Master Ethical Hacking 2019 Course Curriculum!

  • 2
    Basic commands!
  • 3
    Prepare your lab!
    • Changing IP address and setting up wireless adapter
    • Creating bootable Kali USB
    • Important networking terms
    • Important hacking terms
    • Few things to do after installing Kali Linux
    • Changing our Mac Address - Macchanger
  • 4
    Footprinting!
    • Google hacking
    • Nikto basics
    • Whois tool
    • Email harvesting
    • Shodan
    • Zone transfer with dig
  • 5
    Scanning!
    • Installing Metasploitable
    • Nmap - part 1
    • Nmap - part 2
    • Nmap - part 3
    • Zenmap
    • TCP scans
    • Nmap bypassing defences
    • Nmap scripts 1
    • Nmap scripts 2
  • 6
    Web penetration testing!
    • Installing Owasp
    • HTTP request
    • HTTP response
    • Burp Suite configuration
    • Editing packets in Burp Suite
    • Whatweb & Dirb
    • Password recovery attack
    • Burp Suite login bruteforce
    • Hydra login bruteforce
    • Session fixation
    • Injection attacks
    • Simple command injection
    • Exploiting command injection vulnerability
    • Finding blind command injection
    • Webpentest - basics of SQL
    • Manual SQL injection - part 1
    • Manual SQL injection - part 2
    • SQLmap basics
    • XML injection
    • Installing XCAT and preventing injection attacks
    • Reflected XSS
    • Stored XSS
    • Changing HTML code with XSS
    • XSSer & XSSsniper
  • 7
    WPA2 cracking
    • Wireless attacks theory
    • Putting network card in monitor mode
    • Capturing handshake with Airodump
    • RockYou.txt
    • Cracking with Aircrack
    • Cracking with Hashcat
    • Making password lists with Crunch
    • Making password lists with Cupp
    • Rainbowtables - part 1
    • Rainbowtables - part 2
    • Installing fluxion
    • Finding and cracking hidden network
    • Preventing wireless attacks
  • 8
    Man in the middle
    • ARP protocol basics
    • MITM attack theory
    • Installing MITMf
    • Manual Arpspoofing
    • Problems while installing MITMf
    • HTTP traffic sniffing
    • DNS spoofing and HTTPS password sniffing
    • Hooking browsers with BEEF
    • Screenshotting targets browser
    • Cloning any webpage
    • Ettercap basics
  • 9
    System hacking
    • MSFconsole enviroment
    • Metasploit modules explained
    • Bruteforcing SSH with Metasploit
    • Attacking Tomcat with Metasploit
    • Getting Meterpreter with command injection
    • PHP code injection
    • 2 Metasploitable exploits
    • Wine installation
    • Crafting Windows payloads with Msfvenom
    • Encoders & Hexeditor
    • Windows 10 Meterpreter shell
    • Meterpreter enviroment
    • Windows 10 privilege escalation
    • Preventing privilege escalation
    • Post exploitation modules
    • Getting Meterpreter over Internet with port forwarding
    • Eternalblue exploit
    • Persistence module
    • Hacking over Internet with Ngrok
    • Android device attack with Venom
    • Real hacking begins now!
  • 10
    Python basics
    • Variables
    • raw_input
    • IF ELSE statement
    • FOR loop
    • WHILE loop
    • Python lists
    • Functions
    • Classes
    • Importing libraries
    • Files in Python
    • Try and Except rule
  • 11
    Coding advance backdoor
    • Theory behind reverse shell
    • Simple server code
    • Connection with reverse shell
    • Sending and receiving messages
    • Sending messages with while true loop
    • Executing commands on target system
    • Fixing backdoor bugs & adding functions
    • Installing Pyinstaller
    • First performance test of our backdoor
    • Trying to connect every 20 seconds
    • Creating persistence - part 1
    • Creating persistence - part 2
    • Changing directory
    • Uploading & downloading files
    • Downloading files from Internet
    • Starting programs from our backdoor
    • Capturing screenshot on target PC
    • Embedding backdoor in image - part 1
    • Embedding backdoor in image - part 2
    • Checking for administrator privileges
    • Adding help option
  • 12
    Creating keylogger for backdoor
    • Importing Pynput
    • Simple keylogger
    • Adding report function
    • Writing keystrokes to a file
    • Adding keylogger to our reverse shell - part 1
    • Adding keylogger to our reverse shell - part 2
    • Final project test
  • 13
    Basic authentication bruteforcer
    • Printing banner
    • Adding available options
    • Starting threads for bruteforce
    • Making function to run the attack
    • Bruteforcing router login
    • Bypassing antivirus with all your future programs
    • Sending malware with spoofed email
    • What's next

Meet Your Instructor!

  • Aleksa Tamburkovski

    Penetration Tester

    Aleksa Tamburkovski

    I started getting into Cyber Security and Ethical Hacking at very young age at only 15 years old. First few years it was only a hobby whereas now I am currently working with a private cyber security company that aims to help diffrent organizations to secure and prevent unauthorized access to their networks and systems as well as studying mechanical engineering and avio engineering seperately. I am also just starting to get into online courses creation right here at Uthena where I have several courses published that already helped alot of students to find out more about ethical hacking and to truly see whether that is something that they want to pursue as a career! I myself started learning ethical hacking years ago by taking online courses and reading books and now I am happy that I can provide you high quality courses where I can teach and add things that I felt I needed or that I felt that were missing once I learned them long ago through diffrent courses! As an instructor right here at Uthena I am very grateful for the opportunity to share my knowledge as well as help as much as I can with any questions you might have!

What Does This Course Include?

  • Lifetime access to 25+ hours of ethical hacking video tutorials filmed in 2019!

  • Access to our Facebook group and Discord server for answers to questions!

  • Download every video and then watch anywhere with no internet connection!

  • You will love this course or we will give you a full refund within 30 days!

Student Questions, Instructor Answers!

Enroll in the course to enjoy answers to your questions from the instructor as seen below!

Student

Someone know how to download pass txt. Is impossible?


Instructor

Which password list you want to download exactly ? Right here at this link https://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt    You have a github repository for a password list with 1000000 passwords! There you can git clone that page or if that doesnt work you can go to the Raw part of the page where you will see list of all passwords then press CTRL + A to select all and copy it in any .txt file

GitHub

danielmiessler/SecLists

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, ...


Another option would be to go on your Kali Linux machine and navigate to folder /usr/share/wordlists! You can do that with this command "cd /usr/share/wordlists". There you will have some password lists that already come preinstalled in Kali Linux and you can choose which one suits you the best!


Student

Could is be possible that my IP address has been blocked from installing VirtualBox/Kali Linux in my system?


Instructor

You cant access the internet on your Kali Linux machine or what exactly is the problem ? If so try clicking on your kali linux machine and go to settings, then go to network settings and if you want your local IP address to belong to your local network change the NAT option to Bridged Adapter and select your adapter there! If you are talking about not being able to install Virtual Box at all I dont think your IP address could be blocked from doing that. If this is not the case could you explain your problem a little bit more in detail so I could help you with solving it!


Student

The problem is that, I have tried all I could to download VIRTUAL BOX and KALI LINUX but could not install on my system. The first time i tried it, Everything was fine. but when I got to ISO Image. That one could not, then I UNINSTALL and since then to install it back has become a big problem now for me for the past two weeks

It can only allow the installation of the old version , but KALI LINUX could not  install

It' s really disappointing


Instructor

If you are having problem installing or downloading kali linux try with different version. For example if you tried installing the 64 bit version on your VirtualBox try to install 32bit now and see if that will work? If it gives out any error let me know what does it say. The alternative to Kali Linux if nothing works could be Parrot OS! It is in my opinion as good as kali linux and it is used in security and pen testing as well. Here is a link to their website where you can download it!  https://www.parrotsec.org/

Parrot Security

The best choice for security experts, developers and crypto-addict...

Discover our awesome cyber security GNU/Linux environment. It includes a full portable laboratory for security and digital forensics experts, but it also includes all you need to develop your own software or protect your privacy with anonymity and crypto tools.


Student

Alright Thanks very much, let me try it at once.


Instructor

No problem! Feel free to show us if you got any error while doing it so we can resolve it and get your kali Linux or parrot OS working!


Student

Still encountering the same problem.

Is Kali Linux the same as Ubuntu Linux?


Student

Not the same, but similar. Kali, as well as Ubuntu, are both built off of the Debian codebase.


If you are trying to install a virtual instance, Offensive security.com has downloads for both VMWare and Virtual box.


Follow this link to download whichever you need. https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/

Kali Linux Downloads – Virtual Images


Student

My system could only allow the installation of the old version of Virtual box. Does this Kali Linux has old version too? Secondly is it { Kali Linux VMware Images} or {Kali Linux VirtualBox Images} which of them should I install?

Again Kali Linux, is it ISO or OVA?


Instructor

You can use older version of Virtual Box It shouldn’t present any problems! If it does please post the error here so we can resolve it! Also you want to download Kali Linux VirtualBox Image which will give you a .iso file with newest Kali Linux being the size of around 3.3GB large. Just make sure to first check out of your PC is 64bit or 32bit and if virtualization is enabled in your bios. This can cause a problem when installing 32bit version of Kali Linux. If the New version of Kali Linux presents problem while trying to install it on older version of virtualbox you can install the older version of kali Linux no problem! Most of the stuff if not all of the needed stuff will be exactly the same in both of them! If you need any help with something else feel free to post here.

The difference between ISO and OVA is that ISO file for kali linux is something that you use during installation of kali linux or if you want to burn the disk image onto your USB drive for example. The OVA you will typically encounter when exporting a certain virtual machine, it will be saved with name something.ova


Student

Can you send me a link of old version of Kali Linux? Let me try it too. because the new version after installing it, To add it to Virtual box is the main problem. I don't know how else to do it?


Instructor

There doesn’t seem to be a link on google for it as they all get redirected to newest Kali Linux version. If you want to download older version best place is to search it on torrent and download it from there! Could you give us some detailed look at the error you are getting? Maybe I can help you resolve it. What does it say when you try to add new version of kali linux to virtualbox?


Student

FATAL: No bootable medium found! System halted

Here is what is displayed on the screen.

I am waiting for it to give me the option to select Graphic..... something like that. But it never displayed anything ,  just stand still.


Instructor

Can you try and follow the instruction from this video right here https://youtu.be/OonETK7oIcA  Try to execute everything the same and see if it still prompts you with an error!

YouTube

Codexual

How to install Kali Linux 2018.2 on VirtualBox


Also check out forum right here where people have encountered similar error and here they say how they were able to solve it! https://askubuntu.com/questions/413594/what-does-no-bootable-medium-found-mean-in-virtualbox

Ask Ubuntu

What does "No bootable medium found" mean in VirtualBox?

I have recently been trying to install VirtualBox, when this message came up:


No bootable medium found!

Can somebody please tell me what went wrong?


Student

Alright, Thanks. Let me try it out carefully.


Instructor

Hello, I just checked and I am able to connect and access everything on Uthena. Are you still having problem connecting to it?


Student

hello sir in master ethical hacking course while downloading tilix and tor ot ws showing error there is no package so please reply me to resolve this one


Student

Just got the ethical hacking course bundle excited to get started


Instructor

Can you please send a screenshot of the error or copy paste the error right here so I can know in more detail what the error is about ? This will help me in better understanding where the problem is occurring and then we can get it resolved as soon as possible!


I hope you will enjoy all the ethical hacking courses in that bundle. If you have any questions regarding any errors or problems you might encounter feel free to post them here so we can fix them!


For the no Package found error with Tor I will refer you to this link https://unix.stackexchange.com/questions/259592/problem-installing-tor-on-kali-linux  Here someone had similar problem and solved it with the following commands specified in the answer part!

Unix & Linux Stack Exchange

Problem installing tor on Kali Linux

I'm trying to install tor on my Kali Linux 2016.1 (kali-rolling). When I type apt-get install tor in Terminal, this error appears:


Reading package lists... Done

Building dependency tree 

Rea...


Student 

Can you enter to my computer and solution exploit finished but no session was created

Please

Someone knows how to solution exploit finished but no session was created


Instructor

Can you please tell me which lecture was it or what attack were you doing so I can help you with the error?


Student

How can I get a solution these someone help me please isn’t showing any apps?


Instructor

The reason why no files or directories are being displayed is probably because there aren’t any in that certain directory? Are you sure you had any files in there before and that they aren’t by any chance in some other directory?


Student 

Guys a have a question to hack pc with payload you need to have good internet because when I open virus it take me long to load and it didn’t load.


Instructor

Does the payload eventually connect after certain period of time or does it just hang there without ever connecting ? Are you sure you specified LHOST IP Address to be the same IP Address as your output IP from the "ifconfig" command ? If you have Network Settings set to NAT could you change it to be Bridged Adapter and make sure to specify the adapter that you are using and that is also supported by Kali Linux! Also double check if the information you specified in payload creation such as Local IP to listen on and Local Port are same as the settings you specify in your metasploit multi handler!


Student 

man you are the best.

Guys I have other problem

I don’t know if I need to install another windows because when I exploit it exploits the meter prefer only my pc and the other that I have no I am thinking that I have before other viruses created that why no

My pc shows meterpreter the other not exploits? When I activate virus?


Instructor

If you have windows as main host operating system and kali linux as virtual machine you can attack your windows host from kali linux! However make sure to first check whether your Windows OS is 32 or 64bit. If it is 32bit you can must use windows/meterpreter/reverse_tcp! If it is 64bit you can use widows/meterpreter/reverse_tcp as well as windows/x64/meterpreter/reverse_tcp since on 64bit OS you can run both 32bit and 64bit programs so both should work. If you are running a virtual machine thats running windows and you are trying to attack that machine make sure to specify it to be on Bridged Adapter the same you did for Kali Linux Virtual Machine!


Student

Guys does it work for windows 10 or only windows10 because is launching long.  man I perform it … wtf why?


Instructor

No it does not work on Windows 10. Double-pulsar attack can only be performed on Windows 7 Host that hasn’t been updated for at least 2 years!


Student

Guys why it’s not working the hack multi/handler payload

In my own pc it works.  On the others no and I tried?  Does it work for windows?


Instructor

You are trying to attack your router at IP of 192.168.1.1 which most likely doesn’t have tomcat or isn’t vulnerable to the attack. Make sure to test attacks on vulnerable targets!


Student

Guys I have a question.  when I download the owasp.  I will be able to hack others pc like not mines?


Instructor

The owasp is made vulnerable on purpose so you can test and practice already known exploits! It has nothing to do with hacking other PCs. The only way to hack other PCs is if they haven’t been updated for a long time or if they are running a vulnerable software which can be exploited. The only current way for hacking up to date PCs is over meterpreter payload which needs to be delivered either over some link, gmail, usb or similar!


Student

So the payload dont works to connect others pcs.  yeah that’s what I am saying sending payload for example image does it work to hack pc?


Instructor

The payload you specified in the screenshot doesn’t work to hack other PCs.


Student

I don’t get any error it just exploits my pc the others no?


Instructor

Make sure to be on the same Local Network as the other PC as you are running the attack with local IP address specified as LHOST. If your target is not in your LAN the attack will not work unless you perform a port forward or use ngrok!

Why Learn Cyber Security in 2019?

You are about to experience an awesome ethical hacking course completely for free with brand new tutorials just created in February 2019 that will empower you to go from knowing absolutely nothing about hacking into getting started today.

You might wonder, why would I want to learn ethical hacking? What is it?

Ethical hacking is just hacking used for good, to help people secure their websites, their applications, and their online properties.

Ethical hacking is an extremely valuable job skill that the more applications, the more website, the more software that is created, the more ethical hackers are needed to keep these things secure, to proactively find the vulnerabilities before real hackers or black hat hackers find them.

This is a very valuable job skill that you can work on Upwork and other websites online, and you can get a full-time job in this almost anywhere in the world. You can see people right here on Upwork earning a fortune and earning great hourly rates all over the world to do ethical hacking.

I just put in “ethical hacking,” and I filtered for 10K plus earned to show you the ones who have been working consistently in ethical hacking.

You can see anywhere from $10 an hour at the very lowest as a security consultant to over $100 an hour to be an ethical hacker that is certified and experienced with a consistent job success.

This is why I have executive produced this video course for you, to give you this free very valuable skills here to help you get these same results in your life online.

What you are about to watch is a free preview from our “Master Ethical Hacking in 2019“ course available on hour next-generation educational marketplace, Uthena.com.

You can see that as of today, the course has got six sections of videos from introduction and installation, basic commands, prepare your lab, footprinting, scanning, and web penetration testing.

All of these are included for you for free in what you are about to read or watch on YouTube, starting with the introduction from your instructor, then a Virtual Box installation tutorial, next a Kali Linux installation tutorial, then going full screen in Kali Linux followed by basic commands, preparing your lab from changing IP address and setting up a wireless adapter to creating a bootable Kali USB, and different terms you need to know for networking and hacking, and a few things to do after making the installation, changing your mac address.

All of these you can look in the description of the YouTube video and find a time point that allows you to skip straight to that time. If for example, you just want to go straight to important networking terms, then jump back to change your IP address, then go into footprinting, you can look for the time points and click down in the video, and skip straight to those sections.

After you are done with footprinting, then we have got scanning, including Metasploitable, Nmap, Zenmap, TCPscans, then into web penetration testing.

These are the videos that we have produced in just three weeks for this course working together with the instructor. We have planned 20 plus hours total for this course for you over the next few weeks. We have got seven hours already in the course, all that you are going to get to watch in this video.

When you buy the course on Uthena, you also get lifetime access and first immediate access to all the videos that come up. You get no ads on it and you get a 30-day money back guarantee.

You will either love this course, or we will be happy to give you a refund. You also get a Facebook group and Discord channel that you can join where you can ask questions and network with your fellow students.

If you would like to buy the course, will you please buy it today because I imagine you will love watching the course on Uthena with no ads and no distractions.

If you would like the very best value, you can get the Ethical Hacking Forever Course Bundle, which has three new courses that are actively being produced right now.

There are over 10 hours of video in this bundle now. I imagine there will be hundreds of hours of bundles soon.

The “Ethical Hacking Forever Course Bundle” gives you all of the ethical hacking courses I make forever, which means the ones for 2020 and 2021, and all of the advanced courses, all of these will go in this Ethical Hacking Forever Course Bundle that I’ve just launched today with this video, starting with these three courses to begin and all of the courses to come.

A forever bundle means that you buy this one bundle and I indefinitely add courses to it for you. Every time there is a new version of the course, you will get that right away for $48.81 today.

Thank you very much for getting started with “Master Ethical Hacking in 2019.”

It’s time now to start with the “Before We Begin!” section with your instructor.

I’m Jerry Banfield.

Thank you very much for reading this.

I imagine you are going to love what’s next.

Best Hacking Course for Beginners in 2019?

Hello everyone, and welcome to this “Online Ethical Hacking” course.

Now, before we begin, I would like to talk about a few things that you might be interested in, such as the legal side of using the things that you will learn in this course.

You are probably wondering what could possibly make this course different from any other course you attended online or any other course you watched on YouTube, Udemy, or basically anywhere else.

Let me first answer the second question.

There is a difference between this course and other courses that you probably watched.

First of all, I decided to split this course into three sections, the beginner section, the intermediate section, and the advanced section.

Now, the thing that differs in this course from other courses is the advanced section.

What we will be doing in the advanced section is making our own tools, we will be coding our own advanced tools, and not the basic kinds of tools. Most likely we will be coding our own Metasploit framework, for example.

This means we will be coding our own command and control center that can receive many connections from other PCs, not just one. We will be coding in the advanced reverse shell, backdoor, keyloggers and many other tools used by ethical hackers.

Now, if you don’t know what these tools do yet, we will be covering all those in the beginner and in the intermediate section, but we will be covering the tools from other people. In the advanced section, we will be making the same tools just by ourselves.

Now, the programming languages that we will be using are Python and C because I find those programming languages mostly used by ethical hackers.

C is a low-level language and it is harder than Python, and things that you can do with Python in like three lines takes you about 20 lines in C.

We will be covering both of those programming languages, Python so that you can make things faster and C so that you can understand things better.

We will also be covering in the advanced section a little bit of assembly language, which we will be using for our exploit development part.

Now, for you that are wondering what we will be doing in the beginner section, we will be covering the installation of Virtual Box and Kali Linux.

Virtual Box is basically a program that allows us to make our own virtual machine. We use a virtual machine so we don’t crash anything in our main machine. If we make a mistake, or if we delete a file we shouldn’t delete, it will basically just stay on the virtual machine, and if it doesn’t work anymore, we can just delete it and start over again.

This file is the Kali Linux.

Kali Linux is a Linux distribution, or an operating system that is used for ethical hacking and penetration testing.

Now you might be asking, why is it used for that?

Well, basically it comes preinstalled with some of the best-known tools used for ethical hacking.

It comes with a bunch of programs that we will use and cover in the next tutorials. In the intermediate section, we will be covering those tools that are pre-built into Kali Linux and also some of the tools that are not built into the Kali Linux.

We will be downloading those tools from the online GitHub repository from other people who made them.

As I said, later in the advanced course, we will be making our own tools.

Now, there is also one more important thing I should mention, which is the legal use of these methods that you will learn in this course.

You should not be using these methods on any device or website you do not own or on any device or website you do not have permission to use. It can get you into some serious trouble and possibly jail time if you make a big mistake.

So please, do not test any of these methods on devices you do not own. We can make all of the things we need in our virtual environment and we can do our attacks from there.

Now that’s about it.

I hope you will enjoy this course and I hope I see you in the next lecture where we will be downloading Virtual Boxand Kali Linux.

I hope I see you there and take care.

VirtualBox Installation Tutorial 2019

In this post I’m going to show you how to download the VirtualBox program and the Kali Linux distribution that we need in order to start hacking.

First, just open up your Google Chrome or Firefox and type “Virtualbox” in the search bar.

It should lead you to this page where you just click on the first link, which is virtualbox.org and basically as you can see right here, we have this green button that says: “Download VirtualBox 6.0.”

At this time, the version is currently 6.0, but it might be a higher version when you start this tutorial depending on whether they upgrade the version or not.

So, just click on the green button to download VirtualBox 6.0 and it will lead us to this site where we can choose our platform.

I am running this on Windows 10, so I will click on the “Windows host.” If you are running this on Linux, which I honestly doubt, you can click here on the Linux distributions, and we also have “OS X hosts” and “Solaris hosts.”

It started downloading the setup program for the VirtualBox and it is 210 megabytes large, which will take me some time because my Internet is not that fast. It is around one megabyte per second, so this will take around three minutes.

Now, while this is downloading, we will go to the Kali Linux page, which you can find by simply typing “Kali Linux”in your search engine. This will lead you to this first link right here, which says, “Kali Linux, penetration testing and ethical hacking on Linux distribution.”

Here we can see the developer Offensive Security. The initial release was on 13 March 2013, which was five years ago.

We just click on the first link and it will lead us to the official site of Kali Linux.

Now, what we want to do is download the distribution. So we just click on the “Downloads” menu and select “Download Kali Linux.”

Basically it will give us a bunch of these options, a bunch of these different versions of Kali Linux.

Now, the two versions that you will be interested in are these two: Kali Linux 64 Bit and Kali Linux 32 Bit.

My machine is a 64-bit machine, so I will be downloading the 64-bit Kali Linux, but if you are running this on a 32-bit machine, you can download the Kali Linux 32-bit version.

They are basically both around the same size. The 32 Bit is a little bit larger. I don’t know why, but both are around three gigabytes large. The current version of the Kali Linux is 2018.4, and at the time you are downloading, this might be a higher version.

We will just click here on HTTP, you can download over Torrent if you want to, but I will download through my browser and I will just click the link and it should start the download for me.

As I said earlier, my Internet is really slow, so this will take around 6 hours for me.

We won’t be waiting that much, so I will just cut the tutorial until this download finishes and we can continue from there.

As you can see right here, we got the two files that we need, the VirtualBox setup program and the Kali Linux ISOfile, which is our operating system that we will install.

First of all, we will install the VirtualBox.

So, just double click on the file that you downloaded and it should start up a welcome box first that says, “Welcome to the Oracle VM VirtualBox.”

Basically, this is just a welcome message for you and we will just click “Next” right here, and it will lead us to this setup window.

Now, if you want to, you can change your things, but I really don’t like to mess with this stuff. It’s basically already configured as you will need it, so I won’t change here anything.

I will just go to “Next.”

Here on this window, you can just check if you want to make a desktop shortcut or if you want to create Start menu entries.

Basically, I just leave all of these checked. If you do not want a desktop shortcut, just uncheck it, simple as that, and we can proceed to the next step.

Now, this is a warning that pops up every time you install the VirtualBox. It basically says that while installing you might be disconnected from the Internet, which hasn’t happened to me and I installed this like a lot of times.

It might happen to you, so if you are running this or if you are running anything important in the background over the Internet, you might want to wait until that download or anything you are doing finishes before you press “Yes”right here.

Since I’m not running anything at the moment, I will just click “Yes” and we can click “Install” to begin the installation.

Now, this might take a few minutes, around 5 minutes I believe. That’s how long it took me last time.

So I will just wait until this finishes and I will get back to you as soon as this is done.

Here we are.

It finished the installation process of the VirtualBox.

Now, in the point of installation it asked me for the administrator password, so it probably asked you as well. Just type in your administrator password and it will continue the installation.

We want to check here to start Oracle VirtualBox after installation and we just click here “Finish.”

So right now, it should open up a window for your VirtualBox.

Note that you won’t be having any of these machines right here.

These are just my machines that I previously made even before the installation in the previous version.

You won’t be having any of these Kali, Kali Linux, win7, and any of these machines right here.

This will all be empty for you.

What we want to do basically is to create a new machine together.

So, just find wherever on your version of your VirtualBox is this blue button which says “New.”

Click on it and it will open this little window right here where it will ask you for the name and the operating system you want to install.

So, basically, I will just name this “ethical hacking machine.”

You can change the machine folder if you want to. It is saved right here for me, and we want to install Linux. For me, it automatically puts Oracle (64-bit), which I want to change since Kali Linux is a Debian based distribution.

I will just find Debian (64-bit) since I installed the Kali Linux 64-bit version. Once you check all of this and once you make sure it is Debian 64-bit, we can continue on the next step.

Right here it will ask you for your memory size that you want to use. Basically, RAM memory which you want to give to this machine.

So, for example, I have 8 gigabytes of RAM memory and I will give around 4 gigabytes for this machine, which means that I will be leaving the rest of the 4 gigabytes for my main machine to run.

Now, be careful here. You do not want to over give the RAM memory because it might make your PC a lot slower and it might make the virtual machine unusable. Basically, it might even crash your PC if you just put in all the RAM memory for your VirtualBox machine.

If you have around 4 gigabytes of RAM, 2 gigabytes will be more than enough for your virtual machine, but just in case I would put here 4 since I can leave the other 4 for my main machine.

So, right now I will click on “Next” after putting 4 gigabytes of RAM and it will lead us to this window where it will basically ask us for our hard disk.

Now, it says here that the recommended size of the hard disk is 8 gigabytes, but later when it gives us that option we want to change that. We want to increase the size of the hard disk for this virtual machine.

Here it asks us if we want to create a virtual hard disk now or do not add a virtual hard disk. You want to check “Create a virtual hard disk now” and proceed with the installation.

So, here we click “Create.”

It asks now for the hard disk file type. We want the VirtualBox disk image to be checked, so just check the dot here and click on “Next.”

Basically, here it asks if you want to make your hard disk dynamically allocated or fixed size.

It depends on what you want.

“Fixed size” will already use the entire memory you gave to the hard disk. So if I give 20 gigabytes of memory from my hard disk, it will already mark those in those gigabytes as used while if you pick “dynamically allocated,” it will just fill in as the time goes. This means it won’t allocate any memory for your hard disk, it will just dynamically fill in while you install some of the files on your VirtualBox machine.

So because “fixed size” takes a little bit more time to create, we will just click “dynamically allocated,” but you can put here “fixed size” as it will make your machine a little bit faster.

Right now, I will just click on “dynamically allocated” and click on “Next.”

Here it asks us for the size of our hard disk, which is preset with 8 gigabytes. The recommended size is at least 8gigabytes.

I will put here around 30 gigabytes for this virtual machine, but around 15 or 20 will be more than enough for you since the files of Linux are not that big and we won’t be downloading any major files, possibly around a few megabytes big files.

So I will just click here on 30. Let’s see 30 or we can leave on 29.9 and click on “Create.”

Now, as you can see right here, it created the “ethical hacking machine” for us or whatever name you put it, and it is currently in the state of powered off.

What we want to do before powering on the machine is to give it the Kali Linux ISO file that we previously installed from the Kali Linux page.

We want to plug in our operating system, and how do we do that?

We will basically just click on the machine, which in my case is “ethical hacking machine” and go here on “Settings.”

It will open up this window with a bunch of different settings as you can see: General, System, Display and Storage.

Let’s go through all of this.

Here, in “General,” is what we set at the beginning.

So, Linux Debian 64.

The “Advanced” tab with “Snapshot folder, Shared clipboard, Drag and drop.”

Well, basically these options right here allow you to drag files from your main machine to your virtual machine. You can just take a folder and drag it onto the desktop of your virtual machine, which I will show later. We do not care about this now.

Then, “Disk Encryption.”

We did not put any disk encryption and we won’t until the advanced section. Basically what “disk encryption”means is that you will encrypt your entire hard disk of the virtual machine, so even if someone knows your login password, they won’t be able to log in unless they know the password of the encryption.

The encryption I believe that is used is AES 256-bit. I’m not really sure. It basically encrypts your entire operating system and all of the files you have on your PC or in this case on your virtual machine.

We will be covering the disk encryption in the advanced section when we will be installing Kali Linux again just with the disk encryption enabled.

So now we go to the “System” and here we can see our base memory, which I set on 4 gigabytes of RAM.

You might have set on 2 gigabytes, which is also enough.

The “Processor” part.

I have 4 cores on my CPU and here it gave only one core automatically to my virtual machine, which is more than enough, but I like to put 2 because it makes it work a little bit faster and it might help in some use of other programs later on.

Down here on the “Execution Cap” is the amount percentage that you want each CPU to use. If I put here 1 CPUand 53%, it will only use the 53% of one of the cores of my quad-core CPU.

So I will just put here a 100% and 2 CPUs right here.

You do not need this much, one core is more than enough for this, but if you want and if you have more cores to spare, you can set here 2.

On the “Display,” we don’t really care about this and here on the “Storage,” we want to insert our Kali Linux ISO file.

Now, under the “Controller IDE,” we want to go to this “Empty” here and right click to then click “Remove Attachment.”

It will ask you if you are sure you want to delete.

Yes, we are.

Click “Remove.”

Now, under the “Controller IDE,” you click on the disk with the “+” sign and you click here on “Choose disk.”

It will basically open this up and it will ask you to search for the Kali Linux ISO file.

For me, it is right here on the desktop. For you, wherever you set it.

So, I will just select this file and click on “Choose.”

Right now, we have set our operating system and we are good to go.

So, for this time all of this and the other settings don’t really matter for us.

We will be covering, after the installation, the network part of the settings, but for now, we are good to go.

So if you have this set right here, just click “OK” and you are ready to start the machine.

Now, I will continue the installation of Kali Linux in the next tutorial, so I hope I will see you there.

Bye.

Kali Linux Installation Tutorial

In the last tutorial we installed VirtualBox and we set up all of the settings for our virtual machine.

If you have done all the things in the previous tutorial and you have double-checked these settings, we are good to go right now.

Just click here on the “Start” button to start the machine. Make sure you set the right machine “ethical hacking machine” and you can have a look at your settings.

It will start the process of installation of our Kali Linux right now. You might be wondering if this machine will be a little bit slow.

Well, basically, it depends on your entire PC. If you have a good PC, the virtual machine should not have a problem to run.

As we can see right here, it basically gave us the boot menu of Kali Linux and there are a bunch of these options, which are basically just live versions of the Kali Linux.

We do not want to boot into the live version since there is no point to do that. Basically, the two options that we are interested in are “install” or “graphical install.”

Now you can pick any of these two you like. I usually go with the install, but graphical install is also the same as the install, just a little bit more prettier.

I got used to the install, so I will just click on here. You can go to the graphical if you want to.

I will just click on the “install” and we can see that it takes some time.

The first thing that pops up is the language selection. Here you can select any language you pretty much like depending wherever you are from. For the purpose of this tutorial, I will be selecting “English.”

I just found “English” and I will click “Enter” right here.

You might notice that your cursor does not work on the virtual machine for now because we are in the process of installing the operating system, so you need to navigate all the settings with your keyboard, most likely with your arrows.

Right now, it asks us to select our location.

I am from Europe, but I will just select here United States because it doesn’t really matter. We can change it later if we want to.

For now, I will just leave it on United States.

This is the keyboard configuration window. It basically asks you what kind of keyboard you want.

Now, I didn’t even know there are this much configuration for keyboards. I always pick here American English, so I will do the same right now.

You can take any of these if you would like to. I just don’t know what kind of keyboard configuration tiers are, but if you know, you can pick here Belgian or any other like Arabic or Albanian, it doesn’t really matter.

So, I will just pick here American English and right here it is loading some additional components as it says on the screen.

Basically, this process of installation will take some time.

Once it starts installing all the files it needs, it will pretty much take around 30 to 40 minutes for it to finish and, in the meantime, it will ask some of the questions, which I will cover, of course, but it actually depends for different virtual machines and how much the process will take.

So, here it says, “Configuring the network.”

You can name it basically whatever you want.

I will just click on “Continue” and for configuring the domain name, I will just leave it blank because I don’t really need it.

As you can see right here it says, “The domain name is the part of your Internet address to the right of your host name. It is often something that ends in .com, .net, .edu or .org.”

Now, if you need it, you can put it right here, but I don’t need it right now, so I will just click on “Continue” and here it will ask us for our root password.

You might be asking, if you are a beginner, what is root?

Well, root is like an administrator on the Windows machine, just basically with a lot more privilege.

With root account, you can basically do whatever you want on the machine and there are no limits.

If you would like to delete all the files from the machine or crash the entire computer, you can do that with a simple command in root user.

Now into Kali Linux, we will be almost always using the root user since as I said it has most of the privileges and it can do things some other users can’t.

So, you are just setting the password for a root user and that password can be anything you like.

Here I will just type in “test1234.”

You can check it to show the password in clear if you would like to.

Now, just click on “Continue” right here, then it will ask me to reconfirm the password.

So I will just type here again “test1234” and I will go on “Continue.”

This is the clock configuration.

Select your time zone as it says right here. You can select any time zone you want.

I will just go with the “Eastern” and right now I believe it should start the process of installation.

Oh, yes. I forgot about this.

For the partitioning disk, now this is the part where I talked about before in the settings area where it asks if you want to encrypt your hard disk or not.

Right now, since this is a beginner section, we do not want an encrypted hard disk, but later on, I will show you how to install the version with the entire hard disk encrypted.

So just go here on “Guided – use the entire disk,” click “Enter” and select the disk to partition and click “Enter” right here.

Here it says 32 gigabytes since the last tutorial, we selected our hard disk to be 32 gigabytes large.

Just click on “Enter” and basically, here it asks if you want to separate the /home, /var, and /tmp partitions, but for the new users it is recommended not to do that.

Basically, we will just go with the four files in one partition.

So select that option and click “Enter.”

And here it just basically re-asks us if we want to undo some of the previous configurations. We do not want that, we want to click on “Finish partitioning and write the changes to the disk.”

Then it will ask us “Write the change to disk, yes or no?”

We click here, “Yes.”

Right now it started the process of installing the system. This will take around 30 to 40 minutes, maybe less, maybe more, depending on your computer.

So I will see you when this finishes.

All right, my process of installation has finished.

It took around I believe 15 minutes, so it shouldn’t take much more for you and here we have the first question that popped up, which is, “Do you want to use a network mirror?”

Here it says, “A network mirror can be used to supplement the software that is included in the CD-ROM. This may also make newer versions of software available.”

So, here you want to click on “Yes” and proceed to the next question, which it will ask you for the HTTP proxy information. We will just leave blank for none. We do not care about that at the moment.

So just go on and continue, and right now it will basically just configure the APT and I believe the next question will be something about the GRUB boot loader or master boot loader, which asks us if we have another operating system running on this machine.

If we don’t, we want to install the master boot loader and if we do have, which I honestly doubt since we are installing a virtual machine and this is the only operating system on it, you want to be careful if you are putting this on to your main PC since it might mess up with your Windows 10 if you are dual booting it with Kali Linux.

So, you want to be careful, but if you are running this as an only operating system whether it is in the virtual machine or just as a main operating system on your host machine, you want to install GRUB.

I believe the question will pop up in a few seconds, so we will just wait for it a little bit.

Here it is.

It is installing GRUB loader and I believe in a few seconds or possibly a minute or two, it will prompt us with the last question, I believe.

After that, it should finish the process of installation and it should put us into our Kali Linux login screen.

We will just wait on this and here it is.

So basically it says, “Install the GRUB boot loader on a hard disk” and we will read this so you understand it a little bit better.

“It seems that this new installation is the only operating system on this computer. If so, it should be safe to install the GRUB boot loader to the master boot record of your first hard drive.”

So it just says that if this is the only operating system, you should be installing the GRUB boot loader to the master boot record, but be aware if it is not, if you are dual booting it with another system, it might cause some trouble.

But since we are not, we will just click on “Yes” because we want to install and here it will ask if we want to enter the device manually. We do not want to and we just go down here on /dev/sda and hit “Enter.”

Right now it should finish the installation and in a few seconds we should be booting up into our Kali Linuxmachine.

I just noticed that there was another question that popped up. This is more directed to those who installed the Kali Linux in the host machine because they would probably be installing it from the USB Drive and it basically just says that if the installation is complete, you can remove the USB Drive so you just don’t reboot into the installation process again.

Since we are on a virtual machine and we didn’t put in from the USB Drive, we will just click on “Continue” without taking any action.

So just click here “Continue.”

If you did, however, boot from the USB Drive on your host machine, you want to remove the USB Drive, and then click on the “Continue” button.

So here it is.

The finishing installation is on 60%.

After a few minutes, our installation has finished and now we are booting in.

While this process is taking, just don’t click on anything.

Now, my installation has finished and we are booting into our Kali Linux machine.

For the first time, it might take you a few minutes to boot in. It surely will take for me at least like five minutes to just load up the desktop, but don’t worry.

After the installation is finished we will install some of the programs we need in order to run this, for example, as a full screen, because if I spread this window the machine itself won’t go full screen.

It will just stay this big and basically will have this white space around it. We will fix that in the next tutorial.

From now on, let’s just log in.

So, you might not know this but it will prompt you with a username first and it will prompt you for a username for your root account, and on all the Linux distributions the username for the root account is “root.”

Basically it’s just “root.”

So just type in “root.”

It will be the same for you and click on the “Next” button and it will ask you for your password now, whatever your password was that you typed in the process of installation, just type it again right here.

For me, it is “test1234” and just click on the “Sign in” button, and it should open up our desktop.

Now, this might take a few seconds or minutes because it’s the first time, so we will just wait and here it is.

It opened up my desktop.

Now as I said we will be installing the full-screen mode for the Kali Linux in the next tutorial.

From now on, if you want to, you can experiment with a little bit of this. We will be covering all these programs and we will be covering all of these commands in the terminal.

But more about that later and in the next section, we are going to install the full screen and I hope I see you there.

Peace.

Going Full Screen in Kali Linux!

In this tutorial, we will be installing full-screen mode in Kali Linux.

In previous tutorials, we installed Virtual Box and we put up our Kali Linux machine. 

So right now you should be seeing same as I do in this little screen right here. The first thing we want to do for this tutorial, you basically just want to follow up with my commands. 

I will explain all these commands later on, but for now, just for the sake of installing the full-screen mode, you want to click on this right here, which is the Linux terminal. 

It should open up this box which basically we use to give commands to the operating system to the machine itself.

Now as you can see, the root part basically represents the account that we are on. So currently we are on the root account and the Kali is the host name you gave to this machine. 

So this part should be the same for us and this part could be anything you named it in the process of installation. Just for now, we want to go to the Firefox, which is at the top of the list of the programs. You want to go to the Firefox and click on this. 

I believe it will open up the Kali Linux page automatically, which we need in this case in order to take some of the things it provides us right here. 

So just one second. It says "Welcome to Firefox."

Here we can see as the most visited sites, even though we haven't visited anything yet, it basically just says Offensive Security, Kali Linux, Kali Docs, Kali Tools and Exploit-DB.

We basically right now want to go to the Kali Docs and it is a little bit slow. It should load up any moment. It might be just taking a lot of time because this is the first time opening Firefox in this virtual machine. 

There it is. It opened it.  

Now, once it loaded this page as I said you want to go to Kali docs and you want to scroll down. Basically, you want to find the "social sources" of these repositories. It should be anywhere here. 

Here it is: "Kali sources.list repositories." 

It should be named the same for you, and just click here on that. It will lead us to this page where we want to copy the "Kali regular repositories."

It says here on a standard clean install of Kali Linux, you should have the following entry present in etc/apt/sources.lists. 

Now, we will copy this just in case we don't have it, but we probably do. Just in case, we will copy it. You can close this page now. 

And now we want to use our terminal for the first time. So just follow up with these commands. You do not need to wonder at the moment what they do. Just type in the same as I do and you should be good to go. 

We want to go to the etc/apt/sources.lists. 

Pardon me. 

Just go cd/etc/apt and as you can see we changed our directory to etc/apt, and we want to open sources.list. 

So just type in "nano sources.list." 

Click enter and it should open up this page. 

Now it should look similar as mine does, and basically, these are just a bunch of Linux repositories from where you will do your updates of the system. All of these, which have hash before them are not being used while you are updating the system. 

So if we delete this hash, something that was after the hash will be used in the updating section, but currently, we only want this here. So if you do not have this, just copy paste the thing that we copied from the repository, and just click here.

Right click, paste and it will basically copy the same thing right here. You didn't need to do that because it was already there. But in case it wasn't there, you want to copy and paste it right here. 

Basically, I know you can copy it at the top or at the bottom because all of these others with hash will not be used. So we want to save this file and it says right here to write out, which means to save. We want to press CTRL + O.

It will ask us "File Name to Write: sources.lists."

Just click here Enter.

In order to close this, click CTRL+Y or Z depending on your keyboard. So once again, we want to go to nano sources.list. 

This is just me recapturing what just happened. You copy and paste this right here without hash. So this thing that we copied from the website. You press CTRL + O to save, Enter, and then CTRL + Y or Z. 

There we go. So now that you did that, you want to go with "apt update" command. This shall update our apt which will basically just, if in case we change something in the sources of this, it will update that.

But since we didn't, we only just copy and pasted the thing that was already there, we do not need to do this, but we will do it just in case. 

So click here on "apt update" and it will connect to the Kali download or basically any site that you have linked in the sources.lists file, and it will check for any updates there. Since we only have one repository listed there, it only took it from there, but there are currently no new updates, only upgrades that we will do at the end of this tutorial. 

So right now what you want to do is go type in this command. First off, if you want to clear the screen and make it a little bit prettier, just type in "clear" and it will clear everything from here.

Now what we want to do is type in "apt install linux-headers-$(uname -r)."

We want to type in this command, which in most cases won't work. Right now, as you can see, it will give us some of the errors. 

"Unable to locate package and Linux headers."

These Linux headers, it is unable to locate it. 

So now what we want to do first of all to check what your Linux header version is, you can type "uname –r."

Just type in that and it will give us our current headers version, which is 4.18.0. 

Now, what we want to do is basically find the new Linux headers version. We want to type "apt install linux-headers-."

I'm not really sure how it's called in English, but this is basically on SHIFT + 8 for me. It is probably for you as well. Just click here, Enter, and it will give us a bunch of these options which we do not want to install.

So it will say, "Do you want to continue?"

We want to press here, "No." We just wanted to check here for the Linux headers current version, which is usually going to be the first one, but basically, you are just searching something that looks like this.

We can see right here since our version was 4.18.O, the current and new version one is 4.19.0. So we just need to copy this part of the section. So "4.19.0-kali1-amd64."

Just copy it, and now that we copy that, you can clear the screen again. Type in this command: "Apt install linux-image."

And here now we paste the thing that we copied, which is our new version, which is 4.19.0-kali1-amd64. 

Now, in the time of you watching this, it might not be this version. So don't just type in what I type here and follow the process and just copy the current version, the newer version and use it in this command. 

So, apt install linux-image-4.19.0, which we query and it will basically download the new version or Linux headers. 

Now after this process, which will take I believe, a few minutes, maybe even less, we want to reboot the system. 

I will catch up when these finishes. 

Now we can see that it finished the installation of Linux headers. So first thing we want to do after that is reboot our machine. Just type in "reboot" and it will restart your Kali Linux machine. We want to just click X on this, so it doesn't bother us, and now we wait for the machine to boot up and a few more commands right after that, then we are ready to go.  

After the installation of full-screen mode, I will be showing you some of the basic commands in the Linux terminal, which you need to know in order to continue with the learning of ethical hacking.

Those were just some of the basics you must know in order to get yourself used to the Linux operating system and in order to run some of the programs. So it is essential for you to learn them. There are like thousands and thousands of commands. You do not need to know all of them, just like 20 basic commands and all of the others, you can search on the Internet for your own needs.

So here it put it up into our login screen. Once again, we type in "root" as username and password, which is "test1234" for me, and right now we want to install Linux headers. 

We downloaded them last time, the image version of our headers version and now we want to install the current Linux headers from the terminal. So just go on the terminal. If you do not have it for some reason right here, you can open it with right click on the desktop.

Now we want to run this command, which is "apt install." 

Here we go, "apt install linux-headers-$(uname -r)."

Now, basically what this means, in case you are wondering the dollar sign means that after this minus sign, it will just put the output of this comment. So let's delete this.  

As I showed you before, the output "uname -r" command will be our current Linux headers version, which was before 4.18.0, but since we updated it, it should be 4.19.0. 

As we can see, we successfully updated it last time. So now when we run this command that we typed a few seconds ago, "apt install linux-headers-$(uname -r)" it will just paste the output of "uname –r" instead of the dollar sign.

Just click here Enter on this command. It will ask you, "Do you want to continue?"

We want to click here, y. 

Just type here "y" for Yes, "N" for No. 

We want to continue and it will install our Linux headers new version. Now I'm not sure how long this will take. It could take a few seconds or a few minutes. I will be back when it is over. 

Now as we can see, this has finished. It basically took around one to two minutes.

The next thing we want to go is on the devices in the upper left corner, fifth from the start. So devices and we want to go insert "Guest Additions Image."

It will ask us a question if we want to automatically start it. We intended it to be on. We do not want to automatically start it since it will not work. 

Now, we want to run this command: "cd/media/cdrom."

Once you type that, you will go to this directory, which is /media/cdrom and here if you type "ls," which is listing all the files in that directory, it will give us a bunch of files. In most, we are not even interested. So we are only interested in this file, VboxLinuxAdditions.run

Now what we want to do is change the mode of this VboxLinuxAdditions.run. If it is not already an executable for you, you just type in this command, which basically this "chmod" stands for change mode, +x stands for making it an executable. 

We want to type the name of the file. You can type it like me or you can just copy and paste it. Here I will show you. Copy paste and it will change the mode. 

Now it will say that changing permissions is read-only file system. It doesn't matter for now. It might work for you, it might not work for you. Basically, it just doesn't matter since it is already an executable for me. 

So you just type in the next command, which is the last command and we just copy paste the same thing. So "sh ./VboxLinuxAdditions.run" and then the name of the file, and you just run this and it should install the Virtual Box Guest Additions, which will hopefully make our machine full screen. This shouldn't take a lot of time I believe. We will see. After the installation of this, our machine should be full screen.

My virtual machine crashed for some reason. Not really sure why. After the last command is finished, which was "sh ./VboxLinuxAdditions.run" it crashed after that. 

So I just restarted the machine and now it is full screen. In case yours crashes as well, just try rebooting the machine and it should go full screen. 

Right now if I type in "root" and "test1234" you can see that the machine is right now going full screen. There is no white space around the virtual machine. It is full screen and if you want to remove the lower and upper part as well, you can just go on "View" and go full-screen mode. 

Right now our machine is full screen. We can open a terminal, we can enlarge it, and now we have a platform to work on. 

So basically, that is that from this tutorial. 

If you had any problems or any errors, which are common in installing Virtual Box Guest Additions, there are lots of errors that occur from time to time, just copy the error and paste it in Google, and most likely you will find a solution to the problem, which will probably be just a simple command or something. 

Now, in my case, I didn't really have any error except from my virtual machine crashing, but we got the full screen and we are set to go.

Now, in the next lecture, we will cover some of the basic commands that you will almost always use from now on. 

I hope I see you there and take care. 

Basic Linux Commands Part 1!

Hello everyone and welcome back to this lecture. 

Now in this tutorial, we will be covering some of the basic Linux commands, and in order for you to get to know Linux better, the good way would be to start off with learning these basic commands that I will teach you right now. 

So to start off we just want to open up our terminal, which is this icon right here, so just click on it. It should open up this terminal and if you want to, you can enlarge it a little bit so you can see things better. 

From this box right here we will be running most of our programs, and we will be running all of the algo commands, so you better get used to this as we will be doing most of our work from here. 

So the first command I want to show you is "pwd" which stands for Print Working Directory.

So it basically just prints out the current directory that you are in, which in my case is /root. 

Now, if we wanted to change directory, we will firstly need to know what subdirectories are in /root.

In order to list all the files and all the subdirectories in /root, we can just type here "ls" which will show us all of the current subdirectories that are located in the /root directory.

As we can see, we have desktop documents, downloads, music, pictures, public and two more.  

So if for example you want to list all the files that are in the /root directory, you would do it with "ls - la" command. 

What this does is basically it will print out also these subdirectories, but it will also print out the hidden files and hidden subdirectories. We can see right here that it printed out more files than this command right here. 

As you can see, all of these files that start with a dot are not being seen in the "ls" command, and if you want to take a wide view on all of the current files in this /root directory, you can do it with the "ls - la" command. 

Now, also one important command is to clear the screen so you don't see all of this all the time. You can do it with a simple command, which basically as it says just clears. 

So type here "clear" and it should remove all of the commands that we ran previously. It should give us a new and freshly open terminal. 

For example, let's say you wanted to go to the desktop directory, which is a subdirectory of /root, you can do that with a simple two-letter command, which is basically just "cd desktop."

This "cd" stands for change directory and it will basically just put us in the desktop directory right now. As you can see right here, the terminal is now located in the /Desktop directory. 

If we type here the "pwd" command once again, it will show us that now our current directory is /root /Desktop. 

Now, let's say for example you wanted to create a file in the desktop directory. You can do that with the simple command, which is "touch" and let's say file.txt for example.

Now, if we type here "ls" which will list all the files in this directory, it will just print out the file.txt. We created the file.txt with this command right here.

So basically, the "touch" command creates files. 

Let's say that we wanted to remove this file. How do we remove that file? We remove it with also a two letter command, which is just "rm" which stands for Remove.

So we just type up here "rm file.txt" and if we type "ls" once again, which will list all the files in the directory, we will see nothing because the only file that was there was the file that we previously created, and then after deleted it. 

So let's cover that once again. 

We are currently in the /root/Desktop directory and if we want to create a file we basically type "touch file.txt."

Now, this doesn't have to be file.txt, it can be anything.txt. It can just basically be anything. 

So, for example, it doesn't even have to be .txt. 

So "touch anything" and if we type "ls" once again, we can see there is a file called "anything."

So let's do again. Let's remove it. 

We type here "rm anything" and if we type "ls" once again, it won't be there anymore. 

Now, we covered how to make files right now, but let's say we wanted to create a subdirectory in this desktop directory. So to make a directory, which is basically just a folder, you want to type the command "mkdir" which stands for Make Directory, and then type here the directory name you want to make.  

So, let's say we want to make a directory called "kali" and let's say we list right here the current desktop directory, it will have a subdirectory called "kali" that we just created. 

Now, you might notice that the subdirectories are a different color than the basic file. So let's make our file1 again, file1.txt and let's list again. You can see that the file1.txt is white while the subdirectory is blue.

So files will be a different color than subdirectories. You should know that. 

Well, it's not that important, but you will get used to it in time. 

So let's delete the file once again with the "rm" command. 

Now to delete the subdirectory, you want to use the same "rm" command, which is kali, but you will notice that if we want to delete the kali directory, it will say "cannot remove kali: Is a directory."

Now, in order for us to delete a directory, we need to add a "-r" at the end of the command. So just type here again "rm kali" and just add here "-r."

As you can see, the command works properly and if we type "ls" again, it won't be there. There is no kali directory anymore. 

So let's clear our screen with the "clear" command. 

Right now, I just want to tell you before I cut this tutorial right here that the command "rm -r" is very dangerous.

Now, you might be asking, why? 

Well, basically I will show you why. 

For example, let's create a directory called "file" for example. Here we can see with the "ls" command it's right there, and we want to change our current directory into the file directory.

We do it like this and you can see that our current path right now is /Desktop /file and we are in the directory that we previously created. 

So now let's say that we create three files right here "touch file1, touch file2, touch file3." If we type "ls" here, we can see that right now we have three files right here.

Now, why is the "rm -r" command so dangerous?

Well, if you are a root account and you just type here "rm *–r" the "-r" command deleted everything. You might be wondering so what we just deleted are three files in one command, which basically this star right here is referring to all the files in the subdirectory. 

So if you type here this command, which is "rm * -r" it will delete all of the files in the current directory, and as you can see we don't have any file left. 

Now, the reason this is so dangerous is because if we go to the root directory and type here the same command "rm * -r" it will basically delete all the files on the Linux system, which will make your Kali Linux machine crash and not work anymore.

Now, I'm not sure if they updated it and if it asks for some confirmation in order to run this command, but we will not test it right here because you will be deleting all of the files in this system. 

So for this part one tutorial that would be it. 

We will cover other commands in the part two tutorial with the basic Linux commands and I hope I see you there. 

Bye.

Basic Linux Commands Part 2

Hello everybody and welcome back to the Linux commands part two tutorial.

Now as you may see right here, I have two terminals opened. One I will just write the commands as we do them and in the other one, I will put them in a text file. 

So I will open this command.txt. 

You don't have to open this file. This is just for me so I know which commands I covered, and which I didn't, and the other one, we will just test the commands in this one.

So before we begin, I just want to mention the command that we did in the previous video, which is the "cd" command. You now know that it stands for change directory and basically just change the directory to another directory from this terminal. 

Now, for example, let's say we want to go to the documents directory. We could just type here "cd Documents." But the question now is, if for example you wanted to go one directory back, how do you do that? 

Well, there comes the simple command which also starts with "cd," but instead of typing here a directory you can just here type ‘..’ which will basically lead you one directory back. 

So if I press enter right here, it will lead me back to the previous directory, to the root directory as you can see right here, print working directory we are again in the root. 

And if we type "ls" to list the current folders and files in this directory, we will once again see the documents right here. So basically I just wanted to mention that you can change directory with the "cd" command and you can also go one directory back.

So for example if you had let's say a directory in the documents directory, I just created it with the "mkdir" command, we also covered that in the previous video, it stands for Make Directory, you can see that now in the documents directory we have another one, another directory which I basically called just "directory". 

Also, let's go to that directory and you can see that our current path right now is /Documents/directory. 

Now, in order to go back two directories, you can just type here two times "cd," and then two dots, and then "cd," then two dots and now we are going to be back once again in the root directory.

So now that we got that out of the way, I will just type it right here so I know I covered that command, and we will clear the screen for the next command. 

Now, this one is a simple command for example if you wanted to check out on which account you are currently, which most likely you will be on the root account, you can just type here the command, which basically does what it says. 

It's "whoami."

The command basically just asks, “Who is the current user of this terminal?”

Right now, as we can see, it is root. 

You can just read it from here. You don't need to even write this command. You can just read it from this first word right here, which will most likely be root unless you have another account. 

We will cover in some next videos how to make another account, which could be useful because we do not want to run all our programs as a root user because it can be dangerous. 

So in another video, we will cover how to make another user, which you could use for some potentially dangerous programs. 

So now I will just write it right here. 

This is not really that useful command, but in case you forget or in case a user is named something differently than root you can just check here with the "whoami" command.

Now, there is a command that I used in the previous videos, but never really explained what it does. It's an important command, especially if you are running some of the programs or downloading the programs which are not executables and you want to make them an executable so you can run them in your terminal. 

Now, in order to demonstrate this command, I will just go and make a folder called "programs." As we can see, it is right here and I will change my directory into that program. 

Right now I will basically just create a simple Python program that we can just call "program.py." 

It doesn't really matter. 

Right here, I will just code a simple addition program. Just give me one second. It doesn't matter at the moment what I am doing, but we will be also covering Python later on.

For example, Enter first number, b will be for example Enter second number, and c will equal a * b.

Now, this is simple to understand. We basically ask for an input for two numbers you know, just making an addition and storing it in c. Then, we can basically just print that number, that c number, the result.

So we will just type here Result equals to “+ str(c)).

I hope this works. It should probably work.

So we have here a program called "program.py" now it is a Python program, but you might notice that if we try to run that program and you do that by typing here "." then "/" and then the name of the program, you will notice that it won't work.

It will say, “Permission denied.” 

Now, why is the permission denied? 

Well, if we use a command that we covered in the previous video, which is "ls - la" we can see all the files in the current directory, also the hidden files and our program.py.

Now, what interests us here is this part right here. Basically, these are just mods that are enabled for this file. 

R stands for Read, W that stands for Write, and X stands for Execute. 

Now, you might notice that in our program.py, we don't have an X which stands for Execute, therefore, we cannot really execute that program. In order to make that program executable we want to type here "chmod + x" and then the name of the program. 

Now, if I click here enter and type here "ls - la" again, you can see now that the program changed its color and not only the color, it also added the X which stands for, as I said, "executable." 

You can see the difference from here and from here, and that's how you can check if the program is executable or not. 

So now, let's clear the screen.

Now, if you wanted to, you can run the program. 

It will ask us, “Enter first number,” let's say 3, “Enter second number,” four, and it will say, “Result equals to 12.” 

Now, this command is important and you should learn.

It can be used to make any program that is not executable an executable. So now that we have got that command out of the way, I will just remove this. Well, actually I will leave it right here. Maybe we will use it for another command such as "cat." 

Let's cover that command right now.

The command "cat" basically just prints out the contents of the file into our own terminal as an output. 

So if we type here "cat" and then the name of our file, it will just print out the code that we just typed as you can see right here. It can be used so you don't really open the file in order to read it like this. You can just print it out in the terminal with the "cat" command and it will just print out all the contents from the file.

Now, that is not the main use of this command. Basically, the main use of this command would probably be in some of the bigger files where you just want to find a certain thing in them. 

In order to demonstrate what I mean, we will combine the "cat" command with another command called "grep." 

Now, basically what "grep" does is if you want to list for example a huge file with a bunch of words, and from that huge file you want to put aside all the words that contain "password" in them. 

Let me just demonstrate. Maybe it's easier if I demonstrate it. 

Now, we will create in programs file another file, which will be called words.txt and here we will just type here a bunch of words, then 123password123, then a bunch of words, and for example abcpasswordx, for example, and then a bunch of other random stuff.

Now, if we save this file, CTRL + O to save, enter to save under that name and CTRL + X to close.

We can see that right here we have that words.txt file. 

Now, in order to see the contents of that file, as I said we can just type "cat words.txt" and we will see all of those words. Here we can with our own eyes find all the words that contain "password" in them.

But let's say for example that this file was much bigger with millions and millions of words, you couldn't possibly just go through all of those words and just find by yourself all of those words that contain "password" in them. 

So what you want to do is combine the "cat" command with the "grep" command.

How do we do that? 

Well, basically we just start off the same command "cat words.txt" and then we basically pipe the "grep" command.

How do we pipe? 

Well, basically this straight line, just type it right here, then you type here "grep" and then the word that you want to be contained in the other words.

So for example "password" in our case. 

Now, what this will do, it will list all the words that contain the word "password" in them. As we see, it only listed two words which is "abcpasswordx" and "123password123."

So it is also a very important mix of two commands, which we will be using a lot. At least, I am using it a lot in my case. 

Let's continue with another command, which can be right now "echo."

Basically, with "echo" you can just add a word into another file without opening it. 

So, if we want to add "John" as a word into file words.txt. you just type "echo John" then this arrow that points to the right, and then "words.txt." 

As you can see, the command worked and right now if we "cat words.txt" it will only be "John."

Now, you might be asking, “Where did the other words go?” 

Well, if you use the "echo" command, it will basically rewrite the entire text file. So from those bunch of words, it basically deleted all of them and just put "John" in there. 

Now, if we use another word, let's say "echo Jake" into words.txt and we "cat" once again words.txt, we can see that John is no longer there, it's only "Jake."

So let me just type here the "echo" command.

One more thing you want to know, which I probably should have mentioned at the beginning and it is really important, is this command right here "apt update""apt -upgrade."

Now, this basically is referring to your Kali Linux repositories, and it will basically just check for the updates from there, and in case there are some updates it will download them and you can install the updates with the "apt upgrade" command.

Now, you want to run this command as you finish the installation of Kali Linux, but we will be doing that command in our next video because the "apt upgrade" command will take, after the installation, I believe about an hour in order to finish.

It will download just a bunch of other files and upgrade them, and I don't even know what not. It will just take a lot of time. That's what I know. So we will be doing that command at the end.

So right now, if you want to check out the history of all of the commands you typed previously in this current session of terminal, you can just do that with the simple command which says "history."

It just print right here all the commands that I ran before. So as you can see right here, these are all the commands that we ran before. It's not that useful, but you might need it sometime. I don't use it that much. 

The next command we want to do, let's say for example you want to copy the program.py file into another directory. 

So we will just create another directory in this programs directory. We will call it "test" for example, and now you can see that we have the "test" directory, which is blue and the green program.py file, which is an executable. 

Now, for example, you want to copy this file into the "test" directory. We do that with a simple "cp" command. Well, "cp" basically stands for "copy" and you just type here the file that you want to copy, which in our case is "program.py" and then you type here the directory you want to copy it in, and in our case it is "test."

So just press enter and basically, as you can see right now, if we change directory to "test" we will have also a program.py there and they are identical.

So if we "cat" this program.py in "test" directory, then we go one directory back and "cat" here a program.py, they are basically identical because we copied them. 

So let me just put here the "cp" command. We finish that command. But let's say for example you didn't want to copy that file. Let me just delete it from the "text" directory. You wanted to move it. It is no longer here.  

If you wanted to remove it from the "programs" directory into the "test" directory, you do that with the "mv" command, which stands for "move," to move program.py to the directory where we want to move it, "test" in our case. 

You can see right now that if we type here "ls" in order to list all the files, we can see that the program.py is no longer here, it is now moved to the "test" directory.

So we type here "ls" in the "test" directory, and now it is only here. 

Now, this command can be used for two things. In order to move files from one directory to another directory, and in order to rename files.

So for example, if I type here "move program.py" and then I don't specify a directory where I want to move it, but I specify another name for the file. Let's say "anothername.py" which is not a directory, it is a file, it will rename the "program.py" into "anothername.py."

As we can see right here, there is no program.py now, the program is called "anothername.py" and if we "cat" it right here, we can see that it is the same program that we typed before.

So it is also important to know that it can be used for two things, which is rename and move, just so you know. 

Right now, we can cover some of the more basic commands such as "man."

Now, this command basically is used for opening a manual for any other command.  

So, if we type here "man cat" it will open us a file which will basically give you all the options available for the "cat" command.

As you can see right here, it can be used for any other command. So basically if you type here "man cp" it will open up a manual for the "cp" command where you can see what else you can do with the "cp" command. As it says right here, copy files and directories.

Now, for example, you can type here "man history."

I don't know if it has a manual, let's see. Yes, it has the manual from the history. Basically, it shows the manual for all the other commands. These manuals are already pre-installed on Linux. You will have them with the installation of it.

You can just check out if you forget what some command does or something like that. You can just type here "man" and then "grep" and it will basically open you up with a manual, and you can just read right here and use the command. 

So now that we got that out of the way, you will be using manual a lot in the programs later on which you do not know how they work. 

So you will be opening up a lot of manuals in order to find out the command that you need to use in order to run that program. 

Also, if we wanted to let's say locate one of the files we forgot where we saved it, and we want to locate it, we can do that with a simple command called "locate."

So, let me just try here with anothername.py. Yeah, I don't think it will work like this. Not really sure why. But for example, you want to locate every file in the system which has a word in it, you can just type here "locate" and you will see that it will print a bunch of these files, and they all have in some of the part, they have a word in it. 

As you can see, this file has a word in it right here. So kali - password, and then something else.  All of these files will have a word in it. Let's say you want to locate everything that has "wordlist" it will also print out all the files that have "wordlist" in it as you can see: wordlist, wordlist, wordlist, then wordlists.list and so on and so on. 

So we covered that command as well. 

Now, this is about it for this tutorial and in the next one, we will cover some of the commands which are more towards the system that you are using. 

For example, in order to check some of the system settings you will be running the commands that I will show you in the next video such as for example shutdown, ps, uname, restart, reboot and so on and so on, and ifconfig, a bunch of those network commands. 

So you should learn this. You should remember like these are some of the more important commands that you will be using all the time.

That's about it for this tutorial.

I hope I see you in the next one. 

Bye. 

Basic Linux Commands Part 3

Hello everyone and welcome back to the part three of Linux basic commands. In this tutorial, we will cover some of the commands mostly used in order to communicate with the system. 

Let me just open the two terminals once again so I can write the commands in one terminal and execute them in another terminal. We will basically just cover some of the commands for networking, the most known and basic ones, and some of the commands in order to check the running processes or check the version of your headers and so on. 

First of all, let me just nano command.txt right here.

The first command that I want to cover, which is a simple command, and you probably already know what it does is for example "shutdown." 

Now, most of you that know this command will know that this command won't really shut down my PC right away. For example, if I click here, enter right here, it will say, “Shutdown scheduled for Monday,” and then the time. 

I believe this is one minute from me typing "enter" to this command. 

So in about 50 seconds, this Linux machine will shut down. 

We do not want that since we have other commands to cover. We will just cancel it with "shutdown -c" and right now our machine will not shut down. 

Now, if you want to restart from terminal, for example, you will type here the "reboot" command. The "reboot" command most of you probably expected it to be restart, but the restart command does not exist in Linux. 

In order for you to restart the system, you want to type here in the terminal "reboot."

Now, don't click enter here since it will shut down your PC. Well, it will restart it, but automatically it doesn't have a one minute delay as it has with the shutdown command. So we will not run this command. 

I'm just basically showing you if you click here "enter" it will restart the machine. So let me just type the commands here. We will delete it here since we do not want to run it. 

Now, some of the commands that are towards the processes that are running in this machine are for example "ps" which will give you the processes running in the current terminal that we have open.

So this batch will be always open. You do not need to run anything in order for this process to be here, and the "ps" process is the process that we just ran as you can see right here.

This is just the processes that this Linux terminal is running. Now, if you want to check all of the processes, let me just enlarge this terminal for one second and type here "top." 

This will open up all of the processes currently running on your Kali Linux machine. Now, most of this we don't even start ourselves as this is just a bunch of processes that Linux itself starts up as it boots.

You can also see some of the outputs right here such as CPU percentage usage, and tasks with 2 running and 176 sleeping, available memory, swap memory, and a bunch of other options.

So right here you can also check who is running the processes. In our case, I believe all the processes will be root since we don't even have any other account. So all that will be root. 

Now that we got that out of the way, in order to close this you just press here CTRL + X or Y and it will just basically close this top command which shows us the processes in real-time. 

Now, you can see that it stopped so we can just clear here the screen and put this terminal back to its size. 

Let me just type here "ps" and "top." 

We covered those four from now on. Now, another command, which is a really simple command is "uname." So basically this will give you out the name of your operating system, which in our case is Linux.

So it's just "uname." 

Now, in order to check out all the options for this command, you can just type here "man uname" and it will open up manual for this command and you can see things it is possible to do with this command. 

So for example "- r" which we used in order to install our headers before, if you remember, well basically to check our current headers it will print out the kernel release.

The "- s" will print out as it says right here the kernel name an "- a" will print all. So let's try "- a" and it will print out the full name as you can see. 

Linux Kali, this is our headers version that we downloaded in that image. As I said, it is Debian based and there are a bunch of other additions to this command. So this is not really that important command. We used it only in the process of installing the VirtualBox guest additions.

So we might be using it from time to time, but it's not that important really. 

Now, the next command that is important however is the command where you check out your IP address.

Now, some of you may know, that in Windows, in order for you to check your IP address you type "ipconfig." 

Well, in Linux it is basically the same command except the second letter is switched with f so it basically is "ifconfig." 

This command will print out all the network interfaces that are currently connected to the Kali Linux machine and also the IP addresses of those interfaces if they are connected to the Internet. 

So we can see that right now we only have one interface. 

Well basically two, but one is a loopback interface. You will all have this one and you will probably all have this one as well, which will be named the same, but in case for example that you plug in a wireless adapter, you will be given another name for the wireless interface, which can be different for all of you. 

Here we can see our IP address, which will probably be the same for you if you didn't configure it in the network settings. 

Now, in order for us to change this, I will cover that in the next video where we changed this IP address to an IP address that basically belongs to our own local network.

Now, what do I mean by that? 

Well, all the other machines in my local network are starting with 192.168.1 and here we have a machine that starts with 10.0.2 and basically those do not belong to the same local network. 

So we want to make this machine have the IP address that starts with 192.168.1. But we will cover that in the next tutorial. 

For now, this is just the command to check out your IP address and it is very important. You should remember it as you will be using it extensively. 

So the next command is "netstat."

Now, this is a pretty big command because it has a bunch of options. For example, you want to type here "netstat" and for example "- nr."

This command right here will basically give you a gateway, as you can see right here, the IP address of the gateway that you can check out. I use it a lot in order to find out what is the IP address of the router on some of the Wi-Fis that I do not know the IP address of the router.

In this case, it is 10.0.2.2, but this is only because we are using the net in order to connect to the Internet. Once we configure the network in the next tutorial we will be sharing I believe 192.168.1.1 as that is my router IP address. 

So with "netstat," you can also check out your current connection's TCP connections and right now we don't have any TCP connection as you can see. Let me just check here without a "–" and no, it doesn't have. 

So, basically, we are not connected anywhere right now, which is good because we are not even on the Internet and we didn't run any program in order to connect somewhere.

So we won't be having any connections to the other IP addresses or servers right here. But if you run some of the programs, run for example "Tor" or open "Firefox," so let’s just open "Firefox," it should open up connection I believe. 

Let's just open up and wait for it to connect, and it is connected right now. If you want to run the same command, you can see that we are connected to a bunch of different IP addresses, which are basically just the IP addresses of this website.

Here you can see that the process, the program that is making the connection is Firefox and the program ID is 1669. 

So if we close this right here, it shouldn't have them anymore. Well, it basically just has them because before we closed it, it was an established connection and right now we have a time wait state, which basically means we are not connected anymore. So we cannot make communication with that site anymore.

Since here it was established as we were opening that website and here as we closed it, there is no connection anymore. 

I believe this will disappear in a few seconds or minutes, but we won't be waiting for that, let’s just clean the screen and type here "netstat" as we cover that. 

Now, there are probably two most important commands that you want to run. 

Most people teach this at the beginning as one of the first commands, but I only taught it right here at the end because basically one of these commands will take an hour to finish, at least for me. When I install a new Kali Linux machine it takes about an hour to finish.

So, the first command is "apt update" or you can just type your "apt-get update." What this will do, it will connect to the Linux repositories that you have linked in these sources.list file and it will check for any updates. 

Now, you can see right here it is connecting to kali.download and it will check if there are any current updates right there. 

Now, once that command finishes, you want to go with "apt get upgrade" and as you can see, this will print out a bunch of new files that need to be upgraded, and it will possibly be the same for you.

If you click here Y which we  want to, this will take a lot of time to finish, but you must do it. 

Now, not a lot of time, but about an hour or maybe 40 minutes. I'm not really sure. It depends. We won't be waiting of course for that to finish. We will just cut to the next tutorial.

For that time, I want to show you the simple last command in order to communicate with the terminal and system, which is basically just "exit" and maybe we will need to run it twice because it has some processes opened. 

So, if you type here "exit," it will basically just close the terminal, simple as that. 

Now, if you run this command "apt upgrade" which you should have and you should wait for this basically to finish, it might ask you some of the questions along the process of installation of these files and you basically want to answer "Yes" to all of them. 

So we won't be waiting for this to finish right now, we will just cut it right here and I hope I see you in the next tutorial where we will be configuring our IP address in network settings.

Hope I see you there and take care.

Changing IP address on Linux and setting up Wireless Adapter!

Welcome back everybody and in this tutorial, we will cover some of the network settings where we will be changing our IP address. 

Now, as we saw in the previous tutorial, if we type "ifconfig" you will notice that we get this IP address, which probably does not belong to your local network. As you can see right here, if I open the command prompt from windows and run the "ipconfig" command, you will notice that my IP address is 192.168.1.3. 

So you can see that it doesn't even start the same as the IP address of this command. 

Now, we want to make sure that the Kali machine gets the same IP address, well not the same IP address, but the same start of the IP address and how do we do that?

Well, basically just go on "machine," then "settings."

Once you go there scroll down to the network and you will notice that right now it is attached to NAT.

I believe this is set by default and that is basically "Network Address Translations."

You want to go on the advanced and check if the cable is connected. So if this is unchecked, check it, but I believe it is cable connected as default. Here you want to go to the bridged adapter not NAT, but bridged adapter and pick your interface, network interface. 

Now, my network interface that I use is basically the first one right here. For you, it probably is named differently and you want to pick the one you want to use. For example, if you want to use a wireless interface, a wireless network card, you can just plug it in. Let me just show you for one second. Here I have my wireless card and I will plug it in, in order to show you how to pick your wireless network interface.

Right here it should be plugged in and if we scroll right here, let me just close and reopen this. So if we go to the machine settings and once again a network, we should have four right now. 

You remember we had these three and the wireless LAN network adapter was not here. 

Now, once you click on the wireless network adapter, there is a possibility that it won't be supported by the Kali Linux. For example, I don't think it is, so if I click here "Okay" and right now if I reboot my machine, which I won't do, my wireless card will not work.

I won't be able to connect to the Wi-Fi. 

Now, yours might work, so you want to try that, but in my case, this one doesn't work for me. So I just connect on my PC over cable and make sure once again that the cable is connected and you just click here "Okay."

Once you pick "bridged adapter" and once you pick the network interface, you want to just click here "Okay." 

Now, if we type here "ifconfig" once again, you will notice that now our IP address has changed. It doesn't anymore start with 10.0.2, it starts with 192.168.1.5. It basically now belongs to our local network IP range.

As you can see, here is .5 and here is .3. We can check by pinging 192.168.1.3 and you can see that we will receive packets from our Windows machine, which means we are on the local network.

We can also ping google.com in order to check that, and this will take a few more seconds because our Windows machine is much closer than google.com and basically this is a virtual machine. 

It is a little slower, but in a few seconds, we should be receiving the packets from Google.

Here we go, we got the Google's IP address, and right now we should start receiving the packets. Here they are. As you can see, we received four packets from Google and this means we are able to connect to the Internet. 

So that's about it. 

We just wanted to set our IP address correctly in order to continue doing some of the other stuff.

This was rather a short tutorial and in the next one, I will show you how to burn an ISO Kali Linux image onto the USB Drive. For those who want to install it directly on their main PC, they will need to burn the operating system onto the USB Drive. 

So I hope I see you in the next tutorial and take care. 

Creating Bootable Kali USB!

Hello everybody and welcome back. 

In this tutorial, we will make a bootable USB Drive with our Kali Linux. 

You might need this if you want to boot Kali Linux on your main machine. So you will need the USB drive that has the ISO image burnt on it in order to start up the operating system. 

Now, for this, you will need two things and those two are the ISO image or basically Kali Linux or any other operating system you want, and you will need this program called Rufus.

Now, you can download that program from this website right here. You basically just navigate down here to the download section and click on "Rufus 3.4." 

Now, I won't be downloading it right now since I already downloaded it a few seconds ago. Basically, you can see that the size is not really that big, it is only one megabyte. So once you download that, you just double click on it. It will ask you for your administrator password, which in my case is nothing. I just click here on "Yes" and it should open up our program.

Basically, this is the entire program. You can see that here it automatically found my USB Drive which Kingston 32 gigabytes and the only one currently. It will ask you right here, “What do you want to do?”

You do not want "non bootable" or "FreeDOS," you want here to have checked "disk" or "ISO image." 

Now, you can just leave it on this. You want to select which image you want to boot and you go here on desktop or wherever you saved it and click on the ISO image.

I will pick here Kali Linux and you can see that it will set all the other settings automatically. 

Now, the only thing you want to do from here is click on "start." 

But before you do that, you will notice that it will give you basically some warning. 

Yes, right here there was a warning for some "syslinux" files. I'm not really sure what that was. But basically, another important thing to note is that if you do this, it will delete all the files you had on your USB Drive. 

So if you have anything important on your USB Drive, make sure to move it to another folder before you continue with this process or you will lose all your other files.

Now, here it will ask us if we want to write an ISO image or in "DD image" mode. We want to write in the "ISO image" mode and click here on "Okay."

Here is the warning: "All data on device Kingston will be destroyed. To continue with this operation click OK, to quit click cancel."

So, that's what I was saying, if you have any important files, please move them so you don't lose them in this process of making a bootable USB Drive. 

Now, since I don't have anything on this USB Drive, I will just click here on "Okay."

You can see that right now, it is deleting partitions as it says right here, and it is currently making our USB Drive bootable. Now, this might take a few seconds to finish. It shouldn't take that long.

You can see right here all the files that it is basically making in our USB Drive in order to make it a bootable. You just basically wait for this process to finish. Then, you will have your bootable USB Drive, which you can later on just plug into your computer or laptop, or whatever you are using, and boot your Kali Linux on your main machine.

Now, it is also important to know that Kali Linux might not be supported on all the chipsets on your machine. I couldn't boot the Kali Linux on my laptop.

So, later on, I installed Linux Mint.

If it doesn't work, if the installation of Kali Linux doesn't work on your main machine, that's probably because some of the components isn't supporting Kali Linux or isn't supported by Kali Linux.

So, in that case, you would probably need to download any other Linux such as Ubuntu, which we have right here and make sure you install this. 

Now, basically, Ubuntu and Kali Linux are very similar.

Well, not that similar, but Kali Linux basically is a Linux operating system, it just comes here pre-installed with all the other hacking tools. The only problem would be if you install any other Linux, you will need to download all these tools that Kali Linux already has once you install it, which can take some time. 

For example, it took me weeks to install all of the programs I needed on my "Linux Mint" machine since I couldn't freely install Kali Linux on it.

So you should know that this process is taking a little bit of time. 

I thought it would finish faster, so I will just cut the tutorial short here and we will continue learning in the next lecture.

I hope I see you there and take care.

Important Linux Networking Terms!

Hello everybody and welcome back.

In the previous tutorials, we finished setting up our Kali Linux machine and setting up our ethical hacking environment. 

We are almost ready to start learning the methods and the attacks of hackers, but before we do that, I need to introduce you to some of the networking terms, and some of the ethical hacking terms that you need to know in order to be able to follow with this course.

This is just some of the basic terms that you all probably already know, but just in case, we will cover them shortly one by one. 

So in this part one, we will cover only networking terms and in the next part, we will cover the ethical hacking terms.

So let's start off with the basic one which is "TCP/IP model."

Well, "TCP/IP model" basically uses client-server model of communication in which a user or a machine, for example, is provided a service like sending a webpage by another computer in the network. 

So there are seven layers of this module and they go in order as a physical layer, data layer, network layer, transport layer, session layer, presentation layer and the last one is application layer.

So the next thing we need to cover is IP addresses and I already ran the command "ifconfig" which we covered before. You can see that here I have two interfaces, the wl0 interface and the n01 interface. 

If they were both to be connected to the Internet they would both have different IP addresses, local IP addresses.

Now, I'm connected over the wireless card interface, which is wl01 and my ipv4 address is 192.168.1.15.

So basically, what an IP address is, it is a numerical number or label that is used to identify the machine on the Internet and also used as a location addressing. 

There are two types of IP addresses: ipv4 and ipv6.

Ipv4 is mostly used over ipv6. 

Now, there is also one thing you should differentiate, which is the "local IP address" and "global IP address." 

The local IP address is the IP address that you see right here, which is 192.168.1.15 and it is only usable on this local network.

This basically means if you were to type here this ipv4 address in your Firefox or Google Chrome, you won't be able to connect to me because this is a local IP address, and it only works on a local network. 

Now, the global IP address is used by a router to communicate with the entire Internet. 

For example, you can find out what your global IP address is by typing in Google: "What is my IP?"

Just click on the first link and it will show you what your global IP address is. 

The next thing you should cover is the MAC address. 

The MAC address or Media Access Control is basically a physical address given to a network adapter when it is manufactured. You can find out what your MAC address is by typing in the same command, which is "ifconfig," which will also show you the different MAC addresses for all your interfaces, for all your network interfaces.

Now, here we can see this is the MAC address of my wireless interface. It is right here. My other network interface, which is not connected to the Internet at the moment has this MAC address. 

It is a physical MAC address and it is also a unique MAC address. It is hardwired or hard-coded onto your computer's network interface card.

The next thing are routers. 

For routers, we all have them at our own home. It is a common device we usually call it a router, but it is actually a piece of network hardware that allows communication between your local home network and the Internet. It is also a layer of protection for your local machines.

The next things you should know are TCP and UDP protocols. 

Those are the most known protocols and the most basic protocols. They are used basically for communication and they are used to establish a connection between one computer and another computer. 

For example, TCP stands for Transmission Control Protocol. It is different than UDP because it is a connection-oriented protocol while UDP is a connectionless protocol.

This means that in TCP there is something called a three-way handshake, which means that the two computers have to agree that the message came whole from one computer to another before sending the next packet. 

In the UDP protocol, packets are just thrown at the other machine and it doesn't matter if some of those packets is malfunctioned or didn't even get there. The machine will just start sending other packets to the other computer. 

UDP is mostly used for streaming or basically for your Skype calls, for example, while TCP is used to transfer packets that are important to go in a certain way.

Those packets are labeled with different numbers so that when one machine sends to the other machine a program or a file, it should all come in order that follows those numbers. 

So basically, for the TCP, there is a guarantee that the data transfer remains intact and arrives in the same order in which it was sent, while in the UTP, it's not like that. 

Now, the next one is the ARP protocol, which stands for the Address Resolution Protocol. It is a communication protocol used for discovering the link layer address such as MAC address associated with a given Internet layer address. 

Now, this mapping is a critical function in the Internet protocol suite. It basically has two types of ARP protocols, the "request type" and the "reply type." 

The "request type" requests a certain MAC address of a machine of which it knows the IP address and just wants to find out what its MAC address is, and the "reply type" is the reply sent by that machine which says, "Hey, I am 192.168.1.5 and this is my MAC address."

That is ARP protocol. It is used for ARP spoofing in man-in-the-middle attacks, which we will be covering later on. 

There are a bunch of other protocols that you should check out if you don't know what they do such as TCP, FTP, SMTP, ICMP and many more,but the most important protocols for us are the HTTP and HTTPS protocols. 

Now, you might be asking, what is the difference between those two? 

Well, basically in HTTP protocol there is no data encryption implemented and if you are visiting an HTTP site and you are putting in a username and password, there it can be seen in a plain text by anyone that is interfering with the connection between you and that website.

As in the HTTPS, there is the addition "S" as you can see, which stands for SSL or TLS, which is Secure Sockets Layer and Transport Layer Security, which basically encrypts your data and doesn't allow anyone who is interfering with the connection to see your data in plain text.

They are encrypted and hard to decrypt. For example, there are some SSL vulnerabilities out there that's why most HTTP websites nowadays use TLS. There are three versions of TLS, I believe, one, two and three and they are secure. 

The last thing that you need to know is the DNS which basically you use all day every time you visit a website. It is useful for us humans because we cannot remember numbers that well as we can remember words. 

So, for example, if you want to visit facebook.com without DNS, you will need to know Facebook's IP address and you would type it in the Google search bar instead of facebook.com.

DNS allows us to, instead of the IP address, remember just the name, and then it translates the name into the IP address.

It is a very important thing in the networking protocols and it is also one of the main things to attack. We will be doing DNS attacks later on as we go with the course.

Now, the DHCP is basically only used for giving you the IP address. Mostly it is also pre-built into your router and every time you connect to the Internet, it basically just gives you an available ipv4 address.

So, that's about it for these networking terms. 

You should all learn more about them if you want to. I won't be covering this in the networking course. You should just search them up on Google and basically just read more about them if you want to. 

For now, this will be enough and in the next lecture we will cover some of the ethical hacking terms that you also need to know in order to follow the course.

I hope to see you there and take care. 

Important Hacking Terms!

Hello everybody and welcome back. 

In the previous tutorial, we covered some of the basic networking terms, which you will need to know in order to follow up with this course. 

Now, those were just some of the basic terms not really widely explained. If you want to know more about some of those terms that I covered in the previous video, you can always google any of them and just learn more about them. 

But in this video, we will cover some of the hacking terms that you need to know in order to better understand what we will be doing in the next lectures. 

So, I will just write here, I will open Leafpad, which is basically something like Notepad for Linux and here I will write one by one the terms that we cover. 

Now, the first hacking term which is also a beginning process in ethical hacking is called "footprinting." 

You might be asking now, what is footprinting?

Well, basically it is just the same as it says it is. It's just getting as many information about, for example, a company as you can before you attack them. Now, let's say a client asks you to test his company website and you want to get as much information as you can. 

Now, one of the most common methods for doing that would probably be Google hacking, which is basically just opening Google and searching for files or anything that is uploaded on the Internet, which may help you in further attacks. 

There is also a website called "Shodan" and it is basically used to discover vulnerable devices on the Internet.

You can use that in order to check if any of those devices that belong to the company is vulnerable to any of the known attacks. 

Now, we will cover all of those tools. 

Don't worry. 

We will cover them one by one in detail and you will know what I am talking about. 

But also there is one more tool which I don't think it is that known, but it is called Harvester. I'm not sure we even have it installed in the Kali Linux. We might have. If we don't, we will install it. 

Harvester is basically used for gathering the emails for a certain domain. For example, you want to gather all of the emails that belong to the Apple company. You just type the domain name and the Harvester will basically automatically go over Google and there are a bunch of other options that I will show.

But plainly it will go over to Google and search for all the emails available that belong to that domain. 

So, it will basically get a list of all the emails that belong to a certain company that you are attacking. 

Now, that is basically footprinting, so we will cover that firstly in one of the next lectures. Once you finish footprinting, there comes the next thing, the next process in the process of ethical hacking which is scanning and enumeration. 

I will just write that out right here: scanning and enumeration. 

Now, footprinting basically gets you the information without actually testing or without actually attacking the company itself or the website or whatever it is you are testing. 

The scanning basically does as it says. It is just scanning the company network, for example, in order to discover what versions of software they are running, what ports they have open, what operating system they are running on their machines and more and more.  

Now, you might have heard of this program, you probably have if you have any ethical hacking knowledge from before, it is called "Nmap."

Let me just type here nmap. 

This is the program that we will cover in details. It is basically used to scan a network. You can use it to scan a website or a range of IP addresses if you want to. You can discover with it what ports are open on a certain website or on a certain machine or on more machines. 

You can also discover what operating system it has. It basically just prints you out with a bunch of operating systems and it shows the possibility of having that operating system in percentage. 

It is most likely accurate, but there are times when it just gives you a wrong operating system, but those I didn't have that much. Now, also what "Nmap" can do is discover the version of software running on an open port. 

So, for example, you have an HTTP port open and you are running a website, the Nmap has the ability to discover what web server you are running on that port. 

It might print out "Apache 2" or anything else that you are running there, which basically just gives out the banner in order for us to grab it and find out what version you are running.

Now, as I said, we will cover all of that in the details. For now on, you just need to know theoretically what it basically does and we will cover it practically later on. 

The next thing you also need to know is system hacking. This is a very important part because this is actually the part where we discover a way to enter the machine, for example. 

Now, system hacking is usually done with back doors. A back door is a program that you run on a victim PC and it basically gives you the full access to that PC without the victim knowing that. 

Now, back doors usually have some of the options such as being able to execute commands on the victims PC, being able to access the microphone, the web camera, being able to screenshot the screen, being able to upload and download files, change files and upload a key logger, which will give us back keystrokes that the victim is typing on their keyboard.  

Basically, back doors are detectable. The ones we will cover in the intermediate section can be detected because they are mostly widely used by every ethical hacker ever. 

So, in the advanced section, we will code our own back doors that will be fully undetectable by any antivirus available. 

Now that we have covered system hacking, we can go on with the malware. You most likely know what malware is, but basically, malware is a malicious program. Now by malicious, I mean it can be any program that does damage to your PC.

Let's say you make a program, a simple program that just creates files in an infinite loop. So, basically, it creates infinite files. Now that program will most likely make your PC crash before you get to close it. 

So, it is basically a version of a malware since it makes your PC crash and it doesn't do any good. Now, most known terms for malware are worms, Trojans, and viruses. We will be also coding some of the malware, but we are not really interested in that for now since those programs really don't have any use except to destroy someone's machine.

So, we won't be covering that much of malware, but we will surely go over it. 

Now, the next thing you want to know is what is sniffing? 

Sorry, I can type at the moment.  

Well, basically, sniffing is an action where you, as it says, sniff someone else's packets. Now, you shouldn't be doing that, but in some cases, in some ethical hacking projects, you might need to do that in order to gather some of the information. 

For example, a password can be hacked through sniffing. On a local network, if you run a man-in-the-middle attack and you sniff other's packets, if someone logs in to a website that isn't HTTPS, you will see their password in plain text.

The tool that you most likely will use for sniffing is called Wireshark. It is a widely known tool and it is used to just basically go over the packets that are going through your network interface card. 

So, now that we covered what sniffing is, we can go to social engineering. 

Now, this is something very important as it is most likely to get you into a company or any other machine, or basically to hack anything you want to since in the social engineering attacks you don't really attack the machine itself as much as you attack the person. 

So, for example, I always say, why would you hack a Wi-Fi from a restaurant if you can just ask someone, what is the Wi-Fi password? 

Now it is a simple use of social engineering. Not really that good one, but it is an example. So social engineering basically means attacking people. 

Now, what do I mean by attacking people? 

Well, let's say, for example, I make a back door, I code a back door.  

Now, what are the chances of someone opening an executable file that looks suspicious? 

Well, not big chances. 

But if you, for example, change the icon of that file to be a picture and you change the name of that file to be a .jpg or PNG, the chances of someone opening that file increased drastically. 

So, let's say that you know something about the person that you want to hack and you just send them a fake email from someone they know and in the email you send basically that picture, which is a hidden backdoor and they open the picture and the back door just installs itself deeply in the system without them even knowing that.

That is basically what social engineering is. It is a method of attacking people and not the machine. Now that we covered that, we can go onto the next step which is denial of service. 

Now, denial of service is basically what it says. It is used to crash someone's website or machine. So, basically, you just send a lot of packets, which the website cannot handle and basically just crashes and nobody else is able to connect to it anymore.

Now, in order to perform denial of service attacks, you will need a bunch of PCs in order to be able to crash anything. So you can't perform a denial of service attack with one PC. 

You won't be crashing anything because there are not enough packets that can be sent in order to crash a website. But if you make a command and control center, for example, and send bunch of back doors to a bunch of PCs and they all run the same command at the same time, which is sending packets to the website they will be able to crash it. 

Now, depending on the website, some of them are easier to crash and some of them are harder to crash, but you get the basic idea.

Now, we will cover SQL and XSS cross-site scripting. 

Let me just find this. 

Well, basically here we exploit any input. For example, the basic example of SQL injection would be, let's say you have an online shop and someone didn't filter out the requests that you put in the search bar well enough. 

So, if you type here a code, for example, it will be read by the website as a part of their website code and you will be running code on their website, and you should not be able to do that. 

Now, these attacks are only available because of the poor programming of their website. They didn't program it well enough. They didn't filter out the user input.

So that is SQL.

Now, we will cover also Wi-Fi hacking in detail. 

Now, there are a bunch of methods to attack Wi-Fi with the CPU, GPU, whatever you want. Most of the courses that I saw do not even cover the attacking of Wi-Fi with GPU. 

I don't know why because well basically the most common method is with Aircrack program, which tries to break the password of Wi-Fi with the CPU. 

Now the power of the CPU is fast, but the power of your graphics card will be much much better for hacking Wi-Fi because when you hack Wi-Fi, you basically get the hashed password and you don't see it in plain text, and you need the power of your CPU or power of your graphics card in order to crack that password hash, and the much faster method is to crack with your graphics card.

We will also cover the attacking of Wi-Fi on an enterprise wireless, which we will basically use to make a fake login page where someone will enter their password for the wireless. 

We can also make an "evil twin," which is basically a method where you reproduce the exact same wireless hotspot and with enough signal available to the victims. You can make them connect to your wireless instead of their real wireless. 

So, basically you just authenticate everyone from the real wireless and they will automatically connect back to your wireless, and therefore, you can watch all of the data that is going through and also if they need login in order to use the wireless, you will capture their password. 

Now we will also cover mobile hacking. 

In mostly mobile hacking, we will cover the Android attacks because there are more Android than iOS, but we will also cover some of the Apple attacks, where for example, let's say you make an application which looks like a legit application, and you install it on someone's mobile phone. 

You will then be able to access all of their messages, calls, send messages, you can watch files, pictures, download, upload and do all of that without them knowing it. 

Now, how we do that?

Well, basically we need to create something like a back door just for the Android device. The problem with this method is that they need to click on a certain part which can be suspicious. 

I will show you when we get to that. We will try to make that as less suspicious as we can. 

Now, there is also one more thing we need to cover, which is cryptography. 

Well, you probably know what cryptography is, but that is basically a method of protecting your information.  

Now, for example, you have password hashes. They are hashed for a reason so some of the attacks such as sniffing can't be used to seek the password and steal it. 

You can steal the password, but it won't be in plain text. It will be encrypted and you will need to decrypt it. If the password is big and uses numbers, letters, symbols and all of that, it will be very hard for the attacker to decrypt your password. 

Now, cryptography basically uses coding so that only those for whom the information is intended can read and process it and nobody else can. 

We will cover some of the basic cryptography methods, but we will only touch it a little bit since cryptography is a course itself. It has a lot of stuff to it and we won't be able to cover all that, but we will just barely touch it in order for you to understand what that is. 

So, that's about it for these basic terms now as well as the networking terms if you want to search more about these online and read about them. 

But we will cover all of them theoretically and practically later on in the intermediate section, and basically, we will code some of our own tools in the advanced section.

The footprinting part, I will cover now in the beginner section. 

I will show you Google hacking, the Shodan website, and the Harvester in order to get emails and until then, I hope you have a great day and I will see you later. 

Bye.

Few Things to Do After Installing Kali Linux

Hello everybody and welcome back. 

Now before we begin with the footprinting lessons, I would like to just show you some of the things you might want to install before we begin.

So the first thing I want you to install is "GitHub repository."

Basically, if you do not already have it, you just type here "apt install git."

Now, if you encounter this error, just basically delete these locks from the path that is specified right here.

So just take this path, copy it, type here the "rm" command that we covered, which stands for remove, then paste the file. 

Now, it might ask you to remove other locks as well. This one is also here, we want to remove this one as well. Basically, just copy the path and delete it. Let's just paste and let's see if there is something else.

There is one more lock in the cache, which we also want to remove. So copy the third one and I believe this one is the last one. 

So now that you deleted it, you can install "git" which is already installed for me. You just type here "apt install git."

How do we use git? 

Now let me just show you. 

You just go here on the GitHub website. 

Basically, any program that is not pre-installed in the Kali Linux, you will probably be downloading it over GitHub. 

So let's say, for example, I know a name of one program that is called "Instashell." It does not come pre-installed in the Kali Linux, but you can download it in from GitHub. 

I will show you the command right now. 

So basically, it is the first one. You can see that the site is GitHub and the path is what you want to copy.  

If you just enlarge this, it is the website and this is the program that I want to download. It is used for Instagram hacking. 

We will be covering it later on. 

For now on, I just want to show you how to install any program on GitHub. So basically, you just find the program you want to download and you copy the link right here, and once you go copy the link, you just go to your terminal. 

Let me see just where we are. 

We are in the /root directory and if we type here "git clone" which is basically the start of the command, and then you paste the link and just add ".git" it will download the program into our root directory. 

So, as you can see right here now, we have the full program downloaded. It is as simple as that, and now you can go to the program and basically use the program. 

So, if you do not have a git installed, you basically just install it with the command, "apt install git."

The next thing I want to show you is, for example, if you want to run a program that is not available to run as a root user or doesn't allow you to run as a root user, you might want to add a non-root user, which is simple, and you just type here the command "add user" and then basically any name you want.

So, let's say we want a user called John. It will ask you some of the questions for the new user, which you can answer correctly or not depending on you. It will ask you firstly for the password, which I will set as 1234. 

It will ask you to retype the password. I will retype it as 1234 and now it will ask some of the personal information, which I will skip. I will just paste the wrong thing so it doesn't really matter if this information is correct. 

Just type here "Yes" and you have a new user.  

Now, in order to add that user into a "sudo group," which basically means you will be able to run these root commands with that user just using the password from root. 

So the command for that is "usermod – aG" and "sudo," and then the name of the account you created, which in my case is John, and it will basically add John as a sudo user and he will be able to execute root commands if he provides the root password. 

Now, at the rebooting, you can basically login into your user account, but I will just stay here as a root user for now on and we will install the next thing you might want to have, which is "Tilix." 

Tilix is a program which basically allows you to execute multiple commands from the same terminal. 

Now, it could be useful if you are running a bunch of the commands and you want to see what is going on so you just run multiple commands from the same terminal and see the output of all of those commands. 

That's why I will install it just in case. I am not really sure if we will use it, but it is good to have it.

Now, this will take a few seconds to install and I believe once it is installed, we can run it basically with a simple command, which is just Tilix. 

Here we go, 5% installed. We will wait for this to finish and we will run it right away so I can show you how it works. It's basically the same terminal we have here. 

If we want to, we can split it in two parts.

The installation has finished and now I will show you how to run it. 

In order to run Tilix we just type "your telex" and it will open up a terminal as you can see right here, which is basically the same as this one, just it is white and if we want to we can split it on this button, and here we can make multiple terminal windows basically in one terminal.

So, if we want to, we can type one command right here, the other command here, and basically here the third command. It could be useful once you run big things like for example multiple commands for some program and you want to see what is going on, you basically use Tilix.

Now that we have Tilix, we can close it. We don't need it right now. The next thing and the last thing I want you to do is install "Tor."

Now Tor is a browser which is used to accept the onion routers on your links basically, which basically leads you to the Deep Web. 

Now, you can go "apt-get install tor" and just here you want to press Y. 

Basically, we need Tor for multiple things. Multiple programs require Tor in order to run. For example, the previous program we just installed, which was Instashell, which we will cover later on uses Tor in order to switch IP addresses in the process of brute-forcing Instagram accounts. Now, that is not the only program that uses Tor.

There is a bunch of programs that use it and you also might want to visit the Deep Web sometime, so you can just download it and we will have it for all the future purposes.

So this should finish relatively fast. 

Here we go. 

It is finished. 

We will clear the screen and in order to start Tor as a service, we just type here "service tor start" and it will open up Tor. 

Now, if you want to run Tor, you just type your Tor, which will say — Yes. Could not bind to this. Address already in use. Is Tor already running? 

Yeah. We're basically already running Tor so it just gives us an error that Tor is already running.  

So, if you want to stop it, for example, we can just stop with this command "service tor stop."

Now, that is about it for some of the basic things you might need in the future and in the next lecture I will show you how to change your MAC address in a simple program that is already pre-built in the Kali Linux. It is called "Mac changer." 

So we will cover that in the next tutorial and after that, we will go on to the Google hacking, Harvester, and Shodan.

Now, I hope I see you in the next lecture and take care. 

Bye. 

Changing Our MAC Address - Macchanger

Hello everybody and welcome back. Now, in this lecture, we will cover our first program that we will use, which is called "Macchanger."

It allows us to change our MAC address, which can be used for multiple things such as, for example, if on a particular wireless network there is a blacklist or whitelist which is based on the MAC addresses, you can bypass that with simply changing your MAC address. 

Now the program that we will use is called "Macchanger." If you just type here in the terminal "machanger" you will notice that it will print the usage of the command. 

So here it says we need to type "macchanger options" and then the device. Now, in order to check out our available options, we can type here as it says "try macchanger — help."

So we will type "macchanger — help."

It will basically show us right here some of the available options that we can use right now. In order to find out what our MAC address is, we want to use this option which is "- show" or "- s."

Now, if we just type here "macchanger - s" it will say that we incorrectly used this program because we didn't specify the device. 

Now, this device basically means your network interface card. You might be having multiple interface cards, so we want to pick one. 

If you type here "ifconfig" as we covered in the previous tutorials, it will print you up with your network interfaces. 

Here I only have "lo" interface and the "etho" interface witch I use to connect to the Internet. 

So, I will use this one.

If I just repeat the command "macchanger - s" and then "etho" it will read my current MAC address and my permanent MAC address, which in this case are both the same because we didn't change it yet.

Now, if you have multiple interfaces, just pick the one you use currently and just specify it at the end of the command. 

Let's type here once again "macchanger — help" in order to see what else we can do with this program. 

So we covered this part, which is showing our current MAC address. 

Now let's say we want to change the MAC address, we can look at some of the options here. It says set fully random MAC address, which we can do with the "- r" or "— random."

So, let's try to put the random MAC address and see what happens. If we type here "macchanger - r" which stands for this option right here, which is set fully random address, and then we specify once again our network interface, we can see that right now our MAC address has changed.

As you can see right here, new Mac is this one. The previous one was this one. So if we want to show our MAC address again, we can see that it has changed. 

I forgot to specify the interface. We can see that the current MAC address is a different one from the permanent one, and we can see that we successfully changed MAC address.

But let's say, for example, you want to bypass the whitelist of the MAC addresses, you would want to specify a specific MAC address.

So, we can do that with this command, which is basically "— mac" and then specifying a MAC address.

Let's say, for example, we want this MAC address. Let me just open another terminal right here. Let's say we need to have this MAC address right here. We can try to get it with the "-m" command. We just move this right here.

So, if we run once again "macchanger — mac" now we will set here the MAC address. Here we will put equal. I am not sure we need to put equal right here. We will try with that first, and then 22:33:44:55:66:77, and then we will specify our network interface. 

So, if we see right here, it changed our MAC to the specific MAC address that we wanted it to change to. 

Right now, once again, if we type "machanger — show" now it is like this. Yes, I always forget to specify the network interface. We can see that our current MAC address is "22:33:44:55:66:77" and our permanent MAC is our normal MAC address, which doesn't really change. 

Oh yes. If we want to we can reset back to the original permanent hardware MAC with the "-b" command. 

Now, if you are finished with your attack, for example, and you want to change the MAC address to the normal MAC address, which is our permanent MAC address, you can do that with "-p" command. 

So let's try that "macchanger -p" and then our network interface, and we can see that the new MAC is now the same as the permanent one, and now we are back to normal.  

We can just type here "show" again, and we are the same as we started before using this program. 

This is a useful program for you to change the MAC address. You can even put it to change it at the boot up of this machine, so it changes basically every time you restart the machine. It will change your MAC address, which can be used to provide a little bit of anonymity, but I don't really use that. 

You can if you want to and that's about it for this program. It is one of the simple ones, so we covered it first. 

In the next lecture, we will cover Google hacking, which is also pretty simple. 

I will show that in the next lecture.

I hope to see you there and take care.

Footprinting! - Google Hacking

Hello everybody and welcome back.

Right now we are slowly entering our footprinting section, which will be the last part of the beginner section including the scanning section that we will do right after we cover the footprinting.

Before we begin, while our machine is starting up, let us just explain a little bit more what footprinting is.

First of all, there are two types of footprinting: one is active and one is passive.

Now, the active footprinting basically requires some interaction with the target that you are trying to attack while the passive footprinting is basically just gathering all the publicly available information for your target.

So, for example, if your target has a Facebook account, a Twitter, or basically any other account or any other source of information from which you can gather some of the valuable stuff you might need.

Now let’s say, for example, your target is a company and has public information online that this company uses Windows XP on their machines. You can already cut out the Linux exploits and Windows 10 or 7 exploits, and you can basically just focus on writing a Windows XP exploit.

Now, we all know that nobody really uses XP anymore because it is vulnerable and it is basically an open box, but that was just an example. There are lots of public information which you can find.

Let’s go to some of the practical methods with Google hacking. We will cover Google hacking in this tutorial, so let me just login, “test1234.”

As soon as my desktop boots up we will open Firefox and we will run some of the specific commands in the Google search bar in order to find some of the stuff we might need.

Now, this is just one of the tools for footprinting that we will cover in the course. The other ones will be Harvester, Nikto, Shodan and Whois that we will cover in the next lectures, but for now on let’s just open our Firefox.

So just click on your Firefox icon and basically since it will lead you to your Kali Linux website, you want to navigate to Google. So we can add another tab and go on to google.com.

Now, let’s say that you want to find all the websites that have a user input that could possibly be vulnerable to the SQL injection.

On the Google search bar, you just type here: inurl: “index.php?id=”

What this will do is it will find all the websites that end in the index.php?id= and then some number.

Now, what does that mean?

Basically, if we click on any of these links like this one, we can see right here that this website could possibly be vulnerable to the SQL injection.

We can check that easily with the apostrophe and if we try to login, it says, “login failed due to incorrect email address, wrong passphrase.”

So this site isn’t horrible, at least at the first try, but we won’t try it anymore since we shouldn’t really do that.

I just want to show you how to filter out all of the websites that actually have a user input, which could be vulnerable to the SQL injection.

So basically anywhere where you can type something, and then the website page can process it, could be vulnerable to the user input, which could be a piece of code that you would trick the server to run for you.

But more about that in the website hacking section.

Now, that was just one of the commands.

In order to find the commands you might need, there is a Google hacking database, and to find it you just type here in Google, “Google hacking database,” and you click on the first link.

It will lead us to a website with a bunch of the commands that can be used in order to find out things we might need like passwords, PDF files or Excel files, or anything.

As you can see, it says right here it is the “Exploit Database” website, the “Google Hacking Database.”

These are just a bunch of the commands, which you just copy and paste into the Google search bar and it will list you all the files you are searching.

I am not really sure what these commands are, but it says right here if we click on the one, it will lead us to the command, which is this one.

Now I can only guess what this does, but we can read it in the description.

“Dork for finding login portals for well-known company websites hosted on famous hosting providers such as all of these.”

Basically, this command does that. We can try it out if we want to. It’s not really that useful for us, but why not?

You just copy the command and paste it, and we will see how it works.

They are all basically account login as we can see, “account-login, my-account-login, my-account/login.”

So it filtered out all of the websites with a directory which is /my-account-login.

Now, let’s see, for example, another one.

As you can see, these are listed with a date. The first one was yesterday. Let’s go on this one: intitle:“index of /”ssh

Now, you can read right here the data you find: Web servers version, SSH version, SSH keys, SSH logins, and SSH .exe files.

As it says right here:

”I found a lot of servers using SSH 1.4. They are usually five plus years old and full of security holes. A search in exploit database for SSH 1 turns up plus forty thousand exploits. For these, some may work.”

This could be a useful command for us. We can copy it and see what we find with it.

We won’t be attacking any of these since we don’t have permission, but it sure could be useful later on.

As you can see, we will not mess with this right now. What we want to do is only use these commands and we will cover hacking of websites later on, not on these websites, but on the websites that we do own, which we will make in our own virtual environment.

You need to use these commands only.

You can basically, if you want to search things like PDF files, you can type here in the quick search “PDF,” and it will show you the PDF I believe.

Let’s see how to find a PDF file with this command here and if this could be a PDF file that could contain a password.

As you can see right here, all files are PDF files. Let’s see if we open one, it will ask us to save these files. We do not want to save it.

Basically, this is just all of the PDF files available on the Internet. Let us just see the more accurate explanation of this command.

“Passwords and information on targets employees/customers also for spear phishing. Replace PDF extension with any other document extension like doc, docx, txt.”

Okay, that was PDF and you can use any of these commands. If you want to know what it does, you just click on the command.

This one really doesn’t have any explanation.

Let’s just check out another one.

As you can see, this command which is pretty huge, will help you to find out videos published in Google Drives.

There is a bunch of file extensions for videos. I’m not really sure why PDF is there, but there is possibly a reason for that.

So let’s say now that we do not want a PDF file, but we want an Excel file. We just type Excel.

There is no matching records found.

We can set here on 120 commands and there is a .xls file, which is an Excel file and if you click there we can see what else it will find. It’s a mix of login portals and passwords, but this is a huge command. We will not use it right now.

So, that’s all I wanted to show you.

As you can see, they basically explain for every command what it does when you click on it and see the explanation, which is basically just a lot of login portals.

It could be useful if you wanted to find some of the vulnerable sites to the specific attacks like we showed in the first command, or in the first string that we typed into Google, which was that index.php?id= that would lead us to all of the websites with user input that could be possibly vulnerable to SQL injection.

So, that’s about it for the Google hacking.

Now, if you want to, you can scroll down and check out all these other commands. It could be useful for you, but we won’t be doing that since there are lots of them and we will continue footprinting in the next lecture.

I hope I see you there and take care.

Footprinting! - Nikto Basics

Hello everybody and welcome back. 

Now in this lecture, we will cover our second tool for the footprinting, which is called "Nikto." 

Nikto can also be used for the web penetration testing, which basically it scans for the website and it prints out if there is any possible vulnerability on the website or if there is any outdated version. 

For example, the Apache 2 could be outdated and the Nikto will show us that. 

Now, this can be put into the active interaction since we are scanning the website and you should not be doing that on a website you do not own. 

So I will just scan the web server that I put out on my laptop. It is an Apache web server and it doesn't really have anything on it, but it's running currently so we should be able to see the IP address and the version of the Apache, and also maybe some of the errors it could possibly have. 

So, let me just enlarge this a little bit. 

Now, in order to run Nikto, you basically just type here "Nikto."

It will show you the usage of the command. 

Now, these are some of the basic options that you can see right here. If we want to, we could print the extended version. I believe it is "help" as it says right here.

Yeah.

This would be the extended version of the "Nikto help" command and we can see there are a bunch of the options right here for this program. 

Now we won't be covering all of these since that will take a lot of time, but we will cover some. Basically, the most important one would be host.

Here it is: "Target host."

So, in order for you to scan a website, you need to provide a target host. That target host can be either a domain name or basically an IP address. Now in my case, I will use my IP address since my laptop is on my local network, and its IP address is 192.168.1.15.

Now, if you have any available website or any other virtual machine, you can test it on that one, then you can check out if your local website is vulnerable to something or possibly could be vulnerable to something. 

Let me just show you.

Let's type here "Nikto" and basically, we will specify first off "h" for the host, and then 192.168.1.15.

Now, this will print out some of the errors it might find such as here we have "The anti-clickjacking X-Frame-Options header is not present. The XSS protection header is not defined."

This could be a problem. It is opening us to a cross-site scripting attack, but it also could be just a false alarm. Here we can see the allowed HTTP methods on the Apache website, which is GET, HEAD, POST and OPTIONS, and this will take a few seconds to finish. 

Basically, if it takes a lot of time, we will just close it so I can show you some of the other options that Nikto has.

Here we have "login.php: admin login page/section found. Portions of this server’s headers are not in Nikto database or are newer than the known string."

Okay. 

"Would you like to submit this information?"

We do not want to submit any right now. 

Now, you might be asking, what kind of login page am I hosting on my laptop?

Well, basically, I just have a fake Instagram page right there. I just made it. So if we typed my laptop's IP address, it will lead us to a fake Instagram page. As you can see right here, it is not a real Instagram, it is basically just my IP address, which we will use for some of the attacks later on.

But for now on, we will just use the Nikto, in order to scan this page and as we can see, it has finished. It printed out a bunch of the options, which could be useful or not for you depending on the website and depending on the errors.

But let's check out some of the other examples of this command. So let me just type here "H" and we can see the "help" command once again. We can see our options: Config, display, format, hosts, evasion: Encoding Technique.  

For example, you can use the evasion. I believe it is tagged as "a - e" in the command. We can use the "-e" then specify any of these numbers if you want to like fake parameter, directory self-reference or any other. 

Right here we will use number one, random encoding non-UTF8. 

Okay.

So you will basically run the same command, but let's add before that. 

Now, I believe that this will print out the same output, so we are not really interested right now in waiting for this to finish. One more thing I want to show you is that you can specify a port on which you want to scan. 

Now, most likely that port will always be port 80 so it is not really needed, but in case you want to, for example, scan port 443 which is the HTTPS usual port, you can change that with the "-P" option.

As we can see, default is 80. 

So you would just type here "Nikto" and then the host, which in my case is  192.168.1.15, and then you specify a port and type here 80 or 443. 

For any other port, you want. But most likely, it will be one of those two. 

Now, let's say, for example, we want to scan port 80 since my Apache web server is running on port 80 on my laptop, and we want to save that into a file. 

Now, how do we do that? 

With the "-o" command. 

Let me just check here if it really is "-o."

I'm not seeing it right here. I believe it is. Yes, it is. 

Output. So just type here "-o" and we will name our file, basically, we can name it anything you want. We will name it right here "Result." 

Then, you also need to specify the file type, which I believe is F which is format. 

Save file. Format. Okay. 

So format. 

We will just type "txt." 

We want to save it into a txt file.

We can run the same command once again, and basically right here once it finishes we will have a file with all this stuff written to it, so you don't have to write it manually. 

The output option can be used if you need to provide to someone the scan results. So you can just put that into any file type. I just decided it to be txt for this example and you can just send the file to someone. 

Now, let us just wait for this to finish, so we can check out our file. Here it asks us again if we want to report something to the website, I believe. 

Let me just read once again. Not in Nikto database. 

Would you like to submit this information? 

No. We do not want to. 

So now if we type "ls" I should have a "Result" file as we can see right here. 

Now, if we nano the "Result" file or let us just "cat" it, we should see all of our output right there. As we can see, target host name, target port is right here and some of the other info. Not really sure why it didn't put all of them in here or maybe it did, I just can’t see them. But that's the example of writing a Nikto output into a file.

Let us just delete this file for now. 

If you want to run Nikto, you can see that there is an option to run it over a proxy. As you can see, "use proxy."

You can use the proxy defined in the "nikto.conf" file.

Now, in order for you to do this, you need to link in that file any proxy you want basically. If you have one, I will show you how to put it there. I don't really have one at the moment. We will cover proxy and VPN later on, but for now on let me just locate the "nikto.conf" file.

We covered this command. 

So, you just type here "locate" and then the name of the file, and it will show us all the files that are named like this, and where they are stored.

Now, we are interested in the first one, which is in etc and if we nano to the "nikto.conf" file, we can see a bunch of options right here. 

Let us navigate and find the proxy option. Let me just check where it is. Here we go. 

"Proxy settings still must be enabled by -useproxy."

So basically, if you wanted to use proxy in the Nikto program, you would specify useproxy in the command, and here you would specify the proxy host and the proxy port.

So, if you had a proxy you would specify the proxy IP address right here, which for me is just "localhost" at the moment, and here you would specify the port. Also, one more thing you will need to do is remove the # in order for this to be configured.

After that, you would just type CTRL + O, save, enter CTRL + X to exit, and then you could use your proxy nano Nikto.

But since I don't really need it at the moment, I will just put the # back so we don't use it. I will say once again, just remember that the file is located in the etc. You can also find it with the "locate" command.

So, that will be about it for the Nikto program. If you want to, you can check out the other options as well. 

I don't find them useful at the moment, but if you want you could check out all the other options. We will continue in the next lecture with the "Whois" program.

I hope to see you there and take care. 

Footprinting! - Whois

Hello everybody and welcome back. In this lecture, we will cover one more footprinting tool, which is basically called "Whois." 

Now the "Whois" is an important footprinting tool because it basically gives us a bunch of information about a website that we scanned. 

Now, the information can be used for multiple further attacks, since the information that we get from the website from the "Whois" command or program is basically, who registered the website, where is it registered, which date does the registration expire?

We get a bunch of addresses, telephone numbers, email addresses and a bunch of the other options.

So, let us just type here, the Whois is preinstalled in Kali Linux, so you don't need to install it. You will have it already there. As we can see what the usage is, Whois, then the option, then the object. 

This is a bunch of the options that you have. We will not cover them. We will just basically scan the site with the host option.

Let's scan a big site for example, so that we can get a bunch of the information, like cnn.com. If you type here "Whois cnn.com," it should print out a bunch of the publicly available information about that website. 

Let us just wait for this to finish. It shouldn't take too long. Here we go. 

Now, the first thing we see right here is that notice, which says, “You're not authorized to access or query our WHOIS database through the use of high-volume, automated, electronic processes or for the purpose or purposes of using data in any manner that violates these terms of use.”

So, basically this is not illegal. 

You can see right here, “By submitting a Whois query you agree to abide by the following terms of use. You agree that you may use this data only for lawful purposes.”

Basically, you shouldn't be using any of this data for any of the attacks that we will cover if you do not have permission to do so. We will just check out the data. We will not use it for any further attacks. 

So, let us just see what we got from this command. 

As you can see, the first thing we have here is the domain name that we typed, cnn.com, the registry domain ID, we can see that the registry Whois server is this one.  

Now, most of these commands do not really interest us. We can see this could be possibly interesting for us, which is the name server. It could be useful for some of the DNS attacks. But until then, we will just check out all these options. 

Let me just see if there is anything interesting right here. 

Registrar abuse contact email. We can see an email right here. Contact phone. Registry expiry date. 

We can see when it expires, its creation date, updated date.

Let us go a little bit down here. 

Terms of use. 

Okay. 

Registry domain ID. 

This is basically all that we have seen already. 

Here are some of the publicly available information. As you can see, the registrant email "tmgroup AT turner.com."

So for example, if you were an attacker and you were hired to test the company and you test their website like this, when you get a bunch of these emails, you can use them for some of the further attacks such as malware sending. 

You can send a malware for example from this email and this is just a hypothetical example. It can be used for some of the further attacks, such as sending malware to this email, and then hopefully waiting for someone to open it. 

Then, you will have a back door installed on the inside of the company. 

Here we can see more of the publicly available options, such as the registered city, state, postal code, country, a bunch of the other mobile phones, emails as we said.

Down here, let me just see, another email right here and the name server. As we can see, this can be useful. Let me just check if that is that. 

So basically, you use this command in order to gather more information about the company.

It surely can provide some of the information you might need, in order to for example save this to a file as we did in the previous command, in the previous lecture with Nikto.

Let me just see if it has an option to save to a file. I'm not sure if it does, but if it doesn't, you can do that with simply typing here the same command, and you can type the arrow into "result.txt."

Now, it won't print out anything here I believe, and it will print all of the output into the "result.txt" file. 

So, when this finishes, we should have a file with all of these things written to it. As you can see we didn't get any output, but if we type here "ls," we can see the result.txt.

Let's "cat" that file and we should have all of our information available in that file now so you can send it to someone if you want to, or you can just have it so you don't have to type the command every time in order to check something out. 

Now, since I don't need that file, I will just delete it and that's basically it for this program. You will find it useful sometimes, and sometimes not. But in the next lecture, we will cover the email harvesting, which we will use a program called "Harvester."

I’m not really sure if it's installed. 

Yeah, it is installed in the Kali Linux, so we will cover it in the next lecture, and until then, you can practice these two programs that we covered for now on, including the Google hacking and Nikto.

You can also practice with the Whois program to find as much information as you can. 

Now, this is it for this lecture and I hope I see you in the next tutorial.

Bye.

Footprinting! - Email Harvesting

Hello everybody and welcome back. In this tutorial, we will cover the email harvesting tool, which is called basically "The Harvester."

So, in the last tutorial, I checked out if we have it installed already and we do. I will just locate it and we will run it because I already tried to run it from here. 

Harvester, it just doesn't work. So, let’s just locate it first and we can see that it is stored in this directory usr/share/golismero/tools.

So, we will just go to that directory and we can see here a few programs, and we will change our directory to "The Harvester."

If we type here "cd theHarvester" we can see that right here we have an executable Python file, which we will run in order to run this program. 

Let me just enlarge this program and I just want to tell you that this program basically doesn't work from time to time. So for example, once I run it, it might print us the emails and it might not because I run this a bunch of times on the same website and it sometimes just finds a lot of things and sometimes it just doesn't find anything. 

So, if we just run this program, it will show us an error and it will say, “The domain search is mandatory.” 

We basically need to specify our domain website. 

So, let me just type here the help option, which is "theHarvester -help" and it will show us our available options. Here we can see that the "-d" is basically specifying the domain or company name to search for. The "-b" is engine, so the search engine will by default be Google as it says right here.  

We want to leave it on that since I believe Google is the best. Here we can have the "-l" which is also an important option, which stands for limit. It will limit the number of results to work with. 

So basically, if you just type here "d200" it will search for the first 200 results and it will show us the emails and hosts from those 200. 

Now, we can try these examples right here, so we will just copy the first one. Let's just use "-d microsoft.com -l" for the results number which we will set to 500 and "-b" in order for it to be googled.

So, let's just try this. It will take a few seconds. It might find something and it might not. Basically, if it doesn't find anything, you can try it using the same command later on and it will probably work. 

It just decides from time to time when it will find them and it will not. So, if it doesn't work, we won't really care much about it. We will just continue on with the tutorials and you can try it later out with the same command. 

Here we go, it is soon going to finish it, but in this case, we just weren't able to find anything. 

So, let me just try here another website or basically we just type Microsoft without .com. Maybe it will search it as a company name and it might find some of the results.

We will give it one more try after it if it doesn't find anything here, and we will finish the tutorial there since there is no point. As I said, sometimes this tool finds something and sometimes it just doesn't want to find anything.

We will wait for this to finish. The first 200 results are already over. This one didn't work as well. So, let me just try out one website that worked 20 minutes ago when I tried it. This is a website from my country, some university websites. It doesn't even matter, you can try this on any website you want. 

Maybe if we use the other website it will print us something. If it doesn't we will just proceed to the next tutorial, which will be "Shodan."

It is basically a search engine, a website that we use to search for vulnerable devices. 

Now, you will be surprised how many vulnerable devices are there out on the Internet. The most common vulnerable devices are basically the routers with the default username and passwords.

If you were to go on to the login page of that IP address, you will be able to enter their router and change all their settings. But more about that in the next tutorial as we can see this one didn't work either.

We tried three times and it didn't work any of those three. 

So, basically later on or tomorrow, whenever you want, you can just try the command out once again and it will probably work. It just doesn't want to work right now. 

Once again, it is located in this directory. You won't be able to run it from the terminal or from any directory. If you want to, I will show you in the next tutorials how to move a file and be able to run it from any directory with just its name. 

So, for example, I will show you how to run this file with just its name and not go into this directory all the time when we want to use it. But we will teach that in some of the other tutorials. 

For now on, I will cut the tutorial short here and I hope I see you in the next one.

Footprinting! - Shodan

Hello everybody. 

Welcome back and in this tutorial we will cover the "Shodan," but before we go on to the "Shodan" I just want to show you "The Harvester" from the previous lecture, which we couldn't get to work. 

Maybe if we try it right now it will. Let me just locate it once again. 

So we will go to "usr/share/golismero/tools/theHarvester." 

Now, I won't cover right now how to use Harvester since we did that in the previous tutorial, but I will just try to run it once again so we can see if it will work today. Now, let me just type here "the Harvester" and as the domain, we will use the same website we tried on in the previous video, which is this one. 

For the "-l" command we will list 500 results and for the "-b" command we want to search over the Google engine. So, if we just enter right here, we will just wait a few seconds until it searches Google.

We will see if right now we get some of the results that we couldn't get in the previous video. As we can see, it will finish soon. It processed 400 results and here we go. As you can see, the same website that in the previous lecture didn't work, right now gave us some of the information. 

For example, we found a bunch of email addresses that belong to that domain as you can see right here. We also found some of the hosts with their IP addresses that also belong to that domain you can see "portal allinclusive."

We found some of the email addresses that if this was a company that we were testing, we could use in order to process with our attacks.  

For example, we could send malware to all of these email addresses and hope that some of them will open it. But I just wanted to show you that it works sometimes, so let's just proceed on to the "Shodan," which is a website.

So, just open up your Firefox and a new tab, then type here "Shodan."

We will click on the first link and it will lead us to the website where we can discover some of the vulnerable devices on the Internet.

As we can see, this website right here "explore the internet of things, monitor network security" and a bunch of other things. 

So we are on this website right now and basically let us just search for some of the vulnerable devices.

In the search bar, I will just type here "password."

As you can see, we got two million results right here. We got some of the IP addresses. Let me just type here "default password," so maybe it will show us the results of the IP addresses that have the routers configured with the default password.

This one right here default name "admin," password "1234," but it is unauthorized. So let us just go down here. This IP address right here, important banner message, username is "admin" and password is "password."

So, if we click on this IP address, it will open some of its information. Let us just copy the IP address. We will copy right here and paste it in Google. 

Now, there is a good chance that this won’t work, before I type here the username and password, let me just check here, what was it?

I believe "admin" and "password."  

Yeah, let's try this. Let me just refresh this and type here "admin" and as a password, "password."

Now well, let me type it once again. Yeah, sometimes it just won't work since these could be updated and they are not really vulnerable anymore. Someone could have changed the username and password, and right now we can't log in anymore to it.

So, let me just find another one. As we can see, this one user named "cisco" with the password "Cisco." Let us just click on this one for now. 

“The default username and password have a privilege level of 15. Please change these publicly known initial credential using the Cisco IOS command.” 

So basically, if this one didn't change, we should be able to log in with the default username and password. Let me just paste it right here and we are unable to connect right here. 

Well, it doesn't really matter. Even if you could possibly connect to someone and they didn't update it, and they still have the default username and password, you shouldn't really do anything with it since it is illegal to change other people's settings on their router.

That's why people get notified here about their vulnerabilities. Let me just show you how you can check yourself out.

Just type here, “What is my IP address” basically just copy your public IP address right here as it says, “Your public IP address” and paste it in the search bar, and if it finds something, it means that your device or your router is vulnerable to something. 

In my case, it didn't find anything since it is not really vulnerable, but in your case, it might find something. Before we finish this tutorial, I just want to show you for example if you found out that your own IP address is stored on Shadon, that means that it has some kind of a vulnerability. 

So, in order for you to change that, for example if it has a default password and username vulnerability, you will need to update your username and password in the router.

In order to find out what your router IP address is, you can just type here "netstat - nr" and the IP address that is located below the gateway is the router’s IP address.

So, you can just copy it, go onto the Firefox. Let's open a new tab and right here you paste the IP address and it will ask you for your username and password. 

So, you just type here your username and password whatever it is. If you do not know, just search the name of your router on the Internet and it will show you the default username and password that you get in the configuration of the router. 

So, if you didn't change it, the username and password will be the same. You can find the default username and password for any router on the Internet. We do not want to save the username and password, so now we wait for it to log in. 

Let me just show you, for example, you can just type here on Google “default router passwords.”

You can just go to any website basically and just search the model of your router and find out what their default IP address is, and also what their default password is.  

Now, most likely, it would be something like "admin, admin" or "admin, password," but it could also be something else. 

Now, this is the site I didn't visit before, so let me just check out if there is anything available here. Here you can basically just paste the name of your router and it will give you the information.

Let me just try with this one. Let's say this was your router and you find out what the name of your router is, you just paste it right here and it will find the router you were searching for. 

It will also give you its IP address by default and your default username and password for that router. 

So, once you find that out, you can just paste the IP address right here and it will log in. 

Now for me, it is for some reason loading for too long. Let me just type here once again and here we are. We are logged in. 

Now it didn't ask me for a username and password because it asked it two minutes ago. 

So now we are in my router. Here you can have a bunch of the information. 

Now, depending on your router, different settings will be on different places. It won't be the same as my router. 

My router is an old one, so it will probably not look even nearly the same as mine does. You just want to play with the settings a little bit and click on a bunch of things until we find the username and password changing section where basically you can change your default password into any password you want. 

Once you do that, nobody will be able to login into your router anymore with the default username and password. It is really important for you to do that because if someone logs in, they can change any of the settings for the router. They can change for example port forwarding, they can change your wireless password and everything else.  

So, it is a pretty vulnerable device and you want to change that. 

Now, that would be about it for this "Shadon" website and with that, we finish the most part of the footprinting. 

We just leave the two tools for the next lecture, which will be the dig and the DNSENUM tools, which I will cover briefly, and after that, we can continue on to the scanning session. 

So I hope to see you in the next lecture, and take care.

Footprinting! - Zone Transfer With Dig

Hello everybody and welcome back. This is the last part of the footprinting section where we will cover two tools, which are basically almost the same, but there are slight differences between them. 

The first one is called "Dig," so if you just type here on your keyboard "dig," you will notice that nothing will happen since we didn't specify any website. But for more information we will just type here "dig —help" to provide us with the simple usage of this command.

Now you can use any website for this. It is basically not illegal. This is just a tool in order to scan the DNS. Dig basically stands for Domain Internet Groper, and with it, you can basically try one of the attacks, which is called the zone transfer.

Now zone transfer, it uses the replication for primary and secondary DNS servers in order to be synchronized. Well, basically the secondary server, for example, asks for data for zone from primary server. The primary server answers with a copy of database, which has IP addresses and name of hosts.

Now, the configuration of the DNS can potentially allow anyone to request a zone transfer. So, with this tool, we will try out the zone transfer on some of the bigger websites, which of course won't work, but on the smaller ones it could possibly be a misconfiguration in the DNS, so that the zone transfer is enabled.

Now zone transfer is happening over TCP on port 53 and not over UDP at the regular port 53 for the DNS. 

So, if you just type here "dig google.com" you will notice that it would give us a bunch of the information about google.com. 

So for example, as we can see, this is the DNS query right here. The NS right here stands for Name Server and we can see that there are four of them. The A basically represents the IP address, the one A stands for the ipv4 IP address and AAAA stands for the ipv6 IP address. 

We can see also some of the other options, which is the server that it used to query, which is our own router on port 53. As you can see, the usual DNS port will be port 53 over UDP and my router IP address is 192.168.1.1. 

We can see that the one query, we got one answer authority four, which is these four servers right here, and additional line I believe it is referring to this one right here, even though there is eight ones. 

But these are basically the same servers just with the different format of IP address. This one is as it says ipv4 and this one right here is ipv6 IP address. 

So that’s the basic use of the "dig" command. You can use it to find out some of the information about the domain, but if you wanted to try out the zone transfer, you can do it like this. So, just type here "dig" and then you type here "axfr" which stands for the zone transfer.

Now, we can use for example "facebook.com" and we can use the other server for example A.NS.FACEBOOK.COM. 

If we type this right here, you will notice that after a few seconds it will basically prompt us with “The zone transfer failed,” since Facebook didn't misconfigure their DNS, so the zone transfer attack cannot be done on Facebook.

Now there are maybe other smaller sites that could be possibly vulnerable to some transfer attack, but we won't be trying to find them at the moment. This is just one of the tools that you can use in order to find out if it is vulnerable. 

But let me just show you another tool right here, which is called "DNSENUM" and also preinstalled in Kali Linux. So basically, it is the same as the dig tool. If we type right here "DNSENUM google.com" it will provide us with similar information.

As we can see, host address google.com, which is A, stands for the ipv4, and then it will print us the IP address, the ipv4 address of google.com.

Right here, it is trying to find out some of the name servers of Google. As we saw before, there should be four of them. 

Now, this might take a few seconds and sometimes it actually just times out. It might time out right now, but we will see in a few seconds, I will come back when these finishes. 

As we can see, it finished right here and it says that the google.com NS record query failed. It timed out.

So we won't be trying that anymore. I just wanted to show you that you can use that tool as well if you want to. But that would be it for the footprinting section.

So let us just recap what we covered.  

We covered some of the tools that we use to gather as much information as we can about our targets. 

So, for example, these two we covered in order to gather some of the information from their server for their DNS. 

We also tried one of the attacks, which is the zone transfer and of course it didn't work on Facebook.  But as I said, it might work on some of the other websites. 

We also covered the Whois, we also covered the Shadon website, we covered The Harvester in the previous lecture where I showed you that it sometimes can actually work.

We also covered the Nikto, which is a big command tool. You should search more about it if you want to. It might be useful later on. 

So that would be about it for the footprinting section, and with this section, we basically finish the beginner section and we enter the intermediate section where we will start off with creating our vulnerable virtual machine, which we will use in order to run our scans and attacks.

Since it is not legal for us to attack a machine that we do not own, we will create a virtual machine which we can attack. 

Now you might have heard of that virtual machine. It is called Metasploitable and I will show you in the next tutorial how to install it.

We will start covering one of the bigger tools in Kali Linux and one of the tools that you will use a lot, which is called the Nmap.

But more about that in the scanning section, and I hope to see you there. 

Take care.

Scanning! - Installing Metasploitable

Hello everybody and welcome back. We have officially started our intermediate section and we are starting it off with the download of the virtual machine called "Metasploitable."

Now as you can see, I am downloading it right now from the Rapid7 website. If you go and type here in your Google search bar "Metasploitable" and click on the first link, it will ask you to make an account before the download. 

So basically, you need to submit some of this information in order to download the "Metasploitable" from the Rapid7 website. 

Now, if you do not want to specify any information, you can just go on to some other website. I just clicked on this one and you can download it from here. 

You just click here on "Download" and in a few seconds, your download will start. The "Metasploitable" zip file is around 800 megabytes large.

Let me just close this one since I don't need to download it two times. As you can see, I am here already downloading it, so we will wait until that finishes, and then we will build the virtual machine into our VirtualBox. 

Now, if you are asking what is "Metasploitable," it basically is an intentionally vulnerable virtual machine, which we will use in order to test our further attacks and scans. 

Now we use this machine because scanning any website you do not have permission to scan can be illegal and you shouldn't be doing it. 

So, this is also a dangerous machine, so you shouldn't expose it to any network you do not trust. For example, you should only keep it over net or host, don't connect it to a bridge adapter, don’t connect it to a local network since it is purposely made vulnerable and there is a bunch of holes in this machine. 

Now, we will not be explaining all the vulnerabilities that this machine has, but we will cover some of them.

Basically, I will just wait for this to finish and once it finishes I will show you how to install the virtual machine. My download has just finished, so what you want to do right now is basically to copy and paste this zip file onto your desktop. 

So once you got it on your desktop, which is right here, what you want to do is basically extract this file since it is a zip file. We want to extract it. I will use WinRAR to do that, so this will take a few seconds, and after it is finished we can proceed with the making of our Metasploitable. 

You will notice once it is done that we will get five files I believe in this folder, and we are only interested in one, which is basically the .vmdk file that we will use as a hard disk for this virtual machine. 

Now this is finished and you can see right here if we open it there are five files and we will use this one. I will show you right here how to put it into a virtual machine.

So basically, just for the sake of the making, just click on the new virtual machine and you can type here any name you want, so I will just call it "vulnerable." Here you want to pick as a type of operating system, you want to choose Linux. In the version type, you want to go scroll down and pick "Other Linux."  

Once you have these options picked, you just click on the next option. Here we have the memory size. Now the memory size for the Metasploitable should be at least 512 megabytes, and it will work fine on the 512. 

I would advise you, if you have some spare RAM memory, you can just put here 1 gigabyte and it will work better. But if you do not have, you just leave it on 512 and it will also work fine. 

Now, keep in mind that you will be running two virtual machines. One is Kali Linux and one is Metasploitable once we run our test. So be aware that you will need also RAM memory in order to run your main machine. 

If you do not have enough memory, just leave here 512. Now, once you have picked your memory size, just click here on "Next" and under this option, you want to go to the "Use an existing virtual hard disk."

Here you just want to go on the "Choose a virtual hard disk file" and you basically just want to find the Metasploitable, which in my case is right here. 

Let me just see why it won't work. 

“Does not match the value in the media registry.” 

What do you mean, it does not match the value? 

Well, it doesn't even matter, there is some error for me. It doesn't really matter. I believe that is because I already have Metasploitable installed. 

For you, you just find your Metasploitable VMDK file, which for me is right here, and you just click on that one, you choose it and you shouldn't have this inaccessible. It is only for me. 

Once you do that, you just click here on "Create" and you have your virtual machine made. Now, once you have this, you just basically click on here "Start."

Now for me, it will pop up an error, but for you, it will just start the process of installing the virtual machine and I don't think it will ask you any questions. Only at the end, it will ask you for the username and password, which I've written it right here.

The user name is "msfadmin" and the password is also "msfadmin." 

So once it asks you for the username and password, just type here "msfadmin" and you should be logged into the virtual machine into your Metasploitable.  

Now keep in mind, it won't have a desktop like windows or our Kali Linux, it will just be a command-line since it is not a GUI made virtual machine. You will be able to execute any commands that you execute in the Kali Linux terminal and it is basically all the things you will be able to do. 

Now, we will continue with the scanning in the next lecture where we will be using one of the most known tools in Kali Linux, which is called "Nmap."

I will show you a bunch of different scans you can do with it, but until then, I hope you are having a great day and I will see you later.

Scanning! - Nmap Part 1

Hello everybody and welcome back. 

In this tutorial, we will finally start covering some of the basics of the Nmap program. 

Now, as I said before, the Nmap is a really important tool that you will use all the time. So, it is essential for you to at least learn some of the basics of that program.

Before we begin, I want to say that Nmap is a network mapper, it is basically a free and open source tool mostly used for vulnerability scanning and network discovery. 

You can also use the Nmap to identify some of the devices or all of the devices that are running on your local network, also at discovering hosts that are on or offline at the moment, and discovering services they offer on some of the ports that they have open.

You can go as far as discovering what version of software they are running on their open ports. Now, Nmap can be used to scan multiple hosts, it doesn't have to be only one host that you scan. It is basically working by just sending the raw packets to the system ports.  

Now, as it does that, it basically listens to responses and determines whether the ports are closed or open or filtered in some way, for example with a firewall. 

You can use different types of protocols in Nmap. You can use TCP, UDP, ICMP, and SCTP. 

Now as I said before, Nmap is a network mapper. It can also be used to detect the operating system that is running on the machine that you are scanning and also discover the vulnerabilities if there are for that particular version of the software they are running on an open port. 

Now, a system and my PC can have 65,535 TCP and UDP ports, but Nmap will by default only scan the most commonly used 1,000 ports. 

You can change that as well, so you can scan all the 65,000 ports, but it will probably take a lot longer than the regular 1,000 ports. 

Now, before we begin using Nmap, I just want to show you first of all how you can run it, which is basically just to open your terminal in Kali Linux. It is already preinstalled in it and you can just type here "nmap."

You will see that it will print out a bunch of the options that we will cover. But before we do that, I just want to give you a more detailed explanation on the IP addresses because you will be using them extensively in here. 

Now, with an IP address, if you know someone's IP address, you can basically do a lot with it. For example, let's open up our Firefox and let us type right here the major IP.  

We will click on the first website that this one opens and we basically just copy any IP address that we find, and we will try to find out the most information we can about that IP. 

So, let me just load up the website. Here we go. 

Now click on the first one, which is major IP addresses blocks by country - Nirsoft. 

So, it is on the Nirsoft website. Here you can basically click any country you want. Let's go with the Australia. Not really a smart choice since it is the most faraway country from me. Here just pick any IP address you want. 

Let's say I pick this one, which is 14.192.160.0. If I copy this IP address and I go to my terminal – Let me just clear the screen right here and I use a tool called "nslookup." As you can see with this tool I will need to specify the IP address that I just copied, which is this one, and it should return the name of that web server in return. 

So if I type right here it will say, “Server can’t find.”

Okay, so it cannot find that one. Not a big deal. Let us just copy the other one and check if that one works instead. 

So we just paste the other IP address and it won't work. 

Now, let me just show you on the IP address that will work for sure. So, if you type here "nslookup google.com," it will return the Google's IP address with this command. 

As you can see right here, the address of Google will be 172.217.19.110.  

Now, you can do the same in reverse, so if you type here "nslookup" and instead of typing "google.com" you type here the IP address of google.com. You will see in return what is the name of that IP address. 

Now, this is taking some time. Let us just wait a little bit before we close it. It says, “Time out,” so let me try it once again. So "nslookup" and then I paste here the IP address of Google. 

Yeah, it will probably timeout once again, so let me just type here "nslookup" and let's try facebook.com. Here we can see that Facebook's IP address is 31.13.84.36. 

So let's try in reverse. Let me just type here "nslookup" and then the Facebook's IP address. Hopefully, it will return facebook.com in the output. 

No. Weird, because it says, “No servers could be reached.” 

Let me just try to ping it. But we are on the Internet, so it should work. Not really sure why it doesn't work at the moment, but it doesn't really matter. Instead, we can try another command, which can be also used to get some of the information from an IP address.

Now, that tool that we will use is called "curl." 

Now, for example, let me show you if you type here "curl IP info.io" and "/" and then you paste the Facebook's IP address right here and you click on it, you press enter and basically it will say that the IP that we typed here, the hostname is facebook.com, city not specified, region not specified, country is specified and location is also given in coordinates.

Organization, as it says right here, is Facebook. So since "nslookup" didn't work, we will use "curl." 

Let me just look up the Google's IP address once again, so we can see the curl command with the Google's IP address. 

So, let me just type here "curl ipinfo.io" and "/" and then you type here the Google's IP address. As you can see, we also get the hostname, we also get the organization Google, location is also given in the coordinates and the country is US.

So let us just now choose any of these IP addresses right here, but let's not go with Australia, let's go with Belgium. Here we just copy any IP address. Let's copy this one. Let me try the "nslookup." 

Maybe it will work right now. Probably not, but let's give it one more try. 

“Server can’t find.” 

Okay. Doesn’t matter. We will go on with the curl. So, we copy the random IP address that we do not know anything about and we just type here "ipnfo.io/" and then we paste the IP address that we copied, which should belong to Belgium. 

So, as we see right here, we are given the IP, the city, the region, the country, location, also given in the coordinates, postal code, organization, which we can confirm since it says for this IP address right here that the MAC Telecom and we get the same result right here. 

Now you can see that you can find a lot of stuff with simply just looking up the IP address.

There is also one more thing you can do in the search engine. You can just type here "IP locator." We can use the same IP address that we copied from here, which is this one 80.91.144.0 and we will just pick the first site, which will hopefully locate our IP address.

If we type here, paste, and we go on the IP lookup, we can see right here that we get the location of the IP, which is Belgium and it is correct. We also get the latitude and longitude, which we can check if it matches this one. 

Let us just go down here. It is the same. Basically, it is the same in every decimal. So this program is working. So let me just see if we can check out on a map where it is located, but we can just simply go on any Google map and just type here this coordinates and we will find out where this IP address is physically located. 

Now, that we saw what we can do with the IP addresses, we can open up our "Nmap" for now on. So, if you just type here "nmap" you will see again a bunch of those options, but we will start off with these examples right here. 

So as you can see right here, they put an example "nmap - v -A scanme.nmap.org."

Now, it is important to mention that nmap scanning on the device you do not own or do not have permission to scan is illegal in most of the countries, I believe. So you should not be scanning any website or any device that you do not have permission to scan and it can also be very noisy. 

You can be caught by firewall and you are not anonymous with this, especially not with the basic commands.

Now, later on, we can cover how to be more quiet while using nmap and scanning, but you should only be doing it if you have permission to scan too. 

If you go on to this website, you will notice that if we copy it and we will paste that website, you will see that they gave us the permission to use that website in order to practice with nmap.

So, let us just wait for this to load up and it should be prompting us with a message that will basically say, “Go ahead and ScanMe,” as you can see right here. 

Here it says, “Hello and welcome to scanme.nmap.org. We set up this machine to help folks learn about nmap and also to test and make sure that nmap installation is working properly. You are authorized to scan this machine with nmap or other port scanners. Try not to hammer on the servers too hard. Few scans in a day is fine, but don't scan 100 times a day or use this site to test your ssh brute-force password cracking tool.”

We basically have permission to scan this. Now don't overscan it as it says right here. 

“Don't scan it over 100 times a day.” 

Basically, you can scan it a few times a day. So we will just type here "nmap -v -A scanme.nmap.org."

But before we run this command, I just want to check out or to show you what does -v and -A do. 

Now -A as we can see right here enable OS detection, version detection, script scanning and traceroute, while -v increases verbosity level.  

It basically means to print out what it is doing in the process of scanning. So if you type here "- vv" it will print out even more information in the process of scanning.

Now, we won't be using any of these options at the moment. We will just type here "nmap scanme.nmap.org."

This can take time and it can take time from few seconds to multiple hours depending on multiple things, such as the speed of your connection and also the location of the target that you are scanning, and also the number of targets that you're scanning. 

As we said before, you can scan multiple targets with nmap and that will take longer than scanning just one target. If you just press the arrow upwards right here, we can see what percentage of scan is finished. 

We can see that 7.4 % is done and here it will give us information about other hosts. So for example, if you were to scan 100 hosts and here it says, "22 hosts up" it means that the Nmap retrieved 22 hosts to be online or up and working. 

Now as you can see, the Nmap scan result has finished and here we see a bunch of ports. Some of them are filtered and some of them are open. As we said, the filtered ones could be protected in some of the ways such as with a firewall, while the open ones are basically just open such as HTTP as we saw basically when we visited this website.

We basically used the HTTP port, which is open, so we were able to connect to this website. There are other ports that are also open such as SSH port which is the 22 always TCP port. You can see some of the hard ports open such as 9929 and 31337, which is for Elite and "nping- echo" and other ports are just filtered. 

So this is just a basic scan with Nmap, we will continue with some of the more advanced scans in the next lecture and I hope I see you there. 

Bye.  

Scanning! - Nmap Part 2

Hello everybody and welcome back now, this is the part two tutorial of the Nmap program.

In the previous tutorial I basically just show you what you can do with an IP address and what information you can gather only by knowing someone's IP address. We also ran a simple scan on the "nmap scanme.org" website, which basically allows us to do the scan there. 

You should only be scanning either that site or any machine you do own since nmap scans could be illegal in your country. Also, before we begin, let me just type here once again "nmap" to show all the available options. 

Let me perform the same scan we did before, which is just "nmap scanme.nmap.org" and basically, if you wanted to for example write this to a file, you just specify two arrows right here, and then we call the file "results.txt" for example. 

Now, this will take as previous time a few seconds and it won't give us the output right here. It will basically save all of the output into our "result.txt" file. 

So, it is useful if you for example run the scan for multiple hours and you don't need to keep the terminal open in order to see the scan. You can just basically save it into a file and you can access it anytime and anywhere. 

So you don't run a scan on multiple hosts and run it for five hours, and then you accidentally close the terminal, and basically, the entire scan is lost and you need to redo it once again.

As you can see right here, the scan has finished and it hasn't given us any output, so I can just clear the screen and type here "ls." 

As you can see right here we have the "results.txt" file. If we get that result.txt file, we will get the same output that we got in the previous video with our results printed out into this file. 

Since we know that we can delete this file right now, we can type here "nmap" once again.

Now I won't be scanning the "scanme.nmap.org" anymore, I will be scanning basically my Windows machine right now. You can continue scanning this site. You can also scan the Metasploitable that we installed in the previous lectures and you can also scan your host machine. 

Let me just show you. You can also scan yourself if we just check our IP address right here 192.168.1.6 and you type here "192.168.1.6."

I don't believe any port are open.

Yeah. All 1,000 scan ports are closed. 

So, on this Kali Linux virtual machine, I am not having any port open and that should be on yours as well for now on at least. As I said in the previous video, the Nmap only scans the top 1,000 used ports. 

So if you want to, for example, specify the number of ports you want to scan or you want to scan all 65,000 ports, we can do that with "-p." So how we do that, well basically we just type here "nmap -p" and then we type here "1-65,000."  

We can just do 65,000 or we can do all 65,535, I believe that's how many there are. Then, we specify again our own IP address and this will take longer to finish. Instead of scanning only 1,000 ports it will scan all 65,535 ports. It will finish relatively fast since we are scanning ourselves and it only finished in 1.5 seconds.

So now, we won't be scanning ourselves anymore since there is no point. Let me just find out what the IP address of my Windows machine is. I will type here in my command prompt "ipconfig" and the IP address of my host machine is 192.168.1.4.

I will just type here "nmap 192.168.1.4" and let's see how fast this will finish. It shouldn't take too much of our time. Let me just check here. Alright, it will finish and we can see there a few ports open right here. 

The netbios-ssn, Microsoft-ds, and nsrpc, which are these three ports. They are all three open. As you can see, they are all over TCP. 

Now, for example, let's scan again my host machine, but right now let us scan all 65,535, I believe that's the maximum number of ports. We type here the IP address of our Windows machine. 

Oh, yes. I only specified that this should scan this port. I should specify a range of ports, so 1-65,535 and we press here enter. This will take a little bit longer than the 1,000 ports scan, so let us see where it is right now. 

Yeah, it is only on 4%. You can check out the process with the upper arrow.

If you didn't specify right here, the "- v," which stands for the verbose that will basically just print you this right here as it goes with the scan. I didn't specify it, so it doesn't print anything before the "-."

Let me just show you. We will finish this, so we don't wait until it's over. Let's just type "nmap" once again. We can see right here that the "-v" command stands for increased verbosity level. 

Use "vv" which is basically "-vv" in order to see more details. So let's run the same command, but with 1,000 ports. So let me just type here "nmap 192.168.1.4" and basically just "-vv."

Here you can see that as it goes with the scan, it prints out the information and at the end, it prints out the same thing that it printed out before. We can see as it went it concluded that there is one host that is up and as it discovered the open ports it printed out for us. 

Now, this can be useful if you want to find out open ports on a host that will take an hour to scan or for a range of hosts. So let me just show you how you can scan a range of hosts. 

For example, let’s scan your entire local network. You can see right here that the second command in the examples shows us how to specify the range of hosts.

So, as you can see right here 192.168.0.0/16 this will basically scan the first 16 hosts in the local network.  

Now, we know in my local network, since my subnet mask is 255.255.255.0 there are only 255 hosts available. So we will specify all of them. Let me just type here "nmap" and then we will type here 192.168.1.1/255. 

Let us just put here the capital F which stands for basically doing this scan faster so we do not waste a lot of time. Let me just press enter right here.

Now, let me just check once again since this didn't work. Maybe I specified wrong. Well, basically it gave me some error. Let me just redo this command. But not like this. Let me just type here instead of "/" I use "-."

So right now, it should work. But let's also add the option verbosity so it prints us everything as it goes. It actually finished relatively fast. That is probably because we specified right here the "-F" option, which basically makes its scan finish faster. 

We can see that all of these hosts are down. We can see that between these two there was one that is up which is .15. That is my laptop that is currently running. So as we go down here we found our router. Here it is. 

So 192.168.1.1. It also found our Windows host machine, which is my current Windows 10 machine as my host operating system.  

As you can remember, here are the three open ports on my host machine. It found my laptop, which only has the Apache II running on the HTTP port over TCP and it also found our virtual machine, which is 192.168.1.6 and has none of the ports open.

So the Nmap result finished with 255 IP addresses scanned and four hosts were up scanned in 6.06 seconds.

Now, let's also, for example, if you want to write that into a file, you can do that with the double arrow command and also into the results.txt.

As we saw in the previous video, it won't give you any output, but it will write your scan into the result.txt file, so you don't have to redo this scan once again later if you close the terminal. 

So, it should finish in a few seconds I believe and we will have a file with all 255 machines scanned. As you can see, it has finished and if we "cat" the results.txt, we will get the same output as in the previous scan. 

Now, this is about it for this lecture. We will continue with some of the more aggressive scans and more specified and detailed scans in the next lecture, which will also be Nmap. 

We will cover how to get the version of a software running on a specific port. For example, we will find out how to get the version of my Apache II on my laptop, which is running over HTTP. 

As you can see right here, we don't get the version specified, but it is an important option because it allows us to find out the version of a software which can be used in order for us to find out any vulnerabilities for that particular software. 

I hope to see you in the next lecture and take care.

Scanning! - Nmap Part 3

Hello everybody and welcome back to the part three tutorial of "Nmap."

Now, we will cover some of the more advanced scans that we will use in order to figure out, for example, the version of process running on a particular open port. 

So let's just type here once again "nmap" in order to see our available options. And let's, for example, try to detect the operating system running on my Windows machine. 

Now, as in the previous video, the IP address of my Windows machine is 192.168.1.4. So we will find here the option for the operating system, which is I believe "–o."

Here we go. It says “Enable OS detection.” 

Now, you can add some of the specific options as it says right here, “osscan - limit: Limit OS detection to promising targets,” or “Guess OS more aggressively.” 

So we will just type here the basic command, which is just "-o."

We just type here "nmap -o" and the "192.168.4" which is my Windows 10 machine.

Now, we can press the upper arrow in order to see how long it will take and it should finish any second right now. We can see right here these are the open ports, the MAC address right here.

“Warning: OS results may be unreliable because we could not find at least 1 open and 1 closed port. Device type:  general purpose.”

It is just saying right here, “Running (JUST GUESSING): Microsoft Windows XP.”

Now, as you can see, this is wrong right here. I am not running the XP, I am running Windows 10.

So this scan can be wrong sometimes. It doesn't guess 100% every time you scan it. Now, it does guess most of the times, but as we can see right here, it didn't guess right now.

We can see that it gives us some of the other options as well such as "aggressive OS guesses" which is Microsoft Windows XP SP2, Microsoft Windows Server or Microsoft Windows Server 2008.

We can see that none of these is true, so this scan didn't work for us. 

Let me just clear right here, but let us just try to scan the operating system of my Linux machine, which is on my laptop. The IP address of my laptop is 192.168.1.15 and let's just paste that right here. 

Yes, we forgot to specify the "-o" which stands for the operating system scan. So let us just see right here and as we can see, it says it is running Linux, which is correct. So basically, it will just print you the open ports, the MAC address, and the guess of the operating system that the target is running. 

Now, you can also do as we can see right here, we can try to scan the "scanme.nmap.org" or you can also try to scan the Metasploitable. 

So basically, once you open the Metasploitable, since you don't have it open right now, just type here in the command line, once you logged in with the username and password msf admin and msf admin, just type the ifconfig and basically find out what the IP address is on the Metasploitable, and just use it from your Kali Linux machine in a Nmap scan.

So right here, let me just check out the site name once again since I will scan this one. Let me just copy it. We will type here "nmap -o" and then we paste the site name. Let's find out what operating system is running on that website. Now, since this is not in my local network this will take longer to finish as you notice right here.

But not too long. It should finish any second right now. Let us just wait for this to finish so we can see our output. The scan has finished for the "scanme.nmap.org."

We also got all these ports open, which we also saw in the previous videos and we got the operating system and it says, “(JUST GUESSING): Linux.” 

Now, it is probably running Linux, but we cannot guess with a 100% since I don't own that machine and I don't know what type of Linux does it have as it says right here, “Aggressive OS guesses: Linux 4.4 (89%).” 

Now, let's see some of the other options we can also use instead of the operating system. 

We can cover the "– sV."

As we can see, it is the service and version detection.

“sV: probe open ports to determine service version info.” 

There are also some of the other options right here for the sV option, but we will for now on just use the -sV. 

Let me scan once again my Windows 10 machine. 

So -sV. We will also type here the "-v" for the verbosity and we will type here 192.168.1.4 which is the IP address of my Windows 10 machine. 

Now, as I said before, you can either scan their website "scanme.nmap.org," your host machine or your Metasploitable in order to check out the output of this scan. 

So let us just see right here, it prints us the open ports. As we remember those are these three and hopefully it will print out the version of these services running there.

As we can see, it does and right here we have on the open port Microsoft -ds which is the service, the version is Microsoft Windows 7 - 10 Microsoft - ds (workgroup WORKGROUP).  

The version for the netbios - ssn is Microsoft Windows netbios - ssn. 

As we previously saw, we can even get some of the information from the version scan. As we saw in the previous scan, the operating system scan it said for my Windows 10 machine that it was XP, and right here when we scanned the version we can see Microsoft Windows 7 - 10 Microsoft.

So basically, we can notice from that, that some of the operating system scans are not really correct. You can use the common sense which says that most of the people today don't even use Windows XP since it is basically an open machine. 

Now that we checked out the version of services running on my Windows host, let's check out the servers and versions running on the "scanme.nmap.org." 

We will type once again "- sV" for scanning the versions, and then the name of the website. As you may have noticed, the Nmap can take the website name and the IP address as well. It doesn't just have to be the IP address, we can also type here the domain name as you can see and it will work properly. 

So let's just see at what percentage this currently is. 

Now, it doesn't want to show us, but it should be over soon. The scan has finished for the scanme.nmap.org and we can see that only the open ports got the version, which is normal since in the filter ports they have probably a firewall that is blocking our packets in order to find out what version they are running.

We can see on the open ports, which is 22 and 80, which is for the SSH, we can see that the version they are running is "Open SSH 6.6.1 Ubuntu" and on the 80/tcp open port, we can see the "Apache 2.4.7" on the Ubuntu. 

So as we did in the previous video, if you want to write that into a file, just type here ">>" and then "results.txt."

Now, we won't be doing that since I already showed you how to do that. We can cover one more option in this tutorial, which will be the "-A" option.

As we can see, it basically does multiple things such as enable OS detection, version detection, script scanning and traceroute.

So this will enable the OS detection to also print out the version of the services and it will also scan for some of the scripts. We can see right here if we type here "nmap -v -A" and then "scanme.nmap.org" we can see if the result from this scan will differ from the result of the previous scan. 

Now, this scan can take a little bit longer since it is scanning for multiple stuff instead of just single stuff such as for example the operating system scan. This is scanning operating system and version, script and traceroute.

So it will take a little bit longer. 

As we can see, it is discovering ports at the moment and now it is scanning services basically determining what version they are running. 

Now it is initiating OS detection as we can see right here, “try #1, try #2.”

Okay, it should be finishing soon enough.  

It says that only 37% has finished. 

Okay, it should finish right here. Yeah, it finished. 

So you can see that this print printed out a bunch of the options. 

For example, here under the TCP SSH port, we see the ssh- host key, which is right here. I don't think that in the previous scan we even saw the 25/tcp port. Let me just check out. It doesn't even matter. I can't remember it. It was probably there. 

And under the open HTTP Apache port, we can also see the version and also here under the port 80, which is the Apache HTTP 2.4.7 Ubuntu, we can see the supported methods on the website, which are “OPTIONS GET HEAD POST.” 

Now, this is the information that we didn't really see in any of the previous scans. So let me just check out what else we have here. So here we have the standard OS detection, which is Linux 4.4 on the 89% and here we have the traceroute.

Now, traceroute is basically the path that my virtual machine took in order to connect to the nmap. We are familiar with the first IP address that it took, which is my router. So basically, it is normal to have your router as a first starting point in the traceroute, and then it proceeded to other DNS servers in order to find out the IP address of the Nmap.

So traceroute can be useful sometimes mostly in troubleshooting, but it can be used for other things as well. We can see that the Nmap finished one IP address in 74 seconds which is pretty good.

Most of the Nmap scans can take a lot longer, even a few hours. So for now on, we will just finish the tutorial right here and I will see you in the Nmap part 4 tutorial in the next lecture.

Now, I hope you are having a great day and take care.

Scanning! - Zenmap

Hello everybody and welcome back to another Nmap tutorial. But before we continue with the command line Nmap, I want to show you for those who are interested in how to use Nmap as a GUI interface.

Now, we will use a program for that, which is called "Zenmap," which is basically the same thing as Nmap just it has a graphical user interface. It comes pre-installed in Kali Linux, so we won't have to install it. 

And for those of you who don't want to use a graphical user interface and prefer to stay with the command-line interface, you can just skip to the next video. 

But for those of you who prefer the graphical interface more, I will show you how to open it and use it from there. 

First of all, open up your Kali Linux machine, and then in the upper left corner you will see the arrow next to the applications. 

So just point to that arrow and you will see a bunch of things right here. We want to go to the information gathering. Yeah, it is right here and scroll all the way down and you will see something called "Zenmap."

Now, the icon as you can see is some kind of an eye, so just click on the Zenmap. It might ask you first time for the root password. I'm not really sure, but if it asks, just type it here and you will be prompted with this screen, which is basically the graphical user interface for the Nmap.  

Now, how do we use this? 

Well, let me just make this not too large. This is quite good. Here where it says “Target” you basically input the IP address. 

So let's say for example that we want to scan my laptop, I will just type here 192.168.1.15. As you can see, while I'm typing right here on the target it is adding the same IP address into the command. You can see right here that we already have a command specified. 

Now, you can change the output of the command with the profile. As you can see right here, it is as intense scan. If we go on to here and type here "ping scan," it will change the command for us.

Now you can see that we have the "-sN" option. If we change it once again to the quick scan it will have the "-F" option. 

On the left side, as you can see right here, this is hosts in case we want to scan a range of hosts. I believe they will be right here, and the OS is the operating system running on those hosts. 

The Nmap output will be the same as in the command line output. Here we will have the ports, protocol, state, services, and version. 

So, if you want to, you can do some of these options, but let me do some of my options. We will use "-F" in order to scan it faster. Basically, this -F scans top 100 ports instead of top 1,000 ports, that's why it finishes faster. 

It's not really faster, it just scans less ports than the normal scan. But here on the -T4, we will type here "sV" so it can scan the version.  

Once you have specified your command, whether it is this one or whether it is any other of these already given options, you just click here on the scan and it should start scanning right here. 

As you can see, “Nmap 1 IP address (0 hosts up).”

It still didn't detect that my laptop is up. It probably will. Let me just try here. 

Well, the upper arrow doesn't work right here. So in order to see the results while you scan, just type here "-" and then "vv" or one v depending on how much information you want to see during the scan.

So we will wait for this to finish or let us just start here once again with the "-v."

We can see right here that it basically already gave us more data, more information than the last scan. Let me just see right here, “Raw packets. Nmap done: 1 IP address (0 hosts up) scanned.”

Now, let me just see right here if my laptop is up. It possibly isn't that IP address. I don't know why I thought it was that one. Yeah, it's not .1.15 it's .1.8.

Let us redo the scan right here and let us add the "-v" as we can see right here. So the "-sV" for the version "-v" for the information showing right here, and "-F" for finishing the scan faster.

So let us just click here "Scan" once again and right now it should find my machine. As we can see, it discovered open port 5357 tcp on my laptop machine and that is basically it. 

Now, currently on my laptop, I'm running Windows. 

As you can see right here, "OS Windows."  

It doesn't specify which Windows, but it doesn't really matter. We didn't even add the "-o" option for the operating system. It shows the MAC address of my network interface on my laptop, and it shows the open ports right here.

It also says right here: “Read data files from this path.""

So as you can see, once we scan this, we can see the host right here and the operating system which is under the ? right here. We can perform the same scan and add the "-o" option for the operating system.

Now, if you are having struggles to remember all the commands you can just open up your terminal on one side and Zenmap on the other one and type here "nmap" and basically find the option you want.

So "-o" for us is the operating system. Let me just find it right here. It says right here, “Enable OS detection.” 

Then, as you can see right here, the icon has changed, but let me just check this out. 

Yes, now "Aggressive OS guesses" is Microsoft Windows 10, which is correct. On my laptop, I'm currently running Windows 10.

So it gives you a bunch of other operating systems, but there are less probability than Windows 10.

Basically, that is about it for this Zenmap. 

If you want you can perform your scans over here if you prefer this interface instead of this one. But we will continue in the next tutorials to use the command line interface and we will cover some of the options that allow us to bypass the detection with Nmap.

Also, we will learn where to get the scripts and how to use them.  We will also download some of our own scripts.

So that's about it for the Zenmap and as I said before you can use this one instead of this one, they are basically both the same.

I will see you in the next tutorial where we will cover some of the other options that Nmap gives us. 

I hope to see you there and take care.  

Scanning! - TCP scans

Hello everybody and welcome back. 

In this tutorial, we will continue with some of the other options that Nmap allows us. 

Now, you might be asking, why are we covering all of these options for Nmap?

Well, basically it is a really important tool and knowing all of these options will make you at least 50% better in penetration testing since scanning is a really important part of performing a penetration test. 

So let us right here just open up our terminal. Let me make it this big and in the other terminal right here, I will open up the commands, "nano commands.txt" where I will write all of the Nmap commands that we cover in this particular tutorial.

So let's just type here once again "nmap" and the first thing we want to check out is the "-Pn" command. 

Now, we can find it right here or for example, let's say you can’t find a specific command in these bunch of the commands, you can just type here "nmap" and then "grep -Pn."

It should be "- P" and then n. 

Here it is: “Treat all hosts as online — skip host discovery.”

Now, this is an important command. You might be asking, why? 

Well, some of the hosts that you scan on the network can appear to be offline. So for example, if you know a specific host must be running and is online, but let's say you scan it right here and it says that it is offline 

Now this is my laptop, so it will say that it is online at the moment. But I've had some scans that basically said that my machine that I was scanning, which was right next to me and which was connected to the network and running basically, said that the host was down and every time I specified the "-Pn" option, it basically skips the host discovery and as it says, “Treats all hosts on the network as if they were online.” 

This will perform the scan and it will give you the results without host discovery. So let's say for example I scan this IP address, which I don't have anything running on it, so it will say that the host is down. As you can see right here, “0 hosts up.” 

This will be the same output for the machine that is running, but it is blocking the ping requests or it is showing other machines that it is offline.  

So in that case, you should specify the "-Pn" option, and then you specify the IP address and it will show as if it is online.

Now, in my case, it won't show since I don't have anything there. So let me just scan my laptop once again. I just typed here "nmap -Pn" and then 192.168.1.8 and it will skip the host discovery and it will basically automatically say that my host is up and running. It will scan for its open ports. 

Now, let me just see, it has finished around 22%. You might notice that the scan is going a little bit slower, so we won't be waiting for that to finish, there is no point. Or we can just leave it right here, perhaps it finishes while I type it right here. 

So "-Pn" and then the IP address, basically the IP address of any machine that you are scanning or any website that you are scanning. Of course, try not to scan the websites that you do not have permission on. You can always use the "scanme.nmap.org" which we have permission to scan by Nmap.

Or you can basically just use the "Metasploitable" virtual machine that we installed. You can also install basically any other virtual machine that you will use in order to scan and attack. 

Now, since I can't really run the Metasploitable, it gives me some error, I downloaded another virtual machine that I'll show you how to install and I will show you why we will use it. 

Basically, we will use it extensively in the website penetration testing part. I'm not really sure if Metasploitable has OS in it pre-installed. I doubt, so you can check out if it has that, and then you don't need to install this virtual machine as well. 

But if it doesn't, you should install this virtual machine as it is vulnerable and it is used for web penetration testing. 

So we will cover some of the attacks on the web sites using this machine.

But let us see right here, as you can see the scan has finished and it treated our host as if it was up, and it discovered an open port. It also gave us back the MAC address.

So, it is a useful command if you know that the host is running and it is showing that it is offline. You just type here ''-Pn" and you will have your host scanned. 

Now, the next option I want to show you, which I didn't show you before if we type here "nmap" would be the "-sT" command. If we go up here and find the "–sT," you can see that it is basically a full TCP scan. 

Let me just find it right here, we have the sU, sN, sS. Here it is. We can see a bunch of these options. We will only cover first these three basically. But for now on, let's just cover the sT, which if you look right here, it is basically a connection. 

Now, by connection, it means that it performs the full three-way handshake in order to scan the target. As we talked before, the TCP connection requires three-way handshake, so let me just open up Paint, so I can show you better. 

For example, let's say you have a PC right here and you have another PC right here, so basically, just laptops since I'm not really sure how to draw PCs. 

This is PC A and this is PC B.

Let's say the PC B is your target and you scan from the computer A. When you use the -sT option, so -sT option, it basically performs a three-way handshake scan with the TCP, which is basically us sending a bit set called syn, then the other machine is sending us the bit set called "syn-ack," which is basically same as syn. 

But in order for you to learn more about this and to know what I'm talking about right here, you should read more about the TCP and UDP scans, and TCP and UDP connections. 

I talked briefly about it in the previous tutorials, but you might need to know a little bit more in order to understand how these scans work. But it is not that complicated, and then the scan finishes with only "ack." 

I don't have where to write it, but that is basically the three-way handshake. So it is syn, syn-ack and then once again ack.

Why is it called three-way handshake? 

Because it is consisted of three parts as you can see right here syn, syn-ack then once again just ack. 

So the -sT option in Nmap performs all of these three and therefore it can be detected on the target machine as you perform the full connection on the system. But it is also a more accurate option for scanning. 

Since if you were to complete only the syn it won't be able to gather as much information and as accurate information as you will be able to gather with the full TCP three-way handshake.  

So, if you want your target to not be able to detect you, you shouldn't be using the -sT since it is very detectable as I said, since you use the full TCP handshake. 

Let me just type here "nmap -sT" and then we can just type here the 192.168.1.8. It will basically give us the same output as this option right here. But here you specified it to use the full three-way handshake. This is the option that will give you the most accurate and precise results. 

Let me just see. Here it is. It finished with the same result as the previous scan so we have one TCP open port. Let me just write it right here, "nmap -sT 192.168.1.8."

So we covered the full TCP connection scan. 

Now, the next thing you want to basically cover is the -sS scan.  So let me just open up here, -sS is only the first part of the -sT.

Let me just explain it a little bit better. As you can see the -sT is a full connect and the -sS is the TCP only syn bit set.  So basically, in order for us to scan, we will only be sending this first part of the three-way handshake.

That's why it is specified as -sS.

The capital S stands for syn right here.

The thing about syn scanning is, it isn't detectable on the target host. You can use that option in order to prevent the target from detecting your scan because it won't really complete the handshake, but it is less accurate and it can also be detected by your IPS.

Now, we will talk in the next tutorial how to avoid the IPS detection and how to avoid some of the defenses that could be implemented into a router, for example, in order to block or send false information on to your Nmap scan. 

So let us perform the sS scan. We will basically type here "nmap –sS" and then the IP address of our laptop or basically any machine or website that you are scanning. This is taking a little longer than the -sT scan probably because it takes a lot longer time in order for it to gather the same information that it gathers while using the full TCP handshake scan.

We will wait for this to finish in order to see what the results are and if they are the same as the -sT option. So while this is running, I will just type here "-sS 192.168.1.8."

Now, while this is 45% okay, while this is doing, let us recap. The "-Pn" option as we said is used when the hosts appear down and "-sT" option is a three-way handshake TCP connection to the host and it is detectable and more accurate. 

The "-sS" scan performs the only first part of the three-way handshake, which is the syn part. It is not detectable on the host, it is less accurate, and it can be detected by your IPS.

So, as we can see, the scan has finished and it gave us the same output as the -sT scan, which is good. We have one open port and we have this service running on it. 

Let us just type here once again "nmap."

There is one more option I want to show you before we finish this tutorial, which is the "-sU" option.  

If we go right here, you can see the -sU option is basically only UDP scan. All of these three options, well basically all of these five right here perform the TCP scan or basically a part of TCP scan as well, as some of these right here. But if you specify the -sU option, it will only perform UDP scan. 

Now, as we talked before, UDP is connectionless and we won't have any confirmation that the packets arrived at our target. It is not consisted of a three-way handshake or basically, it is not consisted of any handshake. 

We simply with UDP just send packets to the other host and hope that they get there intact and whole. So let us just use the UDP scan. We specify the -sU option, U stands for UDP, and we type here our IP address. Let us see how long this will take. As we can see, it won't finish that fast. This is also a slower scan. 

So while that is doing that, let me just write it right here so we can see which ones we covered. My advice would be to use -sT when it doesn't really matter if hosts detect you, and if you are performing a penetration test for example where the target shouldn't be able to detect you, you can use the –sS scan. 

Or you can use some of the options for scans that I will show you in the next tutorial in order to make your scan even less detectable. 

Let me just see where this is at. It is at 62%.

So I will cut the tutorial right here, and I will show you the output of this command in the next one as well as some of the other options that we will cover. 

I hope you enjoyed this lecture and I hope to see you in the next one.

Bye.  

Scanning! - Nmap Bypassing Defences

Hello everybody and welcome back. 

Before we begin with the options for this part of the tutorial, I just want to show you the output of the previous scan that we did. 

As we can see, it discovered a port that is different from the port that these three previous scans got us, which was the port I believe 5357 or something like that, which was a TCP port. Instead of that, we got a UDP open port netbios - ns which runs on 137 on our laptop machine. 

So, you might notice that the UDP scan basically just gives you the output for UDP ports, which makes sense. It will basically give you any UDP port which is open. 

For example, it could be this netbios, it could be your DNS or anything that is running over UDP. This option right here will give you open UDP ports. 

Now that we covered that, we covered basically the full three-way TCP handshake. We covered the syn, only the first part of the three-way TCP handshake and we covered the UDP scan. 

So now that we covered all of those options, I want to show you how you can avoid some of the defenses that your target might have and how you can avoid your IPS. 

The first thing you might want to do, if your target is blocking your Nmap or you can’t get any output, for example, you can try the "-sA" option. 

Now, as I said in the previous video -sA is listed where TCP scans are since the A stands for ACK, which is the last part of the three-way TCP handshake. As you can see right here, it is the third option and it stands for ACK.  

I deleted this drawing that I did before, since it was really bad. Let me just draw it once again. It doesn't even matter. This is the PC A, this is the PC B, and from A we want to scan B. 

But let's say you try to perform a three-way TCP handshake. So it goes like this, then this machine sends syn-ack and once again you send ack right here. This one last is only the ack.

I really do encourage you to read more about TCP handshakes since this can be a little bit confusing if you don't know what I am talking about. But basically, the method behind this is the -sA which is only the last part of the TCP handshake can be used to bypass some of the rules of your router.

For example, if there is a rule that allows syn packets only from the internetwork. What I just said is basically let's say this is some website that will only allow the full three-way TCP handshakes or syn packets, which is the first part of the TCP handshake only from the internetwork. So basically only from the machines that are on its local network. 

You, as someone coming from the Internet trying to send a syn packet to the machine being outside of your local network, you will get blocked. If that rule really exists on the target machine, you can trick it by sending only the ack which is the last part of three-way TCP handshake, which will trick the router or the website to think that it is an answer to a previous syn bit set.

Let's say this router is connected to some of the other devices on its local network. Now, pardon me for my really bad drawing right here, but basically, this circle right here is representing the internal network of this machine and it will only accept the three-way handshake or syn packets syn bit sets from the machines that are on its local network. 

You, as someone coming from the outside and trying to send the syn packet, will get blocked. So if you only send the ack packet without sending the previous syn packet or bit set, it is not a packet, it is basically a bit set from the TCP packet, it might trick your router to think that this ack is an answer to a previous syn bit set that some of the local machines sent.

So, in order to do that, you just type here "nmap -sA" and then the IP address of your router. Let me just type here also. So basically, you use this option if there is the blockage of syn bit set on the target machine. 

This is not that common to see, so you won't be needing it that much, but it can happen. 

Now, the next thing you might want to specify is the source port that your packets are going in from. 

By default, the Nmap sets the port, which is your port from which you send the packets to the machine. It can be any port. I believe the Nmap specifies it randomly at the beginning of the scan.

It can be a problem in case where the target only allows the packets from the specific ports. 

Now, what I mean is, let's say, for example, you run an Nmap scan from this machine and it basically uses the port 333 for the outgoing scan, which is a randomly assigned port for your machine. 

But once it gets to the target machine, there is a rule on the target machine that this port will only accept packages from the ports, for example 80.

So, your packages no matter which type of option you specify whether it is the UDP scan, the ack scan, the syn scan or the full TCP scan, it will get blocked since your packets are not coming from the outgoing port which is port 80.

In order for you to be able to scan this target, you need to specify the port which it allows the packets to come from. It will usually be some of the known ports which is, for example, port 53 for the DNS, port 25, port 80, port 8080.

It can be any of those widely known ports. But it can also be any other random port, so you will need to find it out by yourself. Once you do find out that by yourself, you can just type here the source port and then the number of the source port.

For example, let's say the source port is 80, and then we type here the IP address of our target machine. As we can see right here, “IP address [0 hosts up]”.

Not really sure why that happens as we can see right here, “Host seems down. If it is really up, but blocking our ping probes, try -Pn”

So, let us just try "-Pn" which we covered in the previous tutorial, but for some reason, it doesn't want to show us that the host is up. Let me just see right here if I correctly specified this option, source port. I believe it is, but let us check once again. 

Where could it be? 

“Timing.OS detection. Script scan. Service Port. Exclude ports. Port ratio, fast scan ports don't randomize.” 

Now, maybe they changed this option. I thought it was "source – port" and it didn't give us any error, so I believe it still is, but for some reason, our host is appearing to be down. We won’t be really wasting our time on that. 

So basically, let us recap. You use the "source - port" option when your target is only allowing packets to come from certain ports, for example, as we saw 80. Let me just write right here "source - port 192.168.1.8" and let us continue to the next step in order to bypass some of the detection problems which could be the data length. 

Now, the Nmap by default sends packets of specific size. I'm not really sure what the size is, but I believe it sends the same sized packets every time. So some of the defenses today have rules to deny packets that are of standard Nmap size.

Basically what that means is that Nmap every time when it sends packets it sends them with the same size and if someone has a rule specified or knows that Nmap exists, it can make a rule that says basically block any packet that is the size of the standard Nmap packet. 

Now, to bypass this detection system, you can configure different packet sizes with the option "data - length."

Let me just type here normally. Let us try that one out. If we type here "nmap" and then "data - length" and we specify for example 50, and we type here the IP address, it didn't give us any error so it means that the syntax of the command is correct. 

This is taking a little bit of time. It should give us the correct output once it finishes, so let me just type here the data length 193.168.1.8. 

Now, of course, you don't have to specify only this option once you scan. You can specify a bunch of options including this one. You can basically use all of these three, for example, to combine into a scan which will bypass all of these three detection problems, which the first one is the blockage of syn bit sets, the second one is blockage of specific ports, and the third one is the blockage of the Nmap standard packet size.

So we will cover one more in order to bypass the detection and defense. Right here we have the output of the scan. As we can see, it performed correctly and we have one open port which is TCP and the servers running is WSDAP.

Let us continue on to the next one, which would be the spoofing of your MAC address. 

Now, long ago, in one of the first tutorials we covered how to change our MAC address. You can use that as well, but the Nmap gives us its own option to spoof our MAC address. As we can see, if we type here "nmap," I believe it will show us the option right here. Not really sure if it is listed. Yes, it is. It is right here.

We can also see the data length command and the source port. As we can see, I forgot where this option was. Let me just try here with "-g" as it says that it is same as source port. It didn't work for us, so let me just type here "nmap -g" and then port 80, then 192.168.1.8.

Let us see if the host is up right now, and it is up. So basically instead of this option "source port" you can use "-g" and specify the port of course. So that's good. I didn't know that existed, but let us not care about that at the moment. 

At the moment, we want to spoof our MAC address with this command. As we can see the syntax is "spoof - mac" and then we add the MAC address right here. You can add other options as well as prefix, vendor name, but we will just type here the MAC address. We can see that the description for this option is, “Spoof your MAC address,” so let us do that.

The source port scan finished, so let us just clear the screen and type here "namp — spoof - mac."

I believe that was the option and you type your MAC address that you want to fake. Let me just save this and to show you. Let us use the Mac changer. We covered it before. You type here "show" and then the network interface in order to see your current MAC address.

So this is the format of the MAC address. You can see it is divided by two dots and it is consisted of 6 parts that are basically divided by these two dots. So you can just type here "22:33:44:55:66:77."

We right here type the IP address of our host of our target. As you can see right here, it says, “Spoofing MAC address 22:33:44:55:66:77(No registered vendor)” and, “Host seems down. If it's really up, but blocking our ping probes try -Pn.” 

Now, for some reason, it seems that the host is down with that option. It could be because we didn't really specify these two options, but I doubt really. We won't really bother with that right now. I just want you to know about that option. 

For example, it is used if this machine right here allows the packets to come only from certain MAC addresses. It can be used as a blacklist or as a white list. This machine can have a blacklist where it blocks some of the MAC addresses and some of those could be yours as well. Or it would have white list where it only allows certain MAC addresses.

Now, most likely it will have a white list where it will allow only trusted devices with their MAC addresses.

In order for you to be able to send packets to this machine, you need to spoof the MAC address of a trusted device from this that this target machine has specified in its white list. Once you do that with the "spoof - mac" option, you will be able to send packets and receive packets from the target machine. 

Let us type right here "Spoof - mac." Then, you basically just type here "33:44:55:66:77."

It doesn't have to be this MAC address. You can basically specify an address you want. Right here you type the IP address of your target or the hostname. It doesn't really matter. So that would be about it for avoiding defense and IPS. 

These four things can be useful if your target specified some of the rules in order to block your scans. But you will find out that rarely targets use any of these rules to prevent you from scanning them. But if it happens, you can use these options that we covered in this video. 

Now, in the next video, I will show you what Nmap scripts are, how to get to them and how to use them. 

So I hope you are enjoying this tutorial and I hope to see you in the next one. 

Bye.  

Scanning! - Nmap Scripts 1

Hello everybody and welcome back. 

In this tutorial, I will show you some of the advanced use of the Nmap, which is basically using the scripts that are already pre-installed in Kali Linux. 

Now, scripts can be used for anything like to discover SSH host key, to discover some of the vulnerabilities, to SSH brute force, to basically do a bunch of things. As we will see right here, there are a bunch of scripts that are already in our Kali Linux machine.

First of all, in order to get to them, you just want to change your directory into the usr/share/nmap. If you go into that directory and type here "ls" you will see a subdirectory called "scripts." 

Now, let me enlarge this right here. 

So, if you change your directory to scripts and type here "ls," you will see that it will print out a bunch of these .nse files which are basically the already preinstalled Nmap scripts that you can use for basically any type of scan you want. 

Let me just show you first of all how to use them. So if you type here "nmap" you will see the "script" option, which is right here. Basically, you type here "=" and then the name of the script. It is as simple as that.

So in order for you to use the script, you just specify this option, then =, and then you specify the name of any of these files right here, which are basically scripts, and you run them on your target IP. 

Now, we will try out one of the scripts for now on, which will be the SSH brute force, which will be also one of the first active attacks on the target. It will basically brute force. It will try out a bunch of passwords for the SSH on our target. 

Now, for that target, you can use any of the virtual machines you want. You cannot use the "scan.nmap.org" website as it says, "Do not try the website to brute force SSH on the Nmap website."

So, you want to either run your Metasploitable, which I showed how to install in the previous videos or you can basically run any other machine that has the port 22 open. 

Now, in my case, I will run OWASP, which I will show you how to install in some of the next tutorials. For now on, just use your Metasploitable since it also has the SSH port open. So let me just wait while this opens right here. 

It doesn't take long. It will basically prompt me with username and password soon. It's pretty similar to the Metasploitable. This is just a virtual machine that runs a bunch of the vulnerable programs on it. 

As you can see, “Starting AppArmor profile, starting PostgresSQL database,” and a bunch of this other stuff. This is the machine that we will use in the next section, which would be "web pen testing." 

Let me just log in right here. We don't need this anymore. We just need to find out what the IP address of this machine is, which is 192.168.1.7. 

So, if we only scan the codes for now on with the Nmap, we do a basic scan, you can see that it finishes relatively fast and it gives us a bunch of these ports open. Only TCP ports. As you can see, we have the 22 TCP SSH ports open. 

Now, while scanning Metasploitable, you should also have this port open. As long as this port is open on the target machine, you can run the scan.

So the script that we are looking for, we want to find the SSH script so in order to narrow our options let us just type here "ls" and then we pipe that into grep SSH. 

It will only show us the scripts that have SSH in their name. Now, we can use any of these, but for now on I will just use the "ssh-brute.nse."

We copy the name of the script and in order for you to run the script you type here "nmap - - script =" and then you paste here the name of the script. You can just copy paste it from here, and then the only thing you need is the IP address, which is 192.168.1.7 and just press here "Enter."

As you can see, it started brute-forcing our target. If it finds the username and password, you will be able to SSH into that machine and basically do anything to it. This is a very serious attack and it can get you into trouble, especially if you find out the password and actually login into that machine and start changing stuff.

So, only use this on the machines that you do own. 

Now, for this specific machine, I don't think it will find the password, but we will just leave it running just in case. I don't think that the password and username is stored in this list that it is using in order to brute force the SSH target. So this can take some time. It depends on the list that you use. 

So let me just close this right here since I thought it would finish a little bit faster. It doesn't matter. I will just type here "CTRL + C" in order to close and we start the brute force. 

Now, let's say once again we want to find that and you want to change the password list. As you can see, it has the specific password list that it uses in order to brute-force the target.  

So what you want to do is to nano the script that you are using, which in my case is SSH brute and what you want to change right here is the option where it gives us the password list.

Now, I'm not really sure where that is. I believe it is right here usage. It's right here. So pass.list. I believe you change that and it will change the password list that you are using. 

You can also change the port, which is 22. Basically, SSH will most likely always run on the port 22. But there are cases where people run stuff on the other ports just to prevent the attacks. You might be needing to change that as well.

Here you can see that the port rule is 22 and SSH, you basically just change the 22 into any port number you want that runs SSH on it, and you will be good to go.

So, if there are any other options that you want to change right here, you can change it in the file itself. If it requires that the port and the password list, and once you do that you just type here "CTRL + O" to save and enter, to save under that name, and "CTRL + X" to exit, and you will be good to go. 

You can run the script again and it should change your password list and port number. Let's say for example you want to find out the SSH host key for that particular machine. We just copy, which isn't really useful, but let's just try it. Why not?

 So "nmap - - script = ssh - host key" and then the IP address of our target machine.

As we can see, it gave us the SSH host key, which is basically just this DSA and RSA. It really isn't that useful, but sometimes it possibly could be. You can experiment with all of these scripts right here.

In the next tutorial, I will show you how to download some of the scripts online from the GitHub repository that we will use in order to scan for specific vulnerabilities. 

Let us just recap.

In order to get to the scripts folder, you just go to the user share nmap scripts directory and the syntax is basically "nmap - - script =" then the name of the script itself, and you just specify the IP address.

That's about it for this tutorial. It was rather short. In the next one, we will download some of our own scripts. 

So I hope to see you there and take care.

Scanning! - Nmap Scripts 2

Hello everybody and welcome back to the last part of the Nmap scanning tutorials. 

Now, in this tutorial, we will download some of our own scripts and we will run them against our target in order to discover some of the vulnerabilities it might have. 

Once you finish this tutorial right here, you will know more than 80% of people that use Nmap. It is really essential for you to get these tools right, so you can perform your scans at the best.

So, first of all, let us change the directory to the Nmap scripts directory. 

It is usr/share/nmap/scripts.

If you type here "ls" we have here a bunch of scripts and mostly these right here, which is "cve 2015," and then some number are certain vulnerabilities that were discovered in the age of this number.  

Basically, this one was from 2017, this one was from 2015, and so on and so on. But we want to discover all of the vulnerabilities that could occur in a certain target. So for that, we want to download some of our own scripts. 

So just open up Firefox and open up a new tab, and just type here "vulscan GitHub." Once it loads up the page, we want to click on the first link, which will lead us to the GitHub repository for this script. So just click here on the first link and here we are on the GitHub repository of this Nmap vulnerability scanner.

As you can see right here, we have the usage, which we will cover after we download this script. 

Now, in order to download this, I already showed you in the previous videos, you just copy the link right here and we will use the Git program that we already installed. Let me just change my directory and it's not there it is in root. 

So that's about it. 

Let us just delete these two files from previous videos. We do not need them anymore. We want to type here "git clone" then we paste the link that we copied, and then we add ".git."

Now, it will take some time to download this and once it finishes we will have our script installed on our Kali Linux machine. I believe it will finish. Yeah, here it is. If we type here "ls" we can see the vulscan is right here as a directory.

In order to go to it, we just type here "cd vulscan" and we can see a bunch of the files that we got with it. But this isn't the only program I want to install. Right now we want to install another script.

So open up your Firefox once again, add a second tab and just type here "nmap vulners" and then once again type here GitHub. It will once again lead you to this page and you just want to click here on the first link, which is from the GitHub website. The procedure is same so you just copy the link of the page, go to your directory. 

Let me just go one directory back and make sure that we are in the same directory where vulscan is and just type here "git clone," paste your link right here and add ".git" to it. It will also download the script into our directory and we will be good to go. 

As we can see, this one has finished faster than the previous one. So right now we should have both of these scripts in our directory. We can see right here that we have Vulscan and we also have Nmap vulners. 

Now, let us make a directory "Nmap scripts" in order to put them both into that directory, so we don't have them like this right here. Let me just move Vulscan into "Nmap scripts" and move the Nmap vulners into "Nmap scripts."  

Right here, we should only have the Nmap scripts file and if we change our directory to it, we will have our both scripts right here. So now that we downloaded them, we can run them.

In order to run them, we use the same command that we used in the previous video. 

So "nmap - - script" and right here instead of typing the "=" sign, which we would use in order to specify one script, we want to remove the "=" sign and just put here space and just type here "vulscan" and "nmap vulners."

As we can see right here, we specified two scripts instead of one and it will use both of them in order to discover the vulnerabilities. So after this, we want to add "- sV" in order to discover the version of the services running on open ports.

Right here we want to also add the IP address of the target. Let me just check once again what was the IP address of this target. It was .1.7.

So here we type on 192.168.1.7 and we let this run. Let me just enlarge this. This could take some time, but not too long. It should finish relatively fast and it will print out a bunch of the vulnerabilities that it found on this target. 

Now, I know that this target is vulnerable since it is made vulnerable in order for us to test it. We can see that we got a different output from previous scans. Here we have open ports and these vulnerabilities, as it says right here, if you see no findings it means it didn't find any vulnerable on this specific port and basically uses a bunch of these websites in order to scan for the vulnerabilities. 

And if we scroll up, we can see that on the TCP open port, which is running Apache, it found a bunch of vulnerabilities right here.  

Now, you can test these scripts on your own machine in order to find out if your PC has some of the vulnerabilities. But basically, even mine has some of the vulnerabilities that go up to 5, sometimes 7.5. But mostly these aren't so dangerous, these that are low numbers. This is basically a mark for the vulnerabilities. 

So if it is 1.2, it is a really small vulnerability, but it is still there. And if it is 10.0, it is basically an easily exploited vulnerability. So if you just find something like this, you need to update your device as soon as possible. Or in this case, Apache II since it is found on the port 80.

Let us just see if there is anything else and we can see also on the SSH port it found some of the vulnerabilities which aren't so highly rated, but they are still there. Also, once you find something like this, you can basically just copy this link right here, which will lead you to a page on Firefox. If you paste it, you just open a new tab and paste the link from the vulnerability and it will open up the page where it will describe in greater details the vulnerability that it discovered. 

So here we can see the mark, which is 10, the access complexity is low, the confidentiality is complete, the integrity is complete and the availability is complete.

In the description, you can check out what the vulnerabilities, which in this case is modules/arch/win32 something, something, something. Let us just not read all these numbers.  

“When running on Windows does not ensure that request processing is complete before calling isapi_unload for ISAPI.dll module which allows remote attackers to execute arbitrary code via unspecified vectors related to a crafted request, a reset packet, and orphaned callback pointers.” 

Now, this is basically a vulnerability and if you wanted to exploit it, you would basically just copy the name of the vulnerability, which in our case is this one. So just copy and you can just go on to Google, then paste that vulnerability and type here "exploit." 

Then you can hope that you will find something or someone that already has written an exploit for this vulnerability. We can just try to find it. We can click on any link and try to find if anyone has written any exploit for this. 

Now, we do not want to go right here. There probably is something, but we won't really spend so much time trying to find it. I will just check out some of the links right here.

"I agree." Whatever. Let's go.

So, available exploits. We can just check here available exploits and we have the module name for the Metasploit program that we haven’t still covered, so we won't be showing it right now. But it is basically an auxiliary module which allows us to scan the vulnerability that we just discovered in the Metasploit framework. 

Now, we can also try to find the vulnerability with the name of the vulnerability itself, not like this, but like this "Apache mod_isapi" exploit, and you can try to find something.  

Let us check right here and here. We found something which is basically a C++ program that probably exploits this vulnerability. So here it is. You could just copy this entire program and just paste it into a C++ file, compile that file and run it, and you would exploit the vulnerability. 

Of course, you will need to change some of the certain things right here like ports, IP addresses and so on. But if you wanted to, you could do that. Not really sure what it would give you, but I believe it will give you a reverse shell. Not really sure what this vulnerability is, so we won't be exploiting it right now since it requires an auxiliary module from the Metasploit framework.

For now on we will just leave it on here where we have all of these scans completed and you can also try to research all these other vulnerabilities and see if there are any exploits written for them that you can use. 

We will cover the exploitation in some of the future lectures. For now on, we just wanted to see how we can scan the target for certain vulnerabilities and we did that, so that's about it for this. 

Now, before I close this lecture and close the Nmap lecture, I just want to show you that there is another tool that you can use if you want to. It is basically almost the same as Nmap and it is almost the same code which is Amap.

The Amap is also a scanner, the difference is basically in just one letter. It has some of the different syntax for the scanning part, but if you want to you can check it out. I won't be covering it since we covered a bigger tool, which is Nmap and more useful tool.

You can check out some of these options by yourself and you can use this as well if you want to. But that would be it for these Nmap tutorials. If you learn all of this stuff that we covered in the previous videos, you will be having some of the intermediate to advanced knowledge of Nmap. 

Now, maybe in the advanced section, we will learn how to write some of our own Nmap scripts, which will boost your knowledge about Nmap even more. 

In the next video, I will show you how to install the OWASP virtual machine that we will use for the web penetration testing. It doesn't take that long. It basically takes a few minutes. It might be taking longer to download since it is around I believe 1.5 gigabytes or something like that. 

But once you download it, it will take only a few minutes to install, and then we will start web penetration testing which will be a longer section since there is a lot to cover and I hope I see you in the next lecture and take care. 

Bye.  

Web penetration testing! - Installing Owasp

Hello everybody and welcome to the website penetration testing section. 

Now, before we begin with explaining some of the basic terms and things you will need to know, let me just show you where you can download the intentionally vulnerable virtual machine that we will use as a web pen testing machine. 

You just go open up your Google Chrome and type this link into your search bar which is https://sourceforge.net/projects/owaspbwa/

When you type that, it will lead you to this page where you basically just click here on the download. Once you click here on the download, it should start downloading the 1.7 gigabytes large zip file, which will take some time to install, but once it does the process of installing the virtual machine itself is rather easy and fast. 

Since I have already this zip file installed on my Windows 10 host machine, I will close this installation process or downloading process. You just wait for it to finish and you will basically end up with this file right here, which is the "OWASP_Broken_Web_Apps VM 1.2.7z."

The file as you can see is a WinRAR file and it is zipped. It is the size of 1.69 gigabytes. Once you get this file, you want to extract it. So just extract it to any folder you want and you will get all of these files right here.

Now, you might be asking, why we have all of these VMDKs right here?

Well, we only are interested in the first one, which isn't any type of s001, 002. You will use only this one. I will show you how to make the virtual machine right now. 

So open up your virtual box once you have extracted all these files, you just go here on the new and you type here the name of your virtual machine. You can name it OWASP if you want to. 

Here you pick the Linux, and here you pick the Ubuntu 8 64-bit. So find Ubuntu 64-bit and just type here next, “Cannot create the machine folder OWASP in the parent.”

Okay, so I already have this machine. Let me just type here "OWASP1" and here you can leave it on 512 megabytes. It doesn't matter. So just click here "Next" and under the hard disk you go to the "use an existing virtual hard disk" and you try to find it. 

Let me just show you. If you open up the extracted folder, you want to click on the first one, which is the "OWASP Broken Web Apps -cl1.vmdk." 

You pick that one and click here "Open" and choose. Once you choose that, just click here on "Create" and you created your virtual machine. In order to start your virtual machine, just click here on "Start" and basically it will finish the process of installing the virtual machine by itself.

We will just wait for it since it doesn't take that long. After that, it will prompt you with the username and password for the virtual machine, which while this is installing, let me write into the notepad file.

So the username will be "root" and the password will be "owaspbwa."

Once it prompts you with the username and password just type these two right there. 

Now, this also as well as Metasploitable is not a GUI machine, it is basically a command-line machine so you will only be able to execute commands from here. As we can see, it prompted us with a login. So, owaspbwa login, type here "root" and as a password type here "owaspbwa."

Once you do that, it will log in into your command-line and the only thing we want to do from here is basically configure our IP address in order to be a part of our local network. 

Now, be careful that you don't expose this machine to the untrusted network as it is a machine full of vulnerabilities.

So if you can just keep it on host only or on the net. But in my case, I will just put it on the bridged adapter since I will perform scans from another virtual machine that is also on the bridged adapter. 

We want to make them both belong to our local host. So in order to do that, first of all just close this machine. You need to close it. Type here "Okay," go on to these settings for that virtual machine. Basically, we just do the same thing that we did for our Kali Linux, go under "Network," find bridged adapter and choose your network interface. 

Once you do that, also make sure "Cable connected" is checked and click here "Okay" and you are set to go. So right here, if we open up our machine, I will show you what things we get from it. In the next lectures, I will teach you some of the basic stuff you need to know in order to continue web pen testing. 

Now, just wait for it to boot up and once again it will prompt you with username and password. Once it does that, we are good to go. Our machine is up and running a bunch of vulnerable programs that we can pen test. 

Here you can see it is starting a bunch of the programs, "Tomcat web server" and here it even says, “In all these cases you can use root as username and password owaspbwa.” 

In case you forgot, you can just read it from up here and type here the password and it will log in to your command-line. So if we type here once again "ifconfig" we will have IP address of 192.168.1.9 which belongs to our local network.

Now, let me show you what happens when we visit that IP address. So just go onto your Kali machine or from your host machine. It doesn't even matter. Open up your Firefox and type here the IP address of your virtual machine.

It will lead you to this page and you will see a bunch of these options right here, which you can click on. For example, if you go to OWASP right here, you will get a bunch of, as you can see, “Malicious file execution, information leakage, inproper error handling.”

This is just a bunch of programs running for you to test. We will cover most of them, not all of them since that will take a lot of time, but most of them. You can even see some of the login pages as we can see, “Authentication required.”

We have no idea how to get in here, but we will find out soon enough. As we can see, "Apache Tomcat," it gives us the version a bunch of vulnerable programs that we will test in the future videos. But until then, you can experiment and see what kind of things we have right here. 

We will pen test them later on after I finish explaining some of the basic stuff you need to know in order to continue. So this is it for this lecture. We will cover the HTTP protocol in the next lecture and I hope I see you there. 

Take care.

Web penetration testing! - HTTP request

Hello everybody and welcome back. In this tutorial, we will cover some of the basic terms that you need to know in order to understand better the things we will cover in the web penetration testing section. 

Let me just open here Leafpad and enlarge it a little bit. First thing, what I want you to know is basically some of the most basic terms which is for example HTTP.  

Now, we already covered what it is in the basic networking terms and basic ethical hacking terms, but here we need to cover it a little bit more in details. 

HTTP is a HyperText Transfer Protocol.

It is basically used on all of your website pages. As you can see, if we open up any page you will either have an HTTP or HTTPS right here. As we already said before, the difference between these two is that HTTPS uses SSL or TLS encryption in order to protect your files from anyone trying to interfere with your Internet connection. 

Basically, if this was an HTTP website without the S, anyone that is putting himself in the middle between me and this website can basically read all of my information. 

For example, if there was a login page right here as we can see "login" right here and if I type here my username and password, he could get them in plain text. While as with the SSL and TLS encryption all my data would be encrypted and he wouldn't be able to get anything out of it.

That is another thing that you can check every time you log in somewhere, for example, your Facebook page, your Instagram page, any page basically today shouldn't be HTTP. 

If you open up a page like Facebook and it says right here only HTTP, it is most likely going to be a fake Facebook page and someone is phishing for your credentials. So that is an important thing to know. 

Also, the next thing I want to tell you about is the HTTP headers. 

Now, we will cover HTTP headers in great detail later on with our Burp Suite tool, but for now on, there are basically two things you need to know, which is what is an HTTP request and what is an HTTP response.  

We will cover the HTTP requests right now. 

Let me just open up a picture that I downloaded, which is basically a request header. It will show you how an HTTP header request looks like and we will cover some of the parts that it shows. Basically, let us just open this picture first.

This is a typical HTTP request header. Let me just enlarge this a little bit so you can see it better. As we can see, there are a few stuff right here that we need to know about. First of all, what is the HTTP request?

Well, an HTTP request is basically every time you type here "google.com" on your Firefox. You just open here and type "google.com," it will perform an HTTP request for this page.

Now, what I mean by that is, we as clients request a page and the server sends us back the page with the HTTP response. That page contains the HTML, the HTTP response, and so on and so on.

Now, basically the HTTP request says some of the options right here that I will explain right now. The GET part right here is an HTTP method which basically references to the website that we tried to search.

So if we try to search "google.com" right here, it would type "GET google.com" since we tried to get that website. It is simple as that. You just translate this into English and basically, it just asks to get that page from the server.  

The protocol right here, which is HTTP/1.1 is just a current version of HTTP and the path as we can see right here is the current path that we searched.

For example, as you can see right here, the path would be /projects/owaspbwa. That would be the path if we searched this page. The host would be the server that we search for. 

The host will be the name of the website that we typed in our search bar. In our case right here, sourceforge.net would be the host. The user agent is basically what server uses to identify every client.

So with an HTTP request, we sent to server also some of our own information like what kind of web browsers we are using, which in this case is Mozilla 5.0.

What is our operating system? 

In this case, it is Windows, and so on and so on.

So basically, the user agent is ourselves with our web browser. Here we can see "accept text" and "HTML."

Basically, here we specify as a request what do we accept from the server in return. We basically accept the HTML page, which is most likely what we are going to get.

Let me just show you.

The HTML is basically a code that you use to write these websites. You can check out the HTML code of every page with right click on the page and check the source code. Once it opens this up, this is basically an HTML code which starts with head, body, and so on. It has a bunch of things, it's not really that hard to learn, and it is the essentials of every website you visit, so it's good to know that as well.  

So let us get back to our HTTP request. The accept-language as we can see right here is basically the language as it says, “English-US, Accept encoding, gzip, deflate," so we do accept encoding. There are certain attacks that we can use in order to remove this encoding and basically get the file in plain text.

Accept-charset, which is "utf-8."

So keep alive: "300, connection: keep-alive."

There are a bunch of these options that we don't really care about, but the one that we do care about is the cookie. 

Now, what is a cookie? 

A cookie is basically a temporary value that is used to keep our information about the current session that we are having. Without cookies, the server would after every request forget who we are and wouldn't know what we searched, for example, or what our username and password was.

Or basically, it wouldn't know who we are in the previous requests. The cookie is stored on the server and it basically has all the information about our current session.

We can see the PHP session ID and this is basically the cookie itself. It is a random number. It is also one of the main points of the attacks. As we can see, if we were to change this cookie value to something else, we would be logging in into a different session, which could be potentially dangerous.

There is another option right here in the HTTP request headers that isn't listed right here and it is the authorization.

Now, with this parameter HTTP enables the identity check of client.  

For example, if I log in into my router, this little window that will pop up right here is basically authorization. This is how my router checks the identity of me. If I know the username and password, I can log in, if I don't know the username and password I can't log in. 

So those are some of the basics of the HTTP request headers. There is also some of the other things you should keep an eye on, which is session tracking with cookies.

It is an important one as I said. 

Also HTML, you need to know what HTML is, which most likely you do. It is a code that is basically used in order to create websites. As we can see right here, this is HTML code and that is about it for the HTTP request headers.

Now, I will also discuss the HTTP response headers, which are similar, but basically, an HTTP response is as it says, a response from the server to us. So the HTTP request is what we send to the server and the HTTP response is what servers send back to us. 

We will discuss that in the next tutorial and I hope I see you there.  

Web penetration testing! - HTTP response

Hello everybody and welcome back. 

In the previous lecture, we discussed what was an HTTP request and right now we will discuss what an HTTP response is.

As I said, they are very similar. The response is basically what the server sends back to us. For example, when we send an HTTP request with the GET, and then the name of some page, we basically want the server to send us that page back.  

It will send us the HTTP response with the HTML code of that server, and that's how we load the pages.

Let us see the basic structure of the HTTP response. Here I have a picture and let me just enlarge this a little bit. As we can see right here, the upper part is the header of the HTTP response.

As I said the HTTP response is consisted of two things, which is the header and the body. In the header, we get this information about the server and in the body, we basically get the content or the web site HTML code, which is basically just the page itself.

So the HTTP response starts with the protocol, which is currently version 1.1 and then the status code. The status code basically represents the 200 right here. As we can see, it represents that the operation was successfully done.

Now, you can also have some of the other codes right here, for example, if the number starts with four that means that you have a certain error in a request. If the number starts with five, there is an error. But this is not an error on the client side, this is an error on the server side.

So the 400, and then some number is the error in the request side or on the client side. The 500 and then some number is the error on the server side.

Also as I said, 200 means that operation was successfully done and the 300 means redirection of the website.

So, for example, you try to visit some of the websites and it redirects you to another website, that will be specified with the status code of 300 and something. 

Now, there are some of the things that we need to remember right here. 

Today, it doesn't really matter to us that much. The server is basically important since it gives us the version and type of the server itself. As it says right here, it is "Apache 2.0.63 Unix" and it is useful for us attackers because we basically get the version of the server.

We can usually just paste in Google and try to find any specific vulnerabilities for that version. Today, some of the websites even leave out this option right here in the HTTP response just because it is so valuable to the attackers. 

But most of them still have it, so we will be using this option as well in order to try to find and gather some of the other vulnerabilities for that specific version of the server.

The next thing we are interested in is a thing that isn't really specified in this HTTP response, but it's basically a set/set - cookie option.

It is the server that is setting a cookie value for ourselves. So it is basically sending a cookie value that it assigns to my machine in order to track my session. It is also an important thing. Here you can see that the header and the body response is divided by this blank line.

You don't need to remember it like that, you can basically just remember it as in the content or in the body of the response. It will be an HTML code, which is easy to recognize with these arrows. It basically always begins with these arrows and closes with these same arrows. 

So you will easily know what the HTML code is.

Now, that is some of the things that you need to know from the HTTP response.  

But before we continue, there is another thing that I want you to know, which is the HTTP methods available. Let me just open my virtual machine, let us just log in. 

Now, we covered one method already in our first HTTP request video. We covered the GET method. So basically when I type "google.com" or let's say "facebook.com" I send an HTTP request with the GET method, which basically just requested from the server this page.

There are a few other methods for example: POST, HEAD, TRACE, BOOT, DELETEa  options. Those are all bunch of the methods that you can send to the server. The most important for us would be the GET method, which we already covered and is just requesting the website, and the POST method. 

Now, the POST method is basically us sending some of the information to the server. You might be asking what kind of information do we want to send?

A simple example would be us sending a username and password. It is done with the POST method. So let me just open up the picture again. We opened the request header and here we can see the GET method.

Now, instead of the GET if we did a POST request it would type here POST.

So basically just POST.

The POST request would be if we, for example, on email type here "anything" and pressed here "Log in," this is us sending a POST request.

Now, I will explain it a little bit further once we get to the Burp Suite configuration since it can be a little bit difficult to configure first time. So I will lead you through that process, but let me just for now close this and show you how you can scan with the things that we did learn already, the available HTTP methods on a certain website.

So for example, you want to scan a website and see if there is a POST method available, HEAD method available, DELETE method available or any other method, you can do that with a simple Nmap script.

We already covered Nmap before, so let us just go into our scripts folder, which is under this path right here usr/share/nmap/scripts.

What we want to find is the HTTP method script. So let me just type here "ls" in order to list the methods try to grep the HTTP. 

Yes, I forgot the command "grep" right here. As we can see, there is a lot of them, so let me just type here "ls grep" and then method. Maybe it lists less options. As we can see, there it is and this is the script that we want, which is "HTTP - methods.nse."

So in order to run that on to our OSWAP virtual machine that I showed how to install before, let me just check here the IP address, it is .1.9, so we just write here "nmap" and then "- - script" and then "=."

Now we will copy the script name, paste it right here, and then we will specify the ports that it should scan.  

So it shouldn’t really scan all of the ports.

It isn't necessary. We know that the HTTP ports and HTTPS ports are 80 and 443.

Now, we will also add the port 8080 since it can be relatively commonly used as an alternative port to 80. So let us just type here "- p" for the ports and type here "80" which is the HTTP port, "443" which is the port for HTTPS, and port "8080."

At the end, we want to specify our IP address of the target, so it is .1.9. Now, let this run. I'm not really sure how long it should take. It should finish relatively fast. Here we go, and we can see that it gives us the output port 80 TCP open HTTP and available HTTP methods.

We can see right here supported methods GET, HEAD, POST, OPTIONS, and TRACE. These are some of the HTTP methods and a potentially risky method is TRACE. So we can see that with this Nmap script we can gather the available methods for any website with the specified port. 

Now, in order for us to view the packets that are going to the website and back, we need to use a proxy and for that proxy, we will use Burp Suite, which will let us see all of our packets that we are sending and will let us change them.

It is also used for some of the attacks such as a simple brute force onto the website, the session hijacking and bunch of other attacks. 

Now, the process of making the Burp Suite as your proxy can be a little tricky, so I will show you how to do that in the next video.

Until then, I hope you are having a great day and take care.

Web penetration testing! - Burp Suite configuration

Hello everybody and welcome back. 

Right now, we will try to configure our Burp Suite in order for us to make it as a proxy and in order for us to intercept our own HTTP requests and responses. 

The Burp Suite which is a program that we will use, is already pre-installed in Kali Linux. If you go on to the applications right here and you go on to the web application analysis, it should be the first one right here.

So if this is the first time for you running it, it might ask you for a root password, you just type it in and you open up the Burp Suite. 

Now, another way that you can open it is through the command line. Here it will say what appears to be a message about the version, just click here "Okay," it doesn't even matter what it says, and it should open up our Burp Suite.

I already configured my Burp Suite, so it works for me. Basically, I will just show you the process, we will need to configure some of the things in our Firefox and also some of the things in the Burp Suite in order to capture our packets.

Here just click on "Next US burp defaults," click on "Start burp" and it should start in a few seconds. Now, what I wanted to say is that you can also run it through a command line with the Burp Suite and it will just open up the same thing right here.

It will use your terminal for it so you don’t have to go to the applications, and so on and so on. As you can see right here, this is the Burp Suite. It has a bunch of options. It is used for us to intercept our own packets.

Here we have some of the options such as HTTP history. Here we will have the websites that we visited in the current session and here you have the intercept. Here you have the option that the intercept is on and intercept is off.

Now, before I cover all of these options, I just want to show you what you need to do in order to get this to work. 

What you want to go to, is go to the proxy, which is the second one from the left, and then below that you want to go to the options, so proxy, and then options.

Here we are interested in the proxy listeners part, but you will have by default this 127.0.0.1 on port 8080, which is listening on 8080 on a local host. 

Now, what you want to do is select that one and basically just click here on the edit. It should open up this small window where you want to specify the port to be *8080. Basically, you can put here all interfaces or loopback only, I leave it on loopback only.

You can also specify a certain address like my current IP address of this virtual machine which is 192.168.1.6, but I will leave it on localhost and on loopback only since I will specify that proxy in my Firefox as well. 

Just click here on the "Okay."

So port 8080, loopback only 127.0.0.1, click here on "Okay."

What we want to do is go to our Firefox. So open up your web browser and where you want to go is basically here on the right, these three lines, open menu and go to the preferences. 

Now, under the preferences, you want to go to the general which is already opened right here by default. You want to scroll all the way down and find the network proxy.  

Here we can see, “Configure how Firefox connects to the internet.” 

What we want to do is basically make our Firefox connect to the Internet through our Burp Suite. Click here on the settings and it should open up this small window. By default, it should be set on "no proxy."

What you want to do is change that to be set on the manual proxy configuration. So once you check that, I believe since you didn't configure it before, it should have only the first one which is HTTP proxy set on 127.0.0.1 on port 8080. 

Now, what you want to do is all of these four you want to set on the same settings, which is basically even the SSL, even the FTP, even the SOCKS host, you want to set all of these four onto the IP address of your local host, which is 127.0.0.1.

All of those four you want to be set on the port 8080. Once you set all of this four to be exactly the same, you want to check here SOCKS v5. It should be checked by default, but if it is not, check here SOCKS v5.

Once you do that, click here on "Okay" and you should be good to go. So, if we click here, setting again we can see that now our manual configuration proxy is set on the local host. 

Now, if you go right here and try to search "google.com" first of all, it won't work for you. It should say something like “Insecure connection,” or something like that. Basically, it won't let you connect to google.com.  

But if you, for example, go to an HTTP website, which I'm not really sure. Let me just find any HTTP website. Do I have anything saved?

Well, we have our web application which is not HTTPS, so you should be able to connect to any HTTP website, but you will not be able to connect to any HTTPS website. 

Now, if you type here any HTTP website and it is loading on forever, what you want to do is go to your Burp Suite and make intercept off. So if your intercept is on like it is right now for me, it won't let you load any page since it will wait for you to forward or drop the packet. 

Let me just show you what I'm talking about. If I refresh this page right here, you will see that this will load forever, it will never load the page. 

In the Burp Suite we can see that it basically gave us some of the HTTP header request header for this website, which is just my virtual machine, my OWASP vulnerable machine, and it will ask me if I want to drop this packet, which means to discard it or to forward that packet to that machine. 

Now, if I forward it and I open right here once again, let me just open up my Firefox, you can see that now it loaded the page because I forwarded the package. 

But if you have that checked on, which means the intercept is on, you want to make it off so you can load the page without forwarding every package. 

So just click here and make sure that the intercept is off.

Now, if I try to reload the page once again, it will reload it normally and open the page. 

We want to also make sure that we can load our HTTPS websites. For me, it works, but for you, it won't work until you install in your Firefox a Burp Suite CA certificate.

Basically, we need to install the Burp Suite certificate in our Firefox in order for our Firefox to look at Burp Suite as a trusted proxy source. 

So in order to do that, first of all, make sure your Burp Suite is running, make sure that you configured the preferences in Firefox. Let me just go once again right here and make sure that this is the same as mine. 

Make sure the Burp Suite is running, if it's not running, this won't work. You won't be able to download the certificate. Once this is the same as mine and once you run the Burp Suite and the intercept is off, you want to go and open up a new tab and type here "HTTP" and then "burp."

Once you type that, it will lead you to this page where it will say, “Burp Suite Community Edition. Welcome to burp suite Community Edition.”

What you want to go on here is on the CA certificate and click on it. It will ask you if you want to download this file, “Do you want to save it?”

Yes, and the file is 973 bytes, so it's not that large. You just click here on the "Save." Once it downloads, you find where you saved it. Let us just find it. I already have one downloaded, so I have it right here. You will only have one of these.

Once you find that you want to go to your Firefox. Again to the preferences, but instead of going to the network's proxy settings, we want to go on to the privacy and security settings.

So once you are there, once you are at the privacy and security settings, what you want to do is basically scroll down and find the certificates.

Maybe they are all the way down. So here are the certificates and you want to go onto the “View certificates.”

Once this window opens up, it will show you a bunch of these certificates that already are in your Firefox web browser. 

Now, what you want to do is import the already downloaded certificate that we downloaded from this website, which is "HTTP burp." 

How we do that?

Well basically we just go on to the import right here. So click on the "Import" and find where this file is saved for you. I already imported it so I won't be importing it twice. Here it is. Just click on the file and click on the "Open," and once it does that, click on the "Okay" and you should be good to go.

After that, if you type "google.com" once again, it should be loading the HTTPS websites as well as the HTTP websites.

Now, if this didn't work, make sure once again that the Burp Suite is running or this will not work. Make sure that all of these options are already set as mine and you should be good to go. 

Once we made this work for HTTP and HTTPS, now we can track all of the packets going through our own Burp Suite. As we can see right here, if I go on to the target, it will give me a list of all the hosts that I’ve already visited. 

As we can see right here, these are just a bunch of the HTTP request packets that I sent in order to visit my virtual machine, which is on the IP address of 192.168.1.9.

Now, in the next tutorial, I will show you some of these packets and how you can configure them, how you can change them and all of that, and where you can find all the websites that you visited and specific packet if you search for it.

But for now on, just make sure that your Burp Suite works. 

Let me just show you once again. Let's visit "facebook.com." It should open up the Facebook page and it should also have here a bunch of other Facebook domains opened. As you can see, the page that you requested will be the darker letters than the ones it automatically searched for in order to get to your Facebook page.

We can see right here this is our Facebook page and the HTTP requests that we got from it.

So I will make sure to explain the requests and responses better in the next video, and until then, I hope you are having a great day and take care.

Web penetration testing! - Editing packets in Burp Suite

Welcome back everybody and in this tutorial, I will show you some of the basics of Burp Suite, how to intercept packets, how to view packets, how to view responses, and so on and so on. 

This is also a great way for you to learn more about the packets themselves and learn more how an HTTP, for example, get requests or post requests look like, and when you will be seeing them.

First of all, let's run our Burp Suite.

So for that, just type in your terminal "burp suite" or you can run it through the applications right here. It will open up in the exact same way. As we can see right here, we get the message again. So just click here "Okay."

Let me just close the terminal right here, and you just go on "Temporary project," then "Next," and then "Start burp." Every time you open the Burp Suite you will notice that under the proxy settings right here, the intercept is always ON by default.

That would mean that if I go onto my Firefox and try to load twitter.com, it will never load it until I forward the packet or turn the intercept off. So it is useful if you want to watch the packet. 

We can see how the first packet looks. I requested this page with the protocol HTTP/1.1, the host is firefox.com, and the user agent is Mozilla 5.0. These are just my information since this is an HTTP request I am sending this to the server. 

We can forward it, but you will notice that there will be another packet. Basically, there will be a lot of packets that you will need to forward in order to get to the website. As we can see, even though I forward the first packet, it is still not on the website itself. 

So let me just forward all of the packets, and once you do not get any packet anymore, you should be loading the page. As we can see, there are lots of them since this is a big website. 

In the previous video, we did the same with the virtual machine and you saw that I only needed to forward one packet in order to get to the page of my virtual machine. But for now on, I had to forward several of them and right now I should have Twitter loaded.

As we can see, it is not loading anymore, I forwarded all the packets and I received all of the responses from the server. Now, in order to check that you can go under HTTP history, and you will see right here all of the domains, all of the websites that you visited in the process of connecting. 

Now, there are a bunch of these detect portals, you will always have them, you just want to find the website that you are searching for, and when you find that, you can see the response to all of your requests. As we can see, here we have twitter.com. That is the page that we searched for.

Here we can see the first request that we sent. In order to check out the response on that request that we sent, you just click here on "response" and this is the response of the server. As we talked before, it is consisted of the head and body, so here we have the head and with a bunch of these set cookie options.

Now, this is just a body right here, starts the body, which is the HTML code. We talked about that. But let me just find the set-cookie option. Here it is. So basically, this is the option that I was talking about in the HTTP response video. This is the cookie that the Twitter set for us in order to track our session. 

As we can see, the option "set-cookie" and this is our cookie right here. Now, there are a bunch of the things in the cookie as well as path, domain, secure, which means HTTP only set cookie, max age, expires. It basically even says when does the cookie expire.

So it expires on Monday 18th February 2019, which means it expires today on this time. Okay, so that's one of the things that we covered. Here we can also have the status code which is "200."

We successfully loaded the page so we got the status code 200. These are just a bunch of the options that we do not care about, so we can go down here and here starts the HTML code of the page itself, so this is what we load. 

It is basically a huge code, so we don't need to watch it since the website is quite big. That's how you can check the request and the response of a certain packet. You can go onto the post. Here we have a post request.

You can check the response right here. Here is the request. 

Now, there are some of the options, that we did not care about. For example, this is not really that important to us. 

Now, what is important is let us turn the intercept on once again. So, if I turned right here off and turn it on, and here let's say, for example, I want to log in. Now, we said that the packet that we send with our username and password will be a post request. 

Once I type here the username and the password, we should be sending the post request to the website. Let us try that. If I just type here anything and press here "log in," you will notice that it is loading since we turned the intercept on.

But right here, we have the packet that we want to send as a post request. Here we can see the basic HTTP headers structure and here we can see username or email four Ws and password five Ws.

So we can see our packet from here. If I forward it, it will send to the server the username and email with this username and this password right here. These are just a bunch of the things that we do not care about at the moment. 

Now, if you turn the intercept off or forward this packet, it doesn't really matter, it will give us an error that, “This account doesn't exist”.

So you might be needing to forward a couple of packets as we can see there are no longer packets arriving. We forwarded them all and it says, “The username and password you entered did not match our records. Please double-check and try again.”

Now, let's try to change that in the Burp Suite. Let's change the packet itself.

Let us just go back one page. We should go to the login page once again. Now, also I forgot to mention that using Burp Suite, your Internet might be slower and you will be loading pages a little bit slower than usual, but it is not a big deal. 

We can see that it could be that my intercept is on of course, that's why I couldn't load twitter.com, so let us just turn it off and we loaded the Twitter page.

Now, let us turn the intercept on once again and let us send again the same username and same password which is five Ws. If I click here "Log in," you can see that it is stuck since our intercept is off. 

Now, this is a previous packet, so it doesn't matter. Here is our packet and here let me try to change the username into four Bs. As you can see, four Bs and if I try to forward this packet and forward all of the other packets, it will still give us the wrong username and wrong password, but it will show that the username wasn't four Ws, it was four Bs.

As you can see right here, without any interaction with the page itself through the web browser, we managed to change the username through our Burp Suite.

So that is another useful thing to know. It will be used later on in order for us to brute force websites. For example, you just add a password list and you change the packets as you forward them and it tries every different password instead of the password that you specified right here.

We can turn the intercept off right now. As I said before, in order to check the websites that you visited, you can go to the HTTP history or on to the target. Here you can also see the websites that you visited. 

Now, there are a lot of other options that I will show you later on. For now on, it is enough for you to understand that there is a request and response that you can check out in Burp Suite and also you can change the structure of packets, you can also delete some of the things, you can also change usernames and passwords. 

For example, let us go back once again.

So we go back to the login page, intercept ON, and then if I just type here something once again, now it doesn't matter what the username and password is, we can see it is stuck. Here the post request with the username four Ws and password five Ws, we can change, for example, the user agent.

Now, if we delete this, we will no longer be sending our information to the server. We will not send basically what version of web browsers we are running and what operating system we are running. So it is good if you do not want the server to know some of the information about you. 

So, if you forward this packet, you will get some of the others, let us forward them all and let us finish these couple of packets. So once it finishes, we get the same error. But if we go right here and we go to the HTTP history — let me just go right here to the Twitter and find the packet where we sent it. It should be all the way down I believe.

Let me just find it.

"Login error, login error."

We basically just want to find the post requests. Here they are, some of the post requests, and as you can see right here, the difference between these two — this one was the previous one and this one was the one we sent right now, is that this one has the user agent, which basically says that we are using Mozilla 5.0 Linux and this one below is the same request with the same username and same password, but we deleted the information about ourselves.

So the server will no longer be getting the information about our browser and our operating system, which is another layer of anonymity for you. 

That's about it for this tutorial. 

These were just some of the basics and me showing some of the things for this program. We will continue in the next lectures and I hope I see you there.

Web penetration testing! - WhatWeb & Dirb

Hello everybody and welcome back. 

Before we continue with the Burp Suite, I just want to show you some of the tools that you can check out by yourself that already come pre-installed in Kali Linux and are used for discovering basically more information about a certain website. 

So let us just open our terminal. We will go over them briefly. There are only two tools, and then we will continue after that to use Burp Suite in order to hack a web page. But the first of these tools is called "WhatWeb."

If you just type here "whatweb," you will be prompted with your options for this command. What this command basically does is it identifies different web technologies running on a certain website.

It can, for example, detect JavaScript libraries used for designing the websites, it can discover some different systems, technologies that are running on the website. 

Now, we will only cover one of the options right here, which is just the verbose or "- v."

We will just use that in order to show you what this tool does. So let me just check out the IP address of my OWASP machine. I will just type here ifconfig and we can see that it is .1.9. 

So if I type here "whatweb - v 192.168.1.9," we should see some of the things that are running on the website, which can be useful if you are planning a further attack. 

We can see we got a bunch of these options, a bunch of the output, which says basically the versions and the things that are running on the website. We will go from the top. As it says, the page is found, which it gives us the status code 200.

This is the title, the IP address, the country, summary. 

In the summary basically, you can see all the things that it is running and below that, you will see in more details what version they are running. So for example, you can see JQuery HTML5, OpenSSL, Python, HTTP server, Apache, and so on and so on. 

But if you scroll right here down, you can see "Apache version 2.2.14."

We can see different modules, module proxy _html, website.

Now, this is just the website to the Apache.

Let me just go down. 

Emails. So it has extracted some of the emails I believe. Not really sure if that's that.

It could be that these are just some of the emails that are located on the website. Yeah, because of this one I believe. 

OWASPBWA. 

It basically just found some email on the website. 

HTML 5, HTTP server JQuery, OpenSSL, PHP. 

We can see the version, passenger, Perl, Python, scripts, and so on. These are just some of the useful information you can find out about a certain website. For example, if you find out that it uses JavaScript, you can possibly try to plan out in the cross-site scripting attack or something like that. 

Now, that's just the first tool that I want to show you. We won't be covering it in detail. 

Let us just go on to the next one right away, and the next tool would be "Dirb."

So just type in your terminal "dirb" and you will get the available options for this tool. Basically, what this tool does is it scans for directories that aren't found in the page. It basically recursively tries to find web pages with different extensions. 

If it finds out that the web page exists, or if it doesn't exist, it basically finds it out by the status code of the page itself. So for example, we all know that if you visit a page that doesn't exist, you get that weird "404 error, page not found."

And if it does exit, you get the status code of "200."

So basically, how this program works is it brute forces the website with directories and if you get the status code of 200, it will print us that page exists. If it gets the status code of 404, it will say that the page doesn't exist. 

Now, it's a simple concept, so let us just run this program on our OWASP virtual machine.

Let me just see what the syntax is. As we can see "dirb URL base wordlist."

So let me just locate some of the wordlists. 

Now, some of the wordlist, you can find its "usr/share/wordlists," and then just type here "ls" and let me see which one we will use. Let me go to Metasploit since there are a bunch of other wordlists as we can see right here. 

Let me see if there is any wordlist that could be useful for us for this specific attack, which is basically brute forcing the directories in order to find some of the directories that aren't on the website. 

Let me just see right here. I can't seem to find any directory. Let me just "ls grep dir," maybe it will find something like that. No. Let me just go — there it is. There is literally a dirb, so we can use something from here I believe. 

Extensions common. 

Let us just "cat" that, so we can see if that is what we need. No, I don't think that is what we need. This is the  file extension. So let me just see what is under common. It could be something useful. 

We can try that one. Not really sure if it is made for this. Probably not, but let us give it a try. Why not? 

So we will use the "common.txt."

Yeah, common.txt word list. 

So it should be in the same path for you as well:  /usr/share/wordlists and then /dirb and you should see the common.txt file.  

Let's just run dirb once again and if we type here "dirb192.168.1.9" and we type here the "usr/share/wordlists" I could have just specified common.txt since we are already in the folder, and then the options.

Let us just see if we want to add any options or do we want to basically just run this?

Let me see if it will work like this. Use HTTP. Okay, so we need to specify HTTP. As we can see right now, it is running the directory brute force. We can see right here, we can see the code 200 means that the page exists. 

No need to scan it let me just see — code 500. Okay, code 200. All of these 200 pages do exist. So we can prove that. Let us just use any page that was code 200 like this one. We can copy the URL and let us go open our Firefox.

Now, the reason why I'm showing you this attack is because some of the websites can configure to have available web pages with basically usernames and passwords.

So you can basically find something you shouldn't be able to find just by trying out random directories for that page. 

Now, before I go and paste the link, I need to turn off my proxy, which is the Burp Suite.  

So if you have it set as proxy and not running it currently, just go here and for this time go on "no proxy." I didn't have to turn on the Burp Suite for this video and we will paste and go. As you can see, it found a page. So this page exists. If we check out another page that gave us the status code of 200, let us see, we can take any page we want. So code 200 index.html list. 

This is some ICO file, but it doesn't matter. Let us just see if it works and it does work. We got a picture. So all these 200 codes exist on the website as a directory. Basically that's about it for this tool. 

Now, we will be coding our own directory brute forcer in the advanced section. It is really easy to code and you will see how it works behind the scenes. But for now on, I just want to show you these two tools. 

In the next lecture, we will continue with the Burp Suite and some of the attacks on our OWASP virtual machine.

So I hope I see you there and take care.  

Web penetration testing! - Password recovery attack

Hello everybody and welcome back. 

In this tutorial, we will cover some of the Burp Suite attacks that could be useful for us. Let us start off by turning our Burp Suite on. You can turn on your Burp Suite from the applications.

I will just turn mine on from the terminal. Also, if you unset the proxy as me in the previous video, let us just set Burp Suite to be our proxy so we can intercept our packets.

So just go here on the preferences, we already covered all of this, scroll down to the network settings.  

Let me just click here on "Next" for the Burp Suite and start it. We go on "network proxy" and then on "settings" and just check here the "manual proxy configuration."

Click here "Okay," and now your Burp Suite is set as a proxy. Now, as we already know, Burp Suite is already set to intercept our packets. So if we try to go on google.com, we won't be able to connect.

Let us first of all turn that off and now we should be able to access the Google page. Waiting for Google. Now, the Internet is a little bit slow, so we will wait for that. The first thing I want to show you is the Burp Spider. 

Now, the Burp Spider, basically there are active and passive spidering of the web page. The passive spidering the Burp Suite does by default, so if we for example visit Google, if you go on this arrow, it will show you the subdirectories of the Google, and you can also go as much as you want. 

As we can see, there are a bunch of these files that it already found in Google. Now, how does the scanning work or the spidering? 

It basically watches the HTML page and here it has a bunch of these links and it clicks on each of these links. So for example, the spider basically just scanned through this HTML code and found this link, and it clicked on it, and then it added it to the spidering folder where it shows all of the links that are connected on that page.

Now, in order for you to spider a web page, of course, your intercept has to be turned off and if you wanted to scan the page actively, you need to right-click. 

Let us just first of all visit our OWASP virtual machine. So we visited that, and let us see what it gave for it right here. It didn't print it out yet, so let me just reload this page. We have it right here and for now on, it doesn't have anything there, but if we go on to this one, it found the subdirectory that we clicked on. 

But let's say we want to spider only this cyber directory actively, just click here on "Yes" and you can see you have added an item to target scope. 

"Do you want Burp Proxy to stop sending out-of-scope items?”

Let us just go here on the spider and we can see the requests made and the bytes transferred, it is still running. As we can see, “Use these settings to monitor and control Burp Spider."

To begin spidering, browse the target application, then right-click on one or more nodes in the target site map and choose “Spider this host/branch.”

Now, this is the active spidering as we can see this has a bunch of subdirectories itself. You can find some of the interesting things with just searching those subdirectories. That isn't really that important to us, so we won't be giving too much of our time to that. What we want to do is we want to perform our first attack on the OWASP virtual machine.  

So the first thing we will do will be rather simple. Let me just open the Firefox and go one step back. What you want to do is you want to go on to your OWASP IP address, and then once you go to this page, just click here on the "OWASP WebGoat."

Now, it will prompt you with the username and the password. The username and password will be "webgoat." 

So just type that and you should be able to log in right here. We do not want to save password since we will be brute forcing the same login later on. It will basically prompt you with the welcome screen, so just click here on "Start Webgoat."

Here we can have a bunch of attacks that we can perform on the OWASP Webgoat.

Now, for the first attack, and the rather easy one, we want to go onto the authentication flaws. Basically, let me just find where that is. Here it is. We want to go on to the "Forgot password."

So if you go on to the forgot password, it will basically ask you for the username of your own account in order to change the password. 

Now, what the problem with this is, first of all, we do not know any username for this specific page. So if we type here, for example, "ggggg" and submit, it will say, “Not a valid username. Please try again”.

Now, the concept of this attack is that we send a bunch of usernames right here and hope that we get a different response from the server for some of those usernames, which will basically tell us that that username exists.

So let me just explain that a little bit better.

For example, let's say we send 10 usernames into this. We just type here 10 different usernames and one of them happens to exist on this webpage. For that specific one, it will not print us this error, which says, “Not a valid username. Please try again.”

This means that our HTTP response for the server in its HTML code won't have this string, which will make the HTTP response basically smaller or bigger in terms of bytes. We will be able to determine the difference between the HTTP response from the not valid username and from the valid username.

Now, in order for you to understand this better, let us do that in practice. What we want to do is, first of all, turn our intercept on for this. So just go on the intercept on, and our goal right now is to find out a valid username.

If we type here anything, we will receive that packet that we sent, which is a post request since we are posting in this form right here on this page as we can see, and our username that we are posting is anything.

Now, you can just forward this or turn the intercept off. We want to find this packet in our Burp Suite. So let us just find it. We are looking at the responses. This is not it. Post: anything. So here it is. This is our post request that we sent a few seconds ago, which says "username anything" and we got a "not valid username" for that.  

What we want to do with this packet is we want to send it to an Intruder. Now, the intruder is basically a brute forcer for the Burp Suite. Here you can have, if you right-click on the packet, so find your post packet with the username, right-click on it and go send to Intruder.

Once you do that, you will see this section right here will turn orange, so just click on it. You will see these four options right here. What you want to do is go on to the positions, and you will see your packet. 

Now, the next thing you want to do here, you will see that some of these things right here are selected, for example, the username, the submit button, our cookie, PHP session ID, JSON SESSION ID, screen, menu. 

So what you want to do is click here on "Clear" in order to remove all of that selection. Right here what we want to do is only select our username. So just select "anything" and click here on "Add" and you will see that out of all of these things only our username is selected.

Now, why do we do this?

Well, we do it basically so Burp Suite knows which part of the packet to change with the certain list that we will provide it with different usernames. So if we left it on all of those things before selected it would change all of those things to different usernames and it will make the page not load since it would change the link the cookie and it would all crash basically.

But then, we cleared it and added only username and selected it, and now, it will only change the username. Now, under the "Attack type," you will have four options. What you want to select is the "Sniper" option.  

The Sniper option basically uses one list and selects each input position one by one. So we provide, for example, the list of five usernames, which we created in our terminal or wherever. You can use the user list basically from the Kali Linux itself, since it comes installed with a bunch of these wordlists and it will send packets one by one with changing this value right here with a different username from the list. 

So let us do that. Once you perform all of these, so once you select your username and you click here on "Add," select the "Sniper attack type" option, you want to go onto the payloads. 

Now, the payloads sets for now on you want to leave unchanged. In the payload options, the simple list you want to click on load in order for us to load list and what we want to do right here, we want to find a list that already comes pre-installed in the Kali Linux. So, just go to this /directory and go to the user, let me just find it, then go to the share, then go to the wordlists.

Let us just find the wordlists. Should be somewhere here. "Wordlists" here, so click on the wordlists, click on Metasploit. From here we want to find the "http_default_users.txt."

You want to select this user list and click here on "Open."

As you can see, this is a small user list. It basically has like 15 passwords or something like that. Once you click that, you want to go on to the "Start attack."  

Now, what this will do, it will exchange our username input with all of these different users from the list. 

So here it will say, “The Community Edition of Burp Suite contains a demo version of Burp Intruder,” basically this says that the free version of Burp Suite will run slower than the Pro version of Burp Suite, and in order for you to run this brute force faster, you need to buy the Pro version.

But for now on, we will just click here on the "Okay" since we don't need it. As you can see, it is running all of these usernames in the form right here. So it is sending packets with different usernames and as we can see it finished.

There were 14 usernames and all had status code 200. But what we want to search right now is the difference in the length of the response of the server. That's what I was saying basically. Yes, you can see all of these are 30606, except one which is 30516.

What does that mean?

That means that it got a different response from the server than all of these others, which is a good thing since it possibly means that this username is a valid username. As we can see in any other username, so let's pick this one for example, which has this length and go on to the response.

We can try to find the, “Not a valid username. Please try again.”

It will be there. It's just very hard to find since this is a huge HTML file. It doesn't even matter, so just find the username that has a different length. And if we paste the admin right here since we can see that the admin is the only one with different length, and we click on "Submit," we can see that we proceeded to the next step since that username was a valid username.  

Now it says, “What is your favorite color?” for that account. You can basically brute force this as well with the same method. So just create a list with a bunch of different colors and brute force this field the same way we brute force the username input. 

But we won't be doing that right now, what we want to do next, and by next I mean in the next video, is we want to brute force a login. 

So basically we will be brute forcing the username and password at the same time. We will do that in the next video and until then, I hope you have a great day and I will see you later. 

Bye.

Web penetration testing! - Burp Suite login brute force

Hello everybody and welcome back. 

In this tutorial, we will cover the brute forcing of the username and password. 

Now, this is a very common attack since this will work on any website that basically has the username and password input. So in order to do that, let us first open up our OWASP machine. Make sure it is turned on, make sure that your Burp Suite is turned on, and make sure that your Burp Suite is used as the proxy in the Firefox.

Once you turn all of that on, just go on to the IP address of your virtual machine, and where we want to go right now is we want to go on to the OWASP Bricks. 

So click on the OWASP Bricks and right here you will see this page, and where we want to go is here "Bricks" and then "Login pages."

It will lead you to basically these six different login pages. We want to click on to the "Login #3" and you will see it will prompt us with the username and password, which is probably very familiar to you since we see these kinds of user identification on every website.

Basically Facebook, Twitter, all of them use this kind of form input. In order for us to brute force this, first of all, we will need to make a user list and password list. 

I already made mine, so let me just open a new terminal. As we can see right here, if I type here "ls," I have a users.txt and passwords.txt. Let me just "nano" the users.txt, so you can see that it basically has a few usernames.

So you can just copy all of these usernames from me and create your users.txt file. How we do that, well basically just nano the users.txt file, type these usernames, CTRL + O then enter, and then CTRL + X to exit.

Do that also with the passwords.txt.

Here is my passwords list file. As we can see, 1, 2, 3, 4, 5, 6, password, password1, admin, webgoat, then capital WebGoat, qwerty, 1, 2, 3, 1, 2, 3, and so on and so on. 

So these are just rather small lists. We use small lists right now, so it doesn't take a lot of time in order to brute force this. What we want to do right here is we want to turn our intercept on. Once we do that, go on to your login page, which is "Login #3" and type here anything, DDDDD. DDDDD.

It doesn't even matter. Just click here "Submit" and we can see right here the packet that we are sending.

So, of course, we are sending with the post request, we are sending on to this page which is the same as this one, and we are sending username of this and password of this. 

So once we see the packet, you can turn the intercept off. Right here, it will say, “Wrong username or password,” which we really didn't expect that to work. So let us just find the packet right now. Let me just find it. It is under "OWASP Bricks login 3."

It's not this since this is a GET request you basically try to find the POST request "OWASP Bricks login 3" and here it is, my post request for the login #3 page. 

Now, what we want to do right here, we want to create an attack where we will send a bunch of usernames and passwords. And wait for the different server response for some of them, which will tell us that that username and password is correct. 

Now, it is similar to the previous attack, which we used on the username, but right here what we want to do is we want to check out the server response for every attack, for every username and every password and we want to see if the server responds in its HTML code has this string right here. 

As you can see, “Wrong username or password,” and this is this string. So this is the same as this, this is just in the HTML code of the page. 

Now, the username and password, which doesn't have this string right here is the valid username and valid password.

The concept of this attack is brute forcing until we find a response which doesn't contain this string. 

So let us do that.  

What we want to do is basically do the same as in the previous video. We want to send this packet into the Intruder and once this packet is in the Intruder go on to the positions and you will see also once again that all these positions are selected. 

You want to clear all of them and right now, instead of selecting one position, we want to select both username and password.

So click here on "Add" and select also the "password," click here on "Add." For the type of the attack, you do not want to use Sniper since it is used to only brute force one input. We want to use the "Cluster Bomb."

The "Cluster Bomb" is basically used to brute force two different inputs. So once you select here the attack type "Cluster Bomb" and once you select here the username and password, go on to the payloads, and here as a payload set one.

We want to leave this and go down here and click on "Load" and we want to basically load our username and password list that we created. The username and password that I created is in the root folder, so let me just find where root is.

Here it is, and as we can see here are our two lists that we created. So for the first list, we pick the users.txt and click here "Open."

This is our list right here, and then after you select that list, which is the user list, you want to go on to the "payload set." On here, you just click here on "Two" which is basically referring to the second input of our packet, which is the password.

Once you select "Two," click here on "Load" and select the passwords.txt, which is our list for passwords. 

Now, after you do that, you want to select one more thing, which is we want to add to the "Burp Suite" the string that it should search for in the packets, which is this string since we know this string will only be prompted once the username or password is wrong.

Let me just find where that option is. Just go here on the "Options" and once you go on to the options, scroll right here down and in the "Grep - Match" what you want to do, Match is the option that we will use in order to find the string in our packet.

So just remove all of these strings right here. We do not need them. Let me just click right here on the "Remove" once again since it doesn't work or "Clear."

Yeah, just click here on "Clear" and it will ask you if you want to create list. We want to, and in the "Add" section, what you want to type is, “Wrong username or password.”

Now, make sure that it is the same, exactly the same as this. So the user space name must also be the user space name right here this. So if you, for example, type here "username" that is the one word it will not work. 

So make sure you add a space right there and once you do that click here on "Add." We selected the string that we want to search for in our response on the server. Once you select all of that, where you want to go is here on the "Start attack."

You will get the same prompt window as before, so just click here on the "Okay." 

As you can see right now, it is trying out different combinations of our usernames and passwords, and where this is checked, it is basically showing us the responses that have this string in them. So all of them have this string, which is the wrong username or password, and what we want to do is find the one that doesn't have that.  

As we can see, we found it right here, so this response doesn't have wrong username or password in the output of the server. For example, if you were to use this one, which is user and admin, so let us just try it right here, user admin, you will get the wrong username or password, and that's why it's checked. 

But this one isn't, so it must be a valid account. If we type here admin, and then admin below and submit, you will see that we have successfully logged in. 

Now, once you do that, you basically brute forced a login and you can log in as a different user. 

Now, of course, most of the people won't really have the username and password set as admin, admin, but for the real-life attacks, you want to use much bigger lists and you want to use more probable usernames and passwords.

Now, in order to perform this same attack faster, what I will show you in the next video is another tool that Kali Linux comes with, which is "Hydra."

It is a brute forcer for the website login pages, but it works much faster than the Burp Suite brute forcer. Let me just find it. Where is our page? It has finished, but it took some time to run this 60 different types of combinations in order to find one, which was the valid username and valid password.

Now, you will see that the "Hydra" which is the tool that we will use in the next video will do that much faster. 

So I hope I see you in the next video and take care. 

Bye.  

Web penetration testing! - Hydra login brute force

Hello everybody and welcome back.

Let us continue from where we previously finished, which was the Burp Suite brute forcer. What we want to do right now is use a different tool that is already installed in Kali Linux, which is called "Hydra."

So if you type here "Hydra" it will give you the different options that you can use for this tool. 

Now, we will do the same attack with the same user list and same password list, and on the same page in order to show you that this will work much faster than the previous scan, which took around 30 seconds.

So the syntax can be a little bit hard for this tool. I will show you why it can be a little bit problematic if you do not know what you are doing.

I will make sure to explain every part of the syntax. 

Now, before we even type anything, you can see the usage or the example right here, which is rather simple than the one that we will use at the end. 

We do not care about it at the moment. Let us just clear the screen and let us just open our Burp Suite. 

Now, let us go to the proxy and turn our intercept on in order to check out the packet that we will get once we type here any username and any password.

So just type here "anything" and what we are interested in this packet is the path that it took on the website in order to log in to this page.

What you want to do right here is copy this page right here or this path right here. Now, the principle behind this attack is the same for any page, so basically, just go on to any page that you have permission to test.

And if you turn your intercept on and type a bunch of random words, you just want to copy the page itself in order to specify the correct path that you will brute force. 

First of all, what you want to do is turn the intercept off, so it gives us wrong username and wrong password. Then, type here "hydra" and then type the IP address of our virtual machine, which is referring to as a host.

Now, the next thing that we need to type right here is this "http - form - post."

What this means is basically that this is a post type request and with that post type request we are filling in the form. So this right here is called "form" and the request type that we are using to send the form is "POST request" and it will always be post request. 

You cannot send form with the GET request. 

So once you type here "http - form - post" just add here the path between these two. So just add path right here and once you add path you do not want to close it. 

What you want to do is type here ":"

This is just the syntax, so once you type here : after the path, what you want to type here is username.

First, it goes ":username =" then this upper arrow, and type here "USER" then once again upper arrow, then this sign.

Let me just find it. 

This sign "&" right here. I'm not really sure how it is called in English, but type that sign and after that type here "passwd =" then once again the upper arrow, and then pass and another upper arrow, and then once again the same sign, and then type here "submit = submit" and then ":" once again, and then wrong username or password, and then close this quote.

So what happened right here is basically first here we specified the host, which is the IP address of our machine. Then we specified the type of request that we want to send, which is we are filling in the form with the post request.

Then, we specified the path to the form, which is this. We copy that from the packet. After that comes the syntax, which is separated with two dots [:]. 

So ":username =" and now the Hydra syntax knows where the username is because you specified it between these two arrows. It will use the usernames from our user.txt list in order to put it between these two arrows every time.

It is a little bit hard syntax, so you will get used to it after some time. The same is with the password, which is separated with this sign from the username and the password in between these two arrows, it will specify all of the passwords from our password.txt list.

Now, then you separate right here with the same sign as well, and we type here "submit = submit." That submit is referring to this button right here, which is basically "submit." 

So the button in the HTML page is called "Submit" so we type here "submit = submit."

Let me just find right here why it type it twice. Let me just clear the screen. Something happened. I don’t know why that happened, but it doesn't matter. 

So "submit" is referring to the button that we have to click in order to send our request, and with these ":" right here, it is searching for the packet that doesn't have this string. It is the same principle as in the Burp Suite, just the syntax right here is a little bit harder since in Burp Suite everything was automated and we could do it easily.

Here in the syntax, we need to specify after the button that we click, what type of string we are not looking for in the packet. 

Once you do that, you just type here "- L" for the list, and then just find the path to your user.txt file. For me, it is in this directory and here type  "-P" for the passwords.txt.

Once you type that, you got the entire syntax written, so the entire command written. So right now, what you want to do is just press "Enter" and we can see that it started attacking and it should finish relatively fast.

As you can see right here, it already finished and it found one valid username and one valid password which is admin, admin. If we try it once again right here, so just type here "admin, admin" it will work again.

So this is the syntax that we covered or the command that we covered. 

Now, the prevention for this attack, if you want to create your own web page, is basically just block the user from trying to log in after five failed attempts.

Now, this method of prevention, the brute force attack will basically make 90% of people quit after they notice that the website is blocking after a certain number of attempts. 

For example, I believe that Instagram, Twitter, Facebook, they all do that, but there are bypasses for that as well, which is changing your IP address every time you finish brute forcing like five passwords. But this is a more advanced thing, and we will do it later on when we attack the social media with our brute force. 

So that's about it for this lecture. In the next one, we will cover some of the other attacks on our OWASP virtual machine. 

Until then, I hope you have a great day and take care.

Web penetration testing! - Session fixation

Hello everyone and welcome back. 

In this video, I will show you a certain type of the attack, which is called "Session fixation" and is basically used when the owner of the website misconfigured the website creation or basically anyone who created that website allowed that some of the information that the user sends to the server becomes the ID of that session.

Now, before we get into that, I just want to show you another attack, which most likely you will not come across, especially not on some of the bigger websites. You might come across it for some of the smaller websites since it is basically a flaw in the cookie itself in the session ID itself.

If the session ID is not random enough, sometimes you can basically guess the session ID of some of the other user or just find a valid session ID.  

So in order to show you what I'm talking about, just to open up your Burp Suite and on your virtual machine, which is the OWASP, just go here on the "OWASP Webgoat".

If it asks you to log in, just type here "webgoat, webgoat." After that, you want to go on to the "Session management flaws" right here. Here you want to go on to the "Hijack a session."

Now, as we can see right here, we are prompted in with the username and password. Now, what we want to do is basically turn our intercept on and type here "anything" and send our post request. As we can see, it is right here and what I'm talking about is this weak ID.

Now it is called "weak ID" since it is purposely made weak for this attack, and for the first time of you looking at it, this might seem like a really random number, but it isn't. It is actually really easy to guess it. I will just show you how you can generate a lot of cookie requests or different requests in order to see, for example, 10,000 different cookies and in order to compare them and see which values change in this session ID, and which values don't. 

After you do that, you can basically try to guess the session ID with it. But we won't be going through the entire text since it could take some time. I will just show you how you can check out if the ID of that session is weak or not.

Once we do that, we want to turn our intercept off, the invalid username and password of course. 

Now, we want to go to the target, find the page that we send the username and password to.  

I'm not really sure where that is. I’m not even sure what I typed as username and password, so let me just find it right here. It's not this. Which page is it? 

This is screen 72, menu 1800. Okay, so we want to find the Webgoat. Here it is, something with Webgoat. Let us just find the packet right here. So we search for the Webgoat path. Here it is. Let me just see. It's not this one, it's not this one, it’s not this one, it's not this one. Here it is. It's this one, as we can see your username "ggsfg."

What we want to do from here is you want to right-click on the packet and send it to "Sequencer." So once you go to "Sequencer," it will light up this part right here.

Let me just click on the sequencer and you will see that it already set the form fill to be weak ID right here. It gives you a bunch of other options. What you want to set is your session ID and once you do that and click on the "Start live capture," it will basically gather a lot of cookie values and it will see if the value of cookies is random enough, or if it can be predicted. 

So let's go and start "live capture," and as we can see right here, it would start sending a bunch of packets and gathering different cookie values, and once it gathers enough, it can tell us if the cookie value is random enough for it to be well protected.

If it is not random enough, we will be able to guess another valid cookie value, which can basically make you enter someone else's session. 

So for example, if I send the wrong username and password, and I scan the cookie and send a bunch of other requests and scan the other cookies, and find out that the randomness of the numbers is not high, I can guess someone else's cookie session and basically enter their profile on Facebook, for example, without even knowing the username or password.

But this is the attack that you most likely will never ever encounter since it really must be a misconfigured website in order for this to be possible. Today's websites have cookie values that you cannot possibly predict since they are really, really random. 

Once this finishes or we do not even need to wait for it to finish, I think we can click here "Analyze now."

You can see that the overall result, the overall quality of randomness within the sample is estimated to be extremely poor. So, as we can see, it says that the randomness of the cookie is extremely poor in significance level. 

If for example, to the count you can see some of the character sets, which basically just show you how many characters appear and where. Let me just find right here if there is anything interesting for us. 

Well, basically the entropy is the value of the randomness, and if you want to, you can check out other options and output as well. But I just wanted to show you this that you can scan for the weakness of the website ID with this method.

We won't be pursuing the attack since there is no point. As I said, this is the attack that you most likely will never encounter. So let me just close this and let us go on to the attack that I wanted to show you, which was the session fixation attack. 

This "session fixation attack" is done through a link and I will show you how to do it. So it is under the same subsection which is the "Session management flaws" and just click here on this "Session fixation."

Now, it will say right here, “You are Hacker Joe, and you want to steal the session from Jane. Send a prepared email to the victim, which looks like an official email from the bank.”

Basically as you can see, we have an example of the email and here we want to send something within a link that will make us be able to hack another account without knowing the username or password.

Now, we know that this page right here is vulnerable to the session ID being imported into the link itself sending it to someone. If someone clicks on that link, it will have already premade session ID that you typed into the link. 

Once you know that session ID, you can basically log in or basically just enter their account without using username or password.

So let me show you how that is done. 

If we go right here, and if we look at the contents of the email, we can see there is a link referring to the "Webgoat attack screen 56, menu 1800."

What you want to do is basically you want to add this sign after the 1800 and after that, you want to type here "SID," which stands for "Session ID =" and then type here any random number.  

I will type here "555" and we also want to put the entire link between quotes. So "ahref" in the HTML code stands for referring to a certain page. So once someone clicks on this, it will lead them to this page, but we added the session ID.

So it will lead them to the same page, but it will have the session ID already preconfigured by us in the link. Once you do that, you want to make sure that the page is correct. As we can see, Webgoat attack is the same as here, but the WebGoat is capital W and capital G right here.

We want to change that in the link as well. So capital G and capital W. Once we do that, you can send the email. We specified our session ID for the victim to be "555."

So if you click some link and logs in with that session ID we will be able to access that account. If we send an email as an attacker — we can turn the intercept off. So let us just turn this off right here, and we get to the stage two of this attack. 

As we can see, “You completed stage 1.”

Now, we are acting as a victim, so let's say the victim received this email, which was the email that we sent right now and this is the link that we specified the session ID. 

As you can see down here in the left corner of the page, we can see the entire link and we can also see our session ID specified "SID = 555."

So let's say the victim gets this email and it looks like a legit email, and he clicks on this, it will lead them to a login page where it will ask them for username or password just as any other page. But if we can see right here on the link, we already have our session ID specified.  

As soon as someone types here and logs in, we will be able to access that account. Now we also want to act as a victim right here and as we can see stage three, “The bank has asked you to verify your data. Log in to see if your details are correct. Your username is Jane and your password is Tarzan.”

So just type here Jane and Tarzan as password and you click here on "Don’t save."

Now, it says, “It is time to steal the session now. Use the following link to reach Goat Hills Financials. You are Hacker Joe. You completed stage 3.”

We know that Jane has logged into the bank account and what we want to do, we want to basically go to our log screen, so this is just a regular log screen and we, as a hacker, want to log into that session.

But we do not know the username and password for that session, we only know the session ID. So what we want to do is turn the intercept on and right here, we type here "anything" which is not correct. So just type here "anything" random and here we will have the request post request.

Now, if you were to just forward this, it will say wrong username or password since this is a wrong username or password. But what we want to do right here is we want to go up and find the link. As we can see right here, this is the link and under the SID we want to change that to the session of our victim. 

We know that because we set it in the link to be "555." Now, if we forward this packet, it will basically log in into the victim’s account without us even knowing the username or password.

As we can see, we type something random, random username, random password and if you click here "Forward," we can see, “Congratulations, you have successfully completed the session.”   

We are in the victim’s account. First name Jane, last name Plane, credit card type NC, credit card number and then this. This is an attack that you might encounter, so that's why it's called the "Session fixation" since even before our victim has logged in, we already fixed the session in the link in order for us to know it later on once the target has logged in with that session. 

So that's about it for this attack.

In the next tutorials we will continue with the Burp Suite, and for now on I hope you are having a great day and take care.

Bye.

You can buy Private Label Rights (PLR) for this course, click here.