- Joined
- Aug 19, 2023
- Messages
- 911
- Reaction score
- 40,589
- Points
- 93
- Thread Author
- #1
General principles of hacking sites
By structure, sites are divided into three large classes:
From the point of view of the attacker, engines sites are no different from other services. Their source code is usually shared, and any researcher can analyze his mistakes, including gaps in security. Therefore, CMS-based websites often become the victims of targeted attacks. Often they break EN masse.
This hacking is automated and usually proceeds as follows: the attacker finds the vulnerability (or just Google for something fresh). Then he makes a exploit or take the ready-made and writes a specialized bot. This bot searches for the specified hole at all sites running in a given range and trying to exploit it.
It would seem, for protection against auto-attacks or just to keep your software up to date, but in reality, CMS is cluttered with different additions, and to keep track of all becomes difficult.
When pentasa is a somewhat different task — to check a particular website for vulnerabilities. This is what we will talk.
Intelligence
Before trying to attack a target, you need to collect information about it. For this is good tool WhatWeb. This utility provides detailed information about the CMS of the victim and used her web tools.
Suggest to run WhatWeb key and, pointing after him, the value of 3 or 4. The only difference between them is that in the second case WhatWeb scans and even their subfolders. Keep in mind that both options set aggressive method of surveys — with all the consequences, but rather "flows" to the server logs.
Here is an example run and the collected answers:
By structure, sites are divided into three large classes:
- in-house (hand-made of the HTML produced by the static generator Jekyll type or collected in the program-the designer of the type Adobe Dreamweaver)
- made online designers (mostly web-site without any databases, and transmitted fields)
- working on CMS (Content Management System, the content management systems).
From the point of view of the attacker, engines sites are no different from other services. Their source code is usually shared, and any researcher can analyze his mistakes, including gaps in security. Therefore, CMS-based websites often become the victims of targeted attacks. Often they break EN masse.
This hacking is automated and usually proceeds as follows: the attacker finds the vulnerability (or just Google for something fresh). Then he makes a exploit or take the ready-made and writes a specialized bot. This bot searches for the specified hole at all sites running in a given range and trying to exploit it.
It would seem, for protection against auto-attacks or just to keep your software up to date, but in reality, CMS is cluttered with different additions, and to keep track of all becomes difficult.
When pentasa is a somewhat different task — to check a particular website for vulnerabilities. This is what we will talk.
Intelligence
Before trying to attack a target, you need to collect information about it. For this is good tool WhatWeb. This utility provides detailed information about the CMS of the victim and used her web tools.
Suggest to run WhatWeb key and, pointing after him, the value of 3 or 4. The only difference between them is that in the second case WhatWeb scans and even their subfolders. Keep in mind that both options set aggressive method of surveys — with all the consequences, but rather "flows" to the server logs.
Here is an example run and the collected answers:
