2. INTRO TO HACKING EPISODE 1: GETTING STARTED
LEGALITY
▸Hacking is illegal, don’t do it
▸I am not liable for anything you do
▸You can still learn a lot even with VM labs rather than
other people’s tech
3. INTRO TO HACKING EPISODE 1: GETTING STARTED
LEGALITY
▸This series is intended to help people learn more
about security — don’t do anything unethical or illegal!
▸If you do malicious hacking, you will probably get
caught
4. INTRO TO HACKING EPISODE 1: GETTING STARTED
SERIES CONTENTS
▸Episode 1: Getting started, including quick start guide
▸Episode 2: General process of hacking
▸Episode 3: Social engineering, vulnerabilities, and
more
5. INTRO TO HACKING EPISODE 1: GETTING STARTED
SERIES CONTENTS
▸Episodes 4, 5, and 6: Attack vectors
▸Episode 7: Attacks requiring physical access and
more
▸Episode 8: Tools part 1
▸Episode 9: Tools part 2, summary, and more
6. INTRO TO HACKING EPISODE 1: GETTING STARTED
SERIES START GUIDE
▸This video covers general concepts. If you just want to
dive right in, use these:
▸VirtualBox, Kali VM, nmap, Metasploit, Metasploitable VM, Mutillidae, OWASP top 10
▸Burp Suite and WebGoat — link to guide in description
▸Remember: your devices and networks only
7. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Old definition vs. security definition
▸Hacking (security) — doing things on computing devices
you’re not allowed to do
▸Hackathon vs. hacker convention
▸CTFs, blue team, red team
▸Security changes over time
8. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Why are things hackable?
▸P vs. NP — is security even possible?
▸Software issues: programming, configuration, use
▸Deadlines and budgets for software
▸Bug ticket response: “WONTFIX”
9. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Why are things hackable?
▸Lack of security awareness
▸Poor tools, security is hard
▸Increased connectivity (cloud, IoT, smart)
▸Hyppönen’s law
10. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Why are things hackable?
▸Software can be millions of lines of code
▸All it takes is one bad line of code
▸Example: repeated “goto fail;” line in Apple SSL
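To show how one duplicated line can silence an entire check, here is an added example (not Apple's code and not part of the series) that models the control flow of the 2014 SecureTransport "goto fail" bug with stand-in hash and signature steps; the function names, the trace struct and the error value -1 are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the Apple "goto fail" bug (sslKeyExchange.c, 2014).
 * The hash and signature steps below are stand-ins that only record
 * which steps actually ran. */
typedef struct {
    int hashed_params;      /* did the "hash the signed params" step run? */
    int finalized;          /* did the "finalize hash" step run? */
    int signature_checked;  /* did the real signature comparison run? */
} verify_trace;

/* Stand-in hash steps: always succeed (return 0) and mark the trace. */
static int hash_update(verify_trace *t) { t->hashed_params = 1; return 0; }
static int hash_final(verify_trace *t)  { t->finalized = 1;     return 0; }

/* Stand-in signature comparison: 0 on match, -1 (constructed error code)
 * when the supplied signature does not match the expected one. */
static int check_signature(verify_trace *t, const char *expected, const char *got) {
    t->signature_checked = 1;
    return strcmp(expected, got) == 0 ? 0 : -1;
}

/* Buggy version: the second "goto fail;" is not under any if, so it always
 * executes. Everything after it is dead code and err is still 0 (success)
 * when control reaches "fail:" -- the signature is never examined. */
int verify_buggy(verify_trace *t, const char *expected_sig, const char *got_sig) {
    int err;
    if ((err = hash_update(t)) != 0)
        goto fail;
        goto fail;                      /* the duplicated line: unconditional */
    if ((err = hash_final(t)) != 0)     /* unreachable */
        goto fail;
    if ((err = check_signature(t, expected_sig, got_sig)) != 0)  /* unreachable */
        goto fail;
fail:
    return err;                         /* returns 0: "verified" without checking */
}

/* Fixed version: exactly one goto per condition, so the check runs. */
int verify_fixed(verify_trace *t, const char *expected_sig, const char *got_sig) {
    int err;
    if ((err = hash_update(t)) != 0)
        goto fail;
    if ((err = hash_final(t)) != 0)
        goto fail;
    if ((err = check_signature(t, expected_sig, got_sig)) != 0)
        goto fail;
fail:
    return err;
}

int main(void) {
    /* Constructed inputs: the presented "signature" does not match. */
    verify_trace t = {0};
    int b = verify_buggy(&t, "good-signature", "forged");
    printf("buggy: err=%d signature_checked=%d\n", b, t.signature_checked);
    memset(&t, 0, sizeof t);
    int f = verify_fixed(&t, "good-signature", "forged");
    printf("fixed: err=%d signature_checked=%d\n", f, t.signature_checked);
    return 0;
}
```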
11. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸CIA triad — Confidentiality, Integrity, Availability
▸Hacking is easier than securing against hacking
▸Truisms: complexity is the enemy of security, user input is
evil, no absolute security
▸Some argue about absolute security, mentioning
“formal verification”
12. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸AAA
▸Authentication
▸Authorization
▸Accounting
13. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Computers, mobile devices, networking equipment,
IoT, cars, etc.
▸Lack of software updates
▸New devices that are computers, but people don’t
think of them as computers
14. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Motivations for hacking
▸Challenge
▸Social gain/rite of passage
▸“Stunt hacking”
▸Web defacement
▸Hacktivism
15. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Motivations for hacking
▸Money
▸Corporate espionage
▸Nation state attacks for political reasons (APTs)
▸Outside attackers vs. insider threats
16. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Security Controls
▸Preventative
▸Deterrent
▸Detective
▸Corrective
▸Compensating
17. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Malicious hacking
▸Penetration testing (pen testing) — non-malicious hacking for
security hardening
▸Black box, gray box, white box
▸Security research (VM labs)
▸Attacker and victim VMs
18. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸OpSec — Operational Security
▸Hackers can be caught because of talking too much
▸Loose lips sink ships, loose tweets destroy fleets
▸Marcus Hutchins caught because of email address
▸Alpha Bay creator caught because of email address
19. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸OpSec — Operational Security
▸Tor, VPNs, etc.
▸Lack of NDAs
▸Captcha, browser fingerprinting
▸IP leak during VPN disconnect
20. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Security certifications
▸CEH — Certified Ethical Hacker
▸Security+
▸OSCP — Offensive Security Certified Professional
▸CISSP — Certified Information Systems Security
Professional
21. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Events
▸Blackhat
▸ShowMeCon
▸Defcon
▸CCC
22. INTRO TO HACKING EPISODE 1: GETTING STARTED
HACKING OVERVIEW
▸Events
▸Toorcon
▸Shmoocon
▸Derbycon
▸BSides
23. INTRO TO HACKING EPISODE 1: GETTING STARTED
USEFUL BACKGROUND SKILLS
▸Familiarity with many different OSes
▸Command line (bash, PowerShell)
▸Networking (subnets, VLANs, firewalls, SSH, ARP,
Cisco, OSI, DNS, NAT, pfSense, pf, iptables, etc.)
▸Virtualization (VMware, VirtualBox)
25. INTRO TO HACKING EPISODE 1: GETTING STARTED
USEFUL BACKGROUND SKILLS
▸PHP, SQL, and JavaScript for web hacking
▸Tools and attack vectors mentioned in this video
28. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸1. Reconnaissance
▸OSINT (main focus here)
▸GEOINT
▸SIGINT
▸HUMINT
29. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸1. Reconnaissance/OSINT
▸Passive vs. active
▸whois
▸Maltego
30. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸1. Reconnaissance/OSINT
▸Information brokers*
▸cree.py
▸Trape
31. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸1. Reconnaissance/OSINT
▸Google
▸Social media
▸Archives
32. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸2. Scan and enumerate
▸Might socially engineer someone first
▸Intrusive vs. non-intrusive scanning
▸Credentialed vs. non-credentialed
▸Wireshark
33. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸2. Scan and enumerate
▸Port scanning
▸nmap
▸masscan
▸zmap
34. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸2. Scan and enumerate
▸Shodan
▸Nessus
▸DirBuster
▸robots.txt
35. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸3. Exploit (and sometimes chain)
▸CVEs — Common Vulnerabilities and Exposures
▸Burp Suite
▸Metasploit
▸Dictionary files, lists of default passwords
36. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸3. Exploit (and sometimes chain)
▸Vulnerability discovery — false positives, false negatives
▸Avoiding detection
▸Obfuscation (ex: minifiers), WMI hijacking, crypters
▸Establishing persistence
37. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸4. Pivoting
▸Initially compromised device might not be what you really
want
▸From workstation to domain controller
▸Rpivot
▸3proxy
38. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸4. Pivoting
▸PsExec pass-the-hash
▸Mimikatz
▸Where to pivot, and why?
▸Things to search for: text, wallet files, databases
▸Possible local admin password reuse
39. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸5. Data exfiltration
▸“Slow and low” to avoid detection
▸Covert channels (such as DNS)
▸Steganography
▸Standard vs. non-standard ports
40. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸5. Data exfiltration
▸Be aware of logs — what you’re doing is being logged!
▸Windows: C:\WINDOWS\system32\config
▸Unix: /var/log/
▸Bash history: $HISTFILE
▸Other: IDSes, application-specific logs
41. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸5. Data exfiltration
▸Deleting logs
▸Linux: log rotation and deletion
▸Bash: rm -f $HISTFILE && unset HISTFILE
▸PowerShell: Clear-History
▸Windows: wevtutil el | Foreach-Object {wevtutil cl "$_"}
▸Delete caches/temp files, empty recycle bin, write random data over free space
42. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸5. Data exfiltration
▸Where are you exfiltrating data to?
▸Tor
▸VPNs*
▸Bots for Tor-like relays
43. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸6. Finally doing something with the data
▸Sell it for cryptocurrency? Make it public? Personal use?
▸Bug bounty or responsible disclosure?
▸Limitations to what you’d do if you’re non-malicious, can
still get in legal trouble even then
▸Documentation for security audit?
44. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸6. Alternatively: not just exfiltrating private data, but
modifying it, or affecting the real world
▸Stuxnet and power plants
▸Students giving themselves better grades
▸Making a driverless car go off a cliff
45. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
GENERAL STEPS INVOLVED
▸6. Alternatively: not just exfiltrating private data, but modifying it,
or using computers to have effects in the real world
▸Remotely disabling power steering and brakes (Charlie Miller)
▸Ukrainian power grid — SCADA/ICS
▸Straight up deleting things, like Shamoon
48. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
SOCIAL ENGINEERING
▸Usually less technical than security exploits
▸Often used in conjunction with previously mentioned
steps
▸Attachments, links, phone calls, flash drives, accounts
▸Might be used to get an initial foothold in a network
before proceeding with other steps
49. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
SOCIAL ENGINEERING
▸Phishing — mass, vague
▸Spear phishing — more targeted
▸Whaling — big targets like CEOs
▸setoolkit
▸Maltego
50. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
SOCIAL ENGINEERING
▸Information brokers/online background checks
▸Might not be 100% accurate, also costs money
▸Some are bad — inaccurate, hidden fees, subscriptions
▸Phone spoofing — spoofcard, spooftel
▸Confidence trick
51. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
SOCIAL ENGINEERING
▸Get into character and practice before calling
▸Socially engineering phone carriers to give you someone
else’s phone number
▸Email spoofing — header forging
▸Social engineering for quick cash or mixed with technical
steps
52. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
WHAT IS A VULNERABILITY?
▸Vulnerability — accidental security flaw in software
▸Usually fixed in software updates after being
discovered
▸Many vulnerabilities go undetected for years
▸Shellshock — 25 years before being fixed!
53. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
WHAT IS A VULNERABILITY?
▸The software you’re using right now probably has
vulnerabilities!
54. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
OTHER VULNERABILITY-RELATED TERMS
▸Backdoor (verb) — to intentionally put a security flaw
in software
▸Backdoor (noun) — intentional security flaw in
software
55. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
OTHER VULNERABILITY-RELATED TERMS
▸Exploit (verb) — to make use of a security
vulnerability
▸Exploit (noun) — something that makes use of a
security flaw
▸IOC — Indicator Of Compromise
56. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
LOW-HANGING FRUIT
▸Default passwords
▸Hard-coded passwords
▸Oracle Identity Manager OIMINTERNAL/space
▸Weak or even empty string passwords
▸Semi-related: Intel AMT null response hash via Tamper Data
▸macOS High Sierra root login with no password
57. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
LOW-HANGING FRUIT
▸Lack of rate-limiting for login attempts
▸Honest recovery question answers
▸Outdated software on internet-facing systems
▸Password reuse
58. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
CATEGORIES OF VULNERABILITIES
▸0-day — an unpatched security issue where people have “0
days” to react
▸Unknown except by an individual or small group of attackers
▸Once it is well known, it is no longer a 0-day, just a
vulnerability
▸Misused term, just like air gap (computers not on internet)
59. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
CATEGORIES OF VULNERABILITIES
▸CVE — Common Vulnerabilities and Exposures —
well known vulnerabilities
▸OWASP top 10 categories
▸owasp.org
▸Non-OWASP top 10 vulnerabilities
60. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
OWASP TOP 10: NOVEMBER 2017 EDITION
▸1. Injection
▸2. Broken Authentication
▸3. Sensitive Data Exposure
▸4. XML External Entities (XXE)
▸5. Broken Access Control
61. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
OWASP TOP 10: NOVEMBER 2017 EDITION
▸6. Security Misconfiguration
▸7. Cross-Site Scripting (XSS)
▸8. Insecure Deserialization
▸9. Using Components with Known Vulnerabilities
▸10. Insufficient Logging and Monitoring
64. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸Privilege escalation
▸Server Side Request Forgery (SSRF)
▸Heap and stack attacks, such as heap spraying or stack
canary brute forcing
▸Remote code execution (RCE), arbitrary code execution
65. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸Authentication bypass
▸Local file inclusion (LFI)
▸Remote file inclusion (RFI)
▸Unrestricted file upload
▸Web shells
66. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸ARP spoofing
▸VLAN hopping/double tagging
▸NTP attacks
▸Side channel analysis
▸RTL-SDR
67. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸IMSI catching (cell tower spoofing)
▸MITM attacks
▸Typosquatting, bitsquatting
▸Punycode, Unicode, and homograph attacks
▸Greek Ο, Latin O, and Cyrillic О
68. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸Type confusion
▸Data execution
▸Serialization and deserialization
▸Resource exhaustion
▸Slowloris attack
69. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸Password spraying
▸Traffic sniffing
▸Packet injection
▸Skimming (form of MITM)
▸Amplification attacks
70. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸Switch CAM table overflow via MAC flooding
▸Matryoshka (packet-in-packet)
▸SYN flooding
▸Return-oriented programming (ROP)
71. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸Host and directory enumeration
▸Buffer overflows, such as stack or heap overflows
▸Neighbor discovery cache poisoning
▸Lack of bounds checking
72. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸Domain shadowing
▸Predictable resource location
▸Word macros (see: “maldoc”)
▸Update spoofing (insecure authentication method)
▸Example: Flame
73. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
OTHER VULNERABILITIES AND ATTACKS
▸Hiding backdoors with port knocking
▸Opening closed ports in a stealthy way
76. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Establishing persistence with shells and reverse
shells
▸Ingress vs. egress firewall rules
▸C2 (Command & Control) server
▸Meterpreter (reverse_tcp or reverse_https)
77. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Same-origin bypass
▸Compiler backdoors
▸Ken Thompson hack
▸XcodeGhost
78. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Checksum collisions (pigeonholing)
▸Data inference
▸Use-After-Free (UAF)
▸VM escape
79. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Underprotected APIs
▸DNS cache poisoning
▸Integer overflows and underflows
▸DNS sinkholing/domain sinkholing
80. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸DLL injection, CreateRemoteThread
▸NOP slide/sled
▸Uninitialized variables
▸Format string attack
81. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Cookie stealing
▸HSTS browser history sniffing
▸Iterator invalidation
▸Debug features left on in production (OnePlus,
Patreon)
82. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Least privilege violation (need to know basis)
▸Need to read, need to write, need to execute
▸Tie-in with directory enumeration
▸PHP shell_exec() as root
▸Overly permissive regular expression
83. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Billion laughs
▸Bluesnarfing
▸Juice jacking — malicious chargers
▸Directory traversal
▸../../../etc/passwd or ../../../etc/shadow
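As an added defensive example (not from the series), a lexical path-confinement check in C of the kind a file-serving handler needs to reject the `../../../etc/passwd` input above; the function `resolve_under_root`, the root `/var/www` and the sample paths are constructed here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: lexically normalise a user-supplied relative path
 * and confine it to `root`. Returns 0 and writes root + "/" + cleaned
 * path into `out`, or -1 if the path is absolute, climbs above root, or
 * does not fit. Run it once, after URL-decoding (so "..%2f" is already a
 * plain ".."), and before any filesystem call. Lexical only: symlinks
 * inside root need a realpath()-style check as well. */
int resolve_under_root(const char *root, const char *user_path,
                       char *out, size_t outlen) {
    const char *segs[64];          /* surviving path segments */
    size_t nsegs = 0;
    char copy[1024];               /* strtok modifies its input */

    if (user_path[0] == '/' || strlen(user_path) >= sizeof copy)
        return -1;                 /* absolute path or oversized input */
    strcpy(copy, user_path);

    for (char *tok = strtok(copy, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0)
            continue;              /* "." is a no-op */
        if (strcmp(tok, "..") == 0) {
            if (nsegs == 0)
                return -1;         /* ".." with nothing to pop escapes root */
            nsegs--;
            continue;
        }
        if (nsegs == sizeof segs / sizeof segs[0])
            return -1;             /* too many components */
        segs[nsegs++] = tok;
    }

    /* Rebuild the confined path: root, then each surviving segment. */
    size_t used = strlen(root);
    if (used >= outlen)
        return -1;
    memcpy(out, root, used + 1);
    for (size_t i = 0; i < nsegs; i++) {
        size_t len = strlen(segs[i]);
        if (used + 1 + len >= outlen)
            return -1;
        out[used++] = '/';
        memcpy(out + used, segs[i], len + 1);
        used += len;
    }
    return 0;
}

int main(void) {
    /* Constructed inputs: the slide's payload, a disguised variant, a benign path. */
    const char *inputs[] = { "../../../etc/passwd", "css/../../etc/shadow",
                             "images/./logo.png" };
    char out[256];
    for (size_t i = 0; i < 3; i++) {
        if (resolve_under_root("/var/www", inputs[i], out, sizeof out) == 0)
            printf("allow  %-22s -> %s\n", inputs[i], out);
        else
            printf("reject %-22s (escapes /var/www)\n", inputs[i]);
    }
    return 0;
}
```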
84. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Predictable “random” numbers
▸/dev/random vs. /dev/urandom
▸Entropy pool
▸Suppliers, consumers, starvation, blocking device
85. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Rowhammer bit-flipping
▸Malvertising
▸Tech support scams
▸Attacks against distributed systems
▸Sybil attack
86. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸Brute forcing
▸IP rotating to bypass rate limiting (such as fail2ban)
▸Clickjacking
▸Form grabbing
▸Watering hole
87. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
OTHER VULNERABILITIES AND ATTACKS
▸DNS rebinding
▸Lack of code signing
▸Stolen code-signing certificates
▸Fake websites and apps — WhatsApp example
▸Replay attack
90. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Reputation hijacking — social media, link shorteners
▸Improperly flushed caches
▸Double free()
▸Empty catch block and other exception handling
issues
91. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Rogue/evil twin access points, spectrum analysis
▸BGP hijacking
▸IP spoofing
▸MAC address spoofing to bypass MAC address restrictions
▸Cisco IOS: switchport port-security violation restrict
▸Not disabling accounts of former employees
92. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸BYOD and its security risks
▸Shadow IT
▸Sideloading APKs in Android
▸Encryption downgrade attacks
▸Not failing gracefully
93. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Old passwords, or lack of password length or complexity
requirements
▸Poor wireless security (WEP vs. WPA2, for example)
▸Assuming someone else is in charge of security
▸Cloud
▸Reflection attack
94. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Cross-site request forgery
▸<img src="http://example.com/changePassword.php/?newPassword=attackerPassword">
▸Wireless jamming — Amazon Key
▸RFID and NFC skimming
▸Driver shim
95. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Race conditions
▸Undocumented assets and inventory management
▸Pointer dereference
▸Default configuration or auto-negotiate/auto-configuration
▸Cleartext credentials
96. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Login banners, banner grabbing
▸Unauthorized software — are users installing things they shouldn’t?
▸Autorun from removable media
▸Not showing full file extensions — photo.jpg.exe
▸Telecommuting
97. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Man-in-the-browser
▸Lack of backups, ransomware
▸RAID is not backup
▸3-2-1 backup
▸Relying too much on a web application firewall
98. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Lack of secure coding techniques
▸Copying/pasting untrusted code from Stack Overflow
▸Poor (or lack of) implementation of encryption
▸Only using client-side validation
▸3rd party dependencies such as libraries
99. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
OTHER VULNERABILITIES AND ATTACKS
▸Lack of account monitoring — what behavior is typical
for a given user?
▸Lack of disaster recovery and incident response
▸Lack of change management
102. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
ATTACKS REQUIRING PHYSICAL ACCESS
▸Physical access — if someone has physical access, it’s not secure
▸Physical security — locks, cameras, lights, and more
▸Shoulder surfing
103. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
ATTACKS REQUIRING PHYSICAL ACCESS
▸Dumpster diving
▸Wireless mice and keyboards
▸Rogue devices — did someone pretend to be from a shipping company, delivering a package, then enter the building and set up a small computer somewhere (such as a Raspberry Pi)?
104. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
ATTACKS REQUIRING PHYSICAL ACCESS
▸Password resets
▸Cisco IOS: Rommon 1> confreg 0x2142
▸Windows: NTPass
▸BIOS: CMOS jumpers or batteries
▸Consumer router “30-30-30” NVRAM reset
▸Stealing files from unencrypted drives
▸Lock screen bypass
105. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
ATTACKS REQUIRING PHYSICAL ACCESS
▸USB Killer
▸BadUSB
▸Keyboard emulators
▸PoisonTap
▸Splitters
▸Thunderstrike
106. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
LARGE-SCALE DATA BREACHES
▸Equifax
▸Yahoo
▸OPM
▸MySpace
▸Adobe
107. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
LARGE-SCALE DATA BREACHES
▸Dow Jones
▸JP Morgan
▸IRS
▸Experian
▸eBay
108. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
LARGE-SCALE DATA BREACHES
▸Uber
▸NSA — pirated MS Office, Snowden and flash drives
▸CIA
▸Deloitte
▸Anthem
109. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
LARGE-SCALE DATA BREACHES
▸Securities and Exchange Commission
▸Instagram
▸Google — Operation Aurora (nation state attack)
▸Mt. Gox
110. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
FAMOUS SECURITY FLAWS
▸MS08-067
▸Shellshock
▸Heartbleed
▸Blueborne
▸POODLE
111. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
FAMOUS SECURITY FLAWS
▸KRACK
▸BadTunnel
▸Stagefright
▸Most vulnerabilities only have CVE numbers, not names and
logos
▸CVE-2017-7494
112. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
WEIRD/OBSCURE STUFF
▸Proof-of-Concept (PoC) vs. real world
▸Not all vulnerabilities are exploited
▸“In the wild”
▸Theoretical vs. actual
113. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
WEIRD/OBSCURE STUFF
▸More important to patch when actively exploited, but
everything should still be patched anyway
▸Jellyfish GPU rootkit
▸Hard drive rootkits (not just MBR rootkits)
▸LED blinking for data exfiltration
114. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
WEIRD/OBSCURE STUFF
▸Hard drive noise data exfiltration
▸“Fansmitter” — data exfiltration via fan acoustics
▸Van Eck phreaking
▸“gargoyle” memory scanning evasion
115. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
THREAT MODELS
▸Nation state vs. petty criminal
▸Non-APTs take the path of least resistance
▸APT: Advanced Persistent Threat
▸People might not target your devices for who you are, but
for the possibility to make money, or the fact that your
devices are running certain insecure versions of software
116. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
THREAT MODELS
▸Brian Krebs’ article: “The Scrap Value of a Hacked
PC”
▸Some random person vs. whistleblowers such as
Edward Snowden
▸Not the same security requirements
117. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
TOOLS (SOFTWARE)
▸Many tools for doing the things listed so far
▸“Skid”
▸Don’t bother reinventing the wheel, but don’t be too reliant on
tools either
▸Learn security concepts, not just how to run a tool
▸Malware/RE tools will be covered in later videos
120. INTRO TO HACKING EPISODE 8: TOOLS PART 1
TOOLS (SOFTWARE)
▸Unusual:
▸Equation Group x0rz dump
▸NSA Shadow Brokers
▸Edward Snowden’s NSA leaks
▸Wikileaks (ex: Vault 7)
▸HackingTeam
121. INTRO TO HACKING EPISODE 8: TOOLS PART 1
TOOLS (SOFTWARE)
▸Offensive security tools can make you less secure!
▸Download tools from official sources unless you want malware
▸Better to use LiveCDs or isolated VMs rather than installing
things in your “daily driver” OS
▸Windows, macOS, Qubes OS (Linux)
▸Read documentation before doing anything
122. INTRO TO HACKING EPISODE 8: TOOLS PART 1
TOOLS (SOFTWARE)
▸Metasploit
▸Kali Linux (or GNU/Linux) — extremely important for labs
▸Use in conjunction with intentionally-vulnerable VMs for
learning OWASP top 10
▸Change root password as soon as you boot it up (for LiveCD)
▸Shodan
123. INTRO TO HACKING EPISODE 8: TOOLS PART 1
TOOLS (SOFTWARE)
▸Anonymity
▸Tor, i2p, VPNs, hacked sites, botnets, shady hosting
▸Web shells
▸WSO, c99, and more
▸GitHarvester
124. INTRO TO HACKING EPISODE 8: TOOLS PART 1
TOOLS (SOFTWARE)
▸Mimikatz
▸Google dorking
▸inurl, intext, filetype, site, -exclusion, “exact”, OR, AND, *
▸“index of”
▸msfvenom
▸Burp Suite
126. INTRO TO HACKING EPISODE 8: TOOLS PART 1
TOOLS (SOFTWARE)
▸Aircrack-ng
▸John the Ripper
▸THC Hydra
▸w3af
▸Scapy
127. INTRO TO HACKING EPISODE 8: TOOLS PART 1
TOOLS (SOFTWARE)
▸Spectrum analyzers such as Wi-Spy/Chanalyzer
▸BlueScanner
▸Cain and Abel
▸Various GitHub scripts
▸Might have narrower use-cases than other tools
136. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
TOOLS (SOFTWARE)
▸BeEF — Browser Exploitation Framework
▸Tools for home VM labs
▸Metasploitable
▸WebGoat
▸Mutillidae
137. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
TOOLS (SOFTWARE)
▸DBAN and data destruction
▸AccessData FTK
▸SSL Labs
▸Maltrieve
▸SparkFun Skimmer Scanner
138. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
TOOLS (SOFTWARE)
▸Honeypots such as Kippo
▸VirusTotal — not just for malware checking, but also for
seeing PII people uploaded because they don’t
understand VT’s privacy policy
▸VBoxHardenedLoader by hfiref0x
▸exiftool
139. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
TOOLS (SOFTWARE)
▸Nexpose
▸Recuva
▸American Fuzzy Lop (AFL)
▸TempestSDR
▸See what’s on your roommate’s or neighbor’s screen, even
through walls
140. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
TOOLS (HARDWARE)
▸Hak5 Pineapple and other Hak5 products
▸RTL-SDR or other RF gear for side channel attacks
▸Keyboard emulators
▸Hardware keyloggers
▸Bump keys
141. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
TOOLS (HARDWARE)
▸Pump wedge
▸Bluetooth credit card skimmers
▸PoisonTap — runs on Raspberry Pi Zero
▸USB Killer
▸BLEKey
142. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
COMMON VULNERABILITIES AND EXPOSURES
▸CVSS score/criticality — not all CVEs are equally bad
▸CVE identifiers/numbers (example: CVE-2008-4250)
▸CVE databases
▸MITRE
▸CVE Details
143. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
COMMON VULNERABILITIES AND EXPOSURES
▸Exploit-DB
▸Not all vulnerabilities get CVEs
▸nginx vs. your company’s website
▸Names and logos
▸Things to consider
144. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
BUG BOUNTIES AND SECURITY BROKERS
▸Bug Bounty Program (BBP)
▸Vulnerability Disclosure Program (VDP)
▸Site/company-specific bug bounty programs
▸HackerOne
▸Zero Day Initiative
145. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
BUG BOUNTIES AND SECURITY BROKERS
▸Zerodium
▸1337day
▸Dark web
▸Beware of scams
▸Google Project Zero
146. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
SUMMARY
▸Malicious hacking is illegal, do security labs on your
devices and networks only
▸Things are hackable, don’t ignore security
▸Process: recon, scan/enum, exploit, pivot, exfil
▸Social engineering
147. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
SUMMARY
▸Many different methods of hacking
▸Many different tools
▸Don’t only learn tools
▸Security is constantly changing
148. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
SUMMARY
▸Starting out:
▸Burp Suite and WebGoat — link to guide in
description
▸VirtualBox, Kali VM, nmap, Metasploit, Metasploitable VM, Mutillidae, OWASP top 10
149. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
SUMMARY
▸Learn more on your own — this is just the start!
▸Learn through experience
▸A musician doesn’t learn to play every instrument
▸Security people don’t learn every tool or attack
150. EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
FUTURE VIDEOS?
▸Malware
▸Reverse engineering
▸How to stay secure
▸Resources and recommended reading