1 00:00:00,360 --> 00:00:06,170 Welcome back, let us code our second project for the Web application penetration testing section.
2 00:00:06,720 --> 00:00:12,450 So in the previous video, we took a look at how we can create the simple brute force that will be able
3 00:00:12,450 --> 00:00:16,220 to brute force both of our DVWA login pages.
4 00:00:16,830 --> 00:00:18,270 We made the POST request.
5 00:00:18,300 --> 00:00:24,630 We also made the GET request, and we also changed fields accordingly to each one of those pages.
6 00:00:25,560 --> 00:00:30,960 Now, as I already mentioned, that program you will need to adjust for every page that you brute
7 00:00:30,960 --> 00:00:31,280 force.
8 00:00:31,740 --> 00:00:35,950 However, this program that we are going to create right now, which is the directory brute force,
9 00:00:36,390 --> 00:00:38,760 you won't need to adjust for different pages.
10 00:00:38,940 --> 00:00:41,130 It will work for every page.
11 00:00:41,490 --> 00:00:47,700 And what a directory brute force is, as we already mentioned, is it will discover some hidden directories
12 00:00:47,880 --> 00:00:52,390 that could possibly be useful to us when performing Web application enumeration.
13 00:00:53,100 --> 00:00:58,910 So this is something similar to the dirb tool that we covered in the Web penetration testing section.
14 00:00:59,580 --> 00:01:01,350 So let's get straight into it.
15 00:01:01,360 --> 00:01:08,430 I'm going to open the terminal and I'm going to navigate to our Desktop and Tools directory here.
16 00:01:08,430 --> 00:01:10,860 We got our Web penetration testing directory.
17 00:01:10,860 --> 00:01:15,150 And right here inside of this, we got our previous project.
18 00:01:16,140 --> 00:01:22,020 Let us now create a program that we can call directories.py.
19 00:01:23,500 --> 00:01:31,420 As with the previous program, this one is also going to import the requests library, and before we start
20 00:01:31,420 --> 00:01:35,610 coding it, let's first think about how our program is going to look.
21 00:01:36,070 --> 00:01:41,830 So we're going to ask the user of the program to specify the target URL or the target link.
22 00:01:42,310 --> 00:01:45,870 Then we will open a file that has common directory names.
23 00:01:46,210 --> 00:01:52,540 We will read from the file and for each directory name, we are going to perform a request for that
24 00:01:52,540 --> 00:01:52,920 page.
25 00:01:53,290 --> 00:01:59,680 If we receive a response, or if we manage to load that page, that means that directory exists on that
26 00:01:59,680 --> 00:02:00,040 page.
27 00:02:00,280 --> 00:02:04,910 If we get something like a connection error, that means that it doesn't exist.
28 00:02:05,260 --> 00:02:07,270 So this program is really simple.
29 00:02:07,630 --> 00:02:09,550 Let's start coding it.
30 00:02:09,760 --> 00:02:13,450 And the first thing, as we said, is going to be the target
31 00:02:13,690 --> 00:02:14,020 URL.
32 00:02:15,350 --> 00:02:22,280 This is going to be equal to the input value, as usual, and here we can specify something like this.
33 00:02:23,680 --> 00:02:26,350 And then: enter target URL.
34 00:02:29,420 --> 00:02:35,150 What we also want to ask from the user is the file name, so file_name is going to be equal
35 00:02:35,150 --> 00:02:36,020 to input.
36 00:02:38,500 --> 00:02:44,740 Enter the name of the file containing directories.
37 00:02:46,520 --> 00:02:53,240 OK, so these are the only two things that we need. After we get them, we can open our file like this.
38 00:02:53,240 --> 00:02:59,380 So file equals open, and then the first parameter is going to be the file name, which they specify,
39 00:02:59,660 --> 00:03:03,490 and the second parameter is going to be opening the file for reading.
40 00:03:03,500 --> 00:03:05,030 And this is something we already covered.
41 00:03:05,030 --> 00:03:08,510 So you should be pretty familiar with how we open files.
42 00:03:09,200 --> 00:03:15,830 As soon as we open the file, we can start reading different directory names and requesting those pages.
43 00:03:16,490 --> 00:03:17,720 So for line
44 00:03:18,730 --> 00:03:26,020 in our file, for each and every directory in our file, we are going to first strip that line
45 00:03:27,580 --> 00:03:32,950 from any additional characters and we are going to store that inside of the directory variable, so
46 00:03:32,980 --> 00:03:35,320 directory will be equal to line dot strip.
47 00:03:36,040 --> 00:03:43,500 After that we can create a full URL variable, and the full URL variable will be equal to target URL
48 00:03:44,020 --> 00:03:48,890 plus, and then slash, and then plus our directory.
49 00:03:49,300 --> 00:03:54,730 So what we are essentially doing right here is, let's say the target input is our website link or a
50 00:03:54,730 --> 00:03:56,780 domain name of google.com.
51 00:03:57,430 --> 00:04:02,860 Let's say the input is that, and from our file we read the admin directory.
52 00:04:03,700 --> 00:04:10,090 Essentially what we are doing right here in this line is we're combining those two like this.
53 00:04:10,360 --> 00:04:13,300 So this is how we search a directory on a certain domain.
54 00:04:13,810 --> 00:04:17,290 We simply just add a slash and type the directory's name.
55 00:04:18,210 --> 00:04:24,380 Now that we got the full URL variable, we can perform the same thing from the previous video: response
56 00:04:24,390 --> 00:04:33,600 will be equal to request of full URL, and this request function we don't have. It is not requests
57 00:04:33,600 --> 00:04:35,040 dot get or requests dot post.
58 00:04:35,250 --> 00:04:39,090 It is just the request function that we are going to code right now.
59 00:04:39,100 --> 00:04:42,780 So go up here and type def request.
60 00:04:43,410 --> 00:04:50,460 This request, of course, takes the parameter of URL, and what this function should do is it should
61 00:04:50,460 --> 00:04:56,010 try to connect to that page that we are looking for, and if it doesn't manage to connect, we're just
62 00:04:56,010 --> 00:04:56,820 going to pass.
63 00:04:57,090 --> 00:04:58,500 So how can we do this?
64 00:04:58,850 --> 00:05:06,540 Well, we can type try, and then we can try to return from this function requests dot get.
65 00:05:07,140 --> 00:05:12,600 And the reason why we are returning is because we are going to store the response inside of this response
66 00:05:12,810 --> 00:05:13,320 variable.
67 00:05:13,650 --> 00:05:19,230 So we're essentially returning requests dot get, and then let's add http://
68 00:05:21,510 --> 00:05:28,740 and plus our URL, so it is going to essentially try to visit our URL, we're just adding
69 00:05:28,920 --> 00:05:32,070 the prefix of http:// to those.
70 00:05:32,340 --> 00:05:34,320 So like this, everything should work.
71 00:05:34,680 --> 00:05:38,700 If we manage to visit that page, we're going to return the value.
72 00:05:38,700 --> 00:05:44,940 And if we don't manage to visit that page, in case of requests dot exceptions
73 00:05:47,890 --> 00:05:49,420 dot ConnectionError,
74 00:05:51,010 --> 00:05:57,220 we're just going to pass, and let's not forget to add the colon at the end of the except statement, so
75 00:05:57,220 --> 00:06:00,850 in this case we didn't manage to connect, therefore we're just passing.
76 00:06:00,850 --> 00:06:07,130 And the return value inside this response will be nothing since we're not returning anything.
77 00:06:07,810 --> 00:06:12,430 So how can we then check which one managed to connect and which one didn't manage to connect?
78 00:06:12,580 --> 00:06:16,510 Well, we can just type the if response statement.
79 00:06:16,990 --> 00:06:23,650 And what this if response means is: if there is something in response, then do the following statement.
80 00:06:24,100 --> 00:06:28,150 If there is nothing in response, then it won't do anything.
81 00:06:28,930 --> 00:06:35,170 So in this case, if we have something in response, that means the statement worked and we managed
82 00:06:35,170 --> 00:06:36,210 to connect to that page.
83 00:06:36,220 --> 00:06:37,630 So we're just going to print
84 00:06:42,560 --> 00:06:51,410 "Discovered directory at this path", and we're going to print the full URL.
85 00:06:53,120 --> 00:06:54,160 Simple as that.
86 00:06:54,170 --> 00:06:56,070 And this is our entire program.
87 00:06:56,330 --> 00:06:58,160 Let's go through it once again real fast.
88 00:06:58,160 --> 00:07:00,080 So we import the requests library.
89 00:07:00,410 --> 00:07:03,800 We ask the user of this program for the target URL.
90 00:07:03,860 --> 00:07:05,620 We also ask for the file name.
91 00:07:06,200 --> 00:07:11,120 Then we open that file and we read each and every line inside of that file.
92 00:07:11,360 --> 00:07:15,580 We strip it from any additional characters and store it inside of the directory variable.
93 00:07:16,100 --> 00:07:22,930 Then we create a full URL variable that will be the combination of target URL and the directory name.
94 00:07:23,810 --> 00:07:30,440 Then we request that full URL, and if we manage to connect to it, we will return this value inside of
95 00:07:30,440 --> 00:07:31,480 the response variable.
96 00:07:31,490 --> 00:07:35,870 If we don't manage to connect, this response variable will stay empty.
97 00:07:36,110 --> 00:07:41,720 And then at the end we're just checking: if there is something in response, print that we discovered the
98 00:07:41,720 --> 00:07:43,430 directory at this path.
99 00:07:43,820 --> 00:07:47,550 If there is nothing inside of the response, it will not print anything.
100 00:07:47,990 --> 00:07:50,060 So let's test our program out.
101 00:07:50,330 --> 00:07:58,190 I will save this, and all we need to do is python3 directories.py, and we enter the target URL.
102 00:07:58,200 --> 00:08:04,040 So let's just go and see what is the IP address of our Metasploitable, and in my case it is 192.168.
103 00:08:04,040 --> 00:08:05,410 1.2.
104 00:08:08,400 --> 00:08:15,500 And the name of the file containing directories, so we need this file, and luckily inside of our Kali Linux,
105 00:08:15,510 --> 00:08:24,090 if I open a second terminal and I type locate dirb, or derb, however we want to pronounce it, we go to
106 00:08:24,120 --> 00:08:31,950 /usr/share and then the dirb directory. Type ls and we will have this wordlists directory right here,
107 00:08:32,550 --> 00:08:34,370 if we change to that directory.
108 00:08:34,530 --> 00:08:36,730 So cd into wordlists and type l
109 00:08:36,750 --> 00:08:37,110 s.
110 00:08:38,060 --> 00:08:45,800 We will have a bunch of these default wordlists, and inside of this common.txt file are common names for different
111 00:08:45,800 --> 00:08:46,470 directories.
112 00:08:47,240 --> 00:08:52,880 So what we can do is we can copy this common.txt file inside of our home,
113 00:08:52,910 --> 00:08:53,750 Mr. Hacker,
114 00:08:54,080 --> 00:09:02,750 then Desktop, and then Tools, and then the webapp penetration testing directory. Once I go to that directory
115 00:09:05,900 --> 00:09:12,410 and type ls, we should have our common.txt inside of the same directory as our directories
116 00:09:12,410 --> 00:09:13,370 dot py file.
117 00:09:14,030 --> 00:09:19,730 So now if I go right here and specify common.txt and press enter,
118 00:09:20,680 --> 00:09:26,350 this will go and search for every directory, and we can already see that it is discovering some of them.
119 00:09:26,530 --> 00:09:33,820 We got this /dav directory, this /dvwa, /index.php, /phpMyAdmin, and those are
120 00:09:33,850 --> 00:09:39,310 all the directories that it manages to find in the main directory of the Metasploitable machine.
121 00:09:39,850 --> 00:09:42,850 Now, you can also specify subdirectories if you want.
122 00:09:42,880 --> 00:09:50,220 For example, if I run the program again and type 192.168.1.2/dvwa
123 00:09:51,360 --> 00:09:57,420 and I type the same file name, which is common.txt, now it will search for the directories
124 00:09:57,420 --> 00:10:04,290 inside of this dvwa, and we can see it is finding different directories than it found right here.
125 00:10:05,390 --> 00:10:11,300 And what you would basically do when performing this type of enumeration is you would try to find something
126 00:10:11,570 --> 00:10:17,450 interesting; you would go through each and every subdirectory and try to figure out if there is any interesting
127 00:10:17,450 --> 00:10:20,810 directory on that page that maybe shouldn't be there.
128 00:10:21,200 --> 00:10:27,500 For example, if I run the program again and I type the IP address slash
129 00:10:28,590 --> 00:10:35,040 mutillidae, which is the name of one of the directories in Metasploitable, I press enter
130 00:10:35,400 --> 00:10:37,650 and I also use the common.txt file.
131 00:10:39,020 --> 00:10:44,120 It will find a bunch of the directories, but there is a directory that particularly stands out, which
132 00:10:44,120 --> 00:10:54,530 is this passwords directory, so we can visit that link, which is 192.168.1.2
133 00:10:54,530 --> 00:10:58,220 and then /mutillidae/passwords.
134 00:10:59,720 --> 00:11:05,970 And it will lead us to this directory, which has this accounts.txt file. If I click on it,
135 00:11:06,710 --> 00:11:12,100 well, it seems like we found some file that contains usernames and passwords.
136 00:11:12,110 --> 00:11:13,070 We got admin.
137 00:11:13,250 --> 00:11:15,320 The password is probably adminpass.
138 00:11:15,860 --> 00:11:20,500 And this could be something like a security question and the answer to the security question.
139 00:11:21,050 --> 00:11:26,030 So this would be a vulnerability of information disclosure, where it gave us some information that we
140 00:11:26,030 --> 00:11:32,390 shouldn't have access to, and we would never know that this passwords directory exists if we didn't
141 00:11:32,570 --> 00:11:39,620 run our directories program, which discovered it, and then visited it and found out that their account
142 00:11:39,620 --> 00:11:42,420 usernames and passwords are available for us to read.
143 00:11:43,310 --> 00:11:44,120 OK, great.
144 00:11:44,270 --> 00:11:50,030 So we have finished two projects successfully, which are the login brute force and the directory brute
145 00:11:50,030 --> 00:11:50,300 force.
146 00:11:50,900 --> 00:11:56,990 So we are officially done with web penetration testing, and in the next section we're ready to touch
147 00:11:56,990 --> 00:11:59,840 on the subject of the man in the middle attack.
148 00:12:00,350 --> 00:12:04,100 It is a really interesting attack that we can perform inside of our network.
149 00:12:04,100 --> 00:12:07,970 And in the next section, we are going to see exactly how we can perform it.
150 00:12:08,360 --> 00:12:08,960 See you there.