CEH v8 Module 12: Hacking Webservers
Ethical Hacking and Countermeasures v8
Module 12: Hacking Webservers
Exam 312-50 Certified Ethical Hacker
Engineered by Hackers. Presented by Professionals.
Module 12 Page 1601
Ethical Hacking and Countermeasures Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Security News
GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility
Monday, September 10th, 2012
Source: http://techcrunch.com
Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack.
According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account, the company is aware of the issue and is working to resolve it.
Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service.
Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action.
A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers - specifically CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.
AnonymousOwn3r's bio reads "Security leader of #Anonymous ('Official member')." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted.
Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack."
Copyright © 2012 AOL Inc.
By Klint Finley
http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites/
Module Objectives
Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module attempts to highlight the various security concerns in the context of web servers. After finishing this module, you will be able to understand a web server and its architecture, how an attacker hacks it, the different types of attacks an attacker can carry out on web servers, the tools used in web server hacking, and so on. Web server security is a vast domain, and delving into its finer details is beyond the scope of this module. This module familiarizes you with:
• IIS Web Server Architecture
• Why Web Servers Are Compromised
• Impact of Webserver Attacks
• Webserver Attacks
• Webserver Attack Methodology
• Webserver Attack Tools
• Metasploit Architecture
• Web Password Cracking Tools
• How to Defend Against Web Server Attacks
• Countermeasures
• Patch Management
• Patch Management Tools
• Webserver Security Tools
• Webserver Pen Testing Tools
• Webserver Pen Testing
Module Flow
To understand hacking web servers, you should first know what a web server is, how it functions, and what other elements are associated with it. All of these are simply termed web server concepts, so we discuss web server concepts first.
[Figure: module flow diagram with the sections Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Security Tools, Counter-measures, Patch Management, and Webserver Pen Testing; the current section is Webserver Concepts.]
This section gives a brief overview of the web server and its architecture. It also explains the common mistakes that encourage attackers to attack a web server and help them succeed. This section also describes the impact of attacks on the web server.
Webserver Market Shares
Source: http://w3techs.com
The following statistics show the percentage of websites using each web server. From the statistics it is clear that Apache is the most commonly used web server, at 64.6%. Microsoft IIS follows at 17.4%.
[Figure: bar chart of web server market shares: Apache 64.6%, Microsoft IIS 17.4%, Nginx 13%, LiteSpeed 1.7%, Google Server 1.2%, followed by Tomcat and Lighttpd with smaller shares (values not recoverable from the chart).]
FIGURE 12.1: Web Server Market Shares
Open Source Web Server Architecture
The diagram below illustrates the basic components of open source web server architecture.
[Figure: open source web server architecture. Site users and the site admin reach the server over the Internet, which is also where attacks arrive; the server stack is Linux with its file system, Apache, e-mail, PHP applications with compiled extensions, and MySQL.]
FIGURE 12.2: Open Source Web Server Architecture
Where,
• Linux - the server's operating system
• Apache - the web server component
• MySQL - a relational database
• PHP - the application layer
IIS Web Server Architecture
Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web.
IIS, also known as Internet Information Services, is a web server application developed by Microsoft for use with Microsoft Windows. It is the second most widely used web server after the Apache HTTP Server, with around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP.
The diagram that follows illustrates the basic components of the IIS web server architecture:
[Figure: IIS web server architecture. A client's request travels over the Internet to the kernel-mode HTTP protocol stack (HTTP.SYS) and on to user mode, where Svchost.exe hosts the Windows Activation Service (WAS) and the WWW Service, configured through applicationHost.config. An application pool contains the Web Server Core (begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing), the native modules (anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging), and an AppDomain with managed modules such as Forms Authentication; external applications sit alongside the pool.]
FIGURE 12.3: IIS Web Server Architecture
Website Defacement
Website defacement is the process by which hackers change the content of a website or web page. Hackers break into the web server and alter the hosted website by replacing its content with something of their own.
Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.
[Figure: a browser window titled "World Wide Web" showing http://juggyboy.com/index.aspx defaced with the text "You are OWNED!!!!!!! HACKED! Hi Master, Your website owned by US, Hacker! Next target - microsoft.com".]
FIGURE 12.4: Website Defacement
Why Web Servers Are Compromised
There are inherent security risks associated with web servers, with the local area networks that host websites, and with the users who access these websites using browsers.
• Webmaster's concern: From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses, whether viruses, Trojans, attackers, or the compromise of information itself. Software bugs in large, complex programs are often the source of security lapses, and web servers are themselves large, complex pieces of software that carry these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests, and any CGI script installed at the site may contain bugs that are potential security holes.
• Network administrator's concern: From a network administrator's perspective, a poorly configured web server is another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make the site almost impossible to use. In an intranet environment, the network administrator has to configure the web server carefully so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.
• End user's concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Moreover, active content fetched by a browser can be a conduit for malicious software to bypass the firewall and permeate the local area network.
The table that follows shows the causes and consequences of web server compromises:

| Cause | Consequence |
| --- | --- |
| Installing the server with default settings | Unnecessary default, backup, or sample files |
| Improper file and directory permissions | Security conflicts with business ease-of-use case |
| Default accounts with their default passwords | Misconfigurations in web server, operating systems, and networks |
| Unpatched security flaws in the server software, OS, and applications | Lack of proper security policy, procedures, and maintenance |
| Misconfigured SSL certificates and encryption settings | Bugs in server software, OS, and web applications |
| Use of self-signed certificates and default certificates | Improper authentication with external systems |
| Unnecessary services enabled, including content management and remote administration | Administrative or debugging functions that are enabled or accessible |

TABLE 12.1: Causes and consequences of web server compromises
Impact of Webserver Attacks
Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:
• Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, the attacker can gain a lot of useful information and can use the compromised account to launch further attacks on the web server.
• Data tampering: The attacker can alter or delete data. He or she can even replace the data with malware so that whoever connects to the web server also becomes compromised.
• Website defacement: Hackers completely change the look of the website by replacing the original data. They change the website's appearance by altering the visuals and displaying different pages with messages of their own.
• Secondary attacks from the website: Once the attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.
• Data theft: Data is one of the main assets of the company. Attackers can gain access to sensitive company data, such as the source code of a particular program.
• Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, a semi-dedicated server, or a virtual private server. Attackers can perform any action once they get root access to the server.
Module Flow
Now that you are familiar with web server concepts, we move on to the possible attacks on web servers. Nearly every action performed online involves a web server, so the web server is considered a critical resource of an organization, and that is the same reason attackers target it. There are many attack techniques used by attackers to compromise web servers, and we now discuss those attack techniques.
attack, HTTP response splitting attack, web cache poisoning attack, HTTP response hijacking, web application attacks, etc.
[Figure: module flow diagram; the current section is Webserver Attacks.]
Web Server Misconfiguration
Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds such a vulnerability, for example a remotely accessible administration function, it becomes a doorway into the company's network, and these loopholes can help attackers bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers, such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and result in the total compromise of a website. Common examples:
• Remote administration functions left reachable give the attacker a way to break into the server.
• Unnecessary services that are left enabled are also exposed to attack.
• Misconfigured or default SSL certificates.
• Verbose debug/error messages.
• Anonymous or default users/passwords.
• Sample configuration and script files.
Web Server Misconfiguration Example
Consider the httpd.conf file on an Apache server:
    <Location /server-status>
        SetHandler server-status
    </Location>
FIGURE 12.5: httpd.conf file on an Apache server
This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.
Consider another example, the php.ini file:
    display_errors = On
    log_errors = On
    error_log = syslog
    ignore_repeated_errors = Off
FIGURE 12.6: php.ini file on an Apache server
This configuration gives verbose error messages.
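Both fragments can be checked mechanically. The Python script below is an added example and not part of the EC-Council module: it parses constructed copies of the httpd.conf and php.ini fragments, flags a server-status handler that no access-control directive restricts and a display_errors setting that sends error detail to clients, and carries the hardened counterparts beside the weak ones (Require ip is Apache 2.4 syntax; the file contents and function names are the example's own).

```python
"""Audit httpd.conf and php.ini fragments for the two weaknesses described above."""
import re

# Constructed copies of the fragments in Figures 12.5 and 12.6 (not read from a server).
HTTPD_CONF_WEAK = """\
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Hardened form: the handler stays, but only the loopback addresses may reach it.
HTTPD_CONF_HARDENED = """\
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1 ::1
</Location>
"""

PHP_INI_WEAK = """\
display_errors = On
log_errors = On
error_log = syslog
ignore_repeated_errors = Off
"""

# Hardened form: errors still reach syslog for the operator, never the client.
PHP_INI_HARDENED = """\
display_errors = Off
log_errors = On
error_log = syslog
"""

# Apache directives that restrict who may reach a location (2.2 and 2.4 styles).
ACCESS_DIRECTIVES = ("require", "order", "allow", "deny", "authtype")


def parse_location_blocks(conf):
    """Return {path: [directive lines]} for every <Location> block in an Apache config."""
    blocks = {}
    pattern = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>", re.S | re.I)
    for match in pattern.finditer(conf):
        body = match.group(2)
        blocks[match.group(1)] = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return blocks


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' pairs, ';' comments, keys lower-cased."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings


def audit_httpd(conf):
    """Flag server-status handlers that no access-control directive restricts."""
    findings = []
    for path, directives in parse_location_blocks(conf).items():
        lowered = [d.lower() for d in directives]
        exposes_status = any(d.startswith("sethandler") and "server-status" in d for d in lowered)
        restricted = any(d.startswith(ACCESS_DIRECTIVES) for d in lowered)
        if exposes_status and not restricted:
            findings.append(f"{path}: server-status handler reachable without access restriction")
    return findings


def audit_php_ini(text):
    """Flag error output that reaches clients, or errors that are not logged at all."""
    settings = parse_ini(text)
    findings = []
    if settings.get("display_errors", "off") in ("on", "1", "true", "stdout", "stderr"):
        findings.append("display_errors is enabled: error text (paths, queries) is shown to clients")
    if settings.get("log_errors", "off") not in ("on", "1", "true"):
        findings.append("log_errors is disabled: errors are not recorded for the operator")
    return findings


if __name__ == "__main__":
    for label, conf, auditor in (("httpd.conf (weak)", HTTPD_CONF_WEAK, audit_httpd),
                                 ("httpd.conf (hardened)", HTTPD_CONF_HARDENED, audit_httpd),
                                 ("php.ini (weak)", PHP_INI_WEAK, audit_php_ini),
                                 ("php.ini (hardened)", PHP_INI_HARDENED, audit_php_ini)):
        print(label, auditor(conf) or ["no findings"])
```

The weak httpd.conf yields one finding and the hardened one none; the same holds for the php.ini pair. The checks are deliberately narrow (one handler, two directives) so they can be extended to the other items in the misconfiguration list above.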
Directory Traversal Attacks
Web servers are designed so that public access is limited to some extent. Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside the web server's root directory by manipulating a URL. Attackers can use trial and error to navigate outside the root directory and access sensitive information on the system.
[Figure: a browser requesting http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c: and receiving the output of "dir c:" run on the web server (volume serial number D45E-9FEE; entries including .rnd, 123.text, AUTOEXEC.BAT, CATALINA_HOME, CONFIG.SYS, Documents and Settings, Downloads, Intel, Program Files, Snort, WINDOWS and WinDump.exe: 7 file(s), 13 dir(s)), shown next to the site's web root tree (company, downloads, imgs, news, scripts, support).]
FIGURE 12.7: Directory Traversal Attacks
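As the defender-side counterpart to the request in Figure 12.7, the following Python script is an added example and not part of the module: it scans constructed access-log lines for paths that, after URL decoding (twice, to catch %25 double encoding) and folding of %5c backslashes, climb above the document root, and it shows the realpath check a file handler should apply instead of trusting the URL. The log lines, client addresses and the /var/www/html document root are made up for the example.

```python
"""Detect directory-traversal requests in access logs and resolve paths safely."""
import os
import re
from urllib.parse import unquote, urlsplit

# Constructed Common Log Format lines; the second mirrors the request in Figure 12.7.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [10/Sep/2012:10:01:07 +0000] "GET /scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c: HTTP/1.1" 200 1834
10.0.0.9 - - [10/Sep/2012:10:01:09 +0000] "GET /images/..%252f..%252fetc/passwd HTTP/1.1" 404 210
10.0.0.7 - - [10/Sep/2012:10:01:15 +0000] "GET /docs/guide.pdf HTTP/1.1" 200 90112
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def canonical_path(raw_path):
    """Decode a request path the way a lenient server would: drop the query
    string, URL-decode twice (so %252e becomes '.'), and treat backslashes
    (%5c, which IIS accepts as separators) as '/'."""
    path = urlsplit(raw_path).path
    for _ in range(2):
        path = unquote(path)
    return path.replace("\\", "/")


def levels_above_root(path):
    """Walk the segments and return how far the path climbs above its start
    (0 means it never leaves the document root)."""
    depth = lowest = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        lowest = min(lowest, depth)
    return -lowest


def scan_log(text):
    """Return one record per request whose decoded path escapes the root."""
    hits = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        decoded = canonical_path(match["path"])
        levels = levels_above_root(decoded)
        if levels > 0:
            hits.append({"ip": match["ip"], "raw": match["path"], "decoded": decoded,
                         "levels": levels, "status": int(match["status"])})
    return hits


def resolve_in_docroot(docroot, raw_path):
    """Server-side guard: map the request to a filesystem path and refuse anything
    that resolves outside docroot, whether through encoded '..' or a symlink."""
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, canonical_path(raw_path).lstrip("/")))
    return candidate if os.path.commonpath([root, candidate]) == root else None


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} climbed {hit['levels']} level(s): {hit['raw']} -> {hit['decoded']}")
    print(resolve_in_docroot("/var/www/html", "/docs/guide.pdf"))
    print(resolve_in_docroot("/var/www/html", "/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:"))
```

Decoding twice is a detector's choice: a legitimate path containing a literal %25 would be over-decoded, which is acceptable for alerting but is why the server-side guard works on the resolved filesystem path rather than on the URL text.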
HTTP Response Splitting Attack
An HTTP response splitting attack is a web-based attack in which a server is tricked by injecting new lines into response headers along with arbitrary code. Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL injection are some examples of this type of attack. The attacker alters a single request so that it appears to the web server as, and is processed as, two requests, and the web server in turn responds to each. This is accomplished by adding header response data to an input field: the attacker passes malicious data to a vulnerable application, and the application includes that data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be discarded by the web browser.
Input = Jason
    HTTP/1.1 200 OK
    Set-Cookie: author=Jason
Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n
    First Response (Controlled by Attacker)
    HTTP/1.1 200 OK
    Set-Cookie: author=JasonTheHacker
    Second Response
    HTTP/1.1 200 OK
Vulnerable code:
    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
FIGURE 12.8: HTTP Response Splitting Attack
Web Cache Poisoning Attack
Web cache poisoning is an attack against the reliability of an intermediate web cache, in which honest content cached for a given URL is swapped with malicious content. Users of the web cache can unknowingly receive the poisoned content instead of the genuine, secure content when requesting that URL through the cache.
An attacker forces the web server's cache to flush its actual cached content and then sends a specially crafted request whose response is stored in the cache. The following diagram explains the whole process of web cache poisoning step by step.
[Figure 12.9, steps and the requests shown in the diagram:]
1. The attacker sends a request to remove the page from the cache:
    GET http://juggyboy.com/index.html HTTP/1.1
    Pragma: no-cache
    Host: juggyboy.com
    Accept-Charset: iso-8859-1,*,utf-8
2. Normal response after clearing the cache for juggyboy.com (the original Juggyboy page).
3. The attacker sends a malicious request that generates two responses (4 and 6), abusing a redirect script at http://www.juggyboy.com/welcome.php?lang= whose code is <?php header("Location:" . $_GET['page']); ?>:
    GET http://juggyboy.com/redir.php?site=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aLast-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0aContent-Length:%2020%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Attack Page</html> HTTP/1.1
    Host: juggyboy.com
4. The attacker gets the first server response.
5. The attacker requests juggyboy.com again to generate a cache entry:
    GET http://juggyboy.com/index.html HTTP/1.1
    Host: testsite.com
    User-Agent: Mozilla/4.7 [en] (WinNT; I)
    Accept-Charset: iso-8859-1,*,utf-8
6. The attacker gets the second response of request 3, which points to the attacker's page; the cache now holds the attacker's page for www.juggyboy.com (poisoned server cache).
FIGURE 12.9: Web Cache Poisoning Attack
HTTP Response Hijacking
HTTP response hijacking is accomplished with a response splitting request. The attacker first sends a response splitting request to the web server, which makes the server emit two responses to that single request: the first is delivered to the attacker and the second stays queued on the shared connection. This only works where the attacker and the victim reach the server through the same intermediary, such as a shared proxy or cache. The victim then requests a service and supplies credentials; at the same time the attacker requests the index page. Because the intermediary matches responses to requests by order, the response to the victim's request, carrying the victim's data, is delivered to the attacker, and the victim remains unaware of the exchange.
The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack:
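The mechanism behind both Figure 12.9 and the hijacking sequence above, as an added example that is not code from the course: a redirect that builds its Location header from a query parameter the way the figure's redir.php does, the CRLF payload of the figure fed through it, and a minimal cache-style parser that shows one reply turning into two responses. The host juggyboy.com and the payload shape come from the figure; the parser, the hardened variant and the Content-Length value (set to the real length of the attack page) are assumptions made for this example.

```python
# Added example (not the course's code): HTTP response splitting as used for
# web cache poisoning and response hijacking. vulnerable_redirect() mirrors
# the figure's  header("Location: " . $_GET['page'])  redirect; the
# cache-style parser and the hardened variant are constructed here.
from urllib.parse import unquote


def vulnerable_redirect(page: str) -> bytes:
    """Builds the 302 the way the vulnerable redirect script does: the
    parameter is concatenated into the Location header unchecked, so an
    injected CR/LF ends the header block and the attacker's text is
    emitted as a second, complete response."""
    return (b"HTTP/1.1 302 Found\r\n"
            b"Location: " + page.encode("latin-1") + b"\r\n"
            b"Content-Length: 0\r\n"
            b"\r\n")


def safe_redirect(page: str) -> bytes:
    """Hardened variant: refuse any control character in the header value
    (current PHP header() and most frameworks do this check themselves)."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in page):
        raise ValueError("control character in redirect target")
    return vulnerable_redirect(page)


def split_responses(stream: bytes) -> list:
    """Parses a reply the way a naive proxy/cache would: status line,
    headers, then Content-Length body bytes, repeated while another
    status line follows. Returns a list of (status_line, headers, body)."""
    out, pos = [], 0
    while True:
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        status, headers = lines[0], {}
        if not status.startswith("HTTP/"):
            break
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = head_end + 4
        length = int(headers.get("content-length", "0"))
        out.append((status, headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return out


# Payload in the shape of Figure 12.9, URL-encoded as it travels in the
# query string; Content-Length is the real length of the attack page.
ATTACK_PAGE = "<html>Attack Page</html>"
ATTACK_PARAM = ("%0d%0aContent-Length:%200%0d%0a%0d%0a"
                "HTTP/1.1%20200%20OK%0d%0a"
                "Last-Modified:%20Mon,%2027%20Oct%202009%2014:50:18%20GMT%0d%0a"
                f"Content-Length:%20{len(ATTACK_PAGE)}%0d%0a"
                "Content-Type:%20text/html%0d%0a%0d%0a" + ATTACK_PAGE)
DECODED_ATTACK_PARAM = unquote(ATTACK_PARAM)   # what the server-side script sees


def poisoned_responses():
    """What the cache sees after the attacker's request: two responses,
    the second of which it will store under the next URL it fetches."""
    return split_responses(vulnerable_redirect(DECODED_ATTACK_PARAM))


if __name__ == "__main__":
    for status, hdrs, body in poisoned_responses():
        print(status, hdrs.get("content-type", "-"), body)
    try:
        safe_redirect(DECODED_ATTACK_PARAM)
    except ValueError as err:
        print("hardened redirect rejected the payload:", err)
```

The only fix that matters is the one in safe_redirect: no CR or LF may ever reach a header value, whatever the source of the value. Everything else (cache flushing, the second request for index.html) is just positioning the attacker's second response where the cache will store it.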
FIGURE 12.10: HTTP Response Hijacking
SSH Brute Force Attack
SSH is used to create an encrypted tunnel between two hosts so that otherwise unencrypted traffic can be carried safely over an insecure network
Attackers can brute force SSH login credentials to gain unauthorized access to an SSH server and the tunnels it provides
Once inside, SSH tunnels can be used to transmit malware and other exploits to victims without being detected, because the traffic is encrypted end to end
SSH is used to create an encrypted tunnel between two hosts so that otherwise unencrypted traffic can be carried safely over an insecure network. To attack SSH, the attacker first scans the target for SSH servers and their versions to identify possible vulnerabilities, then guesses login credentials with a brute force or dictionary attack. Once the attacker has valid SSH credentials, he or she can use the same tunnels to transmit malware and other exploits to victims without being detected, because the traffic is encrypted. Brute forcing only works where password authentication is enabled and unthrottled, which is why key-based authentication, rate limiting, and blocking of repeatedly failing source addresses are the standard countermeasures.
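What the attack looks like from the server side, as an added example that is not course material: a few sshd log lines run through a small detector that flags a source address hammering the login and reports whether it eventually got in. The log excerpt is constructed for this example (RFC 5737 test addresses); the message formats are the ones OpenSSH writes to auth.log, and the threshold and window are assumptions to tune for your environment.

```python
# Added example (not the course's code): spotting an SSH brute-force run in
# sshd log lines and checking whether it ended in a successful login.
# The log excerpt is constructed for this example (RFC 5737 test addresses);
# the message formats are the ones OpenSSH writes to auth.log.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Oct 11 09:34:01 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 41022 ssh2
Oct 11 09:34:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 41024 ssh2
Oct 11 09:34:04 web01 sshd[2215]: Failed password for invalid user test from 203.0.113.5 port 41026 ssh2
Oct 11 09:34:06 web01 sshd[2217]: Failed password for root from 203.0.113.5 port 41028 ssh2
Oct 11 09:34:08 web01 sshd[2219]: Failed password for invalid user guest from 203.0.113.5 port 41030 ssh2
Oct 11 09:34:09 web01 sshd[2221]: Accepted publickey for deploy from 198.51.100.7 port 50212 ssh2
Oct 11 09:34:11 web01 sshd[2223]: Failed password for root from 203.0.113.5 port 41032 ssh2
Oct 11 09:36:40 web01 sshd[2230]: Failed password for alice from 198.51.100.9 port 50300 ssh2
Oct 11 09:36:55 web01 sshd[2232]: Accepted password for alice from 198.51.100.9 port 50301 ssh2
Oct 11 09:37:02 web01 sshd[2240]: Accepted password for root from 203.0.113.5 port 41040 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2(?::.*)?$")


def parse_line(line, year=2012):
    """Returns a dict for a login-result line, None for anything else.
    syslog timestamps carry no year, so one is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flags every source IP with `threshold` or more failed logins inside
    any `window_seconds` span. Returns {ip: {"failures", "users",
    "success_after"}}; success_after is True when the same IP logged in
    after its last failure, i.e. a credential was actually guessed."""
    by_ip = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        by_ip[ev["ip"]].append(ev)

    hits = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "Failed"]
        start = 0
        for end in range(len(fails)):          # sliding window over failures
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = {
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                    "success_after": any(e["result"] == "Accepted"
                                         and e["ts"] > fails[-1]["ts"] for e in evs),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

The "invalid user" variants are the tell-tale of a wordlist run (admin, test, guest are exactly the names the password cracking section lists); a single user with one typo, like alice above, stays below the threshold. The success_after flag is what turns a noisy alert into an incident.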
FIGURE 12.11: SSH Brute Force Attack
Man-in-the-Middle Attack
Man-in-the-Middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and a web server
The attacker acts as a proxy, so that all communication between the user and the web server passes through him
A man-in-the-middle attack is a method where an intruder intercepts or modifies the messages exchanged between the user and the web server, by eavesdropping on or inserting himself into the connection. This allows the attacker to steal sensitive user information such as online banking details, user names, passwords, and session IDs transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through him, for example by posing as a proxy or by spoofing the server's address on the local network. If the victim accepts, all communication between the user and the web server passes through the attacker, who can read and alter it, and so steal sensitive user information. Against an HTTPS site this additionally requires the victim to accept a certificate the attacker controls, which is why certificate warnings must never be clicked through.
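The session ID theft shown in Figure 12.12, from both sides, as an added example that is not course material: the attacker's parsing of a sniffed plaintext request for session cookies, and the server-side audit of Set-Cookie headers that makes such sniffing useless. The captured exchange is constructed here; juggyboy.com is the course's sample host, and the list of session cookie names is an assumption covering the most common platforms.

```python
# Added example (not the course's code): what the attacker in Figure 12.12
# does with intercepted plaintext HTTP, namely pulling session identifiers
# out of it, and the server-side check that defeats it. The captured
# exchange is constructed here; juggyboy.com is the course's sample host.
import re

# Constructed capture of one request/response pair over plain HTTP.
CAPTURED_REQUEST = (
    "GET /account HTTP/1.1\r\n"
    "Host: juggyboy.com\r\n"
    "Cookie: PHPSESSID=a3f9c0d1e2b4; lang=en; tracking=xyz\r\n"
    "\r\n")
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=a3f9c0d1e2b4; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/; Max-Age=31536000\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>welcome back</html>")

# Cookie names that common platforms use for the session (assumed list).
SESSION_NAMES = re.compile(r"^(PHPSESSID|JSESSIONID|ASP\.NET_SessionId|.*sess.*)$", re.I)


def headers_of(message):
    """Returns the (name, value) header pairs of one HTTP message."""
    head = message.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    return [(n.strip(), v.strip()) for n, _, v in (line.partition(":") for line in head)]


def harvest_session_ids(request):
    """Attacker side: session cookies visible in a sniffed request."""
    found = {}
    for name, value in headers_of(request):
        if name.lower() != "cookie":
            continue
        for pair in value.split(";"):
            k, _, v = pair.strip().partition("=")
            if SESSION_NAMES.match(k):
                found[k] = v
    return found


def audit_set_cookie(response):
    """Defender side: a session cookie set without Secure is sent over
    plain HTTP and can be sniffed; without HttpOnly it is also readable
    by injected script. Returns {cookie_name: [missing flags]}."""
    problems = {}
    for name, value in headers_of(response):
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cname = parts[0].partition("=")[0]
        if not SESSION_NAMES.match(cname):
            continue
        attrs = {p.split("=")[0].lower() for p in parts[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]
        if missing:
            problems[cname] = missing
    return problems


if __name__ == "__main__":
    print("stolen:", harvest_session_ids(CAPTURED_REQUEST))
    print("server should fix:", audit_set_cookie(CAPTURED_RESPONSE))
```

Sniffing only yields the cookie because the exchange is plaintext; the Secure flag plus HTTPS everywhere (ideally with HSTS) removes that exposure, and HttpOnly closes the other common route to the same cookie.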
(Diagram: in normal traffic the user visits a website and talks to the web server directly; in the attack the attacker sits between user and web server and sniffs the communication to steal session IDs.)
FIGURE 12.12: Man-in-the-Middle Attack
Webserver Password Cracking
An attacker tries to exploit weaknesses in how passwords are chosen and protected in order to crack them
Many hacking attempts start with cracking passwords, which proves to the webserver that the attacker is a valid user
The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc.
Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, etc.
Attackers mainly target: web form authentication, SSH tunnels, FTP servers, SMTP servers, and web shares
Most hacking starts with password cracking. Once a password is cracked, the hacker can log in to the network as an authorized user. The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, brute force attacks, dictionary attacks, etc. to crack passwords.
Attackers mainly target:
Web form authentication
SSH tunnels
FTP servers
SMTP servers
Web shares
Webserver Password Cracking Techniques
Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc.
Passwords can be cracked by using the following techniques: guessing, dictionary attack, brute force attack, and hybrid attack
Hybrid Attack: A hybrid attack works similar to a dictionary attack, but it adds numbers or symbols to the password attempt
Passwords may be cracked manually or with automated tools such as Cain & Abel, Brutus, THC Hydra, etc. Attackers follow various techniques to crack the password:
Guessing: A common cracking method is to guess passwords, either by hand or with automated tools fed with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "qwerty," "password," "admin," etc. so that they can remember them easily. The same habit allows the attacker to crack passwords by guessing.
Dictionary Attack: A dictionary attack tries every entry of a predefined word list, often with common variations. It fails when the password is not in the list, for example when it contains special characters and symbols, but compared to a brute force attack it is far less time consuming.
Brute Force Attack: In the brute force method, every possible combination of characters is tried, for example uppercase "A to Z," lowercase "a to z," digits "0 to 9," or all of them together. This is practical only for short passwords drawn from a small character set: the key space grows exponentially with length, so a password that mixes uppercase and lowercase letters, digits, and special characters can take months or years to crack, which makes the method impractical against it.
Hybrid Attack: A hybrid attack combines the dictionary and brute force approaches: each dictionary word is tried together with appended or prepended digits and symbols, case changes, and similar mutations. Because many "complex" passwords are just a dictionary word plus such decoration, this method cracks passwords that a pure dictionary attack misses at a fraction of the cost of brute force.
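The four techniques side by side, as an added example that is not course material: a dictionary, a hybrid and a brute force candidate generator run against a constructed target hash, plus the key space arithmetic that explains why brute force stops being practical. The word list is built from the common passwords this section names, the target password "admin2012!" and the salted SHA-256 format are assumptions made for the demo (a real run uses the target's own hash format and a full word list), and the attempt counts depend on those choices.

```python
# Added example (not the course's code): the cracking strategies from this
# section as candidate generators, run against a constructed target (a salted
# SHA-256 of "admin2012!" made here for the demo). WORDLIST is built from the
# common passwords the section lists; a real run uses a file such as
# rockyou.txt and the hash format of the target system.
import hashlib
import itertools
import string

WORDLIST = ["password", "root", "administrator", "admin", "demo", "test",
            "guest", "qwerty", "letmein"]


def dictionary_candidates(words):
    """Dictionary attack: each word exactly as listed."""
    yield from words


def hybrid_candidates(words, suffixes=("1", "123", "2012", "!", "2012!"),
                      leet=(("a", "@"), ("e", "3"), ("o", "0"), ("s", "$"))):
    """Hybrid attack: dictionary words with case changes, leet substitutions,
    and digit/symbol suffixes appended."""
    for w in words:
        forms = {w, w.capitalize(), w.upper()}
        for plain, sub in leet:
            forms.add(w.replace(plain, sub))
        for f in forms:
            yield f
            for s in suffixes:
                yield f + s


def bruteforce_candidates(charset, max_len):
    """Brute force: every string over charset up to max_len, exhaustively."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            yield "".join(tup)


def keyspace(charset_size, length):
    """Number of candidates for exactly `length` characters of `charset_size`."""
    return charset_size ** length


def hash_password(pw, salt):
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def crack(target_hash, salt, candidates, limit=2_000_000):
    """Returns (password, attempts), or (None, attempts) if not found
    within `limit` candidates."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hash_password(cand, salt) == target_hash:
            return cand, attempts
        if attempts >= limit:
            break
    return None, attempts


SALT = "s3"
TARGET = hash_password("admin2012!", SALT)   # constructed target for the demo


def run_all():
    """Runs the strategies in the order an attacker would: cheapest first."""
    lower_digits = string.ascii_lowercase + string.digits
    return {
        "dictionary": crack(TARGET, SALT, dictionary_candidates(WORDLIST)),
        "hybrid": crack(TARGET, SALT, hybrid_candidates(WORDLIST)),
        "bruteforce": crack(TARGET, SALT, bruteforce_candidates(lower_digits, 3)),
    }


if __name__ == "__main__":
    for name, (pw, n) in run_all().items():
        print(f"{name:10s} -> {pw!r} after {n} attempts")
    print("8 lowercase letters:", keyspace(26, 8))
    print("8 printable ASCII  :", keyspace(95, 8))
```

The dictionary pass fails because "admin2012!" is not a list entry, the hybrid pass finds it within a few hundred candidates, and the exhaustive pass over three lowercase-and-digit characters runs through all 47,988 strings without a hit. keyspace(95, 8) is about 6.6 quadrillion, which is the number behind "months or years" above; note that the demo hashes with a single fast SHA-256 round, whereas a properly stored password uses a slow, salted hash (bcrypt, scrypt, Argon2) precisely to make each of those attempts expensive.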
Web Application Attacks
Vulnerabilities in web applications running on a Webserver provide a broad attack path for Webserver compromise
Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications
Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.
Directory Traversal
Directory traversal is the exploitation of insufficient path validation in an HTTP request: by manipulating the URL (for example with ../ sequences, plain or URL-encoded), attackers access files in restricted directories outside the web server's document root and, where a vulnerable script allows it, execute commands there.
Parameter/Form Tampering
This type of tampering attack manipulates the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Any value that the server trusts but the client controls (hidden form fields, query strings, cookies, headers) is a candidate.
Cookie Tampering
Cookie tampering is the method of poisoning or modifying the client's cookie. Most such attacks happen at the moment the cookie is sent from the client to the server. Both persistent and non-persistent (session) cookies can be modified with readily available tools, so a server must never trust a cookie's content unless it is signed or opaque.
Command Injection Attacks
Command injection is an attack in which user-supplied input, typically from form fields that lack proper validation, is passed to a system command or interpreter on the server without sanitization, so that the attacker's input is executed as part of that command. The related HTML injection attack, in which an attacker alters the content of a web page by submitting HTML through unconstrained form fields, exploits the same missing input validation.
Buffer Overflow Attacks
Most web applications and servers are designed to hold a bounded amount of data in a given buffer. If that amount is exceeded without a check, the application may crash or behave in an exploitable way. The attacker takes advantage of this by sending more data than the application expects, which causes a buffer overflow and, in the worst case, execution of attacker-controlled code.
Cross-Site Scripting (XSS) Attacks
Cross-site scripting is a method where an attacker injects HTML tags or scripts into a target website so that they run in the browsers of other users in the context of that site.
Denial-of-Service (DoS) Attack
A denial-of-service attack is a form of attack intended to terminate the operations of a website or a server and make it unavailable to its intended users.
Unvalidated Input and File Injection Attacks
Unvalidated input and file injection attacks refer to attacks carried out by supplying unvalidated input or by injecting files (for example through an upload or file include feature) into a web application.
Cross-Site Request Forgery (CSRF) Attack
A malicious web page makes the user's browser send requests to a target website on which the user is authenticated; the browser attaches the user's session cookies automatically, so the target site performs actions the user never intended. This kind of attack is particularly dangerous in the case of financial websites.
SQL Injection Attacks
SQL injection is a code injection technique that exploits an application that builds database queries from user input without separating code from data. The attacker injects SQL fragments into the strings that are later passed on to the SQL server for execution.
Session Hijacking
Session hijacking is an attack where the attacker steals, predicts, or otherwise obtains a valid web session identifier and uses it to access the authenticated parts of a web application as the victim.
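The directory traversal item from this list, as an added example that is not course material: a naive mapping of URL path to file system path beside a hardened one, run over a handful of probe URLs so the two can be compared. The web root, the probe paths and the exact checks are assumptions for this example; the decode-until-stable step is what defeats the double-encoded form.

```python
# Added example (not the course's code): the directory traversal item above,
# as a vulnerable path mapping beside a hardened one. The web root and the
# probe paths are constructed; the decoding/normalisation logic is the
# general check a web server or framework must do before touching a file.
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"


def vulnerable_map(url_path):
    """Naive mapping: decode once and glue onto the document root. A path
    such as /images/../../../../etc/passwd resolves outside WEB_ROOT."""
    return posixpath.normpath(WEB_ROOT + unquote(url_path))


def safe_map(url_path, root=WEB_ROOT):
    """Hardened mapping: decode repeatedly until stable (defeats double
    encoding such as %252e%252e), reject NUL and backslash tricks, reject
    any '..' segment, then verify the result is still inside the root."""
    decoded = url_path
    for _ in range(3):                       # bounded: %25 -> % -> literal
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("illegal character in path")
    if ".." in decoded.split("/"):
        raise ValueError("traversal sequence in path")
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("path escapes document root")   # defence in depth
    return full


TRAVERSAL_PROBES = [
    "/index.html",
    "/images/../../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e/%252e%252e/etc/passwd",
    "/..%2fetc%2fpasswd",
]


def scan(paths=TRAVERSAL_PROBES):
    """Returns {probe: (naive_result, safe_result_or_rejection)}."""
    out = {}
    for p in paths:
        try:
            safe = safe_map(p)
        except ValueError as err:
            safe = f"rejected: {err}"
        out[p] = (vulnerable_map(p), safe)
    return out


if __name__ == "__main__":
    for probe, (naive, safe) in scan().items():
        print(f"{probe:40s} naive={naive:45s} safe={safe}")
```

Two of the probes reach /etc/passwd through the naive mapping; the double-encoded one happens not to, because a single decode leaves literal %2e%2e directory names, which is exactly why an attacker tries several encodings and why the hardened version decodes until the value stops changing.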
Module Flow
So far we have discussed web server concepts and the various techniques attackers use to hack web servers. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers.
Webserver Concepts
Webserver Attacks
Attack Methodology
Webserver Attack Tools
Webserver Pen Testing
Patch Management
Webserver Security Tools
Counter-measures
This section provides insight into the attack methodology and the tools that help at the various stages of hacking.
Webserver Attack Methodology
Information Gathering
Webserver Footprinting
Mirroring Website
Vulnerability Scanning
Session Hijacking
Hacking Webserver Passwords
Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and to gain unauthorized access to the web server. The stages of the web server attack methodology are:
Information Gathering
Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she analyzes it in order to find security lapses in the web server's current configuration.
Web Server Footprinting
The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the security mechanisms in place.
Mirroring Website
Website mirroring is a method of copying a website and its content onto another server for offline browsing and analysis.
Vulnerability Scanning
Vulnerability scanning is a method of finding the various vulnerabilities and misconfigurations of a web server. It is done with the help of automated tools known as vulnerability scanners.
Session Hijacking
Session hijacking is possible once the current session of a client is identified. By means of session hijacking the attacker takes over complete control of the user's session.
Hacking Web Server Passwords
Attackers use various password cracking methods such as brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.
Webserver Attack Methodology: Information Gathering
Information gathering involves collecting information about the targeted company
Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company
Attackers use Whois, Traceroute, Active Whois, etc. tools and query the Whois databases to get details such as a domain name, an IP address, or an autonomous system number
Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance
(The slide shows a WHOis.net lookup for ebay.com; the record is reproduced in Figure 12.13 below.)
Before hacking, every attacker first collects all the required information, such as the versions and technologies used by the web server. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of an attacker's time is spent in the information gathering phase, which is why information gathering is both an art and a science. Many tools can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number, including:
Whois
Traceroute
Active Whois
Nmap
Angry IP Scanner
Netcat
Whois
Source: http://www.whois.net
Whois allows you to perform a domain whois search and a whois IP lookup, and to search the whois database for information on domain registration and availability. This gives insight into a domain's history and related details: who owns a domain name, which registrar and name servers it uses, and when it was created and expires. WHOis.net additionally shows how many pages from a site are listed with Google and lets you search the Whois address listings for a website's owner.
WHOis.net: Your Domain Starting Place...
WHOIS information for ebay.com:
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.
Domain Name: EBAY.COM
Registrar: MARKMONITOR INC.
Whois Server: whois.markmonitor.com
Referral URL: http://www.markmonitor.com
Name Server: SJC-DNS1.EBAYDNS.COM
Name Server: SJC-DNS2.EBAYDNS.COM
Name Server: SMF-DNS1.EBAYDNS.COM
Name Server: SMF-DNS2.EBAYDNS.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Status: clientUpdateProhibited
Status: serverDeleteProhibited
Status: serverTransferProhibited
Status: serverUpdateProhibited
Updated Date: 15-sep-2010
Creation Date: 04-aug-1995
Expiration Date: 03-aug-2018
F IG U R E 1 2 .1 3 : W H O I S In f o r m a t io n G a t h e r in g
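Turning the WHOIS record in Figure 12.13 into something an attacker (or a defender checking their own exposure) can act on, as an added example that is not course material: a parser for the "Key: value" record format, a summary that pulls out the name servers, the registrar locks and the registration dates, and, kept separate, the raw TCP/43 query that services like whois.net wrap. WHOIS_RECORD is the record as shown in the figure; the summary fields and the default WHOIS server are assumptions for this example.

```python
# Added example (not the course's code): parsing the registry WHOIS record
# shown in Figure 12.13 into structured data. WHOIS_RECORD is the figure's
# record; live_query() is the network step and is not run by the example.
import re
import socket
from datetime import datetime

WHOIS_RECORD = """\
   Domain Name: EBAY.COM
   Registrar: MARKMONITOR INC.
   Whois Server: whois.markmonitor.com
   Referral URL: http://www.markmonitor.com
   Name Server: SJC-DNS1.EBAYDNS.COM
   Name Server: SJC-DNS2.EBAYDNS.COM
   Name Server: SMF-DNS1.EBAYDNS.COM
   Name Server: SMF-DNS2.EBAYDNS.COM
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Status: serverDeleteProhibited
   Status: serverTransferProhibited
   Status: serverUpdateProhibited
   Updated Date: 15-sep-2010
   Creation Date: 04-aug-1995
   Expiration Date: 03-aug-2018
"""

FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.+?)\s*$")


def parse_whois(text):
    """Collects 'Key: value' lines; repeated keys (Name Server, Status)
    become lists. Keys are lower-cased with spaces turned into underscores."""
    rec = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key = m["key"].strip().lower().replace(" ", "_")
        rec.setdefault(key, []).append(m["value"])
    return {k: v if len(v) > 1 else v[0] for k, v in rec.items()}


def summarize(rec):
    """What matters for footprinting: the authoritative DNS servers (the
    next targets), whether transfer locks are set, and the registration
    dates. Date format is the one used by the Verisign registry output."""
    fmt = "%d-%b-%Y"
    created = dat = datetime.strptime(rec["creation_date"], fmt)
    expires = datetime.strptime(rec["expiration_date"], fmt)
    statuses = rec.get("status", [])
    return {
        "domain": rec["domain_name"].lower(),
        "registrar": rec["registrar"],
        "name_servers": sorted(ns.lower() for ns in rec["name_server"]),
        "locked": any(s.endswith("TransferProhibited") for s in statuses),
        "created": created.date().isoformat(),
        "expires": expires.date().isoformat(),
        "registered_for_years": (expires - dat).days // 365,
    }


def live_query(domain, server="whois.verisign-grs.com", timeout=10):
    """Network step (not run here): the WHOIS protocol is just the query
    plus CRLF on TCP port 43, followed by the server's plain-text reply."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(f"{domain}\r\n".encode())
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    print(summarize(parse_whois(WHOIS_RECORD)))
```

The name servers are the first thing to take from a record like this: they are the next hosts to footprint, and, as the GoDaddy outage story at the start of the module shows, the ones whose failure takes every site behind them down. The clientTransferProhibited/serverTransferProhibited locks are what stops a social-engineered registrar transfer from succeeding.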
Webserver Attack Methodology: Webserver Footprinting
Telnet to a Webserver to footprint it and gather information such as server name, server type, operating system, applications running, etc.
Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details
Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting
The purpose of footprinting is to gather account details, operating system and other software versions, server names, database schema details, and as much other information as possible about the security posture of a target web server or network. The main purpose is to learn about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet to the web server's HTTP port and issue a request by hand to collect the server name, server type, operating system, applications running, etc. from the response headers. Keep in mind that the Server banner is configurable and may be removed or falsified, so behaviour-based fingerprinting is more reliable than the banner alone. Examples of tools used for footprinting include ID Serve, httprecon, Netcraft, etc.
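The "telnet to port 80" step as a script, together with the header parsing that ID Serve and httprecon perform on what comes back, as an added example that is not course material and not the code of either tool. The two sample responses are constructed from the header fields visible in the httprecon and ID Serve screenshots later in this section; the platform cookie table and the HEAD request are assumptions for this example, and grab_banner() is the only part that touches the network.

```python
# Added example (not the course's code): the "telnet to port 80" footprinting
# step as a script, plus the parsing that ID Serve and httprecon do on what
# comes back. The two responses below are constructed from the headers
# visible in the screenshots of those tools later in this section.
import socket

SAMPLE_NYTIMES = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Oct 2012 09:34:37 GMT\r\n"
    "Server: Apache\r\n"
    "expires: Thu, 01 Dec 1994 16:00:00 GMT\r\n"
    "cache-control: no-cache\r\n"
    "pragma: no-cache\r\n"
    "Set-Cookie: ALT_ID=007f010021bb479dd5aa0055; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.nytimes.com\r\n"
    "Set-cookie: adxcs=-; path=/; domain=.nytimes.com\r\n"
    "Vary: Host\r\n\r\n")
SAMPLE_GOOGLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: gws\r\n"
    "Content-Length: 221\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Connection: close\r\n\r\n")

# Cookie names that give away the application platform (assumed table).
PLATFORM_COOKIES = {"PHPSESSID": "PHP", "JSESSIONID": "Java servlet container",
                    "ASP.NET_SessionId": "ASP.NET", "ASPSESSIONID": "classic ASP"}


def fingerprint(raw):
    """Extracts identity hints from a raw HTTP response: Server and
    X-Powered-By banners, platform cookies, and the header order, which
    httprecon-style tools compare against known implementations because
    the Server banner itself can be changed by the administrator."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (h.partition(":") for h in head[1:])]
    lower = {n.lower(): v for n, v in headers}
    platforms = set()
    for n, v in headers:
        if n.lower() == "set-cookie":
            cname = v.split("=", 1)[0]
            for prefix, plat in PLATFORM_COOKIES.items():
                if cname.upper().startswith(prefix.upper()):
                    platforms.add(plat)
    return {
        "status": head[0],
        "server": lower.get("server"),
        "powered_by": lower.get("x-powered-by"),
        "platform_hints": sorted(platforms),
        "header_order": [n for n, _ in headers],
        "clickjacking_protection": "x-frame-options" in lower,
    }


def grab_banner(host, port=80, timeout=5):
    """Network step: the same HEAD request you would type after
    `telnet host 80`. Returns the raw response text (not run here)."""
    req = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req.encode())
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data.decode("latin-1")


if __name__ == "__main__":
    for sample in (SAMPLE_NYTIMES, SAMPLE_GOOGLE):
        print(fingerprint(sample))
```

The nytimes.com sample is the instructive one: the banner says Apache, but the header casing and order (lower-case expires, cache-control and pragma, Vary: Host last) are what a fingerprinting database matches on, and httprecon's best match for that server is a different product altogether. Treat the Server header as a hint, not a fact.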
Netcraft
Source: http://toolbar.netcraft.com
Netcraft is a service used to determine the operating systems, web server software, and hosting netblocks in use by the target organization, drawn from its long-running survey of web sites. It has already been discussed in detail in the Footprinting and Reconnaissance module.
(Netcraft "Search Web by Domain" results for "site contains microsoft", 3rd August 2012: 252 sites found among 1,045,745 web sites visited by users of the Netcraft Toolbar. Columns: Site, Site Report, First seen, Netblock, OS. Sites listed include www.microsoft.com, support.microsoft.com, technet.microsoft.com, windows.microsoft.com, msdn.microsoft.com, office.microsoft.com, social.technet.microsoft.com, answers.microsoft.com, www.update.microsoft.com, social.msdn.microsoft.com, go.microsoft.com, windowsupdate.microsoft.com, update.microsoft.com, www.microsofttranslator.com, search.microsoft.com, www.microsoftstore.com, login.microsoftonline.com and wer.microsoft.com. Netblock owners shown include microsoft corp, microsoft limited, mshotmail, akamai technologies, akamai international b.v. and digital river ireland ltd.; OS values shown include windows server 2008, windows server 2003, citrix netscaler, linux, f5 big-ip and unknown.)
F IG U R E 1 2 .1 4 : W e b s e r v e r F o o t p r in t in g
Webserver Footprinting Tools
We have already discussed the Netcraft tool. In addition to Netcraft, two more tools allow you to perform web server footprinting: httprecon and ID Serve.
httprecon
Source: http://www.computec.ch
httprecon is a tool for advanced web server fingerprinting. The httprecon project does research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of a given httpd implementation: instead of trusting the Server header, it sends several kinds of request (GET of an existing resource, a long request, a non-existing resource, a wrong protocol version, HEAD, OPTIONS) and compares the responses against a database of known implementations. In the screenshot below the banner says "Server: Apache" while the best match is a different product, which illustrates why that approach is needed. The software aims to improve the ease and efficiency of this kind of enumeration.
httprecon 7.3 - http://www.nytimes.com:80/
Target (Sun ONE Web Server 6.1): http://www.nytimes.com, port 80
Test requests: GET existing | GET long request | GET non-existing | GET wrong protocol | HEAD existing | OPTIONS common
Response to GET existing:
HTTP/1.1 200 OK
Date: Thu, 11 Oct 2012 09:34:37 GMT
Server: Apache
expires: Thu, 01 Dec 1994 16:00:00 GMT
cache-control: no-cache
pragma: no-cache
Set-Cookie: ALT_ID=007f010021bb479dd5aa0055; Expires=Fri, 11 Oct 2013 09:34:37 GMT; Path=/; Domain=.nytimes.com
Set-cookie: adxcs=-; path=/; domain=.nytimes.com
Vary: Host
Matchlist (352 implementations), Name / Hits / Match %:
Oracle Application Server 10g 10.1.2.2.0 / 58 / 81.69%
Sun Java System Web Server 7.0 / 57 / 80.28%
Abyss 2.5.0.0 X1 / 56 / 78.87%
Apache 2.0.52 / 56 / 78.87%
Apache 2.2.6 / 56 / 78.87%
FIGURE 12.15: Httprecon Screenshot
ID Serve
Source: http://www.grc.com
ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of a website's server software. This information is sent in the headers of replies to web queries, but it is not shown to the user by the browser. ID Serve can also connect to non-web servers to receive and report that server's greeting message, which generally reveals the server's make, model, version, and other potentially useful information. Given an IP address, ID Serve will also attempt to determine the associated domain name.
ID Serve: Internet Server Identification Utility, v1.02
Personal Security Freeware by Steve Gibson, Copyright (c) 2003 by Gibson Research Corp.
Tabs: Background | Server Query | Q&A/Help
Enter or copy/paste an Internet server URL or IP address here (example: www.microsoft.com): www.google.com
Query The Server: When an Internet URL or IP has been provided above, press this button to initiate a query of the specified server.
Server query processing:
Server: gws
Content-Length: 221
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Connection: close
The server identified itself as: gws
FIGURE 12.16: ID Serve
Webserver Attack Methodology: Mirroring a Website
Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc.
Search for comments and other items in the HTML source code to make footprinting activities more efficient
Use tools such as HTTrack, WebCopier Pro, BlackWidow, etc. to mirror a website
Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror is created, search its HTML source code for comments, hidden form fields, and other leftover items to make footprinting activities more efficient. Tools used for web site mirroring include HTTrack, Webripper 2.0, WinWSD, WebCopier, and BlackWidow.
HTTrack
Source: http://www.httrack.com
HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, recursively building all directories and getting HTML, images, and other files from the server to your computer. HTTrack preserves the original site's relative link structure. Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link as if you were viewing it online.
[Figure: HTTrack window "Site mirroring in progress [2/14 (+13), 327948 bytes] - [Test Project.whtt]". Left pane: local drive tree (CEH-Tools, inetpub, Intel, MyWebSites, Program Files, Program Files (x86), Users, Windows). Right pane, In progress: Parsing HTML file. Information: Bytes saved 320.26KB, Time 2min22s, Transfer rate 0B/s (1.19MB/s), Active connections 1, Links scanned 2/14 (+13), Files written 14, Files updated 0, Errors 0.]
FIGURE 12.17: Mirroring a Website
Webserver Attack Methodology: Vulnerability Scanning
Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited
Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present
Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities
Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities
Web Server Attack Methodology: Vulnerability Scanning
Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of automated tools known as vulnerability scanners.
Vulnerability scanning determines the vulnerabilities that exist in the web server and its configuration, and thus helps to determine whether the web server is exploitable or not. Sniffing techniques are applied to the network traffic to find out active systems, network services, applications, and vulnerabilities present.
Also, attackers test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning, such as HP WebInspect, Nessus, Paros proxy, etc., to find hosts, services, and vulnerabilities.
Nessus
Source: http://www.nessus.org
Nessus is a security scanning tool that scans systems remotely and reports the vulnerabilities it detects before an attacker can exploit and compromise them. Its features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.
FIGURE 12.18: Nessus Screenshot
Webserver Attack Methodology: Session Hijacking
Sniff valid session IDs to gain unauthorized access to the Web Server and snoop the data
Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs
Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking
[Slide screenshot: Burp Suite free edition v1.4.01 site map with the branch context menu open (see Figure 12.19)]
http://portswigger.net
Note: For complete coverage of Session Hijacking concepts and techniques refer to Module 11: Session Hijacking
Web Server Attack Methodology: Session Hijacking
Session hijacking is possible once the current session of the client is identified. The attacker can take complete control of the user session once the user has authenticated to the server. With the help of sequence number prediction tools, attackers perform session hijacking: after identifying the open session, the attacker predicts the sequence number of the next packet and sends data packets before the legitimate user sends the response with the correct sequence number. In addition to this technique, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.
Burp Suite
Source: http://portswigger.net
Burp Suite is an integrated platform for performing security testing of web applications. Its
various tools work seamlessly together to support the entire testing process, from initial
mapping and analysis of an application's attack surface, through to finding and exploiting
security vulnerabilities. The key components of Burp Suite include proxy, scanner, intruder
tool, repeater tool, sequencer tool, etc.
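A defender-side check for the weaknesses the vulnerability-scanning and session-hijacking sections describe, added here as an example (not code from the module, Nessus or Burp Suite): it audits a raw HTTP response for session cookies that lack the Secure, HttpOnly and SameSite attributes (what makes sidejacking and script-based cookie theft possible) and for Server/X-Powered-By version banners of the kind a vulnerability scan reports as misconfiguration, and it shows the session-ID regeneration at login that defeats session fixation. The response, header values and cookie-name hints are constructed.

```python
import re
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample response (not captured from any real host): a login page
# that sets a session cookie with no protective attributes and leaks server
# and framework versions in its headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22 (Win32)\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: lang=en; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)

# Name fragments that mark a cookie as a session identifier (assumed list).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.x response into lower-cased (name, value) pairs."""
    head, _, _body = raw.partition("\r\n\r\n")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_cookie(set_cookie: str) -> List[str]:
    """Protections missing from one Set-Cookie value; non-session cookies are ignored."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    if not any(h in name.lower() for h in SESSION_COOKIE_HINTS):
        return []
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: no Secure flag (sent over plain HTTP, sidejacking)")
    if "httponly" not in attrs:
        findings.append(f"{name}: no HttpOnly flag (readable by injected script)")
    if "samesite" not in attrs:
        findings.append(f"{name}: no SameSite attribute")
    return findings


def audit_response(raw: str) -> Dict[str, List[str]]:
    """Audit a raw response for weak session cookies and version banners."""
    report: Dict[str, List[str]] = {"cookies": [], "disclosure": []}
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            report["cookies"].extend(audit_cookie(value))
        elif name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            report["disclosure"].append(f"{name} reveals a version: {value}")
    return report


def hardened_set_cookie(name: str, value: str) -> str:
    """The corrected Set-Cookie form for a session cookie."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


class SessionStore:
    """Minimal server-side session table showing the session-fixation defence:
    the ID that existed before authentication is discarded at login and a
    fresh, unpredictable one is issued, so an ID planted by an attacker never
    becomes an authenticated session."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def start(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        data = self._sessions.pop(sid, {})  # the old ID stops working here
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid, {}).get("user")


if __name__ == "__main__":
    for kind, items in audit_response(SAMPLE_RESPONSE).items():
        for item in items:
            print(f"[{kind}] {item}")
    print("hardened:", hardened_set_cookie("PHPSESSID", "abc123"))
```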
[Figure: Burp Suite free edition v1.4.01, Target tab, Site map. Filter: hiding not found items; hiding CSS, image and general binary content; hiding 4xx responses; hiding empty folders. Hosts listed: http://economictimes.indiatimes.com and http://edition.cnn.com. The selected entry is a GET to /.element/ssi/ads.iframes/ on http://edition.cnn.com (status 200, length 676, MIME type HTML), with the context menu open: add item to scope, spider this branch, actively scan this branch, passively scan this branch, engagement tools [pro version only], compare site maps, expand branch, expand requested items, delete branch, copy URLs in this branch, copy links in this branch, save selected items. The request pane shows the raw request headers (Host: edition.cnn.com; User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1; Accept: text/javascript, text/html, application/xml, text/xml).]
FIGURE 12.19: Burp Suite Screenshot
Webserver Attack Methodology: Hacking Web Passwords
Use password cracking techniques such as brute force attack, dictionary attack, password guessing to crack Webserver passwords
Use tools such as Brutus, THC-Hydra, etc.
[Slide screenshot: Brutus - AET2 - www.hoobie.net/brutus - (January 2000) running HTTP (Basic Auth) against target 10.0.0.17 (see Figure 12.20)]
http://www.hoobie.net
Web Server Attack Methodology: Hacking Web Passwords
One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Various methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Password cracking can also be performed with the help of tools such as Brutus, THC-Hydra, etc.
Brutus
Source: http://www.hoobie.net
Brutus is an online (remote) password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slide.
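Both the website mirroring described earlier (HTTrack and similar tools) and the HTTP Basic Auth guessing Brutus performs leave a distinctive trace in the web server's access log, so here is an added log-analysis example (not code from the module, HTTrack or Brutus) that flags both: mirroring, by a known mirroring User-Agent or by a burst of many distinct paths from one client; and password guessing, by a burst of 401 responses from one client followed by a success on the same path. The log lines, IP addresses and User-Agent strings are constructed, and max_attempts reproduces the 6 users x 818 passwords = 4908 bound that Brutus reports in Figure 12.20.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# User-Agent fragments of the mirroring tools the module names (assumed strings).
MIRROR_TOOLS = ("httrack", "webcopier", "blackwidow", "webripper")

# Apache/IIS-style combined log format: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

HTTRACK_UA = "Mozilla/4.5 (compatible; HTTrack 3.0x; Windows 98)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1"


def _line(ip, user, secs, method, path, status, ua) -> str:
    """Build one constructed log line; the whole sample below is synthetic."""
    ts = datetime(2012, 9, 10, 10, 0, 0) + timedelta(seconds=secs)
    return (f'{ip} - {user} [{ts:%d/%b/%Y:%H:%M:%S} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"')


SAMPLE_LOG: List[str] = (
    # an HTTrack mirror announcing itself in its User-Agent
    [_line("203.0.113.7", "-", i, "GET", f"/docs/page{i}.html", 200, HTTRACK_UA) for i in range(3)]
    # a mirroring tool hiding behind a browser User-Agent: 25 distinct pages in 25 seconds
    + [_line("192.0.2.20", "-", 100 + i, "GET", f"/p{i}.html", 200, BROWSER_UA) for i in range(25)]
    # HTTP Basic Auth guessing against /admin/: six 401s, then a 200 as admin
    + [_line("198.51.100.9", "-", 300 + i, "HEAD", "/admin/", 401, BROWSER_UA) for i in range(6)]
    + [_line("198.51.100.9", "admin", 306, "HEAD", "/admin/", 200, BROWSER_UA)]
    # an ordinary visitor
    + [_line("192.0.2.21", "-", 400, "GET", "/index.html", 200, BROWSER_UA),
       _line("192.0.2.21", "-", 405, "GET", "/css/site.css", 200, BROWSER_UA)]
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def _by_ip(lines: List[str]) -> Dict[str, list]:
    """Group parsed entries per client IP, each group sorted by time."""
    per_ip: Dict[str, list] = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        per_ip[e["ip"]].append(e)
    for entries in per_ip.values():
        entries.sort(key=lambda e: e["ts"])
    return per_ip


def mirroring_clients(lines: List[str], window: int = 60, min_paths: int = 20) -> Dict[str, str]:
    """Client IP -> reason. A known mirroring User-Agent is reported as such;
    otherwise min_paths distinct paths inside `window` seconds is reported,
    which also catches tools that spoof a browser User-Agent."""
    reasons: Dict[str, str] = {}
    span = timedelta(seconds=window)
    for ip, entries in _by_ip(lines).items():
        ua_hits = [e["ua"] for e in entries if any(t in e["ua"].lower() for t in MIRROR_TOOLS)]
        if ua_hits:
            reasons[ip] = f"mirroring tool User-Agent: {ua_hits[0]}"
            continue
        for i, first in enumerate(entries):
            paths = {e["path"] for e in entries[i:] if e["ts"] - first["ts"] <= span}
            if len(paths) >= min_paths:
                reasons[ip] = f"{len(paths)} distinct paths within {window}s"
                break
    return reasons


def auth_bruteforce(lines: List[str], threshold: int = 5, window: int = 60) -> Dict[str, dict]:
    """Client IP -> {'failures': n, 'success_after': bool} for clients with at
    least `threshold` 401s inside `window` seconds; a 2xx on the same path
    after the burst means the guessing probably found a valid credential."""
    hits: Dict[str, dict] = {}
    span = timedelta(seconds=window)
    for ip, entries in _by_ip(lines).items():
        fails = [e for e in entries if e["status"] == 401]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= span]
            if len(burst) >= threshold:
                last = burst[-1]
                success = any(e["status"] // 100 == 2 and e["path"] == last["path"]
                              and e["ts"] >= last["ts"] for e in entries)
                hits[ip] = {"failures": len(fails), "success_after": success}
                break
    return hits


def max_attempts(users: int, passwords: int) -> int:
    """Upper bound on guesses from a user list x word list run (Brutus: 6 x 818 = 4908)."""
    return users * passwords


if __name__ == "__main__":
    print("mirroring:", mirroring_clients(SAMPLE_LOG))
    print("auth guessing:", auth_bruteforce(SAMPLE_LOG))
    print("attempts for 6 users x 818 passwords:", max_attempts(6, 818))
```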
[Figure: Brutus - AET2 - www.hoobie.net/brutus - (January 2000). Target 10.0.0.17, Type HTTP (Basic Auth). Connection Options: Port 80, Connections 10, Timeout 10, Use Proxy unchecked. HTTP (Basic) Options: Method HEAD, KeepAlive checked. Authentication Options: Use Username checked, User File users.txt, Pass Mode Word List, Pass File words.txt. Positive Authentication Results list two HTTP (Basic Auth) hits on 10.0.0.17/ for usernames admin and backup; the only password visible is academic. Status log:]
Located and installed 1 authentication plug-ins
Initialising...
Target 10.0.0.17 verified
Opened user file containing 6 users.
Opened password file containing 818 Passwords.
Maximum number of authentication attempts will be 4908
Engaging target 10.0.0.17 with HTTP (Basic Auth)
FIGURE 12.20: Brutus Screenshot
Module Flow
The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers are implementing various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.
Webserver Concepts
Webserver Attacks
Webserver Attack Tools
Attack Methodology
Webserver Pen Testing
Patch Management
Webserver Security Tools
Counter-measures
This section lists and describes various web server attack tools.
Webserver Attack Tools: Metasploit
The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms
It supports fully automated exploitation of web servers, by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP
[Slide screenshot: Metasploit Pro dashboard (see Figure 12.21)]
http://www.metasploit.com
Web Server Attack Tools: Metasploit
Source: http://www.metasploit.com
The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and
relatively painless. It enables users to identify, assess, and exploit vulnerable web applications.
Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised
web server to discover an exploitable vulnerability in a database that hosts confidential
customer data and employee information. Your team members can then leverage the data
gained to conduct social engineering in the form of a targeted phishing campaign, opening up
new attack vectors on the internal network, which are immediately visible to the entire team.
Finally, you generate executive and audit reports based on the corporate template to enable
your organization to mitigate the attacks and remain compliant with Sarbanes Oxley, HIPAA, or
PCI DSS.
Metasploit enables teams of penetration testers to coordinate orchestrated attacks against
target systems and for team leads to manage project access on a per-user basis. In addition,
Metasploit includes customizable reporting.
Metasploit enables you to:
Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks
Assess the security of web applications, network and endpoint systems, as well as email users
Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year
Test with the world's largest public database of quality assured exploits
Tunnel any traffic through compromised targets to pivot deeper into the network
Collaborate more effectively with team members in concerted network tests
Customize the content and template of executive, audit, and technical reports
[Figure: Metasploit Pro web dashboard with the panels Target System Status, Operating Systems (Top 5), Project Activity (24 Hours), and Network Services (Top 5), the last listing 270 DCERPC Servers, 114 SMB Servers, 37 NETBIOS Servers and further MSRPC and other service counts.]
FIGURE 12.21: Metasploit Screenshot
Metasploit Architecture
[Slide diagram: Metasploit architecture (see Figure 12.22)]
The Metasploit framework is an open-source exploitation framework that is designed
to provide security researchers and pen testers with a uniform model for rapid development of
exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework
provides the ability to reuse large chunks of code that would otherwise have to be copied or
reimplemented on a per-exploit basis. The framework was designed to be as modular as
possible in order to encourage the reuse of code across various projects. The framework itself
is broken down into a few different pieces, the most low-level being the framework core. The
framework core is responsible for implementing all of the required interfaces that allow for
interacting with exploit modules, sessions, and plugins. It supports vulnerability research,
exploit development, and the creation of custom security tools.
[Figure: Metasploit architecture diagram]
Libraries: Rex, Framework-Core, Framework-Base
Interfaces: msfconsole, msfcli, msfweb, msfwx, msfapi
Modules: Exploits, Payloads, Encoders, NOPS, Auxiliary
Other components shown: Custom plug-ins, Protocol Tools, Security Tools, Web Services, Integration
FIGURE 12.22: Metasploit Architecture
Metasploit Exploit Module
It is the basic module in Metasploit used to encapsulate an exploit, so that users can target many platforms with a single exploit
This module comes with simplified meta-information fields
Using a Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits
Steps to exploit a system following the Metasploit Framework (slide diagram showing Configuring Active Exploit and Selecting a Target; the full list follows)
The exploit module is the basic module in Metasploit used to encapsulate an exploit, so that users can target many platforms with a single exploit. This module comes with simplified meta-information fields. Using the Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits.
Following are the steps to exploit a system using the Metasploit framework:
Configuring Active Exploit
Verifying the Exploit Options
Selecting a Target
Selecting the Payload
Launching the Exploit
Metasploit Payload Module
The payload module establishes a communication channel between the Metasploit framework and the victim host
It combines the arbitrary code that is executed as the result of an exploit succeeding
To generate payloads, first select a payload using the command shown in Figure 12.23
Metasploit Payload Module
The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit: the exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there.
With the help of a payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer.
To generate payloads, first select a payload using the command:
Command Prompt
msf > use windows/shell_reverse_tcp
msf payload(shell_reverse_tcp) > generate -h
Usage: generate [options]
Generates a payload.
OPTIONS:
-b <opt>  The list of characters to avoid: '\x00\xff'
-e <opt>  The name of the encoder module to use.
-h        Help banner.
-o <opt>  A comma separated list of options in VAR=VAL format.
-s <opt>  NOP sled length.
-t <opt>  The output type: ruby, perl, c, or raw.
msf payload(shell_reverse_tcp) >
FIGURE 12.23: Metasploit Payload Module
Metasploit Auxiliary Module
Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing
To run an auxiliary module, either use the run command, or use the exploit command
Command Prompt
msf > use dos/windows/smb/ms06_035_mailslot
msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(ms06_035_mailslot) > run
[*] Mangling the kernel, two bytes at a time...
Metasploit Auxiliary Module
Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, use either the run command or the exploit command.
Metasploit NOPS Module
NOP modules generate no-operation instructions used for padding out buffers
Use the generate command to generate a NOP sled of an arbitrary size and display it in a given format
To generate a 50 byte NOP sled that is displayed as a C-style buffer, run the command generate -t c 50 (see Figure 12.25)
[Slide screenshot: Command Prompt showing generate -h and generate -t c 50 in msf nop(opty2) (see Figure 12.25)]
Metasploit NOPS Module
Metasploit NOP modules are used to generate no operation instructions that can be
used for padding out buffers. The NOP module console interface supports generating a NOP
sled of an arbitrary size and displaying it in a given format.
OPTIONS:
-b <opt>  The list of characters to avoid: '\x00\xff'
-h        Help banner.
-s <opt>  The comma separated list of registers to save.
-t <opt>  The output type: ruby, perl, c, or raw.
Generates a NOP sled of a given length
To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:
msf nop(opty2) > generate -t c 50
unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";
msf nop(opty2) >
Figure 12.25: Metasploit NOPS Module
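As an added example (not from the module or from Metasploit), a defender-side heuristic of the kind an IDS uses to spot NOP sleds in traffic or memory: it measures the longest run of single-byte x86 instructions that do nothing useful but fall through to the next byte. Run over a classic 0x90 sled and over the 50-byte opty2 output from Figure 12.25 (backslashes restored), it shows why multi-byte NOP generators exist: the opty2 sled never exceeds a run of a few such bytes and slips past the naive check. The instruction set used is my own selection, not Metasploit's table.

```python
from typing import List, Tuple

# Single-byte x86 instructions that fall through to the next byte and are the
# usual building blocks of a sled: nop, inc/dec r32, xchg eax,r32, cwde, cdq,
# sahf, lahf, cmc, clc, stc, cld, std. This is an assumed heuristic set for the
# example, not the table Metasploit's NOP generators use.
SLED_BYTES = frozenset(
    [0x90]
    + list(range(0x40, 0x50))
    + list(range(0x91, 0x9A))
    + [0x9E, 0x9F, 0xF5, 0xF8, 0xF9, 0xFC, 0xFD]
)

# Constructed sample 1: a classic 64-byte 0x90 sled followed by an int3.
CLASSIC_SLED = b"\x90" * 64 + b"\xcc"

# Sample 2: the 50-byte x86/opty2 sled shown in Figure 12.25 (opty2 mixes
# multi-byte instructions, so most of these bytes are not in SLED_BYTES).
OPTY2_SLED = (
    b"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
    b"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
    b"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
    b"\x92\xb5\xd4\x4f\x91"
)


def sled_runs(buf: bytes, min_len: int = 32) -> List[Tuple[int, int]]:
    """Return (offset, length) of every run of sled bytes at least min_len long."""
    runs = []
    start = None
    for i, b in enumerate(buf):
        if b in SLED_BYTES:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(buf) - start >= min_len:
        runs.append((start, len(buf) - start))
    return runs


def longest_sled(buf: bytes) -> int:
    """Length of the longest run of sled bytes (0 when there are none)."""
    best = run = 0
    for b in buf:
        run = run + 1 if b in SLED_BYTES else 0
        best = max(best, run)
    return best


def looks_like_sled(buf: bytes, min_len: int = 32) -> bool:
    """IDS-style verdict: any run of min_len or more sled bytes."""
    return longest_sled(buf) >= min_len


if __name__ == "__main__":
    for label, sample in (("classic 0x90 sled", CLASSIC_SLED), ("opty2 sled", OPTY2_SLED)):
        print(f"{label}: longest run {longest_sled(sample)}, "
              f"flagged={looks_like_sled(sample)}, runs={sled_runs(sample)}")
```

The classic sled is flagged at offset 0 with length 64, while the opty2 sled's longest qualifying run is only 5 bytes; a detector that wants to catch opty2-style sleds has to disassemble and follow the instruction stream rather than count bytes.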
Webserver Attack Tools: Wfetch
WFetch allows an attacker to fully customize an HTTP request and send it to a Web server to see the raw HTTP request and response data
It allows an attacker to test the performance of Web sites that contain new elements such as Active Server Pages (ASP) or wireless protocols
[Slide screenshot: WFetch window (see Figure 12.26)]
http://www.microsoft.com
Web Server Attack Tools: Wfetch
Source: http://www.microsoft.com
Wfetch is a graphical user interface aimed at helping customers resolve problems related to browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem in a lightweight, very HTTP-friendly test environment, and it supports very granular testing down to authentication, authorization, custom headers, and much more.
[Figure: WFetch window. Request settings: Verb GET, Host localhost, Port 80, Ver 1.1, Path /, Authentication Anonymous, Connection http, Client cert none, Trace raw. Log Output [Last Status: 500 Internal Server Error]: started...; Proxy: WWWConnect::Close("","80"); closed source port 7398; WWWConnect::Connect("localhost","80"); IP = "[::1]:80".]
Figure 12.26: Wfetch Screenshot
Web Password Cracking Tool: Brutus
Source: http://www.hoobie.net
Brutus is a remote password cracking tool. It is available for Windows 9x, NT, and 2000; there is no UNIX version available, although one is a possibility at some point in the future. Brutus was written originally to help check routers for default and common passwords.
Features
HTTP (Basic Authentication)
HTTP (HTML Form/CGI)
POP3
FTP
SMB
Telnet
Multi-stage authentication engine
No user name, single user name, and multiple user name modes
Password list, combo (user/password) list and configurable brute force modes
Highly customizable authentication sequences
Load and resume position
Import and Export custom authentication types as BAD files seamlessly
SOCKS proxy support for all authentication types
User and password list generation and manipulation functionality
HTML Form interpretation for HTML Form/CGI authentication types
Error handling and recovery capability inc. resume after crash/failure
[Figure: Brutus - AET2 - www.hoobie.net/brutus - (January 2000), the same HTTP (Basic Auth) run against target 10.0.0.17 shown in Figure 12.20: users.txt and words.txt loaded, positive results for usernames admin and backup, status log from "Located and installed 1 authentication plug-ins" through "Engaging target 10.0.0.17 with HTTP (Basic Auth)".]
Figure 12.27: Brutus Screenshot