1 00:00:00,480 --> 00:00:01,200 Welcome back.
2 00:00:01,560 --> 00:00:09,180 And in this video, I want to talk about another thing that we already covered, and that is enumeration
3 00:00:09,180 --> 00:00:11,030 and information gathering.
4 00:00:11,790 --> 00:00:16,050 So this is a step that you also shouldn't skip when attacking websites.
5 00:00:16,800 --> 00:00:18,640 We already covered information gathering.
6 00:00:18,750 --> 00:00:25,650 So this video is more like something as a refresher, just so you know which tools you can use to enumerate
7 00:00:25,650 --> 00:00:27,850 and to scan different websites.
8 00:00:28,620 --> 00:00:31,610 So for this section, we're going to be using Metasploitable.
9 00:00:31,620 --> 00:00:34,640 Most of the time we're going to attack some different targets.
10 00:00:34,650 --> 00:00:40,300 But for the start, we're attacking Metasploitable, so make sure that this is up and running.
11 00:00:40,320 --> 00:00:47,300 I also ran the ifconfig command and it gave me the IP address of 192.168.1.8.
12 00:00:47,970 --> 00:00:55,650 So the first thing that we can do is try to visit the web page of that IP address just to see what we
13 00:00:55,650 --> 00:00:55,980 have.
14 00:00:56,550 --> 00:00:59,940 And to do that, we can open our Firefox.
15 00:01:01,750 --> 00:01:07,630 And remember that once we attacked Metasploitable, we said that we are going to attack port 80 later in
16 00:01:07,630 --> 00:01:11,980 the course. Now that time has come; we are going to attack port 80.
17 00:01:12,190 --> 00:01:16,840 And once again, we're attacking port 80 because it hosts a page.
18 00:01:17,500 --> 00:01:23,410 If I visit this IP address of my Metasploitable, it will open this page right here.
19 00:01:24,100 --> 00:01:28,600 It tells us the warning, the contact and the login to get started.
20 00:01:29,230 --> 00:01:31,240 But down here we get a couple of links.
21 00:01:31,510 --> 00:01:37,150 If we go to any one of them, it will lead us to a different directory of this web page.
22 00:01:37,300 --> 00:01:40,330 Currently, we are in this dav directory.
23 00:01:41,300 --> 00:01:47,510 If I go to the parent directory, it will go back to 192.168.1.8, which is the main
24 00:01:47,750 --> 00:01:56,060 or the parent directory. If I go and visit DVWA, it will lead me to this directory right here,
25 00:01:56,060 --> 00:01:58,580 which is a login.
26 00:02:00,200 --> 00:02:07,880 And this file hosts a login form, so we get a username and password to input.
27 00:02:08,750 --> 00:02:15,080 If we take a look at this web page a little more closely, we can see down here that it tells us the default
28 00:02:15,080 --> 00:02:18,060 username is admin with password password.
29 00:02:18,620 --> 00:02:21,080 So for now, we're not going to brute force this.
30 00:02:21,080 --> 00:02:25,760 We're just going to log in so we can see what we have behind this login form.
31 00:02:26,600 --> 00:02:27,740 And here it is.
32 00:02:28,310 --> 00:02:33,710 We got DVWA, or, as we can see right here, it has this name.
33 00:02:34,340 --> 00:02:40,030 We get a warning, a disclaimer, and here we get a bunch of different attacks that we can perform.
34 00:02:40,460 --> 00:02:44,920 Remember, we talked about XSS, we talked about SQL injection.
35 00:02:44,930 --> 00:02:47,660 We also mentioned brute force and command injection.
36 00:02:47,930 --> 00:02:53,420 And these pages are pages where we can practice these types of attacks.
37 00:02:54,490 --> 00:03:01,840 All of them are stored in a separate directory. Now we can go about discovering all the directories on
38 00:03:01,840 --> 00:03:07,270 a website like this, or we can use different tools to automate this process.
39 00:03:07,840 --> 00:03:13,660 So to enumerate and to gather as much information as you can about the website, you can use the tools
40 00:03:13,660 --> 00:03:20,140 that we already covered, such as theHarvester to gather emails, or WhatWeb to discover the website
41 00:03:20,140 --> 00:03:22,400 technologies, and all of them we already covered.
42 00:03:22,420 --> 00:03:24,310 We're not going to do that once again.
43 00:03:24,580 --> 00:03:30,050 But there is another cool tool that you can use to discover directories, and that tool is called dirb.
44 00:03:30,910 --> 00:03:33,870 dirb is already installed in Kali Linux by default.
45 00:03:33,880 --> 00:03:40,440 So all we need to do is to type dirb and we will get the help menu for this specific tool.
46 00:03:41,260 --> 00:03:47,320 We get a bunch of options, as we can see right here, but also down here we get the examples of usage
47 00:03:47,320 --> 00:03:48,640 of this tool.
48 00:03:49,900 --> 00:03:56,260 So the most simple test, as it says in the brackets, would be just specifying dirb and then the link
49 00:03:56,260 --> 00:03:58,000 to the web page that we want to scan.
50 00:03:58,810 --> 00:04:04,720 If I go up here, we can also see that we can specify a different wordlist, but I believe dirb has a
51 00:04:04,720 --> 00:04:06,370 default wordlist that it uses.
52 00:04:06,400 --> 00:04:09,250 So we're just going to go with that one instead.
53 00:04:09,280 --> 00:04:12,670 So if I type dirb and then 192.168
54 00:04:12,670 --> 00:04:13,000 .1
55 00:04:13,000 --> 00:04:13,570 .8.
56 00:04:15,830 --> 00:04:23,090 Invalid URL, so we must specify dirb and then http://192.168.1
57 00:04:23,090 --> 00:04:23,670 .8.
58 00:04:23,990 --> 00:04:26,240 So this is how we must specify a link.
59 00:04:26,480 --> 00:04:33,030 If I press enter, it will go and search for different subdirectories inside of that web page.
60 00:04:33,740 --> 00:04:38,000 If I scroll a little bit up, we can also see it managed to find some of them.
61 00:04:38,390 --> 00:04:48,640 It found index, index.php, phpinfo, test, twiki.
62 00:04:48,650 --> 00:04:55,180 And if I go all the way down, we should be able to find even more subdirectories on that web page.
63 00:04:55,550 --> 00:04:59,370 And right here we might be able to find something interesting.
64 00:04:59,390 --> 00:05:02,570 For example, we can go and visit any one of them.
65 00:05:02,930 --> 00:05:09,380 Let's visit robots.txt. If I copy the link, go up here, paste the link.
66 00:05:10,780 --> 00:05:13,340 Hmm, we get something right here.
67 00:05:13,420 --> 00:05:18,040 User-agent, Disallow. We already know what User-Agent is.
68 00:05:18,160 --> 00:05:21,060 It is a field inside of the HTTP requests.
69 00:05:21,940 --> 00:05:24,220 Let's also see what else we managed to discover.
70 00:05:25,770 --> 00:05:30,960 We got test, twiki, phpMyAdmin.
71 00:05:31,950 --> 00:05:32,970 That could be useful.
72 00:05:32,970 --> 00:05:34,850 Let's check out what this is.
73 00:05:35,400 --> 00:05:40,770 You never know; anything that you find particularly useful or interesting you might want to check out
74 00:05:41,070 --> 00:05:42,660 by visiting that page.
75 00:05:43,350 --> 00:05:47,310 And this seems to be some file with the code.
76 00:05:48,510 --> 00:05:51,020 So let's go and check out something else.
77 00:05:52,990 --> 00:05:56,420 And it seems that there is a directory called passwd.
78 00:05:56,800 --> 00:05:58,300 Let's see what this is.
79 00:05:59,990 --> 00:06:03,200 If I copy that as well, go and paste it.
80 00:06:04,300 --> 00:06:09,730 Missing fields filled with marker required, please go back in your browser and try again.
81 00:06:10,690 --> 00:06:11,920 Topic webcams.
82 00:06:11,920 --> 00:06:17,830 So it seems that this page is missing some fields. Right now, we don't really know what this is all
83 00:06:17,830 --> 00:06:23,980 about, but by visiting this we discover more and more pages that we might not be able to find when
84 00:06:23,980 --> 00:06:26,080 browsing through the page on our own.
85 00:06:27,440 --> 00:06:33,560 Now, right here, we can also notice some other information that we get on the side besides these links,
86 00:06:33,770 --> 00:06:35,060 and that is the code.
87 00:06:35,600 --> 00:06:40,880 And if you remember, this code is simply just the status code, which tells us whether it managed to
88 00:06:40,880 --> 00:06:41,530 load the page.
89 00:06:41,840 --> 00:06:48,020 Right now, we get the code 200 for most of these pages; sometimes we will get a code like three or
90 00:06:48,020 --> 00:06:51,620 four, which means that the page gets redirected to a different page.
91 00:06:52,100 --> 00:06:58,370 And at the right, we also get the size of that specific page, which is not something that we are currently
92 00:06:58,370 --> 00:06:59,080 interested in.
93 00:06:59,090 --> 00:07:02,420 But you also get that information if you want to see it.
94 00:07:03,370 --> 00:07:09,220 We can see other links as well, and you would go about visiting any link right here that you find interesting.
95 00:07:10,530 --> 00:07:18,450 So let's go down, and it seems that it found 56 links, but that is only with this specific wordlist.
96 00:07:19,050 --> 00:07:23,250 It also downloads... I believe it downloads the contents, but I'm not really sure about that.
97 00:07:23,550 --> 00:07:29,850 However, what you can do is, if you're not satisfied with the results from this dirb directory, you
98 00:07:29,850 --> 00:07:32,460 can specify your own wordlist if you want.
99 00:07:33,210 --> 00:07:36,060 Nonetheless, this is not that important a tool for us.
100 00:07:36,420 --> 00:07:41,070 However, you can use it if you'd like, and you can combine it with different tools that we covered
101 00:07:41,070 --> 00:07:46,900 for the information gathering to gather as much information about the specific website. Now, since we
102 00:07:47,040 --> 00:07:48,520 covered information gathering,
103 00:07:48,540 --> 00:07:50,610 I'm not going to go into those different tools.
104 00:07:50,850 --> 00:07:56,070 You can also try finding new tools from GitHub or somewhere else, and you can experiment with those
105 00:07:56,070 --> 00:07:56,890 tools as well.
106 00:07:57,510 --> 00:08:03,780 But right now, what we are going to do in the next video is we're going to configure a really important
107 00:08:03,780 --> 00:08:05,760 tool that is called Burp Suite.
108 00:08:06,120 --> 00:08:10,380 And as soon as we do that, we're ready to perform our first attack.
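The video reads dirb's output by status code (200 for a page that loaded, 3xx for a redirect). The same wordlist scan shows up on the server side as a burst of 404s from one client in the web server's access log, with a few 200/3xx entries for the paths the scanner actually found. As an added example that is not part of the course, here is a small Python detector run over constructed Apache-style log lines; the IP addresses, wordlist, paths and the 10-in-60-seconds threshold are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-log fields we use: client IP, timestamp, request path, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    # Returns (ip, timestamp, path, status) or None for an unparsable line.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))

def detect_dir_bruteforce(log_text, window=timedelta(seconds=60), threshold=10):
    # Flag IPs whose 404 count inside any `window` reaches `threshold`, and list
    # the paths that answered 200/3xx/403 for them (what the scanner "found").
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec[0]].append(rec[1:])
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort()
        misses = [ts for ts, _, status in recs if status == 404]
        start, peak = 0, 0
        for end, ts in enumerate(misses):  # sliding window over 404 timestamps
            while ts - misses[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits = sorted({p for _, p, s in recs if s in (200, 403) or 300 <= s < 400})
            alerts[ip] = {"max_404_in_window": peak, "discovered": hits}
    return alerts

# Constructed sample log (not real traffic): a browsing user on 10.0.0.5 and a
# wordlist scanner on 10.0.0.9 that gets mostly 404s plus a few hits.
def _line(ip, sec, path, status):
    return (f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 286 "-" "Mozilla/5.0"')

WORDLIST = ["admin", "backup", "cgi", "config", "dav", "db", "images", "js", "old", "tmp", "upload"]
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", 1, "/", 200), _line("10.0.0.5", 30, "/dvwa/login.php", 200)]
    + [_line("10.0.0.9", 3 + i, "/" + w, 404) for i, w in enumerate(WORDLIST)]
    + [_line("10.0.0.9", 15, "/index.php", 200), _line("10.0.0.9", 16, "/robots.txt", 200),
       _line("10.0.0.9", 17, "/phpMyAdmin", 301)]
)
```

Calling `detect_dir_bruteforce(SAMPLE_LOG)` flags only 10.0.0.9, with the three paths the scanner hit; a scanner that throttles below the threshold needs a longer window or a lower threshold to be caught.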