WEBVTT 1 00:00:00.120 --> 00:00:03.799 Welcome to the deep dive. In a world just overflowing 2 00:00:03.839 --> 00:00:06.960 with information, wouldn't it be incredible to cut through all 3 00:00:07.000 --> 00:00:10.279 that noise and get straight to those you know, aha 4 00:00:10.599 --> 00:00:14.119 moments on topics that really matter. Absolutely, Today we're diving 5 00:00:14.199 --> 00:00:18.399 headfirst into a realm that's both fascinating and frankly critical 6 00:00:18.480 --> 00:00:20.920 for our digital safety. Ethical hacking. 7 00:00:21.079 --> 00:00:25.199 Yeah, it's true. The word hacking often conjures up images 8 00:00:25.199 --> 00:00:28.440 of malicious activity, right, dark rooms, hoodies, right exactly, But 9 00:00:28.519 --> 00:00:33.719 ethical hacking, sometimes called penetration testing, completely flips that perception 10 00:00:33.759 --> 00:00:37.560 on its head. It's really about strategically simulating those very attacks, 11 00:00:37.640 --> 00:00:39.799 but not to cause harm, No, not at all. It's 12 00:00:39.840 --> 00:00:43.880 to proactively uncover vulnerabilities before the real bad actors ever 13 00:00:43.920 --> 00:00:45.920 find them. When you zoom out and look at the 14 00:00:45.920 --> 00:00:50.119 bigger picture. It's an indispensable part of modern cybersecurity exactly. 15 00:00:50.280 --> 00:00:52.640 So this deep dive is custom tailored for you, and 16 00:00:52.679 --> 00:00:55.679 we're drawing from a really insightful source ethical hacking with 17 00:00:55.759 --> 00:00:58.759 Koalie Linux Learn Fast How to Hack Like a Pro 18 00:00:58.920 --> 00:01:00.560 by Hugo Hoffman, good book. 19 00:01:00.679 --> 00:01:00.960 Yeah. 20 00:01:01.039 --> 00:01:05.200 Our mission to basically arm you with the essential concepts, 21 00:01:05.640 --> 00:01:09.719 the UH systematic methodologies and to peek into the powerful 22 00:01:09.760 --> 00:01:11.719 tools ethical hackers. 23 00:01:11.599 --> 00:01:14.640 Use, but always, always with that white hat perspective. 24 00:01:15.159 --> 00:01:17.560 That's the key, and you might be surprised at how 25 00:01:17.599 --> 00:01:20.280 accessible some of these fundamental ideas can be even if 26 00:01:20.319 --> 00:01:23.120 you don't have like a super deep technical background. 27 00:01:23.280 --> 00:01:26.079 Well, that white hat distinction is truly paramount. It's, you know, 28 00:01:26.120 --> 00:01:28.959 the cornerstone of everything we'll talk about. Yeah, the information 29 00:01:29.000 --> 00:01:31.920 we're sharing is strictly for educational purposes. It's designed to 30 00:01:31.920 --> 00:01:36.680 improve security posture, improve understanding. Any actions we describe here 31 00:01:36.719 --> 00:01:41.799 must be undertaken with explicit written authorization and only in 32 00:01:41.879 --> 00:01:45.200 carefully controlled, isolated environments. Think of it like your own 33 00:01:45.239 --> 00:01:46.200 personal home lab. 34 00:01:46.400 --> 00:01:47.519 Cannot stress that enough. 35 00:01:47.680 --> 00:01:51.359 Seriously, we really can't stress enough the severe legal and 36 00:01:51.400 --> 00:01:55.719 ethical implications of unauthorized use of these kinds of powerful techniques. 37 00:01:56.000 --> 00:01:59.480 Okay, So to properly set the stage for understanding ethical hacking, 38 00:02:00.040 --> 00:02:02.200 we kind of need to start with a Linux. If 39 00:02:02.200 --> 00:02:04.879 you're thinking about an IT career, especially in this field. 40 00:02:05.280 --> 00:02:08.719 Why is Linux so foundational? I mean we see it dominating. 41 00:02:08.240 --> 00:02:13.599 Everywhere, right, Oh, absolutely, cloud environments, IoT devices, DevOps, pipelines, 42 00:02:14.000 --> 00:02:16.879 massive enterprise servers, it's everywhere. 43 00:02:16.919 --> 00:02:17.800 So what's the magic. 44 00:02:18.680 --> 00:02:21.560 The real insight I think lies in understanding the core 45 00:02:21.599 --> 00:02:26.400 philosophy behind Linux's open nature. It's just fundamentally different from 46 00:02:26.400 --> 00:02:29.960 proprietary software. So well, we generally talk about three main 47 00:02:30.039 --> 00:02:33.120 licensing models that sort of underpin this freedom. First, you 48 00:02:33.159 --> 00:02:36.759 get the Free Software Foundation, the FSF, the Champion, the 49 00:02:36.800 --> 00:02:40.520 g and U General Public License or GPL. This license 50 00:02:40.560 --> 00:02:44.719 gives users incredible freedom, freedom to use, modify, even redistribute 51 00:02:44.759 --> 00:02:46.879 the software, maybe even sell it as long as the 52 00:02:46.919 --> 00:02:50.599 original conditions like those for the Linux kernel itself aren't changed. 53 00:02:50.639 --> 00:02:53.000 And that's free, as in freedom, not free beer. 54 00:02:53.039 --> 00:02:56.120 Exactly, not necessarily free of charge. Then you have the 55 00:02:56.120 --> 00:02:59.919 Open Source Initiative OSI. They tend to favor more flex 56 00:03:00.280 --> 00:03:04.240 licenses like BSD, MIT Apache. These are often easier for 57 00:03:04.280 --> 00:03:08.479 commercial use because they have fewer complex restrictions. And finally, 58 00:03:08.800 --> 00:03:10.120 there's creative comments. 59 00:03:10.520 --> 00:03:12.240 Ah yeah, I've seen those icons. 60 00:03:12.319 --> 00:03:15.840 Right. Let's creators pick exactly which rights they want to reserve, 61 00:03:15.960 --> 00:03:20.159 like requiring attribution or only allowing non commercial use, or 62 00:03:20.159 --> 00:03:21.520 even making it public domain. 63 00:03:21.719 --> 00:03:25.800 So what does this open philosophy practically mean for you know, 64 00:03:25.960 --> 00:03:28.439 someone wanting to get into ethical hacking. 65 00:03:28.439 --> 00:03:33.240 Well, it translates to incredible flexibility, just massive flexibility. You 66 00:03:33.280 --> 00:03:36.960 can install multiple Linux versions on tons of devices without 67 00:03:36.960 --> 00:03:38.159 commercial limits. 68 00:03:38.000 --> 00:03:40.039 Which makes experimenting super easy. 69 00:03:40.159 --> 00:03:43.319 Totally spin up, test deployments, try things out, bitch them 70 00:03:43.319 --> 00:03:46.120 if they don't work, no big deal. Plus it's remarkably 71 00:03:46.159 --> 00:03:47.039 cost effective, right. 72 00:03:47.080 --> 00:03:49.599 You can run complex stuff on pretty cheap hardware. 73 00:03:49.360 --> 00:03:52.280 Exactly, run complex processes on a you know, sub three 74 00:03:52.319 --> 00:03:55.599 hundred dollars PC, whereas you might need really expensive systems 75 00:03:55.599 --> 00:03:58.719 for Windows or Mac, especially for heavy tasks like say 76 00:03:59.120 --> 00:04:03.080 video editing or complex simulations. Okay, And this inherent flexibility 77 00:04:03.120 --> 00:04:05.919 gives rise to what we call Linux distributions or. 78 00:04:05.840 --> 00:04:08.159 Distros, right, like Obuntu or Mint. 79 00:04:08.639 --> 00:04:11.360 Yeah, those are popular ones. Think of Linux itself as 80 00:04:11.360 --> 00:04:14.560 the engine and chassis of a car. A distro is 81 00:04:14.599 --> 00:04:17.920 like the fully assembled vehicle customized for a specific. 82 00:04:17.480 --> 00:04:19.319 Purpose, like Android for phones. 83 00:04:19.680 --> 00:04:24.360 Perfect example, Android is a Linux distro optimized for mobile, 84 00:04:24.879 --> 00:04:28.319 or scientific Linux for scientific computing, and for what we're 85 00:04:28.360 --> 00:04:32.160 talking about today, network security testing. Kali Linux is a 86 00:04:32.160 --> 00:04:33.279 prime example. 87 00:04:32.959 --> 00:04:34.600 Because it comes with all the tools pre. 88 00:04:34.519 --> 00:04:39.079 Installed, exactly, prepackaged with hundreds of tools, saves you immense 89 00:04:39.120 --> 00:04:41.759 setup time. Let's you focus on the strategy you know not. 90 00:04:41.959 --> 00:04:44.279 Just fiddling with configurations makes sense. 91 00:04:44.399 --> 00:04:46.680 And there are families of these distros, right yeah. 92 00:04:46.680 --> 00:04:49.399 The big ones are Debian, which includes a Buntu Mint 93 00:04:49.439 --> 00:04:52.600 and Collie itself, then red Hat with Sentos and Fedora, 94 00:04:52.800 --> 00:04:55.120 SUS and Arch. Lots of flavors. 95 00:04:55.160 --> 00:04:57.040 So when you install Linux you usually get a choice, 96 00:04:57.079 --> 00:04:58.920 right do you I or command line yep? 97 00:04:59.360 --> 00:05:02.600 Graphically use interface GUI that's the point click most people know, 98 00:05:02.959 --> 00:05:06.439 or the command line interface CLI, which is text based. 99 00:05:06.519 --> 00:05:09.240 And for security, probably best not to live as the 100 00:05:09.319 --> 00:05:10.519 root user all the time. 101 00:05:10.759 --> 00:05:13.720 Oh definitely not for normal operations. Better to harden your 102 00:05:13.720 --> 00:05:17.240 system use standard user accounts. And for storage, there are 103 00:05:17.240 --> 00:05:20.199 cool options like Logical Volume Manager LVM. 104 00:05:20.399 --> 00:05:21.000 What does that do? 105 00:05:21.439 --> 00:05:25.240 It offers really flexible disc manipulation. Imagine you have like 106 00:05:25.680 --> 00:05:28.360 three hard drives. LVM lets you pull them together into 107 00:05:28.360 --> 00:05:30.360 one big dynamic storage. 108 00:05:29.959 --> 00:05:32.199 Space so you can resize things easily. 109 00:05:32.120 --> 00:05:34.959 Exactly, resize virtual discs, create new ones on the fly. 110 00:05:35.920 --> 00:05:39.680 Or Another common setup is combining a fast SSD for 111 00:05:39.759 --> 00:05:43.680 your system files with slower, bigger hard drives for data storage. 112 00:05:44.079 --> 00:05:45.199 LVM can manage that too. 113 00:05:45.399 --> 00:05:48.199 Okay, cool, so we've got the OS down. What about 114 00:05:48.240 --> 00:05:50.920 the specific gear the software. 115 00:05:50.399 --> 00:05:53.360 And hardware right the toolkit. The source mentions a lot 116 00:05:53.360 --> 00:05:57.279 of essential software tools network sniffers and analyzers like tcpdump, 117 00:05:57.519 --> 00:06:03.000 Microsoft netmond Land Detective Channelizer, utter Cap, Network Minor, Fiddler 118 00:06:03.399 --> 00:06:04.240 and the big one. 119 00:06:04.079 --> 00:06:07.560 Wire Shark and Collie Linux itself obviously, plus virtualization stuff 120 00:06:07.560 --> 00:06:09.399 like VMware or virtual box. 121 00:06:09.240 --> 00:06:11.519 Yep for running your labs. But on the hardware side, 122 00:06:11.600 --> 00:06:14.720 one area that's often overlooked but really really important for 123 00:06:14.800 --> 00:06:16.720 pen testing is your wireless adapter. 124 00:06:16.959 --> 00:06:19.959 Why isn't the one in my laptop good enough? 125 00:06:20.040 --> 00:06:23.319 Probably not? Actually, most built in Wi Fi cards just 126 00:06:23.360 --> 00:06:25.720 aren't up to the task for serious pen testing. 127 00:06:25.800 --> 00:06:26.399 Okay. Why not? 128 00:06:26.639 --> 00:06:30.920 Well, mainly because they typically lack two key capabilities, monitor 129 00:06:30.959 --> 00:06:32.480 mode and packet injection. 130 00:06:32.680 --> 00:06:35.399 Right. Monitor mode lets you listen to everything, not just 131 00:06:35.439 --> 00:06:36.879 stuff addressed to you. 132 00:06:36.639 --> 00:06:39.800 Exactly passively listen to all the traffic flying around. And 133 00:06:39.959 --> 00:06:43.839 packet injection lets you actually craft and send specific packets 134 00:06:43.920 --> 00:06:45.240 onto the network. 135 00:06:45.120 --> 00:06:47.480 Which you need for a lot of Wi Fi attacks. 136 00:06:47.480 --> 00:06:50.959 Absolutely essential. Plus, virtual machines often have trouble accessing those 137 00:06:50.959 --> 00:06:53.399 built in cards directly anyway, so it's less. 138 00:06:53.240 --> 00:06:55.199 About the brand name on the adapter and more about 139 00:06:55.199 --> 00:06:58.120 what's inside the chip set precisely. 140 00:06:58.319 --> 00:07:00.639 It's all about the chipset. For instance, it's the atheros 141 00:07:00.839 --> 00:07:02.439 AR nine two to seven to one chipset is a 142 00:07:02.519 --> 00:07:03.240 huge favorite. 143 00:07:03.240 --> 00:07:03.800 Why that one? 144 00:07:03.839 --> 00:07:07.519 It fully supports monitor mode, packet injection, even creating fake 145 00:07:07.600 --> 00:07:11.439 access points. Super versatile for tons of calie Linux attacks. 146 00:07:11.480 --> 00:07:13.639 But only two point four geta Hurts Right, that's the catch. 147 00:07:13.720 --> 00:07:16.360 Yeah, if your target network is only on five gigahertz, 148 00:07:16.399 --> 00:07:19.079 you won't even see it. Then there's the real Tech 149 00:07:19.199 --> 00:07:22.000 RTL eight eight one two AU chipset. 150 00:07:22.160 --> 00:07:23.319 What's the deal with that one? 151 00:07:23.480 --> 00:07:25.720 Well, the big advantage is it supports both two point 152 00:07:25.759 --> 00:07:28.519 four geta Hurts and five geta HURTZ. Sure, plus monitor 153 00:07:28.560 --> 00:07:32.720 mode and packet injection. Sounds perfect almost. The book does 154 00:07:32.800 --> 00:07:35.879 note it can sometimes be a bit less reliable for 155 00:07:35.920 --> 00:07:38.959 certain attacks, might occasionally need you to like replug the 156 00:07:39.000 --> 00:07:40.800 card or just retry the attack. 157 00:07:41.000 --> 00:07:41.920 So there's a trade off. 158 00:07:42.079 --> 00:07:46.800 Definitely. You can find really cheap unbranded adapters with these chipsets. 159 00:07:46.839 --> 00:07:48.959 They're small, discrete, which can be. 160 00:07:48.920 --> 00:07:51.079 Handy, or you go for the bigger guns, right. 161 00:07:50.920 --> 00:07:53.680 You can opt for the more robust all for brand adapters. 162 00:07:53.680 --> 00:07:57.279 They're usually larger, maybe less subtle, but they tend to 163 00:07:57.279 --> 00:08:01.160 offer better build quality, better range, and just overall reliability. 164 00:08:01.240 --> 00:08:03.480 So the takeaway is check the chip set. 165 00:08:03.639 --> 00:08:07.920 Absolutely. Compatibility for serious pen testing almost entirely boils down 166 00:08:07.920 --> 00:08:10.120 to getting an adapter with the right chipset inside it, 167 00:08:10.199 --> 00:08:12.480 not just a popular brand, got it? 168 00:08:13.160 --> 00:08:16.839 So hardware sorted, Let's get this ethical hacking lab actually 169 00:08:16.920 --> 00:08:18.560 up and running. You mentioned virtual Box. 170 00:08:18.720 --> 00:08:21.680 Yeah, virtual Box is fantastic for this. It's free, works 171 00:08:21.680 --> 00:08:25.120 on Windows, Mac, Linux, cross platform, lets you run multiple 172 00:08:25.199 --> 00:08:28.000 virtual machines on your computer. Highly recommended for setting up 173 00:08:28.000 --> 00:08:28.519 Collie and. 174 00:08:28.519 --> 00:08:31.800 Collie Linux itself is like the Swiss Army Knife exactly. 175 00:08:31.839 --> 00:08:35.600 It's a really user friendly distribution, but it's specifically built 176 00:08:35.639 --> 00:08:38.960 for pen testing, packed with hundreds of built in tools 177 00:08:38.960 --> 00:08:39.840 for everything you can. 178 00:08:39.759 --> 00:08:43.639 Imagine, like information gathering, forensics. 179 00:08:43.039 --> 00:08:48.320 Reverse engineering, stress testing, vulnerability assessment, you name it. It's 180 00:08:48.360 --> 00:08:52.279 designed to be a comprehensive toolkit for finding weaknesses and 181 00:08:52.480 --> 00:08:54.480 ultimately helping improve security. 182 00:08:54.639 --> 00:08:57.440 So setting it up in virtual Box, what are the 183 00:08:57.519 --> 00:08:58.120 key steps? 184 00:08:58.440 --> 00:09:01.120 The source recommends giving it at least four gigs a RAM, 185 00:09:01.240 --> 00:09:04.200 maybe twenty gigs for the virtual hard drive, enough space 186 00:09:04.279 --> 00:09:07.679 to work and networking. Crucial step bridge the VM to 187 00:09:07.720 --> 00:09:10.559 your router. That makes it act like any other device 188 00:09:10.600 --> 00:09:12.279 on your home network. Gets it online. 189 00:09:12.320 --> 00:09:13.919 Okay, Then you boot it up yep. 190 00:09:14.000 --> 00:09:16.000 After the initial boot, if you're at the command line, 191 00:09:16.039 --> 00:09:19.120 just type start EGGX to get the graphical interface. 192 00:09:18.720 --> 00:09:20.000 And the default login. 193 00:09:19.919 --> 00:09:22.879 For the command line. It's usually a username, route password 194 00:09:22.960 --> 00:09:25.279 tour but you'll want to change that. 195 00:09:25.320 --> 00:09:28.639 Good point and network canfig static IP? 196 00:09:29.159 --> 00:09:31.279 Yeah, assign it a static IP address, like giving it 197 00:09:31.279 --> 00:09:34.159 a permanent address on your network. Then set the default 198 00:09:34.159 --> 00:09:36.000 gateway so it knows how to reach the internet. 199 00:09:36.080 --> 00:09:38.799 Then test it ping the router, ping Google. 200 00:09:38.559 --> 00:09:41.919 Exactly, ping ten dot ten, dot Deal dot one or 201 00:09:41.919 --> 00:09:46.039 whatever your router is than ping www dot Google dot com. 202 00:09:46.080 --> 00:09:47.080 Just make sure it's all work. 203 00:09:47.480 --> 00:09:50.519 Okay, Collie is installed. What's the absolute first thing you 204 00:09:50.519 --> 00:09:50.919 should do? 205 00:09:51.200 --> 00:09:54.480 Update it? This is the single most critical task after 206 00:09:54.519 --> 00:09:58.320 a clean install. Seriously, think of it like tuning up 207 00:09:58.320 --> 00:09:59.720 a race card before you hit the track. 208 00:10:00.039 --> 00:10:01.879 Right, get all the latest patches and tool. 209 00:10:01.720 --> 00:10:06.120 Version Precisely, Collie uses advanced packaging tools APT to manage 210 00:10:06.159 --> 00:10:08.360 it software. You'll run a sequence of commands. 211 00:10:08.399 --> 00:10:09.200 Okay, what are they? 212 00:10:09.559 --> 00:10:12.879 First? App get update. That's like refreshing your app store catalog, 213 00:10:12.919 --> 00:10:15.799 so Collie knows about all the newest software and security patches. 214 00:10:15.879 --> 00:10:16.440 Makes sense. 215 00:10:16.559 --> 00:10:20.399 Then app Get Upgrade I the why just answers yes automatically. 216 00:10:20.480 --> 00:10:22.440 It actually installs the newest versions of the stuff you 217 00:10:22.480 --> 00:10:25.879 already have got it and finally app to get disted upgrade. 218 00:10:26.279 --> 00:10:29.240 This one handles more complex upgrades, make sure all the 219 00:10:29.240 --> 00:10:33.519 dependencies work together, and removes any old obsolete. 220 00:10:32.879 --> 00:10:34.679 Packages and reboot after all that. 221 00:10:34.919 --> 00:10:38.440 Always best practice. Reboot after that sequence to make sure 222 00:10:38.480 --> 00:10:41.000 everything is fresh and clean and running correctly. 223 00:10:41.120 --> 00:10:45.200 And for just managing packages day to day, listing removing Yeah. 224 00:10:45.039 --> 00:10:47.960 Basic commands let you list installed packages, maybe filter With 225 00:10:48.000 --> 00:10:51.679 GP you can show a package's description and dependencies, or 226 00:10:51.679 --> 00:10:54.519 remove something you don't need anymore with Pseudo app Get Removed. 227 00:10:54.559 --> 00:10:57.600 The book also mentions some useful extras to install. 228 00:10:57.759 --> 00:11:01.480 It does things like preload for potentially faster app access, 229 00:11:01.720 --> 00:11:04.360 bleach bit to free up disk base and help with privacy, 230 00:11:04.679 --> 00:11:07.440 boot up manager to disabled services you don't need running. 231 00:11:07.480 --> 00:11:10.000 Also Nome do for keyboard launching, Yeah. 232 00:11:09.799 --> 00:11:12.919 App file to search inside packages, scrub for more secure 233 00:11:12.960 --> 00:11:16.399 file deletion, Shutter for taking screenshots, and figle it for 234 00:11:16.480 --> 00:11:20.039 fun custom console messages. Little quality of life improvements. 235 00:11:20.080 --> 00:11:22.360 What about SSH secure shell? 236 00:11:22.639 --> 00:11:25.840 Ah, good point. A smart step is to harden your 237 00:11:25.879 --> 00:11:30.159 SSH setup. Collie comes with default SSH keys, right well, 238 00:11:30.440 --> 00:11:34.360 fundamental security practice is disable those and generate unique ones 239 00:11:34.480 --> 00:11:39.039 just for your machine. Use DPKG, reconfigure open server so. 240 00:11:39.080 --> 00:11:41.240 Your lab isn't using predictable keys. 241 00:11:41.159 --> 00:11:44.600 Exactly verify the new key hashes, then start the SSH 242 00:11:44.679 --> 00:11:47.960 service that lets you securely connect to your COLLIVM from 243 00:11:47.960 --> 00:11:51.200 another computer, which is often really convenient. It's a small 244 00:11:51.240 --> 00:11:55.080 step but significantly improves your security posture right off the bat. 245 00:11:55.200 --> 00:12:00.559 Okay, foundations laid Linux, Collie, basic Setuple's get into the 246 00:12:00.559 --> 00:12:04.559 actual process, the penetration testing life cycle. Why even do 247 00:12:04.600 --> 00:12:05.240 a pen test? 248 00:12:05.519 --> 00:12:08.600 Yeah? The fundamental question right beyond just finding bugs, it's 249 00:12:08.600 --> 00:12:13.600 about evaluating an organization's actual security posture by actively simulating 250 00:12:13.600 --> 00:12:14.840 real world attacks, so. 251 00:12:14.759 --> 00:12:17.120 You find the specific holes a hacker could use. 252 00:12:17.320 --> 00:12:21.080 Exactly find those specific vulnerabilities, and then crucially use those 253 00:12:21.120 --> 00:12:24.519 findings to help create and redesign more robust security measures. 254 00:12:24.639 --> 00:12:27.320 And the reports are key to Absolutely. 255 00:12:26.919 --> 00:12:30.879 A good pen test delivers comprehensive reports detailing everything found. 256 00:12:31.279 --> 00:12:34.919 Plus it really aids in disaster recovery and business continuity 257 00:12:34.960 --> 00:12:38.480 planning because you're anticipating how at tax might actually happen. 258 00:12:38.720 --> 00:12:41.440 What makes a PEN test actually successful, though. 259 00:12:41.600 --> 00:12:45.279 Well, several critical factors. You absolutely need to follow a 260 00:12:45.320 --> 00:12:49.679 well defined methodology, Meticulous documentation is non. 261 00:12:49.440 --> 00:12:51.519 Negotiable, and the right tools. 262 00:12:51.279 --> 00:12:54.840 Yep, using the right mix of proprietary and open source tools. 263 00:12:55.399 --> 00:13:00.639 Also ensuring legitimate ethical individuals conduct the tests, and maybe most. 264 00:13:00.519 --> 00:13:02.679 Importantly, giving actionable recommendation. 265 00:13:02.840 --> 00:13:06.720 Precisely providing actionable recommendations for fixing the issues. It's not 266 00:13:06.799 --> 00:13:10.360 just about finding flaws, it's about offering clear paths to 267 00:13:10.440 --> 00:13:11.440 stronger defenses. 268 00:13:11.519 --> 00:13:13.600 And the benefits go beyond just fixing holes. 269 00:13:13.679 --> 00:13:17.440 Oh yeah, much broader. It helps identify needed infrastructure changes, 270 00:13:17.639 --> 00:13:20.759 prepares the org to prevent future exploits, evaluates how well 271 00:13:20.840 --> 00:13:23.159 security devices like firewalls are actually. 272 00:13:22.840 --> 00:13:25.679 Working, confirms defenses, maybe trains the security team. 273 00:13:25.960 --> 00:13:29.200 Definitely trains the team by exposing them to realistic scenarios. 274 00:13:29.799 --> 00:13:33.720 It helps identify specific threats relevant to that organization or industry, 275 00:13:34.159 --> 00:13:38.720 optimizes security spending for better ROI, helps create solid policies 276 00:13:39.120 --> 00:13:43.039 and ensures compliance with regulations to avoid breaches and lawsuits. 277 00:13:43.519 --> 00:13:44.320 Lots of benefits. 278 00:13:44.559 --> 00:13:48.519 How does a PEN test differ from say, a security audit. 279 00:13:48.799 --> 00:13:52.240 Good question, think of a security audit more like a checklist. 280 00:13:52.639 --> 00:13:55.320 Does the company follow its own policies and procedures? Yes 281 00:13:55.440 --> 00:13:56.159 or no? Okay? 282 00:13:56.399 --> 00:13:58.799 And a vulnerability assessment that goes a step further. 283 00:13:58.879 --> 00:14:02.879 It discovers vulnerability, finds potential weaknesses, but it doesn't necessarily 284 00:14:02.879 --> 00:14:05.759 confirm if they're actually exploitable or what the real damage 285 00:14:05.799 --> 00:14:06.120 could be. 286 00:14:06.279 --> 00:14:08.240 So the pen test is the one that actually tries 287 00:14:08.279 --> 00:14:09.480 to break in exactly. 288 00:14:09.679 --> 00:14:12.480 A penetration test is a systematic assessment that includes an 289 00:14:12.519 --> 00:14:17.039 audit component, but also demonstrates successful exploitation of weaknesses. It 290 00:14:17.080 --> 00:14:20.600 gives a much clearer, more impactful picture of the actual 291 00:14:20.679 --> 00:14:21.600 real world risk. 292 00:14:21.759 --> 00:14:25.799 Gotcha. The book also talks about teams Red Team, Blue Team. 293 00:14:25.960 --> 00:14:28.840 Right, it's a helpful analogy. The Red team acts as 294 00:14:28.840 --> 00:14:33.240 the aggressor the ethical hackers. They often have limited internal access, 295 00:14:33.320 --> 00:14:36.879 maybe attack with or without warning. Sometimes it even includes 296 00:14:37.080 --> 00:14:40.399 sissemins from other departments to simulate insider. 297 00:14:40.039 --> 00:14:42.879 Threats, and the Blue team is defense yep. 298 00:14:43.279 --> 00:14:45.679 The Blue Team is the defensive force. They have full 299 00:14:45.720 --> 00:14:48.759 access to resources and their main job is to detect 300 00:14:48.799 --> 00:14:52.240 and mitigate the Red team's activities. Basically anticipating how a 301 00:14:52.279 --> 00:14:55.919 real attack might unfold. Usually includes the company's IT staff, 302 00:14:56.240 --> 00:14:59.000 often involved in the less expensive, more frequent assessments. 303 00:14:59.120 --> 00:15:01.440 Okay, and the type of tests depends on how much 304 00:15:01.480 --> 00:15:05.360 info the tester gets upfront. White box black box exactly. 305 00:15:05.639 --> 00:15:08.759 A white box test means the tester gets complete knowledge 306 00:15:08.759 --> 00:15:13.080 network maps, asset lists, diagrams ideal for a really thorough 307 00:15:13.080 --> 00:15:13.799 security audit. 308 00:15:13.840 --> 00:15:14.960 Black box is the opposite. 309 00:15:15.000 --> 00:15:19.159 Tester knows nothing pretty much simulates a real external attacker. 310 00:15:19.480 --> 00:15:21.960 In a blind test version, the tester knows nothing, but 311 00:15:22.000 --> 00:15:23.960 the target company is told about the test. 312 00:15:23.720 --> 00:15:24.799 Scope and double blind. 313 00:15:24.960 --> 00:15:27.799 That's where neither the tester nor the target company knows 314 00:15:27.799 --> 00:15:32.679 the scope beforehand. Really tests everyone's alertness. Very popular approach. 315 00:15:32.759 --> 00:15:33.759 What about gray box? 316 00:15:34.120 --> 00:15:37.240 Green box is somewhere in the middle, partial knowledge maybe 317 00:15:37.279 --> 00:15:39.960 just a domain name. Saves time compared to black box, 318 00:15:40.120 --> 00:15:43.720 but still offers perspectives from both a developer and an attacker, and. 319 00:15:43.679 --> 00:15:46.279 The overall strategy can be announced or unannounced. 320 00:15:46.440 --> 00:15:50.840 Right announced strategy, tester gets the full tour physical access, 321 00:15:51.519 --> 00:15:55.039 less network impact usually since the company is ready unannounced. 322 00:15:55.120 --> 00:15:56.480 Is style mode. 323 00:15:56.200 --> 00:16:00.519 Pretty much only top management knows. Really tests security personnel 324 00:16:00.519 --> 00:16:03.320 alertness social engineering defenses, but it tends to have a 325 00:16:03.360 --> 00:16:06.480 higher potential impact and needs a super strict process. 326 00:16:06.720 --> 00:16:11.120 Okay, let's dive into the first stage, pre engagement information gathering. 327 00:16:11.279 --> 00:16:13.960 This is foundational. The whole focus here is gathering as 328 00:16:14.000 --> 00:16:17.080 much information as possible about the target, often through scanning 329 00:16:17.120 --> 00:16:20.279 or footprinting techniques. It sets the stage for everything else, 330 00:16:20.600 --> 00:16:22.159 like a detective building their case. 331 00:16:22.320 --> 00:16:25.639 And this is where the rules of engagement or ROE 332 00:16:25.639 --> 00:16:27.759 come in. The permission slip. 333 00:16:27.759 --> 00:16:31.320 Exactly, it's the formal permission document. Yeah. It spells out everything, 334 00:16:31.679 --> 00:16:35.000 what activities are allowed, the specific IP ranges you can test, 335 00:16:35.320 --> 00:16:37.360 and critically what's off limits. 336 00:16:37.519 --> 00:16:41.279 Testing times too, business hours versus after hours. 337 00:16:41.080 --> 00:16:46.440 Yep, acceptable methods is social engineering? Okay, Denial of service 338 00:16:47.440 --> 00:16:51.919 specific tools like n MAP, aggressive scans, the duration of 339 00:16:51.960 --> 00:16:53.240 the test which can be months. 340 00:16:53.440 --> 00:16:56.080 Sometimes emergency contact is crucial too, I. 341 00:16:55.960 --> 00:16:59.320 Bet absolutely vital. And measures to prevent calling the cops 342 00:16:59.320 --> 00:17:00.720 because of a fall alarm. 343 00:17:00.480 --> 00:17:02.919 From the test, ah, yeah, that would be awkward. 344 00:17:03.000 --> 00:17:05.799 A critical insight here, stressed in the source is how 345 00:17:05.839 --> 00:17:09.759 you handle the information you gather. Best practice use laptops 346 00:17:09.759 --> 00:17:12.359 provided by the client for the test and reporting. 347 00:17:12.000 --> 00:17:13.799 Then return them immediately after. 348 00:17:13.839 --> 00:17:16.839 Exactly prevents any accusations of the test holding on to 349 00:17:16.920 --> 00:17:20.519 sensitive data vital for data security. The book even suggests 350 00:17:20.519 --> 00:17:23.319 pulling the hard drives for secure storage later since tech 351 00:17:23.359 --> 00:17:24.160 gets old fast. 352 00:17:24.279 --> 00:17:28.680 So this pre engagement involves checklists too, defining what gets tested. 353 00:17:28.559 --> 00:17:36.720 Meticulous checklists, reviewing what the customer actually needs tested servers, workstations, routers, firewalls, databases, apps, 354 00:17:36.960 --> 00:17:42.640 physical security, loip, mobile devices, even printers and cameras, sometimes. 355 00:17:42.279 --> 00:17:45.480 Mapping the Internet presence, what's visible from outside. 356 00:17:45.079 --> 00:17:49.400 YEP, identifying oz's on the network, assessing wireless analog systems, 357 00:17:49.440 --> 00:17:54.680 mobile worker devices, scrutinizing web apps, front facing sites, redirects, 358 00:17:54.960 --> 00:17:58.599 even checking ad networks as potential malware vectors. 359 00:17:58.720 --> 00:18:00.920 And defining the scope clearly. 360 00:18:00.680 --> 00:18:04.559 Absolutely key. What are the deliverables? What reports? Defining data, 361 00:18:04.759 --> 00:18:08.880 verifying functionality, outlining the technical structure with flow diagrams. It 362 00:18:08.960 --> 00:18:10.519 ensures everyone's on the same page. 363 00:18:10.599 --> 00:18:13.880 What if things change during the test, client updates. 364 00:18:13.440 --> 00:18:16.880 Something that's a great point The source highlights client changes, 365 00:18:16.880 --> 00:18:20.440 business processes. Tech apps can definitely impact the test. It's 366 00:18:20.480 --> 00:18:22.519 crucial to the's a review to the engagement lead. 367 00:18:22.400 --> 00:18:24.960 Before they happen, so the testers know what they're dealing with, 368 00:18:25.160 --> 00:18:27.000 what specific areas should they focus on? 369 00:18:27.279 --> 00:18:31.759 The advice is broad system software security, network security, especially 370 00:18:31.799 --> 00:18:35.799 default canfigs, client side apps, and the whole client to 371 00:18:35.880 --> 00:18:40.119 server and server side communication chain. Aim for comprehensive coverage. 372 00:18:40.160 --> 00:18:43.480 This also includes social engineering if it's in scope. 373 00:18:43.319 --> 00:18:47.920 Right, gathering passwords or project details through human interaction, documenting 374 00:18:48.000 --> 00:18:52.400 existing security measures, checking secure document destruction like literally checking 375 00:18:52.400 --> 00:18:53.799 the trash sometimes wow. 376 00:18:53.559 --> 00:18:56.240 Assessing application comms, physical security. 377 00:18:55.839 --> 00:18:57.640 All of it. Can you intercept comms? Can you get 378 00:18:57.680 --> 00:19:00.200 into the building? Test honeypots? 379 00:19:00.200 --> 00:19:04.160 Thorough and contracts are obviously huge here NDAs. 380 00:19:04.559 --> 00:19:08.319 Non disclosure agreements are standard clear terms on fees, schedules, 381 00:19:08.559 --> 00:19:13.200 sensitive information documents covering assets, confidentiality contracts for trade secrets, 382 00:19:13.359 --> 00:19:17.079 customer lata and critically and indemnification. 383 00:19:16.400 --> 00:19:19.640 Claus to protect the tester legally exactly. 384 00:19:19.240 --> 00:19:22.079 Protects the pen tester from legal or financial liabilities if 385 00:19:22.079 --> 00:19:25.960 something goes wrong despite following the rowe and the reporting 386 00:19:26.000 --> 00:19:29.480 section needs to clearly outline the methodology and promise constructive, 387 00:19:29.519 --> 00:19:30.480 actionable reporting. 388 00:19:30.720 --> 00:19:34.680 So summing up stage one. It's time consuming, but essential 389 00:19:34.720 --> 00:19:38.720 for setting expectations and protecting everyone. Methods range from passive 390 00:19:38.720 --> 00:19:41.720 Google searching to active surveillance. 391 00:19:41.319 --> 00:19:46.359 Right passive recon aggressive active surveillance, web profiling to map 392 00:19:46.359 --> 00:19:49.839 out sites. It takes time because it lays the groundwork 393 00:19:49.920 --> 00:19:51.480 for a safe and effective test. 394 00:19:51.599 --> 00:19:56.160 Okay, Stage one done. Now Stage two the attack stage. 395 00:19:56.440 --> 00:19:59.359 This is where the ethical hacker actively tries to compromise 396 00:19:59.440 --> 00:20:03.680 the target using all that intel gathered before the critical insight. 397 00:20:04.279 --> 00:20:05.920 An attacker only needs one. 398 00:20:05.759 --> 00:20:08.160 Way in, while the company has to defend everything. 399 00:20:08.279 --> 00:20:09.960 Exactly a tough position to be in. 400 00:20:10.119 --> 00:20:13.519 So what are the steps here? Perimeter penetration, testing. 401 00:20:13.200 --> 00:20:17.799