
Website Defacement



By ghostghost | 12148 Reads |

,..;{[WEBSITE DEFACEMENT]};.,

THIS ARTICLE IS PROVIDED AS-IS WITH NO GUARANTEE OF AUTHENTICITY OR WARRANTY. THE WRITER IS NOT RESPONSIBLE IN ANY WAY, SHAPE, OR FORM FOR THE READER'S RESPONSE/ACTIONS AS A RESULT OF/DUE TO THIS ARTICLE.

Cyber Graffiti (Website Defacement) is the most common type of hacking that occurs today. Most of the time it's just petty teenagers looking to get a thrill and brag about how "1337" they are. It's basically just what the name says: defacing the content of a website, turning it into something else that you created. 90% of the time, the defacer tells the real website why they did it, sometimes even giving them a way to get their old page back.

  1. robots.txt

When a website wants to hide certain parts of itself from search engines, it lists them in a file called "robots.txt", which shows all the disallowed pages so the search engine won't put them in results. This can be accessed easily by tagging it onto the end of a main URL.

www.google.com/robots.txt

This is a great way to find administrative directories, or just general hidden things that will help you out on your way.

  2. Simple freehosting.

Defacing a website that uses free hosting services is obviously easier than some of the bigger sites. The first choice is obvious: go to their host's website and guess their account password. Work on a person who knows the password. There are a number of guessing techniques. You could also look for administrative directories, or try robots.txt.

  3. IP range/breaking into an intranet.

Jonny sits at his computer, up late searching for the admin directory. He finds it, finally! He types it into his browser, and to his surprise…

ACCESS DENIED. YOUR IP IS NOT IN THE IP RANGE. THIS HAS BEEN REPORTED.

What happened? Why did it do this? And are the cops coming to get me now?

The cops aren't coming. Anytime anyone tells you anything has been reported, it's a lie. They COULD report it to your ISP, but even if that happens, nothing is likely to happen with this little involvement.

This is basically saying that the website is using an "Intranet", a sort of LAN that provides a specific IP address through a proxy for each computer on its network. Our goal is to trick this network into thinking we are one of those computers on the intranet by spoofing our IP into the range of specified IP addresses for the intranet. We would do this by 1. connecting to the proxy itself or 2. connecting to a proxy that started with the first number of their proxy.

Well, that's all well and good, but how do we find the range?

This can be tricky. If you have ever received an email from the website (if they have their own SMTP server) you can try looking in the full header. This is an email I received from Enigma group.

    X-Gmail-Received: c6166d03d425ae868cd0e3df7343efc52fc2a476
    Delivered-To: c3re4l@gmail.com
    Received: by 10.36.119.1 with SMTP id r1cs51649nzc; Wed, 6 Jul 2005 11:52:51 -0700 (PDT)
    Received: by 10.54.26.4 with SMTP id 4mr46329wrz; Wed, 06 Jul 2005 11:52:51 -0700 (PDT)
    Return-Path: nobody@server47.dedicatedusa.com
    Received: from server47.dedicatedusa.com (server47.dedicatedusa.com [66.197.162.85]) by mx.gmail.com with ESMTP id 8si107104wrl.2005.07.06.11.52.51; Wed, 06 Jul 2005 11:52:51 -0700 (PDT)
    Received-SPF: pass (gmail.com: best guess record for domain of nobody@server47.dedicatedusa.com designates 66.197.162.85 as permitted sender)
    Received: from nobody by server47.dedicatedusa.com with local (Exim 4.50) id 1DqF12-0002po-68 for c3re4l@gmail.com; Wed, 06 Jul 2005 14:53:00 -0400
    To: c3re4l@gmail.com
    Subject: Forum Subscription New Topic Notification ( From Enigma Group Forums )
    From: "Enigma Group Forums" psychomarine@gmail.com
    X-Priority: 3
    X-Mailer: IPB PHP Mailer
    Message-Id: E1DqF12-0002po-68@server47.dedicatedusa.com
    Date: Wed, 06 Jul 2005 14:53:00 -0400
    X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
    X-AntiAbuse: Primary Hostname - server47.dedicatedusa.com
    X-AntiAbuse: Original Domain - gmail.com
    X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
    X-AntiAbuse: Sender Address Domain - server47.dedicatedusa.com
    X-Source:
    X-Source-Args:
    X-Source-Dir:

This would not be the true range, because Enigma is not an intranet, but the true range would be in the Received line:

    Received: by 10.36.119.1 with SMTP id r1cs51649nzc; Wed, 6 Jul 2005 11:52:51 -0700 (PDT)
    Received: by 10.54.26.4 with SMTP id 4mr46329wrz; Wed, 06 Jul 2005 11:52:51 -0700 (PDT)

The range would be 10, or the IP would be 10.36.119.1.
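Mail administrators can run the same header reading over their own outbound mail to see which addresses the trace headers expose. This is an added example, not part of the original article: it takes the Received lines from the sample above (abridged and re-folded) and lists every private-range address they contain. The function names are hypothetical.

```python
import ipaddress
import re
from email import message_from_string

# Trace headers abridged from the sample e-mail quoted in the article.
SAMPLE = """\
Received: by 10.36.119.1 with SMTP id r1cs51649nzc;
 Wed, 6 Jul 2005 11:52:51 -0700 (PDT)
Received: by 10.54.26.4 with SMTP id 4mr46329wrz;
 Wed, 06 Jul 2005 11:52:51 -0700 (PDT)
Received: from server47.dedicatedusa.com (server47.dedicatedusa.com [66.197.162.85])
 by mx.gmail.com with ESMTP id 8si107104wrl.2005.07.06.11.52.51;
 Wed, 06 Jul 2005 11:52:51 -0700 (PDT)
Subject: Forum Subscription New Topic Notification

body
"""

# Dotted quad that is not part of a longer token (skips the date-like ESMTP id).
IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")

def received_addresses(raw_message):
    """Return (hop_index, address) for each IPv4 address in the Received headers."""
    msg = message_from_string(raw_message)
    found = []
    for hop, header in enumerate(msg.get_all("Received", [])):
        for candidate in IPV4.findall(header):
            try:
                found.append((hop, ipaddress.ip_address(candidate)))
            except ValueError:          # e.g. 999.1.1.1 is not an address
                continue
    return found

def disclosed_private(raw_message):
    """Private-range (RFC 1918 and similar) addresses visible to the recipient."""
    return [(hop, str(ip)) for hop, ip in received_addresses(raw_message)
            if ip.is_private]

if __name__ == "__main__":
    for hop, ip in disclosed_private(SAMPLE):
        print(f"hop {hop}: internal address {ip} is visible in the header")
```

Each Received line is stamped by the server that accepted the message at that hop, so run this on a copy delivered to an outside mailbox and note which of the hops belong to your own relays.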

Therefore you would set up your proxy connection (bounce link) as 10.36.119.1 (if you don't know how to do this, consult your browser's instructions or google it), and then you would retry the admin directory…

ACCESS DENIED. YOUR IP IS NOT IN THE IP RANGE. THIS HAS BEEN REPORTED.

What??? Why didn't it work? Sometimes the intranet will work on a different port than 80 (the default). Do a quick port scan; try using nmap. Your results may look like:

    Port      State  Service
    22/tcp    open   ssh
    25/tcp    open   smtp
    80/tcp    open   http
    110/tcp   open   pop-3
    8001/tcp  open   http-proxy

We know 80 didn't work, so our point of attack would be port 8001. So we try the admin directory with our proxy set to 10.36.119.1 on port 8001…

Welcome admin. Enter here.

And from the admin options you could deface the site!
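For the webmaster, the walkthrough above shows why an IP-range restriction has to be decided from the address of the real client, including for requests that arrive through the site's own proxy. The following is an added example, not code from the article or from any product: the admin network, the proxy address and the use of the X-Forwarded-For header are all assumptions made for illustration.

```python
import ipaddress

# Assumed policy values for illustration; none of these come from the article.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]   # hypothetical front proxy

def _in(addr, nets):
    return any(addr in net for net in nets)

def effective_client(peer_ip, forwarded_for=None):
    """Resolve the address to authorize, or None if it cannot be established.

    The TCP peer address is authoritative. X-Forwarded-For is read only when
    the peer is one of our own proxies, and is walked right to left until the
    first hop that is not a trusted proxy, so entries a client typed in itself
    (the left-most ones) never decide the outcome."""
    peer = ipaddress.ip_address(peer_ip)
    if not _in(peer, TRUSTED_PROXIES):
        return peer                         # direct connection: header ignored
    if not forwarded_for:
        return None                         # proxy gave no client: fail closed
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                     # malformed chain: fail closed
        if not _in(addr, TRUSTED_PROXIES):
            return addr
    return None                             # chain held only proxies

def admin_allowed(peer_ip, forwarded_for=None):
    """True only when the resolved client sits inside the admin networks."""
    client = effective_client(peer_ip, forwarded_for)
    return client is not None and _in(client, ADMIN_NETS)

if __name__ == "__main__":
    # External client reaching the admin area through the site's own proxy.
    print(admin_allowed("10.0.0.5", "10.36.119.1, 203.0.113.9"))
```

The same decision has to be enforced on every port that serves the admin area, and a proxy port that accepts connections from outside should not be able to reach it at all.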

  4. Do your homework

Learn as much about the website as you possibly can. Try to get as few surprises as you can. Use a proxy; if you're doing a serious job, use a proxy chain (a bunch of proxies linked together). If you're not one who can handle the pressure and time, have different proxies set aside so you can try over and over again. A good site for proxies is www.proxy4free.com

The ultimate rule of crime is, "Don't do the crime if you can't do the time." This article is provided for educational use only, so webmasters can secure their sites against these forms of attack. Do not use this data in any way that it was not intended.

~cere4l

Comments
ghost 18 years ago

Hrm, you should also add that the smaller sites are less likely to care/report than the bigger ones that have money involved; If you can shop on there expect strong security;

This means, don't deface amazon <dot> com… nice job though

-Deshouleres

ghost 18 years ago

Nice article.

ghost 18 years ago

lmao, now people are going to try and go to /admin/ on Enigma. It's a good article though cere34l. Good info.

ghost 18 years ago

Heh, i lost all my points that way :)

B4 i read this article though lmfao

ghost 17 years ago

what about if it doesn't say exactly "ACCESS DENIED. YOUR IP IS NOT IN THE IP RANGE. THIS HAS BEEN REPORTED"? and it just says the stuff on the page isn't allowed to display or something, or maybe u are not authorized to view this? Also do u have to get an email from the site just to get that info?

ghost 17 years ago

:evil:

ghost 17 years ago

:ninja: