1
00:00:02,940 --> 00:00:09,300
So far we've learned how to find and use subdomains that exist within our target website and that have

2
00:00:09,300 --> 00:00:11,910
not been listed in today's lecture.

3
00:00:11,910 --> 00:00:18,060
We're going to see how we can find files and directories that are stored on our target computer or our

4
00:00:18,060 --> 00:00:19,310
target website.

5
00:00:19,320 --> 00:00:25,710
Again these could be useful because these files could contain passwords they could contain config information

6
00:00:26,010 --> 00:00:34,490
or they could contain information about the actual server which will help us further exploit our target.

7
00:00:34,490 --> 00:00:40,490
Let me just first show you what I mean by files and directories just to show you the structure of directories

8
00:00:40,520 --> 00:00:41,410
on a web server.

9
00:00:41,540 --> 00:00:43,850
So here I have my little machine.

10
00:00:44,060 --> 00:00:53,950
And as we know usually the web server stuff is stored in var W W W and if I do an ls you'll see or undo

11
00:00:54,070 --> 00:00:57,030
give us a just so that it's nicer.

12
00:00:58,350 --> 00:01:04,690
You'll see that we have a number of files and directories and we can see that we have a directory they're

13
00:01:04,790 --> 00:01:07,040
called Matilda.

14
00:01:07,260 --> 00:01:12,970
Matilda is a Web is a web application that is designed to be hacked just like to exploit a world.

15
00:01:13,080 --> 00:01:20,070
It is designed so that it has a number of exploits so that we can learn how to hack based on it so we

16
00:01:20,070 --> 00:01:23,500
can see that that's installed in a directory called Mithal day.

17
00:01:23,790 --> 00:01:29,510
Now if I go here to my IP address now this is the IP address of the floatable machine.

18
00:01:29,550 --> 00:01:36,470
So if I do any of configure you'll see that it's 10 20 3:46.

19
00:01:36,520 --> 00:01:42,830
So I mean they're And you can see that they have an easy access for me for the day.

20
00:01:43,100 --> 00:01:48,490
If I click it look at the URL here so it's forward slash Mythili day.

21
00:01:48,590 --> 00:01:51,520
That means I'm inside the middle of directory.

22
00:01:51,620 --> 00:01:56,760
So every time you see a forward slash that usually means you're inside a directory.

23
00:01:56,780 --> 00:02:05,780
So let's go back here and do an ls and if I do see the Matilda am I'm going to do of this and you'll

24
00:02:05,780 --> 00:02:10,310
see that I have a large number of files a large number of files here.

25
00:02:10,430 --> 00:02:17,160
So let's say for example I wanted to open one of these files and we have indexed that ph with if I do

26
00:02:17,160 --> 00:02:24,370
end up with then this is our current file it's called index APHC.

27
00:02:24,370 --> 00:02:30,610
So what we learn from this is Metulla there is just a directory inside my Webroot.

28
00:02:30,750 --> 00:02:38,240
So at the moment in the midst locatable device arm in that we just write it here for you some inviter

29
00:02:38,660 --> 00:02:42,220
w w Matile a day

30
00:02:45,610 --> 00:02:52,530
and then the file that I'm accessing is index BHB.

31
00:02:52,700 --> 00:02:54,910
OK so I hope this is clear now.

32
00:02:54,980 --> 00:03:03,110
So on in this directory and this directory and access in a file called index page.

33
00:03:03,500 --> 00:03:08,850
So if I just do a PWT here you'll see that I'm in var w w w until today.

34
00:03:10,430 --> 00:03:14,720
The IP address kind of hides where you are the readably that you wrote is.

35
00:03:14,750 --> 00:03:21,890
So it hides the Vardaman WW and then everything after that will be displayed here after the IP address.

36
00:03:21,920 --> 00:03:27,590
So we're looking to find today is all the directories on the files that we cannot see.

37
00:03:27,590 --> 00:03:32,650
So through out these links we will be able to access different types in different pages.

38
00:03:32,660 --> 00:03:38,000
This is the same with any other web site but there is always files and directories hidden that you just

39
00:03:38,000 --> 00:03:39,540
never see.

40
00:03:39,560 --> 00:03:45,030
So we'll see how we can get you or else for these files and access them and read the information in

41
00:03:45,040 --> 00:03:45,480
it.

42
00:03:46,800 --> 00:03:51,570
Do that we're going to use a tool called there and to see how to use that.

43
00:03:51,600 --> 00:03:57,580
We're going to do man there to see all the options associated with that too.

44
00:03:58,320 --> 00:04:02,870
So you can see that to use the tool you just type in Derb.

45
00:04:03,050 --> 00:04:06,520
You are out of your target and then you put a wordlist.

46
00:04:06,690 --> 00:04:10,260
So the way this works is it works based on a brute force attack.

47
00:04:10,440 --> 00:04:16,610
And it just uses a word list of names and it sends requests with these names.

48
00:04:16,620 --> 00:04:22,650
And anytime we actually find something it tells us that oh I find I found a file with this name so it

49
00:04:22,650 --> 00:04:29,900
will only be able to find names and directories based on the wordlist that you provide.

50
00:04:29,910 --> 00:04:38,680
Now you can create a wordlist using crunch or you can use word lists that come in within their the options

51
00:04:38,680 --> 00:04:41,950
here allow you to configure how the tool is going to work.

52
00:04:42,190 --> 00:04:45,430
So you can change things around the way you it.

53
00:04:45,430 --> 00:04:51,220
For example you can disable the recursive ness of the tool so it just runs on one directory instead

54
00:04:51,220 --> 00:04:53,120
of trying a number of directories.

55
00:04:54,270 --> 00:04:58,870
You can get it to ask you if if you want to access a directory or not.

56
00:04:58,990 --> 00:05:04,290
Instead of automatically accessing directories and trying to find files within these directories because

57
00:05:04,290 --> 00:05:09,780
this could be exhaustive if your target is a big Web site there might be a lot of directories and then

58
00:05:09,780 --> 00:05:14,880
the two will be trying to access all of them and find files with all of them so they can see how big

59
00:05:14,880 --> 00:05:16,020
the tree could go.

60
00:05:18,600 --> 00:05:24,560
You can also set it to use a username and password if the target web sites uses some sort of authentication

61
00:05:26,300 --> 00:05:35,570
and you can use it for verbal output and you can also use OE to output the results to a file.

62
00:05:35,580 --> 00:05:37,970
So let me show you a very simple example of it.

63
00:05:37,980 --> 00:05:53,020
I'm just going to wander on our target which is 10 20 14 to 0 4 and thus should be Hastey because remember

64
00:05:53,020 --> 00:05:55,860
we're targeting a Web site not an IP address.

65
00:05:58,210 --> 00:06:04,580
Then I'm going to put the directory that I want to be that I want to find files and directories within.

66
00:06:04,850 --> 00:06:10,580
I don't want to be accessing anything with any other because you can see here there is a number of scripts

67
00:06:10,580 --> 00:06:17,790
installed on this web server so we have this script and we also have page p.m.-I admin and we have the

68
00:06:17,820 --> 00:06:18,680
weiqi.

69
00:06:18,890 --> 00:06:24,170
So we don't want it to be accessed and all of them we only wanted to be working on Matile a day.

70
00:06:24,170 --> 00:06:25,190
On this example.

71
00:06:25,190 --> 00:06:27,010
So that's why I want to use this year.

72
00:06:27,040 --> 00:06:32,840
And then it's going to start finding your allies and files within this current particular web application.

73
00:06:33,750 --> 00:06:37,080
So I'm going to enter and we're going to work.

74
00:06:37,080 --> 00:06:44,280
So this is going to use a wordless file and it's used in a default small wordless file that is stored

75
00:06:44,280 --> 00:06:47,060
in here so it's in use or share their word lists.

76
00:06:47,180 --> 00:06:48,350
Come on.

77
00:06:48,660 --> 00:06:53,620
You can have a look at this directory and see if there is any other one this that you'd like to use.

78
00:06:53,730 --> 00:06:59,490
And you can use them only by placing the full path to the word list after the command.

79
00:06:59,730 --> 00:07:04,980
So instead of the way I wrote the command you'd write it like this and then you'd state where your running

80
00:07:04,980 --> 00:07:05,370
list is.

81
00:07:05,370 --> 00:07:09,750
For example let's see if it's in route you stated as rude at least

82
00:07:13,940 --> 00:07:15,300
GST or whatever.

83
00:07:15,740 --> 00:07:21,770
But at the moment it's use of the default one which is stored in this directory in users shared their

84
00:07:21,830 --> 00:07:25,420
wordlist and it's used in the one that's called com and the GST.