Vcoderz Community
E-Learning Center « E-Learning tutorials and competitions. »

07-30-2010   #1
RUSSIAN
Registered Member
 
Last Online: 08-06-2014
Join Date: Nov 2009
Posts: 568
Thanks: 838
Thanked 231 Times in 173 Posts
Groans: 23
Groaned at 16 Times in 13 Posts
[ Lesson 2 ] Gathering basic information

Note: JawadN, who began this idea, promised to post his 2nd lesson a few days after the 1st, but since he's busy I shall also try to contribute. I hope it helps a little.

1. INTRO
Of course, this isn't a complete tutorial. Most likely the info mentioned here is already well known to you.

So we want to begin hacking sites and servers. Very good, but first we should know what background information we have on the target server. Here we will talk about how to collect some basic info that may, or may not, help us later.
In our examples we will use vcoderz.com and forum.vcoderz.com.
Also note that for this article we have MS Windows XP SP2 and Firefox 3 on our PC. Maybe you don't like it, but that's what I have on my PC and I will not install something else just to write this article. But I hope it works on other OSs too.

2. Where is our target?
OK, we now want to know where vcoderz.com is located geographically, and whether it is on a dedicated or a shared hosting server.
The geographical location can interest us if we want a shell in a specific country. Also be advised that hacking sites in the country where you are, or are going to be, isn't a very good idea. If you just deface some dumb website, nothing will happen, but if you do something serious it can have bad results for you. This article isn't about internet anonymity or about what counts as "serious"; that is only your responsibility. Anyway, the actions described here mostly aren't directly related to hacking and are not against any law (I hope).

Now press Win+R and type CMD. A command prompt should open. Now type:
Quote:
ping vcoderz.com
You'll see how fast VC responds to our request, and we'll also see its IP: 67.23.129.44. For me it doesn't respond, maybe due to a timeout or firewall rules; anyway we got what we wanted. (A ping that times out doesn't mean the host is down: ICMP is often filtered, and the address that ping resolved in its first line is all we needed here.) Now go to http://whois.domaintools.com/ and enter the IP we just got. From there we'll see that:
  • VC is in Canada.
  • It is hosted by http://netfirms.com/ hosting company.
  • VC is on a shared hosting server with 1270 other sites; whois shows some of them:
    1. 247organized.com
    2. 3x5entrepreneur.com
    3. 3x5guides.com
    If you want more, you have to pay them.
Whois can also show us the hostname of the IP (its reverse DNS record). If we ping forum.vcoderz.com (it is on another server), we'll see its IP 69.73.170.226. It has the hostname static-226-170-73-69.nocdirect.com. That is most likely the provider's name or something similar (the hosting company is actually http://www.jaguarpc.com/; you can see it from the "OrgTechEmail:" section, which usually contains the IP owner's e-mail and in 90% of cases points to the hosting company).

Now we want to know who owns our target domain. It is useful: if we are not able to hack his site, we can threaten him by e-mail or phone call, or we can kidnap him and make him tell us the admin password.
We will again use the whois service and type vcoderz.com there. Damn! Our admin hid his data using the Domain Privacy Group, Inc. service. If you buy a domain, I suggest you do the same. But sometimes we can see the registrar's name/org and the name servers, which can help us determine who hosts our target and whether it is a dedicated server. Try whois gov.ru; you'll see:
nserver: ns1.gov.ru. 194.226.80.79
nserver: ns2.gov.ru. 194.226.127.210
IPs usually aren't written, just the nameservers. Here the nameservers sit inside the target's own domain, so we see that the Russian government's site is on a dedicated server rather than behind a hoster's shared nameservers. It also indirectly suggests that the admin isn't a 100% noob if he can set up his own nameservers.

3. What OS?
Now we face a more complicated problem: we should know what OS our target server runs.
First of all, let's try to make the web server show us a 404 error:
http://vcoderz.com/thispageneverwashere
No, we didn't get what we wanted. We only saw that it is an Apache server, but it could be Apache on Windows.
In fact, we often aren't able to determine the OS. Even if we know it is *NIX, we won't know which kind of *NIX. But here are my tips:
Try telnet to port 22 (the SSH port). If it works, then in 90% of cases we're dealing with a *nix server:
Quote:
telnet vcoderz.com 22
SSH-2.0-OpenSSH_5.3
Quote:
telnet forum.vcoderz.com 22
SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.6
In the last example we can also see the OpenSSH version, and the "Debian-5ubuntu0.6" suffix is the Debian/Ubuntu package revision, which tells us the server runs Ubuntu.
What SSH returns to us is called the SSH banner.

But note that the 404 error can tell us more. Apache's default error page ends with a signature line of the form "Apache/<version> (<distribution>) Server at <host> Port 80" unless the admin turned ServerSignature off, and that parenthesis often names the distribution:
http://forum.vcoderz.com/hayapacheyouarefooled

Be advised that if you see IIS then you are dealing with a Windows server.
Also, if port 3389 is open it is 98% Windows. Press Win+R, type MSTSC and enter the server's IP; the login screen will show you which Windows version is used.
Port 4899 (RAdmin) also suggests Windows, but it isn't on big servers; I never saw it there.

OK, let's say we now know what we wanted. It can be very, very difficult to get this info: all 404/403/500 error pages can be changed, SSH isn't used everywhere and may be allowed only from one IP, and not all Windows servers expose RDP. But in 80% of situations we can say whether it is *nix or Windows.
There are more advanced ways to determine the OS (TCP/IP stack fingerprinting, as nmap -O does). But there are also more advanced admins who will ban you for them.
Anyway, remember: you won't get uname -a without a shell. If you're interested in what OS and services are on some server, hack it and you'll know.

4. FTP server
If our target runs an FTP server (port 21), we can learn its version from the greeting:
Quote:
ftp vcoderz.com
220 (vsFTPd 2.0.7)
Quote:
ftp forum.vcoderz.com
220 ProFTPD 1.3.1 Server (ProFTPD) [69.73.170.226]
220 is just the FTP reply code meaning the server is ready for a new user (it will then ask you for a username and password).

5. Web server
We already talked about this. The most common way to identify the HTTP server is to request a non-existent page and see what happens. If you see the words Apache, Nginx or IIS then that's your server. Here is how the error pages look:

(Screenshots of the default error pages: Apache, Nginx, IIS, lighttpd, LiteSpeed.)

But the admin can make his own 404, 403, 500 and other pages. What then?
First, try to open the server's IP in your browser:
http://67.23.129.44/
We see Apache. But most hosters put their dumb pages there. Admins often leave the default "It works!" page, which tells us it is Apache (I don't know about other servers, but I saw it only with Apache). Sometimes it is a test page, but it also says that it is an Apache server.
If we still can't get what we want, we can edit the request to provoke an error (a 405 or 501). We'll use Odysseus (a local intercepting proxy). Get it. Don't forget to tick both "Intercept Request" and "Intercept Reply" in its Configuration window and enable the interceptor. Hopefully you'll manage this yourself because it is simple.
Now let's make our browser use the proxy localhost:50000 and point it at the target site. You'll see a big window. Open the "Raw" tab and in the first line replace "GET" with "DELETE". You just changed the method from GET to DELETE. No admin will allow that, so you'll get a 405 (Method Not Allowed) error; not all admins bother creating a custom page for it, so you may see the server name on that page. But let's look at the headers.
When you send the request, you'll see a window with the server's reply. If it is Apache, it will return "Server: Apache". With Nginx you'll see that word. IIS will also tell its version:
Quote:
DELETE / HTTP/1.1
Host: www.moim.gov.lb
User-Agent: whatever
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
If-Modified-Since: Tue, 20 Jul 2010 05:25:16 GMT
If-None-Match: "3af1af0cb27cb1:bc95"
Cache-Control: max-age=0
Quote:
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Also, sometimes the PHP version appears in an "X-Powered-By:" header (it is PHP itself that adds it when expose_php is on, so you'll see it behind Nginx too). But big sites use their own servers (Google uses GFE/2.0) or recompile Apache or Nginx to report something like "unknown web server".
Play with requests and you'll be able to see more errors and data.

6. What the site is powered by?
OK, the title says it all; now we'll try to find out.
First of all, the most common web scripting languages are:
  1. PHP (v5 for now)
  2. Perl (also 5)
  3. ASP.NET (mostly on Windows servers, IIS)
  4. Python and frameworks based on it
  5. ColdFusion (8 is the most popular now, 9 also I think, but I have never dealt with it)
I also saw people who use even LISP through CGI, but I never tried it and don't suggest doing so; that site was very lame and is now closed. The site can also be written in pure HTML+JS, and then you won't be able to do anything with the site itself (but you can still hack the server or the admin's e-mail and then learn his FTP/CP password).

So: if the site is written in PHP, its pages have names like index.php. If in Perl, they will be like script.pl or script.cgi and located under a cgi-bin folder that appears in the address bar. But the admin can rewrite URLs, and then we face some problems.

VC is written in PHP.

The site can also be self-written or powered by some engine like DLE or Joomla. If it is a forum, it is most likely vBulletin, IPB, phpBB, PunBB or MyBB. It may be written in the footer like this:
Quote:
Powered by vBulletin® Version 3.8.3
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.
The same goes for CMSs.
But sometimes we aren't able to tell which engine it is, if all copyrights are removed, URLs rewritten, etc. Just try. After some time you'll get used to them and be able to identify most of them. I don't know how to teach you this; I think I can't, only you can really improve yourself.

7. Path disclosure
Path disclosure is a kind of vulnerability, but a "soft" one. By itself it can't result in a hack; it only shows the attacker the path where the site is located on the server's disk. An example: http://vcoderz.com/list.php?t=1&s=-1. If you have this information and nothing else, it is useless. But later it will help you: for example, if you find an LFI on the site, it is useful to know the paths. If you want to improve yourself, find 3 or more scripts that show you paths.

So how do we find it? As we did before and as we do most of the time: we should make some script run incorrectly. Try leaving out the parameters it uses, or put something there that the admin didn't plan for (if you see a number, type -1, or ' or " instead; if you ever tried to find SQL injection or XSS, the process is mostly similar).
The admin could just set error_reporting to none (or turn display_errors off) and it will never appear, and we're out of luck again.

Also try to get site.com/robots.txt; it may contain paths to the admin CP or other directories. Try some well-known paths like /admin, /administrator and so on even if you didn't find robots.txt. Also try to find phpMyAdmin and cPanel.


So that's all I wanted to say for now. I hope it helps some beginners. Please excuse my bad English and style. Any corrections/additions are welcome.


__________________
What about a 500+ symbols long, colored signature with URL allowed and size limited to 7?
RUSSIAN is offline   Reply With Quote
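Added example, not part of RUSSIAN's post: a small Python script that parses the three kinds of banner collected by hand in sections 3, 4 and 5 (the SSH identification string, the FTP 220 greeting, and the HTTP headers returned to the DELETE request) into a fingerprint record, and that can also fetch them live. The SSH and FTP sample strings are the ones quoted in the post; the two HTTP responses are constructed, and the Apache/Debian one is hypothetical.

```python
"""Parse the service banners the post collects by hand (SSH, FTP, HTTP) into a
small fingerprint record, and optionally grab them live.  Added example; this is
not code from the original post.  SSH/FTP samples are quoted from the post; the
HTTP responses are constructed (the Apache/Debian one is hypothetical)."""
import re
import socket
from dataclasses import dataclass, field


@dataclass
class Fingerprint:
    service: str
    product: str = ""
    version: str = ""
    os_hint: str = ""
    extra: dict = field(default_factory=dict)


# RFC 4253 identification string: "SSH-protoversion-softwareversion [SP comments]"
SSH_RE = re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# FTP greeting products commonly seen; a version may follow the product name.
FTP_RE = re.compile(r"(vsFTPd|ProFTPD|Pure-FTPd|Microsoft FTP Service)\s*v?([\d.]+)?", re.I)
# Server header: "product[/version][ (comment)] ...", e.g. "Apache/2.2.9 (Debian) PHP/5.2.6"
SERVER_RE = re.compile(r"^(?P<product>[^/\s]+)(?:/(?P<version>\S+))?(?:\s*\((?P<comment>[^)]*)\))?")
# Words in a banner comment that pin the OS (checked in this order).
DISTROS = {"ubuntu": "Ubuntu", "debian": "Debian", "centos": "CentOS", "red hat": "Red Hat",
           "fedora": "Fedora", "freebsd": "FreeBSD", "win32": "Windows", "win64": "Windows"}


def parse_ssh_banner(line: str) -> Fingerprint:
    m = SSH_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    product, _, version = m.group("software").partition("_")   # "OpenSSH_4.6p1"
    comments = m.group("comments") or ""
    # An SSH banner alone only suggests a Unix-like host; a package suffix such as
    # "Debian-5ubuntu0.6" in the comment is what pins the distribution.
    os_hint = next((name for word, name in DISTROS.items() if word in comments.lower()),
                   "Unix-like (likely)")
    return Fingerprint("ssh", product, version, os_hint,
                       {"proto": m.group("proto"), "comments": comments})


def parse_ftp_greeting(line: str) -> Fingerprint:
    line = line.strip()
    if not line.startswith("220"):
        raise ValueError(f"not an FTP ready greeting: {line!r}")
    m = FTP_RE.search(line)
    product = m.group(1) if m else ""
    version = (m.group(2) or "") if m else ""
    os_hint = "Windows" if product.lower().startswith("microsoft") else ""
    return Fingerprint("ftp", product, version, os_hint, {"greeting": line[3:].strip()})


def parse_http_response(raw: bytes) -> Fingerprint:
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for header in lines:
        name, _, value = header.partition(":")
        headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    m = SERVER_RE.match(server) if server else None
    product = m.group("product") if m else ""
    version = (m.group("version") or "") if m else ""
    comment = (m.group("comment") or "") if m else ""
    os_hint = ""
    if product.lower().startswith("microsoft-iis"):
        os_hint = "Windows"
    elif comment:   # Apache puts the OS in the first parenthesis at default ServerTokens
        os_hint = next((name for word, name in DISTROS.items() if word in comment.lower()), "")
    return Fingerprint("http", product, version, os_hint,
                       {"status": status, "server": server,
                        "x-powered-by": headers.get("x-powered-by", "")})


def http_delete_probe(host: str) -> bytes:
    """The request the post builds in Odysseus: an unexpected method that makes most
    servers answer 405 and name themselves in the Server header."""
    return (f"DELETE / HTTP/1.1\r\nHost: {host}\r\nUser-Agent: whatever\r\n"
            f"Connection: close\r\n\r\n").encode()


def grab_banner(host: str, port: int, probe: bytes = b"", timeout: float = 5.0) -> bytes:
    """Connect, send an optional probe and return the first reply bytes.  Network
    helper for live use; the offline samples below do not call it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if probe:
            sock.sendall(probe)
        return sock.recv(4096)


# SSH/FTP lines as quoted in the post; HTTP responses constructed for this example.
SAMPLES = {
    "ssh_vc": "SSH-2.0-OpenSSH_5.3",
    "ssh_forum": "SSH-2.0-OpenSSH_4.6p1 Debian-5ubuntu0.6",
    "ftp_vc": "220 (vsFTPd 2.0.7)",
    "ftp_forum": "220 ProFTPD 1.3.1 Server (ProFTPD) [69.73.170.226]",
    "http_iis": b"HTTP/1.1 405 Method Not Allowed\r\nServer: Microsoft-IIS/6.0\r\n"
                b"X-Powered-By: ASP.NET\r\nContent-Length: 0\r\n\r\n",
    "http_apache": b"HTTP/1.1 405 Method Not Allowed\r\nServer: Apache/2.2.9 (Debian) PHP/5.2.6\r\n"
                   b"X-Powered-By: PHP/5.2.6\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\n\r\n",
}


def fingerprint_samples() -> dict:
    out = {}
    for name, data in SAMPLES.items():
        if name.startswith("ssh"):
            out[name] = parse_ssh_banner(data)
        elif name.startswith("ftp"):
            out[name] = parse_ftp_greeting(data)
        else:
            out[name] = parse_http_response(data)
    return out


if __name__ == "__main__":
    for name, fp in fingerprint_samples().items():
        print(f"{name:12} {fp.service:5} {fp.product} {fp.version} os={fp.os_hint or '?'} {fp.extra}")
```

For a live check, grab_banner(host, 22) and grab_banner(host, 21) return the greeting without sending anything, and grab_banner(host, 80, http_delete_probe(host)) reproduces the Odysseus step from section 5 without a proxy. The OS hint is deliberately weak: an SSH banner by itself only says "probably Unix-like", and only the distribution word in the comment (or a Microsoft product name) upgrades it, which matches the caveats the post gives about custom error pages and filtered ports.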
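Added example, also not from the post: the checks of sections 6 and 7 applied to page content in Python, namely the engine and version from a "Powered by" footer or a meta generator tag, the scripting language implied by the URL, a full path leaked in a PHP warning, the document root inferred from that path, and the directories listed in robots.txt. The page, warning and robots.txt used as input are constructed; the vBulletin footer is the one quoted in the post, but the disclosed path /home/vcoderz/public_html is hypothetical.

```python
"""Fingerprint a web application from page content, as sections 6 and 7 of the
post do by eye.  Added example, not code from the original post.  The sample
page, PHP warning and robots.txt are constructed; the vBulletin footer text is
the one quoted in the post, the disclosed path is hypothetical."""
import html
import posixpath
import re
from urllib.parse import urlparse

# "Powered by vBulletin(R) Version 3.8.3", "Powered by phpBB 3.0.7", ...
ENGINE_RE = re.compile(
    r"Powered by\s+(?P<engine>vBulletin|phpBB|MyBB|IPB|PunBB|Joomla!?|WordPress|DataLife Engine)"
    r"\W*(?:Version\s+)?(?P<version>\d+(?:\.\d+)+)?", re.I)
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\'](?P<gen>[^"\']+)["\']', re.I)
# PHP's default error line, with or without the html_errors <b> markup:
#   Warning: <msg> in /path/to/script.php on line 12
PHP_ERROR_RE = re.compile(
    r"\b(?P<level>Warning|Notice|Fatal error|Parse error)(?:</b>)?:\s*(?P<msg>.*?)"
    r"\s+in\s+(?:<b>)?(?P<path>/[^\s<]+)(?:</b>)?\s+on line\s+(?:<b>)?(?P<line>\d+)")
LANGUAGE_BY_EXT = {".php": "PHP", ".php3": "PHP", ".pl": "Perl", ".cgi": "CGI (often Perl)",
                   ".asp": "Classic ASP", ".aspx": "ASP.NET", ".cfm": "ColdFusion",
                   ".jsp": "Java/JSP", ".py": "Python"}


def language_hint(url: str) -> str:
    """Guess the server-side language from the URL path; rewritten URLs defeat this."""
    path = urlparse(url).path
    ext = posixpath.splitext(path)[1].lower()
    if ext in LANGUAGE_BY_EXT:
        return LANGUAGE_BY_EXT[ext]
    if "/cgi-bin/" in path:
        return "CGI (often Perl)"
    return "unknown (static or rewritten URLs)"


def detect_engine(page: str):
    """Engine and version from a 'Powered by' footer, else from a meta generator tag."""
    text = html.unescape(page)            # &reg; -> the registered sign, etc.
    m = ENGINE_RE.search(text)
    if m:
        return {"engine": m.group("engine"), "version": m.group("version") or "", "source": "footer"}
    m = GENERATOR_RE.search(text)
    if m:
        return {"engine": m.group("gen"), "version": "", "source": "meta generator"}
    return None


def find_path_disclosure(page: str):
    """First PHP error line that leaks a filesystem path, or None (e.g. display_errors off)."""
    m = PHP_ERROR_RE.search(page)
    if not m:
        return None
    return {"level": m.group("level"), "path": m.group("path"), "line": int(m.group("line"))}


def infer_docroot(fs_path: str, url_path: str) -> str:
    """If the script's filesystem path ends with its URL path, what precedes it is the
    document root (the value an LFI payload later needs); otherwise fall back to the
    script's directory."""
    if url_path and fs_path.endswith(url_path):
        return fs_path[: -len(url_path)] or "/"
    return posixpath.dirname(fs_path)


def robots_paths(robots_txt: str) -> list:
    """Paths an admin asked crawlers to avoid: candidates for the CP and other dirs."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        if key.strip().lower() in ("disallow", "allow") and value.strip():
            paths.append(value.strip())
    return paths


# Constructed sample input (hypothetical path and warning; footer as quoted in the post).
SAMPLE_URL = "http://vcoderz.com/list.php?t=1&s=-1"
SAMPLE_PAGE = """<html><body>
<br />
<b>Warning</b>:  mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/home/vcoderz/public_html/list.php</b> on line <b>12</b><br />
<div id="footer">Powered by vBulletin&reg; Version 3.8.3<br />
Copyright &copy;2000 - 2010, Jelsoft Enterprises Ltd.</div>
</body></html>"""
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admincp/\nDisallow: /modcp/\nDisallow: /install/  # leftover\n"


def profile(url: str = SAMPLE_URL, page: str = SAMPLE_PAGE, robots: str = SAMPLE_ROBOTS) -> dict:
    """Combine the checks into one report for a page and its site's robots.txt."""
    disclosure = find_path_disclosure(page)
    report = {"language": language_hint(url), "engine": detect_engine(page),
              "disclosure": disclosure, "robots": robots_paths(robots), "docroot": None}
    if disclosure:
        report["docroot"] = infer_docroot(disclosure["path"], urlparse(url).path)
    return report


if __name__ == "__main__":
    for key, value in profile().items():
        print(f"{key}: {value}")
```

The docroot step is the part that makes section 7's "it will help you later" concrete: once the leaked path /home/vcoderz/public_html/list.php is lined up with the URL path /list.php, the remainder is the directory an LFI payload has to reach. If error_reporting is silenced, find_path_disclosure returns None and the report simply lacks a docroot, which is the dead end the post describes.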

Tags
basic, gathering, information, lesson



Powered by vBulletin® Version 3.8.3
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.