Idea on how to hack the index.html

[jggozum]

Hi fellas, im new here. can i have your ideas on how to hack html pages? mostly likely breaking the index.html page. the server is Windows Server 2000 and using IIS 5. thank you so much. its good to be here.

[_Marshel_]

can you elaborate more ?

[jggozum]

hi mashel. i want some ideas on how to change the index.html page of the target. thanks

[xXxKrisxXx]

You could attempt to penetrate the box running an IIS 5 exploit. Hope your not asking the members of this forum to help you aid in an unethical attack on a site.

[jggozum]

im just asking the idea on how to.. the tactics on how to do it.

[pseud0]

I think the members are a bit confused because of the lack of details. For example, what is contained within the index page?  What kind of functionality does it have?  More importantly, why are you trying to break it?  As for a general strategy, when you are doing web pen testing you need to think in layers.  If the target page has fields where you can input data then you can try to attack the actual functionality via sql/ldap/crlf/etc injection.  If you have a local proxy such as paros you can try to attack some of the actual HTML/HTTP header traffic by manipulating session, authentication, etc data or even some more advanced injection attacks.  Locally on your system you can mess with the cookies or even save a copy of the site and try client side attacks by breaking the code.  If none of the application level attacks work then move down to the actual web service.  If you know it is IIS then research attacks specifically meant for that web server.  Many of the attacks that you performed against the web page will result in error messages that might even give you version or patch level.  If those attacks don't work then try to figure out if there are supporting apps you can attack.  Does the webpage have an Oracle back-end?  Is there some type of authentication framework that they use? Go for those next.  When all else fails drop down to the OS level.  If you know it is Win2K then you have a massive amount of exploits available.  If all that fails... there is always email and trojans.

[jggozum]

thank you so much pseud0.. lots of ideas.. i already break it thru ftp.. *cheers*

[Kev]

i already break it thru ftp..

LoL, and there is that.

[pseud0]

Yeah, I guess I left out the ole' index.html.ftp.banyan.ext3  buffer smurf underflow.

[jggozum]

hi again fellas..

psued0 what do you mean?

[pseud0]

Nothing at all. Too much coffee, to little sleep, and poor control over the voices in my head.  ie. I was being stupid.

[Kev]

Ah crap! You mean the buffer smurf underflow doesn't really exist?
 

[pseud0]

Yes, it does, but Smurfette only did it a couple of times.  She was young and needed the money.