Attackers compromise a web server in stages. At each stage the attacker collects more information about the server's weaknesses and then uses it to try to gain unauthorized access.
Webserver Attack Methodology
- Information Gathering
- Webserver Footprinting
- Mirroring Website
- Vulnerability Scanning
- Session Hijacking
- Hacking Webserver Passwords
Webserver Attack Methodology: Information Gathering
- Information gathering involves collecting information about the targeted company.
- Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company.
- Attackers use tools such as Whois, Traceroute and Active Whois, and query the Whois databases, to obtain details such as the target's domain name, IP address ranges and autonomous system number.
Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance
Webserver Attack Methodology: Information Gathering from Robots.txt File
- The robots.txt file lists the web server directories and files that the website owner does not want web crawlers to index. It is advisory only: it hides nothing from a human visitor, and every path it names is a hint about what the owner considers sensitive.
- An attacker can simply request /robots.txt from the site root and learn the root directory structure, the content management system in use (for example, /wp-admin/ points to WordPress), admin panels, backup locations, etc. of the target website.
Webserver Attack Methodology: Webserver Footprinting
- Gather valuable system-level data such as account details, operating system, software versions, server names, and database schema details.
- Connect to the web server with Telnet (or netcat) and send a request such as HEAD / HTTP/1.0 to read the Server header and the other response headers, which reveal the server name, server type, operating system, applications running, etc.
- Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting.
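The footprinting and robots.txt steps above, as an added worked example in Python (this is not code from the original course material). It parses the response to a HEAD request for the headers that identify the server software and extracts the Disallow paths from a robots.txt file. The sample response and robots.txt embedded in the script are constructed, not captured from any real host; the head_request() helper performs a live banner grab against a host you name and is the only part that touches the network.

```python
"""
Added example (not from the original course material): parse a raw HTTP
response for server-identifying headers and parse robots.txt for the
paths its owner asked crawlers to avoid.  The sample response and
robots.txt below are constructed, not captured from any real host.
"""
import socket
from typing import Dict, List

# Headers that commonly leak product and version details.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Constructed sample of what a HEAD / request might return.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.29 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.2.24\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# Constructed sample robots.txt.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /wp-admin/
Disallow: /backup/db_2023.sql   # owner's comment: old dump
Allow: /wp-admin/admin-ajax.php
Sitemap: https://example.test/sitemap.xml
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Return the response headers as a dict keyed by lower-cased name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # [1:] skips the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw: str) -> Dict[str, str]:
    """Keep only the headers that identify the server software stack."""
    headers = parse_headers(raw)
    return {h: headers[h] for h in FINGERPRINT_HEADERS if h in headers}


def disallowed_paths(robots: str) -> List[str]:
    """Collect Disallow entries: the paths the owner would rather not have indexed."""
    paths = []
    for line in robots.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path and path not in paths:
                paths.append(path)
    return paths


def head_request(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Live banner grab: send HEAD / to host:port and return the raw response text."""
    req = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    print("fingerprint:", fingerprint(SAMPLE_RESPONSE))
    print("robots.txt Disallow paths:", disallowed_paths(SAMPLE_ROBOTS))
    # For a real target: fingerprint(head_request("www.example.test"))
```

Feed head_request() output into fingerprint() for a live host; the same parse_headers() works on the reply to a GET /robots.txt, whose body then goes to disallowed_paths().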
Enumerating Webserver Information Using Nmap
- Attackers can use advanced Nmap options and Nmap Scripting Engine (NSE) scripts to enumerate information about the target web server (replace <target> with its IP address or hostname):
  $ nmap -sV -O -p- <target>
  (service versions, OS detection, all TCP ports)
  $ nmap -sV --script=http-enum <target>
  $ nmap -p 80 --script=http-frontpage-login <target>
  $ nmap --script http-passwd --script-args http-passwd.root=/ <target>
- Discover virtual domains with hostmap (split into several hostmap-* scripts in current Nmap releases):
  $ nmap --script "hostmap-*" <target>
- Detect a server that still answers the HTTP TRACE method (a cross-site tracing risk):
  $ nmap -p80 --script http-trace <target>
- Harvest email addresses with http-google-email:
  $ nmap --script http-google-email <target>
- Enumerate users with http-userdir-enum (Apache mod_userdir ~user paths):
  $ nmap -p80 --script http-userdir-enum <target>
- Check whether the web server is protected by a WAF/IPS:
  $ nmap -p80 --script http-waf-detect --script-args="http-waf-detect.uri=/testphp.vulnweb.com/artists.php,http-waf-detect.detectBodyChanges" www.modsecurity.org
- Enumerate common web applications and directories:
  $ nmap -p80 --script http-enum <target>
- Obtain robots.txt:
  $ nmap -p80 --script http-robots.txt <target>
Webserver Attack Methodology: Mirroring a Website
- Mirror a website to create a complete local copy and a profile of the site's directory structure, file structure, external links, etc.
- Search the HTML source of the mirrored pages for comments and other items (hidden form fields, script references, internal paths) to make footprinting more efficient.
- Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website.
Webserver Attack Methodology: Vulnerability Scanning
- Run vulnerability scanning to identify weaknesses in the network and determine whether the system can be exploited.
- Use a vulnerability scanner such as HP WebInspect, Acunetix Web Vulnerability Scanner, etc. to find hosts, services, and vulnerabilities.
- Sniff the network traffic to identify active systems, network services, applications, and vulnerabilities present.
- Test the web server infrastructure for misconfigurations, outdated content, and known vulnerabilities.
Webserver Attack Methodology: Session Hijacking
- Sniff valid session IDs to gain unauthorized access to the web server and snoop on the user's data.
- Use session hijacking techniques such as session fixation (make the victim authenticate with a session ID the attacker already knows), session sidejacking (sniff the session cookie from unencrypted traffic), cross-site scripting (steal the cookie with injected script), etc. to capture valid session cookies and IDs.
- Use tools such as Burp Suite, Firesheep, JHijack, etc. to automate session hijacking.
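Session fixation, named above, is the one technique in this list that works without sniffing anything, so it is worth seeing exactly why. The Python below is an added example, not code from the original course material: a minimal in-memory session store in two versions. VulnerableSessions accepts whatever session ID the client presents and keeps it across login; FixedSessions honours only IDs it issued itself and rotates the ID on login. The session IDs, user name and the fixation_attack() driver are all constructed for the demo.

```python
"""
Added example (not from the original course material): session fixation
against a toy session store, and the fix.  All IDs and users are
constructed for the demo.
"""
import secrets
from typing import Dict, Optional


class VulnerableSessions:
    """Keeps the pre-login session ID after authentication (fixation-prone)."""

    def __init__(self) -> None:
        self.store: Dict[str, Dict] = {}

    def visit(self, presented_sid: Optional[str]) -> str:
        # Accepts a client-chosen ID.  An attacker can plant one through a
        # link such as https://target/?sid=<id known to the attacker>,
        # a meta refresh, or an XSS payload that sets the cookie.
        sid = presented_sid or secrets.token_hex(16)
        self.store.setdefault(sid, {"user": None})
        return sid

    def login(self, sid: str, user: str) -> str:
        self.store[sid]["user"] = user     # same ID, now authenticated
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        return self.store.get(sid, {}).get("user")


class FixedSessions(VulnerableSessions):
    """Ignores client-supplied IDs it did not issue and rotates the ID on login."""

    def visit(self, presented_sid: Optional[str]) -> str:
        if presented_sid in self.store:    # only server-issued IDs are honoured
            return presented_sid
        sid = secrets.token_hex(16)
        self.store[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        self.store.pop(sid, None)          # invalidate the pre-auth session
        new_sid = secrets.token_hex(16)    # fresh, unpredictable ID
        self.store[new_sid] = {"user": user}
        return new_sid


def fixation_attack(sessions: VulnerableSessions, attacker_sid: str, victim: str) -> bool:
    """Return True if the attacker ends up holding the victim's authenticated session."""
    sid_for_victim = sessions.visit(attacker_sid)   # victim follows the planted link
    sessions.login(sid_for_victim, victim)          # victim authenticates
    return sessions.whoami(attacker_sid) == victim  # attacker replays the ID they planted


if __name__ == "__main__":
    planted = "deadbeef" * 4                        # constructed attacker-known ID
    print("vulnerable store hijacked:", fixation_attack(VulnerableSessions(), planted, "alice"))
    print("fixed store hijacked:     ", fixation_attack(FixedSessions(), planted, "alice"))
```

Note that rejecting unknown IDs alone is not enough: the attacker can first obtain a legitimate server-issued ID and plant that one instead. The rotation in FixedSessions.login() is what actually closes the hole.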
Webserver Attack Methodology: Hacking Web Passwords
- Use password cracking techniques such as brute force attacks, dictionary attacks, and password guessing to crack web server passwords.
- Use tools such as THC-Hydra, Brutus, etc.
- Basic Auth: the browser sends the credentials in the Authorization header and the web server itself validates them (attacked with Hydra's http-get module).
- Form based: the credentials are submitted through an HTML login form and sent to the application back end for processing (attacked with Hydra's http-post-form module).
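The two login styles above, attacked with a dictionary, as an added Python example (not code from the original course material and not what Hydra does internally). The remote web server is replaced by a local check against a PBKDF2 hash so the script runs offline; the account, its password and the wordlist are constructed for the demo. The client-side part is real: basic_auth_header() builds exactly what a browser sends for Basic Auth, and form_body() builds the POST body a form login submits.

```python
"""
Added example (not from the original course material): an offline
dictionary attack against HTTP Basic Auth and a form-based login.  The
"server" is a local function checking a PBKDF2 hash, standing in for the
remote web server; the user, password and wordlist are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Callable, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# --- stand-in for the target's credential store -------------------------
SALT = os.urandom(16)


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


USERS = {"admin": _pbkdf2("summer2023")}        # constructed account


def server_check(user: str, password: str) -> bool:
    """What the server does with a credential pair (constant-time compare)."""
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _pbkdf2(password))


# --- what the attacker actually sends -----------------------------------
def basic_auth_header(user: str, password: str) -> str:
    """Authorization header for Basic Auth: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def form_body(user: str, password: str,
              user_field: str = "username", pass_field: str = "password") -> str:
    """POST body for a form-based login (what hydra http-post-form would send)."""
    return urlencode({user_field: user, pass_field: password})


# --- what the server does with them -------------------------------------
def decode_basic_auth(header: str) -> Tuple[str, str]:
    """Recover user/password from a Basic Auth header (password may contain ':')."""
    token = header.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def parse_form(body: str) -> Tuple[str, str]:
    """Pull the credential pair out of a POSTed form body."""
    fields = parse_qs(body)
    return fields["username"][0], fields["password"][0]


# --- the attack loop ----------------------------------------------------
def dictionary_attack(user: str, wordlist: Iterable[str],
                      try_login: Callable[[str, str], bool]) -> Optional[str]:
    """Return the first password in wordlist that try_login accepts, else None."""
    for candidate in wordlist:
        candidate = candidate.strip()
        if candidate and try_login(user, candidate):
            return candidate
    return None


# Constructed wordlist, in the shape of a rockyou-style file.
WORDLIST = ["123456", "password", "admin", "summer2023", "letmein"]


def attack_basic_auth(user: str, wordlist: Iterable[str] = WORDLIST) -> Optional[str]:
    # Each guess is encoded as the client would send it and decoded as the
    # server would receive it, so the round trip mirrors a real exchange.
    def try_login(u: str, p: str) -> bool:
        return server_check(*decode_basic_auth(basic_auth_header(u, p)))
    return dictionary_attack(user, wordlist, try_login)


def attack_form_login(user: str, wordlist: Iterable[str] = WORDLIST) -> Optional[str]:
    def try_login(u: str, p: str) -> bool:
        return server_check(*parse_form(form_body(u, p)))
    return dictionary_attack(user, wordlist, try_login)


if __name__ == "__main__":
    print("basic auth cracked:", attack_basic_auth("admin"))
    print("form login cracked:", attack_form_login("admin"))
    print("one guess on the wire:", basic_auth_header("admin", "letmein"))
```

Against a real target the try_login callback would send the header or body over HTTP and decide success from the status code or a failure string in the response, which is what Hydra's F= / S= condition in an http-post-form specification expresses.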