your home network can be HACKED!! Let's try. Ready to get your CCNA? Boson xmas sale (25% off) http...
Video Transcript:
i'm about 90 sure your home network can be hacked like it's not safe no you don't believe me let me show you in this video i will show you how to test your network your home network for vulnerabilities can a hacker actually hack you the answer is probably yes so once i prove that to you then i will show you how to secure your network we'll start with how to secure and harden the router you have now in fact i'll show you six things you need to do right now because you're in danger and then we'll move on to more advanced stuff things that you might want to purchase a new router for i'll give you a peek into my network and what i do so buckle your seatbelts this video has a ton of stuff i'm so excited i'm going to show you nmap how to create a linux server in the cloud testing your home network show you what a soho is a small office home office network let's do it owen a huge shout out to the sponsor of this video boson software they are the official sponsor of our ccna series here and they by far have the best practice practice exam i could ever say that practice exam software lab software courseware out there i love it i'm using it right now every single day to study for my ccmp encore in fact if you want to see that journey i'm going live on twitch every morning wake up and be my study buddy link below and if you want to get bose on you should right now if you're studying for any cisco certification they've got a christmas sale going on use the code mary20 you get 25 off it's lit check it out do it now anyways let's start hacking and securing our networks and go i've had too much coffee if you can't tell that's okay though right i already know exactly what your network looks like it looks like this you've got all your devices cell phones computers tablets alexas smart light bulbs tvs all connecting to one device your router this device does it all it's your router it's your wap it's your switch it's everything all in one and that device with one cable connects you to the internet and that one cable could be a coaxial cable it could be ethernet doesn't matter and that's your network that's a typical soho network ever heard that term before soho small office home office and this is obviously smaller and much more simple than what you might see in a business or an enterprise enterprise networks networks you find out a business have massive routers and switches and firewalls and they have a ton of security features but they still get hacked which begs the question if those big companies can get hacked is your small little dinky network safe in most cases no no it's not let me show you where you might be vulnerable here are your four weak areas the first big one straight from the internet can people attack you and get into your network we'll test and find out we'll try by far the scariest weak point you may have in your network are the devices that are connected to your network the things you have in your house huge vulnerabilities number three you're wireless anyone can walk by and see your wireless network and try to connect to it is it safe and four probably the most impactful is your connection to your business to your company your job i mean come on most of us are working from home right now right how does your company have you connecting to their stuff is it secure we'll talk about that so number one is your network safe from the outside let's test it out the first thing we have to look at is your public ip address when you connect to the internet your isp or your internet service provider gives your router a public ip address this layer 3 network address is what you use to surf the internet it's kind of like your name you're kind of like your home address it's how websites know to communicate with you do you know your public ip address if you do put it in the comments below no no please please don't do that it's actually very very bad if someone finds out what your public ip address is let me show you let's actually find out what yours is real quick open up your web browser and we'll navigate on over to google. com and right here in the search bar just type in what is my ip address and there it is again it's very bad for someone to know your public ip address because it tells a lot about you don't believe me we'll try this the link below this search right here you might see here what is myipaddress. com i'm going to go to that and right here in the browser it shows me pretty close to where i live zoom out there yeah kansas that's crazy scary right so if someone learns your ip address they could get a pretty good guess of where you live but that's not the only danger if a hacker learns that this is your public ip address they'll start using hacking techniques to find weaknesses in your network you want to try some let's try it on your network right now now i'm going to show you two ways to do this the first way is really easy takes like three seconds the second way is really really nerdy and geeky and is super fun but anyways basic way first easy way first open up your web browser and navigate to a site called pentest tools.
com and then right here in the middle click on scan your network what this will do is actually scan your public ip address and see if there's any open holes in your network open ports so go ahead and copy your ip address there paste it in here and i'm actually going to put another network in because my network's pretty secure this one i know is vulnerable i want to show you what that looks like so go ahead and click on scan now and notice right here what it says scanning for open ports what does that mean ports are literally holes in your network so like right now your network your router probably has a firewall and what that does is protect anything from the outside from getting in but what you can do if you want to use some cool things like maybe you have a website inside your network you might open up a hole maybe that hole is port 80 or http that will allow people to access your public ip address at port 80 and get to something behind your firewall maybe you have a website running on your laptop or something just something fun you did maybe a little project you did and then you forgot about it maybe you shut your website down but that hole might still be there that's a bad thing ideally you don't want any holes in your network at all nothing's coming in so looking back at our scan results let's see how vulnerable i am i'm gonna scroll down to the free stuff here it found an open port a very popular one actually 33. 89 that's remote desktop you never ever want to leave that port open on your network now what did you find do you have any ports open on your network let me know in the comments below and that's it's okay to tell me that just don't tell me your public ip address and i'll show you what we can do about that here in a moment but next i want to show you the geeky awesome just way to search and test your network for vulnerabilities now if i scroll down to the bottom of this page real quick notice it says it was a light scan they don't give you access to the full features but they're actually using a free open source program called nmap to scan your network yeah so it's free open source meaning we can use that tool ourselves let's do it now to do that we will need a server outside your network so we'll need a linux server that's not inside here you don't want that to happen you want to scan the outside of your network to see if there's any holes you can poke through now when you heard linux server you may have thought wow hard i can't do that yes you can it's super easy i'll walk you through it right now and it's free dude i'm so stoked let's set it up right now let's do it in the description i have a link it's to a site called lenode. com this is one of my favorite cloud service providers i use them all the time and if you sign up right now you get a hundred dollar credit to do anything you want now the server we're about to create in the cloud costs five dollars a month to run if you just create one server to play with that's 20 months of free linux server goodness why would you not want that so go ahead and sign up for that i'm going to get logged in here to mine and this will be so fast trust me so at the top right click on create and click on lenode we're using all default settings so easy leave it at debian 10 for the image choose your region somewhere close to you i'm going to choose dallas scroll down to pick your size pick the smallest one five dollars that's what i want and then put in the name of it i'm hacking and then create a password that's it click on create and you just created a server in the cloud awesome if you've never done it before it's pretty exciting man and we'll wait for that to finish cooking you'll know it's done brewing when you see that it's running so now let's connect to it right here in the browser click on launch console i want to change mine to glish and go ahead and get logged in username will be root and password will be the one that you just created we're in we're in a linux computer nah so first we gotta install nmap don't worry super easy one command apt install and map dash y that's it that's all you do and hit enter it's going to do it and it's really fast watch done that was like 15 seconds okay now i'm going to test your network for vulnerabilities i'll enter one command and map we'll do a dash lowercase s uppercase t this will use a tcp scan and then put in your ip address and hit enter perfect time for a coffee break it might take a moment here the results are in it scanned 1 000 ports 987 of them are closed that's good but poor 80s open 22 is open 443 1720 i got some holes to plug man ah now again this is a legit hacking tool that hackers actually use to find vulnerabilities so you just hacked yourself and that's that's really cool to say and this tool is pretty dang powerful we're not even scratching the surface but let me show you one more command we can use the command will be nmap dash dash script then type in v-uln or vuln and then your public ip address and hit enter and take you a big ol long coffee break okay this took a minute but it's worth it trust me watch this why this took so long is it use a script to find vulnerabilities on your network it searched known vulnerabilities and saw if your network was up just enough mine wasn't one attack that could my little cisco network here is slow loris a ddos attack or ddos i'm vulnerable to that attack if i scroll down i've got a tls vulnerability not good but this is exactly what hackers will do to find vulnerabilities in your network if they know your public ip address they'll scan it and go huh i found a vulnerability for this guy's network this gals network i'm gonna exploit that sucker and then you're you're done so that begs the question how do you protect people from seeing or knowing your public id address the first big thing is just don't tell people your public ip address and that might be like a duh statement but you might accidentally show them like maybe while you're making a video or live streaming like maybe like you thought i just did you're probably thinking chuck you're an idiot you just exposed your public ip address you said not to that's not my public ip address i don't live in kansas and that leads me to one of the best ways to protect yourself and that's use a vpn which is what i'm using right now i'm using nordvpn you can use whatever vpn you want to use but this will hide my public ip address from the internet as i'm surfing now i will say this it's not foolproof like don't think if you're using a vpn you're like you're just completely safe on your home network no that's not the case at all because while my computer right here my beefy computer behind me over here it's using this vpn and has that public ip address everything else in my network whatever device it is is still using my real public ip address and what hackers often do is they'll use that tool in map and instead of scanning just one ip address like we were doing they'll scan ranges of ip addresses they literally have computers sitting there just running through these things and they might just happen upon your ip address and find vulnerabilities and boom they got you so what do you do how do you protect yourself you've got a couple options here either harden or secure your router make some config changes or get a better router that can actually be more secure now most likely your router you have now can do a good enough job to protect you i'm going to show you real quick six things i would change on your router right now you have to do this please do this right now let's do it now i have no idea what router you have but most routers are pretty similar so first thing i would change here on this tp link router is make sure you have your firewall enabled i'm going to go to advanced scroll down to security click on firewall and make sure this sucker is turned on and it is but that's not the only problem you might have that doesn't close all ports you can still allow ports through even with your firewall on there's a little thing called port forwarding and let's go make sure there's nothing coming through our firewall so for that i'm gonna scroll up a little bit to nat forwarding that's what you might see on your router i'll click on that forwarding and then port forwarding every entry you see here is one hole in your network port 1080 port 80 ports 21 through 45.
these are being allowed you may have done these yourself to try and get something running like maybe you have a plex server right plex is awesome operating on the port 32400 go ahead and scan your network for that see if it's open you can do that with the command nmap dash lowercase s capital t and then dash p for port and put in whatever port you want to three two four hundred for plex and then your public ip address it'll tell you if it's open or not so best practice close all your stinkin ports don't let anything end from the outside you might be thinking chuck but i want to access my stuff from the outside i want to do that no i'll show you a better way just don't do it this way please and that was number two by the way so number one turn on your firewall number two turn off port forwarding don't forward stuff into your network three and one of the biggest ones oh my gosh don't do this please go to system and go to administration i'm gonna scroll down here try to find the setting let me scroll here where is it where is it oh right here remote management turn that crap off right now this right now allows someone from the outside some nefarious hacker with a beard a guy really up to no good he's allowed to access your public ip address whatever it is on port 443 he'll hit this portal and have the ability to try and log in now sure he'll need a username and password and if you change that you might be good did you change your username and password on your router because if you didn't it's got default values it might be admin admin it might be admin password it might be something else but those things can be easily found oh my gosh stop it don't do it go into your router change your default username and password right now that was number four so number three was disable remote management you don't need people to manage your router from the outside you don't need that and change your username and password right now now you might be wondering chuck well why do they have remote management on the router if it's dangerous well in best case scenarios the router is safe and you can access it remotely and it's secure https the thing is a lot of routers have firmware have software that's currently vulnerable meaning that hackers could find this get to this page and exploit it break into your network just like that so why risk it just disable that feature it's not that important to have for you speaking of firmware update your dang firmware update your software on your router i'm gonna go right here to firmware upgrade and i'm going to upgrade to whatever upgrade i find done now i won't be that fast this is an emulation here but literally before this video i upgraded my firmware on my network my unifi hardware why do you think they have upgrades why do you think they have one available for you because they're either they're doing one of two things they have a new feature or they found a vulnerability with their hardware and software and they're patching it they're fixing it so if you have hardware right now in your network that has not been updated it's likely it has a vulnerability that hackers can exploit man you might already be hacked right now oh scary right and number six this comes down to wireless i'm gonna go to wireless right now wireless settings just two just two things real quick actually three security make sure you're using wpa2 always and wpa3 when it comes out always use the most secure standard out there you can two man don't use a password like this please and don't use an ssid like this like when you go to connect to your wi-fi this is the name of your wireless network if you have your network named tp-link or anything default that will tell the hacker as they're driving by they do that it's called war driving they'll drive around neighborhoods and try to find wireless they have like this crazy powerful wi-fi detector they'll try to find wireless networks so they can hack and if they see the one that says tp-link they just learned what kind of router you have and they'll start searching for tp-link for vulnerabilities and you're done you're toast man so name your ssid something else something random coffee harry potter whatever i do harry potter themed in my network and then make a strong password make it crazy i do random generated strings that are like 20 characters long it's it sucks to put those suckers in trust me and you might be thinking chuck well how do i give that password to my guest that would be such a pain don't give that password to your guest don't let guests onto your main network don't do that give them their own network that doesn't touch your stuff that's one thing i would do so this particular wireless device this router has a guest network feature if you have that check see if you do and enable it if you don't you might want to get a new router we'll cover that here in a moment i'll give you my recommendations oh and bonus i forgot so i said six here's number seven seven's lucky anyway go back to uh let's see security and firewall right here respond to pings from lan and wan what this means is that if you send a ping to your network device meaning just a simple hey you there he'll respond back with saying yes i'm here it's a common network thing we do all all the time just to see if things are up and running for security you don't want that on you want everything off especially your wan so disable that why well because as a hacker is trying to scan ranges of networks to see if there's a network device available he can hack if he scans your public ip address you don't want your router to respond you don't want that to happen you want your router to go nope nope no one here just pass right along that's what you want to happen you want to fly under the radar keep yourself safe anyways so adjust your router in fact don't just do your router go to your family's house go to your friends houses and make sure their routers are secure harden their router secure their routers and that's really for your benefit because when you go to your families and friends houses right you probably use their wi-fi networks do you want to put yourself on an insecure network man so secure secure secure too much coffee so we just covered number one and number three people getting into your network from the outside and also kind of securing and hardening your wi-fi make sure you have a good password and stuff but now the most dangerous thing i think out there that we don't expect that's hard to find and realize it's the things on your network number two is freaking scary because it's the devices you don't expect to be bad alexa um light bulbs your smart light bulbs that have wi-fi connection all those iot devices that's risky man why let me show you real quick you may have done a great job not letting anything into your network from the outside cool awesome great but everything on your network on the inside you like using your phone your computer everything on your internal network is allowed to access pretty much whatever they want on the internet so they can go through or out and then whatever server they communicate with let's say you're going to facebook or youtube like right now you're watching youtube well youtube is then allowed to send stuff back through to you that's how it works if i go to youtube and i'm like hey youtube talk to me send me some videos it'll send you videos back and that's allowed through the firewall that communication is allowed so if it's allowed for you your computer your phones it's also allowed for your smart light bulb over here and your smart tv all of those devices are communicating to the internet they are they are right now just like you can the problem is we don't know who they're communicating with it could be a legit service they need like your light bulb may be reaching out to its manufacturer server and pulling down a firmware upgrade okay that's a good thing or this light bulb could be reaching out to a foreign website maybe a chinese website maybe a hacker was able to find a vulnerability with that particular light bulb and through that communication was able to hack your light bulb and suddenly that hacker is on your network it might be your light bulb it might be your your tv your smart toilet whatever you have because pretty much everything in our house is smart now at least mine is all of that would be seen as legitimate communication on your firewall a basic firewall i'll go into what i mean by that here in a moment and it would be allowed and right now your network could be compromised and you wouldn't even know it that's terrifying so what are your options right now let me show you what i do with my network here's my design right now network chuck's network here's how i handle my dangerous iot devices now like all of you i have a wireless network that i access and use i call it portkey anyone know where that's from let me know below this is my main wireless network where all my phones tablets computers laptops whatever everything that people use we get on that basically devices that i pretty much trust for my iot devices i say i don't trust you guys at all so i'm going to put you on your own separate network separate from my my stuff that i trust so you can't affect me in any way because like on my personal network i've got things that are important like my my network attached storage my nas my file systems and all the videos i make and save i don't want hackers have access to any of that and i don't want my iot devices to have access to any of that so i put them on their own network and this wireless network i actually call seeker of truth anyone know where that's from this network is separate because it's on its own vlan or virtual lan virtual network it's on vlan 6. this one actually is on its own vln as well vlan 7. and on this one i have devices i don't trust like alexa and philips hue my smart light bulbs now what makes this network special is that again they can't access my other network my firewall prevents that i also take it a step further by doing what's called client isolation or device isolation which means alexa can't talk to anyone else on that network philips hue those light bulbs can't talk to anyone else on that network typically you would be able to she could talk to philips hue phillips you could talk to her that's how a network works it connects devices so they can talk but with client isolation it prevents those devices from talking to any other device on the network you want that for your iot devices golden now i take it a step even further i'm a bit paranoid i have another network i've created another section of isolation i call this network horcruxes because you don't want to touch any of these devices this is where i put my iot devices that i really really really don't trust like the cheap light bulbs i buy off amazon because i don't want to pay full price for a philips hue bulb so yeah just cheap iot devices things that aren't name brand that probably don't receive firmware upgrades that are talking to servers i don't really know about and of course it's going to be on its own vlan because it is a separate network vln let's just say eight now i'm able to do this because i have network hardware that allows for i'll go into what i have in a moment but here are your options if you want to do something like this now that tp-link router i was showing you and other routers like that they can't do this so if you want this kind of client isolation for iot devices and other stuff maybe even for your guest dude you got to get something else the good news is that it's not too expensive to get features like this here are my three recommendations there is a software called dd-wrt you can take your standard router that you have now whether it's linksys asus netgear if the model is supported you can load this custom firmware onto your router now i'm going to make a video covering what models are supported and how to walk through that process to configure a network it's gonna be super fun but for now just know that's an option and with that custom firmware you can do those fun cool things now if you're studying for your ccna if you're a cisco nerd which i hope you are then getting cisco equipment is totally an option go to ebay find some cheap routers switches and create your own custom network cisco can definitely do all that we talked about in this video and it's what i have in my network right now i actually have two separate networks two separate physical manufacturers in my network cisco being one of them the other one which is what i use for my main network and that's ubiquity or you'll see it called a unify this is kind of the uh the prosumer option like it feels like you're using enterprise equipment but it's not expensive like you might find in an enterprise so let me show you what i'm using and what i have right now i'll go to my portal now i'm a huge fan of unifi here's how they work they're controller based so basically they have a controller this could be its own device its own server that will then control your network devices you might have a router a switch access points typically on a unifi network you'll have separate devices like you might find on the enterprise network that's why i call it prosumer it feels more enterprise because you get more features that's what happens when you invest in a network like this now what they've done recently and i made a video about it and i love the s i love it so much is they created a product called a dream machine you can learn more about that at a link here i reviewed the entire thing basically it's one device that has a controller built in a wireless access point a switch a firewall the whole the whole thing that's amazing you should get one that's like 300 bucks same price as what you might get for a normal router but it's infinitely better now for me i have the dream machine pro or the udm pro the main difference here is that it's just a bit faster and here's what i have my network i got the dream machine pro that's my firewall my router and it's also doing what's called ids and ips this is crazy important if you have iot on your network which most of us do i'll show you why here in a moment also on my network i have two switches and three access points one is obviously down right now and so while this is technically a home network it's more like an enterprise network this is what a typical enterprise network might feel like so if you want to put an enterprise network in your home and have that look and feel go with this love it now i want to show you one thing real quick because it came up today and it's under threat management my ids ips i'm gonna go to threat management right now my ids and ips my intrusion detection system and my intrusion protection system found three threats on my network now these were threats coming from the outside and they were threats coming from the inside accessing something outside let me show you i'll go to my traffic log here it's telling me a network trojan was detected shows me what devices we're trying to reach out to it and where it was going with the ids it'll just tell you what's happening and say hey fix it with the ips it'll actually do something about it it'll detect it and protect you block it this stuff is what you want on your home network you want this separating your iot devices on a separate network is the first best step you should make but then having an active monitoring system where it's constantly downloading the latest vulnerabilities and threats and checking your network for those is what you want this is turning into a unified commercial i'm sorry but what we did earlier when we scanned networks with nmap this actually does it all the time it's called endpoint scans and it's scanning my network identifying my devices tell me what type of os they have and letting me know what open ports they have and look at all this that's crazy and they'll also test and see if there's vulnerabilities that's why that's how it was able to see those two devices we're having an issue by the way if you want to do something like this on your network you can run nmap inside your network you'll need linux obviously but simply run the command let's say nmap dash s lowercase s capital t and then your subnet you might have 192.