1
00:00:00,000 --> 00:00:03,304
2
00:00:03,304 --> 00:00:06,608
[LOGO AUDIO]
3
00:00:06,608 --> 00:00:10,254
4
00:00:10,254 --> 00:00:15,800
We looked at Windows servers
for hosting websites for HTTP.
5
00:00:15,800 --> 00:00:19,460
Now we're going to look
at a Ubuntu, a Linux Unix
6
00:00:19,460 --> 00:00:23,653
distribution and see
it running Apache.
7
00:00:23,653 --> 00:00:24,570
How is that different?
8
00:00:24,570 --> 00:00:26,015
What does it look like?
9
00:00:26,015 --> 00:00:29,160
You're going to find
it's very much the same.
10
00:00:29,160 --> 00:00:32,890
Just once we get to
the operating system,
11
00:00:32,890 --> 00:00:35,190
we're going to interact
a little differently when
12
00:00:35,190 --> 00:00:37,680
we have a shell, when
we're interacting
13
00:00:37,680 --> 00:00:39,730
with the actual machine.
14
00:00:39,730 --> 00:00:44,100
But most of it's going
to look very similar
15
00:00:44,100 --> 00:00:45,450
up until that point.
16
00:00:45,450 --> 00:00:52,700
17
00:00:52,700 --> 00:00:54,500
We have just a terminal.
18
00:00:54,500 --> 00:00:56,305
So let's get our IP address.
19
00:00:56,305 --> 00:01:05,310
20
00:01:05,310 --> 00:01:06,980
So it's saying my IP
address with a .3.
21
00:01:06,980 --> 00:01:15,630
22
00:01:15,630 --> 00:01:17,580
So we'll use that.
23
00:01:17,580 --> 00:01:20,526
And it comes back port 80 open.
24
00:01:20,526 --> 00:01:25,545
Once you could adjust
port 80 per services scan.
25
00:01:25,545 --> 00:01:34,710
26
00:01:34,710 --> 00:01:40,930
And it comes back with
Apache HTTPD 2.4.1.8.
27
00:01:40,930 --> 00:01:43,920
That's useful information.
28
00:01:43,920 --> 00:01:46,310
Now we'll take that
and run Script Header.
29
00:01:46,310 --> 00:01:48,860
30
00:01:48,860 --> 00:01:49,835
Sorry, Script Banner.
31
00:01:49,835 --> 00:01:55,480
32
00:01:55,480 --> 00:01:58,315
And it should return
banner information for us.
33
00:01:58,315 --> 00:02:03,950
34
00:02:03,950 --> 00:02:07,570
The banner being the information
that your machine receives
35
00:02:07,570 --> 00:02:10,030
the first time it connects
remotely to another machine.
36
00:02:10,030 --> 00:02:17,640
37
00:02:17,640 --> 00:02:21,450
In this situation, it says
the server is an Apache
38
00:02:21,450 --> 00:02:30,020
2.4.18 running on Ubuntu.
39
00:02:30,020 --> 00:02:34,520
Let's jump into MSF Console,
something we haven't done yet
40
00:02:34,520 --> 00:02:35,345
with this protocol.
41
00:02:35,345 --> 00:02:42,720
42
00:02:42,720 --> 00:02:46,770
The Metasploit framework
comes with some very useful
43
00:02:46,770 --> 00:02:51,030
auxiliary modules,
scanners, that
44
00:02:51,030 --> 00:02:56,430
will enumerate all sorts
of useful stuff for you.
45
00:02:56,430 --> 00:03:03,670
46
00:03:03,670 --> 00:03:06,180
Yeah, so are our hosts
to our IP address.
47
00:03:06,180 --> 00:03:08,910
48
00:03:08,910 --> 00:03:13,040
And you can look at
the options real fast.
49
00:03:13,040 --> 00:03:14,900
It's going to
connect to port 80.
50
00:03:14,900 --> 00:03:18,760
It's not encrypted
with SSL, so we don't
51
00:03:18,760 --> 00:03:21,980
need to negotiate SSL or TLS.
52
00:03:21,980 --> 00:03:25,730
If it was on port 443,
it might be different,
53
00:03:25,730 --> 00:03:27,762
should be different,
would be different.
54
00:03:27,762 --> 00:03:31,070
55
00:03:31,070 --> 00:03:33,980
Let's run this.
56
00:03:33,980 --> 00:03:34,700
That was fast.
57
00:03:34,700 --> 00:03:38,690
It came back with Apache
2.4.18, which is nothing new.
58
00:03:38,690 --> 00:03:40,415
It's what we kind of expected.
59
00:03:40,415 --> 00:03:45,460
60
00:03:45,460 --> 00:03:50,800
Another thing we
could do is Curl Page.
61
00:03:50,800 --> 00:03:56,570
And I'm going to pipe it
to More just because I
62
00:03:56,570 --> 00:03:59,520
know it's going to give
us a lot of information.
63
00:03:59,520 --> 00:04:01,300
More gives you one
page at a time.
64
00:04:01,300 --> 00:04:04,760
So DOC type is HTML.
65
00:04:04,760 --> 00:04:09,140
And here's that
header information,
66
00:04:09,140 --> 00:04:11,250
which shows that
it's about to 2.
67
00:04:11,250 --> 00:04:16,130
68
00:04:16,130 --> 00:04:17,590
Can be quite useful.
69
00:04:17,590 --> 00:04:26,640
70
00:04:26,640 --> 00:04:29,560
And another tool is
going to be WGET.
71
00:04:29,560 --> 00:04:31,675
WGET will retrieve web files.
72
00:04:31,675 --> 00:04:36,110
73
00:04:36,110 --> 00:04:40,990
So if we ask it for
the index file, which
74
00:04:40,990 --> 00:04:47,290
is usually the Home page for a
website, it will download it.
75
00:04:47,290 --> 00:04:49,160
And we see we've
got index there.
76
00:04:49,160 --> 00:04:53,200
So we could CAT index
and pipe that to More.
77
00:04:53,200 --> 00:04:55,930
78
00:04:55,930 --> 00:04:57,130
And it's the same file.
79
00:04:57,130 --> 00:05:03,470
80
00:05:03,470 --> 00:05:05,230
Another tool we can
look at is Browsh.
81
00:05:05,230 --> 00:05:08,050
82
00:05:08,050 --> 00:05:13,960
And we give it a Startup URL.
83
00:05:13,960 --> 00:05:16,515
84
00:05:16,515 --> 00:05:19,900
And it needs it as--
no, that's fine--
85
00:05:19,900 --> 00:05:23,040
as night viewers.
86
00:05:23,040 --> 00:05:25,830
It's going to render in
the command line what
87
00:05:25,830 --> 00:05:27,090
our website looks like.
88
00:05:27,090 --> 00:05:30,930
It looks like it's an Apache
2, Ubuntu default web page.
89
00:05:30,930 --> 00:05:33,560
90
00:05:33,560 --> 00:05:35,540
This is all useful
information that we
91
00:05:35,540 --> 00:05:40,540
would want to write down in
our notes for enumeration.
92
00:05:40,540 --> 00:05:45,960
93
00:05:45,960 --> 00:05:47,610
Get out of here.
94
00:05:47,610 --> 00:05:54,550
Control-W.
95
00:05:54,550 --> 00:05:58,390
Another great tool is Lynx.
96
00:05:58,390 --> 00:06:05,710
And you pass this one
as the URL with an HTTP.
97
00:06:05,710 --> 00:06:10,710
98
00:06:10,710 --> 00:06:12,780
And it's very similar
to what we just
99
00:06:12,780 --> 00:06:18,900
saw, less GUI, more just
reading and parsing out
100
00:06:18,900 --> 00:06:22,110
the text for you in something
that's a little easier
101
00:06:22,110 --> 00:06:29,680
on the eyes than the default.
102
00:06:29,680 --> 00:06:31,563
HTML.
103
00:06:31,563 --> 00:06:32,480
Sure you want to quit?
104
00:06:32,480 --> 00:06:32,980
Yes.
105
00:06:32,980 --> 00:06:41,750
106
00:06:41,750 --> 00:06:47,240
We can use DIRB, but we're going
to jump back into MSF Console
107
00:06:47,240 --> 00:06:48,683
since we've already done DIRB.
108
00:06:48,683 --> 00:06:58,840
109
00:06:58,840 --> 00:07:04,060
And again, we use an
auxiliary scanner for HTTP.
110
00:07:04,060 --> 00:07:05,755
This one is going
to be Brute Dirs.
111
00:07:05,755 --> 00:07:12,724
112
00:07:12,724 --> 00:07:18,650
Showing quite a few options.
113
00:07:18,650 --> 00:07:21,170
We'll set Rhosts to our IP.
114
00:07:21,170 --> 00:07:25,670
115
00:07:25,670 --> 00:07:29,560
Mostly all the
yeses were filled.
116
00:07:29,560 --> 00:07:35,350
We will delete, or exploit
rather than typing Run.
117
00:07:35,350 --> 00:07:45,580
118
00:07:45,580 --> 00:07:47,200
And what this will
do is, it's going
119
00:07:47,200 --> 00:07:55,440
to use a word list,
one that comes
120
00:07:55,440 --> 00:07:58,140
with Metasploit framework.
121
00:07:58,140 --> 00:08:02,130
Let's see if it can't find
some directories for us.
122
00:08:02,130 --> 00:08:03,800
So it found DIR,
it found Source.
123
00:08:03,800 --> 00:08:08,680
124
00:08:08,680 --> 00:08:14,160
And since it's the Ubuntu Apache
default website, not expecting
125
00:08:14,160 --> 00:08:18,995
to find many directories.
126
00:08:18,995 --> 00:08:22,115
If we did find more directories,
that might be telling.
127
00:08:22,115 --> 00:08:27,670
128
00:08:27,670 --> 00:08:31,540
We'll look at the
non-Metasploit version of that.
129
00:08:31,540 --> 00:08:32,440
So DIRB.
130
00:08:32,440 --> 00:08:35,020
131
00:08:35,020 --> 00:08:37,675
Instead of an IP
address you would URL.
132
00:08:37,675 --> 00:08:40,580
133
00:08:40,580 --> 00:08:42,890
And let's give it
the same word list
134
00:08:42,890 --> 00:08:46,340
that we just used,
the Metasploit
135
00:08:46,340 --> 00:08:56,270
framework for Directory.txt.
136
00:08:56,270 --> 00:09:08,710
137
00:09:08,710 --> 00:09:09,505
Data word lists.
138
00:09:09,505 --> 00:09:13,480
139
00:09:13,480 --> 00:09:15,240
That one went a lot faster.
140
00:09:15,240 --> 00:09:17,960
Came back with
Data and DIR, same
141
00:09:17,960 --> 00:09:20,480
as we found with Metasploit.
142
00:09:20,480 --> 00:09:26,250
143
00:09:26,250 --> 00:09:29,340
The last thing we want to
look at is the Robots.txt.
144
00:09:29,340 --> 00:09:33,850
145
00:09:33,850 --> 00:09:39,150
So Robots.txt is what a web
browser, what a search engine,
146
00:09:39,150 --> 00:09:43,410
utilizes in order to understand
which pages, which files,
147
00:09:43,410 --> 00:09:48,360
are within bounds
to spider and read,
148
00:09:48,360 --> 00:09:52,590
and include in search
results, and what
149
00:09:52,590 --> 00:09:54,360
files it doesn't want read.
150
00:09:54,360 --> 00:09:56,730
Or maybe what browsers
it doesn't want
151
00:09:56,730 --> 00:09:58,090
to be reading these things.
152
00:09:58,090 --> 00:10:02,410
So that Robots.txt file can
usually be very helpful.
153
00:10:02,410 --> 00:10:06,000
It could tell us all of the
subdirectories and directories
154
00:10:06,000 --> 00:10:12,710
because it's got to tell the
search engine to read or not
155
00:10:12,710 --> 00:10:14,275
read them.
156
00:10:14,275 --> 00:10:15,900
Sometimes you get
all that information,
157
00:10:15,900 --> 00:10:16,850
other times you don't.
158
00:10:16,850 --> 00:10:18,110
But let's give it a try.
159
00:10:18,110 --> 00:10:24,600
160
00:10:24,600 --> 00:10:28,661
In this case, we will
hop back into Metasploit.
161
00:10:28,661 --> 00:10:40,450
162
00:10:40,450 --> 00:10:44,890
It's very useful if you start
doing things in Metasploit
163
00:10:44,890 --> 00:10:46,615
to just keep it up.
164
00:10:46,615 --> 00:10:49,160
165
00:10:49,160 --> 00:10:52,590
If you only have one tab,
you only have command line,
166
00:10:52,590 --> 00:10:54,330
then sometimes
that's not an option.
167
00:10:54,330 --> 00:10:57,070
168
00:10:57,070 --> 00:11:01,870
We're going to use this
HTTP Robots.txt scanner.
169
00:11:01,870 --> 00:11:04,440
170
00:11:04,440 --> 00:11:05,660
Set our Rhosts hosts.
171
00:11:05,660 --> 00:11:09,190
172
00:11:09,190 --> 00:11:11,770
It's always best to check
your options with Metasploit.
173
00:11:11,770 --> 00:11:14,330
174
00:11:14,330 --> 00:11:15,800
Make sure that
everything that says
175
00:11:15,800 --> 00:11:19,010
"Yes" in the required
column, actually
176
00:11:19,010 --> 00:11:22,790
has a current setting
that makes sense to us.
177
00:11:22,790 --> 00:11:24,650
.3 on 80.
178
00:11:24,650 --> 00:11:29,270
179
00:11:29,270 --> 00:11:29,990
More on that.
180
00:11:29,990 --> 00:11:32,816
181
00:11:32,816 --> 00:11:34,895
That went pretty fast.
182
00:11:34,895 --> 00:11:38,340
183
00:11:38,340 --> 00:11:42,240
So any user agents allowed,
so any sort of browser works.
184
00:11:42,240 --> 00:11:48,825
Then we have these
Disallows, CGI bin, and Junk.
185
00:11:48,825 --> 00:11:51,963
186
00:11:51,963 --> 00:11:54,005
Maybe if it was the Gibson,
it would say garbage.
187
00:11:54,005 --> 00:11:58,870
188
00:11:58,870 --> 00:12:00,520
And we use the user
agent of Badbot.
189
00:12:00,520 --> 00:12:03,220
190
00:12:03,220 --> 00:12:05,852
What was disallowed
was No Badbot Dir.
191
00:12:05,852 --> 00:12:13,090
192
00:12:13,090 --> 00:12:22,030
That could be useful if we did
a Curl of the website looking
193
00:12:22,030 --> 00:12:23,290
at CGI bin.
194
00:12:23,290 --> 00:12:27,362
195
00:12:27,362 --> 00:12:28,695
Pipe that to More, just in case.
196
00:12:28,695 --> 00:12:32,810
197
00:12:32,810 --> 00:12:37,760
We got a 404.
198
00:12:37,760 --> 00:12:41,770
Knowing that CGI bin
exists might be helpful.
199
00:12:41,770 --> 00:12:45,460
This case, got a 403 forbidden.
200
00:12:45,460 --> 00:12:48,850
So that can be potentially
useful later for exploitation
201
00:12:48,850 --> 00:12:50,155
or for auditing.
202
00:12:50,155 --> 00:12:57,220
203
00:12:57,220 --> 00:12:59,770
And with that, we've
looked at now a Windows
204
00:12:59,770 --> 00:13:04,600
server running HTTP and a
Linux server running HTTP.
205
00:13:04,600 --> 00:13:07,060
There's a lot more that you
can get into with a website
206
00:13:07,060 --> 00:13:10,250
and with HTTP, specifically.
207
00:13:10,250 --> 00:13:13,470
And we will cover that
in its own section.
208
00:13:13,470 --> 00:13:14,000