Module 13: Hacking Web Servers

 

Module 13: Hacking Web Servers

https://pastebin.com/7VAr2gW4

https://pastebin.com/rtfJpeQQ


Scenario

Most organizations consider their web presence to be an extension of themselves. Organizations create their web presence on the World Wide Web using websites associated with their business. Most online services are implemented as web applications. Online banking, search engines, email applications, and social networks are just a few examples of such web services. Web content is generated in real-time by a software application running on the server-side. Web servers are a critical component of web infrastructure. A single vulnerability in a web server’s configuration may lead to a security breach on websites. This makes web server security critical to the normal functioning of an organization.

Hackers attack web servers to steal credentials, passwords, and business information. They do this using DoS, DDoS, DNS server hijacking, DNS amplification, directory traversal, Man-in-the-Middle (MITM), sniffing, phishing, website defacement, web server misconfiguration, HTTP response splitting, web cache poisoning, SSH brute force, web server password cracking, and other methods. Attackers can exploit a poorly configured web server with known vulnerabilities to compromise the security of the web application. A leaky server can harm an organization.

In the area of web security, despite strong encryption on the browser-server channel, web users still have no assurance about what happens at the other end. This module presents a security application that augments web servers with trusted co-servers composed of high-assurance secure co-processors, configured with a publicly known guardian program. Web users can then establish their authenticated, encrypted channels with a trusted co-server, which can act as a trusted third party in the browser-server interaction. Systems are constantly being attacked, so IT security professionals need to be aware of the common attacks on web server applications.

A penetration (pen) tester or ethical hacker for an organization must provide security to the company’s web server. This includes performing checks on the web server for vulnerabilities, misconfigurations, unpatched security flaws, and improper authentication with external systems.

Objective

The objective of this lab is to perform web server hacking and other tasks that include, but are not limited to:

  • Footprint a web server using various information-gathering tools and inbuilt commands

  • Enumerate web server information

  • Crack remote passwords

Overview of Web Server

Most people think a web server is just hardware, but a web server also includes software applications. In general, a client initiates the communication process through HTTP requests. When a client wants to access any resource such as web pages, photos, or videos, then the client’s browser generates an HTTP request to the web server. Depending on the request, the web server collects the requested information or content from data storage or the application servers and responds to the client’s request with an appropriate HTTP response. If a web server cannot find the requested information, then it generates an error message.

Lab Tasks

Ethical hackers or pen testers use numerous tools and techniques to hack a target web server. Recommended labs that will assist you in learning various web server hacking techniques include:

  1. Footprint the web server

    • Information gathering using Ghost Eye

    • Perform web server reconnaissance using Skipfish

    • Footprint a web server using the httprecon Tool

    • Footprint a web server using ID Serve

    • Footprint a web server using Netcat and Telnet

    • Enumerate web server information using Nmap Scripting Engine (NSE)

    • Uniscan web server fingerprinting in Parrot Security

  2. Perform a web server attack

    • Crack FTP credentials using a Dictionary Attack

Comments

Post a Comment

Popular posts from this blog

Lab 1: Gain Access to the Target System using Trojans

Image
  Lab 1: Gain Access to the Target System using Trojans Module 07: Malware Threats Lab 1: Gain Access to the Target System using Trojans Task 1: Gain Control over a Victim Machine using the njRAT RAT Trojan Attackers use Remote Access Trojans (RATs) to infect the target machine to gain administrative access. RATs help an attacker to  remotely access the complete GUI and control the victim’s computer without his/her awareness. They can perform screening and  camera capture, code execution, keylogging, file access, password sniffing, registry management, and other tasks. The virus  infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It  can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log  keystrokes, and spy on webcams. njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it is cap...
Read more

Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools

Image
Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Module 20: Cryptography Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Task 1: Perform Cryptanalysis using CrypTool CrypTool is a freeware program that enables you to apply and analyze cryptographic mechanisms, and has the typical look and  feel of a modern Windows application. CrypTool includes a multitude of state-of-the-art cryptographic functions and allows you  to both learn and use cryptography within the same environment. CrypTool is a free, open-source e-learning application used in  the implementation and analysis of cryptographic algorithms. Here, we will use the CrypTool tool to perform cryptanalysis. refer to blog  little long --------------------------------------------------------------------------------------------------------------------------------------- Module 20: Cryptography Lab 5: Perform Cryptanalysis using Various Cryptanalysis Tools Task 2: Perform Cryptanalysis us...
Read more

Lab :3 Audit Organization's Security for Phishing Attacks

Image
  Lab :3 Audit Organization's Security for Phishing Attacks Module 09: Social Engineering Lab :3 Audit Organization's Security for Phishing Attacks Task :1 Audit Organization's Security for Phishing Attacks using OhPhish this just allows you to send your company a phishing email to see how many click  refer to blog for rest of steps Lab Scenario Social engineers exploit human behavior (manners, enthusiasm toward work, laziness, innocence, etc.) to gain access to the information resources of the target company. This information is difficult to be guarded against social engineering attacks, as the victim may not be aware that he or she has been deceived. The attacks performed are similar to those used to extract a company’s valuable data. To guard against social engineering attacks, a company must evaluate the risk of different types of attacks, estimate the possible losses, and spread awareness among its employees. As a professional ethical hacker or pen tester, you must per...
Read more