11.3 Attack Methodology

Webserver Attack Methodology

  • Information Gathering
  • Webserver Footprinting
  • Mirroring Website
  • Vulnerability Scanning
  • Session Hijacking
  • Hacking Webserver Passwords

Webserver Attack Methodology: Information Gathering

  • Information gathering involves collecting information about the targeted company.
  • Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company.
  • Attackers use tools such as Whois, Traceroute, Active Whois, etc., and query the Whois databases to obtain details such as a domain name, an IP address, or an autonomous system number.

Note: For complete coverage of information gathering techniques, refer to Module 02: Footprinting and Reconnaissance.


Webserver Attack Methodology: Information Gathering from Robots.txt File

  • The robots.txt file contains the list of web server directories and files that the website owner wants to hide from web crawlers.
  • An attacker can simply request the robots.txt file from the URL and retrieve sensitive information about the target website, such as the root directory structure, content management system information, etc.

Webserver Attack Methodology: Webserver Footprinting

  • Gather valuable system-level data such as account details, operating system, software versions, server names, and database schema details.
  • Telnet to a webserver to footprint it and gather information such as server name, server type, operating system, applications running, etc.
  • Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting.

Webserver Footprinting Tools

  • httprecon
  • ID Serve

Enumerating Webserver Information Using Nmap

  • Attackers can use advanced Nmap commands and Nmap Scripting Engine (NSE) scripts to enumerate information about the target website.
  • nmap -sV -O -p <ports> <target IP address>
  • nmap -sV --script=http-enum <target IP address>
  • nmap <target IP address> -p 80 --script=http-frontpage-login
  • nmap --script http-passwd --script-args http-passwd.root=/ <target IP address>
  • Discover virtual domains with hostmap: $nmap --script hostmap <host>
  • Detect a vulnerable server that uses the TRACE method: $nmap --script http-trace -p80 localhost
  • Harvest email accounts with http-google-email: $nmap --script http-google-email <host>
  • Enumerate users with http-userdir-enum: $nmap -p80 --script http-userdir-enum localhost
  • Detect HTTP TRACE: $nmap -p80 --script http-trace <host>
  • Check if webserver is protected by a WAF/IPS: $nmap -p80 --script http-waf-detect --script-args="http-waf-detect.uri=/testphp.vulnweb.com/artists.php,http-waf-detect.detectBodyChanges" www.modsecurity.org
  • Enumerate common web applications: $nmap --script http-enum -p80 <host>
  • Obtain robots.txt: $nmap -p80 --script http-robots.txt <host>

Webserver Attack Methodology: Mirroring a Website

  • Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
  • Search for comments and other items in the HTML source code to make footprinting activities more efficient.
  • Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website.


Webserver Attack Methodology: Vulnerability Scanning

  • Implement vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited.
  • Use a vulnerability scanner such as HP WebInspect, Acunetix Web Vulnerability Scanner, etc. to find hosts, services, and vulnerabilities.
  • Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
  • Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.

    Vulnerability scanning is performed to discover whether a system has identifiable weaknesses, usually with automated tools such as HP WebInspect or Acunetix Web Vulnerability Scanner that scan hosts, services, or vulnerabilities. Sniff network traffic to find systems, services, applications, and vulnerabilities. Check the web server infrastructure for any misconfigurations, outdated content, and known vulnerabilities.

Webserver Attack Methodology: Session Hijacking

  • Sniff valid session IDs to gain unauthorized access to the web server and snoop on the data.
  • Use session hijacking techniques such as session fixation, session sidejacking, Cross-site scripting, etc. to capture valid session cookies and IDs.
  • Use tools such as Burp Suite, Firesheep, JHijack, etc. to automate session hijacking.

    Sniff valid session IDs to gain unauthorized access and then snoop on the data. Use session hijacking techniques such as session fixation, session sidejacking, and XSS to obtain valid session cookies and IDs. Tools such as Burp Suite, Firesheep, and JHijack can be used to carry out session hijacking.

Webserver Attack Methodology: Hacking Web Passwords

  • Use password cracking techniques such as brute force attacks, dictionary attacks, and password guessing to crack webserver passwords.
  • Use tools such as THC-Hydra, Brutus, etc.


  • Basic Auth → handled by the webserver (attacked with Hydra)
  • Form Based:
    • Text
    • Password
    • submit → sent to the back end (application) for processing
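Both login styles leave a trace in the webserver's access log, which is where a defender would look for the cracking attempts described above. As an added example (not part of the course notes), this Python script parses constructed combined-format log lines and flags clients that produce a burst of 401 responses (Basic Auth rejected by the webserver) or a burst of POSTs to a login URI (form-based attempts checked by the application); the log format, the `/login` path, the thresholds and the IP addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip - user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    # Returns a dict with ip, ts (aware datetime), method, path, status; None if malformed.
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def detect_bursts(lines, threshold=5, window_s=60, login_paths=("/login",)):
    """Return {client_ip: {kinds}} for clients with >= threshold events inside window_s seconds.
    'basic-auth' counts 401s (the webserver itself rejects bad Basic Auth credentials);
    'form-login' counts POSTs to a login URI (the application checks them, so the log shows only attempts)."""
    events = defaultdict(list)  # (ip, kind) -> timestamps
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["status"] == 401:
            events[(e["ip"], "basic-auth")].append(e["ts"])
        if e["method"] == "POST" and e["path"].split("?")[0] in login_paths:
            events[(e["ip"], "form-login")].append(e["ts"])
    flagged = defaultdict(set)
    for (ip, kind), times in events.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip].add(kind)
                break
    return dict(flagged)

def _line(ip, hms, req, status):
    return f'{ip} - - [10/Oct/2023:{hms} +0000] "{req} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample, not real traffic: six 401s in 10 s, six login POSTs in 25 s, one normal hit.
SAMPLE = ([_line("10.0.0.5", f"13:55:{s:02d}", "GET /admin/", 401) for s in range(0, 12, 2)]
          + [_line("10.0.0.9", f"13:56:{s:02d}", "POST /login", 200) for s in range(0, 30, 5)]
          + [_line("10.0.0.7", "13:57:01", "GET /index.html", 200)])
```

Running `detect_bursts(SAMPLE)` flags 10.0.0.5 for Basic Auth failures and 10.0.0.9 for form-login attempts, while the single normal request from 10.0.0.7 is ignored.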
