
HACKING

  


Hi guys, I'm from Master Programming


Welcome, all of you, to this ethical hacking blog. The keyword of this post is "ethical hacking course", but in reality it is just an expansive post on the fundamentals of ethical hacking. To be honest there is no such thing as an ethical hacking course, because no course can teach you a discipline like ethical hacking; the best that anyone creating content about ethical hacking can do is tell people about the fundamentals that are followed in this discipline.

Before we start, let me give you a general idea of the topics I intend to cover throughout this post. We are going to cover a pretty broad range of material. First we go over footprinting and reconnaissance, where you get an idea of what is involved in the ethical hacking engagement you are working on and gather information about the target you are engaged with. Then we talk about networking fundamentals, where we get our hands dirty with packets, understand TCP/IP at a deeper level, and look at how the different protocols work and why they work that way. We also talk about cryptography: the different cryptographic ciphers, web encryption with SSL and TLS, certificates (how they are created and how they actually operate), and public key cryptography. We cover scanning and enumeration: nmap, dealing with Windows servers, and using SNMP and LDAP and that sort of thing. Then we talk about penetration, where we deal with different ways of getting into systems, and go over Metasploit, which is an exploit framework: how to use Metasploit to actually get into systems and make use of the exploits it carries. Then we talk about malware: viruses, worms, rootkits and all of that, looking at the different pieces of malware and how you would pull one apart to understand what it is doing, and potentially make use of that malware during an ethical hacking engagement. We talk about the different types of denial of service (DoS) attacks, and the difference between a denial of service attack and a distributed denial of service attack, because there is a difference. We go over web application hacking: the tools you would use, the different vulnerabilities web applications have, and how to make use of those vulnerabilities. We talk about wireless networking: how to probe wireless networks, what they are doing, and how to secure them. We also talk a little about detection evasion, which, to be honest, comes up in a lot of the other topics. And we talk about programming attacks and how to protect yourself against them. So that is the set of topics we are actually going to cover.

The approach I am going to take is, whenever possible, hands-on: I am going to show you the actual tools I use and do some sort of demonstration of how they actually work. I am a big believer in getting your hands dirty as the best way to learn anything, so as we go along I strongly encourage you to get access to the tools I am demonstrating wherever possible, dig in, and get your hands dirty along with me. There are places where we are going to go over some theoretical material. I am not a big fan of PowerPoint slides, but sometimes they are a necessary evil in order to convey certain types of information, so wherever possible I will minimize their use; still, you will run across places where they are just a necessity and we will have to go through some slides in order to get particular, primarily theoretical, points across. So that is the process we will be following, and I hope you have fun along the way.

Okay, so let's begin. The first topic we are going to tackle is: what is hacking? Let us take a trip back to the early days of hacking. The Internet Engineering Task Force is responsible for maintaining documentation about protocols, specifications, processes and procedures regarding anything on the internet. They have a series of documents called Requests for Comments, or RFCs, and RFC 1392 (the Internet Users' Glossary) defines a hacker as "a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular". While the expression "hacker" may go back a long time and has had many different connotations and definitions, as far as computers go some of the earliest hackers were members of the Tech Model Railroad Club at the Massachusetts Institute of Technology, and the various things those people did and were involved in are detailed in Steven Levy's book Hackers. For our purposes we will be talking about other types of hackers, although the spirit of what we do goes back to those early days.

Now, the definition of hacking, or of hackers, changed, particularly in the 1990s, in part as a result of a couple of people. One was Robert T. Morris, a Cornell graduate student, who unleashed a piece of software called a worm on what was an early version of the internet; the worm went on to cause a lot of damage and create a lot of downtime on systems across the country and across the world. The Morris worm did end up resulting in something good, however: the Computer Emergency Response Team (CERT) at Carnegie Mellon
was created primarily in response to the Morris worm. There was also Kevin Mitnick, another well-known hacker, who was responsible for various acts of computer crime over a couple of decades; he was first convicted in 1988. So the definition of hacker, or hacking, moved from something benign to something far more sinister in popular culture. Now we see hacking and hackers all over popular culture: in the movie WarGames, in the movie Hackers of course, and in the Matrix movies, where if you look really closely you can see that they are using a tool called nmap, which we will get into in great detail later on; in the movies Sneakers and Swordfish; and on television, where among other places you can see the agents on NCIS regularly doing things like cracking complex cryptography in a matter of seconds or minutes.

So what is hacking, really? Hacking is about a deep understanding of something, particularly in relation to computers and computing. It is also about exploring, the joy of learning new things, understanding them very clearly, and being able to manipulate them in ways that maybe other people have not before. It is about digging into problems to find solutions in creative and interesting ways, and sometimes finding problems where nobody saw problems previously. That is a little bit about what hacking is.

Now that we have talked about what hacking is, how the meaning and connotations of the word have changed over time, and how it came into existence, let's go over the reasons that people normally hack.

You may want to hack just for fun. As discussed previously, hacking is a tradition that goes back several decades at MIT, even preceding the computer-related definition of hacking. MIT has a long and storied history of hacking, sometimes of a computer-related nature, which in this case happens to be true, and sometimes of a non-computer-related nature. For instance, here you can see that MIT's homepage has been hacked, or you might even say defaced, to indicate that Disney is buying MIT. This was an April Fools' Day prank in 1998, and it is just the kind of hacking you would do for fun.

Sometimes you might hack to prove a political point, or any point for that matter. In this case Bill Gates had donated money to MIT, which allowed them to put up a new building, and he was coming to MIT to visit and give a talk about Microsoft Windows and its systems. As you can see, the Windows systems installed in the entryway of the building were hacked to be running Linux instead, and Tux the penguin is saying "Welcome to the William H. Gates Building". Some students decided they wanted to make a point about Linux, Microsoft and Windows to Bill Gates, and they thought hacking was the best way to go about it.

Sometimes you hack just for the challenge. Here is another example from MIT, where some students turned the facade of a building into a Tetris game board. This was a reasonably difficult hack, and the students went after it just for the challenge of completing it, for the pride of ownership, and to be able to say they pulled it off. It is the sort of thing teenagers do to show off to other teenagers, just at a larger scale. In spite of the difficulty, the obstacles and all the planning that had to go into it, they pulled it off, and now they have the bragging rights. So that is one instance where somebody would hack just for the challenge and the fun of it.

Sometimes you want to hack to prevent theft, and this is where we get more specifically into computer-related hacking. You see a lot of articles and stories in the news about cybercrime, and here is an example of data theft: a report that fewer than one and a half million cards were compromised at Global Payments. Some attackers got into this company, Global Payments, and were able to pull out about a million and a half credit card numbers during the intrusion. So you may want to learn how to hack in order to find these holes in your systems, your applications or your employer's systems, so that you can fix them and prevent compromises like this from happening. Because of the reputation hit a company takes when things like this happen, it runs the risk of going out of business entirely; so just to protect your job, your company and the business you care about, you may want to learn to hack, and that is a very good reason. You may also want to find all the problems that exist in your system before putting it out and deploying it, so that you can keep attackers from getting in and stealing critical or sensitive information.

Sometimes you may want to hack to get there before the bad guys. This is the same sort of idea as the last one, and it is exactly what ethical hacking is. We were just talking about how you may want to hack your own system before publishing it to the public. Take Internet Explorer, for example: Internet Explorer was published to the public with critical errors in the code, and those flaws were heavily exploited by the people who found them. Now, a number of people in the world go out looking for these flaws; they call themselves security researchers, and they get in touch with the vendor when they have found a flaw or a bug and work with the vendor to get it fixed. What they end up with is a bit of reputation: they get a name for themselves, and that name recognition may end up getting them a job, some speaking engagements, a book deal, or any number of other ways you could cash in on name recognition from finding these sorts of bugs and getting them fixed. If you want to get there before the bad guys, you may be helping out a vendor or you may just want to make a name for yourself, but either way you want to find these bugs before the bad guys do, because when the bad guys find them they don't announce them and they don't get them fixed, and that makes everybody less secure.

Finally, you may want to hack to protect yourself from hackers, fight back against the people attacking your company, and fight cybercriminals. This is a news headline from June 18, 2012, and we are starting to see these sorts of headlines show up as companies begin to retaliate against attackers. In order to retaliate against attackers you need the same sort of skills, techniques, knowledge and experience that those attackers have, so your company may want you to learn to hack, or may want to bring in people who are skilled in these activities, so that they can push back on the attackers, end up with a steelier exterior, and get a reputation for not being a company people want to go after.

So there you go: I have given you a bunch of reasons why you might want to hack: for fun, to prove a point, to protect yourself, to protect a company so it does not go out of business, and a number of others.

Now that we have talked about why you would want to hack, let's move on to the types of hackers that exist. The first type I want to discuss is ethical hacking and ethical hackers, which is really what we are going to be talking about through the rest of these lessons. An ethical hacker is somebody who thinks like a black hat hacker, or like somebody intent on breaking into your systems, but follows a moral compass more in line with the majority of the population. Their intent is not to do bad things; it is to look for bad things and get them fixed so that bad things don't happen. Ethical hackers are not out to destroy or break anything unless that is deemed acceptable as part of the engagement and necessary in order to demonstrate a particular vulnerability to the organization they are working with. There is also a certification available from EC-Council, the Certified Ethical Hacker (CEH), and if you find certifications valuable and this sort of thing is what you want to do, the CEH may be something to look into.

Now let's talk about black hat hackers. There are plenty of cases of black hat hackers through the years; let's talk about one guy in particular, Kevin Mitnick, who is a particularly good example, probably because he was a black hat hacker for a lot of his years. His goal was to cause mischief, to steal where necessary, and to be engaged in the lifestyle of being a hacker, doing whatever was necessary to continue doing what he was doing, even where it crossed moral or ethical boundaries. Kevin Mitnick was involved in computer crime for well over a decade, was finally picked up by the FBI, charged and prosecuted, and eventually convicted of some of the activities he was involved in. You may be able to argue that Kevin was a grey hat hacker as well; a grey hat hacker is somebody who skirts the line between black hat and white hat hacking.

White hat hacking is really what an ethical hacker does, so instead of saying ethical hacker you could say white hat hacker; it is the same idea. A white hat hacker is somebody who hacks for good, if you want to think of it as good versus evil; they are in it for the technical challenge, looking to make things better, more efficient, improved in some way. The black hat hacker, on the other hand, is out for the money or the thrill; it is really criminal activity. The grey hat hacker is somebody who may employ the tactics and techniques of the black hat hacker but with a white hat focus: they are going to do things that may be malicious and destructive in nature, but the reason they are doing it is to improve the security posture of the organization they are working with. There is a book called Gray Hat Hacking; it is a pretty good book and it details a lot of the tactics, strategies and techniques we will be going over in subsequent lessons.

One other type of hacking I want to talk about is hacktivism, and you will find hacktivism all over the place. One example from the last year or so, certainly in recent memory, is LulzSec (yes, you heard that right, it is called Lulz Security). You can argue that LulzSec was a response to another type of hacktivism: the group Anonymous started hacking companies like Sony to protest Sony's involvement in a lawsuit against a PlayStation 3 hacker, and LulzSec was supposedly protesting the treatment of Anonymous, or hacking in support of Anonymous. They hacked a number of companies and did things like pull usernames and passwords out of the databases at those companies, and they said the reason was to shine a light on the security of those companies and to embarrass the ones with a weak or poor security posture. The problem is that they did this by posting the information they had found online, and that information often included details about the customers of those corporations. For an ethical hacker, a white hat hacker, that crosses the boundary into causing harm: there is no reason for me, as an ethical hacker, to post information about somebody in a public forum, because I could be doing damage to them. In this case LulzSec and Anonymous, and LulzSec specifically, were engaged in a form of hacktivism, and what they were doing was not only damaging to the corporations but certainly detrimental to those people. So those are the different types of hackers and hacking: ethical or white hat hacking, black hat, grey hat, and finally hacktivism; it is really the goal and the means that vary from one to the other.

Now that we have discussed the types of hackers, let's also discuss the skills necessary to become one. In this part we are going to discuss the different skills that are required, or that will be learned, as part of this post. Initially, just for basic computing, you need a basic understanding of operating systems and how to work with them. There are several fundamental types of tasks that I will not be going into in any detail at all: you need to know how to run programs and do things like open up a command prompt without me walking you through how to do it, so I am going to assume you have some basic understanding of those sorts of tasks. You also need an understanding of the basic system software, and a basic understanding of how to use command-line utilities. There are a number of tools and programs we are going to go through, and many of them use a command line, whether on Windows or Linux, so you will need to be familiar with typing at a command line, running programs from it, and the various command-line switches and parameters those programs, or types of programs, use. From a networking perspective you need a basic understanding of some simple networking concepts: what cables, switches and hubs are, and how systems are networked together. You don't really need a deep level of understanding; I will be going through some protocols at a reasonably deep level, because I think it is important as an ethical hacker to understand what is going on at the protocol level so that you know better what you are doing and how to achieve the goals and tasks in front of you. So we are going to go over some protocols, and just understanding what protocols are and how they fit together is what is necessary from a networking perspective.

We are also going to be learning a bunch of life skills. Yes, there are some life skills it is important to have. I think the most important one is the ability to accept failure and persevere, and by that I mean you are going to run across several things that just don't work the first time around, and it is going to take a little bit of time and stick-to-itiveness to plug away and keep going until you get something to work. The way you get things to work is by having the ability to problem-solve, and sometimes solving problems requires being a little creative: sometimes you need to think outside the box and come at a problem from a different perspective in order to find a solution. Throughout this post you are going to run across a lot of sticky problems in the course of learning about being an ethical hacker and doing the work, because it is not as simple as "here is a little recipe, follow this recipe every time and you are going to be successful". Every situation is different, every system is different, you are going to run across some pretty sticky problems, and you are going to have to get your hands dirty and keep failing and failing until you find a way to succeed. So I think those skills are very necessary in order to learn how to be an ethical hacker and to dig through some of the material we will be going over.

As far as what you are going to be learning: you are going to learn how to use a lot of tools. You are going to learn networking, and by that I mean we are going to talk about the different protocols involved in networking systems together. You are going to learn about security and security postures; security is the heart and soul of ethical hacking, it is why we do ethical hacking, in order to make systems and networks more secure than they were previously, and that is the goal. From a networking perspective we are going to talk about how to read packets from network captures; you are going to get into the TCP/IP-related protocols in a fairly significant amount of detail, and you are going to understand how protocols interact with one another. Reading packets is going to be really important, and we are going to do a fair amount of it; in addition to the fundamental approach of learning how to read packets, in several lessons we are going to read packets as a way of understanding the different tools we are using. You are going to learn tactics and methodologies, and you are going to learn to use the information you have gathered in order to get more information, because information is really what this is all about: you can't do much of anything without information, and sometimes it takes a fair bit of digging to find it. What you are going to learn is the entry points and the stepping stones to get the information you need, and then, once you have that information, the ways to exploit it in order to get deeper into the target. You are going to learn security awareness: we are going to talk about risk, about understanding risks and vulnerabilities, and primarily about recognizing the difference between a vulnerability and an exploit, because there is a significant difference there. Security awareness, and understanding what risk is and how it impacts your target, is going to be key to a lot of the things we talk about. So it sounds like a lot: we are going to cover a fair bit of ground, not all of it at a deep level; sometimes we are going to skim the surface, but there is an awful lot of material to cover, so let's get started.

Okay, so that was all about the skills that we
are going to develop throughout this post, and that you will need in order to become an ethical hacker. Now let's talk about the types of attacks you might be dealing with as an ethical hacker.

One type of attack you will find commonly, particularly in cases of hacktivism, or where people are trying to make a particular point or just be a general pain, is defacing. Defacing goes back quite a while; it is the idea of digital graffiti, where you leave your mark or imprint behind so that everybody knows you were there. It is primarily a website thing, and it really is just making alterations to something. It used to be pretty common, a long time ago, for businesses, people or organizations in general to have their home pages replaced by something along the lines of "hey, I was here and I took over your web page".

We also have a pretty common one, certainly common over the years, and a pretty good path towards quality exploits of high-profile vulnerabilities: the buffer overflow. A buffer overflow is a result of the way programs are stored in memory. When programs are running they make use of a chunk of memory called the stack, and it is just like a stack of plates: when you put a bunch of plates down and then pull one off, you pull the top plate, the one that was put on last. The stack works the same way, and it has to do with the way functions are called. When you call a function, a chunk of memory gets pushed on top of the stack, and that is the chunk of memory the function accesses. A piece of data in memory within that stack frame is called a buffer, and when too much data is sent and put into the buffer, it can overflow the bounds of the area configured for that buffer. The way stacks are put together, the return address of the function is stored in that same frame, above the local buffers, so when you overflow the buffer you can potentially overwrite that return address, at which point you control the flow of execution of the program; and if you can control the flow of execution, you can insert code into that memory that gets executed. That is how a buffer overflow turns into an exploit that yields a command shell or some other useful thing on the system where the overflowing program is running. So that is a buffer overflow, in short.

Sometimes we also have format string attacks, which can be precursors to buffer overflows. Format strings come about because the C programming language uses a format string to determine how data is going to be input or output: a string of characters that defines whether the subsequent input or output is going to be an integer, a character, a string, a floating-point number, and so on. So you have a format string that defines the input or the output. If the programmer gets lazy and leaves off the format string, providing only the variable that is going to be output, then whoever controls that variable has the ability to provide the format string. If I provide the format string, the program starts picking the next pieces of data off the stack and displaying them, so I can start looking at the data on the stack of the running program just by providing a format string; and if I can look at that data, I may be able to find information like a return address or some other useful piece of information. There is also the possibility of injecting data into the stack using this type of attack.

Moving on, the next type of attack is a denial of service. This is a pretty common one and you will hear about it a lot, but it is not to be confused with the one I will talk about after this, the distributed denial of service. A denial of service is any attack or action that prevents a service from being available to its legitimate or authorized users. You hear about a ping flood, or a SYN flood, which is basically SYN packets being sent to your machine constantly, or a Smurf attack, which has to do with ICMP echo requests and responses sent to broadcast addresses (that one has been pretty well shut down over the last several years). You can also get a denial of service simply from a malformed packet or piece of data: a malformed piece of data is sent into a program, and if the program doesn't handle it correctly and crashes, suddenly you are not able to use that program anymore, so you are denied the service of the program, and thus the denial of service.

As I said, a denial of service is not to be confused with a distributed denial of service, and I know it is pretty trendy, particularly in the media, to call any denial of service a DDoS. It is important to know that not every denial of service is a DDoS. A DDoS, a distributed denial of service, is a very specific thing: a coordinated denial of service making use of several hosts in several locations. Think of a botnet as an example. A botnet could be used to trigger a distributed denial of service, where I have a lot of bots that I am controlling from a remote location, and I am using all of those bots to do something like send a lot of data to a particular server. When I have a lot of systems sending even small amounts of data, all of that data together can overwhelm the server I am sending it to. So the idea behind a distributed denial of service attack is to overwhelm resources on a particular server so that the server is not able to respond.

The first known DDoS attack used a tool called Stacheldraht, which is German for "barbed wire". Stacheldraht grew out of work that a guy by the name of Mixter was doing in 1999, when he wrote a proof-of-concept piece of code called TFN, the Tribe Flood Network. As the Wikipedia page puts it, the Tribe Flood Network, or TFN, is a set of computer programs used to conduct various DDoS attacks such as ICMP floods, SYN floods, UDP floods and Smurf attacks. I know many people don't consider Wikipedia a really good source of knowledge, but it is a good place to start, so if you want to read about these types of attacks, like ICMP floods or what exactly a SYN flood is, you can always start from Wikipedia; it is not that bad a place, though of course you shouldn't use it as your final Rosetta stone. Moving on: Stacheldraht was used to attack servers like eBay and Yahoo back in February of 2000, and that attack in February of 2000 was really the first known distributed denial of service attack, which is not to say that there were no denial of service attacks previously.
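Here is an added example of the buffer overflow mechanism described above (my own illustration, not code from the original post). It models the stack frame the text describes, a 16-byte local buffer with the saved frame pointer and the saved return address above it, as one flat byte array so the overwrite is reproducible, and shows the unchecked copy beside a length-checked one. The 16/8/8 layout, the length-prefixed input, and the addresses 0x401000 and 0x401136 are assumptions for illustration; a real frame also carries alignment padding, and stack canaries, non-executable stacks and ASLR stand between this overwrite and a working exploit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a stack frame: a 16-byte local buffer, then the saved frame
 * pointer, then the saved return address. Laid out in one flat byte array so
 * the overwrite is well-defined and reproducible; a real x86-64 frame has the
 * same order (buffers at lower addresses, return address above them) plus
 * compiler-specific padding. */
#define BUF_SIZE    16
#define RET_OFFSET  (BUF_SIZE + 8)          /* skip the saved frame pointer */
#define FRAME_SIZE  (RET_OFFSET + 8)

/* Hypothetical addresses, used only to make the overwrite visible. */
#define ORIGINAL_RETURN 0x0000000000401000ULL
#define ATTACKER_ADDR   0x0000000000401136ULL

typedef struct { unsigned char bytes[FRAME_SIZE]; } frame_t;

static frame_t fresh_frame(void) {
    frame_t f;
    uint64_t ret = ORIGINAL_RETURN;
    memset(f.bytes, 0, sizeof f.bytes);
    memcpy(f.bytes + RET_OFFSET, &ret, sizeof ret);
    return f;
}

static uint64_t saved_return(const frame_t *f) {
    uint64_t ret;
    memcpy(&ret, f->bytes + RET_OFFSET, sizeof ret);
    return ret;
}

/* Vulnerable: trusts the caller-supplied length (think of a length-prefixed
 * network message) and copies that many bytes into the 16-byte buffer. */
static void copy_unchecked(frame_t *f, const unsigned char *data, size_t len) {
    if (len > FRAME_SIZE) len = FRAME_SIZE;  /* edge of the model only, not a security check */
    memcpy(f->bytes, data, len);             /* len > BUF_SIZE runs into rbp and the return address */
}

/* Hardened: reject anything that does not fit instead of copying it. */
static int copy_checked(frame_t *f, const unsigned char *data, size_t len) {
    if (len > BUF_SIZE) return 0;
    memcpy(f->bytes, data, len);
    return 1;
}

/* Constructed payload: 16 bytes fill the buffer, 8 bytes clobber the saved
 * frame pointer, and the last 8 are the address (host byte order, little-endian
 * on x86-64) the attacker wants the function to "return" to. */
size_t build_payload(unsigned char *out, size_t cap) {
    uint64_t addr = ATTACKER_ADDR;
    if (cap < FRAME_SIZE) return 0;
    memset(out, 'A', BUF_SIZE);
    memset(out + BUF_SIZE, 'B', 8);
    memcpy(out + RET_OFFSET, &addr, sizeof addr);
    return FRAME_SIZE;
}

/* Return address left in the frame after the vulnerable copy. */
uint64_t run_vulnerable(const unsigned char *data, size_t len) {
    frame_t f = fresh_frame();
    copy_unchecked(&f, data, len);
    return saved_return(&f);
}

/* Return address left in the frame after the hardened copy. */
uint64_t run_hardened(const unsigned char *data, size_t len) {
    frame_t f = fresh_frame();
    (void)copy_checked(&f, data, len);      /* rejected input leaves the frame untouched */
    return saved_return(&f);
}

int main(void) {
    unsigned char payload[FRAME_SIZE];
    size_t len = build_payload(payload, sizeof payload);
    printf("original return address : 0x%016llx\n", (unsigned long long)ORIGINAL_RETURN);
    printf("after unchecked copy    : 0x%016llx\n", (unsigned long long)run_vulnerable(payload, len));
    printf("after checked copy      : 0x%016llx\n", (unsigned long long)run_hardened(payload, len));
    return 0;
}
```

Build it with `cc overflow_model.c -o overflow_model` and run it: the unchecked copy reports the attacker's address as the return address, while the checked copy leaves the original in place. In a real program the unchecked copy would make the function "return" to 0x401136 when it finished, which is exactly the control of execution flow the text describes.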
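The format string problem described above, as an added example (again my illustration, not the post's code): a logging call that passes the user's text as the format, the one-token fix beside it, and a scanner a practitioner can run over untrusted text that is headed for a printf-style function, to count the directives it would trigger and to flag `%n`, the directive that writes to memory. The function names and the logging wrapper are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper of the kind most code bases have. Written
 * directly as snprintf(out, cap, msg) the compiler flags the call below with
 * -Wformat-security; routed through a wrapper without __attribute__((format)),
 * as many real helpers are, it compiles silently. */
static int format_into(char *out, size_t cap, const char *fmt, ...) {
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the caller's text IS the format string, so "%x", "%s" and "%n"
 * inside it are interpreted (reading, or with %n writing, the stack) instead
 * of being printed. */
int log_unsafe(char *out, size_t cap, const char *msg) {
    return format_into(out, cap, msg);
}

/* Hardened: the format is a literal and the text is only an argument. */
int log_safe(char *out, size_t cap, const char *msg) {
    return format_into(out, cap, "%s", msg);
}

/* Counts the conversion directives in untrusted text ("%%" is an escaped
 * percent sign, not a directive) and sets *has_n if "%n" is among them.
 * Flags, width, precision and length modifiers are skipped so that "%08x"
 * and "%hhn" are recognised. Returns the directive count. */
int count_directives(const char *s, int *has_n) {
    int count = 0;
    *has_n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }        /* "%%" prints a literal % */
        count++;
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) q++;
        if (*q == 'n') *has_n = 1;
        if (*q) p = q;                              /* resume after the conversion char */
    }
    return count;
}

int main(void) {
    char out[64];
    int has_n;
    const char *user_text = "%x%x%x%n";               /* constructed attacker input */
    log_safe(out, sizeof out, user_text);
    printf("safe   : %s\n", out);                       /* echoed verbatim */
    printf("directives=%d has_n=%d\n", count_directives(user_text, &has_n), has_n);
    log_unsafe(out, sizeof out, "plain text");         /* benign input only: with user_text this reads the stack */
    printf("unsafe : %s\n", out);
    return 0;
}
```

The scanner is a stop-gap for code you cannot change yet; the real fix is `log_safe`, plus building with `-Wformat -Wformat-security` (and the `format` attribute on your own wrappers) so the compiler finds the next one for you.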
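The DoS versus DDoS distinction above is exactly what a detector has to decide, so here is an added example (my code, not the post's) that takes a set of inbound SYN events, counts them per source over a ten-second window, and labels the window as normal, a single-source flood, or a distributed flood where no single source stands out. The thresholds (100 SYNs per window, 80% from one source) and the sample traffic are constructed assumptions; the addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```c
#include <stdint.h>
#include <stdio.h>

/* One inbound TCP SYN as a detector would see it after parsing a capture or
 * a firewall log: the source address and the second it arrived in. */
typedef struct { uint32_t src; unsigned t; } syn_event_t;

enum verdict { NORMAL = 0, DOS = 1, DDOS = 2 };

#define WINDOW_SECS          10
#define FLOOD_THRESHOLD      100   /* SYNs per window before we call it a flood (assumed tuning) */
#define SINGLE_SOURCE_SHARE  80    /* one source sending >= 80% of a flood -> single-origin DoS */
#define MAX_SOURCES          1024
#define SAMPLE_CAP           256   /* capacity the sample builders below assume */

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
}

/* Counts SYNs inside [window_start, window_start + WINDOW_SECS) per source and
 * decides: no flood, a flood dominated by one source (DoS), or a flood spread
 * across many sources none of which stands out (DDoS). Optionally reports the
 * SYN total and the number of distinct sources seen. */
enum verdict classify_syn_window(const syn_event_t *ev, size_t n, unsigned window_start,
                                 unsigned *total_out, unsigned *sources_out) {
    uint32_t src[MAX_SOURCES];
    unsigned cnt[MAX_SOURCES];
    unsigned nsrc = 0, total = 0, busiest = 0;

    for (size_t i = 0; i < n; i++) {
        if (ev[i].t < window_start || ev[i].t >= window_start + WINDOW_SECS) continue;
        total++;
        unsigned j;
        for (j = 0; j < nsrc; j++)
            if (src[j] == ev[i].src) break;
        if (j == nsrc) {
            if (nsrc == MAX_SOURCES) continue;   /* table full: still counted in total */
            src[nsrc] = ev[i].src;
            cnt[nsrc] = 0;
            nsrc++;
        }
        if (++cnt[j] > busiest) busiest = cnt[j];
    }
    if (total_out) *total_out = total;
    if (sources_out) *sources_out = nsrc;

    if (total < FLOOD_THRESHOLD) return NORMAL;
    if (busiest * 100 >= total * SINGLE_SOURCE_SHARE) return DOS;
    return DDOS;
}

/* Constructed sample traffic (not real captures); each fills at most SAMPLE_CAP events. */
size_t sample_single_source_flood(syn_event_t *out) {   /* 150 SYNs from one host in 10 s */
    for (size_t i = 0; i < 150; i++)
        out[i] = (syn_event_t){ ip4(198, 51, 100, 7), (unsigned)(i % WINDOW_SECS) };
    return 150;
}

size_t sample_botnet_flood(syn_event_t *out) {          /* 30 bots, 5 SYNs each: small per host, large together */
    size_t n = 0;
    for (unsigned bot = 1; bot <= 30; bot++)
        for (unsigned k = 0; k < 5; k++)
            out[n++] = (syn_event_t){ ip4(203, 0, 113, bot), k * 2 };
    return n;
}

size_t sample_normal(syn_event_t *out) {                 /* 5 clients, 2 SYNs each, plus 2 outside the window */
    size_t n = 0;
    for (unsigned c = 1; c <= 5; c++)
        for (unsigned k = 0; k < 2; k++)
            out[n++] = (syn_event_t){ ip4(192, 0, 2, c), k * 4 };
    out[n++] = (syn_event_t){ ip4(192, 0, 2, 1), 50 };   /* t=50: not in the window starting at 0 */
    out[n++] = (syn_event_t){ ip4(192, 0, 2, 2), 51 };
    return n;
}

int main(void) {
    static const char *names[] = { "normal", "DoS (single source)", "DDoS (distributed)" };
    syn_event_t ev[SAMPLE_CAP];
    unsigned total, sources;
    size_t (*samples[])(syn_event_t *) = { sample_normal, sample_single_source_flood, sample_botnet_flood };
    for (size_t s = 0; s < 3; s++) {
        size_t n = samples[s](ev);
        enum verdict v = classify_syn_window(ev, n, 0, &total, &sources);
        printf("%3u SYNs from %2u sources -> %s\n", total, sources, names[v]);
    }
    return 0;
}
```

The point the rule captures is the one the text makes: the botnet sample has exactly as many SYNs as the single-host sample, but no bot sends enough on its own to trip a per-source rate limit, so blocking the busiest address (which stops the DoS case) does nothing against the DDoS case.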


 that there werecertainly plenty of them but they were not distributed now this means thereweren't a lot of systems used to coordinate and create a denial ofservice condition and therefore we get distributed denial of service attack sothat's a handful of type of attacks and some pretty common attacks that you'regoing to see as an ethical hacker when you become an ethical hacker or ifyou're trying to become an ethical hacker you should always know aboutthese types of attacks ok so in this lesson we are going to betalking about penetration testing and some of the details around how it worksand logistics and specifically things like scope so what exactly ispenetration testing so well not surprisingly it's testing to see if youcan penetrate something which means you're going to check to see whether youcan break into a particular thing whether it's a server or in applicationsdepending on the type of engagement you've got you may have the ability totry to break in physically to a location by primarily but you're going to bedoing what penetration testing is you're going to be trying to break into systemsand networks and applications and that's the kind of what it's all about and thismay actually involve social engineering attacks so it may require you to make aphone call to somebody and get them to give you their username and password orsome other type of social nearing attack where maybe you send aURL by a crafted email sometimes it's just strictly a technical approach whenyou're running scans and you're running Metasploit and you're gaining accessthat way or maybe some other type of technical application sort of connectionsometimes it's physical access that you need so in order to get access to aparticular system if you can get physical access then maybe you can getin so that was all about that's what exactly penetration testing is it'schecking whether you can get into a system whether it be physically or on anetwork so what are the goals of penetration testing the 
goals would be to assess weaknesses in an organisation's security posture. You want to figure out where they're vulnerable so that they can go and fix those problems; you want to help them understand their risk position better, and what they can or may be able to do to mitigate those risks; and ultimately you want to be able to access systems in a particular way to find weaknesses. Those are really the goals of penetration testing.

Now, from a results standpoint, when you're done with your testing, what are you going to do? Well, you're probably going to generate a report. By that I don't mean that you're going to run some automated tool, get it to generate a report for you, hand that to the client, and then they write you a really large check. That's not really how it works. You're going to write a report detailing the findings in a detailed way, so that it includes what you did to find things out, what you actually found, and how that particular risk can be mitigated. You should really include remediation activities in order to fix the vulnerabilities that you find. It's pretty easy to walk around saying "hey, that's a problem, and that's a problem, and that's a problem"; there's really not a lot of value in that. Where the value is is "hey, that's a problem, and here is how you can go about fixing it".

So let's talk about the scope of penetration testing. Firstly, you want to realise how big the breadbox is: specifically, what have the two of you, you being the ethical hacker and the other party being the person authorised to give you permission to hack ethically, agreed that you can do? Specifically, that you can do penetration testing and that you can target them as an organisation or client, and what you have agreed to regarding any exclusions or any areas that they say you're not allowed to touch. So if they've got a database server, maybe one with old or
really sensitive data on it, and they're a little hesitant, they may put a "don't touch this" clause in the scope. There are a lot of different reasons why they may exclude areas from the scope, and if they exclude them, trust their reasons and listen to what they have to say in terms of "this is what we want you to accomplish". Along those lines, you really need to get sign-off from the target organisation. We've talked about this before: this is certainly all about ethics and trust, and it's also about legality, because if you do something that you don't have permission to do, you could be prosecuted for it. So definitely get the scope very clear, in writing and with signatures attached, as to what you can and what you can't do, and always get approval from the right people. Make sure it's somebody who has the right level of permissions and is at the right level of management, so that they can sign off with an understanding of, and accept, the risk that is associated with a penetration test.

Let me talk a little bit about security assessments and how they differ from penetration tests. A security assessment is a hand-in-hand approach with the client: you walk in doing a collaborative thing where you're a trusted partner and you are allied with them, and your goal isn't to penetrate them and point out all the things that are really bad, but to get a full assessment of the risk that the organisation is exposed to. You would probably provide more detail about fixes than you would in a penetration test. What we're going to do is walk in and make sure that the policies and procedures they have in place are really what they need for the organisation and the risk appetite that they've got, and make sure that the policies and procedures have controls that can tell us whether they are actually being adhered to, so that the procedures and policies are being followed. A security assessment is probably a little bit more comprehensive than
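The scope discussion above (agreed targets, plus exclusions such as a "don't touch this" database server) is the kind of thing worth encoding so that no tool is ever pointed at an excluded host by accident. The Python below is an added example for this post, not code from the original author; the scope values in it are hypothetical, using documentation address ranges and example.com names. It checks each candidate target against the signed scope and refuses anything excluded or not explicitly in scope.

```python
"""Check candidate targets against a written engagement scope (added example)."""
import ipaddress

# Hypothetical rules of engagement; real ones come from the signed scope document.
SCOPE = {
    "in_scope_networks": ["203.0.113.0/24", "198.51.100.0/25"],
    "in_scope_domains": ["example.com"],
    "excluded_networks": ["203.0.113.200/29"],      # e.g. the sensitive database segment
    "excluded_hosts": ["legacy-db.example.com"],    # a named "don't touch" host
}


def _domain_in(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def check_target(target, scope=SCOPE):
    """Return (allowed, reason) for an IP address or a host name.

    Exclusions are evaluated first so that a carve-out inside an allowed
    network wins; anything not explicitly allowed is refused.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for net in scope["excluded_networks"]:
            if ip in ipaddress.ip_network(net):
                return False, f"{target} is in excluded network {net}"
        for net in scope["in_scope_networks"]:
            if ip in ipaddress.ip_network(net):
                return True, f"{target} is in scoped network {net}"
        return False, f"{target} is not in any scoped network"
    if _domain_in(target, scope["excluded_hosts"]):
        return False, f"{target} is an excluded host"
    if _domain_in(target, scope["in_scope_domains"]):
        return True, f"{target} is under a scoped domain"
    return False, f"{target} is not under any scoped domain"


def filter_targets(targets, scope=SCOPE):
    """Keep only targets the scope allows; feed this list to your scanners."""
    return [t for t in targets if check_target(t, scope)[0]]


if __name__ == "__main__":
    for t in ["203.0.113.10", "203.0.113.202", "www.example.com", "legacy-db.example.com"]:
        print(check_target(t))
```

Because the check is deny-by-default, a typo in a target list yields a refusal with a reason rather than an out-of-scope scan, and the reasons themselves make a useful appendix for the report.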
a penetration test, and it would look at more factors to assess the security posture of the organisation and their overall risk. You would tailor the output based on their risk appetite and what they're most interested in. That's not to say that I'm going to tell them what they want to hear, but if there's something that they know, and I know, that they're just not going to do, I'm not going to make a big deal out of it because they're already aware of it; I'll make a note of it in the report for completeness' sake, but I'm not going to go into a lot of detail. So it's really a hand-in-hand, collaborative approach where, again, you're not just saying what they want you to say; you're providing some real security and risk guidance towards their activities and other things.

A penetration test may also provide an unrealistic view. Say you've got a week to do a penetration test against your target. You're going to have to go in, get set up, start doing a bunch of scans, and make sure that you're gathering information, screenshots and data for your report; you're going to be doing all sorts of activities. Also, during the course of that week you're probably going to begin writing your report and getting a sense of what it's going to say and what's going to be in it. If you don't actually get any major penetration during the course of that week, the organisation may feel like their systems are secure. That's one of the problems with penetration testing: it's sexy and the show is nice and all, but if an organisation walks out of it believing that, because in a week you didn't manage to get the keys to the kingdom, they must be secure, that's a really misguided view. A dedicated, skilled and motivated attacker isn't going to just take a week, or some portion of it; if they're after something, they're going to dedicate themselves to it and really go after it. So just because you didn't find a penetration in some subset of a
week doesn't mean that they are secure and invulnerable to attacks. It just means that during the course of that particular week, and under the circumstances that were in place, you didn't get a penetration that was really significant or major. That's all it means; it doesn't mean anything beyond that. If an organisation walks away feeling like they're secure, they're going to end up not fixing the real vulnerabilities that may be in place and that could expose them to significant risks. So that's penetration testing: its scope, its goals, and how it differs from security assessments.

Now it's time to go over footprinting. So what is footprinting? Footprinting is getting an idea of the entire scope of your target. That means not just the scope that you were given, which may be an address block, or a domain name, or even a set of address blocks; what you want to do is figure out all the information associated with it in as great detail as you can possibly get. You want the list of domain names. As you go through this you probably want some sort of database or Excel spreadsheet or something to keep track of all the information, because you're going to have a lot of it, and at the end you want to be able to find the information quickly. So have either a notepad going with your notes or, as I said, a spreadsheet or a database; if you can get organised in that way, you want to write all those sorts of things down. In this case I want to do some searching on, let's say, edureka.co. I need network blocks; so far we have just found made-up IP addresses, because I'm just putting information down, but I need network blocks. You may have one IP address that you can find externally, or you're going to want the whole range of internal blocks, and you can do a little bit of digging if you aren't provided those. You want specific IP addresses for critical systems: web servers, email servers, databases, if you can find any of these things of those
sorts. You also want to know what kind of stuff they are running: are they running Intel, are they running Windows, are they running some UNIX systems? What are they running? What kind of access control lists do they have? These are going to be hard to get, but you may be able to guess them, and you can guess them by doing port scans: what sort of responses you get back from the port scans, with the filters, or what you don't get back, will tell you whether there's an IDS around. You also want to do some system enumeration. If you can get access to a system somehow, you want to know usernames, group names and so on. So the basic idea of footprinting is gathering information: you want system banners, routing tables, SNMP information if you can get it, and DNS host names if you can get those. This is for both the internal and the external side: if you're doing an internal penetration test or ethical hacking engagement, you want to know the networking protocols that are there. Are they using TCP/IP, or are they using UDP, or are they on IPX/SPX, are they using DECnet or AppleTalk? Are they using some sort of split DNS, in other words do they have internal DNS servers that give different answers from their external ones, and will it give different information? You want to check for remote access possibilities. In the footprinting process you want to be very exhaustive. You might want to try and take down email addresses, server domain names, IP addresses, or even contact numbers. You want to be very exhaustive with your approach; you don't want to miss anything out, because anything you find can provide launching points for additional attacks or tests that you may be able to do. This is definitely a starting point for the types of information that you need to have as you go about footprinting your target.

The next thing that we are going to see is very interesting: this
is one of the many common tools that are out there on the Internet, and that is the Wayback Machine, also known as archive.org. It might not give you all the information that you need, but it certainly gives you a starting point. Let me give you a quick look at what archive.org looks like; I already have it open here. What you can see is how a website looked some time ago. For example, if you want to see what Google looked like, you just search for Google here and wait for the results to come back. We see that Google goes way back to 1998; that was the first capture by the Wayback Machine, and we can see that it has a snapshot from November 11th showing how Google looked. So let's see what Google looked like on November 11th, 1998. This is what Google looked like: there was actually nothing to it, it just said "Welcome to Google", "Google Search Engine Prototypes", and it had some links. This is what the Google engine looked like: it had a Stanford search, it had a Linux search, and you could do all sorts of stuff with the results. What I'm trying to tell you is that you can see the evolution of a website through time with the Wayback Machine, and this gives you a rather informative look into how a website has actually evolved.

Now that we know what footprinting is and how it falls into the whole reconnaissance process, let's go over a couple of websites to do a little bit of historical thinking about companies and the types of infrastructure they may be using. This information is of course useful so that we can narrow down our focus in terms of what we want to target for attacks. Over time we've improved our awareness about what sorts of information we may want to divulge. Several years ago you may have gone to a company's website and discovered that you
could get email addresses and names of people in positions that you may find relevant, and there were all sorts of bits of information that could be used against the company. Over time we have discovered that those sorts of pieces of information probably don't belong on a website where they can be used against a company, and so they've been pulled off. It also used to be that Google had the ability to pull up information that it had cached: for example, if a website was no longer available, or was temporarily down and offline, there was a little "cache" button that you could click when you did a Google search, and you could pull up that cached information. So even though the website wasn't available you could still get information from Google's servers. Google has removed that, so we don't have that ability any longer; however, there is an Internet Archive that we can use. This thing is called the Wayback Machine, and I have it open here at archive.org/web. archive.org is a website that gives us information about other websites and how they looked years ago. So I'm going to go to the Wayback Machine, which you can see is at archive.org, and I'm going to search for edureka.co. Now we're going to take a historical look at edureka.co's website. You can see we've got some years, and they've got information going back to 2013, so let's look at what this website looked like when it was just 2013. OK, there don't seem to be any snapshots here; I wonder what's going on. Let's go to 2014, and the first snapshot seems to be on September 12th of 2014; actually there's one on May 17th too, so let's see what that looks like. OK, so this is what edureka.co looked like back in 2013, or rather 2014, September 12th 2014 to be exact. You can see that we have some live classes and all these pictures, and they've got this weird picture of this guy here; I don't know why that was a thing back in 2014. Now we can browse
more recent screenshots, or rather the screenshots that were taken later on, and see how this company has evolved with its infrastructure and the way it actually lays out its content. So it still has that look, but I can go a couple of years ahead and see what this has actually evolved into. If I go to December 2016, this is what it looked like in 2016, and we can see that they've added this weird box here about pricing courses; they have a little search bar that kind of looks weird, but that's mostly because my internet is slow and it's still loading all the elements. They've also changed how they've laid out the courses, and we can also see a change in the prices, I guess. So this tells us how it evolved as a complete website.

The other website that I want to talk about is called Netcraft. Netcraft does internet research, including the types of web servers that companies run, and they have a web server survey. You can see here, as we scroll, that Apache servers are 64.3 percent of the internet market, followed by Microsoft with 13 percent. That's interesting information, maybe useful information, but even more useful is looking at what different companies run for their websites. So let's try and search for edureka.co here: we put it in the website URL field and let Netcraft generate the site report. As you can see, some of the data is not available, but we know that the netblock owner is Amazon Technologies, the name server is this one right here, and the DNS admin contact is the AWS DNS hostmaster. We also have the IP address, and we can go for a VirusTotal look-up of the IP. There is no IPv6 presence, so that's some information we can use: we can obviously opt out of targeting IPv6 ranges. There's also the reverse DNS. Then we also have a bunch of hosting history; this is the history of it, and we know that it's hosted on a Linux system with an Apache web server, and it was last seen at this date, and this was
when it was last updated. So this is some very useful information. You can also get information on sites like Netflix; OK, I just spelled that wrong, so let me change the URL here. If you type netflix.com, you'll see that it'll show you all sorts of information: you can see that it's on an AWS netblock, Amazon Web Services in Ireland, and this is all the hosting history that goes along with it. It has Sender Policy Framework, Domain-based Message Authentication, Reporting and Conformance, and there's all sorts of information that you can get about websites and their web servers from Netcraft. So the Wayback Machine along with Netcraft make up some interesting tools that are available on the internet with which you can do a little bit of your reconnaissance process.

Now that we have gone over Netcraft and the Wayback Machine, it's time to actually get to know how to use the little information that these sites provide. The next topic that we're going to go over is using DNS to get more information. We're going to be going over a tool called whois, a utility that is used to query the various regional internet registries, which store information about domain names and IP addresses. Let me show you what the internet registries are. I have arin.net open here, and these are the internet registries that provide for the ISPs and look after the Internet as a whole. Here we have AfriNIC, we have APNIC, we have ARIN, we have LACNIC, and we have RIPE NCC. These are all regions, and you can look at all the different countries they support by just hovering over the providers. As you can see, the brown region here is Africa, that's AfriNIC; then we have APNIC, which is this black or greyish thing, which is India and Australia and quite a lot of Asia; then we have ARIN, which is a lot of North
America, mainly the United States; LACNIC, which is mostly the Latin side, the South American part; then we have the rest of Europe, which is RIPE NCC, and this is the part that RIPE NCC provides internet to. So that was all about the internet registries. Now let's get back to the topic, and that is using DNS to get more information. For this we are going to be using a Linux-based system; I have Ubuntu running on my virtual machine here, so let me log into it. Firstly we are going to be using this utility called whois, which looks up the internet registries that I just showed you. Let me quickly clear the screen. So for acquiring information from the regional internet registries that I just talked about, you can use whois to get information about who owns a particular IP address or domain. For example I could run `whois netflix.com` and we get all sorts of information about Netflix. Let's go up and look at all the information that is being given to us by this whois query; I scrolled a little bit too far. So we have the registry domain ID, where it is registered, and the registrar URL, which is MarkMonitor. The creation date is 1997, so in case you hadn't realised, Netflix has been around for a long time; it was updated in 2015, and the registry expiry date, as we see, is 2019, so it's actually going to expire this year. This is all useful information: you can see all sorts of domain status values, the name servers, the URL, and the DNSSEC entry that says unsigned. This is very useful information provided by a very simple query.

Now, if you want to know who owns a particular IP address: did we get back the IP address there? We should have got back the IP address, but it's not in this output. So to get the IP address for a domain name, you
could use the command called dig: `dig netflix.com`. As you can see, it has returned multiple IP addresses; these are all the IP addresses that Netflix is using. So if I was trying to check who owns a certain IP address, for example I've got one of these IP addresses but let's assume I don't know that it actually belongs to Netflix, I can run `whois 54.77.108.2` and it will give me some information. As you can see, it is giving us a bunch of information as to who this is. We see that it is from ARIN, so we can fairly smartly assume that it's from the North American part; we can also see that it's in Seattle, so our guess was completely right. It also gives us a range, which is something very useful: we now have the range of the IPs that might be being used by this organisation. So we indeed have 54, and it says this goes up to the end of 54. There's also the 34 range, so let's check that out and see what information we get: what was the IP that we were just seeing? 34.249.125.167, so `whois 34.249.125.167`; I actually typed 34.249.165, but it doesn't really matter, you can also put in a random IP address and it'll give you the information. Even this seems to be an ARIN-registered IP address, it's also based in Seattle, and we get a bunch of information. So that's how you can use the whois query and the dig query to get all sorts of information about a domain name and an IP address, and get information from DNS basically.

Now let's go over some theoretical background on using DNS to get information. Firstly, what is the Domain Name System and why do we need it? A domain name is a name mapped to an IP address so that it's easy to remember; of course it's easier to remember names and mnemonics than a bunch of random numbers. This was mainly so that we can map names to IP addresses, and we can get a bunch
of information from host name resolution. So that's the purpose of domain names and IP addresses. We will also be looking at how to find network ranges. But before we move on to how to find out network ranges, let me show you how else you can use whois. Suppose you want to know the domains with the word "foo" in them: you could run `whois foo` and this will give you a whole bunch of things about how "foo" exists and all the sorts of "foo" there are on the Internet. So that was one interesting query. If you want to know more about how to use whois, you can run `whois --help`. This is all the stuff that we can do with whois: you can set the host, you can set the port that you want to query, with the -l flag you can find one level less specific matches, you can do an exact match (-x) or an inverse lookup for specified attributes (-i), you can set the source (-s), you can request a verbose template for a type (-v), and you can request a template (-t); there's a bunch of stuff you can do. So you could say, for example, `whois -v` followed by a domain, and it'll give you a verbose version of the RIPE database query service's objects, which are in RPSL format; that's the RIPE database's output. OK, let's try something else, like `whois netflix.com`; sorry, I was supposed to use -v and I kept typing -h, silly me. So you use -v and it'll give you the RIPE database template again; I think I'm doing something wrong. Or let me show you -K, which returns only primary keys. It seems that this is a RIPE database query service and the objects are in RPSL format, so it won't really work for that, and it also says that no entry was found, because it's an error. So this is for some later lesson. For now I hope I gave you a good idea of how to use whois: you could just run whois followed by an IP address, like 192.168.0.101 or some address like that, or you could just go for a domain name, like facebook.com, and get all sorts of information about Facebook when the query actually returns you something.

OK, so let's move on to network ranges. In this part of the lesson we're going to be going over the utility called whois, which is used for getting information from the registries behind the DNS. Let me show you a website here: these are the regional internet registries. The internet registries are used to store information about domain names and IP addresses, and there are five regional internet registries. First is ARIN, which is responsible for North America, so that would be the US and Canada. Then we have LACNIC, which is responsible for Latin America and portions of the Caribbean. Then there's RIPE, which is responsible for Europe, the Middle East and Central Asia. There's AfriNIC, which is responsible for Africa, and finally we have APNIC, which is responsible for Asia and the Pacific Rim. So those are the regional internet registries, and as I said whois is responsible for acquiring information from the various regional internet registries, and you can use whois to get information about who owns a particular IP address. For example, let me open up my Ubuntu system and clear the screen first. As I was saying, you could run `whois facebook.com`. As you can see, we could find out pretty quickly who owns a particular domain. It also gives you who owns a particular IP address and who's responsible for them, and from the information you can get email addresses that belong to a particular company; this one has an email address for the tech contact. So you can get all sorts of email addresses, tech contacts, and other such stuff out there. This registry database contains only .com and .net, and also has some information.

Now I want to query a different IP address, and different information
belongs in the different regional internet registries, of course. So if I want to go to a particular registry's database I will have to use the -h flag: I could run `whois -h whois.arin.net` followed by the IP address, and I'm going to query that again, and of course I get the same information back because that's where I went before. So you can run whois with -h and follow it with an IP address, something like 34.205.176.98; that's just a random IP address I made up. If whois complains about the option, check the flag: -h is the host flag. Let's run that, and we get all sorts of information back from it: the ARIN record and all sorts of stuff. I can get information about domains as well: if I query something like netflix.com, I can find out that this is actually Netflix, there's an administrative contact and technical contact data, and you can see the different domain servers, so the servers that would have authority over information about the DNS entries for that particular domain. You can also see other information, like when the record was created, and a whole bunch of different phone numbers that you can contact. Additionally, besides storing information about IP addresses and domain names, sometimes the registry will store information about a particular host name, and there may be other reasons why you would store a host name, or particular information about a host name, in one of the RIRs. If I want to look up something specifically once I've found it, I can now do a look-up on whois, say something like `whois foo`. If you don't already have whois installed, you can easily install it by running `apt install whois` on your Ubuntu system, and that should do the trick; then you can start using this really nifty tool. So that was all about using whois. Now let's get on to how to find out network ranges for a domain.

So now let's talk about how we are going to go about finding network ranges. Suppose you've got an
engagement and you only know the domain name; you don't know much beyond that, and you're expected to figure out where everything is and what everything is. So how do you go about doing that? Well, use some of the tools that we either have been talking about or will soon be talking about in more detail. The first thing I'm going to do is use the domain name edureka.co, look it up, and see if I get an IP address back. So let's run `whois edureka.co`, or we could use the host command, `host edureka.co`. As you see, we get an IP address back, and that is 34.210.230.35. So here's just an IP address, and I don't know who that IP address belongs to; I also don't know how big the network range or network block is that it's associated with. So what I'm going to do is a whois look-up with ARIN to see who owns that IP address: `whois 34.210.230.35`. As you can see that gives us a bunch of information, and this one doesn't seem to have a very big network range, unlike something like Netflix. Suppose we were to run `host netflix.com`; now we have a bunch of IP addresses. Then suppose we run `whois 52.19.41.47`. I'm expecting Netflix to be a much larger company and have a bigger range, and yes, now we get a NetRange. This is the network range that we are talking about: we had a random IP address and now we have found the network range. So that's how you find network ranges, and this can be very useful: this gives me evidence that netflix.com has a presence on different addresses than the one I located by looking up that particular host name. I've got one address here that I can look at; let's take a look at the website, because I'm at a different address now. If I didn't have that, I could also do something like an MX look-up: I could run dig and this will give us
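The whois look-ups above, the earlier `whois 54.77.108.2` against ARIN and the NetRange found for netflix.com here, all produce the same "Key: value" registry layout, and the useful step is turning that text into a network range you can compare addresses against (for instance to confirm an address is inside the client's block before it goes on a target list). The Python below is an added example for this post, not code from the original author or from the whois tool; the registry record it parses is constructed in the style of ARIN's output, with documentation addresses and a made-up organisation, not real registry data.

```python
"""Parse whois-style registry output and test addresses against its range (added example)."""
import ipaddress

# Constructed sample modelled on ARIN's output layout; every value is made up.
SAMPLE_WHOIS = """\
#
# Comment lines like this one are skipped by the parser.
#
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-NET-1
NetHandle:      NET-198-51-100-0-1
Organization:   Example Cloud Inc (EXAMP)
RegDate:        2015-03-01
Updated:        2019-06-12
City:           Seattle
StateProv:      WA
Country:        US
OrgTechEmail:   hostmaster@example.net
"""


def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists (keys may repeat)."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "%")):   # ARIN uses '#', RIPE uses '%'
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def networks_from_record(record):
    """Prefer the CIDR field(s); fall back to summarising the NetRange."""
    nets = []
    for cidr in record.get("CIDR", []):
        for item in cidr.split(","):
            nets.append(ipaddress.ip_network(item.strip(), strict=False))
    if not nets:
        for rng in record.get("NetRange", []):
            first, _, last = rng.partition("-")
            nets.extend(ipaddress.summarize_address_range(
                ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())))
    return nets


def ip_in_record(ip, record):
    """True if the address falls inside the block the record describes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks_from_record(record))


def summarize(record):
    """The fields a footprinting spreadsheet would keep for this block."""
    nets = networks_from_record(record)
    first = lambda key: record.get(key, [""])[0]
    return {"org": first("Organization"), "city": first("City"), "country": first("Country"),
            "networks": [str(n) for n in nets],
            "addresses": sum(n.num_addresses for n in nets)}


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print(summarize(rec))
    print(ip_in_record("198.51.100.42", rec), ip_in_record("198.51.101.1", rec))
```

Piping the real command's output into `parse_whois` (for example `subprocess.run(["whois", ip], capture_output=True, text=True).stdout`) gives the same dict; the NetRange fallback matters because some registries print a range without a CIDR line.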
all the mail servers. So `dig MX`; let's see what MX actually does. You can run `dig -h` for a list of options; these are all the options that we have, and the one that we're going to use is `dig MX netflix.com`. These are all the mail exchangers, the MX records, that we have gotten for Netflix, and this is information regarding its mail handling. As I was saying, using the MX record type I can get back all the mail handlers; in this case their mail is being handled by Google, and if we go to the top it's going to tell me that it's Google, which is not particularly surprising. Other things that you can do are check for different host names. Since I'm assuming the DNS server probably doesn't allow zone transfers, since most DNS servers don't any more, although they used to, you may have to start guessing. So I could do something like `dig webmail.netflix.com`, and this shows us what comes back for that guessed name. OK, so that was all about finding network ranges.

Moving on, our next topic is using Google for reconnaissance. Some people also call this Google hacking. If you know how to use Google to exactly target and find what you are looking for, Google is an excellent tool for reconnaissance purposes, and today I'm going to show you how you could use Google exactly for your searches. So first of all let's open a tab and go to google.com. Now we are going to be talking about how we can use Google to actually gain some information, or some targeted information; this is in general called Google hacking. When I say Google hacking I don't mean breaking into Google to steal information; I'm talking about making use of specific keywords that Google understands to get the most out of the queries that you submit. For example, a pretty basic one is the use of quotation marks: you put things in quotes in order to search for specific phrases, otherwise Google will find pages that have
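The `dig MX` step above tells you who handles a domain's mail only after you read the answer section and sort the exchangers by preference. The Python below is an added example for this post, not code from the original author or from dig; the dig output it parses is constructed, with example.com and example.net names, so it runs offline. It pulls the answer records out of dig's text, orders MX hosts by preference, and reduces them to the domains that actually receive the mail, which is the quickest way to see whether mail is handled in-house or by a third party.

```python
"""Parse dig's answer section and rank mail exchangers (added example, constructed data)."""

# Constructed dig output; the version banner and timings are placeholders.
SAMPLE_DIG = """\
; <<>> DiG (constructed sample) <<>> MX example.com
;; ANSWER SECTION:
example.com.        300   IN   MX   20 mx2.mail.example.net.
example.com.        300   IN   MX   10 mx1.mail.example.net.
example.com.        300   IN   MX   30 backup.example.org.
example.com.        3600  IN   A    198.51.100.7

;; Query time: 12 msec
"""


def parse_answers(text):
    """Return answer records as dicts; comment lines (';') and blanks are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split()
        # A resource record line is: name ttl class type rdata...
        if len(parts) < 5 or parts[2] != "IN":
            continue
        records.append({"name": parts[0].rstrip("."), "ttl": int(parts[1]),
                        "type": parts[3], "data": " ".join(parts[4:])})
    return records


def mail_exchangers(text):
    """MX hosts as (preference, host), lowest preference (most preferred) first."""
    mx = []
    for r in parse_answers(text):
        if r["type"] == "MX":
            pref, host = r["data"].split(None, 1)
            mx.append((int(pref), host.rstrip(".")))
    return sorted(mx)


def mail_domains(text):
    """Registered-looking domains (last two labels) of the MX hosts, deduplicated."""
    return sorted({".".join(host.split(".")[-2:]) for _, host in mail_exchangers(text)})


if __name__ == "__main__":
    print(mail_exchangers(SAMPLE_DIG))
    print(mail_domains(SAMPLE_DIG))
```

The last-two-labels rule in `mail_domains` is a simplification that misfires on multi-part suffixes such as co.uk; a public-suffix list fixes that when it matters.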
instances of all those words rather than the words specifically together in that particular order. So I'm going to pull up this query: if you search for "index of", this shows an index of all the films, basically all those "index of" sites. As you can see, this shows us the index of all sorts of films that are there. You can use "index of" and you see that we also have an index of downloads, or something like that, and it is an index of all sorts of stuff; you can go into some folder and check them out. I don't know what these are, but some sort of stuff, and this is how you can use Google. Let me show you some more tricks. Suppose you're using Google to find something like a presentation: you could use something like `filetype:pptx` and it'll search for every file of that type. Let's try another search, for config files: this brings up all the files that have some configs in them, so this is a gaming configuration, as we see, and this is a digital configuration of Liverpool. You could also use `inurl:root`, and this will give you all the pages with "root" in their URL: "walking route", and just the trends, and "how to root Android", so passing the root. Suppose you want to use something like `allinurl:`, or suppose you want some extension, say JavaScript files: `ext:js`; OK, that doesn't seem to work either, this shows us all the things with "js" in them, I'm doing something wrong. So you could use filetype instead: `filetype:doc`, so these are all the documents that you could find with the filetype operator, and you could also do `filetype:js` and this will give you all the JavaScript files out there. So this is how you can use Google to narrow down your searches. So suppose you
want a particular set of keywords, say, to find an exposed passwords file through Google. Let's go into more detail about the various things you can find with these Google hacking techniques. They are useful for ordinary searching, but they are also useful for penetration testers and ethical hackers, because you can narrow the information Google returns down to a specific list of systems that may be vulnerable. For example, we can look for error pages by putting the word error in the title: intitle:error. That returns all sorts of pages, and if we add -google the results from Google's own sites are excluded, which leaves mostly vendor documentation about the errors their products produce; here is one from Oracle about a Java error. Searching for something more specific gets you errors from whichever product you are interested in. That is how you can use Google hacking to your advantage as a penetration tester.

Now let me also show you something called the Google Hacking Database, which is very useful for an ethical hacker. It was created several years ago by Johnny Long, who put the database together to compile a list of searches that bring up interesting information; Johnny has also written a couple of books on Google hacking. Here on the Google Hacking Database site you can see the entries, which are called Google dorks, laid out: for example inurl: searches that bring up portal login pages, or searches for the word password in a URL. If you run one of those you get all sorts of pages that carry a password right in the URL, so maybe you can just guess a password
from there or at least learn how the application handles them. The Google hacking entries are organised into a number of categories that you can look through to find specific things, and you can search for a specific product you are interested in. The database is hosted on Exploit Database, so let me show you that. Scrolling through, there are entries for all sorts of things: one is an SQL injection dork, another finds archive files, and several help you get a foothold for password cracking or brute-force attempts. Each entry shows the type of search it is and what it reveals, and if you click the Google search link it brings up Google with the results that query generates. Look at this one: its type is "log", and it finds logs that record cross-site scripting attempts; nearby there are entries for other kinds of logs and a denial-of-service proof of concept. If you continue to scroll down there is a lot of interesting information in here: somebody has a log file that has recorded a lot of information and has put it up on a website for anyone to read, and sometimes you can even find exposed surveillance video feeds. So it is basically a list of ready-made queries that you can go through, and it is a very useful site if you are a penetration tester and want help with your Google hacking. That's it for Google hacking; now let's move on.

Okay, so now it's time for some networking fundamentals, and what better place to begin than TCP/IP. We're going to talk about the history of TCP/IP and the network that eventually morphed into the thing we now call the Internet. It began in 1969 and spun out of a US government organisation
called ARPA, the Advanced Research Projects Agency. ARPA had the idea of creating a computer network that was resilient to certain kinds of military attack, a network that could survive war and warlike conditions. ARPA sent out a request for proposals, and BBN (Bolt, Beranek and Newman), previously an acoustical consulting company, won the contract to build what was called the ARPANET. The first connection was made in 1969, which is where the idea that the Internet began in 1969 comes from. Strictly speaking the Internet as we know it did not begin then, but the ARPANET did, and the ARPANET has a long history that runs through NSFNET in the 1980s: after the ARPANET was decommissioned, a lot of other networks were folded into NSFNET, which then turned into what we now call the Internet once all of those networks were connected together.

The very first protocol defining communication on the ARPANET was called the 1822 protocol, because BBN Report 1822 described how it worked. Shortly after that came the Network Control Program (NCP), which consisted of the ARPANET Host-to-Host Protocol and the Initial Connection Protocol (ICP). There is no direct correlation, but if you want an analogy you can think of the Host-to-Host Protocol as a little like UDP and ICP as a little like TCP: the Host-to-Host Protocol provided a unidirectional, flow-controlled stream between hosts, which sounds a bit like UDP, and ICP provided a bidirectional pair of streams between two hosts. Again, these are not perfect analogies. The first router was called an Interface Message Processor (IMP), and it was developed by BBN; it was
actually aruggedized Honeywell computer that had special interfaces and software so thefirst router wasn't ground-up built piece of hardware but it was actually anexisting piece of hardware that was specially purposed for this particularapplication so Honeywell had this computer that they made out and BBN tookthat and made some specific hardware in phases and wrote some special softwarethat allowed it to turn into this interface message processor which passedmessages over ARPANET from one location to another so where did I become Hinhere in 1973 so I became in here as well in 1973 as I just said and a guy by thename of Vint Cerf and another guy by the name of Robert Kahn took the ideas ofNCP and what the ARPANET was doing and they tried to come up with some conceptsthat would work for the needs that the ARPANET had and so by 1974 they hadpublished a paper that was published by the I Triple E and they proposed somenew protocols they originally proposed the central protocol called TCP later onTCP was broken into TCP and IP to get away from the monolithic concept thatTCP was originally so they broke it into more modular protocols and thus you getTCP and IP so how do we get to our version 4 which is ipv4 since that's thekind of internet that we are using right now version 6 is coming and has beencoming for many many years now but we're still kind of version 4 sowe get here between 1977 and 79 and we went through version zero to three by1979 and 1980 we started using version four and that eventually became the defacto protocol on the Internet in 1983 when NCP was finally shut down becauseof all the hosts on the ARPANET wherever using tcp/ip by that point in 1992 aword began on an IV next generation and for a long time although thespecifications in the RFC's talked about PNG eventually and I PNG became known asipv6 you may be wondering where ipv5 wentwell it was a specially purpose protocol that had to do something with streamingand certainly not a widespread thing one 
of the differences between IPv4 and IPv6 is that IPv6 has 128-bit addresses, which gives us the ability to have a ridiculously large number of devices each with its own unique IP address. IPv4 by comparison has only 32-bit addresses, and as you have probably heard we are well on the way to exhausting them; a lot of things have been done over the years to conserve and reuse address space so that IPv4 could keep being extended up to the point where we completely run out of addresses. Another thing about IPv6 is that it attempts to fix some of the inherent issues in IP, and some of those are security concerns. IPv4 certainly has a number of flaws, and when work started on IP next generation the designers tried to address some of those concerns and issues. They may not have done it perfectly, but IPv6 was certainly an attempt to fix some of the issues that were inherent in IP. So that is the history of TCP/IP, which is still very much alive today.

Okay, so now that we have discussed a brief history of TCP/IP and how it arrived at version 4, let's discuss the model itself. We are going to discuss two models, the OSI model and the TCP/IP model, both of which are models for network protocols and network stacks. OSI first of all is the one on the left-hand side of the screen, and OSI stands for Open Systems Interconnection. In the late 1970s the ISO started working on a model for how a network stack and its protocols would look. The original intent was to develop the model and then develop the protocols that went with it, but what happened was that after the model was developed TCP/IP really started taking off; the TCP/IP model that went along with it matched much better what was going on with TCP/IP, which became the predominant protocol suite, and as a result the OSI protocols were never widely deployed. However we still use
the OSI model as a teaching tool and as a way of describing what is going on within the network stack and in networked applications. You will often hear people say things like "that's a layer 2 problem" or "we are in layer 3 space". Through the rest of these lessons I will occasionally refer to the different layers, and when I do I am referring to the OSI model.

So let's take a look at the OSI model, starting from the bottom. Layer 1 is the physical layer, where all the physical things live: wires and cables, network interfaces, hubs and repeaters. Above that sits the data link layer, layer 2, where Ethernet, ATM and Frame Relay live. I mentioned switches: a switch sits on the physical cabling but operates at layer 2, because it looks at the data link address, also called the layer 2, hardware or physical address. Do not let the name confuse you: the address is called physical because it is bound to the physical interface, but it lives at layer 2, the data link layer, not at the physical layer. This is the MAC address, where MAC stands for media access control; in cryptography MAC also stands for message authentication code, but that is something else entirely and has nothing to do with the address. Right above that is the network layer, layer 3, which is where IP lives, as well as ICMP and IPX from the IPX/SPX suite of protocols from Novell; routers operate at layer 3. Above that is layer 4, the transport layer, with TCP, UDP and SPX, again from Novell's IPX/SPX suite. Then comes the session layer, layer 5, where the AppleTalk session protocol and, by some accounts, SSH are placed, along with several other protocols. Then there is the presentation layer, layer 6, and you will often see people refer to something like
JPEG or MPEG as examples of formats that live at that layer. Finally we have layer 7, the application layer, which is where HTTP, FTP, SMTP and similar application protocols live; their responsibility is to deliver functionality to the end user. So that is the OSI model and its seven layers.

There is an important thing to note here. When we put packets onto the wire, the packets get built from the top of the stack down, which is why it is called a stack: each layer sits on top of the one below. The application layer begins the process, and the data passes through the presentation, session and transport layers and down through the network and data link layers until it is finally dropped onto the wire at the physical layer. When a packet is received from the network it goes the other way, from the bottom up: it is received at the physical layer, then handled by the data link layer, then the network layer, and so on up until it reaches the application layer. So an outgoing packet starts at the application layer and leaves at the physical layer, and an incoming packet enters at the physical layer and travels up through data link, network, transport, session, presentation and application on the target system.

What we are dealing with is an encapsulation process: on the way down, each layer adds its own bit of information, a header, to the datagram or packet, so that when it gets to the other side each layer knows where its demarcation point is. It may seem obvious, but each layer talks to the same layer on the other side. When we drop a packet onto the wire, the physical layer talks to the physical layer; in other words, the electrical bits that get transmitted
by the network interface on the first system are received by the network interface on the second system. On the second system the layer 2 headers that were put on by the first system get removed and handled as necessary. The same thing happens at the network layer: it is the network layer that puts on the IP header, and the network layer on the other side that removes the IP header and determines what to do from there, and so on up the stack. Again, it may seem obvious, but it is an important distinction to recognise that each layer talks to its peer layer. When you are building a packet you go down through the stack, and when you are receiving you come up through the stack; it is called a stack because you keep pushing headers onto the front of the packet and they get popped off on the other side. So that was a detailed but brief look at how the OSI model is set up and how it works.

Now let's move on to the TCP/IP model, which is on the right-hand side. You will notice a really big difference: there are only four layers in the TCP/IP model, compared with the seven layers of the OSI model. We have the network access layer, the internet layer, the transport layer and the application layer. The functionality the stack provides is the same; in other words you are not going to get less functionality out of the TCP/IP model, it is just that the functionality sits in different places and the demarcation points between the layers are different. Since there are only four layers, a couple of them have taken in functions from several of the OSI layers, and we can go into that right here. At the bottom, the network access layer in the TCP/IP model consists of the physical and data link layers from the OSI model. So on the right here you see the
network access layer taking in the physical and data link layers from the OSI model on the left-hand side. Similarly the application layer of the TCP/IP model encompasses the session, presentation and application layers of the OSI model: on the right, the very top box, the application layer, covers the session, presentation and application layers on the left. That of course leaves the transport layer, which is the same in both, and what the OSI model calls the network layer is called the internet layer in the TCP/IP model; that is where IP lives, and despite the different name it is the same sort of functionality. Those are the really big differences between the OSI and TCP/IP models. Any time I refer to layers through the course of this video I am referring to the OSI model, in part because it makes it easier to differentiate the different functions: if I said "a layer 1 function" in the TCP/IP model, you would not necessarily know whether I was talking about a physical thing or a data link thing. Since there is more granularity in the OSI model it is better to talk about functionality in terms of its layers. So those are the two predominant models, OSI and TCP/IP, for network stacks, network protocols and applications.

Okay, so now that we have discussed the TCP/IP model, let's go over another important protocol, and that is UDP. What you see on your screen right now is Wireshark; we'll be going over what Wireshark is and what it is useful for in the upcoming lessons, but for now let me just show you a UDP packet. Before we get into the analysis of the capture file (it is still filtering), let me tell you a little about UDP. UDP is a protocol in the TCP/IP suite, and it sits at the transport layer, right above the network layer. In the OSI seven-layer reference model, the network layer is where IP lives: the IP header carries the IP addresses, and that is the information
about how to get a packet to its destination and back. The transport layer sits on top of the network layer, and it carries the information needed to differentiate the applications on a host; that information takes the form of ports. So the transport layer has ports and the network layer has, in this case, an IP address. UDP is a transport layer protocol; it stands for User Datagram Protocol, and it is often called connectionless and sometimes unreliable. Unreliable does not mean that you cannot rely on it at all; it means that you cannot trust that what you send will reach the other side. There is nothing in the protocol that guarantees the datagram or packet you send will get where you want it to go, so the protocol has no safety net of that sort. If you need that kind of safety net you should not use plain UDP; you would have to build it into your own application, with acknowledgements, retransmission and so on. The flip side is that UDP is a fast protocol, and that is one of the reasons it is good; it is also why it is unreliable, because to get that speed you give up the error checking and the validation that messages have arrived. Because it is fast it is good for things like games and real-time voice and video, anything where speed matters more than delivering every single packet.

Right here I have a packet capture, so I am using Wireshark to capture some packets, and let's check out a UDP packet. At the top of the details you see the frame: it says 167 bytes on wire, 167 bytes captured, but we are not really interested in the frame part; we are interested in the User Datagram Protocol part. There you can see a source port and a destination port, and then a length and a checksum, and that is about it. As you can see, we do not see a lot of information; all you see is the
source port, the destination port, the length and the checksum. UDP does not come with a lot of headers because it does not need most of the things you see in other packet headers. The only thing it needs is to tell the receiving host which application to deliver to, and that is what the destination port is for. Once the message gets to the destination, the destination should know how to communicate back to the originator, and that is what the source port is for: a return message takes the original source port as its destination port and sends to it in order to reach the originator. So we have a source port, a destination port, and a length. The length is a minimal amount of checking: if the packet you receive is a different size from the length specified in the UDP header, something went wrong and the receiver may discard the message and wait for the next one. The checksum likewise makes sure that nothing in the middle was corrupted in transit, but it is not a security feature: if there is a man-in-the-middle attack, the checksum is trivial to recompute after the packet has been altered, so a correct checksum tells you nothing about whether the packet was tampered with.

In the capture you can see a number of UDP packets. Some of them are listed just as UDP; one of them appears to be from a Skype application talking to Skype's servers. We also have DNS. DNS needs fast response times, because you do not want to spend a lot of time looking up the address of a server you are about to visit just to get there, so DNS throws its queries onto the wire using UDP hoping to get a fast response; it does not want to spend time setting up connections and doing all the negotiating that comes with a protocol like TCP. So here you see DNS using UDP, and what we've got here is another UDP packet with its ports and all the rest, so you can see
it all right here, including the checksum, whose status shows as unverified, meaning Wireshark has not validated it (checksum validation is switched off by default). You can check out all of these fields in Wireshark. So that was UDP, the User Datagram Protocol.

Okay, so now that we are done with UDP, let's talk about addressing modes. Addressing modes describe how a packet is addressed to its destination or destinations, and there are three kinds. The first is unicast, which is the simplest to understand: there is one source and one destination, and the source sends the packet to the destination. Whether the conversation is two-way depends on the protocol you are using on top. With TCP you have a connection, which is a bidirectional stream: the blue computer can talk to the red computer and the red computer can talk back, both at the same time. With UDP there is no connection at all; each datagram stands on its own and goes from the sender to the receiver, and if the receiver wants to answer it simply sends its own datagram back. Next there is broadcast, which means you are sending your packet to everybody on the network; on an IP network that is every host on the local segment. A rough everyday analogy is the broadcast SMS messages from mobile network providers: when you get one of those advertisements saying you have a new rate plan from Vodafone or whoever, one sender has pushed a single message to every phone in the area. Then there is multicast, which is like broadcast but selective: the packet is delivered to a group of receivers that have joined the group, and to nobody else. Sharing your screen with several people works on the same idea, because you have the option not to show a particular computer what you are sharing. So those are the three modes of addressing: unicast, broadcast and multicast. Okay, now
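Here is an added example, written by the editor and not part of the original post, that puts the last few sections together in Python: it builds a UDP datagram, wraps it in an IPv4 packet and then an Ethernet frame the way the stack does on the way down, dissects the frame layer by layer on the way back up the way Wireshark does, checks the UDP length and checksum, and labels the destination MAC and IP addresses as unicast, broadcast or multicast. The addresses, ports and payload are constructed sample values, and the function names are the editor's, not Wireshark's or anyone else's API.

```python
"""Added example (not from the original post): an Ethernet/IPv4/UDP frame built
top-down, dissected bottom-up, with the UDP checksum verified and the
destination addresses classified as unicast, broadcast or multicast.
Every address, port and payload here is a constructed sample value."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum used by IPv4 and UDP: add 16-bit words with end-around carry, then invert."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def udp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """UDP covers a pseudo-header (addresses, protocol, length) plus the whole segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, PROTO_UDP, len(segment))
    return ones_complement_checksum(pseudo + segment)


# Building: each layer prepends its own header, top of the stack downwards.
def build_udp(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload) or 0xFFFF  # 0 would mean "no checksum"
    return header[:6] + struct.pack("!H", csum) + payload


def build_ipv4(src_ip, dst_ip, payload: bytes, ident=0x1234, ttl=64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl, PROTO_UDP, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:] + payload


def build_ethernet(src_mac, dst_mac, payload: bytes) -> bytes:
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + payload


# Addressing modes: who a destination address is meant for.
def classify_mac(mac: str) -> str:
    raw = mac_bytes(mac)
    if raw == b"\xff" * 6:
        return "broadcast"
    return "multicast" if raw[0] & 0x01 else "unicast"  # I/G bit of the first octet marks a group address


def classify_ipv4(ip: str) -> str:
    if ip == "255.255.255.255":
        return "broadcast"
    return "multicast" if 224 <= socket.inet_aton(ip)[0] <= 239 else "unicast"  # 224.0.0.0/4


# Dissecting: peel the headers off bottom-up, as the receiving stack does.
def dissect(frame: bytes) -> dict:
    dst_mac, src_mac, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if etype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    src_ip, dst_ip = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if proto != PROTO_UDP:
        raise ValueError("not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", udp[:8])
    return {
        "eth": {"dst": mac_str(dst_mac), "src": mac_str(src_mac), "dst_mode": classify_mac(mac_str(dst_mac))},
        "ip": {"src": src_ip, "dst": dst_ip, "dst_mode": classify_ipv4(dst_ip),
               "header_ok": ones_complement_checksum(ip[:ihl]) == 0},  # an intact header sums to zero
        "udp": {"sport": sport, "dport": dport, "length": ulen, "length_ok": ulen == len(udp),
                # likewise the covered region sums to zero when the checksum is right; 0 means unused
                "checksum_ok": ucsum == 0 or udp_checksum(src_ip, dst_ip, udp) == 0},
        "payload": udp[8:],
    }


def tamper_and_refix(frame: bytes, new_payload: bytes) -> bytes:
    """What a man-in-the-middle does: swap the payload and recompute every checksum."""
    p = dissect(frame)
    udp = build_udp(p["ip"]["src"], p["ip"]["dst"], p["udp"]["sport"], p["udp"]["dport"], new_payload)
    return build_ethernet(p["eth"]["src"], p["eth"]["dst"], build_ipv4(p["ip"]["src"], p["ip"]["dst"], udp))


def sample_frame() -> bytes:
    """A constructed DNS-style query from a laptop to its resolver (hypothetical addresses)."""
    udp = build_udp("192.168.1.31", "192.168.1.1", 51000, 53, b"constructed dns query")
    return build_ethernet("aa:bb:cc:00:00:31", "aa:bb:cc:00:00:01", build_ipv4("192.168.1.31", "192.168.1.1", udp))


if __name__ == "__main__":
    parsed = dissect(sample_frame())
    for layer in ("eth", "ip", "udp"):
        print(layer, parsed[layer])
    corrupted = bytearray(sample_frame())
    corrupted[-1] ^= 0xFF  # flip a payload byte without touching the checksum
    print("corrupted checksum_ok:", dissect(bytes(corrupted))["udp"]["checksum_ok"])
    print("tampered and refixed checksum_ok:", dissect(tamper_and_refix(sample_frame(), b"evil"))["udp"]["checksum_ok"])
```

Run it and the last two lines make the point about the checksum: flipping a byte without updating the checksum fails the check, but an attacker who recomputes it after tampering passes it, which is why the UDP checksum catches corruption and not tampering. The classify functions show what makes an address broadcast or multicast at each layer: all-ones for an Ethernet broadcast, the low bit of the first octet for an Ethernet group address, and the 224.0.0.0/4 range for IPv4 multicast.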
moving on, let's look at the tool we just used for the UDP packets, Wireshark. What exactly is Wireshark? It is a packet capture utility, meaning that it grabs data as it goes out to, or comes in from, the network. There are a number of reasons why that is useful or important, and the big one is that what is on the wire is what actually happened. Applications and their logs can be misleading or inaccurate, and if an attacker gets into an application he may be able to alter the logging; there are several other behaviours that make it difficult to see what is really going on. A capture, on the other hand, records the packets that actually crossed the network. That does not mean a packet's contents are trustworthy (an attacker can spoof the addresses inside a packet), but the fact that a packet was sent, and what it contained, cannot be edited out of the capture after the fact.

So what we are going to do here is a quick packet capture. Let me open up Wireshark. As you can see I already have it open; let me just remove the UDP filter that was there so Wireshark shows everything it captures, and let's go over what you see on the screen and some important features of Wireshark, so that we can use it later on when we start doing more significant work. I select the interface I am primarily using, which is my Wi-Fi, and then I'll go over to the browser and bring up a Google page so that we can see what happens on the network. As you can see, even before I open the page Wireshark is capturing a bunch of background traffic. Now let me open the Google page, which sends some more data. Going back, it has grabbed a whole bunch of stuff off the net. I'm just going to stop the capture now and go back and take a look at some of
the messages here and the features of Wireshark. On the top part of the screen there is a window with the columns No., Time, Source, Destination, Protocol, Length and Info. Those are all the packets that have been captured, numbered starting from one; the time is relative to the point at which we started capturing; then you see the source and destination addresses, the protocol, the length of the packet in bytes, and some summary information about the packet. In the middle pane you see detailed information about the packet that has been selected. Suppose I select this TCP packet: we can go through the frame (the frame entry has an interface ID, an encapsulation type and all kinds of information about the frame), then look at the source port, the destination port, the sequence number, the flags, the checksums; you can basically check everything about a packet, because this is a packet analyser as well as a packet sniffer. For the TCP packet I have selected, the middle pane says frame 290, meaning it is the 290th packet captured, and that the packet captured was 66 bytes, which is 528 bits. Below that you see the source and destination MAC addresses, the layer 2 addresses, then the IP addresses, then the TCP entry with its source and destination ports, and you can keep drilling down into the different bits of the packet. When you select a particular section of the packet, the bottom pane highlights it in what is a hex dump of the packet, with the hex on the left and the ASCII rendering on the right.

What is really cool about Wireshark is that it pulls the packet apart into the different layers we have spoken about, the
differentlayers of the OSI and the tcp/ip model and the packets are put in two differentlayers and there's a couple of different models that we can talk about with thatbut Wireshark does really nicely is it demonstrate those layers for us as wecan see here it is actually folios and in this particular packet here we canalso do something so I've got a Google web request so what I want to do here isI want to filter based on HTTP so I find filter so let's see we can do an sgtpand what I see here is say yes text input and it's going to get an image sothat's a PNG image and this request get the item that's going to be displayed inthe address bar so you also see something called ARP out here which I'llbe talking about very soon so let's just a filtering be done now in the webbrowser it's a favicon dot ICO that I can dohere I can select analyze and follow TCP streams you can see all the requestsrelated to this particular request and it breaks them down very nicely so youcan see we've sent some requests to Spotify because I've been using Spotifyyou actually listen to some music then you can see Ohsorts of stuff like this was something to some not found place so let's justtake the Spotify one and you can see that we get a bunch of information fromthe Spotify thing at least you can see the destination the source it's an IntelCore machine so the first part of the MAC address the first few digits letsyou tell if it's what what is the vendor ID so intel has its own mental ID so f186 probably tells us that it's that's an Intel Core so why shock does isreally neat little thing that it also tells us from the MAC address what typeof machine you're sending your packets to from the back address itself so it'scoming from a soft force for C and going to an Intel Core and the type is ipv4 sothat was all about Wireshark you can use it extraneously for packet sniffing andpacket analysis packet analysis comes very handy when you are trying toactually figure out how to do some stuff like IDs 
evasion, where you want to craft your own packets and analyse the packets going into the intrusion detection system to see which ones actually get detected as an intrusion, so that you can craft your packets in a way that does not get detected by the IDS. So this is a very nifty little tool. We'll be talking about how you can craft your own packets in just a little while, but for now let's move ahead.

Okay, so now that we are done with our small introduction to and brief history of Wireshark, let's move on to the next topic for the video, and that is DHCP. DHCP stands for Dynamic Host Configuration Protocol. It is a network management protocol used to dynamically assign an Internet Protocol address to any device on a network so that it can communicate using IP. DHCP automates and centrally manages these configurations, rather than requiring a network administrator to manually assign IP addresses to all the network devices, and it can be implemented on small local networks as well as in large enterprises. DHCP assigns a new IP address in each location when a device is moved from place to place, which means network administrators do not have to manually configure each device with a valid IP address: if a device that has an address is moved to a new part of the network, it does not need any reconfiguration. Versions of DHCP are available for Internet Protocol version 4 and Internet Protocol version 6.

What you see on your screen is a very simplistic diagram of how DHCP works, so let me run you through it. DHCP runs at the application layer of the TCP/IP protocol stack (over UDP, port 67 on the server side and port 68 on the client side) to dynamically assign IP addresses to DHCP clients and to allocate TCP/IP configuration information to them; this includes the subnet mask, the default gateway's IP address, and domain name system (DNS) server addresses. DHCP is a client/server protocol in which servers manage pools of unique IP
addresses, as well as information about client configuration parameters, and hand out addresses from those pools. DHCP-enabled clients send a request to the DHCP server whenever they connect to a network: a client configured for DHCP broadcasts a request for the network configuration information of the local network it is attached to, typically immediately after booting up. (The exchange is usually described as four messages: DISCOVER, OFFER, REQUEST and ACK.) The DHCP server responds to the client's request by providing IP configuration information previously specified by a network administrator; this includes a specific IP address as well as the time period, called the lease, for which the allocation is valid. When refreshing an assignment the client requests the same parameters, but the server may assign a new IP address based on the policy set by the administrator. A DHCP server keeps a record of all the IP addresses it allocates to network nodes; if a node is relocated in the network, the server identifies it using its media access control (MAC) address, which prevents accidentally configuring multiple devices with the same IP address.

DHCP is not a routable protocol, nor is it a secure one. DHCP requests are broadcasts, so they are limited to a single local area network, which means one DHCP server per LAN is adequate. Larger networks may have a wide area network with multiple individual locations, and depending on the connections between those points and the number of clients in each location, multiple DHCP servers can be set up to handle the distribution of addresses. If a network administrator wants one DHCP server to provide addressing to multiple subnets, he must configure DHCP relay agents on the interconnecting routers that the DHCP requests have to cross; those agents relay messages between the DHCP clients and the server. DHCP also lacks any built-in mechanism for clients and servers to authenticate each other, so both are vulnerable to deception (a rogue server can answer clients with bogus configuration) and to attacks where rogue
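As an added example, written by the editor and not taken from the original post, here is the DHCP message format and the exchange just described in Python: a client DISCOVER is built byte for byte, the server parses it, answers with an OFFER drawn from a lease pool keyed by the client's MAC address, and then an attacker forges a different MAC address per request until the pool is empty, which is the starvation attack that the lack of authentication makes possible. The addresses, the pool size and all MAC addresses are constructed, and the LeasePool class is a toy model of the server side, not a real DHCP server.

```python
"""Added example (not from the original post): build and parse DHCP messages, and
model a server's lease pool to show why a protocol with no client authentication
can be starved by forged requests. Every address and MAC address is constructed."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # the fixed 236-byte BOOTP part of every DHCP message


def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def build_dhcp(op, xid, chaddr, options, yiaddr="0.0.0.0", broadcast=True) -> bytes:
    """Fixed header (op, htype=1 Ethernet, hlen=6, ...), magic cookie, TLV options, END."""
    fixed = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000 if broadcast else 0,
                        ip4("0.0.0.0"), ip4(yiaddr), ip4("0.0.0.0"), ip4("0.0.0.0"),
                        bytes.fromhex(chaddr.replace(":", "")), b"", b"")  # struct zero-pads chaddr/sname/file
    tlv = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return fixed + MAGIC_COOKIE + tlv + b"\xff"


def parse_dhcp(msg: bytes) -> dict:
    (op, _htype, hlen, _hops, xid, _secs, flags, _ci, yiaddr, _si, _gi,
     chaddr, _sname, _file) = struct.unpack(HEADER, msg[:236])
    if msg[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP or garbage")
    options, i = {}, 240
    while i < len(msg) and msg[i] != 255:  # 255 = END
        if msg[i] == 0:                     # 0 = PAD, carries no length byte
            i += 1
            continue
        code, length = msg[i], msg[i + 1]
        options[code] = msg[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "chaddr": ":".join("%02x" % b for b in chaddr[:hlen]),
            "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
            "type": MSG_TYPE.get(options.get(53, b"\x00")[0], "UNKNOWN"),
            "options": options}


class LeasePool:
    """The server side: a pool of addresses handed out per client MAC address.
    Nothing here verifies who sent the DISCOVER, which is exactly the weakness."""

    def __init__(self, first, last, mask="255.255.255.0", router="192.168.1.1", dns="192.168.1.1", lease_seconds=3600):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]
        self.leases = {}  # client MAC -> address: the record the server keeps
        self.mask, self.router, self.dns, self.lease = mask, router, dns, lease_seconds

    def handle(self, msg: bytes):
        """Answer a DISCOVER with an OFFER, or None when there is nothing left to offer."""
        req = parse_dhcp(msg)
        if req["op"] != BOOTREQUEST or req["type"] != "DISCOVER":
            return None
        mac = req["chaddr"]
        if mac in self.leases:      # a known client gets its old address back
            addr = self.leases[mac]
        elif self.free:
            addr = self.leases[mac] = self.free.pop(0)
        else:
            return None             # pool exhausted: starvation succeeded
        options = [(53, b"\x02"), (1, ip4(self.mask)), (3, ip4(self.router)), (6, ip4(self.dns)),
                   (51, struct.pack("!I", self.lease)), (54, ip4(self.router))]
        return build_dhcp(BOOTREPLY, req["xid"], mac, options, yiaddr=addr)


def discover(mac: str, xid: int) -> bytes:
    """What a booting client broadcasts: no address yet, asks for mask, router and DNS."""
    return build_dhcp(BOOTREQUEST, xid, mac, [(53, b"\x01"), (55, bytes([1, 3, 6]))])


def starvation(pool: LeasePool, attacker_prefix="de:ad:be:ef:00") -> int:
    """Forge a fresh MAC per DISCOVER until the server stops answering; returns leases taken."""
    taken = 0
    while pool.handle(discover("%s:%02x" % (attacker_prefix, taken), 0x1000 + taken)) is not None:
        taken += 1
    return taken


if __name__ == "__main__":
    pool = LeasePool("192.168.1.100", "192.168.1.104")  # five addresses, constructed
    offer = parse_dhcp(pool.handle(discover("aa:bb:cc:00:00:31", 0x31)))
    print(offer["type"], offer["yiaddr"], "lease", struct.unpack("!I", offer["options"][51])[0], "s")
    print("addresses an attacker drained:", starvation(pool))
    print("next legitimate client gets:", pool.handle(discover("aa:bb:cc:00:00:32", 0x32)))
```

The legitimate client still gets its old address back after the attack because the server remembers its MAC, but a new machine joining the LAN gets nothing, and an attacker who also runs a rogue server at that point is the only one left to answer it.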
Let's move on to the next topic: why use DHCP? I just told you that DHCP doesn't really have any authentication, so it can be fooled quite easily, so what are the advantages of using it? DHCP offers quite a lot of advantages. The first is IP address management: a primary advantage of DHCP is easier management of IP addresses in a network. Without DHCP you must manually assign IP addresses, you must be careful to assign a unique IP address to each client and configure each client individually, and if a client moves to a different network you must make manual modifications for that client. When DHCP is enabled, the DHCP server manages the assignment of IP addresses without the administrator's intervention, and clients can move to other subnets without manual reconfiguration because they obtain new client information appropriate for the new network from a DHCP server. Apart from that, DHCP provides centralized network client configuration, support for BOOTP clients, support for local and remote clients, support for network booting, and support for large networks, not only small-scale networks. So DHCP has a wide array of advantages even though it doesn't really have any authentication, and because of these advantages DHCP finds widespread use in a lot of organizations. That winds up DHCP for us.

Now let's move on to the next topic for this video, which is the Address Resolution Protocol (ARP). ARP is a protocol used on a local area network, so let me give you a brief introduction to it, and then we'll get into how an ethical hacker can use it to look for vulnerabilities and to tell whether somebody is actually being attacked. As I just said, ARP is a local area network protocol; it
basically works whenever you are on a LAN. Suppose you have a bunch of computers connected over a LAN with the following IPs: 192.168.1.31, 192.168.1.32, 192.168.1.33 and 192.168.1.34. Here is how ARP works in this scenario. When the red computer wants to send a piece of data, a packet or a datagram, to the yellow computer, it knows the IP address it is calling out to, so it broadcasts a 'who is' message on the LAN, like 'who is 192.168.1.33?', and then listens for a reply. It sends out that packet without really knowing which machine to send it to, because nobody has responded yet. So the red computer asks 'who is 192.168.1.33?', the yellow computer recognizes that it has that IP address, and it replies, 'hey, here's my MAC address, so we can communicate more easily in the future.' That MAC address gets tied to the IP address in the ARP table, which I'm going to show you in a few minutes.

What you have to understand is that this is actually exploitable, because there is no validation: anybody can come into this situation and just lie. Suppose we have 192.168.1.31, the yellow computer, and also another computer, the blue one, which is not supposed to be on the LAN, but somehow this guy got into the building, plugged in a LAN cable, and now he's on the network. What he can do is catch the packet that you are sending and then pass it on to 192.168.1.33, simply by lying while the ARP protocol is running and saying 'yep, I'm actually the yellow computer, so send your data to me'. Then he can modify the data and send it on to the yellow one, and when the reply comes, it will also be forwarded to the blue computer. What I'm explaining in this scenario is called a man-in-the-middle attack. So that was the ARP protocol; now let's talk about how we can use ARP to our advantage as an ethical hacker.

Now that we know how ARP works, let me show you how you can access the ARP table on your computer. All you have to do is open up a command prompt and type 'arp -a'. This is not specific to Windows; it can be run on any machine that has the TCP/IP suite of protocols installed, because every computer system has what is called an ARP table. The reason it's called an ARP table is that it matches a layer two address, the physical or MAC address, to an IP address, which is what the Address Resolution Protocol does: it resolves an IP address to a MAC address, or physical address. MAC address and physical address are interchangeable because they mean the same thing. It's called the physical address because it is physically on a network interface, which is of course a physical device, so it's sometimes called the physical address and sometimes the MAC address, for Media Access Control. I might say MAC address or physical address to make a particular point, but it means the same thing. So you can see here the IP addresses and the MAC addresses listed in the ARP table. I've used '-a', which means 'show me all your ARP entries'. I'm doing this on a Windows system, but as I just said, it's possible on a Linux system and on anything with the TCP/IP suite of protocols installed, because it's an important utility to have in order to help diagnose problems with your network. So that is how you display an ARP table, and as I said, ARP is just a mapping from IP address to MAC address. Let me show you what the protocol looks like when it's actually working, so let's head over to Wireshark. We choose the interface that we want to see, then all we do is put on a filter that says 'arp', and you can see the ARP packets we are capturing.
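As an added example (not part of the original post), here is Python that parses the 'arp -a' output shown above and replays a sequence of ARP replies to flag the symptoms of the scenario just described: one MAC answering for several IPs, or an IP whose MAC changes mid-capture. The table text and the capture are constructed sample data.

```python
"""Parse `arp -a` (Windows layout, as shown above) and watch ARP replies for
the symptoms of ARP spoofing: one MAC claiming several IPs, or an IP whose
MAC changes. Added example, not from the original post; data is constructed."""
import re
from collections import defaultdict

# Constructed `arp -a` output in the Windows layout.
ARP_A_OUTPUT = """\
Interface: 192.168.1.31 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-01     dynamic
  192.168.1.33          00-11-22-33-44-33     dynamic
  192.168.1.34          00-11-22-33-44-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_a(text):
    """Return {ip: mac} for dynamic entries; MACs normalised to aa:bb:cc:dd:ee:ff."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def macs_with_multiple_ips(table):
    """One MAC holding several IPs is the static picture of a poisoned table
    (the spoofer answers for the gateway and/or the victim). Legitimate
    multi-homed hosts can look the same, so treat this as a lead, not proof."""
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def watch_replies(replies):
    """Replay ARP replies (as seen in the Wireshark capture above) given as
    (timestamp, sender_ip, sender_mac) tuples and flag any IP whose MAC
    changes mid-capture, which is how a forged reply looks on the wire."""
    known = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        old = known.get(ip)
        if old is not None and old != mac:
            alerts.append({"time": ts, "ip": ip, "was": old, "now": mac})
        known[ip] = mac
    return alerts


# Constructed capture: the gateway .1 answers legitimately, then a second
# host starts answering for .1 with its own MAC.
SAMPLE_REPLIES = [
    (1.0, "192.168.1.1", "00:11:22:33:44:01"),
    (2.0, "192.168.1.33", "00:11:22:33:44:33"),
    (3.5, "192.168.1.1", "00:11:22:33:44:33"),
]
```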
This is what they look like. As I said, it's a 'who has' request and a 'tell me' reply, and there is no authentication. This guy is asking who has a 192.168.1 address; if we expand the hardware section you can see that the target MAC address is empty, because it hasn't gotten a reply yet. When the MAC address is given, the addresses are exchanged and it is sent back. The sender MAC address here is a Broadcom, and Wireshark does a really neat job of resolving vendor names from the MAC address. There's an ASRock entry, and Google, as I just saw, some Google phone, I guess maybe an Android, I'm not really sure. This is how ARP packets look and how ARP works. If you were trying to do a man-in-the-middle attack, and you shouldn't be trying to do that because it's completely unethical, but just in case, you could try to forward the IP to your own address and just spoof your reply; you can use tools like ettercap for that. That was all about ARP.

Now let's move on to our next topic, which comes right after ARP because while studying ARP you must have realized, as I told you, that ARP has no sort of validation, so how could that be fixed? If the data being transferred over the LAN is encrypted using cryptography, ARP can still be used perfectly validly: what you want to do is hide what you are sending before sending it out on the local network, so that people who are not supposed to get it can't actually read it. So let's first address the question: what exactly is cryptography? Cryptography is basically the art of hiding things, and when talking about computers and computer science in general, that means hiding data. Cryptography doesn't start with the New Age; it's been around for a long, long time, since the time of Julius Caesar, and we'll be talking about the history of
cryptography right now. But what I want you to understand is that when a message is sent, a key is used along with an encryption algorithm. This key is also sent to the other person, and how the keys are exchanged we can get into later. All you want to understand for now is that a message is encrypted using an encryption algorithm that takes the key and the message as parameters. On the other side, the message after encryption is called ciphertext, because it has to be deciphered; 'cipher' is a Latin or Greek word, I'm not really sure which, that means to hide. So first you encrypt your message, then you decrypt the ciphertext with the decryption key, which most of the time is the same as the encryption key when we're talking about symmetric key cryptography: you feed the decryption key and the ciphertext into the decryption algorithm and you get the same message out on the other side. Basically it's like a password; it's password protection for messages, and cryptography is a fancy way of saying that.

So let me give you a brief history of cryptography. Cryptography goes back several thousand years: shortly after people began finding ways to communicate, some of them were finding ways to make that communication hard to understand so that other people couldn't follow what was going on. This led to the development of the Caesar cipher, developed by Julius Caesar. It's a simple rotation cipher, and by that I mean that you rotate the alphabet by a portion of the key in order to generate the algorithm. Here's an example: we've got two rows of letters in alphabetical order, meaning we've basically written the alphabet down twice, and the second row is shifted by three letters, so you look up a letter in the first row and read off the encrypted letter beneath it in the second row.
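The rotation cipher just described, as an added Python example (not from the original post): the shifted second row is built from the shift value, so the same function gives the Caesar cipher with a shift of 3 and rot13 with a shift of 13, and listing all 25 shifts shows how small the key space is.

```python
"""Rotation (Caesar) cipher: the alphabet written twice, the second row
shifted by `shift` positions. rot13 is the same cipher with a shift of 13.
Added example, not from the original post."""
import string

ALPHABET = string.ascii_lowercase


def rotate(text, shift):
    """Shift every letter `shift` places; other characters pass through.
    A negative shift (or 26 - shift) undoes the rotation."""
    shift %= 26
    row1 = ALPHABET
    row2 = ALPHABET[shift:] + ALPHABET[:shift]  # the shifted second row
    table = str.maketrans(row1 + row1.upper(), row2 + row2.upper())
    return text.translate(table)


def caesar_encrypt(text, shift=3):
    return rotate(text, shift)


def caesar_decrypt(text, shift=3):
    return rotate(text, -shift)


def rot13(text):
    # 13 + 13 = 26, so applying rot13 twice gives the original back:
    # the cipher is its own inverse, which is why it needs no separate decrypt.
    return rotate(text, 13)


def all_shifts(ciphertext):
    """Why this is obfuscation rather than protection: there are only 25
    possible shifts, so every candidate plaintext can be listed at once."""
    return {s: rotate(ciphertext, -s) for s in range(1, 26)}
```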
That's an example of how encryption works. If you try to encrypt a word like hello, it looks like complete gibberish after it comes out of the algorithm; if you count the letters, you can see that the letter H is translated to a different letter, and so on. So that's the Caesar cipher. Now you must have heard of things like rot13, which means you rotate by 13 letters instead of three; that's the same simple rotation or shift cipher, and of course that's what the 'rot' stands for: rotate, or rotation.

Coming forward a couple of thousand years, we have the Enigma cipher. It's important to note that Enigma is not the name given to this cipher by the people who developed it; it's the name given to it by the people who were trying to crack it. The Enigma cipher is a German cipher: they developed this cipher and a machine that was capable of encrypting and decrypting messages, so they could get messages to and from different battlefields and war fronts. That is similar to the Caesar cipher: Caesar used it to communicate with his generals in the field, and the same thing applies to the Germans. You've got to get messages from headquarters down to where the people are actually fighting, and you don't want them intercepted in between by the enemy, so you use encryption. A lot of energy was spent by the Allies, and in particular the British, trying to decrypt those messages. It's one of the first instances we are aware of where a machine was used to do the actual encryption.

Now we come ahead a few decades to the 1970s, when it was felt that there was a need for a digital encryption standard. The National Institute of Standards and Technology (NIST) is responsible for that sort of thing, so they put out a proposal for this digital encryption standard and an encryption algorithm. What ended up happening was that IBM came up with an encryption algorithm based on the Lucifer cipher that
was one their people had been working on a couple of years previously, in 1974. They put this proposal together based on the Lucifer cipher, and in 1977 that proposal was the one chosen to be the digital encryption standard, and so it came to be known as DES. Over time it became apparent that there was a problem with it: it only had a 56-bit key size, and while in the 1970s that was considered adequate to defend against brute-forcing and code breaking, by the 1990s it was no longer considered adequate. There was a need for something more, and it took time to develop something that would last for a long period, so in the meantime a stopgap was developed, and that stopgap is what we call Triple DES. The reason it's called Triple DES is that you apply the DES algorithm three times, in different ways, using three different keys. Here's how Triple DES works. Your first 56-bit key is used to encrypt the plaintext, just like you would with the standard DES algorithm. Where it changes is that you take the ciphertext returned from that first round of encryption and apply the decryption algorithm to it; the key thing to note is that you don't use the first key to decrypt, because otherwise you'd just get the plaintext back. Instead you use a second key with the decryption algorithm against the ciphertext from the first round. Now you've got ciphertext that has been encrypted with one key and decrypted with a second key, and we take that and apply a third key using the encryption portion of the algorithm, to get a whole new set of ciphertext. Obviously, to decrypt, you do the reverse: with the third key you decrypt, with the second key you encrypt, and with the first key you decrypt, so you apply the keys in reverse order with the reverse algorithm at each step. We get an effective key size of about 168 bits, but it's still only 56 bits at a time.

I said Triple DES was only a stopgap; what we were really looking for was the Advanced Encryption Standard. Once again NIST requested proposals so that they could replace the digital encryption standard, and in 2001, after several rounds of looking for algorithms, looking them over and getting them evaluated, NIST selected an algorithm put together by a couple of mathematicians. The algorithm was called Rijndael, and that became the Advanced Encryption Standard, or AES. One of the biggest advantages of AES is that it supports multiple key lengths: currently what you'll typically see is AES used with 128-bit keys, but AES supports up to 256-bit keys, so if we get to the point where 128 bits isn't enough we can move all the way up to 256 bits of keying material. So cryptography has a really long history. Currently we are in a state where we have a reasonably stable encryption standard in AES, but the history of cryptography shows that with every encryption scheme, eventually people find a way to crack it. That was a brief history of cryptography.

Now what I want to do is go over AES, Triple DES and DES in themselves, because they are some really key moments in the history of cryptography. We're going to talk about the different types of cryptographic ciphers, and primarily we're going to be talking about DES, Triple DES and AES. DES is the digital encryption standard. It was developed by IBM in the 1970s; originally it was a cryptographic cipher named Lucifer, and after some modifications IBM proposed it as the digital encryption standard, it was selected to be the digital encryption standard, and ever since then it's been known as DES. One thing that caused a little bit of controversy was that during the selection process the NSA requested some changes, and it hasn't been particularly clear what changes were requested by the NSA. There has been some speculation about whether the NSA was requesting a backdoor into the digital encryption standard that would allow them to read encrypted messages in the clear; basically, it would always give the NSA the ability to decrypt DES-encrypted messages. DES remained the encryption standard for the next couple of decades or so. So what is DES and how does it work? Basically it uses a 56-bit key, and rather than a stream cipher it's a block cipher, with 64-bit blocks. In 1998 DES was effectively broken when a DES-encrypted message was cracked in three days; a year later a network of 10,000 systems around the world cracked a DES-encrypted message in less than a day, and it's just gotten worse since then with modern computing power being what it is. Since DES was created, we have come to the realization that we need something else, and so along came Triple DES.

Triple DES isn't necessarily three times the strength of DES; it applies DES three times. What I mean by that is that we take a plaintext message, let's call it P, and we use a key, K1, to encrypt the message, resulting in ciphertext C1. C1 is the output of the first round of encryption. We then apply a second key, K2, and with that key we go through a decryption process on C1; since it's the wrong key we are not going to get plaintext out on the other end, but another round of ciphertext, which we call C2. With C2 we apply a third key, K3, and encrypt C2, which results in another round of ciphertext, C3. So we have three different keys applied in two different ways: with key 1 and key 3 we do a round of encryption, and with key 2 we do a round of decryption, so it's an encrypt-decrypt-encrypt process with separate keys. While that doesn't really yield a full 168-bit key, the three rounds use an effective key size of 168 bits, because you have to find three 56-bit keys. Speaking of technical details, Triple DES is still using the DES block cipher with 56-bit keys, but since we've got three different keys we get an effective length of around 168 bits. Triple DES was surely just a stopgap measure: we knew that if DES could be broken, Triple DES could surely be broken with just some more time. So NIST requested a new standard in 1999, and in 2001 NIST published an algorithm called AES: the algorithm originally called Rijndael was published by NIST as the Advanced Encryption Standard. Some technical specifications about AES: the original Rijndael algorithm specified variable block sizes and key lengths, and as long as those block sizes and key lengths were multiples of 32 bits (32, 64, 96 and so on) you could use them. When AES was published, it specified a fixed 128-bit block size and key lengths of 128, 192 and 256 bits, so with AES we've got three different key lengths but one block size. That's a little bit of detail about DES, Triple DES and AES; we'll use some of these in hands-on work in a subsequent part of this video.

Now that I've given you a brief history of how we reached the encryption standard we follow today, the Advanced Encryption Standard, let's talk a little bit more about DES, Triple DES and AES. DES is the
digital encryption standard. It was developed by IBM in the 1970s and originally was a cryptographic cipher called Lucifer; after some modifications IBM proposed it as the digital encryption standard, it was selected to be the digital encryption standard, and ever since then it's been known as DES. One thing that caused a little bit of controversy was that during the selection process the NSA requested some changes, and it hasn't been particularly clear what those changes were; there has been some speculation about whether the NSA was requesting a backdoor into the digital encryption standard that would allow them to read encrypted messages in the clear, which would always give the NSA the ability to decrypt DES-encrypted messages. DES remained the digital standard for encryption for the next couple of decades. So what does it do and how does it work? Basically it uses a 56-bit key; rather than a stream cipher it's a block cipher, and it uses 64-bit blocks. In 1998, as you know, DES was effectively broken when a DES-encrypted message was cracked in three days, and a year later a network of 10,000 systems around the world cracked a DES-encrypted message in less than a day. It's only gotten worse since then, with modern computing being what it is today.

Once DES had been created and broken, we knew we needed something, and what came in between DES and the Advanced Encryption Standard was Triple DES. Triple DES isn't necessarily three times the strength of DES; it's really DES applied three times. What I mean is that we take a plaintext message, call it P, and use a key, k1, to encrypt the message, giving ciphertext c1. c1 is the output of the first round of encryption. We then apply a second key, k2, and with that second key we go through a decryption process on c1. Since it's the wrong key, we are not going to get the plaintext out of the decryption process; on the other end we get another round of ciphertext, which we call c2. With c2 we apply a third key, k3, and encrypt ciphertext c2, resulting in ciphertext c3. So we have three different keys applied in two different ways: with key 1 and key 3 we do a round of encryption, with key 2 we do a round of decryption, so it's basically an encrypt-decrypt-encrypt process with three separate keys. What it really gives you is not a true 168-bit key: in effect it's three 56-bit keys that are being used, so you could say that it's a 168-bit key, but it is not the same strength, because people realized Triple DES can be broken: if DES is broken, you can do the same thing three times, whatever keys are used. It just takes a lot longer to decrypt if you don't know the three keys, and if you are using a brute-force attack you know that Triple DES can be broken if DES can. So Triple DES was literally a stopgap between DES and AES, because people knew we needed something more than Triple DES, and for this NIST, the National Institute of Standards and Technology, in 2001 chose as the algorithm what is now called the Advanced Encryption Standard. It was originally called the Rijndael algorithm, and the main difference between the Rijndael algorithm and the AES algorithm is that Rijndael specifically states in its papers that it has a variable block size and a variable key size, as long as they are multiples of 32 (32, 64, 96 and so on), whereas AES gives you one block size, 128 bits, and three different key sizes: 128, 192 and 256 bits.
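The encrypt-decrypt-encrypt construction above, written out as an added Python example (not from the original post). Python's standard library has no DES, so a small SHA-256-based Feistel network stands in for the 64-bit block cipher; the point is the key order, the reversed decryption, and why EDE with all three keys equal reduces to a single encryption.

```python
"""Triple DES style encrypt-decrypt-encrypt (EDE) over a generic 64-bit block
cipher. A SHA-256 Feistel network stands in for DES (structure only; it is
not a secure cipher). Added example, not from the original post."""
import hashlib

ROUNDS = 8
BLOCK_BYTES = 8  # 64-bit blocks, like DES


def _round_fn(half: bytes, key: bytes, i: int) -> bytes:
    """Keyed round function: 32 bits derived from (key, round number, half)."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(block: bytes, key: bytes) -> bytes:
    """One 64-bit block through the Feistel network (stand-in for DES encrypt)."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(right, key, i))
    return right + left  # final swap, as in DES


def block_decrypt(block: bytes, key: bytes) -> bytes:
    """Same network with the round keys applied in reverse order."""
    assert len(block) == BLOCK_BYTES
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _round_fn(right, key, i))
    return right + left


def tdes_encrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """EDE: encrypt with K1, decrypt with K2, encrypt with K3."""
    c1 = block_encrypt(block, k1)
    c2 = block_decrypt(c1, k2)   # the "wrong" key: more ciphertext, not plaintext
    return block_encrypt(c2, k3)


def tdes_decrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Reverse order and reverse operation at each step: D(K3), E(K2), D(K1)."""
    c2 = block_decrypt(block, k3)
    c1 = block_encrypt(c2, k2)
    return block_decrypt(c1, k1)
```

With k1 = k2 = k3 the middle decryption cancels the first encryption, so the EDE output equals a single encryption with that key, which is what let Triple DES hardware interoperate with plain DES.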
So with AES there are three different key lengths but one block size. That was a little bit more information on AES, DES and Triple DES, and we are going to be using this information in some subsequent lessons. Now, moving on: now that we've discussed the history of cryptography and the more important cryptographic algorithms, let's discuss the different types of cryptography. The first type I'm going to talk about is symmetric cryptography, and by symmetric cryptography I mean that the key is the same for encrypting and decrypting: I use the same key whether I am encrypting or decrypting the data. One of the things about symmetric key cryptography is that it uses a shorter key length than asymmetric cryptography, which I'll get into in a couple of minutes; it's also faster than asymmetric, and you can use algorithms like DES or AES, as both are symmetric key algorithms, with a utility like AESCrypt. Let me demonstrate how symmetric key cryptography works. For this we use a tool called AESCrypt, which is available for Linux, Windows and Mac; I'm using the console version on Windows. First of all, I have a text file called text.txt, so let me show you. As you can see, I have this file text.txt, and this is what it contains: the sentence 'the quick brown fox jumped over the lazy dog', the sentence that contains all the letters of the English alphabet. Now we are going to try to encrypt it. We could use something like AES or DES, because both of them are symmetric key ciphers, or symmetric key algorithms rather, and we are using AES in this case. So what we do is run aescrypt, tell it to encrypt, and use a password of, let's say, Pokemon, and we're
going to give it text.txt as the file to encrypt. Now that we have encrypted the file, let's look: we must have a new file, and this is it, text.txt.aes. That is our encrypted file, and this is what we would generally send over the network if we were sending it to anybody. Let's assume the person who receives it also knows our encryption algorithm and the key that goes along with it, so let's try to decrypt it. Before I decrypt it, let me show you what the encrypted message looks like: if we type out text.txt.aes, this is what the ciphertext looks like. As you can see, the Windows console can't really display everything, but if I were to open the file in Notepad++ you would see it's a bunch of junk; you really can't make out anything, you can't decipher much, and that's the point of using encryption. Now if you want to decrypt it, all you do is run aescrypt again, tell it to decrypt, give the password, which is again Pokemon, and point it at text.txt.aes. That decrypts our message for us. So this is how you would use AESCrypt for encryption and decryption, and that's how you would use symmetric key encryption to encrypt a file.

Symmetric key encryption uses either a stream cipher or a block cipher, and the difference between the two is that a block cipher takes a fixed-length block of bits at a time, for example 64 bits. If I were to use a block cipher with 64-bit blocks, I would need to take in 64 bits before I could start encrypting, and if I didn't have 64 bits to encrypt, I would have to fill the block with padding to get up to 64 bits. A stream cipher, on the other hand, encrypts a bit at a time, so it doesn't matter how many bits you have; you don't need some multiple of the block length in order to encrypt without padding.
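An added Python example (not from the original post) of the difference just described: data for a 64-bit block cipher is padded to whole blocks with PKCS#7-style padding and split into blocks, while a stream cipher (here a SHA-256 counter keystream standing in for a real one) produces output exactly as long as its input.

```python
"""Block versus stream handling: a 64-bit block cipher needs its input padded
to a multiple of 8 bytes; a stream cipher encrypts exactly what it is given.
The block cipher is represented by its padding contract only; the keystream
is SHA-256 in counter mode as a stand-in (not a real cipher).
Added example, not from the original post."""
import hashlib

BLOCK_BYTES = 8  # 64-bit blocks


def pad(data: bytes, block: int = BLOCK_BYTES) -> bytes:
    """PKCS#7-style: always append n bytes of value n, 1 <= n <= block,
    so a message that is already block-aligned gets one full padding block."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def unpad(data: bytes, block: int = BLOCK_BYTES) -> bytes:
    """Reject malformed padding rather than silently returning garbage."""
    if not data or len(data) % block:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes, block: int = BLOCK_BYTES):
    """Split padded data into the fixed-size blocks a block cipher consumes."""
    padded = pad(data, block)
    return [padded[i:i + block] for i in range(0, len(padded), block)]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream generator: SHA-256(key || nonce || counter) chunks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream: output length equals input length, no padding.
    Decryption is the same operation. A (key, nonce) pair must never be reused,
    because two messages under the same keystream cancel it out."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
```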
Another type of cryptography is asymmetric. Asymmetric cryptography, as you would expect, uses two different keys, and that's where we have a public key and a private key. Asymmetric key cryptography uses a longer key length and also requires more computation, so the encryption process is slower than with symmetric key encryption. One use for asymmetric keys is signing documents or emails, for example, where I would use the private key to sign something and the public key would be used to verify the signature. Another reason for using asymmetric encryption is to ensure that you got the message from whoever actually sent it: since you've got two keys, you always know who is on the other end of the conversation, whereas with a symmetric key, since it's just one key, if you can intercept the key you can decrypt and also encrypt messages, so if somebody can figure out the key they can break into a communication stream that uses symmetric key encryption. So asymmetric gives you the advantage of ensuring that the other end is who they say they are, since they're the only ones who should have the private key. In practice, however, hybrid encryption models tend to be used, where you use asymmetric encryption to encrypt symmetric session keys: basically you encrypt the message you are sending using symmetric key encryption, and when you're exchanging the key with somebody else you use asymmetric key encryption. Asymmetric encryption is a slower process, so you probably won't want to use it for large files; fortunately the example file I have is a small one.

I'm going to generate a key right now, so for this we head over to our Ubuntu system. Let me show you how public key encryption actually works: we first create a key. Let me clear the screen. First of all, let's create a file and call it text.txt, and I'm going to edit text.txt to put some text in it. That seems to give a warning with gedit, so I'll just use echo instead, and let's check that it is in our file. Let me show you how asymmetric key encryption, or public key cryptography, works. First we need a text file, and there is text.txt; let's see what it says: 'this is a random txt file'. What we want to do is create a key pair, and I'm going to use OpenSSL for this. We run openssl with genrsa, since we're generating an RSA key, use -des3 so the key is encrypted, output it with -out to a file called private.key, and ask for a 4096-bit key. This will create a private key using the RSA algorithm, so let it work its way through. First it asks me for a passphrase, since you can protect your keys with a passphrase, and I'm just going to use my name. Now if we run ls we have a private key. Using this private key we are going to generate a public key, and for this I'm again going to be using OpenSSL; OpenSSL is Unix-based, so you will need a Unix system. I started with rsautl, the RSA utility, with encrypt and -inkey to use the public key, but sorry guys, we first need to generate the public key, and for that we use the private key: we run openssl rsa, give the private key as the argument after the -in flag, and since we want to get out a public key we use -pubout and call the output public.key. I messed it up a little the first time because I forgot to give the output flag, so you add -out and then public.key. It asks me for my passphrase, and now it's writing the RSA key, and since the passphrase was correct we have a public key too. If you look now, we have a public key and a private key.

So we are going to encrypt our file using the public key: we run openssl rsautl with -encrypt, -pubin since we are using the public key, -inkey public.key, text.txt after -in as the file to be encrypted, and after -out the name of the encrypted file, encrypted.txt. I mistyped openssl, so let me edit that; now it's a correct command, and we have an encrypted file. If we run ls, there is encrypted.txt, and if we cat it we see it's a bunch of garbage that we really can't read unless we decrypt it. For decrypting, all we have to do is again use OpenSSL; let me clear the shell first. We run openssl rsautl again, this time with the -decrypt flag, then give -inkey, which this time is the private key, then what we want to decrypt, encrypted.txt, and output it as, let's say, plaintext.txt. It asks me for my passphrase, which is my name, and once I've entered it we have plaintext.txt. If we run ls, we see plaintext.txt out here alongside the other files. Now if I cat plaintext.txt, it says 'this is a random txt file', and if we scroll up we see the encrypted version was a bunch of garbage, while before that it was a random txt file. You can also run diff plaintext.txt text.txt, which gives you the difference between the two files; it's 0, meaning there is no difference, so both files are the same. That's how public key, or asymmetric key, cryptography works. Now, moving ahead from cryptography, let's talk about digital certificates.
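To show the public/private key operations described above (encrypt with the public key, decrypt with the private one, sign and verify) and the hybrid model where RSA only wraps a symmetric session key, here is an added Python example (not from the original post, and not what the openssl commands above do internally). It uses textbook RSA with two small constructed primes and a SHAKE-256 keystream as a stand-in for AES, so it runs with only the standard library.

```python
"""Textbook RSA on small primes: encrypt/decrypt, sign/verify, and the hybrid
model (RSA-wrapped session key, message under a symmetric keystream).
For seeing the mechanics only; real use needs large keys and OAEP/PSS padding,
as the openssl commands above provide. Added example, not from the original post."""
import hashlib
import secrets

# Constructed key material: two well-known primes, far too small for real use.
P, Q = 1_000_000_007, 998_244_353
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (public, private) as (e, n) and (d, n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def encrypt(pub, m: int) -> int:
    """Anyone holding the public key can encrypt."""
    e, n = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    """Only the private key holder can reverse it."""
    d, n = priv
    return pow(c, d, n)


def _digest(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    """Sign with the private key: RSA applied to the hash of the message."""
    d, n = priv
    return pow(_digest(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    """Check with the public key; a changed message or signature fails."""
    e, n = pub
    return pow(signature, e, n) == _digest(message, n)


def _keystream(session_key: int, length: int) -> bytes:
    # SHAKE-256 as an extendable-output stand-in for a stream cipher keyed by the session key
    return hashlib.shake_256(session_key.to_bytes(4, "big")).digest(length)


def hybrid_encrypt(pub, message: bytes):
    """Hybrid model: a random symmetric session key is wrapped with RSA and
    the message itself is encrypted under that key. Returns (wrapped, body)."""
    session_key = secrets.randbits(32)  # toy size; a real key would be 128+ bits
    wrapped = encrypt(pub, session_key)
    body = bytes(a ^ b for a, b in zip(message, _keystream(session_key, len(message))))
    return wrapped, body


def hybrid_decrypt(priv, wrapped: int, body: bytes) -> bytes:
    """Unwrap the session key with the private key, then decrypt the body."""
    session_key = decrypt(priv, wrapped)
    return bytes(a ^ b for a, b in zip(body, _keystream(session_key, len(body))))
```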
Now that we're done with cryptography, let's talk about digital certificates. A digital certificate is an electronic credential that allows a person or organization to exchange data securely over the internet using public key infrastructure (PKI). A digital certificate is also known as a public key certificate or an identity certificate. Digital certificates are the means by which consumers and businesses make use of PKI, and PKI comprises the technology that enables and secures e-commerce and other internet-based communication.

So what kind of security does a certificate provide? First, identification and authentication: the person or entity we are communicating with really is who they say they are, and that's what the certificate proves. Then confidentiality: the information in a message or transaction is kept confidential and may only be read and understood by the intended recipient. Then integrity: a message can't be altered in transit without that being detected. And non-repudiation: the sender cannot deny having sent a message or transaction, and the receiver cannot deny having received it; I'll explain below how non-repudiation comes out of digital certificates.

Digital certificates are issued by certificate authorities, businesses that make it their business to certify people and organizations and issue them certificates. You can see this in Google Chrome. Let me open Chrome: open the site information for an HTTPS page, click the certificate, and you can see the issuer statements and all sorts of detail. For this site it's issued by Let's Encrypt Authority X3, which is one such issuing authority.

That was the theory of certificates; let's go and see how you create one. We're going to use the OpenSSL tool again. First let me clear the screen. I'm going to generate a certificate authority certificate, and I'm generating an RSA key here to use
inside the certificate. So first I need to generate a private key, exactly as I just showed you: openssl genrsa -des3 -out ca.key 4096. I'm generating an RSA private key, and the private key is used as part of the certificate: there's a public key associated with the certificate, data encrypted with the public key gets decrypted with the private key, and the two are mathematically linked, because you need one at one end of the communication and the other at the other end, and whatever gets encrypted with one key has to be decryptable with the other. For a certificate the private key is mostly used to sign and the public key to verify, but the link works the same way. It asks for a passphrase, and again I'm giving my name.

Now I generate the certificate itself with the OpenSSL req utility: openssl req -new -x509 -days 365 -key ca.key -out edureka.crt. req makes a certificate request, -x509 turns it straight into a self-signed certificate instead of a request, -days 365 makes it valid for a year, -key gives it the private key and -out names the certificate file. I'm naming it after the company I'm working for, Edureka. The first time it said "unable to load the private key": I had a private key left over from before and had saved the new one under a different name, so I removed the old file and ran the same command again. Now it asks for the passphrase, which is my name,
and then it asks for a bunch of information that goes inside the certificate: country name (IN), state or province name (I put Bangalore), locality (Whitefield), organization name (Edureka), organizational unit name (Brain Force), common name and email address, which I'll leave blank. Now we have our certificate: list your files and you'll see edureka.crt highlighted.

To view the file you use the OpenSSL x509 utility: openssl x509 -in edureka.crt -text -noout. You're asking it to read an X.509 certificate, print it in text form and suppress the base64 blob (-noout), and the file to read is edureka.crt. That prints the whole certificate: the signature algorithm, the issuer (C=IN, ST=Bangalore, L=Whitefield, O=Edureka, OU=Brain Force), the validity dates, the public key and the signature itself. Because this certificate is self-signed, the issuer and the subject are the same.

So that was digital certificates: what they are, who issues them and where they are useful. This is where non-repudiation comes from. A certificate binds a public key to an identity and the CA signs that binding; the private key stays with the certificate's owner and is never part of the certificate. If a website presents that certificate and proves possession of the private key in the TLS handshake, and the site turns out to be malicious and there's a complaint, the operator can't go to a court of law and say they knew nothing about it, because only the holder of the private key could have completed that handshake, and the private key was only supposed to be known to the company. You just can't deny you did it. Okay, that was all about certificates, so moving on.
Next we're going to talk about cryptographic hashing. The word "cryptographic" in "cryptographic hashing" leads you to believe there is encryption involved, but there is no encryption in a cryptographic hash. There is a significant difference between hashing and any sort of encryption, and it is primarily that encryption is a two-way process: when I encrypt a piece of data or a file I'm putting it into a state where I expect to be able to get it back out again; in other words, when I encrypt a file I expect to be able to decrypt it and get the original contents. Hashing, on the other hand, is a one-way function: once I've hashed a piece of data or a file there is no expectation of, and no ability for, getting the original data back.

Hashing generates a fixed-length value, and different hash functions generate different lengths: MD5 produces a 128-bit (32 hex character) value while SHA-1 produces a 160-bit (40 hex character) value. They're both hash functions, but their outputs differ in length. The resulting value should bear no relation at all to the original data. If two different inputs generate the same hash value, that's called a collision, and if you can generate collisions at will you may get to a point where you can craft a piece of data that produces the same hash as some other piece of data, which amounts to breaking the hash function you're using. MD5 and SHA-1 are both in that situation today: practical collisions have been published for both, so neither should be used where collision resistance matters, and SHA-256 or better is the modern choice.

What can we use hashes for? One thing is file integrity: run a hash over a file and get a value back, and later hash it again and check the value is the same. If it is, I can be confident the same file was hashed in both instances. Let me show you an example of what I just said, that hashing a file gives the same hash every time. Remember the certificate we just created; let me log in again, hash that certificate, and you'll see that every time we hash it we get the same value. The command is md5sum edureka.crt, and what it prints is the hash of edureka.crt. If I run md5sum again, and MD5 is a hash algorithm you should know of,
on edureka.crt it produces exactly the same hash. SHA-1 looks like this: sha1sum edureka.crt (sha1sum, like md5sum, comes from the coreutils package). So I've proved my point: with MD5, a cryptographic hash algorithm, we get the same hash back every time for the same input. That is the whole point: identical input, identical hash. It's only when two different inputs produce the same hash that you have a collision, and being able to manufacture collisions is what breaks the algorithm. If you run Linux you have md5sum; there are MD5 programs for Windows, and macOS ships an md5 utility that does the same thing. So I showed you a file and hashed it.

Another reason we use hashing is storing passwords. Passwords are stored after hashing, and the reason is so you're not storing them in clear text, where they could easily be seen even if the file were protected with permissions. If I hash a password, every time I hash that password with the same algorithm I get the same value back, so I store the hash in some sort of password database. Since it's a one-way function you can't get the password back directly from the hash. What most password cracking programs do is some variation of this: generate hashes for a list of words and look for a hash value that matches the one in the password database; once you find the match, you know the password. This is why proper password storage uses a per-user salt and a deliberately slow function such as bcrypt or Argon2 rather than a plain MD5 or SHA-1, so that one precomputed list doesn't crack every account and each guess costs the attacker real time.

Here we come back to the idea of collisions. If I can take two different strings of characters and get the same value back, it's easier to crack the password, because I may not necessarily recover the original password, but if the hash I get from my string is the same as the hash of the original password, it doesn't matter whether I know the password: the string I put in generates the same hash value that gets compared when you log in, the hash matches, it's treated as valid and you'll be able to log in.
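The three uses of hashing from this section (file integrity, password storage and the dictionary attack against it) as one runnable script, added here as an example; it is not from the original post or from Edureka. It uses SHA-256 from coreutils instead of MD5, adds a keyed HMAC with openssl dgst to show what a message authentication code actually covers (the TLS section later relies on HMAC), and salts the stored password to show why a plain hash is not enough. The wordlist, the passwords and the sample file are constructed here.

```sh
#!/bin/sh
# Added example: file integrity, password hashing, a dictionary attack and
# HMAC, using sha256sum and openssl. Not from the original post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- file integrity: same file -> same digest, every time -------------------
file_digest() { sha256sum "$1" | cut -d' ' -f1; }

# --- password storage -------------------------------------------------------
# Unsalted, as in the tutorial: identical passwords give identical hashes.
hash_password() { printf '%s' "$1" | sha256sum | cut -d' ' -f1; }

# Salted: a per-user random value is hashed together with the password and
# stored beside the digest, so a precomputed wordlist hash is useless.
hash_password_salted() {        # $1 = salt, $2 = password
    printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# --- the attack the text describes ------------------------------------------
# Hash every word in a list and compare with the stored digest.
# Prints the recovered password and returns 0, or returns 1 if no word matches.
crack_password() {              # $1 = stored digest, $2 = wordlist file
    while IFS= read -r word; do
        if [ "$(hash_password "$word")" = "$1" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# --- HMAC -------------------------------------------------------------------
# A keyed hash over the whole message. Without the key an attacker who changes
# the message cannot recompute a matching tag.
hmac_tag() { openssl dgst -sha256 -hmac "$1" "$2" | awk '{print $NF}'; }

# Demo data (constructed for this example).
printf 'this is a random txt file\n' > "$WORK/text.txt"
printf 'this is a random txt file!\n' > "$WORK/tampered.txt"
printf 'cat\nbird\ndog\nfish\n' > "$WORK/wordlist.txt"
STORED=$(hash_password dog)          # what a naive password database keeps

echo "digest 1: $(file_digest "$WORK/text.txt")"
echo "digest 2: $(file_digest "$WORK/text.txt")"
echo "cracked:  $(crack_password "$STORED" "$WORK/wordlist.txt" || echo '<not in list>')"
echo "salted A: $(hash_password_salted salt-for-alice dog)"
echo "salted B: $(hash_password_salted salt-for-bob dog)"
echo "hmac ok:  $(hmac_tag k1 "$WORK/text.txt")"
echo "hmac bad: $(hmac_tag k1 "$WORK/tampered.txt")"
```

Note that the two salted digests differ although both users chose "dog", and that a one-character change to the file changes the HMAC completely while the key stays the same.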
To make that concrete: suppose the password you chose when creating your account is "dog", and "dog" produces a certain hash value. If I were to run hashcat against that hash with the same algorithm, and the algorithm were prone to collisions, some other word, say "cat", might produce the same hash value, and with the password "cat" I could open up your account. So that was hashing and hash algorithms; let's move on.

In this part we're going to go over SSL and TLS. SSL and TLS are ways of doing encryption, and they were developed to do encryption between web servers and clients, that is, browsers. SSL was originally developed by a company called Netscape; if you don't remember Netscape, it eventually spun off its source code into the Mozilla project, which is where Firefox comes from. Back in 1995 Netscape released version 2 of SSL (there was a version 1, but nothing was ever done with it), and that was used to encrypt web transmissions between the server and the browser. SSL version 2 had a whole number of flaws, of the type that can lead to decryption of messages without having the correct keys or being the right endpoint, so Netscape released SSL version 3 in 1996. SSL 3.0 is better than 2.0, but it still had issues, and in 1999 we ended up with TLS. SSL is Secure Sockets Layer and TLS is Transport Layer Security; they both accomplish the same sort of thing and are designed primarily for encryption between web servers and web browsers, because we want to be able to encrypt that type of traffic. Today SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 are all formally deprecated; TLS 1.2 and 1.3 are what should be in use.

Let me show you what that traffic looks like. I'll open Wireshark, and out here I already have a TLS capture ready for you, where you can see all sorts of TLS data: here's my source address and the destination address, on port 443, doing a Client Key Exchange and a
Change Cipher Spec and an Encrypted Handshake Message, and then we start getting Application Data. There are other steps involved that you're not seeing all of in this particular Wireshark capture, because we get fragmented packets and, at some point, it starts getting encrypted and you can't see it anyway: Wireshark cannot decrypt those messages without the key. What happens is the client sends a Client Hello and the server responds with a Server Hello, and as part of that they exchange information including the supported version numbers and a random number from each side; the client sends the list of cipher suites it supports, in order of preference, and the server picks one from that list. Then the key exchange happens, then the Change Cipher Spec from client and server, and eventually a Finished message, at which point we have encrypted communication going. So there's a handshake between the two systems, and there are a number of different types of handshake depending on the endpoints (TLS 1.3 collapses this into fewer round trips and encrypts more of it), but that's the kind of communication that goes on between server and client.

One important thing about SSL and TLS is that, as I mentioned, some of the earlier versions had vulnerabilities, and you want to make sure your servers aren't actually running them. So you run some scans to figure out the protocol versions and ciphers different systems offer. For this we can use a tool called sslscan. It's available for Unix systems; I'm not really sure whether there's an equivalent for Windows or Mac, but on a Unix-based system like Linux we can use sslscan. Let me show you how: clear the screen, then run sslscan www.edureka.co. It scans the website and you can see it going through and probing all the different
types of ciphers this system knows: it starts with SSLv3 and works up through TLS version 1, and you can force the scan to try SSLv2 as well. If I scroll back up, the first suite it found is on SSL version 3: it uses RSA for the asymmetric part, to do the key exchange, and once the session key is up it uses AES-256 for the bulk encryption and the secure hash algorithm (SHA) for message authentication, the MAC. Here MAC means message authentication code, not a MAC address: it's an HMAC, a hashed message authentication code, which is a keyed hash over the message that one side computes and the other side checks to make sure the message hasn't been tampered with in transit. You can see all the different cipher suites that are available, and some of them are still around, such as RC4 at 40 bits with MD5, which would be a pretty vulnerable kind of communication between server and client. A 40-bit RC4 cipher is a low-strength cipher, and we would definitely recommend that clients remove those from the ciphers their server supports. That configuration is done at the web server, as well as when you generate your key and certificate.

Normally certificates would be handled by a certificate authority. You can also self-sign certificates and install those in your web server to secure communications with your clients. The challenge with that is that browsers today warn when they see a certificate signed by a certificate authority they don't trust, or with no certificate authority at all, so you'll get a warning in your browser indicating there may be a problem with the certificate. If your users are savvy enough, you may be able to make use of self-signed certificates and save yourself some money, but generally it's not recommended.
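Here is a small check you can run on the cipher string you intend to put in the web server configuration, added as an example and not from the original post or from Edureka. It expands the string with the local openssl ciphers command and flags the suites sslscan would mark as weak (NULL, anonymous DH, RC4, MD5, DES/3DES and export grades), comparing an accept-everything string with a hardened one. The probe function at the end is the manual equivalent of one sslscan line against a live host and is not run here. The cipher strings and the hostname are assumptions.

```sh
#!/bin/sh
# Added example: audit an OpenSSL cipher string before deploying it, and
# probe a server for one protocol version by hand. Not from the original post.

# Print the suites in a cipher string that a scanner would flag as weak.
# Prints nothing when the string is clean.
weak_suites() {                 # $1 = OpenSSL cipher string
    openssl ciphers "$1" 2>/dev/null | tr ':' '\n' \
        | grep -E 'NULL|ADH|AECDH|RC4|MD5|DES|EXP' || true
}

# Exit status 0 if the string contains no weak suites.
cipher_string_ok() { [ -z "$(weak_suites "$1")" ]; }

# Accept-everything: includes unauthenticated (aNULL) and unencrypted (eNULL) suites.
LEGACY='ALL:eNULL'
# Forward-secret AEAD suites only; the ! entries are belt and braces.
HARDENED='ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXP'

# Manual version of one sslscan line: does the server complete a handshake
# with this protocol flag? $1 = host, $2 = port, $3 = -ssl3, -tls1, -tls1_2, ...
# (If your openssl was built without that protocol, the flag itself errors
# and this reports "rejects", so check with openssl s_client -help first.)
server_accepts() {
    if openssl s_client -connect "$1:$2" "$3" </dev/null >/dev/null 2>&1; then
        echo "$1:$2 accepts $3"
    else
        echo "$1:$2 rejects $3"
    fi
}

echo "weak suites in '$LEGACY':"
weak_suites "$LEGACY"
if cipher_string_ok "$HARDENED"; then
    echo "no weak suites in '$HARDENED'"
fi
# Example against a host you are authorised to test, not run here:
# server_accepts www.edureka.co 443 -tls1
```

The same list the script flags is what you would delete from the SSLCipherSuite (Apache) or ssl_ciphers (nginx) line, and the minimum protocol version is set next to it; sslscan then confirms from the outside that the change took.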
The reason is that users get used to clicking through bad certificates, and when they run across a real rogue certificate they're going to ignore the warning in their browser and go to a site that may have malicious purposes in mind, and end up compromising themselves, your customers or your users. So that's SSL and TLS and how they work and negotiate between servers and endpoints.

Now that we've talked about TLS and SSL, let's talk about disk encryption. Disk encryption is not something that was really difficult to do, but it was out of reach of normal desktop computers for a long time. Although there have long been ways of encrypting files and, to a lesser degree, entire disks, as we get faster processors, encrypting entire disks and being able to encrypt and decrypt on the fly without affecting performance is something that has come within reach, and it's a feature that shows up in most modern operating systems to one degree or another.

We're going to look at a couple of ways of doing disk encryption. I'll tell you about one of them first, and it's not one I can show you (I can't really show the other one either). On Windows there's a program called BitLocker. BitLocker requires Windows Ultimate or Windows Enterprise (on Windows 7; Pro or Enterprise on later versions), and I don't happen to have either, so I can't show it to you, but I can tell you that BitLocker does full-disk encryption using AES as the cipher. The thing about BitLocker is that it uses a chip that comes with most modern systems, particularly laptops, called the Trusted Platform Module, or TPM. The TPM stores the keys that allow the operating system to access the disk through the encryption and decryption process, and it releases them only to a boot chain it has measured as unmodified, which is what ties the encrypted disk to that particular machine. So BitLocker uses a pretty strong cipher, AES, but you have to have one of a couple of editions of Windows to use it, and some of those things
you would normally run in an enterprise, which is why they included it in the Enterprise edition.

On the macOS side they have FileVault. You'll find it in System Preferences under Security & Privacy: click the FileVault tab, and if you have the button that says "Turn On FileVault" you can turn it on; it asks you about setting up keys, and it works similarly to Windows BitLocker. PGP also has the ability to do disk encryption, and on this Ubuntu system there's a package called gdecrypt, a GUI that helps you create, map and mount an encrypted volume; I could run gdecrypt and it would walk me through encrypting the volumes on my system (on Linux the standard underlying mechanism is LUKS on dm-crypt, driven by cryptsetup). Disk encryption is a really good idea, because when you're working with clients the data is normally very sensitive, so as I mentioned you can always use BitLocker, FileVault or other software for disk encryption. What I mentioned before is now not only possible, it's very much reality with current operating systems.

Now let's talk about scanning. Scanning refers to the use of computer networks to gather information about computer systems. Network scanning is mainly used for security assessment and system maintenance, and also for performing attacks by hackers. The purposes of network scanning are as follows: it lets you recognize the available UDP and TCP network services running on a targeted host; it lets you recognize filtering systems between you and the targeted hosts; it lets you determine the operating systems in use by assessing the IP responses; and it lets you evaluate the target host's TCP sequence numbers and their predictability, which determines whether sequence-prediction attacks and TCP spoofing are feasible. Network scanning consists of network port scanning as well as vulnerability scanning. Network port scanning refers to the method of
sending data packets over the network to a computer system's specified service ports in order to identify the available network services on that particular system. This procedure is effective for troubleshooting system issues or for tightening system security. Vulnerability scanning is a method used to discover known vulnerabilities of computing systems available on a network; it helps detect specific weak spots in application software or the operating system which could be used to crash the system or compromise it for undesired purposes. Network port scanning and vulnerability scanning are both information-gathering techniques, but when carried out by anonymous individuals they are viewed as a prelude to attack.

Network scanning processes like port scans and ping sweeps return details about which IP addresses map to active, live hosts and the type of services they provide. Another network scanning method, known as inverse mapping, gathers details about IP addresses that do not map to live hosts, which helps an attacker focus on feasible addresses. Network scanning is one of the three important methods used by an attacker to gather information. During the footprinting stage the attacker builds a profile of the target organization, including data such as the organization's domain name system and email servers, in addition to its IP address range. During the scanning stage the attacker discovers details about the specific IP addresses that can be accessed online, their system architecture, their operating systems and the services running on every computer. During the enumeration stage the attacker collects data including routing tables, network user and group names, Simple Network Management Protocol data and so on.

A very popular tool used for network scanning is nmap. Nmap is a must-have tool for most ethical hackers, and crackers throughout the industry are using it on a daily basis. What it's used for is scanning, as I just said, and the only bad part about nmap is that it is
a very noisy scanner, but if you know some ways of IDS evasion, which is the next topic we're going to talk about, you can very well do an nmap scan while being quiet. So let's go into nmap and see the different ways we can use it. Nmap was originally written for Unix systems, but it's also available for Windows; for now I'm going to use the Unix version. First let's open our Unix system running in a virtual machine and clear the screen. I already have nmap installed, but if you don't, apt-get install nmap will install it for you, and if you're not root you'll want to prefix that with sudo. I'm not going to run that command now because I already have it; instead I'll show you the different ways we can use nmap.

When you're using a tool on Linux, the first thing to do with any tool is look at its help, so nmap --help shows you all the things you can do with nmap. As you can see, there's target specification, host discovery, different scan techniques, port specification and scan order, service and version detection, script scanning, and a bunch more.

Now let me show you how to do all sorts of things. Suppose you want to scan edureka.co: nmap edureka.co starts an nmap scan of the IP address edureka.co resolves to. As you can see it's running the scan and it can take a little bit of time, and since it's taking a lot of time I'm going to quit out of it and show you some other ways. You can also specify an IP address directly, for example nmap 192.168.1.24, which scans that one host. I'm also going to quit
out of this because my computer is really slow and takes a lot of time to load anything. Then you can also scan an entire range: suppose you want 192.168.1.1 through 192.168.1.24, you write nmap 192.168.1.1-24 and it scans all those IP addresses (the CIDR form nmap 192.168.1.0/24 covers the whole subnet). I'm going to quit out of every scan because this computer is really, really slow.

Let me show you some other flags. Suppose you have a file, targets.txt, that lists all your targets, one per line. Let me create that file, targets.txt. You can feed it to nmap with -iL, which stands for input list: small i, capital L, then the file name, so nmap -iL targets.txt. Because my file had no IP addresses in it, it reports 0 IP addresses scanned in 0.89 seconds, but with a populated list it scans every address in the file. Nmap also lets you exclude addresses: suppose you want to scan a range but leave out 192.168.1.1, you write nmap 192.168.1.0/24 --exclude 192.168.1.1 and it scans everything else. (The failure you see in the video was because I gave it a hostname where it wanted a target specification.)

You can also choose scan techniques. Suppose you want a SYN scan, which sends only the first packet of the TCP handshake and never completes the connection: that's -sS, small s, capital S, and it's the default technique when you run nmap as root. After the flag you put the target, so something like nmap -sS 192.168.2.34, and when it's done it gives you all sorts of information. I'm not going to run the scan for long. After that you can also scan with full TCP
connect scans. For that you use -sT, so nmap -sT followed by the target, for example nmap -sT 192.168.0.0/24, which does a TCP connect scan of that range; -sT completes the full three-way handshake and is the default when you're not root. Let me quit out of that and tell you the flags for the other scan techniques: -sU instead of -sT scans UDP ports; -sA is an ACK scan, which sends the acknowledgement packet of the TCP handshake on its own and is mostly used to map firewall rules rather than to find open ports; -sW is a Window scan and -sM is a Maimon scan.

Now you can also do a bunch of host discovery with nmap, so let's go over the options one by one. With nmap -sL you get a list scan: no actual scan, it only lists the targets and does reverse DNS on them, so something like nmap -sL 192.168.2.34. Let's quit out of that quickly. You can also use -sn, which disables port scanning and does host discovery only; that saves you some time. And you can use -n, which tells nmap never to do hostname resolution, which saves time too. You can also do ARP discovery on the local network; the flag for that is -PR, so nmap -PR 192.168.1.0/24 on your local network. I typed an invalid address the first time, that was the gateway, and since I've been running nmap against random IPs let's run ifconfig first and check our own address. Our IP is 192.168.1.1, so let's try some scans on ourselves. That was all about host discovery.

Now you can also do port specification, like this: our IP is 192.168.1.1, so nmap -p 21 192.168.1.1
scans port 21, and it shows 21/tcp closed ftp: port 21 is FTP and it's closed, which is how it should be. You can also give a range, for example -p 21-200, which scans all the ports from 21 to 200. That was port scanning. You can also do a fast port scan with the -F flag: bring up the previous command and add -F, and it's considerably faster than most scans, because -F only scans the 100 most common ports instead of the default 1000. You can also scan just the top ports: --top-ports followed by a number scans that many of the most common ports on the IP address. This takes a while on such a slow computer, but okay, it finished.

Now let's do some service version detection. Let's get back the IP address edureka.co resolves to and try service detection on it: nmap -sV with that address (you could have done it on edureka.co itself). -sV attempts to determine the versions of all the services running on that IP address. I personally know that it's an Apache 2.0 server running there, so I'm not going to wait for the scan to finish, but that's how you do it. You can also raise the version intensity: --version-intensity followed by a number from 0 to 9, where a higher number sends more probes and gives nmap a better chance of identifying the service, at the cost of time; for example --version-intensity 8. When I ran it here nmap rejected the option as I typed it, but --version-intensity is a current nmap option, so if you hit the same thing check your spelling against nmap --help. You can also do aggressive scans: for that all you need is the -A flag, so nmap -A
and that does a very aggressive scan of the IP address: -A turns on OS detection, version detection, script scanning and traceroute together. That takes a really long time, so I'm going to quit. You can also do OS detection on its own: nmap -O followed by the address gives you OS detection, and that's basically the end of our nmap tutorial.

Moving on, we're going to discuss IDS evasion, which is going to be the last lesson of this post. Before we get into IDS evasion, let's talk about what exactly an IDS is. An intrusion detection system, or IDS, is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking action when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses. Although intrusion detection systems monitor networks for potentially malicious activity, they are also prone to false alarms, or false positives. Consequently, organizations need to fine-tune their IDS products when they first install them; that means properly configuring the intrusion detection system to recognize what normal traffic on the network looks like compared to potentially malicious activity. An intrusion prevention system (IPS) also monitors network packets for potentially damaging traffic, but where an intrusion detection system responds to potentially malicious traffic by logging it and issuing a warning, an intrusion prevention system responds by rejecting the potentially malicious packets.

There are different types of intrusion detection systems; they come in different flavours and detect suspicious activity using different methods. One kind is a network intrusion detection system, or NIDS, which is
deployed at a strategic point or points within the network where it can monitor inbound and outbound traffic to and from all the devices on the network. Then there is the host intrusion detection system, or HIDS, which runs on individual computers or devices in the network, including those with direct access to both the internet and the enterprise's internal network. A HIDS has an advantage over a NIDS in that it may be able to detect anomalous network packets that originate from inside the organization, or malicious traffic that a NIDS has failed to detect. A HIDS may also be able to identify malicious traffic that originates from the host itself, as when the host has been infected with malware and is attempting to spread to other systems. A signature-based intrusion detection system monitors all packets traversing the network and compares them against a database of signatures or attributes of known malicious threats, much like antivirus software does.

Now let's talk about IDS evasion. An IDS, as we just discussed, is an intrusion detection system, and it is designed to detect exactly the types of activities that we engage in. Sometimes you may be called in to work on a target where your activities are known, and should be known, by the operations people monitoring and managing the network, the idea being that they want to assess not only the technical controls in place but also the operational procedures, and ensure the systems and processes are working the way they're supposed to. When you're engaged with a target with whom you have full cooperation, you don't need these evasion tactics and all of these techniques can be skipped. But if you're asked to perform an assessment or a penetration test on a target where they are not supposed to see your activities, then you need to know some different techniques to evade detection by an IDS. So we're going to talk about a
couple of different things that you can do.

One thing you can do is manipulate packets to look a particular way. For this there is a tool called packit, which is a really good way to craft and manipulate traffic: you can set the contents of a packet, including the destination and source, so it is a really useful tool for making a packet look a particular way. One thing it lets you do is spoof IP addresses, so I could set the source IP address to something completely different from mine. The catch is that if I'm using TCP or UDP I'm not going to see the response path, and in the TCP case I'm not even going to complete the three-way handshake, because the responses go back to the spoofed source IP rather than to me. Beyond spoofing, you can shape the way a packet looks by changing the type of service, the fragmentation offset or the flag settings, which may allow you through an IDS without getting flagged and may also get you through a firewall. It's a slim possibility, but it is a possibility.

Another thing you can do is use packit to generate a lot of bogus traffic and hide in the noise it makes: you create bogus packets that are sure to set off IDS alarms and then run your legitimate scans underneath, hoping to get responses back without the real scan being noticed.

If you look at nmap, let me just open nmap up and run nmap --help: you can see the timing and performance options there, and the same section on the manual page. One of the things you can see is the throttle, in other words the timing template. If I run an nmap scan with -T0 (the "paranoid" template) it really, really slows the scan down, waiting minutes between probes, so there is a possibility it never rises to the threshold that would trigger an IDS. This is what
we would call a low-and-slow scan. Of course this is only nmap, and that is only a port scan; there is still a lot of other work you would have to do, and you may have to find other ways to get around detection for it. You can also see, in the same help output, the section on firewall/IDS evasion and spoofing. You can do things like fragment packets (-f), and fragmented packets will sometimes slip past an IDS because the IDS looks at what is in front of it and may not have the ability to gather the entire datagram and reassemble it to look at what is going on; so sometimes fragmented packets get through (a modern IDS usually does reassemble, so don't count on it). You can also add decoys to a scan (-D), a sort of cover-of-friendly-fire approach where nmap sends every probe from a bunch of decoy source addresses as well as your own, and hopefully you get lost amongst the decoys; note that the IDS still sees the scan, it just sees it from every decoy too, so what you are muddying is attribution rather than detection. I can also spoof the source address (-S), play with the data length (--data-length) and TTL (--ttl), spoof MAC addresses (--spoof-mac) and send packets with a bogus checksum (--badsum). All of those have the possibility of getting around firewalls and IDS.

One of the downsides of using some of these techniques, particularly the timing technique, is that you run the risk of really slowing down your work, which is of course a side effect of an approach where you have to hide yourself and your activities. The thing to keep in mind is that you have a limited time frame in which to perform these activities, so be aware of how long some of these techniques are going to take. Also, along the lines of friendly fire, you could combine the spoofing technique with a -T5 throttle and just throw a lot of bogus traffic at your target while running a separate nmap scan that collects the legitimate information, and again hopefully get through underneath the friendly fire that is causing all the noise. There is also a tool called Nikto, which
does web application testing, and in its help output you can see it has some IDS evasion techniques of its own (the -evasion option, which mangles the request URI with things like percent-encoding and directory self-references so that a naive string match on the request misses it while the web server still serves the same page). So if you are doing web application testing and need IDS evasion, you can also throw a Nikto scan from another system and again hide underneath the noise Nikto generates while you run some other technique. Hopefully you can see that enough of these tactics will hide you well enough to get what you need from the target without being detected by the target's operations people.
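As an added example (my own code, not Nikto's and not from the original post), here is what that URI mangling does to a naive IDS signature and what a detector has to do to see through it. The signatures, request path and the three transforms are constructed for the illustration; the transforms approximate the kind of mangling Nikto's -evasion option applies (percent-encoding the path, inserting /./ at directory boundaries, and prepending a junk directory that is climbed back out of with ..), all of which a web server resolves before serving the request.

```python
"""HTTP-request IDS evasion of the kind Nikto's -evasion option does, beside the
normalization a detector needs to see through it.  Added example, not Nikto code;
signatures, paths and transforms are constructed for the illustration."""
import posixpath
from urllib.parse import unquote

# Constructed content signatures a naive web IDS would match on the raw request path.
WEB_SIGNATURES = ("/etc/passwd", "/cgi-bin/test-cgi")


def naive_match(path):
    """What a plain string-matching IDS sees: the request path exactly as sent."""
    return [sig for sig in WEB_SIGNATURES if sig in path]


# --- three transforms the web server will undo but a naive matcher will not ---------

def encode_letters(path):
    """Percent-encode every letter (approximates Nikto's URI-encoding evasion)."""
    return "".join(f"%{ord(c):02X}" if c.isalpha() else c for c in path)


def self_reference(path):
    """Insert /./ at every directory boundary (directory self-reference evasion)."""
    return path.replace("/", "/./")


def junk_prefix(path, junk="/zq8f3kd0ab"):
    """Prepend a junk directory and climb back out of it with .. (junk-string evasion)."""
    return junk + "/.." + path


TRANSFORMS = {
    "uri-encoding": encode_letters,
    "self-reference": self_reference,
    "junk-prefix": junk_prefix,
}


# --- what the IDS should do instead: normalize like the server before matching -------

def normalize(path):
    """Percent-decode until stable (defeats double encoding), then collapse /./ and
    /../ the way a web server resolves the path before looking it up."""
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    return posixpath.normpath(path)


def normalized_match(path):
    return naive_match(normalize(path))


def evasion_report(path):
    """For each transform: (mangled path, naive hits, hits after normalization)."""
    report = {}
    for name, transform in TRANSFORMS.items():
        mangled = transform(path)
        report[name] = (mangled, naive_match(mangled), normalized_match(mangled))
    return report


if __name__ == "__main__":
    for name, (mangled, naive, normed) in evasion_report("/etc/passwd").items():
        print(f"{name:15} {mangled:34} naive={naive} normalized={normed}")
```

Every mangled form of /etc/passwd gets past naive_match and is caught by normalized_match. That is also the check to make before relying on this trick on an engagement: engines such as Snort and Suricata normalize the URI before applying content rules, so the mangling only buys anything against a detector that matches the raw request.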
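To make the IDS description and the nmap timing, decoy and fragmentation tricks above concrete, here is an added example (a toy of my own, not code from the post or from nmap) of a signature-plus-threshold NIDS run over constructed packet streams shaped like the scans discussed: a fast scan, a -T0 style low-and-slow scan, a -D style decoy scan, and a -f style fragmented request inspected with and without reassembly. The addresses, ports, signature, threshold and window are all made up for the illustration.

```python
"""Toy signature + threshold NIDS run over traffic shaped like the nmap scans above.
Added example, not code from the post or from nmap; addresses, ports, signature,
threshold and window are constructed for the illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    ts: float                      # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes = b""
    frag_id: Optional[int] = None  # set when this is one IP fragment of a datagram
    more_frags: bool = False       # IP "more fragments" flag


# Signature-based detection: one substring per known-bad payload, like a content rule.
SIGNATURES = {"shellshock-probe": b"() { :;};"}
# Threshold-based port-scan detection: SCAN_PORTS distinct destination ports from one
# source within SCAN_WINDOW seconds raises a "portscan" alert.
SCAN_PORTS = 15
SCAN_WINDOW = 60.0


def detect(packets, reassemble=False):
    """Return de-duplicated (alert_name, source_ip) pairs in order of first firing."""
    alerts = []
    history = defaultdict(list)     # src -> [(ts, dport)] still inside the window
    fragments = defaultdict(bytes)  # (src, frag_id) -> bytes collected so far

    def raise_alert(name, src):
        if (name, src) not in alerts:
            alerts.append((name, src))

    for p in packets:
        if p.frag_id is not None and reassemble:
            fragments[(p.src, p.frag_id)] += p.payload
            if p.more_frags:
                continue            # hold inspection until the datagram is complete
            data = fragments.pop((p.src, p.frag_id))
        else:
            data = p.payload        # naive IDS: each fragment is inspected on its own
        for name, sig in SIGNATURES.items():
            if sig in data:
                raise_alert(name, p.src)

        hist = history[p.src]
        hist.append((p.ts, p.dport))
        hist[:] = [(ts, port) for ts, port in hist if p.ts - ts <= SCAN_WINDOW]
        if len({port for _, port in hist}) >= SCAN_PORTS:
            raise_alert("portscan", p.src)
    return alerts


# --- constructed traffic shaped like the scans discussed in the post -----------------
ATTACKER, TARGET = "10.0.0.66", "10.0.0.5"
PORTS = list(range(1, 41))          # a 40-port scan


def probes(src, interval):
    """One probe per port from `src`, `interval` seconds apart."""
    return [Packet(i * interval, src, TARGET, port) for i, port in enumerate(PORTS)]


def fast_scan():
    return probes(ATTACKER, 0.001)  # -T4 style: the whole scan within milliseconds


def low_and_slow_scan():
    return probes(ATTACKER, 300.0)  # -T0 style: five minutes between probes


def decoy_scan(decoys):
    """-D style: every probe is sent from the real address and from each decoy."""
    return [Packet(i * 0.001, src, TARGET, port)
            for i, port in enumerate(PORTS) for src in [ATTACKER, *decoys]]


def fragmented_request():
    """-f style: the shellshock string split across two IP fragments of one datagram."""
    sig = SIGNATURES["shellshock-probe"]
    return [
        Packet(0.0, ATTACKER, TARGET, 80, b"User-Agent: " + sig[:4], frag_id=7, more_frags=True),
        Packet(0.001, ATTACKER, TARGET, 80, sig[4:] + b"\r\n", frag_id=7),
    ]


def run_demo():
    decoys = ["203.0.113.7", "198.51.100.9"]
    return {
        "fast": detect(fast_scan()),
        "low-and-slow": detect(low_and_slow_scan()),
        "decoys": detect(decoy_scan(decoys)),
        "fragments, naive IDS": detect(fragmented_request()),
        "fragments, reassembling IDS": detect(fragmented_request(), reassemble=True),
    }


if __name__ == "__main__":
    for name, alerts in run_demo().items():
        print(f"{name:28} -> {alerts or 'no alerts'}")
```

Three things worth noticing in the output. The -T0 style scan never alerts because the 60-second window never holds 15 probes, but 40 ports at five minutes apart take over three hours, which is exactly the time-budget problem discussed above. The decoy scan does not suppress the alert at all; it multiplies it, so the real source is one of three "scanners" and the analyst has to work out which. And the fragmented request only beats the detector that inspects each fragment alone; flip reassemble=True and it is caught, which is the check to make before relying on -f against a modern IDS.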