Ethical Hacking Full Course - Learn Ethical Hacking in 10 Hours | Ethical Hacking Tutorial Free Full Course In 10 Hours

 


Ethical Hacking Full Course - Learn Ethical Hacking in 10 Hours | Ethical Hacking Tutorial | Edureka

edureka!

Video Transcript:

Hi guys, my name is Aarya and I'm going to be your instructor for this course today. In this Ethical Hacking full course video, we'll be learning almost everything that is required for you to get started as an ethical hacker. So let's quickly go over the topics that we are going to be covering today. Firstly, we're going to go through the basics of cyber security and cryptography, where we'll be learning the key concepts of confidentiality, integrity and availability, and how the cryptography concepts also tie into the whole picture. Next, we'll be looking at some cyber threats. We'll be seeing how these cyber threats actually affect our computers, and then we will also see how we can mitigate them. After which, we will be looking into the history of ethical hacking; we'll learn how this all began at the Massachusetts Institute of Technology. Then we will be looking into the fundamentals of networking and ethical hacking; in this we'll be learning the various tools that are used in ethical hacking and also the network architectures these tools are used in. After this, we will have a look at the most famous operating system that is there, that is Kali Linux. Kali Linux is used by ethical hackers and penetration testers all around the world. We'll be learning how to install this on our local systems, we'll be learning the tools that come along with it and how we should be using them. After that, we'll be learning about penetration testing; penetration testing is a subset of ethical hacking. In this we will be learning about a tool called Metasploit, and using Metasploit we'll learn more about vulnerability analysis and how we can install backdoors in different computer systems and take advantage of these vulnerabilities. Now, Nmap is also another tool that we are going to be discussing in this course; we will be learning how we can use Nmap to gather information from our networks and how we can use this information to our advantage.
After that, we'll be learning deeply about three cyber attacks that are there in this industry: first is cross-site scripting, secondly distributed denial of service, and thirdly SQL injection attacks. Now, we'll be doing these attacks ourselves on dummy targets and learning more about these attacks and how they are orchestrated, and thus we will be learning more about how we can mitigate them if we actually become ethical hackers. Now, we will also be discussing some very advanced cryptography methods called steganography, which is basically used for hiding digital code inside images. Last but not the least, we will also be discussing how you could become an ethical hacker yourself. So we'll be discussing a roadmap, we'll also be discussing the job profiles that are there in the industry, and we will also be discussing the companies that are hiring for these job profiles along with the salaries that they are trying to offer. Also, we won't be leaving you hanging right there: we'll also be discussing the 50 most common interview questions that come along with these job profiles so that you can snag that job interview. And if you do like our content, in the end please leave us a like, please leave a comment if you want to, and do hit the Subscribe button so that you can join our ever-growing community of learners. It can be rightfully said that today's generation lives on the internet, and we general users are almost ignorant as to how those random bits of ones and zeros reach our computer securely. It's not magic; it's work and sweat that makes sure that your packets reach you unsniffed. Today I, Aarya from Edureka, am here to tell you guys about how cybersecurity makes this all possible. Now before we begin, let me brief you all about the topics that we're going to cover today. So basically we're going to ask three questions.
These questions are important to cybersecurity. Firstly, we're going to see why cyber security is needed; next we're going to see what exactly cyber security is; and in the end I'm going to show you a scenario of how cybersecurity can save a whole organization from organized cybercrime. Okay, so let's get started. Now, as I just said, we are living in a digital era. Whether it be booking a hotel room, ordering some dinner or even booking a cab, we're constantly using the internet and inherently constantly generating data. This data is generally stored on the cloud, which is basically a huge data server or data center that you can access online. Also, we use an array of devices to access this data. Now for a hacker, it's a golden age: with so many access points, public IP addresses, constant traffic and tons of data to exploit, black hat hackers are having one hell of a time exploiting vulnerabilities and creating malicious software for the same. Above that, cyber attacks are evolving by the day; hackers are becoming smarter and more creative with their malware, and how they bypass virus scans and firewalls still baffles many people. Let's go through some of the most common types of cyber attacks now. So as you guys can see, I've listed out eight cyber attacks that have plagued us since the beginning of the internet. Let's go through them briefly. So first on the list, we have general malware. Malware is an all-encompassing term for a variety of cyber threats including Trojans, viruses and worms. Malware is simply defined as code with malicious intent that typically steals data or destroys data on the computer. Next on the list.
We have phishing. Often posing as a request for data from a trusted third party, phishing attacks are sent via email and ask users to click on a link and enter their personal data. Phishing emails have gotten much more sophisticated in recent years, making it difficult for some people to discern a legitimate request for information from a false one. Phishing emails often fall into the same category as spam, but are more harmful than just a simple ad. Next on the list, we have password attacks. A password attack is exactly what it sounds like: a third party trying to gain access to your system by cracking a user's password. Next up is DDoS, which stands for distributed denial-of-service. A DDoS attack focuses on disrupting the service of a network. An attacker sends high volumes of data or traffic through the network, that is, making a lot of connection requests, until the network becomes overloaded and can no longer function. Next up, we have man-in-the-middle attacks. By impersonating the endpoints in an online information exchange, that is, the connection from your smartphone to a website, the MITM attacker can obtain information from the end user and the entity he or she is communicating with. For example, if you're banking online, the man in the middle would communicate with you by impersonating your bank and communicate with the bank by impersonating you. The man in the middle would then receive all the information transferred between both parties, which could include sensitive data such as bank accounts and personal information. Next up, we have drive-by downloads: through malware on a legitimate website, a program is downloaded to a user's system just by visiting the site. It doesn't require any type of action by the user to download it actually. Next up.
We have malvertising, which is a way to compromise your computer with malicious code that is downloaded to your system when you click on an infected ad. Lastly, we have rogue software, which is basically malware masquerading as legitimate and necessary security software that will keep your system safe. So as you guys can see now, the internet sure isn't the safe place you might think it is. This not only applies to us as individuals but also to large organizations; there have been multiple cyber breaches in the past that have compromised the privacy and confidentiality of their data. If we head over to the site called Information is Beautiful, we can see all the major cyber breaches that have been committed. So as you guys can see, even big companies like eBay, AOL, Evernote and Adobe have actually gone through major cyber breaches, even though they have a lot of security measures taken to protect the data that they contain. So it's not only small individuals that are targeted by hackers, but even bigger organizations are constantly being targeted by these guys. So after looking at all sorts of cyberattacks possible, the breaches of the past and the sheer amount of data available, we must be thinking that there must be some sort of mechanism and protocol to actually protect us from all these sorts of cyberattacks, and indeed there is a way, and this is called cyber security. In a computing context, security comprises cybersecurity and physical security; both are used by enterprises to protect against unauthorized access to data centers and other computerized systems. Information security, which is designed to maintain the confidentiality, integrity and availability of data, is a subset of cybersecurity. The use of cybersecurity can help prevent cyberattacks, data breaches and identity theft, and can aid in risk management.
So when an organization has a strong sense of network security and an effective incident response plan, it is better able to prevent and mitigate these attacks. For example, end user protection defends information and guards against loss or theft while also scanning computers for malicious code. Now when talking about cybersecurity, there are three main activities that we are trying to protect ourselves against, and they are unauthorized modification, unauthorized deletion and unauthorized access. These three terms are very synonymous with the very commonly known CIA triad, which stands for confidentiality, integrity and availability. The CIA triad is also commonly referred to as the three pillars of security, and most security policies of bigger organizations, and even smaller companies, are based on these three principles. So let's go through them one by one. So first on the list we have confidentiality. Confidentiality is roughly equivalent to privacy. Measures undertaken to ensure confidentiality are designed to prevent sensitive information from reaching the wrong people while making sure that the right people can in fact get it. Access must be restricted to those authorized to view the data in question. It is common as well for data to be categorized according to the amount and type of damage that could be done should it fall into unintended hands; more or less stringent measures can then be implemented according to those categories. Sometimes safeguarding data confidentiality may involve special training for those privy to such documents. Such training would typically include the security risks that could threaten this information. Training can help familiarize people with risk factors and how to guard against them. Further aspects of training can include strong passwords and password-related best practices, and information about social engineering methods, to prevent them from bending data handling rules with good intentions and potentially disastrous results.
Next on the list, we have integrity. Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people, for example in a breach of confidentiality. These measures include file permissions and user access controls. Version control may be used to prevent erroneous changes or accidental deletion by authorized users from becoming a problem. In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as electromagnetic pulses or a server crash. Some data might include checksums, even cryptographic checksums, for verification of integrity. Backups or redundancies must be available to restore the affected data to its correct state. Last but not least is availability. Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, and maintaining a correctly functioning operating system environment that is free of software conflicts. It's also important to keep current with all necessary system upgrades. Providing adequate communication bandwidth and preventing the occurrence of bottlenecks are equally important. Redundancy, failover and even high-availability clusters can mitigate serious consequences when hardware issues do occur. Fast and adaptive disaster recovery is essential for the worst-case scenarios; that capacity is reliant on the existence of a comprehensive disaster recovery plan. Safeguards against data loss or interruptions in connection must include unpredictable events such as natural disasters and fire. To prevent data loss from such occurrences, a backup copy must be stored in a geographically isolated location, perhaps even in a fireproof, waterproof safe. Extra security equipment or software such as firewalls and proxy servers can guard against downtime and unreachable data due to malicious actions such as denial-of-service attacks and network intrusions. So now that we have seen what we are actually trying to implement when trying to protect ourselves on the internet, we should also know the ways that we actually protect ourselves when we are attacked by cyber organizations. So the first step to actually mitigate any type of cyber attack is to identify the malware or the cyber threat that is currently going on in your organization. Next, we have to actually analyze and evaluate all the affected parties and the file systems that have been compromised, and in the end we have to patch the whole thing so that our organization can come back to its original running state without any cyber breaches. So how is it exactly done? This is mostly done by actually calculating three factors. The first factor is vulnerability, the second factor is threat and the third is risk. So let me tell you about the three of them a little bit. So first on the list of actual calculation, we have vulnerability. So a vulnerability refers to a known weakness of an asset that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to be successful. For example, when a team member resigns and you forget to disable their access to external accounts, change logins or remove their names from the company credit cards, this leaves your business open to both unintentional and intentional threats. However, most vulnerabilities are exploited by automated attackers and not a human typing on the other side of the network. Next, testing for vulnerabilities is critical to ensuring the continued security of your systems, by identifying weak points and developing a strategy to respond quickly.
Here are some questions that you ask when determining your security vulnerabilities. So you have questions like: is your data backed up and stored in a secure off-site location? Is your data stored in the cloud? If yes, how exactly is it being protected from cloud vulnerabilities? What kind of security do you have to determine who can access, modify or delete information from within your organization? Next, you could ask questions like: what kind of antivirus protection is in use? Are the licenses current? And is it running as often as needed? Also, do you have a data recovery plan in the event of a vulnerability being exploited? These are the normal questions that one asks when actually checking their vulnerability. Next up is threat. A threat refers to a new or newly discovered incident with the potential to do harm to a system or your overall organization. There are three main types of threat: natural threats like floods or tornadoes; unintentional threats, such as an employee mistakenly accessing the wrong information; and intentional threats. There are many examples of intentional threats, including spyware, malware, adware companies or the actions of disgruntled employees. In addition, worms and viruses are categorized as threats because they could potentially cause harm to your organization through exposure to an automated attack, as opposed to one perpetrated by human beings. Although these threats are generally outside of one's control and difficult to identify in advance, it is essential to take appropriate measures to assess threats regularly. Here are some ways to do so. Ensure that your team members are staying informed of current trends in cyber security so they can quickly identify new threats. They should subscribe to blogs like Wired and podcasts like TechGenix Extreme IT that cover these issues, as well as join professional associations so they can benefit from breaking news feeds, conferences and webinars.
You should also perform regular threat assessments to determine the best approaches to protecting a system against a specific threat, along with assessing different types of threat. In addition, penetration testing involves modeling real-world threats in order to discover vulnerabilities. Next on the list, we have risk. So risk refers to the potential for loss or damage when a threat exploits a vulnerability. Examples of risks include financial losses as a result of business disruption, loss of privacy, reputational damage, legal implications, and can even include loss of life. Risk can also be defined as follows, which is basically threat × vulnerability. You can reduce the potential for risk by creating and implementing a risk management plan, and here are the key aspects to consider when developing your risk management strategy. Firstly, we need to assess risk and determine needs. When it comes to designing and implementing a risk assessment framework, it is critical to prioritize the most important breaches that need to be addressed. Although the frequency may differ in each organization, this level of assessment must be done on a regular, recurring basis. Next, we also have to include a total stakeholder perspective. Stakeholders include the business owners as well as employees, customers and even vendors. All of these players have the potential to negatively impact the organization, but at the same time they can be assets in helping to mitigate risk. So as we see, risk management is the key to cybersecurity. So now let's go through a scenario to actually understand how cybersecurity actually defends an organization against very manipulative cybercrime. So cybercrime, as we all know, is a global problem that's been dominating the news cycle. It poses a threat to individual security and an even bigger threat to large international companies, banks and governments. Today's organized cybercrime far outshadows the lone hackers of the past, and now large organized crime rings function like startups and often employ highly trained developers who are constantly innovating new online attacks. Most companies have preventative security software to stop these types of attacks, but no matter how secure we are, cybercrime is going to happen. So meet Bob. He's a chief security officer for a company that makes a mobile app to help customers track and manage their finances, so security is a top priority. Bob's company has an incident response platform in place that automates the entire cybersecurity process. The IRP software integrates all the security and IT software needed to keep a large company like Bob's secure into a single dashboard, and acts as a hub for the people, processes and technology needed to respond to and contain cyber threats. Let's see how this platform works in the case of a security breach. While Bob is out on a business trip, irregular activity occurs on his account. A user behavior analytics engine that monitors account activity recognizes suspicious behavior involving late-night logins and unusual amounts of data being downloaded. This piece of software is the first signal that something is wrong, and an alert is sent to the next piece of software in the chain, which is the security information and event management system. Now the IRP can orchestrate a chain of events that ultimately prevents the company from encountering a serious security disaster. The IRP connects to the user directory software that Bob's company uses, which immediately recognizes that the user account belongs to an executive who is out on a business trip, and then proceeds to lock his account. The IRP sends the incident IP address to threat intelligence software, which identifies the address as a suspected malware server. As each piece of security software runs,
the findings are recorded in the IRP's incident, which is already busy creating a set of instructions called a playbook for a security analyst to follow. The analyst unlocks Bob's account and changes his passwords. This time, the software has determined the attempted attack came from a well-known cybercrime organization using stolen credentials. Bob's credentials were stolen when the hacker found a vulnerability in his company's firewall software and used it to upload a malware-infected file. Now that we know how the attack happened, the analyst uses the IRP and identifies and patches all the things. The IRP uses information from an endpoint tool to determine which machines need to be patched, recommends how to patch them, and then allows the analyst to push the patches to all the computers and mobile devices instantly. Meanwhile, Bob has to alert the legal department of the breach, and the IRP instantly notifies the correct person of the situation and the status of the incident. After the attack is contained and Bob's account is secured, the analyst then communicates which data may have been stolen or compromised during the incident. He identifies which geographies, jurisdictions and regulatory agencies cover the users and information affected by the attack. Then the IRP creates a series of tasks so the organization can notify the affected parties and follow all relevant compliance and liability procedures. In the past, a security breach this large would have required Bob's company to involve several agencies and third parties to solve the problem, a process that could have taken months or longer. But in a matter of hours, the incident response platform organized all of the people, processes and technology to identify and contain the problem, find the source of the attack, fix the vulnerability and notify all affected parties. And in the future, Bob and his team will be able to turn to cognitive security tools.
These tools will read and learn from tens of thousands of trusted publications, blogs and other sources of information. This knowledge will uncover new insights and patterns, anticipate, isolate and minimize attacks as they happen, and immediately recommend actions for security professionals to take, keeping data safe and companies like Bob's out of the headlines. Cryptography is essentially important because it allows you to securely protect data that you don't want anyone else to have access to. It is used to protect corporate secrets, secure classified information and to protect personal information to guard against things like identity theft, and today's video is basically going to be about cryptography. Now before we actually jump into the session, let me give you guys a brief on the topics that we're going to cover today. So first of all, we're going to cover what cryptography is through the help of a very simplistic scenario, then we are going to go through the classifications of cryptography and how the different classification algorithms work. In the end, I'm going to show you guys a nifty demo on how a popular algorithm called RSA actually works. So let's get started. Now, I'm going to take the help of an example or a scenario to actually explain what cryptography is. All right. So let's say we have a person, and let's call him Andy. Now suppose Andy sends a message to his friend Sam, who's on the other side of the world. Now, obviously he wants this message to be private and nobody else should have access to the message. Now, he uses a public forum, for example the internet, for sending this message. The goal is to actually secure this communication, and of course we have to be secured against someone. Now, let's say there is a smart guy called Eve who has secretly got access to your communication channel. Since this guy has access to your communication, he can do much more than just eavesdrop; for example, he can try to change the message itself.
Now this is just a small example. What if Eve actually gets access to your private information? Well, that could actually result in a big catastrophe. So, how can Andy be sure that nobody in the middle could access the message sent to Sam? The goal here is to make communication secure, and that's where cryptography comes in. So what exactly is cryptography? Well, cryptography is the practice and the study of techniques for securing communication and data in the presence of adversaries. So, let me take a moment to explain how that actually happens. Well, first of all, we have a message. This message is firstly converted into a numeric form, and then this numeric form is applied with a key called an encryption key, and this encryption key is used in an encryption algorithm. So once the numeric message and the encryption key have been applied in an encryption algorithm, what we get is called a ciphertext. Now this ciphertext is sent over the network to the other side of the world, where the other person, for whom the message is intended, will actually use a decryption key and use the ciphertext as a parameter of a decryption algorithm, and then he'll get what we actually sent as a message, and if some error had actually occurred he'd get an error. So let's see how cryptography can help secure the connection between Andy and Sam. So to protect his message, Andy first converts his readable message to an unreadable form. Here he converts the message to some random numbers, and after that he uses a key to encrypt his message. After applying this key to the numerical form of his message, he gets a new value; in cryptography, we call this ciphertext. So now if Andy sends the ciphertext or encrypted message over the communication channel, he won't have to worry about somebody in the middle discovering the private message. Even if somebody manages to discover the message, he won't be able to decrypt the message without having the proper key to unlock this message.
So suppose Eve here discovers the message and he somehow manages to tamper with the message, and the message finally reaches Sam. Sam would need a key to decrypt the message to recover the original plaintext. So using the key, he would convert the ciphertext to the numerical value corresponding to the plaintext. Now after using the key for decryption, what will come out is the original plaintext message or an error. Now this error is very important: it is the way Sam knows that the message sent by Andy is not the same as the message that he received. So the error in a sense tells us that Eve has tampered with the message. Now, the important thing to note here is that in modern cryptography the security of the system purely relies on keeping the encryption and decryption key secret. Based on the type of keys and encryption algorithms, cryptography is classified under the following categories. Now cryptography is broadly classified under two categories, namely symmetric key cryptography and asymmetric key cryptography, popularly also known as public key cryptography. Now symmetric key cryptography is further classified as classical cryptography and modern cryptography. Further drilling down, classical cryptography is divided into two, which is transposition cipher and substitution cipher; on the other hand, modern cryptography is divided into stream cipher and block cipher. In the upcoming slides I'll broadly explain all these types of cryptography. So let's start with symmetric key cryptography first.
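The integrity section earlier mentions checksums, even cryptographic checksums, for detecting changes caused by non-human events, and the Andy/Sam scenario above says Sam learns of Eve's tampering only through a key he shares with Andy. The following Python is an added example that is not part of the transcript or the course; it contrasts the two with the standard library: an unkeyed SHA-256 checksum catches an accidental bit flip but not Eve, who can simply recompute it, while a keyed HMAC tag (the key, message and forgery are constructed for the demo) rejects the altered message.

```python
import hashlib
import hmac
import secrets


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: detects accidental corruption (bit flips, crashes)."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched
    return hmac.compare_digest(checksum(data), expected)


def tag(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag: only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)


def tamper_demo() -> dict:
    """Walk through the Andy -> Eve -> Sam scenario with constructed values."""
    shared_key = secrets.token_bytes(32)          # constructed: secret shared by Andy and Sam
    message = b"TRANSFER 100 TO SAM"              # constructed plaintext

    # Andy sends the message with both an unkeyed checksum and a keyed tag.
    sent_sum = checksum(message)
    sent_tag = tag(shared_key, message)

    # Case 1: a non-human event flips one bit in transit.
    flipped = bytes([message[0] ^ 0x01]) + message[1:]

    # Case 2: Eve rewrites the message and recomputes the checksum, which needs no key.
    forged = b"TRANSFER 900 TO EVE"
    forged_sum = checksum(forged)

    return {
        "bitflip_detected_by_checksum": not verify_checksum(flipped, sent_sum),
        "checksum_accepts_forgery": verify_checksum(forged, forged_sum),
        "tag_rejects_forgery": not verify_tag(shared_key, forged, sent_tag),
        "tag_accepts_original": verify_tag(shared_key, message, sent_tag),
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

The design point is the one the transcript makes: the "error" Sam sees is only meaningful because it depends on a secret Eve does not hold. A checksum published alongside the data protects against accidents; a keyed tag (or an authenticated encryption mode) is what protects against an adversary on the channel.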
So symmetric key algorithms are algorithms for cryptography that use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext. The keys may be identical, or there may be some simple transformation to go between the two keys. The keys in practice represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption in comparison to public key encryption, also known as asymmetric key encryption. Now symmetric key cryptography is sometimes also called secret key cryptography, and the most popular symmetric key system is the Data Encryption Standard, which also stands for DES. Next up, we're going to discuss transposition ciphers. So in cryptography, a transposition cipher is a method of encryption by which the positions held by units of plaintext, which are commonly characters or groups of characters, are shifted according to a regular system so that the ciphertext constitutes a permutation of the plaintext. That is, the order of units is changed: the plaintext is reordered. Now, mathematically speaking, a bijective function is used on the characters' positions to encrypt and an inverse function to decrypt. So as you can see, there is an example on the slide. On the plaintext side, we have a message which says "meet me after the party". Now, this has been carefully arranged in the encryption matrix, which has been divided into six rows and columns. So next we have a key, which is basically 4 2 1 6 5, and then we rearrange by looking at the plaintext matrix, and then we get the ciphertext, which basically is some unreadable gibberish at this moment. So that's how this whole algorithm works. On the other hand, when the ciphertext is being converted into the plaintext, the plaintext matrix is going to be referred to, and it can be done very easily. Moving on,
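The columnar transposition on the slide, as an added Python example that is not the course's own code. The plaintext is written row by row into a matrix six letters wide and the columns are read out in the order the key dictates; the key digits in the transcript are garbled, so the key used here, (4, 3, 1, 2, 6, 5), and the padding character are constructed assumptions. Decryption inverts the permutation by refilling the columns from the ciphertext and reading the rows back.

```python
def _clean(text: str) -> str:
    """Keep letters only, lower-cased, as classical ciphers do."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def encrypt_columnar(plaintext: str, key: tuple, pad: str = "x") -> str:
    """key[c] is the rank (1-based) at which column c is read out."""
    n = len(key)
    text = _clean(plaintext)
    if len(text) % n:                      # fill the last row so every column is equal length
        text += pad * (n - len(text) % n)
    rows = [text[i:i + n] for i in range(0, len(text), n)]
    order = sorted(range(n), key=lambda c: key[c])   # columns in read-out order
    return "".join(row[c] for c in order for row in rows)


def decrypt_columnar(ciphertext: str, key: tuple, pad: str = "x") -> str:
    """Inverse: place each ciphertext chunk back into its column, then read rows."""
    n = len(key)
    if len(ciphertext) % n:
        raise ValueError("ciphertext length must be a multiple of the key length")
    nrows = len(ciphertext) // n
    order = sorted(range(n), key=lambda c: key[c])
    cols = [""] * n
    for i, c in enumerate(order):
        cols[c] = ciphertext[i * nrows:(i + 1) * nrows]
    rows = ("".join(cols[c][r] for c in range(n)) for r in range(nrows))
    # Caveat: stripping the pad also removes a genuine trailing pad letter;
    # a real system would carry the plaintext length separately.
    return "".join(rows).rstrip(pad)


if __name__ == "__main__":
    KEY = (4, 3, 1, 2, 6, 5)              # constructed key, not the slide's
    c = encrypt_columnar("meet me after the party", KEY)
    print(c, "->", decrypt_columnar(c, KEY))
```

Note what the ciphertext reveals: it is exactly the plaintext's letters rearranged, so letter frequencies are unchanged, which is why a transposition on its own gives no confidentiality against frequency analysis.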
We are going to discuss substitution Cipher. So substitution of single letter separately simple substitution can be demonstrated by writing out the alphabets in some order to represent the substitution. This is termed a substitution alphabet the cipher the alphabet may be shifted or reversed creating the Caesar And upstage Cipher respectively or scrambled in a more complex fashion. In which case it is called a mixed Alpha bit or deranged alphabet traditionally mixed alphabets may be created by first writing out keyword removing repeated letters in it. Then writing all the remaining letters in the alphabet in the usual order now consider this example shown on the slide using the system. We just discussed the keyword zebras gives us the following alphabets from the plain text alphabet, which is a to z. So the ciphertext alphabet is basically zebras Then followed by all the alphabets. We have missed out in the zebra word. So as you guys, Can see it's zebras followed by s c d e f g h and so on now suppose we were to actually encrypt a message using this code. So as you guys can see on the screen, I've shown you an example, which is a message flee at once. We are discovered is being actually encrypted using this code. So if you guys can see out here the F letter actually corresponds to S. And then the L letter actually corresponds to I out here then we actually get the cipher text which is Si a a is that you using the code and the process that I just discussed now traditionally, the cipher text is written out in blocks of fixed length omitting punctuations and spaces. This is done to help avoid transmission errors to disguise the word boundaries from the plain text. Now these blocks are called groups and sometimes a group count. That is the number of groups is given as an additional check now five-letter groups are traditional as you guys can see that we have also divided our ciphertext into groups of five and this dates back. 
to when messages used to be transmitted by telegraph. Now if the length of the message happens not to be divisible by 5, it may be padded at the end with nulls, and these can be any characters that decrypt to obvious nonsense, so the receiver can easily spot them and discard them. Next on our list is the stream cipher. So a stream cipher is a method of encrypting text to produce ciphertext in which a cryptographic key and algorithm are applied to each binary digit in a data stream, one bit at a time. This method is not much used in modern cryptography. The main alternative method is the block cipher, in which a key and algorithm are applied to blocks of data rather than individual bits in a stream. Okay. So now that we've spoken about block ciphers, let's go and actually explain what a block cipher does. A block cipher is an encryption method that applies a deterministic algorithm with the symmetric key to encrypt a block of text, rather than encrypting one bit at a time as in stream ciphers. For example, a common block cipher, AES, encrypts 128-bit blocks with a key of predetermined length, that is either 128, 192 or 256 bits in length. Now block ciphers are pseudo-random permutation families that operate on a fixed-size block of bits. These PRPs are functions that cannot be differentiated from a completely random permutation, and thus are considered reliable, and have been proven to be unreliable by some sources. Okay. So now it's time that we discussed some asymmetric cryptography. So asymmetric cryptography, also known as public key cryptography, is any cryptographic system that uses pairs of keys: a public key, which may be disseminated widely, and a private key, which is known only to the owner. This accomplishes two functions: authentication, where the public key verifies that a holder of the paired private key sent the message, and encryption, where only the paired private key holder can decrypt a message encrypted with the public key. In a public key encryption system,
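The two classical ciphers just walked through, as an added example that is not code from the course slides: a keyword-mixed substitution alphabet (the slide's ZEBRAS example, written out in five-letter groups with null padding) and a columnar transposition with encrypt and decrypt. The transposition key [3, 1, 4, 2, 6, 5] is a constructed one, because the slide's key digits did not survive transcription; only A-Z are enciphered and spaces and punctuation are dropped, as the text describes.

```python
"""Keyword substitution and columnar transposition (added example)."""
import string

ALPHABET = string.ascii_uppercase


def letters_only(text):
    """Drop spaces and punctuation; the classical ciphers work on A-Z only."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def mixed_alphabet(keyword):
    """Keyword first (repeated letters removed), then the unused letters in order."""
    out = []
    for ch in keyword.upper() + ALPHABET:
        if ch in ALPHABET and ch not in out:
            out.append(ch)
    return "".join(out)


def substitute(text, cipher_alphabet, decrypt=False):
    """Map plaintext alphabet -> cipher alphabet (or back when decrypt=True)."""
    src, dst = (cipher_alphabet, ALPHABET) if decrypt else (ALPHABET, cipher_alphabet)
    return letters_only(text).translate(str.maketrans(src, dst))


def group(ciphertext, size=5, null="X"):
    """Write ciphertext in fixed-size groups, padding the last one with nulls."""
    padded = ciphertext + null * ((-len(ciphertext)) % size)
    return " ".join(padded[i:i + size] for i in range(0, len(padded), size))


def transpose_encrypt(text, key):
    """Write the letters row by row into len(key) columns, then read the
    columns out in the order given by key (the column with key value 1 first)."""
    plain = letters_only(text)
    cols = len(key)
    rows = [plain[i:i + cols] for i in range(0, len(plain), cols)]
    order = sorted(range(cols), key=lambda i: key[i])
    return "".join("".join(row[k] for row in rows if k < len(row)) for k in order)


def transpose_decrypt(ciphertext, key):
    """Inverse: rebuild each column (the first len % cols columns are one letter
    longer because the last row is incomplete), then read the grid row by row."""
    cols = len(key)
    full_rows, extra = divmod(len(ciphertext), cols)
    col_len = [full_rows + (1 if i < extra else 0) for i in range(cols)]
    order = sorted(range(cols), key=lambda i: key[i])
    columns, pos = [""] * cols, 0
    for k in order:
        columns[k] = ciphertext[pos:pos + col_len[k]]
        pos += col_len[k]
    return "".join(columns[k][r] for r in range(full_rows + 1)
                   for k in range(cols) if r < len(columns[k]))


if __name__ == "__main__":
    zebras = mixed_alphabet("zebras")
    ct = substitute("flee at once. we are discovered", zebras)
    print(zebras)                                  # ZEBRASCDFGHIJKLMNOPQTUVWXY
    print(group(ct))                               # SIAAZ QLKBA VAZOA RFPBL UAOAR
    print(substitute(ct, zebras, decrypt=True))    # FLEEATONCEWEAREDISCOVERED
    key = [3, 1, 4, 2, 6, 5]                       # constructed key, 6 columns
    tct = transpose_encrypt("meet me after the party", key)
    print(tct, transpose_decrypt(tct, key))
```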
any person can encrypt a message using the receiver's public key, and that encrypted message can only be decrypted with the receiver's private key. So to be practical, the generation of a public and private key pair must be computationally economical. The strength of a public key cryptography system relies on the computational effort required to find the private key from its paired public key. So effective security only requires keeping the private key private, and the public key can be openly distributed without compromising security. Okay. So now that I've actually shown you guys how cryptography actually works and how the different classifications are actually applied, let's go and do something interesting. So you guys are actually watching this video on YouTube right now. So if you guys actually go and click on the secure padlock beside the URL, you can actually go and view the digital certificates that are actually used out here. So click on certificates and you'll see the details in the Details tab. Now as you guys can see, the signature algorithm that is used for actually securing YouTube is SHA-256 with RSA, and RSA is a very, very common encryption algorithm that is used throughout the internet. Then the signature hash algorithm that is being used is SHA-256, and the issuer is Google Internet Authority, and you can get a lot of information about sites and all their authority key identifiers or certificate policies, the key usage and a lot of things about security just from this small little button out here. Also, let me show you a little how public key encryption actually works. So on the site, which is basically cobweb.cs.uga.edu, you can actually demo out public key encryption. So suppose we had to send a message. First we would need to generate keys. So as you can see, I just clicked generate keys and it got me two keys: one is the public key, which I will distribute over the network, and one is the private key, which I will actually keep secret to myself. Now
I want to send a message saying "hi there, when is the exam tomorrow?" So now we are going to encrypt it using the public key, because that's exactly what's distributed. So now as you can see we have got our ciphertext. So this huge thing right out here is the ciphertext, and it absolutely makes no sense whatsoever. Now suppose we were to actually decrypt the message. We would use the private key that goes along with our account and we would decode the message, and as you guys can see, voila, we have "hi there, when is the exam tomorrow". So we have actually sent a message on the internet in a very secure fashion. Above that, there's also RSA that needs some explaining, because I had promised that. Now RSA is a very, very commonly used algorithm that is used throughout the internet, and you just saw it being used by YouTube, so it has to be common. So RSA has a very unique way of applying this algorithm. There are many actual parameters that you actually need to study. Okay. So now we're actually going to discuss RSA, which is a very popular algorithm that is used all over the internet, and you also saw that it's being used by YouTube right now. So this cryptosystem is one of the initial systems. It remains the most employed cryptosystem even today, and the system was invented by three scholars, which is Ron Rivest, Adi Shamir and Len Adleman, hence the name RSA, and we will see the two aspects of the RSA cryptosystem: firstly generation of the key pair and secondly the encryption and decryption algorithms. So each person or party who desires to participate in communication using encryption needs to generate a pair of keys, namely a public key and a private key. So the process followed in the generation of keys is as follows. First, we have to actually calculate n. Now n is actually given by multiplying p and q, as you guys can see out here.
So p and q are supposed to be very large prime numbers. So out here n will be 35, but for some very strong encryption we are going to choose very large prime numbers. Then we actually have to calculate phi. Now phi, as you can see the formula goes, is (p - 1) into (q - 1), and this helps us determine e for the encryption algorithm. Now then we have to actually calculate e. Now e must be greater than 1 and less than phi, which is (p - 1) into (q - 1), and there must be no common factors for e and phi except for 1. So in other words, they must be co-prime to each other. Now to form the public key, the pair of numbers n and e forms the RSA public key. This is actually made public and is distributed throughout the network. Interestingly though, n is a part of the public key, and the difficulty in factorizing a large prime number ensures that the attacker cannot find in finite time the two primes, that is p and q, that are used to obtain n. This actually ensures the strength of RSA. Now in the generation of the private key, the private key d is calculated from p, q and e. For given n and e, there is a unique number d. Now the number d is the inverse of e modulo phi. This means that d is a number less than phi such that when multiplied by e, it gives 1. So let's go and actually fill up these numbers. So n should be 35 out here, and if we generate them we get the value of phi, which is 24, which is basically 4 into 6, and then we should also get e. Now e should be co-prime, so we are going to give it 11, as 11 is co-prime to both. So now for the actual encryption part we have to put in e and n out here. So e out here for us is 11 and n is 35, and then we are going to pick a letter to actually cipher, which is A, and then we're going to encode it as a number. So as you guys can see, we've encoded A as 1 out here. Now, after we've given the message its numerical form, we click on encrypt and we get it. Now to actually decrypt the message,
we are going to need d and n. Now d for us was 5 and n was 35, so 5 and 35, and then we're going to take the encrypted message from above and we're going to decrypt this message. So after you decrypt it, we have the numerical form of the plaintext, and then to decode the message, click here, decode message. And as you guys can see, we have decoded the message using RSA. So guys, that's how RSA works. I explained all the factors that we actually use in RSA, from n to phi to e to d, and I hope you understood a part of it. If y'all are still more interested, y'all can actually research a lot on RSA; it's a very in-depth cryptography system. Just as pollution was a side effect of the Industrial Revolution, so are the many security vulnerabilities that come with the increase in internet connectivity. Cyber attacks are exploitations of those vulnerabilities. For the most part, individuals and businesses have found ways to counter cyber attacks using a variety of security measures and just good old common sense. We are going to examine eight of the most common cyber security threats that your business could face and the ways to avoid them. So before we actually jump into the session, let me give you how the session will actually work. We are going to discuss the 8 most common cyber threats.
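The RSA key generation steps walked through above (n = p * q, phi = (p - 1)(q - 1), a co-prime e, and d as the inverse of e modulo phi), as an added example using the video's p = 5, q = 7 and e = 11; this is not code from the course or from the cobweb demo site. The extended-Euclid inverse routine and the letter encoding (a = 1 ... z = 26, matching the demo's "A encodes as 1") are this example's own; with e = 11 the inverse modulo 24 works out to 11, since 11 * 11 = 121 = 5 * 24 + 1. A 35-valued modulus is of course only for checking each step by hand.

```python
"""Toy RSA walkthrough with p = 5, q = 7, e = 11 (added example)."""
from math import gcd


def is_prime(x):
    """Trial division; adequate for the tiny primes used here."""
    if x < 2:
        return False
    return all(x % k for k in range(2, int(x ** 0.5) + 1))


def modinv(a, m):
    """Extended Euclid: the unique d < m with (a * d) % m == 1."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse: arguments are not coprime")
    return s0 % m


def keygen(p, q, e):
    """Return (public, private) as ((n, e), (n, d)) following the four steps
    from the walkthrough: n = p*q, phi = (p-1)(q-1), 1 < e < phi with
    gcd(e, phi) = 1, and d = e^-1 mod phi."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and be coprime to phi")
    d = modinv(e, phi)
    return (n, e), (n, d)


def encode(text):
    """a = 1 ... z = 26, one number per letter (non-letters dropped)."""
    return [ord(c) - ord("a") + 1 for c in text.lower() if c.isalpha()]


def decode(numbers):
    return "".join(chr(m + ord("a") - 1) for m in numbers)


def encrypt(text, public):
    """c = m^e mod n for each letter. Note that this textbook form is
    deterministic (the same letter always gives the same c), which is why
    real RSA randomises the message with padding before exponentiation."""
    n, e = public
    return [pow(m, e, n) for m in encode(text)]


def decrypt(blocks, private):
    """m = c^d mod n, then map the numbers back to letters."""
    n, d = private
    return decode([pow(c, d, n) for c in blocks])


if __name__ == "__main__":
    public, private = keygen(5, 7, 11)
    print("public", public, "private", private)   # (35, 11) and (35, 11)
    ct = encrypt("ab", public)
    print("ciphertext", ct, "->", decrypt(ct, private))   # [1, 18] -> ab
```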
We're going to discuss in particular what they are, how the threat works and how to protect yourself. Okay. So now let's jump in. Now cyber attacks are taking place all the time. Even as we speak, the security of some organization, big or small, is being compromised. For example, if you visit this site out here, that is ThreatCloud, you can actually view all the cyber attacks that are actually happening right now. Let me just give you a quick demonstration of what that looks like. Okay, so as you guys can see out here, these are all the places that are being compromised right now. The red parts actually show us the part that is being compromised, and the yellow places actually show us where it's being compromised from. Okay, as you guys can see now that someone from Madeline's is actually attacking this place, and someone from the USA was attacking Mexico. It's a pretty interesting site, and it actually gives you a sense of how many cyber attacks are actually happening all the time in the world. Okay, now getting back, I think looking at all these types of cyber attacks, it's only necessary that we educate ourselves about all the types of cyber threats that we have. So these are the eight cyber threats that we're going to be discussing today. Firstly, we're going to start off with malware. So malware is an all-encompassing term for a variety of cyber attacks, including trojans, viruses and worms. Malware is simply defined as code with malicious intent that typically steals data or destroys something on the computer. The way malware goes about doing its damage can be helpful in categorizing what kind of malware you're dealing with. So let's discuss it. So first of all, viruses: like their biological namesakes, viruses attach themselves to clean files and infect other clean files, and they can spread uncontrollably, damaging a system's core functionality and deleting or corrupting files. They usually appear as executable files that you might have downloaded from the internet.
Then there are also trojans. Now this kind of malware disguises itself as legitimate software, or is included in legitimate software that has been tampered with. It tends to act discreetly and creates backdoors in your security to let other malware in. Then we have worms. Worms infect entire networks of devices, either local or across the internet, by using the network's interfaces. It uses each consecutively infected machine to infect more. And then we have botnets and such, where botnets are networks of infected computers that are made to work together under the control of an attacker. So basically you can encounter malware if you have some OS vulnerabilities, or if you download some software from somewhere, or you have some other email attachment that was compromised. Okay. So how exactly do you remove malware, or how exactly do you fight against it? Well, each form of malware has its own way of infecting and damaging computers and data, and so each one requires a different malware removal method. The best way to prevent malware is to avoid clicking on links or downloading attachments from unknown senders, and this is sometimes done by deploying a robust and updated firewall, which prevents the transfer of large data files over the network in the hope of weeding out attachments that may contain malware. It's also important to make sure your computer's operating system, whether it be Windows, macOS or Linux, uses the most up-to-date security updates. Software programmers update programs frequently to address any holes or weak points, and it's important to install all these updates as well, so as to decrease your own system's weaknesses. So next up on our list of cyber threats we have phishing.
So what exactly is phishing? Well, often posing as a request for data from a trusted third party, phishing attacks are sent via email and ask users to click on a link and enter their personal data. Phishing emails have gotten much more sophisticated in recent years, making it difficult for some people to discern a legitimate request for information from a false one. Now phishing emails often fall into the same category as spam, but are way more harmful than just a simple ad. So how exactly does phishing work? Well, most people associate phishing with email messages that spoof or mimic banks, credit card companies or other businesses like Amazon, eBay and Facebook. These messages look authentic and attempt to get victims to reveal their personal information. But email messages are only one small piece of a phishing scam. From beginning to end, the process involves five steps. The first step is planning: the phisher must decide which business to target and determine how to get email addresses for the customers of that business. Then they must go through the setup phase. Once they know which business to spoof and who their victims are, phishers create methods for delivering the messages and collecting the data. Then they have to execute the attack, and this is the step most people are familiar with: the phisher sends the phony message that appears to be from a reputable source. After that, the phisher records the information the victims enter into the web pages or pop-up windows, and in the last step, which is basically identity theft and fraud, the phishers use the information they've gathered to make illegal purchases or otherwise commit fraud, and as many as 1/4 of the victims never fully recover. So how exactly can you actually prevent yourself from getting phished? Well, the only thing that you can do is be aware of how phishing emails actually work. So first of all, a phishing email has some very specific properties.
So firstly, you will have something like a very generalized way of addressing someone, like "Dear client". Then your message will not actually be from a very reputable source. So out here, as you can see, it's written as Amazon on the label, but if you actually inspect the email address that it came from, it's from management at Maison Canada dot CA, which is not exactly a legitimate Amazon address. Third, you can actually hover over the redirect links and see where they actually redirect you to. Now this redirects me to www.facebook.com zone.com, as you can see out here. So basically, you know this is actually a phishing email, and you should actually report this email to your administrators or anybody else that you think is supposed to be concerned with this. Also, let me give you guys a quick demonstration of how phishing actually works from the perspective of an attacker. So first of all, I have actually created a phishing website for harvesting Facebook credentials. I simply just took the source code of the Facebook login page and pasted it, and then made back-end code in PHP which makes a log file of all the Facebook passwords that actually get entered onto the phishing page. Now I've also sent myself an email, so as to make sure this looks legitimate, but this is only for spreading awareness. So please don't use this method for actually harvesting credentials; that's actually a very illegal thing to do. So, let's get started. First of all, you will go to your email and see that you'll get some email saying your Facebook credentials have been compromised. So when you open it, it looks pretty legit. Well, I haven't made it look all that legit; it should look legit. But the point out here is to actually make you aware of how this works. So as you guys can see, it says "Dear client, we have strong reasons to believe that your credentials may have been compromised and might have been used by someone else. We have locked your Facebook account.
Please click here to unlock. Sincerely, Facebook associate Dean." So if we actually click here, we are actually redirected to a nice-looking Facebook page, which is exactly how Facebook looks when you're logging in. Now suppose I were to actually log into my Facebook account, which I won't; I'll just use some random one, like thisisanemailaddress@gmail.com, and let's put the password as admin123, and we click login. Now since my Facebook is actually already logged in, it will just redirect to facebook.com and you might just see me logged in, but on a normal computer it would just redirect you to www.facebook.com, which should just show this site again. Okay. So once I click login out here, all that the backend code that I've written in PHP out here will do is that it's going to take all the parameters that I have entered into this website, that is my email address and the password, and just generate a log file about it. So let's just hit login and see what happens. So as you guys can see, I've been redirected to the original Facebook page that is not meant for phishing, and on my system out here I have a log file, and this log file will show, exactly as you can see, our phished-out email address, thisisanemailaddress@gmail.com, and it also shows the password, that is admin123. So this is exactly how phishing works: you enter an email address, and you're entering the email address on a phishing website, and then it just redirects you to the original site. But by this time you've already compromised your credentials. So always be careful when dealing with such emails. So now jumping back to our session, the next type of cyber attack we're going to discuss is password attacks. So an attempt to obtain or decrypt a user's password for illegal use is exactly what a password attack is. Hackers can use cracking programs, dictionary attacks and password sniffers in password attacks. Password cracking refers to various measures used to discover computer passwords.
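The three phishing-email properties listed earlier (a generic "Dear client" greeting, a display name that does not match the sender's domain, and a link whose visible text differs from where it really points) turned into a defender-side check, as an added example that is not part of the course material. The two sample messages are constructed (".invalid" is a reserved placeholder top-level domain), the brand allow-list is an assumption a real deployment would maintain itself, and domain matching keeps only the last two labels, a simplification that mishandles co.uk-style suffixes.

```python
"""Red-flag checks for a suspicious e-mail (added example, constructed samples)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear client", "dear customer", "dear user", "dear member")
# Constructed allow-list: display name (lower-case) -> domains it may send from.
KNOWN_BRANDS = {"amazon": {"amazon.com"}, "facebook": {"facebook.com"}}
# A domain written inside link text, e.g. "www.amazon.com/unlock" -> "amazon.com".
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

# Constructed message modelled on the transcript's description: "Amazon" on the
# label, a sender domain that is not Amazon's, and a link whose text says one
# thing while its href points somewhere else.
SUSPICIOUS = """\
From: Amazon <management@maison-canada.invalid>
To: someone@example.com
Subject: Your account has been locked
Content-Type: text/html

<p>Dear client,</p>
<p>We have strong reasons to believe that your credentials may have been
compromised. We have locked your account.</p>
<p><a href="http://unlock-portal.invalid/login">www.amazon.com/unlock</a></p>
"""

# Constructed benign message for comparison: named greeting, matching domains.
LEGITIMATE = """\
From: Amazon <no-reply@amazon.com>
To: someone@example.com
Subject: Your order has shipped
Content-Type: text/html

<p>Hello Priya,</p>
<p><a href="https://www.amazon.com/orders">www.amazon.com/orders</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host name (simplification, see lead-in)."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_flags(raw_message):
    """Return a list of human-readable red flags found in the message."""
    msg = message_from_string(raw_message)
    flags = []
    # 1. Display name claims a brand but the address is not one of its domains.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    brand = name.strip().lower()
    if brand in KNOWN_BRANDS and registrable(sender_domain) not in KNOWN_BRANDS[brand]:
        flags.append(f"display name '{name}' but sender domain '{sender_domain}'")
    # 2. Generic greeting instead of the recipient's name.
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    lowered = body.lower()
    for greeting in GENERIC_GREETINGS:
        if greeting in lowered:
            flags.append(f"generic greeting '{greeting}'")
            break
    # 3. Link text shows one domain while the href goes to another (what a
    #    user would notice by hovering over the link).
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        m = DOMAIN_IN_TEXT.search(text.lower())
        if m and registrable(m.group(1)) != registrable(href_host):
            flags.append(f"link text shows '{m.group(1)}' but points to '{href_host}'")
    return flags


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_flags(raw))
```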
This is usually accomplished by recovering passwords from data stored in or transported from a computer system. Password cracking is done by repeatedly guessing the password, usually through a computer algorithm in which the computer tries numerous combinations until the password is successfully discovered. Now password attacks can be done for several reasons, but the most malicious reason is in order to gain unauthorized access to a computer without the computer owner's awareness. Now this results in cyber crime such as stealing passwords for the purpose of accessing bank information. Now today, there are three common methods used to break into a password-protected system. The first is a brute force attack: a hacker uses a computer program or script to try to log in with possible password combinations, usually starting with the easiest-to-guess password. So just think: if a hacker has a company list, he or she can easily guess usernames. If even one of the users has a password of 123, he will quickly be able to get in. The next are dictionary attacks. Now a hacker uses a program or script to try to log in by cycling through combinations of common words. In contrast with brute force attacks, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary. Generally, dictionary attacks succeed because most people have a tendency to choose passwords which are short, such as single words found in dictionaries, or simple, easily predicted variations on words, such as appending a digit or so. Now the last kind of password attack is the keylogger attack. A hacker uses a program to track all of the user's keystrokes, so at the end of the day everything the user has typed, including the login IDs and passwords, has been recorded.
Now a keylogger attack is different than a brute force or dictionary attack in many ways, not the least of which is that the keylogging program used is malware that must first make it onto the user's device, and keylogger attacks are also different because stronger passwords don't provide much protection against them, which is one reason that multi-factor authentication is becoming a must-have for all businesses and organizations. Now the only way to stop yourself from getting caught in the whole password attack conundrum is by actually practicing the best practices that are being discussed in the whole industry about passwords. So basically, you should update your password regularly, you should use alphanumerics in your password, and you should never use words that are actually in the dictionary. It's always advisable to use garbage words that make no sense for passwords, as they just increase your security. So moving on, we're going to discuss DDoS attacks. So what exactly is a DDoS or a DoS attack? Well, first of all, it stands for distributed denial of service, and a DoS attack focuses on disrupting the service to a network. As the name suggests, attackers send a high volume of data or traffic through the network until the network becomes overloaded and can no longer function. So there are a few different ways attackers can achieve a DoS attack, but the most common is the distributed denial-of-service attack. This involves the attacker using multiple computers to send the traffic or data that will overload the system. In many instances, a person may not even realize that his or her computer has been hijacked and is contributing to the DoS attack. Now disrupting services can have serious consequences relating to security and online access. Many instances of large-scale DoS attacks have been implemented as a single sign of protest towards governments or individuals, and have led to severe punishment, including major jail time. So how can you prevent DoS attacks against yourself?
Well, firstly, unless your company is huge, it's rare that you would even be targeted by an outside group of attackers for a DoS attack. Your site or network could still fall victim to one, however, if another organization on your network is targeted. Now the best way to prevent an additional breach is to keep your system as secure as possible, with regular software updates, online security monitoring and monitoring of your data flow to identify any unusual or threatening spikes in traffic before they become a problem. DoS attacks can also be perpetrated by simply cutting a cable or dislodging a plug that connects your website server to the internet, so due diligence in physically monitoring your connections is recommended as well. Okay. So next up on our list is man-in-the-middle attacks. So by impersonating the endpoints in an online information exchange, the man in the middle can obtain information from the end user and the entity he or she is communicating with. For example, if you are banking online, the man in the middle would communicate with you by impersonating your bank, and communicate with the bank by impersonating you. The man in the middle would then receive all of the information transferred between both parties, which could include sensitive data such as bank accounts and personal information. So how does it exactly work? Normally an MITM gains access through an unencrypted wireless access point, which is basically one that doesn't use WEP, WPA or any of the other security measures. Then they would have to access all the information being transferred between both parties by actually spoofing something called Address Resolution Protocol; that is the protocol that is used when you are actually connecting to your gateway from your computer. So how can you exactly prevent MITM attacks from happening against you? Firstly, you have to use an encrypted WAP, that is an encrypted wireless access point. Next,
you should always check the security of your connection, because when somebody is actually trying to compromise your security, he will try to actually strip down the HTTPS or HSTS that is being injected in the website, which is basically the security protocols. So if something like this HTTPS is not appearing in your website, you're on an insecure website where your credentials or your information can be compromised. And the last and final measure that you can actually use is by investing in a virtual private network, which spoofs your entire IP, and you can just browse the internet in perfect comfort. Next up on our list is drive-by downloads. So gone are the days where you had to click to accept a download or install the software update in order to become infected. Now just opening a compromised web page could allow dangerous code to install on your device. You just need to visit, or drive by, a web page, without stopping to click accept on any software, and the malicious code can download in the background to your device. A drive-by download refers to the unintentional download of a virus or malicious software onto your computer or mobile device. A drive-by download will usually take advantage of, or exploit, a browser or app or operating system that is out of date and has security flaws. This initial code that is downloaded is often very small, since its job is often simply to contact another computer where it can pull down the rest of the code onto your smartphone, tablet or other computer. Often a web page will contain several different types of malicious code in the hope that one of them will match a weakness on your computer. So what exactly happens? Well, first you visit the site, and during the three-way handshake connection of the TCP/IP protocol, a backend script is triggered. As soon as a connection is made, by the time the last ACK packet is sent, a download is also triggered, and the malware is basically injected into your system.
Now the best advice I can share about overriding drive-by downloads is to avoid visiting websites that could be considered dangerous or malicious. This includes adult content, file sharing websites, or anything that offers you a free trip to the Bahamas. Now some other tips to stay protected include: keep your internet browser and operating system up to date, use a safe search protocol that warns you when you are about to navigate to a malicious site, and use comprehensive security software on all your devices, like McAfee All Access, and keep it up to date. Okay, so that was it about drive-by downloads. Next up is mal-advertising, or malvertising. So malvertising is the name we in the security industry give to criminally controlled advertisements which intentionally infect people and businesses. These can be any ad on any site, often ones which you use as a part of your everyday internet usage, and it is a growing problem, as is evident by a recent US Senate report and the establishment of bodies like Trust in Ads. Now whilst the technology being used in the background is very advanced, the way it presents to the person being infected is simple. To all intents and purposes, the advertisement looks the same as any other, but has been placed by a criminal. Like you can see the mint ad out here, it's really out of place, so you could say it's been made by a criminal. Now without your knowledge, a tiny piece of code hidden deep in the advertisement is making your computer go to the criminal's servers. These then catalog details about your computer and its location before choosing which piece of malware to send you, and this doesn't need a new browser window and you won't know about it. So basically you're redirected to some criminal server, where an injection takes place, and voila, you're infected. It's a pretty dangerous thing to be in. So how exactly can you stop malvertising?
Well, first of all, you need to use an ad blocker, which is a must in this day and age. You can have ad blocker extensions installed on your browser, whether it be Chrome, Safari or Mozilla. Also, regular software updates of your browser and other software that works very closely with your browser always help, and next is some common sense. And yeah, an advertisement that is about a lottery that's offering you free money is probably going to scam you and inject malware too, so don't click on those ads. So the last kind of cyber attack we are going to discover today and discuss is rogue software. So rogue security software is a form of malicious software and internet fraud that misleads users into believing that there is a virus on their computer, and manipulates them into paying money for a fake malware removal tool. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. So now, how does rogue security software work? These scams manipulate users into downloading the program through a variety of techniques. Some of these methods include ads offering free or trial versions of security programs, often pricey upgrades, or encouraging the purchase of deluxe versions; then also pop-ups warning that your computer is infected with a virus, which encourage you to clean it by clicking on the program; and then manipulated SEO rankings that put the infected website as the top hit when you search. These links then redirect you to a landing page that claims your machine is infected and encourages you to take a free trial of the rogue security program. Now once the scareware is installed, it can steal all your information, slow your computer, corrupt your files, disable updates for legitimate antivirus software, or even prevent you from visiting legitimate security software vendor sites. Well, talking about prevention, the best defense is a good offense.
And in this case, an updated firewall: make sure that you have a working one in your office that protects you and your employees from these types of attacks. It is also a good idea to install a trusted antivirus or anti-spyware software program that can detect threats like these, and also a general level of distrust on the internet and not actually believing anything right off the bat is the way to go. The keyword of this video is ethical hacking course, but in reality it's just an expansive video on the fundamentals of ethical hacking. There is no such thing as an ethical hacking course, to be honest, because no course can teach you a discipline like ethical hacking. All the best that you can do in creating content for ethical hacking is that you can tell people about the fundamentals that are followed in this discipline. Okay. Now before we start, let me just give you a general idea of the topics that I intend to cover throughout this video. Okay, now to be honest, we're going to cover a pretty broad range of material. First, we're going to be going over footprinting and reconnaissance, where you get an idea of
of what's involved in the ethical hacking engagement that you're working on, and information about the target that you're engaged with. Then we're going to talk about networking fundamentals, and here we're going to get our hands dirty with packets and the understanding of TCP/IP at a deeper level, and also understanding how the different protocols work and why they work that way. Now, we are also going to be talking about cryptography, where we talk about different cryptographic keys and ciphers. We're going to deal with web encryption through SSL and TLS. We are also going to talk about certificates and the creation of certificates and how they actually operate. We will also talk about public key cryptography. And we are also going to do scanning and enumeration, so Nmap and dealing with Windows servers and using SNMP and LDAP and all that sort of stuff. Then we're going to be talking about penetration, where we deal with different ways of getting into systems, and also go over using Metasploit, which is an exploit framework, and we're going to talk about how to use Metasploit to actually get into systems and make use of the exploits that it has. Then we're going to talk about malware: viruses and worms and rootkits and all of that sort of stuff. We're going to take a look at the different pieces of malware and how you would pull them apart in order to understand what they are doing, and potentially make use of that malware during an ethical hacking engagement. Then we're going to talk about different types of denial of service attacks, or DoS attacks, and the difference between a denial-of-service attack and a distributed denial-of-service attack, and there is a difference there. So we're going to go over this DDoS. Now, we're also going to go over web application hacking and the types of tools that you would use during web application hacking, and the different vulnerabilities that web applications have, and how to make use of these exploits and those vulnerabilities.
We're going to talk about wireless networking: how to probe wireless networks, what wireless networks are doing, and how to secure wireless networks. We're also going to talk a little bit about detection evasion, and to be honest with you, detection evasion kind of comes up in a lot of different areas through many of the topics. We're also going to talk about programming, programming attacks, and how to protect oneself against programming attacks. Okay. So that was the number of topics that we are actually going to cover through this video. Now, the approach that I'm going to be taking in this series of videos is, whenever possible, we're going to use a hands-on approach. So we're going to show you the actual tools I'm going to make use of, and use the tools to do some sort of demonstration of how they actually work. I am a big believer in getting your hands dirty as the best way to learn anything. So as we go through the series of videos, I strongly encourage you to get access to the tools that I'm going to be demonstrating wherever possible, and dig in and get your hands dirty along with me. There are places where we're going to be going over some theoretical material, and I'm not a big fan of PowerPoint slides, but they are a necessary evil in order to convey certain types of information. So wherever possible I'm going to minimize their use, but you will run across places where they're just a necessity, and we're going to have to go through some slides in order to get some particular points across; they are primarily of a theoretical nature. So that's the process that we will be taking through this video, and I hope you have fun as you go along the way. Okay. So let's begin now. The first topic that we're going to tackle is: what is hacking?
Okay, so let us take a trip to the early days of hacking to start with. Now, the Internet Engineering Task Force is responsible for maintaining documentation about protocols and their specifications, and processes and procedures regarding anything on the internet. They have a series of documents called the Requests for Comments, or the RFCs, and according to RFC 1389 a hacker is a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. While the expression "hackers" may go back a long time and have many different connotations or definitions, as far as computers go, some of the earliest hackers were members of the Tech Model Railroad Club at the Massachusetts Institute of Technology, and what those people did, and the various things that they did and were involved in, are detailed in Steven Levy's book called Hackers. For our purposes we'll be talking about other types of hackers, although the spirit of what we do goes back to those early days. Now, the definition of hacking or hackers changed, particularly in the 1980s, in part as a result of a couple of people, namely Robert T. Morris, who was a Cornell graduate who unleashed a piece of software that was called a worm on what was an early version of the internet. The worm went on to cause a lot of damage and create a lot of downtime on systems across the country and across the world. Now, the Morris worm did end up resulting in something good, however: the Computer Emergency Response Team at Carnegie Mellon was created primarily in response to the Morris worm. Now, there's also Kevin Mitnick, who was another well-known hacker who was responsible for various acts of computer crime over a couple of decades. He was first convicted in 1988. So the definition of hacker or hacking moved from something benign to something far more sinister
in popular culture. Now, we see hacking or hackers in all sorts of popular culture. We've seen them in hacker movies like WarGames, and also the movie Hackers. Of course, you also see it in The Matrix movies, where you can see, if you look really closely, that they are using a tool called Nmap, which we will get into the use of in great detail later on. Then there's the movie Sneakers and the movie Swordfish, and on television, in other places, you can see the agents at NCIS regularly doing things like cracking complex cryptography in just a matter of seconds or minutes. So what is hacking, really? Well, hacking is about a deep understanding of something, particularly with relation to computers and computing. It's also about exploring and the joy of learning new things and understanding them very clearly, and being able to manipulate those things in ways that maybe other people haven't before. It's all about digging into problems to find solutions in creative and interesting ways, and sometimes finding problems where there weren't problems previously. And that's a little bit about what hacking is. Okay. So now that we have talked about what exactly hacking is, and how the meaning and connotations of that word have changed over time, how it came into existence, how it was coined, let's go over the reasons that people normally hack. Now, you may want to hack just for fun. As discussed previously, hacking is a tradition; it goes back several decades at MIT, even preceding the computer-related definition of hacking. Now, MIT has a long and storied history of hacking, sometimes of a computer-related nature, which in this case happens to be true, and sometimes of a non-computer-related nature. Now here you can see that MIT's home page has been hacked, or you might even say defaced, to indicate that Disney is buying MIT. This was an April Fool's Day prank in 1998. And again, this is just the kind of hacking that you would do for fun. Now,
sometimes you might want to hack just to prove a political point, or any point for that matter. In this case, again, Bill Gates had donated some money to MIT, which allowed them to have a new building, and he was coming to MIT to visit and give a talk about Microsoft Windows and its systems. And as you can see, the Windows systems that were installed in the entryway at the door were hacked to be running Linux instead, and you can see here that Tux the penguin is saying "Welcome to the William H. Gates Building". Again, that's some students who decided that they wanted to make a point about Linux and Microsoft and Windows to Bill Gates, and they thought hacking was the best way to go about it. Sometimes you hack just for the challenge. Here's an example, again at MIT, where some students turned the facade of a building into a Tetris game board. Now, this was a reasonably difficult hack, and the students went after it just for the challenge of completing it, and just so they could have some pride of ownership and be able to say that they were able to pull this off. You know, the things that teenagers do to show off to other teenagers; it just increases in scale. Now, in spite of its difficulties and its challenges and all the obstacles and planning that have to go into it, they were able to pull it off, and now they have those bragging rights. So that was one of the instances where somebody would hack just for the challenge and for the fun of it. Now, sometimes you want to hack to prevent theft, and this is where we get more specifically into computer-related hacking. You see a lot of articles and stories in the news over the last few years about cybercrime, and here is an example of data theft: "compromised fewer than one-and-a-half million cards" for Global Payments. So there were some attackers who got into this company, Global Payments, and they were able to pull out about a million and a half credit card numbers during the intrusion there.
So what you may want to do is learn how to hack in order to find these holes in your systems or applications or your employer's systems, so that you can fix these holes and prevent these compromises from happening, because of the reputational hit that your company takes when things like these happen: you have the risk of completely running out of business. So just to protect your job, to protect your company, and to protect your own desire to do business, you may just want to learn to hack, and that's a very good reason. Now, you may also want to find all the problems that exist in your systems before putting them out and deploying them, so that you can keep these attackers from getting in and stealing critical or sensitive information. Sometimes you may want to hack to get there before the bad guys, and the same sort of idea is the last one, where we're going to talk about what exactly ethical hacking is. Now, we were just talking about how sometimes you may want to hack into your own system before publishing it out to the public. Let's take Internet Explorer, for example. Now, Internet Explorer was actually published to the public with some critical errors in the code, and these flaws were heavily exploited by people who actually found them. Now, a number of people in the world go out looking for these flaws, and they call themselves security researchers, and they get in touch with the vendors after they have found a flaw or a bug and work with the vendors to get it fixed. What they end up with is a bit of reputation: they get a name for themselves, and that name recognition may end up getting them a job, or some speaking engagements, or a book deal, or any number of ways that you could cash in on some name recognition from finding these sorts of bugs and getting them fixed. If you want to get there before the bad guys, you may think you're helping out a vendor, or you may want to just make a name for yourself.
If you want to find these sorts of bugs before the bad guys do, think about the bad guys finding them: they don't announce them and they don't get them fixed, and that makes everybody a little less secure. Finally, you may want to protect yourself. Hacked computer companies fight cyber criminals, and this is a news headline from June 18, 2012, and we're starting to see these sorts of news headlines show up as companies are starting to retaliate against attackers. Now, in order to retaliate against attackers, you need to have the same sort of skills and techniques and knowledge and experience that those attackers have, and that is where your company may want you to learn to hack, or the company may want to bring in people who are skilled at these sorts of activities, so that they can attack the attackers, and hopefully you end up with a more steely exterior and you get a reputation for not being a company that people want to go after. Those are several reasons. And there you go, I gave you a bunch of reasons as to why you may want to hack: hack for fun, to prove a point, to protect yourself, to protect the company, to not run out of business, along with another bunch of reasons. Okay. So now that we have talked about why you would want to hack, let's move on to the types of hackers that exist. Now, we're going to be talking about the different types of hacking, and the first type of hacking that I want to discuss is ethical hacking and ethical hackers, which is really what we're going to be talking about for the rest of these lessons. Now, an ethical hacker is somebody who thinks like a black hat hacker, or thinks like somebody who is intent on breaking into your systems, but follows a moral compass that's more in line with probably the majority of the population. So their intent isn't to do bad things; their intent is to look for bad things and get them fixed
so that bad things don't happen. Ethical hackers aren't out to destroy anything, and they're not out to break anything unless it's deemed to be acceptable as part of the engagement and also necessary in order to demonstrate a particular vulnerability to the organization that they're working with. So that's an ethical hacker, and there's a certification that's available from the EC-Council; it's the Certified Ethical Hacker, and if you find certifications valuable and this sort of thing is what you want to do, then the Certified Ethical Hacker may be something you might want to look into. Now, let's talk about black hat hackers. There are plenty of cases of black hat hackers through the years, and let's talk about a guy in particular called Kevin Mitnick. This guy right here is a particularly good example, probably because he was a black hat hacker for a lot of years. His goal was to cause mischief, to steal where necessary, and just to be engaged in the lifestyle of being a hacker, and doing whatever was necessary to continue doing whatever he was doing, even if it crossed moral boundaries or ethical boundaries. And so Kevin Mitnick here was involved for well over a decade in computer crime, and was finally picked up by the FBI, and he was charged and prosecuted, and he was eventually convicted of some of the activities that he was involved with. Now, you may be able to argue that Kevin is a gray hat hacker as well, and a gray hat hacker is somebody who kind of skirts the line between black and white hat hacking. And white hat hacking is really what an ethical hacker is, so instead of saying ethical hacker you could say white hat hacker; it's the same idea. A white hat hacker is somebody who acts for good, if you want to think of it as good versus evil, and what they're really doing is they're in it for the technical challenge.
They're looking to make things better, make things more efficient, improve them in some way. On the other hand, the black hat hacker is out for the money, for the thrill; it's really criminal activity. And a gray hat hacker is somebody who may employ the tactics and techniques of a black hat hacker, but have sort of a white hat focus. In other words, they're going to do things that may be malicious and destructive in nature, but the reason they're doing it is to improve the security posture of an organization that they're working with. So you can see there's actually a book called Gray Hat Hacking. It's a pretty good book, and it details a lot of the tactics and strategies and techniques we'll be going over in subsequent lessons in this video. Now, one other type of hacking that I want to talk about is a thing called hacktivism, and you'll find hacktivism all over the place. An example in the last year or so, and certainly in recent memory, is called Lulz Security. Yeah, you heard that right: it's called Lulz Security, and you can argue that LulzSec is actually a response to another type of activism and organization called Anonymous. Anonymous started hacking companies like Sony to protest their involvement in a lawsuit regarding a PlayStation 3 hacker. Now, Lulz Security was supposedly testing the treatment of Anonymous, or was hacking in support of this group Anonymous, so they hacked a number of companies, and they did things like pulling information, usernames and passwords, from the databases at these companies, and they said that the reason was to shine a light on the security of these companies, and also, theoretically, to embarrass the companies with their weak or poor security postures. And the problem with what they were doing was that they were posting the information that they had found online, and that information often included details about customers of these particular corporations, and for an ethical hacker, a white hat hacker, that would cross the boundary of causing harm.
So there's no reason for me as an ethical hacker to post information in a public forum about somebody, because I could be doing damage to them. But in this case Lulz Security and Anonymous, specifically Lulz Security, were engaged in a form of hacktivism, and what they were doing was not only damaging to the corporations; it certainly was detrimental to those people. So, different types of hackers and different types of hacking: we've got ethical or white hat hacking, you've got black hat, gray hat, and then finally we've got hacktivism. It's really the goal and the means that vary from one to the other. Okay. So now that we've discussed the types of hackers, let's also discuss the skills necessary to become one. So what we're going to discuss in this part are the different skills that are required, or will be learned, as a part of this video. So initially, just for basic computing, you need a basic understanding of operating systems and how to work them. There are going to be several fundamental types of tasks that I won't be going into any detail on at all, and you need to know how to run programs and do things like open up a command prompt without me walking you through how to do that. So I am going to assume that you have some basic understanding of how to do these sorts of tasks. Also, you need an understanding of the basic system software, and you'll need a basic understanding of how to use command line utilities. There are a number of tools and programs that we're going to be going through in this video, and many of them use the command line. Now, whether it's on Windows or Linux, you still need to be familiar with typing and being able to run programs from the command line, and the various command line switches and parameters that those programs, or types of programs, are going to use. Now, from a networking perspective, you need a basic understanding of some simple networking concepts. You need to know what cables are, and switches and hubs, and how systems are networked together.
You don't really need a deep level of understanding. I'll be going through some protocols at a reasonably deep level, because I think it's important as an ethical hacker to understand what's going on at the protocol level, so that you can know better what you are doing and how to achieve the goals and tasks that you have before you. So we're going to be going over some protocols. So just understanding what protocols are and how they go together, those sorts of things are necessary from a networking perspective. Now, we're going to also be learning a bunch of life skills. Yes, there are some life skills that it's important to have. I think the most important one is the ability to accept failure and persevere, and by that I mean you're going to be running across several things that just don't work the first time around, and it's going to take a little bit of time and stick-to-itiveness to plug away and keep going until you get something to work. And the way that you get things to work is having an ability to problem solve, and sometimes solving problems requires being a little creative. Sometimes you need to think outside the box and come at a problem from a different perspective in order to find a solution. Throughout the course of this video you're going to run across a lot of sticky problems, through the course of learning about being an ethical hacker and just doing the work, because it's not simple. It's not "here's a little recipe for how to do this, now go follow this recipe every time and you're going to be successful". Every situation is different, every system is different. You're going to run across some pretty sticky problems, and you're going to have to just wade in and get your hands dirty, and keep failing and failing and failing and failing until you find a way to succeed. So I think those skills are very necessary to learn how to be an ethical hacker, digging through some of the material that we'll be going over in this video.
Now, as far as what you are going to be learning, you're going to be learning about how to use a lot of tools. You're going to learn networking, and by that I mean we're going to be talking about the different protocols that are involved in networking systems together. You're going to learn about security and security postures; security is the heart and soul of ethical hacking. It's why we do ethical hacking: in order to make systems and networks more secure than they were previously. That's the goal. From a networking perspective, we're going to be talking about how to read packets from network captures. You're going to be going into TCP/IP related protocols in a fairly significant amount of detail, and you're going to understand how protocols interact with one another. So we're going to do all that, and reading packets is going to be really important, and we're going to do a fair amount of that. In addition to just a fundamental approach to learning how to read packets, in several lessons we're going to read packets as a way of understanding the different tools that we're using and how they work. You're going to learn tactics and methodologies, and you get to learn to use the information you've gathered in order to get more information, and information is really what this is all about. You can't do much of anything without information, and sometimes it takes a fair bit of digging in order to find that information, and what you're going to learn is the entry points and the stepping stones to get the information that you need. And then once you have that information, you're going to be learning about ways to exploit it in order to get deeper into the target. You're going to learn security awareness. We're going to talk about risk, and understanding risks and vulnerabilities, primarily recognizing the difference between a vulnerability and an exploit, and there's a significant difference there.
So security awareness, and understanding what a risk is and how that impacts your target, is going to be key to a lot of things that we talk about. So it sounds like a lot; we're going to cover a fair bit of ground, not all of it at a deep level. Sometimes we are going to skim the surface, but there's an awful lot of material to cover. So let's get started. Okay, so that was all about the skills that we are going to develop throughout this video, and that might be necessary for you to become an ethical hacker. Now, let's talk about the types of attacks that you might be dealing with as an ethical hacker yourself. So now we're going to be talking about the types of attacks. Now, one type of attack that you'll find common, particularly in cases of hacktivism, for example, or cases where people are trying to make a particular point or just be a general pain, is this idea of defacing. Defacing goes back for quite a while. It's the idea of sort of digital graffiti, where you've left your mark or your imprint behind so that everybody knows you were there. It's primarily a website thing, and it's really just making alterations to something. It used to be pretty common a long time ago; now it's very particular for businesses or people or just organizations in general to have their homepage replaced by this other thing that was along the lines of "hey, I was here and I took over your web page". We also have a pretty common one, certainly it has been common over the years,
and it's a pretty good path towards quality exploits in high-profile vulnerabilities, and that's the buffer overflow. Now, a buffer overflow is a result of the way programs are stored in memory. When programs are running they make use of a chunk of memory called a stack, and it's just like a stack of plates: when you put a bunch of plates down and you pull a plate off, you're going to pull the top plate, the one that was put on last. So it's the same thing with the stack here, where we're accessing memory, and this has to do with the way functions are called in memory. When you call a function, a chunk of memory gets thrown on top of the stack, and that's the chunk of memory that gets accessed. And you've got a piece of data in memory, in that stack, and that's called a buffer, and when too much data is sent and you try to put it into the buffer, it can overflow the bounds of the configured area for that particular buffer. Now, the way stacks are put together, we end up with a part of the stack where the return address from the function is stored. So when you overflow the buffer, you have the ability to potentially overwrite that return address, at which point you can control the flow of execution of the program. And if you can control the flow of execution of the program, you can insert code into that memory that could be executed, and that's where we get buffer overflows that turn into exploits that create the ability to get something like a command shell or some other useful thing from the system where the buffer overflow is running. So that's a buffer overflow in short. Sometimes we also have format string attacks, and sometimes these can be precursors to buffer overflows. Now, format strings come about because the C programming language makes use of these format strings that determine how data is going to be input or output.
So you have a string of characters that define whether the subsequent input or output is going to be an integer, or whether it's going to be a character, or whether it's going to be a string, or a floating point, that sort of thing. So you have a format string that defines the input or the output. Now, if a programmer leaves out the format string and just gets lazy and provides only the variable that's going to be output, for example, you have the ability to provide that format string. If you provide that format string, what then happens is the program starts picking the next pieces of data off the stack and displaying them, because that way we can start looking at data that's on the stack of the running program just by providing a format string. If I can look at the data, I may be able to find information like a return address or some other useful piece of information. There is also the possibility of being able to inject data into the stack using this particular type of attack. Now moving on, our next type of attack is a denial of service. A denial of service is a pretty common one, and you'll hear about this a lot. This is not to be confused with the one that I'll be talking about after this, and that is a distributed denial of service. So this one that you see here is a denial of service attack, and a denial of service is any attack or action that prevents a service from being available to its legitimate or authorized users. So you hear about a ping flood or a SYN flood.
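The two bugs just described (an unbounded copy clobbering a saved return address, and a user-controlled format string walking the stack) in one small C program. This is an added example, not code from the video or the course: the "stack frame" is a plain byte array with the buffer at offset 0 and the saved return address at offset 24, so every write stays inside that array and the result is reproducible, while the bug patterns are the real ones. The constants, function names and the constructed input are assumptions made for the demonstration.

```c
/* Added example, not code from the video. The "stack frame" below is a plain
 * byte array, so every write stays inside that array and the result is the
 * same on every run; the bug patterns (a copy that never checks the buffer
 * size, a user-controlled format string) are the ones the lecture describes.
 * Layout and names are assumptions made for the demonstration. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16   /* size of the local buffer in the modelled frame */
#define RET_OFF   24   /* offset of the saved return address in that frame */
#define FRAME_LEN 32

/* Constructed input: 24 bytes of filler to reach RET_OFF, then 4 bytes that
 * land exactly on the saved return address. */
static const char OVERFLOW_INPUT[] = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "BBBB";

static void init_frame(uint8_t *frame, uint32_t ret_addr) {
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + RET_OFF, &ret_addr, sizeof ret_addr);
}

static uint32_t saved_return(const uint8_t *frame) {
    uint32_t r;
    memcpy(&r, frame + RET_OFF, sizeof r);
    return r;
}

/* Vulnerable pattern: copy the whole input into the buffer, strcpy-style,
 * without ever consulting BUF_LEN. Returns the saved return address after the
 * copy; if it changed, the caller of this frame now returns wherever the
 * attacker's bytes point. */
uint32_t unchecked_copy(const char *input, uint32_t ret_addr) {
    uint8_t frame[FRAME_LEN];
    init_frame(frame, ret_addr);
    size_t n = strlen(input);
    if (n > FRAME_LEN)   /* only to keep the model inside its own array; */
        n = FRAME_LEN;   /* a real strcpy has no such stop */
    memcpy(frame, input, n);
    return saved_return(frame);
}

/* Fixed pattern: refuse input that does not fit, NUL terminator included.
 * *rejected reports whether the input was dropped. */
uint32_t checked_copy(const char *input, uint32_t ret_addr, int *rejected) {
    uint8_t frame[FRAME_LEN];
    init_frame(frame, ret_addr);
    size_t n = strlen(input);
    if (n >= BUF_LEN) {
        *rejected = 1;
        return saved_return(frame);   /* frame untouched */
    }
    memcpy(frame, input, n + 1);
    *rejected = 0;
    return saved_return(frame);
}

/* Convenience for callers that only want the accept/reject decision. */
int copy_rejected(const char *input) {
    int rejected;
    checked_copy(input, 0, &rejected);
    return rejected;
}

/* Format string model: printf(user) instead of printf("%s", user). With no
 * arguments supplied, every conversion pulls the next word off the stack, so
 * "%x %x %x" shows three words of stack to whoever supplied the string, and
 * %n writes a value into memory. Returns how many stack words the format
 * would consume and sets *has_write if a %n is present. */
int format_reads(const char *fmt, int *has_write) {
    int reads = 0;
    *has_write = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.lh", *q))   /* flags, width, length */
            q++;
        if (*q == '\0')
            break;
        if (*q == '%') {   /* "%%" is a literal percent sign, reads nothing */
            p = q;
            continue;
        }
        if (*q == 'n')
            *has_write = 1;
        if (strchr("nxXpsdiu", *q))
            reads++;
        p = q;
    }
    return reads;
}

int format_writes(const char *fmt) {
    int has_write;
    format_reads(fmt, &has_write);
    return has_write;
}

int main(void) {
    int rejected;
    printf("unchecked: return address becomes 0x%08" PRIx32 "\n",
           unchecked_copy(OVERFLOW_INPUT, 0xdeadbeefu));
    printf("checked:   return address stays  0x%08" PRIx32 " (rejected=%d)\n",
           checked_copy(OVERFLOW_INPUT, 0xdeadbeefu, &rejected), rejected);
    printf("\"%%x %%x %%x %%x\" would read %d stack words, %%n present: %d\n",
           format_reads("%x %x %x %x", &rejected), format_writes("%08x%n"));
    return 0;
}
```

The interesting comparison is the two return values: the same 28-byte input turns the saved return address into 0x42424242 through unchecked_copy and leaves it at 0xdeadbeef through checked_copy, which is the whole difference between a crash or code execution and a rejected request. The format check is the audit rule in miniature: any conversion in a string the user controls is a read of the stack, and a %n is a write.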
That is basically a SYN packet being sent to your machine constantly. Or a Smurf attack; a Smurf attack has to do with ICMP echo requests and responses using broadcast addresses. That one's been pretty well shot down over the last several years. You can also get a denial of service simply from a malformed packet or piece of data, where a piece of data is malformed and sent into a program. Now, if the program doesn't handle it correctly and it crashes, suddenly you're not able to use that program anymore, so therefore you are denied the service of the program, and thus the denial of service. Now, as I said, a denial of service is not to be confused with a distributed denial of service, and I know it's pretty trendy, particularly in the media, to call any denial of service a DDoS. Now, it's important to note that not every denial of service is a DDoS. A DDoS, or as you might know it, a distributed denial of service, is a very specific thing: a distributed denial of service is a coordinated denial of service making use of several hosts in several locations. So if you think about a botnet as an example, a botnet could be used to trigger a distributed denial of service, where I've got a lot of bots that I'm controlling from a remote location, and I'm using all these bots to do something like sending a lot of data to a particular server. When I've got a lot of systems sending even small amounts of data, all of that data can overwhelm the server that I'm sending it to. So the idea behind a distributed denial-of-service attack is to overwhelm resources on a particular server in order to cause that server not to be able to respond. Now, the first known DDoS attack used a tool called Stacheldraht, which is German for barbed wire. Stacheldraht came out of some work that a guy by the name of Mixter was doing in 1999. He wrote a proof of concept piece of code called TFN, which was the Tribe Flood Network. Let me just show that for you.
So you can see on the Wikipedia page, the Tribe Flood Network, or TFN, is a set of computer programs that is used to conduct various DDoS attacks such as ICMP floods, SYN floods, UDP floods and Smurf attacks. Now, I know many people don't really consider Wikipedia a really good source of any sort of knowledge, but it's a good place to start off. So if you want to read about all these types of attacks, like ICMP floods, and what exactly a SYN flood is, you can always do that from here; it's not that bad a place. Of course, you should not use Wikipedia as your final Rosetta Stone. Moving on. So this program called Stacheldraht was used to attack servers like eBay and Yahoo! back in February of 2000, so that attack in February of 2000 was really the first known distributed denial-of-service attack, which is not to say that there weren't denial of service attacks previously. There were certainly plenty of them, but they were not distributed. Now, this means there weren't a lot of systems used to coordinate and create a denial-of-service condition, and therefore we get a distributed denial-of-service attack. So that's a handful of types of attacks, and some pretty common attacks that you're going to see as an ethical hacker. When you become an ethical hacker, or if you're trying to become an ethical hacker, you should always know about these types of attacks. Okay. So in this lesson we're going to be talking about penetration testing and some of the details around how it works, and logistics, and specifically things like scope. So what exactly is penetration testing? Well, not surprisingly, it's testing to see if you can penetrate something, which means you're going to check to see whether you can break into a particular thing, whether it's a server or an application. Depending on the type of engagement
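The SYN flood and the single-source versus distributed distinction from the denial-of-service discussion above, as a small detection heuristic. This is an added example, not code from the video or the course: it runs over a constructed packet log in which each record is reduced to a source address and TCP flags, and the thresholds, names and sample addresses are assumptions made for the demonstration; real code would decode the records from a capture.

```c
/* Added example, not from the video: a SYN-flood heuristic run over a
 * constructed packet log. Each record is reduced to (source address, TCP
 * flags); real code would decode these from a capture. Thresholds and sample
 * addresses are assumptions made for the demonstration. */
#include <stdio.h>
#include <string.h>

enum { TCP_SYN = 0x02, TCP_ACK = 0x10 };   /* flag bits as in the TCP header */

#define MAX_SRC         128
#define HALF_OPEN_LIMIT 5    /* half-open connections per source before we call it a flood */
#define DISTRIBUTED_MIN 10   /* flooding sources needed before we call it distributed */

struct pkt { const char *src; unsigned flags; };
struct src_stat { const char *ip; int syn; int ack; };

struct verdict {
    int flooding_sources;   /* sources at or above HALF_OPEN_LIMIT */
    int total_half_open;    /* SYNs without a completing ACK, all sources */
    int distributed;        /* 1 when flooding_sources >= DISTRIBUTED_MIN */
};

/* Find or create the per-source counter; NULL once the table is full. */
static struct src_stat *slot(struct src_stat *t, int *n, const char *ip) {
    for (int i = 0; i < *n; i++)
        if (strcmp(t[i].ip, ip) == 0)
            return &t[i];
    if (*n == MAX_SRC)
        return NULL;
    t[*n].ip = ip;
    t[*n].syn = 0;
    t[*n].ack = 0;
    return &t[(*n)++];
}

/* A bare SYN opens a handshake; a later ACK from the same source completes
 * it. A source with many SYNs and no ACKs is leaving half-open connections
 * behind, which is exactly what a SYN flood does to the listen queue. */
struct verdict classify(const struct pkt *p, int count) {
    struct src_stat table[MAX_SRC];
    int n = 0;
    struct verdict v = {0, 0, 0};
    for (int i = 0; i < count; i++) {
        struct src_stat *s = slot(table, &n, p[i].src);
        if (!s)
            continue;
        if ((p[i].flags & (TCP_SYN | TCP_ACK)) == TCP_SYN)
            s->syn++;
        else if (p[i].flags & TCP_ACK)
            s->ack++;
    }
    for (int i = 0; i < n; i++) {
        int half = table[i].syn - table[i].ack;
        if (half < 0)
            half = 0;
        v.total_half_open += half;
        if (half >= HALF_OPEN_LIMIT)
            v.flooding_sources++;
    }
    v.distributed = v.flooding_sources >= DISTRIBUTED_MIN;
    return v;
}

/* Constructed sample: three clients that each complete their handshake. */
struct verdict normal_traffic(void) {
    struct pkt pkts[] = {
        {"10.0.0.5", TCP_SYN}, {"10.0.0.5", TCP_ACK},
        {"10.0.0.6", TCP_SYN}, {"10.0.0.6", TCP_ACK},
        {"10.0.0.7", TCP_SYN}, {"10.0.0.7", TCP_ACK},
    };
    return classify(pkts, 6);
}

/* Constructed sample: one normal client plus one source firing 40 bare SYNs,
 * the plain (non-distributed) denial of service from the lecture. */
struct verdict single_source_flood(void) {
    struct pkt pkts[42];
    int n = 0;
    pkts[n++] = (struct pkt){"10.0.0.5", TCP_SYN};
    pkts[n++] = (struct pkt){"10.0.0.5", TCP_ACK};
    for (int i = 0; i < 40; i++)
        pkts[n++] = (struct pkt){"203.0.113.7", TCP_SYN};
    return classify(pkts, n);
}

/* Constructed sample: 30 sources, 8 bare SYNs each, nothing completed, the
 * many-hosts-in-many-places shape of a DDoS. */
struct verdict distributed_flood(void) {
    static char names[30][16];
    struct pkt pkts[30 * 8];
    int n = 0;
    for (int s = 0; s < 30; s++) {
        snprintf(names[s], sizeof names[s], "198.51.100.%d", s + 1);
        for (int i = 0; i < 8; i++)
            pkts[n++] = (struct pkt){names[s], TCP_SYN};
    }
    return classify(pkts, n);
}

int main(void) {
    struct verdict v[3] = {normal_traffic(), single_source_flood(), distributed_flood()};
    const char *label[3] = {"normal", "single source", "distributed"};
    for (int i = 0; i < 3; i++)
        printf("%-14s flooding_sources=%d total_half_open=%d distributed=%d\n",
               label[i], v[i].flooding_sources, v[i].total_half_open, v[i].distributed);
    return 0;
}
```

One caveat worth keeping in mind when turning this into real detection: a flooder that spoofs a fresh source address on every SYN never crosses the per-source limit, which is why the verdict also carries total_half_open; a high total with no single heavy source is the signature of spoofed or distributed traffic rather than one noisy client.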
You may have the ability to try to break in physically to a location, but primarily what you're going to be doing with penetration testing is trying to break into systems, networks and applications. That's what it's all about, and this may actually involve social engineering attacks. So it may require you to make a phone call to somebody and get them to give you their username and password, or some other type of social engineering attack where maybe you send a URL via a crafted email. Sometimes it's strictly a technical approach: you're running scans, you're running Metasploit and you're gaining access that way, or maybe through some other type of technology or application connection. Sometimes it's physical access that you need; if you can get physical access to a particular system, then maybe you can get in. So that's what penetration testing is: checking whether you can get into a system, whether physically or over a network. So what are the goals of penetration testing? The goals are to assess weaknesses in an organization's security posture. We want to figure out where they're vulnerable so that they can go and fix these problems. You want to help them understand their risk position better, and what they can or may be able to do to mitigate those risks, and ultimately you want to be able to access systems in a particular way to find weaknesses. So those are really the goals of penetration testing. Now, from a results standpoint, when you're done with your testing, what are you going to do? Well, you're probably going to generate a report. By that I don't mean you're going to run some automated tool, have it generate the report for you, hand that to the client, and then they write you a really large check.
That's not really how it works. You're going to write a report detailing the findings in a thorough way, so that it includes what you did, what you actually found, and how they can mitigate that particular risk. So you should really include remediation activities in order to fix the vulnerabilities that you find. It's pretty easy to walk around saying "hey, that's a problem, and that's a problem, and that's a problem"; there's really not a lot of value in that. Where the value is, is "hey, that's a problem, and here's how you can go about fixing it." So let's talk about the scope of penetration testing. Firstly, you want to realize how big the breadbox is, and specifically what it is that the two of you have agreed on, the two of you being you, the ethical hacker, and the other party being the person authorized to give you permission to ethically hack. They specifically agree that you can do penetration testing and that you can target them as an organization, and what you have agreed to includes any exclusions, any areas that they say you're not allowed to touch. So if they've got a database server, maybe there's a lot of really sensitive data on it and they're a little hesitant, and they may put a "don't touch this thing" clause in the scope. There are a lot of different reasons why they may exclude areas from the scope, and if they exclude them, trust their reasons and listen to what they have to say in terms of "this is what we want you to accomplish." So along those lines you really need to get sign-off from the target organization. We've talked about this before, and this is certainly all about ethics and trust, and it's also about legality, because if you do something that you don't have permission to do, you could be prosecuted for it.
So definitely get the scope very clear, in writing and with signatures attached, as to what you can and can't do, and always get approval from the right people. Make sure you get somebody who has the right level of permissions and is at the right level of management, so that they can sign off on it, understanding and accepting the risk that is associated with a penetration test. Now let me talk a little bit about security assessments and how they differ from penetration tests. A security assessment is a hand-in-hand approach with clients. You walk in and do a collaborative thing where you're a trusted partner working alongside them, and your goal isn't to penetrate them and point out all the things that are really bad, but to get a full assessment of the risk that the organization is exposed to, and you would probably provide more detail about fixes than you would in a penetration test. What we're going to do is walk in and make sure that the policies and procedures they have in place are really what they need for the organization and the risk appetite that they've got, and we're going to make sure that the policies and procedures have controls that can tell us whether they are actually being adhered to or not, whether procedures and policies are being followed. A security assessment is probably a little bit more comprehensive than a penetration test: you would look at more factors to assess the security posture of the organization and their overall risk, and you would tailor the output based on the risk appetite and what they're most interested in. That's not to say that I'm going to tell them what they want to hear. But if there's something that they know, and I know, that they're just not going to do, I'm not going to make a big deal out of it, because they're already aware of it. I'll make a note of it in the report for completeness' sake, but I'm not going to go into a lot of detail.
So it's really a hand-in-hand collaborative approach where, again, you're not just saying what they want you to say; you're providing some real security and risk guidance about their activities and other things. A penetration test, by contrast, may provide an unrealistic view. Say you've got a week to do a penetration test against your target. You're going to have to go in, you're going to have to get set up, you're going to have to start doing a bunch of scans and gathering information, screenshots and data for your report; you're going to have to do all sorts of activities. Also during the course of that week you're probably going to begin writing your report and getting a sense of what it is going to say and what's going to be in it. If you don't actually get any major penetration during the course of that week, the organization may feel like they're "secure", in quotes. That's one of the reasons why penetration testing, while really sexy and showy and nice and all, can mislead: if an organization walks out of it believing that because in a week you didn't manage to get the keys to the kingdom they must be secure, that's a really misguided view. A dedicated, skilled and motivated attacker isn't going to take just a week, or some portion of that. If they're after something, they're going to dedicate themselves to it and really go after it. So just because you didn't find a penetration in some subset of a week doesn't mean that they're secure and immune and invulnerable to attacks. It just means that during the course of that particular week, under the circumstances that were in place, you couldn't get a penetration that was really significant or major. That's all it means; it doesn't mean anything beyond that. And if an organization walks away feeling like they're secure, they're going to end up not fixing the real vulnerabilities that may be in place, which could expose them to significant risks.
So that's penetration testing, its scope, its goals, and how it differs from security assessments. Now it's time to go over footprinting. So what is footprinting? Footprinting is getting an idea of the entire scope of your target. That means not just the scope that you were given, which may be an address block, or it may be a domain name, or it may be a set of address blocks. What you want to do is figure out all the information that's associated with that, in as great detail as you can possibly get. So you want the list of domain names. As you go through this you probably want some sort of database or Excel spreadsheet or something to keep track of all the information, because you're going to have a lot of it at the end, and you want to be able to find information quickly. So have some sort of notepad going with your notes, or, as I said, a spreadsheet or a database; if you can get organized in that way, you can keep all those sorts of things written down. So in this case, suppose I want to do some searching on edureka.co. I need the network block. So far the IP addresses we have found are just made up, because I'm just putting information down, but I need the network block. You may have one IP address that you can find externally, or you're going to want a whole range of internal blocks, and you can do a little bit of digging if you aren't provided those. You want specific IP addresses for critical systems: web servers, email servers, databases, if you can find any of those sorts of things. You want system architectures: what kind of stuff are they running? Are they running Intel? Are they running Windows? Are they running some Unix system? What kind of access control lists do they have? These are going to be hard to get, but you may be able to guess them, and you can guess these by doing port scans: what sort of responses you get back from the port scans, with the filters, and what you don't get back.
That will tell you whether there's an IDS around. You also want to do system enumeration: if you can get access to a system somehow, you want to know usernames, group names and so on. So the basic idea of footprinting is gathering information. If you can get access to a system somehow, you want to know usernames and group names, system banners, routing tables, SNMP information if you can get it, DNS host names if you can get those. This is for both the internal and the external side, if you're doing an internal penetration test or ethical hacking engagement. You want to know the networking protocols that are out there: are they using TCP/IP, are they using UDP, are they on IPX/SPX, are they using DECnet or AppleTalk? Are they using some sort of split DNS? In other words, do they have internal DNS, and does it give different information from the external one? You want to check for remote access possibilities too. Now, in the footprinting process you want to be very exhaustive. You might want to try and take out email addresses, servers, domain name services, IP addresses or even contact numbers, and you want to be very exhaustive in your approach. You don't want to miss anything, because these also provide launching points for additional attacks or tests that you may be able to do. This is definitely a starting point for the types of information that you need to have as you go about footprinting your target. The next thing that we are going to see is very interesting. This is one of the many common tools that are out there on the internet, and that is the Wayback Machine, also known as archive.org. While it might not give you all the information that you need, it certainly gives you a starting point. So let me just give you a quick look at what archive.org looks like. Okay, I already have it open out here.
So out here what you can see is how a website looked around some time ago. For example, if you want to look at what Google looked like, you just have to search for Google out here and wait for the results to come back. Okay, so we see that Google goes way back to 1998. That was the first capture by the Wayback Machine, and we can see that it has a screenshot from November 11th of how Google looked. So let's see what Google looked like on November 11th of 1998. This is what Google looked like; there was actually nothing to it. It just said "Welcome to Google, Google Search Engine Prototypes" and it had a few links. So yeah, this is what the Google search engine looked like: it had a Stanford search, it had a Linux search, and you could do all sorts of stuff. What I'm trying to tell you all is that you can see the evolution of a website through time with the Wayback Machine, and this gives you a rather informative look into how a website has actually evolved. Okay. Now that we know what footprinting is and how it falls into the whole reconnaissance process, let's go over a couple of websites and do a little bit of historical thinking about companies and the types of infrastructure that they may be using. This information is of course useful so that we can narrow down our focus.
Focus, that is, in terms of what we want to target against them for attacks. Over time we've improved our awareness about what sorts of information we may want to divulge, so several years ago you may have gone to a company's website and discovered that you could get email addresses and names of people in positions that you may find relevant, and there were all sorts of bits of information that could be used against the company. Over time we have discovered that those pieces of information probably don't belong on a website where they can be used against the company, and so they've been pulled off. It also used to be that Google had the ability to pull up information that it had cached. For example, if a website was no longer available, or if it was temporarily down and offline, there was a little "cached" button that you could click when you did a Google search, and you could pull up that cached information. So even though the website wasn't available you could still get information from Google's servers. Now Google has removed that, so we don't have that ability any longer. However, there is an internet archive that we can use, and this thing is called the Wayback Machine. I have it open out here: it's archive.org/web. archive.org is a website that gives us information about other websites and how they looked years ago. So I'm going to go to the Wayback Machine, which you can see is at archive.org, and I'm going to search for edureka.co. Now we're going to take a historical look at edureka.co's website, and you can see we've got some years, and they've got information going back to 2013. So let's look at what this website looked like in 2013. Okay, there doesn't seem to be any snapshot out here; I wonder what's going on. Okay, so let's go to 2014, and the first snapshot seems to be on September 12th of 2014. Actually, it's on May 17th, so let's see what that looks like. Okay.
So this is what edureka looked like back in 2013, or rather 2014, September 12th 2014 to be exact. You can see that we have some live classes and all these pictures there, and they've got this weird picture of the sky; I don't know why that was a thing back in 2014. Now we can browse the more recent screenshots, the ones that were taken later on, and see how this company has evolved with its infrastructure and the way it actually lays out its content. Okay, so it still hasn't evolved here, but I can go a couple of years ahead and see what this has actually evolved into. So if I go to December 2016, this is what it looked like in 2016, and we can see that they've added this weird box out here about courses, and they have another search bar that kind of looks weird, but that's mostly because my internet is slow and it's not loading all the elements. They've also changed how they've laid out the courses, and we can also see a change in the prices, I guess. So yeah, this tells us about how the website evolved as a whole. Now, the other website I want to talk about is called Netcraft. Netcraft does internet research, including the types of web servers that companies run, and they have a web server survey. You can see here, as we scroll, that Apache has 64.3% of the internet market share, followed by Microsoft with 13%. Interesting information, maybe useful information, but even more useful than that is looking at what different companies run for their websites, and you can see that here. So let's try and search for edureka.co here. We just put in the website URL and have Netcraft generate the site report. As you can see, some stuff is not available, but we know that the netblock owner is Amazon Technologies, the name server is this thing right here, and the DNS admin is the AWS DNS hostmaster. We also have the IP address, and we can go look it up.
You can look up the IP on VirusTotal if you want to. There is no IPv6 present, so that's some information we can see, and we can obviously opt not to target IPv6 ranges. Then there's also reverse DNS, and then we also have a bunch of hosting history. This is the history of it, and we know that it's hosted on a Linux system with an Apache web server, this is when it was last seen, and this is when it was last updated. So this is some very useful information. You can also get information on something like Netflix, so if you just type, okay, I just spelled that wrong, so let me just change it in the URL out here. If you go and type in netflix.com you'll see that it shows you all sorts of information. As you see, it's on an AWS server, Amazon Data Services Ireland, and this is all the hosting history that goes along with it. It has Sender Policy Framework and Domain-based Message Authentication, Reporting and Conformance information. There's all sorts of information that you can get about websites and web servers from Netcraft. So the Wayback Machine along with Netcraft make up some interesting tools that are available on the internet with which you can do a little bit of your reconnaissance. Okay. Now that we have gone over Netcraft and the Wayback Machine, it's time to get to know how to use the little information that these sites actually provide. So the next topic that we are going to go over is using DNS to get more information. We're going to be going over a tool called whois, the utility that is used to query the various regional internet registries that store information about domain names and IP addresses, and let me just show you what the internet registries are. So I have arin.net open out here, and these are the internet registries that provide for the ISPs and look over the internet as a whole.
So here we have AFRINIC, we have APNIC, we have ARIN, we have LACNIC and we have RIPE NCC. These are all the regions, with all the different countries that they support, and you can look at the map that it is showing out here by just hovering over the providers. So as you can see, all this brown region out here is Africa, that's AFRINIC; then we have APNIC, which is the black or greyish thing, which is India and Australia and quite a lot of Asia; then we have ARIN, which is a lot of North America and the United States; then LACNIC, which is mostly the Latin side, the South American part; then we have the rest of Europe, which is RIPE NCC, and this is the part that RIPE NCC provides internet to. Okay, so that was all about the internet registries. Now let's get back to the topic, and that is using DNS to get more information. For this we are going to be using a Linux-based system, so I have Ubuntu running on my virtual machine out here, and let me just log into it. Firstly, we are going to be using this query tool called whois that looks up these internet registries that I just showed you. Let me just quickly clear this. Okay. So for acquiring information from the regional internet registries that I just talked about, you can use whois to get information about who owns a particular IP address. For example, I could do whois on Google, or rather netflix.com, and we get all sorts of information about Netflix. We can see that the registrar is MarkMonitor. Let's go up and look at all the information that has been given to us by this whois query. Okay, I just scrolled a little bit too much. So: registry domain ID, we have the domain ID where it is registered, and the registrar URL is MarkMonitor. Now the creation date is 1997, so in case you hadn't realized, Netflix has been around for a long time, and it was updated in 2015.
And the registry expiry date, as we see, is 2019; that's when it's going to actually expire. This is all useful information: we can see the domain status, the name servers, and DNSSEC, which it says is unsigned. This is very useful information provided by a very simple query. Now, if you want to know who owns a particular IP address, let's see if we got back the IP address out there. We should have gotten back the IP address, but I can't find it. To get back the IP address for a domain name you can use a command called dig, so you do `dig netflix.com`. As you can see, it has returned multiple IP addresses, and these are all the IP addresses that Netflix has. So I could do something like this: if I was trying to check who owns a certain IP address, for example one of these IP addresses, but let's just assume I don't know that it actually belongs to Netflix, I can go `whois 54.77.108.2` and it will give me some information. As you can see, it is giving us a bunch of information as to who this is. We see that it is from arin.net, so we can very reasonably assume that it's from the North American part, and we can also see that it's in Seattle. So our guess was completely right. It also gives us a range, and this is something very useful: we now have the range of the IPs that might be being used by this organization. So we indeed have 54, and it says it goes up to 54-something. There's also a 34-something address; let's check that out and see what information we get, so whois and let's check it out. What was the IP that we were just seeing? 34.249.125.167. So 34.249.165, I don't know, let's see. You can also put in a random IP address, it doesn't really matter, and it'll give you the information.
So let's see: this is some IP address, and even though this seems to be a random IP address, it's also based in Seattle and we got a bunch of information. So that's how you can use the whois query and the dig query to actually get all sorts of information about the domain name service, and to get information from DNS basically. Now let's go over some theory for DNS, using DNS to get information. So firstly, what is the domain name service and why do we need it? A domain name is a name given to an IP address so that it's easy to remember; of course it's easier to remember names and mnemonics than a bunch of random weird numbers. This was mainly so that we can map names to IP addresses, and we can get a bunch of information from the host name resolution. So that's the purpose of domain names. Now we'll also be looking at how to find network ranges. Before we actually move on to how to find out the network ranges, let me just show you another way you can use whois. Suppose you want to know the domains with the word "foo" in them. You could go `whois foo`, and this will give you a whole bunch of things that have "foo" in them, all the sorts of foos that there are on the internet. So that's one interesting use, and if you want to know more about how to use whois you can just go `whois --help`. Yes, so this is all the types of stuff that we can do with whois: you can set the host, you can set the port that you want to search on, then there's the -l flag to find one level less specific match, and we can do an exact match, or an inverse lookup for specified attributes. Then we can also set the source, we can set verbose type, and we can request a template for this bunch of stuff. So you could say whois verbose, and suppose edureka.co, and it'll give you a verbose version: "this is the RIPE Database query service, objects are in RPSL format, the RIPE Database is subject to Terms and Conditions."
So, okay, let's try something else, like `whois netflix.com`. Okay, I'm sorry, I was supposed to use verbose and I kept doing -h, silly me. So you do -v, and that will give you something like "this is the RIPE database" again, and I think I'm doing something wrong. Okay, just for that thing, okay, -v and type, okay, or let's just see; let me just show you how to use the option so that only primary keys are returned. Okay, let's try that out. So it seems that this is a RIPE database query service and objects are in RPSL format, so it won't really work for that thing, and it also says that no entries were found, because of this error. So this is for some later lessons. For now, I hope I gave you a good idea of how to use whois: you could just go `whois` and then some IP address, 192.168.1.1 or something like that, or you could just go for a domain name like Facebook and get all sorts of information about Facebook when the query actually returns something. Okay, so let's move on to network ranges. In this part of the video we are going to be going over the utility called whois, which is used for getting information from DNS. Let me just show you a website I have out here. These are the regional internet registries. The internet registries are used to store information about domain names and IP addresses, and there are five regional internet registries. First is ARIN, which is responsible for North America, so that would be the US and Canada; then we have LACNIC, which is responsible for Latin America and portions of the Caribbean; then there's RIPE, which is responsible for Europe, the Middle East and Central Asia; there's AFRINIC, which is responsible for Africa; and finally we have APNIC, which is responsible for Asia and the Pacific Rim.
So those are the regional internet registries, and as I said, whois is responsible for acquiring information from the various regional internet registries, and you can use whois to get information about who owns a particular IP address. For example, let me just open up my Ubuntu system. Let me clear this out first. So, as I was just saying, you could go `whois facebook.com`. Okay, as you can see, we could find out pretty quickly who owns a particular IP address. For example, I could do whois and just go facebook.com, and it tells me who it belongs to. It also gives you who owns a particular IP address and who's responsible for it, and from that information you can get email addresses that belong to a particular company. This one has an email address for the tech contact, an IP registration address, so you can get all sorts of email addresses, tech contacts and all sorts of stuff out there. The database contains only .com and .net and all sorts of information. Now, I want to query a different IP address, and different information belongs in the different regional internet registries, of course, so if I want to go to a particular database I will have to use the -h flag. I could do `whois -h whois.arin.net` and remember the IP address, and I'm going to query that again. Of course I get the same information back, because I went there anyway. So you could just go whois, -h, and then follow it with an IP address, something like 34.25.176.98; that's just some random IP address I made up. And it says "whois: invalid option". Okay, so it's a capital H. Okay, let's see that, and we get all sorts of information back from that, so ARIN and all sorts of stuff. Now I can get information about domains as well. If I query something like netflix.com, I can find out that this is actually Netflix, and there's an administrative contact and a technical contact, and I can see the different
name servers, the servers that have authority over the DNS entries for that particular domain. You can also see other information, like when the record was created, and a whole bunch of different phone numbers that you could contact. In addition to storing information about IP addresses and domain names, sometimes it will store information about particular host names, and there may be other reasons why you would store a host name or particular information about hosting on the system at one of the RIRs. Now if I wanted to look up something specific, once I have found that I could do a lookup with whois, say something like `whois foo`. If you don't already have whois installed, you can easily install it by just going `apt install whois` on your Unix system, and that should do the trick, and then you can start using this really nifty tool. Okay, so that was all about using whois. Now let's get on to actually finding network ranges for a domain. So now let's talk about how we are going to go about finding network ranges. Suppose you've got an engagement and you only know the domain name, you don't know much beyond that, and you're expected to figure out where everything is and what everything is. How do you go about doing that? Well, you use some of the tools that we either have been talking about or will soon be talking about in more detail. The first thing I'm going to do is use a domain name, edureka.co, and look up edureka.co and see if I get an IP address back. So let's just head over there and go `whois edureka.co`, or we could use the host command. As you see, we get an IP address back, and that is 34.210.239.35, so you see that I've got back an IP address.
So here's just an IP address, and I don't know who that IP address belongs to, and I also don't know how big the network range or network block is that's associated with it. So what I'm going to do is a whois, and I'm going to look up with ARIN who owns that IP address, so you can basically go `whois 34.210.239.35`. As you can see, that gives us a bunch of information, and this doesn't seem to have a very big network range, unlike something like Netflix. So suppose we were to do something like `host netflix.com`; see, now we have a bunch of IP addresses. So suppose we do `whois 52.99.40.147`. I'm expecting Netflix to be a much larger company and have a bigger range. Yeah, now see, we get a net range. This is the network range that we're talking about. So we had a random IP address, and now we have found the network range. That's how you find network ranges, and this can be very useful. This gives me evidence that netflix.com has a presence on different addresses than the one I located by looking up that particular host name. So I've got one address here that I can look at; let's take a look at the website, because it may be a different address. Now, if I didn't have that, I could also go and do something like an MX query. So let's see, I could go dig, and this will give us all the mail servers, so `dig MX`. Let's see what MX does; actually, you could do `dig -h` for a list of options. These are all the options that we have, and the one that we're going to use is something like `dig MX netflix.com`. So these are all the mail servers, the MX records, that we have gotten from Netflix, and this is information regarding it. It's still producing information; that's a big thing to produce. Okay.
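As an added example (not from the course), here is a small Python script that does offline what the whois and dig walk-through above does by eye: it pulls the NetRange/CIDR, owner and MX hosts out of sample output and checks whether a given address actually falls inside the recovered block, the kind of check you want before treating an address as in scope. The whois and dig text is constructed using RFC 5737 documentation addresses, and the example.com/example.net names are assumptions.

```python
"""Turn raw whois / dig output into footprinting notes.

Added example, not part of the Edureka course material. The lesson pastes
whois and dig output into a terminal and reads NetRange, owner and MX hosts
by eye; this parses those fields so they can go into the notes file or
spreadsheet the instructor recommends, and checks whether a probe address
lies inside a recovered block. All sample text is constructed (RFC 5737
documentation addresses, example.com / example.net names); runs offline.
"""
import ipaddress
import re

# Constructed: the shape of an ARIN reply to `whois <ipv4 address>`
SAMPLE_WHOIS = """\
#
# ARIN WHOIS data and services are subject to the Terms of Use
#
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-NET-1
OrgName:        Example Hosting, Inc.
City:           Seattle
Country:        US
OrgTechEmail:   hostmaster@example.net
"""

# Constructed: the ANSWER SECTION of `dig MX example.com`
SAMPLE_DIG_MX = """\
;; ANSWER SECTION:
example.com.        300     IN      MX      20 alt1.mx.example.net.
example.com.        300     IN      MX      10 mx.example.net.
"""

_FIELD_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*?)\s*$")


def parse_whois(text):
    """Return the first value seen for each 'Key: value' field.

    Lines starting with '#' (ARIN) or '%' (RIPE/APNIC/AFRINIC/LACNIC style)
    are registry comments and are skipped.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in "#%":
            continue
        m = _FIELD_RE.match(line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def network_ranges(fields):
    """Return the registered blocks as ipaddress network objects.

    Prefers the CIDR field (may list several comma-separated blocks); falls
    back to summarising an ARIN 'NetRange' or RIPE-style 'inetnum'
    start - end pair into CIDR blocks.
    """
    if "CIDR" in fields:
        return [ipaddress.ip_network(c.strip()) for c in fields["CIDR"].split(",")]
    span = fields.get("NetRange") or fields.get("inetnum")
    if not span:
        return []
    start, end = (ipaddress.ip_address(p.strip()) for p in span.split("-", 1))
    return list(ipaddress.summarize_address_range(start, end))


def in_scope(ip, networks):
    """True if `ip` lies inside any of the recovered blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_mx(text):
    """Return (preference, exchange) pairs from dig MX output, lowest preference first."""
    mx = []
    for line in text.splitlines():
        if line.startswith(";") or not line.strip():
            continue
        parts = line.split()
        # owner  ttl  class  type  preference  exchange
        if len(parts) >= 6 and parts[3] == "MX":
            mx.append((int(parts[4]), parts[5]))
    return sorted(mx)


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    nets = network_ranges(rec)
    print("Owner:", rec.get("OrgName"), "| blocks:", [str(n) for n in nets])
    for probe in ("203.0.113.77", "203.0.114.1"):
        print(probe, "in range" if in_scope(probe, nets) else "NOT in range")
    print("Mail handlers:", parse_mx(SAMPLE_DIG_MX))
```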
So as I was just saying, with the MX flag I could get back all the mail handlers. In this case their mail is being handled by Google, which is not particularly surprising. Another thing you can do is check for different host names. Since I'm assuming the DNS server probably doesn't allow zone transfers, because most DNS servers don't anymore (although they used to), you may have to start guessing. So I could try something like webmail and see what we find. So it showed us a dump of all the stuff it found. Okay, so that was all about finding network ranges. Now moving on, our next topic is using Google for reconnaissance. Some people also call this Google hacking. Now, if you know how to use Google to exactly target and find what you are looking for, Google is an excellent tool for reconnaissance purposes, and today I'm going to show you how you could use Google exactly for your searches. So first of all, let's open a tab of Google, so let's go to google.com. Okay. So now we're going to be talking about how we can use Google to actually gain some targeted information. This is in general called Google hacking. Now, when I say Google hacking, I don't mean breaking into Google to steal information; I'm talking about making use of specific keywords that Google understands to get the most out of the queries that you submit. So for example, a pretty basic one is the use of quotation marks: you quote things in order to search for specific phrases. Otherwise Google will find pages that have instances of all those words rather than the words together in that particular order. So I'm going to pull this query up, and this shows a list; let me just show it to you. So you go index of, and this is showing us an index of all the films. This is basically all those index-of sites that you want.
So as you guys can see, this shows an index of all sorts of films that are there. Now you can use index of, and you see that we also have an index of downloads or something like that, some .com site with downloads, and it is an index of all sorts of stuff. Now you can go into some folder and check them out. I don't know what these are, but some sort of files. And this is how you can use Google. Now let me just show you some more tricks. Suppose you're using Google to search for something like a presentation; you could use filetype:pptx, and it'll search for every file of that type, that is PowerPoint. Okay. Let's try another: filetype:conf config. So this brings up all the files that have some configs in them, so some gaming configuration files, as we see. Now, you could also use something like inurl, and you can use inurl:root, and this will give you all the pages with root in their URL: KingRoot, Digital Trends, how to root Android, so everything with root. And suppose you want to use allinurl, or suppose you want some extension, so ext:pptx. Does that work? Let's search for JavaScript files. Okay, I think it's js. Okay, that doesn't seem to work either; this shows us all the HTML things, not just external JS. I'm doing this wrong. So you could use filetype. So let's see, filetype:doc; these are all the documents that you could find with the filetype operator. And you could also do js, I guess. Yeah, this gives you all the JavaScript files that are there. So this is how you can use Google to actually narrow down your searches, if suppose you want a particular set of keywords, and we want to make sure we get the password file from Google. Okay. So now let's go into more detail about the various things you can find using Google hacking.
Now, while Google hacking techniques are really useful for just general searching in Google, they're also useful for penetration testers or ethical hackers. You can narrow down the information that you get from Google to get a specific list of systems that may be vulnerable. So we can do things like look for pages that have error in the title. So suppose we go intitle:error, and we get all sorts of stuff, and we can add the -google part; the minus Google tells Google not to show the stuff that's from Google. So we get various documentation pages about different vendors and the errors that they support. So here's one doc from Oracle about a Java error, but with something more specific we may be able to get errors about all sorts of other stuff. So this is how you could use the Google hacking technique to your advantage as a penetration tester. Now, let me also show you something called the Google Hacking Database. This is very useful for an ethical hacker. The Google Hacking Database was created several years ago by a guy called Johnny Long, who put it together to compile a list of searches that would bring up interesting information. Johnny has written a couple of books on Google hacking. So we're at the Google Hacking Database website here, and you can see them talk about Google dorks and all sorts of stuff. Now you can see that we can do all sorts of searches, like an inurl search for some ASP page, and this brings up some portal pages. Now, out here you can bring up some password pages, password in the URL. This will give you all sorts of stuff on Google; suppose you go inurl:password, you can get all sorts of pages which have password in their URL.
So maybe you can just guess a password from there too. Now, that was Google hacking; so these are Google hacking entries, and they also have a number of categories that you can look through to find some specific things. So you may be interested in, of course, searching for specific information with regards to a specific product. For example, let me just show you the Exploit Database. These are all the certain types of stuff you can go through out here. And as you see, we have all sorts of things, like this is an SQL injection one, and this is something regarding archived files. So these let you get a foothold into some password cracking, and you can do some brute-force checking, and you can see here that it talks about the type of searches and what they reveal. You can just click here on the Google search link and it will actually bring up Google with the list of responses that Google generates. So let's look at this one here. This type is a log, so this is something about cross-site scripting logs, and we can also see some other logs, if I'm not wrong, some denial-of-service POC, and we can see a bunch of stuff, and if you continue to scroll down there's interesting information in here; so somehow somebody's got a log that has a lot of information, and they've got it up on a website, and that's basically a bunch of information that you can see. You can also sometimes get some surveillance video and look into it. So this is basically how you could use Google. It's basically a list of queries that you can go through, and this is a very useful site if you are a penetration tester and looking for some help with your Google hacking terminology. So that's it for Google hacking. Now let's move on. Okay. So now it's time for some networking fundamentals, and what better place to begin than with TCP/IP. Now we're going to be talking about the history of TCP/IP and the network that eventually morphed into the thing that we now call the internet.
So this thing began in 1969, and it spun out of this government organization called ARPA, which is the Advanced Research Projects Agency, and they had an idea to create a computer network that was resilient to certain types of military attack. The idea was to have a network that could survive certain types of war and warlike conditions. So ARPA sent out a request for proposals to BBN, which is Bolt, Beranek and Newman, who were previously an acoustical consulting company, and they won the contract to build what was called the ARPANET. The first connection was in 1969. So that's where we get the idea that the internet began in 1969, and the internet as we call it now began with ARPANET, but it has a long history that goes through NSFNET in the 1980s. After ARPANET was decommissioned, a lot of other networks were folded into this thing called NSFNET, which then turned into what we now call the internet once a lot of other networks were connected into it. The first protocol on the ARPANET, the very first protocol defining communication on ARPANET, was called the 1822 protocol, because BBN Report 1822 describes how it works. Shortly after that came the Network Control Program, and the Network Control Program consisted of the ARPANET Host-to-Host Protocol and an Initial Connection Protocol. Now, there's certainly not a direct correlation or analogy here, but if you want to think about it in particular, you can say that the ARPANET Host-to-Host Protocol is kind of like UDP and the Initial Connection Protocol, or ICP, is kind of like TCP. So the Host-to-Host Protocol provided a unidirectional flow-controlled stream between hosts, which sounds a little bit like UDP, and ICP provided a bidirectional pair of streams between two hosts. And again, these aren't perfect analogies,
but the Host-to-Host Protocol is a little bit like UDP and ICP is a little bit like TCP. Now, the first router was called an Interface Message Processor, and that was developed by BBN. It was actually a ruggedized Honeywell computer that had special interfaces and software. So the first router wasn't a ground-up built piece of hardware; it was actually an existing piece of hardware specially repurposed for this particular application. So Honeywell had this computer that they made, and BBN took that and made some specific hardware interfaces and built some special software that allowed it to turn into this Interface Message Processor, which passed messages over ARPANET from one location to another. So where did IP come in here? IP came in in 1973, as I just said, when a guy by the name of Vint Cerf and another guy by the name of Robert Kahn took the ideas of NCP and what the ARPANET was doing and tried to come up with some concepts that would work for the needs that the ARPANET had. So by 1974 they had published a paper, published by the IEEE, in which they proposed some new protocols. They originally proposed a central protocol called TCP; later on TCP was broken into TCP and IP to get away from the monolithic concept that TCP originally was. So they broke it into more modular protocols, and thus you get TCP and IP. So how do we get to our version, which is IPv4, since that's the kind of internet that we're using right now? Version 6 is coming and has been coming for many, many years now, but we're still mostly on version 4. So how did we get here? Between 1977 and 1979 we went through versions 0 to 3. By 1979 and 1980 we started using version 4, and that eventually became the de facto protocol on the internet in 1983, when NCP was finally shut down because all the hosts on the ARPANET were using TCP/IP.
By that point, in 1992, work began on IP Next Generation, and for a long time the specifications in the RFCs talked about IPng; eventually IPng became known as IPv6. You may be wondering where IPv5 went. Well, it was a special-purpose protocol that had to do with streaming and was certainly not a widespread thing. One of the differences between IPv4 and IPv6 is that IPv6 has a 128-bit address, which gives us the ability to have some ridiculously large number of devices that have their own unique IP address; IPv4 by comparison has only 32-bit addresses. And as you've probably heard, we're well on our way to exhausting the number of IP addresses that are available, and we've done a lot of things over the years to conserve address space and reuse address space so we can keep extending it to the point where we completely run out of IPv4 addresses. Another thing about IPv6 is that it attempts to fix some of the inherent issues in IP, and some of those have to do with security concerns; there are certainly a number of flaws in IPv4. When they started working on IP Next Generation, or IPv6, they tried to address some of those concerns and some of those issues, and they may not have done it perfectly, but it was certainly an attempt, and IPv6 attempts to fix some of the issues that were inherent in IP. And so that's the history of TCP/IP, still very rich today. Okay. So now that we've discussed a brief history of TCP/IP and how it came about to TCP/IP version 4, let's discuss the model itself. Now we're going to be discussing two models, and those are the OSI model and the TCP/IP model. As I said, we'll be talking about the OSI and TCP/IP models for network protocols and network stacks. OSI, first of all, is the one that you see out here on the left-hand side of the screen, and OSI stands for Open Systems Interconnection.
In the late 1970s they started working on a model for how a network stack and network protocols would look. Originally the intent was to develop the model and then develop the protocols that went with it. But what ended up happening was that after they developed the model, TCP/IP started really taking off, and the TCP/IP model was what went along with it and matched much better what was going on with TCP/IP, which became the predominant protocol, and as a result the OSI protocols never actually got developed. However, we still use the OSI model as a teaching tool as well as a way of describing what's going on with the network stack and the applications. You'll often hear people talking about different layers, like "that's a layer 2 problem" or "we're in layer 3 space". Now, continuing through these lessons, I'll refer occasionally to the different layers, and when I do that I'm referring to the OSI model. So let's take a look at the OSI model, starting from the bottom. We have the physical layer, which is where all the physical stuff lives: the wires and cables and network interfaces and hubs, repeaters, switches and all that sort of stuff. So all that physical stuff is sitting in the physical layer. Now, sitting above this is the data link layer, and that's where the Ethernet protocol, the ATM protocol and frame relay live. Now, I mentioned the switch below in the physical layer; the switch lives at layer 1, but it operates at layer 2. And the reason it operates at layer 2 is because it looks at the data link address, the layer 2 or "physical" address, and that's not to be confused with the physical layer. It does get a little mixed up sometimes. We refer to the MAC address, and the MAC address is not a physical-layer address in the sense I'm talking about, even though the MAC address on a system is called the physical address, because it lives on the physical interface and is bound physically.
However, that MAC address, or Media Access Control address, lives at layer 2, the data link layer. The network layer, which is right above at layer 3, is where IP lives, as well as ICMP and IPX from the IPX/SPX suite of protocols from Novell; routers operate at layer 3. At layer 4 above that is the transport layer; that's TCP, UDP and SPX, again from the IPX/SPX suite of protocols. Above that is the session layer, that's layer 5, and that's where SSH lives, as well as several other protocols. Then there's the presentation layer, which is layer 6, and you'll often see people refer to something like JPEG or MPEG as examples of protocols that live at that layer. Finally, we have layer 7, which is the application layer, and that's HTTP, FTP, SMTP and similar application protocols whose responsibility is to deliver and use the functionality. So that's basically the OSI model and its seven layers, and there's an important thing to note here. That is, when we are putting packets onto the wire, the packets get built from the top of the stack down to the bottom of the stack, which is why it's called a stack: each layer sits on top of the other, and the application layer is responsible for beginning the process. Then it follows through the presentation, session and transport layers and down through the network and data link layers until we finally drop it on the wire at the physical layer. When it's received from the network, it goes from the bottom up: we receive it on the physical layer, and it gets handled by the data link layer and then the network layer, and so on up to the application layer.
So basically, when a packet is going out, it comes in from the application and goes out from the physical, and when it's coming in, it goes from the physical through the data link, then the network, transport, session, presentation and application layers, and finally to the target application. Now, what we're dealing with is an encapsulation process. So at every layer on the way down, the different layers add bits of information to the datagram, or the packet, so that when it gets to the other side each layer knows where its demarcation points are. While it may seem obvious, each layer talks to the same layer on the other side. So when we drop a packet onto the wire, the physical layer talks to the physical layer; in other words, the electrical bits that get transmitted by the network interface on the first system are received on the second system. On the second system, the layer 2 headers that were put on by the first system get removed and handled as necessary. Same thing at the network layer: it's the network layer that puts on the IP header, and it's the network layer that removes the IP header and determines what to do from there, and so on and so on. Again, while it may seem obvious, it's an important distinction to recognize that each layer talks to its peer layer. When you're building a packet you go down through the stack, and when you're receiving you come up through the stack. And again, it's called a stack because you keep pushing things on top of the packet and they get popped off on the other side. So that was a detailed but brief rundown of how the OSI model is set up and how it works. Now, let's move on to the TCP/IP model, which is on the right-hand side, and you'll notice that there's a really big difference here, that being that there are only four layers in the TCP/IP model as compared to the seven layers of the OSI model.
Now, we have the network access layer, the internet layer, the transport layer and the application layer. The functionality that the stack provides is the same; in other words, you're not going to get less functionality out of the TCP/IP model. It's just that they've changed where the functionality resides and where the demarcation points between the different layers are. So there are only four layers in the TCP/IP model, which means that a couple of layers have taken in functions from several of the OSI layers, and we can get into that right here. The difference between the models: the network access layer in the TCP/IP model consists of the physical and the data link layers from the OSI model. So on the right here, you see the network access layer, which takes in the physical and the data link layers from the OSI model on the left-hand side. Similarly, the application layer of the TCP/IP model compresses the session, presentation and application layers of the OSI model: on the right, the very top box, the application layer, encompasses the session, presentation and application layers on the left-hand side. That of course leaves the transport layer to be the same, and what the OSI model calls the network layer, the TCP/IP model calls the internet layer; same sort of thing. That's where IP lives, and even though it's called the internet layer as compared to the network layer, it's the same sort of functionality. So those are the really big differences between the OSI and TCP/IP models. Any time I refer to layers through the course of this video, I'm going to be referring to the OSI model, in part because it makes it easier to differentiate the different functionality.
If I were to say something lives in the network access layer of the TCP/IP model, you wouldn't necessarily know if I was talking about a physical thing or a data link thing. Since there's more granularity in the OSI model, it's better to talk about the functionality in terms of the layers in the OSI model, and that's the predominant model. So that's the OSI model and the TCP/IP model for network stacks, network protocols and applications. Okay. So now that we've discussed the TCP/IP model, let's go over another important protocol, and that is UDP. So what you see out here on your screen right now is Wireshark, and we'll be going over the uses of Wireshark and what it's useful for in the upcoming lessons. But for now, let me just show you a UDP packet. Okay. So before we get into the analysis of the packet, while it's still filtering, let me just tell you a little bit about UDP. So UDP is a protocol in the TCP/IP suite of protocols. In the OSI reference model, the network layer, the IP layer, carries the IP address, and that has information about how to get a packet to its destination. The transport layer sits on top of the network layer, and that carries information about how to differentiate between applications, and that information about how those applications get differentiated is in the form of ports. So the transport layer has ports and the network layer has, in this case, an IP address. UDP is a transport layer protocol, and UDP stands for User Datagram Protocol; it's often called connectionless or sometimes unreliable. Now, unreliable doesn't mean that you can't really rely on it; unreliable means that you can't be sure that what you sent is reaching the other side. So it means that there's nothing in the protocol that guarantees that the datagram or the packet that you send is going to get where you want to send it. So the protocol has no sort of safety feature like that.
So you shouldn't use this protocol, that is UDP, if you want some sort of safety net. If you needed that type of safety net you would have to write it into your own application. So basically UDP is a fast protocol, and that's one of the reasons why it's good. It's also one of the reasons why it's unreliable, because in order to get that speed you don't have all of the error checking and validation that messages are getting there. So because it's fast, it's good for things like games and for real-time voice and video, anything where speed is important, and that's where you would use UDP. So right here I have a packet capture. I'm using Wireshark to capture some packets, and let's check out a UDP packet. Out here you see that there is a frame that says 167 bytes on the wire, 167 bytes captured, but we're not really interested in the frame part; we're interested in the User Datagram Protocol part. So here you can see that the source port is 1853 and the destination port is 52081. Then it has a length and it has a checksum, and that's it. So as you guys see out here, we don't really see a bunch of information; what you see is a source port and a destination port, a length, and there's also a checksum. So UDP doesn't come with an awful lot of headers, because it doesn't need any of the things that you see in the other packet headers. The only thing it needs is to tell you how to get to the application on the receiving host, and that's where the destination port comes in. Once the message gets to the destination, the destination needs to know how to communicate back to the originator, and that would be through the source port, for a return message. So a return message would convert the source port to a destination port and send back to that port in order to communicate with the originator.
So we have a source port and a destination port, and the length is a minimal amount of checking: if the packet that you received is different from the length that is specified in the UDP header, then there may have been something wrong, so you may want to discard the message and check for more messages. The checksum also makes sure that nothing in the middle was tampered with, although if there's some sort of man-in-the-middle attack or something like that, a checksum is pretty easy to recompute after you've altered the packet. So you can see here in the capture that there are a number of UDP packets; some of them are just UDP, and the one I'm looking at happens to be from some Skype application, I guess, talking to Skype servers, and we've also got DNS. Now, DNS also needs fast response times, because you don't want to spend a lot of time looking up information about servers that you're going to before you just go to them. So DNS servers throw all their queries onto the network using UDP, hoping to get fast responses. They don't want to spend a lot of time setting up connections and doing all the negotiating that comes with a protocol like TCP, for example. So here you see that DNS is using UDP, and what we've got here is another UDP packet with its destination and all sorts of stuff, so you can see it out here. You can see the checksum; it shows an unverified checksum status. So you can check out all sorts of stuff using Wireshark. So that was about UDP, or the User Datagram Protocol. Okay. So now that we're done with the User Datagram Protocol, let's talk about addressing modes. Addressing modes are how you address a packet to your different destinations. There are three kinds of addressing modes. The first kind of addressing mode is unicast. This is a pretty simple one to understand.
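The encapsulation walk-through (headers pushed on the way down the stack, popped on the way up) and the four UDP header fields just shown in Wireshark can be put together in code. This is an added example, not code from the video: it builds a UDP datagram layer by layer, then parses it back on the receiving side, performing the length check described above and recomputing the checksum. It also demonstrates the caveat the instructor raises, that a checksum catches a corrupted bit but anyone altering the packet can recompute it, so it is error detection, not integrity protection. Addresses, ports and payload are constructed test values; the header layouts follow RFC 768, RFC 791 and RFC 1071.

```python
"""Encapsulation and the UDP header, worked in code.

Added example, not code from the video. Builds payload -> UDP -> IPv4 the way
the stack does on the way down, then parses it back on the way up, checking
the length field and the checksum like a receiver would. Addresses, ports
and payload are CONSTRUCTED values (RFC 5737 documentation addresses).
"""
import ipaddress
import struct

UDP_PROTO = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_checksum(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> int:
    """UDP's checksum also covers a pseudo-header holding the IP addresses, so the
    transport layer depends on the network-layer header wrapped around it."""
    length = 8 + len(payload)
    pseudo = (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
              + struct.pack("!BBH", 0, UDP_PROTO, length))
    header_with_zero_sum = struct.pack("!HHHH", sport, dport, length, 0)
    csum = internet_checksum(pseudo + header_with_zero_sum + payload)
    return csum or 0xFFFF  # RFC 768: a computed 0 is sent as 0xFFFF (0 means "none")


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Transport layer: the four fields Wireshark shows (ports, length, checksum)."""
    length = 8 + len(payload)
    csum = udp_checksum(src_ip, dst_ip, sport, dport, payload)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_ipv4(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Network layer: push a 20-byte IPv4 header on top of the UDP segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0, 64,
                      UDP_PROTO, 0, ipaddress.ip_address(src_ip).packed,
                      ipaddress.ip_address(dst_ip).packed)
    # Header checksum lives in bytes 10-11 and is computed with that field zero.
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + segment


def parse(packet: bytes) -> dict:
    """Receiving side: pop IPv4, then UDP, validating each layer as it goes."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr = packet[:ihl]
    if internet_checksum(ip_hdr) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    if ip_hdr[9] != UDP_PROTO:
        raise ValueError("not UDP")
    src = str(ipaddress.ip_address(ip_hdr[12:16]))
    dst = str(ipaddress.ip_address(ip_hdr[16:20]))
    udp = packet[ihl:]
    sport, dport, length, csum = struct.unpack("!HHHH", udp[:8])
    if length != len(udp):                       # the length check the video describes
        raise ValueError("UDP length field does not match the bytes received")
    payload = udp[8:]
    # Wireshark shows "unverified" unless told to recompute this; a host recomputes it.
    ok = None if csum == 0 else udp_checksum(src, dst, sport, dport, payload) == csum
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": payload, "checksum_ok": ok}


def demo() -> tuple:
    """Checksum catches a flipped bit, but a rewritten packet checks out again."""
    src, dst = "192.0.2.10", "198.51.100.53"
    pkt = build_ipv4(src, dst, build_udp(src, dst, 1853, 52081, b"hello"))
    intact = parse(pkt)["checksum_ok"]
    # Flip one bit of the payload in transit: the receiver's recomputation disagrees.
    damaged = bytearray(pkt)
    damaged[-1] ^= 0x01
    corrupted = parse(bytes(damaged))["checksum_ok"]
    # Whoever altered the payload can recompute the field too, so a matching
    # checksum proves only that nothing got mangled, not that nothing was changed.
    resealed = build_ipv4(src, dst, build_udp(src, dst, 1853, 52081, bytes(damaged[-5:])))
    return intact, corrupted, parse(resealed)["checksum_ok"]


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

If you want integrity against an on-path attacker rather than against line noise, it has to come from a layer above UDP (DTLS, QUIC, or an application-level MAC), which is exactly the "write it into your own application" point made earlier.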
So there is one destination and one source, and the source sends the packet to the destination, and it depends on the protocol that you're using to actually address. So if it's something like TCP/IP, you're using a bidirectional stream, so the blue computer can talk to the red computer and the red computer can talk back to the blue computer, but you can also use a UDP stream, which is like a one-direction stream. I'm not sure if I'm using the correct word, so it's a stream that goes in one direction; I guess I'm driving home the point here. So if it's UDP only blue is talking, and when blue stops talking then red can talk, but if it's TCP/IP, blue and red can talk simultaneously. Now, moving on, there's also broadcast. Broadcast means that you are sending your packet to everybody on the network. So broadcast messages are very common from mobile network providers; many of you get those advertisements saying something like you have a new postpaid plan from Vodafone or another provider. Those are broadcast messages. So it's one server that is sending out one single message to all the other systems. Now, there's also multicast. Multicast is like broadcast but selective. Multicast is used for actually casting your screen to multiple people. So something like screen sharing with multiple people is multicast, because you have the option to not show a particular computer what you are actually sharing. So those are the three modes of addressing: unicast, broadcast and multicast. Okay, now moving on, let's look into the tool that we just used once, for UDP; that is Wireshark. So what exactly is Wireshark? This utility called Wireshark is a packet capture tool, meaning that it grabs data that's either going out or coming in on a specific network, and there are a number of reasons why this may be useful or important. One reason why it's really important is that what's going on in the network is always accurate. In other words,
you can't mess around with things once they're on the network, or lie about something that's actually on the network, as compared with applications and their logs, which can be misleading or inaccurate, or if an attacker gets into an application they may be able to alter the logging. Now, several other behaviors make it difficult to see what's really going on, but on the network you can really see what's going on. Once it hits the wire, it's on the wire, and you can't change that fact. So what we're going to do here is a quick packet capture. So let me just open up Wireshark for you guys. As you guys can see, I already have Wireshark open for us. Let me just remove the CDP filter that was there. So Wireshark is capturing. Let's go over the stuff that you can see on the screen, some important features of Wireshark, so that we can use it later. So what I'm doing here is a quick packet capture, and I'm going to show some of the important features of Wireshark so that we can use it later on when we start to do some more significant work. I select the interface that I'm using primarily, which is my Wi-Fi, and I'm going to go over here and bring up a Google page so that we can see what's happening on the network. So let me just quickly open up a Google page; as you guys can see, it's capturing a bunch of data that's going on here. Opening a Google page sends some data. Let's go back. So it's dropping a whole bunch of stuff onto the network. I'm just going to stop that, go back, and take a look at some of the messages here. So, some of the features of Wireshark, as you can see on the top part of the screen.
There's a window that says number, time, source, destination, protocol, length and info, and those are all of the packets that have been captured, with the numbering starting from 1. The time is relative to the point that we started capturing, and you'll see the source and destination addresses, the protocol, the length of the packet in bytes, and some information about the packet. At the bottom of the screen you'll see detailed information about the packet that has been selected. So suppose I'm selecting this TCP packet out here; we can go through the frame, and the frame also has an interface ID, its encapsulation type and all sorts of information that is there about the frame. Then we can look at the source port, destination port, sequence number, the flags, the checksums; you can basically check everything about a packet, because this is a packet analyzer and a packet sniffer. Now, you'll see some detailed information about the packet that I've selected. So I've selected this TCP/IP packet. We see that in the middle pane it says frame 298. It means that it's the 298th packet, and the packet that was captured is 66 bytes, and we grabbed 66 bytes, which is 528 bits. So what you see out here is the source and destination MAC address, the layer 2 address, and then you can see the IP address of both source and destination, and it says it's a TCP packet and gives us a source port and destination port, and we can start drilling down into different bits of the packet. When I select a particular section of the packet, down at the very bottom you can see what's actually a hex dump of the packet, and on the right-hand side is the ASCII. So this is the hex dump and this is the ASCII that you're looking at. What's really cool about Wireshark is that it really pulls the packet apart into the different layers that we have
spoken about: the different layers of the OSI and the TCP/IP model. The packets are put into different layers, and there are a couple of different models we can talk about, but what Wireshark does really nicely is demonstrate those layers for us. As we can see here, there are actually four layers in this particular packet. We can also do something else here. I've got a Google web request, so what I want to do is filter based on HTTP; let's see if we can do an http filter. What I see here says text input and it's going to get an image, a PNG image; this is a request to get the icon that's displayed in the address bar. You also see something called ARP here, which I'll be talking about very soon. Now that the filtering is done, in the web browser this is a favicon.ico. What I can do here is select Analyze and Follow TCP Stream, and you can see all the requests related to this particular request; it breaks them down very nicely. You can see we've sent some requests to Spotify, because I've been using Spotify to listen to some music, and you can see all sorts of stuff, like this one that went to some "not found" place. Let's take the Spotify one, and you can see that we get a bunch of information from the Spotify packet. You can see the destination and the source: it's an Intel Core machine. The first part of the MAC address, the first few digits, lets you tell what the vendor ID is; Intel has its own vendor ID, so F496 probably tells us that it's an Intel Core. Wireshark does this neat little thing where it tells us, from the MAC address itself, what type of machine you're sending your packets to. So it's coming from a Sophos device and going to an Intel Core, and the type is IPv4. So that was all about Wireshark. You can use it extensively for packet sniffing and packet analysis.
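The layer-by-layer view Wireshark gives in the detail pane, and the hex/ASCII bytes pane, can be reproduced on a raw frame. This is an added example, not code from the video: the 66-byte SYN frame is constructed in `build_sample_frame()`, and `OUI_TABLE` is a constructed stand-in for the IEEE vendor registry Wireshark uses.

```python
"""Pull an Ethernet II / IPv4 / TCP frame apart into its layers, the way the
Wireshark detail pane does, and render the hex + ASCII view of the bytes pane.
Added example, not from the video: the frame and the vendor-prefix table are
constructed here (the table is NOT the real IEEE OUI registry)."""
import struct
from dataclasses import dataclass, field

# Constructed vendor prefixes keyed on the first three bytes of a MAC address.
OUI_TABLE = {"00:11:22": "ExampleVendorA", "aa:bb:cc": "ExampleVendorB"}

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # bit 0 .. bit 5


@dataclass
class Frame:
    length: int
    dst_mac: str
    src_mac: str
    dst_vendor: str
    src_vendor: str
    ethertype: int
    src_ip: str
    dst_ip: str
    ip_proto: int
    src_port: int
    dst_port: int
    seq: int
    flags: list = field(default_factory=list)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def vendor_of(mac: str) -> str:
    # Wireshark resolves the 3-byte prefix against the OUI registry; we use our table.
    return OUI_TABLE.get(mac[:8], "unknown")


def parse_frame(raw: bytes) -> Frame:
    """Layer 2 -> 3 -> 4, raising on anything that is not IPv4 over Ethernet carrying TCP."""
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4            # header length in bytes (low nibble of byte 0)
    proto = ip[9]
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    if proto != 6:
        raise ValueError(f"not TCP: IP protocol {proto}")
    tcp = ip[ihl:]
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if off_flags & (1 << i)]
    dmac, smac = mac_str(dst), mac_str(src)
    return Frame(len(raw), dmac, smac, vendor_of(dmac), vendor_of(smac), ethertype,
                 src_ip, dst_ip, proto, sport, dport, seq, flags)


def hexdump(raw: bytes, width: int = 16) -> list:
    """Offset, hex bytes and printable ASCII per line, like the bottom pane."""
    lines = []
    for off in range(0, len(raw), width):
        chunk = raw[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3 - 1}}  {ascii_part}")
    return lines


def build_sample_frame() -> bytes:
    """Constructed 66-byte TCP SYN to port 443: 14 (Ethernet) + 20 (IPv4) + 32 (TCP)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff") + b"\x08\x00"
    # TCP: sport, dport, seq, ack, data offset 8 words + SYN flag, window, checksum, urgent
    tcp = struct.pack("!HHIIHHHH", 52000, 443, 1000, 0, (8 << 12) | 0x02, 65535, 0, 0)
    tcp += bytes.fromhex("020405b4") + bytes.fromhex("01030307") + bytes.fromhex("01010402")
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, proto 6, checksum (left 0),
    # source 192.168.1.10, destination 203.0.113.5 (documentation range)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return eth + ip + tcp


if __name__ == "__main__":
    frame = build_sample_frame()
    print(parse_frame(frame))
    print("\n".join(hexdump(frame)))
```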
Packet analysis comes in very handy when you're trying to figure out how to do things like IDS evasion, where you want to craft your own packets and analyze the packets going into the IDS system to see which packets are actually getting detected as an intrusion, so that you can craft your packets in a way that doesn't get detected by the IDS. So this is a very nifty little tool. We'll be talking about how you can craft your own packets in a little while, but for now let's move ahead. Okay. So now that we're done with our small introduction and a brief overview of Wireshark, let's move on to the next topic for the video, which is DHCP. DHCP is a protocol, and it stands for Dynamic Host Configuration Protocol. DHCP is a network management protocol used to dynamically assign an Internet Protocol address to any device on the network so that it can communicate using IP. DHCP automates and centrally manages these configurations rather than requiring a network administrator to manually assign IP addresses to all the network devices. DHCP can be implemented on small local networks as well as in large enterprises. DHCP will assign new IP addresses in each location when devices are moved from place to place, which means network administrators do not have to manually configure each device with a valid IP address; if a device with an IP address is moved to a new location on the network, it doesn't need any sort of reconfiguration. Versions of DHCP are available for use with Internet Protocol version 4 and Internet Protocol version 6. What you see on your screen is a very simplistic diagram of how DHCP works, so let me run you through it. DHCP runs at the application layer of the TCP/IP protocol stack to dynamically assign IP addresses to DHCP clients and to allocate TCP/IP configuration information to DHCP clients.
This includes subnet mask information, default gateway IP addresses and Domain Name System addresses. DHCP is a client-server protocol in which servers manage a pool of unique IP addresses as well as information about client configuration parameters, and assign addresses out of those address pools. DHCP-enabled clients send a request to the DHCP server whenever they connect to a network: clients configured with DHCP broadcast a request to the DHCP server asking for network information for the local network to which they are attached. A client typically broadcasts a query for this information immediately after booting up. The DHCP server responds to the client request by providing IP configuration information previously specified by a network administrator. This includes a specific IP address as well as the time period, also called the lease, for which the allocation is valid. When refreshing an assignment, a DHCP client requests the same parameters, but the DHCP server may assign a new IP address based on the policies set by the administrator. A DHCP server manages a record of all the IP addresses it allocates to network nodes. If a node is relocated in the network, the server identifies it using its Media Access Control address, which prevents accidentally configuring multiple devices with the same IP address. DHCP is not a routable protocol, nor is it a secure one. DHCP is limited to a specific local area network, which means a single DHCP server per LAN is adequate. Larger networks may have a wide area network containing multiple individual locations; depending on the connections between these points and the number of clients in each location, multiple DHCP servers can be set up to handle the distribution of addresses. If network administrators want a DHCP server to provide addressing to multiple subnets on a given network,
they must configure DHCP relay services on the interconnecting routers that DHCP requests have to cross; these relay agents pass messages between DHCP clients and servers. DHCP also lacks any built-in mechanism that would allow clients and servers to authenticate each other, so both are vulnerable to deception and to attacks in which rogue clients can exhaust a DHCP server's pool. Okay, let's move on to our next topic, which is why we use DHCP. I just told you that DHCP doesn't really have any sort of authentication, so it can be fooled quite easily. So what are the advantages of using DHCP? DHCP offers quite a lot of advantages. First is IP address management: a primary advantage of DHCP is easier management of IP addresses in a network. Without DHCP you must manually assign IP addresses, you must be careful to assign unique IP addresses to each client, and you must configure each client individually; if a client moves to a different network, you must make modifications for that client. When DHCP is enabled, the DHCP server manages the assignment of IP addresses without the administrator's intervention, and clients can move to other subnets without manual reconfiguration, because they obtain from a DHCP server the new client information appropriate for the new network. Apart from that, DHCP also provides centralized network client configuration. It has support for BOOTP clients, it supports local clients and remote clients, it supports network booting, and it has support for large networks, not only small-scale networks but larger ones as well. So, as you can see, DHCP has a wide array of advantages even though it doesn't really have authentication, and because of these advantages DHCP finds widespread use in a lot of organizations. Okay, so that wraps up DHCP for us. Let's go into the history of cryptography now.
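Before moving on, the server-side behaviour described in the DHCP section (a pool of addresses, leases recorded by MAC address, lease expiry and renewal, and an exhausted pool offering nothing) as an added simulation, not code from the video; the subnet, MAC addresses and clock are constructed and no packets are sent.

```python
"""Simulate the server side of the DHCP exchange: an address pool, leases recorded by
client MAC address, lease expiry and renewal, and what happens when the pool is
exhausted. Added example, not from the video; the subnet, MACs and clock are
constructed and no packets are sent."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Lease:
    ip: str
    mac: str
    expires_at: int  # seconds on the simulated clock


class DhcpServer:
    def __init__(self, network: str, gateway: str, dns: str, lease_seconds: int):
        net = ipaddress.ip_network(network)
        self.free = [str(h) for h in net.hosts() if str(h) != gateway]
        self.lease_seconds = lease_seconds
        # The configuration handed out with every address (the TCP/IP information).
        self.config = {"subnet_mask": str(net.netmask), "gateway": gateway, "dns": dns}
        self.leases: dict = {}  # mac -> Lease: the server's record of allocations

    def expire(self, now: int) -> None:
        """Return addresses whose lease has run out to the pool."""
        for mac, lease in list(self.leases.items()):
            if lease.expires_at <= now:
                del self.leases[mac]
                self.free.append(lease.ip)

    def discover(self, mac: str, now: int) -> Optional[str]:
        """DHCPDISCOVER -> address offered (DHCPOFFER), or None if the pool is empty.
        A client the server already knows by MAC is offered its existing address."""
        self.expire(now)
        if mac in self.leases:
            return self.leases[mac].ip
        return self.free[0] if self.free else None

    def request(self, mac: str, ip: str, now: int) -> Optional[dict]:
        """DHCPREQUEST -> full configuration (DHCPACK), or None (DHCPNAK)."""
        self.expire(now)
        current = self.leases.get(mac)
        if current is not None and current.ip == ip:
            current.expires_at = now + self.lease_seconds  # renewal keeps the same address
        elif current is None and ip in self.free:
            self.free.remove(ip)
            self.leases[mac] = Lease(ip, mac, now + self.lease_seconds)
        else:
            return None  # address not free, or client asked for a different one
        return {"ip": ip, "lease_seconds": self.lease_seconds, **self.config}

    def utilisation(self) -> float:
        """Fraction of the pool leased; a sudden jump to 1.0 is the exhaustion symptom."""
        return len(self.leases) / (len(self.free) + len(self.leases))
```

Watching `utilisation()` climb to 1.0 while new MAC addresses keep arriving is the server-side signal that the pool is being exhausted, since the protocol itself cannot tell a rogue client from a real one.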
Let me give you a brief history of cryptography. Cryptography actually goes back several thousand years: shortly after people began to find ways to communicate, there were some who were finding ways to make that communication difficult to understand, so that other people couldn't tell what was going on. This led to the development of the Caesar cipher, developed by Julius Caesar. It's a simple rotation cipher, and by that I mean that you rotate the alphabet by the key in order to generate the algorithm. Here's an example. We've got two rows of letters in alphabetical order; we basically write the alphabet down, and the second row is shifted by three letters. So each letter in the first row is replaced by the letter three positions along in the second row, and to decrypt you shift back the other way. That's an example of how encryption works. If you try to encrypt a word like hello, it would look like complete gibberish after it came out of the algorithm; if you count the letters out you can see that the letter H gets translated to K and the letter L to O. So that's a Caesar cipher. Now you must have heard of things like ROT13, which means you rotate by 13 letters instead of three. That's what we can do here again, and it's still just a simple rotation cipher; that's of course what the ROT stands for, rotate or rotation. Now coming forward a couple of thousand years, we have the Enigma cipher. It's important to note that Enigma is not the name given to this particular cipher by the people who developed it; it's actually the name given to it by the people who were trying to crack it. The Enigma cipher is a German cipher: they developed this cipher and a machine that was capable of encrypting and decrypting messages,
so they could send messages to and from different battlefields and war fronts. That's similar to the Caesar cipher: Caesar used it to communicate with his battlefield generals, and it was the same thing with the Germans. You've got to get messages from headquarters down to where the people are actually fighting, and you don't want them intercepted in between by the enemy, so you use encryption. Lots of energy was spent by the Allies, and in particular the British, trying to decrypt the messages. It's one of the first instances that we are aware of where a machine was used to do the actual encryption. Now we're going to come ahead a few decades, into the 1970s, when it was felt that there was a need for a digital encryption standard. The National Institute of Standards and Technology is responsible for that sort of thing, so they put out a proposal for this digital encryption standard and an encryption algorithm. What ended up happening was that IBM came up with an encryption algorithm based on the Lucifer cipher, which one of their people had been working on a couple of years previously, in 1974. They put this proposal together based on the Lucifer cipher, and in 1977 that proposal for an encryption algorithm was the one chosen to be the Digital Encryption Standard, and so it came to be known as DES. Over time it became apparent that there was a problem with it: it only had a 56-bit key size, and while in the 1970s that was considered adequate to defend against brute forcing and breaking, by the 1990s it was no longer considered adequate and there was a need for something more. It took time to develop something that would last for a long period, so in the meantime a stopgap was developed, and this stopgap is what we call Triple DES. The reason it's called Triple DES is that you apply the DES algorithm three times in different ways, and you use three different keys to do that.
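Going back to the Caesar cipher described a moment ago: the two-row table, the shift-by-three encryption of "hello", ROT13 as the same cipher with a shift of 13, and the reason a rotation cipher is only a teaching exercise (there are just 25 possible shifts to try). This is an added example, not code from the video.

```python
"""The two-row rotation table, Caesar encryption/decryption, ROT13, and the whole
25-shift keyspace. Added example, not from the video."""
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase


def shifted_alphabet(shift: int) -> str:
    """The second row of the table: the alphabet rotated by `shift` positions."""
    shift %= 26
    return UPPER[shift:] + UPPER[:shift]


def caesar(text: str, shift: int) -> str:
    """Rotate every letter by `shift`; other characters pass through unchanged."""
    table_upper = shifted_alphabet(shift)
    table_lower = table_upper.lower()
    out = []
    for ch in text:
        if ch in UPPER:
            out.append(table_upper[UPPER.index(ch)])   # first row -> second row
        elif ch in LOWER:
            out.append(table_lower[LOWER.index(ch)])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(text: str, shift: int) -> str:
    """Shift back the other way."""
    return caesar(text, -shift)


def rot13(text: str) -> str:
    """Shift of 13: applying it twice gives the original back (13 + 13 = 26)."""
    return caesar(text, 13)


def brute_force(ciphertext: str) -> dict:
    """Every candidate plaintext; the English one stands out by eye. Only 25 exist."""
    return {shift: caesar_decrypt(ciphertext, shift) for shift in range(1, 26)}


if __name__ == "__main__":
    print(UPPER)
    print(shifted_alphabet(3))
    print(caesar("hello", 3), "->", caesar_decrypt(caesar("hello", 3), 3))
```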
Here's how Triple DES works. Your first 56-bit key is used to encrypt the plaintext, just as you would with the standard DES algorithm; but then things change, and you take the ciphertext returned from the first round of encryption and apply the decryption algorithm to that ciphertext. The key thing to note is that you don't use the key that you used to encrypt: you don't use the first key to decrypt, because otherwise you'd get the plaintext back. Instead, you use a second key with the decryption algorithm against the ciphertext from the first round. So now you've got some ciphertext that has been encrypted with one key and decrypted with a second key; we take the ciphertext from that and apply a third key, using the encryption portion of the algorithm on that ciphertext, to receive a whole new ciphertext. Obviously, to do the decryption you go in reverse: with the third key you decrypt, with the second key you encrypt, and then with the first key you decrypt. So you use the reverse order and the reverse algorithm at each step to undo Triple DES. We get an effective key size of about 168 bits, but it's still only one 64-bit block at a time. Now, I said Triple DES was only a stopgap. What we were really looking for was the Advanced Encryption Standard. Once again NIST requested proposals so that they could replace the Digital Encryption Standard, and in 2001, after several years of looking for algorithms, looking them over, getting them evaluated and looked into, NIST selected an algorithm that was put together by a couple of mathematicians. The algorithm was called Rijndael, and that became the Advanced Encryption Standard, or AES. One of the main advantages of AES is that it supports multiple key lengths. Currently what you'll typically see is AES being used with 128-bit keys; however, AES supports up to 256-bit keys.
So if we get to the point where 128 bits isn't enough, we can move all the way up to 256 bits of keying material. So cryptography has a really long history. Currently we are in a state where we have a reasonably stable encryption standard in AES, but the history of cryptography shows that with every encryption scheme, eventually people find a way to crack it. Okay, so that was a brief history of cryptography. What I want to do now is go over AES, Triple DES and DES in themselves, because they are some really key historic moments in the history of cryptography. We're going to talk about the different types of cryptographic ciphers, and primarily we're going to be talking about DES, Triple DES and AES. DES is the Digital Encryption Standard. It was developed by IBM in the 1970s, and originally it was a cipher named Lucifer; after some modifications IBM proposed it as the Digital Encryption Standard, it was selected as the Digital Encryption Standard, and ever since then it's been known as DES. One thing that caused a little bit of controversy was that during the process of selection the NSA requested some changes, and it hasn't been particularly clear what changes were requested by the NSA. There has been some speculation that wondered whether the NSA was requesting a back door into the Digital Encryption Standard which would allow them to look at encrypted messages in the clear; basically, it would always give the NSA the ability to decrypt DES-encrypted messages. It remained the encryption standard for the next couple of decades or so. So what is DES and how does it work? Basically, it uses 56-bit keys, and rather than a stream cipher,
it's a block cipher, and it uses 64-bit blocks. In 1998 DES was effectively broken when a DES-encrypted message was cracked in three days, and a year later a network of ten thousand systems around the world cracked a DES-encrypted message in less than a day, and it's just gotten worse since then, with modern computing power being what it is. Since DES was created we have come to the realization that we needed something else, so along came Triple DES. Now, Triple DES isn't necessarily three times the strength of DES; it applies DES three times, and what I mean by that is this. We take a plaintext message, let's call that P, and we're going to use a key called K1 to encrypt the message; that's going to result in ciphertext that we'll call C1, so C1 is the output of the first round of encryption. We're then going to apply a second key, K2, and with that second key we go through a decryption process on C1. Since it's the wrong key we're not going to get plaintext out; what we get is another round of ciphertext, which we'll call C2. With C2 we apply a third key, K3, and encrypt ciphertext C2, and that results in another ciphertext, which we'll call C3. So we have three different keys applied in two different ways: with K1 and K3 we do a round of encryption, and with K2 we do a round of decryption. It's an encrypt-decrypt-encrypt process with separate keys. While that doesn't really yield a full 168-bit key, the three rounds of encryption yield an effective key size of 168 bits, because you have to find three 56-bit keys. Speaking of the technical details of Triple DES: we're still using the DES block cipher with 56-bit keys,
but since we've got three different keys, we get an effective length of around 168 bits. Triple DES was really just a stopgap measure: we knew that if DES could be broken, Triple DES would surely be broken too with just some more time. So NIST was trying to request a standard; that was in 1999, and in 2001 NIST published an algorithm called AES. This algorithm, originally called Rijndael, was published by NIST as the Advanced Encryption Standard. Some technical specifications about AES: the original Rijndael algorithm specified variable block sizes and key lengths, as long as those block sizes and key lengths were multiples of 32 bits, so 32, 64, 96 and so on; you could use those block sizes and key lengths. When AES was published, it specified a fixed 128-bit block size and key lengths of 128, 192 and 256 bits. So with AES we've got three different key lengths but one block size, and that's a little bit of detail about DES, Triple DES and AES. We'll use some of these when doing some hands-on work in a subsequent part of this video. Okay. So now that I've given you a brief history of how we have reached the encryption standard that we're following today, the Advanced Encryption Standard, let's go ahead and talk a little bit more about DES, Triple DES and AES. DES is the Digital Encryption Standard. It was developed by IBM in the 1970s, and originally it was a cipher named Lucifer; after some modifications IBM proposed it as the Digital Encryption Standard.
It was selected to be the Digital Encryption Standard, and ever since then it's been known as DES. One thing that caused a little bit of controversy was that during the process of selection the NSA requested some changes, and it hasn't been particularly clear what changes were requested by the NSA. There has been some sort of speculation that wondered whether the NSA was requesting a back door into the Digital Encryption Standard which would allow them to look at encrypted messages in the clear; basically, it would always give the NSA the ability to decrypt DES-encrypted messages. DES remained the standard for encryption for the next couple of decades. So what does it do and how does it work? Basically, it uses a 56-bit key, and rather than a stream cipher it's a block cipher, and it uses 64-bit blocks. In 1998 DES was effectively broken when a DES-encrypted message was cracked in three days, and then a year later a network of 10,000 systems around the world cracked a DES-encrypted message in less than a day, and it's just gotten worse since then, with modern computing being what it is today. Since DES was created and broken we knew we needed something, and what came in between DES and the Advanced Encryption Standard was Triple DES. Triple DES isn't necessarily three times the strength of DES; it's really DES applied three times, and what I mean by that is this. We take a plaintext message, let's call that P, and we're going to use a key called K1 to encrypt the message, and that's going to result in ciphertext one, which we'll call C1. C1 is the output of the first round of encryption, and we're going to apply a second key called K2; with that second key we go through a decryption process on C1. Now since it's the wrong key we are
not going to get the plaintext out of the decryption process; on the other end we get another round of ciphertext, which we'll call C2. With C2 we apply a third key, K3, and encrypt ciphertext C2, which results in ciphertext C3. So we have three different keys applied in two different ways: with K1 and K3 we do a round of encryption, and with K2 we do a round of decryption. It's basically an encrypt-decrypt-encrypt process with three separate keys. But it doesn't really yield a 168-bit key size, because in effect it's still 56-bit keys that are being used, just three different ones. So in effect you could say that it's a 168-bit key, but it is not the same strength, because people realize that Triple DES can be broken if DES is broken: you can do the same thing three times, whatever keys are used; it just takes a longer time to decrypt if you don't know the keys and you are just using a brute-force attack. So you know that Triple DES can be broken if DES can be broken. Triple DES was literally a stopgap between DES and AES, because people knew that we needed something more than Triple DES, and for this NIST, the National Institute of Standards and Technology, in 2001 chose AES, the algorithm that is now called the Advanced Encryption Standard. It was originally called the Rijndael algorithm. The main difference between the Rijndael algorithm and the Advanced Encryption Standard is that Rijndael specifically states in its papers that it has a variable block size and a variable key size, as long as they are multiples of 32, so 32, 64, 96 and so on. What AES does differently is that it gives you one block size, which is 128 bits, and three different key sizes, which are 128, 192 and 256.
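The encrypt-decrypt-encrypt construction walked through twice above (C1 = E_K1(P), C2 = D_K2(C1), C3 = E_K3(C2), undone in reverse order with the reverse operation at each step) in runnable form, as an added example that is not code from the video. DES itself is not implemented here: `ToyBlockCipher` is a constructed 16-round Feistel network with DES-shaped parameters (64-bit block, 56-bit key) so the EDE structure, and the fact that setting K1 = K2 = K3 collapses it to single encryption, can be shown in a few lines.

```python
"""Encrypt-decrypt-encrypt with three keys, as described for Triple DES, and the
reverse order (decrypt with K3, encrypt with K2, decrypt with K1) to undo it.
Added example, not from the video. The block cipher is a constructed toy Feistel
network standing in for DES; do not use any of this to protect data."""
import hashlib

BLOCK = 8      # 64-bit block
KEY_LEN = 7    # 56-bit key
ROUNDS = 16


def _subkeys(key: bytes) -> list:
    if len(key) != KEY_LEN:
        raise ValueError("key must be 56 bits (7 bytes)")
    return [hashlib.sha256(key + bytes([i])).digest()[:8] for i in range(ROUNDS)]


def _f(right: int, subkey: bytes) -> int:
    # Keyed round function; the hash stands in for DES's S-box/permutation machinery.
    return int.from_bytes(hashlib.sha256(subkey + right.to_bytes(4, "big")).digest()[:4], "big")


def _feistel(block: bytes, subkeys: list) -> bytes:
    if len(block) != BLOCK:
        raise ValueError("block must be 64 bits (8 bytes)")
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for sk in subkeys:
        left, right = right, left ^ _f(right, sk)
    # Final swap so that running the network with reversed subkeys inverts it.
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def toy_encrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, _subkeys(key))


def toy_decrypt(block: bytes, key: bytes) -> bytes:
    return _feistel(block, _subkeys(key)[::-1])


def ede_encrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """C1 = E_K1(P); C2 = D_K2(C1); C3 = E_K3(C2)."""
    c1 = toy_encrypt(block, k1)
    c2 = toy_decrypt(c1, k2)      # wrong key on purpose: yields more ciphertext, not P
    return toy_encrypt(c2, k3)


def ede_decrypt(block: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Reverse order and reverse operation at each step: D_K1(E_K2(D_K3(C3)))."""
    c2 = toy_decrypt(block, k3)
    c1 = toy_encrypt(c2, k2)
    return toy_decrypt(c1, k1)


def pad(data: bytes) -> bytes:
    """Fill the last block up to 64 bits (PKCS#7 style); a full block gets a whole pad block."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ede_encrypt_message(msg: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    """Pad, then run EDE block by block (ECB here purely for illustration)."""
    data = pad(msg)
    return b"".join(ede_encrypt(data[i:i + BLOCK], k1, k2, k3)
                    for i in range(0, len(data), BLOCK))


def ede_decrypt_message(ct: bytes, k1: bytes, k2: bytes, k3: bytes) -> bytes:
    pt = b"".join(ede_decrypt(ct[i:i + BLOCK], k1, k2, k3)
                  for i in range(0, len(ct), BLOCK))
    return unpad(pt)
```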
So with AES there are three different key lengths but one block size. Okay, that was a little bit more information on AES, DES and Triple DES, and we are going to be using this information in some subsequent lessons. Now moving on. So now that we've discussed the history of cryptography and the more important cryptographic algorithms, let's discuss the different types of cryptography. The first type of cryptography I'm going to talk about is symmetric cryptography, and by symmetric cryptography I mean the key is the same for encrypting and decrypting: I use the same key whether I am encrypting the data or decrypting the data. Some things about symmetric key cryptography: it uses a shorter key length than asymmetric cryptography, which I'll get into in a couple of minutes; it's also faster than asymmetric; and you can use algorithms like DES or AES, as both are symmetric key cryptography algorithms, and a utility like AESCrypt. Let me demonstrate how symmetric key cryptography works. For this we can use a tool called AESCrypt. AESCrypt is available for Linux, Windows and Mac, all the systems; I'm using it on Windows, and I'm using the console version. First of all, I have a text file called text.txt, so let me show that to you. As you can see I have this file called text.txt; let me show you what text.txt contains. As you can see it has a sentence, "The quick brown fox jumped over the lazy dog", which is the sentence that has all the letters of the English alphabet. Now we are going to try and encrypt it. We could use something like DES or AES, because both of them are symmetric key ciphers, symmetric key algorithms rather, but we are using AES in this case. So what we're going to do is run aescrypt, tell it to encrypt, and give it a password of, let's say, Pokemon.
We're going to call it Pokémon, and then we give it text.txt; we're going to encrypt that file. So now we have encrypted that file. Let's go and see; we should have a new file. This one is called text.txt.aes, so that is our encrypted file, and this is what we would generally send over the network if we were sending it to anybody. Let's assume the person who receives it also knows our encryption algorithm and the key that goes along with it. So let's try to decrypt it now. Before I decrypt it, let me show you what an encrypted message looks like. This is what the ciphertext looks like, so text.txt.aes. As you can see, the Windows console can't display it properly, but if I go into the file with Notepad++ you'll see that it's a bunch of garbage; you really can't make out anything of what's in there, and we can't really decipher much. So that's the point of using encryption. Now, to decrypt it, all you have to do is run aescrypt, tell it to decrypt, give it the password, which was Pokémon, and decrypt text.txt.aes. Let's dir again. Okay, so that just decrypts our message for us. So this is how you would use AESCrypt for encryption and decryption, and that's how you would use symmetric key encryption to encrypt a file. For this example, symmetric key encryption uses either a stream cipher or a block cipher. The difference between stream and block ciphers is that a block cipher takes a block of bits at a time, and it's a fixed length, for example 64 bits: if I were to use a block cipher with 64 bits, I would need to take in 64 bits before I could start encrypting, and if I didn't have 64 bits to encrypt I would have to fill it with padding in order to get up to 64 bits. A stream cipher, on the other hand, will encrypt a bit at a time,
so it doesn't matter how many bits you've got; you don't need to have some multiple of the block length in order to encrypt without padding. Another type of cryptography is asymmetric. Asymmetric, as you would expect, uses two different keys, and that's where we have a public key and a private key. Asymmetric key cryptography uses a longer key length and also needs more computation, and the encryption process is slower with asymmetric key encryption than with symmetric key encryption. One use for asymmetric keys is signing documents or emails, for example: I would have the private key sign something, and the public key would be used to verify the signature. Another reason for using asymmetric key encryption is to ensure that you got it from who actually sent it; since you've got two keys, you always know who the other end of the equation is, whereas with a symmetric key there's just one key, and if you can intercept the key you can decrypt and also encrypt messages. So if somebody can figure out the key, they can break into a communication stream that uses symmetric key encryption. Asymmetric gives you the advantage of ensuring that the other end is who the other end says they are, since they're the only ones who should have the private key. In practice, however, hybrid encryption models tend to be used, and that's where you use symmetric encryption for the data and asymmetric encryption for the session keys: basically you encrypt the message that you are sending using symmetric key encryption, and then when exchanging the key with somebody else you use asymmetric key encryption. This is going to be a slower process, so you probably won't want to use it for larger files. Fortunately, the file in my example is a small one. So I'm going to try and generate a key right now. For this we have to head over to our Ubuntu system. So let's see.
Let me show you how public key encryption actually works. We are going to first create a key, so let me clear this out for you. First of all, let's create a file and call it text.txt. We are going to edit text.txt to have some text in it. There seems to be a Gdk warning from the editor, so I'll just use echo instead. Now let's see if that is in our file. Okay. So let me show you how asymmetric key encryption, or public key cryptography, works. First of all we need a text file, so let me see, do we have a text file? There's a text.txt, so let's see what it says: "this is a random text file". Now, what we want to do is create the key pair, and I'm going to use openssl for this. So we run openssl with genrsa, since we're generating an RSA key; we're going to use -des3 to protect it, and we're going to output it into a file called private.key, and we're also going to use 4096 bits. So this is going to be our private key: this will create a private key using the RSA algorithm, so let it work its way out. First of all it's asking me for the passphrase, since you can protect your keys with a passphrase, so I'm just going to use my name. Okay, so now if we ls we have a private key, I guess. Yep, so we have this private key. Now, using this private key we are going to generate a public key. For this I'm again going to be using OpenSSL, and OpenSSL is Unix-based, so you will need a Unix system. So you go rsautl, that's the RSA utility, and what we want to do is encrypt, and we want the public key in -inkey... I'm sorry guys, I got ahead of myself. First of all we need to generate the public key, and for that we use the private key.
So we give the private key as the argument after the -in flag, so -in private.key, and we are trying to get out a public key, so -pubout, and we're going to call it public.key. Okay, there seems to be... okay, I messed it up a little: I forgot to give the output, so you go -out and then public.key. Now it's asking me for the passphrase, and then it's writing the RSA key, and since the password was correct we have a public key too. So if you see, now we have a public key and a private key. Now we are going to encrypt our file using the public key. So we go openssl rsautl -encrypt, and we give -pubin, so we are going to use the public key, and we want to give text.txt as the file to be encrypted, so -in text.txt, and what we want to output is an encrypted file, so -out encrypted.txt. Okay, I typed openssl wrong; I need to go and edit that. Yeah, so that makes it a correct command, and now we have an encrypted file. Let's ls, and yep, encrypted.txt. If you just cat that out we see it's a bunch of garbage, and we really can't read it unless we decrypt it. For decrypting, all we have to do is again use openssl. Let's clear this out first: openssl, and we are going to be using the RSA utility again, so rsautl. We're going to decrypt this time, so we go with the -decrypt flag, then we give -inkey, and that is going to be the private key, and what we want to decrypt is encrypted.txt, so -in encrypted.txt, and what we want to output it as is, let's say, -out plaintext.txt. So it's going to ask me for my passphrase, which is my name; I've entered the passphrase, and now we have a plaintext.txt. If we ls we see that we have a plaintext.txt here alongside the other files. Let me just cat that out: plaintext.txt says "this is a random text file", and if you go up we see that the encrypted version was a bunch of garbage, and before that it was a random text file.
Now, you can also run this command called diff: diff plaintext.txt text.txt. So this gives you the difference in the text strings. So it's zero, so that's the difference it gives you. So both files are the same, and that's how public key cryptography works and how asymmetric key cryptography works. Okay. Now, moving ahead from cryptography, let's talk about certificates. Okay. So now that we're done with cryptography, let's talk about digital certificates. So what is a digital certificate? Well, a digital certificate is an electronic password that allows a person or organization to exchange data securely over the internet using public key infrastructure. So a digital certificate is also known as a public key certificate or an identity certificate. Now, digital certificates are a means by which consumers and businesses can utilize the security applications of public key infrastructure. Public key infrastructure comprises the technology to enable and secure e-commerce and internet-based communication. So what kind of security does a certificate provide? So firstly, it provides identification and authentication: the persons or entities with whom we are communicating are really who they say they are, so that is proved by certificates. Then we have confidentiality: information within a message or transaction is kept confidential. It may only be read and understood by the intended sender. Then there's integrity; there's non-repudiation: the sender cannot deny sending the message or transaction to the receiver. We'll really get to non-repudiation, and I'll explain how non-repudiation comes into digital certificates. So digital certificates are actually issued by authorities who make it their business to actually certify people and their organizations with digital certificates. Now, you can see these on Google Chrome. Let me just open Chrome for you guys, and you can see it out here.
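The whole demo above (key generation, public key extraction, encrypt, decrypt, compare) as one non-interactive script; this is an added example, not the instructor's commands. It assumes openssl and coreutils are installed, uses a constructed passphrase instead of the interactive prompt, and uses openssl pkeyutl in place of rsautl (which OpenSSL 3 deprecates); it also shows two limits of raw RSA that the demo does not: randomized ciphertext and the message size cap.

```shell
#!/bin/sh
# Added example, not the video's own commands.
# Assumptions: openssl + coreutils present; file names and the passphrase
# "demo-passphrase" are constructed for this demo.

rsa_roundtrip() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    pass="demo-passphrase"

    # 1. The text file to protect (constructed sample, same content as the demo).
    echo "this is a random text file" > text.txt

    # 2. Generate an RSA private key, protected with a passphrase.
    #    The video uses -des3; -aes256 does the same job with a modern cipher.
    #    2048 bits keeps the demo fast (the video uses 4096).
    openssl genrsa -aes256 -passout "pass:$pass" -out private.key 2048 2>/dev/null || return 1

    # 3. Derive the public key from the private key (needs the passphrase).
    openssl rsa -in private.key -passin "pass:$pass" -pubout -out public.key 2>/dev/null || return 1

    # 4. Encrypt with the PUBLIC key: anyone holding public.key can do this.
    openssl pkeyutl -encrypt -pubin -inkey public.key -in text.txt -out encrypted.bin || return 1

    # 5. Decrypt with the PRIVATE key (plus passphrase): only the key holder can.
    openssl pkeyutl -decrypt -inkey private.key -passin "pass:$pass" \
        -in encrypted.bin -out plaintext.txt || return 1

    # 6. The video's final check, with cmp instead of diff: files must match.
    cmp -s text.txt plaintext.txt || return 1

    # 7a. Caveat: encrypting the same file twice yields different ciphertext,
    #     because RSA padding adds randomness. Equal ciphertexts would be a bug.
    openssl pkeyutl -encrypt -pubin -inkey public.key -in text.txt -out encrypted2.bin || return 1
    cmp -s encrypted.bin encrypted2.bin && return 1

    # 7b. Caveat: raw RSA only fits a message smaller than the modulus minus
    #     padding (2048 bits = 256 bytes, ~245 usable). A 300-byte input must
    #     fail; real systems wrap a symmetric key with RSA and encrypt the
    #     data with that key.
    head -c 300 /dev/zero > big.bin
    if openssl pkeyutl -encrypt -pubin -inkey public.key -in big.bin -out /dev/null 2>/dev/null; then
        return 1
    fi

    cd / && rm -rf "$work"
    echo ok
}

rsa_roundtrip
```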
You can see certificates, and you can go into the issuer statement, and you can go and do all sorts of stuff, so you can see it's issued by Let's Encrypt Authority X3. So that's an issuing authority for digital certificates. Now, that was all about the theory of certificates. Let's go and see how you can create one. To create a digital certificate, we are going to be using the openssl tool again. So first of all, let me show you how to create a certificate. So we are going to be using the openssl tool for that. So first of all, let me clear the screen out. So in this case, I'm going to generate a certificate authority certificate. So I'm doing an RSA key here to use inside the certificate. So first of all, I need to generate a private key. So to do that, as I had just showed you guys, we can use the openssl tool: you go openssl genrsa, and we're going to use -des3, then -out, and let's call it ca.key, and we're going to use 4096 bits. So I'm doing an RSA key here to use inside the certificate, so I'm generating a private key, and the private key is used as a part of the certificate, and there's a public key associated with the certificate. So you've got a public and private key, and data gets encrypted with the public key and then gets decrypted with the private key. So they are mathematically linked, the public and private key, because you need one for one end of the communication and the other for the other end of the communication, and they have to be linked so that the data that gets encrypted with one key has to be decrypted with the other key. So this is asking for a passphrase, and so I'm going to be giving my name as the passphrase, so that has generated the key for us. So now I'm going to generate the certificate itself. So I'm going to be using the openssl utility. So first of all, you say openssl req, so it will be a new request, -new, and it's going to be an x509 request, -x509, and it's going to be valid for 365 days, -days 365.
And let's see, the key is going to be ca.key, and we're going to output it into ca, or let's call it edureka.crt, so this is a certificate that I'm producing in the name of the company that I'm working for. So that is Edureka. So it says it's unable to load the private key. Let me just see if the private key exists. I had a previous private key. So let me just remove that. That doesn't have a ca.key; seems like I put the name differently. So let me just try that again: openssl, and we do req, so we are requesting a new certificate, and it's going to be x509, and it's going to be there for 365 days, and the key is ca.key, apparently that's what it's called out here, and it's going to be output into edureka.crt. So let's enter the passphrase. So it's my name. So now it's going to ask me a bunch of information that's going to be inside the certificate. So let's say it's asking the country name, so let's put IN. State or province name: some state. So Bangalore. Locality, let's say Whitefield. Organization name is Edureka, unit name Brain4ce, common name, let's leave that out, email address, let's leave that out too, and we have a certificate. So if you go and list all your files, you'll see that there is a certificate called edureka.crt out here, which is highlighted. Okay. So now if you want to view this file, you could always use the openssl utility, so you say you want to read an x509 certificate, -in, and you want it as text, -text, and what you want to see is edureka.crt. Okay, so that is the certificate. So you see that it has the signature, it has the signature algorithm, it has all the information about the certificate, and it says the issuer is C=IN, state Bangalore, location Whitefield, Edureka, Brain4ce. It has all sorts of information. So that was all about digital certificates: who issues digital certificates, and where are they useful?
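The certificate walkthrough above as a script that answers the prompts with -subj instead of typing them in; this is an added example, not the instructor's commands. It assumes openssl is installed, uses the same subject fields the video entered plus a constructed passphrase, and adds the check the video only describes for browsers: a certificate that this CA did not sign fails verification against it.

```shell
#!/bin/sh
# Added example, not the video's own commands.
# Assumptions: openssl present; passphrase "demo-passphrase" and file names
# are constructed for this demo; the subject fields mirror the video's prompts.

make_ca_cert() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    pass="demo-passphrase"

    # 1. The CA's private key (the video: openssl genrsa -des3 -out ca.key 4096).
    openssl genrsa -aes256 -passout "pass:$pass" -out ca.key 2048 2>/dev/null || return 1

    # 2. Self-signed X.509 certificate valid 365 days. -subj supplies the
    #    country/state/locality/organization the video typed interactively.
    openssl req -new -x509 -days 365 -key ca.key -passin "pass:$pass" \
        -subj "/C=IN/ST=Bangalore/L=Whitefield/O=Edureka" \
        -out edureka.crt 2>/dev/null || return 1

    # 3. Inspect it (the video uses -text; -subject/-issuer pick out two fields).
    subj=$(openssl x509 -in edureka.crt -noout -subject) || return 1
    iss=$(openssl x509 -in edureka.crt -noout -issuer) || return 1
    # Self-signed means subject and issuer are the same entity.
    [ "${subj#subject=}" = "${iss#issuer=}" ] || return 1

    # 4. A certificate verifies when the signing CA is in the trust store.
    #    Here the CA certificate is its own trust anchor, so this succeeds.
    openssl verify -CAfile edureka.crt edureka.crt >/dev/null 2>&1 || return 1

    # 5. The browser-warning case: a certificate from an unknown issuer.
    #    A second self-signed certificate (constructed "rogue" cert) must NOT
    #    verify against edureka.crt as the trust anchor.
    openssl genrsa -out other.key 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 365 -key other.key \
        -subj "/C=IN/O=Untrusted Example" -out other.crt 2>/dev/null || return 1
    if openssl verify -CAfile edureka.crt other.crt >/dev/null 2>&1; then
        return 1
    fi

    cd / && rm -rf "$work"
    echo ok
}

make_ca_cert
```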
So this is basically non-repudiation. So nobody can say, with this certificate, if this certificate is included in some sort of website and that website turns out to be somehow malicious and there's a complaint, now the website can't go to a court of law and say they didn't know about this, because the certificate that was included had their private key, and the private key was only supposed to be known to the company. So that's non-repudiation: you just can't deny that you did it. Okay, so that was all about certificates. Now, moving on. Okay. So moving on, we're going to be talking about cryptographic hashing. And while the word cryptography is in the term cryptographic hashing, and it does lead you to believe that there is encryption involved, there is no encryption involved in a cryptographic hash. There is a significant difference between hashing and any sort of encryption, and that is primarily that encryption is a two-way process. When I encrypt a piece of data or a file or anything else, what I'm doing is putting it into a state where I expect to be able to get it back out again; in other words, when I encrypt a file, I expect to be able to decrypt the file and get the original contents. Hashing, on the other hand, is a one-way function. Once I've hashed a piece of data or a file, there is no expectation and no ability to get the original piece of data back. Hashing generates a fixed-length value, and different types of hashing will generate different-length values. For example, MD5 will generate a different-length value than SHA-1, and they're both hashing algorithms, but they generate different-length values, and the resulting value from a hash function should have no relation at all to the original piece of data.
As a matter of fact, if two inputs generate the same hash value it's called a collision, and if you can generate collisions, you may be able to get to a point where you can generate pieces of data that are going to generate the same hash values, and that leads you to the potential ability to break the particular hashing algorithm that you're using. So what can we use hashes for? Well, one thing we can use hashes for is file integrity. We can run a hash on a file and get a value back, and later we can check that value to make sure it's the same; if it's the same, I can be sure that the same file was hashed in both instances. So let me just show you an example of what I just said, that if we hash a file we will get the same hash every time. So remember the certificate that we just created. Let me just log in again. So we are going to hash this certificate, and it will create a certain hash, and we are going to see that every time we hash it we are getting the same hash. So we can use this command called md5sum, and we can do edureka.crt. So this is the hash produced after you've hashed edureka.crt. So if I do an md5 again, so md5 is a hashing algorithm that you should know, so edureka.crt, and it will produce a very similar hash. Let's see how sha-1 works. So sha1sum edureka.crt. Okay, sha1sum is SHA-1; the sha1sum utility gives it back. Okay, so I proved my point that with md5, which is a cryptographic hashing algorithm, we are getting the same hash back. So if you are able to produce the same hash, that means you have broken the algorithm in itself. So if you run md5 on Linux you can get a version of md5, an md5sum program, on Windows and on Mac OS, where the utility md5 does the same thing. So I just showed you the file and I hashed it. And another reason we use hashing is we are storing passwords, so passwords are stored after hashing; we hash passwords.
And the reason for hashing passwords is so you're not storing the password in clear text, which would be easily seen if you had it protected with low permissions. If I hash a password, every time I hash the password I'm going to get the same value back from the same algorithm. So what I do is store the hash in some sort of password database; since it's a one-way function, you can't get the password back directly from the hash. Now, what you can do, and what most password cracking programs do, is some variation of this: you just generate hashes against a list of words. If you look for a hash value that matches the one in the password database, once you get the hash that matches the one in the password database, you know what password is there. And here we come back to the idea of collisions: if I can take two different strings of characters and get the same values back, it's easier to crack the password, because I may not necessarily get the password; if the hash that I get back from a particular string of data is the same as that I get from the original password, then it doesn't matter whether I know the password, because the string of data that I put in is going to generate the same hash value that is going to be compared when you log in, and this hash value will just be taken as valid and you will be able to log in. So suppose the password that you chose while making your account is dog, and the word dog produces this hash value, and if I were to hash "cat" with the same algorithm, and if the algorithm was prone to collisions, it might produce the same hash value as dog. So with the password cat I could open up your password, I mean I could open up your account. So that was all about hashing and hashing algorithms. Let's move on. Okay. So in this part of the video, we are going to go over SSL and TLS. SSL and TLS are ways of doing encryption, and they were developed in order to do encryption between websites, web servers, and clients or browsers.
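The two uses of hashing described above, file integrity and password storage, as an added example (not from the video) using the same coreutils tools, md5sum, sha1sum and sha256sum. It assumes GNU coreutils; the files, the two "users" and the salts are constructed for the demo, and the salted variant is the defensive point the passage leads to: two users with the same password should not end up with the same stored hash.

```shell
#!/bin/sh
# Added example, not the video's own commands. Assumes GNU coreutils.

# --- Use 1: file integrity -------------------------------------------------
hash_demo() {
    work=$(mktemp -d) || return 1
    cd "$work" || return 1
    printf 'this is a random text file\n' > a.txt   # constructed sample
    cp a.txt b.txt

    # Same content hashed twice (even under another name) gives the same digest.
    h1=$(md5sum a.txt | cut -d' ' -f1)
    h2=$(md5sum b.txt | cut -d' ' -f1)
    [ "$h1" = "$h2" ] || return 1

    # Fixed output length per algorithm, whatever the input size:
    # MD5 = 32 hex chars, SHA-1 = 40, SHA-256 = 64.
    [ "${#h1}" -eq 32 ] || return 1
    s1=$(sha1sum a.txt | cut -d' ' -f1);   [ "${#s1}" -eq 40 ] || return 1
    s2=$(sha256sum a.txt | cut -d' ' -f1); [ "${#s2}" -eq 64 ] || return 1

    # One extra character in the input yields an unrelated digest.
    printf 'this is a random text file!\n' > c.txt
    h3=$(md5sum c.txt | cut -d' ' -f1)
    [ "$h1" != "$h3" ] || return 1

    # The practical check mode: record digests once, verify later.
    sha256sum a.txt > SUMS
    sha256sum -c SUMS >/dev/null 2>&1 || return 1   # untouched file verifies
    cp c.txt a.txt                                    # tamper with the file
    sha256sum -c SUMS >/dev/null 2>&1 && return 1    # now it must fail

    cd / && rm -rf "$work"
    echo ok
}

# --- Use 2: password storage -----------------------------------------------
# Unsalted: same password -> same stored hash for every user, so one wordlist
# pass (as the passage describes) matches all of them at once.
hash_password_unsalted() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Salted: a per-user random value is mixed in, so "dog" for user 1 and "dog"
# for user 2 store different hashes and precomputed tables stop working.
# (Real systems use a slow password hash such as bcrypt/scrypt/Argon2 on top.)
hash_password_salted() {
    salt=$1; password=$2
    printf '%s%s' "$salt" "$password" | sha256sum | cut -d' ' -f1
}

hash_demo
echo "unsalted u1: $(hash_password_unsalted dog)"
echo "unsalted u2: $(hash_password_unsalted dog)"
echo "salted   u1: $(hash_password_salted 5f3a dog)"   # constructed salts
echo "salted   u2: $(hash_password_salted 9c1e dog)"
```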
SSL was originally developed by a company called Netscape, and if you don't remember Netscape, they eventually spun off their source code and it became the Mozilla project, where we get Firefox from. So back in 1995 Netscape released version 2 of SSL, and there was a version 1, but nothing was done with it. So we got version 2 of SSL, and that was used for encryption of web transmission between the server and the browser. Now SSL version 2 had a whole number of flaws, and SSL 2 has the type of flaws that can lead to decryption of messages without actually having the correct keys and not being the right endpoints, and so Netscape released SSL version 3 in 1996. And so we get SSL 3.0, which is better than 2.0, but it still has some issues, and so in 1999 we ended up with TLS. Now, SSL is Secure Sockets Layer and TLS is Transport Layer Security. They both accomplish the same sort of thing, and they're designed primarily for doing encryption between web servers and web browsers, because we want to be able to encrypt that type of traffic. So let me show you what that kind of traffic looks like. So first of all, let me open Wireshark, and out here I already have a TLS capture ready for you guys, so you can see we have all sorts of TLS data. So you can see that here's my source, it's .32, and the destination is 6 1 2. 4050 9.46, doing a Client Key Exchange and the Change Cipher Spec and Encrypted Handshake Message, and then we start getting application data.
So there are some other steps involved here, and you're not seeing all of it with this particular Wireshark capture, because, again, you know, we get fragmented packets, and at some point it starts getting encrypted and you can't see it anyway, because Wireshark, without having the key, can't decrypt those messages. But what ends up happening is the client sends a Hello and the server responds with a Hello, and they end up exchanging information as part of that, including version numbers supported, and you get a random number, and the client is going to send out a number of cipher suites that it wants to support, in order, and the server is going to pick from that suite of ciphers. Now, then we start doing the key exchange, and then we do the Change Cipher Spec from the client and server, and eventually the server just sends a Finished message, and at that point we've got this encrypted communication going on. But there's this handshake that goes on between the two systems, and there's a number of different types of handshakes depending on the type of endpoints that you've got. But that's the type of communication that goes on between servers and the client. One important thing about using SSL and TLS is, as I mentioned, some of the earlier versions had vulnerabilities in them, and you want to make sure that the servers aren't actually running those. So you want to run some scans to figure out the types of protocols and ciphers that different systems use. So for this we can use something called sslscan. So this is available for Unix. Not really sure if there is something that is similar for Windows or Mac, but on a Unix-based system, that is Linux, we can use sslscan. So let me just show you how to use that. Clear the screen out. So what we can do is run sslscan against, suppose, www.edureka.co.
So we're doing sslscan here against the website, and you can see it's going out and probing all the different types of ciphers. After, you know, on this system, it starts with SSLv3 and goes on to TLS version 1, and we could force sslscan to try to do an SSLv2. If I scroll back up here I get the cipher suites, which is SSL version 3; it's using RSA, and it's using RSA for the asymmetric part now, in order to do the key exchange, and once we get the session key up we're going to use AES-256, and then we're going to use the secure hash algorithm to do the message authentication, or the MAC. It's something called the HMAC, for the hashed message authentication code, and what it does is simply hashes the MAC address that you would check one side against the other to make sure that the message hasn't been fiddled with in transmission. You can see here all the different types of cipher suites that are available; here's TLS running RC4 at 40 bits using MD5. So that would be a pretty vulnerable type of communication to use between the server and the client; a 40-bit cipher using RC4 is a low-strength cipher, and we would definitely recommend that clients remove those from the supported ciphers that they have on their server. All that configuration would be done at the web server, as well as when you generated your key and your certificates. Normally certificates would be handled by a certificate authority. Now, you can also self-sign certificates and have those installed in your web server in order to do communications with your clients. The challenge with that is browsers today warn when they see a certificate from a certificate authority that is untrusted, or it doesn't have any certificate authority at all, so you'll get a warning in your browser indicating
there may be a problem with your certificate. If your clients are savvy enough, and if the users are savvy enough, you may be able to make use of these self-signed certificates and save yourself some money, but generally it's not recommended, simply because clients are starting to get these bad certificates, and when they run across one that's really a problem, a real rogue certificate, they're going to ignore the certificate message in the browser and just go to the sites that could have malicious purposes in mind and may end up compromising the clients or customers or users. That's SSL and TLS and how they work and negotiate between servers and endpoints. Okay. So now that we've talked about TLS and SSL, let's talk about disk encryption. Now, disk encryption is actually something that was not really difficult to do, but sort of out of the reach of normal desktop computers for a really long time. Although there have long been ways to encrypt files and, to a lesser degree, maybe entire disks, as we get faster processors, certainly encrypting the entire disk and being able to encrypt and decrypt on the fly without affecting performance is something that certainly comes within reach, and it's a feature that shows up in most modern operating systems to one degree or another. Now, these days we are going to look at a couple of ways here of doing disk encryption. I want to tell you about one of them first, and it's not the one I can show; I can't really show the other one either. So with Microsoft, their Windows systems have this program called BitLocker, and BitLocker requires either Windows Ultimate or Windows Enterprise. I don't happen to have either version, so I can't really show it to you, but I can tell you that BitLocker has the ability to do entire disk encryption, and they use AES for the encryption cipher, and the thing about BitLocker is that they use a feature that comes with most modern systems, particularly laptops,
a little chip in them that's called the Trusted Platform Module, or TPM. The TPM chip is part of it: what it does is store the keys that allow the operating system to be able to access the disk through this encryption and decryption process, and they use a pretty strong encryption cipher, which is AES, but you have to have one of the couple of different versions of Windows in order to be able to use BitLocker, and it's one of those things you would normally run in an enterprise, and so that's why they included it on its Enterprise version. Now, on the Mac OS side they have this thing called FileVault, and you see it in the System Preferences under Security and Privacy. If you go to FileVault you can turn on FileVault. Now, if you have the little button there that says Turn On FileVault, then you can turn on FileVault, and it would ask you about setting up keys, and it works similar to BitLocker. Now, PGP happens to have the ability to do disk encryption, and you can see that in the case of this Ubuntu system they've got a package called gdecrypt, which is a GUI that allows you to map and mount a created encrypted volume, so I could run gdecrypt and it would help me set up the process of encrypting the volumes I've got on my system. Now, disk encryption is a really good idea, because when you are working with clients the data is normally very sensitive. So, as I mentioned, you can always use things like BitLocker and FileVault or other such software for disk encryption. So what I mentioned before is now not only possible, it's very much a reality with current operating systems. Now, let's talk about scanning. Now, scanning refers to the use of computer networks to gather information regarding computer systems, and network scanning is mainly used for security assessment, system maintenance, and also for performing attacks by hackers.
The purpose of network scanning is as follows: it allows you to recognize available UDP and TCP network services running on a targeted host. It allows you to recognize filtering systems between the users and the targeted host. It allows you to determine the operating systems in use by assessing the IP responses. Then it also allows you to evaluate the target host's TCP sequence numbers and predictability to determine sequence prediction attacks and TCP spoofing. Now, network scanning consists of network port scanning as well as vulnerability scanning. Network port scanning refers to the method of sending data packets via the network to a computer system's specified service ports. This is to identify the available network services on that particular system. This procedure is effective for troubleshooting system issues or for tightening the system's security. Vulnerability scanning is a method used to discover known vulnerabilities of computing systems available on a network. It helps to detect a specific weak spot in an application, software, or the operating system which could be used to crash the system or compromise it for undesired purposes. Now, network port scanning as well as vulnerability scanning is an information-gathering technique,
but when carried out by anonymous individuals, it is viewed as a prelude to attack. Network scanning processes like port scans and ping sweeps return details about which IP addresses map to active live hosts and the type of services they provide. Another network scanning method, known as inverse mapping, gathers details about IP addresses that do not map to live hosts, which helps an attacker to focus on feasible addresses. Network scanning is one of the three important methods used by an attacker to gather information. During the footprinting stage, the attacker makes a profile of the target organization; this includes data such as the organization's domain name systems and email servers, in addition to its IP address range. During the scanning stage, the attacker discovers details about the specified IP addresses that could be accessed online, their system architecture, their operating systems, and the services running on every computer. Now, during the enumeration stage, the attacker collects data including routing tables, network user and group names, Simple Network Management Protocol data, and so on. So now let's talk about intrusion detection evasion.
So before we get into IDS evasion, let's talk about what exactly an IDS is. Now, an intrusion detection system, or IDS, is a system that monitors network traffic for suspicious activity and issues alerts when such activity is discovered. While anomaly detection and reporting is the primary function, some intrusion detection systems are capable of taking actions when malicious activity or anomalous traffic is detected, including blocking traffic sent from suspicious IP addresses. Although intrusion detection systems monitor networks for malicious activity, they are also prone to false alarms, or false positives. Consequently, organizations need to fine-tune their IDS products when they first install them; that means properly configuring their intrusion detection systems to recognize what normal traffic on the network looks like compared to potentially malicious activity. An intrusion prevention system also monitors network packets for potentially damaging network traffic, but where an intrusion detection system responds to potentially malicious traffic by logging the traffic and issuing warning notifications, intrusion prevention systems respond to such traffic by rejecting the potentially malicious packets. So there are different types of intrusion detection systems. Intrusion detection systems come in different flavors and detect suspicious activities using different methods. So one kind of intrusion detection system is a network intrusion detection system, that is, NIDS. It is deployed at a strategic point or points within the network, where it can monitor inbound and outbound traffic to and from all the devices on the network. Then there is the host intrusion detection system, that is, HIDS, which runs on all computers or devices in the network
with direct access to both the internet and the enterprise's internal network. HIDS have an advantage over NIDS in that they may be able to detect anomalous network packets that originated from inside the organization, or malicious traffic that a NIDS has failed to detect. HIDS may also be able to identify malicious traffic that originates from the host itself, as when the host has been infected with malware and is attempting to spread to other systems. A signature-based intrusion detection system monitors all packets traversing the network and compares them against a database of signatures or attributes of known malicious threats, much like antivirus software. Okay. So now let's talk about IDS evasion. Now, an IDS is an intrusion detection system, as we just spoke about, and it is intended to detect exactly the types of activities that we are engaged in sometimes. And sometimes you may be called in to work on a target where activities are known and should be known by the operators or the operations people involved in monitoring and managing the network, and the idea being not only do they want to assess the technical controls that are in place, but they also want to assess the operational procedures and ensure that the systems and processes are working the way that they are supposed to be working. Now, when you are engaged with a target that you are in full cooperation with, you don't need to do these types of evasion tactics; all these techniques may be actually avoided. But if you are asked to perform an assessment or a penetration test on a target where they are not supposed to see your activities, then you need to know some different techniques to evade detection from an IDS. So we're going to talk about a couple of different things that you can do. So one thing that you can do is manipulate packets to look a particular way. Now, for this there is a tool called packit.
So packit is a really good way to actually manipulate traffic, by actually manipulating the contents of a packet; like, you can specify the destination and source. So it's a really useful tool to set up a packet to look a particular way. One thing it can do is allow you to spoof IP addresses, so I could set the source IP address here to something completely different from mine. Now, if I'm using TCP or UDP, I'm not going to see the response back, and in the case of TCP I'm not even going to get the three-way connection, because responses are going to go back to the source IP. But what you can do, in addition to spoofing, is set up particular ways that a packet may look, like changing the type of service, or by changing the fragmentation offset, or by different flag settings that may allow you through an IDS without maybe getting flagged, and it may also allow you through a firewall. Now, it's a slim possibility, but it's a possibility. Now, another thing you can do is use packit to generate a lot of really bogus data, and what you might do is hide in the noise generated by packit, so you could create some really bogus packets that are sure to set off IDS alarms, and then you can run some legitimate scans underneath and hopefully be able to get some responses.
Kali Linux is the industry's leading Linux distribution in penetration testing and ethical hacking. It offers tons and tons of hacking and penetration tools and different kinds of software by default. It is widely recognized in all parts of the world, even among Windows users who may not even know what Linux is. Well, to be precise, Kali Linux was developed by Offensive Security as the rewrite of BackTrack. BackTrack, just like Kali Linux, was a Linux distribution that focused on security; it was used for digital forensics and penetration testing purposes. But the question here is, why should you choose Kali Linux when you have other choices like Parrot Security OS, BackBox, BlackArch and many more out there? Let me list a few reasons as to why Kali Linux is the best choice. First and foremost, it offers more than 600 penetration testing tools from different kinds of security fields and forensics. Secondly, Kali Linux is customizable. So if you're not comfortable with the current Kali Linux tools or features or graphical user interface, you can customize Kali Linux the way you want. It is built on a secure platform. The Kali Linux team is actually made up of a small group of individuals; those are the only ones who can commit packages and interact with repositories, all of which is done using multiple secure protocols.
So Kali Linux is definitely a secure platform. Although penetration tools tend to be in English, Kali includes multilingual support; this way more users can operate in their native language and locate the tools that they need for the job that they are doing on Kali Linux. And lastly, Kali Linux, just like BackTrack, is completely free of charge. On top of all these benefits, Kali Linux offers different installation options. One way of installing Kali Linux is by making a Kali bootable USB drive. This is the fastest way of installing Kali Linux and the most favorable as well; we will discuss why in a while. You can also install Kali Linux using the hard disk. Installing Kali Linux on your computer using the hard disk is a very easy process, but you should make sure that your computer has compatible hardware. You can also install Kali Linux alongside your operating system; it could be Windows or Mac, but you should exercise caution during the setup process, because it might mess up your default BIOS settings. Lastly, you can use different kinds of virtualization software, such as VMware or VirtualBox, to install Kali Linux on your preferred operating system. Well, apart from all this, you can also set up Kali Linux on Advanced RISC Machines, or ARM, like Raspberry Pi, Trimslice, Cubietruck and many more. So there you go guys. Now you know what Kali Linux is and why it is a leading Linux distro for ethical hacking and penetration testing. In today's session, we will explore different ways to install Kali Linux. Let's get started then. Earlier I said that the fastest method for setting up Kali Linux is to run it live from a USB drive. But why? First of all, it's non-destructive: it makes no changes to the host system's hard drive or the operating system that is installed on it. So once you remove the USB, your operating system will return to its original state. Secondly, it's portable. You can carry Kali Linux in your pocket and can run it whenever you want, in just a few minutes.
It's customizable. You can create your own Kali Linux ISO image and put it onto a USB drive using a simple procedure which we will discuss later. And lastly, it's potentially persistent. You can configure your Kali Linux live USB drive to have persistent storage so that the data you collect is saved and you can use it across different reboots. Now let's see how to create a bootable USB drive on Windows, guys. Actually the process is very simple; it's just a three-step process. First of all, you need to plug your USB drive into an available USB port on your Windows PC. Next you need to note down the drive letter that Windows mounts it as; for example, it could be the F drive. After that, you will have to download and launch a piece of software called Win32 Disk Imager. In the software, you'll have to choose the Kali Linux ISO file that needs to be imaged and verify that the USB drive to be overwritten is the correct one. Lastly, once the imaging is complete, you need to safely eject the USB drive from the Windows machine. So, like I said, it's very simple, right? Well, I'm not going to show you a demo on this one because, like I said, it's very easy, and I'm sure you guys can pull it off. If you have any doubts, you can post them in the comment section; we'll get back to you.

And as for the demo part, we'll be doing four installations here. First of all, we'll see how to install Kali Linux using VMware on the Windows operating system. Then we'll see how to install Kali Linux on Mac using VirtualBox. Moving on, we'll see how to install Kali Linux tools on different Linux distributions; I'll be showing how to install them on Ubuntu. Well, the procedure is the same for every other Linux distribution, so you can go ahead and use the same procedure for the Linux distribution that you're using. And lastly, we will see how to install Kali Linux on Windows 10 using Windows Subsystem for Linux. So, I hope it's clear what we'll be learning in this session.
Let's get started with the first demo. In this demo, we'll see how to launch Kali Linux using VMware. So guys, you can install Kali Linux using any virtualization software; it could be VMware or VirtualBox. In this demo, I'll show you how to install it using VMware. So first of all, obviously, we'll have to install VMware. So just type VMware and it's the first link that you find. You can go ahead and download VMware Workstation Pro; you have it in the downloads here. You can download Workstation Player as well, or you can download VMware Workstation Pro. Now, once that is downloaded, you will have to download a Kali Linux ISO image. For that you will have to go to the official Kali Linux website. Just type Kali Linux and it's the first link. You can see the downloads option here; click on download, and yeah, you can see different download options here. You have Kali Linux Light for 64-bit as well as 32-bit, and then there is Kali Linux 64-bit and 32-bit, and you have pre-built images for VMware and VirtualBox. Well, suppose you want to skip the entire lengthy procedure of installing it and you want to just use the image; then you can go ahead and use this Kali Linux 64-bit image for VMware or VirtualBox, and the same goes for the 32-bit as well. But since we are focusing on installing right now, let's just go ahead and download the ISO file and install it from the beginning until the last step. I have already downloaded it, so I have an ISO file on my computer. So all you have to do is just click on the torrent link and it will be downloaded. Let's open VMware then. So as you can see, I have VMware Workstation Pro installed here. I already have two Ubuntu virtual machines installed on my VMware Workstation. As you can see on the home page, there are three different options. It says create a new virtual machine, open a virtual machine, and connect to a remote server.
So if you want to create a Kali Linux or any other virtual machine from step one, you can use this create a new virtual machine option. Well, if you have an image of a virtual machine already, and if you want to just use it and avoid the installation procedure, then you can go ahead and use this open a virtual machine option. Well, just click on create a new virtual machine and click on next. As you can see here, you have an option which says installer disc image file (ISO). You'll have to attach your ISO file, so click on browse. Let's see where I've stored my Kali Linux. As you can see, I already have it here and there's one file here. Let me click on that and open. So don't bother about this at all; it usually shows that. And then click on next here. So it's asking which operating system will be installed on this virtual machine. I want it to be Linux, so make sure you select Linux 64-bit and click on next. You have an option to name your virtual machine. Let's say Kali Linux. And where do I want to store it? In my documents, under virtual machines, Kali Linux, sure, and click on next. It says it already exists. Let me try this one then: let's take Kali Linux 1 and next. Yeah, so basically your Kali Linux will need about 20 GB. Let's assign some 40 GB; that's the maximum disk size that you can allot. Well, you can allot more than that as well, but at minimum it needs about 20 GB. And you have an option to store the virtual disk as a single file or as multiple files. Let's just select store virtual disk as a single file, to avoid complications, and click on next here. So as you can see, you can review your virtual machine settings here. You have an option to make changes to the settings. You can make changes right now, or you can do it later as well. Let's just go ahead and make changes now. Click on the customize hardware option here.
Well, as for the memory for this virtual machine, it totally depends on what you're using the virtual machine for. If you're not using it for heavy work, then you can assign the least amount of memory. Let's say I want to assign about 2 GB. There we go. And as for the processors: number of processors, 1, and the number of cores per processor, you can choose as many as you want. Let's say 2; this will increase the performance of your virtual machine. So, again, it totally depends on whatever you want to choose. And yeah, we have already attached the image. Network adapter, you can set it to NAT. USB controller and sound card, you can retain the default settings. And as for the display, click on accelerate 3D graphics, since Kali Linux has a graphical user interface, and it says 768 MB is the recommended amount of memory that you can use for graphics. So let's go ahead and select that and click on close. Well, you can actually make all these settings after installing Kali Linux as well, no problem there. Once you've done that, click on finish here. As you can see, my Kali Linux image is ready for installation. You have two options to power up; as you can see, you have this option here. You can click on that to power on this virtual machine, or you can go ahead and click on this. Let me click on this. So once you click on that, you should be greeted with this Kali boot screen. As you can see, there are a lot of options here. We did discuss the live option earlier, right? So if you don't want any trace of Kali Linux on your operating system, you can go ahead and use the live option here. You have live USB persistence mode and live USB encrypted persistence as well. Suppose you want to store some data and save it for later boots; you can use the live persistence option here. And most of the time people get confused between install and graphical install. Just don't go ahead and click on the install option; do it only if you are well versed with the command line interface.
So basically that install option is for the command line interface, so you will be greeted with the Kali Linux command line interface. So if you're using Kali Linux for the first time, go ahead with graphical install: select graphical install and press enter. So as you can see, it will start mounting storage devices. The whole installation process might take about 10 minutes. So it's prompting you to select a language, so select your preferred language, then your location. Let's say English and press enter, and it's asking you for the country location; just give United States and enter. And I want the keyboard to be configured with American English. You can choose any native language; like I said earlier, it supports multiple languages. So go ahead and choose it, but it might complicate the way you use Kali Linux later, so you can always go ahead and stick with English only. Well, it doesn't matter. So as you can see, it's configuring the network. It will detect the ISO file and load the installation components and then prompt you to enter the hostname for your system. Well, in this installation, let's just enter Kali and press enter. You can give any name you want. And next it's asking you for the domain name. Suppose you have set up several virtual machines, and if you want to give all of them a domain name, you can assign a domain name as well, but it's optional. Let's not give any domain name here and press enter. The next thing it does is prompt you for the password that you'll have to enter every time you launch your Kali Linux. So just give some password of your choice and click on continue. The best thing about Kali Linux is you can set up the date and time as well. You can do it later as well, but you can choose it here. So just click on Eastern or whichever choice you like and press enter.
So the installer will now probe your disk and offer you four different choices. As you can see, it says guided - use entire disk; guided - use entire disk and set up LVM, which is Logical Volume Manager; the same thing, but encrypted; and manual. So if you are an expert, if you have already used Kali Linux before, you can go ahead and select any of these three options from the bottom, that is, LVM, manual or encrypted LVM. Otherwise, you can always go ahead and choose the guided - use entire disk option here if you are a beginner, and press enter. So this is the disk partition where all the data will be stored; click on continue. It's asking if you want to store all files in one partition, or if you want to make separate partitions. So depending on your needs, you can go ahead and choose to keep all your files in a single partition, which is the default, or have a separate partition for one or more of the top-level directories. Let's just choose the first option and press enter. So once you've done that, you'll have one last chance to review your disk configuration. Once you're sure that you've given the correct details, press enter here. It's asking if the changes that you make to Kali Linux should be written to the disk or not, so say yes. So it did start partitioning and installing the virtual machine. It took a while, but as you can see, the installation is almost done. It's asking me to configure the package manager. Well, if you select no in this section, you will not be able to install packages from the Kali repositories later; click on continue. So suppose you want to install other repositories or updates later on, you can always go and click on yes. Otherwise, you can go for no as well. Now it's going to configure the package manager; it will install the package manager and configure it, then it will install the GRUB boot loader. And it's asking if you want to install the GRUB boot loader to the master boot record. Definitely yes, so select yes and click on continue.
So it's asking to select the device manually; you can click to select the device. So yeah, guys, we're done here. So you can finally click on the continue option to reboot your new Kali installation. So as you can see, the entire process took about 10 to 11 minutes. So yeah, let's go ahead and click on continue here. It's gonna finish the installation. So guys, as you can see, the installation process from the step where we select the language till the last step is the same; it's just the medium on which you are installing that is different. For example, right now we used VMware; later on I'll show you how to use VirtualBox. But once your Kali Linux image is ready to boot, the rest of the installation process is similar to this. So it's finished installing; it's loading the image. So if you have done everything right during the installation process, and according to your needs, you land up on this page. Username: so we've given it as kali, right? kali, and the password. As you can see, it's showing an error. It says that didn't work, please try again. This is mostly because the first time when you log in, you should use root as your default username. But later on, once you have already logged in, you can change the username according to your need. So root, and for the password you can use the same password which you set during the installation process. So as you can see, login is successful and here I go: my Kali Linux is up and running, so I can start using Kali Linux according to my needs. So once you've done that, you can go ahead and install VMware Tools so that you can maximize it to full screen and all that stuff. You can also go ahead and change the date and time settings; as you can see here, you can go for the settings option here and do the settings, and you can start using Kali Linux for hacking and penetration testing purposes. So it's as easy as that, guys. So please go ahead and try installing it. Well, if you find any errors during the installation process, let us know in the comment section.
We'll get back to you as soon as possible. Now let's move on to our second demo. Now we'll see how to launch Kali Linux on the Mac operating system using VirtualBox. In the previous demo we used VMware, and now we'll be using VirtualBox. But actually I'm not using any Mac operating system here; still, I'll show you how to install using VirtualBox, and the procedure is very similar. So all you have to do is, on your Mac operating system, go ahead and search for VirtualBox download. So this is the VirtualBox official page. You can go ahead and click on downloads here. As you can see, you have different options here. It says Windows hosts for the Windows operating system, OS X hosts, Linux hosts and Solaris hosts. So if you're using Windows, then go ahead and select Windows hosts, but as for Mac, you'll have to select this. It's mostly a .exe file. Once you've done that, you can install VirtualBox; just click on next, next, next and it will walk you through and provide settings according to your need. I have already installed VirtualBox. So the next thing you do is similar to what you've done with VMware. Go ahead and download the official Kali Linux image. Make sure you don't download any duplicate versions of the ISO file from other websites; make sure you download it from the original website. If you want to do it from the beginning, go ahead and download the ISO file via torrent, or you can just go ahead and download just the image for VirtualBox here for 64-bit, and you have the option for 32-bit as well. I've already done that. So let me open my VirtualBox. Yeah, the procedure for VMware and VirtualBox is almost the same, with just a slight difference. Let me maximize the screen for you guys. As you can see, I already have a virtual machine set up here; I haven't powered it up yet. Anyway, I'll show you how to install a new one. Just click on the new option here. This is your VirtualBox homepage, guys. So click on new here and just give a name.
We've already given Kali Linux earlier for the virtual machine, so let's give it some other name. Let's say Kali Linux with a capital K. And choose the type of operating system, that's Linux, and here 64-bit. 64-bit or 32-bit, according to your operating system needs, you can go ahead and choose it. Click on next. And again, like I said earlier, depending on what you're doing on the Kali Linux operating system or virtual machine, you go ahead and assign the memory. Since I'm just showing you how to install, I'm not assigning much memory here, so let's just retain the default one; it's 1024 MB, that's 1 GB, and click on next. And it's asking; you have three options here: do not add a virtual hard disk, create a virtual hard disk now, and use an existing virtual hard disk file. Go ahead and select the second option, click on create, and use the VirtualBox Disk Image (VDI). Like I said earlier, we downloaded the ISO image, right, and it's an ISO file with the extension .iso, so basically it's nothing but an image. So click on next, and I want the storage on the physical hard disk to be allocated dynamically, and click on next. So this is the name of the virtual machine which we just gave earlier; it's asking you to choose the path wherever you want to store your virtual machine. Let's say documents and virtual machines, click on open and save. So that's the path of the setup. And as for the disk size, Kali always needs you to assign at least 20 GB. So let's go ahead and give 20 GB; you can always assign more than that, and click on create. So this is the one we just created, right? It's ready. Just click on settings; before you power up, you'll have to make certain settings. So if you want to change the name or type and version, you can always go ahead and do that here. We don't have anything in advanced; it's just the folder where your virtual machine will be stored. Go for system. We won't be using any floppy disk, right?
So untick or uncheck it. And yeah, this is memory; if you want to go ahead and change or assign more memory because the performance of your virtual machine is not that great, you can go ahead and do that. For the processor, make sure you enable these extended features. So basically if you want to increase the performance of your virtual machine, the number of processors you assign should increase. Well, for now, since I'm only going to show you how to install, I'm just going to assign one; you have the option to increase it to, say, two, like that. And as for the display, you can enable 3D acceleration. Display, storage settings: this is the most important one. Right now we don't have any image attached to it, so click on this empty entry and click on the CD image that you see here, and choose virtual optical disk file and attach the image, the ISO file which you just downloaded; click on open. And audio, no settings, default. Network: by default you can always set it to NAT since we're using only one virtual machine here, but if you want to use Kali Linux with any other virtual machine like Metasploitable 2, you can go ahead and use this host-only adapter option here, because when you use NAT and when you have two virtual machines, both of them will be assigned the same IP address, which will definitely be a problem, because both of these virtual machines need to interact, right? So yeah, well, I'm just giving you all this information so you can go ahead and click on host-only adapter if you're using two virtual machines and you want them to interact. As for now, I'm just retaining NAT, and for the rest you don't have to make any changes; click on OK. Once you've made all the settings, click on this, or you can go ahead and click on the start option, or you can right-click on it and start. Again, like I said, the installation process from step one is very similar to that when using VMware. So again, you'll be greeted with the Kali boot screen and you have multiple options again.
I'm not repeating the entire thing here. So go ahead and click on graphical install. And if you're a pro at using the command line, you can always go for the install option. And if you want to just use it for a one-time purpose, you can always go for the live option here. That's all, guys. I'm sure you can catch it from here, right? Because it's almost similar to the one we did using VMware; if you have any doubts, just go back and take a look at it. Yeah, well, like I said, I showed you how to use VirtualBox to install Kali Linux on the Windows operating system. Well, the same goes for the Mac as well; you just have to download your stuff there instead of on Windows. You have another option with this operating system. You can dual-boot your Kali Linux with Windows or Mac. It's not as easy as these installation processes because it will involve you making changes to the BIOS settings that you get to see when you power up your computer initially. Make sure you refer to the Kali Linux official documentation and make sure you've done the installation properly so that you won't mess up your default settings.

So guys, we are done with two ways of installing Kali Linux, one on Windows and one on Mac. We saw how to install it using VMware as well as VirtualBox. In the third part, we'll see how to install Kali tools on any Linux distribution. It could be Ubuntu, Fedora, Peppermint OS or any other version or distribution of Linux. The procedure is actually similar in every Linux distribution. So if you follow it on one Linux distribution, you can go ahead and do it on the Linux distribution of your choice or the one that you use. One thing you should remember is that Kali Linux is not for daily Linux purposes. Well, it's only for ethical hacking or web application penetration testing; it's for these purposes. So guys, we'll be using a tool called Katoolin. Let me spell it for you guys: it's K-a-t-o-o-l-i-n. So let's just search for that. There we go.
It's a script that helps you to install Kali Linux tools on the Linux distribution of your choice. So it's usually the GitHub script; click on the first link that you find. So for those of you who like to use the penetration testing tools provided by the Kali Linux development team, you can effectively do that on your preferred Linux distribution using this tool, which is Katoolin, or K-a-t-o-o-l-i-n. So as you can see, once you've installed Katoolin properly on your operating system, you should be greeted with this page. I'll show you how to do that in a bit. So the purpose of asking you to see this page is to take a look at the prerequisites. So the first thing you need to have is Python version 2.7 or above installed on your operating system, and you need a Linux operating system. It could be Ubuntu or it could be Fedora or Peppermint, any other Linux distribution. I have Ubuntu here. I'll be using VMware Workstation Pro. It's already open, but let me just go back. All you have to do is search for Ubuntu and click on the first link. So as you can see, there are a lot of options here; to install Ubuntu, just click on this and you'll be able to download the ISO image. I've already done that; I'm not doing it again. Let's go back to VMware Workstation. As you can see, I already have my Ubuntu operating system installed. Installing Ubuntu is very straightforward. So just take a look at the instructions that you need to know when you're installing Ubuntu. Once you've done the installation, it should look something like this. So let me power up the Ubuntu operating system. So as you can see, once you install it, you land up on this page and it's asking for the password; you set up this username and password during the installation process, so don't worry about it. Press enter. So let's say you are a Linux lover; you like using the Linux platform.
But right now you want to use certain tools for performing application penetration testing and ethical hacking. You just don't need all the tools; you need a few tools. In that case, instead of installing Kali Linux on your operating system, installing only certain Kali Linux tools will be the best option, right? For that, like I said earlier, we'll be using Katoolin. I have a set of four or five commands that you need to use to install Katoolin. First of all, you need to have git on your operating system. Let me check if I have it or not. Anyway, I have these four or five commands which we'll be using; I'm going to attach them in the description below. So if you want, you can use them. As you can see, install git is the first command. It says unable to use it because I have to log in as the root user. So let me just; it's asking for the password. Yeah, now I'm the root user. So let me try the command again. That's apt-get install git. Yeah, installing git is just going to take a few minutes. But while this is happening, let's go ahead and explore Katoolin. Let me go for Firefox here. Let's search for Katoolin; so it's the first link, guys, like I said earlier. So let me scroll down; as we saw, this should be the home page and we did take a look at the requirements. So let's just go back and see if it's done. It's still happening. So one thing is, make sure you have Python version 2.7 or above; otherwise the entire thing won't work at all. Yeah guys, it's done. Now we are done with the first step. We need to clone Katoolin, right? So what you do, like I said, I have a command right here; just copy this and paste it over there, Ctrl+C. Let's go back to the terminal; let me maximize the screen for you guys. Yeah, and paste. So basically I'm cloning it here, and the next command is copying the Python file to this directory; press enter. It's done; it's just a quick process. Now we'll have to change permissions so that we have access to use Katoolin. For that, basically,
we are giving execute permission. So chmod +x; make sure you take a look at that, +x, and enter. We are done; now our Katoolin is installed, so let's run it. So as you can see, it's already there. The first thing that you should do before you upgrade your system, it says, is please remove all the Kali Linux repositories to avoid any kind of problems. So as you can see, it shows you like five options here. The first one is add Kali repositories and update; next, view categories. Like I said, Kali Linux has 600-plus tools, right? So you have different tools categorized under different headings. Then you have classic menu indicator; it's nothing. Here, as you can see, I have a small icon here; if you click on that, it'll just show you different menus, that's all. And if you want to install the Kali menu for easy access, you can do that as well. So let me just click on one. Under one, it says add Kali Linux repositories, update, remove and view the contents. So let's try removing them. Let's try with adding repositories. It says there are certain duplicate signatures, removed and all that. So let's just try to remove, like they suggested earlier; they have been deleted now. So if you guys want to go ahead and update the repositories, the already existing ones, you can go ahead and do that. I'm not doing it now because it's going to take a while. So if you want to go back, just click back; it's as easy as that. Now let's say I want to view categories and install one tool. As you can see, there are a number of categories here. So I have web application penetration tools, you have password attacks, I have exploitation tools. Well, if you are interested, there's an introduction video on what is Kali Linux by Edureka in the cyber security playlist. So go ahead and take a look at that; we have explained about five to six popular tools in Kali Linux. Anyway, getting back to today's session, let me just select one; as you can see, it lists all the web application tools.
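The Katoolin steps above (install git as root, clone the script, copy it into place, chmod +x, run it) collected into one pre-flight script, as an added example that is neither the video's nor the Katoolin project's own code. The repository URL and the install path are assumptions; the prerequisite checks (root, git, the "Python 2.7 or above" rule) are written as functions that run offline, and the network and install steps run only when the script is started with --run. The version check is general, so it also covers the Python 3 requirement of the Windows Subsystem for Linux demo later in the session.

```bash
#!/usr/bin/env bash
# Added example for the Katoolin procedure shown in the video; not code from
# the video or from the Katoolin project. Assumed, not taken from the page:
# KATOOLIN_REPO (the GitHub clone URL) and KATOOLIN_BIN (where the script is
# copied). The checks are pure functions; clone/copy/chmod run only with --run.

KATOOLIN_REPO="${KATOOLIN_REPO:-https://github.com/LionSec/katoolin.git}"  # assumed URL
KATOOLIN_BIN="${KATOOLIN_BIN:-/usr/bin/katoolin}"                          # assumed path

# version_ge A B : exit 0 when dotted version A >= dotted version B
# (missing components count as 0, so "2.7" >= "2.7.0").
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0;
      yi = (i <= m) ? y[i] + 0 : 0;
      if (xi > yi) exit 0;
      if (xi < yi) exit 1;
    }
    exit 0
  }'
}

# python_version_from_banner "Python 3.6.7" -> prints "3.6.7".
# Prints nothing and fails when the text is not a Python version banner
# (for example "python: command not found").
python_version_from_banner() {
  printf '%s\n' "$1" | sed -n 's/^Python \([0-9][0-9.]*\).*$/\1/p' | grep .
}

# python_ok BANNER MIN : exit 0 when the banner reports Python >= MIN.
# Katoolin needs MIN=2.7; the WSL distribution switcher needs MIN=3.0.
python_ok() {
  local v
  v=$(python_version_from_banner "$1") || return 1
  version_ge "$v" "$2"
}

# katoolin_prereqs : root, git present, Python >= 2.7.
# Python 2 prints its version on stderr, hence the 2>&1.
katoolin_prereqs() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root (the video switches with su)" >&2; return 1; }
  command -v git >/dev/null 2>&1 || { echo "git missing: apt-get install git" >&2; return 1; }
  python_ok "$(python --version 2>&1)" 2.7 || { echo "Python >= 2.7 required" >&2; return 1; }
}

# install_katoolin : the clone / copy / chmod +x steps from the video,
# done in a temporary directory so nothing is left behind but the binary.
install_katoolin() {
  local work
  work=$(mktemp -d)
  git clone "$KATOOLIN_REPO" "$work/katoolin"
  cp "$work/katoolin/katoolin.py" "$KATOOLIN_BIN"
  chmod +x "$KATOOLIN_BIN"
  rm -rf "$work"
  echo "installed $KATOOLIN_BIN; start it as root with: $KATOOLIN_BIN"
}

if [ "${1:-}" = "--run" ]; then
  katoolin_prereqs && install_katoolin
fi
```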
So if I want to install all those, there's an option, that's zero, but let's just say I want to install a tool called sqlmap. I'm sure you might have heard of sqlmap. If not, it's okay. It's a tool which you use for checking out vulnerabilities present in an application's database system. So anyway, it asks you to insert the number of the tool that you want to install. Let's say 27. So as you can see, it's installing. So it's as easy as that, guys. So once it's done installing, I'll get back to you. Anyway, I just showed you how to install sqlmap, which is there in web application tools. You can go ahead and do that for other different types of tools as well. Suppose you want to install all the tools; you can go for 0, as in click on the zero option. So there you go, guys. I just showed you how to install one tool, so you can go ahead and do that for any kind of tool under any category. So if you just want to go back, click back and go for other types of tools, let's say eight; there you can see. So whatever different type of exploitation tools you want, you can go ahead and install them. Let me just click back and back. Sometimes when you try to install all the tools, you might get an error saying that the file doesn't exist or the repository doesn't exist. All you have to do is go for the first option here. As you can see, here you have option two, which is update. So update your repositories; make sure the Kali Linux mirror which is present for the update is the right one. Once you've done that, you won't get any errors; all the tools will be installed properly. So suppose you want to get out of Katoolin, it's easy: just press Ctrl+C. And yeah, as you can see, it says goodbye. So that's as easy as it is to use Kali Linux tools on any kind of Linux distribution. While I've shown you on Ubuntu, the procedure is the same on any other Linux distribution, guys. So there we go, guys. I'm done with three things so far.
We did it on Windows using VMware, then on Mac using VirtualBox, and third I showed you how to install Kali Linux tools on any kind of Linux distribution. And finally, there's one last demo here. We'll see how to install Kali Linux on the Windows operating system using the Windows Subsystem for Linux feature. So, let me get back to my operating system. We won't be needing VMware Workstation anymore. So guys, we'll be using a feature called Windows Subsystem for Linux, which is by default present in all the current versions of Windows 10. This is actually for those who prefer using the Kali Linux command line interface. So make sure to listen to me properly: use this option only if you are a pro at using the command line interface or if you have any experience using the command line interface. Otherwise, just go ahead and use VMware or VirtualBox and install the Kali Linux graphical user interface option. So yeah, this Windows Subsystem for Linux allows you to run Linux distributions as a subsystem on your Windows operating system. This is really a new feature; it exists only in Windows 10. So you need to use the latest version of Windows 10 to perform this demo or use this option. And in addition to that, we also have other prerequisites. Especially, we need to have git installed, or you can go ahead and download the zip of the Windows Subsystem for Linux files normally, but having git is also nice. Secondly, you need to have Python version 3 or above; make sure you've installed Python and set up the path. To check if your Python is installed properly or not, just go via the command prompt and type python --version. It should show you the version properly; only then can you be sure that your Python is properly installed. As you can see, for me it's showing 3.6.7, which is definitely above 3, and it's properly installed and the path is set. The first thing you need to do is enable WSL, or Windows Subsystem for Linux.
Just go to the control panel and there click on programs, and turn Windows features on or off. Make sure not to touch any other features; it might mess up your operating system. So scroll down; it's usually at the bottom. By default it's not enabled; if you're using it for the first time you need to enable it. So the first thing you do is enable it. As you can see here, it says Windows Subsystem for Linux. Make sure you enable it, check mark it and click on OK. Once you have done that, run your command prompt or terminal as an administrator. All you have to do is right-click on it and click on run as administrator. And yes, now we'll be enabling the base distribution. That is, like I said, Windows Subsystem for Linux allows you to run a Linux distribution as a subsystem, right? But for that we need to enable this base distribution. For that, you need to install the base distribution or any kind of Linux distribution that you need. So just use lxrun /install. So once you type that, this is the output which you get; it says it's the legacy Windows Subsystem for Linux distribution. So you can go ahead and install other Linux distributions which are available in the Microsoft Store, but unfortunately Kali Linux is not available; but it doesn't matter, right? We're anyway installing it using this procedure. Just type y here, saying yes. I've already installed it, so it's showing the legacy Windows Subsystem for Linux distribution is already installed on my system. For you, it might take a while. After installing, the most important thing is it asks you to set up a password and username; don't skip that step. Wait for a while and make sure you set up the password and username properly; only then will the entire thing work out. Once you've done that, we are done here. You can close the command prompt. The next thing you need to do is install git. I already have it installed. It's very easy: run the .exe file and click through the installation process; it's very straightforward. And open Git Bash. Yeah, before that,
Let me go ahead and create a folder called test here. As you can see it's stored on my desktop, and right now it's empty. Anyway, let me go back to Git Bash here and cd Desktop/test. All right, we've enabled Windows Subsystem for Linux, but now we have to download the script, right? For that, search for "Windows Subsystem for Linux distribution switcher". The first link is the GitHub link; click on that. There you go, guys. It says Windows Subsystem for Linux Distribution Switcher, and its purpose is to let you easily download and install Linux distributions as a subsystem on your Windows operating system. So as you can see, you have different options here for the base operating systems. So yeah, copy this link here, Ctrl+C, and go back to Git Bash: git clone and paste the link which you just copied. It shouldn't take very long. It's done, guys. So now if you check your test folder, Windows Subsystem for Linux will be downloaded properly. Let's just go back and check that. Here is our test folder; as you can see the Windows Subsystem for Linux folder is already there. Now open your command prompt. cd, let's go to the test folder. And if you look at the directories under that, you can see WSL here. Now let's go into that as well. You can just list the directories under that. So as you can see, the two most important things are this get-prebuilt.py and install.py. get-prebuilt.py will fetch the Kali Linux Docker files and install.py will install Kali Linux for you. I already have it installed, but I'll just show you how to do it. So go back to the browser and type "Docker file". Click on the second link. I just wanted you to copy the command easily so that you won't make mistakes. This is the one which you'll have to copy to fetch the Kali Linux Docker files. So you can just copy this part and go to the command prompt. Let me maximize this for you. Here you can see; so if you remember, I said Python is a must. So make sure you install it properly and set up the path right.
python get-prebuilt.py. Let me just type get-prebuilt.py and copy it. As you can see it's installing. It's going to take probably like 2 minutes. So it says it's done. It says it saved this file in the test folder. Let's go back and check if that's happened. Here's the test folder; under WSL, as you can see, you have a Python folder. Is it the folder of Kali Linux installed, or just fetched? You'll have to install it now, right? So let me now just type python. This is the command that you want to use, that's install.py. Type install.py and copy this, or just type it and press Tab to autocomplete, and hit Enter. So as you can see it took a while, but it did install. Right now, since it's installed, all you have to do is close the cmd, open your command prompt again and run it as an administrator; click Yes. Let me maximize the screen. You'll have to set the root password. The default user is root, so set the default user: the command that you need to use is lxrun /setdefaultuser root. As you can see it's now set to root, and then type bash. Done guys. Right now we are running the Kali operating system on the command line interface. If you want to make sure you're actually running on Kali, just type cat /etc/issue. It shows Kali Linux Rolling.
So as you can see we have successfully installed the Kali Linux command line interface, or learned how to use the command line interface, on Windows using Windows Subsystem for Linux. And I'm telling it to you again: just use it if you know how to use a command line interface very properly. Otherwise it might be a little overwhelming for beginners. So now it's time that we go through the command line basics of any Linux terminal. Now the Linux terminal is a very powerful tool. It allows you to move around the whole operating system through the files and folders. It allows you to create files, change their permissions, change how they behave, and a bunch of other things. You can do filtering, you can grab specific stuff from a specific file, and there's a bunch of interesting things that you can do. And as an ethical hacker you will be working with a Linux distribution most of the time, whether it may be Kali Linux or something else like Parrot OS, but you will be working on Linux most of the time because it's a powerful tool for network analysis and scanning and all sorts of stuff that you want to do as an ethical hacker. So the first essential step is to actually know how to use the tool that is available to you, and that is out here, which is the terminal. Now, as I'm running this on a virtual machine, you might find that my execution times are much slower, and that is because I have a very, very slow laptop, because my virtual machine is actually eating up a lot of my RAM and I have a bunch of other processes that are also rendering; I do this in my free time. So let's go ahead and go through the commands that we are going to actually go through now. Let me actually make a list of commands that I want to teach you guys. So let me see if Leafpad is available; Leafpad is basically a text editor. So the first command that we're going to start off with is cd. cd stands for change directory. Now at this moment...
We are in the root directory, as you guys can see. We can print the current working directory with the command pwd, and that is our current working directory; as you see it's called /root. And suppose we want to change directory to the home directory. So all you have to do is cd, which stands for change directory as I just said, and specify the path. So cd /home. Okay. So once we're in home, I want to make a list of commands that are used on the CLI that I want to teach you guys. So what would I do? I would firstly see if any files are available that I can edit. Okay, so these files are available, but let's create a new file for ourselves. So firstly let's do nano list.txt. Now what nano does is it will open up a small command line text editor. Now command line text editors are very much used by ethical hackers because they save a bunch of time. If you're always switching between GUI and command line, because you'll be doing a bunch of stuff on the command line, and when you want to write something you're always switching to the GUI, it's a waste of time, and you want to save time as an ethical hacker. So you can use this thing called a command line editor, and it can basically do most of the stuff a GUI editor would do. Now you say nano and the name of this file. So nano basically has created this file now and it has opened up this new fresh window, which overrides the command line that we were in, the bash, and this is a place where you can actually edit what goes in the file. Now let's see the list of commands that I'm going to teach you. I'm going to teach you ls; ls will list the files. We did cd. We saw pwd, so that was print working directory. We'll be looking at how you can copy stuff with the cp command. Then we will be looking at mv, which is basically move. Then we will be looking at cat.
And that's an interesting one. And also less, which is another interesting thing, and we'll be looking at grep, which is actually used for grabbing things from files that you might want to see; you'll see what I mean in a short while. We will see echo, which probably does what you think if you have any experience with Linux. Then we'll be doing touch, and we'll be doing mkdir, which is make directory, and then we'll do chown, chmod, then the most dangerous command, that is rm, and then you can do man, that's help. Okay. So these are the list of commands that we are going to go through as part of this video. So suppose I was making this file and I want to save it somewhere. So you see down here there are a bunch of options that are shown to you. Now this caret sign, you might be thinking that's Shift+6; it's not Shift+6, it's actually Control. So caret is Control, and then G of course means G. So if you press Ctrl+G, it will actually get help. Now what we want to do is save the file, and that is Ctrl+O, and that is "write out". So what we want to do is Ctrl+O, and now it's going to ask if we want to name the file list.txt, and we want to name the file that, and it says that we have written 15 lines. So that's how you save a file. Now all you want to do is exit out of it. Okay. So first let's do ls and let's go through whatever there is. So ls showed us the list of files that are there in that directory. Now ls can also show you the list of files in a directory with the path that you specify, likewise ls /var. It'll show me everything that is in /var. Okay, there are a lot of interesting things in /var. So let's head over to it: cd /var, and you hit Enter, and now we are in the folder /var.
So now, to actually demonstrate how powerful ls is, we have a few flags. Now to see the flags of any command you can just do --help, universally throughout the Unix command line. So out here you see some information that is stuff to read, but if you go to the top and scroll out here, you'll see all the flags that you can use with the command, that is ls, and how you can use them. So you can see what you use and you can read a little bit about it. So if you use -a, that's the option about entries starting with a dot. So suppose we were to do ls in /var; let's see, so it shows us like this. Now if you do ls -l, it'll show a long list with more information. So these are the permissions that you see out here; we will be seeing how we can change the permissions of a file soon enough. And this is who owns the file, the user and the user group, then the file number I guess, I'm not sure, and the name of the file and the time when the file was created, I guess. Okay. So that's how you get very detailed information about all the files. Now there's another thing you might want to use with ls and that is the -a flag. So you can do ls -a and it will show you all of the hidden files also. So now you see two files that were not shown out here. Our file list begins from backups, but when we do ls -la we see two more files, that is . and .. So let's see if we can move into that: cd . So we can't even move into that. So that's interesting. So these are hidden files; these are not seen by random users, and we can actually do stuff with them. We will see how we can use hidden files later on. So if you want to show hidden files through ls, all you have to do is ls -la. So that was all about ls. So let's move back to /home, where our list of commands that I want to show you is, so cd /home. Let's ls and see what was it called; it's called list, and suppose I want to see the contents of list.txt. All I have to do is say cat list.txt. Now...
It shows us whatever this file is containing. It will read it out for you. We've done cd, we've done ls and its various forms, we've done pwd. Now it's time to do cp. cp is basically used for copying files from one place to another. So suppose I want to copy this address file that is there into some other directory, let's say /var. So all I would have to do is cp name.txt, and then you specify which location you want to actually copy it to, so /var. So this is where I want to copy my file to, and you hit Enter and it's copied. But that was a very small file. Now we can actually check if it was copied before I move on and pour some more knowledge into you. So let's go into /var, so cd /var, hit Enter, and you're in /var again, and you do ls, and now you see a name.txt. So let's remove name.txt from here because I want to copy it again and show you all the difference with a flag that I'm going to use right now. So the hyphen and letters that you use are technically called flags in the Linux terminal. So let's go back to home. Now instead of using just the name of the file and moving back home like I did, you can type out the complete path of the file out here. So you could have done cp /home/name.txt and copied it to /var. But this time what we're going to do is use -v, which is basically used for a verbose output of whatever you're doing. So most of the commands that we're going to be using will have a -v with them. So let's see how this actually affects the output. So what we're going to do is copy, so cp and verbose, and we want to copy the file name.txt and we want to copy it to the folder called /var, right? So now you'll see that it will give us what is being moved, rather copied, that is name.txt.
And where it is being copied to. So this is a very good way of knowing what is actually happening, because if you do it without the verbose, and suppose name.txt was a 20 GB file, you just don't know if it has finished or not. So if it's a 20 GB file, this will continuously update you on what is being copied. So basically all you have to do is type -v if you want to know where your file is being copied and the exact path. Okay, so that was about how you can copy files from here to there. Now what was the next command that we want to see? So cat. So let me just go and see the next command that is there, so less list.txt. So after cp I want to show less. Okay. So we've done cp; we also have to do mv. Now as you guys can see, cp is basically copy. Copy, as you would expect, leaves a copy of the file in the original directory while also putting a copy in the directory that you specified. But if you want to move the file completely, all you would have to do is use the command mv. So mv is for moving the file. Now let's see what all goes with mv. So you can type --help, and as I said you get the verbose option, and you get suffixes, you can force things to happen, suppose you don't have the permission. Then there's -i, prompt before overwriting, so it'll give you a prompt, and you can completely overlook the prompt with the -f option. Let me just show you how that looks like. We'll be doing a verbose, and we will be moving the address.txt file. And okay, so every time I've been actually typing the name; you can do address.txt by just pressing Tab and it will autocomplete. So address.txt to /var. Now it will show you that it has actually renamed address.txt to /var/address.txt. Now if you go and do ls out here you will see that address.txt is not actually here, but if we were to move to /var, so cd /var, okay.
I've also been typing out commands that I have previously used, and you can simply toggle through all the commands that you've used with the up and down keys. So ls, mv, mv --help, I did cd home, and I have to go through all this just to prove a point. So cd /var. We want to change to that. Now we're in the /var folder, and we also want to see what we have out here. So address should be out here, and ls, and as you guys can see address.txt is the first file that has come up, and it is basically the same file, and I can prove that to you by just cat-ing the file: cat address.txt. And you see that it is some random address for some random person. Okay now, let's quickly clear out our window. You can do that with Ctrl+L or you can just type clear. Now what we want to do is move back to home. So yeah, cd /home. Okay. So now that we're back at home again, let's get out our next file. So less list.txt, and after move I wanted to go through cat. Now cat, as you guys can see, is printing out the contents of a file, and there's also less which does something very similar to cat. So let's see what it does. So if you do less list.txt you actually see the contents of the file in a completely new window, which overlays on the previous window, and this is a very neat way to actually see the contents of a file, which is through less, if you want to keep your main command line interface not so cluttered, which cat clutters completely. So if you want to get out of this place, this less place, all you have to do is press q, and q gets you back, and as you see nothing was printed out on our main interface. So this is a very cool way to actually keep your command line interface neat and tidy when you're doing work. Okay, so grep. So grep is used for actually filtering out stuff from a file. So suppose we want to see whether a command has some verbose option to it or not.
So now I know that mv has a verbose option, but suppose I didn't know that. So mv --help, then you use the pipe sign. So what the pipe means is you take this command, the first command, and then you pipe it into the second command, and you want to grep -v to see if that exists. Okay, so let's see, grep verbose. Yep. So a verbose option exists, and that is -v and --verbose, explaining what is being done. So what happened out here is basically we took this first command and then we filtered it, and filtering is done through the piping. So basically think about you taking something and pipelining it through something else which funnels it out of this command, which is grep. So you can use mv --help in conjunction with a bunch of other commands, and I'll leave the creativity up to you. So grep is basically used for getting what you want from a file, and grep is used very, very much throughout the course of this video, through this Kali Linux tutorial that you're going to be watching. So that is a very easy way to see if you have a particular option. Let me do it again also, so cd /var. Now we're in the /var folder, and let's ls. We actually have name.txt. Now let's also go into backups, so cd b and Tab, and that brings us to the backups folder, and we're now in the backups folder. Let's do an ls out here. Okay, so we have a bunch of files. Okay, we have some passwd.bak. Now see, if you do cat and you go passwd.bak, you can see the entire thing. Now what if you didn't want the entirety of it, or if you want something in particular, you want to be very neat? So you can do that same command, you can pipeline it, and you can say grep, and you want everything with nologin. So we can see that there's a bunch of lines that say nologin, and we only want those, and these are all the lines that say nologin in them, and it's a much smaller list, and it gives us the very particular list that you are looking for. So that is how you use grep.
So now let's head back to home. Okay, I've done it wrong. And again, let's see what the next command is, so less list.txt. So we've done grep. We now have to do echo, echo, and then touch. Okay, let's go back; we press q and we get out of there. So what did I have to teach again? I'm such a dummy. We have to do echo. Okay. So what is echo used for? So suppose you were to say echo and in quotes hello world. It would basically do what the man page says, that is echo whatever you say. Now it'll say echo hello world, and that will basically echo whatever you typed out in the quotation, that is Hello World, spelled very wrong. Okay, now suppose you want to actually put this into a file. So you could do echo hello world, let's spell it properly this time, and you want to insert it into the file. We had a phone number file I guess, phone.txt. Yep, and we can echo it into that thing. Now that was done. Now let's see what is in the phone number file: cat phone.txt, and it says hello world. So you can basically input text into a certain file with the echo command, and that's how you do it. Okay. Now let's also see how you can make directories, and that is with the make directory command. So okay, we also have to do touch before that. I forgot. Now touch is used for quickly creating files. So touch, you could say touch and then the file name, so we can create a name file again, name.txt, and that will create name.txt. Let me just show it to you, ls, and we have a name.txt. We can also create multiple files with touch, and you could say file1 file2 and file3. So like this you can create multiple files, and let me just ls that out and show it to you, ls, and we have file1, file2 and file3. Now we can also create a directory. So mkdir and the name of the directory. So suppose you wanted to save all your movies in one directory, then mkdir movie, and now you have a directory called movie, and you can also move into movie. So cd movie.
Okay, so that's how you create directories, and you can move into them with the change directory command. Now let's see what the next command was. So cd and dot dot. So with cd .. you can move back to the previous folder; I've already told you that. And since we're in movie we can just go back to home with cd .. Now let's see what else is there, so cat list.txt. And okay, now chown, chmod. Now chown will be a little tough to show because we don't have any sort of other user here. The root user is the only user that we have on this VirtualBox setup, but if you want to change the ownership of a file, so let's see, you can see the ownership of a file through the ls -l command, and you see root and root. So this is the owner name and this is the owner group, and they're mostly the same thing. So our next command that you're going to actually see is called chown. So let's see how chown is actually used. chown is used for changing the ownership of a file. So I actually don't remember how to use chown. So if you actually don't remember or you're getting stuck somewhere, just use the help function. So if the command line argument is symbolic... so let me just go through this one. So this is how you use it: owner and then colon group, okay, and then the file name. So you do chown and then you say the name of the owner and the group you want it to belong to, that is root and root, and then you specify the name of the file. So suppose I want to change file1; that already belongs to root and root, so it doesn't really matter, because I don't have any other username to actually change the ownership to. So this is how you would normally change ownership. So let me just show you where you can see the ownership, and that is ls -l, and I'll show you the root and root you see on file1. Basically this is the owner; this is the owner group.
They're normally the same thing with the same name, but if you had some different owner, like a guest, you could change it by actually using the chown method, I mean command; methods are different things, I always get confused because of the programming. Okay. Now the next command that is left is called chmod. To actually show you how chmod works, let me show you an interesting file. So suppose, let me just do this once. Okay, now echo what you want to echo. What we'll echo is hello world, and let's put that in quotation. And we want to put this in test. Now once we've done that, let's ls, and we see that we have a test file out here, and we want to move test to test.sh, so test.sh is the executable file that is used in bash scripting. So we move test to test.sh. The way you actually execute bash files on your command line is with dot plus slash, so ./, and if I press t and then Tab, you see that there are no options coming up. That is because test.sh is not an executable file; test.sh doesn't have the executable permission. So let me just show that to you: ls, and you see test.sh doesn't have the executable bit. Now you see movie, it is executable; I don't know why, it is a directory, so it is executable, you can move into it, so it's blue in color. So the way you actually can make this an executable is by changing its permission. So the way you do that is chmod, and basically you change it to an executable. So +x, that is making it executable. If you do +r it'll make it readable, and if you do +w it will make it writable also. So if you do +x and test.sh, and now you go and do ls -l, you'll see that test.sh has become green because it is an executable file now, and now if you do ./ and you press t, you get test.sh when I press Tab, so now it is an executable file. And if I execute it, it prints out hello world onto my screen.
So that's how you can use chmod, which is basically for changing permissions of files, and we'll be changing permissions of files throughout the course of this video; it will be very useful for us and you'll see as we go along with this video. Okay. So the next thing that I want to show you: only two are left and I remember those now, and it is rm. rm is used for actually removing files. So you should be very careful while using rm or any sort of removing command on a Linux system, because once you remove something it is very difficult to get it back, almost impossible. It's not like Windows, where it basically just disappears in front of your eyes but it's still there in the memory cluttering it all up. That's why Linux always trumps Windows; that's one of the reasons, and I'll make a video on that later on. But for now let's focus on rm. Now we can remove file1. So let's see, so file1 is going to be removed. So if we ls now, you see this, but let me show you rm -r. And if I do rm movie it'll say cannot remove 'movie': Is a directory. But if you go into the help menu I bet there will be an option that you can just forcefully remove it. So rm force will just remove, so rm -r, and you can do movie, and it will recursively remove everything, and if you go here and do ls -l you'll see that there is no movie directory anymore. And that is how you can remove movie. Now that error that you see out there is actually a safety measure, because once you remove a directory it's not retrievable; that's a very sad scenario and you don't want to get yourself in such a scenario in whatsoever possibility. Okay, moving on, so on and so forth, that was all about the rm command. Now you can do rm and the path of anything. So rm, I know we moved address.txt to the /var folder, so we can do rm /var/address.txt, and that will remove address.txt from the /var folder. Let me just show you that it worked.
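The command line tour above (echo, cat, cp -v, mv, grep, touch, mkdir, chmod, rm), replayed as one self-contained script. This is an added example, not code from the Edureka video: it works inside a throwaway directory created with mktemp so nothing outside it is touched, and the file names (phone.txt, address.txt, name.txt, test.sh, movie) and the passwd-style sample lines are constructed for the demo rather than taken from a real /var/backups.

```shell
#!/bin/sh
# Added example, not code from the Edureka transcript. Every file and the
# passwd-style sample below are constructed for this demo.

set -eu

SANDBOX=$(mktemp -d)          # private working directory for the whole tour
cd "$SANDBOX"

# echo with > writes text into a file; cat reads it back.
demo_echo_cat() {
    echo "hello world" > phone.txt
    cat phone.txt                                   # -> hello world
}

# cp -v copies and reports "src -> dst"; the original stays where it was.
demo_cp_verbose() {
    mkdir -p var
    echo "some random address" > address.txt
    cp -v address.txt var/ >/dev/null
    if [ -f address.txt ] && [ -f var/address.txt ]; then echo both; fi
}

# mv relocates the file: afterwards only the destination copy exists.
demo_mv() {
    mkdir -p var
    echo "+1 555 0100" > name.txt
    mv name.txt var/
    if [ ! -e name.txt ] && [ -f var/name.txt ]; then echo moved; fi
}

# grep filters a file: keep only the passwd entries whose shell is nologin
# (constructed sample, not a real /var/backups/passwd.bak).
demo_grep_nologin() {
    cat > passwd.bak <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
analyst:x:1000:1000::/home/analyst:/bin/bash
EOF
    grep -c nologin passwd.bak                      # -> 2
}

# touch creates empty files, mkdir a directory; ls -d lists all four.
demo_touch_mkdir() {
    touch file1 file2 file3
    mkdir -p movie
    ls -d file1 file2 file3 movie | wc -l | tr -d ' '   # -> 4
}

# A script only runs after chmod +x grants the execute bit.
demo_chmod_exec() {
    rm -f test.sh
    printf '#!/bin/sh\necho hello world\n' > test.sh
    before=$( [ -x test.sh ] && echo yes || echo no )   # no x bit yet
    chmod +x test.sh
    after=$( [ -x test.sh ] && echo yes || echo no )
    echo "$before $after $(./test.sh)"              # -> no yes hello world
}

# rm refuses a directory without -r; rm -r removes it with its contents.
demo_rm_dir() {
    mkdir -p movie && touch movie/clip
    if rm movie 2>/dev/null; then first="plain"; else first="refused"; fi
    rm -r movie
    if [ -d movie ]; then second="still-there"; else second="removed"; fi
    echo "$first $second"                           # -> refused removed
}

main() {
    demo_echo_cat; demo_cp_verbose; demo_mv; demo_grep_nologin
    demo_touch_mkdir; demo_chmod_exec; demo_rm_dir
}
main
```

Run it with sh; each function is independent and can be re-run, and the sandbox path is left behind for inspection (remove it with rm -r when done, which is the same safety lesson the rm section makes).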
So cd /var and ls, and you see that there is no address.txt out here. Okay, another way to get help for any command that you want is man. So suppose you want to see what rm does: man rm will show everything about rm that there is to show you, how to use it, it'll give you a description, a synopsis, the name, "remove files or directories". It's a very useful way. So out here you see the manual page; so that is what man means, manual, and you can scroll through it line by line, and you can press q to quit. So that's very much helpful. OK guys. So that was all about the command line interface and how we can use it to go about the operating system and change file permissions, copy files, move files and a bunch of other stuff. Now it's time to get on with the interesting stuff, and that is firstly we're going to be learning how you can actually stay anonymous with proxychains. OK guys. So now that we are done with the command line basics, it's time that we move forward with proxychains. So before we move forward with proxychains, let us head back to the PowerPoint presentation and see what exactly proxychains are. Okay. So proxychains: now as the name suggests, proxychains are basically a chain of proxies. Now where is a proxy used? A proxy is used whenever you want to anonymize yourself on the wire or the network. You do not want others to know what the source IP address was for your client system, and to do this all you have to do is send your packet through a bunch of intermediary systems, and these intermediary systems carry the packet and transmit it to the target system. And this is much slower. Let's see how we can use this in Kali Linux, in combination with Tor, in order to anonymize not only web browsing traffic but rather all network-related traffic generated by pretty much all applications, though you can also change this in the settings.
Now what we're going to do is open up the proxychains configuration file, and we're going to understand all the options that are available. So to do that, all you have to do is say nano, go into the /etc folder and then go for proxychains.conf. And what you see out here is the nano editor, and we had spoken about the nano editor when we were discussing the CLI part; I hope you haven't skipped that. Now what you see out here is a bunch of instructions and options. So let me just zoom in on the command line interface and now you can read everything much better. So what proxychains is: well, it gives you the ability to route your traffic through a series of proxy servers and stay anonymous in such a fashion by hiding behind them, or by having them forward your request, so it looks like on the other side that your requests are coming from them as opposed to you. Now surprisingly enough, there are a large amount of these proxy servers out there that you can use, but they're not very stable, you know, they go up and down, and they're not very fast. So for specific targets they can be useful, but not for brute forcing and not for any sort of computing attack. So suppose you're doing something to a certain target or trying to log in, or you're already logged in, you can definitely do it through proxychains and it will be reasonably fast and reasonably stable as well. But if you're doing some sort of mass scanning or you're brute forcing a password or something of that kind with a proxy chain with a list of proxies selected from the internet, especially the free proxies, it's not going to work. I mean it's going to work out eventually in a technical sense, but it will consume more time than you can spare, and by that I mean it can be a very, very long time. It can take about a month or two to do a simple scan.
So that's not an option, and there are other ways of doing that, but for the time being I just want you to know how you can use proxychains and how you can configure it, because it's really useful and I use it fairly often; a lot of people do, and it's a fantastic piece of software. So first off we have the types of proxies. So you see HTTP, SOCKS4 and SOCKS5. Now there are fundamental differences between these protocols, and you always want to find yourself a SOCKS5 proxy, as that's the best possible one and that has the ability to anonymize all sorts of traffic. HTTP, well, as the name says, it's for HTTP traffic, and SOCKS4 is very similar to SOCKS5 but it does not support the IPv6 protocol and it does not support the UDP protocol. So SOCKS4 can be rather problematic, and you always want to make sure that you're using SOCKS5 wherever and however. Anyway, down below you have these other options, which we will go over. So basically, how you enable these options is that you don't need to type some complex lines of code or anything of any kind; basically all you have to do is just delete the hash out here. I'll show you. So suppose we want to actually activate the dynamic_chain option. So all we have to do is delete the hash. But let's put in the hash right now. So after you delete the hash, all you have to do is save the file and the option is enabled. This hash represents a commented-out line, meaning that the system reading this will ignore the line if there is a hash, and if there isn't a hash it will take it into consideration and interpret it accordingly.
Anyway, what we have here are statements which allow us to specify how we want our traffic to be routed. First off we have dynamic_chain. Dynamic chain is the option you will find people using the most; it is the most commonly used option and a preferable one at that, and honestly I think it's the best one out there, primarily because it's the most stable one, and here's why. Suppose you have proxies A, B, C and D. Those are some servers with IP addresses and open ports. If you have a strict chain policy, which is what is enabled on this computer right now, as you see, then you will only be able to access any site on the internet by going through A, B, C and D. You have to go through all of them, and you have to go through them in that specific order, A, B, C, D, and that's not always a good thing. I mean, if you're paying for five proxies, that's not a problem, because they will always be operational and they will always be up, and why not, that's not a bad idea or option. But there are people who use proxies for free and don't tend to pay for them. Why would you pay for five proxies for a simple scan or something of that kind? They're not free, they cost money, and they're rather expensive too. But still, the act of paying itself identifies you and kind of diminishes the amount of anonymity you have on the internet. Some complex payment methods can still be used to anonymize yourself, but it's far simpler to just use a dynamic chain. So firstly we're going to go ahead and uncomment the dynamic_chain option, and we're going to comment out the strict_chain option, so strict chain will no longer be used and I will be using dynamic chains. One more thing to note here: if you want to use proxychains in combination with Tor, that is, if you want to route all your traffic through the Tor network and not just web traffic, you must enable dynamic chains.
I mean, there's a chance that it will work with strict chains, but given the instability of Tor nodes it is highly unlikely. You will need dynamic chains, and that is why I'm using them. Anyway, dynamic chains just give you the ability to go from A, B, C, D to your desired destination without having to adhere to any order. So let's say C is down: you would go A, B, D and it would work with no problems. Even if B was down you would go A, D and you would still reach the destination. So as long as one single proxy is functional, it's going to work, and you don't require any specific order to do it. Now, down below you have some other options too. First is random_chain. Random chains in effect are basically the same thing as restarting your service; I mean, if you're restarting your Tor, you will be assigned a new IP address, and in Tor you get a new IP address every 10 minutes or so. Anyway, with random chains you can specify a list of IPs and then you can tell your computer: okay, I want you to connect to this point, and every time you connect, every time you transmit a packet, I want you to use a different proxy. We can do that as well, and that's definitely one of the options. You can also say: use this one five times and then change to another one, or something like that. There are a lot of options to specify there, for example the chain length. Anyway, down below there's quiet_mode; you don't really need that. Then there's proxy_dns: proxy DNS requests, no leak for DNS data. This is very important. You cannot have any DNS leak, and let me explain to you what DNS leaks are. Even though somebody cannot get your particular IP address, they can get the IP address of the DNS server that you are using, and what DNS servers do is resolve domain names to IP addresses and vice versa.
So for example, if you type in youtube.com, the DNS server of your local ISP will resolve that into some IP address that YouTube has and it will make the request, no problem. You do not want that happening, because your local DNS server will be discovered, and that is information that can be used to figure out your personal IP address, and when that is done your physical location is pretty much compromised. And that's no good; you definitely need proxy_dns here. It might slow you down a bit, but without it you're practically not anonymous, and it's just a matter of time before somebody finds you. Now, if you go down below we have some other options here, but we're not really interested in them at the moment. What we are here for are the formats for entering proxies, and I'm going to leave it at that. So what you see out here is first the type of the proxy, that is socks5, then the IP address, then the port number, and then two words, that is lamer and secret, and on the next line justu and hidden. Okay. So now, what you see out here, as I just said, is how you would actually write down your proxies. As I already said, you always want to be using SOCKS5, and you don't want to be using HTTP because they're not really that safe, and SOCKS4 doesn't support a lot of things anyway. This is the IP address of the proxy server (we will enter a few of them manually later on), and this here is the port number on which the proxy server is listening, and that port is open. Over here are these two words: some proxy servers, especially paid ones, will always have a username and password, so you can just type them here in plain text. Fortunately, it is assumed that only you, and you alone, have access to this computer and to this file, but besides this file, well, you never know.
Everybody can read this file anyway. So if you just type in the username here and the password here, you will gain access to a certain proxy that you have chosen or paid for. Anyway, these are just some examples, and we won't actually be using these proxies or anything of the kind. We need to go down below here, to the end of the file. So if I just press Enter a couple of times, there we go. Here there is only one proxy active at the moment, and it says socks4, and all traffic is routed through Tor by default. So that is Tor, and Tor listens on this port, so 9050 is the port that Tor listens on. Now what we want to do is add a SOCKS5 proxy address. What you want to do is just type in socks5 and the same IP address (you want to keep the spacing correct, so just use Tab), so 127.0.0.1, and then you want to specify the port number also, so 9050. What you see out here, 127.0.0.1, is the loopback address of your computer. This is for any device communicating with itself; if you're pinging this address you're pinging yourself, basically, and usually people ping this address to make sure that the IP protocol is set up correctly even when they don't have internet connectivity. So let's just type in 127.0.0.1 and the same port number, 9050. Now we have to press Ctrl+O to save our file; you can save under the same name, and it says 65 lines were written. Now you have to press Ctrl+X and you exit out. Let's press Ctrl+L and clear our screen. We just edited our proxychains configuration in a very neat environment. So let's go ahead and type in service tor status, since we want to check the status of our Tor service. So service tor status, and it says the tor service could not be found. So do we have the Tor service installed? Okay, so the Tor service is not installed. Just give me a moment, I'll quickly install it. Okay.
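As an added example (not part of the original course material), here is a small Python checker for the proxychains.conf edits described above: it parses the file, confirms exactly one chain mode is uncommented, that proxy_dns is on, and flags socks4/http entries and plain-text credentials. The sample configuration text is constructed to mirror the state the tutorial leaves the file in; the hostname and credentials in the second sample are placeholders.

```python
import re

# Constructed sample: the state the tutorial leaves /etc/proxychains.conf in
# (dynamic_chain on, strict_chain off, proxy_dns on, Tor on 127.0.0.1:9050).
SAMPLE_CONF = """\
# proxychains.conf (constructed sample, not the shipped file)
dynamic_chain
#strict_chain
#random_chain
#chain_len = 2
quiet_mode
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
"""

# Constructed sample of a badly edited file (placeholder host and credentials).
BAD_CONF = """\
dynamic_chain
strict_chain
#proxy_dns
[ProxyList]
http proxy.example.net 8080 alice hunter2
"""

CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")
# type host port [user password]
PROXY_RE = re.compile(r"^(http|socks4|socks5)\s+(\S+)\s+(\d+)(?:\s+(\S+)\s+(\S+))?$")


def parse_proxychains(text):
    """Return active chain modes, proxy_dns state and the [ProxyList] entries."""
    modes, proxy_dns, proxies = [], False, []
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a leading hash comments the line out, exactly as in the tutorial
        if line == "[ProxyList]":
            in_list = True
            continue
        if in_list:
            m = PROXY_RE.match(line)
            if not m:
                raise ValueError("malformed proxy entry: %r" % line)
            ptype, host, port, user, password = m.groups()
            proxies.append({"type": ptype, "host": host, "port": int(port),
                            "user": user, "password": password})
        elif line in CHAIN_MODES:
            modes.append(line)
        elif line == "proxy_dns":
            proxy_dns = True
    return {"modes": modes, "proxy_dns": proxy_dns, "proxies": proxies}


def lint_proxychains(text):
    """List the problems a reviewer would raise about this configuration."""
    cfg = parse_proxychains(text)
    findings = []
    if len(cfg["modes"]) != 1:
        findings.append("exactly one chain mode must be active, found: %s"
                        % (cfg["modes"] or "none"))
    if not cfg["proxy_dns"]:
        findings.append("proxy_dns is disabled: name lookups go to the local resolver (DNS leak)")
    if not cfg["proxies"]:
        findings.append("[ProxyList] is empty")
    for p in cfg["proxies"]:
        where = "%s %s:%d" % (p["type"], p["host"], p["port"])
        if p["type"] == "http":
            findings.append(where + ": http proxies only relay HTTP traffic")
        elif p["type"] == "socks4":
            findings.append(where + ": socks4 carries no UDP or IPv6, prefer socks5")
        if p["user"]:
            findings.append(where + ": credentials stored in plain text, restrict file permissions")
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("bad", BAD_CONF)):
        print(name, lint_proxychains(conf) or ["ok"])
```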
So now that we have set up our proxychains configuration file and we have put in a SOCKS5 proxy entry pointing at the Tor service, what we need to do first is start up our Tor service. To check whether the Tor service is running or not, let me just clear that out, we need to go service tor status, and you see it says it's inactive. So what you have to do is say service tor start, and that will start the Tor service. It might take some time depending on the system that you're using, and there, it has started for me. Now, to actually use proxychains before you go to any website, all you have to do is say proxychains, then you specify the browser that you're using, so we're going to be using firefox, and you could say something like www.duckduckgo.com. Now here you will see how your ping is being transmitted to duckduckgo.com; when I say ping, I mean your packets and your requests, I'm sorry for my vocabulary. So now your packets are going to be directed through a bunch of IP addresses, but we haven't actually put in a bunch of them, we have just put the loopback for the Tor network, so we will let Tor do the rest of the things for us. Okay, so depending on your system this might take a little bit of time to actually open up. Let's go ahead and see what's actually happening on the terminal while this thing is loading. As you can see, it's going through a bunch of proxies out here, and some are denying it and some are saying it's okay. So, as you guys can see, most of the time you might get denied, and it will be accepted on a smaller number of occasions, and that is exactly what we're looking for, because primarily we have gone to great lengths for anonymity, and what you want to do is stay like that. So this is basically how you use proxychains. Now, if this computer just decides to open up duckduckgo.com in Mozilla,
I could actually show you some interesting stuff, but it seems my computer has kind of given up on actually opening duckduckgo; it's still waiting for duckduckgo's confirmation, but that's about it. So this is how you can actually configure proxychains. I'm really sorry that my computer isn't working well right now and nothing is actually opening in Mozilla; it's mostly because my RAM is overloaded. I think I should go ahead and get myself new RAM. But for now, let me also say that we can put in some custom proxy lists instead of just using this. Let me just go ahead and open up that file again, as you guys can see out here. I'm going to end this right now because my computer can't really take all this pressure; see, it's struggling so hard. Okay, let me just quit out of that and open up a new one. Now, as I had said, you can put in some custom proxy lists; I'm not really going to do that, but let me just show you how you can do it. You go nano /etc/proxychains.conf, so you basically have to go into the proxychains configuration file. Okay, so I think I should put this in. Yeah, now if you just go in and edit out here, all you have to do is set up dynamic chains, and you can go online and search for a free proxy list, and that will give you everything from the port number to the IP address. Let me just show it to you: free proxy server list. All you have to do is search for free proxy server list, and you can see out here the proxy type is HTTPS, and you basically want to find a SOCKS5 proxy; to find a SOCKS5 proxy, just add that into your keyword. Once you find those proxy addresses, all you have to do is take down this IP address followed by the port number, put it down in this configuration file, hit Ctrl+O and save it, and then you just go back. So that was all about proxychains and how you can set up proxychains to make yourself very anonymous.
I'm sorry about that, pardon me, that's the sad state of my computer, but moving on, let's go ahead and study macchanger. Okay guys, so that was all about proxychains; let's move ahead to macchanger. Now, before we go into the tool called macchanger, let's just see what a MAC address is. MAC address stands for Media Access Control address of the device, and it is a unique identifier assigned to a network interface controller for communication purposes. MAC addresses are used as a network address for most IEEE 802 network technologies, including Ethernet, Wi-Fi and Bluetooth. In this context, MAC addresses are used in the medium access control protocol sublayer, and they are typically represented as six groups of two hexadecimal digits each, separated by colons. The first three hexadecimal groups are the organizationally unique identifier, so they represent your vendor, and the next three hexadecimal groups represent your network card's unique ID. Okay, so when you are on a network you are recognized in something called an ARP table. Let me just show you the ARP table and how you can see it. Let's go in; the password is still root. An ARP table is basically an Address Resolution Protocol table. Well, this is a virtual machine and it doesn't really know many machines on the local network, but if I were to go on my Windows system and show you my ARP table, let's see. Okay, so if I show you the ARP table of my Windows machine, and on any machine that has the TCP/IP protocol suite installed you will have this command called arp, and you give it -a, now you see that your IP address, or somebody else's IP address, is mapped to a physical address. The MAC address is very commonly used in the ARP protocol, and this is how you are actually identified on a network. Now, sometimes what you want to do is be unknown on this network.
There are various reasons why you might want to do that. Let me just give you an example of a very malicious reason; this was done in my college. So we, as students, would actually change the MAC address of our own computer to the professor's computer's MAC address. We would somehow look up the professor's IP address, then come to know his MAC address, then we would spoof our MAC to be his MAC address, and then we would do some sort of malicious activity on the college internet. The internet administrators of our college would then come to know that that MAC address was doing some sort of malicious activity, and that MAC address would get permanently banned for that session on the college network. So basically our professor would not be able to use the wireless projector that he would use to show us his presentations, and we'd end up getting a free class. Now, I am not actually promoting any sort of bad activity like this; I have just experienced this in my own college life. So that was one thing, but there are many other reasons that you might want to spoof your MAC, and macchanger is an amazing tool for spoofing your MAC. So first of all, how do you come to know your MAC address? Let's see, you go ifconfig, and this will give us our MAC address. Now, this address that you see out here is the MAC address of this machine. You can also check out the MAC address by going macchanger and then typing in the help option, and this will show us how to get the MAC address. If you see, there's a show flag, so we can go macchanger, put -s, and then you put the interface. The interface is where it's working, so eth0 is where we are; we don't want the loopback one. So eth0, and this will give us the MAC address. So the current MAC address is 08:00:27... Let's see if that was the same one shown. Where is that? Okay, so 08:00:27, so, I'm sorry, this was the MAC address.
I selected the wrong thing; what I was showing you was the IPv6 address, and you can see that's very, very long. So this is our MAC address. Now, what you might want to do is change your MAC address. Well, let's see: with -V we can get the version, with -s you can show, we can do -e, and as I said, if you remember that the first three groups are about the vendor, you can also get the vendor list by going -l. So you go -l, and this will give you a list of MAC prefixes and which vendor they belong to. So sometimes, if you know the vendors that are actually being used on the network of your college, for example, and you want to just stay anonymous and not raise any flags of suspicion, you could hide yourself as a Cisco router. Suppose your college was using all sorts of Cisco routers and you decided that today, I'm going to present myself as a Cisco router and I'm going to screw around with the network. That would not raise any flags; before you actually decide to do some malicious activity, on some deeper inspection of your MAC address people would realize that you are actually spoofing the address, and after some investigation it would take them some time to actually reach you and figure out how you spoofed it, but the whole idea of changing your MAC is not raising any flags, and that is exactly what you should try to do. So macchanger is also very useful for getting the list of all the MAC prefixes and the vendor IDs. Now, let me just clear the screen quickly, so we go clear, and let's bring back the help, so we go macchanger --help. What we want to do now is give ourselves a random MAC address. With macchanger, that is done with the -r flag, and we want to do it on eth0. Once you run that, you will be given a new MAC address. Our new MAC address is f6:c6:49..., and you can verify that by running ifconfig. We could just do ifconfig and you see our new MAC address next to ether; we could also do something like ifconfig and grep for ether.
So that's just telling you the MAC address, and this is completely new. You can also show it with the macchanger tool itself; okay, so we need to give it eth0. Now you see that this is our current MAC address and this is the permanent MAC address, and the two are completely different. Sometimes you also might want to change your MAC when your laptop or your system is booting up, because you might want to stay anonymous all the time. Who knows, sometimes you might think, I'll change it when I want to change it, but let's face it, we are forgetful as human beings and we tend to forget things that we are supposed to do. So what is better than to automate the whole process yourself and forget about remembering all this nitty-gritty stuff? The way you can tell Linux, or Kali Linux, to change your MAC address on boot-up is to use this tool called crontab. Crontab is used for scheduling tasks on Linux, so let me show you how to do that. Firstly, let's clear our screen and go crontab --help. You see it's a pretty small menu. First we have the -u flag, for the user this file is going to work for; then we have the -e flag, which is for editing the user's crontab; -l lists the user's crontab, and let's see, do we have any crontabs? There is no crontab at this moment, so we can set one up for ourselves by going -e. Then there's -r, which deletes the user's crontab, and I want to tell you all to be very careful when deleting anything of that sort, because once you delete something from Linux, as I've already said, it is very, very difficult to retrieve it back. You might get fragmented pieces of what you had deleted, and that will only leave you with sadness and devastation. Now, what you want to do is go crontab -e, and this will bring us to "select an editor"; to change it later on, run select-editor.
So we'll do it in Nano. What you have out here is the readme of crontab, and if you read this entire thing you will understand how to use crontab completely. If you have any sort of doubts even after reading it, you can leave them down in the comment section below. Now, what you want to do is set up a crontab entry so that you can change your MAC address whenever you reboot your computer. So all you have to do is say @reboot, and what you want done is macchanger, and if you remember, we want to randomize the MAC address with -r and we want it on eth0. So that's done. Now all you have to do is save this thing: you go Ctrl+O and that will write out your crontab, you press Enter, and it says one line written. Now you go Ctrl+X and you exit out. Let us clear the screen by pressing Ctrl+L, and let's go ahead and get our MAC address. If we go ahead and run that, our MAC address is set to f6:c6:49..., so just remember the first few characters, f6, c6 and 49. Now let me just reboot my computer, and you will see that after I reboot and run ifconfig again with grep for ether, we will see a different MAC address. Rebooting might take some time because I'm actually using a virtual machine, and it's still giving problems with Firefox, but let's hope this won't take much time. Okay, so now that our computer has booted up and we have opened up a terminal, let's go in and type ifconfig and grep for ether, that is the MAC address. If you remember the MAC address, you see that it has completely changed, and that's how you can spoof your MAC address on your local network. This will basically help you in staying anonymous on ARP and anything that actually maps your IP address to the MAC address. Okay, so that was all about macchanger; see you in the next section. In this section, we will be talking about wireless encryption protocol cracking.
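The college story above is exactly what an ARP table lets an administrator spot. As an added example (not part of the course), here is Python that parses two constructed `arp -a` snapshots in the Windows format shown in the video and reports an IP whose MAC changed between them, as well as a MAC shared by two IPs; all addresses are made up for the example.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output (Windows layout) at two points in time.
# In ARP_AFTER, 192.168.10.21 has taken over the MAC of 192.168.10.20.
ARP_BEFORE = """\
Interface: 192.168.10.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-50-56-c0-00-08     dynamic
  192.168.10.20         08-00-27-1a-2b-3c     dynamic
  192.168.10.21         f6-c6-49-10-20-30     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
ARP_AFTER = """\
Interface: 192.168.10.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-50-56-c0-00-08     dynamic
  192.168.10.20         08-00-27-1a-2b-3c     dynamic
  192.168.10.21         08-00-27-1a-2b-3c     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE)


def normalize_mac(mac):
    """Canonical lowercase colon form, so '08-00-27-..' and '08:00:27:..' compare equal."""
    return mac.lower().replace("-", ":")


def oui(mac):
    """First three octets: the organizationally unique identifier (vendor part)."""
    return ":".join(normalize_mac(mac).split(":")[:3])


def parse_arp(text):
    """Map IP -> (mac, type) from `arp -a` style output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (normalize_mac(mac), kind.lower())
    return table


def find_mac_changes(before_text, after_text):
    """IPs whose MAC differs between two snapshots: (ip, old_mac, new_mac).
    Note: a legitimate DHCP reassignment also shows up here, so treat hits as leads."""
    before, after = parse_arp(before_text), parse_arp(after_text)
    return [(ip, before[ip][0], after[ip][0])
            for ip in sorted(before) if ip in after and before[ip][0] != after[ip][0]]


def find_shared_macs(table):
    """Dynamic entries where one MAC answers for several IPs (a classic spoofing sign)."""
    by_mac = defaultdict(list)
    for ip, (mac, kind) in table.items():
        if kind == "dynamic":            # multicast/static entries legitimately repeat
            by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    print("changed:", find_mac_changes(ARP_BEFORE, ARP_AFTER))
    print("shared :", find_shared_macs(parse_arp(ARP_AFTER)))
```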
That is basically Wi-Fi cracking. Now, Wi-Fi in today's day and age uses PINs or passwords to normally encrypt the data usage. Basically, if you want to access the wireless access point, you need a password or a PIN to gain authorization. This authorization check is done using a four-way handshake, which we will try to capture using a tool called aircrack-ng, and then we will try to crack the password using a wordlist generator called crunch. Now, you can use aircrack-ng to crack WPA and WPA2. There's also another protocol called WEP, and that is not normally used these days. If you find anybody using that, you should always advise them to upgrade to WPA or WPA2, because WEP is very easily cracked these days, and people are generally punished for using WEP by hackers all around the world. Okay. So now you can go ahead into a terminal and type ifconfig to look at your network card name; as you guys can see out here, it's called wlo1. The first step that we need to take to go into the process of Wi-Fi cracking is to set up our network access card, or our access point, in monitor mode. As you guys can see out here, after typing ifconfig it shows me that my Wi-Fi access card is the wlo1 interface. Now, our process of cracking passwords is pretty simple. What we want to do is monitor for all sorts of access points that are nearby. Once we have chosen the access point that we want to penetrate into and find the password of, what we want to do is run an airodump scan on it, and then we will try to deauthenticate any device that is connected to the access point. One assumption out here is that the password is saved on that device, so it will automatically try to re-authenticate itself with the access point, and we want to catch and log this re-authentication process, which will actually have a four-way handshake between the device and the access point.
So this is basically the procedure we are going to follow. Now, another thing that you need to know before actually using this process to gain access to any network is that you need to know a little bit about what the password is. Maybe it could be the length, or it could be something like a specific character at a specific place, or maybe you know a series of characters. You just can't really guess the password out of thin air; that is not how cracking works, unless you have some unlimited amount of processing power, in which case you can very well brute force it and just find the password. But if you are not somebody who has unlimited processing power and you're trying to use aircrack-ng, you need to know a little bit about the password. Also, before we proceed with this wireless encryption protocol cracking, what I want to say is: if you want to get into somebody's Wi-Fi network, or you want to actually test for vulnerabilities, it's better that you test for router vulnerabilities than actually cracking a Wi-Fi password, because you're more likely than not to find router vulnerabilities than to successfully crack a Wi-Fi password if you don't know anything about it. If you don't know anything about the password, just go ahead and run some vulnerability tests on the router itself, and more often than not you will just find something you can abuse. Okay, now let's talk about the two tools that I'm going to be using. One of them is already installed on Kali Linux, but if you are not using Kali, you can also use these on any Linux-based system.
So what you have to do is download and install aircrack-ng, which is easily installed with the command apt-get install aircrack-ng, and you also have to install this wordlist generator called crunch. Crunch is easily downloadable by just Googling the name; the first link will be a SourceForge link, and all you have to do is go inside that and install it. Once you've figured out how to install crunch, you can make sure that it's installed. Now, once you have installed both pieces of software, you can check whether the manual pages open up. Let me just open the manual page of aircrack-ng and show you that it has been properly installed. As you guys can see, the manual page of aircrack-ng opened up, and the manual page of crunch is also opening up, so that means both of our programs have been successfully installed on our system. Before we go ahead, let me just show you how crunch actually works. Crunch is basically a wordlist generator: what you do is generate a wordlist with given characters. What you can see out here is that I've typed in crunch 3 5, which means the minimum length is 3 and the maximum length is 5, and I've given it a series of numbers, so it will use these numbers and generate all the words that are possible from length 3 to length 5. The way we are going to use crunch in conjunction with aircrack-ng is that we are going to use crunch to generate the wordlist, and then we are going to pipe the wordlist into aircrack-ng when we are actually trying to crack what we will capture in a certain log file. Now, what you want to do first is put your network interface card into monitor mode. You can do that by typing in ifconfig and then the interface name, which happens to be wlo1, and first you have to put it down, so ifconfig wlo1 down. Now, to put your interface card into monitor mode, you have to type in iwconfig, then the name of the interface, and then mode monitor.
Okay, it seems I've spelled it wrong, so let me just do it once again. So that has put our network interface card into monitor mode, and what we need to do after that is start up our network interface, so all we have to do is type in ifconfig wlo1 up. Once it is up and running, you can check by typing in ifconfig that indeed your network interface card is up and running; don't worry, it's running in monitor mode. If it's up and running, what we want to do next is pretty important to the whole process. What we want to do now is check for some services that might still be running in the background that might interfere with our whole scanning process. We do this by typing in the command airmon-ng check and then the name of the interface. As you guys can see, nothing is exactly running right now, but if there were any processes running, you would again run the command airmon-ng check, and instead of writing the interface name, all you have to do is say kill; it will kill any processes. Now, if you see any process named NetworkManager, you want to kill that process first, separately, and then kill any other child processes. You may need to run this command a few times before all the processes are killed, and then you're good to go. Okay, so now that we have finished killing all the subprocesses, what we want to do is run an airodump scan on the network card, that is wlo1. For this we go airodump-ng and then we put in the name of the interface, and this will start the scan, which will look something like this. After you run the airodump scan on your interface, what you see out here is a result of all the access points that were found in monitoring mode. Now, if you see, we have a bunch of columns out here. First of all we have the BSSID column; the BSSID column is basically the MAC address of all the routers that were found. Now, every router obviously has a MAC address.
So those are the MAC addresses that are tied to the router names, which are shown by the ESSID. Then we have the PWR column, we have the Beacons column, we have the data packets column. Another important column is the channel column; it's important to know which channel your router is working on. Then we can see the cipher column and the authentication column, and out here we can see the encryption that is used. Most of them are using WPA2, so what we will be cracking is basically WPA2. From this, what you need to recognize is basically the Wi-Fi router that you want to crack into. Now, I'm performing this particular test at my office and I don't really have the permission to go in and test these for vulnerabilities; I'm not a security analyst over here, so I don't really have the permission to penetrate into them. What I have done is run a similar test at home using my own Wi-Fi, and I will show you the results for that. But for this working example, you will see the scans that I'm running in this office. As we intend to stay ethical, what we are going to do out here is capture whatever we find in our office for educational purposes, but when we are doing the actual cracking step, that is the last step of this whole procedure, I'll be running it on a file that I had generated at home, as I just said, because I have permission to do whatever I want with my own Wi-Fi and passwords. Okay. So for this example, I'm going to pick this Wi-Fi that is called "attract of Wi-Fi", and it's running on channel number 6. What you want to pick from here is the BSSID and the channel number; we need to remember these two things, first the BSSID and then the channel number. What you want to do after that is open up a new window on your terminal and log in as root. What we want to do here is run a separate airodump scan on this specific BSSID and check for all the devices that are actually connected to this access point.
We do this by running the command airodump-ng, and while we're doing this we also want to capture all the scan output that we get into a certain file, so we will be storing it in a file called capture, and then we just have to pass in the BSSID and the interface. We also have to specify the channel; so let's see what the channel is, the channel is channel 6. So that's what we want to do, and we specify the channel with the -c flag. After you have identified the MAC address, all you need to do is copy it down and place it after the --bssid flag. Okay, so we're going to run our command out here, and we just want to say our file is going to be, well, testcapture. Now that our scan is up and running, all you want to do is wait until someone is actually connected to this access point. I forgot to mention this: for this process to work properly, somebody needs to be connected to that access point, because what we are going to try and do is disconnect that certain device, let it reconnect, and capture that in the log file. Okay, so it seems like nobody is actually connecting to it, so at this time what I'm going to do is go back to our airodump scan that we had run on the network interface and look at some other MAC address, or other access point, to penetrate into, and let's see if something has actually connected to that. Okay, so ooh la la, now what you see out here is that somebody has actually connected to this access point, and his MAC address can be seen under the STATION tab. What we want to do is run the deauthentication broadcast message on that station and deauthenticate that guy. Now, to actually run the deauthentication process, all you have to do is go ahead and open up a new terminal window again, and let this scan keep running in the background; leave this scan alone at this moment. Okay.
So the information that you need to remember is the BSSID, or rather the MAC ID of the station. Now, you also want your monitoring to be running on the same channel so that your deauthentication message is being broadcast on the same channel. So we can do that easily by going airmon-ng and saying wlan1, and you can say start on a specified channel. So what we want to be doing is running this on channel 6. Then we want to go and use the third suite of tools, that is aireplay-ng. Now aireplay-ng is used for broadcasting the deauthentication messages and all sorts of stuff. Now you can see all this in the help menu also, and you can do that by typing in --help. If you go down you see that you can send the deauthentication message using the -0 flag, and that's exactly what you're going to do. Then we say zero again because we want to constantly send a broadcast of the deauthentication. So it's looping basically, and until and unless we stop the scan, nobody will actually be able to access the Wi-Fi. So it's basically like a small DoS attack, and then we want to specify the BSSID. Okay, so it seems like I forgot the whole -a tag before the BSSID, and that should get it working. Okay, so it seems like I have copied some wrong BSSID, I guess. So, let me just go ahead and copy that once properly. Okay. So now that we have the proper BSSID, as you guys can see we are running the deauthentication broadcast message on that particular network access card, and now you want to run this for around a couple of minutes so that you become sure that all the devices have disconnected. Now while this is happening, what you're doing is basically sending a DoS attack to that small little Wi-Fi, and you want to catch the handshake that occurs between devices and the router that they are connected to while reconnecting themselves. Okay. So now that we've let this scan run for a couple of minutes, let us just stop it. Let's stop this other scan too now.
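The looping deauthentication broadcast described above is, as the instructor says, a small DoS attack, and it has a recognisable footprint on the air: a burst of deauth frames, typically addressed to the broadcast MAC, at a rate no real access point or client ever produces. The following is an added, defender-side example, not code from the video or from the aircrack-ng project. It shows the detection logic a wireless IDS applies: a sliding-window count of deauth frames per BSSID. The record format, the MAC addresses, the sample capture and the threshold are all constructed for the example; a real deployment would feed it records from a monitor-mode capture. The durable mitigation is 802.11w Protected Management Frames (mandatory in WPA3), under which forged deauth frames fail the integrity check and are dropped by the client.

```python
"""Detect a deauthentication flood from 802.11 management-frame records.

Added example (not from the video or aircrack-ng). Constructed input format:
    <epoch-seconds> <subtype> <src-mac> <dst-mac> <bssid>
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
AP_UNDER_TEST = "aa:bb:cc:dd:ee:01"   # constructed, stands in for the lab access point
OTHER_AP = "aa:bb:cc:dd:ee:02"        # constructed, a second AP with normal traffic


def build_sample_capture():
    """Constructed capture: beacons from two APs, one legitimate client deauth,
    then 40 deauths spoofed from AP_UNDER_TEST to broadcast within two seconds."""
    lines = []
    t = 1000.0
    for i in range(5):
        lines.append(f"{t + i:.2f} beacon {AP_UNDER_TEST} {BROADCAST} {AP_UNDER_TEST}")
        lines.append(f"{t + i:.2f} beacon {OTHER_AP} {BROADCAST} {OTHER_AP}")
    # a single deauth from a client that is simply leaving OTHER_AP: benign
    lines.append(f"{t + 5:.2f} deauth 11:22:33:44:55:66 {OTHER_AP} {OTHER_AP}")
    # the flood: 40 frames, 50 ms apart, all to the broadcast address
    for i in range(40):
        lines.append(f"{t + 6 + i * 0.05:.2f} deauth {AP_UNDER_TEST} {BROADCAST} {AP_UNDER_TEST}")
    return "\n".join(lines)


def parse_frames(text):
    """Parse the constructed record format into dicts, oldest frame first."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed records rather than crash on them
        ts, subtype, src, dst, bssid = parts
        frames.append({"ts": float(ts), "subtype": subtype.lower(),
                       "src": src.lower(), "dst": dst.lower(), "bssid": bssid.lower()})
    return sorted(frames, key=lambda f: f["ts"])


def detect_deauth_floods(frames, window=10.0, threshold=20):
    """Return one alert per BSSID whose deauth count inside a `window`-second
    sliding window reaches `threshold`. A lone deauth never triggers."""
    recent = defaultdict(deque)   # bssid -> deauth frames still inside the window
    alerted = set()
    alerts = []
    for f in frames:
        if f["subtype"] != "deauth":
            continue
        q = recent[f["bssid"]]
        q.append(f)
        while q and f["ts"] - q[0]["ts"] > window:
            q.popleft()           # expire frames older than the window
        if len(q) >= threshold and f["bssid"] not in alerted:
            alerted.add(f["bssid"])
            to_broadcast = sum(1 for x in q if x["dst"] == BROADCAST)
            alerts.append({
                "bssid": f["bssid"],
                "count": len(q),
                "first_ts": q[0]["ts"],
                "last_ts": f["ts"],
                "broadcast_fraction": to_broadcast / len(q),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_floods(parse_frames(build_sample_capture())):
        print(f"deauth flood on {a['bssid']}: {a['count']} frames in "
              f"{a['last_ts'] - a['first_ts']:.2f}s, {a['broadcast_fraction']:.0%} to broadcast")
```

The broadcast fraction is reported because a flood aimed at every client (the `-0 0` pattern without a target station) goes almost entirely to ff:ff:ff:ff:ff:ff, while real disconnects are unicast; tuning the threshold to the site's normal deauth rate keeps the check quiet on busy networks.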
If I go and list out the files on my desktop, you should see that there's something called test capture. Now, the test capture is given to us in various formats. We have the capture format, which is just capture-01.cap, and then we have test capture CSV, we have a Kismet CSV. So it gives you a bunch of formats to actually run your cracking on. Now if you remember, I had told you all that I have already generated a similar file at home, basically when I was trying to crack into my own home password, so I will be running the test on that file, or the cracking procedure on that file, and that is the last step of this whole procedure. So, let me just go ahead and move into that folder. So I go cd scan. Now as you guys can see out here, if I list down the files, you can see a capture-01.cap, capture-01.csv, the Kismet CSV and the XML. So I was not lying when I said that I have already done this at home. So we are going to run our cracking process on capture-01.cap. Now, let me just tell you guys the password for my home Wi-Fi is sweetship346, so you can say that I know the entire password, but I'm going to act like somebody who only has a general idea of what my password looks like. So let's say I know that my password contains sweetship but I don't really know the last three numbers or letters or whatever they may be. Okay, so we are going to use crunch once again to generate a list of words that might include sweetship346, and let me just open the crunch manual for once. Now if you go down in the crunch manual, what you'll see is the -t. So as you guys can see there is a pattern that is specified, like after it the @ sign and then followed by four other @ signs, and all the @ signs will be replaced by a lowercase character. Now you can remove the other @ and use a comma and it will be replaced with an uppercase character, or you can use percent signs, in which case it would be numbers.
Or you could use the caret sign, in which case it will insert a symbol. So when you know the length of the password and also a certain few letters, you can use the -t flag. So that is exactly what we are going to use with crunch out here for this example. So, let me just remind you guys that the password for my home Wi-Fi is sweetship346. Now what we can do is we can ask crunch to actually generate something that looks like sweetship346. So what I could do is say crunch, so the minimum length is 12, I already know that, and the maximum length is also 12. Now let me just input the pattern. So we put in the pattern after -t. So now I'm going to show you how long it can take. So we are just going to say sweet and then put in some @ signs and then also try and guess the numbers. So after you've put in the pattern you want to also input which letters and numbers it could be, and I'm just going to input my entire keyboard out here. Now, what you want to do is pipe this command through aircrack-ng's cracking procedure. Okay. So now what we want to do is pipe this command to aircrack-ng and we want to read from the capture file. So what we do is -w and then - and then the capture file name, so capture-01.cap, and then we also have to specify the ESSID, which is given to the -e flag, and the ESSID for my home Wi-Fi is Nestaway_cc105. So that's exactly what I'm going to type in, and this will start the cracking process on my Wi-Fi from the captured file. So as you guys can see this is going to take a long, long, long, long time and I'm not really actually going to complete it. So in this time, I'm actually just going to try and explain why this is not very feasible on a virtual network. So basically this is not feasible because at this moment my computer is using all four of its cores and all the memory that is possible. So what this means is, on a VirtualBox,
this is not really possible; your VirtualBox doesn't really have that much power. If you are using a 4-core processor computer, only two of its cores at maximum can actually be allotted to your VirtualBox machine. Above that, you can't really give it the entire memory because that will make your computer crash. So if you want to do something like this, it's better that you install Kali Linux as a dual boot or as your own daily driver and then you can do this. So this is why I have not done this on a virtual machine and instead done it on Deepin Linux, which is my daily driver operating system. Now as you guys can see this is constantly trying to actually guess the password by actually going through all the permutations and combinations. That is, basically it's taking in all the words generated from crunch, piping it into the current command, that is the aircrack-ng command, and it is comparing everything. So what I'm going to do is I'm actually going to end this because this will take a very, very, very long time. And what we're going to do is we're going to actually try and shorten the command, or the amount of guessing that we're trying to do. So, let me just try and do that. So as you guys can see out here, I have reduced the number of alphabets that might be actually tested. But even in this case, this will take a humongous amount of time, and let me just show that to you. So as you guys can see the test is running, running, running and running, and there's not really much you can do; you can just let this run, go out for a cup of coffee and then come back and you might still see that it's running. It really depends on what the password is and how much time it takes to crack it, and how much processing power you have directly affects how much time this will take. So let me just show you guys that this is taking a bunch of time. Okay. So now that I have fast-forwarded a lot into the scan, you can see that I have tried almost 2,127,608 keys.
So that's more than a million keys, that's 2 million keys that I have tried, and it still hasn't reached the 346. So what we're going to do, just to show you for demonstration purposes that this procedure actually works, let me just shorten the guessing even more. So what we want to do is this time we want to just guess the numbers, so we'll modify our command accordingly. So we just put in sweetship and let the algorithm just guess the 346 part. So we're going to remove the alphabets from the guessing scope also, and as you guys can see the password is almost immediately guessed because only 456 keys were tested. And as you guys can see it shows that the key was found and it's sweetship346. Now let me also show you that it works with the guessing of letters, just because I don't think you'd believe that letters are also guessed and not just numbers. So let me make it just guess the p part, that is sweetshi, and then it should guess p and then 346. So let me just show you that, and as you guys can see it guesses it almost immediately after just going through 15,000 keys. Okay, so that brings us to the end of this Wi-Fi cracking tutorial and also to the end of this video, which was regarding ethical hacking using Kali Linux. I hope you guys had a bunch of fun learning about MAC changers, proxychains and a bunch of stuff that we did like Wi-Fi password cracking. I hope you practice these procedures and methodologies that I have taught you only for your own educational purposes and not use it to harm anybody or do anything harmful with it, because let me just tell you very seriously that you can be prosecuted by the law. So let's end this video on a good note by saying please practice this for only educational purposes.
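The three runs above make one point that is worth putting in numbers: the time an offline WPA2-PSK guess takes is set by the size of the candidate space the attacker has to enumerate, which is why a known word plus three digits falls in seconds while seven unknown keyboard characters do not finish. The following is an added example, not code from the video or from crunch or aircrack-ng. It only counts candidates and converts the count to a duration; it generates and tests nothing. The placeholder meanings follow crunch's documented -t syntax (@ lowercase, comma uppercase, % digit, ^ symbol); the symbol set and the guess rate are labelled assumptions. For a defender it is a quick way to judge whether a pre-shared key built from a word and a suffix is strong enough, which is the real mitigation here: a long random passphrase puts the candidate space out of reach.

```python
"""Keyspace and run-time estimate for a crunch-style -t pattern.

Added example (not from the video, crunch or aircrack-ng). It counts the
candidates a pattern expands to and estimates how long exhausting them
takes at a given offline guess rate. Nothing is generated or tested.
"""
import string

# The "entire keyboard" the instructor typed as the charset: 95 printable ASCII characters.
KEYBOARD = string.ascii_letters + string.digits + string.punctuation + " "

# Placeholder meanings per crunch's -t documentation. The ^ set is an
# assumption: Python's string.punctuation stands in for crunch's own symbol list.
DEFAULT_CHARSETS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": string.punctuation,
}


def keyspace(pattern, charsets=None):
    """Number of candidate strings the pattern expands to.

    Each placeholder multiplies by the size of its character set; a literal
    character (such as the fixed prefix 'sweet') contributes a factor of 1.
    `charsets` overrides the defaults, e.g. {"@": KEYBOARD} when a custom
    charset is supplied to crunch.
    """
    sets = {**DEFAULT_CHARSETS, **(charsets or {})}
    total = 1
    for ch in pattern:
        total *= len(sets.get(ch, ch))  # a literal is a one-element set
    return total


def estimate(pattern, rate_per_sec, charsets=None):
    """Worst-case and average-case seconds to exhaust the pattern at rate_per_sec guesses/s."""
    n = keyspace(pattern, charsets)
    return {
        "candidates": n,
        "worst_seconds": n / rate_per_sec,
        "average_seconds": n / (2 * rate_per_sec),
    }


def human_duration(seconds):
    """Render seconds as the largest sensible unit (y, d, h, m, s)."""
    for name, size in (("y", 365 * 86400), ("d", 86400), ("h", 3600), ("m", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f}{name}"
    return f"{seconds:.2f}s"


if __name__ == "__main__":
    # Assumption: a few thousand WPA2-PSK (PBKDF2) guesses per second is typical for one CPU.
    RATE = 2000
    runs = [
        ("digits only, as in the last demo",  "sweetship%%%", None),
        ("one letter plus three digits",      "sweetshi@%%%", None),
        ("seven unknown keyboard characters", "sweet@@@@@@@", {"@": KEYBOARD}),
        ("16 random lowercase letters",       "@" * 16,       None),
    ]
    for label, pattern, cs in runs:
        e = estimate(pattern, RATE, cs)
        print(f"{label:36s} {e['candidates']:>26,d} candidates, "
              f"worst case {human_duration(e['worst_seconds'])}")
```

The last row generalises the point beyond the video's password: at the same guess rate, sixteen random lowercase letters alone already need on the order of 10^11 years to exhaust, so length and randomness, not the presence of digits, decide whether a captured handshake is ever recoverable.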
If you are a hacker, pentester, security researcher or just another person who pings Google in front of friends to look cool, then it's likely that you must have already known about some Linux distros which are particularly made for them. Today we're going to explore one such Linux distro, Parrot Security OS, one of the leading Linux distributions in penetration testing and ethical hacking. So let's quickly go through today's agenda. First, we will begin by discussing how Linux distributions are suitable for ethical hacking and the different types of Linux distros that are available for ethical hacking and penetration testing. Then we will begin with our today's topic, which is Parrot Security OS. We will discuss its features, its history, and whether or not Parrot Security OS is suitable for you. Moving on, we will see how Parrot Security OS is different from Kali Linux, and then I'll show you how to install Parrot Security OS using VMware software, and finally we'll end the session by taking a look at a few popular Parrot Security OS tools. So I hope the agenda is clear to you guys. Let's get started then. A security-focused operating system is a hacker's best friend as it helps a hacker to detect the weaknesses in computer systems or computer networks.
Whether you want to pursue a career in information security, or you are already working as a security professional, or if you are just interested in this specific field for fun, a decent Linux distro that suits your purpose is always a must. Now if you're wondering what a Linux distro is, it is a Linux distribution that has been curated to perform security-related tasks. Most of the time a Linux distro will have a Linux base of the Ubuntu or Debian flavor and usually some custom tools pre-installed in it as well. As you guys know, Linux is the best choice for security professionals for obvious reasons, and hence most of the distros are usually built on it. A Linux distro can help you in performing analysis, ethical hacking, penetration testing, digital forensic tasks and various other auditing purposes. But guys, apart from these distros, there are other open source tools as well that you can bundle and use as per customer requirements, but using these distros has a lot of advantages. Like, first of all, they save a lot of time and effort that you need to spend when you are dealing with customer requirements. Secondly, they help beginners to easily start with security testing without having to get into the nitty-gritties of the operating system. And lastly, the most popular reason is you have a great pool of distros that you can choose from. Most of the time Kali Linux is the obvious first choice of operating system for every new hacker. If you ask me why, the obvious answer would be because Kali Linux has a lot of cool things. It comes bundled with a curated collection of tools. Moreover, these tools are organized into an easy-to-navigate menu and a live boot option that's very newbie user-friendly, as in it's very friendly to a new ethical hacker. But guys, Kali Linux isn't the only distribution which is targeted at pentesters. There are many exciting alternatives that may better fit your use case. Anyway, let's begin our discussion with Kali Linux.
It was developed by Offensive Security as a rewrite of BackTrack. Kali Linux distro tops the list of best operating systems for ethical hacking purposes. And then there is Parrot Security OS, which is our today's discussion. It is a mixture of Frozenbox operating system and Kali Linux. It's the second most popular operating system for ethical hacking and penetration testing as well. And then you have BackBox Linux. It's an Ubuntu-based operating system with its focus mainly on security assessment and penetration testing. Then you have Pentoo, an excellent hacking operating system with a wide variety of tools that you can choose from. Apart from this you have DEFT Linux, BlackArch Linux, Cyborg, BackTrack and many others. But as for today's session, we will be discussing Parrot operating system. Parrot OS is the second most popular Linux distro for ethical hacking after Kali Linux. It is a comprehensive portable security lab that you can use for cloud penetration testing, computer forensics, reverse engineering, hacking, cryptography and many other security purposes. Now a little bit about its history: the first release of Parrot OS appeared on April 10, 2013. Originally it was developed as part of Frozenbox. Now it has grown to include a community of open source developers, professional security experts, advocates of digital rights and Linux enthusiasts from all over the world. Well, compared to others, Parrot Security OS promises a lightweight operating system and it's highly efficient. Along with its plethora of recognized tools, you also get the opportunity to work and surf anonymously, which is like a granted wish to an ethical hacker or any penetration tester. We'll learn about other features in the later part of the session. So moving on, since its release in 2013 Parrot has grown rapidly and currently offers many different flavors targeted towards different use cases. For example, like I said, we have Parrot Security.
It's the original Parrot OS and is designed with penetration testing, forensics, hacking, development and privacy in mind. Then you also have Parrot Home, which is targeted towards desktop users. It strips out the penetration testing packages and presents a nicely configured Debian environment. Then you have Parrot Air; it's focused on wireless penetration testing. Parrot Studio is designed with multimedia creation in mind. Then you have Parrot Cloud, the most popular; it targets server applications, giving the user access to the full suite of penetration testing tools included in Parrot Security, but it doesn't have a graphical front end like we do in Parrot Security. Moving on, we also have Parrot IoT. It's designed for low-resource devices such as Orange Pi, Raspberry Pi, and you have Pine64 and many others. So it's true that Parrot Security OS doesn't have as large a community of users behind it as Kali Linux does, but the distribution has been gaining a lot of momentum in recent years. So things could be very different just a year or two from now. So let me convince you more. Let's just discuss a few features of Parrot Security OS. Let's start with the system requirements. It's based on Debian 9. It runs on a custom hardened Linux 4.5 kernel, uses a MATE desktop and the LightDM display manager. It requires a minimum of 256 MB RAM and works with both 32 and 64-bit systems, as well as an ARM-compatible version. Apart from this, Parrot OS can also be installed on cloud and updated to perform cloud-based security. So basically it runs on Debian 9. It is compatible with 32 as well as 64-bit systems and ARM systems as well, and it requires a minimum of 256 MB RAM. So those are the system requirements. Moving on, it also supports anonymity. It offers a tool called anonsurf, including anonymization of the entire operating system.
It comes with custom-built anti-forensic tools, interfaces for GPG and cryptsetup. Originally it also supports both encryption tools such as LUKS, TrueCrypt and VeraCrypt and many others. Moving on, it also supports a forensic boot option to shut off automounts, plus many more. It embraces the Falcon programming language, multiple compilers, debuggers and beyond. It also provides full support for developing frameworks for embedded systems and many other amazing features. So guys, these are a few features of Parrot OS. So basically Parrot operating system supports anonymity, it offers different kinds of cryptography tools, it also supports forensic mode and it also provides the opportunity to develop frameworks for embedded systems and many other amazing features. Moving on, before you go ahead and use Parrot OS there are some important considerations that you need to take a look at. First of all, it provides general purpose features like any other normal operating system does, but at its core it is still tuned for security and forensics. Now, let's see how different Parrot OS is from other distributions. Parrot is different from a general-purpose distribution because it does not try to hide its features. For example, there is a tool called Parrot Update Reminder. It's a simple yet powerful program. Using this program, you can check for system upgrades once a week, but instead of hiding the upgrade process behind it like any other operating system, it shows the user the full update process from the APT output. So you can see the upgrade process going on. Secondly, Parrot was designed to be a very comfortable environment for security experts and researchers.
It includes many basic programs for daily use which other penetration testing distributions usually exclude. Parrot Security includes its own sandbox system. I mean, it provides a secure distribution; user applications in Parrot are protected to limit the damages in case the system is compromised anytime. So this way no harm is caused. So like we discussed earlier, it also supports digital forensics. Digital forensics experts need an environment that does not compromise their proof. So Parrot comes with automount functions which are disabled by default to allow forensic acquisitions to be performed in a very safe way. So before you go ahead and choose any of these operating systems, make sure you check out their features, the services they offer, and make sure that they are suitable for the task which you want to perform. But as for Parrot OS, these are its features we discussed earlier and these are the certain points that you should take into consideration before you go ahead and use it. Now if you're wondering who Parrot Security is made for, well, it's made for security experts, digital forensics experts, engineering and IT students, researchers; you have journalists and activists as well in the list, and you have the newbie hackers, police officers and special security institutions. So basically, if you ask me, it's suitable for a student or entry-level security experts as well. So first, I'll show you how to install Parrot Security OS on VMware. So basically when it comes to installation, you have two options: you can install Parrot Security OS alongside your operating system using the dual boot option, or you can install it using any of these virtualization software like VirtualBox or VMware. As for today's session, I'll show you how to install it using VMware. So let's get started with our installation. So, what I do is search for Parrot Security OS and it's most probably the first link that you find on the net.
This is Parrot OS's official website. As you can see, there's a little bit about its history, its features. It says it's based on Debian. It's designed with security, development and privacy in mind. It also includes a laboratory for security and digital forensics experts. Along with that, it also focuses on if you want to develop your own software and all that, and its project goals are mostly security, privacy and development. This is what you should consider important: development, unlike other operating systems. Its features: it's secure, lightweight when compared to Kali Linux or any other operating systems, and it's free source. So go ahead and explore it. So as for the download options, you can go for Security edition here and the download menu. Here you can see other options as well. It says Home edition, Security and other builds. We discussed a few of the flavors of Parrot earlier: we discussed Parrot Home, Parrot Air, Parrot Studio and all that. If you're concerned with Parrot Security, 4.5.1 is the current version that's running. So you have two options here to download. First of all, take a look at the size: it's 3.7 GB and 5.9 GB. So make sure whichever you want, you download it depending on your operating system requirements. And as you can see, this is a live boot installer ISO, and this is a virtual appliance. You can choose any of these. If the download is taking a little longer than you expected, maybe you can go for mirrors or a torrent. So I've already installed it. I'm not doing it; I have the ISO file as well as the OVA format installed as well. Next thing we need to do is install VMware, so VMware Workstation Pro. So you have a download option here. You can go ahead and download it. You have the free option; you also have VMware Player, I guess, here.
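Whichever of the ISO, the virtual appliance, a mirror or the torrent you pick, the bytes you end up with should be checked against the digest the project publishes on its own download page before you boot them; a mirror or a torrent swarm delivers the file, the publisher's checksum is what proves it is the right file. The following is an added example, not code from the video or from the Parrot project. It streams the image through SHA-256, looks the file up in a sha256sum-style listing, and compares in constant time. The file name, the checksum listing and the image contents in the demo are constructed; the real digest must be taken from the distribution's download page or its signed checksum file.

```python
"""Verify a downloaded installer image against its published SHA-256 digest.

Added example (not from the video or the Parrot project). The expected digest
must come from the distribution's own download page or signed checksum file.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file in 1 MiB chunks so a multi-gigabyte ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_file(text, filename):
    """Return the hex digest listed for `filename` in sha256sum-style output
    ("<hex>  <name>" or "<hex> *<name>"), or None if the file is not listed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].lstrip("*") == filename:
            return parts[0].lower()
    return None


def verify_image(path, expected_hex):
    """True only if the file's SHA-256 equals the published digest.
    hmac.compare_digest avoids leaking how many leading characters matched."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Constructed end-to-end check: a fake image plus a matching and a bogus listing.
    Returns (result_with_correct_listing, result_with_tampered_listing)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "example-security-image.iso")  # constructed name
        with open(image, "wb") as fh:
            fh.write(b"constructed image bytes, not a real installer\n")
        good_listing = f"{sha256_of_file(image)}  example-security-image.iso\n"
        bad_listing = f"{'0' * 64} *example-security-image.iso\n"
        name = os.path.basename(image)
        ok = verify_image(image, parse_checksum_file(good_listing, name))
        tampered = verify_image(image, parse_checksum_file(bad_listing, name))
        return ok, tampered


if __name__ == "__main__":
    good, bad = demo()
    print("correct listing:", "OK" if good else "MISMATCH")
    print("tampered listing:", "OK" if bad else "MISMATCH: do not install this image")
```

A mismatch means the image is not what the publisher released, whether through a corrupted download or a modified copy, and the right response is to discard it and fetch it again from the official source rather than to install it anyway.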
I got the link, sorry about that. Here in the downloads you can go for Workstation Pro or you can also go for Workstation Player, either of these, whichever suits you. Once you have downloaded it, it's going to take a while, and then all you have to do is install: click on Next and finish the installation process. So before you start your virtual machine, make sure you have your Parrot OS image, the ISO file or the OVA format, whichever is of your choice. And then here we go, VMware Workstation homepage. Yeah, as you can see I already have a Parrot OS operating system installed here, a virtual machine installed here. This I have installed using the ISO file. It's very easy; I'll show you how to do it. But if you have the OVF format, all you have to do is click on this File menu, Open, and as you can see, I have a Parrot Security over here; click and import it. That's all. Select it and click on Open. So I'm not going to show you how to do that; it's a very straightforward process. That's it. This is my ISO file. Let me show it to you again how to install it. Anyway, current file, or you can just go for Create a New Virtual Machine. Yeah, click on Next and attach the ISO file. Browse; I have it in my local disk here. I have Parrot Security; Open, Next. It selected Linux, Debian latest version, which is 64-bit, and click on Next. Give any suitable name for your virtual machine; let's say Parrot Security OS, and click on Next. Let's assign about 40 GB. It again depends on what you want to do; if you're doing heavy tasks, maybe you can assign more disk. So as it asks, store virtual disk as a single file or split into multiple files; I'm going to choose single file, click on Next. And you can always go ahead and make these customized hardware settings earlier or later, but you can do it now as well. Customize Hardware: I have a NAT connection as for the network adapter; memory, well, let's just say 2 GB; and yeah, processors, I'm just assigning one for now. Cool, and close.
You can see the changes which are made are displayed here. Once you're satisfied with the settings that you made, click on Finish. You're good to go. Your Parrot Security system is being displayed here. So like I said, you can always make settings later on; you have the virtual machine settings options here, just click on this. Let me maximize the screen for you guys. So as you can see the Parrot Security ISO is very flexible. There are quite a few options: you have live mode, you have terminal mode, you have RAM mode. So basically live mode is just a standard live USB boot option, just like you can see while you're installing Kali Linux. Suppose if you don't know how to install Kali Linux, there's a video on how to install it as well by Edureka; you can refer to that in the ethical hacking playlist. Okay, so coming back, sorry about that, you have a persistence mode, encrypted persistence, forensics mode and all that. Terminal mode, as you can see, is sort of the live boot option but without a graphical user interface. The most popular one among new hackers, or if you're a first-time user, is the install option with a graphical user interface. So it's almost familiar to Kali Linux users. If you want to get a feel of Parrot Security and analyze its features, maybe you can go for live mode, but if you want to just get started then you can always go for install mode. I'm going to click on that and click on Standard Install. So it's mounting all the installation tools and all that. So once the machine is booted up you'll be asked to select your preferred language. From the boot menu select the graphical installer option and click on, let's say, English, and United States, American English. So then the loader will automatically install some additional components and configure your network-related settings. It might take a while. So basically then the installer should prompt you for a host name and the root password.
Let's give some root password; give the password of your choice, re-enter the password for verification. And now it's gonna ask you to set up a user apart from the root user. So let's just say test user, continue. I'm going to keep it as test, continue, and choose a password for the new user which is different from the root user password, that you'll have to remember. So just give this new user a password, continue, re-enter the password. Okay. Let me just go back; my mistake. Let me try it again. Select your time zone. So basically after you've set your password, it's asking you for the time zone. Let's say Central, Eastern. So now the installer will provide you four choices about the partitioning of the disk. The easiest option for you is to use the Guided - use entire disk option, which is the first option here. Experienced users can always go for the manual partitioning method for more granular configuration options. So yeah, guided partitioning, I'm going to select that: Guided - use entire disk. This is the disk we're going to store to. So it's asking if you want to store all files in one partition or different ones. Let's just say all files in one partition and hit Continue. So now we will have to confirm all the changes to be made to the disk on the host machine. Be aware that continuing will erase the data on the disk. So after that you can just click on Finish partitioning and write changes to disk. It's asking if you want to write the changes to the disk; obviously yes. So click Yes. So once we're done confirming the partition changes, the installer will run through the process of installing the files. Let it install the system automatically; this may take a while. So I'll meet you guys once installation is done. So once installation is done it'll ask you if you want to install the GRUB boot loader on your hard disk; just say yes and click on Enter device manually, or sorry, just click the device which is already there. Go back. The installation process is now almost complete.
So guys, the installation is done. Once the installation is done, you can see the machine boots you into the MATE desktop environment, as in if you have chosen the install option you will be presented with a LightDM login screen. So basically you'll have to enter the password which was set up for the test user earlier, not the root password. Please do remember that. I'm sure you remember setting up a password for the user, right? Type that password and log in. So here we go. So guys, here we are. As you can see the machine boots you into the MATE desktop environment. Let me pronounce it: MATE, you can call it whatever you want, mate or MATE desktop environment. So as you can see, it's very good looking. Apart from that, Parrot Security will automatically detect when updates are available and prompt you to update the system as soon as you install it. Here it's not showing it to me because I've already updated it, but otherwise, all you can do is just go to the terminal here. You can see the terminal option here, right? Go to the terminal there and just say sudo apt-get update. It will ask me for the password. How did it go? Might be a matter of it being updated in another virtual machine. Anyway, I installed the other one as well; maybe it's in that. Anyway, I'll update for you. So let me just minimize this while it's updating. Let's go ahead and do other things. So it's almost done, I guess. Yeah, as you can see it's almost updated and it says 116 packages more can be upgraded, and if I want to see which of those packages they are, I just have to list them out using the apt command. I'm not showing you that, guys. So anyway, when you're making it your first priority, make sure your system always stays updated. Okay, let's go back to exploring Parrot OS. So as you can see the system is laid out in a very straightforward manner with a collection of tools that you might be familiar with.
If you have used Kali Linux before, the menu system is almost similar to Kali Linux and it's very easy to navigate. The real difference is that Parrot Security is meant to be used as a daily driver, as in your regular operating system, to do the other things as well. To prove that, you can see you have sound and video options here, a lot of programming language options as well, you have system tools and you have graphics included, you have office applications and software; you have Base, you have Math, Writer and Planner, just like any other normal operating system. So while you can use Kali Linux as a desktop workstation, it really is a penetration testing distribution first. I'm talking about Kali Linux. So with Kali you need to build the system towards being a daily use system, as in once you start using Kali Linux you need to modify or customize it in your own way so that you make it more plausible or easy for you to use for daily purposes. But that's not the case with Parrot Security OS; its interface and everything is so good, it almost appears like a normal operating system, and it is like a very normal operating system. So you have your penetration testing tools which are there, and along with that you have your day-to-day applications also there in this. Now talking about the system requirements, the default Parrot Security install uses about 313 MB of RAM. So as you can see here, you can see this cute little bar; it's like the task manager which you can find in your Windows. Click on that. It will show you all the processes that are going on. First of all, it says the Parrot GNU/Linux system, the release and the kernel, all the information about your ISO file, and you have the MATE desktop environment here, the hardware, which is this, and the processor. It's based on available space and all that. When you click on the processes, it shows all the processes which are currently running, sleeping, just like your task manager in your Windows operating system.
So yeah, like I said, it requires about 213 MB of RAM, approximately around that, but of course this is only with system-related processes running. When compared to Kali Linux it's very lightweight; a Kali Linux install requires about 604 MB of RAM, and that too only with system-related processes running. So, like I said, it's a very lightweight system. So yeah, the bar is a task manager; it lists all the processes that are running and all that. You obviously have a terminal, which I showed earlier. The cool thing with the terminal is that it goes with their interface; other than that, it's pretty much like any other normal terminal. And then there is the appearance of the interface. I mean, my first reaction when I saw it was "wow, amazing", right, when compared to the plain Kali Linux. So yeah, you get to use a cool collection of wallpapers as well. You have "change desktop background" here, you have fonts, interface, and see, you have quite a large collection of wallpapers and you can go ahead and add your custom ones as well. That's all about the interface, and like I said, it's like any other normal operating system. So it comes with a lot of programming languages and a bunch of text editors; you also have IDEs as well. It uses Pluma as the default text editor. So that's it when talking about it as a normal operating system. Now talking about the performance: almost all of us know that Kali Linux is a bit laggy, and when you run it on a low-end system sometimes it's like a nightmare when you have a brute-force attack going on in the background and you are doing something else; it's going to be, I would say, stuck, or it's very slow. But Parrot is very lightweight and doesn't lag much; as you can see, it's smooth. Now talking about hardware requirements: pretty much both Kali Linux and Parrot require high-end hardware, but Parrot needs lower-specification hardware as compared to Kali. So if I have to conclude in one word, Parrot is a good-looking distro.
It's very lightweight, it's resource friendly, and if you want to know how many resources it is consuming and all that, you can always go and click on the little bar which is available there; click on the resources and you can see the CPU history, memory, network history, file systems and all that. So basically it's a good-looking distro, lightweight, resource friendly. Apart from all these features, Parrot Security OS has a pretty good collection of features as well, which we discussed earlier. It comes with a hell of a lot of tools, but if you see the sections, there are a lot of other things which are not in Kali Linux. So the most important tool here is that in Kali Linux, suppose you want to stay private when you're doing hacking or any other stuff, you have to install anonsurf and then enable it, or proxychains. You also have the option of proxychains to keep yourself anonymous on the system while you are doing hacking or pentesting or anything, but with Parrot OS you already have anonsurf pre-installed. All you have to do is click on the start button. So let me show you how to stay anonymous. So this is one of the best features in Parrot Security OS: it has proxychains as well as anonsurf to make yourself anonymous. So you can go to this anonsurf and click on "anon start". Before that, you can check the IP of your system. So it says 1.65...1.73; just remember it, you don't have to note it down anywhere. Well, no, 1.65...1.76. Now, if I go and enable this, first of all it will ask you for the administration password; give that. Okay. So basically once you enter the password, it will ask you if you want anonsurf to kill the dangerous processes that can de-anonymize you, or clear cache files, or modify your iptables rules and all that. It'll ask you if you want to do that; just say yes. So basically as soon as you click on Yes, as you can see in the notifications here, the tool will attempt to kill dangerous processes that can de-anonymize you at any time, it will clear your cache files,
it will modify your iptables, modify your config file, disable your IPv6 and only allow you outbound traffic through Tor. As you can see, it says Tor is running, started for you. Imagine doing all this stuff by yourself: if you don't have anonsurf, like in Kali Linux, this would be quite a bit of effort manually, but with the script already present here it's just a click away. So Parrot Security also includes a similar script for I2P as well. Apart from that, once you've enabled it, you can also check, like I said, your IP address now. So as you can see it says "Global anonymous proxy activated. Dance like no one's watching, encrypt like everyone is." So basically it's saying anonsurf is started. As you can see my IP address has been changed; before it was 160-something, but right now it's 182-something. So anonsurf has made me anonymous; now I can do whatever I want in anonymous mode. So that's all I wanted to show you here. Now back to Firefox: it has quite a documentation part. Well, it's still in the creation stage; here, as you can see, documentation. It's not all that well prepared or created yet, so if you have any minor doubt you can go ahead and refer to the documentation part. Oh, so here you go. Okay then, let's go back to the distro. One thing that you can point out about Parrot OS is that it has a lot of cryptography tools, such as zuluCrypt and zuluMount, a graphical utility that will help you mount your encrypted volumes. Then there is something called Cryptkeeper, another graphical utility that allows you to manage encrypted folders, and much more. These utilities make confidentiality easily accessible to anyone with minimal experience. I mean, if you do not have any idea about cryptography you can easily start learning here; that's what I meant. So it just doesn't stop with cryptography or anonsurf; you have a lot of other tools which you might not find in Kali Linux.
So let me show you guys that part. As you can see, you have a lot of tools; you have Most Used Tools, which is Armitage, you have Wireshark, Zenmap, OWASP ZAP and all that; then you have wireless testing tools. Give me a second. Yeah, post-exploitation, this set of tools; mostly you can't find them in Kali Linux. You have OS backdoor tools, web backdoor tools, you have Weevely and all that, and you have something called Social Engineering Toolkit. If I'm right, it should be in the exploitation tools. Where is exploitation? Here, as you can see, Social Engineering Toolkit; just click on that, password. So it has started up. So if I just click on one, you have a lot of options: update SET configuration, you have social engineering attacks, you have different types of attacks here, you have PowerShell attack vectors, you have mass mailer attack, you have phishing attack vectors and all that. So basically you can click on that and enable all those attacks; I'm not going to show you in this demo how to do it. This is just a basic introductory video about Parrot OS. So let me just close the terminal. While there are common tools like nmap, I'm sure you know how to use nmap; let me just show you anyway. Nmap is one of the scanning tools; you can find it in information gathering, I'm sure. Nmap is here; it's one of the basic tools. Okay, let's just explore nmap and Dmitry here. Let me just show you how to use nmap first. Just click nmap; you have all the help, all the nmap configuration options displayed in front of you. If you don't know how to use it, just go through them; it's pretty easy. A simple example: I'm already using the one which is already there; just say scanme.nmap.org. Okay, I keep making spelling mistakes again, sorry about that. It's going to take a little while. So while it's scanning, let me just show you another tool, which is Dmitry. It's the Deepmagic Information Gathering Tool. It has the ability... so here it is.
It should be in information gathering only; here you go. So basically, like I said, it has the ability to gather as much information as possible about a host: subdomains, its email information, TCP port scan, whois lookup and all that. Let's just check whether the nmap scan is done. Here is the terminal. Yeah, it's going to take a little while. So once the scanning is done, it's going to show you how many seconds it took, what the ports are which are open, and the closed ports and all that. Now about Dmitry: you can enable it from your terminal, but you can also do it from here, information gathering, and click on Dmitry; password. So let's see... here we go. So let me maximize. All you have to do is, you have a lot of options here. You have -w, which performs a whois lookup; you can do it online, as in using Firefox, as well, there are a lot of websites where you can gather all the information once you have your IP address and all that. And you have -n, retrieve Netcraft.com information on the host; -s, perform a search for possible subdomains; -e, email addresses; and all that. So basically you can give all these options in one go. Let's say the -o option saves output to host.txt or to the file specified by -o. So I just press... let me just give sudo. Let me just check if I've given any file here. I do have a file called test.txt. Okay. So like I said, with the -o option it will save your output to the host.txt file or to the file specified by -o. So basically just specify the filename where you want to store all the scan info, and the website whose information you want to scan. So let's say blue.pinterest.com. Here you go. It started scanning. Let me just scroll up. The hostname and the host IP address are showing. Once you have IP addresses, you can gather almost all the information. It's also showing the places where it's coordinated, when it was created, last modified.
You have sources, you have the address here and then, yeah, last modified, created, source and all that. So basically it's showing a lot of information here. Similarly, using Dmitry, the Deepmagic Information Gathering Tool, you can actually gather information about any other website you want to know about. Let's just check whether nmap is done scanning. So see, as you can see, it's done. So I've given a website name here; instead of that you can go ahead and give the IP address, which is this one, and it will show you the same results. As you can see there are a lot of ports; usually an nmap scan covers more than a thousand ports. As you can see, it says 992 closed ports, and these are the open ports. And suppose you want to know more information about each port, because basically if you're a hacker and you try to hack something, you don't need information about all the ports; it's basically the one port which you want to know about. For that, there are a lot of options which are provided by nmap. If you want to know more about nmap, there's a video in the Edureka playlist all about nmap; it's under network security, so make sure to take a look at that. So while you are taking a look at Parrot OS, make sure you go ahead and watch the video on Kali Linux as well, so you will know how different Parrot and Kali Linux are, though they are similar in a few parts. So that's it about the system, as in Parrot OS. So like I said, it's a good-looking distro which is lightweight when compared to Kali Linux, with lots of tools, lots of unique tools as well when compared to Kali Linux, and it's very smooth, way smooth. Oh, apart from all these good things, there are a few things that are problematic with Parrot OS. First of all, you don't find a search bar; oh, that's not a problem, but that's one demerit, you can say. And it's also a little problematic when it comes to launching your applications; the process is a little slow, unlike Kali Linux.
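The instructor scans scanme.nmap.org interactively and reads the open and closed port counts off the screen. In an engagement you usually want that parsed, not eyeballed, so here is an added example (not from the video or from the nmap project) that parses nmap's XML output (what `nmap -oX scan.xml <target>` writes) and summarises open ports and the "not shown" counts per host. The XML embedded below is a constructed sample in nmap's format; the 198.51.100.10 address, the hostname and the port states in it are made up for the demonstration and are not real scan results.

```python
"""Parse nmap XML output (-oX) and summarise open ports per host.

Added example for this tutorial; not part of the Edureka transcript or of
nmap itself. SAMPLE_NMAP_XML is a constructed sample modelled on what a run
like `nmap -oX scan.xml scanme.nmap.org` writes; the address, hostname and
port states are invented.
"""
import xml.etree.ElementTree as ET
from collections import Counter

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -oX scan.xml scanme.nmap.org">
  <host>
    <status state="up"/>
    <address addr="198.51.100.10" addrtype="ipv4"/>
    <hostnames><hostname name="scanme.example.invalid" type="user"/></hostnames>
    <ports>
      <extraports state="closed" count="996"/>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
      <port protocol="tcp" portid="9929"><state state="open"/><service name="nping-echo"/></port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per <host>: address, hostname, up/down, open ports and a
    per-state count (open/closed/filtered) that matches nmap's on-screen
    "Not shown: N closed ports" summary."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        addr_el = host.find("address[@addrtype='ipv4']")
        hn_el = host.find("hostnames/hostname")
        summary = Counter()
        open_ports = []
        # <extraports> is how nmap records the bulk of ports sharing one state.
        for extra in host.findall("ports/extraports"):
            summary[extra.get("state")] += int(extra.get("count", 0))
        # Individually listed ports carry their own <state> and <service>.
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            summary[state] += 1
            if state == "open":
                svc = port.find("service")
                open_ports.append({
                    "port": int(port.get("portid")),
                    "proto": port.get("protocol"),
                    "service": svc.get("name") if svc is not None else "",
                })
        hosts.append({
            "address": addr_el.get("addr") if addr_el is not None else None,
            "hostname": hn_el.get("name") if hn_el is not None else None,
            "up": status is not None and status.get("state") == "up",
            "open_ports": sorted(open_ports, key=lambda p: (p["proto"], p["port"])),
            "state_summary": dict(summary),
        })
    return hosts


def format_report(hosts):
    """Render the parsed hosts in the same shape nmap prints on the terminal."""
    lines = []
    for h in hosts:
        lines.append(f"{h['hostname'] or '?'} ({h['address']}) up={h['up']}")
        for p in h["open_ports"]:
            lines.append(f"  {p['port']}/{p['proto']}\t{p['service']}")
        not_shown = ", ".join(f"{n} {s}" for s, n in sorted(h["state_summary"].items())
                              if s != "open")
        lines.append("  not shown: " + not_shown)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_nmap_xml(SAMPLE_NMAP_XML)))
```

To use it on a real scan, replace SAMPLE_NMAP_XML with the contents of the file written by `-oX`; only scan hosts you are authorised to test.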
So guys, this is your Parrot OS. So basically this was a crisp video on what Parrot OS is, its review, its features and all that; make sure to watch the video on Parrot OS versus Kali Linux. So, Linux has been known for its various distributions that cater to various needs. One of the most famous distributions is Kali Linux, which is a penetration-testing-oriented distribution that was built to bring about much-needed corrections in its previous iteration, known as BackTrack OS. Now, since the release of Kali Linux it has gone through various iterations in the form of updates, while other penetration testing and security-related distributions were also being developed all around the world. So in this session we will compare Kali to one such distribution that has come under the spotlight, and that is Parrot OS. So today in this video I will first be giving you guys a brief introduction to what exactly Kali Linux is, and then I will also give a brief introduction to what Parrot OS is; then we will be comparing Kali versus Parrot according to various parameters. So let's move ahead. Now let me give you guys a brief introduction to what Kali Linux is. So Kali Linux is a penetration testing and security focused operating system. As the name suggests, Kali has a Linux kernel at its core; above that, the creators of Kali, Mati Aharoni and Devon Kearns, added the latest injection packages to help pentesters save some time. Kali Linux is developed according to the Debian development standards, and it was developed as a refined penetration testing distribution that would serve as a replacement for BackTrack OS. Currently the development of Kali is being handled by Offensive Security, which is the organization that provides prestigious certifications like OSCP, OSCE and OSWP. Over the years, Kali has developed its own cult following, with people who swear by the word and by the power provided by Kali. While I may not be such a staunch believer in Kali Linux,
there are plenty of reasons for one to use Kali. For one, it's absolutely free. Secondly, it comes pre-installed with tons and tons of penetration testing tools and security-related tools. Above that, it can be completely customized according to your needs, as the code is in an open-source Git tree and the whole code is basically available to the public to be tweaked. Also, the kernel that runs Kali Linux comes with the latest injection packages, and it also comes with GPG-signed packages and repositories. Above that, Kali Linux has some true multi-language support and it was developed in an extremely secure environment. Also, Kali supports a wide range of wireless devices. Now at this moment Kali may seem like a very useful operating system, but as you guys might remember the great quote from Spider-Man: great power comes with heavy resource utilization. According to the official documentation of Kali, the system requirements are quite heavy. On the low end, Kali Linux needs a basic of at least 128 MB of RAM and 2 GB of hard disk space to set up a simple SSH server that will not even have the GUI of the desktop. On the higher end, if you opt to install the default GNOME desktop and the Kali Linux full metapackage, you should really aim for at least around 2 GB of RAM and around 20 GB of free hard disk space. Now besides the RAM and hard disk requirements, your computer needs to have a CPU supported by at least one of the following architectures, them being amd64, i386, armel, armhf and also arm64. Now, even though the official documentation says 2 GB of RAM is enough, I have personally faced numerous lag and stutter issues when running Kali on a virtual machine with 6 GB of allocated RAM, which in my opinion is a definite bummer. Now let's take a moment to discuss Parrot OS. So Parrot, much like Kali, is also a Debian-based distribution of Linux.
When I say Debian-based, it means that the code repositories adhere to the Debian development standards. Parrot OS too comes with its own arsenal of penetration testing and security-related tools; most of these tools are also available on Kali. Now, Parrot was first released in 2013 and was developed by a team of security experts, Linux enthusiasts, open-source developers and advocates of digital rights. The team was headed by Lorenzo Faletra, and Parrot is designed in a very unique way: while the operating system has everything that is needed for a security expert, it doesn't present itself as a daunting learning experience for beginners who want to set foot into the world of ethical hacking and vulnerability analysis. Parrot OS can very well be used as a daily driver, as it provides all of the necessary tools to complete day-to-day tasks. So who exactly is Parrot OS made for? Well, first of all, it is made for security experts and digital forensics experts. It can also be used by engineers and IT students who are enthusiastic about ethical hacking; then Parrot OS can also be used by researchers, journalists and hacktivists; and last but not least, Parrot OS is also meant for police officers and special security institutions. Okay, so now let's take a moment to actually discuss the system requirements that one might need to run Parrot OS. So the system requirements for Parrot are much more forgiving than Kali Linux. On the CPU side, you need an x86 architecture with at least 700 MHz of frequency, and architecture-wise you need i386, amd64 or AMD 486, which is basically the x86 architecture, or armel and armhf, which are basically IoT devices like the Raspberry Pi. On the side of RAM, you need at least 256 MB on an i386 architecture, 320 MB on an amd64 architecture, and as general documentation, 512 MB of RAM is generally recommended by the Parrot Sec OS people. On the GPU side Parrot OS is very surprising, as it needs no graphic acceleration.
That means you can run this without a graphics card. On the side of hard disk space, Parrot OS needs at least 16 GB of free hard disk space for its full installation; that is 4 GB, 4 gigabytes less than Kali Linux. And for booting options, both Kali Linux and Parrot OS have legacy BIOS preferred. Now, comparing two operating systems, when it comes to Parrot OS and Kali Linux, which are both operating systems meant for similar purposes, that is penetration testing, in this case it becomes really tough. Most of the factors in such cases boil down to a matter of personal taste rather than an objective comparison. Now before we move ahead with the comparison, let me list out a few similarities that you might have noticed between the two operating systems. So first of all, both operating systems are tuned for operating penetration testing and network-related tools, and both operating systems are based on Debian development standards; both of the operating systems support 32- and 64-bit architectures, and both operating systems also support cloud VPS along with IoT devices. And of course, both of them come pre-installed with their own arsenal of hacking tools. Now let's get down to the differences. The first criterion of difference that we are going to discuss is hardware requirements. Now as you guys can see on the slide, I have put down the system requirements of Parrot OS on the left-hand side and I have put down the system requirements of Kali Linux on the right-hand side. So as you guys can see, Parrot OS and Kali Linux both need a 1 GHz dual-core CPU. When it comes to RAM, Parrot OS needs much less RAM than Kali Linux: it needs 384 MB of RAM for its minimal running, and Kali Linux needs 1 GB of RAM. On the other hand, in terms of GPU, Parrot OS doesn't really need a graphics card as it has no need for graphical acceleration; Kali Linux, on the other hand,
if you're trying to run the GNOME desktop version, you will certainly need a graphics card. On the other hand, Parrot OS needs 16 GB of free hard disk space for its full installation and Kali Linux needs 20 GB of free space. So basically Parrot OS is a much more lightweight version. So we see that Parrot OS definitely wins against Kali Linux when it comes to hardware requirements, due to its lightweight nature: not only does it require less RAM to function properly, but the full installation is also pretty lightweight, thanks to the use of the MATE desktop environment by the developers. So basically, if you're having an older hardware configuration on your computer, Parrot OS should definitely be your choice. Now the next parameter that we are going to compare the two OSes in is look and feel. Now this section boils down to personal choice. Personally, I prefer the minimalistic look that is given by Parrot OS. The interface of Parrot OS is built using the Ubuntu MATE desktop environment. There are two clear sections: on top you see a pane which contains Applications, Places, System, which is much like Kali itself, but it also gives some cool information about CPU temperatures along with the usage graph, and the bottom pane contains the menu manager and the workstation manager, which is a brilliant addition to the Linux system. Kali Linux, on the other hand, follows the GNOME desktop interface; while it still has the functionality that is offered by Parrot OS, it doesn't provide the same clean and refined look, in my opinion. If you don't know your way around a Kali interface, it is pretty easy to actually get lost. Now the next parameter that we're going to compare them on is hacking tools. Now since both these operating systems are for penetration testers and ethical hackers,
I think hacking tools is the most important criterion that both the operating systems are going to be compared on. So when it comes to general tools and functional features, Parrot OS takes the prize when compared to Kali Linux. Parrot OS has all the tools that are available in Kali Linux and also adds its own tools. There are several tools that you will find on Parrot that are not found on Kali Linux. Let's take a look at a few of them. So the first one that you see is called Wifiphisher. Now Wifiphisher is a rogue access point framework for conducting red team engagements or Wi-Fi security testing. Using Wifiphisher, penetration testers can easily achieve a man-in-the-middle position against wireless clients by performing targeted Wi-Fi association attacks. Wifiphisher can be further used to mount victim-customized web phishing attacks against the connected clients in order to capture credentials or infect the victim with some sort of malware. Another tool that is seen on Parrot and is much appreciated, that is not seen on the Kali side, is called anonsurf. Now, being anonymous for a hacker is the first step before hacking a system, and anonymizing a system in an ideal way is not an easy task. No one can perfectly anonymize a system, and there are many tools available on the internet that say that they anonymize your system; one such tool is anonsurf. Now, anonsurf is pretty good as it uses Tor and iptables to anonymize the whole system. Also, if you guys have not already realized, Tor also comes pre-installed on Parrot, while it has to be externally installed on Kali. Now these things that you see, Wifiphisher, Tor Browser and anonsurf, surely they can be imported and downloaded on Kali, but they don't really come pre-installed, and that is what counts right now.
So since Parrot OS is also designed with development in mind, it also comes pre-installed with a bunch of useful compilers for various languages and IDEs for their respective development, which is completely absent on the Kali Linux side. So for this part of hacking tools, Parrot OS definitely takes the prize. Now the next thing that we are going to compare both these operating systems on is release variations. Now both operating systems come with a variety of variations, but Parrot OS has much more diversity in terms of variety. So let me just explain what I mean. So as you guys can see on the left-hand side, I have listed down the release variations that are available for Parrot OS. Now aside from the full editions, which are provided by both Parrot and Kali, they also both provide the Lite editions: the Lite edition on the Parrot side and the Light edition on the Kali side are both basically the same thing, wherein minimalistic tools are actually pre-installed and you can install and customize the operating system according to your own needs. If you don't choose to customize the operating system, you can very well use it as a very lightweight and portable operating system. So Parrot OS Lite edition and Kali Light edition are two flavors of the operating system. Now this is where the differences start. So a Parrot OS Air edition also exists; this is an edition that is used for wireless penetration testing and wireless vulnerability testing. So basically, anything wireless, Parrot OS Air edition does it faster and does it better. Then there's also Parrot OS Studio edition, which is used for multimedia content creation. Yes, you heard that right: Parrot OS can also make content for your social media. So if you're thinking about using Parrot OS for marketing as well as security, Parrot OS should definitely be your go-to operating system. Kali, on the other hand, aside from its Light version and full edition, offers
some desktop interfaces like the E17, KDE and Xfce, the Ubuntu MATE and the LXDE. So these are basically just skins that run over Kali and basically make Kali look a little different from one another; you can check out all these different customizations in the Kali documentation. Other than that, Kali also has support for cloud and IoT devices in the form of the armel and armhf releases. These releases are also available in Parrot OS, so Parrot OS doesn't stand down. So as you guys see, Parrot OS provides you a lot of diversity in the variety that it is offering. So in my opinion, Parrot OS also takes the prize in this section. Now the main question remains: which of these two distributions is better for beginners? Well, it is to be duly noted that both these distributions are not exactly meant for beginners. If you want to learn about Linux as an operating system, you're better off using something like Ubuntu or Debian. This also doesn't mean that you cannot learn the basics on Parrot or Kali. On the other hand, if you already know the basics of Linux and want to get your hands on an operating system to learn ethical hacking, I would personally recommend using the Parrot Sec OS Lite edition. This is because the Lite version comes with the bare minimum of networking tools. This means that as you learn your ethical hacking concepts slowly, you could develop or install tools one by one instead of being overwhelmed with a whole bunch of them from the beginning. Not only does this allow you to evolve as an ethical hacker and penetration tester, but it also makes sure your fundamentals are built in a methodical manner. Now, I recommend Parrot OS over Kali for one other reason too, and that is because the default user for Kali is root. This makes the environment a whole lot more aggressive, and mistakes tend to be punished and are a whole lot more difficult to deal with. So this means that Parrot OS is generally the winner, in my opinion.
When you get hired as a penetration tester or a security analyst, one of the main roles is vulnerability assessment. So what exactly is vulnerability assessment? Well, vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures, and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately to them. So a vulnerability is a situation that can be taken advantage of by a hacker or a penetration tester, for their own misuse or actually for fixing the issue. So vulnerability assessment has three steps. The first step is actually identifying the assets and the vulnerabilities of the system; the second step is actually quantifying the assessment; and the third is reporting the results. Now vulnerability assessment is only a small part, and pentesting is an extended process of vulnerability assessment; pentesting, or penetration testing, includes processes like scanning, vulnerability assessment itself, exploitation research and reporting whatever the results are. So in the industry, one of the most widely used frameworks for penetration testing is Metasploit. So Metasploit is widely used in penetration testing, as I just said, and also used for exploitation research. So some of you might ask what exactly exploit research is. Well, in this world there are tons of exploits, and the way to approach each of them is ever so different. So what we have to do is exploit all the research that is available to us, and we have to find the best way to approach them. So suppose, for example, you have a secure shell login. So the best way to actually approach a secure shell login, to my knowledge, is that you have to get backdoor access to it from the port numbers that you can scan via nmap or Zenmap. Okay.
So without wasting much time looking at PowerPoint presentations, let's actually get started as to how we can use Metasploit. So Metasploit is a freely available open-source framework that is widely used by pentesters, as we just discussed. So to actually install Metasploit, which is easily available on Linux and Windows, I guess, let me just check it out. So you go on your browser and you type "Metasploit downloads"; now you just visit the first link, and as you guys can see, it says it's the world's most used penetration testing tool, and then you just download the Metasploit Framework by clicking the download button here. So you all might also find the Pro version, which is a paid thing, and this has a few extra features like group support and actually helping a company work as an organization, but we don't actually need that for practicing our pentesting abilities. So for that you just go ahead and download Metasploit Framework and install it on your system. Above that, there is another thing I want to make you guys aware of, and that is Metasploitable. So when actually pentesting, we need a server or a website to actually pentest on. Now, normally this is a very illegal thing to do without permission, so Metasploit has actually created a server with a lot of vulnerabilities on it, and it's called Metasploitable 2. So Metasploitable 2 is easily downloadable from this link and it's a VirtualBox file. So you guys must have virtual machine software on your system to actually set this thing up. I'll also go through how to actually set up Metasploitable, because it has a lot of configuration and network management to go with it. So we'll get to that later. But for now, let's get started with Metasploit. So before that, Metasploit is written in Ruby, and if you all know Ruby coding and you all know how to make exploits, you all can always contribute to the Metasploit community.
So Metasploit is one of the most widely used pentesting tools in the industry. So what exactly is Metasploit? Well, it's a framework, and what a framework is, is actually a collection of tools. So these tools are majorly used for penetration testing and exploitation research. Now one might ask what exactly exploit research is. Well, there are tons of exploits out there and there are tons of ways to actually approach them, and this only comes to us from thorough research as to how we can approach each and every exploit in the best way. So talking about Metasploit, well, it's open source and free, and it's also written in Ruby. So if you guys know Ruby coding and know how to make exploits, you all can always contribute to the Metasploit Framework. Now talking about the download part: well, you all can easily download Metasploit from its download page, which is metasploit.com/download; I'll be leaving the download link in the description. And once you're on the download page, you'll see two versions: one is the free version, which is the original Metasploit Framework, and it's the core framework that everybody works on; and then there's Metasploit Pro, which comes with a 14-day free trial. So Metasploit Pro actually has a few extra features which are great for an organization, like it helps you work as a team, but if you're a guy who's just practicing pentesting like me, Metasploit Framework, the free version, is the absolute way to go. Now also, when pentesting, you all will also need Metasploitable. Now, Metasploitable is an intentionally vulnerable target machine for actually practicing your Metasploit skills on. So we will go over the installation of Metasploitable later. But for now, let's go over Metasploit. So once you guys have actually downloaded it from the link, you all can actually install it on your systems, and Metasploit actually has three interfaces. So we are going to be using the command line interface,
or msfconsole in other words, but you can also use the GUI interface, which is called Armitage if I'm not wrong. So let's get started. First of all, I've already downloaded Metasploit and installed it on my computer, and you can do the same by pressing the download button as you can see. To start Metasploit, all you have to do is go to your terminal on Linux. First we start the PostgreSQL server, because the PostgreSQL database is where Metasploit stores its module and exploit data, and starting it makes everything run faster. So we run "service postgresql start"; that starts the service, and indeed it has. Next you type "msfconsole". That's going to take a little bit of time because I have a very slow computer, and it starts up our Metasploit Framework. As you can see we get a big banner out here; the banner changes every time, so don't get worried if you have a different banner. The main thing is that you should see this "msf" prompt out here, which means we are in the msf shell, the Metasploit Framework shell. Let's get started by clearing our screen. First things first, the first command that you might want to run on msfconsole is the "help" command. "help" tells us everything that we can do with this framework. As you can see there are a bunch of commands and the descriptions to go along with them; give them a quick read and find the things that are interesting to you. For example, "banner" is described as "display an awesome Metasploit banner", and there are a lot of other juicy commands. Let me use the banner command I just mentioned.
If you type "banner" it gives you a nice cool banner about Metasploit, and there are other commands which work very similarly to Linux, like "cd" which changes the current directory; you can toggle colors with "color", connect to a host with "connect", and all sorts of stuff. Metasploit has a bunch of exploits, but before we go further I want to make you aware of three important terms regarding Metasploit. The first is a vulnerability, and we have already discussed that a vulnerability is a situation which can be taken advantage of by a system or a person who has access. The second is an exploit. What exactly is an exploit? Well, an exploit is a module, which is a bunch of code written in Ruby in Metasploit, that is used to target a specific vulnerability. The third thing is a payload. A payload is the action that you perform once you actually have access to somebody's system. So suppose you have hacked somebody and gained access to their system: the activities you do after gaining access are defined by the payload. We just spoke about exploits and I told you that Metasploit has a bunch of them, so how do we see all the exploits that are there? You type "show exploits". As you can see we've loaded up a bunch of exploits, which is basically all the exploits that Metasploit has to offer at this moment. Let me just increase the screen a bit and scroll completely to the top. So "show exploits" gives us a list of exploits and shows the name, a description, a disclosure date and the rank. The name and description are as they say: the name of the exploit and a short description of it. The disclosure date is when the exploit was actually released by Metasploit, and the rank is how it has fared against the vulnerability it was released for since it was released. As you can see, ranks range from great, good and so on, and we have a bunch of exploits.
As you can see there's an Android exploit, there's a Samsung Galaxy Knox Android exploit, there are a bunch of Windows exploits, Adobe Flash exploits, FTP exploits, MySQL exploits, ASP.NET exploits and a bunch of other stuff. With so many exploits to use it can get confusing and rather troublesome to search for the exploit you actually want, so as a pentester you can always go for the "search" keyword. Suppose you know that you have a MySQL server which has a bunch of vulnerabilities and you want to test those out; you simply type "search mysql", and it searches the database for all the modules that are related to MySQL and presents them to you. Okay, so we have our results; as you can see we have a bunch of MySQL related modules. This makes it much easier if you are a pentester looking for MySQL exploits. Now suppose you choose your exploit; which one do we want to use today? We're going to use this MySQL hashdump module. To use it we have to copy the name, so double click on it so it gets selected and press Ctrl+Shift+C in your terminal to copy it. If you want more information about it you can always type "info" and then paste in the name of the module. This gives us all the information you need about the module: it gives you the name, MySQL Password Hashdump, its module path, auxiliary/scanner/mysql/mysql_hashdump, and so on. It's licensed under the Metasploit Framework license, it has a normal rank, and these are all the options that you might need to set when using the module. It also gives you a short description; it says this module extracts the usernames and encrypted password hashes from a MySQL server and stores them for later cracking. So that seems like really cool stuff you can do with a MySQL server and its password database.
If you actually want to use this module you have to use the "use" keyword, so we type "use" and paste the name with Ctrl+Shift+V. As you can see it's denoted in red out here that we are indeed in the module that we want to use. Now the first thing you want to do when you're using a module is to type "show options". As you can see, these are the options that we need to set before running the module. The options can be required or optional; for example there's a password field out here which is not really necessary but will help your module if you provide it, but you need to provide RHOSTS, which is the target host, and the port, and the threads value is already set. Suppose you want to set RHOSTS: you type "set RHOSTS" and set it to whatever IP address you want, like 192.168.1.156 or something like that, and that sets RHOSTS. You can also set the number of threads. Threads refer to parallel processing, that is, how many parallel threads you're going to run so that you have faster computation; this means you need more CPU power if you have multiple threads running. So let's set "set THREADS 30", and then you can type "show options" again and see that you have indeed set your options: we've set the threads to 30 and RHOSTS has also been set. So that was all about how you can get into a module, get some information about a module, and set its options. Once you're done setting up the options you can go ahead and type the command "run" or even "exploit", and this will start running the module against the system we want. Now I've put in a very arbitrary IP address that does not have a MySQL port running, so our module fails. Once you are done with a module and want to go back to the main msf shell, just go ahead and type "back".
It's as simple as that, and that brings us back to the msf command line. So let's go ahead and clear our screen. Okay, so it's time to do something interesting. To do that, first of all we need to download Metasploitable 2. To download Metasploitable 2 you have to go to this link; I'll leave the link in the description, or rather you can just go to your browser and type "Metasploitable 2 download". Metasploitable, as we had discussed earlier, is a Linux based distribution that is mostly meant for practicing your pentesting skills; basically it has a bunch of ports open on it. It's basically just for your use, so that you don't go ahead and test on some live website and then get thrown into jail, because that's a very illegal thing to do. So go ahead and download Metasploitable 2 and also download Oracle VirtualBox; you can easily download that from www.virtualbox.org. This is because you should never run Metasploitable 2 on a system that is directly connected to a network; you should always use it in a virtual machine, because there it's protected so that nobody else can access it. To set up Metasploitable, once you've downloaded it, open up your VirtualBox. Out here you have to go into Global Tools and the Host Network Manager, and you create a host-only network (I have already created one), and then you enable the DHCP server by pressing the Enable checkbox out here. Then you go back, click New and give it a name, whatever you want to name it; I have already named mine Metasploitable 2 as you can see.
We're going to call this one "demo" just for demonstration purposes; choose the type to be Linux and the version to be Ubuntu 64-bit, click Next, give it a gig of RAM, and choose to use an existing virtual hard disk. Out here you click this button and browse to the place where you downloaded and unzipped your Metasploitable download; there you get the virtual machine disk file, which is a .vmdk file, and you just go ahead and load it up. I'm not going to do that again because that's just going to eat up my RAM, and I've already installed it. So that was all about the installation and the configuration. Now let's get started and play around with Metasploit. Once you're done downloading and installing Metasploitable on your computer, all you have to do is start it up in your VirtualBox machine; the login ID and the password are both "msfadmin". First of all we need the IP address of our Metasploitable server, so we run "ifconfig" and that gives us the address. As you can see out here, our address is 192.168.56.101. Once you've started Metasploitable, it's time that we go ahead and exploit all the vulnerabilities that are presented to us by Metasploitable 2. To do that, let's head back to our Linux terminal again. Once we have the IP address, which was 192.168.56.101 if I am correct, let's quickly get a little bit of information about it. So "whois 192.168.56.101" will give us the whois record for Metasploitable 2 and give us a bunch of information as to how the server is set up, where it is set up, which ports are open and various other things. As you can see this gave us a complete whois. To get some more information about our Metasploitable server we're going to be using nmap. If you don't know how to use nmap you can go and check my other video in the playlist; I made a pretty good nmap tutorial.
So we run "nmap -F -sV", where -sV is the service version flag, and we give it the name or the domain name of the server, 192.168.56.101. We've got a juicy result out here and we can see that there's a bunch of stuff open. As you can see there's the FTP port open, which has a version of vsftpd 2.3.4. There's also OpenSSH, which is 4.7p1 Debian. There's also telnet, and it's almost unbelievable to have telnet running on your computer. Then there's SMTP, there's HTTP, and there are a bunch of other ports open as you can see on your screen. So it's time we actually use Metasploit like a pentester to go ahead and test out these vulnerabilities. Let's choose the FTP one. We have this FTP port out here, and from the version number, which is given to us by the service version flag on nmap, we know that it's running vsftpd 2.3.4, so we can easily search for an exploit for that version. As a pentester you would type "search vsftpd 2.3.4", and this should give us all the exploits that are available for this particular vulnerability. As you can see, after a long search for vsftpd we found an exploit that can take advantage of this binary, so it's time we actually use it. First of all let's get some info about it: copy down the name and type "info" with it. As the module description says, this module exploits a malicious backdoor that was added to the vsftpd download archive; this backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th and July 1st 2011, and voila. We have the option of setting RHOST, it has an available target provided by these guys, and it's a pretty good exploit in my opinion. So let's go ahead and use it: we type "use" and the name of the exploit. It's visible to us that we have entered the exploit module, which is exploit/unix/ftp/vsftpd_234_backdoor. What we're going to do is actually gain backdoor access to our Metasploitable system.
To make this more believable, if you go into your Metasploitable system you can see that you are not in the root account, so you can gain root access by typing "sudo su" and entering the msfadmin password. We're now the root user in the Metasploitable console. If we type "ls" we can see the various files, and if you "cd /home" we're in the home directory; if you do "ls" out here we can see a bunch of stuff. There's an ftp folder, an msfadmin folder, a service folder and a user folder among them, five folders in total, so remember that. Now what we're going to do is gain backdoor access into the system and create a bunch of folders in that home directory. Let's get on with that. To do that we head back to our Metasploit terminal and, as we had already entered our exploit, we type "show options". As we see, the options that we have to provide are RHOST and the port number. The port number has already been set because it's 21, which is where FTP runs, and we now just have to set the host. To set the host we have to put in the IP address of our Metasploitable server, so if I remember correctly we type "set RHOST 192.168.56.101". That sets RHOST, and we can check that we've done it correctly by typing "show options" again; we have indeed set RHOST. Now all we have to do is run the exploit, so we type "run". As you can see we have actually gained a backdoor: the backdoor service has been found and is being handled, and a command shell session has started. You might be confused as to why there is this blinking cursor with no prompt; well, that blinking cursor means that you are inside the Metasploitable server.
That means we have already gained backdoor access, and the blinking cursor denotes that we are on the terminal of Metasploitable 2. If you don't believe me, let's do some experimenting. As I had said, I'll create a bunch of folders in the home directory, so let's change to the home directory first. First you can also type "whoami", and it shows you that you're the root user. Next you type "cd /home", and that changes to the home directory. Now let's make a folder with "mkdir this_is_a_test"; that should have made a directory, so let's go into that directory with "cd this_is_a_test". We're now inside the directory this_is_a_test. Now let's make a file called targets.txt; that creates it. Just to see if we have actually done it properly, let's go back to our Metasploitable machine. In the home directory you type "ls" again, and as you can see, the folder this_is_a_test has been created and it's already there. Let's move into that folder with "cd this_is_a_test"; we are in that folder now, and we also created a text file called targets.txt, so "ls" should give us targets.txt, and it does.
So as you just saw, we gained backdoor access into a remote system through a vulnerability that was available to us on the FTP port. We first did that by scanning the whole Metasploitable server with nmap and gaining some intelligence as to what services are running and which ports are actually open. Then we found out that the FTP port is open. Then we went to Metasploit and found an exploit for that vulnerability; we found out how to use the exploit and some information about it, and in the end we executed it successfully. Now you must be wondering what exactly nmap is and why you should learn it. Well, nmap is a network scanner that is widely used by ethical hackers to scan networks, as the name suggests. You might wonder why you need a network scanner. Let me give you an example. Suppose you have Wi-Fi set up in your new house and you realize that your data is being consumed at a faster rate than you are using it. You suspect that it's your pesky neighbor who keeps connecting to your Wi-Fi and eating up all your data. To confirm your doubts, what you want to do is a network scan, and nmap is a pretty wonderful tool for that. nmap runs on Linux, macOS and Windows, and I'm mostly going to be running it on Linux because that's where I do most of my penetration testing and network testing. So let's go ahead and get on with the installation of nmap on your computer. What you do is type "apt-get install nmap"; for this you have to be logged in as root, and if you're not logged in as root just add "sudo" before the whole command and it will install it. I already have nmap installed so I'm not really going to install it again. Let's just go ahead and do a few scans on our website, which is www.edureka.co, and see what we get back as results.
First of all, let me show you how you can scan a certain domain name. With nmap we are going to use flags all the time, so let me tell you what the flags are: if you type "nmap --help" it gives you all the flags and options that are available to use with nmap. So if you are stuck and can't remember something, type "nmap --help" and it will show you everything. Now network scans generally take a long time, so I'm going to be using the fast mode (-F) most of the time. For fast mode all you have to do is type "nmap -F www.edureka.co", then sit and wait for the scan to get over. When the scan gets over you will see a bunch of information; let me wait till that information pops up and then we will talk about it together. Okay, as you can see our scan has completed; it took 13.71 seconds to do the scan. As you can see it shows us the ports, the states and the services. The port is basically the port number that the service bound to it is working on, so we can see that the SSH service is working on port 22, SMTP on 25, HTTP on 80, rpcbind on 111 and HTTPS on 443. That is how you can use nmap to scan a certain website. If you look, nmap has also given us the public IP for the domain name, because what nmap does is look up the DNS name and translate it to the IP address that the DNS server resolves it to, so nmap also returns the public IP. What we can also do is "nmap -F 34.210.230.35". As you can see, our command also works when we put in the IP address, and it produces the same results. We can also scan multiple hosts: suppose you are on a network and you want to scan several hosts, and you don't really want to run a separate command for each one.
What you can do is type "nmap" followed by a bunch of IP addresses, like 192.168.1.1 192.168.1.2 192.168.1.3, and what this will do is run the nmap scan on these three different IP addresses, all in just one command. So that's one way you can do this. You can also find out how much of your scan is left by pressing the up arrow key; that gives you a constant update on how your scan is going, like 32.4% done, and also shows you roughly the time remaining. Okay, while this port scan is going on let me tell you about the states. States can be of a few types: open, closed and unavailable (what nmap reports as filtered). Sometimes you will see that a port is unavailable, and that's because some sort of firewall or something similar is running out there. States can also be closed, and in that case nmap will mostly not return you any result unless you're explicitly looking for something in the closed state. So that was a little trivia on states and how they work. Let's see how much our scan has done: it's 81%, and it takes around another 20 seconds, so it should be done soon. This scan could have been made significantly faster with just the -F flag, but I really wanted to give you a good look into how this works. 97, 98, 99. Okay, as you can see this is our result; it gives us a bunch of ports and services, and as I just said the state can also be closed or unavailable, and here we see examples of both open and closed. Okay, so that was about how you can scan multiple hosts. You can also scan a range of hosts with this command, as I will show you: "nmap -F 192.168.1.1-30". What this will do is scan everything from 192.168.1.1 to 192.168.1.30, so this is a very useful way of scanning multiple IP addresses. Let me show you how that works. Since we have used the -F flag, this is going to work considerably faster. Now, as you can see out here,
the earlier scan had taken around 119 seconds, so that's around two minutes, while this one will take considerably less time. Let's see: this was done in 29.91 seconds, and we did 30 IP addresses, so we see that -F surely speeds up the whole scanning process. You can also give nmap a target list. Let me create a target list: "touch targets.txt" creates the file for us. Now all I want to do is edit this file, so let me edit it and put in 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.5 and so on, five addresses in total. Now all we have to do is save it with Ctrl+O and exit with Ctrl+X. You can go ahead and view what is in targets.txt with "cat targets.txt", and as you can see this is what is in targets.txt. Now you can just pass it to nmap with the -iL flag, "nmap -F -iL targets.txt", and nmap is going to scan all the IP addresses that are in this file. Let that run; it will take a little bit of time because it's five IP addresses, even with the fast mode; 83% of our work is done. Okay, so our scan has completed, and what you see out here are scan results for whatever we had provided in the targets.txt list. That's how you can provide nmap an input file and it will give you the results for all the targets that were specified in the file. Now let's talk a little bit about port scanning. nmap is also a brilliant tool for scanning ports. If you have a server or website you know that there are 65535 ports on every server, and almost 99% are unused, so sometimes knowing which ports are in use is really useful. You can scan ports by just using the -p flag and specifying the port number, and this is how you would do it: "nmap -p 20" followed by the host, so I'm going to use www.edureka.co.
This will scan only port number 20, but you can also scan from port 20 to 25 with "-p 20-25". You can also put in commas and tell nmap that you want to scan all of these, like "-p 80,443"; port 80 is HTTP and 443 is HTTPS, so you can surely do that. Let me go ahead and run this. Okay, so that gives us information on the ports that are there. Another thing about ports: suppose you want to scan for the HTTP port; you can just say "nmap -p http www.edureka.co", and with -p you can give the service name instead of the number, so that will go ahead and do that. As you can see, that gave us a result, and you can also add in service names like mysql, ftp and so on. Let me show you how that runs: "nmap -p http,mysql,ftp www.edureka.co". Okay, as you can see these are the ports that are running and it gave us the results accordingly. Now if you want to scan all the ports you can use "-p-" followed by the host, www.edureka.co. This generally takes a lot of time because you're basically doing 65,000 port scans, so I'm not really going to do that; I'm going to quit out of it. Another thing that I want to show you, which also generally takes a lot of time to execute, is called an aggressive scan. As you can see out here I have done an aggressive scan on edureka. To do that all you have to do is "nmap -A www.edureka.co". Let's see how much time it took to execute: 459 seconds, which is a long time for a scan, but it gives us a bunch of other information. For example, it gives us the traceroute. What is a traceroute? A traceroute is the route taken by a packet to reach the target from the client. As you can see our packet had 22 hops; the first hop was to the gateway router, that is 192.168.1.1.
Then it went to the Airtel leased line, then to this IP address, then to bsnl.net, and then it went to London, New York, Chicago and all the way up to wherever this thing is hosted. That was some of the information, and then there is other information given to us, like the TCP open port, the program version, the port type, the port states and all sorts of other details that an aggressive scan gives you. Another scan that I have previously done and kept for you, because it takes a lot of time, is the service version scan: "nmap -sV" with a capital V gives you the service version. It tries to guess the version of the service that is running; for example, on the SMTP port it tells us it is Postfix smtpd, and on HTTP it's Apache httpd. You can see all sorts of versions here. Another thing nmap is generally brilliant at is guessing the operating system that is running. I have already done this scan previously because it takes a humongous amount of time that I don't really have: that is 386.34 seconds, and these scans together basically took me ten minutes, and I don't have that kind of time for explaining all this stuff. As you can see out here the OS guess is "OS details", and it's a guess; it tries to guess the OS from the time to live that is in the responses to the packets that it sends. So -sV, -p, -O and -A are some really cool flags that you might want to know. Another thing that you can do is a traceroute, as I just told you, and you can do a traceroute separately: you type "--traceroute" and then the name of any website. Suppose I want to know how I reach netflix.com; I type "nmap --traceroute netflix.com" and this gives me a traceroute that shows me how my packet actually reaches netflix.com. Okay, so this was basically a direct one hop.
Okay, that was surprising. On the other hand, if I were to do this on edureka.co it would take a bunch of hops to reach it; it just takes some time to run. Okay, it's 94 percent done, I'm just waiting for it to complete. Okay, so this gave us the hops, and as you can see we took 22 hops to reach edureka.co, and it's the same process: you go through a bunch of IP addresses and then you reach this thing called us-west-2.compute, that's Amazon AWS. Okay, so that was about traceroute. To end this tutorial, let me tell you that you can also have nmap save to a file, that is, save whatever you found from a scan into a file, and let me show you how to do that. Sometimes when you are working as a security analyst you will have to perform network scans on a wide area network that is huge; these scans take a lot of time, and you don't really have the space on your command line to store and view the results in a way that is feasible for analysis. So what you want to do is save it in a file. What you can do is "nmap -oN" and then the name of the file, say results.txt, and then the host, www.edureka.co. Whatever scan result is generated is going to be stored in this file called results.txt. This file need not exist from before; it will just be created by nmap. Now if I do "ls" we have a results.txt. If I cat that file, or rather less it, "less results.txt", what you see out here is the nmap scan result that was stored. Another thing that I would like to show you before I end this nmap tutorial is the verbose mode. Verbose mode is basically what we were doing when pressing the up arrow to see how much of our scan is done; you can have that printed on its own.
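The service version scan (nmap -sV, which revealed vsftpd 2.3.4 on Metasploitable) and the saved results file (nmap -oN results.txt) come together in this added example, which is not part of the tutorial: a parser for nmap's normal output that summarises port states and flags versions on a watchlist. The sample output and the watchlist contents are constructed here; the hostnames and timestamps in them are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample of nmap "normal" output, the format -oN writes. It is
# modelled on the Metasploitable 2 scan in the tutorial; not real scan data.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oN results.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00045s latency).
Not shown: 977 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     ftp         vsftpd 2.3.4
22/tcp   open     ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open     telnet      Linux telnetd
25/tcp   open     smtp        Postfix smtpd
80/tcp   open     http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
3306/tcp filtered mysql
Service Info: Host: metasploitable.localdomain; OS: Linux

# Nmap done at Mon Jan  1 10:00:14 2024 -- 1 IP address (1 host up) scanned in 13.71 seconds
"""

# Versions a defender wants to be alerted about. The one entry is the version
# this tutorial exploits: the vsftpd 2.3.4 download archive carried a backdoor.
# Extend this dict with your own watchlist (constructed example data).
WATCHLIST = {
    "vsftpd 2.3.4": "backdoored vsftpd release; upgrade or remove the service",
}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortEntry:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty when nmap printed no VERSION column for the port


def parse_nmap_normal(text):
    """Turn nmap normal output into one PortEntry per port line."""
    entries = []
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)  # every following port line belongs to this host
            continue
        m = PORT_RE.match(line)
        if m and host is not None:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(host, int(port), proto, state, service,
                                     (version or "").strip()))
    return entries


def open_ports(entries):
    return [e for e in entries if e.state == "open"]


def state_summary(entries):
    """Count ports per state (open / closed / filtered), as the tutorial describes."""
    summary = {}
    for e in entries:
        summary[e.state] = summary.get(e.state, 0) + 1
    return summary


def flag_watchlisted(entries, watchlist=WATCHLIST):
    """Return (entry, reason) for each open service whose version string
    starts with a watchlisted version; only open ports can be exploited."""
    hits = []
    for e in open_ports(entries):
        for version, reason in watchlist.items():
            if e.version.startswith(version):
                hits.append((e, reason))
    return hits


if __name__ == "__main__":
    records = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print(state_summary(records))
    for entry, reason in flag_watchlisted(records):
        print(f"{entry.host}:{entry.port}/{entry.proto} {entry.service} "
              f"{entry.version} -> {reason}")
```

Run it on a real file by replacing SAMPLE_NMAP_OUTPUT with the contents of the results.txt that nmap -oN produced.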
You type "nmap -F -v", with -v for verbose, and then www.edureka.co, and this will give you a verbose view of what is actually going on; it tells you everything, and boom, there it's done. And with that we have finished our nmap tutorial. So first of all, what exactly is cross-site scripting? Well, cross-site scripting refers to client-side code injection attacks wherein an attacker can execute a malicious script, also commonly referred to as a malicious payload, in a legitimate website or web application. XSS is amongst the most rampant web application vulnerabilities and occurs when a web application makes use of unvalidated or unencoded user input within the output that it generates. By leveraging XSS an attacker does not target a victim directly; instead an attacker exploits a vulnerability within a website or web application that the victim would visit, essentially using the vulnerable website or web application as a vehicle to deliver a malicious script to the victim's browser. While XSS can be taken advantage of within VBScript, ActiveX and Flash, unquestionably the most widely abused is JavaScript.
This is mostly because JavaScript is fundamental to any browsing experience; all the modern sites today have some JavaScript framework running in the background. Now XSS can be used in a range of ways to cause serious problems. Well, the traditional use of XSS is the ability for an attacker to steal session cookies, allowing an attacker to impersonate a victim, and it just doesn't stop there. So XSS has been used to wreak havoc on social websites, spread malware, deface websites and phish for credentials, and even used in conjunction with some clever social engineering techniques to escalate to even more damaging attacks. Now cross-site scripting can be classified into three major categories. So the first is reflected cross-site scripting, the second is stored or persistent cross-site scripting and the third is DOM-based cross-site scripting. So out here DOM refers to the Document Object Model that is used for web application building. So let's take a moment to discuss the three types of cross-site scripting. So the first one we're going to be discussing is reflected cross-site scripting. Now by far the most common type of cross-site scripting that you'll come across is probably reflected cross-site scripting. Here the attacker's payload is a script and has to be part of a request which is sent to the web server and reflected back in such a way that the HTTP response includes the payload from the HTTP request. Now using a phishing email and other social engineering techniques the attacker lures the victim into inadvertently making a request to the server which contains the cross-site scripting payload, and then he ends up executing the script that gets reflected and executed inside his own browser. Now since reflected cross-site scripting isn't really a persistent kind of attack, the attacker needs to deliver this payload to each victim that he wants to serve.
So a medium like a social network is very conveniently used for the dissemination of these attacks. So now let's take a step-by-step look at how cross-site scripting actually works. So firstly the attacker crafts a URL containing a malicious string and sends it to the victim. Now the poor victim is tricked by the attacker into requesting the URL from the website, which is running a vulnerable script, and then the website includes the malicious string from the URL in the response. And then in the end the victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server. Okay. So at first reflected XSS might seem very harmless because it requires the victim himself to actually send a request containing a malicious string; now since nobody would be willingly attacking himself, there seems to be no way of actually performing the attack. But as it turns out there are at least two common ways of causing a victim to launch a reflected cross-site attack on himself. So the first way is if the user targets a specific individual: the attacker can send the malicious URL to the victim, for example using email or instant messaging, and then trick him into visiting the site. Secondly, if the user targets a large group of people, the attacker then can publish the link, or the malicious URL, on his own website or social media, and then he'll just wait for visitors to click on it. So these two methods are similar and both can be very successful with the use of a URL shortening service like the one provided by Google. So this masks the malicious string from users who might otherwise identify it. Okay. So that was all about reflected cross-site scripting. Let's move on to stored cross-site scripting now. So the most damaging type of cross-site scripting that is there today is persistent or stored cross-site scripting. In stored cross-site scripting attacks,
the attacker is injecting a script into the database that is permanently stored on the target application. So a classic example is a malicious script inserted by an attacker in the comment field on a blog or a forum post. So when a victim navigates to the affected webpage in a browser, the cross-site scripting payload will be served as a part of the web page, just like any legitimate comment would be. Now this means that the victim will inadvertently end up executing the malicious script once the page is viewed in the browser. Now, let's also take a step-by-step look at how cross-site scripting in the stored version works. So the attacker uses one of the website's forms to insert a malicious string into the website's database first. Now the victim unknowingly requests the page from the website, and then the website includes the malicious string from the database in the response and then sends it to the victim. Now the poor victim will be actually executing the malicious script inside the response and sending all the cookies to the attacker's server. So that's basically how stored or persistent cross-site scripting works. Now it's time for the last type of cross-site scripting, which is Document Object Model based cross-site scripting. So DOM-based cross-site scripting is an advanced type of cross-site scripting attack, which is made possible when the web application's client-side script writes user-provided data to the Document Object Model. So basically it means that data is subsequently read from the Document Object Model by the web application and output to the browser. So if the data is incorrectly handled in this place, an attacker can very well inject a payload which will be stored as a part of the Document Object Model and then executed when the data is read back from the DOM. Now, let's see how that actually happens. So first the attacker crafts a URL containing a malicious string and sends it to the victim.
Now this victim is again tricked by the attacker into actually requesting the URL from the website. This is like the primary step in actually performing cross-site scripting. Now the third step is that the website receives the request but does not include the malicious string in the response. Here's the catch of DOM-based cross-site scripting. So now the victim's browser executes the legitimate script inside the response, causing the malicious script to be inserted into the page, that is basically into the innerHTML attribute, and the final step is that the victim's browser then executes the malicious script inserted into the page and then just sends the victim's cookies to the attacker's server. Now, as you guys must have realized, in the previous examples of persistent and reflected cross-site scripting the server inserts the malicious script into the page, which is then sent as a response to the victim. Now when the victim's browser receives the response it assumes that the malicious script is a part of the page's legitimate content and then automatically executes it during page load, as any other script would be. But in a DOM-based attack there is no malicious script inserted as a part of the page. The only scripts that are being automatically executed during the page load are legitimate parts of the page. So that's the scary part. So the problem is that this legitimate script directly uses user input in order to add HTML to the page. So the malicious string is inserted into the page using innerHTML, so it's parsed as HTML. So mostly people who are actually surveying any server for cross-site scripting attacks will not be actually checking the client side. So it's a very subtle difference, but it's very important.
So in traditional cross-site scripting the malicious JavaScript is actually executed when the page is loaded, as a part of the HTML served, and in DOM-based cross-site scripting the malicious JavaScript is executed at some point after the page has already been loaded, because the page's legitimate JavaScript, treating user input, is using it in an unsafe way. So now that we have actually discussed all the three types of cross-site scripting that are widely available today, let's see what can happen if you actually were a victim of cross-site scripting. So the consequences of what an attacker can do with the ability to execute JavaScript on a webpage may not immediately stand out to you guys, especially since browsers like Chrome run JavaScript in a very tightly controlled environment these days, and JavaScript has very limited access to the user's operating system and user files. But when considering that JavaScript has access to the following that we're going to discuss, we can only see how creative JavaScript attackers can get. So firstly, malicious JavaScript has access to all the same objects that the rest of the web page has, so this includes a thing called cookies. Now cookies are often used to store session tokens, and if an attacker can obtain a user's session cookie, they can impersonate that user anywhere on the internet. Secondly, JavaScript can read and make arbitrary modifications to the browser's Document Object Model. So your page will just be incorporated with all sorts of scripts and viruses without you even knowing from the server side. Now JavaScript can be used with XMLHttpRequest to send HTTP requests with arbitrary content to arbitrary destinations.
And the most scary part is that JavaScript in modern browsers can leverage HTML5 APIs such as accessing a user's geolocation, webcam, microphone and whatnot, and even specific files from the user's file system. Now while most of these APIs require the user to opt in, cross-site scripting in conjunction with some very clever social engineering can bring an attacker a very long way. Now the above, in combination with social engineering as I just said, allows an attacker to pull off advanced attacks including cookie theft, keylogging, phishing and identity theft too. Now critically, cross-site scripting vulnerabilities provide the perfect ground for attackers to escalate attacks to more serious ones. So now that we understand what cross-site scripting attacks are and how damaging they can be to your application, let's dive into the best-known practices that are actually followed to prevent them in the first place. So the first mechanism that is used is called escaping. So escaping data means taking data an application has received and ensuring that it's secure before actually rendering it for the end user. Now by escaping user input, key characters in the data received by a web page will be prevented from being interpreted in any malicious sort of way. Now in a sense you're censoring the data your webpage receives in a way that will disallow characters, especially those brackets that begin the HTML attributes like html and img, so these will be stopped from being rendered, which would otherwise cause harm to your application and users and database. Now if your page doesn't allow users to add their own code to the page, a good rule of thumb is we need to escape any and all HTML, URL and JavaScript entities. However, if you are running a forum and you do allow users to add rich text to your content, you have a few choices.
So firstly you will need to carefully choose which HTML entities you will escape and which you won't, or use a replacement format for raw HTML such as Markdown, which will in turn allow you to continue escaping all sorts of HTML characters. Now the second method that is normally used is called validating input, and so validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, the database and the users. So while whitelisting and input validation are more commonly associated with stuff like SQL injection, they can also be used as an additional method of prevention for cross-site scripting attacks. So input validation is especially helpful and good at preventing cross-site scripting in forms, as it prevents a user from adding special characters into the fields, instead of refusing the request completely. But in fact input validation is not the primary method of prevention for vulnerabilities such as cross-site scripting, and even SQL injection for that example, but instead they help to reduce the effects should an attacker actually discover such a vulnerability in your system. Now the third way to prevent cross-site scripting attacks is to sanitize user input. So sanitizing data is a strong defense but should not be used alone to battle cross-site scripting attacks. It's totally possible that you find the need to use all three methods of prevention in working towards a more secure application. Now as you guys might notice, sanitizing user input is especially helpful on sites that allow HTML markup, to ensure data received can do no harm to users as well as your database, by scrubbing the data clean of potentially harmful markup and changing the unacceptable user input into an acceptable format. OK guys. So that was all the theory about cross-site scripting; it's time for the demo right now.
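The three defences just described, escaping, validating and sanitising, written out as an added Node.js example (this is not code from the course, from bWAPP or from WebGoat); the name pattern, the tag allowlist and the sample payloads are my own assumptions, constructed to match what the demo later types into the forms:

```javascript
// Added example, not part of the Edureka course or of bWAPP/WebGoat.
// Three small functions, one per defence described above, exercised on
// payloads of the same shape the demo uses. Runs under Node.js, no deps.

// --- 1. Escaping ---------------------------------------------------------
// Map the five characters that can open markup or break out of an attribute
// to HTML entities, so the browser displays them instead of parsing them.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A reflected-XSS form like the one in the demo echoes first and last name
// straight into the page. Vulnerable version: raw interpolation.
function greetUnsafe(first, last) {
  return `<p>Welcome ${first} ${last}</p>`;
}
// Fixed version: every untrusted value is escaped at the point it is written.
function greetSafe(first, last) {
  return `<p>Welcome ${escapeHtml(first)} ${escapeHtml(last)}</p>`;
}

// --- 2. Validating input -------------------------------------------------
// Allowlist for a name field (assumed policy): letters, digits, space and a
// few punctuation marks, at most 40 characters. This is a second layer that
// rejects "<" early; it does not replace escaping on output.
const NAME_PATTERN = /^[A-Za-z0-9 _.'-]{1,40}$/;
function isValidName(value) {
  return NAME_PATTERN.test(String(value));
}

// --- 3. Sanitising rich text ---------------------------------------------
// For a comment field that permits a little formatting: keep a small
// allowlist of tags with their attributes stripped, escape everything else.
// Tag tokenising with a regex is enough for this illustration; a production
// site should use a sanitiser that actually parses the HTML.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p']);
function sanitizeHtml(untrusted) {
  const s = String(untrusted);
  const TAG = /<\/?([A-Za-z][A-Za-z0-9]*)\b[^>]*>/g;
  let out = '';
  let last = 0;
  for (const m of s.matchAll(TAG)) {
    out += escapeHtml(s.slice(last, m.index));        // text between tags
    const name = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (ALLOWED_TAGS.has(name)) {
      out += closing ? `</${name}>` : `<${name}>`;     // attributes dropped
    } else {
      out += escapeHtml(m[0]);                         // unknown tag shown as text
    }
    last = m.index + m[0].length;
  }
  return out + escapeHtml(s.slice(last));
}

// Constructed sample payloads of the kind typed into the demo forms.
const REFLECTED_PAYLOAD =
  '<script>alert("this is an example of reflected XSS")</script>';
const DOM_PAYLOAD =
  '<img src onerror=alert("this is an example of DOM-based XSS")>';

console.log('unsafe :', greetUnsafe(REFLECTED_PAYLOAD, 'x'));  // tag reaches browser
console.log('escaped:', greetSafe(REFLECTED_PAYLOAD, 'x'));    // shown as text
console.log('valid  :', isValidName('John Smith'), isValidName(REFLECTED_PAYLOAD));
console.log('sanit. :', sanitizeHtml(`<b onclick="steal()">hi</b> ${DOM_PAYLOAD}`));
```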
So for the demonstration now, I'm going to be showing you guys the three types of cross-site scripting that we have discussed throughout the course of the session. So not only will this be rather interesting to see how cross-site scripting works on a vulnerable web application, but it will also give us a better understanding of cross-site scripting in itself. Now to perform cross-site scripting is a very big crime, so we really can't target any random web platform, website or web application for that matter. So keeping that thing in mind I have chosen the Broken Web Application project. So this is brought to us by OWASP, which stands for Open Source Web Application Security Project. The Broken Web Application project, or bWAPP, is a broken web application that is intentionally vulnerable and it incorporates a majority of the known bugs that are out there, and it is widely used by security enthusiasts, students and practicing ethical hackers to mostly practice and nurture their skills in the right direction. Okay, so to get started, first of all we need to download a few files and get things ready. So first of all we will download the Broken Web Application project, and I'll be leaving the download link in the description just in case you guys want to practice in your own free time. Secondly, we need to download VirtualBox. Now after we have both the files ready and we have it installed and we have our broken web application installed in the virtual machine, we are good to go. Now I've already done all that boring job and actually installed the broken web application. As you guys can see, I'm already running the OWASP Broken Web Application on my virtual machine, and this is the OWASP virtual machine. So as you guys can see it's based off Linux, and if we go ifconfig it'll give us the IP address that it's running on. So as you guys can see, it's running on 192.168.146.4, so if we just head over there, yeah, I've already opened that up, we get a portal.
So for this particular demonstration, I'm going to be using the Broken Web Application project and also WebGoat. So first of all, let's head over to the Broken Web Application project. So we'll be greeted with a login screen out here, and the credentials for this are bee and bug, as you guys can see, so just go and enter login after you enter the credentials. Okay, so you all will be welcomed with a place where you can choose your bug and you can also choose the amount of security that you want to practice with. So since this is a very simple demonstration, I'm going to set the security to low. And the first thing that we're going to test is actually reflected cross-site scripting. So reflected cross-site scripting mostly has things to do with the GET request when we are actually coding on the back end. So, let's see. First of all we go ahead and choose reflected cross-site scripting for the GET method and we go and press Hack. Now we'll be presented with a form. Now a form is a very good way of actually showing reflected cross-site scripting, because normally when an attacker will be trying to attack you he'll be trying to send you a form, or any way you can actually input something into it. So interestingly, if we go and just input nothing into these two fields and just go, we'll see the URL change out here. So firstly you guys see that the fields are very clearly visible, and these are the two fields, and that means that it's an unencoded input. So this is a very rich place to actually practice your web vulnerability and penetration testing skills. So if I were to hack it, I would try and run a script out here. So if I were to go script, and I've already practiced a few out here as you guys can see, so if you go script alert, "this is an example of reflected XSS", yeah, and if we go and just end the script out here, this is going to actually render the JavaScript input as a part of the page and we are going to get an output because of this.
So that's how reflected cross-site scripting is actually working. So as you guys can see, the web application has actually rendered our JavaScript and now we can see that reflected cross-site scripting is actually working out here. So now you guys must have realized that in a practical scenario this form must be sent to the victim, and he must be tricked into filling the form for the attack to be successful. Also in more practical scenarios where sites are also having forms, they're going to be putting filters on the input parameters such that you cannot run JavaScript in them and you cannot also input any unencoded inputs into them. So that was all about reflected JavaScript, I mean reflected cross-site scripting. So now let's move on to stored cross-site scripting, which is the most dangerous form of cross-site scripting. Okay, so as I had discussed, the comment sections are normally the best place for stored cross-site scripting. So as you guys can see out here we already have a few comments that I had added for practicing. Now in stored cross-site scripting the attacker is normally attacking the data that is stored. So basically we are going to inject the script into the database, into the server. So if the script has some malicious intent it can do a multitude of things; if it has a malicious intent, we'll not get into that. So for that reason, let's first add a normal comment out here. So let's say if this was a blog I'd say "good job there", like I said, or something like "hey man, nice work". If you go and press submit, okay, it's showing "this is an example of persistent cross-site scripting" because I had already inserted a malicious script. So this is that script out here, the second input, but just for demonstration purposes let's go in and put it again, so we can also input raw data, that is unencoded input, in the form of a script. So let's go alert, let's just print "hello world".
So if we go and press submit, at first it runs that other cross-site script and then it will say that "this page isn't working". So this is also a very good example; now we have two scripts actually running on this page. So the first one is actually "this is an example of cross-site scripting persistent", so that was the second one, and then comes the "hello world". So that's actually two scripts running back to back. So if I were to actually come back to this site any other day and these comments existed, they would just get automatically executed from the database, just because we are referring to it. Okay, so time for DOM-based cross-site scripting, and I was using this application for the first time yesterday and I realized that there is actually no way that we can actually test DOM-based cross-site scripting here. So to actually test DOM-based cross-site scripting we are going to be using this thing called WebGoat. Now the login credentials to WebGoat are guest for the username and guest for the password. I'd already logged in so it didn't ask me. So now if we go out here and go on the cross-site scripting, XSS, you will also see that there are no options available for actually DOM-based cross-site scripting; this is because it's under AJAX security, or Ajax if you might pronounce it that way. So this is under AJAX security because, if you guys remember, we had just discussed that DOM-based cross-site scripting is a client-side cross-site scripting. So things like a normal script would normally be checked on the server side. But when we are talking on the client side, we are talking about languages like HTML, AJAX, etc., so you can put your scripts in HTML form. So suppose we were to go, so let's input a script first. So suppose you have to go script, hello world; now if we go and submit the solution nothing actually happens because we are actually putting in encoded inputs out there. It's the DOM that is unencoded.
Now if we were to actually go in and input in a language that the client side actually understands, for example HTML, we immediately get a result. So first of all, it's going to actually manipulate the innerHTML attributes of this site. So if we go image and we put a source, now let's not give the source anything, and on error we're going to run some simple JavaScript, so alert, and we can say "this is an example of DOM-based XSS". Now as soon as I end the image tag, this is going to get done because the client side is always rendering the client-side page. So watch this. Sorry, I think I mistyped somewhere. Let's go again, so image. Okay, let's use something I've already used, and you can see that it says "hacked", and out here we've not even pressed submit solution. So out here you can see that as soon as we completed it, it is again saying "hacked", so that means as soon as you complete the query, or the client-side HTML language, that will completely trigger the cross-site payload.

Firstly let's go over what DoS and DDoS mean. Now to understand a DDoS attack, it is essential to understand the fundamentals of a DoS attack. DoS simply stands for denial of service.
The service could be of any kind; for example, imagine your mother confiscates your cellphone when you are preparing for your exams to help you study without any sort of distraction. While the intentions of your mother are truly out of care and concern, you are being denied the service of calling and any other service offered by your cell phone. Now with respect to a computer and computer networks, a denial of service could be in the form of hijacking web servers, overloading ports with requests rendering them unusable, denying wireless authentication and denying any sort of service that is provided on the internet. Attacks of such intent can be performed from a single machine. While single machine attacks are much easier to execute and monitor, they're also easy to detect and mitigate. To solve this issue, the attack could be executed from multiple devices spread across a wide area. Not only does this make it difficult to stop the attack, but it also becomes near impossible to point out the main culprit. Such attacks are called distributed denial of service or DDoS attacks. Now, let us see how they work. The main idea of a DoS attack, as explained, is making a certain service unavailable. Since everything that is attacked is in reality running on a machine, the service can be made unavailable if the performance of the machine can be brought down. This is the fundamental behind DoS and DDoS attacks. Now some DoS attacks are executed by flooding servers with connection requests until the server is overloaded and is deemed useless; others are executed by sending unfragmented packets to a server which they are unable to handle. These methods, when executed by a botnet, exponentially increase the amount of damage that they are doing, and their difficulty to mitigate increases in leaps and bounds. To understand more about how these attacks work, let us look at the different types of attacks. Now while there are plenty of ways to perform a DDoS attack, I'll be listing down the more famous ones.
These methodologies have become famous due to their success rate and the damage they have caused over time. It is important to note that with the advancement in technology, the more creative minds have devised more devious ways to perform DoS attacks. Now the first type of methodology that we are going to discuss is called ping of death. Now according to the TCP/IP protocol the maximum size of a packet can be 65,535 bytes. The ping of death attack exploits this particular fact: in this type of attack the attacker sends packets that are more than the max packet size when the packet fragments are added up. Computers generally do not know what to do with such packets and end up freezing or sometimes crashing entirely. Then we come to reflected DoS. This particular attack is more often than not used with the help of a botnet. The attacker sends a host of innocent computers a connection request using a botnet, which are also called reflectors. Now this connection that comes from the botnet looks like it comes from the victim, and this is done by spoofing the source part in the packet header. This makes the host of computers send an acknowledgement to the victim computer. Since there are multiple such requests from the different computers to the same machine, this overloads the computer and crashes it. This type of attack is also known as a Smurf attack. Another type of attack is called mail bomb. Now mail bomb attacks generally attack email servers. In this type of attack, instead of packets, oversized emails filled with random garbage values are sent to the targeted email server. This generally crashes the email server due to a sudden spike in load and renders them useless until fixed. Last but not the least, we have the teardrop attack. So in this type of attack the fragmentation offset field of a packet is abused. One of the fields in an IP header is the fragment offset field, indicating the starting position or offset
of the data contained in a fragmented packet relative to the data in the original packet. If the sum of the offset and the size of one fragmented packet differs from that of the next fragmented packet, the packets overlap. Now when this happens, a server vulnerable to teardrop attacks is unable to reassemble the packets, resulting in a denial of service condition. Okay. So that was all the theoretical portion of this video; now it's time to actually perform our very own DDoS attack. Okay. So now that we have finished the theoretical part of how DDoS actually works and what it actually is and its different types, let me just give you guys a quick demonstration on how you could apply a denial of service attack on a wireless network anywhere around you; like this could be somewhere like Starbucks where you're sitting, or this could be a library, or your college institution. No matter where you're sitting, this procedure will work. So the first thing we want to do is actually open up a terminal, because we will be doing most of our work on a command line basis. Now for this particular demonstration we will be actually using two tools. First is aircrack-ng, which is a suite of tools which contains aircrack-ng, airmon-ng, aireplay-ng and airodump-ng. So these are the four tools that come along with it. And the second one that we'll be using is called macchanger. Okay, so let me just put my terminal on maximum so you guys can see what I'm actually writing out. So the first thing we want to do is actually log in as root. So let me just do that quickly, because we need to log in as root because most of the stuff that we're going to do right now will need administrator access. Now the first thing we want to do is check out our wireless network card's name, and we can do that easily by typing ifconfig. Now you can see that my wireless card is called wlo1, and we get the MAC address and we also get the IPv6 address.
So that's my wireless network card and we'll actually be setting that up in monitor mode. Now before we actually go in to start up our network card in monitor mode, let me just show you how you can install the two tools that I just spoke about, that is aircrack-ng and macchanger. So to install aircrack-ng you can just go apt-get install aircrack-ng, hit enter, and this should do it for you. I already have it installed, so it's not going to do much. To install macchanger you could just go the same command, that is apt-get install macchanger, and you can check if both the tools have been installed properly by opening the manual pages by typing man aircrack-ng, and this will open up the manual page for you. And let's also do the same for macchanger to ensure. So what we're going to do first is set up our network interface card into monitor mode. So to do that, all we have to do is type ifconfig, and we need to put the network interface card down. So we go ifconfig wlo1 down, and then the command iwconfig mode monitor. Don't forget to specify the interface that you're working on. So iwconfig wlo1 mode monitor, and all you have to do now is put it back up. So what we are going to type is ifconfig wlo1 up. You can check the mode; it will say managed, or monitor if it's in monitor mode. So as you guys can see it says mode managed, so that's how we're going to go ahead, so you can check that just for your own purposes. So we can also check for only wlo1 by specifying the interface, or you could also check the mode only by passing it through a pipe, and that is using grep Mode. So iwconfig wlo1 | grep Mode. Well, Mode begins with a capital M. So that's how you would probably return it. So as you guys can see that has returned the mode for us, along with the access point and the frequency. Okay, so that was a little fun trivia on how you could fetch the mode from a certain command like iwconfig by passing it through a pipe; grep basically means grab.
Okay, so now moving on we will get to the more important stuff. Now firstly we need to check for some sub-processes that might still be running and that might actually interfere with the scanning process. So to do that, what we do is airmon-ng check and then the name of the interface. Now as you guys can see I have the network manager that is running out here, and we need to kill that first, and that can be easily done by going kill with the PID. After that you can run a general command called airmon-ng check kill, so whatever it finds it will kill accordingly, and when it produces no results like this, that means you're ready to go as there are no sub-processes running that might actually interfere with the scan. Now what we want to do is run a dump scan on the network interface card and check out all the possible access points that are available to us. So as you guys can see this produces a bunch of access points and they come with their BSSIDs there. So we have the power, which is the PWR, that is the power of the signal, and let me go down back again. So yeah, you can see the beacons, you can see the data, you can see the channels available and what the BSSID is. It's the MAC ID that is actually tied in with the ESSID, which basically represents the name of the router. Now what we want to do from here is we want to choose which router we want to actually DoS. Now the whole process of DoSing is actually we will continuously deauthenticate all the devices that are connected to it. So for now I have chosen Edureka Wi-Fi to actually DoS out, and once I send it the deauthentication broadcast, it will actually deauthenticate all the devices that are connected to it. Now this deauthentication is done with a tool called aireplay-ng, which is a part of the aircrack-ng suite of tools. Now let's just see how we can use aireplay-ng by opening up the help command. So we go --help and this opens up the help for us.
Now as you guys can see it shows us that we can send a deauthentication message by typing in -0, and then we need to type in the count. So what we are going to do is type in -0, which will send the deauthentication message, and now we can type 1 or 0. So 1 will send only one deauthentication message, while 0 will continuously loop it and send a bunch of deauthentication messages. We are going to say zero because we want to be sure that we are deauthenticating everybody. We can also specifically target one person we want to deauthenticate, but for this demonstration I'm just going to try and deauthenticate everybody that is there. So what we are going to do is copy down the MAC address, or the BSSID as you would know it, and then we are going to run the deauthentication message. Now as you guys can see our deauthentication message is beginning to hunt on channel nine. Now as you guys know, and as I already know, our BSSID or MAC address is working on channel 6. Now we can easily change the channel that our interface is working on by just going iwconfig wlo1 channel and then specifying the channel. As you guys can see our chosen router is working on channel 6, so that's exactly what we're going to do. Now as you guys can see it immediately starts sending the deauthentication codes to the specified router, and this will actually make any device that is connected to that router almost unusable. You might see that you are still connected to the Wi-Fi, but try browsing the internet with them and you will never be able to actually reach any site, as I'm constantly deauthenticating your service; you will need to do a handshake all the time, and even if it completes, you are suddenly deauthenticated again because I'm running this thing on a loop.
Now, you can let this command run for a few moments or however much time you want to DDoS that guy for. Well, this is not exactly a DDoS because you're doing it from one single machine, but you can also optimize this code so it actually looks like it's running from several different machines. So let me just show you how to do that. We are going to write a script file to actually optimize our code a little. So this script file will automate most of the things that we just did and also optimize a little by changing our MAC address every single time, so we become hard to actually point out. So the first thing that we want to do is put our wireless network card down, and maybe that's not the first thing that I want to do. Just give me a moment to think about this. I haven't actually thought this through; I'm doing this on the fly. Okay. So the first thing that we're going to do is start a while loop that is going to continuously run until we actually externally stop it. So we go while true and then we're going to say do, and the first thing that we want to do is send out the deauthentication messages, and we are going to send around 10 deauthentication messages, and we want to run it on a specific BSSID. So that is the BSSID that I had copied, so let me just put that in, and then we just put in the interface it is supposed to work on. Now what we want to do after that is change the MAC address after we have sent all these 10 packets. So what we will need to do is put down our wireless network card, and as already discussed we can do that with ifconfig wlan0 down. And now what we want to do is change our MAC address, so we can do that with the simple tool that we had installed, by saying macchanger -r. So let me just open up a quick tab and show you guys how macchanger actually works.
Now you can already check out my other video called the ethical hacking course, which actually covers a lot of topics, and macchanger is just one of them, and you can check how to use it in depth in that video. But for now let me just give you a brief introduction to how macchanger works. macchanger will basically give you a new MAC address every time. Let me just open up the help menu for you guys. So as you guys can see these are the options that are available to us. We can get a random MAC address. We can also tell it to show our MAC address, and we also have to specify the interface when we want it to show us the MAC address. Now let me just generate a new MAC address. So you see "interface up or insufficient permissions" is being shown. So this means we always have to put down our interface first. So let me just do that quickly: ifconfig wlan0 down. And now what we want to do is give ourselves a new MAC address, and boom, we already have a new MAC address, as you guys can see from the "New MAC" part. Now if you put our network interface card back up and then try and show our MAC address again, we see that our current MAC and our permanent MAC are two completely different MAC addresses, and our current MAC and the new MAC are identical. So this is how you can actually generate new MAC addresses to spoof your own identity on the WLAN, and that is very useful in this case because the person you're attacking will be so confused as to what to do, because your MAC address is changing every time, and there's no real solution to the situation that you're creating for them. At least I don't know of any solution. If you do know how to stop this for yourself, please leave it down in the comment section below and help the world a little bit. Now we also want to get to know what our MAC address is every time. So let me just pipe my function through the whole thing and let me just try and grep the new MAC address.
So macchanger -r wlo1 | grep MAC, and then we want to put our network card in monitor mode, and then we also want to put up our network interface card. Now what we want to do out here is optimize it so we can be attacking constantly. So let us put a sleep timer. So this will make our program sleep for a particular amount of time. I'm going to make it sleep for 5 seconds. So after every 5 seconds it's going to send that particular BSSID the deauthentication messages, then it's going to bring down my interface card, it's going to change my MAC address, it's going to put the interface card back in monitor mode and sleep for 5 seconds, and then repeat the entire process. And to end the script, let's just say done, so that will denote when the loop is done. Now let me just save it, Ctrl+O, Ctrl+X to exit, and there we go. Okay. So first of all, to actually run this, we need to give it some more permissions. So as you guys can see we already have it. Let me just put it in a much more readable format. Okay. So as you guys can see our ddos.sh doesn't really have execute permission, so we can do that with the command chmod. So I'm going to give it some executable permission. So chmod +x and then the name of the file. So this will actually change our ddos.sh into an executable bash script. Okay. So it seems that we have made some error. So let's just go back into our bash script and check for the error that we have probably made. So let me open up ddos.sh again. Okay. So the thing that I am missing is that I forgot the -a that I'm supposed to put before the BSSID in the aireplay-ng part of the code. So let me just go ahead and quickly do that. Okay. So now that that is done, let me just save it and quickly exit and see if this thing is working. Okay. So now we are trying to work out our script. Now you guys should know that this Edureka Wi-Fi is my company's Wi-Fi and I have complete permission to go ahead and do this to them.
My company's Wi-Fi is kind of secure, so every time it senses that a deauthentication message is being sent, and it doesn't like that, it kind of changes the channel that it is working on. So these guys are really smart, smarter than me most of the time, and this time I'm just going to try and force them to work on channel 6. So let me just go ahead and run my script once. Okay, so let me just check that they're still working on channel 6. Yep, they're still working on channel 6. Let me just check my script once, if it's correctly done, if I have the right MAC ID. Let me just copy in the MAC ID just to be sure once again. So there we go, copied it. Let's go into the script and let's paste it in. Okay. So now that that is done and we have the MAC IDs and everything set up properly, let me just show you how to run the script. So you go dot and slash and then you say ddos.sh. Now I see that our thing is working on channel 8, so this will definitely not work, and it will say that the BSSID is not found. So what we need to do, as I have showed you guys earlier, is go iwconfig wlo1 channel and change the channel to channel 6. Oops, I changed it to channel 8 again. This will not work. I'm sorry, that was my bad. So now that we have changed it to channel 6, you can see that it is sending everything immediately. Okay. So that is actually running our script very well. And as you guys can see, because of the security measures that are taken by my company, it will not always work on channel 6; it will keep rotating now until it finds a safe channel. So if it really can't find a safe channel, I will always be DoSing on channel 6 and it will run. Sometimes it will run, sometimes it won't run, but mostly with unsecured Wi-Fi that is running at your home, this will work a hundred percent of the time. So let me just stop this, because my company will go mad at me if I just keep on DoSing them. So this brings us to the end of our demonstration.
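The demonstration above is the attack side. As an added example (not part of the Edureka course or its scripts), here is the defender's counterpart: a small Python detector that parses 802.11 management frames and flags a deauthentication flood against an access point. It keys on the BSSID field (address 3) rather than the transmitter address, because the transmitter address is under the attacker's control and, as the script above shows, may change every few seconds. The frames, MAC addresses, timestamps and thresholds are constructed for the demo; a real capture would come from a monitor-mode interface via tcpdump, Wireshark or scapy. The standard answer to the instructor's open question is Protected Management Frames (IEEE 802.11w, mandatory in WPA3): when the AP and clients negotiate it, deauthentication and disassociation frames carry a message integrity check, so forged ones are simply dropped.

```python
"""Detect 802.11 deauthentication floods in captured management frames.

Added example (not from the Edureka course). Addresses, timestamps and
thresholds below are constructed for the demo; in practice the frames would
come from a monitor-mode capture (tcpdump/Wireshark/scapy) of the WLAN.
"""
import struct
from collections import defaultdict

DEAUTH_FC = 0xC0    # frame control byte: type 0 (management), subtype 12 (deauthentication)
DISASSOC_FC = 0xA0  # subtype 10 (disassociation); forged just as easily
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(fc, dst, src, bssid, reason, seq=0):
    """Construct a minimal 26-byte management frame (constructed test data)."""
    frame = bytes([fc, 0x00]) + struct.pack("<H", 0)   # frame control + duration
    for mac in (dst, src, bssid):                        # addr1, addr2, addr3
        frame += bytes.fromhex(mac.replace(":", ""))
    frame += struct.pack("<H", seq << 4)                 # sequence control
    return frame + struct.pack("<H", reason)             # fixed field: reason code


def parse_mgmt_frame(raw):
    """Return the fields of a deauth/disassoc frame, or None for any other frame."""
    if len(raw) < 26 or raw[0] not in (DEAUTH_FC, DISASSOC_FC):
        return None
    return {
        "subtype": "deauth" if raw[0] == DEAUTH_FC else "disassoc",
        "dst": mac_str(raw[4:10]),     # receiver (broadcast in a mass deauth)
        "src": mac_str(raw[10:16]),    # transmitter; trivially forged
        "bssid": mac_str(raw[16:22]),  # the AP the frame claims to belong to
        "reason": struct.unpack_from("<H", raw, 24)[0],
    }


def detect_deauth_flood(capture, window_ms, threshold):
    """capture: list of (timestamp_ms, raw_frame).

    Groups deauth/disassoc frames by BSSID and reports every BSSID for which
    at least `threshold` such frames fall inside some `window_ms` interval.
    """
    by_bssid = defaultdict(list)
    for ts, raw in capture:
        fields = parse_mgmt_frame(raw)
        if fields:
            by_bssid[fields["bssid"]].append((ts, fields))

    alerts = {}
    for bssid, events in by_bssid.items():
        events.sort(key=lambda e: e[0])
        start, peak = 0, 0
        for i, (ts, _) in enumerate(events):   # sliding window over timestamps
            while ts - events[start][0] > window_ms:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            alerts[bssid] = {
                "peak_in_window": peak,
                "total": len(events),
                "broadcast": sum(1 for _, f in events if f["dst"] == BROADCAST),
                "reasons": sorted({f["reason"] for _, f in events}),
            }
    return alerts


# Constructed capture: one legitimate deauth (reason 3, station leaving) on a
# quiet AP, one unrelated beacon (subtype 8), then twenty broadcast deauths
# "from" the target AP with reason 7 (class 3 frame from a non-associated
# station) spaced 100 ms apart.
QUIET_BSSID = "aa:bb:cc:dd:ee:02"
TARGET_BSSID = "aa:bb:cc:dd:ee:01"
CLIENT = "11:22:33:44:55:66"

SAMPLE_CAPTURE = [
    (0, build_frame(DEAUTH_FC, QUIET_BSSID, CLIENT, QUIET_BSSID, reason=3)),
    (500, bytes([0x80, 0x00]) + b"\x00" * 30),
] + [
    (5000 + 100 * i,
     build_frame(DEAUTH_FC, BROADCAST, TARGET_BSSID, TARGET_BSSID, reason=7, seq=i))
    for i in range(20)
]


def analyze_sample():
    """Ten or more deauths within two seconds for one BSSID is treated as a flood."""
    return detect_deauth_flood(SAMPLE_CAPTURE, window_ms=2000, threshold=10)


if __name__ == "__main__":
    for bssid, info in analyze_sample().items():
        print(f"deauth flood against {bssid}: {info}")
```

On the constructed capture, analyze_sample() reports only the target BSSID, with all twenty frames inside the two-second window and all of them addressed to the broadcast MAC; the lone reason-3 deauth on the quiet AP stays below the threshold. A wireless IDS does the same thing with a rolling window over a live capture, and a sudden burst of broadcast deauths with a single reason code is the signature to look for.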
This is how you can always DoS your neighbors if they're annoying you, but remember, if you're caught you could be prosecuted. So this was about how DoS works, what DDoS actually is and the different types, and how you can do one on your own with your own system.

In the early days of the Internet, building websites was straightforward. There was no JavaScript, no back-end, no CSS, and very few images. But as the web gained popularity, the need for more advanced technology and dynamic websites grew. This led to the development of the Common Gateway Interface, or CGI as we call it, and server-side scripting languages like ASP, JavaScript, PHP and many others. Websites changed and started storing user input and site content in databases. Each and every data field of a website is like a gate to the database. For example, in a login form the user enters the login data, in a search field the user enters a search text, and in a data-saving form the user enters the data to be saved. All this input data goes to the database. So instead of correct data, if any malicious code is entered, then there are possibilities for some serious damage to happen to the database and sometimes to the entire system. And this is what SQL injection is all about.
I'm sure you've heard of SQL. Structured Query Language, or SQL, is a language which is designed to manipulate and manage data in a database. An SQL injection attack is a type of cybersecurity attack that targets these databases using specifically crafted SQL statements to trick the systems into doing unexpected and undesired things. So by leveraging an SQL injection vulnerability present in a web application or website, given the right circumstances, an attacker can use it to bypass the web application's authentication. As in, if you have a login and password, the user or attacker can enter just the user ID, skip the password entry and get into the system, or it can sometimes retrieve the content of an entire database. He can also use an SQL injection vulnerability to add, modify and sometimes delete records in a database, affecting data integrity. While using this vulnerability the attacker can do unimaginable things; this exactly shows how dangerous an SQL injection can be. Now let's check out how a typical SQL injection is carried out. Well, let's start with a non-technical explanation, guys. I have a simple analogy here, so first let's go through this. Once you understand this, you will easily be able to relate it to what an SQL injection attack is. So anyway, first imagine that you have a fully automated bus that functions based on the instructions given by a human through a standard web form. Well, that form might look something like this. For example, the form might say: drive through this route, and stop at the bus stop if this condition holds. So "which route", "where should the bus stop" and "when should the bus stop" are the user inputs. This is where you will have to enter the input into the form. Now after putting some data into the fields, it looks something like this: drive through Route 77 and stop at the bus stop if there are people at the bus stop. Well, that looks simple enough, right?
So basically you, the human or the person, are trying to give three instructions, that is: the bus should drive through Route 77; it should stop at the bus stop; if there are people at the bus stop. Well, that sounds harmless. Now imagine a scenario where someone manages to send these instructions, which look something like this: drive through Route 77 and do not stop at the bus stop and ignore the rest of the form if there are people at the bus stop. And now, since the bus is fully automated, it does exactly as instructed. It drives up Route 77 and does not stop at any bus stop, even when there are people waiting, because the instruction says do not stop at the bus stop and ignore the rest of the form. So this part, which is "if there are people at the bus stop", is ignored. We were able to do this because the query structure and the supplied data are not separated properly, so the automated bus does not differentiate between the instructions and the data; it simply does anything that it is fed or asked to do. Well, SQL injection attacks are based on the same concept. Attackers are able to inject malicious instructions into good ones, all of which are then sent to the database server through the web application. And now the technical explanation. An SQL injection needs two conditions to exist: a relational database that uses SQL, and a user input which is directly used in an SQL query. Let's say we have a simple SQL statement. This statement says select from table users where username is so-and-so and password is so-and-so. Basically you can think of it as the code for a login form. It's asking for the username and the password. This SQL statement is passed to a function that sends the entire string to the connected database, where it will be parsed and executed, and it returns a result at the end. If you have noticed, first, the statement contains some special characters, right?
We have the asterisk, to return all the columns for the selected database row, and then there is equals, to only return values that match the search string, and then we have a single quote here and here to tell the SQL database where the search string starts and ends. So for user you have it starting here and ending here, and for password here; so basically a pair. Now consider the following example, in which a website user is able to change the values of this user and password, such as in a login form. So if the values are put into user and password, it looks something like this: select from the users table where the username is Dean and the password is Winchester. The SQL statement is simple enough; it's very direct. So if there is a user called Dean with password Winchester, then all the columns of the table users are extracted. Now suppose the input is not properly sanitized by the web application; the attacker can easily insert some malicious SQL statement like this: the username might be Dean' OR 1=1 and then you have the double hyphen, followed by password is equal to Winchester. So basically, along with the data, the user or the attacker has tried to enter a malicious SQL statement, disguising it as data here. So guys, you need to notice two things here. First one, we have OR 1=1. It's a condition that will always be true, therefore it is accepted as a valid input by the application. For example, if Dean is not a valid user, or if there is no user called Dean in the database, the application would consider the next value because there is an OR in between; our next value is 1=1, which always returns true. So basically our input will be something like this: Dean OR true, and if there is no user called Dean the next input will be true, and it will be taken as an input value and the values will be displayed. So the next part, which has the double hyphen; I'm sure you know what the double hyphen represents, right? Basically, it's commenting out the next part of the SQL query.
So it instructs the SQL parser that the rest of the line is a comment and should not be executed. So that part, the password part, will be ignored. So basically what we're trying to do is bypass the password authentication here. So once the query executes, the SQL injection effectively removes the password verification, resulting in an authentication bypass: by using the double hyphen we're commenting out the rest of the query, and before that, using 1=1, which is translated to true, we are trying to enter the database without even giving a valid value. So the application will most likely log the attacker in with the first account from the query result. And as you guys know, most of the time the first account in a database is that of an administrative user. So basically by doing nothing, or basically by giving some random data here, the attacker was able to extract the admin details. It sounds very dangerous, right? So that's all an SQL injection attack is about.
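As an added example (not the course's own code), here is the lecture's login query in Python against an in-memory SQLite database, built by string concatenation exactly as the explanation above describes, beside the parameterized form that fixes it. The table, the users and the passwords are constructed for the demo; passwords are stored in plaintext only to mirror the lecture's query (a real application stores a salted password hash and compares against that, so the database never holds the password itself).

```python
"""SQL injection: the string-built login query beside its parameterized fix.

Added example, not from the Edureka course. The users table and its rows are
constructed for the demo, with the administrator as the first row because the
lecture assumes that is what an injected "OR 1=1" query returns first.
"""
import sqlite3


def make_db():
    """Create the constructed users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [
            ("admin", "s3cret-admin", "administrator"),  # first row
            ("dean", "winchester", "user"),
            ("sam", "impala67", "user"),
        ],
    )
    return conn


def vulnerable_login(conn, username, password):
    """The lecture's pattern: user input is pasted into the SQL text.

    With username = "dean' OR 1=1 --" the statement becomes
    SELECT ... WHERE username = 'dean' OR 1=1 --' AND password = '...'
    so the password check is commented out and every row matches.
    """
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()   # first matching row wins
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterized query: the SQL text is fixed and the values travel
    separately, so a quote or a comment marker in the input is just data."""
    row = conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both login functions with a normal and an injected username."""
    conn = make_db()
    payload = "dean' OR 1=1 --"   # the lecture's injected username
    return {
        "vuln_normal": vulnerable_login(conn, "dean", "winchester"),
        "vuln_injected": vulnerable_login(conn, payload, "wrong-password"),
        "safe_normal": safe_login(conn, "dean", "winchester"),
        "safe_injected": safe_login(conn, payload, "wrong-password"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case}: logged in as {user}")
```

Running demo() shows the concatenated query logging the attacker in as admin, the first row of the result, with a wrong password, exactly the bypass the lecture walks through, while the parameterized version treats the same input as a literal username that matches nobody and returns None. The fix is not escaping quotes by hand but keeping query structure and data separated, which is the same point the bus analogy makes.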
