Tutorial

How to Bypass a Target's Defenses and Intrusion Prevention Systems in Ethical Hacking

Hello everybody and welcome back. Before we begin with the options for this part of the tutorial I just want to show you the output of the previous scan that we did. As we can see it discovered a port that is different from the one the three previous scans got us, which was port 5357, a TCP port. Instead of that we got an open UDP port, NetBIOS-ns, which runs on port 137 on our laptop machine.

So you might notice that the UDP scan (-sU) only gives you output for UDP ports, which makes sense. It will list any UDP port that is open: for example this NetBIOS name service, your DNS, or anything else that runs over UDP.

This option, then, is the one that gives you open UDP ports.

So now we have covered the full three-way TCP handshake scan (-sT), the SYN scan (-sS), which sends only the first part of the three-way TCP handshake, and the UDP scan (-sU).

If you find anything helpful in this post or funny, will you please leave a like because you will feel great helping other people find it?

Now that we have covered all of those options I want to show you how you can avoid some of the defenses that your target might have and how you can get past an IPS.

So for example, the first thing you might want to try if your target is blocking your Nmap scan or you can't get any output is the -sA option. As I said in the previous video, -sA is listed with the TCP scan types, since the 'A' stands for ACK, which is the last part of the three-way TCP handshake.

As you can see right here it is the third option in the list and it stands for ACK scan.

Now, I deleted the drawing that I did before since it was really bad. Let me just draw it once again.

This is PC A and this is PC B, and from A we want to scan B.

In a normal three-way TCP handshake A sends a SYN, B answers with a SYN-ACK, and A sends back an ACK. An ACK scan sends only that last ACK, with no SYN before it.

I really do encourage you to read more about TCP handshakes, since this can be a little bit confusing if you don't know what I am talking about. But basically the idea behind -sA, which sends only the last part of the TCP handshake, is that it can get past some of the rules on the target's router.

For example, say there is a rule that allows SYN packets only from the internal network. Let's say this is some website, and its router will only allow a full three-way TCP handshake, or the SYN packet that starts it, from machines that are on its local network. You, as someone coming from the internet and trying to send a SYN packet to that machine from outside its local network, will get blocked.

If that rule really exists on the target, you can trick it by sending only the ACK, the last part of the three-way TCP handshake, which makes the router think the packet is the answer to a SYN that one of the local machines sent earlier.

So let's say this router is connected to the other devices on its local network. Pardon my really bad drawing right here, but this circle is representing the internal network of this machine, and it will only accept a three-way handshake, or a packet with the SYN bit set, from machines that are on its local network.

You, coming from the outside and sending a SYN packet, will get blocked. But if you send only an ACK packet, without the SYN that normally precedes it, the router may treat that ACK as belonging to a connection one of the local machines already opened and let it through.

So in order to do that you just type nmap -sA and then the IP address of the target.

Basically you use this option when SYN packets are being blocked on the way to the target. Two things to keep in mind. First, this only works against a stateless packet filter: a stateful firewall keeps a table of the connections it saw a SYN for and drops an ACK that belongs to none of them. Second, an ACK scan cannot tell you whether a port is open, because a port that the ACK reaches answers with a RST whether it is open or closed. Nmap therefore reports ports from an ACK scan as 'unfiltered' or 'filtered', which tells you where the filtering is, and you then follow up on the unfiltered ports with -sS or -sT.

Now, this is not that common to see so you won’t be needing it that much, but it can happen.

Now, the next thing you might want to specify is the source port that your packets are sent from. By default Nmap picks the source port, the port on your machine that the packets go out from, and it is chosen randomly at the start of the scan. That can be a problem when the target only allows packets coming from specific ports.

What I mean is, let's say you run an Nmap scan from this machine and it uses port 333 for the outgoing probes, a randomly assigned port on your machine. But on the target machine there is a rule that it will only accept packets whose source port is, for example, 80.

So your packets, no matter which scan type you specify, whether it is the UDP scan, the ACK scan, the SYN scan or the full TCP connect scan, will get blocked, since they are not coming from the source port the rule allows, which is port 80.

So in order to scan this target you need to set the source port it allows packets to come from. It will usually be one of the well-known ports, for example port 53 for DNS, port 25, port 80 or port 8080, but it can also be any other port, so you will need to find it out yourself. Once you do, you just add --source-port and the port number. For example, if the allowed source port is 80 we type nmap --source-port 80 and then the IP address of our target machine. The DNS case is the classic one in practice: a stateless filter written as 'allow anything from source port 53' so that DNS replies get in also lets in anything else you send from port 53.

And as we can see right here it says '0 hosts up'. Not really sure why that happens. As we can see it says 'Host seems down. If it is really up, but blocking our ping probes, try -Pn'. So let us just try -Pn, which we covered in the previous tutorial, but for some reason it still doesn't show us that the host is up.

Let me just see right here if I correctly specified this option, --source-port.

I believe it is correct, but let us check once again. Maybe they changed this option. I thought it was --source-port, and it didn't give us any error so I believe it still is, but for some reason our host appears to be down. We won't waste our time on that.

So let us recap. You use the --source-port option when your target only allows packets that come from certain ports, for example port 80 as we saw.

So the command would be nmap --source-port 80 192.168.1.8. Let us continue to the next step in order to bypass another detection problem, which is the packet data length.

Now, Nmap's TCP probes such as SYN and ACK carry no data payload by default (UDP probes get a small protocol-specific payload for some well-known ports and nothing for the rest), so every probe of a given type has the same, predictable size. Some defenses take advantage of that with rules that deny or alert on packets of the standard Nmap probe size. In other words, if someone has such a rule, or knows what Nmap sends, they can write a rule that says block any packet that matches the size of a standard Nmap probe.

To get around that detection you can change the packet size with the --data-length option, which appends that many random bytes to each probe. So let us try that one out. If we type nmap --data-length 50 and then the IP address, it doesn't give us any error, so the syntax of the command is correct.

So this is taking a little bit of time. It should give us the correct output once it finishes. Of course you don't have to use only this option. You can combine it with a bunch of other options, so for example you could combine all three that we have seen into one scan that gets past all three defenses: blocking of SYN packets, blocking of unexpected source ports, and blocking of the standard Nmap packet size. Then we will cover one more in order to bypass detection and defense.
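As an added worked example (this is a small Python model written for this page, not code from the course or from Nmap), here is why the first three options help against some filters and not others. It assumes a LAN of 192.168.1.0/24, a scanner at 203.0.113.10, an open port 80, and a made-up three-rule router ACL; the stateless and stateful filters, the IDS size rule and the Nmap labels are simplifications of the real thing.

```python
"""Toy model of the three filter-evasion options covered above: -sA, -g /
--source-port, and --data-length.  Added example; not code from the course."""
from dataclasses import dataclass

INTERNAL_NET = "192.168.1."    # assumed LAN behind the router
OUTSIDE = "203.0.113.10"       # assumed scanner address (TEST-NET-3)


@dataclass(frozen=True)
class Probe:
    src_ip: str
    src_port: int
    dst_port: int
    flags: frozenset          # TCP flags set on the probe, e.g. {"SYN"}
    payload_len: int = 0      # Nmap's TCP probes carry no payload by default


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)


def stateless_acl(p: Probe) -> str:
    """A router ACL with no connection tracking; first matching rule wins.
    The rules are assumed for illustration and mirror the cases in the text."""
    if p.src_port == 53:                            # "permit DNS replies"
        return "pass"
    if "SYN" in p.flags and "ACK" not in p.flags:   # new connection
        return "pass" if is_internal(p.src_ip) else "drop"
    if "ACK" in p.flags:                            # "looks established"
        return "pass"
    return "drop"


class StatefulFirewall:
    """Tracks connections it saw a permitted SYN for; a bare ACK or a
    spoofed source port buys nothing here."""

    def __init__(self) -> None:
        self.table = set()      # (src_ip, src_port, dst_port) of tracked flows

    def check(self, p: Probe) -> str:
        key = (p.src_ip, p.src_port, p.dst_port)
        if "SYN" in p.flags and "ACK" not in p.flags:
            if is_internal(p.src_ip):
                self.table.add(key)
                return "pass"
            return "drop"
        return "pass" if key in self.table else "drop"


def nmap_reports(scan: str, verdict: str) -> str:
    """Port state Nmap prints, assuming port 80 is open and answers whatever
    reaches it (RST to a bare ACK, SYN/ACK to a SYN).  An ACK scan can only
    ever say 'unfiltered' or 'filtered', never 'open'."""
    if verdict == "drop":
        return "filtered"
    return "unfiltered" if scan == "ack" else "open"


def ids_size_signature(p: Probe) -> bool:
    """Simplified IDS rule: alert on a TCP SYN with the zero-length payload
    Nmap sends unless --data-length is used.  Real rules use more fields."""
    return "SYN" in p.flags and p.payload_len == 0


def run_demo() -> dict:
    """Push the probe each option produces through both filter types.
    Returns {label: (what Nmap sees via the stateless ACL, via the stateful fw)}."""
    probes = {
        "-sS":          ("syn", Probe(OUTSIDE, 40000, 80, frozenset({"SYN"}))),
        "-sA":          ("ack", Probe(OUTSIDE, 40000, 80, frozenset({"ACK"}))),
        "-sS -g 53":    ("syn", Probe(OUTSIDE, 53, 80, frozenset({"SYN"}))),
        "-sS from LAN": ("syn", Probe("192.168.1.5", 40000, 80, frozenset({"SYN"}))),
    }
    fw = StatefulFirewall()
    results = {}
    for label, (scan, p) in probes.items():
        results[label] = (nmap_reports(scan, stateless_acl(p)),
                          nmap_reports(scan, fw.check(p)))
    return results


if __name__ == "__main__":
    for label, (sl, sf) in run_demo().items():
        print(f"{label:14} stateless ACL: {sl:11} stateful firewall: {sf}")
    default = Probe(OUTSIDE, 40000, 80, frozenset({"SYN"}))
    padded = Probe(OUTSIDE, 40000, 80, frozenset({"SYN"}), payload_len=50)
    print("IDS alert on default probe:", ids_size_signature(default))
    print("IDS alert with --data-length 50:", ids_size_signature(padded))
```

Running it shows that -sA and -g 53 get through the stateless ACL, where Nmap would report the port as unfiltered or open, while the stateful firewall drops everything from outside; the padded probe also dodges the size rule. That is the practical lesson: these options defeat a filter that looks at one packet at a time, not one that tracks connections.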

Right here we have the output of the scan. As we can see it ran correctly and we have one open TCP port, the same wsdapi service we saw before.

So let us continue on to the next one, which is spoofing your MAC address.

Now, long ago in one of the first tutorials we covered how to change our MAC address. You can use that as well, but Nmap gives us its own option to spoof our MAC address. If we type nmap with no arguments it will show us the options. I am not really sure if it is listed.

Yes, it is right here. We can also see the --data-length option and the source port one.

Let me just try here with -g, since the help says it is the same as --source-port. The long form didn't work for us, so let me type nmap -g 80 192.168.1.8.

Let us see if the host is up right now, and it is up. So basically instead of --source-port you can use -g and then specify the port, of course.

So that's good. I didn't know that existed, but let us not care about that at the moment. At the moment we want to spoof our MAC address with this option.

As we can see the syntax is --spoof-mac and then the MAC address.

The help lists it as --spoof-mac <mac address/prefix/vendor name>, so you can also give just a prefix or a vendor name and Nmap fills in the rest randomly, and giving 0 makes Nmap pick a completely random address. We'll just type a full MAC address here. The description for this option is 'Spoof your MAC address', so let us do that. The source port scan finished, so let us clear the screen and type nmap --spoof-mac, I believe that was the option, followed by the MAC address you want to fake.

So let me just save this. To show you the format, let us use macchanger, which we covered before. You type macchanger --show and then the network interface in order to see your current MAC address.

So this is the format of a MAC address. You can see it consists of six parts, separated by colons.

So you can just type 22:33:44:55:66:77 and then the IP address of our target host. As you can see right here it says 'Spoofing MAC address 22:33:44:55:66:77 (No registered vendor)' and then 'Host seems down. If it's really up, but blocking our ping probes, try -Pn'.

Now, for some reason it seems that the host is down with that option. It could be because we didn't really specify those two options, but I doubt it.

We won't really bother with that right now. I just want you to know about that option. It is used, for example, if this machine right here only allows packets to come from certain MAC addresses.

A MAC filter can be a black list or a white list. This machine can have a black list where it blocks some MAC addresses, and one of those could be yours. Or it can have a white list where it only allows certain MAC addresses.

Now, most likely it will have a white list where it allows only trusted devices by their MAC addresses, and in order to send packets to this machine you need to spoof the MAC address of a trusted device that the target has in its white list.

Once you do that with the --spoof-mac option, you will be able to send packets to and receive packets from the target machine. Two things to keep in mind. A MAC address only travels as far as the local network segment, since every router replaces it with its own, so this option only matters when you are on the same LAN or Wi-Fi as the target; it is usually a switch, access point or host firewall on that segment that does the MAC filtering, not a router out on the internet. And replies come back to whatever hardware address the target resolves for your IP, not necessarily the one you spoofed, so check with a packet capture whether the target actually answered before concluding that it is down.

So let us type --spoof-mac and then, for example, 33:44:55:66:77 (a prefix; Nmap picks the remaining byte at random). It doesn't have to be this value, you can specify any address you want. Then you type the IP address or the host name of your target.

So that would be about it for avoiding defenses and IPS. These four options can be useful if your target has rules in place to block your scans.

But you will find that targets rarely use any of these rules to prevent you from scanning them. If it does happen, you can use the options that we covered in this video. In the next video I will show you what Nmap scripts are, how to get to them and how to use them. So I hope you are enjoying this tutorial and I hope to see you in the next one. Bye.

Final Words from Jerry Banfield.

Wow. You are one of the only people that made it all the way to the end. Thank you for watching this entire video.

We have a video course for you called Master Ethical Hacking in 2019 on Uthena that we imagine given you’ve watched all of this, you might really love and enjoy the complete course.

If you’d like to get the complete course, which includes answers to your questions and it includes lifetime updates and new videos, will you please go to uthena.com and buy Master Ethical Hacking in 2019.

Alternatively, you might love the Ethical Hacking Forever course bundle where you can get six courses currently in this bundle plus every single course we add for life and no additional cost.

I intend to add at least 20 more Ethical Hacking courses to this bundle to make it the very best Ethical Hacking course bundle in the world. I already think it is today, of course, because it’s mine.

Thank you for being here and watching this. I trust if you found this helpful you will leave a like on the video and subscribe to see more. Maybe you’ll take a look in the description where you might find some links that you will love.

I love you.

You’re awesome.

Thanks for being here with me and I will see you again soon on another video on our Jerry Banfield YouTube channel.

Leave a Like on the Video?

Yes. You reached all the way to the end. Will you leave a like to let us know, you made it this far in the video, because you will feel great helping the video rank higher and giving something back.

Love,

Jerry Banfield.

How to Configure Burp Suite to Intercept HTTP Requests and Responses.

Hello everybody and welcome back. Right now we will configure Burp Suite as a proxy so that we can intercept our own HTTP requests and responses.


So Burp Suite, the program that we will use, is already preinstalled in Kali Linux. If you go to Applications and then Web Application Analysis, it should be the first one right there.

So if this is the first time for you running it, it might ask you for a root password. You just type it in and you open up the Burp Suite.

Now, another way that you can open it is through the command line.

So here it will just give us a message about the version. Just click OK; it doesn't matter what it says, and it should open up Burp Suite.

Now, I already configured my Burp Suite so it works for me. Basically, I will just show you the process. We will need to configure some of the things in our Firefox and also some of the things in the Burp Suite in order to capture our packets.

So just click here on ‘Next’.

‘Use Burp defaults’ click here on ‘Start Burp’ and it should start in a few seconds.

Now, what I wanted to say is that you can also run it through a command line with ‘burpsuite’ and it will just open up the same thing right here.

It will use your terminal for it so you don’t have to go to the applications and so on and so on.

So as you can see right here, this is the Burp Suite.

It has a bunch of tabs. We will use it to intercept our own traffic. Here we have options such as HTTP history.

Here we will have the websites that we visited in the current session.

Here you have Intercept, with the button that toggles intercept on and off.

Now, before I cover all of these options I just want to show you what you need to do in order to get this to work.

So what you want to go to is Proxy, the second tab from the left, and then below that the Options sub-tab. So 'Proxy' and then 'Options'.

Here we are interested in the 'Proxy Listeners' part. By default you will have one listener, 127.0.0.1 on port 8080, which means it listens on port 8080 on localhost only.

Now, what you want to do is select that one and click 'Edit'. It opens a small window where you set 'Bind to port' to 8080, and for the address you can choose 'All interfaces', 'Loopback only', or a specific address.

I will leave it on 'Loopback only'. You could also specify a certain address; for example the current IP address of this virtual machine is 192.168.1.6, but I will leave it on localhost, loopback only, since I will point Firefox on this same machine at the proxy. Only bind to all interfaces if you actually need another machine to send traffic through your Burp, because then anyone who can reach that port can use your proxy.

So click 'OK'. Port 8080, loopback only, 127.0.0.1, click 'OK'.

Now what we want to do is go to our Firefox. So open up your web browser and where you want to go is basically here on the right this three lines ‘Open menu’ and go to the ‘Preferences’.

Now under the preferences you want to go to the ‘General’ which is already opened right here by default. You want to scroll all the way down and find the ‘Network Proxy’. So here we can see ‘Configure how Firefox connects to the Internet’.

What we want to do is basically make our Firefox connect to the internet through our Burp Suite. So click on the ‘Settings’ and it should open up this small window.

By default it is set to 'No proxy'. Change that to 'Manual proxy configuration'. Since you haven't configured it before, I believe it will have only the first one, the 'HTTP Proxy', set to 127.0.0.1 on port 8080.

Now, you want HTTPS traffic to go through Burp as well, so set the 'SSL Proxy' (called 'HTTPS Proxy' in newer Firefox versions) to the same thing, 127.0.0.1 on port 8080, or simply tick 'Use this proxy server for all protocols', which copies the HTTP proxy settings to the other fields. Burp's listener speaks HTTP, not SOCKS, so the SOCKS host can stay blank; if Firefox has filled it in for you, leave it on SOCKS v5, which Firefox only uses for traffic the HTTP and SSL entries do not cover.

Also look at the 'No proxy for' box below: if your test target is on this machine, remove localhost and 127.0.0.1 from it, otherwise that traffic bypasses Burp. Newer Firefox versions skip the proxy for localhost addresses regardless of that box, so it is easiest to test against a target on another machine or VM, as I do here.

Once you do that, click here on ‘Okay’ and you should be good to go.

So if we click ‘Setting’ again we can see that now our manual configuration proxy is set on the local host.

Now, if you go to your browser and try google.com, it won't work yet. Firefox will show a certificate warning, something like 'Your connection is not secure', and won't let you connect to google.com. Any HTTP website should load, but no HTTPS website will, until we install Burp's CA certificate a little later.

Now, if you typed here any HTTP website and it is loading on forever, what you want to do is go to your Burp Suite and make intercept off.

So if your intercept is on like it is right now for me, it won’t let you load any page since it will wait for you to forward or drop the packet. Let me just show you what I’m talking about.

If I refresh this page right here, you will see that this will load forever. It will never load the page.

And in Burp Suite we can see that it captured the HTTP request headers for this website, which is just my OWASP vulnerable machine, and it asks whether I want to drop this request, which means discard it, or forward it to that machine.

Now, if I forward it and I open up my Firefox you can see that now it loaded the page, because I forwarded the packet.

Now, if you have the intercept checked on which means the intercept is on, you want to make it off so you can load the page without forwarding every packet.

Now, we want to also make sure that we can load our HTTPS websites. For me it works, but for you it won’t work until you install in your Firefox a Burp Suite CA certificate.

Basically, we need to install the Burp Suite CA certificate in Firefox, because Burp terminates each HTTPS connection itself and presents Firefox a certificate for the site that it signed with its own CA. Until Firefox trusts that CA, every HTTPS site looks like a man-in-the-middle, which is exactly what Burp is.

So in order to do that first of all, make sure your Burp Suite is running, make sure that you configured the preferences in Firefox. So make sure that this is the same as mine.

Make sure Burp Suite is running. If it's not running this won't work and you won't be able to download the certificate. Once your settings match mine, Burp is running and intercept is off, open a new tab and type http://burp. Just that.

So once you type that it will lead you to this page where it will say ‘Burp Suite Community Edition. Welcome to Burp Suite Community Edition’.

What you want to go on here is on the CA certificate and click on it. It will ask you if you want to download this file.

‘Do you want to save it?’ Yes.

So the file is 973 bytes, so it's not that large. Click 'Save', and once it downloads find where you saved it (the file is called cacert.der). I already have one downloaded so I have it right here.

You will only have one of these. Once you find it, go to Firefox 'Preferences' again, but instead of the 'Network Proxy' settings we want the 'Privacy & Security' settings.

Once you are there, scroll down and find 'Certificates'.

Here are the certificates and you want to click 'View Certificates'.

Once this window opens up it shows you a bunch of certificates that are already in your Firefox web browser. Make sure you are on the 'Authorities' tab, since Burp's certificate is a CA certificate.

Now we want to import the certificate we downloaded from http://burp. How do we do that? Basically we just click 'Import'.

So click 'Import' and find where the file is saved for you. I already imported it so I won't import it twice. Here it is. Click on the file and click 'Open'.

Firefox then asks what you trust this CA for; tick 'Trust this CA to identify websites', otherwise HTTPS sites will still show the warning. Click 'OK' and you should be good to go.

Now, after that if you type google.com once again, it should be loading the HTTPS websites as well as the HTTP websites.

Now, if this didn’t work make sure once again that the Burp Suite is running or this will not work. Make sure that all of the options are already set as mine and you should be good to go.

Now that this works for HTTP and HTTPS we can see all of the traffic going through our own Burp Suite. If I go to the Target tab, the Site map gives me a list of all the hosts I have visited.

As we can see right here this is just a bunch of the HTTP request packets that I sent in order to visit my virtual machine which is on the IP address of 192.168.1.9.

Now, in the next tutorial, I will show you some of these packets, how you can configure them, how you can change them and all of that, and where you can find all the websites that you visited and specific packet if you search for it.

But for now just make sure that your Burp Suite works and that when you visit a website, for example, facebook.com, it should open up the Facebook page and it should also have here a bunch of other Facebook domains opened.

As you can see, the host you requested is shown in darker text than the ones Burp only saw referenced while fetching the Facebook page, which are greyed out.

And we can see, this is our Facebook page and the HTTP requests that we got from it.

So I will make sure to explain the requests and responses better in the next video.

Until then I hope you’re having a great day and take care.


What are HTTP Responses and Headers?

Hello everybody and welcome back.

In the previous lecture we discussed what an HTTP request is, and right now we will discuss what an HTTP response is.


So as I said, they are very similar. The response is what the server sends back to us. For example, when we send an HTTP request with GET and the name of some page, we want the server to send us that page back.

So it sends us an HTTP response containing the HTML code of that page, and that's how pages load.

So let us see the basic structure of the HTTP response. Here I have a picture.

As we can see right here the upper part is the header section of the HTTP response.

As I said, an HTTP response consists of two things: the headers and the body. In the headers we get information about the server and the content, and in the body we get the content itself, the website's HTML code, which is basically the page.

So the HTTP response starts with the status line: the protocol version, HTTP/1.1 in this picture, then the status code, and then a short reason phrase. The status code here is 200, which means the request was successful.

Now, you can also have other codes. If the number starts with four, there was an error in the request, on the client side. If it starts with five, there was also an error, but not on the client side: it happened on the server side.

So 4xx codes are errors on the request or client side and 5xx codes are errors on the server side.

Also, as I said, 2xx means the request succeeded, and 3xx means redirection.

So for example you try to visit some website and it redirects you to another one; that is signalled with a status code of 300 and something, and the Location header in that response tells the browser where to go next.

Now, there are some things that we need to remember. The date doesn't matter to us that much. The Server header is important since it gives us the type and version of the server. As it says here it is Apache/2.0.63 (Unix), and that is useful for us attackers because we get the server version and can search for known vulnerabilities for that exact version.

Today some websites leave the version out of the Server header, or send a generic value, precisely because it is so valuable to attackers, and it can also be deliberately faked, so treat it as a lead rather than a certainty. But most sites still send it, so we will use it to find vulnerabilities for that specific server version.

The next thing we are interested in isn't in this particular response, but it's the Set-Cookie header. That is the server setting a cookie value for us: it sends a cookie value that it assigns to my browser in order to track my session. So it is also an important thing.

Here you can see that the headers and the body of the response are separated by a blank line.

You don't need to remember it like that; just remember that the content, the body of the response, will be HTML, which is easy to recognise by the angle brackets of its tags. It always begins with an opening tag and ends with the matching closing tag.

So you will easily know what the HTML code is. Now, that is some of the things that you need to know from the HTTP response. But before we continue, there is another thing that I want you to know which is the HTTP methods available.

Now, we covered one method already in our first HTTP request video. We covered the GET method.

So when I type google.com or facebook.com I send an HTTP request with the GET method, which requests that page from the server.

Now, there are a few other methods, for example POST, HEAD, TRACE, PUT, DELETE and OPTIONS. Those are the methods you can send to the server. The most important for us are the GET method, which we already covered and which just requests the page, and the POST method.

Now, the POST method is basically us sending some of the information to the server.

Now, you might be asking, what kind of information do we want to send? Well a simple example would be us sending a username and password. It is done with the POST method.

So we opened the request header and here we can see the GET method.

Now, instead of the GET, if we did a post request it would be POST instead of GET.

So basically just P-O-S-T. A POST request would be if we typed anything into the email field here and pressed 'Log in'.

That is us sending a POST request. I will explain it further once we get to the Burp Suite configuration, since that can be a little bit difficult to configure the first time, so I will lead you through that process. But let me show you how you can discover the HTTP methods available on a website with the things we have already learned.

So for example, you want to scan a website and see if there is a POST method available, head method available, delete method available or any other method. You can do that with a simple Nmap script. So we already covered Nmap before so let us just go into our scripts folder which is under this path right here usr/share/nmap then scripts.

What we want to find is the HTTP method script. So let me just type here ls in order to list the methods try to grep the HTTP.

As we can see there is a lot of them.

So let me just type here ls grep and then method, maybe it lists less options.

As we can see there it is and this is the script that we want which is http – methods.nse.

So in order to run that onto our OWASP virtual machine that I showed how to install before, the IP address is .1.9, so we just write here Nmap and then – – script and then = and now we will copy the script name, paste it and then we will specify the ports that it should scan.

So it shouldn’t really scan all of the ports. It isn’t necessary. We know that the HTTP ports and HTTPS ports are 80 and 443. Now, we will also add the port 8080 since it can be relatively commonly used as an alternative port to 80. So let us just type here – p for the ports and type here 80 which is the HTTP port, 443 which is the port for HTTPS, and port 8080. And now at the end, we want to specify our IP address of the target so it is .1.9.

Now, let this run. I’m not really sure how long it should take. It should finish relatively fast. Here we go, and we can see that it gives us the output port 80 TCP open HTTP and available HTTP methods.

We can see right here the supported methods: GET, HEAD, POST, OPTIONS and TRACE. These are some of the HTTP methods, and the potentially risky method is TRACE.
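As an added example (not Nmap's own code, and not from the original lesson), here is the core of what the http-methods script does: send an OPTIONS request, read the Allow header, and flag methods such as TRACE. A constructed in-process server that advertises the same method set the scan above reported lets it run offline; point probe_methods at a real host and port to use it for your own systems.

```python
"""Probe which HTTP methods a web server advertises, the way the Nmap
http-methods script does (constructed example; not Nmap's own code).

An OPTIONS request asks the server for its Allow header; methods such as
TRACE, PUT, DELETE and CONNECT are then flagged as worth a closer look.
A tiny in-process server that advertises TRACE lets the probe run offline."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods an exposed web application rarely needs; TRACE in particular echoes
# the request back (including cookies), which is why Nmap reports it as risky.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}


def probe_methods(host, port, path="/", timeout=5):
    """Send OPTIONS and return (advertised methods, risky subset), both sorted."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection is left clean
        allow = resp.getheader("Allow") or ""
    finally:
        conn.close()
    methods = sorted({m.strip().upper() for m in allow.split(",") if m.strip()})
    return methods, sorted(set(methods) & RISKY_METHODS)


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the OWASP VM: advertises the same method set
    the lesson's scan reported (GET HEAD POST OPTIONS TRACE)."""
    ADVERTISED = "GET, HEAD, POST, OPTIONS, TRACE"

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", self.ADVERTISED)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo server quiet
        pass


def probe_demo_server():
    """Start the demo server on a free loopback port, probe it, shut it down."""
    server = HTTPServer(("127.0.0.1", 0), _DemoHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return probe_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    methods, risky = probe_demo_server()
    print("Supported Methods:", " ".join(methods))
    if risky:
        print("Potentially risky methods:", " ".join(risky))
```

The fix on the server side is to disable TRACE (for example `TraceEnable Off` in Apache) and re-run the probe until the risky list comes back empty.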

So we can see that with this Nmap script we can gather the available methods for any website on the specified ports. Now, in order for us to view the packets that are going to the website and back, we need to use a proxy.

And for that proxy we will use Burp Suite, which will let us see all of the packets that we are sending and change them, and which is also used for some of the attacks such as a simple brute force against the website, session hijacking and a bunch of other attacks.

Now, the process of setting up Burp Suite as your proxy can be a little tricky, so I will show you how to do that in the next video.

Until then I hope you’re having a great day and take care.

Final Words From Jerry Banfield

Thank you very much for finishing this entire video. We are honored you’ve spent this time here. We’ve got a complete course I imagine you will love and enjoy named Master Ethical Hacking in 2019.

You can get this course on uthena.com. You can also get it as a part of the Ethical Hacking Forever course bundle which has nearly 100 hours of video.

Already it’s got six different ethical hacking courses in it that we imagine you will love and enjoy, from several different instructors showing you the very best of ethical hacking.

You can get this forever bundle meaning when you buy it today, you get all the rest of the courses added for life. I intend to add at least 20 courses to this bundle over its lifetime, new courses every year.

This course in particular is Master Ethical Hacking in 2019. You just watched a video from it for free which we’ve given you to both sell you the course and to give you a part of the course that we hope is helpful for whatever you are doing.

When you buy the course, you also get to have answers to questions from ethical hackers that can help you with anything from the basics into the advanced challenges you run into.

I find as a student answers to questions from an instructor are the very most valuable part of a course. You get two different places, a Facebook group and a Discord Server to get answers to your questions.

Thank you very much for being here with us, we trust if you look around in the description on this video, you might even find resources that are more helpful to you than just buying the course by itself.

There may even be some specials and some deals in the descriptions you might really appreciate.

Thank you very much for watching this video. I’m Jerry Banfield, the founder of Uthena.

Our purpose is to give you the very best professional education possible on the most in-demand subjects both on Uthena and on YouTube.

We love you.

You’re awesome.

Thanks for watching this and I imagine I’ll see you again soon, especially if you subscribe, because then you will be able to see more of these videos easily.

Would You Like to Listen to My Music?

Just when you thought, “Oh, my god this dude can’t have anything else.” Yes, I’ve got music. Will you please try listening to a few of my songs, because I love them and listen to my own music as much as I listen to anyone else’s.

Here, I’ll give you a little taste right now. My favorite three songs are ‘Jack’s Dance,’ ‘Half Interesting,’ and ‘Baby On Chest Hair’.

I’ve got three albums and all of these are from my ‘0=1’. I’ll play a little bit of them for you right now.


Love,

Jerry Banfield.

Using Burp Suite Scanner to Intercept, Read and Edit Packets.

Welcome back everybody, and in this tutorial I will show you some of the basics of Burp Suite: how to intercept packets, how to view packets, how to view responses and so on. This is also a great way for you to learn more about the packets themselves, and about how HTTP requests, for example GET requests or POST requests, look and when you will be seeing them.


So let’s first of all run our Burp Suite. For that, just type Burp Suite in your terminal, or you can run it through the applications menu right here. It will open up in the exact same way.

As we can see right here we get the message again. So just click ‘Okay’.

Here you just go on ‘Temporary project’, ‘Next’ and then ‘Start Burp’.

Every time you open Burp Suite you will notice that under the proxy settings right here, the intercept is always on by default.

So that would mean that if I go onto my Firefox for example, and try to load for example, twitter.com, it will never load it until I forward the packet or turn the intercept off.

So it is useful if you want to look at the packet. Here we can see how the first packet looks. I requested this page with the protocol HTTP/1.1; the host is firefox.com and the user agent is Mozilla/5.0.

This is just my information, since this is an HTTP request I am sending to the server. So we can forward it, but you will notice that there will be another packet.

So basically there will be a lot of packets that you will need to forward in order to get to the website. As we can see, even though I forwarded the first packet, it is still not on the website itself. So let me just forward all of the packets.

Once you do not get any packet anymore, you should be loading the page.

As we can see there are lots of them since this is a big website.

In the previous video, we did the same with the virtual machine and you saw that I only needed to forward one packet in order to get to the page of my virtual machine.

But for now I had to forward several of them and right now I should have Twitter loaded.

As we can see it is not loading anymore. I forwarded all the packets and I received all of the responses from the server. Now, in order to check that you can go under ‘HTTP history’ and you will see right here all of the domains, all of the websites that you visited in the process of connecting.

Now, there are a bunch of these detect portal entries. You will always have them. You just want to find the website that you’re searching for, and when you find that, you can see the response to all of your requests.

So here we have twitter.com which is the page that we searched for and here we can see the first request that we sent.

In order to check out the response on that request that we sent, you just click here on ‘Response’ and this is the response of the server.

And as we discussed before, it consists of the head and the body. So we have the head with a bunch of Set-Cookie options.

And right here the body starts, which is the HTML code.

But let me just find the Set-Cookie option. Here it is.

So basically this is the option that I was talking about in the HTTP response video. This is the cookie that Twitter set for us in order to track our session.

So as we can see, the option is Set-Cookie and this is our cookie right here.

Now, there are a bunch of things in the cookie as well: path, domain, secure which means HTTP only, set cookie, max age, expires. It basically even says when the cookie expires. So it expires on Monday 18th February 2019, which means it expires today at this time.

So that’s one of the things that we covered here. We can also see the status code, which is 200 OK.

We successfully loaded the page, so we got the status code 200. We can go down here, and here starts the HTML code of the page itself. So this is what we load.

It is basically a huge amount of code, so we don’t need to look through it since the website is quite big.

So that’s how you can check the request and the response of a certain packet.

You can go onto the POST. Here we have a POST request.

You can check the response right here. Here is the request.

Now, there are some of the options that we do not care about. For example, this is not really that important to us.

Now, what is important is let us turn the intercept on once again. Let’s say for example, I want to log in. Now, we said that the packet that we send with our username and password will be a POST request. So once I type here the username and the password, we should be sending the POST request to the website.

So let us try that. If I just type here anything and press here log in, you will notice that it is loading since we turned the intercept on.

But right here we have the packet that we want to send as a POST request. Here we can see the basic HTTP header structure, and here we can see the username or email, which is four Ws, and the password, which is five Ws. So we can see our packet from here.

If I forward it, it will send the username or email and the password right here to the server.

Now, if you for example turn the intercept off or forward this packet and forward a bunch of other packets, it will give us an error that ‘This account doesn’t exist’.

So you might need to forward a couple of packets. So we forwarded them all and it says ‘The username and password you entered did not match our records. Please double-check and try again.’

Now, let’s try to change that in Burp Suite. Let’s change the packet itself. So let us just go back one page. We should go to the login page once again.

Now, I also forgot to mention that when using Burp Suite your internet might be slower and you will be loading pages a little bit slower than usual, but it is not a big deal.

Let’s just go to twitter.com. Now, let us turn the intercept on once again and let us send the same username and the same password, which is five Ws, again.

And if I click ‘Log in’ here, it will continue loading since our intercept is on. Here is our packet, and here let me try to change the username into four Bs.

As you can see, four Bs, and if I forward this packet and all of the other packets, it will still give us the wrong username and password error. But it will show that the username wasn’t four Ws, it was four Bs.

As you can see right here, without any interaction with the page itself through the web browser, we managed to change the username through Burp Suite.

So that is another useful thing to know. It will be used later on in order for us to brute force websites. For example, you just add a password list, and it changes the packets as you forward them and tries every different password instead of the password that you specified.

So we can turn the intercept off right now. And as I said before, in order to check the websites that you visited, you can go to ‘HTTP history’ or to ‘Target’. Here you can also see the websites that you visited.

Now, there are a lot of other options that I will show you later on. For now it is enough for you to understand that there is a request and response that you can check out in Burp Suite and also you can change the structure of packets. You can also delete some of the things. You can also change usernames and passwords.

For example, we go back to the login page and turn intercept on. Then if I just type here something once again, it doesn’t matter what the username and password is, we can see it is stuck.

And here, in the POST request with the username four Ws and password five Ws, we can change, for example, the user agent.

Now, if we delete this, we will no longer be sending that information to the server. We will basically not send what version of web browser we are running and what operating system we are running. So it is good if you do not want the server to know some of the information about you.

So if you forward the packet, you will get some other packets. Forward them all.

So once it finishes, we get the same error.

But if we go right here to the ‘HTTP history’, we basically just want to find the POST requests. And as you can see right here, the difference between these two (this one was the previous one, and this one was the one we sent right now) is that the first one has the user agent, which basically says that we are using Mozilla 5.0 on Linux, and the second one is the same request with the same username and same password, but we deleted the information about ourselves.

So the server will no longer be getting the information about our browser and our operating system which is another layer of anonymity for you.
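The two edits made by hand in the intercept tab above (changing the username field, deleting the User-Agent header) can be reproduced on a raw request in code, as an added example that is not Burp's code or part of the original lesson. The request string, host name and User-Agent value are constructed sample values, not a capture from twitter.com; the step worth noticing is that Content-Length is recomputed after the body changes.

```python
"""Parse, edit and re-serialize a raw HTTP request the way the Burp Proxy
intercept tab lets you do by hand (added example; not Burp's code).

Two edits from the lesson are reproduced: changing the username form field
and dropping the User-Agent header. Content-Length is recomputed, which is
the step that is easy to forget when editing a body by hand."""
from urllib.parse import parse_qsl, urlencode

# Constructed login request; example.test and the Firefox UA string are
# sample values, not a capture from twitter.com.
SAMPLE_REQUEST = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "username=wwww&password=wwwww"
)


def parse_request(raw):
    """Split a raw request into request line, ordered headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only; values may contain ':'
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def get_header(req, name):
    """Return the first header value matching name (case-insensitive) or None."""
    for n, v in req["headers"]:
        if n.lower() == name.lower():
            return v
    return None


def set_form_field(req, field, value):
    """Rewrite one field of a urlencoded form body, keeping field order."""
    params = dict(parse_qsl(req["body"], keep_blank_values=True))
    params[field] = value
    req["body"] = urlencode(params)
    return req


def drop_header(req, name):
    """Remove every header with this name, e.g. User-Agent."""
    req["headers"] = [(n, v) for n, v in req["headers"] if n.lower() != name.lower()]
    return req


def serialize(req):
    """Rebuild the raw request with a Content-Length that matches the body."""
    body = req["body"].encode()
    headers = [(n, v) for n, v in req["headers"] if n.lower() != "content-length"]
    headers.append(("Content-Length", str(len(body))))
    head = "\r\n".join(
        [f"{req['method']} {req['target']} {req['version']}"]
        + [f"{n}: {v}" for n, v in headers])
    return head + "\r\n\r\n" + req["body"]


def edit_like_the_lesson(raw, new_username="bbbb"):
    """Change the username field and drop User-Agent, as done in Burp above."""
    req = parse_request(raw)
    set_form_field(req, "username", new_username)
    drop_header(req, "User-Agent")
    return serialize(req)


if __name__ == "__main__":
    print(edit_like_the_lesson(SAMPLE_REQUEST))
```

Because every header and form field can be rewritten this easily, a server must treat User-Agent and form values as untrusted input rather than as facts about the client.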

So that’s about it for this tutorial. These were just some of the basics, and me showing some of the things this program can do. We will continue in the next lectures and I hope I see you there. Bye.


Where to Follow Jerry Banfield.

Will you please join us as a subscriber on YouTube and as a follower on Facebook by liking the page, because since you made it this far, I’m imagining you will love continuing to see more of the same kind of videos from me each day.

Love,

Jerry Banfield.

Using Hydra Brute Forcing to Test Website Vulnerabilities.

Welcome back everybody and let us start off with the command injection.


Now, in the previous video I told you a little bit about command injection, but let us actually get to the practical method of using that attack.

So, command injection: as I said, some web applications use parts of their operating system to do something, for example pinging.

Now, usually the injected command will run on the same server, but depending on the architecture of the server itself it can also be executed on another server as well.

Now, what I mean by that is, let’s take the same example as before, which is pinging a machine. So you go to a website which basically pings a machine. Let me actually try to find such a website.

So I will turn the Burp Suite on.

I will open another terminal, and let us actually try to find a legitimate website that pings another machine or another website.

I believe there are lots of them online so we will just find one of them. So let me just turn on the Burp Suite.

Okay, let us just turn off the intercept, and once we turn off the intercept let us go to Firefox.

So let us just try to search for a simple pinging website; maybe that will work, maybe it won’t. I just want to show that those websites do exist. Now, our Firefox is a little bit slow because of Burp Suite.

So let us just wait for it for a few seconds.

‘Free Ping Test Tool: Ping your server or website’.

So we just click on the first link and let us see what kind of website this is. As we can see, here is the web server name field.

So this is the type of website I was talking about. Basically, you just put your web server name here and it will ping your server in order to check if it is online or not.

Now, what I was talking about is that if, for example, this website was vulnerable to command injection, we could possibly run any command that we can run in our own terminal right here as well, and it would process the command in the server’s terminal. But it could also send the command to another server, and we could actually execute this command on another server as well.

So let us start off with a website that we can actually test. You shouldn’t be testing any websites you do not own. Even this one, which was the first result and probably one of the most famous ones, I doubt is vulnerable to command injection. So we will use a website that is vulnerable to command injection.

We need to visit our virtual machine, which is our OWASP machine. Let me just check its IP address. It should be .1.6, so let us go to 192.168.1.6.

Now, once you are here, what you want to do is go to the ‘Damn Vulnerable Web Application.’

I believe we didn’t go here before. So just click on this. Now, what this will ask you for is the username and password.

Now, you can just type the username and password here, which is admin admin. But let us actually try to practice one of the attacks that we covered before, and one of those attacks is Hydra.

So let us actually brute force this login page. It is good practice since we did cover this before. So what we want to do is open our terminal, and we’ll do it fast.

I won’t cover any of the syntax since I covered it in previous videos. You can check that out if you want to.

What we basically want to do is type ‘hydra’, and the syntax is similar to the previous videos. We type the IP address. We are posting a form, so http-form-post.

Now, before I complete this, let me just show you that I do have the same files as before, which are users.txt and passwords.txt. So we’ll use the same lists as in the previous videos.

So let us start again. We type the IP address here and then the post form, so http-form-post, and then we specify the link.

Now, in order for us to check the link, let us go right here, and we can see that the path is /dvwa/login.php.

So let us copy that and paste it right here in our syntax.

So once we do that, we want to specify the username and password fields, we want to click on the ‘Submit’ button, and we want to specify a string that the page gives for every incorrect login.

Now, in order for us to see what string it would give, let us just type something random here and see what it gives us as an error.

So it gives us ‘login failed’.

So we will use this string in order to distinguish correct from incorrect login credentials.

So now what we want to do is inspect the element. So let us inspect the element in order to find out the name of the username field and the name of the password field in the login form.

Now, what I mean by that, let me just show you. As we can see: form action login.php, method post. We click on the arrow down, then fieldset, in order to find out, and here we can see a label for the username. The name of this field is username, which is most likely always going to be something like that, or user, or something similar.

We divide these sections with a colon. So we type username=^USER^ here and then the & sign.

Then after that we want to see what the name of the password field is, which is probably going to be password.

So the name of the password field is password, so we specify password=^PASS^ right here, and then we want to specify the login button, which is called login as we can see right here.

So as we can see, for the submit we should type Login=submit here, since the name of the button itself is login and the action is submit.

So let us just type that, Login=Submit, and then we specify another colon, which divides these sections, and we specify the string that we get once we provide a wrong username and password, which is login failed.

So let us just copy the string and paste it right here, close the quote and then specify the list of usernames and the list of passwords. So -L users.txt and then capital -P passwords.txt, and let this run.

It should find the password and username which is admin admin.

And as we can see it finished, and it found one valid username and one valid password.
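From the defender's side, a Hydra run like the one above leaves an obvious trace in the web server's access log: many POSTs to login.php from one source in a short time. The detector below is an added example (not part of the lesson or of Hydra) that parses combined-format log lines and flags any source IP that submits the login form at least THRESHOLD times within one WINDOW; the log lines, IPs and user agents are constructed sample data.

```python
"""Spot a login brute force like the Hydra run above in web server access logs
(added detection example; not part of the original lesson).

Each line is parsed from Apache/Nginx combined format, POSTs to the login
page are bucketed per source IP, and a sliding window flags any IP that
submits the form THRESHOLD or more times within WINDOW."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/dvwa/login.php"
THRESHOLD = 5                 # attempts inside one window that trigger an alert
WINDOW = timedelta(seconds=60)

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: 8 rapid POSTs from one host (a wordlist run), plus a
# person browsing from another host. Not real log data.
SAMPLE_LOG = [
    f'192.168.1.50 - - [18/Feb/2019:10:00:{s:02d} +0000] '
    f'"POST {LOGIN_PATH} HTTP/1.1" 200 1405 "-" "constructed-tool-ua/1.0"'
    for s in range(0, 16, 2)
] + [
    '192.168.1.60 - - [18/Feb/2019:10:00:03 +0000] '
    '"GET /dvwa/login.php HTTP/1.1" 200 1405 "-" "Mozilla/5.0"',
    '192.168.1.60 - - [18/Feb/2019:10:00:40 +0000] '
    '"POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.1.60 - - [18/Feb/2019:10:03:10 +0000] '
    '"POST /dvwa/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def detect_login_bursts(lines, login_path=LOGIN_PATH,
                        threshold=THRESHOLD, window=WINDOW):
    """Map source IP -> highest number of login POSTs seen inside one window,
    for every IP that reached the threshold."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == login_path:
            attempts[ev["ip"]].append(ev["ts"])
    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, count in detect_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} login attempts within {WINDOW}")
```

Rate limiting or lockout on the login endpoint, plus the alert above, is what turns a wordlist run like this from a quiet success into a noisy failure.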

Now, if you wanted to, you could just type the credentials here and skip this part.

It is always good to practice something that you learned in the previous videos.

And once we are here, what we want to do is we want to go to the command execution part.

So click on the ‘Command Execution’ part and you will see a similar page to the one we visited before, which is the Ping for FREE. Basically, you just type the IP address here, as it says, and it will ping it.

Now, we can try it. Let us ping my router, since it is online of course; I wouldn’t be able to access the internet if it wasn’t. And we can see the ping results.

So it sent three pings, and we can see that it received three packets. So that’s good.

But let’s say, for example, you think that this is possibly vulnerable to command execution and you try a simple command: 192.168.1.1, where we specify our router IP address, then a ; in order to divide the two commands, and then for example whoami.

We did cover this command. It will give us the account that the terminal on this web server runs as, if it is vulnerable to command execution. So we submit that, and we can see that it executed the ping and it also gave us the output of which user is running on that server. Which basically tells us that this server is vulnerable to command injection.

We were able to execute a command on the server that isn’t only the ping command.
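The ping form above, written two ways as an added example (not DVWA's code and not from the lesson): the vulnerable version pastes the user's input into a shell command line, so the `;` splits it into a second command exactly as seen above, while the hardened version validates the target and hands it to the program as a single argument with no shell involved. `echo PING` stands in for `ping -c 3` so that the example runs offline; PING_CMD, PING_ARGV and the hostname pattern are assumptions of this example.

```python
"""The ping form from DVWA's Command Execution page, written two ways
(added example; not DVWA's code). The vulnerable version builds a shell
string from user input, so a target like '192.168.1.1; whoami' runs a
second command. The hardened version validates the target and passes it as
one argv element with shell=False, so the shell never sees the input.

'echo PING' stands in for 'ping -c 3' so the example runs offline."""
import ipaddress
import re
import subprocess

PING_CMD = "echo PING"            # stand-in for "ping -c 3" (shell string)
PING_ARGV = ["echo", "PING"]      # same stand-in as an argv list
# RFC-style hostname: labels of letters, digits and hyphens, not starting
# with '-' (so an input can never be mistaken for a command-line option).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_ping(target):
    """DVWA-style: user input pasted straight into a shell command line."""
    result = subprocess.run(f"{PING_CMD} {target}", shell=True,
                            capture_output=True, text=True, timeout=5)
    return result.stdout


def validate_target(target):
    """Accept only an IP address or a DNS hostname; reject everything else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(target))


def safe_ping(target):
    """Validate first, then run without a shell with the target as one argv element.

    Two independent layers: the allow-list rejects shell metacharacters,
    and shell=False means a metacharacter could not be interpreted anyway."""
    if not validate_target(target):
        raise ValueError(f"invalid ping target: {target!r}")
    result = subprocess.run([*PING_ARGV, target], shell=False,
                            capture_output=True, text=True, timeout=5)
    return result.stdout


if __name__ == "__main__":
    print(vulnerable_ping("192.168.1.1; echo INJECTED"), end="")  # two commands run
    print(safe_ping("192.168.1.1"), end="")                        # one command runs
```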

Now, I will continue by showing you how to actually exploit this. For now we just ran a simple command in order to find out whether it’s vulnerable or not.

In the next video I will show you how to exploit this and make that server connect to our own machine.

So that’s about it for this lecture. We will continue in the next one and I hope I see you there.

Bye.

Final Words from Jerry Banfield.

When you’d like more free tutorials and you want to see the latest of everything I’m making to help you online, I trust you’ll go to jerrybanfield.com and follow me on Facebook, YouTube and Twitter, where you can see all of the free tutorials, previews and courses.

Thank you for already getting through the first two lectures of it, plus all of my sales pitches.

I’m honored you’re here. I hope you love this video.

Where to follow Jerry Banfield

Wow. While I’m asking you to do all these things, I might as well just keep asking and see how many of you will go for it, right?

So let me ask you now: will you please follow me on Twitter, because I think you’ll love getting to see everything in one place.

On jerrybanfield.com I’ve got tons of blog posts, books and YouTube videos, and you can see all of those. Gaming, everything, will be right in your Twitter feed, so that when you follow me there’s going to be so much stuff you will hardly be able to see anything else.

I mean, you’re going to absolutely love following me on Twitter, so join me over on Twitter, Facebook and YouTube, and on my website while you’re at it.

Love,

Jerry Banfield.

Running Scripts on Targets to Find Vulnerabilities with Nmap: Advanced Ethical Hacking Tutorial.

Hello everybody and welcome back. In this tutorial, I will show you some of the advanced uses of Nmap, which basically means using the scripts that are already preinstalled in Kali Linux.


Now, scripts can be used for anything: to discover, for example, an SSH host key, to discover some vulnerabilities, to brute force SSH, and basically to do a bunch of things.

As we will see right here, there are a bunch of scripts that are already in our Kali Linux machine.

So first of all, in order to get to them, you just want to change your directory to /usr/share/nmap/.

If you go into that directory and type ls, you will see a subdirectory called scripts.

If you change your directory to scripts and type ls, you will see that it prints out a bunch of .nse files, which are the preinstalled Nmap scripts that you can use for basically any type of scan you want.

So first of all, let me just show you how to use them.

So if you type nmap here, you will see the --script option, which is right here, and then basically you type = and then the name of the script.

It is as simple as that.

So in order to use a script, you just specify that option, then = and then the name of any of the pre-installed scripts, and you run it against your target IP.

Now, we will try out one of the scripts, which will be the SSH brute force, which will also be one of the first active attacks on the target.

A brute force will try out a bunch of passwords for the SSH on our target.

Now, for that target you can use any of the virtual machines you want. You cannot use the scanme.nmap.org website, as the Nmap website says not to try brute forcing SSH against it.

So you want to either run your Metasploitable, which I showed how to install in the previous videos, or basically any other machine that has port 22 open.

Now, in my case I will run OWASP which I will show you how to install in some of the next tutorials.

For now, just run your Metasploitable, since Metasploitable also has the SSH port open.

So let me just wait while this opens right here.

It doesn’t take long.

It will prompt me for a username and password soon. It’s pretty similar to Metasploitable. This is just a virtual machine that runs a bunch of vulnerable programs.

So as you can see, ‘Starting AppArmor profiles, Starting Postgres SQL database’ and a bunch of other stuff.

This is the machine that we will use in the next section, which is web pen testing. So let me just log in right here.

We just need to find out what the IP address of this machine is, which is 192.168.1.7.

So for now we only scan the host with Nmap. We do a basic scan.

You can see that it finishes relatively fast and it gives us a bunch of open ports, which are only TCP ports.

As you can see, we have the 22/tcp SSH port open.

Now, while scanning Metasploitable you should also have this port open.

So as long as this port is open on the target machine, you can run the scan.

So we want to find the SSH script. In order to narrow our options, let us just type ls and pipe that into grep ssh.

So it will only show us the scripts that have SSH in their name.

Now, we can use any of these, but for now I will just use ssh-brute.nse.

We copy the name of the script, and in order to run the script you type nmap --script= and then paste the name of the script, and then the only thing you need is the IP address, which is 192.168.1.7, and just press ENTER. As you can see, it started brute forcing our target.

If it finds the username and password, you will be able to SSH into that machine and basically do anything to it.

This is a very serious attack. It can get you into trouble, especially if you find the password and actually log in to that machine and start changing stuff.

So only use this on machines that you own. Now, for this specific machine I don’t think it will find the password, but we will just leave it running just in case.

I don’t think that the password and username are stored in the list that it is using in order to brute force the SSH target.

So this can take some time. It depends on the list that you use. So let me just close this right here, since I thought it would finish a little bit faster.

I will just type Ctrl + C in order to close it, and that stops the brute force.

Now, let’s say once again we want to run that, and you want to change the password list, for example.

As you can see it has the specific password list that it uses in order to brute force the target.

So what you want to do is open the script that you are using in nano, which in my case is ssh-brute.

What you want to change right here is the option where it gives us the password list.

It’s right here: pass.lst. I believe you change that and it will change the password list that you’re using.

You can also change the port, which is 22. Basically, SSH will most likely always run on port 22, but there are cases where people run stuff on other ports just to prevent attacks. So you might need to change that as well.

So here you can see that the port rule is 22 and SSH.

You basically just change the 22 into any port number you want that runs SSH on it and you will be good to go.

So if there are any other options that you want to change, you can change them in the file itself, for example the port and the password list. Once you do that, you just type Ctrl + O to save, ENTER to save under that name and Ctrl + X to exit, and you will be good to go.

Now, you can run the script again and it should use your changed password list and port number.

Now, let’s say, for example, you want to find out the SSH host key for that particular machine, which isn’t really useful, but let’s just try it. Why not?

So nmap --script=ssh-hostkey and then the IP address of our target machine.

Now, as we can see, it gave us the SSH host keys, which are basically just this DSA and RSA key. It really isn’t that useful, but sometimes it possibly could be.
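One place where the ssh-hostkey output is genuinely useful is on the defending side: record the fingerprints of your own hosts once, and a later scan that shows a different key for the same host is worth investigating. The parser and comparison below are an added example (not part of Nmap or the lesson); SAMPLE_OUTPUT is constructed in the script's normal-output layout (bits, colon-hex fingerprint, key type) with made-up fingerprints.

```python
"""Turn the ssh-hostkey script output shown above into data and compare it
with a recorded baseline (added example; not part of Nmap). A changed host
key on a known host is what a defender wants to notice: it can mean a
rebuilt box, or a different machine answering on that address.

SAMPLE_OUTPUT is constructed in the normal-output format of the script
(bits, colon-hex fingerprint, key type); the fingerprints are made up."""
import re

# One key line of the script block: "|   1024 aa:bb:... (DSA)" or "|_  2048 ... (RSA)"
HOSTKEY_LINE = re.compile(
    r"^\|[_ ]\s+(?P<bits>\d+)\s+(?P<fp>[0-9a-f]{2}(?::[0-9a-f]{2})+)"
    r"\s+\((?P<type>[A-Za-z0-9]+)\)\s*$"
)

SAMPLE_OUTPUT = """\
PORT   STATE SERVICE
22/tcp open  ssh
| ssh-hostkey:
|   1024 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (DSA)
|_  2048 99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa (RSA)
"""

# Constructed baseline for the same host, as recorded on an earlier scan:
# the RSA key matches, the DSA key differs, and an ED25519 key is gone.
BASELINE = {
    "RSA": (2048, "99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc:bb:aa"),
    "DSA": (1024, "01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef"),
    "ED25519": (256, "fe:dc:ba:98:76:54:32:10:fe:dc:ba:98:76:54:32:10"),
}


def parse_ssh_hostkeys(output):
    """Return {key_type: (bits, fingerprint)} from nmap's ssh-hostkey block."""
    keys = {}
    in_block = False
    for line in output.splitlines():
        if line.startswith("| ssh-hostkey:"):
            in_block = True
            continue
        if not in_block:
            continue
        m = HOSTKEY_LINE.match(line)
        if m:
            keys[m.group("type").upper()] = (int(m.group("bits")), m.group("fp"))
        if line.startswith("|_"):      # "|_" marks the last line of a script block
            in_block = False
    return keys


def compare_with_baseline(keys, baseline):
    """Classify each key type as 'ok', 'changed', 'new' or 'missing'."""
    report = {}
    for ktype, entry in keys.items():
        if ktype not in baseline:
            report[ktype] = "new"
        elif baseline[ktype] == entry:
            report[ktype] = "ok"
        else:
            report[ktype] = "changed"
    for ktype in baseline:
        if ktype not in keys:
            report[ktype] = "missing"
    return report


if __name__ == "__main__":
    for ktype, status in compare_with_baseline(parse_ssh_hostkeys(SAMPLE_OUTPUT), BASELINE).items():
        print(f"{ktype:8} {status}")
```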

So you can experiment with all of the pre-installed scripts. In the next tutorial I will show you how to download some scripts from GitHub repositories, which we will use in order to scan for specific vulnerabilities.

So let us just recap. In order to get to the scripts folder you just go to the /usr/share/nmap/scripts directory, and the syntax is basically nmap --script= followed by the name of the script itself, and then you specify the IP address.

So that’s about it for this tutorial. It was rather short, and in the next one, as I said, we will download some of our own scripts.

Part Two: Downloading Our Own Scripts and Running them Against Targets.

Now, in this tutorial we will download some of our own scripts and we will run them against our target in order to discover some of the vulnerabilities it might have.

Now, once you finish this tutorial, you will know more than 80% of people that use Nmap. It is really essential for you to get this tool right so you can perform your scans at their best.

So first of all, let us change the directory to the Nmap scripts directory, which is /usr/share/nmap/scripts.

If you type ls here, we have a bunch of scripts, and most of these right here, which are cve2015 followed by some number, are certain vulnerabilities that were discovered in the year of that number.

But we want to discover all of the vulnerabilities that could occur in a certain target.

So for that we want to download some of our own scripts. So just open up Firefox and open up a new tab and just type here vulscan github.

Once it loads up the page, we want to click on the first link which will lead us to the GitHub repository for this script.

So just click here on the first link and here we are on the GitHub repository of this Nmap vulnerability scanner.

As you can see right here, we have the usage which we will cover after we download this script.

Now, in order to download this, I already showed you in the previous videos, you just copy the link right here and we will use the Git program that we already installed.

Let me just change my directory. It is in root. So that’s about it.

We want to type here git clone and then we paste the link that we copied and then we add .git.

Now, it will take some time to download this and once it finishes, we will have our script installed on our Kali Linux machine.

Here it is. If we type here ls we can see the vulscan is right here as a directory.

In order to go to it, we just type here cd vulscan and we can see a bunch of the files that we got with it.

But this isn’t the only program I want to install. Right now we want to install another script. So open up your Firefox once again, add a second tab and just type here nmap-vulners and then once again type here github.

So it will once again lead you to this page and you just want to click here on the first link which is from the GitHub website.

The procedure is the same. So just copy the link of the page, go to your directory in the same directory where vulscan is and just type here git clone, paste your link right here and add .git to it.

It will also download the script into our directory and we will be good to go.

So as we can see this one has finished faster than the previous one.

So right now we should have both of these scripts in our directory. As we can see right here, we have vulscan and we also have nmap-vulners.

Now, let us make a directory nmapscripts in order to put them both into that directory so we don’t have them like this right here.

So let me just move vulscan into nmapscripts and move nmap-vulners into nmapscripts. Right here we should only have the nmapscripts directory, and if we change our directory to it, we’ll have both of our scripts right here.

So now that we downloaded them now we can run them. So in order to run them, we use the same command that we used in the previous tutorial.

So nmap --script and right here instead of typing the = sign which we would use in order to specify one script, we want to remove the = sign and just put here a space and just type here vulscan and nmap-vulners.

As we can see right here, we specified two scripts instead of one and it will use both of them in order to discover the vulnerabilities.

So after this we want to add -sV in order to discover the version of the services running on open ports. And right here we want to also add the IP address of the target.

So here we type 192.168.1.7 and we let this run.

This could take some time, but not too long. It should finish relatively fast and it will print out a bunch of the vulnerabilities that it found on this target.

Now, I know that this target is vulnerable since it is made vulnerable in order for us to test it and we can see that we got a different output from previous scans.

So here we have the open ports and their vulnerabilities. As it says right here, if you see ‘No findings’ it means it didn’t find any vulnerabilities on that specific port. The script basically uses a bunch of these websites (vulnerability databases) in order to scan for the vulnerabilities.

And if you scroll up we can see that on the TCP open port which is running Apache, it found a bunch of vulnerabilities right here.

Now, you can test these scripts on your own machine in order to find out if your PC has some of the vulnerabilities, but basically even mine has some of the vulnerabilities that go up to five, sometimes 7.5.

But mostly the ones with low numbers aren’t so dangerous. The number is basically a score for the vulnerability: if it is 1.2 it is a really small vulnerability, but it is still there, and if it is 10.0 it is basically an easily exploited vulnerability.

So if you find something like this, you need to update your device as soon as possible, or in this case Apache 2, since it was found on port 80.

Let us just see if there is anything else. We can see also on the SSH port it found some of the vulnerabilities which aren’t so highly rated, but they are still there.

Also once you find something like this, you can basically just copy this link right here which will lead you to a page on Firefox if you paste it.

You just open a new tab and paste the link from the vulnerability and it will open up the page where it will describe in greater details the vulnerability that it discovered.

So here we can see the mark which is 10, the access complexity is low, the confidentiality is complete, and the integrity is complete, and the availability is complete.

In the description you can read what the vulnerability is, which in this case is in modules/arch/win32: “When running on Windows, does not ensure that request processing is complete before calling isapi_unload for an ISAPI .dll module, which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet and ‘orphaned callback pointers’.”
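The number the scan prints next to each CVE is a CVSS base score, and the page behind the link breaks it into the metrics listed above (access complexity, confidentiality, integrity, availability). The following Python is an added example, not code from the tutorial or from the vulscan or nmap-vulners projects: it parses constructed, vulners-shaped scan output (the CVE identifiers in it are placeholders, not real advisories) into a list sorted by score with the NVD severity bands, and it recomputes a CVSS v2 base score from a vector string so you can see why low access complexity with complete confidentiality, integrity and availability impact comes out as 10.0.

```python
"""Triage helper for nmap-vulners style output (added example).

Not part of the tutorial or the nmap-vulners/vulscan projects. The sample
output below is constructed to mirror the shape of a vulners table; every
CVE identifier in it is a placeholder, not a real advisory.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of an `nmap --script vulners -sV` run.
SAMPLE_NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH (version string elided)
| vulners:
|   cpe:/a:openbsd:openssh:
|     \tCVE-0000-0003\t5.0\thttps://vulners.com/cve/CVE-0000-0003
|     \tCVE-0000-0004\t2.1\thttps://vulners.com/cve/CVE-0000-0004
80/tcp open  http    Apache httpd (version string elided)
| vulners:
|   cpe:/a:apache:http_server:
|     \tCVE-0000-0001\t10.0\thttps://vulners.com/cve/CVE-0000-0001
|     \tCVE-0000-0002\t7.5\thttps://vulners.com/cve/CVE-0000-0002
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
# Only CVE rows are kept; real vulners output also lists exploit-db entries.
FINDING_LINE = re.compile(r"(CVE-\d{4}-\d+)\s+(\d+(?:\.\d+)?)\s+(https?://\S+)")


@dataclass
class Finding:
    port: int
    proto: str
    service: str
    cve: str
    score: float
    url: str


def severity_band(score):
    """CVSS v2 qualitative bands as NVD uses them: Low, Medium, High."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def parse_findings(text):
    """Walk the scan output, remembering which port block we are inside."""
    port = proto = service = None
    findings = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, service = int(m.group(1)), m.group(2), m.group(3)
            continue
        m = FINDING_LINE.search(line)
        if m and port is not None:
            findings.append(Finding(port, proto, service, m.group(1),
                                    float(m.group(2)), m.group(3)))
    return findings


def triage(text, min_score=0.0):
    """Highest score first, so a 10.0 on the web port tops the list."""
    return sorted((f for f in parse_findings(text) if f.score >= min_score),
                  key=lambda f: f.score, reverse=True)


# CVSS v2 base metric weights from the CVSS v2 guide, used to show where a
# "10" with low access complexity and complete C/I/A impact comes from.
CVSS2 = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def cvss2_base_score(vector):
    """Base score for a vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CVSS2["C"][m["C"]]) * (1 - CVSS2["I"][m["I"]])
                      * (1 - CVSS2["A"][m["A"]]))
    exploitability = 20 * CVSS2["AV"][m["AV"]] * CVSS2["AC"][m["AC"]] * CVSS2["Au"][m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


if __name__ == "__main__":
    for f in triage(SAMPLE_NMAP_OUTPUT, min_score=7.0):
        print(f"{f.port}/{f.proto} {f.service:5} {f.cve} {f.score:4} {severity_band(f.score)}")
    print("AV:N/AC:L/Au:N/C:C/I:C/A:C ->", cvss2_base_score("AV:N/AC:L/Au:N/C:C/I:C/A:C"))
```

Run as a script it prints only the High findings; to use it on your own scan, save the normal output with nmap -oN and pass the file contents to parse_findings. Sorting by score is what lets you patch the port 80 service first rather than reading the output top to bottom.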

Now, this is basically a vulnerability and if you wanted to for example, exploit it, you would basically just copy the name of the vulnerability which in our case is this one.

So just copy and you can just go on to Google, paste that vulnerability and type exploit and hope that you will find something or someone that already has written an exploit for this vulnerability.

So we can just try to find it. We can click on any link for example, and try to find if anyone has written any exploit for this.

There probably is something, but we won’t really spend so much time trying to find it. I will just check out some of the links right here.

So we can just check here ‘Available Exploits’ and we have the module name for the Metasploit program that we haven’t still covered so we won’t be showing it right now.

But it is basically an auxiliary module which allows us to scan the vulnerability that we just discovered in the Metasploit framework.

Now, we can also try to find the vulnerability with the name of the vulnerability itself like this. Apache mod_isapi exploit. And you can try to find something.

Here we found something which is basically a C++ program that probably exploits this vulnerability. So here it is. You could just copy this entire program and just paste it into a C++ file, compile that file and run it and you would exploit the vulnerability.

Of course, you will need to change some of these certain things right here for example, ports, IP addresses and so on. But if you wanted to, you could do that.

Not really sure what it would give you, but I believe it will give you a reverse shell. Not really sure what this vulnerability is so we won’t be exploiting it right now since it requires an auxiliary module from the Metasploit framework.

For now, we will just leave it here where we have all of these scans completed, and you can also try to research all these other vulnerabilities and see if there are any exploits written for them that you can use.

But we will cover the exploitation in some of the future lectures. For now, we just wanted to see how we can scan the target for certain vulnerabilities, and we did that.

So that’s about it for this.

Now, before I close this lecture and close the Nmap lectures, I just want to show you that there is another tool that you can use if you want to.

It is basically almost the same as Nmap and it is called almost the same which is Amap.

Now, Amap is basically also a scanner. The difference in the name is just one letter. It has a somewhat different syntax for the scanning part, but if you want to you can check it out. I won’t be covering it since we covered Nmap, which is a bigger and more useful tool.

You can check out some of these options by yourself and you can use this as well if you want to.

But that will be it for these Nmap tutorials. If you learn all of the stuff that we covered in the previous videos, you will have intermediate to advanced knowledge of Nmap.

Now, maybe in the advanced section we will learn how to write some of our own Nmap scripts, which will boost your knowledge of Nmap even more.

So in the next video, I will show you how to install the OWASP virtual machine that we’ll use for the Web Penetration testing.

It doesn’t take that long; it basically takes a few minutes. It might take longer to download since it is around, I believe, 1.5 gigabytes or something like that.

But once you download it, it will take only a few minutes to install. And then we will start Web Penetration testing which will be a longer section since there is a lot to cover and I hope I see you in the next lecture.

Take care.

Bye.

Final Words From Jerry Banfield.

Thank you very much for finishing this entire video. We are honoured you’ve spent this time here.

We’ve got a complete course I imagine you will love and enjoy named Master Ethical Hacking in 2019.

You can get this course on uthena.com.

You can also get it as a part of the Ethical Hacking Forever course bundle which has nearly 100 hours of video already. It’s got six different Ethical Hacking courses in it we imagine you will love and enjoy from several different instructors showing you the very best of Ethical Hacking.

You can get this Forever bundle meaning, when you buy it today, you get all the rest of the courses added for life.

I intend to add at least 20 courses to this bundle over its lifetime, new courses every year.

This course in particular is Master Ethical Hacking in 2019. You just watched a video from it for free which we’ve given you to both sell you the course and to give you a part of the course that we hope is helpful for whatever you are doing.

When you buy the course, you also get to have answers to questions from ethical hackers that can help you with anything from the basics into the advanced challenges you run into.

I find as a student, answers to questions from an instructor are the very most valuable part of a course. You get two different places, a Facebook group and a Discord Server to get answers to your questions.

Thank you very much for being here with us. We trust if you look around in the description on this video, you might even find resources that are more helpful to you than just buying the course by itself.

There may even be some specials and some deals in the descriptions you might really appreciate.

Thank you very much for watching this video, I’m Jerry Banfield the founder of Uthena.

Our purpose is to give you the very best professional education possible on the most in-demand subjects both on Uthena and on YouTube.

We love you.

You’re awesome.

Thanks for watching this and I imagine I’ll see you again soon. Especially if you subscribe, then you will be able to see more of these videos easy.

When you want to watch more videos with us, will you please hit that subscribe button on YouTube and go like the page on Facebook put ‘See first’ in your newsfeed.

Go really crazy, because you’ve got this far into this video I imagine you’ll love all the other videos we share for you every day here on my YouTube channel and on my Facebook page.

Love,

Jerry Banfield.

Installing and Learning TcpDump Commands for Ethical Hacking Beginners.

Hello guys and welcome to another video of our tutorials.


In this tutorial I’m going to show you how to install and to use TcpDump and some useful commands related to it.

So to start we’re going to use the terminal window and now we can try to search for TcpDump in order to install it.

Usually you have to do this as root, but as I said in Kali you are usually root anyways, because most of the tools you’re going to use will require root.

So what I have to do is type apt search tcpdump and this will give me a lot of results related to TcpDump, including the tcpdump package itself.

There it is.

So if I want to install it, all I have to do is type apt install tcpdump, hit ENTER and it’s going to go through the installation process.

Now, in this case it tells me that it’s already installed and I have the current version which is 4.9.2.3.

All right. So we can move forward with the TcpDump usage. But before we do that you should go and check if your network adapter is in promisc mode.

To do that, as we stated before, you need to use netstat.

The command here is netstat -i. And there it is. My ethernet adapter here has a P flag, which means promisc.

Now, we want to start listening on different interfaces for packets and especially on the ethernet interface. Because in our case if we use ifconfig we will see that we have two interfaces. One is the ethernet interface and the other one is a loopback.

So we’re not really interested in the loopback, because there isn’t much traffic going on there. We are interested in the ETH interface.

So to start listening on the ETH interface, we have to type the following command.

And as I said you have to do it with root or sudo or power user, but as it is in Kali you’re already root.

So tcpdump -i eth0.

This will be the most basic type of command. When you do that it starts listening and you can already see the traffic going on.

But if we stop that, you can have a look and see that the time format is not really clear.

The ports and the destinations seem to be already resolved to some part and there isn’t a lot of information from the packet itself.

So yeah, we have statistics of course, 72 packets captured and so on and so on.

What we want to do is type the following command to get a little bit more information from TcpDump.

So we use again -i eth0, because this is the interface we’re interested in, and then we add -nn.

What will this do? Well typing the first single ‘n’ will not resolve the host names. Meaning that if we are going to have traffic for example, to Google it will not give us the Google DNS or name or the FQDN, it will give us the Google IP address instead. Which is okay. It’s better if you’re doing some sort of analysis of the traffic and you don’t want to get this information from the resolver here, but you want to do it yourself or something like that.

If we use -nn it will also not resolve the ports, which is also handy when you’re viewing the traffic: the port numbers are then shown as numbers in the capture.

So that would be the one part of the command. Then we want to do -s0.

And -s0 sets the snap length, the number of bytes captured from each packet, to 0, which effectively means unlimited packet size.

Because it might also put some limit on the packet size and you might not get the full length of the packet, but in this case -s0 you get the full packet.

The other one we want to add would be -v which is for verbose representation.

And you can also increase that with another ‘v’ if you want to have more verbose output, but let’s just keep it to ‘v’ for now.

And then let’s say we want to monitor traffic on a specific port. And that’s the cool part. You can apply packet filters, the kind you probably know from Wireshark, before you even capture and create the packet capture.

So basically if I say port 80, this filter and this command will only capture traffic on port 80.

And since I don’t have any traffic going on on port 80 here it stays empty.

But if I open Firefox and start browsing the web to pages that are on port 80, you can see what’s going on here. There are some packets going on.

You can see the source, you can see the destination, flags, checksums. All information that you might want to see is here.

Another thing you can do is run TcpDump and look at the payload as ASCII text. Let me just give you a quick overview.

This is the command if you want to see the capture in ASCII.

As you see here this is the ASCII representation of the traffic that’s going on. All the pings and all the heartbeats and everything that Firefox is doing right now is going through TcpDump on port 80.

You can see HTTP request which got a 200 response and these are the responses. So the information you can see here is available.

Another command that we can use is for example, filtering by host. And in this situation we’ll have to use the following filter which is the host, which is the 192.168.1.16, the host of this machine. This is actually the IP address of this machine.

Or if you want you can use the gateway of the network and listen for traffic from the gateway on this ethernet adapter.

Unfortunately we don’t have any traffic that we can capture here, because we’re listening in a passive mode and there won’t be anything that we can capture.

But what we can do is skip those filters, go back to the first command, remove the port, keep -v and then use -x to see the traffic in hex.

There it is. You can see the hexadecimal representation of the traffic which is in many cases useful as much as the ASCII representation.

Now, if it’s hard for us to look at the traffic this way, which we can all agree on that, we can store the traffic into a pcap file. Same thing that we can do with Wireshark, we can do with TcpDump and it’s pretty, pretty powerful.

So let’s just pipe this traffic and pipe it to a file. Now, the option here to pipe it to a file as it is, is just use the -w and then for the output we can use for example, test.pcap.

Now, we don’t see the actual traffic going on here. We can only get the statistics as it’s seen here. But it says that there are 40 packets, 44 packets and all these are written to the test.pcap file.

For example, if we open another terminal window and if we do a check of the size of the pcap file it’s 12 kilobytes.

And if we are watching it for a while, it should eventually grow to a bigger file, because packets are stored in there. But keep in mind that this is text so it’s slowly growing.

But still if you do a packet capture for a long time, especially on a busy network and especially in promisc mode you can rest assured that this file will grow very big very quickly and you should keep that in mind, because this can cause you troubles.

Okay, I’m stopping the monitoring of the packet increase. I can stop the capture as well and we see how many packets we have captured. None of them were dropped by the kernel.

And if we want to analyze these packets now what we need to do is actually use another command of TcpDump which is tcpdump -tttt -r ./test.pcap.

Now I’m going to explain the tttt and what it is and let me just show you the results and then we can go back to the flags.

For example, if we want to page through that slowly, we can pipe it into less -S.

It will show you all the results, each entry on its own line, and long lines stay on one line instead of wrapping onto the next row.

So as we can see here now we have a proper time stamp, date and time, we have the source and the destination which were actually resolved as we can see because of the results.

If we use -nn it will not resolve them.

And then we have the IP address, the source port, the destination port, we have the flags, like for example FIN, SYN or RST, we have the sequence number of the packet and all additional information from that packet.

This is reading a captured packet so you can actually move back and forward in this.

You can use simple less filters for the IP address. For example, 16, and there you have it.

Optionally, you can do the other thing as well. You can just type host 192.168.1.1 and it should produce you all the results from that packet only for the IP address you’re interested in.

Or if you like you can just use again port 80 and unfortunately there is no traffic on port 80, but I think you get the idea.

So what is the ttt or the tttt?

To check the TcpDump options and all the flags and all the commands you can add to it, you can use man tcpdump.

This will give you the manual page.

And here as you see there is a lot of options available. There is some information also about it. So we want to look for the tttt now and we just use a quick search option and there it is.

tttt will “Print the timestamp as hours, minutes, seconds, and fractions of a second since midnight preceded by the date on each dump line.”

If we use it five times it will give us a delta time at microsecond resolution and things like that.

So ‘v’ for verbose, ‘vv’ or ‘vvv’. You’ll see also lowercase ‘-w’ which means basically write to file option.

There it is, -w. “Write the raw packet to a file rather than parsing it.”

So this is pretty much a quick introduction of TcpDump and what you can do with it.

Another great thing about it is that for example, the file which we did is test.pcap.

We can open Wireshark and then with Wireshark I can open the file and read it through the Wireshark interface and it will be exactly the same file and it will give me exactly the same information.
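To make the -w and -r round trip, the -s snap length and the host and port filters concrete, here is an added Python example of my own, not code from the tutorial or from tcpdump. It writes a small pcap in the classic libpcap layout from constructed Ethernet/IPv4/TCP frames, reads it back, and applies tcpdump-style host and port matching, printing lines in the shape of -tttt -nn output. The only addresses taken from the tutorial are 192.168.1.16 and the gateway 192.168.1.1; the web server address is from a documentation range, and timestamps are printed in UTC where tcpdump prints local time.

```python
"""pcap writer/reader with tcpdump-style host/port filters (added example).

Not part of the tutorial or tcpdump. Assumes the classic libpcap layout
(microsecond timestamps, Ethernet link type); frames are constructed, with
zero MACs and checksums since nothing ever transmits them.
"""
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4       # libpcap magic for microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAG_CHARS = [(0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x10, ".")]


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Ethernet + IPv4 + TCP frame (constructed; IHL 5, data offset 5)."""
    eth = bytes(12) + b"\x08\x00"                        # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(records, snaplen=0):
    """Serialize (sec, usec, frame) like tcpdump -w; snaplen 0 means unlimited."""
    limit = snaplen or 0xFFFFFFFF
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, limit, LINKTYPE_ETHERNET)]
    for sec, usec, frame in records:
        captured = frame[:limit]                         # -s N truncates the frame
        out.append(struct.pack("<IIII", sec, usec, len(captured), len(frame)))
        out.append(captured)
    return b"".join(out)


def decode_frame(data):
    """Fields tcpdump prints for an IPv4/TCP frame; None for anything else."""
    if len(data) < 54 or data[12:14] != b"\x08\x00" or data[23] != 6:
        return None
    tcp = 14 + (data[14] & 0x0F) * 4
    sport, dport, seq, _ack, offset, flags = struct.unpack("!HHIIBB", data[tcp:tcp + 14])
    return {"src": ".".join(map(str, data[26:30])), "dst": ".".join(map(str, data[30:34])),
            "sport": sport, "dport": dport, "seq": seq,
            "flags": "".join(ch for bit, ch in TCP_FLAG_CHARS if flags & bit),
            "payload": data[tcp + (offset >> 4) * 4:]}


def parse_pcap(blob):
    """Read records back like tcpdump -r, keeping caplen and len for -s checks."""
    magic, _, _, _, _, _snaplen, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("not a microsecond Ethernet pcap")
    pos, records = 24, []
    while pos + 16 <= len(blob):
        sec, usec, caplen, origlen = struct.unpack("<IIII", blob[pos:pos + 16])
        data = blob[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        rec = {"sec": sec, "usec": usec, "caplen": caplen, "len": origlen,
               "truncated": caplen < origlen}
        rec.update(decode_frame(data) or {})
        records.append(rec)
    return records


def matches(rec, host=None, port=None):
    """tcpdump primitives: 'host X' is src or dst, 'port N' is sport or dport."""
    if "src" not in rec:
        return False
    if host is not None and host not in (rec["src"], rec["dst"]):
        return False
    return port is None or port in (rec["sport"], rec["dport"])


def format_line(rec):
    """Shape of a `tcpdump -tttt -nn` line (UTC here; tcpdump uses local time)."""
    stamp = datetime.fromtimestamp(rec["sec"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return (f"{stamp}.{rec['usec']:06d} IP {rec['src']}.{rec['sport']} > "
            f"{rec['dst']}.{rec['dport']}: Flags [{rec['flags']}], length {len(rec['payload'])}")


# Constructed capture: the tutorial's host 192.168.1.16 fetching a page on port 80
# from a TEST-NET-3 address, plus one SSH packet from the gateway 192.168.1.1.
T0 = 1_700_000_000
SAMPLE_RECORDS = [
    (T0, 100, build_frame("192.168.1.16", "203.0.113.5", 51000, 80, 0x02)),
    (T0, 20500, build_frame("203.0.113.5", "192.168.1.16", 80, 51000, 0x12)),
    (T0, 21000, build_frame("192.168.1.16", "203.0.113.5", 51000, 80, 0x18,
                            b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    (T0 + 1, 0, build_frame("192.168.1.1", "192.168.1.16", 22, 52000, 0x18, b"SSH-2.0-x")),
]


def capture_lines(snaplen=0, host=None, port=None):
    """Round-trip SAMPLE_RECORDS through a pcap blob, then filter on read-back."""
    recs = parse_pcap(build_pcap(SAMPLE_RECORDS, snaplen))
    return [format_line(r) for r in recs if matches(r, host, port)]
```

Writing build_pcap(SAMPLE_RECORDS) to test.pcap gives a file that opens in Wireshark or with tcpdump -r exactly as the tutorial describes. Passing snaplen=64 reproduces what a small -s value does: the headers survive but the HTTP request body is cut off, and caplen being smaller than len is what tells you a capture was truncated, which is the reason for -s0.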

So there is TcpDump, very quickly and briefly about what you can do with it. Just go and play with the options and look around.

Thank you very much and I’ll catch you on the next video.

Final Words.

Thank you very much for watching this video tutorial.

What you’ve just seen is a part of the Pass the Certified Ethical Hacking Exam: CEH Version 10! course that we have on uthena.com.

This course has all the rest of the videos that you might love and enjoy related to the one you just saw. Will you please use the link in the description to enroll in the course, because I imagine since you’ve finished this video you will love taking the full course.

You can see the full course starts with module 1 and is organized by modules matching the Certified Ethical Hacking exam exactly by section.

Module 2 Footprinting and Reconnaissance.

Section 3 Networks.

Section 4 Enumeration.

We’ve got through to module 11 right now. We’re filming the course and when you take a look at the landing page we will finish this course and get it up to a full 20 modules for you, and include anything else necessary at the end.

In addition to just the videos in this course, you also get access to our Facebook group and Discord Server where you can ask certified ethical hackers questions and get answers. Which that to me is the best value of the course above and beyond the videos.

If you just love learning ethical hacking and you want to always stay up-to-date and you don’t ever want to have to buy another course again, we’ve got an Ethical Hacking Forever course bundle I imagine you will love.

Because this one bundle includes six Ethical Hacking courses, currently over 50 hours of video today in all of these courses.

And with a Forever bundle you get all of the courses we add to this forever without having to pay again.

I intend to make new Ethical Hacking courses every year. At least a new course or two every year indefinitely.

All of those get added to the bundle without you needing to buy any of the additional courses again.

This course, in addition to the six here, you get all that are added for life through this bundle.

We appreciate the chance to serve you today. You also help pay for these new courses to be produced when you buy the bundle. We’re very grateful for that.

If you just can’t get enough of Jerry Banfield you can also get the Jerry Banfield Forever bundle.

This includes all the courses I make forever on any subject.

And I get really excited every time I see these purchases. I had just gone to the bathroom the other day and I saw a notification on PayPal that we had sold a bundle and I got really excited and I even sent the student that bought it an email saying, “Thank you very much for purchasing this bundle.”

I get so excited seeing these Forever bundles sales so thank you for giving me the chance to serve you today.

I imagine you will love watching more videos with me, maybe taking some courses. You can watch on Facebook and YouTube. That is a great way to keep up.

If you like watching on YouTube, will you please subscribe on YouTube?

If you’d like to also have the option to watch these videos on Facebook, will you please go to facebook.com/jbanfield, because you might love and enjoy seeing these videos there in addition to my gaming live videos.

You want to see everything, twitter.com is a great place to follow where you can see all the new podcast episodes, everything I make all in one spot and jerrybanfield.com has links to all my courses, books, and anything else you could possibly want from me.

I love you.

You’re awesome.

I imagine you’ll leave a like on this video if you found it helpful, and I expect you, since you’ve got to the very last part of it, I’ll see you again soon.

Where to see more.

Wow, while I’m asking you to do all these things I might as well just keep asking things, see how many of you will go for it, right?

So let’s ask you now. Will you please follow on Twitter, because I think you’ll love getting to see everything at one place.

On jerrybanfield.com, I’ve got tons of blog posts, books, and YouTube videos and you can see all of those. Gaming everything will be right in your Twitter feed so that when you follow me there’s going to be so much stuff you won’t even hardly be able to see anything else.

I mean you’re going to absolutely love following me on Twitter so join me over on Twitter and Facebook and YouTube and on my website while you’re at it.

Love,

Jerry Banfield.

Cracking WEP WiFi Encryption for Ethical Hackers.

Now that we know that in order to crack a WEP key we need to actually sniff as many packets as we can, we need to capture a lot of packets so we can get two packets with the same IVs or same random number on them. So we will be sniffing data using airodump-ng.


We used airodump-ng in the previous videos and I told you how we can actually target a specific AP or target a specific Wi-Fi we want to capture packets from.

So in order to hack WEP, we are going to use airodump-ng and with airodump-ng we are going to use aircrack-ng.

So airodump-ng will be capturing the packets and what aircrack-ng is going to do is that aircrack-ng will be trying to read those IVs.

Aircrack-ng will be trying to read that 24-bit random number I told you about in the previous video, and it is going to run statistical attacks on it and then when it finds two packets with the same IV it will crack the WEP key for us.

So airodump-ng is very easy. We just need to specify the channel, then the BSSID, and then write the output to a file.

Using aircrack-ng is even easier. We just type in aircrack-ng and after that we are going to write the file name.

The file name is similar to the file name in airodump-ng. It will actually be the file in which we are capturing the packets. So it is going to get more clear when we actually do it.

So, let’s get into Kali.

I’m going to go to Terminator.

Okay, so one thing we need to be clear about is if we are in monitor mode or not.

So I am not in monitor mode. So I am going to turn my monitor mode on.

I am doing that again in front of you just so you guys have a revision of things and you know how all of this is done so you don’t have to go back.

So we have monitor mode active in wlan0mon.

I’m going to clear it and after that I can say iwconfig, and here the monitor mode is on.

So now I am going to say airodump-ng wlan0mon to check the Wi-Fi available for us and here is our test network.

This is the Wi-Fi we were trying to hack.

This is the WEP Network we’re trying to hack or crack the key for.

So now I am going to start capturing the packets from this test network.

So we write airodump-ng, we write --bssid and I am going to copy it from here.

After that we specify the channel, and the channel is 1, and then we give it the output file name. So we can say here output-wep-crack or you can give it any name you want and after that we are going to say wlan0mon.

So, it is very easy: airodump-ng --bssid of the Wi-Fi or network we are trying to hack or crack the key for, then the channel, then the name of the output file and then the interface monitor mode is running on.

We press ENTER and it will start capturing packets from this test network.

So now what we are going to do is we are going to run aircrack-ng along with it.

So it is very easy. We say aircrack-ng and after that we have to put the file name. So we say output-wep-crack-01 and then the capture file.

So let me actually show you. This is the file.

So, we have this file available. We can say aircrack-ng then after that we can copy it or we can just type in output and then capture file.

And what we are going to do is just press ENTER. So we press ENTER and it has now started to actually read those IVs and crack the key.

So it is saying that it failed to find two packets with the similar IV or similar random number so it is going to try next on 5,000 IVs.

And you remember in the last videos we said that data is the number of useful packets we captured.

So now it can get more clear to you that these are the packets with different kind of IVs. For example, we have captured 2,700 packets right now and each of those packets have a different IV.

So we actually need two packets with the same IV. So it is going to keep capturing those data packets and then keep comparing them. Aircrack-ng will be comparing them and airodump-ng is actually capturing the packets.

And it can take some time. There are two kind of WEP encryptions. One is 46-bit and another is 128-bit.

So 128-bit can take a little longer and if it is like a 46-bit it can just happen and it will just crack the key in 15,000 IVs. But for 128-bit it can go up to almost 50,000 IVs.

And if a network is busy and a lot of people are using our test network, for example, or the network we were trying to hack, the data flowing in the network will be a lot and it will be even a faster process.

But if only one client is connected and he is not doing anything or the device is just sitting idle, we will have to wait for the data packets to flow. Because if someone is not doing anything on their device it means that no data packets are in the networks and we need data packets. We need to capture thousands of data packets.

So for now we are just going to wait and let aircrack-ng do its thing and in some time it is going to crack the key for us.

So now we managed to actually crack that key and you can see that this is the IV and we have the password here which is testpassword1 and it took almost one lakh and 80,000 IVs for the aircrack-ng to crack it.

So you just need to be patient to capture as much IVs as you can, as much data packets as you can, because hacking can actually get very hectic when you have to be very patient and you need to wait for things to happen.

So sometimes it will happen for you in 10,000 IVs or 10,000 data packets and sometimes it can take about two lakh or three lakh IVs too.

So for me it happened in almost one lakh and 80,000 IVs and now what I am going to do is I am going to turn off my monitor mode so I can check if I can connect with this network or not.

So I’m going to stop monitor mode on my device and yeah, I have wlan0 in managed mode.

We can check from here, and yes, we are in managed mode.

So let’s see if we can connect to it or not.

Now what I’m going to do is I’m going to copy it from here.

I can copy and then go back again and the Wi-Fi is not connected.

I can click ‘Select network’.

Then on the test network I will click on ‘Connect’.

Here I am going to paste it and click on connect.

So you can see that we got connected to the test network with this key we found with aircrack-ng which is testpassword1.

One more thing. We only managed to do it this quickly because two devices were connected to the network and generating a lot of data packets, so we captured plenty of IVs and aircrack-ng did its thing.

Final words.

Awesome. Yes. You finished this tutorial on Ethical Hacking in 2019.

This is a part of a complete Start Ethical Hacking Course in 2019 on my education and business platform Uthena.com.

I’m Jerry Banfield. I found and hired and paid Bilal Shah to make this course for you because I imagined how much you need it and it helped you for your professional development.

Will you please buy the course with us, because I imagine you’ll love being enrolled in this course on Uthena which includes all the new videos first in this course as we film them.

We are actively working and getting new videos for you as fast as we can. You also get access to a Facebook group and a Discord Server for answers to questions.

If you’d like to get every course like this I make forever, watch indefinitely with no ads all on uthena.com and get access to all the courses I pay to make plus the ones I film myself for one price for life.

My goal is for this to be the best money you’ve ever spent in online education.

Will you please buy the Jerry Banfield Forever bundle, because that helps me keep hiring more people to make awesome courses for you.

We are working every day to give you the best quality courses including the best audio and the best videos, the best teaching and we are grateful for the time you’ve spent here with us today, we hope you enjoy the full course.

If you found this helpful, will you please leave a like on the video, because you will feel good knowing you’re helping this video get watched more.

Love,

Jerry Banfield.

TheHarvester Tool: Email Harvesting & Ethical Hacking Tutorial on Kali Linux.

Hello everybody and welcome back. In this tutorial we will cover the email harvesting tool which is basically called, The Harvester.


So, in the last tutorial I checked whether we have it installed already, and we do.

So I will just locate it and we will run it from there, because I already tried to run it from here and it just doesn't work.

So let's just locate it first (locate theHarvester) and we can see that it is stored in the directory /usr/share/golismero/tools.

So we will go to that directory. We can see a few programs here, and we will change our directory to theHarvester.

So if we type cd theHarvester we can see that right here we have an executable Python file, theHarvester.py, which we will run in order to run this program.

I just want to tell you that this program basically doesn’t work from time to time.

So, for example, once I run it, it might print us the emails and it might not. Because I ran this a bunch of times on the same website and it sometimes just finds a lot of things and sometimes it just doesn’t find anything.

So if we just run this program it will show us an error and it will say “The domain search is mandatory.” So we basically need to specify our domain website.

So let me just type the help option, which is theHarvester.py -h, and it will show us the available options.

Here we can see that -d specifies the domain or company name to search for.

The -b is the data source, i.e. the search engine. By default it is Google, as it says right here, and we will leave it on that since I believe Google is the best.

And here we have -l, which is also an important option and stands for limit. It limits the number of search results to work with.

So if you type -l 200 it will search through the first 200 results and show us the emails and hosts found in those 200.

Now, we can try these examples right here. So we will just copy the first one: -d microsoft.com, -l 500 for the number of results, and -b google for the search engine, which gives ./theHarvester.py -d microsoft.com -l 500 -b google.
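To show what a harvester actually does with the result pages once it has them, here is the extraction step in Python. This is an added example, not theHarvester's own code: the two result pages in it are constructed and every address and host in them is made up. It pulls email addresses and hostnames out of raw HTML, undoes common obfuscations (HTML entities, "[at]" and "[dot]"), and keeps only what belongs to the target domain, including rejecting look-alikes such as example.com.evil.net and notexample.com that a naive substring match would accept.

```python
"""The core of an email/host harvester, once search-result pages are in hand:
pull addresses and hostnames for the target domain out of raw HTML, undo the
usual obfuscations, and drop anything outside scope."""
import html
import re
from dataclasses import dataclass, field

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"\b((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})\b")
OBFUSCATED_AT = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*", re.I)     # "bob [at] example"
OBFUSCATED_DOT = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*", re.I)   # "example [dot] com"


@dataclass
class Harvest:
    domain: str
    emails: set = field(default_factory=set)
    hosts: set = field(default_factory=set)

    def in_scope(self, host: str) -> bool:
        """Exact domain or a subdomain of it. 'example.com.evil.net' and
        'notexample.com' must both fail, which a plain substring test gets wrong."""
        host = host.lower().rstrip(".")
        return host == self.domain or host.endswith("." + self.domain)

    def feed(self, page: str) -> None:
        """Consume one result page (HTML or text) and record what is in scope."""
        text = html.unescape(page)              # &#64; -> @, &amp; -> & ...
        text = OBFUSCATED_AT.sub("@", text)
        text = OBFUSCATED_DOT.sub(".", text)
        for addr in EMAIL_RE.findall(text):
            addr = addr.lower()
            if self.in_scope(addr.split("@", 1)[1]):
                self.emails.add(addr)
        for host in HOST_RE.findall(text):
            if self.in_scope(host):
                self.hosts.add(host.lower())

    def report(self) -> dict:
        return {"emails": sorted(self.emails), "hosts": sorted(self.hosts)}


# Constructed result pages standing in for what a search engine would return
# for "example.com"; the addresses and hosts in them are made up.
SAMPLE_PAGES = [
    "<p>Contact: <a href='mailto:Alice@Example.com'>Alice</a> or "
    "bob [at] example [dot] com. Careers: https://www.example.com/jobs</p>",
    "<li>carol&#64;mail.example.com</li><li>dave@notexample.com</li>"
    "<li>phish: login.example.com.evil.net</li><li>See also evil.net</li>",
]


def harvest(domain: str, pages=SAMPLE_PAGES) -> dict:
    """Run the extractor over a list of pages for one target domain."""
    h = Harvest(domain.lower())
    for page in pages:
        h.feed(page)
    return h.report()
```

Run against the sample pages it reports three addresses (alice, bob and carol) and three hosts (example.com, mail.example.com, www.example.com); dave@notexample.com and the evil.net look-alike are dropped as out of scope.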

So let’s just try this. It will take a few seconds. It might find something and it might not.

Basically if it doesn’t find anything you can try using the same command later on and it will probably work. It just decides from time to time when it will find and when it will not.

So if it doesn’t work we won’t really care much about it. We will just continue on with the tutorials and you can try it out later with the same command.

So here we go. It is about to finish, but in this case we weren't able to find anything.

So let me try another target, or basically just type microsoft without .com. Maybe it will search it as a company name and find some results.

We will give it one more try after it if it doesn’t find anything here and then we will finish the tutorial there since there is no point.

As I said, sometimes this tool finds something and sometimes it just doesn’t want to find anything.

So we will wait for this to finish. The first 200 results are already over.

No, this one didn’t work as well.

So let me just try out one website that worked 20 minutes ago when I tried it. This is a website from my country. Basically some university website. It doesn’t even matter.

You can try this on any website you want. Maybe if we use the other website maybe it will print us something.

If it doesn’t we’ll just proceed to the next tutorial which will be Shodan which is basically a search engine or a website that we use to search for the vulnerable devices.

Now, you will be surprised how many vulnerable devices are out there on the internet. The most common are routers still using the default username and password: if you go to the login page of such an IP address you will be able to enter the router and change all of its settings.

But more about that in the next tutorial as we can see this one didn’t work either.

So we tried three times and it didn't work. Later on, tomorrow, or whenever you want, you can try the command again and it will probably work.

It just doesn’t want to work right now.

So once again it is located in this directory.

You won't be able to run it from just any directory in the terminal. If you want to, I will show you in the next tutorials how to move the file so that you can run it from any directory with just its name.

So, for example, I will show you how to run this file with just its name and not go into this directory all the time when we want to use it.

But we will teach that in some of the other tutorials. And for now on I will cut the tutorial short here and I hope I see you in the next one.

Final Words.

Thank you very much for watching this video tutorial that I, Jerry Banfield executive-produced, meaning I hired the instructor to make a video for you as a part of a Master Ethical Hacking in 2019 course that I imagine you will love and enjoy.

You can unlock a career in penetration testing and go from beginner to advanced in this brand new course, all with the same instructor whose video we've just gone through together.

We’ve got five sections of the course ready for you now and we are making new videos every single week for this course for you.

I imagine by the end of 2019, this course will include 10 to 20 hours of Ethical Hacking tutorials for you from the very basics, which we’ve already got, into advanced things like building your own custom hacking tools.

This course also has a Discord Server and a Facebook group where you can get answers to your questions from ethical hackers and fellow students.

If you would like to buy the course, will you please use this link to buy it for $8.81 because I imagine if you’ve got this far in you will absolutely love the full course.

You can also get this as a part of the Jerry Banfield Forever course bundle which includes all of the classes I teach as the instructor, I make a new class every week or so, and all of the courses I pay instructors to make as in this hacking course for life.

You can get all of my courses for life for $181.81 in the Jerry Banfield Forever course bundle. There’s a link for that in the description of the video above.

My purpose in this is for it to be the best value you've ever got in education on an in-demand subject.

I am intending to make anywhere from 50 to 100 new courses for you in a year indefinitely, both myself and as the executive producer.

Thank you very much for watching this tutorial. I imagine if you found it helpful you’ll leave a like to help others find this information that you found valuable with us.

Where to see more.

You've got this far in, so I imagine you will love seeing the videos we keep creating for you each day. Will you please subscribe on YouTube and like on Facebook, because that will give you two ways to see the same videos every single day and you will be like, "Oh, my god, stop spamming my newsfeed. Oh, I'm sick of you. I'm not subscribing and not liking."

I mean, you’re going to have a great time. You’re going to love the videos we put out every single day. It’s going to be a blast.

We’re going to do a journey together of a lifetime starting or continuing today.

Love,

Jerry Banfield.

Hacker Sniffing Tutorial Using Netsniff-ng Commands.

Hello guys and welcome to this video tutorial about sniffing.


Hacker Sniffing Tutorial! Netsniff-ng Commands and Ettercap Wireshark for Poisoning & Spoofing

In this video, we’ll go quickly through Netsniff-ng. I’ll show you how to use it and some commands with it and also how to get around with ‘help‘.

Then we’ll move on to Ettercap. I will show you how to use Ettercap’s interface, some additional features of Ettercap, how to start poisoning and actually spoofing with Ettercap and then a great combination of Ettercap with Wireshark.

Then we are going to try to make a little demonstration and how traffic between two machines on the network is getting captured by a third one and how it could also be read.

So stick with me and let’s start.

First of all, to start Netsniff-ng you usually go to Applications, Sniffing & Spoofing and then just click on the Netsniff-ng.

It will load a terminal window and it will already have the help preloaded for you.

So if you scroll up in the window you can see all the help you need, as well as some example commands. We can go through these examples.

I can at least go through the first one and give you some brief information on what it does. It reads:

netsniff-ng --in eth0 --out dump.pcap -s -T 0xa1b2c3d4 -b 0 tcp or udp

--in eth0 is the interface to capture on.

--out dump.pcap is the output file.

-s means silent: nothing is printed per packet.

-T chooses the type of pcap file to be created, and the value after it, 0xa1b2c3d4, is the actual type. I will get into details about that later.

-b 0 binds the capture process to CPU 0, and the trailing 'tcp or udp' is the filter that decides what kind of packets to capture.

So for example, if you type netsniff-ng -D it lists the pcap types it supports, with additional information about each hex value, and that is where this value comes from.

So this hex value is 0xa1b2c3d4.

What it means is that the capture is tcpdump-compatible: the classic libpcap file format, so tcpdump, Wireshark or anything else that reads pcap can open it. The rest of the line gives some specifics about that format.

There are different types of capture so you can go around to all of them and play with them.

But for now we are going to use this example just to give you a brief overview of how to use Netsniff-ng, which is pretty much similar to tcpdump.

When we start it, since it's silent, it runs but doesn't print anything.

If we quit with Ctrl + C it prints the statistics of that capture. So let's quit it.

I think this is enough.

It captured 51 packets in roughly 17 seconds.

And now if I want to read these packets I can do tcpdump -tttt -r ./dump.pcap, where -r reads from the file instead of an interface and -tttt prints the full date and time on each line.

And there it is.

If I pipe it to less (tcpdump -tttt -r ./dump.pcap | less) I can read it more easily and move up and down.

There aren’t too many packets so that’s okay.

Okay, as you see tcpdump doesn't alter the capture, but by default it tries to resolve IP addresses to host names and port numbers to service names, so I will add -nn to turn both lookups off.

So let me just type that: tcpdump -tttt -nn -r ./dump.pcap.

Now we have only IP addresses and ports, as well as the TCP flags of each packet such as SYN (shown as S), RST (R) and so on.
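To show what sits behind that magic number and that -nn output, here is a minimal pcap reader in Python. This is an added example, not code from netsniff-ng or tcpdump: it builds a small capture in memory from constructed frames (the 192.168.1 prefix and the MAC addresses are assumptions; the tutorial only calls its hosts .1.2 and .1.6), checks the 0xa1b2c3d4 magic and the byte order it implies, walks the packet records, and prints each TCP packet the way tcpdump -nn does, with addresses, ports and flag letters.

```python
"""A minimal reader for the pcap format netsniff-ng and tcpdump share: check
the 0xa1b2c3d4 magic, walk the records, and print each TCP packet the way
'tcpdump -nn' does (addresses and ports only, flags as letters)."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_FLAG_LETTERS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, ".")]


def build_tcp_frame(src_ip, dst_ip, sport, dport, flags,
                    src_mac=b"\x02\x00\x00\x00\x00\x01", dst_mac=b"\x02\x00\x00\x00\x00\x02"):
    """Ethernet II + IPv4 + TCP header, no payload. Checksums are left at zero,
    which tcpdump tolerates when it is only reading a file."""
    eth = dst_mac + src_mac + b"\x08\x00"
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ipv4 + tcp


def write_pcap(frames, byteorder="<"):
    """24-byte global header, then a 16-byte record header before each frame.
    The writer's native byte order decides how the magic appears on disk."""
    out = struct.pack(byteorder + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, frame in frames:
        out += struct.pack(byteorder + "IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(blob):
    """Returns (linktype, [(ts_sec, frame), ...]). The magic both identifies a
    tcpdump-compatible file and reveals the byte order the rest is written in."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:     # same magic, written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "I", blob[20:24])[0]
    records, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        records.append((ts_sec, blob[off:off + incl_len]))
        off += incl_len
    return linktype, records


def summarize(frame):
    """One 'tcpdump -nn' style line for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    if ip[9] != 6:
        return "%s > %s: proto %d" % (src, dst, ip[9])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    letters = "".join(l for bit, l in TCP_FLAG_LETTERS if tcp[13] & bit)
    return "%s.%d > %s.%d: Flags [%s]" % (src, sport, dst, dport, letters)


def dump(blob):
    """Equivalent of 'tcpdump -nn -r file' minus the timestamps."""
    return [summarize(frame) for _, frame in read_pcap(blob)[1]]


def example_capture(byteorder="<"):
    """Constructed capture: a SYN, its SYN-ACK, and a RST between the two
    hosts the tutorial calls .1.2 and .1.6 (192.168.1 prefix assumed)."""
    return write_pcap([
        (1, build_tcp_frame("192.168.1.6", "192.168.1.2", 40000, 23, 0x02)),
        (2, build_tcp_frame("192.168.1.2", "192.168.1.6", 23, 40000, 0x12)),
        (3, build_tcp_frame("192.168.1.2", "192.168.1.6", 23, 40000, 0x04)),
    ], byteorder)
```

dump(example_capture()) yields three lines with flags [S], [S.] and [R], the same letters tcpdump prints, and it reads the big-endian variant of the same file identically because the magic tells it which byte order to use.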

Okay, for Netsniff-ng that’s pretty much it.

So we can move to Ettercap.

I’ll just close the window quickly and start Ettercap. Again, from spoofing there we will find Ettercap.

As you can see the interface is at the moment pretty simple. There are only a few options. This is because we haven’t really started anything. Ettercap is just waiting for us to start.

And to start using Ettercap, what you need to do first is open the Sniff menu and click 'Unified sniffing'.

Next you will choose the interface you want to sniff on and here are all the interfaces that Ettercap is able to see here on this machine.

Next, click on ‘Okay’.

It gives us some sort of statistic about the actual software, the version, the IP address and the MAC address, all the modules loaded and everything and then it started to populate the menus.

As you can see here we have targets, hosts, man in the middle(Mitm) already and things like that.

So our next step would be looking for targets or looking for hosts.

So go to ‘Hosts‘ and click on ‘Scan for hosts’.

It will fill up pretty quick. And now when you go to ‘Host‘, if you click on ‘Hosts list’ we’ll have all the hosts in my network.

So there it is. This is the gateway and these are some machines connected to the network.

For our test, we will try to sniff the traffic between the machine with IP address .1.2 and the machine with IP address .1.6. As you see, I added the first one as Target 1 and the other as Target 2.

If you go to 'Current targets' you can see them. To do man in the middle you have to be in the middle of the two machines, and in this case we will be sitting between .1.2 and .1.6.

You can add as many targets as you like.

Some other information that might be useful: if you go to 'View' and 'Connections' you get something similar to Wireshark's statistics, with some predefined filters. For example, you can exclude everything but UDP, or everything but TCP.

So you can also filter by yourself for a host which could be an IP address as well and if you are only interested in active connections, you can filter by active connections.

So at the moment we are only listening, but let me start the man in the middle attack, the actual ARP poisoning, from the Mitm menu.

When I start this, Ettercap begins poisoning the ARP caches of the two targets, .1.2 and .1.6, so that each of them resolves the other's IP address to our MAC address and sends the traffic through us. I should start seeing more connections between them if there are any, of course.

At the moment there isn’t a connection going on between those two machines, but I’m going to start one and I’m going to try and show it to you in Wireshark.

So let’s just go to Applications, sniffing and start Wireshark as well.

It started listening as you can see.

We're going to apply a display filter for packets between the two, of the form ip.addr == x.x.1.2 && ip.addr == x.x.1.6.

Currently, we don’t see any traffic going on between those two, but hopefully something will show up.

Okay, let’s start some traffic between those two machines and see if it will show up in our Wireshark.

Let me just go to my other machine and open a netcat (nc) connection to that machine on port 23.

“This is test. Please reply. I reply.”

Okay, that should be enough, and we're moving on to Wireshark. As you see, there is traffic between those two machines on TCP port 23, the Telnet port.

So if I follow the TCP stream, I can see that I already captured “This is test” and if I keep sniffing, I will capture other packets that are exchanged between those two machines and not intended for me.

And as you see, the source is .1.6, the destination is .1.2, and of course we can also verify that our IP is .1.6.

So this is a practical ‘man in the middle‘ with ARP cache poisoning using Ettercap.
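Here is what that poisoning looks like on the wire, together with the check a defender runs against it, as an added Python example that is not Ettercap's code. It builds the two forged ARP "is-at" replies an attacker sends each round (each victim is told the other's IP lives at the attacker's MAC) and feeds them to an arpwatch-style observer that flags an IP whose MAC changes. The 192.168.1 prefix and all MAC addresses are assumptions; the tutorial only names the hosts as .1.2 and .1.6.

```python
"""ARP poisoning between two hosts as it appears on the wire, plus the check a
defender runs against it: forged 'is-at' replies that tell each victim the
other's IP lives at the attacker's MAC, and an observer that flags an IP whose
MAC changes."""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, smac, sip, tmac, tip

# Assumed addressing: the tutorial only says .1.2 and .1.6; prefix and MACs are made up.
ATTACKER_MAC = bytes.fromhex("020000000099")
HOST_A = (bytes.fromhex("020000000002"), "192.168.1.2")
HOST_B = (bytes.fromhex("020000000006"), "192.168.1.6")


def mac_str(mac: bytes) -> str:
    return ":".join("%02x" % b for b in mac)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an ARP reply: 'sender_ip is-at sender_mac'."""
    eth = target_mac + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """(opcode, sender_mac, sender_ip, target_mac, target_ip) for Ethernet/IPv4 ARP, else None."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETHERTYPE_ARP):
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, smac, socket.inet_ntoa(sip), tmac, socket.inet_ntoa(tip)


def poison_pair(attacker_mac, victim_a, victim_b):
    """The two replies sent per round to sit between A and B. An attacker
    re-sends them periodically, because the victims' caches would otherwise
    expire and re-learn the real MACs. victim_a/victim_b are (mac, ip)."""
    a_mac, a_ip = victim_a
    b_mac, b_ip = victim_b
    return [
        build_arp_reply(attacker_mac, b_ip, a_mac, a_ip),   # to A: "B is at attacker"
        build_arp_reply(attacker_mac, a_ip, b_mac, b_ip),   # to B: "A is at attacker"
    ]


class ArpWatch:
    """Remember the first MAC seen for each IP and alert when a later reply
    claims a different one, the same signal tools like arpwatch act on."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, smac, sip, _, _ = parsed
        known = self.table.setdefault(sip, smac)
        if known == smac:
            return None
        alert = "%s changed from %s to %s" % (sip, mac_str(known), mac_str(smac))
        self.alerts.append(alert)
        return alert


def demo() -> list:
    """Legitimate replies first, so the watcher learns the truth, then one poison round."""
    watch = ArpWatch()
    legit = [build_arp_reply(HOST_A[0], HOST_A[1], HOST_B[0], HOST_B[1]),
             build_arp_reply(HOST_B[0], HOST_B[1], HOST_A[0], HOST_A[1])]
    for frame in legit + poison_pair(ATTACKER_MAC, HOST_A, HOST_B):
        watch.observe(frame)
    return watch.alerts
```

demo() returns two alerts, one per victim IP, each naming the real MAC and the attacker's MAC. The watcher only works if it saw the honest binding first; on a network it has just joined, a static table of known gateway and server MACs is the usual substitute.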

You can also use Ettercap to kill connections: it forges packets (TCP resets) and sends them to both the source and the destination, which tears the connection down.

So let’s try to kill a connection using Ettercap.

Okay, this one. This is the one we’re looking for.

So at the moment it is still going on. It should show up here as well.

Yeah. “Telnet.” “This is another test.” You can see that here.

So it’s still going on. It says “idle” because currently there is no data being transmitted, but the connection is there.

Let me try and “kill the connection”.

Connection was killed.

It says it’s killed. It doesn’t show it here in the list.

So let me see what will happen if I go to the terminal of my other machine. Yep, it is killed.

And I can confirm that this happened on the other machine as well.

So that proves you can not only listen to connections, but also prevent a connection, interrupt it, or destroy a connection between hosts.

If you want to prevent someone from talking to another one, you can do that as well.

And now when I select, ‘killed’, there it is.

I can also see how this connection formed, packets, number of bytes and so on and so forth.

So pretty much that’s it about Ettercap and Wireshark and I hope you like it. I hope you found something interesting and I’ll catch you in the next video.

Thank you very much and goodbye.

More from Jerry Banfield.

Thank you very much for watching all the way to the end of this tutorial.

The video you’ve seen is a part of How to Hack in 2019: Noob to Certified Ethical Hacker with CEH Version 10!

This is a video course with 30-plus hours of video in it, hundreds of lectures that covers each individual module that is in the Certified Ethical Hacking exam for version 10.

Now, this course will not give you a certification. It prepares you to take the CEH Version 10 exam. You can see this course has a ton of videos in it.

I’m imagining since you made it to the end of this tutorial, you will love this course. It’s $27.81 on uthena.com which is a platform. I’m Jerry Banfield, the founder of this platform.

You can also get this course within the Ethical Hacking Forever course bundle for $48.81. You buy this bundle once. We will add new Ethical Hacking courses forever to it.

For example we have a Python Hacking course coming out now that will be added to this bundle very shortly. This bundle has six courses currently in it and a hundred plus hours of video. It’s one of the best options in the world to learn ethical hacking.

Three courses right here are all from 2019 and we will keep this bundle updated forever for you.

If you check the links in the description of the video, you will also find some additional coupons. You may be able to get to take the course for less, to take different courses, to subscribe, and even find different stores that may have the same course.

I appreciate you watching here with us today. I imagine if this is helpful you’ll leave a like on it, because you will feel good about leaving a like on the video and giving something back.

If you subscribe, you will have the chance to watch more videos like this every day.

If you take a look in the description of the video you’ll find playlists related to this video with more videos for free on YouTube.

I love you.

You’re awesome.

I hope you have a wonderful day today.


Web Penetration Testing: SQL and SQL Injection Basics on Kali Linux.

Hello everybody and welcome back to another tutorial in Web penetration testing.


Right now we will start off by covering some of the basics of SQL and the basics of SQL injection.

So, first of all, for those of you who don't know, with SQL injection we interact with the website's database through the application itself: our input ends up inside the query the server runs.

Now, the database is mostly used to store information. For example, usernames and passwords can be stored in a database and once you type them in a form the server queries the database and compares the password you typed in with the password stored in the database and if they match it will allow you to log in.

So an example would be any login form you encounter, whether on Instagram, Twitter or any other social media site: once you type in your password, it will probably hash it and compare that hash with the hash stored in the database, and if they match you will be able to log in.

So the problem arises if the person who created that website mixed user input straight into the query text instead of keeping it separate (with parameterized queries) or at least escaping the characters that have a meaning in SQL, such as the single quote.

That can allow the user to send his own SQL queries and gather a bunch of information he should never see.

It can also allow the user to modify or delete data, up to the entire database, if the database account the application runs as has those rights.

Now, before we begin let me just open Leafpad right here and explain a little bit more what SQL is and how you query the database.

First of all, a database is a bunch of tables managed by the same system and related to each other.

By a table I mean a list of records of the same kind, for example a table of users.

So facebook.com, for example, probably has a database with a bunch of tables, and those tables consist of rows and columns.

So for example, in a users table each row is one user, and the columns hold the username, the password (hash), and whatever other information you keep on the user such as mobile phone or email. It doesn't have to be anything linked to a user either.

It could be, for example, that you visit an online shop that sells flowers, and it has a table of the different types of flowers with the information for each one.

Once you search the online shop, it queries for that database.

Now, how do we query a database? How do we actually interact with the database itself?

Now, there is the SQL language. It is not that hard to learn, but in SQL injection it might seem a little tricky to get used to. Once you learn some of the basic commands it is not that hard to continue learning it.

Now, some of the top commands are CREATE, SELECT, UPDATE, INSERT, DELETE, and DROP.

Now, these are the statements you query the database with, and they do what they say.

CREATE creates a database or a table.

SELECT reads rows from a table: the specific columns you ask for, filtered by a condition.

UPDATE changes the values in existing rows.

INSERT adds a new row to a table.

DELETE removes rows. For example, a user decided to close the account and you want to remove him from the database. You do that with the DELETE command.

DROP deletes an entire table or database. That can be very dangerous if the site is vulnerable to SQL injection. So for example, if Facebook were vulnerable to SQL injection and you injected DROP followed by the name of the table, you would delete the entire table of users and passwords.

That would be a really big problem, but a site that size is very unlikely to have such a simple injection flaw, and neither are most of the bigger websites. Some of the less known websites could be.

So, one more thing. DELETE and DROP are not used that much by an attacker, since destroying data is rarely the goal of the attack itself: in most cases the attacker wants to gather information, not delete it.

Now, put yourself in the shoes of the attacker. What is valuable to the attacker is the passwords and usernames that he could gather for that account rather than deleting every account.

If he deleted every account he would just create a big problem. But if he gathered all usernames and passwords, he could basically log in as anybody to that website.

That could present a huge problem if that website was for example, PayPal.

He could send bunch of money to himself and he would probably get caught after some time, but that isn’t the point right here.

Now, the command out of all of these that you will use all the time is SELECT.

So this command is used to read from the database. For example, if you found a website vulnerable to SQL injection and wanted the table with the passwords, you would read it with this command.

Now, the basic SQL query looks something like this.

SELECT columns FROM table WHERE condition;

So this is the basic shape of a query. We SELECT some columns FROM some table WHERE a certain condition holds.

An example of this command would be something like this.

SELECT name, description, price FROM products WHERE price < 599;

Now, this is a basic query for a website that might be some kind of online shop.

So we select the name, the description and the price of every product from the products table whose price is less than 599, and once the user filters the shop that way the server returns all the products below 599 with their name, description and price.

The condition doesn't have to be a single comparison. We can require two things at once.

So, for example, you could type SELECT columnA FROM tableX WHERE columnE = 'employee' AND columnF = 100;

Now, as you can see, the logical operators AND and OR let us combine several conditions in one WHERE clause; here both must be true for a row to be returned.

So this is how a basic SQL query looks. Now, you might find it a little tricky, but you should be able to understand it.

If you don't, however, just search the internet for some SQL basics and you will get used to it really fast. It is one of the easier languages, but its syntax can look a little odd, as we can see right here.

SELECT, FROM and WHERE are typed in capital letters. You don't have to do that, SQL keywords are case-insensitive, but I did it to show the different parts of the query.

So columnA, tableX and columnE are names that come from the database, which is why I typed them in lowercase, while SELECT, FROM, WHERE and AND are SQL keywords that we use to query the database.

Now, those are some of the basics of SQL. Let us continue in the next lecture with the exploitation and the attack of the SQL injection on our OWASP virtual machine.

So, this was about it for this lecture. As I said, if you want to learn more about SQL you can easily research more on the Internet.

I will see you in the next video or blog post where we will be attacking our first target.

So, I hope I see you there and take care.

Final Words.

Yes, you can even have electronic music from me. I think you might love and enjoy some of my music on iTunes, Amazon Music, and Spotify.

Love,

Jerry Banfield.