WEBVTT 1 00:00:00.080 --> 00:00:02.359 Hey there, ready to step into the shoes of a 2 00:00:02.359 --> 00:00:06.000 white hat hacker. Today, we're diving into the world of 3 00:00:06.080 --> 00:00:09.720 penetration testing. Okay, think of it as a security checkup 4 00:00:09.720 --> 00:00:10.800 for the digital age. 5 00:00:11.080 --> 00:00:11.320 Right. 6 00:00:11.359 --> 00:00:14.919 We've got this comprehensive course curriculum all about it, and 7 00:00:14.960 --> 00:00:18.600 we're going to extract the most crucial and fascinating insights 8 00:00:19.359 --> 00:00:19.920 just for you. 9 00:00:20.320 --> 00:00:20.559 Right. 10 00:00:20.760 --> 00:00:24.359 Imagine this, We're planning a heist, not on a bank, okay, 11 00:00:24.519 --> 00:00:28.160 but on a high tech facility brimming with sensitive data. 12 00:00:28.280 --> 00:00:30.839 It's a great analogy. Oh yeah, yeah, because just like 13 00:00:30.879 --> 00:00:35.280 in a heist movie, penetration testing involves meticulous planning, reconnaissance, 14 00:00:35.719 --> 00:00:37.000 and skillful execution. 15 00:00:37.280 --> 00:00:37.840 I like it. 16 00:00:38.280 --> 00:00:42.439 But instead of stealing valuables, our goal is to expose 17 00:00:42.560 --> 00:00:44.359 vulnerabilities before the bad guys do. 18 00:00:44.520 --> 00:00:46.640 Okay, so we're the good guys in this scenario, right, 19 00:00:46.679 --> 00:00:49.479 the ethical hacker is trying to protect sensitive data. Yes, 20 00:00:49.679 --> 00:00:52.640 and this curriculum calls it an authorized form of hacking, 21 00:00:53.159 --> 00:00:54.799 which is a bit of a mind bender. 22 00:00:54.759 --> 00:00:55.799 Right it is authorized. 23 00:00:55.840 --> 00:00:56.119 Yeah. 24 00:00:56.320 --> 00:00:59.679 Companies highre penetration testers often called pen testers, to find 25 00:00:59.679 --> 00:01:03.039 the we this is in their systems before malicious actors do. 26 00:01:03.240 --> 00:01:05.359 So it's like We're hired to break in and then 27 00:01:05.400 --> 00:01:07.400 give them a report card on their security. 28 00:01:07.560 --> 00:01:13.519 Exactly. We have three main objectives. Identify vulnerabilities, understand how 29 00:01:13.519 --> 00:01:16.640 those vulnerabilities could be exploited, and then give them a 30 00:01:16.719 --> 00:01:19.680 clear roadmap for fixing those weaknesses. 31 00:01:19.719 --> 00:01:22.400 And I bet some companies take this very seriously. 32 00:01:22.040 --> 00:01:26.400 Right absolutely. In fact, for industries like finance, penetration testing 33 00:01:27.040 --> 00:01:31.519 isn't just a good idea, it's standard practice. Wow, they 34 00:01:31.560 --> 00:01:35.480 know how tempting their data is to cyber criminals. Yeah, 35 00:01:35.519 --> 00:01:38.439 so they can't afford to leave any gaps in their defenses. 36 00:01:38.879 --> 00:01:41.599 That makes sense. Yeah, so how do we even approach 37 00:01:41.599 --> 00:01:46.560 a pentist? Who I see this document talks about black box, 38 00:01:46.680 --> 00:01:50.319 gray box and white box testing. Sounds mysterious. 39 00:01:50.439 --> 00:01:54.000 Think of them as different levels of intel before our heist. Okay, 40 00:01:54.560 --> 00:01:57.280 black box is going in almost blind, like we only 41 00:01:57.319 --> 00:01:59.840 know the name of the facility. Grey Box gives us 42 00:01:59.840 --> 00:02:02.400 a Martiall blueprint, maybe we know some of the security 43 00:02:02.400 --> 00:02:06.319 systems they use, and white box testing is like having 44 00:02:06.319 --> 00:02:10.240 the full schematics. We know the layout, the tech, everything. 45 00:02:10.439 --> 00:02:13.240 So which approach do we usually use for penetration testing? 46 00:02:13.479 --> 00:02:16.240 For this deep dive, we'll focus on black box and 47 00:02:16.240 --> 00:02:19.400 gray box. Okay, they're the most common because in real 48 00:02:19.439 --> 00:02:24.240 world scenarios, you rarely have complete information about a target system. 49 00:02:24.319 --> 00:02:28.759 Whitebox requires a deep dive into code and architecture, a 50 00:02:28.800 --> 00:02:30.639 whole other level of expertise. 51 00:02:30.759 --> 00:02:34.199 Got it, This is already getting me excited. This curriculum 52 00:02:34.280 --> 00:02:37.680 says we need to think like a hacker. So are 53 00:02:37.719 --> 00:02:40.759 we about to unleash our inner cybervigilantes? 54 00:02:41.400 --> 00:02:47.000 Hold on there, Ethical boundaries are paramount. Illegal activities are 55 00:02:47.360 --> 00:02:50.800 never ever part of a penetration test. Okay. We operate 56 00:02:50.879 --> 00:02:55.759 strictly within a legal framework, always with permission from the client. 57 00:02:55.960 --> 00:02:58.719 So we're more like detectives than criminals, right exactly. 58 00:02:58.800 --> 00:03:01.560 Okay, speaking of history, did you know the term hacker 59 00:03:01.719 --> 00:03:03.240 didn't start with malicious intent? 60 00:03:03.520 --> 00:03:04.280 I didn't know that. 61 00:03:04.439 --> 00:03:08.479 No, It actually originated from MIT students who would cleverly 62 00:03:08.560 --> 00:03:13.680 modify systems, not to steal or disrupt, but to innovate 63 00:03:13.759 --> 00:03:14.759 and push boundaries. 64 00:03:14.919 --> 00:03:17.719 Wow, I had no idea. Yeah, so it was more 65 00:03:17.719 --> 00:03:19.919 about creative problem solving than anything else. 66 00:03:20.080 --> 00:03:20.599 Exactly. 67 00:03:20.800 --> 00:03:21.159 Interesting. 68 00:03:21.280 --> 00:03:24.000 Of course, the term has evolved over time, but at 69 00:03:24.000 --> 00:03:27.879 its core, hacking is about understanding how systems work and 70 00:03:27.919 --> 00:03:29.879 finding clever ways to interact with them. 71 00:03:30.319 --> 00:03:32.680 Okay, So now that we've got our ethical hacker hats on, 72 00:03:33.639 --> 00:03:36.039 let's map out the phases of a penetration test. 73 00:03:36.240 --> 00:03:36.599 Okay. 74 00:03:36.919 --> 00:03:41.520 This curriculum outlines a pretty detailed roadmap, kind of like 75 00:03:41.560 --> 00:03:42.400 our heist plan. 76 00:03:42.960 --> 00:03:46.280 The first phase is all about framing the intervention, all right. 77 00:03:46.479 --> 00:03:50.759 It starts with meeting the client, understanding their security concerns, 78 00:03:51.400 --> 00:03:53.599 and defining the scope of our operation. 79 00:03:53.919 --> 00:03:58.080 So it's like our initial reconnaissance mission. We're gathering intel, 80 00:03:58.280 --> 00:04:02.120 scoping out the target facility, and figuring out the objectives 81 00:04:02.120 --> 00:04:02.599 of our heist. 82 00:04:02.759 --> 00:04:05.759 Right. Clear communication is crucial here. We need to know 83 00:04:05.840 --> 00:04:09.439 what's off limits, what systems are critical, and what the 84 00:04:09.479 --> 00:04:13.319 client's expectations are. The document actually gives an example where 85 00:04:13.360 --> 00:04:17.399 a pintester accidentally brought down a small business's entire network 86 00:04:17.800 --> 00:04:22.399 during a test. Oh wow, because of miscommunication about the scope. 87 00:04:22.519 --> 00:04:23.959 Oh that's a nightmare scenario. 88 00:04:24.160 --> 00:04:24.399 Yeah. 89 00:04:24.720 --> 00:04:28.319 It really highlights the need for a solid plan, absolutely. Yeah. 90 00:04:28.360 --> 00:04:31.040 That's why we have a framework document that outlines the 91 00:04:31.120 --> 00:04:34.319 rules of engagement, kind of like a contract between us 92 00:04:34.360 --> 00:04:39.160 and the client. It clarifies everything, the targets, the methods 93 00:04:39.199 --> 00:04:43.519 will use, the timelines, communication protocols. Okay, even how we'll 94 00:04:43.519 --> 00:04:45.040 deliver our findings. 95 00:04:44.759 --> 00:04:47.319 So it protects both us and the client, making sure 96 00:04:47.360 --> 00:04:49.199 everyone's on the same page exactly. All right. 97 00:04:49.240 --> 00:04:51.759 Cool. Now, once we've got our mission clear, the next 98 00:04:51.759 --> 00:04:53.759 phase is preparing our work environment. 99 00:04:53.879 --> 00:04:56.560 Time to gather our tools and set up our hacker layer. 100 00:04:56.680 --> 00:04:59.079 I like how you think. Yeah. In the digital world, 101 00:04:59.160 --> 00:05:02.879 this means setting up a dedicated, disposable environment for each test. 102 00:05:03.560 --> 00:05:07.360 We often use specialized operating systems like CALLI, Linux, Parados, 103 00:05:07.439 --> 00:05:09.120 or command of VM. 104 00:05:08.959 --> 00:05:11.120 So it's like having a virtual safe house where we 105 00:05:11.120 --> 00:05:14.839 can experiment and work without affecting our own systems or 106 00:05:14.879 --> 00:05:17.639 mixing data from different clients exactly. Okay. 107 00:05:17.759 --> 00:05:20.199 Each of these operating systems comes with its own set 108 00:05:20.240 --> 00:05:24.319 of tools and features, kind of like our specialized heist equipment. Okay, 109 00:05:24.360 --> 00:05:26.079 The key is choosing the right one for the job. 110 00:05:26.720 --> 00:05:28.879 This is where it gets really interesting, right Yeah, Now 111 00:05:28.959 --> 00:05:31.639 we start digging for information about our target. 112 00:05:32.360 --> 00:05:36.920 This is where open source intelligence or ocence comes into play. 113 00:05:38.279 --> 00:05:41.879 You'd be amazed at how much valuable information is publicly available. 114 00:05:42.279 --> 00:05:46.399 So we're scouring the web for clues like blueprints of 115 00:05:46.399 --> 00:05:51.360 the facility, security guard schedules, maybe even finding disgruntled employees 116 00:05:51.399 --> 00:05:53.439 who could provide inside information. 117 00:05:53.600 --> 00:05:57.319 You're getting it all right, I think employee names, email addresses, 118 00:05:57.600 --> 00:06:01.560 company websites, social media posts, anything that can give us 119 00:06:01.560 --> 00:06:04.399 a better understanding of the target's security posture. 120 00:06:04.560 --> 00:06:08.560 And what about search engines like Google? Can we use 121 00:06:08.600 --> 00:06:10.560 them to find sensitive information? 122 00:06:10.959 --> 00:06:15.879 Absolutely? We use advanced search techniques called Google dorking to 123 00:06:16.000 --> 00:06:20.600 uncover hidden data. It's like having a secret code to 124 00:06:20.720 --> 00:06:23.600 unlock hidden rooms in the facility's database. 125 00:06:23.839 --> 00:06:24.199 Wow. 126 00:06:24.319 --> 00:06:26.800 For example, we can use it to find specific types 127 00:06:26.800 --> 00:06:30.720 of files on a company's website, like PDF documents containing 128 00:06:30.720 --> 00:06:31.680 the word password. 129 00:06:31.839 --> 00:06:35.839 Wow. That's incredibly powerful. It's amazing how much information is 130 00:06:35.839 --> 00:06:37.199 out there if you know how to. 131 00:06:37.160 --> 00:06:39.600 Look for it, right. Yeah, But of course we always 132 00:06:39.639 --> 00:06:42.720 use these techniques ethically and responsibly, of course. 133 00:06:43.040 --> 00:06:46.680 Now, this document also mentions other sources of information, like 134 00:06:46.879 --> 00:06:49.040 leaked databases in the dark web. 135 00:06:49.199 --> 00:06:53.040 Those sources can be valuable, but they often raise ethical 136 00:06:53.199 --> 00:06:56.720 and legal concerns. I see, it's important to tread carefully 137 00:06:56.720 --> 00:06:59.879 and ensure any information gathered is obtained legally and effic 138 00:07:00.480 --> 00:07:01.000 makes sense. 139 00:07:01.399 --> 00:07:04.839 So we've gathered all this intel from publicly available sources. 140 00:07:05.600 --> 00:07:08.639 What's the next step in our digital heist, do we 141 00:07:08.720 --> 00:07:09.639 just try to break in. 142 00:07:10.240 --> 00:07:14.360 Not quite yet. We need to transition from passive information 143 00:07:14.480 --> 00:07:17.160 gathering to active reconnaissance. 144 00:07:18.079 --> 00:07:21.680 So in our heist analogy, this is where we start 145 00:07:21.720 --> 00:07:26.639 interacting with the target facility, maybe testing the perimeter fences, 146 00:07:27.319 --> 00:07:30.920 checking for security camera blind spots yep, or even trying 147 00:07:30.959 --> 00:07:32.560 to blend in with the employees. 148 00:07:32.680 --> 00:07:36.600 Exactly. In the digital world, this could involve techniques like 149 00:07:36.680 --> 00:07:41.040 subdomain enumeration m trying to discover all the hidden servers 150 00:07:41.120 --> 00:07:44.560 connected to the main network, like finding secret entrances to 151 00:07:44.600 --> 00:07:45.240 the facility. 152 00:07:45.360 --> 00:07:48.279 I'm starting to see how strategic this all is. We're 153 00:07:48.279 --> 00:07:51.879 not just blindly attacking, We're carefully mapping out the entire 154 00:07:51.959 --> 00:07:53.560 landscape exactly. Cool. 155 00:07:53.959 --> 00:07:59.480 We'll also analyze their TLS certificates, those digital signatures that 156 00:07:59.680 --> 00:08:03.839 verify via website's identity. They can sometimes reveal information about 157 00:08:03.839 --> 00:08:05.439 the systems and software they're using. 158 00:08:05.519 --> 00:08:08.680 It's like finding a discarded security badge that gives us 159 00:08:08.759 --> 00:08:11.920 clues about the technology they're using inside exactly. 160 00:08:11.680 --> 00:08:14.519 And the document even gives an example of finding a 161 00:08:14.600 --> 00:08:20.800 vulnerable code repository on git lab. Through active reconnaissance, it's 162 00:08:20.800 --> 00:08:25.920 like discovering the facility's security protocols have been accidentally leaked online. 163 00:08:26.199 --> 00:08:28.240 Wow, that's a huge advantage for us. 164 00:08:28.519 --> 00:08:28.920 Yeah. 165 00:08:29.000 --> 00:08:33.120 So we've mapped out the target's digital landscape, we've gathered intel, 166 00:08:33.159 --> 00:08:35.639 and we've done our recon Right. Now it's time to 167 00:08:35.639 --> 00:08:37.039 find those entry points. Right. 168 00:08:37.360 --> 00:08:40.000 Think of it like identifying the weak spots and the 169 00:08:40.039 --> 00:08:45.360 facilities defenses, the unguarded entrances, the ventilation shafts, or maybe 170 00:08:45.360 --> 00:08:46.480 even a forgotten backdoor. 171 00:08:46.720 --> 00:08:49.600 And in the digital world, how do we find those 172 00:08:49.639 --> 00:08:50.360 weak points. 173 00:08:50.600 --> 00:08:52.559 One of the primary methods is port scanning. 174 00:08:53.039 --> 00:08:54.960 Okay, so what exactly is port stanning? 175 00:08:55.320 --> 00:08:59.039 Think of ports as doors on a computer system. Each 176 00:08:59.159 --> 00:09:02.879 door leads to to a specific service running on that system. 177 00:09:02.879 --> 00:09:06.080 Port scanning is like trying all the doors, see which 178 00:09:06.080 --> 00:09:08.519 ones are open and what's running behind them. It gives 179 00:09:08.600 --> 00:09:11.000 us a glimpse into what services the target is running 180 00:09:11.440 --> 00:09:13.720 and potentially reveals vulnerable entry points. 181 00:09:14.120 --> 00:09:17.080 Got it. So if a port is open, it means 182 00:09:17.279 --> 00:09:19.679 there's a service running behind it that we can potentially 183 00:09:19.720 --> 00:09:20.320 interact with. 184 00:09:20.480 --> 00:09:23.840 Exactly, And to do this we use a powerful tool 185 00:09:23.879 --> 00:09:27.840 called ENDMP, like our master key, that can not only 186 00:09:27.919 --> 00:09:31.559 identify open doors, but also tells us what kind of 187 00:09:31.679 --> 00:09:34.519 lock is on each door and what might be behind it. 188 00:09:34.600 --> 00:09:38.240 That's amazing. This document actually shows some examples of end 189 00:09:38.240 --> 00:09:40.639 map commands and outputs. Yeah, and to be honest, they 190 00:09:40.679 --> 00:09:41.759 look pretty cryptic to me. 191 00:09:42.120 --> 00:09:45.080 It does take some practice to interpret the results correctly, 192 00:09:45.240 --> 00:09:47.159 I bet, but once you get the hang of it, 193 00:09:47.759 --> 00:09:51.399 end map becomes an indispensable tool. It's like having X 194 00:09:51.480 --> 00:09:53.519 revision for a computer network. 195 00:09:53.600 --> 00:09:57.279 So we've found our open doors the potential entry points, 196 00:09:57.759 --> 00:10:00.919 but before we barge in, need to check the security 197 00:10:00.919 --> 00:10:04.159 system right. Absolutely, we don't want to trigger any alarms, and. 198 00:10:04.120 --> 00:10:07.039 In the digital world that means checking their encryption. 199 00:10:07.639 --> 00:10:10.919 So in our heist analogy, encryption is like the vault door, 200 00:10:11.039 --> 00:10:12.919 protecting the valuable data inside. 201 00:10:13.240 --> 00:10:18.159 Exactly. Encryption scrambles the data and transit, making it unreadable 202 00:10:18.200 --> 00:10:21.440 to anyone who doesn't have the decryption key. It's essential 203 00:10:21.480 --> 00:10:25.759 for protecting sensitive information from interception, especially during man in 204 00:10:25.799 --> 00:10:26.559 the middle attacks. 205 00:10:26.639 --> 00:10:28.320 Wait, what's a man in the middle attack. 206 00:10:28.480 --> 00:10:32.679 Imagine someone intercepting the communication between our team and headquarters. Okay, 207 00:10:32.759 --> 00:10:35.840 listening in on our plans, or even worse, feeding us 208 00:10:35.919 --> 00:10:39.639 false information. M that's essentially what a man in the 209 00:10:39.639 --> 00:10:41.240 middle attack is in the digital world. 210 00:10:41.360 --> 00:10:45.200 Oh, that's scary. Yeah, So encryption helps prevent that by 211 00:10:45.200 --> 00:10:49.519 making the communication unreadable to anyone who doesn't have the key. 212 00:10:49.720 --> 00:10:52.840 Precisely, it's like having a secret code that only our 213 00:10:52.879 --> 00:10:53.759 team understands. 214 00:10:54.120 --> 00:10:57.200 Got it. So how do we check how strong their 215 00:10:57.279 --> 00:10:58.000 encryption is? 216 00:10:58.279 --> 00:11:01.519 We start by looking at their digital certificate. It's like 217 00:11:01.600 --> 00:11:04.279 checking the security company that installed the vault door. 218 00:11:04.240 --> 00:11:07.000 Right Like, when I see that little padlock icon in 219 00:11:07.039 --> 00:11:12.360 my browser, that means the website is using encryption exactly, okay. 220 00:11:12.600 --> 00:11:16.720 But a strong certificate should have certain characteristics like a 221 00:11:16.840 --> 00:11:19.679 key size of at least twenty forty eight bits okay, 222 00:11:20.080 --> 00:11:24.600 and using a secure hashing algorithm like SAHA two five six. 223 00:11:25.159 --> 00:11:28.759 These are like the technical specifications of lock, indicating how 224 00:11:28.799 --> 00:11:30.399 resistant it is to picking. 225 00:11:30.799 --> 00:11:33.320 So we're basically making sure the vault door is made 226 00:11:33.360 --> 00:11:37.559 of high grade steel and has a complex locking mechanism. 227 00:11:37.639 --> 00:11:41.039 You got it, okay. But we don't stop there. We 228 00:11:41.080 --> 00:11:43.840 also need to check the encryption protocols and cipher suites 229 00:11:43.840 --> 00:11:44.320 they're using. 230 00:11:44.480 --> 00:11:46.360 Okay, that sounds a bit more technical. Can you break 231 00:11:46.399 --> 00:11:47.120 those down for us? 232 00:11:47.399 --> 00:11:50.200 Encryption protocols are the rules that govern how the encryption 233 00:11:50.320 --> 00:11:54.679 process works. Think of them as the blueprints for the 234 00:11:54.759 --> 00:12:00.200 vault's security system PLS or transport later security is the 235 00:12:00.200 --> 00:12:03.600 current standard, okay. Different versions like TLS one point two 236 00:12:03.639 --> 00:12:06.840 and TLS one point three, all right, offer varying levels 237 00:12:06.879 --> 00:12:07.399 of security. 238 00:12:07.480 --> 00:12:10.679 So the higher the TLS version, the better the protection. 239 00:12:10.440 --> 00:12:13.120 Generally, yes, okay, TLS one point three is like having 240 00:12:13.159 --> 00:12:16.039 state of the art security systems. It's the most secure 241 00:12:16.080 --> 00:12:17.440 protocol available right now. 242 00:12:17.559 --> 00:12:21.879 Okay, that makes sense. What about cipher suites? What are those? 243 00:12:22.200 --> 00:12:25.399 Cipher suites are like the specific combination of locks and 244 00:12:25.480 --> 00:12:28.759 security measures used in the vault. Okay. They determine the 245 00:12:28.840 --> 00:12:32.840 exact methods used for encryption, authentication, and key exchange. 246 00:12:33.360 --> 00:12:35.639 So they're like the different components that make up the 247 00:12:35.720 --> 00:12:38.159 overall security system exactly. Okay. 248 00:12:38.279 --> 00:12:41.480 And just like with security components, some are stronger than others. 249 00:12:41.600 --> 00:12:42.039 Uh huh. 250 00:12:42.279 --> 00:12:44.440 We need to make sure they're using a robust cipher 251 00:12:44.480 --> 00:12:48.120 suite okay, that provides a high level of protection. 252 00:12:48.879 --> 00:12:54.360 This document mentions best practices for secure communication, like certificate validation, 253 00:12:54.720 --> 00:12:58.039 using strong protocols, and choosing robust cipher suites. 254 00:12:58.120 --> 00:13:01.519 Those are all crucial. Yeah, is the essential checklist uh 255 00:13:01.600 --> 00:13:04.320 huh for ensuring the vault door is properly secured. 256 00:13:04.360 --> 00:13:07.559 All right, We've given their encryption a fur thorough check 257 00:13:07.960 --> 00:13:08.919 making sure it's up. 258 00:13:08.799 --> 00:13:09.639 To par Okay. 259 00:13:09.759 --> 00:13:13.000 Now what do we finally get to try breaking in? 260 00:13:13.799 --> 00:13:16.200 Not quite yet. Now we need to get our hands 261 00:13:16.240 --> 00:13:18.960 dirty okay, and start exploring the inner workings of the 262 00:13:19.000 --> 00:13:19.960 application itself. 263 00:13:20.039 --> 00:13:22.000 Okay, I'm ready for the next phase of our heist. 264 00:13:22.360 --> 00:13:23.320 What's our strategy. 265 00:13:23.720 --> 00:13:26.240 We're going to need a special tool for this in 266 00:13:26.240 --> 00:13:27.759 intercepting proxy. 267 00:13:27.440 --> 00:13:29.120 And intercepting proxy, what's that? 268 00:13:29.600 --> 00:13:33.919 Think of it like installing hidden cameras and microphones inside 269 00:13:33.960 --> 00:13:38.639 the facility, allowing us to see and hear everything that's going. 270 00:13:38.480 --> 00:13:41.960 On, so we can spy on the applications communication exactly Okay. 271 00:13:41.960 --> 00:13:45.000 It allows us to intercept the requests our browser sends 272 00:13:45.080 --> 00:13:48.279 to the server and the response is the server sends back. 273 00:13:48.399 --> 00:13:48.720 Okay. 274 00:13:48.960 --> 00:13:51.799 But the real magic is that we can modify those 275 00:13:51.840 --> 00:13:55.519 requests and responses on the fly, seeing how the application reacts. 276 00:13:55.639 --> 00:13:58.399 So it's like manipulating the security systems. Yeah, trying to 277 00:13:58.399 --> 00:14:00.879 find a way to override them or trigger and malfunction. 278 00:14:01.000 --> 00:14:05.399 Exactly cool. One popular intercepting proxy is burp sweet Community. 279 00:14:06.279 --> 00:14:10.519 It's like having a control panel for the applications communication. 280 00:14:10.080 --> 00:14:15.159 Flow sounds powerful. Yeah, now I remember the curriculum mentioning 281 00:14:15.200 --> 00:14:16.679 something about SSL termination. 282 00:14:17.120 --> 00:14:21.320 Huh what was that about? Ah? Yes, SSL termination. Okay, 283 00:14:21.840 --> 00:14:26.840 it's necessary when we're dealing with encrypted traffic like HTTPS. 284 00:14:27.440 --> 00:14:31.960 The intercepting proxy needs to decrypt the traffic so we 285 00:14:32.039 --> 00:14:35.720 can analyze and modify it and then re encrypt it 286 00:14:35.759 --> 00:14:36.919 before sending it along. 287 00:14:37.159 --> 00:14:41.240 So it's like temporarily disabling the security cameras so we 288 00:14:41.279 --> 00:14:43.600 can sneak past them and then turning them back on 289 00:14:43.679 --> 00:14:45.039 so no one suspects a thing. 290 00:14:45.399 --> 00:14:49.559 A very creative analogy. Thanks and Burke sweet handles this seamlessly. 291 00:14:49.960 --> 00:14:52.759 Okay, we've got our intercepting proxy set up ready to 292 00:14:52.840 --> 00:14:57.320 eavesdrop on the applications communication. What kind of secrets are 293 00:14:57.320 --> 00:14:58.200 we hoping to uncover? 294 00:14:58.440 --> 00:15:00.840 One of our goals is to collect as much technical 295 00:15:00.840 --> 00:15:02.000 information as possible. 296 00:15:02.120 --> 00:15:05.759 It's like studying the blueprints looking for weaknesses in the 297 00:15:05.799 --> 00:15:10.559 building structure, the materials used, or any hidden passages exactly. 298 00:15:11.000 --> 00:15:13.519 We're trying to identify things like the server software in 299 00:15:13.559 --> 00:15:18.080 its version, the programming language is used, the databases involved, 300 00:15:18.440 --> 00:15:20.480 and any third party libraries they rely on. 301 00:15:20.679 --> 00:15:25.480 And the curriculum says even seemingly insignificant details can be valuable, 302 00:15:25.960 --> 00:15:28.320 like error messages and HTTP headers. 303 00:15:28.559 --> 00:15:32.080 Right, those can be like finding scribbled notes left behind 304 00:15:32.120 --> 00:15:36.200 by the security team revealing clues about the system's configuration. 305 00:15:37.000 --> 00:15:40.720 For example, an error message might accidentally reveal the version 306 00:15:40.840 --> 00:15:42.559 of the web server software they're using. 307 00:15:42.759 --> 00:15:45.000 So we need to pay attention to every little detail, 308 00:15:45.080 --> 00:15:47.559 even things that might seem unimportant at first glance. 309 00:15:47.679 --> 00:15:50.600 Absolutely okay, And there are tools that can help us 310 00:15:50.720 --> 00:15:55.639 automate this process. Woppilizer and what Runs are great examples. 311 00:15:55.960 --> 00:16:00.240 They analyze a website and generated detailed report of the 312 00:16:00.279 --> 00:16:01.200 technologies used. 313 00:16:01.240 --> 00:16:03.639 Now it's like having a team of analysts combing through 314 00:16:03.679 --> 00:16:06.879 the facilities, security logs and blueprints exactly. Okay. 315 00:16:06.960 --> 00:16:10.360 The more information we gather, the better equipped we are 316 00:16:10.519 --> 00:16:12.559 to find and exploit vulnerabilities. 317 00:16:12.600 --> 00:16:15.600 Okay, we've collected a wealth of information about the application. Yeah, 318 00:16:15.639 --> 00:16:18.600 now what do we start looking for ways to break in? 319 00:16:18.879 --> 00:16:21.120 Now it's time to go hunting for hidden functionality. 320 00:16:21.279 --> 00:16:24.480 Hidden functionality is this where we start searching for secret 321 00:16:24.559 --> 00:16:26.399 passages and hidden rooms. 322 00:16:26.720 --> 00:16:29.679 Well, in the digital world, it's more about finding parts 323 00:16:29.679 --> 00:16:34.200 of the application that aren't publicly accessible, like backdoors, maintenance, 324 00:16:34.200 --> 00:16:37.000 hatches or maybe even a forgotten control panel. 325 00:16:37.159 --> 00:16:39.960 I see. So we're looking for areas. Yeah, that might 326 00:16:40.080 --> 00:16:43.600 be less secure because they're not meant for public use. 327 00:16:44.000 --> 00:16:47.440 Exactly, all right. We use techniques like directory brute forcing, 328 00:16:48.120 --> 00:16:50.639 with tools like f FUF and deerbuster. 329 00:16:50.759 --> 00:16:52.440 What is directory brute forcing. 330 00:16:52.799 --> 00:16:57.240 It's like trying every possible combination on a lock until 331 00:16:57.240 --> 00:17:01.799 we find the right one. These tools systematically test different 332 00:17:02.080 --> 00:17:05.440 URL combinations to see if they lead to hidden pages 333 00:17:05.559 --> 00:17:06.519 or functionalities. 334 00:17:06.839 --> 00:17:08.599 So it's a bit of trial and error, but with 335 00:17:08.680 --> 00:17:10.119 the help of automated tools. 336 00:17:10.200 --> 00:17:10.640 Exactly. 337 00:17:10.680 --> 00:17:10.920 Okay. 338 00:17:11.079 --> 00:17:13.480 Of course, we need to use these tools carefully and responsibly, 339 00:17:13.920 --> 00:17:17.240 making sure we don't overload their systems or cause any disruptions. 340 00:17:17.599 --> 00:17:20.839 Got it. So we've mapped out the application's public face 341 00:17:21.519 --> 00:17:24.519 and uncovered some hidden areas. Now it's time to get 342 00:17:24.559 --> 00:17:26.720 our hands dirty and see if we can manipulate the 343 00:17:26.759 --> 00:17:27.839 applications behavior. 344 00:17:28.000 --> 00:17:31.039 This is where things get really exciting. We start looking 345 00:17:31.039 --> 00:17:33.160 for vulnerabilities that we can exploit. 346 00:17:33.279 --> 00:17:35.640 Okay, I'm ready to put my hacker skills to the test. 347 00:17:36.200 --> 00:17:38.200 What kind of vulnerabilities are we looking for? 348 00:17:38.279 --> 00:17:41.480 One of the most common vulnerabilities we encounter is cross 349 00:17:41.559 --> 00:17:44.799 site scripting or EXSS XSS. 350 00:17:44.799 --> 00:17:45.720 What's that all about. 351 00:17:46.440 --> 00:17:51.119 Imagine planting a hidden device inside the facility that tricks 352 00:17:51.119 --> 00:17:54.839 the security system into giving us access. That's essentially what 353 00:17:55.119 --> 00:18:00.400 XSS is. It occurs when an application doesn't properly sanitize 354 00:18:00.160 --> 00:18:05.839 is user input, allowing attackers to inject malicious scripts into 355 00:18:05.880 --> 00:18:08.039 web pages viewed by other users. 356 00:18:08.240 --> 00:18:11.119 So we're tricking the application into executing our code. 357 00:18:11.000 --> 00:18:14.759 Exactly, and the consequences can be serious. We could potentially 358 00:18:14.799 --> 00:18:19.759 steal cookies, hijack user sessions, redirect users to malicious websites, 359 00:18:20.000 --> 00:18:21.960 or even deface the entire application. 360 00:18:22.279 --> 00:18:23.640 Yeahkes, that sounds dangerous. 361 00:18:23.839 --> 00:18:24.480 Yeah. 362 00:18:24.559 --> 00:18:29.039 The curriculum mentions different types of EXSS, reflected, stored, and 363 00:18:29.119 --> 00:18:29.799 dom based. 364 00:18:30.200 --> 00:18:34.200 Each type exploits a slightly different mechanism. Okay, but the 365 00:18:34.279 --> 00:18:38.440 underlying principle is the same, injecting malicious code into the application. 366 00:18:39.400 --> 00:18:43.279 This document gives an example of a reflected EXSS vulnerability 367 00:18:43.839 --> 00:18:47.119 where an attacker injects a script into a search query. 368 00:18:47.400 --> 00:18:48.599 That's a classic example. 369 00:18:48.720 --> 00:18:49.000 Okay. 370 00:18:49.279 --> 00:18:51.680 Let's say the application displays the search terms on the 371 00:18:51.720 --> 00:18:56.440 result page. If it doesn't properly sanitize those terms, we 372 00:18:56.559 --> 00:18:59.359 can inject a script that will execute in the user's 373 00:18:59.359 --> 00:19:00.960 browser they view the results. 374 00:19:01.319 --> 00:19:04.839 So we're tricking the application into running our code by 375 00:19:04.880 --> 00:19:07.000 disguising it as a harmless search query. 376 00:19:07.039 --> 00:19:07.599 Exactly. 377 00:19:07.720 --> 00:19:08.079 Okay. 378 00:19:08.319 --> 00:19:12.240 That's why input validation and output incoding are crucial for 379 00:19:12.359 --> 00:19:13.839 preventing EXSS attacks. 380 00:19:14.119 --> 00:19:14.599 Okay. 381 00:19:14.880 --> 00:19:18.079 Input validation is like checking everyone who enters the facility 382 00:19:18.400 --> 00:19:20.720 to make sure they're not carrying any weapons or contraband, 383 00:19:21.039 --> 00:19:24.720 and output in coding is like making sure any messages 384 00:19:24.799 --> 00:19:27.599 sent within the facility, yeah, are properly encrypted so that 385 00:19:27.640 --> 00:19:29.240 no one can tamper with them. 386 00:19:29.480 --> 00:19:34.200 Okay, that makes sense. So what other vulnerabilities do we 387 00:19:34.319 --> 00:19:35.599 typically encounter. 388 00:19:35.759 --> 00:19:37.960 Another major one is SQL injection or. 389 00:19:38.119 --> 00:19:41.279 C LI sql injection. Yeah, I'm guessing that has something 390 00:19:41.319 --> 00:19:42.440 to do with databases. 391 00:19:42.680 --> 00:19:46.960 You're right, SQL, or structured query language, is the language 392 00:19:47.039 --> 00:19:48.880 used to interact with databases. 393 00:19:49.000 --> 00:19:52.079 So in our heist analogy, the database is like the 394 00:19:52.200 --> 00:19:55.279 vault itself where all the valuable data is stored. 395 00:19:55.039 --> 00:19:58.799 Exactly, ok And SQL injection is like finding a way 396 00:19:59.279 --> 00:20:02.880 to manipulate the vault's controls to make it open up. 397 00:20:03.440 --> 00:20:07.279 It happens when an application doesn't properly sanitize user input, 398 00:20:08.480 --> 00:20:12.720 allowing us to inject malicious SEQL code into the commands 399 00:20:12.720 --> 00:20:13.839 it sends to the database. 400 00:20:14.119 --> 00:20:17.559 So we're tricking the database into executing our commands. Yes, 401 00:20:17.920 --> 00:20:19.160