
Defacement Methods


ghost's Avatar
0 0

Hi, I'm a bit new to hacking in general, but I have some ok skills (html, javascript, and that kind of stuff) and I was wondering what exactly are the most common site defacement methods and how they work. I am trying to mess with one of my freewebs sites I forgot the account info to :p so that maybe I can learn some stuff and eventually mess with my friend haha.

So, what exactly do I have to do to do the kind of stuff Richohealey did to his school's site? (http://www.freewebs.com/richohealey/)

Gain access to ftp? I know a little about RFI, but how does that work and how would I do it? Please help me learn a bit here, I would love to show off some new skills when school starts back this year :)

Thanks…

BTW, the entire HBH community is awesome. I've never met such a gr8 crew of people online EVER. 1,,1, Rock On! ,1,,1


ghost's Avatar
0 0

I am also interested in this. Please, no "learn it yourself" comments or 'justfuckinggoogleit' links, questions like this are useful for those with less experience.


ghost's Avatar
0 0

There's no 'most common' methods, read all the articles, lots of them, lol..

@ThisOlderOne:

No, we won't tell you how to h@x0r a website without you learning something yourself..


ghost's Avatar
0 0

ThisOlderOne wrote: I am also interested in this. Please, no "learn it yourself" comments or 'justfuckinggoogleit' links, questions like this are useful for those with less experience.

Yeah, they sure are useful aren't they? Because you get a nice little synopsis of exactly how to do something while others spent hours figuring it out.


ghost's Avatar
0 0

Okay, well what do you expect that Richohealey did? :ninja:


ghost's Avatar
0 0

ThisOlderOne wrote: Okay, well what do you expect that Richohealey did? :ninja:

who cares? you should be concerned with what YOU do. read some books, stay up late tinkering with web pages.


ghost's Avatar
0 0

Yeah, they sure are useful aren't they? Because you get a nice little synopsis of exactly how to do something while others spent hours figuring it out.

YEAH!, i spend hours doing stuff i want to learn, and when i get it, someone says "ah, cool, you got it, now tell me how to H@x0r Fuckxor l33tzor a Websiteewsdgfvgdd,a,fk."

fuck….:whoa:


ghost's Avatar
0 0

There are plenty of methods !! Anyway by now I MASSIVELY used SQL injections and sometimes found errors like lack of authentication check but you will never know the right method to use until you've used it, so learn as much as possible, read, do the challenges and have fun getting experience!


ghost's Avatar
0 0

that question is stupid..

there is no universal hacking method. it just shows that you're not even thinking about what you're asking

let alone doing some research on your own and coming here with a specific question on something you don't understand..

i want to start a sentence with "if there was such a thing as a defacement walkthrough.." but it's just too stupid.. to even imagine..

who do you think hackers are? ppl that love computers, that keep themselves up to date on as many topics as they can. you want to hack a site. ok. start by enumerating what the site is composed of. (if you don't know do some research on that first..) use scanners to help, nmap is old but does the job, however there are more advanced tools like nessus or nikto that do it better, they will give you some information about the server, other things like forums guestbooks and cms you have to find by browsing the page

after that go get copies of that and read the sources, try to find holes. if you can't/don't want to. go to sites like milw0rm and securityfocus and see if there are known exploits for the things you found.

it might take minutes it might take weeks. but you will always have to google and read stuff


ghost's Avatar
0 0

sakarin, that was very well put.

Too often have I come across people who want the easy answer, and an easy method of hacking/defacing. Hacking is all about READING, sorry if that came as a shock to you, but there is no easy route.

Stay here, study as much as your brain can possibly allow, and over time you will gradually become a stronger hacker. These challenges do simulate what it would be like to deface a website, and a lot of them are realistic cases, but in the real world, there is no "article" or "walkthrough" of a mission you have chosen for yourself.

Patience is a virtue lol.

Good luck!


ghost's Avatar
0 0

So. What is the point in this forum again?


ghost's Avatar
0 0

HackingForce wrote: @ThisOlderOne:

No, we won't tell you how to h@x0r a website without you learning something yourself..

I have. I am asking what you believe he did.

lesserlightsofheaven wrote: who cares? you should be concerned with what YOU do. read some books, stay up late tinkering with web pages.

I care.

I have spent endless nights up creating my own sites, if that counts. I have spent hours reading articles on how to perform techniques, but not what technique to use. The realistic missions are good for this reason, but they are quite obvious compared to reality.

I do not wish to deface a site, I am merely curious which technique is most commonly used.

(sorry about the double post.)


richohealey's Avatar
Python Ninja
0 0

ThisOlderOne wrote: Okay, well what do you expect that Richohealey did? :ninja:

WTF is that meant to mean?

You tool, do you know how i arrived at that site? it was a link from a forum when i googled "numeric checksum"

Buuuuurn

EDIT: posted before reading the end;

Sakarin, Nessus is only good if you have access to the logs afterwards… it's noisy as hell.

Nmap + a nice big exploit/0day archive is the go.


ghost's Avatar
0 0

ThisOlderOne wrote: I care.

I have spent endless nights up creating my own sites, if that counts. I have spent hours reading articles on how to perform techniques, but not what technique to use. The realistic missions are good for this reason, but they are quite obvious compared to reality.

I do not wish to deface a site, I am merely curious which technique is most commonly used.

(sorry about the double post.)

creating one's own site, while indeed useful and will help you learn, does not compare to testing another site's security (if you're just talking web hacking). if you've supposedly read all these articles on techniques to use, you should understand where and when to use them.

Examples:

SQL Injection - Used where an SQL database is present and input to that database isn't secured.

XSS - Used where user supplied input to forms isn't validated.

RFI/LFI - In most cases, used when a php include() function doesn't validate input.

Cookie Poisoning - When cookie input isn't validated.

you'll note that most to all of web hacking techniques work when a user's input is not properly sanitized. this is also true beyond web hacking: buffer overflows, integer overflows.

the only way to really learn once you've read the techniques is to go out and try them, so don't give me this "I don't want to deface a site wah wah" bullshit. go try these out sometime. if you really don't want to touch another site, set up vulnerable conditions on your own network and try it out at home.
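The post above traces all four technique classes back to unvalidated user input. As an added example (not part of the original post or of any poster's code), here is the matching server-side control for each class in Python; the table, page names and key are constructed, and `resolve_page` stands in for validating the argument to a PHP include().

```python
import hashlib
import hmac
import html
import sqlite3

# Constructed values for illustration only.
PAGES = {"home": "pages/home.html", "about": "pages/about.html"}
COOKIE_KEY = b"constructed-demo-key"


def demo_db():
    """Build an in-memory database with two constructed users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return db


def find_user(db, name):
    """SQL: bind the value as a parameter so it is never parsed as SQL."""
    return db.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def render_comment(text):
    """XSS: encode user text for the HTML context before writing it out."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def resolve_page(requested):
    """File inclusion: look the request up in an allowlist; never build a path from it."""
    return PAGES.get(requested, PAGES["home"])


def sign_cookie(value):
    """Attach an HMAC so the server can detect a modified cookie value."""
    mac = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value + "." + mac


def read_cookie(cookie):
    """Cookie tampering: return the value only if its MAC verifies, else None."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac.encode(), expected.encode()) else None
```

In each function the untrusted value is either kept strictly as data (bound parameter, encoded output) or checked against something the server controls (allowlist, MAC) before it is used.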


ghost's Avatar
0 0

Thank you lesserlightsofheaven, that's the most useful post I have read here in a while.

I plan to set up a controlled environment, like you say, when I get my new laptop. And I have found learning PHP and its uses (not its potential abuses) has helped a lot. I did not say that I had read every article, just those that were most relevant to what I was attempting.

[offtopic] Has anyone properly succeeded in hacking into HBH?[/offtopic]


richohealey's Avatar
Python Ninja
0 0

dude, what do you think the HoF is?

and clearly you weren't here for the reaper's phun.


bl4ckc4t's Avatar
Banned
0 0

Cheese is right, People need to rethink what a REAL hacker is.

Aside from that:

XSS is one of the most common forms of attacks these days. Read up on Cross Site Scripting.

Javascript is VERY useful to know, as well as a decent knowledge of PHP and definitely HTML.

Learn about PHP shells, these are very useful in a Remote File Include. I am not going to tell you where to get one, just google it yourself, they are out there.

Session Fixation for a moderately advanced attack.

I don't recommend hacking an FTP, but learning about Linux/*nix FTP commands will help you in a PHP shell.

Read the guides on Google Hackers to learn about advanced googling, can be VERY useful at times.

I agree with lesserlightsofheaven, A controlled environment will be your best bet.

-Bl4ckC4t


ghost's Avatar
0 0

ThisOlderOne wrote: [offtopic] Has anyone properly succeeded in hacking into HBH?[/offtopic]

a few times it has been attacked. I don't think someone has actually got to the admin panel tho. RoMeO set up a CURL script which DDoS'd it and brought it down. Another guy got an admin (i think anyway) to click a link which set up some code that grabbed everyone's passwords. He then posted it on some website which annoyed a lot of people.

The admins don't really like talking about it though ;)


ghost's Avatar
0 0

koolkeith12345 wrote: a few times it has been attacked. I don't think someone has actually got to the admin panel tho. RoMeO set up a CURL script which DDoS'd it and brought it down. Another guy got an admin (i think anyway) to click a link which set up some code that grabbed everyone's passwords. He then posted it on some website which annoyed a lot of people.

The admins don't really like talking about it though ;)

Look in the HoF FFS!

A cURL script wouldn't DDoS a site either… learn what it is before you make comments like that


mido's Avatar
Member
0 0

I suggest to read this :

http://www.catb.org/~esr/faqs/hacker-howto.html

No one said "i'm new today, tomorrow i'll be a hacker" and for that… Learn HTML/XHTML first, then upgrade yourself to javascript to learn the way of dynamic languages… Hacking isn't just searching for exploits. Then to PHP/mysql…etc…or to C/C++/JAVA…. And code useful programs…. Then you will find that exploits are in your way of programming…. and then….try to patch exploits, make any program (or web based app) and patch it…

Thanks guys…


ghost's Avatar
0 0

mozzer wrote: koolkeith12345 wrote: a few times it has been attacked. I don't think someone has actually got to the admin panel tho. RoMeO set up a CURL script which DDoS'd it and brought it down. Another guy got an admin (i think anyway) to click a link which set up some code that grabbed everyone's passwords. He then posted it on some website which annoyed a lot of people.

The admins don't really like talking about it though ;)

Look in the HoF FFS!

A cURL script wouldn't DDoS a site either… learn what it is before you make comments like that

Please. He is trying to help. You aren't.

Have some respect before making comments like that.

I gather that HoF is an acronym for Hall of Fame?


ghost's Avatar
0 0

and i gather you didn't even bother to click the link.

he didn't just post useful stuff he ended the post with a mini flame at admins which wasn't true.

since system is an admin it's only logical that he would respond..


ghost's Avatar
0 0

sakarin wrote: he didn't just post useful stuff he ended the post with a mini flame at admins which wasn't true.

it's not a miniflame. i don't think that it's particularly bad that the admins prefer to keep security breaches quiet. And it is true or at least i've seen people claim that they were dossing hbh whilst hbh mysteriously goes down due to server problems or something.

in the end i don't really care. As long as the site is up and running and hbh stays the cool community it is then i'm happy.