1
00:00:00,000 --> 00:00:03,395
2
00:00:03,395 --> 00:00:06,790
[LOGO AUDIO]
3
00:00:06,790 --> 00:00:10,190
4
00:00:10,190 --> 00:00:14,090
One of the most common protocols
we're going to see is HTTP.
5
00:00:14,090 --> 00:00:16,250
HTTP is for hosting websites.
6
00:00:16,250 --> 00:00:18,320
We would see this
on an external scan.
7
00:00:18,320 --> 00:00:20,300
We could see it on
an internal scan.
8
00:00:20,300 --> 00:00:23,660
Websites are a big
part of the internet.
9
00:00:23,660 --> 00:00:29,410
So anything connecting to the
internet, networks, websites
10
00:00:29,410 --> 00:00:31,280
are going to be
a big part of it.
11
00:00:31,280 --> 00:00:35,520
There are so many
programs, so many ways
12
00:00:35,520 --> 00:00:38,160
that you can build a
site, so many languages
13
00:00:38,160 --> 00:00:43,410
that, there's just a plethora
of possible vulnerabilities.
14
00:00:43,410 --> 00:00:48,510
As an attacker, if we see that
there's a website being hosted,
15
00:00:48,510 --> 00:00:52,260
it's like knowing that there's
an unguarded back door,
16
00:00:52,260 --> 00:00:55,270
that there's going to be
some way of getting in there.
17
00:00:55,270 --> 00:00:58,200
So let's dive in and see what
that actually looks like.
18
00:00:58,200 --> 00:01:01,490
19
00:01:01,490 --> 00:01:03,185
We've been given an IP address.
20
00:01:03,185 --> 00:01:08,010
21
00:01:08,010 --> 00:01:10,940
So we ran a simple
Nmap scan against it.
22
00:01:10,940 --> 00:01:13,050
And we see port 80 is open.
23
00:01:13,050 --> 00:01:18,590
We also see 135, 139, and 445.
24
00:01:18,590 --> 00:01:25,500
Let's run a couple
extras on this machine.
25
00:01:25,500 --> 00:01:29,810
But port 80 is open,
port 80 for HTTP.
26
00:01:29,810 --> 00:01:34,040
When I see that, I want
to open up a web browser.
27
00:01:34,040 --> 00:01:37,653
And a lot of people
will say, there's
28
00:01:37,653 --> 00:01:39,695
a lot you can do before
you get to a web browser.
29
00:01:39,695 --> 00:01:44,017
30
00:01:44,017 --> 00:01:45,850
But I think there's a
lot you can learn just
31
00:01:45,850 --> 00:01:47,260
from going there.
32
00:01:47,260 --> 00:01:49,120
WebGoat.NET.
33
00:01:49,120 --> 00:01:56,880
So WebGoat is a purposefully
vulnerable application website,
34
00:01:56,880 --> 00:01:58,440
built by OWASP.
35
00:01:58,440 --> 00:02:01,383
See it over here?
36
00:02:01,383 --> 00:02:02,550
And it's great for teaching.
37
00:02:02,550 --> 00:02:03,760
It's great for training.
38
00:02:03,760 --> 00:02:06,580
It's great for learning.
39
00:02:06,580 --> 00:02:10,780
Let's see what we
learned from our scan.
40
00:02:10,780 --> 00:02:17,720
Running Microsoft
IIS httpd 10.0.
41
00:02:17,720 --> 00:02:19,280
We've got Microsoft running.
42
00:02:19,280 --> 00:02:21,228
There's a MySQL.
43
00:02:21,228 --> 00:02:22,020
That's interesting.
44
00:02:22,020 --> 00:02:25,250
We'll come back to that later.
45
00:02:25,250 --> 00:02:28,610
Fingerprint scan came
back no exact matches.
46
00:02:28,610 --> 00:02:31,730
We had Windows.
47
00:02:31,730 --> 00:02:38,507
Going with Windows,
it's IIS on port 80.
48
00:02:38,507 --> 00:02:39,465
That's a dead giveaway.
49
00:02:39,465 --> 00:02:42,610
50
00:02:42,610 --> 00:02:44,290
So it's neat.
51
00:02:44,290 --> 00:02:45,800
It's helpful.
52
00:02:45,800 --> 00:02:48,451
What else can we
learn from this?
53
00:02:48,451 --> 00:02:50,750
There's a couple extra
scans that we can do.
54
00:02:50,750 --> 00:02:53,690
55
00:02:53,690 --> 00:02:55,250
Such as WhatWeb.
56
00:02:55,250 --> 00:03:04,000
57
00:03:04,000 --> 00:03:08,070
And that's going to reach
out and find some information
58
00:03:08,070 --> 00:03:08,940
about our server.
59
00:03:08,940 --> 00:03:13,740
Again, Microsoft IIS 10.0.
60
00:03:13,740 --> 00:03:14,850
No real change there.
61
00:03:14,850 --> 00:03:18,110
62
00:03:18,110 --> 00:03:21,080
Looks like there's no
cross-site scripting protection.
63
00:03:21,080 --> 00:03:25,170
64
00:03:25,170 --> 00:03:27,660
When you run a
program like WhatWeb,
65
00:03:27,660 --> 00:03:29,730
it's running a bunch of scripts.
66
00:03:29,730 --> 00:03:35,940
And some of them are going
to be to test and see
67
00:03:35,940 --> 00:03:38,460
if there's vulnerabilities.
68
00:03:38,460 --> 00:03:41,310
It's kind of nice.
69
00:03:41,310 --> 00:03:49,710
Another tool that we've
got is HTTPie.
70
00:03:49,710 --> 00:03:52,260
They can manage as HTTP.
71
00:03:52,260 --> 00:03:54,060
And it'll reach out.
72
00:03:54,060 --> 00:04:00,570
You can see here, it just
sends an HTTP request.
73
00:04:00,570 --> 00:04:03,030
You got a 302 found.
74
00:04:03,030 --> 00:04:05,400
And this is where we
find out what our server is.
75
00:04:05,400 --> 00:04:09,810
That it's a Microsoft IIS 10.0.
76
00:04:09,810 --> 00:04:13,050
This is all the header
information that came back.
77
00:04:13,050 --> 00:04:18,720
And then it just says that,
the object was moved to--
78
00:04:18,720 --> 00:04:24,750
and then an anchor with
an href of default.aspx.
79
00:04:24,750 --> 00:04:27,120
That's another dead giveaway.
80
00:04:27,120 --> 00:04:32,070
Microsoft IIS utilizes
the aspx file type.
81
00:04:32,070 --> 00:04:36,220
82
00:04:36,220 --> 00:04:42,510
So it's just good confirmation
of what we are working against.
83
00:04:42,510 --> 00:04:47,850
Another tool, DIRB, will
enumerate for us quite a bit.
84
00:04:47,850 --> 00:04:50,610
85
00:04:50,610 --> 00:04:52,950
You've got to give it a URL,
not just an IP address.
86
00:04:52,950 --> 00:04:55,750
87
00:04:55,750 --> 00:04:58,830
So it's going to run
against this default word
88
00:04:58,830 --> 00:05:02,070
list, the DIRB word
list with common.txt.
89
00:05:02,070 --> 00:05:09,630
And what it's looking
for is directories.
90
00:05:09,630 --> 00:05:15,120
So we saw the default.aspx is
where we were getting sent to.
91
00:05:15,120 --> 00:05:19,095
And we connect to
just the IP address.
92
00:05:19,095 --> 00:05:24,060
93
00:05:24,060 --> 00:05:25,785
And in here, there is content.
94
00:05:25,785 --> 00:05:28,920
95
00:05:28,920 --> 00:05:29,880
That's one it tried.
96
00:05:29,880 --> 00:05:34,530
97
00:05:34,530 --> 00:05:36,900
We are forbidden.
98
00:05:36,900 --> 00:05:37,990
Try Downloads.
99
00:05:37,990 --> 00:05:42,390
We'll see some of these things
that DIRB is popping out.
100
00:05:42,390 --> 00:05:45,000
101
00:05:45,000 --> 00:05:49,860
We'll wait until it finishes
the scan, truthfully,
102
00:05:49,860 --> 00:06:00,030
because it's going to
go through 4,600 words.
103
00:06:00,030 --> 00:06:06,690
But what it's doing is,
it's sending a GET request
104
00:06:06,690 --> 00:06:09,570
to the full URL to see
if it gets back anything.
105
00:06:09,570 --> 00:06:15,200
106
00:06:15,200 --> 00:06:19,520
Since it found these
top-level folders,
107
00:06:19,520 --> 00:06:22,280
now it's looking
for subdirectories.
108
00:06:22,280 --> 00:06:33,610
109
00:06:33,610 --> 00:06:36,250
We'll probably
continue to get 403s.
110
00:06:36,250 --> 00:06:38,800
But a 403 means it
might actually be there.
111
00:06:38,800 --> 00:06:52,460
112
00:06:52,460 --> 00:06:58,570
So this is basic enumeration.
113
00:06:58,570 --> 00:07:00,550
One other tool that
we have is Browsh.
114
00:07:00,550 --> 00:07:05,830
115
00:07:05,830 --> 00:07:12,430
And it will do website
and enumeration based
116
00:07:12,430 --> 00:07:24,970
on a URL in your command line.
117
00:07:24,970 --> 00:07:28,500
So it looks a lot like what
you would see in the browser.
118
00:07:28,500 --> 00:07:33,150
And it can be quite useful if
you have Browsh on the machine
119
00:07:33,150 --> 00:07:38,970
if you don't have anything
more than command line
120
00:07:38,970 --> 00:07:44,835
because you could see, its best
guess at rendering the website.
121
00:07:44,835 --> 00:07:48,317
122
00:07:48,317 --> 00:07:49,275
Oh, that made it worse.
123
00:07:49,275 --> 00:07:55,190
124
00:07:55,190 --> 00:07:57,785
And you see DIRB will
run for quite a while.
125
00:07:57,785 --> 00:08:05,390
126
00:08:05,390 --> 00:08:06,710
But we would let it run.
127
00:08:06,710 --> 00:08:09,290
We would mark down
all of the directories
128
00:08:09,290 --> 00:08:12,740
and see if we have
access to anything.
129
00:08:12,740 --> 00:08:14,930
And that is our
basic enumeration.
130
00:08:14,930 --> 00:08:22,280
Again, this is a website
running on a Microsoft server
131
00:08:22,280 --> 00:08:26,150
because it's running
Microsoft IIS server.
132
00:08:26,150 --> 00:08:36,120
133
00:08:36,120 --> 00:08:38,970
You can feel free to let
your scan continue, see
134
00:08:38,970 --> 00:08:41,940
what directory,
subdirectories you find.
135
00:08:41,940 --> 00:08:46,070
But we're going to move
on to the next lesson.