1 00:00:10,050 --> 00:00:16,560 OK, so in the last lecture, we talked about EyeWitness capturing screenshots of our targets at scale,
2 00:00:16,710 --> 00:00:21,810 and now we're going to get into port scanning. So you could use nmap. nmap is good, but nmap is
3 00:00:21,810 --> 00:00:27,270 like a precision surgeon ready to analyze the responses, has intelligence to determine if a particular
4 00:00:27,270 --> 00:00:31,080 service is listening on a non-standard port. masscan is more like a flamethrower.
5 00:00:31,230 --> 00:00:36,450 It's just going to throw a flame across the Internet and scan everything in five minutes.
6 00:00:36,810 --> 00:00:43,190 Right now, the way I like to do this is run masscan and I'll take the results and put them into nmap.
7 00:00:43,500 --> 00:00:46,290 That way we can get more details of these open ports.
8 00:00:46,840 --> 00:00:50,940 The other thing, though, is that masscan only takes IP addresses, right, as input.
9 00:00:52,380 --> 00:00:57,120 So it's super fast, but it only takes IPs, but we have domains, so what are we going to do?
10 00:00:57,960 --> 00:01:00,840 And that's why rastating created dnmasscan.
11 00:01:01,200 --> 00:01:05,810 So it's an archived project, but basically it's a wrapper around masscan and it allows you to feed
12 00:01:05,820 --> 00:01:08,550 domains into masscan so you can scan those.
13 00:01:09,910 --> 00:01:14,860 And here's the basic usage, so I just want to show you guys how we can combine the flexibility of having
14 00:01:14,860 --> 00:01:17,890 subdomains with the speed and efficacy of masscan.
15 00:01:18,310 --> 00:01:18,670 All right.
16 00:01:18,670 --> 00:01:19,720 So we do masscan.
17 00:01:20,530 --> 00:01:23,010 You can see we have masscan installed.
18 00:01:23,020 --> 00:01:24,280 And so by default in Kali.
19 00:01:25,030 --> 00:01:31,000 But again, it takes IPs, we have domains and subdomains.
20 00:01:31,160 --> 00:01:35,410 So this is what we can do and we'll put it in opt.
21 00:01:40,720 --> 00:01:41,030 Right.
22 00:01:41,050 --> 00:01:43,150 So it's complaining because the folder is empty.
23 00:01:43,150 --> 00:01:44,660 So let's just go into that folder.
24 00:01:45,160 --> 00:01:45,630 Oh right.
25 00:01:45,640 --> 00:01:46,750 So let's rerun this.
26 00:01:46,900 --> 00:01:50,810 I'm just going to hit the right arrow to autocomplete and backspace out the destination.
27 00:01:53,290 --> 00:01:53,630 All right.
28 00:01:53,630 --> 00:01:55,030 So now we've got this dnmasscan.
29 00:01:57,700 --> 00:01:59,110 Let's see if we can run it.
30 00:02:01,700 --> 00:02:06,830 All right, very cool, but we're running it out of opt/dnmasscan, so we could create a symbolic link
31 00:02:07,040 --> 00:02:09,900 that will allow us to run it from our home directory.
32 00:02:10,550 --> 00:02:21,200 Would be kind of nice, so we can do ln symbolic and we'll link up dnmasscan, dnmasscan, to
33 00:02:22,340 --> 00:02:25,040 /usr/bin/dnmasscan.
34 00:02:27,250 --> 00:02:36,250 The reason I picked /usr/bin is because that's in our path here, so now, even though I'm in the
35 00:02:36,250 --> 00:02:41,500 home folder, I should be able to type dnmasscan.
36 00:02:41,930 --> 00:02:42,370 Very nice.
37 00:02:42,370 --> 00:02:42,610 Right.
38 00:02:42,790 --> 00:02:45,010 And this is actually good because this is where all my files are.
39 00:02:46,090 --> 00:02:54,430 So what we can do is we can say sudo dnmasscan and we can give it the paypal combined file as the input
40 00:02:54,430 --> 00:02:58,840 file, the file containing the domain names to resolve and scan: input file.
41 00:03:00,460 --> 00:03:08,950 And then we need a DNS output file, so we'll just call that dns.log, and then we'll put everything
42 00:03:08,950 --> 00:03:12,820 into paypal.dnmasscan.
43 00:03:13,480 --> 00:03:13,840 All right.
44 00:03:13,850 --> 00:03:17,080 So while this runs, let's split the screen and examine the combined file again.
45 00:03:17,110 --> 00:03:22,890 You can see it is running, but it's using the default speed of 500.
46 00:03:23,710 --> 00:03:24,030 Right.
47 00:03:24,070 --> 00:03:29,350 So if you want to change that, you would just add the option to masscan options here.
48 00:03:29,890 --> 00:03:32,110 You'd change the rate to something like two thousand or one.
49 00:03:33,070 --> 00:03:37,090 Obviously, the faster you make it, the less likely you'll actually get detections.
50 00:03:37,690 --> 00:03:38,890 You'll probably have false negatives.
51 00:03:38,890 --> 00:03:40,540 So this is inversely proportional, right?
52 00:03:40,930 --> 00:03:44,140 The quicker you go, the faster you finish, but the fewer detections you'll have.
53 00:03:45,170 --> 00:03:50,770 So if you wanted to modify this rate, you would add it after this dns.log parameter right here.
54 00:03:51,110 --> 00:03:52,450 But let's, let's take a.
55 00:03:54,490 --> 00:04:00,850 But the idea here is that we're going to get an output file, right, that contains open ports, and then
56 00:04:01,150 --> 00:04:07,870 we can feed this as input into nmap and scan those ports for versions, for services and versions and
57 00:04:07,870 --> 00:04:11,040 things like that, and even run some nmap scripts against them.
58 00:04:11,530 --> 00:04:17,530 We can output those results as an XML file and then send that into a tool called BruteSpray, which
59 00:04:17,530 --> 00:04:22,600 will then automatically attempt default creds found from the nmap output.
60 00:04:23,770 --> 00:04:27,100 So hopefully you're starting to see how everything works together.
61 00:04:27,460 --> 00:04:30,970 And this is pretty simple to install: apt install brutespray.
62 00:04:32,260 --> 00:04:38,860 All right, so my session just unceremoniously closed and kicked me out, which is quite rude, but
63 00:04:38,950 --> 00:04:40,210 let me see if I can get back in.
64 00:04:44,720 --> 00:04:45,860 tmux attach.
65 00:04:46,610 --> 00:04:47,750 All right, we're back in business.
66 00:04:48,050 --> 00:04:48,950 That's why I like tmux.
67 00:04:49,520 --> 00:04:49,850 All right.
68 00:04:49,850 --> 00:04:52,070 Do control-a, shift five.
69 00:04:53,350 --> 00:04:54,340 And we'll do a cat.
70 00:04:55,380 --> 00:05:03,480 paypal combined. Let's do control alt the. You may notice that there's no protocol prefix for any of
71 00:05:03,480 --> 00:05:05,180 these domains, right.
72 00:05:05,310 --> 00:05:06,840 So let me show you guys something.
73 00:05:08,400 --> 00:05:11,580 Shift G to go to the bottom, i to insert.
74 00:05:12,390 --> 00:05:14,180 Let's put this in this review
75 00:05:19,020 --> 00:05:20,360 escape, shift ZZ.
76 00:05:20,430 --> 00:05:22,080 Easy. cat.
77 00:05:22,770 --> 00:05:23,460 Now we've got a few.
78 00:05:23,460 --> 00:05:23,700 Right.
79 00:05:23,970 --> 00:05:30,630 Let's say you wanted to get rid of these HTTP protocols, because by default, dnmasscan can't scan
80 00:05:32,040 --> 00:05:39,540 domains that contain the protocol prefix, so you could do something like this with awk: you could
81 00:05:39,540 --> 00:05:40,890 run a field separator
82 00:05:41,770 --> 00:05:44,500 on a forward slash, right?
83 00:05:46,240 --> 00:05:46,780 And then.
84 00:05:50,120 --> 00:05:58,400 You could print the second field of the file and see how that solves that problem.
85 00:05:59,390 --> 00:06:04,330 Everything else is missing because nothing else, you know, nothing else had the HTTP part.
86 00:06:05,930 --> 00:06:09,530 You could also do this, and that prints out everything.
87 00:06:10,890 --> 00:06:16,200 And it also includes the domains that we changed. Then, of course, you could just output that to a
88 00:06:16,200 --> 00:06:16,710 new file.
89 00:06:23,130 --> 00:06:27,270 And you're on your way. Control, easy exit.
90 00:06:28,470 --> 00:06:30,330 That looks crazy, but it's working.
91 00:06:31,770 --> 00:06:33,280 Wow, that looks absolutely amazing.
92 00:06:33,300 --> 00:06:35,610 It's like putting a mirror inside of a mirror.
93 00:06:36,240 --> 00:06:38,520 This is, this is Inception, guys, right?
94 00:06:38,610 --> 00:06:41,550 So in the next lecture, we're going to get into gospider.
95 00:06:41,880 --> 00:06:44,370 So I will see you in the next lecture. Bye.