1
00:00:00,270 --> 00:00:05,880
The network is the first thing we think about when we imagine computers getting hacked.

2
00:00:05,880 --> 00:00:06,300
Right?

3
00:00:06,300 --> 00:00:08,320
And it's the pentester's playground.

4
00:00:08,340 --> 00:00:12,990
It's both the first step and the final frontier of compromising a computer.

5
00:00:13,320 --> 00:00:18,900
It's also what makes the compromise of a single computer effectively the compromise of an entire

6
00:00:18,900 --> 00:00:21,300
building full of computers.

7
00:00:21,330 --> 00:00:22,590
It's fitting, then,

8
00:00:22,590 --> 00:00:30,330
that we continue our journey with a discussion about compromising the network and using its own power

9
00:00:30,330 --> 00:00:33,420
and weaknesses to inform the pen test.

10
00:00:33,660 --> 00:00:40,020
The first step is getting on the network, and there are human, architectural and protocol factors that

11
00:00:40,020 --> 00:00:44,940
make the mere presence of an attacker on the network potentially devastating.

12
00:00:45,520 --> 00:00:52,990
For this reason, defenders often deploy network access control (NAC) systems.

13
00:00:53,200 --> 00:01:01,510
The intent of these systems is to detect and prevent an intrusion on the network by identifying and

14
00:01:01,510 --> 00:01:04,210
authenticating devices on the network.

15
00:01:04,680 --> 00:01:10,680
In this section, we will review some of the methods employed by NACs and demonstrate practical

16
00:01:10,680 --> 00:01:13,260
methods of bypassing these controls.

17
00:01:13,350 --> 00:01:20,430
Now, let's get started by learning about bypassing media access control filtering and things to

18
00:01:20,430 --> 00:01:23,030
consider for the physical assessor.

19
00:01:24,620 --> 00:01:29,270
An attacker needs to be aware of the methods for remote compromise:

20
00:01:29,300 --> 00:01:37,430
attacking the VPN, wireless infiltration from a distance using high-gain antennas, and so on.
21
00:01:37,460 --> 00:01:42,410
However, a pentester can never forget the big picture.

22
00:01:42,440 --> 00:01:49,520
This is a field where it is very easy to get caught up in the highly specific technical details,

23
00:01:49,520 --> 00:01:56,330
and amidst the human element of security design there is a design flaw concept that pentesters like

24
00:01:56,330 --> 00:01:59,090
to call the candy bar model.

25
00:01:59,880 --> 00:02:07,260
This simply refers to a network that is hard and crunchy on the outside, but gooey on the inside.

26
00:02:07,820 --> 00:02:14,210
In other words, it's a model that emphasizes the threats of the outside world when designing the security

27
00:02:14,210 --> 00:02:20,150
architecture while assuming that someone who is physically inside the company facilities has been vetted

28
00:02:20,150 --> 00:02:22,490
and is therefore trusted.

29
00:02:22,640 --> 00:02:25,260
The mindset here dates back many years.

30
00:02:25,280 --> 00:02:31,370
In the earlier days of what became the Internet, the physical access points to the network were inside

31
00:02:31,370 --> 00:02:33,070
highly secure facilities.

32
00:02:33,080 --> 00:02:40,520
Packets coming in over the network were safely assumed to be from a secure environment and sent by an

33
00:02:40,520 --> 00:02:41,930
authorized individual.

34
00:02:42,620 --> 00:02:49,190
In today's world, a packet hitting the border of a company's network could be from an authorized individual

35
00:02:49,220 --> 00:02:55,370
on a business trip, or it could be from a very clever teenager on the other side of the planet, eager to

36
00:02:55,370 --> 00:02:58,010
try out some newly learned tricks.

37
00:02:58,490 --> 00:03:04,160
The candy bar model will come up in later lectures when we discuss other network attacks.

38
00:03:04,740 --> 00:03:10,110
Once you crack the outer shell, you will often find that the path forward seems paved, especially

39
00:03:10,110 --> 00:03:10,710
for you.
40
00:03:10,830 --> 00:03:17,340
And the successful compromise will inform your client of the devastating consequences of this mistaken

41
00:03:17,340 --> 00:03:18,330
assumption.

42
00:03:19,070 --> 00:03:22,350
Feel free to treat yourself to an actual candy bar.

43
00:03:22,370 --> 00:03:24,950
Upon successful compromise, you deserve it.

44
00:03:25,100 --> 00:03:29,780
How to social engineer your target is a subject for another section altogether.

45
00:03:29,780 --> 00:03:35,270
But for the purposes of this discussion, let's assume that you have physical access to network drops.

46
00:03:36,110 --> 00:03:38,270
Not all physical access is the same, though.

47
00:03:38,270 --> 00:03:45,470
If you convince your target to hire you as a full-time employee, then you will have constant physical

48
00:03:45,470 --> 00:03:46,400
access, right?

49
00:03:46,550 --> 00:03:48,690
They will even hand you a computer.

50
00:03:48,710 --> 00:03:54,770
However, what's more likely is that you have exploited a small gap in their physical security stance,

51
00:03:54,770 --> 00:04:00,470
and your presence can be undetected or tolerated for only a short period of time.

52
00:04:01,200 --> 00:04:08,420
You have snuck in through the smokers' door after striking up a conversation with an unwitting employee,

53
00:04:08,430 --> 00:04:13,620
or you have been given permission to walk around for an hour with an unconvincing-looking contractor

54
00:04:13,620 --> 00:04:18,810
uniform and clipboard, or, which is my personal favorite,

55
00:04:18,840 --> 00:04:26,730
you have earned trust and affection by bringing in a big box of donuts for the people expecting an auditor's

56
00:04:26,730 --> 00:04:29,370
visit based on a well-scripted phone call.

57
00:04:30,670 --> 00:04:36,490
And my client is still shaking after this test and will ask whether the donuts were real.
58
00:04:36,490 --> 00:04:43,420
For now, we will demonstrate how to set up a Kali box to function as a rogue wireless access point

59
00:04:43,450 --> 00:04:50,770
while impersonating the media access control address of a voice over Internet Protocol phone.