Instructor: Welcome back. And in this video I want to talk about another thing that we already covered. And that is enumeration and information gathering. So this is a step that you also shouldn't skip once attacking websites. We already covered information gathering, so this video is more like something as a refresher, just so you know which tools you can use to enumerate and to scan different websites. So for this section, we're going to be using Metasploitable most of the time. We're going to attack some different targets, but for the start we are attacking Metasploitable. So make sure that Metasploitable is up and running. I also ran the "ifconfig" command and it gave me the IP address of "192.168.1.8". So the first thing that we can do is try to visit the webpage of that IP address, just to see what we have. And to do that we can open our Firefox. And remember that once we attack Metasploitable, we said that we are going to attack port 80 later in the course. Now that time has come.
We are going to attack port 80, and once again, we are attacking port 80 because it holds a web page. If I visit this IP address of my Metasploitable, it will open this page right here. It tells us the warning, the contact and the login to get started. But down here we get a couple of links. If we go to any one of them, it will lead us to a different directory of this webpage. Currently, we are in the "/dav" directory. If I go to the parent directory, it will go back to 192.168.1.8, which is the main or the parent directory. If I go and visit "DVWA", it will lead me to this directory right here, which is "/DVWA/login.php". And this file hosts a login form. So we got "Username" and "Password" to input. If we take a look at this webpage a little more literally, we can see down here that it tells us, "default username is 'admin' with password 'password'." So for now, we're not going to brute force this. We're just going to log in, so we can see what we have behind this login form. And here it is, we got "DVWA", or as we can see right here, it has this name.
We get a warning, a disclaimer, and here we get a bunch of different attacks that we can perform. Remember we talked about "XSS", we talked about "SQL injection". We also mentioned "Brute force" and "Command injection". And these pages are pages where we can practice these types of attacks. All of them are stored in a separate directory. Now we can go about discovering all the directories on a website like this, or we can use different tools to automate this process. So to enumerate and gather as much information as you can about the website, you can use the tools that we already covered, such as theHarvester to gather emails and WhatWeb to discover the website technologies, and all of them we already covered. We're not going to do that once again. But there is another cool tool that you can use to discover directories, and that tool is called dirb. Dirb is already installed in Kali Linux by default. So one thing we need to do is to type "dirb" and we will get the help menu for this specific tool.
We get a bunch of options as we can see right here, but also down here we get the examples of usage of this tool. So the most simple test, as it says in the brackets, would be just specifying dirb and then the link to the web page that we want to scan. If I go up here, we can also see that we can specify a different "wordlist", but I believe dirb has a default wordlist that it uses. So we are just going to go with that one instead. So if I type "dirb" and then "192.168.1.8"... Whoops, "Invalid URL." So we must specify "dirb" and then "http://192.168.1.8". So this is how we must specify a link. If I press enter, it will go and search for different subdirectories inside of that webpage. If I scroll a little bit up, we can also see that it managed to find some of them. It found "/index", "/index.php", "/phpinfo", "/phpinfo.php". We got "/test", "/twiki". And if I go all the way down, we should be able to find even more subdirectories on that webpage.
And right here we might be able to find something interesting. For example, we can go and visit any one of them. Let's visit "robots.txt". If I copy the link, go up here, paste the link. Hmm, we get something right here: "User-agent", "Disallow". We already know what user agent is. It is a field inside of the HTTP requests. Let's also see what else we managed to discover. We got "/test", "/themes", "readme", "phpmyadmin". That could be useful. Let us check out what this is. You never know. Anything that you find particularly useful or interesting you might want to check out by visiting that page. And this seems to be some file with the PHP code. So let's go and check out something else. And it seems that there is a directory called "passwd". Let's see what this is. If I copy that as well, go and paste it. "Missing Fields," "Fields with a ** mark are required," "Please go back in your browser and try again," "Topic WebHome." So it seems that this page is missing some fields.
Right now we don't really know what this is all about, but by visiting this we discover more and more pages that we might not be able to find once browsing through that page on our own. Now right here, we can also notice some other information that we get on the side besides these links. And that is the code. And if you remember, this code is simply just a status code which tells us whether it managed to load the page. Right now we get "CODE:200" for most of these pages. Sometimes we will get a code like 304, which means that the page gets redirected to a different page. And at the right we also get the size of that specific page, which is not something that we are currently interested in. But you also get that information if you want to see it. We can see other links as well. And you would go about visiting any link right here that you find interesting. So let us go down. And it seems that it found 56 links, but that is only with this specific wordlist. It also downloads, I believe it downloads the contents, but I'm not really sure about that.
However, what you can do is, if you're not satisfied with the results from this dirb directory, you can specify your own wordlist if you want. Nonetheless, this is not that important a tool for us. However, you can use it if you'd like, and you can combine it with the different tools that we covered for information gathering to gather as much information as you can about the specific website. Now, since we already covered information gathering, I'm not going to go into those different tools. You can also try finding new tools from GitHub or somewhere else, and you can experiment with those tools as well. But right now what we are going to do in the next video is we are going to configure a really important tool that is called Burp Suite. And as soon as we do that, we are ready to perform our first attack.