Attacking WebServers - Different Vectors - Tutorial
Before I talk about this post you should read my other 2 guides I wrote; just click my profile, then go to threads and you will see those 2.
This guide is to teach you how to do information gathering and attack your targets.
Today hackers mainly only target web hosting servers; this guide is different, it teaches you how to attack targeted servers.
Let's say you have a medical hospital that you are wanting to target.
Now let's face it, 9 out of 10 of you hackers would only target the website because that's what you're used to.
Well, today I'm teaching you how to do more than just that.
Tools:
1. nmap
2. Maltego
3. DirBuster
4. smbclient
5. Cain and Abel
+ More
Let's say a medical company has a subnet IP range of
224.231.12-224.231.12.255
Your first targeted IP address is 224.231.12.234.
First thing you need to do is run an Nmap scan on the targeted IP address, for example:
Code:
Discovered open port 443/tcp on 74.125.227.37
Discovered open port 80/tcp on 74.125.227.37
Allow the nmap scan to finish and let's say it finds port
7717
which is a service controller for a piece of software that allows remote connections to it via a terminal service.
Let's say you logged into it and you don't know the passwords: Google the service provider and check the default usernames and passwords for the service.
Okay, so let's say that doesn't work and this IP address only has 2 ports open.
What do you do now?
So now it's time to move on to the next IP address.
Open up Maltego, input the IP address and click run all transformations.
You will then see the subnets, and then you can right-click on the subnets to spread out all the IP addresses.
Or, if you're on Windows, use Angry IP Scanner to get the IP subnets.
Now you have a list of over 100 IP addresses and you don't know what to do.
First thing is to run nmap - http print scan (Google it).
What that does is connect to every IP address, do an nmap scan on it, connect to all the ports and display the fingerprint of each to you, such as:
nmap ---> scan ip 127.0.0.1 --> open ports 21,80,53
http print scan -> Port 80 "Welcome to Service Station"
So now you know what all services are running on the whole entire network.
Now you go to random IP addresses and start issuing exploits based on the knowledge you got.
Let's say one IP address has a folder that is not viewable to the public, but you know the user rights on it allow you to view other folders, such as:
127.0.0.1/ (not viewable)
127.0.0.1/FolderName/File.txt (viewable)
127.0.0.1/FolderName/Folder/ (viewable)
What that means is that the admin didn't set the policy correctly for which folder directories can and can't be viewed.
What you would do in this situation is run a brute-force attack
by using DirBuster, which uses parallel asynchronous requests (however you spell it).
Which means it can scan multiple things every second: instead of scanning with just 1 thread it will scan, let's say, 10 at the same time, for faster results.
By running DirBuster you can now get a list of the viewable folders (hopefully), depending on your directory list.
Sometimes you can get the full directory, and sometimes there can be usernames, passwords or basic info to help you in your further attacks.
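The DirBuster-style folder brute force described above is easy to spot from the server side. The following is an added example (not code from the original post): it parses constructed Apache-format access log lines and flags any client that produces a burst of 404 responses inside a short window, which is what a wordlist scan against guessed folder names looks like; the log lines, IPs, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; we need the client IP, timestamp and status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def detect_dir_bruteforce(lines, window_seconds=60, threshold=20):
    """Return {ip: peak 404 count inside any window} for clients at or over the threshold.
    A scanner guessing folder names produces a burst of 404s for paths that do not exist;
    a real visitor does not. Timestamps are sorted per client and scanned with a sliding window.
    """
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1  # drop misses that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def build_sample():
    """Constructed log (not real traffic): one normal visitor, one client guessing folder names."""
    lines = ['10.0.0.7 - - [12/Mar/2024:10:00:00 +0000] "GET /FolderName/File.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
    for i in range(25):
        lines.append(f'10.0.0.9 - - [12/Mar/2024:10:00:{i:02d} +0000] "GET /guess{i}/ HTTP/1.1" 404 210 "-" "DirBuster-1.0-RC1"')
    return lines
```

Running `detect_dir_bruteforce(build_sample())` returns `{'10.0.0.9': 25}`: the scanning client is flagged while the ordinary visitor, whose requests succeed, is not.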
----------------------------------------------------------------------------------------------
Now let's say you're targeting a Windows server that has SMB running on it with anonymous login:
Code:
Anonymous login successful
Sharename       Type      Comment
---------       ----      -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
session request to 173.254.196.118 failed (Called name not present)
session request to 173 failed (Called name not present)
Anonymous login successful
Server               Comment
---------            -------
AIM-BCRTR-6930
AIM-CAYSH
AIM-GLB
AIM-USPRAUVE7
AIMCHANEXCH
AIMCHANMBX1
By using smbclient:
Code:
# open (host,port)
Code:
open {host,port} - opens a SMB connection against the target host/port
login {username,passwd} - logs into the current SMB connection
login_hash {username,lmhash,nthash} - logs into the current SMB connection using the password hashes
logoff - logs off
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
pwd - shows current remote directory
ls {wildcard} - lists all the files in the current directory
rm {file} - removes the selected file
mkdir {dirname} - creates the directory under the current path
rmdir {dirname} - removes the directory under the current path
put (unknown) - uploads the filename into the current path
get (unknown) - downloads the filename from the current path
close - closes the current SMB Session
exit - terminates the server process (and this session)
You can connect to its service and use the available options above.
Not only that, the SMB service displays multiple usernames and names of the staff; you can use that to help further your attack for brute-forcing.
If you're on the local network you can run Cain and Abel to do an ARP poisoning attack, which will sniff the whole entire network, giving you hash codes, usernames, passwords, etc.
Which is also good for getting access to private company intranet IP address port 80 websites.
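ARP poisoning of the kind Cain and Abel performs leaves a clear trace on the wire: an IP address that suddenly answers from a different MAC, or one MAC answering for several IPs at once. The following is an added example (not code from the original post) that runs that check passively over a constructed sequence of ARP replies; the addresses and the pinned gateway binding are assumptions.

```python
from collections import defaultdict

def detect_arp_spoofing(replies, trusted=None):
    """Flag suspicious IP->MAC bindings in a stream of ARP replies.

    replies: iterable of (sender_ip, sender_mac) as a passive sniffer would see them.
    trusted: optional {ip: mac} of pinned bindings (e.g. the gateway); these are never
             overwritten, so every reply that contradicts one raises an alert.
    Returns (alerts, table): alerts is a list of dicts, table is the final IP->MAC view.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    pinned = set(table)
    claims = defaultdict(set)  # mac -> set of IPs it has claimed so far
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        prev = table.get(ip)
        if prev is not None and prev != mac:
            # A known binding now answers from a different MAC: the poisoning signature.
            alerts.append({"type": "binding_changed", "ip": ip, "old": prev, "new": mac})
        elif prev is None and len(claims[mac]) > 1:
            # A new IP is claimed by a MAC that already claims others: one station
            # answering for several hosts, which is the man-in-the-middle position.
            alerts.append({"type": "multi_ip_mac", "ip": ip, "mac": mac,
                           "ips": sorted(claims[mac])})
        if ip not in pinned:
            table[ip] = mac
    return alerts, table

# Constructed sample (not captured traffic): the real gateway answers first, then a
# second station starts answering for the gateway and for two client IPs.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "DE:AD:BE:EF:00:99"),
    ("192.168.1.20", "de:ad:be:ef:00:99"),
    ("192.168.1.30", "de:ad:be:ef:00:99"),
]
TRUSTED = {"192.168.1.1": "aa:bb:cc:00:00:01"}  # assumed known gateway binding

def run_sample():
    return detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED)

if __name__ == "__main__":
    for alert in run_sample()[0]:
        print(alert)
```

On the sample this produces three alerts: two binding changes (the gateway and the client now answered by the same new MAC) and one multi-IP MAC alert for the third address, while the pinned gateway entry stays intact in the table.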
Thanks