Web Server Hacking Methodology
Web Server Pen Testing
Identify the target
= Internet, newsgroups, bulletin boards, etc.
=social networking, dumpster diving
=Whois, Traceroute, Active Whois, etc.
Web Server Pen Testing continued:
=use tools such as Netcraft and httprecon
=use tools such as HTTrack, WebCopier Pro
=use tools such as Nmap
=use automated tools such as DirBuster
=identify weaknesses in a network; tools: Acunetix, WebInspect, Nessus
=to pass malicious data to a vulnerable application that includes the data in an HTTP response header
= to force the web server's cache to flush its actual cache content and send a specially crafted request, which will be stored in cache
= to gain unauthorized access
= to capture valid session cookies and IDs; use tools such as Burp Suite, Firesheep, JHijack to automate session hijacking
=to access sensitive info by intercepting and altering communications between an end user and web servers
Perform web app pen testing:
=Use tools such as Webalizer, AWStats, ktmatu Relax to examine web server logs
=Use tools such as Metasploit, w3af to exploit frameworks
Web server pen testing steps in full: