Module 12
Hacking Webservers

Engineered by Hackers.

Ethical Hacking and Countermeasures v8
Module 12: Hacking Webservers
Exam 312-50

Ethical Hacking and Countermeasures Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012
Source: http://techcrunch.com

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.

According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.

Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.

Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action. A tipster tells us that the technical reason for the failure is the inaccessibility of GoDaddy's DNS servers; specifically, CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.

AnonymousOwn3r's bio reads "Security leader of #Anonymous (Official member)." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted. Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack."
Module Objectives

Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module highlights the various security concerns in the context of web servers. After finishing this module, you will understand what a web server is and how it is architected, how an attacker hacks it, the different types of attacks an attacker can carry out on web servers, the tools used in web server hacking, and so on. Web server security is a vast domain, and delving into its finer details is beyond the scope of this module.

This module familiarizes you with:
- IIS Web Server Architecture
- Why Web Servers Are Compromised
- Impact of Webserver Attacks
- Webserver Attacks
- Webserver Attack Methodology
- Webserver Attack Tools
- Metasploit Architecture
- Web Password Cracking Tools
- Countermeasures
- How to Defend Against Web Server Attacks
- Patch Management
- Patch Management Tools
- Webserver Security Tools
- Webserver Pen Testing Tools
- Webserver Pen Testing
Module Flow

To understand hacking web servers, you should first know what a web server is, how it functions, and what other elements are associated with it. All of these are simply termed web server concepts, so we will discuss web server concepts first.

Module flow:
- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Patch Management
- Counter-measures

This section gives a brief overview of the web server and its architecture. It also explains the common reasons or mistakes that encourage attackers to hack a web server and allow them to succeed, and describes the impact of attacks on the web server.
Web Server Market Shares

Source: http://w3techs.com

The following statistics show the percentages of websites using various web servers. From the statistics, it is clear that Apache is the most commonly used web server, at 64.6%. Below that, Microsoft IIS is used by 17.4% of websites.

Figure: Web server market shares (bar chart, scale 0-80%):
  Apache          64.6%
  Microsoft IIS   17.4%
  Nginx           13%
  LiteSpeed       1.7%
  Google Server   1.2%
  Tomcat          (value not legible)
  Lighttpd        (value not legible)
Open Source Web Server Architecture

The diagram below illustrates the basic components of open source web server architecture.

Figure: Open source web server architecture. Site users, the site admin, and attacks arrive over the Internet at a stack consisting of Linux, the file system, Apache, PHP (with compiled extensions), the applications, and MySQL.

Where,
- Linux - the server's operating system
- Apache - the web server component
- MySQL - a relational database
- PHP - the application layer
IIS Web Server Architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.

IIS, also known as Internet Information Services, is a web server application developed by Microsoft that can be used with Microsoft Windows. It is the second most widely used web server after the Apache HTTP server, occupying around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. The diagram that follows illustrates the basic components of IIS web server architecture:

Figure: IIS web server architecture.
  Kernel mode: protocol stack (HTTP.SYS)
  User mode: Svchost.exe hosting the WWW Service and the Windows Activation Service (WAS), which reads applicationHost.config; external apps
  Application Pool:
    Web Server Core - begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing
    Native Modules - anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging
    AppDomain with Managed Modules - for example, Forms Authentication
Website Defacement

- Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offending data
- Defaced pages expose visitors to some propaganda or misleading information until the unauthorized change is discovered and corrected

Figure: A defaced page at http://juggyboy.com/index.aspx reading "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com"

Website defacement is the process of changing the content of a website or web page. Hackers break into the web server and alter the hosted website by creating something new. Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.
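A defacement is found quickly only if something compares the served files against a known-good baseline. The following is an added example, not code from the course material: it hashes every file under a web root, stores the result as a baseline, and reports what changed. demo() builds a small constructed site in a temporary directory, simulates an unauthorized change like the one in the figure, and returns the difference; the paths and file contents are assumptions made for the example.

```python
"""Added example (not from the course material): file-integrity baseline for a
web root, used to detect defacement. demo() creates a constructed site in a
temporary directory, takes a baseline, changes files, and reports the diff."""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """{relative path: sha256} for every file under root; forward slashes keep the
    baseline portable between hosts."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_snapshots(baseline, current):
    """Files whose content changed, files that appeared, files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    with tempfile.TemporaryDirectory() as root:
        # constructed site content (assumed for the example)
        _write(root, "index.html", "<html>Welcome to juggyboy.com</html>")
        _write(root, "images/logo.txt", "logo placeholder")
        baseline = snapshot(root)  # taken after deployment; keep it off the web host in practice

        # simulate what the figure shows: front page replaced, a file dropped, one deleted
        _write(root, "index.html", "<html>You are OWNED!!!!!!!</html>")
        _write(root, "new.html", "unexpected file")
        os.remove(os.path.join(root, "images", "logo.txt"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be refreshed on every legitimate deployment and stored where a compromised server cannot rewrite it; otherwise an intruder who replaces index.html can replace the baseline too.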
Why Web Servers Are Compromised

There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites using browsers.

- Webmaster's Concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. These may take the form of viruses, Trojans, attackers, or the compromise of the information itself. Software bugs present in large, complex programs are often considered the source of imminent security lapses, and web servers, which are large, complex programs, carry these inherent risks too. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.
- Network Administrator's Concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make it almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.
- End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website can be a conduit for malicious software to bypass the firewall and permeate the local area network.

The table that follows shows the causes and consequences of web server compromises:

Cause                                                                              | Consequence
Installing the server with default settings                                        | Unnecessary default, backup, or sample files
Improper file and directory permissions                                            | Security conflicts with business ease-of-use case
Default accounts with their default or no passwords                                | Misconfigurations in web server, operating systems, and networks
Unpatched security flaws in the server software, OS, and applications              | Lack of proper security policy, procedures, and maintenance
Misconfigured SSL certificates and encryption settings                             | Bugs in server software, OS, and web applications
Use of self-signed certificates and default certificates                           | Improper authentication with external systems
Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible
Impact of Web Server Attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:
- Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, the attacker can gain a lot of useful information and can use the compromised account to launch further attacks on the web server.
- Data tampering: The attacker can alter or delete data. He or she can even replace the data with malware so that whoever connects to the web server also becomes compromised.
- Website defacement: Hackers completely change the look of the website by replacing the original data. They change the website's appearance by changing the visuals and displaying different pages with messages of their own.
- Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.
- Data theft: Data is one of the main assets of the company. Attackers can get access to sensitive company data such as the source code of a particular program.
- Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, semi-dedicated server, or virtual private server. Attackers can perform any action once they get root access.
Module Flow

Now that you are familiar with web server concepts, we move on to the possible attacks on web servers. Every action performed online relies on a web server, so the web server is considered a critical resource of an organization. This is the same reason attackers target web servers. There are many attack techniques attackers use to compromise web servers, which we will now discuss: these include HTTP response splitting attacks, web cache poisoning attacks, HTTP response hijacking, web application attacks, and others.

Module flow:
- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Patch Management
- Counter-measures
Web Server Misconfiguration

Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft.

Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds these vulnerabilities, such as remote access to an application, they become doorways for the attacker into the company's network. These loopholes in the server can help attackers bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and result in the total compromise of a website.

- Remote administration functions can give the attacker a way to break into the server.
- Some unnecessary services that are enabled are also vulnerable to hacking.
- Misconfigured/default SSL certificates.
- Verbose debug/error messages.
- Anonymous or default users/passwords.
- Sample configuration and script files.
Web Server Misconfiguration Example

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed. Consider another example, the php.ini file:

    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off

FIGURE 12.6: php.ini file on an Apache server
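Both misconfigurations above are found by reading the configuration, not by attacking the server. The following is an added example, not code from the course material or from Apache or PHP: it audits a php.ini fragment for the display_errors setting shown in Figure 12.6 and an httpd.conf fragment for a /server-status page that has no access restriction, and shows the corrected setting beside each weak one. The php.ini lines mirror the figure; the httpd.conf blocks (Apache 2.4 `Require` syntax) and the finding messages are constructed for the example.

```python
"""Added example (not from the course material): audit php.ini and httpd.conf
fragments for the two misconfigurations discussed above. The config fragments
are constructed for the example; only the php.ini lines mirror Figure 12.6."""
import re

# Constructed php.ini fragment with the weak setting from Figure 12.6
PHP_INI_WEAK = """\
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

# Same file with error display turned off; errors still reach syslog for the admin
PHP_INI_HARDENED = PHP_INI_WEAK.replace("display_errors = On", "display_errors = Off")

# Constructed httpd.conf (Apache 2.4 syntax) handing mod_status to everyone
HTTPD_WEAK = """\
<Location /server-status>
    SetHandler server-status
    Require all granted
</Location>
"""

# Same block restricted to the local host
HTTPD_HARDENED = """\
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
"""


def parse_ini(text):
    """Return {key: value} for 'key = value' lines, ignoring ';' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def audit_php_ini(text):
    """Findings for the error-handling directives; an empty list means no finding."""
    s = parse_ini(text)
    findings = []
    # PHP treats On/1/true (and stdout/stderr) as enabled
    if s.get("display_errors", "off") in ("on", "1", "true", "stdout", "stderr"):
        findings.append("display_errors: error details are sent to clients")
    if s.get("log_errors", "off") not in ("on", "1", "true"):
        findings.append("log_errors: errors are not being recorded")
    if not s.get("error_log"):
        findings.append("error_log: no destination set")
    return findings


def audit_httpd_conf(text):
    """Flag <Location> blocks that serve server-status without an IP/host restriction."""
    findings = []
    for m in re.finditer(r"<Location\s+([^>]+)>(.*?)</Location>", text, re.S | re.I):
        path, body = m.group(1).strip(), m.group(2)
        if not re.search(r"^\s*SetHandler\s+server-status\s*$", body, re.M | re.I):
            continue
        # Any Require other than 'all granted' counts as a restriction
        restricted = re.search(r"^\s*Require\s+(?!all\s+granted\b)\S", body, re.M | re.I)
        if not restricted:
            findings.append(f"{path}: server-status is reachable by anyone")
    return findings


if __name__ == "__main__":
    for label, text, audit in (("php.ini weak", PHP_INI_WEAK, audit_php_ini),
                               ("php.ini hardened", PHP_INI_HARDENED, audit_php_ini),
                               ("httpd.conf weak", HTTPD_WEAK, audit_httpd_conf),
                               ("httpd.conf hardened", HTTPD_HARDENED, audit_httpd_conf)):
        print(label, "->", audit(text) or "no findings")
```

The checker only understands the Apache 2.4 `Require` form; a 2.2-era `Order`/`Allow from` block would need its own rule, which is exactly the kind of gap a real audit script has to state rather than silently pass.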
Directory Traversal Attacks

Web servers are designed so that public access is limited to some extent. Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL. Attackers can use trial and error to navigate outside of the root directory and access sensitive information on the system.

FIGURE 12.7: Directory Traversal Attacks. The browser requests http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ and, instead of content from the scripts directory, receives a directory listing of C:\ on the server (AUTOEXEC.BAT, CONFIG.SYS, CATALINA_HOME, Documents and Settings, Program Files, Snort, WINDOWS, WinDump.exe, ...).
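The request in Figure 12.7 works because the server decodes `%5c` to a backslash after its traversal check has run. The following is an added example, not code from the course material: a request-path resolver that decodes the path the way the server eventually would (repeatedly, so double encoding is covered), treats backslashes as separators, and refuses any path that climbs above the web root, together with a scan of access-log lines for requests that would have escaped. The web root and the log lines are constructed assumptions for the example.

```python
"""Added example (not from the course material): resolve request paths safely
against a web root and scan constructed access-log lines for traversal
attempts. WEB_ROOT and the log lines are assumptions for the example."""
import posixpath
import re
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root


def decode_fully(path, max_rounds=3):
    """Percent-decode until the value stops changing, so double encoding
    (%255c -> %5c -> backslash) is seen the way the server would see it."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Map a request path to a filesystem path under web_root.
    Returns None when the path climbs above the root or carries a NUL byte."""
    path = decode_fully(url_path.split("?", 1)[0])
    if "\x00" in path:
        return None
    # IIS accepts backslashes as separators; normalise them before walking segments
    path = path.replace("\\", "/")
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                return None  # would leave the web root
            stack.pop()
        else:
            stack.append(segment)
    return posixpath.join(web_root, *stack) if stack else web_root


# Constructed access-log lines; the first and third carry the Figure 12.7 pattern
ACCESS_LOG = [
    '203.0.113.7 - - [28/Sep/2010:09:50:01 +0000] "GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 200 512',
    '198.51.100.3 - - [28/Sep/2010:09:50:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
    '203.0.113.7 - - [28/Sep/2010:09:50:03 +0000] "GET /..%255c..%255c/boot.ini HTTP/1.1" 404 0',
    '198.51.100.3 - - [28/Sep/2010:09:50:04 +0000] "GET /news/./index.html HTTP/1.1" 200 700',
]

_REQ = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_traversal_attempts(lines, web_root=WEB_ROOT):
    """Return (client_ip, request_path) for every request that would escape the root."""
    hits = []
    for line in lines:
        m = _REQ.match(line)
        if m and resolve_request_path(m.group(2), web_root) is None:
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for ip, path in find_traversal_attempts(ACCESS_LOG):
        print("traversal attempt from", ip, "->", path)
```

Walking the segments with an explicit stack, rather than calling a normalize function, is what makes the escape visible: `posixpath.normpath("/../../boot.ini")` silently returns `/boot.ini`, which would hide the attempt from the log scan.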
HTTP Response Splitting Attack

An HTTP response splitting attack is a web-based attack where a server is tricked by injecting new lines into response headers along with arbitrary code. Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection are some examples of this type of attack. The attacker alters a single request so that it appears to, and is processed by, the web server as two requests. The web server in turn responds to each request. This is accomplished by adding header response data into the input field. An attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by the web browser.

Figure: HTTP response splitting. The application copies a request parameter into a cookie header:

    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

With Input = Jason the server sends a single response:

    HTTP/1.1 200 OK
    Set-Cookie: author=Jason

With a crafted input containing line breaks, the headers are split and the browser sees a "Second Response" beginning HTTP/1.1 200 OK.
Web Cache Poisoning Attack

Web cache poisoning is an attack carried out against the reliability of an intermediate web cache, in which honest content cached for a given URL is swapped with infected content. Users of the web cache can unknowingly receive the poisoned content instead of the true, secured content when requesting that URL through the web cache. An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in the cache. The following diagram explains the whole process of web cache poisoning step by step.

Figure: Web cache poisoning.
  1. The attacker sends a request to remove the page from the cache: GET http://juggyboy.com/index.html HTTP/1.1 with Pragma: no-cache, Host: juggyboy.com, Accept-Charset: iso-8859-1,*,utf-8.
  2. The attacker sends a crafted request to http://juggyboy.com/rdir.php?site= whose parameter carries %0d%0a-encoded line breaks, a Content-Length: 0 header, and a second HTTP/1.1 200 OK response (with Last-Modified, Content-Length, and Content-Type headers) whose body is the attack page. The vulnerable redirect script is of the form shown for http://www.juggyboy.com/welcome.php?lang=, namely <?php header("Location:" . $_GET['page']); ?>. The attacker gets the first server response.
  3. The attacker requests http://juggyboy.com/index.html again (GET http://juggyboy.com/index.html HTTP/1.1, Host: juggyboy.com, User-Agent: Mozilla/4.7 [en] (WinNT; I), Accept-Charset: iso-8859-1,*,utf-8) to generate a cache entry, and the server cache now returns the second, attacker-supplied response.
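The response splitting section and the cache poisoning section above share one root cause: an untrusted value copied straight into a response header (the Set-Cookie in the Java snippet, the Location in the PHP redirect). The following is an added example, not code from the course material: a header builder that rejects CR, LF, and other control characters, restricts a redirect target to a same-site path, and a small parser that counts how many responses a cache or browser would read out of the resulting byte stream, so the split can be seen and then seen to disappear. Input values are constructed for the example.

```python
"""Added example (not from the course material) for the response splitting and
cache poisoning sections: validate header values so one response cannot be
split into two. Inputs are constructed for the example."""
import re
from urllib.parse import urlsplit

_CTL = re.compile(r"[\x00-\x1f\x7f]")  # CR, LF, NUL and the other control characters
_COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")  # RFC 6265 cookie-octet


def cookie_value_ok(value):
    """True when every character is an RFC 6265 cookie-octet (no CR/LF, space, quote, ';')."""
    return bool(_COOKIE_OCTET.match(value))


def location_ok(target):
    """True for a redirect target that is a path on this site: no scheme, no host,
    no control characters, and not the protocol-relative '//host' form."""
    if _CTL.search(target):
        return False
    parts = urlsplit(target)
    return (not parts.scheme and not parts.netloc
            and target.startswith("/") and not target.startswith(("//", "/\\")))


def unsafe_set_cookie(name, value):
    """The slide's pattern: request parameter concatenated into the header line."""
    return f"Set-Cookie: {name}={value}"


def safe_set_cookie(name, value):
    if _CTL.search(name) or not cookie_value_ok(value):
        raise ValueError("cookie name/value contains characters not allowed in a header")
    return f"Set-Cookie: {name}={value}"


def safe_location(target):
    """Replacement for header("Location:" . $_GET['page']) that only redirects within the site."""
    if not location_ok(target):
        raise ValueError("redirect target must be a control-free path on this site")
    return f"Location: {target}"


def build_response(headers, body="<html>ok</html>"):
    """Assemble a raw HTTP/1.1 response from a list of header lines."""
    return "HTTP/1.1 200 OK\r\n" + "".join(h + "\r\n" for h in headers) + "\r\n" + body


def count_responses(raw):
    """How many responses a cache or browser would parse from this stream:
    one is normal, two means the headers were split."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1."))


if __name__ == "__main__":
    tainted = "Jason\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n"  # constructed input with line breaks
    print(count_responses(build_response([unsafe_set_cookie("author", tainted)])))  # 2
    print(count_responses(build_response([safe_set_cookie("author", "Jason")])))     # 1
```

Rejecting the value is preferable to stripping the line breaks out of it: a stripped value still reaches the header with whatever else the attacker put there, whereas a rejected request is logged as an attempt and nothing reaches the cache.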
SSH Brute Force Attack

- SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network
- Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel
- SSH tunnels can be used to transmit malware and other exploits to victims without being detected

Figure: SSH brute force attack. The attacker reaches the SSH server over the Internet; behind it sit the mail server, web server, application server, file server, and the user.

SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network. To conduct an attack on SSH, the attacker first scans the SSH server to identify possible vulnerabilities. With the help of a brute force attack, the attacker obtains the login credentials. Once the attacker has the SSH login credentials, he or she uses the SSH tunnels to transmit malware and other exploits to victims without being detected.
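A brute force attempt against sshd leaves a distinctive trace: many failed logins from one source in a short window, often across several user names, and the case that matters most is a successful login from that same source afterwards. The following is an added example, not code from the course material: it parses sshd log lines in the standard syslog format and reports, per source IP, the failure count, the user names tried, whether a burst crossed the threshold inside the window, and whether a login succeeded after such a burst. The log excerpt, the threshold, and the window are constructed assumptions for the example.

```python
"""Added example (not from the course material): detect an SSH brute-force
burst in sshd log lines and flag a later success from the same source.
The log lines are constructed; threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt: one source hammers admin/root/test/guest, then gets in
AUTH_LOG = """\
Sep 28 09:50:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep 28 09:50:02 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep 28 09:50:03 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Sep 28 09:50:04 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51028 ssh2
Sep 28 09:50:05 web1 sshd[2109]: Failed password for invalid user guest from 203.0.113.7 port 51030 ssh2
Sep 28 09:50:09 web1 sshd[2111]: Accepted password for root from 203.0.113.7 port 51032 ssh2
Sep 28 09:51:30 web1 sshd[2120]: Failed password for alice from 198.51.100.3 port 40110 ssh2
Sep 28 09:51:41 web1 sshd[2122]: Accepted publickey for alice from 198.51.100.3 port 40112 ssh2
"""

_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Parse one sshd line into a dict, or None for lines that are not login results."""
    m = _LINE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; only differences between timestamps are used here
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    return d


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Per source IP: failure count, user names tried, whether >= threshold failures fell
    inside `window`, and whether a login succeeded after such a burst (the case that needs
    incident response rather than just a block)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    report = defaultdict(lambda: {"failures": 0, "users": set(),
                                  "burst": False, "success_after_burst": False})
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e:
            continue
        r = report[e["ip"]]
        if e["result"] == "Failed":
            r["failures"] += 1
            r["users"].add(e["user"])
            q = recent[e["ip"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                r["burst"] = True
        elif r["burst"]:
            r["success_after_burst"] = True
    return {ip: {**r, "users": sorted(r["users"])} for ip, r in report.items()}


if __name__ == "__main__":
    for ip, r in detect_bruteforce(AUTH_LOG).items():
        print(ip, r)
```

The "invalid user" prefix is kept in the pattern deliberately: attempts against accounts that do not exist are a strong signal on their own, since a legitimate user mistyping a password is usually still a valid user.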
Man-in-the-Middle Attack

- Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers
- The attacker acts as a proxy such that all the communication between the user and the web server passes through him

Figure: Man-in-the-middle attack. Normal traffic flows between the user and the web server; the attacker sits between them and sniffs the communication to steal session IDs.

A man-in-the-middle attack is a method where an intruder intercepts or modifies the messages being exchanged between the user and the web server by eavesdropping or intruding into a connection. This allows an attacker to steal sensitive user information, such as online banking details, user names, passwords, etc., transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through him by pretending to be a proxy. If the victim believes and agrees to the attacker's request, then all the communication between the user and the web server passes through the attacker. Thus, the attacker can steal sensitive user information.
Web Server Password Cracking

- Many hacking attempts start with cracking passwords and proving to the web server that the attacker is a valid user
- The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.
- Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, etc.
- Attackers mainly target: web form authentication cracking, SSH tunnels, FTP servers, SMTP servers, web shares

Most hacking starts with password cracking. Once the password is cracked, the hacker can log in to the network as an authorized person. The most common passwords found are password, root, administrator, admin, demo, test, guest, QWERTY, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, brute force attacks, dictionary attacks, etc. to crack passwords. Attackers mainly target:
- Web form authentication cracking
- SSH tunnels

Web Server Password Cracking Techniques

Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack passwords:

Guessing: A common cracking method used by attackers is to guess passwords, either by hand or with automated tools fed with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same thing allows the attacker to crack passwords by guessing.

Dictionary Attack: A dictionary attack is a method that tries predefined words in various combinations. It may not be effective if the password consists of special characters and symbols, but compared to a brute force attack it is less time consuming.

Brute Force Attack: In the brute force method, all possible characters are tested, for example, uppercase "A to Z," numbers "0 to 9," or lowercase "a to z." This method is useful for identifying one-word or two-word passwords, whereas if a password consists of uppercase and lowercase letters and special characters, it might take months or years to crack, which is practically impossible.

Hybrid Attack: A hybrid attack works similarly to a dictionary attack, but adds numbers or symbols to the password attempt. It is more powerful as it uses both a dictionary attack and a brute force attack, and it also covers symbols and numbers. Password cracking becomes easier with this method.
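The four techniques above map directly onto a password policy check: a password falls to guessing if it is on the common list, to a dictionary attack if it is a plain word, to a hybrid attack if it is a word decorated with digits or symbols, and otherwise only to brute force, whose cost grows with length and the number of character classes used. The following is an added example, not code from the course material or from any of the tools it names: it classifies a candidate password by the technique that would recover it first and estimates the brute-force search space. The common-password list is the one quoted on the page; the extra dictionary words, the leet-speak mapping, and the character class sizes are assumptions for the example.

```python
"""Added example (not from the course material): classify a candidate password
by the cracking technique that would recover it first and size the brute-force
search space. Dictionary extras, leet mapping and class sizes are assumptions."""
import math
import re
import string

# Common passwords named on the page, plus a few constructed dictionary entries
COMMON = {"password", "root", "administrator", "admin", "demo", "test", "guest", "qwerty"}
DICTIONARY = COMMON | {"summer", "welcome", "letmein", "dragon", "monkey"}

# Character classes a brute-force run would have to include, with their sizes
CLASS_SIZES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), 32),
}

# Hybrid attacks bolt digits/symbols onto a word; strip that decoration to find the stem
_DECORATION = re.compile(r"^[\d\W_]*(.*?)[\d\W_]*$")
_LEET = str.maketrans("@4301$!", "aaeolsi")  # assumed substitutions a hybrid rule would undo


def stem(password):
    """Lower-case core word after removing leading/trailing digits and symbols
    and undoing the leet substitutions above."""
    core = _DECORATION.match(password).group(1)
    return core.translate(_LEET).lower()


def search_space(password):
    """Size of the brute-force keyspace for this password's length and character classes."""
    chars = set(password)
    alphabet = sum(size for members, size in CLASS_SIZES.values() if chars & members)
    return alphabet ** len(password)


def bits_of_work(password):
    """log2 of the search space, a rough yardstick for brute-force effort."""
    return round(math.log2(search_space(password)), 1)


def classify(password):
    """Which technique from the text recovers this password first."""
    low = password.lower()
    if low in COMMON:
        return "guessing"
    if low in DICTIONARY:
        return "dictionary"
    if stem(password) in DICTIONARY:
        return "hybrid"
    return "brute-force only"


if __name__ == "__main__":
    for pw in ("password", "Welcome", "P@ssw0rd123!", "xK9#qL2vTz"):
        print(f"{pw:14} {classify(pw):18} {bits_of_work(pw)} bits")
```

Note that "P@ssw0rd123!" uses all four character classes and would look strong to a policy that only counts classes; the stem check is what shows it is one dictionary word plus a hybrid rule away from being recovered.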
Web Application Attacks

Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.

Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications

Directory Traversal
Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.

Parameter/Form Tampering
This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products.

Cookie Tampering
Cookie tampering is the method of poisoning or tampering with the client's cookie. Most such attacks take place when a cookie is sent from the client side to the server. Persistent and non-persistent cookies can be modified using different tools.

... constraints.

Buffer Overflow
... behavior. The attacker uses this advantage and floods the application with too much data, which in turn causes a buffer overflow attack.

Denial of Service
A denial-of-service attack is a form of attack intended to terminate the operations of a website or a server and make it unavailable to its intended users.

Session Hijacking
Session hijacking is an attack where the attacker exploits, steals, predicts, or negotiates the real, valid web session control mechanism to access the authenticated parts of a web application.
M odule Flow
CEH
M o d u l e F lo w
_ So far we have discussed web server concepts and various techniques used by the attacker to hack web server. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.
Webserver Concepts
Webserver Attacks
Attack Methodology
Patch Management
Counter-measures
This section provides insight into the attack methodology and tools that help at various stages of hacking.
Web Server Attack Methodology
Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and tries to gain unauthorized access to the web server. The stages of the web server attack methodology include:
Information Gathering
Every attacker tries to collect as much information as possible about the target web
Web Server Footprinting
The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.
Mirroring Website
Website mirroring is a method of copying a website and its content onto another server for offline browsing.
Vulnerability Scanning
Vulnerability scanning is a method of finding various vulnerabilities and misconfigurations of a web server. Vulnerability scanning is done with the help of various automated tools known as vulnerability scanners.
Session Hijacking
Session hijacking is possible once the current session of the client is identified. Complete control of the user session is taken over by the attacker by means of session hijacking.
Web Server Attack Methodology: Information Gathering
Every attacker, before hacking, first collects all the required information, such as the versions and technologies being used by the web server. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of an attacker's time is spent in the information gathering phase alone. That is why information gathering is both an art and a science. Many tools can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:
Whois
Traceroute
Active Whois
Nmap
Angry IP Scanner
Netcat
Note: For complete coverage of information gathering techniques, refer to Module 02: Footprinting and Reconnaissance.
Whois
Source: http://www.whois.net
Whois allows you to perform a domain whois search and a whois IP lookup and to search the whois database for relevant information on domain registration and availability. This can help provide insight into a domain's history and additional information. It can be used to see who owns a domain name, how many pages from a site are listed with Google, or even to search the Whois address listings for a website's owner.
FIGURE 12.13: WHOIS Information Gathering
Netcraft
Source: http://toolbar.netcraft.com
Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.
FIGURE 12.14: Webserver Footprinting
Web Server Footprinting Tools
We have already discussed the Netcraft tool. In addition to Netcraft, two more tools allow you to perform web server footprinting: Httprecon and ID Serve.
Httprecon
Source: http://www.computec.ch
Httprecon is a tool for advanced web server fingerprinting. The httprecon project does research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of given httpd implementations. This software shall improve the ease and efficiency of this kind of enumeration.
ID Serve
Source: http://www.grc.com
ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.
Web Server Attack Methodology: Mirroring a Website
Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
Search for comments and other items in the HTML source code to make footprinting activities more efficient.
Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website.
Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, WebCopier, and BlackWidow.
HTTrack
Source: http://www.httrack.com
HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, recursively building all directories and getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online.
Webserver Attack Methodology: Vulnerability Scanning
Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited.
Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities.
Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present.
Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.
Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. It is done with the help of automated tools known as vulnerability scanners. Vulnerability scanning reveals the vulnerabilities that exist in the web server and its configuration, and thus helps to determine whether the web server is exploitable. Sniffing the network traffic is used to find active systems, network services, applications, and vulnerabilities present. Attackers also test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Tools such as HP WebInspect, Nessus, Paros Proxy, etc. are used for vulnerability scanning to find hosts, services, and vulnerabilities.
Nessus
Source: http://www.nessus.org
Nessus is a security scanning tool that scans a system remotely and reports the vulnerabilities it detects before an attacker actually exploits and compromises them. Its features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.
FIGURE 12.18: Nessus Screenshot
Webserver Attack Methodology: Session Hijacking
Sniff valid session IDs to gain unauthorized access to the web server and snoop the data.
Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs.
Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
Note: For complete coverage of session hijacking concepts and techniques, refer to Module 11: Session Hijacking.
Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user has authenticated with the server. With the help of sequence number prediction tools, attackers perform session hijacking: the attacker, after identifying the open session, predicts the sequence number of the next packet and then sends data packets before the legitimate user sends the response with the correct sequence number. In addition to this technique, other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. can be used to capture valid session cookies and IDs. Tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.
Burp Suite
Source: http://portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The key components of Burp Suite include the proxy, scanner, intruder tool, repeater tool, sequencer tool, etc.
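The footprinting passages above (ID Serve and httprecon read the server's response preamble) and the session hijacking passage here both come down to what a server's own response headers give away, so one added defender-side audit serves both; it is not taken from the courseware or from any tool it names. The Python below parses a constructed HTTP response modelled on the httprecon screenshot and reports version-bearing Server / X-Powered-By headers and session-like cookies set without the Secure, HttpOnly and SameSite attributes; the response text and cookie names are constructed.

```python
"""Audit what an HTTP response preamble gives away.

Added example: parses the status line and headers of a raw HTTP response
(the same preamble server-fingerprinting tools read) and reports two things
a defender wants to know: version strings leaked by Server / X-Powered-By,
and session cookies set without the Secure, HttpOnly or SameSite attributes
that plaintext capture and script-based theft rely on being absent.
CONSTRUCTED_RESPONSE is made up for this example.
"""
import re
from typing import Dict, List, Tuple

CONSTRUCTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache/2.2.6 (Unix) PHP/5.2.4\r\n"
    "X-Powered-By: PHP/5.2.4\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

VERSION_RE = re.compile(r"\d+\.\d+")              # e.g. 2.2.6, 5.2.4
SESSION_NAME_RE = re.compile(r"sess|sid|token|auth", re.I)
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
PROTECTIVE_FLAGS = ("secure", "httponly", "samesite")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into its status line and (name, value) headers.
    Headers are returned as a list because Set-Cookie may legitimately repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def banner_disclosures(headers: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return header -> value for fingerprinting headers that carry a version.
    A bare 'Server: Apache' is not reported; 'Apache/2.2.6' is."""
    return {name: value for name, value in headers
            if name in FINGERPRINT_HEADERS and VERSION_RE.search(value)}


def weak_session_cookies(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return cookie name -> missing protective attributes for cookies whose
    name looks like a session or auth token."""
    findings: Dict[str, List[str]] = {}
    for name, value in headers:
        if name != "set-cookie":
            continue
        first, *attrs = [p.strip() for p in value.split(";")]
        cookie_name = first.split("=", 1)[0]
        if not SESSION_NAME_RE.search(cookie_name):
            continue                                # not a session-like cookie
        flags = {a.split("=", 1)[0].lower() for a in attrs}
        missing = [f for f in PROTECTIVE_FLAGS if f not in flags]
        if missing:
            findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    status, hdrs = parse_response(CONSTRUCTED_RESPONSE)
    print(status)
    print("version disclosure:", banner_disclosures(hdrs))
    print("weak session cookies:", weak_session_cookies(hdrs))
```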
FIGURE 12.19: Burp Suite Screenshot
Webserver Attack Methodology: Hacking Web Passwords
Use password cracking techniques such as brute force attack, dictionary attack, and password guessing to crack web server passwords.
Use tools such as Brutus, THC-Hydra, etc.
One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Password cracking can also be performed with the help of tools such as Brutus and THC-Hydra.
Brutus
Source: http://www.hoobie.net
Brutus is an online or remote password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slide.
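An added detection example, not from the courseware or from Brutus: the server-side footprint of the online password guessing described above is a burst of 401 responses from one source against the same protected path, so the Python below counts 401s per client IP in a sliding window over constructed Apache-style access log lines; the addresses, the /admin/ path and the timestamps are placeholders.

```python
"""Detect HTTP Basic-auth password guessing in web server access logs.

Added example: counts 401 (Unauthorized) responses per client IP inside a
sliding time window over Apache combined-log lines and reports sources that
exceed a threshold, together with the usernames they tried. The log lines
are constructed; 203.0.113.5 / 198.51.100.7, /admin/ and the timestamps are
placeholders, not values from any real server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, user: str, ts: str, method: str, path: str, status: int) -> str:
    """Build one constructed combined-log line."""
    return f'{ip} - {user} [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "-"'


# 12 HEAD requests with Basic auth in 22 seconds, alternating two usernames
# (the pattern a word-list attack against a protected path produces), plus
# normal traffic from another client with a single mistyped password.
CONSTRUCTED_LOG: List[str] = [
    _line("203.0.113.5", user, f"11/Oct/2012:09:34:{sec:02d} +0000", "HEAD", "/admin/", 401)
    for sec, user in zip(range(0, 24, 2), ["admin", "backup"] * 6)
] + [
    _line("198.51.100.7", "-", "11/Oct/2012:09:34:05 +0000", "GET", "/index.html", 200),
    _line("198.51.100.7", "jsmith", "11/Oct/2012:09:34:09 +0000", "GET", "/admin/", 401),
    _line("198.51.100.7", "jsmith", "11/Oct/2012:09:34:15 +0000", "GET", "/admin/", 200),
]


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-log line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines: List[str], threshold: int = 10,
                      window_seconds: int = 60) -> Dict[str, Tuple[int, List[str]]]:
    """Return {ip: (peak 401 count within one window, sorted usernames tried)}
    for every source whose 401s inside `window_seconds` reached `threshold`."""
    recent: Dict[str, deque] = defaultdict(deque)   # timestamps of 401s per IP
    users: Dict[str, set] = defaultdict(set)
    alerts: Dict[str, Tuple[int, List[str]]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        ip = rec["ip"]
        window = recent[ip]
        window.append(rec["ts"])
        users[ip].add(rec["user"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()                         # expire old failures
        if len(window) >= threshold:
            peak = max(len(window), alerts.get(ip, (0, []))[0])
            alerts[ip] = (peak, sorted(users[ip]))
    return alerts


if __name__ == "__main__":
    for ip, (count, names) in detect_bruteforce(CONSTRUCTED_LOG).items():
        print(f"{ip}: {count} failed Basic-auth attempts in one window, users tried: {names}")
```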
FIGURE 12.20: Brutus Screenshot
Module Flow
The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.
Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Patch Management
Counter-measures
This section lists and describes various web server attack tools.
Web Server Attack Tools: Metasploit
Source: http://www.metasploit.com
The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or PCI DSS. Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and lets team leads manage project access on a per-user basis. In addition, Metasploit includes customizable reporting.
Metasploit enables you to:
Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks
Assess the security of web applications, network and endpoint systems, as well as email users
Emulate realistic network attacks based on the leading Metasploit framework, with more than one million unique downloads in the past year
Test with the world's largest public database of quality-assured exploits
Tunnel any traffic through compromised targets to pivot deeper into the network
Collaborate more effectively with team members in concerted network tests
Customize the content and template of executive, audit, and technical reports
FIGURE 12.21: Metasploit Screenshot
Metasploit Architecture
The Metasploit framework is an open-source exploitation framework designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the most low-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.
FIGURE 12.22: Metasploit Architecture (Interfaces: msfconsole, msfcli, msfweb, msfwx, msfapi; Framework Base; Protocol Tools; Security Tools; Web Services Integration)
Metasploit Exploit Module
It is the basic module in Metasploit used to encapsulate an exploit, with which users target many platforms with a single exploit.
Using the Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits.
The exploit module is the basic module in Metasploit used to encapsulate an exploit, with which users target many platforms with a single exploit. This module comes with simplified meta-information fields. Using the Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits. The steps to exploit a system using the Metasploit framework are:
Configuring Active Exploit
Verifying the Exploit Options
Selecting a Target
Selecting the Payload
Launching the Exploit
Metasploit Payload Module
The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there. With the help of the payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. To generate payloads, first select a payload using the command:
Command Prompt
msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.

OPTIONS:
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -h        Help banner.
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -s <opt>  NOP sled length.
    -t <opt>  The output type: ruby, perl, c, or raw.
FIGURE 12.23: Metasploit Payload Module
Metasploit Auxiliary Module
Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, either use the run command or use the exploit command.
Metasploit NOPS Module
Metasploit NOP modules are used to generate no-operation instructions that can be used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format. The generate command of a NOP module (here nop(opty2)) takes the following options:
    -b  The list of characters to avoid: '\x00\xff'
    -h  Help banner.
    -s  The comma separated list of registers to save.
    -t  The output type: ruby, perl, c, or raw.
To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:
Command Prompt
msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >
Figure 12.25: Metasploit NOPS Module
Web Server Attack Tools: Wfetch
Source: http://www.microsoft.com
Wfetch is a graphical user interface aimed at helping customers resolve problems related to browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem in a lightweight, very HTTP-friendly test environment. It allows for very granular testing, down to authentication, authorization, custom headers, and much more.
Figure 12.26: Wfetch Screenshot
Web Password Cracking Tool: Brutus
Source: http://www.hoobie.net
Brutus is a remote password cracking tool. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although it is a possibility at some point in the future. Brutus was written originally to help check routers for default and common passwords.

Features:
HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3
FTP
SMB
Telnet
Multi-stage authentication engine
No user name, single user name, and multiple user name modes
Password list, combo (user/password) list, and configurable brute force modes
Highly customizable authentication sequences
Load and resume position
Import and export custom authentication types as BAD files seamlessly
SOCKS proxy support for all authentication types
User and password list generation and manipulation functionality
HTML Form interpretation for HTML Form/CGI authentication types
Error handling and recovery capability, including resume after crash/failure

Figure 12.27: Brutus Screenshot (Brutus AET2 main window with Target, Type, Pass Mode, and Positive Authentication Results panes)
Web Password Cracking Tool: THC-Hydra
Source: http://www.thc.org
THC-Hydra is used to check for weak passwords. This tool is a brute force tool that is used by attackers as well as administrators. Hydra can automatically crack email passwords and gain access to routers, Windows systems, and telnet or SSH protected servers. It is a very fast network logon cracker that supports many different services.

Figure: xHydra Screenshot (Hydra GUI with Target, Passwords, Tuning, Specific, and Start tabs; the Output pane shows Hydra v7.1 starting an RDP check against 192.168.168.1 on port 3389 with verbose and debug output enabled)
Web Password Cracking Tool: Internet Password Recovery Toolbox
Source: http://www.rixler.com
Internet Password Recovery Toolbox is a comprehensive solution for recovering passwords for Internet browsers, email clients, instant messengers, and FTP clients. It can cover network and dial-up accounts and can be used across the whole range of Internet communication links. This program offers instantaneous password recovery capabilities for almost every Internet application you expect it to provide: you name it, the program has it.
Module Flow
So far, we have discussed web server concepts, techniques used by attackers, attack methodology, and tools that help in web server attacks. All these concepts help in breaking into the web server or compromising web server security. Now it's time to discuss the countermeasures that help in enhancing the security of web servers. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. These are the key components for protecting and safeguarding the web server against intrusions.

Webserver Concepts
Webserver Attacks
Attack Methodology
Counter-measures
Patch Management

This section highlights web server countermeasures that protect web servers against various attacks.
Countermeasures: Patches and Updates
The following are a few countermeasures that can be adopted to protect web servers against various hacking techniques:
Scan for existing vulnerabilities and patch and update the server software regularly.
Apply all updates, regardless of their type, on an "as-needed" basis.
Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation.
Test the service packs and hotfixes on a representative non-production environment prior to deploying them to production.
Ensure that service packs, hotfixes, and security patch levels are consistent on all Domain Controllers (DCs).
Ensure that server outages are scheduled and a complete set of backup tapes and emergency repair disks are available.
Have a back-out plan that allows the system and enterprise to return to their original state, prior to the failed implementation.
Schedule periodic service pack upgrades as part of operations maintenance and never fall more than two service packs behind.
Countermeasures: Protocols
The following are some measures that should be applied to the respective protocols in order to protect web servers from hacking:
Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB.
Harden the TCP/IP stack and consistently apply the latest software patches and updates to the system software.
If using insecure protocols such as Telnet, POP3, SMTP, or FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies.
If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols.
Disable WebDAV if it is not used by the application, or keep it secure if it is required.
Countermeasures: Accounts
The following is the list of account countermeasures for hacking web servers:
Remove all unused modules and application extensions.
Disable unused default user accounts created during installation of an operating system.
When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content.
Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning.
Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization.
Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures.
Run processes using least privileged accounts as well as least privileged service and user accounts.
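The "audit and alert for logon failures" item is the detection half of the brute force countermeasure. The following is an added example, not code from the courseware, of what that alerting logic looks like: it parses a constructed logon log (the "date time source user result" layout, the 5-in-60-seconds threshold, and the sample lines are all assumptions) and raises one alert per source address whose failures cluster within a sliding window. The user names tried inside the window are reported as well, because one source cycling through many names is the password-spraying pattern tools such as Brutus and Hydra produce.

```python
"""Detect logon-failure bursts that signal brute force or dictionary attacks.

Added example for the 'audit and alert for logon failures' countermeasure above;
it is not code from the courseware. The log line format, the threshold and the
window size are assumptions a practitioner would adapt to IIS or Windows
Security event logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "date time source user result" layout.
SAMPLE_LOG = """\
2012-10-21 17:01:09 10.0.0.5 admin FAIL
2012-10-21 17:01:10 10.0.0.5 admin FAIL
2012-10-21 17:01:10 10.0.0.5 backup FAIL
2012-10-21 17:01:11 10.0.0.5 admin FAIL
2012-10-21 17:01:12 10.0.0.5 root FAIL
2012-10-21 17:01:13 10.0.0.5 admin FAIL
2012-10-21 17:05:00 10.0.0.9 alice OK
2012-10-21 17:06:30 10.0.0.9 alice FAIL
2012-10-21 17:20:00 10.0.0.9 alice OK
"""


def parse_line(line):
    """Split one log line into a dict with a real datetime."""
    date, time, src, user, result = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "user": user,
        "result": result,
    }


def detect_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source whose failures reach `threshold` within `window`.

    A sliding window over each source's sorted failure times ignores a slow
    trickle of genuine typos while catching tool-driven bursts. The set of user
    names tried inside the window is reported too, since many distinct names
    from one source points at password spraying.
    """
    failures = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        if event["result"] == "FAIL":
            failures[event["src"]].append((event["ts"], event["user"]))

    alerts = []
    for src, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({
                    "src": src,
                    "count": count,
                    "first": attempts[start][0],
                    "last": attempts[end][0],
                    "users": sorted({u for _, u in attempts[start:end + 1]}),
                })
                break  # one alert per source is enough for a first triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {alert['src']}: {alert['count']} failures "
              f"between {alert['first']} and {alert['last']} "
              f"against users {alert['users']}")
```

On the sample data the script alerts once, for 10.0.0.5 (five failures in four seconds against admin, backup, and root), and stays silent for 10.0.0.9, whose single failure is ordinary user error. In production the same routine would run over the IIS W3C log or Security event log export, and the threshold should be set just below the lockout policy so the alert fires before accounts start locking.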
Countermeasures: Files and Directories
The following is the list of actions that should be taken on files and directories in order to protect web servers from hacking:
Eliminate unnecessary files within .jar files.
Eliminate sensitive configuration information within the byte code.
Avoid mapping virtual directories between two different servers or over a network.
Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, Oracle), and OS logs frequently.
Disable serving of directory listings.
Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files.
Disable serving certain file types by creating a resource mapping.
Ensure the presence of web application or website files and scripts on a separate partition or drive other than that of the operating system, logs, and any other system files.
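Eliminating non-web files from the web root is easy to state and easy to let slip as a site evolves. The following is an added example, not code from the courseware, of a recurring audit that walks a web root and reports archives, backups, text files, header/include files, editor backup copies, and repository metadata. The extension and name lists, and the sample web root it builds in a temporary directory, are assumptions; a real deployment would tune them to the site's content types.

```python
"""Audit a web root for files that should never be served.

Added example for the files-and-directories countermeasures above; it is not
code from the courseware. The extension and name lists are assumptions that a
practitioner would tune to the site's real content types.
"""
import os
import tempfile

# Archive, backup, text, and header/include extensions named in the text
# as non-web content (assumed list).
NON_WEB_EXTENSIONS = {
    ".zip", ".tar", ".gz", ".7z", ".rar",
    ".bak", ".old", ".orig", ".tmp",
    ".txt", ".log", ".sql",
    ".inc", ".h",
}

# Names that leak configuration or repository metadata (assumed list).
SENSITIVE_NAMES = {"web.config.bak", ".htpasswd", ".git", ".svn"}


def audit_web_root(root):
    """Walk `root` and return (relative path, reason) pairs, sorted by path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            if name.lower() in SENSITIVE_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel.replace(os.sep, "/"), "sensitive directory"))
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in SENSITIVE_NAMES:
                findings.append((rel, "sensitive file"))
            elif name.endswith("~") or ext in NON_WEB_EXTENSIONS:
                findings.append((rel, "non-web file"))
    return sorted(findings)


def build_sample_web_root():
    """Create a constructed web root in a temporary directory for the demo."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.html": "<html></html>",
        "default.aspx": "<%@ Page %>",
        "web.config": "<configuration/>",
        "web.config.bak": "<configuration/>",   # leaked configuration backup
        "site-backup.zip": "PK",                 # archive left in the web root
        "notes.txt": "todo",                     # stray text file
        "include/header.inc": "<!-- -->",        # header/include file
        "css/site.css": "body{}",
        "app/login.aspx~": "old",                # editor backup copy
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    os.makedirs(os.path.join(root, ".svn"))      # repository metadata
    return root


if __name__ == "__main__":
    for path, reason in audit_web_root(build_sample_web_root()):
        print(f"{reason:20s} {path}")
```

The audit reports six findings for the constructed site and leaves the genuine content (index.html, default.aspx, web.config, css/site.css) alone. Pairing a scan like this with a resource mapping that refuses to serve the flagged extensions gives two independent controls: the file should not be there, and even if it is, IIS will not hand it out.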
How to Defend Against Web Server Attacks
The following are the various ways to defend against web server attacks:

Ports
Audit the ports on the server regularly to ensure that an insecure or unnecessary service is not active on your web server.
Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL).
Encrypt or restrict intranet traffic.

Server Certificates
Ensure that certificate date ranges are valid and that certificates are used for their intended purpose.
Ensure that the certificate has not been revoked and the certificate's public key is valid all the way to a trusted root authority.

Machine.config
Ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed.
Ensure that tracing is disabled (<trace enabled="false" />) and debug compiles are turned off.

Implement secure coding practices to avoid source code disclosure and input validation attacks.
Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute.
Configure IIS to reject URLs containing directory traversal sequences to prevent path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.
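The "Ports" guidance above becomes operational when the audit compares what is actually listening against the two ports the text allows inbound. The following is an added example, not code from the courseware, that parses constructed `netstat -ano`-style output (the column layout and sample lines are assumptions) and classifies each bound socket as allowed, loopback-only, or unexpected. It works on captured text rather than the live socket table so it runs offline; in practice the same parser would be fed the output of `netstat -ano` collected from each server.

```python
"""Compare listening sockets against the ports a web server is allowed to expose.

Added example for the 'Ports' countermeasures above; it is not code from the
courseware. It parses constructed `netstat -ano`-style output (an assumed
layout) rather than querying the live system, so it runs offline.
"""

# Constructed sample output in the Windows `netstat -ano` column layout (assumption).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2200
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING       2210
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       3000
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  TCP    10.0.0.17:443          10.0.0.5:51022         ESTABLISHED     1234
  TCP    [::]:80                [::]:0                 LISTENING       1234
  UDP    0.0.0.0:137            *:*                                    4
"""

ALLOWED_PORTS = {80, 443}                 # HTTP and HTTPS only, per the text
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def parse_listeners(netstat_text):
    """Yield (proto, address, port, pid) for every bound or listening socket."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                       # header lines and blank lines
        proto, local = fields[0], fields[1]
        addr, port = local.rsplit(":", 1)  # handles "[::]:80" as well as "0.0.0.0:80"
        if proto == "TCP":
            if fields[3] != "LISTENING":
                continue                   # established sessions are not exposure
            pid = fields[4]
        else:
            pid = fields[3]                # UDP rows have no State column
        yield proto, addr, int(port), pid


def audit_listeners(netstat_text, allowed_ports=ALLOWED_PORTS):
    """Classify each listener as allowed, loopback-only, or unexpected."""
    report = []
    for proto, addr, port, pid in parse_listeners(netstat_text):
        if proto == "TCP" and port in allowed_ports:
            verdict = "allowed"
        elif addr in LOOPBACK:
            verdict = "loopback-only"      # not network-reachable, still worth review
        else:
            verdict = "unexpected"         # candidate for disabling or firewalling
        report.append({"proto": proto, "addr": addr, "port": port,
                       "pid": pid, "verdict": verdict})
    return report


def unexpected_ports(netstat_text, allowed_ports=ALLOWED_PORTS):
    """Return the sorted network-reachable ports outside the allow list."""
    return sorted({r["port"] for r in audit_listeners(netstat_text, allowed_ports)
                   if r["verdict"] == "unexpected"})


if __name__ == "__main__":
    for row in audit_listeners(SAMPLE_NETSTAT):
        print(f"{row['verdict']:14s} {row['proto']} {row['addr']}:{row['port']} pid={row['pid']}")
```

For the sample table the unexpected listeners are FTP (21), Telnet (23), NetBIOS name service (137/UDP), and RDP (3389), which is exactly the set the Protocols and Services slides say to disable or block; SQL Server on 1433 is bound to loopback only and is reported separately so it is reviewed rather than alarmed on. Running this on a schedule and diffing the report against the previous run turns the one-time hardening checklist into ongoing detection of services that get re-enabled.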
How to Defend Against Web Server Attacks (Contd)

IISLockdown
IISLockdown restricts anonymous access to system utilities, as well as the ability to write to web content directories. To do this, IISLockdown creates two new local groups called Web Anonymous Users and Web Applications, and then it adds deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories. Next, IISLockdown adds the default anonymous Internet user account (IUSR_MACHINE) to Web Anonymous Users and the IWAM_MACHINE account to Web Applications. It disables Web Distributed Authoring and Versioning (WebDAV) and installs the URLScan ISAPI filter.
Use the IISLockdown tool, which reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server.
IISLockdown installs the URLScan ISAPI filter, allowing website administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules the administrator controls, preventing potentially harmful requests from reaching the server and causing damage.

Services
Disable the services running with least-privileged accounts.
Disable FTP, SMTP, and NNTP services if not required.
Disable the Telnet service.
Switch off all unnecessary services and disable them, so that the next time the server is rebooted, they are not started automatically. This also gives an extra boost to your server performance, by freeing some hardware resources.
How to Defend Against Web Server Attacks (Contd)

Registry
Apply restricted ACLs and block remote registry administration. Secure the SAM (stand-alone servers only).

Shares
Remove all unnecessary file shares, including the default administration shares if they are not required. Secure the shares with restricted NTFS permissions.

IIS Metabase
Ensure that security-related settings are configured appropriately and access to the metabase file is restricted with hardened NTFS permissions. Restrict banner information returned by IIS.

Auditing and Logging
Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files.

Script Mappings
Remove all unnecessary IIS script mappings for optional file extensions to avoid exploiting any bugs in the ISAPI extensions that handle these types of files.

Sites and Virtual Directories
Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access.

ISAPI Filters
Remove unnecessary ISAPI filters from the web server.
How to Defend Against Web Server Attacks (Contd)
The following is a list of actions that can be taken to defend web servers from various kinds of attacks:
Create URL mappings to internal servers cautiously.
If a database server such as Microsoft SQL Server is to be used as a backend database, install it on a separate server.
Do use a dedicated machine as a web server.
Don't install the IIS server on a domain controller.
Use server-side session ID tracking and match connections with time stamps, IP address, etc.
Use security tools provided with the web server software and scanners that automate and make the process of securing a web server easy.
Screen and filter the incoming traffic requests.
Do physically protect the web server machine in a secure machine room.
Do configure a separate anonymous user account for each application, if you host multiple web applications.
Do not connect an IIS server to the Internet until it is fully hardened.
Do not allow anyone to locally log on to the machine except for the administrator.
Limit the server functionality in order to support the web technologies that are going to be used.
How to Defend against HTTP Response Splitting and Web Cache Poisoning
The following are the measures that should be taken in order to defend against HTTP response splitting and web cache poisoning:

Server Admin
Use the latest web server software.
Regularly update/patch the OS and web server.
Run a web vulnerability scanner.

Application Developers
Restrict web application access to unique IPs.
Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters.
Comply with RFC 2616 specifications for HTTP/1.1.

Proxy Servers
Avoid sharing incoming TCP connections among different clients.
Use different TCP connections with the proxy for different virtual hosts.
Implement "maintain request host header" correctly.
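The developer-side rule of disallowing carriage return and line feed characters is the one that actually closes response splitting, since a header value that cannot contain a line break cannot start a second header or a second response. The following is an added example, not code from the courseware, that puts the unvalidated redirect pattern beside its hardened form and shows with a constructed input why the check matters. It goes slightly beyond the text in two ways, both assumptions of the example rather than statements of the page: it rejects every control character that RFC 7230 forbids in a header value rather than CR and LF alone, and it checks the percent-decoded form as well as the raw one so that %0d%0a cannot slip past a check done before URL decoding.

```python
"""Reject CR/LF in HTTP header values to prevent response splitting.

Added example for the application-developer measures above; it is not code from
the courseware. It goes beyond the text by rejecting every control character
RFC 7230 forbids in a header value, not only CR and LF, and by checking the
percent-decoded form as well as the raw one (both are assumptions of this example).
"""
import re
from urllib.parse import unquote

# Any control character except HTAB (0x09) is illegal in a header value.
CTL_RE = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def is_safe_header_value(value):
    """True when neither the raw nor the percent-decoded value carries a control char."""
    return CTL_RE.search(value) is None and CTL_RE.search(unquote(value)) is None


def build_redirect_unsafe(target):
    """Vulnerable pattern: user-controlled input copied verbatim into a header line."""
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def build_redirect_safe(target):
    """Hardened pattern: validate first, and refuse rather than try to clean the value."""
    if not is_safe_header_value(target):
        raise ValueError("header value contains CR/LF or other control characters")
    return f"HTTP/1.1 302 Found\r\nLocation: {target}\r\n\r\n"


def header_names(raw_response):
    """List the header names a client would parse from a raw response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:] if ":" in line]


if __name__ == "__main__":
    benign = "/account/home"
    injected = "/account/home\r\nX-Injected: 1"   # constructed input containing CRLF
    print(header_names(build_redirect_unsafe(injected)))   # ['Location', 'X-Injected']
    print(header_names(build_redirect_safe(benign)))       # ['Location']
    try:
        build_redirect_safe(injected)
    except ValueError as exc:
        print("rejected:", exc)
```

With the constructed input the unsafe builder emits a second header the developer never wrote, which is the foothold response splitting and cache poisoning build on; the safe builder raises before any bytes reach the wire. Refusing the request is the right failure mode: stripping the characters and continuing can be bypassed by encodings the strip does not anticipate, whereas rejection leaves nothing to bypass.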
Module Flow
Developers always try to find the bugs in the web server and try to fix them. The bug fixes are released in the form of patches. These patches provide protection against known vulnerabilities. Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities.

Webserver Attacks
Counter-measures
Patch Management

This section describes patch management concepts used to fix vulnerabilities and bugs in web servers in order to protect them from attacks.
Patches and Hotfixes
A patch is a program used to make changes in the software installed on a computer. Patches are used to fix bugs, to address security problems, to add functionality, etc. A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs and improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job for a programming problem.
A hotfix is a package that includes various files used specifically to address various problems of software. Hotfixes are used to fix bugs in a product. Users are updated about the latest hotfixes by vendors through email, or the hotfixes can be downloaded from the official website. Hotfixes are an update to fix a specific customer issue and are not always distributed outside the customer organization. Users may be notified through emails or through the vendor's website. Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack.
Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities. It is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. It involves the following:
Choosing, verifying, testing, and applying patches
Updating previously applied patches with current patches
Listing patches applied previously to the current software
Recording repositories, or depots, of patches for easy selection
Assigning and deploying the applied patches

An automated patch management process:
1. Detect: It is very important to always detect missing security patches through proper detection tools. If there is any delay in the detection process, the chances of malicious attacks are very high.
2. Assess: Once the detection process is finished, assess the various issues and the associated factors related to them (the issue's severity and the factors that may influence the decision), and implement those strategies where issues can be drastically reduced or eliminated.
3. Acquire: The suitable patch required to fix the issues has to be downloaded.
4. Test: It is always suggested to first install the required patch on a testing system rather than the main system, as this provides a chance to verify the various consequences of updating.
5. Deploy: Patches are to be deployed to the systems with the utmost care, so that no application of the system is affected.
6. Maintain: It is always useful to subscribe to notifications about various possible vulnerabilities as they are reported.
Id e n t if y in g A p p r o p r ia te S o u r c e s fo r U p d a te s a n d P a tc h e s
CEH
F irs t m a k e a p a t c h m a n a g e m e n t p la n t h a t f it s t h e o p e r a t i o n a l e n v ir o n m e n t a n d b u s in e s s o b j e c t i v e s
T h e r e c o m m e n d e d w a y o f tr a c k in g is s u e s r e le v a n t t o p r o a c t iv e p a t c h in g is t o r e g is te r t o t h e h o m e s ite s to r e c e iv e a le r t s
Id e n t if y in g A p p r o p r ia te S o u r c e s fo r U p d a te s a n d -i'l
'-s
P a tc h e s
It is very important to identify the appropriate source for updates and patches. You should take care of the following things related to patch management. Patch management that suits the operational environment and business objectives should be properly planned. Find appropriate updates and patches on the home sites of the applications or operating systems' vendors. The recommended way of tracking issues relevant to proactive patching is to register to the home sites to receive alerts.
Installation of a Patch
You should search for a suitable patch and install it from the Internet. Patches can be installed in two ways:
Manual Installation - The user downloads the suitable patch from the vendor and applies the fix.
Automatic Installation - Applications that have an auto-update feature fetch and apply the patch automatically.
Implementation and Verification or Upgrade of a Security Patch
You should be aware of a few things before implementing a patch. Keep the following in mind:
Before installing any patch, verify its source.
Use a proper patch management program to validate file versions and checksums before deploying security patches.
The patch management team should check for updates and patches regularly.
A patch management tool must be able to monitor the patched systems.
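The checksum and version validation described above (and the Detect/Assess/Acquire/Test/Deploy sequence earlier), as an added example that is not EC-Council's code or any vendor's tool. It assumes a constructed manifest format of "<sha256> <filename> <version>" lines, and the version check accepts only dotted numeric versions.

```python
"""Added example (not from the module): verify a downloaded patch against the
vendor's published checksum and version before deploying it.

Assumption (constructed for this example): the vendor publishes a plain-text
manifest with one "<sha256>  <filename>  <version>" line per patch file. This
is not any real vendor's format.
"""
import hashlib
import hmac
import os
import re
import tempfile

MANIFEST_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+(\S+)\s+(\d+(?:\.\d+)*)$")


def sha256_of_file(path):
    """Hash the file in chunks so large patch archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Map filename -> (sha256, version). Lines that do not match the expected
    shape are ignored rather than trusted."""
    entries = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = (m.group(1).lower(), m.group(3))
    return entries


def version_tuple(version):
    """'2.4.10' -> (2, 4, 10), so that 2.4.10 compares greater than 2.4.9."""
    return tuple(int(part) for part in version.split("."))


def check_patch(path, manifest, installed_version):
    """Decide whether a patch file may be deployed.

    Returns a dict whose 'status' is one of:
      'verified' - checksum matches and the patch is newer than what is installed
      'rejected' - file is unlisted or its checksum does not match the manifest
      'skipped'  - checksum matches but the installed version is already current
    """
    name = os.path.basename(path)
    if name not in manifest:
        return {"status": "rejected", "reason": "file not listed in manifest"}
    expected, patch_version = manifest[name]
    actual = sha256_of_file(path)
    # Constant-time comparison; cheap here and a good habit for any digest check.
    if not hmac.compare_digest(actual, expected):
        return {"status": "rejected", "reason": "checksum mismatch",
                "expected": expected, "actual": actual}
    if version_tuple(patch_version) <= version_tuple(installed_version):
        return {"status": "skipped", "reason": "installed version is current",
                "version": patch_version}
    return {"status": "verified", "version": patch_version, "sha256": actual}


def run_demo():
    """Constructed walk-through: a good patch, a tampered copy of it, and a
    system that already runs the patched version."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        patch = os.path.join(workdir, "patch-2.4.1.bin")
        payload = b"constructed patch payload, not a real update\n" * 64
        with open(patch, "wb") as f:
            f.write(payload)
        manifest = parse_manifest(
            f"{sha256_of_file(patch)}  patch-2.4.1.bin  2.4.1\n"
            "this line is malformed and must be ignored\n"
        )
        results["good"] = check_patch(patch, manifest, "2.4.0")["status"]

        with open(patch, "ab") as f:
            f.write(b"\x00")  # one extra byte: the checksum no longer matches
        results["tampered"] = check_patch(patch, manifest, "2.4.0")["status"]

        with open(patch, "wb") as f:
            f.write(payload)  # restore the genuine file
        results["already_current"] = check_patch(patch, manifest, "2.4.1")["status"]
    return results


if __name__ == "__main__":
    print(run_demo())
```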
Patch Management Tool: Microsoft Baseline Security Analyzer (MBSA)
Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server. It also scans a computer for insecure configuration settings.
Source: http://www.microsoft.com
The Microsoft Baseline Security Analyzer (MBSA) allows you to identify missing security updates and common security misconfigurations. It is a tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.
MBSA scan report screenshot (panels: Developer Tools, Runtimes, and Redistributables Security Updates; Office Security Updates; SQL Server Security Updates; each reporting "No security updates are missing")
Patch Management Tools
In addition to MBSA, there are many other tools that can be used for identifying missing patches, security updates, and common security misconfigurations. A list of patch management tools follows:
Altiris Client Management Suite available at http://www.symantec.com
GFI LANguard available at http://www.gfi.com
Kaseya Security Patch Management available at http://www.kaseya.com
ZENworks Patch Management available at http://www.novell.com
Security Manager Plus available at http://www.manageengine.com
Prism Patch Manager available at http://www.newboundary.com
MaaS360 Patch Analyzer Tool available at http://www.maas360.com
Secunia CSI available at http://secunia.com
Lumension Patch and Remediation available at http://www.lumension.com
VMware vCenter Protect available at http://www.vmware.com
Module Flow
Web servers should always be secured in the networked computing environment to avoid the threat of being attacked. Web server security can be monitored and managed with the help of web server security tools. This section lists and describes various web server security tools.
Web Application Security Scanner: Syhunt Dynamic
Syhunt Dynamic helps to automate web application security testing and guard an organization's web infrastructure against various web application security threats. Features:
Black-Box Testing - Assess web application security through remote scanning. Supports any web server platform.
White-Box Testing - By automating the process of reviewing the web application's code, Sandcat's code scanning functionality can make the life of QA testers easier, helping them quickly find and eliminate security vulnerabilities from web applications. Supports ASP, ASP.NET, and PHP.
Concurrency/Scan Queue Support - Multiple security scans can be queued and the number of threads can be adjusted.
Deep Crawling - Runs security tests against web pages discovered by crawling a single URL or a set of URLs provided by the user.
Advanced Injection - Maps the entire website structure (all links, forms, XHR requests, and other entry points) and tries to find custom, unique vulnerabilities by simulating a wide range of attacks, sending thousands of requests (mostly GET and POST). Tests for SQL Injection, XSS, File Inclusion, and many other web application vulnerability classes.
Reporting - Generates a report containing information about the vulnerabilities. After examining the application's response to the attacks, if the target URL is found vulnerable, it gets added to the report. Sandcat's reports also contain charts, statistics, and compliance information. Syhunt offers a set of report templates tailored for different audiences.
Local or Remote Storage - Scan results are saved locally (on disk) or remotely (on the Sandcat web server). Results can be converted at any time to HTML or multiple other available formats.
In addition to its GUI (Graphical User Interface) functionality, Syhunt offers an easy-to-use command-line interface.
FIGURE 12.31: Syhunt Dynamic Screenshot
Web Application Security Scanner: N-Stalker Web Application Security Scanner
Source: http://www.nstalker.com
N-Stalker Web Application Security Scanner is a web security assessment solution for your web applications. It is a security assessment tool that incorporates the N-Stealth HTTP security scanner. It searches for vulnerabilities such as SQL injection, XSS, and known attacks. It helps in managing web server and web application security. This security tool is used by developers, system/security administrators, IT auditors, and staff.
Web Server Security Scanner: Wikto
Source: http://www.sensepost.com
Wikto is a Windows tool with a couple of extra features, including fuzzy logic error code checking, a backend miner, Google-assisted directory mining, and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET Framework. Wikto may not test for SQL injection, but it is still an essential tool for penetration testers who are looking for vulnerabilities in their Internet-facing web servers.
Web Server Security Scanner: Acunetix Web Vulnerability Scanner
Source: http://www.acunetix.com
Acunetix Web Vulnerability Scanner checks web applications for SQL injection, cross-site scripting, etc. It includes advanced penetration testing tools to ease manual security audit processes, and also creates professional security audit and regulatory compliance reports.
W e b S e r v e r M a lw a r e In fe c t io n M o n i t o r i n g T o o l: H a c k A l e r t
CEH
HackAlert is a cloud-based service th a t identifies hidden zero-day m alware and drive-by downloads in websites and online advertisem ents 8 Protects clients and customers from malware injected websites, drive by downloads, and malicious advertising Identifies malware before the website is flagged as malicious Displays injected code snippets to facilitate remediation
HackAlert
CK
* > 9 0
[ n te f Dj* n l 5tKl Ml
aomun AdMsfiews
mas **rumm
PKXtWIK
7 t
N M I}
\
. .
t* Deploys as cloud-based SaaS or as a flexible API for enterprise integration 9 Integrates w ith WAF or web server modules for instant mitigation
/ X .
http://www.arm orize.com
W e b
S e r v e r M a l w a r e In f e c t io n M o n it o r in g T o o l:
H a c k A le r t Source http://www.armorize.com HackAlert is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements. Optimizing multiple analysis techniques, this service identifies injected malware and generates alarms before search engines blacklist the website. This enables immediate remediation to protect customers, business reputation, and revenues. It is accessed via either a web-based SaaS interface or a flexible API that facilitates integration with enterprise security tools.
FIGURE 12.35: HackAlert Screenshot
Web Server Malware Infection Monitoring Tool: QualysGuard Malware Detection
Source: http://www.qualys.com
QualysGuard Malware Detection Service scans websites thoroughly for malware infections and for a variety of threats. It provides automated alerts and reports that enable you to identify and resolve the threat. It can also be used to protect the customers of an organization from malware infections and safeguard their brand reputations, preventing website blacklisting. It regularly schedules scanning to monitor websites on an ongoing basis, with email alerts to quickly notify organizations when infections are discovered. Malware infection details are provided so that organizations can take quick action to isolate and remove malware.
FIGURE 12.36: QualysGuard Malware Detection Screenshot
Webserver Security Tools
Web server security tools scan large, complex websites and web applications to tackle web-based vulnerabilities. These tools identify application vulnerabilities as well as site exposure risk, rank threat priority, produce highly graphical, intuitive HTML reports, and indicate site security posture by vulnerabilities and threat level. Some web server security tools include:
Retina CS available at http://www.beyondtrust.com
Nscan available at http://nscan.hypermart.net
NetIQ Secure Configuration Manager available at http://www.netiq.com
SAINTscanner available at http://www.saintcorporation.com
HP WebInspect available at https://download.hpsmartupdate.com
Arirang available at http://monkey.org
N-Stealth Security Scanner available at http://www.nstalker.com
Infiltrator available at http://www.infiltration-systems.com
WebCruiser available at http://sec4app.com
dotDefender available at http://www.applicure.com
Module Flow
The whole idea behind ethical hacking is to hack your own network or system in an attempt to find the vulnerabilities and fix them before a real attacker exploits them. As a penetration tester, you should conduct a penetration test on web servers in order to determine the vulnerabilities on the web server. You should apply all the hacking techniques for hacking web servers. This section describes web server pen testing tools and the steps involved in web server pen testing.
Web Server Pen Testing Tool: CORE Impact Pro
Source: http://www.coresecurity.com
CORE Impact Pro helps you in penetrating web servers to find vulnerabilities/weaknesses in the web server. By safely exploiting vulnerabilities in your network infrastructure, this tool identifies real, tangible risks to information assets while testing the effectiveness of your existing security investments. This tool is able to perform the following:
Identify weaknesses in web applications, web servers, and associated databases
Dynamically generate exploits that can compromise security weaknesses
Demonstrate the potential consequences of a breach
Gather information necessary for addressing security issues and preventing data incidents
FIGURE 12.37: CORE Impact Pro Screenshot
Web Server Pen Testing Tool: Immunity CANVAS
Source: http://www.immunitysec.com
CANVAS is an automated exploitation system, and a comprehensive, reliable exploit development framework for security professionals and penetration testers. It allows a pen tester to discover all possible security vulnerabilities on the web server.
Web Server Pen Testing
Web server pen testing will help you to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a web server. To perform penetration testing, you need to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.
Why Web Server Pen Testing?
Web server pen testing is useful for:
Identification of Web Infrastructure: To identify the make, version, and update levels of web servers; this helps in selecting exploits to test for associated published vulnerabilities.
Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
Remediation of Vulnerabilities: To retest the solution against the vulnerability to ensure that it is completely secure.
Web server penetration testing starts with collecting as much information as possible about an organization, ranging from its physical location to its operating environment.
Use social engineering techniques to collect information such as human resources, contact details, etc. that may help in web server authentication testing.
Use Whois database query tools to get details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.
Document all information about the target: you should document all the information obtained from the various sources.
Note: Refer to Module 02: Footprinting and Reconnaissance for more information-gathering techniques.
Fingerprint the web server to gather information such as server name, server type, operating system, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft.
Perform a directory traversal attack to access restricted directories and execute commands outside of the web server's root directory.
Perform vulnerability scanning to identify weaknesses in a network using tools such as HP WebInspect, Nessus, etc., and determine if the system can be exploited.
Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request, which will be stored in the cache.
Brute-force SSH, FTP, and other services' login credentials to gain unauthorized access.
Perform session hijacking to capture valid session cookies and IDs. Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
Perform a MITM attack to access sensitive information by intercepting and altering communications between an end user and web servers.
Perform web application pen testing. Note: Refer to Module 13: Hacking Web Applications for more information on how to conduct web application pen testing.
Examine web server logs: Use tools such as Webalizer, AWStats, Ktmatu Relax, etc. to examine web server logs.
Exploit frameworks: Use tools such as Acunetix, Metasploit, w3af, etc. to exploit frameworks.
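The log examination step above, from the defender's side: an added example (not EC-Council's code and not any of the tools named) that reviews access log lines for the request patterns the earlier steps exercise, directory traversal and HTTP response splitting, and for one source sending bursts of failed requests. It assumes the Apache/nginx "combined" log format; every log line in it is constructed.

```python
"""Added example (not from the module): review web server access logs for the
request patterns exercised in the pen-testing steps above (directory traversal,
HTTP response splitting) and for one source sending bursts of failed requests.

Assumptions: the server writes the Apache/nginx "combined" log format; every
log line below is constructed for this example. The signatures are
deliberately simple and will flag some legitimate requests, so treat hits as
leads for review, not verdicts.
"""
import re
from collections import Counter
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Checked against the fully decoded request path, in this order.
SIGNATURES = {
    "directory_traversal": re.compile(r"\.\.[/\\]"),
    "response_splitting": re.compile(r"[\r\n]"),
    "null_byte": re.compile(r"\x00"),
}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2012:10:28:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Sep/2012:10:28:02 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 404 210',
    '203.0.113.7 - - [10/Sep/2012:10:28:03 +0000] "GET /download?file=%252e%252e%252fboot.ini HTTP/1.1" 403 180',
    '198.51.100.9 - - [10/Sep/2012:10:29:00 +0000] "GET /redirect?to=%2Fhome%0d%0aSet-Cookie%3A+x%3D1 HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Sep/2012:10:29:05 +0000] "GET /about.html HTTP/1.1" 200 512',
    'this line is not in combined format and is skipped',
]


def decode_path(path):
    """Decode twice: a double-encoded request (%252e) survives one decoding
    pass, which is exactly how it slips past a filter that decodes once."""
    return unquote(unquote(path))


def classify_request(path):
    """Names of every signature that matches the decoded request path."""
    decoded = decode_path(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def parse_line(line):
    """Fields of one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """Return (ip, raw path, status, tags) for every line that matches a signature."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify_request(rec["path"])
        if tags:
            findings.append((rec["ip"], rec["path"], int(rec["status"]), tags))
    return findings


def error_burst_sources(lines, threshold=2):
    """IPs with at least `threshold` 4xx responses: a crude scanner/brute-force
    signal worth correlating with the signature hits."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"].startswith("4"):
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, path, status, tags in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {','.join(tags)} {path}")
    print("error bursts:", error_burst_sources(SAMPLE_LOG))
```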
Module Summary
Web servers assume critical importance in the realm of Internet security. Vulnerabilities exist in different releases of popular web servers, and the respective vendors patch these often. The inherent security risks of compromised web servers affect the local area networks that host these websites and even the ordinary users of web browsers. The long list of vulnerabilities that have been discovered and patched over the past few years gives an attacker ample scope to plan attacks on unpatched servers. Different tools and exploit codes aid an attacker in hacking web servers. Countermeasures include scanning for existing vulnerabilities and patching them immediately, restricting anonymous access, and screening and filtering incoming traffic requests.