Ce hv8 module 12 hacking webservers

H a c k i n g W e b s e r v e r s

Module 12

Exam 312-50 Certified Ethical HackerEthical Hacking and CountermeasuresHacking Webservers

Hacking WebserversModule 12

Engineered by Hackers. Presented by Professionals.

E th ic a l H a c k in g a n d C o u n te rm e a s u re s v8

Module 12: Hacking Webservers

Exam 312-50

Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.

Module 12 Page 1601


GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility

Monday, September 10th, 2012

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DD0S attack.

According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account the company is aware o f the issue and is working to resolve it.

Update: customers are complaining that GoDaddy hosted e-mail accounts are down as well, along w ith GoDaddy phone service and all sites using GoDaddy's DNS service.

Update 2: A member o f Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action.

A tipster tells us that the technical reason fo r the failure is being caused by the inaccessibility o f GoDaddy's DNS servers — specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.

http://techcrunch.com

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

Security NewsGoDaddy Outage Takes Down M illions of Sites, Anonymous M em ber Claim s Responsibility

Nnus

Source: http://techcrunch.com

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DD0 S attack.

According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.

Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.

Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action.

A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.


Module 12 Page 1602




AnonymousOwn3r׳s bio reads "Security leader of #Anonymous (׳”Official member")." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted.

Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack."

Copyright © 2012 AOL Inc.

By Klint Finley

http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/


Module 12 Page 1603

http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/


Module Objectives CUrt1fW4

EHttlMUl ttMhM

J IIS Webserver Architecture J Countermeasures

J Why Web Servers are Compromised? J How to Defend Against Web Server

J Impact of Webserver Attacks Attacks

J Webserver Attacks J Patch Management

J Webserver Attack Methodology /L־־ ^ J Patch Management Tools

J Webserver Attack Tools J Webserver Security Tools

J Metasploit Architecture J Webserver Pen Testing Tools

J Web Password Cracking Tools J Webserver Pen Testing

Copyright © by IG-COHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

M odule O bjectives•—*> Often, a breach in security causes more damage in terms of goodwill than in actual

quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module attempts to highlight the various security concerns in the context of webservers. After finishing this module, you will able to understand a web server and its architecture, how the attacker hacks it, what the different types attacks that attacker can carry out on the web servers are, tools used in web server hacking, etc. Exploring web server security is a vast domain and to delve into the finer details of the discussion is beyond the scope of this module. This module makes you familiarize with:

e IIS Web Server Architecture e Countermeasures

e Why Web Servers Are Compromised? e How to Defend Against Web

e Impact of Webserver Attacks Server Attacks

e Webserver Attacks e Patch Management

e Webserver Attack Methodology 0 Patch Management Tools

Q Webserver Attack Tools e Webserver Security Tools

e Metasploit Architecture e Webserver Pen Testing Tools

e Web Password Cracking Tools e Webserver Pen Testing


Module 12 Page 1604


CEHModule Flow

Copyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

M o d u le F lo wTo understand hacking web servers, first you should know what a web server is, how

it functions, and what are the other elements associated with it. All these are simply termed web server concepts. So first we will discuss about web server concepts.

4 m ) Webserver Concepts Webserver Attacks------

Attack Methodology * Webserver Attack Tools

Webserver Pen Testing Webserver Security Tools

y Patch Management Counter-measures■ —■ —

This section gives you brief overview of the web server and its architecture. It will also explain common reasons or mistakes made that encourage attackers to hack a web server and become successful in that. This section also describes the impact of attacks on the web server.


Module 12 Page 1605


Webserver Market Shares

I_______ I_______ I________I_______ I________I64.6%Apache

Microsoft - IIS

LiteSpeed I 1.7%

Google Server | 1.2%

W e b S e rv e r M a r k e t S h a re sSource: http://w3techs.com

The following statistics shows the percentages of websites using various web servers. From the statistics, it is clear that Apache is the most commonly used web server, i.e., 64.6%. Below that Microsoft ־ IIS server is used by 17.4 % of users.


Module 12 Page 1606

http://w3techs.com


J־ -----►80%

tApacheכ64.6%

17.4%Microsoft ־ IIS

%13Nginx

LiteSpeed

Google Server

Tomcat

Lighttpd

7050 604010 20 30

FIGURE 12.1: Web Server Market Shares


Module 12 Page 1607


Open Source W ebserver C E HArchitecture

I ©AttacksSite Admin

r□

Email

MySQL i fCompiled Extension

Site Users

:11 a

Linux

1 I— —־* I......... Apache

PHP

File System

ג ^ מ יני י

Applicationsי


O p e n S o u rc e W e b S e rv e r A r c h i te c tu r eThe diagram bellow illustrates the basic components of open source web server

Barchitecture.


Module 12 Page 1608


Attacks

1 U

Site Admin

־׳

Site Users

& *A

InternetLinux

EmailApacheVPHP

File System

J

fCompiled Extension MySQL yApplications

־"

FIGURE 12.2: Open Source Web Server Architecture

Where,

© Linux - the server's operating system

© Apache - the web server component

© MySQL - a relational database

© PHP - the application layer


Module 12 Page 1609


IIS Web Server Architecture CIE H

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web

HTTP Protocol Stack (HTTP.SYS)

AppDomain

ManagedModules

FormsAuthentication

Native Modules

Anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging

Application Pool

Web Server Core

Begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre- execution, release state, update cache, update log, and end request processing


Client

i * a f t p

Kernel Mode

User Mode :■

Svchost.exe +

Windows Activation Service _________ (WAS)__________

WWW Service

External Apps

applicationHost.config

IIS W e b S e rv e r A r c h i te c tu r e׳3---------------------------------------

c 3 IIS, also known as Internet Information Service, is a web server application developed by Microsoft that can be used with Microsoft Windows. This is the second largest web after Apache HTTP server. IT occupies around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.

The diagram that follows illustrates the basic components of IIS web server architecture:


Module 12 Page 1610

http://HTTP.SYS


Client

HTTP Protocol Stack (HTTP.SYSIInternet

AppDomain

ManagedModules

FormsAuthentication

Native Modules

Anonymous authentication, Managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging

Kernel Mode

Application Pool

W eb Server Core

Begin requestprocessing/ authentication, authorization, cache resolution, handler mapping, handler pre* execution, release state, update cache, update log, and end request processing

User Mode

Svchost.exe

W indow s Activation Service (W A S )

WWW Service

applicationHost.config

FIGURE 12.3: IIS Web Server Architecture


Module 12 Page 1611

http://HTTP.SYSI


CEHWebsite Defacement

Fie M lז few Hep

* * W © http://juggyboy.com/index.aspx v ^ ד •j_>־

Y o u a r e O W N E D ! ! ! ! ! ! !

H A C K E D !

Hi Master, Your w ebsite owned by US, Hacker!

Next target - microsoft.com

J Web defacement occurs when an intruder maliciously alters visual appearance of a web page by inserting or substituting provocative and frequently offending data

J Defaced pages exposes visitors to some propaganda or misleading information until the unauthorized change is discovered and corrected


W ebsite D efacem entWebsite defacement is a process of changing the content of a website or web page

by hackers. Hackers break into the web servers and will alter the hosted website by creating something new.

Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.


Module 12 Page 1612

http://juggyboy.com/index.aspx


B O ®World Wide WebFile Edit View Help

,יי

FIGURE 12.4: Website Defacement


Module 12 Page 1613


Unnecessary default, backup, or sample files

Installing the server with default settings

Improper file and directory permissions

Security conflicts with business ease-of- use case

Default accounts with their default or no passwords

Misconfigurations in web server, operating systems,and networks

Security flaws in the server software, OS and applications

Lack of proper security policy, procedures, and maintenance

Misconfigured SSL certificates and encryption settings

Bugs in server software, OS, and web applications

Improper authentication with external systems

Use of self-signed certificates and default certificates

Unnecessary services enabled, including content management and remote administration

Administrative or debugging functions that are enabled or accessible


W h y W e b S e rv e r s A re C o m p r o m is e dThere are inherent security risks associated with web servers, the local area networks

that host web sites and users who access these websites using browsers.

0 Webmaster's Concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. This may be in the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs present in large complex programs are often considered the source of imminent security lapses. However, web servers that are large complex devices and also come with these inherent risks. In addition, the open architecture of the web servers allows arbitrary scripts to run on the server side while replying to the remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

Q Network Administrator's Concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web is to provide controlled access to the network, too much of control can make a web almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server, so that the legitimate users are recognized and authenticated, and various groups of users assigned distinct access privileges.


Module 12 Page 1614


6 End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, make it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.

The table that follows shows the causes and consequences of web server compromises:

Cause Consequence

Installing the server with default settings

Unnecessary default, backup, or sample files

Improper file and directory permissions Security conflicts with business ease-of-use case

Default accounts with their default passwords

Misconfigurations in web server, operating systems and networks

Unpatched security flaws in the server software, OS, and applications

Lack of proper security policy, procedures, and maintenance

Misconfigured SSL certificates and encryption settings

Bugs in server software, OS, and web applications

Use of self-signed certificates and default certificates

Improper authentication with external systems

Unnecessary services enabled, including content management and remote administration

Administrative or debugging functions that are enabled or accessible

TABBLE 12.1: causes and consequences of web server compromises


Module 12 15


Impact of Webserver Attacks CEHC«rt1fW4 itfciul Nm Im

W ebsite defacem ent

Root access to other applications or servers

©Data tam pering


I m p a c t o f W e b S e rv e r A tta c k sAttackers can cause various kinds of damage to an organization by attacking a web

server. The damage includes:

0 Compromise of user accounts: Web server attacks are mostly concentrated on useraccount compromise. If the attacker is able to compromise a user account, then the attacker can gain a lot of useful information. Attacker can use the compromised user account to launch further attacks on the web server.

0 Data tampering: Attacker can alter or delete the data. He or she can even replace thedata with malware so that whoever connects to the web server also becomes compromised.

0 Website defacement: Hackers completely change the outlook of the website byreplacing the original data. They change the website look by changing the visuals and displaying different pages with the messages of their own.

0 Secondary attacks from the website: Once the attacker compromises a web server, heor she can use the server to launch further attacks on various websites or client systems.

0 Data theft: Data is one of the main assets of the company. Attackers can get access tosensitive data of the company like source code of a particular program.


Module 12 Page 1616


0 Root access to other applications or server: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, semi-dedicated, or virtual private server. Attackers can perform any action once they get root access to the source.


Module 12 Page 1617


CEHModule Flow


M o d u le F lo wConsidering that you became familiar with the web server concepts, we move forward

to the possible attacks on web server. Each and every action on online is performed with the help of web server. Hence, it is considered as the critical source of an organization. This is the same reason for which attackers are targeting web server. There are many attack technique used by the attacker to compromise web server. Now we will discuss about those attack techniques.

attack, HTTP response splitting attack, web cache poisoning attack, http response hijacking, web application attacks, etc.

Webserver Concepts Webserver Attacks

^ Attack Methodology ^ Webserver Attack Tools

Webserver Pen Testing J 3 Webserver Security Tools

-y Patch Management Counter-measures■ —■ —

Module 12 Page 1618 Ethical Hacking and Countermeasures Copyright © by EC-C0UnCilAll Rights Reserved. Reproduction is Strictly Prohibited.


Web Server Misconfiguration CEH

Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft

Remote Administration Functions

Unnecessary Services Enabled

Verbose debug/error

Anonymous or Default Users/Passwords

Misconfigured/Default SSL Certificates

Sample Configuration, and Script Files

Copyright © by EG-Gtlincil. All Rights Reserved. Reproduction is Strictly Prohibited.

W e b S e rv e r M is c o n f ig u r a t io nWeb servers have various vulnerabilities related to configuration, applications, files,

scripts, or web pages. Once these vulnerabilities are found by the attacker, like remote accessing the application, then these become the doorways for the attacker to enter into the network of a company. These loopholes of the server can help attackers to bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and result in the total compromise of a website.

e Remote administration functions can be a source for breaking down the server for the attacker.

© Some unnecessary services enabled are also vulnerable to hacking.

0 Misconfigured/default SSL certificates.

© Verbose debug/error messages.

Q Anonymous or default users/passwords.

© Sample configuration and script files.


Module 12 Page 1619


CEHWeb Server Misconfiguration Example

httpd.conf file on an Apache server

<Location /server-status> SetHandler server-status </Location>

This configuration allows anyone to view the server status page, which contains detailed inform ation about the current use o f the web server, including inform ation about the current hosts and requests being processed

php.ini file

display_error = On log_errors = On error_log = syslog ignore repeated errors = Off

This configuration gives verbose error messages


f I W e b S e rv e r M is c o n f ig u r a t io n E x a m p leran n ■

L 1 : J Consider the httpd.conf file on an Apache server.

<Location /server-status> SetHandler server-status </Location>

FIGURE 12.5: httpd.conf file on an Apache server

This configuration allows anyone to view the server status page that contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

Consider another example, the php.ini file.

display_error = On log_errors - On error_log = syslog ignore repeated errors = Off

FIGURE 12.6: php.inifile on an Apache server

This configuration gives verbose error messages.


Module 12 Page 1620


3 j My Computer +1 £ 3Vb floppy (A:)

/ י LocalDt>k((I B Ctocumcnte and Scttngs! H t J Inetpub

Volume in drive C has no label. Volume Serial Number is D45E-9FEE

http://server.eom/scripts/..%5c../Wind0ws/System32/cmd.exe?/c+dir+c:\


D ir e c to r y T r a v e r s a l A t ta c k sWeb servers are designed in such a way that the public access is limited to some

extent. Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL. Attackers can use the trial-and-error method to navigate outside of the root directory and access sensitive information in the system.

E Q-j !v!v!Tffxlcompany downloads 1 ו

E O images O news

□ scripts C J support

Volume in drive C has no label. Volume Serial Number is D45E-9FEE

1,024 .rnd 0 123. text 0 AUTOEXEC.BAT

<DIR> CATALINA_HOME0 CONFIG.SYS

<DIR> Documents and Settings<DIR> Downloads<DIR> Intel<DIR> Program Files<DIR> Snort<DIR> WINDOWS

569,344 WlnDump.exe 368 bytes ,115,200 bytes free

Directory of C:\

06/02/2010 11:31AM 09/28/2010 06:43 PM 05/21/2010 03:10 PM 09/27/2010 08:54 PM 05/21/2010 03:10 PM 08/11/2010 09:16 AM 09/25/2010 05:25 PM 08/07/2010 03:38 PM 09/27/2010 09:36 PM 05/26/2010 02:36 AM 09/28/2010 09:50 AM 09/25/2010 02:03 PM

7 File(s) 570, 13 Dir( s) 13,432

http://server.eom/scripts/..%5c../Wind0ws/System32/cmd.exe?/c+dir+c:\

F I G U R E 1 2 .7 : D i r e c t o r y T r a v e r s a l A t t a c k s


Module 12 Page 1621

http://server.eom/s

http://server.eom/s


HTTP Response Splitting Attack C E H(•ttlfwtf itkNjI NMhM

Input = Jason

HTTP/1.1 200 OK

Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/l.l 200 OK\r\n

First Response (Controlled by Attacker)

Set-Cookle: author=JasonTheHacker HTTP/1.1200 OK

Second Response

HTTP/1.1 200 OK

y

HTTP response splitting attack involves adding header response data into the input field so that the server split the response into two responsesThe attacker can control the first response to redirect user to a malicious website whereas the other responses will be discarded by web browser

String author =request.getParameter(AUTHOR_PA RAM) ;

Cookie cookie = new Cookie("author״, author); cookie.setMaxAge(cookieExpirat ion) ;response.addCookie(cookie);


H T T P R e s p o n s e S p l i t t in g A tta c kAn HTTP response attack is a web-based attack where a server is tricked by injecting

new lines into response headers along with arbitrary code. Cross-Site Scripting (XSS)׳ Cross Site Request Forgery (CSRF), and SQL Injection are some of the examples for this type of attacks. The attacker alters a single request to appear and be processed by the web server as two requests. The web server in turn responds to each request. This is accomplished by adding header response data into the input field. An attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by web browser.


Module 12 Page 1622


Input = Jason

HTTP/1.1 200 OK

Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/l.l 200 OK\r\n

First Response (Controlled by Attacker)

Set-Cookie; author=JasonTheHacker HTTP/1.1 200 OK

S econd R esponse

HTTP/1.1200 OK

String author =request.getParameter(AUTHOR_PA RAM) ;

Cookie cookie = new Cookie("author", author); cookie.setMaxAge(cookieExpirat ion) ;response.addCookie(cookie);

o

Si05</)

FIGURE 12.8: HTTP Response Splitting Attack


Module 12 Page 1623


Web Cache Poisoning Attack CEH

http ://w w w .juggyboy .com /w elcom e.php?lang=

<?php h ea d er ("L ocation:" . $_GET['page']); ?>

An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in cache

Original Juggyboy page

Attacker sends request to remove page from cache

Normal response after clearing the cache for juggyboy.com

Attacker sends malicious request that generates two responses (4 and 6)

Attacker gets first server response

A ttacker re q u es ts d juggyboy.com again to g en e ra te cache en try

The second response of request [3 that points to

I attacker's page

Attacker gets the second

Address Page

www.jujjyboy.com Attacker's page

Poisoned Server Cache

GET http://juggyboy.com/index.html HTTP/1.1 Pragma: no-cache Host: juggyboy.com

Accept-Charset: iso-8859-1, *,utf-8

GET http://juggyboy.com/redir.php?site=%Od%OaContent-

Length :%200%0d%0a%0d%0aHTTP/l.l%2 02(X>%20OK%0d%0aLast- Modified :%20Mon,%2027%200ct%20200 9%2014:50:18%20GMT*0d%0aConte nt- Length :%2020%0d%0aContcnt• Typ«:%20text/htmr%0d%0a%0d%0a<html >Attack Pagc</html> HTTP/1.1

Host: Juggyboy.com

GEThttp://juggyboy.com/index.html HTTP/1.1 Host: testsite.com User-Agent: Mozilla/4.7 [en](WinNT; I)

Accept-Charset: iso-8859-l,*,utf8־


W e b C a c h e P o is o n in g A tta c kWeb cache poisoning is an attack that is carried out in contrast to the reliability of an

intermediate web cache source, in which honest content cached for a random URL is swapped with infected content. Users of the web cache source can unknowingly use the poisoned content instead of true and secured content when demanding the required URL through the web cache.

An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request to store in cache. In the following diagram, the whole process of web cache poisoning is explained in detail with a step-by-step procedure.


Module 12 Page 1624

http://www.juggyboy.com/wel

http://www.jujjyboy.com

http://juggyboy.com/index.html

http://juggyboy.com/



http://www.juggyboy.com/welcome.php?lang=<?php header ("Location:" . $_GET['page']); ?>

..... ......■>ind

.ponse of

p o in t! to :k e f 's page

Addm\

www.Im^YLuy.cum Ofigln.il Juggyboy page

Server CacheI

A ttacker sen d s re q u e s t to rem ove page from cache

Normal re sp o n se a f te r clearing th e cache forjuggyboy.com

A ttacker sen d s malicious re q u e s t th a t g e n e ra te s tw o re sp o n ses (4 and 6)

A ttacker g e ts first server re sp o n se

Theres!requth a t

Attacker requests a juggYboy.com again to generate cache entry

_1_>_ e r g e ts th e second;onse o ^ י f re q u e s t

Address 1‘igr

www.JuKjjytiyy.to1n AtUckvr'vp^v

Poisoned Server Cache

Attack!. W׳

GET http://juggyboy.com/indeM.html HTTP/1.1 Pragma: no-cache Host: juggyboy.com

A ccept-C harset: iso-8859-1,T,utf-8

GET http://juggyboy.com/r«dir.php?site=%Od%OaContent-

L*ngth:%200%Od%Oa%Od%OaHTTP/l.l%2 02009(2 OOKHOdKOa Last- Modified :%20Mon,%202 7%200ct%20200 9*2014:50:18K20GMT%0d%0aContent- Le ngt h: 2020%0d%0a Conte nt- Typ«: %20text/html%0d %0a%0d%08<htm! *Attack Page</html> HTTP/1.1

Host: juggyboy.com

GEThttp ://juggyboy .com /index .h tm l HTTP/1.1 Host: tes ts ite .com U ser-A gent: M ozilla/4.7 [en] (WlnNT; I)

Accept-Charset iso-8859-l,״,utf-8

FIGURE 12.9: Web Cache Poisoning Attack


Module 12 Page 1625

http://www.juggyboy.com/wel

http://www.JuKjjytiyy.to1n

http://juggyboy.com/indeM.html

http://juggyboy.com/



+

Copyright © by EG-GtUIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

HTTP R esponse H ijackingHTTP response hijacking is accomplished with a response splitting request. In this

attack, initially the attacker sends a response splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. On receiving the response from web server, the victim requests for service by giving credentials. At the same time, the attacker requests the index page. Then the web server sends the response of the victim's request to the attacker and the victim remains uninformed.

The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack:


Module 12 Page 1626


FIGURE 12.10: HTTP Response Hijacking


Module 12 Page 1627


S S H B r u t e f o r c e A t t a c k C E HC«rt1fW4 itfciul lUclw(

1^1 SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network

Attackers can bruteforce SSH login credentials to gain unauthorized access to a SSH tunnel

q SSH tunnels can be used to transmit malwares and other exploits to victims without being detected

IMail Server

SSH Server Web Server Application Server

File Server

InternetUser

Attacker


SSH B ru te F o rc e A tta c kSSH protocols are used to create an encrypted SSH tunnel between two hosts in order

to transfer unencrypted data over an insecure network. In order to conduct an attack on SSH, first the attacker scans the entire SSH server to identify the possible vulnerabilities. With the help of a brute force attack, the attacker gains the login credentials. Once the attacker gains the login credentials of SSH, he or she uses the same SSH tunnels to transmit malware and other exploits to victims without being detected.

IMail Server

Attacker

FIGURE 12.11: SSH Brute Force Attack


Module 12 Page 1628


CEHMan-in-the־Middle Attack

\p oO* •• -a Webserver

Attacker


J Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end-user and webservers

J Attacker acts as a proxy such that all the communication between the user and Webserver passes through him

Normal Traffic

M a n in־ t־ h e M־ id d le A tta c kA man-in-the-middle attack is a method where an intruder intercepts or modifies the

message being exchanged between the user and web server through eavesdropping or intruding into a connection. This allows an attacker to steal sensitive information of a user such as online banking details, user names, passwords, etc. transferred over the Internet to the web server. The attacker lures the victim to connect to the web server through by pretending to be a proxy. If the victim believes and agrees to the attacker's request, then all the communication between the user and the web server passes through the attacker. Thus, the attacker can steal sensitive user information.


Module 12 Page 1629


Normal Traffic

es ..* <e .• * , . , w־ ©־•. יי,5־•.''

A••‘‘

*User visits a website

&

Attacker sniffs the communication to

I session IDs

״•<

© .

nU

^ ; communication to ־־* * * . . '''• ^ 9 0 steal session IDs

( f t v

User

Attacker

FIGURE 12.12: Man-in-the-Middle Attack


Module 12 Page 1630


W ebserver Passw ord C racking C EH

* * * *

An attacker tries to exploit weaknesses to hack well-chosen

passwords

Many hacking attempts start with cracking passwords and proves to the Webserver that

they are a valid user

Attackers use different methods such as social engineering,

spoofing, phishing, using a Trojan Horse or virus, wiretapping,

keystroke logging, etc.

The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.

Web form authentication cracking

SSH Tunnels

FTP servers

SMTP servers

Web shares


W e b S e rv e r P a s s w o r d C r a c k in g----- Most hacking starts with password cracking only. Once the password is cracked, the

hacker can log in in to the network as an authorized person. Most of the common passwords found are password, root, administrator, admin, demo, test, guest, QWERTY, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, a brute force attack, a dictionary attack, etc. to crack passwords.

Attackers mainly target:

© Web form authentication cracking

© SSH tunnels

0 FTP servers

© SMTP servers

© Web shares


Module 12 Page 1631


EHW ebserver Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.Passwords can be cracked by using following techniques:I

4 Hybrid Attack

A hybrid attack works similar to dictionary attack, but it adds numbers or symbols to the password attempt

Copyright © by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

■gd© W eb Server P assw ord C rack ing T echn iques® רדד׳ (77) _

Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack the password:

© Guessing: A common cracking method used by attackers is to guess passwords either by humans or by automated tools provided with dictionaries. Most people tend to use heir pets' names, loved ones' names, license plate numbers, dates of birth, or other weak pass words such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same thing allows the attacker to crack passwords by guessing.

© Dictionary Attack: A dictionary attack is a method that has predefined words of various combinations, but this might also not be possible to be effective if the password consists of special characters and symbols, but compared to a brute force attack this is less time consuming.

© Brute Force Attack: In the brute force method, all possible characters are tested, for example, uppercase from "A to Z" or numbers from "0 to 9" or lowercase "a to z." But this type of method is useful to identify one-word or two-word passwords. Whereas if a password consists of uppercase and lowercase letters and special characters, it might take months or years to crack the password, which is practically impossible.


Module 12 Page 1632


Q Hybrid Attack: A hybrid attack is more powerful as it uses both a dictionary attack and brute force attack. It also consists of symbols and numbers. Password cracking becomes easier with this method.


Module 12 Page 1633


Web Application Attacks CEHC«rt1fW4 itfciul Nm Im

! , I f

J Vulnerabilities in web applications running on a Webserver provide a broad attack path for Webserver compromise

A t , ' ° nSiterOss.rge,enia'0 f.s

Olv׳erf/,■acks4ft,C°okie

'rings׳»Pe,T eCt°rv

Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications


SLW e b A p p l ic a t io n A tta c k sVulnerabilities in web applications running on a web server provide a broad attack

path for web server compromise.

Directory Traversal

Directory traversal is exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory

by manipulating a URL.

Parameter/Form Tampering

This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials

and permissions, price and quantity of products, etc.

Cookie Tampering

Cookie tampering is the method of poisoning or tampering with the cookie of the client. The phases where most of the attacks are done are when sending a cookie from

the client side to the server. Persistent and non-persistent cookies can be modified by using different tools.


Module 12 Page 1634


Command Injection Attacks

Command injection is an attacking method in which a hacker alters the content of the web page by using html code and by identifying the form fields that lack validm

constraints.

I Buffer Overflow Attacks

Most web applications are designed to sustain some amount of data. If that amount is exceeded, the application may crash or may exhibit some other vulnerable

behavior. The attacker uses this advantage and floods the applications with too much data, which in turn causes a buffer overflow attack.

Cross-Site Scripting (XSS) Attacks

jr Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website.

M

users.

Denial-of-Service (DoS) Attack

A denial-of-service attack is a form of attack method intended to terminate the operations of a website or a server and make it unavailable to access for intended

Unvalidated Input and File injection Attacks

Unvalidated input and file injection attacks refer to the attacks carried by supplying an unvalidated input or by injecting files into a web application.

Cross-Site Request Forgery (CSRF) Attack

The user's web browser is requested by a malicious web page to send requests to a malicious website where various vulnerable actions are performed, which are not

intended by the user. This kind of attack is dangerous in the case of financial websites.

SQL Injection Attacks

SQL injection is a code injection technique that uses the security vulnerability of adatabase for attacks. The attacker injects malicious code into the strings that are later

on passed on to SQL Server for execution.

Session Hijacking

1131Session hijacking is an attack where the attacker exploits, steals, predicts, and negotiates the real valid web session control mechanism to access the authenticated

parts of a web application.


Module 12 Page 1635


CEHModule Flow


M o d u le F lo w_ So far we have discussed web server concepts and various techniques used by the

attacker to hack web server. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.

1 Webserver Concepts Webserver Attacks

Attack Methodology Webserver Attack Tools

Webserver Pen Testing i ) Webserver Security Tools

y Patch Management Counter-measures■ —■ —

This section provides insight into the attack methodology and tools that help at various stages of hacking.


Module 12 Page 1636


-

W ebserver Attack M ethodology C EH

WebserverFootprinting

InformationGathering

Hacking W ebserver Passwords

VulnerabilityScanning


W e b S e rv e r A tta c k M e th o d o lo g yHacking a web server is accomplished in various stages. At each stage the attacker

tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of web server attack methodology include:

0Inform ation G atheringEvery attacker tries to collect as much information as possible about the target web

server. Once the information is gathered, he or she then analyzes the gathered information in order to find the security lapses in the current mechanism of the web server.

( Web Server FootprintingThe purpose of footprinting is to gather more information about security aspects of a

web server with the help of tools or footprinting techniques. The main purpose is to know about its remote access capabilities, its ports and services, and the aspects of its security.

M irroring W ebsiteW 4 J )

Website mirroring is a method of copying a website and its content onto another server for offline browsing.

V ulnerability Scanning


Module 12 Page 1637


Vulnerability scanning is a method of finding various vulnerabilities and misconfigurations of a web server. Vulnerability scanning is done with the help of various automated tools known as vulnerable scanners.

Session HijackingSession hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.

H acking Web Server Passw ordsAttackers use various password cracking methods like brute force attacks, hybrid attacks, dictionary attacks, etc. and crack web server passwords.


Module 12 Page 1638


CEHWebserver Attack Methodology: Information Gathering

WHOis.netY3ur Domain Starting Place...

UZ3

WHOIS information for ebay.com:***

[Querying who1s.vens1gn-grs.com][whols.verislgn-grs.com]Who»s Server Vereon 2.0Domain names in the .com and .net domains can now be reoistered with rrorv diftoront competing raaistrars. Go to http;///ww .intom <x«t for detailed information.

Domain Name: EBAY.COM Registrar: MARKM0N1T0R INC.Whois Server: whois.maricwiitjor.com Reterral URL: http://www.marXmonicor.com Name Server: yC-ONSl.CDAYDNS.COM N3m0 Sorvof: SJC DNS2.bBAYDNS.COMN3m« sorvor: SMF UNSl.fcBAYDNS.COM Name Server: SMF-DNSi.fcBAYDNS.COM Status: dleotDeletcPiohlblted Status: clieritTrmsf«Pral1 ibit*dStatus: dienWpdnt*Prohibit*d Status: served etePro hi bited Status: server TransterProh 1b itod Status: sorvorUDdateProhibital updated Date: 15-Sep-2010 Creation Date: 04-aug-l995 Expiration Date: 03-aug-2018

Information gathering involves collecting information about the

targeted company

Attackers search the Internet, newsgroups, bulletin boards, etc.

for information about the company

Attackers use Whois, Traceroute, Active Whois, etc. tools and

query the Whois databases to get the details such as a domain

name, an IP address, or an autonomous system number

Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance

h ttp ://www. whois. netCopyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

» W e b S e rv e r A tta c k M e th o d o lo g y : I n f o r m a t io n$__, G a th e r in g

Every attacker before hacking first collects all the required information such as versions and technologies being used by the web server, etc. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of the attackers' time is spent in the phase of information gathering only. That's why information gathering is both an art as well as a science. There are many tools that can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:

e Whois

e Traceroute

e Active Whois

e Nmap

0 Angry IP Scanner

e Netcat

# Whois

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCilAll Rights Reserved. Reproduction is Strictly Prohibited.

Module 12 Page 1639

http://www.marXmonicor.com


Source: http://www.whois.net

Whois allows you to perform a domain whois search and a whois IP lookup and search the whois database for relevant information on domain registration and availability. This can help provide insight into a domain's history and additional information. It can be used for performing a search to see who owns a domain name, how many pages from a site are listed with Google, or even search the Whois address listings for a website's owner.

W H O is .n e tY o u r D o m a in S ta r t in g P la c e . . .

WHOIS information for ebay.com:***

[Querying whois.verisign-grs.com][whois.verisign-grs.com]Whois Server Version 2.0Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

Domain Name: EBAY.COM Registrar: MARKMONITOR INC.Whois Server: whois.markmonitDr.com Referral URL: http://www.markmonitor.com Name Server: SJC-DNS1.EBAYDNS.COM Name Server: SJC-DNS2.EBAYDNS.COM Name Server: SMF-DNS1.EBAYDNS.COM Name Server: SMF-DNS2.EBAYDNS.COM Status: dientDeleteProhibited Status: dientTransferProhibited Status: dientUpdateProhibited Status: serverDeleteProhibited Status: serverTransferProhibited Status: serverUpdateProhibited Updated Date: 15-sep2010־Creation Date: 04-aug-1995 Expiration Date: 03-aug2018־

«

F IG U R E 1 2 .1 3 : W H O I S In f o r m a t io n G a t h e r in g


Module 12 Page 1640

http://www.whois.net

http://www.internic.net

http://www.markmonitor.com


C EHUrt1fw4 ilhiul lUthM

Webserver Attack Methodology: Webserver Footprinting

J Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details

J Telnet a Webserver to footprint a Webserver and gather information such as server name, server type, operating systems, applications running, etc.

J Use tool such as ID Serve, httprecon, and Netcraft to perform footprinting


W e b S e rv e r A tta c k M e th o d o lo g y : W e b s e r v e r F o o tp r in t in g

The purpose of footprinting is to gather account details, operating system and other software versions, server names, and database schema details and as much information as possible about security aspects of a target web server or network. The main purpose is to know about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet a web server to footprint a web server and gather information such as server name, server type, operating systems, applications running, etc. Examples of tools used for performing footprinting include ID Serve, httprecon, Netcraft, etc.

NetcraftSource: http://toolbar.netcraft.com

Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.


Module 12 Page 1641

http://toolbar.netcraft.com


r i E T C K A F T

Search W eb by DomainExplore 1,045.745 web sites visited by users of the Netcraft Toolbar 3rd August 2012

Search : search tips

j site contains j«׳ microsoft lookup!

e x a m p le : s ite con ta ins .netcra ft.com

Results for microsoftFound 252 sites

Site Site Report First seen Netblock OS1. www.m icrosoft.com a au g u st 1995 m icroso ft corp citrix ne tsca le r

2. supp ort.m icro so ft.com m octob er 1997 m icroso ft corp unknow n

3. techne t.m icroso ft.com m au g u st 1999 m icroso ft corp citrix ne tsca le r

4. windov<s.microsoft.com 0 ju n e 1998 m icroso ft corp windows se rve r 2008

5. m sd n .m icroso ft.com a Se p te m b e r 1998 m icroso ft corp citrix ne tsca le r

6. o ffice .m icroso ft.com £1 n o v e m b e r 1998 m icroso ft corp unknow n

7. soc ia l.tech n e t.m ic ro so ft.com a au g u st 2008 m icroso ft corp citrix ne tsca le r

8. answ ers .m icroso ft.com £1 au g u st 2009 m icroso ft lim ited windows se rve r 2008

9. v4ww.update.m icrosoft.com a m a y 2007 m icroso ft corp windows se rve r 2008

10. soc ia l.m sd n .m icro so ft.com 0 au g u st 2008 m icroso ft corp citrix n e tsca le r

11. g o .m icroso ft.com a n o v e m b e r 2001 m s hotm ail citrix n e tsca le r

12. w ind ow sup d ate .m icroso ft.com a feb u a ry 1999 m icroso ft corp windows se rve r 2008

13. up d a te .m icroso ft.com a feb u a ry 2005 m icroso ft corp windows se rve r 2008

14. ww w.m icrosofttranslator.com a n o v e m b e r 2008 a k a m a i tech n o log ies linux

15. search .m icroso ft.com m ja n u a ry 1997 a k a m a i in te rna tion a l b .v linux

16. w w .m ic ro so fts to re .co m a n o v e m b e r 2008 d ig ita l river ire land ltd. f5 b ig ־ ip

17. log in .m icroso fton line .com £1 d ecem b er 2010 m icroso ft corp windows se rve r 2003

18. w er.m icroso ft.com IB octob er 2005 m icroso ft corp windows se rve r 2008

F IG U R E 1 2 .1 4 : W e b s e r v e r F o o t p r in t in g

Module 12 Page 1642 Ethical Hacking and Countermeasures Copyright © by EC-COUIlCilAll Rights Reserved. Reproduction is Strictly Prohibited.

http://www.microsoft.com

http://www.microsofttranslator.com


Webserver Footprinting Tools CEHhttprecon 7.3 - http://www.nytimes.com:80/ I — I °

Personal Security Freeware by Steve Gibson1111 S S m

^־ ID Serveי

Internet Server Identifica.ion Utility, vl .02 Personal Security Freeware by Stev Copyright (c) 2003 by Gibson Research Corp.

0

ID S e r v eBackground Serv2r Query | Q8A/Help |

Errte* 0* copy I paste an Internet server UR_ or IP address here (example: www.microsdt.com):

' | www.google.coml

w When an Internet URL זה IP has been provided above,^ piess this button to initiate a query of the specified server.Quety The SeverC2

File C on figu ra tion F ingerprinting Repcrting Help

Ta*get (Sun ONE W eb Server 6.1)

| h tb : / / ^ | www.nytimes.com : 180

GET existing j GET longequestj GET non-ex sting] GET wrong protocol)

HTTP/1.1 200 OKDace: Thu, 11 Oct 2012 09:34:37 GMTexpires: Thu, 01 Dec 1994 16:00:00 GMT carhe-control: no-cache pragma: no-cacheSec-Cookie: ALT_ID=007f010021bb479dd5aa00SS; Expires 09:34:37 GMT; Path=/; Domain־ .nytime3.com; Sec-cookie: adxcs=-; path=/; do!rain=.nytimes. cam

Swvei query pcocessng

Server gws Content-Length: 221 FX־X SS־Protectior: 1; mode-block

■X־Frome־Options: SAMEORIGINConnection: close

The seivei identified Ise* a s :

(3

(4

Goto ID Serve web page

Matehfct (352 Implementations) | Fingerprint Details | Report Preview |

Name

a Oracle Application Server 10g 10.1.2.2.0 • S Sun Java System Web Server 7.0 • Abyss 2.5.0.0 X1V Apache 2.0.52V Apache 2.2.6V ru— 1— n c n______________________

Ready

http://www.computec.ch

h ttp://www. grc. comCopyright © by EG-G(IIIICil. All Rights Reserved. Reproduction is Strictly Prohibited.

W e b S e rv e r F o o tp r in t in g T o o lsWe have already discussed about the Netcraft tool. In addition to the Netcraft tool,

there are two more tools that allow you to perform web server footprinting. They are Httprecon and ID Serve.

Httprecon( ^ ' Source: http://www.computec.ch

Httprecon is a tool for advanced web server fingerprinting. The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This software shall improve the ease and efficiency of this kind of enumeration.


Module 12 Page 1643

http://www.nytimes.com:80/

http://www.microsdt.com

http://www.google.coml

http://www.nytimes.com




/httprecon 7.3 - http://www.nytimes.com:80— םF i le C o n f ig u r a t io n F in g e r p r in t in g R e p o r t in g H e lp

T a rg e t ( S u n O N E W e b S e r v e r G .1 )

A n a ly z e80http:/׳/ ▼ I |w w w .n y t im e s .co m

G E T existing | G E T long re q u es t | G E T non-existing \ G E T w ro n g p ro toco l | H E A D existing | O P T IO N S co m m o n

HTTP/1.1 200 OKDate: Thu, 11 Oct 2012 09:34:37 GMT Server: Apacheexpires: Thu, 01 Dec 1994 16:00:00 GMT cache-control: no-cache pragma: no-cacheSet-Cookie: ALT_ID=007f010021bb479ddSaa005S; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.nytimes.com;Set-cookie: adxca=-; path=/; domain=.nytimes.com Vary: Host

M atch lis t (352 Im p lem en ta tion s ) | F ingerp rin t D e ta ils | R e p o rt P r e v ie w

N a m e I H its M a t c h % \׳/

M O ra c le A p p lic a t io n S e r v e r 1 0g 1 0 .1 .2 .2 .0 58 8 1 .6 3 0 1 4 0 8 4 5 0 7 0 4

H22 S u n J a v a S y s te m W e b S e r v e r 7 .0 57 8 0 .2 8 1630 14084 51

# A b y s s 2 .5 .0 .0 X 1 56 7 8 .8 7 3 2 3 3 4 3 6 6 1 3 7

A p a c h e 2 .0 .5 2 56 7 8 .8 7 3 2 3 3 4 3 6 6 1 3 7

A p a c h e 2 .2 .6 56 7 8 .8 7 3 2 3 3 4 3 6 6 1 3 7V n ׳ c n EC OCC1 □7 ־70 070000,1

R e a d y .

FIGURE 12.15: Httprecon Screenshot

ID ServeSource: http://www.grc.com

ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.


Module 12 Page 1644

http://www.nytimes.com:80/

http://www.nytimes.com

http://www.grc.com


ID ServeGIn te rn e t S e r v e r Id e n t if ic a t io n U t ility , v 1 .02 P e r s o n a l S e c u r i t y F r e e w a r e b y S t e v e G ib s o n

Copyright (c) 2003 by Gibson Research Corp.ID ServeB a c k g r o u n d S e r v e r Q u e r y | Q & A / H e l p

Enter or copy I paste an Internet server URL or IP address here (example: www.microsoft.com): 1 www.google.com|

When an Internet URL or IP has been provided above, ^ press this button to initiate a query of the specified server.Query The Server

Server query processing:S e r v e r : g w s C o n te n t- L e n g th : 221 X - X S S - P r o t e c t io n : 1; m o d e = b lo c k X - F r a m e - O p t io n s : S A M E O R I G I N C o n n e c t io n : c l o s e

The server identified itself as :| gws__________________(4

ExitGoto ID Serve web pageCopy

FIGURE 12.16: ID Serve


Module 12 Page 1645



CEHWebserver Attack Methodology:Mirroring a Website

Mirror a website to create a complete profile of the site's directory structure, files structure, external links, etc

Search for comments and other items in the HTML source code to make footprinting activities more efficient

Use tools HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website

H Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test ProjecLMrttJE*€ F references Mirro log Window Help

Pa׳*־g HTML fife

lavedTiro.1-a.rfe-rdLeAc* ve correct !one4

320.26*82nr22»08* tf.19KB/») 1

W a ic rtB !

HrcdcdaMd.1400

7 ;Men*:

J□http://www. httrock. com

13 ii , local Disk <(

w m r*til . MyWebSlte

Program Res ש It) *. Program Fits WKi)

i 111 lh«s til ,i t Windows

••*1 1 NTUSSR.DAT «; local Disk *D>: M Ji DVD RW Drivt >&י

«M N«wVolum» <F1:


W e b S e rv e r A tta c k M e th o d o lo g y : M ir r o r in g a W e b s i te— Website mirroring is a method of copying a website and its content onto another

server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror website is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Various tools used for web server mirroring include HTTrack, Webripper 2.0, W inWSD, Webcopier, and Blackwidow.

CSource: http://www.httrack.com

HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link- structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online.


Module 12 Page 1646

http://www

http://www.httrack.com


Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]HFile Preferences terror Log Window JHelp

Parang HTML HeIn progress:

Information

2/14 (.13) 14 0 0

Links scanned: Files written: Fles updated: Errors:

Bytes saved: 320.26KBTime: 2min22sTransferrate: OB/s (1.19MB/s)Active connections: 1

[Actions

HelpCancelNext >;Back |

B j j Local Disk <C:>0 CEH-Tools

j H J . dell a i . inetpub B Intel B t MyWebSites g) ••Jj Program Files a J ׳ j Program Files (x86) & J 1 Users a Windows L Q NTUSER.DAT

a a Local Disk <D:>DVD RW Drive <E:>

El , . New Volume <F:>

FIGURE 12.17: Mirroring a Website


Module 12 Page 1647


CEHW e b s e r v e r A t ta c k M e th o d o lo g y : V u ln e r a b i l i ty S c a n n in g

J Sniff the network traffic to find out active systems,network services, applications, and vulnerabilities present

J Test the web server infrastructure for anymisconfiguration, outdated content, and known vulnerabilities

Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited

Use a vulnerability scanner such as HP Weblnspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities

Copyright © by K-€MICil. All Rights Reserved. Reproduction Is Strictly Prohibited.

A tta c k M e th o d o lo g y : V u ln e r a b i l i tyW e b S e rv e r S c a n n in g

Vulnerability scanning is a method of determining various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of various automated tools known as vulnerable scanners.

Vulnerability scanning allows determining the vulnerabilities that exist in the web server and its configuration. Thus, it helps to determine whether the web server is exploitable or not. Sniffing techniques are adopted in the network traffic to find out active systems, network services, applications, and vulnerabilities present.

Also, attackers test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning such as HP Weblnspect, Nessus, Paros proxy, etc. to find hosts, services, and vulnerabilities.

NessusSource: http://www.nessus.org

Nessus is a security scanning tools that scan the system remotely and reports if it detects the vulnerabilities before the attacker actually attacks and compromises them. Its five features includes high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture with features


Module 12 Page 1648

http://www.nessus.org


that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

FIGURE 12.18: Nessus S creenshot


Module 12 Page 1649


C EHW e b s e r v e r A t t a c k M e t h o d o l o g y :

S e s s i o n H i j a c k i n g

Sniff valid session IDs to gain unauthorized access to the Web Server and snoop the data

Use session hijacking techniques such as session fixation, session sidejacking, Cross-site scripting, etc. to capture valid session cookies and IDs

Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking

l־ l ° Wburp suite free edition v1A01

s:arinei - intrude! f repeats! | sequence! [ ceccflet [ comparer options ' alerts

MIME typi HTML־

J curp intruder repeater window about target

ig not found items hiding CSS image and gereral ainarr content 1 iS-g .l«-e=pcn=e= h d ng ?mrt/folders

״; ׳/»8n«nr5s1/3<ls1»3mcs;

hosth«p/«*d*orc

5: נפ0ר reaueat| params headers [ hex |~־¥יT / . • L«»«nc. '* 1 1 / m r 1 ׳ brea*r1ng_n*v•/3 . 0/banner. ntral ?cmh d»c*11T P /1 .18c: ed it ion .cnn .co»ec-Affe&t: K cs illd /S .O 1Vind0¥3 I1T 6.2; W0V61; c v : JS .0 l cko/:0100101 F ire fo x / 15.0.1

tex t/ j« vo 3 cc ip c , tex t/h tnL, «pp Li.Cflt.ion/1 xrol, text/xm l,] | | 0 matches

http :Ale co no mi dime 5 i ndiatime s o9 hltpVJedition cnn 00m —---*wrr• ־° ם I "1 http iVedifion cadd item to 9copecpiaortnis brancharfrvely scan this branch passively scan this branch engagement took [pro version onlf]compare site maps eipand branch oxpana rcquoctca no ms delete branch copy URL# in this blanch copy iioks in tnis oranchsave selected items

I Accept: tr

I : ־ ׳http://portsw igger. net

Note: For complete coverage of Session Hijacking concepts and techniques refer to Module 11: Session Hijacking

Copyright © by EG-Gtltncil. All Rights Reserved. Reproduction is Strictly Prohibited.

W e b S e r v e r A t t a c k M e t h o d o l o g y : S e s s i o n H i j a c k i n g

1 1 Session hijacking is possible once the current session of the client is identified.Complete control of the user session can be taken over by the attacker once the user establishes authentication with the server. With the help of sequence number prediction tools, attackers perform session hijacking. The attacker, after identifying the open session, predicts the sequence number of the next packet and then sends the data packets before the legitimate user sends the response with the correct sequence number. Thus, an attacker performs session hijacking. In addition to this technique, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.

Burp Suite___Source: http://portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The key components of Burp Suite include proxy, scanner, intruder tool, repeater tool, sequencer tool, etc.


Module 12 Page 1650

http://portswigger

http://portswigger.net


0- ^ 1 xburp suite free edition v1.4.01 ־

burp intruder repeater window aboutspider \ scanner [ intruder | repealer [־ sequencer | decoder [ comparer [ options | alertstarget

site map \ scope |

Filter hiding not found items; hiding CSS, image and general binary content hiding 4xx responses; hiding empty folders

I MIME tj HTML

length MIME typi676

status200params

□

URLmethodhost

GET 1 element/ssi/ads.iframes/

sponse requestparams ■' headers | hex |M '[־

T / . e l e r o e n c / 3 3 i / i n c l / b r e a k i n g _ n e v s / 3 . O / b a n n e r . h c m l ? c s i I D = c s i l T P / 1 .13 c : e d i c i o n . c n n . c o me r - A g e n c : H o z i l l a / 5 . 0 (W in d o w s N T 6 . 2 ; WOW64; c v : i 5 . 0 ) c l c o / :0 1 0 0 i0 1 F i r e f o x / 1 5 .0 . 1

A c c e p C : c e x c / j a v M c r l p c , c e x c / h c m l , a p p l l c a C lo n / x m l , c e x c / x n i l .

http7/economictimes indiatimes.com ־*9 http://edition.cnn.com

)el.□ ־0D o- 2]20׳

□ http: ׳edition.cnn.com .elementadd item to scopespider this branchactively scan this branchpassively scan this branchengagement tools [pro version only] ►compare site mapsexpand branchexpand requested Itemsdelete branchcopy URLs In this branchcopy links in this branchsave selected Items

O- CDBU O- D cn□ ־0 E L IO ־0 eu

* L ־ J SH

FIGURE 12.19: B urp S u ite S creenshot


Module 12 Page 1651

http://edition.cnn.com


W e b s e r v e r A t t a c k M e t h o d o l o g y :

H a c k i n g W e b P a s s w o r d s

Brutus - AET2 - www.hoobie.net/brutus - (January 2000) 1 ~ I ם xFile lo o ls Help

Type I HTTP (Basic Auth) ▼| Start | Stop | Deaf |Target |10.0017|

Connection Options

r Use Proxy Define10 Timeout 1" j -Connections *"־ J~

HTTP (Basic) Options

Method | HEAD ]▼J W KeepAlive

Authentication Options

W Use Username Sngle User Pass Mode |Word List

Browse | File | words.txtUser File useistxt

Positive Authentication Results

Target _ U y p e I Username I Password10.0017/ HTTP (Basic Auth) admin academic10.0017/ HTTP (Basic Auth) backup

Located and nstaled 1 authentication plugns Imtialisng...Target 10.0 017 venfied Opened user fie containing 6 users Opened password fie conta*wvg 818 Passwords Mawmum number of authentication attempts vul be 4908 Engagng target 10.0.017 with HTTP (Basic AuthJT n ■irwi • irofrt amo

Timeout Reject AuthSeq Throttle Quick Kill

h ttp ://w w w . hoobie. net


Use password cracking techniques such as brute force attack, dictionary attack, password guessing to crack Webserver passwords

Use tools such as Brutus, THC-Hydra, etc.

W e b S e r v e r A t t a c k M e t h o d o l o g y : H a c k i n g W e bP a s s w o r d s

One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Various methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacsk, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Password cracking can also be performed with the help of tools such as Brutus, THC-Hydra, etc.

BrutusO :כב

1 Source: http://www.hoobie.net

Brutus is an online or remote password cracking tools. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are been explained briefly on the following slide.


Module 12 Page 1652

http://www.hoobie.net/brutus

http://www.hoobie.net


(January 2000) ־ www.hoobie.net/brutus ־ Brutus - AET2_ םF ile J o o l s H e lp

Clearj S to pStar(T yp e | H T T P (B a s ic A u (h ) ▼~|

10 r U s e Proxy D efine10 Tim eout r T

T arget |10 .0 .0 .17|

C o nnection Options

Port 180

H T T P (B a s ic ) Options

M eth o d [H E A D W K eep A live

B ro w se

P a s s M o d e fB ro w se P a s s File

Au th en tication Options—

U s e U se rn am e I- S ing le U se r

U se r File users.txt

Po s itive Au th en tication Resu lts

Passw o rdU sern am eTypeT arget

a ca d em icH T T P (B as ic A u th ) adminH T T P (B as ic A u th ) b ack u p

10.0.0.17/10.0.0.17/

a

-

Lo ca te d an d installed 1 authen tication plug-ins Initialising...Target 10.0.0.17 verified O p en ed user file contain ing 6 users.O p en ed passw o rd file contain ing 818 Passw ords. Maximum num ber of au then tication attempts will be 4908 En g ag in g target 10.0.0 .17 with H T T P (B a s ic A uth )T r m « n 1 a r Jrr.1►־•

Tim eout R e je c t A u th S e q Throttle Q u ick Kill

FIGURE 12.20: B ru tus S creenshot


Module 12 Page 1653



C EHM o d u le Flow

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

M o d u l e F l o w

The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use

s for hacking web servers.

Webserver Concepts Webserver Attacks

Attack Methodology0

Webserver Attack Tools

Webserver Pen Testingo

Webserver Security Tools

- y Patch Management m — m —Counter-measures

This section lists and describes various web server attack tools.



Webserver Attack Tools: Metasploit

The Metasploit Framework is a penetration testing too lkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms

It supports fully automated exploitation of web servers, by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNM

ft V ModutM Tag* Q Atporto ־ T a l i 0

(J) metasploit® jet״

w mOptrabng Sy*t»rm (Top »)

• U McmolWMoM• M m• MKnaPnw

Nctwoft S n v K t i (Top S)

• 2tC DCIWC• I I I M S K M t t• )7 HETBOSS***(**• n usn«׳us(Bvv^• MUSAOPSffwctt

Target Syitttn Statu*

• MOkom**4• I Sm—d• I LOOM

PTOftCt Activity (24 Noun)

h ttp://w w w .m etasplo it.com

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction is Strictly Prohibited

W e b S e r v e r A t t a c k T o o l s : M e t a s p l o i t

Source: http://www.metasploit.com

The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes Oxley, HIPAA, or PCI DSS.

Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and for team leads to manage project access on a per-user basis. In addition, Metasploit includes customizable reporting.

Metasploit enables you to:

© Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks


http://www.metasploit.com

http://www.metasploit.com


© Assess the security of web applications, network and endpoint systems, as well as email users

© Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year

© Test with the world's largest public database of quality assured exploits

© Tunnel any traffic through compromised targets to pivot deeper into the network

© Collaborate more effectively with team members in concerted network tests

© Customize the content and template of executive, audit, and technical reports

(J metasploitTag* O Rrportt ~ TmJ״ Ql « M l p n O l S*M*o«W0 V Cwnpognt

Operating System s [Top » )

• MHonNMnocm• 2 • Konca P m tr• 2 • *0 *ף0וו״ ffntwHM• 1 • HP ***ClOOtO

Network Services (Top צ)

• 270 DCERPC Server*• 114 •SMB STOKT*• 37-N€TBOSSr<vcr*• » T׳MS ־ W *S(RV S^vcr*״• 20 USAO? Serve**

Target System S U M S

• M O n t o x M• 1 ■ SmM• 1 • loom)

Protect Activity (24 Hours)

FIGURE 12.21: M e ta s p lo it S creensho t


Module 12 Page 1656


M etasploit Architecture C E H(•rtifwtf I til 1(41 Nm Im

ץ

Protocol Tools

M o d u le s

E xplo its

Payloads

Encoders

NOPS

A u x ilia ry

Rex

Fram ew ork-C ore

^ F ram ew ork-B ase ^: A k "

7KS ecurity Tools

W eb Services

In te g ra tio n

Custom plug-ins

In te rfaces

m fsconso le

m sfcli

m s fw e b

m sfw x

m sfap i


M e t a s p l o i t A r c h i t e c t u r e

The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.


Module 12 Page 1657


\

Protocol Tools

Modules

Exploits

Payloads

Encoders

NOPS

Auxiliary

Librariesץ

Rex

Framework-Core

^ Framework-Base ^

A

<•:

Security Tools

Web Services

Integration

>־:

Custom plug-ins <

Interfaces

mfsconsole

msfcli

msfweb

msfwx

msfapi

/

FIGURE 12.22: M e ta s p lo it A rc h ite c tu re


Module 12 Page 1658


M etasploit Exploit M odule C E H

It is the basic module in Metasploit used to encapsulate an exploit using which users target many platforms with a single exploit

This module comes with simplified meta-information fields

Using a Mixins feature, users can also modify exploit behavior dynamically, brute force attacks, and attempt passive exploits

S teps to e x p lo it a sys te m fo l lo w th e M e ta s p lo it F ra m e w o rk

C o n f ig u r in g A c tiv e E x p lo it

_S e le c tin g a Ta rge t

*

&


M e t a s p l o i t E x p l o i t M o d u l e

- 1 1 1 ii The exploit module is the basic module in Metasploit used to encapsulate an exploit using which users target many platforms with a single exploit. This module comes with simplified meta-information fields. Using a Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits.

Following are the steps to exploit a system using the Metasploit framework:

© Configuring Active Exploit

Verifying the Exploit Options

Selecting a Target

Selecting the Payload

© Launching the Exploit

©

©

©


Module 12 Page 1659


M etasploit Payload Modulej Payload module establishes a communication channel between the Metasploit framework and the victim host

J It combines the arbitrary code that is executed as the result o f an exploit succeeding

J To generate payloads, first select a payload using the command:


M e t a s p l o i t P a y l o a d M o d u l e

The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after its been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it break into the system and then leaves the backpack there.

With the help of payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer.

To generate payloads, first select a payload using the command:

m s f > u s e w i n d o w s / s h e l l _ r e v e r s e _ t c p

m s f p a y l o a d ( 3 h e l l _ r e v e r s e _ t c p ) > g e n e r a t e - h

U s a g e : g e n e r a t e [ o p t i o n s ]

G e n e r a t e s a p a y l o a d .

- b < o p t > T h e l i s t o f c h a r a c t e r s t o a v o i d : , \ x 0 0 \ x f f '

- e < o p t > T h e n a m e o f t h e e n c o d e r m o d u l e t o u s e .

- h H e l p b a n n e r .

- o < o p t > A co m m a s e p a r a t e d l i s t o f o p t i o n s i n

V A R = V A L f o r m a t .

- s < o p t > N O P s l e d l e n g t h .

- t < o p t > T h e o u t p u t t y p e : r u b y , p e r i , c , o r r a w .

m s f p a y l o a d ( s h e l l r e v e r s e t c p ) >

9 S C o m m a n d P ro m p t


Module 12 Page 1660


Com m and Prom pt

msf > use windows/shell reverse tcpmsf payload(shell_reverse_tcp) > generate -hUsage: generate [options]Generates a payload.O P T I O N S :

-b <opt> The list of characters to avoid: ,\x00\xff'-e <opt> The name of the encoder module to use.-h Help banner.-o <opt> A comma separated list of options in

VAR=VAL format.-s <opt> NOP sled length.-t <opt> The output type: ruby, peri, c, or raw.msf payload(shell reverse tcp) >

FIGURE 12.23: M e ta s p lo it Payload M o d u le


;

Module 12 Page 1661


Metasploit Auxiliary Module CEH

J M e ta s p lo it 's a u x ilia ry m o d u le s can be used to p e r fo rm a rb it ra r y , o n e -

o f f a c tio n s such as p o r t scan n ing , d e n ia l o f serv ice , and even fuzz in g

J To ru n a u x ilia ry m o d u le , e ith e r use th e run c o m m a n d , o r use th e

e x p l o i t c o m m a n d

C o m m a n d P ro m p t

m s f > u s e d o s / w i n d o w s / s m b / m s 0 6 _ 0 3 5 _ m a i l s l o t

m s f a u x i l i a r y ( m s 0 6 _ 0 3 5 _ m a i l s l o t ) > s e t R H O S T 1 . 2 . 3 . 4

R H O S T = > 1 . 2 . 3 . 4

m s f a u x i l i a r y ( m s 0 6 _ 0 3 5 _ m a i l s l o t ) > r u n

[ * ] M a n g l i n g t h e k e r n e l , t w o b y t e s a t a t i m e . . .


M e t a s p l o i t A u x i l i a r y M o d u l e

Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run auxiliary module, either use the run command or use the exploit command.

Module 12 Page 1662 Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCilAll Rights Reserved. Reproduction is Strictly Prohibited.


Metasploit NOPS Module C E H(•rtifwtf I til 1(41 NmIm

NOP modules generate a no-operation instructions used fo r blocking out buffers

Use g e n e r a te command to generate a NOP sled o f an arbitrary size and display it in a given form at

OPTIONS:- b < o p t> : The list of characters to avoid: '\x00\xff'- h : Help banner.

- s < o p t> : The comma separated list of registers to save.- t < o p t> : The output type: ruby, peri, c, or raw m s f n o p (o p ty 2 )>

To generate a 50 byte NOP sled that is displayed as a C-style buffer, run the following command:

Command Promptm s f n o p ( o p t y 2 ) > g e n e r a t e - t c 5 0

u n s i g n e d c h a r b u f [ ] —

" \ x f 5 \ x 3 d \ x 0 5 \ x l 5 \ x f 8 \ x 6 7 \ x b a \ x 7 d \ x 0 8 \ x d 6 \ x 6 6 \ x 9 f \ x b 8 \ x 2 d \ x b 6 "

M\ x 2 4 \ x b e \ x b l \ x 3 f \ x 4 3 \ x l d \ x 9 3 \ x b 2 \ x 3 7 \ x 3 5 \ x 8 4 \ x d 5 \ x l 4 \ x 4 0 \ x b 4 "

״ \ x b 3 \ x 4 1 \ x b 9 \ x 4 8 \ x 0 4 \ x 9 9 \ x 4 6 \ x a 9 \ x b 0 \ x b 7 \ x 2 f \ x f d \ x 9 6 \ x 4 a \ x 9 8 "

n \ x 9 2 \ x b 5 \ x d 4 \ x 4 f \ x 9 1 " ;

m s f n o p ( o p t y 2 ) >

□Generates a NOP sled of a given length

& Command Prompt

m s f > u s e x 8 6 / o p t y 2

m s f n o p ( o p t y 2 ) > g e n e r a t e - h

U s a g e : g e n e r a t e [ o p t i o n s ] l e n g t h


M e t a s p l o i t N O P S M o d u l e

Metasploit NOP modules are used to generate no operation instructions that can be used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format. options:

-b <opt> The list of characters to avoid: ?\x00\xff?

-h Help banner.

-s <opt> The comma separated list of registers to save.

-t <opt> The output type: ruby, peri, c, or raw.

G enera te s a NOP sled of a given length


Module 12 Page 1663


To g e n e ra te a 50-byte NOP sled th a t is displayed as a C-style buffer, run th e following com m and:

msf nop(opty2) > generate -t c 50 unsigned char buf[] ="\xf5\x3d\x05\xl5\xf8\x67\xba\x7d\x08\xd6\x6 6\x9f\xb8\x2d\xb6""\x24\xbe\xbl\x3f\x43\xld\x93\xb2\x37\x35\x8 4\xd5\xl4\x40\xb4""\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2 f\xfd\x96\x4a\x98""\x92\xb5\xd4\x4f\x91"; msf nop(opty2) >

Figure 12 .25: M e ta s p lo it NOPS M o d u le


Module 12 Page 1664


Webserver Attack Tools: Wfetch I CEHWFetch allows attacker to fully customize an HTTP request and send it to a Web server to see the raw HTTP request and response data

It allows attacker to test the performance of Web sites that contain new elements such as Active Server Pages (ASP) or wireless protocols

wfeicfi - wtetcniFile Edit View Window Help

f lAdvanced Request: f Di«abled I- from file

Verb: [GET י■ | host [localHost

Path Y AAuthentcation UxrtecfcOT

l_ C 0 Jfifth. Anoryraam -d Cornsct NKpQoirah. Qphcr dctajt !race

U«er; Ckertooc.: rw * J JPogtwd: r P«c5y |60 P Reu«

Log Output [Last Status: 500 Internal Server Error;£> started....O Puny: WWWConnect::Close(” ","8<© closed source port: 7i98\r\n © MfVWConnectiConriectriocaihost" ~80')\nQ IP = "|::l].Q0"\n____________________________

http://w w w .m icrosoft.com

Copyright © by EG-G(l1ncil. All Rights Reserved. Reproduction is Strictly Prohibited.

W e b S e r v e r A t t a c k T o o l s : W f e t c h

Source: http://www.microsoft.com

Wfetch is a graphical user-interface aimed at helping customers resolve problems related to the browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem with a lightweight, very HTTP-friendly test environment. It allows for very granular testing down to the authentication, authorization, custom headers, and much more.


Module 12 Page 1665




wfetch ־ W fe tch l

£1le £d!t yiew Window Help

i) O £ &S S ■W fe tch l

Advanced RequestDisabled T *<from Heye»t> |GET Host |k>ca»x ־־> [ j.jEort |drfa״» j-JVcr |1 1

Palh: |/

TracR?

Go' |so---Raw

r Socket P Reuse

.\jthertcaboo ConnectionAulh l/Vionymoos Connect

Cipher Ckentcert

r Projy

http ^ J2 IComan | detai - ]

User | none _>JPajiwd | Igproxy 80

Log Output [Last Status: S00 Internal Server Error] ....started►־

O Proxy; WWWConnect::Close(” ,"80")\n £ closed source port 7398\r\n 4 ) WWWConnect::ConnectClocalhost".8״<r)\n 0 ::[־1:]80־ = < \n

NUMReady

Figure 12.26: W fe tc h S creenshot


Module 12 Page 1666


W e b P a s s w o r d C r a c k i n g T o o l : B r u t u s

Source: http://www.hoobie.net

Brutus is a remote password cracker's tool. It is available for Windows 9x, NT. and 2000, there is no UNIX version available, although it is a possibility at some point in the future. Brutus was written originally to help check routers for default and common passwords.

Features

Q HTTP (Basic Authentication)

e HTTP (HTML Form/CGI)

e POP3

e FTP

e SMB

Q Telnet

Q Multi-stage authentication engine

© No user name, single user name, and multiple user name modes

0 Password list, combo (user/password) list and configurable brute force modes


Module 12 Page 1667

http://www.hoobie.net


© Highly customizable authentication sequences

© Load and resume position

© Import and Export custom authentication types as BAD files seamlessly

Q SOCKS proxy support for all authentication types

0 User and password list generation and manipulation functionality

© HTML Form interpretation for HTML Form/CGI authentication types

0 Error handling and recovery capability inc. resume after crash/failure

Brutus - AET2 ־ w w w .h o o b ie .n e t/b ru tu s - (January 2000) I 1 ־־ . ם *

CleaStartType |HTTP (Basic Auth) j* J

r ך־ך־ 10 U**Ptoxy Drinc |

Eile Iools Help

Target [10001 Connection Options

Port [80 Connections *0י ־Tmeout r j )־ HTTP (Basic) Options

Method |HEAD ]» ] & KeepAJrve

Browse |

Authentication OptionsW Use Username I- Single Usei Pass Mode |W0»d List

Use» Fte ]users txt Btome | pjg [words bd

Positive Authentication ResultsPasswordUsernameTargetacademicadrran

backupHTTP (Basic Auth) HTTP (Basic Auth)

100017/100017/

Located and installed 1 authentication ptug-ns Iniiafeng.Target 10.0.0.17 verified Opened user file contamng 6 users Opened password file containing 818 Passwords Maximum number of authentication attempts wJ be 4906 Engagng target 10.0.0.17 with HTTP (Basic Auth)T mws<1 »1» w i w

Throttle

Figure 12.27: B ru tus S creenshot


Module 12 Page 1668



Web Password Cracking Tool: THC-Hydra

ר

CEHUrt1fw4 ilhiul lUthM

■ A v e ry fa s t n e tw o rk lo g o n c ra c k e r th a t s u p p o r t m a n y d if fe re n t se rv ice s

BTarget Passwords Tuning Specific Start OutputHydra v7.1 (c)2011 by van Hauser/THC& David M aciejak- fo r legal pu rp o se s JHydra (http://www.thc.org/thc hydra) starting at 2012-10-2117:01:09 [DEBUG] cmdline:/usr/bin/hydra-S -v-V -d -I Administrator-P/home/ •VDes [DATA] 4 tasks, 1 server, 4 login tries (l:1/p:4), ~1 try per task [DATA] attacking service rdp on port 3389 [VERBOSE] Resolving addresses...[DEBUG] resolving 192.168.168.1 done[DEBUG] Code: attack Time: 13S0819069[DEBUG] Options: mode 1 ssl 1 restore 0 showAttempt 1 tasks 4 m ax jjse* [DEBUG] Drains: active 0 targets 1 finished 0 todo_all4 todo4 seotO founc [DEBUG] TargetO-target 192.168.168.1 ip 192 168.168.1 login_nowpass_nc [d e b u g ] Task 0 * pid 0 active 0 redo 0 current_login_ptr (null) current .pass. [DEBUG] Task 1 pidO active 0 rcdoO currcnt_login_ptr (null) current_pass_ [DEBUGJ Task 2 • pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ [d e b u g ] Task 3 ־ pid 0 active 0 redo 0 current_login_ptr (null) current_pass_ [WARNING] rdp servers often don't like many connections, use -t 1 or ■t 4 to r [VERBOSE^ More tasks defined than login/pass pairs exist. Tasks reduced to [DEBUG] head_no[0] active 0 [DEBUGJ child 0 got target 0 selected [DEBUG] head nofi] active 0

Start Stop !Save Output Clear Output

hydra -S v-V d -I Administrator -P /home/ Desktop/pass 1 16192.16...

' xHydra

[ Be Verbose

Target Passwords Tuning Specific Start Target

® Single Target

Q Target List

Port

Protocol

Output Options

& Use SSL

C Prefer IPV6

rdp

0 Show Attempts © Debug

hydra-S-v-V d-IAdministrator-P/home/ /Desktop/pass 116192.16..

h ttp ://w w w . thc.org


/ * W e b P a s s w o r d C r a c k i n g T o o l : T H C - H y d r a

Source: http://www.thc.org

THC-Hydra is used to check for weak passwords. This tool is a brute force tool that is used by attackers as well as administrators. Hydra can automatically crack email passwords and gain access to routers, Windows systems, and telnet or SSH protected servers. It is a very fast network logon cracker that supports many different services.


Module 12 Page 1669

http://www.thc.org/thc

http://www

http://www.thc.org


x H y d ra

T a rg e t P a ssw o rd s T un ing S p e c ific S ta r t

T a rg e t

192.168.168.1

□ P re fe r IP V 6

rd p

O T a rg e t L is t

P o r t

P ro to c o l

O u tp u t O p t io n s

Use SSL

h yd ra -S -v -V -d -I A d m in is t r a to r -P /h o m e / /D e s k to p /p a s s - t 1 6 1 9 2 .1 6 .

oe<;!> x H y d ra

T a rg e t P assw ord s Tun ing S pec ific S ta r t

O u tp u tH ydra v7.1 (c )2 0 1 1 by van H auser/TH C 81 D avid M a c ie ja k fo ־ r lega l p u rp o s e s J

H ydra (h ttp : / /w w w .th c .o rg / th c -h y d ra ) s ta r t in g a t 2012-10-21 17:01:09 [DEBUG] c m d lin e :/u s r /b in /h y d ra -S -v -V -d -I A d m in is t r a to r -P /h o m e / »7Des [DATA] 4 ta sks , 1 server, 4 lo g in tr ie s ( l:1 /p :4 ) , ~1 t r y p e r ta sk [DATA] a tta c k in g se rv ice rd p on p o r t 3389 [VERBOSE] R eso lv ing a d d re s s e s ...[DEBUG] re s o lv in g 192.168.168.1 d o n e[DEBUG] C ode: a t ta c k T im e : 1350819069[DEBUG] O p tio n s : m o d e 1 ss l 1 re s to re 0 s h o w A tte m p t 1 ta sks 4 m ax_use < [DEBUG] B ra ins: a c tiv e 0 ta rg e ts 1 fin ish e d 0 to d o _ a ll4 t o d o 4 se n tO fou nc [DEBUG] T a rg e t 0 - ta rg e t 192.168.168.1 ip 192.168.168.1 lo g in n o & p a s s n c [DEBUG] Task 0 - p id 0 a c tiv e 0 re d o O c u r re n t_ lo g in _ p tr (n u ll) curren t_pass_ [D E BU G ]Task 1 -p id 0 a c t iv e 0 re d o O c u r re n t_ lo g in _ p tr (n u ll) cu rre n t_ p a ss [D E B U G ]T a sk2 -p id O a c t iv e 0 re d o O c u r re n t_ lo g in _ p tr (n u ll) curren t_pass_ [D E B U G ]T a sk3 -p id 0 a c t iv e 0 re d o O c u r re n t_ lo g in _ p tr (n u ll) cu rre n t_ p a ss [W A R N IN G ] rd p se rve rs o f te n d o n 't lik e m a ny co n n e c tio n s , use - t 1 o r - t 4 to r [VERBOSE] M o re ta sks d e fin e d th a n lo g in /p a s s p a irs e x is t. Tasks re d u ce d to [DEBUG] he ad_n o [0 ] a c tiv e 0 [DEBUG] ch ild 0 g o t ta rg e t 0 se le c te d [DEBUG] he ad_n o [1 ] a c tiv e 0

h y d ra -S -v -V -d - I A d m in is t r a to r -P /h o m e / D׳ e s k to p /p a s s - t 16 192.16 ...

Figure 12.28: THC-Hydra Screenshot


Module 12 Page 1670

http://www.thc.org/thc-hydra


EHW e b P a s s w o r d C r a c k i n g T o o l :

I n t e r n e t P a s s w o r d R e c o v e r y T o o l b o x

http;//www.rixlercom

In te rn e t P assw ord R ecovery

T o o lb o x re covers p a s s w o rd s fo r

In te rn e t b ro w se rs , e m a il c lie n ts ,

in s ta n t m essenge rs , FTP c lie n ts ,

n e tw o rk and d ia l-u p acco un ts


W e b P a s s w o r d C r a c k i n g T o o l : I n t e r n e t P a s s w o r d R e c o v e r y T o o l b o x

Source: http://www.rixler.com

Internet Password Recovery Toolbox is a comprehensive solution for recovering passwords for Internet browsers, email clients, nstant messengers, and FTP slients, It can cover network and dial-up accounts and can be used in the whole area of Internet communication links. This program offers instantaneous password recovery capabilities for almost every Internet application you expect it to provide: you name it, the program has it.


Module 12 Page 1671

http://www.rixlercom

http://www.rixler.com



Module 12 Page 1672


C EHM o d u le Flow


M o d u l e F l o w

So far, we have discussed web server concepts, techniques used by attackers, attack methodology, and tools that help in web server. All these concepts help in breaking into the web server or compromising web server security. Now it's time to discuss the countermeasures that help in enhancing the security of web servers. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. These are the key components for protecting and safeguarding the web server against web server intrusions.

1 Webserver Concepts Webserver Attacks

Attack Methodology ^ Webserver Attack Tools

^ Webserver Pen Testing ^ _^ Webserver Security Tools

■y Patch Management — ► Counter-measures ■ —■ —


Module 12 Page 1673


This section highlights web server countermeasures that protect web servers against various attacks.


Module 12 Page 1674


Countermeasures: Patches and Updates C EH

Urt1fw4 ilhiul lUthM

Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation

Test the service packs and hotfixes on a representative non-production environment prior to being deployed to production

Ensure that server outages are scheduled and a complete set of backup tapes and emergency repair disks are available

Scan for existing vulnerabilities, patch, and update the server software regularly

Apply all updates, regardless of their type on an "as-needed" basis

Ensure that service packs, hotfixes, and security patch levels are consistent on all Domain Controllers (DCs)

Schedule periodic service pack upgrades as part of operations maintenance and never try to have more than two service packs behind

Have a back-out plan that allows the system and enterprise to return to their original state, prior to the failed implementation


C o u n t e r m e a s u r e s : P a t c h e s a n d U p d a t e sThe following are a few countermeasures that can be adopted to protect web servers against various hacking techniques:

© Scan for existing vulnerabilities and patch and update the server software regularly.© Apply all updates, regardless of their type, on an "as-needed" basis.Q Ensure that service packs, hotfixes, and security patch levels are consistent on all

Domain Controllers (DCs). Ensure that server outages are scheduled and a complete setof backup tapes and emergency repair disks are available.

6 Have a back-out plan that allows the system and enterprise to return to their originalstate, prior to the failed implementation.

© Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation.

Q Test the service packs and hotfixes on a representative non-production environment prior to being deployed to production.

© Ensure that server outages are scheduled and a complete set of backup tapes and emergency repair disks are available.

© Schedule periodic service pack upgrades as part of operations maintenance and never try to have more than two service packs behind.


Module 12 Page 1675


Counterm easures: Protocols CEH(•itifwd 1 ItlMUl IlMhM

Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB

Harden the TCP/IP stack and consistently apply the latest software patches and updates to system software

9 If using insecure protocols such as Telnet, POP3, SMTP, FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies

S If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols

3 Disable WebDAV if not used by the application or keep secure if it is required


C o u n t e r m e a s u r e s : P r o t o c o l s

_ _ The following are the some measures that should be applied to the respectiveprotocols in order to protect web servers from hacking:

© Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB.

© Harden the TCP/IP stack and consistently apply the latest software patches and updates to the system software.

0 If using insecure protocols such as Telnet, POP3, SMTP, or FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies.

© If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols.

Q Disable WebDAV if not used by the application or keep secure if it is required.


Module 12 Page 1676


C ounterm easures: Accounts CEH

Remove all unused modules and application extensions

Disable unused de fau lt user accounts created during insta lla tion o f an operating system

When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content

Eliminate unnecessary database users and stored procedures and fo llow the principle o f least privilege fo r the database application to defend against SQL query poisoning

Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization

Slow down brute force and d ic tionary attacks w ith strong password policies, and then audit and a le rt fo r logon failures

Run processes using least privileged accounts as well as least privileged service and user accounts


—!—1—1

111--------- Jil

C o u n t e r m e a s u r e s : A c c o u n t s

The following is the list of account countermeasures for hacking web servers:

Q Remove all unused modules and application extensions.

© Disable unused default user accounts created during installation of an operating system.

© When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content.

Q Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning.

© Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization.

© Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures.

Q Run processes using least privileged accounts as well as least privileged service and user accounts.


Module 12 Page 1677


Countermeasures: Files and Directories c

tertMMEHtt*H4i Nath*

D isab le s e rv in g o f d ir e c to ry lis tin g s

E lim in a te th e p re s e n c e o f n o n w e b

f i le s su ch as a rc h iv e f ile s , b ack u p f ile s , te x t f ile s , an d h e a d e r/ in c lu d e

files

D isab le se rv in g c e r ta in f ile ty p e s b y c re a t in g a re s o u rc e m a p p in g

Ensure the presence of web \ application or website files and

scripts on a separate partition or drive other than that of the operating

system, logs, and any other system files

Copyright © by IG-GOHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

E lim in a te u n n e c e s s a ry f ile s w ith in th e . ja r f ile s

E lim in a te s e n s it iv e c o n f ig u ra t io n in fo rm a tio n w ith in th e b y te c o d e

A v o id m a p p in g v i r tu a l d ir e c to r ie s b e tw e e n tw o d if fe re n t s e rve rs , o r

o v e r a n e tw o rk

Monitor and check all network services logs, website access logs,

database server logs (e.g., Microsoft SQL Server, MySQL, Oracle) and OS

logs frequently

C o u n t e r m e a s u r e s : F i l e s a n d D i r e c t o r i e s

— The following is the list of actions that should be taken against files and directories in order to protect web servers from hacking:

Q Eliminate unnecessary files within.jar files.

© Eliminate sensitive configuration information within the byte code.

© Avoid mapping virtual directories between two different servers or over a network.

© Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, Oracle), and OS logs frequently.

© Disable serving of directory listings.

© Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files.

© Disable serving certain file types by creating a resource mapping

© Ensure the presence of web application or website files and scripts on a separate partition or drive other than that of the operating system, logs, and any other system files


Module 12 Page 1678


CEHHow to Defend Against Web Server Attacks

צ Audit the ports on server regularly to ensure that an insecure or unnecessary serviceis not active on your web server

_ Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL)

£ Encrypt or restrict intranet traffic

s Ensure that certificate data ranges are valid and that certificates are used for their intended purpose

S Ensure that the certificate has not been revoked and certificate's public key is validall the way to a trusted root authority

S Ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed

S Ensure that tracing is disabled ctrace enable="false"/> and debug compiles are turned off

Implement secure coding practices to avoid source code disclosure and input validation attack ט Restrict code access security policy settings to ensure that code downloaded from the Internet ט

or Intranet have no permissions to execute s Configure IIS to reject URLs with to prevent path traversal, lock down system commands

and utilities with restrictive access control lists (ACLs), and install new patches and updates


H o w t o D e f e n d A g a i n s t W e b S e r v e r A t t a c k s

The following are the various ways to defend against web server attacks:

Portsrr m nLUi 9 Audit the ports on the server regularly to ensure that an insecure or

unnecessary service is not active on your web server.

© Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL).

© Encrypt or restrict intranet traffic.

Server Certificates5L

0 Ensure that certificate data ranges are valid and that certificates are used for their intended purpose.

Q Ensure that the certificate has not been revoked and certificate's public key is valid all the way to a trusted root authority.


Module 12 Page 1679


Machine. config

© Ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed.

0 Ensure that tracing is disabled ctrace enable="false"/> and debug compiles are turned

© Implement secure coding practices to avoid source code disclosure and input validation attack.

9 Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute.

Q Configure IIS to reject URLs with to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.

Module 12 Page 1680 Ethical Hacking and Countermeasures Copyright © by EC-COUIlCilAll Rights Reserved. Reproduction is Strictly Prohibited.

off.

Code Access Security


How to Defend Against Web Server Attacks (Cont’d) C EH

IISLockdown

- Use the IISLockdown too l, which reduces the vulnerability o f a W indows 2000 Web server. It allows you to pick a specific type o f server role, and then use custom templates to improve security fo r tha t particular server

- IISLockdown installs the URLScan ISAPI filte r allowing website administrators to restrict the kind of HTTP requests tha t the server can process, based on a set o f rules the adm inistrator controls, preventing potentially harm fu l requests from reaching the server and causing damage

&Disable the services running w ith least-privileged accounts

Disable FTP, SMTP, and NNTP services if not required

Disable the Telnet service

Switch o ff all unnecessary services and disable them, so that next tim e when the server is rebooted, they are no t started automatically. This also gives an extra boost to your server performances, by freeing some hardware resources


H o w t o D e f e n d A g a i n s t W e b S e r v e r A t t a c k s ( C o n t ’ d )

' IISLockdown© IISLockdown restricts anonymous access to system utilities, as well as having the ability

to write to web content directories. To do this, IISLockdown creates two new local groups called web anonymous users and web applications, and then it adds deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories. Next, IISLockdown adds the default anonymous Internet user account (IUSR_MACHINE) to Web Anonymous Users and the IWAM_MACHINE account to Web Applications. It disables Web Distributed Authoring and Versioning (WebDav) and installs the URLScan ISAPI filter.

0 Use the IISLockdown tool, which reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server.

© IISLockdown installs the URLScan ISAPI filter, allowing website administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules the administrator controls, preventing potentially harmful requests from reaching the server and causing damage.


Module 12 Page 1681


ServicesQ Disable the services running with least-privileged accounts.

© Disable FTP, SMTP, and NNTP services if not required.

Q Disable Telnet service.

0 Switch off all unnecessary services and disable them, so that the next time the server is rebooted, they are not started automatically. This also gives an extra boost to your server performance, by freeing some hardware resources.


Module 12 Page 1682


EHHow to Defend Against Web Server Attacks (Cont’d)

Restrict banner information returned by IIS Remove unnecessary ISAPI filtersfrom th e W e b s e rv e r


H o w t o D e f e n d A g a i n s t W e b S e r v e r A t t a c k s ( C o n t ’ d )

© Registry

© Apply restricted ACLs and block remote registry administration.

© Secure the SAM (Stand-alone Servers Only).

© Share

© Remove all unnecessary file shares including the default administration shares if they are not required.

© Secure the shares with restricted NTFS permissions.

© IIS M etab ase

© Ensure that security-related settings are configured appropriately and access to the metabase file is restricted with hardened NTFS permissions.

© Restrict banner information returned by IIS.

© Auditing and Logging

© Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files.

ISAPI F ilte rs

R e g is try

Apply restricted ACLs and block remote registry administration

Secure the SAM (Stand-alone Servers Only)

S ites a n d V ir tu a l D ire c to r ie s

Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access

A u d it in g a n d Logg ing

Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files

S hares

Remove all unnecessary file shares including the default administration shares if they are not required

Secure the shares with restricted NTFS permissions

IIS M e ta b a s e

Ensure that security related settings are configured appropriately and access to the metabase file is restricted with hardened NTFS permissions

S c rip t M a p p in g s

Remove all unnecessary IIS script mappings for optional file extensions to avoid exploiting

any bugs in the ISAPI extensions that handle these types of files


Module 12 Page 1683


6 Script M appings

0 Remove all unnecessary IIS script mappings for optional file extensions to avoid exploiting any bugs in the ISAPI extensions that handle these types of file.

© Sites and Virtual Directories

© Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access.

e ISAPI Filters

© Remove unnecessary ISAPI filters from the web server.


Module 12 Page 1684


C EHHow to Defend Against Web Server Attacks (Cont’d)

Do not connect an IIS Server to the Internet

1 until it is fully hardened

Do physically protect 1 the W e b se rve r machine ' in a secure machine room

Do not allow anyone to locally log on to the machine except for the administrator

Limit the server functionality in order to support the web

I technologies that are L going to be used

Do configure a separate anonymous user account for each application, if you host multiple web applications

Do use a dedicated machine as a web server

Create URL mappings to internal servers

cautiously

Use server side session ID tracking and match connections with time

stamps, IP addresses, etc.

Use security tools provided with web server software and scanners that automate and make the process of securing a web server easy1

If a database server, such / as Microsoft SQL Server, is

to be used as a backend database, install it on a

separate server


H o w t o D e f e n d A g a i n s t W e b S e r v e r A t t a c k s ( C o n t ’ d )1111 The following is a list of actions that can be taken to defend web servers from various

kinds of attacks:

© Create URL mappings to internal servers cautiously.

© If a database server such as Microsoft SQL Server is to be used as a backend database, install it on a separate server.

© Do use a dedicated machine as a web server.

© Don't install the IIS server on a domain controller.

© Use server-side session ID tracking and match connection with time stamps, IP address, etc.

© Use security tools provided with the web server and scanners that automate and make the process of securing a web server easy.

© Screen and filter the incoming traffic request.

© Do physically protect the web server machine in a secure machine room.

Do configure a separate anonymous user account for each application, if you host multiple web applications.

©


Module 12 Page 1685


Q Do not connect an IIS Server to the Internet until it is fully hardened.

© Do not allow anyone to locally log on to the machine except for the administrator.

© Limit the server functionality in order to support the web technologies that are going tobe used.


Module 12 Page 1686


EHH o w to D e f e n d a g a i n s t H T T P R e s p o n s e S p l i t t i n g a n d W e b C a c h e P o i s o n i n g

P ro xy S erve rs

» Avoid sharing incoming TCP connections among different clients

a Use different TCP connections with the proxy for different virtual hosts

8 Implement "maintain request host header" correctly

A p p lic a t io n D e v e lo p e rs

9 Restrict web application access to unique Ips

« Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters

» Comply to RFC 2616specifications for HTTP/1.1

S e rve r A d m in

« Use latest web serversoftware

« Regularly update/patchOS and Webserver

© Run web VulnerabilityScanner


H o w t o D e f e n d a g a i n s t H T T P R e s p o n s e S p l i t t i n g a n d W e b C a c h e P o i s o n i n g

The following are the measures that should be taken in order to defend against HTTP response splitting and web cache poisoning:

e Server Admin© Use latest web server software © Regularly update/patch OS and web server © Run web vulnerability scanner Application Developers© Restrict web application access to unique IPS© Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters © Comply to RFC 2616 specifications for HTTP/1.1 Proxy Servers© Avoid sharing incoming TCP connections among different clients © Use different TCP connections with the proxy for different virtual hosts

© Implement "maintain request host header" correctly

©

©


Module 12 Page 1687


CEHM o d u le Flow


M o d u l e F l o w

Developers always try to find the bugs in the web server and try to fix them. The bug fixes are released in the form of patches. These patches provide protection against known vulnerabilities. Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities.

1 Webser ver Concepts Webserver Attacks

Attack Methodology« \

Webserver Attack Tools

Webserver Pen Testing i ) Webserver Security Tools

Patch Management Counter-measures■ —■ —

This section describes patch management concepts used to fix vulnerabilities and bugs in the web servers in order to protect them from attacks.


Module 12 Page 1688


P a tc h e s a n d H otfixes CEHUrtiffetf itkNjI lUilwt

A patch can be considered as a repair job to a programming problem

A patch is a small piece o f software designed to fix problems, security vulnerabilities, and bugs and improve the usability o r performance o f a com puter program or its supporting data

Hotfixes are sometimes packaged as a set o f fixes called a combined ho tfix o r service pack

Users may be notified through emails o r through the vendor's website

Hotfixes are an update to fix a specific customer issue and not always distributed outside the customer organization


P a t c h e s a n d H o t f i x e s

A patch is a program used to make changes in the software installed on a computer. Patches are used to fix bugs, to address the security problems, to add functionality, etc. A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs and improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job to a programming problem.

A hotfix is a package that includes various files used specifically to address various problems of software. Hotfixes are used to fix bugs in a product. Users are updated about the latest hotfixes by vendors through email or they can be downloaded from the official website. Hotfixes are an update to fix a specific customer issue and not always distributed outside the customer organization. Users may be notified through emails or through the vendor's website. Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack.


Module 12 Page 1689


What Is Patch Management? CEH

J "P a tch m a n a g e m e n t is a p rocess used to en su re th a t th e a p p ro p r ia te p a tch e s a re in s ta lle d on a

sys tem and h e lp f ix k n o w n v u ln e ra b ilit ie s "

A n a u to m a te d p a tch m a n a g e m e n t p rocess :

Detect: Use tools to detect missing security patches

Assess: Asses the issue(s) and its associated severity by mitigating the factors that may influence the decision

Acquire: Download the patch fo r testing

M ainta in: Subscribe to get notifications about vulnerabilities as they are reported

Deploy: Deploy the patch to the computers and make sure the applications are not affected

Test: Install the patch first on a testing machine to verify the consequences of the update

Copyright © by EG-G*ancil. All Rights Reserved. Reproduction Is Strictly Prohibited.

W h a t I s P a t c h M a n a g e m e n t ?

v- ״ According to http://searchenterprisedesktop.techtarget.com, patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. It involves the following:

© Choosing, verifying, testing, and applying patches

© Updating previously applied patches with current patches

© Listing patches applied previously to the current software

© Recording repositories, or depots, of patches for easy selection

© Assigning and deploying the applied patches

1. Detect: It is very important to always detect missing security patches through proper detecting tools. If there is any delay in the detection process, chances of malicious attacks are very high.

2. Assess: Once the detection process is finished it is always better to assess various issues and the associated factors related to them and better to implement those strategies where issues can be drastically reduced or eliminated.

3. Acquire: The suitable patch required to fix the issues has to be downloaded.


Module 12 Page 1690

http://searchenterprisedesktop.techtarget.com


4. Test: It is always suggested to first install the required patch on to the testing system rather than the main system as this provides a chance to verify the various consequences of updating.

5. Deploy: Patches are to be deployed into the systems with utmost =, so no application of the system is affected.

6. Maintain: It is always useful to subscribe to get notifications about various possible vulnerabilities as they are reported.


Module 12 Page 1691


I d e n t i f y i n g A p p r o p r i a t e S o u r c e s f o r

U p d a t e s a n d P a t c h e s CEH


I d e n t i f y i n g A p p r o p r i a t e S o u r c e s f o r U p d a t e s a n d P a t c h e s-i'l

'-s

It is very important to identify the appropriate source for updates and patches. You should take care of the following things related to patch management.

© Patch management that suits the operational environment and business objectives should be properly planned.

© Find appropriate updates and patches on the home sites of the applications or operating systems' vendors.

© The recommended way of tracking issues relevant to proactive patching is to register to the home sites to receive alerts.

F irs t m a k e a p a tch m a n a g e m e n t p la n th a t f its th e o p e ra t io n a l e n v iro n m e n t an db u s in e ss o b je c t iv e s

F ind ap p ro p r ia te u p d a tes and p a tch e s on th e h o m e sites o f th e a p p lica t io n s o r o p e ra t in g sys tem s ' ven d o rs

T h e re co m m e n d e d w a y o f tra ck in g issues re le v a n t to p ro a c t iv e p a tch in g is to reg is te r

to th e h o m e s ites to re ce iv e a le r ts


Module 12 Page 1692


Installation of a Patch CEH

Copyright © by EG-G(nncil. All Rights Reserved. Reproduction is Strictly Prohibited.

I n s t a l l a t i o n o f a P a t c h

You should search for a suitable patch and install it from Internet. Patches can beinstalled in two ways:

Manual Installation

In the manual installation process, the user downloads the suitable patch from the vendor and fixes it.

Automatic Installation

In automatic installation, the applications, with the help of the auto update feature, will get updated automatically.

0 9J U sers can access a n d in s ta ll s e c u r ity p a tch e s v ia th e

~ W o r ld W id e W e b0 0

, W W W

P a tc h e s c a n b e in s ta l le d in t w o w a y s

M a n u a l I n s t a l la t io n

In th is m e th o d , th e u s e r has to

d o w n lo a d th e p a tc h f r o m th e

v e n d o r a n d f ix it

A u t o m a t ic In s t a l la t io n

In th is m e th o d , th e a p p lic a t io n s

u se th e A u to U p d a te fe a tu re to

u p d a te th e m s e lv e s


Module 12 Page 1693


I m p l e m e n t a t i o n a n d V e r i f i c a t i o n o f a

S e c u r i t y P a t c h o r U p g r a d e

B e fo re in s ta ll in g a n y p a tch v e r ify th e so u rce

/ Use p ro p e r p a tc h m a n a g e m e n t p ro g ra m to v a lid a te f i le s v e rs io n s

% an d ch e cksu m s b e fo re d e p lo y in g s e c u r ity p a tch e s

T h e p a tch m a n a g e m e n t to o l m u s t be a b le to m o n ito r th e p a tc h e d י >

s ys te m s * ־ '

The p a tch m a n a g e m e n t te a m s h o u ld ch e ck fo r u p d a te s and

p a tch e s re g u la r ly


" 1 I m p l e m e n t a t i o n a n d V e r i f i c a t i o n o f a S e c u r i t y P a t c h o r U p g r a d e

You should be aware of a few things before implementing a patch. The following things should be kept in mind:

© Before installing any patch source, it should be properly verified. Use a proper patch management program to validate file versions and checksums before deploying security patches.

© The patch management team should check for updates and patches regularly. A patch management tool must be able to monitor the patched systems.


Module 12 Page 1694


P a t c h M a n a g e m e n t T o o l : M i c r o s o f t

B a s e l i n e S e c u r i t y A n a l y z e r ( M B S A )

. ־׳ ־t

J Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server

J It also scans a computer for insecure configuration settings

1Microsoft Baseline Security Analyzer 2.2־!°■

P ^ f*׳ Baseline Security Analyzer

Report Details for WORKGROUP - WIN-MSSELCK4K41 (2012-10-12 10:28:06) ! e requested checks.)Inrompfc'te Scan (Could not complete one o

(onHMtfnumr V״'ORXGRCXJ3\WJN«S£B.Q<'K‘>lIP Address: 1*9.254.103.138S « ״ «T report ,*CRKGROUP ■ WN-MSSBlCMMI (10-12*2012 10-28 AM)v a n da rr 10/12/2012 10:28 AMS u n td nfth H8SA version: 2.2.2170.0

v a r t y «pA>rr catalog:

Sett Ooo i»l(w«lr|l) V Svtunty Updjtr Sun Rm1R%

Offc* SccunCy N9 MCtflty 4xi1U; a

http://w w w .m icrosoft.com

Copyright © by EG-C*ancil. All Rights Reserved. Reproduction is Strictly Prohibited.

P a t c h M a n a g e m e n t T o o l : M i c r o s o f t B a s e l i n e S e c u r i t y * S ^ A n a l y z e r ( M B S A )

Source: http://www.microsoft.com

The Microsoft Baseline Security Analyzer (MBSA) allows you to identify missing security updates and common security misconfigurations. It is a tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.


Module 12 Page 1695




Microsoft Baseline Security Analyzer 2.2

1 M icrosoft

t 1 Baseline Security Analyzer

R epo rt D eta ils fo r WORKGROUP - W IN-M SSELCK4K41 (2 012 -10 -12 1 0 :2 8 :0 6 )fl S ecurity a s se s sm e n t:• Incomplete Scan (Could not complete one or more requested checks.)

C om pute r nam e: WORKGROUP \WIN -MSSELCK4K41IP a d d ress: 169.254.103.138S ecurity re p o r t nam e: WORKGROUP ־ WIN -MSSELCK4K41 (10-12-2012 10-28 AM)Scan d a te : 10/12/2012 10:28 AMS canned with MBSA version: 2.2.2170.0C atalog synchron iza tion d a te :S ecurity u p d a te ca talog : Microsoft Update

Sort Order: Score (worst first) v

Security Update Scan Results

S I Previous security report

R e su ltNo security updates are mssng.What was scanned Result detais

No security updates are mssrtg.What was scanned Result detais No security updates are missng.What was scanned Result detais

IQ £0py to (ipboard

Is s u eDeveloperTools,Runtimes, and Redistribu tables Security Updates Office Secunty UpdatesSQL ServerSecurityUpdates

S c o r e

0

^ Prnt this report

FIGURE 12.30: M ic ro s o ft Baseline S ecurity A na lyze r (MBSA)


Module 12 Page 1696


Patch M anagem ent Tools C(•itifwd 1

EHtfeMJl NmIm

P rism P atch M a n a g e rhttp://www.newboundary.com

S ecun ia CSIhttp ://secunia . com

L u m ens io n® P atch and

R e m e d ia t io nhttp://www.lum ension.com

V M w a re v C e n te r P ro te c th ttp ://w w w . vm ware, com

S M aaS 360® P atch A n a ly z e r

Too lU http://www.maas360.com

r i

2 - S

A lt ir is C lie n t M a n a g e m e n t

S u itehttp://www.symantec.com

GFI LA N gua rdh ttp ://w w w . gfi. com

Kaseya S e c u r ity Patch

M a n a g e m e n th ttp ://w w w . kaseya. com

ZE N w orks® P atch

M a n a g e m e n thttp://www.novell.com

S e c u r ity M a n a g e r P lus™ http://www.manageengine.com


P a t c h M a n a g e m e n t T o o l s

In addition to MBSA, there are many other tools that can be used for identifying missing patches, security updates, and common security misconfigurations. A list of patch management tools follows:

© Altiris Client Management Suite available at http://www.svmantec.com

© GFI LANguard available at http://www.gfi.com

© Kaseya Security Patch Management available at http://www.kaseya.com

© ZENworks® Patch Management available at http://www.novell.com

© Security Manager Plus available at http://www.manageengine.com

© Prism Patch Manager available at http://www.newboundary.com

© MaaS360® Patch Analyzer Tool available at http://www.maas360.com

© Secunia CSI available at http://secunia.com

© Lumension® Patch and Remediation available at http://www.lumension.com

© VMware vCenter Protect available at http://www.vmware.com


Module 12 Page 1697

http://www.newboundary.com

http://secunia

http://www.lumension.com

http://www

http://www.maas360.com

http://www.symantec.com

http://www

http://www

http://www.novell.com

http://www.manageengine.com

http://www.svmantec.com

http://www.gfi.com

http://www.kaseya.com

http://www.novell.com

http://www.manageengine.com

http://www.newboundary.com

http://www.maas360.com

http://secunia.com

http://www.lumension.com

http://www.vmware.com


C EHM o d u le Flow


M o d u l e F l o w

Web servers should always be secured in the networked computing environment to avoid the threat of being attacked. Web server security can be monitored and managed with the help of web server security tools.

aWebserver Concepts Webserver Attacks

N׳Attack Methodology © Webserver Attack Tools

r Webserver Pen Testing O Webserver Security Tools

׳ » ׳ ׳Patch Management ■ —

■ —Counter-measures

This section lists and describes various web server security tools.


Module 12 Page 1698


Web Application Security r ש uScanner: Syhunt Dynamic JL E !7

J S yhun t D ynam ic he lps to a u to m a te w e b a p p lic a t io n s e c u r ity te s t in g and g u a rd o rg a n iz a tio n 's

w e b in f r a s t ru c tu re ag a in s t va r io u s w e b a p p lic a tio n s e c u r ity th re a ts

*


W e b A p p l i c a t i o n S e c u r i t y S c a n n e r : S y h u n t D y n a m i c

^ Source: http://www.syhunt.com

Syhunt Dynamic helps to automate web application security testing and guard organization's web infrastructure against various web application security threats.

Features:

e Black-Box Testing - Assess the web application security through remote scanning. Supports any web server platform.

0 White-Box Testing - By automating the process of reviewing the web application's code,Sandcat's code scanning functionality can make the life of QA testers easier, helping them quickly find and eliminate security vulnerabilities from web applications. Supports ASP, ASP.NET, and PHP.

Q Concurrency/Scan Queue Support - Multiple security scans can be queued and thenumber of threads can be adjusted.

© Deep Crawling - Runs security tests against web pages discovered by crawling a singleURL or a set of URLs provided by the user.

© Advanced Injection ־ Maps the entire website structure (all links, forms, XHR requests,and other entry points) and tries to find custom, unique vulnerabilities by simulating a


Module 12 Page 1699

http://www.syhunt.com


wide range of attacks/sending thousands of requests (mostly GET and POST). Tests for SQL Injection, XSS, File Inclusion, and many other web application vulnerability classes.

© Reporting - Generates a report containing information about the vulnerabilities. After examining the application's response to the attacks, if the target URL is found vulnerable, it gets added to the report. Sandcat's reports also contain charts, statistics and compliance information. Syhunt offers a set of report templates tailored for different audiences.

Q Local or Remote Storage ־ Scan results are saved locally (on the disk) or remotely (in the Sandcat web server). Results can be converted at any time to HTML or multiple other available formats.

© In addition to its GUI (Graphical User Interface) functionalities, Syhunt offers an easy to use command-line interface.

V 1304715758 |<kmo.*y*unt<om) • Swwfcft Pro Hyfend£«*• £<tt loch tjdp

O ■ J)•HKh R«WJ■ 1

Anyang ndm Dor•Oadtof wboh Mi Owcfcng icbau fan•SpdHro sxtng Slap r*Nd SpdwnoapAno cc״״cM*d

SU>«r« CiOM $4• Sovmo T Ml found ■_bWKp*pXS$ F«*d c*x> >SS j*©XS״ « $found ._to

$f outtf n4»_Mdar\pfcpXS

j com 80 י»י*צ0> B j Ho•! Mamahon

M £m*h

9 3 J$4«MdP*9«E *«•£•«»

£ gf Souk* SductvM a J S0UC*a (a ViAwjfato URL 1 B WabSfeucM•

(tel •d •on X 14 «ץ• p*>111 « י ץ php9 j•! n lxtwc phpt. K_tMtK_plu(WV. ^ >Jot*pN>

O », •—**ion n ן» • d n hiddm php

irWrfcgrncr

0*cfc(CjomSMS<«K״a/XSS a Id26|

FIGURE 12.31: S yhun t D ynam ic S creenshot


Module 12 Page 1700


EHWeb Application Security Scanner: N־Stalker Web Application Security Scanner

N -S ta lke r is a W e b A p p S e c u r ity S ca n n e r to sea rch fo r v u ln e ra b ilit ie s such as SQL in je c tio n ,

XSS, and k n o w n a ttacks A


W e b A p p l i c a t i o n S e c u r i t y S c a n n e r : N ־ S t a l k e r W e b A p p l i c a t i o n S e c u r i t y S c a n n e r

Source: http://www.nstalker.com

N-Stalker Web Application Security Scanner is a web security assessment solution for your web applications. It is a security assessment tool that incorporates N-stealth HTTP security scanner. It searches for vulnerabilities such as SQL injection, XSS, and known attacks. It helps in managing the web server and web application security. This security tool is used by developers, system/security administrators, IT auditors, and staff.


Module 12 Page 1701

http://www.nstalker.com


■ " » ) » N-Sta!ker W eb A p p lica tio n Security Scanner 2012 - Free E d ition

Scaro«r Scjr Op«on»

1 T»!r*ad* • I',*1״״““־־•׳‘״״־כ ב“ ״ ל » I >»י J tI 6 * ״ י ״ * ״ ״ ■,• 5״

| TfvMda Contra , Faoa Poa«Na Corarai |

Scanner Ivmtt

JHtgh(•! MmI(• ) low ;1 H o |t|

mtmmk_____BytaaS♦* 1102 121

I 903 970A«g Rmoo^m Tmt K IM m iA.gT,ar*»»f Bjf* 9 •IS 84 ft*

198 00 r#Q>nan

o Vu*eraM««*Q hBp J«v a * C*«1V<

| App*c«ton ««gn 0 | O HvtfM ntt*

B # nap<rw«nnr ■ UCfOM

8 I W«ftMrv«r*•0 # I• \.P0*♦

3 | «•0 # •■ $*r׳«r<B

9 | Wat Fo m a 0 ׳#**L • lM w |,

ffl + /•*cxhtitf 0 | *t+cun Wa• affl # '

Component Mam•

Mfe#»ww • M C M N r ce*180/<9oat Ntomalon Found •׳d £ *afe S v

MctmoIMMO J j jf• Wa* Sarva* Ttc**o*>w X»C1*J

S«d• Tac*«c*9y Fo* J-״* A■ Sarva NCT F ramewoA

PMtwo'd Wafc form FoyNJ £ ע

«/ .SanNm K■ | j Cowpontntt 1^1 Scan EvtnH

FIGURE 12.32: -S ta lke r W eb A p p lic a tio n S ecurity Scanner


Module 12 Page 1702


Web Server Security Scanner: Wikto

W e b S e r v e r S e c u r i t y S c a n n e r : W i k t o

Source: http://www.sensepost.com

Wikto is for Windows, with a couple of extra features including fuzzy logic error code checking, a backend miner, Google-assisted directory mining, and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework.

Wikto may not test for SQL injections, but it is still an essential tool for penetration testers who are looking for vulnerabilities in their Internet-facing web servers.


Module 12 Page 1703

http://www.sensepost.com



Module 12 Page 1704


CEHUrt1fw4 ilhiul lUthM

W e b S e r v e r S e c u r i t y S c a n n e r :

A c u n e t i x W e b V u l n e r a b i l i t y S c a n n e r

■ Acunetix WVS checks web applications fo r SQL injections, cross-site scripting, etc.

■ It includes advanced penetration testing tools to ease manual security aud it processes, and also creates professional security audit and regulatory compliance reports

-MBAcunetix Web Vulnerability Scanner (Free Edition)

mm*\ Ptofle: Defeu

Hie Actions Tools Configuration Hdp13 p ׳66 . ל“ ־* 'a4 '_־ * L ־־׳ ׳

_] ♦ | 'A ^ A Renar: >- SsartlPL: :לר5׳ו״ *» >scrw 3n:3C,’kt Ak־rt5 simrw

threat level ׳ ocun#l «־׳level 0: Safe

*

loU «tert» found0«5«O MMrnO i °»O mrormaikxMi

TjrgrtMormjUgn http:/Avwwju00Vl)0y.<0m:80/£ Xtonict )61 request! a .

Prowess son is finisned 10a 00% Q

afc Web Alertsi H i h - n M '

V- KnowieSoe BaseF $1 Ste Structure

E t® / 0Kff t o *out .me rcrbt*:«nbt t o ‘otxDenK t o <tor׳nb8dr• •'orNfcene tO •es t*d?en׳0'

t o c r j ׳ a l r w « 1•othsuviD) tO htHSn^d^ *•*Posri

L6 St«Ctt JMQt jmocS a s *XPov*L0 »lKfc»J*"9e _p ^ 0 s H otrod

u tO ״—9 M 1.Q karma (Xu tO • ortxteenrt tO (X14 tO <l->wnon_*» «

<1_________________ י _________________ I > 1

abilty ScannerWeb Eesnner ׳%*

t_i' Tcoi3־Site Crawler !••׳#ג i

; •-;p Target Hn<fer Siijdaman Scarner

j| Bind SQL Injector|״) j■:Bunptdar

! ItTPSnffer

j $ Auoxnoeatwn icsta ; SJ Compare Resilts

3HLJ- W«b Srvw : • ® W*b SctMtca Scamtf

: 4* Wtb Servers Ed MrConfiqwatcn 34■ 1׳

••!Si Aoolcatton Selthgs *i J, seanstmo

j Sumng Protit(• ״■:it (& General

*:A Proyam UpdateVwton Jnfcrmaoon ־ *(־-וי ■

; ■jyLcenaro : 5 j Sijjpcrt Center

w utr vnphn^) vulirrabAhrt10.13 >0:0*. ־,י., [Warning] S a m n g onty tor XV* (er

Copyright © by EG-G*l1ncil. All Rights Reserved. Reproduction is Strictly Prohibited.

W e b S e r v e r S e c u r i t y S c a n n e r : A c u n e t i x W e b B V u l n e r a b i l i t y S c a n n e r

Source: http://www.acunetix.com

Acunetix Web Vulnerability Scanner checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools to ease the manual security audit processes, and also creates professional security audit and regulatory compliance reports.


Module 12 Page 1705

http://www.acunetix.com


ד3 &Acunetix Web Vulnerability Scanner (Free Edition)פ

- J S U r t

g**|a A | a I® I *ft Report / StvtURi: jjgg,eoy.com:*)/ - ProSe: [>

SWut A . Alatt Mjmmjiy

צ B | Qidf » J =2ScanRetuh

Fdc Actions T00H Configuration H

NcwScjn . J y 0. t3 •ftToo*

LA<unrt1x Threat level 0

»! have been ikKvninl 1ךAo<un(l« threat l«v«i

level 0 So(•

<

Total alerts found

oO low0 Informational

M*tFard N«F0iX1d NK Found M UFo^

1 Target information http:/,•www .juggyboy.com: 80/ *Statistics 381 requests

Progress Scan is finished $ oos.ו 00

J*. ,׳. r;׳ A*~ •־,V* Knowledge Oaic

B { j ) Site Structure־ 10/

♦ (jQ about _me♦ (£ artwork♦ downloads= «es

,Q ar tan <al-mages S (jQ htrrtSmeda

stads_page_page0.css stacks_page_pageO . js

♦ uQ games♦ (Q karma♦ 1 Ifcstyte a 14} myblog♦ (jQ quesfconjhe.nJes .-* i f t m common.

10.12 2005.55, [Warning] Scanmng oo»y lor XSS (a

Appfccaoon log Error Log [

@ Web yjncraMty Scanner '41 Web Scanner

a & Toolsjfc■ &te Crawler

Target FrxJer ^ Subdoman Scanner . J Bind SQL In)ector ( 3 HTTPEdtor *fc, HTTP S«ffer •* HTTPFuwer $ Authenocatwn Tester S Compare Resdts

3H & Web ServicesWeb ServKes Scanner

J S Web Services Ed tor “ S Config^aBon

> Acpfca&on Settings J Scan Settings

SrwngBroSw 3 & General

Program Updates •»*; Verson Information

4|j Support Center 4i P\r chase 4>j User Manual (HtmQ 4 ] User Manual (pdf) • AcuSensor

FIGURE 12.34: A cu n e tix W e b V u ln e ra b ility Scanner

Ethical Hacking and Countermeasures Copyright © by EC-COlMCilAll Rights Reserved. Reproduction is Strictly Prohibited.

Module 12 Page 1706


CEHW e b S e r v e r M a l w a r e I n f e c t i o n

M o n i t o r i n g T o o l : H a c k A l e r t

HackAlert

aomun־ AdMsfiews mas **rummCK*>90 [n te f Dj»* n l 5«tKl Ml

P«KXtWI»K 7t N M «I}

\

. . / X .

HackAlert™ is a cloud-based service tha t identifies hidden zero-day malware and drive-by downloads in websites and online advertisements

8 Protects clients and customers from malware injected websites, drive by downloads, and malicious advertising

a Identifies malware before the website is flagged as malicious

o Displays injected code snippets to facilitate remediation

t* Deploys as cloud-based SaaS or as a flexible API for enterprise integration

9 Integrates with WAF or web server modules for instant mitigation

http://www.armorize.com


W e b S e r v e r M a l w a r e I n f e c t i o n M o n i t o r i n g T o o l : H a c k A l e r t

Source http://www.armorize.com

HackAlert is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements. Optimizing multiple analysis techniques, this service identifies injected malware and generates alarms before search engines blacklist the website. This enables immediate remediation to protect customers, business reputation, and revenues. It is accessed via either a web-based SaaS interface or a flexible API that facilitates integration with enterprise security tools.


Module 12 Page 1707




HackAlert ״ ׳ י ד km יUf« UrOmmMW* A* *•■w ■׳״

7 D*r• P«Pck1

[j יס; 0*03 Jl “ I ״־•1

r*M H #)

04 M m )T«C4 S 4 m r«1f«1m fd 1$}*<1M I^M t 6

AV

\T0MSc4nt

J—*1_ע_

•ג 2• 10 >1 01 02

FIGURE 12.35: H ackA le rt S creenshot


Module 12 Page 1708


Web Server Malware Infection Monitoring Tool: QualysGuard Malware Detection C

toftNMEH

NMhM

QualysGuard® Malware Detection Service scans websites fo r malware infections and threats

i fl \ .4r C " >. .v0. https portalj ual/5.co׳n ; -iashocard

*1 -*St» «כ0׳ o יןporta .qjayicorr ־־•־־ C ii 4־

0LADTSClWR1yMOt

Dayitoard Scans Rtp«Xi Assets K/x>v*cdg«Oase

)« • .( fw t '

Step 5 of 5 Reiiew and ccnfim you setirgs

1 Details ✓ Site Detailsw

2 ScM wttinj* 1/ Own Sitesee UR.

ג Crawl exclusion llsls ✓ www.i11<><1rl>oy.com

4 S<h*d*li*g </ Tag•AMgntd 1«-־n

0 H«v«m and ConfirmScan Options

Ptg«200ion Intonoty

N mtmKu l—»W. Imv* 1mm, M m l.

Crawl •xaution list*UTintLJfl

wnre 11« (**oil* Hnmunist

h ttp ://w w w . qualys. conr

Copyright © by EG-G(l]ncil. All Rights Reserved. Reproduction is Strictly Prohibited.

W e b S e r v e r M a l w a r e I n f e c t i o n M o n i t o r i n g T o o l : Q u a l y s G u a r d M a l w a r e D e t e c t i o n

Source: http://www.qualys.com

QualysGuard Malware Detection Service scans websites thoroughly for malware infections and for a variety of threats. It provides automated alerts and reports that enable you to identify and resolve the threat. It can also be used to protect the customers of an organization from malware infections and safeguard their brand reputations, preventing website black listing. It regularly schedules scanning to monitor websites on an ongoing basis, with email alerts to quickly notify organizations when infections are discovered. Malware infection details are provided so that organizations can take quick action to isolate and remove malware.


Module 12 Page 1709

http://www

http://www.qualys.com


4- C fl Qu**a 1׳k iuS] http! portal qujtyvcom/ponai front/module/irulware/^ub'dMXbowd

Turn helptps I Oft XSite Creation

Review and confirm your settings

^ S it• D«UilsTrtie

y Own SiteSt* URL

3 Crawl exclusion lists ✓ http://www.jugovboy.com

Step 5 of 5

1 Sit© DMails

2 Scan seRings

✓ Tag*Aiagncd tags

Scheduling

0 Review and Confirm

Scan OptionsMaontim togei ?00

No headers have been defined.

Crawl exclusion listsWh«1U«

Wtur* 11• fRwfcji* F

1 3 = ■£ =

© QualysGuard Portal

Help Rini Matthews v׳■ Log Out

30 cays remanng in your tnai. ipgraoe now

-> Q | f l Quaiys. Inc [US] hrtps:;/portal.qualy£com/po1 al-trcnt/mocule/maiware/*ta0=scans.scan-H1stofy

0UALYSGUARD*

MDS

Dashboard Scans Reports Assets KnowledgeBase

1 - 20 of 31 0 & 0 v■

About | Terns of Use |

Scan Management

< Ba:k 10 scan list

Own Site

Page URL Page Name High Med Low Info Status Seventy

0 hctp://www.juggydoy.com Hone 0 0 0 0 hmshed

0 hrtpy/www.jjggyboy.com'Lifestyift'styleflyndex.׳itml 0 0 0 0 Canceled -

r j hrtp./Mww.jjggyt»y.c01n<3ame5/SI0t_Machne/hjex.htrl 0 0 0 0 Canceled -

0 httpy/www.juggyboy.co1n)Gam6s/Ninesweeperyin<fex.hiral 0 9 0 0 Canceled ־

0 hctpy/www.juggytwy.com'irdexhtml 0 0 0 0 Canceled -

0 http://www.juggyboy.co mabo ut_re.'index htnl 0 I) 0 0 Canceled -

0 http־//www.juggyt»y.c01rfseinfekMn(iex.htn1l 0 1) 0 0 Canceled ־

0 hctpy/Aww.jjcgyboy.con\<5uestcn_:he_rules׳'inCexl־tm 0 0 0 0 Canceled -

0 httpy/www.juggyboy.comlKarma/index.htral 0 D 0 0 Canceled -

FIGURE 12.36: Q ua lysG uard M a lw a re D e te c tio n S creenshot


Module 12 Page 1710

http://www.jugovboy.com

http://www.juggydoy.com

http://www.juggyboy.co

http://www.juggyboy.comlKarma/index.htral


W ebserver Security Tools CEH

JH L f Ret׳na cshttp :/ /w w w . beyondtrus t. com

N-Stealth Security Scannerh ttp :/ /w w w . nstalker. com

1 Infiltratorh ttp :/ /w w w . infiltration-sys tems. com

WebCruiserhttp://sec4app. com

NetlQ Secure Configuration Managerh ttp :/ /w w w . netiq.com

SAINTscannerhttp://w w w .saintcorporation.com

dotDefenderhttp://w w w .applicure.com

HP WeblnspectL a \ https://download.hpsm artupdate.com


W eb serve r Secu rity Toolsc Web server Security tools scan large, complex websites and web applications to tackle

web-based vulnerabilities. These tools identify application vulnerabilities as well as site exposure risk, rank threat priority, produce highly graphical, intuitive HTML reports, and indicate site security posture by vulnerabilities and threat level. Some of web server security tools include:

© Retina CS available at http://www.beyondtrust.com

© Nscan available at http://nscan.hypermart.net

© NetlQ Secure Configuration Manager available at http://www.netiq.com

© SAINTScanner available at http://www.saintcorporation.com

© HP Weblnspect available at https://download.hpsmartupdate.com

© Arirang available at http://monkey.org

© N-Stealth Security Scanner available at http://www.nstalker.com

© Infiltrator available at http://www.infiltration-systems.com

© WebCruiser available at http://sec4app.com

© dotDefender available at http://www.applicure.com


Module 12 Page 1711

http://www

http://www

http://sec4app

http://www

http://www.saintcorporation.com

http://www.applicure.com

https://download.hpsmartupdate.com

http://www.beyondtrust.com

http://nscan.hypermart.net

http://www.netiq.com

http://www.saintcorporation.com

https://download.hpsmartupdate.com

http://monkey.org

http://www.nstalker.com

http://www.infiltration-systems.com

http://sec4app.com

http://www.applicure.com


CEHM odule Flow


M odu le F lo wThe whole idea behind ethical hacking is to hack your own network or system in an

attempt to find the vulnerabilities and fix them before a real attacker exploits them system. As a penetration tester, you should conduct a penetration test on web servers in order to determine the vulnerabilities on the web server. You should apply all the hacking techniques for hacking web servers. This section describes web server pen testing tools and the steps involved in web server pen testing.

R L ) Webserver Concepts Webserver Attacks

Attack Methodology * Webserver Attack Tools

Webserver Pen Testing ^ _^ Webserver Security Tools

■1j Patch Management Counter-measures■ _■ —


Module 12 Page 1712


Web Server Pen Testing Tool: CORE Impact® Pro

CORE Impact® Pro is the software solution for assessing and testing security vulnerabilities in the organization:

9 Web Applications 0 Network Systems e Endpoint systems e Wireless Networks a Network Devices e Mobile Devices « IPS/IDS and other defenses

W eb Server Pen Testing Tool: C O R E Im p a c t® ProSource: http://www.coresecuritv.com4

CORE Impact® Pro helps you in penetrating web servers to find vulnerabilities/weaknesses in the web server. By safely exploiting vulnerabilities in your network infrastructure, this tool identifies real, tangible risks to information assets while testing the effectiveness of your existing security investments. This tool is able to perform the following:

© Identify weaknesses in web applications, web servers, and associated databases

© Dynamically generate exploits that can compromise security weaknesses

© Demonstrate the potential consequences of a breach

© Gather information necessary for addressing security issues and preventing data incidents


Module 12 Page 1713

http://www.coresecuritv.com


Fie Yew Modiie* 00 זb Http

Na״w Sta t*J rh»h«d su |Sm |R״ti gNatw... 8(74{20... I/WO, Sto oc. IvD

^HriS 3/2*120... 8/240. Phi.. 1iot. )«H|S*1•/־. *MX... 8/24/20. Fhl.. 40c. l«IU4iV... 8/24/20... 8y24!20׳. Phi.. ho:gCradt... 8/24/20... 8/24/20. Fhl.. t«

[natal... 8/220... 8/24/20. m.. IvO«eB... 8/220... 8/24/20. ft*.. t«letw... 8/220... 8/24/20. 510.. t«*letw... 8/24/20... 8/24/20. F*».. Mo3rwl... 9/24/20... 8/24/30. Fhi.. to-tetw... 8/24/20... 8/24/20. Fhi..

I. ' ■I

imPHC־P R O F E S S I O N A L

l_)L0al *01 l.bodm OOMPATH rvplat nocut lot J Buffo Overflow Prlultoe Euidutlui Exploit יה\י y _T:j AIx fin choc 1 fieri PrMfege Escalation E*pl&t

11 WX ipdateJlMh PATH ceaoe tw b t JjJ Ant Kr ,logger Elta Pnttfcge EscalabonExpert

y *׳,״״יי* 6״״׳'*' *ade Mac os X Hie Local Pnvleoe Ef£• g Aujot Animui ASAMON .SYS Plh-lege

־4־CctyNo |

$y«emlrfo |This product is !catted 10 EC-Council Haja Motadeen

Distribution k«y

PeriodFrom : Tuesday. December 28. 2010 To ־ Thursday June 30, 2011

C00VM9M • 2001-2010 COREsscuruvTechnologist 0, .״״ 0״,-״:**,. g « n

]g Network Attack and Prnotrntion

It alU.li tMMJ 0r

THs • od-le automaticalv selects uri l«jrxhs *tUOw.WT/KHvierk RPT. icartY icrngoac:77879TTts • pJ.k Nte• tQJ AJtonuQulv srleit «>d Iruxhre scfvcuOv acquredm *crmaton The Attach «1dPerptt abortMvp utiixri yevtxriy aeittrtO י׳»זייזו»ו*י׳ו about the network (to׳ nitanct, bynnnn; 1t*> !nfoination Gafrwirg itap) to automaQcalv sdiit 0 id Iruidi tairoUi attaJifa e9J1 tdioethost Itis <m׳i icojir tie folowiw nfoinwoen fol 01b

c*r fuw |

J

Bbe Coat K9 Web■ Protection Referer Priv[3 cachefsd Buffer Owrui opbt

& CDRTods R5H local exploit 3 CSRSS facename ■exploit

2sJ EbyCOIO Cover Pnvleo; Escalation E 3 ESET Smart Searity BPFW.SfS Priviege I >!1 EMn AlTerrvitf Configiraton Prwlce E3

3 sf«5SD Omamic Lrks Prluleos Escati IgJ PfeeQSO Kernel Protesw Prr.-iegebsrdat

!3 S1«5SC kOmer Lacal Privilege Escalation ״^^ FreeBSD mbufs asrdfile Ca<hePoso FreeBSD mctnt Locd Privleoe Escalatton

[gj PreeQSC pseudoa NUU Ponter Qsrefere FreeBSD Tehetd Server Prlvleoe Eacalati

3 GNU Gibe ti.50 ORIGIN Pirviege Escda*GNU Id.so *fcitrary Dlopsn prtvtege Esca

3 HP Lrux Imagnq ■ard Prnbng local ex n teoee9cal3fl־[J BM [)rector CiM PrN [IS SSP jo-.er-Sde [ndube exok*i | t I׳leoeE9ral31»nEwte־Igl netd confPrh

----------------3 1D_PREL0A0 buffe ev«ibw unioc kernel doJjrkO cxpbt

(3 Untx Kernel Ext4 Mos-e Extents ICCTL Prlvlege EscjMot Explait unux kernel rrremoo -urmap eiplot

Linux KonelRDS PioUkoI P1l«-lcoeEfic4l<tnn E*ut.•> *MwvO rV.h««> CvW׳;■ v r«rvl-.׳.■ sj

r FUer modiies by targetr SiswmacU«»vUo׳jt U « .׳

Veriion 11.0.4666

rjIWT fBMOdJw

1 fid P f h 0 o, ני F ¥

FIGURE 12.37: CORE Impact* Pro Screenshot

Ethical Hacking and Countermeasures Copyright © by EC-C0l1nCilAll Rights Reserved. Reproduction is Strictly Prohibited.

Module 12 Page 1714


Web Server Pen Testing Tool: Immunity CANVAS

Copyright © by EC-CWHCil. All Rights Reserved. Reproduction is Strictly Prohibited.

W eb Server Pen Testing Tool: Im m u n ity CAN VASx — Source: http://www.immunitysec.com

CANVAS is an automated exploitation system, and a comprehensive, reliable exploit development framework for security professionals and penetration testers. It allows a pen tester to discover all possible security vulnerabilities on the web server.

11 S*ttlon: dnl«uNImmunity CANVAS V»f: 0.47 | Cuir

♦ O 5 5 Cur»#r*V j i ! MOV Slop Fipioc OS Conftg Calfcock

Mod«ies $t1r(h

> D9S> Iboi*> fWcon

OMCHpUon lH*r 0«An*d N«v» Monthly I CAW AS t>p׳c Post EipM Control Commands fa* Nod«s D«n<al of Sorvce Modules MscTooa Recon ,fools CAfWS 5*׳v»es

> r»po1t*^o׳t Cro*s »o l r!t«rfac•> Ftc«rs P ost 9 Mo<fcJ«4

Current S ta tu s C *this. I oq n»buq 1 oq

Status Action Start tr»« fend T#n« information

4#t

FIGURE 12.38: Immunity CANVAS Screenshot


Module 12 Page 1715

http://www.immunitysec.com


CEHWeb Server Pen Testing

Web server pen testing is used to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol related vulnerabilities, etc. in a web server

The best way to perform penetration testing is to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities


W eb Server Pen Testingv , v , Web server pen testing will help you to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a web server. To perform penetration testing, you need to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.

Why Web Server Pen Testing?Web server pen testing is useful for:

© Identification of Web Infrastructure: To identify make, version, and update levels of web servers; this helps in selecting exploits to test for associated published vulnerabilities.

© Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix theissue.

© Remediation of Vulnerabilities: To retest the solution against vulnerability to ensure that it is completely secure.

Remediation of Vulnerabilities

To retest the solution against vulnerability to ensure that it is completely secure

Verification of VulnerabilitiesTo exploit the vulnerability in order to test and fix the issue

Identification of Web Infrastructure

Why Webserver Pen Testing?

To identify make, version, and update levels of web servers; this helps in selecting exploits to test for associated published vulnerabilities


Module 12 Page 1716


Web Server Penetration Testing C EH

Webserver penetration testing starts with collecting as much information as possible about an organization ranging from its physical location to operating environment

Use social engineering techniques to collect information such as human resources, contact details, etc. that may help in Webserver authentication testing

Use Whois database query tools to get the details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.

Note: Refer Module 02: Footprinting and Reconnaissance for more information gathering techniques

. —u 1 1ן

□Jם1

eU

Internet, newsgroups, bulletin boards, etc.

START

Search open sources for information about

the target:

Social networking, dumpster diving

Whois, Traceroute, Active Whois, etc.

Perform social engineering

Query the Whois databases

VDocument all

information about the target


W ר־־ח1 eb Server Penetration Testing Web server penetration testing starts with collecting as much information as possible

about an organization, ranging from its physical location to operating environment. The following are the series of steps conducted by the pen tester to penetrate web server:

Step 1: Search open sources for information about the target

Try to collect as much information as possible about target organization web server ranging from its physical location to operating environment. You can obtain such information from the Internet, newsgroups, bulletin boards, etc.

Step 2: Perform Social engineering

Perform social engineering techniques to collect information such as human resources, contact details, etc. that may help in web server authentication testing. You can also perform social engineering through social networking sites or dumpster driving.

Step 3: Query the Whois databases

You can use Whois database query tools such as Whois, Traceroute, Active Whois, etc. to get details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.

Step 4: Document all information about the target


Module 12 Page 1717


You should document all the information obtained from the various sources.

Note: Refer Module 02 - Footprinting and Reconnaissance for more information about information-gathering techniques.


Module 12 Page 1718


Web Server Penetration Testing (EH(Cont'd) (•rtifwd | |U«4I IlMlwt

Fingerprint web server to gather information such as server name, server type, operating systems, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft

Crawl website to gather specific types of information from web pages, such as email addresses

Enumerate W ebserver d irectories to extract important information such as web functionalities, login forms etc.

Perform directory traversal attack to access restricted directories and execute commands outside of the web server's root directory

Fingerprint web server

^ Use tools such as httprecon, ID Serve

tי

Crawl website Use tools such as httprint, Metagoofil

1י

Enumerate web directories

> Use tools such as DirBuster

Perform directory y Use automated toolstraversal attack such as DirBuster


ijpp) W eb Server Penetration Testing (C on t’d)Step 5: Fingerprint the web server םםם1

Perform fingerprinting on the web server to gather information such as server name, server type, operating systems, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft.

Step 6: Perform website crawling

Perform website crawling to gather specific information from web pages, such as emailaddresses. You can use tools such as httprint and Metagoofil to crawl the website.

Step 7: Enumerate web directories

Enumerate web server directories to extract important information such as webfunctionalities, login forms, etc. You can do this by using tool such as DirBuster.

Step 8: Perform a directory traversal attack

Perform a directory traversal attack to access restricted directories and execute commands outside of the web server's root directory. You can do this by using automated tools such as DirBuster.


Module 12 Page 1719


Web Server Penetration Testing (EH(Cont’d) (•rtifwd | |tk<«4l IlMlwt

Perform vulnerability scanning to identify weaknesses in a network using tools such as HP Weblnspect, Nessus, etc. and determine if the system can be exploitedPerform HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header Perform web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request, which will be stored in cacheBruteforce SSH, FTP, and other services login credentials to gain unauthorizedaccessPerform session hijacking to capture valid session cookies and IDs. Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking

Examine configuration files

HTTP response hijacking

__y VPerform vulnerability Crack web server

assessment authentication

♦Perform HTTP : Bruteforce SSH, FTP,

response splitting and other services

S' it

Web cache Perform sessionpoisoning attack hijacking


W eb Server Penetration Testing (C on t’d)Step 9: Perform vulnerability scanning

Perform vulnerability scanning to identify weaknesses in a network using tools such as HP Weblnspect, Nessus, etc. and determine if the system can be exploited.

Step 10: Perform an HTTP response splitting attack

Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.

Step 11: Perform a web cache poisoning attack

Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request, which will be stored in the cache.

Step 12: Brute force login credentials

Brute force SSH, FTP, and other services login credentials to gain unauthorized access.

Step 13: Perform session hijacking

Perform session hijacking to capture valid session cookies and IDs. You can use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.


Module 12 Page 1720


Webserver Penetration Testing CEH(Cont’d) UrtifW4 j ttkKJi lUilwt

Copyright © by EG-€t0ncil. All Rights Reserved. Reproduction is Strictly Prohibited.

W eb Server Penetration Testing (C on t’d)Step 14: Perform a MITM attack

Perform a MITM attack to access sensitive information by intercepting and altering communications between an end user and web servers.Step 15: Perform web application pen testingPerform web application pen testing to determine whether applications are prone to vulnerabilities. Attackers can compromise a web server even with the help of a vulnerable web application.Step 16: Examine web server logsExamine the server logs for suspicious activities. You can do this by using tools such as Webalizer, AWStats, Ktmatu Relax, etc.Step 17: Exploit frameworksExploit the frameworks used by the web server using tools such as Acunetix, Metasploit, w3af, etc.Step 18: Document all the findings

Summarize all the tests conducted so far along with the findings for further analysis. Submit a copy of the penetration test report to the authorized person.

vPerform MITM

attack

VPerform web

application pen testing

V_______Examine

Webserver logs

VExploit

frameworks

S Perform M ITM attack to access sensitive information by intercepting and altering communications between an end- user and webservers

״ Note: Refer Module 13: Hacking Web Applications for more information on how to conduct web application pen testing

a Use tools such as Webalizer, AWStats, Ktmatu Relax, etc. to examine web sever logs

S Use tools such as Acunetix, Metasploit, w3af, etc. to exploit frameworks


Module 12 Page 1721


C EHM odule Sum m ary

□ Web servers assume critical importance in the realm of Internet security

כ Vulnerabilities exist in different releases of popular webservers and respective vendors patch these often

כ The inherent security risks owing to the compromised webservers have impact on the local area networks that host these websites, even on the normal users of web browsers

□ Looking through the long list of vulnerabilities that had been discovered and patched over the past few years, it provides an attacker ample scope to plan attacks to unpatched servers

□ Different tools/exploit codes aid an attacker in perpetrating web server's hacking

□ Countermeasures include scanning for the existing vulnerabilities and patching them immediately, anonymous access restriction, incoming traffic request screening, and filtering


V ■=־ '

y M odu le Sum m ary

© Web servers assume critical importance in the realm of Internet security.

© Vulnerabilities exist in different releases of popular web servers and respective vendorspatch these often.

© The inherent security risks owing to the compromised web servers impact the local area networks that host these websites, even on the normal users of web browsers.

© Looking through the long list of vulnerabilities that had been discovered and patchedover the past few years, it provides an attacker ample scope to plan attacks to unpatched servers.

© Different tools/exploit codes aid an attacker in perpetrating web server's hacking.

© Countermeasures include scanning for the existing vulnerabilities and patching them immediately, anonymous access restriction, incoming traffic request screening, and filtering.


Module 12 Page 1722

Ce hv8 module 12 hacking webservers

Technology

Transcript of Ce hv8 module 12 hacking webservers