1
00:00:00,210 --> 00:00:02,850
-: CentralOps.net and sites like it are a wonderful resource
2
00:00:02,850 --> 00:00:03,683
for the hacker,
3
00:00:03,683 --> 00:00:05,160
as it helps to provide some anonymity
4
00:00:05,160 --> 00:00:06,510
during our assessments.
5
00:00:06,510 --> 00:00:08,640
CentralOps allows us to create a Domain Dossier
6
00:00:08,640 --> 00:00:10,440
or Email Dossier on our victims.
7
00:00:10,440 --> 00:00:12,180
It gathers openly available information,
8
00:00:12,180 --> 00:00:13,800
such as the owner of the domain names,
9
00:00:13,800 --> 00:00:14,970
the technical contacts,
10
00:00:14,970 --> 00:00:15,900
technical details,
11
00:00:15,900 --> 00:00:17,430
and the network ranges involved.
12
00:00:17,430 --> 00:00:19,830
This is key information that's required for us to gather
13
00:00:19,830 --> 00:00:21,660
as we attempt to understand the victim network
14
00:00:21,660 --> 00:00:23,550
and plan our attacks.
15
00:00:23,550 --> 00:00:26,280
We can use CentralOps from any computer with a web browser
16
00:00:26,280 --> 00:00:28,020
and since we already have our Kali machine connected
17
00:00:28,020 --> 00:00:30,180
to the internet, that's what we're gonna use.
18
00:00:30,180 --> 00:00:33,423
So from our Kali machine, we're gonna open up Firefox.
19
00:00:38,220 --> 00:00:40,443
From here, we're gonna go to CentralOps.net.
20
00:00:45,510 --> 00:00:47,160
So once we get to CentralOps.net,
21
00:00:47,160 --> 00:00:49,010
we're gonna go to the Domain Dossier.
22
00:00:50,910 --> 00:00:53,670
So now we need to pick a domain to look up or an IP address.
23
00:00:53,670 --> 00:00:55,743
For our example, I'm gonna use AVG.
24
00:00:57,330 --> 00:00:59,880
So AVG is an antivirus company located
25
00:00:59,880 --> 00:01:00,810
in the Netherlands.
26
00:01:00,810 --> 00:01:02,160
So we're gonna look them up
27
00:01:02,160 --> 00:01:03,870
and we're gonna choose all five options.
28
00:01:03,870 --> 00:01:06,270
We want the traceroute, the service scan, the DNS records
29
00:01:06,270 --> 00:01:08,283
the Whois of both network and domain.
30
00:01:09,600 --> 00:01:10,473
And then hit go.
31
00:01:12,570 --> 00:01:14,910
So the first thing we're gonna see,
32
00:01:14,910 --> 00:01:16,500
is our Address lookup
33
00:01:16,500 --> 00:01:19,650
and this is just gonna do a basic check of the name
34
00:01:19,650 --> 00:01:20,580
to the IP address.
35
00:01:20,580 --> 00:01:23,970
In this case, AVG will resolve to two different IP addresses
36
00:01:23,970 --> 00:01:25,570
as displayed here on the screen.
37
00:01:26,460 --> 00:01:28,800
After that we're gonna see the domain Whois record.
38
00:01:28,800 --> 00:01:32,010
Now with a large company like AVG or Yahoo or Google
39
00:01:32,010 --> 00:01:32,843
or somebody like that,
40
00:01:32,843 --> 00:01:34,800
you're not gonna get as much detailed information
41
00:01:34,800 --> 00:01:36,720
as you would if you had a small business.
42
00:01:36,720 --> 00:01:37,890
So in this case we can look
43
00:01:37,890 --> 00:01:40,230
at who they registered their domain through.
44
00:01:40,230 --> 00:01:43,353
Which in this case was MarkMonitor Incorporated.
45
00:01:44,310 --> 00:01:45,630
So we can see that
46
00:01:45,630 --> 00:01:47,670
and that might play into the spear phishing campaign
47
00:01:47,670 --> 00:01:50,270
but it's probably not real helpful for us right now.
48
00:01:51,240 --> 00:01:53,663
We're gonna go ahead and scroll down even further.
49
00:01:54,870 --> 00:01:56,700
The next thing we're gonna come to,
50
00:01:56,700 --> 00:01:58,500
is the detailed Whois record,
51
00:01:58,500 --> 00:02:01,200
and in here we're gonna see the registration information.
52
00:02:01,200 --> 00:02:03,510
We're gonna see who the person is registered to.
53
00:02:03,510 --> 00:02:05,550
In our case, since it's a large company
54
00:02:05,550 --> 00:02:07,590
they just put in Domain Administrator.
55
00:02:07,590 --> 00:02:09,960
If it's a small business, you'll usually see the owner
56
00:02:09,960 --> 00:02:10,830
of the business's name
57
00:02:10,830 --> 00:02:12,660
or their technical support people.
58
00:02:12,660 --> 00:02:13,770
You also will get information,
59
00:02:13,770 --> 00:02:15,270
such as where they are.
60
00:02:15,270 --> 00:02:17,790
In this case they are located in Amsterdam,
61
00:02:17,790 --> 00:02:19,860
with the street name listed there.
62
00:02:19,860 --> 00:02:21,210
You also get phone numbers.
63
00:02:21,210 --> 00:02:24,300
This can be useful as part of a pre-texting campaign as well
64
00:02:24,300 --> 00:02:26,220
and you'll get an email address.
65
00:02:26,220 --> 00:02:27,660
In the case of a large company like this,
66
00:02:27,660 --> 00:02:29,550
they probably are not monitoring this address
67
00:02:29,550 --> 00:02:32,160
but it's domainadministration@avg.com.
68
00:02:32,160 --> 00:02:33,870
If we had somebody's username in there,
69
00:02:33,870 --> 00:02:36,720
for instance Jason.Dion@avg.com,
70
00:02:36,720 --> 00:02:38,250
that could tell us the naming structure
71
00:02:38,250 --> 00:02:39,540
for email addresses that could be useful
72
00:02:39,540 --> 00:02:41,010
in a spear phishing campaign,
73
00:02:41,010 --> 00:02:42,630
or a good point of contact to use
74
00:02:42,630 --> 00:02:44,190
as part of a spear phishing campaign,
75
00:02:44,190 --> 00:02:46,590
such as the technical registration point of contact.
76
00:02:46,590 --> 00:02:48,750
If we have that information, we can use that
77
00:02:48,750 --> 00:02:50,283
as a way into the network.
78
00:02:51,360 --> 00:02:52,500
We're gonna continue scrolling down,
79
00:02:52,500 --> 00:02:53,800
see what else we can find.
80
00:02:56,610 --> 00:02:58,560
Again, Domain Administrator,
81
00:02:58,560 --> 00:02:59,820
Domain Administrator,
82
00:02:59,820 --> 00:03:00,900
not the most helpful thing
83
00:03:00,900 --> 00:03:03,660
because again, this is a large company.
84
00:03:03,660 --> 00:03:05,520
One of the things I noticed that's kind of interesting
85
00:03:05,520 --> 00:03:06,750
is their name servers.
86
00:03:06,750 --> 00:03:09,150
If you notice they're using akam.net.
87
00:03:09,150 --> 00:03:11,580
Akam is actually a large network service provider.
88
00:03:11,580 --> 00:03:13,650
They actually can help prevent denial of service attacks
89
00:03:13,650 --> 00:03:14,490
from occurring.
90
00:03:14,490 --> 00:03:15,840
So if that was gonna be our strategy
91
00:03:15,840 --> 00:03:16,860
to take down this network,
92
00:03:16,860 --> 00:03:18,690
it may not work as well.
93
00:03:18,690 --> 00:03:19,620
If they're a small business,
94
00:03:19,620 --> 00:03:20,820
they're probably not using akam
95
00:03:20,820 --> 00:03:21,720
and that may be a way
96
00:03:21,720 --> 00:03:23,340
that you can take down their network.
97
00:03:23,340 --> 00:03:25,800
But again, a denial of service is never used
98
00:03:25,800 --> 00:03:26,633
in ethical hacking.
99
00:03:26,633 --> 00:03:28,260
There's really no reason for it,
100
00:03:28,260 --> 00:03:30,900
but it's something we can consider using our research here.
101
00:03:30,900 --> 00:03:32,520
We're gonna go down to the Network record.
102
00:03:32,520 --> 00:03:34,380
Now the Network Whois,
103
00:03:34,380 --> 00:03:35,640
is a little bit different.
104
00:03:35,640 --> 00:03:37,470
You'll notice here it actually gives us a range,
105
00:03:37,470 --> 00:03:41,190
93.184.217.0
106
00:03:41,190 --> 00:03:42,840
up through .31,
107
00:03:42,840 --> 00:03:45,960
is actually being owned and operated by AVG.
108
00:03:45,960 --> 00:03:48,180
That means they have 31 IP addresses
109
00:03:48,180 --> 00:03:50,220
30 of which are routable on the internet.
110
00:03:50,220 --> 00:03:52,410
That is 30 possible targets,
111
00:03:52,410 --> 00:03:53,970
whether they're routers, firewalls,
112
00:03:53,970 --> 00:03:55,560
or actual servers tied to the internet
113
00:03:55,560 --> 00:03:56,910
that we could be looking at,
114
00:03:56,910 --> 00:03:59,210
if that is within the scope of our assessment.
115
00:04:00,630 --> 00:04:02,730
As we go down a little bit further,
116
00:04:02,730 --> 00:04:04,260
you can notice who actually registered
117
00:04:04,260 --> 00:04:07,710
for these IP addresses, Derrick Sawyer.
118
00:04:07,710 --> 00:04:09,720
So again, that can be a name that we can use
119
00:04:09,720 --> 00:04:11,580
as part of a pre-texting campaign,
120
00:04:11,580 --> 00:04:12,750
it may be a name that we use
121
00:04:12,750 --> 00:04:15,060
as part of an email phishing campaign.
122
00:04:15,060 --> 00:04:17,130
Lots of different uses when we find good names
123
00:04:17,130 --> 00:04:19,740
and good email addresses for people.
124
00:04:19,740 --> 00:04:22,040
We're gonna go down into our DNS records next.
125
00:04:26,190 --> 00:04:29,400
So in our DNS records, you'll see the DNS records
126
00:04:29,400 --> 00:04:31,710
for avg.com.
127
00:04:31,710 --> 00:04:33,960
There's two address records as we saw earlier.
128
00:04:33,960 --> 00:04:37,230
We see 93.184.217.9
129
00:04:37,230 --> 00:04:40,380
and then we see 93.184.211.28.
130
00:04:40,380 --> 00:04:41,310
These are two different servers
131
00:04:41,310 --> 00:04:43,743
that are answering up for the name avg.com.
132
00:04:44,640 --> 00:04:45,630
This is probably being done
133
00:04:45,630 --> 00:04:47,670
because AVG is such a large company.
134
00:04:47,670 --> 00:04:49,050
One server couldn't handle the loads.
135
00:04:49,050 --> 00:04:52,140
So they have two servers that are acting as content switches
136
00:04:52,140 --> 00:04:54,510
to provide that service to their customers.
137
00:04:54,510 --> 00:04:56,220
And then again, we see akam.net
138
00:04:56,220 --> 00:04:57,630
as the name servers answering up.
139
00:04:57,630 --> 00:04:59,850
So again, it's gonna be load sharing
140
00:04:59,850 --> 00:05:01,830
and helping to handle a large amount
141
00:05:01,830 --> 00:05:04,410
of load that would come against those servers.
142
00:05:04,410 --> 00:05:06,143
Next we're gonna look at Traceroute.
143
00:05:11,070 --> 00:05:14,130
So it starts out from the servers at CentralOps
144
00:05:14,130 --> 00:05:15,960
and goes out across the internet
145
00:05:15,960 --> 00:05:18,000
until it finds where it's going.
146
00:05:18,000 --> 00:05:20,340
In this case, once we get to the ***
147
00:05:20,340 --> 00:05:22,260
in line 10 through 13,
148
00:05:22,260 --> 00:05:24,150
that's usually where it hits firewalls
149
00:05:24,150 --> 00:05:26,160
and some companies will not respond to pings
150
00:05:26,160 --> 00:05:27,300
or Traceroutes.
151
00:05:27,300 --> 00:05:28,133
And the reason why
152
00:05:28,133 --> 00:05:29,940
is they don't want you mapping their network.
153
00:05:29,940 --> 00:05:31,950
So we know they have at least some firewalls
154
00:05:31,950 --> 00:05:33,570
and some border security there.
155
00:05:33,570 --> 00:05:34,830
Again, we already figured that out
156
00:05:34,830 --> 00:05:37,560
because of the akam.net being the ones answering up
157
00:05:37,560 --> 00:05:38,670
for their domain name.
158
00:05:38,670 --> 00:05:40,830
So we know that they're pretty secure.
159
00:05:40,830 --> 00:05:42,720
Now we'll move on to the Service scan.
160
00:05:42,720 --> 00:05:45,300
And here in the service scan you'll see that FTP Timed out,
161
00:05:45,300 --> 00:05:47,010
SMTP Timed out,
162
00:05:47,010 --> 00:05:49,380
web browsing port 80 is open.
163
00:05:49,380 --> 00:05:50,700
POP servers, IMAP server
164
00:05:50,700 --> 00:05:52,530
and HTTPS, all have timed out
165
00:05:52,530 --> 00:05:53,580
and this is pretty typical
166
00:05:53,580 --> 00:05:56,040
when using a large company like AVG.
167
00:05:56,040 --> 00:05:57,540
So let's do another Domain Dossier.
168
00:05:57,540 --> 00:05:59,690
This time we're gonna use a small business.
169
00:06:01,260 --> 00:06:04,270
From Domain Dossier, I'm gonna go to titancipher.com
170
00:06:07,950 --> 00:06:08,907
and I'm gonna use Service Scan
171
00:06:08,907 --> 00:06:11,493
and Traceroute, and then hit Go.
172
00:06:12,780 --> 00:06:14,940
Now titancipher.com is a domain that I own.
173
00:06:14,940 --> 00:06:16,890
It's hosted on a small server,
174
00:06:16,890 --> 00:06:18,960
it's used on a WordPress platform,
175
00:06:18,960 --> 00:06:20,640
which is actually hosted by Bluehost.
176
00:06:20,640 --> 00:06:23,280
And as we go through, you're gonna see that.
177
00:06:23,280 --> 00:06:24,450
It's gonna look a lot different
178
00:06:24,450 --> 00:06:26,550
than the AVG answers we got last time.
179
00:06:26,550 --> 00:06:30,570
So in this case, we have a single IP address
180
00:06:30,570 --> 00:06:32,330
which is answering up for TitanCipher.
181
00:06:32,330 --> 00:06:34,200
If we go into the domain records, you'll see
182
00:06:34,200 --> 00:06:36,750
that it's bluehost.com. That tells me who they're using,
183
00:06:36,750 --> 00:06:38,550
and the fact that they're using Bluehost tells you
184
00:06:38,550 --> 00:06:40,860
they're probably using WordPress as their platform
185
00:06:40,860 --> 00:06:42,360
because Bluehost is known for that.
186
00:06:42,360 --> 00:06:44,790
So if you could find vulnerabilities in WordPress
187
00:06:44,790 --> 00:06:47,490
you can then use those against that particular domain.
188
00:06:48,450 --> 00:06:49,440
Next we're gonna scroll down
189
00:06:49,440 --> 00:06:50,580
and you'll see more information
190
00:06:50,580 --> 00:06:52,080
about the actual person who owns it,
191
00:06:52,080 --> 00:06:53,520
their name their address,
192
00:06:53,520 --> 00:06:55,650
their phone numbers, their email addresses,
193
00:06:55,650 --> 00:06:57,500
all information that could be useful.
194
00:06:58,470 --> 00:06:59,910
Again, for a spear phishing campaign
195
00:06:59,910 --> 00:07:01,587
or something of that nature.
196
00:07:01,587 --> 00:07:02,820
Network Whois...
197
00:07:02,820 --> 00:07:04,170
so Network Whois again,
198
00:07:04,170 --> 00:07:06,180
that's gonna show us who owns the IP addresses.
199
00:07:06,180 --> 00:07:07,470
In this case, it's actually owned
200
00:07:07,470 --> 00:07:09,450
by Unified Layer Networks.
201
00:07:09,450 --> 00:07:10,950
They own a large block,
202
00:07:10,950 --> 00:07:12,870
then they've given part of that block to Bluehost,
203
00:07:12,870 --> 00:07:16,080
who then gave a single IP to titancipher.com.
204
00:07:16,080 --> 00:07:18,840
So if you notice here, they have a class A address.
205
00:07:18,840 --> 00:07:22,680
So the /16, they're gonna have over 64,000 IPs.
206
00:07:22,680 --> 00:07:23,970
You don't wanna just go in there blindly
207
00:07:23,970 --> 00:07:25,530
and scan 64,000 IPs,
208
00:07:25,530 --> 00:07:28,320
if you're targeting one titancipher.com,
209
00:07:28,320 --> 00:07:29,370
it wouldn't make any sense.
210
00:07:29,370 --> 00:07:31,620
So this is gonna help you identify who owns the network
211
00:07:31,620 --> 00:07:33,330
and what parts of the network there are.
212
00:07:33,330 --> 00:07:34,950
I'm gonna scroll down a little further
213
00:07:38,580 --> 00:07:40,680
and we're gonna find the DNS records.
214
00:07:40,680 --> 00:07:42,540
Now the DNS records here are gonna show us
215
00:07:42,540 --> 00:07:44,513
that there's a name server answering up, Bluehost.com.
216
00:07:45,527 --> 00:07:46,360
TitanCipher is being answered up
217
00:07:46,360 --> 00:07:48,180
by Bluehost who is their provider.
218
00:07:48,180 --> 00:07:51,360
They do have a mail server, mail.titancipher.com.
219
00:07:51,360 --> 00:07:52,860
They do have a name server,
220
00:07:52,860 --> 00:07:54,990
second name server on Bluehost.
221
00:07:54,990 --> 00:07:57,873
We also see their A records, which is their IP address.
222
00:08:05,790 --> 00:08:07,620
Next, we can look at the Traceroute.
223
00:08:07,620 --> 00:08:09,600
This Traceroute you see looks a lot different
224
00:08:09,600 --> 00:08:11,610
than the Traceroute we saw with AVG.
225
00:08:11,610 --> 00:08:13,530
In this case, everybody is answered up.
226
00:08:13,530 --> 00:08:14,910
We get both the IP addresses
227
00:08:14,910 --> 00:08:16,710
and the fully qualified domain names,
228
00:08:16,710 --> 00:08:18,180
so we know every single piece
229
00:08:18,180 --> 00:08:19,680
between CentralOps
230
00:08:19,680 --> 00:08:21,810
and that particular server that's answering up.
231
00:08:21,810 --> 00:08:25,680
Now notice the last server that answers up that 193,
232
00:08:25,680 --> 00:08:27,330
something quite interesting here.
233
00:08:27,330 --> 00:08:30,420
When it resolved, it didn't resolve to titancipher.com.
234
00:08:30,420 --> 00:08:32,010
Can you guess why?
235
00:08:32,010 --> 00:08:33,659
Well, the reason why is that this has shown us
236
00:08:33,659 --> 00:08:35,070
that it's a shared server.
237
00:08:35,070 --> 00:08:38,070
It's not owned exclusively by TitanCipher.
238
00:08:38,070 --> 00:08:40,799
In fact, it's owned by Unified Layer, who owns Bluehost.
239
00:08:40,799 --> 00:08:43,860
So there may be 20, 30, 40, 50 different websites
240
00:08:43,860 --> 00:08:45,120
on this particular server.
241
00:08:45,120 --> 00:08:47,310
TitanCipher is just one of them.
242
00:08:47,310 --> 00:08:48,330
Now that's important to know
243
00:08:48,330 --> 00:08:50,700
because if you try to hack titancipher.com,
244
00:08:50,700 --> 00:08:52,620
you may not be hitting titancipher.com
245
00:08:52,620 --> 00:08:55,020
you may be hitting some of these other servers in there
246
00:08:55,020 --> 00:08:57,420
and if you do that, you'd now be breaking the law
247
00:08:57,420 --> 00:08:58,890
because you were only hired for an assessment
248
00:08:58,890 --> 00:09:00,330
by this one company.
249
00:09:00,330 --> 00:09:02,040
So you have to be very careful when you start looking
250
00:09:02,040 --> 00:09:03,060
at where they're hosted.
251
00:09:03,060 --> 00:09:04,740
This is really important information when we look
252
00:09:04,740 --> 00:09:05,883
at the Domain Dossier.
253
00:09:06,840 --> 00:09:09,083
Next we're gonna go down to our Service scan.
254
00:09:12,446 --> 00:09:14,700
In the Service scan, you'll see that they're using FTP.
255
00:09:14,700 --> 00:09:16,260
That's a known vulnerability for us
256
00:09:16,260 --> 00:09:17,790
and it even tells us what type of FTP.
257
00:09:17,790 --> 00:09:20,280
In this case, Pure-FTPd server.
258
00:09:20,280 --> 00:09:22,320
That's an important piece of information that we could use
259
00:09:22,320 --> 00:09:24,090
if we were gonna hack this company.
260
00:09:24,090 --> 00:09:27,900
SMTP Timeout, therefore, it's not answering up for SMTP.
261
00:09:27,900 --> 00:09:28,733
That's good to know.
262
00:09:28,733 --> 00:09:30,780
Don't throw any SMTP attacks.
263
00:09:30,780 --> 00:09:32,730
They are running a web server,
264
00:09:32,730 --> 00:09:35,880
they're running Nginx/1.10.2.
265
00:09:35,880 --> 00:09:36,930
We now know the version number
266
00:09:36,930 --> 00:09:38,310
and the software they're using.
267
00:09:38,310 --> 00:09:40,350
That's useful to find vulnerabilities.
268
00:09:40,350 --> 00:09:41,340
Again, all we're doing here
269
00:09:41,340 --> 00:09:42,960
is information gathering, at this point.
270
00:09:42,960 --> 00:09:44,400
POP3 server does answer up,
271
00:09:44,400 --> 00:09:46,560
so there is something listening there.
272
00:09:46,560 --> 00:09:49,260
IMAP-143, another mail server.
273
00:09:49,260 --> 00:09:50,820
It's answering up as well.
274
00:09:50,820 --> 00:09:52,620
Things that we need to take note of.
275
00:09:55,890 --> 00:09:57,090
If we get into their secure site,
276
00:09:57,090 --> 00:10:00,870
we see Port 443 secure HTTP server,
277
00:10:00,870 --> 00:10:02,220
so a secure https.
278
00:10:02,220 --> 00:10:04,380
We can see their SSL certificate here.
279
00:10:04,380 --> 00:10:07,170
They're using a sha256RSA token
280
00:10:07,170 --> 00:10:09,570
as their server validation.
281
00:10:09,570 --> 00:10:12,270
That is information that can be useful.
282
00:10:12,270 --> 00:10:14,970
BlueHost.com is the ones who gave them that information.
283
00:10:14,970 --> 00:10:16,020
So we might be able to use that
284
00:10:16,020 --> 00:10:18,390
as part of a spear phishing campaign again.
285
00:10:18,390 --> 00:10:20,520
You can see the fact that we have Apache running
286
00:10:20,520 --> 00:10:21,390
as the server.
287
00:10:21,390 --> 00:10:22,500
You see that, they're at the bottom.
288
00:10:22,500 --> 00:10:24,990
HTTP/1.1 200 OK.
289
00:10:24,990 --> 00:10:26,400
Server Apache.
290
00:10:26,400 --> 00:10:28,800
Again, more information that we wanna take note of.
291
00:10:28,800 --> 00:10:31,050
They also have a PHP session ID.
292
00:10:31,050 --> 00:10:32,880
That's something else that we could take note of.
293
00:10:32,880 --> 00:10:36,030
We see jasondin.com/wp.
294
00:10:36,030 --> 00:10:37,650
WP usually stands for WordPress,
295
00:10:37,650 --> 00:10:39,780
so that could be vulnerabilities we could take care of.
296
00:10:39,780 --> 00:10:41,460
So these are all different things that we can look at,
297
00:10:41,460 --> 00:10:43,830
as we move forward in our exploitation later on.
298
00:10:43,830 --> 00:10:45,030
The next thing we're gonna look at
299
00:10:45,030 --> 00:10:46,770
is our Email Dossier
300
00:10:46,770 --> 00:10:48,220
and we'll just click on that,
301
00:10:49,770 --> 00:10:51,030
and then we're gonna give an email address
302
00:10:51,030 --> 00:10:52,170
that we want to test out.
303
00:10:52,170 --> 00:10:54,780
If we had email.test@hotmail.com for instance,
304
00:10:54,780 --> 00:10:56,880
let's see if that's a valid email address.
305
00:10:57,810 --> 00:10:58,920
Click go.
306
00:10:58,920 --> 00:11:01,050
We find out that it is a bad email address
307
00:11:01,050 --> 00:11:03,540
because it was rejected by the server.
308
00:11:03,540 --> 00:11:05,220
Now instead, if I use an email address
309
00:11:05,220 --> 00:11:06,970
that I think is valid for instance:
310
00:11:10,140 --> 00:11:12,240
titancipher@gmail.com,
311
00:11:12,240 --> 00:11:13,830
hit go.
312
00:11:13,830 --> 00:11:16,323
We'll see that this passed the validation test.
313
00:11:18,450 --> 00:11:19,283
As we scroll down,
314
00:11:19,283 --> 00:11:21,960
we'll see that it actually found the MX records for Google
315
00:11:21,960 --> 00:11:23,360
for that particular address.
316
00:11:25,230 --> 00:11:27,570
And when it tried to make a connection over SMTP to Google
317
00:11:27,570 --> 00:11:30,330
to say, does this email address exist?
318
00:11:30,330 --> 00:11:31,620
We can see that it did come back
319
00:11:31,620 --> 00:11:33,350
and say that it was successful...
320
00:11:34,560 --> 00:11:36,540
right here showing us
321
00:11:36,540 --> 00:11:39,570
that, that was a good valid email address.
322
00:11:39,570 --> 00:11:40,670
Let's try another one.
323
00:11:42,930 --> 00:11:45,020
What if we had one like...
324
00:11:48,720 --> 00:11:51,210
titancipher23@gmail.com?
325
00:11:51,210 --> 00:11:53,310
Let's see if that's a valid email address.
326
00:11:54,300 --> 00:11:55,680
We hit go.
327
00:11:55,680 --> 00:11:57,960
Bad address, does not exist.
328
00:11:57,960 --> 00:11:59,940
So if we tried to start sending spear phishing emails
329
00:11:59,940 --> 00:12:02,250
towards titancipher23@gmail.com,
330
00:12:02,250 --> 00:12:03,510
they would just get rejected.
331
00:12:03,510 --> 00:12:06,120
But titancipher@gmail.com does exist.
332
00:12:06,120 --> 00:12:07,770
It would be a valid address to use.
333
00:12:07,770 --> 00:12:09,030
Where this becomes helpful
334
00:12:09,030 --> 00:12:11,190
is when we start looking up information on the company.
335
00:12:11,190 --> 00:12:13,560
For instance, if we go back to AVG,
336
00:12:13,560 --> 00:12:17,730
if we think their naming scheme was firstname.lastname
337
00:12:17,730 --> 00:12:18,563
and we found a name
338
00:12:18,563 --> 00:12:21,390
of someone who we think is an employee, John Smith,
339
00:12:21,390 --> 00:12:25,350
we can try in here, john.smith@avg.com
340
00:12:25,350 --> 00:12:26,880
and see if it comes back as a valid
341
00:12:26,880 --> 00:12:28,080
or invalid address.
342
00:12:28,080 --> 00:12:30,240
This will help us know what are good addresses
343
00:12:30,240 --> 00:12:31,470
and what are bad addresses.
344
00:12:31,470 --> 00:12:33,270
If you start sending a lot of emails
345
00:12:33,270 --> 00:12:35,490
to a server with bad email addresses,
346
00:12:35,490 --> 00:12:37,860
that server will start realizing that there's spam coming
347
00:12:37,860 --> 00:12:40,740
from your address and they'll block you down.
348
00:12:40,740 --> 00:12:42,630
You always wanna be targeted in your approach.
349
00:12:42,630 --> 00:12:44,460
You don't wanna just shotgun things.
350
00:12:44,460 --> 00:12:46,560
You wanna be precise like a sniper.
351
00:12:46,560 --> 00:12:48,270
This is just one of the tools that you can use
352
00:12:48,270 --> 00:12:49,530
during a reconnaissance phase.
353
00:12:49,530 --> 00:12:50,550
There are literally hundreds
354
00:12:50,550 --> 00:12:52,110
of different tools available out there,
355
00:12:52,110 --> 00:12:52,943
but this is just one
356
00:12:52,943 --> 00:12:54,360
that I particularly happen to like.
357
00:12:54,360 --> 00:12:56,070
I recommend that you try out various tools
358
00:12:56,070 --> 00:12:58,440
to figure out which one works for you and your style.
359
00:12:58,440 --> 00:13:00,090
This lesson was to show you the process
360
00:13:00,090 --> 00:13:01,290
that an attacker goes through
361
00:13:01,290 --> 00:13:03,240
in collecting some of the basic information they need
362
00:13:03,240 --> 00:13:04,940
in order to develop their attacks.