1 00:00:00,000 --> 00:00:01,840 Security Tools. 2 00:00:01,840 --> 00:00:03,890 In this lesson, we're going to talk about 3 00:00:03,890 --> 00:00:05,720 some of the different tools that you may use 4 00:00:05,720 --> 00:00:08,000 as you're assessing your organization security. 5 00:00:08,000 --> 00:00:09,550 Now, as we go through this lesson, 6 00:00:09,550 --> 00:00:12,550 we are going to talk about various areas and various tools. 7 00:00:12,550 --> 00:00:14,860 For instance, we're going to talk about Networking tools 8 00:00:14,860 --> 00:00:18,180 File Manipulation tools, Shells and Scripts, 9 00:00:18,180 --> 00:00:20,277 Packet Capture tools, Forensic tools 10 00:00:20,277 --> 00:00:21,840 and Exploitation tools. 11 00:00:21,840 --> 00:00:24,120 Now, before we get started I want to point out, 12 00:00:24,120 --> 00:00:27,020 you do not need to know how to use all of these tools, 13 00:00:27,020 --> 00:00:29,310 but you should be aware of what they're used for 14 00:00:29,310 --> 00:00:31,050 as a security professional. 15 00:00:31,050 --> 00:00:33,370 Now, a lot of the tools we're going to mention in this lesson 16 00:00:33,370 --> 00:00:35,220 are ones you should already be familiar with 17 00:00:35,220 --> 00:00:38,200 and know how to use from A+ or Network+. 18 00:00:38,200 --> 00:00:39,860 But for the Security+ Exam, 19 00:00:39,860 --> 00:00:41,110 we are much more focused on 20 00:00:41,110 --> 00:00:43,120 you knowing the ability of each tool 21 00:00:43,120 --> 00:00:45,380 and what you would choose to use it for. 22 00:00:45,380 --> 00:00:46,810 For example, if I wanted to find out 23 00:00:46,810 --> 00:00:49,780 if a host was up or down, what tool might I use? 24 00:00:49,780 --> 00:00:51,500 I would probably use something like ping 25 00:00:51,500 --> 00:00:52,800 because by doing a ping to it, 26 00:00:52,800 --> 00:00:55,140 I can get a response and see if the host is online 27 00:00:55,140 --> 00:00:57,300 and available or if it's not. 
28 00:00:57,300 --> 00:00:59,150 That's the level of detail we want to talk about 29 00:00:59,150 --> 00:01:00,420 in this lesson. 30 00:01:00,420 --> 00:01:02,420 Now, the first category of tools we're going to talk about 31 00:01:02,420 --> 00:01:03,500 is networking. 32 00:01:03,500 --> 00:01:05,240 And this is specifically going to be focused on 33 00:01:05,240 --> 00:01:07,500 reconnaissance tools and discovery tools 34 00:01:07,500 --> 00:01:09,690 to find hosts and servers and different systems 35 00:01:09,690 --> 00:01:11,110 across your network. 36 00:01:11,110 --> 00:01:13,640 The first tools we're going to talk about is traceroute 37 00:01:13,640 --> 00:01:16,040 and that's comes as either tracert in Windows 38 00:01:16,040 --> 00:01:18,610 or traceroute in a Unix or Linux system. 39 00:01:18,610 --> 00:01:20,860 This is a network diagnostic command tool 40 00:01:20,860 --> 00:01:22,930 that will allow us to display possible routes 41 00:01:22,930 --> 00:01:25,080 and measuring transit delays of packets 42 00:01:25,080 --> 00:01:27,360 as they go across an IP network. 43 00:01:27,360 --> 00:01:30,110 So whether using IPv4 or IPv6, 44 00:01:30,110 --> 00:01:31,440 this tool will help you out. 45 00:01:31,440 --> 00:01:32,940 For example, if I wanted to find out 46 00:01:32,940 --> 00:01:36,140 the route between my computer and my web server, 47 00:01:36,140 --> 00:01:39,170 I can type in traceroute diontraining.com 48 00:01:39,170 --> 00:01:40,010 and hit enter. 49 00:01:40,010 --> 00:01:42,030 If I do that, I'm going to go and see 50 00:01:42,030 --> 00:01:43,960 all of the different routers I went through 51 00:01:43,960 --> 00:01:45,250 from where I'm sitting right now, 52 00:01:45,250 --> 00:01:46,810 until I get to my web server 53 00:01:46,810 --> 00:01:48,930 located back in the United States. 54 00:01:48,930 --> 00:01:51,810 The next one we have is Nslookup and Dig. 
55 00:01:51,810 --> 00:01:52,990 Both of these are utilities 56 00:01:52,990 --> 00:01:54,820 that are used to determine the IP address 57 00:01:54,820 --> 00:01:56,500 associated with the domain name. 58 00:01:56,500 --> 00:01:57,470 They're going to be used to obtain 59 00:01:57,470 --> 00:01:59,150 mail server settings for domain 60 00:01:59,150 --> 00:02:01,080 and other DNS related information. 61 00:02:01,080 --> 00:02:03,840 Nslookup is the name server lookup 62 00:02:03,840 --> 00:02:06,260 and Dig allows you to dig through those DNS records 63 00:02:06,260 --> 00:02:07,560 and get information. 64 00:02:07,560 --> 00:02:10,250 When you're using windows, Nslookup is your tool, 65 00:02:10,250 --> 00:02:11,690 if you're using Unix or Linux, 66 00:02:11,690 --> 00:02:14,390 you can use either Nslookup or Dig. 67 00:02:14,390 --> 00:02:15,520 The next one we're going to talk about 68 00:02:15,520 --> 00:02:17,925 is ipconfig and ifconfig. 69 00:02:17,925 --> 00:02:19,630 Ipconfig is used in Windows, 70 00:02:19,630 --> 00:02:22,370 Ifconfig is used in Linux or Unix. 71 00:02:22,370 --> 00:02:24,000 Now these are utilities that display 72 00:02:24,000 --> 00:02:25,460 all the network configurations 73 00:02:25,460 --> 00:02:27,570 of the currently connected network devices 74 00:02:27,570 --> 00:02:29,810 and they can be used to modify DHCP 75 00:02:29,810 --> 00:02:31,630 and DNS settings as well. 76 00:02:31,630 --> 00:02:33,970 So if I wanted to go and use a static IP address 77 00:02:33,970 --> 00:02:35,440 instead of a dynamic IP address, 78 00:02:35,440 --> 00:02:37,400 I can do that using these tools. 79 00:02:37,400 --> 00:02:39,730 If I wanted to then revert and go back to DHCP, 80 00:02:39,730 --> 00:02:41,980 I could do that using these tools as well. 81 00:02:41,980 --> 00:02:43,890 The next tool we have is Nmap. 
82 00:02:43,890 --> 00:02:45,970 Nmap is an open source network scanner 83 00:02:45,970 --> 00:02:47,240 that's used to discover hosts 84 00:02:47,240 --> 00:02:49,210 and services on a computer network 85 00:02:49,210 --> 00:02:51,900 by sending packets and analyzing the responses. 86 00:02:51,900 --> 00:02:54,130 Now, again, for the Security+ Exam 87 00:02:54,130 --> 00:02:56,100 you don't have to be an expert at Nmap, 88 00:02:56,100 --> 00:02:58,880 but you should be able to look at the output from Nmap, 89 00:02:58,880 --> 00:03:00,500 be able to read it and then pick out 90 00:03:00,500 --> 00:03:02,370 what are the open ports or closed ports 91 00:03:02,370 --> 00:03:03,930 over some basic vulnerabilities 92 00:03:03,930 --> 00:03:05,790 based on those Nmap scans. 93 00:03:05,790 --> 00:03:08,590 When you move on into CySA+ later on, 94 00:03:08,590 --> 00:03:10,327 you are going to have to be very familiar with Nmap 95 00:03:10,327 --> 00:03:11,570 and the way to use it. 96 00:03:11,570 --> 00:03:13,110 The same thing with PenTest+, 97 00:03:13,110 --> 00:03:14,890 because this is used by both analysts 98 00:03:14,890 --> 00:03:16,720 and penetration testers. 99 00:03:16,720 --> 00:03:19,130 The next one we have is ping or PathPing. 100 00:03:19,130 --> 00:03:20,920 These are utilities that are used to determine 101 00:03:20,920 --> 00:03:23,930 if a host is reachable on an internet protocol network. 102 00:03:23,930 --> 00:03:25,450 So for example, if I wanted to see 103 00:03:25,450 --> 00:03:27,100 if my website was up or down, 104 00:03:27,100 --> 00:03:29,080 I could use ping or PathPing 105 00:03:29,080 --> 00:03:31,160 to be able to see if that machine was up 106 00:03:31,160 --> 00:03:32,720 by sending a ping message to it 107 00:03:32,720 --> 00:03:35,230 and I would then get an echo reply message back. 
108 00:03:35,230 --> 00:03:37,100 If that echo reply message comes back 109 00:03:37,100 --> 00:03:38,910 that means I have a successful connection 110 00:03:38,910 --> 00:03:40,890 between me and that Nhost. 111 00:03:40,890 --> 00:03:42,450 That tells me the server's up. 112 00:03:42,450 --> 00:03:44,170 The next one we have is Hping. 113 00:03:44,170 --> 00:03:46,710 An Hping is an open source packet generator 114 00:03:46,710 --> 00:03:48,430 and it's also an analyzer. 115 00:03:48,430 --> 00:03:50,720 It's used for the TCP/IP protocol 116 00:03:50,720 --> 00:03:53,640 and it's used for security auditing and testing of firewalls 117 00:03:53,640 --> 00:03:54,800 and networks. 118 00:03:54,800 --> 00:03:57,470 The great thing about Hping is that you can really configure 119 00:03:57,470 --> 00:03:59,300 exactly what is being sent. 120 00:03:59,300 --> 00:04:03,300 It's actually used by Nmap as part of its package as well. 121 00:04:03,300 --> 00:04:05,120 Hping is really this underlying tool 122 00:04:05,120 --> 00:04:07,670 that really allows us to craft the packet however we want. 123 00:04:07,670 --> 00:04:09,100 So that way if we have something like ping 124 00:04:09,100 --> 00:04:10,160 and it's unresponsive, 125 00:04:10,160 --> 00:04:12,800 we can try Hping with a better crafted packet 126 00:04:12,800 --> 00:04:15,340 and see if we can get the response we want. 127 00:04:15,340 --> 00:04:17,190 The next one we have is netstat. 128 00:04:17,190 --> 00:04:18,940 And netstat is a utility that displays 129 00:04:18,940 --> 00:04:19,850 the network connections 130 00:04:19,850 --> 00:04:22,660 for the transmission control protocol, TCP 131 00:04:22,660 --> 00:04:23,900 as well as routing tables 132 00:04:23,900 --> 00:04:25,910 and a number of other network interface 133 00:04:25,910 --> 00:04:27,670 and network protocol statistics. 
134 00:04:27,670 --> 00:04:29,500 Essentially, if you go into your window system 135 00:04:29,500 --> 00:04:30,770 and type netstat, 136 00:04:30,770 --> 00:04:31,850 you're going to be able to see 137 00:04:31,850 --> 00:04:33,090 all of the different things 138 00:04:33,090 --> 00:04:35,810 that your computer is connected to right now. 139 00:04:35,810 --> 00:04:37,240 If you're doing an incident response 140 00:04:37,240 --> 00:04:41,340 using netstat-ano as the command is really useful, 141 00:04:41,340 --> 00:04:42,310 'cause it will show you everything 142 00:04:42,310 --> 00:04:44,130 that has a persistent connection. 143 00:04:44,130 --> 00:04:46,270 This can help you identify if there's any back doors 144 00:04:46,270 --> 00:04:49,670 or connections that are remote access Trojan may be using. 145 00:04:49,670 --> 00:04:51,785 The next one we have is Netcat. 146 00:04:51,785 --> 00:04:53,820 And netcat is a utility for reading from 147 00:04:53,820 --> 00:04:55,570 and writing to network connections 148 00:04:55,570 --> 00:04:57,470 using their TCP or UDP, 149 00:04:57,470 --> 00:05:00,090 which allows it to be used as a dependable backend 150 00:05:00,090 --> 00:05:02,060 that can be used directly or easily 151 00:05:02,060 --> 00:05:04,230 driven by other programs and scripts. 152 00:05:04,230 --> 00:05:06,060 Now, what do we use Netcat for? 153 00:05:06,060 --> 00:05:08,200 Well, there's a couple of things we might use it for. 154 00:05:08,200 --> 00:05:09,880 The first is banner grabbing. 155 00:05:09,880 --> 00:05:12,300 You can use Netcat and connect to a web server, 156 00:05:12,300 --> 00:05:13,960 you'll get a text based response back 157 00:05:13,960 --> 00:05:15,290 and you'll be able to read the code 158 00:05:15,290 --> 00:05:17,120 that the web server is sending back to you. 
159 00:05:17,120 --> 00:05:19,580 That way you can understand what operating system it is 160 00:05:19,580 --> 00:05:22,560 or what type of software it's being used on that web server. 161 00:05:22,560 --> 00:05:24,170 Another thing we use Netcat for 162 00:05:24,170 --> 00:05:25,810 is to be able to have a shell connection 163 00:05:25,810 --> 00:05:27,840 and remotely control a machine. 164 00:05:27,840 --> 00:05:30,850 For this reason, Netcat is blocked by most security 165 00:05:30,850 --> 00:05:32,770 inside of most enterprise organizations 166 00:05:32,770 --> 00:05:33,840 and you won't build a run it 167 00:05:33,840 --> 00:05:35,480 without an exception to policy. 168 00:05:35,480 --> 00:05:37,380 But if you play with it on your own system, 169 00:05:37,380 --> 00:05:38,610 there's no blocking there. 170 00:05:38,610 --> 00:05:39,870 And so you can try it out there 171 00:05:39,870 --> 00:05:41,210 and see how it's used. 172 00:05:41,210 --> 00:05:42,920 When you go into PenTest+ 173 00:05:42,920 --> 00:05:44,990 or if you go into a Certified Ethical Hacker, 174 00:05:44,990 --> 00:05:47,510 you will be expected at that time to understand Netcat 175 00:05:47,510 --> 00:05:49,070 and how to use it. 176 00:05:49,070 --> 00:05:51,020 The next one we have is ARP. 177 00:05:51,020 --> 00:05:53,010 ARP is utility for viewing and modifying 178 00:05:53,010 --> 00:05:55,860 the local address resolution protocol or ARP cache 179 00:05:55,860 --> 00:05:57,780 on a given host or server. 180 00:05:57,780 --> 00:05:59,580 If you think back to your Network+ days, 181 00:05:59,580 --> 00:06:02,510 you'll remember that ARP is a layer two protocol. 
182 00:06:02,510 --> 00:06:03,840 Instead of IP addresses 183 00:06:03,840 --> 00:06:05,270 when you're on the local area network, 184 00:06:05,270 --> 00:06:06,850 we actually use ARP messages 185 00:06:06,850 --> 00:06:08,290 and we transfer information 186 00:06:08,290 --> 00:06:11,180 based on their MAC address, not their IP address. 187 00:06:11,180 --> 00:06:13,550 The ARP cache actually is that mapping. 188 00:06:13,550 --> 00:06:15,180 If you think about how DNS is used 189 00:06:15,180 --> 00:06:18,390 for IP addresses to domain names, ARP is like that, 190 00:06:18,390 --> 00:06:20,930 but going from MAC addresses to IP addresses. 191 00:06:20,930 --> 00:06:23,540 And you can use the ARP tool to be able to see that table 192 00:06:23,540 --> 00:06:25,670 to see what IP addresses and what MAC addresses 193 00:06:25,670 --> 00:06:26,810 are bound together. 194 00:06:26,810 --> 00:06:28,880 Similar to how he used Dig or Nslookup 195 00:06:28,880 --> 00:06:31,910 when we're talking about IP addresses to domain names. 196 00:06:31,910 --> 00:06:34,140 The next tool we're going to talk about is route, 197 00:06:34,140 --> 00:06:36,650 and route is utility to be able to view and manipulate 198 00:06:36,650 --> 00:06:39,720 the IP routing table on a given host or server. 199 00:06:39,720 --> 00:06:41,030 Did you know that every computer 200 00:06:41,030 --> 00:06:42,820 has its own router inside of it? 201 00:06:42,820 --> 00:06:43,653 Well, it does. 202 00:06:43,653 --> 00:06:45,930 And the route tool is what allows it to know that. 203 00:06:45,930 --> 00:06:47,930 When you go into the route tool by default 204 00:06:47,930 --> 00:06:50,290 everything is going to be sent out to the default gateway 205 00:06:50,290 --> 00:06:52,710 which is your router on your network. 206 00:06:52,710 --> 00:06:54,270 But you may not want that. 
207 00:06:54,270 --> 00:06:55,640 You may want to be able to modify that 208 00:06:55,640 --> 00:06:57,230 and send it in different ways. 209 00:06:57,230 --> 00:06:59,500 This again is something that a lot of pentesters will do. 210 00:06:59,500 --> 00:07:01,660 They'll go in and modify that route tool 211 00:07:01,660 --> 00:07:03,980 to send traffic a different way. 212 00:07:03,980 --> 00:07:06,210 The next thing we're going to talk about is cURL. 213 00:07:06,210 --> 00:07:08,280 Now cURL is a command line tool 214 00:07:08,280 --> 00:07:10,790 that's used to transfer data to or from a server 215 00:07:10,790 --> 00:07:13,360 using any of a number of different protocols. 216 00:07:13,360 --> 00:07:17,660 cURL can be used with HTTP for web, FTP for file transfer, 217 00:07:17,660 --> 00:07:21,010 IMAP for mail, POP3 for mail, 218 00:07:21,010 --> 00:07:23,470 SEP for secure file copying, 219 00:07:23,470 --> 00:07:26,000 SFTP for secure file transfer, 220 00:07:26,000 --> 00:07:28,360 SMTP for outbound email, 221 00:07:28,360 --> 00:07:30,970 TFTP for trivial file transfer, 222 00:07:30,970 --> 00:07:33,610 Telnet for unsecure remote access, 223 00:07:33,610 --> 00:07:35,560 LDAP for directory access 224 00:07:35,560 --> 00:07:37,640 and FILE to send and receive files 225 00:07:37,640 --> 00:07:39,160 over the local network. 226 00:07:39,160 --> 00:07:40,590 cURL can do all of these 227 00:07:40,590 --> 00:07:42,170 and that's why it's used by analysts 228 00:07:42,170 --> 00:07:43,780 when they're trying to test different protocols 229 00:07:43,780 --> 00:07:46,370 over a given network or different server. 230 00:07:46,370 --> 00:07:48,940 The next tool we're going to talk about is the Harvester. 
231 00:07:48,940 --> 00:07:51,030 The Harvester is just a Python script 232 00:07:51,030 --> 00:07:54,230 but it's used to gather emails, subdomains, hosts, 233 00:07:54,230 --> 00:07:56,710 employee names, open ports and banners 234 00:07:56,710 --> 00:07:57,950 from different public sources, 235 00:07:57,950 --> 00:08:00,400 like search engines PGP key servers 236 00:08:00,400 --> 00:08:02,270 and SHODAN databases. 237 00:08:02,270 --> 00:08:04,270 All of this information can be gathered 238 00:08:04,270 --> 00:08:05,810 using the Python script. 239 00:08:05,810 --> 00:08:07,380 This is a reconnaissance tool. 240 00:08:07,380 --> 00:08:09,890 It's used by penetration testers and attackers 241 00:08:09,890 --> 00:08:11,187 when they're doing this against your network. 242 00:08:11,187 --> 00:08:12,870 And that's why you have to be aware of it 243 00:08:12,870 --> 00:08:13,800 because it could be something 244 00:08:13,800 --> 00:08:15,450 you might want to run against your own network 245 00:08:15,450 --> 00:08:18,020 to see what type of information you can find 246 00:08:18,020 --> 00:08:20,230 as an outsider looking in. 247 00:08:20,230 --> 00:08:22,600 The next tool we're going to talk about is Sn1per. 248 00:08:22,600 --> 00:08:23,860 This is an automated scanner 249 00:08:23,860 --> 00:08:25,770 that can be used during a penetration test 250 00:08:25,770 --> 00:08:27,800 to enumerate and scan for vulnerabilities 251 00:08:27,800 --> 00:08:29,420 across your network. 252 00:08:29,420 --> 00:08:31,670 Personally, this isn't one I heavily use. 253 00:08:31,670 --> 00:08:34,650 Instead, I like to use things like Nessus instead. 254 00:08:34,650 --> 00:08:36,460 The next tool we have is scanless. 255 00:08:36,460 --> 00:08:38,160 And this is a utility that's used to create 256 00:08:38,160 --> 00:08:39,810 an exploitation website 257 00:08:39,810 --> 00:08:43,220 that can perform open port scans in a more stealthy manner. 
258 00:08:43,220 --> 00:08:44,900 Now, essentially when you have scanless, 259 00:08:44,900 --> 00:08:46,560 you can set up a web server 260 00:08:46,560 --> 00:08:49,380 and that web server can then do all of your scans for you 261 00:08:49,380 --> 00:08:51,040 against those given targets. 262 00:08:51,040 --> 00:08:53,430 That way, if they see the scan coming, 263 00:08:53,430 --> 00:08:54,820 it's coming from this web server 264 00:08:54,820 --> 00:08:56,230 and not from your own hosts, 265 00:08:56,230 --> 00:08:57,770 and it's harder to detect you. 266 00:08:57,770 --> 00:08:59,930 The next tool we have is dnsenum. 267 00:08:59,930 --> 00:09:03,030 This is a utility that's used for DNS enumeration 268 00:09:03,030 --> 00:09:05,150 and it's used to locate all the DNS servers 269 00:09:05,150 --> 00:09:07,660 and DNS entries for a given organization. 270 00:09:07,660 --> 00:09:09,370 When you're using dnsenum, 271 00:09:09,370 --> 00:09:11,020 you could do the exact same thing 272 00:09:11,020 --> 00:09:13,310 using something like Nslookup or Dig, 273 00:09:13,310 --> 00:09:15,570 but using dnsenum, is a little bit easier 274 00:09:15,570 --> 00:09:17,960 because it automates a lot of this process for you. 275 00:09:17,960 --> 00:09:20,910 Again, this is the reconnaissance tool or discovery tool 276 00:09:20,910 --> 00:09:23,480 that's used by penetration testers as well as hackers. 277 00:09:23,480 --> 00:09:25,280 The next tool we have is Nessus. 278 00:09:25,280 --> 00:09:27,940 And this is by far my favorite vulnerability scanner. 279 00:09:27,940 --> 00:09:29,970 It is a proprietary vulnerability scanner 280 00:09:29,970 --> 00:09:32,240 that can remotely scan a computer or a network 281 00:09:32,240 --> 00:09:33,840 for different vulnerabilities. 282 00:09:33,840 --> 00:09:35,560 When you hear about Nessus, remember, 283 00:09:35,560 --> 00:09:37,320 this is an infrastructure scanner. 
284 00:09:37,320 --> 00:09:39,660 So we're talking about things like routers and switches 285 00:09:39,660 --> 00:09:42,950 and hosts and servers when we're using Nessus. 286 00:09:42,950 --> 00:09:44,880 The next one we have is cuckoo. 287 00:09:44,880 --> 00:09:46,740 Now cuckoo is an open source software 288 00:09:46,740 --> 00:09:49,280 for automating analysis of suspicious files. 289 00:09:49,280 --> 00:09:51,670 Essentially, it's a sandboxed environment. 290 00:09:51,670 --> 00:09:53,250 So if I have a file that I'm looking at 291 00:09:53,250 --> 00:09:54,130 during instant response, 292 00:09:54,130 --> 00:09:56,100 I go, "Hmm, this looks suspicious. 293 00:09:56,100 --> 00:09:57,250 Is this malware?" 294 00:09:57,250 --> 00:10:00,020 Well, I can take that and put inside the cuckoo sandbox, 295 00:10:00,020 --> 00:10:02,270 run it and then see what type of bad things 296 00:10:02,270 --> 00:10:03,270 that file is doing. 297 00:10:03,270 --> 00:10:05,740 This can help you very quickly and easily identify 298 00:10:05,740 --> 00:10:06,750 what that file is 299 00:10:06,750 --> 00:10:08,470 as either friend or foe, 300 00:10:08,470 --> 00:10:09,900 malware or benign, 301 00:10:09,900 --> 00:10:12,080 because it can run it inside the sandbox environment 302 00:10:12,080 --> 00:10:14,580 and do some automated processing for you. 303 00:10:14,580 --> 00:10:16,510 All right, that was a lot of different tools 304 00:10:16,510 --> 00:10:17,910 in the network section. 305 00:10:17,910 --> 00:10:21,000 Next, we're going to talk about the file manipulation section. 306 00:10:21,000 --> 00:10:23,410 And in here, we're going to talk about a bunch of tools 307 00:10:23,410 --> 00:10:25,410 that are really specific to Linux. 308 00:10:25,410 --> 00:10:26,840 When we talk about file manipulation 309 00:10:26,840 --> 00:10:28,640 the first one we want to talk about is head. 
310 00:10:28,640 --> 00:10:30,110 Head is a command-line utility 311 00:10:30,110 --> 00:10:32,250 for outputting the first 10 lines of a file 312 00:10:32,250 --> 00:10:33,510 that's provided to it. 313 00:10:33,510 --> 00:10:36,980 So for example, if I typed in head, log file 314 00:10:36,980 --> 00:10:40,500 it will show me the first 10 lines of that log file. 315 00:10:40,500 --> 00:10:42,540 This is more helpful when you're looking at something like 316 00:10:42,540 --> 00:10:44,110 a file or a folder, 317 00:10:44,110 --> 00:10:45,910 and you want to get information about it. 318 00:10:45,910 --> 00:10:46,743 Now, on the other hand, 319 00:10:46,743 --> 00:10:48,150 if I'm looking at a log file 320 00:10:48,150 --> 00:10:50,500 the first headlines aren't nearly as useful, 321 00:10:50,500 --> 00:10:52,550 instead, I'd rather see the last 10 lines 322 00:10:52,550 --> 00:10:54,310 and that's what tail is used for. 323 00:10:54,310 --> 00:10:56,640 So I typed tail, log file, 324 00:10:56,640 --> 00:10:58,320 I would have this command line utility 325 00:10:58,320 --> 00:11:01,780 that outputs the last 10 lines of that file provided to it. 326 00:11:01,780 --> 00:11:02,647 Because if I'm thinking about, 327 00:11:02,647 --> 00:11:05,070 "Hey, I just saw something weird on my network." 328 00:11:05,070 --> 00:11:06,580 I can log in immediately, 329 00:11:06,580 --> 00:11:09,530 check the last 10 lines and see if I have it in my logs, 330 00:11:09,530 --> 00:11:11,670 that will be very quick and easy to do. 331 00:11:11,670 --> 00:11:13,260 The next thing we have is cat, 332 00:11:13,260 --> 00:11:15,760 where head does the first 10 tail does the last 10 333 00:11:15,760 --> 00:11:17,820 cat does the entire file. 334 00:11:17,820 --> 00:11:19,670 Cat stands for concatenate. 335 00:11:19,670 --> 00:11:21,000 This is a command line utility 336 00:11:21,000 --> 00:11:24,040 for outputting the contents of a file to your screen. 
337 00:11:24,040 --> 00:11:25,170 All of that file. 338 00:11:25,170 --> 00:11:26,150 Now this could be something 339 00:11:26,150 --> 00:11:27,500 that can overwhelm your screen though 340 00:11:27,500 --> 00:11:29,520 because if you're doing something like a log file, 341 00:11:29,520 --> 00:11:31,480 there might be a million entries in there. 342 00:11:31,480 --> 00:11:33,240 So you might want to actually bring it down 343 00:11:33,240 --> 00:11:34,750 and look for something specific. 344 00:11:34,750 --> 00:11:37,090 To do that we would use grep. 345 00:11:37,090 --> 00:11:38,380 Grep is a command-line utility 346 00:11:38,380 --> 00:11:40,060 for searching plain text data sets 347 00:11:40,060 --> 00:11:42,890 for lines that match a regular expression or a pattern. 348 00:11:42,890 --> 00:11:44,840 For example if I wanted to find all the cases 349 00:11:44,840 --> 00:11:46,580 where Jason logged into the system, 350 00:11:46,580 --> 00:11:48,970 I can do grep, authentication log 351 00:11:48,970 --> 00:11:52,110 and then the thing I'm looking for, Jason's username. 352 00:11:52,110 --> 00:11:53,070 And if I hit enter, 353 00:11:53,070 --> 00:11:55,180 it will show me all the cases in that log file 354 00:11:55,180 --> 00:11:57,120 where it finds the word Jason. 355 00:11:57,120 --> 00:11:58,190 The great thing about grep is that 356 00:11:58,190 --> 00:12:00,500 it can also support these regular expressions. 357 00:12:00,500 --> 00:12:02,763 So even if I don't know the exact thing I'm looking for 358 00:12:02,763 --> 00:12:06,440 but I know the format of it, I can search for it using grep. 359 00:12:06,440 --> 00:12:07,540 For example if I'm looking for 360 00:12:07,540 --> 00:12:09,120 all the social security numbers, 361 00:12:09,120 --> 00:12:11,560 I know those come in a format of three digits, 362 00:12:11,560 --> 00:12:13,960 dash two digits, dash four digits. 
363 00:12:13,960 --> 00:12:15,830 And so I could put that in with a regular expression 364 00:12:15,830 --> 00:12:18,250 and find all the cases of that through a given file 365 00:12:18,250 --> 00:12:20,130 or across the entire system. 366 00:12:20,130 --> 00:12:22,430 The next tool we have is chmod. 367 00:12:22,430 --> 00:12:23,940 And this is a command-line utility 368 00:12:23,940 --> 00:12:25,950 that's used to change the access permissions 369 00:12:25,950 --> 00:12:27,500 of file system objects. 370 00:12:27,500 --> 00:12:29,350 So if I'm working on analytic system 371 00:12:29,350 --> 00:12:30,777 and I go and look at a file and I say, 372 00:12:30,777 --> 00:12:33,260 "Huh, this file has execute permissions 373 00:12:33,260 --> 00:12:35,090 but it should only have right permissions." 374 00:12:35,090 --> 00:12:36,970 I can fix that using chmod. 375 00:12:36,970 --> 00:12:38,850 That's the benefit of chmod. 376 00:12:38,850 --> 00:12:40,360 The last, the next tool we're going to talk about 377 00:12:40,360 --> 00:12:42,350 in this section here is logger. 378 00:12:42,350 --> 00:12:44,740 Now logger is a utility that provides an easy way 379 00:12:44,740 --> 00:12:48,980 to add messages to the /var/log/syslog file 380 00:12:48,980 --> 00:12:51,570 from the command line or from other files. 381 00:12:51,570 --> 00:12:53,190 Now, why would we want to do this? 382 00:12:53,190 --> 00:12:54,640 Well, maybe we want to make sure 383 00:12:54,640 --> 00:12:56,510 that we're writing a new script or a new tool 384 00:12:56,510 --> 00:12:59,360 and we want to log any errors when we've run that tool. 385 00:12:59,360 --> 00:13:00,990 We can do that by using logger 386 00:13:00,990 --> 00:13:03,620 and then send that data to that syslog file. 387 00:13:03,620 --> 00:13:05,000 The next section we're going to talk about 388 00:13:05,000 --> 00:13:06,950 is shells and scripts. 
389 00:13:06,950 --> 00:13:08,460 Now inside of shells and scripts, 390 00:13:08,460 --> 00:13:12,160 the first one we're going to talk about is secure shell or SSH. 391 00:13:12,160 --> 00:13:14,790 This is utility that supports encrypted data transfer 392 00:13:14,790 --> 00:13:17,920 between two computers and it's used for secure logins, 393 00:13:17,920 --> 00:13:20,620 file transfers or general purpose connections. 394 00:13:20,620 --> 00:13:24,910 SSH is a great tool and we use it a lot in security. 395 00:13:24,910 --> 00:13:25,743 Why? 396 00:13:25,743 --> 00:13:27,240 Because it is an encrypted tunnel. 397 00:13:27,240 --> 00:13:28,800 So if I'm sitting at my desk 398 00:13:28,800 --> 00:13:30,310 and I need to log into my server 399 00:13:30,310 --> 00:13:31,690 that may be across the hall 400 00:13:31,690 --> 00:13:33,220 or across the world, 401 00:13:33,220 --> 00:13:34,910 I can do that using SSH. 402 00:13:34,910 --> 00:13:37,690 And it gives me a shell interface where everything is secure 403 00:13:37,690 --> 00:13:40,130 and I can then go ahead and command and control it. 404 00:13:40,130 --> 00:13:42,130 The next thing we have is PowerShell. 405 00:13:42,130 --> 00:13:45,130 Now PowerShell is used only in Windows. 406 00:13:45,130 --> 00:13:46,780 PowerShell is a task automation 407 00:13:46,780 --> 00:13:49,270 and configuration management framework from Microsoft 408 00:13:49,270 --> 00:13:51,250 and it consists of a command line shell 409 00:13:51,250 --> 00:13:52,890 and the associated scripting language 410 00:13:52,890 --> 00:13:54,590 which is known as PowerShell. 411 00:13:54,590 --> 00:13:56,810 Again, you don't need to know how to read PowerShell 412 00:13:56,810 --> 00:14:00,300 or use PowerShell for this course or for this exam. 413 00:14:00,300 --> 00:14:01,960 But as a security analyst, 414 00:14:01,960 --> 00:14:03,810 you will be using PowerShell a lot 415 00:14:03,810 --> 00:14:05,790 if you're working in a Windows environment. 
416 00:14:05,790 --> 00:14:07,110 Now, if you're working in a Linux environment 417 00:14:07,110 --> 00:14:07,943 on the other hand, 418 00:14:07,943 --> 00:14:10,020 you'll probably use Python instead. 419 00:14:10,020 --> 00:14:12,050 Python isn't interpreted high-level 420 00:14:12,050 --> 00:14:13,960 and general-purpose programming language. 421 00:14:13,960 --> 00:14:16,790 But a lot of times we use it as a way to do scripting 422 00:14:16,790 --> 00:14:18,360 as well as create our own programs 423 00:14:18,360 --> 00:14:19,960 for vulnerability scans 424 00:14:19,960 --> 00:14:21,760 or using something for penetration testing 425 00:14:21,760 --> 00:14:22,780 or things like that. 426 00:14:22,780 --> 00:14:24,470 If you're going to learn one programming language 427 00:14:24,470 --> 00:14:27,090 as a security analyst, I recommend it's Python. 428 00:14:27,090 --> 00:14:28,700 It is really easy to learn. 429 00:14:28,700 --> 00:14:29,920 It is really powerful 430 00:14:29,920 --> 00:14:32,650 and is used for most employers in their systems. 431 00:14:32,650 --> 00:14:35,200 The next one we're going to talk about is OpenSSL. 432 00:14:35,200 --> 00:14:36,920 Now this isn't necessarily a shell 433 00:14:36,920 --> 00:14:38,670 or a script environment itself, 434 00:14:38,670 --> 00:14:41,080 but more of a software library for applications 435 00:14:41,080 --> 00:14:42,810 that will help us secure communications 436 00:14:42,810 --> 00:14:44,010 over computer networks 437 00:14:44,010 --> 00:14:46,820 against eavesdropping or the need to identify the party 438 00:14:46,820 --> 00:14:48,160 at the other end. 439 00:14:48,160 --> 00:14:49,610 When you go and connect to a website 440 00:14:49,610 --> 00:14:52,137 you're using SSL or TLS, 441 00:14:52,137 --> 00:14:54,740 and OpenSSL is used by a lot of places. 
442 00:14:54,740 --> 00:14:57,300 Now, the reason why OpenSSL is being talked about here 443 00:14:57,300 --> 00:14:59,050 in shell and script environments 444 00:14:59,050 --> 00:15:01,280 is because if you're using secure shell, 445 00:15:01,280 --> 00:15:03,740 you're going to be using OpenSSL to protect it. 446 00:15:03,740 --> 00:15:05,230 If you're going to do a remote connection 447 00:15:05,230 --> 00:15:07,190 to a Windows server to use PowerShell, 448 00:15:07,190 --> 00:15:09,890 you should have an SSL tunnel or a TLS tunnel 449 00:15:09,890 --> 00:15:12,380 using OpenSSL to protect it. 450 00:15:12,380 --> 00:15:13,680 This will allow us to make sure that 451 00:15:13,680 --> 00:15:15,390 what we're sending to and from our servers 452 00:15:15,390 --> 00:15:18,190 and to and from our shells is secure. 453 00:15:18,190 --> 00:15:21,030 The next thing we want to talk about is packet captures. 454 00:15:21,030 --> 00:15:24,130 Now, the first thing we're going to talk about is tcpdump. 455 00:15:24,130 --> 00:15:26,790 This is a command line utility that allows you to capture 456 00:15:26,790 --> 00:15:29,280 and analyze network traffic going through your system. 457 00:15:29,280 --> 00:15:32,030 So for example, if I put a network tap on my system 458 00:15:32,030 --> 00:15:33,750 and I'm connecting my laptop to it, 459 00:15:33,750 --> 00:15:37,210 I can use tcpdump on that laptop to connect the data 460 00:15:37,210 --> 00:15:39,080 crossing that network segment. 461 00:15:39,080 --> 00:15:40,150 Once I have that data 462 00:15:40,150 --> 00:15:44,230 I can then analyze it either using tcpdump or another tool. 463 00:15:44,230 --> 00:15:46,090 Now, another thing I can do if I have that data 464 00:15:46,090 --> 00:15:47,550 is I can actually replay it. 
465 00:15:47,550 --> 00:15:49,470 So I can actually use tcpreplay 466 00:15:49,470 --> 00:15:51,870 which is a suite of free open source utilities 467 00:15:51,870 --> 00:15:53,070 for editing and replaying 468 00:15:53,070 --> 00:15:55,120 previously captured network traffic. 469 00:15:55,120 --> 00:15:56,470 As a penetration tester, 470 00:15:56,470 --> 00:15:58,130 this is something I do often. 471 00:15:58,130 --> 00:16:00,740 I might capture a handshake of a wireless network 472 00:16:00,740 --> 00:16:04,160 and then I can replay it to get myself onto that network. 473 00:16:04,160 --> 00:16:07,140 That's the benefit of using something like tcpreplay. 474 00:16:07,140 --> 00:16:08,780 The next one we have is Wireshark. 475 00:16:08,780 --> 00:16:10,750 And I know we've talked about Wireshark before 476 00:16:10,750 --> 00:16:13,347 but if you went and did a dump using tcpdump, 477 00:16:13,347 --> 00:16:15,150 you now have this pcap file. 478 00:16:15,150 --> 00:16:16,300 How are you going to look at it? 479 00:16:16,300 --> 00:16:19,070 Well, you can do it in the text mode using tcpdump 480 00:16:19,070 --> 00:16:22,280 but honestly it's a lot easier to open it up in Wireshark. 481 00:16:22,280 --> 00:16:24,550 Wireshark is a popular network analysis tool 482 00:16:24,550 --> 00:16:26,360 and it can be used to capture network packets 483 00:16:26,360 --> 00:16:28,300 and display them at a granular level 484 00:16:28,300 --> 00:16:30,640 for real time or offline analysis. 485 00:16:30,640 --> 00:16:32,100 You actually don't even have to capture them 486 00:16:32,100 --> 00:16:33,090 using Wireshark, 487 00:16:33,090 --> 00:16:34,970 you can capture them using tcpdump 488 00:16:34,970 --> 00:16:37,380 and then load them up inside Wireshark as well. 489 00:16:37,380 --> 00:16:38,920 If you're capturing inside Wireshark 490 00:16:38,920 --> 00:16:41,530 it does use a lot of the same code as tcpdump. 
491 00:16:41,530 --> 00:16:44,570 The next section we're going to talk about is Forensics. 492 00:16:44,570 --> 00:16:46,700 Now in forensics, we only have a handful of tools 493 00:16:46,700 --> 00:16:48,370 that we need to know for the exam. 494 00:16:48,370 --> 00:16:50,220 The first one is dd. 495 00:16:50,220 --> 00:16:52,110 And dd is a command line utility 496 00:16:52,110 --> 00:16:53,700 that's used to copy disk images 497 00:16:53,700 --> 00:16:56,150 using a bit by bit copying process. 498 00:16:56,150 --> 00:16:56,983 So if I have a hard disk 499 00:16:56,983 --> 00:16:58,740 that I need to collect evidence from, 500 00:16:58,740 --> 00:17:01,100 I can do a dd image of that hard disk 501 00:17:01,100 --> 00:17:02,740 to a secondary hard disk. 502 00:17:02,740 --> 00:17:04,430 Then all my analysis will be done 503 00:17:04,430 --> 00:17:05,830 on that secondary hard disk 504 00:17:05,830 --> 00:17:07,410 to make sure I'm not messing with the evidence 505 00:17:07,410 --> 00:17:08,970 on that primary disk. 506 00:17:08,970 --> 00:17:10,900 That's what dd is used for. 507 00:17:10,900 --> 00:17:13,810 The second tool we're going to talk about is FTK Imager. 508 00:17:13,810 --> 00:17:15,880 Now where dd is a command line tool, 509 00:17:15,880 --> 00:17:17,840 FTK Imager works on Windows 510 00:17:17,840 --> 00:17:20,350 and it is a graphical user interface based tool. 511 00:17:20,350 --> 00:17:23,300 FTK Imager is a data preview and imaging tool 512 00:17:23,300 --> 00:17:26,210 and it's going to let you quickly access electronic evidence 513 00:17:26,210 --> 00:17:28,120 to determine if you need to do further analysis 514 00:17:28,120 --> 00:17:32,410 with a forensic tool like FTK or EnCase or Autopsy. 515 00:17:32,410 --> 00:17:34,340 The next tool we have is Memdump. 
516 00:17:34,340 --> 00:17:36,760 Now Memdump is a Linux command line utility 517 00:17:36,760 --> 00:17:38,250 that's used to dump system memory 518 00:17:38,250 --> 00:17:39,730 to the standard output stream 519 00:17:39,730 --> 00:17:42,030 by skipping over holes in memory maps. 520 00:17:42,030 --> 00:17:43,760 So we can output this to the screen 521 00:17:43,760 --> 00:17:46,470 or we can output it to an image on an external hard disk 522 00:17:46,470 --> 00:17:47,890 and then analyze it later. 523 00:17:47,890 --> 00:17:49,060 So essentially if you want to capture 524 00:17:49,060 --> 00:17:51,710 that volatile information in memory before it changes, 525 00:17:51,710 --> 00:17:53,690 Memdump is a great tool to use for that. 526 00:17:53,690 --> 00:17:56,610 The next tool we use in forensics is known as WinHex. 527 00:17:56,610 --> 00:17:58,090 Now this is a commercial product 528 00:17:58,090 --> 00:17:59,410 meaning you have to pay for it. 529 00:17:59,410 --> 00:18:02,450 It's a disk editor and universal hexadecimal editor 530 00:18:02,450 --> 00:18:05,630 and it can be used for data recovery and digital forensics. 531 00:18:05,630 --> 00:18:07,280 Now, I don't know why CompTIA 532 00:18:07,280 --> 00:18:09,100 decided to use WinHex as the example, 533 00:18:09,100 --> 00:18:11,690 there's lots of other tools out there for hex editing 534 00:18:11,690 --> 00:18:13,510 but this is the one they listed in the objectives. 535 00:18:13,510 --> 00:18:15,430 So that's why I'm bringing it up here for you. 536 00:18:15,430 --> 00:18:18,260 The last one we're going to talk about in forensics is Autopsy. 537 00:18:18,260 --> 00:18:20,640 Now Autopsy is a digital forensics platform 538 00:18:20,640 --> 00:18:22,270 and graphical user interface 539 00:18:22,270 --> 00:18:24,660 that is laid on top of The Sleuth Kit. 540 00:18:24,660 --> 00:18:27,420 It also is used with other digital forensic tools as well. 
541 00:18:27,420 --> 00:18:28,860 So when we use Autopsy, 542 00:18:28,860 --> 00:18:30,320 there's an imaging function in there. 543 00:18:30,320 --> 00:18:31,830 It relies on dd. 544 00:18:31,830 --> 00:18:33,500 There's an analyst function in there 545 00:18:33,500 --> 00:18:34,580 that's where we start getting things 546 00:18:34,580 --> 00:18:35,820 from The Sleuth Kit. 547 00:18:35,820 --> 00:18:37,660 There are ways to sleuth disk files. 548 00:18:37,660 --> 00:18:39,900 And so we can do different ways of file carving in there. 549 00:18:39,900 --> 00:18:41,050 Autopsy is trying to make 550 00:18:41,050 --> 00:18:43,470 all these hard to use command line tools easier 551 00:18:43,470 --> 00:18:45,720 by providing a graphical user interface to them. 552 00:18:45,720 --> 00:18:48,470 The last section we want to talk about is exploitation, 553 00:18:48,470 --> 00:18:49,650 and this is going to be more focused 554 00:18:49,650 --> 00:18:51,480 on our penetration testers. 555 00:18:51,480 --> 00:18:52,820 Now when we talk about exploitation 556 00:18:52,820 --> 00:18:55,550 the first framework we need to talk about is Metasploit. 557 00:18:55,550 --> 00:18:58,620 Metasploit is also known as the Metasploit Framework or MSF 558 00:18:58,620 --> 00:19:00,680 and it is a computer security tool 559 00:19:00,680 --> 00:19:03,170 that offers information about software vulnerabilities, 560 00:19:03,170 --> 00:19:05,040 intrusion detection signature development 561 00:19:05,040 --> 00:19:07,010 and improves penetration testing. 562 00:19:07,010 --> 00:19:08,780 It is a great tool that is used 563 00:19:08,780 --> 00:19:11,470 from the command line interface and allows you to go through 564 00:19:11,470 --> 00:19:13,960 and search this database of known vulnerabilities 565 00:19:13,960 --> 00:19:16,240 that you may have found while using something like Nessus. 
566 00:19:16,240 --> 00:19:18,090 And then you can exploit that machine 567 00:19:18,090 --> 00:19:19,230 using that vulnerability 568 00:19:19,230 --> 00:19:20,460 because there are already exploits 569 00:19:20,460 --> 00:19:22,530 built into the Metasploit Framework. 570 00:19:22,530 --> 00:19:24,440 It really is being a script kiddie in a sense 571 00:19:24,440 --> 00:19:26,010 because a lot of the functionality 572 00:19:26,010 --> 00:19:27,550 is really easy to use, 573 00:19:27,550 --> 00:19:28,717 but then it actually goes beyond that 574 00:19:28,717 --> 00:19:30,510 and you could develop your own plugins 575 00:19:30,510 --> 00:19:32,800 and use them inside this framework too. 576 00:19:32,800 --> 00:19:33,920 The next one we want to talk about 577 00:19:33,920 --> 00:19:36,930 is the Browser Exploitation Framework or BeEF. 578 00:19:36,930 --> 00:19:39,410 This is a tool that can hook one or more browsers 579 00:19:39,410 --> 00:19:40,930 and then use them as a beachhead 580 00:19:40,930 --> 00:19:42,690 for launching various direct commands 581 00:19:42,690 --> 00:19:44,690 and further attacks against the system 582 00:19:44,690 --> 00:19:46,500 from within the browser context. 583 00:19:46,500 --> 00:19:47,510 When we talk about BeEF, 584 00:19:47,510 --> 00:19:49,190 it can be used by a penetration tester 585 00:19:49,190 --> 00:19:50,180 as a man in the middle, 586 00:19:50,180 --> 00:19:52,760 between them and the system they're trying to connect to. 587 00:19:52,760 --> 00:19:54,240 Where they can get the information, 588 00:19:54,240 --> 00:19:55,970 they can request it through the browser, 589 00:19:55,970 --> 00:19:58,070 pause that information before sending it back, 590 00:19:58,070 --> 00:20:00,450 modify it, and then send it back. 
591 00:20:00,450 --> 00:20:02,420 BeEF is a very, very powerful thing 592 00:20:02,420 --> 00:20:04,790 and it's something you should learn as a penetration tester 593 00:20:04,790 --> 00:20:06,250 but not something you need to learn in depth 594 00:20:06,250 --> 00:20:07,610 for Security+. 595 00:20:07,610 --> 00:20:08,830 The next thing we want to talk about 596 00:20:08,830 --> 00:20:10,970 is a couple of password cracking tools. 597 00:20:10,970 --> 00:20:13,130 The first of these is Cain and Abel. 598 00:20:13,130 --> 00:20:15,140 Cain and Abel is a password recovery tool 599 00:20:15,140 --> 00:20:16,880 that can be used to sniff the network, 600 00:20:16,880 --> 00:20:19,060 crack encrypted passwords using dictionary, 601 00:20:19,060 --> 00:20:21,270 brute-force or cryptanalysis attacks. 602 00:20:21,270 --> 00:20:23,310 It can also record VoIP conversations, 603 00:20:23,310 --> 00:20:26,250 decode scrambled passwords, reveal password boxes 604 00:20:26,250 --> 00:20:28,110 or analyze routing protocols. 605 00:20:28,110 --> 00:20:29,700 Cain and Abel is a great tool 606 00:20:29,700 --> 00:20:31,500 and it is really, really powerful. 607 00:20:31,500 --> 00:20:33,290 It runs on Windows. 608 00:20:33,290 --> 00:20:35,350 The next one we have is John the Ripper 609 00:20:35,350 --> 00:20:38,080 and this is a cross platform password cracker. 610 00:20:38,080 --> 00:20:40,220 It's also an open source password cracker. 611 00:20:40,220 --> 00:20:42,450 It is known as a password security auditing tool 612 00:20:42,450 --> 00:20:44,020 and password recovery tool 613 00:20:44,020 --> 00:20:45,930 that's available for most operating systems. 614 00:20:45,930 --> 00:20:47,170 Just like Cain and Abel, 615 00:20:47,170 --> 00:20:48,690 John the Ripper can do dictionary 616 00:20:48,690 --> 00:20:50,760 or brute-force password attacks. 
617 00:20:50,760 --> 00:20:53,400 All right, I know that was a ton of different tools, 618 00:20:53,400 --> 00:20:54,360 but again remember, 619 00:20:54,360 --> 00:20:55,950 you don't need to know how to operate these, 620 00:20:55,950 --> 00:20:58,150 you just need to know which category they belong to 621 00:20:58,150 --> 00:21:00,683 and which one you use for a given situation.