Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing

The Cyber Mentor · Beginner ·🔐 Cybersecurity ·7y ago

Key Takeaways

The video covers exploitation methods, shell and payload types, and credential stuffing in the context of penetration testing, utilizing tools such as Metasploit, netcat, and Breached Parse to demonstrate various techniques.

Full Transcript

yeah I don't know what pops up during the stream for that J Delta no cats on the mug sorry it's my ugly mug on the mug on the ugly mug think about it how's it going along meet hey Zack in the box hey Jake hey Scott hey keV hey loopback you got it once out of me I don't know if you're gonna get it twice once it's pretty good hey J Delta hey gray hey reckless long time no see a cool dad long time no see you as well I look amazing thank you it's best compliment a son could give me just just letting you know any chance I could put some cats in the mug maybe I might even let you design the mug we'll get to the Carolina con here in a minute we'll talk about the it's actually part of tonight's lesson so it was a good build-up I didn't plan on that but it uh it worked out well so we'll talk about that I'll get you the link for breech parse MTX it's not a May time yet buddy I know you're ready though you probably got a hundred questions written down what's up ion what's up super crunchy all right we're gonna go ahead and get started nice mustache Thanks it's about all I can grow alright my people we are in week seven week seven so congratulations if you've been following along this far you've made it farther than most so what are we gonna be doing tonight we are gonna be doing some quick housekeeping no more than five minutes we're gonna be doing some shell and payload types we're gonna be talking about exploitation we're gonna talk about what the what's to do when there is no exploitation there's nothing to exploit what can we do and then finally we're gonna end with Q&A and AMA so let's go ahead and go right into the housekeeping so first and foremost humble brags you may have saw some stuff around my neck you got to stay humble guys this is just me staying humble so badge number one attendance badge it's actually my wife badge number two speaker badge this is all for Carolina con badge number three the black badge won the Wireless CTF what's up attendance for life I'm over here like Flavor Flav thank you guys again you have to stay humble you have to stay humble but you guys go to cons come back carolina con was awesome I got to meet some you guys gray was on my team gray one as well so I mean it was fun meeting me some of you guys awesome giving a talk awesome playing the CTF so really cool and rum ham was there too so it was really cool guys other than that you guys have asked for a magical magical mug I have put my ugly mug on an ugly mug if I ever give out any more merch than this please shoot me because I've sold out this is your heat Sur mug it's when it gets hot it shows my face you wanted it this is what it is no more merch after this guys this is pretty much it so if you want it there's a link down below other than that please leave me alone about the merch this is as far as it goes I did order one we have had some orders and yeah J Delta bought one I think it's funny the prices are insane please don't blame me for that either alright keys to the castle so after tonight we have been through everything you need to exploit a machine on an external network with that being said I haven't given you every single tool or tactic that you have out there but I've given you the methodology the lesson plan everything that you would need to do the exploit now it's gonna be up to you to put in the work on the enumeration to put in the work doing research to finding the right tools and figuring out if things are exploitable all we're doing tonight is covering some exploits we're covering some some of the basics but I would have full confidence in you guys now going out and practicing some capture the flag capture or Pat practicing some basic level hack the box practicing some ball and hubs just on the easy side where we haven't gotten to the the escalation side yet but you can imagine as of now you're getting the roots that are just insta wins and that's good you have the keys to the castle you are really far ahead now than where you were seven weeks ago that's awesome from here what's to come a lot of you have been asking about privilege escalation and I'm indifferent on privilege escalation so I can sit there and I can teach you some things and I will show you some concepts right I'm not going to show you the traditional I'll give you links I'll send it out but I'm not going to show you the traditional capture the flag type that's just not realistic so what we're going to be doing from here is we're going to be building out an Active Directory lab I'm going to be sending out a link to a Windows Server 2016 trial we're gonna have like a Windows 7 machine and we'll have our victim that'll be our victim machine then we'll have our our Kali machine we'll be running a three system setup and we're going to start exploiting ad as if we were from the internal side so with that being said what we're gonna do is we're going to set up vulnerabilities we're going to exploit them and then we're actually going to cover some of the blue side and and patch it as well just to make sure that we know what's going on and how we can how we can take this information and and talk to a blue team err you're at right so you might say hey I found this and here's the solution and you actually know in the back of your mind how to patch that solution so really good stuff you're not going to see the traditional Prebys because traditional profess is just not realistic traditional profess to me is talking ad environments we'll talk about what things to look for important files in enumeration yes but in terms of you know what you see on some of the crazier hack the box or what you've heard about like the osep most of that's just not realistic it's cool but it's not realistic hello to all the new people that have come in I've seen quite a few come in alright so let's talk about some shells we're gonna be doing two shell types really most commonly there's a reverse shell which is by far the most common and we're gonna demonstrate this with netcat here in a second if you'd never use netcat before it is just basically a port listener or a port connector depending on what you make it do and basically what you're doing if you see this wonderful diagram that I stole here from hacking tutorials you can see that we have a attack box and this is the most common set up again say attacker IP is the 1.1 now all they're doing is they're setting up a listener on port 4 4 4 4 with netcat which is NC by default on Kali Linux and the target machine is showing the netcat syntax and that's fine that's how we can actually connect but all you have to do is think about some sort of exploit which we're gonna learn about or some sort of shell code like you learned about last Monday when Rosanna Murray's tea exploit development that shellcode that you saw that'll tell the the machine when it's exploited - hey connect back to this port to this IP address and we're just sitting there listening so that's kind of what a reverse shell is now there's also something called a bind shell right so a bind shell is pretty much the opposite and my PowerPoint presentation just died that is awesome one second okay buying shell so the buying shell is the opposite we had a victim connect to the attacker in a sense of a vine show we open up a malicious port on the target machine and then we connect to it directly so it's a little bit different and there are cases where you need one or the other typically a reverse shell is fine but imagine that you are on a network say external pentesting and you need somebody to connect to you over the internet it would almost be easier if you could do a bind shell and connect to them because to get them to connect back to you you have to open up a port on your router do a port forward and send it to your attacking machine now if you do a bind shell you pretty much just connect to them directly not saying that you couldn't but I couldn't do the reverse shell but the by shell sometimes easier also sometimes reverse shell just doesn't work so we'll have to try a buying shell so tonight you're gonna see an instance of where shell doesn't work and that actually is going to bring us into the talks of stage vs. non staged payloads so we have two types of payloads you're gonna see and one is non staged so basically that's gonna send exploit shellcode all at once there's no staging to it it's a little bit larger in size and it doesn't always work because of that large size can't always get the payload across now if you see and we're going to take a look at this later you'll see it more in depth but if you look at the example over here you see where it says windows it has the slash and then it says meterpreter underscore reverse underscore tcp this is a reverse shell in meterpreter a reverse TCP shell if we look at staged stage sends the payload in stages so it's opposite right but it can be less stable because it's sending things over in stages if we look at a staged payload it looks a little bit different where there was an underscore over here now there is a forward slash so windows forward slash meterpreter forward slash reverse underscore tcp so a little bit different there now before we get into tonight's lesson I am going to show you a brief example of our our bind shell so I'll show you how to use netcat and we'll do a quick bind shell you might not be able to do this you might just have to follow along so let's play let's play victim and let's play attacker so on this let's play this machine being the victim let me open a new window here and the victim in a bind shell has been exploited and let's just say that the shell code opened up a port on 4 4 4 5 and when it it's a it's a Linux machine so it opened up a bash terminal or it's gonna open up a bash terminal when somebody connects to it now I've got my fancy other stuff over here right my real pen test machine let's open this one up and let's just say okay I'm the attacker I'm making a bind connection all I need to do is reach out to that machine which I think's on 1/29 we'll see and try to connect over 4 or 4 4 5 nothing's happening visually but let's take a look over here okay so we did get a connection here and you see we connected to 129 from 128 it opened up this port and let's see here let's say if we say Who am I there's actually a shell here present working directory we're in route hostname it's Cali so this was an example of a buying connection now what you need to pay attention to is the syntax if you're connecting all we need is netcat the IP address and the port we want to connect to if you're listening let's go back to my other machine and this is typical listening it's just netcat tak LVP and then the port you want to listen on so I use four four four five you see a lot of times like Metasploit it's four four four four if you start getting trickier you might use four for three or eighty to try to bypass filtering because by a lot of a V's block port four four four four or the firewall will block it so starting to become well-known on that end you will see this a lot when it comes to running exploits when it comes to doing capture-the-flag you don't see it as much in the pentesting realm unless you have to have it called back to you nothing I don't use it but you don't see it as much you're gonna see it way more when you're when you're dealing with like capture the flag stuff and hack the box or osep but very very important to know how to spin up a quick listener alright so today is going to be a continuation of last week let me go ahead and close this out and last week we had our scanning lesson so we did a little bit a map we do a little bit of necess we talked about nikto we talked about some other tools right and what we found was there were some likely vulnerabilities one of them was this Apache mod SSL open SSL this this line kept coming up over and over and over again right you see it down here the local buffer overflow attack you see a denial service so that one just kept coming up and we saw it when we googled it that it was coming up we searched fellated it kept coming up the other one was a SMB type exploit so today we're going to use Metasploit to exploit one of those and then we're going to use we're going to do some downloading and compiling off the web to perform another exploit so you're gonna get to see how Metasploit works and you're gonna get to see how it works for just downloading and compiling something like off of exploit DB or off of github so what we're not gonna do today is we're not going to be working with any type of advanced shells we're gonna talk a little bit about payloads when we get into it again because one of our payloads is not going to work but what we're going to save is we're gonna save everything for when we get into the ad portion that's going to be the the meat of this course so right now we're all methodology a little bit of exploitation and then we're gonna get into that exploitation next week that post exploitation we're gonna get into more advanced shells and we're gonna keep growing as we have been the past few weeks so let's start with one of these let's go ahead and just start with the more difficult we'll save will save the Metasploit one for last so we've found this Apache one point three point two zero now the first thing I would do as a pen tester and if I'm seeing all these things come up I would go out to Google and I would say hey Google what's Apache 1.3 0.2 0.2 some of these things but I would look through it again so this one and we talked about this one last week this open [ __ ] so it's Apache mod SSL and the mod SSL has to be less than two point eight point seven we match that with two point eight point four and if we scroll in here sometimes they give you instructions okay they tell you how to compile it and they don't tell you much about it sometimes they'll give you a little bit more info so we would want to do some research on this to make sure this is exactly what we're gonna be exploiting but if you come into here and you actually look a little closer if we just do a page find one point three point two zero it looks like there's 12 matches so it looks like the one point three point two zero of Apaches vulnerable and we also know we're on Red Hat so if we look at Red Hat you could see that it's got two different versions of Red Hat seven point two that it's running depending on the return address is what it looks like and will either run number one or number two for that and try to exploit it so somebody's already going ahead of me Jeff this exploit doesn't really work that well so what we're gonna do instead is we're going to use open luck instead of open [ __ ] because we like to have better grammar here if you scroll down just for you see this helps in Wernick or Vernick open luck I've got it opened right here and we're gonna use this so go ahead and just copy this and I've got a folder just named Keo that I've made and I've compiled this but we're going to act like I haven't in fact I will make a new folder we'll just call it Keo too and we're just going to get clone this right kiyo is short for key optics okay so we clone the open lock yes I do have my osep we we clone the open look right and what we're gonna do is we're gonna follow the instructions on the page so it says we got to clone it we got to install this Lib SSL dev go ahead and copy this I've already got it but we can try again you can see mines up to date I will I'll sit here and wait for you guys just for a second just so you guys can get this installed just in case you are following along it might take a minute a brute 5:05 are you from New Mexico is that where the 505 comes from while I give the the class 30 seconds here oh well nevermind that alright so once you have the Lib SSL installed we're going to compile so we're gonna use a compiler called GCC we're gonna grab the file we want to compile I guess I should LS and show you what's in this folder right so let's CD to open luck LS okay so there's open [ __ ] dot C and there's the readme so what we're gonna do is we're going to say GCC I'm gonna say open [ __ ] we're gonna do an attack of O and we're just going to name it whatever we want I'm just gonna name it open to be easy and then there was one more thing we had one more instruction was the - L crypto so we gotta type that in as well okay so if we LS you can see that in green mean we have executable permissions on open is there so we'll just do the forward slash open and it gives us all of the readings here so the syntax we're gonna do dot forward slash open we're gonna say target box the port and dash C so we don't have to declare the port but we should declare because we're not gonna have to run it over as a cell that's fine we don't know what C is it says open end connections use range forty to fifty okay so we'll just use 40 the box is going to be the IP address and then the target is going to be whatever offset this is in here so remember we were on 7.2 of RedHat and it was Apache one point three point two zero so what we have here is we have two options we've got one or two I'm gonna cheat just a little bit and tell you that it's this guy the six B so if we try six a it won't work then we would just move on to six B I'm just gonna save us a step and save us some time so to run the exploit dot forward slash open we're gonna say zero x6b we're gonna use the IP address of the machine we're attacking for key optics and we're gonna do the - see you 40 I'm gonna let that run see if this gave us a shell back it sure did okay and we are root on cap tricks level one so we have just exploited this machine now from here there's there's a numeration that I would do right off the bat and I don't want to go into post exploitation because that's really gonna be saved for next week but we should talk about at least a little bit about it right so there are some things here that we can do me personally the first few things I like to look at our networking commands and you say ARF - a Arps not found okay we say route route not found so sudo - shell we might not have a great shell here sudo worked so Souter - L tells us who can run the sudo command while we're route right now so we're gonna run all the commands but if you're doing capture the flag type events this is really good information to know you might have some sort of tool or command that you can run a sudo that you wouldn't expect so we could upgrade this to bash I'm not getting into all that and then so you would want to also see you know what present working directory puts you in - okay threw you into temp can you move around can you navigate another one I'd look at would be net stat as a networking command again we're going to talk about all this when we move into Windows it'll be easier to give you the visual now the crown jewels are the Etsy password we could just cat that and the Etsy shadow right so you say Etsy shadow ok so there's some users on here we've got route we've got routes hash we've got John and Harold as well we've got their hashes so we would take this we would extract the we track this information we would also extract the etsy password file and we would combine those we do something called unshadowed which basically combines both the files and would allow us to least go into hash cat or John or whatever and try to crack those I've got a video on cracking that we will cover this again at a later time but if you want to cover it sooner or later you don't know about this topic you can go watch the video I have my youtube on cracking hash cat or Linux hashes with hash cat so it's pretty straightforward but this is one of the most important things to dump now when we're using the ARP and we're using route and netstat basically all I'm doing is looking for other network connections it's possible that this is a dual home computer it's running to nix one of the Nix is on one network one of the Nix is on another network and you're able to talk to a whole new subnet of networks so it's important to look at where your routing table lies what connections you have with netstat and arp and yeah so anyway I'm not going to spend too much time on that I do want to go into medicine show you some things with payloads and then we'll go from there so let's just go into a new new tab here will just say MSF console all right so let's repeat a step from last week so what we did was we found the SMB and let's try that again it's gonna type search SMB it's gonna bring back a lot of stuff remember we're looking for SMB version and we could just type it in that might actually make it easier okay so let's just copy this remember again there's the different types there's the auxilary exploit post exploit so we've been doing auxilary this entire time now we're gonna start going into exploitation in terms of modules so first we'll use this we'll paste it and what I like to do I like to come in here and I just like to type info gives you a little bit about it tells you the basic options you know it's just an SMB version detection it's more important when it comes to exploits to know exactly what you're running and sometimes they give you a little bit more information on the module itself so we need our host also I could just get the basics again from just typing options and not have all that information so our host that's the remote host that's what we're going to try to exploit or talk to at least so for me we're gonna set the our host one 92168 to 0 to 130 and we don't have an SMB pass or SMB user that we need because remember from last time this was just giving up information on a default login we run it we see that there is a Samba 2.2.1 a type here for SMB right so we're gonna go and go to Firefox again we're gonna say Google and we'll just paste that say exploit and we did have a version in here I believe well we already know right we know it's Red Hat I'm wondering if the version came out in the SMB sometimes it does just Linux 2.4 you don't see you let's see no nothing came out there okay but we do know it's we know it's Red Hat so there's a couple different ones in here and you see the name of it is actually under this trans to open so we can do is we can come and we can say just search that trans to open if I put the two in there that would help okay and the reason we're seeing so many different ones in this Google search page is because likely let's see what they've got likely these are custom written exploits from exploit evie and they also have some you see the rapid7 that ties into met its plight so they've got Metasploit module information so you're gonna see quite a few and also on top of that there's one two three four separate modules for the different types of operating system so we know we are running linux so i'm just going to go ahead and copy this we're gonna say use paste options and again we're gonna set the our hose also again good to read info before we fire off so this exploits the buffer overflow found in samba versions two point two zero two two point two eight this particular module is capable of exploiting the flaw and x86 Linux systems do not have the know exact stack options set so we are meeting these conditions in terms of in terms of version x86 and it's talking about Red Hat older versions we've confirmed we're on seven point two so I don't know in terms of older what that means but I would be comfortable enough trying to fire this so if we say run or you could type exploit because it feels cool alright control see that you should be having the same issue so what's happening is you're getting a session open that means you were actually talking to the computer you're exploiting it something is working in your favor and then the session dies immediately which means something's also not working in your favor my antennas go off right away to something to do with the payload here and when I mentioned earlier that that was going to be payload related well here's where it comes up so if we go into here and we type in options again now you can see something that was not here before it gives us the payload options it says okay will you cancel that so maybe something is wrong and what we can do is we say okay I'm running Linux x86 meterpreter reverse TCP we can try to change this into a bind TCP and there's so many payloads like we could say set payload and we come in here we say Linux and we know it's x86 because that's what's available for this we double tab okay so there's a bunch of stuff in here now you saw we were using meterpreter reverse TCP there is a shell bind or there is a meterpreter bind TCP right but we can try to do this if we're dead set on getting a meterpreter shell but but when we we try this it's not gonna work I'm just saving us a little bit of time here so this one won't work we can come through here as well and we can look at some of the non staged payloads remember do you see the difference here again when oh this is coming up you see the forward slashes we're talking staged you see no forward slashes after the shell here you're seeing a non staged payload so because our staged payloads are not working we're gonna try a non staged payload and payload instead so we can try a Linux one and see if it works so we'll just say shell reverse TCP options okay sometimes they're coming to options because what happens is when you set a new payload it actually erases everything that's set under the payload before so it just tells us the command it's gonna run the alehouse l port it all looks fine sometimes the braces though type in run let's see if this works I honestly haven't tried it with this one this one works so I'll show you the one that I've tried it with before after this okay so you could say Who am I and we can say hostname so again we're route and again we've exploited so this is pretty cool we got a shell here there are some cool things that we can do with more advanced shells meterpreter shells which we're gonna get into you know next week possibly the week after the how long it takes us to do the build you talking about my CTF skills hold on we got a guy in here talking trash did you not see my humble rags guys what is this what is this is black badge from winning the the CTF buddy oh yeah and all my other swag look at this look at this don't tell me to go play some CTF I play cts that's it humble guys you got to stay humble you got to stay humble please all right so anyway so we've got this command shell pretty much the same thing as before so you've exploited this machine two ways now we've got one hell of a report to write if we're writing a real report right we've talked about all the other vulnerabilities that we had before let me see if I can pull up some of them we don't even I didn't even capture all them because I got tired of just writing it down and let's see if I have a optics and I pull this over maybe so remember we were going through these one-by-one we found there was a default web page there was some header disclosure there was 404 disclosure week ciphers so we got a lot of flaws here if we're gonna be writing this report on top of of course the critical vulnerabilities that we've already found and would have to report as well but if you're finding these vulnerabilities on an assessment you should be alerting immediately should be an immediate stop and alert to whoever the IT manager or project manager is in charge of in charge of things right for who you're you're doing a pen test for so first exploit I would have called immediately and said hey I just exploit your machine what do you want me to do sometimes they say great go back try again find all the paths you can given the time frame so that is it for the exploitation I need a quick drink all right we're gonna do one more exploit we're gonna do one I'm gonna do one buta root kind of so let's close out of this jump here and we're gonna do one together I'm gonna do something from hack the box and what we're gonna be doing is I don't remember the name of the machine I'm gonna see if I can fault the name of machine we're gonna be doing lame lame is one of the easier machines so I'm gonna get connected if you've got a VIP membership you can follow along if you don't that's okay you can just kind of watch and soak it in so I'm gonna CD to my downloads folder do my OpenVPN get connected and stuff okay so first things first we're gonna end map this bad boy and it is gonna be sitting at 10.10 dot dot let that run all double check that real quick while it's running seems down feels bad it could be wrong should be right well that's it feels bad it's not responding so let me go check it real quick until then you get to see my pretty face and you can do some AMA right now if you'd like to ask me some questions while we're waiting I could be very unlucky and we could just be in the middle of a reset at the moment as well because it shows that it's up am i from new mexico originally no have I lived in New Mexico yes okay so it is up I'm just gonna hit reset real quick on it tell us more about the black magic out of here you got to stay humble rum ham you got to stay humble any new trainings I'm working on I've got to finish the ealer and security web penetration testing Xtreme by May 15th and I'm like three chapters in so I don't know if I'm gonna finish that one in time I may need an extension spreading fake news as AB animal offense gray okay there's the ping let's end map that ama stands for asking me anything all right so we're gonna let this run just for a minute should be quick I don't think there's a lot of ports open on this one how much time do I spend on CTF environments not as much as I like anymore when I get practice time nowadays I'm practicing on like syn/ack and doing real-world environments just so you know better my skills because it's more realistic and you can get paid you know so I'd rather rather do that and try to earn some money and you know better where I can as opposed to doing the the CTF stuff the CTF we won was Wireless so I actually like wireless quite a bit what games do I play I do like overwatch we have played hack net does not mean I enjoyed that game humble people do not have time for CTS I'm a done hack the box offshore I have not that is on my to-do list so I've got the penetration testing extreme already purchased for elearn security I plan on doing that together with offshore to kind of piece them in and get some real like advanced Active Directory training in so oh there is no carry gray stay humble how do I log my trainings what do you mean how do I log them on a resume we're getting there oh yeah I take notes I showed my keep notes in the beginning let me see if I can pull one up we make very sure that I don't disclose anything here like like my OS CP I went through every single chapter did a sub chapter in a sub sub chapter all the way through and then all the exercises and then all the machines down below which I won't scroll down to but you can see about how far I am down this the more detailed notes the better you are this this is keep notes some people like cherry tree I like keep note because keep note is more color friendly to my eyes I like a white background I don't do the dark background I know some people like the dark backgrounds this is dragging now how would I organize my notes on offshore raw slabs just the way you saw it pretty much exactly the same way you saw it so cynic is a private bug bounty program let me see if I can bring up let's get my ugly mug off of the page cynic like how bugcrowd comes up first that's funny so this is cynic basically it is there's the Red Team you apply for the red team and you send a resume if they like your resume you have to do a written assessment a practical assessment an interview etc and a background check and then you get in so it takes a little bit but there's it's less crowded so I think it's easier to to earn money anyway you have to do one for every type of assessment they have so if you want to work on web apps you have to do web apps if you want to work on hosts assessments like network you have to do a hosts assessment so there's mobile there's hardware there's a bunch of them I only have host and web app done so there's quite a few that I could still still attempt and try to do what questions that is how does one get invited you apply and try to make it pretty much sorry that I'm slower MTX I won't answer any more of your questions tonight buddy I'll just ignore them all right we'll get back to the AMA and a little bit so let's look at this because we are still not in AMA territory we are only 847 my people all right so there are a few things here we see FTP is open we see SSH is open and we've got SMB 139 four four five perfect we've got three six three two which is interesting so if we're enumerate ingush een and we're probably gonna take this till nine o'clock so I won't enumerate everything the first thing I would probably look at is what's running on the FTP server it says anonymous FTP is allowed so what type of information can be downloaded from there just by looking at this obviously we want to look at the version right we want to see okay is this 2.3.4 of via vs FTP D vulnerable SSH so SSH we can try to prod remember we talked last time when SSH is open and this is on like a pen test not necessarily just a capture the flag when when SSH is open we're gonna try to do a brute force attack during a pen test to see if the sim catches us and if they have weak controls Thank you very I know that I appreciate that so for 139 four four five what we're doing is we're looking at these and we're saying okay can we connect to to 139 four four five and see what the version is well we don't need the version we got it right here already can we connect to it anonymously what kind of information can we get out of the folders etc and this three six three two I've actually never seen before doing this machine so okay so when we roll through here we can take a look at FTP if we want so let's just open up a new tab real quick and I'll take my space off the screen so I'll do a new tab and we'll just say FTP okay so it says anonymous logins available so we would say anonymous anonymous ok successful pretty much commands I said LS here comes the directory listing okay doesn't leave anything there so we can put things in here if we wanted to just put available let's see yeah we could put stuff however well puts right up here however we'd have to have a way to access this so if we're doing like a capture the flag and this is for some reason say like a web server like somehow the FTP lives where the the web server is and you could put something in there like a reverse shell maybe that's interesting or they put some kind of file in there for you to upload interesting or download interesting but sorry trying to read the chat and do both you guys are crazy how often are versions reported accurate via in that pretty often accurate but anyway so without a way to target this right now you know unless I can get a user to open up an FTP you know it's still bad that I can anonymous log and this is definitely a finding on an assessment but unless I can social engineer user to open up some malware that I put in it may not be worth my time at the moment unless I can find a different way to execute that malware so we can check out this version two point three point four and see if there's an exploit for it okay so it's got an exploit for backdoor command execution we'd go in and we'd read that looks like a rapid seven meaning the Metasploit module module exploits malicious backdoor that was added to the download archive so if there was if this is patched it's not gonna work and I can tell you right now that it's patched however would I be trying this the textbook yes I would this is probably with one of the first things that I would try but for the the sake of saving time here because we still have another lesson to get into I'm gonna go ahead and just tell you this one's not it so with that out of the way SSH I usually don't touch until near the end I would Google this open SSH and see if I could find anything but I would also look at this SM BD 3.0 point to 0 we can copy that search it and say exploit I'll just take that off Debbie and that's it exploit rapid sevens got another one called a username map script if you guys spoil any game of thrones or end game for anybody else you get the banhammer that is just a rule that falls under rule number one of don't be a dick also rule number two might just turn into stay humble just so you guys know this module exploits a command execution vulnerability in Sim version 3.0 point to zero through three point 0.25 rc3 when using the non default user name and map script configuration option but specifying a user name containing shell metacharacters attackers can execute arbitrary commands no authentication is needed to exploit this vulnerability since the option is used to map user names prior to authentication this is an unauthenticated RCE remote code execution so we're going to try that one again this was a user name map script so we're going to come into Metasploit well let's open up a new Metasploit we're going to search username map that didn't work is it let's see I'm gonna cheat I don't want to look for it it's user map this is why you make notes and it probably would have told me in here if I would have read a little harder yes it does user maps script right down here by J Delta so we'll copy this again paste it we can info but we already read the info so we'll just say options we just got to set an R host so set the our host to 10.10 10.3 and the targets automatic so let's go ahead and try running it whether or not it works is a whole another question let's see if we the host is still up it's not because it hates us I wonder if our reset just went through or if this box is just incredibly unstable yeah this is classic this is what you pay for $13 a month that's what it gets you so we'll let this run for a second if this doesn't work we're stopping at 9 o'clock I do have VIP VIP costs like 13 bucks a month how often do Metasploit modules work for me on tests fairly often if I'm confident about it but you know there's some like like you saw the vs f TPD right I would have been fairly confident that it was working and/or if that would have been an exploit I would have fire it off and it would it wouldn't have worked he didn't have the backdoor version in it so you run into situations like that there's some were you just like yeah I know this is money it's gonna fire it off its gonna work but sometimes you do have to kind of spray and pray I guess to the best of your abilities there we go all right run and we've got a shell so again Who am I we are root hostname lame I would cap the Etsy shadow again steal all those hashes in there we can ARP - eh if it responds back in an orderly fashion apparently they don't like networking commands today there it is we can print the route if I was a low-level user sudo - L again I would look around for important files so our destinations going out dot zero out of a wildcard gateway nothing special there we could check the net stat if we wanted to but just some basic basic enumeration I would definitely look around all the the files that I could find and see what's interesting in there that's really what enumeration is right if you're meticulous and outside you got to be just as meticulous on the inside especially if you're doing capture the flag stuff thank so Khan for the the sub I appreciate that well thanks all you guys thanks Amunet thanks low kids appreciate it you guys are awesome ok so that is it for exploitation we are running right on time now if you are on the mailing list you notice that I sent out what we're gonna be talking about what do we do in a situation when there is nobody that or nothing right that we can exploit let's let's even narrow this down a little bit more cuz some you're gonna jump right to social engineering well I'll just call the help desk and tell them I'm so-and-so and get the password reset yeah that's possible right you can definitely social engineer but with a lot of these engagements a lot of pen testing external Network engagements have no social engineering allowed there are different sorts or types of assessments for that sorts of assessments for that where there are full-on engagements that allow social engineering there's strictly social engineering agents so companies like to limit you in scope as much as possible humans are the weakest link and we can still exploit humans being the weakest link even if everything else holding true is pretty much unexploited all right say this companies up to date on their patching they you know maybe you find some small vulnerabilities but there's nothing that you can get remote code execution on that's where talk about tonight now if you sat through my Carolina Kahn talk already this is gonna be semi repetitive but only a tiny piece of it is from that Carolina contacts so if somebody asked about the website I'll pull up the website really quick if you want on the mailing list Thank You vida I appreciate this up if you come into now there's a more up here okay you come into more the contact subscribe and you come down to here this isn't the best website I'm not a good web dev if you come down here and just join the mailing list you'll get the weekly email all right so let's go ahead and talk do I draw my logo no I didn't I bought it on Fiverr cuz I'm cool if you're not getting emails I would try Rhys absque reiben you might have typed in the wrong email Fiverr is dope alright let me get up this PowerPoint presentation since it killed my original one so we're gonna talk about a couple different concepts tonight and we're gonna talk about we're gonna be talking about credentials stuffing and password spraying are some of the biggest items that we can do social engineering is not allowed so let's go ahead and present this from the current slide so you have to go through my whole spiel again alright so we're gonna start off with credential stuffing and then we'll talk about password spray so what is credential stuffing well it's injecting breached account credentials in hopes of a takeover so we've got a compromised server here right you see the compromised server we've got credentials for Joe Sue and Bob these are part of some breach you can think Equifax you could think LinkedIn you can think whatever breach you want these hashes get taken people take the hashes and they take them offline and crack them for you sometimes they're nice and they put them on the clear web sometimes they put them on the dark web and try to sell them so however you obtain this you can get these clear text passwords Oh Jo's up here we got Joe goddamn it Joe how we take these these clear text passwords right and we try to put them against website logins if you're a bad guy you're putting these credentials firing them off at random email servers you're firing them off at banks you're firing them off wherever you can log in with them right if you're a good guy well what you're gonna be doing is you're going to be staying in scope like the good hacker that you are and you're going to try to log into a website that is owned by the client so and if you're lucky these credentials will work right away and that is the benefit of credential stuffing so a simple script can go a long way this is actually version 2 we are in alan version 3 so people have been asking about breach parse here's the github for breach parse right here so basically this tool what it does is it searches through a 1.4 billion clear text password lists and it spits out what you what you specify it to spit out so if we go through the script really quick and it may be hard to read basically this is the usage up here if you see it says breach parse domain to search file to output so if you wanted to search and we did test the last week we're actually gonna do Tesla this week again we're just gonna keep with Tesla if you say breach Bart's at Tesla calm and then just say Tesla dot txt it'll go ahead and output that for you so what it's going to do is it's going to roll through and it's going to create a bunch of files it's going to create a master text it's going to create a user's text and a password text now the master text has a user name and password users is just all the users passwords just all the passwords that way you don't have to do an awk and sort it out I'm already doing that for you so we do a touch of a Master File we total all the files and we do a file account because we build a progress bar out here with a function basically is just so we know how far along we are because I got tired of watching this roll through and not knowing where it was at so has the function of the progress bar more importantly all it's doing is doing a find command it's finding what you put in there as that at Tesla comm it's looking for at Tesla comm through every single file that we have and when it finds that it greps or it looks the files then it grabs for that and then it outputs it to the master from there the master we output that to users and a passwords via an awk and that's it it spits out something kind of like this so you're looking at the Tesla - master dot txt you can see a few different things here so what is the information reveal well it reels obviously the usernames and passwords right but also it reveals if you look at the orange it reveals the username patterns so you could see that sérgio dot Salle's or paulo dot i cannot even pronounce that you could see that it's a first name dot last name now for Tesla this is not whole completely true because you see some first names in there as well you see Kirk you see Camille and it's probably under assumption that what happened was maybe when they were smaller they had a Kirk but as they grew bigger into the large company they are if they had to start moving towards a first name dot last name and I've even seen first initial last name now so they may have changed their email a few times over on top of this there's some other information that we can gather here we can see password patterns and repeat offenders so with password patterns in repeat offenders we're seeing the shark at Tesla calm this person's shown up three times one thing that's really really interesting is this password right here where you see the 907 da de 8 1 4 so you see that they just changed the rotation of capitalized letters and non capitalized letters here so it doesn't really I mean it gives us you know X amount of possibilities right but in a four character space with capitalized letters and we're holding the rest constant I can run through something to to make all of these out and figure it out pretty quick so when we look for patterns like this we may be able to easily hack into a company that has poor password rotation and there's some more advanced thoughts here too that I don't actually have on this slide if I'm a bad guy or I'm doing a social engineering engagement a full on even red team engagement what I might do is I might take this password this 907 da de or let's we can find one that's even more more complicated I think this one's probably one of the better ones on here maybe trap that one as well so what you do is you say okay I want to take this 907 da de and I'm gonna take it and I'm gonna put it back into its original hash format we don't know what original hash format it was so we'll probably put it into like four or five different hash types well take those hashes and then there's sites like unhatched that you pay a small fee and you can run it against a hash table and get the email address tied to that so what does that do well one it finds the hash for a password that hasn't been cracked yet or isn't a part of these lists just because it's crackable doesn't mean it's been cracked what it also does is it ties some of these more unique passwords to almost a more definate user right if it was password one okay we're not sure that's gonna you know there's gonna be so many of those but something unique like this 907 da de 8 one four I'm gonna be a stronger confidence level that if I see it pop up and it ties to a hash or even if I put this string in and I put it in through my clear text list again right instead of at Tesla comm I'll put it through the clear text list and I'll try to see if this comes up for different email address so we can really start finding out what websites this user uses and how we can exploit them further especially if we're a bad guy right or doing a red team assessment and there's nothing off-limits so you know these these passwords really come into play and and when people are using their work emails like this it makes it easy for us to just exploit the hell out of them so we're gonna do this tonight this is what we're gonna do in the last 20 minutes we're gonna do a little bit of credential stuffing I actually don't even know if there's a login so we may just pretend and if there is if there is no credential stuffing found we're going to talk about password spraying and they're pretty close to each other somebody asks this is when you have nothing else to exploit yes that is correct all right so let's get out of that presentation if you are interested in that presentation you can check out the YouTube channel basically I have the whole thing up there from Carolina con which gives a story of going from from an external assessment like this and leaving my way in and getting domain admin it's a pretty decent story also covers the blue team side of things so if you're if you're more interested you're welcome to check that out so if you have already downloaded breach parse let's go into here a

Original Description

Zero to Hero: 0:00 - Welcome 2:43 - Lesson overview & staying humble 8:20 - Reverse shells vs bind shells 11:05 - Staged vs non-stage payloads 12:20 - Brief bind shell demonstration with netcat 15:30 - Reviewing scans from last week 17:30 - Exploiting mod_ssl 2.8.4 w/ OpenLuck manually 27:38 - Exploiting Samba 2.2.1a w/ trans2open Metasploit 37:50 - Reviewing some of our report findings 39:45 - Scanning, enumerating, and exploiting Hack The Box's Lame 1:01:00 - Credential stuffing & password spraying overview 1:13:05 - Running breach-parse against Tesla.com 1:14:05 - Using Burp Suite to perform credential stuffing & password spraying Q&A / AMA 1:28:53 - Boxers or briefs? 1:29:00 - What are you drinking? 1:29:42 - Are web pentest skills and network pentest skills interchangeable? 1:30:02 - What college degree is best for cybersecurity? 1:30:25 - What's new in your life / upcoming talks? 1:30:55 - What is this channel about? 1:31:10 - Troubleshooting a Kioptrix issue 1:31:40 - Is the CEH worth pursuing? 1:31:55 - Jon Jones?? 1:32:10 - Best advice to move from service desk to security? 1:33:10 - Is OSCP the best certification? 1:33:30 - Do you need a CS degree to be successful? 1:33:45 - What makes hacking unethical? 1:34:30 - How to transition from webdev to appsec? 1:35:38 - Tips for organization when testing large clients? 1:37:02 - What did you think about the Pentest+? 1:38:50 - How many more segments of Zero to Hero are left? 1:40:20 - How do you submit/plan a talk? 1:44:48 - What keyboard are you using? 1:45:25 - Are we building an AD lab next week? 1:45:48 - Are most of your assessments AD? 1:46:30 - Should I stop the OSCP and attempt the eJPT if I'm struggling? 1:47:00 - What are your specs? 1:48:15 - Are we covering all PowerShell in the course? 1:48:40 - OSCP vs HTB 1:48:55 - What is you Domain Admin % rate on all engagements? 1:49:45 - Domain Admin from a printer? 1:52:30 - How many assessments have you done total? 1:53:30 - How much time do you get per as
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from The Cyber Mentor · The Cyber Mentor · 34 of 60

1 Buffer Overflows Made Easy - Part 1: Introduction
Buffer Overflows Made Easy - Part 1: Introduction
The Cyber Mentor
2 Buffer Overflows Made Easy - Part 2: Spiking
Buffer Overflows Made Easy - Part 2: Spiking
The Cyber Mentor
3 Buffer Overflows Made Easy - Part 3: Fuzzing
Buffer Overflows Made Easy - Part 3: Fuzzing
The Cyber Mentor
4 Buffer Overflows Made Easy - Part 4: Finding the Offset
Buffer Overflows Made Easy - Part 4: Finding the Offset
The Cyber Mentor
5 Buffer Overflows Made Easy - Part 5: Overwriting the EIP
Buffer Overflows Made Easy - Part 5: Overwriting the EIP
The Cyber Mentor
6 Buffer Overflows Made Easy - Part 6: Finding Bad Characters
Buffer Overflows Made Easy - Part 6: Finding Bad Characters
The Cyber Mentor
7 Buffer Overflows Made Easy - Part 7: Finding the Right Module
Buffer Overflows Made Easy - Part 7: Finding the Right Module
The Cyber Mentor
8 Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
Buffer Overflows Made Easy - Part 8: Generating Shellcode and Gaining Shells
The Cyber Mentor
9 HackTheBox - Sunday Walkthrough (Re-Up)
HackTheBox - Sunday Walkthrough (Re-Up)
The Cyber Mentor
10 Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
Networking for Ethical Hackers - TCP, UDP, and the Three-Way Handshake (Re-Up)
The Cyber Mentor
11 Networking for Ethical Hackers - Network Subnetting (Re-Up)
Networking for Ethical Hackers - Network Subnetting (Re-Up)
The Cyber Mentor
12 Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
Networking for Ethical Hackers - Network Subnetting Part 2: The Challenge (Re-Up)
The Cyber Mentor
13 Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
Networking for Ethical Hackers - Building A Basic Network with Cisco Packet Tracer (Re-Up)
The Cyber Mentor
14 HackTheBox - Fighter Walkthrough (Re-Up)
HackTheBox - Fighter Walkthrough (Re-Up)
The Cyber Mentor
15 Beginner Linux for Ethical Hackers - Navigating the File System
Beginner Linux for Ethical Hackers - Navigating the File System
The Cyber Mentor
16 Beginner Linux for Ethical Hackers - Users and Privileges
Beginner Linux for Ethical Hackers - Users and Privileges
The Cyber Mentor
17 Beginner Linux for Ethical Hackers - Common Network Commands
Beginner Linux for Ethical Hackers - Common Network Commands
The Cyber Mentor
18 Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
Beginner Linux for Ethical Hackers - Viewing, Creating, and Editing Files
The Cyber Mentor
19 Beginner Linux for Ethical Hackers - Controlling Kali Services
Beginner Linux for Ethical Hackers - Controlling Kali Services
The Cyber Mentor
20 Beginner Linux for Ethical Hackers - Scripting with Bash
Beginner Linux for Ethical Hackers - Scripting with Bash
The Cyber Mentor
21 Beginner Linux for Ethical Hackers - Installing and Updating Tools
Beginner Linux for Ethical Hackers - Installing and Updating Tools
The Cyber Mentor
22 Cracking Linux Password Hashes with Hashcat
Cracking Linux Password Hashes with Hashcat
The Cyber Mentor
23 Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
Reminder: Twitch Hacking Live Stream Tonight! 2/26/19 at 8PM EST
The Cyber Mentor
24 Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
Hacking Live Stream: Episode 1 - Kioptrix Level 1, HackTheBox Jerry, and Career Q&A / AMA
The Cyber Mentor
25 Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
Hacking Live Stream: Episode 2 - HackTheBox Active, Vulnserver Buffer Overflow, and Career Q&A / AMA
The Cyber Mentor
26 Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
Hacking Live Stream: Episode 3 - Hack The Box Blue, Devel, and Career Q&A / AMA
The Cyber Mentor
27 New Zero to Hero Pentest Course, New Website, and 2K Subs?!
New Zero to Hero Pentest Course, New Website, and 2K Subs?!
The Cyber Mentor
28 Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
Zero to Hero Pentesting: Episode 1 - Course Introduction, Notekeeping, Introductory Linux, and AMA
The Cyber Mentor
29 Zero to Hero Pentesting: Episode 2 - Python 101
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
30 Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
31 Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
32 Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
33 Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
35 Installing Windows Server 2016 on VMWare in 5 Minutes
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
36 Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
37 A Day in the Life of an Ethical Hacker / Penetration Tester
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
38 Active Directory Exploitation - LLMNR/NBT-NS Poisoning
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
39 Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
40 Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
41 Writing a Pentest Report
Writing a Pentest Report
The Cyber Mentor
42 Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
43 The Complete Linux for Ethical Hackers Course for 2019
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
44 Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
45 Popping a Shell with SMB Relay and Empire
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
46 Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
47 Pentesting for n00bs: Episode 2 - Lame
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
48 Pentesting for n00bs: Episode 3 - Blue
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
49 Web App Testing: Episode 1 - Enumeration
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
50 Pentesting for n00bs: Episode 4 - Devel
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
51 Pentesting for n00bs: Episode 5 - Jerry
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
52 Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
53 Pentesting for n00bs: Episode 6 - Nibbles
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
54 Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
55 How NOT to Approach a Cybersecurity Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
56 Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

This video teaches viewers how to conduct penetration testing, exploit vulnerabilities, and use credential stuffing to gain access to systems. It covers various tools and techniques, including Metasploit, netcat, and Breached Parse. The video is geared towards beginners in cybersecurity and provides a comprehensive overview of the topics covered.

Key Takeaways
  1. Set up a test environment with Kali Linux and Windows Server 2016
  2. Use Metasploit to exploit vulnerabilities
  3. Use netcat to create reverse and bind shells
  4. Use Breached Parse to analyze breach data and identify password patterns
  5. Conduct credential stuffing and password spraying attacks
💡 Credential stuffing can be used to gain access to systems by exploiting breached account credentials, and tools like Breached Parse can be used to analyze breach data and identify password patterns.

Related Reads

📰
Botnet Activity Escalates While Web3 Development Persists Amidst Bearish Market
Learn how botnet activity and Web3 development are impacted by the bearish market, and why it matters for cybersecurity and blockchain professionals
Dev.to AI
📰
When Ransomware Hits, the District Stops
Learn a recovery playbook for schools and local government to minimize downtime when ransomware hits, focusing on proactive measures beyond just backups
Dev.to · Ryan Beglau
📰
Jalisco, OmegaLord Phishing Kits Target Microsoft 365 Accounts
Learn about new phishing kits targeting Microsoft 365 accounts and how to protect against them
TechRepublic
📰
I Patched My OpenClaw Instance Against the Claw Chain Vulnerabilities in 40 Minutes — Here's the Checklist
Learn how to patch OpenClaw instances against Claw Chain Vulnerabilities in under an hour with a simple checklist
Dev.to AI

Chapters (42)

Welcome
2:43 Lesson overview & staying humble
8:20 Reverse shells vs bind shells
11:05 Staged vs non-stage payloads
12:20 Brief bind shell demonstration with netcat
15:30 Reviewing scans from last week
17:30 Exploiting mod_ssl 2.8.4 w/ OpenLuck manually
27:38 Exploiting Samba 2.2.1a w/ trans2open Metasploit
37:50 Reviewing some of our report findings
39:45 Scanning, enumerating, and exploiting Hack The Box's Lame
1:01:00 Credential stuffing & password spraying overview
1:13:05 Running breach-parse against Tesla.com
1:14:05 Using Burp Suite to perform credential stuffing & password spraying
1:28:53 Boxers or briefs?
1:29:00 What are you drinking?
1:29:42 Are web pentest skills and network pentest skills interchangeable?
1:30:02 What college degree is best for cybersecurity?
1:30:25 What's new in your life / upcoming talks?
1:30:55 What is this channel about?
1:31:10 Troubleshooting a Kioptrix issue
1:31:40 Is the CEH worth pursuing?
1:31:55 Jon Jones??
1:32:10 Best advice to move from service desk to security?
1:33:10 Is OSCP the best certification?
1:33:30 Do you need a CS degree to be successful?
1:33:45 What makes hacking unethical?
1:34:30 How to transition from webdev to appsec?
1:35:38 Tips for organization when testing large clients?
1:37:02 What did you think about the Pentest+?
1:38:50 How many more segments of Zero to Hero are left?
1:40:20 How do you submit/plan a talk?
1:44:48 What keyboard are you using?
1:45:25 Are we building an AD lab next week?
1:45:48 Are most of your assessments AD?
1:46:30 Should I stop the OSCP and attempt the eJPT if I'm struggling?
1:47:00 What are your specs?
1:48:15 Are we covering all PowerShell in the course?
1:48:40 OSCP vs HTB
1:48:55 What is you Domain Admin % rate on all engagements?
1:49:45 Domain Admin from a printer?
1:52:30 How many assessments have you done total?
1:53:30 How much time do you get per as
Up next
AI Found ALL Vulnerabilities - Release Delayed!
Pranjal
Watch →