Ethical Hacking: How to Access a Web Server

During ethical hacking, a researcher searches for vulnerabilities. An ethical hacker may have several reasons for gaining unauthorized access to a web server, but the main goal is to test server applications for security gaps. Typically, the same tools and methods used by malicious actors are employed, and if successful, you can make the necessary fixes and updates to improve security, detect malicious activity, and develop a comprehensive response plan.

Information Gathering

The first step usually involves collecting information about the intended target, including identifying the target machine, gathering important details about its IP address, operating system, hardware, network configuration and infrastructure, DNS records, and more.

This task can be accomplished in various ways, but mainly with automated tools that scan the server for known vulnerabilities. Information about the physical hardware of the target system can be obtained in different ways, often by carefully analyzing responses from various software subsystems sent during the initiation or even rejection of incoming connections. The collected data is then used to narrow down the range of possible applications typically run on different hardware configurations.

Hackers use tools to test the system for various security gaps, including misconfigured applications on the server, unchanged default passwords, outdated software that needs updating, and other similar issues.

Research Tools

  • HTTrack: An open-source web spider that allows you to download entire websites to your local system for later forensic analysis.
  • Maltego: An open-source link and data analyzer.
  • Nessus: A vulnerability scanner that checks for various issues, including configuration errors, outdated software, insecure or missing passwords, and DoS vulnerabilities that could help gain access or full control over the system.
  • Netsparker: Scans websites, applications, and server services for vulnerabilities regardless of the operating system.
  • Nikto: Scans for dangerous files and CGI scripts, outdated software, and application configuration errors exploited by attackers.
  • ScanMyServer: A free online tool that crawls all pages of a specific site or blog to find various security issues.

The above tools help gather a large amount of information about the target system, including employee names, email addresses associated with the server, computer names, network structure details, and user account information.

After obtaining detailed preliminary information, you can move on to the next stage: planning methods to gain access to the target system.

Gaining Access

Based on the collected information, you can develop possible scenarios for accessing data stored on the server or gaining full control over the system. This task can be accomplished in various ways, but generally, proven penetration techniques are used.

OWASP (Open Web Application Security Project) is an organization that tracks vulnerabilities and maintains a list of the ten most common and potentially dangerous security gaps used by attackers to gain unauthorized access to web servers.

Usually, the simplest way to gain access and control over a server is to exploit known vulnerabilities, which is what attackers most often do. While some hackers use less common attack scenarios, in most cases, if standard methods fail, attackers will look for an easier target.

Top 10 Most Common Issues According to OWASP

The following vulnerabilities were most frequently encountered during breaches in 2019:

  1. Injection: Injecting code into a program or request to execute remote commands (such as SQL injection).
  2. Broken Authentication: Gaining access to the system using stolen, misconfigured, or otherwise obtained accounts.
  3. Sensitive Data Exposure: Occurs when applications do not securely protect passwords, session tokens, and other confidential or valuable information.
  4. XML External Entities (XXE): Exploiting vulnerabilities related to XML data parsing in applications.
  5. Broken Access Control: Results from improperly configured user or role permissions.
  6. Security Misconfiguration: Errors in security-related configurations.
  7. Cross-Site Scripting (XSS): Similar to injection attacks. Allows an attacker to inject client-side scripts into web applications to bypass access controls.
  8. Insecure Deserialization: A vulnerability where untrusted or unvalidated serialized data is deserialized by the application and used to execute code, bypass authentication, launch DoS attacks, and otherwise circumvent security measures.
  9. Using Components with Known Vulnerabilities: Running server components that have known security flaws.
  10. Insufficient Logging and Monitoring: Poor or missing event logging and monitoring.

After gaining access and establishing a foothold in the system, an attacker focuses on maintaining control over the server for further exploitation. At this stage, the attacker typically gathers information about other accounts or roles. If privileged or application package accounts are compromised, the next step is to either obtain administrative privileges or create a new administrator account in the system.

Backdoors and Covering Tracks

Usually, after the initial breach, the system is prepared for further use or exploitation. While attackers may not do anything attention-grabbing during the initial intrusion, many continue to monitor the accounts used to gain access to see if the breach is detected. These accounts can also be used to delete or modify logs and other system messages. However, many hackers prefer to wait and avoid any actions that might attract attention.

From a vulnerability testing perspective, once the system is compromised, an ethical hacker will want to access and use the system as a real attacker would. The compromised server is used to monitor user accounts, manipulate logs and other system data, and delete or hide traces of the intrusion.

Although the goal of penetration testing is to make the server more secure and resilient to various types of attacks, the above activities play a crucial role. This includes reviewing security logs and using other methods to detect intrusions, protecting data, and restricting access if an attack is successful. Alternative measures may also be implemented to detect breaches that use non-standard scenarios.
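As an added example of the log review mentioned above (not code from the original article), the following script parses access-log lines in the common combined format and flags requests that look like scanner traffic or injection attempts. The sample log lines, the scanner User-Agent list and the injection patterns are constructed here for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in combined log format; not taken from the original page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6)"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /login?user=admin'%20OR%20'1'%3D'1 HTTP/1.1" 500 0 "-" "curl/8.1"
203.0.113.7 - - [10/Oct/2023:13:56:05 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.6)"
not a log line at all
"""

# One combined-format access log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent substrings of common scanners (hypothetical starter list; extend as needed).
SCANNER_UA = re.compile(r"nikto|nessus|netsparker|sqlmap", re.I)
# Crude SQL-injection indicators, checked against the URL-decoded request path.
INJECTION = re.compile(r"'\s*(or|and)\s|union\s+select|;\s*drop\s", re.I)


def parse_line(line):
    """Return the fields of one log line, or None if it is not well-formed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Flag scanner traffic and injection attempts; return findings and per-IP counts."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines instead of aborting the review
        decoded = unquote(entry["path"])
        if SCANNER_UA.search(entry["ua"]):
            findings.append((entry["ip"], "scanner-ua", decoded))
        if INJECTION.search(decoded):
            findings.append((entry["ip"], "sqli-pattern", decoded))
    per_ip = Counter(ip for ip, _, _ in findings)
    return {"findings": findings, "per_ip": per_ip}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, reason, path in result["findings"]:
        print(f"{ip:15} {reason:13} {path}")
    print("suspicious requests per IP:", dict(result["per_ip"]))
```

Pattern matching like this is a starting point for triage, not a substitute for a WAF or a proper SIEM rule set; a real deployment would tune the patterns against the application's own traffic.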