240 Exactly they become a man in the middle. And this 94 00:04:35.399 --> 00:04:38.759 just highlights how risky unencrypted communication on public Wi Fi 95 00:04:38.800 --> 00:04:41.680 can be. Even simple tools like earl snarf can then 96 00:04:41.720 --> 00:04:44.279 pull out things like the website addresses you visit from 97 00:04:44.279 --> 00:04:45.399 that intercepted traffic. 98 00:04:45.600 --> 00:04:49.079 Wow. Okay, so how do ethical hackers actually see and 99 00:04:49.199 --> 00:04:50.480 analyze this traffic? 100 00:04:51.040 --> 00:04:53.959 Good question. That's where you need to understand the Internet 101 00:04:54.040 --> 00:04:58.319 protocol stack. Think of protocols as just rules for talking, 102 00:04:58.959 --> 00:05:01.720 like how human and say hello to start a conversation 103 00:05:02.160 --> 00:05:05.879 and goodbye to end it. Computers need similar rules and 104 00:05:05.920 --> 00:05:08.120 it's layered right. Yeah. It typically shown as a five 105 00:05:08.199 --> 00:05:11.040 layer stack. Yeah. Information gets wrapped up kind of like 106 00:05:11.120 --> 00:05:13.279 nesting dolls as it moves down the layers. 107 00:05:13.399 --> 00:05:17.160 So like the application layers where your browser works with HTTP. 108 00:05:16.959 --> 00:05:19.560 Right, then it goes down to transport maybe using TCP, 109 00:05:20.240 --> 00:05:23.879 then network with IP addresses, data link with AMC addresses 110 00:05:23.920 --> 00:05:27.399 for the local network, and finally physical turning it into 111 00:05:27.439 --> 00:05:29.720 electrical signals or light pulses. 112 00:05:29.519 --> 00:05:32.319 And each layer does its job independently. 113 00:05:32.040 --> 00:05:34.759 Pretty much, which is efficient, but it also means a 114 00:05:34.800 --> 00:05:37.439 weakness of one layer, like ARP at the data link 115 00:05:37.519 --> 00:05:38.759 layer can be exploited. 116 00:05:38.839 --> 00:05:41.519 And what about ports. You hear about open ports being bad. 117 00:05:41.720 --> 00:05:45.279 Ah, ports they're essential. They let multiple programs on your 118 00:05:45.279 --> 00:05:47.639 computer use the network at the same time, like your 119 00:05:47.639 --> 00:05:51.319 browser uses port four four three for HTTPS, your email 120 00:05:51.360 --> 00:05:52.279 client uses others. 121 00:05:52.399 --> 00:05:53.360 But they're also a risk. 122 00:05:53.600 --> 00:05:56.800 They can be open ports are like open doors into 123 00:05:56.800 --> 00:06:01.439 your system. Attackers scan for open ports because they represent 124 00:06:01.800 --> 00:06:04.800 potential ways to interact with services running on your machine. 125 00:06:05.000 --> 00:06:06.920 They're often the first thing an attacker looks for. 126 00:06:07.560 --> 00:06:10.199 So how do you actually see all this packet stuff? 127 00:06:10.399 --> 00:06:13.639 The key tool here is wire Shark. Think of it 128 00:06:13.680 --> 00:06:17.879 as your network microscope. It captures every single packet going 129 00:06:17.879 --> 00:06:19.600 in and out of your computer's network. 130 00:06:19.360 --> 00:06:22.000 Interface, every single one. That must be a lot of data. 131 00:06:22.639 --> 00:06:26.160 It can be thousands. Yeah, but wire shark has power fulfillters. 132 00:06:26.279 --> 00:06:28.399 You can tell it show me only traffic to this 133 00:06:28.439 --> 00:06:32.319 specific IP address, or show me packets containing the word password. 134 00:06:32.519 --> 00:06:34.160 It lets you cut through the noise and find what 135 00:06:34.199 --> 00:06:36.680 you're looking for. It's how you really visualize what's happening. 136 00:06:36.759 --> 00:06:39.160 You can even monitor firewall traffic. 137 00:06:38.839 --> 00:06:42.199 Absolutely on something like a pfens firewall VM. You could 138 00:06:42.240 --> 00:06:45.360 use a tool called TCP dump to capture traffic passing 139 00:06:45.399 --> 00:06:48.399 through it, save it and analyze it later, maybe even 140 00:06:48.480 --> 00:06:49.480 using online tools. 141 00:06:49.600 --> 00:06:52.199 Okay, that covers the fundamentals. Let's move into Part three, 142 00:06:52.319 --> 00:06:55.639 exploitation techniques actually breaking in right. 143 00:06:56.000 --> 00:07:00.279 A really fundamental concept here is getting remote control. Key 144 00:07:00.319 --> 00:07:02.199 technique is the reverse shell. 145 00:07:02.399 --> 00:07:04.879 Reverse shell sounds backwards. 146 00:07:05.160 --> 00:07:08.240 It kind of is. Imagine an attacker manages to run 147 00:07:08.279 --> 00:07:11.399 some malicious code on your machine. Now, instead of the 148 00:07:11.439 --> 00:07:13.800 attacker trying to connect in through your firewall, which is 149 00:07:13.879 --> 00:07:17.319 usually blocked, this malicious code connects out from inside your 150 00:07:17.360 --> 00:07:19.160 network to the attacker's waiting machine. 151 00:07:19.399 --> 00:07:23.079 Uh so it bypasses the firewalls incoming rules. 152 00:07:23.120 --> 00:07:27.079 Clever, very clever, and it gives the attacker persistent access 153 00:07:27.199 --> 00:07:28.680 a way back in whenever they want. 154 00:07:28.839 --> 00:07:31.160 And if they do that to lots of machines. 155 00:07:30.759 --> 00:07:33.519 Then you have a botnet, a whole network of compromised 156 00:07:33.519 --> 00:07:37.160 computers or bots, all under the attacker's control, and they can. 157 00:07:37.120 --> 00:07:39.959 Use these bots for what DEDAS attacks. 158 00:07:40.079 --> 00:07:42.560 DDAs is a big one. Yeah, overwhelming a website or 159 00:07:42.639 --> 00:07:45.240 server with so much traffic from the botnet that it 160 00:07:45.360 --> 00:07:47.079 just falls over, it goes offline. 161 00:07:47.160 --> 00:07:49.120 Wasn't there a famous botnet, Mira. 162 00:07:49.240 --> 00:07:52.360 Miri exactly back in twenty sixteen was huge, infected something 163 00:07:52.439 --> 00:07:54.759 like three hundred thousand devices. 164 00:07:54.199 --> 00:07:58.480 Mostly those Internet of Things devices, right, cameras, routers. 165 00:07:58.519 --> 00:08:01.199 Yeah, basic stuff. And the crazy part is how it 166 00:08:01.240 --> 00:08:03.879 infected them, mostly just by logging in with the default 167 00:08:04.000 --> 00:08:06.480 usernames and passwords that people never changed. 168 00:08:06.560 --> 00:08:09.040 Wow, just default credentials yep. 169 00:08:09.399 --> 00:08:11.920 And what made me write tricky to stop was how 170 00:08:12.000 --> 00:08:15.399 the bots found their master, their commanding control server or 171 00:08:15.519 --> 00:08:18.759 C two. They didn't use a fixed IP address, They 172 00:08:18.759 --> 00:08:22.199 looked up a domain name a URL, which the attackers 173 00:08:22.199 --> 00:08:24.800 could easily change. Made it much harder to take down 174 00:08:24.800 --> 00:08:25.480 the whole network. 175 00:08:25.600 --> 00:08:28.079 Okay, so controlling machines is one thing. What about data 176 00:08:28.720 --> 00:08:30.480 that leads to cryptography? Right? 177 00:08:30.639 --> 00:08:35.080 Yeah? And ransomware absolutely. Crytography is fundamental to digital security 178 00:08:35.320 --> 00:08:39.399 and ransomware. Oh that's the nightmare scenario where malware encrypts 179 00:08:39.440 --> 00:08:40.440 all your important. 180 00:08:40.120 --> 00:08:42.000 Files, it demands money to get them back. 181 00:08:42.120 --> 00:08:45.360 Right, malicious encryption to understand the risks, it helps to 182 00:08:45.360 --> 00:08:48.320 know a bit about how encryption works, even simple concepts 183 00:08:48.720 --> 00:08:50.039 like the one time pad. 184 00:08:49.960 --> 00:08:52.519 That's the theoretically unbreakable one. 185 00:08:52.799 --> 00:08:55.559 Theoretically yes, if the key is truly random and you 186 00:08:55.639 --> 00:08:58.080 only use it once. The critical part is only once. 187 00:08:58.200 --> 00:09:00.879 What happens if you reuse the key big problems. 188 00:09:01.200 --> 00:09:04.039 If you encrypt two different messages with the same one 189 00:09:04.080 --> 00:09:08.039 time pad key, you actually leak information that lets someone 190 00:09:08.080 --> 00:09:11.879 potentially figure out both original messages. It shows how even 191 00:09:11.919 --> 00:09:15.679 a perfect system can fail catastrophically if used incorrectly. 192 00:09:15.759 --> 00:09:18.919 So for real world security, we use things like RSA 193 00:09:19.440 --> 00:09:21.279 public key cryptography exactly. 194 00:09:21.399 --> 00:09:24.960 RSA is a cornerstone, uses a pair of keys, a 195 00:09:25.000 --> 00:09:27.639 public key you can share with anyone, and a private 196 00:09:27.759 --> 00:09:28.840 key you guard. 197 00:09:28.600 --> 00:09:31.759 Fiercely, and if someone encrypts a message with my public. 198 00:09:31.440 --> 00:09:35.159 Key, only you with your corresponding private key, can decrypt it. 199 00:09:35.159 --> 00:09:37.679 It guarantees confidentiality. 200 00:09:36.840 --> 00:09:39.440 And the other way around. Encrypting with a private key 201 00:09:39.840 --> 00:09:40.559 that acts like. 202 00:09:40.559 --> 00:09:43.720 A digital signature. If you encrypt something or usually a 203 00:09:43.720 --> 00:09:46.679 hash of something, with your private key, anyone can use 204 00:09:46.679 --> 00:09:48.840 your public key to verify that you must have been 205 00:09:48.840 --> 00:09:50.240 the one who signed it. 206 00:09:50.320 --> 00:09:54.279 Proves authenticity, which is crucial for things like secure websites 207 00:09:54.480 --> 00:09:58.240 HDTPS that uses TLS right Transport layer security. 208 00:09:58.480 --> 00:10:02.159 Right TLS uses all these public private keys for authentication, 209 00:10:02.639 --> 00:10:06.399 and keys change symmetric encryption for the actual data transfer 210 00:10:06.840 --> 00:10:11.240 message authentication codes. For integrity, it relies on certificate authorities 211 00:10:11.679 --> 00:10:14.200 CAAs to vouch for the public keys and build that 212 00:10:14.279 --> 00:10:14.960 chain of trust. 213 00:10:15.159 --> 00:10:17.440 But attackers still try to break it, like trying to 214 00:10:17.480 --> 00:10:22.039 force a connection down from HTTPS to unencrypted HTTP. 215 00:10:22.200 --> 00:10:25.279 They definitely try. It's called SSL stripping, but modern browsers 216 00:10:25.320 --> 00:10:29.480 fight back with something called HTCs HTT Strict Transport Security. 217 00:10:29.879 --> 00:10:32.200 It basically tells the browser only ever talk to this 218 00:10:32.279 --> 00:10:36.559 site over HTDPS, which prevents most downgrade attacks. 219 00:10:36.200 --> 00:10:38.120 Although misconfigurations can still happen. 220 00:10:38.159 --> 00:10:41.919 I guess oh absolutely, especially with subdomains or complex setups. 221 00:10:42.039 --> 00:10:43.759 Security is never perfectly simple. 222 00:10:43.799 --> 00:10:47.320 Okay, let's shift focus a bit Part four, the human side, 223 00:10:47.559 --> 00:10:49.200 social engineering and ocent. 224 00:10:49.639 --> 00:10:52.600 Yeah, the human element is often the weakest link. Phishing 225 00:10:52.639 --> 00:10:55.240 emails are a classic example. It's surprisingly easy to fake 226 00:10:55.240 --> 00:10:57.200 the from address in an email because of how the 227 00:10:57.279 --> 00:10:59.720 underlying protocol SMTP works, so you. 228 00:10:59.720 --> 00:11:01.120 Can make can email look like it came from a 229 00:11:01.120 --> 00:11:02.879 trusted source easily. 230 00:11:02.679 --> 00:11:05.240 And now we're seeing the rise of deep fakes, which 231 00:11:05.279 --> 00:11:07.600 is frankly terrifying. 232 00:11:07.679 --> 00:11:09.879 AI generated fake videos exactly. 233 00:11:10.279 --> 00:11:14.960 Using machine learning, attackers can create incredibly convincing videos. Imagine 234 00:11:14.960 --> 00:11:18.080 getting a video call that looks and sounds exactly like 235 00:11:18.120 --> 00:11:20.840 your CEO telling you to approve a wire transfer or 236 00:11:20.879 --> 00:11:21.840 expect a certain. 237 00:11:21.600 --> 00:11:25.799 Email which is actually malicious. Wow. The potential for deception 238 00:11:25.919 --> 00:11:27.759 there is huge, It really is. 239 00:11:28.120 --> 00:11:31.840 Which highlights why information gathering OCENT open source intelligence is 240 00:11:31.840 --> 00:11:33.080 so critical for attackers. 241 00:11:33.200 --> 00:11:35.240 Just collecting publicly available info yep. 242 00:11:35.720 --> 00:11:38.519 The more an attacker knows about you or your organization, 243 00:11:38.919 --> 00:11:42.440 the more tailored and convincing their attack can be. OCENT 244 00:11:42.600 --> 00:11:45.559 is the process of finding and connecting those public data. 245 00:11:45.360 --> 00:11:46.960 Points like what kind of data points? 246 00:11:47.039 --> 00:11:50.679 Oh anything? Contact details from website registration records, ye, email 247 00:11:50.679 --> 00:11:53.279 addresses are user names exposed in data breaches. You can 248 00:11:53.360 --> 00:11:57.399 check sites like have in pobayan dot com, social media profiles, 249 00:11:57.559 --> 00:11:59.799 company directories, news articles. 250 00:11:59.519 --> 00:12:01.639 And tools help connect these dots. You mentioned. 251 00:12:01.720 --> 00:12:05.240 Maltago, Yeah, Maultago is great for visualizing these connections. You 252 00:12:05.279 --> 00:12:08.399 feed it bits of information and it spiders out, finding 253 00:12:08.440 --> 00:12:11.600 links you might never see otherwise. It can map relationships 254 00:12:11.639 --> 00:12:15.440 between people, companies, email addresses infrastructure, and. 255 00:12:15.399 --> 00:12:19.399 This OCENT enables really nasty attacks like simjacking. 256 00:12:19.759 --> 00:12:24.480 Simjacking is a prime example of weaponized OCENT. It's highly sophisticated. 257 00:12:24.799 --> 00:12:28.840 Attackers gather enough personal information about you to convincingly impersonate 258 00:12:28.879 --> 00:12:31.320 you when talking to your mobile phone provider. 259 00:12:30.960 --> 00:12:32.840 And they trick the provider into. 260 00:12:32.919 --> 00:12:35.720 Transferring your phone number to a simcard they control. 261 00:12:36.000 --> 00:12:38.080 Oh wow, so they get all your calls and texts, 262 00:12:38.639 --> 00:12:41.440 including two factor authentication codes exactly. 263 00:12:41.480 --> 00:12:45.080 It completely bypasses SMS based two FA It requires a 264 00:12:45.080 --> 00:12:47.080 lot of prep work, but it's devastating when it works. 265 00:12:47.240 --> 00:12:50.600 Scary stuff. What about finding vulnerable systems directly? 266 00:12:50.960 --> 00:12:56.120 Google dorking Google dorking. It's basically using advanced search operators 267 00:12:56.120 --> 00:12:58.799 in Google to find things that shouldn't be public, like 268 00:12:58.799 --> 00:13:03.759 what misconfigured web servers, login pages, sensitive documents or configuration 269 00:13:03.840 --> 00:13:08.600 files accidentally indexed by Google, even live unsecured webcams. Sometimes 270 00:13:08.639 --> 00:13:10.360 you'd be amazed what's just out there? 271 00:13:10.480 --> 00:13:12.919 And beyond Google there are specialized tools. 272 00:13:12.960 --> 00:13:16.159 Oh yeah, Tools like mass scan can scan huge ranges 273 00:13:16.200 --> 00:13:19.320 of the Internet incredibly quickly, looking for specific open ports. 274 00:13:19.879 --> 00:13:24.000 Showdan is like a search engine specifically for Internet connected devices. 275 00:13:24.279 --> 00:13:28.679 Finding everything from industrial control systems to refrigerators online though 276 00:13:28.799 --> 00:13:31.519 SHOWDAN logs your IP so ethical use is key. 277 00:13:31.879 --> 00:13:34.240 And once you find a potential target system and you 278 00:13:34.240 --> 00:13:34.879 start looking. 279 00:13:34.720 --> 00:13:37.840 For known weaknesses, use the osent you gathered. What software 280 00:13:37.879 --> 00:13:41.360 is it running? What version? Then you check vulnerability databases 281 00:13:41.600 --> 00:13:44.480 like the CVE list using tools like search sploit to 282 00:13:44.519 --> 00:13:48.480 see if there are known published exploits for that specific. 283 00:13:48.080 --> 00:13:51.799 Software, and automated scanners like ENMAP or nessis can help 284 00:13:51.840 --> 00:13:53.320 find these vulnerabilities too. 285 00:13:53.639 --> 00:13:58.120 Absolutely. NMAP is fantastic for port scanning and service identification. 286 00:13:58.759 --> 00:14:02.399 NESSUS is a more common, comprehensive vulnerability scanner. The checks 287 00:14:02.399 --> 00:14:06.279 for thousands of known issues, including things like back doors 288 00:14:06.320 --> 00:14:09.480 like the one deliberately built into that metasploitable practice machine. 289 00:14:09.759 --> 00:14:12.159 There are even tools like discovered that try to automate 290 00:14:12.320 --> 00:14:14.279 a whole range of ocent gathering. 291 00:14:14.679 --> 00:14:17.200 Okay, so that's finding non issues. What about the unknown? 292 00:14:18.000 --> 00:14:21.720 Part five? Advanced exploitation? Finding zero days? 293 00:14:21.799 --> 00:14:25.399 Right? Zero days? These are the vulnerabilities nobody knows about 294 00:14:25.480 --> 00:14:27.919 yet except maybe the person who found them. They can 295 00:14:27.960 --> 00:14:31.320 be incredibly valuable, sometimes selling for huge sums on the 296 00:14:31.320 --> 00:14:32.200 black market or to. 297 00:14:32.159 --> 00:14:34.759 Governments because there's no patch, no defense yet exactly. 298 00:14:35.320 --> 00:14:38.360 The famous heart bleed bug in open ssl was effectively 299 00:14:38.360 --> 00:14:40.360 a zero day for a while before it was discovered 300 00:14:40.399 --> 00:14:41.120 and publicized. 301 00:14:41.200 --> 00:14:43.080 And how do people find these? Fuzzing? 302 00:14:43.399 --> 00:14:46.879 Fuzzing is a major technique. It's basically automated bug hunting. 303 00:14:47.399 --> 00:14:50.960 You throw tons and tons of malformed, unexpected random data 304 00:14:50.960 --> 00:14:53.960 at a program, hoping to make it crash or behave. 305 00:14:53.720 --> 00:14:55.039 Strangely just random jump. 306 00:14:55.159 --> 00:14:58.960 Well, simple fuzzers do that, but smarter fuzzers like American 307 00:14:59.000 --> 00:15:03.159 Fuzzy lop AFL are more clever. They watch how the 308 00:15:03.200 --> 00:15:07.000 program reacts to input and intelligently mutate the inputs that 309 00:15:07.039 --> 00:15:09.879 seem to explore new paths within the code, making the 310 00:15:09.919 --> 00:15:12.399 process much more efficient at finding hidden bugs. 311 00:15:12.480 --> 00:15:14.759 So once an attacker gets in, maybe using a zero 312 00:15:14.879 --> 00:15:18.240 day or maybe something simpler, they want to stay hidden, right. 313 00:15:18.399 --> 00:15:20.440 Trojans and rootkits exactly. 314 00:15:20.799 --> 00:15:24.159 Persistence and stealth are key. A trojan horse program is 315 00:15:24.200 --> 00:15:27.279 malware disguised is something harmless, like the Greek myth, just 316 00:15:27.399 --> 00:15:29.840 like it. You might hide your malicious implant inside a 317 00:15:29.919 --> 00:15:33.679 legitimate looking installer file for Linux dot deb, or maybe 318 00:15:33.720 --> 00:15:36.639 inside a simple Windows game like Mind Sweeper, or even 319 00:15:36.679 --> 00:15:39.840 a word document, macro or an Android app DOTK file. 320 00:15:40.039 --> 00:15:41.720 How do they get past antivirus? Then? 321 00:15:41.879 --> 00:15:45.559 Good question. Antivirus often looks for known signatures of malware, 322 00:15:45.960 --> 00:15:49.279 so attackers use techniques to change the signature. Simple encoding 323 00:15:49.360 --> 00:15:51.919 like BA sixty four can sometimes help disguise the code, 324 00:15:51.960 --> 00:15:55.200 but more advanced methods polymorphic encoders are the next level. 325 00:15:55.559 --> 00:15:58.879 Something like the chicatagun I encoder used by the Metasbolate 326 00:15:58.960 --> 00:16:02.799 framework actually generates a slightly different version of the malware 327 00:16:02.840 --> 00:16:06.039 code each time it's used. It does the same bad stuff, 328 00:16:06.159 --> 00:16:09.279 but its signature looks different every time, making it much 329 00:16:09.320 --> 00:16:11.840 harder for signature based antivirus to catch. 330 00:16:12.000 --> 00:16:14.960 And then rootkits those sound serious they are. 331 00:16:15.480 --> 00:16:18.200 If a trojan gets the malware installed, a root kit 332 00:16:18.519 --> 00:16:21.720 helps it hide and maintain control at a very deep level, 333 00:16:21.960 --> 00:16:24.279 often by modifying the operating system itself. 334 00:16:24.399 --> 00:16:26.600 How does that work? In Linux? For example, so. 335 00:16:26.759 --> 00:16:29.679 Normal programs run in user space, but they need to 336 00:16:29.679 --> 00:16:32.799 ask the core of the OS, the kernel, to do 337 00:16:32.879 --> 00:16:36.919 privileged things like accessing hardware or managing files. They do 338 00:16:36.960 --> 00:16:40.360 this using system calls for ciscolls. A rootkit might hook 339 00:16:40.399 --> 00:16:43.960 these cis calls it replaces the kernel's normal function for say, 340 00:16:44.200 --> 00:16:47.399 listing files in a directory, with its own function. This 341 00:16:47.519 --> 00:16:50.320 malicious function does the normal job, but also hides the 342 00:16:50.399 --> 00:16:52.519 rootkit's own files from the listing. 343 00:16:52.440 --> 00:16:55.039 So the malware becomes invisible to standard tools. 344 00:16:55.279 --> 00:17:00.240 Exactly could to hide processes. Network connections prevent reboots. Very 345 00:17:00.240 --> 00:17:02.279 sneaky and hard to detect or remove. 346 00:17:02.480 --> 00:17:05.359 Let's switch to web applications. SEQL injection that seems to 347 00:17:05.359 --> 00:17:06.079 come up a lot. 348 00:17:06.240 --> 00:17:09.640 It does because it's still surprisingly common. It happens when 349 00:17:09.759 --> 00:17:12.920 a website developer doesn't properly clean up the input they 350 00:17:12.920 --> 00:17:15.240 get from a user, maybe from a search. 351 00:17:15.039 --> 00:17:17.359 Box or a log in form, and the attacker puts 352 00:17:17.400 --> 00:17:18.640 database commands in there. 353 00:17:18.839 --> 00:17:22.960 Precisely, they inject malicious sequel commands into the input field. 354 00:17:23.279 --> 00:17:26.240 If the website just blindly pastes that input into its 355 00:17:26.319 --> 00:17:30.279 database query, the attacker's commands get executed by the database. 356 00:17:29.960 --> 00:17:32.240 Letting them do what dump data. 357 00:17:32.160 --> 00:17:36.359 Yeah, potentially steal entire tables of data, user names, passwords, 358 00:17:36.400 --> 00:17:39.319 customer info, whatever's in the database. It relies on trusting 359 00:17:39.440 --> 00:17:40.759 user input, which you should. 360 00:17:40.480 --> 00:17:44.680 Ever do, and web interactions rely heavily on HTTP requests right, 361 00:17:45.000 --> 00:17:45.880 especially cookies. 362 00:17:45.920 --> 00:17:48.799 Absolutely you need to understand how browsers talk to servers 363 00:17:48.880 --> 00:17:53.599 using get and post requests, the headers involved like host 364 00:17:53.599 --> 00:17:56.960 and user agent, and crucially the cookie header. 365 00:17:56.960 --> 00:17:58.039 That's what keeps you logged in. 366 00:17:58.240 --> 00:18:01.960 Yeah, cookie store your session state. If an attacker can 367 00:18:02.039 --> 00:18:05.839 steal your session cookie, maybe through intercepting traffic or another 368 00:18:05.880 --> 00:18:09.000 attack like XSS, they can often put that cookie in 369 00:18:09.039 --> 00:18:12.119 their own browser and impersonate you, taking over your logged 370 00:18:12.119 --> 00:18:14.160 in session without needing your password at all. 371 00:18:14.319 --> 00:18:17.720 Speaking of passwords, systems don't store them in plain text, 372 00:18:17.759 --> 00:18:19.440 hopefully they use hashes, right. 373 00:18:19.480 --> 00:18:22.880 They store hashes. A hash function like SAHA two fifty 374 00:18:22.920 --> 00:18:26.200 six takes an input your password and produces a fixed 375 00:18:26.240 --> 00:18:29.759 size output the hash. It's designed to be one way 376 00:18:29.799 --> 00:18:33.039 easy to compute the hash from the password, but incredibly 377 00:18:33.079 --> 00:18:34.880 hard to get the password back from the hash. 378 00:18:35.039 --> 00:18:38.720 But attackers can still crack hashes dictionary attacks they. 379 00:18:38.559 --> 00:18:41.319 Can try if the system just stores the raw hash 380 00:18:41.319 --> 00:18:44.599 of the password. Attackers can pre calculate hashes for millions 381 00:18:44.599 --> 00:18:48.039 of common passwords a rainbow table, or just try hashing 382 00:18:48.039 --> 00:18:49.799 words from a dictionary until they find a match. 383 00:18:50.359 --> 00:18:52.920 So how do systems defend against that? Salting? 384 00:18:53.160 --> 00:18:56.200 Exactly? Salting is crucial. Before hashing the password, the system 385 00:18:56.200 --> 00:18:58.839 adds a unique random value, the salt, to it, so 386 00:18:58.880 --> 00:19:01.680 even if two users have this password, their salted hashes 387 00:19:01.720 --> 00:19:02.000 will be. 388 00:19:02.000 --> 00:19:05.680 Different, which makes rainbow tables useless completely useless. 389 00:19:05.920 --> 00:19:09.559 Attackers then have to crack each salted hash individually, usually 390 00:19:09.680 --> 00:19:11.920 using brute force methods with tools like John the Ripper, 391 00:19:12.079 --> 00:19:15.759 or for more speed, using graphics cards hashcat. It makes 392 00:19:15.799 --> 00:19:17.240 cracking much much slower. 393 00:19:17.359 --> 00:19:21.960 Okay, another big web attack cross site scripting XSS. What's 394 00:19:22.039 --> 00:19:22.559 that about? 395 00:19:22.880 --> 00:19:27.079 XSS is about injecting malicious JavaScript code into a web 396 00:19:27.079 --> 00:19:29.720 page so that it runs in the victims browser. 397 00:19:29.839 --> 00:19:30.920 How does the script get there? 398 00:19:31.039 --> 00:19:34.359 Two main ways. Stored XSS is where the malicious script 399 00:19:34.440 --> 00:19:37.119 gets saved permanently on the website's server, maybe in a 400 00:19:37.119 --> 00:19:40.400 comment section or a user profile. Anyone who've used that 401 00:19:40.440 --> 00:19:44.319