
Finding administration panel

By 0KaL (@0KaL_H4) 0kal@email.com
WhiteCollarGroup

You're going to hack another website. You can already imagine another line in your notify-list. And if you get root access? How many virtual hosts is this server hosting? OK, the administrator password is already here. It's encrypted, but that's no problem. A new tab in the browser, and you open your favorite reverse MD5 service. Cool, you found the plain password! Now only the administration panel is missing. But where is it?

The lack of instruction on searching for the administration login panel is the biggest reason for giving up on defacements today (not that it's a bad thing for the webmasters). In this paper we will see some tips for finding the administration panel of a website whose credentials you already have. Let's start?

Try the commons


Many developers stick to the defaults used by most programmers for the administration panel's URL:

/admin
/control
/engine

You can also try variations:

/administrator
/administrate
/adm
/admlogin

It's also usual to use leet spelling:

/4dm1n

Remember that the names can change according to the language.

Robots.txt
It's a file that gives instructions to search engines (like Googlebot/Caffeine) about which directories or files to index and which not. Understood already? Some developers instruct the search engines not to index their administration panels. For example, imagine that the site URL is www.target.com. You access www.target.com/robots.txt and, if you're lucky, you find your target:

Disallow: /admin

Google
inurl:"target.com" intext:"Login"
inurl:"target.com" intext:"Password"
inurl:"target.com" intext:"Admin*"
inurl:"target.com" intext:"Enter"
inurl:"target.com" intext:"Manage*"
inurl:"target.com" intext:"Edit*"

Be creative and think as a developer: "If I'm a programmer, what text would I put in an administration panel?"

Source-code
Some programmers still have the terrible habit of keeping the uploads folder as a subfolder of the administration panel directory! Because of this, you can copy an image URL, for example. If you're lucky, you will see something like:

http://www.target.com/admin/uploads/image.jpg

If you didn't find it, hit [Ctrl] + [U] and go looking at page elements, like images, scripts, links... There are good chances of finding it. I remember a website I hacked where I couldn't find the administration panel in any way. When I saw the page source code, guess what:

http://www.target.com/.aDm1ncP/uploads/image.jpg

It was hosted on Linux (case sensitive), so maybe I would never have found that panel if not for this programmer error. So, I ask you: why use such a hard directory name while giving such an easy way to find it?

Another thing that kills is using a standard naming pattern for directories. I remember when I was trying to hack a website, searching for the administration panel. No way to find it. But the images were being sent to a directory called _images. I noticed the underscore in front of the name. Why did he do that? I don't know, but if he did it there, he could have done the same with the administration panel. So I tried _admin and, bingo! Found.
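
From the webmaster's side, the two leaks described under Robots.txt and Source-code can be checked before deployment. The following is an added example, not part of the original paper: a Python check that takes the site's own, already known panel path plus the robots.txt and page sources, and reports every place that path is disclosed. The function names and the sample data are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class UrlCollector(HTMLParser):
    """Collects every src/href/action attribute value in a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("src", "href", "action") and v]


def under(path, admin_path):
    """True if path is the admin directory or anything below it (case-sensitive)."""
    admin = "/" + admin_path.strip("/")
    return path == admin or path.startswith(admin + "/")


def find_disclosures(admin_path, robots_txt, pages):
    """Return (source, leaked_value) pairs for the site's own, known admin_path."""
    findings = []
    for line in robots_txt.splitlines():
        m = re.match(r"\s*(?:dis)?allow\s*:\s*(\S+)", line, re.I)
        if m and under(m.group(1).rstrip("*"), admin_path):
            findings.append(("robots.txt", line.strip()))
    for name, html in pages.items():
        collector = UrlCollector()
        collector.feed(html)
        findings += [(name, u) for u in collector.urls
                     if under(urlsplit(u).path, admin_path)]
    return findings


# Constructed sample input, modelled on the cases described in the text.
ROBOTS = "User-agent: *\nDisallow: /.aDm1ncP/\nDisallow: /tmp/\n"
PAGES = {
    "index.html": '<img src="http://www.target.com/.aDm1ncP/uploads/image.jpg">'
                  '<a href="/news/1">news</a>',
}

if __name__ == "__main__":
    for source, value in find_disclosures("/.aDm1ncP", ROBOTS, PAGES):
        print(f"{source}: {value}")
```

Any finding means the directory name is not a secret: move public assets out of the panel directory and drop the robots.txt entry, relying on authentication and access control instead.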

SQLi
Some SQL servers allow you to execute shell/DOS commands. Search for this support in the SQL server you're attacking. Maybe an ls or a dir can help. As it depends on each server type, I can't give more details here. Maybe in the next one.

RFI
I'll now show something that I think has happened to many defacers: I was searching for RFI vulnerabilities, to check whether this vulnerability really had dropped out of the top. After hard work, I found one, but when I included the webshell I had no permissions to do anything. Safe mode was on, and even file listing (the opendir() function and others) was blocked, but it was possible to run PHP code using eval. I had also found a SQL injection vulnerability in the site, so I got the passwords, but when I tried to find the administration panel I remembered the RFI. So I used the glob() function to list files (this function isn't denied by safe mode, yet) and, finally, I found the administration panel.

$dir = "./"; // directory
$list = glob($dir."*");
foreach($list as $f) {
    echo $f."<br>\n";
}

Admin Finder
You can also try an Admin Finder, online or not (online is best, because it uses the host's network, no doubt better than the one in your house). Many people like the admin finder that comes with Havij, but if you search for "Online Admin Panel Search" or "Online Admin Finder" in Google, you will find some. I don't have enough data to rate the best script.

Subdomain
Some websites have their administration panels accessible on a subdomain. It's very easy to do, so it is increasingly used. We can only try:

admin.target.com
adm.target.com
(...)

Another domain
Many websites (mainly big websites) have administration panels on second domains. Yes, it will be very complicated. Many others (I've seen many like this) can be accessed through a URL shared by many websites developed by a single agency. You can try to discover who the developers of the site are, talk with their clients, verify their systems... The more experienced hacker would try to work at this agency. Maybe you can't ask them for a job, but you must study them very well.

Previous defacer
Yes, you can ask defacer friends for help, but this isn't my suggestion now. It's common to hack some website and then discover that you're not the first. So, check the mirror websites to see if there's a mirror for your target. You can also use dorks:

site:mymirrorsite-h.org intitle:target.com hacked by

Search in many distinct mirror websites and even forums (it's common to have a topic with the defacements):

target.com defaced hacked

Try to contact the defacer. Maybe some social engineering will be needed. By the way...

Social Engineering
The more administrators the site has, the greater your chance to hack it. Try to get the email of one of the administrators (you can use some who-is service, for example), and try to send an email:

Hi, how are you? I had to format my computer. The login URL was in bookmarks, and I've lost all of them. Can you send me the link?

Thanks!

You can also send a keylogger to the administrator, but that's already another story... Be creative. I'm not the best person to talk about social engineering, therefore I'll leave it here.

Brute-force
Didn't find it? Really? Well... we already tried the dictionary-based attack (Admin Finder), so now we go to brute ignorance. Is it really necessary to hack that website? This way can take too long (relatively), but whether it is really worth it, only you can know. But let's go... There are many tools (mainly in Python or Perl) that try all possible character combinations and list all the files found. Take a look on the internet, searching for "admin panel finder brute force". I know many scripts, but each script has its own strengths and weaknesses. So I'll let you find your favorite script. Usually it has its own documentation, maybe bundled with the script, in the script comments or in some readme file.
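
For a site owner, the guessing described under Try the commons, Admin Finder and Brute-force shows up in the access log as a burst of 404s on admin-style names from one client. The following is an added example, not part of the original paper, that flags such clients in combined-format log lines. The threshold, the window, the word stems and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
LEET = str.maketrans("4310", "aeio")          # undo 4dm1n-style spelling
GUESS_WORDS = ("adm", "control", "engine")    # name stems from the paper's lists


def looks_like_panel_guess(path):
    """True if the first path segment is an admin-style name, leet or prefixed."""
    first = path.split("?")[0].strip("/").split("/")[0].lower()
    return first.lstrip("._").translate(LEET).startswith(GUESS_WORDS)


def find_enumerators(lines, threshold=4, window=timedelta(minutes=1)):
    """Map client IP -> guessed paths, for clients with at least `threshold`
    distinct admin-style 404s inside one sliding window."""
    misses = defaultdict(list)  # ip -> [(time, path)]
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "404" and looks_like_panel_guess(m["path"]):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            misses[m["ip"]].append((ts, m["path"]))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        for start, _ in hits:
            paths = {p for t, p in hits if timedelta(0) <= t - start <= window}
            if len(paths) >= threshold:
                flagged[ip] = sorted(paths)
                break
    return flagged


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /administrator HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /4dm1n HTTP/1.1" 404 153',
    '203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /_admin HTTP/1.1" 404 153',
    '198.51.100.20 - - [10/Mar/2024:10:00:05 +0000] "GET /admin HTTP/1.1" 404 153',
    '198.51.100.20 - - [10/Mar/2024:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(find_enumerators(SAMPLE))
```

Only 404 responses are counted here; a deployment that answers guesses with 403 or a redirect needs those status codes added to the filter.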

Send it to hell

Can't, yet??? Well, bro... Maybe it's time to start accepting it, maybe go to the next one. What happens is that some websites (mainly the big websites) just don't have a public web interface for administration. They resort to local access networks (LANs), mainly if they have their own web host. So they restrict access to some IP range. So, bro... That's common, don't cry. It happens to everyone, sometime or other.
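
The IP-range restriction described above, as an added example that is not part of the original paper: a Python WSGI middleware that serves the panel only to allowed networks and answers 404 to everyone else. The class name, the /admin prefix and the 10.0.0.0/8 range are assumptions.

```python
import ipaddress
import posixpath


class AdminAllowlist:
    """WSGI middleware: 404 for the admin area unless the client is on an allowed network."""

    def __init__(self, app, admin_prefix, networks):
        self.app = app
        self.prefix = "/" + admin_prefix.strip("/")
        self.networks = [ipaddress.ip_network(n) for n in networks]

    def _is_admin(self, path):
        # Normalise "//", "/./" and "/../" so /x/../admin cannot slip past the check.
        clean = posixpath.normpath("/" + path.lstrip("/"))
        return clean == self.prefix or clean.startswith(self.prefix + "/")

    def _allowed(self, environ):
        # REMOTE_ADDR is the TCP peer; X-Forwarded-For is client-supplied and ignored.
        try:
            addr = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(addr in net for net in self.networks)

    def __call__(self, environ, start_response):
        if self._is_admin(environ.get("PATH_INFO", "/")) and not self._allowed(environ):
            body = b"Not Found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def status_for(app, path, remote_addr):
    """Call a WSGI app once and return the status line it produced."""
    seen = []
    app({"PATH_INFO": path, "REMOTE_ADDR": remote_addr},
        lambda status, headers: seen.append(status))
    return seen[0]


# Constructed values: /admin as the panel path, 10.0.0.0/8 as the office LAN.
guarded = AdminAllowlist(demo_app, "/admin", ["10.0.0.0/8"])
```

Behind a reverse proxy REMOTE_ADDR is the proxy's address, so the restriction then belongs on the proxy itself or must use a forwarded address that only the trusted proxy can set.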

Here I presented some tips I learned during my time in hacking. Of course there are many other ways you can search and try. Learn by yourself, and learn from others. Good luck! Be responsible for your actions.
