1 00:00:01,160 --> 00:00:08,450 Now, once we get the authoritative DNS server address by using whois, we can identify any additional
2 00:00:08,450 --> 00:00:12,710 hosts in the domain such as FTP server, mail server and so on.
3 00:00:14,280 --> 00:00:19,040 If there are any other services in this domain, we can also extract information from them.
4 00:00:20,430 --> 00:00:26,130 Now, another way to discover subdomains and hosts is to query search engines.
5 00:00:27,930 --> 00:00:29,850 And then you can compare the results.
6 00:00:31,370 --> 00:00:39,010 OK, so here you might be confused about hosts and subdomains, so let me give you a quick explanation.
7 00:00:40,690 --> 00:00:49,360 If you think of the address x.example.com, now x is a subdomain of example.com.
8 00:00:50,650 --> 00:00:59,710 And x.example.com can be a host if it is connected to an IP address and resolves to a computer
9 00:01:00,040 --> 00:01:02,980 when one goes to x.example.com.
10 00:01:04,330 --> 00:01:13,780 So anyway, there are multiple ways to extract additional host and subdomain information, so that means
11 00:01:13,780 --> 00:01:18,520 there's lots of tools out there for us to use for this purpose.
12 00:01:18,820 --> 00:01:27,280 And I'm going to use two tools that are already present in Kali: fierce and theHarvester. Now, fierce is
13 00:01:27,280 --> 00:01:28,660 a really cool tool.
14 00:01:29,230 --> 00:01:32,820 Basically, it uses brute force methods to get subdomains.
15 00:01:33,040 --> 00:01:39,580 Also, after it finds a valid host, it then performs a reverse lookup to uncover additional hosts.
16 00:01:39,760 --> 00:01:41,900 And here are the options for fierce.
17 00:01:42,520 --> 00:01:50,860 OK, so first we're going to run a basic scan, so type fierce -dns google.com -threads
18 00:01:50,860 --> 00:02:00,790 10 -file /root/Desktop/googleinfo.txt and hit enter.
19 00:02:02,490 --> 00:02:07,110 So the -dns parameter specifies the domain that you want to scan.
20 00:02:08,230 --> 00:02:11,410 So in our example, it is google.com.
21 00:02:12,930 --> 00:02:17,970 By default, fierce runs in single thread mode, so because of this
22 00:02:19,000 --> 00:02:22,390 I can add the -threads parameter to increase the speed.
23 00:02:23,950 --> 00:02:31,390 So that makes the scan run faster, and then the final parameter helps us to save the results to a file.
24 00:02:33,270 --> 00:02:35,700 Now, while scanning the hosts or subdomains,
25 00:02:36,920 --> 00:02:38,120 what happens in the background?
26 00:02:39,000 --> 00:02:46,110 So fierce first tries to find the DNS servers for the target domain.
27 00:02:48,480 --> 00:02:53,640 Then next, as I'm showing you on the screen, it attempts to do a zone transfer.
28 00:02:55,060 --> 00:02:59,740 Now, at this point, if a zone transfer is successful, fierce will stop running.
29 00:03:00,750 --> 00:03:04,800 And then you can take that information that you got from the zone transfer.
30 00:03:06,400 --> 00:03:15,490 Now, if the zone transfer fails, as it has in our scan, it checks if wildcard DNS is enabled.
31 00:03:16,600 --> 00:03:22,150 And then it performs a brute force against the domain using its built-in wordlist.
32 00:03:23,800 --> 00:03:25,570 OK, so now the scan is complete.
33 00:03:27,060 --> 00:03:34,590 And as you can see, once the scan is finished, the found subdomains and discovered subnets are listed.
34 00:03:35,700 --> 00:03:38,640 We can also view and save the file.
35 00:03:39,610 --> 00:03:45,130 But the content is not that different, in fact, it is not different at all from the output on our screen,
36 00:03:45,790 --> 00:03:46,930 it just makes it convenient.
37 00:03:47,790 --> 00:03:51,750 And by default, fierce uses its own built-in wordlist.
38 00:03:53,200 --> 00:04:02,380 But it also provides the ability to use a custom wordlist that you can build, and sometimes different
39 00:04:02,380 --> 00:04:05,380 wordlists can uncover new subdomains.
40 00:04:06,700 --> 00:04:09,770 So the second tool is theHarvester.
41 00:04:10,570 --> 00:04:17,140 It is another subdomain scanner and it gathers public information such as employee names, emails,
42 00:04:17,150 --> 00:04:20,310 subdomains, banners and other similar information.
43 00:04:21,910 --> 00:04:24,690 For now, we're just going to deal with subdomains and hosts.
44 00:04:25,870 --> 00:04:28,210 And type theharvester.
45 00:04:29,530 --> 00:04:31,330 And you'll see the options.
46 00:04:32,640 --> 00:04:35,910 Now, it's quite easy to use this tool, so let's just run it quickly.
47 00:04:38,110 --> 00:04:42,310 Type theharvester -d and the domain that you want to search.
48 00:04:43,050 --> 00:04:45,430 So in my case, of course, it's google.com.
49 00:04:46,940 --> 00:04:53,470 It might be strange because I will be using Bing to search for google.com.
50 00:04:55,680 --> 00:05:03,030 But by using the -b parameter, you can provide a data source. The -l parameter limits the search output.
51 00:05:03,690 --> 00:05:09,830 So theHarvester will analyze the first 500 search results of Bing about google.com.
52 00:05:10,590 --> 00:05:15,810 And finally, the -f parameter helps us to save the result to a file.
53 00:05:19,070 --> 00:05:20,840 OK, so hit enter and it runs.
54 00:05:23,750 --> 00:05:26,540 And first, the search is conducted.
55 00:05:31,440 --> 00:05:33,150 Then it will analyze the results.
56 00:05:34,920 --> 00:05:37,200 OK, so here's what we expected to see.
57 00:05:38,170 --> 00:05:39,910 So now,
58 00:05:40,910 --> 00:05:42,440 go to the saved file directory.
59 00:05:44,770 --> 00:05:48,630 I'm going to go to the desktop, and here's the file, so let's have a look.
60 00:05:49,260 --> 00:05:52,500 So it's not very different from the output that's on the screen.
61 00:05:54,580 --> 00:05:56,120 At least we can have smaller graphics.
62 00:05:57,740 --> 00:06:03,670 Great, so you can run these tools, or some other ones if you wish, for your target.
63 00:06:04,820 --> 00:06:06,350 You can go ahead and practice it.