11.3 Attack Methodology

Webserver Attack Methodology

Information gathering involves collecting information about the targeted company.
Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company.
Attackers use Whois, Traceroute, Active Whois, etc. tools and query the Whois databases to get the details such as a domain name, an IP address, or an autonomous system number.

Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance

Whois

The robots.txt file contains the list of the web server directories and files that the web site owner wants to hide from web crawlers.
Attacker can simply request Robots.txt file from the URL and retrieve the sensitive information such as root directory structure, content management system information, etc., about the target website.

Gather valuable system-level data such as account details, operating system, software versions, server names, and database schema details.
Telnet a webserver to footprint a webserver and gather information such as server name, server type, operating systems, applications running, etc.
Use tool such as ID Serve, httprecon, and Netcraft to perform footprinting.

Attackers can use advanced Nmap commands and Nmap Scripting Engine (NSE) scripts to enumerate information about the target website.
nmap -sV -O -p target IP address
nmap -sV --script=http-enum target IP address
nmap target IP address -p 80 --script=http-frontpage-login
nmap --script http-passwd --script-args http-passwd.root=/target IP address
Discover virtual domains with hostmap: $nmap --script hostmap <host>
Detect a vulnerable server that uses the TRACE method: $nmap --script http-trace -p80 localhost
Harvest email accounts with http-google-email: $nmap --script http-google-email <host>
Enumerate users with http-userdir-enum: $nmap -p80 --script http-userdir -enum localhost
Detect HTTP TRACE: $nmap -p80 --script http-trace <host>
Check if webserver is protected by a WAF/IPS: $nmap -p80 --script http-waf-detect --script-args="http-waf-detect.uri=/testphp.vulnweb.com/artists.php,http-waf-detect.detectBodyChanges" www.modsecurity.org
Enumerate common web applications: $nmap --script http-enum -p80 <host>
Obtain robots.txt: $nmap -p80 --script http-robots.txt <host>

Mirror a website to create a complete profile of the site's directory structure, files structure, external links, etc.
Search for commments and other items in the HTML source code to make footprinting activities more efficient.
Use tools HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website.

HTTrack

Implement vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited.
Use a vulnerability scanner such as HP Weblnspect, Acunetix Web Vulnerability Scanner, etc. to find hosts, services, and vulnerabilities.
Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.

弱點掃瞄是為了發掘系統是否有可辨識的弱點，通常使用如HP Weblnspect, Acunetix Web Vulnerability Scanner等自動化工具來掃描主機、服務或弱點。監聽網路流量來找尋系統、服務、應用程式和弱點。對網路伺服器基礎建設找尋任何配置錯誤設定、過時的內容和已知的弱點。

Sniff valid session IDs to gain unauthorized access to the Web Server and snoop the data.
Use session hijacking techniques such as session fixation, session sidejacking, Cross-site scripting, etc. to capture valid session cookies and IDs.
Use tools such as Burp Suite, Firesheep, JHijack, etc. to automate session hijacking.

監聽有效的session IDs取得未授權的存取權限，進而窺探資料。使用session hijacking技術像是session fixation, session sidejacking, XSS等來取得有效的session cookies和IDs。可以使用像Burp Suite, Firesheep, JHijack等工具來進行session hijacking。

Use password cracking techniques such as brute force attack, dictionary attack, password guessing to crack Webserver passwords.
Use tools such as THC-Hydra, Brutus, etc.

使用暴力破解攻擊、字典檔攻擊和密碼猜測來破解網路伺服器密碼。使用工具如：THC-Hydra和Brutus等。

Basic Auth → Webserver處理 (使用Hydra打)

Form Based:

Text

Password

submit → 送到後台(AP)處理