Here I have written how a hacker actually pentests a website, and at the end of the post you will find some of the best website pentesting tools available.
Being a hacker doesn’t mean you just pick up tools and attack. Trust me, following the proper method is always more fun and definitely gives a professional kick.
Information Gathering – During IG, the hacker searches for useful information that has been leaked onto the Internet about the application or organization. This information can vary from target names to source code to the email addresses of regular users or, in the case of a poorly developed website, admin account login credentials.
Most noobs skip this step. Please avoid this mistake: the more you know about your target, the better your chances of succeeding.
Mapping – During the mapping phase, the hacker interacts with the various components of the website. This phase gives them an understanding of the functionality and transactions available within the web application. This step is important because it helps in finding flaws and vulnerabilities within the site.
Exploitation – Exploitation comes in many forms depending on the vulnerability you have found. In many cases, the goal is to retrieve data or gain full access to the systems. Using a tool like Laudanum to get a shell on a system and then add local users is a great window of opportunity.
Don’t forget Metasploit, as it is the go-to framework housing numerous exploits. This step is useless if you haven’t done the above steps, because then you practically don’t know anything about the website.
Post-Exploitation – After all the heavy lifting, the hacker makes sure to leave a back door in the site, which would give them easy access in future and save them from doing all the work again.
Tools every hacker must have in their toolbox
Burp Suite – Burp Suite is a web proxy that comes in both a free and a commercial version. In addition to the proxy functionality, Burp also includes Repeater, Intruder, Decoder, Comparer, and scanning tools built in. Repeater and Intruder are instrumental when it comes to web testing. This is the Swiss army knife of web pen testing.
Zed Attack Proxy – Zed Attack Proxy is an easy-to-use penetration testing tool used to identify flaws in web applications. It includes many different tools, such as a brute forcer, scanner, fuzzer, and decoder.
SqlMap – SqlMap is an open source penetration testing tool to automate the process of detecting and exploiting SQL Injection vulnerabilities. Using simple commands, it is easy to quickly identify and then exploit SQL injections.
Nikto – Nikto is an open source web server scanning tool that can identify web server versions, misconfigurations, and a large list of vulnerable files.
Laudanum – Laudanum is a collection of web scripts that can be deployed to a vulnerable server to provide file browsing and shell functionality on the affected system. These scripts come in many languages, including Java and PHP.
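Scanners like Nikto and sqlmap are noisy, and the defender's side of this is spotting them in the access log. Here is an added example (my own code, not from the post or from either tool) that parses Apache combined-format lines and flags a client on two heuristics: a User-Agent that carries a scanner's default marker (Nikto and sqlmap both identify themselves by name unless the operator changes the agent string, which I assume here), and a burst of 404s from one address, which is what probing a long list of vulnerable files looks like even when the agent string has been changed. All log lines are constructed, with documentation-range IP addresses.

```python
import re
from collections import Counter

# Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Lower-cased substrings present in the tools' default User-Agent strings
# (assumption: the operator has not overridden the agent).
SCANNER_UA_MARKERS = ("nikto", "sqlmap")


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines, not_found_threshold: int = 3) -> dict:
    """Flag client IPs by scanner User-Agent and by repeated 404 responses."""
    ua_hits = set()
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as evidence
        if any(marker in rec["ua"].lower() for marker in SCANNER_UA_MARKERS):
            ua_hits.add(rec["ip"])
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
    many_404s = {ip for ip, n in not_found.items() if n >= not_found_threshold}
    return {"ua_match": sorted(ua_hits), "many_404s": sorted(many_404s)}


# Constructed sample log: a Nikto-style client, a sqlmap-style client, an
# ordinary visitor, and a client with a normal agent string but many 404s.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"',
    '198.51.100.7 - - [10/Oct/2023:14:02:10 +0000] "GET /item?id=1 HTTP/1.1" 200 1532 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '192.0.2.10 - - [10/Oct/2023:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"',
    '192.0.2.11 - - [10/Oct/2023:14:06:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"',
    '192.0.2.11 - - [10/Oct/2023:14:06:01 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"',
    '192.0.2.11 - - [10/Oct/2023:14:06:02 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"',
]


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The agent-string check is cheap but trivially evaded, which is why the 404 heuristic is the one worth keeping: it catches `192.0.2.11`, whose agent string looks like a browser. On a real server the threshold should be tuned per time window and paired with the usual whitelist for your own monitoring.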
BeEF – The Browser Exploitation Framework (BeEF) is an excellent tool while performing a web pen test. The framework makes it really easy to exploit the browser using identified cross-site scripting flaws. Once exploited, it may be possible to pivot from the outside to the inside of a network.