1
00:00:01,950 --> 00:00:03,320
<v Lecturer>In today's lecture, we're going</v>

2
00:00:03,320 --> 00:00:05,674
to talk about subdomains.

3
00:00:05,674 --> 00:00:07,328
Subdomains, we've seen them everywhere.

4
00:00:07,328 --> 00:00:11,820
For example, they come in as subdomain.target.com.

5
00:00:11,820 --> 00:00:14,980
So for example, you'd have beta.facebook.com.

6
00:00:14,980 --> 00:00:17,610
You'd have mobile.facebook.com.

7
00:00:17,610 --> 00:00:20,510
Or you might have user.facebook.com.

8
00:00:20,510 --> 00:00:23,030
So, for example in Google,

9
00:00:23,030 --> 00:00:26,250
you have mail.google.com which basically just

10
00:00:26,250 --> 00:00:27,243
takes you to Gmail.

11
00:00:28,714 --> 00:00:32,780
Why subdomains are important is, in a lot of the cases,

12
00:00:32,780 --> 00:00:36,920
some websites have subdomains for their own users.

13
00:00:36,920 --> 00:00:39,870
For example, for the employees or

14
00:00:39,870 --> 00:00:42,080
for certain customers.

15
00:00:42,080 --> 00:00:44,740
So, they're not advertised unless you are some sort

16
00:00:44,740 --> 00:00:46,030
of a V.I.P. customer,

17
00:00:46,030 --> 00:00:48,680
or if you are

18
00:00:48,680 --> 00:00:50,230
an employee.

19
00:00:50,230 --> 00:00:52,640
You will not see these subdomains on search engines

20
00:00:52,640 --> 00:00:56,070
and you just never see a link leading to them.

21
00:00:56,070 --> 00:00:59,230
So, they might contain vulnerabilities or exploits

22
00:00:59,230 --> 00:01:01,709
that will help you gain access to the whole website

23
00:01:01,709 --> 00:01:03,680
but you just never knew about them

24
00:01:03,680 --> 00:01:05,750
because they're not advertised.

25
00:01:05,750 --> 00:01:08,370
Another thing is, a lot of the big websites,

26
00:01:08,370 --> 00:01:10,630
when they're trying to install a new update,

27
00:01:10,630 --> 00:01:13,480
or add a new feature to the website,

28
00:01:13,480 --> 00:01:15,480
they install it in a subdomain,

29
00:01:15,480 --> 00:01:19,420
so you'd have beta.facebook.com, which actually contains

30
00:01:19,420 --> 00:01:22,180
a beta version of Facebook which contains,

31
00:01:22,180 --> 00:01:24,180
still, experimental features.

32
00:01:24,180 --> 00:01:26,540
Now, experimental features are great because

33
00:01:26,540 --> 00:01:28,070
they are still under development,

34
00:01:28,070 --> 00:01:29,720
and there's a really high chance

35
00:01:29,720 --> 00:01:31,503
of finding exploits in them.

36
00:01:32,850 --> 00:01:34,970
And this is actually true: not so long ago,

37
00:01:34,970 --> 00:01:36,549
someone was able to brute force

38
00:01:36,549 --> 00:01:40,060
the restore password key

39
00:01:40,060 --> 00:01:41,630
for any Facebook user.

40
00:01:41,630 --> 00:01:44,410
And was able to gain access to any Facebook user.

41
00:01:44,410 --> 00:01:46,150
And this was only possible

42
00:01:46,150 --> 00:01:48,570
through the beta.facebook.com

43
00:01:48,570 --> 00:01:52,460
because facebook.com used to check for number of attempts

44
00:01:52,460 --> 00:01:53,293
or wrong attempts.

45
00:01:53,293 --> 00:01:55,930
And they just didn't implement that security feature

46
00:01:55,930 --> 00:01:58,370
in the beta because they just didn't think

47
00:01:58,370 --> 00:01:59,500
anyone is gonna go there.

48
00:01:59,500 --> 00:02:01,074
Or for any reason,

49
00:02:01,074 --> 00:02:02,928
like the beta usually contains

50
00:02:02,928 --> 00:02:05,018
more problems than the normal website,

51
00:02:05,018 --> 00:02:09,263
so it will be very useful to try and hack into it.

52
00:02:11,110 --> 00:02:13,200
So, in today's lecture, we'll see how we can find

53
00:02:13,200 --> 00:02:15,970
any subdomains that have not been advertised,

54
00:02:15,970 --> 00:02:17,142
or even the advertised ones.

55
00:02:17,142 --> 00:02:20,563
So, we'll be able to get subdomains of our target.

56
00:02:21,410 --> 00:02:23,520
We're going to use a tool called "Knock".

57
00:02:23,520 --> 00:02:24,580
The tool is very simple,

58
00:02:24,580 --> 00:02:25,830
you don't really need to install it.

59
00:02:25,830 --> 00:02:27,570
All you have to do is download it

60
00:02:27,570 --> 00:02:28,870
using Git.

61
00:02:28,870 --> 00:02:29,703
Knock.

62
00:02:29,703 --> 00:02:32,193
So, the command's going to be git clone,

63
00:02:32,193 --> 00:02:35,330
and then you put the U.R.L.

64
00:02:35,330 --> 00:02:36,610
of the tool.

65
00:02:36,610 --> 00:02:37,590
And that's it.

66
00:02:37,590 --> 00:02:38,850
It's downloaded now.

67
00:02:38,850 --> 00:02:40,810
So I'm gonna navigate to it

68
00:02:40,810 --> 00:02:42,113
using the CD command.

69
00:02:43,600 --> 00:02:46,910
And we'll see that we have the py file here.

70
00:02:46,910 --> 00:02:49,177
I'm gonna run it using the command "python".

71
00:02:51,547 --> 00:02:54,730
"Knockpy.py", and then I'll put the I.P.

72
00:02:54,730 --> 00:02:57,930
or the website that I wanna get the subdomains of,

73
00:02:57,930 --> 00:03:01,013
and it's gonna be isecurity.org.

74
00:03:06,810 --> 00:03:08,740
And, this will show you some information

75
00:03:08,740 --> 00:03:10,150
about the website first,

76
00:03:10,150 --> 00:03:12,340
and then it will do a brute force

77
00:03:12,340 --> 00:03:15,718
and a Google-based subdomain search for isecurity.

78
00:03:15,718 --> 00:03:17,199
So, it'll show me any subdomain

79
00:03:17,199 --> 00:03:20,197
that isecurity might have so that I could try

80
00:03:20,197 --> 00:03:23,240
and test the security of that subdomain

81
00:03:23,240 --> 00:03:25,110
and see what's installed, maybe I'll

82
00:03:25,110 --> 00:03:27,140
be able to gain access to the website

83
00:03:27,140 --> 00:03:28,463
through that subdomain.

84
00:03:29,800 --> 00:03:31,960
Okay, so the scan's complete now.

85
00:03:31,960 --> 00:03:33,580
And as you can see, we managed to find

86
00:03:33,580 --> 00:03:35,572
seven subdomains

87
00:03:35,572 --> 00:03:38,030
that were not advertised.

88
00:03:38,030 --> 00:03:40,963
So one of them is ftp.isecurity.org.

89
00:03:42,722 --> 00:03:44,491
Isecurity.org, we already know about this.

90
00:03:44,491 --> 00:03:47,503
This is just the local subdomain.

91
00:03:48,400 --> 00:03:50,160
We can see that the mail server

92
00:03:50,160 --> 00:03:52,560
has its own subdomain as well.

93
00:03:52,560 --> 00:03:54,770
And, we can see a very interesting one

94
00:03:54,770 --> 00:03:57,402
here, news.isecurity.org.

95
00:03:57,402 --> 00:04:01,480
This actually did contain a beta version of the script

96
00:04:01,480 --> 00:04:02,380
that we were working on.

97
00:04:02,380 --> 00:04:03,960
A new script.

98
00:04:03,960 --> 00:04:05,730
And at the moment now, if you go to it,

99
00:04:05,730 --> 00:04:08,070
it's actually converted and it'll just

100
00:04:08,070 --> 00:04:12,170
take you to the actual website 'cause (mumbles) development.

101
00:04:12,170 --> 00:04:15,760
But now, if you go and use that isecurity.org,

102
00:04:15,760 --> 00:04:17,967
it'll just tell you that "this has been moved

103
00:04:17,967 --> 00:04:18,990
"to the main website."

104
00:04:18,990 --> 00:04:21,330
And then if you click here, you'll go to the main website,

105
00:04:21,330 --> 00:04:22,781
with the script installed.

106
00:04:22,781 --> 00:04:25,540
So, if someone wants to hack into our website,

107
00:04:25,540 --> 00:04:28,130
and did this, they'll actually see

108
00:04:28,130 --> 00:04:30,540
that there is a script under development.

109
00:04:30,540 --> 00:04:32,450
And there is a high chance that they would've

110
00:04:32,450 --> 00:04:34,901
been able to find a vulnerability in it

111
00:04:34,901 --> 00:04:37,763
and gain access to the whole website.

112
00:04:38,890 --> 00:04:41,280
So, this just shows you how important

113
00:04:41,280 --> 00:04:43,320
information gathering is, guys, again,

114
00:04:43,320 --> 00:04:47,100
which can be used to really gain access to websites.

115
00:04:47,100 --> 00:04:50,520
Or, if you don't do it, you'll be missing a lot of things.

116
00:04:50,520 --> 00:04:52,822
For example, you might be missing a whole script

117
00:04:52,822 --> 00:04:55,900
with a whole number of vulnerabilities.

118
00:04:55,900 --> 00:04:58,482
Or you could be missing an admin login page,

119
00:04:58,482 --> 00:05:01,530
or an employee login page, which is used

120
00:05:01,530 --> 00:05:03,493
for admins and employees to log in.