1 00:00:00,150 --> 00:00:06,340 So now we're going to use a tool called DirBuster to do a little bit of directory busting.
2 00:00:06,570 --> 00:00:10,710 There are other tools out there that are similar or do the same thing.
3 00:00:10,710 --> 00:00:12,480 There are two built-in tools.
4 00:00:12,480 --> 00:00:17,130 In fact, there's DirBuster and there's also a tool called dirb.
5 00:00:18,000 --> 00:00:21,630 And then there is a tool called Gobuster.
6 00:00:22,680 --> 00:00:24,210 And you have a lot of options.
7 00:00:24,210 --> 00:00:30,750 My option of choice is DirBuster, but I do recommend that you write these down and just explore them
8 00:00:30,750 --> 00:00:33,570 for yourself and see which one you like the best.
9 00:00:33,570 --> 00:00:38,280 So I'm going to go ahead and run DirBuster, and I'm going to run it like this with the ampersand at
10 00:00:38,280 --> 00:00:44,430 the end, and it's going to load up this nice little interface.
11 00:00:44,460 --> 00:00:50,220 And what we're gonna do is we're going to say, hey, I want to run against this target URL. I'm going
12 00:00:50,220 --> 00:00:56,740 to go ahead and just copy this right here, and I'll tab back into it.
13 00:00:57,760 --> 00:00:59,260 And syntax is important.
14 00:00:59,260 --> 00:01:05,090 It's going to want the port 80 at the end. You see the port 80 here with the slash, and we're going to
15 00:01:05,090 --> 00:01:11,950 say go ahead and go faster on these threads, and then we're gonna go ahead and pick a list.
16 00:01:11,950 --> 00:01:21,930 So go ahead and go to browse, and let's go ahead and go to your base folder here, go into your usr
17 00:01:22,070 --> 00:01:32,140 folder, your share, which is right here, and then if you start typing "wordlist" it'll bring up word
18 00:01:32,140 --> 00:01:33,180 lists right here.
19 00:01:35,030 --> 00:01:37,870 And then you see DirBuster has its own folder right here.
20 00:01:37,900 --> 00:01:45,650 So we're going to select dirbuster, and from here we can pick a variety of different lists.
21 00:01:45,660 --> 00:01:51,270 I like to just use the small list. If I'm not finding anything at all, maybe I'll move up to the medium,
22 00:01:51,300 --> 00:01:56,090 and out on the interweb there is a large list as well.
23 00:01:56,400 --> 00:02:00,780 Let's just go ahead and start with small for proof of concept.
24 00:02:00,970 --> 00:02:03,370 And so now let's break it down.
25 00:02:03,370 --> 00:02:08,140 We kind of talked about it in the last video, but let's just do a quick reminder. What we're doing is
26 00:02:08,140 --> 00:02:13,810 we're going out to web directories and we're using these wordlists, and these wordlists have hundreds
27 00:02:13,810 --> 00:02:18,970 if not thousands of different well-known directories.
28 00:02:19,000 --> 00:02:24,880 So it could be something like admin or like cgi-bin, etc.
29 00:02:24,890 --> 00:02:31,210 And so to go out and try to navigate these, it's also going to look for specific file extensions.
30 00:02:31,240 --> 00:02:38,980 So we know that we're up against an Apache website, and Apache runs PHP. If we're up against something
31 00:02:38,980 --> 00:02:46,940 like a Microsoft website, which is, I guess, well, those tend to run something called ASP or ASPX.
32 00:02:47,090 --> 00:02:52,240 And so this is why enumeration is important as well, because we need to know what's running on the back
33 00:02:52,240 --> 00:02:54,780 end to find or make the most use out of it.
34 00:02:54,790 --> 00:02:59,680 Now what we can do with these file extensions, and what I like to do, is I like to run against PHP or
35 00:02:59,680 --> 00:03:06,460 whatever the base of the server is, but I also do like to run something like a text file, something like
36 00:03:06,460 --> 00:03:11,820 a zip file, and you can make this as long as, or yeah, as many as you want.
37 00:03:11,830 --> 00:03:19,690 You could say rar, pdf, docx, but the more of these that you put in there, the more times it's going to
38 00:03:19,690 --> 00:03:24,220 search, because it's going to search through the wordlists and say the wordlist has admin, and it's
39 00:03:24,220 --> 00:03:28,180 going to try admin.pdf or admin.zip.
40 00:03:28,330 --> 00:03:33,610 So it's important to limit these to what you need. For our sake,
41 00:03:33,610 --> 00:03:40,810 I'm going to go ahead and assume PHP, and we're going to just scan with the default results here and just
42 00:03:40,810 --> 00:03:42,720 kind of see what happens.
43 00:03:42,730 --> 00:03:49,690 So go ahead and start that, and this will kick off and start scanning, and it's already finding right
44 00:03:49,690 --> 00:03:54,040 away, it's finding some stuff. You could see the list getting big, and you can go to this results view
45 00:03:54,040 --> 00:04:01,200 where you can see what it's found, and you can also go to this tree view here and see what it's found and
46 00:04:01,210 --> 00:04:06,790 kind of click in. You could see it's found some potentially interesting files. We can go enumerate these
47 00:04:06,790 --> 00:04:14,060 as well, and it's found a test.php page. You can right-click on these and open in browser, and you can
48 00:04:14,060 --> 00:04:18,370 see that it's found this print test here in the page before.
49 00:04:18,890 --> 00:04:23,370 So we can look through some of these pages. We're going to go ahead and just let that go for now. It's going
50 00:04:23,370 --> 00:04:28,850 to take a minute. It could take up to a while to scan, depending on how big your wordlist is, how many
51 00:04:28,850 --> 00:04:35,300 options you choose, and how well your website is cooperating with your scan as well.
52 00:04:35,300 --> 00:04:40,420 So from here I'm going to show you a few more things, so let's go back to our preferences.
53 00:04:40,430 --> 00:04:47,630 If you still have that open, go ahead and go back, and let's go ahead and just go to the settings, and
54 00:04:47,630 --> 00:04:51,620 we'll go to our manual configuration, and let's boot up Burp Suite,
55 00:04:54,850 --> 00:04:59,290 and this is just another proof of concept that Burp Suite is your friend, especially when you're looking
56 00:04:59,290 --> 00:05:00,770 at websites.
57 00:05:00,910 --> 00:05:03,160 So we're going to utilize it just to take a peek.
58 00:05:03,310 --> 00:05:04,680 I just want to see what's out there.
59 00:05:04,690 --> 00:05:11,080 So we'll go ahead and just hit next and start Burp Suite here on this.
60 00:05:11,260 --> 00:05:12,150 And while we wait,
61 00:05:12,160 --> 00:05:18,250 another thing that I need to point out is, if this were a website, like a real website, instead of a
62 00:05:18,250 --> 00:05:24,040 test page, a very important thing to do is view the source code. So we can right-click in here and
63 00:05:24,040 --> 00:05:28,990 we could say view page source, and we can view the source code.
64 00:05:28,990 --> 00:05:34,750 Now what we're looking for in source code are any kind of comments, potentially any kind of information
65 00:05:34,750 --> 00:05:40,870 disclosures. We might be looking for any sort of keys or passwords or user accounts or anything that might
66 00:05:40,870 --> 00:05:44,010 be disclosed in a source code that should not be disclosed.
67 00:05:44,110 --> 00:05:49,990 A lot of times when you do CTF or you do Hack The Box or VulnHub, they hide little comments in source
68 00:05:49,990 --> 00:05:56,380 code, but in a pen test, from your point of view, we're looking for more important things like the passwords
69 00:05:56,380 --> 00:05:58,350 or keys, etc.
70 00:05:58,480 --> 00:06:06,590 So we've got Burp Suite open, and we're just going to go ahead and intercept one request here, and we're
71 00:06:06,590 --> 00:06:09,790 going to go ahead and just let this forward.
72 00:06:09,980 --> 00:06:12,770 Actually, we'll send this to Repeater. I'm going to show you a little trick.
73 00:06:12,770 --> 00:06:14,570 Go ahead and send this to Repeater.
74 00:06:14,750 --> 00:06:19,760 So you right-click, send to Repeater, and you'll see a Repeater tab opens up here.
75 00:06:19,760 --> 00:06:26,420 Now the neat thing about Repeater is that Repeater will show you your response in real time, and you
76 00:06:26,420 --> 00:06:32,930 can modify these. So you can say, hey, I want to send this here, or you can say something like, I want
77 00:06:32,930 --> 00:06:39,310 to send a POST request maybe, and let that run, and you could see what it says: method not allowed.
78 00:06:39,310 --> 00:06:45,490 So it doesn't like that, but you can send different results, modify what you see here, and see how that
79 00:06:45,490 --> 00:06:46,700 works for us.
80 00:06:46,750 --> 00:06:48,790 Now this is not taking this.
81 00:06:48,790 --> 00:06:49,380 Exactly.
82 00:06:49,450 --> 00:06:52,570 Let's forward and see maybe if we're missing anything, and we're not.
83 00:06:52,570 --> 00:06:59,060 So another thing that we can do is we can actually copy this, and what we can do is we go into the target
84 00:06:59,060 --> 00:07:06,230 here, and we've got the target showing. We could set the scope if we need to.
85 00:07:06,310 --> 00:07:13,180 So we can just, we can go to scope here and we can say add, and then paste this in here for HTTP, and we
86 00:07:13,180 --> 00:07:18,800 can do HTTPS. For both, we'll just do HTTP, and we'll say yes.
87 00:07:18,940 --> 00:07:24,880 And what this does for us is this limits only searching for in-scope items. So we're going to just limit
88 00:07:24,880 --> 00:07:29,830 now, and then we're going to go ahead and look at the response that came back, and you see there's no
89 00:07:29,830 --> 00:07:30,690 response here.
90 00:07:30,940 --> 00:07:32,970 But there is a 304 Not Modified.
91 00:07:32,980 --> 00:07:39,320 And the interesting thing is, look at the server header. The server header is disclosing information to
92 00:07:39,320 --> 00:07:40,000 us as well.
93 00:07:40,250 --> 00:07:41,930 And we saw this in the Nikto scan.
94 00:07:41,930 --> 00:07:43,410 It's all coming back around.
95 00:07:43,520 --> 00:07:43,790 Right.
96 00:07:43,790 --> 00:07:49,820 We saw the Nikto scan say Apache 1.3.20, and it pulled down this server header.
97 00:07:49,820 --> 00:07:51,780 This is why it's so useful.
98 00:07:51,950 --> 00:07:58,640 And this in itself, a screenshot of this right here, is information disclosure as well.
99 00:07:58,640 --> 00:08:05,150 So this client that we're working on has a little bit of information disclosure problems, and we can
100 00:08:05,150 --> 00:08:12,980 just say information disclosure here, and we'll do something, if I can type, disclosure here, and we'll
101 00:08:12,980 --> 00:08:22,760 say something like "server headers disclose version information", and we'll take a screenshot of that, and
102 00:08:22,760 --> 00:08:25,540 we'll put that in our notes as well.
103 00:08:26,660 --> 00:08:30,880 So we're gonna get really deep into Burp Suite once we get to the web app section.
104 00:08:30,890 --> 00:08:34,040 I'd just like to get you utilizing it and familiar with it.
105 00:08:34,040 --> 00:08:38,780 And just so you're comfortable by the time we get there, we're going to use it a few more times when we
106 00:08:38,840 --> 00:08:43,770 talk through network items, and then once we get to the web app, it's going to be a lot of Burp Suite.
107 00:08:43,880 --> 00:08:45,890 So we'll get very comfortable with that very quick.
108 00:08:46,360 --> 00:08:51,250 So let's take another peek at our DirBuster and see how that's working.
109 00:08:51,530 --> 00:08:57,170 And you could see that it still has twenty-three minutes, but I really just want to put you through the
110 00:08:57,170 --> 00:08:58,790 concept of it.
111 00:08:59,030 --> 00:09:05,570 The concept of it here is that we are looking for any sort of interesting directories, and you could
112 00:09:05,570 --> 00:09:08,230 see response codes here as well.
113 00:09:08,300 --> 00:09:15,850 If you've never seen a response code, just know for now that 200s, 200s mean OK. 400s,
114 00:09:15,900 --> 00:09:22,150 I mean there's some sort of error. Most typically, like a 404 means page not found, and a 300
115 00:09:22,150 --> 00:09:24,020 is typically a redirect.
116 00:09:24,020 --> 00:09:27,190 And then there's 500, which are like server errors or other.
117 00:09:27,620 --> 00:09:31,760 So what we're going to come in here and do is just kind of peek at these, and we can just kind of open
118 00:09:31,760 --> 00:09:37,730 these and see. Icons, probably nothing interesting. Dark has nothing in it right now.
119 00:09:37,730 --> 00:09:43,800 The manual is not going to be that interesting to us, neither is usage. Maybe, maybe usage is interesting.
120 00:09:43,880 --> 00:09:49,130 Open this in the browser and we can see what's kind of running, and if you have your proxy on,
121 00:09:49,130 --> 00:09:55,290 go ahead and turn your intercept off. You see mine caught there, OK.
122 00:09:55,310 --> 00:10:00,140 And now this is an interesting page here. We can see usage statistics.
123 00:10:00,140 --> 00:10:06,200 And this might give us a little bit of information disclosure, if we're able to access it at least here.
124 00:10:06,200 --> 00:10:11,900 Well, we can see a couple of things. We see Webalizer Version 2.01, so we can copy this and see
125 00:10:11,900 --> 00:10:18,200 if there's anything about this here on this machine that maybe is exploitable. So let's add this here
126 00:10:18,200 --> 00:10:23,600 as Webalizer Version 2.01, and we'll just put it like on this usage.html.
127 00:10:24,350 --> 00:10:29,510 Now we don't know for sure if this is running out on the web, or if this is just an HTML page that has
128 00:10:29,510 --> 00:10:31,910 been generated by something else.
129 00:10:31,910 --> 00:10:34,830 So it's not for certain that it's actually running on this.
130 00:10:34,850 --> 00:10:39,950 It could just be something they have in this usage folder, but it's always good to notate what kind of
131 00:10:39,980 --> 00:10:45,170 items they might be using, and they're utilizing this Webalizer for sure, at least in their network.
132 00:10:45,170 --> 00:10:49,860 Again, this is probably a little bit of information disclosure or information leakage here.
133 00:10:49,910 --> 00:10:53,140 So they've got a consistent problem with that.
134 00:10:53,180 --> 00:10:59,960 So let's go ahead and look more at the results, and MRTG is in here, and we can come through here
135 00:10:59,960 --> 00:11:06,810 and just look like, what's MRTG, and we can open that in the browser. It says, what is it, MRTG.
136 00:11:06,850 --> 00:11:08,720 This is Multi Router Traffic Grapher.
137 00:11:08,760 --> 00:11:09,630 OK.
138 00:11:09,900 --> 00:11:15,240 And we could scroll through this, read the details, and we can keep going through here, and this could
139 00:11:15,240 --> 00:11:16,760 very well be a rabbit hole.
140 00:11:16,920 --> 00:11:20,090 But this kind of makes sense, and there's a web server here.
141 00:11:20,100 --> 00:11:21,340 There's a log file.
142 00:11:21,420 --> 00:11:23,470 Let's view the log file.
143 00:11:23,550 --> 00:11:25,350 Nothing, nothing unique there.
144 00:11:25,350 --> 00:11:27,670 Let's view the web server.
145 00:11:27,740 --> 00:11:29,540 Let's see if it's the same page.
146 00:11:29,690 --> 00:11:34,010 And it's a little bit different, but not, not entirely different.
147 00:11:34,040 --> 00:11:42,490 So it's possible what we're seeing here is what we talked about in part one of this video, which
148 00:11:42,490 --> 00:11:46,470 is that we're seeing the test page is out there.
149 00:11:46,510 --> 00:11:47,950 And why was it out there, right?
150 00:11:47,950 --> 00:11:51,880 Is it poor hygiene? It's still poor hygiene, even if they're running a web server.
151 00:11:51,910 --> 00:11:54,430 But they are running a web server here on the back end.
152 00:11:54,610 --> 00:11:58,900 Whether this web server is useful to us or not, I really don't know.
153 00:11:58,900 --> 00:12:04,450 So the goal through this is to dig, and this is my challenge for you, is to dig kind of through these
154 00:12:04,540 --> 00:12:06,230 results that you get back.
155 00:12:06,370 --> 00:12:11,670 So wait until your, your scans finish here and dig through the results.
156 00:12:11,680 --> 00:12:14,230 Look at all these. To me, right now,
157 00:12:14,230 --> 00:12:19,480 it doesn't look that interesting, but again, we haven't fully enumerated. The real enumeration would be
158 00:12:19,480 --> 00:12:23,650 to go through each and every one of these and determine if there's anything of value here.
159 00:12:23,740 --> 00:12:28,150 Is there any sort of service information that could be useful, etc.
160 00:12:28,170 --> 00:12:32,350 So, where we're at on the web portal at the moment.
161 00:12:32,350 --> 00:12:35,430 Again, as a recap, we have our scan back.
162 00:12:35,440 --> 00:12:35,740 Right.
163 00:12:35,740 --> 00:12:40,520 And we've seen 80 is open and running Apache 1.3.20.
164 00:12:40,600 --> 00:12:42,490 We see 443 has got the same.
165 00:12:42,490 --> 00:12:49,310 We also know about the mod_ssl 2.8.4 and OpenSSL 0.9.6b.
166 00:12:49,330 --> 00:12:53,260 Doesn't hurt to copy this and put this in our notes too, because I think that's pretty useful.
167 00:12:53,260 --> 00:12:54,340 We've got that here.
168 00:12:54,610 --> 00:12:57,370 Let's just go ahead and maybe put something up above.
169 00:12:57,370 --> 00:13:02,940 Just as a note, and we ran our Nikto scan and we saved this to our, for our notes.
170 00:13:02,950 --> 00:13:07,450 So when we go write a report, we have it ready, and we've got some information here that we've written
171 00:13:07,450 --> 00:13:08,680 down as well.
172 00:13:08,680 --> 00:13:14,560 So it appears that there are some potential vulnerabilities here, but we won't know until we start digging
173 00:13:14,560 --> 00:13:16,940 into Google.
174 00:13:16,960 --> 00:13:17,440 OK.
175 00:13:17,440 --> 00:13:20,500 And that will be very, very important.
176 00:13:20,740 --> 00:13:27,520 But we're going to get to that when we start getting into the end of this little series here, and then
177 00:13:27,520 --> 00:13:32,020 we get transitioned into the exploitation part of the series.
178 00:13:32,020 --> 00:13:33,770 We'll work on exploiting these.
179 00:13:33,790 --> 00:13:38,410 So this is just a few tricks on how you can enumerate websites.
180 00:13:38,560 --> 00:13:44,410 And when we're coming through and showing you these ports, and we go over all these ports that we see,
181 00:13:44,970 --> 00:13:50,710 we're going to come across new ports. So when we do pen tests, what it comes down to is just having
182 00:13:50,710 --> 00:13:53,260 a methodology. You might discover a new port.
183 00:13:53,620 --> 00:13:57,370 And as long as you have a methodology, that's all you need.
184 00:13:57,370 --> 00:14:00,340 So we're going to work on building that methodology.
185 00:14:00,340 --> 00:14:06,100 And you might find other tools for searching websites that you like. You might say, hey, I hate your methods,
186 00:14:06,100 --> 00:14:08,200 or, you know, these tools just work better for me.
187 00:14:08,200 --> 00:14:11,510 And that's absolutely fine, as long as you're developing your own methodology.
188 00:14:11,530 --> 00:14:14,610 So just start thinking about, when you see a website,
189 00:14:14,650 --> 00:14:19,510 what are the basics that you're looking for? When you come across the website, you're looking for service
190 00:14:19,600 --> 00:14:26,080 version information, which we have here. You're looking for any sort of maybe back-end directories. You're
191 00:14:26,080 --> 00:14:32,500 looking for source code. You're looking for potential vulnerability scanning with Nikto, and any sort
192 00:14:32,500 --> 00:14:34,690 of information that you can divulge.
193 00:14:34,690 --> 00:14:36,370 Same thing, we can come back here.
194 00:14:36,370 --> 00:14:38,530 We talked about it before with Wappalyzer.
195 00:14:38,590 --> 00:14:41,940 You click on Wappalyzer and see a lot of the same things that we saw.
196 00:14:42,070 --> 00:14:43,550 It knows the operating system.
197 00:14:43,570 --> 00:14:47,350 It knows the web server extensions, and it knows what's running on the back end.
198 00:14:47,950 --> 00:14:50,690 So there's a lot of useful information here.
199 00:14:50,770 --> 00:14:52,630 And this is all we are after at this point.
200 00:14:52,630 --> 00:14:57,210 We just want to scan and enumerate, and then we're going to dig deep and exploit.
201 00:14:57,790 --> 00:14:59,370 So that is it for this.
202 00:14:59,380 --> 00:15:02,540 We're going to move on to the next port in this section.
203 00:15:02,650 --> 00:15:05,440 We'll do a little bit more enumeration, see what else we can uncover.
204 00:15:05,800 --> 00:15:07,650 So I will catch you over in the next video.