WEBVTT

00:01.460 --> 00:07.100
Beginning information gathering with Metasploit, in this lecture we will analyze the passive and

00:07.490 --> 00:11.870
active techniques of information gathering in detail, actually not in this lecture but in this section of

00:11.870 --> 00:12.230
our view.

00:12.230 --> 00:17.720
Then of course, from the beginning, we will analyze the most commonly used and most commonly neglected

00:17.780 --> 00:21.560
techniques of passive information gathering, and then, later, recipes.

00:21.560 --> 00:24.530
We will focus on gaining information through the port scanning.

00:25.010 --> 00:30.800
Metasploit has several built-in scanning capabilities, as well as some third-party tools integrated

00:30.800 --> 00:34.310
with it to further enhance the process of port scanning.

00:34.760 --> 00:40.340
We will analyze both the inbuilt scanners as well as some of the popular third-party scanners, which

00:40.640 --> 00:42.440
work over the Metasploit Framework.

00:42.860 --> 00:48.350
So let's move on to the recipes and start our process of gaining information about our target.

00:49.220 --> 00:55.340
So we will start information gathering with the company domain name and get information about the company,

00:55.340 --> 01:02.810
search for subdomains to find targets, check for honeypots, gather email addresses, and much more.

01:03.170 --> 01:04.040
So, how to do it?

01:04.610 --> 01:09.770
The Metasploit Framework has several modules for information gathering.

01:09.860 --> 01:13.610
So in this recipe, you will learn how to use some of these modules.

01:13.910 --> 01:20.030
However, I recommend that you explore all the auxiliary modules available in the framework.

01:20.630 --> 01:27.080
So let's start first with the DNS record scanner here.

01:27.080 --> 01:32.480
So let's start our Metasploit here, and you can see the actual it's in.

01:32.630 --> 01:41.870
I will increase the font of my terminal a little bit with, you know, actions or preferences, and here

01:41.870 --> 01:42.560
behavior.

01:46.970 --> 01:47.420
Surely.

01:53.150 --> 01:56.240
Here the font is increased a little bit.

02:01.970 --> 02:04.760
So let's open it; can you see it, actually?

02:05.090 --> 02:05.540
Clearly.

02:06.140 --> 02:06.500
Yes.

02:07.570 --> 02:16.420
So now we will start, um, Metasploit, so msfconsole, msfconsole here.

02:19.370 --> 02:19.760
So.

02:21.510 --> 02:27.780
The DNS Record Scanner and Enumerator auxiliary module can be used to gather information about

02:27.780 --> 02:34.680
a domain name from a given DNS server by performing various DNS queries such as zone transfers or

02:34.680 --> 02:41.770
reverse lookups, SRV record brute forcing, and other techniques. To run the auxiliary module:

02:41.780 --> 02:45.960
We use the use command followed by the module we want to use.

02:45.960 --> 02:49.410
In this case, we will run here.

02:49.740 --> 02:52.260
Uh, x dos here.

02:53.890 --> 02:54.210
Use.

02:54.770 --> 02:58.640
And we will use auxiliary auxiliary.

03:01.850 --> 03:02.420
Gather.

03:04.480 --> 03:05.980
enum_dns.

03:06.910 --> 03:09.990
As you can see, we are now using this, actually.

03:10.360 --> 03:17.200
And then, uh, then we can use the info command to display the information about the

03:17.200 --> 03:23.620
module, such as the basic options, and this describes, uh, the description here, as you

03:23.620 --> 03:24.310
can see here.

03:24.970 --> 03:32.080
Um, so this module is provided by Carlos Perez, and this is Carlos Perez's, uh, kind of his

03:32.080 --> 03:33.790
email address and website.

03:34.830 --> 03:40.460
So as you can see here, in basic options, we have the domain, and we will give the target's domain name, and uh,

03:40.560 --> 03:43.690
we can give the ENUM_A and the ENUM_ANY record.

03:44.220 --> 03:47.250
So, initiate a zone transfer against each DNS record.

03:47.250 --> 03:50.460
Actually, we can see here threads for any word here.

03:50.460 --> 03:50.880
Threads.

03:50.900 --> 03:52.560
It's a default one.

03:53.570 --> 03:54.080
And.

03:55.530 --> 04:02.500
TLD expansion by replacing the TLD with the IANA TLD list; we can enumerate the TXT record

04:02.520 --> 04:03.150
as here.

04:04.020 --> 04:07.920
So to run the module, we need to set the domain name.

04:07.920 --> 04:14.290
So, and to make it, uh, run a bit faster, we will set the thread number to ten.

04:14.700 --> 04:17.640
So as you can see, we have a variable here.

04:17.650 --> 04:18.450
This is the domain.

04:18.840 --> 04:20.040
This is the target domain.

04:20.190 --> 04:24.890
So in this case, our target domain will be our website.

04:25.050 --> 04:25.980
Take means dot com.

04:26.250 --> 04:29.910
So check out this very first website here.

04:30.570 --> 04:31.770
Take pins dot com.

04:34.290 --> 04:38.760
As you can see here, this is our website in Web, so.

04:44.300 --> 04:53.570
Yes, close it, and then we will set the website to our domain, so set domain, so we are assigning

04:54.020 --> 04:56.030
our variable name here.

04:56.210 --> 05:03.150
As you can see, there's a domain name, and actually we can see, for example, RPORT as well.

05:03.350 --> 05:07.460
In this case, the RPORT default is 53.

05:07.700 --> 05:10.790
But in this case, domain, we have to assign the domain.

05:11.210 --> 05:18.110
Our target domain, and this, as you can see here, this is the RPORT, uh, the target port,

05:18.110 --> 05:19.020
TCP port.

05:19.040 --> 05:22.400
So this is a default one and this is the target domain.

05:22.400 --> 05:28.280
So we will set our target domain, so now we assign the domain.

05:28.580 --> 05:29.510
Take bins that.

05:30.830 --> 05:36.110
So as you can see, our domain is, um, ticketmaster.com, so let's use info again.

05:37.520 --> 05:44.260
As you can see here, in our domain, the current setting is changed, and this is that tech means dot com

05:44.260 --> 05:44.560
now.

05:45.130 --> 05:46.060
And after that.

05:47.460 --> 05:53.400
We will set the threads to 10 for faster scanning, so set threads.

05:54.370 --> 05:58.000
Threads here, as you can see, this is the threads default, one.

05:58.210 --> 06:04.360
So, the more threads you have, the faster your scanning will be.

06:04.630 --> 06:06.310
So set threads 10.

06:06.550 --> 06:09.910
And after that, as you can see, let's run info.

06:09.910 --> 06:15.400
And again, as you can see, our domain is ticketmaster.com and our threads are 10.

06:16.060 --> 06:20.140
So now let's run our exploit: run.

06:33.410 --> 06:39.890
As you can see here, uh, looking at that, we can see that we are able to obtain several DNS records

06:40.250 --> 06:48.500
from the provided domain; as you can see here, this is our website, it's Namecheap hosting, and this

06:48.500 --> 06:54.740
is the IP address of our hosting, and this is the subdomain for mail and DNS, Namecheap hosting, as you

06:54.740 --> 06:56.750
can see in the information here.

06:56.900 --> 06:59.770
But that's not all; we have to do more.

06:59.780 --> 07:05.570
So the DNS Record Scanner and Enumerator auxiliary module can also be used for active information gathering

07:05.870 --> 07:10.640
using its brute forcing capabilities by setting enum.

07:11.990 --> 07:12.860
So let's change it.

07:13.010 --> 07:16.280
So as you can see here, this is the ENUM_BRT.

07:16.290 --> 07:19.430
This means brute force; ENUM_BRT is false, as you can see.

07:19.440 --> 07:24.410
So what this does, the BRT, is brute force subdomains and hostnames.

07:24.710 --> 07:31.040
With this, we simply supply a wordlist, so in the next section, we will, uh, do that.

07:32.670 --> 07:33.930
I'm waiting for you in the next lecture.
