Thursday, September 9, 2010

Web hacking

Hacking Web Servers

By Ankita Chaterjee



This article is intended purely for educational purposes and does not in any way encourage hacking. The real purpose of this writing is to help prevent hack attempts. I am in no way responsible if you do anything illegal and against the law.

Web servers and web applications have a very high potential to be compromised. The previous article, "Hacking Web Application", discusses how web applications are hacked. Here I will discuss how web servers are hacked.
Understanding how web servers are hacked is an important part of an ethical hacker's job. This includes knowing their vulnerabilities, as well as understanding the types of attacks, including Internet Information Server (IIS) Unicode exploits, that a hacker may use.

Types of Web Server Vulnerabilities:-
The following vulnerabilities are most commonly exploited in web servers:

1) Misconfiguration of the web server software

2) Operating system or application bugs, or flaws in programming code

3) Vulnerable default installation of operating system and web server software, and/or lack of patch management to update operating system or web server software

4) Lack of, or failure to follow, proper security policies and procedures

An exploit of a web server offers a hacker easier access to internal systems or databases.

How are web servers compromised?
1) Misconfigurations in operating systems or networks
2) Bugs: OS bugs may allow commands to run on the web
3) Installing the server with defaults: service packs may not be applied in the process, leaving holes behind
4) Capturing administrator credentials through man-in-the-middle attacks
5) Revealing an administrator password through a brute-force attack
6) Using a DNS attack to redirect users to a different web server
7) Using SQL injection attacks (if the SQL server and web server are the same system)
8) Using web server extension or remote service intrusion

Hacking IIS Server:-
There are many web servers available in the market. IIS is one of the most widely used web server platforms on the Internet. Microsoft's web server has been a frequent target over the years.
Various vulnerabilities have affected IIS. Examples include:
• ::$DATA vulnerability
• showcode.asp vulnerability
• Piggy backing vulnerability
• Privilege command execution
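
As an added example (not part of the original article), the following Python script takes a defender's view of the first two items above: it scans an IIS W3C extended log for request URLs that contain `::$DATA` or `showcode.asp`. The log lines, the field layout and the names `scan_iis_log` and `INDICATORS` are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed IIS W3C extended log sample (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-09-09 10:00:01 192.0.2.10 GET /default.asp - 200
2010-09-09 10:00:05 198.51.100.7 GET /login.asp::$DATA - 200
2010-09-09 10:00:09 198.51.100.7 GET /login.asp%3A%3A%24data - 404
2010-09-09 10:00:12 203.0.113.4 GET /samples/showcode.asp - 404
2010-09-09 10:00:20 192.0.2.10 GET /products.asp id=4 200
"""

# Indicators built only from the vulnerability names listed in the article.
INDICATORS = {
    "::$data": "::$DATA stream suffix in URL",
    "showcode.asp": "request for showcode.asp sample page",
}

def _decode(value, rounds=3):
    """Percent-decode repeatedly so encoded or double-encoded forms still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def scan_iis_log(text):
    """Return one finding dict per log line that matches an indicator."""
    fields, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        target = _decode(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        for needle, reason in INDICATORS.items():
            if needle in target:
                findings.append({"line": lineno, "client": row.get("c-ip"),
                                 "status": row.get("sc-status"), "reason": reason})
    return findings

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f)
```

A flagged line with status 200 deserves review first, since the server answered the request rather than rejecting it.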

IIS hacking tools:-

The Metasploit Framework is an advanced open-source platform for developing and testing exploit code. It is a tool for penetration testing, exploit development, and vulnerability research. It runs on any UNIX-like system under its default configuration. A customized Cygwin environment is also available for Windows users.

1 comment:

  1. Arnab here. Very good article. Metasploit is nice. Thanks.
