Week 5: Cracking Into Website Pentesting and the Role of AI

Aditya SoniAditya Soni
6 min read

Table of contents

What was this week about?

This past week, I learned the basics of website pentesting, broadening my understanding of system-level vulnerabilities. Most importantly, I realized the potential for an AI pentester in several steps of hacker methodology. For example, website reconnaissance, or information gathering in general, which might normally take 2-3 days when working with a large corporation can be accomplished only in a matter of minutes with the use of AI. However, something else to note is that, regardless of how effective AI gets in the field of cybersecurity, there always will be a human element unless all corporations are completely taken over by AI. An example of this can be seen in the very first step of hacker methodology, gaining permission. While some might argue that this can also be done using AI just like AI can book you a barber’s appointment, there HAS to be human-to-human communication involved because for now, humans are still more inclined to trust other humans with sensitive acts like permission handling and information release than they are to trust a machine.

This week’s goals:

  • Show tremendous progress in my ethical hacking course (>200 course minutes)

  • Learn more about the usage of AI in website pentesting

  • Perform attacks related to website vulnerabilities against a metasploitable virtual machine.

  • Learn more about backdoor injection on external networks. (NOTE: Practice labs related to this were performed on and against virtual machines that I own and use).

What I learned this week:

Backdoor injection on external networks:

  • There are two ways of performing attacks on external networks, mainly using port forwarding or by using a tunneling service like ngrok.

  • In order to protect your system from these attacks, prevent clicking on links that end with ngrok.io or .com or any other extension since these links might carry a backdoor and the deadly part is that these backdoors will run in the background and therefore you wouldn’t even know.

Using the Setoolkit:

  • It is a tool in Kali that allows the attacker to perform social engineering attacks against a victim for example in a test lab, I performed a credential harvester attack against my windows virtual machine.

  • I firstly launched the Setoolkit and the credential harvester using ngrok as the tunneling service. This generated a URL that I sent to the victim windows machine.

  • Acting as the victim, I opened the link on my windows virtual machine to see a fake google login page.

  • In a real-world scenario, the victim will naively enter their login credentials and the attacker would receive them. This attack is very similar to the Instagram phishing attack, I discussed in a past blog.

  • The main way to protect oneself from such an attack is to mainly avoid clicking on third party links and also checking the URL for any suspicious signs.

Post-hacking sessions:

  • I learned about what an attacker would do once they gain access to a victim computer.

  • One of the first things they would do is that they might hide their malicious execution file, for example, a backdoor which they used to gain access, in the form of a different file by ‘migrating’ it into another file.

  • Then they would place precautionary methods that will sustain their session even if the victim restarts their system or deletes the backdoor or anything else that can possibly break their session in the victim computer.

  • Then finally they would start exploiting the system, for example they might initiate a keylogger or take a screenshot or gain access to the victim’s webcam, etc.

Website Reconnaissance:

  • I learned about different ways to gain information about a website and possible vulnerabilities.

  • I used Maltego, and Netcraft to gain information on the websites.

  • For example a reverse DNS lookup can be used to see what other websites are using the same server as the target website.

Website Pentesting:

  • Several types of vulnerabilities can exist in a website for example a code execution vulnerability, file upload vulnerability etc.

  • A file upload vulnerability, allows the attacker to upload a php file for example, that when executed will give the attacker remote access to the server the website is being hosted on.

  • A code execution vulnerability allows the attacker to execute other commands on the website for example reverse shells that go beyond the website’s intended usecase and allows the attacker to gain access to the server the website is being hosted on.

Cross Site Scripting:

  • It is a website vulnerability that allows attackers to inject malicious scripts into a website that can be executed when hosted on a victim’s browser.

  • There are two types of cross-site scripting, mainly stored XSS and reflected XSS.

  • In stored XSS, the malicious script is permanently stored on the website’s server.

  • In reflected XSS, the malicious script is embedded in the link and sent to the victim.

Challenges I faced:

  • I was unable to use msfvenom to generate backdoors and in extension, msfconsole to host hacking sessions.

  • I was unable to install missing dependencies for Setoolkit.

  • I was also not able to run weevely successfully.

How I solved the problems:

  • The core issue was that rbenv installed its own Ruby version and gem paths, which overrode the system Ruby that Kali’s metasploit-framework package relies on. This caused msfconsole and msfvenom to fail with missing gem errors, even though the system package had all the required gems so I simply removed rbenv and therefore metasploit now correctly used the system ruby and all the gems then worked as intended.

  • The core issue of the second problem was the broken pycrypto. So I uninstalled it and installed pycryptodome, a maintained replacement. I also ran the setoolkit in a virtual environment to avoid breaking other system packages.

  • The core issue was that weevely required python 3.11.x to run but my system default was set to python 3.13.x. I did try to solve the weevely issue by running it in a virtual environment that had the right python version but alas, it is still not working and I am currently trying to fix the issue. If any of my readers are accustomed to this issue and know the solution please feel free to drop a comment.

Finishing up:

This week pushed me deeper into the world of ethical hacking, where I not only explored practical tools like Setoolkit and metasploit, but also uncovered the ways AI can reshape penetration testing. While AI can accelerate reconnaissance and even automate certain attacks, I’ve learned that the human element in cybersecurity remains irreplaceable—for now.

I still have challenges ahead, especially with tools like Weevely, but every setback is also an opportunity to better understand the systems I’m working with. My biggest takeaway is that ethical hacking is as much about persistence and problem-solving as it is about technical skill.

If you’ve faced similar issues—or have solutions for the Weevely problem—feel free to share your insights in the comments. Until next time, I’ll keep breaking things (ethically!) to learn how to secure them better.

Disclaimer:

This blog documents my personal journey in learning ethical hacking and cybersecurity with the intent to build responsible AI tools for penetration testing and system defense.

All experiments are conducted in isolated lab environments on virtual machines I own or control. This project is strictly for educational and ethical purposes.

I do not condone or promote any form of unauthorized or illegal access to systems.

0
Subscribe to my newsletter

Read articles from Aditya Soni directly inside your inbox. Subscribe to the newsletter, and don't miss out.

#cybersecurityethicalhackingAIpentestingwebsite

Written by

Aditya Soni
Aditya Soni