1
00:00:00,950 --> 00:00:01,660
Welcome back.

2
00:00:02,480 --> 00:00:05,820
In this video, we will cover a tool called What?

3
00:00:06,650 --> 00:00:12,920
And as I mentioned in the previous lecture, we use what web to determine which technologies does our

4
00:00:12,920 --> 00:00:13,860
website have?

5
00:00:14,570 --> 00:00:20,690
So it's still information gathering, but from a technical aspect and what Web is told that we already

6
00:00:20,690 --> 00:00:25,050
have preinstalled in colonics and we can run it with the help of a terminal.

7
00:00:25,760 --> 00:00:28,220
So let's do it straight away as usual.

8
00:00:28,220 --> 00:00:34,580
Make sure that you're always purtle machine is running and all we need to do to run the what web tool

9
00:00:34,580 --> 00:00:40,190
is to type Blood-Red and then the IP address of the target that we want to scan.

10
00:00:40,370 --> 00:00:46,970
In my case, this is one I to that 168, that one that for which is the IP address of my old Wesp virtual

11
00:00:46,970 --> 00:00:47,390
machine.

12
00:00:48,260 --> 00:00:49,610
If I press enter.

13
00:00:51,290 --> 00:00:56,840
Since this machine is in my local network, it'll take just a few seconds for this command to finish

14
00:00:57,170 --> 00:01:00,290
and we do get some information here.

15
00:01:01,070 --> 00:01:06,560
As we can see, this is the link that what Web tool try to visit it got two hundred OC code, which

16
00:01:06,560 --> 00:01:08,420
means it's successfully loaded the page.

17
00:01:08,810 --> 00:01:12,890
It discovered the Apache version, which is two point two point fourteen.

18
00:01:14,030 --> 00:01:20,150
If we go right here, we got country, we got email addresses, so it does manage to even get some email

19
00:01:20,150 --> 00:01:21,770
addresses out of this page.

20
00:01:22,990 --> 00:01:29,920
The HTP server appears to be running Ubuntu Linux, we get the Apache version once again and we get

21
00:01:29,920 --> 00:01:37,540
the IP address, the Querrey version, the open SSL version, the P version and some other versions

22
00:01:37,540 --> 00:01:37,960
as well.

23
00:01:37,960 --> 00:01:42,480
As we can see, the target machine is running Python two point six point five.

24
00:01:43,090 --> 00:01:47,560
So this allows us to discover technologies behind a certain website.

25
00:01:47,560 --> 00:01:54,460
And what could be our next step is to take perhaps Apache version, Google this version and see whether

26
00:01:54,460 --> 00:01:57,560
it has any known vulnerabilities that exist.

27
00:01:58,070 --> 00:02:00,190
Now, this is just a regular comment.

28
00:02:00,190 --> 00:02:00,550
With what?

29
00:02:00,560 --> 00:02:06,370
With what we can do to discover what else we can do with whatever we can run this command, which is

30
00:02:06,370 --> 00:02:07,990
what web that help.

31
00:02:09,800 --> 00:02:15,090
Once you type it in, it will give you all of the possible things that you can do with this tool.

32
00:02:15,560 --> 00:02:21,490
So we have a bunch of other options that we can use, such as input file your A prefix.

33
00:02:21,860 --> 00:02:23,720
We got the aggression mode.

34
00:02:23,720 --> 00:02:29,450
So the aggression level controls the tradeoff between speed and stealth and reliability.

35
00:02:29,630 --> 00:02:35,030
There are three aggression modes, the stealthy, aggressive and heavy.

36
00:02:36,130 --> 00:02:42,880
Now, you can go through this menu if you'd like, this is just a short help menu of the tool, but

37
00:02:42,880 --> 00:02:48,550
if you want to know even more about the tool, you can use a command called command, which is shorthand

38
00:02:48,550 --> 00:02:52,270
for manual if you type men and then the tool name.

39
00:02:53,670 --> 00:03:01,350
It will open the manual for what it and under the description, we can see what Web identifies websites.

40
00:03:01,770 --> 00:03:05,660
Its goal is to answer the question, what is that website?

41
00:03:06,180 --> 00:03:12,720
What Web recognizes web technologies, including content management systems, blogging platforms, statistical

42
00:03:12,720 --> 00:03:18,720
holistic packages, JavaScript libraries and many other things in the second paragraph.

43
00:03:18,750 --> 00:03:24,750
We also got some explanation on the aggression level or on the aggression option that we saw from the

44
00:03:24,750 --> 00:03:25,400
help menu.

45
00:03:25,650 --> 00:03:30,030
So as it says, what can be stealthy and fast or thorough but slow?

46
00:03:30,480 --> 00:03:36,420
What Web supports and aggression level to control the trade off between speed and reliability when you

47
00:03:36,420 --> 00:03:37,830
visit the website in your browser?

48
00:03:37,860 --> 00:03:43,490
The transaction includes hints on what web technologies are powering that website.

49
00:03:43,500 --> 00:03:45,840
And that's exactly what what web does.

50
00:03:46,080 --> 00:03:51,990
It enumerates those technologies and it outputs them back to us sometimes.

51
00:03:51,990 --> 00:03:57,720
A single Web page visit contains enough information to identify a website, but when it does not, what

52
00:03:57,720 --> 00:04:00,340
Web can interrogate the website further?

53
00:04:00,450 --> 00:04:03,090
And that is where the other aggression levels come.

54
00:04:03,690 --> 00:04:10,920
The default level of aggression called passive, is the fastest and requires only one HTP request our

55
00:04:10,920 --> 00:04:11,380
website.

56
00:04:12,000 --> 00:04:14,700
This is suitable for scanning public websites.

57
00:04:14,740 --> 00:04:16,769
Now this part right here is important.

58
00:04:17,220 --> 00:04:21,120
We can use the default aggression level to scan public websites if we'd like.

59
00:04:21,450 --> 00:04:27,120
But if we want to use more aggressive levels, as it says right here, more aggressive modes were developed

60
00:04:27,300 --> 00:04:29,190
for in penetration tests.

61
00:04:29,190 --> 00:04:34,110
So you should not use the aggressive modes on a website that you do not have permission to scan.

62
00:04:34,860 --> 00:04:35,920
OK, awesome.

63
00:04:36,660 --> 00:04:40,080
So let's take a look at what else can we run with.

64
00:04:40,440 --> 00:04:41,910
So let's go back to the Help menu.

65
00:04:42,860 --> 00:04:49,790
And we do get some examples of use it right here, but what we want to do, as it says the most at the

66
00:04:49,790 --> 00:04:53,360
moment, is let's try to use aggression.

67
00:04:53,360 --> 00:04:59,870
Level three, for example, since we used one before, which was default, let's increase it a little

68
00:04:59,870 --> 00:05:02,210
bit and let's move the aggression level to three.

69
00:05:02,810 --> 00:05:08,570
Then we can also type Dash V, which stands for Verbose, which means it will output even more things.

70
00:05:08,840 --> 00:05:12,050
And at the end, let's add the IP address.

71
00:05:12,970 --> 00:05:18,570
Oops, we misspelled aggression, so let's add another S and let's let it to run.

72
00:05:20,540 --> 00:05:27,020
OK, the output came once again relatively fast because the parties in my local network, so let's see

73
00:05:27,020 --> 00:05:29,190
what else do we have straightaway?

74
00:05:29,210 --> 00:05:31,070
We notice much more output.

75
00:05:31,070 --> 00:05:38,000
Then once we ran the comment previously and we got it ordered by detected plugins so we can see the

76
00:05:38,000 --> 00:05:40,850
detected plugins, we got the Patriot first.

77
00:05:41,150 --> 00:05:43,070
Then comes the description of Apache.

78
00:05:43,370 --> 00:05:48,440
We got the version right here and we got the website of Apache as well.

79
00:05:48,870 --> 00:05:52,880
So we do get some more information about each of the discovered plugins.

80
00:05:53,770 --> 00:05:59,860
Up here, we get pretty much the information that we got from the first scan and down here we can read

81
00:05:59,860 --> 00:06:07,480
more about every plug in that it managed to find, including email addresses, HTML version, Jüri,

82
00:06:07,480 --> 00:06:10,300
Open, SSL and all of that.

83
00:06:10,300 --> 00:06:15,190
And in case there is a plug in that you do not recognize, you can read through the description and

84
00:06:15,190 --> 00:06:16,960
figure out what it is used for.

85
00:06:17,650 --> 00:06:23,950
Besides of using what web on only one IP address, you can also use WhatsApp on multiple IP addresses

86
00:06:23,950 --> 00:06:24,670
if you'd like.

87
00:06:25,180 --> 00:06:26,590
You can type the same comment.

88
00:06:26,590 --> 00:06:32,230
And for example, let's say you have multiple websites in your local network that you want to scan with

89
00:06:32,230 --> 00:06:32,920
one comment.

90
00:06:32,920 --> 00:06:41,110
You can do so by typing your network range, which in my case is this one, and then it will perform

91
00:06:41,110 --> 00:06:44,950
scanning of all of the IP addresses inside of your network.

92
00:06:45,640 --> 00:06:48,850
And you can notice that I'm getting a lot of errors right here.

93
00:06:49,120 --> 00:06:52,810
These are all the IP addresses that are not hosting any website.

94
00:06:52,810 --> 00:06:59,620
As you can see, it tries to visit this IP address over FTP, but it can't find the route to the host.

95
00:06:59,620 --> 00:07:01,470
Therefore, it throws us an error.

96
00:07:02,140 --> 00:07:07,630
Now, just so you don't have to see all of these errors, what you can do is you can run the same command

97
00:07:07,630 --> 00:07:11,860
and add at the end dash, dash, no dash errors.

98
00:07:13,210 --> 00:07:17,620
This will remove all of these errors so it doesn't get printed out to us.

99
00:07:17,980 --> 00:07:20,070
It just simply gives a better output.

100
00:07:20,230 --> 00:07:25,170
And here you will get response for every device on your network that has a website hosted.

101
00:07:25,390 --> 00:07:32,380
In my case, that should only be our wesp virtual machine as well as perhaps my router.

102
00:07:33,540 --> 00:07:40,380
Let me see if we got the IP address of one or to that 168 that wandered for and down here we got my

103
00:07:40,380 --> 00:07:43,080
rotters IP address, which is 190 to the 168.

104
00:07:43,080 --> 00:07:43,380
That one.

105
00:07:43,380 --> 00:07:43,740
That one.

106
00:07:44,460 --> 00:07:50,370
Now, of course, with the IP range, let me just go down here, clear the screen.

107
00:07:51,300 --> 00:07:54,340
Your IP range might be a completely different one.

108
00:07:54,360 --> 00:07:56,620
It doesn't have to be the same one that I have.

109
00:07:57,360 --> 00:08:02,850
So make sure that you check that out first and then you can run this command with your IP range.

110
00:08:03,510 --> 00:08:11,790
OK, also, and this is what we use the word for, it helped us discover different plugins that the

111
00:08:11,790 --> 00:08:12,510
website has.

112
00:08:13,660 --> 00:08:19,810
Now, what what can be considered one of the tools that are used for advance website operation, because

113
00:08:19,810 --> 00:08:26,620
it does give us a lot of information back, however, we are slowly getting closer to ending website

114
00:08:26,620 --> 00:08:27,200
enumeration.

115
00:08:27,220 --> 00:08:29,730
There are a couple more tools that we want to discuss.

116
00:08:29,740 --> 00:08:32,049
Of course, you do not have to use all of these tools.

117
00:08:32,049 --> 00:08:35,890
We just showing different options that you can use.

118
00:08:36,130 --> 00:08:40,960
And besides all the tools it will cover, there are also a bunch of other tools that you might find

119
00:08:40,960 --> 00:08:41,490
useful.

120
00:08:41,500 --> 00:08:44,460
So feel free to use any one of them that you like.

121
00:08:44,830 --> 00:08:49,160
Now, in the next video, we're going to check out a tool called Therp.

122
00:08:49,330 --> 00:08:52,060
So thank you for watching and I will see you in the next lecture.