1
00:00:00,390 --> 00:00:05,640
Now, to understand what we'll do throughout the course, I think it's better to start by learning the

2
00:00:05,640 --> 00:00:08,670
exploitation concepts and the terminology.

3
00:00:10,090 --> 00:00:16,900
So, literally, an exploit is defined as a piece of software or a sequence of commands that takes

4
00:00:16,900 --> 00:00:24,100
advantage of a vulnerability to cause unintended or unanticipated behavior to occur on computer software

5
00:00:24,130 --> 00:00:25,330
or hardware.

6
00:00:26,230 --> 00:00:33,640
But I'd like to explain it in these words: an exploit is an attack on a computer system, especially

7
00:00:33,640 --> 00:00:37,720
one that takes advantage of a particular vulnerability the system has.

8
00:00:38,780 --> 00:00:46,010
Such behavior frequently includes things like gaining control of a computer system, allowing privilege

9
00:00:46,010 --> 00:00:49,610
escalation, or a denial-of-service attack.

10
00:00:50,790 --> 00:00:53,370
Used as a verb, exploit refers

11
00:00:54,620 --> 00:00:57,830
to the act of successfully making such an attack.

12
00:00:58,990 --> 00:01:01,120
Now, you heard me use the word vulnerability.

13
00:01:02,140 --> 00:01:03,530
I think we should clarify that one.

14
00:01:04,700 --> 00:01:13,400
A vulnerability is a flaw or weakness in a system's design, implementation, or internal controls that

15
00:01:13,400 --> 00:01:18,560
could result in a security breach or a violation of the system's security policy.

16
00:01:19,790 --> 00:01:26,360
In the context of cybersecurity, the payload is the portion of the malware which performs the malicious

17
00:01:26,360 --> 00:01:30,500
action, and the exploit is used to run a payload on the target.

18
00:01:31,540 --> 00:01:34,840
The things we could do on the target depend on the payload.

19
00:01:35,910 --> 00:01:39,000
A payload may give you a shell on the target,
20
00:01:40,060 --> 00:01:43,510
access to the passwords stored on the target computer,

21
00:01:44,350 --> 00:01:47,290
a back door on the target, etc.

22
00:01:48,310 --> 00:01:55,150
Payloads are usually written in assembly language, and they are usually platform-dependent.

23
00:01:55,360 --> 00:01:59,620
In other words, you can't use a payload written for Windows on a Linux system.

24
00:02:01,070 --> 00:02:05,810
So let's explain the vulnerability, exploit, and payload terms with an example.

25
00:02:06,680 --> 00:02:07,730
Here we have a missile.

26
00:02:08,620 --> 00:02:10,030
And here is the target.

27
00:02:11,190 --> 00:02:14,010
Well, I think the vulnerability is obvious.

28
00:02:14,490 --> 00:02:17,190
An umbrella wouldn't be enough to protect the guy, right?

29
00:02:18,420 --> 00:02:20,290
The missile has rocket fuel,

30
00:02:20,310 --> 00:02:21,030
everything else,

31
00:02:21,390 --> 00:02:25,770
and then it has a warhead on top that does the actual damage.

32
00:02:27,290 --> 00:02:34,940
So the missile is the delivery system, and that's the exploit; the warhead is the payload that actually

33
00:02:34,940 --> 00:02:36,410
does something to the target.

34
00:02:38,600 --> 00:02:44,750
All right, so because you force the systems to work in unintended ways, there are always some risks

35
00:02:44,750 --> 00:02:46,580
while performing penetration tests.

36
00:02:47,120 --> 00:02:53,930
And it's probably obvious, but the exploitation and post-exploitation phases are the riskiest parts of

37
00:02:53,930 --> 00:02:55,340
any penetration test.

38
00:02:56,120 --> 00:02:58,340
We can classify the risks as follows.

39
00:02:59,680 --> 00:03:06,310
Legacy systems and custom applications especially may be taken offline by an automated vulnerability

40
00:03:06,310 --> 00:03:09,220
scanner or over-abused by the attacker.

41
00:03:10,410 --> 00:03:13,050
Likewise, servers may be taken out of service.
42
00:03:14,280 --> 00:03:20,670
Depending on the amount of automated scanning, the size of the network pipes, and the number of ports

43
00:03:20,670 --> 00:03:27,870
on a particular system, it's possible to overwhelm a service or medium, resulting in performance loss.

44
00:03:29,000 --> 00:03:36,890
You may unintentionally or intentionally cause configuration changes while trying to exploit a vulnerability.

45
00:03:38,110 --> 00:03:43,210
Now, it's very common for a penetration tester to access the confidential data of the institution.

46
00:03:44,130 --> 00:03:48,120
So watch out; please be very careful with the data that you collect.

47
00:03:49,340 --> 00:03:54,320
And you may have some tunnels or back doors, especially in post-exploitation.

48
00:03:54,920 --> 00:04:00,680
It's a big risk to forget to clean them up at the end of the penetration test. But don't worry: all

49
00:04:00,680 --> 00:04:07,880
the exploitation and post-exploitation steps run in the memory of the target systems, so the

50
00:04:07,880 --> 00:04:12,260
back doors or the tunnels are deleted when you shut down the systems.

51
00:04:13,330 --> 00:04:18,520
So, to help mitigate the risks, many approaches can be taken, and I'll give you a few examples.

52
00:04:20,220 --> 00:04:27,180
Exclude legacy systems and custom applications from automated testing; to ensure security, perform manual

53
00:04:27,180 --> 00:04:28,920
testing of the excluded items.

54
00:04:30,380 --> 00:04:36,950
Perform testing of critical systems during off-hours. Critical systems can be scheduled for testing

55
00:04:37,220 --> 00:04:40,160
during low-volume business hours or outside business hours.

56
00:04:41,380 --> 00:04:48,190
Perform testing in a phased manner, starting with user acceptance testing (UAT) environments to ensure

57
00:04:48,190 --> 00:04:52,150
the actual tests do not affect particular systems or networks.
58
00:04:52,810 --> 00:04:56,710
Once that is complete, then begin testing on production environments.

59
00:04:57,720 --> 00:05:01,710
Set up monitoring and escalation procedures prior to testing.

60
00:05:02,980 --> 00:05:07,330
Ensure fault management is in place so that systems send alerts when they go down.

61
00:05:08,570 --> 00:05:14,780
Ensure proper phone numbers and other contact information are defined to immediately investigate and

62
00:05:14,780 --> 00:05:17,480
restore services in the event of a problem.

63
00:05:19,000 --> 00:05:24,640
Escalation procedures should include contact information for the person performing the test so they

64
00:05:24,640 --> 00:05:27,760
can immediately stop all testing if required.

65
00:05:28,860 --> 00:05:34,860
Now, you've got to throttle back automated testing to use less bandwidth, to help prevent bandwidth issues.

66
00:05:35,580 --> 00:05:40,620
Also, the number of ports can be reduced if there's a concern about overloading a particular group of

67
00:05:40,620 --> 00:05:41,190
systems.

68
00:05:42,060 --> 00:05:47,610
Usually, it's recommended to test the UAT environment instead of reducing the number of ports, because

69
00:05:47,610 --> 00:05:49,800
certain vulnerabilities may be missed.

70
00:05:51,140 --> 00:05:58,130
And always have a cleanup procedure to reverse configuration modifications, to delete users created

71
00:05:58,130 --> 00:06:03,980
during the test, to remove the back doors, et cetera. The exploits and the payloads that

72
00:06:03,980 --> 00:06:09,530
the exploitation frameworks use generally work in memory, and that means they are not permanent,

73
00:06:09,860 --> 00:06:13,220
and the back doors and tunnels are terminated when the memory is cleared.