OK, so we have our results back. In part one we went pretty quick. In part two I want to talk about the results, what might be interesting here, and then identify some other tools that you can download and use and go play with on your own. So this has identified quite a few things. I mean, there's a big list here: eighty-seven subdomains. And I lied to you when I said that it didn't get fourth levels. I thought there used to be a recursive feature where you'd have to do a -r to get those. Now you don't have to do that; it just picks those up for you. Now, Sublist3r is great at finding some of these things. Like, we come through here, there is a dev.tesla.com, and I saw down towards the end that there was some staging, staging2 here, a dev here, a test. These all look juicy. ss-dev looks juicy. I might be after something like qa as well, or something like vpn.tesla.com. I want to know where your mail is at, so here's webmail, exmail, anything here.

You can also look through these lists and possibly identify what kind of tools they're using. You might see something like a link.tesla.com or zoom.tesla.com, and this really just kind of drives home what they're running on their back end for a lot of things. Now, this isn't the all-inclusive tool. Sublist3r is a great tool; Sublist3r was ahead of its time when it came out, but there are better tools out there, there are tools that incorporate pretty much everything in one go. So you might have certain pieces like this, you might have Sublist3r included in the one tool that is really popular. If you go to Google and type in OWASP Amass, this is the go-to tool for a lot of people doing bug bounty hunting. So if we click on the Amass project here in GitHub, you can download the project and install it per the installation instructions here. So you have an installation guide under the documentation. The reason I have chosen not to show it in this series is because actually running Amass takes a long time, but you can configure Amass to do a lot of things and find a lot more subdomains. So my challenge to you is to get Amass installed and, on top of that, see how many more subdomains than eighty-seven you can find when you actually run it. So another last thing to point out is, if you want to use Sublist3r and when you used it it was really, really slow:

it's always helpful to check the -h on the help, and you can see in here that there is a -t for threads. Always check the help. So we can specify a domain like we did before, do something like -d of tesla.com, and then you can specify threads of like 100 as opposed to maybe one thread or ten threads I was running originally. We give it 100 threads, it's going to go a lot faster, we're going to get a lot more results. You could also do a -v for verbosity here and get your results in real time if you're impatient or you're trying to go out to the web. So there are great tools out there for doing subdomain hunting, and again subdomain hunting is very, very critical because if we just limited ourselves to tesla.com, look at all the things that we would miss. So we can find out a lot here. Now, not all of these pages are going to be alive. Also, there's a good possibility that we can go to something like this mfa.dev or -dev.tesla.com and it won't work. We can give it a go and see. Like, not always do these work; these are what shows up in search engines. But it's worth knowing about them. And there are other tools out there, such as, like, go to Google, such as tomnomnom's httprobe, like this. Tools like that out there will probe the list that you give it; you give this list into the probe,

it'll say hey, this website's alive or this website's not alive, and then you can start narrowing down these lists as well. So that is something to think about when you get your wheels spinning. But for now, for information gathering and for the scope of this course, we don't have to worry about it too much. I do want to point out some other alternatives and ways to do subdomain hunting, and then what to look for in subdomain hunting. So that is it for this video. I'm going to catch you over in the next one.