Thursday, 17 June 2021

Website Penetration


What is a Website

In this section, we are going to understand what a website is. A website is nothing but an application installed on a device or computer. A website depends on two main applications: a web server (for example, Apache) and a database (for example, MySQL).

  1. The web server understands and executes the web application. A web application can be written in Java, Python, PHP, or any other programming language; the only restriction is that the web server needs to be able to understand and execute it.
  2. The database contains the data used by the web application. All of this is stored on a computer called the server. The server is connected to the internet, has an IP address, and anybody can reach or ping it.

The web application is executed by the web server installed on that server, not by the person requesting it. Therefore, any time we run a web application or request a page, it is actually executed on the web server and not on the client's computer. Once it has been executed, the web server sends a ready-to-read HTML page to the target client, as shown in the following diagram:



Suppose we are using a computer or a phone and want to access google.com. If we type google.com in the URL bar, the name is translated to an IP address using a DNS server. DNS is a service that translates every domain name (.com, .edu, or any other name) to its relevant IP address. If we request google.com, the request goes to a DNS server, which translates google.com to the IP address where Google is hosted. Our request then goes to that IP address, the page we asked for is executed there using all of the applications we have spoken about, and we are given a ready HTML page.

So the program gets executed on the server, and what we get back is HTML, which is a markup language, as the result of the program. This is very important, because in the future, if we want to get anything executed on the web server, such as a shell, we need to send it in a language that the web server understands (for example, PHP). Once it is executed inside the server, it runs on the target computer.

This means that, regardless of who accesses the page, the web shell that we send (if it is written in Java or another language that the server understands) will be executed on the server and not on our computer. Therefore, it will give us access to the server and not to the person who accessed it.

On the other hand, some websites use JavaScript, which is a client-side language. If we find a website that allows us to run JavaScript code, the code will be executed by the clients. Even though the code might be injected into the web server, it will be executed on the client side, and it will allow us to perform attacks on the client computer and not on the server. Hence, it is very important to distinguish between a client-side language and a server-side language.
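To make the server-side versus client-side distinction concrete, here is an added Python example (not code from the post, nor from DVWA or Mutillidae) that plays the role of the server-side page: a tiny WSGI handler that builds the HTML the browser receives. It shows how a page that copies a request parameter straight into its output hands the browser markup to interpret on the client side, and how HTML-escaping on the server, the usual fix, turns the same input into harmless text. The handler, the function names and the sample input are assumptions made for this illustration.

```python
import html
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

# Added illustration (not code from the post, DVWA or Mutillidae). The "page"
# below is server-side code, the analogue of a PHP script: it runs on the
# server and only the HTML it returns ever reaches the browser.


def render_greeting_unsafe(name: str) -> str:
    """Server-side handler that copies client input straight into the HTML.
    Whatever the client supplied is sent back as markup, so a <script> tag in
    `name` is interpreted by the browser, i.e. it runs on the client side."""
    return f"<html><body><h1>Hello {name}</h1></body></html>"


def render_greeting_safe(name: str) -> str:
    """Same page with HTML escaping done on the server: the input is rendered
    as text, so the browser displays '<script>' instead of executing it."""
    return f"<html><body><h1>Hello {html.escape(name, quote=True)}</h1></body></html>"


def contains_live_script(page: str) -> bool:
    """Crude reviewer check: does the returned document carry an unescaped
    <script ...> tag? (The escaped form '&lt;script' does not match.)"""
    return "<script" in page.lower()


def app(environ, start_response):
    """Minimal WSGI application standing in for Apache+PHP. wsgiref executes
    this function on the server for every request and streams back HTML."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    name = params.get("name", ["world"])[0]
    body = render_greeting_safe(name).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Open http://127.0.0.1:8000/?name=%3Cb%3Ehi%3C/b%3E in a browser: the tags
    # show up as text because escaping happened on the server before sending.
    with make_server("127.0.0.1", 8000, app) as httpd:
        httpd.serve_forever()
```

`html.escape` covers the HTML text context only; attribute values, JavaScript string literals and URLs each need their own encoding, and a Content-Security-Policy header is a second layer that limits what injected script can do when an escaping step is missed.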

Attacking a Website

In this section, we are going to discuss attacking a website. For attacking websites, we have two approaches:

  1. We can use the methods we have learned so far. Because we know that a website is installed on a computer, we can try to attack and hack it just like any other computer. We can also use server-side attacks to see which operating system, web server, or other applications are installed. If we find any vulnerabilities, we can use them to gain access to the computer.
  2. Another way is client-side attacks, because websites are managed and maintained by humans. This means that, if we manage to hack any of the administrators of the site, we will probably be able to get their username and password, and from there log in to their admin panel or to the Secure Shell (SSH) service. Then we will be able to access any of the servers that they use to manage the website.

If both of those methods fail, we can try to test the web application itself, because it is just an application installed on that server. Our target might not even be the web application; maybe our target is a person using that website whose computer we cannot reach directly. Instead, we can go to the website, hack into it, and from there go after our target person.

All of the devices and applications are interconnected, and we can use one of them to our advantage and then make our way to another computer or to another place. In this section, instead of focusing on client-side and server-side attacks, we will be learning how to test the security of the web application itself.

We are going to use the Metasploitable machine as our target machine. If we run the ifconfig command, we will see that its IP is 10.0.2.4, as shown in the following screenshot:



If we look inside the /var/www folder, we can see all the website files stored, as shown in the following screenshot:



In the above screenshot, we can see that we have a phpinfo.php page, and we have dvwa, Mutillidae, and phpMyAdmin. Now, if we go to any machine on the same network, open the browser, and go to 10.0.2.4, we will see the website made for Metasploitable, as shown in the given screenshot. A website is just an application installed on the web server, and we can access any of the Metasploitable websites and use them to test their security:




Now we are going to look at the DVWA page. It requires the username admin and the password password to log in. Once we enter these credentials, we can log in, as shown in the following screenshot:


Once we are logged in, we can modify the security settings using the DVWA Security tab, as shown in the following screenshot:



Under the DVWA Security tab, we will set Script Security to low and click on Submit:




We will keep it set to low in the upcoming sections. Because this is just an introductory course, we will only be talking about the basic ways of discovering web application vulnerabilities in both the DVWA and the Mutillidae web applications.

If we go to the Mutillidae web application in the same way that we accessed DVWA, we should make sure that its Security Level is set to 0, as shown in the following screenshot:


We can toggle Security Level by clicking the Toggle Security option on the page:


Information Gathering

In this section, we will discuss various techniques for gathering information about the target using Whois Lookup, Netcraft, and Robtex. Then we will see how we can attack a server by targeting other websites hosted on that server. Moving further into information gathering, we will learn about subdomains and how they can be useful for performing attacks. Later we are going to look for files on the target system to gather some information and analyze that data.

We will do information gathering before we start trying to exploit. We are going to gather as much information as we can about the target: its IP, the technology used on the website, the domain name info, which programming language is used, what kind of server is installed on it, and what kind of database is being used. We will gather the company's information and its DNS records. We will also look for subdomains that are not visible to other people, and for any files that are not listed. We can use any of the information-gathering tools we used before; for example, we can use Maltego, insert an entity as a website, and start running actions. We can also use Nmap, or even Nexpose, to test the infrastructure of the website and see what information we can gather from that.

This section will cover the following topics:

  • Whois Lookup
  • Netcraft

Whois Lookup

In this section, we are going to have a look at Whois Lookup. It is a protocol used to find the owners of internet resources, for example, a domain, a server, or an IP address. We are not actually hacking here; we are just retrieving information from a database about the owners of resources on the internet. For example, if we wanted to register a domain name like zaid.com, we would have to supply information about the person registering it, such as their address; the domain name would then be stored in our name, and people would see that Zaid owns it. That is all we are going to do.

If we google Whois Lookup, we will see a lot of websites providing the service. We are going to use http://whois.domaintools.com, enter our target domain name, isecurity.org, and press the Search button, as shown in the following screenshot:




In the following screenshot, we can see that we get a lot of information about our target website:




We can see the email address that can be used to contact the domain owner. Usually, we would be able to see the address of the company that registered the domain name, but here we can see that this company is using privacy protection on its domain. If the company were not using privacy protection, we would be able to see its address and much more information about the actual company.

We can see when the domain name was created, and we can also see the IP address of isecurity.org. If we ping the domain, we should get the same IP address as the one shown in the following screenshot.

If we run ping www.isecurity.org, the same IP address is returned:


In the above screenshot, we can see the IP Location and Domain Status, and we can also access the History, but we need to register for that. Again, we can use this information to find exploits.

In the following screenshot, in the Whois Record, we can find more information about the company that registered this domain:



This is basic information, but it is very helpful in the long run: we know what the target's IP is and what services they are using. We can see the name server that is being used, and we can also see which company provides it.
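The record fields the post reads off the Whois Lookup page (creation date, registrant privacy, domain status, name servers and the company behind them) are the same ones a defender pulls into an asset inventory. Here is an added Python example, not part of the original post, that parses a WHOIS record into those fields and flags privacy protection and the name-server provider. The record is constructed for the illustration and is not the real isecurity.org entry (it reuses only the ns1.digitalocean.com host name the post mentions); the fetch_whois helper speaks the plain WHOIS protocol on TCP port 43 and is only needed for a live lookup.

```python
import re
import socket
from dataclasses import dataclass, field

# Constructed sample in the "Key: Value" layout most registries return over the
# WHOIS protocol (RFC 3912). Values are invented for illustration; this is not
# the real isecurity.org record.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.ORG
Registrar: Example Registrar, Inc.
Creation Date: 2011-04-02T09:15:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: NS1.DIGITALOCEAN.COM
Name Server: NS2.DIGITALOCEAN.COM
DNSSEC: unsigned
>>> Last update of WHOIS database: 2021-06-17T10:00:00Z <<<
"""

# Words that typically appear when a privacy/proxy service hides the registrant.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "whoisguard", "identity protect")


@dataclass
class WhoisSummary:
    domain: str = ""
    registrar: str = ""
    created: str = ""
    statuses: list = field(default_factory=list)
    registrant_org: str = ""
    registrant_email: str = ""
    name_servers: list = field(default_factory=list)
    dnssec: str = ""

    @property
    def privacy_protected(self) -> bool:
        """True when the registrant fields are hidden behind a privacy service."""
        text = (self.registrant_org + " " + self.registrant_email).lower()
        return any(marker in text for marker in PRIVACY_MARKERS)

    @property
    def ns_provider(self) -> str:
        """Registered domain of the first name server (e.g. 'digitalocean.com'),
        which usually names the DNS or hosting company."""
        if not self.name_servers:
            return ""
        return ".".join(self.name_servers[0].split(".")[-2:])


def parse_whois(text: str) -> WhoisSummary:
    """Fold a Key: Value record into a summary; repeated keys accumulate."""
    s = WhoisSummary()
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]+?):\s*(.*?)\s*$", line)
        if not m:
            continue  # banners, the '>>>' footer and blank lines
        key, value = m.group(1).lower(), m.group(2)
        if key == "domain name":
            s.domain = value.lower()
        elif key == "registrar":
            s.registrar = value
        elif key == "creation date":
            s.created = value
        elif key == "domain status":
            s.statuses.append(value.split()[0])  # drop the trailing EPP URL
        elif key == "registrant organization":
            s.registrant_org = value
        elif key == "registrant email":
            s.registrant_email = value
        elif key == "name server":
            s.name_servers.append(value.lower())
        elif key == "dnssec":
            s.dnssec = value
    return s


def fetch_whois(domain: str, server: str, timeout: float = 10.0) -> str:
    """Raw WHOIS query over TCP/43 (RFC 3912): send the name, read until EOF.
    Network-bound, so it is only called from the __main__ block below."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


if __name__ == "__main__":
    summary = parse_whois(SAMPLE_WHOIS)
    print(summary)
    print("privacy:", summary.privacy_protected, "| NS provider:", summary.ns_provider)
    # Live lookup (needs network): parse_whois(fetch_whois("example.org", "whois.iana.org"))
```

`ns_provider` keeps the last two labels of the name server, which is right for digitalocean.com but wrong under two-level public suffixes such as co.uk; a public-suffix list is the proper fix. A live query to whois.iana.org returns a referral naming the registry's own WHOIS server for the TLD rather than the full record, so a second query to that server is needed.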

Netcraft

In this section, we will learn how to get information about the technologies used by the target website. To do this, we are going to use a website called Netcraft (https://www.netcraft.com), put in the target address, isecur1ty.org, and click on the arrow, as shown in the following screenshot:


After this, click on Site Report as shown in the following screenshot:


In the given screenshot, we can see some basic information like the Site title, Site rank, Description, Keywords, and when the website was created:


When we scroll further down, we can see the website itself, the Domain, the IP address, and the Domain registrar, which is the company that registered the domain for isecur1ty:

Here we would normally see information about the organization, but we can't, because isecur1ty is using privacy protection. Usually, we should be able to see such information and even more.

In the preceding screenshot, we can see that it is hosted in the UK. We can also see the Nameserver, which is ns1.digitalocean.com, and if we go to ns1.digitalocean.com, we will discover that this is a website for web hosting.

Now, we know that this is a web hosting company, and in worst-case scenarios, we can use this or try to hack into ns1.digitalocean.com itself to gain access to isecur1ty.

If we scroll further down, we will see the Hosting History, listing the hosting companies that isecur1ty has used. We can see that the latest one is running on Linux with Apache, the same server that we saw in the previous section, version 2.2.31 with Unix mod_ssl and all the other add-ons:


Again, this is very important to find exploits and vulnerabilities on our target computer.

Scrolling down to Web Trackers will show us the third-party applications used on our target: we can see that it uses MaxCDN, Google, and other Google services. This could also help us find a way to gain access to the target computer, as shown in the following screenshot:


The Technology tab shows us the technologies used on the target website:

 

In the above screenshot, we can see that it is using the Apache web server. On the Server-Side, we can see that the website uses PHP, which means the website can understand and run PHP code. In the future, if we manage to run any kind of code on our target, the code should be sent as PHP code. When creating payloads with Metasploit or Veil-Evasion, we should create them in PHP format, and the target website will be able to run them because it supports PHP.

On the Client-Side, we can see in the preceding screenshot that the website supports JavaScript. If we run JavaScript on the website, it will not be executed on the website itself; it will be executed on the side of the users viewing the website, because JavaScript is a client-side language and PHP is a server-side one. If we manage to run PHP code, it will be executed on the server itself; if we manage to run JavaScript, it will be executed on the users. The same applies to jQuery, which is just a framework for JavaScript.

If we scroll down further, we can see that the website uses the self-hosted WordPress software, as shown in the following screenshot. Netcraft will show any web applications being used on the website:

WordPress is just a web application; in other cases we might see different applications. Because it is open source and used by a lot of other websites, there are many published exploits for it. If we are lucky enough to find one that applies, we can go ahead and use it on the target website. For example, if the target runs WordPress and we go to https://www.exploit-db.com/ and search for WordPress, we will find a lot of exploits related to WordPress.

There are different versions of WordPress, and we need to make sure that the exploit matches the version our target is running. We will look at an example of how to use exploits later; for now, this just shows how powerful information gathering is. If we scroll further, we will find other information, like the fact that the website uses HTML5 and CSS, and so on, as shown in the following screenshot:


Hence, Netcraft is used for getting to know the website. We gathered information that the site runs on PHP and uses JavaScript. It uses WordPress, so we can look for WordPress exploits to hack into the website. Scrolling up, we also discovered the web hosting of the website, so in the worst-case scenario we can try to hack into the web hosting server and gain access to our target website.
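What Netcraft's Technology tab summarises (web server and version, mod_ssl, PHP on the server side, JavaScript and jQuery on the client side, WordPress) can be derived from a single HTTP response. The following added Python example, not code from the post or from Netcraft, fingerprints a constructed response and, from the defender's side, lists each place the response discloses an exact version together with the server setting that suppresses it. Apache 2.2.31 with mod_ssl is the version the post quotes; the PHP, OpenSSL, WordPress and jQuery versions in the sample are invented for the illustration.

```python
import re

# Constructed sample HTTP response standing in for what Netcraft's Technology
# tab summarises. Apache 2.2.31 with mod_ssl matches the figure the post quotes;
# the PHP, OpenSSL, WordPress and jQuery versions are invented for illustration.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.31 (Unix) mod_ssl/2.2.31 OpenSSL/1.0.1e PHP/5.6.20",
    "X-Powered-By": "PHP/5.6.20",
    "Content-Type": "text/html; charset=UTF-8",
}
SAMPLE_BODY = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.5.2" />
<link rel="stylesheet" href="/wp-content/themes/twentysixteen/style.css" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body><p>sample</p></body></html>"""


def fingerprint(headers: dict, body: str) -> dict:
    """Derive the stack from response headers and markup: web server,
    server-side language, CMS and client-side libraries, each with a version
    when one is disclosed, plus the list of places that disclosed a version."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    server = h.get("server", "")
    fp = {"web_server": None, "modules": [], "server_side": None,
          "cms": None, "client_side": [], "disclosed_versions": []}

    m = re.search(r"Apache/([\d.]+)", server)
    if m:
        fp["web_server"] = f"Apache/{m.group(1)}"
        fp["disclosed_versions"].append("Server header")
    elif server:
        fp["web_server"] = server.split()[0]
    fp["modules"] = re.findall(r"(mod_\w+/[\d.]+)", server)

    php = re.search(r"PHP/([\d.]+)", h.get("x-powered-by", "") + " " + server)
    if php:
        fp["server_side"] = f"PHP/{php.group(1)}"
        if "x-powered-by" in h:
            fp["disclosed_versions"].append("X-Powered-By header")

    gen = re.search(r'<meta name="generator" content="WordPress ([\d.]+)"', body)
    if gen:
        fp["cms"] = f"WordPress/{gen.group(1)}"
        fp["disclosed_versions"].append("WordPress generator meta tag")
    elif "/wp-content/" in body or "/wp-includes/" in body:
        fp["cms"] = "WordPress (version not disclosed)"

    if "<script" in body.lower():
        fp["client_side"].append("JavaScript")
    jq = re.search(r"jquery[^\"']*\.js\?ver=([\d.]+)", body, re.IGNORECASE)
    if jq:
        fp["client_side"].append(f"jQuery/{jq.group(1)}")
    return fp


# Hardening hints for the defender reviewing the same response. The settings
# named are real Apache, PHP and WordPress options.
REMEDIATION = {
    "Server header": "Apache: 'ServerTokens Prod' hides the version and module list",
    "X-Powered-By header": "php.ini: 'expose_php = Off' removes the header",
    "WordPress generator meta tag":
        "WordPress: remove_action('wp_head', 'wp_generator') in the theme",
}


def disclosure_findings(fp: dict) -> list:
    """One finding per place the response leaks an exact version."""
    return [f"{where}: {REMEDIATION[where]}" for where in fp["disclosed_versions"]]


if __name__ == "__main__":
    result = fingerprint(SAMPLE_HEADERS, SAMPLE_BODY)
    for key, value in result.items():
        print(f"{key:18} {value}")
    for finding in disclosure_findings(result):
        print("finding:", finding)
```

Hiding the version strings does not patch anything: the disclosed versions are the cue to compare against the vendors' release notes and update, and the suppression only removes the free hint that tools such as Netcraft would otherwise record.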








