WEBVTT

00:00.480 --> 00:04.290
Hello my phone and welcome back to part twenty-eight of my Learn Ethical Hacking course.

00:04.320 --> 00:09.370
In this part I'm going to look at discovering sensitive files within a web site's directory.

00:09.990 --> 00:14.120
So typically when you visit a Web site or this could be actually any Web site.

00:14.130 --> 00:15.570
So let's take my one for example.

00:15.570 --> 00:20.640
So when you visit code on command dot com essentially you're visiting my root directory of my servers

00:21.090 --> 00:23.580
or my website's setup.

00:23.610 --> 00:27.920
And when you visit the root directory that's got the index.html.

00:27.930 --> 00:31.380
Now that could be .php as well.

00:31.920 --> 00:33.750
But essentially that's just the index page.

00:33.760 --> 00:35.070
So that's the home page.

00:35.100 --> 00:39.960
Now that is typically just stored straight into the root directory.

00:40.050 --> 00:48.900
So if I go to the browser and I go to my website, if I click enter right now I'm going to my root directory

00:49.050 --> 00:50.610
of my web site.

00:50.640 --> 00:53.720
So this will have the index.html.

00:53.850 --> 00:59.730
So if I do forward slash index.html or in this case .php because that's what my website's created

00:59.730 --> 01:02.210
with as you can see it sent you straight to the same page.

01:03.330 --> 01:07.350
So I just close out of that is essentially what we're going to be looking at because when you visit

01:07.350 --> 01:10.480
a Web site you don't know all the directories.

01:10.500 --> 01:16.410
So what I'm going to show you in this is how to search automatically for the directories and files that

01:16.410 --> 01:22.930
you can discover that are typically not meant to be discovered or are trying to be more discreet about

01:22.930 --> 01:28.360
to the owner of the Web site wants to be discreet about the directory as possible. But

01:28.430 --> 01:31.130
our script will find all the directories.

01:31.470 --> 01:33.300
So if you think of this as a Web site.

01:33.330 --> 01:39.480
So when you go to your /var/www inside your Kali Linux machine, inside the html.

01:39.480 --> 01:40.850
This is where we upload payloads.

01:40.860 --> 01:45.810
This is essentially a website. You can visit this by going to your Kali Linux IP address, just type

01:45.970 --> 01:49.830
ifconfig in your terminal and visit that in a browser.

01:51.360 --> 01:53.130
But when you visit Web sites.

01:53.130 --> 01:59.040
So essentially what we've just done on my one is visited the index page, but within a web

01:59.040 --> 02:03.780
site that might have different sub directories so they might be about to create a folder.

02:03.780 --> 02:10.140
This is now a sub directory within our website and inside this about there might be about.php

02:10.230 --> 02:13.830
and that will be the all about the Web site.

02:13.860 --> 02:19.800
So that's why when you visit the index.html you click a link within a heading that says about

02:19.800 --> 02:24.840
us, you click on that and that's where it will send you, to the about.php or .html.

02:26.010 --> 02:32.380
But there might be other sensitive directories within a web site such as admin.

02:32.550 --> 02:38.340
So if you create that that's just a directory and this admin directory might have the admin panel.

02:38.820 --> 02:45.270
So when you visit this page now you wouldn't typically know this because the index.html will

02:45.270 --> 02:51.090
not link you to this but it still exists within the directory and that's what the purpose of our script

02:51.090 --> 02:53.420
will be to find all the directories.

02:53.420 --> 02:59.320
So when you click on this it might have the, within this it might have the admin login.php and

02:59.340 --> 03:04.350
when you click on now or visit it within a browser then it will say please log in with your admin username

03:04.380 --> 03:12.870
or password and it can be quite dangerous then because people could brute force the attack on that specific

03:13.170 --> 03:17.190
web page to gain access to your admin panel.

03:17.220 --> 03:18.910
So essentially that's what we're gonna be looking out for.

03:18.940 --> 03:24.480
If you open up your Metasploitable server and what we're going to do is we're gonna go to the directory

03:25.050 --> 03:26.150
of our scripts.

03:26.160 --> 03:31.290
Now it comes preinstalled so there's about five different scripts that are pre installed with our

03:31.290 --> 03:32.530
Metasploitable server.

03:32.750 --> 03:42.120
So we type cd and go to /var and then www, click enter, then type ls -la, click enter, that

03:42.120 --> 03:46.200
will list everything inside this directory in any logical order.

03:47.180 --> 03:49.350
And as you can see here there's something called Mutillidae.

03:49.370 --> 03:50.800
And that is a folder.

03:51.360 --> 03:58.710
So if I just get my mouse back, you can exit the screen for Metasploitable on VMware by pressing

03:58.710 --> 04:02.410
control and alt at the same time. As you can see here there's Mutillidae.

04:02.770 --> 04:06.810
Mutillidae is a website that has vulnerabilities within it.

04:06.840 --> 04:15.450
So we can basically attack a test all knowledge as in it but think of it like a think of it like a test.

04:15.450 --> 04:21.000
So if we go to our Kali Linux browser and we visit our server's IP address.

04:21.000 --> 04:23.920
Now this IP address is our Metasploitable's IP address.

04:23.910 --> 04:28.020
So if you type ifconfig that will be different to the Kali Linux machine.

04:28.020 --> 04:32.310
So as you can see for this one it's 1 9 2 dot 1 6 8 0 1 10 dot 130.

04:32.310 --> 04:35.780
So let's visit that in the browser to visit our Web site.

04:35.790 --> 04:41.590
Essentially we're connecting to our server, Metasploitable server, click enter and there we go search

04:41.610 --> 04:42.780
it come up like this.

04:42.860 --> 04:47.520
And as you can see there's five different scripts pre installed so there's Mutillidae.

04:47.790 --> 04:54.540
So if you click on that now essentially we're in the Mutillidae root directory here even though it's a sub

04:54.540 --> 05:00.080
directory because as you can see it's a folder, it's a separate folder within our root directory. Root

05:00.080 --> 05:03.340
directory of our server is this.

05:03.590 --> 05:09.730
This is a sub directory so essentially if you think of it like this, this is our root directory.

05:09.920 --> 05:13.220
But then picture this as like Mutillidae so we're visiting this.

05:14.090 --> 05:15.870
That's essentially what's happening.

05:15.890 --> 05:20.060
So when we visit Mutillidae this is the sub directory.

05:20.060 --> 05:26.540
It says that a folder itself is essentially the root folder for the home page.

05:26.540 --> 05:33.000
So with inside this folder, within this folder will be the index.php or .html.

05:33.190 --> 05:37.880
And as you can see this is born to be hacked so it's essentially like a hacker's playground.

05:38.120 --> 05:39.940
So you can change the security level.

05:39.980 --> 05:46.540
You can give hints or disable them and you've got to basically just try and hack into this Web site.

05:48.140 --> 05:49.220
But we're not going to be doing that.

05:49.220 --> 05:52.460
We're just going to discover all the directories within this Web site.

05:52.490 --> 05:57.890
So like I said before you will not typically know all the sub directories because you're not going to

05:57.890 --> 05:59.670
be typing.

06:00.260 --> 06:04.820
For example admin after this, click enter and as you can see this does not exist.

06:04.820 --> 06:10.180
So clearly they don't have a sub directory with an admin panel or the sub directory is not called admin

06:10.190 --> 06:12.040
it could be called admin 1.

06:12.380 --> 06:14.470
That could be an admin panel but it's clearly not.

06:14.480 --> 06:18.000
So that is the purpose of a script to find all the sub directories.

06:18.050 --> 06:21.800
This will find sensitive files as well.

06:22.540 --> 06:25.250
So let us go back to all.

06:25.520 --> 06:33.790
Um in fact what we'll do is we'll open up our terminal now so open up your terminal and we'll search

06:33.790 --> 06:35.130
for these files.

06:35.320 --> 06:37.690
So all you need to do you don't need to install it.

06:37.810 --> 06:39.640
You don't need to install anything.

06:39.640 --> 06:41.170
All you need to do is type

06:41.210 --> 06:50.620
dirb then the address for your server which is just the IP address of the Metasploitable machine.

06:50.710 --> 06:54.650
So if you just type http then the IP address.

06:54.700 --> 06:56.690
So 1 9 0 1 6 8.

06:56.710 --> 06:58.150
Now this would be different for you.

06:58.780 --> 07:01.320
No one turned up 130.

07:02.410 --> 07:05.930
Then you need to visit the actual directory of Mutillidae.

07:05.980 --> 07:12.660
So you need to type m u t i l l i d a

07:12.840 --> 07:13.910
e.

07:13.990 --> 07:19.420
Make sure you add Mutillidae to the end of this because if you just search every sub directory of

07:19.420 --> 07:24.940
this then you will find all the sub directories of every single script because if we visit the root

07:24.940 --> 07:27.540
directory as you can see it's got multiple ones.

07:27.970 --> 07:33.910
If we removed all of this on the server and just had Mutillidae as our sub main root directory

07:33.910 --> 07:40.120
then you could just take the IP address for now because it's a sub directory we'll just leave it here.

07:40.270 --> 07:41.980
Hopefully that makes sense.

07:42.170 --> 07:49.150
I suggest until I make them go and have a look at like Web sites how they're made and how they're set

07:49.150 --> 07:52.990
up because that will help you understand what's going on here.

07:53.290 --> 07:55.830
Well it's fairly basic to understand anyway.

07:55.900 --> 07:59.600
So once you type this you can just click enter.

07:59.620 --> 08:04.900
Now you can add a trailing backslash if you want to, just click enter and there we go so it starts scanning

08:05.790 --> 08:15.430
and the way it works is it uses a, basically a wordlist to find common directories.

08:15.430 --> 08:23.790
So a common directory would be forward slash admin for the admin page or the admin panel as you can see

08:23.800 --> 08:32.920
this is a typical or common index.html or .php in this case then this if you noticed here

08:32.950 --> 08:40.130
there's a directory called installation which we wouldn't have known if we didn't use the script.

08:41.350 --> 08:42.590
Let's have a look what else there is.

08:42.590 --> 08:44.810
So let's just make this a little bit larger.

08:44.920 --> 08:47.860
So there's also header home footer.

08:48.100 --> 08:52.360
There's an icon there's diet classes.

08:52.360 --> 08:55.630
If we scroll down a little bit there's also files.

08:55.630 --> 08:57.110
Now it doesn't show.

08:57.220 --> 08:58.030
It shows both.

08:58.030 --> 09:04.000
So it doesn't just show folders which are sub directories it also shows just plain files which in this

09:04.000 --> 09:10.860
case is phpinfo.php so we can visit this if we go back to our website and just type php

09:10.870 --> 09:18.820
info.php click enter, as you can see now we've located the phpinfo.php so we can see what type

09:18.820 --> 09:24.010
of PHP it's using, PHP 5, and there's a configuration file.

09:24.070 --> 09:30.760
So we've basically found the configuration file has some useful information here but we go back to our

09:30.760 --> 09:33.520
terminal there's also register.

09:33.520 --> 09:40.660
Now that was probably a common directory because there will be a link to it on the index page because

09:40.660 --> 09:45.330
when you register a Web site there has to link you to the register page.

09:46.210 --> 09:53.770
Ignore these ones here that say use w hyphen w motor scanning but essentially this is how we can discover

09:55.240 --> 09:57.220
all lists of directories within them.

09:57.580 --> 10:01.460
As you can see here there's Mutillidae passwords as well.

10:01.840 --> 10:05.710
So these are sub directories of Mutillidae.

10:05.720 --> 10:12.670
So as you can see includes is a folder and within includes there's index, index.php and installation. Within

10:12.670 --> 10:19.420
the sub directory javascript there's the log in notes and Page are found and then within the sub directory

10:19.420 --> 10:22.230
passwords there's all of this information.

10:22.420 --> 10:26.900
So let's visit something else so robots.txt.

10:28.780 --> 10:35.050
So let's visit robots.txt, click enter and there we go.

10:35.050 --> 10:44.110
So basically robots.txt is used in websites to prevent Google from crawling the specific directories

10:45.460 --> 10:51.330
that gets into more detail which is quite long to explain, but in a nutshell it basically, when you

10:51.340 --> 10:57.460
have a robots.txt it blocks directories from being indexed by Google.

10:57.460 --> 11:03.070
So when you search for Facebook on Google indexes all the Facebook links and that's why they appear

11:03.130 --> 11:07.710
on Google's search engine the index site of index my Web site.

11:07.900 --> 11:16.560
And I'll have a robots, a robots.txt to prevent Google from indexing my admin panel for example.

11:16.600 --> 11:21.970
So when you say to my Web site and Google the admin panel will not show up but that's essentially what

11:21.970 --> 11:23.740
this robots.txt does.

11:23.740 --> 11:26.490
So these are passwords directory as you can see here.

11:26.530 --> 11:36.220
So let's just visit Mutillidae and passwords and now we're inside the passwords directory.

11:36.280 --> 11:41.460
So like I said we wouldn't have got this far if we didn't use this script.

11:41.590 --> 11:49.270
So I always look here for the sub directory and then the files that are in the sub directory will

11:49.290 --> 11:50.230
appear here.

11:50.590 --> 11:56.380
Do not get confused like I said before with Mutillidae because Mutillidae is also a sub directory of our

11:56.380 --> 11:57.370
server.

11:57.380 --> 12:01.990
But picture this as like the root directory. Mutillidae, picture it as the root directory even though it's

12:01.990 --> 12:09.610
the sub directory of our main server a Web site will only have the Web site files on it anyway so that

12:09.610 --> 12:10.620
will always be the root.

12:10.630 --> 12:15.020
But in this case because we have multiple scripts it's a sub directory.

12:16.000 --> 12:22.460
But this is technically passwords here and JavaScript includes and images are all sub directories of

12:22.460 --> 12:27.250
a sub directory because Mutillidae is technically a server directory but you get the idea.

12:27.280 --> 12:33.070
Anyway we're inside the passwords sub directory and as you can see there's accounts.txt.

12:33.610 --> 12:40.990
So if we click on accounts.txt we've got some accounts so Mutillidae, passwords, accounts.txt

12:43.060 --> 12:50.390
and there's admin admin pass monkey Adrian some pass from zombie films rock the boat.

12:50.470 --> 12:54.520
This doesn't really mean anything to us at the moment because we don't know what we can log in with

12:54.520 --> 12:59.200
this sort of thing we don't know if it's genuine but you get the idea because now we're discovering

12:59.200 --> 13:06.610
sensitive files so you can always just discover these files or type in the sub directory to get more

13:06.610 --> 13:11.050
files appear so if we type in let's type javascript

13:13.670 --> 13:20.660
there we go, and now within this javascript sub directory I've got more JS files, if you notice

13:20.660 --> 13:23.250
these don't appear here.

13:23.690 --> 13:29.950
So these are all files within the root directory of Mutillidae and these are sub directories.

13:29.960 --> 13:31.450
So that's important to remember

13:34.560 --> 13:38.910
um let's just open a JS file.

13:38.910 --> 13:48.500
Let's just click on HTML5 secrets: window.sessionStorage.setItem, authentication token, so

13:48.500 --> 13:50.440
we've got some tokens here.

13:50.480 --> 13:56.540
This will all be relevant in the future videos but I think I'll leave it there for now because I have

13:56.540 --> 13:57.490
talked quite a lot.

13:59.110 --> 14:06.130
So this was just a video on how to discover secret or discovering sensitive sub directories and files

14:06.130 --> 14:07.870
within a web site's directory.

14:08.020 --> 14:09.430
So hopefully this helped.

14:09.490 --> 14:13.240
Please leave a comment if you're stuck with anything, I'll be happy to help.

14:13.500 --> 14:17.350
Subscribe for future content and I will see you all in the next video.
