
IbrahimBello Pentesting VulnerabilityAssessmentProject

The document discusses hacking the target website http://certifiedhacker.com. Various reconnaissance tools were used like host command, DNS recon, WHOIS, Wappalyzer and Shodan to gather information. Scanning tools like Dirb, Gobuster and Nikto were used to detect vulnerabilities. Nmap scan found open ports including port 22 for SSH. The user vagrant was found using SSH enumusers. Burpsuite pro was used to perform an automated crawl and audit of the site. In conclusion, while the site has security measures like a firewall, a backup file directory was discovered that could be further exploited by threat actors.

Uploaded by

ibrahim bello

WEB HACKING

TARGET: http://certifiedhacker.com

Ibrahim Bello : 100847608


PHASE 1
FOOTPRINTING AND RECONNAISSANCE

1. HOST COMMAND
# host www.certifiedhacker.com

The IP address of www.certifiedhacker.com is 162.241.216.11 and the mail server is mail.certifiedhacker.com.
2. DNS recon
# dnsrecon -t brt -d certifiedhacker.com

The above is the result I got after running the dnsrecon command against the
target.
3. WHOIS COMMAND
# whois www.certifiedhacker.com

The above is the result I got after running the whois command against the target.
4. OSINT- WAPPALYZER
Wappalyzer is a web browser extension and technology profiler that reveals the
technologies used to create webpages. It can be installed by searching in the browser
extensions database.

The result shows the target web server is Nginx version 1.19.10 and the JavaScript
library is jQuery.
5. SHODAN
One must have a shodan.io account before one can use it.
Create an account first.
Then put the IP of the target (162.241.216.11) in the search box.
Below is the result obtained.

From the above result, one can see the list of open ports and possible
vulnerabilities and their CVE details. This helps us to know the kind of exploit
to run against the target.
6. NETCRAFT
Just like shodan.io, netcraft.com is also a web-based recon tool. By putting the
target website address in the search box, Netcraft populates a site report for the
target.
7. MALTEGO

1. Set up a maltego account


2. Log in
3. Click on machines on the tab menu
4. Click on run machine
5. Click on company stalker or any of the footprint options
6. Click next
7. Add target address in the domain name form
8. Click finish
PHASE 2: SCANNING AND ENUMERATION AND ATTACKING THE SERVER
1. WAFW00F
This command is used in testing the target server for presence of firewall.

# wafw00f www.certifiedhacker.com

The above result shows that www.certifiedhacker.com is behind ModSecurity (SpiderLabs) WAF.
The wafw00f command on Kali displays information on the server's firewall(s),
and since my target has a firewall, the server is extremely secure.

2. Dirb command
DIRB is a content scanner for the web. It searches for Web Objects that are already
present (and/or hidden). It operates by executing a dictionary-based attack on a
web server and then analysing the results.
In order to use the dirb command, I need to scan the target site against a wordlist.
# dirb http://certifiedhacker.com /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
I was able to find an address to a backup folder called “certifiedhacker.zip”.
The address is certifiedhacker.com/certifiedhacker.zip
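
Seen from the server side, a finding like this backup archive can be caught before deployment by auditing the document root for files that should never be served. The script below is an added example, not part of the original report; the function names, the extension list and the sample directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the report: list files under a web document root
# that look like archives, database dumps or editor backups.
# The extension list and the sample tree are assumptions (constructed).

find_exposed_backups() {
    docroot=$1
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    # -iname is case-insensitive (GNU/BSD find). Each hit is printed as the
    # URL path a client would request, i.e. relative to the document root.
    ( cd "$docroot" && find . -type f \( \
           -iname '*.zip' -o -iname '*.tar' -o -iname '*.tar.gz' -o -iname '*.tgz' \
        -o -iname '*.7z'  -o -iname '*.rar' -o -iname '*.sql'    -o -iname '*.sql.gz' \
        -o -iname '*.bak' -o -iname '*.old' -o -iname '*.orig'   -o -iname '*~' \
        \) -print | sed 's|^\./|/|' | LC_ALL=C sort )
}

# Exit status for a deploy pipeline: 0 = clean, 1 = findings, 2 = bad argument.
audit_docroot() {
    hits=$(find_exposed_backups "$1") || return 2
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree: two legitimate files and three that should not be served.
make_sample_docroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/images" "$d/admin"
    : > "$d/index.html"
    : > "$d/images/logo.png"
    : > "$d/site-backup.ZIP"
    : > "$d/admin/db.sql.gz"
    : > "$d/admin/config.php.bak"
    printf '%s\n' "$d"
}

sample=$(make_sample_docroot)
audit_docroot "$sample" || echo "status $?: remove the files above or deny them in the server config"
rm -rf "$sample"
```

Running `audit_docroot` against the real document root as a deployment step makes the release fail whenever an archive or dump has been left where the web server can serve it.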
3. Gobuster
Gobuster is a tool used to brute-force URIs including directories and files as well
as DNS subdomains
# gobuster dir --url http://certifiedhacker.com/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
4. Nikto

5. NMAP
I will use nmap to check for open ports. In this situation, I used the Metasploit
nmap, which is db_nmap, to scan for IP ranging from 0-65535.
Msf6> db_nmap -Pn certifiedhacker.com

The above result shows all the open ports on the target address.
I can now try to use Metasploit to exploit the above open port vulnerabilities.
I was able to use the nc command to interact with port 587.
nc certifiedhacker.com 587
Seeing that port 22 is open, I tried to exploit the port using Metasploit.
I set auxiliary/scanner/ssh/ssh_enumusers to scan for SSH usernames and I found
vagrant.

I tried brute-forcing in order to get the password for the user vagrant, but firewall
restrictions are rate-limiting the brute-forcing, which is why hydra aborts after
two attempts.
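
On the defending side, password guessing against SSH shows up in the sshd authentication log, and it can be summarised per source address. The script below is an added example, not part of the original report: the log lines are constructed (documentation IP ranges, made-up host name and PIDs), and the function names and thresholds are assumptions.

```shell
#!/bin/sh
# Added example, not from the report: summarise failed SSH password attempts
# per source IP and flag sources that look like guessing or username spraying.

# Constructed sshd log lines (assumed syslog layout, documentation IP ranges).
sample_auth_log() {
cat <<'EOF'
May  4 10:00:01 web sshd[811]: Failed password for vagrant from 203.0.113.5 port 40110 ssh2
May  4 10:00:03 web sshd[811]: Failed password for vagrant from 203.0.113.5 port 40110 ssh2
May  4 10:00:05 web sshd[812]: Failed password for vagrant from 203.0.113.5 port 40112 ssh2
May  4 10:01:10 web sshd[820]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
May  4 10:01:12 web sshd[821]: Failed password for invalid user test from 198.51.100.9 port 51002 ssh2
May  4 10:01:14 web sshd[822]: Failed password for invalid user oracle from 198.51.100.9 port 51004 ssh2
May  4 10:02:00 web sshd[830]: Failed password for deploy from 192.0.2.44 port 42000 ssh2
May  4 10:02:09 web sshd[830]: Accepted password for deploy from 192.0.2.44 port 42000 ssh2
EOF
}

# Prints "ip failures distinct_usernames" for every source with a failure.
# Reads the named log files, or stdin when none are given.
ssh_auth_summary() {
    awk '
    /sshd\[[0-9]+\]: Failed password for / {
        # The last "from" on the line separates the user name from the source IP.
        for (i = 1; i <= NF; i++) if ($i == "from") { user = $(i-1); ip = $(i+1) }
        fails[ip]++
        if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
    }
    END { for (ip in fails) print ip, fails[ip], users[ip] }
    ' "$@" | LC_ALL=C sort
}

# usage: flag_ssh_sources MIN_FAILS MIN_USERS [logfile...]
flag_ssh_sources() {
    min_fails=$1; min_users=$2; shift 2
    ssh_auth_summary "$@" | awk -v f="$min_fails" -v u="$min_users" '
        $3 >= u { print $1, "many-usernames"; next }
        $2 >= f { print $1, "repeated-failures" }'
}

sample_auth_log | flag_ssh_sources 3 3
```

A single mistyped password followed by a successful login, as from 192.0.2.44 in the sample, stays below both thresholds and is not flagged.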
6. Burpsuite Pro
In order to be able to use Burp Suite Pro, I requested a trial version.
I will be doing two types of scan, automated and manual.
To start the automated scan, click new scan and select “crawl and audit”.
In the URL to scan form, I put the target website: www.certifiedhacker.com
I chose the default setting for the Protocol settings, which is “scan using HTTP and
HTTPS”.
Then click “ok”.
The scan will start.
Above is the result of the scan on the target address using burpsuite pro

CONCLUSION
During my initial investigation of certifiedhacker.com, I discovered a directory
listing and a firewall on the site. On the same server as the website, some more
domains were discovered. An address on the website that leads to the website's
backup zip file was also discovered, which is a very big vulnerability that threat actors
can use to further exploit the website's programming.
Now, in terms of website security, it is secure. Although there are some tiny
weaknesses that may be exploited, overall the website is fairly secure.
