ethicalPap_
  • 13
  • 20 045
The Secret to Becoming a Better Hacker | Beyond Recon
Stuck on recon? There is a reason for that, but there are ways to move past the recon phase. In this video, I show one of many!
Video Timeline:
0:00 Intro
1:43 Demo
28:40 Outro
Join the Discord!
discord.gg/VZCfME2t
Follow my socials:
LinkedIn: www.linkedin.com/in/vankperry/
Discord: vipv4
Odysee: ethicalPap_
Views: 253

Video

I failed an important interview, but it made me better.
104 views, 14 days ago
This is a story about an embarrassingly failed interview that I have had, that shaped my approach to security overall. Want to Connect? LinkedIn www.linkedin.com/in/vankperry/ Discord discord.gg/uqb7nTUx
OAuth (part 1): A Beginner-level Deep Dive for Hackers
304 views, 14 days ago
As cybersecurity champions, we often fail to understand how a technology works at the core, but rush to understand how the technology is applied instead. Let's take it a step back and MASTER the idea of OAuth! Video Timestamps 0:00 Introduction 5:33 OAuth Overview 16:41 Common Misconfigurations 24:00 Hacking Lab Join our Discord! discord.gg/uqb7nTUx Want to Connect? Follow me on LinkedIn! www.li...
Today's youth are brilliant.
892 views, 21 days ago
Yo! There is a common saying, that "Future generations are lost". From my perspective, future generations are full of intelligent minds, and people who hold the necessary skills to change the world. Today we get to dive into the life of a young man named Neswin. Neswin is eagerly chasing his dream to be a Penetration Tester! He studies 8 hours a day, in addition to regular school work and extra...
Got an interview in cybersecurity? Here's some advice
164 views, 21 days ago
Let's talk about the reality of getting into cybersecurity. I've had hundreds, if not thousands of interviews in the space - and have begun to MASTER the art of interviewing in recent times. Here's my advice on how to approach 5 different types of interview styles Video Timeline: 0:45 Interview Style 1 3:51 Interview Style 2 6:31 Interview Style 3 7:31 Interview Style 4 13:42 Interview Style 5 J...
GraphQL (Part 2): An Intermediate and Technological Deep Dive for Hackers
208 views, 1 month ago
Yo, GraphQL is fun! As cybersecurity champions, we often fail to understand how a technology works at the core, but rush to understand how the technology is applied instead. Let's take it a step back and MASTER the idea of GraphQL! Video Timeline: 0:00 Introduction 2:04 Understanding the GraphQL language 49:32 Introspection Overview 52:15 Intermediate Hacking for GraphQL 1:32:27 Conclusion Join ...
Want to break into Cyber Security? Let's Talk
3.7K views, 1 month ago
Let's talk about the reality of getting into cybersecurity. This is the kickoff to a series of videos that I will be working through to help prepare you for a career in cybersecurity. Through it all, I AM ROOTING FOR YOU!
GraphQL (Part 1): A Fundamental and Technological Deep Dive for Hackers
2.9K views, 1 month ago
Yo, GraphQL is fun! As cybersecurity champions, we often fail to understand how a technology works at the core, but rush to understand how the technology is applied instead. Let's take it a step back and MASTER the idea of GraphQL! Video Timeline: 0:00 Intro 4:57 RESTful vs GraphQL 25:14 Common GraphQL misconfiguration 34:40 Exploiting GraphQL Join our discord community! discord.gg/qcBRsc6p
JWT: A Fundamental and Technological Deep Dive
302 views, 1 month ago
Yo, JWTs are fun! As cybersecurity champions, we often fail to understand how a technology works at the core, but rush to understand how the technology is applied instead. Let's take it a step back and MASTER the idea of JWT! Video Timeline: 5:33 Structure of JWT 12:05 Making our own JWT 35:29 Testing how JWT provides Authorization 45:23 Common JWT Misconfiguration (Overview) Join our discord co...
Hello, I'm Pap!
196 views, 1 month ago
Hello! Feynman’s learning technique comprises four key steps: 1. Select a concept to learn. 2. Teach it to a child. 3. Review and refine your understanding. 4. Organize your notes and revisit them regularly. Want to be a part of the Network? Join our community! discord.gg/qcBRsc6p

Comments

  • @DIYSEC
    @DIYSEC 10 hours ago

    Man you need to have a signed hand written signature to claim souls..😅Just checking the box is not enough , disputable in the court of god..

  • @edmonddantes1761
    @edmonddantes1761 1 day ago

    No one is going to hand this to you. There was never such a thing as a perfect job. You will not be making 6 figures out the gate as a noob with no degree/exp/only entry level certs. This is a tough road and if you aren't willing to set yourself apart, if all you want is some comfy WFH chill job, you're going to be disappointed. There are already too many of you saturating the entry pool with the same resumes you saw on that one guy's video.

  • @ivanpopov487
    @ivanpopov487 2 days ago

    Came here for the content, stayed for this guy's humour

  • @ryanb1960
    @ryanb1960 3 days ago

    One of the real ones here, Thank you EthicalPap Do Not Quit!

  • @deezybruh123
    @deezybruh123 5 days ago

    Duuude you are such a legend man!!!!

  • @deezybruh123
    @deezybruh123 5 days ago

    Duuude

  • @Pafiya256
    @Pafiya256 5 days ago

    Math behind this: (Cracking a password means the hacker is trying to guess your password, commonly with GPUs) If you only have 2 symbols and 3 number slots for your password you can only make 2×2×2 (8) unique passwords, it's "unique symbols" multiplied "letters slots" times. And if we use the "u^l" to calculate the chance of guessing the password we get this: For 64^8 we get 1 in ~2,81×10^14 For 27^8 we get 1 in ~5,81×10^25 With this information we can now calculate how strong the hacker's GPUs are and to see if this is realistic. 2,81×10^14 / x = 10 weeks x = ~5×10⁷ / s I can say it's realistic, even not that fast. The second one is even WAY safer than what was said in the video.

  • @Uthael_Kileanea
    @Uthael_Kileanea 5 days ago

    Imagine using Totally$ecurePassw0rd as your password.

  • @ziuber18
    @ziuber18 5 days ago

    Yeah, you can have 100 character password but if the site that stores your account gets hacked it's worth as little as puppy1234.

  • @chunanontv
    @chunanontv 5 days ago

    The skull crack gif in the middle of nowhere caught me off guard 💀

  • @ccmayhem7549
    @ccmayhem7549 5 days ago

    If there is a company that allows someone to attempt to bruteforce a password for days or weeks straight, there are far bigger security issues than PW length. Quantum & Faster parallel processes will knock your times down.

    • @ethicalpap
      @ethicalpap 5 days ago

      Don't forget about db dumps. If you get a hash, you can save it and match the hash locally, which a company has no control over. If you match the hash, then you either found a collision, or the password.

  • @ikubeberlin
    @ikubeberlin 5 days ago

    Yeah get 18 digits and the fun of changing forgotten passwords and unblocking users

    • @ethicalpap
      @ethicalpap 5 days ago

      I have nightmares of my helpdesk days, time to look into password managers 😂

  • @gummypanda7897
    @gummypanda7897 5 days ago

    I will use the entire Bible as my password

  • @khrishp
    @khrishp 5 days ago

    I remember reading an XKCD comic The most secure password is just really long, so if you just remember a string of words and make it like 30 characters long like a sentence then it could never get cracked. Like the phrase "negative horse button" as a password is literally like a million times more secure than an eight character password with a mix of letters, numbers and characters.

    • @Linkaless
      @Linkaless 5 days ago

      That's really weak vs a dictionary attack, you can build a script to run every combination of words that equal a set amount of characters. So "Greendoor" would get cracked within the day, or minutes, or seconds.

  • @threegeeks
    @threegeeks 5 days ago

    Let me introduce you to social engineering practices. Your super complex password suddenly means nothing. Accounting for human nature is a lot more difficult than making a complex password.

    • @ethicalpap
      @ethicalpap 5 days ago

      But protecting against social engineering is also pointless if you have a weak password, which now flips the scenario again and will continue this deadlock. We have to crawl first, then walk, then run 😉. Addressing social engineering is just as important, but should be done in parallel, not in lieu of password hygiene.

    • @threegeeks
      @threegeeks 5 days ago

      @@ethicalpap 100% I haven't run across many companies that even train employees on any kind of cybersecurity. On the personal level though, yeah, getting people past "P4ssW0rd" and such things is the first step.

  • @AskMoonBurst
    @AskMoonBurst 5 days ago

    If your password isn't long and randomized, which normally means you won't be able to remember it well yourself, the next best option is a passphrase. For example "Same bat time, same bat channel". It's easy to remember, and hits 31 characters.

    • @lordpuff
      @lordpuff 5 days ago

      Well there are unfortunately passphrase libraries used by hackers and tools that can make different words or passphrases if you give it enough information about you. Humans are still predictable ¯\_(ツ)_/¯

    • @calebwilliamson4418
      @calebwilliamson4418 5 days ago

      Is that LTT reference?

    • @AskMoonBurst
      @AskMoonBurst 5 days ago

      @@calebwilliamson4418 No. It's a reference to old batman. From like... Adam West days.

    • @normalchannel2185
      @normalchannel2185 5 days ago

      Unfortunately that then becomes weak to dictionary attacks. They ain't common nowadays since pass phrases are uncommon, but if it becomes the norm, then the whole point of lengthy passwords becomes moot, since the complexity is massively reduced

    • @AskMoonBurst
      @AskMoonBurst 5 days ago

      @@normalchannel2185 This IS true, but since they aren't common, it's a solid plan for the time being. Personally I do use random passwords kept in encrypted files on a few of my local devices, rather than in a browser. But I don't expect that to be the normal.

  • @store-manager-deluxe

    Do you think taking notes is good when learning in general like when learning new stuff. And not just when hacking and reconing a target?

    • @ethicalpap
      @ethicalpap 5 days ago

      Absolutely! I enjoy taking notes for general purposes as well (work, learning, school, etc) I use the Cherrytree app for other kinds of notes. The big thing is to make sure you are taking notes in a way that is easier for you to understand when you go back later. I like to write notes in my own words, that way I remember them better.

    • @store-manager-deluxe
      @store-manager-deluxe 2 days ago

      @@ethicalpap Thanks very much dude. I will start taking more notes lol. Underrated channel seriously. your content is top notch.

  • @qTravis666
    @qTravis666 6 days ago

    Why would the gpu matter more than cpu here

    • @MoldySalt
      @MoldySalt 5 days ago

      A GPU does a lot of smaller computations CPUs do less more complex computations

  • @theoriginalbeanboy
    @theoriginalbeanboy 6 days ago

    completely randomized, 24 characters or more, special characters, capitals included they will Never crack that password.

  • @DIYSEC
    @DIYSEC 7 days ago

    NTLM was the older hashing algorithm allowing a SSO with LDAP was vulnerable to pass the hash attacks NTLMv2 is most common now I believe, but I’m sure you researched your butt off after that interview, damn man you were close. Thanks for sharing!🎉

  • @deezybruh123
    @deezybruh123 7 days ago

    Eh, kind of true. Quantum computers are going to crack everything. Agencies like NIST (National Institute of Standard Technology) are already leading the “harvest now, decrypt later” initiative to protect sensitive government data. I’d look into Shor's algorithm (which could lead to cracking RSA), and ALSO, how we could utilize concepts in Euclid's Algorithm in conjunction with using a lattice point system to potentially safeguard information. P.S: 0% original, all just stuff available online, 100% willing to be wrong :) P.S.S: Would make a cool video P.S.S.S: Talk bout them computers made from da brain

    • @ethicalpap
      @ethicalpap 7 days ago

      Yes I participated in the NIST research. You are accurate and I also applaud you for doing that much research! Currently, the CRYSTALS-Kyber and CRYSTALS-Dilithium was said to be strongest against the super positioning attacks by quantum, but recently even researchers discovered a flaw with this too. There are solutions though. I appreciate your input here and can absolutely tell that you have done quite a bit of research on quantum

  • @store-manager-deluxe

    This is a quality video dude.

  • @DIYSEC
    @DIYSEC 7 days ago

    Wonder how much the rules change if the “normal” computers we use transition to quantum computers, or using a “AI Rig” similar to a crypto mining rigs to run throughout the possible password based on targeted profiling and custom word list 😅

    • @deezybruh123
      @deezybruh123 7 days ago

      Read comment above ^ Also, you can learn about Quantum Computing for FREE right NOW! Google -Qiskit

    • @ethicalpap
      @ethicalpap 7 days ago

      Good news is that we'd have to pull about 10,000 minimum qubits for quantum speeds to surpass binary. Superpositioning is still a thing, but rather slow currently. The last I checked, we were at 1180 qubits pulled, and if that's still accurate - 10k is still a ways away 😅

    • @DIYSEC
      @DIYSEC 7 days ago

      @@ethicalpap That does sound about right, In other words not even close lol 😂 That is good news, but In recent months, several quantum companies have made roadmap announcements with plans to reach 10,000 physical qubits in the next five years or sooner. This is a dramatic increase from the current 20 to 300 qubits, especially given that several of these companies have yet to release their first product. It would be way out the price range of the average individual as well lol .

  • @ellisfrancisfarros3935

    Wait, if they use only alphabets (18 characters), can't the hacker just do a dictionary attack? Or does it have to be actual words in the password for someone to use a dictionary attack?

    • @ethicalpap
      @ethicalpap 7 days ago

      Good question, dictionary attacks rely on a list of words. The chances that there are 18 character words or phrases in that list is less likely than that if there were 8 characters. For example, even a password like "turkeyistypeofbird" is far less likely to be in a list of words for a dictionary attack.

    • @ellisfrancisfarros3935
      @ellisfrancisfarros3935 6 days ago

      @@ethicalpap I see, thanks for the clarification.

  • @matts2700
    @matts2700 7 days ago

    Unbelievable that some websites still set such weak limits like 8 characters

    • @ethicalpap
      @ethicalpap 7 days ago

      Computers are getting faster, but the policies are lagging behind 😢

  • @harshraj5771
    @harshraj5771 8 days ago

    The best thing I found this year is your CZcams channel. Thanks, Van, for starting it. Love from India!

  • @MohanBhargav-dz1mt
    @MohanBhargav-dz1mt 8 days ago

    Underrated content. Your way of teaching and voice is so powerful. All the best for your journey and for me, I am picking what you are telling here. Love <3

  • @aramva-ze2mr
    @aramva-ze2mr 9 days ago

    thanks boss.i finished your graphql hacking videos and that was very helpful.thanks again

  • @ChoiceWars-cg7hn
    @ChoiceWars-cg7hn 12 days ago

    Whoa, this was like watching a movie, your storytelling, and the editing really is amazing , you're gonna go viral soon , mark my words.

    • @ChoiceWars-cg7hn
      @ChoiceWars-cg7hn 11 days ago

      Also may I know how you generated the AI images with your face on it ? Those look great.

    • @ethicalpap
      @ethicalpap 11 days ago

      I actually don't know 😅. My editor does it for me. Here is his discord, if you want to reach out and ask. discord: skylar_chris

  • @anshcybersec1953
    @anshcybersec1953 16 days ago

    sir what can i do if i found .well-known.js file on the target?? Content is: { "keys": [ { "alg": "RS256", "e": "AQAB", "kid": "2nQ40WIrwPwMcGXqfZ8GObHd687r48OznrRtDEjbIbg=", "kty": "RSA", "n": "AMg4mynBfEt5+LRomnkdfuCck3p9rLObHyzxHBmJOT5Xt/Jwg92sdMUeQPQyAdwqJ0j3FM2+waRgOnes6kJkwcqzbQEXurXmbqWUnagO8ZzdRrOIOVvni+gb+W6N3c16ZgV96dPzH/Hr6+KO9VDReES/W1oi2h14L6HfzjapfceMnWzlhH7tY5qAagap1XrWdbyGNkzLNAuih9U+BBIUf8k1CEv1r6VFwhoKHxHGJbxGRKyU4qvwWSjP+GvD1FMPJpUhSNItHTg1UmaKD9Oz54KCWKB5DWE1TIQ1LDX/F2qGP1EPVXg1m5QIdjAMJpIeJv86RHaTxnf9OMTWFkBbvpc=", "use": "sig" } ] }

  • @ethicalpap
    @ethicalpap 17 days ago

    Quick Note on Terminology: I used the term "Selection Type", but the actual query term is "Object Type".

  • @Tonda-ck6jp
    @Tonda-ck6jp 17 days ago

    Thank you for sharing with the community. I love your content. People in the industry tend to overcomplicate things. I spend hours trying to decipher information served on the internet. When I eventually wrap my head around it, I realize it wasn't complicated after all. The VAST majority of people out there tend to repeat what they heard without comprehending it. When you REALLY understand something, it's becoming easier to EXPLAIN it to someone, as opposed to regurgitating information like a parrot. The ability of GraphQL to serve different results for the same call depending on the parameters it takes, reminds me very much of the concept of Method Overloading in programming language. A quick note on "Selection Type". I had heard the term "Object Type" but not "Selection Type" 🤔

    • @ethicalpap
      @ethicalpap 17 days ago

      Thank you kindly, I'm glad that I can be of some help! Also, you are correct, the term is "object type" not "selection type". Although I meant object type, I used the wrong word (probably because my mind kept going on with "select an object type.... selection type!"). Thanks for pointing this out though. I learned best from corrections like this, so it means a lot to me, that you took the time to do so :).

  • @MindWaves-ud6ct
    @MindWaves-ud6ct 17 days ago

    Whoa , that's a great video, btw insane editing. 📈

  • @DIYSEC
    @DIYSEC 18 days ago

    Top notch content, good job! Thanks for sharing, definitely looking forward to that part 2 and 3 .

  • @anshcybersec1953
    @anshcybersec1953 18 days ago

    graphql part3?🥹

  • @anshcybersec1953
    @anshcybersec1953 18 days ago

    everything is top notch!!!🙌🙌🙌🙌

  • @Roonieee29
    @Roonieee29 19 days ago

    Thumbnail : 🗿, Story telling : 🗿, Editing : 🗿, Content :🗿, It's just perfect.

  • @theIlya2
    @theIlya2 19 days ago

    You're really good! Hope you get more subscribers :)

  • @musikhippie4030
    @musikhippie4030 22 days ago

    Hey pap, new here. I just graduated with my bachelors in IT, now am going for a master is IT. My masters classes are focusing on system testing, virtualization and enterprise architecture and security. I really like the idea of ethical hacking, I have limited experience actually hacking and i started doing ctf's on hackerone and picoCTF. I think cybersecurity researcher might be cool and I want to be able to analyze malware and understand how it works. Do you have any recommendation for finding information on roles in cybersec and picking a niche? looking at some job posting for entry lvl, I see there are some blurred lines on job titles and descriptions. I'm not sure what i want to do yet but I know help desk isnt where i want to stay and coding is ok but I'm not the best at it and I really enjoy reading stories of cybercrimes and how they worked. Ig any advice would be appreciated. good video, I have seen of few videos and this one felt the most real to me.

  • @ciszaiogien
    @ciszaiogien 22 days ago

    I mean... it's not brilliant because these things are kind of obvious, it's just materialism, monkey see monkey do... Do you want to know what is really genius? Deep understanding of spirituality or religion, whatever you name it. And honestly in this subject, "knowing how to live like a normal human should" the humanity is 100% evolving but backwards, people can't even trust each other, and you're saying "security" is brilliant... ehh. Future is not "intelligent", because even the definition of "intelligence" has been changed to match the modern world agendas. Want to change the world? Change yourself first, as in, understand who YOU really are. "security" changes literally nothing, because most people are just living in a "wake" dream all the time, sleepwalking, not really conscious, you don't even know who you are probably, and you make some opinions about anything? What is even the point? Real science starts when you know yourself and are able to relate to everything. Talking some opinions doesn't matter, the reality, the laws of nature don't care. The humanity is going to be doomed, people are unbecoming of the human species, for we live in an age of post-truth, where truth doesn't matter, or actually the truth-sayers and seekers are being prosecuted by the common people all the time every single day for decades now, also thanks internet ! ! .. it's not brilliant it's a civilizational collapse, like if you can't see it coming

    • @ethicalpap
      @ethicalpap 22 days ago

      Thanks for sharing, perspectives are always welcome. Though I should clarify, Brilliant here is a reference to people, not "security". What I mean is that security is not the reason why people are Brilliant, it's just a career path in this context.

    • @TheElementAce
      @TheElementAce 21 days ago

      "If" humanity is doomed, then you are certainly one of the ushers in its destruction. ONE CZcamsr, posted a positive video (in a sea of negative content) about ONE diligent individual, and you couldn't even allow that. I was delighted to finally see a video suggesting that my generation had some praise from an older generation. I see hundreds of videos berating us each month. I understand what you are going for, but you are approaching it from the wrong angle. Your approach lacks humility, and fails to integrate all of the lower (but necessary) aspects of human development in your consideration for the actions of other human beings. Your comment was just completely unnecessary. Take that to Reddit.

    • @ciszaiogien
      @ciszaiogien 14 days ago

      @@ethicalpap yea no worry, words, but still

    • @ciszaiogien
      @ciszaiogien 14 days ago

      @@TheElementAce well if the truth hurts, do you still want it or not? I tried to be considerate, trust me on that at least. I know it was "unnecessary" because nobody Factually wants to grow up/evolve, NOBODY, because it actually hurts a lot. Evolution doesn't come with a "passion", it's complicated... Sad but true, it's literal hell of a life where everyone's kinda childish but everyone in a different way. You do realize I kind of first commented to "grow up" and now you are telling me literally the same thing? :D Do you know how ridonculous that is? I know it's unnecessary, that's why there is no detail, nobody cares anyway. And oh I know that well. I wrote a poem. "Life without giving a F is a Lie." Think about it. And also think why nobody wants to sacrifice their own "perspective" to evolve. I really did start my path as a programmer too, when I was 7 or 8 old, and so what? You didn't understand what I wrote, lack of experience my man. That's all there is to it. Sorry. But you are talking about yourself mr humanity is doomed. I honestly have no idea why I turned on notifications, literally every reply I got in all the places is so bad I can't begin to fathom how very doomed we all are

    • @TheElementAce
      @TheElementAce 14 days ago

      @@ciszaiogien I'm not asking you to "grow up". I wanted you to realize that your "truth" is only applicable to humanity as a whole. And your points don't scale down to the individual level. A single human does what he/she can, given their circumstances. They cannot act in the best interests of all of society, because there are too many interests to consider at once. For example, if there's a kid who is looking for a place to belong, they will choose the place that gives them the most reward. This is natural. But if the system they live in only rewards negative outcomes for society, that kid is forced to participate. If the kid chooses not to participate, their punishment is a life of struggle and poverty. Under these circumstances, it's not fair to criticize someone who chooses to participate, because effectively, they have no choice. The people alive right now didn't set the rules of our society. They simply were born, and found themselves in a period of social decline. But they still have to develop. And they will do so with the options they are given. The "truth" is irrelevant to this fact. So if you want people to turn to religious or spiritual things, you have to make that option more rewarding than the options you believe destroy society. Otherwise, you are wasting your time.

  • @DLAXTOX
    @DLAXTOX 22 days ago

    What is this about?

    • @ethicalpap
      @ethicalpap 22 days ago

      What do you mean by this?

    • @DLAXTOX
      @DLAXTOX 22 days ago

      @@ethicalpap .I did not know the discussion was about some advance cyber security stuff.

    • @ethicalpap
      @ethicalpap 22 days ago

      @@DLAXTOX I see. yes, this video is me giving Neswin the floor. Neswin is young like many other young, brilliant, people out there looking to be cybersecurity professionals. I hope that Neswin is able to encourage other people to keep following their dreams :)

  • @supreme-erg9875
    @supreme-erg9875 22 days ago

    This humbled me. 8 hours a day is crazy and inspiring.

  • @cicadamikoto
    @cicadamikoto 23 days ago

    Neswin is GOAT

  • @lewmarks
    @lewmarks 25 days ago

    I've watched a TON of videos like this and this here is the BEST that I've heard so far! Know the role and start working on it! BEST advice I've heard so far! I thank you for this! Now I can concentrate on taking my Security+ and then jump into what I want. Thank you!

  • @unknownboi9084
    @unknownboi9084 25 days ago

    I know this is off topic, but what games do you usually play on your Nintendo Switch? Great video btw, keep up the great work. Love your enthusiasm of teaching.

    • @ethicalpap
      @ethicalpap 25 days ago

      Thanks! I usually play Zelda Mario Kart Pokemon Smash Bros

  • @ethicalpap
    @ethicalpap 27 days ago

    Next Deep Dive video in the works! Stay tuned, EthicalFam 🔥

    • @anshcybersec1953
      @anshcybersec1953 27 days ago

      sir your all videos are 🔥🔥 but i am eagerly waiting for graphql part 3 please if possible schedule it as soon as possible

    • @ethicalpap
      @ethicalpap 26 days ago

      ​@anshcybersec1953 patience, my friend ;)

  • @TestAccountUndetailed-dd7vp

    first comment lets goo

  • @learnngo-jr5xu
    @learnngo-jr5xu 29 days ago

    Out of curiosity. What are your thoughts on authorization? In technologies like JavaScript, Auth as a service is becoming the norm as opposed to rolling your own. Where in other tech frameworks like Rails and Laravel auth is part of the framework.

    • @ethicalpap
      @ethicalpap 28 days ago

      Funny you mention this, I touch on this in a video that I just finished recording. It should be out in a few days. My thoughts are this: Delegating Authorization for APIs had been a thought for about 2 decades. Major tech firms were working on proprietary implementations, leading up to the OAuth 1.0 specification release in 2007. Now, before I continue here - it is important to note that technology evolves for the purposes of providing convenience to people, whereas cybersecurity evolves for the purpose of ensuring that these convenient methods are secured (thus potentially making them less convenient). It's almost like a game of tug-of-war. Now, rolling your own Auth can be a good thing, but can be unappealing for a business. Here's why: good with own solution: - customizable, flexible, full control of implementation and protocols. bad with own solution: - takes far more time to implement than an out-of-box solution, meaning the company would incur more upfront cost in development, as well as potentially more costs in maintenance, testing, patching, and scaling. *there are far more pros and cons, but I only chose 1 for the sake of a shortened response. So, while a dev might be inclined to employ their own solution for full control, an organization might opt for a faster and cost effective solution. If this is the case, it is up to the cyber-team to work with the devs to ensure that the chosen solution is optimal, cost-effective, and also can be hardened to an acceptable level.

  • @yusufabdulkadir893
    @yusufabdulkadir893 29 days ago

    Thank you

  • @ANMOLVERMA-er4vj
    @ANMOLVERMA-er4vj 1 month ago

    Sir may i know after how much time-gap i can expect Part-3 of this video

    • @ethicalpap
      @ethicalpap 29 days ago

      Maybe a few weeks, I have some other deep dives coming soon :). Stay tuned!