WEBVTT

0:00:03.880000 --> 0:00:06.880000
Website reconnaissance and footprinting.

0:00:06.880000 --> 0:00:10.000000
In this video, we're going to be exploring the process of performing a

0:00:10.000000 --> 0:00:14.140000
passive reconnaissance or passive information gathering on a website.

0:00:14.140000 --> 0:00:17.040000
And of course, we're going to be exploring footprinting a little bit.

0:00:17.040000 --> 0:00:18.400000
What is footprinting?

0:00:18.400000 --> 0:00:20.960000
Footprinting is essentially the same as reconnaissance.

0:00:20.960000 --> 0:00:26.180000
The only difference is we identify more important information that's pertinent

0:00:26.180000 --> 0:00:27.560000
to a particular target.

0:00:27.560000 --> 0:00:31.480000
So again, in this case, we'll be taking a look at a couple of websites.

0:00:31.480000 --> 0:00:33.540000
One of them is my own.

0:00:33.540000 --> 0:00:36.760000
I'm not giving you permission to do anything to it.

0:00:36.760000 --> 0:00:41.160000
As I said, from a passive perspective, you can go ahead and use this site,

0:00:41.160000 --> 0:00:44.260000
but we'll be using others that you can also use.

0:00:44.260000 --> 0:00:48.420000
In my case, you do have the permission to do passive reconnaissance on

0:00:48.420000 --> 0:00:56.860000
the site. So, the information we're looking for.

0:00:56.860000 --> 0:00:58.260000
This is it right over here.

0:00:58.260000 --> 0:01:02.280000
So the first bit of information we're going to look for is the IP address

0:01:02.280000 --> 0:01:07.060000
of the actual website or the web server that's hosting that website, any

0:01:07.060000 --> 0:01:11.540000
directories that might be hidden from search engines, any names on the

0:01:11.540000 --> 0:01:16.000000
website, email addresses, phone numbers, physical addresses, anything

0:01:16.000000 --> 0:01:19.340000
that can give us a better understanding of our target.
0:01:19.340000 --> 0:01:23.840000
And of course, in the case of the website itself, the web technologies

0:01:23.840000 --> 0:01:25.820000
being used on the website.

0:01:25.820000 --> 0:01:28.700000
So we can actually get started with this.

0:01:28.700000 --> 0:01:31.600000
I'm just going to switch over to my Kali Linux virtual machine.

0:01:31.600000 --> 0:01:37.260000
As I said, this lab or this course will not really use a lot of, you know,

0:01:37.260000 --> 0:01:40.800000
a lot of lab environments, because we're doing this, especially in the

0:01:40.800000 --> 0:01:44.400000
case of passive information gathering, we're doing this on the internet.

0:01:44.400000 --> 0:01:47.960000
So I'm just going to switch over to my Kali VM, and we can actually get

0:01:47.960000 --> 0:01:50.260000
started. So give me a moment.

0:01:50.260000 --> 0:01:55.400000
All right, so I'm back on my Kali VM.

0:01:55.400000 --> 0:01:58.800000
And as you can see, I've just opened up Firefox here.

0:01:58.800000 --> 0:02:02.900000
And in this case, we're going to be utilizing my own website or my own

0:02:02.900000 --> 0:02:05.560000
blog, which is hackersploit.org.

0:02:05.560000 --> 0:02:08.080000
Right? So we'll just open this up.

0:02:08.080000 --> 0:02:12.120000
And this, for the sake of this video, this is going to be the actual target

0:02:12.120000 --> 0:02:16.580000
website that we're going to be performing passive reconnaissance on or

0:02:16.580000 --> 0:02:18.400000
passive information gathering on.

0:02:18.400000 --> 0:02:21.060000
So you can see this is the website here.

0:02:21.060000 --> 0:02:24.420000
This is a blog. It's not really a company website.

0:02:24.420000 --> 0:02:25.580000
But there we are.

0:02:25.580000 --> 0:02:30.040000
We can see that, you know, we, you know, it looks fairly simple enough.

0:02:30.040000 --> 0:02:32.980000
But we really don't know anything about this site.

0:02:32.980000 --> 0:02:36.680000
So what is our first order of business?
0:02:36.680000 --> 0:02:41.900000
Well, the first thing we can do is we can obtain the IP address of the

0:02:41.900000 --> 0:02:43.520000
website that's hosting this website.

0:02:43.520000 --> 0:02:46.980000
Now, in some cases, or in most cases, when you're dealing with production

0:02:46.980000 --> 0:02:52.980000
sites, the web, the website might be behind a proxy or a firewall, like

0:02:52.980000 --> 0:02:54.560000
Cloudflare or Sucuri.

0:02:54.560000 --> 0:02:58.180000
So in order to do this, just open up a terminal, and we're going to be

0:02:58.180000 --> 0:02:59.840000
utilizing the host command.

0:02:59.840000 --> 0:03:03.160000
Now, if you want to learn more about a command on Linux, you can always

0:03:03.160000 --> 0:03:06.140000
utilize the whatis command and then type the name of the command.

0:03:06.140000 --> 0:03:10.560000
So, in this case, the host command, you can see that this is a DNS lookup

0:03:10.560000 --> 0:03:16.820000
utility. Now, we'll be covering but for now, all we're doing is we're

0:03:16.820000 --> 0:03:20.720000
trying to resolve the domain name to an IP address, right?

0:03:20.720000 --> 0:03:24.980000
So whenever you open up your browser and you type in a website, the browser

0:03:24.980000 --> 0:03:28.540000
really doesn't know what to do with that information.

0:03:28.540000 --> 0:03:31.660000
And this is where DNS comes into place, right?
0:03:31.660000 --> 0:03:36.840000
So, whenever you type in a website into your browser, your browser says,

0:03:36.840000 --> 0:03:40.880000
okay, I have this website, I need to resolve it to an IP address, because

0:03:40.880000 --> 0:03:48.080000
that's really the only way I can communicate with that web server, because

0:03:48.080000 --> 0:03:52.640000
remember, on the internet systems are identified via their IP addresses

0:03:52.640000 --> 0:03:56.880000
and not via domain names. Domain names were essentially set up so that

0:03:56.880000 --> 0:03:59.540000
we don't have to remember IP addresses.

0:03:59.540000 --> 0:04:07.940000
Just imagine if you had to remember the IP address of every website you

0:04:07.940000 --> 0:04:13.160000
browse. Your browser will perform a lookup on your configured DNS server.

0:04:13.160000 --> 0:04:18.120000
And it'll tell it essentially, hey, I have this website, could you please

0:04:18.120000 --> 0:04:20.560000
tell me the IP address of this website?

0:04:20.560000 --> 0:04:24.940000
It'll look through and it'll say, okay, I have this website here or this

0:04:24.940000 --> 0:04:28.100000
domain, it is mapped to the following IP address.

0:04:28.100000 --> 0:04:31.480000
And here you go, here's the IP address. Your browser then sends a GET

0:04:31.480000 --> 0:04:35.960000
request and the server then responds and provides or sends back the website

0:04:35.960000 --> 0:04:39.020000
in HTML/CSS format.

0:04:39.020000 --> 0:04:40.960000
And your browser then renders it to you.

0:04:40.960000 --> 0:04:44.340000
And that happens within a couple of seconds, which is really cool.

0:04:44.340000 --> 0:04:48.860000
So I can type in host and hackersploit.org.

0:04:48.860000 --> 0:04:52.220000
And you can see that that will perform a DNS lookup.

0:04:52.220000 --> 0:04:57.800000
And in this case, it tells us that hackersploit.org has two addresses,

0:04:57.800000 --> 0:04:59.460000
which is a little bit strange.
0:04:59.460000 --> 0:05:04.740000
And the reason for that is because this website or my website, as it were,

0:05:04.740000 --> 0:05:08.680000
is behind Cloudflare, which is a firewall slash proxy.

0:05:08.680000 --> 0:05:11.840000
So it's not giving us one IP, which again can be quite confusing.

0:05:11.840000 --> 0:05:15.400000
So if you ever see that, just know from that point that you're dealing

0:05:15.400000 --> 0:05:17.200000
with some form of proxy.

0:05:17.200000 --> 0:05:22.540000
Now the host command also displays the IPv6 addresses for, you know, for

0:05:22.540000 --> 0:05:23.760000
that particular web server.

0:05:23.760000 --> 0:05:27.240000
And in this case, as I said, because it's going through Cloudflare, we

0:05:27.240000 --> 0:05:29.060000
have that there.

0:05:29.060000 --> 0:05:33.860000
We also get the actual, the actual mail server, and it provides us with

0:05:33.860000 --> 0:05:38.300000
the actual domain for that mail server. We'll be touching upon that as we

0:05:38.300000 --> 0:05:40.820000
proceed, or as we move along in this course.

0:05:40.820000 --> 0:05:45.600000
But there we are, we've identified, you know, the IP address of the actual

0:05:45.600000 --> 0:05:51.300000
target website. Now on the website itself, there's a bit of, there's a

0:05:51.300000 --> 0:05:54.760000
couple of other checks that we can perform with regards to identifying

0:05:54.760000 --> 0:05:58.420000
information. As I said, one of the important things is to try and see

0:05:58.420000 --> 0:06:01.980000
if we can identify any names or any email addresses.

0:06:01.980000 --> 0:06:05.000000
In this case, at the bottom, we can see that we have a Facebook link,

0:06:05.000000 --> 0:06:07.420000
a Twitter link, and a YouTube channel.

0:06:07.420000 --> 0:06:09.840000
Right. So, you know, that can be quite useful.
0:06:09.840000 --> 0:06:14.500000
However, when we talk about scouring a website or sort of, you know, looking

0:06:14.500000 --> 0:06:19.820000
for information on a website, the best place to start is the robots.txt

0:06:19.820000 --> 0:06:23.740000
file. Now, I'll explain what this file is used for in a second.

0:06:23.740000 --> 0:06:27.360000
But if we click on it, you can see that it is a, it's a, you know, a text

0:06:27.360000 --> 0:06:29.020000
file that contains a few entries.

0:06:29.020000 --> 0:06:35.140000
Now, when you have a website, it's pretty common that a search engine

0:06:35.140000 --> 0:06:37.580000
like Google or Bing or DuckDuckGo

0:06:37.580000 --> 0:06:39.620000
will crawl the website.

0:06:39.620000 --> 0:06:40.600000
What does crawling mean?

0:06:40.600000 --> 0:06:44.960000
It essentially scours the website and then it indexes it on google.com

0:06:44.960000 --> 0:06:48.960000
so that when someone, you know, when someone searches HackerSploit, that

0:06:48.960000 --> 0:06:50.120000
website is brought up.

0:06:50.120000 --> 0:06:55.840000
So, when search engines do this, they could potentially be revealing information

0:06:55.840000 --> 0:06:59.380000
that you do not want to be made public.

0:06:59.380000 --> 0:07:02.380000
And this is where the robots.txt file comes into place.

0:07:02.380000 --> 0:07:04.640000
Almost every website has it.

0:07:04.640000 --> 0:07:07.760000
If a website doesn't have it, then, you know, they're really doing something

0:07:07.760000 --> 0:07:13.540000
wrong, because it essentially allows you to specify what folders or what

0:07:13.540000 --> 0:07:16.980000
files you don't want search engines to index.

0:07:16.980000 --> 0:07:21.220000
So in this case, you can see that it specifies the, we have a Disallow

0:07:21.220000 --> 0:07:22.840000
rule here. All right.

0:07:22.840000 --> 0:07:23.840000
So what does that mean?
0:07:23.840000 --> 0:07:27.420000
It means that we're telling search engines, whenever you're crawling through

0:07:27.420000 --> 0:07:32.840000
this website, please disregard the following, the following directory.

0:07:32.840000 --> 0:07:36.640000
Now, in this case, the directory is wp-admin.

0:07:36.640000 --> 0:07:39.280000
Now, WP is in reference to WordPress.

0:07:39.280000 --> 0:07:43.260000
So we have already identified that this website is running WordPress.

0:07:43.260000 --> 0:07:49.320000
And why would you not want this folder or this directory leaked to or

0:07:49.320000 --> 0:07:51.600000
made available on Google?

0:07:51.600000 --> 0:07:55.760000
Well, that's because this is a restricted directory.

0:07:55.760000 --> 0:07:58.640000
This is the WordPress admin directory.

0:07:58.640000 --> 0:08:00.480000
And it's only restricted to administrators.

0:08:00.480000 --> 0:08:04.900000
And generally speaking, it's good security practice to prevent this from

0:08:04.900000 --> 0:08:09.100000
being indexed by a search engine like Google.

0:08:09.100000 --> 0:08:12.700000
Now, just by viewing this file, which is publicly accessible (it needs

0:08:12.700000 --> 0:08:16.640000
to be, so that Google can actually go through it and disallow the directories

0:08:16.640000 --> 0:08:21.160000
or the files that have been specified by the website administrator), we

0:08:21.160000 --> 0:08:24.820000
can identify that this website is running WordPress, because that directory

0:08:24.820000 --> 0:08:29.100000
tells us so. And we have a couple of other directories right over here

0:08:29.100000 --> 0:08:33.720000
that, you know, essentially are in reference to a specific WordPress plugin.

0:08:33.720000 --> 0:08:36.540000
So that's the first file.

0:08:36.540000 --> 0:08:41.060000
The second one that's very important is the sitemap.xml file.

0:08:41.060000 --> 0:08:43.720000
Right. So I'll type in sitemap.xml.
0:08:43.720000 --> 0:08:47.700000
Now this is typically called sitemap.xml or sitemaps.xml.

0:08:47.700000 --> 0:08:49.760000
So I'll just give this a couple of seconds.

0:08:49.760000 --> 0:08:53.400000
There we are. So what's a sitemap? A sitemap is essentially a file.

0:08:53.400000 --> 0:09:00.620000
It's typically XML that allows, essentially, is essentially used to provide

0:09:00.620000 --> 0:09:06.160000
search engines really with an organized way of indexing the website.

0:09:06.160000 --> 0:09:10.580000
So you can see, because this is a blog, there's a post sitemap, a page

0:09:10.580000 --> 0:09:13.680000
sitemap, a category sitemap and an author sitemap.

0:09:13.680000 --> 0:09:17.780000
So already from this, you can pretty much tell, you know, what type of

0:09:17.780000 --> 0:09:20.020000
information we can obtain.

0:09:20.020000 --> 0:09:25.220000
So if we wanted to view authors, and again, this, this is just used to

0:09:25.220000 --> 0:09:29.380000
tell search engines, you know, more about the website itself.

0:09:29.380000 --> 0:09:35.000000
So in this case, the site, the author sitemap tells Google, or any other

0:09:35.000000 --> 0:09:37.600000
search engine, about the authors on this blog.

0:09:37.600000 --> 0:09:41.320000
In this case, we can see that the blog has an author called HackerSploit.

0:09:41.320000 --> 0:09:43.580000
All right. That really doesn't tell us much.

0:09:43.580000 --> 0:09:46.980000
It doesn't give us any concrete names or email addresses.

0:09:46.980000 --> 0:09:57.140000
We then have the page sitemap, which will give us by a search engine

0:09:57.140000 --> 0:10:02.000000
like Google. So this is very useful because, you know, if a, if a particular

0:10:02.000000 --> 0:10:06.640000
page was not linked on the main website or the front end of a website,

0:10:06.640000 --> 0:10:10.620000
then this could tell us or provide us with an idea as to some of the other

0:10:10.620000 --> 0:10:15.800000
links or some of the other pages that can be accessed, you know, publicly.

0:10:15.800000 --> 0:10:18.660000
So, you know, we can see that we have all of these pages on the site.

0:10:18.660000 --> 0:10:20.800000
And of course, this really doesn't make any sense.

0:10:20.800000 --> 0:10:22.920000
As I said, this is my own personal blog.

0:10:22.920000 --> 0:10:25.240000
But you're starting to get an understanding.

0:10:25.240000 --> 0:10:28.580000
We then have the category sitemap, which again, in the case of a blog,

0:10:28.580000 --> 0:10:30.880000
just displays the list of categories.

0:10:30.880000 --> 0:10:34.420000
This is very, very useful when you're performing a penetration test on

0:10:34.420000 --> 0:10:35.440000
a WordPress website.

0:10:35.440000 --> 0:10:39.020000
Always look out for categories, because there could be some categories

0:10:39.020000 --> 0:10:41.680000
that are hidden on the front end.

0:10:41.680000 --> 0:10:45.320000
And then of course, we have the post sitemap, which just gives, you know,

0:10:45.320000 --> 0:10:50.200000
Google or search engines, you know, a list of posts on that particular

0:10:50.200000 --> 0:10:55.520000
website. So yeah, that is the robots.txt file and the sitemap file.

0:10:55.520000 --> 0:10:58.840000
Now, there's a couple of other really cool resources that I recommend

0:10:58.840000 --> 0:10:59.920000
taking a look at.

0:10:59.920000 --> 0:11:02.340000
I'm just going to zoom out here.

0:11:02.340000 --> 0:11:04.580000
And these are browser plugins.

0:11:04.580000 --> 0:11:06.380000
So I'm currently using Firefox.

0:11:06.380000 --> 0:11:10.000000
There are equivalents for Google Chrome or Chromium.
0:11:10.000000 --> 0:11:13.540000
So I'll just search for, I'll just perform a Google search for Mozilla

0:11:13.540000 --> 0:11:17.380000
add-ons, like so.

0:11:17.380000 --> 0:11:20.900000
And I'll just open up the add-ons page here.

0:11:20.900000 --> 0:11:27.020000
And the first one we're going to look for is an add-on called BuiltWith.

0:11:27.020000 --> 0:11:31.900000
This is a technology profiler that will essentially tell you what is running

0:11:31.900000 --> 0:11:36.240000
on that website, or what web technology or content management system is

0:11:36.240000 --> 0:11:37.180000
running on that website.

0:11:37.180000 --> 0:11:39.740000
So I'll just add it to Firefox here.

0:11:39.740000 --> 0:11:42.280000
There we are. Add that there.

0:11:42.280000 --> 0:11:47.180000
And we can head back over into my blog and I'll just refresh that there.

0:11:47.180000 --> 0:11:49.960000
And we'll give this a couple of seconds.

0:11:49.960000 --> 0:11:53.960000
There we go. And if we click on the BuiltWith icon here, you can see

0:11:53.960000 --> 0:11:58.320000
that it will give you essentially various categories, but it'll tell you

0:11:58.320000 --> 0:11:59.960000
what's running on this website.

0:11:59.960000 --> 0:12:02.440000
So let's take a look at the detailed view.

0:12:02.440000 --> 0:12:06.540000
So you can see that this website has Google Analytics, which means the

0:12:06.540000 --> 0:12:12.260000
analytics are being aggregated and analyzed on the Google Analytics dashboard.

0:12:12.260000 --> 0:12:18.480000
It also tells us that this site is using a few widgets like Yoast, MailChimp,

0:12:18.480000 --> 0:12:19.980000
WordPress plugins.

0:12:19.980000 --> 0:12:23.760000
So we can pretty much tell that the site is running WordPress.

0:12:23.760000 --> 0:12:26.680000
It's pretty self-explanatory by this point.
0:12:26.680000 --> 0:12:30.440000
So this is one of the really cool things about BuiltWith in the context

0:12:30.440000 --> 0:12:32.420000
of content management systems.

0:12:32.420000 --> 0:12:42.200000
It actually tells us what, if we take a look at some of the other information,

0:12:42.200000 --> 0:12:45.980000
we can see that these are the web technologies or web frameworks being

0:12:45.980000 --> 0:12:51.680000
used. So we can see that this website utilizes jQuery CDN, or Content Delivery

0:12:51.680000 --> 0:12:55.140000
Network. There's a YouTube plugin.

0:12:55.140000 --> 0:12:59.280000
Let's see what we have, what else we have here.

0:12:59.280000 --> 0:13:03.800000
These are the subdomains here, which I'll get to in a second.

0:13:03.800000 --> 0:13:05.860000
This is very, very important.

0:13:05.860000 --> 0:13:10.660000
But it essentially gives you a list of forums, or sorry, the list of subdomains

0:13:10.660000 --> 0:13:13.420000
associated with this particular domain.

0:13:13.420000 --> 0:13:17.560000
We'll get into subdomain enumeration later, but you can take a look at

0:13:17.560000 --> 0:13:20.880000
BuiltWith to learn more about a target site.

0:13:20.880000 --> 0:13:26.300000
We can also perform this on ine.com, just to have a different site to run

0:13:26.300000 --> 0:13:27.740000
this on as well.

0:13:27.740000 --> 0:13:30.240000
So I'll click on BuiltWith here.

0:13:30.240000 --> 0:13:35.660000
And if we take a look at the actual detailed tab here, you can see that

0:13:35.660000 --> 0:13:38.020000
my free lookups have ended.

0:13:38.020000 --> 0:13:39.820000
So no problem there.

0:13:39.820000 --> 0:13:41.400000
But we click on this here.

0:13:41.400000 --> 0:13:45.080000
You can see it just gives you an idea as to what technologies are being

0:13:45.080000 --> 0:13:47.500000
used on this site.

0:13:47.500000 --> 0:13:49.160000
Fairly simple to understand.
0:13:49.160000 --> 0:13:53.420000
So it just gives you a better idea as to what website you're dealing with.

0:13:53.420000 --> 0:13:56.520000
So yeah, that is how to use BuiltWith.

0:13:56.520000 --> 0:14:02.220000
There are a couple of other add-ons that you can use, one of which is,

0:14:02.220000 --> 0:14:06.420000
let me see if I can find it here, is Wappalyzer.

0:14:06.420000 --> 0:14:12.640000
Wappalyzer is also another web technology profiler.

0:14:12.640000 --> 0:14:15.400000
So as you can see, it identifies technologies on websites.

0:14:15.400000 --> 0:14:17.340000
So I'll just add that there.

0:14:17.340000 --> 0:14:19.900000
And we'll give that a couple of seconds.

0:14:19.900000 --> 0:14:27.660000
There we go. And we'll go back to my blog here.

0:14:27.660000 --> 0:14:29.960000
And I'll just click on that there.

0:14:29.960000 --> 0:14:32.760000
And you can see, I'll just click on OK.

0:14:32.760000 --> 0:14:37.440000
And in this case, it tells us that no technologies were generated or detected.

0:14:37.440000 --> 0:14:38.460000
That's really weird.

0:14:38.460000 --> 0:14:39.740000
So I'm just going to refresh that.

0:14:39.740000 --> 0:14:41.220000
Hopefully this works here.

0:14:41.220000 --> 0:14:43.900000
I think this requires me to actually sign in.

0:14:43.900000 --> 0:14:48.680000
But this does, in certain cases, display the web technologies being used.

0:14:48.680000 --> 0:14:52.200000
Either way, you can use BuiltWith or Wappalyzer.

0:14:52.200000 --> 0:14:57.620000
I personally prefer utilizing BuiltWith because it works quite a lot.

0:14:57.620000 --> 0:15:02.280000
And of course, you can also log in and sign up for a subscription.

0:15:02.280000 --> 0:15:07.940000
Another really, really cool utility that you can use to perform web technology

0:15:07.940000 --> 0:15:12.580000
footprinting for a particular website is the WhatWeb utility, so whatweb,

0:15:12.580000 --> 0:15:15.960000
which comes pre-packaged with Kali.
0:15:15.960000 --> 0:15:17.460000
So there we are.

0:15:17.460000 --> 0:15:19.720000
WhatWeb is fairly simple to use.

0:15:19.720000 --> 0:15:26.260000
We can, in this case, perform a stealthy scan.

0:15:26.260000 --> 0:15:28.360000
But it's very simple.

0:15:28.360000 --> 0:15:33.080000
We just type in whatweb and hackersploit.org, or the domain that you're

0:15:33.080000 --> 0:15:34.020000
trying to check.

0:15:34.020000 --> 0:15:36.540000
So I'll give this a couple of seconds.

0:15:36.540000 --> 0:15:42.660000
As you can see here, it's going to provide you with a somewhat comprehensive

0:15:42.660000 --> 0:15:47.420000
view of the actual web technologies on the site.

0:15:47.420000 --> 0:15:49.660000
So it's not going to display it very neatly.

0:15:49.660000 --> 0:15:52.680000
But I'll just go through this here.

0:15:52.680000 --> 0:15:56.400000
So you can see that there is a redirect, which is why it tells you 301

0:15:56.400000 --> 0:15:58.520000
Moved Permanently.

0:15:58.520000 --> 0:16:02.100000
The HTTP server is going through Cloudflare, then provides us with the

0:16:02.100000 --> 0:16:05.320000
IP. The redirect is completed because it's going through a proxy.

0:16:05.320000 --> 0:16:09.960000
Remember that. We then have the actual GET request here.

0:16:09.960000 --> 0:16:13.140000
So this was the redirect, because it's going through Cloudflare.

0:16:13.140000 --> 0:16:17.360000
So you can see that it's using jQuery, Modernizr.

0:16:17.360000 --> 0:16:18.760000
These are the web frameworks.

0:16:18.760000 --> 0:16:20.240000
And then of course, PHP.

0:16:20.240000 --> 0:16:21.100000
This is very important.

0:16:21.100000 --> 0:16:25.180000
It tells us the version of PHP that's running on the web server.

0:16:25.180000 --> 0:16:29.080000
And then of course, the script, in this case, that really isn't useful.

0:16:29.080000 --> 0:16:32.720000
It provides us with the actual site title.
0:16:32.720000 --> 0:16:34.980000
And then of course, the HTTP headers.

0:16:34.980000 --> 0:16:40.220000
So these are all the headers that are passed with each request or with

0:16:40.220000 --> 0:16:44.080000
each response, which may give you an idea as to what WordPress plugins are

0:16:44.080000 --> 0:16:48.280000
being used. And then of course, it tells us that it's running WordPress,

0:16:48.280000 --> 0:16:52.000000
and it's powered by PHP 7.4.29.

0:16:52.000000 --> 0:16:56.100000
So you can always utilize WhatWeb, because it's free.

0:16:56.100000 --> 0:17:00.480000
And if you don't want to go through, or if you don't utilize any of the

0:17:00.480000 --> 0:17:04.460000
built-in browser-based technology profilers, then you can always rely

0:17:04.460000 --> 0:17:09.400000
on WhatWeb. Now, the final technique that I'll be highlighting or covering

0:17:09.400000 --> 0:17:13.920000
here is the process of downloading an entire website.

0:17:13.920000 --> 0:17:15.420000
All right, so what does this mean?

0:17:15.420000 --> 0:17:18.360000
Well, let's say you're analyzing a website and maybe you want to analyze

0:17:18.360000 --> 0:17:23.120000
the source code of a website. You can actually download the entire website

0:17:23.120000 --> 0:17:29.620000
as is through the use of a tool called HTTrack, or H-T-Track.

0:17:29.620000 --> 0:17:31.280000
However you want to pronounce it.

0:17:31.280000 --> 0:17:33.900000
So you can see it's called a website copier.

0:17:33.900000 --> 0:17:36.340000
This is fairly simple to understand.

0:17:36.340000 --> 0:17:42.340000
It allows you to download a website from the internet to a local directory,

0:17:42.340000 --> 0:17:46.560000
building recursively all the directories, getting HTML, images and other

0:17:46.560000 --> 0:17:49.480000
files from the server onto your computer.
0:17:49.480000 --> 0:17:53.700000
This works on both Windows and Linux, and you can install it on Linux

0:17:53.700000 --> 0:18:03.360000
by installing the actual webhttrack command, or installing the webhttrack

0:18:03.360000 --> 0:18:10.980000
package. So sudo apt-get install webhttrack.

0:18:10.980000 --> 0:18:13.180000
I believe I already have it installed.

0:18:13.180000 --> 0:18:15.960000
I'll just provide my password for the Kali user.

0:18:15.960000 --> 0:18:19.220000
And if I open up my start menu here, I can just search for it.

0:18:19.220000 --> 0:18:22.880000
So WebHTTrack Website Copier.

0:18:22.880000 --> 0:18:24.560000
And I'll just open this up.

0:18:24.560000 --> 0:18:26.660000
This will open up the web instance.

0:18:26.660000 --> 0:18:30.620000
So it's going to start the server on port 8080 on your localhost, or on

0:18:30.620000 --> 0:18:32.380000
your Kali Linux system.

0:18:32.380000 --> 0:18:34.760000
My language preference is English.

0:18:34.760000 --> 0:18:39.600000
And then next, you can specify an existing project name.

0:18:39.600000 --> 0:18:43.980000
Or in this case, we can, I can just type in hackersploit, although I may

0:18:43.980000 --> 0:18:45.960000
want to run this on another website.

0:18:45.960000 --> 0:18:49.640000
But you know, we'll just do it on hackersploit here.

0:18:49.640000 --> 0:18:53.940000
Project category, we don't have one. We can save this under /home/kali/websites.

0:18:53.940000 --> 0:18:57.220000
That's perfectly fine.

0:18:57.220000 --> 0:19:01.660000
And then next, we can download the website, we can also get individual

0:19:01.660000 --> 0:19:05.300000
files, download all the sites in pages.

0:19:05.300000 --> 0:19:08.840000
Or you know, we can just go for the default, which is download the website.

0:19:08.840000 --> 0:19:10.180000
So we can add the URL.

0:19:10.180000 --> 0:19:13.680000
So hackersploit.org.
0:19:13.680000 --> 0:19:17.340000
If there is authentication, you can provide a username and password.

0:19:17.340000 --> 0:19:19.140000
So I'll just hit OK.

0:19:19.140000 --> 0:19:22.240000
Or you can also specify a list of URLs

0:19:22.240000 --> 0:19:26.340000
if you want to download multiple websites, and hit next.

0:19:26.340000 --> 0:19:30.080000
And in this case, we can hit start.

0:19:30.080000 --> 0:19:32.820000
All right, so it's going to begin downloading the website.

0:19:32.820000 --> 0:19:37.220000
Now, in my case, you can see that in this case, it failed.

0:19:37.220000 --> 0:19:41.860000
And of course, I knew that it was going to fail because, or maybe it didn't

0:19:41.860000 --> 0:19:44.860000
fail. We can actually check the directory, because I'm not sure whether

0:19:44.860000 --> 0:19:46.500000
the proxy would allow that.

0:19:46.500000 --> 0:19:49.860000
So if I click on websites, you can see we have hackersploit.org.

0:19:49.860000 --> 0:19:54.440000
If we click on that there, yeah, it doesn't look like it saved it or

0:19:54.440000 --> 0:19:56.820000
it downloaded it successfully.

0:19:56.820000 --> 0:20:00.320000
Just trying to see if I have a website that we can actually perform this

0:20:00.320000 --> 0:20:03.040000
on. Although we really don't need to go into that.

0:20:03.040000 --> 0:20:06.600000
This can be very useful if you're trying to analyze the source code of

0:20:06.600000 --> 0:20:09.480000
a website to learn more about the website, you know, whether you're trying

0:20:09.480000 --> 0:20:13.380000
to identify vulnerabilities or you're trying to get an understanding of

0:20:13.380000 --> 0:20:15.740000
the actual structure of the website.

0:20:15.740000 --> 0:20:19.760000
So that is going to conclude the practical demonstration side of this