1
00:00:00,120 --> 00:00:07,590
So the next tool on our list is httprobe. So we can type "httprobe" like this, and we'll just say "GitHub".

2
00:00:08,130 --> 00:00:13,380
And guess who makes an appearance again? It's our friend tomnomnom.

3
00:00:13,380 --> 00:00:18,330
So we're gonna go ahead and just download this, another Go tool.

4
00:00:18,330 --> 00:00:22,790
Go ahead and copy this and paste it in.

5
00:00:22,820 --> 00:00:25,550
Over here I'm gonna clear the screen.

6
00:00:25,550 --> 00:00:26,230
Paste this.

7
00:00:26,240 --> 00:00:27,240
Let it download.

8
00:00:28,230 --> 00:00:37,200
And we're using this to ensure that what we're doing, when we run assetfinder for example, that these

9
00:00:37,200 --> 00:00:38,850
come back alive or not.

10
00:00:38,870 --> 00:00:41,960
So we want to know if the hosts are alive.

11
00:00:42,060 --> 00:00:49,490
So what we're gonna do is we can say something like, we have that file, we have the final.txt, right,

12
00:00:49,770 --> 00:00:58,590
and we can say, hey, final.txt, we can cat it out. We go tesla.com/recon/final.txt and

13
00:00:58,590 --> 00:00:59,660
cat that.

14
00:01:00,030 --> 00:01:08,310
Now we want to say httprobe, and that will just go out and it will say, hey, do you respond at all when

15
00:01:08,310 --> 00:01:09,420
I send something out to you?

16
00:01:09,420 --> 00:01:11,350
I'm gonna make an HTTP request.

17
00:01:11,370 --> 00:01:19,140
I'm going to make an HTTPS request, and it doesn't matter if it is a status code 200, say,

18
00:01:19,140 --> 00:01:24,120
300, 400, whatever. It just wants to know if it responds, and if it responds, that

19
00:01:24,120 --> 00:01:26,580
tells it that it's alive here.

20
00:01:26,580 --> 00:01:27,400
OK.

21
00:01:27,540 --> 00:01:32,910
So what we're gonna do is I'm going to go ahead and Control-C on this process and let this stop, and

22
00:01:32,910 --> 00:01:35,370
we're going to narrow this down just a little bit.

23
00:01:35,400 --> 00:01:44,820
So on httprobe itself I'm going to do a -s, which is just going to remove all the default ports.

24
00:01:44,850 --> 00:01:47,630
So it's scanning on 80 and 443.

25
00:01:47,700 --> 00:01:50,990
For me, I have automatic DNS happening on port 80.

26
00:01:51,120 --> 00:01:55,710
So I'm only going to search this on 443. If you do not have automatic DNS,

27
00:01:55,710 --> 00:01:56,880
that's fine.

28
00:01:56,880 --> 00:02:01,650
You can leave this as is. I'm adding this extra option just for myself,

29
00:02:01,650 --> 00:02:03,240
so we know how many false positives there are.

30
00:02:03,690 --> 00:02:08,130
So on top of this I'm going to hit enter and just let you see what's happening, so now it's only searching

31
00:02:08,130 --> 00:02:10,390
on HTTPS, and what's coming back.

32
00:02:10,770 --> 00:02:13,000
Then Control-C on this next.

33
00:02:13,170 --> 00:02:14,600
I want to do something here.

34
00:02:14,610 --> 00:02:20,910
I want to remove... you can see it comes back with the https:// and :443.

35
00:02:20,970 --> 00:02:22,350
That's great.

36
00:02:22,350 --> 00:02:28,110
However, I want to scan these, and we're going to take this in the next video. We're just

37
00:02:28,110 --> 00:02:32,910
going to continue our automation and just talk about some things that we can do, and I'll show you

38
00:02:32,910 --> 00:02:39,670
my script towards the end of this section, a longer script that I have that I utilize.

39
00:02:39,690 --> 00:02:46,410
So here we're going to remove the https:// off of this so we can actually scan this with Nmap, and

40
00:02:46,410 --> 00:02:49,410
what we're gonna do here is we're just going to use sed.

41
00:02:49,560 --> 00:02:55,910
And if you remember from previous videos, I am not a sed master, so I just Googled this,

42
00:02:56,250 --> 00:02:58,830
if I'm being straightforward with you here.

43
00:02:59,070 --> 00:03:00,510
So I'm going to say...

44
00:03:00,510 --> 00:03:08,000
question mark, and feel free to copy exactly what I'm doing, just like this.

45
00:03:08,000 --> 00:03:13,820
So this in theory should now strip the https:// off the front.

46
00:03:13,820 --> 00:03:17,360
We also need to take the :443 off the back.

47
00:03:17,360 --> 00:03:24,560
So if you recall, we can use truncate for that, or translate I should say, tr -d, and then we just say

48
00:03:24,950 --> 00:03:26,990
:443, be gone.

49
00:03:26,990 --> 00:03:31,360
So now we hit enter and it should start pulling this down.

50
00:03:31,360 --> 00:03:36,260
It might take a second to actually probe through this and pull it down, now that everything has been

51
00:03:36,680 --> 00:03:41,570
stripped down and sed out, but it's going to pull these down and it's going to come back and it's

52
00:03:41,570 --> 00:03:46,280
going to say, hey, instead of having https:// in front of everything and :443 at the end, it's

53
00:03:46,280 --> 00:03:51,110
just going to have these subdomains, and just like this, perfect timing.

54
00:03:51,110 --> 00:03:57,500
So just the subdomains that we want here, and they're all going to be stripped down perfectly for us.

55
00:03:57,500 --> 00:04:04,640
So with that, let's go ahead and copy this, copy this whole long thing. We're just going to take it...

56
00:04:05,570 --> 00:04:07,870
we'll take this here and we'll change this just a little bit.

57
00:04:07,880 --> 00:04:14,690
So copy this, and we're going to echo something like, we're gonna say,

58
00:04:17,520 --> 00:04:21,130
"Probing for alive domains."

59
00:04:21,600 --> 00:04:23,570
And then we'll just paste this here.

60
00:04:25,080 --> 00:04:29,190
But what we'll do, instead of tesla.com, is $url.

61
00:04:31,510 --> 00:04:31,980
OK.

62
00:04:31,980 --> 00:04:37,500
And then we'll put in one more thing: we're going to sort this by unique, we'll say sort -u,

63
00:04:37,830 --> 00:04:38,160
that way

64
00:04:38,160 --> 00:04:41,970
anything that's in final.txt that hasn't been sorted by unique,

65
00:04:41,970 --> 00:04:43,570
this is where we get rid of it here.

66
00:04:43,740 --> 00:04:47,490
OK, so sort -u is going to get rid of all the duplicates.

67
00:04:47,550 --> 00:04:50,010
Then we'll run it through httprobe.

68
00:04:50,190 --> 00:04:51,290
We'll sed that out.

69
00:04:51,300 --> 00:05:00,680
Get rid of that :443 here, and then we're gonna put this all into a file called alive.txt.

70
00:05:00,900 --> 00:05:11,100
So we'll say $url/recon/alive.txt, and there you should have it.

71
00:05:11,550 --> 00:05:21,940
So if we save this, and now we go ahead and we just run run.sh and we say tesla.com, it's going

72
00:05:21,940 --> 00:05:26,530
to harvest the subdomains, assetfinder, you shouldn't see anything come through, then it's going to probe

73
00:05:26,530 --> 00:05:28,140
for the alive subdomains.

74
00:05:28,330 --> 00:05:33,820
We should be creating a file right about now that has the alive subdomains, and here we go into Files,

75
00:05:34,330 --> 00:05:38,710
go into tesla.com/recon, and then alive.txt is there.

76
00:05:38,740 --> 00:05:40,780
It's just... it's working on it, right?

77
00:05:41,050 --> 00:05:42,830
So nothing's going to come in right away.

78
00:05:42,850 --> 00:05:45,760
It's going to take a minute, but that's really it.

79
00:05:45,790 --> 00:05:50,410
That's all we're trying to do at this point, and I want to bring that back.

80
00:05:50,410 --> 00:05:52,830
And so here we have our script; it's worked.

81
00:05:52,960 --> 00:05:53,860
Let's go and check it now.

82
00:05:53,860 --> 00:05:58,230
So alive.txt now has all these different alive subdomains.

83
00:05:58,270 --> 00:06:02,640
So we would go through here and we can look through these, we can enumerate these.

84
00:06:02,650 --> 00:06:05,090
And this is the point that we wanted to get down to.

85
00:06:05,230 --> 00:06:08,260
We wanted something that we can enumerate now.

86
00:06:08,320 --> 00:06:08,680
Right?

87
00:06:08,680 --> 00:06:21,370
So we can go and cat tesla.com/recon, and we could say alive.txt, and then I can sort through these if I want to find something

88
00:06:21,370 --> 00:06:25,010
interesting, or I can grep and say, like, grep on dev.

89
00:06:25,110 --> 00:06:32,200
OK, there's a dev. Grep on test, or staging, or stg.

90
00:06:32,380 --> 00:06:37,330
Those are always good ones, or admin, looking for admin panels, are always good ones as well.

91
00:06:37,480 --> 00:06:41,740
And you just want to look through these and see where something might be of interest.

92
00:06:41,740 --> 00:06:48,400
Any kind of test domain or any kind of a dev domain or anything like that will be very, very interesting,

93
00:06:48,430 --> 00:06:51,730
could potentially lead to some good findings.

94
00:06:52,660 --> 00:06:59,590
So from here we're going to go ahead and move on to one more tool that I like to utilize in this step

95
00:07:00,190 --> 00:07:03,470
when it comes to this automated enumeration.

96
00:07:03,670 --> 00:07:08,890
And then we'll go ahead and tie it all together, all this, show you what one of my longer scripts looks

97
00:07:08,890 --> 00:07:13,270
like, and then we'll start working on the OWASP Top 10 attacks.