🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy In my last video, I built 24 websites in 24 hours. 🚀 But with such a rapid development sprint, I knew security might have taken a backseat. So in this video, I decided to don my hacker hat and attempt to penetrate my own sites using tools like Nikto, OWASP Zap, Burp Suite, and Snyk. Spoiler alert: I didn't find much. 😅 Realizing my limitations, I called in reinforcements-my friend and professional ethical hacker Tyler Ramsbey. Tyler took the wheel and performed a thorough penetration test on my websites, uncovering vulnerabilities I had completely overlooked. From exposed API keys to cross-site scripting (XSS) and even accessing hidden admin panels, Tyler shows us how a real hacker would exploit these weaknesses. 😱 Along the way, we discuss how tools like LLMs (Large Language Models) can be both a blessing and a curse in cybersecurity, aiding both defenders and attackers. 🛡⚔ Subscribe to Tyler Ramsbey: www.youtube.com/@TylerRamsbey
He just did a video about using Python on Telegram and I was wondering if what he's doing is ethical and legal ... Will you please explain , brother . Thank you and hugs from your autistic sister in Costa Rica
would love the video for building and deploying 24 sites in 24 hours!! Bruh, like how you gently cover that wonderful detail but not show us hoooooooooooow lol! Great videos as usual! Thank you!
Summary of the video: Network chuck sets his website account Username: admin Password: admin Tyler randomly guesses admin/admin Network Chuck: OMGGGGGGG he just hacked my website!!!! AMAZIUNNNNG!!!!!!!
Following you since the beginning of your channel...feels really nice to see that you are Posting new videos regularly..means a lot to a fan like me...
as a web dev. none of this stuff to me was anything even remotely educational... this screams grade 8 in the library at lunch time. isnt even at a script kiddy level really
Owasp Zap and burp suite are what enterprise companies use for DAST and provide to developers and pen testers alike as part of the DevSecOps cycle. Allows for rapid feedback to the developer to reduce risk before it deploys with issues, and is a valuable tool for pen testers poking at a web server in different ways.
You guys are awesome. Thank you for what you do. Chuck has amazing guests all the time. You guys have inspired me to change careers at the ripe old age of 46. I’m going to. I’m starting my coursera IT support specialist. Then most likely the cybersecurity course. I’ve been in law enforcement for the better part of nine years. I’m over it! Thanks again guys!
Good luck with the transition! I'm only 27 myself and am aiming to make the same move. Even with Google's cybersecurity certificate and CompTIA's Security+, I haven't managed to find any hits yet :/ But I know the jobs are out there, and wish you the best in getting there :D
@@Blob-qo5iq - I was told it was 24 web servers to enumerate and provided with the hosts. In an actual pentest, a database would be off-limits unless specified as in-scope. (Chuck only told me the web servers were my targets)
@@Blob-qo5iq - Yeah, good question. So for context, I was provided with 24 websites by Chuck with the instruction to create a video of me looking at the websites for any vulnerabilities. I was not provided any additional context In a web app pentest -- any other services are strictly off-limits because they are out-of-scope. Since the client (Chuck in this case), provided me with the specific full URLs of the in-scope websites - I wouldn't be running nmap to discover hidden services. If, on the other hand, I was told these IPs are in scope, then I would run nmap (but that's not what I was told). I hope that makes sense :)
Chuck I salute you Sir, I started and ventured into IT because of you i really got inspiration and so it was a fun adventure persuing IT, i have seen your journey and evolution from networking servers up to now you are a cyber warLord, keep doing the impactful great work your doing.
Burp is very powerful i found out. lets just say it caught me off guard and I found a major vulnerability in a 500 billion dollar company. still learning it but treat it like a gun anywhere you point it something can go down.
Oh shoot, it's a real hacking example video with real cyber security processes non-sponser, non-proprietary toolset, just back to back explanation of every step of the way, fantastic
@@spiderlurker yeah the video is sponsored so thats obvious, but I think the general content of the video is generalised enough to say that, even as a non-sponsored video, it would be interesting
@NetworkChuck just a quick question, may i ask the ram you have on your computer? I see you work like me on VirtualBox and Kali Linux, needs ram for sure, so, what ram memory do you recommend for a descent work?
Guessing those sites were on a hostinger shared host. You didn't violate tos or anything for their shared hosting running pen tests like this with nuclei?
Hey Chuck can you make a video on how to find secrets on people like hack in their phones and discover secrets don't worry i just want to learn how because I want to become a ethical hacker
for the coffee, run it through a coffee filter, like one of the filter holders that sit on top of cup.. and um.. I have seen a couple of your videos where you have "literally" welcomed people to try hacking you.. 8D
is your site vulnerable to XSS, like if I comment alert("love you bro") and it gets chosen as the comment of the day, would there be a window popup for everyone who logs into the website
Have you seen the clasic scifi movie The Day The Earth Stood Still? I’m guessing the name nikto came from that since it coined the famous line “Klaatu barada nikto” which means “Stop barbarism, I have death, bind.”😂
People complain its all easy thing to do. Yeah obviously its beginner friendly he had to reach larger audiance. Also being pro doesnt mean you dont do basic error too so I would say it still pertinent for all of us.
You can do this with python. 2 functions you can use are: with open("thenameof your file","r") and split to get the output format you want. Good luck ^^
@@ytaccount3434 YES. Companies don't seem to understand the simple fact that WordPress is a BLOGGER Framework made for private persons (or very very small organisations). It is bad at load handling, you have a very bad overview over all the plugins and their vulnerabilities, practically not made for being secure and you have no good way of adding backend stuff (like an API, a database, server-side javascript) natively. You will have to host another server just for that. But then why use wordpress in the first place when you need to host your own NodeJS Backend?
It is kinda sad Tyler missed the lowest hanging fruits just by not doing port scanning (he missed the exposed DB), which should be like one of the first steps. In the end, this is just basic demo stuff and nothing too crazy shown here.
I provided some more context on my channel - but I was provided with 24 full URLs that are in-scope by Chuck. I was not provided any additional context, and was told to treat it like a web app pentest with those in-scope URLs. When a client provides specific URLs that are in-scope, you do not perform nmap scanning on the underlying IPs. If I could have been provided instead with a list of IPs, I would have run Nessus and Nmap on those lists. So the reason I "missed" the database is because the database was explicitly out-of-scope, based on the information I was provided for the video.
🔥🔥Join the NetworkChuck Academy!: ntck.co/NCAcademy
In my last video, I built 24 websites in 24 hours. 🚀 But with such a rapid development sprint, I knew security might have taken a backseat. So in this video, I decided to don my hacker hat and attempt to penetrate my own sites using tools like Nikto, OWASP Zap, Burp Suite, and Snyk. Spoiler alert: I didn't find much. 😅
Realizing my limitations, I called in reinforcements-my friend and professional ethical hacker Tyler Ramsbey. Tyler took the wheel and performed a thorough penetration test on my websites, uncovering vulnerabilities I had completely overlooked. From exposed API keys to cross-site scripting (XSS) and even accessing hidden admin panels, Tyler shows us how a real hacker would exploit these weaknesses. 😱
Along the way, we discuss how tools like LLMs (Large Language Models) can be both a blessing and a curse in cybersecurity, aiding both defenders and attackers. 🛡⚔
Subscribe to Tyler Ramsbey: www.youtube.com/@TylerRamsbey
🎉
He just did a video about using Python on Telegram and I was wondering if what he's doing is ethical and legal ... Will you please explain , brother . Thank you and hugs from your autistic sister in Costa Rica
Bro is really skilled I watch him every time but he have not much follower thanks network chuck for letting him hack your web hehe
would love the video for building and deploying 24 sites in 24 hours!! Bruh, like how you gently cover that wonderful detail but not show us hoooooooooooow lol! Great videos as usual! Thank you!
nah I'd just use avast
Summary of the video:
Network chuck sets his website account
Username: admin
Password: admin
Tyler randomly guesses admin/admin
Network Chuck: OMGGGGGGG he just hacked my website!!!! AMAZIUNNNNG!!!!!!!
He even missed the file upload -.-
Thanks pal, you're a pal
I feel chuck is getting more and more beginner friendly to the point his audience is normal people
4 million subs
@@WorkersRise that makes sense
Kind of a shame really, they did a whole bunch of nothing.
His content has always been beginner hey look at this pineapple you can hack with it! with no real deep dive.
Which is weird given the take he had on LTTs compita A+ exam.... Shill. Shill. Shill.
Tyler is a really decent dude. His discord is awesome too. Thanks Chuck for having him on. He's at less than 20k subs I think which is just criminal.
17:05 , 17:30 contradicting yourself in 25 seconds is pretty impressive
haters more worried about someones speech than learning, you guys do realize he is a human right?
shame this was super simple, tyler is pretty talented at this stuff.
31:51 bro changed time
CHUK :ARE YOU SERIOUS?????????
Absolutely amazing to be part of this. Thank you @NetworkChuck!
Your Amazing Sir.👍
I watch you all time lil bro you are really skilled thanks for your TH-cam vids they helped me lots😊
I w kk
Yoooooo let’s go
Hi
I really appreciate how he is actually teaching people at square 0. Really need a lot of that in such an available format.
Following you since the beginning of your channel...feels really nice to see that you are Posting new videos regularly..means a lot to a fan like me...
>Points out dodgy addons that scrape data, while using Chrome
Priceless comedy
I thought the point of this channel was comedy. All he ever covers is surface level stuff.
@@blancfilms This video popped up somewhere so I checked it out, not looked at anything else to be fair.
@@blancfilms its to raise interest, bro has made a lot of others get into IT.
as a web dev. none of this stuff to me was anything even remotely educational... this screams grade 8 in the library at lunch time. isnt even at a script kiddy level really
True i though i will see something sophisticated.
Sorry who?
@@theguythatknows are you 12?
Owasp Zap and burp suite are what enterprise companies use for DAST and provide to developers and pen testers alike as part of the DevSecOps cycle. Allows for rapid feedback to the developer to reduce risk before it deploys with issues, and is a valuable tool for pen testers poking at a web server in different ways.
That's not the point though is it? Having some knowledge/idea is way better than having nothing.
That was fun! Thanks Tyler!!
Great video chuck. You have the special sauce when it comes to IT learning videos!
I just finished watching your previous video, then this gem dropped, made my day so much better
You guys are awesome. Thank you for what you do. Chuck has amazing guests all the time. You guys have inspired me to change careers at the ripe old age of 46. I’m going to. I’m starting my coursera IT support specialist. Then most likely the cybersecurity course. I’ve been in law enforcement for the better part of nine years. I’m over it! Thanks again guys!
That's awesome! Let me know if I can be of assistance!
Good luck dude
Good luck with the transition! I'm only 27 myself and am aiming to make the same move. Even with Google's cybersecurity certificate and CompTIA's Security+, I haven't managed to find any hits yet :/
But I know the jobs are out there, and wish you the best in getting there :D
This is a great collab! More of these in the future pls
Would be cool to see him go through this again but more in depth with what he would do for an actual pentest.
I have 400+ videos on my channel doing that exact thing with other challenges/machines :)
@@TylerRamsbey Why did you not do basic nmap scans in the beginning. You would have easily found the exposed DB
@@Blob-qo5iq - I was told it was 24 web servers to enumerate and provided with the hosts. In an actual pentest, a database would be off-limits unless specified as in-scope.
(Chuck only told me the web servers were my targets)
@@Blob-qo5iq - Yeah, good question.
So for context, I was provided with 24 websites by Chuck with the instruction to create a video of me looking at the websites for any vulnerabilities. I was not provided any additional context
In a web app pentest -- any other services are strictly off-limits because they are out-of-scope. Since the client (Chuck in this case), provided me with the specific full URLs of the in-scope websites - I wouldn't be running nmap to discover hidden services.
If, on the other hand, I was told these IPs are in scope, then I would run nmap (but that's not what I was told).
I hope that makes sense :)
@@Blob-qo5iq noisy
Yooooo my favorite rapper is here
Chuck I salute you Sir, I started and ventured into IT because of you i really got inspiration and so it was a fun adventure persuing IT, i have seen your journey and evolution from networking servers up to now you are a cyber warLord, keep doing the impactful great work your doing.
kali doesnt have OWASP pre installed, i even just updated kali and still cant find it.
Coffee beans can be found in Forests and wild animals can be found at a watering hole.
cool!
French Press is amazing for that "cup-to-go"! Grinding your own beans? That's where you go over the deep end of the dive :P
Been waiting for this for so long!!!
Great video! Thank you Tyler and Chuck!
The best part is the "same password as my bank account" 😅😅😅
hey you used the wrong thumbnail when you mentioned the website video at the beginning, 0:03
Awesome video and Tyler is an awesome dude too!!!
Great to think that I knew how to do 99% of these!!
Tyler is good people. Awesome interview.
NetworkChuck is Peter McKinnon, if Peter had gotten really into computers instead of really into cameras.
Peter McKinnon, network chuck and cuppajoe5 are the same dude with different hobbies 😂
ajax is making a specific request to a specific url, it reloads the data without reloading the page
Under hour gang
I don't know why you wouldn't white hat. You'd make a fortune.
How I make French Press coffee. I stir a little. Then push the plunger down until all the grounds are all underwater. Then I wait 4 minutes.
Hardcoding your api keys is a dangerous habit. An expensive lesson for some, including myself.
You have my uninterrupted attention for rest of my days …
Is it time to update the quote website to leverage ai to pull quotes dynamically from your videos? :P
fun enough I came from tyler's channel love this colab
great video chuck 🎉🎉
Are there any tools that you'd recommend us regular web designers, to test the security of our sites?
Awesome video!!
Chuck be like: "ways to hide your files like a hacker" = "making 24 websites" 😂😂😂😂 0:01
Damn, amazing video, bro! Keep inspiring!
How exhausting this kind of thing can be for someone.
Burp is very powerful i found out. lets just say it caught me off guard and I found a major vulnerability in a 500 billion dollar company. still learning it but treat it like a gun anywhere you point it something can go down.
even a website got hacked just because of animation-timeline in CSS.
Oh shoot, it's a real hacking example video with real cyber security processes
non-sponser, non-proprietary toolset, just back to back explanation of every step of the way, fantastic
Don't be fooled, there's a sponsor for the video and there's a $449 price tag on the software that's showcased. Still great info in the video though.
@@spiderlurker - The software I showcased is free and I personally don't make any sponsored content :)
It's nice basic stuff you could easily read up onto. But defenitely a nice demo showing the lowest hanging fruits
@@spiderlurker yeah the video is sponsored so thats obvious, but I think the general content of the video is generalised enough to say that, even as a non-sponsored video, it would be interesting
@@Blob-qo5iq yeah, its a nice "taste tester", with more stronger examples in the future using CLI utilities and maybe examples of the cyber kill chain
Caffeine addiction at its finest. Also good IT vids.
he just said in the previous video, that he doesnt drink caffeine coffe anymore cus of the age.
Does Guardio protect against supply chain attack which may result in explosive being planted in your home and personal devices?
@NetworkChuck just a quick question, may i ask the ram you have on your computer? I see you work like me on VirtualBox and Kali Linux, needs ram for sure, so, what ram memory do you recommend for a descent work?
16gb for native OS host and 32gb for vm's. 4gb for cli vm or 8gb for gui. double that for windows VMs,
Axios was on a beta version; which is the wrapper for "Ajax" requests, coincidentally.
Tyler Ramsby brought me here !!
Thanks for both of you great lesson
Next Video: How to make good coffee
Guessing those sites were on a hostinger shared host. You didn't violate tos or anything for their shared hosting running pen tests like this with nuclei?
Can we get the recipe for the coffee?
If it is hosted on AWS you can do a Denial of Wallet attack
ohhh the set in the bg lookin crisp asf
Still got the coffee on point. My man.
Chuck, please put some of you applications behind Cloud flare and re-test.
That is just level 1 any-one can do it
What do you expect considering the format and content on this channel?
That's the whole point, giving entry level users the tools they need to sus out what might be a problem.
the Science Method looks so much cooler
Hey Chuck can you make a video on how to find secrets on people like hack in their phones and discover secrets don't worry i just want to learn how because I want to become a ethical hacker
You made 24 websites in the "Hide your files like a hacker" video? (you maybe want to correct that :) )
so he did like...Directory traversal exploits vulnerabilities scan , right ?
I don't think you could make it any easier
for the coffee, run it through a coffee filter, like one of the filter holders that sit on top of cup..
and um.. I have seen a couple of your videos where you have "literally" welcomed people to try hacking you.. 8D
You don't know burp what kind of hacker r u?
Can you help me set up my Alfa adapter in Linux so I can start testing?
I only watch these videos so that I know how to make coffee ☕
I am checking youtube so often that I got to see AB testing 😅 - that is why I clicked, to write about it
thats not hacking... thats just the first few points in the book of "dont do this on your site"
root loging .... NAH rogin!!!!! this is funnier than it is supposed to be hahaha!
that is so cool father of linux
trello must have had some big data leak since i got that leak warning about trello too
is your site vulnerable to XSS, like if I comment alert("love you bro") and it gets chosen as the comment of the day, would there be a window popup for everyone who logs into the website
first dam it!!chunk got to reply this comment!
This video is one of the best pen testing videos I have watched in a while
Have you seen the clasic scifi movie The Day The Earth Stood Still? I’m guessing the name nikto came from that since it coined the famous line “Klaatu barada nikto” which means “Stop barbarism, I have death, bind.”😂
bro im crying my entire website was hacked
People complain its all easy thing to do. Yeah obviously its beginner friendly he had to reach larger audiance. Also being pro doesnt mean you dont do basic error too so I would say it still pertinent for all of us.
Hey just hacked my countdown 😂
we need more of this
which is the best vm tool vmware, hyper-v, or virtualbox??
Can you explain/create a video how to extract emails from a DUMP file? I have emails compressed in a dump file (.dmp files)
You can do this with python. 2 functions you can use are: with open("thenameof your file","r") and split to get the output format you want. Good luck ^^
I think he is slowly becoming James Hoffman 😂
people burp at me in counter stike.... and i cry at night... rightly so i guess T_T
zaproxy is NOT installed by default. but ok
The #1 reason sites get hacked "I don't want to do this, I don't have time for this." :) Oh and wordpress.
Is WordPress this bad?
@@ytaccount3434 YES. Companies don't seem to understand the simple fact that WordPress is a BLOGGER Framework made for private persons (or very very small organisations).
It is bad at load handling, you have a very bad overview over all the plugins and their vulnerabilities, practically not made for being secure and you have no good way of adding backend stuff (like an API, a database, server-side javascript) natively. You will have to host another server just for that. But then why use wordpress in the first place when you need to host your own NodeJS Backend?
How to show hidden networks in Kali Linux
It is kinda sad Tyler missed the lowest hanging fruits just by not doing port scanning (he missed the exposed DB), which should be like one of the first steps. In the end, this is just basic demo stuff and nothing too crazy shown here.
I provided some more context on my channel - but I was provided with 24 full URLs that are in-scope by Chuck. I was not provided any additional context, and was told to treat it like a web app pentest with those in-scope URLs.
When a client provides specific URLs that are in-scope, you do not perform nmap scanning on the underlying IPs. If I could have been provided instead with a list of IPs, I would have run Nessus and Nmap on those lists.
So the reason I "missed" the database is because the database was explicitly out-of-scope, based on the information I was provided for the video.
Χριστος γεννηθη δοξασατε. Χριστον εν ουρανοις απαντησατε Χριστον επι γης δοξασατε.
A very underated tool is Vega
And have ISO Policies like Business Continuity.
15:18 root rogin
what is Tyler youtube chanel name
I subscribed this great channel
This is exactly why hacking is no more a powerful source ..when you have ppl creating script kiddies online.
you are part of the script kiddies. look at your profile picture
Network Chuck was a nice actor
Hello Chuck, greetings from Argentina, could you do a Cloudflare tutorial on how to use Tunnel for my server?