1
00:00:08,910 --> 00:00:16,620
So in the last lecture, we got into the surprising at all, and now I want to show you how you can

2
00:00:16,860 --> 00:00:24,640
take a list of domains and probe them to confirm that they have no listening services for HTTP and HTTPS,

3
00:00:24,660 --> 00:00:30,670
because now in the past, I would use tomnomnom's httprobe, which is absolutely amazing.

4
00:00:30,690 --> 00:00:34,200
This guy is, you know, he's extremely talented.

5
00:00:34,210 --> 00:00:39,560
He's really nice, great personality and well-spoken, very articulate.

6
00:00:40,140 --> 00:00:41,970
But you know, nothing against him.

7
00:00:41,980 --> 00:00:42,380
No, no.

8
00:00:42,690 --> 00:00:49,440
I like to use httpx because I guess it has a broader support base and there's more minds

9
00:00:49,440 --> 00:00:49,990
working on it.

10
00:00:50,010 --> 00:00:51,090
It's not just one person.

11
00:00:51,630 --> 00:00:54,840
And so that's not to say that tomnomnom's project hasn't been forked.

12
00:00:55,200 --> 00:01:00,300
But, you know, this one, there's just a lot of development and it is just more robust and it's easier

13
00:01:00,300 --> 00:01:01,020
for me to use.

14
00:01:02,370 --> 00:01:05,880
So what we're going to do, you could just download the latest release, obviously, if you wanted to

15
00:01:05,880 --> 00:01:12,570
just grab the binary, right, you would go down here, you download the Linux amd64 and you would just

16
00:01:12,570 --> 00:01:13,650
basically have the binary.

17
00:01:14,700 --> 00:01:18,930
But what we're going to do is we're going to build it from source and you can see what you can do.

18
00:01:18,930 --> 00:01:19,200
Right.

19
00:01:19,710 --> 00:01:23,160
You can basically say httpx and then tackle the name of the file.

20
00:01:23,310 --> 00:01:27,770
So we're going to use our combined file and then we can print out the title, the content length and

21
00:01:27,770 --> 00:01:28,440
the status code.
22
00:01:28,440 --> 00:01:32,420
And I'll show you, you know, all this data for all the domains that you have.

23
00:01:32,910 --> 00:01:36,180
And the reason we're doing this is because data we get back from subfinder and amass,

24
00:01:37,110 --> 00:01:42,870
you know, isn't necessarily current, I mean, you know, those feeds, don't you know, those feeds

25
00:01:42,870 --> 00:01:45,630
at one time were accurate, but they may not be now.

26
00:01:46,110 --> 00:01:51,630
And that's why you need to make sure you channel both the output through a tool like httpx.

27
00:01:55,840 --> 00:01:58,160
And you can see there's lots of different options here.

28
00:01:58,180 --> 00:02:01,120
We don't need to get into all these because it's pretty straightforward.

29
00:02:01,120 --> 00:02:06,190
You could just run cat for the file and then pipe it to httpx and you get some nice responses.

30
00:02:06,940 --> 00:02:07,290
Right.

31
00:02:09,460 --> 00:02:14,860
And here's a one-liner too, run subfinder with httpx in one sweep.

32
00:02:16,360 --> 00:02:17,030
So it's really nice.

33
00:02:17,070 --> 00:02:18,070
So let's just get this going.

34
00:02:18,850 --> 00:02:19,150
All right.

35
00:02:19,150 --> 00:02:24,580
So what we're going to do is we're going to run httpx and we're just going to paste it into the terminal

36
00:02:24,850 --> 00:02:25,590
and get this going.

37
00:02:26,550 --> 00:02:30,750
And again, this is working, this works because we installed Go and we did that a few years back,

38
00:02:30,750 --> 00:02:35,700
so make sure you've got Go set up, you've got your GOPATH and GOROOT configured and everything

39
00:02:35,710 --> 00:02:38,070
set up in your .zshrc file.

40
00:02:38,580 --> 00:02:47,250
So now that we have that set up, we can type httpx and you can see everything we can do with

41
00:02:47,250 --> 00:02:47,370
it.
42
00:02:49,920 --> 00:02:58,080
All right, so what we're going to do is we're just going to pipe people combined into httpx,

43
00:02:58,910 --> 00:03:02,560
what we want are the following: content

44
00:03:02,580 --> 00:03:04,830
length, with the title first.

45
00:03:07,850 --> 00:03:14,090
And I think we definitely want that status code and see if there's anything else in here, we don't

46
00:03:14,090 --> 00:03:14,920
need the IP.

47
00:03:15,680 --> 00:03:18,320
You can see there's a lot of options, right, which is good.

48
00:03:18,320 --> 00:03:19,530
It's good that we have flexibility.

49
00:03:20,140 --> 00:03:21,620
Everything else looks pretty good.

50
00:03:23,160 --> 00:03:27,140
You can even set the ports that you wanted to come back and you can even change the user agent string,

51
00:03:27,810 --> 00:03:30,030
you want to use randomly generated user agent strings.

52
00:03:31,530 --> 00:03:34,050
Status code, we did that, threads 50, that's fine.

53
00:03:35,920 --> 00:03:36,880
Strike the title.

54
00:03:37,900 --> 00:03:41,380
All right, everything looks good, so we're going to run it.

55
00:03:43,390 --> 00:03:43,930
Control easy.

56
00:03:44,350 --> 00:03:46,090
Look at this, beautiful.

57
00:03:47,400 --> 00:03:50,430
I mean, it's so cool, I mean, I love this, you're actually seeing

58
00:03:51,980 --> 00:03:58,010
the URL, status code, the number of bytes returned and the title right now, this makes it really,

59
00:03:58,010 --> 00:03:59,390
really, really, really, really easy.

60
00:03:59,420 --> 00:04:00,250
Look at this, check this out.

61
00:04:00,470 --> 00:04:03,050
Access denied, 403.

62
00:04:03,390 --> 00:04:05,780
That means that there is authentication on this endpoint.

63
00:04:06,050 --> 00:04:06,410
Right.

64
00:04:07,130 --> 00:04:08,810
But now we know 404 Not Found.

65
00:04:09,980 --> 00:04:10,700
This is not valid.

66
00:04:10,830 --> 00:04:13,880
We don't even need to bother looking at this in a browser.
67
00:04:14,420 --> 00:04:18,980
It's that we didn't have to go there because httpx told us that it's not good.

68
00:04:18,980 --> 00:04:19,220
Right.

69
00:04:20,060 --> 00:04:22,040
So we're getting a bunch of Hobbins and this is really, really good.

70
00:04:22,040 --> 00:04:27,140
It's gonna save us a lot of time when we go through using gowitness later when we take screenshots of

71
00:04:27,140 --> 00:04:27,500
everything.

72
00:04:28,010 --> 00:04:31,130
So we'll let this run and then we will return once it finishes.

73
00:04:32,120 --> 00:04:32,600
All right.

74
00:04:32,600 --> 00:04:38,300
So a few minutes later, we are back, everything's finished and you can see a lot of beautiful, colorful

75
00:04:38,450 --> 00:04:39,150
output.

76
00:04:39,900 --> 00:04:47,450
Now, one thing that you might want to do when you think about your bug bounty automation flow is outputting

77
00:04:47,450 --> 00:04:49,400
this and matching on only certain things.

78
00:04:50,690 --> 00:04:51,070
Right.

79
00:04:51,500 --> 00:04:56,960
So what you could do is you could filter for certain projects in the response.

80
00:04:57,290 --> 00:05:01,880
You could filter by a specific status code too, maybe you only want, you know, 403 status

81
00:05:01,880 --> 00:05:08,950
codes, 403, or maybe you only want status codes where the content length is not zero.

82
00:05:09,110 --> 00:05:09,480
Right.

83
00:05:10,460 --> 00:05:12,470
You can get really specific here.

84
00:05:13,520 --> 00:05:20,540
You can export the results as a JSON file if you do tactics and then you can feed that into other tools

85
00:05:20,780 --> 00:05:27,170
further down your automation workflow, so you can match on content length like I'm showing you here, -ml,

86
00:05:27,180 --> 00:05:32,420
you can say -ml and you maybe have a specific content length that you want to match and you can do that

87
00:05:32,420 --> 00:05:32,990
here as well.
88
00:05:34,140 --> 00:05:39,330
So there's a lot of flexibility here, and, you know, I encourage you to really explore all of your

89
00:05:39,330 --> 00:05:41,790
options here, you know, that's what we're going to do here.

90
00:05:42,480 --> 00:05:47,490
And we are actually going to wrap up httpx.

91
00:05:48,360 --> 00:05:51,660
And what we're going to do in the next lecture is we're going to get gowitness running so we can start

92
00:05:51,660 --> 00:05:53,250
to look at some screenshots of these pages.

93
00:05:53,580 --> 00:05:53,850
Right.

94
00:05:53,850 --> 00:05:57,600
Because you could technically just say, OK, I'm going to put all these in my browser and go to each

95
00:05:57,600 --> 00:05:59,420
one down the line.

96
00:05:59,430 --> 00:06:01,350
But that's not very smart and it can take a long time.

97
00:06:01,350 --> 00:06:07,590
So you can instead feed everything into something like gowitness, which is a rewrite of EyeWitness.

98
00:06:08,070 --> 00:06:12,120
And it will then show you screenshots of all of these pages.

99
00:06:12,120 --> 00:06:15,810
And you can just look at the screenshots that look interesting and then focus your bug bounty efforts.

100
00:06:15,810 --> 00:06:17,370
They're kind of cool, right?

101
00:06:17,790 --> 00:06:19,710
All right, guys, I'll see you in the next lecture.

102
00:06:19,920 --> 00:06:21,480
Come back a little bit, bye.