WEBVTT

00:00.510 --> 00:04.100
Hello everyone and welcome back to part 29 of my Linux ethical hacking course.

00:04.110 --> 00:08.130
In this part we're going to look at our first Web site penetration test.

00:08.280 --> 00:13.770
So essentially companies will pay people to penetration test their Web site with the web applications

00:13.770 --> 00:14.610
on them.

00:14.730 --> 00:20.090
The first one we're going to look at is a simple upload vulnerability within a PHP page.

00:20.110 --> 00:27.030
So when Web sites are created, web applications, typically think of like a job Web site or a forum where

00:27.030 --> 00:33.650
you upload an avatar, or on the job Web site you could upload your CV or additional files maybe.

00:33.800 --> 00:40.550
And the vulnerability comes into it when they allow you to upload certain files such as PHP files

00:40.900 --> 00:45.960
because we are going to generate a PHP backdoor that will allow us to connect to the backdoor which

00:45.960 --> 00:50.160
is basically hidden on the Web site's directory.

00:50.250 --> 00:52.710
So it's hidden amongst their files.

00:52.710 --> 00:53.760
We can connect to it.

00:53.760 --> 00:57.540
So that's why it's a backdoor, because we can access the Web site through the backdoor.

00:57.650 --> 00:58.430
Think of it like that.

00:59.000 --> 01:04.170
And once we've got that connection set up we can literally do anything to that person's Web site, so we can

01:04.170 --> 01:06.180
edit the files, we can deface the Web site.

01:06.180 --> 01:11.760
What I mean by that is we can edit the index.php, we can edit the text on the Web site, we can connect to

01:11.760 --> 01:12.830
the database, we can.

01:13.050 --> 01:16.140
Basically we have full control over the Web site.

01:16.140 --> 01:18.450
Think of it like a remote admin panel.

01:18.450 --> 01:23.670
So an admin panel: the administrator of the Web site logs in and can access the files,

01:23.730 --> 01:24.870
accounts, et cetera.

01:24.870 --> 01:31.380
It's similar to that except it's our payload, it's a backdoor. So open your Metasploitable machine

01:31.380 --> 01:32.550
so we can connect to it.

01:32.670 --> 01:38.640
Just type ifconfig and get the IP address of the server, and open Kali Linux and visit it in

01:38.640 --> 01:40.740
a URL, so you just type in the URL.

01:40.740 --> 01:45.210
So for me it's 102; that will be different for you. Just click on that, this should be familiar

01:45.210 --> 01:51.060
from the previous video. Instead of going to Mutillidae we're going to go to DVWA, click on that

01:51.540 --> 01:52.410
and log in.

01:52.410 --> 01:58.710
So the username is admin and the password is just password. That's already saved for me so you just click

01:58.710 --> 01:59.280
log in.

01:59.460 --> 02:03.870
Once you've done that just save the password so you don't have to keep typing it in and you'll be presented

02:03.870 --> 02:05.460
with this.

02:05.700 --> 02:12.630
So DVWA is a web application that is vulnerable, and its main goals are to be an aid for security

02:12.630 --> 02:16.430
professionals to test their skills and tools in a legal environment.

02:16.440 --> 02:21.840
It will also help web developers better understand the processes of securing web applications

02:21.840 --> 02:27.540
and aid teachers/students to teach and learn web application security in a classroom environment.

02:27.540 --> 02:32.130
So hopefully that clears up what this actually is. Think of this as just a Web site.

02:32.130 --> 02:37.410
So this could be anyone's Web site, say this is a small business and this is their Web site and

02:37.410 --> 02:41.340
they don't have much money and they don't have much knowledge on cyber security.

02:41.880 --> 02:47.010
So essentially they would probably employ you to look at their Web site and penetration test their

02:47.010 --> 02:52.620
web applications to find vulnerabilities, like I was saying before about a job Web site, they might

02:52.620 --> 02:57.600
pay you to find vulnerabilities when uploading a file or using brute force.

02:57.600 --> 03:03.750
So all these down here are vulnerabilities, typical vulnerabilities within a Web site.

03:03.810 --> 03:08.700
So the amount of small businesses that I've seen that have these types of vulnerabilities is quite a lot, to

03:08.700 --> 03:12.720
be honest and you can earn good money from penetration testing.

03:12.720 --> 03:19.530
So what I want to get into is cybersecurity, but penetration testing is my favorite thing

03:19.530 --> 03:21.240
because I like the challenge of it.

03:21.720 --> 03:26.760
So this part is really interesting for people who are interested in that. I also think if you're not then

03:27.270 --> 03:30.320
there's not much point watching these videos.

03:30.780 --> 03:34.140
So let's get started. The first one we're going to use is the upload.

03:34.440 --> 03:39.480
So we're gonna find the vulnerability within it and exploit it and upload our payload and edit some

03:39.480 --> 03:40.650
files.

03:40.710 --> 03:46.000
So imagine this person's Web site is a small job Web site and you upload an image of yourself.

03:46.080 --> 03:47.550
So you just click on Browse.

03:47.550 --> 03:50.010
This is like a normal upload script, a PHP script.

03:50.010 --> 03:54.560
You just click on Browse you find your image and then upload it.

03:55.940 --> 04:01.490
But the one thing you need to do, and make sure you do this first before you upload your actual file,

04:01.970 --> 04:08.360
is go to DVWA Security and change it from high to low, because we'll start on low.

04:08.370 --> 04:13.010
And once we get throughout this section of the course, because we're only on Web site penetration testing,

04:13.010 --> 04:17.960
we've done client side, we're on Web site, then we'll go onto server and then we'll do extra, like miscellaneous

04:17.960 --> 04:20.210
stuff, but change it to low.

04:20.230 --> 04:24.650
And then once we get further on in the course we'll change the security up.

04:24.730 --> 04:30.140
Essentially it just makes it more difficult to actually exploit once it's on high. Medium and low, you

04:30.140 --> 04:33.500
get the idea. The security on this Web site is now low.

04:33.500 --> 04:36.210
So let's go back to upload and let's upload an image.

04:36.440 --> 04:38.840
So let's say this Web site lets us upload our image.

04:38.840 --> 04:42.320
I've got a random image from an old video so I'll just upload that there.

04:42.350 --> 04:44.040
That's me with a horse mask.

04:44.060 --> 04:46.300
If you haven't watched it, that's from the hacking demo.

04:46.400 --> 04:48.750
You click on open and click upload.

04:49.010 --> 04:49.810
So there we go.

04:49.970 --> 04:53.880
hackable/uploads/pic2.jpg has successfully uploaded.

04:53.970 --> 04:58.640
And as you can see here we've got a directory of where it's uploaded, so we can actually visit this image

04:58.760 --> 05:05.690
on the Web site's directory, because a Web site essentially will have the index.php, then it will have

05:05.690 --> 05:07.920
a sub directory of uploads.

05:08.060 --> 05:13.370
In this case it's got hackable and then uploads and that's where the uploads go. So to find this, if you

05:13.370 --> 05:15.330
look closely here there's two dots.

05:15.350 --> 05:16.350
Two full stops.

05:16.350 --> 05:21.590
A forward slash, two dots, forward slash, that means go back a directory, go back a directory.

05:21.590 --> 05:26.900
So it's basically saying here to go back two directories, and that's because we're in the upload and

05:26.900 --> 05:28.010
we're in the vulnerabilities.

05:28.010 --> 05:34.850
So it's saying go back out of upload and back out of vulnerabilities, then you can type hackable, then

05:34.850 --> 05:41.120
you can go to uploads so you click on that and you can see here these are images that we've just uploaded.

05:41.420 --> 05:47.140
So most popular Web sites that allow images to be uploaded will have a directory such as uploads where

05:47.150 --> 05:49.520
all the images go, or uploads from users.

05:49.520 --> 05:50.280
So we click on that.

05:50.300 --> 05:51.770
That is the image we just uploaded.

05:51.800 --> 06:00.280
So now we know the image is actually stored on their server, but let's say we generate a PHP file and

06:00.280 --> 06:01.210
we upload it.

06:01.280 --> 06:06.330
This is where the vulnerability comes into it because it's not checking for file extensions et cetera.

06:06.510 --> 06:11.350
Let's generate a PHP backdoor shell.

06:11.480 --> 06:17.180
So I'm going to open Terminal, or rather Terminator so you can see it better, because you can actually

06:17.510 --> 06:27.800
zoom in. And to create this all you need to do is type weevely. So this is weevely, it comes pre-installed

06:27.800 --> 06:33.320
on Kali Linux, and then all you need to do is type generate then type a password.

06:33.350 --> 06:35.130
So this is a password for the shell.

06:35.270 --> 06:40.520
Like I said before, think of it like an admin panel. An admin panel will have a login for the admin such

06:40.520 --> 06:41.450
as your username and password.

06:41.450 --> 06:43.450
This one only has a password.

06:43.580 --> 06:51.680
So this is, quite ironically, this is for security purposes. Even though we're uploading a payload to their

06:51.680 --> 06:52.910
server.

06:52.910 --> 06:54.620
We don't want them to be able to access it.

06:55.400 --> 07:01.120
So we have a password, so let's just have 12345. Then we need to store the shell somewhere.

07:01.760 --> 07:08.200
So this is, we'll just call it shell.php and it's going to be stored inside the root directory. Click

07:08.240 --> 07:10.770
enter and there we go, it's generated.

07:10.910 --> 07:13.370
So if I type ls you can see

07:13.430 --> 07:14.350
shell will be here somewhere.

07:14.350 --> 07:15.050
There we go.

07:15.050 --> 07:16.660
shell.php.

07:16.970 --> 07:18.490
So this is just in the root directory.

07:18.500 --> 07:21.860
So if you go to Places, Home, and here it is.

07:21.860 --> 07:22.940
So this is our payload.

07:22.940 --> 07:29.540
So we're gonna upload this payload now and let's see what happens. So we'll upload it, open, and click

07:29.540 --> 07:30.350
upload.

07:30.380 --> 07:31.110
There we go.

07:31.280 --> 07:32.140
hackable/uploads/

07:32.140 --> 07:35.150
shell.php has uploaded successfully.

07:35.150 --> 07:41.300
So now we know our payload is on their server, so our virus essentially has found its way into the server

07:42.040 --> 07:45.430
and now it's just sitting there waiting for us to connect to it.

07:45.600 --> 07:50.020
And all you need to do to connect to it is type weevely.

07:50.060 --> 07:52.040
So weevely again.

07:52.160 --> 07:56.120
Then you need to type the URL of where the payload is stored.

07:56.150 --> 08:01.280
Think of this like a virus that's entered somewhere and it's just staying quiet until you connect

08:01.280 --> 08:04.240
to it and then it can take over.

08:04.370 --> 08:11.930
So obviously in this case this person's Web site is vulnerable and it's really quite bad, to be honest,

08:12.050 --> 08:16.910
if it has this level of security. So if you find a Web site that allows you to just upload PHP files,

08:16.910 --> 08:20.440
that is really bad. You can email them and say, "Hi,

08:20.480 --> 08:22.640
I found a vulnerability with your Web site."

08:22.640 --> 08:24.880
They might give you a cash reward.

08:24.950 --> 08:30.540
So those are the benefits of being a good ethical hacker, not just a malicious one.

08:30.560 --> 08:34.490
So I'm going to take the IP address of the server.

08:34.490 --> 08:38.970
Now if this was a genuine Web site you'd just type the URL of the Web site and then where the PHP

08:39.110 --> 08:51.670
file has been stored, so forward slash, it's in dvwa, dvwa, and then let me just make sure I got it

08:51.670 --> 08:52.870
right.

08:52.870 --> 08:54.980
So it's hackable.

08:55.420 --> 08:57.880
Remember you go out of these two directories.

08:57.880 --> 09:00.550
So it's just hackable and then uploads.

09:01.210 --> 09:03.990
So if you think of a normal Web site.

09:04.000 --> 09:09.010
So a typical Web site will not say where it's been uploaded, but if you think of the previous video

09:09.010 --> 09:14.410
where you can use a script to find all the directories and sensitive files and sub directories then

09:14.410 --> 09:18.220
you can put these two things together and then find it that way.

09:18.220 --> 09:19.210
So it's very clever.

09:19.210 --> 09:26.910
What you can do with all this stuff if you use your head. But uploads and then shell.php and then

09:26.920 --> 09:32.590
all you need to do is type the password, which is 12345, hit enter. Just type in whatever

09:32.590 --> 09:33.700
password you saved.

09:33.700 --> 09:34.480
And there we go.

09:34.480 --> 09:35.490
So we've got a session.

09:35.680 --> 09:36.700
Type help.

09:37.590 --> 09:38.320
And there we go.

09:38.320 --> 09:39.850
So our payload's uploaded.

09:40.060 --> 09:41.940
These are the commands that we can execute now.

09:41.940 --> 09:45.220
So we've basically got full control of their Web site.

09:45.340 --> 09:47.790
We can remove files.

09:47.800 --> 09:55.270
We can edit files. So let's see where we are, so we're currently in www/dvwa/hackable.

09:55.270 --> 10:02.500
So let's go into /var/www/dvwa/hackable

10:05.720 --> 10:12.620
so now we're in hackable, type ls, so there's uploads and users, so we can go into the users.

10:12.620 --> 10:14.240
Let's just go back and see the uploads.

10:14.360 --> 10:14.960
Now.

10:15.230 --> 10:18.470
You could go to the main directory with the index.php.

10:18.680 --> 10:22.010
So let's go to that because that's typically what the main web site would have.

10:22.010 --> 10:28.550
So it'll be just in dvwa. Let's type ls, ignore these warnings here because as you can see it

10:28.550 --> 10:29.090
still works.

10:29.120 --> 10:33.950
Now we're on the main directory of the Web site. As you can see here there's an index.php and we can

10:33.950 --> 10:36.520
remove that and deface the website.

10:36.560 --> 10:40.360
So what you do is you just remove the file by using a command here.

10:40.370 --> 10:46.320
So file_rm, file underscore rm, remove index.html.

10:46.370 --> 10:52.580
In this case I think it's PHP, so index.php, and re-upload, so you can use file_upload

10:52.700 --> 10:56.170
and then upload a new index.php.

10:57.860 --> 11:02.480
So I'm not going to be showing you any sort of commands in this video, I was just showing you how

11:02.480 --> 11:11.390
to actually see a vulnerable part of a Web site, and deface it, look at your, what can I say, like your

11:11.390 --> 11:12.470
first vulnerability.

11:12.470 --> 11:18.500
So your first pen test. It's a simple one because the security of the Web site allows this; it will not be

11:18.500 --> 11:20.580
found on many Web sites these days.

11:20.590 --> 11:22.270
Well, it's still useful to know.

11:22.280 --> 11:27.040
So now we've got full access, our payload's uploaded and that's basically it.

11:27.170 --> 11:33.240
So we've got full control. In the next video we'll look at another attacking method and then we'll start

11:33.240 --> 11:38.820
to increase the security, when it gets a little bit more complicated to upload our shell.

11:39.170 --> 11:44.970
And hopefully this gives you an idea of how Web sites are actually exploited and hacked.

11:44.970 --> 11:46.700
So I'll leave it here for now.

11:46.770 --> 11:50.130
Just for this video, so if it did help please leave a comment.

11:50.130 --> 11:52.090
If you're stuck with anything please leave a comment.

11:52.290 --> 11:57.440
Please leave a like if it did help subscribe for future content and I will see you all in the next video.
