1
00:00:00,090 --> 00:00:05,750
The next several videos are going to talk about Web information gathering.

2
00:00:05,850 --> 00:00:13,440
So this is going to be important because a lot of the times we're going to be tasked with a web penetration

3
00:00:13,440 --> 00:00:19,060
test or we might encounter a Web site on an external or internal penetration test.

4
00:00:19,230 --> 00:00:26,520
And being able to gather information and perform enumeration on those Web sites is super important.

5
00:00:26,520 --> 00:00:32,160
So what I'm going to show you throughout is how to gather some of the information passively that is

6
00:00:32,220 --> 00:00:37,710
out there and then we'll talk about active methods that actually involve going out to the Web site and

7
00:00:37,710 --> 00:00:39,970
gathering information that way as well.

8
00:00:40,290 --> 00:00:47,100
So the first and most important thing especially when it comes to Web sites or bug bounty hunting etc.

9
00:00:47,490 --> 00:00:54,360
is that we need to identify what subdomains are out there and you saw earlier when we were looking

10
00:00:54,360 --> 00:00:55,240
at Tesla.

11
00:00:55,340 --> 00:01:00,390
It had a scope of something like asterisk Tesla dot com.

12
00:01:00,580 --> 00:01:03,100
This asterisk is a wildcard.

13
00:01:03,150 --> 00:01:10,230
This means that anything and everything is open to us in the scope except what was out of scope in the

14
00:01:10,230 --> 00:01:12,370
subdomain range.

15
00:01:12,450 --> 00:01:19,710
Now we can utilize tools to our advantage to discover these subdomains. Why are subdomains important?

16
00:01:19,710 --> 00:01:27,600
Well we might run into something that is like a dev dot Tesla dot com or we might run into a Web site

17
00:01:27,630 --> 00:01:29,090
that should've never been out there, right?

18
00:01:29,100 --> 00:01:37,770
Like the dev or like test site dot Tesla dot com for example, or you might find login forms. Another

19
00:01:37,770 --> 00:01:43,980
reason that it's so important is because if you just look at Tesla dot com you're limiting yourself

20
00:01:44,010 --> 00:01:50,040
to one website where there could be potentially tons of Web sites on these subdomains.

21
00:01:50,070 --> 00:01:56,090
So we really really need to hunt these and be certain that we're incorporating everything that we can

22
00:01:56,110 --> 00:01:57,810
when we're doing our assessments.

23
00:01:57,810 --> 00:02:02,590
So one great tool that I want to point out is a tool called Sublist3r.

24
00:02:02,610 --> 00:02:04,010
Now we need to install that.

25
00:02:04,060 --> 00:02:08,850
Let's type in apt install sublist3r like this.

26
00:02:13,180 --> 00:02:13,480
OK.

27
00:02:13,510 --> 00:02:21,290
And this will just take a second to get it all set up and we will utilize this tool to get these subdomains.

28
00:02:21,310 --> 00:02:21,670
OK.

29
00:02:21,670 --> 00:02:28,120
Now that it's set up all we have to do is type in sublist3r, hit tab for auto complete, hit enter and

30
00:02:28,120 --> 00:02:30,760
it gives you the syntax.

31
00:02:30,820 --> 00:02:38,230
We can do a dash dash H for help or dash H for help and all we really need here is a domain so we can

32
00:02:38,230 --> 00:02:45,610
say dash D for Tesla dot com and it's going to start searching for Tesla dot com.

33
00:02:45,610 --> 00:02:48,500
And don't worry about this error if you get the error.

34
00:02:48,820 --> 00:02:54,000
So it's looking through all these different search engines similar to what theHarvester was doing.

35
00:02:54,190 --> 00:02:59,830
But you're going to see that it's returned quite a bit more so we see Baidu, Yahoo, Google go through

36
00:02:59,830 --> 00:03:02,270
all these and try to search.

37
00:03:02,380 --> 00:03:06,440
Now while this is going on I want to point out another way to do this.

38
00:03:06,490 --> 00:03:16,840
So let's go out to the Web and let's go and load up another site called crt.sh, with a crt dot sh

39
00:03:16,840 --> 00:03:18,310
like this.

40
00:03:18,320 --> 00:03:21,790
It's going to load up a Web site like so; let's make this a little bigger for you.

41
00:03:22,660 --> 00:03:25,480
And we can do the wildcard ourselves.

42
00:03:25,510 --> 00:03:27,500
You see the percentage is a wildcard.

43
00:03:27,760 --> 00:03:31,460
So we're just gonna say percent Tesla dot com.

44
00:03:31,480 --> 00:03:36,070
Now all we're doing is we're using cert fingerprinting.

45
00:03:36,070 --> 00:03:41,920
Now we're gonna go out and look for certificates that have been registered and it's going to attempt

46
00:03:41,920 --> 00:03:47,890
to find those and tell us what's out there so you can see that we can find energy support dot Tesla dot

47
00:03:47,890 --> 00:03:55,030
com, grid logic dot energy dot Tesla dot com, and we would scroll through these and try to identify all

48
00:03:55,030 --> 00:04:01,120
the different ones like SSO, so single sign-on, that might be interesting if I could find anything in here

49
00:04:01,120 --> 00:04:07,720
that's like VPN dot Tesla dot com or dev dot Tesla dot com, any sort of thing like that.

50
00:04:07,810 --> 00:04:12,890
I'm also interested in API. Toolbox could very well be interesting.

51
00:04:12,980 --> 00:04:16,250
SSO dash dev dot Tesla dot com.

52
00:04:16,300 --> 00:04:21,820
So these are the sort of things that we're after and you see right now that we have different levels

53
00:04:21,820 --> 00:04:30,340
of domains like here you see that we have our subdomain but what about a sub subdomain like a fourth

54
00:04:30,340 --> 00:04:31,770
level of a domain.

55
00:04:31,930 --> 00:04:35,760
You see grid logic dot energy dot Tesla dot com.

56
00:04:35,980 --> 00:04:42,790
So we can go deeper and deeper when it comes to these domains and what Sublist3r is going to be doing

57
00:04:42,790 --> 00:04:47,560
right now is it's going to try to find just the sub subdomain.

58
00:04:47,570 --> 00:04:49,370
So it's going to look for third levels.

59
00:04:49,510 --> 00:04:55,210
It would not discover this grid logic dot energy dot Tesla dot com without a little bit of finagling

60
00:04:55,570 --> 00:04:58,690
and looking through the help to figure out how to do that.

61
00:04:58,870 --> 00:05:05,320
So we can come to a site like crt.sh to see if we could find any additional subdomains within this

62
00:05:05,710 --> 00:05:09,040
and we can utilize tools like Sublist3r as well.

63
00:05:09,040 --> 00:05:14,740
So I'm going to let this finish but in the next video what I'm going to show you is

64
00:05:15,130 --> 00:05:21,670
how to improve upon this process with some tools that have been written in Go that I think are fantastic.

65
00:05:21,670 --> 00:05:26,620
So I'm going to let this run; we're going to have part 2 of this video where we actually review the results

66
00:05:26,920 --> 00:05:29,010
and then we'll go from there.

67
00:05:29,020 --> 00:05:31,090
So I will see you over in the next video.