WEBVTT

00:00.270 --> 00:05.880
The network is the first thing we think about when we imagine computers getting hacked.

00:05.880 --> 00:06.300
Right?

00:06.300 --> 00:08.320
And it's the pentester's playground.

00:08.340 --> 00:12.990
It's both the first step and the final frontier of compromising a computer.

00:13.320 --> 00:18.900
It's also what makes the compromise of a single computer effectively the compromise of an entire

00:18.900 --> 00:21.300
building full of computers.

00:21.330 --> 00:22.590
It's fitting,

00:22.590 --> 00:30.330
then, that we continue our journey with a discussion about compromising the network and using its own power

00:30.330 --> 00:33.420
and weaknesses to inform the pentest.

00:33.660 --> 00:40.020
The first step is getting on the network, and there are human, architectural, and protocol factors that

00:40.020 --> 00:44.940
make the mere presence of an attacker on the network potentially devastating.

00:45.520 --> 00:52.990
For this reason, defenders often deploy network access control (NAC) systems.

00:53.200 --> 01:01.510
The intent of these systems is to detect and prevent an intrusion on the network by identifying and

01:01.510 --> 01:04.210
authenticating devices on the network.

01:04.680 --> 01:10.680
In this section, we will review some of the methods employed by NACs and demonstrate practical

01:10.680 --> 01:13.260
methods of bypassing these controls.

01:13.350 --> 01:20.430
Now, let's get started by learning about bypassing media access control filtering and things to

01:20.430 --> 01:23.030
consider for the physical assessor.

01:24.620 --> 01:29.270
An attacker needs to be aware of the methods for remote compromise.

01:29.300 --> 01:37.430
Attacking the VPN, wireless infiltration from a distance using high-gain antennas, and so on.

01:37.460 --> 01:42.410
However, a pentester can never forget the big picture.

01:42.440 --> 01:49.520
This is a field where it is very easy to get caught up in the highly specific technical details,

01:49.520 --> 01:56.330
and amidst the human element of security design, there is a design flaw concept that pentesters like

01:56.330 --> 01:59.090
to call the candy bar model.

01:59.880 --> 02:07.260
This simply refers to a network that is hard and crunchy on the outside, but gooey on the inside.

02:07.820 --> 02:14.210
In other words, it's a model that emphasizes the threats of the outside world when designing the security

02:14.210 --> 02:20.150
architecture while assuming that someone who is physically inside the company facilities has been vetted

02:20.150 --> 02:22.490
and therefore trusted.

02:22.640 --> 02:25.260
The mindset here dates back many years.

02:25.280 --> 02:31.370
In the earlier days of what became the Internet, the physical access points to the network were inside

02:31.370 --> 02:33.070
highly secure facilities.

02:33.080 --> 02:40.520
Packets coming in over the network were safely assumed to be from a secure environment and sent by an

02:40.520 --> 02:41.930
authorized individual.

02:42.620 --> 02:49.190
In today's world, a packet hitting the border of a company's network could be from an authorized individual

02:49.220 --> 02:55.370
on a business trip, or it could be a very clever teenager on the other side of the planet, eager to

02:55.370 --> 02:58.010
try out some newly learned tricks.

02:58.490 --> 03:04.160
The candy bar model will come up in later lectures when we discuss other network attacks.

03:04.740 --> 03:10.110
Once you crack the outer shell, you will often find that the path forward seems paved, especially

03:10.110 --> 03:10.710
for you.

03:10.830 --> 03:17.340
And the successful compromise will inform your client of the devastating consequences of this mistaken

03:17.340 --> 03:18.330
assumption.

03:19.070 --> 03:22.350
Feel free to treat yourself to an actual candy bar.

03:22.370 --> 03:24.950
Upon successful compromise, you deserve it.

03:25.100 --> 03:29.780
How to social engineer your target is a subject for another section altogether.

03:29.780 --> 03:35.270
But for the purposes of this discussion, let's assume that you have physical access to network drops.

03:36.110 --> 03:38.270
Not all physical access is the same, though.

03:38.270 --> 03:45.470
But if you convince your target to hire you as a full-time employee, then you will have constant physical

03:45.470 --> 03:46.400
access, right?

03:46.550 --> 03:48.690
They will even hand you a computer.

03:48.710 --> 03:54.770
However, what's more likely is that you have exploited a small gap in their physical security stance,

03:54.770 --> 04:00.470
and your presence can be undetected or tolerated for only a short period of time.

04:01.200 --> 04:08.420
You have snuck in through the smokers' door after striking up some conversation with an unwitting employee,

04:08.430 --> 04:13.620
or you have been given permission to walk around for an hour with an unconvincing-looking contractor

04:13.620 --> 04:18.810
uniform and clipboard, or, which is my personal favorite,

04:18.840 --> 04:26.730
you have earned trust and affection by bringing in a big box of donuts for the people expecting an auditor's

04:26.730 --> 04:29.370
visit based on a well-scripted phone call.

04:30.670 --> 04:36.490
And my client is still shaking after this test and will ask whether the donuts were real.

04:36.490 --> 04:43.420
And for now we will demonstrate how to set up a Kali box to function as a rogue wireless access point

04:43.450 --> 04:50.770
while impersonating the media access control address of a Voice over Internet Protocol phone.
