WEBVTT 1 00:00:00.080 --> 00:00:03.680 Hey, there looks like we're diving deep into pen testing 2 00:00:03.720 --> 00:00:06.240 this time, especially for Windows and Linux. 3 00:00:06.400 --> 00:00:08.439 Yeah, some fascinating stuff here, it really is. 4 00:00:08.480 --> 00:00:12.439 We've got sources on everything, open source intelligence, shell coding, 5 00:00:12.960 --> 00:00:17.559 the works. Think of this deep dive ash like a 6 00:00:17.640 --> 00:00:20.000 crash course in hacker thinking, so. 7 00:00:19.960 --> 00:00:21.679 You can build up some serious defenses. 8 00:00:21.719 --> 00:00:22.320 Exactly. 9 00:00:22.519 --> 00:00:25.359 What I find fascinating is how much this stuff shows 10 00:00:25.440 --> 00:00:29.800 us about, you know, flaws that are just baked into operating. 11 00:00:29.359 --> 00:00:31.559 Systems like they were designed with blind spots. 12 00:00:31.679 --> 00:00:34.280 Yeah, and ethical hackers they're basically pointing those out. 13 00:00:34.200 --> 00:00:35.240 Before the bad guys do. 14 00:00:35.640 --> 00:00:36.159 Exactly. 15 00:00:36.240 --> 00:00:39.520 Okay, let's unpack this first up, this whole world of 16 00:00:39.679 --> 00:00:43.960 open source intelligence os ocent. Right, It's crazy how much 17 00:00:44.000 --> 00:00:45.159 information is just out there. 18 00:00:45.280 --> 00:00:47.679 It's not just out there, it's often shockingly easy to 19 00:00:47.679 --> 00:00:47.960 get to. 20 00:00:48.200 --> 00:00:49.719 Like what kind of stuff are we talking? 21 00:00:49.840 --> 00:00:54.200 Well, some of the sources mentioned cases where like employee passports, 22 00:00:54.359 --> 00:00:57.880 no way thanks returns. Yeah, seriously, just sitting in poorly 23 00:00:57.920 --> 00:00:59.479 secured directories online. 24 00:00:59.520 --> 00:01:02.320 So it's not even about being some master hacker. It's 25 00:01:02.439 --> 00:01:03.759 just knowing where to look. 26 00:01:04.079 --> 00:01:06.200 That's a big part of it. Yeah, and then there 27 00:01:06.200 --> 00:01:10.000 are tools like showdand they can find these vulnerable systems. 28 00:01:09.879 --> 00:01:13.920 We were talking like power plants, traffic control, that kind 29 00:01:13.920 --> 00:01:14.680 of all of that. 30 00:01:14.840 --> 00:01:17.359 Yeah, the kind of stuff that could cause real chaos 31 00:01:17.359 --> 00:01:18.760 if it fell into the wrong hands. 32 00:01:19.159 --> 00:01:21.200 So showed in. It's like a search engine, but for 33 00:01:21.359 --> 00:01:23.079 like vulnerable systems. 34 00:01:23.920 --> 00:01:26.400 Kind of think of it as like a hacker's Google. 35 00:01:26.879 --> 00:01:27.760 Okay, I get you. 36 00:01:27.959 --> 00:01:30.840 It finds Internet connected devices and shows you their weaknesses. 37 00:01:31.000 --> 00:01:31.439 Wow. 38 00:01:31.719 --> 00:01:34.760 And then there's Google dorking, which is, you know, using 39 00:01:34.840 --> 00:01:37.239 specific search queries to find hidden information. 40 00:01:37.480 --> 00:01:39.959 So if I wanted to see how much of IY 41 00:01:40.040 --> 00:01:42.680 info is out there, could I use that on myself? 42 00:01:42.760 --> 00:01:45.560 Well? Absolutely, really, you could use showdan to search for 43 00:01:45.599 --> 00:01:47.359 your own IP address, see what pops up. 44 00:01:47.640 --> 00:01:50.799 Might be surprised, take a digital background check on yourself exactly. 45 00:01:50.840 --> 00:01:53.400 You never know what skeletons are hiding in your online closet. 46 00:01:53.719 --> 00:01:57.680 Speaking of skeletons, these sources also talk about going beyond 47 00:01:57.719 --> 00:02:00.159 the firewall. What does that even mean? 48 00:02:00.680 --> 00:02:04.359 So traditional firewalls they're great at controlling traffic, right, but 49 00:02:04.439 --> 00:02:08.439 they assume the attackers outside trying to get in. Makes sense, Well, 50 00:02:08.439 --> 00:02:09.800 what if they're already inside? 51 00:02:10.120 --> 00:02:11.159 Ooh, sneaky. 52 00:02:11.280 --> 00:02:14.520 These sources describe scenarios where attackers set of their own. 53 00:02:14.479 --> 00:02:17.639 Entry points, like what sneaking in a laptop or something. 54 00:02:17.759 --> 00:02:20.479 Well, they talk about things like setting up a malicious 55 00:02:20.479 --> 00:02:23.400 IP phone A phone, Yeah, that acts as a rogue 56 00:02:23.439 --> 00:02:24.080 access point. 57 00:02:24.159 --> 00:02:27.199 So it's like smuggling in a weapon, but disguised as 58 00:02:27.240 --> 00:02:28.080 something harmless. 59 00:02:28.120 --> 00:02:30.159 You got it. And once they're in, they can use 60 00:02:30.199 --> 00:02:32.840 stuff like ARP poisoning to get sensitive. 61 00:02:32.560 --> 00:02:36.360 Data even on a switch network. Even then, remind me 62 00:02:36.400 --> 00:02:39.080 how AIRP poisoning works again, I always mix that one up. 63 00:02:39.560 --> 00:02:42.319 It exploits how devices find each other on a network. 64 00:02:42.919 --> 00:02:45.680 Think of it like changing the address on a letter. 65 00:02:45.639 --> 00:02:47.599 So it goes to the wrong place exactly. 66 00:02:48.159 --> 00:02:51.639 An attacker can poison the ARP cash and trick devices 67 00:02:51.680 --> 00:02:54.159 into sending their traffic to the attacker's. 68 00:02:53.719 --> 00:02:55.599 Machine instead of where it's supposed to go. 69 00:02:55.719 --> 00:02:59.400 Yep. So even with good network security, if they have 70 00:02:59.439 --> 00:03:02.919 physical apps access, it's game over pretty much. It's a 71 00:03:02.960 --> 00:03:05.919 reminder that security isn't just about the tech. It's physical 72 00:03:05.960 --> 00:03:09.000 security too, and user awareness. I bet, oh absolutely, that's 73 00:03:09.000 --> 00:03:10.120 why training is so important. 74 00:03:10.199 --> 00:03:12.759 Yes, so you're saying, even with fire walls and all 75 00:03:12.840 --> 00:03:16.759 that fancy stuff, the weakest link is often a careless. 76 00:03:16.360 --> 00:03:20.000 Employee or a poorly secured office. Yeah, and that brings 77 00:03:20.080 --> 00:03:25.159 us to something that's been plaguing computer systems forever, passwords. 78 00:03:25.240 --> 00:03:28.199 You'd think in twenty twenty four we'd have that figured. 79 00:03:27.879 --> 00:03:30.080 Out, but the sources paint a different picture. 80 00:03:30.159 --> 00:03:32.919 What are we still doing wrong? Everyone knows to use 81 00:03:32.960 --> 00:03:35.639 upper case, levercase, numbers, symbols. 82 00:03:35.159 --> 00:03:38.680 All that, right, It's not just about complexity, it's understanding 83 00:03:38.719 --> 00:03:42.840 how attackers actually target passwords. Okay, interesting, they mentioned this 84 00:03:42.879 --> 00:03:47.039 thing called LM hash vulnerabilities. Uh oh, which is a 85 00:03:47.120 --> 00:03:48.719 legacy issue that still pops up. 86 00:03:48.800 --> 00:03:50.759 Okay, back up for a sec. What even is an 87 00:03:50.879 --> 00:03:53.520 LM hash? Why is that still a problem in twenty 88 00:03:53.520 --> 00:03:54.039 twenty four? 89 00:03:54.199 --> 00:03:57.759 So LM hashes it's an old way Windows US to 90 00:03:57.800 --> 00:03:58.560 store passwords. 91 00:03:58.680 --> 00:03:59.360 How old? 92 00:03:59.360 --> 00:04:01.879 Old enough? That a super weak and easy to crack? Like, 93 00:04:01.960 --> 00:04:04.680 how easy even with today's hardware it takes seconds? 94 00:04:04.800 --> 00:04:05.520 You're kidding? 95 00:04:05.800 --> 00:04:10.360 Nope, And here's the kicker. Some systems still use them. 96 00:04:10.120 --> 00:04:12.840 For like backwards compatibility exactly. So, even if you have 97 00:04:12.919 --> 00:04:15.240 a strong password, if it's stored as an LM hash, 98 00:04:15.319 --> 00:04:17.079 it's basically useless pretty much. 99 00:04:17.120 --> 00:04:19.680 Yeah, it's like leaving your front door wide open. Hikes, 100 00:04:20.000 --> 00:04:23.839 and then there's network sniffing techniques, things like smb relay attacks. 101 00:04:23.920 --> 00:04:25.480 Okay, now you're just using jargon. 102 00:04:25.639 --> 00:04:29.319 Uh huh. Sorry. Basically, it's exploiting how Windows shares files 103 00:04:29.319 --> 00:04:31.279 and resolves names on the network. 104 00:04:30.879 --> 00:04:33.959 So tricking systems into giving up sensitive info. 105 00:04:34.279 --> 00:04:38.240 Yep. And once an attacker has those passwords, they use 106 00:04:38.279 --> 00:04:41.240 tools like John the Ripper and hashcat to crack them. 107 00:04:41.600 --> 00:04:43.759 We talk in like brute force attacks. 108 00:04:43.959 --> 00:04:46.759 That's one way. Yeah, they can turn through millions of 109 00:04:46.759 --> 00:04:47.759 passwords per second. 110 00:04:47.839 --> 00:04:51.600 So even with good password policies, attackers have ways around them. 111 00:04:51.920 --> 00:04:55.000 That's why the sources emphasize multi factor authentication. 112 00:04:55.199 --> 00:04:57.519 That extra layer of security. 113 00:04:56.959 --> 00:04:59.839 Exactly makes it way harder for attackers even if they 114 00:04:59.879 --> 00:05:01.199 have your password. 115 00:05:00.879 --> 00:05:04.040 Like having a dead bolt and d a regular law exactly. 116 00:05:04.160 --> 00:05:07.000 And of course security awareness training is huge so people. 117 00:05:06.839 --> 00:05:08.680 Don't fall for phishing scams and all that. 118 00:05:08.920 --> 00:05:12.560 Exactly. It's not just tea about technology, it's about creating 119 00:05:12.639 --> 00:05:13.759 a culture of security. 120 00:05:13.879 --> 00:05:18.120 Okay, so we've got open source intel bypassing firewalls and 121 00:05:18.240 --> 00:05:21.120 weak passwords. What else is in the hacker playbook? 122 00:05:21.319 --> 00:05:24.079 Well this might surprise you, but attackers rely a lot 123 00:05:24.199 --> 00:05:28.560 on tools built right into Windows willie like what PowerShell. 124 00:05:29.279 --> 00:05:31.319 The sources describe it as a double edged sword. 125 00:05:31.759 --> 00:05:35.319 PowerShell isn't that just for system admins? What makes it 126 00:05:35.360 --> 00:05:36.040 so dangerous? 127 00:05:36.120 --> 00:05:40.480 That's incredibly powerful and versatile. It can automate tasks, manage systems, 128 00:05:40.519 --> 00:05:43.040 all that right, But attackers have figured out how to 129 00:05:43.160 --> 00:05:44.480 use it for their purposes. 130 00:05:44.720 --> 00:05:47.399 The sources mentioned some techniques that sound kind of scary, 131 00:05:47.759 --> 00:05:50.839 like encoding and decoding binaries within PowerShell. 132 00:05:50.959 --> 00:05:54.240 It's like smuggling contraband. They take malicious code, make it 133 00:05:54.240 --> 00:05:57.120 look harmless, then transferred to the target, and once it's there, 134 00:05:57.279 --> 00:06:00.000 they use PowerShell to decode it back into executable code 135 00:06:00.079 --> 00:06:00.560 and run it. 136 00:06:00.639 --> 00:06:02.600 So it's like hiding a weapon and plane sight. 137 00:06:03.000 --> 00:06:05.720 You got it. And the sources point out that PowerShell 138 00:06:05.759 --> 00:06:09.000 can interact directly with the Windows API, making it even. 139 00:06:08.879 --> 00:06:13.319 More dangerous, so they can bypass security, escalate privileges, all 140 00:06:13.360 --> 00:06:14.879 that nasty stuff. 141 00:06:14.480 --> 00:06:16.639 All without installing traditional malware. 142 00:06:16.759 --> 00:06:18.759 This is starting to feel like a theme. You know, 143 00:06:19.240 --> 00:06:22.319 attackers using legitimate tools for bad stuff. 144 00:06:22.240 --> 00:06:25.360 Exactly, and that's what makes defending against them so much harder. 145 00:06:25.439 --> 00:06:27.279 You can't just block specific files. 146 00:06:27.439 --> 00:06:30.680 You have to understand how those tools can be misused. 147 00:06:30.279 --> 00:06:32.120 And monitor for suspicious activity. 148 00:06:32.199 --> 00:06:38.199 Okay, so we've got ocent firewalls, passwords, now PowerShell, what else? 149 00:06:38.360 --> 00:06:41.319 Let's talk about shell code. The sources get into this 150 00:06:41.360 --> 00:06:43.439 whole world of low level instructions. 151 00:06:43.680 --> 00:06:47.160 Shell could always sound so intimidating, like Hollywood hacker stuff. 152 00:06:47.240 --> 00:06:50.000 It has a certain mystique. Yeah, but really it's just 153 00:06:50.040 --> 00:06:52.319 instructions that telecomputer what to do, and it can be. 154 00:06:52.319 --> 00:06:54.639 Used for more than just you know, gaining a shell. 155 00:06:54.759 --> 00:06:57.040 Oh yeah, way more. It's like a Swiss army knife 156 00:06:57.040 --> 00:07:01.079 for attackers. Like what else can you do bypass security, 157 00:07:01.120 --> 00:07:04.600 steal data, install back doors, even attack other systems? 158 00:07:04.879 --> 00:07:07.040 Sounds pretty versatile, it is, and. 159 00:07:07.040 --> 00:07:12.040 The sources mentioned techniques for bypassing dep and ASLR. 160 00:07:11.759 --> 00:07:12.959 Uh oh more acronyms. 161 00:07:13.120 --> 00:07:17.639 Sorry, dep is Data execution prevention makes it harder to 162 00:07:17.680 --> 00:07:21.639 run shell code in memory ASLR address space layout randomization 163 00:07:21.720 --> 00:07:23.000 scrambles things up, makes. 164 00:07:22.800 --> 00:07:24.600 It harder to hit the target exactly. 165 00:07:24.920 --> 00:07:27.399 But the attackers are always coming up with ways around these, 166 00:07:27.800 --> 00:07:32.439 like what they mentioned something called return oriented programming or ROP. 167 00:07:33.240 --> 00:07:37.720 What's that? Basically chaining together existing code snippets to get 168 00:07:37.720 --> 00:07:38.720 their shell code to run. 169 00:07:39.040 --> 00:07:42.319 So it's like a hacker macguivering their way around security 170 00:07:42.360 --> 00:07:43.240 measures exactly. 171 00:07:43.279 --> 00:07:46.680 They use whatever's available, and the sources really highlight how 172 00:07:46.720 --> 00:07:49.040 important it is to stay ahead of the curve with 173 00:07:49.199 --> 00:07:50.160 shell code. 174 00:07:49.959 --> 00:07:51.560 Because the attackers are always innovating. 175 00:07:51.800 --> 00:07:55.839 Absolutely, you need layered security to make exploitation much harder. 176 00:07:55.959 --> 00:07:58.879 It's like that constant arms race attackers and defenders. 177 00:07:58.920 --> 00:08:01.560 You got it. And that brings us to another technique 178 00:08:01.639 --> 00:08:04.399 for finding vulnerabilities, fuzzing. 179 00:08:04.879 --> 00:08:07.120 Fuzzing that sounds kind of messy. What is that? 180 00:08:07.439 --> 00:08:11.040 It's about throwing random data at a target, seeing what breaks. 181 00:08:10.800 --> 00:08:12.959 Like deliberately trying to make the software crash. 182 00:08:13.040 --> 00:08:16.920 Pretty much by analyzing those crashes you can find vulnerabilities. 183 00:08:17.000 --> 00:08:20.680 I see the sources describe a network fuzzing scenario using 184 00:08:20.720 --> 00:08:23.439 tie off and Python, but then they talk about fuzzing 185 00:08:23.480 --> 00:08:25.160 at a low level. What's the difference. 186 00:08:25.639 --> 00:08:29.000 So network fuzzing is sending weird packets over the network 187 00:08:29.199 --> 00:08:29.680 looking for. 188 00:08:29.680 --> 00:08:31.720 Flaws, and the low level stuff. 189 00:08:31.600 --> 00:08:35.000 That's targeting specific parts of the software or even hardware. 190 00:08:36.000 --> 00:08:39.360 So you can fuzz pretty much anything that processes data. 191 00:08:39.840 --> 00:08:42.559 Yeah, that's the cool thing about it, but it's important 192 00:08:42.600 --> 00:08:44.360 to use it responsibly. 193 00:08:43.960 --> 00:08:46.039 Otherwise you could cause more problems than you solve. 194 00:08:46.639 --> 00:08:52.720 Exactly, uncontrolled fuzzing could crash systems or even reveal vulnerabilities 195 00:08:52.759 --> 00:08:53.720 to other attackers. 196 00:08:54.120 --> 00:08:56.240 So it's powerful, but you got to be careful. 197 00:08:56.559 --> 00:09:02.120 Absolutely. Now, imagine an attacker has spent like days gaining 198 00:09:02.159 --> 00:09:02.759 access to. 199 00:09:02.720 --> 00:09:05.720 A system using some of these techniques we've been talking about. 200 00:09:05.840 --> 00:09:07.360 Yeah, what do you think happens next? 201 00:09:07.960 --> 00:09:10.080 Well, if they went through all that trouble, they probably 202 00:09:10.120 --> 00:09:11.440 want to make sure they can come. 203 00:09:11.320 --> 00:09:14.000 Back right exactly. That's where persistence comes in. 204 00:09:14.120 --> 00:09:17.440 Okay, I'm intrigued. Tell me more about this persistence thing. 205 00:09:18.080 --> 00:09:21.440 So the sources talk about how attackers maintain access to 206 00:09:21.480 --> 00:09:22.399 a system. 207 00:09:22.120 --> 00:09:24.039 Even if their initial access is blocked. 208 00:09:24.120 --> 00:09:26.159 Exactly, it's about setting up a back door. 209 00:09:26.240 --> 00:09:27.960 So you kick them out the front door, they've already 210 00:09:27.960 --> 00:09:28.840 found a way in the back. 211 00:09:29.000 --> 00:09:32.960 That's the idea. They use things like materpreter, persistence, netcat, 212 00:09:33.039 --> 00:09:33.639 back doors. 213 00:09:34.200 --> 00:09:37.840 Netcat isn't that a pretty basic networking tool? 214 00:09:38.080 --> 00:09:40.159 It is, but it can be used for sneaky stuff too. 215 00:09:40.399 --> 00:09:42.519 And this interpreter thing, what's that all about. 216 00:09:42.840 --> 00:09:46.120 It's part of the Metasclite framework, a really powerful tool 217 00:09:46.159 --> 00:09:47.320 for penetration. 218 00:09:46.960 --> 00:09:48.440 Testing, and attackers use it too. 219 00:09:48.480 --> 00:09:51.600 I bet Oh, absolutely, It's got all sorts of features 220 00:09:51.639 --> 00:09:53.519 for maintaining access to a system. 221 00:09:53.639 --> 00:09:57.360 Sounds pretty scary and PowerShell empire persistence. 222 00:09:57.799 --> 00:10:00.159 What's that leveraging the power of scripts based. 223 00:10:00.360 --> 00:10:02.639 So they can set up all sorts of automated tasks 224 00:10:02.720 --> 00:10:04.240 to keep their access going. 225 00:10:04.360 --> 00:10:06.720 You got it. And the sources point out that to 226 00:10:06.759 --> 00:10:08.799 combat this you need proactive. 227 00:10:08.320 --> 00:10:10.960 Monitoring, strong security control. 228 00:10:10.720 --> 00:10:12.600 And understanding how the attackers work. 229 00:10:12.720 --> 00:10:15.080 So it's about making it as hard as possible for 230 00:10:15.120 --> 00:10:17.120 them to gain a foothold in the first place. 231 00:10:17.039 --> 00:10:20.320 Exactly, but even then they might find a way. That's 232 00:10:20.320 --> 00:10:21.919 why layered security is so important. 233 00:10:22.039 --> 00:10:23.720 Multiple lines of defense, you got it. 234 00:10:23.720 --> 00:10:27.240 It's like a castle with moats, walls guards. 235 00:10:26.799 --> 00:10:30.600 Each layer, making it harder to penetrate deeper precisely. 236 00:10:30.919 --> 00:10:34.200 And we've already talked about ARP poisoning, but the sources 237 00:10:34.279 --> 00:10:39.600 really go into how that exploits trust at a fundamental level. Yeah, 238 00:10:39.799 --> 00:10:41.840 remind me again of how that works. It always trips 239 00:10:41.840 --> 00:10:42.039 me up. 240 00:10:42.120 --> 00:10:45.519 It's like the network's phone book, right, mapping IP addresses 241 00:10:45.559 --> 00:10:47.480 to make addresses. 242 00:10:47.000 --> 00:10:50.200 Exactly when a device wants to send data, it uses 243 00:10:50.480 --> 00:10:52.279 ARP to find the MPa address for. 244 00:10:52.320 --> 00:10:55.080 That IP address, so it knows where to send the data, right. 245 00:10:55.399 --> 00:10:59.039 But the problem is ARP was designed with trust in mind. 246 00:10:59.480 --> 00:11:01.639 It is soon everyone's being honest. 247 00:11:01.559 --> 00:11:04.960 Exactly, and an attacker can exploit that by sending fake 248 00:11:05.360 --> 00:11:06.879 ARP replies. 249 00:11:06.559 --> 00:11:08.159 Claiming to be another device on the network. 250 00:11:08.159 --> 00:11:10.559 You got it. They hijack the communication. 251 00:11:10.120 --> 00:11:13.320 Like setting up a fake detour sign, redirecting traffic to 252 00:11:13.360 --> 00:11:14.559 a dead end exactly. 253 00:11:14.600 --> 00:11:16.960 And this happens at a low level, so firewalls often 254 00:11:17.039 --> 00:11:17.679 can't stop it. 255 00:11:18.200 --> 00:11:21.279 That's terrifying. But the sources mention ways to mitigate this 256 00:11:21.440 --> 00:11:22.200 right absolutely. 257 00:11:22.240 --> 00:11:24.519 They talk about using static ARP entries. 258 00:11:24.440 --> 00:11:27.840 So you create a fixed mapping between IP and MP 259 00:11:27.960 --> 00:11:29.279 addresses exactly. 260 00:11:29.360 --> 00:11:31.840 It's like writing the correct address in permanent. 261 00:11:31.440 --> 00:11:33.320 Marker so it can't be changed easily. 262 00:11:33.440 --> 00:11:36.919 That's the idea. They also mentioned implementing ARP inspection on 263 00:11:36.960 --> 00:11:38.440 network devices. 264 00:11:38.240 --> 00:11:41.679 So it verifies the ARP requests and replies exactly. 265 00:11:41.720 --> 00:11:44.600 It's like having a security guard checking IDs to make. 266 00:11:44.519 --> 00:11:46.639 Sure everyone is who they say. 267 00:11:46.440 --> 00:11:49.440 They are, You got it. It's a reminder that even 268 00:11:49.519 --> 00:11:53.000 simple protocols can have vulnerabilities. 269 00:11:52.279 --> 00:11:53.960 That attackers can exploit. 270 00:11:54.519 --> 00:11:56.159 Always got to be thinking a few steps ahead. 271 00:11:56.200 --> 00:11:59.799 Okay, we've got to be careful about ARP poisoning. What 272 00:12:00.120 --> 00:12:02.519 else do these sources tell us about how attackers think? 273 00:12:02.679 --> 00:12:05.759 Well, let's talk about fingerprinting in network security. 274 00:12:06.080 --> 00:12:07.320 Okay, I'm listening. What's that. 275 00:12:07.639 --> 00:12:12.080 Basically, attackers use techniques to identify the operating system. 276 00:12:11.879 --> 00:12:12.960 And software versions. 277 00:12:13.240 --> 00:12:15.399 Often. Yeah, it's like a digital detective work. 278 00:12:15.399 --> 00:12:18.279 So they're gathering clues about their target exactly, And. 279 00:12:18.240 --> 00:12:22.039 They do this by sending carefully crafted network packets. 280 00:12:21.720 --> 00:12:23.879 And analyzing the responses precisely. 281 00:12:24.279 --> 00:12:27.440 They look for subtle differences that reveal info about the system. 282 00:12:27.600 --> 00:12:30.840 The sources mention a tool called p zero F that 283 00:12:30.879 --> 00:12:32.679 can fingerprint systems passively. 284 00:12:32.799 --> 00:12:36.000 Oh yeah, p zeros cool. It just deserves network traffic. 285 00:12:35.720 --> 00:12:37.240 And figures out what OS is running. 286 00:12:37.360 --> 00:12:39.879 Yep. It takes advantage of the fact that different OS 287 00:12:39.960 --> 00:12:42.440 implement protocols a little differently. 288 00:12:42.120 --> 00:12:44.000 Leaving behind unique fingerprints. 289 00:12:44.320 --> 00:12:46.519 Exactly. It's like analyzing the wear and tear on a 290 00:12:46.559 --> 00:12:48.200 letter to figure out where it came from. 291 00:12:48.240 --> 00:12:50.120 What other techniques do attackers use. 292 00:12:50.279 --> 00:12:52.840 Well, they can use active probing techniques. 293 00:12:52.639 --> 00:12:55.399 So actually sending packets to the target yep. 294 00:12:55.679 --> 00:12:57.360 And they can look at things like the time to 295 00:12:57.360 --> 00:12:59.039 live values in IP packets. 296 00:12:59.120 --> 00:13:02.360 The TTL isn't that just to prevent packets from endlessly 297 00:13:02.399 --> 00:13:03.200 bouncing around. 298 00:13:03.480 --> 00:13:07.879 It is, but different ocs have default TTL values, so 299 00:13:07.919 --> 00:13:09.399 it can be used for fingerprinting. 300 00:13:10.000 --> 00:13:12.480 Sneaky. Okay, so they've fingerprinted the system. 301 00:13:12.679 --> 00:13:16.480 Now what that information helps them target their attacks. They 302 00:13:16.559 --> 00:13:19.000 can choose the right exploits based on the OS and 303 00:13:19.039 --> 00:13:19.919 software versions. 304 00:13:20.080 --> 00:13:22.120 It's like a tailor making a custom suit. 305 00:13:22.320 --> 00:13:25.080 Exactly. The better they know the measurements, the better the fit. 306 00:13:25.440 --> 00:13:29.720 So fingerprinting is about intel gathering and customizing the attack precisely. 307 00:13:30.240 --> 00:13:33.879 The sources also talk about stack fingerprinting, which is even more. 308 00:13:33.759 --> 00:13:35.879 Advanced stack finger printing. What's that. 309 00:13:36.159 --> 00:13:39.080 It's like analyzing the bruststrokes of a painting to identify 310 00:13:39.120 --> 00:13:39.559 the artist. 311 00:13:39.759 --> 00:13:41.879 So going deeper than just the surface. 312 00:13:41.639 --> 00:13:46.039 Level exactly, they're looking at the TCPIP stack implementation. 313 00:13:45.679 --> 00:13:49.240 Which is like the foundation of Internet communication yep, And. 314 00:13:49.159 --> 00:13:52.399 By analyzing those subtle differences they can get an even 315 00:13:52.440 --> 00:13:53.639 more precise fingerprint. 316 00:13:53.960 --> 00:13:57.000 The sources mention a tool called spapy that can do this. 317 00:13:57.200 --> 00:14:01.279 Scapey is awesome. It's a really powerful tool for manipulating 318 00:14:01.320 --> 00:14:02.159 network packets. 319 00:14:02.679 --> 00:14:04.000 It's written in Python. 320 00:14:03.759 --> 00:14:06.080 Right, Yeah, you can create your own custom packets and 321 00:14:06.080 --> 00:14:07.279 see how the target responds. 322 00:14:07.679 --> 00:14:10.600 Sounds incredibly powerful, but also kind of dangerous. 323 00:14:10.600 --> 00:14:13.279 Definitely in the wrong hands, it could be used for 324 00:14:13.320 --> 00:14:14.360 malicious purposes. 325 00:14:15.000 --> 00:14:19.440 The sources mentioned using stapy to create a stack masquerade. 326 00:14:20.000 --> 00:14:21.039 What's that about. 327 00:14:21.360 --> 00:14:24.679 Basically, it's crafting packets that mimic a specific OS or 328 00:14:24.720 --> 00:14:25.840 software version. 329 00:14:25.840 --> 00:14:28.200 So creating a fake ID exactly. 330 00:14:28.320 --> 00:14:31.799 They can fool security tools or bypass finger printing defenses. 331 00:14:31.840 --> 00:14:33.799 It's like a digital disguise, you got it. 332 00:14:34.559 --> 00:14:38.399 In cybersecurity, sometimes the best offense is a good defense. 333 00:14:38.440 --> 00:14:39.519 Or a convincing fake. 334 00:14:39.799 --> 00:14:40.919 Uh huh exactly. 335 00:14:41.200 --> 00:14:43.759 Speaking of defense, the sources also talk about ways to 336 00:14:43.799 --> 00:14:45.120 protect against finger printing. 337 00:14:45.240 --> 00:14:47.600 Oh yeah, absolutely. It's all about making it hard for 338 00:14:47.639 --> 00:14:50.759 attackers to gather information like what kind of stuff, blocking 339 00:14:50.799 --> 00:14:55.279 suspicious probes, using network address translation yeat, yeah, NAT, to 340 00:14:55.360 --> 00:14:58.879 hide internal systems, or even using intrusion detection systems. 341 00:14:59.080 --> 00:15:02.480 So basically putting up barriers and watching for intruders exactly. 342 00:15:02.919 --> 00:15:05.600 But remember security is a constant process. 343 00:15:05.759 --> 00:15:07.320 Attackers are always finding new. 344 00:15:07.200 --> 00:15:09.360 Ways in and defenders need to adapt. 345 00:15:09.679 --> 00:15:15.279 Okay, so we've got ARP, poisoning, fingerprinting, stack masquerading. It's 346 00:15:15.360 --> 00:15:18.200 clear attackers can exploit a lot of flaws and. 347 00:15:18.200 --> 00:15:20.879 It's important to understand these things from a defender's. 348 00:15:20.399 --> 00:15:22.840 Perspective too, so you can build better defenses. 349 00:15:22.960 --> 00:15:25.879 Precisely, it's like studying your opponent's moves in chess. 350 00:15:26.639 --> 00:15:29.120 The better you understand them, the better you can counter them. 351 00:15:29.240 --> 00:15:32.360 Exactly. Okay, let's shift gears and talk about edtter cap. 352 00:15:32.639 --> 00:15:36.039 Better cap sounds kind of ominous. What is that? 353 00:15:36.240 --> 00:15:38.960 It's a tool for man in the middle attacks. Oh, 354 00:15:39.120 --> 00:15:42.519 it can intercept traffic, modify it, even inject new traffic. 355 00:15:42.600 --> 00:15:43.639 Sounds pretty powerful. 356 00:15:43.799 --> 00:15:45.480 It is. It's like a hacker's toolbox. 357 00:15:45.639 --> 00:15:47.679 What makes it so effective for these man in the 358 00:15:47.679 --> 00:15:48.440 middle attacks. 359 00:15:48.679 --> 00:15:53.159 It can do ARP poisoning, sniffing, code injection, even create 360 00:15:53.240 --> 00:15:55.120 fake captive portals. 361 00:15:54.840 --> 00:15:58.360 So it's a one stop shop for malicious network activity 362 00:15:58.440 --> 00:15:59.000 pretty much. 363 00:15:59.559 --> 00:16:02.360 And talk about using it for bridged. 364 00:16:02.039 --> 00:16:04.039 Sniffing bridge sniffing. What's that? 365 00:16:04.200 --> 00:16:06.679 Regular sniffing is like listening to a conversation right in 366 00:16:06.720 --> 00:16:09.080 front of you. Okay, Bridge sniffing is like setting up 367 00:16:09.080 --> 00:16:11.480 a listening post at a busy intersection. 368 00:16:11.159 --> 00:16:13.559 So you can hear conversations from all directions. 369 00:16:13.679 --> 00:16:18.200 Exactly. By bridging two network interfaces, edtercap can capture traffic 370 00:16:18.240 --> 00:16:20.679 that would normally be invisible, So even. 371 00:16:20.480 --> 00:16:24.639 If devices aren't talking directly to the attacker's machine, attercap 372 00:16:24.720 --> 00:16:26.080 can still listen in yep. 373 00:16:26.600 --> 00:16:29.919 It's especially effective on switch networks. 374 00:16:29.559 --> 00:16:31.159 Where traffic is usually isolated. 375 00:16:31.320 --> 00:16:34.279 Right. They also talk about creating a malicious access point. 376 00:16:34.200 --> 00:16:36.559 With edertercap, like a fake Wi Fi hotspot. 377 00:16:36.759 --> 00:16:40.840 Exactly. They can intercept traffic, capture credentials, all sorts of 378 00:16:40.919 --> 00:16:41.600 nasty stuff. 379 00:16:41.639 --> 00:16:43.679 So if you're at a coffee shop, be careful what 380 00:16:43.720 --> 00:16:44.720 Wi Fi you connect to. 381 00:16:45.039 --> 00:16:48.919 Absolutely, always good advice. Yeah. The sources also get into 382 00:16:49.120 --> 00:16:52.000 edtercap filters, which are pretty. 383 00:16:51.679 --> 00:16:55.000 Interesting filters, like for filtering traffic kinda. 384 00:16:55.120 --> 00:16:58.039 There are rules that define how edercap interacts with traffic. 385 00:16:58.120 --> 00:17:00.000 So you can customize its behavior exactly. 386 00:17:00.360 --> 00:17:04.279 You can modify packets, drop connections, even run scripts based 387 00:17:04.319 --> 00:17:05.359 on certain criteria. 388 00:17:05.640 --> 00:17:06.759 That sounds powerful. 389 00:17:06.880 --> 00:17:08.880 It is. It's like setting up traps on a network. 390 00:17:09.079 --> 00:17:11.160 But filters can be used for good too, right. 391 00:17:11.160 --> 00:17:16.000 Absolutely. Defenders can use them to detect and block suspicious activity. 392 00:17:15.839 --> 00:17:19.039 So like a security guard who can spot troublemakers. 393 00:17:19.240 --> 00:17:21.920 Exactly. It's all about understanding the capabilities of. 394 00:17:21.880 --> 00:17:24.160 These tools and using them to your advantage. 395 00:17:24.200 --> 00:17:27.319 Precisely, the source is even mentioned as scripting language for 396 00:17:27.400 --> 00:17:29.160 edttercap filters, so you. 397 00:17:29.160 --> 00:17:31.359 Can program them for even more complex tasks. 398 00:17:31.440 --> 00:17:32.920 Yep, it gives you a lot of control. 399 00:17:33.039 --> 00:17:37.400 Okay, so we've got etter cap bridged sniffing malicious access 400 00:17:37.440 --> 00:17:40.559 points filters. It's a lot to take in. 401 00:17:40.680 --> 00:17:42.480