[00:00:01] Instructor: What exactly is a vulnerability? We talked about the process of gaining access and making the target execute our commands, but let us explain what happens once we exploit a vulnerability. Well, let's start like this. And trust me, if it sounds a little complicated, it'll be more clear once we get to practical examples in the next few videos. For now, let's explain it like this.

[00:00:27] We know that developers write programs. They use their code, which can be written in any language, whether it is Python, Java, C, or some other language. The goal for the developer is to create software using a programming language. And as we mentioned, that software can be based on any language whatsoever. Once the software is complete and it goes through a few test checks and security checks, then that software gets deployed on machines and it can be run from those machines. This can be any type of software. It doesn't matter.

[00:01:03] However, the problem occurs once that software is open to the internet. For example, FTP is open on some machines and servers for file transfer protocol. SSH could also be open for a Secure Shell connection. HTTP could be open to host a webpage that clients connect to. Basically, if your software is hosted on an open port, then it is also open to possible attacks from the outside.

[00:01:31] And as we already know, the software consists of code that developers wrote. A problem occurs if that code is not well written, if it has some bugs. Now, it doesn't necessarily mean that if there is a bug we can exploit the target, but sometimes those bugs can be critical. And the attacker could use that bug to make the software act in a way that it is not intended to. That's called an exploitable vulnerability. Usually, once exploited, we drop a payload or a shell back so we can control that machine and do what we want with it.

[00:02:08] Once a bug or vulnerability is discovered, it gets the name that we've seen for vulnerabilities in Nessus, which starts with CVE and then the year when the vulnerability first occurred. A vulnerability that exists and has not been patched yet by the vendors is called a zero-day. Usually, as soon as a critical zero-day is discovered, it gets patched almost immediately. But you will see examples of zero-days that were used for months before anyone found out about them. The best-known recent one was in 2017, when the WannaCry ransomware occurred and infected a bunch of hospitals and police stations. It was based on an exploit called EternalBlue, which was created and used by the NSA. They never reported it and used it for their attacks until those exploits got stolen from them and got leaked. We will see in this course a lot of recent zero-days that are now patched. Some of them will even be as recent as just a few months ago.

[00:03:10] However, all of this makes sense if the target has a vulnerability. But remember, vulnerabilities don't always have to be of a technical nature. Imagine a company with a bunch of networks, servers and machines fully secured and also protected by the best firewall. No security holes, no vulnerabilities. We can't even scan the target to figure out its infrastructure because its protection is so good.

[00:03:38] Now, imagine an employee that works there. Let's call him John. And let's focus on John at the moment. John likes cars. He usually searches for car pictures and videos while working. One day he gets an email from a person whose email name is exactly the same as his colleague's. In that email, there is a car picture. He sees that the email is coming from his colleague, so he doesn't question it. Therefore, he opens that picture at work and it indeed is a car picture. But little does he know that the email was spoofing an email for him so that at first glance, it looks like it comes from his colleague. And that picture opened a car image, but it also ran our malicious program in the background.

[00:04:26] What happens next? Now, John's work computer is infected and he doesn't even know it. And from his computer, we can compromise the entire network and the entire inside of that company. Now, this is just an example, but stuff like this happens a lot. As a matter of fact, most of the hacking that happens that you read about happens this way and not by someone finding a zero-day vulnerability on a fully secured company. Remember, people are always the weakest spot. So if you can hack something through them, why would you bother trying to discover a technical vulnerability that might not even be there?

[00:05:07] In the next video, we're only left to talk briefly about shells and different types of shells that we want to drop once exploiting the target. After that, we are ready to get our hands dirty and start gaining access to our target machine. See you in the next video.