.

i wanna to exploit webserver

<<

yonas

Newbie
Newbie

Posts: 2

Joined: Fri Oct 28, 2011 1:01 am

Post Fri Oct 28, 2011 7:59 am

i wanna to exploit webserver

i wanna to exploit my webserver using Metasploit ,i had scan its  vulnerability using nessus and know i want to exploit it ,i read some note of how to use metasploit but that not enough to do so and i need ur help...
,,,,what i got up to know is ...
open port,                          vulnerability
80                                      backup file found on web server
''                                          User credentials are sent in clear text
''                                          Web Server Uses Plain Text Authentication Forms
                                                      ........
here why i went to exploit is that my campany ask me to show them its effect practically but am frighten is if thier server falldown or be damaged at all
    thank u for ur help!
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Fri Oct 28, 2011 8:24 am

Re: i wanna to exploit webserver

Well, what you need to do is get them to request in writing the full test with safeties off.  Schedule the test so users will be aware there may be downtime. 

Also you should develop a scope of work for the test. 
  • What do they want to know?
  • Can the site be taken down?
Can information be stolen?
Is it linked to any backend databases?
Do those databases contain sensitive information?
[/list]

Also include what attacks you intend to use, whether or not they will bring the site down.  The target of the attack should be stated and the window of time it will be attacked.  Preferably off hours so customers will not be affected. 

Metasploit will be helpful, but you may have to utilize other tools to produce decent results.  If the server itself has never been hardened then it won't matter what ports are open, it is probably vulnerable to a number of attack vectors. 

If it is a Web application server then your toolset and attack surface may go beyond just port 80.  Vulnerabilities may be present in the code.
Certs: GCWN
(@)Dewser
<<

impelse

Hero Member
Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Fri Oct 28, 2011 8:35 am

Re: i wanna to exploit webserver

After all 3xban said you can create an image of the server and run it in a virtual environment and test it, so if the server crash you know why and how to fix it.

So with that lab you will avoid their worry about the server crash, when you work for a company you have some benefits like the time to do it, backups, etc, etc that you can use to test it.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Fri Oct 28, 2011 8:54 am

Re: i wanna to exploit webserver

Good point Impelse!  Completely forgot about virtualization (as I close down like 3 of my VMs right now :p)  Definitely an excellent way to go. 

Make sure your Virtual lab is separate from the production lab or you may make some systems mad :D

And definitely agree with backups/snapshots.

Also document each of your steps while testing so you know where things broke and when and how. 
Certs: GCWN
(@)Dewser
<<

yonas

Newbie
Newbie

Posts: 2

Joined: Fri Oct 28, 2011 1:01 am

Post Sat Oct 29, 2011 1:22 am

Re: i wanna to exploit webserver

tank u 3xban and Impelse for ur help,,,,,
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Oct 31, 2011 8:33 am

Re: i wanna to exploit webserver

No problem Yonas!  Good luck!!
Certs: GCWN
(@)Dewser
<<

ev0wpnz

Newbie
Newbie

Posts: 5

Joined: Tue Nov 08, 2011 10:05 am

Post Tue Nov 08, 2011 9:26 pm

Re: i wanna to exploit webserver

Yonas,
I think the information provided you was great but maybe not what you are looking for. The question that you are asking is not an easy one to answer. Exploiting web applications or the web services that are hosting them is not an easy task for a beginner. It seems to me that you are targeting a single host and not an entire network. This makes the issue even more difficult as the attack surface is minimized. Based on your post I think there may be some other areas that you should explore before you start attempting to exploit web applications/servers. It's important to understand the networking and administration side of things before you being exploiting. If not you will end up firing off some exploit and end up with a shell that you don't know how to use. I think you would benefit from learning about Linux/Windows Administration networking basics python/ruby and then move into more security related things such as penetration testing. I know this is the canned answer that you probably have gotten a hundred times. There is a reason for that though.

Your probably going to skip over everything I said. To answer your question I would recommended look into w3af for web app exploitation.
<<

MaXe

User avatar

Hero Member
Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Thu Nov 10, 2011 7:20 pm

Re: i wanna to exploit webserver

Check out the resources here:
http://www.securityaegis.com/web-applic ... resources/

It should give you an idea how to exploit web applications, even though this is in most cases not the actual webserver that's being exploited. (You should read it anyway as it's a really decent resource I came across today.  ;D )
I'm an InterN0T'er
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Nov 10, 2011 9:11 pm

Re: i wanna to exploit webserver

<grin> That's Jhaddix's site (he's a member here, too!)  ;)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software