[00:00:00 --> 00:01:37] Welcome to part two of this module. Well, we're finally here. I've made mention of CeWL several times in the modules that were leading up to this one, and now it's time to take a look at it. CeWL is located in Applications > Password Attacks, and it's right at the top of the list. It can also be brought up in the terminal window by typing cewl --help. CeWL is a custom word list generator. It falls into the category of password cracking tools in Kali Linux. First off, you might be wondering what exactly it is. In its basic definition, it is a program that you can use to generate a custom word list based on a target website. You can give it a URL and allow it to spider the site; it will extract unique words and arrange them into a text file that you can use for brute force cracking. So why would you want to create a custom list in this way? Well, when it comes to creating passwords, most people, most of the time, are just not that creative. The average user is not going to use a 20-plus character passphrase, and so the passwords that they do pick tend to be very predictable. People go with something that is easy to remember rather than something that is properly secure.
[00:01:37 --> 00:03:20] We've seen this with large-scale data breaches that have happened in the last few years, such as the Ashley Madison hack, where entire lists of usernames and passwords were dumped on the Internet. The passwords people were using were just not very strong at all: things like, for example, password123, or the name of the company that they worked for, and then they thought to make this secure by doing something like adding a number at the end of the word. For instance, if their password was Raiders, because that happened to be their favorite football team, they might go with Raiders123, thinking that the inclusion of numbers on the end would make them unhackable. But in the modern age of password hacking, those passwords are going to get cracked in no time at all. So for a penetration tester, creating a custom word list for the company that you are targeting as part of a sanctioned pen test can potentially yield you a lot of legitimate passwords. Once you've generated this list with CeWL, you can go back and do some manual recon and add some custom words to your list, viewing people's profiles on social media services like Facebook, Twitter, LinkedIn, etc., where people post almost every single aspect of their lives. You can learn a lot about a person just by going through those pages that they set up and building lists out of them. Think of it like this.
[00:03:21 --> 00:05:06] Let's say you're doing a pen test and you want to target the account of the company's chief executive officer. The probability is pretty high that you can use a dictionary-style attack to get their password, just basing it off of their Facebook page. So you pull up the CEO's Facebook page; you can see things like what their hobbies are, their kids' names, their birthdays, anniversaries and things of that nature. And more often than not, someone working at a company uses the company name in their password in some form or another. They may do things like the company name, or add a 1 or a 0 at the end of it, or an asterisk or something like that. Using these custom word lists gives you a better chance of success at gaining access to their account over some of the default lists that are out there. You can also combine the lists you create using this tool with other lists you have created using other methods and tools, as well as with full-sized, dictionary-length word lists that you might download off the Internet or those that come prepackaged with Kali Linux. The long and short of it is: these methods allow you to tailor your brute force attack based on what you can learn about your target through open source intelligence and reconnaissance. In this video we won't be covering every detail about how password cracking works, since each module is intended to be standalone for the tool that is being discussed.
[00:05:06 --> 00:06:37] However, if you have been following along with these modules in order, you will have already seen several examples of word lists being used for brute forcing, and there will doubtless be more examples as we go along. So let's go ahead and take a look at some of the options that are available. For demonstration purposes we'll use a second terminal window for carrying out our word list creation and leave the first to serve as a list of available options. There aren't a lot of options to go over, but what options are available are actually quite useful in helping you to create custom lists. As we work through them, one of the things that you're going to notice is that some of these options are meant to be used in conjunction with other options. They aren't necessarily arranged that way, so over the course of this tutorial we'll be grouping them together, which means we aren't necessarily going to be going through them from top to bottom. It's basically going to be broken down by the function of each option and how they work together. So let's start with some basic usage of the tool. You can run CeWL without specifying any options; in this case you'd simply supply it with a target. It is at this point that I am required to give a word of caution, however: the use of this tool falls into a certain gray area in terms of its legality.
[00:06:37 --> 00:08:05] The information CeWL collects is really, effectively, open source, which is to say it is gathering words off websites and assembling them into lists. That is something you could do by hand if you really wanted to, and I'm not personally aware of any law against it. That being said, I'm not a lawyer and I'm not familiar with the laws in every country and jurisdiction. So for that reason I'm going to tell you to only use this tool against a website or a target that you either own or have express written permission to conduct your penetration test against. And remember that while gathering word lists and creating word lists off a website may be legal in your country or jurisdiction, using them to brute force passwords is pretty much universally against the law. If you do decide to run this tool, please make certain that you are acting within the limits of all applicable laws, and if you aren't sure, don't run it. So with that out of the way, I'm going to be running CeWL against Metasploitable, a virtual machine that I have running on the network. So we're going to run it in the simplest possible way to start out with. You use the other window by typing cewl and supplying it with the target. This would be a website, but since it's on the network I'll just be using the IP address.
[00:08:08 --> 00:09:56] If we just type it in and hit Enter with no options and give it just a few minutes, it's going to come back with a list of words from that website. There are several web applications that come prepackaged with Metasploitable. The larger the website, the longer this process will take. CeWL is a Ruby app, and I think perhaps I need to update my Ruby libraries, which is why we're getting this message, but it should still work. That being said, I'm going to make a small cut to the recording here to save time, as this will most probably take a few minutes to complete. Alright, as you can see, it went through the site and there are a lot of unique words that it discovered. It's actually quite a long list. This is what it looks like when you run the tool just by itself, without any specific options being specified. One thing to point out here is that since we ran it with no options being specified, all we're getting is output in the terminal window. This doesn't actually save anything that we can go back and work with later. In order to save results, we're going to need to use the -w switch, and that lets you specify a file to write your output to. Unless you specify otherwise, which we'll get to in a minute, the file will be saved to the directory you're in, which in this case is a folder called cewl which I created for this test.
[00:09:56 --> 00:11:52] I'll name the file after the target, which in this case is metasploitable. So: cewl -w metasploitable for our file name, then the target IP address, and press Enter. I really do need to update those Ruby libraries. So I'll let this run again and make another small cut to the recording here. And we're done. There's nothing to indicate that the tool has finished collecting words except that we once again have a command prompt. So if we do ls we can see that a file called metasploitable has been created in our default folder. So we're going to go ahead and we're going to cat the file, and there, there you have it. If you're doing a pen test I do recommend that you create the folder based on the name of your target, so that you stay organized and know where to find all the files relevant to what you're doing. Here we see that the file we created contains the same data that we got when we ran CeWL the first time. We can also quickly find out what the word count was: if we do wc -l metasploitable, about 5,164 words in total were found off that website, all unique words I should add. So let's take a look at what some of the options are for spidering a site. The first option we'll look at is the -c option. Basically all this does is show you the number of times each word is found on a particular website. Let's take a look at it here.
[00:11:58 --> 00:13:33] We hit Enter, and one thing to keep in mind: depending on the size of the website you're going against, this process can take some time to run. Generally speaking, for those 5,164 words this process is taking about three minutes, but larger websites will definitely take much longer, and that can be even longer if you expand the spidering process to include hyperlinks and subsidiary sites that are only nominally connected to your target. We'll speak about that in a moment. For now I'm going to make another brief cut. With the process now finished, we can see that each of the words in the display has a number next to it. If we scroll up, we can see that the numbers increase. This is telling you the number of times a particular word was found: 1,226; injection, 573; Mutillidae, 392; etc. The benefit of doing this is to help you to tweak your word list to narrow it down and focus it more keenly on your target. When you're looking at password cracking, you're probably not going to want to include words like "the" or "and" or "for"; you can use this to cut those out of your list.
[00:13:34 --> 00:15:13] But if we see other words that are found frequently on the site, there may be a good chance that a lazy user will have used that word in some form or fashion as part of their password for that site. Generally speaking, the higher the number count and the larger the user base of a particular site, the higher the chance that you'll get lucky and grab at least some passwords. Now the next option we're going to be looking at is the -d option. This controls the spidering depth. By default, if you don't use this option, CeWL is going to only spider two pages deep into the website. With -d you can specify a higher number, but as I said, depending on the size of the site, this is going to dramatically affect how long the spidering process will take. Also keep in mind that increasing the spidering depth is going to increase the amount of traffic to that target website. The next one that goes along with this is the -o switch. This tells CeWL that it can visit sites that are linked outside of your target domain. For example, with the Metasploitable site, if there is a hyperlink that goes to, say, yahoo.com, then what is going to happen is, if you use the -o option, CeWL is not only going to spider the target but it's also going to spider the Yahoo site as well. Once again, this is going to get you into a gray area legally.
[00:15:13 --> 00:16:27] If the tool is following links to other sites outside of the approved scope of your penetration test, you run a potential risk of breaking the law. Once again, this information that CeWL collects is only what is normally available to anyone who views the page in a normal way, but it's somewhat self-defeating to the ultimate purpose of CeWL, which is to tailor your efforts against one particular target. While there is a certain degree of likelihood that a user is going to select a password, or even a username, based on something related to the website that you're spidering, it doesn't necessarily follow, or seem very likely, that a nominally related site would be used. What you'd end up with is a list of words that don't relate to your target at all, and that is only going to slow down the brute forcing process by cluttering up your word list. For these reasons I don't recommend using -o at all, but it is your option, again with the aforementioned warning to always make sure that you're using it in a manner consistent with the law. And if you do wish to create larger word lists,
[00:16:27 --> 00:17:59] My suggestion would be to use CeWL against your target, omit the -o option entirely, and then combine the word list you create using CeWL with a proper full-length word list, such as the ones that come prepackaged with Kali or that you download off the Internet. In this way you achieve a balance of efficiency and size, and you're less likely to end up with a lot of duplicate words. The next option that kind of goes along with this group of options is the -m switch. This lets you specify a minimum word length. The default is three; as you saw when we did the other scan, words like "and" or "the" or "for" showed up in our list. Now, if you happen to know the password policy of your target, you might know that the policy calls for a minimum number of characters. If the password has to be eight characters long, for example, any words below eight characters would be useless, and that would just clutter up your list and waste time. Of course, this is assuming that the user didn't take a word that is shorter than the minimum number of characters and then increase the length by adding in numbers or something. In any event, with the -m switch you can set a limit on how many characters long the words are that are returned by the spidering process.
[00:17:59 --> 00:19:26] It may or may not be a good idea, but the option is there and it's worth remembering. The next group of options is going to allow us to scan for metadata contained within a site. CeWL will actually download certain types of data from a target website and then use exiftool to extract metadata out of them. Then these extra words can be added to your word list if you want them to be. In other words, CeWL will download things like documents, PDFs, PowerPoint files, ledgers, just to name a few. There are several file extension types that it will download and then try to extract metadata out of. So in conjunction with the -a switch, you can tell CeWL to keep these downloaded files. You may want to keep those files for future reference, such as, for example, if you were doing more reconnaissance against the target; there might be something in those documents that would help you gain a foothold. Either way, to save this data, by default CeWL will store these files in the /tmp directory, but you can use the --meta-temp-dir option to specify another directory you want to save the files to.
[00:19:26 --> 00:21:40] So basically it would look like this: cewl --meta-temp-dir, and we'll put it into the cewl folder, then -a --meta_file metasploitable.txt, then the target IP address. So we specified the directory to save these files, we're going to use the -a option so that it processes the metadata, and we'll also use the --meta_file option to give the file a specific name. In this case let's just call it metasploitable.txt. I confess I haven't actually looked to see if the various vulnerable web apps that come preinstalled on Metasploitable have any document or PDF type files for CeWL to analyze, so I guess we'll just have to find out as we go. Even if it doesn't produce a result, this is how you would use the tool in cases where documents are present. Alright, so it's finished. After a little bit of spam, which I cleared between sessions, let's have a look at what came up, if anything. So you can see that it actually created a file, cewl_temp.pdf, and exiftool will use any files created and it will extract any metadata. Any documents or whatnot from the site will be stored in the default folder, as you can see. Looking at the metadata could also be helpful because a lot of times, particularly with Word documents or PDFs, they will contain things like author's name, email addresses, and sometimes you can even find internal directory structures or things of that nature.
[00:21:40 --> 00:23:25] So it's always a good idea to check the metadata whenever possible. These next couple of options pertain to how CeWL connects to a website. The first grouping that we're going to be looking at are the authentication options, right down here. It may be that your target requires either HTTP digest or basic authentication before you can actually access the site. CeWL gives you the ability to specify those options here. So if we just use --auth_type, you can specify which of these two you wish to use; the username and password required can also be specified if you know them. Currently CeWL only supports digest and basic, but look for future versions that will expand on these options. The next group is for proxy access. I think these are pretty self-explanatory, but I'll just quickly go over them here. If you have to go through a proxy to get to your target, you can specify the proxy host, whether it's a proxy name or IP address, the port the proxy is on, and the username and password, if one is required for that proxy. The next option that is nominally grouped with these is -u, for user agent. This will allow you to specify your own user agent to use when CeWL performs its spidering processes. One reason you might want to do this would be if your target has an IPS or WAF set up.
[00:23:25 --> 00:25:05] Maybe the user agent that CeWL sends could be flagged by some of those and trigger some kind of alert. The solution might be to specify a user agent that is common, such as, for example, the Mozilla strings. Then it will let you bypass any WAF rules that might be in place and mitigate any suspicious-looking activity. Here on user agents dot org you can find all of the user agent strings. It really is as easy as just copying and pasting the one you want after the switch. If you look down the list, you can see that there are tons of different user agent strings that you can use at your leisure. Up to this point, the options that we've looked at have been focused on generating a list to use with a password cracker. CeWL also gives us the option to gather possible usernames from a target website. It does this in the form of any email addresses that are contained, and there are a couple of switches that you can use to extract the email addresses from the website itself. There is the -e option, and that basically tells CeWL to include any email address it finds while it's spidering. Then there is the --email_file option, which generates a file to save those email addresses in. So going back to our example, this is what that would look like: cewl
[00:25:05 --> 00:26:52] -e --email_file, and I'm going to call this one something else: metasploitable_emails. And then we supply our target and we press Enter. CeWL should now generate a list of any emails contained within the HTML of the target site. These will be placed into a file in our default directory. It does this by looking at any of the mailto tags that are contained within the HTML code itself. Because I neglected to specify the -w switch, the passwords that would have been put into a file were not written. However, the usernames hopefully were, so we'll type ls and we can see that metasploitable_emails was created. I don't know if there are going to be any emails in this file; I haven't actually tried to gather any email addresses from the Metasploitable machine using CeWL before, so this will be interesting. So we'll cat the file. Alright, we did pull some emails. They're not very good emails; they're obviously just for demonstration purposes, but these could be used for usernames, and obviously if you are looking at a real website, chances are you would be able to pull a great many more emails than this, and you could use these extra email addresses and create a custom username list for your brute forcing attacks. And that pretty much covers CeWL. This is a really fun tool.
[00:26:52 --> 00:28:20] It's really simple to use; it doesn't have a lot of options, as I said at the beginning of the introduction, but the options that it does have are very useful and flexible. So by using this tool to create your own custom word lists, it should greatly improve your odds of brute forcing a target within a timely manner, and that is a big consideration during any penetration test. Remember that if you're using a full-length dictionary file, every word from A to Z, then it's going to take a very, very long time to try all possible combinations. It may take days, it may take weeks, it may take months. It's probably an exaggeration, but you get the idea. The point is it will take far too long, and that is time that the connection to the target has to be maintained, at least in the case of online attacks, and it's potentially time in which the system administrator that you're trying to test might detect your presence. So again, this tool is a useful way to go about making your brute forcing process more efficient. I hope this tutorial was helpful to you and that you find CeWL to be as useful and as fun to use as I've always found it. Thank you.
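As an added example that is not part of the video and not CeWL's own code, the Python below reproduces on a constructed HTML page (embedded inline instead of a live site, so nothing is fetched or spidered) the three things the tutorial uses CeWL for: a frequency-counted word list with a minimum word length (the -c and -m behaviour), mailto-based email harvesting (-e), and, going beyond the video from the defender's side, a check that a candidate password such as Raiders123 does not embed a site-derived word, which is how a password policy would block the pattern described above. All names, the sample page and the acme.example addresses are constructed for this example.

```python
"""Word-list analysis in the spirit of CeWL, run on a constructed HTML sample.

Added example, not CeWL's code. There is no network access and no spidering:
the functions work on HTML text handed to them, so the -d/-o behaviour of the
real tool is out of scope here.
"""
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page standing in for the Metasploitable intranet.
SAMPLE_HTML = """<html><head><title>Acme Intranet</title>
<script>var the = 1; the = the + 1;</script></head>
<body>
<h1>Welcome to the Acme intranet</h1>
<p>The Acme Raiders won the injection league and the Acme newsletter is posted here.
Contact <a href="mailto:webmaster@acme.example">the webmaster</a> or
<a href="mailto:Alice.Jones@acme.example?subject=Login">Alice</a>.</p>
</body></html>
"""

WORD_RE = re.compile(r"[A-Za-z]+")


class _TextAndMailto(HTMLParser):
    """Collects visible text (skipping script/style) and mailto: addresses."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self.emails = set()
        self._skip = 0  # nesting depth inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value and value.lower().startswith("mailto:"):
                    # Drop any ?subject=... part and normalise case.
                    self.emails.add(value[len("mailto:"):].split("?")[0].lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def word_counts(html, min_length=3):
    """Counterpart of `cewl -c -m N`: case-preserving word -> occurrences,
    keeping only words of at least min_length letters. Also returns the
    mailto addresses found (what -e / --email_file would write)."""
    parser = _TextAndMailto()
    parser.feed(html)
    words = WORD_RE.findall(" ".join(parser.chunks))
    counts = Counter(w for w in words if len(w) >= min_length)
    return counts, parser.emails


def wordlist(counts, min_count=1, stopwords=frozenset()):
    """Most frequent first, like reading the -c output from the top, with the
    noise words the video mentions ('the', 'and', 'for') filtered out."""
    return [w for w, n in counts.most_common()
            if n >= min_count and w.lower() not in stopwords]


def site_word_in_password(password, counts, min_length=4):
    """Defender-side check: return the longest site word (case-insensitively)
    embedded in the password, or None. Catches the 'Raiders123' / 'Acme2024!'
    pattern described in the video. Words shorter than min_length are ignored
    so that 'the' or 'and' do not cause false positives."""
    haystack = password.lower()
    hits = sorted({w.lower() for w in counts
                   if len(w) >= min_length and w.lower() in haystack},
                  key=lambda w: (-len(w), w))
    return hits[0] if hits else None


if __name__ == "__main__":
    counts, emails = word_counts(SAMPLE_HTML)
    for word, n in counts.most_common():
        print(f"{n} {word}")  # same shape as `cewl -c` output
    print("emails:", sorted(emails))
    for candidate in ("Raiders123", "Acme2024!", "correct horse battery"):
        print(candidate, "->", site_word_in_password(candidate, counts))
```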