Since there are excellent tuts on this already, I am not going to spend a lot of time on this. One question I see a lot from newbies is that they "can not locate the htpasswd"....
A few notes on htaccess and htpasswd:
- - htaccess only sometimes shows the dir to the htpasswd (or passwd or different name)
- - the chances of getting this file are slim, as this vulnerability is well-known out there and most webmasters have denied you access, hidden the file, or placed the file on their home dir.
For the fans, here is some more detailed info on the subject I found:
In order to find the .htpasswd (or interpret the .htaccess) you need to understand the difference between the web root and the system root.
The AuthUserFile is specified in terms of the system root. That is, the directory structure you would see if you were actually logged into the computer through a terminal.
When a web browser accesses a machine, it is through a web server. The web server is configured so that the browser will start at some specific directory in the machine. I refer to that as the web root. It is specified in the web server configuration file, off in some directory you can't browse to.
So, lets say that the web root is set to /home/users/www.site.com/www. When you surf to http:/www.site.com/ you find yourself in the machine directory /home/users/www.site.com/www (but nothing really tells you that), and if there is an index.html there, you will display it.
So lets say that the web root is set as above, and that the .htaccess contains the line:
code:
--------------------------------------------------------------
AuthUserFile /home/users/www.site.com/www/hidden/.htpasswd--------------------------------------------------------------
(or something similar)
Applying what I said above, you would find the .htpasswd at:
code:
--------------------------------------------------------
http://www.site.com/hidden/.htpasswd--------------------------------------------------------
Since the web root is /home/users/www.site.com/www. You still may not be able to read it because it might be forbidden through some other method, say only accessible from certain IP addresses, or . files are not accessible through their web server.
Now, lets say the .htaccess said:
code:
--------------------------------------------------------------
AuthUserFile /home/users/abc.com/hidden/.htpasswd--------------------------------------------------------------
Now, there is no way we can get to it since the web root puts us in home/users/www.site.com/hidden/www and we are well past the days when you could back up above a web root in an Apache web server.
If ../ worked, we would be in luck, since we could specify
http://www.site.com/../hidden/.htpasswd. This used to work, or the unicoded version worked, or the double unicoded version worked, or quotes worked, or unicoded quotes, etc., etc. Not so anymore....
Our only hope, when the .htpasswd is not on the web root, is to find another exploit that will allow us to access files. Such things exist but are hard to find, so read on....
SO NOW WHAT?Well, as you tried to get the passfile looking for it in the obvious locations, and failed...maybe there are other ways of obtaining it....
Using AD or another security scanner, you can start looking for so-called vulnerabilities. This means testing the website for security, and trying to find ways into the site. How does this work, you ask? We need a tool to test the security...
For these essays, I will be talking about a tool called WebSiteFinder, or WSF in short. Written by Wolfman, this is a great tool, in my opinion. AD or Passcraft can do the same, so use whatever you feel comfortable with. If you start out, use AD.
To make these tools really effective, you need an exploit list. This is a list of basic paths that will be tested for possible vulnerabilities or access against the website. AD offers a basic exploit list, at least the older versions did. Exploit lists can be found all over the web, but please realise these are very basic, and some of the holes (=vulnerabilities) they have in it, are old and will not work anymore on most sites.
HOW TO MAKE YOUR OWN EXPLOIT LISTReally good exploiters or crackers will not share their lists with you. The reason: Once some exploits are made public, chances are the holes will be discovered quickly and thus closed! And that is a bummer.
So you have to build your own list. How, you ask? Here are a few tips.
1. ANALYZE, THINK, STUDY, BE CREATIVEFirst place to start, is to analyze your current exploit list. What makes sense, and what does not. What paths do you understand? Why do you think that particular path is a vulnerability, and if you came accross it, how would you use it? If you don't know, ask on a forum via PM, there are many people around that can and will help you. Moreover, read up on security sites (better get used to it), such as packetstorm, securiteam, etc.
NOTE: It is no use to just try exploits on sites if you don't understand what you are doing. The results can be very bad. You could, unwillingly, do damage to the site!
2. KEEP YOUR EYES ON THE SCREENLook at directory trees of sites you visit. Try to go up and down in levels in the dir to possibly find more holes...copy these to your exploit list.
3. STATS and LOGSThese are KING in my book. Why? Stats show the requests made to a website, and some stats list all the requests....including those of someone trying to exploit the site. The paths that this person tried may not have worked on the site, but heh, copy them to your exploit list, they may come in handy for other sites! Access logs show the same thing...moreover, they might tell you alot about the server, home server (FTP logs), usernames, and the basic website structure.
INTERMEZZO: "What to do with the usernames?"This is a question I get a lot. Someone has seen the stats, and now has a list of usernames. Now what? Well, half the battle is won! Remember the statement I made about increasing your chances in getting access? This is it! Proceed in two ways:
1. Use the usernames and one of your wordlists to do a BF attack
2. Match the usernames to working combos you have. There are tools for this, and try to see if the combos work. Many users use the same password for different sites...see where I am getting at?
4. GOOGLE, GOOGLE, GOOGLE!I love google. I embrace googling. You should too. Make googling your hobby! Type in a path or exploit, and see what you get, you will be surprised! It will lead you to access logs, vulnerability reports, cool sites, etc. Whatever you find and think is useful, copy to your exploit list...