Hacking Web Applications & Servers

Welcome to the Hacking Web Applications & Servers module. This note will guide you through all the methodologies I followed while preparing for the CEH (Practical) exam.

Identify Technology (Footprint)

  • Identifying the technology used by the web application gives us an idea of how to exploit that particular application.

List of tools used to identify the technology

  1. httprecon

  2. whatweb (CLI)

Other Methods

  • Using Telnet

  • Using NetCat

Nmap Scripts

Normal HTTP Enumeration

nmap -sV --script=http-enum www.xyz.com

WAF Detection

nmap -p 80,443 --script=http-waf-detect www.xyz.com 

Directory Bruteforce

Brute-force directory guessing attacks are very common against websites and web servers. They are used to find hidden and often forgotten directories on a site to try to compromise.

Dirbuster for Directory Brute force

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is often the case that what looks like a web server in a default installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.

However, tools of this nature are often only as good as the directory and file list they come with. A different approach was taken to generate this one: the list was generated from scratch by crawling the Internet and collecting the directories and files that are actually used by developers. DirBuster comes with a total of 9 different lists, which makes it extremely effective at finding hidden files and directories. If that is not enough, DirBuster also has the option to perform a pure brute force, which leaves hidden directories and files nowhere to hide.

CheatSheets for Dirbuster

You can use any directory brute force tool, e.g. GoBuster, Dirsearch, BruteX, etc. But keep in mind that every tool performs the same process. So, master one tool and you are good to go.
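Seen from the server side, every one of these tools leaves the same trace: one client collecting 404 responses for many different paths in a short time. The Python below is an added example, not part of the original notes or of DirBuster; the common/combined log format, the 60-second window, the five-miss threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Start of a common/combined access-log line: ip - - [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, time, path, status), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_dir_bruteforce(lines, window=timedelta(seconds=60), min_misses=5):
    """Map client IP -> most distinct 404 paths seen inside one sliding window,
    for clients that reach min_misses. Both thresholds are assumptions to tune."""
    misses = defaultdict(list)              # ip -> [(time, path)] for 404s only
    for ip, ts, path, status in filter(None, map(parse, lines)):
        if status == 404:
            misses[ip].append((ts, path))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # drop events older than the window
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct >= min_misses:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged

def sample_line(ip, sec, path, status):
    """Build one constructed log line `sec` seconds after 10:00:00."""
    return (f'{ip} - - [12/Mar/2024:10:{sec // 60:02d}:{sec % 60:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample traffic (documentation IP ranges, not real logs).
GUESSES = ["/admin/", "/backup/", "/old/", "/test/", "/.git/", "/tmp/"]
SAMPLE = (
    [sample_line("203.0.113.7", i, p, 404) for i, p in enumerate(GUESSES)]
    + [sample_line("198.51.100.20", s, p, c)        # ordinary visitor
       for s, p, c in [(1, "/", 200), (2, "/favicon.ico", 404), (30, "/about", 200)]]
    + [sample_line("192.0.2.44", s, "/missing.png", 404)  # one broken link, retried
       for s in range(0, 50, 5)]
)

if __name__ == "__main__":
    print(find_dir_bruteforce(SAMPLE))
```

Counting distinct paths rather than raw 404s keeps a client that retries one broken link from being flagged, while a scan slowed below the window size will pass under this check and needs a longer window or a daily total.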

Service Bruteforce


Man! I can't say words about this tool! 🔥 This is one of my fav tools for brute-forcing passwords for services running on a network.

hydra -L /Path/To/Username/WordList -P /Path/To/Password/WordList 10.10.10.x ftp

In Hydra, you can set the service you want to brute force; in the above command you can see I have set it to FTP. You can set any service the same way, for example SSH, RDP, SAMBA, etc.


Medusa is also one of the best tools out there for brute force. Even though I love Hydra, I use Medusa a lot. Maybe I can prioritize Medusa first and put Hydra in second place.

medusa -h 10.10.10.x -U /root/Documents/user_list.txt -P /root/Documents/pass_list.txt -M ftp -F


Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. DVWA aims to let you practice some of the most common web vulnerabilities, with various levels of difficulty. DVWA plays one of the major roles in the C|EH (Practical) exam. It is advisable to crack DVWA and get used to the box, since the exam challenges may be based on the challenges available on this box.

Hey! Thank you for being up here in my process. DVWA is one of the best applications for practising your web application attacks. Since I completed this challenge years ago, I request you to work on this. I can't help you with each module in DVWA, but there are tons of video tutorials and blogs about this box. Please complete this box since this might be important for your exam.

I have attached the solution playlist of DVWA below 👇🏻 check this out


By now, you should have the knowledge on:


For the Certified Ethical Hacker (Practical) exam, you don't need to worry about the wordlist, since most probably they will have attached a wordlist for each module, so make use of those first. If you have any failures, then go with the default wordlist.
