The script you're about to see in this video was written by a guy named Karimi, a.k.a. that one tester. Now, he is a fantastic resource and he writes some really great scripts. So I'm going to be linking this script in the resources for the course. Go ahead, check it out, and check out some of the other scripts that he has, because they are fantastic. So, that being said, let's go ahead and dive right in.

OK. So now we are on my actual pentest machine, and I wanted to show you this script because this is where I keep it. It looks very similar. It's going to look similar; it's just going to do a lot more. OK. So we have here all the different creations of folders and files. You don't have to worry about this too much. You can review this when you have the file. And again, I'm going to leave a pastebin of this in the references; the pastebin will never expire. So you'll have access to that, and then we just come through here, and a lot of this should look similar already. So I was building you up for it, right? So we look through subdomains with assetfinder, we look through subdomains with amass, and then we probe for those alive domains.

And then I sort that out and I put that into an alive.txt and remove that file here. So everything comes down: we look for subdomains, we find what's alive, we put that into alive.txt, and that's it, sorted out. So that should all look pretty familiar. Then I do what is looking for a possible subdomain takeover attack, meaning that these subdomains sometimes are purchased, but sometimes the records are wrong, or the subdomain has lapsed in payment, or something along those lines. But basically, what a subdomain takeover is: say you have test.tesla.com and they have not renewed it, or they don't own it, or something happened with the record. Well, you go buy test.tesla.com and own that subdomain, and you could take over their subdomain and have a subdomain on their site. So that is what a subdomain takeover is. There's a tool out there called subjack that you can utilize, and I just run it against the final list, as opposed to just the alive list, to just see if it can find any kind of subdomain takeover. On top of that, I want to scan for open ports. I want to know not just what's running on 80 or 443, but I want to know if maybe they have some kind of weird open port open, right? So, like, are they running, I don't know, 3389? They're running RDP on their machine.

So I'll scan for alive ports to see what's out there. I also do what is called scraping wayback data. So if you've never heard of archive.org or waybackurls, basically what those are is historical websites, right? So you can go to archive.org right now and look at a website. Maybe go look at Facebook, for example: you can look at Facebook from, like, 10 years ago and see exactly what Facebook looked like at the time, and it has all these things preserved. So it's really nice, and what you can do is you can go and scan with this tool, waybackurls. It's going to pull down anything that is potentially interesting with parameters, right? So it's going to pull down all these different parameter files: JavaScript, .html, .json, .php, .aspx. We're gonna take all these out of that output, and sometimes there's information left behind. There might be, like, stored credentials, or a way that that code is kept in there. We might find source code, we may find, you know, a key or something in these files that was there before, and even though it's not there anymore, that key or that password might still work. So it's important to look at the Wayback Machine and these URLs to see if there's anything interesting to us that we can leverage against a client, or against the bug bounty, or whatever. Right.

And lastly, I come through here and I run gowitness, and I run gowitness against everything to take those pictures that we talked about, and to just make sure that everything I want to look at in a quick format is there, available to me, and I put that all into a folder. So with that all being said, I can just run this script against one URL and it comes through here and does all these things for me, while I can go drink my coffee, I can work on something else, I can start focusing on certain websites, I can multitask because of this automation. So this is just a big build-up off of the Linux section from earlier, and we've just been utilizing Linux more and more and more, and I wanted to throw out some more complex thinking and how you can utilize this as an attacker. And this is really... it seems overwhelming, but this is just running commands that you would run anyway and then just echoing out a little bit of extra stuff and putting it in order. That's it: a little bit of kung fu on the command line here, with some of these things that you have to do and think through, but otherwise it's nothing crazy. I promise, it may look like a lot, but it's really not a lot. So that's it for this section, and that's it for the additional tools I wanted to just show you.

So from here we're going to go into web application penetration testing, and we're going to start talking about the Top 10. I'm going to introduce you to Burp Suite at a deeper level. That way we can cover it and understand what it does, and then cover the Top 10 attacks and possibly some more. So I'll catch you over in the next section.
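The pipeline the video walks through (subdomains, alive hosts, subjack, port scan, wayback URLs sorted by parameter and file type, screenshots), written out as an added example; it is not Karimi's script from the video. It assumes the tools named in the video are on PATH and skips any stage whose tool is missing, so the wayback sorting step, which is plain text work, can be tested on its own with constructed input.

```shell
#!/bin/sh
# Added example, not the script shown in the video. Target is the first
# argument; output goes under ./<target>/recon. Tool flags assumed from the
# tools' own help output (subjack, httprobe, gowitness v2, amass, nmap).
set -u

# Split waybackurls output into the buckets the video describes: URLs with
# parameters, and .js/.html/.json/.php/.aspx files, one deduplicated list each.
sort_wayback_urls() {
  in="$1"; out="$2"
  mkdir -p "$out"
  grep -F '?' "$in" | sort -u > "$out/params.txt"
  for ext in js html json php aspx; do
    # match the extension at end of path or right before a query string
    grep -Ei "\.$ext(\?|$)" "$in" | sort -u > "$out/$ext.txt"
  done
}

# Run a stage only if its tool is installed; otherwise say what was skipped.
run_if() {
  tool="$1"; shift
  if command -v "$tool" >/dev/null 2>&1; then "$@"
  else echo "[-] $tool not found, skipping" >&2; fi
}

recon() {
  target="$1"; dir="$target/recon"
  mkdir -p "$dir/wayback" "$dir/screenshots"
  : > "$dir/final.txt"
  # subdomain discovery from two sources, merged into final.txt
  run_if assetfinder sh -c "assetfinder '$target' | grep '\.$target\$' >> '$dir/final.txt'"
  run_if amass sh -c "amass enum -d '$target' >> '$dir/final.txt'"
  sort -u "$dir/final.txt" -o "$dir/final.txt"
  # which of those answer over HTTPS -> alive.txt (scheme stripped)
  run_if httprobe sh -c "httprobe -s -p https:443 < '$dir/final.txt' | sed 's#https*://##' | sort -u > '$dir/alive.txt'"
  # takeover check runs against the full list, not just alive hosts
  run_if subjack subjack -w "$dir/final.txt" -t 100 -timeout 30 -ssl -o "$dir/takeover.txt"
  run_if nmap nmap -iL "$dir/alive.txt" -T4 -oA "$dir/ports"
  run_if waybackurls sh -c "waybackurls < '$dir/alive.txt' | sort -u > '$dir/wayback/urls.txt'"
  if [ -s "$dir/wayback/urls.txt" ]; then
    sort_wayback_urls "$dir/wayback/urls.txt" "$dir/wayback"
  fi
  run_if gowitness gowitness file -f "$dir/alive.txt" -P "$dir/screenshots"
}

if [ "$#" -ge 1 ]; then recon "$1"; fi
```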