All language subtitles for 008 Reconnaissance with CentralOps (OBJ 2.1)

CentralOps.net and sites like it are a wonderful resource for the hacker, as it helps to provide some anonymity during our assessments. CentralOps allows us to create a Domain Dossier or Email Dossier on our victims, gathering openly available information, such as the owner of the domain names, the technical contacts, technical details, and the network ranges involved. This is key information that's required for us to gather as we attempt to understand the victim network and plan our attacks.

We can use CentralOps from any computer with a web browser, and since we already have our Kali machine connected to the internet, that's what we're gonna use. So from our Kali machine, we're gonna open up Firefox. From here, we're gonna go to CentralOps.net. So once we get to CentralOps.net, we're gonna go to the Domain Dossier.

So now we need to pick a domain to look up or an IP address. For our example, I'm gonna use AVG. So AVG is an antivirus company located in the Netherlands. So we're gonna look them up and we're gonna choose all five options. We want the traceroute, the service scan, the DNS records, the Whois of both network and domain. And then hit go.

So the first thing we're gonna see is our Address lookup, and this is just gonna do a basic check of the name to the IP address. In this case, AVG will resolve to two different IP addresses as displayed here on the screen.

After that we're gonna see the domain Whois record. Now with a large company like AVG or Yahoo or Google or somebody like that, you're not gonna get as much detailed information as you would if you had a small business. So in this case we can look at who they registered their domain through, which in this case was Mark Monitor Incorporated. So we can see that, and that might play into the spear phishing campaign, but it's probably not real helpful for us right now. We're gonna go ahead and scroll down even further.

The next thing we're gonna come to is the detailed Whois record, and in here we're gonna see the registration information. We're gonna see who the person is registered to. In our case, since it's a large company, they just put in Domain Administrator. If it's a small business, you'll usually see the owner of the business's name or their technical support people. You also will get information such as where they are. In this case they are located in Amsterdam, with the street name listed there. You also get phone numbers. This can be useful as part of a pre-texting campaign as well, and you'll get an email address. In the case of a large company like this, they probably are not monitoring this address, but it's domainadministration@avg.com. If we had somebody's username in there, for instance Jason.Dion@avg.com, that could tell us the naming structure for email addresses that could be useful in a spear phishing campaign, or a good point of contact to use as part of a spear phishing campaign, such as the technical registration point of contact. If we have that information, we can use that as a way into the network. We're gonna continue scrolling down, see what else we can find.

Again, Domain Administrator, Domain Administrator, not the most helpful thing because again, this is a large company. One of the things I noticed that's kind of interesting is their name servers. If you notice they're using akam.net. Akam is actually a large network service provider. They actually can help prevent denial of service attacks from occurring. So if that was gonna be our strategy to take down this network, it may not work as well. If they're a small business, they're probably not using akam, and that may be a way that you can take down their network. But again, a denial of service is never used in ethical hacking. There's really no reason for it, but it's something we can consider using our research here.

We're gonna go down to the Network record. Now the Network Whois is a little bit different. You'll notice here it actually gives us a range, 93.184.217.0 up through .31, that is actually being owned and operated by AVG. That means they have 31 IP addresses, 30 of which are routable on the internet. That is 30 possible targets, whether they're routers, firewalls, or actual servers tied to the internet that we could be looking at, if that is within the scope of our assessment.

As we go down a little bit further, you can notice who actually registered for these IP addresses, Derrick Sawyer. So again, that can be a name that we can use as part of a pre-texting campaign, it may be a name that we use as part of an email phishing campaign. Lots of different uses when we find good names and good email addresses for people.

We're gonna go down into our DNS records next. So in our DNS records, you'll see the DNS records for avg.com. There's two address records as we saw earlier. We see 93.184.217.9 and then we see 93.184.211.28. These are two different servers that are answering up for the name avg.com. This is probably being done because AVG is such a large company. One server couldn't handle the loads. So they have two servers that are acting as content switches to provide that service to their customers. And then again, we see akam.net as the name servers answering up. So again, it's gonna be load sharing and helping to handle a large amount of load that would come against those servers.

Next we're gonna look at Traceroute. So it starts out from the servers at CentralOps and goes out across the internet until it finds where it's going. In this case, once we get to the *** in line 10 through 13, that's usually where it hits firewalls, and some companies will not respond to pings or Traceroutes. And the reason why is they don't want you mapping their network. So we know they have at least some firewalls and some border security there. Again, we already figured that out because of the akam.net being the ones answering up for their domain name. So we know that they're pretty secure.

Now we'll move on to the Service scan. And here in the service scan you'll see that FTP Timed out, SMTP Timed out, web browsing port 80 is open. POP servers, IMAP server and HTTPS all have timed out, and this is pretty typical when using a large company like AVG.

So let's do another Domain Dossier. This time we're gonna use a small business. From Domain Dossier, I'm gonna go to titancipher.com and I'm gonna use Service Scan and Traceroute, and then hit Go. Now titancipher.com is a domain that I own. It's hosted on a small server, it's used on a WordPress platform, which is actually hosted by Blue Host. And as we go through, you're gonna see that. It's gonna look a lot different than the AVG answers we got last time. So in this case, we have a single IP address which is answering up for TitanCipher. If we go into the domain records, you'll see that it's bluehost.com. That tells me who they're using, and the fact that they're using Bluehost tells you they're probably using WordPress as their platform, because Bluehost is known for that. So if you could find vulnerabilities in WordPress, you can then use those against that particular domain.

Next we're gonna scroll down and you'll see more information about the actual person who owns it, their name, their address, their phone numbers, their email addresses, all information that could be useful. Again, for a spear phishing campaign or something of that nature.

Network Whois... so Network Whois again, that's gonna show us who owns the IP addresses. In this case, it's actually owned by Unified Layer Networks. They own a large block, then they've given part of that block to Blue host, who then gave a single IP to titancipher.com. So if you notice here, they have a class A address. So the /16, they're gonna have over 64,000 IPs. You don't wanna just go in there blindly and scan 64,000 IPs if you're targeting one titancipher.com; it wouldn't make any sense. So this is gonna help you identify who owns the network and what parts of the network there are.

I'm gonna scroll down a little further and we're gonna find the DNS records. Now the DNS records here are gonna show us that there's a name server answering up, Bluehost.com. TitanCipher is being answered up by Bluehost, who is their provider. They do have a mail server, mail.titancipher.com. They do have a name server, second name server on Bluehost. We also see their A records, which is their IP address.

Next, we can look at the Traceroute. This Traceroute you see looks a lot different than the Traceroute we saw with AVG. In this case, everybody has answered up. We get both the IP addresses and the fully qualified domain names, so we know every single piece between CentralOps and that particular server that's answering up. Now notice the last server that answers up, that 193, something quite interesting here. When it resolved, it didn't resolve to titancipher.com. Can you guess why? Well, the reason why is that this has showed us that it's a shared server. It's not owned exclusively by TitanCipher. In fact, it's owned by Unified Layer, who owns Blue Host. So there may be 20, 30, 40, 50 different websites on this particular server. TitanCipher is just one of them. Now that's important to know because if you try to hack titancipher.com, you may not be hitting titancipher.com, you may be hitting some of these other servers in there, and if you do that, you'd now be breaking the law because you were only hired for an assessment by this one company. So you have to be very careful when you start looking at where they're hosted. This is really important information when we look at the Domain Dossier.

Next we're gonna go down to our Service scan. In the Service scan, you'll see that they're using FTP. That's a known vulnerability for us, and it even tells us what type of FTP. In this case, Pure-FTPd server. That's an important piece of information that we could use if we were gonna hack this company. SMTP Timeout, therefore it's not answering up for SMTP. That's good to know. Don't throw any SMTP attacks. They're... they are running a web server, they're running Nginx/1.10.2. We now know the version number and the software they're using. That's useful to find vulnerabilities. Again, all we're doing here is information gathering at this point. POP3 server does answer up, so there is something listening there. IMAP-143, another mail server. It's answering up as well. Things that we need to take note of.

If we get into their secure site, we see Port 443 secure HTTP server, so a secure https. We can see their SSL certificate here. They're using a sha256RSA token as their server validation. That is information that can be useful. BlueHost.com is the ones who gave them that information. So we might be able to use that as part of a spear phishing campaign again. You can see the fact that we have Apache running as the server. You see that there at the bottom. HTTP/1.1 200 OK. Server Apache. Again, more information that we wanna take note of. They also have a PHP session ID. That's something else that we could take note of. We see jasondin.com/wp. WP usually stands for WordPress, so that could be vulnerabilities we could take care of. So these are all different things that we can look at as we move forward in our exploitation later on.

The next thing we're gonna look at is our Email Dossier, and we'll just click on that, and then we're gonna give an email address that we want to test out. If we had email.test@hotmail.com for instance, let's see if that's a valid email address. Click go. We find out that it is a bad email address because it was rejected by the server. Now instead, if I use an email address that I think is valid, for instance titancipher@gmail.com, hit go. We'll see that this passed the validation test. As we scroll down, we'll see that it actually found the MX records for Google for that particular address. And when it tried to make a connection over SMTP to Google to say, does this email address exist? We can see that it did come back and say that it was successful... right here, showing us that that was a good valid email address.

Let's try another one. What if we had one like... titancipher23@gmail.com? Let's see if that's a valid email address. We hit go. Bad address, does not exist. So if we tried to start sending spear phishing emails towards titancipher23@gmail.com, they would just get rejected. But titancipher@gmail.com does exist. It would be a valid address to use.

Where this becomes helpful is when we start looking up information on the company. For instance, if we go back to AVG, if we think their naming scheme was firstname.lastname and we found a name of someone who we think is an employee, John Smith, we can try in here john.smith@avg.com and see if it comes back as a valid or invalid address. This will help us know what are good addresses and what are bad addresses. If you start sending a lot of emails to a server with bad email addresses, that server will start realizing that there's spam coming from your address and they'll block you down. You always wanna be targeted in your approach. You don't wanna just shotgun things. You wanna be precise like a sniper.

This is just one of the tools that you can use during a reconnaissance phase. There's literally hundreds of different tools available out there, but this is just one that I particularly happen to like. I recommend that you try out various tools to figure out which one works for you and your style. This lesson was to show you the process that an attacker goes through in collecting some of the basic information they need in order to develop their attacks.
