When practicing ethical hacking, the hacker looks for vulnerabilities. An ethical hacker has several reasons for trying to gain unauthorized control of a web server, although the main reason is to test the server and its software for vulnerabilities.
You can try to gain access to the server using the same tools and methods that malicious attackers rely on. If successful, you can identify the necessary fixes and upgrades that must be made to improve security and to detect and respond to malicious activity.
Intelligence gathering
The first stage of any hacking attempt generally involves gathering information about the target in question. This includes identifying the target system and gathering important details about its IP address, operating system, hardware, network and infrastructure configuration, DNS records and so on.
This is most often done with automated tools that scan the server for known vulnerabilities. Details of the target system's hardware and software are frequently gleaned by scrutinizing the responses that its various software subsystems send when accepting (or sometimes even rejecting) incoming connections.
This information can then be used to narrow down the kinds of software that are known to commonly run on different hardware configurations.
Hackers use tools that can test for various security issues, including misconfiguration of the software present on the target server, the presence of common or unchanged default passwords, outdated software that needs updating or patching, and similar security issues.
- HTTrack: An open-source web crawler which allows users to download entire websites to a local, offline computer for forensic analysis
- Maltego: An open-source link analysis and data mining tool
- Nessus: A vulnerability assessment scanner that checks for conditions such as software misconfiguration or deprecation, insecure or missing passwords and denial-of-service attack vulnerabilities which might allow a malicious attacker to gain access to — or total control over — a system
- Netsparker: Scans the sites, applications and services present on a web server for vulnerabilities, regardless of its operating system
- Nikto: Scans for dangerous files and CGIs, outdated server software and software misconfiguration known to be exploitable by malicious attackers
- ScanMyServer: A free online tool which crawls through every page of a specified website or blog and attempts to identify various security issues
These tools can provide a great deal of information about the targeted server — including data like the names of employees or staff members, email addresses associated with the server, computer names, network structure information and user account information.
Armed with the right kind of knowledge about the target, you can move on to the next phase: attempting to gain access.
Using the gathered data, you can determine viable options for attempting to gain access to data stored on the server or control over the server itself. This can be done in many ways, but generally will involve efforts that rely on proven intrusion techniques.
The Open Web Application Security Project, or OWASP, is an organization that tracks vulnerabilities. OWASP maintains a top ten list of the most common and potentially dangerous weaknesses used by attackers to gain unauthorized access to web servers.
Known vulnerabilities are typically the easiest way to gain unauthorized control of a server, and they are the ones malicious attackers most often rely on because they are the most effective and efficient means of gaining access. Though some hackers use tools or methods that deviate from these common attacks, many will move on and look for a “softer” target if the common attacks fail.
The OWASP top 10
The following vulnerabilities are those most commonly seen in security breaches in the past year.
- Injection: In which an attacker will inject code into a program or query to execute remote commands (as in the case of an SQL injection)
- Broken Authentication: Relies on using stolen, misconfigured or otherwise vulnerable login data to gain access to a system
- Sensitive Data Exposure: Occurs when an application doesn’t adequately protect data such as passwords, session tokens or other sensitive and valuable data
- XML External Entities (also called XXE): A kind of attack which relies on vulnerabilities in how an application parses XML data
- Broken Access Control: Relies on failures in user and role permission configuration to enable unauthorized access
- Security Misconfigurations
- Cross-Site Scripting (XSS): Similar to injection attacks, XSS allows attackers to inject client-side scripts into web applications which can be used to bypass access controls
- Insecure Deserialization: A vulnerability in which misconfigured or unknown data is used to execute code, bypass authentication, cause a Denial of Service attack or otherwise circumvent security measures
- Using server components with known vulnerabilities
- Insufficient logging and monitoring
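As an added illustration of the injection item above (example code written for this page, not taken from OWASP or the original article), the following shows a login lookup built by string concatenation beside its parameterised form, run against a constructed in-memory SQLite table with made-up users:

```python
import sqlite3

# Constructed sample data (not real credentials). Passwords are stored in
# clear text here only to keep the injection point visible; a real system
# stores a salted hash (see the Sensitive Data Exposure item above).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # BAD: untrusted input is spliced into the SQL text, so a quote in the
    # input changes the structure of the query instead of being data.
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return [row[0] for row in conn.execute(query)]


def login_hardened(conn, username, password):
    # GOOD: placeholders fix the query structure; the driver passes the
    # values separately, so they are never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    conn = make_db()
    probe = "' OR '1'='1"   # the classic quote-breaking input
    return {
        # the concatenated query degenerates to "... OR '1'='1'" and
        # returns every user, i.e. authentication is bypassed
        "vulnerable_bypass": login_vulnerable(conn, "anyone", probe),
        # the same input is matched literally against the password column
        "hardened_bypass": login_hardened(conn, "anyone", probe),
        "hardened_valid": login_hardened(conn, "alice", "s3cret"),
    }
```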
Once unauthorized access to a targeted server is secured, efforts then generally focus on maintaining control of the server for further exploitation. At this stage, malicious attackers would typically have gained access to one or more user accounts or roles; if they have managed to access a privileged user account or the operating system “account” for various software packages, this could allow them to either gain administrator privileges or set up a new administrator account on the system.
Backdoors and covered tracks
Typically, initial security breaches are used to prepare a system for subsequent use or exploitation. Though no overt or implicit misuse may occur when a server is first hacked, many hackers will monitor accounts they have created or gained control over to determine if their intrusion has been detected. Hackers may use these accounts to attempt to erase or alter logs and other system messages. However, many hackers adopt a wait-and-see approach, opting to refrain from anything “noisy” that may draw attention to them.
When it comes to vulnerability testing, once a system has been compromised, an ethical hacker should use it as a malicious attacker would. Access to a hacked server should be used by an ethical hacker to monitor user accounts, attempt to manipulate logs and other system data, and generally try to erase or otherwise cover up any evidence of their intrusion.
While the goal of vulnerability testing is to make a server more secure and resistant to attack, this post-hacking activity also serves an important purpose. By reviewing security logs and other ongoing intrusion detection methods, additional improvements can be identified to help detect hackers using an unusual or unknown mechanism or to protect data and restrict access once an attack is successful.
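The log tampering described above is one of the things the post-intrusion review should be able to catch. As an added example (not code from the original article), the following keys each log line to the previous one with an HMAC whose secret lives on a separate log collector, so that erasing, editing or truncating lines on the compromised host is detectable; the log lines and the key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample log lines (not from any real system)
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z sshd: Accepted password for deploy from 10.0.0.5",
    "2024-01-01T10:00:07Z sudo: deploy : COMMAND=/usr/sbin/useradd backup-svc",
    "2024-01-01T10:00:09Z sudo: deploy : COMMAND=/usr/sbin/usermod -aG sudo backup-svc",
    "2024-01-01T10:01:30Z sshd: Accepted publickey for backup-svc from 10.0.0.5",
]
SEED = b"genesis"

def chain_log(lines, key):
    # Each tag is an HMAC over the line plus the previous tag, so editing or
    # removing any line invalidates every tag after it. `key` is held by the
    # log collector, not by the host being monitored.
    prev = hmac.new(key, SEED, hashlib.sha256).digest()
    out = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        out.append((line, tag.hex()))
        prev = tag
    return out

def verify_chain(entries, key, head_hex):
    # Returns -1 if the chain is intact, else the index of the first entry
    # that fails to verify (len(entries) for a silent trailing deletion).
    prev = hmac.new(key, SEED, hashlib.sha256).digest()
    for i, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    # Truncation leaves every remaining tag valid, so also compare the final
    # tag with the head value the collector recorded off-host.
    return -1 if hmac.compare_digest(prev.hex(), head_hex) else len(entries)

def demo(key=b"collector-secret"):
    entries = chain_log(SAMPLE_LOG, key)
    head = entries[-1][1]                       # recorded off-host by collector
    erased = entries[:2] + entries[3:]          # usermod line removed
    edited = list(entries)                      # username rewritten, tag kept
    edited[3] = (entries[3][0].replace("backup-svc", "deploy"), entries[3][1])
    truncated = entries[:3]                     # last line dropped
    return {
        "intact": verify_chain(entries, key, head),
        "erased": verify_chain(erased, key, head),
        "edited": verify_chain(edited, key, head),
        "truncated": verify_chain(truncated, key, head),
    }
```

In practice the tags (or at least the running head) are shipped to the collector as lines are written, which is what turns a tamper-evident chain into a detection signal rather than a post-mortem curiosity.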