PentestingDarkWebSites

A basic guide on hacking dark web sites. Know the site before you use it. How secure a site is tells a lot about who runs it.

A n00b's wet dream

Sites on the dark web are a perfect playground for people who want to get into hacking. Since they are already on Tor, they won't be able to see your IP. But it is still a good idea to also use a VPN. How seriously a site admin takes the security of their site can tell a lot about how good a site it will be. If they have a lot of security holes in their site, have terrible opsec, and don't PGP encrypt messages, they are either scammers that will exit scam at some point, or they are inexperienced and will be hacked at some point, or even raided and shut down by the feds. Either way your freedom and your hard-earned money are at risk. If you take the time to poke around the site a bit, test their security, and work out the site admin's motive, then you can save your money or your freedom. I'm not a 1337 haxor at all; you don't have to be. It would be cooler and probably better if you had the skills. The skills will come if you practice, do Hack The Box challenges and vulnerable VMs, and read a shit ton. The vulnerable VMs and Hack The Box are used for gaining experience. Google also has a site where you can learn about XSS.

To find sites to practice on, I usually click random ads on sites that are a bit sketchy: the sleazy type of market that will post any ad if you send them some coins. Anyone who is serious about the dark web knows that you should not use a site that has JavaScript, because JS can be used to get information about your browser, or even to infect you. But you would be surprised how many sites run JS. These are good sites to target. They are usually coded by n00bs who won't have any protection.

Server Page

A lot of web servers like Apache or nginx have server status pages enabled by default. To test whether a site has the server page enabled, add the following to the URL:

http://tacobell.onion/server-status

This page could give attackers sensitive information such as client IP addresses and which pages are being requested. It can also be used to fingerprint which web server is running; once they know the web server, all they need to do is guess the version. If you are running a vulnerable server version that has a public exploit available, then the server is going to get popped.

nginx also has a status page; it can be found by visiting the following web path:

http://tacobell.onion/nginx_status

Useful Tools

OnionScan is a great tool that can be used to test the security of a site. It does a simple scan of the onion and creates a report for the site.

Always look for an upload feature

A lot of new or inexperienced programmers will not restrict file uploads. Restricting them is very important for a site, because an unrestricted upload could allow a hacker to upload a shell onto the box. That would give them access to the server and could allow attackers to steal money or delete the site.

One trick is to find or code a back door in PHP and then rename the file with a double extension like:

profile_pic.jpg.php 

This method won't work every time, but there are stupid people in the world it might work on.

The first set of goals is to:

  • Bypass any upload filter
  • Get the machine to run the uploaded file

Another good way to bypass a filter is to change the magic number of the file. Magic numbers are the leading bytes that programs use to identify the file type.

File Type   Magic Number
PNG         89 50 4E 47 0D 0A 1A 0A
GIF         47 49 46 38 37 61                     (GIF87a)
GIF         47 49 46 38 39 61                     (GIF89a)
JPG         FF D8 FF DB
JPG         FF D8 FF E0 00 10 4A 46 49 46 00 01   (JFIF)
JPEG        FF D8 FF EE
JPEG        FF D8 FF E1 ?? ?? 45 78 69 66 00 00   (Exif; ?? = any byte)
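As an added example (not code from this guide), here is the server-side validation a careful developer would put behind an upload feature, using the magic numbers from the table above and refusing the double-extension names the text describes; the function names are assumptions.

```python
import os

# Magic numbers from the table above (the Exif JPEG entry has two wildcard
# bytes, so it is matched separately below).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpg": [b"\xff\xd8\xff\xdb", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
            b"\xff\xd8\xff\xee"],
}
EXIF_PREFIX, EXIF_TAIL = b"\xff\xd8\xff\xe1", b"Exif\x00\x00"
# Extensions the upload feature accepts, mapped to the type they must contain.
ALLOWED_EXT = {"png": "png", "gif": "gif", "jpg": "jpg", "jpeg": "jpg"}


def extension_problem(filename):
    """Return why the name is unacceptable, or None if it is a plain image name."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return "exactly one extension required"   # rejects profile_pic.jpg.php
    if parts[1] not in ALLOWED_EXT:
        return "extension not allowed"
    return None


def detected_type(data):
    """Identify the content type from its leading bytes, or None if unknown."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    if data.startswith(EXIF_PREFIX) and data[6:12] == EXIF_TAIL:
        return "jpg"   # the two "??" bytes after FF D8 FF E1 are skipped
    return None


def validate_upload(filename, data):
    """Accept only when the extension and the magic number agree."""
    problem = extension_problem(filename)
    if problem:
        return (False, problem)
    kind = detected_type(data)
    if kind is None:
        return (False, "unrecognised magic number")
    ext = os.path.basename(filename).lower().rsplit(".", 1)[1]
    if ALLOWED_EXT[ext] != kind:
        return (False, "extension does not match content")
    return (True, kind)
```

A PHP file with GIF89a prepended still passes detected_type(), which is exactly the trick the text describes, so the single-extension rule and storing uploads under a generated name in a directory the web server never executes are what actually stop the shell.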

SSTI

SSTI stands for Server Side Template Injection. Some websites are built on a template engine, which lets developers create static templates and fill in data at run time. These sites are built to be fast. A hacker could inject code into the template that allows them to get a shell on the machine, or at least to run commands on the system, which, if the hacker is skilled enough, would probably end up with a shell.

The following input can be used to test whether an application is vulnerable. If the application returns the answer to 1300+37 (1337), then it is probably vulnerable. The answer might be displayed on the web page, or the URL might show it. More can be found here

${{1300+37}}

#!/usr/bin/env python3
from flask import Flask, request, make_response, render_template
from jinja2 import Environment

# The original script imports POSTS from articles.py and sanitize() from waf.py,
# neither of which is included here, so minimal stand-ins are defined inline to
# make the script run on its own. The stand-in sanitize() filters nothing, so
# the app stays deliberately vulnerable, which is the point of the exercise.
POSTS = [
    {'title': 'First post', 'content': 'Sample article text.'},
    {'title': 'Second post', 'content': 'More sample article text.'},
]

def sanitize(query):
    return query

app = Flask(__name__)
Jinja2 = Environment()

@app.route("/", methods=['GET', 'POST'])
def home():
    if request.method == 'POST':
        query = request.form['query']
        query = sanitize(query)
        # The user's text is compiled and rendered as a Jinja2 template here:
        # this line is the SSTI.
        query = Jinja2.from_string(query).render()
        posts = []
        for po in POSTS:
            if query.lower() in po['title'].lower():
                posts.append(po)
        # render_template() looks for index.html in a templates/ folder next to
        # this script.
        return make_response(render_template('index.html', data=posts, query=query))
    else:
        posts = POSTS
        return make_response(render_template('index.html', data=posts))

if __name__ == "__main__":
    app.run()

This script creates a vulnerable web app that you can mess with to hone your mad skills. You will need Python 3 on Linux. You could also do it on Windows, but this guide will mostly focus on Linux.

Save the following in the same directory as the script above, in a file named index.html:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <link
      rel="stylesheet"
      href="{{ url_for('static', filename='style.css') }}"
    />
    <title>Document</title>
  </head>
  <body>
    <div class="wrap">
    <h2><a href="/">Search App</a></h2>
      <form action="/" method="post">
        <input type="text" name="query" id="query" />
        <input type="submit" value="Search" />
      </form>
      {% if query %}
      <p style="padding: 5px 0">Results for {{ query }}:</p>
      {% endif %}
      {% for po in data %}
      <div class="article">
        <h2>{{ po.title }}</h2>
        <p>{{ po.content }}</p>
      </div>
      {% endfor %}
    </div>
  </body>
</html>

source: https://medium.com/mii-cybersec/server-side-template-injection-e1cf2c4e2fb

XSS

XSS is a powerful tool. Sites on the dark web SHOULD NOT have JavaScript enabled, but there are sites that use it. These sites might have an XSS vulnerability in them. Last summer there was this dark web market I found named bit market or something. The admin of the market was clearly a noob. They had the Apache server page accessible, so I could see what pages were active and other things. On the page I found a URL that the admin was using to keep track of how much was in his market. It was a table that read directly from the database and had some user info and how much was in their balance. So the first thing I did was go to the admin login page and try to XSS it. The site had no protection.

I was able to send stuff like this:

<script>alert('hello')</script>

Then I went back to the page where the user info was, and I was able to create a pop-up when the page loaded. So I wrote a script that would keep creating users that had the payload in the name, so when the admin visited the page he would get a bunch of pop-ups. I did it for a couple of days, but then the admin caught on and removed the users from the database. He also started to add a bit of protection; sadly the protection was not that good, and I was able to inject an XSS payload similar to this one:

<img src="./WAP.html" onerror=window.open("https://pornhub.com","xss");>

Here are a few examples. There are more in the list in the XSS resource area at the end:

 */alert(1)</script><script>/*

 "><script>alert('xss')</script>

 j\avascript:alert`1`
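As an added example (not code from this guide or the Medium article it cites), the render used by the search app in the SSTI section is shown beside a safe version, and the XSS payloads above are pushed through the same safe path; it assumes jinja2 is installed, and the function names are mine.

```python
from jinja2 import Environment

# Constructed fixed page fragment: written by the developer, never by the user.
RESULTS_TEMPLATE = "<p>Results for {{ query }}:</p>"


def render_unsafe(query):
    """What the search app above does: the user's input IS the template,
    so {{1300+37}} is evaluated by the engine instead of being displayed."""
    return Environment().from_string(query).render()


def render_safe(query):
    """Fixed template, user input passed in as a variable, autoescaping on.
    Jinja2 never parses the input, and any HTML in it is escaped on output,
    which also neutralises the <script> and <img onerror> payloads above."""
    env = Environment(autoescape=True)
    return env.from_string(RESULTS_TEMPLATE).render(query=query)


def looks_like_template_probe(query):
    """Detection helper (assumed name): flag inputs carrying template syntax,
    such as the 1300+37 probe, so they can be logged and reviewed."""
    return any(marker in query for marker in ("{{", "{%", "${", "<%"))
```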

SQL Injection

<Iframe SrcDoc="<Script Src=URL></Script>">

Osint

OSINT stands for open source intelligence. It is pretty easy; it's basically trying to find as much information about a target as you can using the internet or other publicly available sources. Anyone who uses the internet leaves some kind of breadcrumb.

This tool is a wrapper for OnionScan that does a scan and outputs a pretty report.

Bypass login

Logic always wins. Sometimes sites will have vulnerable logins. A hacker could use one of these queries to log in to other users' accounts.

A vulnerable SQL Query would look like this:

$query = "SELECT * FROM `users` WHERE user_name='$user_name' and password='$password'";

By attempting to log in with

`x' OR '1' = '1`

This will trick the login system into logging you in, because the database reads it as 1 = 1, which is always true. The code then logs in as the first user in the database, which is most times the admin of the site, or as any user whose username was entered. It is a good idea to also try admin as the username. A lot of the time custom-made login systems will be vulnerable to this type of attack, like IP cams or routers. But you never know how n00by the programmer was until you test whether it's vulnerable.

The whole query looks like this:

SELECT * FROM users WHERE user_name = 'x' OR '1' = '1' AND password = 'x' OR '1' = '1'
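An added example (not the guide's code) that runs the string-built login query from the text beside a parameterised one against a constructed in-memory SQLite table; the function names and sample users are assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample table; admin is the first row, as the text assumes.
    Passwords are plain text only to mirror the query above; real code
    stores password hashes and compares them in application code."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
               "user_name TEXT, password TEXT)")
    db.executemany("INSERT INTO users (user_name, password) VALUES (?, ?)",
                   [("admin", "hunter2"), ("alice", "s3cret")])
    return db


def login_vulnerable(db, user_name, password):
    """Mirrors the PHP query above: the inputs are pasted into the SQL text,
    so a quote in them ends the string and the rest becomes query logic."""
    query = ("SELECT user_name FROM users WHERE user_name='%s' and password='%s'"
             % (user_name, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, user_name, password):
    """Parameterised query: the driver sends the inputs as data, never as SQL,
    so the same input is compared literally against the stored columns."""
    row = db.execute(
        "SELECT user_name FROM users WHERE user_name=? and password=?",
        (user_name, password)).fetchone()
    return row[0] if row else None
```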

There are a bunch of other logical statements that could be used. These can be found at:

Resources

XSS

SSTI

File upload

Tools

SSRF

SQL Injection

HANDS ON SITES