1
00:00:00,240 --> 00:00:05,360
In this video we're going to do something along similar lines with the previous lesson.

2
00:00:05,400 --> 00:00:11,880
We're going to learn how to discover subdomains. If you're new to penetration testing,

3
00:00:11,880 --> 00:00:19,620
you should know that subdomain discovery, or subdomain enumeration, is a very important step in application

4
00:00:19,620 --> 00:00:26,340
testing, or better said in the recon phase of the penetration testing methodology.

5
00:00:26,340 --> 00:00:31,140
Now there are many very good tools that can be used for this purpose.

6
00:00:31,240 --> 00:00:39,840
Therefore you can just go to github.com, clone a repository and have your automated subdomain discovery

7
00:00:39,870 --> 00:00:43,270
tool set up in no time.

8
00:00:43,380 --> 00:00:46,600
Now I use some of these tools myself.

9
00:00:46,710 --> 00:00:48,830
Tools such as dirb.

10
00:00:49,680 --> 00:00:58,480
So we have dirb, or gobuster, or dirsearch.

11
00:00:58,480 --> 00:01:02,400
So all of these tools are actually used for subdomain discovery.

12
00:01:02,450 --> 00:01:05,790
Now without wasting too much time, let's actually do it.

13
00:01:05,820 --> 00:01:14,150
So first I need to mention that the inspiration for this code comes from Abdou Rockikz,

14
00:01:14,160 --> 00:01:24,940
I hope I don't butcher his name, from the thepythoncode.com website, so I'll link to it in the resources.

15
00:01:24,960 --> 00:01:28,900
OK, now let's first import requests.

16
00:01:28,980 --> 00:01:36,600
We already know requests from the previous video, and we'll also import the sys module, or import

17
00:01:36,600 --> 00:01:43,370
sys, because we want to provide our domain as a command line argument.

18
00:01:43,440 --> 00:01:50,490
All right, now we need a list of subdomains that we want to test for, and I'm using the list from this

19
00:01:50,670 --> 00:01:51,910
repo.
20
00:01:52,650 --> 00:01:53,750
So rbsec,

21
00:01:53,750 --> 00:01:57,810
dnscan, subdomains-1000.txt,

22
00:02:00,720 --> 00:02:03,300
alright, but you can choose whatever list you want.

23
00:02:03,330 --> 00:02:10,050
So I already downloaded that list and saved it in the folder where this script is going to run, which

24
00:02:10,050 --> 00:02:11,100
is on the desktop.

25
00:02:11,100 --> 00:02:28,460
So I'll just open it. Let's say sub_d, or sub_list, equals open("subdomains-1000.txt")

26
00:02:28,740 --> 00:02:29,170
.read().

27
00:02:29,200 --> 00:02:34,030
So we open it and read it in one line.

28
00:02:34,030 --> 00:02:40,170
Now this will contain newline characters after each line.

29
00:02:40,180 --> 00:02:47,470
So we actually need to split it. Better said, this sub_list variable is actually a string, so a

30
00:02:47,470 --> 00:02:51,830
string of words separated by the newline character.

31
00:02:51,990 --> 00:02:59,680
Now, what we want is actually a clean list of words that we can use to brute force, or to enumerate,

32
00:02:59,840 --> 00:03:00,750
domains.

33
00:03:00,880 --> 00:03:09,280
So we'll say subs = sub_list.splitlines().

34
00:03:09,280 --> 00:03:12,410
And that's the method that we use.

35
00:03:12,430 --> 00:03:17,730
Now in this case subs is going to be a list.

36
00:03:18,100 --> 00:03:19,030
So far so good.

37
00:03:19,030 --> 00:03:20,250
Now for the fun part.

38
00:03:20,950 --> 00:03:26,290
Let me explain how this works, how a subdomain brute force works.

39
00:03:26,350 --> 00:03:29,430
First you have a list of words.

40
00:03:29,440 --> 00:03:35,450
So, number one, you need a list of words to try as a subdomain for a specific domain.

41
00:03:35,530 --> 00:03:47,560
Then, number two, the script makes a request to each word.thatdomain.com and it analyzes the response,

42
00:03:47,610 --> 00:03:53,760
whether you're going for HTTP or HTTPS.
43
00:03:54,520 --> 00:03:59,680
And then, number three, based on the response we get valid subdomains.

44
00:03:59,680 --> 00:04:00,200
All right.

45
00:04:00,220 --> 00:04:03,820
Now how do we actually implement this in Python?

46
00:04:03,850 --> 00:04:05,580
Well, I'm glad you asked.

47
00:04:05,620 --> 00:04:10,090
So let's actually start with the for loop: for sub in subs.

48
00:04:10,090 --> 00:04:21,880
So for each word in the sub list, or in the subs list, we'll go for the http scheme here, for rapidity, but you can test

49
00:04:21,880 --> 00:04:25,690
for both HTTP and HTTPS if you want.

50
00:04:25,840 --> 00:04:33,880
So url_to_check = f, and I'm going to explain shortly,

51
00:04:33,890 --> 00:04:37,850
"http://{sub}".

52
00:04:39,330 --> 00:04:50,790
So for sub we take {sub}.{sys.argv[1]}. Now, f here, if you didn't know, starting with Python 3.6

53
00:04:51,210 --> 00:04:54,640
we have f-strings.

54
00:04:54,640 --> 00:05:01,710
Okay, so f in front of a string here is a string format. What's in the curly braces is actually taken as

55
00:05:01,710 --> 00:05:04,440
a name from the current context.

56
00:05:04,620 --> 00:05:10,680
There are many ways to do string formatting in Python, and in my view this is actually one of the cleanest

57
00:05:10,860 --> 00:05:12,610
and the coolest.

58
00:05:12,660 --> 00:05:18,600
Now for efficiency we should actually encapsulate everything in a try/except construct.

59
00:05:18,930 --> 00:05:28,950
So we'll say try: requests.get(url_to_check). Simple.

60
00:05:29,070 --> 00:05:35,800
And then of course we have the except, but not for all the exceptions.

61
00:05:35,820 --> 00:05:42,720
We only catch requests.ConnectionError, so we only look for connection errors.

62
00:05:42,720 --> 00:05:48,450
In this case we get a lot of connection errors, and if we want to catch an error we can just skip to

63
00:05:48,450 --> 00:05:53,640
the next iteration of the for loop, so we'll do that.
64
00:05:53,760 --> 00:06:01,920
However, you can get really granular here by catching certain status codes and outputting them.

65
00:06:02,040 --> 00:06:07,500
Now there is a lot of room to play with, however in this case we'll be just straightforward.

66
00:06:07,500 --> 00:06:17,130
So if a connection error occurs we'll just move on to the next iteration, so we'll say pass, or else.

67
00:06:17,130 --> 00:06:32,010
So we have else: print("valid domain"), and then we print the domain, url_to_check, and that's

68
00:06:32,010 --> 00:06:32,850
just about it.

69
00:06:32,880 --> 00:06:38,760
So this is actually how you write a very simple subdomain discovery tool in just a few

70
00:06:38,760 --> 00:06:40,530
lines of Python code.

71
00:06:40,590 --> 00:06:42,980
Now let's actually put this in action.

72
00:06:43,010 --> 00:06:51,030
So I've saved it. I'm going to open up a command prompt and then navigate to the desktop, and I'm simply going

73
00:06:51,030 --> 00:07:01,610
to run it with python subd.py and then the domain that I want to test for.

74
00:07:01,680 --> 00:07:06,070
So google.com doesn't mind if we actually look for a few subdomains.

75
00:07:07,260 --> 00:07:08,030
OK.

76
00:07:08,130 --> 00:07:14,490
Hit enter, and as you can see the simplicity of it is just actually beautiful.

77
00:07:14,490 --> 00:07:20,040
This thing does its work just as intended.

78
00:07:20,040 --> 00:07:22,460
So we already found two subdomains.

79
00:07:22,530 --> 00:07:29,300
Now of course you can dramatically increase its speed by threading, or parallelizing it.

80
00:07:29,380 --> 00:07:32,970
You would work with the threading and queue modules here.

81
00:07:32,970 --> 00:07:38,350
You could also have it take multiple arguments, such as custom wordlists.
82
00:07:38,520 --> 00:07:43,380
You could have it display certain error codes, and you could have it save the results to a file instead

83
00:07:43,380 --> 00:07:48,300
of just throwing them in the output as it does here.

84
00:07:48,300 --> 00:07:55,260
You could have it run recursively, such as checking for subdomains of subdomains etc., and we might work

85
00:07:55,260 --> 00:08:02,460
on such a tool in a more advanced Python for penetration testing course or class. Until then I'd encourage

86
00:08:02,490 --> 00:08:09,690
you to see how you can expand this tool yourself, and also make sure to check out the resources for more

87
00:08:09,690 --> 00:08:12,000
good stuff from the thepythoncode

88
00:08:12,000 --> 00:08:13,440
.com blog.
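The script walked through in the video, reassembled below as one complete, runnable program. This is an added example, not the video's own code and not code from thepythoncode.com: it keeps the same shape (domain from sys.argv, wordlist text split with splitlines(), an f-string URL per word, requests.get inside try/except on connection errors) and adds the things a practitioner wants that the video leaves out: a request timeout so a single unresponsive host cannot stall the whole scan, both http and https schemes, a thread pool as the video suggests for speed, the HTTP status code next to each hit, and a wildcard-DNS check, because a zone with a `*` record answers for every label and makes the whole wordlist look "valid". The probe function is injectable so the logic can be exercised offline; example.com and the inline wordlist are constructed placeholders.

```python
"""Minimal subdomain brute-forcer in the shape of the script from the video.

Added example, not the video's own code. SAMPLE_WORDLIST and example.com are
constructed placeholders; run main() with a real wordlist such as
subdomains-1000.txt from rbsec/dnscan to use it for real.
"""
import secrets
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

# Constructed sample: what a wordlist file looks like right after .read().
SAMPLE_WORDLIST = "www\nmail\n\n# comments, blanks and duplicates are dropped\nMAIL\nftp\n"

Probe = Callable[[str], Optional[int]]


def load_wordlist(text: str) -> List[str]:
    """splitlines() as in the video, then strip, lowercase, and drop blank
    lines, comment lines and duplicates while keeping the file order."""
    seen = set()
    words = []
    for line in text.splitlines():
        word = line.strip().lower()
        if not word or word.startswith("#") or word in seen:
            continue
        seen.add(word)
        words.append(word)
    return words


def candidate_urls(domain: str, words: Iterable[str],
                   schemes: Sequence[str] = ("http", "https")) -> List[str]:
    """Build one URL per (word, scheme) pair with an f-string, like the video."""
    return [f"{scheme}://{word}.{domain}" for word in words for scheme in schemes]


def http_probe(url: str, timeout: float = 3.0) -> Optional[int]:
    """Return the HTTP status code, or None when the host cannot be reached.
    The timeout matters: without it one black-holed host hangs the scan."""
    import requests  # imported lazily so the offline logic needs no network library

    try:
        resp = requests.get(url, timeout=timeout, allow_redirects=False)
    except (requests.ConnectionError, requests.Timeout):
        return None
    return resp.status_code


def probe_all(urls: Sequence[str], probe: Probe, workers: int = 1) -> List[Tuple[str, int]]:
    """Probe every URL (in parallel when workers > 1) and keep the ones that answered."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        codes = list(pool.map(probe, urls))
    return [(url, code) for url, code in zip(urls, codes) if code is not None]


def wildcard_hits(domain: str, probe: Probe = http_probe,
                  schemes: Sequence[str] = ("http", "https")) -> List[Tuple[str, int]]:
    """Probe a random label that should not exist. Any answer means the zone has
    a wildcard record, so a hit on a wordlist entry proves nothing."""
    label = secrets.token_hex(8)
    return probe_all(candidate_urls(domain, [label], schemes), probe)


def enumerate_subdomains(domain: str, words: Iterable[str], probe: Probe = http_probe,
                         workers: int = 20,
                         schemes: Sequence[str] = ("http", "https")) -> List[Tuple[str, int]]:
    """The video's for loop, run through a thread pool: returns (url, status) hits."""
    return probe_all(candidate_urls(domain, words, schemes), probe, workers)


def main(argv: Sequence[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <domain> <wordlist>", file=sys.stderr)
        return 2
    domain, path = argv[1], argv[2]
    with open(path, encoding="utf-8") as fh:
        words = load_wordlist(fh.read())
    if wildcard_hits(domain):
        print(f"[!] {domain} answers for random labels (wildcard DNS); hits below are unreliable",
              file=sys.stderr)
    for url, code in enumerate_subdomains(domain, words):
        print(f"[{code}] {url}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage is the same as in the video plus the wordlist path: `python subd.py example.com subdomains-1000.txt`. Note that this approach, like the video's, only finds subdomains that run a web server on 80 or 443; a host that resolves but serves nothing over HTTP is missed, which is why tools that resolve names directly (DNS queries rather than HTTP requests) find more.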