Subtitles for 4. Enumerating HTTP/HTTPS - Part 2

1 00:00:00,150 --> 00:00:06,340 So now we're going to use a tool called DirBuster to do a little bit of directory busting.
2 00:00:06,570 --> 00:00:10,710 There are other tools out there that are similar or do the same thing.
3 00:00:10,710 --> 00:00:12,480 There are two built-in tools.
4 00:00:12,480 --> 00:00:17,130 In fact there's DirBuster and there's also a tool called dirb.
5 00:00:18,000 --> 00:00:21,630 And then there is a tool called Gobuster.
6 00:00:22,680 --> 00:00:24,210 And you have a lot of options.
7 00:00:24,210 --> 00:00:30,750 My option of choice is DirBuster but I do recommend that you write these down and just explore them
8 00:00:30,750 --> 00:00:33,570 for yourself and see which one you like the best.
9 00:00:33,570 --> 00:00:38,280 So I'm going to go ahead and run DirBuster and I'm going to run it like this with the ampersand at
10 00:00:38,280 --> 00:00:44,430 the end and it's going to load up this nice little interface.
11 00:00:44,460 --> 00:00:50,220 And what we're gonna do is we're going to say hey I want to run against this target URL. I'm going
12 00:00:50,220 --> 00:00:56,740 to go ahead, just copy this right here and I'll tab back into it.
13 00:00:57,760 --> 00:00:59,260 And syntax is important.
14 00:00:59,260 --> 00:01:05,090 It's going to want the port 80 at the end. You see the port 80 here with the slash and we're going to
15 00:01:05,090 --> 00:01:11,950 say go ahead and go faster on these threads and then we're gonna go ahead and pick a list.
16 00:01:11,950 --> 00:01:21,930 So go ahead and go to browse and let's go ahead and go to your base folder here, go into your usr
17 00:01:22,070 --> 00:01:32,140 folder, your share which is right here, and then if you start typing wordlists it'll bring up word
18 00:01:32,140 --> 00:01:33,180 lists right here.
19 00:01:35,030 --> 00:01:37,870 And then you see DirBuster has its own folder right here.
20 00:01:37,900 --> 00:01:45,650 So we're going to select DirBuster and from here we can pick a variety of different lists.
21 00:01:45,660 --> 00:01:51,270 I like to just use the small list. If I'm not finding anything at all maybe I'll move up to the medium
22 00:01:51,300 --> 00:01:56,090 and out on the interweb is a large list as well.
23 00:01:56,400 --> 00:02:00,780 Let's just go ahead and start with small for proof of concept.
24 00:02:00,970 --> 00:02:03,370 And so now let's break it down.
25 00:02:03,370 --> 00:02:08,140 We've kind of talked about it in the last video but let's just do a quick reminder. What we're doing is
26 00:02:08,140 --> 00:02:13,810 we're going out to web directories and we're using these wordlists and these wordlists have hundreds
27 00:02:13,810 --> 00:02:18,970 if not thousands of different well-known directories.
28 00:02:19,000 --> 00:02:24,880 So it could be something like admin or like cgi-bin etc.
29 00:02:24,890 --> 00:02:31,210 And so to go out and try to navigate these it's also going to look for specific file extensions.
30 00:02:31,240 --> 00:02:38,980 So we know that we're up against an Apache website. Well Apache runs PHP. If we're up against something
31 00:02:38,980 --> 00:02:46,940 like a Microsoft website which is I guess, well those tend to run something called ASP or ASPX.
32 00:02:47,090 --> 00:02:52,240 And so this is why enumeration is important as well because we need to know what's running on the back
33 00:02:52,240 --> 00:02:54,780 end to find or make the most use out of it.
34 00:02:54,790 --> 00:02:59,680 Now what we can do with these file extensions and what I like to do is I like to run against PHP or
35 00:02:59,680 --> 00:03:06,460 whatever the base of the server is but I also do like to run something like a text file, something like
36 00:03:06,460 --> 00:03:11,820 a zip file, and you can make this as long as, or yeah, as many as you want.
37 00:03:11,830 --> 00:03:19,690 You could say rar, pdf, docx but the more of these that you put in there the more times it's going to
38 00:03:19,690 --> 00:03:24,220 search because it's going to search through the wordlists and say the wordlist has admin and it's
39 00:03:24,220 --> 00:03:28,180 going to try admin.pdf or admin.zip.
40 00:03:28,330 --> 00:03:33,610 So it's important to limit these to what you need. For our sake
41 00:03:33,610 --> 00:03:40,810 I'm going to go ahead and assume PHP and we're going to just scan with the default results here and just
42 00:03:40,810 --> 00:03:42,720 kind of see what happens.
43 00:03:42,730 --> 00:03:49,690 So go ahead and start that and this will kick off and start scanning and it's already finding right
44 00:03:49,690 --> 00:03:54,040 away, it's finding some stuff. You could see the list getting big and you can go to this results view
45 00:03:54,040 --> 00:04:01,200 or you can see what it's found and you can also go to this tree view here and see what it's found and
46 00:04:01,210 --> 00:04:06,790 kind of click in. You could see it's found some potentially interesting files, we can go enumerate these
47 00:04:06,790 --> 00:04:14,060 as well and it's found a test.php page. You can right click on these and open in browser and you can
48 00:04:14,060 --> 00:04:18,370 see that it's found this print test here in page before.
49 00:04:18,890 --> 00:04:23,370 So we can look through some of these pages. We're going to go ahead and just let that go for now. It's going
50 00:04:23,370 --> 00:04:28,850 to take a minute, it could take up to a while to scan depending on how big your wordlist is, how many
51 00:04:28,850 --> 00:04:35,300 options you choose and how well your website is cooperating with your scan as well.
52 00:04:35,300 --> 00:04:40,420 So from here I'm going to show you a few more things so let's go back to our preferences.
53 00:04:40,430 --> 00:04:47,630 If you still have that open go ahead and go back and let's go ahead and just go to the settings and
54 00:04:47,630 --> 00:04:51,620 we'll go to our manual configuration and let's boot up Burp Suite
55 00:04:54,850 --> 00:04:59,290 and this is just another proof of concept that Burp Suite is your friend especially when you're looking
56 00:04:59,290 --> 00:05:00,770 at websites.
57 00:05:00,910 --> 00:05:03,160 So we're going to utilize it just to take a peek.
58 00:05:03,310 --> 00:05:04,680 I just want to see what's out there.
59 00:05:04,690 --> 00:05:11,080 So we'll go ahead and just hit next and start Burp Suite here on this.
60 00:05:11,260 --> 00:05:12,150 And while we wait.
61 00:05:12,160 --> 00:05:18,250 Another thing that I need to point out is if this were a website, like a real website instead of a
62 00:05:18,250 --> 00:05:24,040 test page, a very important thing to do is view the source code. So we can right click in here and
63 00:05:24,040 --> 00:05:28,990 we could say view page source and we can view the source code.
64 00:05:28,990 --> 00:05:34,750 Now what we're looking for in source code are any kind of comments, potentially any kind of information
65 00:05:34,750 --> 00:05:40,870 disclosures. We might be looking for any sort of keys or passwords or user accounts or anything that might
66 00:05:40,870 --> 00:05:44,010 be disclosed in the source code that should not be disclosed.
67 00:05:44,110 --> 00:05:49,990 A lot of times when you do CTF or you do Hack The Box or VulnHub they hide little comments in source
68 00:05:49,990 --> 00:05:56,380 code but from a pen test point of view we're looking for more important things like the passwords
69 00:05:56,380 --> 00:05:58,350 or keys etc.
70 00:05:58,480 --> 00:06:06,590 So we've got Burp Suite open and we're just going to go ahead and intercept one request here and we're
71 00:06:06,590 --> 00:06:09,790 going to go ahead and just let this forward.
72 00:06:09,980 --> 00:06:12,770 Actually we'll send this to Repeater. I'm going to show you a little trick.
73 00:06:12,770 --> 00:06:14,570 Go ahead and send this to Repeater.
74 00:06:14,750 --> 00:06:19,760 So you right click, send to Repeater and you'll see a Repeater tab opens up here.
75 00:06:19,760 --> 00:06:26,420 Now the neat thing about Repeater is that Repeater will show you your response in real time and you
76 00:06:26,420 --> 00:06:32,930 can modify these so you can say hey I want to send this here or you can say something like I want
77 00:06:32,930 --> 00:06:39,310 to send a POST request maybe and let that run and you could see what it says: OK, method not allowed.
78 00:06:39,310 --> 00:06:45,490 So it doesn't like that but you can send different results, modify what you see here and see how that
79 00:06:45,490 --> 00:06:46,700 works for us.
80 00:06:46,750 --> 00:06:48,790 Now this is not taking this.
81 00:06:48,790 --> 00:06:49,380 Exactly.
82 00:06:49,450 --> 00:06:52,570 Let's forward and see maybe if we're missing anything, and we're not.
83 00:06:52,570 --> 00:06:59,060 So another thing that we can do is we can actually copy this and what we can do is we go into the target
84 00:06:59,060 --> 00:07:06,230 here and we've got the target showing. We could set the scope if we need to.
85 00:07:06,310 --> 00:07:13,180 So we can just, we can go to scope here and we can say add and then paste this in here for HTTP and we
86 00:07:13,180 --> 00:07:18,800 can do HTTPS for both, so HTTPS, and we'll say yes.
87 00:07:18,940 --> 00:07:24,880 And what this does for us is this limits only searching for in-scope items so we're going to just limit
88 00:07:24,880 --> 00:07:29,830 now and then we're going to go ahead and look at the response that came back and you see there's no
89 00:07:29,830 --> 00:07:30,690 response here.
90 00:07:30,940 --> 00:07:32,970 But there is a 304 Not Modified.
91 00:07:32,980 --> 00:07:39,320 And the interesting thing is look at the server header. The server header is disclosing information to
92 00:07:39,320 --> 00:07:40,000 us as well.
93 00:07:40,250 --> 00:07:41,930 And we saw this in the Nikto scan.
94 00:07:41,930 --> 00:07:43,410 It's all coming back around.
95 00:07:43,520 --> 00:07:43,790 Right.
96 00:07:43,790 --> 00:07:49,820 We saw the Nikto scan say Apache 1.3.20 and it pulled down this server header.
97 00:07:49,820 --> 00:07:51,780 This is why it's so useful.
98 00:07:51,950 --> 00:07:58,640 And this in itself, a screenshot of this right here, is information disclosure as well.
99 00:07:58,640 --> 00:08:05,150 So this client that we're working on has a little bit of information disclosure problems and we can
100 00:08:05,150 --> 00:08:12,980 just say information disclosure here and we'll do something, if I can type, disclosure here and we'll
101 00:08:12,980 --> 00:08:22,760 say something like server headers disclose version information and we'll take a screenshot of that and
102 00:08:22,760 --> 00:08:25,540 we'll put that in our notes as well.
103 00:08:26,660 --> 00:08:30,880 So we're gonna get really deep into Burp Suite once we get to the web app section.
104 00:08:30,890 --> 00:08:34,040 I'd just like to get you utilizing it and familiar with it.
105 00:08:34,040 --> 00:08:38,780 And just so you're comfortable by the time we get there we're going to use it a few more times when we
106 00:08:38,840 --> 00:08:43,770 talk through network items and then once we get to the web app it's going to be a lot of Burp Suite.
107 00:08:43,880 --> 00:08:45,890 So we'll get very comfortable with that very quick.
108 00:08:46,360 --> 00:08:51,250 So let's take another peek at our DirBuster and see how that's working.
109 00:08:51,530 --> 00:08:57,170 And you could see that it still has twenty three minutes but I really just want to put you through the
110 00:08:57,170 --> 00:08:58,790 concept of it.
111 00:08:59,030 --> 00:09:05,570 The concept of it here is that we are looking for any sort of interesting directories and you could
112 00:09:05,570 --> 00:09:08,230 see response codes here as well.
113 00:09:08,300 --> 00:09:15,850 If you've never seen a response code just know for now that 200s, 200s mean OK. 400s,
114 00:09:15,900 --> 00:09:22,150 I mean there's some sort of error, most typically like a 404 means page not found, and a 300
115 00:09:22,150 --> 00:09:24,020 is typically a redirect.
116 00:09:24,020 --> 00:09:27,190 And then there's 500 which are like server errors or other.
117 00:09:27,620 --> 00:09:31,760 So what we're going to come in here and do is just kind of peek at these and we can just kind of open
118 00:09:31,760 --> 00:09:37,730 these and see. Icons, probably nothing interesting. Dark has nothing in it right now.
119 00:09:37,730 --> 00:09:43,800 The manual is not going to be that interesting to us, neither is usage. Maybe, maybe usage is interesting.
120 00:09:43,880 --> 00:09:49,130 Open this in the browser and we can see what's kind of running and if you have your proxy on,
121 00:09:49,130 --> 00:09:55,290 go ahead and turn your intercept off. You see mine caught there, OK.
122 00:09:55,310 --> 00:10:00,140 And now this is an interesting page here, we can see usage statistics.
123 00:10:00,140 --> 00:10:06,200 And this might give us a little bit of information disclosure for being able to access it at least here.
124 00:10:06,200 --> 00:10:11,900 Well we can see a couple of things. We see Webalizer version 2.01 so we can copy this and see
125 00:10:11,900 --> 00:10:18,200 if there's anything about this here on this machine that maybe is exploitable so let's add this here
126 00:10:18,200 --> 00:10:23,600 as Webalizer version 2.01 and we'll just put it like on this usage.html.
127 00:10:24,350 --> 00:10:29,510 Now we don't know for sure if this is running out on the web or this is just an HTML page that has
128 00:10:29,510 --> 00:10:31,910 been generated by something else.
129 00:10:31,910 --> 00:10:34,830 So not for certain that it's actually running on this.
130 00:10:34,850 --> 00:10:39,950 It could just be something they have in this usage folder but it's always good to notate what kind of
131 00:10:39,980 --> 00:10:45,170 items they might be using and they're utilizing this Webalizer for sure at least in their network.
132 00:10:45,170 --> 00:10:49,860 Again this is probably a little bit of information disclosure or information leakage here.
133 00:10:49,910 --> 00:10:53,140 So they've got a consistent problem with that.
134 00:10:53,180 --> 00:10:59,960 So let's go ahead and look more at the results and MRTG is in here and we can come through here
135 00:10:59,960 --> 00:11:06,810 and just look like what's MRTG and we can open that in the browser. It says what is it, MRTG.
136 00:11:06,850 --> 00:11:08,720 This is Multi Router Traffic Grapher.
137 00:11:08,760 --> 00:11:09,630 OK.
138 00:11:09,900 --> 00:11:15,240 And we could scroll through this, read the details and we can keep going through here and this could
139 00:11:15,240 --> 00:11:16,760 very well be a rabbit hole.
140 00:11:16,920 --> 00:11:20,090 But this kind of makes sense and there's a web server here.
141 00:11:20,100 --> 00:11:21,340 There's a log file.
142 00:11:21,420 --> 00:11:23,470 Let's view the log file.
143 00:11:23,550 --> 00:11:25,350 Nothing, nothing unique there.
144 00:11:25,350 --> 00:11:27,670 Let's view the web server.
145 00:11:27,740 --> 00:11:29,540 Let's see if it's the same page.
146 00:11:29,690 --> 00:11:34,010 And it's a little bit different but not, not entirely different.
147 00:11:34,040 --> 00:11:42,490 So it's possible what we're seeing here is that what we talked about in part one of this video which
148 00:11:42,490 --> 00:11:46,470 is that we're seeing the test page is out there.
149 00:11:46,510 --> 00:11:47,950 And why was it out there, right?
150 00:11:47,950 --> 00:11:51,880 Is it poor hygiene? It's still poor hygiene even if they're running a web server.
151 00:11:51,910 --> 00:11:54,430 But they are running a web server here on the back end.
152 00:11:54,610 --> 00:11:58,900 Whether this web server is useful to us or not I really don't know.
153 00:11:58,900 --> 00:12:04,450 So the goal through this is to dig and this is my challenge for you, is to dig kind of through these
154 00:12:04,540 --> 00:12:06,230 results that you get back.
155 00:12:06,370 --> 00:12:11,670 So wait until your scans finish here and dig through the results.
156 00:12:11,680 --> 00:12:14,230 Look at all these. To me right now
157 00:12:14,230 --> 00:12:19,480 it doesn't look that interesting but again we haven't fully enumerated. The real enumeration would be
158 00:12:19,480 --> 00:12:23,650 to go through each and every one of these and determine if there's anything of value here.
159 00:12:23,740 --> 00:12:28,150 Is there any sort of service information that could be useful etc.
160 00:12:28,170 --> 00:12:32,350 So that's where we're at on the web portal at the moment.
161 00:12:32,350 --> 00:12:35,430 Again as a recap we have our scan back.
162 00:12:35,440 --> 00:12:35,740 Right.
163 00:12:35,740 --> 00:12:40,520 And we've seen 80 is open and running Apache 1.3.20.
164 00:12:40,600 --> 00:12:42,490 We see 443 has got the same.
165 00:12:42,490 --> 00:12:49,310 We also know about the mod_ssl 2.8.4 and OpenSSL 0.9.6b.
166 00:12:49,330 --> 00:12:53,260 Doesn't hurt to copy this and put this in our notes too because I think that's pretty useful.
167 00:12:53,260 --> 00:12:54,340 We've got that here.
168 00:12:54,610 --> 00:12:57,370 Let's just go ahead and maybe put something up above.
169 00:12:57,370 --> 00:13:02,940 Just as a note, and we ran our Nikto scan and we saved this to our, for our notes.
170 00:13:02,950 --> 00:13:07,450 So when we go write a report we have it ready and we've got some information here that we've written
171 00:13:07,450 --> 00:13:08,680 down as well.
172 00:13:08,680 --> 00:13:14,560 So it appears that there are some potential vulnerabilities here but we won't know until we start digging
173 00:13:14,560 --> 00:13:16,940 into Google.
174 00:13:16,960 --> 00:13:17,440 OK.
175 00:13:17,440 --> 00:13:20,500 And that will be very, very important.
176 00:13:20,740 --> 00:13:27,520 But we're going to get to that when we start getting into the end of this little series here and then
177 00:13:27,520 --> 00:13:32,020 we transition into the exploitation part of the series.
178 00:13:32,020 --> 00:13:33,770 We'll work on exploiting these.
179 00:13:33,790 --> 00:13:38,410 So this is just a few tricks on how you can enumerate websites.
180 00:13:38,560 --> 00:13:44,410 And when we're coming through and showing you these ports and we go over all these ports that we see
181 00:13:44,970 --> 00:13:50,710 we're going to come across new ports so when we do pen tests and what it comes down to is just having
182 00:13:50,710 --> 00:13:53,260 a methodology. You might discover a new port.
183 00:13:53,620 --> 00:13:57,370 And as long as you have a methodology that's all you need.
184 00:13:57,370 --> 00:14:00,340 So we're going to work on building that methodology.
185 00:14:00,340 --> 00:14:06,100 And you might find other tools for searching websites that you like. You might say hey I hate your methods
186 00:14:06,100 --> 00:14:08,200 or you know these tools just work better for me.
187 00:14:08,200 --> 00:14:11,510 And that's absolutely fine as long as you're developing your own methodology.
188 00:14:11,530 --> 00:14:14,610 So just start thinking about when you see a website.
189 00:14:14,650 --> 00:14:19,510 What are the basics that you're looking for when you come across the website? You're looking for service
190 00:14:19,600 --> 00:14:26,080 version information which we have here, you're looking for any sort of maybe back end directories, you're
191 00:14:26,080 --> 00:14:32,500 looking for source code, you're looking for potential vulnerability scanning with Nikto and any sort
192 00:14:32,500 --> 00:14:34,690 of information that you can divulge.
193 00:14:34,690 --> 00:14:36,370 Same thing we can come back here.
194 00:14:36,370 --> 00:14:38,530 We talked about it before with Wappalyzer.
195 00:14:38,590 --> 00:14:41,940 You click on Wappalyzer and see a lot of the same things that we saw.
196 00:14:42,070 --> 00:14:43,550 It knows the operating system.
197 00:14:43,570 --> 00:14:47,350 It knows the web server extensions and it knows what's running on the back end.
198 00:14:47,950 --> 00:14:50,690 So there's a lot of useful information here.
199 00:14:50,770 --> 00:14:52,630 And this is all we are after at this point.
200 00:14:52,630 --> 00:14:57,210 We just want to scan and enumerate and then we're going to dig deep and exploit.
201 00:14:57,790 --> 00:14:59,370 So that is it for this.
202 00:14:59,380 --> 00:15:02,540 We're going to move on to the next port in this section.
203 00:15:02,650 --> 00:15:05,440 We'll do a little bit more enumeration, see what else we can uncover.
204 00:15:05,800 --> 00:15:07,650 So I will catch you over in the next video.
