Ethical hacking: How to hack a web server
When practicing ethical hacking, a hacker is searching for vulnerabilities. An ethical hacker has several reasons to try gaining unauthorized control of a web server, though the primary reason is to test a server and its software for vulnerabilities.
By using the same tools and methods that malicious attackers rely on, you can attempt to gain access to a server. If successful, you can identify necessary fixes and upgrades that must be performed to improve security and to detect and respond to malicious activity.
Earn two pentesting certifications at once!
Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.
Gathering intelligence
The first phase of any hacking attempt generally involves the collection of information about the relevant target. This includes identifying the target system and gathering salient details about its IP address, operating system, hardware, network configuration and infrastructure, DNS records and so on.
This can be done in a variety of ways, but it is most often done by using automated tools that scan a server for known vulnerabilities. Information about a target system’s physical hardware can be found through various means, often by carefully examining the responses various software subsystems send when initiating (or even sometimes rejecting) inbound connections. This information can then be used to narrow down the kinds of software known to commonly run on various hardware configurations.
Hackers use tools that can test for a variety of security issues, including misconfiguration of software present on the targeted server, the presence of common or unchanged default passwords, outdated software in need of updating or patching and similar security issues.
Reconnaissance tools
- HTTrack: An open-source web crawler which allows users to download entire websites to a local, offline computer for forensic analysis
- Maltego: An open-source link analysis and data mining tool
- Nessus: A vulnerability assessment scanner that checks for conditions such as software misconfiguration or deprecation, insecure or missing passwords and denial-of-service attack vulnerabilities which might allow a malicious attacker to gain access to — or total control over — a system
- Netsparker: Scans the sites, applications and services present on a web server for vulnerabilities, regardless of its operating system
- Nikto: Scans for dangerous files and CGIs, outdated server software and software misconfiguration known to be exploitable by malicious attackers
- ScanMyServer: A free online tool which crawls through every page of a specified website or blog and attempts to identify various security issues
These tools can provide a great deal of information about the targeted server — including data like the names of employees or staff members, email addresses associated with the server, computer names, network structure information and user account information.
Armed with the right kind of knowledge about the target, you can move on to the next phase: attempting to gain access.
Hacking in
Using the gathered data, you can determine viable options for attempting to gain access to data stored on the server or control over the server itself. This can be done in many ways, but generally will involve efforts that rely on proven intrusion techniques.
The Open Web Application Security Project, or OWASP, is an organization that tracks vulnerabilities. OWASP maintains a top ten list of the most common and potentially dangerous weaknesses used by attackers to gain unauthorized access to web servers.
Known vulnerabilities are typically the easiest way to gain unauthorized control of a server and are most often relied upon by malicious attackers. These are the most effective and efficient means to gain unauthorized access. Though some hackers may use tools or methods that deviate from common attacks, many will move on and look for a “softer” target if these common attacks fail.
The OWASP top 10
The following vulnerabilities are those most commonly seen in security breaches in the past year.
- Injection: In which an attacker will inject code into a program or query to execute remote commands (as in the case of an SQL injection)
- Broken Authentication: Relies on using stolen, misconfigured or otherwise vulnerable login data to gain access to a system
- Sensitive Data Exposure: Occurs when an application doesn’t adequately protect data such as passwords, session tokens or other sensitive and valuable data
- XML External Entities (also called XXE): A kind of attack which relies on vulnerabilities in how an application parses XML data
- Broken Access Control: Relies on failures in user and role permission configuration to enable unauthorized access
- Security Misconfigurations
- Cross-Site Scripting (XSS): Similar to injection attacks, XSS allows attackers to inject client-side scripts into web applications which can be used to bypass access controls
- Insecure Deserialization: A vulnerability in which misconfigured or unknown data is used to execute code, bypass authentication, cause a Denial of Service attack or otherwise circumvent security measures
- Using server components with known vulnerabilities
- Insufficient logging and monitoring
Once unauthorized access to a targeted server is secured, efforts then generally focus on maintaining control of the server for further exploitation. At this stage, malicious attackers would typically have gained access to one or more user accounts or roles; if they have managed to access a privileged user account or the operating system “account” for various software packages, this could allow them to either gain administrator privileges or set up a new administrator account on the system.
Backdoors and covered tracks
Typically, initial security breaches are used to prepare a system for subsequent use or exploitation. Though no overt or implicit misuse may occur when a server is first hacked, many hackers will monitor accounts they have created or gained control over to determine if their intrusion has been detected. Hackers may use these accounts to attempt to erase or alter logs and other system messages. However, many hackers adopt a wait-and-see approach, opting to refrain from anything “noisy” that may draw attention to them.
In terms of vulnerability testing, once a system is compromised, the ethical hacker would then want to access and use the system as if they were a malicious attacker. Access to a hacked server should be used by the ethical hacker to monitor user accounts, to attempt to manipulate logs and other system data and to generally try to erase or otherwise cover any evidence of their intrusion.
FREE role-guided training plans
Though the goal of vulnerability testing is to make a server more secure and resistant to attack, this post-hack activity also serves an important purpose. Through the review of security logs and other ongoing intrusion detection methods, other improvements can be identified which help detect hacks that use an unusual or unknown mechanism, or in protecting data and limiting access once an attack has been successful.
In this Series
- Ethical hacking: How to hack a web server
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
- Ethical hacking: Attacking routers
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
