To be real, hacking is more like sex. Sometimes the other party just won't participate and there is nothing to gain, however once they do participate you will likely go in and out each time deeper and deeper multiple times until something breaks and you're done. Yes, sometimes you can try brute forcing things, but it only works if the other party is weak. If you can't brute force things and, well, things don't go anywhere, you should try various other approaches and see if taking your time will make a difference.
It's like a gamer trying to play Dwarf Fortress for the first time. It's complete gibberish to an untrained eye and it probably takes months or years to begin to understand. All in good practice though, I assume.
Honestly the most important thing to understanding this video is becoming familiar with Linux. I'm not at all interested in pen-testing as a career, my only involvement is watching these videos. However, I'm able to keep up with the videos just with my existing knowledge of Linux. All the special tools he uses to brute force accounts are pretty self-explanatory with a quick Google search.
Great to see a higher level pentest explanation type video which doesn't bore you to death with every tiny detail but still goes over each of your steps. If we see a tool or vector that's new to us we can follow up at a lower level later. For a 30 min video you kept up a speed and momentum that was so easy to follow and engaging it seemed like it was much shorter. To me the sign of good video making is when you realise what you thought was a short 5 or 10 min of viewing was actually half an hour or more. Definitely leaving a deserved Thumbs Up on this video and I'm now off to check out your other content. If this video is typical I will be subscribing for sure.
I totally agree with this random stranger on the internet. I hope there's more videos on this try hack me stuff on your channel! Nice video and hope to be seeing more of those!
@@brotherindeed992 const f = "H"; let u = "E"; let c = "L"; let k = "LO"; let y = "W"; let o = "O"; console.log(f + u + c + k); u = "RLD"; console.log(y + o + u); This took me so long to type
The phrase I expect to hear after "really opened my eyes to what must be done to gain access" is you DON'T want to do cybersecurity (or your own hacking). I have a hard time imagining what you mean. Is it: "cybersecurity sounds like a really easy job, because I can sit back and know there are so many defences already in place"? I can't imagine any other way you get from your first thought to the second. Are you just lazy, or really excited about learning how to invade the privacy of others? Nothing else makes sense here.
@@cdev-kz3lj yeah, I don't get invited to parties anymore since all the fatalities at the last one. But you can hardly blame me, the axe was right there, just begging to be used!
I took a class in Cyber Security during my Bachelor's some years ago. This was a cool way of seeing some of those concepts actually applied. I found your way of solving the problem very informational, and it was definitely very entertaining
I found that, using vim (instead of cat), I could read files that were restricted while logged in as jan. /etc/shadow (giving access to hashed passwords), but also kay/pass.bak (skipping the ssh private key step). Would you know why the system allowed me to do this? Some configuration flaw?
My machine had port 8009 open so I spent most of the hour researching the Apache Tomcat "ghostcat" vulnerability and was completely lost. Humbled once again..
I knew cybersec/pentesting was a challenge and a puzzle, but I never knew it was like this! Thank you for confirming that it's something I'd like to do with my life!
I watched this the first time and got motivated (had no idea what was going on though). So I went over to overthewire bandit and after reading TONS of articles I was able to finish all the levels (I had zero experience in this field, also had to see 4 solutions). Now I'm in picoCTF checking out different fields (whilst reading TONS of articles). I came back here and surprisingly I understood most of the things that you did (not that I know the tools you used or anything but I can relate to the concept itself). The only thing that I have to read about to understand more is the ssh2john part. Anyways, just letting you know that your videos are an inspiration. I have been training since 1st October and I will be joining a capture-the-flag competition which is for the Middle East. I'll keep you updated with the results (I am not expecting to get a good rank but want to see how well I can do).
That is basic, the users had weak passwords like 'armando': no capitals, no numbers, no special chars and a short password. It's just asking to get broken into :D
@@muath1125 If you use only lowercase letters in a 7 char length password, the password can easily be brute-forced. (26)^7 = 8,031,810,176 password combinations. Lower and uppercase letters (26+26)^7 = (52)^7 = 1,028,071,702,528 password combinations. Lower & upper & numbers (52+10)^7 = (62)^7 = 3,521,614,606,208 combinations. Lower & upper & numbers & special chars (62+26)^7 = (88)^7 = 40,867,559,636,992 combinations. With those kind of combinations, it's extremely hard to brute-force. I recommend a password length of minimum 18 chars with lower & upper & numbers & special chars: 88^18 = 100,158,566,165,017,531,560,835,501,527,138,304 possible password combinations.
Mrs Richards: "I paid for a room with a view!" Basil: (pointing to the lovely view) "That is Torquay, Madam." Mrs Richards: "It's not good enough!" Basil: "May I ask what you were expecting to see out of a Torquay hotel bedroom window? Sydney Opera House, perhaps? The Hanging Gardens of Babylon? Herds of wildebeest sweeping majestically past?..." Mrs Richards: "Don't be silly! I expect to be able to see the sea!" Basil: "You can see the sea, it's over there between the land and the sky." Mrs Richards: "I'm not satisfied. But I shall stay. But I expect a reduction." Basil: "Why?! Because Krakatoa's not erupting at the moment?"
I love how free from shame TryHackMe is. I tried to get into pentesting very early on, I think this was the early 00's, with a similar service. But back then, there was so much snobbery. The site was meant to be used to learn, but you got no hints, no instructions. You just loaded up the first page and were supposed to know what to do already. This was when search engines were still in their very early versions, so trying to look up writeups wasn't an option either. Going on forums would give you one of two responses: Why are you hacking? and You don't even know the basics? So yeah, it was hard getting into pentesting 15-20 years ago, unless you shelled out a few thousand on courses. You couldn't really go for the books, since nobody would tell you what you needed to research. But today, with services like TryHackMe, it's much more open. Free, or close to free education for the masses. And the Internet has become a much more secure place thanks to it.
I've been using computers my whole life and my entire career is in software but I have never really dabbled in pen testing or "hacking" even though I am familiar with the concepts. I am so glad I came across your video because it really inspired me to learn more about it and it seems like TryHackMe! is the exact type of platform that I do best on when trying to learn new concepts. You gave a very brief explanation each time you used a new utility in your toolkit but to save us time scrubbing your video and searching for everything, would you mind updating the description and listing out and/or linking to what was used? Thanks for posting this video - I love your style.
It would be great if you made a catalog of all the tools you have ready in opt. Although I know most of them I never actually install them in my Linux machine and would be great to have a place where everything is kept for a rainy day :)
John, it would probably help by saying that it is NOT OK to do this kinda stuff to real websites/servers. Unless you want to lose your internet privilege, or get something way worse. (And yes, provided you live in a Western country.) PS. I see so many of these brute-forcing attempts against the websites that I help administer. They are so annoying too by taking a lot of valuable bandwidth. So trust me any single one of those annoying script kiddies gets reported to their ISP.
Hi John, thanks for the great tutorials! I have an issue. After running john2ssh and saving it into hash.txt, I run john with the hash.txt. It gives me 'No password hashes loaded (see FAQ)'. Furthermore, I tried providing it with the rockyou.txt wordlist but it keeps giving me the same error.
Hey, I have never attempted penetration testing but I would love to start because it fascinates me. I just can't understand anything. I was wondering how you got started and if you have any help for me.
Little sad that my university's IT program didn't have a pen testing course or introduction aside from mentioning it as a side topic. I took some Linux security courses focused on policies and configuration but I never really got exposed to tools such as these. However, I did take some digital forensics courses, so this was very similar to that with respect to data investigation. Also decent hint for threat modelers and network admins to pay attention to their policies considering how easily these tools can slip through.
How did you learn all this and understand it so easily? I've been interested and I'm a computer science major, but I feel like there's so much to learn but don't know where to start.
I have been learning from a Facebook ad I saw and it's really helped me, here's the website. There are loads of small courses you get that build up your knowledge and even some courses that get you ready for CEH, CCSP and CISSP. Hacking seems to be very different to what you would learn in Comp Sci but some skills you may have from that could be useful.
No offence but sometimes I feel you speak too much, I mean like, the detail is sometimes a bit slow and overly long and I feel like I'm waiting too long to hear the important stuff. I watched another of your videos on speed 2x which worked, but with this video it didn't work. Just some constructive criticism, I'm sure there are many people who don't mind and it's most likely my issue. But feedback is feedback.
As far as I know, no -- it is not in their Exam Restrictions. support.offensive-security.com/oscp-exam-guide/ I had used LinEnum without an issue. Thanks for watching!
I feel like eventually some nation-state threat-actor is going to set up one of these websites. Except while you're learning to exploit telnet, the VM is searching you for exploits.
I didn't understand a single thing of what you were doing over there and I don't like programming/hacking/whatever at all but I somehow still watched it entirely. That's a big like from me :)
Oh man. John coming at us AGAIN with the great info! This is exactly what I was looking for. I've done a few HTB challenges. But I usually need help during them, because there are basic fundamentals I don't understand. And there are tools I didn't know exist. I can fumble my way through some boxes, but I'm usually pulling out my hair. This is a wonderful service. And will hopefully solve exactly that issue for me. Thank you!
@@UnknownSend3r HTB is still great, and I highly advise it. It's super fun. I'm still quite unfamiliar with the Linux system as a whole. The syntax of many of the tools. And which tools to use, why, and when. Sometimes I simply don't know where to look. But. The more practice I do, the more I learn. Hack The Box is great, but it just kinda throws you in and you just like - do it. I like that. Try Hack Me has stepping stones. Give them both a shot. DuckDuckGo and RU-vid have been extremely helpful though! xD
@@user-yd7ug3jb4t thanks, really appreciate the advice. I'll definitely give HTB a go along with THM. Before I start any of them I plan to complete overthewire (along with my RHCSA studies) to get me familiar with the Linux command line. I also think since you're unfamiliar with the Linux system OTW would be a great place to start. It's geared towards those with little Linux experience who are interested in cybersec/hacking, and provides you with what commands you might need to complete each task. Good luck on your journey.
It's crazy to think this was the exact video that got me into cybersecurity a little over 1 year ago and this week I just landed a job in the industry. Much love to the RU-vid algorithm!
@@halzoun6195 yeah I was in University studying information systems. So I already had a background in web development and some other programming. Also I wouldn't say I picked it up in a year because I am still trying to learn every day.
I've just discovered your channel. I'm super super new at learning coding, hacking and all this, but your videos are really enjoyable! And you help a lot to familiarize with all the technical words and stuff (yeah, I'm not that technical for now XD). Thanks for explaining what you do and what you see, I've already subscribed.
Currently a cybersecurity student and just recently finished a class on pentesting and will be participating in pentesting tournaments soon with my school. Amazing job and what a great resource that you have shared hopefully we will be using this site to practice! Thank you!
I'm very new to pen testing but I am learning. Even though I can barely follow what you're doing, seeing how you actually go about the process is incredibly enlightening.
Hi John. Amazing videos. Hardly had any clue what was going on but found it fascinating nonetheless. Just out of curiosity, do you know or would recommend any resources to learn absolute basics from?
You can certainly use Linux Mint, or any other distro or OS you would like! You can install the tools as you need them. I'm running Ubuntu Linux in this video :)
Hey John, I've recently been made redundant and I was in two minds of a career change at age of 41. I started looking into cybersecurity your channel popped up in the search results. I watched this video to the very end, I sat back in my chair, I took a sip of my tea thinking, that was f@£king cool!! I want to do that for a career. I'm now on the long path to become an expert in cybersecurity just because of your video, thank you.
@@IkkeBareAnders Hi Anders, tbh at the beginning information overload to pick through. The path I decided to go down is Hack the box learning path. I've come to grips with the tool, about 2 months ago I'm doing bug bounties hacker1, I'm still a long way off my goal, one hack at a time.
I'm flirting with the idea of switching careers to cyber security, understood nothing but loved this video xD. Does this mean cybersec is my new career path??
I’m 15:00 in and I’ve come to realize that being able to build a PC, overclock its hardware, install an OS and other hardware monitoring programs is not very impressive in the world of PCs. I understood a very minimal amount of what you were doing. Looking at the source code of a website, and using the program similar to a command prompt. What you were telling the program to search for - no idea. The significance of those 4 numbers you noted down is - no idea. I imagine it would take years of practise to actually be able to hack something. My 34 year old brain isn’t as sharp as it used to be and is only going to get worse. The ship may have sailed for me regarding the ability to hack. I have enjoyed what I’ve watched so far! Well done!
@@ekonomija8718 Very good but most machines have private ip addresses within a single network space, that has its own public ip address. This is because with IPv4, around 4 billion addresses are possible, and yet we have billions of IoT devices, so we use the public one as the "gateway" into the network, usually a router, and each individual device has its own private ip address within the network
I ended up exploiting the vim.basic SUID bit set file to gain access to the pass.bak file. But, this SSH route was fantastic to learn, so thanks for pointing it out!
I'm tight, and so am using the OpenVPN route and my own machine (a Mac) - struggling to find something like enum4linux on the Mac - I've downloaded the actual perl script, but it relies on the relevant client tools being installed, and I can't seem to find them - any other options you know of to enumerate users on Samba shares on a Mac?
I didn't do it like that :) but I like your way also. When I logged in to ssh as jan I put the command: sudo -l and Linux said I can't use sudo :) So I put this command to find something to escalate my privileges: find / -perm -4000 2> /dev/null Then I saw something interesting! You know what I found? vim.basic 😐 Then I used it to read the files which I don't have permission to read 😂 Actually, previously I tried to get a shell using vim.basic with these commands: :!sh :!sh :!bash :!bash -i ... and I also tried this command: :!whoami 😂😂😂 but nothing happened :( But it's fiiiine, I need just one thing to complete this, it's just the password of kay 😐 I go to /home/kay/ ohhh there is a file, let's read it! cat pass.. permission denied! 😐😐😐 Hey Linux, did you challenge me! So I put nano pass... and nano opened but there was nothing, but I am sure there is something useful 😐 I put vim.basic pass... then I found the pass of kay 😐 Hahaha thank you for reading this stupid thing 😊 and thank you for the like 😁
Thank you brother, you're funny as heck. Man, I appreciate your openness throughout this walk-through. Also your willingness to help others who may not be as far along as you are in this field. What are your goals after this, and have you reached them, or are you still going to make quality content for us viewers to enjoy? I want to say thank you for your time and the passion that you have for this.
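A defender's view of the setuid vim.basic that several comments above report (an editor carrying the setuid bit opens files with its owner's rights, which is why /etc/shadow and kay's pass.bak were readable as jan). This is an added example, not from the video or any commenter; the function name audit_suid and the RISKY_SUID list are constructed for illustration.

```shell
#!/bin/sh
# Added example: list setuid files under a directory and mark the ones that
# are editors, pagers or interpreters, which should never carry the bit.

# Constructed starter list of basenames (assumption, not exhaustive):
# programs that open arbitrary files or run commands by design.
RISKY_SUID='vim vim.basic vim.tiny vi view nano ed less more find awk sed perl python3 sh bash dash'

# audit_suid ROOT
# Prints one line per setuid regular file below ROOT:
#   REVIEW uid=<owner> <path>   basename is on the RISKY_SUID list
#   setuid uid=<owner> <path>   any other setuid file (compare to a baseline)
audit_suid() {
    root=${1:-/}
    # -perm -4000 is the same test used in the thread; -xdev keeps the scan
    # on one filesystem so /proc and network mounts are not walked.
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        base=${path##*/}
        # Numeric owner: uid=0 means the program runs with root's rights.
        owner=$(ls -ldn "$path" | awk '{print $3}')
        case " $RISKY_SUID " in
            *" $base "*) printf 'REVIEW uid=%s %s\n' "$owner" "$path" ;;
            *)           printf 'setuid uid=%s %s\n' "$owner" "$path" ;;
        esac
    done
}

# Usage on a real host (as root, so every directory is readable):
#   audit_suid /
# Remediation for a REVIEW line is to drop the bit:
#   chmod u-s <path>
```

Anything printed as `setuid` still deserves a diff against the distribution's known set, since the list above only catches the obvious cases.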
First time I watched this video I didn't understand a single thing. After less than a month of hard study, now I get 100% of it! That's so satisfying, even though it's considered an easy challenge.