Ethical Hacking and Countermeasures v8
Module 12: Hacking Webservers
Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.
Module 12 Page 1601
Ethical Hacking and Countermeasures Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.
Security News

GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012
Source: http://techcrunch.com

Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack. According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it. Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service. Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action. A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.
AnonymousOwn3r's bio reads "Security leader of #Anonymous ("Official member")." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted. Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack."
Copyright © 2012 AOL Inc. By Klint Finley. http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/
Module Objectives
Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module highlights the various security concerns in the context of web servers. After finishing this module, you will be able to understand what a web server is and how it is structured, how an attacker hacks it, the different types of attacks an attacker can carry out on web servers, the tools used in web server hacking, etc. Web server security is a vast domain, and delving into its finer details is beyond the scope of this module. This module familiarizes you with:
- IIS Web Server Architecture
- Countermeasures
- Why Web Servers Are Compromised?
- How to Defend Against Web Server Attacks
- Impact of Webserver Attacks
- Webserver Attacks
- Webserver Attack Methodology
- Webserver Attack Tools
- Metasploit Architecture
- Web Password Cracking Tools
- Patch Management
- Patch Management Tools
- Webserver Security Tools
- Webserver Pen Testing Tools
- Webserver Pen Testing
Module Flow

To understand hacking web servers, you should first know what a web server is, how it functions, and what other elements are associated with it. All of these are simply termed web server concepts, so we will discuss web server concepts first.

- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Security Tools
- Webserver Pen Testing
- Patch Management
- Counter-measures

This section gives you a brief overview of the web server and its architecture. It also explains the common reasons or mistakes that allow attackers to hack a web server successfully. This section also describes the impact of attacks on the web server.
Web Server Market Shares
Source: http://w3techs.com

The following statistics show the percentages of websites using various web servers. From the statistics, it is clear that Apache is the most commonly used web server, at 64.6%. Below that, the Microsoft IIS server is used by 17.4% of users.
FIGURE 12.1: Web Server Market Shares (bar chart of the percentage of websites per server, 0 to 80%: Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%, LiteSpeed 1.7%, Google Server 1.2%, followed by Tomcat and Lighttpd)
Open Source Webserver Architecture

The diagram below illustrates the basic components of open source web server architecture.
FIGURE 12.2: Open Source Web Server Architecture (site users, the site admin and attacks all reach the server over the Internet; inside the server: Linux, File System, Apache, Email, PHP, Applications, Compiled Extension, MySQL)

Where:
- Linux - the server's operating system
- Apache - the web server component
- MySQL - a relational database
- PHP - the application layer
IIS Web Server Architecture

Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.

IIS, also known as Internet Information Services, is a web server application developed by Microsoft that can be used with Microsoft Windows. It is the second most widely used web server after the Apache HTTP server, occupying around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. The diagram that follows illustrates the basic components of IIS web server architecture:
FIGURE 12.3: IIS Web Server Architecture (a client's request arrives from the Internet at the HTTP Protocol Stack (HTTP.SYS) in kernel mode; in user mode, Svchost.exe hosts the WWW Service and the Windows Activation Service (WAS), which read applicationHost.config and also serve external apps; the Application Pool contains the Web Server Core, whose pipeline is begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing; Native Modules such as anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging; and an AppDomain hosting Managed Modules such as Forms Authentication)
Website Defacement

Website defacement is the process by which hackers change the content of a website or web page. Hackers break into the web server and alter the hosted website by creating something new. Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.
FIGURE 12.4: Website Defacement (a browser window at http://juggyboy.com/index.aspx showing the replaced page text "You are OWNED!!!!!!!" and "HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com")
Why Web Servers Are Compromised

There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites using browsers.

- Webmaster's Concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. These may take the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs present in large, complex programs are often considered the source of imminent security lapses, and web servers are themselves large, complex programs that come with these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.

- Network Administrator's Concern: From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make the web server almost impossible to use. In an intranet environment, the network administrator has to be careful to configure the web server so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.
- End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website running in the browser can be a conduit for malicious software to bypass the firewall and permeate the local area network.
The table that follows shows the causes and consequences of web server compromises:

Cause | Consequence
Installing the server with default settings | Unnecessary default, backup, or sample files
Improper file and directory permissions | Security conflicts with business ease-of-use case
Default accounts with their default passwords | Misconfigurations in web server, operating systems, and networks
Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance
Misconfigured SSL certificates and encryption settings | Bugs in server software, OS, and web applications
Use of self-signed certificates and default certificates | Improper authentication with external systems
Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible

TABLE 12.1: Causes and consequences of web server compromises
Impact of Webserver Attacks

Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:
- Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, the attacker can gain a lot of useful information and can use the compromised account to launch further attacks on the web server.

- Data tampering: The attacker can alter or delete the data. He or she can even replace the data with malware so that whoever connects to the web server also becomes compromised.

- Website defacement: Hackers completely change the look of the website by replacing the original data. They change the website's appearance by changing the visuals and displaying different pages with messages of their own.

- Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.

- Data theft: Data is one of the main assets of a company. Attackers can gain access to sensitive company data such as the source code of a particular program.
- Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, a semi-dedicated server, or a virtual private server. Attackers can perform any action once they get root access to the source.
Module Flow

Now that you are familiar with web server concepts, we move forward to the possible attacks on web servers. Each and every online action is performed with the help of a web server, so it is considered a critical resource of an organization. This is the same reason attackers target web servers. There are many attack techniques used by attackers to compromise web servers, and we will now discuss those attack techniques.
attack, HTTP response splitting attack, web cache poisoning attack, HTTP response hijacking, web application attacks, etc.
Web Server Misconfiguration

Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds these vulnerabilities, such as remote access to the application, they become the doorways through which the attacker enters the company's network. These loopholes in the server can help attackers bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and result in the total compromise of a website. Common misconfigurations include:

- Remote administration functions, which can give an attacker a way to break into the server
- Unnecessary services enabled, which are also vulnerable to hacking
- Misconfigured/default SSL certificates
- Verbose debug/error messages
- Anonymous or default users/passwords
- Sample configuration and script files
Web Server Misconfiguration Example

Consider the httpd.conf file on an Apache server:

    SetHandler server-status

FIGURE 12.5: httpd.conf file on an Apache server

This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.

Consider another example, the php.ini file:

    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off

FIGURE 12.6: php.ini file on an Apache server

This configuration gives verbose error messages.
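The two fragments above can be checked mechanically. The following is an added example, not course material: it parses constructed copies of the httpd.conf and php.ini fragments, flags the server-status handler when nothing restricts who may reach it and flags display_errors = On, and shows each beside a hardened version. The <Location> wrapper and the "Require local" directive are assumed Apache 2.4 syntax.

```python
"""Audit the Apache server-status and PHP error-display misconfigurations.
Added example (not EC-Council course code); all config text is constructed
inline to mirror Figures 12.5 and 12.6."""
import re

# Constructed: the weak httpd.conf fragment from the page, in the <Location>
# block it normally lives in, and a hardened version restricted to localhost.
WEAK_HTTPD_CONF = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

HARDENED_HTTPD_CONF = """
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
"""

# Constructed php.ini fragments: the verbose one from the page and a fixed one
# that still logs errors but no longer shows them to the client.
WEAK_PHP_INI = """
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

HARDENED_PHP_INI = """
display_errors = Off
log_errors = On
error_log = syslog
"""

_LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.S | re.I)


def audit_httpd_conf(text):
    """Return a finding for every <Location> that exposes mod_status without
    any Require/Allow/Deny directive limiting who can reach it."""
    findings = []
    for path, body in _LOCATION_RE.findall(text):
        if not re.search(r"^\s*SetHandler\s+server-status", body, re.M | re.I):
            continue
        if not re.search(r"^\s*(Require|Allow|Deny)\b", body, re.M | re.I):
            findings.append(f"{path.strip()}: server-status reachable by anyone")
    return findings


def parse_ini(text):
    """Minimal php.ini parser: 'key = value' lines, ';' comments ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings


def audit_php_ini(text):
    """Flag settings that leak internals to clients or hide errors from logs."""
    s = parse_ini(text)
    findings = []
    if s.get("display_errors") in ("on", "1", "stdout"):
        findings.append("display_errors is On: error text is sent to the client")
    if s.get("log_errors") not in ("on", "1"):
        findings.append("log_errors is Off: errors are not recorded")
    return findings


if __name__ == "__main__":
    for name, fn, text in [("weak httpd.conf", audit_httpd_conf, WEAK_HTTPD_CONF),
                           ("hardened httpd.conf", audit_httpd_conf, HARDENED_HTTPD_CONF),
                           ("weak php.ini", audit_php_ini, WEAK_PHP_INI),
                           ("hardened php.ini", audit_php_ini, HARDENED_PHP_INI)]:
        print(name, fn(text) or ["ok"])
```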
Directory Traversal Attacks

Web servers are designed so that public access is limited to some extent. Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside the web server's root directory by manipulating a URL. Attackers can use trial and error to navigate outside the root directory and access sensitive information on the system.

FIGURE 12.7: Directory Traversal Attacks (a browser requesting http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\ and receiving the output of dir c:\ : "Volume in drive C has no label. Volume Serial Number is D45E-9FEE. Directory of C:\", followed by entries including AUTOEXEC.BAT, CONFIG.SYS, Documents and Settings, Program Files, Snort, WINDOWS and WinDump.exe, 7 files and 13 directories; a second panel shows the site's own directory tree: company, downloads, news, images, scripts, support)
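As an added example (not part of the course), here is the server-side check that the request above defeats: the requested path is percent-decoded until it stops changing, backslashes are treated as separators, and the result is normalized against an assumed document root (/var/www/site) before it is accepted. The sample requests are constructed; the first is the page's traversal path and the second a double-encoded variant.

```python
"""Keep a requested path inside the web root, defeating encoded '..' and
backslash separators.  Added example, not course code."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/site"  # assumed document root for the example


def fully_decode(path, max_rounds=3):
    """Percent-decode until the string stops changing (or the round limit is
    hit), so double encoding such as %255c cannot hide a separator."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return decoded
        path = decoded
    return path


def resolve_under_root(web_root, request_path):
    """Return the absolute filesystem path for request_path, or None when the
    normalized path would lie outside web_root.  A real server should also
    resolve symlinks (os.path.realpath) before the final comparison."""
    decoded = fully_decode(request_path)
    # IIS-style requests use backslashes as separators; treat them as '/'.
    decoded = decoded.replace("\\", "/")
    # Drop any query string and NUL bytes before normalizing.
    decoded = decoded.split("?", 1)[0].replace("\x00", "")
    root = posixpath.normpath(web_root)
    # Join first, normalize second: '..' segments are resolved against the
    # root, so an escape shows up as a path that no longer starts with root.
    candidate = posixpath.normpath(root + "/" + decoded.lstrip("/"))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests: the page's traversal path, a double-encoded variant,
# and two legitimate resources.
SAMPLE_REQUESTS = [
    "/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:\\",
    "/scripts/..%255c..%255cWindows/System32/cmd.exe",
    "/scripts/index.asp",
    "/images/logo.png",
]


def classify(requests=SAMPLE_REQUESTS):
    """Map each request to the path it resolves to, or 'blocked'."""
    return {r: (resolve_under_root(WEB_ROOT, r) or "blocked") for r in requests}


if __name__ == "__main__":
    for req, result in classify().items():
        print(f"{req!r:60} -> {result}")
```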
HTTP Response Splitting Attack

An HTTP response splitting attack involves adding header response data into an input field so that the server splits the response into two responses. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by the web browser.

An HTTP response splitting attack is a web-based attack in which a server is tricked by injecting new lines into response headers along with arbitrary code. Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection are some of the examples of this type of attack. The attacker alters a single request so that it appears to be, and is processed by the web server as, two requests. The web server in turn responds to each request. This is accomplished by adding header response data into the input field. An attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by the web browser.
Vulnerable code:

    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

Input = Jason

    HTTP/1.1 200 OK
    Set-Cookie: author=Jason

Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n

    First Response (Controlled by Attacker):
    HTTP/1.1 200 OK
    Set-Cookie: author=JasonTheHacker

    Second Response:
    HTTP/1.1 200 OK

FIGURE 12.8: HTTP Response Splitting Attack
Web Cache Poisoning Attack

Web cache poisoning is an attack against the reliability of an intermediate web cache, in which the honest content cached for a given URL is swapped with infected content. Users of the web cache can unknowingly receive the poisoned content instead of the true and secure content when requesting that URL through the web cache. An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in the cache. In the following diagram, the whole process of web cache poisoning is explained in detail with a step-by-step procedure.
FIGURE 12.9: Web Cache Poisoning Attack
[Diagram, recovered labels:]
1. Attacker sends a request to remove the page from the cache (http://www.juggyboy.com/welcome.php?lang=): GET http://juggyboy.com/index.html HTTP/1.1, Pragma: no-cache, Host: juggyboy.com, Accept-Charset: iso-8859-1,*,utf-8
2. Normal response after clearing the cache for juggyboy.com (server cache holds the original juggyboy page)
3. Attacker sends a malicious request that generates two responses (4 and 6): GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0aAttack Page HTTP/1.1, Host: juggyboy.com
4. Attacker gets the first server response
5. Attacker requests juggyboy.com again to generate a cache entry: GET http://juggyboy.com/index.html HTTP/1.1, Host: testsite.com, User-Agent: Mozilla/4.7 [en] (WinNT; I), Accept-Charset: iso-8859-1,*,utf-8
6. Attacker gets the second response of request 3, which points to the attacker's page
Poisoned server cache: Address www.juggyboy.com -> Page: Attacker's page
HTTP Response Hijacking
HTTP response hijacking is accomplished with a response splitting request. In this attack, the attacker first sends a response splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. On receiving the response from the web server, the victim requests a service by supplying credentials. At the same time, the attacker requests the index page. The web server then sends the response to the victim's request to the attacker, and the victim remains unaware. The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack:
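The splitting that both the cache poisoning and the response hijacking steps depend on, as an added example (not code from the module): a redirect that copies the `site` parameter into a `Location` header unchecked, the same bytes parsed the way a simple cache or proxy parses them, and the check that refuses the value. The payload constant is the one from Figure 12.9; `build_redirect_vulnerable`, `build_redirect_safe`, `split_responses` and `simulate_cache` are names chosen here.

```python
from urllib.parse import unquote

# Payload from the module's figure (redir.php?site=...): URL-encoded CRLFs end
# the real response and start a second, attacker-authored 200 OK in one reply.
POISON_PARAM = (
    "%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0a"
    "Last-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0a"
    "Content-Length:%2020%0d%0a"
    "Content-Type:%20text/html%0d%0a%0d%0a"
    "Attack%20Page"
)


def build_redirect_vulnerable(site: str) -> bytes:
    """Equivalent of header("Location: " . $_GET['page']) with no validation:
    the decoded parameter lands verbatim in the response head."""
    location = unquote(site)
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def build_redirect_safe(site: str) -> bytes:
    """Hardened form: refuse CR, LF or any other control byte in a header
    value, which is what current header APIs do before emitting a header."""
    location = unquote(site)
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        raise ValueError("control character in header value")
    return f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n\r\n".encode("latin-1")


def split_responses(wire: bytes) -> list:
    """Cut a byte stream into HTTP responses the way a simple proxy/cache does:
    head up to the blank line, then Content-Length bytes of body, repeat.
    Returns [(status_line, {header: value}, body), ...]."""
    responses, pos = [], 0
    while pos < len(wire):
        end = wire.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        lines = wire[pos:end].decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length") or 0)
        responses.append((lines[0], headers, wire[body_start:body_start + length]))
        pos = body_start + length
    return responses


def simulate_cache(wire: bytes, next_url: str) -> dict:
    """Model steps 5-6 of the figure: a cache that pairs responses with
    requests by order files the stray second response under the next URL."""
    responses = split_responses(wire)
    cache = {}
    if len(responses) > 1:
        cache[next_url] = responses[1]
    return cache
```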
FIGURE 12.10: HTTP Response Hijacking
SSH Brute Force Attack
- SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network
- Attackers can brute force SSH login credentials to gain unauthorized access to an SSH tunnel
- SSH tunnels can be used to transmit malware and other exploits to victims without being detected
[Diagram labels: Attacker, Internet, User, SSH Server, Mail Server, Web Server, Application Server, File Server]
SSH Brute Force Attack
SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network. To attack SSH, the attacker first scans the SSH server to identify possible vulnerabilities. With a brute force attack, the attacker then obtains the login credentials. Once the attacker has the SSH login credentials, he or she uses the same SSH tunnel to transmit malware and other exploits to victims without being detected.
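A detection-side counterpart to the attack just described, added here and not part of the module: flag an SSH brute force attempt from sshd auth-log lines and note whether it ended in a successful login. The log lines are constructed samples in OpenSSH's syslog format; the threshold and window are illustrative, and `parse_line` and `detect_bruteforce` are names chosen here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/auth.log-style sample (not a real capture): five rapid
# failures from one source, then a success, then an unrelated user's typo.
SAMPLE_LOG = """\
Oct 11 09:34:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Oct 11 09:34:03 web01 sshd[2203]: Failed password for root from 203.0.113.5 port 50124 ssh2
Oct 11 09:34:04 web01 sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 50126 ssh2
Oct 11 09:34:06 web01 sshd[2207]: Failed password for invalid user guest from 203.0.113.5 port 50128 ssh2
Oct 11 09:34:07 web01 sshd[2209]: Failed password for root from 203.0.113.5 port 50130 ssh2
Oct 11 09:34:09 web01 sshd[2211]: Accepted password for root from 203.0.113.5 port 50132 ssh2
Oct 11 09:40:15 web01 sshd[2290]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Oct 11 09:40:30 web01 sshd[2292]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2012):
    """Parse one sshd line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> dict:
    """Return {ip: alert} for sources with >= threshold failed logins inside
    `window`; the alert records the usernames tried and, if a login from the
    same source succeeded after the burst, which account was compromised."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e["ts"] for e in evs if e["result"] == "Failed"]
        for i in range(len(failures)):          # sliding window over failures
            j = i
            while j < len(failures) and failures[j] - failures[i] <= window:
                j += 1
            if j - i >= threshold:
                later_success = [e for e in evs
                                 if e["result"] == "Accepted" and e["ts"] >= failures[i]]
                alerts[ip] = {
                    "failures": j - i,
                    "users": sorted({e["user"] for e in evs if e["result"] == "Failed"}),
                    "compromised": later_success[0]["user"] if later_success else None,
                }
                break
    return alerts
```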
FIGURE 12.11: SSH Brute Force Attack
Man-in-the-Middle Attack
- Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers
- The attacker acts as a proxy such that all the communication between the user and the web server passes through him
[Diagram labels: User, Normal Traffic, Webserver, Attacker]
Man in the Middle Attack
A man-in-the-middle attack is a method in which an intruder intercepts or modifies the messages exchanged between the user and the web server by eavesdropping on or intruding into the connection. This allows the attacker to steal a user's sensitive information, such as online banking details, user names, passwords, etc., as it is transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through the attacker by posing as a proxy. If the victim trusts and accepts the attacker's request, all communication between the user and the web server passes through the attacker, who can then steal sensitive user information.
FIGURE 12.12: Man-in-the-Middle Attack
[Diagram labels: User visits a website; Normal Traffic between User and Webserver; Attacker sniffs the communication to steal session IDs]
Webserver Password Cracking
- An attacker tries to exploit weaknesses to hack well-chosen passwords
- Many hacking attempts start with cracking passwords and prove to the web server that the attacker is a valid user
- The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.
- Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, etc.
- Targets: Web form authentication cracking, SSH tunnels, FTP servers, SMTP servers, Web shares
Web Server Password Cracking
Most hacking starts with password cracking. Once the password is cracked, the hacker can log in to the network as an authorized person. The most common passwords found are password, root, administrator, admin, demo, test, guest, QWERTY, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, brute force attacks, dictionary attacks, etc. to crack passwords. Attackers mainly target:
- Web form authentication cracking
- SSH tunnels
- FTP servers
- SMTP servers
- Web shares
Webserver Password Cracking Techniques
- Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.
- Passwords can be cracked by using the following techniques:
- Hybrid Attack: A hybrid attack works similarly to a dictionary attack, but it adds numbers or symbols to the password attempt
Web Server Password Cracking Techniques
Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack passwords:
- Guessing: A common cracking method used by attackers is to guess passwords, either by hand or with automated tools supplied with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same habit allows the attacker to crack passwords by guessing.
- Dictionary Attack: A dictionary attack uses a predefined list of words and word combinations. It may not be effective if the password contains special characters and symbols, but compared to a brute force attack it is far less time consuming.
- Brute Force Attack: In the brute force method, all possible characters are tested, for example uppercase "A to Z", numbers "0 to 9", or lowercase "a to z." This method is useful for identifying one-word or two-word passwords. If a password consists of uppercase and lowercase letters and special characters, it might take months or years to crack, which is practically impossible.
- Hybrid Attack: A hybrid attack is more powerful because it combines a dictionary attack with a brute force attack, adding symbols and numbers to the dictionary words. Password cracking becomes easier with this method.
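An added example (not from the module) that turns the four techniques above into a defender's password check: it reports which technique would recover a candidate password, and for the brute force case estimates the keyspace from the character classes the text names. The word lists and the guess rate are constructed stand-ins; `classify`, `brute_force_keyspace` and `acceptable` are names chosen here.

```python
import string

# Constructed stand-ins for the cracker's lists: the common passwords named in
# the text plus a few dictionary words. A real check uses full word lists.
COMMON_PASSWORDS = {"password", "root", "administrator", "admin",
                    "demo", "test", "guest", "qwerty"}
DICTIONARY = COMMON_PASSWORDS | {"summer", "dragon", "letmein", "welcome",
                                 "rover", "fluffy", "princess"}

SECONDS_PER_YEAR = 365 * 24 * 3600


def brute_force_keyspace(password: str) -> int:
    """Size of the search space a brute force attack must cover, built from
    the classes the text lists (a-z, A-Z, 0-9) plus printable symbols."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)   # 32 printable ASCII symbols
    return alphabet ** len(password)


def classify(password: str, guesses_per_second: float = 1e9) -> dict:
    """Report the cheapest technique from the text that recovers `password`.
    Order matters: guessing < dictionary < hybrid < brute force."""
    lower = password.lower()
    if lower in COMMON_PASSWORDS:
        return {"technique": "guessing", "keyspace": len(COMMON_PASSWORDS)}
    if lower in DICTIONARY:
        return {"technique": "dictionary", "keyspace": len(DICTIONARY)}
    # Hybrid: a dictionary word with digits/symbols added at either end.
    core = lower.strip(string.digits + string.punctuation)
    if core and core != lower and core in DICTIONARY:
        extras = len(password) - len(core)
        return {"technique": "hybrid",
                "keyspace": len(DICTIONARY) * (10 + len(string.punctuation)) ** extras}
    keyspace = brute_force_keyspace(password)
    years = keyspace / guesses_per_second / SECONDS_PER_YEAR
    return {"technique": "brute force", "keyspace": keyspace, "years": years}


def acceptable(password: str, min_years: float = 10.0) -> bool:
    """Policy: reject anything the first three techniques recover, and any
    brute force candidate expected to fall in under `min_years` at the
    assumed (illustrative) guess rate."""
    verdict = classify(password)
    return verdict["technique"] == "brute force" and verdict["years"] >= min_years
```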
Web Application Attacks
- Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise
[Diagram: wheel of the attack types described in the text that follows]
Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications
Web Application Attacks
Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.
Directory Traversal: Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.
Parameter/Form Tampering: This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.
Cookie Tampering: Cookie tampering is the method of poisoning or tampering with the client's cookie. Most such attacks are carried out while the cookie is being sent from the client side to the server. Persistent and non-persistent cookies can be modified by using different tools.
Command Injection Attacks: Command injection is an attack method in which a hacker alters the content of the web page by using HTML code and by identifying the form fields that lack valid constraints.
Buffer Overflow Attacks: Most web applications are designed to hold some amount of data. If that amount is exceeded, the application may crash or exhibit some other vulnerable behavior. The attacker takes advantage of this and floods the application with too much data, which causes a buffer overflow.
Cross-Site Scripting (XSS) Attacks: Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website.
Denial-of-Service (DoS) Attack: A denial-of-service attack is a form of attack intended to terminate the operations of a website or a server and make it unavailable to its intended users.
Unvalidated Input and File Injection Attacks: Unvalidated input and file injection attacks refer to attacks carried out by supplying unvalidated input or by injecting files into a web application.
Cross-Site Request Forgery (CSRF) Attack: The user's web browser is induced by a malicious web page to send requests to a malicious website, where various vulnerable actions that the user did not intend are performed. This kind of attack is dangerous in the case of financial websites.
SQL Injection Attacks: SQL injection is a code injection technique that exploits a security vulnerability of a database. The attacker injects malicious code into strings that are later passed to the SQL server for execution.
Session Hijacking: Session hijacking is an attack where the attacker exploits, steals, predicts, or negotiates the real, valid web session control mechanism to access the authenticated parts of a web application.
Module Flow
So far we have discussed web server concepts and the various techniques used by attackers to hack web servers. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.
- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Patch Management
- Webserver Security Tools
- Counter-measures
This section provides insight into the attack methodology and the tools that help at various stages of hacking.
Webserver Attack Methodology
- Information Gathering
- Webserver Footprinting
- Vulnerability Scanning
- Hacking Webserver Passwords
Web Server Attack Methodology
Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and to gain unauthorized access to the web server. The stages of the web server attack methodology include:
Information Gathering: Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she analyzes it in order to find the security lapses in the current mechanism of the web server.
Web Server Footprinting: The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.
Mirroring Website: Website mirroring is a method of copying a website and its content onto another server for offline browsing.
Vulnerability Scanning
Vulnerability scanning is a method of finding the various vulnerabilities and misconfigurations of a web server. It is done with the help of automated tools known as vulnerability scanners.
Session Hijacking: Session hijacking is possible once the current session of the client is identified. By hijacking the session, the attacker takes complete control of the user's session.
Hacking Web Server Passwords: Attackers use various password cracking methods such as brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.
Webserver Attack Methodology: Information Gathering
- Information gathering involves collecting information about the targeted company
- Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company
- Attackers use Whois, Traceroute, Active Whois, etc. tools and query the Whois databases to get details such as a domain name, an IP address, or an autonomous system number
[Screenshot: WHOIS information for ebay.com from http://www.whois.net; the record is reproduced in Figure 12.13]
Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance
Web Server Attack Methodology: Information Gathering
Before hacking, every attacker first collects all the required information, such as the versions and technologies used by the web server. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of an attacker's time is spent in the information gathering phase, which is why information gathering is as much an art as a science. Many tools can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:
- Whois
- Traceroute
- Active Whois
- Nmap
- Angry IP Scanner
- Netcat
Whois
Source: http://www.whois.net
Whois allows you to perform a domain whois search and a whois IP lookup, and to search the whois database for relevant information on domain registration and availability. This can provide insight into a domain's history and additional information. It can be used to see who owns a domain name, how many pages from a site are listed with Google, or to search the Whois address listings for a website's owner.
WHOis.net - Your Domain Starting Place...
WHOIS information for ebay.com:
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
Domain Name: EBAY.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: SJC-DNS1.EBAYDNS.COM
Name Server: SJC-DNS2.EBAYDNS.COM
Name Server: SMF-DNS1.EBAYDNS.COM
Name Server: SMF-DNS2.EBAYDNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Updated Date: 15-sep-2010
Creation Date: 04-aug-1995
Expiration Date: 03-aug-2018
FIGURE 12.13: WHOIS Information Gathering
Webserver Attack Methodology: Webserver Footprinting
- Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details
- Telnet to a web server to footprint it and gather information such as server name, server type, operating systems, applications running, etc.
- Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting
Web Server Attack Methodology: Webserver Footprinting
The purpose of footprinting is to gather account details, operating system and other software versions, server names, database schema details, and as much information as possible about the security aspects of a target web server or network. The main purpose is to learn about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet to a web server to footprint it and gather information such as server name, server type, operating systems, applications running, etc. Examples of tools used for footprinting include ID Serve, httprecon, Netcraft, etc.
Netcraft
Source: http://toolbar.netcraft.com
Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.
[Screenshot: Netcraft "Search Web by Domain" (3rd August 2012), search "site contains microsoft", Found 252 sites. Columns: Site, Site Report, First seen, Netblock, OS. Listed sites include www.microsoft.com, support.microsoft.com, technet.microsoft.com, msdn.microsoft.com, office.microsoft.com, social.technet.microsoft.com, answers.microsoft.com, www.update.microsoft.com, social.msdn.microsoft.com, go.microsoft.com, windowsupdate.microsoft.com, update.microsoft.com, www.microsofttranslator.com, search.microsoft.com, www.microsoftstore.com, login.microsoftonline.com and wer.microsoft.com; netblock owners shown include microsoft corp, ms hotmail, akamai technologies and digital river ireland ltd.; OS values shown include citrix netscaler, windows server 2008, windows server 2003, linux, f5 big-ip and unknown.]
FIGURE 12.14: Webserver Footprinting
Webserver Footprinting Tools
[Screenshot: httprecon 7.3 fingerprinting http://www.nytimes.com:80/, target identified as Sun ONE Web Server 6.1; source http://www.computec.ch. Reproduced in Figure 12.15.]
[Screenshot: ID Serve, Internet Server Identification Utility v1.02, Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp., querying www.google.com; the server identified itself as gws. Source http://www.grc.com. Reproduced in Figure 12.16.]
Web Server Footprinting Tools
We have already discussed the Netcraft tool. In addition to Netcraft, two more tools allow you to perform web server footprinting: Httprecon and ID Serve.
Httprecon
Source: http://www.computec.ch
Httprecon is a tool for advanced web server fingerprinting. The httprecon project does research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of a given httpd implementation. This software shall improve the ease and efficiency of this kind of enumeration.
httprecon 7.3 - http://www.nytimes.com:80/
Target (Sun ONE Web Server 6.1): http://www.nytimes.com, port 80
Tests: GET existing | GET long request | GET non-existing | GET wrong protocol | HEAD existing | OPTIONS common
Response:
HTTP/1.1 200 OK
Date: Thu, 11 Oct 2012 09:34:37 GMT
Server: Apache
expires: Thu, 01 Dec 1994 16:00:00 GMT
cache-control: no-cache
pragma: no-cache
Set-Cookie: ALT_ID=007f010021bb479dd5aa0055; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.nytimes.com;
Set-cookie: adxcs=-; path=/; domain=.nytimes.com
Vary: Host
Matchlist (352 Implementations) | Fingerprint Details | Report Preview
Name | Hits | Match %
Oracle Application Server 10g 10.1.2.2.0 | 58 | 81.6301408450704
Sun Java System Web Server 7.0 | 57 | 80.2816301408451
Abyss 2.5.0.0 X1 | 56 | 78.8732334366137
Apache 2.0.52 | 56 | 78.8732334366137
Apache 2.2.6 | 56 | 78.8732334366137
FIGURE 12.15: Httprecon Screenshot
ID Serve Source: http://www.grc.com ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.
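The "telnet to the web server and read the preamble of the reply" step described in the footprinting text and in the ID Serve paragraph, as an added example (not the module's, httprecon's or ID Serve's code): a raw HEAD request over a socket, and a parser that pulls out the headers a defender should audit for version disclosure. The sample heads are constructed from the header names shown in the httprecon and ID Serve screenshots; the `X-Powered-By` value in the leaky sample is invented for illustration, and `banner_grab` and `parse_banner` are names chosen here.

```python
import socket

# Headers that most often identify make, model and version of a web server.
IDENTIFYING_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-generator", "via", "set-cookie")


def banner_grab(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """What 'telnet host 80' plus a typed request does by hand: send a minimal
    HEAD request and return the raw response head (everything before the
    blank line). Needs network access; parse_banner() below needs none."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0]


def parse_banner(raw_head: bytes) -> dict:
    """Parse a response head into status line, headers and a fingerprint
    summary. Repeated headers (Set-Cookie) are kept as lists, and header
    order is recorded because tools like httprecon use it as a signal."""
    lines = raw_head.decode("latin-1").split("\r\n")
    headers, order = {}, []
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        headers.setdefault(key, []).append(value.strip())
        order.append(key)
    server = headers.get("server", [""])[0]
    return {
        "status": lines[0],
        "server": server,
        "header_order": order,
        "disclosed": {h: headers[h] for h in IDENTIFYING_HEADERS if h in headers},
        # A digit in the Server value or any X-Powered-By header means the
        # response hands out version information an attacker would otherwise
        # have to infer; both are settings to switch off (e.g. Apache's
        # ServerTokens Prod) rather than facts to leave exposed.
        "version_leak": any(ch.isdigit() for ch in server) or "x-powered-by" in headers,
    }


# Constructed head using the header names from the httprecon screenshot
# (cookie value shortened); Server is present but carries no version.
SAMPLE_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    b"Server: Apache\r\n"
    b"cache-control: no-cache\r\n"
    b"Set-Cookie: ALT_ID=example; Path=/; Domain=.nytimes.com\r\n"
    b"Set-Cookie: adxcs=-; path=/; domain=.nytimes.com\r\n"
    b"Vary: Host"
)

# Constructed head of a server that discloses versions (values invented).
SAMPLE_HEAD_LEAKY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.6 (Unix)\r\n"
    b"X-Powered-By: PHP/5.2.4\r\n"
    b"Content-Length: 0"
)
```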
ID Serve - Internet Server Identification Utility, v1.02
Personal Security Freeware by Steve Gibson. Copyright (c) 2003 by Gibson Research Corp.
Tabs: Background | Server Query | Q&A/Help
Enter or copy / paste an Internet server URL or IP address here (example: www.microsoft.com): www.google.com
[Query The Server] When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server.
Server query processing:
Server: gws
Content-Length: 221
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close
The server identified itself as: gws
FIGURE 12.16: ID Serve
Webserver Attack Methodology: Mirroring a Website
- Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
- Search for comments and other items in the HTML source code to make footprinting activities more efficient
- Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website
Web Server Attack Methodology: Mirroring a Website
Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror website is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Various tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, Webcopier, and Blackwidow.
HTTrack
Source: http://www.httrack.com
HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories and getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online.
FIGURE 12.17: Mirroring a Website. HTTrack with Test Project.whtt in progress: links scanned 2/14 (+13), files written 14, files updated 0, errors 0; bytes saved 320.26KB, time 2min22s, transfer rate 0B/s (1.19MB/s), active connections 1.
Webserver Attack Methodology: Vulnerability Scanning
- Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited
- Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present
- Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities
- Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities

Web Server Attack Methodology: Vulnerability Scanning
Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. It is done with the help of automated tools known as vulnerability scanners. Vulnerability scanning determines the vulnerabilities that exist in the web server and its configuration, and thus helps to determine whether the web server is exploitable or not. Sniffing techniques are applied to the network traffic to find out the active systems, network services, applications, and vulnerabilities present. Attackers also test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning, such as HP WebInspect, Nessus, Paros proxy, etc., to find hosts, services, and vulnerabilities.
Nessus
Source: http://www.nessus.org
Nessus is a security scanning tool that scans the system remotely and reports the vulnerabilities it detects before an attacker actually attacks and compromises them. Its five features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.
FIGURE 12.18: Nessus Screenshot
Webserver Attack Methodology: Session Hijacking
- Sniff valid session IDs to gain unauthorized access to the web server and snoop the data
- Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs
- Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking
[Burp Suite free edition v1.4.01 screenshot: Target tab site map listing http://economictimes.indiatimes.com and http://edition.cnn.com; the same view is reproduced in Figure 12.19]
http://portswigger.net
Note: For complete coverage of session hijacking concepts and techniques, refer to Module 11: Session Hijacking.
Web Server Attack Methodology: Session Hijacking
Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user establishes authentication with the server. With the help of sequence number prediction tools, attackers perform session hijacking. The attacker, after identifying the open session, predicts the sequence number of the next packet and then sends the data packets before the legitimate user sends the response with the correct sequence number. Thus, an attacker performs session hijacking. In addition to this technique, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.
Burp Suite
Source: http://portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The key components of Burp Suite include the proxy, scanner, intruder tool, repeater tool, sequencer tool, etc.
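Whether a captured session cookie is usable to the techniques named above depends largely on the attributes the server set on it. The following is an added example, not code from Burp Suite, Hamster or Firesheep: it parses Set-Cookie headers and reports the missing attributes, naming which hijacking technique each omission enables. The session-name heuristic and both sample cookies are assumptions.

```python
"""Added example, not code from Burp Suite, Hamster or Firesheep: audit Set-Cookie headers
for the attributes whose absence lets a session ID be captured by the techniques named
above (sniffing/sidejacking, cross-site scripting). Sample cookies are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, str] = field(default_factory=dict)  # lower-cased attribute -> value ("" for flags)


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix)."""
    header = re.sub(r"^\s*set-cookie:\s*", "", header, flags=re.I)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


# Heuristic for "this cookie carries a session or auth identifier" (an assumption).
SESSION_NAME_HINT = re.compile(r"sess|sid|auth|token|_id", re.I)


def audit_cookie(cookie: Cookie) -> List[str]:
    """Findings for one cookie, each stating which hijacking technique it enables."""
    findings: List[str] = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure: also sent over plain HTTP, so a sniffer or sidejacking tool can capture it")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly: readable from script, so cross-site scripting can steal it")
    if cookie.attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if "domain" in cookie.attrs:
        findings.append(f"Domain={cookie.attrs['domain']}: shared with every subdomain, widening where a capture can happen")
    if SESSION_NAME_HINT.search(cookie.name) and ("expires" in cookie.attrs or "max-age" in cookie.attrs):
        findings.append("persistent session cookie: a captured ID stays valid after the browser closes")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Map cookie name -> findings for every Set-Cookie header in a response."""
    return {c.name: audit_cookie(c) for c in map(parse_set_cookie, headers)}


# Constructed samples: WEAK follows the shape of the cookie captured in Figure 12.15
# (no Secure, no HttpOnly, one-year Expires, parent-domain scope); HARDENED is its fixed form.
WEAK = "Set-Cookie: ALT_ID=0123constructed; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.example.com"
HARDENED = "Set-Cookie: ALT_ID=0123constructed; Path=/; Secure; HttpOnly; SameSite=Lax"

if __name__ == "__main__":
    for finding in audit_cookie(parse_set_cookie(WEAK)):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_cookie(parse_set_cookie(HARDENED)))
```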
FIGURE 12.19: Burp Suite Screenshot. Burp Suite free edition v1.4.01, Target > Site map (filter: hiding not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders) listing http://economictimes.indiatimes.com and http://edition.cnn.com; the selected entry is a GET to http://edition.cnn.com/.element/ssi/ads.iframes/ (status 200, MIME type HTML, length 676), whose request pane shows a Firefox/15.0.1 User-Agent and Accept headers.
Webserver Attack Methodology: Hacking Web Passwords
- Use password cracking techniques such as brute force attack, dictionary attack, and password guessing to crack web server passwords
- Use tools such as Brutus, THC-Hydra, etc.
[Brutus AET2 screenshot (www.hoobie.net/brutus, January 2000); the same session is reproduced in Figure 12.20]
http://www.hoobie.net
Web Server Attack Methodology: Hacking Web Passwords
One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Various methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Password cracking can also be performed with the help of tools such as Brutus, THC-Hydra, etc.
Brutus
Source: http://www.hoobie.net
Brutus is an online or remote password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slide.
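Both the mirroring run described earlier (HTTrack) and the Basic-Auth guessing run described here (Brutus) leave a characteristic trace in the web server's access log, so one log-analysis example serves both sections. This is an added example, not code from either tool: it parses Apache combined-format lines and flags clients that announce a mirroring tool or fetch many distinct paths in a short window, and sources that produce a burst of 401s against one path. The log lines, the tool-marker list, the HTTrack-style User-Agent and every threshold are constructed assumptions.

```python
"""Added example, not Brutus or HTTrack code, serving both the mirroring section and this
one: flag site mirroring (a mirroring tool named in the User-Agent, or many distinct paths
fetched in a short window) and HTTP Basic-Auth guessing (a burst of 401s against one path)
in Apache combined-format access logs. Log lines and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Callable, Dict, List, NamedTuple, Tuple

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


class Entry(NamedTuple):
    ip: str
    user: str  # %u: the Basic-Auth username offered; Apache logs it even when it answers 401
    ts: datetime
    method: str
    path: str
    status: int
    ua: str


def parse_line(line: str) -> Entry:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return Entry(m["ip"], m["user"], ts, m["method"], m["path"], int(m["status"]), m["ua"])


def _window_hit(rows: List[Entry], window_s: int, reached: Callable[[List[Entry]], bool]) -> bool:
    """Slide a window of window_s seconds over time-sorted rows; True once reached(window) holds."""
    start = 0
    for end in range(len(rows)):
        while (rows[end].ts - rows[start].ts).total_seconds() > window_s:
            start += 1
        if reached(rows[start:end + 1]):
            return True
    return False


# Tool names from the module's own mirroring list, matched case-insensitively in the User-Agent.
MIRROR_TOOL_MARKERS = ("httrack", "webcopier", "blackwidow", "webripper", "winwsd")


def mirroring_suspects(entries: List[Entry], window_s: int = 60, min_paths: int = 20) -> Dict[str, List[str]]:
    """Per client IP, the reasons it looks like a site mirror; clients with none are omitted."""
    by_ip: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_ip[e.ip].append(e)
    findings: Dict[str, List[str]] = {}
    for ip, rows in by_ip.items():
        reasons = []
        if any(mark in e.ua.lower() for e in rows for mark in MIRROR_TOOL_MARKERS):
            reasons.append("mirroring tool named in User-Agent")
        rows.sort(key=lambda e: e.ts)
        if _window_hit(rows, window_s, lambda w: len({e.path for e in w}) >= min_paths):
            reasons.append(f"at least {min_paths} distinct paths within {window_s}s")
        if reasons:
            findings[ip] = reasons
    return findings


def basic_auth_guessing(entries: List[Entry], window_s: int = 300, min_failures: int = 10) -> Dict[Tuple[str, str], dict]:
    """Per (client IP, path), 401 bursts that reach min_failures within window_s seconds, with
    the usernames tried so a dictionary run is distinguishable from one user's typos."""
    by_key: Dict[Tuple[str, str], List[Entry]] = defaultdict(list)
    for e in entries:
        if e.status == 401:
            by_key[(e.ip, e.path)].append(e)
    findings: Dict[Tuple[str, str], dict] = {}
    for key, rows in by_key.items():
        rows.sort(key=lambda e: e.ts)
        if _window_hit(rows, window_s, lambda w: len(w) >= min_failures):
            findings[key] = {"failures": len(rows), "users": sorted({e.user for e in rows} - {"-"})}
    return findings


def constructed_log() -> List[str]:
    """Constructed sample: an HTTrack-style crawl, a Brutus-style HEAD/Basic-Auth run, one normal user."""
    crawler_ua = "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
    lines = [f'203.0.113.5 - - [11/Oct/2012:09:34:{i:02d} +0000] "GET /page{i}.html HTTP/1.1" 200 512 "-" "{crawler_ua}"'
             for i in range(25)]
    for i, user in enumerate(["admin", "backup", "root", "test", "guest", "admin"] * 2):
        lines.append(f'198.51.100.7 - {user} [11/Oct/2012:09:40:{i:02d} +0000] "HEAD /admin/ HTTP/1.1" 401 - "-" "Mozilla/4.0"')
    lines.append('192.0.2.9 - alice [11/Oct/2012:09:41:00 +0000] "GET /admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


def analyze(lines: List[str]) -> Tuple[Dict[str, List[str]], Dict[Tuple[str, str], dict]]:
    entries = [parse_line(line) for line in lines]
    return mirroring_suspects(entries), basic_auth_guessing(entries)


if __name__ == "__main__":
    mirrors, guesses = analyze(constructed_log())
    print("mirroring:", mirrors)
    print("basic-auth guessing:", guesses)
```

The User-Agent check is the weakest signal since it is trivially changed; the path-count and 401-burst rules do not depend on it.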
FIGURE 12.20: Brutus Screenshot. Brutus AET2 (www.hoobie.net/brutus, January 2000) configured with Target 10.0.0.17, Type HTTP (Basic Auth), Port 80, 10 connections, timeout 10, Method HEAD with KeepAlive, Use Username with User File users.txt, Pass Mode Word List. Positive Authentication Results list target 10.0.0.17/ with username admin and password academic, and a second result for username backup. The log reads: Located and installed 1 authentication plug-ins. Initialising... Target 10.0.0.17 verified. Opened user file containing 6 users. Opened password file containing 818 Passwords. Maximum number of authentication attempts will be 4908. Engaging target 10.0.0.17 with HTTP (Basic Auth).
Module Flow
The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.
- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Patch Management
- Webserver Security Tools
- Counter-measures
This section lists and describes various web server attack tools.
Webserver Attack Tools: Metasploit
- The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms
- It supports fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP
[Metasploit web interface screenshot: project overview with Target System Status, Project Activity (24 Hours), Operating Systems (Top 5), and Network Services (Top 5); the same view is reproduced in Figure 12.21]
http://www.metasploit.com
Web Server Attack Tools: Metasploit
Source: http://www.metasploit.com
The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or PCI DSS. Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and team leads to manage project access on a per-user basis. In addition, Metasploit includes customizable reporting. Metasploit enables you to:
- Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks
- Assess the security of web applications, network and endpoint systems, as well as email users
- Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year
- Test with the world's largest public database of quality assured exploits
- Tunnel any traffic through compromised targets to pivot deeper into the network
- Collaborate more effectively with team members in concerted network tests
- Customize the content and template of executive, audit, and technical reports
FIGURE 12.21: Metasploit Screenshot. Project overview in the Metasploit web interface showing Target System Status, Project Activity (24 Hours), Operating Systems (Top 5), and Network Services (Top 5) with 270 DCERPC servers, 114 SMB servers, and 37 NetBIOS servers.
Metasploit Architecture
[Slide figure: the Metasploit architecture diagram, reproduced in Figure 12.22]
Metasploit Architecture
The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the lowest-level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.
FIGURE 12.22: Metasploit Architecture. Libraries (Rex, Framework-Core, Framework-Base) with Custom plug-ins and Protocol Tools; Interfaces (msfconsole, msfcli, msfweb, msfwx, msfapi); Modules (Exploits, Payloads, Encoders, NOPS, Auxiliary); Security Tools, Web Services, and Integration.
Metasploit Exploit Module
- It is the basic module in Metasploit used to encapsulate an exploit using which users target many platforms with a single exploit
- This module comes with simplified meta-information fields
- Using a Mixins feature, users can also modify exploit behavior dynamically, brute force attacks, and attempt passive exploits
Steps to exploit a system following the Metasploit Framework (shown on the slide: Configuring Active Exploit, Selecting a Target)
Metasploit Exploit Module
The exploit module is the basic module in Metasploit used to encapsulate an exploit using which users target many platforms with a single exploit. This module comes with simplified meta-information fields. Using a Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits. Following are the steps to exploit a system using the Metasploit framework:
- Configuring Active Exploit
- Verifying the Exploit Options
- Selecting a Target
- Selecting the Payload
- Launching the Exploit
Metasploit Payload Module
- The payload module establishes a communication channel between the Metasploit framework and the victim host
- It combines the arbitrary code that is executed as the result of an exploit succeeding
- To generate payloads, first select a payload using the command:
Metasploit Payload Module
The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there. With the help of the payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. To generate payloads, first select a payload using the command:
    msf > use windows/shell_reverse_tcp
    msf payload(shell_reverse_tcp) > generate -h
    Usage: generate [options]
    Generates a payload.
    OPTIONS:
        -b <opt>  The list of characters to avoid: '\x00\xff'
        -e <opt>  The name of the encoder module to use.
        -h        Help banner.
        -o <opt>  A comma separated list of options in VAR=VAL format.
        -s <opt>  NOP sled length.
        -t <opt>  The output type: ruby, perl, c, or raw.
    msf payload(shell_reverse_tcp) >
FIGURE 12.23: Metasploit Payload Module
Metasploit Auxiliary Module
- Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing
- To run an auxiliary module, either use the run command, or use the exploit command

    msf > use dos/windows/smb/ms06_035_mailslot
    msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
    RHOST => 1.2.3.4
    msf auxiliary(ms06_035_mailslot) > run
    [*] Mangling the kernel, two bytes at a time...
Metasploit Auxiliary Module
Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, either use the run command or use the exploit command.
Metasploit NOPS Module
- NOP modules generate no-operation instructions used for padding out buffers
- Use the generate command to generate a NOP sled of an arbitrary size and display it in a given format

    msf > use x86/opty2
    msf nop(opty2) > generate -h
    Usage: generate [options]
    Generates a NOP sled of a given length.
    OPTIONS:
        -b <opt>  The list of characters to avoid: '\x00\xff'
        -h        Help banner.
        -s <opt>  The comma separated list of registers to save.
        -t <opt>  The output type: ruby, perl, c, or raw.
    msf nop(opty2) >
Metasploit NOPS Module
Metasploit NOP modules are used to generate no-operation instructions that can be used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format.
OPTIONS:
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -h        Help banner.
    -s <opt>  The comma separated list of registers to save.
    -t <opt>  The output type: ruby, perl, c, or raw.
Generates a NOP sled of a given length.
To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

    msf nop(opty2) > generate -t c 50
    unsigned char buf[] =
    "\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
    "\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
    "\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
    "\x92\xb5\xd4\x4f\x91";
    msf nop(opty2) >
FIGURE 12.25: Metasploit NOPS Module
Webserver Attack Tools: Wfetch
- WFetch allows an attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data
- It allows an attacker to test the performance of websites that contain new elements such as Active Server Pages (ASP) or wireless protocols
[Wfetch screenshot: a GET request to host localhost on port 80 with Advanced Request disabled; the Log Output pane reports Last Status: 500 Internal Server Error. See Figure 12.26.]
Web Server Attack Tools: Wfetch

Source: http://www.microsoft.com

Wfetch is a graphical user interface aimed at helping customers resolve problems related to browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem in a lightweight, very HTTP-friendly test environment. It allows for very granular testing, down to authentication, authorization, custom headers, and much more.
[Wfetch screenshot: GET request to localhost on port 80, Advanced Request disabled, Authentication: Anonymous, Connection: http, Client cert: none; the Log Output pane reports Last Status: 500 Internal Server Error]

Figure 12.26: Wfetch Screenshot
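What Wfetch shows in its Log Output pane can be reproduced with a few lines of socket code. The following is an added example (not Wfetch and not from the module) that composes a raw HTTP/1.1 request, sends it, parses the reply, and lists the response headers that advertise product versions, the banner information a later countermeasure in this module says to restrict. The loopback server, its `Microsoft-IIS/7.5` banner and the 500 status it returns are constructed for the demonstration.

```python
"""Compose a raw HTTP request, send it over a socket, and inspect the raw reply.

Added example, not Wfetch and not code from the module. It does by hand what
Wfetch's GUI does: build the request line and headers, write them to a TCP
socket, and show the server's answer byte for byte. The loopback server in
main() is a constructed stand-in for IIS so that the script runs offline.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Headers that reveal product and version details. The module's countermeasures
# recommend restricting the banner information IIS returns; this list is an
# illustrative assumption.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def build_request(verb, path, host, headers=None):
    """Serialize an HTTP/1.1 request; CRLF line endings and the blank line are mandatory."""
    lines = [f"{verb} {path} HTTP/1.1", f"Host: {host}", "Connection: close"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_response(raw):
    """Split a raw response into status code, reason, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "reason": reason, "headers": headers, "body": body}


def disclosing_headers(headers):
    """Names of version-revealing headers present in a parsed response."""
    return [h for h in DISCLOSING_HEADERS if h in headers]


def send_raw(host, port, request, timeout=5.0):
    """Write the request bytes to a TCP connection and read until the server closes it."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in server: answers 500, as the Wfetch log pane shows."""
    server_version = "Microsoft-IIS/7.5"   # constructed banner for the demo
    sys_version = ""

    def do_GET(self):
        self.send_response(500)
        self.send_header("X-Powered-By", "ASP.NET")
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output to the raw exchange only


def main():
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        request = build_request("GET", "/", "localhost")
        print(request.decode("ascii"))
        raw = send_raw("127.0.0.1", server.server_address[1], request)
        print(raw.decode("iso-8859-1"))
        parsed = parse_response(raw)
        print("status:", parsed["status"], parsed["reason"])
        print("banner headers to suppress:", disclosing_headers(parsed["headers"]))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    main()
```

Run it and the raw request, the raw 500 response and the two banner headers (`Server`, `X-Powered-By`) are printed; point `send_raw` at a real host and port to verify that a hardened server no longer returns them.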
Web Password Cracking Tool: Brutus
Source: http://www.hoobie.net

Brutus is a remote password-cracking tool. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although it is a possibility at some point in the future. Brutus was written originally to help check routers for default and common passwords.

Features:

- HTTP (Basic Authentication)
- HTTP (HTML Form/CGI)
- POP3
- FTP
- SMB
- Telnet
- Multi-stage authentication engine
- No username, single username, and multiple username modes
- Password list, combo (user/password) list, and configurable brute force modes
- Highly customizable authentication sequences
- Load and resume position
- Import and export custom authentication types as BAD files seamlessly
- SOCKS proxy support for all authentication types
- User and password list generation and manipulation functionality
- HTML Form interpretation for HTML Form/CGI authentication types
- Error handling and recovery capability, including resume after crash/failure
[Brutus AET2 screenshot (www.hoobie.net/brutus, January 2000): Target 10.0.0.17, Type HTTP (Basic Auth), Port 80, Method HEAD, KeepAlive enabled; Authentication Options: user file users.txt (6 users) and a password word list (818 passwords); the log reports that the maximum number of authentication attempts will be 4906 and shows the Positive Authentication Results pane]

Figure 12.27: Brutus Screenshot
Web Password Cracking Tool: THC-Hydra

A very fast network logon cracker that supports many different services.
[xHydra screenshot (slide copy of Figure 12.28): Target, Passwords, Tuning, Specific and Start tabs; Output pane showing Hydra v7.1 starting against service rdp on port 3389]
Web Password Cracking Tool: THC-Hydra

Source: http://www.thc.org

THC-Hydra is used to check for weak passwords. It is a brute force tool that is used by attackers as well as administrators. Hydra can automatically crack email passwords and gain access to routers, Windows systems, and telnet- or SSH-protected servers. It is a very fast network logon cracker that supports many different services.
[xHydra screenshot: Target tab with Single Target 192.168.168.1, Protocol rdp, and Use SSL, Show Attempts, Be Verbose and Debug enabled; the Output tab shows Hydra v7.1 (c)2011 by van Hauser/THC & David Maciejak starting at 2012-10-21 17:01:09 with 4 tasks, 1 server, 4 login tries (l:1/p:4), attacking service rdp on port 3389, and a warning that rdp servers often don't like many connections (use -t 1 or -t 4); the generated command line appears at the bottom of the window]

Figure 12.28: THC-Hydra Screenshot
Web Password Cracking Tool: Internet Password Recovery Toolbox

Internet Password Recovery Toolbox recovers passwords for Internet browsers, email clients, instant messengers, FTP clients, and network and dial-up accounts.

Source: http://www.rixler.com

Internet Password Recovery Toolbox is a comprehensive solution for recovering passwords for Internet browsers, email clients, instant messengers, and FTP clients. It can cover network and dial-up accounts and can be used across the whole range of Internet communication links. This program offers instantaneous password recovery for almost every Internet application you would expect it to support: you name it, the program has it.
Module Flow

So far, we have discussed web server concepts, techniques used by attackers, attack methodology, and web server attack tools. All these concepts help in breaking into the web server or compromising web server security. Now it's time to discuss the countermeasures that help enhance the security of web servers. Countermeasures are the practice of using multiple security systems or technologies to prevent intrusions. They are the key components for protecting and safeguarding the web server against intrusions.

Module flow: Webserver Concepts -> Webserver Attacks -> Attack Methodology -> Webserver Attack Tools -> Counter-measures -> Patch Management -> Webserver Security Tools -> Webserver Pen Testing
This section highlights web server countermeasures that protect web servers against various attacks.
Countermeasures: Patches and Updates

The following are a few countermeasures that can be adopted to protect web servers against various hacking techniques:

- Scan for existing vulnerabilities, and patch and update the server software regularly.
- Apply all updates, regardless of their type, on an "as-needed" basis.
- Ensure that service packs, hotfixes, and security patch levels are consistent on all Domain Controllers (DCs).
- Have a back-out plan that allows the system and enterprise to return to their original state, prior to the failed implementation.
- Before applying any service pack, hotfix, or security patch, read and peer review all relevant documentation.
- Test the service packs and hotfixes on a representative non-production environment prior to deploying them to production.
- Ensure that server outages are scheduled and a complete set of backup tapes and emergency repair disks are available.
- Schedule periodic service pack upgrades as part of operations maintenance and never try to be more than two service packs behind.
Countermeasures: Protocols

The following are some measures that should be applied to the respective protocols in order to protect web servers from hacking:

- Block all unnecessary ports, Internet Control Message Protocol (ICMP) traffic, and unnecessary protocols such as NetBIOS and SMB.
- Harden the TCP/IP stack and consistently apply the latest software patches and updates to the system software.
- If using insecure protocols such as Telnet, POP3, SMTP, or FTP, take appropriate measures to provide secure authentication and communication, for example, by using IPSec policies.
- If remote access is needed, make sure that the remote connection is secured properly, by using tunneling and encryption protocols.
- Disable WebDAV if not used by the application, or keep it secure if it is required.
Countermeasures: Accounts

The following is the list of account countermeasures for hacking web servers:

- Remove all unused modules and application extensions.
- Disable unused default user accounts created during installation of an operating system.
- When creating a new web root directory, grant the appropriate (least possible) NTFS permissions to the anonymous user being used from the IIS web server to access the web content.
- Eliminate unnecessary database users and stored procedures and follow the principle of least privilege for the database application to defend against SQL query poisoning.
- Use secure web permissions, NTFS permissions, and .NET Framework access control mechanisms including URL authorization.
- Slow down brute force and dictionary attacks with strong password policies, and then audit and alert for logon failures.
- Run processes using least privileged accounts as well as least privileged service and user accounts.
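Brutus and THC-Hydra, described earlier in this module, produce exactly the trace the logon-failure item above asks you to audit and alert on: a burst of authentication failures from one source. The following is an added example (not from the module, and not Brutus or Hydra code) of that detection over IIS W3C access logs; the log lines, the threshold of five failures within sixty seconds, and the client addresses are constructed for the example.

```python
"""Flag brute-force and dictionary logon attempts in IIS W3C access logs.

Added example, not code from the module and not Brutus or Hydra. Those tools
drive many authentication attempts per second at one target; the 'Accounts'
countermeasures say to audit and alert for logon failures. This script parses
W3C extended log lines (the format IIS writes), counts 401 responses per client
address inside a sliding window, and reports sources that reach a threshold,
plus any later successful authenticated request from a flagged source.
The log lines are constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.99 runs a word list against /admin/ with HEAD
# requests; 10.0.0.5 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-10-21 17:01:09 10.0.0.17 HEAD /admin/ - 80 - 10.0.0.99 Brutus/AET2 401 2 5 3
2012-10-21 17:01:09 10.0.0.17 HEAD /admin/ - 80 - 10.0.0.99 Brutus/AET2 401 2 5 2
2012-10-21 17:01:10 10.0.0.17 HEAD /admin/ - 80 - 10.0.0.99 Brutus/AET2 401 2 5 2
2012-10-21 17:01:10 10.0.0.17 GET /index.html - 80 - 10.0.0.5 Mozilla/5.0 200 0 0 15
2012-10-21 17:01:10 10.0.0.17 HEAD /admin/ - 80 - 10.0.0.99 Brutus/AET2 401 2 5 2
2012-10-21 17:01:11 10.0.0.17 GET /admin/ - 80 - 10.0.0.5 Mozilla/5.0 401 2 5 4
2012-10-21 17:01:11 10.0.0.17 HEAD /admin/ - 80 - 10.0.0.99 Brutus/AET2 401 2 5 2
2012-10-21 17:01:12 10.0.0.17 HEAD /admin/ - 80 webadmin 10.0.0.99 Brutus/AET2 200 0 0 6
2012-10-21 17:01:30 10.0.0.17 GET /admin/ - 80 alice 10.0.0.5 Mozilla/5.0 200 0 0 12
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the column names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a malformed line rather than abort the scan
        yield dict(zip(fields, values))


def find_bruteforce(records, threshold=5, window=timedelta(seconds=60)):
    """Map c-ip -> (failures, first, last) for sources with `threshold` 401s inside `window`."""
    recent = defaultdict(deque)
    alerts = {}
    for r in records:
        if r["sc-status"] != "401":
            continue
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[r["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:       # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[r["c-ip"]] = (len(q), q[0], q[-1])
    return alerts


def success_after_failures(records, alerts):
    """Authenticated 200s from an already flagged source: a sign the guessing worked."""
    return [
        (r["c-ip"], r["cs-username"], r["time"])
        for r in records
        if r["c-ip"] in alerts and r["sc-status"] == "200" and r["cs-username"] != "-"
    ]


def main():
    records = list(parse_w3c(SAMPLE_LOG))
    alerts = find_bruteforce(records)
    for ip, (count, first, last) in alerts.items():
        print(f"ALERT {ip}: {count} logon failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for ip, user, when in success_after_failures(records, alerts):
        print(f"ALERT {ip}: successful logon as {user!r} at {when} after repeated failures")


if __name__ == "__main__":
    main()
```

The single failure from 10.0.0.5 stays below the threshold, while 10.0.0.99 is flagged at its fifth 401 and again when an authenticated 200 follows the burst; the second alert is the one that matters most, because it means a guessed credential now works.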
Countermeasures: Files and Directories

The following is the list of actions that should be taken on files and directories in order to protect web servers from hacking:

- Eliminate unnecessary files within .jar files.
- Eliminate sensitive configuration information within the byte code.
- Avoid mapping virtual directories between two different servers or over a network.
- Monitor and check all network services logs, website access logs, database server logs (e.g., Microsoft SQL Server, MySQL, Oracle), and OS logs frequently.
- Disable serving of directory listings.
- Eliminate the presence of non-web files such as archive files, backup files, text files, and header/include files.
- Disable serving certain file types by creating a resource mapping.
- Ensure the presence of web application or website files and scripts on a separate partition or drive other than that of the operating system, logs, and any other system files.
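An added example (not from the module) of the file-and-directory audit these items describe: it walks a web root, flags archive, backup, text and header/include files by extension, and tests whether the web root shares a filesystem device with the operating system directory. The directory tree, file names and extension list are constructed assumptions; disabling directory listings and resource mappings are server settings and are not covered here.

```python
"""Audit a web root for non-web files and for living on the OS partition.

Added example, not code from the module. The 'Files and Directories'
countermeasures say to remove archive, backup, text and header/include files
from the web root and to keep web content on a separate partition from the
operating system. This script walks a directory tree and reports files whose
extension marks them as non-web content, then checks whether the web root
shares a filesystem device with a system directory. The tree it scans is
built in a temporary directory so the example runs anywhere.
"""
import os
import tempfile
from pathlib import Path

# Extensions the module names as non-web content plus common variants.
# Assumption: an illustrative list, not a complete one.
NON_WEB_EXTENSIONS = {
    ".bak", ".old", ".orig", ".tmp", ".swp",   # backup and editor leftovers
    ".zip", ".tar", ".gz", ".7z", ".rar",      # archives
    ".txt", ".log", ".sql",                    # text, logs, database dumps
    ".inc", ".h", ".hpp",                      # header / include files
}


def find_non_web_files(web_root):
    """Sorted paths (relative to web_root, POSIX form) of files that should not be served."""
    root = Path(web_root)
    findings = []
    for path in root.rglob("*"):
        # Double extensions such as login.aspx.bak end in .bak; the last suffix decides.
        if path.is_file() and path.suffix.lower() in NON_WEB_EXTENSIONS:
            findings.append(path.relative_to(root).as_posix())
    return sorted(findings)


def shares_partition(web_root, system_dir):
    """True when both directories sit on the same filesystem device (st_dev)."""
    return os.stat(web_root).st_dev == os.stat(system_dir).st_dev


def build_sample_tree(base):
    """Constructed web root with a mix of legitimate content and leftovers."""
    base = Path(base)
    for rel in ["index.html", "app/login.aspx", "app/login.aspx.bak", "backup/site-2012.zip",
                "config/db.inc", "readme.txt", "images/logo.png", "scripts/menu.js"]:
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("sample")
    return base


def run_sample_audit():
    """Build the constructed tree in a temp dir and return the audit results as a dict."""
    with tempfile.TemporaryDirectory() as tmp:
        web_root = build_sample_tree(tmp)
        return {
            "non_web_files": find_non_web_files(web_root),
            # the temp dir's parent is trivially on the same device; a real check
            # compares against %SystemRoot% on Windows or / elsewhere
            "same_partition": shares_partition(web_root, tmp),
        }


def main():
    with tempfile.TemporaryDirectory() as tmp:
        web_root = build_sample_tree(tmp)
        for rel in find_non_web_files(web_root):
            print("remove or relocate:", rel)
        system_dir = os.environ.get("SystemRoot", "/")   # Windows or POSIX stand-in
        if shares_partition(web_root, system_dir):
            print("web root is on the same partition as the operating system")


if __name__ == "__main__":
    main()
```

Point `find_non_web_files` and `shares_partition` at the real web root to run the audit on a server; the temporary tree exists only so the example is self-contained.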
How to Defend Against Web Server Attacks

The following are the various ways to defend against web server attacks:

Ports
- Audit the ports on the server regularly to ensure that an insecure or unnecessary service is not active on your web server.
- Limit inbound traffic to port 80 for HTTP and port 443 for HTTPS (SSL).
- Encrypt or restrict intranet traffic.
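The 'Protocols' countermeasures earlier and the port items here come down to one check: nothing listens on the web server except what it needs. The following is an added example (not from the module) that performs that audit over `netstat -an` output; the sample output, the allow-list of 80 and 443, and the service names for the flagged ports are constructed assumptions.

```python
"""Audit listening ports on a web server against an allow-list.

Added example, not code from the module. The 'Protocols' countermeasures say to
block unnecessary ports and protocols (NetBIOS, SMB, and insecure services such
as Telnet, FTP, POP3, SMTP) and the 'Ports' items say to limit inbound traffic
to 80 and 443. This script parses `netstat -an` output in Windows layout (a
constructed sample below) and reports every listener outside the allow-list,
naming the well-known service where it can.
"""
import re

ALLOWED_PORTS = {80, 443}   # assumption: a plain HTTP/HTTPS web server

# Well-known ports for services the module singles out. Assumption: illustrative map.
RISKY_SERVICES = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 110: "POP3",
    135: "MS-RPC", 137: "NetBIOS name", 138: "NetBIOS datagram",
    139: "NetBIOS session", 445: "SMB", 3389: "RDP (remote access: tunnel and encrypt)",
}

# Constructed sample of `netstat -an` on a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.17:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:80           10.0.0.5:51522         ESTABLISHED
  TCP    [::]:80                [::]:0                 LISTENING
  TCP    [::]:3389              [::]:0                 LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

_SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, address, port) for every socket that accepts inbound traffic."""
    listeners = []
    for line in netstat_text.splitlines():
        m = _SOCKET_LINE.match(line)
        if not m:
            continue   # headings and blank lines
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue   # established or time-wait sockets are not listeners
        addr, _, port = local.rpartition(":")   # handles both 0.0.0.0:80 and [::]:80
        listeners.append((proto, addr, int(port)))   # UDP has no state; any bound socket counts
    return listeners


def audit(listeners, allowed=ALLOWED_PORTS):
    """Listeners outside the allow-list as (proto, address, port, service-or-'unknown')."""
    return [
        (proto, addr, port, RISKY_SERVICES.get(port, "unknown"))
        for proto, addr, port in listeners
        if port not in allowed
    ]


def main():
    for proto, addr, port, service in audit(parse_listeners(SAMPLE_NETSTAT)):
        print(f"{proto} {addr}:{port} is listening but not allowed ({service})")


if __name__ == "__main__":
    main()
```

On a real host, feed the output of `netstat -an` into `parse_listeners`; every line the audit prints is either a service to disable or a port the firewall should block before the server faces the Internet.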
Server Certificates
- Ensure that certificate date ranges are valid and that certificates are used for their intended purpose.
- Ensure that the certificate has not been revoked and that the certificate's public key is valid all the way to a trusted root authority.
Machine.config
- Ensure that protected resources are mapped to HttpForbiddenHandler and unused HttpModules are removed.
- Ensure that tracing is disabled (<trace enable="false"/>) and debug compiles are turned off.
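An added example (not from the module) that audits the ASP.NET configuration settings named above. ASP.NET spells the trace attribute `enabled`, and that is what the script reads; the check also covers `customErrors` and the `trust` level, which go beyond the two settings in the list but bear on source code disclosure and code access security, the next items in this section. Both XML documents are constructed: one weak, one hardened.

```python
"""Audit ASP.NET configuration for the settings the module calls out.

Added example, not code from the module. It parses a web.config or
machine.config document with ElementTree and reports debug compiles,
enabled tracing (worse when localOnly is false, because trace.axd is then
reachable remotely), custom errors switched off, and Full trust. The two XML
documents are constructed samples.
"""
import xml.etree.ElementTree as ET

WEAK_CONFIG = """\
<configuration>
  <system.web>
    <compilation debug="true" />
    <trace enabled="true" localOnly="false" />
    <customErrors mode="Off" />
    <trust level="Full" />
  </system.web>
</configuration>
"""

HARDENED_CONFIG = """\
<configuration>
  <system.web>
    <compilation debug="false" />
    <trace enabled="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="/error.html" />
    <trust level="Medium" />
  </system.web>
</configuration>
"""


def _truthy(value):
    return (value or "").strip().lower() == "true"


def _child(parent, tag):
    """First direct child element with the given tag, or None."""
    for element in parent:
        if element.tag == tag:
            return element
    return None


def audit_config(xml_text):
    """Return a list of (setting, problem) tuples, one per weak setting found."""
    root = ET.fromstring(xml_text)
    web = _child(root, "system.web")
    findings = []
    if web is None:
        return findings   # no <system.web> section: nothing here to flag

    compilation = _child(web, "compilation")
    if compilation is not None and _truthy(compilation.get("debug")):
        findings.append(("compilation/@debug", 'debug compiles are on; set debug="false"'))

    trace = _child(web, "trace")
    if trace is not None and _truthy(trace.get("enabled")):
        # localOnly defaults to true in ASP.NET; false exposes trace output to remote clients
        scope = "remote" if not _truthy(trace.get("localOnly", "true")) else "local"
        findings.append(("trace/@enabled", f'tracing is enabled ({scope}); set enabled="false"'))

    errors = _child(web, "customErrors")
    if errors is not None and errors.get("mode", "").lower() == "off":
        findings.append(("customErrors/@mode", "detailed errors reach clients; use RemoteOnly or On"))

    trust = _child(web, "trust")
    if trust is not None and trust.get("level", "").lower() == "full":
        findings.append(("trust/@level", "Full trust lets downloaded code run unrestricted; lower it"))
    return findings


def main():
    for label, xml_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(xml_text)
        print(f"{label}: {len(findings)} finding(s)")
        for setting, problem in findings:
            print(f"  {setting}: {problem}")


if __name__ == "__main__":
    main()
```

Run `audit_config` over the contents of a site's web.config and the server's machine.config: settings in web.config override machine.config, so both have to be clean for the server to be.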
Code Access Security
- Implement secure coding practices to avoid source code disclosure and input validation attacks.
- Restrict code access security policy settings to ensure that code downloaded from the Internet or intranet has no permissions to execute.
- Configure IIS to reject URLs that attempt path traversal, lock down system commands and utilities with restrictive access control lists (ACLs), and install new patches and updates.
How to Defend Against Web Server Attacks (Cont'd)

IISLockdown
- IISLockdown restricts anonymous access to system utilities, as well as the ability to write to web content directories. To do this, IISLockdown creates two new local groups called Web Anonymous Users and Web Applications, and then it adds deny access control entries (ACEs) for these groups to the access control list (ACL) on key utilities and directories. Next, IISLockdown adds the default anonymous Internet user account (IUSR_MACHINE) to Web Anonymous Users and the IWAM_MACHINE account to Web Applications. It disables Web Distributed Authoring and Versioning (WebDAV) and installs the URLScan ISAPI filter.
- Use the IISLockdown tool, which reduces the vulnerability of a Windows 2000 web server. It allows you to pick a specific type of server role, and then use custom templates to improve security for that particular server.
- IISLockdown installs the URLScan ISAPI filter, allowing website administrators to restrict the kind of HTTP requests that the server can process, based on a set of rules the administrator controls, preventing potentially harmful requests from reaching the server and causing damage.
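An added example (not URLScan and not from the module) of the rule-driven request filtering this item describes, which also covers the earlier points about rejecting path-traversal URLs and removing script mappings for optional extensions: an allow-list of verbs, a deny-list of extensions that should have no script mapping, rejection of traversal sequences and of double-encoded URLs, and a length cap. Every rule name and default value here is an assumption modelled on the idea of URLScan, not its configuration format.

```python
"""A rule-based HTTP request filter in the spirit of URLScan.

Added example, not URLScan and not code from the module; rule names and
defaults are assumptions. A request is checked before it reaches the server:
verb allow-list, URL length cap, a single round of percent-decoding followed by
a check that a second round changes nothing (double encoding), denied character
sequences such as "..", and a deny-list of extensions that should have no
script mapping. The function returns None for a request that passes, or a
short reason for one that is rejected.
"""
from urllib.parse import unquote

DEFAULT_RULES = {
    "allow_verbs": {"GET", "HEAD", "POST"},
    # extensions whose handlers should not be mapped on a hardened server (assumed list)
    "deny_extensions": {".ida", ".idq", ".htr", ".htw", ".printer", ".bat", ".cmd", ".exe"},
    # "..": traversal; "./" and "\\": path tricks; ":": alternate data streams; "%": encoding left after decoding
    "deny_sequences": ["..", "./", "\\", ":", "%"],
    "max_url_length": 260,
}


def check_request(verb, url, rules=DEFAULT_RULES):
    """Return None if the request passes every rule, else the reason it is rejected."""
    if verb.upper() not in rules["allow_verbs"]:
        return f"verb {verb} not allowed"
    if len(url) > rules["max_url_length"]:
        return "URL too long"

    path = url.split("?", 1)[0]          # the query string is not checked for extensions
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return "double-encoded URL"      # a second decode still changes it: something was hidden

    lowered = decoded.lower()
    for seq in rules["deny_sequences"]:
        if seq in lowered:
            return f"denied sequence {seq!r}"

    last_segment = lowered.rsplit("/", 1)[-1]
    extension = "." + last_segment.rsplit(".", 1)[1] if "." in last_segment else ""
    if extension in rules["deny_extensions"]:
        return f"extension {extension} not served"
    return None


def main():
    # Constructed requests: two ordinary ones, then one per rule.
    samples = [
        ("GET", "/index.html"),
        ("GET", "/default.asp?id=3"),
        ("TRACE", "/"),
        ("GET", "/scripts/../../secret/config.txt"),
        ("GET", "/app/..%255c..%255cetc"),
        ("GET", "/default.ida"),
        ("GET", "/" + "a" * 300),
    ]
    for verb, url in samples:
        verdict = check_request(verb, url)
        print(f"{verb} {url[:40]:<40} -> {'pass' if verdict is None else verdict}")


if __name__ == "__main__":
    main()
```

The order of the checks matters: decoding once and then testing for a second decodable layer catches the double-encoded traversal before the sequence rules run, so the filter never has to enumerate every encoding of "..".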
Services
- Disable the services running with least-privileged accounts.
- Disable FTP, SMTP, and NNTP services if not required.
- Disable the Telnet service.
- Switch off all unnecessary services and disable them, so that the next time the server is rebooted, they are not started automatically. This also gives an extra boost to your server performance by freeing some hardware resources.
How to Defend Against Web Server Attacks (Cont'd)

Registry: Apply restricted ACLs and block remote registry administration; secure the SAM (stand-alone servers only).
Auditing and Logging: Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files.
Shares: Remove all unnecessary file shares, including the default administration shares if they are not required; secure the shares with restricted NTFS permissions.
Script Mappings: Remove all unnecessary IIS script mappings for optional file extensions to avoid exploitation of any bugs in the ISAPI extensions that handle these types of files.
IIS Metabase: Ensure that security-related settings are configured appropriately and access to the metabase file is restricted with hardened NTFS permissions; restrict banner information returned by IIS.
Sites and Virtual Directories: Relocate sites and virtual directories to non-system partitions and use IIS Web permissions to restrict access.
ISAPI Filters: Remove unnecessary ISAPI filters from the web server.
H ow
©
to D e f e n d A g a i n s t W e b
S e r v e r A t t a c k s ( C o n t ’d )
Registry
© Apply restricted ACLs ACLs and block block remo te registry administration. ©
©
Secure the SAM (Stand-alone Servers Only). Only).
Sh ar e ©
Remo ve all unnecessary file file shares including including the defau lt administration shares if they are not required.
©
©
Sec ure the shares with restrict ed NTFS NTFS permissions.
IIS M et ab as e ©
Ensure that security-related security-related settings are configured appro priate ly and and access access to the metabase file is restricted with hardened NTFS permissions.
©
©
Restrict banner informatio n returned by IIS. IIS.
Aud iting an d Logging Logging ©
Enable a minimum level level of auditing on your web serve r and and use use NTFS permissions to protec t the log files. files.
Module 12 Page 1683
Ethical Ethica l Hacking Hacki ng and Countermeasures Countermeasur es Copyright © by EC-C EC-C0U 0UnC nCil il All Rights Reserved. Reproduc Reproduction tion is Strictl Stri ctly y Prohibited.
Ethical Hacking and Countermeasures Hacking Webservers
6
Script Script Mappin gs 0
©
Exam 312 312-50 -50Certified Certif ied Ethical Hacker
Remo ve all all unneces sary IIS script mapping mappings s for optional file extensions to avoid exploiting any bugs bugs in the ISAPI extensions tha t handle these types of file.
Sites an d Virtual Directorie s ©
Relocate sites and virtual directorie s to non-sy non-system stem partitions and use use IIS IIS Web permissions to restrict access. access.
e
ISAP ISAPII Filt ers ©
Remo ve unnecessary ISAPI ISAPI filters from the web server.
Module 12 Page 1684
Ethical Ethica l Hacking Hacki ng and Countermeasures Countermeasur es Copyright © by EC-C EC-C0U 0UnC nCil il All Rights Reserved. Reproduc Reproduction tion is Strictl Stri ctly y Prohibited.
Ethical Hacking and Countermeasures Hacking Webservers
Exam 312-50 Certified Ethical Hacker
How to Defend Against Web Server Attacks (Cont'd)

The following is a list of actions that can be taken to defend web servers from various kinds of attacks:
• Create URL mappings to internal servers cautiously.
• If a database server such as Microsoft SQL Server is to be used as a backend database, install it on a separate server.
• Do use a dedicated machine as a web server.
• Don't install the IIS server on a domain controller.
• Use server-side session ID tracking and match connections with time stamps, IP addresses, etc.
• Use the security tools provided with the web server software, and scanners that automate and simplify the process of securing a web server.
• Screen and filter incoming traffic requests.
• Do physically protect the web server machine in a secure machine room.
• Do configure a separate anonymous user account for each application if you host multiple web applications.
• Do not connect an IIS server to the Internet until it is fully hardened.
• Do not allow anyone except the administrator to log on locally to the machine.
• Limit the server functionality to supporting the web technologies that are going to be used.
How to Defend against HTTP Response Splitting and Web Cache Poisoning

The following are the measures that should be taken in order to defend against HTTP response splitting and web cache poisoning:

Server Admin
• Use the latest web server software.
• Regularly update/patch the OS and web server.
• Run a web vulnerability scanner.

Application Developers
• Restrict web application access to unique IPs.
• Disallow carriage return (%0d or \r) and line feed (%0a or \n) characters.
• Comply with the RFC 2616 specifications for HTTP/1.1.

Proxy Servers
• Avoid sharing incoming TCP connections among different clients.
• Use different TCP connections with the proxy for different virtual hosts.
• Implement "maintain request host header" correctly.
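The developer-side rule above (disallow %0d/\r and %0a/\n in anything written into a response header) as an added Python example; this is not code from the courseware. It validates a header value, also in its percent-decoded forms, and refuses to build a redirect whose Location header could be split into extra headers or a second response. The function names and sample values are this example's own.

```python
"""Reject CR/LF in HTTP header values to prevent HTTP response splitting.

Added example (not from the courseware): what the "disallow %0d/\r and
%0a/\n" rule for application developers looks like in code. Function names
and sample values are this example's own.
"""
import re
from urllib.parse import unquote


class HeaderInjectionError(ValueError):
    """Raised when a value could terminate a header line or the header block."""


# RFC 2616 forbids bare control characters in a header field value, except
# horizontal tab (0x09) inside linear whitespace; CR (0x0d) and LF (0x0a)
# are the ones that let extra headers or a second response be injected.
_CTL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


def _decoded_forms(value: str, rounds: int = 3) -> list:
    """The value plus its percent-decoded forms, so %0d%0a and the
    double-encoded %250d%250a are caught even if a downstream component
    decodes them later."""
    forms = [value]
    for _ in range(rounds):
        decoded = unquote(forms[-1])
        if decoded == forms[-1]:
            break
        forms.append(decoded)
    return forms


def validate_header_value(value: str) -> str:
    """Return value unchanged if it is safe to place in a header; else raise."""
    for form in _decoded_forms(value):
        if "\r" in form or "\n" in form:
            raise HeaderInjectionError("CR/LF not allowed in header value")
        if _CTL.search(form) or not form.isascii():
            raise HeaderInjectionError("control or non-ASCII character in header value")
    return value


def is_safe_header_value(value: str) -> bool:
    """Boolean form of validate_header_value for callers that prefer a check."""
    try:
        validate_header_value(value)
    except HeaderInjectionError:
        return False
    return True


def build_redirect(location: str) -> bytes:
    """Build a minimal 302 response whose Location header comes from input.

    The value is validated first, so input carrying CR/LF is refused instead
    of being written into the response, where it would start a new header
    line or a second, attacker-controlled response that a cache could store.
    """
    safe = validate_header_value(location)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {safe}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("ascii")
```

The decode loop is bounded because each pass can only shorten the string; three rounds cover single and double encoding, which is what proxies and frameworks in front of the application commonly undo. Tabs are left alone because RFC 2616 permits them inside a folded value.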
Module Flow

Developers always try to find the bugs in the web server and try to fix them. The bug fixes are released in the form of patches. These patches provide protection against known vulnerabilities. Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities.

Module flow: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Patch Management, Webserver Security Tools, Counter-measures.

This section describes the patch management concepts used to fix vulnerabilities and bugs in web servers in order to protect them from attacks.
Patches and Hotfixes

A patch is a program used to make changes in the software installed on a computer. Patches are used to fix bugs, to address security problems, to add functionality, etc. A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs and to improve the usability or performance of a computer program or its supporting data. A patch can be considered a repair job for a programming problem.

A hotfix is a package that includes various files used specifically to address problems in a piece of software. Hotfixes are used to fix bugs in a product. Vendors notify users about the latest hotfixes through email, or the hotfixes can be downloaded from the official website. A hotfix is an update that fixes a specific customer issue and is not always distributed outside the customer organization. Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack.
What Is Patch Management?

"Patch management is a process used to ensure that the appropriate patches are installed on a system and help fix known vulnerabilities."

According to http://searchenterprisedesktop.techtarget.com, patch management is an area of systems management that involves acquiring, testing, and installing multiple patches (code changes) to an administered computer system. It involves the following:
• Choosing, verifying, testing, and applying patches
• Updating previously applied patches with current patches
• Listing patches applied previously to the current software
• Recording repositories, or depots, of patches for easy selection
• Assigning and deploying the applied patches

An automated patch management process:
1. Detect: It is very important to always detect missing security patches through proper detection tools. If there is any delay in the detection process, the chances of malicious attacks are very high.
2. Assess: Once the detection process is finished, assess the various issues and the factors associated with them, and implement those strategies by which issues can be drastically reduced or eliminated.
3. Acquire: The suitable patch required to fix the issues has to be downloaded.
4. Test: It is always suggested to first install the required patch on a testing system rather than the main system, as this provides a chance to verify the various consequences of updating.
5. Deploy: Patches are to be deployed to the systems with the utmost care, so that no application on the system is affected.
6. Maintain: It is always useful to subscribe to notifications about possible vulnerabilities as they are reported.
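Step 1 ("Detect") as an added Python example, not from the courseware or from any vendor's tool: compare an inventory of installed product versions against an advisory catalog and list the fixes that are missing, worst severity first, so the "Assess" step has something to prioritise. The product names, version strings and advisory identifiers are constructed placeholders.

```python
"""Detect missing security patches by comparing installed product versions
against an advisory catalog (the "Detect" step of the process above).

Added example, not from the courseware or from any vendor tool. The catalog
entries and installed-version inventory are constructed sample data; the
advisory identifiers are placeholders, not real advisory numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, e.g. "ADV-0001"
    product: str
    fixed_version: str    # first version that contains the fix
    severity: str         # used by the "Assess" step to prioritise


def parse_version(text: str) -> tuple:
    """Turn '2.2.2170.0' into (2, 2, 2170, 0) so comparison is numeric.

    Plain string comparison would wrongly rank '2.10' below '2.9'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_missing(installed: str, fixed: str) -> bool:
    """True when the installed version is older than the fixed version."""
    a, b = parse_version(installed), parse_version(fixed)
    # pad the shorter tuple so (2, 2) compares equal to (2, 2, 0, 0)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def detect_missing_patches(inventory: dict, catalog: list) -> list:
    """Return advisories whose fix is not yet installed, worst severity first.

    inventory maps product name -> installed version string.
    Products in the catalog but absent from the inventory are skipped: a
    fix for software that is not installed is not a missing patch.
    """
    rank = {"critical": 0, "important": 1, "moderate": 2, "low": 3}
    missing = [
        adv for adv in catalog
        if adv.product in inventory
        and is_missing(inventory[adv.product], adv.fixed_version)
    ]
    return sorted(missing, key=lambda adv: (rank.get(adv.severity, 9), adv.advisory_id))


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = {
    "ExampleWebServer": "7.5.1",
    "ExampleSQLServer": "10.50.4000",
    "ExampleXMLParser": "6.30.7601",
}

SAMPLE_CATALOG = [
    Advisory("ADV-0001", "ExampleWebServer", "7.5.2", "critical"),
    Advisory("ADV-0002", "ExampleSQLServer", "10.50.4000", "important"),  # already applied
    Advisory("ADV-0003", "ExampleXMLParser", "6.30.7602", "moderate"),
    Advisory("ADV-0004", "ExampleMailServer", "1.0.1", "critical"),       # not installed
]


if __name__ == "__main__":
    for adv in detect_missing_patches(SAMPLE_INVENTORY, SAMPLE_CATALOG):
        print(adv.advisory_id, adv.product, "needs", adv.fixed_version, f"({adv.severity})")
```

In practice the inventory comes from the package manager or, on Windows, from the file version resources of the installed binaries, and the catalog from the vendor alerts the "Maintain" step subscribes to; the comparison logic stays the same.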
Identifying Appropriate Sources for Updates and Patches

It is very important to identify the appropriate source for updates and patches. You should take care of the following things related to patch management:
• First make a patch management plan that fits the operational environment and business objectives.
• Find appropriate updates and patches on the home sites of the application or operating system vendors.
• The recommended way of tracking issues relevant to proactive patching is to register on the vendors' home sites to receive alerts.
Installation of a Patch

Users can access and install security patches via the World Wide Web. You should search for a suitable patch and install it from the Internet. Patches can be installed in two ways:
• Manual installation: the user downloads the suitable patch from the vendor and applies it.
• Automatic installation: the applications use the auto-update feature to update themselves.
Implementation and Verification of a Security Patch or Upgrade

You should be aware of a few things before implementing a patch. The following should be kept in mind:
• Before installing any patch, verify its source.
• Use a proper patch management program to validate file versions and checksums before deploying security patches.
• The patch management tool must be able to monitor the patched systems.
• The patch management team should check for updates and patches regularly.
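The first two points above (verify the source; validate file versions and checksums before deployment) as an added Python example; this is not the courseware's code nor that of any patch management product. The vendor host allow-list, the sample patch bytes, the published digest and the version strings are constructed for the example.

```python
"""Verify a downloaded patch before it is deployed: the download must come
over HTTPS from the vendor's own site, and its SHA-256 checksum and file
version must match what the vendor published.

Added example, not from the courseware. The vendor host, published checksum
and patch bytes are constructed sample data.
"""
import hashlib
import hmac
from urllib.parse import urlsplit

# Hosts from which patches may be acquired ("the home sites of the vendors").
# Constructed allow-list; replace with the real vendor hosts in use.
TRUSTED_PATCH_HOSTS = {"updates.example-vendor.invalid"}


def source_is_trusted(download_url: str) -> bool:
    """Only HTTPS downloads from an allow-listed vendor host are accepted."""
    parts = urlsplit(download_url)
    return parts.scheme == "https" and parts.hostname in TRUSTED_PATCH_HOSTS


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_matches(data: bytes, published_sha256: str) -> bool:
    """Constant-time comparison against the vendor-published digest."""
    return hmac.compare_digest(sha256_hex(data), published_sha256.lower())


def verify_patch(download_url: str, data: bytes, published_sha256: str,
                 expected_version: str, reported_version: str) -> list:
    """Return the reasons the patch must NOT be deployed (empty list = OK).

    All checks run so the operator sees every problem at once rather than
    only the first one.
    """
    problems = []
    if not source_is_trusted(download_url):
        problems.append(f"untrusted source: {download_url}")
    if not checksum_matches(data, published_sha256):
        problems.append("checksum mismatch: file is corrupt or has been tampered with")
    if reported_version != expected_version:
        problems.append(f"version mismatch: got {reported_version}, "
                        f"expected {expected_version}")
    return problems


# Constructed sample "patch" and the digest the vendor would publish for it
# (computed here only so the sample is self-consistent; in real use the
# digest is taken from the vendor's advisory, never from the download itself).
SAMPLE_PATCH = b"EXAMPLE-PATCH-PAYLOAD v1.0.1\n"
SAMPLE_PUBLISHED_SHA256 = sha256_hex(SAMPLE_PATCH)
SAMPLE_URL = "https://updates.example-vendor.invalid/patches/kb-placeholder.msu"

if __name__ == "__main__":
    issues = verify_patch(SAMPLE_URL, SAMPLE_PATCH, SAMPLE_PUBLISHED_SHA256, "1.0.1", "1.0.1")
    print("deploy" if not issues else "reject: " + "; ".join(issues))
```

The published digest must be obtained out of band (from the vendor's advisory page or a signed manifest), since a checksum fetched from the same place as a tampered file proves nothing; where the vendor signs packages, verifying the signature replaces the bare hash comparison.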
Patch Management Tool: Microsoft Baseline Security Analyzer (MBSA)

Source: http://www.microsoft.com

Microsoft Baseline Security Analyzer (MBSA) checks for available updates to the operating system, Microsoft Data Access Components (MDAC), MSXML (Microsoft XML Parser), .NET Framework, and SQL Server. It also scans a computer for insecure configuration settings.

MBSA allows you to identify missing security updates and common security misconfigurations. It is a tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations, and it offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.

FIGURE 12.30: Microsoft Baseline Security Analyzer (MBSA). The screenshot shows an MBSA 2.2 report for WORKGROUP\WIN-MSSELCK4K41 (scanned 2012-10-12 10:28 AM with MBSA version 2.2.2170.0 against the Microsoft Update catalog); the scan was incomplete ("Could not complete one or more requested checks"), and the Developer Tools, Runtimes and Redistributables, Office, and SQL Server security update checks each reported no missing security updates.
Patch Management Tools

In addition to MBSA, there are many other tools that can be used for identifying missing patches, security updates, and common security misconfigurations. A list of patch management tools follows:
• Altiris Client Management Suite, available at http://www.symantec.com
• GFI LANguard, available at http://www.gfi.com
• Kaseya Security Patch Management, available at http://www.kaseya.com
• ZENworks® Patch Management, available at http://www.novell.com
• Security Manager Plus, available at http://www.manageengine.com
• Prism Patch Manager, available at http://www.newboundary.com
• MaaS360® Patch Analyzer Tool, available at http://www.maas360.com
• Secunia CSI, available at http://secunia.com
• Lumension® Patch and Remediation, available at http://www.lumension.com
• VMware vCenter Protect, available at http://www.vmware.com
Module Flow

Web servers should always be secured in the networked computing environment to avoid the threat of being attacked. Web server security can be monitored and managed with the help of web server security tools.

Module flow: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Patch Management, Webserver Security Tools, Counter-measures.

This section lists and describes various web server security tools.
Web Application Security Scanner: Syhunt Dynamic

Source: http://www.syhunt.com

Syhunt Dynamic helps to automate web application security testing and guard an organization's web infrastructure against various web application security threats. Features:
• Black-Box Testing: Assesses web application security through remote scanning. Supports any web server platform.
• White-Box Testing: By automating the process of reviewing the web application's code, Sandcat's code scanning functionality can make the life of QA testers easier, helping them quickly find and eliminate security vulnerabilities from web applications. Supports ASP, ASP.NET, and PHP.
• Concurrency/Scan Queue Support: Multiple security scans can be queued, and the number of threads can be adjusted.
• Deep Crawling: Runs security tests against web pages discovered by crawling a single URL or a set of URLs provided by the user.
• Advanced Injection: Maps the entire website structure (all links, forms, XHR requests, and other entry points) and tries to find custom, unique vulnerabilities by simulating a wide range of attacks, sending thousands of requests (mostly GET and POST). Tests for SQL injection, XSS, file inclusion, and many other web application vulnerability classes.
• Reporting: Generates a report containing information about the vulnerabilities. After examining the application's response to the attacks, if the target URL is found vulnerable, it is added to the report. Sandcat's reports also contain charts, statistics, and compliance information. Syhunt offers a set of report templates tailored for different audiences.
• Local or Remote Storage: Scan results are saved locally (on disk) or remotely (in the Sandcat web server). Results can be converted at any time to HTML or multiple other available formats.
• In addition to its GUI (Graphical User Interface) functionality, Syhunt offers an easy-to-use command-line interface.

FIGURE 12.31: Syhunt Dynamic screenshot
Web Application Security Scanner: N-Stalker Web Application Security Scanner

Source: http://www.nstalker.com

N-Stalker Web Application Security Scanner is a web security assessment solution for your web applications. It is a security assessment tool that incorporates the N-Stealth HTTP security scanner. It searches for vulnerabilities such as SQL injection, XSS, and known attacks. It helps in managing web server and web application security. This security tool is used by developers, system/security administrators, IT auditors, and staff.

FIGURE 12.32: N-Stalker Web Application Security Scanner (the screenshot shows the 2012 Free Edition scanner window with its vulnerability and component panes)
Web Server Serve r Security Se curity Scanner: Scanne r: Wikto
W eb
S e r v e r S e c u r ity S c a n n e r : W ik t o
Source: http://www.sensepost.com Wikto is for Windows, with a couple of extra features including fuzzy logic error code checking, a backend miner, Google-assisted directory mining, and real-time HTTP request/response monitoring. Wikto is coded in C# and requires the .NET framework. Wikto may not test for SQL injections, but it is still an essential tool for penetration testers who are looking for vulnerabilities in their Internet-facing web servers.
Web Server Security Scanner: Acunetix Web Vulnerability Scanner
Source: http://www.acunetix.com
Acunetix Web Vulnerability Scanner checks web applications for SQL injections, cross-site scripting, etc. It includes advanced penetration testing tools to ease the manual security audit processes, and also creates professional security audit and regulatory compliance reports.
FIGURE 12.34: Acunetix Web Vulnerability Scanner
Web Server Malware Infection Monitoring Tool: HackAlert
Source: http://www.armorize.com
HackAlert is a cloud-based service that identifies hidden zero-day malware and drive-by downloads in websites and online advertisements. Combining multiple analysis techniques, this service identifies injected malware and generates alarms before search engines blacklist the website. This enables immediate remediation to protect customers, business reputation, and revenues. It is accessed via either a web-based SaaS interface or a flexible API that facilitates integration with enterprise security tools.
• Protects clients and customers from malware-injected websites, drive-by downloads, and malicious advertising
• Identifies malware before the website is flagged as malicious
• Displays injected code snippets to facilitate remediation
• Deploys as cloud-based SaaS or as a flexible API for enterprise integration
• Integrates with WAF or web server modules for instant mitigation
FIGURE 12.35: HackAlert Screenshot
Web Server Malware Infection Monitoring Tool: QualysGuard Malware Detection
Source: http://www.qualys.com
QualysGuard Malware Detection Service scans websites thoroughly for malware infections and for a variety of threats. It provides automated alerts and reports that enable you to identify and resolve the threat. It can also be used to protect the customers of an organization from malware infections and safeguard their brand reputations, preventing website blacklisting. It regularly schedules scanning to monitor websites on an ongoing basis, with email alerts to quickly notify organizations when infections are discovered. Malware infection details are provided so that organizations can take quick action to isolate and remove malware.
FIGURE 12.36: QualysGuard Malware Detection Screenshot
Webserver Security Tools
Web server security tools scan large, complex websites and web applications to tackle web-based vulnerabilities. These tools identify application vulnerabilities as well as site exposure risk, rank threat priority, produce highly graphical, intuitive HTML reports, and indicate site security posture by vulnerabilities and threat level. Some web server security tools include:
• Retina CS available at http://www.beyondtrust.com
• Nscan available at http://nscan.hypermart.net
• NetIQ Secure Configuration Manager available at http://www.netiq.com
• SAINTscanner available at http://www.saintcorporation.com
• HP WebInspect available at https://download.hpsmartupdate.com
• Arirang available at http://monkey.org
• N-Stealth Security Scanner available at http://www.nstalker.com
• Infiltrator available at http://www.infiltration-systems.com
• WebCruiser available at http://sec4app.com
• dotDefender available at http://www.applicure.com
Module Flow
The whole idea behind ethical hacking is to hack your own network or system in an attempt to find the vulnerabilities and fix them before a real attacker exploits them. As a penetration tester, you should conduct a penetration test on web servers in order to determine the vulnerabilities on the web server. You should apply all the hacking techniques for hacking web servers. This section describes web server pen testing tools and the steps involved in web server pen testing.
• Webserver Concepts
• Webserver Attacks
• Attack Methodology
• Webserver Attack Tools
• Counter-measures
• Patch Management
• Webserver Security Tools
• Webserver Pen Testing
Web Server Pen Testing Tool: CORE Impact® Pro
Source: http://www.coresecurity.com
CORE Impact® Pro is the software solution for assessing and testing security vulnerabilities in the organization:
• Web applications
• Network systems
• Endpoint systems
• Wireless networks
• Network devices
• Mobile devices
• IPS/IDS and other defenses
CORE Impact® Pro helps you in penetrating web servers to find vulnerabilities/weaknesses in the web server. By safely exploiting vulnerabilities in your network infrastructure, this tool identifies real, tangible risks to information assets while testing the effectiveness of your existing security investments. This tool is able to perform the following:
• Identify weaknesses in web applications, web servers, and associated databases
• Dynamically generate exploits that can compromise security weaknesses
• Demonstrate the potential consequences of a breach
• Gather information necessary for addressing security issues and preventing data incidents
FIGURE 12.37: CORE Impact® Pro Screenshot
Web Server Pen Testing Tool: Immunity CANVAS
Source: http://www.immunitysec.com
CANVAS is an automated exploitation system, and a comprehensive, reliable exploit development framework for security professionals and penetration testers. It allows a pen tester to discover all possible security vulnerabilities on the web server.
FIGURE 12.38: Immunity CANVAS Screenshot
Web Server Pen Testing
Web server pen testing will help you to identify, analyze, and report vulnerabilities such as authentication weaknesses, configuration errors, protocol-related vulnerabilities, etc. in a web server. To perform penetration testing, you need to conduct a series of methodical and repeatable tests, and to work through all of the different application vulnerabilities.
Why Web Server Pen Testing? Web server pen testing is useful for:
• Identification of Web Infrastructure: To identify make, version, and update levels of web servers; this helps in selecting exploits to test for associated published vulnerabilities.
• Verification of Vulnerabilities: To exploit the vulnerability in order to test and fix the issue.
• Remediation of Vulnerabilities: To retest the solution against the vulnerability to ensure that it is completely secure.
Web Server Penetration Testing
Web server penetration testing starts with collecting as much information as possible about an organization, ranging from its physical location to operating environment. The following are the series of steps conducted by the pen tester to penetrate the web server:
Step 1: Search open sources for information about the target
Try to collect as much information as possible about the target organization's web server, ranging from its physical location to operating environment. You can obtain such information from the Internet, newsgroups, bulletin boards, etc.
Step 2: Perform social engineering
Perform social engineering techniques to collect information such as human resources, contact details, etc. that may help in web server authentication testing. You can also perform social engineering through social networking sites or dumpster diving.
Step 3: Query the Whois databases
You can use Whois database query tools such as Whois, Traceroute, Active Whois, etc. to get details about the target such as domain name, IP address, administrative contacts, Autonomous System Number, DNS, etc.
Step 4: Document all information about the target
You should document all the information obtained from the various sources.
Note: Refer to Module 02: Footprinting and Reconnaissance for more information about information-gathering techniques.
Web Server Penetration Testing (Cont'd)
Step 5: Fingerprint the web server
Perform fingerprinting on the web server to gather information such as server name, server type, operating systems, applications running, etc. using tools such as ID Serve, httprecon, and Netcraft.
Step 6: Perform website crawling
Perform website crawling to gather specific information from web pages, such as email addresses. You can use tools such as httprint and Metagoofil to crawl the website.
Step 7: Enumerate web directories
Enumerate web server directories to extract important information such as web functionalities, login forms, etc. You can do this by using tools such as DirBuster.
Step 8: Perform a directory traversal attack
Perform a directory traversal attack to access restricted directories and execute commands outside of the web server's root directory. You can do this by using automated tools such as DirBuster.
Web Server Penetration Testing (Cont'd)
Step 9: Perform vulnerability scanning
Perform vulnerability scanning to identify weaknesses in a network using tools such as HP WebInspect, Nessus, etc. and determine if the system can be exploited.
Step 10: Perform an HTTP response splitting attack
Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
Step 11: Perform a web cache poisoning attack
Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request, which will be stored in the cache.
Step 12: Brute force login credentials
Brute force SSH, FTP, and other services' login credentials to gain unauthorized access.
Step 13: Perform session hijacking
Perform session hijacking to capture valid session cookies and IDs. You can use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.
Web Server Penetration Testing (Cont'd)
Step 14: Perform a MITM attack
Perform a MITM attack to access sensitive information by intercepting and altering communications between an end user and web servers.
Step 15: Perform web application pen testing
Perform web application pen testing to determine whether applications are prone to vulnerabilities. Attackers can compromise a web server even with the help of a vulnerable web application.
Note: Refer to Module 13: Hacking Web Applications for more information on how to conduct web application pen testing.
Step 16: Examine web server logs
Examine the server logs for suspicious activities. You can do this by using tools such as Webalizer, AWStats, Ktmatu Relax, etc.
Step 17: Exploit frameworks
Exploit the frameworks used by the web server using tools such as Acunetix, Metasploit, w3af, etc.
Step 18: Document all the findings
Summarize all the tests conducted so far along with the findings for further analysis. Submit a copy of the penetration test report to the authorized person.
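As an added example that is not part of the courseware, the following Python shows the kind of checks a defender applies when examining web server logs (Step 16): it parses combined-format access log lines and flags directory traversal attempts (Step 8), CRLF/response-splitting payloads (Step 10) and brute-force login bursts (Step 12). The log lines, IP addresses, paths and thresholds are constructed for illustration.

```python
"""Access-log review helpers (added example, not part of the CEH courseware).

Parses Apache/nginx combined-format access log lines and flags the attack
patterns the pen-test steps describe: directory traversal (Step 8), CRLF /
HTTP response splitting payloads (Step 10) and brute-force logins (Step 12),
as part of examining web server logs (Step 16).
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')   # "../" or "..\" after decoding
CRLF_RE = re.compile(r'[\r\n]')           # bare CR/LF in a decoded request path


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['ts'] = datetime.strptime(entry['ts'], '%d/%b/%Y:%H:%M:%S %z')
    entry['status'] = int(entry['status'])
    return entry


def decode_path(path):
    """URL-decode twice so double-encoded sequences (%252e%252e%252f) are caught."""
    return unquote(unquote(path))


def classify_request(entry):
    """Return the list of findings for a single parsed request."""
    decoded = decode_path(entry['path'])
    findings = []
    if TRAVERSAL_RE.search(decoded):
        findings.append('directory-traversal')
    if CRLF_RE.search(decoded):
        findings.append('crlf-injection')
    return findings


def detect_bruteforce(entries, path_prefix='/login', threshold=5, window_seconds=60):
    """Map source IP -> largest number of failed logins (401/403) seen inside one window."""
    failures = defaultdict(list)
    for e in entries:
        if e['path'].startswith(path_prefix) and e['status'] in (401, 403):
            failures[e['ip']].append(e['ts'])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), j - i + 1)
    return flagged


def analyze_log(text):
    """Run every check over a block of log text and return a summary dict."""
    entries = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    suspicious = [(e['ip'], e['path'], classify_request(e)) for e in entries]
    suspicious = [s for s in suspicious if s[2]]
    return {'parsed': len(entries), 'suspicious': suspicious,
            'bruteforce': detect_bruteforce(entries)}


# Constructed sample log (documentation-range IPs, fictional paths).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2012:14:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.5 - - [10/Sep/2012:14:01:07 +0000] "GET /download?file=../../../../etc/passwd HTTP/1.1" 404 213
203.0.113.5 - - [10/Sep/2012:14:01:09 +0000] "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1804
198.51.100.9 - - [10/Sep/2012:14:02:00 +0000] "GET /redirect?url=/home%0d%0aSet-Cookie:%20sid%3Dx HTTP/1.1" 302 0
198.51.100.9 - - [10/Sep/2012:14:03:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Sep/2012:14:03:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Sep/2012:14:03:10 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Sep/2012:14:03:15 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Sep/2012:14:03:20 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.9 - - [10/Sep/2012:14:03:25 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [10/Sep/2012:14:04:00 +0000] "POST /login HTTP/1.1" 200 2210
"""

if __name__ == '__main__':
    report = analyze_log(SAMPLE_LOG)
    print(f"parsed {report['parsed']} lines")
    for ip, path, findings in report['suspicious']:
        print(f"{ip} {path} -> {', '.join(findings)}")
    for ip, count in report['bruteforce'].items():
        print(f"{ip}: {count} failed logins within 60s")
```

The decoded path is checked twice-decoded on purpose: a single decode would miss the %252e%252e%252f form that often evades naive filters.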
Module Summary

□ Web servers assume critical importance in the realm of Internet security.
□ Vulnerabilities exist in different releases of popular web servers, and the respective vendors patch these often.
□ The inherent security risks owing to compromised web servers have an impact on the local area networks that host these websites, and even on the normal users of web browsers.
□ Looking through the long list of vulnerabilities that have been discovered and patched over the past few years, an attacker has ample scope to plan attacks on unpatched servers.
□ Different tools/exploit codes aid an attacker in perpetrating web server hacking.
□ Countermeasures include scanning for the existing vulnerabilities and patching them immediately, anonymous access restriction, incoming traffic request screening, and filtering.
Module 12 Page 1722