1
00:00:00,000 --> 00:00:09,710
2
00:00:09,710 --> 00:00:12,530
In this lesson, we're going
to dig in a little more.
3
00:00:12,530 --> 00:00:14,270
We looked at a few
different tools
4
00:00:14,270 --> 00:00:16,190
for enumerating a website.
5
00:00:16,190 --> 00:00:17,800
Websites are really important.
6
00:00:17,800 --> 00:00:20,390
You're going to see them,
again, internally or externally
7
00:00:20,390 --> 00:00:22,295
to a network.
8
00:00:22,295 --> 00:00:28,430
9
00:00:28,430 --> 00:00:30,140
And we're going to
utilize some Nmap
10
00:00:30,140 --> 00:00:32,600
scripts to enumerate even more.
11
00:00:32,600 --> 00:00:36,755
And you've been
given our IP address.
12
00:00:36,755 --> 00:00:41,430
13
00:00:41,430 --> 00:00:44,790
I always see the same
results, as in the past.
14
00:00:44,790 --> 00:00:49,440
But port 80 is open
with HTTP, and that's
15
00:00:49,440 --> 00:00:54,010
what we care about
most right now.
16
00:00:54,010 --> 00:00:57,540
I'll run a service scan.
17
00:00:57,540 --> 00:01:11,630
HTTP is open, so open Firefox,
navigate to the website,
18
00:01:11,630 --> 00:01:15,310
and we get webgoat.net
on the Default.aspx.
19
00:01:15,310 --> 00:01:18,870
20
00:01:18,870 --> 00:01:25,080
And we're running
Microsoft HTTPAPI httpd
21
00:01:25,080 --> 00:01:31,170
2.0, which is rather useful.
22
00:01:31,170 --> 00:01:37,180
But we could run some
further enumeration.
23
00:01:37,180 --> 00:01:40,720
Let's look at just
port 80, and we'll
24
00:01:40,720 --> 00:01:44,395
run a script with http-enum.
25
00:01:44,395 --> 00:01:51,710
26
00:01:51,710 --> 00:01:55,130
The script is going to
return not just what service
27
00:01:55,130 --> 00:01:58,940
is running, but also maybe
some directories that
28
00:01:58,940 --> 00:02:03,170
are very common, similar
to running [INAUDIBLE],
29
00:02:03,170 --> 00:02:04,865
but with a very select list.
30
00:02:04,865 --> 00:02:10,350
31
00:02:10,350 --> 00:02:12,990
We got our results
back, and you see
32
00:02:12,990 --> 00:02:15,540
there is a content directory,
a downloads directory,
33
00:02:15,540 --> 00:02:25,240
and a webdav, all marked
as potentially interesting
34
00:02:25,240 --> 00:02:25,740
folders.
35
00:02:25,740 --> 00:02:31,210
36
00:02:31,210 --> 00:02:33,370
We could navigate
and try to connect
37
00:02:33,370 --> 00:02:37,300
to them through a browser,
but there's another script
38
00:02:37,300 --> 00:02:38,260
that we can run.
39
00:02:38,260 --> 00:02:42,025
This one is going to be
web, or HTTP, headers.
40
00:02:42,025 --> 00:02:46,410
41
00:02:46,410 --> 00:02:48,810
We'll let that script
run, along with the scan.
42
00:02:48,810 --> 00:02:55,590
43
00:02:55,590 --> 00:03:02,000
And this one returned
more information--
44
00:03:02,000 --> 00:03:07,440
the straightforward
HTTP header information,
45
00:03:07,440 --> 00:03:14,250
which is where we find out
that it's Microsoft IIS 10.0.
46
00:03:14,250 --> 00:03:18,150
We can also dig in, and it
shows that cross-site scripting
47
00:03:18,150 --> 00:03:19,080
protection is off.
48
00:03:19,080 --> 00:03:24,300
49
00:03:24,300 --> 00:03:25,670
X-Powered-By: ASP.NET.
50
00:03:25,670 --> 00:03:29,440
51
00:03:29,440 --> 00:03:32,310
So it's potentially
useful for us.
52
00:03:32,310 --> 00:03:35,203
All of this, we would
want to save in our notes
53
00:03:35,203 --> 00:03:36,120
to come back to later.
54
00:03:36,120 --> 00:03:41,860
55
00:03:41,860 --> 00:03:48,300
Another thing that's useful
to look at is methods,
56
00:03:48,300 --> 00:03:52,740
and we'll pass arguments--
57
00:03:52,740 --> 00:03:56,230
58
00:03:56,230 --> 00:03:57,480
http-methods.url.
59
00:03:57,480 --> 00:04:04,780
60
00:04:04,780 --> 00:04:09,490
We're going to dig
into this webdav
61
00:04:09,490 --> 00:04:12,160
and see if there's anything
we can do in there.
62
00:04:12,160 --> 00:04:25,955
63
00:04:25,955 --> 00:04:29,230
And we find out the
supported methods,
64
00:04:29,230 --> 00:04:32,185
OPTIONS, TRACE, GET,
GET being very common,
65
00:04:32,185 --> 00:04:35,200
it's what we're most
used to, or POST.
66
00:04:35,200 --> 00:04:45,730
But websites are just APIs, and
you've got all these methods.
67
00:04:45,730 --> 00:04:49,540
Some of these could
be quite useful,
68
00:04:49,540 --> 00:04:52,610
but we won't dig
into why just yet.
69
00:04:52,610 --> 00:04:55,660
We'll save that for
an HTTP section.
70
00:04:55,660 --> 00:04:57,580
Right now, we're
just enumerating.
71
00:04:57,580 --> 00:05:00,970
So we tested webdav, came up
with these potentially risky
72
00:05:00,970 --> 00:05:01,900
ones.
73
00:05:01,900 --> 00:05:04,180
We would want to write
that down in our notes,
74
00:05:04,180 --> 00:05:08,470
maybe check the other
directories that we found.
75
00:05:08,470 --> 00:05:12,330
76
00:05:12,330 --> 00:05:16,810
What's really helpful--
we found a webdav.
77
00:05:16,810 --> 00:05:25,990
Well, there's an
HTTP webdav scan,
78
00:05:25,990 --> 00:05:37,140
and we'll pass the
same URL, and this
79
00:05:37,140 --> 00:05:45,390
will help identify webdav
installations utilizing OPTIONS
80
00:05:45,390 --> 00:05:46,395
and PROPFIND methods.
81
00:05:46,395 --> 00:05:53,710
82
00:05:53,710 --> 00:05:58,610
So just more useful
information that we will
83
00:05:58,610 --> 00:06:03,125
want to write down and store
for the auditing phase.
84
00:06:03,125 --> 00:06:08,970
85
00:06:08,970 --> 00:06:12,930
Now, that's two Windows
servers that we've looked at.
86
00:06:12,930 --> 00:06:16,350
But what's really most
common out there in the wild
87
00:06:16,350 --> 00:06:20,390
is Linux servers, so we'll
take a look at that next.
88
00:06:20,390 --> 00:06:21,000