Website Hacking: A Detailed Guide
Hey Freaks! First, let me remind you that the article is written for educational purposes. The author is not responsible for any possible harm caused by the materials of this article.
Website hacking is one of the most common types of attacks today. If you are interested in how sites get hacked, this article is for you. Here we will cover the basics of hacking web applications and show, with examples, how to work with popular engines.
General principles of site hacking
By structure, sites fall into three large classes:
- self-written (made by hand in HTML, produced by a static generator such as Jekyll, or assembled in a constructor program such as Adobe Dreamweaver);
- made in online constructors (mostly business card sites without any databases or submitted fields);
- running on a ready-made CMS (Content Management System).
There are also self-made CMS built for a specific site, but this has become a rarity: only the largest resources can afford to maintain their own system, and the associated costs are hard to justify.
Most modern sites are based on ready-made engines.
From an attacker's point of view, website engines are no different from other software and services. Their source code is usually publicly available, and any researcher can analyze it for bugs, including security holes. That is why sites on a CMS rarely become victims of targeted attacks; more often they are broken into in bulk.
Such hacking is automated and usually follows this scheme: a hacker finds a vulnerability (on their own, or simply by googling something fresh). Then they write an exploit or take a ready-made one and build a specialized bot. This bot probes every site in a given range for that hole and tries to exploit it.
Reconnaissance
Before trying to attack a target, you need to collect information about it. WhatWeb is a good tool for this. This utility provides detailed information about the victim's CMS and the web tools it uses.
We advise running WhatWeb with the -a key followed by the value 3 or 4. The only difference between them is that in the second case WhatWeb also scans subdirectories. Keep in mind that both options set an aggressive polling method, with all the consequences that entails, or rather with all the log entries that pour into the server.
Here is an example run and collected responses:
https://URL [200 OK] Cookies[PHPSESSID], Country[UNITED KINGDOM][GB], Frame, HTML5, JQuery[1.9.0,2.2.3], Open-Graph-Protocol[website], PHP[7.1.33], PasswordField[password], Script[application/ld+json,text/javascript], Title[Bower Partnerships | Best Equity Release Broker Customer Service 2019], UncommonHeaders[link,x-robots-tag,alt-svc], WordPress, X-Powered-By[PHP/7.1.33], X-UA-Compatible[IE=EDGE]
Here we can see that this is the website of a British company, built on WordPress, using PHP 7.1.33 and jQuery 1.9.0 and 2.2.3. Not bad for a start!
If you don't have a VPN or just don't want to bother with installation, check out the online version of WhatWeb. By the way, when working with foreign sites it is very fast.
If identifying only the name of the CMS is enough for you, there are separate services for that, including Russian-language ones.
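WhatWeb's one-line summary (shown above) is easy to read by eye but awkward to feed into an inventory or a CVE comparison, because values can contain commas inside brackets (JQuery[1.9.0,2.2.3]) and several bracket groups can follow one name (Country[UNITED KINGDOM][GB]). The following parser is an added example written for this article, not part of WhatWeb; the sample line, host and values are constructed, only their shape matches WhatWeb's output.

```python
import re

# Constructed sample in the same one-line summary format WhatWeb prints
# (hypothetical host and values; only the shape matches the output above).
SAMPLE = ("https://example.invalid [200 OK] Cookies[PHPSESSID], "
          "Country[UNITED KINGDOM][GB], Frame, HTML5, JQuery[1.9.0,2.2.3], "
          "PHP[7.1.33], Title[Example | Site], WordPress, X-Powered-By[PHP/7.1.33]")

# "<url> [<status>] <plugin list>"
HEAD = re.compile(r"^(?P<url>\S+)\s+\[(?P<status>[^\]]+)\]\s*(?P<rest>.*)$")
VERSION_LIKE = re.compile(r"\d+\.\d+")


def split_plugins(plugin_list):
    """Split on commas that sit outside square brackets, so that a value such as
    JQuery[1.9.0,2.2.3] stays in one token."""
    tokens, current, depth = [], [], 0
    for ch in plugin_list:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            tokens.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tokens.append("".join(current).strip())
    return [t for t in tokens if t]


def parse_whatweb(line):
    """Parse one WhatWeb summary line into {'url', 'status', 'plugins'}.
    plugins maps plugin name -> list of bracketed values (empty for bare names)."""
    m = HEAD.match(line.strip())
    if not m:
        raise ValueError("not a WhatWeb summary line")
    plugins = {}
    for token in split_plugins(m.group("rest")):
        name = token.split("[", 1)[0].strip()
        values = []
        for group in re.findall(r"\[([^\]]*)\]", token):
            # several versions of one component are comma-separated inside one bracket
            values.extend(v.strip() for v in group.split(","))
        plugins[name] = values
    return {"url": m.group("url"), "status": m.group("status"), "plugins": plugins}


def versioned_components(parsed):
    """Keep only components that carry a version number: the shortlist to
    compare against vendor advisories and CVE databases."""
    return {name: vals for name, vals in parsed["plugins"].items()
            if any(VERSION_LIKE.search(v) for v in vals)}


if __name__ == "__main__":
    result = parse_whatweb(SAMPLE)
    for name, versions in versioned_components(result).items():
        print(f"{name}: {', '.join(versions)}")
```

The versioned shortlist is what a site owner should check first: it is the same list an attacker's scanner produces, so anything outdated in it is the first thing to patch.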
Here are the latest statistics on the popularity of various CMS in RuNet:
- WordPress: 58.12%;
- Joomla: 17.12%;
- OpenCart: 4.65%;
- Drupal: 3.75%;
- Wix: 3.74%;
- MODX Revolution: 2.81%;
- MODX Evolution: 2.76%;
- Nethouse: 2.23%;
- others: 4.78%.
WordPress
Since WordPress is the most popular CMS right now, let's jump right into it. A very powerful scanner that can do magic has been released for it: WPScan. At the time of writing, the current version was 3.7.8. This scanner can determine the version of the target, brute force the admin panel (it even has its own built-in dictionary), look for open directories, detect installed plugins, and much more. In addition, it is pre-installed in Kali Linux and other pentesting distributions. There is even a Docker container version.
In our opinion, WPScan's controls and keys could be simplified. The program even has two help screens: a short one (-h) and a detailed one (--hh). Before scanning, update its vulnerability database:
wpscan --update
After that we start scanning. WPScan without any keys gives general information about the site, scanning the target only superficially:
wpscan --url http://example.com
After the line Interesting Finding(s): come the items you should pay attention to:
- WP version;
- open directories;
- suspected vulnerabilities;
- links to resources where you can read about these vulnerabilities.
At the end of the output, a red exclamation mark marks lines that violate security rules. In our case, this is an exposed wp-config.php configuration file containing a login and password for the database.
We continue digging and try to guess the admin panel login and password with the same tool:
wpscan --url http://[IP-address] --passwords pass.txt --usernames user.txt
Brute-forcing is very fast thanks to multithreading. If the admin used standard accounts and set simple passwords, the result will not be long in coming.
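The aggressive WhatWeb mode mentioned in the reconnaissance section and the WPScan enumeration described here (probing for wp-config.php, open directories, plugin readme files) both leave a recognizable trail in the web server's access log. The detector below is an added example, not part of the article or of any of these tools: it reads constructed Apache "combined" log lines (hypothetical addresses, paths and user agents) and flags a client that either announces itself with a scanner user agent or fires a burst of probe-like requests (404s or known enumeration paths) within a short window. The probe-path list and thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines (hypothetical addresses, paths and
# user agents); a real file is read line by line the same way.
LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /about/ HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "WPScan v3.7.8 (https://wpscan.org/)"',
    '198.51.100.9 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1200 "-" "WPScan v3.7.8 (https://wpscan.org/)"',
] + [
    f'192.0.2.44 - - [10/Oct/2023:13:56:{sec:02d} +0000] '
    f'"GET /wp-content/plugins/plugin{n}/readme.txt HTTP/1.1" 404 150 "-" "Mozilla/5.0"'
    for n, sec in enumerate(range(1, 13, 2))   # six 404s within ten seconds
]
SAMPLE_LOG = "\n".join(LINES)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# User agents are trivially changed, so this is the weakest signal of the two.
SCANNER_UA = re.compile(r"wpscan|whatweb|joomscan|droopescan|sqlmap|nikto", re.I)
# Paths that ordinary visitors never request but CMS scanners enumerate (assumed list).
PROBE_PATH = re.compile(
    r"^/(wp-config\.php|xmlrpc\.php|wp-content/plugins/[^/]+/readme\.txt|"
    r"administrator/manifests/|CHANGELOG\.txt)", re.I)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def analyze(log_text, window_seconds=60, threshold=5):
    """Return {ip: [reasons]} for clients that look like CMS scanners.
    Reasons: a scanner user agent, or at least `threshold` probe-like requests
    (404s or known enumeration paths) within `window_seconds`."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        reasons = set()
        if any(SCANNER_UA.search(e["ua"]) for e in events):
            reasons.add("scanner user agent")
        probes = sorted(e["ts"] for e in events
                        if e["status"] == 404 or PROBE_PATH.match(e["path"]))
        # sliding window: does any span of window_seconds hold `threshold` probes?
        for i in range(len(probes)):
            j = i
            while j < len(probes) and (probes[j] - probes[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                reasons.add("probe burst")
                break
        if reasons:
            alerts[ip] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(reasons))
```

The second client is caught by its user agent alone (two probes are below the burst threshold), while the third hides behind a browser user agent and is caught only by the 404 burst; in practice the burst rule is the one worth alerting on, and a hit on a path such as wp-config.php returning 200 deserves an immediate look regardless of volume.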
As you can see, we got the credentials for the admin panel and the database without much difficulty. For the average cracker, this would be more than enough, but we haven't checked everything yet. Next in line are WP plugins and other popular entry points.
The scanner showed us that the selected site has no plugins installed; however, this may be a false conclusion due to the limitations of the passive detection method. For more reliable plugin detection, you need to set the aggressive detection mode:
wpscan --url http://[IP-address] --enumerate ap --plugins-detection aggressive
Keep in mind that the ap key shows all plugins found, while vp shows only vulnerable ones. This procedure takes a considerable amount of time. The speed depends on how remote the site is, but even in the best case it will take at least 30 minutes.
As you can see, the aggressive method paid off: Akismet anti-spam plugin version 3.1.1 was detected.
In exactly the same way, you need to look for other vulnerable WP add-ons. See the --enumerate section of the manual for more details.
Also check known vulnerabilities (CVE), for example for the version of PHP on which the CMS is running. Then look for ready-made Metasploit modules for WP and try them.
Joomla
Joomla is also a fairly popular CMS, and there is a scanner for it: JoomScan. It was written by the people from the Open Web Application Security Project (OWASP). It is still relevant, although it has not been updated for a long time: the latest version, 0.0.7, was released in September 2018.
At its core, this is exactly the same security scanner as WPScan, only a little simpler. JoomScan is also pre-installed in most hacker distributions, and its entire manual fits in a few lines:
It also supports an aggressive method of scanning installed components. The command to start scanning in aggressive mode looks like this:
joomscan --url http://84.42.34.2/ --enumerate-components
Here is an example analysis of a Joomla site found on the Internet:
As you can see from the screenshot, the program reports the CMS version, the CVEs of the vulnerabilities found, and links to exploits that can be used to hack the site. The output also shows all the directories found on the site and a link to the configuration file, if you forgot to hide it.
JoomScan cannot brute force the admin area. Today, performing such a brute force requires a serious tool that works through a chain of proxy servers, if only because Joomla sites often use the brute force stop plugin. When the number of failed authorization attempts reaches a given number, it blocks the attacker's IP address.
If your Joomla site runs over HTTP (which is rare), try using the Nmap script.
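The blocking behaviour just described (a counter of failed authorization attempts per IP that turns into a temporary block) is simple to implement on the defending side. The class below is an added example written for this article, not the code of any Joomla plugin: the thresholds are assumptions, timestamps are passed in explicitly so the logic can be exercised deterministically, and the password check is handed in as a callable so the throttle stays independent of how credentials are stored.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-source-IP lockout: after `max_failures` failed logins within `window`
    seconds, the address is blocked for `block_seconds`. Timestamps are passed in
    explicitly (or taken from time.monotonic()) so the logic is testable."""

    def __init__(self, max_failures=5, window=300, block_seconds=900):
        self.max_failures = max_failures
        self.window = window
        self.block_seconds = block_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> time at which the block expires

    def is_blocked(self, ip, now=None):
        now = time.monotonic() if now is None else now
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # block expired: forget the history
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, check_password, now=None):
        """Run one login attempt. check_password is a callable returning True on a
        correct password. Returns 'blocked', 'ok' or 'failed'."""
        now = time.monotonic() if now is None else now
        if self.is_blocked(ip, now):
            # A blocked client gets the same answer whether or not the password is
            # right, so the block itself cannot be used to confirm a guess.
            return "blocked"
        if check_password():
            self._failures.pop(ip, None)
            return "ok"
        recent = self._failures[ip]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            return "blocked"
        return "failed"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window=60, block_seconds=120)
    wrong = lambda: False
    for t in range(4):
        print(t, throttle.attempt("198.51.100.9", wrong, now=t))
```

Note the limitation the article itself points out: an attacker rotating through proxies never trips a per-IP counter, so this belongs alongside a per-account counter, mandatory two-factor authentication for administrators, and logging of every lockout so the attempts are visible to whoever watches the server.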
Drupal and other CMS
With Drupal, as with other less popular CMS, things are a little more complicated. There is simply no suitable scanner that would find vulnerabilities on such sites. Of the ready-made tools there is only DroopeScan, and it only helps to quickly collect basic information about the victim.
Install DroopeScan via pip (of course, you must have Python installed):
pip install droopescan
Let's start scanning. Since it supports more than just Drupal, it is best to tell it explicitly which CMS we expect to find on the site:
droopescan scan drupal -u http://url
The rest you have to look for by hand and google. Vulnerability databases such as CVEdetails and ready-made PoC exploits (which can be found on GitHub and on the dark web) are very helpful here.
For example, take the CVE-2018-7600 vulnerability, which affects Drupal 7.x and 8.x. It allows you to upload and invoke a shell remotely. A PoC exploit can be found here:
The scanner gave us only the version of the CMS, and that was enough to exploit the vulnerability. In general, hacking Drupal and other CMS is essentially no different from finding holes in any other online service. Security flaws either exist or haven't been found yet:
You don't have to look far for a combat exploit to open a Meterpreter session and take full advantage of the vulnerability.
Attack on self-written sites
Hacking self-written sites is much more complicated. There is no specific scanner that would say: here is an old version of the web application, it has a known hole, here is a link to the exploit and a detailed description of how to use it. There is only a very long list of potential vulnerabilities to be tested.
Hacking is a purely creative business. It does not have a rigid framework and a list of required tools, especially if they are open source.
If you are hacking a self-written site, it is better to start with the same WhatWeb, only now we look not at the CMS but at all the discovered services and their versions.
There are many vulnerable versions of the frameworks themselves. For example, outdated versions of Ruby on Rails or Apache Tomcat are often used. Exploits for them are in the public domain.
It is also worth paying attention to the versions of the programming languages themselves. For example, vulnerabilities are constantly found in PHP, and more than one week can pass from the moment they are discovered to an update on the site.
The next step is to use security scanners. Even if they do not give a ready-made verdict, they will give you food for thought. For example, the dirb program helps to enumerate open directories and returns the response codes.
To check for typical vulnerabilities, use universal scanners: nikto, OWASP ZAP, w3af, skipfish. I also advise keeping the Mantra security toolkit in stock.
For everything else, there is Burp Suite. It is usually used for a more sophisticated search for web application vulnerabilities. As an example, consider finding and exploiting SQL injection.
We install Burp Suite (it is already preinstalled in Kali Linux), find Repeater (the request repeater) in it and run it. In a GET or POST request, we look for a value passed to the server (such as id=12) and send it to Repeater:
We add a single quote to check that no special characters are filtered in the passed value, and we see an SQL syntax error message. The appearance of an error indicates that the site is vulnerable to SQL injection. To automate the development of the attack, we use sqlmap:
sqlmap -u http://url/page.php?id=1 --dbs
The -u key points to the target URL, and --dbs tells it to enumerate the DBMS databases.
This SQL injection harvester determines which payload fits and, at your command, pulls all the necessary data out of the site's databases. It will even offer to crack password hashes on the spot if it finds any. This software is especially useful when exploiting so-called blind SQL injections.
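The single-quote check described above works because the request value is pasted straight into the SQL text, and because the resulting database error is echoed back to the client. The code below is an added example, not taken from the article or from any real site: a constructed in-memory SQLite table stands in for the site's database, lookup_vulnerable reproduces the page.php?id= pattern that fails the quote test, and lookup_safe shows the two fixes that make the same probe harmless, type validation plus a bound parameter.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", [(1, "Home"), (12, "Contact")])
    return conn


def lookup_vulnerable(conn, page_id):
    """The pattern behind page.php?id=...: the request value becomes part of the
    SQL text, so a quote in it changes the statement (deliberately vulnerable,
    kept here only to show what the probe detects)."""
    sql = "SELECT title FROM pages WHERE id = " + page_id
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, page_id):
    """Hardened form: validate the type, then bind the value as a parameter so
    the database never parses it as SQL."""
    try:
        pid = int(page_id)
    except ValueError:
        return []   # a real handler answers 400 here, without echoing any DB error text
    return [row[0] for row in conn.execute("SELECT title FROM pages WHERE id = ?", (pid,))]


def probe(conn, lookup, value):
    """Mirror the single-quote test: ('ok', rows) or ('error', message).
    An 'error' result is exactly the leak a scanner such as sqlmap keys on."""
    try:
        return ("ok", lookup(conn, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, "12  ->", probe(db, fn, "12"))
        print(name, "12' ->", probe(db, fn, "12'"))
```

Two defensive points follow from the probe function: bound parameters remove the injection itself, and returning a generic error page instead of the driver's message removes the signal the attacker used to find it in the first place, which also blunts the error-based techniques sqlmap tries before falling back to blind ones.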
That's all for today. Thank you for your attention and we wish you successful hunting!