1
00:00:00,000 --> 00:00:05,819
so welcome to my talk thanks to be here
late appreciate that

2
00:00:06,359 --> 00:00:10,950
so today I'm going to talk about a tool
that i bought that I build a smart

3
00:00:10,950 --> 00:00:12,120
buster

4
00:00:12,120 --> 00:00:19,169
so I'm Patrick Matthew my information
are there and everything will be on my

5
00:00:19,170 --> 00:00:22,920
get up so I I'll just release it in the
next few days

6
00:00:24,240 --> 00:00:31,948
um so when my im co-founder of our
access i work as a intense investor a

7
00:00:31,949 --> 00:00:37,350
purple team at security compass I'm
Canadian French Canadian so sorry for

8
00:00:37,350 --> 00:00:46,920
everything and run that I say that so I
start mostly acting and made nineties

9
00:00:46,920 --> 00:00:55,199
I've been in this for that long i did a
college and university degree and I'm

10
00:00:55,199 --> 00:01:01,170
technically in bug bounties and that all
came mostly from bug bounty as you will

11
00:01:01,170 --> 00:01:06,750
see the problem at the problem that i
had so that anyone has heard of this

12
00:01:06,750 --> 00:01:15,180
before a Rubicon except you guys at now
that's cool i almost put your name but

13
00:01:15,180 --> 00:01:21,060
cool alright so what is very smart
buster

14
00:01:21,060 --> 00:01:27,240
so it's a plug-in inside burp an
extension and the main objective is to

15
00:01:27,240 --> 00:01:30,179
replace their Buster and zerbe

16
00:01:30,180 --> 00:01:40,500
so by doing tons of 10 tests and bug
bounty at this idea came up so why is

17
00:01:40,500 --> 00:01:45,540
that i did want to add a smart those
tools as there buster and their be are

18
00:01:45,540 --> 00:01:51,299
pretty straightforward with word list so
the plug-in the way works a will

19
00:01:51,299 --> 00:01:57,930
technically just use the URL that is
sent true burp when you proxy and i use

20
00:01:57,930 --> 00:02:03,329
this information to create smart request
like I will show you

21
00:02:04,930 --> 00:02:09,759
so the state of the tall currently has
been released at the demo labs at Def

22
00:02:09,758 --> 00:02:17,170
Con last month and there's a working
version on get up then the goal today is

23
00:02:17,170 --> 00:02:21,489
really to let you guys know about the
tool what it's doing but also to have

24
00:02:21,490 --> 00:02:27,400
the community join in to add more
features to it and there's a lot of to

25
00:02:27,400 --> 00:02:31,810
do a lot of things that I had in mind
which are not done yet but i will

26
00:02:31,810 --> 00:02:39,430
explain you and the code is really
documented so I'm kind of freak with

27
00:02:39,430 --> 00:02:44,080
this i add a lot of to deuce comments
everywhere so it's really easy to get in

28
00:02:44,080 --> 00:02:49,390
and add stuff to it so why but white at
all

29
00:02:49,390 --> 00:02:56,799
I'm so like I said after doing a lot of
men test web application test using the

30
00:02:56,800 --> 00:03:03,820
Buster and their be you quickly find out
that the tool those tools are really low

31
00:03:03,820 --> 00:03:08,530
efficiency there's no application
context at all it's just a wordless that

32
00:03:08,530 --> 00:03:13,870
it's bush and trying to brute-force
directories and file so there's no logic

33
00:03:13,870 --> 00:03:19,810
option there's no techniques be nothing
and there's a ton of files that devs and

34
00:03:19,810 --> 00:03:26,170
system in and others that will wrongly
up upload those to their server but when

35
00:03:26,170 --> 00:03:29,470
they upload these files usually they
will have specific names which makes

36
00:03:29,470 --> 00:03:34,900
sense with the application in the
website and the wordless I that are used

37
00:03:34,900 --> 00:03:39,580
for derby and there Buster or bass
techniques beyond the robots.txt file

38
00:03:39,580 --> 00:03:47,920
from that on top 1000 of addicts our
website so these wet these lists of

39
00:03:47,920 --> 00:03:51,700
directories and files are based on
website which are not the website you're

40
00:03:51,700 --> 00:03:58,690
testing so you're doing tons of unwanted
check and at some example if you look

41
00:03:58,690 --> 00:04:04,359
into the files you'll see directories
like /a test bob or something like this

42
00:04:04,360 --> 00:04:09,850
which is a test that somewhere Bob did
but you're testing this inside education

43
00:04:09,850 --> 00:04:13,388
which is not related to people named Bob
right

44
00:04:14,170 --> 00:04:20,500
so there's also the problem that when
you use their Buster the you need to do

45
00:04:20,500 --> 00:04:25,150
manual input so if there's directory
that exists you need to tell him tell

46
00:04:25,150 --> 00:04:30,130
the tool to check this specific
directories it's not checking file

47
00:04:30,130 --> 00:04:35,770
extension and it's not checking the
current context of what you're browsing

48
00:04:35,770 --> 00:04:39,940
to weather website got so it's not
checking the filenames directories the

49
00:04:39,940 --> 00:04:46,240
domain name and etc and another one
which is my in- of to do is it's not

50
00:04:46,240 --> 00:04:49,630
also checking the technology of the
website you're looking at

51
00:04:50,139 --> 00:04:55,720
so if you want it that's a website which
is PHP why will you look for PSP file

52
00:04:55,720 --> 00:05:03,280
right so like i said what i want to do
is add context to the brute force tool

53
00:05:03,280 --> 00:05:08,950
add a stealth mode limit the number of
requests if you want to be a more style

54
00:05:08,950 --> 00:05:15,039
for to slow things down offer a simple
and documenting code so you guys can

55
00:05:15,040 --> 00:05:22,539
join in and at add features to the code
other objective like i said its

56
00:05:22,539 --> 00:05:29,349
application context so my tool when ice
when your browser website variable get

57
00:05:29,350 --> 00:05:34,479
the URL inside the URL if there's a
directory a filename and extension it

58
00:05:34,479 --> 00:05:38,919
will use those those things to
brute-force other similar file based on

59
00:05:38,919 --> 00:05:46,060
this so it's a dynamic content and
that's what makes the Lee at the

60
00:05:46,060 --> 00:05:55,450
difference here so but the feature that
I add mostly when I do a request it's at

61
00:05:55,450 --> 00:06:02,050
first it will check for specific files
that exists but only ons so when you you

62
00:06:02,050 --> 00:06:08,590
go to a victim . com site it will go and
check the robots.txt gather all the the

63
00:06:08,590 --> 00:06:16,690
swallow directories and file and we'll
test if those file exists then I have a

64
00:06:16,690 --> 00:06:23,080
spider option the spider option will
spider the number of URL that you

65
00:06:23,080 --> 00:06:26,650
defined first and we'll gather nouns and
verbs

66
00:06:27,240 --> 00:06:31,710
on the page is spidering and you can
reuse those words that I've been written

67
00:06:31,710 --> 00:06:37,859
on the website to apart and brute force
more directories and file names inside

68
00:06:37,860 --> 00:06:42,750
this website then I also check for the
sitemap suicide my contains everything

69
00:06:42,750 --> 00:06:49,410
of the website so you can set like check
and number of URL inside the sitemap i

70
00:06:49,410 --> 00:06:53,940
use the current directories the current
file i have a list of prefix and suffix

71
00:06:53,940 --> 00:07:01,440
so if you got filed at PHP i will do
file as suffix that PHP and the suffix

72
00:07:01,440 --> 00:07:05,280
I'm brute-forcing things that make sense
like I will show you and I got the

73
00:07:05,280 --> 00:07:11,729
suffix to so suffix file that the HP i
do also the same with the extension so

74
00:07:11,729 --> 00:07:18,120
that dot PHP . something or . something
else so i will just switch it but based

75
00:07:18,120 --> 00:07:27,330
on the file you just browse to so it's
making sense in the context and the fun

76
00:07:27,330 --> 00:07:31,979
thing is you don't it's the difference
well from their buses that you don't run

77
00:07:31,979 --> 00:07:37,710
the tools you just activated in verb and
your browser website and that's it

78
00:07:37,710 --> 00:07:42,780
while you browse it takes the URL do the
brute force in the background and give

79
00:07:42,780 --> 00:07:47,130
you results so you just browse through
your panties to your stuff and then you

80
00:07:47,130 --> 00:07:53,849
get results at the same time it's not
stranded and in works in the pro version

81
00:07:53,849 --> 00:08:03,599
and the non-pro version of birth which
is really interesting question yes so

82
00:08:03,599 --> 00:08:07,830
inside verbal show you right after at ya

83
00:08:08,340 --> 00:08:13,109
the question is how do we activate
inside verb the plug-in so inside bird

84
00:08:13,110 --> 00:08:18,240
there's an extension tab and it's a
Python file that you just put their you

85
00:08:18,240 --> 00:08:21,240
click activate and that's it it's really
simple

86
00:08:22,270 --> 00:08:28,479
so I said it works in the non pro
version which is interesting I and even

87
00:08:28,480 --> 00:08:34,570
the multi Tradeworks so it's doing tons
of requests I it's not limited like

88
00:08:34,570 --> 00:08:41,380
maybe the some feature of verb are I add
the log so everything is log into a file

89
00:08:41,380 --> 00:08:48,130
and everything is based on an ini file
that you got configuration right there

90
00:08:48,130 --> 00:08:55,210
and finally the data jisun which are all
the directories file extension etre that

91
00:08:55,210 --> 00:09:04,300
the tool is using so if we look at how
things are done so inside the code I the

92
00:09:04,300 --> 00:09:13,449
bird extender is the at last that you
extend to gather request from birth in

93
00:09:13,450 --> 00:09:18,310
Python or Java fewer of code in Java so
at first you get a function which is

94
00:09:18,310 --> 00:09:26,020
register extender callbacks and inside
this one each time there's a request

95
00:09:26,020 --> 00:09:33,220
this code will execute so from there at
the code and request the function

96
00:09:33,220 --> 00:09:33,970
process

97
00:09:33,970 --> 00:09:40,690
HTTP message for any request or response
so inside a code i just put it if that's

98
00:09:40,690 --> 00:09:47,170
a request made by you what while you
browse do my smart request function and

99
00:09:47,170 --> 00:09:54,699
it will go user URL parse it and do the
request based on it i create order class

100
00:09:54,700 --> 00:09:59,230
which are the spider the lugger the
requester which is the melted red glass

101
00:09:59,230 --> 00:10:06,580
to create other requests on a cue the
URL data is a parser of the URL and I

102
00:10:06,580 --> 00:10:10,270
got the requester worker which our base
with the the motrin

103
00:10:13,030 --> 00:10:21,220
so like I said the process HTTP message
really intercept everything and if you

104
00:10:21,220 --> 00:10:25,840
look at the colors really the important
thing is to check where the request

105
00:10:25,840 --> 00:10:31,930
comes from because burb each time you do
a request inside the tool it tells you

106
00:10:31,930 --> 00:10:37,599
from where it's coming so you need to
check that it's not coming from yourself

107
00:10:37,600 --> 00:10:43,840
because it will just loop infinity which
I totally did at first was not a good

108
00:10:43,840 --> 00:10:53,530
idea so smart request will do get smart
data so it will execute the code to get

109
00:10:53,530 --> 00:10:59,020
the robots.txt the spy during the
sitemap ons and then it will create a

110
00:10:59,020 --> 00:11:04,750
dynamic content based on the domain name
the file name directories all this is

111
00:11:04,750 --> 00:11:09,700
put inside accused that the requester
we'll just go in it empty it and create

112
00:11:09,700 --> 00:11:18,580
request to check if the file exists or
not the other thing is the application

113
00:11:18,580 --> 00:11:23,710
context is not just a file name so it's
also the domain name and what's really

114
00:11:23,710 --> 00:11:31,360
lacking inside there buster and derby is
that if you want to check a victim . com

115
00:11:32,020 --> 00:11:39,250
maybe this is a Sandman upload the file
which is victim . zip or something I

116
00:11:39,250 --> 00:11:44,440
dish which is maybe a dump of the
database right so i use the domain name

117
00:11:44,440 --> 00:11:51,100
and any sub domain related to it and I
tried them all with all the XX extension

118
00:11:51,100 --> 00:11:55,210
that I got in my file so each directory
that I go out try this

119
00:11:56,860 --> 00:12:03,280
so if the end then put this file at the
rude or at the / something out

120
00:12:03,280 --> 00:12:11,380
technically find it one of the two which
is really interesting but needs to be

121
00:12:11,380 --> 00:12:16,720
added to the tool is the application
technology so at a check at of what the

122
00:12:16,720 --> 00:12:20,590
website is is it running on a patchy is
it

123
00:12:20,590 --> 00:12:24,490
sharepoint is a PHP is be whatever

124
00:12:25,250 --> 00:12:30,620
and based on this technology have a
specific Jason file doing checks for

125
00:12:30,620 --> 00:12:37,970
this a specific technology which will be
really interesting and mostly when I

126
00:12:37,970 --> 00:12:45,080
look at sharepoint I it got a tons of
web services which people often forget

127
00:12:45,080 --> 00:12:52,280
and those services usually are not
restricted not authenticated and when

128
00:12:52,280 --> 00:12:56,209
you request those they will give you
like all the usernames all the emails

129
00:12:56,210 --> 00:13:01,490
everything internally and even sometimes
just gave you access to upload or browse

130
00:13:01,490 --> 00:13:07,670
the internal website even from external
when it's an intranet web site seeing

131
00:13:07,670 --> 00:13:17,569
that so happens so the focus
stealth-action there's a configuration

132
00:13:17,570 --> 00:13:21,890
to into the configuration file to limit
the number of requests everything is

133
00:13:21,890 --> 00:13:25,490
there at this the only thing missing
right now it's just that if I'm like

134
00:13:25,490 --> 00:13:32,930
stop after five or something like this
and like I said the code is really

135
00:13:32,930 --> 00:13:38,640
simple with tons of comments &

136
00:13:38,640 --> 00:13:44,910
this is the way that how the code works
internally so maybe it's a bit small so

137
00:13:44,910 --> 00:13:51,030
obviously that the burb fight and file
will get the GC and file with the data

138
00:13:51,030 --> 00:13:54,720
the configuration file when it get the
configuration file

139
00:13:55,260 --> 00:14:00,000
it's getting all the information like I
said the state static one and documents

140
00:14:00,000 --> 00:14:04,650
one and we'll go for extension
directories and files so you got the

141
00:14:04,650 --> 00:14:09,840
example here like explain a bit earlier
like filed an extension that injection .

142
00:14:09,840 --> 00:14:17,670
or file . injection . so it's checking
everything like this this is the the

143
00:14:17,670 --> 00:14:22,199
configuration file so the number of
tears the padding file extension number

144
00:14:22,200 --> 00:14:27,840
of page two requests with the spider
which function to call so the smart

145
00:14:27,840 --> 00:14:33,390
things to add to the tools like just
giving up the possibility to use a

146
00:14:33,390 --> 00:14:40,290
specific word file wordlist like there
buster is doing or using the spider mode

147
00:14:40,290 --> 00:14:46,949
only or something like this and really
important is the in scope so inside burp

148
00:14:46,950 --> 00:14:54,600
you got the ad to scope option right now
it by default it's on if you don't add

149
00:14:54,600 --> 00:14:56,520
the websites to the scope

150
00:14:56,520 --> 00:15:03,030
nothing will happen if you remove this
option anything like you do we'll ask

151
00:15:03,030 --> 00:15:04,380
and everything

152
00:15:04,380 --> 00:15:07,650
problem is if you go and test the
website

153
00:15:07,650 --> 00:15:14,790
usually there's 32 maybe 15 website
which our third parties and request

154
00:15:14,790 --> 00:15:24,780
jisun java and feed xml javascript tons
of things that are not on the website

155
00:15:24,780 --> 00:15:30,089
you're testing and the tons of requests
and I'm doing will go on all those sites

156
00:15:30,090 --> 00:15:37,740
so one request might turn into so right
now with the option with add to scope

157
00:15:37,740 --> 00:15:42,600
it's around 5 550 request for one click

158
00:15:43,230 --> 00:15:49,500
so if you don't do this you might go and
do 5000 click request for one click

159
00:15:50,259 --> 00:15:58,929
which is the website won't like right
the in your file type so you got the

160
00:15:58,929 --> 00:16:03,790
gift gee peg those kind of file if you
want to reject something you can add it

161
00:16:03,790 --> 00:16:09,789
there and technical things which is the
training / by default you always add a

162
00:16:09,789 --> 00:16:14,619
slash at the end when it's a directory
but some website or configure so weirdly

163
00:16:14,619 --> 00:16:17,619
that you can remove this option if
needed

164
00:16:19,299 --> 00:16:25,389
so this is explained this is what the
data file looks like so inside the

165
00:16:25,389 --> 00:16:31,869
extension section you can see . . back
that swept all PHP s you get a small

166
00:16:31,869 --> 00:16:37,449
description the file prefix so what's
interesting in prefix I look at

167
00:16:37,449 --> 00:16:38,289
everything

168
00:16:38,289 --> 00:16:46,359
linux windows 7 and 10 and look for copy
of and when you do a copy paste of a

169
00:16:46,359 --> 00:16:50,619
filing the same directory what it's
happening so you can see in prefix and

170
00:16:50,619 --> 00:17:07,269
suffix so dash copy or copy space copy
or a copy of old just a tiled just a dot

171
00:17:07,269 --> 00:17:14,138
sometime so all those files based on you
12 and windows if someone do a copy base

172
00:17:14,138 --> 00:17:16,658
and uploaded by error to the website

173
00:17:16,659 --> 00:17:21,159
this will be catch and the interesting
part is that you can catch those files

174
00:17:21,159 --> 00:17:24,220
because of the context of the
application in the current URL which you

175
00:17:24,220 --> 00:17:31,000
cannot find with a specific static list
of there buster and then you got files

176
00:17:31,000 --> 00:17:36,250
and directories that you look for a
config file that gets doctors and all

177
00:17:36,250 --> 00:17:43,299
those things at my data file is not that
huge it can be ad but the most critical

178
00:17:43,299 --> 00:17:46,290
stuff is there

179
00:17:46,290 --> 00:17:49,409
yep

180
00:17:50,160 --> 00:17:55,140
so when you run that all income in line
while anywhere that you output the

181
00:17:55,140 --> 00:17:59,610
results from the extender you will see
something like this so by default you

182
00:17:59,610 --> 00:18:04,169
got the verbals option which tell you
what function has been tested and

183
00:18:04,170 --> 00:18:12,690
whether URL is so you can see a request
prefix for this file so it added I'll

184
00:18:12,690 --> 00:18:23,700
and then it added . it that you can see
all index of copy of copy 1234 and at

185
00:18:23,700 --> 00:18:30,210
the end you see this file exists and the
the code that is returned so 43 at 200

186
00:18:30,210 --> 00:18:36,180
maybe a 44 or something like this but
the thing is they might be false

187
00:18:36,180 --> 00:18:45,480
positives to problem is that I web well
sysadmin and server configuration won't

188
00:18:45,480 --> 00:18:49,530
be the same for the 44 errors the
problem

189
00:18:49,530 --> 00:18:53,460
well by default the RFP tells you that
when there's a page that doesn't exist

190
00:18:54,240 --> 00:19:01,170
you need to return a 44 but nobody
mostly do it and so you get a 2 unread

191
00:19:01,170 --> 00:19:06,030
which is a file that exists but inside
the text of the page it will tell you

192
00:19:06,030 --> 00:19:11,340
that this is a page that doesn't exist
or it's a four-for-one intex so i'll

193
00:19:11,340 --> 00:19:18,300
just show you right after what i did
with this next step of the tools like I

194
00:19:18,300 --> 00:19:25,470
said a technology check adding also this
come from a comment from defcon adding a

195
00:19:25,470 --> 00:19:31,410
concept of community data that is sent
to an animus service web services so if

196
00:19:31,410 --> 00:19:38,460
you all use the tool and you find a
directory which is $OPERAND / config it

197
00:19:38,460 --> 00:19:42,570
will just tell the web services like we
found / config it's a real data that

198
00:19:42,570 --> 00:19:48,360
exists out there and we can have like a
ranking so if there's 3,000 people

199
00:19:48,360 --> 00:19:52,199
finding this dietary it might be like
everywhere

200
00:19:53,520 --> 00:20:00,150
the trance peed by default it's just a
tread that it's intense and it might not

201
00:20:00,150 --> 00:20:07,140
be liked by people that you test the
website so i need to add a tread speed

202
00:20:07,140 --> 00:20:14,610
limit the aspiring is getting the nouns
and numbers like i said but i'm not

203
00:20:14,610 --> 00:20:20,610
using it right now so just a function to
go over it and yeah for sure there's

204
00:20:20,610 --> 00:20:30,149
some small technical fix to do sorry I
and like I said the 44 needs to be fixed

205
00:20:30,150 --> 00:20:34,440
but technically it's mostly working so
this is the code it's a bit small but

206
00:20:34,440 --> 00:20:42,450
what it's doing for the false positive
verification of the 44 i get i create a

207
00:20:42,450 --> 00:20:50,730
md5 hash random one doesn't matter and I
request this ash on the website so

208
00:20:50,730 --> 00:20:58,260
website.com / the ash i'm pretty sure
that this will never exist right and you

209
00:20:58,260 --> 00:21:04,530
use this result to see if the page what
the page give you as an error so if the

210
00:21:04,530 --> 00:21:07,860
reader response status is 44

211
00:21:07,860 --> 00:21:10,860
it's a normal case every 44 is
considered normal

212
00:21:11,370 --> 00:21:18,090
if it returns you a tree or something
you base your the fact that tree

213
00:21:18,090 --> 00:21:22,949
hundreds error might be false positive
so I just want to add a message like

214
00:21:22,950 --> 00:21:27,780
this might be false positive because
it's mostly impossible to guess what the

215
00:21:27,780 --> 00:21:34,649
cum deep the code is doing on the
website behind and if the responses are

216
00:21:34,650 --> 00:21:43,800
200 so the most wrong 1i use beautiful
soup which is an API that parse HTML and

217
00:21:43,800 --> 00:21:49,350
I look for text which is like page not
phone or 44 or something like this if

218
00:21:49,350 --> 00:21:53,459
you want to if you testing a website
that says that X which is not in the

219
00:21:53,460 --> 00:21:56,370
code you a dish with this code and
that's it

220
00:21:56,370 --> 00:22:00,149
so Nicole is there

221
00:22:00,150 --> 00:22:04,620
the only difference that the only thing
that needs to be done is at if based on

222
00:22:04,620 --> 00:22:07,139
this to say in the results like this

223
00:22:07,140 --> 00:22:16,350
this might be the false-positive the
technology the way to do it is like i

224
00:22:16,350 --> 00:22:21,270
said if the server is that she do a
passage checks if it's sure . do the

225
00:22:21,270 --> 00:22:27,210
shirt . checks which peed do those
checks and technically just doing at

226
00:22:27,210 --> 00:22:32,430
last with this kind of function based on
data decent file which has all the

227
00:22:32,430 --> 00:22:35,220
directories and files to look should be
easy

228
00:22:35,220 --> 00:22:43,890
the community data like i said and some
technical fix so right now i'm using a

229
00:22:43,890 --> 00:22:50,970
ini file for configuration I didn't do a
gooey inside verb i don't like coding

230
00:22:50,970 --> 00:22:57,360
javac we so I just didn't do it but it's
welcome if someone want to help i want

231
00:22:57,360 --> 00:23:02,879
my colleagues send me the configuration
of the ini ini inside agree so I just

232
00:23:02,880 --> 00:23:08,190
need to add it by also want a box with
the results not just getting results and

233
00:23:08,190 --> 00:23:14,790
inside the console it's not that great
right now and any ideas that you might

234
00:23:14,790 --> 00:23:20,340
have are welcome for sure so that covers
it

235
00:23:20,910 --> 00:23:31,650
any question alright i'll just try to do
a small demo quickly i got a few minutes

236
00:23:31,650 --> 00:23:35,730
left so inside the directory

237
00:23:36,240 --> 00:23:42,420
I gotta try running and you can see that
at the root there's copy of index that

238
00:23:42,420 --> 00:23:52,350
HTML index that back-to-back file HTML .
back the normal HTML file and I got a

239
00:23:52,350 --> 00:23:59,070
conflict directory with web.config
inside it so when you go inside burb you

240
00:23:59,070 --> 00:24:05,250
go to the extender you add the burp
smarter file which is a Python one you

241
00:24:05,250 --> 00:24:08,250
load it and that's it

242
00:24:09,250 --> 00:24:14,440
you need to do like I said the ad to
scope so right now the local Lowe's is

243
00:24:14,440 --> 00:24:23,200
add right there and when you go here so
the results will just appear in this

244
00:24:23,200 --> 00:24:30,130
page if everything works when you do the
cliq nothing works

245
00:24:30,130 --> 00:24:33,130
yeah as usual

246
00:24:34,090 --> 00:24:38,800
yeah I know did the same thing at DEFCON
how they go

247
00:24:40,480 --> 00:24:46,270
so those are all the things that it
looks at four on the website so all the

248
00:24:46,270 --> 00:24:52,389
directories all the extension for the
smart domain so it's looking for look

249
00:24:52,390 --> 00:24:58,090
allows that dark that zip that are that
whatever then the request file so the

250
00:24:58,090 --> 00:25:05,620
specific at critical files that i need
to look at and there's tons of those and

251
00:25:05,620 --> 00:25:09,729
at the end it tells you that those are
two really exists or not and those are

252
00:25:09,730 --> 00:25:13,750
false positive because this is a cali
and everything that runs on that she

253
00:25:13,750 --> 00:25:19,600
which is like . HT access is returning
as a 4-3 even if the file exists or not

254
00:25:19,600 --> 00:25:27,580
you got this one which URL exist which
is a slash config so that works and it's

255
00:25:27,580 --> 00:25:38,500
during other yeah so when you go to the
website and you try / config which will

256
00:25:38,500 --> 00:25:47,650
give you this awesome directory so it
will tell you that inside / config

257
00:25:47,650 --> 00:25:52,390
there's the web.config file which is
there but again the . HD access the

258
00:25:52,390 --> 00:26:00,280
false-positive came up here so the only
things to add will be maybe like when

259
00:26:00,280 --> 00:26:04,090
it's of oratory add a warning saying
maybe it's not maybe it's a false

260
00:26:04,090 --> 00:26:04,899
positive

261
00:26:04,900 --> 00:26:09,730
so that's the demo is kind of boring I
mean it's just giving you results right

262
00:26:09,730 --> 00:26:12,730
so but it works thank you

263
00:26:14,330 --> 00:26:23,689
so I'm going to be here for anybody have
any questions thanks again