WEBVTT

00:01.800 --> 00:07.200
In the previous lecture, we learned about the basics of hunting subdomains.

00:07.680 --> 00:14.220
Actually, in this lecture, we will dive in a little deeper and look at other tools that are available

00:14.520 --> 00:17.910
for gathering intel on our target.

00:18.990 --> 00:27.120
So we will start by using the infamous tools of Kali Linux. Gathering information is a crucial stage

00:27.120 --> 00:35.880
of performing a penetration test, as every step we take afterwards is an outcome of all the information

00:36.090 --> 00:38.340
we gather during this stage.

00:39.280 --> 00:46.410
And actually, for this reason, it's very important that we gather as much information as possible before

00:47.190 --> 00:50.130
jumping into the exploitation stage.

00:51.600 --> 00:59.130
Actually, in this lecture, or this is the first lecture of our section of our ultimate course, we

00:59.160 --> 01:05.610
will cover um, and there are sites like we will get a list of subdomains.

01:05.610 --> 01:08.100
We will use Shodan for fun and profit.

01:08.610 --> 01:12.540
Uh, we will, um, use Shodan Honeyscore.

01:12.540 --> 01:15.100
We will use the Shodan plugin, Censys.

01:15.360 --> 01:18.990
We will use Nmap to find open ports.

01:19.890 --> 01:23.340
Um, we will bypass firewalls with Nmap.

01:23.760 --> 01:26.790
We will search for open directories.

01:26.790 --> 01:28.500
Uh, using co-pastor.

01:28.950 --> 01:31.620
We will hunt for SSL flaws.

01:31.980 --> 01:38.130
We will automate, uh, brute force using BruteSpray. We'll dig with theHarvester.

01:38.520 --> 01:42.270
Uh, so we will dig deep with theHarvester.

01:42.720 --> 01:52.410
Uh, we will find, uh, the technology behind, um, web applications, actually using, uh, WhatWeb

01:52.410 --> 01:56.490
and weald with, uh, websites and tools.

01:56.850 --> 02:05.460
We will scan, uh, IPs with, uh, masscan and Nmap. We will find origin servers with Cloud

02:05.460 --> 02:06.000
Bunny.

02:06.120 --> 02:12.900
We will sniff around with the shipment and testing Caruthers, uh, y uh, firewall actually.

02:14.820 --> 02:23.580
Firstly, let's start by getting a list of subdomains. So when performing a black box test,

02:24.180 --> 02:28.470
The client may not give us all of the subdomains of the organisation.

02:29.040 --> 02:36.720
So in this recipe, we'll cover one of the five techniques that can be used to get lists of the subdomains

02:36.720 --> 02:37.890
of an organisation.

02:38.700 --> 02:39.910
So how to do it?

02:40.530 --> 02:49.830
So first of all, we have a website that, uh, will help us all doing this.

02:50.790 --> 03:01.080
And this is the actual this website is scans Eeyore, uh, actual and it's open ish.

03:01.920 --> 03:05.030
Scott's scans you.

03:12.060 --> 03:12.420
So.

03:14.200 --> 03:22.180
We have this DNSdumpster, and we will use the scarce era, uh, it relies on scarcity of words

03:22.180 --> 03:26.200
to resolve, so it's pretty simple to use.

03:27.130 --> 03:28.220
So actually.

03:30.160 --> 03:32.260
Actually, can you see my screen?

03:32.980 --> 03:33.400
Yes.

03:34.060 --> 03:36.490
And then this stumper, that Chrome.

03:39.460 --> 03:41.350
It's really been a stumper.

03:48.040 --> 03:56.020
You're showing, Dean, it's actually, it's DNSdumpster, all right, in this dumpster at the corner.

03:57.570 --> 03:58.110
Actually.

03:59.920 --> 04:00.220
Yes.

04:01.160 --> 04:01.580
So.

04:03.780 --> 04:12.570
Um, actually, let's find, um, the um, some, uh, domains subdomains with these tools.

04:13.410 --> 04:21.360
Uh, so I will give our websites, take things like them websites to find DNS subdomains.

04:22.350 --> 04:23.580
And it's searching.

04:26.770 --> 04:34.300
So you can see here this information to what this information is.

04:35.020 --> 04:44.290
We can see here that our website hosting is Namecheap hosting and DNS is Namecheap DNS, and

04:44.290 --> 04:51.460
we have the mail subdomain here, mail that take beans that come in.

04:51.490 --> 05:02.050
So you can see here this email that I think things that will redirect us to the main page of our website

05:02.050 --> 05:07.210
because I haven't set up this mail yet.

05:09.010 --> 05:13.630
And as you can see here, our DNS is Namecheap DNS.

05:14.440 --> 05:21.010
So here we can see the Namecheap hosting IP address and the address here.

05:22.120 --> 05:29.260
Um, and you can see here we get this much information from just one site.

05:30.160 --> 05:30.640
So.

05:32.370 --> 05:38.070
Actually, we have, um, some additional information here as well.

05:38.900 --> 05:39.440
Um.

05:40.590 --> 05:48.990
You can see here we have, uh, TXT records we'll show here, and we can do that.

05:52.070 --> 05:58.430
And all and Excel is six fires, and we do grep for it.

05:59.660 --> 06:00.120
Um.

06:03.490 --> 06:08.050
So we are done with that, we get the information from just one domain.

06:08.920 --> 06:17.980
So it will actually, it gives us additional subdomains because our own website hasn't got subdomains yet

06:18.490 --> 06:19.510
and we don't need it.

06:19.900 --> 06:27.190
So for example, in some website, if you can these subdomains for, for example, this is this domain

06:27.190 --> 06:31.900
of website and this is the subdomain here.

06:32.380 --> 06:35.350
So if we search, call it that.

06:36.580 --> 06:38.470
Work here in.

06:39.530 --> 06:41.080
Uh, DNSdumpster.

06:42.490 --> 06:46.720
We will get information, so there was an error or request.

06:46.780 --> 06:47.300
Why?

06:47.320 --> 06:49.840
Because I have put slash on it.

07:00.410 --> 07:01.820
Actually, as you can see here.

07:03.250 --> 07:05.470
You know, we can see information, see it.

07:05.920 --> 07:07.870
We have to see records here.

07:08.200 --> 07:15.790
And actually, we have males and we're running in California pulling whom you call your kids the economy

07:15.800 --> 07:17.070
old love.

07:17.350 --> 07:22.170
He, like, um, male -- will come in and.

07:22.810 --> 07:23.590
And he can't.

07:23.590 --> 07:30.010
We have so many subdomains here, as you can see here, and we can see these IP addresses.

07:30.580 --> 07:38.590
So which host address and of which these subdomains, which host address and which servers using this,

07:38.980 --> 07:41.410
as you can see here, they're pretty similar, actually.

07:41.860 --> 07:46.300
And this means they are going to in one hosting.

07:46.300 --> 07:55.060
So these UM domains going to just in one hosting slot, different hosting, you can redirect these um,

07:55.060 --> 07:56.890
and that's well, different hosting Lucasville.

07:56.890 --> 08:01.420
As you can see, there's the uh for Russia currently looks kind of actually.

08:01.430 --> 08:08.470
So this means, uh, actually in talks, but in the Russian language, uh, we have forums, tools and.

08:09.770 --> 08:18.110
We have different weird and get subdomains here, so let's close this, actually, I want to show you

08:18.740 --> 08:25.100
something very helpful for hackers and penetration testers, a website, which is Shodan.

08:25.520 --> 08:31.910
So Shodan is the world's first search engine that was used to search for devices that are connected

08:31.910 --> 08:32.780
on the internet.

08:33.170 --> 08:41.810
So in the next lecture, actually, I will teach you how to use Shodan and how to use Shodan

08:41.810 --> 08:43.070
for fun and profit.

08:43.610 --> 08:45.350
So I'm waiting in the next lecture.
