[ Certified Ethical Hacker v10 ] :: [ Chapter 6 ] :: Web Servers and Applications

Hacking Web Servers and Applications

Tools to Know for Reconnaissance, Scanning and Attacking Web Servers and Applications

Discovering Server Details

Netcraft
whatweb <target ip> -v # for a single target
whatweb -v 192.168.0.1/24 # for a subnet
ua-tester -u www.schoolforhackers.com -d M D
uniscan-gui # opens a GUI

Tampering with Server Requests

Tamper Data / Tamper Data for Firefox Quantum – a lightweight proxy add-on for Firefox that lets you capture and modify HTTP and HTTPS requests before they leave the browser.

Web Penetration Testing with Tamper Data (Firefox Add-on)

Web Exploit and Vulnerability Tool Kits

Nikto

Wikto: a website vulnerability tool:
http://sectools.org/tool/wikto/

Burp Suite

Burp is a must-have tool, both for the CEH test and for real-life security auditing. Know this tool as deeply as you can before testing.

“Getting Started with Burp Proxy”:
https://support.portswigger.net/customer/en/portal/articles/1783118-Proxy_Getting%20Started.html

“Brute Force a Website Login Page with Burp Suite”:
https://www.youtube.com/watch?v=25cazx5D_vw

“Brute force attack (form, ssh, ftp) using burp suite and hydra”:
https://www.youtube.com/watch?v=y3Oh54BUN0U

“Brute Force Router Password using BurpSuite”:
https://www.youtube.com/watch?v=gSVM65_pLfA

ZAP: The Zed Attack Proxy

OWASP maintains its own testing proxy, ZAP (the Zed Attack Proxy, also called ZAProxy), which makes auditing for the OWASP Top 10 vulnerabilities a much clearer process.

Get it and learn about it: https://www.zaproxy.org/

Really Ancient Tools Mentioned in the CEH Exam

Hunt: 20+ years old.
“Hunt is a program for intruding into a connection, watching it and resetting it. Hunt operates on Ethernet and is best used for connections which can be watched through it. However, it is possible to do something even for hosts on other segments or hosts that are on switched ports. Hunt doesn’t distinguish between local network connections and connections going to/from the Internet. It can handle all connections it sees.”
https://packetstormsecurity.com/sniffers/hunt/

Brutus

THC-Hydra

OWASP Guide

Nessus / OpenVAS

WinSSLMiM

POODLE (obsolete)

Vulnerabilities to Exploit

Hidden fields

Buffer overflow

DoS

Banner grabbing:

telnet schoolforhackers.com 80

XSS

Cross-site scripting exploits web forms (and any other input that gets reflected into a page) that don’t properly sanitize or encode the data a user submits. Root-me.org hosts a good description of the “rules”:

http://repository.root-me.org/Exploitation%20-%20Web/EN%20-%20Blackhat%20US%202011%20:%20XSS%20street%20fight.pdf

From the excellent JackkTutorials, see this video:
“Basic XSS Guide #1 – Alert() – Redirection – Cookie Stealing”

https://www.youtube.com/watch?v=486KmQOcwWg
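
An added example (not code from these notes, JackkTutorials or any tool above) of the point the paragraph makes: the same page rendered once by concatenating user input straight into HTML and once with the input encoded for its output context. The function names, the `<p>Hello, …</p>` template and the probe string are all constructed for this illustration. Node.js, standard library only.

```javascript
// Added example, not code from the CEH notes or from any tool they mention.
// Shows why reflected input must be encoded for the context it lands in.
// Node.js, standard library only.

// Encode the five characters that can break out of HTML element content or a
// double-quoted attribute value.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: a query parameter is concatenated straight into the page, so
// the browser parses whatever markup it happens to contain.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same template, with the untrusted value encoded for the
// context it is placed in (HTML element content).
function renderGreetingHardened(name) {
  return `<p>Hello, ${htmlEncode(name)}!</p>`;
}

// A check a unit test or code reviewer can run over rendered output: does the
// page contain any tag that the template itself did not contain?
function containsUnexpectedTag(html, allowedTags = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((tag) => !allowedTags.includes(tag));
}

// Constructed probe (hypothetical input): harmless text that is only a problem
// if the renderer lets it through as markup. A vulnerable page shows the word
// in bold; a hardened page shows the angle brackets literally.
const PROBE = '<b>injected</b>';
```

Call `containsUnexpectedTag(renderGreetingVulnerable(PROBE))` and the hardened variant side by side: the first returns true, the second false. Note that `htmlEncode` is only correct for element content and quoted attribute values; input placed inside a `<script>` block, a URL or a CSS value needs the encoder for that context, and a Content-Security-Policy header is worth adding as defence in depth because it limits what any encoding slip can do.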

Insecure Deserialization

This kind of attack takes advantage of serialization, the way an application turns an object into a string of characters so it can be passed in a web request, cookie or session and rebuilt on the other side. If the application deserializes data the client controls without checking it, the client decides what object gets built. It’s one of the OWASP Top 10 vulns, and you should have at least a basic idea of what it is.
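
An added example (not from these notes or any project they mention) of the idea in the paragraph: a constructed "type-tagged JSON" format of the kind a session cookie or hidden field might carry, deserialized once by trusting the type tag in the data and once by insisting on the type the application expects and validating every field. The classes `UserProfile` and `AdminSession`, the `__type` tag and the sample payloads are all hypothetical. Node.js, standard library only.

```javascript
// Added example, not code from the CEH notes. Two deserializers for a
// constructed format: {"__type":"UserProfile","name":"alice","role":"user"}.

// Hypothetical application types. AdminSession is built internally and is
// never expected to arrive from a client.
class UserProfile {
  constructor({ name, role }) { this.name = name; this.role = role; }
}
class AdminSession {
  constructor({ name }) { this.name = name; this.role = 'admin'; }
}

const typeRegistry = { UserProfile, AdminSession };

// Insecure: whatever type name the payload carries is looked up and
// instantiated, so the sender (not the application) chooses the class.
function deserializeInsecure(json) {
  const data = JSON.parse(json);
  const Ctor = typeRegistry[data.__type];
  if (!Ctor) throw new Error('unknown type');
  return new Ctor(data);
}

// Per-type field validators for the only types that may come from clients.
const schemas = {
  UserProfile: {
    name: (v) => typeof v === 'string' && /^[a-z0-9_]{1,32}$/.test(v),
    role: (v) => v === 'user' || v === 'guest', // privileged roles are assigned server-side
  },
};

// Hardened: the caller names the one type it expects, the payload's tag must
// match, and each field is validated and copied before the object is built.
function deserializeHardened(json, expectedType) {
  const data = JSON.parse(json);
  if (data.__type !== expectedType) throw new Error('type mismatch');
  const schema = schemas[expectedType];
  if (!schema) throw new Error('type not deserializable from untrusted input');
  const clean = {};
  for (const [field, isValid] of Object.entries(schema)) {
    if (!isValid(data[field])) throw new Error(`invalid field: ${field}`);
    clean[field] = data[field];
  }
  return new typeRegistry[expectedType](clean);
}

// Constructed sample payloads (hypothetical, for illustration only).
const SAMPLE_BENIGN = JSON.stringify({ __type: 'UserProfile', name: 'alice', role: 'user' });
const SAMPLE_RETAGGED = JSON.stringify({ __type: 'AdminSession', name: 'alice' });
const SAMPLE_ELEVATED = JSON.stringify({ __type: 'UserProfile', name: 'alice', role: 'admin' });
```

Run `deserializeInsecure(SAMPLE_RETAGGED)` and you get an `AdminSession` with `role === 'admin'` purely because the payload said so; `deserializeHardened(SAMPLE_RETAGGED, 'UserProfile')` and `deserializeHardened(SAMPLE_ELEVATED, 'UserProfile')` both throw. The same principle applies to the binary serializers in Java, PHP and Python that the OWASP entry is mostly about: prefer plain data formats, never let untrusted input pick the type, and validate after parsing.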

Attack Targets

Input validation

Unvalidated redirects and forwards

Insecure login systems (see Brutus)

Scripting errors

Session management

CAPTCHA

AntiCaptcha plugin (Chrome, Firefox)

CAPTCHA Be Gone (?)

Rumola (Firefox, Chrome, Safari)

Directory traversal