OK, it's time we start our website enumeration, and the very first thing that we should do is to take a look at the website through our browser. So we want to see what pages it has, what does it open when we visit its IP address? This is very basic stuff that we want to check first. So to do that, we can go to our Firefox. And make sure that you have your OWASP BWA machine started, and once you have it started, then we can visit the IP address of OWASP BWA. In my case, that is 192.168.1.4; we already showed how we can check out the IP address of this virtual machine. So once you do that, type the IP address in your Firefox and it should visit this page. So this is the first thing that we take a look at. We already notice that we have a bunch of links right here, so this page has a bunch of other pages that could be hosting different services, that could be offering different things, and it could potentially have multiple login forms or something similar. So, for example, let's pick any one of these. Let's go to this one under the realistic, intentionally vulnerable applications. If we click on it, and let me just enlarge this a little bit so you can see everything better. Well, this is some type of an application, some type of page that OWASP has, and the first thing that catches my eye is something like this.
We have a search button and we also have a login button. What does this mean? Well, it means that this could potentially lead us to some type of a brute force attack where we would try to gain access to a certain account on this page. Perhaps they have weak passwords and we can log in if we brute force the account. You never really know. We can also create an account. So this page is already looking interesting to us. We also have some type of a file that we can send; currently no file is selected, but we can see right here that we have some input as well, and then we have a button to send files. All of these things we would want to play around with and see what we can do with them. Let's take a look at another page as well. So if we go back and, for example, go to this one, we straight away get a login form. So this also tells us that there could be a potential brute force attack or weak credentials attack here as well, since it does offer us a username and password field. Let's go back. Since we don't really know any username and password here, we don't really know what this is. It could be some administrator page. It basically could be anything whatsoever.
We can also do something like this, for example, go back and let's say we want to try to find some secret administrator page; try something like /admin, and in this case, we don't really get anything. It says /admin is not found, but it was worth trying it out. Now, let's check this out on a real website, since this one is specifically made vulnerable, so we know that we will find vulnerabilities in all of these. But let's go and, for example, search for tesla.com. So this is an official website, it is registered, and if we visit it... So we get some prompt right here that asks us to select our region; let's just click X right here. And what we would usually be looking for is, once again, we would try to find some type of a login form or some type of a search field or any part of the web application where we can interact with it. So we already see right here something like a Tesla account. And it does ask us to log in, so we do have some type of a login. For now, login forms are not the only thing that we are looking for. But for now, it's the first thing that catches our eye. Now, for real websites, we can also perform some advanced search using Google. This is also called Google dorking. It's using Google advanced search techniques to discover information that we might find useful. For example, let's go to Google.
And let's go with Tesla first, so let's type in site, and then a colon, tesla.com, and let's say we want to find all the PDF files from this website right here. We would type site:tesla.com and then filetype:pdf. If I press enter, it will give us all the results of -- that this page has, and we can see that these indeed are --. It says right here, as we can see, and perhaps we could find something useful in these --. You never know. Maybe there is some -- that has an information disclosure, and perhaps it gives us some information that we find useful. We can also try to find some emails from this website. How do we do that? Well, we can do something like this. We could open double quotes, "@tesla.com", and then -site:tesla.com, press enter. And let's see. Right now, we did not manage to find something interesting for Tesla. And here is one email we did manage to find, but that's just one email. It still could be useful for us, but we're looking for a little bit more, so we can instead try to go with some university websites since they usually have a bunch of emails. Let's go with this one.
I'm going to use a university from my country, and it's located at this website. And we are going to use the same command. So "@" and then the addition to the email, and then -site:, which is the same link or same domain. I would press enter right now. And here is one email address that could also be useful. Now we can also visit these links and try to find even more, but let's just see what we can gather from here. Here's another email address, and here appears to be the start of a phone number. So we also get that. Here's another email address right here. And that would pretty much be it from the first page. Now we can, as I said, visit these links and then we can find even more email addresses, hopefully. And here's another one that we missed from the first link. OK, now, we tried to go to /admin before on our OWASP BWA. We did that by adding /admin in front of the link or in front of the IP address. But for regular websites, there is something even better that we can try using Google. We can use Google dorks to try and find something like admin pages, and we can do that by searching for the admin keyword inside the title of the page or inside the URL. To do that, we simply type intitle:admin, or inurl:admin as well, and then we specify which site, and let's use this same website, this university website.
So this is the command, and let's press enter. Then we get some responses right here; if you go to any one of them... Secure connection failed. And the error that it gives us is SSL_ERROR_UNSUPPORTED_VERSION. This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox; enabling TLS 1.0 and TLS 1.1 might allow this connection to succeed. So let's give it a try; if we enable it, we do manage to succeed. And you can see that this link has an addition to it that has the admin keyword, and that is why we managed to find it. We also have a couple of input fields right here. So here we enter an email address and password, and here we also enter our email address. And this is just one of the pages. Maybe there are multiple pages that have the admin keyword inside of them, and that could be useful for us. So for now, this seems to be some type of an admin form. And we do also get some email address right here; I do believe this is an email address. There is not much info about it. But nonetheless, we did get here successfully. These are usually the things that you do first to start off with website enumeration: we just gather some information about it. We perhaps try to find some additional pages, such as this admin page.
The most important thing is that we must start somewhere. There is not a strict rule that says how you can perform your website penetration testing and in which order you do all of these things. That's why we are going to check out the most common techniques, and it will be up to you to apply them as you like. As far as this lecture, which was on Google dorking and just inspecting a website in general, you can take a look at some additional advanced Google commands that are useful for us hackers, so we can find them by, let's say, typing in "Google dorks". And let's go with the first link, which is exploit-db.com. Let's visit that. And once it opens this page, we will get a saying here that this is the Google Hacking Database, and down here we have a bunch of Google dorks or Google commands that we can use to extract some useful information from a certain website. For example, it gives us the command right here, under the category. It says what it searches for. So in this case, it searches for files containing passwords. And the author name right here. And you have a bunch of these commands. As we can see, these are only the first 15 commands out of six thousand.
So you can take a look here, perhaps find some useful commands that you might apply to your penetration tests, and you might use them later on. However, you will always have this database right here at this link, so you can visit it any time that you like. OK, awesome. So we took a look at Google dorking, or executing some advanced Google search commands. We also took a look at our website. We browsed a few pages here and there just to see what the website has. Now, in the next video, we're going to check out how we can use multiple ways to discover some more information about our websites, such as IP addresses, such as domain names, such as its physical address, perhaps some additional emails or phone numbers and all of that. So thank you for watching and I'll see you in the next video.
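The four dorks this lecture types into Google (site: with filetype:pdf, the quoted "@domain" with -site:, and intitle:/inurl:admin), plus the e-mail harvesting it does by eye, as an added Python example for checking what your own domain exposes; this is not the lecturer's code, and the domain and result snippets are constructed placeholders, not real search output.

```python
"""Added example: build the lecture's Google dorks for one domain and collect
the e-mail addresses that the "@domain" -site:domain query surfaces."""
import re

def build_dorks(domain: str) -> dict:
    """Return the four queries the lecture uses, keyed by what they look for."""
    return {
        "pdf_files": f"site:{domain} filetype:pdf",
        "emails": f'"@{domain}" -site:{domain}',
        "admin_title": f"intitle:admin site:{domain}",
        "admin_url": f"inurl:admin site:{domain}",
    }

# Plain e-mail pattern: local part, "@", host with at least one dot and a TLD.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def harvest_emails(snippets: str, domain: str) -> list:
    """Collect unique addresses at `domain` or any of its subdomains from
    search-result text. Addresses are lower-cased so 'Admin@' and 'admin@'
    count once, and look-alike hosts such as 'domain.evil.com' are dropped."""
    domain = domain.lower()
    found = set()
    for addr in EMAIL_RE.findall(snippets):
        addr = addr.lower()
        host = addr.split("@", 1)[1]
        if host == domain or host.endswith("." + domain):
            found.add(addr)
    return sorted(found)

# Constructed sample snippets standing in for a results page (not real data).
SAMPLE = """
Contact the registrar office: registrar@example-uni.edu or call 555-01
Staff list - Admin@cs.example-uni.edu, j.doe@example-uni.edu
Unrelated: webmaster@other-school.org, admin@example-uni.edu.evil.com
"""

if __name__ == "__main__":
    for name, query in build_dorks("example-uni.edu").items():
        print(f"{name:12} {query}")
    print(harvest_emails(SAMPLE, "example-uni.edu"))
```

Running it prints the four queries and the three addresses that belong to the placeholder domain; the other-school address and the look-alike host are left out.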