1
00:00:00,150 --> 00:00:06,340
So now we're going to use a tool called DirBuster to do a little bit of directory busting.
2
00:00:06,570 --> 00:00:10,710
There are other tools out there that are similar or do the same thing.
3
00:00:10,710 --> 00:00:12,480
There are two built-in tools.
4
00:00:12,480 --> 00:00:17,130
In fact, there's DirBuster and there's also a tool called dirb.
5
00:00:18,000 --> 00:00:21,630
And then there is a tool called Gobuster.
6
00:00:22,680 --> 00:00:24,210
And you have a lot of options.
7
00:00:24,210 --> 00:00:30,750
My option of choice is DirBuster, but I do recommend that you write these down and just explore them
8
00:00:30,750 --> 00:00:33,570
for yourself and see which one you like the best.
9
00:00:33,570 --> 00:00:38,280
So I'm going to go ahead and run DirBuster, and I'm going to run it like this, with the ampersand at
10
00:00:38,280 --> 00:00:44,430
the end and it's going to load up this nice little interface.
11
00:00:44,460 --> 00:00:50,220
And what we're gonna do is we're going to say, hey, I want to run against this target URL. I'm going
12
00:00:50,220 --> 00:00:56,740
to go ahead just copy this right here and I'll tap back into it.
13
00:00:57,760 --> 00:00:59,260
And syntax is important.
14
00:00:59,260 --> 00:01:05,090
It's going to want the port 80 at the end. You see the port 80 here with the slash, and we're going to
15
00:01:05,090 --> 00:01:11,950
say go ahead and go faster on these threads, and then we're gonna go ahead and pick a list.
16
00:01:11,950 --> 00:01:21,930
So go ahead and go to browse, and let's go ahead and go to your base folder here, go into your usr
17
00:01:22,070 --> 00:01:32,140
folder, your share, which is right here, and then if you start typing wordlists it'll bring up word
18
00:01:32,140 --> 00:01:33,180
lists right here.
19
00:01:35,030 --> 00:01:37,870
And then you see DirBuster has its own folder right here.
20
00:01:37,900 --> 00:01:45,650
So we're going to select DirBuster, and from here we can pick a variety of different lists.
21
00:01:45,660 --> 00:01:51,270
I like to just use the small list. If I'm not finding anything at all, maybe I'll move up to the medium,
22
00:01:51,300 --> 00:01:56,090
and out on the interweb there is a large list as well.
23
00:01:56,400 --> 00:02:00,780
Let's just go ahead and start with small for proof of concept.
24
00:02:00,970 --> 00:02:03,370
And so now let's break it down.
25
00:02:03,370 --> 00:02:08,140
We kind of talked about it in the last video, but let's just do a quick reminder. What we're doing is
26
00:02:08,140 --> 00:02:13,810
we're going out to web directories and we're using these wordlists, and these wordlists have hundreds
27
00:02:13,810 --> 00:02:18,970
if not thousands of different well known directories.
28
00:02:19,000 --> 00:02:24,880
So it could be something like admin or like cgi-bin, etc.
29
00:02:24,890 --> 00:02:31,210
And so, to go out and try to navigate these, it's also going to look for specific file extensions.
30
00:02:31,240 --> 00:02:38,980
So we know that we're up against an Apache website. Well, Apache runs PHP. If we're up against something
31
00:02:38,980 --> 00:02:46,940
like a Microsoft website, which is, I guess, well, those tend to run something called ASP or ASPX.
32
00:02:47,090 --> 00:02:52,240
And so this is why enumeration is important as well, because we need to know what's running on the back
33
00:02:52,240 --> 00:02:54,780
end to find or make the most use out of it.
34
00:02:54,790 --> 00:02:59,680
Now what we can do with these file extensions, and what I like to do, is I like to run against PHP or
35
00:02:59,680 --> 00:03:06,460
whatever the base of the server is, but I also do like to run something like a text file, something like
36
00:03:06,460 --> 00:03:11,820
a zip file, and you can make this as long as, or yeah, as many as you want.
37
00:03:11,830 --> 00:03:19,690
You could say rar, pdf, docx, but the more of these that you put in there, the more times it's going to
38
00:03:19,690 --> 00:03:24,220
search, because it's going to search through the wordlists and say the wordlist has admin, and it's
39
00:03:24,220 --> 00:03:28,180
going to try admin.pdf or admin.zip.
40
00:03:28,330 --> 00:03:33,610
So it's important to limit these to what you need. For our sake,
41
00:03:33,610 --> 00:03:40,810
I'm going to go ahead and assume PHP, and we're going to just scan with the default results here and just
42
00:03:40,810 --> 00:03:42,720
kind of see what happens.
43
00:03:42,730 --> 00:03:49,690
So go ahead and start that, and this will kick off and start scanning, and it's already finding right
44
00:03:49,690 --> 00:03:54,040
away. It's finding some stuff. You can see the list getting big, and you can go to this results view
45
00:03:54,040 --> 00:04:01,200
where you can see what it's found, and you can also go to this tree view here and see what it's found, and
46
00:04:01,210 --> 00:04:06,790
kind of click in. You can see it's found some potentially interesting files. We can go enumerate these
47
00:04:06,790 --> 00:04:14,060
as well, and it's found a test.php page. You can right-click on these and open in browser, and you can
48
00:04:14,060 --> 00:04:18,370
see that it's found this print test here in page before.
49
00:04:18,890 --> 00:04:23,370
So we can look through some of these pages. We're going to go ahead and just let that go for now. It's going
50
00:04:23,370 --> 00:04:28,850
to take a minute. It could take a while to scan depending on how big your wordlist is, how many
51
00:04:28,850 --> 00:04:35,300
options you choose, and how well your website is cooperating with your scan as well.
52
00:04:35,300 --> 00:04:40,420
So from here I'm going to show you a few more things, so let's go back to our preferences.
53
00:04:40,430 --> 00:04:47,630
If you still have that open, go ahead and go back, and let's go ahead and just go to the settings and
54
00:04:47,630 --> 00:04:51,620
we'll go to our manual configuration, and let's boot up Burp Suite.
55
00:04:54,850 --> 00:04:59,290
And this is just another proof of concept that Burp Suite is your friend, especially when you're looking
56
00:04:59,290 --> 00:05:00,770
at Web sites.
57
00:05:00,910 --> 00:05:03,160
So we're going to utilize it just to take a peek.
58
00:05:03,310 --> 00:05:04,680
I just want to see what's out there.
59
00:05:04,690 --> 00:05:11,080
So we'll go ahead and just hit next and start Burp Suite here on this.
60
00:05:11,260 --> 00:05:12,150
And while we wait.
61
00:05:12,160 --> 00:05:18,250
Another thing that I need to point out is, if this were a website, like a real website instead of a
62
00:05:18,250 --> 00:05:24,040
test page, a very important thing to do is view the source code. So we can right-click in here and
63
00:05:24,040 --> 00:05:28,990
we could say view page source and we can view the source code.
64
00:05:28,990 --> 00:05:34,750
Now what we're looking for in source code are any kind of comments, potentially any kind of information
65
00:05:34,750 --> 00:05:40,870
disclosures. We might be looking for any sort of keys or passwords or user accounts or anything that might
66
00:05:40,870 --> 00:05:44,010
be disclosed in the source code that should not be disclosed.
67
00:05:44,110 --> 00:05:49,990
A lot of times when you do CTFs or you do Hack The Box or VulnHub, they hide little comments in source
68
00:05:49,990 --> 00:05:56,380
code, but from a pentester's point of view we're looking for more important things like the passwords
69
00:05:56,380 --> 00:05:58,350
or keys, etc.
70
00:05:58,480 --> 00:06:06,590
So we've got Burp Suite open, and we're just going to go ahead and intercept one request here, and we're
71
00:06:06,590 --> 00:06:09,790
going to go ahead and just let this forward.
72
00:06:09,980 --> 00:06:12,770
Actually, we'll send this to Repeater. I'm going to show you a little trick.
73
00:06:12,770 --> 00:06:14,570
Go ahead and send this to Repeater.
74
00:06:14,750 --> 00:06:19,760
So you right-click, send to Repeater, and you'll see a Repeater tab opens up here.
75
00:06:19,760 --> 00:06:26,420
Now the neat thing about Repeater is that Repeater will show you your response in real time, and you
76
00:06:26,420 --> 00:06:32,930
can modify these. So you can say, hey, I want to send this here, or you can say something like, I want
77
00:06:32,930 --> 00:06:39,310
to send a POST request maybe, and let that run, and you can see what it says: OK, Method Not Allowed.
78
00:06:39,310 --> 00:06:45,490
So it doesn't like that, but you can send different results, modify what you see here, and see how that
79
00:06:45,490 --> 00:06:46,700
works for us.
80
00:06:46,750 --> 00:06:48,790
Now this is not taking this.
81
00:06:48,790 --> 00:06:49,380
Exactly.
82
00:06:49,450 --> 00:06:52,570
Let's forward and see maybe if we're missing anything and we're not.
83
00:06:52,570 --> 00:06:59,060
So another thing that we can do is we can actually copy this, and what we can do is we go into the Target
84
00:06:59,060 --> 00:07:06,230
here, and we've got the target showing. We could set the scope if we need to.
85
00:07:06,310 --> 00:07:13,180
So we can just, we can go to Scope here, and we can say Add and then paste this in here for HTTP, and we
86
00:07:13,180 --> 00:07:18,800
can do HTTPS for both. Let's just do HTTP, and we'll say yes.
87
00:07:18,940 --> 00:07:24,880
And what this does for us is this limits it to only searching for in-scope items. So we're going to just limit
88
00:07:24,880 --> 00:07:29,830
now, and then we're going to go ahead and look at the response that came back, and you see there's no
89
00:07:29,830 --> 00:07:30,690
response here.
90
00:07:30,940 --> 00:07:32,970
But there is a 304 Not Modified.
91
00:07:32,980 --> 00:07:39,320
And the interesting thing is, look at the Server header. The Server header is disclosing information to
92
00:07:39,320 --> 00:07:40,000
us as well.
93
00:07:40,250 --> 00:07:41,930
And we saw this in the Nikto scan.
94
00:07:41,930 --> 00:07:43,410
It's all coming back around.
95
00:07:43,520 --> 00:07:43,790
Right.
96
00:07:43,790 --> 00:07:49,820
We saw the Nikto scan say Apache 1.3.20, and it pulled down this Server header.
97
00:07:49,820 --> 00:07:51,780
This is why it's so useful.
98
00:07:51,950 --> 00:07:58,640
And this in itself, a screenshot of this right here, is information disclosure as well.
99
00:07:58,640 --> 00:08:05,150
So this client that we're working on has a little bit of an information disclosure problem, and we can
100
00:08:05,150 --> 00:08:12,980
just say information disclosure here, and we'll do something, if I can type disclosure here, and we'll
101
00:08:12,980 --> 00:08:22,760
say something like Server headers disclose version information, and we'll take a screenshot of that, and
102
00:08:22,760 --> 00:08:25,540
we'll put that in our notes as well.
103
00:08:26,660 --> 00:08:30,880
So we're gonna get really deep into Burp Suite once we get to the web app section.
104
00:08:30,890 --> 00:08:34,040
I'd just like to get you utilizing it and familiar with it.
105
00:08:34,040 --> 00:08:38,780
And just so you're comfortable by the time we get there, we're going to use it a few more times when we
106
00:08:38,840 --> 00:08:43,770
talk through network items, and then once we get to the web app it's going to be a lot of Burp Suite.
107
00:08:43,880 --> 00:08:45,890
So we'll get very comfortable with that very quickly.
108
00:08:46,360 --> 00:08:51,250
So let's take another peek at our DirBuster and see how that's working.
109
00:08:51,530 --> 00:08:57,170
And you can see that it still has twenty-three minutes, but I really just want to put you through the
110
00:08:57,170 --> 00:08:58,790
concept of it.
111
00:08:59,030 --> 00:09:05,570
The concept of it here is that we are looking for any sort of interesting directories, and you can
112
00:09:05,570 --> 00:09:08,230
see response codes here as well.
113
00:09:08,300 --> 00:09:15,850
If you've never seen a response code, just know for now that 200s, 200s mean OK. 400s,
114
00:09:15,900 --> 00:09:22,150
I mean there's some sort of error, most typically like a 404 means page not found, and a 300
115
00:09:22,150 --> 00:09:24,020
is typically a redirect.
116
00:09:24,020 --> 00:09:27,190
And then there's 500s, which are like server errors or other.
117
00:09:27,620 --> 00:09:31,760
So what we're going to come in here and do is just kind of peek at these, and we can just kind of open
118
00:09:31,760 --> 00:09:37,730
these and see. Icons, probably nothing interesting. dark has nothing in it right now.
119
00:09:37,730 --> 00:09:43,800
The manual is not going to be that interesting to us, neither is usage. Maybe, maybe usage is interesting.
120
00:09:43,880 --> 00:09:49,130
Open this in the browser, and we can see what's kind of running, and if you have your proxy on,
121
00:09:49,130 --> 00:09:55,290
go ahead and turn your intercept off. You see mine caught there, OK.
122
00:09:55,310 --> 00:10:00,140
And now this is an interesting page here. We can see usage statistics.
123
00:10:00,140 --> 00:10:06,200
And this might give us a little bit of information disclosure, if we're able to access it, at least here.
124
00:10:06,200 --> 00:10:11,900
Well, we can see a couple of things. We see Webalizer version 2.01, so we can copy this and see
125
00:10:11,900 --> 00:10:18,200
if there's anything about this here on this machine that maybe is exploitable, so let's add this here
126
00:10:18,200 --> 00:10:23,600
as Webalizer version 2.01, and we'll just put it like on this usage page.
127
00:10:24,350 --> 00:10:29,510
Now we don't know for sure if this is running out on the web, or if this is just an HTML page that has
128
00:10:29,510 --> 00:10:31,910
been generated by something else.
129
00:10:31,910 --> 00:10:34,830
So we're not certain that it's actually running on this.
130
00:10:34,850 --> 00:10:39,950
It could just be something they have in this usage folder, but it's always good to notate what kind of
131
00:10:39,980 --> 00:10:45,170
items they might be using, and they're utilizing this Webalizer for sure, at least in their network.
132
00:10:45,170 --> 00:10:49,860
Again, this is probably a little bit of information disclosure or information leakage here.
133
00:10:49,910 --> 00:10:53,140
So they've got a consistent problem with that.
134
00:10:53,180 --> 00:10:59,960
So let's go ahead and look more at the results, and MRTG is in here, and we can come through here
135
00:10:59,960 --> 00:11:06,810
and just look, like, what's MRTG? And we can open that in the browser. Says what is MRTG?
136
00:11:06,850 --> 00:11:08,720
This is Multi Router Traffic Grapher.
137
00:11:08,760 --> 00:11:09,630
OK.
138
00:11:09,900 --> 00:11:15,240
And we could scroll through this, read the details, and we can keep going through here, and this could
139
00:11:15,240 --> 00:11:16,760
very well be a rabbit hole.
140
00:11:16,920 --> 00:11:20,090
But this kind of makes sense and there's a web server here.
141
00:11:20,100 --> 00:11:21,340
There's a log file.
142
00:11:21,420 --> 00:11:23,470
Let's view the log file.
143
00:11:23,550 --> 00:11:25,350
Nothing, nothing unique there.
144
00:11:25,350 --> 00:11:27,670
Let's view the web server.
145
00:11:27,740 --> 00:11:29,540
Let's see if it's the same page.
146
00:11:29,690 --> 00:11:34,010
And it's a little bit different, but not, not entirely different.
147
00:11:34,040 --> 00:11:42,490
So it's possible what we're seeing here is what we talked about in part one of this video, which
148
00:11:42,490 --> 00:11:46,470
is that we're seeing the test page is out there.
149
00:11:46,510 --> 00:11:47,950
And why was it out there, right?
150
00:11:47,950 --> 00:11:51,880
Is it poor hygiene? It's still poor hygiene even if they're running a web server.
151
00:11:51,910 --> 00:11:54,430
But they are running a web server here on the back end.
152
00:11:54,610 --> 00:11:58,900
Whether this web server is useful to us or not I really don't know.
153
00:11:58,900 --> 00:12:04,450
So the goal through this is to dig, and this is my challenge for you, is to dig kind of through these
154
00:12:04,540 --> 00:12:06,230
results that you get back.
155
00:12:06,370 --> 00:12:11,670
So wait until your scans finish here and dig through the results.
156
00:12:11,680 --> 00:12:14,230
Look at all these. To me, right now,
157
00:12:14,230 --> 00:12:19,480
it doesn't look that interesting, but again, we haven't fully enumerated. The real enumeration would be
158
00:12:19,480 --> 00:12:23,650
to go through each and every one of these and determine if there's anything of value here.
159
00:12:23,740 --> 00:12:28,150
Is there any sort of service information that could be useful, etc.
160
00:12:28,170 --> 00:12:32,350
So that's where we're at on the web portal at the moment.
161
00:12:32,350 --> 00:12:35,430
Again, as a recap, we have our scan back.
162
00:12:35,440 --> 00:12:35,740
Right.
163
00:12:35,740 --> 00:12:40,520
And we've seen 80 is open and running Apache 1.3.20.
164
00:12:40,600 --> 00:12:42,490
We see 443 has got the same.
165
00:12:42,490 --> 00:12:49,310
We also know about the mod_ssl 2.8.4 and OpenSSL 0.9.6b.
166
00:12:49,330 --> 00:12:53,260
Doesn't hurt to copy this and put this in our notes too, because I think that's pretty useful.
167
00:12:53,260 --> 00:12:54,340
We've got that here.
168
00:12:54,610 --> 00:12:57,370
Let's just go ahead and maybe put something up above.
169
00:12:57,370 --> 00:13:02,940
Just as a note, we ran our Nikto scan and we saved this to our, for our notes.
170
00:13:02,950 --> 00:13:07,450
So when we go write a report we have it ready, and we've got some information here that we've written
171
00:13:07,450 --> 00:13:08,680
down as well.
172
00:13:08,680 --> 00:13:14,560
So it appears that there are some potential vulnerabilities here, but we won't know until we start digging
173
00:13:14,560 --> 00:13:16,940
into Google.
174
00:13:16,960 --> 00:13:17,440
OK.
175
00:13:17,440 --> 00:13:20,500
And that will be very very important.
176
00:13:20,740 --> 00:13:27,520
But we're going to get to that when we start getting into the end of this little series here, and then
177
00:13:27,520 --> 00:13:32,020
we transition into the exploitation part of the series.
178
00:13:32,020 --> 00:13:33,770
We'll work on exploiting these.
179
00:13:33,790 --> 00:13:38,410
So this is just a few tricks on how you can enumerate websites.
180
00:13:38,560 --> 00:13:44,410
And when we're coming through and showing you these ports, and we go over all these ports that we see,
181
00:13:44,970 --> 00:13:50,710
we're going to come across new ports. So when we do pentests, what it comes down to is just having
182
00:13:50,710 --> 00:13:53,260
a methodology. You might discover a new port.
183
00:13:53,620 --> 00:13:57,370
And as long as you have a methodology that's all you need.
184
00:13:57,370 --> 00:14:00,340
So we're going to work on building that methodology.
185
00:14:00,340 --> 00:14:06,100
And you might find other tools for searching websites that you like. You might say, hey, I hate your methods,
186
00:14:06,100 --> 00:14:08,200
or, you know, these tools just work better for me.
187
00:14:08,200 --> 00:14:11,510
And that's absolutely fine as long as you're developing your own methodology.
188
00:14:11,530 --> 00:14:14,610
So just start thinking about when you see a website.
189
00:14:14,650 --> 00:14:19,510
What are the basics that you're looking for when you come across the website? You're looking for service
190
00:14:19,600 --> 00:14:26,080
version information, which we have here. You're looking for any sort of, maybe, back-end directories. You're
191
00:14:26,080 --> 00:14:32,500
looking for source code. You're looking for potential vulnerability scanning with Nikto, and any sort
192
00:14:32,500 --> 00:14:34,690
of information that you can divulge.
193
00:14:34,690 --> 00:14:36,370
Same thing we can come back here.
194
00:14:36,370 --> 00:14:38,530
We talked about it before with Wappalyzer.
195
00:14:38,590 --> 00:14:41,940
You click on Wappalyzer and see a lot of the same things that we saw.
196
00:14:42,070 --> 00:14:43,550
It knows the operating system.
197
00:14:43,570 --> 00:14:47,350
It knows the web server extensions and it knows what's running on the back end.
198
00:14:47,950 --> 00:14:50,690
So there's a lot of useful information here.
199
00:14:50,770 --> 00:14:52,630
And this is all we are after at this point.
200
00:14:52,630 --> 00:14:57,210
We just want to scan and enumerate, and then we're going to dig deep and exploit.
201
00:14:57,790 --> 00:14:59,370
So that is it for this.
202
00:14:59,380 --> 00:15:02,540
We're going to move on to the next port in this section.
203
00:15:02,650 --> 00:15:05,440
We'll do a little bit more enumeration and see what else we can uncover.
204
00:15:05,800 --> 00:15:07,650
So I will catch you over in the next video.