Chapter 13-61-90

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Hacking Web Servers
Vulnerability Scanning C EH
j Implement vulnerability scan to identify acunetix
weaknesses in a network and determine if the
system can be exploited
si Use vulnerability scanners such as Acunetix Web

Vulnerability Scanner, and Fortify Weblnspect to
find hosts, services, and vulnerabilities • SntfU}
J Sniff the network traffic to find any active

systems, network services, applications, and
vulnerabilities present
0
Q »
-
A9 JM T MfH
— .
IM'WIMI U« > nl Imei i urtwl
«li|l"ltled vcrtftMC
(
«1 Test the web server infrastructure for any -
misconfiguratlons, outdated content, and

vulnerabilities using vulnerability scanners like
Acunetix Web Vulnerability Scanner
aaineut .com
m Copyright C by fC-CMRLlI Ml Reserved Reproductionis SMcfly ProhrfMed
Vulnerability Scanning
Vulnerability scanning is performed to identify vulnerabilities and misconfigurations in a target
web server or network. Vulnerability scanning reveals possible weaknesses in a target server to
exploit in a web server attack. In the vulnerability -scanning phase, attackers use sniffing
techniques to obtain data on the network traffic to determine active systems, network services,
and applications. Automated tools such as Acunetix Web Vulnerability Scanner are used to
perform vulnerability scanning on a target server and find hosts, services, and vulnerabilities.
Acunetix Web Vulnerability Scanner
Source: https:/ / www.acunetix.com
Acunetix Web Vulnerability Scanner ( WVS ) scans websites and detects vulnerabilities.
Acunetix WVS checks web applications for SQL injections, XSS, and so on. It includes
advanced pen testing tools to ease manual security audit processes and creates
professional security audit and regulatory compliance reports based on AcuSensor
Technology. It supports the testing of web forms and password -protected areas, pages
with CAPTCHA, single sign -on, and two-factor authentication mechanisms. It detects
application languages, web server types, and smartphone - optimized sites. Acunetix
crawls and analyzes different types of websites, including HTML5, Simple Object Access
Protocol (SOAP), and Asynchronous JavaScript and Extensible Markup Language ( AJAX ).
It supports the scanning of network services running on the server and the port
scanning of the web server.
Module 13 Page 1653 Ethical Hacking and Countermeasures Copyright © by EC-CoiMCil

All Rights Reserved. Reproduction Is Strictly Prohibited.
Hacking Web Servers
acunetix Administrator * Q
< Back Stop Scar Generate Report WAf Export

-. - Group By:None • T Fitter
Status: Open X
A Dashboard
0 Targets Scan Stats & info Vulnerabilities Site Structure BM
A Vulnerabilities Sr ... Vulnerability uvu =
0 Blind SQL Injection . .

httpV/ www moviescope com/
I Scans
* O Blind SQL Injection httpV/ www.moviescope.com/
*
ti Reports O Microsoft IIS tilde directory enumeration http.//www.

* moviescope .com/
0 Unencrypted VIEWSTATE parameter http:/ / www.mavic3COpe.com/
O Settings
0 Unencrypted http /www.rnoviescope.com/
VIEWSTATE parameter
^
0 Vulnerable Javascript library (verified) http:/ /www.moviescope.com/
© .
ASP NET debugging enabled (verified ) http.//www.
* rnoviescope .com/
© ASP.NET version disclosure http;// www.moviescope.com/
© -
Clickjacking: X -Frame Options header missing .
http /www maviescope.com/
^
© Login page password guessing attack http:// www. .com/
moviescope
© Unencrypted connection (verified] http /www. .com/

^ moviescope
© Content Security Policy (CSP) not implemented http /www. .com/

^ moviescope
© Microsoft IIS version disclosure http /www.moviescope.com/

^
© -
Password type input with auto complete enabled . .
httpV/ www moviescope com/
_
Figure 13.33: Screenshot of Acunetix Web Vulnerability Scanner
The following are some additional vulnerability scanning tools:

Fortify Weblnspect ( https:/ / www. microfocus.com )
• Tenable.io ( https:// www.tenable.com )
ImmuniWeb ( https:/ / www.immuniweb.com )
Netsparker ( https:// www . netsparker.com )
Module 13 Page 1654 Ethical Hacking and Countermeasures Copyright © by EC-CoUIICil

Ethical Hacking and Countermeasures -
Exam 312 50 Certified Ethical Hacker
Hacking Web Servers
Finding Exploitable Vulnerabilities C EH

J Search for web server exploitable
vulnerabilities based on the web
server OS and software application ^
.
im n w o e
on exploit sites such as

SecurityFocus «
•* **••• nJaaritaM I
(https://www.sen/ rrfy/ocus.com ),
Exploit Database
( https:/ / www.exploit -db.com ), etc.
J Search for vulnerability based on

information gathered in the
previous stages using the Exploit
Database
J Exploiting these vulnerabilities

allows for the execution of a
command or binary on a target
machine to gain higher privileges
than the existing ones or bypass
security mechanisms
• -- -
httpsj/ www enpJotf db.a
mm -
Copyright Q by tfi CMMS All R
^ts Reserved Reproduction IS SmcOyPrnhrfMwJ
Finding Exploitable Vulnerabilities

Flaws and programming errors in software design lead to security vulnerabilities. Attackers take
advantage of these vulnerabilities to perform various attacks on the confidentiality, availability,
or integrity of a system. Software vulnerabilities such as programming flaws in a program ,
service, or within the OS software or kernel can be exploited to execute malicious code.
Many public vulnerability repositories that are available online allow access to information
about various software vulnerabilities. Attackers search on exploit sites such as SecurityFocus
( https:// www.securityfocus.com ) and Exploit Database ( https:// www .exploit -db.com ) for
exploitable vulnerabilities of a web server based on its OS and software applications. Attackers
use the information gathered in the previous stages to find the relevant vulnerabilities by using
Exploit Database.
Exploiting these vulnerabilities allows attackers to execute a command or binary on a target
machine to gain higher privileges than existing ones or to bypass security mechanisms.
Attackers using these exploits can even access privileged user accounts and credentials.
Module 13 Page 16S5 Ethical Hacking and Countermeasures Copyright ) by IC CoilltCil -

All Rights Reserved. Reproduction is Strictly Prohibited.
Hacking Web Servers
EXPLOIT hi, 0 8. (jgrgmraT)

DATABASE
il
mmm MatAMi
web server wulnefsblllll
_: 3 e : - :
te ; Z2
:5
2017 0913 Make WaO Server 2.3 • kAitipt ViAnarxMbes Itamola hypartrni
*
nuKi 0o«on WittFHnm 2 <1 - Multiple Viirwablttiea Oo5 Window au ewne Kaddouch
* *
M WetAlMS Ft anwwjrt !ilerver 5 2/53 8P1 Multiple ViinetatblllMa WrbApot JSf* PMD Rtbetru
. ‘ '
. x ACM Web Senw Cameras Multiple Vuhnrabilrties AXbApps
* OoAhaemvk) Sarver 2 5 gofcxmrttxmTssf Multiple Cn» -sne Scnptmg VMnp adobes Wndowa Ftaohus Angaiti
*
201MO 1a - OoAhead Web Serve 2.10 - eddueei asp lAJhple Ctoe -&»e Scrtptmo WjheraWfcw
* * Silent Dreero
2010040B Dny Jmt Wab Scrvar 1 71 Multiple Inpul Variation VurcrabtltMs cp771k4r
-
l., I V
* f rT
* -
»dtN« GoeheedWeb6ervw 31 3-0 Mtf0pie VUnarebOOee DoS UTMI MahiymfMn Mory
*
Easy File Shoring Web Server 1.1/;4 5 Directory Traversal i Multiple aifcrmabon Oockraurv
KM iro *
.
DoG Luigi Aunernrra
200 ' C ) 03 SAP 06 7 a Wtb Server WAHtTPw Multtpte aurtei Owfa Vufrwafafetws Mart Utchfwld
nra ra PY Software Acllte Webcam 4 3 / 3 « WaCAfrvw MJBpie Aimraoittes Sswftal
2004 11- 10-

-i '. .
* -
04v»*o«<v r i 42 - MUtipi V\ir fatwv>«
* *
-
Niwel Netware Enterprise Web Server 5 1/00 ' Multiple Croea SileScnptngVuinefabfttin
Ten Chew Keong
Ratal Ivgi The eipdat
»12 10-17 x Oracle webCanrar Sites (FatWUe Canter Barren Multiple VUneratolities SEC Conn
* *
Keno MetfServw 5 OHS i Wnb Mail Multiply Croe^Sde denying vtAnerebimee WebAppe C01 Abraham Lincoln
Showingi to 15 of 22 enbiee Altered horn 42,109 total entiles! FlftST FfiEVlUt.
^ 2 NEXT LAST
Figure 13.34: Screenshot of Google Hacking Database (GHDB)
Module 13 Page 1656 Ethical Hacking and Countermeasures Copyright © by EC-COlincil

Hacking Web Servers
Session Hijacking C EH
K Burp Sort
* <emmun#>
- [cH-.on v2.14? - Temporary Project X
J Sniff valid session IDs to gain m Wdiw nap
unauthorized access to the web 3 x -

server to snoop data
Dashboard Tarjd
J
J |HTTP hater J weeSocket» Bang | Qfos [
«1 Use session hijacking techniques # 0 PwwesttB nni4 aM saj [U.24*255 HI (
such as session fixation, session r ras d

' | | Drop
( irftrret « o
* "
sidejacking, Cross-site scripting, etc.,
to capture valid session cookies
i
_
-
I » «»» i »" i
i: •nitl'lttanltbr
and IDs x r t;«J 1 . *• e c : BITS 1.1
sat o;:ix»
CMfUgatt: BaiSlU S : .
Rir dav
* KT 1C .. . *- II .
KCWS -4 Jeeka rciCOJOl riltlia (1 :
A««apv
nl Use tools such as Burp Suite, - *(*
ik «att U>rr M 5
l - ,»» jpC 6
lic«pt - tc:»4i* it p., riafiata
JHijack, Ettercap, etc. to automate CtsaactiK
|
dais
flaiarax rw mii cn
session hijacking etiga
:
* K =-
* qa - Rati2 B * la - r&XSkCritcclkXuarbaxUAjrtC:•
Ca:ba Caaaral au -»*C
ij
Note: For complete coverage of Session Hijacking concepts

and techniques refer to Module 11: Session Hijacking , r»
© « || * 1 I » I * aaarrf> »mt tap
httpxS/ pansw / gger.net
Copyright C tiy fi I Ml Rights Reserved Reproduction is Strictly ProhRaud
Session Hijacking
Valid session IDs can be sniffed to gain unauthorized access to a web server and snoop its data.
An attacker can hijack or steal valid session content using various techniques such as session
token prediction, session replay, session fixation, sidejacking, and XSS. By using these
techniques, the attacker attempts to capture valid session cookies and IDs in established
sessions. The attacker uses tools such as Burp Suite, Firesheep, and JHijack to automate session
hijacking.
Burp Suite
Source: https:/ / portswigger.net
Burp Suite is a web security testing tool that can hijack session IDs in established
sessions. The Sequencer tool in Burp Suite tests the randomness of session tokens. With
this tool, an attacker can predict the next possible session ID token and use that to take
over a valid session.
Module 13 Page 1657 Ethical Hacking and Countermeasures Copyright © by EC-CoilltCil

Hacking Web Servers
1' Burp Suite Community Edition v2.1.02 - Temporary Project X

Burp Project Intruder Repeater Wndow Help
Repeater Sequencer Decoder Comparer Extender Project optione Uteroptions

Dashboard T Target Intruder
o I HTTP hstory [ WebSoctets httlory | 0pinna

P Request to https://app bik :443 [1324925S 52J
.
F orwerd Drop Intercept is on | Action

\* (D
Raw ] Params Headers I Hex j
GET
/
_ _
r "sdksvcbl. 5 C t=65:32S9 SCllC 4 BI44 ibranch key =/
.
_ _ _
.ey li**e idwOtrfbroocfqrXEks4 w «pjrrk“ 3?Xicallba
. callback C HTTP/1.1
ck«brar ch
Host: app.iink
-
Ussr Agent : Mosilla / 5. C (Windows NT 10.0; X0W64. r : £ I Gecko / 2D1C 0101 irefox 63.0
Accept :
- -
-
Accept Language «n D5 an ; q*£ .5
-
Accept Encoding - grip, deflate
- .
Connection close
Referer https
_ www . snule . css
Cookie : »sxKqS rT 4Q:c s"sr = : Y2kifSSO;nXRniksKscSj
.iaS5SchliyD X5.ayyDO:nkJc 5 rBtG:
- -- -^
If None Match: V •’Sa ECKOkCJlSrclkXuaZbqrASAxtE:"
Cacbe Control: aax age» C -
»
© [ < |[ (
|
» j 1
Type a search term 0 matches
Figure 13.35: Screenshot of Burp Suite
The following are some additional session hijacking tools:

JHijack ( https:// sourceforge.net )
Ettercap ( https : / / ettercap.github.io )
CookieCatcher ( https:/ / github.com )
Cookie Cadger ( https:/ / github.com )
Note: For complete coverage of concepts and techniques related to session hijacking, refer to
Module 11: Session Hijacking.

Hacking Web Servers
Web Server Password Hacking m

j Use password cracking techniques such as brute
force attack, dictionary attack, and password
guessing to crack web server passwords slifffttiHn
j Use tools such as Hashcat, THC Hydra, and Ncrack
!§§•
asESS: :ssa S:»8! U
'
https //hashcat net
-
Copyright C by K GMd Ml Rgnts Reserved Reproductionis StncnyPrnhrfMwJ
Web Server Password Hacking

In this phase of web server hacking, an attacker attempts to crack web server passwords. The
attacker may employ all possible techniques of password cracking to extract passwords,
including password guessing, dictionary attacks, brute-force attacks, hybrid attacks,
precomputed hashes, rule-based attacks, distributed network attacks, and rainbow attacks. The
attacker needs patience to crack passwords because some of these techniques are tedious and
time-consuming. The attacker can also use automated tools such as Hashcat, THC Hydra, and
Ncrack to crack web passwords and hashes.
Hashcat
Source: https:/ / hashcat.net
Hashcat is a cracker compatible with multiple OSs and platforms and can perform multi ¬
hash ( MD4, 5; SHA - 224, 256, 384, 512; RIPEMD- 160; etc.), multi-device password
cracking. The attack modes of this tool are straight, combination, brute force, hybrid diet
+ mask, and hybrid mask + diet.
Module 13 Page 16S9 Ethical Hacking and Countermeasures Copyright ) by IC-CoilltCil

Hacking Web Servers
.
hashcat (vS 0.0) starting .. .
OpenCL Platform #1: NVIDIA Corporation
* Device 1: GeForce GTX 1080
*
* Device #2 : GeForce GTX 1080,
. 2028 / 8112
2029 / 8119
.
MB allocatable 20MCU
MB allocatable , 20MCU
* Device 3 : GeForce GTX 1080, 2029 / 8119 MB allocatable , 20MCU
*
* Device #4 : GeForce GTX 1080, 2029 / 8119 .
MB allocatable 20MCU
Hashes: 1 digests: 1 unique digests 1 unique salts.
Bitmaps : 16 Bits , 65536 entries, OxOOOOffff mask , 262144 bytes, 5 / 13 rotates
Applicable optimizers:
* Optimi zed - kernel
* Zero -Byte
* Single -- Hash
* Single Salt
* Brute -Force
Minimum password length supported by kernel : 0
Maximum password length supported by kernel : 55
watchdog: Temperature abort trigger set to 90c
Session,, ... hashcat (Brain Session / Attack: 0 xc054 fc8 f /0x6e 7dc2 f 0)
Running
Status
..
Hash Type
Hash Target
.... phpass , WordPress (MD 5 ) , phpBB 3 (MD5 ), Joomla (MD 5 )
$ H $ 3 s 5 boZ 2wsUlgl 2 tI6b 5PrRoADzYfXDl
Time. Started Sun Oct 28 17: 02:05 2018 (11 secs )
Time.Estimated Fri Nov 21 04 : 22: 41 9862 ( 7844 years, 23 days )
Guess.Mask
Guess.Queue
. ? a? a? a? a?a? a? a? a [ 8 ]
1/1 (100.005«)
Speed. #1 .
Speed. #2 ...
. . 6684 H / s (94.69ms ) 0 Accel :256 Loops :1024 Thr: 256
6653 H / s (95.15 ms ) 0 Accel : 256 Loops :1024 Thr : 256
Vec:l
vec :l
Speed. # 3 ... 6746 H / s (93.82ms ) 0 Accel : 256 Loops :1024 Thr : 256 vec :l
Speed. #4 . . . 6720 H / s (94.20ms ) 0 Accel : 256 Loops :1024 Thr: 256 Vec :l
Speed. #* . . . 26809 H / s
Recovered.. 0 /1 (0.00%) Digests , 0 /1 (0.00%) Salts
Progress... 0 / 6634204312890625 (0.00%)
Rejected 0 /0 (0.00%)
Brain.Link . #1 RX: 1.3 MB (0.00 Mbps ), TX: 10.5 MB (0.00 Mbps ) , idle
Brain. Link . # 2
Brain.Link . # 3
.
RX: 1.3 MB (0.00 Mbps ) TX: 10.5 MB (0.00 Mbps ) , idle
RX: 1.3 MB (0.00 Mbps ) , TX: 10.5 MB (0.00 Mbps ) , idle
Brain.Link . #4
Restore.Point
.
RX: 1.3 MB (0.00 Mbps ) TX: 10.5 MB (0.00 Mbps ) , idle
0 /6634204312890625 (0.00%)
Restore .Sub #1
,
Restore .Sub. #2
Salt:0 Amplifier : 0 -1 Iteration:102400 103424
Salt:0 Amplifier :0 -1 Iteration:103424 -104448
-
Restore .Sub . # 3 Salt:0 Amplifier :0 -1 Iteration:105472 -106496
Restore .Sub. #4 Salt :0 Amplifier :0 -1 Iteration:106496 -107520
Candidates.#1. sarierin - > b2*12312
Candidates . #2. -
ahLIERIN > iURRIESS
Candidates.#!. hNherane -> iQTRIESS
Candidates . #4 . d&serane - > 2 J712312
Hardware .Mon . #1 Temp: 56c Fan : 32% Uti 1:100% Core :1822MHz Mem: 4513MHz Bus :l
Hardware .Mon. #2 Temp: 58 c Fan : 34 % Util : 100% Core :1809MHz Mem : 4513MHz Bus :1
Hardware .Mon . # 3 Temp: 54 c Fan : 31% Util :100% Core :1847MHz Mem : 4513MHz Bus :l
Hardware .Mon . #4 Temp: 59c Fan: 35% Util :100% Core :1835MHz Mem : 4513MHz Bus :l
[sjtatus [pjause [bjypass [cjheckpoint [qjuit =>
Figure 13.36: Screenshot of Hashcat password cracker
THC Hydra
Source: https:/ / github.com
THC Hydra is a parallelized login cracker that can attack numerous protocols. This tool is
a proof - of- concept code that provides researchers and security consultants the
possibility to demonstrate how easy it would be to gain unauthorized remote access to
a system.
Currently, this tool supports the following protocols: Asterisk; Apple Filing Protocol
( AFP ); Cisco Authentication, Authorization, and Accounting ( AAA ); Cisco auth; Cisco
enable; Concurrent Versions System ( CVS ); Firebird; FTP; HTTP- FORM- GET; HTTP- FORM -
POST; HTTP- GET; HTTP- HEAD; HTTP- POST; HTTP- PROXY; HTTPS- FORM- GET; HTTPS-
FORM- POST; HTTPS-GET; HTTPS- HEAD; HTTPS- POST; HTTP- Proxy; ICQ; Internet Message

Hacking Web Servers
Access Protocol ( IMAP ); Internet Relay Chat ( IRC); Lightweight Directory Access Protocol
( LDAP ); Memcached; MongoDB; Microsoft SQL Server; MySQL; Network Control
Protocol ( NCP ); Network News Transfer Protocol ( NNTP ); Oracle Listener; Oracle system
identifier ( SID ); Oracle; PC- Anywhere; personal computer Network File System ( PC- NFS );
POP3; Postgres; Radmin; Remote Desktop Protocol ( RDP ); Rexec; Rlogin; Rsh; Real Time
Streaming Protocol ( RTSP ); SAP R / 3; Session Initiation Protocol ( SIP ); Server Message
Block ( SMB ); Simple Mail Transfer Protocol ( SMTP ); SMTP Enum; Simple Network
Management Protocol ( SNMP ) vl+v 2+v3; SOCKS 5; SSH ( vl and v 2 ); SSH key; Subversion;
TeamSpeak ( TS 2 ); Telnet; VMware- Auth; Virtual Network Computing ( VNC); and
Extensible Messaging and Presence Protocol ( XMPP ).
•••
File Edit View Search Terminal Help
Parrot Terminal
root @parrot
#hydra - L / root / Wordlists / Usernames . txt - P / root / Wordlists / Passwords txt .
ftp : / / 10.10 . 10.10
Hydra v 8.8 ( c ) 2019 by van Hauser / THC -
Please do not use in military or seer
et service organizations , or for illegal purposes .
Hydra ( https : / / github . com / vanhauser - thc / thc hydra ) starting at 2020 - 01 - 09 01:
-
50 : 38
[ DATA ] max 16 tasks per 1 server , overall 16 tasks , 41174 login tries ( 1: 238 /
-
p : 173 ) , 2574 tries per task
fDATA 1 attacking f t p: / / 19.10 16.10 : 21/.
[ 21 ] [ ftp ] host : 10.10 . 10.10 login : Martin password : apple
( STATUS ] 4727.86 tries / min, 4727 tries in 60 : 01(1, 36447 to do in 00 : 08 h , 16 a
ctive
[ STATUS ] 4702.00 tries / min , 14106 tries in 00 : 03 h , 27068 to do in 00 : 06h , 16
active
[ 21 ] [ ftp ] host : 10.10 . 10.10 login : Jason password : qwerty
[ 21 ] [ ftp ] host : 10.10 . 10.10 login: Shiela password : test
[ STATUS ] 4708.57 tries / min , 32960 tries in 00 : 07 h , 8214 to do in 00 : 02 h , 16 a
ctive
[ STATUS ] 4706.25 tries / min , 37650 tries in O 0 : 08h , 3524 to do in 00 : 01h , 16 a
ctive
1 of 1 target successfully completed , 3 valid passwords found
[ WARNING ] Writing restore f i l e because 8 final worker threads did not complet
e until end .
[ ERROR ] 8 targets did not resolve or could not be connected
[ ERROR ] 16 targets did not complete
Hydra ( https : / / github . com/ vanhauser - thc / thc - hydra ) finished at 2020 - 01 - 09 01:
59 : 23
Figure 13.37: Screenshot of THC Hydra password cracker
The following are some additional password cracking tools:

Ncrack ( https:// nmap.org )
Rainbow crack ( http:// project - rainbowcrack .com )
Wfuzz ( http:// www . edge -security . com )
Wireshark ( https:/ / www . wireshark .org )
Module 13 Page 1661 Ethical Hacking and Countermeasures Copyright © by EC-Councll

Hacking Web Servers
Using Application Server as a Proxy C EH

«J Web servers with forwarding and reverse HTTP proxy functions enabled, are employed by attackers to perform the
following actions:
• Attacking third party systems on the Internet
• Connecting to arbitrary hosts on the organization's internal network
e Connecting back to other services running on the proxy host itself
tl Attackers use GET and CONNECT requests to use vulnerable web servers as proxies to connect and obtain information
from target systems through these proxy web servers
A: Attacker
GET/ CONNECT Requests
Requested Information
Proxy Web Server
GET/ CONNECT Requests
Requested Information
m Target Systems
Copyright By tl I Ml Rights Reserved Reproductionis Strictly ProhRaud
Using Application Server as a Proxy

Web servers are occasionally configured to perform functions such as forwarding or reverse
HTTP proxy . Web servers with these functions enabled are employed by attackers to perform
the following attacks:
Attacking third- party systems on the Internet
Connecting to arbitrary hosts on the organization' s internal network
Connecting back to other services running on the proxy host itself
Attackers use GET and CONNECT requests to use vulnerable web servers as proxies to connect
to and obtain information from target systems through these web servers.
A - GET/ CONNECT Requests GET/ CONNECT Requests
(T>
Attacker
4 Requested information
Proxy Web Server
Requested Information fflB
Target Systems
Figure 13.38: Illustration of the use of an application server as a proxy
Module 13 Page 1662 Ethical Hacking and Countermeasures Copyright © by EC-CDUItCll

Hacking Web Servers
Module Flow C EH
O e 0 ©
Web Server Web Server Web Server Web Server
Concepts Attacks Attack Attack
Methodology Tools
0 0 0
Counter¬ Patch Web Server
measures Management Security
Tools
Copyright C by fi I Ml Rights Reserved Reproductionis Snicfiy Prohdaud
Web Server Attack Tools

In the preceding section, we discussed the methodology used by attackers to hack a web
server. This section will introduce web server hacking tools that attackers may use in the
methodology described in the preceding section. These tools extract critical information during
the hacking process.

Hacking Web Servers
Metasploit C EH
J The Metasploit Framework is an exploit development platform that supports fully automated exploitation of
web servers, by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNM
Metasploit Libraries
I r|
Architecture
L
1
Rex
-
Framework Core
>J I- — #
•— •*— •— •-
Custom plugins - Protocol Tools
Framework -Base <
Interfaces J f
Security Tools
A
Modules
mfsconsolc
MM SHI AM exploits
msatfl Payloads
lrlL‘£ ra!!on
rmfweb Encoders
msfwx NOPS
msfapi Auxiliary
hrrpi //ww» mrraspicwt cam
Cop Tipit By tl I Ml R>gnts Reserved Reproduction is Smccy ProhRmd

^
Metasploit
Source: https:// www . metasploit . com
The Metasploit Framework is a penetration-testing toolkit, exploit development platform, and
research tool that includes hundreds of working remote exploits for various platforms. It
performs fully automated exploitation of web servers by abusing known vulnerabilities and
leveraging weak passwords via Telnet, SSH, HTTP, and SNM .
Module 13 Page 1664 Ethical Hacking and Countermeasures Copyright © by EC-CDUItCil

Hacking Web Servers
_ , . 9 Project Scant V Account «» Administration V ?

GJ metasploit
community
Overview Analysis Sessions Campaigns Wrti App
* Module
* Togs Reports Tasks
Moinr .
Scnr l Hosts
•* Go to wo» (T) UP $ Scan £§ impcvt Q ircp •

" Q Modules Bruteforce © eixon O New Host <
*-
|Hosts Notes i< Services O Vulnerabilities US --aptured Data
'
Show 100 * | «lltl«
U
Q
IP Address
192.1** •
192 160 168 100
192106 1M 102
Hostname
— A
Operating System
* K
BOi unknown
OH Unknown
»
-. i « »«
VM Purpose
server
device
device
Svcs
19
1
1
Vlns Act Holes
4
Updated
9 minutes ago
B minutes ago
8 minutes ago
*
Status
K2
335
SB
»
,
& Mictosoft Windows (7

Q 192168 168 11 tmil Professional '601 Service client 16 4 0 minutes ago 4EZJZ!3)
Pack) bi
O 192 168 168 119 OH Unknown device 1 8 minutes ago
Microsoft Windows ( 7
Q 192 168 168 111 OSAAV . /C Professional 7601 Service diem 10 4 9 minutes ago iff Si. jif inert IP
Pack) b1
Microsoft Widows (7
a 192168 166 113 ADMIN PC Professional 7601 Service diem 9 4 9 minutes ago iH Si .
KHVlJ tM
Pack)bl
a | 192108108 115 WWKJWIPMICOK t Microsoftwindows (lOOtJl device 0 3 9 minutes ago
Microsoft Windows (7
a 192 168 168 120 Ml Professional 7601 Service client 9 4 9 minutes ago mi SidHIKll |
fg
PadObi
& Microsoft Windows (7
192108 168 13 Professional 7601 Service diem It 4 9 minutes ago
Pack) bl
$ Miciouifi Windows (7
Q 192168 168.133 ADMINPC Professional 7601 Service dknt 9 4 9 minutes ago HH Si.iWHdMl tm
Pack) bl
o 192168 168 14 ecci 4 > Microsoft Windows ( XP) SP2« clem 8 2 7 minutes ago KS3B
IlirrisfA .
** w isdnwv IT »
Figure 13.39: Screenshot of Metasploit
An attacker may use the following features of Metasploit to perform a web server attack :
Closed-loop vulnerability validation

Phishing simulations
Social engineering
Manual brute forcing
Manual exploitation
Evade-leading defensive solutions
Metasploit enables pen testers to perform the following:
Quickly complete pen -test assignments by automating repetitive tasks and leveraging
multi-level attacks
Assess the security of web applications, network and endpoint systems, as well as email
users
Tunnel any traffic through compromised targets to pivot deep into a network
Customize the content and template of executive, audit, and technical reports

Hacking Web Servers
Metasploit Architecture
The Metasploit Framework is an open- source exploitation framework that provides security
researchers and pen testers with a uniform model for the rapid development of exploits,
payloads, encoders, no operation (NOP) generators, and reconnaissance tools. The framework
reuses large chunks of code that a user would otherwise have to copy or re -implement on a
per -exploit basis. The framework is modular in architecture and encourages the reuse of code
across various projects. The framework can be broken down into a few different pieces, the
lowest level of which is the framework core. The framework core is responsible for
implementing all the required interfaces that allow interaction with exploit modules, sessions,
and plugins. It supports vulnerability research, exploit development, and the creation of custom
security tools.
Ubraries
L Rex
Framework- Core
>
Custom plugins Protocol Tools
’
,
£ ( Framework-Base )<
Interfaces
*
Security Tools Modules
A
mfsconsole Web Services Exploits
msfdi A Payloads
Integration
msfweb Encoders
msfwx NOPS
msfapi
Figure 13.40: Metasploit architecture

Auxiliary
J

Hacking Web Servers
Metasploit Exploit Module C EH

Steps to exploit a system using the
al Exploit Module, which is the basic module in Metasploit Framework
Metasploit used to encapsulate an exploit,
with the help of which users can target many
platforms with a single exploit D Configure an Active Exploit
j This module comes with simplified meta ¬

information fields 0 Verify the Exploit Options
j With the use of a Mixins feature, users can

also modify exploit behavior dynamically ,
perform brute force attacks, and attempt 0 Select a Target
passive exploits
\m
Select a Payload
0 Launch the Exploit
Copyright C by fC-Cmdl Ml Rgms Reserved Reproduction is StncBy ProhRmd
Metasploit Payload and Auxiliary Modules C EH

••• iVrul Tnexiw
Payload Module
Payload module establishes a communication channel
between the Metasploit framework and the victim host
F4a E*! View lean* Toiwwt* Ha Ip
* *
|
.- -
Ufa | y l
|
•aap ia
'
I « He I I
*n* • *1* Ivon tin* I
i * r «t«* payload
oanatate
.
—
. .
OJA • ns* window* ' » n* M rMtrM tip
••ult * Mill • •
Oataatara action* any b* mp liad attar wnul
ay than LMKTEUVP l
^
*1
aprions
«1 It combines the arbitrary code that is executed because

of the success of an exploit .
-•» --
if ftru ani.otUnij
tore* am odinu
A *uyT Oawiaiatadi alia* fai the u uatlan
P !» . -
fatal rt*» l’ » ii paylaad Mia auta piadui * *p|i * uvri»ta no* * lan taa« T »
ul To generate payloads, first select a payload using the
command as shown in the screenshot
•$
-b
-a --
•ipl *
«
apt
raa M* **IUUM mm t » u »a
Tia **< rod»' tn UN
upt »
# •apt '* Output farwrtl ba » t i ha » p dw award .
* r u *y « vbappl »
yaiit *tmy ilvijr , Mi *dow* k|
Tha l »* at rharaefar * « n aval aaanpta
.
> *aa \ * tf
*
.
|nva , j a* )
* .
* la mia parl
n «|
i »i
. .
• ..
liJ
aii 2. ill nlf , cL
dlI ,, Clt
.
pcverxhr II ptl py pyihitn , raw ,
.
*1*» io«.*aop
*o .ii l a i nan c ,a
* *
. . '* * h
.
» e *xe «ali% **« s
* *
.
sa#’ vlc
vice - --.
ira . inn vb < Mpt . » i P . a * pv , a « p > **
*
. -
t*r ua»M , hta p « h jar |* p leap *ti
» ***
. .
, pth , p «» rmd pth net pi* ratlectian , *» *» air vha pi
- ..
*
-
•
.
. "
Auxiliary Module 1
k -- apt Tha nualin at t [MI to artcoda tha aaylaa4
rinrui tha taaplata bahavlar an injact tha paytaad a* a
* naw Sill
J Auxiliary modules can be used to perform arbitrary,
one-off actions such as port scanning, denial of service, •••
Fite EcM View S«anti Tfmhnal M*tp
rot ttrimnitl
and even fuzzing iI5 ^ ute do1/ window* / imb / ittdft «J5 aollalot
.
ill ualllsryldoi . M . i Ki i / Mb / wiOt » mailt U * l > Mt RHO / T 1.2 1.4
•
twit *• 1.2.3.4
• .
«1 To run an auxiliary module, either use the run
command, or exploit command *| Running nodule aqalntl 1.7 . 3.4
, j
•
ill *u » lll » ry ( iJi; » / Miiv!lMw » / iin|,. *n10*I !> nalU (it ) » ru »*
-
1 2 1.4 : 441 flUng tha kernel .
Copyright O by B I All Rsgtits Reiervrd Reproduction « Stnctty ProtUOtBd
Module 13 Page 1667 Ethical Hacking and Countermeasures Copyright © by EC CoUIICil -

All Rights Reserved . Reproduction Is Strictly Prohibited.
Hacking Web Servers
Metasploit NOPS Module C EH

j NOPS modules generate a no- operation instruction used for blocking out buffers
tJ Use generate command to generate a NOP sled of arbitrary size and display it in a specific format
OPTIONS:
-b <opt>: The list of characters to avoid : \ x00 \ xff
-h : Help banner
'
-s <opt>: The comma separated list of registers to save

- t <opt>: The output type: ruby, perl, c, or raw
mi £ nop ( opty 2 ) >
a ft
Command to generate a NOP sled of a given length

Itz-XB
Command to generate a 50 byte NOP sled -
msf > use x 86/opty2 nop ( opty 2 ) > generate - t c 50
9: 9 unsigned char buf [ ] =
msf nop( opty2 > > generate -h " \ xf 5 \ x 3d \ x05 \ xl 5 \ xf 8 \ x 67 \ xbx \ x 7d \ x 08 \ xd 6 \ x 66 \ x 9 f \ xbB \ x 2 d
Usage : generate [options] length \*b6 "
" \ x 24 \ xb« \ xbl \ x3f \ x 43 \ xld \ x 93\ xb2 \ x-37 \ x35 \ x84 \ xd5 \ xl 4 \ x 40
\ xb 4 "
\ xb3 \ x 41 \ xb 9 \ x 4 8 \ x 04 \ x 99 \ x 46 \ xa 9 \ xb0 \ xb 7 \ x2 f \ xfd \ x 96 \ x 4 a
17 1^
^
\ x98 ”
" \ x 92 \ xb 5 \ xd 4 \ x 4 f \ x 91“ ;
wkat nop ( opty 2 ) >
Copyright C By tl I Ml Rigms Reserved Reproduction is Snicfiy PrnhRaud
Metasploit Modules
Metasploit Exploit Module
It is a basic module in Metasploit used to encapsulate a single exploit, using which users
target many platforms. This module has simplified meta - information fields. Using the
Mixins feature, users can also dynamically modify exploit behavior, perform brute -force
attacks, and attempt passive exploits.
A system can be exploited with the Metasploit Framework through the following steps:
o Configure an active exploit
o Verify the exploit options
o Select a target
o Select a payload
o Launch the exploit
Metasploit Payload Module
An exploit carries a payload in its backpack when it breaks into a system and then leaves
the backpack there. The following three types of payload modules are provided by the
Metasploit Framework .
o Singles: Self -contained and completely standalone
o Stagers: Sets up a network connection between the attacker and victim
o Stages: Downloaded by stager modules

Hacking Web Servers
A Metasploit payload module can upload and download files from the system, take
screenshots, and collect password hashes. It can even take over the screen, mouse, and
keyboard to control a computer remotely. The payload Module establishes a
communication channel between the Metasploit framework and victim host. It
combines arbitrary code that is executed as the result of an exploit succeeding. To
generate payloads, a payload is first selected using the command shown in the
screenshot.
•••
ParrotTerminal
isf 5 > use windows / shell reverse tcp

isf 5 p a y l o a d l w i n d o w s / s h e l l r e v e r s e r r p ) > generate - h
Isage : generate [ options ]
ienerates a payload . Datastore options may be supplied after normal options ,
ixample : generate - f python LHOST = 127.6 . 0.1

IPTIONS :
-E Force encoding
-0 <opt > Deprecated : alias for the * - o ' option
- P <opt> Total desired payload size , auto - produce appropriate NOP sled length
- S <opt > The new section name to use when generating ( large ) Windows binaries |
b <opt > The list of characters to avoid example : ' \ x 00 \ xff '
- e <opt> The encoder to use
- f <opt > Output format : bash , c , csharp , dw , dword , hex , java , ) s be , jsle num , perl , p .
. .
. powershell , psl py , python , raw , rb , ruby , sh , vbapplication , vbscript , asp , aspx , aspx - exe ,
.
ixis 2 , dll , elf elf - so , exe , exe - only , exe - service , exe - small , hta - psh , jar , jsp , loop - vbs , ma
. . .
:ho , msi msi - nouac , osx - app , psh psh - cmd , psh - net , psh - reflect ion , vba vba - exe vba - psh , vb .
; , war
-h Show this message
•i <opt > The number of times to encode the payload
-k Preserve the template behavior and inject the payload as a new thread )
- n <opt > Prepend a nopsled of [ length ] size on to the p a y l o a d I
Figure 13.41: Screenshot displaying the Metasploit payload command
Metasploit Auxiliary Module

Auxiliary modules of Metasploit can be used to perform arbitrary, one -off actions such
as port scanning, DoS, and even fuzzing. It includes tools and modules that assess the
security of the target as well as auxiliary modules such as scanners, DoS modules, and
fuzzers. The show auxiliary command in Metasploit can be used to list all the
available auxiliary modules in Metasploit. All modules in Metasploit other than the ones
used to exploit are auxiliary modules. Metasploit uses auxiliary modules as an extension
for various purposes other than exploitation. Auxiliary modules are stored in the
modules/ auxiliary / directory of the framework's main directory. The run command or
the exploit command can be used to run an auxiliary module.

Hacking Web Servers
•••
Parrot Terminal
msf5 > use dos/windows/smb/ms06 035 mailslot

msf5 auxiliary(dos/windows/smb <ns06 035 mailslot) > set RHOST 1.2.3.4
,
RHOST «> 1.2.3.4

msf5 auxiliary(dos/windows/smb/ms06 035 mailslot) > run
[*] Running module against 1.2.3.4
[ •] 1.2.3.4:445 - Mangling the kernel , two bytes at a time...
Figure 13.42: Screenshot displaying auxiliary module commands of Metasploit
The basic definition of an auxiliary module is as follows:

require ' msf/core'
p "My Auxiliary Module"
class Metasploit3 < Msf::Auxiliary
end # for the class definition
Metasploit NOPS Module
NOP modules generate no-operation instructions used for blocking out buffers. The
generate command can be used to generate a NOP sled of arbitrary size and display it
in a given format.
Options:
-b <opt> : A list of characters to avoid ( '\ x00\xff )
h: Help banner
-s <opt> : A comma separated list of registers to save
-t <opt> : The output type (Ruby, Perl, C, or raw )
msf nop(opty2 )>

The following command is used to generate a NOP sled of a given length:
msf > use x 86 / opty2
msf nop ( opty2 ) > generate -h
Usage : generate [ options ] length
The following command is used to generate a 50-byte NOP sled:

msf nop ( opty2 ) > generate -t c 50
unsigned char buf [ ] —
" \ xf 5 \ x 3d \ x 05 \ xl 5 \ xf 8 \ x 67 \ xba \ x 7d \ x 08 \ xd 6 \ x 66 \ x 9f \ xb8 \ x2d \ xb6"
" \ x 24 \ xbe \ xbl \ x3f \ x 43 \ xld \ x 93 \ xb2 \ x 37 \ x 35 \ x 84 \ xd5 \ x l 4 \ x 40 \ xb4 "
" \ xb3 \ x 41 \ xb 9 \ x 48 \ x 04 \ x 99 \ x 46 \ xa 9 \ xb 0 \ xb 7 \ x2f \ x f d \ x 96 \ x 4 a \ x 98 "
" \ x 92 \ xb5 \ xd 4 \ x 4f \ x 91
msf nop ( opty2 ) >
Module 13 Page 1670 Ethical Hacking and Countermeasures Copyright ) by IC-CoilltCil

Hacking Web Servers
Web Server Attack Tools C EH

Immunity ’s CANVAS
tf Immunity’s CANVAS provides hundreds of exploits, an
automated exploitation system, and a comprehensive,
•nrrt 2S5 -SZS wraai
reliable exploit development framework, to penetration :

testers and security professionals
<diM
L ;l» t « *#r
*- H> .
idni thailn
***
,
Dfkd d
id It provides features such as client-side exploitation,
privilege escalation, advanced web attack technology,
l imuti ro
* uw
m• - 4
i
^ **
and remote kernel exploitation
a THC Hydra ( https:/ / github.com )
a HULK DoS ( https :/ / github.com )
—
ItWM Cwwi!! Lay
n 11 U M Ail I
* «1 n .
—
( Ml crMtwglMl MMU iiwtw M
l» n li mt. nl I PHMM SM iniui « uimw
*
II «1 »».« ! I T«u| fenM <aMl 14
a MPack (https://sourceforge.net )
IMU
. nn
Imi n n II v u AMI
•> uU U N..ATI
III ISIMI
* I
I
imiiuw i ^
k UlM >wl (M V [
* * I .**
inn i4 n»* <A 4
t * * « MMi •'•* ** ’
a w 3af ( http: / / w 3of.org )
SMit
1
MM
•» ) . I
UIM
II II U IMI
i i < i ud mttm
ill mil M » K|
HI
U lrartl * -
«
M CWMlMW id
CopyrifM C by R-GHKI Ml Rgms Reserved Reproductions StncOy Prohrfaud

Immunity's CANVAS
Source: https:/ / www . immunityinc.com
Immunity' s CANVAS provides penetration testers and security professionals with hundreds of
exploits, an automated exploitation system, and a comprehensive, reliable exploit development
framework. It provides features such as client- side exploitation, privilege escalation, HTTP
tunneled privilege escalation, remote kernel exploitation, advanced backdoor technology, and
advanced web attack technology.
Module 13 Page 1671 Ethical Hacking and Countermeasures Copyright © by EC-COUIICil

Hacking Web Servers
Hie Listeners Session Report control Help
O X Current 1
CaUbark
»MM 1 1M Current
target(l)
moot
target Host Stop Exploit Configuration
Modules Search Node Trea exploit Description
: Idfac t . Cmdiin
*
• Raw Regex I Listener 0- »0 • (unlxshetlnode )
_
—
Name Descn id
_ ^Drowse
—
drac appw«b rce this IT
- - t «i
1 results for that query
* *% V
^
Current Status Canvas Log Debug Lag

tieia as n u usa. asal | canvaaangina ) AxtmUc itirtig SM
! 7 ia ei 71 tt S7 vs . tsai |
—
canvasangina ! Oono handling a nav LIStaaar Carnartlan
*
lieil #171 tl MST . dMI | ( amasnplolt I Punung coanand id
uau es-n ti usr . ajsi i host listener ) sanding caauwd Id ( proapt ttbdbdl
I ten ai 71 llS7 :M. ll l I hostltstenerl sanding < o nd echo S > iproapt dbdbdi
lieu ai 23 u s7 :sa . tari i * camataxploitl Coanand output for id
LTOU « 21 u u sa.aasi i
- -
tanvasaiplall ] uid diloot I gid e( roat )
Set Covertness; 1.0
Figure 13.43; Screenshot of Immunity CANVAS
The following are some additional web server attack tools:

THC Hydra (https:// github.com )
HULK DoS ( https :// github.com )
MPack ( https :// sourceforge.net )
w 3 af ( http:/ / w3af.org )
Module 13 Page 1672 Ethical Hacking and Countermeasures Copyright © by EC-CDIMCil

Hacking Web Servers
Module Flow C EH
O e e o
Web Server Web Server Web Server Web Server
Concepts Attacks Attack Attack
Methodology Tools
9 o >
Counter ¬ Patch Web Server
measures Management Security
Tools
Capyr C by (i I Ail ngi. t? Reserved ReproductionuStncflyProh aud

'f ^
Countermeasures
In previous sections, we discussed the benefits of a well-informed web server security posture,
the danger posed by web server attacks, the methodology used in web server attacks, and the
tools that assist an attacker in performing web server attacks. In this section, we discuss the
tools and techniques used in securing web servers. This section discusses various methods to
detect web server attacks, countermeasures, and defense techniques.

Hacking Web Servers
Place Web Servers in Separate Secure Server Security

Segment on Network C EH
J An ideal web hosting network should be designed with at least three segments namely, an Internet segment,
a secure server security segment often called a demilitarized zone ( DMZ), and an internal network
cd The web server should be placed in the Server Security Segment ( DMZ) of the network, isolated from the
public and internal networks
j Firewalls should be placed for the internal network and Internet traffic, directed toward the DMZ
user
SB* N= -
r «>
& Router
* »* w
Web Server
Sfe < *i3 >

Database
Server
v
Application
Server
V A FTP Server Internal
r Firewall
Internal Network
Copyright C hy fi I Ml RSgrits Reserved Reproduction is Snicfiy ProhRaud
Place Web Servers in Separate Secure Server Security Segment on Network

An ideal web hosting network should be designed with three segments: an Internet segment; a
secure server security segment, which is often called the demilitarized zone ( DMZ); and an
internal network. The first step in securing web servers is to place them separately in the DMZ,
which is isolated from the public network and from the internal web- hosting network. Placing
web servers in a separate segment adds security barriers between the web servers and the
internal network as well as between the web servers and the outside public network . This
separation allows the administrator to place firewalls and apply access control based on
security rules for the internal network as well as for Internet traffic toward the DMZ. Such a
web- hosting network can prevent attacks on the web server by outside attackers or malicious
insiders.
Network segmentation divides a network into different segments, each having its own hub or
switch . It allows network administrators to protect one segment from others by enforcing
firewalls and security rules depending on the level of security desired . In a segmented network,
an attacker who compromises one segment of the network will not be able to compromise the
security of other segments of the network. Let us example a sample web- hosting network that
is segmented by the administrator in such a manner that the web server is placed in a DMZ.
Module 13 Page 1674 Ethical Hacking and Countermeasures Copyright © by EC CoUIICil -

Hacking Web Servers
User
E3
SB*
Web Server Database
V > HB Application
Server Server
v
Router
*A* * fE?
External
> life
FTP Server Internal
v
A **
r
Firewall Firewall
Mail Server
Internet DMZ Internal Network
Figure 13.44: Illustration of three different segments in a web-hosting network

Hacking Web Servers
Countermeasures: Patches and Updates C EH

n Scan for existing vulnerabilities, patch, and update
__ Ensure that service packs, hotfixes, and security
U the server software regularly
En patch levels are consistent on all Domain
Controllers ( DCs)
__ Before applying any service pack, hotfix, or security

__ Ensure that server outages are scheduled , and
Ml patch, read and peer review all relevant M a complete set of backup tapes and emergency
documentation repair disks are available
El Apply all updates, regardless of their type on an

__
lU
-
Have a back out plan that allows the system and
enterprise to return to their original state, prior
El "as-needed" basis
to the failed implementation
__
M
Test the service packs and hotfixes on a
representative non - production environment
__ Schedule periodic service pack upgrades as part of
operations maintenance and try to never have
prior to being deployed to production more than two service packs outstanding
Copyright C by tC-CMRLN Ml Rights Reserved Reproductions Strictly ProhRaud
Countermeasures: Patches and Updates

The following are various countermeasures for secure update and patch management of web
servers.
Scan for existing vulnerabilities; patch and update the server software regularly.
Before applying any service pack, hotfix, or security patch , read and peer review all
relevant documentation .
Apply all updates, regardless of their type, on an "as- needed" basis.
Test service packs and hotfixes on a representative non - production environment prior
to deployment in production .
Ensure that service packs, hotfixes, and security patch levels are consistent on all
domain controllers ( DCs ).
Ensure that server outages are scheduled and that a complete set of backup tapes and
emergency repair disks are available.
Keep a back-out plan that allows the system and enterprise to return to their original
state, prior to a failed implementation .
Schedule periodic service - pack upgrades as part of operations maintenance and never
trail by more than two service packs.
Disable all unused script extension mappings.
Avoid using default configurations that web servers are dispatched with .
Use virtual patches in the organization because they provide additional
identification / logging capabilities.
Establish a disaster recovery plan to handle patch management failures.
Module 13 Page 1676 Ethical Hacking and Countermeasures Copyright © by EC C0UltCil -

Hacking Web Servers
Countermeasures: Protocols and Accounts C EH

Protocols Accounts
a Block all unnecessary ports, Internet Control Message

Protocol ( ICMP ) traffic, and unnecessary protocols such
-> Remove all unused modules and application extensions
J Disable unused default user accounts created during the
as NetBIOS and SMB installation of an operating system
J Harden the TCP/IP stack and consistently apply the ul When creating a new web root directory, grant
latest software patches and updates to system appropriate ( least possible) NTFS permissions to the
software anonymous user who is being used from the IIS web server
to access the web content
j When using insecure protocols such as Telnet, POP3, «1 Eliminate unnecessary database users and stored
SMTP, and FTP, take appropriate measures to provide procedures and follow the principle of least privilege for
secure authentication and communication, for example, the database application to defend against SQL query
by using IPSec policies poisoning
a) If remote access is needed, make sure that the remote al Use secure web permissions, NTFS permissions, and .NET
connection is secured properly using tunneling and Framework access control mechanisms including URL
encryption protocols authorization
up Slow down brute force and dictionary attacks with strong
J Disable WebDAV if not used by the application or password policies, and then perform audits and remain
ensure its security, if required alert for logon failures
Copyright C By tl I Ml Rights Reserved Reproductionis Strictly ProhRaud
Countermeasures: Protocols and Accounts

Countermeasures: Protocols
The following are various countermeasures for using secure protocols on web servers.
Block all unnecessary ports, Internet Control Message Protocol ( ICMP ) traffic, and
unnecessary protocols such as Network Basic Input/Output System ( NetBIOS ) and SMB.
Harden the TCP/ IP stack and consistently apply the latest software patches and updates
to system software .
If insecure protocols such as Telnet, POP3, SMTP, and FTP are used, then take
appropriate measures to provide secure authentication and communication, for
example, by using IP Security ( IPSec ) policies .
If remote access is needed, ensure that remote connections are secured properly by
using tunneling and encryption protocols.
Disable Web Distributed Authoring and Versioning ( WebDAV ) if it is not used by the
application, or keep it secure if it is required.
Use secure protocols such as Transport Layer Security ( TLS )/SSL for communicating with
the web server .
Ensure that unidentified FTP servers operate in an innocuous part of the directory tree
that is different from the web server's tree.
Countermeasures: Accounts
The following countermeasures can be adopted to secure user accounts on a web server:
Remove all unused modules and application extensions.

Hacking Web Servers
Disable unused default user accounts created during the installation of an OS.
When creating a new web root directory, grant the appropriate ( least possible) NT File
System ( NTFS) permissions to anonymous users of the IIS web server to access the web
content.
Eliminate unnecessary database users and stored procedures and follow the principle of
least privilege for the database application to defend against SQL query poisoning.
Use secure web permissions, NTFS permissions, and .NET Framework access control
mechanisms including URL authorization.
Slow down bruteforce and dictionary attacks with strong password policies, and
implement audits and alerts for login failures.
Run processes using least privileged accounts as well as least privileged service and user
accounts
Limit the administrator or root- level access to the minimum number of users and
maintain a record of the same.
Maintain logs of all user activity in an encrypted form on the web server or in a separate
machine on the intranet.
Disable all non- interactive accounts that should exist but do not require an interactive
login.
Module 13 Page 1678 Ethical Hacking and Countermeasures Copyright ) by IC-CoilltCil

Hacking Web Servers
Countermeasures: Files and Directories C EH
^ Eliminate unnecessary files within the . jar files Disable serving of directory listings
Eliminate the presence of non - web files such as

Eliminate sensitive configuration information
^ within the byte code
archive files, backup files, text files, and
header / include files
Avoid mapping virtual directories between two Disable serving certain file types by creating a
^ different servers, or over a network resource mapping
Monitor and check all network services logs, Ensure the presence of web application or
website access logs, database server logs (e.g., website files and scripts on a separate partition
Microsoft SQL Server, MySQL, Oracle ), and OS or drive other than that of the operating system,
logs frequently logs, and any other system files
CopyrigM C by fC-Cmdl Ml Rigms Reserved Reproduction is SmcOy ProhRmd
Countermeasures: Files and Directories

The following countermeasures can be adopted for securing files and directories on a web
server.
Eliminate unnecessary files within . jar files.
Eliminate sensitive configuration information within the byte code.
Avoid mapping virtual directories between two different servers or over a network.
Monitor and check all network services logs, website access logs, database server logs
( e.g., Microsoft SQL Server, MySQL, and Oracle ), and OS logs frequently.
Disable the serving of directory listings.
Eliminate non - web files such as archive files, backup files, text files, and header/ include
files.
Disable the serving of certain file types by creating a resource map.
Ensure that web applications or website files and scripts are stored in a partition or
drive separate from that of the OS, logs, and any other system files.
Run the web server within a sandbox directory for preventing access to system files.
Avoid all non - web file types from being referenced in a URL.

All Rights Reserved . Reproduction is Strictly Prohibited.
Ethical Hacking and Countermeasures -
Exam 312 50 Certified Ethical Hacker
Hacking Web Servers
Detecting Web Server Hacking Attempts C EH

j Use a Website Change Detection System to detect hacking attempts on the web server
Website Change Detection System involves:
Running specific script on the server that detects any changes made in the existing executable file or new file included
on the server
Periodically comparing the hash values of the files on the server with their respective master hash value to detect the
changes made in codebase
Alerting the user upon any change detected on the server
For example: Directory Monitor is an automated tool that goes through all your web folders and detects any changes made to
your codebase and alerts you via an email, if changes are detected
Detecting Web Server Hacking Attempts

An attacker who gains access to a web server by compromising security through known
vulnerabilities present in the web server may attempt to plant backdoors ( scripts). These
backdoors allow the attacker to gain access, launch phishing attacks, or send spam emails. The
victim remains unaware of the web server attack until the server is blacklisted on spam mails or
until the attacker redirects the visitors of a target site hosted on the web server to some other
site. Thus, a web server attack is difficult to detect unless such malicious events occur. By the
time these events occur, it may be too late to react because the attacker would have already
succeeded . Therefore, a mechanism to detect a web server hacking attempt in its early stages is
required to prevent harm to the web server.
When an attacker installs a backdoor on a web server, the size of files infected with the
backdoor automatically increases. A website change detection system ( WDS ) is a script that
runs on the server to detect changes made to any executable file or the presence of any new
file on the web server, such as HTML, JavaScript (JS), PHP, Active Server Pages ( ASP ), Perl, and
Python files. It works by periodically comparing the hash values of the files on the server with
their respective master hash values to detect any changes to the codebase. If it detects any
change on the server, it alerts the user to take necessary action . Thus, WDS helps in detecting
web server hacking attempts in the early stages of an attack. For example, Directory Monitor is
an automated tool that goes through entire web folders, detects any changes made to the
codebase, and alerts the user through an email.
Module 13 Page 1680 -

Ethical Hacking and Countermeasures Copyright © by EC Council
Hacking Web Servers
How to Defend Against Web Server Attacks C EH

D Ports Server Certificates
Regularly audit the ports on the server to ensure that _ Ensure that certificate data ranges are valid and that the
an insecure or unnecessary service is not active on certificates are used for their intended purpose
your web server
- Ensure that no certificate has been revoked and the
- forLimitHTTPS
inbound traffic to port 80 for HTTP and port
(SSL )
443 certificate's public key is valid all the way to a trusted
root authority
Encrypt or restrict intranet traffic
B Machine.config B Code Access Security
Ensure that protected resources are mapped to e Implement secure coding practices
HttpForbiddenHandler and unused HttpModules are
removed e Restrict code access security policy settings
S Ensure that tracing is disabled < trace enable ="false"/ > e Configure IIS to reject URLs with and install new
and debug compiles are turned off patches and updates
Copyright C by fC-Cmdl Ml Rgms Reserved Reproduction is SmcOy ProhRmd
How to Defend Against Web Server Attacks (Cont ’d) C EH

s Apply restricted ACLs and block remote registry administration
e Secure the SAM (Stand-alone Servers Only)
Ensure that security related settings are configured appropriately and access to the metabase file is restricted with
hardened NTFS permissions
Remove unnecessary 1SAPI filters from the web server
e Remove all unnecessary file shares including the default administration shares if not required
o Secure the shares with restricted NTFS permissions
B -
Relocate sites and virtual directories to non system partitions and use IIS Web permissions to restrict access
Remove all unnecessary IIS script mappings for optional file extensions to avoid exploiting any bugs in the ISAPI extensions
that handle these types of files
Enable a minimum level of auditing on your web server and use NTFS permissions to protect the log files
1 CopyTigtit C by 1C CiHIOCIl All Rights Rcserrrd Reproduction is Strictly PraMMwl
Module 13 Page 1681 Ethical Hacking and Countermeasures Copyright © by EC CoilllCil -

All Rights Reserved . Reproduction is Strictly Prohibited.
Hacking Web Servers
How to Defend Against Web Server Attacks (Cont ’d) C EH
D Use a dedicated machine as a web server

B Physically protect the web server machine in a secure
machine room
B Create URL mappings to internal servers cautiously

B Do not connect an IIS Server to the Internet until it is
fully hardened
B Do not install the IIS server on a domain controller

B Do not allow anyone to locally log on to the machine
except the administrator
B Use server- side session ID tracking and match

connections with timestamps, IP addresses, etc. B3 Configure a separate anonymous user account for each
application, if you host multiple web applications
If a database server, such as Microsoft SQL Server, A

B is to be used as the backend database, install it on
a separate server
Umit the serverfunctionality in order to support the
web technologies that are going to be used
B
Use security tools provided with web server software
and scanners that automate and make the process of
securing a web server straightforward
m Screen and filter the Incoming traffic request
Copyright C by fC-Cmdl Ml Rigms Reserved Reproductionis SmcOy ProhRmd
How to Defend Against Web Server Attacks

Defenses against web server attacks include the following.
Ports
Monitor all ports on the web server regularly to prevent unnecessary traffic toward the
target web server. If traffic is not monitored, the target web server will be vulnerable to
malware attacks. Do not allow public access to port 80 for HTTP or to port 443 for
HTTPS; traffic to these ports should be limited. If port 80 is kept open, the server will be
vulnerable to DoS attacks, which consume server resources. Intranet traffic should
either be encrypted or restricted to secure the web server.
Attackers attempt to hide their identity by spoofing the IP address of a legitimate user.
By processing the security log file, either using the "deny this IP address" rule in the
firewall ruleset file or by creating a "routed blackhole" command, the target system can
defend against web server attacks.
Server Certificates
Server certificates guarantee security and are signed by a trusted authority. However,
an attacker may compromise certified servers using forged certificates to intercept
secure communications by performing MITM attacks. There are various techniques to
avoid such MITM attacks. The following are some of them.
o Use the direct validation of certificates.
o Use a novel protocol that does not depend on third parties for certificate validation.
o Allow domains to directly and securely examine their certificates by using previously
established user authentication credentials.


Chapter 13-61-90

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 13-61-90

Uploaded by

Copyright:

Available Formats

Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker

Hacking Web Servers

si Use vulnerability scanners such as Acunetix Web

J Sniff the network traffic to find any active

«1 Test the web server infrastructure for any -

misconfiguratlons, outdated content, and

Module 13 Page 1653 Ethical Hacking and Countermeasures Copyright © by EC-CoiMCil

< Back Stop Scar Generate Report WAf Export

0 Targets Scan Stats & info Vulnerabilities Site Structure BM

A Vulnerabilities Sr ... Vulnerability uvu =

0 Blind SQL Injection . .

ti Reports O Microsoft IIS tilde directory enumeration http.//www.

© Unencrypted connection (verified] http /www. .com/

© Content Security Policy (CSP) not implemented http /www. .com/

© Microsoft IIS version disclosure http /www.moviescope.com/

The following are some additional vulnerability scanning tools:

Module 13 Page 1654 Ethical Hacking and Countermeasures Copyright © by EC-CoUIICil

Finding Exploitable Vulnerabilities C EH

on exploit sites such as

J Search for vulnerability based on

J Exploiting these vulnerabilities

Finding Exploitable Vulnerabilities

Module 13 Page 16S5 Ethical Hacking and Countermeasures Copyright ) by IC CoilltCil -

EXPLOIT hi, 0 8. (jgrgmraT)

web server wulnefsblllll

nra ra PY Software Acllte Webcam 4 3 / 3 « WaCAfrvw MJBpie Aimraoittes Sswftal

2004 11- 10-

Ratal Ivgi The eipdat

Showingi to 15 of 22 enbiee Altered horn 42,109 total entiles! FlftST FfiEVlUt.

Figure 13.34: Screenshot of Google Hacking Database (GHDB)

Module 13 Page 1656 Ethical Hacking and Countermeasures Copyright © by EC-COlincil

unauthorized access to the web 3 x -

such as session fixation, session r ras d

Note: For complete coverage of Session Hijacking concepts

httpxS/ pansw / gger.net

Copyright C tiy fi I Ml Rights Reserved Reproduction is Strictly ProhRaud

Module 13 Page 1657 Ethical Hacking and Countermeasures Copyright © by EC-CoilltCil

1' Burp Suite Community Edition v2.1.02 - Temporary Project X

Repeater Sequencer Decoder Comparer Extender Project optione Uteroptions

o I HTTP hstory [ WebSoctets httlory | 0pinna

F orwerd Drop Intercept is on | Action

Figure 13.35: Screenshot of Burp Suite

The following are some additional session hijacking tools:

Module 13 Page 1658 Ethical Hacking and Countermeasures Copyright © by EC-CoiMCil

Web Server Password Hacking m

https //hashcat net

Web Server Password Hacking

Module 13 Page 16S9 Ethical Hacking and Countermeasures Copyright ) by IC-CoilltCil

Figure 13.36: Screenshot of Hashcat password cracker

Module 13 Page 1660 Ethical Hacking and Countermeasures Copyright © by EC-CoiMCil

Figure 13.37: Screenshot of THC Hydra password cracker

The following are some additional password cracking tools:

Module 13 Page 1661 Ethical Hacking and Countermeasures Copyright © by EC-Councll

Using Application Server as a Proxy C EH

• Attacking third party systems on the Internet

• Connecting to arbitrary hosts on the organization's internal network

e Connecting back to other services running on the proxy host itself

Copyright By tl I Ml Rights Reserved Reproductionis Strictly ProhRaud

Using Application Server as a Proxy

A - GET/ CONNECT Requests GET/ CONNECT Requests

Figure 13.38: Illustration of the use of an application server as a proxy

Module 13 Page 1662 Ethical Hacking and Countermeasures Copyright © by EC-CDUItCll

Copyright C by fi I Ml Rights Reserved Reproductionis Snicfiy Prohdaud