Thursday, March 31, 2011

How to hack a website/web server - 3 step guide.

I get lot of mails from people who ask me two questions very frequently; First is "abhinav can you hack facebook,gmail,orkut etc" and the second is "how can i hack a website" .
The first question is very irrelevant as there are no defined techniques to hack such secure sites . You can only hack someones account only by making the victim to commit some mistake like making the victim to enter informations in a phishing page etc . 
The second question is very relevant and is a wide field of study . Hacking web sites and online servers is a hot thing to study about but it requires extensive knowledge of various terminologies related to networking . 
One thing that forms the basis of hacking is that there are no pre-defined techniques to hack anything. Every software,application,server has different techniques to hack . So we cannot say that this is a sure shot technique to hack all the websites . It totally depends upon the technology and platform on which the website is based . 
But there are some of the most basic steps that every hacker follows to hack any perticular website or server .
These steps forms the basics of web hacking. It involves the use of some popular free tools available for download on the internet . I have divided the entire process into 3 different steps .

Step 1 - Gaining information 

This is the bigging step where you have to collect various information about the website or the server host . The informations include ip address,banner grabbing to know some services running on it , location of the server , other domain addresses linked to it etc . This process is also termed as Reconnascence.

Step 2 - Enumeration and scanning for vulnerabilities  

What is Enumeration ? If acquisition and non intrusive probing have not turned up any results, then an attacker will next turn to identifying valid user accounts or poorly protected resource shares.
This step involves finding out the various services that are running on the server and to find out the open ports . Lots of tools are available to perform this step but the best among them is NMAP.

Step 3 - Gaining access to the server/remote host

This is the final step in which we exploit the running services that we found in step 2 to gain access to the server or remote host . Running exploits require a good knowledge of shell scripting . Once you have found out the various services running on the server you can search for available flaws that are there and exploit it to gain access to the server. 



Post a Comment