[00:00:00] Welcome back. Let us code our second project for the web application penetration testing section. So, in the previous video we took a look at how we can create a simple brute forcer that will be able to brute force both of our DVWA login pages. We made the POST request, we also made the GET request, and we also changed fields accordingly to each one of those pages.

[00:00:25] Now, as I already mentioned, that program you will need to adjust for every page that you brute force. However, this program that we're going to create right now, which is the directory brute forcer, you won't need to adjust for different pages. It will work for every page. And what a directory brute forcer is, as we already mentioned, is it will discover some hidden directories that could possibly be useful to us once performing web application enumeration.

[00:00:53] So this is something similar to the dirb tool that we covered in the web app penetration testing section. So let's get straight into it. I'm going to open the terminal and I'm going to navigate to our desktop and tools directory.
[00:01:08] Here we got our web app penetration testing directory, and right here, inside of this, we got our previous project. Let us now nano a program that we can call directories.py. As the previous program, this one is also going to import the requests library.

[00:01:30] And before we start coding it, let's first think about what our program is going to look like. So we're going to ask the user of the program to specify the target URL or the target thing. Then we will open a file that has common directory names. We will read from that file, and for each directory name, we are going to perform our request for that page. If we receive our response, or if we manage to load that page, that means that directory exists on that page. If we get something like a connection error, that means that page doesn't exist.

[00:02:05] So this program is really simple. Let's start coding it. And the first thing, as we said, is going to be the target URL. This is going to be equal to the input value, as usual. And here we can specify something like this, and then "Enter target URL". What we also want to ask from the user is the file name.
[00:02:32] So file_name is going to be equal to input, "Enter name of the file containing directories". (typing)

[00:02:46] Okay, so these are the only two things that we need. After we get them, we can open our file like this. So file equals open, and then the first parameter is going to be the file name which they specify, and the second parameter is going to be opening the file for reading. And this is something we already covered, so you should be pretty familiar with how we open files.

[00:03:09] As soon as we open the file, we can start reading different directory names and requesting those pages. So for line in our file, for each and every directory in our file, we're going to first strip that line from any additional characters, and we are going to store that inside of the directory variable. So directory will be equal to line.strip. After that we can create a full_url variable, and the full_url variable will be equal to target_url, plus a slash, plus our directory. So what we are essentially doing right here is, let's say the target inputs a website thing, or a domain name, of google.com.
[00:03:57] Let's say they input that, and from our file we read the admin directory. Essentially what we are doing, right here in this line, is we are combining these two like this. So this is how we search a directory on a certain domain. We simply just add a slash and type the directory name.

[00:04:18] Now that we got the full_url variable, we can perform the same thing from the previous video: response will be equal to request from full_url. And this request function we don't have. It is not requests.get or requests.post. It is just a request function that we are going to code right now.

[00:04:39] So, go up here and type def request. This request of course takes the parameter of url, and what this function should do is it should try to connect to that page that we're looking for, and if it doesn't manage to connect, we're just going to pass. So how can we do this? Well, we can type try, and then we can try to return from this function requests.get. And the reason why we are returning is because we are going to store the response inside of this response variable. So we're essentially returning requests.get.
[00:05:17] And then let's add http:// and plus our URL. So it is going to essentially try to visit our URL. We're just adding the prefix of http, two dots, slash slash. So like this, everything should work.

[00:05:34] If we manage to visit that page, we're going to return the value. And if we don't manage to visit that page, in case of requests.exceptions.ConnectionError, (typing) we're just going to pass. And let's not forget to add two dots at the end of the except statement. So in this case, we didn't manage to connect, therefore we are just passing. And the return value inside this response will be nothing, since we're not returning anything.

[00:06:07] So how can we then check which one managed to connect and which one didn't manage to connect? Well, we can just type the if response statement. And what if response means is, if there is something in response, then do the following statement. If there is nothing in response, then it won't do anything. So in this case, if we have something in response, that means the try statement worked and we managed to connect to that page.
[00:06:36] So we are just going to print "Discovered directory at this path", and we're going to print the full_url. Simple as that.

[00:06:54] And this is our entire program. Let's go through it once again real fast. So we import the requests library. We ask the user of this program for the target URL. We also ask for the file name. Then we open that file and we read each and every line inside of that file. We strip it from any additional characters and store it inside of the directory variable. Then we create a full_url variable that will be the combination of target URL, slash, and the directory name. Then we request that full URL. And if we manage to connect to it, we will return this value inside of the response variable. If we don't manage to connect, this response variable will stay empty. And then at the end, we're just checking if there is something in response, and printing that we discovered the directory at this path. If there is nothing inside of the response, it will not print anything. So let's test our program out.
[00:07:50] I will save this, and all we need to do is python3 directories.py. We enter the target URL. So let's just go and see what the IP address of our Metasploitable is, and in my case it's 192.168.1.2.

[00:08:08] And the name of the file containing directories. So we need this file, and luckily inside of our Kali Linux, if I open a second terminal and I type locate dirb, or "dirb", however you wanna pronounce it, we go to usr share and then the dirb directory, type ls, we will have this wordlists directory right here. If we change to that directory, so cd wordlists, and type ls, we will have a bunch of these txt files.

[00:08:40] And inside of this common.txt file are common names for different directories. So what we can do is we can copy this common.txt file inside of our home, Mr Hacker, then Desktop, and then tools, and then web app penetration testing directory. Once I go to that directory and type ls, we should have our common.txt inside of the same directory as our directories.py file. So now if I go right here and specify common.txt, press enter, this will go and search for every directory.
[00:09:23] And we can already see that it is discovering some of them. We got this slash directory, this slash dev, slash index, slash php, slash phpMyAdmin. And those are all the directories that it manages to find in the main directory of the Metasploitable machine.

[00:09:39] Now you can also specify subdirectories, if you want. For example, if I run the program again and type 192.168.1.2/dvwa, and I type the same file name, which is common.txt, now it will search for the directories inside of this slash dvwa. And we can see it is finding different directories than it found right here.

[00:10:05] And what you would basically do, once performing this type of enumeration, is you would try to find something interesting. You would go through each and every subdirectory and try to figure out if there is any interesting directory on that page that maybe shouldn't be there.
[00:10:21] For example, if I run our program and I type the IP address /mutillidae, which is the name of one of the directories on our Metasploitable, I press enter and I also use the common.txt file, it will find a bunch of directories, but there is a directory that particularly stands out, which is this passwords directory.

[00:10:47] So we can visit that link, which is 192.168.1.2, and then mutillidae/passwords. And it'll lead us to this directory, which has this accounts.txt file. If I click on it, well, it seems like we found some file that contains usernames and passwords. We got admin, the password is probably adminpass. And this could be something like a security question and the answer to the security question.

[00:11:21] So this would be a vulnerability of information disclosure, where it gave us some information that we shouldn't have access to. And we would never know that this passwords directory exists if we didn't run our directories program, which discovered it, and then visited it and found out that there are account usernames and passwords available for us to read. Okay, great.
[00:11:44] So we have finished two projects successfully. We coded the login brute forcer and the directory brute forcer. So we are officially done with web app penetration testing. And in the next section, we are ready to touch on the subject of the man-in-the-middle attack. It is a really interesting attack that we can perform inside of a network, and in the next section we are going to see exactly how we can perform it. See you there.