[00:00:06] Another really important part of a penetration test is looking for names and passwords belonging to an organization. You may ask, "How can I actually find names and passwords for an organization without actually targeting the organization?" There's a lot of public information available that can help you in your search.

[00:00:24] Public breaches are the number one way you can actually find this information. There have been some pretty high-profile breaches over the recent years, from Adobe to LinkedIn, Dropbox; they were all breached in recent years, and the attackers took all those usernames and passwords and published them out on the internet, so many people have access to these public breaches now, and although people have used it for malicious reasons, as an ethical hacker, one thing that you can do is look at these breaches and find out if there are any usernames and passwords belonging to the organization that you're working with.
[00:01:06] If so, you can see if those usernames and passwords are still active and try to log in to their webmail portals or their VPN portals using those passwords, and even if the passwords are not still used, we all know that people are notoriously bad at picking passwords, so, oftentimes, people will reuse their password, or they'll just put a new number on the end of their password. Maybe the end of their password has a date like 2016 on it, and you might wanna change it to 2017, and that might actually work.

[00:01:41] So these previous breaches are an important tool that you can use to actually find usernames and passwords belonging to an organization. Oftentimes, you can find this information and end up being able to log into an organization remotely without sending in a single attack towards the organization. There are also many paste sites out there.
[00:02:04] Pastebin is probably the most famous one, where people can just anonymously copy and paste information to this website, and you'll also find a lot of breached information on there as well, so it's really important to search these types of sites for the organization that you're performing the penetration test on as well, to make sure that there aren't any public usernames and passwords on there.

[00:02:30] As we can see, using public internet searches is immensely useful for performing your penetration testing engagement. There has been a lot of research done on how you can actually perform searches for sensitive information for these companies, so you don't have to figure it all out yourself. There's a great tool on the Exploit Database. Google Hacking Database is what they call it, where they have all these example searches that you can perform to assist you in your search for finding sensitive information for the organization. So, one example is you can search for "your password is" and also put a file type for PDF.
[00:03:09] Unfortunately, many organizations issue passwords to their employees, and they put it in documents, and sometimes that information can get indexed on the internet if not secured properly. So, this site lists many different ways that you can actually perform your searches, and they'll give you recommendations: if you're looking for password files, you can use these searches. If you're looking for database files, you can use these searches, and they have lots and lots of information on the website for you so you can perform these searches.

[00:03:39] Let's take a look at this website. So, let's get some help on searching for sensitive information for this organization. We'll look at the Exploit Database, and specifically, we're gonna look at the Google Hacking Database section of the Exploit Database. This site has many exploits for public systems, but as a side project to that, they have the Google Hacking Database. And here, we can look at different types of categories for files and sensitive information for the organization that we're targeting.
[00:04:11] We can see that there is, we're highlighting Files Containing Usernames, so if you use the searches within this category, they help you search for usernames within the organization just by doing Google searches. There are Vulnerable Files, Vulnerable Servers, so if you're looking for vulnerable servers, they might look for certain search strings that you can use to actually find outdated systems. Maybe they'll be Windows 2000 systems, or Windows XP systems, systems that are outdated. Files Containing Juicy Information, so these are sensitive information files. Maybe they'll have names and social security numbers, different types of PHI or PII.

[00:04:59] There's also Files Containing Passwords. We'll look at that one specifically, and you can see, up pops a list of many different types of Google searches that you can perform to search for password files for a particular organization.
[00:05:17] So you can see, this one, as highlighted now, this is a FileZilla search, so if an organization is using FileZilla, the software can store passwords for an organization in its configuration files, and if a system is publicly connected to the internet and gets indexed by Google, you could perform this search to look for FileZilla files containing passwords.

[00:05:42] We can see Microsoft FrontPage passwords. If they're using FrontPage, these are different types of searches that you can do to search for that as well.