[00:00:01] Hello, everyone. So this is one of the very, very famous mind maps which has been made by Jason Haddix. So let's see this, the recon summary by Haddix.

[00:00:13] The first approach or the first step is identifying IP addresses and the main TLDs, which is top level domains. We have already seen this. We are doing this with the help of ASNs. We take that ASN, and this way we get to know the whole bunch of IP addresses that are being owned by that specific organization. We have also seen a reverse whois, through which we get more domains which are related to the main parent domain or the acquisitions.

[00:00:52] Next is domain scraping for discovery. Till this step we are going to run Amass or Subfinder, because we are going to identify more and more subdomains of that particular target. I like to use Findomain because it is much faster, so you can also use Findomain.

[00:01:15] Next is domain brute forcing, resolve and add new IP ranges. This can be done using massdns and manually as well. So we are going to brute force the domains; we can use massdns. It is excellent for doing this. Then we will see if those domains actually resolve or not. You can do this with the help of httpx by the Project Discovery team, and you will be able to see if those domains are actually resolving and giving a 200 OK. Then you can run sort -u, a unique filter, and save them into a list.

[00:01:54] Next is to conduct port scanning using masscan, which will identify which ports are open for all the targets that we have identified in the previous step.

[00:02:07] Next is to do visual identification, so we can use EyeWitness. We can also use Aquatone. It is very, very useful. With the help of visual identification we will be able to enumerate all those domains. So let's see if any of the domains is running a vulnerable, unauthenticated dashboard, an internal dashboard or an application which is on its default configuration. Or let's see if there is a directory listing enabled which contains sensitive files like DB dot com or environment files or some kind of backup files or source code disclosure, which can be very, very helpful for us and which we can easily identify from the screenshots. So those two tools are very useful, which is EyeWitness as well as Aquatone.

[00:03:01] The next step is platform identification. So we are basically going to do banner grabbing of that specific target to identify what CMS and technology they are running on. We can use Wappalyzer and BuiltWith; they are very, very helpful and useful to do this. Apart from this, we can also identify the technology of that particular target using the httpx tool as well. Again, we can also use nmap to identify the platform, and we can do a banner grab as well. You can do service version detection using -sV in nmap, and you can save the output into a file.

[00:03:47] The next step is content discovery. So in this we are going to use Gobuster. We can use different tools as well. So for example, you can use dirsearch or dirbuster. Also, if you want to perform fuzzing, you can use wfuzz or ffuf; you will be able to get a lot of sensitive endpoints. For wordlists, you can use the SecLists wordlists. They are very good. You can also use the old text you can use for DBE or pillared all things.

[00:04:26] Now for the last step, that is the parameter discovery, you can use a tool which is Parameth, which will be very, very helpful in identifying the parameters of that particular target. Also, you can use Burp's Analyze target. So whenever you add any target to the scope of Burp Suite and you run the spider at that particular point, you will be able to see the parameters for that particular target. Also, I like to use ParamSpider, which will enumerate all the parameters of that specific target from the Wayback Machine or the Wayback archive, which is very, very useful.

[00:05:09] So I hope you guys understood the recon summary by Haddix and you will implement this into your workflow or your methodology, and it will be definitely very, very helpful for everyone. Thank you.