Now the next few videos have to deal with web apps as well. But instead of looking at subdomains, we're going to look at what a website is built with. And that's a good indicator here: BuiltWith. So let's go out to Google and we're going to do a search, "built with." And we're going to go right to builtwith.com and let's take a look at what this does. So let's just search tesla.com, for example. We'll do a lookup, and I'm going to make this a little bit bigger so you can read it. And what this does is this goes out and it looks at what type of tech Tesla is running. Now it gives all this stuff that it can see: Google Analytics, Salesforce, that's great. But it also tells us the widgets that are running. You can see it is part of Bugcrowd, LogMeIn, Twitter, OK. It's got these language things here. But what we're really after is what kind of frameworks you might be running on. So it says here that it's running on PHP, it has Adobe Enterprise Cloud. OK, that's interesting. It's got a CDN, a content delivery network. Interesting, utilizes Stripe. OK. We can scroll through this. Looks like it might be written in Drupal. That's an indicator there. And this is a big website, so it's got a lot. Look at all the information here. And it might be a lot to track down.

So with this, with a big website like this, there's a better way, I think. Now BuiltWith is a great, great resource, but I think there's some other stuff out there that might help us a little bit better. So let's go out to Google as well and let's search for a tool called Wappalyzer, just like this, and we're going to use it for Firefox. So it should pull this up here, and we'll click on the first one and go ahead and just select Add to Firefox, select Add, and now it will appear. So now we have Wappalyzer. Let's go back to Tesla and you see this little guy here in the corner. We're gonna click on this. We're gonna accept it, and now we get a little bit of information as to what's going on. Not as much information as BuiltWith, but I actually like Wappalyzer a lot more because it kind of just gives you an indication right away with what's going on. Now Wappalyzer is more of an active type of reconnaissance. I only say that, and I don't necessarily believe it, but it's because we do have to interact with the website. Now we're not doing any type of scanning; we're just going after the website like a normal user would. And to me it's still kind of passive because we're not doing anything that would be out of the norm.

So here we can see the content management system is running on Drupal. We can see the programming language is running PHP. Those are both identified with BuiltWith as well. Now, why is this important, you're telling me? Well, it's important because if we know that it's running with PHP or Drupal, there might be a vulnerability within those. A lot of times when we have this, let's see, if we go to this website you can see PHP is running, we get a lot of things, and we get version numbers. So look at the Wappalyzer website. You see that it's running on an operating system, Ubuntu. It's got a programming language, PHP. The web server is nginx, with the 1.14.0 version number. Okay. I can tell that it's running on Amazon Web Services as a platform. It's got all kinds of information here; it's got the payment processing. It's running Google Analytics. So see the type of information that can come through. A lot of times you see things like jQuery and other types of libraries here, and the version numbers as well. Now you take those version numbers and you do enumeration on them and you try to find any type of vulnerabilities that might happen there. And the more information that we can gather on a client, on a website, whatever it is, the better off we are. So when we're gathering information on Tesla, OK, now we know the content management system is written in Drupal, the programming language PHP. Is that going to lead to an exploit? Maybe, but you don't know where it's going to come up in the future. So this type of information gathering is great.

Now one more thing that we can use: we've got something built into our machine. Let's go out to the terminal and we can take a look at it. So we've got a tool called WhatWeb, just like this, and hit enter on it. And if we look at the syntax, all we need is to specify a target. So we enter the URL, hostname, IP address, or in that format. So we just say whatweb URL, so let's give it a go. We'll say whatweb, and we'll just say https tesla.com, and it is a redirect. So it might not pull down everything for us here. So it did pull down an IP address; it gave us a redirect. I don't know if there is a follow-redirection option here, but what we'll do is we will just say something instead, we'll say like tesla.com instead of 443, and see if that does anything different, and it didn't. So it does give us some information in here. It's not as pretty of a layout, but it is a tool that is built in to Kali Linux for us. So look, we can pull down Drupal 8. We didn't know what kind of Drupal it was running on. Now we know: Drupal 8. We see that it's running PHP 7.3.7. That's info, too, that we didn't have previously. So using more tools to our advantage gives us more information, and we can pull down the headers that it has here, and you see they have different types of headers, which we're not going to get into quite yet. When we get into the web app portion of this we'll talk more about headers, but this is just yet another thing that we need to look at, and we pull down the IP address as well. So a little bit more information that we can gather here, and just keep going from this.

So that is it. Utilize the resources around you to gather information. We could utilize resources that go out and scan a specific web page like this. We can go and utilize a resource such as Wappalyzer, where you just visit the web page and you can see what's running on there, or a website like builtwith.com, where we just don't even navigate to a website. We just type it in and it does all the work for us, and we can pull down all this information, which is by far the most information out of these three tools. So utilize all the resources available to you and you will have many advantages when it comes to pen testing and your enumeration skills. So that's it for this video. I'll catch you over in the next one.