Hi guys, my name is Aryaa and I welcome you all to this Ethical Hacking course video. Now the key word of this video is "ethical hacking course", but in reality it's just an expansive video on the fundamentals of ethical hacking. There is no such thing as an ethical hacking course, to be honest, because no course can teach you a discipline like ethical hacking; all the best that you can do in creating content for ethical hacking is that you can tell people about the fundamentals that are followed in this discipline.

Okay, now before we start let me just give you a general idea of the topics that I intend to cover throughout this video. Now, to be honest, we're going to cover a pretty broad range of material. We are firstly going to be going over footprinting and reconnaissance, where you get an idea of what's involved in the ethical hacking engagement that you're working on and information about the target that you're engaged with. Then we're going to talk about networking fundamentals, and here we're going to get our hands dirty with packets and the understanding of TCP/IP at a deeper level, and also understanding how the different protocols work and why they work that way. Now we are also going to be talking about cryptography, where we talk about different cryptographic ciphers; we're going to deal with web encryption, SSL and TLS; we are also going to talk about certificates and the creation of certificates and how they actually operate; we will also talk about public key cryptography. And we are also doing scanning and enumeration, so nmap and dealing with Windows servers and using SNMP and LDAP and all that sort of stuff. Then we are going to be talking about penetration, where we deal with different ways of getting into systems, and also go over using Metasploit, which is an exploit framework, and we're going to talk about how to use Metasploit and actually get into the systems and make use of the exploits that they have. Then we're going to talk about malware: viruses and worms and rootkits and all of that sort of stuff. We're going to take a look at the different pieces of malware and how you would pull that apart in order to understand what it is doing, and potentially make use of that malware during an ethical hacking engagement. Then we're going to talk about different types of denial of service attacks, or DoS attacks, and the difference between a denial of service attack and a distributed denial of service attack; there is a difference there, so we're going to go over those. Now we're also going to go over web application hacking, and the types of tools that you would use during web application hacking, and the different vulnerabilities that web applications have and how to make use of those exploits and those vulnerabilities. We're going to talk about wireless networking: how to probe wireless networks, what wireless networks are doing, and how to secure wireless networks. We're also going to talk a little bit about detection evasion, and to be honest with you, detection evasion kind of comes up in a lot of different areas through many of the topics. We are also going to talk about programming, programming attacks, and how to protect oneself against programming attacks. Okay, so that was the number of topics that we are actually going to cover through this video.

Now the approach that I'm going to be taking in the series of videos is, whenever possible, we're going to use a hands-on approach, so we're going to show you the actual tools I'm going to make use of, and use the tools to do some sort of demonstration of how they actually work. I am a big believer in getting your hands dirty as the best way to learn anything, so as we go through the series of videos I strongly encourage you to get access to the tools that I'm going to be demonstrating wherever possible, and dig in and get your hands dirty along with me. There are places where we're going to be going over some theoretical material, and I'm not a big fan of PowerPoint slides, but sometimes they are a necessary evil in order to convey certain types of information, so wherever possible I'm going to minimize their use; but you will run across places where they're just a necessity, and we are going to have to go through some slides in order to get some particular points across that are primarily of a theoretical nature. So that's the approach that we will be taking through this video, and I hope you have fun as you go along the way.
Okay, so let's begin. Now the first topic that we're going to tackle is: what is hacking? Okay, so let us take a trip to the early days of hacking; let's start the trip. Now the Internet Engineering Task Force is responsible for maintaining documentation about protocols and various specifications and processes and procedures regarding anything on the internet. They have a series of documents called the Request for Comments, or the RFCs, and according to RFC 1389 a hacker is "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". While the expression "hackers" may go back a long time and have many different connotations or definitions, as far as computers go some of the earliest hackers were members of the Tech Model Railroad Club at the Massachusetts Institute of Technology, and what those people did, and the various things that they did and were involved in, are detailed in Steven Levy's book called Hackers. Now for our purposes we'll be talking about other types of hackers, although the spirit of what we do goes back to those early days. Now the definition of hacking or hackers has changed, particularly in the 1990s, and in part as a result of a couple of people, namely Robert T. Morris, who was a Cornell graduate who unleashed a piece of software that was called a worm on what was an early version of the internet. The worm went on to cause a lot of damage and create a lot of downtime on systems across the country and across the world. Now the Morris worm did end up resulting in something good, however: that is, the Computer Emergency Response Team at Carnegie Mellon was created primarily in response to the Morris worm. Now there's also Kevin Mitnick, who was another well-known hacker who was responsible for various acts of computer crime over a couple of decades; he was first convicted in 1988. So the definition of hacker or hacking moved from something benign to something far more sinister in popular culture. Now we see hacking or hackers in all sorts of popular culture: we've seen them in hacker movies like WarGames, also the movie Hackers; of course you also see it in the Matrix movies, where you can see, if you look really closely, that they are using a tool called nmap, which we will get into the use of in great detail later on as we go on. Then on to the movie Sneakers and the movie Swordfish, and on television, in addition to other places, you can see the agents at NCIS regularly doing things like cracking complex cryptography in just a matter of seconds or minutes. So what is hacking, really? Well, hacking is about a deep understanding of something, particularly with relation to computers and computing. It's also about exploring and the joy of learning new things and understanding them very clearly, and being able to manipulate those things in ways that maybe other people haven't before. It's also about digging into problems to find out solutions in creative and interesting ways, and sometimes finding problems where there weren't problems previously. And that's a little bit about what hacking is. Okay, so
now that we have talked about what exactly hacking is, and how the meaning and connotations of that word have changed over time, how it came into existence, how it was coined, let's go with the reasons that people normally hack. Now you may want to hack just for fun. As discussed previously, hacking is a tradition that goes back several decades at MIT, even preceding the computer-related definition of hacking. Now MIT has a long and storied history of hacking, sometimes of a computer-related nature, which in this case happens to be true, and sometimes of a non-computer-related nature. For instance, now here you can see that MIT's homepage has been hacked, or you might even say defaced, to indicate that Disney is buying MIT. This was an April Fool's Day prank in 1998, and again this is just the kind of hacking that you would do for fun. Now sometimes you might even hack just to prove a political point, or any point for that matter. In this case, again, Bill Gates had donated some money to MIT which allowed them to have a new building, and he was coming to MIT to visit and give a talk about Microsoft Windows and its systems, and as you can see the Windows systems that are installed in the entryway at the building were hacked to be running Linux instead, and you can see here that Tux the penguin is saying "welcome to the William H. Gates building". Again, that's some students who decided that they wanted to make a point about Linux and Microsoft and Windows to Bill Gates, and they thought hacking was the best way to go about it. Sometimes you hack just for the challenge. Here's an example, again at MIT, where some students turned the facade of a building into a Tetris game board. Now this was a reasonably difficult hack, and the students went after it just for the challenge of completing it, and just so they could have some pride of ownership and be able to say that they were able to pull this off. You know the things that teenagers do to show off to other teenagers; it just increases with increasing scale. Now in spite of its difficulties and these challenges and all the obstacles and planning that have to go into it, they were able to pull it off, and now they have those bragging rights. So that was one of the instances where somebody would hack just for the challenge and for the fun in it. Now sometimes you want to hack to prevent theft, and this is where we get more specifically into the computer-related hacking. You see a lot of articles and stories in the news over the last few years about cybercrime, and here is an example: "data theft compromised fewer than one and a half million cards" for Global Payments. So there are some attackers who got into this company, Global Payments, and they were able to pull out about a million and a half credit card numbers during the intrusion there. So what you may want to do is, you may want to learn how to hack in order to find these holes in your systems or applications or your employer's systems, so that you can fix these holes and prevent these compromises from happening, because of the reputation hit that your company takes when things like these happen; you have the risk of completely running out of business. So just to protect your job, to protect your company and to protect your own business,
you may just want to learn to hack, and that's a very good reason. Now you may also want to find all the problems that exist in your system before putting them out and deploying them, so that you can keep these attackers from getting in and stealing critical or sensitive information. Sometimes you may want to hack to get there before the bad guys, and the same sort of idea is the last one that we're going to talk about, and that exactly is ethical hacking. Now we were just talking about how sometimes you may want to hack into your own system before publishing it out to the public. Let's take Internet Explorer, for example. Now Internet Explorer was actually published to the public with some critical errors in the code, and these flaws were heavily exploited by people who actually found them. Now a number of people in the world go out looking for these flaws, and they call themselves security researchers, and they get in touch with the vendors when they find a flaw or a bug and work with the vendors to get it fixed. What they end up with is a bit of reputation; they get a name for themselves, and that name recognition may end up getting them a job or some speaking engagements or a book deal, or any number of ways that you could cash in on some name recognition from finding these sorts of bugs and getting them fixed. If you want to get there before the bad guys, you may think you're helping out a vendor, you may want to just make a name for yourself; you want to find these sorts of bugs before the bad guys do, because the thing about the bad guys finding them is they don't announce them and they don't get them fixed, and that makes everybody less secure. Finally, you may want to protect yourself: "hacked computer companies fight cyber criminals", and this is a news headline from June 18, 2012, and we're starting to see these sorts of news headlines show up as companies are starting to retaliate against attackers. Now in order to retaliate against attackers you need to be able to have the same sort of skills and techniques and knowledge and experience that those attackers have, and so your company may want you to learn to hack, or the company may want to bring in people who are skilled in these sorts of activities so that they can attack the attackers, and hopefully you end up with a more steely exterior and get a reputation for not being a company that people want to go after. Those are several reasons, and there you go: I gave you a bunch of reasons as to why you may want to hack. For fun, to prove a point, to protect yourself, to protect a company so they're not run out of business, along with another bunch of reasons. Okay,
so now that we have talked about why you would want to hack, let's move on to the types of hackers that exist. Now we're going to be talking about the different types of hacking, and the first type of hacking that I want to discuss is ethical hacking and ethical hackers, which is really what we're going to be talking about through the rest of these lessons. Now an ethical hacker is somebody who thinks like a black hat hacker, or thinks like somebody who's intent on breaking into your systems, but follows a moral compass that's more in line with probably the majority of the population. So their intent isn't to do bad things; their intent is to look for bad things and get them fixed so that bad things don't happen. Ethical hackers aren't out to destroy anything, and they're not out to break anything unless it's deemed to be acceptable as a part of the engagement, and also necessary in order to demonstrate a particular vulnerability to the organization that they are working with. So that's an ethical hacker, and there's a certification that's available from the EC-Council, it's the Certified Ethical Hacker, and you know, if you find certifications valuable and this sort of thing is what you want to do, we're seeing a cert like Certified Ethical Hacker may be something you might want to look into. Now let's talk about black hat hackers. There are plenty of cases of black hat hackers through the years, and let's talk about a guy in particular called Kevin Mitnick. This guy right here is a particularly good example, probably because he was a black hat hacker for a lot of his years. His goal was to cause mischief, to steal where necessary, and just to be engaged in the lifestyle of being a hacker, doing whatever was necessary to continue doing whatever he was doing, even where it crossed moral boundaries or ethical boundaries. And so Kevin Mitnick here was involved for well over a decade in computer crime, and was finally picked up by the FBI, and he was charged and prosecuted, and he was eventually convicted of some of the activities that he was involved with. Now you may be able to argue that Kevin is a grey hat hacker as well, and a grey hat hacker is somebody who kind of skirts the line between black and white hat hacking. And white hat hacking is really what an ethical hacker is, so instead of saying ethical hacker you could say white hat hacker; it's the same idea. A white hat hacker is somebody who hacks for good, if you want to think of it like that, if you want to think of it as good versus evil, and what they're really doing is they're in it for the technical challenge; they're looking to make things better, make things more efficient, improve them in some way. On the other hand, the black hat hacker is out for the money, for the thrill; it's really criminal activity. And the grey hat hacker is somebody who may employ the tactics and techniques of the black hat hacker but have sort of a white hat focus; in other words, they're going to do things that may be malicious and destructive in nature, but the reason they're doing it is to improve the security posture of an organization that they are working with. So you can see there's actually a book called Gray Hat Hacking; it's a pretty good book, and it details a lot of the tactics and strategies and techniques we'll be going over in subsequent lessons in this video. Now one other type
of hacking that I want to talk about is a thing called hacktivism, and you will find hacktivism all over the place. One example in the last year or so, and certainly in recent memory, is called Lulz Security; yeah, you heard that right, it's called Lulz Security. And you can argue that Lulz is actually a response to another type of hacktivism: an organization called Anonymous started hacking companies like Sony to protest their involvement in a lawsuit regarding a PlayStation 3 hacker. Now Lulz Security was supposedly protesting the treatment of Anonymous, or was hacking in support of this group Anonymous, so they hacked a number of companies and did things like pulling information, usernames and passwords, from the databases at these companies, and they said that the reason was to shine a light on the security of these companies, and also theoretically to embarrass the companies with a weak or poor security posture. And the problem with that is that they were doing this through posting information that they had found online, and that information often included details about customers of these particular corporations, and for an ethical hacker, a white hat hacker, that would cross the boundary of causing harm. So there's no reason for me as an ethical hacker to post information in a public forum about somebody, because I could be doing damage to them; but in this case Lulz Security and Anonymous, specifically Lulz Security, were engaged in this form of hacktivism, and what they were doing was not only damaging to the corporation, it certainly was detrimental to those people. So, different types of hackers and different types of hacking: we've got ethical or white hat hacking, you've got black hat, grey hat, and then we finally got hacktivism. It's really the goal and the means that vary from one to the other. Okay, so now that we've
discussed the types of hackers, let's also discuss the skills necessary to become one. So what we're going to discuss in this part are the different skills that are required or will be learned as a part of this video. So initially, just for basic computing, you need a basic understanding of operating systems and how to work them. There are going to be several fundamental types of tasks that I won't be going into any detail at all on, and you need to know how to run programs and do things like open up a command prompt without me walking you through how to do that, so I am going to assume that you have some basic understanding of how to do these sorts of tasks. Also you need an understanding of the basic system software, and you'll need a basic understanding of how to use command-line utilities. There are a number of tools and programs that we're going to be going through in this video, and many of them use a command line; now whether it's on Windows or Linux, you'll need to be familiar with typing and being able to run programs from the command line, and the various command-line switches and parameters that those programs, or types of programs, are going to use. Now from a networking perspective you need a basic understanding of some simple networking concepts: you need to know what cables are, and switches and hubs, and how systems are networked together. You don't really need a deep level of understanding; I'll be going through some protocols at a reasonably deep level, because I think it's important as an ethical hacker to understand what's going on at the protocol level, so that you can know better what you are doing and how to achieve the goals and tasks that you have before you. So we're going to be going over some protocols, so just understanding what protocols are and how they go together, those sorts of things are necessary from a networking perspective. Now we're going to also be learning a bunch of life skills. Yes, there are some life skills that it's important to have. I think the most important one is the ability to accept failure and persevere, and by that I mean you're going to be running across several things that just don't work the first time around, and it's going to take a little bit of time and stick-to-itiveness to plug away and keep going until you get something to work. And the way that you get things to work is having an ability to problem-solve, and sometimes solving problems requires being a little creative; sometimes you need to think out of the box and come at a problem from a different perspective in order to find a solution. Throughout the course of this video you're going to run across a lot of sticky problems through the course of learning about being an ethical hacker and just doing the work, because it's not as simple as "here's a little recipe for how to do this, now go follow this recipe every time and you're going to be successful". Every situation is different, every system is different; you're going to run across some pretty sticky problems, and you're going to have to just wade in and get your hands dirty and keep failing and failing and failing and failing until you find a way to succeed. So I think those skills are very
necessary to learn how to be an ethical hacker, digging through some of the material that we'll be going over in this video. As far as what you're going to be learning: you're going to be learning about how to use a lot of tools; you're going to learn networking, and by that I mean we're going to be talking about different protocols that are involved in networking systems together; you're going to learn about security and security postures. Security is the heart and soul of ethical hacking; it's why we do ethical hacking, in order to make systems and networks more secure than they were previously. That's the goal. From a networking perspective, we're going to be talking about how to read packets from network captures; you're going to be going into TCP/IP-related protocols in a fairly significant amount of detail, and you're going to understand how protocols interact with one another. So we're going to do all that, and reading packets is going to be really important, and we're going to do a fair amount of that. In addition to just a fundamental approach to learning how to read packets, in several lessons we're going to read packets as a way of understanding the different tools that we're using and how they work. You're going to learn tactics and methodologies, and you get to learn to use the information you've gathered in order to get more information, and information is really what this is all about; you can't do much of anything without information, and sometimes it takes a fair bit of digging in order to find that information, and what you're going to learn is the entry points and the stepping stones to get the information that you need. And then once you have that information, you're going to be learning about ways to exploit it in order to get deeper into the target. You're going to learn security awareness; we're going to talk about risk, and understanding risks and vulnerabilities, primarily recognizing the difference between a vulnerability and an exploit, and there's a significant difference there. So security awareness, and understanding what risk is and how that impacts your target, is going to be key to a lot of things that we talk about. So it sounds like a lot; we're going to cover a fair bit of ground, not all of it at a deep level, sometimes we're going to skim the surface, but there's an awful lot of material to be covered, so let's get started.
Okay, so that was all about the skills that we are going to develop throughout this video, and that might be necessary for you to become an ethical hacker. Now let's talk about the types of attacks that you might be dealing with as an ethical hacker yourself. So now we're going to be talking about the types of attacks. Now one type of attack that you'll find common, particularly in cases of hacktivism, for example, or cases where people are trying to make a particular point or just be a general pain, is this idea of defacing. Defacing goes back for quite a while; it's the idea of sort of digital graffiti, where you've left your mark or your imprint behind so that everybody knows you were there. It's primarily a website thing, and it's really just making alterations to something. It used to be pretty common a long time ago; it was pretty typical for businesses or people, or just organizations in general, to have their home pages being replaced by this other thing that was along the lines of "hey, I was here and I took over your webpage". We also have a pretty common one, that certainly has been common over the years, and it's a pretty good path towards quality exploits and high-profile vulnerabilities, and that's the buffer overflow. Now a buffer overflow is a result of the way programs are stored in memory. When programs are running they make use of a chunk of memory called a stack, and it's just like a stack of plates: when you put a bunch of plates down, when you pull a plate off you're going to pull the top plate; you're going to pull the oldest plate, you're going to pull the one that was on top. So the same thing with a stack here: we're accessing memory, and this has to do with the way functions are called in memory. When you call a function, a chunk of memory gets thrown on top of the stack, and that's the chunk of memory that gets accessed, and you've got a piece of data in memory within that stack and that's called a buffer. And when too much data is sent and tried to put into the buffer, it can overflow the bounds of the configured area for that particular buffer. Now the way stacks are put together, we end up with a part of the stack where the return address from the function is stored, so when you overflow the buffer you have the ability to potentially overwrite that return, at which point you can control the flow of execution of programs, and if you can control the flow of execution of the program you can insert code into that memory that could be executed. And that's where we get buffer overflows that turn into exploits that create the ability to get like a command shell or some other useful thing from the system where the buffer overflow is running. So that's a buffer overflow in short.
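To make the stack picture above concrete, here is an added C example; it is mine, not code from the video or from any tool it mentions. It models one stack frame as a plain struct in which the local buffer sits right before the slot holding the saved return address (an assumption for the demo, not a real CPU frame layout), and contrasts an unchecked copy, which spills into that slot, with a length-checked copy that refuses input that does not fit. `CLEAN_RETURN` is a made-up address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame, mirroring the lecture's picture:
 * the local buffer is followed by the saved return address. It is a plain
 * C struct, not a real CPU frame, so the demo is well-defined and portable. */
struct frame {
    char buf[16];          /* the "buffer" the program writes into */
    uint64_t saved_return; /* where the function will jump on return */
};

#define CLEAN_RETURN 0x401136ULL /* hypothetical address of the caller */

/* Vulnerable pattern: the copy trusts the input length and keeps writing
 * past buf. The loop is capped at the frame size only so this demo stays
 * defined; a real unchecked copy has no such cap.
 * Returns 1 if the saved return address was clobbered, 0 if it survived. */
int unchecked_copy(const char *input)
{
    struct frame f;
    f.saved_return = CLEAN_RETURN;
    unsigned char *raw = (unsigned char *)&f;
    size_t n = strlen(input) + 1;            /* includes terminating NUL */
    for (size_t i = 0; i < n && i < sizeof f; i++)
        raw[i] = (unsigned char)input[i];    /* spills into saved_return */
    return f.saved_return != CLEAN_RETURN;
}

/* Hardened pattern: compare the length against the buffer before copying.
 * Returns -1 when the input is rejected, 0 when copied with the return
 * slot intact; it can never reach the saved return address. */
int checked_copy(const char *input)
{
    struct frame f;
    f.saved_return = CLEAN_RETURN;
    size_t n = strlen(input);
    if (n >= sizeof f.buf)                   /* no room for data plus NUL */
        return -1;
    memcpy(f.buf, input, n + 1);
    return f.saved_return != CLEAN_RETURN;
}

int main(void)
{
    const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 32 bytes */
    printf("unchecked, \"hello\" : clobbered=%d\n", unchecked_copy("hello"));
    printf("unchecked, 32 bytes: clobbered=%d\n", unchecked_copy(big));
    printf("checked,   32 bytes: result=%d (-1 = rejected)\n", checked_copy(big));
    printf("checked,   15 bytes: result=%d\n", checked_copy("123456789012345"));
    return 0;
}
```

The check in `checked_copy` is the whole fix: the frame layout is unchanged, but a write can no longer reach the bytes after `buf`, so the return address stays under the program's control rather than the input's.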
Sometimes we also have format string attacks, and sometimes these can be precursors to buffer overflows. Now format strings come about because the C programming language makes use of these format strings that determine how data is going to be input or output, so you have a string of characters that defines whether the subsequent input or output is going to be an integer, or whether it's going to be a character, or whether it's going to be a string or a floating point, that sort of thing. So you have a format string that defines the input or the output. Now if a programmer leaves off the format string and just gets lazy and provides only the variable that's going to be output, for example, you have the ability to provide that format string. If you provide that format string, what happens is the program starts picking the next pieces of data off the stack and displays them, because that way we can start looking at data that's on the stack of the running program just by providing a format string. And if I can look at the data, I may be able to find information like a return address or some other useful piece of information. There is also a possibility of being able to inject data into the stack using this particular type of attack.
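The lazy pattern just described, side by side with the correct one, as an added C example that is mine rather than the video's. `render` is an assumed logging wrapper of the kind many programs carry; because it is not declared printf-like, the compiler will not warn when untrusted text is passed as its format, which is where this bug usually hides. The untrusted input is constructed and uses only `%%`, a directive that consumes no arguments, so the demo shows the input being interpreted as a format without reading anything off the stack.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed logging wrapper. It forwards to vsnprintf but carries no
 * printf-format attribute, so callers that hand it untrusted text as the
 * format get no compiler warning. */
static int render(char *out, size_t cap, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* The lazy pattern from the lecture: the data IS the format string, so any
 * %-directive in it is interpreted by the printf machinery.
 * Returns a pointer to static storage holding the rendered text. */
const char *log_unsafe(const char *untrusted)
{
    static char out[128];
    render(out, sizeof out, untrusted);   /* BUG: input controls the format */
    return out;
}

/* The correct pattern: a literal format, with the data passed as an
 * argument, so the input is copied byte for byte and never interpreted. */
const char *log_safe(const char *untrusted)
{
    static char out[128];
    render(out, sizeof out, "%s", untrusted);
    return out;
}

/* Cheap review-time or runtime check: does untrusted text contain anything
 * printf would treat as a directive? Useful for flagging inputs that reach
 * a format parameter, not a substitute for fixing the call. */
int has_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    const char *input = "100%% done";   /* constructed untrusted input */
    printf("unsafe : %s\n", log_unsafe(input)); /* %% interpreted: 100% done */
    printf("safe   : %s\n", log_safe(input));   /* bytes copied: 100%% done */
    printf("flagged: %d\n", has_directive(input));
    return 0;
}
```

The difference between the two outputs is the entire vulnerability: in `log_unsafe` the input decides what the call does, in `log_safe` it is only data. Building with `-Wformat-security` catches direct `printf(buf)` calls, but not ones routed through an unannotated wrapper like `render`, which is why such wrappers deserve a format attribute or a review.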
Now moving on to our next type of attack: a denial of service, DoS. This is a pretty common one and you'll hear about this a lot. This is not to be confused, though, with the one that I'll be talking about after this, and that is a distributed denial of service. So this one that you see is a denial of service attack, and a denial of service is any attack or action that prevents a service from being available to its legitimate or authorized users. So you hear about a ping flood, or a SYN flood, that is basically a SYN packet being sent to your machine constantly, or a smurf attack; a smurf attack has to do something with ICMP echo requests and responses using broadcast addresses, and that one's been pretty well shut down over the last several years. You can also get a denial of service simply from a malformed packet or a piece of data, where a piece of data is malformed and sent into a program; now if the program doesn't handle it correctly, if it crashes, suddenly you are not able to use that program anymore, so therefore you are denied the service of the program, and thus the denial of service. Now as I said, a denial of service is not to be confused with a distributed denial of service, and I know it's pretty trendy, particularly in the media, to call any denial of service a DDoS. Now it's important to know that any denial of service is not a DDoS. A DDoS, or as you might know it, a distributed denial of service, is a very specific thing: a distributed denial of service is a coordinated denial of service making use of several hosts in several locations. So if you think about a botnet as an example, a botnet could be used to trigger a distributed denial of service, where I've got a lot of bots that I'm controlling from a remote location, and I'm using all these bots to do something like sending a lot of data to a particular server. When I've got a lot of systems sending even small amounts of data, all of that data can overwhelm the server that I'm sending it to. So the idea behind a distributed denial of service attack is to overwhelm resources on a particular server in order to cause that server not to be able to respond. Now the first known DDoS attack used a tool called Stacheldraht, which is German for barbed wire. Stacheldraht came out of some work that a guy by the name of Mixter was doing in 1999; he wrote a proof-of-concept piece of code called TFN, which was the Tribe Flood Network. Let me just show that for you. So you can see on the Wikipedia page that the Tribe Flood Network, or TFN, is a set of computer programs used to conduct various DDoS attacks such as ICMP floods, SYN floods, UDP floods and smurf attacks. Now I know many people don't really consider Wikipedia a really good source of any sort of knowledge, but it's a good place to start off, so if you want to read about all these types of attacks, like ICMP floods and what exactly a SYN flood is, you can always do that from Wikipedia; it's not that bad a place. Of course you shouldn't use Wikipedia as your final Rosetta stone. Moving on: so this program called Stacheldraht was used to attack servers like eBay and Yahoo back in February of 2000, so that attack in February of 2000 was really the first known distributed denial of service attack. Which is not to say that there weren't denial of service attacks previously; there were certainly plenty of them, but they were not distributed. Now this means there weren't a lot of systems used to coordinate and create a denial of service condition, and therefore we get distributed denial of service attacks. So that's a handful of types of attacks, and some pretty common attacks that you're going to see as an ethical hacker. When you become an ethical hacker, or if you're trying to become an ethical hacker, you should always know about these types of attacks. Okay,
So in this lesson we are going to be talking about penetration testing and some of the details around how it works, the logistics, and specifically things like scope. So what exactly is penetration testing? Well, not surprisingly, it's testing to see if you can penetrate something, which means you're going to check to see whether you can break into a particular thing, whether it's a server or an application. Depending on the type of engagement you've got, you may have the ability to try to break in physically to a location, but primarily what you're going to be doing in penetration testing is trying to break into systems and networks and applications, and that's kind of what it's all about. This may actually involve social engineering attacks, so it may require you to make a phone call to somebody and get them to give you their username and password, or some other type of social engineering attack where maybe you send a URL by a crafted email. Sometimes it's just strictly a technical approach, where you're running scans and you're running Metasploit and you're gaining access that way, or maybe some other type of technical, application-level connection. Sometimes it's physical access that you need, so in order to get access to a particular system, if you can get physical access then maybe you can get in. So that's what penetration testing is: it's checking whether you can get into a system, whether it be physically or over a network.

So what are the goals of penetration testing? The goals would be to assess weaknesses in an organization's security posture. You want to figure out what they're vulnerable to so that they can go and fix these problems, you want to help them understand their risk position better and what they can or may be able to do to mitigate those risks, and ultimately you want to be able to access systems in a particular way to find weaknesses. So those are really sort of the goals of penetration testing.

Now from a results standpoint, when you're done with your testing, what are you going to do? Well, you're probably going to generate a report, and by that I don't mean you're going to run some automated tool, get it to generate a report for you, actually give that report to the client, and then they're going to write you a really large check. That's not really how it works. You're going to write a report detailing the findings in a detailed way, so that it includes what you did to find out what you actually found, and how you can actually mitigate that particular risk. So you should really include remediation activities in order to fix the vulnerabilities that you find. It's pretty easy to walk around saying "hey, that's a problem, and that's a problem, and that's a problem"; there's really not a lot of value in that. Where there's value is in saying "hey, that's a problem, and here is how you can go about fixing it".

So let's talk about the scope of penetration testing. Firstly, you want to actually realize how big the breadbox is: specifically, what is it that the two of you have agreed to, you being the ethical hacker and the other party being the authorized person who gives you permission to ethically hack, specifically that you can do penetration testing and you can target them as an organization or the client. Also part of what you have agreed to are any exclusions, any sort of areas that they say you're not allowed to touch. So if they've got a database server, maybe one with really sensitive data on it, and they're a little hesitant, they may put a "don't touch this thing" clause in the scope. There are a lot of different reasons why they may exclude areas from the scope, and if they exclude them, then trust their reason and listen to what they have to say in terms of "this is what we want you to accomplish". Along those lines, you really need to get sign-off from the target organization. Now we've talked about this before, and this is certainly all about ethics and trust, and it's also about legality, because if you do something that you don't have permission to do, you could be prosecuted for that. So definitely get the scope very clear, in writing and with signatures attached to it, as to what you can and what you can't do, and always get approval from the right people: make sure you get somebody who has the right level of permissions and is at the right level of management, so that they can sign off on it with the understanding that they accept the risk that is associated with a penetration test.

So let me talk a little bit about security assessments and how they differ from penetration tests. A security assessment is a hand-in-hand approach with clients, so you would walk in doing a collaborative thing where you're a trusted partner and you are allied with them, and your goal isn't to penetrate them and point out all the things that are really bad, but to get a full assessment of the risk that the organization is exposed to, and you would probably provide more details about fixes than you would in a penetration test. What we're going to do is walk in and make sure that the policies and procedures they have in place are really what they need for the organization and the risk appetite that they've got, and we're going to make sure that the policies and procedures have controls that can tell us whether they are actually being adhered to or not, so that the procedures and policies are being followed. A security assessment is probably a little bit more comprehensive than a penetration test: it would look at more factors to assess the security posture of the organization and their overall risk, and you would tailor the output based on the risk appetite and what they're most interested in. That's not to say that I'm going to tell them what they want to hear, but if there's something that they know, and I know, that they're just not going to do, I'm not going to be making a big deal out of it, because they're already aware of it. I'll make a note of it in the report just for completeness' sake, but I'm not going to go into a lot of detail. So it's really kind of a hand-in-hand collaborative approach where, again, you're not just saying what they want you to say; we're providing some real security and risk guidance towards their activities and other things.

Now a penetration test may provide an unrealistic view. So you've got a week, let's say, to do this penetration test against your target. You're going to have to go in, you're going to have to get set up, you're also going to have to start doing a bunch of scans and make sure that you're gathering information and screenshots and data for your report; you're going to have to do all sorts of activities. Also during the course of that week you're going to be engaged in probably beginning to write your report and getting a sense of what it is going to say and what's going to be in it. If you don't actually get any major penetration during the course of that week, the organization may feel like they're secure. That's one of the reasons why, even though penetration testing is really sexy and showy and nice and all, if an organization walks out of this believing that, because in a week you didn't manage to get the keys to the kingdom, they must be secure, that's a really misguided view. A dedicated, skilled and motivated attacker isn't going to just take a week, or some portion of a week; if they're after something, they're going to dedicate themselves to it and really go after it. So just because you didn't find a penetration in some subset of a week doesn't mean that they are secure and invulnerable to attacks; it just means that during the course of that particular week, and with the other circumstances that were in place, you didn't get a penetration that was really significant or major. That's all it means; it doesn't mean anything beyond that. And if an organization walks away feeling like they're secure, they're going to end up not fixing the real vulnerabilities that may be in place, which could expose them to some significant risks.

So that's penetration testing: its scope, its goals and how it differs from security assessments.
Now it's time to go over footprinting. So what is footprinting? Well, footprinting is getting an idea of the entire scope of your target. That means not just the scope that you were given, which may be an address block, or it may be a domain name, or it may even be a set of address blocks. What you want to do is figure out all the information that's associated with that, in as great detail as you can possibly get. So you want the list of domain names. As you go through this, you probably want some sort of database or Excel spreadsheet or something to keep track of all the information, because you're going to have a lot of it, and at the end you want to be able to find the information quickly. So have some sort of either Notepad going with your notes or, as I said, a spreadsheet or a database; if you can get organized in that way, you want to keep all those sorts of things written down.

So in this case I want to do a search on, suppose, let's say edureka.co. Now I need network blocks. So far we've just made up IP addresses, because I'm just putting information down, but I need network blocks. You may have one IP address that you can find externally, or you're going to want the whole range of internal blocks, and you can do a little bit of digging if you aren't provided those. You want specific IP addresses for critical systems: web servers, email servers, databases, if you can find any of those sorts of things. And what kind of stuff are they running? Are they running Intel, are they running Windows, are they running some UNIX systems, what are they running? What kind of access control lists do they have? These are going to be hard to get, but you may be able to guess them, and you can guess these by doing port scans: what sort of responses you get back from the port scans, with the filters, or what you don't get back, will tell you whether there's an IDS around. You want to do system enumeration, and if you can get access to a system somehow, you want to know user names, group names and so on. So the basic idea of footprinting is gathering information. If you can get access to a system somehow, you want to know user names and group names; you want system banners, routing tables, SNMP information if you can get it, DNS host names if you can get those.

Now this is for both the internal and the external side. If you're doing an internal penetration test or ethical hacking engagement, you want to know the networking protocols that are there: are they using TCP/IP, or are they using some UDP, or are they on IPX/SPX, are they using DECnet or AppleTalk? Are they using some sort of split DNS, in other words, do they have internal DNS servers that give different information from their external ones, and will it give different information? You want to check for remote access possibilities. Now in the footprinting process you want to be very exhaustive: you might want to try and take out email addresses, servers, domain name services, I mean IP addresses, or even contact numbers, and you want to be very exhaustive with your approach. You don't want to miss anything out, because if you do that, you can continue and also provide some launching points for additional attacks or tests that you may be able to do. But this is definitely a starting point for the types of information that you need to have as you go about footprinting your target.
Now the next thing that we are going to see is very interesting. This is one of the many common tools that are out there on the Internet, and that is the Wayback Machine, also known as archive.org. Now it might not give you all the information that you need, but it certainly gives you a starting point, and what we're talking about out here is the Wayback Machine, or archive.org. So let me just give you a quick look at what archive.org looks like. OK, I already have it open out here, so out here what you can see is how a website looked some time ago. So for example, if you want to look at what Google looked like, you just have to search for Google out here and wait for the results to come back. OK, so we see that Google goes way back to 1998, so that was the last capture, or the first capture rather; it was the first capture by the Wayback Machine, and we can see that it has a screenshot of November 11th and how Google looked. So let's see what Google looked like on November 11th of 1998. So this is what Google looked like: there was actually nothing to it, it just said "Welcome to Google, Google Search Engine Prototype" and it had some links. So yeah, this is what the Google engine looked like: it had a Stanford search, it had a Linux search, and you could do all sorts of stuff, you could just get the results. Now what I'm trying to tell you all is that you can see the evolution of a website through time with the Wayback Machine, and this gives you a rather informative look into how a website has actually evolved. OK, now
that we know what footprinting is and how it falls into the whole reconnaissance process, let's go over a couple of websites to do a little bit of historical thinking about companies and the types of infrastructure that they may be using. This information, of course, is useful so that we can narrow down our focus in terms of what we want to target against them for attacks. Now over time we've improved our awareness about what sorts of information we may want to divulge. So several years ago you may have gone to a company's website and discovered that you could get email addresses and names of people in positions that you may find relevant, and there were all sorts of bits of information that could be used against the company. Over time we have discovered that those sorts of pieces of information probably don't belong on a website where they can be used against a company, and so they've been pulled off.

Now it also used to be that Google had the ability to pull up information that it had cached. So for example, if a website was no longer available, or if it was temporarily down and offline, there was a little cache button that you could click when you did a Google search, and you could pull up that cached information. So even though the website wasn't available, you could still get information from Google's servers. Now Google's removed that, so we don't have that ability any longer. However, there is an Internet Archive that we can use. This thing is called the Wayback Machine, and I have it open out here; it's archive.org/web. So archive.org is a website that gives us information about other websites and how they looked years ago. So I'm going to go to the Wayback Machine, which you can see is at archive.org, and I'm going to go and try and search for edureka.co. So now we're going to take a historical look at edureka.co's website, and you can see we've got some years, and they've got information going back to 2013. So let's look at what this website looked like back in 2013. OK, there don't seem to be any snapshots out here, I wonder what's going on. OK, so let's go to 2014, and the first snapshot seems to be on September 12th of 2014; actually it's on May 17, so let's see what that looks like. OK, so this is what Edureka looked like back in 2013, or rather 2014, September 12 2014 to be exact. Now you can see that we have some live classes and all these pictures are there, and they've got this weird picture of this guy out here; I don't know why that was a thing back in 2014. Now we can browse more advanced screenshots, or rather the screenshots that were taken later on, and see how this company has evolved with its infrastructure and the way it actually lays out its content. OK, so it still has that look, but I can go a couple of years ahead and see what this has actually evolved into. So if I go to December 2016, this is what it looked like in 2016, and we can see that they've added this weird box out here about pricing courses, they have a little search bar that kind of looks weird, but that's mostly because my internet is slow and it's still loading all the elements. They've also changed how they've actually laid out the courses, and we can also see a change in the prices, I guess. So yeah, this tells us how it evolves as a complete website. Now this
other website that I want to talk about is called Netcraft. Now Netcraft does internet research, including the types of web servers that companies run, and they have a web server survey. You can see here, as we scroll, that Apache servers are 64.3 percent of the internet market, and that's followed by Microsoft with 13 percent. Interesting information, maybe useful information, but even more useful than that is looking at what different companies run for their websites, and you can see that here. OK, so let's try and search for edureka.co out here. So let's just put it in the website URL and let Netcraft generate the site report. So as you can see, some of the stuff is not available, but you know that the netblock owner is Amazon Technologies, the name server is this thing right here, the DNS admin is awsdns-hostmaster, and we also have the IP address; we can go and look up the IP on VirusTotal, you can do that. There is no IPv6 presence, so that's some information that we can see: we can obviously opt out of targeting IPv6 ranges. There's also reverse DNS, and then we also have a bunch of hosting history. So this is a history of it, and we know that it's hosted on a Linux system with an Apache web server, and this is when it was last seen, and this was when it was last updated. So this is some very useful information. You can also get information on stuff like Netflix, so if you just type... OK, I see I just spelled that wrong, so let me just change it from the URL out here. So if you go and type netflix.com, you'll see that it'll show you all sorts of information. So as you see, it's on an AWS server, Amazon's services in Ireland, and this is all the hosting history that goes along with it. It has some Sender Policy Framework and Domain-based Message Authentication, Reporting and Conformance information, and there's all sorts of information that you can get about websites and their web servers from Netcraft. So the Wayback Machine, along with Netcraft, make up some interesting tools that are available on the internet with which you can do a little bit of your reconnaissance
process. OK, now that we have gone over Netcraft and the Wayback Machine, it's time to actually get to know how to use the little information that these sites actually provide. So the next topic that we're going to go over is using DNS to get more information. Now we're going to be going over a tool called whois, a utility that is used to query the various regional internet registries that store information about domain names and IP addresses. Let me just show you all the internet registries that are there. So I have arin.net open out here, and these are the internet registries that provide to the ISPs and look after the Internet's address allocation as a whole. So out here we have AfriNIC, we have APNIC, we have ARIN, we have LACNIC, and we have RIPE NCC. So these are all regions, and all the different types of stuff that they support in all the different countries; you can look at the countries that each one is supporting out here by just hovering over the providers. So as you can see, all this brown region out here is Africa, AfriNIC; then we have APNIC, which is this black or grayish thing, which is India and Australia and quite a lot of Asia; then we have ARIN, which is a lot of North America and the United States; then LACNIC, which is the Latino side, the South American part; then we have the rest of Europe, which is RIPE NCC, and this is the part that RIPE NCC is providing internet to. OK, so that was all about the internet registries. Now
let's get back to the topic, and that is using DNS to get more information. Now for this we are going to be using a Linux-based system, so I have Ubuntu running on my virtual machine out here, and let me just log into it. So firstly we are going to be using this query called whois, that looks up these internet registries that I just showed you. Let me just quickly clear this. OK, so for acquiring information from the regional internet registries that I just talked about, you can use whois to get information about who owns a particular IP address. So for example I could do whois, and let's see, I could do whois google, or rather netflix.com, and we can get all sorts of information about Netflix. So we can see that we have the registrar, MarkMonitor; then let's see, let's go up and look for all sorts of information that is being given to us by this whois query. So as you guys can see, I just scrolled a little bit too much, OK. So, Registry Domain ID: we have the domain ID, where it is registered; the Registrar URL is markmonitor.com, OK, so this is MarkMonitor actually. Now the creation date is 1997, so in case you haven't realized, Netflix has been around for a long time, and it was updated in 2015, and the registry expiry date, as we see, is 2019, so it's actually going to go off this year. Then this is all useful information, so you can see all sorts of things: the domain status, the name servers, the URL, the DNSSEC, which it says is unsigned. This is very useful information that is being provided by a very simple query.

Now if you want to know who owns a particular IP address, so let's see, did we get back the IP address out there? We should have got back the IP address, but it's kind of lost on me. So to get back the IP address for a domain name, you could use this command called dig, so you do dig netflix.com. Now as you guys can see, it has returned a bunch of IP addresses; these are all the IP addresses that Netflix has. So I could do something like, if I was trying to check out who owns a certain IP address, for example I have got one of these IP addresses, but let's just assume I don't know that it actually belongs to Netflix, so I can go whois 54.77.108.2 and it will give me some information. So as you guys can see, it is giving us a bunch of information as to who this is and how it is happening. So we see that it is from arin.net, and so we can very smartly assume that it's from the North American part; we can also see that it's in Seattle, so our guess was completely right. It also gives us a range, so this is something very useful: we now have the range of the IPs that might be being used by this guy. So we indeed have 54, and it says this goes up to some other 54 address; there's also 34, let's check that out and see what information we get. So whois, and let's check it out; what was the IP that we were just seeing? It's 34.249.125.167, so 34.249.1.65, I don't know, let's see; you can also put in a random IP address, it doesn't really matter, and it'll give you the information. So let's see, is this some IP address? Even this seems to be an Amazon IP address, and it's also based in Seattle, and we get a bunch of information. So that's how you can use the whois query and the dig query to actually get all sorts of information about a domain name service and get information from DNS basically. So
now let's go over some theoretical part, that is, for DNS. So, using DNS to get information: firstly, what is a domain name service and why do we need it? A domain name service is a name given to an IP address so that it's easy to remember; of course it's easier to remember names and mnemonics than a bunch of random weird numbers. Now this was mainly so that we can map names to IP addresses, and we can get a bunch of information from the host name resolution. So that's the purpose of it. Now we will also be looking at how to find network ranges. OK, now before we get on to actually moving on to how to find out the network ranges, let me just show you how you can also use whois. So with whois, suppose you want to know the domains with the word foo in them; you could go whois foo, and this will give you a whole bunch of things about what foo sites exist and all the sorts of foo sites there are on the Internet. So that was one interesting flag, and if you want to know more about how to use whois, you could just go whois --help. Yeah, so this is all the types of stuff that we can deal with in whois: we can set the host, we can set the port that we want to search on, then with the -l flag we can find the one-level-less-specific match, and we can do an exact match, an inverse lookup for specified attributes, then we can also set the source, we can set the verbose type, and we can choose a request template. There's a bunch of stuff it can do. So you could, suppose, say whois verbose and suppose edureka.co, and it'll give you a verbose version: "This is the RIPE Database query service. The objects are in RPSL format", the RIPE database of... OK, let's try something else, like whois netflix.com. OK, I'm sorry, I was supposed to do verbose and I kept doing -h, silly me. So you do -v, and it'll give you much more like... this is a RIPE database again, I think I'm doing something wrong, OK, just for that thing. OK, -v and the type, OK, or let's just see, let me just show you how to use the primary keys: -K, only primary keys. OK, let's see, let's try that out. OK, so it seems to be that this is the RIPE database query service and the objects are in RPSL format, so it won't really work for that thing, and it also says that no entries were found, because it's an error. So this is for some later lesson. So for now I hope I gave you a good idea of how to use whois: like, you could just go whois and then some IP address like 192.168.0.101 or some private address like that, or you could just go for a domain name like Facebook and get all sorts of information about Facebook when the query actually returns you something. OK, so let's move on to network ranges now.
Now in this part of the video we're going to be going over the utility called whois, which is used for getting information from the DNS. Now let me just show you a website out here. So this is the regional internet registries. The internet registries are used to store information about domain names and IP addresses, and there are five regional internet registries. First is ARIN, which is responsible for North America, so that would be the US and Canada; then we have LACNIC, which is responsible for Latin America and portions of the Caribbean; then there's RIPE, that's responsible for Europe and the Middle East and Central Asia; there's AfriNIC, which is responsible for Africa; and finally we have APNIC, which is responsible for Asia and the Pacific Rim. So those are the regional internet registries, and as I said, whois is responsible for acquiring information from the various regional internet registries, as you can use whois to get information about who owns a particular IP address. For example, let me just open up my Ubuntu system, let me clear this out first. So as I was just saying, for example you could go whois facebook.com. OK, so as you guys can see, we could find out pretty quickly who owns a particular IP address. So for example I could do whois and just go facebook.com, and it tells me who it belongs to. It also gives you who owns a particular IP address and who's responsible for them; from the information you can get email addresses that belong to a particular company. This one has an email address for the tech contact, so you can get all sorts of email addresses, tech contacts and also other stuff out there. The registry database contains only .com and .net, and also has some information. Now I want to query a different IP address, and different information belongs in the different regional internet registries, of course, so if I want to go to a particular database I will have to use the -h flag. So I could do whois -h whois.arin.net and remember the IP address, and I'm going to query that again, and of course I get the same information back because I went there. So you could just go whois -h and then follow it with an IP address, so something like 34.205.176.98; that's just a random IP address I just made up, and it says "whois: option", OK, so it's a capital H, OK, so let's see that, and we get all sorts of information back from that, from ARIN and all sorts of stuff.

Now I can get information about domains as well, so if I query something like netflix.com, I can find out that this is actually Netflix, and there's an administrative contact and a technical contact; you can see the different domain servers, so the servers that would have authority for information about the DNS entries for that particular domain. You can also see other information like when the record was created, and a whole bunch of different phone numbers that you can contact. Additionally, besides storing information about IP addresses and domain names, sometimes it will store information about particular host names, and there may be other reasons why you would store a host name, or particular information about a host name, on the system with one of the RIRs. Now if I want to look up something specifically, once I found that, I could now do a lookup on whois, suppose let's say something like whois foo, so let's say whois foo. Now if you don't already have whois installed, you can easily install it by just going apt install whois on your UNIX system, and that should do the trick, and then you can start using this really nifty tool. OK, so that was all about using whois. Now let's get on to how to find out network ranges for a domain. OK, so now let's
talk about how we are going to be going
over and fighting metric ranges so
suppose you bought an engagement and you
only know the domain name and you don't
know much beyond that and you're
expected to figure out where everything
is and what everything is so how do you
go about doing that well use some of the
tools that we either have been talking
about or will soon be talking about in
more detail and the first thing I'm
going to do is I'm gonna use the domain
name Eddy record Co and I'm gonna look
up at you like a taco and see if I get
an IP address back so let's just head
over there and go who is Eddie record co
or we could use the host keyword
so as you see we get an IP address back
and that is 34.2 den door to 30 to 35
and that is the IP address and you see
that I've got back an IP address so
here's just an IP address and I don't
know what that IP just belongs to I also
don't know how big the network range or
network block is and that's associated
with so what I'm going to do is a who is
and I'm going to look up with Aaron who
owns that IP address so you can
basically go who is 34 to 10 to 30 35 so
as you guys can see that gives us a
bunch of information and who is now this
doesn't seem to have a very big network
range but unlike something like Netflix
so suppose we were to do something like
host netflix.com and see now we have a
bunch of IP addresses
so suppose we were to do who is let's
see who is 50 2.19 41 47 now I'm
expecting Netflix to be a much larger
company and have a better yeah now see
we get net range so this is the network
range that we are talking about so we
had a random IP address and now we have
found the network range so that's how
you find network ranges and this can be
very useful so this gives me evidence
that Netflix comm has the presence on
different addresses the one I have also
located by looking up that particular
host name so I've got one address here
that I can look let's take a look at the
website because I'm in a different
address now if I didn't have that I
could also go and do something like an
MX flag so let's see I could go dig and
this will give us all the meals so dig
em X and let's see let's see what MX
does actually you go help so we could do
dig H for a list of options so these are
all options that we have
and the one that we're gonna use is
something like this big MX and we say
MMS online netflix.com so these are all
mailings and MX's that we have gotten
from Netflix and this is information
regarding its so producing information
that's a big thing to produce okay so as
I was just saying you can use the MX
flag I could get back all the mail
handlers in this case and their mail is
being handled by Google and let's see
let's go on top then it's going to tell
me that Google's not particularly
surprising and other things that you can
do is check for different host names
since I'm assuming DNS probably doesn't
allow its own transfers
since most DNS servers don't anymore
although they used to you may have to
start guessing so I could do something
like web mails that we find out here so
this shows us the dump of all the
outstanding memory stuff okay so that
was all about finding Network ranges now
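One way to work with the block that whois hands back, as an added example that is not from the video: the script below parses constructed ARIN-style and RIPE-style whois text (the addresses come from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 and the org name is a placeholder), sizes the block, and sorts the addresses you resolved with host into those inside the block and those outside it.

```python
"""Added example, not from the video: turn the text that `whois <ip>` prints
for an address into a network range and check which of the addresses you
resolved with `host` fall inside it.

Everything below is constructed: the whois text mimics ARIN and RIPE
records, the addresses come from the documentation ranges 192.0.2.0/24
(TEST-NET-1) and 198.51.100.0/24 (TEST-NET-2), the org name is a placeholder."""
import ipaddress
import re

# Constructed whois output for one address. `NetRange` and `CIDR` are the
# field names ARIN prints; `inetnum` is the RIPE/APNIC equivalent.
SAMPLE_WHOIS_ARIN = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example Org (placeholder)
"""

# Constructed RIPE-style record with no CIDR line, only a start-end range.
SAMPLE_WHOIS_RIPE = """\
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-NET-2
descr:          Example Org (placeholder)
"""

RANGE_RE = re.compile(
    r"^\s*(?:NetRange|inetnum):\s*([\d.]+)\s*-\s*([\d.]+)", re.M | re.I)
CIDR_RE = re.compile(r"^\s*CIDR:\s*(.+)$", re.M | re.I)


def parse_net_ranges(whois_text):
    """Return the IPv4 networks a whois record covers, smallest first.

    Prefers the CIDR line (ARIN may list several, comma separated) and
    falls back to summarising the NetRange/inetnum start-end pair."""
    nets = []
    m = CIDR_RE.search(whois_text)
    if m:
        for cidr in m.group(1).split(","):
            nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
    else:
        for first, last in RANGE_RE.findall(whois_text):
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return sorted(nets, key=lambda n: (n.num_addresses, int(n.network_address)))


def range_size(nets):
    """How many addresses the record covers, i.e. how big the block is."""
    return sum(n.num_addresses for n in nets)


def split_in_scope(addresses, nets):
    """Partition resolved addresses into those inside the block and those outside."""
    inside, outside = [], []
    for a in addresses:
        (inside if any(ipaddress.ip_address(a) in n for n in nets) else outside).append(a)
    return inside, outside


if __name__ == "__main__":
    nets = parse_net_ranges(SAMPLE_WHOIS_ARIN)
    print("block:", [str(n) for n in nets], "size:", range_size(nets))
    # Constructed `host` results for the same domain; the second lives elsewhere.
    print(split_in_scope(["192.0.2.77", "198.51.100.5"], nets))
```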
Now, moving on, our next topic is using Google for reconnaissance. Some people also call this Google hacking. If you know how to use Google to target exactly what you are looking for, Google is an excellent tool for reconnaissance purposes, and today I'm going to show you how you can use Google for exactly that kind of search. So first of all let's open a tab in the browser and go to google.com. Okay, so now we are going to be talking about how we can use Google to actually gain some targeted information. This is generally called Google hacking. Now, when I say Google hacking I don't mean breaking into Google to steal information; I'm talking about making use of specific keywords that Google understands to get the most out of the queries that you submit. For example, a pretty basic one is the use of quotation marks: you quote things in order to search for specific phrases, otherwise Google will find pages that have instances of all those words rather than the words together in that particular order.

So I'm going to pull up a query, and let me just show it to you: if you search for "index of" now, this shows us an index of all sorts of films. This is basically all those "index of" pages, the directory listings that you want. As you guys can see, this shows us the index of all sorts of films that are there. You can use "index of", and you see that we also have an index of downloads or something like that, some site's download folder, and it is an index of all sorts of stuff. You can go into some folder and check them out; I don't know what these are, but some sort of stuff. This is how you can use Google. Now let me show you some more tricks. Suppose you're using Google to find something like a presentation; you could use something like filetype:pptx and it'll search for every file of that type. Okay, let's try some other type, say config; this brings up all the files that have some configs in them. This one is a gaming configuration, as we see, and this one is some configuration from Liverpool. Now you could also use something like inurl: you can use inurl:root and this will give you all the pages with root in their URL, so "walking root" and "just the trends" and "how to root android", anything with root in the URL. Suppose you want to say something like allinfiletype, or suppose you want some extension, .pptx; let's search for JavaScript files. I think it's js. Okay, that doesn't seem to work either; this shows us all the things with js in it, no, it's just external js, I'm doing something wrong. So you could use filetype; let's see, filetype:doc, so these are all the documents that you could find with the filetype keyword, and you could also do filetype:js, yep, and this will give you all the JavaScript files out there. So this is how you can use Google to actually narrow down your searches, for instance when you want a particular set of keywords and want to make sure you get the password file from Google.

Okay, so now let's go into more detail about the various things you can find using Google hacking techniques. While Google hacking techniques are really useful for just general searching in Google, they're also useful for penetration testers or ethical hackers: you can narrow down the information that you get from Google and get a specific list of systems that may be vulnerable. So we can do things like look for error pages that have "error" in the title, and I'm going to get a whole bunch of information. Suppose we search intitle:error; as you see, we get all sorts of stuff. And we can do the -google part: if you add -google it won't show you the stuff that's from Google, so we get various documentation pages about different vendors and the errors that they support. So here's one from Oracle about a Java error. If you search for something more specific, you may be able to get errors about all sorts of other stuff. So this is how you could use the Google hacking technique to your own advantage if you're a penetration tester.

Now let me also show you something called the Google Hacking Database. This is very useful for an ethical hacker. The Google Hacking Database was created several years ago by a guy called Johnny Long, who put this Google Hacking Database together to begin to compile a list of searches that would bring up interesting information. Johnny has written a couple of books on Google hacking. So we're at the Google Hacking Database website here, and you can see them talk about Google dorks and all sorts of stuff. You can see that we can do all sorts of searches, like an inurl: search that brings up some portal pages. Out here you can bring up some password pages, say an inurl: search with "password" in it; this will give you all sorts of pages on Google which have passwords in the URL, so maybe you can just guess a password from there. Now that was Google hacking. The Google hacking entries also have a number of categories that you can look through to find the specific things you may be interested in, and you can search for specific information that you may be looking for with regard to a specific product. For example, let me just show you Exploit Database. These are all the types of entries you can go through out here, and as you see we have all sorts of stuff: this is an SQL injection entry, this is something regarding tar archives. So these let you get a foothold into some password cracking attempts and you can do some brute force checking. You can see here it tells you the type of search it is and what it reveals, and you can just click here on Google Search and it will actually bring up Google with the list of responses that Google generates. So let's look at this one here; the type is log, so this is something about cross-site scripting logs, and we can also see some [inaudible] logs, if I'm not wrong, some denial of service POCs, and we can see a bunch of stuff, and if you continue to scroll down there is a lot of interesting information in here. So somehow somebody's got a [inaudible] log that has logged a lot of information, they've put it up on a website, and it's basically a bunch of information there, you can see. You can also get some surveillance video sometimes, and you can look into them. This is basically how you could use Google; the database is basically a list of queries that you can go through, and this is a very useful site if you are a penetration tester and looking for some help with your Google hacking terminology. So that's it for Google hacking. Now let's move on.
Okay, so now it's time for some networking fundamentals, and what better place to begin than TCP/IP. We're going to be talking about the history of TCP/IP and the network that eventually morphed into the thing that we now call the Internet. So this thing began in 1969, and it spun out of a government organization called ARPA, the Advanced Research Projects Agency. They had an idea to create a computer network that was resilient to certain types of military attacks; the idea was to have a network that could survive certain types of war and warlike conditions. So ARPA sent out a request for proposals, and BBN, which is Bolt Beranek and Newman, previously an acoustical consulting company, won the contract to build what was called the ARPANET. The first connection was in 1969, so that's where we get the idea that the Internet began in 1969; the Internet as we call it now didn't generally begin then, but ARPANET did, and ARPANET has a long history that goes through NSFNET in the 1980s. After ARPANET was decommissioned, a lot of other networks were folded into this thing called NSFNET, which then turned into what we now call the Internet once all the networks were connected.

The first protocol on the ARPANET was the 1822 protocol. It was the very first protocol defining communication on ARPANET, and it was called the 1822 protocol because BBN Report 1822 describes how it worked. Shortly after that there was this thing called the Network Control Program, and the Network Control Program consisted of the ARPANET host-to-host protocol and an Initial Connection Protocol. Now, there's certainly not a direct correlation or analogy here, but if you want to think about it in a particular way, you could say that the ARPANET host-to-host protocol is kind of like UDP and the Initial Connection Protocol, or ICP, is kind of like TCP. The host-to-host protocol provided a unidirectional flow-controlled stream between hosts, which sounds a little bit like UDP, and ICP provided a bi-directional pair of streams between two hosts. Again, these aren't perfect analogies, but the host-to-host protocol is a little bit like UDP and ICP is a little bit like TCP.

Now, the first router was called an Interface Message Processor, and that was developed by BBN. It was actually a ruggedized Honeywell computer that had special interfaces and software, so the first router wasn't a ground-up built piece of hardware but an existing piece of hardware that was specially purposed for this particular application. Honeywell had this computer that they made, and BBN took that, made some specific hardware interfaces and wrote some special software that allowed it to turn into this Interface Message Processor, which passed messages over ARPANET from one location to another.

So where did IP come in? IP came in in 1973. A guy by the name of Vint Cerf and another guy by the name of Robert Kahn took the ideas of NCP and what the ARPANET was doing and tried to come up with some concepts that would work for the needs that the ARPANET had. By 1974 they had published a paper, published by the IEEE, in which they proposed some new protocols. They originally proposed a central protocol called TCP; later on, TCP was broken into TCP and IP to get away from the monolithic concept that TCP originally was. So they broke it into more modular protocols, and thus you get TCP and IP.

So how do we get to version 4, IPv4, since that's the kind of Internet we are using right now? Version 6 is coming, and has been coming for many, many years now, but we're still kind of on version 4. We got here between 1977 and 1979: we went through versions zero to three, and by 1979 and 1980 we started using version four, which eventually became the de facto protocol on the Internet in 1983, when NCP was finally shut down because all the hosts on the ARPANET were using TCP/IP by that point. In 1992 work began on IP Next Generation, and for a long time the specifications in the RFCs talked about IPng; eventually IPng became known as IPv6. You may be wondering where IPv5 went; well, it was a special-purpose protocol that had to do with streaming, and certainly not a widespread thing. One of the differences between IPv4 and IPv6 is that IPv6 has 128-bit addresses, which gives us the ability to have a ridiculously large number of devices that have their own unique IP address. IPv4, by comparison, has only 32-bit addresses, and as you've probably heard, we're well on our way to exhausting the number of IP addresses that are available; we've done a lot of things over the years to conserve address space and reuse address space so we can continue extending to the point where we completely run out of IPv4 addresses. Another thing about IPv6 is that it attempts to fix some of the inherent issues in IP, and some of those have to do with security concerns. There are certainly a number of flaws in IPv4, and when they started working on IP Next Generation, or IPv6, they tried to address some of those concerns and issues. They may not have done it perfectly, but it was certainly an attempt, an IPv6 attempt, to fix some of the issues that were inherent in IP. And so that's the history of TCP/IP, still very rich today.
Okay, so now that we have discussed a brief history of TCP/IP and how it came about, up to TCP/IP version 4, let's discuss the model itself. We're going to be discussing two models, the OSI model and the TCP/IP model. As I said, we'll be talking about the OSI and TCP/IP models for network protocols and network stacks. OSI, first of all, is the one that you see out here on the left-hand side of the screen, and OSI stands for Open Systems Interconnect. In the late 1970s they started working on a model for how a network stack and network protocols would look. Originally the intent was to develop the model and then develop protocols that went with it, but what ended up happening was that after they developed the model, TCP/IP started really taking off, and the TCP/IP model was what went along with it and described much better what was going on with TCP/IP, which became the predominant protocol. As a result, the OSI protocols never actually got developed; however, we still use the OSI model as a teaching tool as well as a way of describing what's going on within the network stack and networked applications. You'll often hear people talking about different layers, like "that's a layer two problem" or "we're in layer three space". Continuing through these lessons I'll refer occasionally to the different layers, and when I do that I'm referring to the OSI model.

So let's take a look at the OSI model. Starting from the bottom we have the physical layer, which is where all the physical stuff lives: the wires and cables and network interfaces and hubs, repeaters, switches and all that sort of stuff; all that physical stuff is sitting in the physical layer. Sitting above this is the data link layer, and that's where the Ethernet protocol, the ATM protocol and frame relay live. Now, I mentioned the switch below in the physical layer; the switch lives at layer one, but it operates at layer two, and the reason it operates at layer two is that it looks at the data link address, the layer two or physical address, which is not to be confused with the physical layer. It does get a little mixed up sometimes when we refer to the MAC address. The MAC address is not the physical address that I'm talking about; it is the message authentication code address on a system, and so the MAC address on a system is a physical address because it lives on the physical interface and is bound physically; however, that MAC address, or media access control address, lives at layer two, the data link layer. The network layer, which is right above at layer 3, is where IP lives, as well as ICMP and IPX from the IPX/SPX suite of protocols from Novell. Routers operate at layer 3. At layer 4 above that is the transport layer; that's TCP, UDP and SPX, again from the IPX/SPX suite of protocols. Above that is the session layer, which is layer five, and that's AppleTalk, SSH, as well as several other protocols. Then there's the presentation layer, which is layer 6, and you'll often see people refer to something like JPEG or MPEG as examples of protocols that live at that layer. Finally we have layer 7, which is the application layer, and that's HTTP, FTP, SMTP and similar application protocols whose responsibility is to deliver end-user functionality. So that's basically the OSI model, and those are the seven layers of the OSI model.

There's something important to note here: when we are putting packets onto the wire, the packets get built from the top of the stack to the bottom, which is why it's called a stack; each layer sits on top of the other. The application layer is responsible for beginning the process, and then it follows through the presentation, session and transport layers and down through the network and data link layers until we finally drop it on the wire at the physical layer. When it's received from the network it goes from the bottom up: we receive it on the physical layer, it gets handled by the data link layer and then the network layer, and so on until the application layer. So basically a packet comes in from the application and goes out from the physical, and what is coming in also goes from the physical through the data link, then the network, transport, session, presentation and application layers, and finally to the target system. What we're dealing with is an encapsulation process: at every layer on the way down, the different layers add bits of information to the datagram, or packet, so that when it gets to the other side each layer knows where its demarcation point is. While it may seem obvious, each layer talks to the same layer on the other side. So when we drop a packet out onto the wire, the physical layer talks to the physical layer; in other words, the electrical bits that get transmitted by the network interface on the first system are received on the second system. On the second system, the layer 2 headers that were put on by the first system get removed and handled as necessary. Same thing at the network layer: it's the network layer that puts on the IP header and the network layer that removes the IP header and determines what to do from there, and so on and so on. Again, while it may seem obvious, it's an important distinction to recognize that each layer talks to each layer, and when you are building a packet you go down through the stack and when you are receiving you come up through the stack. Again, it's called a stack because you keep pushing things on top of the packet and they get popped off on the other side. So that was a detailed but brief look at how the OSI model is set up and how the OSI model works.

Now let's move on to the TCP/IP model, which is on the right-hand side, and you'll notice that there's a really big difference here: there are only four layers in the TCP/IP model, as compared with the seven layers of the OSI model. We have the network access layer, the internet layer, the transport layer and the application layer. The functionality that the stack provides is the same; in other words, you're not going to get less functionality out of the TCP/IP model, it's just that they've changed where different functionality resides and where the demarcation points between the different layers are. So there are only four layers in the TCP/IP model, which means that a couple of layers have taken in functions from some of the OSI model's layers, and we can get into that right here. The difference between the models: the network access layer in the TCP/IP model consists of the physical and the data link layers from the OSI model; so on the right here you see the network access layer, which takes into account the physical and data link layers from the OSI model on the left-hand side. Similarly, the application layer from the TCP/IP model encompasses the session, presentation and application layers of the OSI model; so on the right, the very top box, the application layer, encompasses the session, presentation and application layers on the left-hand side. That of course leaves the transport layer to be the same, and what the OSI model calls the network layer the TCP/IP model calls the internet layer; same sort of thing, that's where IP lives, and even though it's called the internet layer as compared to the network layer, it's the same sort of functionality. So those are the really big differences between the OSI and TCP/IP models. Any time I refer to layers through the course of this video I'm going to be referring to the OSI model, in part because it makes it easier to differentiate the different functionality: if I were to say "layer one function" in the TCP/IP model, you wouldn't necessarily know if I was talking about a physical thing or a data link thing. Since there's more granularity in the OSI model, it's better to talk about the functionality in terms of the layers in the OSI model. And those are the predominant models, the OSI model and the TCP/IP model, for network stacks, network protocols and applications.
Okay, so now that we've discussed the TCP/IP model, let's go over another important protocol, and that is UDP. What you see out here on your screen right now is Wireshark, and we'll be going over the uses of Wireshark and what it's useful for in the upcoming lessons, but for now let me just show you a UDP packet. Okay, so before we get into the analysis of the packet, while the file is still filtering, let me just tell you a little bit about UDP.

UDP is a protocol in the TCP/IP suite of protocols. In the network layer, the network layer in the OSI seven-layer reference model, the IP network layer carries the IP address, and that has information about how to get to its destination. The transport layer sits on top of the network layer, and that carries information about how to differentiate network layer applications, and that information about how those network applications get differentiated is in the form of ports. So the transport layer has ports and the network layer has, in this case, an IP address. UDP is a transport layer protocol; UDP stands for User Datagram Protocol, and it's often called connectionless or sometimes unreliable. Now, unreliable doesn't mean that you can't really rely on it; unreliable means that you can't trust that what you send is reaching the other side. What that actually means is that there's nothing in the protocol that guarantees that the datagram or packet that you send is going to get where you want to send it. The protocol has no sort of safety feature like that, so you shouldn't use this protocol, UDP, if you want some sort of safety net, and if you need that type of safety net you would have to write it into your own application. So basically UDP is a fast protocol, and that's one of the reasons why it's good; it's also one of the reasons why it's unreliable, because in order to get that speed you don't have all of the error checking and validation that messages are getting there. Because it's fast it's good for things like games and for real-time voice and video, anything where speed is important, and that's where you would use UDP.

So right here I have a packet capture; I'm using Wireshark to capture some packets, and let's check out a UDP packet. Out here you see that there are some frames; it says 167 bytes on wire, 167 bytes captured, but we're not really interested in the frame part, we're interested in the User Datagram Protocol part. Out here you can see that the source port is 1853 and the destination port is 52081. Now it has a length and it has a checksum and stuff. As you guys see out here, we don't really see a bunch of information; what you see is only the source port and the destination port, the length, and there's also a checksum. So UDP doesn't come with an awful lot of headers, because it doesn't need any of the things that you see in the other packet headers. The only thing it needs is to tell you how to get to the application on the receiving host, and that's where the destination port comes in, and once the message gets to the destination, the destination should know how to communicate back to the originator, and that would be through the source port in a return message. A return message would convert the source port to a destination port and send back to that port in order to communicate with the originator. So we have a source port and a destination port, and the length is a minimal amount of checking: to make sure that if the packet you received is different in length from the length that's specified in the UDP header, then there may have been something wrong, so you may want to discard the message and check for more messages. The checksum also makes sure that nothing in the middle was tampered with, although if there's some sort of man-in-the-middle attack or something like that, the checksum is pretty easy to manufacture after you've altered the packet. So you can see here in the capture that there are a number of UDP packets; some of them just say UDP, and the one I looked at happens to be from some Skype application, I guess, talking to Skype servers. We've also got DNS. DNS also needs some fast response times, because you don't want to spend a lot of time looking up information about servers that you're going to just to go to them, so DNS servers throw their queries out onto the wire using UDP hoping to get fast responses; they don't want to spend a lot of time setting up connections and doing all the negotiating that comes with a protocol like TCP, for example. So here you see that DNS is using UDP, and what we've got here is another UDP packet with the port, destination and all sorts of stuff, so you can see it out here; you can see the checksum, it's an unverified checksum status. So you can check out all sorts of stuff using Wireshark. That was about UDP, the User Datagram Protocol.
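As an added example that is not from the video, covering both the encapsulation walk-through in the OSI section above and the UDP header fields just described: the script pushes a UDP header, an IPv4 header and an Ethernet header onto a constructed payload on the way down the stack, then pops them off again on receipt, rejecting a datagram whose UDP length or checksum does not match. All MACs, addresses, ports and the payload are constructed (the IPs come from the documentation range 192.0.2.0/24).

```python
"""Added example, not from the video: push one header per layer onto a
payload on the way down the stack (application -> UDP -> IPv4 -> Ethernet)
and pop them off again on the receiving side, checking the UDP length
and checksum the way the transcript describes.

All MACs, addresses, ports and the payload are constructed; the IPs are
from the documentation range 192.0.2.0/24."""
import ipaddress
import struct

UDP_PROTO = 17
ETHERTYPE_IPV4 = 0x0800


def internet_checksum(data):
    """RFC 1071 ones'-complement checksum over `data` (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip, dst_ip, segment):
    """UDP checksum: pseudo-header (src, dst, zero, proto, UDP length) + segment."""
    pseudo = ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
    pseudo += struct.pack("!BBH", 0, UDP_PROTO, len(segment))
    csum = internet_checksum(pseudo + segment)
    return csum or 0xFFFF                    # RFC 768: a computed zero is sent as all ones


def build_udp(src_ip, dst_ip, sport, dport, payload):
    """Transport layer: 8-byte header = source port, destination port, length, checksum."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_ipv4(src_ip, dst_ip, segment, ttl=64):
    """Network layer: 20-byte IPv4 header, no options, protocol 17 = UDP."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0, 0, ttl,
                      UDP_PROTO, 0, ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + segment


def build_ethernet(src_mac, dst_mac, packet):
    """Data link layer: destination MAC, source MAC, EtherType 0x0800 = IPv4."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def parse_frame(frame):
    """Receiving side: strip Ethernet, then IPv4, then UDP, each layer handling its own header.

    Raises ValueError where the transcript says a receiver would discard the datagram:
    a UDP length that disagrees with the bytes received, or a checksum that does not verify."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if internet_checksum(ip[:ihl]) != 0:     # summing a good header incl. its checksum gives 0
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != UDP_PROTO:
        raise ValueError("not UDP")
    src_ip = str(ipaddress.ip_address(ip[12:16]))
    dst_ip = str(ipaddress.ip_address(ip[16:20]))
    udp = ip[ihl:total_len]
    sport, dport, length, csum = struct.unpack("!HHHH", udp[:8])
    if length != len(udp):
        raise ValueError("UDP length %d but %d bytes received" % (length, len(udp)))
    expected = udp_checksum(src_ip, dst_ip, udp[:6] + b"\x00\x00" + udp[8:])
    if csum and csum != expected:            # csum 0 means the sender skipped it (IPv4 only)
        raise ValueError("bad UDP checksum")
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
            "src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
            "payload": udp[8:]}


def demo_frame():
    """Constructed DNS-style datagram: host 192.0.2.10 port 51853 -> resolver 192.0.2.53 port 53."""
    seg = build_udp("192.0.2.10", "192.0.2.53", 51853, 53, b"constructed payload")
    pkt = build_ipv4("192.0.2.10", "192.0.2.53", seg)
    return build_ethernet("02:00:00:00:00:01", "02:00:00:00:00:02", pkt)


if __name__ == "__main__":
    f = demo_frame()
    print(len(f), "bytes on wire:", parse_frame(f))
```

The checksum only catches corruption in transit; as the transcript notes, anyone who can rewrite the datagram can recompute it, so it is not an integrity control.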
Okay, so now that we're done with the User Datagram Protocol, let's talk about addressing modes. Addressing modes are how you address a packet to your different destinations, and there are three kinds of addressing modes. The first kind of addressing mode is unicast; this is a pretty simple one to understand: there is one destination and one source, and the source sends the packet to the destination. It depends on the protocol that you're using to actually address it: if it's something like TCP/IP you're probably using a bi-directional stream, so the blue computer can talk to the red computer and the red computer can talk back to the blue computer, but you can also use a UDP stream, which is like a one-directional stream; I'm not sure if I'm using the correct word, so, a stream that's in one direction. I guess I'm driving home the point here: if it's UDP only blue is talking, and when blue stops talking then red can talk, but if it's TCP/IP blue and red can talk simultaneously, at the same time.

Now, moving on, there's also broadcast. Broadcast means that you are sending your packet to everybody on the network. Broadcast messages are very common from mobile network providers: when you get those advertisements saying something like "you have a new postpaid plan from Vodafone or [inaudible]" or something like that, those are broadcast messages, so it's one server that is sending out one single message to all the other systems. Then there's also multicast; multicast is like broadcast but selective. Multicast is used for actually casting your screen to multiple people, so something like screen sharing when you are doing it with multiple people is multicast, because you have the option to not show a particular computer what you are actually sharing. So those are the three modes of addressing: unicast, broadcast and multicast.
Okay, now moving on, let's look into the tool that we just used once in the UDP section, that is Wireshark. So what exactly is Wireshark? This utility called Wireshark is a packet capture utility, meaning that it grabs data that's either going out or coming in on the network. There are a number of reasons why this may be useful or important, and one of the reasons why it's really important is that what's going on in the network is always accurate; in other words, you can't mess around with things once they're on the network, or you can't lie about something that's actually on the network, as compared with applications and their logs, which can be misleading or inaccurate, or if an attacker gets into an application they may be able to alter the logging, and several other behaviours that make it difficult to see what's really going on. On the network you can really see what's going on: once it hits the wire it's on the wire, and you can't change that fact.

So what we're going to do here is a quick packet capture. Let me just open up Wireshark for you guys; as you guys can see, I already have Wireshark open for us. Let me just remove this UDP filter that was there, so Wireshark is recapturing. Let's go over the stuff that you can see on the screen, some important features of Wireshark, so that we can use it later. So what I'm doing here is a quick packet capture, and I'm going to show some of the important features of Wireshark so that we can use it later on when we're starting to do some more significant work. I select the interface that I'm using primarily, which is my Wi-Fi, and I'm going to go over here and bring up a Google page so that we can see what's happening on the network. So let me just quickly open up a Google page; you guys can see it's capturing a bunch of data that's going around here. Now let me just open up the Google page and that's going to send some data; let's go back. So it's grabbing a whole bunch of stuff off the net. Okay, I'm just going to stop that and go back and take a look at some of the messages here.

So, on to the features of Wireshark. As you can see on the top part of the screen, there's a window that says number, time, source, destination, protocol, length and info, and those are all of the packets that have been captured. They're numbered starting from one, the time is relative to the point that we started capturing, and you see the source and destination addresses, the protocol, the length of the packet in bytes, and some information about the packet. In the middle of the screen you'll see detailed information about the packet that has been selected. So suppose I'm selecting this TCP packet out here; we can go through the frame, and the frame also has an interface ID, an encapsulation type and all sorts of information about the frame. Then we can look at the source port, the destination port, the sequence number, the flags, the checksums; you can basically check everything about a packet, because this is a packet analyzer and a packet sniffer.

Now you'll see some detailed information about the packet that I've selected. As I've selected this TCP/IP packet, we see that in the middle frame it says frame 290, meaning that it's the 290th packet, and the packet that was captured is 66 bytes; we grabbed 66 bytes and it's 528 bits. So what you see out here is the source and destination MAC address, the layer 2 address, then you can see the source and destination IP addresses, and it says it's a TCP packet and gives us a source port and destination port, and we can start drilling down into different bits of the packet. When I select a particular section of the packet, down at the very bottom you can see what's actually a hex dump of the packet, and on the right-hand side is the ASCII; so this is the hex dump and that is the ASCII that you're looking at. What's really cool about Wireshark is that it really pulls the packet apart into its different layers, the different layers of the OSI and TCP/IP models that we have spoken about; the packets are put into different layers, and there are a couple of different models that we can talk about with that, but what Wireshark does really nicely is demonstrate those layers for us, as we can see here.

In this particular packet here we can also do something else. I've got a Google web request, so what I want to do here is filter based on HTTP; I find the filter box, so let's see, we can type http, and what I see here is a GET request for text input, and it's going to get an image, that's a PNG image, and this request gets the item that's going to be displayed in the address bar. You also see something called ARP out here, which I'll be talking about very soon. So let's just get the filtering done; now in the web browser it's a favicon.ico. What I can do here is select Analyze and Follow TCP Stream, and you can see all the requests related to this particular request, and it breaks them down very nicely. So you can see we've sent some requests to
Spotify because I've been using Spotify
you actually listen to some music then
you can see Oh
sorts of stuff like this was something
to some not found place so let's just
take the Spotify one and you can see
that we get a bunch of information from
the Spotify thing at least you can see
the destination the source it's an Intel
Core machine so the first part of the
MAC address the first few digits lets
you tell if it's what what is the vendor
ID so intel has its own mental ID so f
186 probably tells us that it's that's
an Intel Core so why shock does is
really neat little thing that it also
tells us from the MAC address what type
of machine you're sending your packets
to from the back address itself so it's
coming from a soft force for C and going
to an Intel Core and the type is ipv4 so
that was all about Wireshark you can use
it extraneously for packet sniffing and
packet analysis packet analysis comes
very handy when you are trying to
actually figure out how to do some stuff
like IDs evasion where you want to craft
your own packets and you want to analyze
packets that are going into the IDS
system to see which packets are actually
getting detected as some intrusion so
you can craft your packet in a relative
manner so that it doesn't get actually
detected by the idea system so this is a
very nifty little tool we'll be talking
about how you can craft your own package
it's just in a little while but for now
let's move ahead ok so now that we are
done with our small little introduction
and bring a fuse or an history of our
shop now let's move on to our next topic
for the video, and that is DHCP. Okay, so DHCP is a protocol, and it stands for Dynamic Host Configuration Protocol. DHCP is a network management protocol used to dynamically assign an Internet Protocol address to any device on a network so they can communicate using IP. Now DHCP automates and centrally manages these configurations rather than requiring some network administrator to manually assign IP addresses to all the network devices. So DHCP can be implemented on small local networks as well as large enterprises.

Now DHCP will assign new IP addresses in each location when devices are moved from place to place, which means network administrators do not have to manually configure each device with a valid IP address initially. So if a device with a new IP address is moved to a new location of the network, it doesn't need any sort of reconfiguration. Versions of DHCP are available for use in Internet Protocol version 4 and Internet Protocol version 6.

Now, as you see on your screen, this is a very simplistic diagram of how DHCP works, so let me just run you through it. DHCP runs at the application layer of the TCP/IP protocol stack to dynamically assign IP addresses to DHCP clients and to allocate TCP/IP configuration information to DHCP clients. This includes subnet mask information, default gateway IP addresses, and domain name system addresses. So DHCP is a client-server protocol in which servers manage a pool of unique IP addresses, as well as information about client configuration parameters, and assign addresses out of those address pools. Now DHCP-enabled clients send a request to the DHCP server whenever they connect to a network. The clients configured with DHCP broadcast a request to the DHCP server and request network configuration information for the local network to which they are attached. A client typically broadcasts a query for this information immediately after booting up. The DHCP server responds to the client request by providing IP configuration information previously specified by a network administrator. Now this includes a specific IP address as well as the time period, also called the lease, for which the allocation is valid. When refreshing an assignment, a DHCP client requests the same parameters, but the DHCP server may assign a new IP address based on the policy set by the administrator.

Now a DHCP server manages a record of all the IP addresses it allocates to network nodes. If a node is relocated in the network, the server identifies it using its media access control address, which prevents accidentally configuring multiple devices with the same IP address. DHCP is not a routable protocol, nor is it a secure one. DHCP is limited to a specific local area network, which means a single DHCP server per LAN is adequate. Now larger networks may have a wide area network containing multiple individual locations; depending on the connections between these points and the number of clients in each location, multiple DHCP servers can be set up to handle the distribution of addresses.

Now if a network administrator wants a DHCP server to provide addressing to multiple subnets on a given network, he must configure DHCP relay services located on the interconnecting routers that DHCP requests have to cross. These agents relay messages between DHCP clients and servers. DHCP also lacks any built-in mechanism for clients and servers to authenticate each other; both are vulnerable to deception and to attack, where rogue clients can exhaust the DHCP server's pool.

Okay, so let's move on to our next topic, and that is: why use DHCP? I just told you that DHCP doesn't really have any sort of authentication, so it can be fooled really easily. So what are the advantages of using DHCP? DHCP offers quite a lot of advantages. Firstly there is IP address management: a primary advantage of DHCP is easier management of IP addresses in a network. Without DHCP you must manually assign IP addresses; you must be careful to assign unique IP addresses to each client and to configure each client individually. If a client moves to a different network, you must make manual modifications for that client. Now, when DHCP is enabled, the DHCP server manages the assigning of IP addresses without the administrator's intervention. Clients can move to other subnets without manual reconfiguration, because they obtain from a DHCP server new client information appropriate for the new network. Apart from that, you can say that DHCP also provides a centralized network client configuration; it supports BOOTP clients; it supports local clients and remote clients; it supports network booting; and it also has support for large networks, not only for small-scale networks but for larger networks as well. So that way, you see, DHCP has a wide array of advantages even though it doesn't really have any authentication, so because of these advantages DHCP finds widespread use in a lot of organizations. Okay, so that winds up DHCP for us.
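To make the lease bookkeeping described above concrete, here is an added Go model (example code, not the instructor's) of a DHCP server's pool: clients are identified by MAC address, a renewing client gets its existing address back, expired leases return to the pool, and a rogue client requesting under ever-new MACs exhausts it. The pool, MACs and lease time are constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrPoolExhausted is what every further client sees once a rogue host has
// leased every address under fabricated MACs.
var ErrPoolExhausted = errors.New("dhcp: address pool exhausted")

type lease struct {
	ip      string
	expires time.Time
}

// Server models the record a DHCP server keeps: the assignable pool and
// which client MAC currently holds which address, for how long.
type Server struct {
	pool     []string         // constructed pool of assignable addresses
	leases   map[string]lease // client MAC -> current lease
	leaseTTL time.Duration
}

func NewServer(pool []string, ttl time.Duration) *Server {
	return &Server{pool: pool, leases: make(map[string]lease), leaseTTL: ttl}
}

// inUse reports whether ip is held by a lease that has not yet expired.
func (s *Server) inUse(ip string, now time.Time) bool {
	for _, l := range s.leases {
		if l.ip == ip && now.Before(l.expires) {
			return true
		}
	}
	return false
}

// Request handles a client request identified by MAC. A client that still
// holds a valid lease is renewed on the same address, so moving or
// re-asking never hands two devices the same IP; otherwise the first free
// address in the pool is leased.
func (s *Server) Request(mac string, now time.Time) (string, error) {
	if l, ok := s.leases[mac]; ok && now.Before(l.expires) {
		s.leases[mac] = lease{ip: l.ip, expires: now.Add(s.leaseTTL)}
		return l.ip, nil
	}
	for _, ip := range s.pool {
		if !s.inUse(ip, now) {
			s.leases[mac] = lease{ip: ip, expires: now.Add(s.leaseTTL)}
			return ip, nil
		}
	}
	return "", ErrPoolExhausted
}

// ActiveLeases counts unexpired leases; a jump to the full pool size that
// the number of real devices on the LAN cannot explain is worth an alert.
func (s *Server) ActiveLeases(now time.Time) int {
	n := 0
	for _, l := range s.leases {
		if now.Before(l.expires) {
			n++
		}
	}
	return n
}

func main() {
	now := time.Date(2020, 1, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	srv := NewServer([]string{"192.168.1.31", "192.168.1.32"}, time.Hour)
	// Two real clients, one renewal, then a third MAC finds the pool empty.
	for _, mac := range []string{"02:00:00:00:00:01", "02:00:00:00:00:02",
		"02:00:00:00:00:01", "02:00:00:00:00:03"} {
		ip, err := srv.Request(mac, now)
		fmt.Printf("%s -> %q %v\n", mac, ip, err)
	}
	fmt.Println("active leases:", srv.ActiveLeases(now))
}
```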
So now let's move on to our next topic for this video, and that is Address Resolution Protocol. Now Address Resolution Protocol is a protocol that is used in the local area network, so let me just give you a brief introduction to it, and then we'll get into how we can use it as an ethical hacker for looking into stuff, looking into vulnerabilities, and looking at whether somebody is actually being hacked or something like that. Okay, so first of all, as I just said, Address Resolution Protocol is a local area network protocol; it basically works when you are using a LAN. So suppose you have a bunch of computers that are connected over a LAN and they have the following IPs: 192.168.1.31, followed by .32, .33 and .34. So these are the computers, and this is a scenario. How the ARP protocol works is that when, suppose, the red computer out here wants to send a piece of data, or a packet, or a datagram, to this yellow computer, that is the IP that it's calling out: it will broadcast over the LAN a "who is" message, like "who is 192.168.1.33?", and it will be constantly listening for a reply after that. So they send out a packet and they don't really know which machine to send it to, because nobody has responded yet. So after that the red computer asks "who is 192.168.1.33?", and then the yellow computer recognizes that it has the same IP address and it'll say "hey, here's my MAC address, so we can communicate more easily in the future". So this MAC address is going to be tied to this IP address in something called the ARP table. I'm going to show you the ARP table in just a few minutes.

Now what you have to understand is that this is actually exploitable, because there is no validation; anybody can come into this situation and just lie. So suppose there's 192.168.1.31, there's this yellow computer, and we also have this other computer, the blue computer, and this is not supposed to be on the LAN, but somehow this guy got into the building and he just connected a LAN wire and now he's on the network. Now what he can do is that he can catch the packet that you are sending to 192.168.1.33, simply by lying when the ARP protocol is running and saying "yep, I'm actually the yellow computer, so send your data to me", and then he'll modify the data and send it to the yellow one, and when the reply comes it'll also be forwarded to the blue computer. So what I'm explaining out here in this scenario is actually called a man-in-the-middle attack. Okay, so that was about the ARP protocol.

Now let's talk about how we can use the ARP protocol to our advantage as an ethical hacker. Okay, so now that we know how ARP actually works, let me show you how you can access the ARP table of your computer. So what you have to do is just open up Command Prompt, and all you type is arp -a. Now this is not specific to Windows; it can be run on any machine that has the TCP/IP suite of protocols installed, so every computer system has what is called an ARP table. The reason it's called an ARP table is because it matches a layer 2, or physical address, or MAC address, to an IP address, and that's what the Address Resolution Protocol is: what it resolves is an IP address to a MAC address, or a physical address. And MAC address or physical address are interchangeable, because they mean the same thing. The reason it's called the physical address is because it is physically on a network interface, which is of course a physical device. So it's sometimes called the physical address and sometimes called a MAC address, for media access control. I might use MAC address and I might use physical address to make a particular point, but it means the same thing.

So you can see here the IP addresses and the MAC addresses: these are the IP addresses and these are the MAC addresses, and they are listed in the ARP table. I've done -a, which means "show me all your ARP entries". While I'm doing this on a Windows system, as I just said, it's possible on a Linux system and anything with the TCP/IP suite of protocols installed, because it's an important utility to have in order to help diagnose any issue with your network. So this is how you would display an ARP table, and, as I said, ARP is just a mapping from IP address to MAC address.

So let me show you what the protocol looks like when it's actually working. Let's head over to Wireshark. We choose the interface that we want to see; okay, now all we do is put on a filter that says "arp". So if you guys see out here, there are these ARP packets that we are finding. This is what it looks like, and as I just said, it's a "who has" and a "tell" message. Now, there is no authentication, so when this guy is looking for, okay, "who has 192.168.1.1", now if we look at the hardware part, and if you see out here, the target MAC address is empty, because it hasn't gotten a reply yet. Now when the MAC address is given, they are just interchanged and it is sent back. So the sender MAC address is a Broadcom, and Wireshark does a really neat job at getting out vendor names from the DNS, I mean from the MAC address. So there's this ASUSTek thing, then there's Google; as I just saw out here, some Google phone, I guess, maybe an Android, I'm not really sure. This is how ARP looks and this is how ARP works. And if you're trying to do a man-in-the-middle attack, and you shouldn't be trying to do that because that's completely unethical, but just in case you were trying to force a man-in-the-middle attack, you could just try to forward the IP to your own address and just spoof your name while ARP is running, so you can use other tools like ettercap for that. Now that was all about ARP.
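The "who has" / "is at" exchange above, and the one thing a defender can see when somebody lies in it, as an added Go example (not the instructor's code): it builds and parses the 28-byte Ethernet/IPv4 ARP packets Wireshark displays, then replays the lecture's LAN with constructed MACs, keeping the same IP-to-MAC table the operating system keeps and flagging a reply that re-binds 192.168.1.33 to a different MAC, which is the on-wire sign of the man-in-the-middle lie.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

const (
	ARPRequest = 1 // "who has X? tell Y": target MAC still unknown
	ARPReply   = 2 // "X is at MAC"
)

// Packet holds the Ethernet/IPv4 ARP fields Wireshark shows under
// "Address Resolution Protocol" (28 bytes after the Ethernet header).
type Packet struct {
	Opcode    uint16
	SenderMAC net.HardwareAddr
	SenderIP  net.IP
	TargetMAC net.HardwareAddr // all zeros in a request
	TargetIP  net.IP
}

// Build serialises an ARP packet; a nil tMAC is written as zeros.
func Build(op uint16, sMAC net.HardwareAddr, sIP net.IP, tMAC net.HardwareAddr, tIP net.IP) []byte {
	b := make([]byte, 28)
	binary.BigEndian.PutUint16(b[0:], 1)      // HTYPE: Ethernet
	binary.BigEndian.PutUint16(b[2:], 0x0800) // PTYPE: IPv4
	b[4], b[5] = 6, 4                         // HLEN, PLEN
	binary.BigEndian.PutUint16(b[6:], op)
	copy(b[8:14], sMAC)
	copy(b[14:18], sIP.To4())
	copy(b[18:24], tMAC)
	copy(b[24:28], tIP.To4())
	return b
}

// Parse decodes an ARP packet, rejecting anything but Ethernet/IPv4.
func Parse(b []byte) (*Packet, error) {
	if len(b) < 28 || binary.BigEndian.Uint16(b[0:]) != 1 ||
		binary.BigEndian.Uint16(b[2:]) != 0x0800 || b[4] != 6 || b[5] != 4 {
		return nil, fmt.Errorf("arp: not a complete Ethernet/IPv4 ARP packet")
	}
	return &Packet{
		Opcode:    binary.BigEndian.Uint16(b[6:]),
		SenderMAC: net.HardwareAddr(append([]byte(nil), b[8:14]...)),
		SenderIP:  net.IP(append([]byte(nil), b[14:18]...)),
		TargetMAC: net.HardwareAddr(append([]byte(nil), b[18:24]...)),
		TargetIP:  net.IP(append([]byte(nil), b[24:28]...)),
	}, nil
}

// Monitor learns IP-to-MAC bindings from replies, like the OS ARP table,
// and flags a reply that re-binds a known IP to a different MAC. ARP has
// no validation, so that flip is the only on-wire sign of the lie.
type Monitor struct {
	bindings map[string]string // IP -> MAC
}

func NewMonitor() *Monitor { return &Monitor{bindings: map[string]string{}} }

// Observe returns an alert for a conflicting reply and "" otherwise.
func (m *Monitor) Observe(p *Packet) string {
	if p.Opcode != ARPReply {
		return "" // a request claims nothing, so it never updates the table
	}
	ip, mac := p.SenderIP.String(), p.SenderMAC.String()
	prev, known := m.bindings[ip]
	m.bindings[ip] = mac
	if known && prev != mac {
		return fmt.Sprintf("ALERT: %s moved from %s to %s", ip, prev, mac)
	}
	return ""
}

// Scenario replays the lecture's LAN with constructed MACs: red asks for
// yellow, yellow answers, then the rogue blue host answers for yellow too.
func Scenario() []string {
	mac := func(s string) net.HardwareAddr { h, _ := net.ParseMAC(s); return h }
	red, yellow, blue := mac("02:00:00:00:00:31"), mac("02:00:00:00:00:33"), mac("02:00:00:00:00:99")
	redIP, yellowIP := net.ParseIP("192.168.1.31"), net.ParseIP("192.168.1.33")
	frames := [][]byte{
		Build(ARPRequest, red, redIP, nil, yellowIP),
		Build(ARPReply, yellow, yellowIP, red, redIP),
		Build(ARPReply, blue, yellowIP, red, redIP), // the lie
	}
	mon, alerts := NewMonitor(), []string{}
	for _, f := range frames {
		p, err := Parse(f)
		if err != nil {
			panic(err)
		}
		if a := mon.Observe(p); a != "" {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

func main() {
	for _, a := range Scenario() {
		fmt.Println(a)
	}
}
```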
Now let's move on to our next topic. So the next topic comes right after ARP because, while studying ARP, you must have realized, as I told you, that ARP has no sort of validation. So how could that exactly be fixed? If the data that is actually being transferred over the LAN is encrypted using cryptography, ARP can actually be used very validly. I mean, what you want to do is you want to hide what you're actually sending before sending it out on a local network, so that people who are not supposed to get it can't actually see it. Now let's first talk about the question: what exactly is cryptography? Cryptography is basically the art of hiding anything; now, when talking about computers and computer science in general, it includes hiding data. So cryptography doesn't really start with the new age; it's been there for a long, long time, since the time of Julius Caesar and all. We'll be talking about the history of cryptography right now, but what I want you to understand is that when a message is sent, a key is actually used along with an encryption algorithm. Now this key is also sent to the other person, and how the keys are sent we can get into later. So all you want to basically understand for now is: a message is encrypted using an encryption algorithm, which takes the key and the message as parameters; then on the other side of the message is the ciphertext. That is, after encryption you get something called ciphertext, because it has to be deciphered. Now "cipher" is just a word, a Latin word I guess, or a Greek word, I'm not really sure, that means to hide. So first you encrypt your message, then you decrypt your message with the ciphertext and the decryption key, which is most of the time the same as the encryption key, and then we're talking about symmetric key cryptography. So you use the decryption key and the message along with the decryption algorithm and you get the same message on the other side. So basically it's like a password; it's password protection for messages, and that's a fancy way to say that, and that is cryptography.

So let us go into the history of cryptography now. Let me give you a brief history of cryptography. Cryptography actually goes back several thousand years. Shortly after people began finding ways to communicate, there were some of us who were finding ways to make the understanding of that communication difficult, so that other people couldn't understand what was going on, and this led to the development of the Caesar cipher, that was developed by Julius Caesar. It's a simple rotation cipher, and by that I mean that you rotate a portion of the key in order to generate the algorithm. So here's an example: we've got two rows of letters that are in alphabetical order, which means we've basically written the alphabet down, and the second row is shifted by three letters. So a B is a Z, actually, because if you move that way, a B is a Z: from the first row it gets shifted back to the second row, and then the letter D becomes a letter C. So that's an example of how encryption works. If you try to encrypt a word like "hello", it would look completely gibberish after it came out of the algorithm. So if you count the letters out, you can see that the letter H can be translated to, let's say, a letter L. So that's a Caesar cipher. Now you must have heard of things like ROT13, which means that you rotate by 13 letters instead of three letters; that's what we can do here again, and this is just a simple rotation cipher, or shift cipher. That's what, of course, the ROT stands for: rotate or rotation.
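The rotation cipher just described, as an added Go example (not the instructor's code): one Rotate function covers Caesar (shift 3) and ROT13 (shift 13), keeps case and leaves non-letters alone, and a BruteForce function lists all 25 possible keys, which is the whole reason a rotation cipher hides nothing today. The sample strings are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Rotate shifts every ASCII letter of s forward by shift positions, wrapping
// around the alphabet. Case is preserved and anything that is not a letter
// passes through unchanged. Shift 3 is the Caesar cipher, 13 is ROT13.
func Rotate(s string, shift int) string {
	shift = ((shift % 26) + 26) % 26 // normalise negative and large shifts
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(shift))%26)
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(shift))%26)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// Decrypt undoes Rotate with the same shift by rotating backwards.
func Decrypt(s string, shift int) string { return Rotate(s, -shift) }

// BruteForce returns the candidate plaintext for each of the 25 non-trivial
// keys: the entire key space fits on one screen, so an attacker needs no
// key at all, only a glance at which candidate reads as language.
func BruteForce(ct string) map[int]string {
	out := make(map[int]string, 25)
	for k := 1; k < 26; k++ {
		out[k] = Decrypt(ct, k)
	}
	return out
}

func main() {
	ct := Rotate("hello", 3) // constructed sample plaintext
	fmt.Println("Caesar:", ct, "->", Decrypt(ct, 3))
	// ROT13 applied twice is the identity, so it is its own inverse.
	fmt.Println("ROT13 twice:", Rotate(Rotate("Attack at dawn!", 13), 13))
	for k := 1; k < 26; k++ {
		fmt.Printf("key %2d: %s\n", k, Decrypt(ct, k))
	}
}
```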
Now, coming forward a couple thousand years, we have the Enigma cipher. It's important to note that Enigma is not the word given to this particular cipher by the people who developed it; it's actually the word given to it by the people who were trying to crack it. The Enigma cipher is a German cipher. They developed this cipher and a machine that was capable of encrypting and decrypting messages, so they could get messages to and from different battlefields and war fronts, which is similar to the Caesar cipher: Caesar used it to communicate with his battlefield generals, and the same thing with the Germans. You've got to get messages from headquarters down to where the people are actually fighting, and you don't want them to get intercepted in between by the enemy, so therefore you use encryption. And lots of energy was spent by the Allies, and in particular the British, trying to decrypt the messages. It's one of the first instances that we are aware of where a machine was used to do the actual encryption.

And we're going to come ahead a few decades now, into the 1970s, where it was felt that there was a need for a digital encryption standard. Now the National Institute of Standards and Technology is responsible for that sort of thing, so they put out a proposal for this digital encryption standard and an encryption algorithm. What ended up happening was IBM came up with this encryption algorithm that was based on the Lucifer cipher, that was one their people had been working on a couple of years previously, in 1974, and they put this proposal together based on the Lucifer cipher, and in 1977 that proposal for an encryption algorithm was the one that was chosen to be the digital encryption standard, and so that came to be known as DES. Over time it became apparent that there was a problem with this, and that was it only had a 56-bit key size, and while in the 1970s that was considered adequate to defend against brute-forcing and breaking of code, by the 1990s it was no longer considered adequate and there was a need for something more. It took time to develop something that would last for some long period of time, and so in the meantime a stopgap was developed, and this stopgap is what we call Triple DES. The reason it's called Triple DES is you apply the DES algorithm three times in different ways, and you use three different keys in order to do that.

So here's how Triple DES works: your first 56-bit key is used to encrypt the plaintext, just like you would do with the standard digital encryption standard algorithm. Where it changes is that you take the ciphertext that's returned from the first round of encryption and you apply the decryption algorithm to the ciphertext. However, the key thing to note is that you don't use the key that you used to encrypt; you don't use the first key to decrypt it, because otherwise you'll get the plaintext back. So what you do is you use a second key with the decryption algorithm against the ciphertext from the first round. So now you've got some ciphertext that has been encrypted with one key and decrypted with a second key, and we take the ciphertext from that and we apply a third key, using the encryption portion of the algorithm, to that ciphertext to receive a whole new set of ciphertext. Obviously, to do the decryption you take the third key and decrypt it, with the second key you encrypt it, and then with the first key you decrypt it, and so you do the reverse order and the reverse algorithm at each step to apply Triple DES. So we get an effective key size of about 168 bits, but it's still only 56 bits at a time.

Now I said Triple DES was only a stopgap; what we were really looking for was the Advanced Encryption Standard. Once again NIST requested proposals so that they could replace the digital encryption standard, and in 2001, after several rounds of looking for algorithms and looking them over, getting them evaluated and getting them looked into, NIST selected an algorithm. It was put together by a couple of mathematicians; the algorithm was called Rijndael, and that became the Advanced Encryption Standard, or AES. One of the main advantages of AES is it supports multiple key lengths. Currently what you'll typically see is that we are using 128-bit keys; however, AES supports up to 256-bit keys, so if we get to the point where 128 bits isn't enough, we can move all the way up to 256 bits of keying material. So cryptography has a really long history. Currently we are in a state where we have a reasonably stable encryption standard in AES, but the history of cryptography shows that with every set of encryption, eventually people find a way to crack it.
Okay, so that was a brief history of cryptography. Now what I want to do is go over and talk about AES, Triple DES and DES in themselves, because they are some really key cryptography moments in history, because there are some really key historic moments in the history of cryptography. Now we're going to talk about the different types of cryptographic ciphers, and primarily we're going to be talking about DES, Triple DES and AES. DES is the digital encryption standard. It was developed by IBM in the 1970s, and originally it was a cryptographic cipher named Lucifer, and after some modifications IBM proposed it as the digital encryption standard, and it was selected as the digital encryption standard; ever since then it's been known as DES. Now one thing that caused a little bit of controversy was, during the process of selection, the NSA requested some changes, and it hasn't been particularly clear what changes were requested by the NSA. There has been some speculation that wondered if the NSA was requesting a backdoor into this digital encryption standard, which would allow them to look at encrypted messages in the clear; so basically it would always give the NSA the ability to decrypt DES-encrypted messages. It remained the encryption standard for the next couple of decades or so.

So what is DES and how does it work? Basically it uses 56-bit keys; rather than a stream cipher it's a block cipher, and it uses 64-bit blocks. And in 1998 DES was effectively broken, when a DES-encrypted message was cracked in three days; a year later a network of 10,000 systems around the world cracked a DES-encrypted message in less than a day, and it's just gotten worse since then, with modern computing power being what it is. Since DES was actually created, we have already come to the realization that we needed something else.

So along came Triple DES. Now Triple DES isn't three times the strength of DES, necessarily; it applies DES just three times. And what I mean by that is what we do is we take a plaintext message, let's call that P, and we're going to use a key called K1, and we're going to use that key to encrypt the message, and that's going to result in the ciphertext, and we will call that C1. So C1 is the output of the first round of encryption. We're going to apply a second key, and we'll call that K2, and with that second key we're going to go through a decryption process on C1. Since it's the wrong key, we are not going to get plaintext out on the other end; what we are going to get is another round of ciphertext, and we will call that C2. With C2 we are going to apply a third key, and we will call this K3, and we're going to encrypt ciphertext C2, and that's going to result in another round of ciphertext, and we will call that C3. So we have three different keys applied in two different ways: with key 1 and key 3 we do a round of encryption, and with key 2 we do a round of decryption, so it's an encrypt-decrypt-encrypt process with separate keys. While that doesn't really yield a full 168-bit key size, the three rounds of encryption use an effective key size of 168 bits, because you have to find three 56-bit keys. So, speaking of that technical detail for Triple DES, we are still using the DES block cipher with 56-bit keys, but since we've got three different keys we get an effective length of around 168 bits.

Triple DES was surely just a stopgap measure; we knew that if DES could be broken, Triple DES would surely be broken with just some more time, I guess. And so NIST was trying to request a standard; that was in 1999, and in 2001 NIST published an algorithm that was called AES. So this algorithm that was originally called Rijndael was published by NIST as the Advanced Encryption Standard. Some technical specifications about AES: the original Rijndael algorithm specified variable block sizes and key lengths, and as long as those block sizes and key lengths were multiples of 32 bits, so 32, 64, 96 and so on, you could use those block sizes and key lengths. When AES was published, it specified a fixed 128-bit block size and key lengths of 128, 192 and 256 bits. So we've got, with AES, three different key lengths but one block size, and that was a little bit of detail about DES, Triple DES and AES. We'll use some of these in doing some hands-on work in the subsequent part of this video. Okay, so now that I've given you
a brief history of how we have reached the encryption standards that we are following today, that is the Advanced Encryption Standard, let's go ahead and talk a little bit more about DES, Triple DES and AES. So DES is the digital encryption standard. It was developed by IBM in the 1970s, and originally it was a cryptographic cipher called Lucifer, and after some modifications IBM proposed it as the digital encryption standard. It was selected to be the digital encryption standard, and ever since then it's been known as DES. One thing that caused a little bit of controversy was, during the process of selection, the NSA requested some changes, and it hasn't been particularly clear what changes were requested by the NSA. There has been some sort of speculation that wondered if the NSA was requesting a backdoor into this digital encryption standard, which would allow them to look at encrypted messages in the clear; so basically it would always give the NSA the ability to decrypt DES-encrypted messages. It remained the encryption standard for the next couple of decades or so. Now DES remained the digital standard for encryption for the next couple of decades, so what does it do and how does it work? Basically it uses a 56-bit key; rather than a stream cipher it's a block cipher, and it uses 64-bit blocks. And in 1998, if you know, DES was effectively broken when a DES-encrypted message was cracked in three days, and then a year later a network of 10,000 systems around the world cracked a DES-encrypted message in less than a day, and it's just gotten worse since then with modern computing being what it is today.

Now, since DES was created and broken, we knew we needed something, and what came in between the Advanced Encryption Standard and DES is Triple DES. Triple DES isn't three times the strength of DES necessarily; it's really DES applied three times. And what I mean by that is we take a plaintext message, let's call that P, and we are going to use a key called K1, and we're going to use that key to encrypt the message, and that's going to result in ciphertext 1, so we call that C1. Now C1 is the output of the first round of encryption, and we're going to apply a second key called K2, and with that second key we are going to go through a decryption process on C1. Since it's the wrong key, we are not going to get the plaintext out of the decryption process on the other end; we are going to get another round of ciphertext, and we're going to call that C2. Now with C2 we are going to apply a third key, and we are going to call that K3, and we're going to encrypt ciphertext C2, and that's going to result in ciphertext C3. So we have three different keys applied in two different ways: with key 1 and key 3 we do a round of encryption, with key 2 we do a round of decryption, so it's basically an encrypt-decrypt-encrypt process with three separate keys. But what it does really is it doesn't really yield a 168-bit key size, because in effectiveness it's basically 56-bit keys that are being used thrice, with three different keys. So in effectiveness you could say that it's a 168-bit key, but it is not the same strength, because people realized that Triple DES can be easily broken: if DES is broken, you can do the same thing three different ways, whatever key you use. So it just takes a long time to decrypt if you don't know the three keys, and if you are just using a brute force attack, you know that Triple DES can be broken if DES can be broken. So Triple DES was literally a stopgap between DES and AES, because people knew that we needed something more than Triple DES, and for this NIST, or the National Institute of Standards and Technology, in 2001 chose AES as the algorithm that is now called the Advanced Encryption Standard. It was originally called the Rijndael algorithm, and the main thing about the Rijndael algorithm and the Advanced Encryption Standard algorithm is that the Rijndael algorithm specifically states in its papers that it has a variable block size and a variable key size, as long as they are in multiples of 32, so 32, 64, 96, like that. But what AES does differently is that it gives you one block size, that is 128 bits, and gives you three different key sizes, that is 128, 192 and 256. So with AES: three different key lengths but one block size. Okay, so that was a little bit more information on AES, DES and Triple DES, and we are going to be using this information in some subsequent lessons.
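The encrypt-decrypt-encrypt chain described in the history section and again in the two DES/Triple DES/AES passages above, as an added Go example (not the instructor's code) built from the standard library's single-DES cipher: EDE computes C3 = E_K3(D_K2(E_K1(P))) one step at a time, DED reverses the order and the operation at each step, the result is checked against Go's own Triple DES, and the last check shows why K2 must not equal K1: with the same key, the middle step simply undoes round one and the whole thing collapses to plain DES. The 8-byte keys and block are constructed values.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// mustDES returns a single-DES block cipher for an 8-byte (56-bit) key.
func mustDES(key []byte) cipher.Block {
	blk, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// EDE encrypts one 8-byte block the Triple DES way: C1 = E_K1(P),
// C2 = D_K2(C1), C3 = E_K3(C2). The middle step is a decryption under a
// key that is deliberately not K1, so it scrambles rather than undoes.
func EDE(k1, k2, k3, p []byte) []byte {
	c := make([]byte, des.BlockSize)
	mustDES(k1).Encrypt(c, p) // round 1: encrypt with K1 -> C1
	mustDES(k2).Decrypt(c, c) // round 2: decrypt with K2 -> C2 (not plaintext)
	mustDES(k3).Encrypt(c, c) // round 3: encrypt with K3 -> C3
	return c
}

// DED decrypts by applying the reverse operation in reverse order:
// P = D_K1(E_K2(D_K3(C3))).
func DED(k1, k2, k3, c []byte) []byte {
	p := make([]byte, des.BlockSize)
	mustDES(k3).Decrypt(p, c)
	mustDES(k2).Encrypt(p, p)
	mustDES(k1).Decrypt(p, p)
	return p
}

// SingleDES encrypts one block with plain DES, for comparison.
func SingleDES(k, p []byte) []byte {
	c := make([]byte, des.BlockSize)
	mustDES(k).Encrypt(c, p)
	return c
}

// Library runs Go's own Triple DES on the 24-byte key K1||K2||K3 so the
// hand-built chain can be checked against a reference implementation.
func Library(k1, k2, k3, p []byte) []byte {
	key := append(append(append([]byte{}, k1...), k2...), k3...)
	blk, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	c := make([]byte, des.BlockSize)
	blk.Encrypt(c, p)
	return c
}

func main() {
	// Constructed 8-byte keys and one 8-byte block (DES has 64-bit blocks).
	k1, k2, k3 := []byte("K1-key!!"), []byte("K2-key!!"), []byte("K3-key!!")
	p := []byte("8 bytes!")
	c := EDE(k1, k2, k3, p)
	fmt.Printf("3DES ciphertext   : %x\n", c)
	fmt.Printf("matches crypto/des: %v\n", bytes.Equal(c, Library(k1, k2, k3, p)))
	fmt.Printf("round trip        : %q\n", DED(k1, k2, k3, c))
	// With K2 == K1 the decrypt step undoes round 1, leaving E_K3(P) only.
	fmt.Printf("K2 == K1 is plain DES: %v\n", bytes.Equal(EDE(k1, k1, k3, p), SingleDES(k3, p)))
}
```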
Okay, now moving on. So now that we've discussed the history of cryptography and the more important cryptographic algorithms, let's discuss the different types of cryptography. The first type I'm going to talk about is symmetric cryptography, and by symmetric I mean that the key is the same for encrypting and decrypting: I use the same key whether I am encrypting the data or decrypting it. One of the things about symmetric key cryptography is that it uses a shorter key length than asymmetric cryptography, which I'll get into in a couple of minutes, and it is also much faster than asymmetric. Algorithms like DES and AES are both symmetric key algorithms, and you can use a utility like AES Crypt to try them out. Let me just demonstrate how symmetric key cryptography works.

For this we can use a tool called AES Crypt (the command is aescrypt). It is available for Linux, Windows and Mac; I'm using the console version on Windows. First of all I have a text file called text.txt, and as you can see it contains the sentence "the quick brown fox jumped over the lazy dog", which is the pangram that uses every letter of the English alphabet. Now we are going to encrypt it. We could use AES or DES, as both are symmetric key algorithms, but AES Crypt, as the name says, uses AES. We run aescrypt with the encrypt flag, give it a password, let's say Pokemon, and point it at text.txt:

aescrypt -e -p Pokemon text.txt

Now we have encrypted the file. If we list the directory there is a new file called text.txt.aes; that is our encrypted file, and that is what we would send over the network if we were sending it to anybody. Let's assume the person who receives it also knows our encryption algorithm and the key (the password) that goes along with it, which has to be agreed over some other channel; anyone who has that password can decrypt, and can also produce new encrypted files, which is the main limitation of symmetric cryptography. One practical caveat: giving the password with -p puts it in your shell history and in the process list while the command runs, so for real use leave -p out and let aescrypt prompt for it.

Before I decrypt it, let me show you what the encrypted message looks like. If you type text.txt.aes in the Windows console you can't really read the output, and if you open the file in Notepad++ you'll see that it's a bunch of garbage; you can't make out anything of what's in there, and that's the point of using encryption. To decrypt it, you run aescrypt with the decrypt flag and the same password:

aescrypt -d -p Pokemon text.txt.aes

And that decrypts our message for us. So this is how you would use AES Crypt for encryption and decryption, and that's how you would use symmetric key encryption to encrypt a file, for this example.
Symmetric key algorithms are either stream ciphers or block ciphers. The difference is that a block cipher takes a fixed-length block of bits at a time, for example 64 bits for DES or 128 bits for AES. If I were to use a block cipher with a 64-bit block, I would need 64 bits of input before I could start encrypting, and if the last piece of data didn't fill a block I would have to add padding to bring it up to 64 bits (and the decrypting side has to know how to strip that padding again). A stream cipher, on the other hand, encrypts a bit or a byte at a time, typically by XORing the data with a keystream, so it doesn't matter how many bits you've got; you don't need some multiple of the block length in order to encrypt without padding. In practice the line is blurred by modes of operation: running AES in counter mode (CTR) or in GCM turns the block cipher into a keystream generator and no padding is needed, while the older CBC mode does need padding.
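Here is what that padding step looks like in code. This is an added example written for this page in Python, not a tool or script from the lesson; it implements PKCS#7 padding, the scheme CBC-mode AES and DES use, for a block size given in bytes (8 for DES, 16 for AES). The pangram used as sample input is the one from the lesson.

```python
# Added example: PKCS#7 padding for a block cipher (8-byte DES block or
# 16-byte AES block). This is illustration code, not part of the lesson.

def pkcs7_pad(data: bytes, block_size: int) -> bytes:
    """Pad to a multiple of block_size.

    At least one byte is always added: if the input already fills the last
    block, a whole extra block of padding goes on. That is what makes
    unpadding unambiguous (the last byte always says how much to strip).
    """
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be between 1 and 255 bytes")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int) -> bytes:
    """Strip PKCS#7 padding, rejecting anything malformed.

    A decryptor that reports *why* padding is bad, or that takes a different
    amount of time for bad padding, leaks a padding oracle; real code should
    authenticate the ciphertext before ever reaching this point.
    """
    if len(data) == 0 or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if n < 1 or n > block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data: bytes, block_size: int):
    """Cut padded data into the fixed-size blocks a block cipher consumes."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def pad_report(data: bytes, block_size: int):
    """Return (original length, padded length, number of blocks)."""
    padded = pkcs7_pad(data, block_size)
    return len(data), len(padded), len(split_blocks(padded, block_size))


if __name__ == "__main__":
    msg = b"the quick brown fox jumped over the lazy dog"
    for bs in (8, 16):
        print(f"block size {bs}: original/padded/blocks = {pad_report(msg, bs)}")
    print(pkcs7_unpad(pkcs7_pad(msg, 16), 16) == msg)
```

The full-block-of-padding rule is the part people most often get wrong when they write their own unpad: without it, a message that happens to end in the byte 0x01 could not be distinguished from a padded one.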
Another type of cryptography is asymmetric. Asymmetric, as you would expect, uses two different keys, and that's where we get a public key and a private key. Compared with symmetric cryptography, asymmetric key cryptography uses much longer keys, needs a lot more computation, and so the encryption process is slower than with symmetric key encryption. One use for asymmetric keys is signing documents or emails, for example, where I use the private key to sign something and anyone with the public key can verify the signature. Another reason for using asymmetric encryption is to ensure that you got a message from who actually sent it: since the private key never leaves its owner, a valid signature tells you who the other end of the conversation is. With a symmetric key, since it's just one key, anyone who can intercept the key can decrypt and also encrypt messages, so if somebody figures out the key they can break into a communication stream that uses symmetric key encryption. Asymmetric gives you the advantage of ensuring that the other end is who they say they are, since they're the only ones who should have the private key.

In practice, however, hybrid encryption models tend to be used: you encrypt the message itself with a symmetric algorithm, using a fresh random session key, and you use asymmetric encryption to protect that session key when you exchange it with the other party. The asymmetric step is the slow one, and with RSA it can only handle a message smaller than the key itself, so you wouldn't want to use it directly on large files. Fortunately the file example that I have is a small one, so I'm going to generate a key pair right now. For this we head over to our Ubuntu system; OpenSSL is a Unix-style tool, so you will want a Unix system for this part.

First of all let's create a text file called text.txt with some text in it. gedit was giving a warning on this box, so I'll just use echo instead, and then check what's in the file:

echo "this is a random txt file" > text.txt
cat text.txt

Now what we want to do is create a key pair, starting with the private key. I'm going to use OpenSSL for this. We use genrsa to generate an RSA key, -des3 so that the key file is protected with a passphrase, -out to write it into a file called private.key, and 4096 for the key size in bits:

openssl genrsa -des3 -out private.key 4096

It asks for a passphrase, since you can protect your keys with a passphrase; I'm just going to use my name. Now if we ls we have private.key. Using this private key we are going to derive the public key, again with OpenSSL: the rsa subcommand takes the private key after -in, -pubout tells it to write out the public half, and -out names the output file (if you forget -out it just prints the key to the terminal):

openssl rsa -in private.key -pubout -out public.key

It asks for my passphrase, writes the RSA key, and since the password was correct we now have a public key too. If you ls now we have a public key and a private key. Now we encrypt our file using the public key, with the rsautl utility: -encrypt, -pubin because the key we pass with -inkey is a public key, -in for text.txt as the file to be encrypted, and -out for the encrypted output:

openssl rsautl -encrypt -pubin -inkey public.key -in text.txt -out encrypted.txt

Now we have an encrypted file. If we ls we see encrypted.txt, and if we cat it we see it's a bunch of garbage that we really can't read unless we decrypt it. For decrypting we again use openssl and the rsautl utility, this time with the -decrypt flag, -inkey pointing at the private key, encrypted.txt as the input, and let's say plaintext.txt as the output:

openssl rsautl -decrypt -inkey private.key -in encrypted.txt -out plaintext.txt

It asks me for my passphrase, which is my name, and now we have plaintext.txt alongside text.txt. If we cat plaintext.txt we see "this is a random txt file", and if we scroll up, the encrypted version was a bunch of garbage and before that it was the readable text file. You can also run

diff plaintext.txt text.txt

which shows you any difference between the two files; it prints nothing and exits with status 0, so both files are the same. Two caveats for when you do this yourself: rsautl is deprecated in OpenSSL 3 in favour of openssl pkeyutl, which takes largely the same flags for this use, and RSA with the default PKCS#1 padding can only encrypt a few hundred bytes with a 4096-bit key, which is exactly why real systems use the hybrid approach. And that's how public key cryptography works, alongside how symmetric key cryptography works. Okay.
Now, moving ahead in cryptography, let's talk about digital certificates. So what is a digital certificate? A digital certificate is an electronic credential that allows a person or organization to exchange data securely over the internet using public key infrastructure: it binds a public key to the identity of its owner, and that binding is signed by an issuer. A digital certificate is also known as a public key certificate or an identity certificate. Digital certificates are the means by which consumers and businesses make use of public key infrastructure, and PKI comprises the technology that enables and secures e-commerce and internet-based communication.

So what kind of security does a certificate provide? Firstly it provides identification and authentication: the person or entity we are communicating with really is who they say they are, and that is what the certificate proves. Then we have confidentiality: the information within a message or transaction is kept confidential, and may only be read and understood by the intended recipient, because the public key in the certificate lets you set up an encrypted session with its owner. Then there's integrity, the message cannot be altered without that being detected, and there's non-repudiation: the sender cannot deny sending a message or transaction, and I'll explain how non-repudiation comes into digital certificates in a moment. Digital certificates are issued by certificate authorities, businesses that make it their business to verify and certify people and organizations. You can see these in Google Chrome: if I open Chrome, click the padlock and go into the certificate, you can look at the issuer statement and all sorts of details, and you can see this site's certificate is issued by Let's Encrypt Authority X3, which is an issuing authority for digital certificates.

Now that was all the theory of certificates; let's see how you can create one. To create a digital certificate we are going to use the OpenSSL tool again. Let me clear the screen. In this case I'm going to generate a certificate authority certificate, so I'm making an RSA key here to use inside the certificate. First of all I need to generate a private key, and as I just showed you, we can use openssl genrsa with -des3, -out to name the file, let's call it ca.key, and 4096 bits:

openssl genrsa -des3 -out ca.key 4096

So I'm generating a private key, and that private key is the basis of the certificate: the certificate carries the matching public key. The public and private keys are mathematically linked, because you need one at one end of the communication and the other at the other end, and they have to be linked so that data encrypted with one key can be decrypted with the other. It asks for a passphrase, and I'm giving my name as the passphrase. That has generated the key for us.

Now I'm going to generate the certificate itself, using the openssl req subcommand: -new for a new request, -x509 so that instead of a certificate signing request it outputs a self-signed X.509 certificate (that is what makes it a CA-style certificate), -days 365 so it's valid for 365 days, -key ca.key for the key, and -out to write it into edureka.crt, since this is a certificate I'm pretending to make for the company I'm working for, Edureka:

openssl req -new -x509 -days 365 -key ca.key -out edureka.crt

The first time I ran this it said "unable to load private key", because a leftover key from earlier had a different filename from the one I passed to -key; once the name matched it worked. It asks for the passphrase, which is my name, and then it asks for a bunch of information that's going to be inside the certificate: the country name, the state or province name, let's put Bangalore, the locality, let's say Whitefield, the organization name, Edureka, the organizational unit, Brain4ce, and the common name and email address, which I'll leave blank here. (For a real server certificate you would not leave the common name blank; the name the certificate is for has to match the host name the browser connects to, or the browser will reject it.) And we have our certificate: if you list your files you will see edureka.crt highlighted.

If you want to view this file you can again use OpenSSL: you say you want to read an X.509 certificate, you want it as text, and the file you want to see is edureka.crt:

openssl x509 -in edureka.crt -text -noout

So that is the certificate. You see that it has the signature, the signature algorithm, all the information about the certificate, and the issuer, which here is the same as the subject because it is self-signed: country IN, state Bangalore, locality Whitefield, organization Edureka, unit Brain4ce. So that was all about digital certificates, who issues them and where they are useful. Now about non-repudiation: the certificate itself only ever contains the public key; the private key stays with the company and is never included in anything you publish. Anything signed with that private key, or any TLS session set up with it, can therefore be tied back to the holder of the certificate. If a website presents this certificate and turns out to be malicious and there's a complaint, the operator can't go to a court of law and say they knew nothing about it, because only they were supposed to have the private key that goes with it. That is non-repudiation: you can't deny that you did it. Okay, so that was all about certificates.
Moving on, we are going to talk about cryptographic hashing. Now, while the word cryptography is in the term cryptographic hashing, and it does lead you to believe that there is encryption involved, there is no encryption involved in a cryptographic hash. There is a significant difference between hashing and any sort of encryption, and that is primarily that encryption is a two-way process: when I encrypt a piece of data or a file or anything else, what I'm doing is putting it into a state where I expect to be able to get it back out again; in other words, when I encrypt a file I expect to be able to decrypt the file and get the original contents. Hashing, on the other hand, is a one-way function: once I've hashed a piece of data or a file there is no expectation and no ability to get the original data back. Hashing generates a fixed-length value, and different hash algorithms generate different lengths: for example MD5 generates a 128-bit value while SHA-1 generates a 160-bit value (and SHA-256 a 256-bit one); they're all hashing algorithms, but they generate different length values. The resulting value from a hash function should have no detectable relation to the original piece of data, and changing one bit of the input changes the whole output. As a matter of fact, if two different inputs generate the same hash value it's called a collision, and if you can generate collisions at will you may get to a point where you can craft a piece of data that produces the same hash value as some other piece, and that means the particular hashing algorithm you are using is broken; that has happened to both MD5 and SHA-1, which is why new designs use SHA-256 or better.

So what can we use hashes for? One thing is file integrity: we can run a hash on a file and get a value back, and later we can check the value again to make sure it's the same; if it's the same I can be sure that the same file was hashed in both instances. Let me show you an example of what I just said, that if we hash a file we get the same hash every time. Remember the certificate that we just created; let me log in again. We are going to hash this certificate, and we are going to see that every time we hash it we get the same hash. We can use the command md5sum on edureka.crt:

md5sum edureka.crt

This is the hash produced after you've hashed edureka.crt. If I run md5sum on edureka.crt again it produces the identical hash. (MD5 is a hashing algorithm you should know of, even though you shouldn't use it for anything new.) SHA-1 looks like this, using sha1sum, which like md5sum comes from the coreutils package:

sha1sum edureka.crt

So I've proved my point: with MD5, which is a cryptographic hashing algorithm, we are getting the same hash back every time. Note that this is expected, not a weakness; what would break the algorithm is getting the same hash back from two different inputs. If you run Linux you have md5sum, and you can get an equivalent on Windows and on Mac OS, where the utility md5 does the same thing. So I just showed you the file and I hashed it.

Another reason we use hashing is for storing passwords. Passwords are stored after hashing; we hash the passwords, and the reason for hashing passwords is so you're not storing the passwords in clear text, which would be easily read even if you have the file protected with permissions. If I hash a password, every time I hash that password I'm going to get the same value back from the same algorithm, so what I do is store the hash in some sort of password database, and since it's a one-way function you can't get the password back directly from the hash. Now, what most password cracking programs do is some variation of this: you generate hashes from a list of words and look for a hash value that matches the one in the password database, and once you get a match you know what the password is. And here we come back to the idea of collisions: if I can take two different strings of characters and get the same hash value back, it's easier to crack the password because I don't necessarily need the actual password. If the hash that I get from some string of data is the same as the hash of the original password, then it doesn't matter whether I know the password, because the string I put in is going to generate the same hash value that gets compared when you log in, the check will say it is valid, and I'll be able to log in. So suppose the password that you chose while making your account is "dog", and "dog" produces some hash value; if I run hashcat with the same algorithm and the algorithm was prone to collisions, then some other word, say "cat", might produce that same hash value, and with the password "cat" I could open up your account. In practice crackers don't rely on collisions at all: they simply guess "dog" from a wordlist, because an unsalted fast hash like MD5 can be tested billions of times per second. That is why a password store should add a random salt per user and use a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2. So that was all about hashing and hashing algorithms.
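The following is an added example written for this page in Python, not a script from the lesson, covering both things just described: hashing the same data twice for an integrity check, and the dictionary attack a cracker runs against a password database, first against plain unsalted MD5 and then against a salted PBKDF2 record. The sample "file" is a constructed byte string rather than the edureka.crt from the demo, the wordlist is made up, and the iteration count is an assumed value chosen to keep the example fast.

```python
import hashlib
import hmac
import os

# Added example, not from the lesson: file integrity hashing and why password
# stores need a per-user salt and a slow key derivation function.

# Constructed stand-in for the certificate file hashed in the lesson.
SAMPLE_FILE = b"-----BEGIN CERTIFICATE-----\nconstructed sample, not a real cert\n-----END CERTIFICATE-----\n"
ITERATIONS = 100_000   # assumed PBKDF2 work factor for the example


def digests(data: bytes) -> dict:
    """Same input -> same digest every time; output length depends on the algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def integrity_ok(data: bytes, expected_sha256: str) -> bool:
    """Recompute the digest and compare in constant time (no timing side channel)."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_sha256)


# --- the weak way: unsalted, fast hash -------------------------------------
def store_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(stored: str, wordlist):
    """Dictionary attack: hash every guess and compare, as hashcat would."""
    for guess in wordlist:
        if hashlib.md5(guess.encode()).hexdigest() == stored:
            return guess
    return None


# --- the right way: random salt per user plus a slow KDF --------------------
def store_pbkdf2(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(record: str, wordlist):
    """Same attack; still works for a weak password, but every guess now costs
    ITERATIONS hashes and the salt rules out precomputed tables."""
    for guess in wordlist:
        if verify_pbkdf2(guess, record):
            return guess
    return None


def demo() -> dict:
    first, second = digests(SAMPLE_FILE), digests(SAMPLE_FILE)
    rec_md5, rec_pbkdf2 = store_md5("dog"), store_pbkdf2("dog")
    wordlist = ["cat", "password", "dog"]        # constructed wordlist
    return {
        "deterministic": first == second,
        "lengths": {name: len(value) for name, value in first.items()},
        "md5_cracked": crack_md5(rec_md5, wordlist),
        "pbkdf2_cracked": crack_pbkdf2(rec_pbkdf2, wordlist),
        "unsalted_records_equal": store_md5("dog") == rec_md5,
        "salted_records_equal": store_pbkdf2("dog") == rec_pbkdf2,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to notice in the output: the two PBKDF2 records for the same password differ, so an attacker cannot spot shared passwords or reuse work across users, and the slow KDF does not save a password as weak as "dog", it only makes each guess expensive. Salting and stretching buy time; password quality still matters.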
Let's move on. Okay, so in this part of the video we are going to go over SSL and TLS. Now SSL and TLS are ways of doing encryption, and they were developed in order to do encryption between web servers and clients, that is browsers. SSL was originally developed by a company called Netscape, and if you don't remember Netscape, they eventually released their source code, which became the Mozilla project, where we get Firefox from. Back in 1995 Netscape released version 2 of SSL; there was a version 1, but nothing was ever done with it publicly. So we got to version 2 of SSL, and that was used for encryption of web transmissions between the server and the browser. SSL version 2 had a whole number of flaws, the type of flaws that can lead to decryption of messages without actually having the correct keys and without being the right endpoints, and so Netscape released SSL version 3 in 1996. SSL 3.0 was better than 2.0, but it still had some issues (the POODLE attack in 2014 finally killed it), and so in 1999 we ended up with TLS 1.0, standardized by the IETF. Now SSL is Secure Sockets Layer and TLS is Transport Layer Security; they both accomplish the same sort of thing, and they're designed primarily for doing encryption between web servers and web browsers, because we want to be able to encrypt that type of traffic.

Let me show you what that kind of traffic looks like. First of all let me open Wireshark, and out here I already have a TLS capture ready for you, so you can see we have all sorts of TLS data: here is my source address and the destination is the server's address, and you can see a Client Key Exchange, a Change Cipher Spec and an Encrypted Handshake Message, and then we start getting Application Data. There are some other steps involved here, and you're not seeing all of them in this particular Wireshark capture, because we get fragmented packets and at some point it starts getting encrypted and you can't see it anyway, since Wireshark, without having the key, can't decrypt those messages. But what ends up happening is the client sends a Client Hello and the server responds with a Server Hello, and they exchange information as part of that, including the protocol versions supported and a random number from each side, and the client sends out the list of cipher suites it supports, in order of preference, and the server picks one from that list. Then we do the key exchange, then the Change Cipher Spec from the client and the server, and eventually each side sends a Finished message, and at that point we've got encrypted communication going on. So there's this handshake that goes on between the two systems, and there are a number of different types of handshakes depending on the type of endpoints that you've got, but that's the type of communication that goes on between the server and the client.

One important thing about using SSL and TLS is, as I mentioned, that some of the earlier versions had vulnerabilities in them, and you want to make sure that your servers aren't actually running those, so you want to run some scans to figure out the protocol versions and ciphers that different systems support. For this we can use something called sslscan. It is packaged for Linux distributions, Kali included, and there are Windows builds of it too. Let me just show you how to use it. Clear the screen, then run sslscan against a host, say www.edureka.co:

sslscan www.edureka.co

It goes through and probes all the different ciphers it knows on this system, starting with SSLv3 and going on to TLS version 1, and we could force the scan to try SSLv2 as well. If I scroll back up here, I've got the server's preferred cipher, which is on SSL version 3 using RSA: it's using RSA for the asymmetric part in order to do the key exchange, once we get the session key up we are going to use AES-256, and then we are going to use the Secure Hash Algorithm to do the message authentication, or MAC. That uses something called HMAC, the hashed message authentication code, which is simply a keyed hash over each record that one side checks against the other to make sure the message hasn't been tampered with in transmission (it has nothing to do with hardware MAC addresses). You can see here all the different cipher suites that are available; there's still one around using RC4 at 40 bits with MD5, which would be a pretty vulnerable type of communication to use between server and client: a 40-bit export cipher using RC4 is a low-strength cipher, and we would definitely recommend that clients remove those from the supported ciphers on their server, along with SSLv2 and SSLv3 altogether, and these days TLS 1.0 and 1.1 too. All that configuration is done at the web server, as well as when you generate your key and your certificates.

Normally certificates would be handled by a certificate authority. You can also self-sign certificates and install those in your web server in order to encrypt communications with your clients. The challenge with that is that browsers today warn when they see a certificate from a certificate authority they don't trust, or one that doesn't have any certificate authority at all, so you'll get a warning in your browser indicating there may be a problem with the certificate. If your clients and users are savvy enough you may be able to make use of these self-signed certificates and save yourself some money, but generally it's not recommended, simply because clients get used to clicking through these warnings, and when they run across a real rogue certificate they're going to ignore the browser's warning and just go to a site that could have malicious purposes in mind, and may end up compromising the clients, your customers or your users. So that's SSL and TLS and how they work and negotiate between servers and endpoints.
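The Client Hello is the one handshake message you can always read in a capture, because nothing is encrypted yet, and it is also where a scanner like sslscan gets its information from. The following is an added example written for this page in Python, not code from the lesson or from sslscan: it builds a TLS 1.2 Client Hello record with a Server Name Indication extension, parses it back out the way Wireshark's dissector does, and flags the weak cipher suites the way the sslscan output above does. The record bytes are constructed in the code, nothing touches the network, and the cipher suite table is an assumed subset of the IANA registry, not the whole list.

```python
import struct

# Added example, not from the lesson: build and parse a TLS Client Hello,
# then flag weak cipher suites. Offline; every byte is constructed here.

# Assumed subset of the IANA cipher suite registry, enough for the demo.
SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
WEAK_MARKERS = ("EXPORT", "RC4", "3DES", "_MD5", "NULL", "anon")


def build_client_hello(suites, server_name: str, client_random: bytes = bytes(32)) -> bytes:
    """Return a TLS record (RFC 5246 layout) carrying a ClientHello."""
    body = b"\x03\x03" + client_random                        # client_version TLS 1.2, 32-byte random
    body += b"\x00"                                           # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # one compression method: null
    # server_name extension (RFC 6066): ServerNameList of (name_type 0, length, host_name)
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(record: bytes) -> dict:
    """Dissect the record; raises ValueError if it is not a ClientHello."""
    ctype, record_version, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    client_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    server_name = None
    if pos < len(body):                                       # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == 0:                                    # server_name: list len, name_type, name len, name
                name_len = struct.unpack("!H", data[3:5])[0]
                server_name = data[5:5 + name_len].decode()
    return {"record_version": record_version, "client_version": client_version,
            "random": client_random, "cipher_suites": suites, "server_name": server_name}


def weak_suites(suite_ids) -> list:
    """Names of offered suites a scanner would flag (export, RC4, 3DES, MD5, NULL, anon)."""
    names = [SUITES.get(s, f"UNKNOWN_0x{s:04X}") for s in suite_ids]
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


if __name__ == "__main__":
    offered = [0xC030, 0xC02F, 0x0035, 0x0004, 0x0003]      # constructed client preference list
    hello = parse_client_hello(build_client_hello(offered, "www.edureka.co"))
    print("SNI:", hello["server_name"])
    print("weak:", weak_suites(hello["cipher_suites"]))
```

Note that the record-layer version (0x0301) and the version inside the Client Hello (0x0303) differ; that is normal, and a parser that keys off the outer version alone misreports what the client actually supports. The server name travels in the clear, which is why SNI shows up in firewall logs even though the rest of the session is encrypted.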
Okay, so now that we've talked about TLS and SSL, let's talk about disk encryption. Now, disk encryption is something that was not really difficult to do, but it was sort of out of the reach of normal desktop computers for a really long time. Although there have long been ways to encrypt files, and to a lesser degree entire disks, as we get faster processors, encrypting entire disks and being able to encrypt and decrypt on the fly without noticeably affecting performance is something that has come within reach, and it's a feature that shows up in most modern operating systems to one degree or another. We are going to look at a couple of ways of doing disk encryption; I can't really show you either of them live. With Microsoft Windows there is a program called BitLocker. BitLocker needs a business edition of Windows (Ultimate or Enterprise on Windows 7; Pro, Enterprise or Education on current Windows), and I don't happen to have one, so I can't show it to you, but I can tell you that BitLocker does full-disk encryption and uses AES as the encryption cipher. The thing about BitLocker is that it uses a feature that comes with most modern systems, particularly laptops: a chip called the Trusted Platform Module, or TPM. The TPM stores and seals the keys that allow the operating system to unlock the disk for this encryption and decryption process, and only releases them if the boot chain measures as expected. So they use a pretty strong cipher, AES, but you have to be on one of a couple of specific editions of Windows in order to use BitLocker, and since those are the editions you would normally run in an enterprise, that's why it's included in the Enterprise edition.

On the Mac OS side they have FileVault, which you'll find in System Preferences under Security & Privacy. If you see the button that says Turn On FileVault you can turn it on, it will ask you about setting up the recovery key, and it works similarly to Windows BitLocker. PGP also used to sell a whole-disk encryption product. On Linux, an Ubuntu system for instance, the standard mechanism is dm-crypt with LUKS, managed with cryptsetup, and there are graphical front ends that help you create, map and mount an encrypted volume, so I could use one of those to set up encryption of the volumes on my system. Disk encryption is a really good idea, because when you are working with clients the data is normally very sensitive, so as I mentioned you can always use things like BitLocker, FileVault or other such software for disk encryption. So what I mentioned before is now not only possible, it's very much reality with current operating systems. Now let's talk about scanning.
Now, scanning refers to the use of computer networks to gather information regarding computer systems. Network scanning is mainly used for security assessment and system maintenance, and also for performing attacks by hackers. The purposes of network scanning are as follows: it allows you to recognize the available UDP and TCP network services running on a targeted host; it allows you to recognize filtering systems between you and the targeted host; it allows you to determine the operating system in use by assessing the IP responses; and it also allows you to evaluate the target host's TCP sequence numbers and their predictability, to determine whether sequence prediction attacks and TCP spoofing are feasible.

Network scanning consists of network port scanning as well as vulnerability scanning. Network port scanning refers to the method of sending data packets over the network to a computer system's service ports, in order to identify the available network services on that particular system. This procedure is effective for troubleshooting system issues or for tightening system security. Vulnerability scanning is a method used to discover known vulnerabilities of computing systems available on a network; it helps detect specific weak spots in application software or the operating system which could be used to crash the system or compromise it for undesired purposes. Now, network port scanning as well as vulnerability scanning are information gathering techniques, but when carried out by anonymous individuals they are viewed as a prelude to an attack. Network scanning processes like port scans and ping sweeps return details about which IP addresses map to active live hosts and the type of services they provide. Another network scanning method, known as inverse mapping, gathers details about IP addresses that do not map to live hosts, which helps an attacker focus on feasible addresses.

Network scanning is one of the three important methods used by an attacker to gather information. During the footprinting stage the attacker makes a profile of the target organization; this includes data such as the organization's domain name system and email servers, in addition to its IP address range. During the scanning stage the attacker discovers details about the specified IP addresses that can be accessed online, their system architecture, their operating systems and the services running on every computer. And during the enumeration stage the attacker collects data including routing tables, network user and group names, Simple Network Management Protocol data and so on.

Now, a very popular tool that is used for network scanning is nmap. Nmap is a must-have tool for most ethical hackers, and crackers throughout the industry are using it on a daily basis. What it is used for is scanning, as I just said, and the only bad part about nmap is that by default it is a very noisy scanner; but if you know some ways of IDS evasion, which is the next topic that we're going to talk about, you can very well do an nmap scan while being very quiet. So let's go into nmap and see the different ways that we can use it. Nmap was originally written for Unix systems, but it is also available for Windows; for now I'm going to be using the Unix version. First of all let's open up our Unix system that is running in our virtual machine, and let me clear the screen. I already have nmap installed, but if you don't, you can go

apt-get install nmap

and that should install nmap for you; if you're not the root user you will want to prefix it with sudo. I'm not going to run this command right now because I already have nmap installed; what I'm going to do is show you the different ways we can use it. When you're using a tool on Linux, the first thing you want to do with any tool is look at its help, so

nmap --help

shows you all the stuff that you can do with nmap. As you can see there is a section on target specification, host discovery, the different scan techniques, port specification and scan order, then service and version detection and script scanning; there's a bunch of things that we can do.
okay so now what we want to do is let me
just show you how you can do all sorts
of stuff so suppose you want to do an
nmap
can let's say Eddie record oh so this
will start up an nmap scan on the IP
address that edu rocket Co sits on so as
you guys can see this is running an nmap
scan and it can take a little bit of
time now since it's taking a lot of time
I'm going to show you some other ways by
just quitting out of it okay so now that
I've stopped it because it was taking
too much time
You can also specify an IP address. Suppose you want 192.168.1.24: you can do an nmap scan on an IP address like that, nmap 192.168.1.24. I'm also going to quit out of this because my computer is really slow and is taking a bunch of time to actually load anything. Then you can also do a scan on an entire subnet. Suppose you want 192.168.1 and you want to do all the IPs from 1 to 24, so you would write nmap 192.168.1.1-24; you can run that and it would do an nmap scan on all those IP addresses. I'm going to quit out of every scan because this computer is really, really slow.

Okay, so let me show you some other flags. Suppose you had a file, let's say targets.txt, that had all the targets in it. Let me just create a target file, targets.txt. Now you could use this file and actually have nmap run through all the IP addresses in it. So suppose targets.txt had a list of IP addresses; all you would have to do is nmap -iL, which is basically "input list", so small i and capital L, and then you give the name of the target file, which is targets.txt: nmap -iL targets.txt. Okay, so because that file had no IP addresses you can see "0 IP addresses scanned in 0.89 seconds". So you can do that.

Now you can also do an exclude. Nmap allows you to do that with --exclude, so suppose you want to do a scan and you want to exclude some IP address, let's say 192.168.1.1; you can very well do that with nmap --exclude 192.168.1.1 and it will start scanning all sorts of stuff. That was the host name I gave as the target, so that's why it's failing; the excluded address was also its target.

Now you can also do some scanning techniques. Suppose you want to scan for SYN ports, so SYN scans; you could do something like this. Let's choose a default IP address. For a SYN scan you do small s and capital S, -sS, so that is for SYN scans and this will do all the TCP SYN port scans, and you can do it on anything. After that you just put in an IP address, so here I'm going to say 192.168.2.34, and it'll give you all sorts of information after that is done. I'm not going to run the scan for a long time.

After that you can also scan TCP connect ports, so for that you use the -sT flag, nmap -sT, and this is the default; you can use a TCP connect scan. After that you just enter the IP address, 192.168.0.0, and that should do a TCP port scan. Let's quit out of that.

Then let me just tell you all the flags for the different types of scanning techniques. -sU instead of -sT will actually scan for UDP ports. Then if you do an -sA it will scan with acknowledgement packets, so when there's a TCP handshake going on it sends back an acknowledgement packet, and you can specifically scan for those types of things. For a Window scan you can do -sW, and for a Maimon scan you can do an -sM.

Okay, now you can also do a bunch of host discovery stuff with nmap, so let's go over them one by one. With nmap you can do something like -sL, and this is a list scan, so it will only list the targets without scanning them. You could do something like 192 and then the IP address, so 192.168.2.34, and that will do that; let's quit out of that quickly. You can also use the -sn flag, which is for disabling port scanning, or host discovery only; this will not give you a port scan, and it will save you some time. And you can use the -n flag also, and this will tell it to never do hostname resolution, so you can save yourself some time in that way.

Then you can also do ARP discovery on a local network. Let me just show you how to do that: in nmap, the flag for ARP discovery is -PR, so that is for ARP discovery and you could do it on your local network, 192.168.1.1. Okay, so that's an invalid IP, yeah, so that was a gateway, and since that's the gateway I'm running nmap on some random IP all the time. Let's go and run ifconfig first and see our IP address.
Our IP is 192.168.1.1, so let's try and do some scans on ourselves. That was all about host discovery. Now you can also do some port specification. You can do port specifications like this: our IP is 192.168.1.1, so nmap -p 21 192.168.1.1 and that'll scan port number 21, and it'll show you that TCP port 21 is closed; 21 is FTP and it's closed, so that's how it should be. Then you can use a port range, like you could say -p 21-200, and that would scan all the ports from 21 to 200.
So that was about port scanning. Now you can also do a fast port scan, and that's what the -F flag is for. Let's get back the previous command, and all you want to add is -F, so that'll be a fast port scan and it's considerably faster; see, that was very fast, so it was considerably faster than most of the scans. You can also do another thing: suppose you want to just scan the top ports, so you could say --top-ports followed by a count and that'll scan that many of the most common ports on this IP address. Now this will take a long time because it's a very slow computer. Okay, that did it.

Now let's go and do some service and version detection. For service and version detection let's get back our edureka.co IP address, so that is 34.210.230.35, and let's try and do some service detection on that: nmap -sV 34.210.230.35. You could have done it on edureka.co itself. -sV will give you the service version, so it'll try and attempt to determine all the service versions that are running on that IP address. I personally know that it's an Apache server 2.0 that's running on there, so I'm not really going to wait for the scan to run, but that's how you actually do it.

You can also increase the version intensity, so let's just stop out of that. You can increase the version intensity, and the intensity is done something like this: --version-intensity and then you specify a number, anything between 0 and 9; the higher the number, the more correctness that you can kind of get out of nmap. So you can say --version-intensity 8. Okay, seems like version intensity actually has been removed from nmap, so that's an update that you learned in this lesson.
Okay, you can also do aggressive scans. For aggressive scans all you have to do is add the -A flag, so -A, and that will do a very aggressive scan on that IP address. Okay, so that was all about aggressive scans; it takes a really long time, so I'm going to just quit.
Then you can do something like OS detection also. If you want some OS detection you could use nmap and you could go -O, and that'll give you the OS detection. And that's basically the end of our nmap tutorial.

So moving on, we are going to be discussing IDS evasion, which is going to be the last lesson for this video. Now let's talk about intrusion detection evasion. Before we get into IDS evasion, let's talk about what exactly an IDS is. An intrusion detection system, or IDS, is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking actions when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses. Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms, or false positives. Consequently, organizations need to fine-tune their IDS products when they first install them; that means properly configuring the intrusion detection system to recognize what normal traffic on the network looks like compared to potentially malicious activity. An intrusion prevention system also monitors network packets for potentially damaging network traffic, but where an intrusion detection system responds to potentially malicious traffic by logging the traffic and issuing warning notifications, intrusion prevention systems respond to such traffic by rejecting the potentially malicious packets.

So there are different types of intrusion detection systems. Intrusion detection systems come in different flavors and detect suspicious activities using different methods. One kind of intrusion detection system is a network intrusion detection system, that is NIDS; it is deployed at a strategic point or points within the network where it can monitor inbound and outbound traffic to and from all the devices on the network. Then there is the host intrusion detection system, that is HIDS, which runs on all computers or devices in the network with direct access to both the internet and the enterprise's internal network. HIDS have an advantage over NIDS in that they may be able to detect anomalous network packets that originate from inside the organization, or malicious traffic that a NIDS has failed to detect. HIDS may also be able to identify malicious traffic that originates from the host itself, as when the host has been infected with malware and is attempting to spread to other systems. A signature-based intrusion detection system monitors all packets traversing the network and compares them against a database of signatures or attributes of known malicious threats, much like antivirus software.

So now let's talk about IDS evasion.
Now, an IDS is an intrusion detection system, as we just talked about, and it is meant to detect exactly the types of activities that we are engaged in. Sometimes you may be called in to work on a target where your activities are known, and should be known, by the operators, the operations people involved in monitoring and managing the network; the idea being that not only do they want to assess the technical controls that are in place but they also want to assess the operational procedures and ensure that the systems and processes are working the way that they are supposed to be working. Now, when you are engaged with a target that you are in full cooperation with, you don't need to do these types of evasion tactics; all these techniques may actually be avoided. But if you are asked to perform an assessment or a penetration test on a target where they are not supposed to see your activities, then you need to know some different techniques to evade detection by an IDS. So we are going to talk about a couple of different things that you can do.

One thing that you can do is manipulate packets to look a particular way. For this there is a tool called packit. Packit is a really good way to actually manipulate traffic, by actually manipulating the contents of a packet; you can specify the destination and source, so it's a really useful tool to make a packet look a particular way. One thing it can do is allow you to spoof IP addresses, so I could say that the source IP address here is something completely different from mine. Now, if I'm using TCP or UDP I'm not going to see the response path, and in the case of TCP I'm not even going to get the three-way handshake completed, because the responses are going to go back to the spoofed source IP. But what you can do, in addition to spoofing, is set particular ways that a packet may look, like changing the type of service, or changing the fragmentation offset, or different flag settings, that may allow you through an IDS without maybe getting flagged, and it may also allow you through a firewall. Now it's a slim possibility, but it's a possibility.

Another thing you can do is use packit to generate a lot of really bogus data, and what you might do is hide in the noise generated by packit. So you could create some really bogus packets that are sure to set off IDS alarms and then run some legitimate scans underneath, and hopefully be able to get some responses back without being detected.

So if you were to look at nmap, let me just open nmap up for you and go nmap --help; you can see a throttle option here, in the timing and performance section of the manual page. One of the things that you can see is the throttle, in other words the timing template, to go really slow. So if I do -T0 with an nmap scan, it's going to really, really slow it down, and it goes really, really slow, so there's a possibility it may not rise to the threshold that would trigger an IDS, and this is what we would call a low-and-slow scan. Now of course this is only nmap, and that would be a port scan, and there's still a lot of other work that you would have to do and you may have to find other ways to get around that.

You can see also here on the page there's some firewall/IDS evasion and spoofing. You can do things like fragment packets, and really, fragmented packets sometimes will avoid an IDS because an IDS is going to look at what's in front of it and may not have the ability to actually gather the entire packet and put it back together to take a look at what's going on, so sometimes fragmented packets can get through. You can also add decoys into a scan, and again use the kind of cover, friendly-fire sort of approach, where nmap will throw a bunch of decoys into the mix of the scan that you're doing and hopefully you'll get lost amongst the decoys that are going on. I can also spoof the source address and do some other things around data length and TTL, and I can also spoof MAC addresses and send packets with bogus checksums. So all of those have the possibility of getting around firewalls and IDS and doing evasion.

Now one of the downsides of using some of these techniques, and particularly the timing technique that we talked about, is that you run the risk of really slowing down your work, which of course is a side effect of this type of approach where you have to hide yourself and your activities. But the thing to keep in mind is you've got a limited time frame in which to perform these sorts of activities, and you really want to keep that in mind and be aware of how long some of these techniques are going to take. So, also under the line of friendly fire, you could do the spoof technique with a throttle of -T5 and just throw a lot of really bogus traffic at your target while also running a separate nmap scan which gets you legitimate information, and again hopefully you can get through underneath that friendly fire that's causing a lot of noise.
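As an added example (not from the video or from Edureka), here is the defender's side of the SYN scans and the -T0 timing template discussed above: a small Python detector that counts distinct destination ports per source/destination pair in a sliding window, run once with a short window and once with a long one so that the low-and-slow scan is still caught. The log format, addresses and timings are constructed for the example.

```python
"""Port-scan detection over connection records (added example, constructed data)."""
from collections import defaultdict, deque

# Record format (constructed, Zeek-style): "epoch_seconds src dst dport conn_state".
# conn_state S0 means a SYN was seen with no reply, which is what a half-open
# (-sS) probe against a filtered or silently dropped port looks like.


def build_sample_log():
    """Constructed sample traffic: one benign client, one fast SYN scan, one -T0 scan."""
    lines = []
    for i in range(30):                      # benign: repeated HTTPS to one port
        lines.append(f"{1000 + i * 10} 10.0.0.5 192.168.1.20 443 SF")
    for p in range(1, 26):                   # fast SYN scan: 25 ports in 2 seconds
        lines.append(f"{1000 + p * 0.08:.2f} 10.0.0.9 192.168.1.20 {p} S0")
    for i in range(16):                      # low and slow: one probe every 300 s
        lines.append(f"{1000 + i * 300} 10.0.0.7 192.168.1.20 {20 + i} S0")
    return "\n".join(lines)


def parse_records(log_text):
    """Return (ts, src, dst, port, state) tuples sorted by timestamp."""
    recs = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, state = line.split()
        recs.append((float(ts), src, dst, int(port), state))
    return sorted(recs)


def detect_scans(log_text, window_s, min_ports):
    """Map (src, dst) -> (first_alert_ts, distinct_ports, half_open_count) for
    every pair that touches at least min_ports distinct ports within window_s."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, port, state)
    alerts = {}
    for ts, src, dst, port, state in parse_records(log_text):
        key = (src, dst)
        q = recent[key]
        q.append((ts, port, state))
        while ts - q[0][0] > window_s:         # drop records older than the window
            q.popleft()
        distinct = {p for _, p, _ in q}
        if len(distinct) >= min_ports and key not in alerts:
            half_open = sum(1 for _, _, s in q if s == "S0")
            alerts[key] = (ts, len(distinct), half_open)
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    # The 60 s window flags only the burst; the 2 h window also flags the -T0 scan.
    for name, win in (("60 s window", 60), ("2 h window", 7200)):
        print(name, detect_scans(log, win, 15))
```

The short window never sees more than one port from the -T0 source, which is exactly the threshold gap the evasion relies on; the long window closes it at the cost of a later alert.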
Similarly, there's this tool called Nikto. Nikto does web application testing, and you can see that it has some abilities there, some IDS evasion techniques. So if you are doing web application testing and you need to do IDS evasion, what you can also do is throw a Nikto scan out from another system, and again you may be able to hide underneath the noise from the Nikto scans while you are doing some other technique. Hopefully you can use enough of these sorts of tactics to hide yourself well enough to be able to get what you need from your target without being detected by the target and the operations people there.

Okay guys, this brings us to the end of this exhaustive video. I hope you guys had fun learning about the various topics that we talked about. If you have any doubts you can always leave them down in the comment section below. If you guys really did enjoy the session, which was a lot of fun to make for myself, you could leave a like and a comment and also share it with your friends. That's it for me, goodbye.

I hope you have enjoyed listening to this video. Please be kind enough to like it, and you can comment any of your doubts and queries and we will reply to them at the earliest. Do look out for more videos in our playlist and subscribe to the Edureka channel to learn more. Happy learning.
