Complete Ethical Hacking Course | Ethical Hacking Training for Beginners | Edureka

Hi guys, my name is Aryaa and I welcome you all to this Ethical Hacking course video. Now, the keyword of this video is "ethical hacking course", but in reality it's just an expansive video on the fundamentals of ethical hacking. There is no such thing as an ethical hacking course, to be honest, because no course can teach you a discipline like ethical hacking. The best that you can do in creating content for ethical hacking is to tell people about the fundamentals that are followed in this discipline.

OK, now before we start, let me just give you a general idea of the topics that I intend to cover throughout this video. To be honest, we're going to cover a pretty broad range of material. We are firstly going to be going over footprinting and reconnaissance, where you get an idea of what's involved in the ethical hacking engagement that you're working on and information about the target that you're engaged with. Then we're going to talk about networking fundamentals, and here we're going to get our hands dirty with packets and the understanding of TCP/IP at a deeper level, and also understand how the different protocols work and why they work that way. We are also going to be talking about cryptography, where we talk about different cryptographic ciphers; we're going to deal with web encryption, SSL and TLS; we are also going to talk about certificates, the creation of certificates and how they actually operate; and we will also talk about public key cryptography. We are also going to cover scanning and enumeration, so nmap, dealing with Windows servers, using SNMP and LDAP and all that sort of stuff. Then we are going to be talking about penetration, where we deal with different ways of getting into systems, and also go over using Metasploit, which is an exploit framework: we're going to talk about how to use Metasploit to actually get into systems and make use of the exploits that it has. Then we're going to talk about malware: viruses and worms and rootkits and all of that sort of stuff. We're going to take a look at the different pieces of malware and how you would pull them apart in order to understand what they are doing, and potentially make use of that malware during an ethical hacking engagement. Then we're going to talk about different types of denial of service attacks, or DoS attacks, and the difference between a denial of service attack and a distributed denial of service attack, and there is a difference there, so we're going to go over those. We're also going to go over web application hacking, the types of tools that you would use during web application hacking, the different vulnerabilities that web applications have and how to make use of those vulnerabilities. We're going to talk about wireless networking: how to probe wireless networks, what wireless networks are doing, and how to secure wireless networks. We're also going to talk a little bit about detection evasion and, to be honest with you, detection evasion kind of comes up in a lot of different areas through many of the topics. We are also going to talk about programming, programming attacks and how to protect oneself against programming attacks. OK, so that was the list of topics that we are actually going to cover through this video.

Now, the approach that I'm going to be taking in this series of videos is, whenever possible, we're going to use a hands-on approach. So we're going to show you the actual tools I'm going to make use of, and use those tools to do some sort of demonstration of how they actually work. I am a big believer in getting your hands dirty as the best way to learn anything, so as we go through the series of videos I strongly encourage you to get access to the tools that I'm going to be demonstrating wherever possible, and dig in and get your hands dirty along with me. There are places where we're going to be going over some theoretical material. I'm not a big fan of PowerPoint slides, but sometimes they are a necessary evil in order to convey certain types of information, so wherever possible I'm going to minimize their use, but you will run across places where they're just a necessity, and we are going to have to go through some slides in order to get some particular points across that are primarily of a theoretical nature. So that's the approach that we will be taking through this video, and I hope you have fun as you go along the way.
OK, so let's begin. Now, the first topic that we're going to tackle is: what is hacking? So let us take a trip to the early days of hacking. Now, the Internet Engineering Task Force is responsible for maintaining documentation about protocols and various specifications and processes and procedures regarding anything on the internet. They have a series of documents called the Requests for Comments, or the RFCs, and according to RFC 1389, a hacker is "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". While the expression "hackers" may go back a long time and have many different connotations or definitions, as far as computers go some of the earliest hackers were members of the Tech Model Railroad Club at the Massachusetts Institute of Technology, and what those people did, and the various things that they were involved in, are detailed in Steven Levy's book called Hackers. Now, for our purposes we'll be talking about other types of hackers, although the spirit of what we do goes back to those early days.

Now, the definition of hacking or hackers has changed, particularly in the 1990s, in part as a result of a couple of people, namely Robert T. Morris, who was a Cornell graduate who unleashed a piece of software that was called a worm on what was an early version of the internet. The worm went on to cause a lot of damage and create a lot of downtime on systems across the country and across the world. Now, the Morris worm did end up resulting in something good, however, and that is the Computer Emergency Response Team at Carnegie Mellon, which was created primarily in response to the Morris worm. Then there's also Kevin Mitnick, who was another well-known hacker who was responsible for various acts of computer crime over a couple of decades; he was first convicted in 1988. So the definition of hacker or hacking moved from something benign to something far more sinister in popular culture. Now, we see hacking or hackers in all sorts of popular culture. We've seen them in hacker movies like WarGames, and also the movie Hackers. Of course you also see it in the Matrix movies, where you can see, if you look really closely, that they are using a tool called nmap, which we will get into the use of in great detail later on as we go on. Then there's the movie Sneakers and the movie Swordfish, and on television, in addition to other places, you can see the agents at NCIS regularly doing things like cracking complex cryptography in just a matter of seconds or minutes.

So what is hacking, really? Well, hacking is about a deep understanding of something, particularly in relation to computers and computing. It's also about exploring and the joy of learning new things and understanding them very clearly, and being able to manipulate those things in ways that maybe other people haven't before. It's also about digging into problems to find solutions in creative and interesting ways, and sometimes finding problems where there weren't problems previously. And that's a little bit about what hacking is.
OK, so now that we have talked about what exactly hacking is, and how the meaning and connotations of that word have changed over time, how it came into existence and how it was coined, let's go through the reasons that people normally hack.

Now, you may want to hack just for fun. As discussed previously, hacking is a tradition that goes back several decades at MIT, even preceding the computer-related definition of hacking. Now, MIT has a long and storied history of hacking, sometimes of a computer-related nature, which in this case happens to be true, and sometimes of a non-computer-related nature. For instance, here you can see that MIT's homepage has been hacked, or you might even say defaced, to indicate that Disney is buying MIT. This was an April Fool's Day prank in 1998, and again, this is just the kind of hacking that you would do for fun.

Now, sometimes you might even hack just to prove a political point, or any point for that matter. In this case, Bill Gates had donated some money to MIT which allowed them to have a new building, and he was coming to MIT to visit and give a talk about Microsoft Windows and its systems, and as you can see, the Windows systems that were installed in the entryway of the building were hacked to be running Linux instead. You can see here that Tux the penguin is saying "Welcome to the William H. Gates building". Again, that's some students who decided that they wanted to make a point about Linux and Microsoft and Windows to Bill Gates, and they thought hacking was the best way to go about it.

Sometimes you hack just for the challenge. Here's an example, again at MIT, where some students turned the facade of a building into a Tetris game board. Now, this was a reasonably difficult hack, and the students went after it just for the challenge of completing it, and just so they could have some pride of ownership and be able to say that they were able to pull this off. You know the things that teenagers do to show off to other teenagers; it just increases with increasing scale. Now, in spite of its difficulties and these challenges and all the obstacles and planning that have to go into it, they were able to pull it off, and now they have those bragging rights. So that was one of the instances where somebody would hack just for the challenge and for the fun in it.

Now, sometimes you want to hack to prevent theft, and this is where we get more specifically into computer-related hacking. You see a lot of articles and stories in the news over the last few years about cybercrime, and here is an example: data theft compromised fewer than one and a half million cards at Global Payments. So there were some attackers who went into this company, Global Payments, and they were able to pull out about a million and a half credit card numbers during the intrusion there. So what you may want to do is learn how to hack in order to find these holes in your systems or applications, or your employer's systems, so that you can fix these holes and prevent these compromises from happening, because of the reputation hit that your company takes when things like these happen; you have the risk of completely going out of business. So just to protect your job, to protect your company and to protect your own line of business, you may just want to learn to hack, and that's a very good reason. Now, you may also want to find all the problems that exist in your system before putting it out and deploying it, so that you can keep these attackers from getting in and stealing critical or sensitive information.

Sometimes you may want to hack to get there before the bad guys, and the same sort of idea is the last one that we're just going to talk about, and that exactly is ethical hacking. Now, we were just talking about how sometimes you may want to hack into your own system before publishing it out to the public. Let's take Internet Explorer, for example. Now, Internet Explorer was actually published to the public with some critical errors in the code, and these flaws were heavily exploited by people who actually found them. Now, a number of people in the world go out looking for these flaws, and they call themselves security researchers, and they get in touch with the vendors when they've found a flaw or a bug and work with the vendors to get it fixed. What they end up with is a bit of reputation: they get a name for themselves, and that name recognition may end up getting them a job, or some speaking engagements, or a book deal, or any number of ways that you could cash in on some name recognition from finding these sorts of bugs and getting them fixed. If you want to get there before the bad guys, you may think you're helping out a vendor, you may want to just make a name for yourself, but you want to find these sorts of bugs before the bad guys do, because the thing about the bad guys finding them is that they don't announce them and they don't get them fixed, and that makes everybody less secure.

Finally, you may want to protect yourself: hacked computer companies fight cyber criminals, and this is a news headline from June 18, 2012. We're starting to see these sorts of news headlines show up as companies are starting to retaliate against attackers. Now, in order to retaliate against attackers, you need to be able to have the same sort of skills and techniques and knowledge and experience that those attackers have, and so your company may want you to learn to hack, or the company may want to bring in people who are skilled in these sorts of activities, so that they can attack the attackers and hopefully end up with a more steely exterior and get a reputation for not being a company that people want to go after. Those are several reasons, and there you go: I gave you a bunch of reasons as to why you may want to hack: for fun, to prove a point, to protect yourself, to protect a company so they're not run out of business, along with another bunch of reasons.
OK, so now that we have talked about why you would want to hack, let's move on to the types of hackers that exist. Now, we're going to be talking about the different types of hacking, and the first type of hacking that I want to discuss is ethical hacking and ethical hackers, which is really what we're going to be talking about through the rest of these lessons. Now, an ethical hacker is somebody who thinks like a black hat hacker, or thinks like somebody who's intent on breaking into your systems, but follows a moral compass that's more in line with probably the majority of the population. So their intent isn't to do bad things; their intent is to look for bad things and get them fixed so that bad things don't happen. Ethical hackers aren't out to destroy anything and they're not out to break anything, unless it's deemed to be acceptable as a part of the engagement and also necessary in order to demonstrate a particular vulnerability to the organization that they are working with. So that's an ethical hacker, and there's a certification that's available from the EC-Council, the Certified Ethical Hacker, and if you find certifications valuable and this sort of thing is what you want to do, the Certified Ethical Hacker may be something you might want to look into.

Now, let's talk about black hat hackers. There are plenty of cases of black hat hackers through the years, and let's talk about a guy in particular called Kevin Mitnick. This guy right here is a particularly good example, probably because he was a black hat hacker for a lot of his years. His goal was to cause mischief, to steal where necessary, and just to be engaged in the lifestyle of being a hacker and doing whatever was necessary to continue doing whatever he was doing, even if it crossed moral boundaries or ethical boundaries. And so Kevin Mitnick here was involved for well over a decade in computer crime and was finally picked up by the FBI, and he was charged and prosecuted and he was eventually convicted of some of the activities that he was involved with.

Now, you may be able to argue that Kevin is a grey hat hacker as well, and a grey hat hacker is somebody who kind of skirts the line between black and white hat hacking. White hat hacking is really what an ethical hacker is, so instead of saying ethical hacker you could say white hat hacker; it's the same idea. A white hat hacker is somebody who hacks for good, if you want to think of it like that, if you want to think of it as good versus evil, and what they're really doing is they're in it for the technical challenge; they're looking to make things better, make things more efficient, improve them in some way. On the other hand, the black hat hacker is out for the money, for the thrill; it's really criminal activity. And the grey hat hacker is somebody who may employ the tactics and techniques of the black hat hacker but have sort of a white hat focus. In other words, they're going to do things that may be malicious and destructive in nature, but the reason they're doing it is to improve the security posture of an organization that they are working with. So you can see there's actually a book called Gray Hat Hacking; it's a pretty good book and it details a lot of the tactics and strategies and techniques we'll be going over in subsequent lessons in this video.

Now, one other type of hacking that I want to talk about is a thing called hacktivism, and you will find hacktivism all over the place. One example in the last year or so, and certainly in recent memory, is called Lulz Security. Yeah, you heard that right, it's called Lulz Security, and you can argue that Lulz is actually a response to another type of hacktivism: an organization called Anonymous started hacking companies like Sony to protest their involvement in a lawsuit regarding a PlayStation 3 hacker. Now, Lulz Security was supposedly protesting the treatment of Anonymous, or was hacking in support of this group Anonymous, so they hacked a number of companies and did things like pull information, usernames and passwords, from the databases at these companies, and they said that the reason was to shine a light on the security of these companies and also, theoretically, embarrass the companies with a weak or poor security posture. The problem with that is that they were doing this by posting information that they had found online, and that information often included details about customers of these particular corporations, and for an ethical hacker, a white hat hacker, that would cross the boundary of causing harm. So there's no reason for me as an ethical hacker to post information in a public forum about somebody, because I could be doing damage to them, but in this case Lulz Security and Anonymous, specifically Lulz Security, were engaged in a form of hacktivism, and what they were doing was not only damaging to the corporation but certainly detrimental to those people. So, different types of hackers and different types of hacking: we've got ethical or white hat hacking, you've got black hat, grey hat, and then we finally got hacktivism. It's really the goal and the means that vary from one to the other.
OK, so now that we've discussed the types of hackers, let's also discuss the skills necessary to become one. So what we're going to discuss in this part are the different skills that are required or will be learned as a part of this video. So initially, just for basic computing, you need a basic understanding of operating systems and how to work them. There are going to be several fundamental types of tasks that I won't be going into any detail on at all, and you need to know how to run programs and do things like open up a command prompt without me walking you through how to do that, so I am going to assume that you have some basic understanding of how to do these sorts of tasks. Also, you need an understanding of the basic system software, and you'll need a basic understanding of how to use command-line utilities. There are a number of tools and programs that we're going to be going through in this video, and many of them use a command line. Now, whether it's on Windows or Linux, you'll need to be familiar with typing and being able to run programs from the command line, and the various command-line switches and parameters that those programs, or types of programs, are going to use.

Now, from a networking perspective, you need a basic understanding of some simple networking concepts. You need to know what cables are, and switches and hubs, and how systems are networked together. You don't really need a deep level of understanding; I'll be going through some protocols at a reasonably deep level because I think it's important as an ethical hacker to understand what's going on at the protocol level, so that you can know better what you are doing and how to achieve the goals and tasks that you have before you. So we're going to be going over some protocols; just understanding what protocols are and how they go together, those sorts of things, is necessary from a networking perspective.

Now, we're going to also be learning a bunch of life skills. Yes, there are some life skills that it's important to have. I think the most important one is the ability to accept failure and persevere, and by that I mean you're going to be running across several things that just don't work the first time around, and it's going to take a little bit of time and stick-to-itiveness to plug away and keep going until you get something to work. And the way that you get things to work is having an ability to problem-solve, and sometimes solving problems requires being a little creative; sometimes you need to think out of the box and come at a problem from a different perspective in order to find a solution. Throughout the course of this video you're going to run across a lot of sticky problems through the course of learning about being an ethical hacker, and just doing the work, because it's not as simple as "here's a little recipe for how to do this, now go follow this recipe every time and you're going to be successful". Every situation is different, every system is different, you're going to run across some pretty sticky problems, and you're going to have to just wade in and get your hands dirty and keep failing and failing and failing and failing until you find a way to succeed. So I think those skills are very necessary to learn how to be an ethical hacker, digging through some of the material that we'll be going over in this video.

As far as what you're going to be learning: you're going to be learning about how to use a lot of tools. You're going to learn networking, and by that I mean we're going to be talking about the different protocols involved in networking systems together. You're going to learn about security and security postures; security is the heart and soul of ethical hacking, it's why we do ethical hacking, in order to make systems and networks more secure than they were previously. That's the goal. From a networking perspective, we're going to be talking about how to read packets from network captures; you're going to be going into TCP/IP-related protocols in a fairly significant amount of detail, and you're going to understand how protocols interact with one another. So we're going to do all that, and reading packets is going to be really important and we're going to do a fair amount of that. In addition to just a fundamental approach to learning how to read packets, in several lessons we're going to read packets as a way of understanding the different tools that we're using and how they work. You're going to learn tactics and methodologies, and you get to learn to use the information you've gathered in order to get more information, and information is really what this is all about. You can't do much of anything without information, and sometimes it takes a fair bit of digging in order to find that information, and what you're going to learn is the entry points and the stepping stones to get the information that you need, and then, once you have that information, you're going to be learning about ways to exploit it in order to get deeper into the target. You're going to learn security awareness: we're going to talk about risk and understanding risks and vulnerabilities; primarily, it's recognizing the difference between a vulnerability and an exploit, and there's a significant difference there. So security awareness and understanding what risk is and how that impacts your target is going to be key to a lot of things that we talk about. So it sounds like a lot; we're going to cover a fair bit of ground, not all of it at a deep level, sometimes we're going to skim the surface, but there's an awful lot of material to cover, so let's get started.
OK, so that was all about the skills that we are going to develop throughout this video and that might be necessary for you to become an ethical hacker. Now let's talk about the types of attacks that you might be dealing with as an ethical hacker yourself. So now we're going to be talking about the types of attacks. Now, one type of attack that you'll find common, particularly in cases of hacktivism, for example, or cases where people are trying to make a particular point or just be a general pain, is this idea of defacing. Defacing goes back for quite a while; it's the idea of sort of digital graffiti where you've left your mark or your imprint behind so that everybody knows you were there. It's primarily a website thing, and it's really just making alterations to something. It used to be pretty common a long time ago; it was very typical for businesses or people or just organizations in general to have their home pages replaced by this other thing that was along the lines of "hey, I was here and I took over your webpage".

We also have another pretty common one, certainly it has been common over the years, and it's a pretty good path towards quality exploits and high-profile vulnerabilities, and that's the buffer overflow. Now, a buffer overflow is a result of the way programs are stored in memory. When programs are running they make use of a chunk of memory called a stack, and it's just like a stack of plates: when you put a bunch of plates down and you pull a plate off, you're going to pull the top plate, you're going to pull the oldest plate, you're going to pull the one that was on top. So it's the same thing with a stack here; we're accessing memory, and this has to do with the way functions are called in memory. When you call a function, a chunk of memory gets thrown on top of the stack, and that's the chunk of memory that gets accessed, and you've got a piece of data in memory within that stack, and that's called a buffer. When too much data is sent and somebody tries to put it into the buffer, it can overflow the bounds of the configured area for that particular buffer. Now, the way stacks are put together, we end up with a part of the stack where the return address from the function is stored, so when you overflow the buffer you have the ability to potentially overwrite that return address, at which point you can control the flow of execution of the program, and if you can control the flow of execution of the program, you can insert code into that memory that could be executed. And that's where we get buffer overflows that turn into exploits that create the ability to get something like a command shell or some other useful thing from the system where the buffer overflow is running. So that's a buffer overflow, in short.

Sometimes we also have format string attacks, and sometimes these can be precursors to buffer overflows. Now, format strings come about because the C programming language makes use of these format strings that determine how data is going to be input or output. So you have a string of characters that define whether the subsequent input or output is going to be an integer, or whether it's going to be a character, or whether it's going to be a string or a floating point, that sort of thing. So you have a format string that defines the input or the output. Now, if the programmer leaves off the format string and just gets lazy and provides only the variable that's going to be output, for example, you have the ability to provide that format string. If you provide that format string, what happens is the program starts picking the next pieces of data off the stack and displays them, because that way we can start looking at data that's on the stack of the running program just by providing a format string. And if I can look at the data, I may be able to find some information like a return address or some other useful piece of information. There is also a possibility of being able to inject data into the stack using this particular type of attack.
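The two C bugs just described, as an added example that is not from the Edureka video: each vulnerable pattern beside its fixed form, plus a small check that spots conversion specifiers in untrusted text. The function names and the 16-byte buffer limit are this example's own.

```c
/* Added example, not from the video: the two C bugs described above, each
 * as the vulnerable pattern beside its fixed form. The function names and
 * the 16-byte limit are this example's own. */
#include <stdio.h>
#include <stdbool.h>
#include <string.h>

#define NAME_LEN 16

/* 1. Stack buffer overflow. strcpy copies until it hits a NUL byte and
 * never looks at the size of the destination, so an input of 16 or more
 * characters runs past 'name' into whatever the compiler placed above it
 * on the stack, including the saved return address mentioned above.
 * (Only ever called with short input here; with long input this is
 * undefined behaviour.) */
void greet_unsafe(const char *input)
{
    char name[NAME_LEN];
    strcpy(name, input);                  /* no bounds check: the bug */
    printf("Hello, %s\n", name);
}

/* Fixed form: check that the input, including its terminating NUL, fits
 * before copying, and reject it otherwise rather than truncating silently.
 * Returns true when the input was accepted. */
bool greet_safe(const char *input)
{
    char name[NAME_LEN];
    /* memchr stops scanning after NAME_LEN bytes, so no NUL within the
     * limit means the string is too long for the buffer. */
    const char *nul = memchr(input, '\0', NAME_LEN);
    if (nul == NULL) {
        fprintf(stderr, "rejected: name longer than %d characters\n", NAME_LEN - 1);
        return false;
    }
    memcpy(name, input, (size_t)(nul - input) + 1);   /* length verified, NUL included */
    printf("Hello, %s\n", name);
    return true;
}

/* 2. Format string. printf(msg) lets whoever supplies msg act as the
 * format: a message containing "%x" or "%p" makes printf read arguments
 * that were never passed, i.e. whatever sits on the stack, which is the
 * leak described above. */
void log_unsafe(const char *msg)
{
    printf(msg);                          /* user data used as the format: the bug */
    printf("\n");
}

/* Fixed form: the program owns the format and the data is an argument, so
 * any '%' in msg is printed literally. */
void log_safe(const char *msg)
{
    printf("%s\n", msg);
}

/* Defensive check: does untrusted text contain a conversion specification?
 * "%%" is an escaped percent sign and is harmless; any other '%' is not.
 * Returns true when the text would be safe even if misused as a format. */
bool format_is_safe(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }   /* literal percent */
            return false;
        }
    }
    return true;
}

int main(void)
{
    greet_unsafe("Aryaa");                     /* fits, so nothing goes wrong */
    greet_safe("Aryaa");                       /* accepted */
    greet_safe("this-name-is-far-too-long");   /* rejected instead of overflowing */
    log_safe("user said: %x %x %p");           /* printed literally */
    printf("%d %d\n", format_is_safe("100%% done"), format_is_safe("%x %x"));
    return 0;
}
```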
attack is a denial of service it’s not of service this is a pretty common one
and you’ll hear about this a lot this is not to be confused though with the one
that I’ll be talking about after this and that is a distributed denial of
service so this one that you see is that this is a denial of service attack and a
denial of service is any attack or action that prevents a service from
being available to its legitimate or authorized users so you hear about a
ping flood or a sim flood that is basically a syn packet being sent to
your machine constantly or a smurf attack and smurf attack has to do
something with ICMP echo requests and responses using broadcast addresses that
one’s been pretty well shut down over the last several years you can also get
a denial of service simply from a malformed packet or a piece of data
where a piece of data is malformed and sent into a program
Now if the program doesn't handle it correctly and it crashes, suddenly you are not able to use that program anymore, so you are denied the service of the program, and thus the denial of service. Now, as I said, a denial of service is not to be confused with a distributed denial of service. I know it's pretty trendy, particularly in the media, to call any denial of service a DDoS, but it's important to know that not every denial of service is a DDoS. A DDoS, or as you might know it, a distributed denial of service, is a very specific thing: a distributed denial of service is a coordinated denial of service making use of several hosts in several locations. So if you think about a botnet as an example, a botnet could be used to trigger a distributed denial of service, where I've got a lot of bots that I'm controlling from a remote location and I'm using all these bots to do something like sending a lot of data to a particular server. When I've got a lot of systems sending even small amounts of data, all of that data can overwhelm the server that I'm sending it to. So the idea behind a distributed denial of service attack is to overwhelm resources on a particular server in order to cause that server not to be able to respond.

Now, the first known DDoS attack used a tool called Stacheldraht, which is German for barbed wire. Stacheldraht came out of some work that a guy by the name of Mixter was doing in 1999; he wrote a proof-of-concept piece of code called TFN, the Tribe Flood Network. Let me just show that to you. You can see on the Wikipedia page that the Tribe Flood Network, or TFN, is a set of computer programs used to conduct various DDoS attacks such as ICMP floods, SYN floods, UDP floods and Smurf attacks. Now, I know many people don't really consider Wikipedia a really good source of any sort of knowledge, but it's a good place to start off, so if you want to read about all these types of attacks, like ICMP floods and what exactly a SYN flood is, you can always do that from Wikipedia; it's not that bad a place. Of course you shouldn't use Wikipedia as your final Rosetta Stone. Moving on, this program called Stacheldraht was used to attack servers like eBay and Yahoo back in February of 2000, so that attack in February of 2000 was really the first known distributed denial of service attack. That is not to say there were no denial of service attacks previously; there were certainly plenty of them, but they were not distributed, which means there weren't a lot of systems used to coordinate and create a denial of service condition. And that is how we get the distributed denial of service attack. So that's a handful of types of attacks, and some pretty common attacks that you're going to see as an ethical hacker. When you become an ethical hacker, or if you're trying to become an ethical hacker, you should always know about these types of attacks.
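The difference drawn above between one host hammering a server and many hosts each sending a little shows up clearly on the defender's side in a connection log. The following is an added example, not from the course: it classifies constructed per-second connection records as normal, single-source flood or distributed flood. The log format (epoch second, source IP, bytes) and the thresholds are assumptions.

```python
"""Tell a single-source flood from a distributed one in a connection log.

Added example, not from the course. The log format (epoch_second source_ip bytes)
and the thresholds are assumptions; the records are constructed with RFC 5737
documentation addresses.
"""
from collections import Counter, defaultdict


def constructed_log():
    """Build three one-second windows: normal traffic, one host hammering the
    server, and many hosts each sending a little (the DDoS pattern)."""
    lines = ["1000 198.51.100.10 1200", "1000 198.51.100.11 900", "1000 203.0.113.5 700"]
    # second 1001: one source sends 500 small packets, a classic single-source DoS
    lines += ["1001 203.0.113.5 60"] * 500
    # second 1002: 400 distinct sources send 40 bytes each; no single host stands out
    lines += [f"1002 198.51.100.{i} 40" for i in range(1, 251)]
    lines += [f"1002 203.0.113.{i} 40" for i in range(1, 151)]
    return "\n".join(lines)


def classify_windows(log_text, rate_threshold=100, min_distinct=50, max_top_share=0.2):
    """Return {second: (label, request_count, distinct_sources)} for each second.

    A window is a flood when it exceeds rate_threshold requests. It is called
    distributed when enough distinct sources take part and no single source
    dominates; otherwise it is a single-source flood. The distinction matters
    for mitigation: a single-source flood can be dropped at the firewall by
    address, a distributed one needs rate limiting or upstream filtering."""
    per_second = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        ts, src, _size = parts
        per_second[int(ts)].append(src)

    verdict = {}
    for ts in sorted(per_second):
        sources = per_second[ts]
        total = len(sources)
        by_source = Counter(sources)
        distinct = len(by_source)
        top_share = by_source.most_common(1)[0][1] / total
        if total < rate_threshold:
            label = "normal"
        elif distinct >= min_distinct and top_share <= max_top_share:
            label = "distributed flood"    # many hosts, small share each: DDoS pattern
        else:
            label = "single-source flood"  # one host (or a few) responsible: plain DoS
        verdict[ts] = (label, total, distinct)
    return verdict


if __name__ == "__main__":
    for second, (label, total, distinct) in classify_windows(constructed_log()).items():
        print(f"t={second}: {label:20s} requests={total:4d} distinct_sources={distinct}")
```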
Okay, so in this lesson we are going to be talking about penetration testing and some of the details around how it works and its logistics, and specifically things like scope. So what exactly is penetration testing? Well, not surprisingly, it's testing to see if you can penetrate something, which means you're going to check to see whether you can break into a particular thing, whether it's a server or an application. Depending on the type of engagement you've got, you may have the ability to try to break in physically to a location, but primarily what you're going to be doing in penetration testing is trying to break into systems and networks and applications; that's kind of what it's all about. This may actually involve social engineering attacks, so it may require you to make a phone call to somebody and get them to give you their username and password, or some other type of social engineering attack where maybe you send a URL by a crafted email. Sometimes it's strictly a technical approach, where you're running scans and you're running Metasploit and you're gaining access that way, or maybe some other type of technical application connection. Sometimes it's physical access that you need, so in order to get access to a particular system, if you can get physical access then maybe you can get in. So that's what exactly penetration testing is: it's checking whether you can get into a system, whether it be physically or on a network.

So what are the goals of penetration testing? The goals would be to assess weaknesses in an organization's security posture; you want to figure out what they're vulnerable to so that they can go and fix these problems; you want to help them understand their risk position better and what they can or may be able to do to mitigate those risks; and ultimately you want to be able to access systems in a particular way to find weaknesses. So those are really the goals of penetration testing.

Now, from a results standpoint, when you're done with your testing, what are you going to do? Well, you're probably going to generate a report, and by that I don't mean you're going to run some automated tool, get it to generate a report for you, give that to the client and then they're going to write you a really large check. That's not really how it works. You're going to write a report detailing the findings in a detailed way, so that it includes what you did to find out what you actually found, and how you can actually mitigate that particular risk. So you should really include remediation activities in order to fix the vulnerabilities that you find. It's pretty easy to walk around saying "hey, that's a problem, and that's a problem, and that's a problem"; there's really not a lot of value in that. Where there's value is in saying "hey, that's a problem, and here is how you can go about fixing it."

So let's talk about the scope of penetration testing. Firstly, you want to actually realize how big the breadbox is, and specifically what it is that the two of you have agreed to, you being the ethical hacker and the other party being the authorized person who gives you permission to ethically hack: specifically, that you can do penetration testing and you can target them as an organization, or the client, and what you have agreed to in terms of any exclusions or any areas that they say you're not allowed to touch. So if they've got a database server, maybe with a lot of really sensitive data on it, and they're a little hesitant, they may put a "don't touch this thing" clause in the scope. There are a lot of different reasons why they may exclude areas from the scope, and if they exclude them, then trust their reason and listen to what they have to say in terms of "this is what we want you to accomplish." Along those lines, you really need to get sign-off from the target organization. Now, we've talked about this before, and this is certainly all about the ethics and trust, and it's also about legality, because if you do something that you don't have permission to do, you could be prosecuted for that. So definitely get the scope very clear, in writing and with signatures attached to it, as to what you can and what you can't do, and always get approval from the right people; make sure you get somebody who has the right level of permissions and the right level of management so that they can sign off on it, understanding and accepting the risk that is associated with a penetration test.

So let me talk a little bit about security assessments and how they differ from penetration tests. A security assessment is a hand-in-hand approach with clients, so you would walk in doing a collaborative thing where you're a trusted partner and you are allied with them, and your goal isn't to penetrate them and point out all the things that are really bad, but to get a full assessment of the risk that the organization is exposed to, and you would probably provide more details about fixes than you would in a penetration test. Now, what we're going to do is walk in and make sure that the policies and procedures they have in place are really what they need for the organization and the risk appetite that they've got, and we're going to make sure that the policies and procedures have controls that can tell us whether they are actually being adhered to or not, so that the procedures and policies are being followed. A security assessment is probably a little bit more comprehensive than a penetration test, and it would look at more factors to assess the security posture of the organization and their overall risk, and you would tailor the output based on the risk appetite and what they're most interested in. That's not to say that I'm going to tell them what they want to hear, but if there's something that they know and I know that they're just not going to do, I'm not going to be making a big deal out of it, because they're already aware of it; I'll make a note of it in the report just for completeness' sake, but I'm not going to go into a lot of detail. So it's really kind of a hand-in-hand collaborative approach, where again you're not just saying what they want you to say; we're providing some real security and risk guidance towards their activities and other things.

Now, a penetration test may provide an unrealistic view. So you've got a week, let's say, to do this penetration test against your target. Now you're going to have to go in, you're going to have to get set up, you're also going to have to start doing a bunch of scans and make sure that you're gathering information and screenshots and data for your report; you're going to have to do all sorts of activities. Also during the course of that week you're going to be engaged in probably beginning to write your report and getting a sense of what it's going to say and what's going to be in it. If you don't actually get any major penetration during the course of that week, the organization may feel like their code and their nodes are secure. That's one of the reasons why penetration testing is really sexy and showy and nice and all, but if an organization walks out of this believing that because in a week you didn't manage to get the keys to the kingdom they must be secure, that's a really misguided view, because a dedicated, skilled and motivated attacker isn't going to just take a week, or some portion of that; if they're after something, they're going to dedicate themselves to it and really go after it. So just because you didn't find a penetration in some subset of a week doesn't mean that they are secure and invulnerable to attacks; it just means that during the course of that particular week, and the other circumstances that were in place, you didn't get a penetration that was really significant or major. That's all it means; it doesn't mean anything beyond that. And if an organization walks away feeling like they're secure, they're going to end up not fixing the real vulnerabilities that may be in place that could expose some significant risks.

So that's penetration testing, its scope, its goals and how it differs from security assessments.
Now it's time to go over footprinting. So what is footprinting? Well, footprinting is getting an idea of the entire scope of your target. That means not just the scope that you were given, which may be an address block or a domain name, or it may even be a set of address blocks. Now what you want to do is figure out all the information that's associated with that, in as great detail as you can possibly get. So you want the list of domain names. As you're going through this, you probably want some sort of database or Excel spreadsheet or something to keep track of all the information, because you're going to have a lot of it, and at the end you want to be able to find the information quickly, so have some sort of Notepad going with your notes, or as I said a spreadsheet or a database. If you can get organized in that way, you want to keep all those sorts of things written down. So in this case I want to do the same sort of search on, let's say, edureka.co. Now I need network blocks; so far we have found out just made-up IP addresses, because I'm just putting information down, but I need network blocks. So you may have one IP address that you can find externally, or you're going to want a whole range of internal blocks, and you can do a little bit of digging if you aren't provided those. You want specific IP addresses for critical systems: web servers, email servers, databases, if you can find any of those sorts of things. And you want to figure out what they actually are and what kind of stuff they are running: are they running Intel, are they running Windows, are they running some Unix systems, what are they running? What kind of access control lists do they have? These are going to be hard to get, but you may be able to guess them, and you can guess these by doing a port scan, so what sort of responses you get back from the port scans, with the filters, or what you don't get back, will tell you whether there's an IDS around. You want to do system enumeration, and if you can get access to a system somehow, you want to know user names, group names and so on. So the basic idea of footprinting is gathering information. Now, if you can get access to a system somehow, you want to know user names and group names; you want system banners, routing tables, SNMP information if you can get it, DNS host names if you can get those.

Now this is for both the internal and the external side. If you're doing an internal penetration test or ethical hacking engagement, you want to know the networking protocols that are there: are they using TCP/IP, or are they using some UDP, or are they on IPX/SPX, are they using DECnet or AppleTalk? Are they using some sort of split DNS, in other words, do they have internal DNS servers that give a different form from their external ones, and will it give different information? You want to check for remote access possibilities. Now, in the footprinting process you want to be very exhaustive; you might want to try and take out email addresses, server domain name services, I mean IP addresses, or even contact numbers, and you want to be very exhaustive with your approach. You don't want to miss anything out, because if you do that you can continue and also provide some launching points for additional attacks or tests that you may be able to do. But this is definitely a starting point for the types of information that you need to have as you go about footprinting your target.
Now the next thing that we are going to see is very interesting. This is one of the many common tools that are out there on the Internet, and that is the Wayback Machine. Now, it might not give you all the information that you need, but it certainly gives you a starting point, and what we're talking about out here is the Wayback Machine. So let me just give you a quick look at what it looks like. Okay, I already have it open out here, so out here what you can see is how a website looked some time ago. For example, if you want to look at what Google looked like, you just have to search for Google out here and wait for the results to come back. Okay, so we see that Google goes way back to 1998; that was the first capture by the Wayback Machine, and we can see that it has a screenshot of November 11th and how Google looked. So let's see what Google looked like on November 11th of 1998. So this is what Google looked like; there was actually nothing to it, it just said "Welcome to Google, Google search engine prototype" and it has some links. So yeah, this is what the Google engine looked like: it had a Stanford search, it had a Linux search, and you could do all sorts of stuff, you could just pull the results. Now what I'm trying to tell y'all is you can see the evolution of the website through time through the Wayback Machine, and this gives you a rather informative look into how a website has actually evolved.

Okay, now that we know what footprinting is and how it falls into the whole reconnaissance process, let's go over a couple of websites to do a little bit of historical thinking about companies and the types of infrastructure that they may be using. This information, of course, is useful so that we can narrow down our focus in terms of what we want to target against them for attacks. Now over time we've improved our awareness about what sorts of information we may want to divulge, so several years ago you may have gone to a company's website and discovered that you could get email addresses and names of people in positions that you may find relevant, and there were all sorts of bits of information that could be used against the company. Over time we have discovered that those sorts of pieces of information probably don't belong on a website where they can be used against a company, and so they've been pulled off. Now it also used to be that Google had the ability to pull up information that it had cached, so for example if a website was no longer available, or if it was temporarily down and offline, there was a little cache button that you could click when you did a Google search, and you could pull up that cached information; so even though the website wasn't available, you could still get information from Google's servers. Now Google's removed that, so we don't have that ability any longer. However, there is an Internet Archive that we can use, so this thing is called the Wayback Machine and I have it open out here; it is a website that gives us information about other websites and how they looked years ago.

So I'm going to go to the Wayback Machine, which you can see out here, and I'm going to go and try and search for edureka.co. So now we're going to take a historical look at edureka.co's website, and you can see we've got some years, and they've got information going back up to 2013. So let's look at what this website looked like when it was just 2013. Okay, there don't seem to be any snapshots out here, I wonder what's going on. Okay, so let's go to 2014, and the first snapshot seems to be on September 12th of 2014, actually it's on May 17th too, so let's see what that looks like. Okay, so this is what Edureka looked like back in 2013, or rather 2014, September 12th 2014 to be exact. Now you can see that we have some live classes and all these pictures are there, and they've got this weird picture of this guy out here; I don't know why that was a thing back in 2014. Now we can browse more advanced screenshots, or rather the screenshots that were taken later on, and see how this company has evolved with its infrastructure and the way it actually lays out its content. Okay, so it still has DevOps, but I can go a couple of years ahead and see what this has actually evolved into, so if I go to December 2016, this is what it looked like in 2016, and we can see that they've added this weird box out here about pricing courses; they have a little search bar that kind of looks weird, but it's mostly because my internet is slow and it's still loading all the elements. They've also changed how they've actually laid out the courses, and we can also see a change in the prices, I guess. So yeah, this tells us how it evolves as a complete website.
Now, this other website that I want to talk about is called Netcraft. Now Netcraft does internet research, including the types of web servers that companies run, and they have a web server survey; you can see here, as we scroll, that Apache servers are 64.3 percent of the internet market, of course, and that's followed by Microsoft with 13 percent. Interesting information, maybe useful information, but even more useful than that is looking at what different companies run for their websites, and you can see it here. Okay, so let's try and search for edureka.co out here, so let's just put it in the website URL and let Netcraft generate the site report. So as you can see, some of the stuff is not available; you know that the netblock owner is Amazon Technologies, the name server is this thing right here, the DNS admin is AWS DNS hostmaster; we also have the IP address; we can go for a VirusTotal lookup of the IP on VirusTotal, you can do that; there is no IPv6 presence, so that's some information that we can see, so we can obviously opt not to target IPv6 ranges; and there's also reverse DNS. Then we also have a bunch of hosting history, so this is the history of it, and we know that it's hosted on a Linux system with an Apache web server, and when it was last seen and when it was last updated. So this is some very useful information. You can also get information on stuff like Netflix, so if you just type, okay, I just spelled that wrong, so let me just change the URL out here; so if you go and type netflix.com, you'll see that it'll show you all sorts of information. So as you see, it's on an AWS server, it's Amazon Web Services Ireland, and this is all the hosting history that goes along with it; it has some Sender Policy Framework and Domain-based Message Authentication, Reporting and Conformance information, and there's all sorts of information that you can get about websites and their web servers from Netcraft. So the Wayback Machine along with Netcraft make up some interesting tools that are available on the internet with which you can do a little bit of your reconnaissance process. Okay, now that we have gone over Netcraft and the Wayback Machine, it's time to actually get to know how to use the little information that this site actually provides, so the next topic that we're going to go over is using DNS to get more information.
Now we're going to be going over a tool, and this is called whois, a utility that is used to query the various regional internet registries that store information about domain names and IP addresses. Let me just show you what all the internet registries are. So I have ARIN's site open out here, and these are the internet registries that provide for the ISPs and look after the control of the Internet as a whole. So out here we have AfriNIC, we have APNIC, we have ARIN, we have LACNIC, and we have RIPE NCC. So these are all regions, and all the different countries that they support; you can look at the region that each one is supporting out here by just hovering over the providers. So as you can see, all this brown region out here is Africa, AfriNIC; then we have APNIC, which is this black or greyish thing, which is India and Australia and quite a lot of Asia; then we have ARIN, which is a lot of North America and the United States; then LACNIC, which is mostly the Latino side, the South American part; then we have the rest of Europe, which is RIPE NCC, and this is the part that RIPE NCC is providing internet to. Okay, so that was all about the internet registries.

Now let's get back to the topic, and that is using DNS to get more information. For this we are going to be using a Linux-based system, so I have Ubuntu running on my virtual machine out here, and let me just log into it. So firstly we are going to be using this query called whois, which looks up these internet registries that I just showed you. Let me just quickly clear this. Okay, so for acquiring information from the regional internet registries that I just talked about, you can use whois to get information about who owns a particular IP address. So for example I could do whois, and let's see, I could do whois google, or rather netflix.com, and we can get all sorts of information about Netflix. So we can see that we have the registrar, MarkMonitor; then let's go up and look for all sorts of information that is being given to us by this whois query. So as you guys can see, I just went a little bit too far up, okay. So the registry domain ID, we have the domain ID, where it is registered, the registrar URL is MarkMonitor, okay, so this is for MarkMonitor actually. Now the creation date is 1997, so you may not have realized Netflix has been around for a long time, and it was updated in 2015, and the registry expiry date, as we see, is 2019, so it's going to actually go off this year. Then this is all useful information, so you can see all sorts of domain statuses, the name servers, the URL, the DNSSEC, which it says is unsigned; this is very useful information that is being provided by a very simple query.

Now if you want to know who owns a particular IP address, let's see, did we get back the IP address out there? We should have got back the IP address, but it's kind of lost on me. So to get back the IP address for a domain name, you could use this command called dig, so you go dig netflix.com. Now as you guys can see, it has returned a bunch of multiple IP addresses; these are all the IP addresses that Netflix has. So I could do something like, if I was trying to check out who owns a certain IP address, for example I have got one of these IP addresses, but let's just assume I don't know that it actually belongs to Netflix, so I can go whois 54.77.108.2 and it will give me some information. So as you guys can see, it is giving us a bunch of information as to who this is and how it is happening; we see that it is from ARIN, and so we can very smartly assume that it's from the North American part. Now we can also see that it's in Seattle, so our guess was completely right. It also gives us a range, so this is something very useful; you see we now have the range of IPs that might be being used by this guy, so we indeed have 54, and it says this goes up to 54-something; there's also 34, let's check that out and see what information we get. So whois, and let's check it out; what was the IP that we were just seeing, it's 34, then 249.125 and 167, so 34.249.165, I don't know, let's see. You can also put in a random IP address, it doesn't really matter, and it'll give you the information. So let's see, this is some IP address, even this seems to be an ARIN IP address, and it's also based in Seattle, and we get a bunch of information. So that's how you can use the whois query and the dig query to actually get all sorts of information about a domain name service, and get information from DNS basically.
So now let's go over some theoretical part of DNS, using DNS to get information. Firstly, what is a domain name service and why do we need it? A domain name service is a name given to an IP address so that it's easy to remember; of course it's easy to remember names and mnemonics rather than a bunch of random weird numbers. Now this was mainly so that we can map names to IP addresses, and we can get a bunch of information from the host name resolution, so that's the purpose of IP addresses. Now we will also be looking at how to find network ranges. Okay, now before we get on to actually moving on to how to find out the network ranges, let me just show you how you can also use whois. So with whois, suppose you want to know the domains with the word foo in them; you could go whois foo and this will give you a whole bunch of things about how foo exists and all the sorts of foo that there are on the Internet. So that was one interesting flag, and if you want to know more about how to use whois you could just go whois --help. Yes, yeah, so these are all the types of things that we can deal with in whois: you can set the host, we can set the port that we want to search on, then we can set the -l flag, we can find one level less specific match, and we can do an exact match or an inverse lookup for specified attributes; then we can also set the source, we can set the verbose type, and we can choose a request template. There's a bunch of stuff you can do, so you could, suppose, say whois verbose and suppose edureka.co, and it'll give you a verbose version of the RIPE database query service; the objects are in RPSL format, the RIPE database on the terminal. So okay, let's try something else, like whois, okay, I'm sorry, I was supposed to do verbose and I kept doing -h, silly me. So you do -v and it'll give you, much more like this, a RIPE database again; I think I'm doing something wrong, okay, just for that thing. Okay, -v and type, okay, or let's just see, let me just show you how to use primary keys, only primary keys, okay, let's see, let's try that out. Okay, so it seems that this is a RIPE database query service and the objects are in RPSL format, so it won't really work for that thing, and it also says that no entry is found because it's an error. So this is for some later lesson; for now I hope I gave you a good idea of how to use whois, like you could just go whois and then some IP address like 192.168.0.101 or some pre-addressed thing like that, or you could just go for a domain name like facebook and get all sorts of information about Facebook when the query actually returns you something. Okay, so let's move on to network ranges now.
Now in this part of the video we're going to be going over the utility called whois, which is used for getting information from the DNS. Now let me just show you a website out here; these are the regional internet registries. The internet registries are used to store information about domain names and IP addresses, and there are five regional internet registries. First is ARIN, which is responsible for North America, so that would be the US and Canada; then we have LACNIC, which is responsible for Latin America and portions of the Caribbean; then there's RIPE, which is responsible for Europe and the Middle East and Central Asia; there's AfriNIC, which is responsible for Africa; and finally we have APNIC, which is responsible for the Asia Pacific Rim. So those are the regional internet registries, and as I said, whois is responsible for acquiring information from the various regional internet registries, so you can use whois to get information about who owns a particular IP address. For example, let me just open up my Ubuntu system, let me clear this out first. So as I was just saying, for example you could go whois, okay, so as you guys can see we could find out pretty quickly who owns a particular IP address. So for example I could do whois and just go, and it tells me who it belongs to; it also gives you who owns a particular IP address and who's responsible for them. From the information you can get email addresses that belong to a particular company; this one has an email address for the tech contact of IP registration, so you can get all sorts of email addresses, tech contacts and also other stuff out there. The registry database contains only .com and .net, and also has some information. Now I want to query a different IP address, and different information belongs in the different regional internet registries, of course, so if I want to go to a particular database I will have to use the -h flag, so I could do whois -h whois.arin.net and remember the IP address, and I'm going to query that again, and of course I get the same information back because I went there. So you could just go whois -h and then follow it with an IP address, so something like 34.205.176.98, that's just a random IP address I just made up, and it says whois option, okay, so it's a capital H, okay, so let's see that, and we get all sorts of information back from that, so ARIN and all sorts of stuff. Now I can get information about domains as well, so if I query something like netflix.com I can find out that this is actually Netflix, and there's an administrative contact and the technical contact data; you can see the different domain servers, so the servers that would have authority over information about the DNS entries for that particular domain; you can also see other information like when the record was created, and a whole bunch of different phone numbers that you can contact. Additionally, besides storing information about IP addresses and domain names, sometimes it will store information about particular host names, and there may be other reasons why you would store a host name or particular information about a host name on the system of one of the RIRs. Now if I want to look up something specifically, once I've found that, I could now do a lookup on whois, suppose, let's say, something like whois foo, so let's say whois foo. Now if you don't already have whois installed, you can easily install it by just going apt install whois on your Unix system, and that should do the trick, and then you can start using this really nifty tool. Okay, so that was all about using whois; now let's get on to how to find out network ranges for a domain.
ranges for a domain okay so now let’s talk about how we are going to be going
over and fighting metric ranges so suppose you bought an engagement and you
only know the domain name and you don’t know much beyond that and you’re
expected to figure out where everything is and what everything is so how do you
go about doing that well use some of the tools that we either have been talking
about or will soon be talking about in more detail and the first thing I’m
going to do is I’m gonna use the domain name Eddy record Co and I’m gonna look
up at you like a taco and see if I get an IP address back so let’s just head
over there and go who is Eddie record co or we could use the host keyword
so as you see we get an IP address back and that is 34.2 den door to 30 to 35
and that is the IP address and you see that I’ve got back an IP address so
here’s just an IP address and I don’t know what that IP just belongs to I also
don’t know how big the network range or network block is and that’s associated
with so what I’m going to do is a who is and I’m going to look up with Aaron who
owns that IP address so you can basically go who is 34 to 10 to 30 35 so
as you guys can see that gives us a bunch of information and who is now this
doesn’t seem to have a very big network range but unlike something like Netflix
so suppose we were to do something like host and see now we have a
bunch of IP addresses so suppose we were to do who is let’s
see who is 50 2.19 41 47 now I’m expecting Netflix to be a much larger
company and have a better yeah now see we get net range so this is the network
range that we are talking about so we had a random IP address and now we have
found the network range so that’s how you find network ranges and this can be
very useful so this gives me evidence that Netflix comm has the presence on
different addresses the one I have also located by looking up that particular
host name so I’ve got one address here that I can look let’s take a look at the
website because I’m in a different address now if I didn’t have that I
could also go and do something like an MX flag so let’s see I could go dig and
this will give us all the meals so dig em X and let’s see let’s see what MX
does actually you go help so we could do dig H for a list of options so these are
all options that we have and the one that we’re gonna use is
something like this big MX and we say MMS online so these are all
mailings and MX’s that we have gotten from Netflix and this is information
regarding its so producing information that’s a big thing to produce okay so as
I was just saying you can use the MX flag I could get back all the mail
handlers in this case and their mail is being handled by Google and let’s see
let’s go on top then it’s going to tell me that Google’s not particularly
surprising and other things that you can do is check for different host names
since I’m assuming DNS probably doesn’t allow its own transfers
since most DNS servers don’t anymore although they used to you may have to
start guessing so I could do something like web mails that we find out here so
this shows us the dump of all the outstanding memory stuff okay so that
was all about finding Network ranges now moving on to our next topic is using
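As an added example that is not part of the video, here is the lookup logic from above worked in Python: it reads a whois reply for an IP address, pulls out the NetRange and CIDR fields the way you would by eye, confirms that the address you looked up actually falls inside the block, and reports how big the block is (the small block versus the much larger Netflix-style block). The whois replies are constructed with documentation and benchmark address ranges and placeholder organization names; nothing here talks to a whois server.

```python
"""Pull the owning network block out of a whois reply, as an added example.

Not the video's code. The whois replies below are constructed to look like
ARIN output, using documentation/benchmark address ranges and placeholder
organization names.
"""
import ipaddress
import re

# Constructed reply for a small block, like the one the video gets for edureka.co.
SAMPLE_SMALL = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-HOSTING-1
Organization:   Example Hosting LLC (EHL-42)
RegDate:        2015-01-01
Updated:        2020-06-30
"""

# Constructed reply for a much larger block, the Netflix-style case; this one
# has no CIDR line, so the code must derive the prefix from NetRange.
SAMPLE_LARGE = """\
NetRange:       198.18.0.0 - 198.19.255.255
NetName:        EXAMPLE-CLOUD-BACKBONE
Organization:   Example Cloud Inc (ECI-7)
"""


def parse_whois(text: str) -> dict:
    """Return the key/value fields of a whois reply (first occurrence wins)."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def networks_from_whois(text: str) -> list:
    """Return the CIDR blocks the reply covers.

    Prefers the CIDR field (ARIN may list several, comma separated); otherwise
    summarises the NetRange start-end pair into the minimal set of prefixes.
    """
    fields = parse_whois(text)
    if "CIDR" in fields:
        return [ipaddress.ip_network(c.strip()) for c in fields["CIDR"].split(",")]
    start, end = (s.strip() for s in fields["NetRange"].split("-"))
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(start),
                                                  ipaddress.ip_address(end)))


def owner_of(ip: str, whois_text: str):
    """Return (organization, block, block_size) if ip lies in the reply's block.

    Returns None when the address is outside every block in the reply, which
    is the sanity check to do before attributing an address to an organization.
    """
    addr = ipaddress.ip_address(ip)
    org = parse_whois(whois_text).get("Organization", "unknown")
    for net in networks_from_whois(whois_text):
        if addr in net:
            return org, str(net), net.num_addresses
    return None


if __name__ == "__main__":
    print(owner_of("198.51.100.35", SAMPLE_SMALL))  # small /24 block
    print(owner_of("198.19.41.47", SAMPLE_LARGE))   # large /15 block
```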
Now moving on, our next topic is using Google for reconnaissance. Now some people also call this Google hacking. Now if you know how to use Google to exactly target and find what you are looking for, Google is an excellent tool for reconnaissance purposes, and today I'm going to show you how you could use Google exactly for your searches. So first of all let's open a tab of Google, let's open it up here, so let's go to Google. Okay, so now we are going to be talking about how we can use Google to actually gain some information, or some targeted information. So this is in general called Google hacking. Now when I say Google hacking I'm not meaning breaking into Google to steal information, I'm talking about making use of specific keywords that Google uses to get the most out of the queries that you submit. So for example, a pretty basic one is the use of quotations: you quote things in order to search for specific phrases, otherwise Google will find pages that have instances of all those words rather than the words specifically together in a particular order. So I'm gonna pull this query up and this shows a list, let me just show it to you, so if you go "index of", now this is showing us an index of all the films. Now this is basically all those "index of" sites that you want, so as you guys can see this shows us the index of all sorts of films that are there. Now you can use "index of" and you see that we also have an index of downloads or something like that, a download index, and it is an index of all sorts of stuff. Now you can go into some folder and check them out; I don't know what these are but it's some sort of stuff, and this is how you can use Google. Now let me just show you some more tricks. So suppose you're using Google to find something like a presentation, so you could use something like filetype:pptx and it'll search for every file there that is a pptx. Okay, let's try some other type, .pdf, so config, okay so this brings up all the types of files that have some configs in them, so this isn't a gaming configuration, as we see this is a digital configuration of Liverpool. Now you could also use something like inurl:, and you can use inurl:root and this will give you all the things with root in their URL, so how to root and just the trends and how to root Android, so passing the root. And suppose you want to say something like all in filetype, or suppose you want some extension, so .ppt, .pptx, so let's search for JavaScript files, okay I think it's js, okay that doesn't seem to work either, this shows us all the things with js in it, no it's just external js, I'm doing it wrong. So you could use filetype, so let's see, filetype and we go doc, so these are all the documents that you could find with the filetype thing, and you could also do js I guess, yep, and this will give you all the JavaScript files out there. So this is how you can use Google to actually narrow down your searches, so suppose you want a particular set of keywords and we want to make sure we get the passwords file from Google.

Okay, so now let's go in more detail about the various things you can find using Google hacking techniques. Now while Google hacking techniques are really useful for just general searching in Google, they're also useful for penetration testers or ethical hackers: you can narrow down the information that you get from Google and you get a specific list of systems that may be vulnerable. So we can do things like look for error pages that have "error" in the title, so I'm gonna get a whole bunch of information; so suppose we go intitle: and we say error, so as you see we get all sorts of stuff, and we can do the -google part, so if you do a -google it will not show you the stuff that's from Google, so we get various documentation pages about different vendors and the errors that they support, so here's one talking about Oracle, about a Java error, and if you want something more specific we may be able to get errors about all sorts of other stuff. So this is how you could use the Google hacking technique to your own advantage if you're a penetration tester. Now let me also show you something called the Google Hacking Database. Now this is very useful for an ethical hacker. Now the Google Hacking Database was created several years ago by a guy called Johnny Long, who put this Google Hacking Database together to begin to compile a list of searches that would bring up interesting information; now Johnny has written a couple of books on Google hacking. So we're at the Google Hacking Database website here and you can see them talk about Google dorks and all sorts of stuff. Now you can see that we can do all sorts of searches, like inurl: searches that bring up some portal pages; now out here you can bring up some password pages, with password in the URL, now this will give you all sorts of stuff on Google. So suppose you go inurl: with something like password, now you can get all sorts of stuff which have passwords in the URL, so maybe you can just guess a password from there. Now those are Google hacking entries, and they also have a number of categories that you can look through to find some specific things that you may be interested in, and of course you can search for specific information that you may be looking for with regards to a specific product. For example, let me just show you, on Exploit Database these are all the certain types of stuff you can go through out here, and as you see we have all sorts of stuff, like this is an SQL injection thing, mmm, this is something regarding archive tars, so these let you get a foothold into some password cracking attempts and you can do some brute force checking, and you can see here it talks about the type of search it is and what it reveals, and you can just click here on Google search and it will actually bring up Google with the list of responses that Google generates. So let's look at this one here, the type is log, so this is something about cross-site scripting logs, and we can also see some other logs if I'm not wrong, so some denial of service POC, and we can see a bunch of stuff, and if you continue to scroll down there is a lot of interesting information in here. So somehow somebody's got a log that has logged a lot of information, they've got it up on a website, and it's basically a bunch of information there, you can see. You can also get some surveillance video sometimes and you can look into them, and it's basically how you could use Google, so it's basically a list of queries that you can go through, and this is a very useful site if you are a penetration tester and looking for some help with your Google hacking terminology. So that's it for Google hacking, now let's move on. Okay, so now it's time for some networking
fundamentals, and what better place to begin than with TCP/IP. Now we're gonna be talking about the history of TCP/IP and the network that eventually morphed into the thing that we now call the Internet. So this thing began in 1969 and it spun out of this government organization called ARPA, which is the Advanced Research Projects Agency, and they had an idea to create a computer network that was resilient to a certain type of military attack, and the idea was to have this network that could survive certain types of war and warlike conditions. So ARPA sent out this request for proposals, and BBN, which is Bolt Beranek and Newman, who were previously an acoustical consulting company, won the contract to build what was called the ARPANET. The first connection was in 1969, so that's where we get the idea that the Internet began in 1969; the Internet as we call it now didn't generally begin then, but ARPANET did, and ARPANET has a long history that goes through NSFNET in the 1980s, and after ARPANET was decommissioned a lot of other networks were folded into this thing called NSFNET that then turned into what we now call the Internet, once all the networks were connected into it. The first protocol on the ARPANET, initially, was the 1822 protocol, which was the very first protocol defining communication on ARPANET, and it was called the 1822 protocol because BBN report 1822 is what describes how it worked. Shortly after that there was this thing called the Network Control Program, and the Network Control Program consisted of the ARPANET host-to-host protocol and an initial connection protocol. Now there's certainly not a direct correlation or an analogy here, but if you want to think about it in a particular way, you could say that the ARPANET host-to-host protocol is kind of like UDP and the initial connection protocol, or ICP, is kind of like TCP. So the host-to-host protocol provided a unidirectional flow-controlled stream between hosts, which sounds a little bit like UDP, and ICP provided a bidirectional pair of streams between two hosts; and again these aren't perfect analogies, but the host-to-host protocol is a little bit like UDP and ICP is a little bit like TCP. Now the first router was called an Interface Message Processor, and that was developed by BBN; it was actually a ruggedized Honeywell computer that had special interfaces and software, so the first router wasn't a ground-up built piece of hardware but it was actually an existing piece of hardware that was specially purposed for this particular application. So Honeywell had this computer that they made and BBN took that and made some specific hardware interfaces and wrote some special software that allowed it to turn into this Interface Message Processor, which passed messages over ARPANET from one location to another. So where did IP come in? IP came in in 1973, as I just said, and a guy by the name of Vint Cerf and another guy by the name of Robert Kahn took the ideas of NCP and what the ARPANET was doing, and they tried to come up with some concepts that would work for the needs that the ARPANET had, and so by 1974 they had published a paper that was published by the IEEE, and they proposed some new protocols. They originally proposed a central protocol called TCP; later on TCP was broken into TCP and IP to get away from the monolithic concept that TCP was originally, so they broke it into more modular protocols and thus you get TCP and IP. So how do we get to our version 4, which is IPv4, since that's the kind of Internet that we are using right now? Version 6 is coming and has been coming for many, many years now, but we're still kind of on version 4. So we get here between 1977 and '79, and we went through versions zero to three; by 1979 and 1980 we started using version four, and that eventually became the de facto protocol on the Internet in 1983 when NCP was finally shut down, because all of the hosts on the ARPANET were using TCP/IP by that point. In 1992 work began on IP next generation, and for a long time the specifications in the RFCs talked about IPng, and eventually IPng became known as IPv6. You may be wondering where IPv5 went; well, it was a special purpose protocol that had to do something with streaming, and certainly not a widespread thing. One of the differences between IPv4 and IPv6 is that IPv6 has a 128-bit address, which gives us the ability to have some ridiculously large numbers of devices that have their own unique IP address; IPv4 by comparison has only 32-bit addresses, and as you probably heard we're well on our way to exhausting the number of IP addresses that are available, and we've done a lot of things over the years to conserve address space and reuse address space so we can continue extending to the point where we completely run out of IPv4 addresses. Another thing about IPv6 is it attempts to fix some of the inherent issues in IP, and some of those have to do with security concerns, and there are certainly a number of flaws in IPv4, and when they started working on IP next generation, or IPv6, they tried to address some of those concerns and some of those issues; they may not have done it perfectly but it was certainly an attempt, an IPv6 attempt, to fix some of the issues that were inherent in IP. And so that's the history of TCP/IP, still very rich today. Okay, so now that we have discussed a brief history of TCP/IP
and how it came about to TCP/IP version 4, let's discuss the model itself. Now we're going to be discussing two models, and those are the OSI model and the TCP/IP model. Now as I said, we'll be talking about the OSI and TCP/IP models for network protocols and network stacks. OSI first of all is the one that you see out here, it's the one on the left-hand side of the screen, and OSI stands for Open Systems Interconnection, and in the late 1970s they started working on a model for how a network stack and network protocols would look. Originally the intent was to develop the model and then develop protocols that went with it, but what ended up happening was, after they developed the model, TCP/IP started really taking off and the TCP/IP model was what went along with it and described much better what was going on with TCP/IP, which became the predominant protocol, and as a result the OSI protocols never actually got developed. However, we still use the OSI model as a teaching tool as well as a way of describing what's going on within the network stack and networked applications; you'll often hear people talking about different layers, like "that's a layer two problem" or "we're in layer three space". Now continuing through these lessons I'll refer occasionally to the different layers, and when I do that I'm referring to the OSI model. So let's take a look at the OSI model. Starting from the bottom we have the physical layer, which is where all the physical stuff lives: the wires and cables and network interfaces and hubs, repeaters, switches and all that sort of stuff, so all that physical stuff is sitting in the physical layer. Now sitting above this is the data link layer, and that's where the Ethernet protocol, ATM protocol, frame relay, those are the things that live there. Now I mentioned the switch below in the physical layer; the switch lives at layer one but it operates at layer two, and the reason it operates at layer two is because it looks at the data link address, the layer two or physical address, and that's not to be confused with the physical layer. It does get a little mixed up sometimes, and we refer to the MAC address; now the MAC address I'm talking about is not a message authentication code. We refer to the MAC address on a system as the physical address because it lives on the physical interface and is bound physically; however that MAC address, or media access control address, lives at layer two, the data link layer. The network layer, which is right above at layer 3, that's where IP lives, as well as ICMP, and IPX from the IPX/SPX suite of protocols from Novell; routers operate at layer 3. At layer 4 above that is the transport layer, that's TCP, UDP and SPX, again from the IPX/SPX suite of protocols. Above that is the session layer, and that's layer five, and that's AppleTalk, SSH, as well as several other protocols. Then there's the presentation layer, which is layer 6, and you'll often see people refer to something like JPEG or MPEG as examples of protocols that live at that layer, the presentation layer. Finally we have layer 7, which is the application layer, and that's HTTP, FTP, SMTP and similar application protocols whose responsibility is to deliver end-user functionality. So that's basically the OSI model, and those are the seven layers of the OSI model. And there's an important thing to note here, that is when we are putting packets onto the wire, the packets get built from the top of the stack down, from the top of the stack to the bottom, which is why it's called a stack: each layer sits on top of the other, and the application layer is responsible for beginning the process, and then that follows through the presentation, session and transport layers and down through the network and data link until we finally drop it on the wire at the physical layer. When it's received from the network it goes from the bottom up, and we receive it on the physical layer and it gets handled by the data link and then the network, and so on up until the application layer. So basically when a packet is going out it starts from the application and goes out from the physical, and when it is coming in it goes from the physical through the data link, then the network, transport, session, presentation and application, and finally to the target application. Now what we're dealing with is an encapsulation process, so at every layer on the way down the different layers add bits of information to the datagram or the packet, so that when it gets to the other side each layer knows where its demarcation point is. While it may seem obvious, each layer talks to the same layer on the other side, so when we drop a packet out onto the wire the physical layer talks to the physical layer; in other words the electrical bits that get transmitted by the network interface on the first system are received on the second system. On the second system the layer 2 headers that were put on by the first system get removed and handled as necessary; same thing at the network layer, it's the network layer that puts on the IP header and the network layer that removes the IP header and determines what to do from there, and so on and so on. Again, while it may seem obvious, it's an important distinction to recognize that each layer talks to its peer layer, and when you are building a packet you go down through the stack and when you are receiving you come up through the stack, and again it's called a stack because you keep pushing things on top of the packet and they get popped off on the other side. So that was a detailed but brief walk-through of how the OSI model is set up and how the OSI model works.

Now let's move on to the TCP/IP model, which is on the right-hand side, and you'll notice that there's a really big difference here, that being that there are only four layers in the TCP/IP model as compared with the seven layers of the OSI model. Now we have the network access layer, the internet layer, the transport layer and the application layer, and the functionality that the stack provides is the same; in other words you're not going to get less functionality out of the TCP/IP model, it's just that they've changed where different functionality resides and where the demarcation points between the different layers are. So there are only four layers in the TCP/IP model, which means that a couple of layers have taken in functions from some of the OSI model's layers, and we can get into that right here. The difference between the models at the network access layer: in the TCP/IP model that consists of the physical and the data link layers from the OSI model, so on the right here you see the network access layer that takes into account the physical and the data link layers from the OSI model on the left-hand side. Similarly the application layer from the TCP/IP model encompasses all of the session, presentation and application layers of the OSI model, so on the right the very top box, the application layer, encompasses the session, presentation and application layers on the left-hand side. That of course leaves the transport layer to be the same, and what the OSI model calls the network layer the TCP/IP model calls the internet layer, same sort of thing, that's where IP lives, and even though it's called the internet layer as compared to the network layer it's the same sort of functionality. So those are the really big differences between the OSI and TCP/IP models. Any time I refer to layers through the course of this video I'm going to be referring to the OSI model, in part because it makes it easier to differentiate the different functionality: if I were to say a layer one function in the TCP/IP model you wouldn't necessarily know if I was talking about a physical thing or a data link thing; since there's more granularity in the OSI model it's better to talk about the functionality in terms of the layers in the OSI model. And those are the predominant models, the OSI model and the TCP/IP model, for network stacks, network protocols and applications. Okay, so now that we've discussed the
TCP/IP model, let's go over another important protocol, and that is UDP. So what you see out here on your screen right now is Wireshark, and we'll be going over the uses of Wireshark and what it's useful for in the upcoming lessons, but for now let me just show you a UDP packet. Okay, so before we get into the analysis of the packet file, it's still filtering, let me just tell you a little bit about UDP. So UDP is a protocol in the TCP/IP suite of protocols. IP is in the network layer, that's the network layer in the OSI seven layer reference model; the IP network layer carries the IP address, and that has information about how to get the packet to its destination. The transport layer sits on top of the network layer, and that carries information about how to differentiate network applications, and that information about how those network applications get differentiated is in the form of ports. So the transport layer has ports and the network layer has, in this case, an IP address, and UDP is a transport layer protocol. UDP stands for User Datagram Protocol, and it's often called connectionless or sometimes unreliable. Now unreliable doesn't mean that you can't really rely on it; unreliable means that you can't trust that what you send is reaching the other side. So what that means actually is that there's nothing in the protocol that says it's going to guarantee that the datagram that you send, or the packet that you send, is gonna get where you want to send it, so the protocol has no sort of safety feature like that. So you shouldn't use this protocol, that is UDP, if you want some sort of safety net, and if you needed that type of safety net you would have to write it into your own application. So basically UDP is a fast protocol, and that's one of the reasons why it's good; it's also one of the reasons why it's unreliable, because in order to get that speed you don't have all of the error checking and validation that messages are getting there. So because it's fast it's good for things like games and for real-time voice and video, anything where speed is important, and you would use UDP. So right here I have a packet capture, so I'm using Wireshark to capture some packets, and let's check out a UDP packet. So out here you see that there are some frames, it says 167 bytes on wire, 167 bytes captured, but we're not really interested in the frame, we're interested in the User Datagram Protocol part. So out here you can see that the source port is 1853 and the destination port is 52081, now it has a length and it has a checksum and stuff. So as you guys see out here, well, we don't really see a bunch of information; what you only see is the source port and the destination port, the length, and there's also a checksum. So UDP doesn't come with an awful lot of headers, because it doesn't need any of the things that you see in the other packet headers; the only thing it needs is to tell you how to get to the application on the receiving host, and that's where the destination port comes in, and once the message gets to the destination, the destination should know how to communicate back to the originator, and that would be through the source port. For a return message, a return message would convert the source port to a destination port and send back to that port in order to communicate with the originator. So we have a source port and a destination port, and the length is a minimal amount of checking, to make sure that if the packet that you received is a different length from the length that's specified in the UDP header then there may have been something wrong, so one may want to discard the message and check for more messages. So the checksum also makes sure that nothing in the middle was tampered with, although if there's some sort of man in the middle attack or something like that, the checksum is pretty easy to manufacture after you've altered the packet. So you can see here in the capture that there are a number of UDP packets; some of them just say UDP, so one I look at happens to be from some Skype application, I guess, talking to Skype servers, and we've also got DNS. Now DNS also needs some fast response times, because you don't want to spend a lot of time looking up information about servers that you're going to just to go to them, so DNS servers throw their queries out onto the wire using UDP hoping to get fast responses; they don't want to spend a lot of time setting up connections and doing all the negotiating that comes with a protocol like TCP, for example. So here you see that DNS is using UDP, and what we've got here is another UDP packet, the port, destination and all sorts of stuff, so you can see it out here; you can see the checksum, it's an unverified checksum status, so you can check out all sorts of stuff using Wireshark. So that was about UDP, the User Datagram Protocol.
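As an added example that is not the video's code, here is the encapsulation walk-through and the UDP header discussion worked in Python: a payload is wrapped in the four-field UDP header and then a minimal IPv4 header on the way down the stack, parsed back out layer by layer on the way up, and the checksum is then refitted after a payload change to show the caveat from above, that a checksum catches accidental corruption but not deliberate alteration. Addresses, ports and the payload are constructed; the UDP checksum follows RFC 768.

```python
"""Encapsulate a payload in UDP then IPv4 and decapsulate it again.

Added example, not the video's code. Addresses, ports and the payload are
constructed; the UDP checksum follows RFC 768 (pseudo-header + segment).
"""
import struct

UDP_PROTO = 17


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement checksum as used by IP, UDP and TCP headers."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the pseudo-header (src, dst, zero, proto, UDP length) and the segment."""
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, UDP_PROTO, len(segment))
    return ones_complement_sum(pseudo + segment) or 0xFFFF  # a computed 0 is sent as 0xFFFF


def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Transport layer: the four-field UDP header the video shows, then the payload."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)  # checksum zero while computing
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_ipv4(src_ip, dst_ip, segment: bytes, ttl: int = 64) -> bytes:
    """Network layer: wrap the UDP segment in a minimal 20-byte IPv4 header."""
    total_len = 20 + len(segment)
    # version 4 / IHL 5 = 0x45, TOS 0, id 0, flags+fragment 0, protocol 17 = UDP
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, UDP_PROTO,
                         0, ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    csum = ones_complement_sum(header)  # header checksum covers only the IP header
    return header[:10] + struct.pack("!H", csum) + header[12:] + segment


def parse_ipv4_udp(packet: bytes) -> dict:
    """Walk back up the stack: strip the IP header, then the UDP header, checking both."""
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_sum(packet[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("bad IP header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != UDP_PROTO:
        raise ValueError("not a UDP packet")
    segment = packet[ihl:total_len]
    sport, dport, length, csum = struct.unpack("!HHHH", segment[:8])
    if length != len(segment):  # the minimal length check the video mentions
        raise ValueError("UDP length field does not match the segment")
    pseudo = packet[12:20] + struct.pack("!BBH", 0, UDP_PROTO, length)
    checksum_ok = csum == 0 or ones_complement_sum(pseudo + segment) == 0
    return {"src": bytes_to_ip(packet[12:16]), "dst": bytes_to_ip(packet[16:20]),
            "sport": sport, "dport": dport, "checksum_ok": checksum_ok,
            "payload": segment[8:]}


def rewrite_payload(packet: bytes, new_payload: bytes) -> bytes:
    """Swap the payload and recompute both checksums.

    This is the video's caveat in code: anyone on the path who changes a datagram
    can simply refit the checksum, so a checksum detects corruption, not tampering.
    """
    p = parse_ipv4_udp(packet)
    return build_ipv4(p["src"], p["dst"],
                      build_udp(p["src"], p["dst"], p["sport"], p["dport"], new_payload))


if __name__ == "__main__":
    # Constructed packet using documentation addresses and the ports from the capture.
    pkt = build_ipv4("192.0.2.10", "192.0.2.20",
                     build_udp("192.0.2.10", "192.0.2.20", 1853, 52081, b"hello"))
    print(len(pkt), "bytes on wire:", pkt.hex())
    print(parse_ipv4_udp(pkt))
```

Flipping a payload bit without touching the header makes checksum_ok come back False, which is what Wireshark's checksum validation would flag; rewrite_payload shows why that is no protection against an on-path change.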
Okay, so now that we're done with the User Datagram Protocol, let's talk about addressing modes. So addressing modes is how you address a packet to your different destinations, and there are three kinds of addressing modes. The first kind of addressing mode is unicast; this is a pretty simple one to understand, so there is one destination and one source, and the source sends the packet to the destination, and it depends on the protocol that you're using to actually address it: if it's something like TCP/IP you're probably using a bidirectional stream, so the blue computer can talk to the red computer and the red computer can talk back to the blue computer, but you can also use a UDP stream which is like a one-directional stream, so I'm not sure if I'm using the correct word, so it's a stream that's in one direction, I guess I'm driving home the point here. So if it's UDP only blue is talking, and when blue stops talking then red can talk, but if it's TCP blue and red can talk simultaneously at the same time. Now moving on, there's also broadcast; now broadcast means that you are sending your packet to everybody on the network, so broadcast messages are very common from mobile network providers: when you get those advertisements saying something like you have a new postpaid rate plan from Vodafone or some other provider or something like that, those are broadcast messages, so it's one server that is sending out one single message to all the other systems. Now there's also multicast; now multicast is like broadcast but selective. Now multicast is used for actually casting your screen to multiple people, so something like screen share when you are doing it with multiple people is multicast, because you have the option to not show a particular computer what you are actually sharing. So those are the three modes of addressing: unicast, broadcast and multicast. Okay, now moving on, let's look into the tool that we just
used once in UDP, that is Wireshark. So what exactly is Wireshark? So this utility called Wireshark is a packet capture utility, meaning that it grabs data that's either going out or coming in off the network, and there are a number of reasons why this may be useful or important. One reason why it's really important is that what's going on in the network is always accurate; in other words, you can't mess around with things once they're on the network, or you can't lie about something that's actually on the network, as compared with applications and their logs, which can be misleading or inaccurate, or if an attacker gets into an application they may be able to alter the logging. Now there are several other behaviors that make it difficult to see what's really going on in the network, but you can really see what's going on once it hits the wire; it's on the wire and you can't change that fact once it hits the wire. So what we're going to do here is a quick packet capture, so let me just open up Wireshark for you guys. So as you guys can see I already have Wireshark open for us; let me just remove this UDP filter that was there, so Wireshark is recapturing. So let us go over the stuff that you can see on the screen, some important features of Wireshark, so that we can use it later. So what I'm doing here is a quick packet capture, and I'm going to show some of the important features of Wireshark so that we can use it later on when we're starting to do some more significant work. I select the interface that I'm using primarily, which is my Wi-Fi, and I'm going to go over here and we'll bring up a Google page so that we can see what's happening on the network. So let me just quickly open up a Google page; you guys can see it's capturing a bunch of data that's going around here. Now let me just open up the Google page and that's gonna send up some data, let's go back, so it's grabbing a whole bunch of stuff off the net. Okay, I'm just gonna stop that, I'm gonna go back and take a look at some of the messages here. So on to the features of Wireshark: as you can see on the top part of the screen here there's a window that says number, time, source, destination, protocol, length and info, and those are all of the packets that have been captured, and they're numbered starting from one, and the time has to do with being relative to the point that we started capturing, and you see the source and destination addresses and the protocol, the length of the packet in bytes, and some information about the packet. In the middle of the screen you'll see detailed information about the packet that has been selected, so suppose I'm selecting this TCP packet out here, so we can go through the frame; the frame also has an interface ID, an encapsulation type, and all types of information is there about the frame. Then we can look at the source port, the destination port, the sequence number, the flags, the checksums; you can basically check everything about a packet because this is a packet analyzer and a packet sniffer. Now you'll see some detailed information about the packet that I've selected, so as I've selected this TCP/IP packet, we see that in the middle pane it says frame 290, it means that it's the 290th packet, and the packet that was captured is 66 bytes and we grabbed 66 bytes, which is 528 bits. So what you see out here is the source and destination MAC address, the layer 2 address, and then you can see the IP address of the source and destination, and it says it's a TCP packet and gives us a source port and destination port, and we can start drilling down into different bits of the packet, and you can see when I select a particular section of the packet, down at the very bottom you can see what's actually a hex dump of the packet, and on the right-hand side is the ASCII, so this is the hex dump and this is the ASCII that you're looking at. What's really cool about Wireshark is it really pulls the packet apart into its different layers; we have spoken about the different layers of the OSI and the TCP/IP model, and the packets are put into different layers, and there's a couple of different models that we can talk about with that, but what Wireshark does really nicely is it demonstrates those layers for us, as we can see here, it actually follows them. And in this particular packet here we can also do something: so I've got a Google web request, so what I want to do here is I want to filter based on HTTP, so I find the filter, so let's see, we can do an http filter, and what I see here is a GET, and it's going to get an image, so that's a PNG image, and this request gets the item that's going to be displayed in the address bar. So you also see something called ARP out here, which I'll be talking about very soon. So let's just have the filtering done now; in the web browser it's a favicon.ico. What I can do here is I can select Analyze and Follow TCP Stream, and you can see all the requests related to this particular request and it breaks them down very nicely, so you can see we've sent some requests to Spotify because I've been using Spotify to actually listen to some music, then you can see, oh
sorts of stuff like this was something to some not found place so let’s just
take the Spotify one and you can see that we get a bunch of information from
the Spotify thing at least you can see the destination the source it’s an Intel
Core machine so the first part of the MAC address the first few digits lets
you tell if it’s what what is the vendor ID so intel has its own mental ID so f
186 probably tells us that it’s that’s an Intel Core so why shock does is
really neat little thing that it also tells us from the MAC address what type
of machine you’re sending your packets to from the back address itself so it’s
coming from a soft force for C and going to an Intel Core and the type is ipv4 so
that was all about Wireshark you can use it extraneously for packet sniffing and
packet analysis packet analysis comes very handy when you are trying to
actually figure out how to do some stuff like IDs evasion where you want to craft
your own packets and you want to analyze packets that are going into the IDS
system to see which packets are actually getting detected as some intrusion so
you can craft your packet in a relative manner so that it doesn’t get actually
detected by the idea system so this is a very nifty little tool we’ll be talking
about how you can craft your own package it’s just in a little while but for now
let’s move ahead ok so now that we are done with our small little introduction
and a brief history of Wireshark, now let’s move on to our next topic for the video, that is DHCP. Okay, so DHCP is a protocol and it stands for Dynamic Host Configuration Protocol. So DHCP is a network management protocol used to dynamically assign an Internet Protocol address to any device on a network so they can communicate using IP. Now DHCP automates and centrally manages these configurations rather than requiring some network administrator to manually assign IP addresses to all the network devices. So DHCP can be implemented on small local networks as well as in large enterprises. Now DHCP will assign new IP addresses in each location when devices are moved from place to place, which means network administrators do not have to manually configure each device initially with a valid IP address; so if a device with a new IP address is moved to a new location of the network, it doesn’t need any sort of reconfiguration. Versions of DHCP are available for use in Internet Protocol version 4 and Internet Protocol version 6.

Now, as you see on your screen, there is a very simplistic diagram of how DHCP works, so let me just run you through it. DHCP runs at the application layer of the TCP/IP protocol stack to dynamically assign IP addresses to DHCP clients and to allocate TCP/IP configuration information to DHCP clients; this includes subnet mask information, default gateway IP addresses and domain name system addresses. So DHCP is a client-server protocol in which servers manage a pool of unique IP addresses as well as information about client configuration parameters, and assign addresses out of those address pools. Now DHCP-enabled clients send a request to the DHCP server whenever they connect to a network. The clients configured with DHCP broadcast a request to the DHCP server and request network configuration information for the local network to which they are attached; a client typically broadcasts a query for this information immediately after booting up. The DHCP server responds to the client request by providing IP configuration information previously specified by a network administrator. Now this includes a specific IP address as well as the time period, also called the lease, for which the allocation is valid. When refreshing an assignment, a DHCP client requests the same parameters; the DHCP server may assign a new IP address based on the policy set by the administrator. Now a DHCP server manages a record of all the IP addresses it allocates to network nodes; if a node is relocated in the network, the server identifies it using its media access control address, which prevents accidentally configuring multiple devices with the same IP address. DHCP is not a routable protocol, nor is it a secure one. DHCP is limited to a specific local area network, which means a single DHCP server per LAN is adequate. Now larger networks may have a wide area network with multiple individual locations; depending on the connections between these points and the number of clients in each location, multiple DHCP servers can be set up to handle the distribution of addresses. Now if a network administrator wants a DHCP server to provide addressing to multiple subnets on a given network, he must configure DHCP relay services located on the interconnecting routers that DHCP requests have to cross; these agents relay messages between DHCP clients and servers. DHCP also lacks any built-in mechanism for clients and servers to authenticate each other; both are vulnerable to deception and to attack, where rogue clients can exhaust the DHCP server’s pool.

Okay, so let’s move on to our next topic, and that is why use DHCP. So I just told you that DHCP doesn’t really have any sort of authentication, so it can be fooled really easily; so what are the advantages of using DHCP? DHCP offers quite a lot of advantages. Firstly there is IP address management: a primary advantage of DHCP is easier management of IP addresses in a network. Without DHCP you must manually assign IP addresses; you must be careful to assign unique IP addresses to each client and to configure each client individually, and if a client moves to a different network you must make manual modifications for that client. Now when DHCP is enabled, the DHCP server manages the assigning of IP addresses without the administrator’s intervention; clients can move to other subnets without manual reconfiguration, because they obtain from a DHCP server new client information appropriate for the new network. Now apart from that, you can say that DHCP also provides centralized network client configuration; it supports BOOTP clients, it supports local clients and remote clients, it supports network booting, and also it has support for large networks, not only for small-scale networks but for larger networks as well. So that way you see DHCP has a wide array of advantages, even though it doesn’t really have any authentication, so because of these advantages DHCP finds widespread use in a lot of organizations. OK, so that winds up DHCP for us, so now let’s move on to our next topic
for this video, and that is Address Resolution Protocol. Now Address Resolution Protocol is a protocol that is used in the local area network, so let me just give you a brief introduction to it and then we’ll get into how we can use it as an ethical hacker for looking into stuff, looking into vulnerabilities, and looking at whether somebody is actually being hacked or something like that. OK, so first of all, as I just said, Address Resolution Protocol is a local area network protocol; it basically works when you are using a LAN. So suppose you have a bunch of computers that are connected over a LAN and they have the following IPs, 192.168.1.32, .33 and .34; so these are the computers, and this is the scenario. How the ARP protocol works is that when, suppose, the red computer out here wants to send a piece of data, or a packet, or a datagram to this yellow computer, that is the IP that it’s calling out, so it will broadcast over the LAN a who-is message, like “who is .33”, and they will be constantly listening for a reply after that. So they send out a packet and they don’t really know which machine to send it to, because nobody has responded yet. So after that the red computer asks “who is 192.168.1.33”, and after that the yellow computer recognizes that it has the same IP address and it’ll say “hey, here’s my MAC address, so we can communicate more easily in the future.” So this MAC address is going to be tied to this IP address in something called the ARP table; I’m going to show you the ARP table right now, in just a few minutes. Now what you have to understand is that this is actually exploitable, because there is no validation; anybody can come into this situation and just lie. So suppose that we have this yellow computer and we also have this other computer, a blue computer, and this is not supposed to be on the LAN, but somehow this guy got into the building and he just connected a LAN wire, and now he’s on the network. Now what he can do is that he can catch the packet that you are sending and then send it to 192.168.1.33 simply by lying when the ARP protocol is running and saying “yep, I’m actually the yellow computer, so send your data to me”, and then he’ll modify the data and send it to the yellow one, and when the reply comes it’ll also be forwarded to the blue computer. So what I’m explaining out here in this scenario is actually called a man-in-the-middle attack. Okay,
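As an added example (not from the video), here is a small Go detector for exactly the lie described above: it keeps its own IP-to-MAC table from ARP replies, the way a host’s ARP table would, and flags any later reply that claims an already-known IP with a different MAC. The capture lines, IPs and MAC addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// ArpReply is one "is-at" ARP reply as Wireshark's Info column shows it:
// the sender claims that SenderIP lives at SenderMAC.
type ArpReply struct {
	SenderIP  string
	SenderMAC string
}

// Conflict records an IP that has been claimed by more than one MAC, which is
// what a host lying in ARP replies looks like on the wire.
type Conflict struct {
	IP     string
	OldMAC string
	NewMAC string
}

// DetectARPConflicts walks replies in capture order, remembers the first MAC
// seen for each IP, and reports every later reply that maps the same IP to a
// different MAC. The first binding is kept, so repeated lies keep alerting.
func DetectARPConflicts(replies []ArpReply) []Conflict {
	table := make(map[string]string) // IP -> MAC, our view of the ARP table
	var conflicts []Conflict
	for _, r := range replies {
		mac := strings.ToLower(r.SenderMAC)
		known, seen := table[r.SenderIP]
		if !seen {
			table[r.SenderIP] = mac
			continue
		}
		if known != mac {
			conflicts = append(conflicts, Conflict{IP: r.SenderIP, OldMAC: known, NewMAC: mac})
		}
	}
	return conflicts
}

// ParseArpLine parses a constructed one-line record "<sender-ip> is-at <sender-mac>".
// Lines that do not have that shape (requests, garbage) are skipped by the caller.
func ParseArpLine(line string) (ArpReply, bool) {
	fields := strings.Fields(line)
	if len(fields) != 3 || fields[1] != "is-at" {
		return ArpReply{}, false
	}
	return ArpReply{SenderIP: fields[0], SenderMAC: fields[2]}, true
}

// SampleCapture is a constructed capture of the scenario in the text: the
// yellow computer (.33) answers first, then the blue intruder claims .33 too.
var SampleCapture = []string{
	"192.168.1.33 is-at aa:bb:cc:00:00:33", // genuine reply from the yellow computer
	"192.168.1.32 is-at aa:bb:cc:00:00:32",
	"192.168.1.34 is-at aa:bb:cc:00:00:34",
	"192.168.1.33 is-at de:ad:be:ef:00:01", // blue computer lying about .33
	"192.168.1.33 is-at de:ad:be:ef:00:01", // lies are usually repeated to keep the victim poisoned
	"who has 192.168.1.33? tell 192.168.1.32", // a request, not a reply: ignored
}

// ConflictsInSample parses the sample capture and returns the alerts it raises.
func ConflictsInSample() []Conflict {
	var replies []ArpReply
	for _, l := range SampleCapture {
		if r, ok := ParseArpLine(l); ok {
			replies = append(replies, r)
		}
	}
	return DetectARPConflicts(replies)
}

func main() {
	for _, c := range ConflictsInSample() {
		fmt.Printf("ALERT: %s was at %s, now claimed by %s\n", c.IP, c.OldMAC, c.NewMAC)
	}
}
```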
so that was about the ARP protocol. Now let’s talk about how we can use the ARP protocol to our advantage as an ethical hacker. OK, so now that we know how ARP actually works, let me show you how you can access the ARP table of your computer. So what you have to do is just open up Command Prompt, and all you do is arp -a. Now this is not specific to Windows; it can be run on any machine that has the TCP/IP suite of protocols installed on it. So every computer system has what is called an ARP table, and the reason it’s called an ARP table is because it matches a layer 2, or physical, address, or MAC address, to an IP address, and that’s what Address Resolution Protocol is: what it resolves is an IP address to a MAC address or a physical address. MAC address and physical address are interchangeable because they mean the same thing; the reason it’s called the physical address is because it is physically on a network interface, which is of course a physical device, so it’s sometimes called the physical address and it’s sometimes called a MAC address, for media access control. So I might use MAC address and I might use physical address to make a particular point, but it means the same thing. So you can see here that there are the IP addresses and there are the MAC addresses; these are the IP addresses and these are the MAC addresses, and they are listed in the ARP table. I’ve done -a, which means show me all your ARP entries. While I’m doing this on a Windows system, as I just said, it’s possible on a Linux system and anything with the TCP/IP suite of protocols installed, because it’s an important utility to have in order to help diagnose any issue with your network. So this is how you would display an ARP table, and as I said ARP is just a mapping from IP address to MAC address.

So let me show you what the protocol looks like when it’s actually working. So let’s head over to Wireshark; we choose the interface that we want to see. OK, now all we do is put on a filter that says ARP. So if you guys see out here, there are these ARP packets that we are finding, so this is how it looks, and as I just said it’s a “who has” and “tell me”. Now there is no authentication, so when this guy is looking for, okay, “who has 192.168.1...”, now if we hit the hardware and if you see out here, the target MAC address is empty because it hasn’t gotten a reply. Now when the MAC address is given, they just get interchanged and it is sent back. So the sender MAC address is a Broadcom, and Wireshark does a really neat job at getting out vendor names from the DNS, I mean from the MAC address. So there’s this “a Sturrock” thing, then there’s Google, as I just saw out here, some Google phone, I guess maybe an Android, I’m not really sure. This is how ARP looks and this is how ARP works, and if you’re trying to do a man-in-the-middle attack, and you shouldn’t be trying to do that because that’s completely unethical, but just in case you were trying to force a man-in-the-middle attack, you could just try to forward the IP to your own address and just spoof your name while it is ARPing, so you can use other tools like Ettercap for that. Now that was all about ARP. Now let’s move on to our next topic. So the next topic has come up
right after ARP because, while studying ARP, you must have realized, I told you that ARP has no sort of validation, so how could that exactly be fixed? So if the data that is actually being transferred over the LAN is encrypted using cryptography, ARP can actually be used very validly. I mean, what you want to do is you want to hide what you’re actually sending before sending it out on a local network, so that people who are not supposed to get it can’t actually see it. Now let’s first talk about the question: what exactly is cryptography? So cryptography is basically the art of hiding anything; now when talking about computers and computer science in general, it includes hiding data. So cryptography doesn’t really start with the New Age; it’s been there for a long, long time, since the time of Julius Caesar and all. We’ll be talking about the history of cryptography right now, but what I want you to understand is that when a message is sent, a key is actually used along with an encryption algorithm. Now this key is also sent to the other person, and how the keys are sent we can get into later. So all you want to basically understand for now is: a message is encrypted using an encryption algorithm which takes the key and the message as parameters; then on the other side of the message is the ciphertext, that is, what you get after encryption is called ciphertext, because it has to be deciphered now. So “cipher” is just a word, a Latin word I guess, or a Greek word, I’m not really sure, that means to hide. So first you encrypt your message, then you decrypt your message with the ciphertext and the decryption key, which is most of the time the same as the encryption key when we’re talking about symmetric key cryptography. So you use the decryption key and the message along with the decryption algorithm and you get the same message on the other side. So basically it’s like a password; it’s password protection for messages, and that’s a fancy way to say it, and that is cryptography.

So let us go into the history of cryptography now. So let me give you a brief history of cryptography. Now cryptography actually goes back several thousand years; shortly after people began to find ways to communicate, there were some of us who were finding ways to make the understanding of that communication difficult, so that other people couldn’t
understand what was going on, and this led to the development of the Caesar cipher, that was developed by Julius Caesar. It’s a simple rotation cipher, and by that I mean that you rotate a portion of the key in order to generate the algorithm. So here’s an example: we’ve got two rows of letters that are in alphabetical order, which means we basically wrote the alphabet down, and the second row is shifted by three letters, so a B is a Z actually, because if you move that way a B is a Z; from the first row it gets shifted back to the second row, and then the letter D becomes a letter C. So that’s an example of how encryption works. So if you try to encrypt a word like “hello”, it would look completely like gibberish after it came out of the algorithm. So if you count the letters out you can see that the letter H can be translated to, likely, the letter L. So that’s a Caesar cipher. Now you must have heard of things like ROT13, which means that you rotate by 13 letters instead of three letters; that’s what we can do here again, and this is just a simple rotation cipher, or shift cipher; that’s what of course the “rot” stands for: rotate, or rotation.
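As an added example (not from the video), here is the rotation cipher just described in Go: the Caesar shift of three, ROT13 as the same operation with a shift of 13, and the brute-force over all 26 possible shifts that shows why a rotation cipher gives no real secrecy once the method is known.

```go
package main

import (
	"fmt"
	"strings"
)

// Rotate shifts every ASCII letter of s by shift positions along the alphabet,
// wrapping around after Z; digits, spaces and punctuation pass through unchanged.
// A negative shift rotates backwards, so Rotate(x, -n) undoes Rotate(x, n).
func Rotate(s string, shift int) string {
	k := ((shift % 26) + 26) % 26 // normalise any shift to 0..25
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(k))%26)
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(k))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// CaesarEncrypt is the classical Caesar cipher: a fixed rotation of three.
func CaesarEncrypt(plain string) string { return Rotate(plain, 3) }

// CaesarDecrypt reverses the rotation of three.
func CaesarDecrypt(cipher string) string { return Rotate(cipher, -3) }

// Rot13 rotates by 13; because 13 + 13 = 26 it is its own inverse.
func Rot13(s string) string { return Rotate(s, 13) }

// BruteForce returns the 26 candidate plaintexts for a rotation ciphertext,
// indexed by the shift tried (index 3 is the Caesar candidate). The key space
// is so small that an attacker simply reads all of them and picks the one
// that makes sense, which is the whole weakness of this cipher family.
func BruteForce(cipher string) []string {
	out := make([]string, 26)
	for k := 0; k < 26; k++ {
		out[k] = Rotate(cipher, -k)
	}
	return out
}

func main() {
	ct := CaesarEncrypt("hello")
	fmt.Println("caesar:", ct) // khoor
	fmt.Println("rot13 twice:", Rot13(Rot13("Hello, World!")))
	for k, guess := range BruteForce(ct) {
		fmt.Printf("shift %2d: %s\n", k, guess)
	}
}
```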
Now coming forward a couple of thousand years, we have the Enigma cipher. Now it’s important to note that “Enigma” is not the word given to this particular cipher by the people who developed it; it’s actually the word given to it by the people who were trying to crack it. The Enigma cipher is a German cipher; they developed this cipher and a machine that was capable of encrypting and decrypting messages so they could get messages to and from different battlefields and war fronts, which is similar to the Caesar cipher: Caesar used it to communicate with his battlefield generals, and it’s the same thing with the Germans. You’ve got to get messages from headquarters down to where the people are actually fighting, and you don’t want them to get intercepted in between by the enemy, so therefore you use encryption, and lots of energy was spent by the Allies, and in particular the British, trying to decrypt the messages. It’s one of the first instances that we are aware of where a machine was used to do the actual encryption.

Now we’re going to come ahead a few decades, into the 1970s, where it was felt that there was a need for a digital encryption standard. Now the National Institute of Standards and Technology is responsible for that sort of thing, so they put out a proposal for this digital encryption standard and an encryption algorithm. What ended up happening was IBM came up with this encryption algorithm that was based on the Lucifer cipher, that was one their people had been working on a couple of years previously, in 1974, and they put this proposal together based on the Lucifer cipher, and in 1977 that proposal for an encryption algorithm was the one that was chosen to be the digital encryption standard, and so that came to be known as DES. Over time it became apparent that there was a problem with this, and that was it only had a 56-bit key size, and while in the 1970s that was considered adequate to defend against brute-forcing and breaking of the code, by the 1990s it was no longer considered adequate and there was a need for something more. It took time to develop something that would last for some long period of time, and so in the meantime a stopgap was developed, and this stopgap is what we call Triple DES. The reason it’s called Triple DES is you apply the DES algorithm three times, in different ways, and you use three different keys in order to do that. So here’s how Triple DES works: your first 56-bit key is used to encrypt the plaintext, just like you would do with the standard digital encryption standard algorithm. Where it changes is you take that ciphertext that’s returned from the first round of encryption and you apply the decryption algorithm to the ciphertext; however, the key thing to note is that you don’t use the key that you used to encrypt, you don’t use the first key to decrypt it, because otherwise you’ll get the plaintext back. So what you do is you use a second key with the decryption algorithm against the ciphertext from the first round, so now you’ve got some ciphertext that has been encrypted with one key and decrypted with the second key, and we take the ciphertext from that and we apply a third key, using the encryption portion of the algorithm, to that ciphertext, to receive a whole new set of ciphertext. Obviously to do the decryption you take the third key and decrypt it, with the second key you encrypt it, and then with the first key you decrypt it, so you do the reverse order and the reverse algorithm at each step of the shuffled DES. So we get an effective key size of about 168 bits, but it’s still only 56 bits at a time.

Now I said Triple DES was only a stopgap; what we were really looking for was the Advanced Encryption Standard. Once again NIST requested proposals so that they could replace the digital encryption standard, and in 2001, after a long process of looking for algorithms, looking them over, getting them evaluated and getting them looked into, NIST selected an algorithm, and it was put together by a couple of mathematicians. The algorithm was called Rijndael, and that became the Advanced Encryption Standard, or AES. One of the biggest advantages of AES is it supports multiple key lengths; currently what you’ll typically see is that we are using 128-bit keys, however AES supports up to 256-bit keys, so if we get to the point where 128 bits isn’t enough we can move all the way up to 256 bits of keying material. So cryptography has a really long history; currently we are in a state where we have a reasonably stable encryption standard in AES, but the history of cryptography shows that with every set of encryption, eventually people find a way to crack it. Okay, so that was a brief history of cryptography. Now what I want to do is go over and talk about AES, Triple DES and DES in themselves, because they are some really key cryptography moments in history, because there’s some really key historic moments in the history of cryptography. Now we’re going to talk about the different types of cryptographic ciphers, and primarily we’re going to be talking about DES,
Triple DES and AES. Now DES is the digital encryption standard; it was developed by IBM in the 1970s, and originally it was a cryptographic cipher named Lucifer, and after some modifications IBM proposed it as the digital encryption standard, and it was selected as the digital encryption standard; ever since then it’s been known as DES. Now one thing that caused a little bit of controversy was, during the process of selection, the NSA requested some changes, and it hasn’t been particularly clear what changes were requested by the NSA. There has been some speculation that wondered if the NSA was requesting a backdoor into this digital encryption standard, which would allow them to look at encrypted messages in the clear; so basically it would always give the NSA the ability to decrypt DES-encrypted messages. It remained the encryption standard for the next couple of decades or so. So what is DES and how does it work? Basically it uses a 56-bit key; rather than a stream cipher it’s a block cipher, and it uses 64-bit blocks. In 1998 DES was effectively broken when a DES-encrypted message was cracked in three days; a year later a network of 10,000 systems around the world cracked a DES-encrypted message in less than a day, and it’s just gotten worse since then, with modern computing power being what it is. Since DES was actually created we have already come to the realization that we needed something else, so along came Triple DES.

Now Triple DES isn’t three times the strength of DES necessarily; it applies DES just three times, and what I mean by that is, what we do is we take a plaintext message, let’s call that P, and we’re gonna use a key called K1, and we’re gonna use that key to encrypt the message, and that’s going to result in the ciphertext, and we will call that C1. So C1 is the output of the first round of encryption. We’re gonna apply a second key, and we’ll call that K2; with that second key we’re going to go through a decryption process on C1. Since it’s the wrong key we are not gonna get plaintext out on the other end; what we are going to get is another round of ciphertext, and we will call that C2. With C2 we are going to apply a third key, and we will call this K3, and we’re going to encrypt ciphertext C2, and that’s going to result in another round of ciphertext, and we will call that C3. So we have three different keys applied in two different ways: with key 1 and key 3 we do a round of encryption, and with key 2 we do a round of decryption, so it’s an encrypt-decrypt-encrypt process with separate keys. While that doesn’t really yield a full 168-bit key size, the three rounds of encryption use an effective key size of 168 bits, because you have to find three 56-bit keys. So speaking of that technical detail for Triple DES, we are still using the DES block cipher with 56-bit keys, but since we’ve got three different keys we get an effective length of around 168 bits. Triple DES was surely just a stopgap measure; we knew that if DES could be broken, Triple DES could surely be broken with just some more time, I guess, and so NIST was trying to request a standard. That was in 1999, and in 2001 NIST published an algorithm that was called AES. So this algorithm that was originally called Rijndael was published by NIST as the Advanced Encryption Standard. Some technical specifications about AES: the original Rijndael algorithm specified variable block sizes and key lengths, and as long as those block sizes and key lengths were multiples of 32 bits, so 32, 64, 96 and so on, you could use those block sizes and key lengths. When AES was published it specified a fixed 128-bit block size and key lengths of 128, 192 and 256; AES has three different key lengths but one block size,
and that’s a little bit of detail about DES, Triple DES and AES.
We’ll use some of these in doing some hands-on work in a subsequent part of this video. OK, so now that I’ve given you a brief history of how we have reached the encryption standards that we are following today, that is the Advanced Encryption Standard, let’s go ahead and talk a little bit more about DES, Triple DES and AES. So DES is the digital encryption standard; it was developed by IBM in the 1970s, and originally it was a cryptographic cipher called Lucifer, and after some modifications IBM proposed it as the digital encryption standard; it was selected to be the digital encryption standard, and ever since then it’s been known as DES. One thing that caused a little bit of controversy was, during the process of selection, the NSA requested some changes, and it hasn’t been particularly clear what changes were requested by the NSA; there has been some sort of speculation that wondered if the NSA was requesting a backdoor into this digital encryption standard, which would allow them to look at encrypted messages in the clear, so basically it would always give the NSA the ability to decrypt DES-encrypted messages. It remained the encryption standard for the next couple of decades or so. And what is DES and how does it work? Now DES remained the digital standard for encryption for the next couple of decades. So what does it do and how does it work? Basically it uses a 56-bit key; rather than a stream cipher it’s a block cipher, and it uses 64-bit blocks. In 1998, if you know, DES was effectively broken when a DES-encrypted message was cracked in three days, and then a year later a network of 10,000 systems around the world cracked a DES-encrypted message in less than a day, and it’s just gotten worse since then, with modern computing being what it is today.

Now since DES was created and broken, we knew we needed something, and what came in between DES and the Advanced Encryption Standard is Triple DES. Now Triple DES isn’t three times the strength of DES necessarily; it’s really DES applied three times, and what I mean by that is we take a plaintext message, let’s call that P, and we are going to use a key called K1, and we’re going to use that key to encrypt the message, and that’s going to result in ciphertext 1, so we call that C1. Now C1 is the output of the first round of encryption, and we’re going to apply a second key called K2, and with that second key we are going to go through a decryption process on C1. Now since it’s the wrong key we are not going to get the plaintext out of the decryption process; on the other end we are going to get another round of ciphertext, and we’re going to call that C2. Now with C2 we are going to apply a third key, and we are going to call that K3, and we’re gonna encrypt ciphertext C2, and that’s going to result in ciphertext C3. So we have three different keys applied in two different ways: with key 1 and key 3 we do a round of encryption, with key 2 we do a round of decryption, so it’s basically an encrypt-decrypt-encrypt process with three separate keys. But what it does really is it doesn’t really yield a 168-bit key size, because in effectiveness it’s basically 56-bit keys that are being used thrice, with three different keys. So in effectiveness you could say that it’s a 168-bit key, but it is not the same strength, because people realized that Triple DES can be easily broken: if DES is broken you can do the same thing three different times, whatever key you use; it just takes a long time to decrypt if you don’t know the three. And if you are just using a brute-force attack, you know that Triple DES can be broken if DES can be broken.
literally a stopgap between DES and AES because people knew that we needed
something more than triple des and for this the N is T or the National
Institute of Standards and Technology in 2001 they chose a s as the algorithm
that is now called advanced encryption algorithm so it was originally called
the rain dal algorithm and a the main thing about the rain dal algorithm and
advanced encryption standard algorithm that rained all algorithm specifically
states in its papers that it has available block size and available key
size as long as they are in multiples of 32 so 32 64 96 like that but what a EES
does differently is that it gives you one block size that is 128 bits and
gives you three different key sizes that is 128 192 and 256 so with AES three
different key lengths but one block size okay so that was a little bit more
information on a yes des and Triple DES and we are going to be using this
information in some subsequent lessons okay now moving on okay so now that
we’ve discussed the history of cryptography and the more important cryptographic algorithms, let’s discuss the different types of cryptography. Now the first type of cryptography I’m going to talk about is symmetric cryptography, and by symmetric cryptography I mean that the key is the same for encrypting or decrypting, so I use the same key whether I am encrypting the data or decrypting the data. One of the things about symmetric key cryptography is that it uses a shorter key length than asymmetric cryptography, which I’ll get into in a couple of minutes; it’s also faster than asymmetric, and you can use algorithms like DES or AES, as those are both symmetric key cryptography algorithms, and you can use a utility like AESCrypt. Let me just demonstrate how symmetric key cryptography works. So for this we can use a tool called AESCrypt; AESCrypt is actually available for Linux and Windows and Mac, all the systems. I’m using it on Windows and I’m using the console version. So first of all I have a text file called text.txt, so let me just show that to you: as you guys can see I have this thing called text.txt. Now let me just show you what text.txt contains; as you guys can see it has the sentence "the quick brown fox jumped over the lazy dog", so that’s the sentence that has all the letters of the English alphabet. So now we are going to try and encrypt it, and we can use something like AES or DES, because both of them are symmetric key ciphers, symmetric key algorithms rather; we are using AES in this case. So what we’re going to do is say aescrypt, and we’ll encrypt it, and we’re gonna use a password of, let’s say, Pokemon, we’re gonna call it Pokemon, and we’re gonna do text.txt, and it’s gonna encrypt that file. So now we have encrypted the file; let’s go see, dir, we must have a new file, and this is called text.txt.aes. So that is our encrypted file, and this is what we would generally send over the network if we are sending it to anybody. So let’s assume the person who’s received it also knows our encryption algorithm and the key that goes along with it, so let’s try to decrypt it now. Now before I decrypt it let me just show you what an encrypted message looks like. So this is what the ciphertext looks like: type text.txt.aes. So yeah, as you guys can see, the Windows console can’t really display everything, but if I were to go here, I would just go into the file and open it in Notepad++, and you’ll see that it’s a bunch of garbage, you really can’t make out anything of what is being made here, we can’t really decipher much, so that’s the point of using encryption. Now if you were to decrypt it, all you have to do is aescrypt, we are decrypting, and we’re giving the password, and the password is gonna be Pokemon, okay, and we’re gonna try and decrypt text.txt.aes; let’s dir that again, okay, so that just decrypts our message for us. So this is how you would use AESCrypt for encryption and decryption. So that just decrypted it, and that’s how you would use symmetric key encryption to encrypt a file, for this example.

Symmetric key uses either a stream cipher or a block cipher, and the difference between stream and block ciphers is that a block cipher takes a block of bits at a time, and it’s a fixed length, for example 64 bits: if I were to use a block cipher with 64 bits I would need to take in 64 bits before I could start encrypting. Now if I didn’t have 64 bits to encrypt, I would have to fill it with padding in order to get up to 64 bits. A stream cipher, on the other hand, will encrypt a bit at a time, so it doesn’t matter how many bits you’ve got; you don’t need to have some multiple of the block length in order to encrypt without padding.
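The same symmetric file encryption done with OpenSSL’s enc command instead of AESCrypt, as an added example that is not part of the video, followed by a look at the block-size padding just described. It assumes the openssl command-line tool is installed; the password, the fixed test key and IV, and the contents of text.txt are constructed stand-ins for the ones used in the video.

```shell
#!/bin/sh
# Added example, not the video's own AESCrypt session: symmetric encryption of
# a file with OpenSSL's AES-256-CBC, plus a look at block-cipher padding.
# Assumes the `openssl` command-line tool is installed.
set -eu

WORK=$(mktemp -d)
# Constructed stand-in for the video's text.txt
printf 'the quick brown fox jumped over the lazy dog\n' > "$WORK/text.txt"

# aes_encrypt_file <password> <infile> <outfile>
# -pbkdf2 derives the AES key from the password with a random salt and many
# iterations, which is what makes a password-based file format like
# AESCrypt's resistant to fast password guessing.
aes_encrypt_file() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 100000 \
        -pass "pass:$1" -in "$2" -out "$3"
}

# aes_decrypt_file <password> <infile> <outfile>  (same key both ways)
aes_decrypt_file() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 \
        -pass "pass:$1" -in "$2" -out "$3"
}

# Round trip with the right password: prints "same" when the decrypted file
# is byte-for-byte the original (the video checks this by eye with type/dir).
aes_round_trip() {
    aes_encrypt_file pokemon "$WORK/text.txt" "$WORK/text.txt.aes"
    aes_decrypt_file pokemon "$WORK/text.txt.aes" "$WORK/plaintext.txt"
    if cmp -s "$WORK/text.txt" "$WORK/plaintext.txt"; then echo same; else echo different; fi
}

# Wrong password: prints "rejected" when openssl either refuses the data
# (bad padding) or produces anything other than the original plaintext.
aes_wrong_password() {
    aes_encrypt_file pokemon "$WORK/text.txt" "$WORK/text.txt.aes"
    if aes_decrypt_file digimon "$WORK/text.txt.aes" "$WORK/wrong.txt" 2>/dev/null \
       && cmp -s "$WORK/text.txt" "$WORK/wrong.txt"; then
        echo accepted
    else
        echo rejected
    fi
}

# Block-cipher padding. AES has a 16-byte block, so CBC output is always a
# multiple of 16 bytes: the last block is padded (PKCS#7) even when the input
# already fills whole blocks. The fixed key and IV are constructed test
# values; never reuse a fixed key/IV pair for real data.
KEY=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
IV=0f0e0d0c0b0a09080706050403020100

# padded_size <n>: ciphertext size in bytes for n bytes of input
padded_size() {
    head -c "$1" /dev/zero | openssl enc -aes-256-cbc -K "$KEY" -iv "$IV" | wc -c | tr -d ' '
}

# nopad_accepts <n>: with padding disabled openssl only accepts whole blocks
nopad_accepts() {
    if head -c "$1" /dev/zero | openssl enc -aes-256-cbc -nopad -K "$KEY" -iv "$IV" >/dev/null 2>&1
    then echo yes; else echo no; fi
}
```

The padding functions are the practical side of the block-versus-stream distinction: 5 bytes and 16 bytes of input both come out as whole blocks (16 and 32 bytes), and with -nopad OpenSSL refuses any input that is not a multiple of the block size.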
Another type of cryptography is asymmetric. Now asymmetric, as you would expect, uses two different keys, and that’s where we have a public key and a private key. Asymmetric key cryptography uses a longer key length and also has more computation, and the encryption process is slower than with symmetric key encryption. One use for asymmetric keys is for signing documents or emails, for example, where I would have the private key sign something and the public key would be used to verify the signature. Another reason for using asymmetric key encryption is to ensure that you got it from who actually sent it: since you’ve got two keys you always know who the other end of the equation is, whereas with a symmetric key, since it’s just one key, if you can intercept the key you can decrypt and also encrypt messages, and so if somebody can figure out the key they can break into a communication stream using symmetric key encryption. So asymmetric gives you the advantage of ensuring that the other end is who the other end says they are, since they’re the only ones who should have the private key. In practice, however, hybrid encryption models tend to be used, and that’s where you would use asymmetric encryption to encrypt symmetric session keys: so basically you encrypt the message that you are sending using symmetric key encryption, and then when you’re exchanging the key with somebody else you use asymmetric key encryption. So this is going to be a slower process; you probably wouldn’t want to use it for anything but small files, and fortunately the file example that I have is a small one. So I’m going to try and generate a key right now, and for this we have to head over to our Ubuntu system. So let’s see, let me show you how public key encryption actually works; we are gonna first create a key. So let me just clear this out for you. So first of all let’s create a file and let’s call that text.txt; now I’m gonna edit text.txt to have some text in it. That seems to be giving a warning with the editor, so I’ll just use echo instead. Let’s see if that is in our file.
Let me just show you how asymmetric key encryption, or public key cryptography, works. So first of all we need a text file; let me see, do we have a text file? So there seems to be a text.txt, so let’s see what this text.txt says: it says "this is a random txt file". Now what we want to do is create a public key first, so I’m gonna use OpenSSL for doing this. So we go openssl, and we are gonna use it with RSA, so we’re trying to generate a key, so genrsa, and we’re gonna use -des3, and we’re gonna output it into a file called private.key, and we are also going to be using 4096 bits. So this is gonna be our private key; this will create a private key using the RSA algorithm, so let it work its way out. So first of all it’s asking me for a passphrase, since you can protect your keys with a passphrase, so I’m just gonna use my name. Okay, so now if we ls we have a private key, I guess, yeah, so we have this private key. Now using this private key we are going to generate a public key, and for this I’m again going to be using OpenSSL, and OpenSSL is UNIX-based, so you will need a UNIX system. So you go rsautl, that’s the RSA utility, and what we want to do is encrypt, and we want the public key as the -inkey, and we want to use the public key that we just generated... I’m sorry guys, so it’s gonna be using rsa: first of all we need to generate a public key, and for that we use the private key, so we will give the private key as the argument after the -in flag, so private.key, and we are trying to get out a public key, so -pubout, and we’re going to call it public.key. Okay, so there seems to be... okay, I messed it up a little, I forgot to give the output, so you go -out and then use public.key. So it’s asking me for my passphrase, and now it’s writing the RSA key, and since the password was correct we have a public key too. So if you see, now we have a public key and a private key. So we are going to encrypt our file using the public key: we go openssl, and we go rsautl, and we go -encrypt, and we can do -pubin, so we are gonna use the public key, and we want to put text.txt as the file to be encrypted, so -in text.txt, and what we want to output is an encrypted file, so -out encrypted.txt, okay. Oh, I typed openssl wrong, let me edit that; now yeah, so that makes it a correct command, and now we have an encrypted file. So let’s see, ls, and yep, encrypted.txt. So if you just cat that out we see it’s a bunch of garbage, and we really can’t read it unless we decrypt it. So for decrypting, all we have to do is again use OpenSSL; let’s clear the shell first. So openssl, and we are going to be using the RSA utility again, so rsautl, and we’re going to decrypt this time, so we go with the -decrypt flag, and then we are going to be giving the -inkey, and that is going to be the private key, and what we are going to decrypt is encrypted.txt, and what we want to output it as is, let’s say, plaintext.txt. So it’s going to ask me for my passphrase, which is my name, and I’ve entered the passphrase, and now we have a plaintext.txt. Now if we go and ls we see that we have a plaintext.txt out here along with the other txt files. Now let me just cat that out, so plaintext.txt: "this is a random txt file", and if we go up we see the earlier one is a bunch of garbage, and before that it was "a random txt file". Now you can also run this command, diff plaintext.txt text.txt, which gives you the difference between the text strings: it’s 0, so that’s the difference it gives you, and both the files are the same. And that’s how public key cryptography works and how asymmetric key cryptography works. Okay.
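The RSA key pair and the hybrid model described above (asymmetric encryption protecting a symmetric session key, symmetric encryption protecting the file), as an added example that is not the video’s own session. It assumes the openssl command-line tool is installed, and uses pkeyutl, the newer replacement for the rsautl command the video types; the private key is written without a passphrase so the script runs unattended, and the contents of text.txt are a constructed stand-in.

```shell
#!/bin/sh
# Added example, not the video's own session: an RSA key pair with OpenSSL,
# then the hybrid model from the text, where RSA protects a random AES
# session key and AES protects the file itself. Assumes `openssl` is
# installed; uses pkeyutl, which replaces the rsautl command the video uses.
set -eu

WORK=$(mktemp -d)
# Constructed stand-in for the video's text.txt
printf 'this is a random txt file\n' > "$WORK/text.txt"

# 1. Key pair. The private key is written without a passphrase so the
#    script runs unattended; the video's -des3 flag would wrap it in one.
make_keypair() {
    openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null
    openssl rsa -in "$WORK/private.key" -pubout -out "$WORK/public.key" 2>/dev/null
}

# rsa_can_encrypt_bytes <n>: "yes" if n bytes fit in one RSA operation.
# RSA encrypts a single number smaller than the modulus (2048 bits = 256
# bytes, less OAEP padding), which is why files are not RSA-encrypted
# directly and the hybrid model below exists.
rsa_can_encrypt_bytes() {
    [ -f "$WORK/public.key" ] || make_keypair
    head -c "$1" /dev/zero > "$WORK/probe.bin"
    if openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.key" \
           -pkeyopt rsa_padding_mode:oaep \
           -in "$WORK/probe.bin" -out "$WORK/probe.enc" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# 2. Sender: fresh AES-256 key and IV, AES-encrypt the file, then
#    RSA-encrypt the key material with the recipient's PUBLIC key.
hybrid_encrypt() {
    openssl rand -hex 32 >  "$WORK/session.key"   # AES-256 key
    openssl rand -hex 16 >> "$WORK/session.key"   # CBC IV
    { read -r k; read -r iv; } < "$WORK/session.key"
    openssl enc -aes-256-cbc -K "$k" -iv "$iv" \
        -in "$WORK/text.txt" -out "$WORK/encrypted.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/public.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/session.key" -out "$WORK/session.key.enc"
    rm "$WORK/session.key"   # only the RSA-wrapped copy travels with the file
}

# 3. Recipient: unwrap the session key with the PRIVATE key, then decrypt.
hybrid_decrypt() {
    openssl pkeyutl -decrypt -inkey "$WORK/private.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/session.key.enc" -out "$WORK/session.key.dec"
    { read -r k; read -r iv; } < "$WORK/session.key.dec"
    openssl enc -d -aes-256-cbc -K "$k" -iv "$iv" \
        -in "$WORK/encrypted.txt" -out "$WORK/plaintext.txt"
}

# Whole exchange; prints "same" if the round trip reproduces the file
# (the video checks the same thing with diff).
hybrid_round_trip() {
    make_keypair
    hybrid_encrypt
    hybrid_decrypt
    if cmp -s "$WORK/text.txt" "$WORK/plaintext.txt"; then echo same; else echo different; fi
}
```

Only encrypted.txt and session.key.enc need to travel; anyone holding just those two files and the public key can neither recover the session key nor the text, while the holder of private.key recovers both. rsa_can_encrypt_bytes makes the size limit concrete: 100 bytes fit in one 2048-bit RSA operation, 1000 bytes do not, so a file of any real size has to go through the symmetric cipher.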
Now moving ahead from cryptography, let’s talk about certificates. Okay, so now that we’re done with cryptography let’s talk about digital certificates. So what is a digital certificate? Well, a digital certificate is an electronic password that allows a person or organization to exchange data securely over the internet using public key infrastructure. So a digital certificate is also known as a public key certificate or an identity certificate. Now digital certificates are a means by which consumers and businesses can utilize the security application of public key infrastructure; public key infrastructure comprises the technology to enable and secure e-commerce and internet-based communication. So what kind of security does a certificate provide? Firstly it provides identification and authentication: the persons or entities with whom we are communicating are really who they say they are, so that is proved by certificates. Then we have confidentiality: the information within a message or transaction is kept confidential; it may only be read and understood by the intended sender. Then there’s integrity, and there’s non-repudiation: the sender cannot deny sending a message or transaction. Then we really get to non-repudiation, and I’ll explain how non-repudiation comes into digital certificates. So digital certificates are actually issued by authorities, businesses who make it their business to certify people and their organizations with digital certificates. Now you can see these on Google Chrome; let me just open Chrome for you guys, and you can see it out here, you can see certificates, and you can go into the issuer statements and you can go into all sorts of stuff, so you can see it’s issued by Let’s Encrypt Authority X3, so that’s an issuing authority for digital certificates. Now that was all about the theory of certificates, let’s go and see
how you can create one. So to create a digital certificate we are going to be using the OpenSSL tool again. So first of all let me show you how to create a certificate; we are going to be using the OpenSSL tool for that. So first of all let me clear the screen out. In this case I’m going to generate a certificate authority certificate, and I’m doing an RSA key here to use inside the certificate, so first of all I need to generate a private key. To do that, as I had just showed you guys, we can use the OpenSSL tool: you go openssl genrsa, and we can use -des3, and we’ll get the output, let’s call it ca.key, and we’re gonna use 4096 bits. So I’m generating a private key, and the private key is used as part of the certificate, and there’s a public key associated with the certificate, so you’ve got a public and a private key, and data gets encrypted with the public key and then gets decrypted with the private key. So they are mathematically linked, the public and private key, because you need one for one end of the communication and the other for the other end of the communication, and they have to be linked so that the data that gets encrypted with one key gets decrypted with the other key. So this is asking for a passphrase, and I’m gonna be giving my name as the passphrase, and that has generated the key for us. So now I’m going to generate the certificate itself, and I’m gonna be using the openssl utility. So first of all you say openssl and say req, so it’ll be a new request, -new, and it’s gonna be an -x509 request, it’s going to be valid for 365 days, and let’s see, the key is gonna be ca.key, and we’re gonna output it into ca, or let’s call it edureka.crt. So this is a certificate that I’m creating in the name of the company that I’m working for, that is Edureka. So it says it’s unable to load the private key; let me just see if a private key exists. I had a previous private key, so let me just remove that. It doesn’t have a ca.key, seems like I put the name differently, so let me just try that again: openssl, and we do req, so we’re requesting a new certificate, -new, it’s gonna be -x509, and it’s gonna be there for 365 days, and the key is ca.key, apparently that’s what it’s called out here, and it’s gonna be output into edureka.crt, and it’s asking, so let’s enter the passphrase, it’s my name. So now it’s gonna ask me a bunch of information that’s gonna be inside the certificate. So let’s say it’s asking the country name, let’s put IN; state or province name, some state, so Bangalore; a locality, let’s say Whitefield; organization name is Edureka; unit name Brain Force; common name, let’s leave that out; email address, let’s leave that out too, and we have our certificate. So if you go and list out your files you will see that there is a certificate called edureka.crt out here, which is highlighted. Okay, so now if you want to view this file you could always use the OpenSSL utility: you say you want to read an x509 request, and you want it in -text, and what you want to see is edureka.crt. Okay, so that is the certificate, so you see that it has the signature, it has the signature algorithm, it has all the information about the certificate, and it’s got the signature issuer: C=IN, state Bangalore, location Whitefield, unit Brain Force, locality; it has all sorts of information. So that was all about digital certificates, who issues digital certificates, where are they useful. So this is basically non-repudiation: nobody can say, wait, if this certificate is included in some sort of a website and that website tends to be, suppose, malicious and there’s a complaint, now the website can’t go to a court of law and say they didn’t know about this, because the certificate that was included had their private key, and the private key was only supposed to be known to the company. So that is non-repudiation: you just can’t deny that you didn’t do it. Okay, so that was all about certificates, now moving on.
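The certificate-authority certificate built above, as an added example that is not the video’s own session, taken one step further: a server certificate issued (signed) by that CA, and the chain check that a browser or openssl verify performs against the authorities it trusts. It assumes the openssl command-line tool is installed; the subject fields, the hostname www.example.test and the organization names are constructed, not Edureka’s real certificate details, and the keys are left without a passphrase so nothing prompts.

```shell
#!/bin/sh
# Added example, not the video's own session: a self-signed CA certificate
# like the one the video builds, a server certificate issued by that CA,
# and the chain check. Assumes `openssl` is installed; subject values are
# constructed, not the real certificate details of any organization.
set -eu

WORK=$(mktemp -d)

# Self-signed CA certificate. -subj supplies on the command line the fields
# the video typed interactively (country, state, locality, org, unit, CN).
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Example Org/OU=Training/CN=Example Root CA"
}

# A server certificate: its own key, a certificate signing request (CSR),
# then the CA signs the CSR. This is what a public CA does for a website.
make_server_cert() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=IN/ST=Karnataka/L=Bangalore/O=Example Org/CN=www.example.test"
    openssl x509 -req -days 90 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# An unrelated CA, to show that a certificate only verifies against the
# authority that actually signed it.
make_other_ca() {
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORK/other.key" -out "$WORK/other.crt" \
        -subj "/C=IN/O=Some Other Org/CN=Other Root CA"
}

# cert_cn <file>: the Common Name from the subject (who the certificate is
# for). The video dumps everything with `openssl x509 -text`; here one field
# is pulled out of the RFC 2253 form of the name.
cert_cn() {
    openssl x509 -in "$WORK/$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_issuer <file>: the Common Name of whoever signed it
cert_issuer() {
    openssl x509 -in "$WORK/$1" -noout -issuer -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# verify_against <cert> <ca-cert>: "valid" if the signature and chain check
# out against that CA, "invalid" otherwise. A browser does the same check
# against its trusted CAs, which is why a self-signed site certificate warns.
verify_against() {
    if openssl verify -CAfile "$WORK/$2" "$WORK/$1" >/dev/null 2>&1
    then echo valid; else echo invalid; fi
}
```

After make_ca and make_server_cert, server.crt carries the subject www.example.test and the issuer Example Root CA, verifies against ca.crt, and fails to verify against other.crt: the CA’s private key is the only thing that could have produced that signature, which is the non-repudiation property described above.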
Okay, so moving on, we are gonna be talking about cryptographic hashing. Now while the word cryptography is in the term cryptographic hashing, and it does lead you to believe that there is encryption involved, there is no encryption involved in a cryptographic hash. There is a significant difference between hashing and any sort of encryption, and that is primarily that encryption is a two-way process: when I encrypt a piece of data or a file or anything else, what I’m doing is putting it into a state where I expect to be able to get it back out again; in other words, when I encrypt a file I expect to be able to decrypt the file and get the original contents. Hashing, on the other hand, is a one-way function: once I’ve hashed a piece of data or a file, there is no expectation and no ability to get the original piece of data back. Hashing generates a fixed-length value, and different types of hashing will generate different length values; for example MD5 will generate a different length value than SHA-1, and they’re both hashing algorithms, but they generate different length values. And the resulting value from a hash function should have no relation at all to the original piece of data. As a matter of fact, if two inputs generate the same hash value it’s called a collision, and if you can generate collisions you may be able to get to a point where you can generate pieces of data that are going to generate the same hash values, and that leads you to the potential ability to break the particular hashing algorithm that you are using. So what can we use hashes for? Well, one thing we can use hashes for is file integrity: we can run a hash on a file and get a value back, and later we can check the value to make sure it’s the same; if it’s the same I can be sure that the same file was hashed in both instances. So let me just show you an example of what I just said, that if we hash a file we will get the same hash every time. So remember the certificate that we just created; let me just log in again. So we are going to hash this certificate and it will create a certain hash, and we are going to see that every time we hash it we are getting the same hash. So we can use this command called md5sum, and we can do edureka.crt, so this is the hash produced after you’ve hashed edureka.crt. So if I do an md5sum again (md5 is a hashing algorithm that you should know of), so edureka.crt, and it will produce the very same hash. Let’s see what SHA-1 looks like: so sha1sum edureka.crt, okay; sha1sum is the SHA-1 tool from the coreutils package. Okay, so I’ve proved my point that with MD5, which is a cryptographic hashing algorithm, we are getting the same hash back. So if you are able to produce the same hash, that means you have broken the algorithm in itself. So md5sum runs on Linux; you can get a version of md5sum, an MD5 summation program, on Windows, and Mac OS comes with the utility md5, which does the same thing. So I just showed you the file and I hashed it. Another reason we use hashing is for storing passwords: passwords are stored after hashing, we hash the passwords, and the reason for hashing passwords is so you’re not storing the passwords in clear text, which would be easily seen even if you got it protected with permissions. If I hash a password, every time I hash that password I’m going to get the same value back from the same algorithm, so what I do is store the hash in some sort of password database; since it’s a one-way function you can’t get the password back directly from the hash. Now what you can do, and what most password cracking programs do, is some variation of this: you just generate hashes against a list of words and you look for a hash value that matches the one in the password database; once you get the hash that matches the one in the password database, you know what password is there. And here we come back to the idea of collisions: if I can take two different strings of characters and get the same values back, it’s easier to crack the password, because I may not necessarily get the password, but if the hash that I get back from a particular string of data is the same as that I get from the original password, then it doesn’t matter whether I know the password, because the string of data that I put in is going to generate the same hash value that you’re going to compare when you log in, and this hash value will just say that it is valid and you’ll be able to log in. So suppose the password that you chose while making your account is dog, and the word dog produces this hash value; if I were to, like, hash cat with the same algorithm, and if the algorithm was prone to collisions, it might produce the same hash value, so with the password cat I could open up your password, I mean I could open up your account. So that was all about hashing and hashing algorithms, let’s move on.
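The hashing properties just described, run with the same md5sum and sha1sum tools (plus sha256sum) as an added example that is not the video’s own commands: same file, same digest; a digest length that depends only on the algorithm; a one-character edit changing the whole digest; and the wordlist lookup against a stored password hash, with a salted variant beside it. All sample data, the stand-in certificate file and the three-word list, is constructed; it assumes GNU or busybox coreutils.

```shell
#!/bin/sh
# Added example, not the video's own commands: the md5sum / sha1sum tools the
# video uses, what "same input, same hash" buys you, and the password-hash
# lookup it describes. All sample data is constructed. Assumes GNU or
# busybox coreutils (md5sum, sha1sum, sha256sum).
set -eu

WORK=$(mktemp -d)
printf 'constructed stand-in for edureka.crt\n' > "$WORK/edureka.crt"
printf 'cat\ndog\nfish\n' > "$WORK/words.txt"     # a tiny constructed wordlist

# digest <algorithm> <file>: only the hex digest ("md5sum" prints
# "<digest>  <filename>"; awk keeps the first field).
digest() { "$1sum" "$2" | awk '{print $1}'; }

# File integrity: same file, same algorithm, same digest every time.
same_every_time() {
    if [ "$(digest md5 "$WORK/edureka.crt")" = "$(digest md5 "$WORK/edureka.crt")" ]
    then echo same; else echo differs; fi
}

# digest_length <algorithm>: length in hex characters. It depends only on
# the algorithm, never on the input size: md5 128 bits -> 32, sha1 160 -> 40,
# sha256 256 -> 64.
digest_length() { digest "$1" "$WORK/edureka.crt" | awk '{print length($1)}'; }

# A one-character change to the input gives an unrelated digest.
changes_on_edit() {
    printf 'constructed stand-in for edureka.crt!\n' > "$WORK/edited.crt"
    if [ "$(digest sha256 "$WORK/edureka.crt")" = "$(digest sha256 "$WORK/edited.crt")" ]
    then echo same; else echo different; fi
}

# hash_string <string> <algorithm>: what a password store would keep.
# printf rather than echo, so no trailing newline sneaks into the hash.
hash_string() { printf '%s' "$1" | "$2sum" | awk '{print $1}'; }

# crack_unsalted <stored-hash> <algorithm> <wordlist>: the lookup the video
# describes. Hash each word; the one whose hash matches is the password.
crack_unsalted() {
    while IFS= read -r word; do
        if [ "$(hash_string "$word" "$2")" = "$1" ]; then
            echo "$word"
            return 0
        fi
    done < "$3"
    echo no-match
}

# salted_hash <salt> <password>: a per-user random salt stored beside the
# hash means two users who both chose "dog" get different hashes, so one
# precomputed list of word hashes no longer matches everyone at once.
salted_hash() { hash_string "$1$2" sha256; }
```

crack_unsalted with the MD5 of "dog" and the three-word list returns dog, and with the hash of a word not on the list returns no-match; salted_hash s1 dog and salted_hash s2 dog differ even though the password is the same, which is what defeats the shared precomputed list (the unsalted lookup still works against any single salted hash, just one user at a time).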
Okay, so in this part of the video we are gonna go over SSL and TLS. Now SSL and TLS are ways of doing encryption, and they were developed in order to do encryption between websites, web servers, and clients or browsers. SSL was originally developed by a company called Netscape, and if you don’t remember, Netscape eventually spun off their source code and became the Mozilla project, where we get Firefox from. So back in 1995 Netscape released version 2 of SSL; there was a version 1, but nothing was ever done with it, so we got to version 2 of SSL, and that was used for encryption of web transmission between the server and the browser. Now SSL version 2 had a whole number of flaws, and SSL 2 has the type of flaws that can lead to decryption of messages without actually having the correct keys and not being the right endpoints, and so Netscape released SSL version 3 in 1996, and so we get SSL 3.0, which is better than 2.0, but it still had some issues, and so in 1999 we ended up with TLS. Now SSL is Secure Sockets Layer and TLS is Transport Layer Security; they both accomplish the same sort of thing, and they’re designed primarily for doing encryption between web servers and web browsers, because we want to be able to encrypt that type of traffic. So let me show you what that kind of traffic looks like. First of all let me open Wireshark, and out here I already have a TLS capture ready for you guys, and you can see we have all sorts of TLS data: you can see here’s my source, it’s 1.32, and the destination is 6-1 2.40 59 46, doing a Client Key Exchange and a Change Cipher Spec and an Encrypted Handshake Message, and then we start getting Application Data. So there are some other steps involved here, and you’re not seeing all of it with this particular Wireshark capture, because again, you know, we get fragmented packets, and at some point it starts getting encrypted and you can’t see it anyway, because Wireshark, without having the key, can’t decrypt those messages. But what ends up happening is the client sends a Hello and the server responds with a Hello, and they end up exchanging information as part of that, including the version numbers supported, and you get a random number, and the client is going to send out a number of cipher suites that it may want to support, in order, and the server is going to pick from those suites of ciphers. Then we start doing the key exchange, and then do the Change Cipher Spec from the client and server, and eventually the server just sends a Finished message, and at that point we’ve got this encrypted communication going on. But there’s this handshake that goes on between the two systems, and there’s a number of different types of handshakes depending on the type of endpoints that you’ve got, but that’s the type of communication that goes on between servers and clients. One important thing about using SSL and TLS is, as I mentioned, some of the earlier versions had vulnerabilities in them, and you want to make sure that the servers aren’t actually running those, so you want to run some scans to figure out the types of protocols and ciphers that different systems use. So for this we can use something called sslscan; this is available for UNIX, I’m not really sure if there is something similar for Windows or Mac, but on a UNIX-based system, that is Linux, we can use sslscan. So let me just show you how to use that; clear this part out. So what we can do is run sslscan against, suppose, www.edureka.co. So I’m going to do an sslscan here against the website, and you can see it’s going on, probing all the different types of ciphers that we know on this system, starting with SSLv3 and going on to TLS version 1, and we could force the scan to try to do SSLv2. If I scroll back up here I’ve got the server’s first cipher, which is SSL version 3, it’s using RSA, and it’s using RSA for the asymmetric, now, in order to do the key exchange, and once we get the session key up you’re going to use AES 256, and then we’re going to use the secure hash algorithm to do the message authentication, or the MAC; it’s something called the HMAC, the hashed message authentication code, and what it does is simply hash the MAC address that you would check one side against the other to make sure that the message hasn’t been fiddled with in transmission. You can see here all the different types of cipher suites that are available here; still, SSL is running RC4 at 40 bits using MD5, so that would be a pretty vulnerable type of communication to use between the server and the client. The 40-bit cipher using RC4 is a low-strength cipher, and we would definitely recommend that clients remove those from the supported ciphers that they have on their server. All that configuration would be done at the web server, as well as when you generated your key and your certificates. Normally certificates would be handled by a certificate authority; now you can also self-sign certificates and have those installed in your web server in order to secure communications with your clients. The challenge with that is browsers today warn when they see a certificate against a certificate authority that is untrusted, or it doesn’t have any certificate authority at all, so you’ll get a warning in your browser indicating there may be a problem with your certificate. If your clients are savvy enough, and if the users are savvy enough, you may be able to make use of these self-signed certificates and save yourself some money, but generally it’s not recommended, simply because clients are starting to get these bad certificates, and when they run across one that’s really a problem, a real rogue certificate, they’re going to ignore the certificate message in their browser and just go to these sites that could have malicious purposes in mind and may end up compromising the clients, or your customers or users. So that’s SSL and TLS and how they work and negotiate between servers and endpoints.
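Triage of the kind of results the sslscan run above produces, as an added example that is not the video’s own scan: it flags the weaknesses the text calls out (SSLv2/SSLv3, 40-bit keys, RC4, MD5) plus the export, DES/3DES and NULL cases of the same family, over a constructed result set. The "Accepted" lines follow sslscan’s column order (Accepted, protocol, bits, "bits", suite name; anything after the suite is ignored) but are made up here, not taken from a scan of any real site.

```shell
#!/bin/sh
# Added example, not the video's sslscan session: triage of sslscan-style
# results for the weaknesses the text calls out. The "Accepted" lines are
# constructed in sslscan's general layout, not a real scan of any site.
set -eu

SAMPLE_SCAN='Accepted  SSLv2  40 bits   EXP-RC4-MD5
Accepted  SSLv3  128 bits  RC4-SHA
Accepted  SSLv3  256 bits  AES256-SHA
Accepted  TLSv1.0  128 bits  DES-CBC3-SHA
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384'

# weak_reasons <line>: one reason per line for each weakness found; prints
# nothing if the protocol/suite combination looks acceptable.
# Fields: Accepted <protocol> <bits> bits <suite> ...
weak_reasons() {
    set -- $1          # split the line on whitespace into positional params
    proto=$2; bits=$3; suite=$5
    case "$proto" in
        SSLv2|SSLv3)     echo "obsolete protocol $proto" ;;
        TLSv1.0|TLSv1.1) echo "legacy protocol $proto" ;;
    esac
    if [ "$bits" -lt 128 ]; then echo "short key: $bits bits"; fi
    case "$suite" in *EXP*)  echo "export-grade suite" ;; esac
    case "$suite" in *RC4*)  echo "RC4 stream cipher" ;; esac
    case "$suite" in *DES*)  echo "DES or 3DES block cipher" ;; esac
    case "$suite" in *MD5*)  echo "MD5-based MAC" ;; esac
    case "$suite" in *NULL*) echo "no encryption" ;; esac
}

# weak_suites: reads scan output on stdin, prints the name of every
# accepted suite that has at least one weakness. These are the entries to
# remove from the web server's cipher and protocol configuration.
weak_suites() {
    while IFS= read -r line; do
        case "$line" in Accepted*) ;; *) continue ;; esac
        if [ -n "$(weak_reasons "$line")" ]; then
            set -- $line
            echo "$5"
        fi
    done
}

# count_weak: how many of the constructed sample's suites need attention
count_weak() {
    printf '%s\n' "$SAMPLE_SCAN" | weak_suites | wc -l | tr -d ' '
}
```

On the sample above, four of the seven accepted entries are flagged (EXP-RC4-MD5, RC4-SHA, AES256-SHA because it is offered over SSLv3, and DES-CBC3-SHA over TLSv1.0), while the TLSv1.2 AES-GCM suites and the TLSv1.3 suite pass; the fix for each flagged entry is the server-side configuration change the text mentions, removing the protocol version or the suite from what the server offers.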
Okay, so now that we’ve talked about TLS and SSL, let’s talk about disk encryption. Now disk encryption is actually something that was not really difficult to do, but sort of out of the reach of normal desktop computers for a really long time. Although there have long been ways to encrypt files, and to a lesser degree maybe entire disks, as we get faster processors, certainly encrypting entire disks, and being able to encrypt and decrypt on the fly without affecting performance, is something that certainly comes within reach, and it’s a feature that shows up in most modern operating systems to one degree or another. Now we are going to look at a couple of ways here of doing disk encryption; I’m going to tell you about one of them first, and it’s not the one I can show, and I can’t really show the other one either. So with Microsoft, their Windows systems have this program called BitLocker, and BitLocker requires either Windows Ultimate or Windows Enterprise; I don’t happen to have either version, so I can’t really show it to you, but I can tell you that BitLocker has the ability to do entire disk encryption, and they use AES for the encryption cipher. And the thing about BitLocker is that they use a feature that comes with most modern systems, particularly laptops, which have a chip in them that’s called the Trusted Platform Module, or TPM. The TPM chip is, in part, what it does is it stores the keys that allow the operating system to be able to access the disk through this encryption and decryption process, and they use a pretty strong encryption cipher, which is AES, but you have to have one of a couple of different versions of Windows in order to be able to use BitLocker, and some of those things you would normally run in an enterprise, and so that’s why they included it in the Enterprise edition. Now on the Mac OS side they have this thing called FileVault, and you see in the System Preferences, under Security and Privacy, if you click FileVault you can turn on FileVault. Now if you have the little button there that says turn on FileVault, then you can turn on FileVault and it’ll ask you about setting up keys, and it works similar to Windows BitLocker. Now PGP happens to have the ability to do disk encryption, and you can see that in the case of this Ubuntu system they’ve got a package called gdecrypt, which is a GUI that allows you to map and mount a created encrypted volume, so I could run gdecrypt and it would help me set up the process of encrypting the volumes they’ve got on my system. Now disk encryption is a really good idea, because when you are working with clients the data is normally very sensitive, so as I mentioned you can always use things like BitLocker and FileVault or other such software for disk encryption. So what I mentioned before is now not only possible, it’s very much a reality with current operating systems. Now let’s talk about scanning. Now scanning refers to the use of
computer networks to gather information regarding computer systems and network
scanning is mainly used to security assessment and system maintenance and
also for performing attacks by hackers but the purpose of network scanning is
as follows it allows you to recognize available UDP and TCP network services
running on a targeted host it allows you to recognize filtering systems between
the users and the targeted hosts it allows you to determine the operating
systems and use by assessing the IP responses then it also allows you to
evaluate the target hosts TCP sequence numbers and predictability to determine
the sequence prediction attacks and the TCP spoofing now network scanning
consists of Network port scanning as well as vulnerability scanning Network
port scanning refers to the method of sending data packets via the network
through computer system specified service port this is to identify the
available network services on that particular system this procedure is
effective for troubleshooting systems issues or for tightening the system
security vulnerability scanning is a method used to discover known
vulnerabilities of computing systems available on network it helps to detect
a specific weak spot in an application software or the operating system which
could be used to crash the system or compromise it for undesired purposes now
network port scanning as well as vulnerability scanning is an information
gathering technique but when carried out by anonymous individuals they are viewed
as a pollutant tuk network scanning processes like port scans and ping
swipes and return details about which IP address mapped to active live who’s and
the type of service they provide another network scanning method known as inverse
mapping gathers details about IP addresses that do not map to live hosts
which helps an attacker focus on feasible addresses network scanning is
one of the three important methods used by an attacker to gather information
during the footprint stage and the attacker makes a profile of the target
organization this in data such as organizations domain name
systems and email servers in additions to its IP address range and during the
scanning stays the attacker discovers details about the specified IP addresses
that could be accessed online their system architecture their operating
systems and services running on every computer now during the enumeration
staged attacker collects data including routing tables network user and group
names simple network management protocol data and so on now a very popular tool
that is used for network scanning is nmap. Now nmap is a must-have tool for most ethical hackers, and crackers throughout the industry are using it on a daily basis. What it is used for is scanning, as I just said, and the only bad part about nmap is that it is a very noisy scanner, but if you know some ways of IDS evasion, which is the next topic that we're going to talk about, you can very well do an nmap scan while being very quiet. So let's go into nmap and see the different ways that we can use it. Nmap was originally available on UNIX systems, but I've also heard that it's also available on Windows systems; for now I'm going to be using the UNIX version.

So first of all let's go ahead and open up our UNIX system that is running on our virtual machine, and let me clear the screen out here. I already have nmap installed, but if you don't you can go apt-get install nmap and that should install nmap for you; if you're not the root user you might want to use the sudo command along with it. So I'm not really going to run this command right now because I already have nmap installed; what I'm going to do is show you the different ways we can use nmap. When you're using a tool on your Linux box, the first thing that you want to do with any tool is go and type the help command, so if you do nmap -h it'll show you all the stuff that you can do with nmap. As you guys can see, we can do a bunch of target specification, we can do host discovery, we have different types of scan techniques, port specification and scan order, then there's all the service version detection and script scans, so there's a bunch of things that we can do.

Okay, so now let me just show you how you can do all sorts of stuff. Suppose you want to do an nmap scan, let's say nmap edureka.co: this will start an nmap scan on the IP address that edureka.co sits on, and as you guys can see this is running an nmap scan and it can take a little bit of time. Now since it's taking a lot of time I'm going to show you some other ways by just quitting out of it. Okay, so now that I've stopped it because it was taking too much time: you can also specify an IP address, so suppose you want 192.168.1.24, you can do an nmap scan on an IP address like that. I'm also going to quit out of this because my computer is really slow and taking a bunch of time to actually load anything. Then you can also do a scan on an entire subnet, like suppose you want 192.168.1 and all the IPs from 1 through 24, so 192.168.1.1-24: this is how you would do it, and you can run that and then it would do an nmap scan on all those IP addresses. I'm going to quit out of every scan because this computer is really, really slow.

Okay, so let me show you some other flags. Suppose you had a file, targets.txt, that had all the targets in it, so let me just create a target file, targets.txt. Now you could use this file and actually run nmap through all the IP addresses in it: suppose targets.txt had a list of IP addresses, all you would have to do is nmap -iL, which is basically input list, so small i and capital L, and then you give the name of the file, which is targets.txt. Okay, so because that file had no IP addresses in it you can see 0 IP addresses scanned in 0.89 seconds. So you can do that. Nmap also allows you to do an exclude, with --exclude, so suppose you want to do a scan and you want to exclude some IP address: you can very well do that and it will start scanning everything else. So that was a hostname, which is why it failed as a target. Now you can also do some
scanning techniques. So suppose you want to scan for SYN ports: for a SYN scan you do small s and capital S, so -sS, and that will do a TCP SYN port scan, and you can do it on anything; after that you just put in an IP address, so out here I'm going to say 192.168.2.34, and it'll give you all sorts of information after that is done. I'm not going to run the scan for a long time. After that you can also do a TCP connect scan, and for that you use the -sT flag, so nmap -sT; this is the default, and you use it for a TCP connect scan, so after that you just enter the IP address and that should do a TCP port scan. Let's quit out of that.

So let me just tell you all the flags for the different types of scanning techniques. -sU instead of -sT will actually scan for UDP ports; then if you do -sA it will do an ACK scan, so when there's a TCP handshake going on the target sends back an acknowledgement packet, and you can specifically scan using those types of packets; for a Window scan you can do -sW, and for a Maimon scan you can do -sM.

Okay, now you can also do a bunch of host discovery stuff with nmap, so let's go over them one by one. With nmap you can do something like -sL, and this is a list scan: it does no port scan, it will only list the targets, so you could do something like nmap -sL and then the IP address, 192.168.2.34, so that will do that, and let's quit out of that quickly. You can also use the -sn flag, which disables port scanning and does host discovery only; this will not give you port results but it will save you some time. And you can use the -n flag also, which tells nmap to never do hostname resolution, so you can save yourself some time that way. Then you can also do ARP discovery on a local network, so let me just show you how to do that: the nmap flag for ARP discovery is -PR, and you could do it on your local network. Okay, so that's a very invalid IP, yeah, so that was the gateway, and since that's the gateway I'm running nmap on some random IP all the time; let's run ifconfig first and let's see our IP address. Our IP is this, so let's try and do some scans on ourselves. That was all about host discovery. Now you can also do some port specification, so you can do
port specifications like this: nmap -p 21 on our IP, so it'll scan port number 21, and it shows you 21/tcp closed ftp, so that's FTP and it's closed, which is how it should be. Then you can use a port range, like you could say -p 21-200, and that would scan all the ports from 21 to 200.
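To show what a TCP connect scan (the -sT technique) with an nmap-style port spec and target list actually does, here is an added example written for this page; it is not nmap's code and not from the video. It uses only the Python standard library, the port-spec and target-spec parsers are my own minimal versions of nmap's syntax (single port, range, comma list; single IP, CIDR, last-octet range, an exclude list like --exclude), and the demo target is a throwaway listener on 127.0.0.1 that the script starts itself, so nothing real is scanned:

```python
"""Minimal TCP connect() scanner (added example, not nmap's code).
connect() completing means the port is open, an immediate RST
(ConnectionRefusedError) means closed, and silence until the timeout means
filtered: something dropped our SYN without answering."""
import ipaddress
import socket
import socketserver
import threading


def parse_ports(spec):
    """Parse an nmap-style spec like "21", "21-200" or "22,80,443,8000-8010"."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if not 0 < lo <= hi <= 65535:
                raise ValueError(f"bad port range: {part}")
            ports.update(range(lo, hi + 1))
        else:
            p = int(part)
            if not 0 < p <= 65535:
                raise ValueError(f"bad port: {part}")
            ports.add(p)
    return sorted(ports)


def expand_targets(specs, exclude=()):
    """Expand target specs (one per line of a targets file, as with -iL):
    a single IP, a CIDR block, or an nmap last-octet range like 192.168.1.1-24.
    Anything listed in `exclude` is dropped, mirroring --exclude."""
    excluded = set(exclude)
    out = []
    for spec in specs:
        spec = spec.strip()
        if not spec or spec.startswith("#"):
            continue
        if "/" in spec:
            addrs = [str(a) for a in ipaddress.ip_network(spec, strict=False)]
        elif "-" in spec.rsplit(".", 1)[-1]:
            prefix, last = spec.rsplit(".", 1)
            lo, hi = (int(x) for x in last.split("-", 1))
            addrs = [f"{prefix}.{i}" for i in range(lo, hi + 1)]
        else:
            addrs = [str(ipaddress.ip_address(spec))]
        out.extend(a for a in addrs if a not in excluded)
    return out


def connect_scan(host, ports, timeout=0.5):
    """Return {port: "open" | "closed" | "filtered"} using full TCP connections."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"          # three-way handshake completed
        except ConnectionRefusedError:
            results[port] = "closed"        # RST came back: nothing listening
        except (socket.timeout, OSError):
            results[port] = "filtered"      # no answer: dropped or unreachable
        finally:
            s.close()
    return results


def demo():
    """Start a throwaway listener on 127.0.0.1 (a constructed target, not a
    real host), scan the ports around it, and return (listening_port, results)."""
    server = socketserver.TCPServer(("127.0.0.1", 0), socketserver.BaseRequestHandler)
    open_port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        ports = parse_ports(f"{open_port - 1}-{open_port + 1}")
        results = connect_scan("127.0.0.1", ports)
    finally:
        server.shutdown()
        server.server_close()
    return open_port, results


if __name__ == "__main__":
    listening, scanned = demo()
    for port, state in scanned.items():
        print(f"{port}/tcp {state}{'   <- our listener' if port == listening else ''}")
```

Because every probe here is a full connect(), the target's application logs the connection, which is exactly why a connect scan is noisier than the SYN scan in the video: -sS never completes the handshake, so only packet-level logging sees it.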
So that was about port scanning. Now you can also do a fast port scan, and that's what the -F flag is for, so let's get the previous command back up and all you want to add is -F, so that'll be a fast port scan, and as you can see that was very fast, considerably faster than most of the scans. Another thing you can do, suppose you want to just scan the top ports: you could say --top-ports and a number, and that'll scan that many of the most common ports on this IP address. Now this will take a long time because it's a very slow computer, so okay, that did it.

Now let's go and do some service version detection. So let's first get back our edureka.co IP address and let's try and do some service detection on that, so nmap -sV on that address; you could have done it on edureka.co itself. -sV gives you the service version, so it'll attempt to determine all sorts of service versions that are running on that IP address. I personally know that it's an Apache 2.0 server that's running on there, so I'm not really going to wait for the scan to run, but that's how you actually do it. You can also increase the version intensity, so let's just stop out of that. Now the intensity is done something like this: you go --version-intensity and then you specify a number anything between 0 and 9, and the higher the number the more correctness that you can kind of get out of nmap, so you can say --version-intensity 8. Okay, seems like version intensity actually has been removed from nmap, so that's an update that you learned in this lesson.

Okay, you can also do aggressive scans: for aggressive scans all you have to do is the -A flag, so -A, and that will do a very aggressive scan on that IP address. Okay, so that was all about aggressive scans; it takes a really long time, so I'm going to just quit. Then you can do something like OS detection also: if you want some OS detection you could use nmap and go -O, and that'll give you the OS detection. And that's basically the end of our nmap tutorial. So moving on, we are going to be discussing IDS evasion, which is going
to be the last lesson for this video. So now let's talk about intrusion detection evasion. Before we get into IDS evasion, let's talk about what exactly an IDS is. Now an intrusion detection system, or IDS, is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking action when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses. Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms, or false positives; consequently organizations need to fine-tune their IDS product when they first install it. That means properly configuring the intrusion detection system to recognize what normal traffic on the network looks like compared to potentially malicious activity. An intrusion prevention system also monitors network packets for potentially damaging network traffic, but where an intrusion detection system responds to potentially malicious traffic by logging the traffic and issuing a warning notification, an intrusion prevention system responds to such traffic by rejecting the potentially malicious packets.

So there are different types of intrusion detection systems: they come in different flavors and detect suspicious activity using different methods. One kind of intrusion detection system is a network intrusion detection system, that is NIDS, which is deployed at a strategic point or points within the network where it can monitor inbound and outbound traffic to and from all the devices on the network. Then there is a host intrusion detection system, that is HIDS, which runs on all computers or devices in the network with direct access to both the internet and the enterprise's internal network. HIDS have an advantage over NIDS in that they may be able to detect anomalous network packets that originate from inside the organization, or malicious traffic that a NIDS has failed to detect; HIDS may also be able to identify malicious traffic that originates from the host itself, as when the host has been infected with malware and is attempting to spread to other systems. A signature-based intrusion detection system monitors all packets traversing the network and compares them against a database of signatures or attributes of known malicious threats, much like antivirus software. Okay, so now let's talk about IDS
evasion. Now an IDS is an intrusion detection system, as we just talked about, and it is designed to detect exactly the types of activities that we are engaged in sometimes. Sometimes you may be called in to work on a target where your activities are known, and should be known, by the operators or the operations people involved in monitoring and managing the network, the idea being that not only do they want to assess the technical controls that are in place, but they also want to assess the operational procedures and ensure that the systems and processes are working the way that they are supposed to be working. Now when you are engaged with a target that you are in full cooperation with, you don't need to do these types of evasion tactics, and all these techniques may be avoided, but if you are asked to perform an assessment or a penetration test on a target where they are not supposed to see your activities, then you need to know some different techniques to evade detection by an IDS. So we are going to talk about a couple of different things that you can do.

One thing that you can do is manipulate packets to look a particular way, and for this there is a tool called packit. Packit is a really good way to actually manipulate traffic by manipulating the contents of a packet, like you can specify the destination and the source, so it's a really useful tool to make a packet look a particular way. One thing it can do is allow you to spoof IP addresses, so I could set the source IP address to something completely different from mine. Now if I'm using TCP or UDP I'm not going to see the response packets, and in the case of TCP I'm not even going to get the three-way handshake to complete, because the responses are going to go back to the spoofed source IP. But what you can do, in addition to spoofing, is set particular ways that a packet may look, like changing the type of service, or changing the fragmentation offset, or different flag settings, that may allow you through an IDS without getting flagged, and it may also allow you through a firewall. Now it's a slim possibility, but it's a possibility. Another thing you can do is use packit to generate a lot of really bogus data, and what you might do is hide in the noise generated by packit: you could create some really bogus packets that are sure to set off IDS alarms and then run some legitimate scans underneath, and hopefully be able to get some responses back without being detected.

So if you were to look at nmap, let me just open nmap up for you and go nmap -h, you can see a throttle option out here, in the timing and performance section of the help page. One of the things that you can see is the throttle, in other words the timing template, to go really slow, so if I do -T0 with an nmap scan it's going to really, really slow it down, and it goes really, really slow, so there's a possibility it may not rise to the threshold that would trigger an IDS, and this is what we would call a low-and-slow scan. Now of course this is only nmap, and that would be a port scan; there's still a lot of other work that you would have to do, and you may have to find other ways to get around that. You can also see here in the help that there's some firewall/IDS evasion and spoofing options, and you can do things like fragment packets, and fragmented packets sometimes will avoid an IDS because the IDS is going to look at what's in front of it and may not have the ability to gather the entire packet and put it back together to take a look at what's going on, so sometimes fragmented packets can get through. You can also add decoys into a scan, and again use a kind of cover, friendly-fire sort of approach, where nmap will throw a bunch of decoys into the mix of the scan that you're doing and hopefully you'll get lost amongst the decoys that are going on. I can also spoof the source address and do some other things around data length and TTL, and I can also spoof MAC addresses and send packets with a bogus checksum, so all of those have the possibility of getting around firewalls and IDS and doing evasion.

Now one of the downsides of using some of these techniques, and particularly the timing technique that we talked about, is that you run the risk of really slowing down your work, which of course is a side effect of this type of approach where you have to hide yourself and your activities; but the thing to keep in mind is you've got a limited time frame in which to perform these sorts of activities, and you really want to keep that in mind and be aware of how long some of these techniques are going to take. So also along the line of friendly fire, you could do the spoof technique with a throttle of -T5 and just throw a lot of really bogus traffic at your target while also running a separate nmap scan which shows legitimate information, and again hopefully you can get through underneath that friendly fire that's causing a lot of noise. Similarly there's this tool called Nikto,
which does web application testing, and you can see that it has some IDS evasion techniques built in. So if you are doing web application testing and you need to do IDS evasion, what you can also do is throw a Nikto scan out from another system, and again you may be able to hide underneath the noise from the Nikto scans while you are doing some other technique. Hopefully you can see enough of these sorts of tactics to hide yourself well enough to be able to get what you need from your target without being detected by the target and the operations people there.

Okay guys, this brings us to the end of this exhaustive video. I hope you guys had fun learning about the various topics that we talked about; if you have any doubts you can always leave them down in the comment section below. If you guys really did enjoy the session, which was a lot of fun to make for myself, you could leave a like and a comment and also share it with your friends. That's it for me, goodbye. I hope you have enjoyed listening to this video; please be kind enough to like it, and you can comment any of your doubts and queries and we will reply to them at the earliest. Do look out for more videos in our playlist and subscribe to the Edureka channel to learn more, happy learning.
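Going back to the low-and-slow and decoy discussion above: the claim that a -T0 scan "may not rise to the threshold that would trigger an IDS" is easiest to see by running the threshold logic yourself. The following is an added example written for this page, not part of the video and not the rule syntax or code of any real IDS. It implements the classic sliding-window port-scan detector (alert when one source touches more than N distinct ports on one host within W seconds) and runs it over three constructed event streams: a fast scan, a -T0-style scan (nmap's paranoid template really does wait about five minutes between probes), and a fast scan with three decoys interleaved the way -D sends them. The IP addresses, the 10-ports-in-60-seconds threshold and the event tuple format are all assumptions:

```python
"""Sliding-window port-scan detector over constructed connection events
(added example; thresholds, IPs and event format are assumptions)."""
from collections import defaultdict, deque

REAL_SRC = "10.0.0.5"                       # our scanner
DECOY_SRCS = ["10.0.0.77", "10.0.0.78", "10.0.0.79"]  # nmap -D decoys
TARGET = "10.0.0.10"
PORTS = range(21, 41)                       # 20 ports, like nmap -p 21-40


def scan_events(srcs, interval, dst=TARGET, ports=PORTS):
    """Constructed event stream: one (timestamp, src, dst, port) per probe.
    With several srcs the probes are interleaved, as with nmap -D."""
    events, i = [], 0
    for port in ports:
        for src in srcs:
            events.append((i * interval, src, dst, port))
            i += 1
    return events


def fast_scan_events():     # 20 probes in one second
    return scan_events([REAL_SRC], interval=0.05)


def slow_scan_events():     # -T0 style: one probe every five minutes
    return scan_events([REAL_SRC], interval=300.0)


def decoy_scan_events():    # fast scan hidden among three decoy sources
    return scan_events([REAL_SRC] + DECOY_SRCS, interval=0.05)


class PortScanDetector:
    """Alert when a (src, dst) pair exceeds max_ports distinct destination
    ports inside a `window`-second sliding window; one alert per window."""

    def __init__(self, window=60.0, max_ports=10):
        self.window = window
        self.max_ports = max_ports
        self._recent = defaultdict(deque)   # (src, dst) -> deque[(ts, port)]
        self._last_alert = {}

    def feed(self, ts, src, dst, port):
        key = (src, dst)
        q = self._recent[key]
        q.append((ts, port))
        while q and ts - q[0][0] > self.window:   # expire old probes
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > self.max_ports:
            last = self._last_alert.get(key)
            if last is None or ts - last > self.window:
                self._last_alert[key] = ts
                return {"ts": ts, "src": src, "dst": dst, "ports": len(distinct)}
        return None


def run_detector(events, **kwargs):
    """Feed events in order and return the list of alerts raised."""
    det = PortScanDetector(**kwargs)
    return [a for a in (det.feed(*e) for e in events) if a]


if __name__ == "__main__":
    for name, events in [("fast", fast_scan_events()),
                         ("slow (-T0)", slow_scan_events()),
                         ("decoys (-D)", decoy_scan_events())]:
        print(name, run_detector(events))
```

The fast scan raises one alert, the -T0 scan raises none because at most one probe ever sits inside the 60-second window, and the decoy scan raises four identical alerts, one per source. That last result is the real lesson of -D: counting per source still catches the true scanner, so decoys do not prevent the alert, they only keep the analyst from telling which of the four alerting addresses is yours. Conversely, the low-and-slow scan is only invisible to a detector with a short window; a correlation rule that keeps per-source counters for hours, or simply greps the day's logs for one address touching twenty ports, sees it fine.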
