1 00:00:01,870 --> 00:00:03,550 Hello and welcome, everyone.
2 00:00:04,420 --> 00:00:12,490 So in this video, we are going to discuss filters, so how can you utilize filters for identification
3 00:00:12,490 --> 00:00:20,430 of SSRF and exfiltration of sensitive data to increase the severity and criticality of your bug?
4 00:00:21,450 --> 00:00:28,050 So here we are going to do it on a live target and I'm going to show you how you can successfully
5 00:00:28,050 --> 00:00:32,790 perform SSRF and also use the different types of filters.
6 00:00:33,000 --> 00:00:33,480 All right.
7 00:00:33,870 --> 00:00:39,690 So our target is this website and we are going to attack this.
8 00:00:40,380 --> 00:00:48,120 So what I'm going to do, first of all, is I'm going to scan this website using Burp, which is
9 00:00:48,120 --> 00:00:53,120 basically I'm going to spider all the web URLs and endpoints first.
10 00:00:53,580 --> 00:00:57,160 So I have configured this with Burp already.
11 00:00:57,180 --> 00:00:59,240 And now let me just go to my Burp Suite.
12 00:01:00,470 --> 00:01:04,820 Turn intercept on and let me just reload the target.
13 00:01:06,140 --> 00:01:10,560 Let me just go back to Burp and you can see we have our target.
14 00:01:11,180 --> 00:01:20,630 Let me just send this to repeater and now we want to spider this and get all the possible URLs.
15 00:01:21,380 --> 00:01:23,000 Let me just go back to repeater.
16 00:01:23,510 --> 00:01:23,930 Right-
17 00:01:23,930 --> 00:01:28,130 click, and now we want to spider this.
18 00:01:28,250 --> 00:01:31,550 So let's just click on Add to Sitemap.
19 00:01:31,820 --> 00:01:34,990 And this is now added to the site map.
20 00:01:35,540 --> 00:01:44,240 So here you can see the website is successfully added and our target was ViiV lab, 12. F.R.
21 00:01:45,640 --> 00:01:50,740 And it is all here now, so let me just right-click over here.
22 00:01:52,930 --> 00:01:59,030 And click on Add to scope, and it is successfully added to my scope, as you can see over here.
23 00:01:59,500 --> 00:02:00,010 Perfect.
24 00:02:00,310 --> 00:02:05,560 Now let me just click on Filter and click on "show only in-scope items".
25 00:02:05,740 --> 00:02:14,890 And here you can see I will only be able to see those items which are in my scope, and all other targets
26 00:02:14,890 --> 00:02:20,970 or background requests that are going through my browser will not get captured in Burp Suite.
27 00:02:22,270 --> 00:02:22,690 Perfect.
28 00:02:22,900 --> 00:02:30,790 So now you can refresh this and it will automatically spider more and give you some of the links,
29 00:02:30,790 --> 00:02:32,240 as you can see over here.
30 00:02:32,500 --> 00:02:37,680 So we have successfully got a lot of links from here, so I'm going to use one of them.
31 00:02:38,020 --> 00:02:44,260 So let's say I'm going to use this one, which I have already saved over here.
32 00:02:44,410 --> 00:02:46,290 And you can see this is here.
33 00:02:46,300 --> 00:02:47,440 So let me just copy this.
34 00:02:47,770 --> 00:02:53,190 This is the same endpoint that I have discovered through spidering.
35 00:02:53,620 --> 00:02:59,170 Let me just paste it over here, go to Burp, and I'm going to capture this.
36 00:03:02,280 --> 00:03:06,560 Now, I will just go here and right-click and send this to repeater.
37 00:03:07,050 --> 00:03:12,990 Now you can see over here, this is the endpoint, which is pointing to wp-content plugins.
38 00:03:13,400 --> 00:03:15,630 They're small to WordPress?
39 00:03:16,470 --> 00:03:23,640 The smaller PHP is formed through Callicles to get raw data from database, query equal to.
40 00:03:24,880 --> 00:03:29,900 Nothing, query equals to, I have added our target here.
41 00:03:30,640 --> 00:03:34,700 So there was a parameter; I just replaced that parameter with the target here.
42 00:03:35,140 --> 00:03:39,040 Now I have identified the endpoint to be vulnerable.
43 00:03:39,310 --> 00:03:44,610 So what I'm going to do is I'm going to add my Collaborator IP over here.
44 00:03:44,830 --> 00:03:50,560 Now, for some reasons, if you do not have Collaborator in the Community Edition of Burp Suite, you do
45 00:03:50,560 --> 00:03:53,370 not need to worry about that in this video.
46 00:03:53,380 --> 00:03:59,200 I'm not going to use the Collaborator IP or the Collaborator client to capture the request and prove
47 00:03:59,200 --> 00:03:59,830 necessary.
48 00:04:00,280 --> 00:04:06,790 Instead, I will show you some of the free resources that you can utilize, which work in the same
49 00:04:06,790 --> 00:04:08,020 and efficient manner.
50 00:04:08,560 --> 00:04:11,710 So first of all, you need to come onto the website.
51 00:04:12,100 --> 00:04:15,460 Once you are here, you are able to create a free webhook.
52 00:04:16,240 --> 00:04:23,500 Now, I have created my free webhook and let me just show you how it looks, and you will see
53 00:04:23,500 --> 00:04:24,460 your unique
54 00:04:24,460 --> 00:04:26,690 URL, and it looks something like this.
55 00:04:26,800 --> 00:04:31,240 So this is my unique URL and you just need to copy this.
56 00:04:31,660 --> 00:04:38,170 And if we get any hit on our unique URL, it would look something like this.
57 00:04:38,170 --> 00:04:40,010 We can see I have got one request.
58 00:04:40,360 --> 00:04:42,670 This is the previous request that I have got.
59 00:04:42,670 --> 00:04:44,560 Let me just delete this request right now.
60 00:04:44,920 --> 00:04:47,500 And now it is waiting for your first request.
61 00:04:47,950 --> 00:04:51,370 Let me copy the unique URL of my webhook.
62 00:04:52,150 --> 00:04:56,260 Go to Burp Suite and enter my webhook URL and hit send.
63 00:04:56,710 --> 00:05:05,200 And you can see as soon as we hit send and we have received a response, there comes a hit on our
64 00:05:05,500 --> 00:05:11,780 webhook URL, which means the host from which we are getting the hit is vulnerable.
65 00:05:12,460 --> 00:05:15,490 You can see we have also got the host IP.
66 00:05:15,730 --> 00:05:22,570 If I do a whois, I would be able to know that this request is coming from this particular target.
67 00:05:23,020 --> 00:05:23,440 All right.
68 00:05:23,740 --> 00:05:29,750 So let me just close this and show you the second alternative.
69 00:05:29,770 --> 00:05:33,730 So this is the second alternative, which is pipedream.com.
70 00:05:34,420 --> 00:05:40,390 And you can just come over here and you can request a bin and you can see "waiting for an event".
71 00:05:40,510 --> 00:05:42,530 So it is waiting for an event to happen.
72 00:05:42,940 --> 00:05:45,730 Now, this is your endpoint, which you can utilize.
73 00:05:45,760 --> 00:05:52,930 So let me just copy it, go back to Burp Suite and replace the previous one with the new
74 00:05:53,960 --> 00:05:57,210 endpoint of our request and let me hit send.
75 00:05:57,740 --> 00:05:58,240 Let's wait.
76 00:05:58,280 --> 00:06:02,810 If we get a hit over here, as you can see, it says success: true.
77 00:06:03,350 --> 00:06:04,060 Let's wait.
78 00:06:04,070 --> 00:06:10,550 If we have got a new request, once we get a new request, it is going to send a ping over
79 00:06:10,550 --> 00:06:10,880 here.
80 00:06:12,170 --> 00:06:15,800 And you can see we have got a successful request over here.
81 00:06:16,220 --> 00:06:21,260 And you can see it comes from the same IP address as we saw previously.
82 00:06:21,770 --> 00:06:22,280 Perfect.
83 00:06:22,730 --> 00:06:26,860 Now, we have come to know that our target is vulnerable.
84 00:06:26,930 --> 00:06:33,350 That is the reason it is making a connection request to the attacker-controlled domain or any third-party
85 00:06:33,350 --> 00:06:33,660 domain.
86 00:06:34,370 --> 00:06:40,370 Similarly, this is a third resource that I am going to show you, which is requestcatcher.com.
87 00:06:40,940 --> 00:06:46,220 Now, the best thing about requestcatcher.com is you can also create your free subdomains, as you
88 00:06:46,220 --> 00:06:46,970 can see here.
89 00:06:47,390 --> 00:06:52,820 So I have created a free subdomain which is backboned.requestcatcher.com.
90 00:06:52,820 --> 00:06:59,140 And you can see here I can receive successful requests. Now, how to use this:
91 00:06:59,150 --> 00:07:02,510 once you have created your subdomain, copy the subdomain name.
92 00:07:03,020 --> 00:07:05,850 Go over where you want to test for SSRF.
93 00:07:06,200 --> 00:07:10,820 Let me just replace this with my new subdomain of request
94 00:07:10,820 --> 00:07:13,040 catcher, and let me just write here
95 00:07:14,000 --> 00:07:20,270 SSRF. So the subdomain and the endpoint, I can add anything that I want.
96 00:07:20,630 --> 00:07:27,740 I have already done this test once, as you can see, and the endpoint that I chose was slash test, and
97 00:07:27,740 --> 00:07:35,720 this time I'm choosing SSRF so that I can show you I get a new request on my backboned.requestcatcher
98 00:07:35,720 --> 00:07:36,280 .com.
99 00:07:36,980 --> 00:07:39,500 Let me just hit send, and as you can see,
100 00:07:39,500 --> 00:07:46,220 I have successfully got one more hit and this is the hit which I'm getting from the same target, which
101 00:07:46,220 --> 00:07:47,400 is this IP address.
102 00:07:47,900 --> 00:07:54,650 Now this proves that I was able to successfully induce a request from this target to myself.
103 00:07:55,190 --> 00:08:02,420 Now in the next video you're going to see how we can utilize this to exfiltrate sensitive information
104 00:08:02,420 --> 00:08:03,230 from the target.
105 00:08:03,680 --> 00:08:04,190 Thank you.