When you are a webmaster, it is your responsibility to not let your server turn into a spam spewing, DDoSing, password cracking, malware command and control server. You also have a responsibility to keep any information that you collect on your users safe. Just ask Yahoo! and their 1 billion users.
To add to that, it really isn’t hard to leave a wide open gaping hole on your website that can lead to hackers not only doing things like defacing your website or stealing personal data on your users, but also installing software for controlling botnets behind your website without you even knowing.
These tools aren’t perfect, but they don’t have to be.
Any real hacker out there is going to look at this list and tell you that this isn’t going to protect you from any serious attack. If somebody wants in, these tools aren’t going to protect you. And they will be right. But let’s be honest with ourselves, do the Russians care what’s on your website? Probably not. What you probably want to concern yourself with is the script kiddies that use these very tools exclusively to compromise websites for the lulz or to add to their botnet for DDoSing Steam.
These “hackers” are the majority of the threats on the internet, and even though they aren’t real skilled they don’t have to be to do some serious damage or compromise the security of your website users.
I don’t get any traffic, I highly doubt that a hacker is going to find my site.
www.shodan.io. Literally a search engine for vulnerable websites, applications, servers, etc.
Okay, so what are these tools?
Chances are you have heard of a couple if not all of these tools. There is also a chance that you simply dismissed them because they are only used buy kids and skids. Well let me reiterate that unfortunately these are the people that probably will reck you.
1. Sqlmap – Automatic SQL injection and database takeover tool
Yup, the all time script kiddie website pwner. Dumping databases has literally never been easier. With just a couple of commands this tool will search for vulnerabilities in queries or forms, tell you what they are, exploit them, and dump a database. As an added bonus it can even run a dictionary attack against the passwords if you want. It’s a one stop shop, and you can use it for free to attack your own website.
Nikto – Open Source web server scanner.
Nikto is another command line tool that will first use the robots.txt and visit everything listed there, and then spider through a website and spot anything that seems interesting. It will find things like a test directory (example.org/test/test.php) or pages that dump the phpinfo(). You would be surprised at the amount of stuff that Nikto will find on any give web server.
Additionally, after the spidering Nikto will start looking through the visible software on the server and find things like outdated Apache servers, or OpenSSL servers that are affected by public vulnerabilities and tell you what they are like this:
That is a no access required, remotely exploitable, incredibly high impact vulnerability with an exploitability subscore of 10. It is literally as good as it gets for a script kiddie and this server is online right now just ripe for the picking.
This will will get exploited at some point and there will be catastrophic data loss or a significant leak of data. I notified the administrators of this community and they are convinced it’s not an issue so to hell with them. But I digress. My point here is don’t be that guy.
w3af – Web Application Attack and Audit Framework
W3af is unique to this list because it is a GUI application. It is also a point and click audit and exploitation tool. It’s a pretty nasty tool with it in the wrong hands, but if you audit your site before somebody else “audits” it you will be in good shape.
W3af is the latest and greatest when it comes to open source vulnerability scanners, and it is available by default in Kali Linux just like the rest of these tools. I personally don’t use this tool as often because I hate the GUI. I know that’s a stupid reason but, whatever.
All three of these tools are incredibly easy to use, and there are in depth guides for all of them all over the internet. I highly suggest that you install them or spin up Kali Linux and beat up your servers for a little while. Audit your websites and get a handle on using these tools so that you can do it before the bad guys.