Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

Web Penetration


EvialBae1412's Avatar
Member
0 0

Hey guys, this is a website from my friend : http://lexel.io I am doing a pentesting for his request. I found there are 10 ports open and want to do a bruteforce for its ftp port . Anyone has any suggestion for doing the bruteforce ? or better way for penetrate this website?


Futility's Avatar
:(
80 122

EvialBae1412 wrote: Hey guys, this is a website from my friend : http://lexel.io I am doing a pentesting for his request. I found there are 10 ports open and want to do a bruteforce for its ftp port . Anyone has any suggestion for doing the bruteforce ? or better way for penetrate this website?

However… I'll ask you some questions that might help lead you down a useful path.

First off, why specifically do you want the FTP port? What do you hope to gain from it? Did you know that there are a subset of port numbers that are commonly assigned to default services? Perhaps FTP is one of them.

Secondly, why were you (presumably?) hired to do this pen-test in the first place? What are you trying to find and why does your friend think you'd be able to find it?

Finally, bruteforce is generally an ugly ugly way to go about attacking something. It's noisy and crude and crass and usually not necessary. Is there a better way to get what you're trying to get in a more discreet way? Can learning about server setup and website administration help you better yourself at doing this kind of work? If so, maybe try setting up your own server in a VM and playing with it to get a sense for the kinds of things that are possible before moving on to black-box testing of live sites.

I'm glad to help people learn new skills (and to learn from them myself), but there aren't any shortcuts. Anything worth learning is worth learning correctly, and learning something correctly takes time. My suggestion is to tell your friend that you can't really help right now but you'd be glad to take a look sometime in the future. Use that time to hone your craft and build your skills. Ask questions here and read as much as you can elsewhere. You'll be ready to rock in no time at all. And remember- you can do it! (and we can help)

  • Futility

EvialBae1412's Avatar
Member
0 0

Thank you very much for your reply. I'm not hired to do this pentesting. I just start learning the ethical hacking materials and my friend gave his website to let me see what i could explore.


Futility's Avatar
:(
80 122

EvialBae1412 wrote: Thank you very much for your reply. I'm not hired to do this pentesting. I just start learning the ethical hacking materials and my friend gave his website to let me see what i could explore. That's very kind of them to do. In any case, I stand by my original sentiment: you're probably not ready for a "real" black-box pen-test yet. If you need help with any setup or practice or specific questions regarding techniques or the like, I'm sure anyone here would be willing to help. I've been out of webapp testing for a while and don't really know the landscape as well as I used to so it's tough to suggest anything too solid besides maybe perusing write-ups from CTFs from the past (although those may be a bit complicated as well).

OWASP has a pretty comprehensive listing of web bugs that tend to show up in the wild and is, in my opinion, a solid resource for someone learning the lay of the land.

  • Futility

T0pspin's Avatar
Member
0 0

That won't help 90% of the noobs we get here, as there is no "Help me Bro !!!!!!" section for hacking your girlfriends Facebook and WhatsApp accounts.


Futility's Avatar
:(
80 122

T0pspin wrote: That won't help 90% of the noobs we get here, as there is no "Help me Bro !!!!!!" section for hacking your girlfriends Facebook and WhatsApp accounts. Maybe someone who reads this thread will be in the other 10%. Just trying to help people as best I can.

Don't be a dick.

  • Futility

T0pspin's Avatar
Member
0 0

Don't be a dick. - Futility Sorry bro no can do. I am a dick.


Futility's Avatar
:(
80 122

T0pspin wrote: Sorry bro no can do. I am a dick. Tragic. Oh well, I suppose you'll probably just have to fade away with the everyone else in your 90% then.

For the rest of us looking to actually improve ourselves as security professionals (and… just… generally as human beings, too, I suppose), I just remembered this site that some friends of mine made. They recently opened it up to the public (used to be behind a paywall) and it serves as a pretty solid standalone introduction to a bunch of webapp security topics. There are a bunch of video lessons supplemented by modern example applications for breaking into. The structure makes for a pretty good learning platform (in my opinion).

  • Futility

rex_mundi's Avatar
☆ Lucifer ☆
3,110 12

Remember this ya dick ?

From: T0pspin Date: August 04 2017 – 07:00:19 Subject: Facebook Hello and good day Rex,  can I ask if you know how to hack facebook ?

Also, that site looks pretty cool Futility, I'll have to remember to check that out later from home. thumbs up


T0pspin's Avatar
Member
0 0

To be fair, I was a lot younger back then.