Professional Documents
Culture Documents
1 - - - - - - - - - - - - - - - - - - - - LEARNING OBJECTIVES
e L0#01: Summarize Web Server Conce pts e L0#04: Expla in Web Server Attack Countermeasures
e L0 #02: Demonstrate Different Web Server Attacks e L0#0 5: Summarize Patch Management Concepts
Learning Objectives
Most organizations consider their web presence to be an extension of themselves.
Organizations maintain websites associated with their business on the World Wide Web to
establish their web presence. Web servers are a critical component of web infrastructure. A
single vulnerability in web server configuration may lead to a security breach on websites.
Therefore, web server security is critical to the normal functioning of an organization .
At the end of this module, you will be able to do the following:
• Describe web server concepts
• Perform various web server attacks
■ Describe web server attack methodology
■ Use different web server attack tools
■ Apply web server attack countermeasures
• Use different web server security tools
• Describe patch management concepts
A web server is a computer system that stores, processes, and delivers web pages to clients via HTTP
Static Application
Data Store Data Store
-~-----------------------
--~-:~1_:~ - ~-:~~~~~ i>
Application
Server
Web Server
-------
~
I.
Servlet Response W eb Container
The document root is one of the root file directories of the web server that stores
critical HTML files related to the web pages of a domain name, which will be sent in
response to requests.
For example, if the requested URL is www.certifiedhacker.com and the document root is
named "certroot" and is stored in the directory /admin/web, then /admin/web/certroot
is the document directory address.
If the complete request is www.certifiedhacker.com/P-folio/index.html, the server will
search for the file path /admin/web/certroot/P-folio/index.html.
• Server Root
It is the top-level root directory under the directory tree in which the server's
configuration and error, executable, and log files are stored. It consists of the code that
implements the server. The server root, in general, consists of four files. One file is
dedicated to the code that implements the server, while the other three are
subdirectories, namely, -conf, -logs, and -cgi-bin, which are used for configuration
information, logs, and executables, respectively.
■ Virtual Document Tree
A virtual document tree provides storage on a different machine or disk after the
original disk becomes full. It is case-sensitive and can be used to provide object-level
security.
In the above example under
document root, for a request of
www.certifiedhacker.com/P-folio/index.html, the server can also search for the file path
/admin/web/certroot/P-folio/index.html if the directory admin/web/certroot is stored in
another disk.
• Virtual Hosting
■ Web Proxy
A proxy server is located between the web client and web server. Owing to the
placement of web proxies, all requests from clients are passed on to the web server
through the web proxies. They are used to prevent IP blocking and maintain anonymity.
Open-source Web Server Architecture
Open-source web server architecture typically uses Linux, Apache, MySQL, and PHP, often
called the LAMP software bundle, as the principal components.
The following are the functions of the principal components in open-source web server
architecture:
■ Linux is the operating system {OS) of the web server and provides a secure platform
■ Apache is the component of the web server that handles each HTTP request and
response
■ MySQL is a relational database used to store the content and configuration information
of the web server
■ PHP is the application layer technology used to generate dynamic web content
• •
:........................... ►
Internet •.......................... :.
Linux
t
File System
•......... Apache •· ......• ~ Email
•
cfcl e'
PHP •.......................
t
Applications MySQL
Compiled Ext ension
Figure 13.2: Functions of the principal components of the open-source web server architecture
Attackers usually target software vulnerabilities and configuration errors to compromise web servers
Network and OS level attacks can be well defended using proper network security measures such as firewalls,
IDS, etc. However, web servers can be accessed from anywhere via the Internet, which renders them highly
vulnerable to attacks
Custom Web Applications Q, Stack 7 Business Logic Flaws Impact ofWeb Server Attacks
Websitel
................>
Internet
Web Server
Browser on User's
Computer
Website2
Figure 13.4: Conceptual diagram of a web server: the user visits websites hosted on a web server
Organizations can defend most network-level and OS-level attacks by adopting network
security measures such as firewalls, intrusion detection systems (IDSs), and intrusion
prevention systems (IPSs) and by following security standards and guidelines. This forces
attackers to turn their attention to web-server- and web-application-level attacks because a
web server that hosts web applications is accessible from anywhere over the Internet. This
makes web servers an attractive target. Poorly configured web servers can create
vulnerabilities in even the most carefully designed firewall systems. Attackers can exploit poorly
configured web servers with known vulnerabilities to compromise the security of web
applications. Furthermore, web servers with known vulnerabilities can harm the security of an
organization. As shown in below figure, organizational security includes seven levels from stack
1 to stack 7.
Attackers perform web server attacks with certain goals in mind. These goals may be either
technical or non-technical. For example, attackers may breach the security of a web server and
steal sensitive information for financial gains or merely for the sake of curiosity.
The following are some common goals of web server attacks:
■ Stealing credit-card details or other sensitive credentials using phishing techniques
■ Integrating the server into a botnet to perform denial of service (DoS) or distributed Dos
(DDoS) attacks
■ Compromising a database
■ Obtaining closed-source applications
■ Hiding and redirecting traffic
■ Escalating privileges
Some attacks are performed for personal reasons, rather than financial gains:
■ For pure curiosity
A web server configured by poorly trained system administrators may have security
vulnerabilities. Inadequate knowledge, negligence, laziness, and inattentiveness toward
security can pose the greatest threats to web server security.
The following are some common oversights that make a web server vulnerable to attacks:
■ Failing to update the web server with the latest patches
■ Using the same system administrator credentials everywhere
■ Allowing unrestricted internal and outbound traffic
■ Running unhardened applications and servers
Impact of Web Server Attacks
Attackers can cause various kinds of damage to an organization by attacking a web server. The
following are some of the types of damage that attackers can cause to a web server.
■ Compromise of user accounts: Web server attacks mostly focus on compromising user
accounts. If the attacker compromises a user account, they can gain a large amount of
useful information. The attacker can use the compromised user account to launch
further attacks on the web server.
■ Website defacement: Attackers can completely change the appearance of a website by
replacing its original data. They deface the target website by changing the visuals and
displaying different pages with messages of their own.
■ Secondary attacks from the website: An attacker who compromises a web server can
use the server to launch further attacks on various websites or client systems.
■ Root access to other applications or server: Root access is the highest privilege level to
log in to a server, irrespective of whether the server is a dedicated, semi-dedicated, or
virtual private server. Attackers can perform any action once they attain root access to
the server.
■ Data tampering: An attacker can alter or delete the data of a web server and even
replace the data with malware to compromise users who connect to the web server.
■ Data theft: Data are among the primary assets of an organization. Attackers can attain
access to sensitive data such as financial records, future plans, or the source code of a
program.
■ Damage reputation of the company: Web server attacks may expose the personal
information of a company's customers to the public, damaging the reputation of the
company. Consequently, customers lose faith in the company and become afraid of
sharing their personal details with the company.
Improper f ile and directory permissions Unnecessary default, backup, or sa mple files
Security conflicts with bus iness ease-of-use case Misconfigured SSL certificates and encryption settings
Lack of proper security policies, procedures, and Administ rative or debugging functions t hat are enabled
maintenance or acces sible on web servers
Improper authentication with external syst ems Use of self-signed certificates and default certificates
The following are some oversights that can compromise a web server:
• Improper file and directory permissions
• Installing the server with default settings
■ Unnecessary services enabled, including content management and remote
administration
■ Security conflicts with the business' ease-of-use requirements
Attacker compromises the DNS server and changes the DNSsettings so that all the requests coming
towards the target web server are redirected to his/her own malicious server
......................... ►D
·
: Redirects user request to =
: the malicious website -
Attacker :
Compromises DNS : Fake Site
0 •
server and changes
the DNS settings
:
't
.e .... ................................
DNS se,verchecks the respective DNS
mapping for the requested domain name
:
:
□'"'"''
,_
·········~;;:.;;;i·;;;,;;,~~~·;;;;.,~~···8 ···- . . .
DNS Server (Target) Users (Victim) Legitimate Site
1························· ►
: Redirects user request to
the malicious website
Attacker
Compromises DNS Fake Site
E1F •
till- •
DNS Server (Target) Users (Victim) Legitimate Site
Attacker takes advantage of the DNS recursive method of DNS redirection to perform DNS amplification attacks
~················································=
What is the IP Address of What is the IP Address of
certifiedhacker.com? certifiedhacker.com?
it ♦ v8 i'i'v
Attacker
The following are the steps involved in processing recursive DNS requests; these steps are
illustrated in the below figure.
■ Step 1:
Users who desire to resolve a domain name to its corresponding IP address send a DNS
query to the primary DNS server specified in its Transmission Control Protocol (TCP)/IP
properties.
■ Steps 2 to 7:
If the requested DNS mapping does not exist on the user's primary DNS server, the
server forwards the request to the root server. The root server forwards the request to
the .com namespace, where the user can find DNS mappings. This process repeats
recursively until the DNS mapping is resolved.
■ Step 8:
Ultimately, when the system finds the primary DNS server for the requested DNS
mapping, it generates a cache for the IP address in the user's primary DNS server.
Here is the IP
~· •••·1·d~ ·~~; k~~:.; i,~·t· ••••~ ~ l!=;;;~~--!I
Address of certifiedhacker.com .com NameSpace
User's PC should have the answer
Root Servers
User's Primary DNS Server
:··········································3> (Recursion Allowed) ~········································!
Here is the IP Address of
certifiedhacker.com :
A
~
Primary DNS Server of
certifiedhacker.com e
What is the IP Address of What is the IP Address of
certifiedhacker.com? certifiedhacker.com?
Attackers exploit recursive DNS queries to perform a DNS amplification attack that results in
DDoS attacks on the victim's DNS server.
The following are the steps involved in a DNS amplification attack; these steps are illustrated in
the below figure.
■ Step 1:
The attacker instructs compromised hosts (bots) to make DNS queries in the network.
■ Step 2:
All the compromised host s spoof the victim's IP address and send DNS query requests to
the primary DNS server configured in the victim's TCP/IP settings.
■ Steps 3 to 8:
If the requested DNS mapping does not exist on the victim's primary DNS server, the
server forwards the requests to the root server. The root server forwards the request to
the .com or respective top-level domain (TLD) namespaces. This process repeats
recursively until the victim's primary DNS server resolves the DNS mapping request.
■ Step 9:
After the primary DNS server finds the DNS mapping for the victim's request, it sends a
DNS mapping response to the victim's IP address. This response goes to the victim
because bots use the victim's IP address. The replies to copious DNS mapping requests
from the bots result in DDoS on the victim's DNS server.
What Is the IP Address of Where can I find the IP Address
l'-1 [!]A [ii]
~ . l,;,J"'
certlfledhacker.com? Please
i,.:~~'r.'?.'~:.~'~,.~·~!~~~~~~:·.➔
.e.. .........................
of certifiedhacker.com?
►
-c[••····i9d~~~t·k~~~-·····
r····►~···················e··➔ User's Primary DNS Servers
but .com NameSpace
Sends signals to : Botnet should have the answer Root Servers
•
What is the IP Address (Recursion Allowed)
activate bots : compromised PCs
of certlfledhacker.com? A (N th ·t t · f •• •• • • •• • •• • •• • • • • • •• • • •• • • • • •• • •• • •• • • • ._
:·························v · otau on a 1ve or . ....................................... •
j !.......................> - -c-•rt-ifi_,•,..~h-•-~..•r_.c_om
_ J_ _, ...................................:. A l.
8 :
~-
: Primary ONS V
! Server of What is the IP : : Here is the IP
: certifiedhacker Addressof : He re is the IP Address : : :
: .com knows it certifiedhacker.com? : of certifiedhacker.com : : :
v vvv
Attacker
In directory traversal attacks, attackers use the ../ (dot-dot-slash) sequence to access restricted directories
outside the web server root directory
Attackers can use the trial and error method to navigate outside the root directory and access sensitive
information in the system
OirectoryofC:\
:l>
04/02/2022 11:31 AM 1,024 .rnd
04/28/2022 06:43 PM 0 123.text
http://server.com/scri
pts/..%Sc ../Windows/
System32/cmd.exe?/c
+dir+c:\
03/21/2022 03:10 PM
04/27/2022 08:54 PM <DIR>
03/21/2022 03:10 PM
04/11/2022 09:16 AM <DIR>
04/25/2022 05:25 PM <DIR>
03/07/2022 03:38 PM <DIR>
04/27/2022 09:36 PM <DIR>
O AUTOEXEC.BAT
CATAL1NA_HOME
O CONFIG.SYS
Documents and Settings
Downloads
Intel
Program Files
8 -
-
""'""''
.,e,.....,
"""'
sc~s
""""'
02/26/2022 02:36 AM <DIR> Snort
04/28/2022 09:50 AM <DIR> WINDOWS
04/2S/2022 02:03 PM
7 File(s)
569,344 WinDump.exe
S70,368 bytes
""
WI
13 Oir(s) 13,432,115,200 bytes free
Directory of C:\
--
04/28/2022 06:43 PM O 123.te,ct
03/2 1/2022 OHO PM O AUTOEXEC.BAT B 111!1!1
http://serve r.com/scri 04/27/2022 08:54 PM <DIR> CATAUNA_HOME
Website Defacement
offending data
Website Defacement
Website defacement refers to unauthorized changes made to the content of a single web page
or an entire website, resulting in changes to the visual appearance of the web page or website.
Hackers break into web servers and alter the hosted website by injecting code to add images,
popups, or text to a page in such a manner that the visual appearance of the page changes. In
some cases, the attacker may replace the entire website instead of just changing a single page.
http://www.certlliedhacke r.com/index.aspx
HACKED!
Hi Master, Your website is
owned by US, Hackers!
Defaced pages expose visitors to propaganda or misleading information until the unauthorized
changes are discovered and corrected. Attackers use a variety of methods, such as MySQL
injection, to access a website to deface it. In addition to changing the visual appearance of the
target website, attackers deface websites for infecting the computers of visitors by making the
website vulnerable to virus attacks. Thus, website defacement not only embarrasses the target
organization by changing the appearance of its website but is also intended to harm its visitors.
Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch
various attacks on web servers such as directory traversal, server intrusion, and data theft
..
httpd.conf file
tl Verbose Debug/Error Messages ■ This configuration allows anyone to on an Apache server
view the server status page, which
tl Anonymous or Default Use rs/Passwords contains detailed information about <Location /server - status>
the web server being currently used, SetHandler server-status
including information about the
tl Sample Configuration and Script Files </Location>
current hosts and requests being
processed
tl Remote Administration Functions
php.ini file
tl Unnecessary Services Enabled display_ error = On
Y This configuration generates ..A. . . log_errors = On
"Keeping the server configuration secure requires vigilance" -Open Web Application Security
Project (OWASP)
Administrators who configure web servers improperly may leave serious loopholes in the web
server, thereby providing an attacker the chance to exploit the misconfigured web server to
compromise its security and obtain sensitive information. The vulnerabilities of improperly
configured web servers may be related to configuration, applications, files, scripts, or web
pages. An attacker searches for such vulnerable web servers to launch attacks. The
misconfiguration of a web server provides the attacker a path to enter the target network of an
organization. These loopholes in the server can also help an attacker bypass user
authentication. Once detected, these problems can be easily exploited and may result in the
total compromise of a website hosted on the target web server.
As shown in the below figure, the configuration may allow anyone to view the server status
page, which contains detailed information about the current use of the web server, including
information about the current hosts and requests being processed.
<Location /server-status>
SetHandler server-status
</Location>
As shown in the below figure, the configuration may give verbose error messages.
display_error = On
log_errors = On
error_log = syslog
ignore_repeated_errors Off
Set-Cookie: author=Jason
Set-Cookie: author=JasonTheHacker
HTTP/ 1.1 200 OK
String author=
request . getParameter(AUTHOR_PARAM);
Second Response
Cookie cookie = new Cookie ("author",
author);
cookie.setMaxAge(cookieExpiration); HTTP/ 1.1 200 OK
response.addCookie(cookie);
Input = Jason
HTTP/1.1 200 OK
Set-Cookie: author-Jason
Second Response
Victim Server
ID
-
Figure 13.14: Exam ple of an HTTP response-splitt ing attack
:;,~~•- --1
attacks the reliability of www.certffied Original Certified Hacker
an intermediate web hadler.com page
cache source
l •-!"'"' l
~f t ... !!~~~-~~~-~~~~-~-~t.'.~~~-~~~-~~~~- ......~
I,
~ ~ ~\c><ache
■ In this attack, the Host: certif,edhacke r .com , 'U : , http://www.
attackers swap cached Accept-Charset iso-8859-1, •,utf-8 ! Normal reSJ>onse after ! certifll!dhacker.com/welcome.php?
GET http://certlfledh~ker.com/ :..(• • • • •• • •• ~1~,a_r!~.8.~
~~.:~~~f:!t~~-~~~~~~~~-~-•• ,,a,.: la~=
content for a random I ' ,._,,. ' <?php header rl.ocation: .. .
re dlr.p hp?slte""0d" 0aConte nt- , '
URL with infected ~e2
n:i~:,::~~:~°:s~OaHm>/1.l ! Attacke rsends~alicicus rec,.rest ! ~ $-_G
_er_r"'_••_·n_,'-' - - - ~
content
! l j !
An attacker forces t he
:-'!J,::::·:~·:::~
-!~~r~-~----- i~~-.~~~; ~~;
HM""""•dhK.,uom Attacke n e co,estscerufi..jhad<er.com
web server 's cache t o
unknowingly use the
flush its actual cache
poisoned content : ; ://certifiedhacker.comfnde
l
html HTTP/ 1.lHost:testsite.com : r.s nse ofrequest l _ft :A. : ofrequest 3 i, content and sends a
instead of the true and u ser-A&ent: Mozilla/ 4.7(en) :.C:: ··· .. ................. ....<" V " ..- that points to specially crafted
i : i
I '
(W inNT; I) attacker' pa e
secured content when request, which will be
requesting the required Accept-Charset: lso-8859-1, •, utf i ~ stored i n cache
Address Page
URL through the web
www.certifiedhacke r.com Attacker's page
cache
Poisoned Server Cache
An attacker forces the web server's cache to flush its actual cache content and sends a specially
crafted request to store in the cache. In this case, all the users of that web server cache will
receive malicious content until the servers flush the web cache. Web cache poisoning attacks
are possible if the web server and application have HTTP response-splitting flaws.
Server Cache
I
I
Server:cache
~!:://certifiedhacker.com/index.html j I I
HTTP/1.1 ttacker sends request tQremove page from each
Pragma: no-cache
Host: certifiedhacker.com ~Cl·· ............................................
I
I
••• ::ii,:
I
I http://www.
Accept-Charset: iso-8859-1 1 • ,utf-8 Normal resPonse after I
certifiedhacker.com/welcome.php?
GET http://certifiedhacker.com/
- ............................................. ··B·i
clearing the cache fo~ certified hacker.com lang=
Host: certlfiedhacker.com
:-<!··· ·························~······················
1 A tacker requests certifiedhacker.com • 1
An attacker forces the
I
ft .. ..... I ■ I
web server's cache to
GET
:·v.·
1 again to generate cache entry
■ • • • • • • • • • • • ■ • • • ~- ■ • • • • • • • • • • ·
:
: ••••••••••••• ~
1
:
flush its actual cache
http://certifiedhacker.com/index. : A ac er gets the second : : The secord respons~
html HTTP/1.1 Host: t estsite.com : l".esp~nseof reauest 3 ~ : ~ : ofreque~t 3 :
content and sends a
User-Agent: Mozilla/4.7 [en] ,<£··· ••• ········'······· ·~<-·w ····· that polnfs to I specially crafted
(WinNT; I)
request, which will be
Accept-Charset: lso-8859-1, •,utf-8 : "''"" :
Server Cache ••P _,.,[ "'' ' stored in cache
- -
www.certifiedhacker.com Attacker's page
Attackers ca n brute force SSH login credentials to gain unauthorized access to an SSH tunnel
SSH tunnel s ca n be used to transmit malwares and other exploits to victims w itho ut being detected
..·········3>-~-~
-
.
~
.: Mail Server
•=········➔~
(ll:.. I
User lnternet
·······!>
~
SSH Server
.... ····!> ~
~
Web Server
:
....... ··1.......;:,
:
~n-
MaU s,N..
=
Application Server
The most common passwords found are password, root, administrator, ad min, demo, test, guest, qwerty, pet names, etc.
8 SMTP servers
8 Web form authentication cracking
Attacker mainly targets: 8 Web shares
8 FTP servers
8 SSH Tunnels
Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan Horse or virus, wiretapping,
and keystroke logging
Attackers usually begin hacking attempts with password cracking to prove to the web server that they are valid users
Passwords can be cracked manually by guessing or by performing dictionary, brute force, and hybrid attacks usingautomated
tools such as THC Hydra, and Ncrack
Password cracking is the most common method of gaining unauthorized access to a web server
by exploiting flawed and weak authentication mechanisms. Once the password is cracked, an
attacker can use the password to launch further attacks.
We present some details of various tools and techniques used by attackers to crack passwords.
Attackers can use password cracking techniques to extract passwords from web servers, FTP
servers, SMTP servers, and so on . They can crack passwords either manually or with automated
tools such as THC Hydra, Ncrack, and RainbowCrack.
Attackers may send numerous fake requests to the we b server, which ca uses web server crashing or
DoS/DDoS makes it unavai lable to the legitimate users
Attacks
Note: For complete coverage of DoS/DDoS attacks, refer to Module 10: Den ial-of-Service
The attacker tricks the user to submit login details for a website that looks legitimate, and redirects
Phishing them to the malicious website hosted on the attacker's web server
Attacks
Note: For complete coverage of phi shing attacks, refer to Module 09: Social Engineering
Web Vulnerabilities in web applications running on a web server provide a broad attack path for
Application compromising the web servers
Attacks
Note : For complete coverage of we b application attacks, refer to Module 14: Hacking Web Applications
A DoS/DDoS attack involves flooding targets with copious fake requests so that the target stops
functioning and becomes unavailable to legitimate users. By using a web server DoS/DDoS
attack, an attacker attempts to take the web server down or make it unavailable to legitimate
users. A web server DoS/DDoS attack often targets high-profile web servers such as bank
servers, credit-card payment gateways, and even root name servers.
Unwanted and malicious
1-•1
traffic takes control over all
the available bandwidth
Unwanted
and malicious
traffic 1-•1
Internet
Router 1-•1
Successful DDoS attacks can
result in service downtime,
financial losses, and
Legitimate permanent business
user disability
To crash a web server running an application, the attacker targets the following services to
consume the web server's resources with fake requests:
• Network bandwidth
• Server memory
■ Application exception handling mechanism
■ CPU usage
■ Hard-disk space
■ Database space
Note: For complete coverage of DoS/DDoS attacks, refer to Module 10: Denial-of-Service.
Man-in-the-Middle Attack
Man-in-the-middle/manipulator-in-the-middle {MITM} attacks allow an attacker to access
sensitive information by intercepting and altering communications between an end user and
web servers. In an MITM attack or sniffing attack, an intruder intercepts or modifies the
messages exchanged between the user and web server by eavesdropping or intruding into a
connection. This allows an attacker to steal sensitive user information, such as online banking
details, usernames, and passwords, transferred over the Internet to the web server. The
attacker lures the victim to connect to the web server by pretending to be a proxy. If the victim
believes and accepts the attacker's request, then all the communication between the user and
web server passes through the attacker. In this manner, the attacker can steal sensitive user
information.
~
~~ ;;:;l~
.,.,;
...
• User visits a website
.............................. .... . .. . ... . . > [[]
Normal traffic
. .. . ........ . ....... ... . . . . . ..... . ... .. ........
···<::~:..'••,, j :
.. .. ..........
•' e ......................................
~ y .• .---·-·
' •:).
Attacker replays the request :
.::
·.. ~;;:;; ;;;~~~·s~ls· ;~;:~r~·;~ ;~·t·~; ~-s·;; .. • 9 ···..·· i <: ·····.. ···.. ····· ;~;~~~-r~s·;~~;;• • • .. • .... • • • • .. • ·:
Attacker
Note: For complete coverage of man-in-the-middle {MITM} attacks, refer to Module 11: Session
Hijacking.
Phishing Attacks
Attackers perform a phishing attack by sending an email containing a malicious link and tricking
the user into clicking it. Clicking the link will redirect the user to a fake website that appears
similar to the legitimate website. Attackers create such websites by hosting their address on
web servers. When a victim clicks on the malicious link while believing the link to be a
legitimate website address, the victim is redirected to the malicious website hosted on the
attacker's server. The website prompts the user to enter sensitive information, such as
usernames, passwords, bank account details, and social security numbers, and divulges the
data to the attacker. Later, the attacker may be able to establish a session with the legitimate
website by using the victim's stolen credentials to perform malicious operations on the target
legitimate website.
server
0 0
Sends malicious link through email Uses the victim's credentials to
impersonate the victim on the
-
'. . . . . . . . . . ~~.a.~.~~~. . . . . . . . . . :
legitimate server
Note: For complete coverage of phishing attacks, refer to Module 09: Social Engineering.
Even if web servers are configured securely or are secured using network security measures
such as firewalls, a poorly coded web application deployed on the web server may provide a
path for an attacker to compromise the web server's security. If web developers do not adopt
secure coding practices while developing web applications, attackers may be able to exploit
vulnerabilities and compromise web applications and web server security. An attacker can
perform different types of attacks on vulnerable web applications to breach web server
security.
■ Server-Side Request Forgery (SSRF) Attack: Attackers exploit server-side request
forgery (SSRF} vulnerabilities, which evolve from the unsafe use of functions in an
application, in public web servers to send crafted requests to the internal or backend
servers. The backend server believes that the request is made by the web server
because they are on the same network and responds with the data stored in it.
■ Parameter/Form Tampering: In this type of tampering attack, the attacker manipulates
the parameters exchanged between the client and server to modify application data,
such as user credentials and permissions as well as price and quantity of products.
■ Cookie Tampering: Cookie-tampering attacks occur when a cookie is sent from the
client side to the server. Different types of tools help in modifying persistent and non-
persistent cookies.
■ Unvalidated Input and File Injection Attacks: Unvalidated input and file-injection
attacks are performed by supplying an unvalidated input or by injecting files into a web
application.
■ Session Hijacking: Session hijacking is an attack in wh ich the attacker exploits, steals,
predicts, and negotiates the real valid web session's control mechanism to access the
authenticated parts of a web application.
■ SQL Injection Attacks: SQL injection exploits the security vulnerability of a database for
attacks. The attacker injects malicious code into the strings, which are later passed on to
the SQL server for execution.
■ Directory Traversal : Directory traversal is the exploitation of HTTP through wh ich
attackers can access restricted directories and execute commands outside of the web
server's root directory by manipulating a URL.
■ Denial-of-Service (DoS) Attack: A Dos attack is intended to terminate the operations of
a website or server to make it unavailable for access by its intended users.
■ Cross-Site Scripting (XSS) Attacks: In this method, an attacker injects HTML tags or
scripts into a target website.
■ Buffer Overflow Attacks: The design of most web applications helps them in sustaining
some amount of data. If that amount exceeds the storage space available, the
application may crash or exhibit some other vulnerable behavior. An attacker uses this
advantage and floods the application with an excess amount of data, causing a buffer
overflow attack.
■ Cross-Site Request Forgery (CSRF) Attack: An attacker exploits the trust of an
authenticated user to pass malicious code or commands to the web server.
■ Command Injection Attacks: In this type of attack, a hacker alters the content of the
web page by using HTML code and by identifying the form fields that lack valid
constraints.
■ Source Code Disclosure: Source-code disclosure is a result of typographical errors in
scripts or misconfiguration, such as failure to grant executable permissions to a script or
directory. Source-code disclosure can occasionally allow attackers to access sensitive
information about database credentials and secret keys to compromise the web server.
Note: For complete coverage of web application attacks, refer to Module 14: Hacking Web
Applications.
A web server attack typically involves preplanned activities called an attack methodology that
an attacker follows to reach the goal of breaching the target web server's security. Attackers
hack a web server in multiple stages. At each stage, the attacker attempts to gather information
about loopholes and to gain unauthorized access to the web server.
The following are the various stages of the attack methodology for web servers.
■ Information Gathering
Every attacker tries to collect as much information as possible about the target web
server. The attacker gathers the information and then analyzes it to find lapses in the
current security mechanisms of the web server.
■ Web Server Footprinting
The purpose of footprinting is to gather information about the security aspects of a web
server with the help of tools or footprinting techniques. Through footprinting, attackers
can determine the web server's remote access capabilities, its ports and services, and
other aspects of its security.
■ Website Mirroring
Website mirroring is a method of copying a website and its content onto another server
for offline browsing. With a mirrored website, an attacker can view the detailed
structure of the website.
■ Vulnerability Scanning
Vulnerability scanning is a method of finding the vulnerabilities and misconfigurations of
a web server. Attackers scan for vulnerabilities with the help of automated tools known
as vulnerability scanners.
■ Session Hijacking
Attackers can perform session hijacking after identifying the current session of the
client. The attacker takes complete control over the user session through session
hijacking.
■ Web Server Passwords Hacking
Attackers use password-cracking methods such as brute-force attacks, hybrid attacks,
and dictionary attacks to crack the web server's password .
Information Gathering
Registrar Info
Important Dates
......""
Attackers search the Internet,
newsgroups, bulletin boards, etc. Name Servers
-.2p06-nM
_,pOli_nel
---
-p06-l,e!
MOl_,.,...0011'1
Note: For complete cove rage of information gathering techniques, refer to Module 02: Footpri nting and Reconnaissance
Information Gathering
Information gathering is the first and one of the most important steps toward hacking a target
web server. In this step, an attacker collects as much information as possible about the target
server by using various tools and techniques. The information obtained from this step helps the
attacker in assessing the security posture of the web server. Attackers may search the Internet,
newsgroups, bulletin boards, and so on for gathering information about the target organization.
Attackers can use tools such as who.is and Whois Lookup to extract information such as the
target's domain name, IP address, and autonomous system number.
■ who.is
Source: https://who.is
who.is is designed perform a variety of whois lookup functions. It lets the user perform a
domain whois search, whois IP lookup, and whois database search for relevant
information on domain registration and availability.
~
WHOIS Search, Domain Name, Website, and IP Tools
ebay.com l
II
Q Your IP address is
Registrar Info
Name MarkMonttor, Inc.
Important Dates
Expires On 2022-08-02
Registered on 1995-08-04
Updated On 2021-07-02
Name Servers
dns1 p06.nsone.net 19851446
Similar Domains
ebay ac I ebay.ac ,r I ebay academy I ebay accountants I ebay adult I ebay ae I ebay af I ebay.ag I ebay agency I ebay.am
I ebay as I ebay asia I ebay associates I ebay at I ebay auctJon I ebay audio I ebay auto I ebay bar I ebay bargains I
ebay.be I
• robots. bit
lkff'• aa..,t : Googlebot
DJullow :
The robots.txt file contains the list of the web IJHr- as..,t: 10otlebot -1-1•
DJHllow:/
server directories and files that the web site IJnr- aaent: cooelebot •aobile
Disallow:
owner wants to hide from web crawlers User• qent: HSM8ot
Disallow:/
Iner-agent : Slllf'P
Oiullow:/
Us er- agertt : r -
An attacker can simply request the Robots.txt Diullow:/
User-q..,t : Gtaabot
file from the URL and retrieve sensitive Dlullow:/
IJHf'• Aifflt: b _arctll W I"
Olullow:
information such as the root directory structure IJser- acerit : bai dusplder
Disallow:/
and content management system information IJsff'• qent : NIYel'bot
Disallow:/
about the target website IJH f"••aent : yetl
DtuUow:/
lker- aog••n: y.ahoo --:r-1.er
Olullow:/
Uu r - ag..,t: psbot
An attacker can also download the Robots.txt Dlullow:/
IJHr- •a..,t: yahoo -bl OfS/v3.9
file of a target website using the Wget tool Dlullow:/
IJUf"• "Cf'nt: •
Disallow:
( r-.,t-de by: 18
~~~~~~ : ! c~l- b1n/
•robon,Drt · N t'pld 0
Ed
t robots.t>ct
Us r- ag nt: Googl bot
Disallow:
User -agent: aooglebot• illilge
Dhallow:/
User -aaent: 11ooglebot -110bilc
Dis.allow :
User -aaent: HSN8o
Disallow:/
User-asen : Slurp
Disallow:/
Us r-ag nt : T
Disallow: /
User-.igent: G1gabot
Disallow :/
User- agent: 1a_arch1ver
Disallow:
User- agent: baiduspider
Disallow:/
User- agent : naverbot
Disallow:/
Us r-as n : y ti
Disallow:/
User-agent : yahoo --c:rawler
Disallow:/
User- a ent: psbot
Disallow:/
User- agent: yahoo bl ogs/v3.9
01"i.;Jllow:/
User -agent: •
Disallow:
Crawl -del ay : 18
Disallow: / c 1 bin/
Netcat
This utility reads and writes data across network Server Identified as
connections, using the TCP/ IP protocol Mlcrosoft-l lS/10.0
..
# nc -vv www . microsoft . com 80 -press [Enter] http //netcat sourceforge net
Telnet
1
Web Server Footprinting Tools C EH
"".... 1.... -
f;l,C..,,...,_,..........,.,,__,,ttoi,
■ -IJ---...-1.,_
~!•- --
httprecon
n=
0 •
"""'" 7
httpS://www. nettraft. com
7
i (!::;J
li[, --..1a,0"9-ll-(1-1(;(1--1- -1 - , -1Pnrn-1,m-1»...11tqMI
ID Serve
UoOKaa
httpS://source/orge.net
lnlemet Server ldentificc\Jon Uti!l1'j, vl 02
Personal Security Freewa,e by Steve Gibson
Copyillft [c) 2003 tis,Gibcon Researctl Corp
S.erverOuery r Q&A/t!elp L
..o:=J Nmap
httpS://nmap.org
, _all
- 1 0.•
,, _1111
-
_uso
•HO
,, -n•
_1H C2' I WhetlanlntemetURLorlPtw~p,ovidedat:c,.e.
peulhtbo.ltonlolrllhate1Qtn)'dltw~-
,,, _1n
J
, _ 1 1.JJ
l*
_121
_,o,, CJ' ~;~=~ing Ghost Eye
, _1121
, _ 1 1.lli Content-Encod111g grip
host-header c2hhcm\lklmJsd\h'Vob3N0lmNIA>O••
httpS://gifhub.com
X·Server-Coche lalse
=-J
Query complete
https://www. compuree. ch
JiotolOS-webpage
https://www.grc.com
~ SkOpfish
httpS://code.google.com
footprinting tools can extract information from the target server. Here, we examine the
features and types of information these tools can collect from the target server.
Web Server Footprinting Tools
• Netcat
Source: http://netcat.sourceforge.net
Netcat is a networking utility that reads and writes data across network connections by
using the TCP/IP protocol. It is a reliable "back-end" tool used directly or driven by other
programs and scripts. It is also a network debugging and exploration tool.
The following are the commands used to perform banner grabbing for
www.moviescope.com as an example to gather information such as server type and
version .
o # nc -vv www. movies cope. com 80 - press [Enter]
■ Telnet
Source: https://docs.microsoft.com
Telnet is a client-server network protocol that is widely used on the Internet or LANs. It
provides login sessions for a user on the Internet. A single terminal attached to another
computer emulates the session by using Telnet. The primary security issues with Telnet
are the following.
o It does not encrypt data sent through the connection.
o It lacks an authentication scheme.
■ httprecon
Source: https://www.computec.ch
httprecon is a tool for advanced web server fingerprinting. This tool performs banner-
grabbing attacks, status code enumeration, and header ordering analysis on the target
web server and provides accurate web server fingerprinting information.
httprecon performs the following header analysis test cases on the target web server:
o A legitimate GET request for an existing resource
o An exceedingly long GET request (a Uniform Resource Identifier (URI) of >1024
bytes)
o A common GET request for a non-existing resource
o A common HEAD request for an existing resource
o Enumeration with OPTIONS, which is allowed
o The HTTP method DELETE, which is usually not permitted
o The HTTP method TEST, which is not defined
I I I I I I I
GET emtr,g GET long 1equest GET non-existing GET wtongptolocol J HEAD emt.-., OPTIONS commoo DELETE emt.-., TEST method Attack Request I
I
M.ichlst (352 lmplemen<.iions) J F;nge,pirot Details Repo1t P,ev;... I
I Nome IHb I Match ¾
' - Apache 2.0.46 72 100
' - Apache 2.0.55 n 100
• MK:1osoft IIS 6.0 n 100
'- Apache 1.3.37 70 97.22...
'- Apache 2.0.54 70 97.22...
'- Apache 2.2.4 70 97.22...
'- Apache 2.2.6 70 97.22...
'- Apache 1.3.33 69 95.83...
'- Apache 2.2.2 69 95.83...
'- Apache 2.2.3 69 95.83...
'- Apache 2.0.59 68 94.44...
'- Apache 1.3.26 67 93.05...
'- Apache 1.3.27 66 91.66...
!Reedy.
• ID Serve
Source: https;//www.grc.com
ID Serve is a simple Internet server identification utility. The following is a list of its
capabilities.
o HTTP Server Identification: ID Serve can identify the make, model, and version of a
website's server software. ID Serve sends this information in the preamble of replies
to web queries, but the information is not visible to the user.
o Non-HTTP Server Identification: Most non-HTTP (non-web) Internet servers (e.g.,
FTP, SMTP, Post Office Protocol (POP), and NEWS) are required to transmit a line
containing a numeric status code and a human-readable greeting to any connecting
client. Therefore, ID Serve can also connect with non-web servers to receive and
report the server's greeting message. This generally reveals the server's make,
model, version, and other potentially useful information.
o Reverse DNS Lookup: When ID Serve users enter a site's or server's domain name or
URL, the application will use a DNS to determine the IP address of that domain.
@ ID Serve X
I r,;- Enter or copy/ paste an Internet server UR~ or IP address here [example: www.microsoft.com) :
U1 lhttp:/ /www.certifie dhacker.com1
~
When an Internet URL or IP has been provided above.
(2' I.___
Q_ue_~_T_h_e_S_
er_ve_r _~I press this button to initiate a query of the specified server.
cp open asaq7
cp open nrpc Microsoft Windows RPC
cp open asrpc NJ.crosoft Windows RPC
cp open asrpc Microsoft windows RPC
■ Check if the web server is protected by a web application firewall (WAF) or IPS:
$runap - pBO -- script http- waf- detect - -script- args="http- waf-
detect . uri=/testphp . vulnweb. com/artists . php ,http-waf-
detect . detectBodyChanges " www.modsecurity . org
STATE SERVICE
/tcp open http Microsoft IIS httpd 18 .8
http-server header: Microsoft -IIS/18.8
http-enu11
/login . aspx : Possible adllin folder
5/tcp open msrpc Microsoft Windows RPC
9/tcp open netbios-ssn Microsoft Windows netbios -ssn
5/tcp open mcrosoft-ds?
881/tcp open msinq?
183/tcp open msrpc Microsoft Windows RPC
185/tcp open msrpc Microsoft Windows RPC
187/tcp open 11Srpc Microsoft Windows RPC
389/tcp open ms -wbt -server Microsoft Tenninal Services
357/tcp open http Microsoft HTTPAPI httpd 2.8 (SSDP/UPnP)
l http-server-header: Microsoft -HTTPAPI/2.8
C Address . 82:15:5D:82:45 :2F (Unknown)
rvice Info: OS: Windows, CPE: c :/o:mcrosoft :windows
Website Mirroring
https://www.maJamumsoft.com
Website Mirroring
Website mirroring copies an entire website and its content onto a local drive. The mirrored
website reveals the complete profile of the site's directory structure, file structure, external
links, images, web pages, and so on . With a mirrored target website, an attacker can easily map
the website' s directories and gain valuable information. An attacker who copies the website
does not need to be online to go through the target website. Furthermore, the attacker can
gain valuable information by searching the comments and other items in the HTML source code
of downloaded web pages. Many website mirroring tools can be used to copy a target website
onto a local drive; examples include WebCopier Pro, HTTrack Web Site Copier, Website Ripper
Copier, and Cyotek WebCopy.
■ WebCopier Pro
Source: h ttps ://www. maxim umsoft. com
WebCopier Pro is an offline browser to download websites and store them locally, so
that they can be viewed/analyzed later. It allows attackers to analyze the website
structure and find dead links.
l - g ~., -
~
; W ebCopi er Pro - MaximumSoft w ebsite □ X
"'
Hom• Download Advanced Theme
·~
+ ro ~
■ Stop
II Pause
®~ i/lli Fmd
o Properties D ~
:::@Schedule
- ,n~ 0 @ support
$ np of the day
Ntw ProJ•ct S a, Brow se Copy to Program Help
ProJect Settings Download • p.. , " Files• Phone ,Pad Options Sho V Roport Topics ~ Chock Version
Pro,oct Download Browse Tools Hole
Contonts
·'-11 ,~ I\
~ =- - Elapsed
'; ,,: 0
I □=□□=25 I
El-OJ MaximumSolt website
1B O MaximumSoft (default.him) .J a,. Remaining
I □=□□=□S I
Download Status IDownloading...
I
File Name Size Status
Found 1542
I Speed 1150.7 KB/ sec I
Processed 1409
I Avg Speed 1705.3 KB/sec I
Filtered 125
I Downloaded 117.6 MB
I
Errors I0 I Total Size I30.8 MS I "
..__ PrOJOcts ID Contonts [Io Log Fri• @ Browser i Download Info ~ ...- ►I
■
Often these administrative interface credentials are not
properly configured and remain setto default ~efault Passwords
------ --
the default login credent ials:
...,,,....
-
8 Consult the administrative interface documentation and "'"""
identify the default passwords N>C-
https://cirt..net/passwords
Copynght Cl by EC-Ctuncil All Rights Reseived Reproduction is Strictly Prohibited
■ cirt.net
Source: https://cirt.net/passwords
cirt.net is a lookup database for default passwords, credentials, and ports.
Default Password DB
Home
Scan your
website for Default Passwords
XSS and SQL
Injection
vulnerabilities 531 vendOII, 2117 pauwordl
ACCTON Acer
First Name •
Ml!~ ADC Kentrox
AddPac Technol29i ADT
Aironet Aladdin
Amino
IS JUST MADE FOR YOU! AIM
{ru 8Jl~IIW!
Aec
8!m
The following are some additional websites for finding the default passwords of web server
administrative interfaces:
■ https://open-sez. me
■ https://www.fortypoundh ead.com
■ http://www.defaultpassword.us
■ https://default-password.info
■ https://www.routerpasswords.com
Most w eb applic ation servers contain default content and functionalities, w hich allows attackers to leverage atta cks
Many servers contain various sample scripts and pages designed to demonstrate certain
application server functions and application programming interfaces (APls). Often, web
servers fail to secure these scripts from attackers, and these sample scripts either
contain vulnerabilities that can be exploited by attackers or implement functionalities
that allow attackers to exploit.
■ Publicly accessible powerful functions
Some web servers include powerful functionalities that are intended for administrative
personnel and restricted from public use. However, attackers attempt to exploit such
powerful functions to compromise the server and gain access. For example, some
application servers allow web archives to be deployed over the same HTTP port as that
used by the application . An attacker may use common exploitation frameworks such as
Metasploit to perform scanning to identify default passwords, upload backdoors, and
gain command-shell access to the t arget server.
An attacker attempts to identify server manuals, which may contain useful information
about configuration and server installation. Accessing this information allows the
attacker to prepare an appropriate framework to exploit the installed web server.
Tools such as Nikto2 can be used to identify default contents.
■ Nikto2
Source: https://cirt.net
Nikto is a vulnerability scanner used extensively to identify potential vulnerabilities in
web applications and web servers.
....,.,_ X +
o a 10.10.1.13
Index of/
~ l.a>J mochfw:d Sm 12mDIW2D
. ) ~--~ t_9tr~,-
i:J Exel<»•""' 2022-05-25 00.43 72K
D~ 2022-05-2508.ss
00 README pn 2022-05-25 OS 50
Q Tool, 2022-05-25 OS 57
0 ~ 2022-05-25 08 57
~k.a.. '""' 2022-05-25 08.51
D sa«ruhol 2022-05.25 os.s1
D mc 2022-05.25 08·51
itj ,"nclo", ,,., 2022-05-25 01 (H 72K
Though directory listings do not have significant relevance from a security perspective, they
occasionally possess the following vulnerabilities that allow attackers to compromise web
applications:
■ Improper access controls
■ Unintentional access to the web root of servers
In general, after discovering a directory on a web server, an attacker makes a request for that
directory and attempts to access the directory listing. Attackers also attempt to exploit
vulnerable web server software that grants access to directory listings.
Attackers use tools such as Dirhunt and Sitechecker to find directory listings of the target web
server.
■ Dirhunt
Source: https://github.com
Dirhunt is a web crawler optimized for searching and analyzing directories. This tool can
find interesting results if the server has the "index of" mode enabled. Dirhunt is also
useful if the directory listing is not enabled. It detects directories with false 404 errors,
directories where an empty index file has been created to hide things, and so on.
Vulnerability Scanning
Sniff the netw ork traffic to find any active © ·,c•caoo't.S'ltf1IOII~ ~-·~..«11'1.
Vulnerability Scanning
Vulnerability scanning is performed to identify vulnerabilities and misconfigurations in a target
web server or network. Vulnerability scanning reveals possible weaknesses in a target server to
exploit in a web server attack. In the vulnerability-scanning phase, attackers use sniffing
techniques to obtain data on the network traffic to determine active systems, network services,
and applications. Automated tools such as Acunetix Web Vulnerability Scanner are used to
perform vulnerability scanning on a target server and find hosts, services, and vulnerabilities.
• Acunetix Web Vulnerability Scanner
Source: https://www.acunetix.com
Acunetix Web Vulnerability Scanner (WVS) scans websites and detects vulnerabilities.
Acunetix WVS checks web applications for SQL injections, XSS, and so on. It includes
advanced pen testing tools to ease manual security audit processes and creates
professional security audit and regulatory compliance reports based on AcuSensor
Technology. It supports the testing of web forms and password-protected areas, pages
with CAPTCHA, single sign-on, and two-factor authentication mechanisms. It detects
application languages, web server types, and smartphone-optimized sites. Acunetix
crawls and analyzes different types of websites, including HTMLS, Simple Object Access
Protocol (SOAP), and Asynchronous JavaScript and Extensible M arkup Language (AJAX).
It supports the scanning of network services running on the server and the port
scanning of the web server.
A Aa.ntt.x. Su.i, X +
Stop Su~ Gt •:e Repon >NM txpon_ - Group By: Non. - T FUte<
GoN,N,:!w.t>S..-218· ·~ • , p ~ ~ ~ ~
- ........
!. D X E.rrt>fdtl'q~~313-0 -~ ~ . , , _
for the execution of a command or [ltl'ff"MShn'lgWlbS.-llll•5·DnctolyT---..11"11!,p11...,_Dndoaow
.,,_,,,
binary on a target machine to gain
2007-tJ"I.OS ! , SN'087xWmSW..-W.t.HTTPnt~lluff.-OWfik:,w'IYl!wlbl-
higher privileges t han the ex isting
F'flD"'--.-.::tMWlbca'n•JIISS · ~ W t l l l t ~
ones or bypass security mechanisms
,.......--.£nwpr1MWlbS.-S1160-Muqlle~~~
)( 0racWWll,(;a-,!•$1tft(FMWtttContnS--) ~ ~ a b i l -
Kslo~S-OISlW.tlM_,j,.......,Croff.Slle~~
https://www.t!xploit-db. com
•
DATABASE
0.
Show 1S search web server vulnerabiliti
~
...... - :ia:'orr, . . . . . :,..o,.
;--,,-
UC.:::' J ~ :e ) Ce
• 2017-09-13
2016-08-29
±
± II X
Mako Web Server 2.5- Mult1P'e VUnerabtl hes
DoS
Wndows
Wrodows
h),;>lf11nx
Guillaune Kaddoudl
ra. 2016-08-10 ± X WebNMS Framework 5efver 5 2/S 2 $Pl - Mu/tJple VUnerabilrtJes W<bAj,ps JSP Pedro Ribeiro
11!1 2011-11-18 ± GoAhead Web Server 2.5 • 90form/formTest' Multiple Cross-Srte Scnptmg VUlnerabillbes Remote Wrodow3 Prabhu s Angadi
~
2011-10-10 ± ✓ GoAhead Web Server 2.18 • ·adduser asp' Multiple Ctoss-Srte Scnptiog Vulnerabilmes Remote Windows Stlerit Dream
2010-04-08 ± nny Java Web Server 1.71 - Muh1ple Input Validabon Vulnerabilities Remote Murupte cp77fk4'
2014-02-19 ± II X Embedthis Goahead webSefver 3 1 3-0- Multiple VUlnerablhties DoS Llrux Maksym1Jjan Motyl
$1 Easy File Shanng Web Server 1.3x/4.5 • Ol"ectory Traversal / Muttlple lnformatlOO D1sdosure
2007-12-07 ± DoS Multiple Luigi Aurienvna
--
VUlnerabthttes
2007-07-05 ± ✓ SAP OB 7.x Web Server • WAHTTPexe' Multiple Buffer Overflow VUlnerabilrt1es Remote Wndows Mark Litchfield
2005-03-10 ± PY Software Active Webcam 4.3/5.5- WebServer Multiple Vulnerabllrties Remote wmow, Sowhat
- ±
2004-11-10 ✓ 04webserver 1.42 - Multiple Vulnerabi.lrties Remote Multiple Tan Chew Keong
2004-01-23 ± Noven Netware Enterpr1se Web Server 5.1/6 O- Multiple Cross-srte Scnpung VUlnerabdrt1es Remote Netware Rafel lvgi The-lns1der
2012-10-17 ± X Oracle WebCenter Sites (Fat'Nire Content Server) - Mutt1pie Vulnerabllrt1es WebApps Multiple SEC Consult
6'
2002-08-19 ± Keno Mail5efvef 5.0/5. 1 web Mail - Wt.pie Cross-site SCflptlng VUinerabiiities WebApps COi Abraham uncoln
Module 13 Page 1828 Ethical Hacking and Counterm easu res Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibit ed.
Ethical Hacking and Co untermeasures Exam 312-50 Certified Et hical Hacker
Hacking Web Servers
Session Hijacking
https://po,tswigger.net
Session Hijacking
Valid session IDs can be sniffed to gain unauthorized access to a web server and snoop its data.
An attacker can hijack or steal valid session content using various techniques such as session
token prediction, session replay, session fixation, sidejacking, and XSS. By using these
techniques, the attacker attempts to capture valid session cookies and IDs in established
sessions. The attacker uses tools such as Burp Suite, JHijack, and Ettercap to automate session
hijacking.
■ Burp Suite
Source: https://portswigger.net
Burp Suite is a web security testing tool that can hijack session IDs in established
sessions. The Sequencer tool in Burp Suite tests the randomness of session tokens. With
this tool, an attacker can predict the next possible session ID token and use that to take
over a valid session.
Om1tchn
Use password cracking techniques such as brute force attack, dictionary attack, and password guessing to crack
web server passwords
Source: https://hashcat.net
Hashcat is a cracker compatible with multiple OSs and platforms and can perform multi-
hash (MD4, 5; SHA - 224, 256, 384, 512; RIPEMD-160; etc.), multi-device password
cracking. The attack modes of this tool are straight, combination, brute force, hybrid diet
+ mask, and hybrid mask+ diet.
■ THC Hydra
Source: https://github.com
THC Hydra is a parallelized login cracker that can attack numerous protocols. This tool is
a proof-of-concept code that provides researchers and security consultants the
possibility to demonstrate how easy it would be to gain unauthorized remote access to
a system.
Currently, this tool supports the following protocols: Asterisk; Apple Filing Protocol
(AFP); Cisco Authentication, Authorization, and Accounting (AAA); Cisco auth; Cisco
enable; Concurrent Versions System {CVS); Firebird; FTP; HTTP-FORM-GET; HTTP-FORM-
POST; HTTP-GET; HTTP-HEAD; HTTP-POST; HTTP-PROXY; HTTPS-FORM-GET; HTTPS-
FORM-POST; HTTPS-GET; HTTPS-HEAD; HTTPS-POST; HTTP-Proxy; ICQ; Internet Message
Access Protocol {IMAP); Internet Relay Chat {IRC); Lightweight Directory Access Protocol
{LDAP); Memcached; MongoDB; Microsoft SQL Server; MySQL; Network Control
Protocol {NCP); Network News Transfer Protocol {NNTP); Oracle Listener; Oracle system
identifier {SID}; Oracle; PC-Anywhere; personal computer Network File System {PC-NFS);
POP3; Postgres; Radmin; Remote Desktop Protocol {RDP); Rexec; Rlogin; Rsh; Real Time
Streaming Protocol (RTSP); SAP R/3; Session Initiation Protocol (SIP); Server Message
Block (SMB); Simple Mail Transfer Protocol (SMTP); SMTP Enum; Simple Network
Management Protocol {SNMP) vl+v2+v3; SOCKSS; SSH {vl and v2); SSH key; Subversion;
Web servers w ith forwarding and reverse HTTP proxy functions enabl ed, are employed by attackers to perform the
follow ing act ions:
6 Attacking th ird party systems on the Internet
Att ackers use GET and CONNECT requests to use vulnerable web servers as proxies to connect and o bt ain inform at ion
from target syst ems thro ugh t hese proxy web servers
Ai ~
GET/ CONNECT Requests GET/ CON NECT Requests
Attacker
Requested Information
Proxy Web Server
Requested Information !!!I
Target Systems
The M etasploit Framework is an exploit development platform that supports fully automat edexploitation of
web servers, by abusing known v ulnerabilities and lev eraging weak passwords v ia Telnet, SSH, HTTP, and SNMP
Metasploit
Architecture Rex
I Framework-core ] PIWIIICIOl1llol
CUIIDIII....... ··;:.::t i Framework-Base ]<=··· -1
:
--~-- 1-
----- .,:. l.!!!!!!!!x;!!!!!.~ ,.: ..
:
/'
.......
mfsconsole Exploits
msfdi Payloads
msfweb Encoders
msfwx NOPS
msfapi Auxiliary
\.
https;//www.metosploit.com
Copynght Cl by EC-Ctuncil All Rights Reseived Reproduction is Strictly Prohibited
An attacker may use the following features of Metasploit to perform a web server attack:
• Closed-loop vulnerability validation
• Phishing simulations
■ Social engineering
■ Manual brute forcing
• Manual exploitation
• Evade-leading defensive solutions
Metasploit enables pen testers to perform the following:
■ Quickly complete pen-test assignments by automating repetitive tasks and leveraging
multi-level attacks
■ Assess the security of web applications, network and endpoint systems, as well as email
users
■ Tunnel any traffic through compromised ta rgets to pivot deep into a network
■ Customize the content and template of executive, audit, and technical reports
Metasploit Architecture
The Metasploit Framework is an open-source exploitation framework that provides security
researchers and pen t esters with a uniform model for the rapid development of exploits,
payloads, encoders, no operation (NOP) generators, and reconnaissance tools. The framework
reuses large chunks of code that a user would otherwise have to copy or re-implement on a
per-exploit basis. The framework is modular in architecture and encourages the reuse of code
across various projects. The framework can be broken down into a few different pieces, the
lowest level of which is th e framework core. The framework core is responsible for
implementing all the required interfaces that allow interaction with exploit modules, sessions,
and plugins. It supports vulnerability research, exploit development, and the creation of custom
security tools.
..........
Rex
[ Framework-core ]
011111111. . . . ...,.
::.t[ Framework-Base ]<··· •:
11•ln11
mfsconsole
..
~
...........
......
I!.
... .....
Exploits
\.
msfcli
msfweb
msfwx
msfapi
/
--··I!.
\.
Payloads
Encoders
NOPS
Auxiliary
/
lg B Select a Payload
Payload Module
Payload module establishes a communication channel
between the Metasploit framework and the victim host
Auxiliary Module
Auxiliary modules can be used to perform arbitrary,
one-off actions such as port scanning, denial of service,
and even fuzzing
Command to generate a NOP sled of a given length Command to generate a SO-byte NOP sled
msf > use x86/opty2 ms£ n op (opty2) > generate -t c SO
-=,a unsigned char buf [] =
msf nop (opty2) > generate -h e=::,:a
"\xfS \ x 3d\ x OS \ x lS \ xf8 \x67 \ xba \ x 7d\x08 \ xd6 \ x66 \ x9f \ xb8 \ x 2 d
Usage : generate [options] length -=j9 \xb6"
: ; "\x24 \xbe \ xbl \ x3f \ x43 \ xld\x93 \ xb2 \ x37 \x35 \ x84 \ xdS \x14 \x40
-=j9 \xb4"
F=f9 "\xb3 \ x41 \ xb9\x48 \ x 04 \x99 \ x46 \ x a9\xb0\ xb7 \ x 2 f \ xfd \x96 \ x4a
-=j9 \x98"
"\x92 \ xbS \xd4 \ x4f \ x91 ";
msf n op(opty2) >
Metasploit Modules
■ Metasploit Exploit Module
It is a basic module in Metasploit used to encapsulate a single exploit, using which users
target many platforms. This module has simplified meta-information fields. Using the
Mixins feature, users can also dynamically modify exploit behavior, perform brute-force
attacks, and attempt passive exploits.
A system can be exploited with the Metasploit Framework through the following steps :
0 Configure an active exploit
0 Verify the exploit options
0 Select a target
0 Select a payload
0 Launch the exploit
■ Metasploit Payload Module
An exploit carries a payload in its backpack when it breaks into a system and then leaves
the backpack th ere. The following three types of payload modules are provided by the
Metasploit Framework.
o Singles: Self-contained and compl etely standalone
A Metasploit payload module can upload and download files from the system, take
screenshots, and collect password hashes. It can even take over the screen, mouse, and
keyboard to control a computer remotely. The payload Module establishes a
communication channel between the Metasploit framework and victim host. It
combines arbitrary code that is executed as the result of an exploit succeeding. To
generate payloads, a payload is first selected using the command shown in the
screenshot.
Auxiliary modules of Metasploit can be used to perform arbitrary, one-off actions such
as port scanning, DoS, and even fuzzing. It includes tools and modules that assess the
security of the target as well as auxiliary modules such as scanners, DoS modules, and
fuzzers. The show auxiliary command in Metasploit can be used to list all the
available auxiliary modules in Metasploit. All modules in Metasploit other than the ones
used to exploit are auxiliary modules. Metasploit uses auxiliary modules as an extension
for various purposes other than exploitation. Auxiliary modules are stored in the
modules/auxiliary/ directory of the framework' s main directory. The run command or
the exploit command can be used to run an auxiliary module.
ms/ nop(opty2)>
The following command is used to generate a NOP sled of a given length:
msf > use x86/opty2
msf nop(opty2) > generate - h
Usage : generate [options] length
hrtps://www.immunityinc.com
r- Copynght CJ by iC-C1uncil All Rights Reserved Reproduction IS Stnctly Proh1b1ted
Source: https://www.immunityinc.com
Immunity's CANVAS provides penetration testers and security professionals with hundreds of
exploits, an automated exploitation system, and a comprehensive, reliable exploit development
framework. It provides features such as client-side exploitation, privilege escalation, HTTP
tunneled privilege escalation, remote kernel exploitation, advanced backdoor technology, and
advanced web attack technology.
Namr oescnption
smbghost_lpr An riNabon of 1
- 1 results ror that query-
(CANVAS]
ID. 0->2
10 161 0 217
"""'J~
IHl ■cted l
1
Curn,nt Status Canvu Log Debug L09
12929 116 92 11 25. 11 1571 I V@tpnvl UJID tor pnv SeO!teugPnv1l~ 15 11>14111•0 ll9x98118•08ll8•119118•08119x1Mlf 10.89 -
(2029·116·92 11,2S. ll , ."2CI [ urr.u•ng1ne) r.tproc,>ddr wlthaalloc : FOl.l\d :ad.apl..l2.dll(AdJustTollllPnvilogos at -7ff81414
(2829·86·92 11.2S: ll , U•J [ getpnvl S..ccu,fully ;w!Ju•ted pr1•
[2&29·86·92 11 , 2s : 11 , 921J r canvu•ng1M) r.tproc.ddr wllhaalloc : FOl.l\d hroolJ2.dll IH-roceu at 88087ff8UllddC11
(2029-86-82 11, 25 : 12 · " ' ' [ ,,.. ..,uplo, t I l "J"" ting into p1d 648
12029·86·82 11 , 25 : 12,5011 l ca,vas.ng1M) C.,t,,roc1ddr witlal\loc FO\Sld ~P<ooll2 .d\ I lr.tll>du\ellandloA at -7ff8Jl88.e90
12029 ·86 92 IL25 : 12,92ll l c.an•,UP•plo1tl Attmpllng to 01g111t• 50Cl<£T 291 1nto p1d 648
12029 86 92 ll : 25 : ll,5271 I can,asraplou) lllgratod SOO([T 208 to • lllOOtr SOCX£T 5264
(2029 86 82 ll:25:ll,SlSI [ canir.uuplouJ Gtoneraung 64blt llosdrf Shellcode
(1029 ,86 ai 11 ,15.U,7971 l canva5rng1M) [•) New APl, uunq NtCroateThreadEll
(2029·16·92 11 25 : U,926) [ carr.as.nq1neJ r.tprocaddr •Hhaalloc: FCM.lld ke,.,..ll2.dlllVtrtualAllocEll at -7ff8Ula6bse
[2829·86-12 11,25 : U,998) [ ,..,,....nglM) C.tproc•ddr wltlaalloc · FO<.lld ktroolJ2.dlljW it•ProcH.-ry at -7fflll8.16
r2029-16·82 11.2s :1•,a.11 r unvH•ngineJ r..tproc•ddr wll,-1\oc . FOi.rid h•••l32.dltlEutThrud at 88e07ff814'4deo
(2029·86·12 11 25 •14,1771 [ canva,•ng11,..J Gtotprocaddr •1ttnal\oc· FO\Sld n•d\l d\l llltCn,at~ThrPadb 1t N807ff814a7d840
[2029·86·92 11· 25 : l•,9761 I c:anvuraplott I 110SDH ■19ratl!d to p1d '48
• MPack (https://sourceforge.net)
• w3af (https://w3aforg)
An idea I web hosting network should be designed w ith at least three segments namely, an Internet segment,
a secure server security segment often called a demilitarize d zone (DM Z), and an internal net w ork
The w eb server should be placed in t he Server Security Segment (DMZ) of t he network, isolat ed from t he
public and internal networks
Firewalls should be pl aced for the internal network and lnternettraffic, directed toward the DMZ
m,
Web Server
Database Applicat ion
Server Se rver
~
External FTP Server Internal
Firewall Firew all
M ail Server
Mail Server
Before applying any service pack, hotfix, or security Ensure that server outages are scheduled, and
patch, read and peer review all relevant that a complete set of backup tapes and
documentation emergency repair d isks are available
m
Test service packs and hotfixes on a Schedule periodic service-pack upgrades as part
Block all unnecessary ports, ICMP traffic, and Remove all unused modules and application extensions
unnecessary protocols such as NetBIOS and 5MB Disable unused default user accounts created during the
installation of an OS
Harden the TCP/ IP stack and consistently apply the
latest software patches and updates to system When creating a new web root directory, grant
software appropriate (least possi ble) NTFS permissions to
anonymous users of the 11 5 web server to access t he web
If insecure protocols such as Telnet, POP3, SMTP, and content
FTP are used, th en take appropriate measures to Eliminate unnecessary database users and stored
provide secu re authentication and communication, for procedures and follow the principle of least privi lege for
exa mple, by using IPsec policies the database application to defend against SQL query
poisoning
If remote access is needed, ensure that remote
connections are secured properly by using tunneling Use secure web permissions, NTFS permissions, and .NET
and encryption protocols Framework access control mechanisms including URL
aut horization
Disable Web DAV if it is not used by the application or Slow dow n brute force and dictionary attacks w ith strong
keep it sec ure if it is required password policies and implement audits and alerts for
login failures
■ Isolate the supporting servers such as LDAP servers from the local subnet to filter out
the traffic through a firewall before entering the local network.
■ Ensure that all the file transfer applications through the web server are done through
FTPS for better data encryption and protection .
Countermeasures: Accounts
The following countermeasures can be adopted to secure user accounts on a web server:
■ Remove all unused modules and application extensions.
■ Disable unused default user accounts created during the installation of an OS.
■ When creating a new web root directory, grant the appropriate (least possible) NTFS
permissions to anonymous users of the IIS web server to access the web content.
■ Eliminate unnecessary database users and stored procedures and follow the principle of
least privilege for the database application to defend against SQL query poisoning.
■ Use secure web permissions, NTFS permissions, and .NET Framework access control
mechanisms, including URL authorization.
■ Slow down brute-force and dictionary attacks with strong password policies and
implement audits and alerts for login failures.
■ Run processes using least privileged accounts as well as least privileged services and
user accounts.
■ Limit the administrator or root-level access to the minimum number of users and
maintain a record of the same.
■ Maintain logs of all user activity in an encrypted form on the web server or in a separate
machine on the intranet.
■ Disable all noninteractive accounts that should exist but do not require an interactive
login.
■ Use secure VPN networks such as OpenVPN while accessing multi-server platforms or
accessing data from cross-server network models, which helps use one account for
multiple server access.
■ Use password managers such as KeePass to maintain a proper password policy for
multiple user accounts.
■ Enable the Separation of Duties (SoD) feature on the server config settings.
■ Force users to periodically change passwords for their accounts by creating a password
expiry policy.
■ Enable the user account locking feature by setting a limit on the number of failed login
attempts.
■ Implement 2FA or MFA as an additional layer of security for user accounts.
0 Eliminat e unnecessary files w ithin t he .jar files e Disable the serv ing of directory listings
•
M onitor and check all network services logs, En sure th at web applications o r website files and
website access logs, database server logs (e.g.,
M icrosoft SQL Server, MySQL, Oracle), and OS
logs frequentl y
e scripts are stored in a partition or drive separate
from that of the OS, logs, an d any ot her system
files
Use a Website Change Detection System to detect hacking attempts on the web server
Running specific script on the server that detects any changes made in the exist ing executable file or new file included
on the server
Periodica lly comparing the hash values of the files on the server with their respective master hash value to det ect the
changes made in codebase
For example: DirectoryMonitor is an automated tool that goes through al l your web folders and detects any changes made to
your codebase and alerts you via an email, if changes are detected
e Ensure that protected resources are mapped to e Implement secure coding practices
HttpForbiddenHandler and unused HttpModules are
removed
e Restrict code access security policy settings
e Ensure that tracing is disabled <trace enable="false"/> e Configure 115 to reject UR Ls with" ../" and install new
and debug compiles are turned off patches and updates
a 8
8
Apply restricted ACLs and block remote registry administration
Secure the SAM (Stand-alone servers only)
II Ensure t hat security-related settings are configured appropriately and that access to the meta base file is restricted
with hardened NTFS permissions
8 Remove all unnecessary file shares, including the default administration shares, if they are not required
II 8 Secure the shares with restrict ed NTFS permissions
II Relocate sites and virtual directories to non-system partitions and use 115 web permiss ions to restrict access
II Remove all unnecessary 11S script mappings foroptional f ile extensions to avoid exploitation of any bugs in the ISAPI
extensions that handle these types of files
II Enable a minimum level of auditing on the web server and use NTFS permissions to protect log files
Monitor all ports on the web server regularly to prevent unnecessary traffic toward the
target web server. If traffic is not monitored, the target web server will be vulnerable to
malware attacks. Do not allow public access to port 80 for HTTP or to port 443 for
HTTPS; traffic to these ports should be limited. If port 80 is kept open, the server will be
vulnerable to Dos attacks, which consume server resources. Intranet traffic should
either be encrypted or restricted to secure the web server.
Attackers attempt to hide their identity by spoofing the IP address of a legitimate user.
By processing the security log file, either using the "deny this IP address" rule in the
firewall ruleset file or by creating a "routed blackhole" command, the target system can
defend against web server attacks.
• Server Certificates
Server certificates guarantee security and are signed by a trusted authority. However,
an attacker may compromise certified servers using forged certificates to intercept
secure communications by performing MITM attacks. There are various techniques to
avoid such MITM attacks. The following are some of them.
o Use the direct validation of certificates.
o Use a novel protocol that does not depend on third parties for certificate validation .
o Allow domains to directly and securely examine their certificates by using previously
est ablished user authentication credentials.
o Use a robust cryptographic construction that enhances server identity validation and
resolves the limitations of third-party solutions.
o Ensure that the certificate data ranges are valid and that certificates are used for
their intended purpose.
o Ensure that the certificate has not been revoked and that the certificate's public key
is valid all the way to a trusted root authority.
■ Machine.config
The machine.config file provides a mechanism of securing information by changing
machine-level settings. It affects all other applications. The machine.config file includes
machine settings for the .Net framework, which affect the security. The following can be
performed with the machine.config file:
o Ensure that protected resources are mapped to HttpForbiddenHandler and that
unused HttpModules are removed
o Ensure that tracing is disabled <trace enable="false"/> and debug compiles are
turned off
o Verify that ASP.NET errors are not reverted to the client
o Verify session state settings
■ Code Access Security
The following measures can be adopted to ensure code access security.
o Implement secure coding practices to avoid source-code disclosure and input
validation attacks.
o Restrict code access security policy settings to ensure that there are no permissions
to execute code downloaded from the Internet or intranet.
o Configure 115 to reject URLs with " ../" to prevent path traversal, lockdown system
commands and utilities with restrictive access control lists (ACLs), and install new
patches and updates.
o If targets do not implement code access security in their web servers, then there is a
possibility of execution of malicious code.
The following are some other measures to defend against web server attacks:
■ Apply restricted ACLs and block remote registry administration.
■ Secure the SAM (stand-alone servers only).
■ Ensure that security-related settings are configured appropriately and that access to the
metabase file is restricted with hardened NTFS permissions.
■ Remove unnecessary Internet Server Application Programming Interface (ISAPI) filters
from the web server.
■ Remove all unnecessary file shares, including the default administration shares, if they
are not required.
■ Secure the shares with restricted NTFS permissions.
■ Relocate sites and virtual directories to non-system partitions and use 115 web
permissions to restrict access.
■ Remove all unnecessary IIS script mappings for optional file extensions to avoid
exploitation of any bugs in the ISAPI extensions that handle these types of files.
■ Enable a minimum level of auditing on the web server and use NTFS permissions to
protect log files.
■ Use a dedicated machine as a web server.
■ Create URL mappings to internal servers cautiously.
■ Do not install the 115 server on a domain controller.
■ Use server-side session ID tracking and match connections with timestamps, IP
addresses, etc.
■ If a database server such as Microsoft SQL Server is to be used as a backend database,
install it on a separate server.
■ Use security tools provided with web server software and scanners that automate and
simplify the process of securing a web server.
■ Physically protect the web server machine in a secure machine room.
■ Do not connect an IIS Server to the Internet until it is fully hardened.
■ Do not allow anyone to locally log in to the machine except the administrator.
■ Configure a separate anonymous user account for each application if multiple web
applications are hosted.
■ Limit the server functionality to support only the web technologies to be used.
■ Screen and filter incoming traffic requests.
■ Store website files and scripts on a separate partition or drive.
■ Use an effective anti-bot mitigation service such as DataDome to detect botnets in real
time.
Application Developers
Proxy Servers
■ Proxy Servers
o Avoid sharing incoming TCP connections among different clients
o Use different TCP connections with the proxy for different virtual hosts
o Implement "maintain request host header" correctly
Choose an ICANN accredited registrar and encourage them to set Registrar-Lock on the domain name
Use DNS monito ring tools/services t o monitor the IP address of the DNS server and set alerts
Avoid downloa ding audio and video codecs and other down loaders fro m untrusted we bsites
Change t he default router password that comes wit h t he fact ory settings
how to receive good-quality reception and support, and whether the DNS server's
infrastructure is hardened against attacks.
■ Configuring a master-slave DNS within your network: Use a master-slave DNS and
configure the master without Internet access. Maintain two slave servers so that even if
an attacker hacks a slave, it will update only when it receives an update from the
master.
■ Constant monitoring of DNS servers: The constant monitoring of DNS servers ensures
that a domain name returns the correct IP address.
■ Ensure router safety: Change the default username and password of the router. Keep
the firmware up-to-date for ensuring safety from new vulnerabilities.
■ Use VPN service: Establish virtual private network (VPN)-encrypted tunnels for secure
private communication over the Internet. This feature protects messages from
eavesdropping and unauthorized access.
■ Use firewall protection services to safeguard the original DNS resolvers and filter out the
rogue DNS resolver traffic.
■ Maintain proper protection systems such as MFA and hardware security to ensure
controlled access to the DNS server.
■ Install script blocker extensions in the browser.
■ Use only secured and reputed VPN networks instead of free VPN services, which can
track your activities and record them for future use.
,,_
■ -.,.-.-.s,._..,.... .....-,- 1-- ,
,,-~ ·~·..:...: '
0
- - - - -- - ·-i - ti- -
- -~-----·-----.._
11 • ~ ill ti - I .:, c ■ 11>
-------
~.
:::=::;;::
__
; ;;::_
-
_.i!:!::":
- -
~ ~ - --- - -
..,,..,_
- - ..---f'I
*~l\lng ■Ua(:k•
VI.MerlllNto
=-,. ---
·-
:;;
;.r::
"-
-:= ·=--
•- : ~(fNIO~ICM
--~_
o::,:.-QJ
:::...o:
--.- ___ "-
·-~-
• !~I.Ill : -----
" ::;:111 •-Oolo : ,....
a-i--c-. _ _ _
... ..
• •-c...c...r- - - - - 1~::-
=.-:--=----- 1
-~---~ ......_____..., ~
•=C:c- ~'::::::==: ...
--~-
1...,...1:lO~
·-·D--r-
..-. ...,_-,...._,._~. ..•.,..:..a,,.-__-----·---
l!.iiil
&6_'--_.....,.__,__ ..
----..._ __
• .., _ _ ,m, _ _ _ . , _
'Jr_ _ _ _ ..,_.,__,_..
.__
.......,...,_..,.
I.Mlb_,,,osl
..«_
...._,.... .......,,.
.....
lllll--,HTT,Aoa
....
--~,~~·
--
.,.,.
Oi!IKttdWtbT~
............
......
....,_
""'
"
...,_,,_,..,._,_,,
-
,_
._,
..........
..,,_
l l'41totil~¼I-IO'IO.C
■~o..c..i,..,
■M-'oo,,oC-,
itlS-..KJMI..C-,,
_,__........_~'"'
.,,...-.,tv,t.~"
Hl[pJ,.,,.,a,f>A.,_J
.,,_,t,tu,t~"
- ~171>8-= .,t.n.ctw~r,
Hl[p/.....
Nip/,._....,._,~"
··-
■PIM<l"Bd.'41f■
lt,IP..,...,_,0.-.... Hl[p/,-._.....,__~,W
1111_._.,_ .....,.....a,t,A._,~"
....,,,._.,.-oi.,/lfjJt,./
110 - 0 . ~ E ~ Hl[p/ltt,,,4.......~ l l f e l
■C-S..SGl(lllr-olXSS-1
■C-S.$0J:llr'o/XSS.I
■c-s.~1xss-1 Hip/--~~-
Hl[pl,._.....,_~~it111'ooctctc:t
Hl[p/,_,......._~... v.M.t1.
Figure 13.45: Screenshot of Syh unt Hyb rid web ap plicatio n security scanner
■ N-Stalker X
Source: https://www.nstalker.com
N-Stalker is a web application security scanner that searches for vulnerabilities to
attacks such as clickjacking, SQL injection, and XSS. It allows spider crawling throughout
the application and the creation of web macros for form authentication. It also provides
proxy capabilities for " drive-thru" attacks and identifies components through reverse
proxies that distribute different platforms in the same application URL.
. " .. ;
C
at
Pro y - .x,1
~ Sanner Events
E ~ ScaMer A
Vu r11 . ty Application might be
I 0as!lbolrd
vulnerable to
Ste Scqufflce Gene-11lnfo
AIOwed Hosts
clickjacklng attacks
OetMSandfix
Rejeded t!OSIS • Seventy : Me<ium
Browser Oetals
!) Objects
Hm'~t Vlllnerabillty
... ~ •Class : Cl1Ck.Jadc
- ~ ( 01 Hm' Re:sl)onse
OWASP (Top 10 AS)( CWE
S'mAabonft,gne •References :
\Vebforms (2) (693)
RegFalse~ll'Ve
E-mlls • Target URL : h~Jlww-N mov,escope co
BroLen pagn (I) •Post Data : NIA
Hidden f"ields
nfonne!J041 lHJ.age (2)
Vunera • WIiy is it an issue?
8 ~'llwww fflO\acope i:tlffi
8 AppbllCHI l!lgtll be vut!fflble lo ckl;Jloblg 1tt1w N-St.alker has round your system Is
9 / vulnerable to d1d(Jaclong alladcwtlieh
■ I anows mauaous users to manipulate
1.tutc>ie Cr0U4te request forgery vunertbtty hu b4 legitimate user lnteradions Wlthin your
Web forn, aJows passw«d caclmg II Ille ~nt-slde appUcabon.
l'Qssible unconmon HTTP melhOc! found to be support
Wtbsefver WI disclose plltforn, de,. 0( vers.on Ill
W ~ er wl dosc:lose 1)19tforn, deleb or vm,on 11f v
. .
< > < >
Scan Module Current Total ,.
11-Steler Spider UocMe 7 7
"
SanMocUes I ~ t s l:::l ScM!Evcnts CJ
Sla!IIS S c e n - - f u l ) I ~
--------------------------
■ WPSec (https;//wpsec.com)
■ Skipfish (https://code.google.com)
■ Detectify (https://detectify.com)
■ SonarQube (https://www.sonarqube.org)
■ Arachn i (https://www.arachni-scanner.com)
■ w3af (https;//w3aforg)
■ Grabber (http://rgaucher.info)
■ Vega (https://subgraph.com)
Qualys
Community
Qualys Community Edition assesses
vulnerabilities on all internal IT infrastructure as
wel l as externa l-facing assets t o ensure a sec ure
Observatory
https://observotory.mozilla.org
--_J
Edition
stat e
Asset Overview •
7
_.,_,. G,
I I Nikto2
https://cirt net
https://www.quolys.com
[ lmmuniWeb
https://www. fflmuniweb.com
l
Copynght Cl by EC-Ctuncil All Rights Reseived Reproduction is Strictly Prohibited
Source: https://www.qualys.com
Qualys Community Edition discovers IT assets, manages vulnerabilities, scans web
applications, and maintains cloud assets inventory. It offers vulnerability management
to identify dangerous bugs and remediate them immediately. Qualys can also assess
vulnerabilities on all internal IT infrastructure as well as external-facing assets to ensure
a secure state.
Asset Overview •
Adlona V AddWkigll ....,.,.._1.., C,
II ..
.....
• SOFTWARE DISTRJBUTION
I- I_-,
XP
....
2.+211
.....
I - I.....
2.+2.IL.
MANUFACTURERS
"""''
Syatemlitodel
.....
au
C:0.nt
■ k 13
•• ••
53
. . .. "'
• Hewlla.Pacun::I
MS<
HPEJi"'8oall. 840G1
MS-7873
•
'""
Quttera
https://quttua.com
Web Inspector
https://www.webrtspector.com
ti !
"""
C!CI SiteGuarding ~J
https://www.qualys.com •- ---•0-Cll """
"""
httpSc//www.,fte..,." Jing. ,om
Preview
My Web Application
http:/lwww.mwtest.info1malware-demos-named/
Last scan by Edgar Venables (regen_ev) 29 Mar 2013 1 33Pl.t GMT-0700 100:00:31
1 -6of6 ~ V
Al Sites
l!:J http://www.mwtest.11folmalware--Oemos-named/MS07-004n,1... mm
DetectJons found (72)
~ http://www.mwtest.rifoJmalware-demos-named/MS06-0S7n.l ... mm
My Web Appkatl>n
Oetecbons found {31)
El http://www.mwteslrifolmalware--<lemos-named/MS06--01-4-R... 11 mm
mwtestirlfo
~ http://www.mw1est.infoJmalware..<femos-n11med/MS06-0 14-R... 11 mm
OetectJons foulld (41) (J http://www.mw1est.11foJmalware--demos-named/MS06-013II.I... mm
~ httpJ/www.mw1e.st.infoJmalware--<lemcs-named/APSB10-02/... mm
The following are some additional web server malware infection monitoring tools:
■ Sucuri SiteCheck (https://sucuri.net)
■ Sitelock Malware Removal (https://www.sitelock.com)
■ Quttera (https://quttera.com)
■ Web Inspector (https://www.webinspector.com)
■ SiteGuarding (https://www.siteguarding.com)
~
Fortify Webl nspect is an automated dynamic testing solution Acunetix Web Vulnerability
t hat discovers configuration iss ues and identifies and priorit izes Scanner
securit y vul nerabiliti es in running applications https://www.ocunetbc.com
~
, _ 1,,.., 1 - -
, .. We ..._ ~ ... Net IQ Secure Configuration
.J - • t.J OtoM . .. c.....,_. _ _ '.la•-,~ :J"- ,.,__ ~ -.....
ia•- - Manager
https://WW1N.ne:tiq.com
I !!'!~-~,-=-=~~.-~~ j;=....
~-
---~-
·--
----
•Ck>-
·°'-
G,,__ _
~
SAINT Security Suite
-··--__,.
·--
https://www. corson-sfflntcom
----
·--
·Ck>-
==-~·•
-- -
•--
______
______
[w Sophos Intercept X for Server
https://www.sophos.com
7
Ijl
lo.o.
ro--
~---
0"1 - ...
,
0-,--..-
0 1 ......- . - ... _,_ _ _ _ - ·
------ https.j/www.microfoc.us.com
UpGuard
https://WW!N. upguord.com
P•use
Compk•n<e M.1n.ger
Audit ... Potecy M•n•ger ~ Report < Schedule Sm.nUpd•te
-
Crawled! 1116ol 616 Network
......,. G)Traff,cMon,tor
.AudM.ed: ll.Sof632
-
@IU ...-.
""'° PlPlr.lo
01;1 ...
~.,,.,. Findings
~-
Cffl:lfcms
621a .,a,Joo COl'ftffltiD
• E21C .,or, .. Cooto.
0i0 -
-
· E2llD .......
• Ck:J rf'taU'crs
@IU ...,..
~ Si.ts
0i0 ........
Info
~ ;!l ._..,_.h... httP//~~tv~l'rnnster-funcb-v POST de-1ulptl0rl JPost,~l'CW'\A. Input Vlrill$0Cln •nd ~HtnUDOft
http//le_fO~com/Jeew'lt,t"" GrT l~ls«W ~ v.ito.t'Of'I encl R e ~
"1...CVV'iot•tton Cnedl C.rO N!M't'IOef ll 1«ffl)
nap/Jrc.ro~tv~~fll-SUffll"l'I• GU
CORE Impact
e CORE Impact finds vulnerabilities on an organization's web serve r
8 This tool allows a user to evaluate the security posture of a web server using the present-day cybercrime tec hniques
.., ___ _
Web Server Pen Testing --.' •1-r:,a, • ·••&c.+ .. ,o,'
Tools ·-
0
0o----
----
11 0 ,,., _ _
·-- -------
_____ .._
-------·
.,_
____
.._._..,_______
_.. ..
.......-
.,,..._.,,,___,.._..,
e lmmunityCANVAS
·:1~=;= ___
...-... __ ......
....... .....,..
__
..,,,,.,.,...
..,-._....,.._
(https://www.immunityinc.com )
___
.,.,_,
e Arachni (https://www.arachni-
scanner.com)
.........
•·~-
,
J- --
J_..,....,,
..,.....,
====--· ~-----
e WebSurgery (https://sunrisetech.gr)
ti~ii
!l Mitmprox (https://mitmproxy.org)
Source: https://www.coresecurity.com
CORE Impact finds vulnerabilities in an organization's web server. This tool allows a user
to evaluate the security posture of a web server by using the same techniques currently
employed by cyber criminals. It scans for possible vulnerabilities in the web server,
imports scan results, and runs exploits to test the identified vulnerabilities. It can also
scan network servers, workstations, firewalls, routers, and various applications for
vulnerabilities; identify which vulnerabilities pose real threats to the network;
determine the potential impact of exploited vulnerabilities; and prioritize and execute
remediation efforts.
., A
0
--
-
t':. . .~:-:::::::::::::::::::::::::::::::::::::::::::::::::r'.
:
0 O.,.c-..-....-
flM,,j ~S.-$otw...lta..'"
~l/wat. ,-. ......... ,..
vwa..u---.,-..nu.. ....
o--
lil O .Nl1~ b -
0 O...,.c--.....- ~JfWZIL..,-. ....... ,..
Vlvat..Vlllllt-,..._ ......... "9
mo.,.,..-.-,.... l/llJlllL. VII/JR..•-- /'WU.. IOlo
or•.__ Vltnm..V11n1Ll;....IIK.o-,._
or• -
mo.,.,.c-.......,., ......
:t/11'111»...lll\l'llll... ,-no.L.No
Vltl'll»..Vl11Jtl...f-. lWU..,_
V1 1'20LV1v&.. _______ _
mo..-c--__._
!.:,sec.="--"=-·"--------------' ~ -
13-.. .....
i l0.,l1.)I.\
Gl • - - - -
)-
';.IC IOZ'.J.1.1
l&D.J,IAJ
111W.JU1
U.-
-
'--
~
•-
iM
~ , ,~
- ...,_-
- ---~·- ------Cc-~---..ual\J--
-~---
JICl~--
~ - - ,.,..__...,..___~
J- ~ all'.J£.a '-- ..
l ~ lll.17.JUS '-- aM
e •- - I0.11.>6.a - ....,
t o::.-.~,.:;:~;:•
J - ... .......... -.V.JUI
J,_.....,_,.,..,..,.. to.1'.u.16
.,__,_,,+o-dtli,.....
. _,110( tllD.JU1
..,,...,.
J..,.__..._-.. -.V.M.•
The following are some additional web server pen testing tools:
• Immunity CANVAS (https://www.immunityinc.com)
• Arachni (https://www.arachni-scanner.com)
■ WebSurgery (https://sunrisetech.gr)
■ Mitmprox (https://mitmproxy.org)
• Webalizer (https://webalizer.net)
Patch Management
Developers always attempt to find bugs in a web server and fix them. Bug fixes are distributed
in the form of patches, which provide protection against known vulnerabilities. Unpatched or
vulnerable patches can create a security loophole in the web server. This section describes the
role of patches, upgrades, and hotfixes in securing web servers. This section also provides
guidance for choosing proper patches, upgrades, hotfixes, and their appropriate sources for
secure patch management.
Hotfixes are an update to fix a specific customer issue and not always distributed outside the customer
organization
A patch is a small piece of software designed to fix problems, security vulnerabilities, and bugs and improve
the performance of a computer program or its supporting data
Hotfixes are sometimes packaged as a set of fixes called a combined hotfix or service pack
"Patch management is a process used to fix known vulnerabilities by ensuring that the appropriate patches
are installed on a system"
Assess Asses the issue(s) and associated severities by mitigating the factors that may influence the decision
Test Install the patch first on a testing machine to verify the consequences of the update
Deploy Deploy the patch to the computers and ensure that the applications are not affected
Installation of a Patch
First, m ake a patch management Users can access and install secu rit y Before inst alling any patch, verify
plan that fits the operat ional pat ches via the World Wide Web the source
environment and business
obj ectives Use a proper patch management
Pat ches can be installed in t w o w ays
program t o validat e file versio ns and
Manual Installation checksums before deploying security
Find appropriate updates and
8 In this method, the user patches
patches o n th e home sites of th e
applications or operating systems' downloads the patch from the
vendors vendor and installs it The patch m anagement tool mu st
be able to monitor the patched
Automatic Installation systems
J The recommended way of tracking 8 In this method, the applications
issues relevant t o proactive use the Auto Update feature to The patch management team
patching is to register w ith the update themselves should check for up dates and
hom e sites to receive alerts
patches regularly
Installation of a Patch
The installation of a patch entails the following tasks.
• Identifying Appropriate Sources for Updates and Patches
It is important to identify appropriate sources for updates and patches. Patches and
updates that are not installed from trusted sources can render the target server even
more vulnerable to attacks, instead of hardening its security. Thus, the selection of
appropriate sources for updates and patches plays a vital role in securing web servers.
The following are some methods for identifying appropriate sources for updates and
patches.
o Create a patch management plan that fits the operational environment and business
objectives.
o Find appropriate updates and patches on the home sites of the applications or OS
vendors.
o The recommend ed method of tracking issues relevant to proactive patching is to
regi st er to the home sites to receive alerts.
■ Installation of a Patch
Users can access and install security patches via the World Wide Web. Patches can be
installed in two ways.
o Manual Installation
In this method, the user downloads the patch from the vendor and installs it.
o Automatic Installation
In this method, applications use an auto update feature to update themselves.
• Implementation and Verification of a Security Patch or Upgrade
GFI
LanGuard
GFI LanGuard's patch management automa ticall y
scans your network and installs and manages security
and non-security patches
Symantec Client Management
Suite
https://www.broadcom.com
l
Solarwinds Patch Manager
https://www.solorwinds.com
& , ..
.!. !'. 3
lbM
_
_., _..
3
.,-
b -•-~ll7JllOP
• J'taa-·-- .~,-
~ ~ Entir• Netwof1l . 23 computffli
. rp ...
,8,(11(19-11.J.M-I
• • ~s.o..r,....,_~,,
• --5-ilt-.,_G91>
a i...~-P"t
;==:=.IICl"'1~-..i-.. ·-
·- .....,_
1
·---
05,\-•S,,tlJt._.._._._L'->-.0..J.1..._,.
--1
·-
· 1'- II
·-
01$11•a$:IUl:--LS.).JI0.0.J,.1.,__,.
., __ 1
tul'ICP~I . ...... s.-........
■ -..._,__.,..,._a
. ,........_Ill,
(25.1.alltlUl<-Ll.>IIO..O.t.tAi.,.
-11- -
·-
lJi ez5,ll-lt9'11111'_,_._.0Ht..O.J,.1L•J"
.a, 111.u.1
•D tl5" IO*lllll'".,_4.01ll.o0.J,.11,__,.
·-
la"IOl1'::01'L,.,..L.J.~-I.J.o..z31~11......n• .___. .
f\ 111.u,•
a ......,.
•• CGA >1:U9'Cl111c- L7,._.._ V.1..1.!IU..a.oA_.__,. .
·-
J
.ll au.1u c:afl-:l)-rn,_L.._0--.,_._._u.o.JUJIKUP>A!>_...
'1 111.u.u
• C & l • Z l - n k - L l . ~ L & J l l l ~ . . 0 . J , ._ _.,.
1 :·--
as.o»--.-u.•ll.47>1Al;o
~ - -..ll'J
a -~
a lU....:111:1 •• CZ5ol-l0--H • J.-ll.lllJ.J,.1,....,.
a5ofl•iti:oe--l..t.>lll<P.J,.1..•_..
•
·--·- = 0 ! 5 , l l · I O ~ --"-:;lo.~.J,~_,.
11. io.u.n,,
•
C1SA . _ . . _ _. . IU-6.47.J,.L . ._..
1· - CIS,Ollil!IIOUl<-lll-. .c(11.l.M . .
~==-.~;,g=:19·1111•--1.U-160.Al7_1,.Ld6_..
---
----n.·-. .-..,. . . . . . . __... .
:::--" ~
_,__ QfMI.I_IIIN_...., ..
♦ --
& -.
~
·--
QeMI_,
-
Gff_ csi - -
.......
.... ,,,,.,bbm,,.,.,., __ _
~
IOM.....,MNI........ _ _ __ .
.'
Figure 13.51: Screenshot of GFI LanGuard pat ch managem ent softw are
Module Summary
► Web server attack methodology in detail, including information gathering, web server
footprinting, website mirroring, vulnerability scanning, session hijacking, and web
server passwords hacking
~
► Various web server hacking tools
□ In the next module, we will discuss in detail how attackers, as well as ethical hackers and
pen-testers, hack web applications
Module Summary
In this module, we discussed in detail the general concepts related to web servers; various web
server threats and attacks; the web server attack methodology, including information
gathering, web server footprinting, website mirroring, vulnerability scanning, session hijacking,
and web server passwords hacking; and various web server hacking tools. Additionally, we
discussed various countermeasures that can be employed to prevent web server hacking
attempts by threat actors. We also discussed how to secure web servers using various security
tools. We concluded the module with a detailed discussion on patch management concepts.
In the next module, we will discuss in detail how attackers, including ethical hackers and pen
testers, hack web applications.