EC Council CEH 312-50 V11 – Website Hacking – Information Gathering part 2
- Discovering Websites On The Same Server
In this lecture I'd like to highlight a very important point when it comes to website penetration testing. Websites are installed on web servers, and web servers are just ordinary computers. As we said before, those computers have IP addresses, and it is the IP address we actually connect to when we access the target website. In many scenarios the server hosting your target will also host a large number of other websites (shared hosting), so the website you are targeting sits on the same machine, and usually the same file system, as websites that belong to other people. What this means is that if you cannot find any vulnerabilities in your target website, you can try to hack into any other website installed on the same server. If you manage that, you may be able to gain access to the server itself.
Gaining access to the server basically means you have access to all the other websites on it, because the server is just a computer: from a shell on it you can literally navigate to the directory of the website you want and read or modify its files. So if you are trying to hack into a website and cannot find any exploits, the next step is to try any other website that exists on the same server. What I mean by "on the same server" is that the websites resolve to the same IP address. Let me show you an example using my own blog, zade.com, because there are a lot of websites on its server. If we look it up on robtex.com and scroll down to "names pointing to the same IP address", you can see all of the websites that exist on the same server as zade.com.
So if you can manage to hack into any of these websites, you will be able to navigate from that website's directory into zade.com's and gain full access to my website. Let me show you. If I copy any of these domain names, for example the one listed as Rebate Me, and go to my terminal: if I ping zade.com you will see the IP address of my website, and if I ping the Rebate Me domain you will see that both websites have the same IP address. This means that both websites are installed on the same computer.
And if we can hack into one of them, we can literally navigate from that website into the other from our Meterpreter shell, PHP shell or whatever kind of shell we are using. Another way of finding websites on the same server is Bing. It is really simple: go to Bing and search for ip: followed by the IP address of your target website (ip:<target IP>, with no space after the colon), and you will see all the other websites that exist on the same server. You can then try to hack any of these and from there hack into the target. This is very important because in many cases the target website itself is very well secured but the server is not, so you can compromise one of the other websites and then move through the server to your target. One caveat before relying on this: a shared IP address is strong evidence, not proof, that two sites share a file system. The address may belong to a load balancer, reverse proxy or CDN edge that fronts many unrelated back ends, and properly configured shared hosting runs each site as its own system user with restrictive permissions and PHP restrictions such as open_basedir, so a shell in one site does not automatically let you read its neighbours. Confirm what you can actually reach once you have the shell.
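The reverse-IP check the lecture does by hand (ping both names, compare addresses) can be scripted, and it pays to add the confirmation step that a shared address alone does not give you. The Python below is an added example written for this page, not code from the course; the example.com/.net/.org/.edu names, the 203.0.113.x addresses and the fake resolver and probe are constructed stand-ins for the live DNS and HTTP lookups so the block runs offline. group_by_address reproduces the "names pointing to the same IP address" view from robtex.com or Bing; confirm_vhosts then asks the server at that IP for each name with an explicit Host header and keeps only the names that get a page different from a made-up hostname, which separates sites the box really serves from names that merely point at its default virtual host or at a shared front end.

```python
import hashlib
import secrets
import socket
import urllib.error
import urllib.request


def resolve_addresses(name):
    """Set of IPv4 addresses for a hostname; empty if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def group_by_address(names, resolve=resolve_addresses):
    """Reverse-IP view: address -> sorted names that resolve to it."""
    by_ip = {}
    for name in names:
        for ip in resolve(name):
            by_ip.setdefault(ip, set()).add(name)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def http_probe(ip, host, timeout=5):
    """Fetch http://<ip>/ while claiming to be <host>; return (status, body digest).
    The digest lets two responses be compared without keeping the bodies."""
    req = urllib.request.Request(f"http://{ip}/", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, hashlib.sha256(resp.read()).hexdigest()
    except urllib.error.HTTPError as err:
        return err.code, hashlib.sha256(err.read()).hexdigest()
    except (urllib.error.URLError, OSError):
        return None, None


def confirm_vhosts(ip, names, probe=http_probe):
    """Names for which the server at ip answers differently from a bogus Host header.
    A name that gets the same page as the bogus host is probably just the default
    vhost (or DNS pointing at a shared front end), not a site actually served here."""
    baseline = probe(ip, f"{secrets.token_hex(6)}.invalid")
    return sorted(name for name in names if probe(ip, name) != baseline)


# Constructed DNS and HTTP data standing in for the live lookups in the lecture.
FAKE_DNS = {
    "example.com": {"203.0.113.10"},
    "example.net": {"203.0.113.10"},
    "example.org": {"203.0.113.10"},   # points here but the server has no vhost for it
    "example.edu": {"203.0.113.20"},
}
FAKE_VHOSTS = {
    ("203.0.113.10", "example.com"): "site-a-homepage",
    ("203.0.113.10", "example.net"): "site-b-homepage",
}


def fake_resolve(name):
    return FAKE_DNS.get(name, set())


def fake_probe(ip, host):
    body = FAKE_VHOSTS.get((ip, host), "default-vhost-page")
    return 200, hashlib.sha256(body.encode()).hexdigest()


if __name__ == "__main__":
    groups = group_by_address(FAKE_DNS, fake_resolve)
    for ip, hosts in groups.items():
        print(ip, "resolved by:", hosts, "confirmed:", confirm_vhosts(ip, hosts, fake_probe))
```

For a live target, drop the fake_* arguments so the real resolver and http_probe are used; the same two-step reading applies, and a name that shares the address but fails the vhost check is the first hint that the IP is a proxy or CDN rather than the machine that holds the target's files.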
- Discovering Subdomains
So far we've been gathering very useful information about the target, and we've seen that the target is always referred to by a name such as google.com. This name is known as the domain name; it is what we put in the address bar to access the target website. A lot of websites also have subdomains. A subdomain is a name that appears before the domain name, as in subdomain.target.com; a real-life example is mail.google.com, where mail is the subdomain and google.com is the domain.
We know that if we go to google.com we get the famous search engine that lets us search the internet, but if we go to mail.google.com we get a completely different web application, one used to send and receive email. So it is as if we are getting completely different websites while still targeting the same domain, google.com. Therefore, if your target is google.com or target.com, it is very important to discover all of its subdomains, because they can give us a lot of other information. We can discover sensitive data, and we can discover management pages, the pages that admins or members of the website use to reach certain functionality.
We can find completely different web applications. We can even find beta versions of the web application, or parts of it that are still under development. These parts are really good for hackers because they usually have not been tested as thoroughly, or they carry experimental features, so there is a high chance of them containing bugs. That means a higher chance of finding a weakness and exploiting it to gain access to the subdomain, and then hopefully, from there, access to the server, or some way to escalate our privileges and fully control the target website or web server.
Now, discovering subdomains is really easy and there are a lot of tools that can do it. I'm going to use a tool called Knock (knockpy). It is already installed in the custom Kali image made for this course; if you don't have the custom Kali you will have to download and install it manually, and I'll include its download link in the resources of this lecture. Under the hood it takes a wordlist of common subdomain names, prepends each one to the target domain and checks whether the resulting name resolves in DNS. Using the tool is very simple: you type the name of the program, knockpy, followed by the target domain, which in our case is google.com. I'm going to hit enter, and you will notice that as soon as I launch the tool it starts discovering subdomains.
I'm going to cancel it, because it would keep going for a while, so I press Ctrl+C, and if we scroll up you can see we already have a lot of useful results: about.google.com, one result that returns a 404, accounts.google.com, admin.google.com. Scrolling down further we have apps, and if you let it keep running you will get their api subdomain and so on. As I said, all of this increases our attack surface, because we can target any of these subdomains to discover sensitive files, find the vulnerabilities you are going to learn later in the course, and try to exploit them to gain access to the target web server. Obviously, the more web applications you can test, the bigger the attack surface and the higher the chance of discovering a vulnerability and achieving your goal of gaining access to the target server.
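What knockpy does under the hood is wordlist brute forcing against DNS, and the trap such a tool has to handle is a wildcard record: if *.target.com resolves, every guess "exists" and the output is worthless. The Python below is an added example for this page, not knockpy's own code. The example.com records, the 203.0.113.x addresses and the two fake resolvers are constructed so the block runs offline; resolve_addresses is the real lookup you would pass in for a live target.

```python
import secrets
import socket


def resolve_addresses(name):
    """Set of IPv4 addresses for a hostname; empty if it does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def detect_wildcard(domain, resolve=resolve_addresses, probes=2):
    """Resolve a few random labels under the domain. If they answer, the zone has a
    wildcard (*.domain) record and every brute-forced name will look real; return
    the addresses the wildcard answers with so the caller can filter them out."""
    answers = set()
    for _ in range(probes):
        answers |= resolve(f"{secrets.token_hex(6)}.{domain}")
    return answers


def enumerate_subdomains(domain, words, resolve=resolve_addresses):
    """Wordlist brute force like knockpy: prepend each word to the domain and keep the
    names that resolve. Names whose only addresses are the wildcard's are dropped;
    a real host that happens to share the wildcard's address is a known blind spot."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for word in words:
        word = word.strip().lower()
        if not word:
            continue
        name = f"{word}.{domain}"
        addrs = resolve(name)
        if not addrs or (wildcard and addrs <= wildcard):
            continue
        found[name] = sorted(addrs)
    return found


# Constructed DNS data standing in for live lookups (example.com is a reserved name).
FAKE_RECORDS = {
    "www.example.com": {"203.0.113.10"},
    "admin.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
}
WORDS = ["www", "mail", "admin", "beta", "api", "dev"]


def fake_resolve(name):
    """Plain zone: unknown names simply do not resolve."""
    return FAKE_RECORDS.get(name, set())


def fake_wildcard_resolve(name):
    """Same zone plus a catch-all *.example.com record pointing at a parking page."""
    return FAKE_RECORDS.get(name, {"203.0.113.5"})


if __name__ == "__main__":
    for label, resolver in (("no wildcard", fake_resolve), ("wildcard", fake_wildcard_resolve)):
        print(label, enumerate_subdomains("example.com", WORDS, resolve=resolver))
```

Both runs should print the same three hosts: without the wildcard check the second run would also report beta, api and dev as "discovered", all pointing at the parking address.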
- Discovering Sensitive Files
So far we have learned how to find subdomains that exist under our target domain even though they are not linked anywhere. In today's lecture we are going to see how to find files and directories that are stored on the target web server. Again, these can be useful because such files may contain passwords, configuration information, or details about the server itself that help us exploit the target further. Let me first show you what I mean by files and directories, so you can see how a web server's directory structure works. Here I have my Metasploitable machine, and as we know the web server's content is usually stored in /var/www.
If I run ls, or rather ls -la so the listing is nicer, you will see a number of files and directories, including one called mutillidae. Mutillidae is a web application designed to be hacked, just like Metasploitable: it is built with a number of vulnerabilities so that we can practise on it, and here it is installed in a directory called mutillidae. Now, if I open the IP address of the Metasploitable machine in my browser (ifconfig shows it is 10.20.14.204), you can see the landing page has a convenient link to Mutillidae. If I click it, look at the URL: it now ends in /mutillidae.
That means I am inside the mutillidae directory; every time you see a forward slash in a URL it usually means you are inside a directory. So let's go back to the terminal, cd mutillidae, and run ls: there is a large number of files here. Say I want to open one of them, index.php. If I browse to index.php, that is the file currently being served. What we learn from this is that mutillidae is just a directory inside my web root. So at the moment, on the Metasploitable machine, I am in /var/www/mutillidae and the file I am accessing is index.php. I hope this is clear now.
So I am in this directory, and I am accessing a file called index.php; if I run pwd you will see /var/www/mutillidae. The IP address hides where the web root is: it hides /var/www, and everything below that is shown in the URL after the IP address. What we are looking for today are all the directories and files that we cannot see. Following the links on the site gets us to the pages it wants us to reach, and this is the same with any website, but there are always files and directories that are never linked and that you simply never see. We will see how to get URLs for these files, access them and read the information in them.
To do that we are going to use a tool called dirb, and to see how it works we run man dirb to see all of its options. You can see that to use the tool you type dirb, the URL of your target, and then a wordlist. The way this works is a brute-force attack: it takes a wordlist of names, sends a request for each name under the target URL, and whenever the server responds as if something is there, it tells us it found a file or directory with that name. It can therefore only find names that appear in the wordlist you provide. You can create a wordlist with Crunch or use the wordlists that ship with dirb, and the options let you configure how the tool behaves so you can change things the way you want.
For example, you can disable recursion (-r) so it only works on one directory instead of descending into every directory it finds, or make it ask before it enters each directory (-R) instead of automatically going into all of them and searching for files inside, because that can be exhausting: on a big website there may be a lot of directories, the tool will try all of them and then look for files within each, and you can see how large the tree gets. You can also set a username and password (-u) if the target uses HTTP authentication, use -v for verbose output, and use -o to write the results to a file. Let me show you a very simple example.
I am going to run dirb against our target, 10.20.14.204, and that has to be http://10.20.14.204 because we are targeting a website, not a bare IP address. Then I add the directory I want to search within. I don't want it touching everything on the server, because as you can see there are a number of applications installed here: this one, phpMyAdmin, TikiWiki and so on. We only want to work on Mutillidae in this example, so I use only that URL, and dirb will then find files and directories within this particular web application.
I hit enter and let it work. It uses a wordlist file, and by default that is a small one stored in /usr/share/dirb/wordlists/common.txt. You can look in that directory for other wordlists you might prefer and use one simply by putting its path after the URL: instead of the way I wrote the command, you would write dirb, the URL, and then the path to your wordlist, for example /root/wordlist.txt if it is in /root. For now it is using the default one, common.txt, from /usr/share/dirb/wordlists.
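To make the brute-force idea concrete, here is an added Python example (written for this page, not dirb's own code) of the same loop: try every word under the start URL, report the ones that answer, and recurse into anything that behaves like a directory. It also does the sanity check dirb performs before it starts: a site that returns 200 for a random name would make every guess look found, so guessing is pointless until that is understood. FAKE_SITE, WORDLIST and fake_fetch are constructed stand-ins modelled on the Mutillidae layout from the lecture so the block runs without a network; pass fetch_status instead for a live target.

```python
import secrets
import urllib.error
import urllib.request

INTERESTING = {200, 204, 301, 302, 401, 403}   # worth reporting, like dirb's FOUND lines
DIRECTORY = {200, 301, 403}                      # how ".../name/" typically answers for a real directory


def fetch_status(url, timeout=5):
    """HTTP status for url (HEAD request), or None if the request failed entirely."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def soft_404(base, fetch=fetch_status):
    """True if a random, surely-nonexistent name still gets 200: every guess would then
    look 'found', so brute forcing is pointless until the real not-found signature is known."""
    return fetch(base + secrets.token_hex(8)) == 200


def brute_force(base, words, fetch=fetch_status, recursive=True, max_depth=2):
    """dirb-style enumeration: try every word under base and recurse into anything that
    answers like a directory. Returns {url: status} for the hits."""
    base = base if base.endswith("/") else base + "/"
    if soft_404(base, fetch):
        raise RuntimeError(f"{base} answers 200 for random names; refusing to guess")
    found = {}
    queue = [(base, 0)]          # breadth first, so depth limits are easy to enforce
    visited = set()
    while queue:
        directory, depth = queue.pop(0)
        if directory in visited:
            continue
        visited.add(directory)
        for word in words:
            word = word.strip().strip("/")
            if not word:
                continue
            url = directory + word
            status = fetch(url)
            if status in INTERESTING:
                found[url] = status
            dir_status = fetch(url + "/")   # a directory answers (or redirects) with the slash
            if dir_status in DIRECTORY:
                found[url + "/"] = dir_status
                if recursive and depth < max_depth:
                    queue.append((url + "/", depth + 1))
    return found


# Constructed responses modelled on the Mutillidae layout seen in the lecture (no network).
FAKE_SITE = {
    "http://10.20.14.204/mutillidae/index.php": 200,
    "http://10.20.14.204/mutillidae/login.php": 200,
    "http://10.20.14.204/mutillidae/robots.txt": 200,
    "http://10.20.14.204/mutillidae/config.inc": 200,
    "http://10.20.14.204/mutillidae/passwords/": 200,
    "http://10.20.14.204/mutillidae/passwords/accounts.txt": 200,
    "http://10.20.14.204/mutillidae/includes/": 403,
}
WORDLIST = ["index.php", "login.php", "robots.txt", "config.inc",
            "passwords", "accounts.txt", "includes", "admin"]


def fake_fetch(url):
    if url in FAKE_SITE:
        return FAKE_SITE[url]
    if url + "/" in FAKE_SITE:
        return 301                  # Apache redirects /dir to /dir/
    return 404


if __name__ == "__main__":
    for url, status in sorted(brute_force("http://10.20.14.204/mutillidae", WORDLIST, fetch=fake_fetch).items()):
        print(status, url)
```

Note that accounts.txt is only found because the tool recursed into passwords/; with recursive=False it is missed, which is the trade-off the -r flag makes on a large site.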
- Analysing Discovered Files
From the results we can see that dirb found a number of files, some of which we already knew about. favicon.ico is just an icon; footer and header are probably only template or style files; index is the index page we normally see, so that is all fine. login: we discovered a page that lets people log in. Now, in many scenarios I was able to find the username and password of a target through a really complex exploit and then ended up not being able to log in because I couldn't find where to log in, so tools like this can be very useful, and here we have a login page we can use. A page-not-found page, not very useful. Then the phpinfo file. This file is usually very valuable because it displays a lot of information about the PHP interpreter running on the web server.
As you can see, it contains a lot of information, much of it useful. You get to know some of the directories, you learn that it is running PHP 5, and you can see which php.ini file the configuration is loaded from and where the other .ini files live, since those are usually the PHP configuration files. Going down you see the permissions and the installed components; we can see it has MySQL, so the site uses MySQL, along with the directories where the different types of configuration are stored. You can also see all the modules and extensions that PHP is using. So this file is usually very useful.
We also managed to find the phpMyAdmin login, which is the login used to manage the database. Another very useful file is robots.txt, the file that tells search engines such as Google how to deal with the website. It usually lists the files and directories the owner does not want Google to see or index, so if we can read it we see exactly what the web admin is trying to hide. Opening it here, we can see the admin doesn't want Google to see a directory called passwords, a file called config.inc, and a few other entries. Let's look at passwords and config.inc as examples.
I'll open a new tab and type the current address with /passwords appended. There we can see a file called accounts.txt, and opening it we get some usernames and passwords: we can see admin with adminpass, we can see a user called adrian with some password, and so on. So we found usernames and passwords. We are not yet sure what these accounts are for, but we are sure we found something very useful. Another useful file is config.inc, so let's see what is in that.
Here we have information that allows us to connect to the database, because the variables are $dbhost, $dbuser, $dbpass and $dbname. We can see that the username is root and the password is blank, so we can go ahead and try to connect to the database with these credentials and should be able to get access to it. As for the passwords we found earlier, we are still not sure what they can be used for, but we can try them against the admin login, or simply store them in a list to use in any brute-force attack we do later. Once again, this video shows how important and powerful information gathering can be.
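Reading robots.txt and config.inc by eye works for one target; the added Python below (an example written for this page, not part of Mutillidae or the course) does the two extractions programmatically: the Disallow entries, which become a ready-made list of paths to visit, and the $dbhost/$dbuser/$dbpass/$dbname assignments from a PHP configuration file. SAMPLE_ROBOTS and SAMPLE_CONFIG are constructed texts modelled on what the lecture shows; the database name "webapp" and the /classes/ entry are made up.

```python
import re

# $name = 'value';  or  $name = "value";  (single- or double-quoted PHP string literal)
PHP_STRING_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)")\s*;""")


def robots_disallowed_paths(robots_txt):
    """Paths the site asks crawlers to stay out of: exactly the places worth visiting.
    Comments are stripped, blank and duplicate entries skipped, order preserved."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            value = line.split(":", 1)[1].strip()
            if value and value not in paths:
                paths.append(value)
    return paths


def php_string_assignments(php_source):
    """{name: value} for every string assignment in a PHP file."""
    found = {}
    for match in PHP_STRING_ASSIGN.finditer(php_source):
        name, single, double = match.groups()
        found[name] = single if single is not None else double
    return found


def database_credentials(php_source):
    """Pull host/user/password/database out of a config.inc-style file. Variable names
    vary between applications, so they are matched on substrings (dbhost, db_user, ...)."""
    values = php_string_assignments(php_source)

    def first(needle):
        for name, value in values.items():
            if needle in name.lower():
                return value
        return None

    return {"host": first("host"), "user": first("user"),
            "password": first("pass"), "database": first("name")}


# Constructed samples modelled on the robots.txt and config.inc seen in the lecture.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /passwords/
Disallow: /config.inc
Disallow: /classes/   # constructed entry
Disallow: /passwords/
"""
SAMPLE_CONFIG = """<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = '';
$dbname = "webapp";
?>"""


if __name__ == "__main__":
    print("paths to visit:", robots_disallowed_paths(SAMPLE_ROBOTS))
    print("database credentials:", database_credentials(SAMPLE_CONFIG))
```

The Disallow list is a natural seed for the directory brute force: those entries go straight into the wordlist for the next dirb run, since the admin has already told you they exist.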