1
00:00:01,180 --> 00:00:08,470
Now, once we get the authoritative DNS server address by using whois, we can identify any additional

2
00:00:08,470 --> 00:00:12,730
hosts in the domain such as the FTP server, mail server and so on.

3
00:00:14,300 --> 00:00:19,070
If there are any other services in this domain, we can also extract information from them.

4
00:00:20,460 --> 00:00:26,160
Now, another way to discover subdomains and hosts is to query search engines.

5
00:00:27,970 --> 00:00:29,880
And then you can compare the results.

6
00:00:31,390 --> 00:00:39,030
OK, so here you might be confused about hosts and subdomains, so let me give you a quick explanation.

7
00:00:40,710 --> 00:00:49,380
If you think of the address x.example.com, now x is a subdomain of example.com.

8
00:00:50,700 --> 00:00:59,730
And x.example.com can be a host if it is connected to an IP address and resolves to a computer

9
00:01:00,060 --> 00:01:03,000
when one goes to x.example.com.

10
00:01:04,370 --> 00:01:04,710
Cool.

11
00:01:07,070 --> 00:01:13,790
So anyway, there are multiple ways to extract additional host and subdomain information, so that means

12
00:01:13,790 --> 00:01:18,530
there are lots of tools out there for us to use for this purpose.

13
00:01:18,860 --> 00:01:24,620
And I'm going to use two tools that are already present in Kali: fierce

14
00:01:24,830 --> 00:01:28,700
and theHarvester. Fierce is a really cool tool.

15
00:01:29,240 --> 00:01:32,840
Besides that, it uses brute force methods to get subdomains.

16
00:01:33,080 --> 00:01:39,600
Also, after it finds a valid host, then it performs a reverse lookup to uncover additional hosts.

17
00:01:39,770 --> 00:01:41,930
And here are the options for fierce.

18
00:01:42,530 --> 00:01:51,380
OK, so first we're going to run a basic scan, so type fierce -dns google.com -threads 10

19
00:01:51,380 --> 00:02:00,800
-file /root/Desktop/googleinfo.txt and hit enter.

20
00:02:02,510 --> 00:02:07,130
So the -dns parameter specifies the domain that you want to scan.

21
00:02:08,250 --> 00:02:11,430
So in our example, it is google.com.

22
00:02:12,960 --> 00:02:16,320
By default, fierce runs in single-threaded mode.

23
00:02:16,920 --> 00:02:18,000
So because of this,

24
00:02:19,020 --> 00:02:22,440
I can add the -threads parameter to increase the speed.

25
00:02:23,960 --> 00:02:31,430
So that makes the scan run faster, and then the final parameter helps us to save the results to a file.

26
00:02:33,290 --> 00:02:35,720
Now, while scanning the hosts or subdomains,

27
00:02:36,940 --> 00:02:46,150
what happens in the background? So fierce first tries to find the DNS servers for the target domain.

28
00:02:48,500 --> 00:02:53,660
Next, as I'm showing you on the screen, it attempts to do a zone transfer.

29
00:02:55,090 --> 00:02:59,770
Now, at this point, if a zone transfer is successful, fierce will stop running.

30
00:03:00,780 --> 00:03:04,830
And then you can take that information that you got from the zone transfer.

31
00:03:06,420 --> 00:03:15,510
Now, if the zone transfer fails, as it has in our scan, it checks if wildcard DNS is enabled.

32
00:03:16,620 --> 00:03:22,170
And then it performs a brute force against the domain using its built-in wordlist.

33
00:03:23,820 --> 00:03:25,590
OK, so now the scan is complete.

34
00:03:27,080 --> 00:03:34,640
And as you can see, once a scan is finished, the found subdomains and discovered subnets are listed.

35
00:03:35,720 --> 00:03:43,490
We can also view and save the file, but the content is not that different; in fact, it is not different

36
00:03:43,490 --> 00:03:46,960
at all from the output on our screen; it just makes it convenient.

37
00:03:47,810 --> 00:03:51,770
And by default, fierce uses its own built-in wordlist.

38
00:03:53,220 --> 00:04:02,400
But it also provides the ability to use a custom wordlist that you can build, and sometimes different

39
00:04:02,400 --> 00:04:05,400
wordlists can uncover new subdomains.

40
00:04:06,720 --> 00:04:09,790
So the second tool is theHarvester.

41
00:04:10,590 --> 00:04:17,190
It is another subdomain scanner, and it gathers public information such as employee names, emails,

42
00:04:17,200 --> 00:04:20,340
subdomains, banners and other similar information.

43
00:04:21,950 --> 00:04:24,710
For now, we're just going to deal with subdomains and hosts.

44
00:04:25,890 --> 00:04:28,230
And type theharvester.

45
00:04:29,550 --> 00:04:31,350
And you'll see the options.

46
00:04:32,660 --> 00:04:35,930
Now, it's quite easy to use this tool, so let's just run it quickly.

47
00:04:38,160 --> 00:04:44,490
Type theharvester -d and the domain that you want to search, so in my case, of course, it's

48
00:04:44,490 --> 00:04:45,450
google.com.

49
00:04:46,820 --> 00:04:56,480
Now, it might be strange because I will be using Bing to search for google.com, but by using the

50
00:04:56,480 --> 00:05:03,040
-b parameter, you can provide a data source. The -l parameter limits the search output.

51
00:05:03,710 --> 00:05:09,850
So theHarvester will analyze the first 500 search results from Bing about google.com.

52
00:05:10,610 --> 00:05:15,830
And finally, the -f parameter helps us to save the result to a file.

53
00:05:19,090 --> 00:05:20,860
OK, so hit enter and let it run.

54
00:05:23,790 --> 00:05:26,580
And first, the search is conducted.

55
00:05:31,470 --> 00:05:33,150
Then it will analyze the results.

56
00:05:34,940 --> 00:05:37,220
OK, so here's what we expected to see.

57
00:05:38,190 --> 00:05:39,930
So now,

58
00:05:40,960 --> 00:05:42,490
go to the saved file directory.

59
00:05:44,780 --> 00:05:48,650
I'm going to go to the desktop, and here's the file, so let's have a look.

60
00:05:49,280 --> 00:05:52,520
So it's not very different from the output that's on the screen.

61
00:05:54,620 --> 00:05:56,140
At least we can have smaller graphics.

62
00:05:57,780 --> 00:06:03,680
Great, so you can run these tools, or some other ones if you wish, for your target.

63
00:06:04,840 --> 00:06:06,370
You can go ahead and practice it.

