How to hack a website with Kali.

As of 2015 there was an estimated 863 Million websites on the internet.  The subject of the websites ranges everywhere from the family cat photos to millions of users data and financial information.  If you run a website you are responsible for it’s security, and you are also responsible for the information stored on the server.  Being able to hack a website with Kali is the first step to knowing how to protect your website.

When you learning how to hack a website the first thing that you should consider is what your end goal is with the attack.  Is it to dump the database contents? What about finding a command injection and taking over the server?  Another option is to take the website offline.  This guide will touch on all of these, however it will focus on the first which is dump the database.  Often times the goal is to get the information off of the server, and that is what dumping the database will do for you.

Note: Learning to use sqlmap is not real hacking. But hey, it’s how anonymous does it. Understanding how this stuff works it knowing how your website will be attacked, which is in fact valuable.

Prerequisites

  • A computer running Kali Linux or Kali running in a VM.
  • Some time
  • The willingness to learn

Well that was pretty basic right?  Kali includes everything that you need for learning the basics of how to hack a website.

Getting Started

Listen Up! When you hack a website that you don’t have permission to mess with, it is a punishable crime.  Please use this on a website that you own, or you have permission to run a pentest on.

I have already started up Kali.  You can see that I don’t use the default Kali installation.  I use the Kali Mate install, so some things may look a little bit different from what you see or you are used to.  Don’t let this get you off track. Plus, we are hackers, we will be spending most of our time in the terminal anyways.

Kali mate default install.

Our first swing at this server will be an attack on the web application using Sqlmap.  Sqlmap is a tool that will not only automatically find sql injection vulnerabilities, but it will also exploit them for you and allow you to completely take over a database if an injection vulnerability is found.

For this demonstration I will be attacking a web application called DVWA (Damn Vulnerable Web Application).

Damn Vulnerable Web Application

One thing about DVWA is that it requires you to be logged in to access the vulnerabilities.  I have already logged in, but we will need to pass Sqlmap a session id so that when it attacks the website, it also is logged in.

I have installed Cookie Monster in Firefox so that we can grab that session ID.  I will grab that session but I am not going to show the process because it will be different for you.  What you need to take from this is that if you are attacking a website that requires you to be logged in, you will need to log in with a browser and grab the session ID. Now, moving forward.

Before we get to whacking at this server, we need to get an idea of where we are going to attack the site.  You want to look for GET requests in the url, these are the simplest to exploit.  You can also exploit POST requests exactly the same way using the –data flag in Sqlmap but we are just going to focus on GET requests .

The get request that we are going to go after is the one:

The command we will use to check this for vulnerabilities we will use this command in Kali:

The –cookie=’security=low; PHPSESSID=8gd2u2r91j3t6lai65k6uerqe6′ can be omitted if you are attacking a page that doesn’t require you to be logged in, otherwise you will need to replace it with a session ID of a logged in user.

After running sqlmap will dump everything that it is doing into the terminal.  This output is the process of finding vulnerabilities in the URL.

See the full output from my command here.

Next we will have sqlmap tell us what tables there are in the database.  This time we will run the same exact command, except we will add ‘–tables‘ to the end of it.

Pretty nifty huh?  See the full output of my command here.

At this point we have completely compromised this system.  We can now pull any data that we want, take the site offline, deface it, or whatever else we decide to do.

Let’s see if we can find some user information.  If you look at the full output from the –tables command you can see that in the ‘dvwa‘ database we have a ‘users‘ table, so let’s grab them.

Command doesn’t look all that different does it?

See the full command output here.

As you can see, sqlmap was able to pull the users from the database and even cracked them for us using a simple dictionary attack.  Chances are you will want to crack the passwords outside of sqlmap, but for this demonstration it worked.

Some notes on alternative hacking methods.

So if sql injection isn’t what you are after, you can also try to attack the webserver directly.  To do this you can use tools like Nikto or Metasploit.  If you are only interested in taking the website down, maybe a DDoS is in order,  granted that is usually temporary.

Well, now you know how to hack a website with Kali Linux.  If you run into any problems, or have any questions please feel free to leave a comment.  If you would like a guide on other techniques let me know in the comments and I will do what I can to get a guide written for you.

Thanks for reading!

Daniel is a freelance web developer and IT consultant with a passion for security and privacy. Although he isn't much of a writer, he enjoys writing blog posts that help out others in the community.

Leave a Reply

Your email address will not be published. Required fields are marked *