1 00:00:08,350 --> 00:00:14,730 All right, so now that we've got our lists and stuff, we're going to install amass. That's pronounced a-mass,
2 00:00:14,920 --> 00:00:15,930 not a-mouse.
3 00:00:16,360 --> 00:00:16,720 All right.
4 00:00:16,720 --> 00:00:17,950 So I just want to get that straight.
5 00:00:18,280 --> 00:00:23,560 So this is the quintessential domain and asset discovery tool.
6 00:00:24,050 --> 00:00:30,660 It's maintained by OWASP and it is indisputably the king of asset discovery.
7 00:00:31,210 --> 00:00:31,580 Right.
8 00:00:31,870 --> 00:00:36,340 There's a lot of money and time and resources behind this project.
9 00:00:37,090 --> 00:00:42,190 It's just fascinating stuff. I know its closest competitor is probably Subfinder, which is managed
10 00:00:42,190 --> 00:00:43,720 now by Project Discovery.
11 00:00:44,440 --> 00:00:47,290 So we're going to get into this tool.
12 00:00:47,870 --> 00:00:53,130 You can see that there actually is a GitHub page and you could read through this and, you know, try
13 00:00:53,130 --> 00:00:56,800 to clone the repo, but you don't have to because it's included in Kali's apt.
14 00:00:57,290 --> 00:01:05,260 And so before we actually jump into this, I also want you to see that this is an OWASP flagship project.
15 00:01:05,530 --> 00:01:05,860 Right.
16 00:01:05,870 --> 00:01:11,500 So this tool has brought a lot of value to the security community: bug bounty hunters,
17 00:01:11,500 --> 00:01:11,680 red
18 00:01:11,680 --> 00:01:15,100 teamers, penetration testers and researchers alike.
19 00:01:15,700 --> 00:01:18,720 So let's get into this suburban Africa one.
20 00:01:19,150 --> 00:01:23,620 You'll see that PayPal has a bug bounty program which was launched in August of 2018.
21 00:01:24,980 --> 00:01:26,720 And if you scroll down to the bottom.
22 00:01:28,980 --> 00:01:37,230 And you look at scope, you'll see that *.paypal.com is in scope and they pay out for critical
23 00:01:37,230 --> 00:01:38,970 vulnerabilities and it's eligible for bounty.
24 00:01:39,870 --> 00:01:41,960 So what we're going to do is check that out.
25 00:01:41,970 --> 00:01:42,270 Right.
26 00:01:42,630 --> 00:01:44,490 So first we can run amass.
27 00:01:46,750 --> 00:01:48,490 And then hit Control-A.
28 00:01:49,850 --> 00:01:59,440 And I'm just going to change this bottom window and the top window up so that I can read the syntax of
29 00:01:59,450 --> 00:02:01,550 one zero unless, you know.
30 00:02:03,640 --> 00:02:11,280 You can see that we did have options, so if we just run it like that, usually what happens, amass
31 00:02:11,830 --> 00:02:12,550 -h.
32 00:02:17,540 --> 00:02:19,120 And now we have several options, right?
33 00:02:21,040 --> 00:02:27,630 We're going to do -brute to execute brute forcing after it searches the intelligence feeds it has.
34 00:02:28,630 --> 00:02:35,270 Then we're going to give it a domain name, -d, the meaning values separated by commas, but we're
35 00:02:35,270 --> 00:02:37,390 only going to give it one domain: paypal.com.
36 00:02:38,580 --> 00:02:39,480 And then, of course.
37 00:02:40,540 --> 00:02:44,850 If we go down a little bit further, you'll see we can add -src, which will do so
38 00:02:44,860 --> 00:02:47,470 you can see the source of the discovered name; you'll see where it came from.
39 00:02:48,980 --> 00:02:52,460 And then lastly, we'll put in the word list. If you don't put in the word list, it uses its
40 00:02:52,460 --> 00:02:53,300 built-in word list.
41 00:02:53,690 --> 00:02:56,270 But we want to use all.txt because it's the most robust.
42 00:02:57,030 --> 00:02:57,230 Right.
43 00:02:57,420 --> 00:02:58,160 We can go down here.
44 00:03:01,150 --> 00:03:07,990 And then we can just put in, as I say, a couple of things: when you run amass, you want to run
45 00:03:07,990 --> 00:03:08,560 it with zero.
46 00:03:09,340 --> 00:03:11,050 If not, it could crash.
47 00:03:11,410 --> 00:03:12,770 That's what happened to me multiple times.
48 00:03:13,480 --> 00:03:20,010 Number two, you could, holding down Control, press the right arrow to tack on
49 00:03:20,020 --> 00:03:21,430 Oh, indeed.
50 00:03:21,430 --> 00:03:27,750 Something like paypal.com.amass, which outputs the results to a file when it's done.
51 00:03:28,390 --> 00:03:31,900 And number three, the next thing that's important: when you're running amass, you're not going
52 00:03:31,900 --> 00:03:34,850 to see output right away, which is going to look like nothing's happening.
53 00:03:35,500 --> 00:03:36,370 Trust me, it is.
54 00:03:36,970 --> 00:03:43,060 What I like to do is I run amass and then I let it work in the background while I then interactively,
55 00:03:43,450 --> 00:03:45,220 you know, explore the web asset.
56 00:03:45,490 --> 00:03:48,190 So I might have Spider running while I click through the different pages.
57 00:03:48,190 --> 00:03:52,630 I try to log in, to create an account, you know, look for cross-site scripting vulnerabilities and that sort
58 00:03:52,630 --> 00:03:52,990 of thing.
59 00:03:53,610 --> 00:03:56,020 So you don't want to just stare at amass while it's running.
60 00:03:56,020 --> 00:03:58,660 You want to let it run in the background and come back once it finishes.
61 00:04:05,950 --> 00:04:08,410 So we will let this run and then we'll come back once it's done.
62 00:04:09,190 --> 00:04:10,450 All right, so here's the results.
63 00:04:10,450 --> 00:04:11,560 You can see what we have here.
64 00:04:12,070 --> 00:04:14,680 We ran the enumeration and the brute.
65 00:04:14,960 --> 00:04:17,080 Now, if we go back here.
66 00:04:20,160 --> 00:04:28,200 You can see there are other modules besides enum: it writes everything to a database, and you
67 00:04:28,200 --> 00:04:33,630 can then explore the relationships between different domains using visualization that's built into amass,
68 00:04:34,320 --> 00:04:38,500 and you can even track the differences between your campaigns.
69 00:04:38,970 --> 00:04:44,490 And so let's say the first time you enumerate paypal.com and you get a certain number of subdomains,
70 00:04:44,880 --> 00:04:51,060 two weeks pass, and the second time you get a different set of subdomains, including some things that were
71 00:04:51,060 --> 00:04:51,730 in the first run.
72 00:04:52,140 --> 00:04:56,610 Well, the track will show you the differences and then you can just focus on those because that could
73 00:04:56,610 --> 00:04:58,020 be new infrastructure that was set up.
74 00:04:58,380 --> 00:05:01,080 And it's possible that there are fewer security controls around those.
75 00:05:01,260 --> 00:05:02,670 You might find bugs there.
76 00:05:03,570 --> 00:05:05,880 So over here is pretty cool.
77 00:05:05,910 --> 00:05:07,520 So it shows you the source.
78 00:05:07,860 --> 00:05:09,720 You can see we've got overflow.
79 00:05:10,230 --> 00:05:11,010 That's a source.
80 00:05:11,520 --> 00:05:12,460 We've got all these subdomains.
81 00:05:12,460 --> 00:05:18,870 And the nice thing about amass is that when it finds a subdomain like, for example, galbi, it'll then
82 00:05:18,870 --> 00:05:25,380 run galbi.paypal.com back through amass, through all the intelligence feeds, and if it finds
83 00:05:25,380 --> 00:05:26,180 another subdomain.
84 00:05:26,460 --> 00:05:29,200 It just keeps doing this until it exhausts itself.
85 00:05:29,970 --> 00:05:33,150 So it's very, very robust, and you can see how powerful this can be.
86 00:05:33,150 --> 00:05:33,410 Right.
87 00:05:33,570 --> 00:05:34,530 Look at all the subdomains.
88 00:05:35,560 --> 00:05:42,520 A lot of them are staging, you know, development servers. If you get down to the bottom,
89 00:05:42,520 --> 00:05:48,640 it actually shows you the breakdown by autonomous system number so you can get an idea of where their IP
90 00:05:48,640 --> 00:05:49,730 space resides.
91 00:05:50,320 --> 00:05:52,000 You can see they've got some cloud assets.
92 00:05:52,470 --> 00:05:55,770 Amazon. Scroll down even further.
93 00:05:55,780 --> 00:05:57,820 You can see they're using Akamai.
94 00:06:00,600 --> 00:06:05,580 They're using DDoS protection by Akamai or Amazon, some Microsoft Azure stuff.
95 00:06:06,810 --> 00:06:08,440 So this is really, really, really good.
96 00:06:08,470 --> 00:06:11,900 So let's say you want to actually save this content.
97 00:06:11,910 --> 00:06:14,790 How would you do that if you didn't use the -o output?
98 00:06:15,570 --> 00:06:16,170 What you could do:
99 00:06:16,290 --> 00:06:17,100 let's go to the top.
100 00:06:18,240 --> 00:06:19,740 This is an advanced tmux feature.
101 00:06:19,920 --> 00:06:21,900 OK, let's pay attention here.
102 00:06:23,370 --> 00:06:29,790 What I can do is I can go here and I can type Control-A bracket.
103 00:06:31,380 --> 00:06:33,070 Then I press
104 00:06:34,700 --> 00:06:35,570 Control-Space.
105 00:06:36,320 --> 00:06:42,770 Now, I can select all this and just press page down, I get everything I want, then what I can
106 00:06:42,770 --> 00:06:43,010 do.
107 00:06:50,780 --> 00:06:54,860 So now we've got everything here and we're going to do escape ships
108 00:06:58,070 --> 00:07:06,230 and we can take a look at this file and we can do some magic on it, so we can say, OK, we'll use this
109 00:07:06,230 --> 00:07:07,490 right bracket as a delimiter.
110 00:07:10,850 --> 00:07:13,280 And then we'll just print the second field.
111 00:07:14,550 --> 00:07:24,210 Like so, we can have a rough list of domains. Then we can do like sed: it starts with one or more.
112 00:07:25,270 --> 00:07:29,200 There are more spaces into the space right here, so it starts with zero or more spaces.
113 00:07:29,350 --> 00:07:33,010 This is the start-with character, and replace that with nothing.
114 00:07:35,370 --> 00:07:36,600 He didn't need the techie.
115 00:07:39,150 --> 00:07:40,780 So you put the whole thing in quotes.
116 00:07:44,370 --> 00:07:44,950 There we go.
117 00:07:45,420 --> 00:07:50,040 So now we've got rid of the leading spaces and then we can do like a sort with the unique names
118 00:07:51,120 --> 00:07:52,160 and reverse it.
119 00:07:52,740 --> 00:07:59,100 And of course, we could put that into paypal.clean.amass.
120 00:08:00,880 --> 00:08:03,880 Then tail.
121 00:08:05,260 --> 00:08:07,330 When it comes to public.
122 00:08:11,940 --> 00:08:13,590 So that's just pretty good.
123 00:08:13,770 --> 00:08:15,060 Fifteen, about fifteen hundred.
124 00:08:16,560 --> 00:08:22,200 So now you can see the beauty of amass, and next we'll get into supplier by.