Thursday 19 December 2013

Nowadays it’s easy to hack a website in just four steps

Hackers (extremexploit.com)

Until recently, hacking a website required above-average technical knowledge, but these days it has become child’s play. As with any conventional search, you can Google the tools needed to plan an attack on a website and, with a little effort, carry it out. Here, in four easy steps, is how hackers do it.

Step 1: Identifying

Hacktivists first identify the website they want to attack. They qualify candidate websites by how vulnerable they are. Checking a website’s vulnerability lets the hacker prepare the tools and techniques required to bring it down.

Hackers generally use Google Dorks, also known as Google Hacking, to run a vulnerability check and find these easy-to-hack websites. Very recently a hacker posted a list of 5,000 such websites that were really easy to attack. If they don’t wish to use Google, they can use Bing. This technique is heaven for hackers, as it helps in qualifying such websites.

Hackers have a ready-to-refer index of Dorks, each of which points to websites with a particular vulnerability. From passwords to login credentials, there is a Dork available for everything. They would Google “intitle:"Index of" master.passwd”, which returns files containing passwords, and then they have a list of potential victims ready for the hack.

Step 2: Spotting the vulnerabilities

Acunetix, a Windows-based application developed by a UK-based company, was designed for testing websites and is still in prominent use by developers to find vulnerabilities in their sites. Hackers with technical expertise in the tool use it to pinpoint a website’s weaknesses. Once a site has been identified for attack, hackers use the tool to check how vulnerable it is, as not every website qualified in Step 1 will be susceptible to attack.

Since the hackers have in-depth knowledge of this software, they can not only crack the trial version; a cracked version is also freely available within the hacker community. Once they enter the URL or website address into the software, they can point out the loopholes in the website, and then they simply move on to Step 3.

Step 3: The Attack on the website – SQL Injection

SQL injection is the easiest and most widely used way for hackers to break into a website. Hackers use it to get into user accounts and steal information stored in the site’s databases. The attack steals information using a few lines of SQL (Structured Query Language), which is a database programming language. The hackers don’t even have to learn the language for this attack, as software called “Havij” is available free of cost on hacker forums. It comes as an easy-to-use application. Havij was originally developed in Iran. The word itself means carrot, a crude slang term for penis, ultimately meaning that the hack-ware helps in penetrating a website.

Havij has 2 versions, paid and unpaid, which differ in their penetrating power, although the paid version can be cracked and downloaded from other hacker forums. The interface is as simple as that of any other Windows application: a newbie hacker just copies the link of the website to be hacked, pastes it into the application, and the software does its work.

The tasks Havij can perform are very surprising. The best one for hackers, and the worst for the website’s users, is called “Get”. It fetches all the data stored in the target website’s databases, ranging from usernames and passwords to phone numbers and bank details.
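Why a single pasted link can end in a full data dump comes down to how the site builds its queries. The following is an added example, not code from the original post: a lookup that concatenates request input into SQL next to the parameterized form that closes the hole, run against an in-memory SQLite table. The table, rows and crafted input are constructed for illustration.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, phone TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "555-0100"), ("bob", "555-0101"), ("carol", "555-0102")],
    )
    return db


def lookup_vulnerable(db, name):
    # Vulnerable on purpose: the request value is pasted into the SQL text,
    # so quote characters in it change the structure of the query.
    query = "SELECT name, phone FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_safe(db, name):
    # Hardened: the statement text is fixed and the value is bound as a
    # parameter, so the database only ever compares it as data.
    return db.execute(
        "SELECT name, phone FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input of the kind an automated tool submits in place of a name.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input: ", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, CRAFTED))
    print("safe, crafted input:      ", lookup_safe(db, CRAFTED))
```

With the concatenated query the crafted value returns every row in the table; with the bound parameter it matches nothing, which is the fix to ask a developer for wherever request input reaches a query.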

It is so easy that within a couple of minutes hackers can search for, download, and use one or two automated hack-wares that give them access to websites vulnerable to such attacks. Rest assured that the websites of high-profile companies like Google, Microsoft and Facebook are completely safe from such tools. As mentioned before, the vulnerability of the web is shown by the attack on Sony’s PlayStation Network, which led to the leaking of its customers’ personal information in a very similar way.

Step 4: The DDoS – The A Game

The infamous hacktivist community Anonymous has used SQL Injection for over a year now, but it tends to move on to DDoS when simple tools like Havij don’t work. As with the SQL (pronounced “sequel”) Injection attack, there are freely available tools for DDoS as well.

As it appears, DDoS is as simple as the SQL Injection attack. The program used here is called the Low Orbit Ion Cannon (LOIC), which was created by web developers for stress testing their own websites but was later hijacked by hackers to attack websites for anti-social purposes.

LOIC is freely available to hackers on the website SourceForge. As with Havij, the hackers just have to type in the link of the website they want to DDoS and the application does the rest. LOIC overloads the server of the target website with up to 200 requests per second.
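A flood at that rate from one address stands out clearly in request logs. The detector below is an added example, not part of the original post: it slides a one-second window over (timestamp, client) records and reports each client that exceeds a per-second limit, along with when it first crossed it. The limit of 50, the record format and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


def find_flooders(events, limit=50, window_ms=1000):
    """events: (timestamp_ms, client_ip) pairs sorted by time.

    Returns {ip: (first_ts_over_limit, peak_requests_in_window)} for every
    client that sent more than `limit` requests within any `window_ms` span.
    """
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    report = {}
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while q[0] <= ts - window_ms:   # drop requests that left the window
            q.popleft()
        if len(q) > limit:
            first, peak = report.get(ip, (ts, 0))
            report[ip] = (first, max(peak, len(q)))
    return report


# Constructed traffic: one client at 200 requests/second (the LOIC figure
# quoted above) for three seconds, one ordinary visitor at 2 requests/second.
FLOOD = [(i * 5, "203.0.113.7") for i in range(600)]
VISITOR = [(i * 500, "198.51.100.20") for i in range(6)]
SAMPLE_EVENTS = sorted(FLOOD + VISITOR)

if __name__ == "__main__":
    for ip, (first, peak) in find_flooders(SAMPLE_EVENTS).items():
        print(f"{ip}: over limit from t={first} ms, peak {peak} requests/s")
```

The same per-client counter is what a rate limiter at the web server or load balancer enforces in real time, rejecting requests above the limit instead of reporting them afterwards.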

Again, the bigger websites can easily cope with this type of attack without crashing; most other websites cannot. If a group of hackers, even newcomers, dedicates itself to the job, it is very easy for them to complete it.

This type of technology horrifies readers, but it is so simple for hackers to use that they can even control it from their phones, meaning that they could well be watching a movie with their buddies in the cinema while attacking the website they want to bring down.

This is not an exhaustive account of how hackers carry out the act; there are many tutorials on various hacking forums that teach how to perform the attack. There is no end to this menace, in many cases a heinous crime, which has caused losses of millions and millions of dollars to the world. So are you going to get your website checked by your developer today? Maybe today would be a really good day to get it done.
