INTRO TO HACKING
EPISODE 1: GETTING STARTED

LEGALITY
▸ Hacking is illegal, don’t do it
▸ I am not liable for anything you do
▸ You can still learn a lot even with VM labs rather than other people’s tech
▸ This series is intended to help people learn more about security — don’t do anything unethical or illegal!
▸ If you do malicious hacking, you will probably get caught

SERIES CONTENTS
▸ Episode 1: Getting started, including quick start guide
▸ Episode 2: General process of hacking
▸ Episode 3: Social engineering, vulnerabilities, and more
▸ Episodes 4, 5, and 6: Attack vectors
▸ Episode 7: Attacks requiring physical access and more
▸ Episode 8: Tools part 1
▸ Episode 9: Tools part 2, summary, and more

SERIES START GUIDE
▸ This video covers general concepts. If you just want to dive right in, use these:
  ▸ VirtualBox, Kali VM, nmap, Metasploit, Metasploitable VM, Mutillidae, OWASP top 10
  ▸ Burp Suite and WebGoat — link to guide in description
▸ Remember: your devices and networks only

HACKING OVERVIEW
▸ Old definition vs. security definition
▸ Hacking (security) — doing things on computing devices you’re not allowed to do
▸ Hackathon vs. hacker convention
▸ CTFs, blue team, red team
▸ Security changes over time
▸ Why are things hackable?
  ▸ P vs. NP — is security even possible?
  ▸ Software issues: programming, configuration, use
  ▸ Deadlines and budgets for software
  ▸ Bug ticket response: “WONTFIX”
  ▸ Lack of security awareness
  ▸ Poor tools, security is hard
  ▸ Increased connectivity (cloud, IoT, smart)
  ▸ Hyppönen’s law
  ▸ Software can be millions of lines of code
  ▸ All it takes is one bad line of code
  ▸ Example: repeated “goto fail;” line in Apple SSL
▸ CIA triad — Confidentiality, Integrity, Availability
▸ Hacking is easier than securing against hacking
▸ Truisms: complexity is the enemy of security, user input is evil, no absolute security
▸ Some argue about absolute security, mentioning “formal verification”
▸ AAA
  ▸ Authentication
  ▸ Authorization
  ▸ Accounting
▸ Computers, mobile devices, networking equipment, IoT, cars, etc.
▸ Lack of software updates
▸ New devices that are computers, but people don’t think of them as computers
▸ Motivations for hacking
  ▸ Challenge
  ▸ Social gain/rite of passage
  ▸ “Stunt hacking”
  ▸ Web defacement
  ▸ Hacktivism
  ▸ Money
  ▸ Corporate espionage
  ▸ Nation state attacks for political reasons (APTs)
  ▸ Outside attackers vs. insider threats
▸ Security Controls
  ▸ Preventative
  ▸ Deterrent
  ▸ Detective
  ▸ Corrective
  ▸ Compensating
▸ Malicious hacking
▸ Penetration testing (pen testing) — non-malicious hacking for security hardening
  ▸ Black box, gray box, white box
▸ Security research (VM labs)
  ▸ Attacker and victim VMs
▸ OpSec — Operational Security
  ▸ Hackers can be caught because of talking too much
  ▸ Loose lips sink ships, loose tweets destroy fleets
  ▸ Marcus Hutchins caught because of email address
  ▸ Alpha Bay creator caught because of email address
  ▸ Tor, VPNs, etc.
  ▸ Lack of NDAs
  ▸ Captcha, browser fingerprinting
  ▸ IP leak during VPN disconnect
▸ Security certifications
  ▸ CEH — Certified Ethical Hacker
  ▸ Security+
  ▸ OSCP — Offensive Security Certified Professional
  ▸ CISSP — Certified Information Systems Security Professional
▸ Events
  ▸ Blackhat
  ▸ ShowMeCon
  ▸ Defcon
  ▸ CCC
  ▸ Toorcon
  ▸ Shmoocon
  ▸ Derbycon
  ▸ BSides

USEFUL BACKGROUND SKILLS
▸ Familiarity with many different OSes
▸ Command line (bash, PowerShell)
▸ Networking (subnets, VLANs, firewalls, SSH, ARP, Cisco, OSI, DNS, NAT, pfSense, pf, iptables, etc.)
▸ Virtualization (VMware, VirtualBox)
▸ Active Directory
▸ Identity and access services — LDAP, Kerberos, RADIUS, OpenID, OAuth, NTLM
▸ Security software — IDS, IPS, SIEM, log analysis, AV, RASP, WAF, DPI, NGFW, canaries
▸ PHP, SQL, and JavaScript for web hacking
▸ Tools and attack vectors mentioned in this video
INTRO TO HACKING
EPISODE 2: GENERAL PROCESS

GENERAL STEPS INVOLVED
▸ 1. Reconnaissance
  ▸ OSINT (main focus here)
  ▸ GEOINT
  ▸ SIGINT
  ▸ HUMINT
▸ 1. Reconnaissance/OSINT
  ▸ Passive vs. active
  ▸ whois
  ▸ Maltego
  ▸ Information brokers*
  ▸ cree.py
  ▸ Trape
  ▸ Google
  ▸ Social media
  ▸ Archives
▸ 2. Scan and enumerate
  ▸ Might socially engineer someone first
  ▸ Intrusive vs. non-intrusive scanning
  ▸ Credentialed vs. non-credentialed
  ▸ Wireshark
  ▸ Port scanning
    ▸ nmap
    ▸ masscan
    ▸ zmap
  ▸ Shodan
  ▸ Nessus
  ▸ DirBuster
  ▸ robots.txt
▸ 3. Exploit (and sometimes chain)
  ▸ CVEs — Common Vulnerabilities and Exposures
  ▸ Burp Suite
  ▸ Metasploit
  ▸ Dictionary files, lists of default passwords
  ▸ Vulnerability discovery — false positives, false negatives
  ▸ Avoiding detection
    ▸ Obfuscation (ex: minifiers), WMI hijacking, crypters
  ▸ Establishing persistence
▸ 4. Pivoting
  ▸ Initially compromised device might not be what you really want
  ▸ From workstation to domain controller
  ▸ Rpivot
  ▸ 3proxy
  ▸ PsExec, pass the hash
  ▸ Mimikatz
  ▸ Where to pivot, and why?
  ▸ Things to search for: text, wallet files, databases
  ▸ Possible local admin password reuse
▸ 5. Data exfiltration
  ▸ “Slow and low” to avoid detection
  ▸ Covert channels (such as DNS)
  ▸ Steganography
  ▸ Standard vs. non-standard ports
  ▸ Be aware of logs — what you’re doing is being logged!
    ▸ Windows: C:\WINDOWS\system32\config
    ▸ Unix: /var/log/
    ▸ Bash history: $HISTFILE
    ▸ Other: IDSes, application-specific logs
  ▸ Deleting logs
    ▸ Linux: log rotation and deletion
    ▸ Bash: rm -f $HISTFILE && unset HISTFILE
    ▸ PowerShell: Clear-History
    ▸ Windows: wevtutil el | Foreach-Object {wevtutil cl "$_"}
    ▸ Delete caches/temp files, empty recycle bin, write random data over free space
  ▸ Where are you exfiltrating data to?
    ▸ Tor
    ▸ VPNs*
    ▸ Bots for Tor-like relays
▸ 6. Finally doing something with the data
  ▸ Sell it for cryptocurrency? Make it public? Personal use?
  ▸ Bug bounty or responsible disclosure?
  ▸ Limitations to what you’d do if you’re non-malicious, can still get in legal trouble even then
  ▸ Documentation for security audit?
▸ 6. Alternatively: not just exfiltrating private data, but modifying it, or using computers to have effects in the real world
  ▸ Stuxnet and power plants
  ▸ Students giving themselves better grades
  ▸ Making a driverless car go off a cliff
  ▸ Remotely disabling power steering and brakes (Charlie Miller)
  ▸ Ukrainian power grid — SCADA/ICS
  ▸ Straight up deleting things, like Shamoon
INTRO TO HACKING
EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE

SOCIAL ENGINEERING
▸ Usually less technical than security exploits
▸ Often used in conjunction with previously mentioned steps
▸ Attachments, links, phone calls, flash drives, accounts
▸ Might be used to get an initial foothold in a network before proceeding with other steps
▸ Phishing — mass, vague
▸ Spear phishing — more targeted
▸ Whaling — big targets like CEOs
▸ setoolkit
▸ Maltego
▸ Information brokers/online background checks
  ▸ Might not be 100% accurate, also costs money
  ▸ Some are bad — inaccurate, hidden fees, subscriptions
▸ Phone spoofing — spoofcard, spooftel
▸ Confidence trick
▸ Get into character and practice before calling
▸ Socially engineering phone carriers to give you someone else’s phone number
▸ Email spoofing — header forging
▸ Social engineering for quick cash or mixed with technical steps

WHAT IS A VULNERABILITY?
▸ Vulnerability — accidental security flaw in software
▸ Usually fixed in software updates after being discovered
▸ Many vulnerabilities go undetected for years
  ▸ Shellshock — 25 years before being fixed!
▸ The software you’re using right now probably has vulnerabilities!

OTHER VULNERABILITY-RELATED TERMS
▸ Backdoor (verb) — to intentionally put a security flaw in software
▸ Backdoor (noun) — intentional security flaw in software
▸ Exploit (verb) — to make use of a security vulnerability
▸ Exploit (noun) — something that makes use of a security flaw
▸ IOC — Indicator Of Compromise

LOW-HANGING FRUIT
▸ Default passwords
▸ Hard-coded passwords
  ▸ Oracle Identity Manager OIMINTERNAL/space
▸ Weak or even empty string passwords
  ▸ Semi-related: Intel AMT null response hash via Tamper Data
  ▸ macOS High Sierra root login with no password
▸ Lack of rate-limiting for login attempts
▸ Honest recovery question answers
▸ Outdated software on internet-facing systems
▸ Password reuse
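Added example (Python, written for this page, not code from the slides or the video): a sliding-window login rate limiter that counts failures per account and per source IP, run over two constructed attack shapes that the series mentions, a rotating-IP attack on one account and a password spray from one IP against many accounts. The window length, threshold, usernames and IP addresses are all assumptions.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example, not from the slides.
WINDOW_SECONDS = 300   # sliding window length
MAX_FAILURES = 5       # failures allowed per key inside the window


class LoginRateLimiter:
    """Counts failed logins under two independent keys: the account name and the
    source IP. Either key reaching MAX_FAILURES inside the window blocks the attempt,
    so rotating source IPs does not reset the per-account count, and spraying one
    password across many accounts does not reset the per-IP count."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES, clock=time.monotonic):
        self.window = window
        self.max_failures = max_failures
        self.clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures

    def _recent(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures that aged out
            q.popleft()
        return q

    def _keys(self, username, ip):
        return (("user", username), ("ip", ip))

    def is_blocked(self, username, ip):
        now = self.clock()
        return any(len(self._recent(k, now)) >= self.max_failures
                   for k in self._keys(username, ip))

    def record_failure(self, username, ip):
        now = self.clock()
        for k in self._keys(username, ip):
            self._recent(k, now).append(now)

    def record_success(self, username, ip):
        # A real login clears the account counter; the IP counter is kept on purpose.
        self._failures.pop(("user", username), None)


def simulate(attempts, limiter=None):
    """attempts: sequence of (username, source_ip, password_is_correct).
    Returns one outcome per attempt: 'blocked', 'failed' or 'success'."""
    limiter = limiter if limiter is not None else LoginRateLimiter()
    outcomes = []
    for user, ip, ok in attempts:
        if limiter.is_blocked(user, ip):
            outcomes.append("blocked")
        elif ok:
            limiter.record_success(user, ip)
            outcomes.append("success")
        else:
            limiter.record_failure(user, ip)
            outcomes.append("failed")
    return outcomes


# Constructed scenarios (hypothetical accounts and addresses).
ROTATING_IP_ATTACK = [("alice", f"10.0.0.{i}", False) for i in range(1, 8)]
PASSWORD_SPRAY = [(f"user{i}", "203.0.113.9", False) for i in range(1, 8)]


if __name__ == "__main__":
    print("rotating IPs vs one account:", simulate(ROTATING_IP_ATTACK))
    print("one IP vs many accounts:   ", simulate(PASSWORD_SPRAY))
```

The per-account counter is what defeats IP rotation, but it also means an attacker can lock a known account out by failing on purpose; production systems usually pair this with a short lockout, exponential backoff, or a step-up challenge rather than a hard block.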
CATEGORIES OF VULNERABILITIES
▸ 0-day — an unpatched security issue where people have “0 days” to react
  ▸ Unknown except by an individual or small group of attackers
  ▸ Once it is well known, it is no longer a 0-day, just a vulnerability
  ▸ Misused term, just like air gap (computers not on internet)
▸ CVE — Common Vulnerabilities and Exposures — well known vulnerabilities
▸ OWASP top 10 categories
  ▸ owasp.org
▸ Non-OWASP top 10 vulnerabilities

OWASP TOP 10: NOVEMBER 2017 EDITION
▸ 1. Injection
▸ 2. Broken Authentication
▸ 3. Sensitive Data Exposure
▸ 4. XML External Entities (XXE)
▸ 5. Broken Access Control
▸ 6. Security Misconfiguration
▸ 7. Cross-Site Scripting (XSS)
▸ 8. Insecure Deserialization
▸ 9. Using Components with Known Vulnerabilities
▸ 10. Insufficient Logging and Monitoring
INTRO TO HACKING
EPISODE 4: ATTACK VECTORS PART 1

OTHER VULNERABILITIES AND ATTACKS
▸ Privilege escalation
▸ Server Side Request Forgery (SSRF)
▸ Heap and stack attacks, such as heap spraying or stack canary brute forcing
▸ Remote code execution (RCE), arbitrary code execution
▸ Authentication bypass
▸ Local file inclusion (LFI)
▸ Remote file inclusion (RFI)
▸ Unrestricted file upload
▸ Web shells
▸ ARP spoofing
▸ VLAN hopping/double tagging
▸ NTP attacks
▸ Side channel analysis
  ▸ RTL-SDR
▸ IMSI catching (cell tower spoofing)
▸ MITM attacks
▸ Typosquatting, bitsquatting
▸ Punycode, Unicode, and homograph attacks
  ▸ Greek Ο, Latin O, and Cyrillic О
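Added example (Python, written for this page, not code from the slides or the video): a small homograph check for hostnames that flags labels mixing Unicode scripts (Latin letters next to Cyrillic or Greek look-alikes, as in the bullet above) and shows the IDNA/punycode form a browser would put on the wire. The sample hostnames are constructed for the example and are not real sites.

```python
import unicodedata

# Constructed sample hostnames (not real domains). The Unicode escapes are the
# look-alike letters: U+0435 Cyrillic small ie, U+039F Greek capital omicron,
# and an all-Cyrillic label that resembles Latin "cope".
SAMPLES = [
    "example.com",
    "exampl\u0435.com",
    "\u039fpen.org",
    "\u0441\u043e\u0440\u0435.com",
]


def scripts_in(label):
    """Scripts used by the letters of one DNS label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def mixed_script_labels(hostname):
    """Labels that combine more than one script; the classic homograph shape."""
    return [label for label in hostname.split(".") if len(scripts_in(label)) > 1]


def to_ascii(hostname):
    """IDNA (punycode) form: any non-ASCII label becomes an xn-- label, which is
    what a careful UI shows and what resolvers actually query."""
    return hostname.encode("idna").decode("ascii")


def assess(hostname):
    ascii_form = to_ascii(hostname)
    mixed = mixed_script_labels(hostname)
    return {
        "hostname": hostname,
        "ascii": ascii_form,
        "mixed_script_labels": mixed,
        # A whole-label substitution (all Cyrillic) is not "mixed", so the
        # punycode check catches what the script check cannot.
        "suspicious": bool(mixed) or ascii_form != hostname,
    }


if __name__ == "__main__":
    for host in SAMPLES:
        print(assess(host))
```

The mixed-script rule is the same idea browsers use for deciding whether to display the Unicode or the xn-- form; it is a heuristic, so an all-Cyrillic look-alike label passes it, which is why the example also treats any punycode conversion as worth a second look.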
OTHER VULNERABILITIES AND ATTACKS
▸ Type confusion
▸ Data execution
▸ Serialization and deserialization
▸ Resource exhaustion
  ▸ Slowloris attack
▸ Password spraying
▸ Traffic sniffing
▸ Packet injection
▸ Skimming (form of MITM)
▸ Amplification attacks
▸ Switch CAM table overflow via MAC flooding
▸ Matryoshka (packet-in-packet)
▸ SYN flooding
▸ Return-oriented programming (ROP)
▸ Host and directory enumeration
▸ Buffer overflows, such as stack or heap overflows
▸ Neighbor discovery cache poisoning
▸ Lack of bounds checking
▸ Domain shadowing
▸ Predictable resource location
▸ Word macros (see: “maldoc”)
▸ Update spoofing (insecure authentication method)
  ▸ Example: Flame
▸ Hiding backdoors with port knocking
  ▸ Opening closed ports in a stealthy way
INTRO TO HACKING
EPISODE 5: ATTACK VECTORS PART 2

OTHER VULNERABILITIES AND ATTACKS
▸ Establishing persistence with shells and reverse shells
  ▸ Ingress vs. egress firewall rules
  ▸ C2 (Command & Control) server
  ▸ Meterpreter (reverse_tcp or reverse_https)
▸ Same-origin bypass
▸ Compiler backdoors
  ▸ Ken Thompson hack
  ▸ XcodeGhost
▸ Checksum collisions (pigeonholing)
▸ Data inference
▸ Use-After-Free (UAF)
▸ VM escape
▸ Underprotected APIs
▸ DNS cache poisoning
▸ Integer overflows and underflows
▸ DNS sinkholing/domain sinkholing
▸ DLL injection, CreateRemoteThread
▸ NOP slide/sled
▸ Uninitialized variables
▸ Format string attack
▸ Cookie stealing
▸ HSTS browser history sniffing
▸ Iterator invalidation
▸ Debug features left on in production (OnePlus, Patreon)
▸ Least privilege violation (need to know basis)
  ▸ Need to read, need to write, need to execute
  ▸ Tie-in with directory enumeration
  ▸ PHP shell_exec() as root
▸ Overly permissive regular expression
▸ Billion laughs
▸ Bluesnarfing
▸ Juice jacking — malicious chargers
▸ Directory traversal
  ▸ ../../../etc/passwd or ../../../etc/shadow
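Added example (Python, written for this page, not code from the slides or the video): the server-side check that stops the traversal payloads in the bullet above. It percent-decodes once, normalizes the joined path, and then requires the document root to be an ancestor component by component, which also rejects the sibling-directory trick that a plain prefix comparison misses. The document root and the sample request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example (assumption, not a path from the slides).
DOCROOT = "/srv/www/static"


class TraversalError(ValueError):
    """Raised when a requested path would resolve outside the document root."""


def safe_join(root, user_path):
    """Return the normalized absolute path for user_path under root, or raise.

    Order matters: reject NUL bytes, decode percent-encoding once (match what
    your server does; double decoding creates its own bypasses), join, collapse
    '.' and '..' with normpath, then check ancestry with commonpath."""
    if "\x00" in user_path:
        raise TraversalError("NUL byte in path")
    decoded = unquote(user_path)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # commonpath compares whole components, so '/srv/www/static-evil/x' is not
    # accepted as a child of '/srv/www/static' the way startswith() would accept it.
    # An absolute user path ('/etc/passwd') replaces root in join() and fails here too.
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalError(f"{user_path!r} resolves to {candidate!r}, outside {root!r}")
    return candidate


def is_safe(root, user_path):
    try:
        safe_join(root, user_path)
        return True
    except TraversalError:
        return False


# Constructed sample requests: the slide's payloads plus common variants.
SAMPLE_PATHS = [
    "images/cat.jpg",                      # ordinary file
    "../../../etc/passwd",                 # from the slide
    "../../../etc/shadow",                 # from the slide
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd",     # same thing, percent-encoded
    "/etc/passwd",                         # absolute path injection
    "../static-evil/secret",               # sibling directory sharing a prefix
    "images/../../static/ok.txt",          # '..' that stays inside the root
]


def classify(root=DOCROOT, paths=SAMPLE_PATHS):
    """Map each sample path to whether safe_join() accepts it."""
    return {p: is_safe(root, p) for p in paths}


if __name__ == "__main__":
    for path, ok in classify().items():
        print(f"{'ALLOW' if ok else 'DENY '}  {path}")
```

This is string-level containment only; if the root can contain symlinks that point outside it, resolve the candidate with os.path.realpath() against a realpath-resolved root before serving it.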
OTHER VULNERABILITIES AND ATTACKS
▸ Predictable “random” numbers
  ▸ /dev/random vs. /dev/urandom
  ▸ Entropy pool
  ▸ Suppliers, consumers, starvation, blocking device
▸ Rowhammer bit-flipping
▸ Malvertising
▸ Tech support scams
▸ Attacks against distributed systems
  ▸ Sybil attack
▸ Brute forcing
  ▸ IP rotating to bypass rate limiting (such as fail2ban)
▸ Clickjacking
▸ Form grabbing
▸ Watering hole
▸ DNS rebinding
▸ Lack of code signing
▸ Stolen code-signing certificates
▸ Fake websites and apps — WhatsApp example
▸ Replay attack
INTRO TO HACKING
EPISODE 6: ATTACK VECTORS PART 3

OTHER VULNERABILITIES AND ATTACKS
▸ Reputation hijacking — social media, link shorteners
▸ Improperly flushed caches
▸ Double free()
▸ Empty catch block and other exception handling issues
▸ Rogue/evil twin access points, spectrum analysis
▸ BGP hijacking
▸ IP spoofing
▸ MAC address spoofing to bypass MAC address restrictions
  ▸ Cisco IOS: switchport port-security violation restrict
▸ Not disabling accounts of former employees
▸ BYOD and its security risks
▸ Shadow IT
▸ Sideloading APKs in Android
▸ Encryption downgrade attacks
▸ Not failing gracefully
▸ Old passwords, or lack of password length or complexity requirements
▸ Poor wireless security (WEP vs. WPA2, for example)
▸ Assuming someone else is in charge of security
  ▸ Cloud
▸ Reflection attack
▸ Cross-site request forgery
  ▸ <img src="http://example.com/changePassword.php/?newPassword=attackerPassword">
▸ Wireless jamming — Amazon Key
▸ RFID and NFC skimming
▸ Driver shim
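Added example (Python, written for this page, not code from the slides or the video): the password-change handler that the `<img>` tag above defeats, side by side with a hardened version that requires POST and a per-session CSRF token compared in constant time. The session store, request objects and usernames are constructed stand-ins for a web framework; no real framework is used.

```python
import hmac
import secrets

# Constructed stand-ins for a framework's session and request objects (assumptions
# made for this example). The browser sends the victim's session cookie with the
# <img> request automatically, which is why both handlers see the same session.


def new_session(user):
    """Server-side session. The CSRF token must come from a CSPRNG (secrets),
    never from random.random(), or it becomes one more predictable 'random' number."""
    return {"user": user, "csrf_token": secrets.token_hex(32)}


def change_password_vulnerable(session, request):
    """'Before': trusts the session cookie alone and accepts GET, so the cross-site
    <img src="...changePassword.php/?newPassword=..."> request succeeds."""
    new_pw = request["params"].get("newPassword")
    if session.get("user") and new_pw:
        return ("ok", new_pw)
    return ("error", None)


def change_password_hardened(session, request):
    """'After': state changes only over POST, and only with a token that a
    cross-site page cannot read (the same-origin policy keeps it out of reach)."""
    if request["method"] != "POST":
        return ("error", None)
    supplied = request["params"].get("csrf_token", "")
    expected = session.get("csrf_token", "")
    # compare_digest on bytes: constant time, and safe if the client sends non-ASCII.
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return ("error", None)
    new_pw = request["params"].get("newPassword")
    if session.get("user") and new_pw:
        return ("ok", new_pw)
    return ("error", None)


def img_tag_request():
    """The request a browser makes for the slide's <img> tag: GET, query string only."""
    return {"method": "GET", "params": {"newPassword": "attackerPassword"}}


def demo():
    session = new_session("victim")      # hypothetical logged-in user
    forged_post = {"method": "POST",
                   "params": {"newPassword": "attackerPassword", "csrf_token": "guess"}}
    legit_post = {"method": "POST",
                  "params": {"newPassword": "correct-horse", "csrf_token": session["csrf_token"]}}
    return {
        "vulnerable_vs_img": change_password_vulnerable(session, img_tag_request()),
        "hardened_vs_img": change_password_hardened(session, img_tag_request()),
        "hardened_vs_forged_post": change_password_hardened(session, forged_post),
        "hardened_vs_legit_post": change_password_hardened(session, legit_post),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Rejecting GET removes the `<img>` vector on its own, but an attacker can still auto-submit a cross-site form, so the token is what closes the hole; marking the session cookie SameSite is a second, independent layer.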
OTHER VULNERABILITIES AND ATTACKS
▸ Race conditions
▸ Undocumented assets and inventory management
▸ Pointer dereference
▸ Default configuration or auto-negotiate/auto-configuration
▸ Cleartext credentials
▸ Login banners, banner grabbing
▸ Unauthorized software – are users installing things they shouldn’t?
▸ Autorun from removable media
▸ Not showing full file extensions — photo.jpg.exe
▸ Telecommuting
▸ Man-in-the-browser
▸ Lack of backups, ransomware
  ▸ RAID is not backup
  ▸ 3-2-1 backup
▸ Relying too much on a web application firewall
▸ Lack of secure coding techniques
  ▸ Copying/pasting untrusted code from Stack Overflow
  ▸ Poor (or lack of) implementation of encryption
  ▸ Only using client-side validation
  ▸ 3rd party dependencies such as libraries
▸ Lack of account monitoring — what behavior is typical for a given user?
▸ Lack of disaster recovery and incident response
▸ Lack of change management
INTRO TO HACKING
EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE

ATTACKS REQUIRING PHYSICAL ACCESS
▸ Physical access – if someone has physical access, it’s not secure
▸ Physical security – locks, cameras, lights, and more
▸ Shoulder surfing
▸ Dumpster diving
▸ Wireless mice and keyboards
▸ Rogue devices – did someone pretend to be from a shipping company, delivering a package, then enter the building and set up a small computer somewhere (such as a Raspberry Pi)?
▸ Password resets
  ▸ Cisco IOS: Rommon 1> confreg 0x2142
  ▸ Windows: NTPass
  ▸ BIOS: CMOS jumpers or batteries
  ▸ Consumer router “30-30-30” NVRAM reset
▸ Stealing files from unencrypted drives
▸ Lock screen bypass
▸ USB Killer
▸ BadUSB
▸ Keyboard emulators
▸ PoisonTap
▸ Splitters
▸ Thunderstrike

LARGE-SCALE DATA BREACHES
▸ Equifax
▸ Yahoo
▸ OPM
▸ MySpace
▸ Adobe
▸ Dow Jones
▸ JP Morgan
▸ IRS
▸ Experian
▸ eBay
▸ Uber
▸ NSA — pirated MS Office, Snowden and flash drives
▸ CIA
▸ Deloitte
▸ Anthem
▸ Securities and Exchange Commission
▸ Instagram
▸ Google — Operation Aurora (nation state attack)
▸ Mt. Gox

FAMOUS SECURITY FLAWS
▸ MS08-067
▸ Shellshock
▸ Heartbleed
▸ Blueborne
▸ POODLE
▸ KRACK
▸ Badtunnel
▸ Stagefright
▸ Most vulnerabilities only have CVE numbers, not names and logos
  ▸ CVE-2017-7494

WEIRD/OBSCURE STUFF
▸ Proof-of-Concept (PoC) vs. real world
▸ Not all vulnerabilities are exploited
  ▸ “In the wild”
  ▸ Theoretical vs. actual
▸ More important to patch when actively exploited, but everything should still be patched anyway
▸ Jellyfish GPU rootkit
▸ Hard drive rootkits (not just MBR rootkits)
▸ LED blinking for data exfiltration
▸ Hard drive noise data exfiltration
▸ “Fansmitter” — data exfiltration via fan acoustics
▸ Van Eck phreaking
▸ “gargoyle” memory scanning evasion

THREAT MODELS
▸ Nation state vs. petty criminal
▸ Non-APTs take the path of least resistance
▸ APT: Advanced Persistent Threat
▸ People might not target your devices for who you are, but for the possibility to make money, or the fact that your devices are running certain insecure versions of software
▸ Brian Krebs’ article: “The Scrap Value of a Hacked PC”
▸ Some random person vs. whistleblowers such as Edward Snowden
  ▸ Not the same security requirements

TOOLS (SOFTWARE)
▸ Many tools for doing the things listed so far
▸ “Skid”
▸ Don’t bother reinventing the wheel, but don’t be too reliant on tools either
▸ Learn security concepts, not just how to run a tool
▸ Malware/RE tools will be covered in later videos
INTRO TO HACKING
EPISODE 8: TOOLS PART 1

TOOLS (SOFTWARE)
▸ Unusual:
  ▸ Equation Group x0rz dump
  ▸ NSA Shadow Brokers
  ▸ Edward Snowden’s NSA leaks
  ▸ Wikileaks (ex: Vault 7)
  ▸ HackingTeam
▸ Offensive security tools can make you less secure!
  ▸ Download tools from official sources unless you want malware
  ▸ Better to use LiveCDs or isolated VMs rather than installing things in your “daily driver” OS
  ▸ Windows, macOS, Qubes OS (Linux)
  ▸ Read documentation before doing anything
▸ Metasploit
▸ Kali Linux (or GNU/Linux) — extremely important for labs
  ▸ Use in conjunction with intentionally-vulnerable VMs for learning OWASP top 10
  ▸ Change root password as soon as you boot it up (for LiveCD)
▸ Shodan
▸ Anonymity
  ▸ Tor, i2p, VPNs, hacked sites, botnets, shady hosting
▸ Web shells
  ▸ WSO, c99, and more
▸ GitHarvester
▸ Mimikatz
▸ Google dorking
  ▸ inurl, intext, filetype, site, -exclusion, “exact”, OR, AND, *
  ▸ “index of”
▸ msfvenom
▸ Burp Suite
▸ OWASP ZAP
▸ BFF — Basic Fuzzing Framework
▸ Firesheep
▸ Wireshark
▸ FOCA
▸ Aircrack-ng
▸ John the Ripper
▸ THC Hydra
▸ w3af
▸ Scapy
▸ Spectrum analyzers such as Wi-Spy/Chanalyzer
▸ BlueScanner
▸ Cain and Abel
▸ Various GitHub scripts
  ▸ Might have narrower use-cases than other tools
▸ nmap, zenmap
▸ tcpdump
▸ man, apropos, whatis, whereis, which, find, --help
▸ netcat (nc)
▸ hashcat
▸ Cobalt Strike
▸ Kismet
▸ Reaver
▸ Bloodhound
▸ sqlmap
▸ sqlninja
▸ Acunetix
▸ Nessus
▸ UPX
▸ Netsparker
▸ Bindiff
▸ sslstrip
▸ Veil Framework
▸ Responder
▸ Dirbuster
▸ l0phtcrack
▸ ettercap
▸ Sniffly2
▸ hopper
▸ fiddler
▸ PowerShell Empire and other post-exploitation frameworks
▸ dnscat
FINAL EPISODE!
INTRO TO HACKING
EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE

TOOLS (SOFTWARE)
▸ BeEF — Browser Exploitation Framework
▸ Tools for home VM labs
  ▸ Metasploitable
  ▸ WebGoat
  ▸ Mutillidae
▸ DBAN and data destruction
▸ AccessData FTK
▸ SSL Labs
▸ Maltrieve
▸ Sparkfun Skimmer Scanner
▸ Honeypots such as Kippo
▸ VirusTotal — not just for malware checking, but also for seeing PII people uploaded because they don’t understand VT’s privacy policy
▸ VBoxHardenedLoader by hfiref0x
▸ exiftool
▸ Nexpose
▸ Recuva
▸ American Fuzzy Lop (AFL)
▸ TempestSDR
  ▸ See what’s on your roommate’s or neighbor’s screen, even through walls

TOOLS (HARDWARE)
▸ Hak5 Pineapple and other Hak5 products
▸ RTL-SDR or other RF gear for side channel attacks
▸ Keyboard emulators
▸ Hardware keyloggers
▸ Bump keys
▸ Pump wedge
▸ Bluetooth credit card skimmers
▸ PoisonTap — runs on Raspberry Pi Zero
▸ USB Killer
▸ BLEKey

COMMON VULNERABILITIES AND EXPOSURES
▸ CVSS score/criticality — not all CVEs are equally bad
▸ CVE identifiers/numbers (example: CVE-2008-4250)
▸ CVE databases
  ▸ MITRE
  ▸ CVE Details
  ▸ Exploit-DB
▸ Not all vulnerabilities get CVEs
  ▸ nginx vs. your company’s website
▸ Names and logos
▸ Things to consider

BUG BOUNTIES AND SECURITY BROKERS
▸ Bug Bounty Program (BBP)
▸ Vulnerability Disclosure Program (VDP)
▸ Site/company-specific bug bounty programs
▸ HackerOne
▸ Zero Day Initiative
▸ Zerodium
▸ 1337day
▸ Dark web
  ▸ Beware of scams
▸ Google Project Zero

SUMMARY
▸ Malicious hacking is illegal, do security labs on your devices and networks only
▸ Things are hackable, don’t ignore security
▸ Process: recon, scan/enum, exploit, pivot, exfil
▸ Social engineering
▸ Many different methods of hacking
▸ Many different tools
  ▸ Don’t only learn tools
▸ Security is constantly changing
▸ Starting out:
  ▸ Burp Suite and WebGoat — link to guide in description
  ▸ VirtualBox, Kali VM, nmap, Metasploit, Metasploitable VM, Mutillidae, OWASP top 10
▸ Learn more on your own — this is just the start!
▸ Learn through experience
  ▸ A musician doesn’t learn to play every instrument
  ▸ Security people don’t learn every tool or attack

FUTURE VIDEOS?
▸ Malware
▸ Reverse engineering
▸ How to stay secure
▸ Resources and recommended reading

Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 

Recently uploaded (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Featured

How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...DevGAMM Conference
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationErica Santiago
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellSaba Software
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming LanguageSimplilearn
 

Featured (20)

How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming Language
 

Hacking Presentation Slides

  • 1. INTRO TO HACKING EPISODE 1: GETTING STARTED
  • 2. INTRO TO HACKING EPISODE 1: GETTING STARTED
    LEGALITY
    ▸Hacking is illegal, don’t do it
    ▸I am not liable for anything you do
    ▸You can still learn a lot even with VM labs rather than other people’s tech
  • 3. INTRO TO HACKING EPISODE 1: GETTING STARTED
    LEGALITY
    ▸This series is intended to help people learn more about security — don’t do anything unethical or illegal!
    ▸If you do malicious hacking, you will probably get caught
  • 4. INTRO TO HACKING EPISODE 1: GETTING STARTED
    SERIES CONTENTS
    ▸Episode 1: Getting started, including quick start guide
    ▸Episode 2: General process of hacking
    ▸Episode 3: Social engineering, vulnerabilities, and more
  • 5. INTRO TO HACKING EPISODE 1: GETTING STARTED
    SERIES CONTENTS
    ▸Episodes 4, 5, and 6: Attack vectors
    ▸Episode 7: Attacks requiring physical access and more
    ▸Episode 8: Tools part 1
    ▸Episode 9: Tools part 2, summary, and more
  • 6. INTRO TO HACKING EPISODE 1: GETTING STARTED
    SERIES START GUIDE
    ▸This video covers general concepts. If you just want to dive right in, use these:
    ▸VirtualBox, Kali VM, nmap, Metasploit, Metasploitable VM, Mutillidae, OWASP top 10
    ▸Burp Suite and WebGoat — link to guide in description
    ▸Remember: your devices and networks only
  • 7. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Old definition vs. security definition
    ▸Hacking (security) — doing things on computing devices you’re not allowed to do
    ▸Hackathon vs. hacker convention
    ▸CTFs, blue team, red team
    ▸Security changes over time
  • 8. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Why are things hackable?
    ▸P vs. NP — is security even possible?
    ▸Software issues: programming, configuration, use
    ▸Deadlines and budgets for software
    ▸Bug ticket response: “WONTFIX”
  • 9. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Why are things hackable?
    ▸Lack of security awareness
    ▸Poor tools, security is hard
    ▸Increased connectivity (cloud, IoT, smart)
    ▸Hyppönen’s law
  • 10. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Why are things hackable?
    ▸Software can be millions of lines of code
    ▸All it takes is one bad line of code
    ▸Example: repeated “goto fail;” line in Apple SSL
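Slide 10's point, that one duplicated line can silently disable a whole check, is easiest to see in code. The following is an added example, not code from the slides and not Apple's actual source: it reconstructs the shape of the bug with a constructed `steps_t` record standing in for the real hashing and signature steps, and puts the buggy control flow beside the fixed one so the difference in the returned error code is visible.

```c
/* Added example (not Apple's code): the "goto fail" pattern from slide 10.
 * A chain of checks each jumps to a common cleanup label on error. In the
 * buggy version a duplicated, unconditional "goto fail;" skips the final
 * check, and because err still holds 0 from the previous successful step the
 * caller is told that verification succeeded. */
#include <stdio.h>

/* Hypothetical step results: 0 means "ok", any non-zero value is an error. */
typedef struct {
    int update_random;   /* result of hashing the random bytes   */
    int update_params;   /* result of hashing the signed params  */
    int final_check;     /* result of the final signature check  */
} steps_t;

/* Buggy version. The second "goto fail;" after the second check is
 * indented as though it were guarded by the if, but it is not: it always
 * executes, so the final check is unreachable. */
int verify_buggy(const steps_t *s)
{
    int err = 0;
    if ((err = s->update_random) != 0)
        goto fail;
    if ((err = s->update_params) != 0)
        goto fail;
        goto fail;                       /* duplicated line: always taken */
    if ((err = s->final_check) != 0)     /* never reached */
        goto fail;
fail:
    return err;                          /* 0 unless an earlier step failed */
}

/* Fixed version: exactly one jump per check, and braces make the control
 * flow explicit so a stray line cannot hide inside an if-body. */
int verify_fixed(const steps_t *s)
{
    int err = 0;
    if ((err = s->update_random) != 0) {
        goto fail;
    }
    if ((err = s->update_params) != 0) {
        goto fail;
    }
    if ((err = s->final_check) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Constructed input: the first two steps pass, the signature check fails. */
    steps_t bad_sig = { 0, 0, -1 };
    printf("buggy verify: %d (0 means accepted)\n", verify_buggy(&bad_sig));
    printf("fixed verify: %d\n", verify_fixed(&bad_sig));
    return 0;
}
```

Build it with `-Wall`: GCC 6 and later and recent Clang report the misleading indentation, which is why a brace-always style plus warnings-as-errors turns this class of bug into a compile-time finding instead of a signature-check bypass.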
  • 11. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸CIA triad — Confidentiality, Integrity, Availability
    ▸Hacking is easier than securing against hacking
    ▸Truisms: complexity is the enemy of security, user input is evil, no absolute security
    ▸Some argue about absolute security, mentioning “formal verification”
  • 12. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸AAA
    ▸Authentication
    ▸Authorization
    ▸Accounting
  • 13. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Computers, mobile devices, networking equipment, IoT, cars, etc.
    ▸Lack of software updates
    ▸New devices that are computers, but people don’t think of them as computers
  • 14. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Motivations for hacking
    ▸Challenge
    ▸Social gain/rite of passage
    ▸“Stunt hacking”
    ▸Web defacement
    ▸Hacktivism
  • 15. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Motivations for hacking
    ▸Money
    ▸Corporate espionage
    ▸Nation state attacks for political reasons (APTs)
    ▸Outside attackers vs. insider threats
  • 16. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Security controls
    ▸Preventative
    ▸Deterrent
    ▸Detective
    ▸Corrective
    ▸Compensating
  • 17. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Malicious hacking
    ▸Penetration testing (pen testing) — non-malicious hacking for security hardening
    ▸Black box, gray box, white box
    ▸Security research (VM labs)
    ▸Attacker and victim VMs
  • 18. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸OpSec — Operational Security
    ▸Hackers can be caught because of talking too much
    ▸Loose lips sink ships, loose tweets destroy fleets
    ▸Marcus Hutchins caught because of email address
    ▸AlphaBay creator caught because of email address
  • 19. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸OpSec — Operational Security
    ▸Tor, VPNs, etc.
    ▸Lack of NDAs
    ▸Captcha, browser fingerprinting
    ▸IP leak during VPN disconnect
  • 20. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Security certifications
    ▸CEH — Certified Ethical Hacker
    ▸Security+
    ▸OSCP — Offensive Security Certified Professional
    ▸CISSP — Certified Information Systems Security Professional
  • 21. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Events
    ▸Black Hat
    ▸ShowMeCon
    ▸DEF CON
    ▸CCC
  • 22. INTRO TO HACKING EPISODE 1: GETTING STARTED
    HACKING OVERVIEW
    ▸Events
    ▸ToorCon
    ▸ShmooCon
    ▸DerbyCon
    ▸BSides
  • 23. INTRO TO HACKING EPISODE 1: GETTING STARTED
    USEFUL BACKGROUND SKILLS
    ▸Familiarity with many different OSes
    ▸Command line (bash, PowerShell)
    ▸Networking (subnets, VLANs, firewalls, SSH, ARP, Cisco, OSI, DNS, NAT, pfSense, pf, iptables, etc.)
    ▸Virtualization (VMware, VirtualBox)
  • 24. INTRO TO HACKING EPISODE 1: GETTING STARTED
    USEFUL BACKGROUND SKILLS
    ▸Active Directory
    ▸Identity and access services — LDAP, Kerberos, RADIUS, OpenID, OAuth, NTLM
    ▸Security software — IDS, IPS, SIEM, log analysis, AV, RASP, WAF, DPI, NGFW, canaries
  • 25. INTRO TO HACKING EPISODE 1: GETTING STARTED
    USEFUL BACKGROUND SKILLS
    ▸PHP, SQL, and JavaScript for web hacking
    ▸Tools and attack vectors mentioned in this video
  • 27. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
  • 28. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸1. Reconnaissance
    ▸OSINT (main focus here)
    ▸GEOINT
    ▸SIGINT
    ▸HUMINT
  • 29. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸1. Reconnaissance/OSINT
    ▸Passive vs. active
    ▸whois
    ▸Maltego
  • 30. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸1. Reconnaissance/OSINT
    ▸Information brokers*
    ▸cree.py
    ▸Trape
  • 31. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸1. Reconnaissance/OSINT
    ▸Google
    ▸Social media
    ▸Archives
  • 32. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸2. Scan and enumerate
    ▸Might socially engineer someone first
    ▸Intrusive vs. non-intrusive scanning
    ▸Credentialed vs. non-credentialed
    ▸Wireshark
  • 33. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸2. Scan and enumerate
    ▸Port scanning
    ▸nmap
    ▸masscan
    ▸zmap
  • 34. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸2. Scan and enumerate
    ▸Shodan
    ▸Nessus
    ▸DirBuster
    ▸robots.txt
  • 35. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸3. Exploit (and sometimes chain)
    ▸CVEs — Common Vulnerabilities and Exposures
    ▸Burp Suite
    ▸Metasploit
    ▸Dictionary files, lists of default passwords
  • 36. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸3. Exploit (and sometimes chain)
    ▸Vulnerability discovery — false positives, false negatives
    ▸Avoiding detection
    ▸Obfuscation (ex: minifiers), WMI hijacking, crypters
    ▸Establishing persistence
  • 37. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸4. Pivoting
    ▸Initially compromised device might not be what you really want
    ▸From workstation to domain controller
    ▸rpivot
    ▸3proxy
  • 38. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸4. Pivoting
    ▸PsExec pass-the-hash
    ▸Mimikatz
    ▸Where to pivot, and why?
    ▸Things to search for: text, wallet files, databases
    ▸Possible local admin password reuse
  • 39. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸5. Data exfiltration
    ▸“Slow and low” to avoid detection
    ▸Covert channels (such as DNS)
    ▸Steganography
    ▸Standard vs. non-standard ports
  • 40. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸5. Data exfiltration
    ▸Be aware of logs — what you’re doing is being logged!
    ▸Windows: C:\WINDOWS\system32\config
    ▸Unix: /var/log/
    ▸Bash history: $HISTFILE
    ▸Other: IDSes, application-specific logs
  • 41. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸5. Data exfiltration
    ▸Deleting logs
    ▸Linux: log rotation and deletion
    ▸Bash: rm -f $HISTFILE && unset HISTFILE
    ▸PowerShell: Clear-History
    ▸Windows: wevtutil el | Foreach-Object {wevtutil cl "$_"}
    ▸Delete caches/temp files, empty recycle bin, write random data over free space
  • 42. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸5. Data exfiltration
    ▸Where are you exfiltrating data to?
    ▸Tor
    ▸VPNs*
    ▸Bots for Tor-like relays
  • 43. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸6. Finally doing something with the data
    ▸Sell it for cryptocurrency? Make it public? Personal use?
    ▸Bug bounty or responsible disclosure?
    ▸Limitations to what you’d do if you’re non-malicious; you can still get in legal trouble even then
    ▸Documentation for security audit?
  • 44. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸6. Alternatively: not just exfiltrating private data, but modifying it, or affecting the real world
    ▸Stuxnet and power plants
    ▸Students giving themselves better grades
    ▸Making a driverless car go off a cliff
  • 45. INTRO TO HACKING EPISODE 2: GENERAL PROCESS
    GENERAL STEPS INVOLVED
    ▸6. Alternatively: not just exfiltrating private data, but modifying it, or using computers to have effects in the real world
    ▸Remotely disabling power steering and brakes (Charlie Miller)
    ▸Ukrainian power grid — SCADA/ICS
    ▸Straight up deleting things, like Shamoon
  • 47. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
  • 48. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    SOCIAL ENGINEERING
    ▸Usually less technical than security exploits
    ▸Often used in conjunction with previously mentioned steps
    ▸Attachments, links, phone calls, flash drives, accounts
    ▸Might be used to get an initial foothold in a network before proceeding with other steps
  • 49. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    SOCIAL ENGINEERING
    ▸Phishing — mass, vague
    ▸Spear phishing — more targeted
    ▸Whaling — big targets like CEOs
    ▸setoolkit
    ▸Maltego
  • 50. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    SOCIAL ENGINEERING
    ▸Information brokers/online background checks
    ▸Might not be 100% accurate, also costs money
    ▸Some are bad — inaccurate, hidden fees, subscriptions
    ▸Phone spoofing — spoofcard, spooftel
    ▸Confidence trick
  • 51. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    SOCIAL ENGINEERING
    ▸Get into character and practice before calling
    ▸Socially engineering phone carriers to give you someone else’s phone number
    ▸Email spoofing — header forging
    ▸Social engineering for quick cash or mixed with technical steps
  • 52. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    WHAT IS A VULNERABILITY?
    ▸Vulnerability — accidental security flaw in software
    ▸Usually fixed in software updates after being discovered
    ▸Many vulnerabilities go undetected for years
    ▸Shellshock — 25 years before being fixed!
  • 53. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    WHAT IS A VULNERABILITY?
    ▸The software you’re using right now probably has vulnerabilities!
  • 54. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    OTHER VULNERABILITY-RELATED TERMS
    ▸Backdoor (verb) — to intentionally put a security flaw in software
    ▸Backdoor (noun) — intentional security flaw in software
  • 55. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    OTHER VULNERABILITY-RELATED TERMS
    ▸Exploit (verb) — to make use of a security vulnerability
    ▸Exploit (noun) — something that makes use of a security flaw
    ▸IOC — Indicator Of Compromise
  • 56. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    LOW-HANGING FRUIT
    ▸Default passwords
    ▸Hard-coded passwords
    ▸Oracle Identity Manager OIMINTERNAL/space
    ▸Weak or even empty string passwords
    ▸Semi-related: Intel AMT null response hash via Tamper Data
    ▸macOS High Sierra root login with no password
  • 57. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    LOW-HANGING FRUIT
    ▸Lack of rate-limiting for login attempts
    ▸Honest recovery question answers
    ▸Outdated software on internet-facing systems
    ▸Password reuse
  • 58. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    CATEGORIES OF VULNERABILITIES
    ▸0-day — an unpatched security issue where people have “0 days” to react
    ▸Unknown except by an individual or small group of attackers
    ▸Once it is well known, it is no longer a 0-day, just a vulnerability
    ▸Misused term, just like air gap (computers not on internet)
  • 59. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    CATEGORIES OF VULNERABILITIES
    ▸CVE — Common Vulnerabilities and Exposures — well known vulnerabilities
    ▸OWASP top 10 categories
    ▸owasp.org
    ▸Non-OWASP top 10 vulnerabilities
  • 60. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    OWASP TOP 10: NOVEMBER 2017 EDITION
    ▸1. Injection
    ▸2. Broken Authentication
    ▸3. Sensitive Data Exposure
    ▸4. XML External Entities (XXE)
    ▸5. Broken Access Control
  • 61. INTRO TO HACKING EPISODE 3: SOCIAL ENGINEERING, VULNERABILITIES, AND MORE
    OWASP TOP 10: NOVEMBER 2017 EDITION
    ▸6. Security Misconfiguration
    ▸7. Cross-Site Scripting (XSS)
    ▸8. Insecure Deserialization
    ▸9. Using Components with Known Vulnerabilities
    ▸10. Insufficient Logging and Monitoring
  • 63. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
  • 64. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸Privilege escalation
    ▸Server Side Request Forgery (SSRF)
    ▸Heap and stack attacks, such as heap spraying or stack canary brute forcing
    ▸Remote code execution (RCE), arbitrary code execution
  • 65. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸Authentication bypass
    ▸Local file inclusion (LFI)
    ▸Remote file inclusion (RFI)
    ▸Unrestricted file upload
    ▸Web shells
  • 66. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸ARP spoofing
    ▸VLAN hopping/double tagging
    ▸NTP attacks
    ▸Side channel analysis
    ▸RTL-SDR
  • 67. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸IMSI catching (cell tower spoofing)
    ▸MITM attacks
    ▸Typosquatting, bitsquatting
    ▸Punycode, Unicode, and homograph attacks
    ▸Greek Ο, Latin O, and Cyrillic О
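The homograph bullet on slide 67 is something a defender can check mechanically: a single domain label that draws its letters from two different scripts (a Cyrillic о inside an otherwise Latin brand name, say) is the classic lookalike pattern, and a registrar, mail gateway or browser can flag it for review. The block below is an added example, not code from the slides: `label_scripts` and `is_mixed_script` are hypothetical names, the script test is simplified to the basic Latin, Greek and Cyrillic blocks, and the labels in `main` are constructed.

```c
/* Added example: flag domain labels that mix scripts (slide 67's homograph
 * bullet). Input is one UTF-8 label (no dots); output is a bitmask of the
 * scripts its letters belong to, and a yes/no "mixed" verdict. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum script {
    SCRIPT_NONE     = 0,   /* digits and '-' are script-neutral */
    SCRIPT_LATIN    = 1,
    SCRIPT_GREEK    = 2,
    SCRIPT_CYRILLIC = 4,
    SCRIPT_OTHER    = 8    /* anything outside the three blocks we model */
};

/* Decode one UTF-8 sequence at s (n bytes available). Stores the code point
 * in *cp and returns the bytes consumed, or 0 on malformed input. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    if (n == 0) return 0;
    unsigned char c = s[0];
    size_t len;
    if (c < 0x80)             { *cp = c; return 1; }
    else if ((c & 0xE0) == 0xC0) { len = 2; *cp = c & 0x1F; }
    else if ((c & 0xF0) == 0xE0) { len = 3; *cp = c & 0x0F; }
    else if ((c & 0xF8) == 0xF0) { len = 4; *cp = c & 0x07; }
    else return 0;
    if (n < len) return 0;
    for (size_t i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;       /* bad continuation byte */
        *cp = (*cp << 6) | (s[i] & 0x3F);
    }
    return len;
}

/* Simplified script classification (assumption: the basic blocks only). */
static int script_of(uint32_t cp)
{
    if ((cp >= 'A' && cp <= 'Z') || (cp >= 'a' && cp <= 'z')) return SCRIPT_LATIN;
    if ((cp >= '0' && cp <= '9') || cp == '-')                  return SCRIPT_NONE;
    if (cp >= 0x0370 && cp <= 0x03FF)                           return SCRIPT_GREEK;
    if (cp >= 0x0400 && cp <= 0x04FF)                           return SCRIPT_CYRILLIC;
    return SCRIPT_OTHER;
}

/* Bitmask of scripts used by the letters of a label, or -1 for bad UTF-8. */
int label_scripts(const char *label)
{
    const unsigned char *s = (const unsigned char *)label;
    size_t n = strlen(label), i = 0;
    int mask = 0;
    while (i < n) {
        uint32_t cp;
        size_t used = utf8_decode(s + i, n - i, &cp);
        if (used == 0) return -1;
        mask |= script_of(cp);
        i += used;
    }
    return mask;
}

/* 1 if the label mixes scripts (or is malformed, which is also suspicious). */
int is_mixed_script(const char *label)
{
    int mask = label_scripts(label);
    if (mask < 0) return 1;
    return (mask & (mask - 1)) != 0;   /* more than one bit set */
}

int main(void)
{
    /* Constructed labels: all-Latin, all-Cyrillic, and a Latin word with one
     * Cyrillic letter (U+0430, bytes D0 B0) swapped in. */
    const char *samples[] = { "paypal", "\xD0\xBF\xD1\x80\xD0\xB8\xD0\xBC\xD0\xB5\xD1\x80",
                              "p" "\xD0\xB0" "ypal" };
    for (size_t i = 0; i < 3; i++)
        printf("%-12s scripts=0x%x mixed=%d\n", samples[i],
               label_scripts(samples[i]), is_mixed_script(samples[i]));
    return 0;
}
```

A mixed-script verdict is a review signal, not proof of abuse: a few legitimate names do mix scripts, and a full implementation would use the Unicode script property and the confusables table instead of three hard-coded ranges, and would apply the check after Punycode decoding, since an `xn--` label hides the original code points.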
  • 68. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸Type confusion
    ▸Data execution
    ▸Serialization and deserialization
    ▸Resource exhaustion
    ▸Slowloris attack
  • 69. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸Password spraying
    ▸Traffic sniffing
    ▸Packet injection
    ▸Skimming (form of MITM)
    ▸Amplification attacks
  • 70. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸Switch CAM table overflow via MAC flooding
    ▸Matryoshka (packet-in-packet)
    ▸SYN flooding
    ▸Return-oriented programming (ROP)
  • 71. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸Host and directory enumeration
    ▸Buffer overflows, such as stack or heap overflows
    ▸Neighbor discovery cache poisoning
    ▸Lack of bounds checking
  • 72. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸Domain shadowing
    ▸Predictable resource location
    ▸Word macros (see: “maldoc”)
    ▸Update spoofing (insecure authentication method)
    ▸Example: Flame
  • 73. INTRO TO HACKING EPISODE 4: ATTACK VECTORS PART 1
    OTHER VULNERABILITIES AND ATTACKS
    ▸Hiding backdoors with port knocking
    ▸Opening closed ports in a stealthy way
  • 75. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
  • 76. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
    OTHER VULNERABILITIES AND ATTACKS
    ▸Establishing persistence with shells and reverse shells
    ▸Ingress vs. egress firewall rules
    ▸C2 (Command & Control) server
    ▸Meterpreter (reverse_tcp or reverse_https)
  • 77. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
    OTHER VULNERABILITIES AND ATTACKS
    ▸Same-origin bypass
    ▸Compiler backdoors
    ▸Ken Thompson hack
    ▸XcodeGhost
  • 78. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
    OTHER VULNERABILITIES AND ATTACKS
    ▸Checksum collisions (pigeonholing)
    ▸Data inference
    ▸Use-After-Free (UAF)
    ▸VM escape
  • 79. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2
    OTHER VULNERABILITIES AND ATTACKS
    ▸Underprotected APIs
    ▸DNS cache poisoning
    ▸Integer overflows and underflows
    ▸DNS sinkholing/domain sinkholing
  • 80. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2 OTHER VULNERABILITIES AND ATTACKS ▸DLL injection, CreateRemoteThread ▸NOP slide/sled ▸Uninitialized variables ▸Format string attack
  • 81. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2 OTHER VULNERABILITIES AND ATTACKS ▸Cookie stealing ▸HSTS browser history sniffing ▸Iterator invalidation ▸Debug features left on in production (OnePlus, Patreon)
  • 82. INTRO TO HACKING EPISODE 5: ATTACK VECTORS PART 2 OTHER VULNERABILITIES AND ATTACKS ▸Least privilege violation (need to know basis) ▸Need to read, need to write, need to execute ▸Tie-in with directory enumeration ▸PHP shell_exec() as root ▸Overly permissive regular expression
• 83. OTHER VULNERABILITIES AND ATTACKS
▸Billion laughs (XML entity expansion)
▸Bluesnarfing
▸Juice jacking — malicious chargers
▸Directory traversal
▸../../../etc/passwd or ../../../etc/shadow
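An added example for the directory traversal bullet (not code from the slides): the vulnerable pattern beside a hardened one. The document root `/srv/www` is assumed, nothing touches the real filesystem, and the request paths, including the slide's `/etc/passwd` and `/etc/shadow` payloads, are constructed. The hardened version decodes once, normalises, and then checks containment with `os.path.commonpath` rather than `startswith`.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/www"  # assumed document root for the example


def naive_resolve(root, requested):
    """The vulnerable pattern: join whatever the client sent onto the document root.
    os.path.join also discards root entirely when the client sends an absolute path."""
    return os.path.normpath(os.path.join(root, unquote(requested)))


def safe_resolve(root, requested):
    """Decode once, normalise, then refuse any result that is not inside root."""
    root = os.path.abspath(root)
    candidate = os.path.normpath(os.path.join(root, unquote(requested)))
    # commonpath, not startswith: "/srv/wwwroot/x" starts with "/srv/www" but is not inside it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths; the %2F variants are what a URL-encoded "../" looks like on the wire.
    for req in ["index.html", "../../../etc/passwd", "..%2F..%2F..%2Fetc%2Fshadow",
                "/etc/shadow", "../wwwroot/secret", "docs/../index.html"]:
        print(f"{req:32} naive={naive_resolve(WEB_ROOT, req)!s:22} safe={safe_resolve(WEB_ROOT, req)}")
```

Two caveats a practitioner should keep in mind: the check is on the normalised string only, so on a live server follow it with `os.path.realpath` (or open with `O_NOFOLLOW`) to handle symlinks under the document root, and decode exactly once, since decoding twice reopens the hole for `%252F`.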
• 84. OTHER VULNERABILITIES AND ATTACKS
▸Predictable “random” numbers
▸/dev/random vs. /dev/urandom
▸Entropy pool
▸Suppliers, consumers, starvation, blocking device
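An added example of what "predictable random numbers" means in practice (not from the slides): Python's `random` module is a Mersenne Twister (MT19937), and MT's output is its internal state passed through an invertible tempering step. Given 624 consecutive 32-bit outputs, an observer can untemper them, load the recovered state into a fresh generator, and predict every value the victim produces from then on. The victim generator and its seed are constructed for the example.

```python
import random

MASK32 = 0xFFFFFFFF


def _undo_right_xor(y, shift):
    """Invert x ^= x >> shift. Each pass fixes another `shift` bits from the top down."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xor(y, shift, mask):
    """Invert x ^= (x << shift) & mask. Each pass fixes another `shift` bits from the bottom up."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def temper(x):
    """MT19937's output transform, for self-checking the inverse."""
    x ^= x >> 11
    x ^= (x << 7) & 0x9D2C5680
    x ^= (x << 15) & 0xEFC60000
    x ^= x >> 18
    return x & MASK32


def untemper(y):
    """Recover the raw state word from one 32-bit MT19937 output."""
    y = _undo_right_xor(y, 18)
    y = _undo_left_xor(y, 15, 0xEFC60000)
    y = _undo_left_xor(y, 7, 0x9D2C5680)
    y = _undo_right_xor(y, 11)
    return y


def clone_from_outputs(outputs):
    """Build a generator in the same state as the one that produced these 624 outputs."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # Index 624 means "state exhausted": the next call twists, exactly as the victim will.
    clone.setstate((3, state + (624,), None))
    return clone


def predict_next(seed, n=5):
    """Constructed victim seeded with `seed`; returns (our predictions, what the victim produced)."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_from_outputs(observed)
    predicted = [clone.getrandbits(32) for _ in range(n)]
    actual = [victim.getrandbits(32) for _ in range(n)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = predict_next(2024)
    print("predicted:", predicted)
    print("actual:   ", actual)
```

For anything security-relevant (session IDs, tokens, nonces) use `secrets` or `os.urandom`, which read the kernel CSPRNG; on Linux that is the same pool behind `/dev/urandom`, and since kernel 5.6 `/dev/random` only blocks until that pool has been seeded once at boot.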
• 85. OTHER VULNERABILITIES AND ATTACKS
▸Rowhammer bit-flipping
▸Malvertising
▸Tech support scams
▸Attacks against distributed systems
▸Sybil attack
• 86. OTHER VULNERABILITIES AND ATTACKS
▸Brute forcing
▸IP rotating to bypass rate limiting (such as fail2ban)
▸Clickjacking
▸Form grabbing
▸Watering hole
• 87. OTHER VULNERABILITIES AND ATTACKS
▸DNS rebinding
▸Lack of code signing
▸Stolen code-signing certificates
▸Fake websites and apps — WhatsApp example
▸Replay attack
  • 89. INTRO TO HACKING EPISODE 6: ATTACK VECTORS PART 3
• 90. OTHER VULNERABILITIES AND ATTACKS
▸Reputation hijacking — social media, link shorteners
▸Improperly flushed caches
▸Double free()
▸Empty catch block and other exception handling issues
• 91. OTHER VULNERABILITIES AND ATTACKS
▸Rogue/evil twin access points, spectrum analysis
▸BGP hijacking
▸IP spoofing
▸MAC address spoofing to bypass MAC address restrictions
▸Cisco IOS: switchport port-security violation restrict
▸Not disabling accounts of former employees
• 92. OTHER VULNERABILITIES AND ATTACKS
▸BYOD and its security risks
▸Shadow IT
▸Sideloading APKs in Android
▸Encryption downgrade attacks
▸Not failing gracefully
• 93. OTHER VULNERABILITIES AND ATTACKS
▸Old passwords, or lack of password length or complexity requirements
▸Poor wireless security (WEP vs. WPA2, for example)
▸Assuming someone else is in charge of security
▸Cloud
▸Reflection attack
• 94. OTHER VULNERABILITIES AND ATTACKS
▸Cross-site request forgery
▸<img src="http://example.com/changePassword.php/?newPassword=attackerPassword">
▸Wireless jamming — Amazon Key
▸RFID and NFC skimming
▸Driver shim
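An added example (not from the slides) of the server-side fix for the `<img>` CSRF above: a synchronizer token that is an HMAC over the session id and an expiry, verified in constant time, plus a gate that refuses state changes on GET (the only method an image tag can make) and from a foreign Origin. The secret, allowed origin and session ids are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server secret; in a deployment this comes from configuration, never from source.
SECRET = b"example-only-server-secret"
ALLOWED_ORIGIN = "https://example.com"  # assumed origin of the site being protected


def make_csrf_token(session_id, now=None, ttl=3600):
    """Token bound to one session and an expiry, so a token leaked from another session is useless."""
    exp = int((time.time() if now is None else now) + ttl)
    mac = hmac.new(SECRET, f"{session_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}:{mac}"


def verify_csrf_token(token, session_id, now=None):
    """True only for an unexpired token whose MAC matches this session."""
    try:
        exp_str, mac = token.split(":", 1)
        exp = int(exp_str)
    except (AttributeError, ValueError):
        return False
    if (time.time() if now is None else now) > exp:
        return False
    expected = hmac.new(SECRET, f"{session_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def allow_state_change(method, session_id, form_token, origin, now=None):
    """Gate for handlers such as changePassword. An <img src=...> can only issue a GET,
    carries no form token, and (in modern browsers) arrives with the attacker's Origin."""
    if method.upper() != "POST":
        return False
    if origin is not None and origin != ALLOWED_ORIGIN:
        return False
    return verify_csrf_token(form_token, session_id, now)


if __name__ == "__main__":
    token = make_csrf_token("sess-A")
    print("legitimate POST:", allow_state_change("POST", "sess-A", token, ALLOWED_ORIGIN))
    print("forged GET via <img>:", allow_state_change("GET", "sess-A", None, "https://attacker.example"))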
• 95. OTHER VULNERABILITIES AND ATTACKS
▸Race conditions
▸Undocumented assets and inventory management
▸Pointer dereference
▸Default configuration or auto-negotiate/auto-configuration
▸Cleartext credentials
• 96. OTHER VULNERABILITIES AND ATTACKS
▸Login banners, banner grabbing
▸Unauthorized software – are users installing things they shouldn’t?
▸Autorun from removable media
▸Not showing full file extensions — photo.jpg.exe
▸Telecommuting
• 97. OTHER VULNERABILITIES AND ATTACKS
▸Man-in-the-browser
▸Lack of backups, ransomware
▸RAID is not backup
▸3-2-1 backup
▸Relying too much on a web application firewall
• 98. OTHER VULNERABILITIES AND ATTACKS
▸Lack of secure coding techniques
▸Copying/pasting untrusted code from Stack Overflow
▸Poor (or lack of) implementation of encryption
▸Only using client-side validation
▸3rd party dependencies such as libraries
• 99. OTHER VULNERABILITIES AND ATTACKS
▸Lack of account monitoring — what behavior is typical for a given user?
▸Lack of disaster recovery and incident response
▸Lack of change management
  • 100. ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
  • 101. INTRO TO HACKING EPISODE 7: ATTACKS REQUIRING PHYSICAL ACCESS AND MORE
• 102. ATTACKS REQUIRING PHYSICAL ACCESS
▸Physical access – if someone has physical access, it’s not secure
▸Physical security – locks, cameras, lights, and more
▸Shoulder surfing
• 103. ATTACKS REQUIRING PHYSICAL ACCESS
▸Dumpster diving
▸Wireless mice and keyboards
▸Rogue devices – did someone pretend to be from a shipping company, delivering a package, then enter the building and set up a small computer somewhere (such as a Raspberry Pi)?
• 104. ATTACKS REQUIRING PHYSICAL ACCESS
▸Password resets
▸Cisco IOS: rommon 1> confreg 0x2142
▸Windows: NTPass
▸BIOS: CMOS jumpers or batteries
▸Consumer router “30-30-30” NVRAM reset
▸Stealing files from unencrypted drives
▸Lock screen bypass
• 105. ATTACKS REQUIRING PHYSICAL ACCESS
▸USB Killer
▸BadUSB
▸Keyboard emulators
▸PoisonTap
▸Splitters
▸Thunderstrike
• 106. LARGE-SCALE DATA BREACHES
▸Equifax
▸Yahoo
▸OPM
▸MySpace
▸Adobe
• 107. LARGE-SCALE DATA BREACHES
▸Dow Jones
▸JP Morgan
▸IRS
▸Experian
▸eBay
• 108. LARGE-SCALE DATA BREACHES
▸Uber
▸NSA — pirated MS Office, Snowden and flash drives
▸CIA
▸Deloitte
▸Anthem
• 109. LARGE-SCALE DATA BREACHES
▸Securities and Exchange Commission
▸Instagram
▸Google — Operation Aurora (nation state attack)
▸Mt. Gox
• 110. FAMOUS SECURITY FLAWS
▸MS08-067
▸Shellshock
▸Heartbleed
▸BlueBorne
▸POODLE
• 111. FAMOUS SECURITY FLAWS
▸KRACK
▸BadTunnel
▸Stagefright
▸Most vulnerabilities only have CVE numbers, not names and logos
▸CVE-2017-7494
• 112. WEIRD/OBSCURE STUFF
▸Proof-of-Concept (PoC) vs. real world
▸Not all vulnerabilities are exploited
▸“In the wild”
▸Theoretical vs. actual
• 113. WEIRD/OBSCURE STUFF
▸More important to patch when actively exploited, but everything should still be patched anyway
▸Jellyfish GPU rootkit
▸Hard drive rootkits (not just MBR rootkits)
▸LED blinking for data exfiltration
• 114. WEIRD/OBSCURE STUFF
▸Hard drive noise data exfiltration
▸“Fansmitter” — data exfiltration via fan acoustics
▸Van Eck phreaking
▸“Gargoyle” memory scanning evasion
• 115. THREAT MODELS
▸Nation state vs. petty criminal
▸Non-APTs take the path of least resistance
▸APT: Advanced Persistent Threat
▸People might not target your devices for who you are, but for the possibility to make money, or the fact that your devices are running certain insecure versions of software
• 116. THREAT MODELS
▸Brian Krebs’ article: “The Scrap Value of a Hacked PC”
▸Some random person vs. whistleblowers such as Edward Snowden
▸Not the same security requirements
• 117. TOOLS (SOFTWARE)
▸Many tools for doing the things listed so far
▸“Skid”
▸Don’t bother reinventing the wheel, but don’t be too reliant on tools either
▸Learn security concepts, not just how to run a tool
▸Malware/RE tools will be covered in later videos
  • 119. INTRO TO HACKING EPISODE 8: TOOLS PART 1
• 120. TOOLS (SOFTWARE)
▸Unusual:
▸Equation Group x0rz dump
▸NSA Shadow Brokers
▸Edward Snowden’s NSA leaks
▸Wikileaks (ex: Vault 7)
▸HackingTeam
• 121. TOOLS (SOFTWARE)
▸Offensive security tools can make you less secure!
▸Download tools from official sources unless you want malware
▸Better to use LiveCDs or isolated VMs rather than installing things in your “daily driver” OS
▸Windows, macOS, Qubes OS (Xen-based)
▸Read documentation before doing anything
• 122. TOOLS (SOFTWARE)
▸Metasploit
▸Kali Linux (or GNU/Linux) — extremely important for labs
▸Use in conjunction with intentionally-vulnerable VMs for learning OWASP top 10
▸Change the root password as soon as you boot it up (for LiveCD)
▸Shodan
• 123. TOOLS (SOFTWARE)
▸Anonymity
▸Tor, i2p, VPNs, hacked sites, botnets, shady hosting
▸Web shells
▸WSO, c99, and more
▸GitHarvester
• 124. TOOLS (SOFTWARE)
▸Mimikatz
▸Google dorking
▸inurl, intext, filetype, site, -exclusion, “exact”, OR, AND, *
▸“index of”
▸msfvenom
▸Burp Suite
• 125. TOOLS (SOFTWARE)
▸OWASP ZAP
▸BFF — Basic Fuzzing Framework
▸Firesheep
▸Wireshark
▸FOCA
• 126. TOOLS (SOFTWARE)
▸Aircrack-ng
▸John the Ripper
▸THC Hydra
▸w3af
▸Scapy
• 127. TOOLS (SOFTWARE)
▸Spectrum analyzers such as Wi-Spy/Chanalyzer
▸BlueScanner
▸Cain and Abel
▸Various GitHub scripts
▸Might have narrower use-cases than other tools
• 128. TOOLS (SOFTWARE)
▸nmap, zenmap
▸tcpdump
▸man, apropos, whatis, whereis, which, find, --help
▸netcat (nc)
▸hashcat
▸Cobalt Strike
• 129. TOOLS (SOFTWARE)
▸Kismet
▸Reaver
▸BloodHound
▸sqlmap
• 130. TOOLS (SOFTWARE)
▸sqlninja
▸Acunetix
▸Nessus
▸UPX
• 131. TOOLS (SOFTWARE)
▸Netsparker
▸BinDiff
▸sslstrip
▸Veil Framework
• 132. TOOLS (SOFTWARE)
▸Responder
▸DirBuster
▸L0phtCrack
▸Ettercap
▸Sniffly2
• 133. TOOLS (SOFTWARE)
▸Hopper
▸Fiddler
▸PowerShell Empire and other post-exploitation frameworks
▸dnscat
  • 135. INTRO TO HACKING EPISODE 9: TOOLS PART 2, SUMMARY, AND MORE
• 136. TOOLS (SOFTWARE)
▸BeEF — Browser Exploitation Framework
▸Tools for home VM labs
▸Metasploitable
▸WebGoat
▸Mutillidae
• 137. TOOLS (SOFTWARE)
▸DBAN and data destruction
▸AccessData FTK
▸SSL Labs
▸Maltrieve
▸Sparkfun Skimmer Scanner
• 138. TOOLS (SOFTWARE)
▸Honeypots such as Kippo
▸VirusTotal — not just for malware checking, but also for seeing PII people uploaded because they don’t understand VT’s privacy policy
▸VBoxHardenedLoader by hfiref0x
▸exiftool
• 139. TOOLS (SOFTWARE)
▸Nexpose
▸Recuva
▸American Fuzzy Lop (AFL)
▸TempestSDR (reconstructs a monitor’s image from its RF emissions)
▸See what’s on your roommate’s or neighbor’s screen, even through walls
• 140. TOOLS (HARDWARE)
▸Hak5 WiFi Pineapple and other Hak5 products
▸RTL-SDR or other RF gear for side channel attacks
▸Keyboard emulators
▸Hardware keyloggers
▸Bump keys
• 141. TOOLS (HARDWARE)
▸Pump wedge
▸Bluetooth credit card skimmers
▸PoisonTap — runs on Raspberry Pi Zero
▸USB Killer
▸BLEKey
• 142. COMMON VULNERABILITIES AND EXPOSURES
▸CVSS score/criticality — not all CVEs are equally bad
▸CVE identifiers/numbers (example: CVE-2008-4250, the MS08-067 bug)
▸CVE databases
▸MITRE
▸CVE Details
• 143. COMMON VULNERABILITIES AND EXPOSURES
▸Exploit-DB
▸Not all vulnerabilities get CVEs
▸nginx vs. your company’s website
▸Names and logos
▸Things to consider
• 144. BUG BOUNTIES AND SECURITY BROKERS
▸Bug Bounty Program (BBP)
▸Vulnerability Disclosure Program (VDP)
▸Site/company-specific bug bounty programs
▸HackerOne
▸Zero Day Initiative
• 145. BUG BOUNTIES AND SECURITY BROKERS
▸Zerodium
▸1337day
▸Dark web
▸Beware of scams
▸Google Project Zero
• 146. SUMMARY
▸Malicious hacking is illegal, do security labs on your devices and networks only
▸Things are hackable, don’t ignore security
▸Process: recon, scan/enum, exploit, pivot, exfil
▸Social engineering
• 147. SUMMARY
▸Many different methods of hacking
▸Many different tools
▸Don’t only learn tools
▸Security is constantly changing
• 148. SUMMARY
▸Starting out:
▸Burp Suite and WebGoat — link to guide in description
▸Virtualbox, Kali VM, nmap, Metasploit, Metasploitable VM, Mutillidae, OWASP top 10
• 149. SUMMARY
▸Learn more on your own — this is just the start!
▸Learn through experience
▸A musician doesn’t learn to play every instrument
▸Security people don’t learn every tool or attack
• 150. FUTURE VIDEOS?
▸Malware
▸Reverse engineering
▸How to stay secure
▸Resources and recommended reading