How Hackers Target and Hack Your Site (1)

The answer to this question may be difficult to determine, simply because there are so many ways to hack a site. Our aim in this article is to show you the techniques most used by hackers in targeting and hacking your site!

Let’s suppose that this is your site: hack-test.com

Let’s ping this site to get the server IP:

Now we have 173.236.138.113 – this is the server IP where our target site is hosted.

To find other sites hosted on the same server, we will use sameip.org:

Same IP: 26 sites hosted on IP Address 173.236.138.113

.......

Twenty-six other websites are hosted on this server [173.236.138.113]. Many hackers will target all the other sites on the same server in order to hack your site. But for the purpose of study, we will target your site only and put aside hacking the other sites on the same server.

We’ll need more information about your site, such as:

  1. DNS records (A, NS, TXT, MX and SOA)
  2. Web Server Type (Apache, IIS, Tomcat)
  3. Registrar (the company that owns your domain)
  4. Your name, address, email and phone
  5. Scripts that your site uses (php, asp, asp.net, jsp, cfm)
  6. Your server OS (Unix, Linux, Windows, Solaris)
  7. Your server open ports to internet (80, 443, 21, etc.)

Let’s start with finding your site’s DNS records. We will use the website “Who.is” to achieve this:

We have discovered that your site DNS records are:

HACK-TEST.COM DNS RECORDS

Record             Type  TTL      Priority  Content
hack-test.com      A     4 hours            173.236.138.113 ()
hack-test.com      SOA   4 hours            ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400
hack-test.com      NS    4 hours            ns1.dreamhost.com
hack-test.com      NS    4 hours            ns3.dreamhost.com
hack-test.com      NS    4 hours            ns2.dreamhost.com
www.hack-test.com  A     4 hours            173.236.138.113 ()

Let’s determine the web server type:

As you see, your site’s web server is Apache. We will determine its version later.

HACK-TEST.COM SITE INFORMATION

IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank: 1 Month: 3,213,968; 3 Month: 2,161,753
Page Views per Visit: 1 Month: 2.0; 3 Month: 3.7

 

Now it is time to find your domain registrar and your name, address, email and phone:

We have now got your registrar and other vital information about you. We can find the type of scripts on your site (plus the OS type and web server version) by using a cool tool in BackTrack 5 R1 called WhatWeb:

 

We now know that your site is running a well-known PHP application called WordPress, that your server OS is Fedora Linux and that your web server version is Apache 2.2.15. Next, let’s find the open ports on your server.

To do this, we will use nmap:

1 – Find the services that run on the server

2 – Find the server OS

Only port 80 is open, and the OS is Linux 2.6.22 (Fedora Core 6).

Now that we have gathered all the important information about your site, let’s scan it for vulnerabilities such as SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF, and so forth.

We will use Nikto.pl to gather information and, perhaps, find some vulnerabilities:

 

               

We will also use W3AF. You can find this tool in BackTrack 5 R1:

  root@bt:/pentest/web/w3af# ./w3af_gui 

Starting w3af, running on:
Python version:
2.6.5 (r265:79063, Apr 16 2010, 13:57:41)
[GCC 4.4.3]
GTK version: 2.20.1
PyGTK version: 2.17.0 

w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team. 

 

We will insert our site URL and choose the full audit option:

After some time, the scan will finish and you will see:

 

 

Your site is vulnerable to SQL injection, XSS and others!

Let’s investigate the SQL injection vulnerability:

http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220

This is the vulnerable URL, and cat is the vulnerable parameter.
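To see why a value like cat=d'z"0 makes the application throw a database error (the signal the scanner keyed on), here is an added example that is not code from the article or from the Hackademic application: a string-concatenated lookup next to its parameterized fix, with SQLite standing in for MySQL and a constructed posts table.

```python
import sqlite3

# Constructed stand-in for the lookup behind ?cat=<value>; SQLite replaces MySQL
# so the example runs offline. PROBE is the URL-decoded form of cat=d%27z%220.
PROBE = "d'z\"0"
TAUTOLOGY = "' OR '1'='1"  # classic boolean payload that scanners also send


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, cat TEXT, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)",
                     [(1, "1", "Hello world"), (2, "2", "Second post")])
    return conn


def vulnerable_lookup(conn, cat):
    # The request value is pasted into the SQL text, so quotes inside it
    # change the statement's structure instead of staying data.
    sql = "SELECT title FROM posts WHERE cat = '" + cat + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, cat):
    # Parameter binding: the value travels separately from the SQL text and
    # is never parsed as SQL, whatever characters it contains.
    sql = "SELECT title FROM posts WHERE cat = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (cat,))]


def probe(conn, lookup, cat):
    """Return ('ok', rows) or ('error', message).

    A database error leaking into the HTTP response is exactly what an
    error-based scanner (or sqlmap) looks for; the safe lookup never produces it.
    """
    try:
        return ("ok", lookup(conn, cat))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for value in ("1", PROBE, TAUTOLOGY):
        print(repr(value), "vulnerable:", probe(db, vulnerable_lookup, value),
              "safe:", probe(db, safe_lookup, value))
```

The vulnerable version errors on the probe and returns every row for the tautology, while the parameterized version treats both as literal category names and simply finds nothing.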

So, let’s exploit this vulnerability:

We will find that exploiting this vulnerability fails, so we will use sqlmap to do the job and dump all the database information that we need to hack this site.

Using sqlmap with -u url

 

After some seconds you will see:

Type n and press enter to continue.

As you see, your site is vulnerable to error-based SQL injection and your MySQL database version is 5.

Let’s find all the databases on your site by adding “--dbs”:

We find 3 databases.

 

We will dump the wordpress database tables by adding “-D wordpress --tables”:

We will find all the WordPress tables.

 

We want to dump the “wp_users” table, so that we can find all the users’ (admin?) information (user id and password hash), try to crack the hash and enter the WordPress control panel (wp-admin).

We will list the columns of the “wp_users” table by adding “-T wp_users --columns”:

 

We will find 22 columns.

We just need two columns, so we will dump the user_login and user_pass columns by adding

-C user_login,user_pass --dump

We will find the important information: the users and their password hashes.
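The scanner probes and the sqlmap dump described above leave a very recognizable trace in the web server’s access log: a burst of requests from one client whose query-string values carry quotes, comment sequences and boolean tests. This added example (not from the article) flags such values in constructed Apache combined-format log lines and alerts per client IP, so a single apostrophe in an ordinary search term does not trip it; the log lines, IP addresses and threshold are all constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines. 203.0.113.7 plays the scanning host
# working on the page's vulnerable ?cat= parameter; 198.51.100.4 is an ordinary visitor.
LOG_LINES = [
    '203.0.113.7 - - [23/Mar/2011:10:00:01 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2011:10:00:02 +0000] "GET /Hackademic_RTB1/?cat=d%27z%220 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2011:10:00:02 +0000] "GET /Hackademic_RTB1/?cat=1%20AND%201=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2011:10:00:03 +0000] "GET /Hackademic_RTB1/?cat=1%27%20AND%20%271%27=%271 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Mar/2011:10:00:03 +0000] "GET /Hackademic_RTB1/?cat=-1%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 200 4811 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Mar/2011:10:00:05 +0000] "GET /Hackademic_RTB1/?cat=2 HTTP/1.1" 200 4200 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Mar/2011:10:00:09 +0000] "GET /Hackademic_RTB1/?s=it%27s HTTP/1.1" 200 3900 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Quote characters, SQL comment openers, UNION SELECT, and "AND 1=1"-style boolean
# probes. Quotes alone also match innocent input such as "it's", which is why
# scan_log() alerts on volume per client rather than on any single hit.
SQLI_RE = re.compile(r"""['"]|--|/\*|\bunion\s+select\b|\b(?:and|or)\s+\d+\s*=\s*\d+""", re.I)


def suspicious_values(target):
    """Return the decoded query-string values of a request target that look like SQL probes."""
    hits = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # second decode pass catches %2527-style double encoding
        if SQLI_RE.search(value):
            hits.append(value)
    return hits


def scan_log(lines, threshold=3):
    """Count suspicious requests per client IP and return the clients at or above threshold."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and suspicious_values(m.group("target")):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(scan_log(LOG_LINES))  # {'203.0.113.7': 4}
```

A real deployment would add a time window to the per-client count and feed the result to the same alerting used for the 500 responses the probes provoke.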

 

But we want to crack those hashes to clear-text passwords. We will use the online site “http://www.onlinehashcrack.com/free-hash-reverse.php”

and try to crack this hash: 7CBB3252BA6B7E9C422FAC5334D22054

 

And the clear-text password is q1w2e3

And user name is “GeorgeMiller”
