New Summer/Fall 2021 Launch.
Did you know some estimates are showing there is a 3 million shortfall in Cyber Security talent in 2020?
Isn't that crazy?
This means this field is thirsty for competent cybersecurity professionals who can help organizations fortify their critical infrastructure, eradicate adversaries from their networks and emulate the most advanced threat actors in the world to help protect companies from compromise.
It feels like hacking is always in the news, glamorized on TV but often misunderstood. So in this course you will learn hacking from A-Z - from the ground up.
Nothing is missing.
All attacks are mapped to the latest industry standard frameworks such as the OWASP Top 10 and the MITRE ATT&CK Enterprise Matrix. And all techniques are currently being used by real world black hat attackers. By the end of this course you will know how to protect any organization with an internet presence from a thinking and adaptive adversary using the latest tools, techniques and procedures.
This is a full scope course - meaning it covers everything from recon to action on objectives... breach to impact... it's all here.
Scroll down and take a look at the lectures and tell me if it's not getting you excited.
For example, in the Cyber Range section you can see you will build a world-class range featuring fully instrumented Windows 10 Endpoints with Windows Defender for Endpoint EDR, Sysmon, and the Splunk Universal Forwarder. You'll also notice we are using a dockerized OWASP Juice Shop container with logs being shipped from the Docker container into Splunk Enterprise. And we're using OPNSense as our Firewall with Suricata signatures and the ET PRO ProofPoint ruleset. We've even got enterprise email set up so you can spearphish victims in your Active Directory lab. You'll learn how to set up an internal DNS resolver, configure Windows Server... And it gets even better than that - I'm just sharing the tip of the iceberg as new lectures are currently being released weekly.
Let's get started.
Oh and one more thing: the best part is you will be building a hands-on lab that is completely isolated from the internet and will afford you the best opportunity to learn real world attacks through experimentation. This is truly the best way to learn and since it's your lab you'll have access to it forever.... it isn't limited by cloud costs or monthly limitations.
Let's do this.
Welcome to Modern Ethical Hacking! In this quick introduction video I'm going to give you the big picture of the course and set the stage for some of the awesome things you'll be doing as we go through this cyber journey together!
Before we jump in - I've got to read your mind and shine some light on two questions you probably have lurking in the back of your mind. Let's quickly address these concerns before we move on shall we!?
I created a helpful Github resource which complements the material in your course. In this lecture I'm going to walk through that resource with you so you can get the maximum value possible!
What's it REALLY like being a Penetration Tester\Red Teamer? Let me share my story. I want to tell you how I got into this field so you'll know how you can break in as well. In addition, it's always good to have the backstory on how the author got to where he is - I'm not some super smart guy - I'm just an ordinary dude with loads of curiosity and a passion to be the best Cybersecurity Professional I can be! Let's jump in.
So do you really want to be a professional Ethical Hacker? Do you really want to get paid to Pen Test or Red Team an organization to help fortify their defensive posture? Okay, then you need to know how to speak MITRE ATT&CK! In this lecture I'm going to break down the MITRE mystery and arm you with the skills you need to wow and win!
MITRE Shield is the lesser known, newer, but equally important half of MITRE ATT&CK. Shield is all about Active Defense. If you don't know what that is - come on in and get a quick 4 minute rundown. You're about to get the edge up on the competition - especially if you're interviewing for a cyber job! Think of this lecture like the sprinkles on your ice cream cone. Let's go!
Ahh the OWASP Top 10. Injection, XXE, XSS all the good stuff I've come to love about Web Application Penetration Testing! This is where the fun lives guys. When you master these methodologies: MITRE + OWASP = You_Are_Incredibly_Valuable_To_An_Employer; So that's what's up. In this lecture you're going to get a nice taste of OWASP and then in the coming lectures you'll have the freedom to practice the theory in the safety of your lab! It's going to be a wild ride guys and we are just getting started! Let's do this!!
It's important to stay organized when conducting a pentest engagement or red team exercise. I know documentation is boring but - to be honest with you guys - this is where the real value shows up. Your report is really all the client cares about so if it sucks... well it doesn't matter that you used Unicorn to evade their CrowdStrike Falcon EDR or that you used Cobalt Strike's Beacon Object Files to fool the target organization's SOC. The bottom line is all that technical leetspeak is nothing without a well documented, meaningful report - and that's why I wanted to take a few moments to show you my favorite way for taking notes while I work! Don't worry this lecture is going to be quick. Let's jump in!
Alright: let's start from the top with the Application Layer. Here's the stuff everyone already thinks you know... but secretly deep down you are wondering if you really do. Hey, imposter syndrome is a real thing! I even have it and I've been doing this for over 15 years! But the point of this section is to get you up to speed on basic networking concepts in the quickest way possible. So let's begin with the first layer of the OSI and TCP/IP models: Application!
Now it's time to dig into the Transport Layer! You're going to learn about UDP vs TCP then we'll dig into the details of the three-way-handshake! Let's go!
And now let's quickly review some well known ports!
This is incontestably the most important lecture in this networking refresher section. You'll learn why we have both Mac addresses and IP addresses and exactly how packets and frames traverse a modern network! Let's jump in baby!
Subnetting!? Really??? Yes. In order to be a competent Ethical Hacker you really need to know a little bit about subnetting. Why? Because you need to know why your scans are failing and what your limits are. For example, let's say you compromise a domain joined host and attempt to pivot to the Exchange Server via a SOCKS Proxy. Let's also say the pivot is failing for some reason and you don't know why. It would help to know that the network is segmented into distinct VLANs (or subnets) so you can ascertain why you're having such a hard time spreading laterally to high-value targets. In this lecture, we're going to get you comfortable with the idea of subnetting and then in the next lecture we're going to put it to practical use (from the perspective of a penetration tester, not a network engineer). Let's go!
Alright now that you've dipped your toes into the sultry waters of subnetting - let's go all in! In this lecture we're going to break down exactly how you can find what subnet a particular IP is on. Again, this is good to know when you're on a penetration testing assignment or conducting a red team exercise, mainly - because you want to honor the scope and rules of engagement of your paying customer and secondly - because it helps you diagnose technical problems related to network connectivity. If your scanning tools are failing against a particular netblock maybe it's because you don't have a route to that network! So let's get started shall we!?
Let's wrap up our short subnetting series by discussing network ranges. So think about this: you've popped a box on the LAN and you know the private IP. Is there a way you can find out all the possible ranges of IP addresses on that subnet? And even the maximum number of potential targets on that VLAN? Yup! In this lecture I'm going to show you how! Let's go!
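The subnet arithmetic these three lectures cover, as an added example that is not part of the course materials: from a compromised host's IP and netmask, work out which subnet it is on, the address range and maximum number of targets on that VLAN, and whether another address is on the same segment or behind a router. The /26 mask and the target addresses are constructed for illustration; only 10.100.0.91 (the lab's Splunk address) comes from the course.

```python
"""Subnet arithmetic from the pentester's seat (added example, not course code).

Given the IP and netmask you read off a compromised host, work out which
subnet it sits on, the full range of addresses on that VLAN, how many
potential targets it can hold, and whether another address (say, the
Exchange server you are trying to pivot to) is on the same segment or
behind a router you have no route to.

The bitwise functions show the arithmetic by hand; the ipaddress-based
function does the same job with the standard library, and the two agree.
"""
from ipaddress import IPv4Interface, IPv4Network


def dotted_to_int(dotted: str) -> int:
    """'10.100.0.91' -> 0x0A64005B (a 32-bit integer)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str(b) for b in (value & 0xFFFFFFFF).to_bytes(4, "big"))


def prefix_to_mask(prefixlen: int) -> str:
    """/24 -> 255.255.255.0: the top prefixlen bits set, the rest clear."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF)


def network_address(ip: str, netmask: str) -> str:
    """Which subnet is this IP on?  Network = IP AND mask, bit for bit."""
    return int_to_dotted(dotted_to_int(ip) & dotted_to_int(netmask))


def broadcast_address(ip: str, netmask: str) -> str:
    """Last address in the subnet: network OR the inverted mask (all host bits set)."""
    mask = dotted_to_int(netmask)
    return int_to_dotted((dotted_to_int(ip) & mask) | (~mask & 0xFFFFFFFF))


def max_targets(netmask: str) -> int:
    """Maximum hosts on the VLAN: 2^(host bits) minus network and broadcast.
    /31 and /32 are the point-to-point / single-host special cases."""
    host_bits = 32 - bin(dotted_to_int(netmask)).count("1")
    total = 1 << host_bits
    return total if host_bits <= 1 else total - 2


def same_subnet(my_ip: str, netmask: str, target_ip: str) -> bool:
    """True if target_ip is on my segment; False if it sits behind a router,
    which is one reason a pivot or scan can fail."""
    return network_address(my_ip, netmask) == network_address(target_ip, netmask)


def subnet_summary(ip_with_mask: str) -> dict:
    """Same answers via the standard library; accepts '10.100.0.91/24' or
    '10.100.0.91/255.255.255.0'."""
    net: IPv4Network = IPv4Interface(ip_with_mask).network
    point_to_point = net.prefixlen >= 31
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address if point_to_point else net.network_address + 1),
        "last_host": str(net.broadcast_address if point_to_point else net.broadcast_address - 1),
        "max_targets": net.num_addresses if point_to_point else net.num_addresses - 2,
    }


if __name__ == "__main__":
    # 10.100.0.91 is the Splunk address used in the course lab; the /26 mask
    # and the two target addresses below are constructed for illustration.
    me, mask = "10.100.0.91", prefix_to_mask(26)
    print(f"{me} / {mask}: network {network_address(me, mask)}, "
          f"broadcast {broadcast_address(me, mask)}, up to {max_targets(mask)} hosts")
    for target in ("10.100.0.70", "10.100.0.200"):
        where = "same VLAN" if same_subnet(me, mask, target) else "behind a router"
        print(f"  {target}: {where}")
```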
If you're serious about building a modern ethical hacking lab you need to seriously ditch VirtualBox. It's just not stable enough to support the kind of complex infrastructure we need for emulating modern malware and attacks in a lab environment. So here we go: every good lab starts with VMWare Workstation and now it is my pleasure to show you how to set it up! Let's do this baby!
Now we're going to download, configure, set up and tune our Kali VM. This will be the VM that originates all our offensive operations. It's going to be in our public subnet, thus emulating an attacker on the internet. We're going to set up everything you need in this video - and as an added bonus I'm going to show you how to create two scripts to share folders from your host physical computer to your guest VM and how to fix copy-and-paste\drag-and-drop when it stops working between your host and guest machines! Let's do this baby!
Alright so let's get things going on the right foot! Today we're going to setup our Windows 10 victim machine. We will have two Windows 10 client victims in this lab so you can experiment with pivoting and lateral movement. There is also going to be a Windows 2019 Domain Controller (but I'm getting ahead of myself!) - Let's ease into things by setting up our Windows 10 target, configuring a few housekeeping items such as VMWare Tools, display preferences, sleep settings and updates. Then in the next lecture we'll hit the grind by installing Sysmon and Sysmon-Modular on the endpoint! Why are we doing that? So we can see the logs in Splunk right!? What! What! Let's go!!
Oh yessss my precioussss (I sound like Gollum from Lord of the Rings). Ha! In this lecture we're getting down and dirty with Sysmon baby. It's going to be nuts. I'm going to show you how to install it, how to configure it using the sysmon-modular SwiftOnSecurity branch and then we're going to look at the Event Logs and show you benign events mapped to MITRE ATT&CK and how you can discern normal from abnormal host telemetry! What's up!!! ARE YOU READY!!??
Now we're going to enable the whole shebang. Powershell logging transcription shows us the exact commands typed by attackers. Module logging shows us modules loaded in memory (PowerView?? Try to hide!) Script-Block logging shows us deobfuscated commands and the exact parameters passed through the Powershell console! We're going to enable it all and then create some events to prove our logging works! Powershell is still an often abused vector by bad actors. Yes .NET and C# assemblies are the new hotness but Powershell logging still needs to be tight! So let's do this! It's going to be insane guys - just wait until we start compromising computers in this lab!
We can't have a modern ethical hacking lab without a SIEM! The Security Onion is a great tool and I've created lectures on that, but in this course we're going to setup Splunk Enterprise. So I'm going to introduce you to Splunk, the Splunk Universal Forwarder and even show you a few Powershell tricks along the way. Don't worry - the Powershell part is kind of fast but we'll get into those details later in the course! We're just setting the stage for an excellent lab - we're just aligning everything, choreographing the beautiful dance of endpoint instrumentation! There's a reason "instrument" is in instrumentation - it should be musical! Ah - but enough of my gushing - let's get on with it. Let's get the Splunk Universal Forwarder staged! Let's go baby!
Now it's time to start setting up the Active Directory lab piece of our Cyber Range! It all starts with Windows Server 2019 so let's kick off the show with the download and installation baby!
Now let's get all the logging stuff setup. It's basically a rerun of what we did for our PCs... but this time for our server. I know this may feel monotonous but I want you to get the hang of manual configuration so you can know EXACTLY what's happening when we start hacking our targets. Trust me guys - this will pay off in the long run! You are going to have a world-class lab that will give you a major edge up on your peers because you're actually going to know WTF you're talking about. So in this lecture we're going to get our Splunk Forwarder installed, Powershell logs turned on, Sysmon and sysmon-modular configurations setup and more. Let's knock this one out real quick!
Bam! Bam! Bam! Let's make a DC!
Yes, we're setting up DNS! We are trying to mimic a real enterprise network so we're going to configure the DNS role on our Windows Server 2019 VM and configure the forward lookup zone to include hostnames for our infrastructure! It's going to be pretty cool - we're doing this so when we start hacking later we'll be able to hit our targets by hostname. For example, instead of typing in 10.100.0.91 for Splunk we'll be able to access it at http://splunk.karbonbike.local. Now that's pretty cool right? Let's do this baby!
Man oh man... you said you wanted a modern cyber range right? You got it! In this lecture we're going to configure our DHCP scope and options so when our domain joined workstations power up they'll automatically get an IP lease and have access to the karbonbike.local corporate LAN! Just like the real thing guys - this is going to be a lot of fun - let's go!
Now it's time to exercise our creativity! We're going to build our victim user accounts which we can spear phish and attack in later lessons. Then in the next lecture, we'll join our PCs to the domain and I'll show you where to get some awesome avatars for our fictitious Active Directory users! Let's go!
W00t! W00t! Let's join our victim PCs to the domain! And! As a bonus - we'll set the user avatars and corporate wallpapers to add an extra sprinkling of delicious realism to our lab! Yes! Yes! Yes!! Let's do this baby!
So one thing that's really important is keeping track of which PC is which. You don't want to pop the wrong box right? So we could just create a stupid wallpaper that says PC1 and another labeled PC2 - but where's the fun in that? No! Our computers are domain joined so let's learn a little bit about Active Directory Group Policy Objects ("GPO") and Login Scripts so we can automatically push the BGInfo configs to our client workstations when users log in to the domain baby! Sound fun? I thought so - let's go!
Spearphishing is still the top technique for gaining initial access into corporate environments so in this lecture I'm going to talk about how I purchased my domain, karbonbike.com, and how I set up the karbonbike.com email addresses. Then we're going to configure our Outlook clients and send a test email from the outside to verify it works! Then once we have this down we're ready to move into the OPNsense piece and ultimately Microsoft Defender ATP and Microsoft Defender for Endpoint. It's going to be nuts guys - let's keep this going!
pfSense??? Nope, we're using OPNSense! Why? Because in my opinion it's better and you'll see why! In this lecture we're going to download and install the appliance and in the next lecture we'll configure the interfaces. Let's do this baby! We are making progress toward the world's most awesome cyber range!
Wassup baby!!! Yes Yes Yes! We are making progress, after you're done with all the video lectures in this Cyber Range section you are going to have a world-class lab better than most cybersecurity professionals - right on your freggin' laptop! No AWS, No Azure, No GCP - like a digital Dorothy would say, there's no place like 127.0.0.1 and that's where this thing is gonna live! Alright, so in this lecture we're going to do some interface assignments (defining the LAN and WAN) and configuring the IP addresses for our gateway. It's a lot easier than you think! And you got this! No sweat!
OPNSense is based on FreeBSD which has its own quirks as it doesn't work like the Ubuntu, Debian, Kali or Parrot Linux distros you've probably used. So in this lecture we're going to speak FreeBSD and install VMWare Tools to optimize performance. I'm also going to show you how to, optionally, install Sensei (which is the next generation firewall add-on... I call it the poor man's Palo Alto Networks Firewall!). But don't let that fool you - Sensei is awesome and you're going to see why in later lectures.
Don't let all the configuration bum you out guys. In this lecture we're just going to enable SSH (so we can SSH into our OPNSense gateway from our CEO, Randy Morales's workstation - which by the way - we may be able to exploit a misconfiguration here to expand our influence on KarbonBike's production LAN later!) but let me not get ahead of myself - instead we'll enable SSH, set up the timezone, install some updates and make sure our Suricata IDS\IPS ruleset is shiny and in top condition. We're getting ready for greatness guys - it's your time to finally understand how breaches happen, how adversaries adapt, and to secure a high paying job in Cyber! Let's go!
The ET OPEN ruleset is pretty good. It's free and awesome. It's basically a vast repository of threat detection rules that is continually updated by the cyber community. ET PRO is even better - last I checked it costs $900 per sensor but... I'm going to show you how to legally install the Proofpoint ET PRO ruleset in your cyber range!! It includes over 37,000 rules, 50 new signatures a day and detections for the latest malware, C2 frameworks and exploit kits! This is awesome because it means we can see if any of our attacks would have gotten caught by the blue team! Yo! ARE YOU READY FOR THIS!? LET'S GO!!!!!!!
At the end of this lecture you will, arguably, have the best open source next generation firewall in the world. OPNSense + Sensei gives you unparalleled visibility into the attacks we will launch in our Cyber Range. You already have the Proofpoint ET PRO ruleset so you have visibility into 37,000 attacks. Suricata, the world's best open source IDS and IPS, is set up. And now you're adding dynamic application identification, advanced protocol analysis and full layer 7 packet inspection... to your lab? YES! Wait 'till you start hacking! It's going to be amazing because you're going to see everything from the Blue Team side so you'll know how to adapt your techniques to accomplish your objectives. LET'S GO!
We want to log and monitor all events from all our infrastructure so we can watch, respond and adapt to attacks we launch against our Cyber Range! So we're going to install the Splunk Universal Forwarder on OPNSense (which runs FreeBSD). We'll also do some light configuration and get things ready for when we install Splunk Enterprise in future lessons. Let's do this baby!
Juice Shop is one of the world's most modern deliberately vulnerable web apps in existence right now. And the best part is we can execute attacks that map against the OWASP Top 10 attack chain! In this lecture, I'll show you the monetary motivation for learning web application security. HINT: HackerOne Bug Bounty! Then, I'll break down some of the best vulnerable web apps on the internet, lay out your options and kick off the installation for Ubuntu 20 Server - which will host our web app.
A long long time ago, in a galaxy far away... haha actually in a galaxy right here! Back in the day, it was easy peasy to configure a static IP in Linux. But Ubuntu 20 has to be different because it uses netplan for network configuration. But have no fear! In this lecture I'll show you the modern way of configuring static IPs so our OWASP Juice Shop host can be reached from anywhere within our Cyber Range!
So we don't have a DMZ in this course - I really considered building it out but the problem is things start to get really complicated, really fast. But we can still make this thing realistic. So in this lecture we're going to emulate a DMZ by creating a 1-to-1 mapping between a fake public IP, which we will assign to Juice Shop, and its private address on the LAN, so the web app is accessible from our Kali attacker machine sitting on the "outside". You'll see what I mean once you go through this lecture but the idea here is I wanted this to feel real. So you're going to have a "public" Juice Shop IP you can hit which maps to a "private" IP on the LAN, just like you'll see in most enterprise environments. Enjoy!
Aww yeahh! So in this lecture I'm going to quickly explain the differences between virtual machines and Docker containers. I'll show you the best way to install docker on Ubuntu 20 and then we'll pull the OWASP Juice Shop image from DockerHub, run the Juice Shop container and confirm it works! Sounds pretty straightforward right? Don't worry if Docker feels confusing to you (it took me a long time to understand it) - I'll try to make this process as painless as possible and I'll explain everything I'm doing as I'm doing it (and why I'm doing it) so it will make sense! Let's go!
Alright! Let's ship our web logs to Splunk Enterprise so we can see all the SQLi, LFI, RFI, XXE, Command Injection and other nasty attacks we launch against our poor web app! lol. But check this out - this process isn't straightforward. If you think about it, our OWASP Juice Shop container is a self-contained app which has no way of interacting with the outside world. And what makes matters worse is containers are designed to be disposable so we will lose all log data when the container restarts or dies. So here's what we're going to do: in this lecture I'm going to show how to create a persistent storage volume on the host (our Ubuntu VM) and then configure the Juice Shop container to write its logs to that volume. Next, we'll set up the Splunk Universal Forwarder to ingest the logs from the Ubuntu host and ship them to the Splunk Indexer we're setting up in the next lecture! Sound crazy? It is - but hang on baby you got this!! LET'S GOOOO!!!!!!
And now the moment we've all been waiting for - Splunk Enterprise! First, let's grab a fresh copy of Ubuntu 20 so we have a stable platform for Splunk to live on!
Alright - making progress! Now we just need to set the static IP and install the Splunk enterprise software! In this lecture, I'll show you how to get the Splunk Enterprise trial, we'll set it up in our Cyber Range and do some configuration to get things going! Let's go!
We're almost home baby! We just need to double check and confirm we are getting all the data into Splunk we need to have unparalleled endpoint visibility! Remember, we want to see all our attacks so we can basically Purple Team the Cyber Range playing both roles of the Red Team aggressors and the Blue Team defenders! This will make you a very competent and capable Cyber Security professional because it will put all your cyber theory to work! You'll finally understand how attacks and exploits work and the most reasonable approach to detection engineering because you'll be RUNNING THE ATTACKS YOURSELF! Okay, enough of my gushing, let's get in and play! ONWARD!
And now... we will ship our server logs into Splunk! Endpoint visibility is great but we want Network visibility too! That's why we're shipping the Firewall logs to Splunk baby! Let's go!
Yes! LEVEL UP! Now we're shooting the ET-PRO Suricata events into Splunk so when we start hacking we can see the indicators we left behind and modify our tools, techniques and procedures! Are you guys as excited about this as I am?? You should be! LETS DO THIS!!
Now we're going to pull in the web server access logs! So when we start hitting our web app with SQL injection attacks, Command Injection, XSS, XXE - man all that good stuff - we'll see if we can catch ourselves, adapt our tactics and evade our "invisible" Blue Team! Ha! Let's go
Now we're going to install some awesome apps. Just plain awesome. These will make sure all the data fields are parsed and properly presented. And best of all: the Security Essentials App is amazing! You'll see all your attacks mapped against MITRE! It breaks down the entire kill chain from compromise to impact! Some of the apps you will install include: Sysmon app for Splunk, Splunk Add-on for Sysmon, Hacker Hurricane's Powershell Transcription App, Add-on for Microsoft Windows, Microsoft Defender Technical Add-On, TA for Microsoft Windows Defender, Add-on for Microsoft Defender ATP, Splunk Security Essentials Apps, Splunk CIM and OPNSense! Are you ready for this baby!??
You know what it is - this is for my extra ambitious students who want to go all out. If you have the resources on your host machine, this lecture will show you how to truly take things to the next level. Microsoft Defender for Endpoint is arguably the most competent and capable EDR\EPP solution out there right now. Blackberry Cylance, Crowdstrike Falcon, CounterTack, Countercept, Cybereason, VMWare Carbon Black blah blah blah - those guys are great but Microsoft Defender for Endpoint is in a league of its own and now I'm going to show you how to get your hands on a 60 day free trial so you can take your cyber skills to new heights! Let's GO!!!!!!!! NOW!!!!!!!
Yes!!! WHAT. DID. I. SAY!? Yup, we're going to launch a test attack on PC1 and then see the events in the Microsoft Defender for Endpoint Security Center! We're going to see the full process ancestry, parent-child process relationships and even the exact Powershell commands executed on the target! So in this lecture we're going to install the Microsoft Defender ATP onboarding package, get the host to check in and then launch our attack to confirm detections! It's about to be bonkers man. Let's do this!
So we have our private lab setup so we can learn, play and experiment as often as we want with zero consequences. Now we are approaching a new milestone as I want to show you how to stand up the infrastructure required to perform reconnaissance on targets that have public bug bounty programs. But before we jump into that, you need to learn about the rules of engagement, how to respect organizational scope and the polite and professional way to "attack" systems and responsibly disclose bugs. Let's make the world a better place! We need more good guys protecting organizations! Are you ready to be a cyber hero? Let's go!
It is the bug bounty industry best practice to hack from a disposable VM. Some people use AWS and EC2 instances because it's easier to set up. In fact, Amazon already makes a Kali Amazon Machine Image (AMI) built for you so you could technically deploy that thing in seconds and be on your merry way. But I want to use Digital Ocean because it will give you more flexibility, is typically what the industry uses and it's more fun to set up because you have more options. So let's get this thing going! I'll show you how to create your Digital Ocean account, spin up your first Debian droplet and ready your guns for firing!
It's one thing to install Kali Linux in Virtualbox. It's another to install it in VMWare Workstation. And still, it's another to spin up AMI in AWS, SSH in and start hacking. But it's an entirely different thing to turn a benign Debian Digital Ocean droplet into a weaponized version of Linux: Kali. Do you know how to do this? You will by the end of this lecture! Let's go!
TMUX! I'll tell you what. If you only watch one video lecture in this entire course, this might be the most useful. I move pretty fast near the end (you can always pause and rewind) but I show you my top shortcuts for navigating the terminal like a pro! I'm not kidding, if you master these shortcuts your Linux confidence will skyrocket and you'll be unstoppable! Let's jump in now!
Alright, alright! Now I'm going to talk you through setting up a SOCKS proxy by SSHing into our droplet with dynamic port forwarding! Sounds complicated right? Don't worry - it's not that bad. Here's why we will want to do this: as bug bounty hunters you could run Burp from a VM but performance will suffer. Alternatively, you could run Burp on your host and hack the target directly; however, there's no controllable server between you and the target so if you get blocked or banned you'll need to find a way to resume your testing. By proxying Burp through our Droplet we'll be able to simply spin up another droplet if we get burned. This is one of the reasons I do this - the other benefit is if you're running a Bug Bounty against a large organization such as Verizon Media and you get blocked everyone in your house won't lose access to Yahoo, Time Warner, AOL and all that good stuff. Make sense? After you set up the dynamic port forward you can return your connection to normal by simply killing the SSH session. Let's do this! Let's jump right in baby!
Docker will give us a stable environment to run our Bug Bounty\Penetration Testing tools but exactly how do you install it? I'll show you a few things that complicate the installation process and then I'll show you a quick and easy way to get going! Let's do this baby!
I would say somewhere between 70 to 80% of the open source recon tools I use are written in Go. I would also say that setting up Go is notoriously hard. Not because the download is complicated but because the quest to getting the path correct can wreck your day! But don't worry, I've figured all this out for you so you don't need to sweat it. In this lecture I'll show you how to setup GoLang, make sure the path is correct and verify you can execute go on your Kali Linux Digital Ocean Droplet! Let's go! YES PUN INTENDED!!!
Having a good wordlist is crucial when doing asset and subdomain discovery. In this lecture I'll show you two of the best wordlists in the Bug Bounty scene right now and show you how to install and use them!
Amass is the incontestable king of asset discovery and subdomain enumeration and today... I'm going to show you how to use it. We're going to run the enum module against a real target which, at the time of recording in the Spring of 2021, currently has an active Bug Bounty program. I'll show you how to list the intelligence sources feeding Amass. I'll show you some tips to keep Amass from crashing and we'll even get into some advanced TMUX tricks as you'll learn how to select, copy and paste text to the clipboard like a champ. As always, it's going to be a lot of fun so let's jump in right now!!
Subfinder is the second best asset discovery tool you need in your bug bounty arsenal. In this lecture I'll show you how to install it, run it and interpret the output. I'll also go over the pros and cons between Subfinder and Amass and then we'll concatenate the results from both into one giant subdomain file which we will feed into httpx in our next lecture! You're rockin' this man! Don't stop now!
httpx is great for subdomain validation. You see amass and Subfinder will do the hard work of pulling in hundreds and often thousands of domains but that doesn't necessarily mean all those domains are "alive" right now. Also some of them are going to be 302 redirects to other pages, others will return 404 status codes and still others will just spit up weird output (those are the ones we are interested in as Bug Bounty Hunters... especially if they are subdomains of subdomains...). So here's the awesomeness of httpx. We can pipe in our combined amass\Subfinder domain lists and get back a list of active domains and then we can pipe that into a screenshot tool such as Aquatone or Gowitness and get live screenshots of those pages! This means we don't need to manually copy and paste thousands of URLs into our browser to see what's there! We can just spit out these screenshots and click through them looking for interesting images! So let's get httpx going now and then in the next lecture we will feed it into Gowitness and examine the results! Yes! You're getting this now - I can feeeeel it! hahaha let's go!
Which is better: copying and pasting thousands of domains into a browser and inspecting the home page for each one OR taking a bulk screenshot of thousands of domains and flipping through static images? Clearly the second option will save you the most time and it's the approach professional Bug Bounty hunters take. There are a bunch of good tools designed to support this task including Aquatone and WitnessMe; however, we will be using Gowitness because it is the easiest to set up and has a wealth of support behind the project. Let's go! (man so many GoLang puns!) hahaha
What do you get when you cross the fastest port scanner in the world with the utility of scanning domain names? dnmasscan! Masscan is arguably the fastest port scanner on the planet (it can scan the entire internet in just 5 minutes); the only drawback is it only takes IP addresses as input. So this means we would need to convert all our discovered subdomains into IP addresses and then feed those into Masscan. dnmasscan alleviates this hassle by doing the conversion for us and in this lecture I'm going to show you how to use it! Let's do this baby!
Now it's time to go spider your web application with Gospider! We're going to crawl our web applications, including all the JavaScript files, and output the results so we can examine them for bugs! Simple enough right? Let's go!
nmap scripts, move over: there's a new kid in town! Nuclei by Project Discovery is amazing and in some ways actually rivals the king of open-source vulnerability scanning: the NSE, the Nmap Scripting Engine! In this lecture you'll learn about running Nuclei to find vulnerable web applications, configuring Nuclei templates and providing killer value to the Bug Bounty program you decide to participate in! Let's do this baby!
Yes! So let's drill into the OWASP Top 10 and see how many vulnerabilities we can discover in our broken Juice Shop web app! We will kick things off with Injection, specifically SQL Injection. In this lecture I'll carefully explain exactly what SQL injection is and why the impact can be catastrophic. Then, we will leverage SQLi to bypass authentication. I'll also show you why automated tools such as sqlmap sometimes fail and why it's important to understand what's happening behind the scenes, otherwise your attack won't work. We will also use the Burp Interception Proxy and Chrome Developer Tools to exploit a SQLi weakness in the web app. It's going to be a lot of fun (and you're going to learn a ton!) - so why not jump in right NOW!!! Grab your favorite drink and let's go... (this is a juice shop web app after all! lol)
YES YES YES!! Now we are going to achieve total account takeover ("ATO") over a victim account by abusing broken authentication in the OWASP Juice Shop vulnerable web app! But I'm not just going to run the attack. That would be lame. Instead, I'm going to step you through my thought process in how I execute these tests against live targets and then we'll talk about some modern defenses. ARE YOU READY FOR THIS!!?? lol - let's go!
Let's say you're doing a web app pentest or bug bounty hunt and you want to find sensitive files on the webserver. How might you do that? Click to learn and see! Let's go!
YES!! This is one of my favorite web app attacks in this section. I'm going to explain what XXE is - and really break it down so you know what it is and the risk this poses to vulnerable web applications. Then, we're going to profile the web app, upload a malicious XXE payload and exfiltrate files on the local disk including the OS version, sensitive internal IP addresses and even password hashes! What's up! LET'S GO BABY!!! LET'S GO!!!
Now we are going to investigate one of the top paying, highest impact yet easiest to identify web application security bugs: IDOR! You're going to learn what IDOR is, see some bug bounty reports ($10k payouts happen as you'll see), and then actually exploit an IDOR vulnerability in the web app running in our cyber range! It's going to be a lot of fun guys so let's get right to it!
It's time to learn why verbose error messages are bad. In this lecture we're going to send the web app unexpected input and observe a detailed HTTP 500 response that reveals a little too much information. Come inside and check it out! Let's go!
XSS. Alert. Yeah, we've all seen that... blah blah blah. Check it out - in this lecture we're going to completely level up your XSS skills by taking that boring alert("xss"); payload and weaponizing a Word document with a malicious link that steals the session token from a victim logged into our Juice Shop web app with Admin privileges! You will see the entire attack chain, from end to end, and I'll explain EVERYTHING. XSS? Yeah, it's time to finally understand what it is, the true impact and how to defeat it! Let's go!
This is a high severity, complicated but little understood attack vector that we need to dig into. Insecure Deserialization vulnerabilities can, in the best case, lead to DoS attacks and in the worst case lead to arbitrary command execution (RCE). Also, this vector is further complicated by all the programming languages that use different terms for describing the same thing! For example, Java refers to the process of converting objects into byte streams as Serializing, but Ruby uses the term Marshalling and Python uses the term Pickling! Also there's no easy way to scan for this particular bug class because every language has its own library set and implementation idiosyncrasies! So in this lecture - let me clear the fog and break down this complicated attack into something anyone can understand! Let's go!!!
CVEs. Exploits. Bugs. In this lecture we're going to address why you need to patch your stuff. We'll also talk about why it's crucial to practice secure coding during the entire software development lifecycle (SDLC). The earlier you find bugs, the less you'll spend in terms of time and money later. Let's do it guys!
If you can't see my hack your logging is wack. Haha, okay - so this is true - and it's one of the reasons why I as a red teamer will convert my GET requests to POST. By default, neither Apache nor IIS logs the body of POST requests, so it's an easy way to potentially evade detection and deliver harmful payloads to vulnerable web apps. Let's take a look at what's going on here! We can run some attacks and see if we can find the hack in Splunk! This is our cyber range after all so let's make some good use of it!
One of the most common initial access vectors today is Spearphishing so in this lecture we're going to do just that! We're going to weaponize a Microsoft Excel Workbook with a malicious macro that downloads a Powershell Empire stager and gives us a reverse shell into the victim's Active Directory environment. The best part of course, is the entire environment is in your lab so you can run these attacks as often as you want, build detections, experiment with new techniques and even see how Microsoft Defender for Endpoint (Microsoft ATP) responds to your adapting tradecraft! Let's go!!!
Now that we have established a beachhead in the KarbonBike domain we're going to use PowerShell Empire's implementation of Powerview to do some internal discovery and reconnaissance. As an added bonus, I'm even going to show you how to detect the indicators and artifacts created by this attack by running tasklist and netstat on patient zero. It's going to be awesome! I really think the craziest part of all is that we are operating from the security context of a normal user (Randy Morales) yet we are able to get internal IP addresses, all the users in the domain, sensitive file shares and even CLEAR TEXT CREDENTIALS! Yup, you're going to see it all in this lab so let's go! (aren't you glad you have a cyber range to practice all this goodness in???)
Oh yes! yes! yesssss!! hahah - so in this lecture we're drilling into Bloodhound. But I'm going to walk you through this tool in ways you've never seen it before. First I'll explain what it is, then we'll talk about the benefits of using bloodhound.py and why it's considered OPSEC safe. Then, we'll install Bloodhound on our Digital Ocean Droplet and configure it so we can remotely connect to the neo4j graph database from the Bloodhound 4.0 GUI running on our Windows host machine (you get major performance benefits doing it this way). Then we'll use PowerShell Empire to upload Sharphound to the victim. I'll also show you the Bloodhound modules in PowerShell Empire and help you understand why we aren't using these for our engagement. Lastly, we'll pull the Sharphound results from the victim, import them into our local Bloodhound instance and start studying some Active Directory relationships we can abuse! It's a MONSTER lecture guys so let's go right now!
So let's face it - your Active Directory lab is awesome but we only have two domain joined workstations and a domain controller... soo... Bloodhound graphs aren't going to look that awesome. This doesn't mean we can't set up Kerberoastable users or create accounts with DCSync privileges, but it does mean it won't mimic a real production network in terms of SCALE. So here's what I have for you guys: today I'm going to show you how to generate data for Bloodhound. There are numerous tools for this, BadBlood is a good one, but I'm going to show you another one which works great. Let's jump in!
Yes, extracting plain-text credentials from Group Policy Preferences (GPP) files is still a thing! Yes, Microsoft patched this nasty bug many years ago, but most sysadmins may not realize it only fixes the problem going forward (it doesn't retroactively clean up the credential mess)! So in this lecture I'm going to show you how you can deliver value to your organization by finding rogue groups.xml files, decrypting the passwords and leveraging them to spread laterally. We'll get into exactly what GPP is, how to configure it and how this problem can be mitigated. Let's jump in!
We are about to plug our Kali box into the local KarbonBike.local subnet (the victim subnet), fire up Responder, capture NTLMv2 hashes, crack them with hashcat and then implement 2 defenses and 1 detection to thwart the attack! I'll show you everything, every step of the way. Nothing is left out! (oh yeah and since you went through the cyber range section, you can follow along in your lab too!) Let's go!
THIS IS A MONSTER LESSON. We're going to use Responder to capture NTLMv2 hashes but instead of cracking them like in the last lecture we're going to relay them to Impacket's ntlmrelayx by intercepting the hash over SMB and forwarding it to a Powershell Empire launcher which will allow us to move laterally from PC1 to PC2 when the victim on PC1 typos a corporate fileshare. This is a very involved lecture (I think it's one of the longest in the series, trust me I tried to make it shorter but it simply wasn't possible because I had so much to cover)! Take your time as you go through this one. I explain the differences between NTLM Relay and Pass the Hash attacks and I not only tell you mitigations for the attack but take you to the exact GPOs and settings you need to configure to STALL this attack in its tracks! ARE YOU READY FOR THIS BABY!!!??? Let's go!!
Learn the basics of Pass the Hash (PtH) and then execute the attack, perform detection engineering and review practical preventions with Active Directory GPOs (all within the safety of the cyber range we set up in earlier lectures!). This is by far... by far... my favorite lecture. You're going to learn EXACTLY what the Pass the Hash attack is. Then we're going to abuse our victim's credentials to RDP into the target workstation and run Invoke-Mimikatz from BC-Security + Sysinternals PsExec directly from memory (without using Metasploit or Powershell Empire). We're also going to use CrackMapExec to steal the security token and achieve domain domination! The entire time I will carefully walk you through my thought process. We're even going to jump into our local Splunk Enterprise instance and hit up the Windows Event Logs and Sysmon logs to see the artifacts we generated! It's going to be nuts... nuts I say... hahaha so let's go! The GPO protections section is also pretty awesome - it's all jammed into this super video - let's do this!
Ohhh yeahhh... now it's time to show the sheer destruction of Kerberoasting. As always, we'll start with the conceptual understanding of what it is and what makes it possible. Then we'll use Impacket's GetUserSPNs.py to collect roastable accounts which we will forward to Hashcat to crack and abuse. I'll show you how I set up the lab so you can copy and learn, and then we'll jump into the Windows Security Logs in Splunk so you can see EXACTLY how this attack looks and what you can do to detect and deter. Let's do this!!
Ah the infamous Golden Ticket! Let's launch some attacks and talk Splunk detections! In this lecture you will learn EXACTLY why Golden Tickets are deadlier than a compromised Domain Admin account. You'll also learn how to execute the attack in our lab, and why Windows Defender and Microsoft Security 365 are awesome! We're going to dump the local domain SID as a normal user from our Kali box, then we'll perform a DCSync-like attack using a compromised Domain Admin hash to slurp down the NTDS.DIT database... which contains our precious krbtgt account. After going through this lecture you'll finally have a good understanding of Golden Tickets!
Could Silver be better than Gold??? I'll let you decide! In this lecture we're going to unmask the mysterious Silver Ticket attack in all its glory. This is a potentially confusing attack that many Red Teamers and Penetration Testers stumble over. It can be hard to understand. But in this lecture you'll not only watch me carefully lay it out, you'll also watch as I refactor this seemingly innocent little attack into a full blown privesc where we get SYSTEM rights on the target box! Yup, we're going to get a reverse shell on the DC via a Nishang Powershell script and it's going to be da bomb baby! YOU READY FOR THIS!? YES! I KNEW YOU WERE!!! LETS GOOOOO!!!!!!
Awww yeah.... wassup! In this lecture we're going to pop our Domain Controller with a Koadic C3 MSHTA implant which is going to beacon back to our Digital Ocean droplet and give us a shell on the box. Then we're going to engage the mimikatz_dynwrapx module to dynamically inject the lsass process with a Skeleton Key which gives us a backdoor into EVERY COMPUTER IN THE DOMAIN! Yup, it's nuts. I'll walk you through the attack, talk about detections and wrap with mitigations. You readdddyy toooo rummbbblleee???? Let's go!!!
Ok, are you ready to level up? You ready for a challenge? In this lecture we're going to do something crazy. We're going to drop an implant on our victim machine (which is domain joined to karbonbike.local) via a Powershell launcher one-liner and establish a Grunt in our Covenant C2 .NET framework hosted on a Digital Ocean Droplet. Then we're going to set up a Microsoft Azure CDN account so we can Domain Front. Basically, we're going to make it look like our Covenant implant is beaconing back to a Microsoft.com subdomain... a legit, high-reputation domain... but in reality it's being forwarded to our malicious Digital Ocean Droplet masquerading as a Microsoft Ad Analytics subdomain! CRAZY RIGHT? Then to top it all off, we're going to fire up Wireshark while we're issuing commands to our victim so you see what the traffic looks like on the wire. We'll wrap things up with a talk on advanced detection engineering techniques. ONLY THE BRAVE ARE WELCOME! Are you readyy???? LETS GO!!!
Aw yeahhhh. MODERN EXPLOIT DEV! Let's do this. In this lecture we're going to set the stage by setting up our Exploit Development Environment with FireEye's FLARE VM. I'll walk you through the entire process of setting this VM up and even help you avoid some common pitfalls. Let's go!
STEP 1: DONE! STEP 2: Install our vulnerable web app. So in real life, you might be on a penetration testing engagement and you run nmap against the target and discover a web app service such as Sync Breeze is running. So what do you do? Well, you search Github, searchsploit and the Exploit-DB for public exploits and see no CVEs or exploits... so then what? Do you assume it's not vulnerable!? OF COURSE NOT!! In this lecture we're going to download a REAL vulnerable web app (this is not a PoC) and we will install it in our Flare VM Exploit Dev Environment. Then in the next lecture, we will start enumerating the target and crafting a custom RCE (highest severity exploit) from SCRATCH! Do you finally want to know how Buffer Overflows work? You won't have any doubts after finishing this section! Let's go!!
So now things are about to get fun. I love this. In this lecture we're going to scan the vulnerable VM with the nmap Scripting Engine (NSE) and observe the response. Guess what happens? Will nmap detect the Buffer Overflow vulnerability in the target application or not? Watch and see! We're also going to filter the POST requests to the Sync Breeze login form through Burp, and we'll inspect the HTML of the web application and see there is a 64 byte input restriction on the password field. Don't worry, we'll bypass that with Burp Repeater no problem and then ready ourselves for the next lecture. LET'S DO THIS! YES YES YES!!!! YES!!!!!!!!