Hey, thanks for joining us for this episode on footprinting concepts. I'm Sophie, this is Daniel, and we're going to talk today about snooping, finding some information.

Yeah, I'm excited, because I do this for fun. I haven't heard the word "snooping" in a while. That's just kind of fun to say, isn't it? Snooping around, sneaking. Were you that kid? Because I was that kid. I could not not look around at stuff. I had to go in my parents' room, I had to open lockers that weren't mine, and stuff like that.

Obviously we're losing the nuance of it, but footprinting is, in essence, seeking out information about a target. That's exactly what footprinting is. It's basically taking that idea, except we're being purposefully nosy. As a nosy person you are just kind of into people's business, whereas this is: I am being paid by my client to be nosy about them. As an ethical hacker, that's what you're going to do. Hackers do this as well. They probably are nosy people by nature, to some extent, because you're wanting to break into things that you're not supposed to have access to. But in this context, when you're footprinting, you are looking for any information about your client, whether that be technical, whether that be organizational, and so on and so forth. We want to learn about the technology and the people and the industry and everything that is about them.

A lot of times you'll hear the term OSINT, open source intelligence gathering, OSINT gathering, doing OSINT. If you've never heard that before, this is where this all begins: I'm looking for anything that's out in the ether that could be of use to me as I learn and profile my target, who, as an ethical hacker, is hopefully your client. Bad actors will be doing this because that is their victim. So that's the whole purpose of doing this: trying to figure out any possible thing about these targets so that you can use that information (as they say, knowledge is power) to gain some sort of access into the systems.

So that's what footprinting is, and there are two different categories, two different kinds of footprinting this could fall under. We have passive and we have active. And sometimes, maybe unintentionally, I think I might engage in a little bit of passive footprinting. I think you engage in some active footprinting. Yeah, I think so. You're running some scanners, right, using any of those S3 bucket kicking tools. Oh yeah, it's fun. I don't do anything with the information. It's just fun to see what I can find.

But that brings us to the point: there's a difference. You have passive and active. Passive is where you have no interaction with your target. You are not reaching out and querying for anything. This is more like eavesdropping on a conversation. "Oh, don't mind me, I'm just here to grab some sugar packets, but continue." You're trying to hear what's going on. Anything that's, like I said, out in the ether, looking for freely available public information, is all a part of that. Now you could absolutely physically be eavesdropping on a conversation; that is a part of this. That would be a passive attack. You're just kind of walking by, and whatever you can glean, you glean. Same kind of idea when it goes into the digital realm, which would be their website. You go to their website: does it have an About page? Are there financial reports about them? So you're going to be looking in different financial markets, whatever part of their industry they're in. Do the people that work there have any ties, or have they done public speaking? What can I just pick up from the world? Because you never know, you may get lucky and find a few unsecured pieces of sensitive information, and then it's like your birthday and Christmas all rolled into one, because you're like, "Yay, yay, yay!" And then, if you're an ethical hacker, you're going, "Oh no, that's not good." It's this weird dichotomy that you live in, where you're happy you found something and you're like, "Oh well, now I've got to report that in a finding, because we've got to close this down. That's no bueno."

The weird thing about this, though, is, if you think about it, this is really difficult, nigh impossible, to detect, because a lot of this information those organizations mean to give out. They are meaning to say, "We want you to have this." Even stuff like putting contact information on your LinkedIn: "Here's an email that you can reach me at if you're interested in a job," or business cards, things like that. You don't necessarily want to hide your email or your phone number; maybe people need it. But it can also be used for bad things. Exactly. So that's why it's really important that you're very cautious, that you have good opsec when it comes to what you put out onto the interwebs and the world at large, because you never know, and it's really difficult, if not impossible, to detect if someone is doing this, if they are footprinting you. Think of that whole old detective novel thing, Sherlock Holmes and his glasses: "Oh, there's the footprints." Scooby-Doo kind of activity going on, and we follow the footprints to where they go and we can learn more about these people.

Now that is passive. So, active. You likened passive footprinting to eavesdropping. Would active footprinting be more like interrogating? Yes. This is actually making some sort of contact with your targets. Direct interaction. That's the difference between active and passive. Passive is just kind of taking it in; active is, "Hey, tell me about something."
Now we say interrogation, right? That's the idea: I grab Sophie and I sit her in a chair under hot lights and I'm like, "Tell me where you were on the third at 3:00 a.m." She's like, "I was asleep." "You're a liar." "I'm not a liar." I mean, you probably are. You've probably lied about something. Maybe not this, but... I admit to nothing. Yeah, exactly. And that's a smart move when it comes to an interrogation.

But we are asking questions. We are saying, "Hey, system..." And you've got to think of this in the digital world now. This could be in the physical world as well: I can go up, I can use social engineering techniques. We're going to go through all this in this domain; right now we're just giving you the overview. But social engineering is a great way to do this: you put on a persona, interact with someone that is a part of the organization that you're targeting, and then see if you can get any good information out of them. So in the physical world that's what that would look like.

But you can also do it digitally. I can interrogate systems. I can question them, ask them questions. Think of things like DNS queries, WHOIS. We're going to get into all that lovely fun good stuff very soon. But that would be a direct interaction. Maybe I do a port scan: "Hey, tell me what you are." Doing host discovery. All these fun things are possible, and that would be active footprinting. That's you doing something actively, talking, taking direct action. The only downside to this is that now you're making detection possible. You could be tipping your hand. An alarm might be set that you trip over and set off, and now someone's like, "What is going on here?"

Right, "we know that's kind of a sensitive area and you keep asking questions about it. You are interrogating my SMTP server. Why are you doing that? Why aren't you just sending email? That would be the normal way to work with this. Instead, I'm seeing odd things." So if your target has good security in place, with systems that are tuned to look for oddities, maybe heuristically or signature-based, they might see you do something and then go, "This IP keeps contacting us oddly, making weird requests. That's an indication that they might be interrogating the systems for information. Let's go ahead and just blacklist that. Call it a day." Now that's not a foolproof plan for stopping it, but now you know: if all of a sudden you can't do things there, they might be on to you. So detection is possible there.

Okay, so when we're doing footprinting, when we are footprinting... would it be "when we're footprinting"? That would be the verb. I mean, I think both work. Okay, both work. Well, when we are exercising this practice, there might be information that we're finding that's not particularly valuable. Maybe there's information that's publicly available, but it's like, "Well, yeah, but who cares? It's not valuable to us." So what kind of information would we be looking for when footprinting?

That's a great question, and it's one that's very pertinent to the idea of footprinting, because, as we said, we're trying to learn as much as we can. I gave a very soft answer to that at the very beginning of this, but let's get a little more detail. Typically they're looking for three types of information: system information, network information, and organizational information. Under those rubrics, let's start with system information. This will be things like what operating systems are they using, what services are they working with. I mean something like Active Directory, are they using LDAP, and so on and so forth. Usernames, passwords: this is system information. While that does also kind of fall under a user as well, because it would be their username and/or password, typically we'll see this underneath that system information rubric.

Then network information. DNS. DNS is a wealth of information. Domains and subdomains as well. What registered domains do they have, and how many can I find? Because those might all fall under the scope of my engagement. And the main domain might be locked down tight as a drum, but subdomains might be a little more loosey-goosey, because they think, "Oh well, that's staging, or that's test. What's the big deal?" Well, it's live at five and accessible by the internet, and it is a domain under your control. Therefore you need to have as much security there, because guess what: a subdomain probably has its hooks into the domain at large, the network at large. So I want to learn as much about that network as I possibly can. Domains and subdomains help me increase the attack surface that I can go after, giving me a more probable possibility of actually finding a vulnerability that I can exploit.

Another piece of information: firewall rules. What kind of roadblocks am I going to encounter if I were to try to work in this network? Is there strong ingress filtering? Is there any egress filtering? How can I figure those things out? There are ways to do that, but I want to know as much as I can about those firewall rules. Do you have a WAF? Is it IDS, IPS? If I fire off something from a random area, will it then shut that down? That's what we're trying to figure out.

And then organizational information will be contact info: give me email addresses, departmental information. I want to know who's in what department, where they sit on the hierarchy. I'm looking for things like org charts; those are always fun to go after. Employee
information, just anything about them. Like, Sophia, you said, going on LinkedIn. It is a very common practice to scour social media sites for information about employees of an organization you are actively engaged with, either as a client or, if you're a hacker, as a target. And unfortunately it's really weird: how many times have you seen someone go, "I started a new job today," and they've got a picture on Instagram or Twitter or whatever, and it's of their new cubicle with their laptop, all the swag they got, and their badge? People love to post, because it's kind of a flex. "Oh look, I work at Microsoft." Or, "I work at Google." And even stuff that's not intentional: you take a picture of your cubicle and you don't realize your badge is there and it's plainly visible, or there's something there. Maybe you've got (you shouldn't have) a sticky note with your username and password out, but maybe you do, and you don't realize it's in the picture. So even just accidental stuff. Somebody like me wouldn't even think of it; I'm just thinking, "I'm posting this so my mom can see it." That's exactly right. And what's interesting about that is you can get geographical location information from the EXIF data of the pictures. Fun, right? There's all sorts of crazy information that you can gather about employees, location, anything about that organization.

So I see the wheels are turning in your head. You mentioned location, and even stuff like, on Twitter I noticed (it was a while ago) I went to tweet something and Twitter had it set up where automatically your location will be added. You had to go in and turn it off, and if you don't know that it's turned on, you don't see it, because it's already out there. And it was funny, there was, I think, Garmin, or it was Fitbit or something like that. It was either Garmin or Fitbit. They were health monitors, but they had GPSes in them, and it exposed the location of a secret CIA base, because the troops that were stationed there were working out, and that information was like, "What is all this Fitbit data, or whatever it was, coming from Kazakhstan?" Some random location you wouldn't think of. "Crap, that's not supposed to be known." That's a very high-stakes situation. For me it would just be like, "Oh, I don't want this person to know where I am," like it's dangerous for me. Yes, that's very high stakes. Very interesting stuff, though. So this is what they're looking for when it comes to the information that you could gather under those three rubrics. Keep those in mind; that's probably testable.

Some of this is more obvious as to what use it is. Like you mentioned firewall rules: okay, if you're trying to get past a firewall, it would be helpful to know what the firewall rules are. Some of this other stuff, it might not be as obvious why we might need this information. So how would having this info help us as pentesters, or as an attacker, quote unquote? I think we've touched on this a bit, but there are some other things. It may reveal other security controls as well: the fact that you have a firewall, what kind of firewall is it, is it a WAF, is it a next-gen firewall, what are we working with here? Maybe you have other systems in place. Maybe there's network segmentation that's occurring. That could be a security control that you discover: "Oh, I see you've got this kind of separated from that. I see what you're doing there. That's nice." Filtering could be done as well. Maybe through a web application you're doing some sort of input filtering. You can suss that kind of stuff out pretty easily by it going, "You can't do that." "Oh well, thank you very much. It's nice to know."

So this will also help them find live targets. We know these things are live because we have done the heavy lifting and found them. We have done the work to make sure that they are there, and now I can just focus on targets I know are up and working, because trying to hack a system that's not on is kind of hard. The best security you can have is to not have a device. Or just go off the grid completely.

And other than that would be vulnerability identification. Now I can start really moving into the idea of what vulnerabilities might be here. And I very well may be seeing that right out of the gate with just some fundamental footprinting, both passive and active. I might go, "Oh man, I see that this website has basically told me that it is vulnerable, and I didn't have to do much other than go there and read some information off of a job board or something." Yeah, that's true. Job boards are a wealth of information. They very much are. So those are the kinds of information, that's what they could do with it, and that's how it helps them.

So this, in theory, if you do it correctly, could lead directly to your target being compromised. Absolutely. Not only could it, it usually does. This is the first step. A lot of times when you see this in the hacking phases and these different things, it's like footprinting and reconnaissance, or recon, enumeration; this is all kind of a part of that one big ball. Maybe you see scanning as a part of that, because that would be active footprinting: I'm learning more about my target through scanning. But that's absolutely crucial. Crucial is the word. You must know about your targets so that you can find those places that you might be able to compromise them through. Without doing this, it's very unlikely
you're just going to fall backwards into some open door and gain access into the system. Not that it doesn't happen, but it's just highly unlikely, especially in today's day and age, where security is much more important than it used to be. It's a part of our ecosphere at this point. So it does absolutely support compromise, and attacks like social engineering. Understanding our victims, or our targets, will be crucial to helping us properly use a social engineering attack. I think you actually made mention of this earlier in the episode: crafting that perfect phishing email is knowing about our target so that it will work well.

Sensitive data exposure as well. I might just stumble across something like an open S3 bucket and go, "Oh, this is a whole database of usernames and passwords, or credit card numbers, or whatever the case is." And all I had to do was look for it. That's happened to me before. I'm not going to do anything with it, but it's like, "Oh, just playing around, looking at S3 buckets," and we're both going, "Hey, that's an AWS key." And it's just public. I mean, it's not like I broke into anything. It's just there. I didn't do a dang thing other than go to a website and click go, and it was like, "Here's an AWS key. Hope you like it." You really can never be too careful. No, you cannot.

And then system and network hacking as well. Using that information will help you compromise systems, because if I know that you are using an out-of-date version of some sort of CMS that has known vulnerabilities, well, guess what: as an attacker, I'm going to try that. So yeah, definitely footprinting. It seems a bit mundane and dull and dry, that you're just gathering all this information about your targets, and it's like, "I don't really feel like I'm doing much," but it's the information you pick up in this phase that will get you to where you want to go, which is system compromise. And that's what it's all about.

He describes it as dry; to me, this is the fun part. I've learned to like it, and I enjoy it more, but I appreciate it more. I'm just nosy by nature, so it just comes naturally to me. I want to find stuff out, even if I'm not going to do anything with it. It's just fun to see what I can find. I knew, when we were planning these next couple of episodes, this whole footprinting area, that Sophia is going to love this stuff, because it's just free info and she's a nosy Nelly. So this is really just the tip of the iceberg.

So thank you for joining us on this episode on footprinting concepts. Like Daniel said, we're going to have some other episodes relating to this. I'm very excited and I hope you'll join us there.

[Music]

Hey, thanks for joining us. I'm Sophie, this is Daniel, and this episode is all about Google dorks. I was going to wear my sweater vest and I forgot it at home. We're not talking about that kind of dork. It's different. It's not a socially awkward person that works at Google. But it is a
kind of a funny name, and I tried to find the origin of it and I didn't have much luck. So it was kind of a recursive definition, wasn't it? It was like, "Well, it's called Google dorking because you're dorking people." And I was like, "That doesn't help me." You can't use the word to define the word. But that's the world that we live in. Unfortunately.

So what in the world are Google dorks? Okay, so yeah, funny name. We can get a big hee-haw out of you. Go ahead and pause the thing so you can slap up the chuckle, the pain in the sides. But basically it's using advanced search features of Google so that you can do footprinting. It will allow you to do very granular searching that may uncover a few things that people might not have realized they would expose. If you can utilize these things, you'll find all this wonderful uncovered information, and then you can use that for, well, nefarious purposes, or, if you're an ethical hacker as we are, for nefarious good purposes. I don't know how to put that, but you get the idea. When you're pretending to be nefarious. You're playing a part so that we can stop nefarious people, the real nefarious people. It's a real weird, complex system we've built here, isn't it? It's a complex world we live in.

But I know that there are some things you can use in Google searching. Very simple stuff: if you put a word in quotes, that means it'll search specifically for that phrase, or you can put a little minus sign: "I don't want to look for searches with this word in them." Whatever. But there are more tools than just that, right? Yes, absolutely. Use them to perform recon. And most people probably do know those lovely little simple search operators, because they're very effective at filtering out things you don't need, or looking for very specific things that you do need. Now imagine applying that on a grander scale, as well as those things, to find stuff. That's the idea behind Google dorking: just look at those advanced search options that you have available to you from Google and then start going, "Hmm, if I were a hacker, how could I use this to search out specific things?" Because you have to know that as hackers we stay on top of things like the latest exploits that are available. I'm trying to think of one off the top of my head. Of course I'm blanking out because we've got the red light going on. It's giving me that fever. Is it hot in here?

I'm thinking Exchange. So O365, or not O365: Microsoft Exchange, the actual server service, near the end or the last quarter of 2022 had a huge vulnerability that was discovered. Big deal. So I can start Google dorking for Exchange servers. I can try to find them. That would be one of those things I would want to do. Are you using Exchange? Is this an Exchange email? Google dorking might be able to help me at least find email accounts, and use those email accounts to try to enumerate whether or not they are using that on-prem Exchange system. Because if I just Google the words "Microsoft Exchange" or whatever, I'm going to get articles about it. But if I use one of these Google dork shortcut things, inurl, intitle, stuff like that, that'll narrow it down for me.

Another thing I like to use them for is to look for sites that have inputs or URL-specific things. If I see "id=" in the URL, that's good for me, because maybe I have myself a little place that I can start working up something to the effect of, I don't know, SQL injection, because that is a telltale sign of a site taking SQL. So if I see "id=5025", well, that's an ID of something. It's probably reading it from a SQL database of some type. And I say "sequel"; it's SQL, right? I'm going to put my glasses on. I should have grown my beard out around the neck area. Actually, Daniel, it's S-Q-L, Structured Query Language. "Sequel" is the Microsoft... Yes, I know. But colloquially most people just say "sequel." So there's that. Anyhow, moving on.

If I can use Google to just search for websites that have that, now obviously I could narrow that down further to a specific target. So for this domain, in the URL, search for "id=". I can now see if Google has cached anything that would have that. If it does, oh well, this is special for me, and I'm going to put that in my list of probable inroads into their systems. If I feel like that's more immediate, then I would just start doing that. But usually you amass a list of things that look like potentials, and then you prioritize that list from most likely to least likely as far as your ability to actually successfully exploit that stuff. But that's just methodology. Right now we're just in that footprinting phase. I want to find those places. Doing Google dorking can help you do that.

And Daniel has a couple of links here with some lists, and I clicked on the first one and I only looked at the first section of the web page, and then I scroll down and there's a lot, a lot, a lot. I'm using a trackpad, but I just keep scrolling and it just doesn't end. And this is a list of tons of the most important Google dorks from, I think, a couple of years ago, 2019... This is 2020. 2020, sorry. So there's really no shortage of these Google dorks to work with. Yeah, and the reason I have a couple of links for us here: I've got two links that do basically the same thing, which is giving you common Google dorks. One's from 2020, and I thought, well, someone's going to go, "Daniel, that's old," so I found one from 2022. And also, that's not the only reason. The other reason is that this list might have Google dorks that this list does not, and vice versa. So it's nice
to have options. And what's funny, ironically, finding Google dorks is simply a Google away. Wow. Yes, I'll go ahead and let you pause and laugh at that, because man, you've got to wipe the tears out of your eyes over that joke. There's that fake dad laugh that we love. She is actually funny, so it's fun to work with her on a good day. Hey, I'll give you credit. Just take a compliment. Thank you. Appreciate it. Thank you, Daniel.

That said, let's take a look at some of these websites so you can join in on the jokes with us. There we go: "Complete Google Dork list for 2020 for ethical hacking and penetration testing." You know, they kind of hedge their bets on that: "Hey, you're supposed to be doing ethical hacking and penetration testing with this, not other nefarious things. Don't be a jerk." True. And here is exactly what we're talking about. So we have, like, inurl:domain. If I want to make sure that a specific domain is in the URL, I can use the inurl advanced Google option, or dork, as it were, to look for a specific domain. And then any additional dorks. You can string these things together, really refining and making a perfect Google dork, stewed to perfection.

And then, let's see here. It says a hacker would simply use the desired parameters as follows. So inurl is one of them, very recommended: the URL of a site you want to query. We also have the domain for the site, and then the dorks are the subfields and parameters that you're actually looking for. So I want to look for, you know, Drupal or WordPress. Those would be the specific dorks I'm looking for. So there's a whole list of them on this site, as you can see: intitle, inurl, intext, define, site (so just look in this site for these things), book, movie, weather, related, link. Lots of fun stuff in there, and it's all about getting creative on how that works, and that's what these lists do, giving you some good examples.

So let's... this is "the most important"; that's where you were reading from, the top of that list. This was updated, I guess, in 2020, but the list keeps going, and it is a long, long list. So here's one: FTP. Looking for "ftp", and you'll notice that's just quotations, looking for that from www.eastgame.net. So eastgame.net might have an FTP server that may very well have had some sort of vulnerability, and they were looking for that specifically.

As you get down a little further in the list, you start seeing things like intitle:"index of". So they're looking for... if you look at your web browser at the very top. Let me see if I can... right up here, you can see, when I hover over this, I get a title: "Google Dorks List 2020 - A Complete Cheat Sheet - gbhackers.com". That will be the title. So intitle is going to be looking for that in the title of the web page, which I believe is that. There you go. So if there is a title tag in the HTML, what's in that title? If it's this, display that as a search result. I love her face. She's like, "Oh, hell to the yes." I was scrolling through the list and I took one and just put it into Google. And not only does it usually bring what you're looking for to the top, but I noticed it also narrows it down. Only three... you know, usually at the bottom it'll say "Google" with like 20 O's. There were like three O's, so there are only three pages for me to look at, which is nice. It narrows it down, because how many times do you see the 24 million results? It's like, "I can't go through 24 million." Eighteen results? Yeah, I can easily go through that. That's a little more digestible by the average Joe.

So this is one list of them. Let me scroll out. Let's go to the other one, the updated list: "Google Dorks List and Updated Database in 2022." Hey, it says it was updated December the 4th. That was like three days ago. So this is a very up-to-date list as of the filming of this episode. And now you know what day we filmed it, because we let that cat out of the bag. It tells you a little bit about how to use it, the same kind of information we just saw. But what's really important for us is not only to understand how to, but... this is a much more informative version of the other site, even though that one did a really good job as well. What I really want to get to is the Google Dorks updated database. This is cash money right here, because we can start... I do like the ones they start with, like "Bill Gates" intitle:"index of" "parent directory" "size" "last modified". This is a huge Google dork. "description" "Microsoft", and it looks for pdf, txt, epub, doc and docx, inurl of jsp, php, html, aspx, htm, cfs, html, ebooks, ebook, on site: anything with info at the end. So it's a huge dork, and all you have to do is copy and paste that into... where? Google. It's in the name. Which we can do. Should we do that one? Why not? Yeah, try it. I want to see what happens. I'm going to copy and zoom out, grab a tab, go to Google, and just pop that into the old Bada Bing. And there we go. We have results. "Index of" Yagago Naga Pravda Corpus company. This is interesting: resources.mmpi.m... Now we are just randomly throwing darts at a board here, obviously, throwing spaghetti against the wall and getting things. But if Bill Gates was my target, this might be an interesting piece of information that I could use. That's the whole purpose of Google dorking: not to just scattershot and get whatever you can. Some people do that. It's kind of like, I keep using AWS because Sophia and I worked on an AWS pentesting show together, and she became very enamored with GrayhatWarfare, which is kind of a bucket-kicking tool for open S3 buckets. Yes, please. It's fun. You can just randomly search, and maybe you find something interesting, and if you do, you can report that to that company. You never know; maybe you even find yourself with a bug
bounty. That could be awesome. But that's the same kind of idea. If you're just randomly looking for stuff, you may find something, you may not. You probably won't, but you might. But how to use it in a targeted way is what you really want to get good at. Yeah. So learn from the examples that they give you. That's the whole purpose of this. Let's go back to that and see what else we have here. Oh yeah, there's a good one: search for "Windows XP Professional", because if you're running Windows XP Professional, you're asking for it. I mean, I don't know if we can have sympathy for you, honestly. I'm just kidding. Right, there are good reasons why people are still on XP. Hopefully we're not able to find that. So I would couple that with my target; make sure that was, like, the domain, or the inurl, or site:, however you want to do it, to specifically target your client to find whether or not they have any Windows XP boxes or a reference to that via the web. That would be an important thing. So definitely look through those. And then, last but not least, we have the apex predator when it comes to doing Google dorks, which is the Google Hacking Database by Exploit-DB. This is good. These are good things for us. What's interesting is that it's continually updated. As they get new Google dorks that are constantly being searched for or used, they show up here. But you can also start searching it for specific types of Google dorks, because, you know how it's hard to come up with regex, which is regular expressions? That's hard to do. That's a skill not everybody has. But it doesn't mean I don't want to play the game; it just means that I'm typically googling the regex, because somebody else has beaten me to the punch and I don't want to spend half my life trying to figure out how to do the perfect regex to find something. It's the same thing here with Google and doing Google dorking. Well, Exploit-DB just says, "Well, just search our database for specific things and then I'll give you
that." Right so if we look in here we have under that a pop out that comes out from the side So don't go there Right here's one from 919 2022 in text index of and then SQL Right that's cool in URL JSON beautifier online IIS Windows server in the title that means you're you're and you'll notice it says in title and then it gives you the dork which is IIS Windows server which means that you're on the landing page of the IIS server letting you know that site is running IIS on a Windows server So if you are going for that that's what you want So you can definitely start looking for this stuff And then of course you have the search over here Do a quick search of stuff So if I wanted to look for things like Exchange I don't even have to hit enter It just automatically updates And you can see in title Exchange login So if I wanted to try to brute force my way or I had good creds I just need to know where that login is Rock and roll or I knew some default credits to something like a lynxis router like let's do that Let's look for lynxis uh l i n ksys There we go In URL right dynamic/lo.html for the links smart Wi-Fi signin So if I know what the default credits are for that I can just start looking for systems that are online facing the internet go to that page on my results And you can just click these right if I click that it'll take you to a little more detail And uh this one only has category pages and login portals and who who did it but you actually have that description over here in this actual search which you can click on which takes you here And there it is Links smart Wi-Fi Click on that Look at that There's a Lynxys smart Wi-Fi signin page Access the router This is a live thing This isn't mine I don't own this I just click the link that took me to a web page I'm not going to attempt to try to log into this thing But if I were so inclined and they were my target I absolutely would try So you start to see the importance of how you can use Google Dorks very 
effectively to really narrow down a search, find very specific things that you are looking for, vulnerability-wise, informationally, whatever. Yeah, you learn that Google dorking system and all those advanced functions, and you start looking at how other people use it by checking out those different lists that we have in the, uh, Google dorking... or the Google Hacking Database, and you will become very good at that. And that is a great skill to have as an ethical hacker, a penetration tester, because you can uncover gold with this. So I've led you to the water. It is up to you to drink and take it in. Yeah, Google dorking. I've just been kind of going through that list from that first page you showed us, and just copy-pasting and seeing what happens. And there is a bunch of stuff that comes up that, like, if I were to take... this is probably a good place to start if you're like me and you didn't know about any of this. Even if you just took one of these, like, I don't know, file.php, you know, one of these Google dorks, and then added your target name to it or whatever, it's just about changing it to fit what you're looking for. And I don't know, you get it. It's all about, right, you start to build and craft, now that you know how these things work together. This is like a starting point, right? This is the starting point. It's up to you to start to go, "okay, well now I know how to search for a specific site or domain, I know how to search out titles, I know how to search out what type of information I'm looking for. Now I just string all that stuff together to make the perfect Google dork for me," and, yes, find that info. If I had stuff that I actually needed to look for, maybe I would have found something. I was just goofing around, so I didn't find anything important. And if I did, I wouldn't know what to do with it. So it doesn't matter. But now you know; now you have kind of a place to start, a little launching pad there. Hopefully you go in and take a
look at those. Thanks for joining us for this episode on Google Dorks. We'll see you next time.

Hello, thanks for joining us. I'm Sophie, this is Daniel, and this episode is all about Shodan. "Show Dan." Not that Dan. Not that Dan, a different Dan. I'm not the Shogun of Harlem, if that's what you're thinking. Yeah, see, I do that. And Censys is the other thing we're going to talk about. Or is that how it's pronounced, right? "Censys"? Yeah, that's how I have always heard it, so we'll go with that. Not like the US census. No, we'll talk about it. We'll talk about it. So we've looked at different ways to gather information, you know, footprinting and recon and all that. So this is kind of related to that, right? Yes, absolutely. We are in the footprinting domain. Shodan and Censys can help us in that activity: footprinting our targets, our clients. If you're a bad actor out there, you're targeting your victim, and shame on you, you horrible, horrible person. Stop doing that. Turn to the light side. Do not be Darth Vader, a fascist regime. I don't know how we got down this rabbit hole, but man, it was a fun ride, wasn't it? But that's what we're going to do. We're going to look at Shodan and Censys and how we can utilize them to search out and find things, because they do a really good job of that, and it's really interesting to watch the results and see the little bits and bobs that it returns to you about those devices that it does find. Very cool stuff. So these are search engines that you can use to look for stuff that would be very difficult, or I guess maybe impossible, to find if you used a search engine like Google. Yeah, well, right, because Google is more about caching websites. It's like you said, that surface web is what Google is all about. That's their stock in trade, and they do a great job of it. Where Shodan and Censys come into play is they're like, "Yeah, I'm not so much worried about websites per se as I am about things connected to the internet."
And some people will call them IoT search engines, even though they look for more things than IoT and find more things than just IoT devices. They will find servers, they will find firewalls, they will find, you know, even VoIP systems and VPNs. You can do all sorts of weird stuff with both of these things. So you're kind of going way deeper into what the internet is, because now we're looking for those devices that are connected. And that can be helpful not only for people that are trying to do ethical hacking, pentesting, but also hackers themselves that are trying to do the exact same things but for nefarious purposes. And even your blue teams can utilize this stuff, because, well, if I do, like, a domain search for my own domain and all of a sudden I start finding "oh, what is that?", or you do a search for my IP address, "what is that? I didn't realize that was on the network." That's an important thing. I should probably realize and document and figure out what's going on here. Right, so as a blue teamer you might be able to uncover things that weren't readily known or documented. And it could be a helpful thing, because then you can start to secure those things. If you don't know it exists, then you don't know whether or not security is happening. And that is not a state you want to live in, because that's just a hacker's playground. That's not what we want. So that's what Shodan and Censys are for and what we can do with them. So let's start with Shodan. Okay, that's the first one that you mentioned. Why not? And so you kind of said that this is... you can look for stuff that's maybe not quite on the surface. So are we going to be able to look at, slash, use Shodan today? Oh yes, yes, yes. Let me... let's first start off with making sure we properly understand Shodan from Shodan. Let's let Shodan tell us what Shodan is. I think that's probably a good way to go about it. We'll do the same thing with Censys. But my first website that we have for you today is going to be the "What is
Shodan" page from help.shodan.io, The Basics, What is Shodan. URLs and everything will be in your learner resources. So fear not, if you're like "I don't see that URL, Daniel," don't worry. It's all there for you. So what is Shodan? "Shodan is a search engine for Internet-connected devices." Full stop. Probably just stop there. "Web search engines, such as Google and Bing, are great for finding websites." So you didn't just hear it from Daniel. I read this page and understood it and then conveyed it to you. But if you ever need to explain Shodan to somebody, this is a really good "About Shodan" page. So check that out. "What is it" kind of gets into it. It says, "What if you're interested in measuring which countries are becoming more connected? You can do that with Shodan. What if you want to know which version of IIS is most popular? You can do that with Shodan." So a lot of really cool ways in which you can use this thing. I'm going to show you a couple of things that we could take a look at that can kind of get you like, "whoa, that's crazy," because that's fun, right? And it might even actually be useful for you. But you definitely... if you are going to be an ethical hacker, pentester, red teamer, or somebody in security: Shodan has a free tier, right? You can just go to the Shodan website, type in something in the search bar, and it will give you some results. You can't use really anything other than that, pretty much, if you don't have a user account with them. Now, cool news is you get a free user account, and then a few more things open up to you. So do sign up, get that Shodan login so that you can explore a little bit more. Again, it's just a little bit more. What I'm going to show you today will be at that free level, so you don't have to spend any money, but then it starts asking you for cash. If you really want to knock the brakes off this thing and take it for a spin, you're going to have to spend a little bit of money. But if this is something you do, it's like a
carpenter without a saw or a hammer. It doesn't make sense. If you're a carpenter and you want to be one that's good, you go out, you buy a quality saw and you buy a quality hammer, because those are the tools of your trade. Shodan's kind of one of those things. Not super expensive, but, you know, you're not going to throw that money on the ground and walk away from it either. No, I think it's like 60 bucks, 50 or 60 dollars. There is an annual 50 or 60 dollar one, and then there is a monthly fee for those people that are actively using Shodan. So that's where you would start. There's tiers to the thing, starting at per month. Got it. All right. That said, let's take a look at Shodan's search engine. Here it is. This is the Shodan dashboard. I am logged in. So, like I said, if you don't have a login you won't be able to recreate what I'm doing here, but it's as simple as a sign-up away, and then you can. So a few things we can kind of just look at here on the screen: we've got Getting Started, lots of great stuff over in this area right here, a couple of videos that might help you with setting up real-time monitoring. As you can see, it's kind of pushing the advanced features and the really good features that you get when you pay for this. So just be aware of that. You've got developer access; you've got an API key that comes with this thing, which you do get at the free tier as well. So if you wanted to integrate this into some sort of programmatic system, you could use that API for that. You've got a filters cheat sheet. We're going to talk a little more about filters, but there's a cheat sheet right out of the gate to help you start working with filters. Starting to more granularly search for specific things is extremely helpful, right? And, like I said, we'll get more into that in just a moment. But there you go. That's fun stuff. But I guess... let's look at filters, because filters are kind of important. I was going to... I'm going to just
do, like, a basic search, and maybe I will do that. Let's just do printers, you know, just look for a printer. Hit enter. There we go. It searched, and it finds printers. Now, it breaks things down. Found 170,000, almost 171,000 printers. How specific? It just found the word "printer" in some results as it searched through the internet. It has cached results; that's why it works so fast. China's got a lot of printers. You can see, China likes printers. Wow. Yeah, they've got one or two printers up in there. Almost 90,000 it found in China. So it's breaking it down by country, again getting you some statistical data. So if you had an exploit on a printer, for some strange reason, maybe China would be your big target because of how many printers they actually have. That's like more than half the results. That's crazy. Korea is almost on par with us. Yeah, we're number two, though. Hey, nothing wrong with silver, right? And then the ports that come back that had "printer" involved, right: port 515 was very popular with 33,000 results, 445 with 29,000 results. That's because these are popular ports used for printing, right, associated with printing. And then the top organizations. We see that... I cannot say that first name, Aliyun, I guess Aliyun Computing, 71,000. Korea Telecom, right. Oh man, this Aliyun, they had another 4,000 over here. China Mobile Communications. You start to see what organizations are using printers. Yeah, interesting stuff. Products: we see Samba, CUPS, mDNS. Not unfamiliar; anybody that's worked with a printer knows those are just common. There's Ricoh, that's a manufacturer; they have their own protocol, it looks like, or that's the product. Microsoft RPC, that are working with that. Top operating systems: Windows 6.1, Windows 7 Professional, Server 2012. We got Unix right here. Bam, number two. But these over here, these are printers. You see this printer name, "printer". This IP address means that this printer is connected to the internet, and I can click on that, like so.
We can come over here and start learning more information about this. The country is Bulgaria. The city is Vasta. What organization? Rimx Limited. We can see that it is running on port 515, giving us some information about that. This is a very generic, easy thing to work with. You start to get the idea. We can use this for gathering information, just like what we're seeing right here. So, that said, what else can we do with this thing, right? You mentioned filters. I did. Good call. She's on the ball. Well, she's on the money, earning her money today. So that would narrow it down, right? Correct. Which would make it easier to find what we're looking for if we were looking for something specifically. She gets it sometimes. I love to watch her learn. Yeah, like a caveman seeing fire for the first time. It learns. We are having fun today, right? So, right, filters help us do that very thing. But we've got to learn a little bit about filters. How do we work with the filters? So I've got this filter reference page. This is going to be your money right here, because knowing the filters that are relevant to you, or being able to reference the filters you need, is going to be super helpful. We can see some general filters. We've got some HTTP filters. We've got some SSL filters. Bitcoin, if you're looking for that. Some restricted filters. It says that the following filters are only available to users of higher API plans. So you've got to be paying that cheddar if you want to have access to tag and vuln. But vuln, hello, that means it is looking for vulnerabilities. I can search for specific vulnerable things. So it might be worth it, depending, yeah, depending on how often you use this or what you're using it for. It might be worth paying more. I guess not worth it for me, but, you know, right, if I was building things I might spend the money on a lathe. It's a very expensive piece of equipment, but could be totally worth it, right? Again, you see that here: NTP. What else have we got in this
thing here? Oh yeah, leave... you can find screenshots. I say we play with that one. Yes, right. Screenshots just seem like a fun thing. And basically how this works is, if I want, like, a screenshot, I can ask the thing for a screenshot. I can say has_screenshot. There's other filters as well, but I do like screenshots because they really kind of hit things home. But basically what you do is you have your filter name, and it's separated by a colon from the search string. Right, so if I said printer port:21, that would find things with the string "printer" as well as anything that had port 21, but they had to be together, right? So I will now find printers with port 21. We can take a look at that. We'll go back. Let's do that. We'll do printer and we'll just add port:21. This makes it easy. Off the top of your head, Sophia, are you familiar with port 21? I am not. This is FTP. Okay. File Transfer Protocol. Oh, okay. So, printers running File Transfer Protocol. Should they be doing this? I don't know. Doesn't seem reasonable, does it? But a lot of them do, actually. Let's hit enter. Let's just see what happens. I don't know if it took my enter. Yeah, it looks like it is; just waiting, you know, sometimes. There we go. And now we found 106 results. Narrowed it down. We really narrowed it down. So now I'm only finding printers that have FTP running. And yes, you can see "FTP server ready". It's running a Hewlett-Packard FTP print server. It tells me: HP Latex 360 printer. "The user is logged in." Maybe this takes anonymous login. Can I use it? What else can I do? It starts to get interesting from here, right? Yeah, lots of fun. So let's play with... and of course, if you click on the IP address, that will take you to the more details page, giving you more information about that. We also see that it is also running a web server; that's probably for administration. You go there: oh, what are my ink levels and how many pages have we printed, and so on and so forth. But if I can get into that administration page, what else can I do? Maybe I
can take control of it. If it's inside of my target's organization, it might be a great foothold into their network. Yeah, right, you never know. What else have we got? We've got 443, which is the secure site for HTTP. 8090, we've got internal serap, so some form of web service that's going on there. We see HTTP right there. Anything else? No, that's about it. There's more information we'll kind of go over a little bit here in just a minute, but I just kind of wanted you to see how that kind of works itself out, and follow the breadcrumbs. All right, so we've got to get moving now, because time is... I just realized time is fleeting in this episode. It's just too much fun. Let's do... I said screenshots, right? Screenshots are fun. So I'm going to look for camera, right, has_screenshot:true, like so. Oh, look at here. Oh, those are fun, right? So this is it. This is an IP camera. There's its IP address. It's in Japan, Osaka. Author is Steven Woo. Thanks, Steve, hooking us up. And yeah, there you go. There is the actual image from that. And let's follow the bouncing ball. If you click this little thing right here, it should take you to that IP address in your browser. So I'm going to do that and we'll see what happens. Oh, "welcome to the internet camera". Interesting, right? Super fun. What's this? Whoa, too much, Daniel. There we go. What's that? That looks fun. Could be. Let's click on it. It's probably just a login, which it is, but it's basic HTTP authentication. So I could brute force that and maybe find myself... maybe that camera has default creds. Oh, could be fun, right? So there you go. That's what's up. So don't forget this filter. I'm going to get out of there. Then there's also this Explore area, kind of common searches in Shodan you can look at. So we see different categories, like industrial control systems, databases, network infrastructure, video games even, right? But if you do things like ICS, click on that, and you can see common terms: SCADA, PLC, and you'll notice it even breaks it down by manufacturer or protocol, like
Modbus. If I want to look for the Modbus protocol, I can explore Modbus. Showing us it's just running. It's either our Wi-Fi... maybe I'll have to bring in a wired connector here. He's shy. I'm finding 386,812 things that are running the Modbus protocol. Guess what? Modbus, not known for its security, as in it doesn't really have it, right? So fun stuff. Interesting. And these are connected to... oh yeah, the internet. That means you can sit at your house and do these things. But very interesting, very cool. Check out all these different pages that will help you understand Shodan, because Shodan's a very neat search engine, finding interesting little bits and bobs out there on the internets. Clearly lots that you could do with it, lots of different things you could explore and little filters you could take a look at. Just got to get good with it. So what is the difference? So what makes this different from Censys? So Censys is very similar, right? You're going to be different in what you get, especially on the free tier. The information that comes back... you'll get a lot of the same information, a lot of the same capabilities. Search filters will be different. You know, the filters will be a bit different because they're specific to one or the other. Let's jump into Censys. Take a look at that. Here is What is Censys: "the platform to help information security practitioners discover, monitor, and analyze devices that are accessible from the Internet." Sounds a lot like Shodan, right? "We regularly probe every public IP address and popular domain names, curate and enrich the resulting data, and make it intelligible through an interactive search engine and API." Again, very simple. It's really good, like I said, for blue teams to find assets that they own that they might not be aware of that are out there, right, that are internet-facing. So that's a really good idea to use it for as well. But if we just go to the main page... this is the About page. It's pretty straightforward. You find the Censys search
region. Hit Censys Search. From there you can see you have a drop-down over here where you can do it from Hosts. You can do Certificates as well. Hosts is where I typically land, but Certificates can be useful. And then it says, "Search an IP address, name, protocol, or field." Okay, I can do that. I will look for... what? itpro.tv, because that's us. We can do what we like to ourselves. And here are some hosts that are associated with itpro.tv. Now, right out of the gate I can already start to see a bunch of really interesting information: that we are cloud-based, as you can see, right: DigitalOcean, Amazon, Amazon, Amazon, Amazon. Okay, so I get it. We're on Amazon. Anything else? Doesn't look like it, right? But I can see EC2. So we know we have EC2 instances. Let's see if I find any, like, S3. EC2. What else? EC2, EC2. That's basically what our infrastructure is running on: AWS EC2 instances. This DigitalOcean one is kind of an oddball, though. So we can see it runs port 22. That's SSH, remote login. And it's running a web server. Let's click on that. Let's follow the breadcrumbs, shall we? And we can see over here we get a summary. Oh, look at this. It tells me what operating system it's running. Shodan does that as well, right? We just didn't see that part. There's a Raw tab on Shodan. Check that out. Super good. Has a lot of very granular information, but here we're just seeing it in the basic summary. We can see it's under DigitalOcean. We get the routing and the ASN, autonomous system number, and all the different protocols that it's running. It's also showing me that it's running OpenBSD OpenSSH. I get versioning information. This is a gold mine. And you can also click... where's it at? Oh, look at that. It's showing me where it is on Google Maps. Super cool. Click this View All Data. It's kind of similar to the raw data information on Shodan. Click that and I get full-on bannering, right? Excellent stuff. Lots of... and it tells you what these things are. I'll kind of scroll out a little bit. We've got service
banners, showing you all the little really useful pieces of information, or very well may be useful pieces. I see this is running Ubuntu 20.04. That's the operating system. Anything else? I guess that's the software vendor and a software product, which is OpenSSH from OpenBSD, version 8.2p1. You get the idea. Information on a plate. All yours, right? A couple of other things. Make sure you go through these different tabs at the top, like the Explore tab. Click that. What do we find? What was that? The colors. Yes, look, colors. It's how it's connected, from the original IP to the end domain. Oh, this is our forums. You'll notice we also have staging. So that means that this is the production forums, but this IP also kind of gets to staging, which is for development, to make changes and verify things work before they push it to production. And if you right-click on these things and hold it, oh, you can actually go to these things and get more information. Info! Input! As Johnny 5 would say, right? Crazy, right? Lots of stuff. So Censys, there's one more tab at the top, which is... I'm sorry, two more. You've got a History, which says, to get started, it's like a maximum of two events. Oh, you start doing comparisons on the different histories of what it's finding. It's cached results, and then you can compare them together to see if anything has changed. And we've got WHOIS, which tells us who that information is from. We're going to talk more about WHOIS down the road in this module, if I'm not mistaken. Lots of interesting info. So, information gathering on internet-facing devices: Shodan, Censys. There's another one out there, Thingful, and there's others that are available, but these are the two heavy hitters in town. So these are the ones I would highly recommend that you learn a bit about. And even with just these two, there's so much that you could use it for, and you could just go wild, spend all day, days, doing this. And honestly, you'll figure out which one you like the best, and
then you'll get good at using that. Personal preference kind of a thing; just whatever you prefer. But obviously there's no way that we could go through every little tiny nuance of each of these search engines in just one episode. So you will have to go in and take some time for yourself to explore that. But thank you for joining us for this episode on Shodan and Censys, and we'll see you next time.

Hey, thanks for joining us. I'm your host, Sophie, here with Daniel, who really needs no introduction, because if you've been watching and following along, you know very well who we are by now. And this episode is all about subdomain enumeration. And I did not know what that was. And luckily Daniel gave me a crash course before this. But I think I'm probably going to need some more information. So that's pretty simple. Yeah, I'm also very simple. I'm pretty simple, so that's probably the issue. So can we maybe start with what is a subdomain? Yeah. So a subdomain, lovely little thing. So you've got "sub", just a thing you eat. It's delicious. But that's not what we're talking about here. Now I want a sub. Nice. Ah, way to go. Look, I'm coming to you later today. Anyway, a domain, right, this is going to be your whatever.com or thissite.net, suchandsuch.org, right? Your domain, the thing that kind of is your presence on the internet, right? We understand this and it makes sense. So if I had a website that catered to... maybe I'm all about ethical hacking, so I create danethicalhacking.com and you're like, "Cool, I love that stuff. It's amazing."
But then I kind of branch off into, I don't know... give me a thing to do. A thing to do. Art, maybe. How about art? You could do art. I could do art. Yeah, I have faith in you. Yeah, and I say, "Hey, you know, I already own danethicalhacking.com, and maybe I'm making ethical hacking art," and I create a subdomain called art.danethicalhacking.com, right? It's not really connected per se to my main domain, but it is as well. Or maybe I just need to get a little more... what's the word... organized when it comes to things that I'm doing with it. Now, in real-life land, you're always going to see these, you know, what we call second-level domains, those regular domains that you go to the website. That's the terminology you need to be familiar with, right? And then there's gTLD, the generic top-level domains. That's a catch-all for specific areas, like the .coms of the world, the .nets of the world, the .orgs of the world, the .govs, so on and so forth. gTLD, don't forget that. Then you have that subdomain that just kind of pushes off to the left of the dots of your main domain, right? So that's just how that works. Typically used to organize things. Now, it can be the same kind of scenario where I was like, "hey, I want to do something that's art, but it's ethical-hacking related, so I'm going to make a subdomain called art, and that whole site is going to be about ethical hacking art that I create." Now, this is a contrived example, obviously, right? We want to make it a little more useful to what we're talking about today, which is actual ethical hacking. And this is like, if we take ITPro.TV, for example, right, the main domain is itpro.tv, but we also have app.itpro.tv, and I think we might have something like dev.itpro.tv, or stage, or staging.itpro.tv. You get the idea. I'm organizing things and technology about my organization into their own areas and just kind of shunting off of the main branch of what I own as a domain. Okay, and that's the idea. So, organization:
it works out really well. What we don't want to do is forget about them, right? That there are subdomains out there, and we want to make sure that we can find those things, because they are very helpful to us. So subdomain enumeration would basically be finding, enumerating, those subdomains. Correct. Why would we want to do that, for the purposes of what we're doing here? Right, so the reason I say that is important, and why Sophia is asking, like, "why would we do this? Why do I care, Daniel?" I'm like, well, A, it's on your exam, so if you want to pass that you're probably going to need to know a thing or two about said subdomain topic. And it's also important because it's a part of the attack surface, right? When you are casting a net of what can I hack, would you like to have more things that could possibly be hacked, or fewer things that could possibly be hacked? I leave the choice to you. Feel free to not do subdomain enumeration and have a really, really hard time. Maybe you're that genius that can just... "I don't need more. You give me one digital presence and I'm in." I wish I were you. I'm not. And most people aren't. So what do we do? We look for other areas that might be a little less secure, right? Because, and we kind of talked about this, Sophia, that main domain is probably all locked down, but you probably have a development team, you have marketing, you have all these other people that might have the ability to add and take away or modify things on these subdomain sites, that might create a security vulnerability, right? And that's why we look. This is why this is important for us as ethical hackers, penetration testers, to find these subdomains. Bug bounty hunters, this is their stock in trade right here, right? Because they're all about the web apps. I want to find every single... so if I'm looking at a bug bounty or a responsible disclosure program and it says, "here's your scope," and it says *.ourorganization.com, that means anything
that has ourorganization.com after it is fair game. The more things I find, the more likely it is that I will find a weakness, and I want to go after that. So that's why this is super important for us to do. Well, we love demos here on this here show. You're doing a demo? Sweet. He has a little more faith in me than I'm comfortable with. But we like to show. I mean, we tell sometimes, but we do like to show. So are we going to be able to take a look at how we can do some subdomain enumeration? Yeah, no problemo. Finding subdomains is a relatively simple task, and there's a few ways you can go about doing it. What I recommend is to find a few ways that you like, because nothing catches everything per se. So you use a couple of techniques and usually grab more. Definitely look at bug bounty hunters' methodologies and things of that nature if you really want to get good at doing this, because like I said, this is their stock-in-trade. This part of ethical hacking is what makes them good at what they do, because the more things they find that they can hack, the more likely it is that they will hack them. So let's see here. What can we do? We're going to go to my computer, as we have, and I'm going to do a little Google search. Right? Easy peasy. Now, I don't know if you've watched that episode, but we've got an episode all about Google hacking, also called Google Dorks, and I can use Google Dorks to look for sites. So I can just do something like site:itpro.tv, just look for our site, and then I can start looking in the results and seeing what I get. I got www.itpro.tv. There you go, you see that right there: www is a subdomain. Fun. We have blog.itpro.tv, that's another one. So, but https, that's not a subdomain? No, https is the protocol. Okay, right. And then itpro.tv is the domain. Anything before, to the left of the dot of itpro.tv, is a subdomain. Nice. Okay. Dub-dub-dub, just confirming. Dub-dub-dub is just a very common
subdomain. Okay, right. Letting you know it's on the World Wide Web. Because a lot of times you type in dub-dub-dub and then the web address, and then the dub-dub-dub just goes away. Yes, like it disappears from the search bar. Because it's redirecting you to the site without it. Interesting. Yeah, learn something new every day. Yeah, it's fun, isn't it? It's fun. It's a little game we like to play: learning. It's like Sesame Street but for grown-ups. Yeah, without the Muppets. Let's see here. We've also got engineering.itpro.tv. Huh, I wonder what that's about. And I noticed it's an engineering blog. Now I know, maybe engineers have put something up there. We have good engineers. They typically are very security-minded, otherwise we would not be using this. No, I mean, there's nothing I can do. You could always look. That's the great thing about open source intelligence: it's out there. You just have to do it if you want, and there's no law against it. Anyway, I see dub-dub-dub a lot. Dub-dub-dub again, so on and so forth. So that's one way. Just doing a simple Google search is an easy way to do it. Now, another thing I want to do: let's go to the main itpro.tv. I'm going to click on that link, and I'm going to kind of scroll out. Another thing you can do is look at the source code, at the HTML, the underlying page. So just right-click on the page and find that old View Page Source action right here. I'm running Brave, but your mileage may vary on whatever browser you're using. So I'll click Page Source, and then what I would do... I see one right out of the gate right there, honestly. So I see dub-dub-dub right there, http. But what I would do here is just kind of do a scroll through. So I'm going to do a Command-F and look for itpro.tv, and we have 43 results. Now they're probably not all unique. You know, there's a few uniques, probably a few reuses. But let's kind of jump in there and see what we see. I got one right here: assets.itpro.tv. We did not find that in our Google search. So
there's a subdomain. And we have support. So, get some emails as well; that's another thing you would want to do, is grab some emails. Instagram page. Guess I'm going to have to scroll out so I can... a lot of options here. Yeah, I don't want that. That's it? It's a very short page on what came back. Oh, there we go. Yeah. So there we go. Now, it said it had more than that, but that's crazy. It said there were 43. We didn't find 43. I'm going to scrub through. Here we go. Oh, app.itpro.tv with a login page right there. itpro.tv, blog.itpro.tv, it's right there. Bang, bang, bang. I want to keep up, like, I can't see that, Daniel. There's nothing really to see so far. Just kind of bouncing through it. Blog, blog, app, assets again, assets, assets. So I'm just looking for those strings. I could also push this out into a text file, use something like grep and all that, and just kind of pull out the exact information that I'm looking for from the source code. But the more source code pages I look at, the more likely it is I'm going to find more. This is called scraping. It's kind of frowned upon if you automate this process. The people on the internets don't like it when you scrape sites. But, I mean, there's no law against it, so your mileage may vary on whether they allow you to do it or not. Do as you wish. So do a Google search, look at the source code on the pages of the main domain, looking for other areas, and that's a great way to get started looking. But you mentioned automating. So instead of tapping through and trying to find them, can we automate that process? Yeah, this is a bit tedious, isn't it? Oh, a little bit. I mean, it's still useful to do. Don't not do this. But yeah, automation, that's life in the big leagues. So I've got a couple of tools that I kind of pulled out to help us with this. Let's do Netcraft first. So Netcraft is an online tool, so that's nice. Open a browser and do a Google search for Netcraft and you will find Netcraft Internet Research. Bam. Click that
link. I think it's under Resources. Yeah, under Resources you will find Search DNS. It's about this region right here, so in the upper toolbar area you see all these dropdowns. You've got Resources. Once you have that open, hello, you can find Search DNS, which I did. Click on that link. That takes you here: Search the web by domain. And it is easy. It even gives you an example: site contains .netcraft.com. So we could use them as the example, but we'll use itpro.tv and hit search. And let's see what we've got here. Oh look, we've seen that before: app.itpro.tv, www.itpro.tv. Here's a new one: go.itpro.tv. Here's another new one: show-notes.itpro.tv. I believe that's probably an S3 bucket. Oh yeah, I know, it always gets her, like, what's going on? Did you see, it's the one thing that I have a little bit of information about. Yeah, it's like catnip. It's crazy. forums.itpro.tv. What else do we have? proportal. That's for our business-to-business customers; they use the Pro Portal to manage their teams and things of that nature. Yeah, we have help.itpro.tv, blog.itpro.tv. Yeah, Netcraft did a great job of finding some subdomains for us. And again, it's expanding our attack surface, giving us more things that we can start scanning for vulnerabilities, looking for security issues, so we have stuff to report that they can fix, as our clients, if ITProTV was our client and we were the ethical hackers. Right. So the other one that I have for us today is in my Kali box. This is called Sublist3r. Oh yeah, buddy. It's fun stuff. And you can just grab this from GitHub, or do an apt-get install in Kali. I think Kali has this in the repositories. I went ahead and ran it, because it can take a minute to run. And you can see, to run it... if I can control this a little more finely from here. And here we go. That way you can see what I ran. You'll notice I just ran sublist3r.py, and I did -d for what domain I want to look for: itpro.tv. I do throw on some threads, because
this thing can get blocked by Google really fast, because it goes really fast. Yeah, I told you people don't like web scraping. They'll be like, "Hey, what are you doing there, Mr. Automated? Hey, you having a good time there, pal? Yeah, party's over, buddy. You ain't got to go home, but you can't stay here." And they kick you out. They say your IP address will not be allowed to do this after a while, and it takes a while. So lower the threads down. I found 100 seems to be all right. You might get up to 200 or so, but hey, there you go: --threads, do 100 threads or 200 threads and see how that works. And you'll notice I did actually get blocked by VirusTotal. "VirusTotal is probably blocking our requests." I say that I got blocked; it says it probably is blocking us now. Right? So it scans that, and you'll notice it's looking through a bunch of different search engines: Baidu, Yahoo, Google, Bing, Ask, Netcraft. Hey, look at that, there's Netcraft. DNSdumpster, VirusTotal, ThreatCrowd, SSL certificates, passive DNS. Right, so it's doing that. It says it found four domains: app.itpro.tv, blog.itpro.tv, go, and proportal. So it only found the four. Right, goes back to the idea that not everything grabs everything. Yeah, right. Netcraft seemed to do the best. Maybe try a couple. Yes, to make sure you're catching everything. Right. You'd hate to leave something on the table that, if you would have just run another subdomain tool, you would have found it and been off to the races, and gone, "Oh, look at this. It's horribly insecure."
I mean, that's bad. Well, we're going to fix it, but man, it was fun breaking in, right? Hopefully, you know, nothing bad has happened. Oh no, I found other... that does happen, where ethical hackers or pentesters gain access into a system and go, "What is that? Somebody else is in this system." Yeah, and then they have to report, like, "Hey, stop the presses. You actually have a data breach," and now they have to go into incident response. Oh, because there was an incident. Yeah, it can get fun in the world of security, right? But there you go. Subdomains, like I said, pretty straightforward. Finding them, also fairly straightforward. It's just one of those links in the chain of what you have to do in your methodology so that you have a large attack surface: find those vulnerabilities, exploit those vulnerabilities, write those things up in your report, and give them to your clients so they can become much more secure than they were when you found them. Wow, you really wrapped that up better than I ever could have. So yeah, thanks for that. Thank you for joining us for this episode on subdomain enumeration, and we'll see you next time.
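Editor's added example (not code from the episode, ITProTV or Sublist3r): the "push the source into a text file and grep out the itpro.tv strings" step described in the demo, done as a small Python script that reads saved page source offline, so no live scraping is involved. It goes one step beyond the demo by applying a bug-bounty style scope pattern such as `*.itpro.tv`, the `*.ourorganization.com` shape mentioned above, so a naive substring match does not count look-alike hosts. The HTML below is constructed sample input, and the hostnames `notitpro.tv` and `itpro.tv.evil.example` in it are made up for the example; the real itpro.tv subdomains named in the episode (www, app, blog, assets, go, show-notes) are used only as strings in that sample.

```python
"""Extract in-scope subdomains and e-mail addresses from saved page source.

Added example for the subdomain-enumeration episode; the sample HTML is
constructed, not real itpro.tv source.
"""
import re
from typing import Iterable, Set

# A hostname: one or more DNS labels (letters, digits, hyphens) joined by
# dots, ending in an alphabetic TLD. The lookbehind/lookahead stop the match
# from starting or ending inside a longer token, so "notitpro.tv" is seen as
# the whole host "notitpro.tv" rather than as "itpro.tv" with junk in front.
_HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])((?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63})(?![A-Za-z0-9-])"
)
# local-part@host; the host group is checked against scope like any hostname.
_EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@((?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63})"
)


def in_scope(host: str, scope: str) -> bool:
    """True if host matches a scope entry such as '*.itpro.tv' or 'itpro.tv'.

    A wildcard scope covers the base domain and anything ending in '.base';
    it does not cover 'notitpro.tv' or 'itpro.tv.evil.example'.
    """
    host = host.lower().rstrip(".")
    scope = scope.lower()
    if scope.startswith("*."):
        base = scope[2:]
        return host == base or host.endswith("." + base)
    return host == scope


def extract_subdomains(text: str, scope: str) -> Set[str]:
    """Return the in-scope hostnames found in text, excluding the bare base."""
    base = (scope[2:] if scope.startswith("*.") else scope).lower()
    found: Set[str] = set()
    for match in _HOST_RE.finditer(text):
        host = match.group(1).lower()
        if in_scope(host, scope) and host != base:
            found.add(host)
    return found


def extract_emails(text: str, scope: str) -> Set[str]:
    """Return e-mail addresses whose domain part is in scope."""
    return {
        m.group(0).lower()
        for m in _EMAIL_RE.finditer(text)
        if in_scope(m.group(1), scope)
    }


def enumerate_sources(pages: Iterable[str], scope: str) -> Set[str]:
    """Merge the subdomains found across several saved pages."""
    found: Set[str] = set()
    for page in pages:
        found |= extract_subdomains(page, scope)
    return found


# Constructed sample page source (not real itpro.tv HTML).
SAMPLE_SOURCE = """<!-- constructed sample, not real itpro.tv HTML -->
<html><head>
<link rel="stylesheet" href="https://assets.itpro.tv/css/site.css">
<script src="https://www.itpro.tv/js/app.js"></script>
</head><body>
<a href="https://app.itpro.tv/login">Log in</a>
<a href="https://blog.itpro.tv/">Blog</a>
<a href="https://www.itpro.tv/">Home</a>
<a href="mailto:support@itpro.tv">support@itpro.tv</a>
<img src="https://cdn.example.net/logo.png">
<a href="https://notitpro.tv/">unrelated (constructed look-alike)</a>
<a href="https://itpro.tv.evil.example/">lookalike (constructed)</a>
</body></html>
"""

# Constructed second page, e.g. saved blog source, to show merging.
SECOND_PAGE = """<!-- constructed sample, not real itpro.tv HTML -->
<a href="https://go.itpro.tv/webinar">Webinar</a>
<a href="HTTPS://Show-Notes.ITPRO.TV/ep1">Notes</a>
"""

if __name__ == "__main__":
    scope = "*.itpro.tv"
    for host in sorted(enumerate_sources([SAMPLE_SOURCE, SECOND_PAGE], scope)):
        print(host)
    for addr in sorted(extract_emails(SAMPLE_SOURCE, scope)):
        print(addr)
```

To use it on real targets, save each page with `curl -s https://itpro.tv/ > home.html` (or View Page Source and save) and pass the file contents to `enumerate_sources`; the result is a candidate list to feed into DNS resolution and the tools the episode covers, not proof the hosts exist.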