1
00:00:00,090 --> 00:00:05,750
The next several videos are going to talk about Web information gathering.
2
00:00:05,850 --> 00:00:13,440
So this is going to be important because a lot of the times we're going to be tasked with a web penetration
3
00:00:13,440 --> 00:00:19,060
test or we might encounter a Web site on an external or internal penetration test.
4
00:00:19,230 --> 00:00:26,520
And being able to gather information and perform enumeration on those Web sites is super important.
5
00:00:26,520 --> 00:00:32,160
So what I'm going to show you throughout is how to gather some of the information passively that is
6
00:00:32,220 --> 00:00:37,710
out there and then we'll talk about active methods that actually involve going out to the Web site and
7
00:00:37,710 --> 00:00:39,970
gathering information that way as well.
8
00:00:40,290 --> 00:00:47,100
So the first and most important thing especially when it comes to Web sites or bug bounty hunting etc.
9
00:00:47,490 --> 00:00:54,360
is that we need to identify what subdomains are out there, and you saw earlier when we were looking
10
00:00:54,360 --> 00:00:55,240
at Tesla.
11
00:00:55,340 --> 00:01:00,390
It had a scope of something like asterisk dot Tesla dot com.
12
00:01:00,580 --> 00:01:03,100
This asterisk is a wildcard.
13
00:01:03,150 --> 00:01:10,230
This means that anything and everything is open to us in the scope except it was out of scope in the
14
00:01:10,230 --> 00:01:12,370
subdomain range.
15
00:01:12,450 --> 00:01:19,710
Now we can utilize tools to our advantage to discover these subdomains. Why are subdomains important?
16
00:01:19,710 --> 00:01:27,600
Well we might run into something that is like a dev dot Tesla dot com or we might run into a Web site
17
00:01:27,630 --> 00:01:29,090
that should've never been out there, right?
18
00:01:29,100 --> 00:01:37,770
Like the dev or like test site dot Tesla dot com, for example, or you might find login forms. Another
19
00:01:37,770 --> 00:01:43,980
reason that it's so important is because if you just look at Tesla dot com you're limiting yourself
20
00:01:44,010 --> 00:01:50,040
to one website where there could be potentially tons of Web sites on these subdomains.
21
00:01:50,070 --> 00:01:56,090
So we really really need to hunt these and be certain that we're incorporating everything that we can
22
00:01:56,110 --> 00:01:57,810
when we're doing our assessments.
23
00:01:57,810 --> 00:02:02,590
So one great tool that I want to point out is a tool called Sublist3r.
24
00:02:02,610 --> 00:02:04,010
Now we need to install that.
25
00:02:04,060 --> 00:02:08,850
Let's type in apt install sublist3r, like this.
26
00:02:13,180 --> 00:02:13,480
OK.
27
00:02:13,510 --> 00:02:21,290
And this will just take a second to get it all set up and we will utilize this tool to get these subdomains.
28
00:02:21,310 --> 00:02:21,670
OK.
29
00:02:21,670 --> 00:02:28,120
Now that it's set up, all we have to do is type in sublist3r, hit tab for autocomplete, hit enter, and
30
00:02:28,120 --> 00:02:30,760
it gives you the syntax.
31
00:02:30,820 --> 00:02:38,230
We can do a dash dash h for help or dash h for help, and all we really need here is a domain, so we can
32
00:02:38,230 --> 00:02:45,610
say dash D for Tesla dot com and it's going to start searching for Tesla dot com.
33
00:02:45,610 --> 00:02:48,500
And don't worry about this error if you get the error.
34
00:02:48,820 --> 00:02:54,000
So it's looking through all these different search engines, similar to what theHarvester was doing.
35
00:02:54,190 --> 00:02:59,830
But you're going to see that it's returned quite a bit more, so we see Baidu, Yahoo, Google; go through
36
00:02:59,830 --> 00:03:02,270
all these and try to search.
37
00:03:02,380 --> 00:03:06,440
Now while this is going on I want to point out another way to do this.
38
00:03:06,490 --> 00:03:16,840
So let's go out to the Web and let's go and load up another site called crt.sh, with a crt dot S H
39
00:03:16,840 --> 00:03:18,310
like this.
40
00:03:18,320 --> 00:03:21,790
Gonna load up a Web site like so. Let's make this a little bigger for you.
41
00:03:22,660 --> 00:03:25,480
And we can do the wildcard ourselves.
42
00:03:25,510 --> 00:03:27,500
You see the percentage is a wildcard.
43
00:03:27,760 --> 00:03:31,460
So we're just gonna say percent Tesla dot com.
44
00:03:31,480 --> 00:03:36,070
Now all we're doing is we're using cert fingerprinting.
45
00:03:36,070 --> 00:03:41,920
Now we're gonna go out and look for certificates that have been registered and it's going to attempt
46
00:03:41,920 --> 00:03:47,890
to find those and tell us what's out there, so you can see that we can find energysupport dot Tesla dot
47
00:03:47,890 --> 00:03:55,030
com, gridlogic dot energy dot Tesla dot com, and we would scroll through these and try to identify all
48
00:03:55,030 --> 00:04:01,120
the different ones, like SSO, so single sign-on, that might be interesting, if I could find anything in here
49
00:04:01,120 --> 00:04:07,720
that's like VPN dot Tesla dot com or dev dot Tesla dot com, any sort of thing like that.
50
00:04:07,810 --> 00:04:12,890
I'm also interested in it. API toolbox could very well be interesting.
51
00:04:12,980 --> 00:04:16,250
SSO dash dev dot Tesla dot com.
52
00:04:16,300 --> 00:04:21,820
So these are the sort of things that we're after and you see right now that we have different levels
53
00:04:21,820 --> 00:04:30,340
to domains like here you see that we have our subdomain but what about a sub subdomain like a fourth
54
00:04:30,340 --> 00:04:31,770
level of a domain.
55
00:04:31,930 --> 00:04:35,760
You see gridlogic dot energy dot Tesla dot com.
56
00:04:35,980 --> 00:04:42,790
So we can go deeper and deeper when it comes to these domains, and what Sublist3r is going to be doing
57
00:04:42,790 --> 00:04:47,560
right now is it's going to try to find just the sub subdomain.
58
00:04:47,570 --> 00:04:49,370
So it's going to look for third levels.
59
00:04:49,510 --> 00:04:55,210
It would not discover this gridlogic dot energy dot Tesla dot com without a little bit of finagling
60
00:04:55,570 --> 00:04:58,690
and looking through the help to figure out how to do that.
61
00:04:58,870 --> 00:05:05,320
So we can come to a site like crt.sh to see if we could find any additional subdomains within this,
62
00:05:05,710 --> 00:05:09,040
and we can utilize tools like Sublist3r as well.
63
00:05:09,040 --> 00:05:14,740
So I'm going to let this finish, but in the next video I'm going to show you
64
00:05:15,130 --> 00:05:21,670
how to improve upon this process with some tools that have been written in Go that I think are fantastic.
65
00:05:21,670 --> 00:05:26,620
So I'm going to let this run; we're going to have part 2 of this video where we actually review the results
66
00:05:26,920 --> 00:05:29,010
and then we'll go from there.
67
00:05:29,020 --> 00:05:31,090
So I will see you over in the next video.