[00:00:00] Hello everybody and welcome back. Now, before we continue with Burp Suite, I just want to show you some of the tools that you can check out by yourself that already come pre-installed in Kali Linux and are used for discovering, basically, more information about a certain website. So let's just open our terminal; we'll go through them briefly. There are only two tools, and then after that we'll continue to use Burp Suite in order to hack a page. But the first of these tools is called WhatWeb. If you just type `whatweb` here, you will be prompted with your options for this command, and what this command basically does is it identifies different web technologies running on a certain website. It can, for example, detect the JavaScript libraries used for designing the website; it can discover some different systems and technologies that are running on the website. Now we will only cover one of the options right here, which is just the verbose option, which is `-v`. We will just use that in order to show you what this tool does. So let me just check out the IP address of my OWASP machine. So I'll just start here: `ifconfig`, and we can see that it is 192.168.1.9. So if I type here `whatweb -v 192.168.1.9`, we should see some of the things that are running on the website, which can be useful if you're planning a further attack.
[00:01:43] So we can see we got a bunch of these options, a bunch of output, which basically says the versions and the things that are running on the website. So we go from the top: as it says, the page is found, which gives us the status code 200. This is the title, the IP address, the country, summary, etc. In the summary you can basically see all of the things that it is running, and below that you will see in more detail what version they are running. So for example you can see jQuery, HTML5, OpenSSL, Python, HTTP server, Apache, and so on and so on. But if you scroll right down you can see Apache version 2.2.14. We can see different modules: mod_proxy_html, all the website. Now this is just the website of the Apache. Let me just go down to emails. So it extracted some of the emails, I believe. Not really sure. It could be that these are just some of the emails that are located on the website. Yeah, because of this one, I believe OWASP BWA, it basically just found some email on the website. HTML5, HTTP server, jQuery, OpenSSL, PHP, we can see the version, Passenger, Perl, Python, script, and so on. So this is just some of the useful information you can find out about a certain website.
[00:03:17] For example, if you find out that it uses JavaScript, you can possibly try to plan out a cross-site scripting attack or something like that. Now that's just the first tool that I want to show you. We won't be covering it in detail, so let's just go on to the next one right away, and the next tool would be dirb. So just type `dirb` in your terminal and you will get the available options for this tool. So basically what this tool does is it scans for directories that aren't found on the page. It basically recursively tries to find web pages with different extensions, and whether it finds out that the page exists or doesn't exist, it basically finds it out by the status code of the page itself. So for example, we all know that if you visit a page that doesn't exist, you get that weird 404 error, page not found. And if it does exist, you get the status code 200. So basically how this program works is it brute-forces the website with directories. And if it gets the status code 200, it prints that that page exists, and if it gets the status code 404, it will say that the page doesn't exist. Now, it's a simple concept. So let's just run this program on the same website, which is our OWASP virtual machine. So let me just see what the syntax is. As we can see, it is `dirb <url_base> <wordlist>`.
[00:04:54] So let me just look for the wordlist. Now, some of the wordlists you can find in `/usr/share/wordlists`. And then just type `ls` here and let me see which one we will use. Let me go to Metasploit, since there are a bunch of other wordlists, as you can see right here. Let me see if there is any one list that could be useful for us, specifically for this specific attack, which is basically brute-forcing the directories in order to find some of the directories that aren't on the website. So let me just see it right here. I can't seem to find any directory. Let me just grep for dirb. Maybe it will find something like that. No. Well, let me just go... Oh, there it is. There is literally a dirb directory, so we can use something from here, I believe `extensions_common`. But let me just `cat` that so we can see if that is what we need. No, I don't think that is what we need. This is the... Yeah, the file extensions. So let me just see what is under `common`. It could be something useful, so we can try that one. Not really sure if it is made for this. Probably not. But let us give it a try. Why not. So we will use the `common.txt`. Let me just...
[00:06:28] Yeah, the `common.txt` wordlist. So it should be in the same path for you as well. So `/usr/share/wordlists` and then `/dirb`, and you should see this `common.txt` file. So let's just run dirb once again. And if we type here `dirb 192.168.1.9`, oops, `.9`, and we type here `/usr/share/wordlists/dirb/common.txt`, or at least I could have just specified `common.txt` since we are already in the folder, and then the options that it receives. Do we want to add any options, or do we want to basically just run this and see if it will work like this? "Use http" OK. So we need to specify `http://`. And as we can see right now it is running the directory brute force, and we can see right here. I just want... we can see the code. 200 means that the page exists. No need to scan that, we just see code 500, code 200, 200. All of these 200 pages do exist. So we can prove that. Let us just use any page that has code 200, for example this one. We can copy the URL and let us go open our Firefox.
[00:08:17] Now, the reason why I'm showing you this attack is because some of the websites can be configured to have available web pages with basically usernames and passwords, and so you can basically find something you shouldn't be able to find, just by trying out random directories for that page. Now, before I go and paste the link, I need to turn off my proxy, which is Burp Suite. So if you have it set as a proxy and are not running it currently, just go here and, for this time, go on "No proxy". So I don't have to turn on Burp Suite for this video, and we will paste and go, and as you can see it there, it found a page. So this page exists. And if we check out another page that gave us the status code 200, for example, let's see, we can take any page we want. So code 200: index, that page, the email, this is some icon file, but it doesn't matter. Let's just see if it works, and it does work. We got the picture. So all of these 200 codes exist on the website as a directory. So basically that's about it for this tool. Now, we will be coding our own directory brute-forcer in a later section. It is really easy to code, and you will see how it works behind the scenes. But for now I just wanted to show you these two tools.
[00:10:00] And in the next lecture we will continue with Burp Suite and some of the attacks on our OWASP virtual machine. So I hope I see you there, and take care.