[00:00:00] Instructor: Welcome back. Let's continue with our WhatWeb tool. So in the previous video, we only saw how we can perform the basic stealthy scan on a certain website. Another thing that we can do with WhatWeb, besides testing a website, is to test a range of IP addresses all at once.

[00:00:20] So if I open up my terminal and I type "whatweb --help" once again to list out all of the available options, and scroll all the way up, here under the targets we can see that we can specify URLs, host names, IP addresses, but we can also specify IP ranges. We can specify them like this or like this.

[00:00:50] Now to test this out, I'm going to scan my entire home network, and to know what range of IP addresses I should scan for my home network, I could type the command "ifconfig" down here, or "sudo ifconfig", since, remember, this requires root privileges. Press enter. Enter our password.

[00:01:13] And we can see that my IP address is 192.168.1.4. And what's more important than the IP address in this case is the netmask, and my netmask is 255.255.250.0. The subnet mask right here means that only the last octet of my IP address is changeable, which is this last number. So these first three octets, or these first three numbers, never change in my home network. This also means that the range of IP addresses that belong to my network is going to be from 0 to 255. So basically the range of the IP addresses that my network can have is this one: 192.168.1.0 to 192.168.1.255. This is the range of my home network.

[00:02:17] So let me scan it. Now for you it might be different based on what type of network you've got, but in most home networks the subnet mask is going to be this one, therefore just the last octet will be changeable for you. Now before I actually run the scan: I don't have any websites hosted in my home network, but I do have some devices running something on port 80. And port 80 is the HTTP port that websites use to host their pages. So we should still get some result from scanning my network.

[00:02:53] Let us go delete this and type whatweb, and then the range of my home network. Let us go with 1 to 192.168.1.255. So this is the range of IP addresses that we want to scan, and all of them belong to my home network. And the good thing right here is that I can use whichever aggression level I want, since it is my own network. Let's test out aggression level three. To do that we can specify "--aggression" and then 3 after it. We can also specify the "-v" option to better output all of this. And let's press enter.

[00:03:42] You will notice we are getting some of the results, but there is a lot of this error happening on the screen. Now, what this error right here is... let me just Control-C, since we're not going to wait for this to finish. And what this error is, is all of the hosts that it tried to scan but couldn't manage to. And the reason why it couldn't manage to scan these hosts is because they do not exist. I currently only have around two or three devices on my home network, and all of these other IP addresses are out of use.

[00:04:15] So let me go up here to see what it found. It found the result for the IP address 192.168.1.1, and this is my router. Down here we can see all of the plugins that it managed to detect for my router. We can see an interesting plugin, which is password field. This is something that we would write down, since any password field that we find we can use later on in something like a brute force attack to try to guess the password and try to brute force the login credentials. But nonetheless, this is just a router, so we are not really interested in it at the moment. This is just an example of a test of how it would look. And since I don't have any website on my home network, it didn't really give much result.

[00:04:58] We can see right here, here is another IP address that is active. It is 192.168.1.10, and this is the IP address of my laptop, which is currently up and running. It detected this HTTP server on it, but it got this status code of 403 Forbidden, so it is not allowed to visit that page. Therefore this is as much information as it managed to get. And all the other ones down here are simply just offline.

[00:05:27] Now if you don't want this red text outputted, you can use the same command and at the end add "--no-errors". What this no-errors option does is it simply just doesn't print these offline IP addresses. Let's test it out. If I run the same command just with no-errors, you will see we are not going to get any red text anymore. It will only scan these two live IP addresses, which are my home router and the laptop. And that is basically it. That is everything that it will output.

[00:06:04] Okay, so it took just a few seconds to finish. And keep in mind that since we are running the level three aggression scan, it will take a little bit more time to scan something than with level one, since it is performing a deeper scan than just the level one stealthy scan. Okay, so we ran this command and we used aggression level three. We used "-v" to output all the detected plugins as well as their description. And we used no-errors to not print out these offline IP addresses.

[00:06:37] But what if we, for example, wanted to save this output that we got in a file for some future reference? Well, if I type the command "whatweb --help" and I go through this help menu once again, I will get to this part, which is "LOGGING". And down here we can see that there are a bunch of options that we can use to log our file, or to save our file. So let's just go with the first one, or we can even use the second one, which is to log verbose output. To do that we use this option right here, and then equals, and then the file name that we want to save to.

[00:07:24] So if I go down here... and another useful command once you have a bunch of things happening in your terminal, and by a bunch of things I mean just a bunch of text printed out, what we can do to get rid of this is run the command "clear". This will clear our terminal so we get a much cleaner look. Now if I press the up arrow to find the command that we ran previously, and at the end I add "--log-verbose=", and here I can call the file "results", for example. If I press enter here...

[00:08:00] Now you will notice that besides outputting this to the terminal, it will also save it inside of a file. Let's wait for this to finish to check out the file that we got. Okay, so it finished. Let us clear the screen once again, and if I type "ls" right here, we'll see our results file. Let's lower the terminal and open this file to see what got saved. And if I enlarge it, we will see that we got our results saved for both IP addresses: for my laptop IP address and for my router IP address.

[00:08:36] Now for your scan, if you scan your home network, you will probably have more devices or fewer devices, or you might not get any result in case none of your devices has an open port 80, or in case none of your devices is running an HTTP server. So don't worry if you didn't get any device. This is just an example to see that we can even run the ranges of IP addresses and to test out this aggression level three scan, since we can only do it on the websites that we own or have permission to scan.

[00:09:09] Okay, great. So look at all of the commands that we crafted with all of these options right here. And this is just a part of this WhatWeb tool. You don't need to be learning all of these commands. You can always just run the help command and read through its help manual to discover what you want to run. We won't be going through all of these options in the WhatWeb tool since there are too many of them, but I encourage you to play with it a little bit and see if it has any other interesting options.

[00:09:40] Great. In the next video we're going to see how we can harvest or gather as many emails as possible from just knowing a domain. See you there.