Web Defacement

Web defacement is a cyberattack where an attacker gains unauthorized access to a website and alters its visual content, often replacing legitimate pages with propaganda, threats, or offensive messages. These attacks typically exploit vulnerabilities in web applications or weak administrative controls and aim to damage reputations, spread misinformation, or deliver political messages. This lab provides step-by-step instructions for executing web defacement so that security practitioners can safely observe indicators of compromise.

You may need to change the IP address in the IIS configuration. Click Windows Start Button -> Internet Information Services -> Select WebSite -> Bindings -> Select or Add Port 80 -> Click Edit -> Choose IP Address From The Drop Down List -> Click OK.

Disclaimer: This article is suitable for intermediate and expert users and is for educational purposes only.

Open a web browser and type the IP address selected in the IIS configuration. A successful configuration will result in the following web content:

Use any exploitation technique from the lab activity "Exploitation & Clearing Traces".

Make sure the connection to the target server is successfully established.

Type pwd and hit enter

Type cd .. (change the directory)

Type pwd and hit enter

Type cd .. (change the directory)

Type pwd and hit enter

Download any deface file and place it in /home/kali (the default directory used by Metasploit to upload and download).

Type dir and hit enter (list target directory)

Note:
i. The folder named Source contains a source file for the web content.
ii. In an actual attack, you need to search the source folder of the web content by predicting the folder name.

Type cd Source and hit enter

Type dir and hit enter

Type del and hit enter (delete original file)

Type upload index.html and hit enter (deface file)

Type shell and hit enter (to go into Windows CMD)

Type iisreset and hit enter (restart Windows Server IIS)

Browse the web server content by using the web server IP address (the defacement is successful).
