Website Defacement

Learn to deface websites and break into intranets.



,..;{[WEBSITE DEFACEMENT]};.,

*THIS ARTICLE IS PROVIDED AS-IS WITH NO GUARANTEE OF AUTHENTICITY OR WARRANTY. THE WRITER IS NOT RESPONSIBLE IN ANY WAY, SHAPE, OR FORM FOR THE READER'S RESPONSE/ACTIONS AS A RESULT OF/DUE TO THIS ARTICLE*

Cyber Graffiti (Website Defacement) is the most common type of hacking that occurs today. Most of the time it's just petty teenagers looking to get a thrill and brag about how "1337" they are. It's basically just what the name says: defacing the content of a website, turning it into something else that you created, 90% of the time telling the real website why you did it, and sometimes even giving them a way to get their old page back.

1. robots.txt

When a website wants to hide certain parts of itself from search engines, it lists them in a file called "robots.txt", which shows all the disallowed pages so the search engine won't put them in results. This file can be accessed easily by appending it to the end of the main URL.

www.google.com/robots.txt

This is a great way to find administrative directories, or just general hidden things that will help you out on your way.
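
robots.txt is readable by any visitor, so each Disallow line also publishes the path it names. The check below is an added example, not part of the original article: it scans a robots.txt that a site owner is about to publish and reports Disallow rules whose paths look sensitive. The keyword list and the sample file are constructed assumptions.

```python
import re

# Hypothetical keyword list; tune it to your own application's layout.
SENSITIVE = re.compile(r"admin|login|backup|private|config|intranet|staging", re.I)

# Constructed robots.txt for illustration.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /search
Disallow: /admin/        # control panel
Disallow: /old-site/backup.zip
Allow: /public/

User-agent: ExampleBot
Disallow: /
"""

def audit_robots(text):
    """Return [(line_no, user_agents, path)] for Disallow rules naming sensitive-looking paths."""
    findings, agents, in_rules = [], [], False
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        if ":" not in line:
            continue                              # blank or malformed line
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                          # rules seen, so a new group starts here
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and SENSITIVE.search(value):
                findings.append((no, ",".join(agents) or "*", value))
    return findings

if __name__ == "__main__":
    for no, agent, path in audit_robots(SAMPLE_ROBOTS):
        print(f"line {no}: Disallow {path} (for {agent}) publishes a sensitive-looking path")
```

Paths reported here need real access control on the server; removing them from robots.txt only stops advertising them.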

2. Simple freehosting.

Defacing a website that uses freehosting services is obviously easier than some of the bigger sites. The first choice is obvious: go to their host's website and guess their account password. Work on a person who knows the password. There are a number of guessing techniques. You could also look for administrative directories, or try robots.txt.

3. IP range/breaking into an intranet.

Jonny sits at his computer, up late searching for the admin directory. He finds it, finally! He types it into his browser, and to his surprise...

ACCESS DENIED. YOUR IP IS NOT IN THE IP RANGE. THIS HAS BEEN REPORTED.

What happened? Why did it do this? And are the cops coming to get me now?

The cops aren't coming. Anytime anyone tells you anything has been reported, it's a lie. They COULD report it to your ISP, but even if that happens, nothing is likely to happen with this little involvement.

This is basically saying that the website is using an "intranet", a sort of LAN that provides a specific IP address through a proxy for each computer on its network. Our goal is to trick this network into thinking we are one of those computers on the intranet by spoofing our IP into the range of IP addresses specified for the intranet. We would do this by 1. connecting to the proxy itself or 2. connecting to a proxy that started with the first number of their proxy.

Well, that's all well and good, but how do we find the range?

This can be tricky. If you have ever received an email from the website (if they have their own SMTP server), you can try looking in the full header. This is an email I received from Enigma Group.

X-Gmail-Received: c6166d03d425ae868cd0e3df7343efc52fc2a476
Delivered-To: c3re4l@gmail.com
Received: by 10.36.119.1 with SMTP id r1cs51649nzc;
Wed, 6 Jul 2005 11:52:51 -0700 (PDT)
Received: by 10.54.26.4 with SMTP id 4mr46329wrz;
Wed, 06 Jul 2005 11:52:51 -0700 (PDT)
Return-Path: <nobody@server47.dedicatedusa.com>
Received: from server47.dedicatedusa.com (server47.dedicatedusa.com [66.197.162.85])
by mx.gmail.com with ESMTP id 8si107104wrl.2005.07.06.11.52.51;
Wed, 06 Jul 2005 11:52:51 -0700 (PDT)
Received-SPF: pass (gmail.com: best guess record for domain of nobody@server47.dedicatedusa.com designates 66.197.162.85 as permitted sender)
Received: from nobody by server47.dedicatedusa.com with local (Exim 4.50)
id 1DqF12-0002po-68
for c3re4l@gmail.com; Wed, 06 Jul 2005 14:53:00 -0400
To: c3re4l@gmail.com
Subject: Forum Subscription New Topic Notification ( From Enigma Group Forums )
From: "Enigma Group Forums" <psychomarine@gmail.com>
X-Priority: 3
X-Mailer: IPB PHP Mailer
Message-Id: <E1DqF12-0002po-68@server47.dedicatedusa.com>
Date: Wed, 06 Jul 2005 14:53:00 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server47.dedicatedusa.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - server47.dedicatedusa.com
X-Source:
X-Source-Args:
X-Source-Dir:

This would not be the true range, because Enigma is not an intranet, but the true range would be in the Received line:

Received: by 10.36.119.1 with SMTP id r1cs51649nzc;
Wed, 6 Jul 2005 11:52:51 -0700 (PDT)
Received: by 10.54.26.4 with SMTP id 4mr46329wrz;
Wed, 06 Jul 2005 11:52:51 -0700 (PDT)

The range would be 10, or the IP would be 10.36.119.1.

Therefore you would set up your proxy connection (bounce link) as 10.36.119.1 (if you don't know how to do this, consult your browser's instructions or Google it),
and then you would retry the admin directory...

ACCESS DENIED. YOUR IP IS NOT IN THE IP RANGE. THIS HAS BEEN REPORTED.

What??? Why didn't it work? Sometimes the intranet will work on a different port than 80 (the default). Do a quick port scan; try using nmap. Your results may look like:

Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
8001/tcp open http-proxy

We know 80 didn't work, so our point of attack would be port 8001. So we try the admin directory with our proxy set to 10.36.119.1 on port 8001...

Welcome admin. Enter here.

And from the admin options you could deface the site!
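
For a mail administrator, the Received-line reading used earlier in this section shows what outbound mail discloses to every recipient. The example below is added here and is not from the original article; the hosts and addresses in its sample are constructed. It parses the Received headers and labels each IPv4 address as RFC 1918 private or public. Private ranges such as 10.0.0.0/8 are reused inside many unrelated networks and are not routed across the Internet.

```python
import ipaddress
import re
from email import message_from_string

# RFC 1918 private ranges: reused inside many networks, not routed on the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

# Constructed message (hypothetical hosts), laid out like the headers above.
SAMPLE_MAIL = """\
Received: by 10.20.30.40 with SMTP id abc123;
\tWed, 6 Jul 2005 11:52:51 -0700 (PDT)
Received: from mail.example.org (mail.example.org [198.51.100.25])
\tby mx.example.net with ESMTP id xyz789;
\tWed, 06 Jul 2005 11:52:51 -0700 (PDT)
Received: from nobody by mail.example.org with local (Exim 4.50)
\tid 1AbCdE-000123-45; Wed, 06 Jul 2005 14:53:00 -0400
Subject: constructed sample

body
"""

def classify_hops(raw):
    """Return [(hop_index, ip, 'private' | 'public')] for IPv4s in Received headers."""
    msg = message_from_string(raw)
    found = []
    for i, hop in enumerate(msg.get_all("Received", [])):
        for text in IPV4.findall(hop):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # looked like an address but is not one (e.g. 999.1.1.1)
            kind = "private" if any(ip in net for net in RFC1918) else "public"
            found.append((i, str(ip), kind))
    return found

def disclosed_private(raw):
    """Private addresses a recipient can read out of the message headers."""
    return sorted({ip for _, ip, kind in classify_hops(raw) if kind == "private"})

if __name__ == "__main__":
    for hop, ip, kind in classify_hops(SAMPLE_MAIL):
        print(f"hop {hop}: {ip} ({kind})")
```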

4. Do your homework

Learn as much about the website as you possibly can. Try to get as few surprises as you can. Use a proxy; if you're doing a serious job, use a proxy chain (a bunch of proxies linked together). If you're not one who can handle the pressure and time, have different proxies set aside so you can try over and over again. A good site for proxies is
www.proxy4free.com

The ultimate rule of crime is, "Don't do the crime if you can't do the time." This article is provided for educational use only, so webmasters can secure their sites against these forms of attack. Do not use this data in any way that it was not intended.

~cere4l

Comments

Deshouleres on July 07 2005 - 20:47:17
Hrm, you should also add that the smaller sites are less likely to care/report than the bigger ones that have money involved; If you can shop on there expect strong security; This means, don't deface amazon <dot> com... nice job though -Deshouleres
wolfmankurd on July 09 2005 - 09:59:30
Nice article.
nights_shadow on July 10 2005 - 03:52:08
lmao, now people are going to try and go to /admin/ on Enigma. It's a good article though cere34l. Good info.
0wned on July 10 2005 - 09:15:06
Heh, I lost all my points that way :) B4 I read this article though lmfao
champloo on June 05 2006 - 05:16:03
what about if it doesn't say exactly "ACCESS DENIED. YOUR IP IS NOT IN THE IP RANGE. THIS HAS BEEN REPORTED"? and it just says the stuff on the page isn't allowed to display or something, or maybe u are not authorized to view this? Also do u have to get an email from the site just to get that info?
phantom_pieman on October 28 2006 - 23:03:21
:evil:
phantom_pieman on October 28 2006 - 23:04:04
:ninja: