Centralops.net and sites like it are a wonderful resource for the hacker, as they help to provide some anonymity during our assessments. Centralops allows us to create a domain dossier or email dossier on our victims, gathering openly available information, such as the owner of the domain names, the technical contacts, technical details, and the network ranges involved. This is key information that's required for us to gather as we attempt to understand the victim network and plan our attacks. We can use Centralops from any computer with a web browser. And since we already have our Kali machine connected to the Internet, that's what we're going to use. So, from our Kali machine we're going to open up Firefox. From here we're going to go to centralops.net. So once we get to centralops.net, we're going to go to the Domain Dossier. So now we need to pick a domain to look up, or an IP address. For our example, I'm going to use AVG. So AVG is an antivirus company located in the Netherlands. So we're going to look them up, and we're going to choose all five options.
We want the traceroute, the service scan, the DNS records, the whois of both network and domain, and then hit Go. So the first thing we're going to see is our address lookup. And this is just going to do a basic check of the name to the IP address; in this case AVG will resolve to two different IP addresses, as displayed here on the screen. After that we're going to see the domain whois record. Now with a large company like AVG, or Yahoo, or Google, or somebody like that, you're not going to get as much detailed information as you would if you had a small business. So in this case we can look at who they register their domain through, which in this case was MarkMonitor Incorporated. So we can see that, and that might play into the spear phishing campaign, but it's probably not real helpful for us right now. We're going to go ahead and scroll down even further. The next thing we're going to come to is the detailed whois record.
And in here we're going to see the registration information; we're going to see who it is registered to. In our case, since it's a large company, they just put in "Domain Administrator". If it's a small business you'll usually see the owner of the business's name, or their technical support people. You also will get information such as where they are. In this case they are located in Amsterdam, with the street name listed there. You also get phone numbers; this can be useful as part of a pretexting campaign as well. And you'll get an email address. In the case of a large company like this, they probably are not monitoring this address, but it's domainadministration@avg.com. If we had somebody's username in there, for instance Jason.dion@avg.com, that could tell us the naming structure for email addresses, which could be useful in a spear phishing campaign, or a good point of contact to use as part of a spear phishing campaign, such as the technical registration point of contact. If we had that information we could use that as a way into the network.
We're going to continue scrolling down, see what else we can find. Again "Domain Administrator", "Domain Administrator", not the most helpful thing, because again, this is a large company. One of the things I noticed that's kind of interesting is their name servers. If you notice, they're using akam.net. Akam is actually a large network service provider. They actually can help prevent denial of service attacks from occurring. So, if that was going to be our strategy to take down this network, it may not work as well. If they're a small business they're probably not using akam, and that may be a way that you can take down their network. But again, a denial of service is never used in ethical hacking; there's really no reason for it. But it's something we can consider using our research here. We're going to go down to the network record. Now the network whois is a little bit different. You'll notice here, it actually gives us a range: 93.184.217.0 up through .31 is actually being owned and operated by AVG.
That means they have 31 IP addresses, 30 of which are routable on the internet. That is 30 possible targets, whether they're routers, firewalls, or actual servers tied to the internet, that we could be looking at, if that is within the scope of our assessment. As we go down a little bit further you can notice who actually registered for these IP addresses: Derek Sawyer. So again, that can be a name that we can use as part of a pretexting campaign; it may be a name that we use as part of an email phishing campaign. Lots of different uses when we find good names and good email addresses for people. We're going to go down into our DNS records next. So in our DNS records, you'll see the DNS records for avg.com. There's two address records, as we saw earlier: we see 93.184.279 and then we see 93.184.211.28. These are two different servers that are answering up for the name avg.com.
This is probably being done because AVG is such a large company, one server couldn't handle the load, so they have two servers that are acting as content switches to provide that service to their customers. And then again we see akam.net as the name servers answering up, so again it's going to be load sharing and helping to handle a large amount of load that would come against those servers. Next we're going to look at traceroute. So it starts out from the servers at Centralops, and goes out across the internet until it finds where it's going. In this case, once we get to the star star stars in lines 10 through 13, that's usually where it hits firewalls, and some companies will not respond to pings or traceroutes, and the reason why is they don't want you mapping their network. So we know they have at least some firewalls, and some border security there. Again, we already figured that out because of akam.net being the ones answering up for their domain name, so we know that they're pretty secure.
Now we'll move on to the service scan. And here in the service scan you'll see that FTP timed out, SMTP timed out, web browsing port 80 is open, POP servers, IMAP servers, and HTTPS all have timed out, and this is pretty typical when using a large company like AVG. So let's do another Domain Dossier. This time we're going to use a small business. From Domain Dossier, I'm going to go to Titancipher.com. And I'm going to use service scan and traceroute, and then hit Go. Now titancipher.com is a domain that I own. It's hosted on a small server; it's using a WordPress platform, which is actually hosted by Bluehost, and as we go through you're going to see that. It's going to look a lot different than the AVG answers we got last time. So in this case we have a single IP address, which is answering up for Titancipher.
If we go into the domain records, you'll see that it's bluehost.com; that tells me who they're using, and the fact that they're using Bluehost tells you they're probably using WordPress as their platform, because Bluehost is known for that. So if you can find vulnerabilities in WordPress, you can then use those against that particular domain. Next we're going to scroll down and you'll see more information about the actual person who owns it: their name, their address, their phone numbers, their email addresses, all information that could be useful again for a spear phishing campaign or something of that nature. Network whois. So network whois again, that's going to show us who owns the IP addresses. In this case, it's actually owned by Unified Layer Networks. They own a large block, then they've given part of that block to Bluehost, who then gave a single IP to Titancipher.com. So if you notice here they have a class A address, so with the /16 they're going to have over 64,000 IPs.
You don't want to just go in there blindly and scan 64,000 IPs if you're targeting one, Titancipher.com; it wouldn't make any sense. So this is going to help you identify who owns the network, and what parts of the network there are. We're going to scroll down a little further, and we're going to find the DNS records. Now the DNS records here are going to show us that there's a name server answering up, bluehost.com. Titancipher is being answered up by Bluehost, who is their provider. They do have a mail server, mail.titancipher.com. They do have a name server, a second name server, on Bluehost. We also see their A records, which is their IP address. Next, we can look at the traceroute. This traceroute you see looks a lot different than the traceroute we saw with AVG. In this case everybody has answered up. We get both the IP addresses and the fully qualified domain names, so we know every single piece between Centralops and that particular server that's answering up. Now notice the last server that answers up, that .193.
Something quite interesting here: when it resolved, it didn't resolve to titancipher.com. Can you guess why? Well, the reason why is that this just shows us that it's a shared server; it's not owned exclusively by Titancipher. In fact it's owned by Unified Layer, who owns Bluehost. So there may be 20, 30, 40, 50 different websites on this particular server; Titancipher is just one of them. Now that's important to know, because if you try to hack titancipher.com you may not be hitting Titancipher.com, you may be hitting some of these other servers in there, and if you do that, you'd now be breaking the law, because you were only hired for an assessment by this one company. So you have to be very careful when you start looking at where they're hosted. This is really important information when we look at the Domain Dossier. Next we're going down to our service scan. In the service scan you'll see that they're using FTP; that's a known vulnerability for us. And it even tells us what type of FTP, in this case Pure-FTPd server.
That's an important piece of information that we could use if we were going to hack this company. SMTP times out, therefore it's not answering up for SMTP. That's good to know: don't throw any SMTP attacks. They are running a web server. They're running nginx 1.10.2. We now know the version number and the software they're using. That's useful to find vulnerabilities. Again, all we're doing here is information gathering at this point. The POP3 server does answer up, so there is something listening there. IMAP, 143, another mail server. It's answering up as well, things that we need to take note of. If we get into their secure site we see port 443, secure HTTP server. So it's secure HTTPS; we can see their SSL certificate here. They're using a SHA-256 RSA token as their server validation. That is information that can be useful. Bluehost.com is the one who gave them that information, so we might be able to use that as part of a spear phishing campaign again.
You can see the fact that we have Apache running as the server; you see that there at the bottom: HTTP/1.1 200 OK, Server: Apache. Again, more information that we want to take note of. They also have a PHP session ID; that's something else that we can take note of. We see JasonDion.com/WP. WP usually stands for WordPress, so there could be vulnerabilities we could take care of. So these are all different things that we can look at as we move forward in our exploitation later on. The next thing we're going to look at is our Email Dossier, and we'll just click on that. And then we're going to give an email address that we want to test out. If we have email.test@hotmail.com, for instance, let's see if that's a valid email address. Click Go; we find out that it is a bad email address because it was rejected by the server. Now instead if I use an email address that I think is valid, for instance titancipher@gmail.com, hit Go, we'll see that this passed the validation test.
As we scroll down we'll see that it actually found the MX records for Google for that particular address, and when it tried to make a connection over SMTP to Google to say does this email address exist, we can see that it did come back and say that it was successful, right here, showing us that that was a good, valid email address. Let's try another one. What if we had one like titancipher23@gmail.com? Let's see if that's a valid email address. We hit Go: bad address, does not exist. So if we tried to start sending spear phishing emails towards titancipher23@gmail.com, they would just get rejected. But titancipher@gmail.com does exist; it would be a valid address to use. Where this becomes helpful is when we start looking up information on the company. For instance, if we go back to AVG, if we think their naming scheme was first name dot last name, and we found a name of someone who we think is an employee, John Smith, we can try in here john.smith@avg.com, and see if it comes back as a valid or invalid address.
This will help us know what are good addresses and what are bad addresses. If you start sending a lot of emails to a server with bad email addresses, that server will start realizing that it is spam coming from your address, and they'll block you. You always want to be targeted in your approach; you don't want to just shotgun things. You want to be precise like a sniper. This is just one of the tools that you can use during a reconnaissance phase. There are literally hundreds of different tools available out there, but this is just one that I particularly happen to like. I recommend you try out various tools to figure out which one works for you and your style. Now during the rest of our course we'll be skipping over the reconnaissance phase. This is because the virtual lab we built is separate from the internet, and therefore there simply won't be any openly available information for us to find.
This lesson was to show you the process an attacker goes through in collecting some of the basic information they need in order to develop their attacks. Now that the reconnaissance is complete, we're going to move on to phase two: the scanning and enumeration phase.