Shalom, shalom, shalom my people, hello! What is up everybody? What's up Cyrus the Virus, how are we doing buddy? What's up Knight Links, what's up YouTube, a lot of you in here. What's up Saban, thanks for the sub, appreciate it. Hey everybody, welcome, welcome, welcome. We still got a couple minutes, so we'll wait it out until 8 o'clock. What's up Keybash, Wolf Auth, Dragster Games, Kyle Horton, thanks Blackness Prime, thanks, thanks also Reckless Pancake, thank you everybody. Hi Alexander, Alexandra from Brazil, how are you doing buddy? What's up PMR Eric, what's up Deadly Maddy, TJ Virus, Alpha Beta Zero. Hey guys, a lot of people coming through, happy to see all of you here. Luxembourg says hi. Hi Luxembourg, guten Tag. All right, one minute guys, one minute, we'll kick off. Hey, thank you Deadly, appreciate that, thank you so much. Hi from Portugal! Hi Portugal. Yeah, that's all I know, I was close enough in region. Close enough. Don't worry about panic-installing Juice Shop, we've got plenty of time, absolutely plenty of time. I placed gold in... I placed gold in healer. I'm gonna switch this out and switch it back in, there we go. Hi Mo from Puerto Rico. Hey guys, hey everybody. Rashon, oh thank you for the sub, appreciate it, thank you, thank you.

All right, it's 8 o'clock, we are hoppin', loving it guys. All right, welcome to what we're gonna be calling the web app pen testing course. Trying to be YouTube friendly and not call it anything else, so we're gonna call this the web app testing course. We're gonna be doing pen testing, and I'm gonna give you guys a little bit of PowerPoint. If you've been with me before, you know we do maybe 10 minutes of PowerPoint, just like an overview. Since this is the first lesson it might be a little longer, because we've got some rules to get out of the way, some things to cover, and we've got a very, very active chat. As you notice we've got 70-something people on YouTube, 70-something on Twitch right now, so I can't keep up with all the messages. We'll talk
about that here in a minute as well. So if this is your first time: also, we always do stream in the beginning, we do the lessons, and then we open up the floor for an AMA and I'll answer your questions as long as I can go. So let's go ahead and open up the PowerPoint, and then we will... and it looks like my screen doesn't want to work tonight, so what we'll do is we'll switch screens, and that's super easy for me, so give me one second. Already technical difficulties. So we will switch over to the other side, doo doo doo, slide show on monitor 3 from beginning, there we go. Thanks Eric, appreciate it. Okay, bring this over here for me and also bring this over this way, perfect, just gotta flip my screens over. I've been having issues with my left monitor showing up in stream for whatever reason; the right one shows up all the time, not sure what the issue is with it. So let me go ahead and switch those over, boom, there's that. I'll add my face into it because I'm sure you guys really want to see that, and let me pull up my chats and I will be ready to go.

All right, here we go, welcome to week one. Sorry for the one minute of technical difficulty there. So week one, quick: who am I? Most of you know who I am; a lot of you, this is your first time here, so I'm gonna run through it really quick for anybody watching this later on YouTube as well. So I am a husband first, hacker, military veteran, gamer, sports fan, animal dad. Love to play Overwatch, as some of you guys have seen. I got five animals, two cats, three dogs. I'm a former accountant turned pen tester, so I worked in accounting for a long time and then I decided I'm gonna switch off, I'm gonna become a pen tester, and I did just that. So day to day I'm a senior security engineer and I own my own pen testing company, which is called TCM Security. On top of that I have two projects that I do: one is The Cyber Mentor, which you are watching right now, so that is my Twitch streaming, YouTubing, etc. The other is VetSec.com, so if you are a military veteran and
you are watching this today, please do consider going to vetsec.com/slack. We have a private community just for military veterans who are interested in cyber security. So that is not only a veteran community, that's also where a lot of us blog, so we blog over here at vetsec.com. I do some blogging as well on my TCM Security side at tcm-sec.com.

So on top of this, what are we gonna learn in this course? And let me get rid of this, you don't need to see... y'all see me right now. What are we gonna learn? Okay, we are going to learn pen testing techniques, and I'll turn off alerts as well. We're gonna learn pen testing techniques, right? We're gonna talk about five steps of pen testing: information gathering, scanning and enumeration, exploitation, maintaining access, and cleanup. Okay, those are the five steps. We'll briefly cover those today. It's very important to know, and the methodology doesn't change whether you're doing network pen testing or you're doing wireless pen testing, you're doing anything; so if you're doing web app pen testing it's all the same. So on top of this we're gonna be learning some tools. We're gonna be covering Burp Suite. I will also be covering Burp Suite Pro. You do not have to have Burp Suite Pro; there are just some features that I want to show you about Burp Suite Pro that make it really nice, and I am a big, big fan of it, so I just got to show it, you know. And if there's one tool that I recommend people purchase, especially if you're trying to get into bug bounty hunting or doing web apps, $400 for Burp Suite Pro is 100% worth it. So on top of that: Nikto, DirBuster, curl, Sublist3r, nmap; those are web app tools that we can use, so we're gonna be covering some of those, looking into those. Okay, on top of this we're gonna be covering the OWASP Top 10, every single item in the Top 10 and some others. So we're gonna take a look at what we're gonna be doing here in a minute; I've got quite a few things for us on the agenda, so we'll take a look. Lastly we're
gonna cover some important documents, we'll talk about resources, career advice, etc.

So again, if you missed it in the beginning: we are talking first, we'll do the course, this... tonight it's gonna take an hour to maybe an hour and a half, and then we'll do an AMA afterwards. So we'll do an AMA of anywhere from... I'm trying to get out of here at 10:00 tonight, but I will push it later if we need to. My wife leaves tomorrow so I kind of want to spend some quality time with her, but typically we'll go... sometimes we go all the way to midnight, so these streams can sometimes last for hours. The lessons anywhere from an hour and a half to two hours typically, so a good chunk of AMA if you enjoy that. So, special note at the bottom: this course runs every Wednesday at 8 p.m. until we are finishing it, unless otherwise noted. So sometimes I do have to travel, I have my own life going on, sometimes I'm not available on Wednesdays; I will make that very clear way ahead of time if I'm not going to be available. As noted again, AMA afterwards.

There are very few rules that I have in this chat. Rule number one is don't be a dick. If you be a dick, I will ban you without any question. Don't ask black hat or "how to hack Facebook, sir" type questions. Don't ask me about botnets, don't ask me anything illegal, I'm not going to answer them; that's a good way to get you booted as well. Okay, so anything stupid: if you think it's stupid, it's probably stupid, so please just don't do it, because I am trigger-happy today and I will ban you in a second. Other than that, we are a chill chat. We will just hang out, we'll chat, we'll have a time, and my encouragement to you is to help each other, because right now I'm looking at it, we've got a hundred nine people just in Twitch, we got another hundred and something it looks like on YouTube. So please do help each other. If somebody has a question and you know the answer to it... I already see it going on right now, somebody asked a question about Burp Suite Pro and
somebody else answered it. Perfect, that's the kind of environment I want you guys to be in. So other than that, let's go ahead and push forward.

Okay, let's talk about resources really quick, because these are important. If you are interested we have a mailing list, and... look at that, so another technical difficulty, hold on guys. Okay, I just booted up my own website, which happens to have my live stream on it. All right, so anyway, website: this is where you get to a few important places, thecybermentor.com. So we've got the contact/subscribe up here, this is really what's important. You come over here; also we've got the links, right, if you're interested in the social media links, but over here if you get on the mailing list, the mailing list will allow you to be there when I send homework. So right now there's about a thousand of you on the mailing list. When I send homework out it'll go to the mailing list. There's also a couple places that it will go to: it'll go to GitHub. At some point I'm going to be putting out the GitHub, you see, for the Zero to Hero or the beginner network pentesting; this is exactly what I did, the mailing list is in here for each week, or the homework. More importantly, let's see this: if I bring over the Discord here, and we go, there is a web app course Discord right here, okay. So if you come into the Discord channel, it's the link; if you hit !discord in the chat it will bring it up, also if you just go to the link on the web page you can come into Discord. We've got about two thousand people in here. We have a special channel just for this course. If you are taking this course and you're interested, you can chat with other people. There are also pins for when I send out messages. All the resource lists that I'm going to be sending out tonight or showing you guys tonight are gonna be in here; they're also going to be in the announcements from earlier, so I sent all this out, so don't ask for links. If you guys are interested in links, they'll either be in the
description of the video later or they're gonna be sitting in these channels, so please do consider using the Discord channel as well.

So let's go back into the PowerPoint. And so I showed you guys the Discord, I showed you guys the GitHub. GitHub is where I'm gonna be uploading the course material; there's also a tool or two that I might show you from the GitHub. Last but not least, the course is 100% free. If you were interested there is a Patreon that you can tip me at, or you can tip on streamlabs.com/thecybermentor, not expected at all, but donations are accepted.

Other than that, let's talk about resources. So there are so many resources and we're gonna cover these really quick. So this whole course is going to revolve around a tool called Juice Shop; well, not a tool, a platform that was invented just for web app pentesting. So I sent out an email on the mailing list for everybody who has already signed up: we are going to be using Juice Shop. Now it is a highly vulnerable web app, and I will bring you to the page here. So if we go to the page, we take a look at it and we go here, so Juice Shop, this is it. It's very, very simple to install: all you have to do is sign up for Heroku and then hit this deploy button. It takes about 10 to 15 minutes, 100% free, you get your own instance, fun times, awesome stuff. On top of that you can install it in other things: you can install it via Docker, via Vagrant, EC2 instance; they've got all different ways that you can install this, but Heroku is free, very easy to set up, it's literally one click of a button. Okay, on top of this, while we're here, there is this link for this GitBook by the same author. He put together a whole book of everything, okay. Now in here there is a bunch of stuff. We can talk about all the vulnerability categories that we're going to be covering. So if you look at what we're gonna be covering in this course: A1, A2, A3, A4, 5, 6, 7, 8, 9, 10, that is all of your OWASP Top 10 right here. So we will be covering every single one of the
OWASP Top 10; we'll also be covering some additional material here, okay. So very, very fun stuff. Now there is a challenge board for this, and what we'll do is we'll have a scoreboard, and I don't know if I have a picture of the scoreboard yet, but when we get to the scoreboard we'll talk about it. But basically what is out there is there are a bunch of different challenges, and here they are. So how we're gonna run this course is we are going to do it step by step, right? We're gonna start with the trivial challenges. So my original thought for this course was like, hey, you know what, I'm gonna take injection or cross-site scripting and I'm gonna show you all the cross-site scripting vulnerabilities and just cover that one week. The issue with that is we can start at tier 0 and tier 1, and then we get up to the difficult ones and it's gonna lose people. So what I think I'm gonna do is we're gonna do trivial challenges one week, then easy challenges, then medium, and then we'll just keep going on. You see the list gets longer and longer and longer, so as we start getting into these later weeks and you see the new tiers up here for cross-site scripting, it's just gonna get harder and harder. So we're gonna start out really simple. We'll cover the concepts; every time I introduce something new like cross-site scripting, I'll have information about what it is, why it's vulnerable, we'll even talk some defenses with it as well. So I will teach you guys what I know through a really good web app, and what this is going to do is hopefully, when we're done, it's going to make you confident in your abilities to do pen testing with web apps. This isn't really bug bounty hunting. There... bug bounty hunting is web apps, right? It really is. The methodologies in web app pen testing and bug bounty hunting are slightly different, but not very different, okay. So you learn a lot of this, you can take this knowledge and go do bug bounty hunting, and I have provided links here
to very popular programs, which we'll talk about.

Before we do this, there is also this OWASP Testing Guide that I want to share with you guys. So every time I do a pen test, this is how we do it, the OWASP Testing Guide. So if we come down here and I show you these links: now there is a PDF and there is a GitHub, okay, in those links that I sent out. Now this GitHub shows a checklist. I'm gonna bring this checklist over. I use this on every single web app assessment that I do. This is version 4; they just released version 5. So we come through here and you can see, like, it starts with information gathering, configuration and deployment, and here's where it can get a little overwhelming when we're talking about doing web app pen tests. Look at all the stuff that we have to do. This is one assessment, okay; one assessment is a hundred and twenty four lines, and that is very, very detailed that we have to go through. So this is fantastic, and the nice thing about this checklist is the PDF that comes with it. So if we look at the PDF it lines up perfectly. We scroll through, there's a bunch of stuff in here, I don't know where it starts, like page 25 or so. Here's the framework, where are we, okay so page 25... here we are, so page 28 actually. You come into here: OTG-INFO-001. If we look back at this, OTG-INFO-001, there is a whole write-up on tools to use, what you're looking for, how to do it; your methodology is all here, on top of that remediation, okay. So literally, if you're doing a pen test and you have any questions, you can refer to this guide and your checklist, and that ensures that you don't miss anything. When there's a hundred and twenty four steps available to do a pen test, chances are you're not gonna remember everything that's coming through, so it's very nice to have this kind of guide, this checklist, etc. And like I said, I use this on every single list, and it's nice just to go in here and say, hey, what tools do I use for that? With all the tools and everything that are out there, it's
just hard to remember everything, okay. So here we go, onward. So if we go back into the PowerPoint, I'm losing my links. Bug bounties and education, let's talk about those really quick. So back into here: bug bounties. What are bug bounties? Bug bounties, if you don't know, are public-sourced bug hunting. So it's like doing a web app pen test for a customer that says, hey, you can hack me, and if you hack me I might give you some money; basically how it works. So there's a few big players: Bugcrowd is one, HackerOne is also a big player. The Synack Red Team is a little bit more private, but you can apply to be in there, you could do a test to get in, and if you're good enough you get in. And then there is this website, Guru99, that listed the top 30 bug bounty programs. So if you look at this as well, most companies have their own as well, so Intel, Yahoo, Snapchat. So you might find these on like a Bugcrowd, but you also can go to their website and look at some of the information that they have out there and do testing for these companies.

So other than that, really quick shout-outs on the education front: eLearnSecurity Web Application Penetration Testing version 3, this is a fantastic course, okay. It's under courses, Web Application Penetration Testing, awesome stuff, great materials. Look at all the lessons, it covers them, if not all, of the OWASP Top 10. I took this course, I am a high, high advocate of it, so I love it, it's great. I don't know the pricing... the pricing right now is anywhere from a thousand to 1,400, but you're realistically looking at 1,200 to 1,400 bucks. If that is too expensive for you there are alternatives. PortSwigger, who makes Burp Suite, has come out with a Web Security Academy. If you go to portswigger.net/web-security, look at the topics that they're coming out with on the side, and they are introducing new stuff all the time. So SQL injection, cross-site scripting, cross-site request forgery, XML external entities, SSRF, right, so all this stuff
here, nice, really nice stuff, free lessons. Bugcrowd is also coming out with their own free stuff as well, so all the major platforms are starting to come out with this free training. And if you come through here, if you have money and you have an employer that's willing to pay, the GWAPT isn't a bad certification either. It really looks good on a resume. I don't know if it'll get you fully web app pentesting after doing it, but it's a decent start. But these run about six grand, so that's really, really expensive. On the other hand, if you do like a work-study and this is something you're interested in, then you can do a week's worth of work with them and they'll let you buy the course and the certification exam for like 1500 bucks, so that's an alternative as well. Last but not least, a classic, okay: The Web Application Hacker's Handbook. This is really old, it's from 2012 I believe, and people will say it's dated. It's dated, yes, but at the same time it is relevant. Even though it's seven years old or whatever, it's still relevant. Web app penetration testing concepts don't change that much; many of the flaws that were there a long time ago still exist, and the methodology still exists. This book is still very, very relevant, okay. So that is not an all-inclusive list, okay, that's not all-inclusive at all, but it's a good start, and this is really just a good-start resources list to get into web application bug bounties. I think bug bounty hunting is good for practice. I also think that if you're curious about an exploit, say like XXE, what I would do is Google "XXE bug bounty write-up" and just look at all the write-ups and the methodology and the tricks that people use when they were doing bug bounty hunting. Same thing with a web app pen test: if I see something weird, chances are somebody's also seen that and possibly reported it through a bug bounty site, and that has helped me before when I'm doing actual client work, to refer back and say, yeah, this is
screwed up, or no, it's not, you know, they wrote it off, it's nothing.

So, all right, some quick notes before we start. Please only use the information learned in this course for ethical purposes only. Also please take notes. If I'm going too fast, you can feel free to ask me to slow down or show something again. It doesn't mean that I'll be able to, but it does mean that I am watching the chat when I can, and I will do my best to go as slow as possible and show everything. We've got a lot of information; tonight's gonna actually be really chill, we're just getting set up. All we're going to be doing is we're gonna be testing against a public platform and we will be doing enumeration. That's all we're gonna be doing tonight, it's enumeration. Enumeration deserves, in my opinion, six weeks of teaching. I'm not going to; I'm gonna do it for one week, but that's how important enumeration is.

All right, so I'm gonna take a drink of my coffee here. Let's talk about the important steps here, okay, the five steps of hacking. So this is important and I mentioned this before. So we've got five steps of hacking. We've got reconnaissance, okay; reconnaissance is like information gathering, and there's two types of reconnaissance: there is what is considered active reconnaissance and passive reconnaissance. Now typically stage 1 of reconnaissance is passive. Passive means that we don't actually go out to a client site and touch it or scan it or do anything with it, okay; we're gathering information from Google or public information that's already out there, so that we never have to physically scan a website. The second that we go into active reconnaissance, we start moving into scanning and enumeration. So we gather information with reconnaissance. What are we looking for? We're looking for possible subdomains, any kind of interesting files that might be out on the web. We want to do a WHOIS and make sure that the client we're testing is actually the client that we're testing, because sometimes they
give you the wrong IP address or wrong information; happens all the time. On top of that we might want to look through breach credential dumps, right, and see if we find any information there for passwords or anything like that. So very interesting stuff; we'll cover a lot of that here in just a little bit.

So on top of reconnaissance, the next step is scanning and enumeration. We will cover some scanning and enumeration tonight as well. So scanning, when we're talking web apps, we're talking about using like Burp Suite's active scanner, which is part of the Pro plan; we're talking about using nmap; we're talking about using tools like Nikto, okay. Scanning goes on and it looks at the website, looks for some sort of vulnerabilities. We look at what kind of information is available to us and then we enumerate it. We look for services, we look for all kinds of information, right? So the more information that we can gather about this, the better off we are as hackers, right, as penetration tester professionals. The best penetration testers are the people that can enumerate, have good patience and are willing to dig deep when nothing is there on the surface. This is what we are after, okay. This is the most important. Gaining access, all that other stuff, not as important. Yes, it's fun to exploit, but you're not gonna get to the exploitation unless you scan and enumerate properly.

So on top of this, the other three stages: gaining access sounds just like you think it is; we consider that the same thing as exploitation. So gaining access, exploitation, same thing. That is when you run an exploit against a potential vulnerability and you leverage that to gain some sort of access. Now in network pentesting that typically means a shell. Same thing with web app: we can be talking about like RCE, which is remote code execution, if we can leverage a shell that way; even gaining access to a user account or gaining access to an admin account, it's all gaining access, okay. The other two steps are maintaining access: how can we
maintain that access? How do we, say if we're doing a network pen test, how do we stay on that computer if they turn it off, or if they take it off the network to go home because it's a laptop? What can we do there? So the idea of that is how do we maintain access until we are done with it, and then when we are done with it we are going to do covering our tracks, right, that's deleting log files, making sure that nobody else knows that we're there. In this course we are covering reconnaissance, scanning, enumeration and gaining access. That is it for web app pentesting; that's all we're going to need in this course, and everything is going to be done through Juice Shop.

All right, so let's look at the next slide here. So let's talk about reconnaissance, and we're almost done with PowerPoints, I promise. So with passive recon we need to do target validation, right? Like I said, we need to know the WHOIS, the nslookup, DNS recon. We really just want to know for sure that the target we are attacking is in scope, it's the one the client gave us. There is a great podcast out there called Darknet Diaries, and if you've ever heard of it... he's a cool dude, right, he had a situation where he pen tested the wrong company, that was almost identical to the other company he should have been pen testing. Great episode as well. So it's very, very important to listen to and/or make sure that you're validating your targets, so that's what the WHOIS is for. When we're talking bug bounties, we don't need to really do that because the information is on the web; they posted it, that is what they're saying, so just make sure that you're following the directive that they give you. On top of that, finding subdomains. So you can do some Google-fu to find subdomains, you can use a tool called dig, nmap can find subdomains, Sublist3r is my go-to, this is my favorite, there's a tool out there called Bluto which has kind of been iffy for me lately, and crt.sh is pretty good as well, etc. We'll talk about why we're after subdomains,
but importantly what it is is, say you have google.com, okay, and then you're looking for interesting subdomains, because maybe we don't want to stop at google.com. What if there's a dev.google.com or test.google.com? Maybe there's something that they put out there that was just for a dev environment or an admin environment, or something that they were trying to not have publicly available, that they left kind of vulnerable, and we can find that and maybe leverage those attacks. So somebody asked if nmap is active scanning. Yes, nmap is active scanning; nmap in terms of this situation is active, this is correct. Google-fu is not, dig is not, Sublist3r is not, crt.sh is not, okay, and that is... so good call on that.

Fingerprinting: so this is where we start to kind of get into the active-ish area. nmap can do fingerprinting, a tool called Wappalyzer is very nice and can do fingerprinting, WhatWeb does fingerprinting as well, BuiltWith is a website that we can use to do fingerprinting, and netcat can actually be used to do fingerprinting as well. So some of these are active, some of these are passive. Wappalyzer and nmap are active, WhatWeb is active, BuiltWith is passive, and netcat is active, so BuiltWith would be the passive one here. Lastly, data breaches: Have I Been Pwned or similar lists. This is one of the best areas, especially if you're doing network pen testing, but it still holds true for web apps as well: looking through breach data lists and looking at some cool tools that are out there to utilize the passwords and information that have been given or have been dumped in breaches, like say the LinkedIn breach. This kind of information can be used later in attacks. There is a great website that I discovered actually a couple weeks ago that I'll share with you guys. Before this I had written my own tool; at this point I think I'm just gonna use the website from now on, like my tool is okay for what I need, but the website's so much more comprehensive when it comes to real pen
testing. So I'll cover both of those as well, okay.

So let's get into some hands-on stuff. So we have a task here. Our task is going to be: we have been asked to gather information about the company irobot.com. Let's take a look at some useful information gathering tools and see what we can come up with. That's the end. Now we're gonna say, why iRobot? Well, if you go to bugcrowd.com/irobot, that is why. Okay, so if we come through here and we're looking at some interesting stuff, right, so we have to look at the targets in scope. This is important, okay. So we've got store.irobot.com, www.irobot.com, they've got some iTunes for the iOS and the Android Google Play Store, so the web app as well, and you can test your own iRobot, okay. Out of scope is only homesupport.irobot.com and irobot.in, so we cannot pen test against these, do not try it, and we'll talk about that here in a little bit. So from here there are a few things we need to do, but if we look at this, there is no wildcard here, like a wildcard or asterisk irobot.com; that would be out of scope. So that means... not okay, we have store.irobot.com etc., www, but maybe there's a dev.irobot.com, right? So there's a bunch of tools that we can look at and gather information here. So let's take a look and just look at some of these tools.

First things first, I'm gonna open this up. Now the first tool I want to show you is going to be Sublist3r, and then we'll take this a little further. So if you google Sublist3r, and it's already in my search history, but you go like this, Sublist3r with the three as an E, you're going to see that we have this GitHub here. Go ahead and click on the GitHub. Let's bring up the screen for a second, see how we're doing, okay. The YouTube is so many people, I have to bring it over. There you guys go, awesome. So don't know why it's not working for me; I already have it installed. If you guys can get to this domain, that's absolutely fine. Make sure I'm actually getting out to the web, I am. So if you need to copy this GitHub
domain, it's right here. All you have to do is... I put mine in the /opt folder, got some tools in here, I thought I did, okay, it's in the root, I lied. So we go into Sublist3r here. So if you need to, just git clone on this address here and you should be able to pull down the Git; you actually have to go in there and clone it though. So from Sublist3r, if we say ls, we've got the sublist3r.py, and you say python sublist3r.py and then all we have to do is say -d for the domain we want to target, and what are we going to target? We are going to target irobot.com, just like that, okay. People are saying that it's in the apt repo now; I did not know that. So if you do apt, apparently apt install sublist3r should work. Clearly I'm having connection issues on this machine, so let's go ahead and let me switch over to this machine here, make sure I can actually reach out. I think I know the issue; we'll just use my main pen test machine. So we can do apt install sublist3r again, there we go, that's actually working. So instead of running sublist3r.py we should just be able to use sublist3r and it should work fine, okay. So the reason I'm having this issue, in case you guys are curious, is one machine is NATed, this machine is NATed, this machine is bridged, so I have issues with NAT, but the bridged machine is always constant. So, okay, Sublist3r, we do a domain. If you ever have a question on what you're doing as well, you could just type in sublist3r, usually it'll give you some information; -d is there, or --help tells you a little bit more as well. So we're just gonna do -d for the domain, we'll try irobot.com, and that'll work. Now take a break here, grab a drink and answer questions if I see anything worth answering, okay. And this just takes a second, and this is one way to do it. So we'll look through this way; there's also other ways to do this. So if we take a look here, let's see what I've got open. I'm gonna quit my tabs, oh it's just dogs anyway, I was using this form, I was
trying to find a dog to do an upload, okay. So if we go to crt.sh, or yep, C-R-T dot S-H, and we can look for... could do a %.irobot.com, the percent is a wildcard, and we do search. Nothing came up because I typed in iRobot incorrectly; irobot, there you go. You do not have to provide API keys for Sublist3r, it's fantastic. Okay, so you see a lot of overwhelming information that comes through here. This is great, look at all these: Robo Pro irobot.com, educate, education, edu, Robo Pro, TRP-VPN irobot.com, that's interesting, Active Directory Federation Services test environment irobot.com, VPN, DE irobot.com, autodiscover, legacy, webmail. These are all very interesting subdomains. Meraki, my, JIRA. So not only are we pulling off information here about what type of subdomains they have, we're finding information about their internal network a little bit, right? Look, they've got Active Directory running, okay; they've got autodiscover, which tells us they've got some kind of Exchange environment. You come down and you see that they've got a Meraki in their network. They're using JIRA, my Citrix test, okay, they're using Citrix, so they're using Slack, like slack.irobot.com, single sign-on down here. So we find a lot of information: Zoom, AWS, GitHub. So this is just getting juicier and juicier, right? We're not going to attack any of these, by the way, so don't get your hopes up, but just know that they're interesting. Now this is gonna take a little bit, so we're looking here and we could start navigating to some of these. Before we do that, let me go ahead and let me actually move this, let me blank my screen for a second. I just don't want to show any kind of confidential information before I close out on my Burp Suite. Do-to-do, I'm gonna load up Burp Suite Pro really quick and also pull some information down. Close temporary project. All right, I've loaded Burp Suite, let's give that a second. A little more, looking for OneNote guys, OneNote, okay. So in Burp Suite, a couple things that we can
do: so the old-fashioned way here is we can go into preferences, and you can come down to, actually, just scroll down in your preferences in Firefox, and you go to settings and you can configure your proxy manually. You can use the settings here; I'll give you guys a second to actually write it down if you're interested. What we're looking for is the 127.0.0.1, and also we're looking for the 8080 on the port by default, so we're after both of those things, okay. So the other way to do that is to actually install a tool called FoxyProxy. So if we cancel this, I have this tool here called FoxyProxy. All you got to do is google FoxyProxy and then go to the install. So if we say FoxyProxy, and I'm already in my Burp so it's picking that up, let me turn that intercept off. You go to FoxyProxy, you can add on the Standard here, okay. And yes, you can follow along with most of what I'm about to do with Burp Suite Community, so don't feel obligated to have to be a part of what I'm doing with Pro. But anyway, you can go ahead and just hit the install that would be here; otherwise we should be good to go. So what we can do is, if you saw in the initial request here, we did get our intercept. We can intercept one more time, and you can see now that if we come over here there's an intercepted page. So what we're doing is we're intercepting a request. Now if you're not familiar with GET requests or POST requests or different types of HTTP methods, I do encourage you to look those up because they are super important; otherwise we should be okay here. We'll get into method testing at some point in this course, I'm sure. So anyway, we're intercepting requests; we can come in here and change this request, we can make this a PUT if we want, we can do a lot of different tampering. We're not after that yet, we're just doing enumeration, and really what we want is we want to go out to the irobot.com site, and this is a little bit of passive versus active, right? So this is a little bit of active
enumeration. Now we come out to irobot.com; if you look in the target, a lot of stuff is coming up, look at all of this, all these websites that interact with iRobot, we've got a bunch of them here. I just saw a Facebook pop up, so they've got a bunch and it's just gonna keep coming through. So we can actually go through and we can just do the iRobot and add this to scope. So I will show you guys that: if we just right click and add to scope, and then we'll say yes, and what we can do is we can just show all of the in-scope items, and look what happens, it takes the rest of it away, okay. And then, so what else we can do is we can do something a little bit better than this. What if we go to the scope and we use advanced control instead, and we say add; we'll do any, any, on this protocol, a host or IP range, port, file. So on the host range, what if we did some regex? What if our regex looked like this? I'll give you guys a second to copy it, okay. So we've got a period, asterisk, backslash, period, test, backslash, period, com, dollar sign, right: .*\.test\.com$ So we're using that for scope. So now instead of www, what if we just come out to iRobot? We can also add in the iRobot as well. So... and I also know that should be good, if it wants... actually, hold on, you guys said you're annoyed by the alert so I'll turn the alerts off, see if we can fold in. And I used test.com, which is fine, I think, showing up because I'm an idiot. So it's gonna look like this: .*\.irobot\.com$ okay, period, wildcard. I can actually paste this in the chat, this might actually be helpful. I'm losing my mind tonight, I'm on very, very little sleep. There you go, let's try that, okay. Look, why are we changing the scope? Because if we didn't change the scope, the only thing here would be irobot.com, www.irobot.com, okay. Because we have changed the scope, we now can start seeing other things like store.irobot.com, okay. So now we get all the items in scope. Now we do know that we want one of them not in scope, right, and what was that that we don't want in scope? If we
come back to let's go to bugcrowd I'll go to iRobot we don't want in scope this home support so we can open that in a new tab bring up this home support here and then we can just remove this from the scope and we won't ever see that again though we don't have to test it I am drinking coffee somebody did notice that good call so let's check on our sub Lister okay so blisters come back now if we look at sub Lister look at all the stuff oh man they've got Jenkins we know Jenkins JetBrains a lot of stuff here it's iced coffee why wouldn't it be in a glass so keep coming through all these things API - iRobot so we can do like a DFS or maybe SSO or whatever else is there paste and go see if that works if that doesn't work we could do was SSO - iRobot comm something along those lines ok and that brought us to a DFS so a DFS right we just brought that up and look you could see when we actually go to a subdomain they start showing up in here as well so we can sign in to the site they've got all the other lists of sites that they have available for us to sign into as well proof point Oracle cloud cute s rally dev ringcentral so if you look at all these they've got WebEx work day work front so yeah and some people are asking the different the different colors here right so if we've actually access to site or bent on it or burp has touched it it'll be black if it is gray it means we haven't navigated to it but it knows about it through another website that we've encountered so at this point we've been to couple right in the store automatically populated here so anyway what are some things that we can do and what's nice about Burke as well is if you come through here you can see that it starts like lighting up with these little little orange here so it says hey strict Transport Security is missing this is just a header miss configuration so it's saying HSTs is missing if you read about it you can read about the strict Transport Security protocol down here and what it should be 
set to if you read the advisory blah blah blah right so it gives you some information on this and we didn't even do any scanning this is just basically touching the website same thing with this cross site scripting filter miss configuration they probably just don't have their cross-site scripting header in there they're finding some cookies without flag set probably not the login cookies because we haven't logged in so these are really nothing we're gonna be worried about at the moment click jacking is off too so it looks like they really don't care about their headers we can also do a proof-of-concept on that we can go to a website called headers io or headers comm I think might be security headers if this is a porn site I'm so sorry security headers that IO I believe okay and then we can go irobot calm and they get a big old F okay so it tells you this is nice when you're doing a pen test to is it tells you here what's all missing and these are recommended security headers that should be on a website so if we're doing a pen test we would identify the missing headers that they have and put this in as like a low finding so this is something to be looking for but nothing we're worried about at the moment but just something as to relate to what we're seeing in here this wouldn't be any kind of finding on a bug bounty or anything this is very very low finding but it is the finding okay so on top of that we could do so we're pulling in information here right and one thing that we can do is if we right-click say on iRobot itself if we actually drop down we could see all the pages that it's pulled up we could in fact do a scan against the site if we wanted to and now we could crawl an audit or we could just crawl now crawl used to be what is called what was called spidering in spidering I like spidering better than this crawl feature for whatever reason I don't like this audit means that is gonna actively start trying to attempt exploitation against the website and it 
does a vulnerability scan as well we don't really want to do that at this point we could just crawl it and see if it finds anything of interest if you come over to the dashboard here you can see that it's starting to crawl it does take some time you'll start to see that you see them going from grey to black they're lighting up here that's what we're looking for - it's crawling all these websites that knows about it's finding things like the robots.txt and we can look at the robots.txt and see what's in there so it looks like they're hiding images slash home support and HRD right rail for whatever reason if you're not familiar with what robots.txt is this is telling the like a search engine or a spidering like Google for example when Google spiders web site it comes to iRobot like we're doing and when it says robots.txt it says hey don't don't include this in your search engine please so and you see new stuff coming in so we come through and this is going kind of ok speed we can click on the Settings tab here and what we could do is go into the resource pool and we can create a new resource pool now you got to be careful with this but I like to set it at 100 and just see if it starts airing out I'll pause it and I'll set it slower but if you have the resources available it's better because look it's starting to go a lot faster than what it was doing so I'm pretty sure this is a feature that is available for for free burp suite now if we did the active scam if we go back in here and we do the audit selected items this is not a free feature on top of this there are if we go into the extender up here in the top corner there is the App Store the App Store is a wonderful beautiful thing you can come in here such as a tool like this active scan + + ok active scan + + is an additional to the active scan that we can run that's the vulnerability scanner it looks for more stuff retired je s this looks for vulnerable JavaScript libraries right so you want to look through some 
of these and add these in if you can additional scanner checks etc you know this is nice to have these extended tools you do not have that option with burp suite regular you have to have burp suite pro so and as it's looking it's still identifying stuff but again we're not we're not doing any active scanning so unless I find something crazy you're probably only going to see header information in here as to what it's seeing and what's possible okay so this is all all fun useful information there are a lot of other tools that we could use to help identify website like let's go back to iRobot and if you see this tool I have right here this is called WAP eliezer waa PPA lyz ER all you have to do is google apple Iser and install it to your firefox instance one of the must-have tools if you look here it tells us a lot of information of what's going on on the site it's got the CMS information of site core it's got widgets it's telling us hey this is running on a Windows Server and we're running on is 10.0 so this is a little bit of information disclosure my guess is if we looked at a response header from the website that is yeah look right here see this server is ten point oh it's telling us right here what the the server is is is ten point oh you should not disclose your your information in your headers like this this would be a low finding on a pen test so this oh it's I'm hidden by overlay I'm so sorry guys let me let me take my ugly mug off so again here's the lap eliezer so i asked ten point Oh Windows server here you can see Google Analytics but back to what I'm saying is this server responds all we did was make a get request we said hey I want I want your web page I robot calm and in the response said hey here's all my information gave us some cookies right come through and it's got the whole HTML and everything else that's in here now we could render that web page if burps being friendly sometimes it is sometimes it isn't and doesn't look like this ones being 
friendly I think there was an issue with the version I'm on they've since patched it I've been using it on Windows and it's been fine but you can get the HTML as well but if you just look at the raw response right here in the header tells us what kind of server it is on a pen test I would ding this on a on a bug bounty they don't care this is too low of a finding but the issue here and what we're after is we're saying okay you're providing me information and while Microsoft is ten point Oh might not be vulnerable right now it could be vulnerable later and this is just a fingerprint right I'm fingerprinting this but it also tells me you're running you're running a Microsoft server most likely behind the scenes right so when I'm doing my attacks I'm not looking necessarily for PHP files I'm looking for ASP files aspx ASM ASM X when I'm doing my exploits or exploit attempts I'm not doing slash Betsie slash you know shadow or password I'm looking for boot ini so this just the little piece of information gives me clues on how I can narrow down my exploits when it gets later on in the show so this is why again fingerprinting enumeration is important but if we're doing a numeration on this we're after a lot of stuff right we're gonna Google IAS 10.0 and we're going to say hey uh is this is this vulnerable is is 10.0 vulnerable Google and Google will say yes or no and here's why site core is the site core vulnerable the same thing we'd come through here jQuery three point three point one underscore rjs this is kind of why we have these active scanners as well and look we're running on Azure here it's picking up platform-as-a-service is a sure so this is sitting in the cloud chances are very very highly likely if we got a reverse shell on this machine the we're not gonna be in their environment would be my guess this is probably in a DMZ but even better it's out in the cloud right so but we can see asp.net framework it's all coming together there's JavaScript as well so a 
lot of information to be had just from this another great website similar to this is built with so we can just say something like something like built with comm and we can do the same thing iRobot comm and you can see all the stuff that is running this is all fingerprint information right they've got the widgets here all the different widgets they use e-commerce functionality the frameworks they're using okay so there's a lot of information to be had here so if we're doing a pen test on a site like this we want to gather that information and keep it in our back pocket this is all very important stuff to have in our back pocket and then we can check on our scan see our scan still going it's got three minutes left it's made 5,600 requests and we're still going so other things that we can do now there there are some good good websites what I won't demonstrate but I will show you to an extent is this website that I discovered and it is called we leak infocomm now this site is pretty awesome let me blow this up just a little bit so if we come in here and we look at this so it costs two dollars for this site by the way two dollars for 24 hours access that's plenty of time you can come in here and you can do a domain so I can say at iRobot comm and iRobot comm it'll return anybody that's been in a data breach it'll return information about them it'll return possibly a first name last name the IP address an email tied to that domain etc and then we can just start really narrowing it down we could say okay Bob Smith it's part of this domain let's take that username and that password and let's try to log in somewhere like we have this sign-in page let's try to sign in with that username or password that's what's called credential stuffing we take this information here and we try to pass it along in credential stuff right on top of that we can we can try to do some other things now some more advanced stuff that I've tried is that I am so say I find Bob Smith okay and Bob 
Smith is part of this company or whatever and I want to search by his name okay so search Bob Smith I find who I know is him and I do this usually by unique names like you try to find a unique name and we say okay we found this unique person it'll show their personal personal email addresses as well so just because you don't find the domain you can find their personal email address look through all the dumps and see password similarities and it's a amazing another thing is too you could search by a hash say that you find a user and their hash hasn't been cracked you can actually search that hash and tie them to other email addresses and find information that way so what what happens is you tie an employee to their entire history through anything that you can gather start gathering information about them password reuse whatever it is it's only a matter of time before you find somebody who just added an exclamation or use the same password or whatever it is and you're able to log in to something that you shouldn't be logged into so this is this is more or less part of external testing now when I do when I do pen testing for a web app typically how I how I package it is I will sell the external pen test for that web app as well because you want to scan the server and make sure that there's no weird open ports or nothing's going on that you can't just hack into the the web server itself regardless of what's on 80 or 443 so as part of that I will do credential stuffing and password spraying and all the other stuff this is a fantastic site now in the past I had built a tool that did the similar thing and I still use it on a click like fly list and I'll I'll click on it real quick just to show you but this breach parts tool did the same thing it just came through there's a 44 gigabyte download that you have to download and it parses that list and you say hey at irobot com what's in here and then you pull down all the users and passwords and that's really what we're after 
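The correlation the stream describes (filter a dump to a target domain, tie a corporate account to personal ones through a shared hash, then look for rotation-style reuse like an added exclamation mark) is easy to script. The following is an added example, not the streamer's breach-parse tool and not weleakinfo's API; it runs offline over a constructed set of breach records. The addresses, dump names and the choice of SHA-1 as the dump's hash format are all assumptions made for illustration.

```python
import hashlib
import re
from collections import defaultdict, namedtuple

# One row of a parsed breach dump: a plaintext password and/or a SHA-1 hash
# seen with an email address in a named dump.
Record = namedtuple("Record", "email password sha1 source")


def sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed sample data for illustration only (no real people, domains or dumps).
SAMPLE_RECORDS = [
    Record("bsmith@example-corp.com", "Winter2019", None, "forum-dump"),
    Record("bob.smith.personal@mail.example", "Winter2019!", None, "retailer-dump"),
    Record("bob.smith.personal@mail.example", None, sha1_hex("Puppy#7"), "game-dump"),
    Record("bsmith@example-corp.com", None, sha1_hex("Puppy#7"), "saas-dump"),
    Record("jdoe@example-corp.com", "Spring2020", None, "forum-dump"),
    Record("random@other.example", "hunter2", None, "forum-dump"),
]

# Trailing digits and punctuation are what people bolt on when forced to rotate.
MUTATION_SUFFIX = re.compile(r"[\d!@#$%^&*?._-]+$")


def password_base(password):
    """Normalise a password to the stem people reuse: lower-cased, suffix stripped."""
    return MUTATION_SUFFIX.sub("", password).lower()


def domain_of(email):
    return email.rsplit("@", 1)[1].lower()


def records_for_domain(records, domain):
    """The '@target.com, what's in here?' query over a parsed dump."""
    return [r for r in records if domain_of(r.email) == domain.lower()]


def accounts_sharing_hashes(records):
    """Map each hash to the addresses seen with it. Plaintexts are hashed too, so a
    plaintext in one dump links to an uncracked hash in another. Only hashes seen
    with more than one address are kept, since those are the links."""
    by_hash = defaultdict(set)
    for r in records:
        digest = r.sha1 or (sha1_hex(r.password) if r.password else None)
        if digest:
            by_hash[digest].add(r.email.lower())
    return {h: emails for h, emails in by_hash.items() if len(emails) > 1}


def linked_emails(records, email):
    """All addresses reachable from `email` through shared hashes (breadth-first)."""
    neighbours = defaultdict(set)
    for emails in accounts_sharing_hashes(records).values():
        for e in emails:
            neighbours[e] |= emails - {e}
    seen, queue = {email.lower()}, [email.lower()]
    while queue:
        current = queue.pop()
        for nxt in neighbours[current] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen


def password_families(records, domain):
    """For each corporate address, gather plaintext passwords from it and its linked
    personal addresses, group them by stem, and flag rotation-style reuse."""
    report = {}
    for corp in sorted({r.email.lower() for r in records_for_domain(records, domain)}):
        emails = linked_emails(records, corp)
        families = defaultdict(set)
        for r in records:
            if r.email.lower() in emails and r.password:
                families[password_base(r.password)].add(r.password)
        report[corp] = {
            "linked_emails": sorted(emails - {corp}),
            "families": {stem: sorted(pws) for stem, pws in families.items()},
            "variant_reuse": any(len(pws) > 1 for pws in families.values()),
        }
    return report


if __name__ == "__main__":
    for corp, info in password_families(SAMPLE_RECORDS, "example-corp.com").items():
        print(corp, info)
```

In the sample, bsmith's corporate account and his personal address share the same uncracked hash, so the personal "Winter2019!" lands in the same family as the corporate "Winter2019" and the account is flagged for variant reuse; jdoe has a single password and no links. The families dict is what you would build a spray list from, and, as the stream says, only with written permission and with lockout thresholds in mind.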
So you can find a lot of information: similarities, you know, password reuse, the usual suspects, etc. Very, very good stuff here as well. Oh, okay, I need a drink, one second. Okay, so on the same front we can also come into here, and there's a website which I had pulled up in the other one; it's called hunter.io. Let me see if this is back to working. If we go to hunter.io here, you sign up for an account and you get like 20 searches or something a month. Let me see if I can pull up another one here; I just don't want to have to log in and everything. Okay, here's hunter.io. So let's say that we're searching for irobot.com; you see there are 71 results here, and you can see that it gives you the most common pattern of first initial dot last name, or first initial last name, at irobot.com. We see that to be true pretty much across the board. Then if I'm trying to get into their application through enumeration, this is one of the popular ways: you take some of this, and a lot of times you could pass this to, like, an Outlook server and see if there are valid usernames and passwords, and then you just start spraying these. You need to be very, very careful because you can lock somebody out of their account, especially if they're in Active Directory, so don't just go spraying and praying if you don't have permission; make sure that you're not spraying and praying without permission. Okay, so anyway, that is also a very, very good tool. This just gives us more information. We can go out to LinkedIn, we can look at employees at irobot.com, and we could say okay, I know it's first initial, last name, I'm going to add them to my list, and that's how you get a nice long list of users and credentials, or potential credentials, that you can find on them.

If there's somebody causing drama, guys, hold on a second, give me one second to open up the chat bot. Is there somebody in here? I don't have them in the chat, I can't ban them, no ban hammer, unfortunately, I don't see him in here. Okay, let's take a couple-minute break and just chat for a second. Do I lose my screen? No, that's weird. Chat for a second: any questions on what we've seen before I keep pushing forward or doing more? I just want to make sure everybody's up to speed. Am I always drinking coffee? No, usually energy drinks, but I'm really tired and didn't want to be too amped up. Thoughts on sqlmap on a production server? Be very careful, you might tip it over, but if SQL injection is in scope, go for it. Did I find these tools by just searching? Yeah, searching around, looking at other people's enumeration is how you would do it. Once you have those credentials, might it be fair to fetch the same info over all systems? Yes. Okay, only questions about this, guys. Has my 20 ATT been worth it? Yes, but that's what we'll ask in the AMA here in a minute; I'm going to come back, we're getting down to the AMA, we're not there yet. Does Wappalyzer leave a footprint? That's a great question. It's public information by just going there, so I don't think it's a big deal to have it on. Anyway, all right, I'm going back to the screen. Screw this VM, it's all jacked up.

So we come back in here, and we can do scanning against the website. Let's talk a little bit about scanning. We've been talking mostly about passive scans; we haven't gotten super active. With active, one thing that we could do is just run a couple of tools. One tool that I like to run is Nikto: you can say `-h` for host and do something like irobot.com. Now, in a bug bounty program, are you really going to find anything? Probably not. This is not something, again, for bug bounties that we want to do; what we're really after here is this in terms of a web penetration test. Let's see if it actually comes back with any information; it should be almost instant. Let me copy this and try putting the www in front of this one. There we go, boom, I screwed up. Okay, what's nice about this? Well, Nikto is a vulnerability scanner. Nikto will come through and tell us some information; it'll say hey, here's your target IP. I'll show you why this is nice here in a minute. It's got the SSL cert info; sometimes we find things like wildcard certificates and just note those in here, again just findings on pen tests, but still information that's useful. It's also going to tell us how our headers look: that same header information here, anti-clickjacking is missing, anti-XSS is missing, right, and the Server header changed to AkamaiGHost, however you say that, which suggests a web application firewall. Whew, we're up against a WAF. So we'd let this run in a real-world situation; we'd see if it pulls back anything. It's just doing some light vulnerability scanning; it's going to see if any of the frameworks or anything running behind the scenes is potentially vulnerable to what we're scanning against. Nikto doesn't find a lot of useful information if you're talking about bug bounty programs.

All right, so anyway, what we're going to do here too is, let's say that we want to scan this for SSL and look at the ciphers. Let's say we want to run nmap on port 443, and there's a script that I like: `--script=ssl-enum-ciphers`. And the URL... actually we won't, we'll just do the IP address that we have. Let's try that script real quick. And they did really well, look at that, that was fast too. So we're looking at the TLS ciphers that they're using. If we come through, I'll scroll back up for a second, this is something that we check when we're doing a pen test, the web app pen test. Okay, so I pulled the IP address with Nikto, we came back, and I ran this ssl-enum-ciphers script against the IP address we pulled with Nikto up here. Then you come down, you run it, and you check the ciphers; it gives them a grade between A and F, and as you can see, if you scroll all the way down to the bottom, their least strength is an A, so they're doing very well on the cipher front. Now, ciphers are incredibly hard to exploit; it takes a lot of time, it's not something that most people will ever do in their lifetime. It's just something that is valuable during an enumeration phase to report back on, and if they're using, say, if they're having Fs in their ciphers, okay, maybe that's an issue, right, like a big issue, and maybe there are other things that are wrong out there. If they're neglecting simple things like ciphers, maybe we have issues, right?

Okay, so other things that we can do: we can nmap the server to get fingerprints. We just nmapped the ciphers, but we could say nmap `-p 80,443` and we can do `-A`, something like this; we can paste in the IP and scan that way. This will take a little bit of time because we're running `-A` against this, but this just allows us to gather some more information. As you can tell, we have gone into more of an active scanning phase here. Anyway, on top of this, this is going to take a while; if we're talking about Nikto scanning, Nikto takes forever. Okay, and nmap, that's done already. So you see some information here on the SSL certs; it's pulling down the alternative names as well, that's cool. You can see the service version has changed here, invalid URL that we're pulling down, so it might be load balancing, I'm not sure what's going on here that's changing it. So we actually didn't really pull down a lot of information; we got the SSL cert, not too much else here besides our DNS, right, our rDNS, and a traceroute. Yeah, I wondered if all the people scanning irobot are going to freak them out too, but right now we're YOLOing it out.

So this is good. If we come back into here, say for example that we wanted to actively scan against this. You've got to be careful with active scans. Let's go ahead and do a right-click, Scan on irobot; this is only for Burp Suite Pro. Let's say Audit, because we already crawled it. All right, let's just say Audit. Now we can consolidate the items here: we can come in here and remove duplicates if there are any, we can remove items with no parameters if we want, just to get out of this, so that way we're only fuzzing things for, you know, SQL injection, cross-site scripting, and places where we can inject information into parameters. That brings us down to a nice list of four, and it's only off of a home page, it's not really going to find much, but we could active scan against this right now.

Let's talk about the proper way of doing this. This is not the proper way. If we're going to do active scanning, what we should do is go to the website, and when we're at the website we need to click around, we need to go to, you know, Accessories and anything. Now that takes us to store.irobot.com, but we really want to self-spider the site. Oh, I think I got banned from irobot, perfect. So anyway, you want to, yes, mapping, you want to manually map the website. Why we do that is we gather through here and we want to gather as much information as we can, because our spider is going to miss some information. The spider finds a lot of things that maybe we don't find, but at the same time we have to be the counterpart and help out here. Yeah, I'm not worried about the ban, guys; like everybody else is saying, it's perfectly normal, we're running a lot of traffic against their site. Okay, so with the information that we found and everything else, then we would start scanning it.

Now I'm going to throw out some caveats, or some please-don't-do-this. If you are in an application and, say for example, you have admin access, because that's how it works with pen tests typically, they give you an admin account and a lower-level account; say you have an admin account that controls usernames, you can create new users, delete users, etc. You go in there, you spider that, maybe you create a new user, maybe you delete a user, and you use that process, and that all gets stored inside of this; all those requests that you made will get put into here. Now if you run an active scan against those requests, guess what, it's going to repeat those requests, and you could end up deleting a whole database or adding a bunch of junk users; same thing with forms and all kinds of other stuff. Now, I made this mistake, I made this mistake not that long ago. And you know what actually probably tipped them off, guys? You guys are talking about the WAF; it's honestly the Nikto. Nikto is so identifiable that when we're talking about any decent WAF it's going to pick up Nikto in a second. So my guess is when we started scanning here it picked it up, you see it changed; honestly, that's what happened, so Nikto probably screwed us up.

Okay, so I will talk about the mistake I made just this week doing a web app pen test. I'm working on a client, a web app pen test, and they have multi-factor authentication, right? So I logged in, provided my username and password, I did my multi-factor; now the multi-factor goes to my cell phone. Well, I'm the idiot who did an active scan on the unauthenticated side, just on the login page, and it had my credentials stored. So guess what, I got like a hundred and something text messages at one time, because Burp Suite was going through and generating login, login, login, login, and yeah, tons and tons of text messages. So don't be like me; be very careful when you run an active scan.

And you guys are talking about being quiet, right? Everybody's talking about being quiet, and I'll speak on that as well. This is my belief as a pen tester: I am loud, and I'm intentionally loud. I want to know if you are going to see me in the network, or see me scanning your website, anything I throw at you; I want to know if you catch me. Awesome, you've caught me, we'll all tone down the scanning, we'll make it slower, we'll make it quieter. But if you don't catch me, that's something I have to report on in my report, and that will help us tune the SIEM, or tune your WAF, or tune whatever it is, to make it better, right? So I really am... everybody says be quiet, be quiet; you have to be loud, in my opinion. You have to be loud. People can disagree with that if they want, but how is the blue team going to get better if you're going in in pro stealth mode right away, when they can't catch somebody that is a beginning scanner or a script kiddie, right? So does Burp Suite actually throw in such dangerous queries? It's not the dangerous queries that Burp Suite is doing; it's mimicking what you've already done. So if you went in and deleted a test user that you created, Burp already knows that you deleted that user, and what if that user is just user ID 1, and then it tries user ID 2 or something like that, and then it just, you know, starts deleting people. You don't want that.

And look, at least on mine it lit up red that it found a vulnerable version of jQuery UI, 1.11.2. My guess is with jQuery it's probably some sort of cross-site scripting. I'm not going to dig into it; we're not going to get into any kind of exploitation against the public bug bounty on stream, but this is what lights up red, and we're not even scanning against this, it just picked this up passively, well, kind of actively, right, but it just picked it up without doing an active scan. It is from the Retire.js extension, exactly. And "there is no time in pentest engagements to stay quiet", exactly as well. Okay, this one request finished already on the scan, pretty quick; I don't think it pulled... it only did five pages, right, so you're not going to find a lot. We're unauthenticated, we didn't really crawl the website, we're doing bad, bad enumeration. Let's see if we're unbanned; nope, we're still banned, it's okay.

So really, here we're closing in on an hour and a half, and I'm feeling comfortable. All this is what we're doing, and what I'm showing you is just different paths and ways to get enumeration on a website, right? I think Burp Suite Pro is by far the most useful tool that you can have in your pen testing toolkit, by far. I have gotten bug bounties just because of Burp Suite Pro finding something that I didn't catch. So this will not catch everything; it will maybe catch 30% of what's there, and you are responsible for the other 70%, and you're going to see this as we go further.

My goal for us in this course, my homework for this course, is let's go out to the website. Let's see if I remember my website; let me pull up my Juice Shop here, if I can find my Juice Shop. Okay, also don't hack my Juice Shop, please, because then I'll just be sad. So if we go out to the Juice Shop app: welcome to Juice Shop, yay. Okay, this is the first time you see it. This is our application, this is what I want to pen test. What I want us to do, and what I want you guys to practice, is take everything we've learned today, everything we've learned today, and practice it again. Now you don't have to do Sublist3r against this, don't worry about that; you're going to have your own subdomain, nothing else is going to be here in terms of a subdomain. You can run it, but it's going to come off public information anyway, you're not going to find anything, right? What I want you to do is practice loading this in, coming in here and showing only in-scope items, coming in here and fixing your scope, right, saying okay, I want to do Juice Shop, so I'll go to the Juice Shop and I will put that one and only that one in scope, and then we just go from there. That's really what we're after: being able to scope our stuff. We'll work on intercepting with proxies, we'll work on Intruder and Repeater; you're going to learn all these different tools as we go. First things first, get your website enumerated. Come in here, click on some stuff, look at this, submit something, you know, just play around and see what you can see, and then get there. There is a scoreboard which you have to find, but if you're looking at it you can just find the scoreboard off of what I have. If we come in here it has all the different difficulties; you see there are 9, 10, 19, 21, 16 and 11. So we are going to go through these; it has all your challenges, and even some of these have little walkthroughs. This DOM-based XSS has a walkthrough, it's really nice; this is a very, very nice platform. So that's the homework.

I think I'm capping it here. The point I wanted to hammer down is the importance of enumeration: some basic concepts on how to set up your Burp and how to use Burp, how to do a little bit of scanning with Burp, a little bit of enumeration. Subdomain listing is super important when you're doing a pen test; tools like Nikto, tools like nmap, all of those are super important. There are also public resources out there like BuiltWith, there's Wappalyzer, there's a bunch of stuff, the weleakinfo, right. Like all the things that we covered tonight, I encourage you to go back and re-watch this and just see all the steps that you can do, and enumerate what you have here. Now next week what we're going to do is go into these difficulties, like I said, step by step; I'll hold your hand, we'll explain why everything is the way it is. So we're going to be covering cross-site scripting, obviously, here, and we'll go through these challenges and talk about them and why they're important. So I'm going to go ahead and call it there with one minute to spare, and I'm going to open up the chat, take another drink of my coffee, and we'll have the AMA if you guys want. Hopefully that was explained well enough; I was talking really fast because I wanted the information to get to you guys, so hopefully that was good. Okay, glad you guys enjoyed it, I never know. Yeah, I want iced coffee too, this is all melted. Hey, thanks Christian, I appreciate it. I should always talk this fast? No. Thanks guys. What distribution is best for a beginner hacker? That is my opinion: Kali Linux. You can also play around with Parrot, but I am a Kali fan all the way. How
long did the eWPT take me? Three weeks on and off, I think, maybe a month. I didn't do all the labs or anything. If you read my write-up on it, really, I knew a good chunk of pen testing. I still think it was a fantastic course to supplement on the web app side, but I went through it pretty quick. The thing that I liked about the eWPT: everything that they give you in the course is all you need for the exam, and that I appreciate. So they teach you literally everything you need to know, and it's fantastic. How does someone new to all this know what to be looking for? Just repetition, man, just doing this kind of stuff and soaking it all in, picking up a book, picking up some of these free lessons. This guide that I put up here, look, this guide will tell you what you're looking for. This information gathering will tell you what you're looking for: Google hacking, Shodan, right? Like this is some stuff where we even talked about Google hacking, where you can go out on Google and look for sensitive files or information; fingerprinting the web server, we did; looking for metafiles. I mean, there's all different kinds of stuff in here, which is where this PDF also becomes important, and I showed you guys this on a different one, but look at this, look how many pages are in here of just how to do this stuff based on this checklist. If you're a beginner... I'm past the beginner phase, I'm no expert by any means, but I still go to this. This is my go-to, dude. Trying to catch up. Can we get F in chat for PowerShell Empire? How did I go from finance to pen testing? A lot of late nights studying, a lot of late nights studying. For some reason the chat does not like the word "port sugar asher". Microsoft does not care; they used to have a pen test form that you fill out, now they don't really care, just FYI. They haven't cared in like three years, they expect it. It's always a nice thing to have a heads up and say hey Microsoft, we're gonna be pen testing, but they know, like somebody like iRobot's getting pen tested.

Yeah, so I said Burp Suite picks up 30 percent. So it picks up 30 percent, we have to do the other 70 percent, and I'm sorry I wasn't showing my screen: that's this, right, this checklist, this is the other 70 percent, manual enumeration, manual testing. Burp Suite scanner is nice for picking up some of the obvious stuff, and maybe it's good when you're looking over and glossing over and maybe you miss something, but the manual enumeration and testing is super important. I can't talk enough about how awesome this is. When I was talking earlier about SSL weak ciphers, how would you proof of concept? Honestly, I wouldn't. I don't attack weak ciphers; it's just not worth the time. I proof of concept right off the Nmap script, or Qualys does it as well, Qualys has an SSL scanner. Other than that, I mean, I'll just take a screenshot of that script, honestly. Are my slideshows available? They are not, but I will make them available in the Discord after this. "From the ashes that Empire rises, Covenant", exactly. We did not cover Shodan. If you need any links from anything you saw tonight, the links are in the Discord; the links will be up on the video as well. I take notes as I go. I use an application called KeepNote, it's fantastic. I'll note down any little bit of information that I think will help me, especially if it's information that's disclosed and I can write as a finding as well, like you saw that server header, the IIS 10.0; that's something that I would write up on a report as a low finding. What's the difference between a pentester and an ethical hacker? There really isn't a difference, in my opinion. Next lesson is a week from today, 8 o'clock. There you go, thank you guys. If you don't find a substantial vuln, that's good. Let me... I'm pen testing a website now where I'm not finding a ton, like there's some stuff in there, but some things that we want to look at is like can I
enumerate users, right? Can I enumerate users on, like, a login page? Does it give me a verbose error message? Does it say username/password, or does it say username not found, password not found? Like, does it tell us where the password's wrong? Then, when it says that, we know the user's good. Can I lock accounts out? What kind of information is disclosed? What kind of ciphers are out there? Do they have something like autocomplete enabled? You know, do they have default web pages or missing headers, like the cross-site scripting or the HSTS, stuff like that that we saw? Those are all like nice little low findings that can really help improve a security posture, and still you might not be finding anything crazy on the substantial side. Trying to catch up, guys, the chat is so far ahead of where I am. How did I get anybody to look at me? I switched into helpdesk and then I became a network engineer, and I got certifications along the way. It doesn't matter how much experience you have; it matters how well you can interview, and telling people that you don't know, being honest and saying you're willing to learn, is very, very useful in interviews. Honestly, you just got to find an employer willing to take a chance on you. Every employer has taken a chance on me and I've not let them down, and that's really what it is. The checklist has been posted in Discord, people; we covered this in the beginning. If you weren't here, it is in Discord. Manual testing and code review is where you find the juicy stuff; that is accurate. Can any individual hacking IT stuff require more than one GPU? It can if you want to do something like intense hash cracking, but I mean, my GPU holds up fine. I run into more IIS servers than I do Apache. I'd have to look for that salary list, I don't know where that's at this moment. I'll look for it; if you ping me in Discord, I'll find it. Do you need programming knowledge to become a pen tester? You need to have some programming knowledge. You don't have to be a programmer; you have to understand the code and what you're seeing. You don't have to have the whole developer background and mindset in order to be a good pen tester. I'm an i7 fanboy over the Ryzen, but either way, I use an i9 right now. You guys are asking about vulnerabilities: if it's in the OWASP Top 10, we're going to cover it. So you're asking about videos, it's gonna happen.

Somebody asked about the spraying and praying, the password spraying. That's a good question. So what we're doing is Outlook has an enumeration; they don't want to call it a vulnerability, but they have user enumeration. So there's nice Outlook tools, O365, out there that you can spray, even Metasploit. It'll come back and say hey, this user's valid or this user's not valid. From there you can narrow down your list and just fire away. Now some Outlook instances like O365 lock out after like 10 or 15; it's only a temporary lockout, 10 or 15 attempts. I have seen Outlook instances where they do not lock out at all. Where you gotta be careful is like the single sign-on, because that ties to Active Directory attempts, and then you could start denying service to so many users. You've got to be very, very careful in your password spraying and try to only password spray two or three passwords, or you're gonna screw up a whole lot of stuff. Too many questions, I'm gonna skip some of these, guys. I haven't done the G opt. How is Kali different? Google that question. I'm glad you guys are enjoying it, thank you guys. The 2080 Ti has been worth it; I did a lot of hash cracking last week and it was fantastic, very good speeds. Catching up, guys, I'm scrolling through some of these. If you're a student, is it worth dropping $400 for Burp? Only if you plan on doing like bug bounty hunting or trying to get that money back for it. How would somebody cut their teeth on a Microsoft AD environment? You can build your own for free if you have enough RAM to do it; otherwise Pentester Academy has a course for like 300 bucks or something that you can take with a lab. I think that's fantastic. You can do Offshore for 100 bucks a month, and Hack The Box, the Pro Labs on Hack The Box. You could read up articles as well, but obviously hands-on practice is gonna be better. How many weeks? So I anticipate this course being probably anywhere from eight to ten. Maybe three books on pen testing? I don't read books, man, I'm a video / hands-on learner. Somebody said Red Team Field Manual, I've heard good things. When's the next Overwatch stream? Whenever you guys want; I will stream Overwatch whenever you want. I did not go to DEF CON this year. Some links... the links that I showed earlier will be on YouTube as well. What SANS courses have I done? I have done no SANS courses, now the OSCP. OK, the GPEN, what's... they have an advanced GPEN, it's the 660. Look into SANS 660 after the OSCP; I think it's a good step up, just my opinion. I have 32 gigs of RAM; I do a lot of stuff, though, I've got all kinds of VMs running, everything going, I'm streaming, I need 32 for what I'm doing. If I've heard anything about the OffSec one, of course I've heard mixed reviews on the exam and the information that's learned in it, but I haven't taken it myself or anything; I just heard mixed things from people that have. Like I got a black badge at a con? Yeah, I won a wireless capture-the-flag earlier this year, that is correct. GPTX? That might be it. I don't like to read books, I'm not a book reader. What do I think of the Security+? I think the Security+ is a good exam, or a good thing to have if you're a beginner. It doesn't hurt to get you jobs; it's not useful once you're established in your career. Like, I won't renew my Security+, but if you're trying to work in government as well, the United States DoD 8570 government work requires the Security+. So if you're newish to the field I don't think it's a bad cert at all. MTX, you get out of here, sir. How do you pass getting locked out of the server?
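The login-page checks talked about earlier (a verbose error that says "username not found" versus "password incorrect", autocomplete left on the password field, missing headers such as HSTS), as an added example in Python; this is not code from the stream, from Juice Shop or from Burp. The user store, the response headers and the HTML form are constructed sample data, and the function names are my own.

```python
"""Login-page and low-finding checks. Added example, not code from the stream;
all users, passwords, headers and HTML below are constructed sample data."""
import hashlib
import hmac
import re

# Constructed user store. Passwords are stored as PBKDF2 hashes, never plaintext.
_SALT = b"constructed-salt-not-for-real-use"


def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {"alice": (_SALT, _hash(_SALT, "correct horse battery staple"))}
# Dummy hash for unknown usernames so both code paths do the same work.
_DUMMY = _hash(_SALT, "dummy-password-never-accepted")


def leaky_login(username: str, password: str) -> dict:
    """Vulnerable (the 'username not found' / 'password incorrect' case):
    the message alone tells a caller which usernames exist."""
    if username not in USERS:
        return {"ok": False, "error": "username not found"}
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(salt, password), stored):
        return {"ok": False, "error": "password incorrect"}
    return {"ok": True, "error": None}


def safe_login(username: str, password: str) -> dict:
    """Hardened: one generic message for every failure, and the password is
    hashed even for unknown users so response timing does not leak either."""
    salt, stored = USERS.get(username, (_SALT, _DUMMY))
    valid = hmac.compare_digest(_hash(salt, password), stored)
    valid = valid and username in USERS  # never accept the dummy entry
    if not valid:
        return {"ok": False, "error": "invalid username or password"}
    return {"ok": True, "error": None}


def reveals_user_existence(login, known_user: str, unknown_user: str = "no-such-user") -> bool:
    """Compare the failure for a wrong password on a real account with the
    failure for a made-up account. Different text means usernames can be
    enumerated from the login page: the low finding described in the stream."""
    real = login(known_user, "definitely-wrong-password")["error"]
    fake = login(unknown_user, "definitely-wrong-password")["error"]
    return real != fake


# Headers whose absence is a typical low finding (HSTS among them).
REQUIRED_HEADERS = (
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Content-Security-Policy",
)


def missing_security_headers(headers: dict) -> list:
    """Header names are case-insensitive, so compare lower-cased."""
    present = {name.lower() for name in headers}
    return sorted(h for h in REQUIRED_HEADERS if h.lower() not in present)


_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
_PASSWORD_TYPE = re.compile(r"""type\s*=\s*["']?password""", re.IGNORECASE)
_AUTOCOMPLETE_OFF = re.compile(r"""autocomplete\s*=\s*["']?(off|new-password)""", re.IGNORECASE)


def password_field_allows_autocomplete(html: str) -> bool:
    """True if any password input lacks autocomplete="off" or "new-password"."""
    for tag in _INPUT_TAG.findall(html):
        if _PASSWORD_TYPE.search(tag) and not _AUTOCOMPLETE_OFF.search(tag):
            return True
    return False


if __name__ == "__main__":
    # Constructed response headers, like the IIS 10.0 server header the stream mentions.
    sample_headers = {"Server": "Microsoft-IIS/10.0", "Content-Type": "text/html"}
    sample_form = '<form><input type="text" name="user"><input type="password" name="pass"></form>'
    print("leaky_login enumerable:", reveals_user_existence(leaky_login, "alice"))
    print("safe_login enumerable: ", reveals_user_existence(safe_login, "alice"))
    print("missing headers:", missing_security_headers(sample_headers))
    print("autocomplete on password field:", password_field_allows_autocomplete(sample_form))
```

The two login functions show the fix as well as the finding: `safe_login` returns one message for both failure cases and does the same hashing work whether or not the username exists, so neither the text nor the timing tells a caller which accounts are real. The header and autocomplete checks are the kind of thing you would run over your own application's responses when writing up the low findings the stream describes.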
You make attempts very slowly and over a course of time. Like, password spraying attacks work very, very well if you have a thousand usernames that are valid, because then I can pass Summer2019! to a thousand usernames and guess what, one of those is probably gonna pop. But if I only have 10 usernames, then my chances are really decreased, and I can only spray three at a time, right, and then I'm done. So you really have to make it a good three. I would rather spray three against a thousand than I would 10, so the bigger the company, the easier it is, in my opinion. Do I recommend taking the CEH before OSCP? Do not take the CEH, go directly to the OSCP, do not pass go. Yeah, eJPT plus eCPPT, good, exactly. Do I have any CVEs under my belt? I am NOT a reverse engineer or any sort of exploit developer, so no, the answer's a big no on that one. Thoughts on CCNA? Hey Burnt Toast, I have to reply to your email. Thoughts on CCNA: I think it's good, I think it's good to a point. I think it's good to help you understand basic networking, and it's really nice to have in a pen testing aspect; it's helped me in a lot of situations. A lot of people use Cisco and a lot of pen tests revolve around Cisco. I wouldn't go past that, because the farther you go into Cisco certs, the more pigeonholed you get into Cisco certs. I have a very good buddy at my last job who is a CCNA, he is CCNP, like CCDP or whatever as well; like he's got a lot of the CC-whatever certs, the second stage of it that's not the IE, and he got pigeonholed into a lot, even as a pen tester, into doing a lot of like security console assessments, config reviews, all kinds of stuff like that. You don't want to be that guy. CCDP, that's it. All right, I can breathe, I have caught up, kind of. "Have you been working with a company that buys probably exploit would know what it were"? These questions... All right, I'm caught up on chat. What's up? That was a long list of questions, guys. Sorry if I skipped over your question; I just took the ones that were of the utmost value. My domain admin streak is over, it is over, guys. I bragged too much, I have lost. Am I gonna try for the CISSP? I am NOT. My plan is to be a business owner; me as a business owner, I don't care what certifications I have. What's your opinion on doing the Network+ then the OSCP approach? I think that's fine, honestly. You don't have to have that much of a background in networking, just be comfortable. Like, do you know what ARP is? Do you know what a routing table is? Do you know, like, things like that, what a CAM table is? Do you know the seven layers of your OSI model? If that sounds foreign to you, you probably need some little bit of background in networking. When can you say that you know Linux? When you're comfortable in the terminal. Like, I don't know everything about Linux; there's a ton of stuff I don't understand. Just when you're comfortable navigating around, you know some of the commands, you get a little bit of bash scripting down and you feel comfortable, I think that's when you could say you know Linux, at least at the everyday user level, right? Do I use snmpwalk much? I like snmp-check, preferably; snmpwalk's okay, but I like snmp-check, it's a little easier to use.

What happened on the internal assessment? What happened: I ran into a situation that had none of the common attacks. LLMNR poisoning was disabled, there was no SMB relay, there was really no SMB in the network, no default credentials, good password policy, very small environment. So I ran into a big stone wall. I was very, very close; I had a really good idea that didn't pan out. So I ended up capturing some credentials doing some man-in-the-middle listening with Ettercap, but it really wasn't anything great. But what happened was I got logged into their company phone, and I was on the OWA in there; they have O365. The O365 password reset option offered a password reset phone call to the company phone, so what I did was I forwarded the company phone to my phone. But what was happening is the forward wasn't going through, because it's inside the network; the call was getting picked up by an auto attendant first that would then dial the line and then forward in. So you have to press a button to get to me, and there was no option for an extension, unfortunately. So unless I would actually have been able to hack the phone provider account, then that would have worked for the password reset, but unfortunately it didn't work. If I would have been able to password reset, I would have been able to password reset all the accounts and I would have had domain for sure. Very, very close. Outside-the-box thinking, though, and that's kind of what you run into when you're in an environment where there's not much going on. Do I ever do pen testing with the cloud? I pen test a little bit with the cloud nowadays. Do I see eLearn certs or other certs replacing the OSCP as a golden standard? I don't think so. Some big framework has to adopt eLearnSecurity for that to happen, and it just hasn't happened yet. I keep my fingers crossed; I think eLearn is the gold standard for the price that they have, but it just hasn't happened yet. Or OffSec, you know, could update their stuff; it would be cool if OffSec included Active Directory and updated material, I think top-of-the-line, honestly. Recommendations for learning bash: just Google bash videos, bash scripting, and there's a ton of stuff out there; even Udemy can teach you some of that. Oh, there's eight layers of the OSI model? All right, I'm on to you, Dante. I'm reading some of these; I got to skip a couple again, sorry guys. Quantum computing: I don't know enough about that to answer that. When I mention I want to be a business owner: so I own my own pen testing company now. It's just a matter of time; like I am a business owner, I'm just saying I will... I am a business owner. I don't care about what
certifications I have it's a matter if I think I could do the work and the client can do the work II W PT verse o SWE I'm still on the e w PT boat although the OS w he does have the source code review which i think is good II W PT does too but it's not as detailed I would imagine do you ever use fierce and just at yield stuff that sub lister doesn't I don't use fierce I'll have to check it out is it viable to make $1,500 in bug bounties monthly uh yeah I think that's a reasonable goal if you're working at it like do you have do you have 40 hours a week to apply to it because then yes I think probably you could get there I don't know how much time would take you starting from zero though it's everybody's different in how they learn you don't want to be a programmer but you want to be in computers cybersecurity you don't have to be a programmer in cybersecurity it just helps you don't have to be one just deal with certifications and find a job field that interests you do certifications and find the tools and stuff that you need to know based on job listings and just work towards that kind of knowledge you don't have to have the the cs degree to be to be hireable was it boy it was void if it was encrypted no it was not encrypted not that I know of do clients feel like it's a waste no well the client needed it for for compliance purposes so they had to do it regardless and there are some some findings that I had in there that is would be very valuable for them that it's going to improve they benefited a lot from being a smaller environment have they been a larger environment I think I would have been okay the eighth layer is a joke guys the layers a joke is owning a pentest company better I think owning and being your own boss is the best feeling in the world right like dirt nobody has to tell you what to do you can work when you want to work you can do whatever you want to do as long as your clients are happy and you're making money and you're happy what there's no 
better feeling I don't think it's boring at all you get to be a sales guy you get to be a marketing person you get to be a pen tester you get to wear all these different hats there's a lot of stress sometimes there's a lot of work but holy [ __ ] have I learned a lot it's been awesome in how do you prepare a laptop I've got a laptop checklist I sent it out I sent it out last week to discord but it's basically a sure VPN that it talks in - I already pee into that that VP my VPN in then I are TP into that machine and I test from there it's super super easy Open VPN connection and most clients don't care if you're on site some like that face to face what I'm doing sales calls I'll say hey do you want me to be on site and usually they don't want to pay for that travel it saves a lot of money if they don't have to pay for that travel so some are old-school and want to see you on site but a lot of people are just like hey shipped me a laptop I'll plug it in for you I've never done I owe t hacking to have a lot of people on my team I am a one-man shop do I want pen testers working for you yes I do at some point I would love to have a co-worker first things first I got to get a salesperson but I got to have enough money to pay a sales person so I'll be my first hire top three certifications I need to know more details on which which field do I play around with Ari and malware I don't I have purchased a course that have not used yet I will get to it at some point I'm sure do I need an intern uh not yet not yet I will say this and this is my friend told me this and I think it's a fantastic idea if you are watching and your company needs a pen test and you recommend me and you are interested in pen testing I will let you sit second seat and you could watch the entire pen test with me if you get your company to hire me I will do that if you get a different company and you recommend me to hire me I offer 10% on the revenue of that not not the profit the revenue so it's a quick 
way to earn some some easy cash too so good offers if you guys if you guys can get me a deal I will let you sit second seat you can have a whole week with me doing the pen test can you do a pen test or sysadmin drop out of college you can but I've only seen it done with with a lot of certifications or a comps I'd agree so you gotta be racking up those comps i degrees honestly or you got a rack up that the certifications that I meant to say sorry what do you think it's a proper time to start up I mean a proper time is when you feel comfortable enough to do the work you have enough money saved up and you think it could be successful potentially have some networking and some clients and information out there that leads you to believe you would be successful on your own for me the reason I stepped out is my old job there were clients coming to me or coming to my job to have me pen test them like they knew who I was and they said I want that guy to do my pen test but you know the job that I was working out there not offering any Commission on that they're just saying oh hey cool we've got this guy working for us that people know so I was benefiting them but I was seeing no benefit from it directly and at that point I was like well people know who I am and they want me to do the pen test why don't I just go on my own and do my been test so is it hard to find projects or clients it is it is difficult yes ibid very competitively I think so I I think that's a very good thing it's hard to drive traffic and it's hard to to get people I get a to people my website every week every day it's hard to actually drive that most of my most of my income right now is coming more from live training events or doing one-on-one training sessions and mentoring sessions I have a ton of those that I do the clients are sporadic about once every month or so maybe once every month or two but I've got a lot of bids out right now and stuff is coming through and it's doing it's doing really well any 
certs that you're doing currently I have the EPW TX that I have back-burnered I am doing the PT X right now I'm gonna do offshore with it and I'm just getting some some laughs advanced Active Directory stuff that I really into but top three certifications for pentesting all right we're gonna start we're gonna do beginner pen testing here top three elearn Security PTP number one offensive security certified professional number two and the sands G SEC number three I rank those based on this decision one is cost out of the three of those technically the osc P is the cheapest perfect sans is the most expensive elearn securities in between it's about fourteen hundred dollars right second doesn't have a practical exam elearn security does osep does the sans certification does not third how practical is the is the course how relevant how new is it elearn security course teaches internal and external penetration tactics fantastic you need that to become a decent pen tester osep only teaches external methodology and is more capture the flag like jisuk teaches more of external methodology as well G pen not the G set guys G pen and so with the cost and everything there it's kind of kind of expensive the other thing to think about is the HR capacity right so the elearn security nobody frickin knows who it is that's unfortunate OSE P is the golden ticket everybody knows that is that'll get you an interview an HR but you're gonna lack knowledge to get that pentest job the the G pen is the most expensive you're still gonna lack knowledge with it but it does it's somewhere in the middle in terms of where you land on an HR program it sans certifications are very valuable but I like the e learn security purely because of its ok on the cost it's got a practical exam and it teaches you relevant and modern attacks on both the external and the internal side so oh let's see for someone who barely getting by on easy machines I'd shoot for the e JP T before trying ok the easy machines on 
hack the box are like moderate machines on the OS CP just take the pwk you don't you don't have to have a JP TV for just do the pw k and get it over with honestly I'm so far behind on these questions guys I'm sorry do you get to critique me over my shoulder if you're watching sure absolutely what's up Stephen G hacker halted I don't know I saw that's in Atlanta right I saw there are free tickets I think there's something else going on that weekend that I applied for a speaking spot and I don't I don't think that I can do both is what it was or that it's somebody's in town or something's going on I don't know Java how would I make a Java course offer still stands at the referrals out of state or out of country back dooring antivirus is a much much later video to come at some point yeah you have to prepare yourself for not having work with for months like but you have to be able to supplement there's there's ways to supplement money Kobalt doing pen testing with cobalt doing 1099 work with other employers or however you need to do it doing bug bounties whatever you need to do to supplement the work while you're not finding clients same thing with live training sessions and one sessions I've ever trained Junior pen testers yes I have trained I've trained a lot of people the process is really about methodology a lot of juniors have decent methodology but getting that enumeration down and getting training them what to look for and then the internal pen testing is where a lot of junior pen tester struggle so how hard is it to start and maintain the the cost startup of a company and pen testing is very very cheap I think my startup costs for under five thousand dollars and that's including tools and everything else that I needed if you're paid 140 K and that's net salaried you have to pay taxes you have to pay taxes so I'll give you an example I was making a hundred and forty thousand if you take in the vacation time everything else that I was making in order to break 
even, and you pay more taxes too, I would have to make like 180 thousand dollars. I did that; if you watch the entrepreneurial series that I have, I talk about all that in that decision and, you know, how to calculate that. It's a lot more money; like the money you make now, there's a lot more fringe benefits that come out of that that you don't even realize. So you have to total up all this stuff that you get, including health insurance. You have to have insurance, you know, like liability insurance for yourself when you do these pen tests, so there's a lot of stuff that your employer pays for that you just don't realize. I think PTS is applicable for everything. I'm still far behind, guys. Hi Susan O'Keefe. Yeah, I saw it was in Atlanta; who was... I think Joe Gray was putting out free tickets. Internal pentesting is the most fun pen testing you'll ever do, I promise you. It does not get more fun than internal pen testing. Change screens here, okay, there we go. And here's the thing about internal pen testing versus external: so all this methodology and stuff that you learn in most of these courses, you learn the methodology and how to enumerate, but when you do external exploitation, chances are you're not finding a remote code execution on the external network. You might find a misconfiguration; like we've encountered Cisco, a default login on a router, before, and that's bad juju. But typically you're looking for some sort of credential stuffing, password spraying, leveraging phishing attacks to get into applications and then chain those elsewhere on the internal side, because the external side is hardened quite a bit. The internal side, think about it: it's like on the external they put up a fortress, but on the internal they have no doors. A lot of people don't focus on that internal aspect; it's the wrong decision, but that's really how it is. It is a bloodbath, it is so fun, it's really a joy, it really is. Do they pen test and
entertainment Wi-Fi systems on aircraft I would imagine that they do I I was interviewing for a military based pen test aircraft pen test before I got my previous job I obviously that's different with the entertainment Wi-Fi because it's military base but I would imagine all the major companies have their pen test team or somebody pen testing there their equipment aircraft pen testing yeah buddy it was in the middle of nowhere I forgot the base it was God California Oh Edwards Air Force Base it's like outside 40 minutes outside of Palmdale it's in the desert there was no towns nearby nothing nearby but they they did a $50,000 in training a year $50,000 in training they sent you to the Lincoln School they did a Ida Pro class with their people they did so much you got like two or three sans courses so I mean that benefit alone but it was like a 45-minute drive just to get to base I heard 30 minutes additionally once you're already on base so it really wasn't worth it and living in the desert Christian you're a funny guy lot of stuff coming through and if you guys if you subbed and I didn't say anything I'm checking now sorry guys action sub I don't know if I said thank you action I appreciate it buddy JD donated $5 I didn't see that come through either Thank You JD I appreciate that buddy thank you thank you thank you everybody what was your name on discord and why did I ban you is the question I had used other webapp Bowl and scanners I guess technically if we're talking nikto but professionally no I use burp easy path the junior pentest cyber analyst will be coming from a senior certifications man certifications and knowledge that's all you need in this field is knowledge if you can interview well that's all we want we don't have enough people but you have to have the knowledge and that's the issue is not enough people put in the effort to actually get to the level that they could be successful in this field there's a lot of people I I did the speech earlier but 
say it again, I'm gonna go on a rant. This field is for people who are driven, that like to learn, that want to learn something new every day. We are a very special kind of person. You have complacency on the lower level, the lower tiers; you see people in the same jobs for five years, 10 years. That is not pen testing. You get into pen testing, you find a little bit of complacency with some people, but most people are always learning, wanting to know that new exploit. This mindset is not for everybody. Pen testing sounds sexy, but when people try to get into it, they dive into it, they realize it's really hard and not a lot of people are cut out for it. So as long as you have the knowledge and you're willing to put in the time and the effort, that's all you gotta do, buddy, to become a pen tester. That's all you got to do. So Noodle, I checked on the ban list earlier and I did not see your name in it, so if it wasn't you and all that, you see, it was not in my list. Congrats, Drew, good luck on your first pen test. Anyone else see those lovely already-beat RDP vulnerabilities? Yes I did, that's gonna be interesting, the DejaBlue or whatever it was. Ah, go stop text, you were fighting with other people and causing a lot of [ __ ]. I remember now. Why should I unban you? Appeal to the court of TCM. Yes, don't have a big ego, that is correct. Why do I like Nessus so much? It's just good to give to a client, in terms of... it helps pick up things that Nmap doesn't pick up; it helps find and identify some things that maybe with version information or stuff that you just don't see right away. It's good for a quick review, like if you say hey, I want to look at all my service version information, I can just go look at that, or what ports are open, or what HTTP ports are open, where is the printer at, you know. It maps all that stuff for you and puts some nice little categories, and that's really useful. On top of that, for just providing that report on top of the report you write (we don't like copy the Nessus report), providing all the additional scan information as well is very valuable to the client. Yep, there's a lot of smarter people out there. Always focus on being the dumbest person in the room; always focus on being the dumbest person in the room. If you feel like you are the smartest person in the room, it is time to quit your job, move somewhere where you are the dumbest person, honestly. I have no opinions on Kevin Mitnick. Yes, I have my OSCP. When's the next lesson with the wife? The wife is going on vacation, going to visit her family for the next few days, so maybe next week, I don't know when that's gonna be. Kevin Mitnick was a fantastic social engineer, but... Catching up with all my emails. All right, I told you guys 10 o'clock, I'm still rambling on, it's 10:15. I should have an FAQ of my AMA, but those questions are coming from YouTube, unfortunately. Have I ever done RFID hacking? I've done RFID cloning, that's about as far as it's gone. I provide the entire Nessus scan report, every single item. The wife and I gonna be a pro pen test couple? I don't think so, she doesn't like pen testing. I wish I could switch to Overwatch; I think that would be too hard, to keep up a chat and play Overwatch. I do need sleep, absolutely need sleep, I got four hours yesterday. Looking to look into the boss cloner? It's two grand; you can build your own for about 500 and they teach you how to do it. Boss boner, you'll carry me? I need carried. What else? Catching up. I don't know anything about the HTTP denial of service. Universal income sounds like politics talk; I do not talk politics because I can only get myself into trouble. I think there will be a lot of automation in the next 10 years, yes; I still think there's always going to be a need for the manual aspect of jobs. No, no politics. I don't know what it means when a network's self-aware; I have no idea what you're talking about. All right, I'll tell you what, ten more minutes, we'll do ten more
minutes there's still hundred and eighty two of you in here you guys are crazy least favorite overwatch hero tala my teen oh god that's a hard question I don't know why this is so so difficult I don't know the answer to that I feel like it's a dps character like you can't go wrong with the tank and you can't go wrong with the healer and there's so many characters like if somebody could play that character well then I don't have an issue with it but there's there's complicated characters right like say like a Genji if somebody's playing Genji and they can't play them well right now what's driving me nuts is everybody's playing Sigma and competitive and nobody is good at Sigma and it it's sucking so bad oh god I am I am bad at doom fist a good a good doom fist can absolutely ruin a game for everybody same thing like you said a Hans get a Hanzo Hanzo built is alt so fast everybody's playing sigma and competitive right now literally everybody Reapers been annoying for like three seasons most favorite internet security suit what does that mean sweet suit what testing image is better to prepare yourself for proof ask hack the box lots of hack the box provost will get you there virtual hacking labs from what I hear as well give me an example of what you mean by internet security suite because I'm still confused when you say you know networking basics we talked about this a little bit earlier but like do you know what an ARP table is Kam table do you know the the seven layers the OSI model do you know what a routing table is do you know what the netstat command does nbtstat etc ipv4 versus ipv6 do you know how to subnet Borderlands 3 I am super excited for I got into Borderlands 2 maybe a year and a half ago two years ago and I thought it was fantastic and I was probably about 5 10 years out of that since its release it is such a good game I will play the hell out of Borderlands 3 I am a fan of the Windows Defender security suite if that's what we're going with cyberpunk 
2077 I'm looking forward to that as well are we just asking dumb questions ask them questions now I like the winky face though oh you guys have been awesome alright I've never played World of Warcraft never never for good reason because I'm afraid that I'm going to I'm going to like it if I like it I'll become be receiving that picture of Cartman on South Park playing World of Warcraft that's what I would become if I if I actually liked it so next week is hands-on juice shop I don't know much about malware analysis man I can't answer that question I'm sorry Google is your best friend though I've had no videos taken down from the policy no best way to learn Python develop a program try think of something you want to do it doesn't matter what it is just think of something you want to do and make it happen build it piece by piece it doesn't have to be great it doesn't have to function well but make it function and then once it's functioning make it better think of ways to improve it improve your logic right so think about it logically first how do you want the program to work what are your situations or their conditional statements or their loops and then from there just build out tiny pieces and there's always resources out there Stack Exchange or whatever it is will have resources available for what you want to do promise you Google is the answer for everything what branch of military was I in I was in the army that is that is correct they did have it taken down sure Susan you're a hacker an hour salsa or whatever your name is I was a 68 echo which is a dental specialist and then I was a 70 Bravo which is a health Abin officer I got to be on both sides 11:00 bang bang too serious ah would I say that education okay going from accounting to red team ops so I say education is irrelevant I don't think it's irrelevant I don't think it's necessarily necessary I do think that my having a master's degree has helped me get job interviews and has definitely helped land me 
jobs before especially my network engineering job it required a master's degree and I think I leveraged that job to get in the field of pen testing so it's a little bit of mix they're mixed feelings towards it I think that you can get by in the field of pen testing and even IT without a degree but I do think in a degree we'll put you ahead you have to weigh the ROI what's your return on investment oh you're gonna make more money with it is the four years worth it is the expenses you're gonna have to pay for it worth it so what you can or cannot legally do for practicing pen tests on public sites if you have a website that allows you to pen test it then that's in scope if it's not on a bug bounty program or doesn't give you explicit permission then you can't attack it that's that simple I got two minutes hobbies outside of pen testing or games sports I like watching sports playing sports basketball football all good stuff tennis great what else I like to play the guitar I like Tesla's those are cool I like to eat it's eating a hobby I think it is I have a fantasy football team I've been running for like 13 or 14 years actually that just reminds me I got to spin it up I don't think the tools change Keith I mean same same tools that are out there there's something else that I don't know about then I would google that but I think standard scanning tools work just fine beginner acoustic course uh you guys don't want that for me do I speak Italian I do not do you have a Tesla I do not do I run keeper picks no we don't Brady or went absolutely Brady what I master in I mastered in computer information systems and with that it is 10:30 I have survived your AMA so next week we're gonna get into starting to do some of this information gathering again homework homework homework get on juice shop and start a numerating it with all the tools that we did before I'm gonna expect you to have done that hopefully you found some interesting stuff maybe even get some points out of it 
there are some easy points up for grabs so we will we'll go from there I'll look into unbanning you noodle I'm I'm thinking about it we'll see yeah I am ready for sleep thanks everybody for watching thanks everybody for being here still have a hundred and forty people in here that is insane guys so thank you so much I appreciate everything so next week Wednesday 8 o'clock Eastern be there be square pieces bye guys