CyberCode Academy episodes:

• March 20, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 15: Mastering Metasploitable 2: A Comprehensive Pentesting Guide

  In this lesson, you’ll learn about:
  

  • Metasploitable 2, an intentionally vulnerable Ubuntu-based virtual machine designed for safely practicing penetration testing techniques in a controlled lab.
  • Structured reconnaissance and enumeration, using tools like Nmap to identify open ports, detect service versions, and map the attack surface before attempting exploitation.
  • Service version detection and exploit matching, identifying outdated or vulnerable services such as:
    • Apache Tomcat
    • vsftpd
    • UnrealIRCd
  • Exploiting intentionally placed backdoors, understanding how misconfigured or vulnerable services can lead to immediate privileged access in lab environments.
  • Credential-based attacks, demonstrating the security risks of weak or default credentials across services like FTP, MySQL, and Tomcat Manager using modules within Metasploit.
  • Remote Code Execution (RCE) scenarios, analyzing vulnerabilities in services such as:
    • Samba (usermap_script vulnerability)
    • DistCC
    • Apache HTTP Server (PHP CGI misconfigurations)
  • Web application exploitation techniques, including:
    • Extracting sensitive server information from diagnostic pages (e.g., phpinfo)
    • Uploading malicious payloads through misconfigured management consoles to gain controlled shell access (e.g., Meterpreter sessions)
  • End-to-end penetration testing workflow, moving from reconnaissance → enumeration → exploitation → post-exploitation within a safe training environment.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 19, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 14: Web Essentials: Files, Extensions, and Enumeration

  This episode explores the fundamental web files and extensions that are critical for both web development and security enumeration. It provides a detailed breakdown of how automated programs, such as search engine crawlers, interact with web servers and how these interactions can reveal sensitive information. Key topics include:
  

  • Instructional Web Files: The episode covers robots.txt, which provides instructions to web robots regarding crawl delays and indexing restrictions. It also examines sitemap.xml, which serves as a roadmap for a website to ensure search engines can find all important pages.
  • Enumeration Techniques: Guidance is provided on how to manually and automatically enumerate these files using tools like Nmap (via scripts like http-robots.txt and http-sitemap-generator) and Metasploit to discover pages that developers might not want indexed.
  • Default Pages and Information Disclosure: You will learn about common default web pages (e.g., index.html, index.php) and how identifying these files can disclose specific details about the web server to an attacker.
  • Data Handling and Extensions: The episode identifies common file extensions for compressed archives (e.g., .zip, .tar.gz) and database files (e.g., .sql, .db, .sqlite). It also provides practical instructions for using the tar command for file compression and SQLite 3 or DB Browser for SQLite for managing database content.
  • Git Fundamentals: Finally, the session introduces essential Git commands such as init, clone, commit, and push for managing code repositories.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 18, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 13: Essential Web Application Penetration Testing and Scanning Tool

  In this lesson, you’ll learn about:
  

  • Web application penetration testing workflows, focusing on discovering hidden resources, identifying vulnerabilities, and validating security weaknesses in authorized testing environments.
  • Content discovery tools, including:
    • DirBuster for dictionary-based directory and file enumeration.
    • Dirb (often referenced similarly in labs) for brute-forcing hidden paths.
  • Vulnerability scanning utilities, such as:
    • Nikto for detecting dangerous files, outdated services, and misconfigurations.
    • WPScan for auditing WordPress installations, enumerating plugins, themes, and users.
  • Exploitation and injection testing tools, including:
    • sqlmap for automating the detection and validation of SQL injection vulnerabilities.
    • Wfuzz for fuzzing parameters, brute-forcing inputs, and discovering unlinked resources.
  • Reconnaissance and surface mapping tools, such as:
    • Aquatone for generating visual attack surface maps via automated screenshots.
    • CeWL for spidering websites to create targeted wordlists for testing.
  • Practical lab application, reinforcing hands-on usage to understand how these tools complement each other during reconnaissance, enumeration, and vulnerability validation phases.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 17, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 12: Introduction to Banner Grabbing and Service Fingerprinting

  In this lesson, you’ll learn about:
  

  • Banner grabbing (service fingerprinting), a technique used to identify open ports, running services, and version information exposed by a target system.
  • How service banners work, understanding that many network services return text-based responses revealing software type, version numbers, and sometimes operating system details.
  • Active vs. passive banner grabbing, including:
    • Active methods — directly sending crafted requests to a target host.
    • Passive methods — analyzing intercepted traffic or publicly available cached responses without directly interacting with the host.
  • Command-line banner grabbing tools, such as:
    • curl -I and wget -S for retrieving HTTP header information.
    • telnet and netcat (nc) for manually connecting to service ports (e.g., FTP on port 21) to retrieve version details.
  • Automated scanning utilities, including:
    • Nikto for identifying web server vulnerabilities and misconfigurations.
    • Nmap using the -sV flag to detect and display service versions across discovered ports.
  • Web proxy inspection, using Burp Suite to analyze HTTP responses and identify server technologies (e.g., Apache, Microsoft IIS) and application frameworks.
  • Practical lab application, reinforcing how banner data supports vulnerability research, exploit selection, and broader network security assessments.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 16, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 11: OSINT, Reconnaissance, and Scanning: Foundations and Tools

  In this lesson, you’ll learn about:
  

  • The early phases of a penetration test, focusing on intelligence gathering, infrastructure mapping, and active scanning techniques.
  • Open Source Intelligence (OSINT), collecting actionable data from publicly available sources without directly interacting with the target system.
  • Google hacking (dorking), using advanced search operators like site:, filetype:, and intitle: to uncover exposed files, misconfigurations, and sensitive information.
  • The Google Hacking Database (GHDB), a curated repository of search queries used by security researchers to identify common web exposure issues.
  • Reconnaissance techniques, including:
    • Identifying authorized IP address ranges to stay within legal testing scope
    • Domain and subdomain enumeration using tools like dig and DNS reconnaissance utilities
    • Email enumeration from public sources to assess potential social engineering vectors
  • Scanning methodologies, transitioning from passive discovery to active probing through:
    • Host discovery
    • Port scanning
    • Service enumeration
    • Vulnerability identification
  • Key industry tools used during scanning, including:
    • Nmap for network and port mapping
    • Nessus and OpenVAS for vulnerability assessments
    • Burp Suite and OWASP ZAP for web application testing
    • Metasploit for controlled exploitation and post-enumeration validation

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 15, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 10: OWASP Fundamentals: Top 10 Vulnerabilities and Web Security

  In this lesson, you’ll learn about:
  

  • Open Web Application Security Project (OWASP), an open community focused on improving software security through standards, tools, and best practices.
  • The OWASP Top 10, a widely recognized awareness document outlining the most critical web application security risks.
  • Common web application vulnerabilities, including:
    • Injection flaws (e.g., SQL injection)
    • Broken authentication mechanisms
    • Sensitive data exposure
    • Security misconfigurations
    • Insufficient logging and monitoring
  • OWASP’s web application security testing framework, providing structured guidance for evaluating application security posture.
  • Key testing domains, such as:
    • Identity and authentication management
    • Session management controls
    • Input validation and sanitization
    • Business logic testing
  • Real-world attack scenarios, including identifying weak cryptographic implementations and bypassing flawed authorization mechanisms.
  • Practical mitigation strategies, helping organizations proactively detect, understand, and remediate vulnerabilities in modern web applications and APIs.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 14, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 9: Tools and Techniques for Concealing Information

  In this lesson, you’ll learn about:
  

  • Steganography fundamentals, the practice of concealing information inside other media files such as images, audio, or video without visibly altering the carrier file.
  • Manual hiding techniques, including simple visual tricks like matching font color to background color and appending hidden data to files using command-line utilities.
  • Least Significant Bit (LSB) steganography, an advanced method that embeds hidden data within the smallest bits of image pixels, making changes imperceptible to the human eye.
  • Using Steghide, a command-line utility for embedding and extracting hidden messages from image and audio files with passphrase protection.
  • Analyzing metadata with ExifTool, which allows investigators to view and modify file metadata such as author details, timestamps, and embedded information.
  • Discovering hidden text with the strings command, a utility that extracts readable character sequences from binary files to uncover embedded messages or hard-coded credentials.
  • Command-line file manipulation techniques, including concatenating files in Linux (cat) or Windows (copy /b) to append hidden data within another file’s raw structure.
  • Practical lab application, reinforcing detection and extraction techniques through hands-on exercises involving metadata inspection, hidden message embedding, and forensic discovery methods.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 13, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 8: Cryptography Fundamentals: Encoding and Ciphers

  In this lesson, you’ll learn about:
  

  • Data Representation and Encoding:
    • ASCII: Uses 128 unique values to represent text characters in computing.
    • Base64: Encodes binary data into text form for safe transfer across text-only channels like email or HTML.
  • Numerical Systems in Computing:
    • Binary (Base 2): Uses 0 and 1, fundamental to machine operations.
    • Decimal (Base 10): Standard human-readable numbering.
    • Hexadecimal (Base 16): Uses 0–9 and A–F, commonly used in memory addresses and color codes.
    • Octal (Base 8): Uses digits 0–7, occasionally used in file permissions and legacy systems.
  • Classic Substitution Ciphers:
    • Caesar Cipher / Shift Cipher: Rotates letters by a fixed number of positions.
    • ROT Variants:
      • ROT13: Shifts letters by 13 positions.
      • ROT5: Shifts numbers.
      • ROT18: Combination of ROT13 for letters and ROT5 for numbers.
      • ROT47: Extends rotation to letters, numbers, and keyboard symbols across ASCII.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 12, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 7: Tradecraft: The Methods and Tools of Modern Espionage

  In this lesson, you’ll learn about:
  

  • Tradecraft Fundamentals: The structured set of tools, techniques, and methods used in modern intelligence gathering and espionage.
  • Key Categories of Tradecraft:
    • Agent Handling: Managing human assets for intelligence collection.
    • Analytic Tradecraft: Techniques for correlating, validating, and interpreting collected intelligence.
    • Black Bag Operations: Covert entries into buildings to obtain information or plant surveillance without detection.
  • Technical and Physical Methods:
    • Concealment Devices & Dead Drops: Securely hiding or transferring items between operatives.
    • Cryptography & Steganography: Encrypting or embedding messages within other files to prevent interception.
    • False Flag Operations: Performing actions designed to appear as though executed by another entity.
    • Tempest: Exploiting unintended radio or electrical emissions from devices to gather intelligence.
  • Good vs. Bad Tradecraft:
    • Bad Tradecraft: Unencrypted communication, obvious patterns, and high-risk “fast and loud” methods that are easily detected.
    • Good Tradecraft: Emphasizes stealth, patience, and the use of custom, untraceable tools and infrastructure for low-profile, high-security operations.

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---

• March 11, 2026Course 27 - Hacking Web Applications, Penetration Testing, CTF | Episode 6: Penetration Testing Lifecycle: From Scoping to Reporting

  In this lesson, you’ll learn about:
  

  • The structured penetration testing lifecycle, a professional methodology that simulates real-world attacks while delivering measurable value to an organization.
  • Pre-engagement interactions, including:
    • Defining scope and boundaries
    • Establishing timelines
    • Securing written authorization
    • Formalizing the Rules of Engagement (ROE) and Statement of Work (SOW) to ensure legal and operational clarity
  • Intelligence gathering and reconnaissance, leveraging Open Source Intelligence (OSINT) and both passive and active footprinting techniques to map infrastructure and identify external exposure.
  • Threat modeling, analyzing high-value assets, identifying potential internal and external threat actors, and prioritizing the most likely and impactful attack paths.
  • Vulnerability analysis, combining automated scanning and manual validation to identify weaknesses, correlate findings, and map realistic exploitation paths.
  • Controlled exploitation, focusing on precision-driven access attempts rather than disruptive tactics, often requiring carefully selected or customized techniques to bypass layered defenses.
  • Post-exploitation activities, including:
    • Assessing the value of compromised systems
    • Demonstrating potential impact through controlled data access
    • Pivoting within the network (if in scope)
    • Performing full cleanup to remove tools, accounts, and artifacts created during testing
  • Professional reporting, often the most critical deliverable:
    • An Executive Summary translating technical risk into business impact
    • A Technical Report detailing vulnerabilities, proof of concept, risk ratings, and clear remediation guidance

  
  
  You can listen and download our episodes for free on more than 10 different platforms:
  https://linktr.ee/cybercode_academy

  ...more

  

  ---