Lab 1: Footprint the Web Server

Module 13: Hacking Web Servers

Task 1: Information Gathering using Ghost Eye



Ghost Eye is an information-gathering tool written in Python 3. To run, Ghost Eye only needs a domain or IP. Ghost Eye can work with any Linux distro that supports Python 3.

Ghost Eye gathers information such as Whois lookup, DNS lookup, EtherApe, Nmap port scan, HTTP header grabber, Clickjacking test, Robots.txt scanner, Link grabber, IP location finder, and traceroute.


refer to blog



---------------------------------------------------------------------------------------------------------------------------------------




Task 2: Perform Web Server Reconnaissance using Skipfish



Skipfish is an active web application (deployed on a webserver) security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.



refer to blog



---------------------------------------------------------------------------------------------------------------------------------------





Task 3: Footprint a Web Server using the httprecon Tool


Web applications can publish information, interact with Internet users, and establish an e-commerce or e-government presence. However, if an organization is not rigorous in configuring and operating its public website, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (fraud, theft, vandalism, and terrorism), they are far more dangerous. Organizations can face monetary losses, damage to reputation, and legal action if an intruder successfully violates the confidentiality of their data.

httprecon is a tool for advanced web server fingerprinting. This tool performs banner-grabbing attacks, status code enumeration, and header ordering analysis on its target web server.



D:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers\Web Server Footprinting Tools\httprecon

httprecon.exe

url: www.certifiedhacker.com

port number 80

click analyze

Get existing tab, and observe the server (Apache) and the server-side application (ASP.NET) used to develop the webpages.

GET long request tab, which lists all GET requests. Next, click the Fingerprint Details tab.

The details displayed in the screenshot above include the name of the protocol the website is using and its version.




---------------------------------------------------------------------------------------------------------------------------------------





Task 4: Footprint a Web Server using ID Serve


Pen testers must be familiar with banner grabbing techniques to monitor servers and ensure compliance and appropriate security updates. This technique also helps in locating rogue servers or determining the role of servers within a network. This lab manual helps understand and learn the banner grabbing technique using ID Serve, which allows an attacker to identify the server software running on a remote target system.



short one


refer to blog



---------------------------------------------------------------------------------------------------------------------------------------




Task 5: Footprint a Web Server using Netcat and Telnet


Netcat


Netcat is a networking utility that reads and writes data across network connections, using the TCP/IP protocol. It is a reliable “back-end” tool used directly or driven by other programs and scripts. It is also a network debugging and exploration tool.


Telnet


Telnet is a client-server network protocol. It is widely used on the Internet or LANs. It provides the login session for a user on the Internet. Telnet emulates a single terminal attached to another computer. The primary security problems with Telnet are the following:

  • It does not encrypt any data sent through the connection.

  • It lacks an authentication scheme.




refer to blog short one




---------------------------------------------------------------------------------------------------------------------------------------




Task 6: Enumerate Web Server Information using Nmap Scripting Engine (NSE)


The web applications that are available on the Internet may have vulnerabilities. Some hackers’ attack strategies may need the Administrator role on your server, but sometimes they simply need sensitive information about the server. Running Nmap with the http-enum.nse script returns a map of the applications, directories, and files it uncovers. This way, it is possible to check for vulnerabilities or abuses in databases. Through this technique, it is possible to discover genuine (and very careless) security flaws on a site, such as WordPress or PrestaShop installations that leave accessible folders which ought to have been deleted once setup was complete. Once you have identified a vulnerability, you can discover a fix for it.

Nmap, along with the Nmap Scripting Engine, can extract a lot of valuable information from the target web server. In addition to the basic Nmap commands, the Nmap Scripting Engine (NSE) provides scripts that reveal various useful details about the target web server to an attacker.



In Parrot:

nmap -sV --script=http-enum [target website]

In this scan, we are enumerating the www.goodshopping.com website.

nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- www.goodshopping.com

nmap --script http-trace -d www.goodshopping.com

This script detects whether the server has the TRACE method enabled by sending an HTTP TRACE request and examining the response.

nmap -p80 --script http-waf-detect www.goodshopping.com

This command scans the host and attempts to determine whether the web server is being monitored by an IPS, IDS, or WAF.




refer to blog short one




---------------------------------------------------------------------------------------------------------------------------------------






Task 7: Uniscan Web Server Fingerprinting in Parrot Security


Uniscan is a versatile server fingerprinting tool that not only performs simple commands like ping, traceroute, and nslookup, but also does static, dynamic, and stress checks on a web server. Apart from scanning websites, uniscan also performs automated Bing and Google searches on provided IPs. Uniscan takes all of this data and combines it into a comprehensive report file for the user.

Gather information about the target web server using Uniscan.




refer to blog short one




---------------------------------------------------------------------------------------------------------------------------------------









Lab Scenario

The first step of hacking web servers for a professional ethical hacker or pen tester is to collect as much information as possible about the target web server and analyze the collected information in order to find lapses in its current security mechanisms. The main purpose is to learn about the web server’s remote access capabilities, its ports and services, and other aspects of its security.

The information obtained in this step helps in assessing the security posture of the web server. Footprinting may involve searching the Internet, newsgroups, bulletin boards, etc. for gathering information about the target organization’s web server. There are also tools such as Whois.net and Whois Lookup that extract information such as the target’s domain name, IP address, and autonomous system number.

Web server fingerprinting is an essential task for any penetration tester. Before proceeding to hack or exploit a webserver, the penetration tester must know the type and version of the webserver as most of the attacks and exploits are specific to the type and version of the server being used by the target. These methods help any penetration tester to gain information and analyze their target so that they can perform a thorough test and can deploy appropriate methods to mitigate such attacks on the server.

An ethical hacker or penetration tester must perform footprinting to detect the loopholes in the web server of the target organization. This will help in predicting the effectiveness of additional security measures for strengthening and protecting the web server of the target organization.

The labs in this exercise demonstrate how to footprint a web server using various footprinting tools and techniques.

Lab Objectives

  • Information gathering using Ghost Eye
  • Perform web server reconnaissance using Skipfish
  • Footprint a web server using the httprecon Tool
  • Footprint a web server using ID Serve
  • Footprint a web server using Netcat and Telnet
  • Enumerate web server information using Nmap Scripting Engine (NSE)
  • Uniscan web server fingerprinting in Parrot Security

Overview of Web Server Footprinting

By performing web server footprinting, it is possible to gather valuable system-level data such as account details, OS, software versions, server names, and database schema details. The Telnet utility can be used to footprint a web server and gather information such as server name, server type, OSes, and applications running. Web server footprinting tools such as Netcraft, ID Serve, and httprecon can extract the same kinds of information from the target server. Let us look at the features and the types of information these tools can collect from the target server.

Task 1: Information Gathering using Ghost Eye

Ghost Eye is an information-gathering tool written in Python 3. To run, Ghost Eye only needs a domain or IP. Ghost Eye can work with any Linux distro that supports Python 3.

Ghost Eye gathers information such as Whois lookup, DNS lookup, EtherApe, Nmap port scan, HTTP header grabber, Clickjacking test, Robots.txt scanner, Link grabber, IP location finder, and traceroute.

  1. Click Parrot Security to switch to the Parrot Security machine.

    Screenshot

  2. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.

    Screenshot

  3. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.

    If a Question pop-up window appears asking for you to update the machine, click No to close the window.

    Screenshot

  4. Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

  5. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

  6. Now, type cd and press Enter to jump to the root directory.

    Screenshot

  7. Now, navigate to the Ghost Eye directory. Type cd ghost_eye and press Enter.

  8. In the terminal window, type pip3 install -r requirements.txt and press Enter.

    Screenshot

  9. To launch Ghost Eye, type python3 ghost_eye.py and press Enter.

    Screenshot

  10. The Ghost Eye - Information Gathering Tool options appear, as shown in the screenshot.

  11. Let us perform a Whois Lookup. Type 1 for the Enter your choice: option and press Enter.

  12. Type certifiedhacker.com in the Enter Domain or IP Address: field and press Enter

    Screenshot

  13. Scroll up to see the certifiedhacker.com result. In the result, observe the complete information of the certifiedhacker.com domain such as Domain Name, Registry Domain ID, Registrar WHOIS Server, Registrar URL, and Updated Date.

    Screenshot

  14. Let us perform a DNS Lookup on certifiedhacker.com. In the Enter your choice field, type 2 and press Enter to perform DNS Lookup.

  15. The Enter Domain or IP Address field appears; type certifiedhacker.com, and press Enter.

    Screenshot

  16. As soon as you hit Enter, Ghost Eye starts performing a DNS Lookup on the targeted domain (here, certifiedhacker.com).

  17. Scroll up to view the DNS Lookup result.

    Screenshot

  18. Now, perform the Clickjacking Test. Type 6 in the Enter your choice field and press Enter.

  19. In the Enter the Domain to test field, type certifiedhacker.com and press Enter.

    Screenshot

  20. By performing this test, Ghost Eye will provide the complete architecture of the web server, and also reveal whether the domain is vulnerable to Clickjacking attacks or not.

    Screenshot

  21. Similarly, you can use the other tools available with Ghost Eye such as Nmap port scan, HTTP header grabber, link grabber, and Robots.txt scanner to gather information about the target web server.

  22. This concludes the demonstration of how to gather information about a target web server using Ghost Eye.

  23. Close all open windows on the Parrot Security machine.


Task 2: Perform Web Server Reconnaissance using Skipfish

Skipfish is an active web application (deployed on a webserver) security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

  1. Click Windows Server 2016 to switch to the Windows Server 2016 machine.

    Screenshot

  2. Click Ctrl+Alt+Delete to activate the machine. By default, the CEH\Administration user profile is selected; click Pa$$w0rd to paste the password in the Password field and press Enter to log in.

    Alternatively, you can also click Pa$$w0rd under Windows Server 2016 machine thumbnail in the Resources pane or Click Type Text | Type Password button under Commands (thunder icon) menu.

    Screenshot

  3. Double-click the WAMP Server shortcut icon on the Desktop to start the WAMP Server services. Alternatively, you can also launch the WAMP Server services from the Start menu apps.

    Screenshot

  4. Wait until the WAMP Server icon turns Green in the Notification area. Leave the Windows Server 2016 machine running.

    Screenshot

  5. Click Parrot Security to switch to the Parrot Security machine.

  6. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.

    Screenshot

  7. Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

  8. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

  9. Now, type cd and press Enter to jump to the root directory.

    Screenshot

  10. Now, perform security reconnaissance on a web server using Skipfish. The target is the WordPress website http://[IP Address of Windows Server 2016].

  11. Specify the output directory and load a dictionary file based on the web server’s requirement. In this lab, we are naming the output directory test.

  12. In the terminal window, type skipfish -o /root/test -S /usr/share/skipfish/dictionaries/complete.wl http://[IP Address of Windows Server 2016]:8080 and press Enter.

    Screenshot

  13. On receiving this command, Skipfish performs a heavy brute-force attack on the web server by using the complete.wl dictionary file, creates a directory named test in the root location, and stores the result in index.html inside this location.

  14. Before beginning a scan, Skipfish displays some tips. Press Enter to start the security reconnaissance.

    Screenshot

  15. Skipfish scans the web server, as shown in the screenshot.

    Screenshot

  16. Note that Skipfish takes some time (approximately 20 minutes) to complete its scan.

    You can press Ctrl+C to terminate the scan if it is taking longer.

    Screenshot

  17. On completion of the scan, Skipfish generates a report and stores it in the test directory (in the root location). Click Place from the top-section of the Desktop and click Home Folder from the drop-down options.

    Screenshot

  18. Click File System from the left-pane and click root from the right-pane.

    Screenshot

  19. The root window appears, double-click test folder.

    Screenshot

  20. Right-click index.html, hover your mouse cursor on Open With, and click Firefox to view the scan result.

    Screenshot

  21. The Skipfish crawl result appears in the web browser, displaying a summary overview of document and issue types found, as shown in the screenshot.

    Screenshot

  22. Expand each node to view detailed information regarding the result.

  23. Analyze an issue found in the web server. To do this, click a node under the Issue type overview section to expand it.

  24. Analyze the SQL query or similar syntax in parameters issue.

    Screenshot

  25. Observe the URL of the webpage associated with the vulnerability. Click the URL.

    Screenshot

  26. The webpage appears, as shown in the screenshot.

    Screenshot

  27. The PHP version webpage appears, displaying details related to the machine, as well as the other resources associated with the web server infrastructure and PHP configuration.

  28. Click show trace next to the URL to examine the vulnerability in detail.

    Screenshot

  29. An HTTP trace window appears on the webpage, displaying the complete HTML session, as shown in the screenshot.

    If the window does not properly appear, hold down the Ctrl key and click the link.

    Screenshot

  30. Examine other vulnerabilities and patch them to secure the web server.

  31. This concludes the demonstration of how to gather information about a target web server using Skipfish.

  32. Close all open windows on both the Parrot Security and Windows Server 2016 machines.


Task 3: Footprint a Web Server using the httprecon Tool

Web applications can publish information, interact with Internet users, and establish an e-commerce or e-government presence. However, if an organization is not rigorous in configuring and operating its public website, it may be vulnerable to a variety of security threats. Although the threats in cyberspace remain largely the same as in the physical world (fraud, theft, vandalism, and terrorism), they are far more dangerous. Organizations can face monetary losses, damage to reputation, and legal action if an intruder successfully violates the confidentiality of their data.

httprecon is a tool for advanced web server fingerprinting. This tool performs banner-grabbing attacks, status code enumeration, and header ordering analysis on its target web server.

Here, we will use the httprecon tool to gather information about a target web server.

  1. Click Windows 10 to switch to the Windows 10 machine, then click Ctrl+Alt+Delete.

    Alternatively, you can also click Ctrl+Alt+Delete button under Windows 10 machine thumbnail in the Resources pane or Click Ctrl+Alt+Delete button under Commands (thunder icon) menu.

  2. By default, Admin user profile is selected, click Pa$$w0rd to paste the password in the Password field and press Enter to login.

    Alternatively, you can also click Pa$$w0rd under Windows 10 machine thumbnail in the Resources pane or Click Type Text | Type Password button under Commands (thunder icon) menu.

    Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.

    Screenshot

  3. Navigate to D:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers\Web Server Footprinting Tools\httprecon, right-click httprecon.exe, and, from the context menu, click Run as administrator to launch the application.

    If a User Account Control pop-up appears, click Yes.

  4. Main window of httprecon appears, enter the website URL (here, www.certifiedhacker.com) that you want to footprint and select port number (80) in the Target section.

    Screenshot

  5. Click Analyze to start analyzing the designated website.

  6. The footprint of the website appears, as shown in the screenshot.

    Screenshot

  7. Look at the Get existing tab, and observe the server (Apache) and the server-side application (ASP.NET) used to develop the webpages.

  8. When attackers obtain this information, they research the vulnerabilities present in ASP.NET and Apache and try to exploit them, which results in either full or partial control over the web application.

  9. Click the GET long request tab, which lists all GET requests. Next, click the Fingerprint Details tab.

    Screenshot

  10. The details displayed in the screenshot above include the name of the protocol the website is using and its version.

  11. By obtaining this information, attackers can manipulate HTTP vulnerabilities in order to perform malicious activities such as sniffing over the HTTP channel, which might result in revealing sensitive data such as user credentials.

  12. This concludes the demonstration of how to gather information about the target web server using httprecon.

  13. Close all open windows on the Windows 10 machine.


Task 4: Footprint a Web Server using ID Serve

Pen testers must be familiar with banner grabbing techniques to monitor servers and ensure compliance and appropriate security updates. This technique also helps in locating rogue servers or determining the role of servers within a network. This lab manual helps understand and learn the banner grabbing technique using ID Serve, which allows an attacker to identify the server software running on a remote target system.

ID Serve is a simple Internet server identification utility. Following is a list of its capabilities:

  • HTTP server identification

  • Non-HTTP server identification

  • Reverse DNS lookup

  1. Click Windows 10 to switch to the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 13 Hacking Web Servers\Web Server Footprinting Tools\ID Serve and double-click idserve.exe.

  2. The main window of ID Serve appears. Click the Server Query tab.

    Screenshot

  3. For option 1, in the Enter or copy/paste an Internet server URL or IP address section, enter the URL (http://www.certifiedhacker.com) you want to footprint.

  4. Click Query the Server to start querying the website.

  5. After the completion of the query, ID Serve displays the results of the entered website, as shown in the screenshot.

    Screenshot

  6. After obtaining this information, the attacker may perform a vulnerability analysis on that particular version of the web server and implement various techniques to perform exploitation.

  7. Click Exit to close the application. Close all open windows.


Task 5: Footprint a Web Server using Netcat and Telnet

Netcat

Netcat is a networking utility that reads and writes data across network connections, using the TCP/IP protocol. It is a reliable “back-end” tool used directly or driven by other programs and scripts. It is also a network debugging and exploration tool.

Telnet

Telnet is a client-server network protocol. It is widely used on the Internet or LANs. It provides the login session for a user on the Internet. Telnet emulates a single terminal attached to another computer. The primary security problems with Telnet are the following:

  • It does not encrypt any data sent through the connection.

  • It lacks an authentication scheme.

Telnet helps users perform banner-grabbing attacks. It probes HTTP servers to determine the Server field in the HTTP response header.

  1. Click Parrot Security to switch to the Parrot Security machine.

  2. Click the MATE Terminal icon from the menu bar to launch the terminal.

    Screenshot

  3. Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

  4. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

  5. Now, type cd and press Enter to jump to the root directory.

    Screenshot

  6. In the terminal window, type nc -vv www.moviescope.com 80 and press Enter.

    Screenshot

  7. Once you hit Enter, the netcat will display the hosting information of the provided domain, as shown in the screenshot.

  8. Now, type GET / HTTP/1.0 and press Enter twice.

  9. Netcat will perform the banner grabbing and gather information such as content type, last modified date, accept ranges, ETag, and server information.

    Screenshot

  10. In the terminal windows, type clear and press Enter to clear the netcat result in the terminal window.

    Screenshot

  11. Now, perform banner grabbing using telnet. In the terminal window, type telnet www.moviescope.com 80 and press Enter.

    Screenshot

  12. Telnet will connect to the domain, as shown in the screenshot.

  13. Now, type GET / HTTP/1.0 and press Enter twice. Telnet will perform the banner grabbing and gather information such as content type, last modified date, accept ranges, ETag, and server information.

    Screenshot

  14. This concludes the demonstration of how to gather information about the target web server using the Netcat and Telnet utilities.

  15. Close the terminal window on the Parrot Security machine.


Task 6: Enumerate Web Server Information using Nmap Scripting Engine (NSE)

The web applications that are available on the Internet may have vulnerabilities. Some hackers’ attack strategies may need the Administrator role on your server, but sometimes they simply need sensitive information about the server. Running Nmap with the http-enum.nse script returns a map of the applications, directories, and files it uncovers. This way, it is possible to check for vulnerabilities or abuses in databases. Through this technique, it is possible to discover genuine (and very careless) security flaws on a site, such as WordPress or PrestaShop installations that leave accessible folders which ought to have been deleted once setup was complete. Once you have identified a vulnerability, you can discover a fix for it.

Nmap, along with the Nmap Scripting Engine, can extract a lot of valuable information from the target web server. In addition to the basic Nmap commands, the Nmap Scripting Engine (NSE) provides scripts that reveal various useful details about the target web server to an attacker.

  1. On to the Parrot Security machine, click the MATE Terminal icon from the menu bar to launch the terminal.

    Screenshot

  2. Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

  3. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

  4. Now, type cd and press Enter to jump to the root directory.

    Screenshot

  5. Enumerate the directories used by web servers and web applications. In the terminal window, type nmap -sV --script=http-enum [target website] and press Enter.

  6. In this scan, we are enumerating the www.goodshopping.com website.

    Screenshot

  7. This script enumerates and provides you with the output details, as shown in the screenshot.

    Screenshot

  8. The next step is to discover the hostnames that resolve the targeted domain.

  9. In the terminal window, type nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- www.goodshopping.com and press Enter.

    Screenshot

  10. Perform an HTTP trace on the targeted domain. In the terminal window, type nmap --script http-trace -d www.goodshopping.com and press Enter.

  11. This script detects whether the server has the TRACE method enabled by sending an HTTP TRACE request and examining the response.

    Screenshot

    Screenshot

    Screenshot

  12. Now, check whether Web Application Firewall is configured on the target host or domain. In the terminal window, type nmap -p80 --script http-waf-detect www.goodshopping.com and press Enter.

  13. This command will scan the host and attempt to determine whether a web server is being monitored by an IPS, IDS, or WAF.

  14. This command will probe the target host with malicious payloads and detect the changes in the response code.

    Screenshot

  15. This concludes the demonstration of how to enumerate web server information using the Nmap Scripting Engine (NSE).

  16. Close the terminal windows on the Parrot Security machine.
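The banner grab of Task 5 and the TRACE check of Task 6, as an added Python example (written for this page; it is not part of the lab or of netcat, telnet or Nmap): it parses a raw `GET / HTTP/1.0` reply into the fields Task 5 reads off the netcat output, flags the product/version disclosure that the httprecon and ID Serve tasks display and the missing framing headers the Ghost Eye clickjacking test looks for, and interprets a TRACE reply the way http-trace does. The sample responses, header values and host names are constructed; `grab_banner` is the only function that touches the network and the offline samples never call it.

```python
import socket
from dataclasses import dataclass

# Headers that reveal the stack: the server and server-side application httprecon and
# ID Serve display (Apache and ASP.NET in Task 3).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# The banner fields Task 5 reads off the netcat/telnet output.
BANNER_FIELDS = ("server", "content-type", "last-modified", "accept-ranges", "etag")


@dataclass
class HttpResponse:
    version: str
    status: int
    reason: str
    headers: dict[str, str]  # names lower-cased; repeated headers joined with ", "
    body: bytes


def parse_http_response(raw: bytes) -> HttpResponse:
    """Split the raw bytes a banner grab returns into status line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {lines[:1]!r}")
    version, _, rest = lines[0].partition(" ")
    code, _, reason = rest.partition(" ")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            continue  # skip a malformed header line rather than abort the whole parse
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return HttpResponse(version, int(code), reason, headers, body)


def banner_summary(resp: HttpResponse) -> dict[str, str]:
    """The fields Task 5 lists (content type, last modified, accept ranges, ETag, server)."""
    return {name: resp.headers[name] for name in BANNER_FIELDS if name in resp.headers}


def audit_headers(resp: HttpResponse) -> dict:
    """Defender-side review: what the banner discloses and whether framing is restricted."""
    disclosed = {n: resp.headers[n] for n in DISCLOSURE_HEADERS if n in resp.headers}
    # A product/version string is what gets looked up against known vulnerabilities.
    versioned = {n: v for n, v in disclosed.items() if "/" in v}
    csp = resp.headers.get("content-security-policy", "").lower()
    framing_restricted = "x-frame-options" in resp.headers or "frame-ancestors" in csp
    return {"disclosed": disclosed, "versioned": versioned,
            "clickjacking_protected": framing_restricted}


def trace_enabled(resp: HttpResponse) -> bool:
    """Interpret a TRACE reply as http-trace does: a 200 that echoes the request back
    as message/http means TRACE is enabled; a 405 or 501 means it is refused."""
    ctype = resp.headers.get("content-type", "").lower()
    return resp.status == 200 and ctype.startswith("message/http")


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> HttpResponse:
    """Live equivalent of `nc -vv host 80` followed by `GET / HTTP/1.0` and a blank line.
    Not exercised by the constructed samples below, which run offline."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return parse_http_response(b"".join(chunks))


# Constructed sample replies (not captured from any real host); version strings are made up.
LEAKY_BANNER = (
    b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.6 (CentOS)\r\nX-Powered-By: ASP.NET\r\n"
    b"Last-Modified: Fri, 22 Dec 2023 10:00:00 GMT\r\n"
    b'ETag: "2c-5f1a"\r\nAccept-Ranges: bytes\r\n'
    b"Content-Length: 19\r\nContent-Type: text/html\r\n\r\n"
    b"<html>stub</html>\r\n"
)
HARDENED_BANNER = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n"
    b"Content-Security-Policy: frame-ancestors 'self'\r\nContent-Length: 0\r\n\r\n"
)
TRACE_ECHO = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
              b"TRACE / HTTP/1.0\r\nHost: example.test\r\n\r\n")
TRACE_REFUSED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_BANNER), ("hardened", HARDENED_BANNER)):
        resp = parse_http_response(raw)
        print(label, banner_summary(resp), audit_headers(resp))
    print("TRACE echoed:", trace_enabled(parse_http_response(TRACE_ECHO)))
    print("TRACE refused:", trace_enabled(parse_http_response(TRACE_REFUSED)))
```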


Task 7: Uniscan Web Server Fingerprinting in Parrot Security

Uniscan is a versatile server fingerprinting tool that not only performs simple commands like ping, traceroute, and nslookup, but also does static, dynamic, and stress checks on a web server. Apart from scanning websites, uniscan also performs automated Bing and Google searches on provided IPs. Uniscan takes all of this data and combines them into a comprehensive report file for the user.

  1. Click Windows Server 2016 to switch to the Windows Server 2016 machine.

    Screenshot

  2. Click Ctrl+Alt+Delete to activate the machine. By default, the CEH\Administration user profile is selected; click Pa$$w0rd to paste the password in the Password field and press Enter to log in.

    Alternatively, you can also click Pa$$w0rd under Windows Server 2016 machine thumbnail in the Resources pane or Click Type Text | Type Password button under Commands (thunder icon) menu.

    Screenshot

  3. Double-click the WAMP Server shortcut icon on the Desktop to start the WAMP Server services. Alternatively, you can also launch the WAMP Server services from the Start menu apps.

    Screenshot

  4. Wait until the WAMP Server icon turns Green in the Notification area. Leave the Windows Server 2016 machine running.

    Screenshot

  5. Leave the Windows Server 2016 machine running and switch to the Parrot Security machine.

  6. Now, click Parrot Security to switch to the Parrot Security machine and click the MATE Terminal icon from the menu bar to launch the terminal.

  7. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

  8. Now, type cd and press Enter to jump to the root directory.

    Screenshot

  9. In the terminal window, type uniscan -h and hit Enter to display the uniscan help options.

  10. The help menu appears, as shown in the screenshot. First, use the -q option to search for the directories of the web server.

    Screenshot

  11. In the terminal window, type uniscan -u http://10.10.10.16:8080/CEH -q and hit Enter to start scanning for directories.

  12. Here, 10.10.10.16 is the IP address of the Windows Server 2016 machine. This may vary in your lab environment.

  13. In the above command, the -u switch is used to provide the target URL, and the -q switch is used to scan the directories in the web server.

    Screenshot

  14. Uniscan starts performing different tests on the webserver and discovering web directories, as shown in the screenshot.

    Scroll to analyze the complete output of the scan. It should take approximately 10 minutes for the scan to finish.

    Screenshot

  15. Now, run uniscan using two options together. Here -w and -e are used together to enable the file check (robots.txt and sitemap.xml file). In the terminal window, type uniscan -u http://10.10.10.16:8080/CEH -we and hit Enter to start the scan.

    Screenshot

  16. Uniscan starts the file check and displays the results, as shown in the screenshot.

    Scroll to analyze the complete scan result. It should take approximately 10 minutes for the scan to finish.

    Screenshot

  17. Now, use the dynamic testing option by giving the command -d. Type uniscan -u http://10.10.10.16:8080/CEH -d and hit Enter to start a dynamic scan on the web server.

    Screenshot

  18. Uniscan starts performing dynamic tests, obtaining more information about email-IDs, Source code disclosures, and external hosts.

    Scroll to analyze the complete output of the scan. It should take approximately 10 minutes for the scan to finish.

    Screenshot

  19. Uniscan displays the PHP info, as shown in the screenshot below. Close the terminal window.

    Screenshot

    Screenshot

  20. Click Place from the top-section of the Desktop and click Home Folder from the drop-down options.

    Screenshot

  21. Click File System from the left-pane and click usr --> share --> uniscan --> report.

    Screenshot

  22. Right-click on 10.10.10.16.html. Hover your mouse cursor on Open With and click Firefox from the menu to view the scan report.

    Screenshot

  23. The report opens in the browser, giving you all scan details in a more comprehensive manner.

    Screenshot

  24. This concludes the demonstration of how to gather information about the target web server using Uniscan.

  25. Close all terminal windows on the Parrot Security machine.
