So far we've learned how to find and use subdomains that exist within our target website and that have not been listed. In today's lecture we're going to see how we can find files and directories that are stored on our target computer or our target website. Again, these could be useful because these files could contain passwords, they could contain config information, or they could contain information about the actual server which will help us further exploit our target.

Let me just first show you what I mean by files and directories, just to show you the structure of directories on a web server. So here I have my little machine. And as we know, usually the web server stuff is stored in /var/www, and if I do an ls, or let me do ls -la just so that it's nicer, you'll see that we have a number of files and directories, and we can see that we have a directory there called mutillidae. Mutillidae is a web application that is designed to be hacked, just like Metasploitable. It is designed so that it has a number of exploits so that we can learn how to hack based on it, so we can see that that's installed in a directory called mutillidae.

Now if I go here to my IP address, now this is the IP address of the Metasploitable machine. So if I do an ifconfig you'll see that it's 10.20.14.204. So I'm in there, and you can see that they have an easy access for Mutillidae. If I click it, look at the URL here, so it's /mutillidae. That means I'm inside the mutillidae directory. So every time you see a forward slash, that usually means you're inside a directory.

So let's go back here and do an ls, and if I do cd mutillidae and I'm going to do an ls, you'll see that I have a large number of files here. So let's say for example I wanted to open one of these files, and we have index.php; if I open it up then this is our current file, it's called index.php. So what we learn from this is Mutillidae is just a directory inside my web root. So at the moment in the Metasploitable device I'm in, let me just write it here for you, /var/www/mutillidae, and then the file that I'm accessing is index.php. OK, so I hope this is clear now. So I'm in this directory and accessing a file called index.php. So if I just do a pwd here you'll see that I'm in /var/www/mutillidae. The IP address kind of hides where your web root is. So it hides the /var/www and then everything after that will be displayed here after the IP address.

So what we're looking to find today is all the directories and the files that we cannot see. So throughout these links we will be able to access different pages. This is the same with any other website, but there are always files and directories hidden that you just never see. So we'll see how we can get URLs for these files and access them and read the information in them.

To do that we're going to use a tool called dirb, and to see how to use that we're going to do man dirb to see all the options associated with that tool. So you can see that to use the tool you just type in dirb, the URL of your target, and then you put a wordlist. So the way this works is it works based on a brute force attack. It just uses a wordlist of names and it sends requests with these names, and any time it actually finds something it tells us that "oh, I found a file with this name", so it will only be able to find names and directories based on the wordlist that you provide. Now you can create a wordlist using crunch or you can use wordlists that come with dirb. The options here allow you to configure how the tool is going to work. So you can change things around the way you want. For example, you can disable the recursiveness of the tool so it just runs on one directory instead of trying a number of directories. You can get it to ask you if you want to access a directory or not, instead of automatically accessing directories and trying to find files within these directories, because this could be exhaustive if your target is a big website; there might be a lot of directories and then the tool will be trying to access all of them and find files within all of them, so you can see how big the tree could go.

You can also set it to use a username and password if the target website uses some sort of authentication, and you can use it for verbose output, and you can also use -o to output the results to a file. So let me show you a very simple example of it. I'm just going to run it on our target, which is http://10.20.14.204, and this should be HTTP because remember we're targeting a website, not an IP address. Then I'm going to put the directory that I want to find files and directories within. I don't want it to be accessing anything in any other directory, because you can see here there are a number of scripts installed on this web server, so we have this script and we also have phpMyAdmin and we have the wiki. So we don't want it to be accessing all of them, we only want it to be working on mutillidae in this example. So that's why I want to use this here. And then it's going to start finding URLs and files within this particular web application. So I'm going to press enter and it's going to work.

So this is going to use a wordlist file, and it's using a default small wordlist file that is stored in here, so it's in /usr/share/dirb/wordlists, common. You can have a look at this directory and see if there is any other one that you'd like to use. And you can use them simply by placing the full path to the wordlist after the command. So instead of the way I wrote the command you'd write it like this and then you'd state where your wordlist is. For example, let's say it's in root, you'd state it as /root/list.txt or whatever. But at the moment it's using the default one which is stored in this directory, in /usr/share/dirb/wordlists, and it's using the one that's called common.txt.