1
00:00:01,970 --> 00:00:07,720
In today's lecture we're going to talk about subdomains. Subdomains, we've seen them everywhere.

2
00:00:07,920 --> 00:00:11,650
For example, they come in as subdomain dot target dot com.

3
00:00:11,910 --> 00:00:18,480
So for example you'd have beta dot facebook dot com, you'd have mobile dot facebook dot com, or you might have

4
00:00:18,480 --> 00:00:20,370
used [unclear] dot facebook dot com.

5
00:00:20,580 --> 00:00:27,660
So for example in Google you have mail dot google dot com, which basically just takes you to Gmail.

6
00:00:28,640 --> 00:00:36,290
Why subdomains are important is, in a lot of the cases, some websites have subdomains for their own

7
00:00:36,290 --> 00:00:42,100
users, for example for the employees or for certain customers.

8
00:00:42,170 --> 00:00:50,630
So they're not advertised. Unless you're some sort of a VIP customer, or if you are an employee, you will

9
00:00:50,630 --> 00:00:56,000
not see the subdomains on search engines and you'll just never see a link leading to them.

10
00:00:56,150 --> 00:01:02,380
So they might contain vulnerabilities or exploits that will help you gain access to the website, but

11
00:01:02,390 --> 00:01:05,880
you just never knew about them because they're not advertised.

12
00:01:05,920 --> 00:01:11,750
Another thing is, a lot of the big websites, when they're trying to install a new update or add a new

13
00:01:11,750 --> 00:01:15,480
feature to the website, they install it in a subdomain.

14
00:01:15,560 --> 00:01:22,280
So you'll have beta dot facebook dot com, which actually contains a beta version of Facebook, which contains

15
00:01:22,280 --> 00:01:24,260
still experimental features.

16
00:01:24,290 --> 00:01:29,210
Now experimental features are great, because they're still under development and there is a really high

17
00:01:29,210 --> 00:01:31,570
chance of finding exploits in them.
18
00:01:33,080 --> 00:01:40,370
And this is actually true. Not so long ago, someone was able to brute force the restore password key for

19
00:01:40,400 --> 00:01:44,510
any Facebook user and was able to gain access to any Facebook user.

20
00:01:44,510 --> 00:01:51,140
And this was only possible through beta dot facebook dot com, because facebook dot com used to check

21
00:01:51,140 --> 00:01:56,210
for the number of attempts, or wrong attempts, and they just didn't implement that security feature in the

22
00:01:56,210 --> 00:02:02,840
beta, because they just didn't think anyone's going to go there, or for any reason. Like, the beta usually

23
00:02:02,840 --> 00:02:05,300
contains more problems than the normal website.

24
00:02:05,390 --> 00:02:09,400
So it will be very useful to try and hack into it.

25
00:02:11,220 --> 00:02:16,440
So in today's lecture we'll see how we can find any subdomains that have not been advertised, or even

26
00:02:16,440 --> 00:02:17,540
the advertised ones.

27
00:02:17,600 --> 00:02:21,420
So we'll be able to get subdomains of our target.

28
00:02:21,520 --> 00:02:26,080
We're going to use a tool called Knock. The tool's very simple, you don't really need to install it. All

29
00:02:26,080 --> 00:02:29,430
you have to do is download it using the git command.

30
00:02:29,620 --> 00:02:32,740
So the command is going to be git clone.

31
00:02:32,920 --> 00:02:36,530
And then you put the URL of the tool.

32
00:02:37,060 --> 00:02:37,650
And that's it.

33
00:02:37,660 --> 00:02:38,830
It's downloaded now.

34
00:02:38,930 --> 00:02:47,160
So I'm going to navigate to it using the command, and we'll see that we have the .py file here, and I'm

35
00:02:47,160 --> 00:02:49,040
going to run it using the command python

36
00:02:51,670 --> 00:02:53,080
knock dot py.

37
00:02:53,380 --> 00:02:55,030
And then I'll put the IP or
38
00:02:55,060 --> 00:03:00,940
our website I want to get the subdomains of, and it's going to be isecurity dot org,

39
00:03:06,910 --> 00:03:12,550
and this will show you some information about the website first, and then it'll do a brute force and

40
00:03:12,550 --> 00:03:19,580
a Google-based subdomain search for isecurity, so it'll show me any subdomain that isecurity might have.

41
00:03:19,690 --> 00:03:24,660
So that I could try and test the security of that subdomain and see what's installed on it.

42
00:03:24,700 --> 00:03:28,590
Maybe I'll be able to gain access to the website through that subdomain.

43
00:03:29,890 --> 00:03:31,860
OK, so the scan is complete now.

44
00:03:32,080 --> 00:03:37,900
And as you can see, we managed to find seven subdomains that were not [unclear] as well.

45
00:03:38,110 --> 00:03:45,180
So one of them is ftp dot isecurity dot org; we already know about this.

46
00:03:45,180 --> 00:03:47,730
This is just a local subdomain.

47
00:03:48,520 --> 00:03:54,850
We can see that the mail server has its own subdomain as well, and we can see a very interesting one

48
00:03:54,850 --> 00:04:01,510
here, news dot isecurity dot org. This actually did contain a beta version of a script

49
00:04:01,540 --> 00:04:03,990
that we were working on in secret.

50
00:04:04,060 --> 00:04:09,860
And at the moment now, if you go to it, it's actually converted and it'll just take you to the actual website,

51
00:04:09,880 --> 00:04:12,220
because the script is out of development.

52
00:04:12,220 --> 00:04:18,340
But now if you go to news dot isecurity dot org, it'll just tell you that this has been moved to the

53
00:04:18,340 --> 00:04:23,130
main website, and then if you click here you'll go to the main website with the script installed.
54
00:04:23,290 --> 00:04:28,990
So if someone was trying to hack into our website and did this, they'll actually see that there is a

55
00:04:28,990 --> 00:04:34,820
script under development, and there is a high chance that they would have been able to find a vulnerability

56
00:04:34,820 --> 00:04:37,840
in it and gain access to the whole website.

57
00:04:38,960 --> 00:04:45,860
So this just shows you how important information gathering is, again, which can be used to really gain

58
00:04:45,860 --> 00:04:50,600
access to websites, or if you don't do it you'd be missing a lot of things.

59
00:04:50,600 --> 00:04:56,720
For example, you might be missing a whole script with a whole number of vulnerabilities, or you could

60
00:04:56,720 --> 00:05:03,250
be missing an admin login page or an employee login page which is used for admins or employees to log

61
00:05:03,250 --> 00:05:03,430
in.