1
00:00:01,800 --> 00:00:07,200
In the previous lecture, we learned the basics of hunting subdomains.

2
00:00:07,680 --> 00:00:14,220
Actually, in this lecture, we will dive in a little deeper and look at other tools that are available

3
00:00:14,520 --> 00:00:17,910
for gathering intel on our target.

4
00:00:18,990 --> 00:00:27,120
So we will start by using the famous tools of Kali Linux. Gathering information is a crucial stage

5
00:00:27,120 --> 00:00:35,880
of performing a penetration test, as every step we take afterwards is an outcome of all the information

6
00:00:36,090 --> 00:00:38,340
we gather during this stage.

7
00:00:39,280 --> 00:00:46,410
Actually, for this reason, it's very important that we gather as much information as possible before

8
00:00:47,190 --> 00:00:50,130
jumping into the exploitation stage.

9
00:00:51,600 --> 00:00:59,130
Actually, this lecture is the first lecture of this section of our ultimate course. We

10
00:00:59,160 --> 00:01:05,610
will cover the following: we will get a list of subdomains.

11
00:01:05,610 --> 00:01:08,100
We will use Shodan for fun and profit.

12
00:01:08,610 --> 00:01:12,540
We will use Shodan honeyscore.

13
00:01:12,540 --> 00:01:15,100
We will use the Shodan plugin and Censys.

14
00:01:15,360 --> 00:01:18,990
We will use Nmap to find open ports.

15
00:01:19,890 --> 00:01:23,340
We will bypass firewalls with Nmap.

16
00:01:23,760 --> 00:01:26,790
We will search for open directories

17
00:01:26,790 --> 00:01:28,500
using Gobuster.

18
00:01:28,950 --> 00:01:31,620
We will hunt for SSL flaws.

19
00:01:31,980 --> 00:01:38,130
We will automate brute force using BruteSpray. We will dig with theHarvester.

20
00:01:38,520 --> 00:01:42,270
So we will dig deep with theHarvester.
21
00:01:42,720 --> 00:01:52,410
We will find the technology behind web applications, actually, using WhatWeb

22
00:01:52,410 --> 00:01:56,490
and BuiltWith, websites and tools.

23
00:01:56,850 --> 00:02:05,460
We will scan IPs with masscan and Nmap. We will find origin servers with

24
00:02:05,460 --> 00:02:06,000
CloudBunny.

25
00:02:06,120 --> 00:02:12,900
We will sniff around with Kismet and test routers with firewalk, actually.

26
00:02:14,820 --> 00:02:23,580
Firstly, let's start by getting a list of subdomains. When performing a black box test,

27
00:02:24,180 --> 00:02:28,470
the client may not give us all of the subdomains of the organisation.

28
00:02:29,040 --> 00:02:36,720
So in this recipe, we'll cover one of the five techniques that can be used to get lists of the subdomains

29
00:02:36,720 --> 00:02:37,890
of an organisation.

30
00:02:38,700 --> 00:02:39,910
So how do we do it?

31
00:02:40,530 --> 00:02:49,830
So first of all, we have a website that will help us with doing this.

32
00:02:50,790 --> 00:03:01,080
And this website is actually scans.io, and it's open.

33
00:03:01,920 --> 00:03:05,030
scans.io.

34
00:03:12,060 --> 00:03:12,420
So.

35
00:03:14,200 --> 00:03:22,180
We have this DNSdumpster, and we will use it. It relies on scans.io

36
00:03:22,180 --> 00:03:26,200
to resolve, so it's pretty simple to use.

37
00:03:27,130 --> 00:03:28,220
So actually.

38
00:03:30,160 --> 00:03:32,260
Actually, can you see my screen?

39
00:03:32,980 --> 00:03:33,400
Yes.

40
00:03:34,060 --> 00:03:36,490
And then DNSdumpster, in Chrome.

41
00:03:39,460 --> 00:03:41,350
It's really DNSdumpster.

42
00:03:48,040 --> 00:03:56,020
You're showing DNSdumpster; it's actually DNSdumpster, all right, dnsdumpster.com.

43
00:03:57,570 --> 00:03:58,110
Actually.

44
00:03:59,920 --> 00:04:00,220
Yes.
45
00:04:01,160 --> 00:04:01,580
So.

46
00:04:03,780 --> 00:04:12,570
Actually, let's find some subdomains with these tools.

47
00:04:13,410 --> 00:04:21,360
So I will give our website to this tool to find DNS subdomains.

48
00:04:22,350 --> 00:04:23,580
And it's searching.

49
00:04:26,770 --> 00:04:34,300
So you can see here this information, and what this information is.

50
00:04:35,020 --> 00:04:44,290
We can see here that our website hosting is Namecheap hosting and the DNS is Namecheap DNS, and

51
00:04:44,290 --> 00:04:51,460
we have the mail subdomain here, mail dot [our domain] dot com.

52
00:04:51,490 --> 00:05:02,050
So you can see here that this mail subdomain will redirect us to the main page of our website

53
00:05:02,050 --> 00:05:07,210
because I haven't set up this mail yet.

54
00:05:09,010 --> 00:05:13,630
And as you can see here, our DNS is Namecheap DNS.

55
00:05:14,440 --> 00:05:21,010
So here we can see the Namecheap hosting IP address and the address here.

56
00:05:22,120 --> 00:05:29,260
And you can see here we get this much information from just one site.

57
00:05:30,160 --> 00:05:30,640
So.

58
00:05:32,370 --> 00:05:38,070
Actually, we have some additional information here as well.

59
00:05:38,900 --> 00:05:39,440
Um.

60
00:05:40,590 --> 00:05:48,990
You can see here we have TXT records shown here, and we can do that.

61
00:05:52,070 --> 00:05:58,430
And also there is an Excel (xlsx) file, and we can grep for it.

62
00:05:59,660 --> 00:06:00,120
Um.

63
00:06:03,490 --> 00:06:08,050
So we are done with that; we got the information from just one domain.

64
00:06:08,920 --> 00:06:17,980
So actually it gives us additional subdomains, but our own website doesn't have subdomains yet

65
00:06:18,490 --> 00:06:19,510
and we don't need it.
66
00:06:19,900 --> 00:06:27,190
So for example, on some website, you can see these subdomains. For example, this is the domain

67
00:06:27,190 --> 00:06:31,900
of the website and this is the subdomain here.

68
00:06:32,380 --> 00:06:35,350
So if we search kali.org

69
00:06:36,580 --> 00:06:38,470
here in

70
00:06:39,530 --> 00:06:41,080
DNSdumpster,

71
00:06:42,490 --> 00:06:46,720
we will get information. So there was an error on the request.

72
00:06:46,780 --> 00:06:47,300
Why?

73
00:06:47,320 --> 00:06:49,840
Because I have put a slash on it.

74
00:07:00,410 --> 00:07:01,820
Actually, as you can see here.

75
00:07:03,250 --> 00:07:05,470
You know, we can see information, see it.

76
00:07:05,920 --> 00:07:07,870
We have the records here.

77
00:07:08,200 --> 00:07:15,790
And actually, we have mail servers and we're running in [inaudible]

78
00:07:15,800 --> 00:07:17,070
[inaudible].

79
00:07:17,350 --> 00:07:22,170
Like, mail dot [inaudible] dot com.

80
00:07:22,810 --> 00:07:23,590
And here.

81
00:07:23,590 --> 00:07:30,010
We have so many subdomains here, as you can see, and we can see these IP addresses.

82
00:07:30,580 --> 00:07:38,590
So which host address belongs to which of these subdomains, which host address and which servers use this;

83
00:07:38,980 --> 00:07:41,410
as you can see here, they're pretty similar, actually.

84
00:07:41,860 --> 00:07:46,300
And this means they are going to one hosting.

85
00:07:46,300 --> 00:07:55,060
So these domains are going to just one hosting; with different hosting, you can redirect these,

86
00:07:55,060 --> 00:07:56,890
and that's, well, different hosting [inaudible].

87
00:07:56,890 --> 00:08:01,420
As you can see, there's the one for Russia, it looks like, actually.

88
00:08:01,430 --> 00:08:08,470
So this means, actually, in the Russian language, we have forums, tools and.
89
00:08:09,770 --> 00:08:18,110
We have different weird subdomains here, so let's close this. Actually, I want to show you

90
00:08:18,740 --> 00:08:25,100
something very helpful for hackers and penetration testers, a website, which is Shodan.

91
00:08:25,520 --> 00:08:31,910
So Shodan is the world's first search engine that is used to search for devices that are connected

92
00:08:31,910 --> 00:08:32,780
to the internet.

93
00:08:33,170 --> 00:08:41,810
So in the next lecture, actually, I will teach you how to use Shodan and how to use Shodan

94
00:08:41,810 --> 00:08:43,070
for fun and profit.

95
00:08:43,610 --> 00:08:45,350
So I'm waiting for you in the next lecture.