1
00:00:01,970 --> 00:00:07,720
In today's lecture we're going to talk about subdomains subdomains we've seen them everywhere.

2
00:00:07,920 --> 00:00:11,650
For example they come in as subdomain tartaric dot com.

3
00:00:11,910 --> 00:00:18,480
So for example you'd have better Facebook to call it to have mobile Facebook dot com or you might have

4
00:00:18,480 --> 00:00:20,370
used Erdos Facebook dot com.

5
00:00:20,580 --> 00:00:27,660
So for example in Google you have mailed the Google dot com which basically just takes you to G-mail

6
00:00:28,640 --> 00:00:36,290
y subdomains are important is a lot of the cases some websites have subdues subdomains for their own

7
00:00:36,290 --> 00:00:42,100
users for example for the employees or for certain customers.

8
00:00:42,170 --> 00:00:50,630
So they're not advertised unless you're some sort of a VIP customer or if you are an employee you will

9
00:00:50,630 --> 00:00:56,000
not see the subdomains on search engines and you'll just never see a link leading to them.

10
00:00:56,150 --> 00:01:02,380
So they might contain vulnerabilities or exploits that will help you gain access to the Web site but

11
00:01:02,390 --> 00:01:05,880
you just never knew about them because they're not advertised.

12
00:01:05,920 --> 00:01:11,750
Another thing is a lot of the big Web sites when they're trying to install a new update or add a new

13
00:01:11,750 --> 00:01:15,480
feature to the Web site they install it in a subdomain.

14
00:01:15,560 --> 00:01:22,280
So you'll have bater that Facebook that can actually contains a beta version of Facebook which contains

15
00:01:22,280 --> 00:01:24,260
still experimental features.

16
00:01:24,290 --> 00:01:29,210
Now experimental features are great because they're still under development and there is a really high

17
00:01:29,210 --> 00:01:31,570
chance of finding exploits in them.

18
00:01:33,080 --> 00:01:40,370
And this is actually true not so long ago someone was able to brute force the restore password key for

19
00:01:40,400 --> 00:01:44,510
any Facebook user and was able to gain access to any Facebook user.

20
00:01:44,510 --> 00:01:51,140
And this was only possible through the beta at Facebook dot com because Facebook dot com used to check

21
00:01:51,140 --> 00:01:56,210
for a number of attempts or wrong attempts and they just did it implement that security feature in the

22
00:01:56,210 --> 00:02:02,840
beta because they just didn't think anyone's going to go there or for any reason like the beta usually

23
00:02:02,840 --> 00:02:05,300
contains more problems than the normal website.

24
00:02:05,390 --> 00:02:09,400
So it will be very useful to try and hack into it.

25
00:02:11,220 --> 00:02:16,440
So in today's picture we'll see how we can find any of domains that have not been advertised or even

26
00:02:16,440 --> 00:02:17,540
the advertised ones.

27
00:02:17,600 --> 00:02:21,420
So we'll be able to get subdomains of our target.

28
00:02:21,520 --> 00:02:26,080
We're going to use a tool called knock the tools very simple you don't really need to install it all

29
00:02:26,080 --> 00:02:29,430
you have to do is download it using good command.

30
00:02:29,620 --> 00:02:32,740
So the command is going to be get clone.

31
00:02:32,920 --> 00:02:36,530
And then you put the you are out of the two.

32
00:02:37,060 --> 00:02:37,650
And that's it.

33
00:02:37,660 --> 00:02:38,830
It's downloaded now.

34
00:02:38,930 --> 00:02:47,160
So I'm going to navigate to it using the command and will see that we have the high file here and I'm

35
00:02:47,160 --> 00:02:49,040
going to run it using the command Python

36
00:02:51,670 --> 00:02:53,080
not that's why.

37
00:02:53,380 --> 00:02:55,030
And then I'll put the IPA.

38
00:02:55,060 --> 00:03:00,940
Our website I want to get the subdomains up and it's going to be security guards all

39
00:03:06,910 --> 00:03:12,550
and this will show you some information about the website first and then it'll do a brute force and

40
00:03:12,550 --> 00:03:19,580
a Google based subdomain search for security so it'll show me any subdomain that I security might have.

41
00:03:19,690 --> 00:03:24,660
So that I could try and test the security of that subdomain and see what's installed on it.

42
00:03:24,700 --> 00:03:28,590
Maybe I'll be able to gain access to the website through that subdomain.

43
00:03:29,890 --> 00:03:31,860
OK so the scan is complete now.

44
00:03:32,080 --> 00:03:37,900
And as you can see we managed to find seven subdomains that were not as well.

45
00:03:38,110 --> 00:03:45,180
So one of them is FTB those security dot org security that we already know about this.

46
00:03:45,180 --> 00:03:47,730
This is just a local subdomain.

47
00:03:48,520 --> 00:03:54,850
We can see that the mail server has its own subdomain as well and we can see a very interesting one

48
00:03:54,850 --> 00:04:01,510
here news that I secured this year or this was this actually did contain a beta version of a script

49
00:04:01,540 --> 00:04:03,990
that we were working on and secret.

50
00:04:04,060 --> 00:04:09,860
And at the moment now if you go to it it's actually converted and so just take you to the actual website

51
00:04:09,880 --> 00:04:12,220
because the script is out of development.

52
00:04:12,220 --> 00:04:18,340
But now if you if you go and use that security org it'll just tell you that this has been moved to the

53
00:04:18,340 --> 00:04:23,130
main web site and then if you click here you'll go to the main web site with the script installed.

54
00:04:23,290 --> 00:04:28,990
So if someone was trying to hack into our website and did this they'll actually see that there is a

55
00:04:28,990 --> 00:04:34,820
script under development and there is a high chance that there would have been able to find a vulnerability

56
00:04:34,820 --> 00:04:37,840
in it and gain access to the whole website.

57
00:04:38,960 --> 00:04:45,860
So this just shows you how important information gathering is again which can be used to really gain

58
00:04:45,860 --> 00:04:50,600
access to websites or if you don't do it you'd be missing a lot of things.

59
00:04:50,600 --> 00:04:56,720
For example you might be missing a whole script with a whole number of vulnerabilities or you could

60
00:04:56,720 --> 00:05:03,250
be missing an admin logon page or an employee logon page which is used for admins or employees to log

61
00:05:03,250 --> 00:05:03,430
in.